Functional safety of electrical/electronic/programmable electronic safety-related systems—Part 2:Requirements for electrical/electronic/programmable electronic safety-related systems
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
GB/T 20438 consists of seven parts under the general title of Functional safety of electrical/electronic/programmable electronic safety-related systems:
——Part 1: General requirements;
——Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems;
——Part 3: Software requirements;
——Part 4: Definitions and abbreviations;
——Part 5: Examples of methods for the determination of safety integrity levels;
——Part 6: Guidelines on the application of GB/T 20438.2 and GB/T 20438.3;
——Part 7: Overview of techniques and measures.
This is Part 2 of GB/T 20438.
This part is developed in accordance with the rules given in GB/T 1.1-2009.
This part replaces GB/T 20438.2-2006 Functional safety of electrical/ electronic/ programmable electronic safety-related systems - Part 2: Requirements for electrical/ electronic/ programmable electronic safety-related systems and the following main technical changes have been made with respect to GB/T 20438.2-2006:
——ASIC development lifecycle is added (see Figure 3);
——Safety manual for compliant items is added (see Annex D).
This part, by means of translation, is identical to IEC 61508-2:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems.
This part was proposed by the China Machinery Industry Federation.
This part is under the jurisdiction of SAC/TC 124 National Technical Committee on Industrial Process Measurement and Control of Standardization Administration of China.
The previous edition of this part is as follow:
——GB/T 20438.2-2006.
Introduction
Systems comprised of electrical and/or electronic elements have been used for many years to perform safety functions in most application sectors. Computer-based systems (generically referred to as programmable electronic systems) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety functions. If computer system technology is to be effectively and safely exploited, it is essential that those responsible for making decisions have sufficient guidance on the safety aspects on which to make these decisions.
GB/T 20438 sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic (E/E/PE) elements that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy be developed for all electrically-based safety-related systems. A major objective is to facilitate the development of product and application sector standards based on the GB/T 20438 series.
Note 1: Examples of product and application sector standards based on the GB/T 20438 series are given in the Bibliography (see references [1], [2] and [3]).
In most situations, safety is achieved by a number of systems which rely on many technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy must therefore consider not only all the elements within an individual system (for example sensors, controlling devices and actuators) but also all the safety-related systems making up the total combination of safety-related systems. Therefore, while GB/T 20438 is concerned with E/E/PE safety-related systems, it may also provide a framework within which safety-related systems based on other technologies may be considered.
It is recognized that there is a great variety of applications using E/E/PE safety-related systems in a variety of application sectors and covering a wide range of complexity, hazard and risk potentials. In any particular application, the required safety measures will be dependent on many factors specific to the application. GB/T 20438, by being generic, will enable such measures to be formulated in future product and application sector standards and in revisions of those that already exist.
GB/T 20438
——considers all relevant overall, E/E/PE system and software safety lifecycle phases (for example, from initial concept, thorough design, implementation, operation and maintenance to decommissioning) when E/E/PE systems are used to perform safety functions;
——has been conceived with a rapidly developing technology in mind; the framework is sufficiently robust and comprehensive to cater for future developments;
——enables product and application sector standards, dealing with E/E/PE safety-related systems, to be developed; the development of product and application sector standards, within the framework of GB/T 20438, should lead to a high level of consistency (for example, of underlying principles, terminology etc.) both within application sectors and across application sectors; this will have both safety and economic benefits;
——provides a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems;
——adopts a risk-based approach by which the safety integrity requirements can be determined;
——introduces safety integrity levels for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems;
Note 2: GB/T 20438 does not specify the safety integrity level requirements for any safety function, nor does it mandate how the safety integrity level is determined. Instead it provides a risk-based conceptual framework and example techniques.
——sets target failure measures for safety functions carried out by E/E/PE safety-related systems, which are linked to the safety integrity levels;
——sets a lower limit on the target failure measures for a safety function carried out by a single E/E/PE safety-related system. For E/E/PE safety-related systems operating in
——a low demand mode of operation, the lower limit is set at an average probability of a dangerous failure on demand of 10-5;
——a high demand or a continuous mode of operation, the lower limit is set at an average frequency of a dangerous failure of 10-9/h;
Note 3: A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
Note 4: It may be possible to achieve designs of safety-related systems with lower values for the target safety integrity for non-complex systems, but these limits are considered to represent what can be achieved for relatively complex systems (for example programmable electronic safety-related systems) at the present time.
——sets requirements for the avoidance and control of systematic faults, which are based on experience and judgement from practical experience gained in industry. Even though the probability of occurrence of systematic failures cannot in general be quantified GB/T 20438 does, however, allow a claim to be made, for a specified safety function, that the target failure measure associated with the safety function can be considered to be achieved if all the requirements in the standard have been met;
——introduces systematic capability which applies to an element with respect to its confidence that the systematic safety integrity meets the requirements of the specified safety integrity level;
——adopts a broad range of principles, techniques and measures to achieve functional safety for E/E/PE safety-related systems, but does not explicitly use the concept of fail safe. However, the concepts of “fail safe” and “inherently safe” principles may be applicable and adoption of such concepts is acceptable providing the requirements of the relevant clauses in the standard are met.
Functional safety of electrical/ electronic/ programmable electronic safety-related systems - Part 2: Requirements for electrical/ electronic/ programmable electronic safety-related systems
1 Scope
1.1 This part of the GB/T 20438 series
a) is intended to be used only after a thorough understanding of GB/T 20438.1, which provides the overall framework for the achievement of functional safety;
b) applies to any safety-related system, as defined by GB/T 20438.1, that contains at least one electrical, electronic or programmable electronic element;
c) applies to all elements within an E/E/PE safety-related system (including sensors, actuators and the operator interface);
d) specifies how to refine the E/E/PE system safety requirements specification, developed in accordance with GB/T 20438.1 (comprising the E/E/PE system safety functions requirements specification and the E/E/PE system safety integrity requirements specification), into the E/E/PE system design requirements specification;
e) specifies the requirements for activities that are to be applied during the design and manufacture of the E/E/PE safety-related systems (i.e. establishes the E/E/PE system safety lifecycle model) except software, which is dealt with in GB/T 20438.3 (see Figures 2 to 4). These requirements include the application of techniques and measures that are graded against the safety integrity level, for the avoidance of, and control of, faults and failures;
f) specifies the information necessary for carrying out the installation, commissioning and final safety validation of the E/E/PE safety-related systems;
g) does not apply to the operation and maintenance phase of the E/E/PE safety-related systems - this is dealt with in GB/T 20438.1. However, this part does provide requirements for the preparation of information and procedures needed by the user for the operation and maintenance of the E/E/PE safety-related systems;
h) specifies requirements to be met by the organisation carrying out any modification of the E/E/PE safety-related systems;
Note 1: This part is mainly directed at suppliers and/or in-company engineering departments, hence the inclusion of requirements for modification.
Note 2: The relationship between this part and GB/T 20438.3 is illustrated in Figure 4.
i) does not apply for medical equipment in compliance with the IEC 60601 series.
1.2 GB/T 20438.1, GB/T 20438.2, GB/T 20438.3 and GB/T 20438.4 are basic safety publications, although this status does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.3 of GB/T 20438.4-2017). As basic safety publications, they are intended for use by technical committees in the preparation of standards in accordance with the principles contained in IEC Guide 104 and ISO/IEC Guide 51. GB/T 20438.1, GB/T 20438.2, GB/T 20438.3 and GB/T 20438.4 are also intended for use as stand-alone standards. The horizontal safety function of GB/T 20438 does not apply to medical equipment in compliance with the IEC 60601 series.
1.3 One of the responsibilities of a technical committee is, wherever applicable, to make use of basic safety publications in the preparation of its publications. In this context, the requirements, test methods or test conditions of this basic safety publication will not apply unless specifically referred to or included in the publications prepared by those technical committees.
Note: The functional safety of an E/E/PE safety-related system can only be achieved when all related requirements are met. Therefore, it is important that all related requirements are carefully considered and adequately referenced.
1.4 Figure 1 shows the overall framework of the GB/T 20438 series and indicates the role that this part plays in the achievement of functional safety for E/E/PE safety-related systems. Annex A of GB/T 20438.6-2017 describes the application of GB/T 20438.2 and GB/T 20438.3.
Figure 1 Overall framework of the GB/T 20438 series
?
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20438.1-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements (IEC 61508-1:2010, IDT)
GB/T 20438.3-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements (IEC 61508-3:2010, IDT)
GB/T 20438.4-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations (IEC 61508-4:2010, IDT)
GB/T 20438.7-2017 Functional safety of electrical/electronic/programmable electronic safety related systems - Part 7: Overview of techniques and measures (IEC 61508-7:2010, IDT)
IEC 60947-5-1 Low-voltage switchgear and controlgear - Part 5-1: Control circuit devices and switching elements - Electromechanical control circuit devices
IEC/TS 61000-1-2 Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena
IEC 61326-3-1 Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - General industrial applications
IEC 61784-3 Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions
IEC 62280-1 Railway applications - Communication, signalling and processing systems - Part 1: Safety-related communication in closed transmission systems
IEC 62280-2 Railway applications - Communication, signalling and processing systems - Part 2: Safety-related communication in open transmission systems
IEC Guide 104:1997 The preparation of safety publications and the use of basic safety publications and group safety publications
ISO/IEC Guide 51:1999 Safety aspects - Guidelines for their inclusion in standards
EN 50205 Relays with forcibly guided (mechanically linked) contacts
3 Definitions and abbreviations
For the purposes of this document, the definitions and abbreviations given in GB/T 20438.4-2017 apply.
4 Conformance to GB/T 20438
The requirements for conformance to GB/T 20438 are as detailed in Clause 4 of GB/T 20438.1-2017.
5 Documentation
The requirements for documentation are as detailed in Clause 5 of GB/T 20438.1-2017.
6 Management of functional safety
The requirements for management of functional safety are as detailed in Clause 6 of GB/T 20438.1-2017.
7 E/E/PE system safety lifecycle requirements
7.1 General
7.1.1 Objectives and requirements - general
7.1.1.1 This subclause sets out the objectives and requirements for the E/E/PE system safety lifecycle phases.
Note: The objectives and requirements for the overall safety lifecycle, together with a general introduction to the structure of the standard, are given in GB/T 20438.1.
7.1.1.2 For all phases of the E/E/PE system safety lifecycle, Table 1 indicates:
——the objectives to be achieved;
——the scope of the phase;
——a reference to the subclause containing the requirements;
——the required inputs to the phase;
——the outputs required to comply with the subclause.
?
7.1.2 Objectives
7.1.2.1 The first objective of the requirements of this subclause is to structure, in a systematic manner, the phases in the E/E/PE system safety lifecycle that shall be considered in order to achieve the required functional safety of the E/E/PE safety-related systems.
7.1.2.2 The second objective of the requirements of this subclause is to document all information relevant to the functional safety of the E/E/PE safety-related systems throughout the E/E/PE system safety lifecycle.
7.1.3 Requirements
7.1.3.1 The E/E/PE system safety lifecycle that shall be used in claiming conformance with GB/T 20438 is that specified in Figure 2. A detailed V-model of the ASIC development lifecycle for the design of ASICs (see GB/T 20438.4-2017, 3.2.15) is shown in Figure 3. If another E/E/PE system safety lifecycle or ASIC development lifecycle is used, it shall be specified as part of the management of functional safety activities (see Clause 6 of GB/T 20438.1-2017), and all the objectives and requirements of each subclause of GB/T 20438.2 shall be met.
Note 1: The relationship between and scope for GB/T 20438.2 and GB/T 20438.3 are shown in Figure 4.
Note 2: There are significant similarities between the ASIC and the software design processes. GB/T 20438.3 recommends the V-model for designing safety-related software. The V-model requires a clearly structured design process and a modular software structure for avoiding and controlling systematic faults. The ASIC development lifecycle for the design of ASICs in Figure 3 follows this model. At first the requirements for the ASIC specification are derived from the system requirements. ASIC architecture, ASIC design and module design follow. The results of each step on the left-hand side of the V become the input to the next step, and are also fed back to the preceding step for iteration where appropriate, until the final code is created. This code is verified against the corresponding design through post-layout simulation, module testing, module integration testing and verification of the complete ASIC. The results of any step may necessitate a revision to any of the preceding steps. Finally, the ASIC is validated after its integration into the E/E/PE safety-related system.
7.1.3.2 The procedures for management of functional safety (see Clause 6 of GB/T 20438.1-2017) shall run in parallel with the E/E/PE system safety lifecycle phases.
7.1.3.3 Each phase of the E/E/PE system safety lifecycle shall be divided into elementary activities, with the scope, inputs and outputs specified for each phase (see Table 1).
7.1.3.4 Unless justified as part of the management of functional safety activities (see Clause 6 of GB/T 20438.1-2017), the outputs of each phase of the E/E/PE system safety lifecycle shall be documented (see Clause 5 of GB/T 20438.1-2017).
7.1.3.5 The outputs for each E/E/PE system safety lifecycle phase shall meet the objectives and requirements specified for each phase (see 7.2 to 7.9).
Note 1: See also GB/T 20438.6-2017, A.2b).
Note 2: This figure shows only those phases of the E/E/PE system safety lifecycle that are within the realisation phase of the overall safety lifecycle. The complete E/E/PE system safety lifecycle will also contain instances, specific to the E/E/PE safety-related system, of the subsequent phases of the overall safety lifecycle (Boxes 12 to 16 in Figure 2 of GB/T 20438.1-2017).
Figure 2 E/E/PE system safety lifecycle (in realisation phase)
Figure 3 ASIC development lifecycle (the V-Model)
Figure 4 Relationship between and scope of GB/T 20438.2 and GB/T 20438.3
Table 1 Overview – realisation phase of the E/E/PE system safety lifecycle
Safety lifecycle phase or activity Objectives Scope Requirements subclause Inputs Outputs
Figure 2 box number Title
10.1 E/E/PE system design requirements specification To specify the design requirements for each E/E/PE safety-related system, in terms of the subsystems and elements (see 7.10.2 of GB/T 20438.1-2017) E/E/PE safety-related system 7.2.2 E/E/PE system safety requirements specification (see GB/T 20438.1-XXXX,
7.10) E/E/PE system design requirements specification, describing the equipment and architectures for the E/E/PE system
10.2 E/E/PE system safety validation planning To plan the validation of the safety of the E/E/PE safety-related system E/E/PE safety-related system 7.3.2 E/E/PE system safety requirements specification and E/E/PE system design requirements specification Plan for the safety validation of the E/E/PE safety-related systems
10.3 E/E/PE system design & development including ASICs & software (see Figure 3 & also GB/T 20438.3) To design and develop the E/E/PE safety-related system (including ASICs if appropriate) to meet the E/E/PE system design requirements specification (with respect to the safety functions requirements and the safety integrity requirements (see 7.2)) E/E/PE safety-related system 7.4.2 ~ 7.4.11 E/E/PE system design requirements specification Design of the E/E/PE safety related systems in conformance with the E/E/PE system design requirements specification; plan for the E/E/PE system integration test; PE system architectural information as an input to the software requirements specification
10.4 E/E/PE system integration To integrate and test the E/E/PE safety-related system E/E/PE safety-related system 7.5.2 E/E/PE system design; E/E/PE system integration test plan; programmable electronics hardware and software Fully functioning E/E/PE safety-related systems in conformance with the E/E/PE system design; results of E/E/PE system integration tests
10.5 E/E/PE system installation, commissioning, operation & maintenance procedures To develop procedures to ensure that the required functional safety of the E/E/PE safety-related system is maintained during operation and maintenance E/E/PE safety-related system; EUC 7.6.2 E/E/PE system design requirements specification; E/E/PE system design E/E/PE system installation, commissioning, operation and maintenance procedures for each individual E/E/PE system
10.6 E/E/PE system safety validation To validate that the E/E/PE safety-related system meets, in all respects, the requirements for safety in terms of the required safety functions and safety integrity E/E/PE safety-related system 7.7.2 E/E/PE system safety requirements specification and E/E/PE system design requirements specification; plan for the safety validation of the E/E/PE safety-related systems Fully safety validated E/E/PE safety-related systems; results of E/E/PE system safety validation
- E/E/PE system modification To make corrections, enhancements or adaptations to the E/E/PE safety-related system, ensuring that the required safety integrity is achieved and maintained E/E/PE safety-related system 7.8.2 E/E/PE system design requirements specification Results of E/E/PE system modification
- E/E/PE system verification To test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase E/E/PE safety-related system 7.9.2 As above - depends on the phase; plan for the verification of the E/E/PE safety-related systems for each phase As above - depends on the phase; results of the verification of the E/E/PE safety-related systems for each phase
- E/E/PE system functional safety assessment To investigate and arrive at a judgement on the functional safety achieved by the E/E/PE safety-related system E/E/PE safety-related system 8 Plan for E/E/PE system functional safety assessment Results of E/E/PE system functional safety assessment
7.2 E/E/PE system design requirements specification
Note: This phase is Box 10.1 of Figure 2.
7.2.1 Objective
The objective of the requirements of this subclause is to specify the design requirements for each E/E/PE safety-related system, in terms of the subsystems and elements.
Note: The E/E/PE system design requirements specification is normally derived from the E/E/PE system safety requirements specification by decomposing the safety functions and allocating parts of the safety function to subsystems (for example groups of sensors, logic solvers or actuators). The requirements for the subsystems may be included in the E/E/PE system design requirements specification or may be separate and referenced from the E/E/PE system design requirements specification. Subsystems may be further decomposed into elements and architectures to satisfy the design and development requirements of 7.4. The requirements for these elements may be included in the requirements for the subsystems or may be separate and referenced from the subsystem requirements.
7.2.2 General
7.2.2.1 The specification of the E/E/PE system design requirements shall be derived from the E/E/PE system safety requirements, specified in 7.10 of GB/T 20438.1-2017.
Note: Caution should be exercised if non-safety functions and safety functions are implemented in the same E/E/PE safety-related system. While this is allowed in the standard, it may lead to greater complexity and increase the difficulty in carrying out E/E/PE safety lifecycle activities (for example design, validation, functional safety assessment and maintenance). See also 7.4.2.3.
7.2.2.2 The specification of the E/E/PE system design requirements shall be expressed and structured in such a way that they are:
a) clear, precise, unambiguous, verifiable, testable, maintainable and feasible;
b) written to aid comprehension by those who are likely to utilise the information at any phase of the E/E/PE safety lifecycle;
c) traceable to the E/E/PE system safety requirements specification.
7.2.3 E/E/PE system design requirements specification
7.2.3.1 The specification of the E/E/PE system design requirements shall contain design requirements relating to safety functions (see 7.2.3.2) and design requirements relating to safety integrity (see 7.2.3.3).
7.2.3.2 The specification of the E/E/PE system design requirements shall contain details of all the hardware and software necessary to implement the required safety functions, as specified by the E/E/PE system safety functions requirements specification (see 7.10.2.6 of GB/T 20438.1-2017). The specification shall include, for each safety function:
a) requirements for the subsystems and requirements for their hardware and software elements as appropriate;
b) requirements for the integration of the subsystems and their hardware and software elements to meet the E/E/PE system safety functions requirements specification;
c) throughput performance that enables response time requirements to be met;
d) accuracy and stability requirements for measurements and controls;
e) E/E/PE safety-related system and operator interfaces;
f) interfaces between the E/E/PE safety-related systems and any other systems (either within, or outside, the EUC);
g) all modes of behaviour of the E/E/PE safety-related systems, in particular, failure behaviour and the required response (for example alarms, automatic shut-down) of the E/E/PE safety-related systems;
h) the significance of all hardware/software interactions and, where relevant, any required constraints between the hardware and the software;
Note: Where these interactions are not known before finishing the design, only general constraints can be stated.
i) any limiting and constraint conditions for the E/E/PE safety-related systems and their associated elements, for example timing constraints or constraints due to the possibility of common cause failures;
j) any specific requirements related to the procedures for starting-up and restarting the E/E/PE safety-related systems.
7.2.3.3 The specification of the E/E/PE system design requirements shall contain details, relevant to the design, to achieve the safety integrity level and the required target failure measure for the safety function, as specified by the E/E/PE system safety integrity requirements specification (see 7.10.2.7 of GB/T 20438.1-2017), including:
a) the architecture of each subsystem required to meet the architectural constraints on the hardware safety integrity (see 7.4.4);
b) all relevant reliability modelling parameters such as the required proof testing frequency of all hardware elements necessary to achieve the target failure measure;
Note 1: Information on the specific application cannot be understated (see 7.10.2.1 of GB/T 20438.1-2017). This is particularly important for maintenance, where the specified proof test interval should not be less than can be reasonably expected for the particular application. For example, the time between services that can be realistically attained for mass-produced items used by the public is likely to be greater than in a more controlled application.
c) the actions taken in the event of a dangerous failure being detected by diagnostics;
d) the requirements, constraints, functions and facilities to enable the proof testing of the E/E/PE hardware to be undertaken;
e) the capabilities of equipment used to meet the extremes of all environmental conditions (e.g. temperature, humidity, mechanical, electrical) that are specified as required during the E/E/PE system safety lifecycle including manufacture, storage, transport, testing, installation, commissioning, operation and maintenance;
f) the electromagnetic immunity levels that are required (see IEC/TS 61000-1-2:2008);
Note 2: The required immunity levels may vary for different elements of the safety-related system, depending on physical location and power supply arrangements.
Note 3: Guidance may be found in EMC product standards, but it is important to recognise that higher immunity levels, or additional immunity requirements, than those specified in such standards may be necessary for particular locations or when the equipment is intended for use in harsher, or different, electromagnetic environments.
g) the quality assurance/quality control measures necessary to safety management (see 6.2.5 of GB/T 20438.1-2017);
7.2.3.4 The E/E/PE system design requirements specification shall be completed in detail as the design progresses and updated as necessary after modification.
7.2.3.5 For the avoidance of mistakes during the development of the specification for the E/E/PE system design requirements, an appropriate group of techniques and measures according to Table B.1 shall be used.
7.2.3.6 The implications imposed on the architecture by the E/E/PE system design requirements shall be considered.
Note: This should include the consideration of the simplicity of the implementation to achieve the required safety integrity level (including architectural considerations and apportionment of functionality to configuration data or to the embedded system).
7.3 E/E/PE system safety validation planning
Note: This phase is Box 10.2 of Figure 2. It will normally be carried out in parallel with E/E/PE system design and development (see 7.4).
7.3.1 Objective
The objective of the requirements of this subclause is to plan the validation of the safety of the E/E/PE safety-related system.
7.3.2 Requirements
7.3.2.1 Planning shall be carried out to specify the steps (both procedural and technical) that are to be used to demonstrate that the E/E/PE safety-related system satisfies the E/E/PE system safety requirements specification (see 7.10 of GB/T 20438.1-2017) and the E/E/PE system design requirements specification (see 7.2).
Foreword i
Introduction ii
1 Scope
2 Normative references
3 Definitions and abbreviations
4 Conformance to GB/T
5 Documentation
6 Management of functional safety
7 E/E/PE system safety lifecycle requirements
7.1 General
7.2 E/E/PE system design requirements specification
7.3 E/E/PE system safety validation planning
7.4 E/E/PE system design and development
7.5 E/E/PE system integration
7.6 E/E/PE system operation and maintenance procedures
7.7 E/E/PE system safety validation
7.8 E/E/PE system modification
7.9 E/E/PE system verification
8 Functional safety assessment
Annex A (Normative) Techniques and measures for E/E/PE safety-related systems – control of failures during operation
Annex B (Normative) Techniques and measures for E/E/PE safety-related systems - avoidance of systematic failures during the different phases of the lifecycle
Annex C (Normative) Diagnostic coverage and safe failure fraction
Annex D (Normative) Safety manual for compliant items
Annex E (Normative) Special architecture requirements for integrated circuits (ICs) with on-chip redundancy
Annex F (Informative) Techniques and measures for ASICs – avoidance of systematic failures
Bibliography
Figure 1 Overall framework of the GB/T 20438 series
Figure 2 E/E/PE system safety lifecycle (in realisation phase)
Figure 3 ASIC development lifecycle (the V-Model)
Figure 4 Relationship between and scope of GB/T 20438.2 and GB/T
Figure 5 Determination of the maximum SIL for specified architecture (E/E/PE safety-related subsystem comprising a number of series elements, see 7.4.4.2.3)
Figure 6 Determination of the maximum SIL for specified architecture (E/E/PE safety-related subsystem comprised of two subsystems X & Y, see 7.4.4.2.4)
Figure 7 Architectures for data communication
Table 1 Overview – realisation phase of the E/E/PE system safety lifecycle
Table 2 Maximum allowable safety integrity level for a safety function carried out by a type A safety-related element or subsystem
Table 3 Maximum allowable safety integrity level for a safety function carried out by a type B safety-related element or subsystem
Table A.1 Faults or failures to be assumed when quantifying the effect of random hardware failures or to be taken into account in the derivation of safe failure fraction
Table A.2 Electrical components
Table A.3 Electronic components
Table A.4 Processing units
Table A.5 Invariable memory ranges
Table A.6 Variable memory ranges
Table A.7 I/O units and interface (external communication)
Table A.8 Data paths (internal communication)
Table A.9 Power supply
Table A.10 Program sequence (watch-dog)
Table A.11 Clock
Table A.12 Communication and mass storage
Table A.13 Sensors
Table A.14 Final elements (actuators)
Table A.15 Techniques and measures to control systematic failures caused by hardware design
Table A.16 Techniques and measures to control systematic failures caused by environmental stress or influences
Table A.17 Techniques and measures to control systematic operational failures
Table A.18 Effectiveness of techniques and measures to control systematic failures
Table B.1 Techniques and measures to avoid mistakes during specification of E/E/PE system design requirements (see 7.2)
Table B.2 Techniques and measures to avoid introducing faults during E/E/PE system design and development (see 7.4)
Table B.3 Techniques and measures to avoid faults during E/E/PE system integration (see 7.5)
Table B.4 Techniques and measures to avoid faults and failures during E/E/PE system operation and maintenance procedures (see 7.6)
Table B.5 Techniques and measures to avoid faults during E/E/PE system safety validation (see 7.7)
Table B.6 Effectiveness of techniques and measures to avoid systematic failures
Table E.1 Techniques and measures that increase βB-IC
Table E.2 Techniques and measures that decrease βB-IC
Table F.1 Techniques and measures to avoid introducing faults during ASIC’s design and development – full and semi-custom digital ASICs (see 7.4.6.7)
Table F.2 Techniques and measures to avoid introducing faults during ASIC design and development: User programmable ICs (FPGA/PLD/CPLD) (see 7.4.6.7)
電氣/電子/可編程電子安全相關系統的功能安全第2部分:電氣/電子/可編程電子安全相關系統的要求
1范圍
1.1 GB/T 20438的本部分
a)在使用前,應充分理解GB/T 20438.1,GB/T 20438.1提供了實現功能安全的總體框架;
b)適用于GB/T 20438.1定義的安全相關系統,安全相關系統至少包含一種電氣、電子或可編程電子組件;
c)適用于E/E/PE安全相關系統中的所有組件(包括傳感器、執行器和操作員界面);
d)規定了如何按照GB/T 20438.1定義的E/E/PE系統安全要求規范(由E/E/PE系統安全功能要求規范和E/E/PE系統安全完整性要求規范組成),開發出E/E/PE系統設計要求規范;
e)規定了在E/E/PE安全相關系統的設計和制造過程中(即建立E/E/PE系統安全生命周期模型)除軟件外所進行活動的要求,軟件要求在GB/T 20438.3(見圖2~圖4)中給出;這些要求包含了用以避免和控制故障和失效發生的技術和措施的應用,并被劃分成與安全完整性等級相對應的不同等級;
f)規定了執行E/E/PE安全相關系統的安裝、調試以及最終安全確認所需的信息;
g)不適用于E/E/PE安全相關系統的運行和維護階段,這方面內容在GB/T 20438.1中給出。但是,本部分為用戶提供了有關E/E/PE安全相關系統的運行和維護所需的信息和規程的準備要求;
h)規定了對E/E/PE安全相關系統進行各種修改的各方應滿足的要求;
注1:本部分主要直接面向供應商和/或公司內部的工程部門,因此包含了對修改的要求。
注2:本部分與GB/T 20438.3的關系見圖4。
i)不適用于符合IEC 60601的醫療設備。
1.2 GB/T 20438.1、GB/T 20438.2、GB/T 20438.3和GB/T 20438.4是基礎的安全標準,雖然它不是針對低復雜的E/E/PE安全相關系統(見GB/T 20438.4—2017的3.4.3),但作為基礎安全標準,各技術委員會可以在IEC指南104和ISO/IEC指南51的指導下制定相關標準時使用。GB/T 20438.1、GB/T 20438.2、GB/T 20438.3和GB/T 20438.4也可作為獨立標準來使用。GB/T 20438的橫向安全功能不適用于在IEC 60601系列指導下的醫療設備。
1.3各技術委員會的責任之一,是在其標準的起草工作中盡可能使用基礎的安全標準。在本部分中,本基礎安全標準中的要求、測試方法或測試條件只有在這些技術委員會起草的標準中已明確引用或包含時適用。
注:僅當所有相關要求得到滿足時,才能達到E/E/PE安全相關系統的功能安全。因此,認真考慮和充分引用所有相關要求是十分重要的。
1.4圖1表示了GB/T 20438的整體框架,同時指出了本部分在實現E/E/PE安全相關系統的功能安全過程中的作用。GB/T 20438.6—2017的附錄A詳述了GB/T 20438.2和GB/T 20438.3的應用。
技術要求
第1部分
編制整體安全要求(概念、范圍、定義、危險和風險分析)
7.1~7.5
第1部分
將安全要求分配給E/E/PE安全相關系統
7.6
第1部分
E/E/PE安全相關系統的系統安全要求規范
7.10
第2部分
E/E/PE安全相關系統的實現階段
第3部分
安全相關軟件的實現階段
第1部分
E/E/PE安全相關系統的安裝、調試和安全確認
7.13和7.14
第1部分
E/E/PE安全相關系統的操作、維護、修理、修改和改型、退役或處置
7.15~7.17
第5部分
確定安全完整性等級的方法示例
第6部分
第2部分和第3部分的應用指南
第7部分
技術和措施概述
其他要求
第4部分
定義和縮略語
第1部分
文檔
第5章和附錄A
第1部分
功能安全的管理
第6章
第1部分
功能安全評估
第8章
圖1 GB/T 20438的整體框架
2規范性引用文件
下列文件對于本文件的應用是必不可少的。凡是注日期的引用文件,僅注日期的版本適用于本文件。凡是不注日期的引用文件,其最新版本(包括所有的修改單)適用于本文件。
GB/T 20438.1—2017 電氣/電子/可編程電子安全相關系統的功能安全 第1部分:一般要求(IEC 61508-1:2010,IDT)
GB/T 20438.3—2017電氣/電子/可編程電子安全相關系統的功能安全 第3部分:軟件要求(IEC 61508-3:2010,IDT)
GB/T 20438.4—2017 電氣/電子/可編程電子安全相關系統的功能安全 第4部分:定義和縮略語(IEC 61508-4:2010,IDT)
GB/T 20438.7—2017 電氣/電子/可編程電子安全相關系統的功能安全 第7部分:技術和措施概述(IEC 61508-7:2010,IDT)
IEC 60947-5-1低壓開關設備和控制設備 第5-1部分:控制電路電器和開關元件 機電式控制電路電器(Low-voltage switchgear and controlgear—Part 5-1:Control circuit devices and switching el-ements—Electromechanical control circuit devices)
IEC/TS 61000-1-2電磁兼容性(EMC)第1-2部分:通則 電氣和電子系統包括帶有電磁現象設備的功能安全實現方法(Electromagnetic compatibility(EMC)—Part 1-2:General—Methodology for the achievement of functional safety of electrical and electronic systems including equipment with re-gard to electromagnetic phenomena)
IEC 61326-3-1測量、控制和實驗室用的電設備 電磁兼容性要求 第3-1部分:對于安全相關系統和打算執行安全相關功能(功能安全)設備的免疫要求 通用工業應用(Electrical equipment for measurement,control and laboratory use—EMC requirements—Part 3-1:Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions(functional safe-ty)—General industrial applications)
IEC 61784-3工業通信網絡 行規 第3部分:功能安全現場總線 通用規則和行規定義(IEC 61784-3,Industrial communication networks—Profiles—Part 3:Functional safety fieldbuses—General rules and profile definitions)
IEC 62280-1軌道交通 通信、信號和處理系統 第1部分:封閉式傳輸系統中的安全相關通信(Railway applications—Communication,signalling and processing systems—Part 1:Safety-related communication in closed transmission systems)
IEC 62280-2軌道交通 通信、信號和處理系統 第2部分:開放式傳輸系統中的安全相關通信(Railway applications—Communication,signalling and processing systems—Part 2:Safety-related communication in open transmission systems IEC Guide 104:1997,The preparation of safety publiea-lions and the use of basic safety publications and group safety publications)
IEC Guide 104:1997安全出版物的編寫及基礎安全出版物和多專業共用安全出版物的應用導則(The preparation of safety publications and the use of basic safety publications and group safety publi-cations)
ISO/IEC Guide 51:1999涉及安全的內容 將安全內容納入標準的指南(Safety aspects—Guide-lines for their inclusion in standards)
EN 50205 帶強制繼電器導向(機械鏈接)觸點(Relays with forcibly guided(mechanically linked)contacts)
3定義和縮略語
GB/T 20438.4—2017界定的定義和縮略語適用于本文件。
4與GB/T 20438的符合性
本部分對GB/T 20438的符合性要求,詳見GB/T 20438.1—2017的第4章。
5文檔
本部分對文檔的要求,詳見GB/T 20438.1—2017的第5章。
6功能安全管理
本部分對功能安全管理的要求,詳見GB/T 20438.1—2017的第6章。
7 E/E/PE系統安全生命周期要求
7.1概述
7.1.1 目的和要求:概述
7.1.1.1 7.1闡述E/E/PE系統安全生命周期各階段的目的和要求。
注:整體安全生命周期的目的和要求以及標準結構的簡述在GB/T 20438.1中給出。
7.1.1.2對于E/E/PE系統安全生命周期的所有階段,表1給出了:
——需要達到的目的;
——各階段的范圍;
——要求所在的條款;
——各階段所要求的輸入;
——符合條款要求的輸出。
7.1.2 目的
7.1.2.1 7.1的第一個目的是以系統化的方式構造應考慮的E/E/PE系統安全生命周期的各階段,以實現E/E/PE安全相關系統所需的功能安全。
7.1.2.2 7.1的第二個目的是將貫穿于E/E/PE系統安全生命周期的有關E/E/PE安全相關系統功能安全的所有信息建立文檔。
7.1.3要求
7.1.3.1用來聲明符合GB/T 20438的E/E/PE系統安全生命周期如圖2所示。用于ASIC設計(見GB/T 20438.4—2017的3.2.15)的ASIC開發生命周期的一個詳細的V模型如圖3所示。如果采用其他E/E/PE系統安全生命周期或ASIC開發生命周期,則應作為功能安全活動管理的一部分(見GB/T 20438.1—2017第6章)加以說明,并應滿足GB/T 20438.2所有條款的目的和要求。
