Functional safety of electrical/electronic/programmable electronic safety-related systems—Part 2:Requirements for electrical/electronic/programmable electronic safety-related systems
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
GB/T 20438 consists of seven parts under the general title of Functional safety of electrical/electronic/programmable electronic safety-related systems:
——Part 1: General requirements;
——Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems;
——Part 3: Software requirements;
——Part 4: Definitions and abbreviations;
——Part 5: Examples of methods for the determination of safety integrity levels;
——Part 6: Guidelines on the application of GB/T 20438.2 and GB/T 20438.3;
——Part 7: Overview of techniques and measures.
This is Part 2 of GB/T 20438.
This part is developed in accordance with the rules given in GB/T 1.1-2009.
This part replaces GB/T 20438.2-2006 Functional safety of electrical/ electronic/ programmable electronic safety-related systems - Part 2: Requirements for electrical/ electronic/ programmable electronic safety-related systems and the following main technical changes have been made with respect to GB/T 20438.2-2006:
——ASIC development lifecycle is added (see Figure 3);
——Safety manual for compliant items is added (see Annex D).
This part, by means of translation, is identical to IEC 61508-2:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems.
This part was proposed by the China Machinery Industry Federation.
This part is under the jurisdiction of SAC/TC 124 National Technical Committee on Industrial Process Measurement and Control of Standardization Administration of China.
The previous edition of this part is as follow:
——GB/T 20438.2-2006.
Introduction
Systems comprised of electrical and/or electronic elements have been used for many years to perform safety functions in most application sectors. Computer-based systems (generically referred to as programmable electronic systems) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety functions. If computer system technology is to be effectively and safely exploited, it is essential that those responsible for making decisions have sufficient guidance on the safety aspects on which to make these decisions.
GB/T 20438 sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic (E/E/PE) elements that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy be developed for all electrically-based safety-related systems. A major objective is to facilitate the development of product and application sector standards based on the GB/T 20438 series.
Note 1: Examples of product and application sector standards based on the GB/T 20438 series are given in the Bibliography (see references [1], [2] and [3]).
In most situations, safety is achieved by a number of systems which rely on many technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy must therefore consider not only all the elements within an individual system (for example sensors, controlling devices and actuators) but also all the safety-related systems making up the total combination of safety-related systems. Therefore, while GB/T 20438 is concerned with E/E/PE safety-related systems, it may also provide a framework within which safety-related systems based on other technologies may be considered.
It is recognized that there is a great variety of applications using E/E/PE safety-related systems in a variety of application sectors and covering a wide range of complexity, hazard and risk potentials. In any particular application, the required safety measures will be dependent on many factors specific to the application. GB/T 20438, by being generic, will enable such measures to be formulated in future product and application sector standards and in revisions of those that already exist.
GB/T 20438
——considers all relevant overall, E/E/PE system and software safety lifecycle phases (for example, from initial concept, thorough design, implementation, operation and maintenance to decommissioning) when E/E/PE systems are used to perform safety functions;
——has been conceived with a rapidly developing technology in mind; the framework is sufficiently robust and comprehensive to cater for future developments;
——enables product and application sector standards, dealing with E/E/PE safety-related systems, to be developed; the development of product and application sector standards, within the framework of GB/T 20438, should lead to a high level of consistency (for example, of underlying principles, terminology etc.) both within application sectors and across application sectors; this will have both safety and economic benefits;
——provides a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems;
——adopts a risk-based approach by which the safety integrity requirements can be determined;
——introduces safety integrity levels for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems;
Note 2: GB/T 20438 does not specify the safety integrity level requirements for any safety function, nor does it mandate how the safety integrity level is determined. Instead it provides a risk-based conceptual framework and example techniques.
——sets target failure measures for safety functions carried out by E/E/PE safety-related systems, which are linked to the safety integrity levels;
——sets a lower limit on the target failure measures for a safety function carried out by a single E/E/PE safety-related system. For E/E/PE safety-related systems operating in
——a low demand mode of operation, the lower limit is set at an average probability of a dangerous failure on demand of 10-5;
——a high demand or a continuous mode of operation, the lower limit is set at an average frequency of a dangerous failure of 10-9/h;
Note 3: A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
Note 4: It may be possible to achieve designs of safety-related systems with lower values for the target safety integrity for non-complex systems, but these limits are considered to represent what can be achieved for relatively complex systems (for example programmable electronic safety-related systems) at the present time.
——sets requirements for the avoidance and control of systematic faults, which are based on experience and judgement from practical experience gained in industry. Even though the probability of occurrence of systematic failures cannot in general be quantified GB/T 20438 does, however, allow a claim to be made, for a specified safety function, that the target failure measure associated with the safety function can be considered to be achieved if all the requirements in the standard have been met;
——introduces systematic capability which applies to an element with respect to its confidence that the systematic safety integrity meets the requirements of the specified safety integrity level;
——adopts a broad range of principles, techniques and measures to achieve functional safety for E/E/PE safety-related systems, but does not explicitly use the concept of fail safe. However, the concepts of “fail safe” and “inherently safe” principles may be applicable and adoption of such concepts is acceptable providing the requirements of the relevant clauses in the standard are met.
Functional safety of electrical/ electronic/ programmable electronic safety-related systems - Part 2: Requirements for electrical/ electronic/ programmable electronic safety-related systems
1 Scope
1.1 This part of the GB/T 20438 series
a) is intended to be used only after a thorough understanding of GB/T 20438.1, which provides the overall framework for the achievement of functional safety;
b) applies to any safety-related system, as defined by GB/T 20438.1, that contains at least one electrical, electronic or programmable electronic element;
c) applies to all elements within an E/E/PE safety-related system (including sensors, actuators and the operator interface);
d) specifies how to refine the E/E/PE system safety requirements specification, developed in accordance with GB/T 20438.1 (comprising the E/E/PE system safety functions requirements specification and the E/E/PE system safety integrity requirements specification), into the E/E/PE system design requirements specification;
e) specifies the requirements for activities that are to be applied during the design and manufacture of the E/E/PE safety-related systems (i.e. establishes the E/E/PE system safety lifecycle model) except software, which is dealt with in GB/T 20438.3 (see Figures 2 to 4). These requirements include the application of techniques and measures that are graded against the safety integrity level, for the avoidance of, and control of, faults and failures;
f) specifies the information necessary for carrying out the installation, commissioning and final safety validation of the E/E/PE safety-related systems;
g) does not apply to the operation and maintenance phase of the E/E/PE safety-related systems - this is dealt with in GB/T 20438.1. However, this part does provide requirements for the preparation of information and procedures needed by the user for the operation and maintenance of the E/E/PE safety-related systems;
h) specifies requirements to be met by the organisation carrying out any modification of the E/E/PE safety-related systems;
Note 1: This part is mainly directed at suppliers and/or in-company engineering departments, hence the inclusion of requirements for modification.
Note 2: The relationship between this part and GB/T 20438.3 is illustrated in Figure 4.
i) does not apply for medical equipment in compliance with the IEC 60601 series.
1.2 GB/T 20438.1, GB/T 20438.2, GB/T 20438.3 and GB/T 20438.4 are basic safety publications, although this status does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.3 of GB/T 20438.4-2017). As basic safety publications, they are intended for use by technical committees in the preparation of standards in accordance with the principles contained in IEC Guide 104 and ISO/IEC Guide 51. GB/T 20438.1, GB/T 20438.2, GB/T 20438.3 and GB/T 20438.4 are also intended for use as stand-alone standards. The horizontal safety function of GB/T 20438 does not apply to medical equipment in compliance with the IEC 60601 series.
1.3 One of the responsibilities of a technical committee is, wherever applicable, to make use of basic safety publications in the preparation of its publications. In this context, the requirements, test methods or test conditions of this basic safety publication will not apply unless specifically referred to or included in the publications prepared by those technical committees.
Note: The functional safety of an E/E/PE safety-related system can only be achieved when all related requirements are met. Therefore, it is important that all related requirements are carefully considered and adequately referenced.
1.4 Figure 1 shows the overall framework of the GB/T 20438 series and indicates the role that this part plays in the achievement of functional safety for E/E/PE safety-related systems. Annex A of GB/T 20438.6-2017 describes the application of GB/T 20438.2 and GB/T 20438.3.
Figure 1 Overall framework of the GB/T 20438 series
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20438.1-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements (IEC 61508-1:2010, IDT)
GB/T 20438.3-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements (IEC 61508-3:2010, IDT)
GB/T 20438.4-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations (IEC 61508-4:2010, IDT)
GB/T 20438.7-2017 Functional safety of electrical/electronic/programmable electronic safety related systems - Part 7: Overview of techniques and measures (IEC 61508-7:2010, IDT)
IEC 60947-5-1 Low-voltage switchgear and controlgear - Part 5-1: Control circuit devices and switching elements - Electromechanical control circuit devices
IEC/TS 61000-1-2 Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena
IEC 61326-3-1 Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - General industrial applications
IEC 61784-3 Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions
IEC 62280-1 Railway applications - Communication, signalling and processing systems - Part 1: Safety-related communication in closed transmission systems
IEC 62280-2 Railway applications - Communication, signalling and processing systems - Part 2: Safety-related communication in open transmission systems
IEC Guide 104:1997 The preparation of safety publications and the use of basic safety publications and group safety publications
ISO/IEC Guide 51:1999 Safety aspects - Guidelines for their inclusion in standards
EN 50205 Relays with forcibly guided (mechanically linked) contacts
3 Definitions and abbreviations
For the purposes of this document, the definitions and abbreviations given in GB/T 20438.4-2017 apply.
4 Conformance to GB/T 20438
The requirements for conformance to GB/T 20438 are as detailed in Clause 4 of GB/T 20438.1-2017.
5 Documentation
The requirements for documentation are as detailed in Clause 5 of GB/T 20438.1-2017.
6 Management of functional safety
The requirements for management of functional safety are as detailed in Clause 6 of GB/T 20438.1-2017.
7 E/E/PE system safety lifecycle requirements
7.1 General
7.1.1 Objectives and requirements - general
7.1.1.1 This subclause sets out the objectives and requirements for the E/E/PE system safety lifecycle phases.
Note: The objectives and requirements for the overall safety lifecycle, together with a general introduction to the structure of the standard, are given in GB/T 20438.1.
7.1.1.2 For all phases of the E/E/PE system safety lifecycle, Table 1 indicates:
——the objectives to be achieved;
——the scope of the phase;
——a reference to the subclause containing the requirements;
——the required inputs to the phase;
——the outputs required to comply with the subclause.
7.1.2 Objectives
7.1.2.1 The first objective of the requirements of this subclause is to structure, in a systematic manner, the phases in the E/E/PE system safety lifecycle that shall be considered in order to achieve the required functional safety of the E/E/PE safety-related systems.
7.1.2.2 The second objective of the requirements of this subclause is to document all information relevant to the functional safety of the E/E/PE safety-related systems throughout the E/E/PE system safety lifecycle.
7.1.3 Requirements
7.1.3.1 The E/E/PE system safety lifecycle that shall be used in claiming conformance with GB/T 20438 is that specified in Figure 2. A detailed V-model of the ASIC development lifecycle for the design of ASICs (see GB/T 20438.4-2017, 3.2.15) is shown in Figure 3. If another E/E/PE system safety lifecycle or ASIC development lifecycle is used, it shall be specified as part of the management of functional safety activities (see Clause 6 of GB/T 20438.1-2017), and all the objectives and requirements of each subclause of GB/T 20438.2 shall be met.
Note 1: The relationship between and scope for GB/T 20438.2 and GB/T 20438.3 are shown in Figure 4.
Note 2: There are significant similarities between the ASIC and the software design processes. GB/T 20438.3 recommends the V-model for designing safety-related software. The V-model requires a clearly structured design process and a modular software structure for avoiding and controlling systematic faults. The ASIC development lifecycle for the design of ASICs in Figure 3 follows this model. At first the requirements for the ASIC specification are derived from the system requirements. ASIC architecture, ASIC design and module design follow. The results of each step on the left-hand side of the V become the input to the next step, and are also fed back to the preceding step for iteration where appropriate, until the final code is created. This code is verified against the corresponding design through post-layout simulation, module testing, module integration testing and verification of the complete ASIC. The results of any step may necessitate a revision to any of the preceding steps. Finally, the ASIC is validated after its integration into the E/E/PE safety-related system.
7.1.3.2 The procedures for management of functional safety (see Clause 6 of GB/T 20438.1-2017) shall run in parallel with the E/E/PE system safety lifecycle phases.
7.1.3.3 Each phase of the E/E/PE system safety lifecycle shall be divided into elementary activities, with the scope, inputs and outputs specified for each phase (see Table 1).
7.1.3.4 Unless justified as part of the management of functional safety activities (see Clause 6 of GB/T 20438.1-2017), the outputs of each phase of the E/E/PE system safety lifecycle shall be documented (see Clause 5 of GB/T 20438.1-2017).
7.1.3.5 The outputs for each E/E/PE system safety lifecycle phase shall meet the objectives and requirements specified for each phase (see 7.2 to 7.9).
Note 1: See also GB/T 20438.6-2017, A.2b).
Note 2: This figure shows only those phases of the E/E/PE system safety lifecycle that are within the realisation phase of the overall safety lifecycle. The complete E/E/PE system safety lifecycle will also contain instances, specific to the E/E/PE safety-related system, of the subsequent phases of the overall safety lifecycle (Boxes 12 to 16 in Figure 2 of GB/T 20438.1-2017).
Figure 2 E/E/PE system safety lifecycle (in realisation phase)
Figure 3 ASIC development lifecycle (the V-Model)
Figure 4 Relationship between and scope of GB/T 20438.2 and GB/T 20438.3
Table 1 Overview – realisation phase of the E/E/PE system safety lifecycle
Safety lifecycle phase or activity Objectives Scope Requirements subclause Inputs Outputs
Figure 2 box number Title
10.1 E/E/PE system design requirements specification To specify the design requirements for each E/E/PE safety-related system, in terms of the subsystems and elements (see 7.10.2 of GB/T 20438.1-2017) E/E/PE safety-related system 7.2.2 E/E/PE system safety requirements specification (see GB/T 20438.1-XXXX,
7.10) E/E/PE system design requirements specification, describing the equipment and architectures for the E/E/PE system
10.2 E/E/PE system safety validation planning To plan the validation of the safety of the E/E/PE safety-related system E/E/PE safety-related system 7.3.2 E/E/PE system safety requirements specification and E/E/PE system design requirements specification Plan for the safety validation of the E/E/PE safety-related systems
10.3 E/E/PE system design & development including ASICs & software (see Figure 3 & also GB/T 20438.3) To design and develop the E/E/PE safety-related system (including ASICs if appropriate) to meet the E/E/PE system design requirements specification (with respect to the safety functions requirements and the safety integrity requirements (see 7.2)) E/E/PE safety-related system 7.4.2 ~ 7.4.11 E/E/PE system design requirements specification Design of the E/E/PE safety related systems in conformance with the E/E/PE system design requirements specification; plan for the E/E/PE system integration test; PE system architectural information as an input to the software requirements specification
10.4 E/E/PE system integration To integrate and test the E/E/PE safety-related system E/E/PE safety-related system 7.5.2 E/E/PE system design; E/E/PE system integration test plan; programmable electronics hardware and software Fully functioning E/E/PE safety-related systems in conformance with the E/E/PE system design; results of E/E/PE system integration tests
10.5 E/E/PE system installation, commissioning, operation & maintenance procedures To develop procedures to ensure that the required functional safety of the E/E/PE safety-related system is maintained during operation and maintenance E/E/PE safety-related system; EUC 7.6.2 E/E/PE system design requirements specification; E/E/PE system design E/E/PE system installation, commissioning, operation and maintenance procedures for each individual E/E/PE system
10.6 E/E/PE system safety validation To validate that the E/E/PE safety-related system meets, in all respects, the requirements for safety in terms of the required safety functions and safety integrity E/E/PE safety-related system 7.7.2 E/E/PE system safety requirements specification and E/E/PE system design requirements specification; plan for the safety validation of the E/E/PE safety-related systems Fully safety validated E/E/PE safety-related systems; results of E/E/PE system safety validation
- E/E/PE system modification To make corrections, enhancements or adaptations to the E/E/PE safety-related system, ensuring that the required safety integrity is achieved and maintained E/E/PE safety-related system 7.8.2 E/E/PE system design requirements specification Results of E/E/PE system modification
- E/E/PE system verification To test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase E/E/PE safety-related system 7.9.2 As above - depends on the phase; plan for the verification of the E/E/PE safety-related systems for each phase As above - depends on the phase; results of the verification of the E/E/PE safety-related systems for each phase
- E/E/PE system functional safety assessment To investigate and arrive at a judgement on the functional safety achieved by the E/E/PE safety-related system E/E/PE safety-related system 8 Plan for E/E/PE system functional safety assessment Results of E/E/PE system functional safety assessment
7.2 E/E/PE system design requirements specification
Note: This phase is Box 10.1 of Figure 2.
7.2.1 Objective
The objective of the requirements of this subclause is to specify the design requirements for each E/E/PE safety-related system, in terms of the subsystems and elements.
Note: The E/E/PE system design requirements specification is normally derived from the E/E/PE system safety requirements specification by decomposing the safety functions and allocating parts of the safety function to subsystems (for example groups of sensors, logic solvers or actuators). The requirements for the subsystems may be included in the E/E/PE system design requirements specification or may be separate and referenced from the E/E/PE system design requirements specification. Subsystems may be further decomposed into elements and architectures to satisfy the design and development requirements of 7.4. The requirements for these elements may be included in the requirements for the subsystems or may be separate and referenced from the subsystem requirements.
7.2.2 General
7.2.2.1 The specification of the E/E/PE system design requirements shall be derived from the E/E/PE system safety requirements, specified in 7.10 of GB/T 20438.1-2017.
Note: Caution should be exercised if non-safety functions and safety functions are implemented in the same E/E/PE safety-related system. While this is allowed in the standard, it may lead to greater complexity and increase the difficulty in carrying out E/E/PE safety lifecycle activities (for example design, validation, functional safety assessment and maintenance). See also 7.4.2.3.
7.2.2.2 The specification of the E/E/PE system design requirements shall be expressed and structured in such a way that they are:
a) clear, precise, unambiguous, verifiable, testable, maintainable and feasible;
b) written to aid comprehension by those who are likely to utilise the information at any phase of the E/E/PE safety lifecycle;
c) traceable to the E/E/PE system safety requirements specification.
7.2.3 E/E/PE system design requirements specification
7.2.3.1 The specification of the E/E/PE system design requirements shall contain design requirements relating to safety functions (see 7.2.3.2) and design requirements relating to safety integrity (see 7.2.3.3).
7.2.3.2 The specification of the E/E/PE system design requirements shall contain details of all the hardware and software necessary to implement the required safety functions, as specified by the E/E/PE system safety functions requirements specification (see 7.10.2.6 of GB/T 20438.1-2017). The specification shall include, for each safety function:
a) requirements for the subsystems and requirements for their hardware and software elements as appropriate;
b) requirements for the integration of the subsystems and their hardware and software elements to meet the E/E/PE system safety functions requirements specification;
c) throughput performance that enables response time requirements to be met;
d) accuracy and stability requirements for measurements and controls;
e) E/E/PE safety-related system and operator interfaces;
f) interfaces between the E/E/PE safety-related systems and any other systems (either within, or outside, the EUC);
g) all modes of behaviour of the E/E/PE safety-related systems, in particular, failure behaviour and the required response (for example alarms, automatic shut-down) of the E/E/PE safety-related systems;
h) the significance of all hardware/software interactions and, where relevant, any required constraints between the hardware and the software;
Note: Where these interactions are not known before finishing the design, only general constraints can be stated.
i) any limiting and constraint conditions for the E/E/PE safety-related systems and their associated elements, for example timing constraints or constraints due to the possibility of common cause failures;
j) any specific requirements related to the procedures for starting-up and restarting the E/E/PE safety-related systems.
7.2.3.3 The specification of the E/E/PE system design requirements shall contain details, relevant to the design, to achieve the safety integrity level and the required target failure measure for the safety function, as specified by the E/E/PE system safety integrity requirements specification (see 7.10.2.7 of GB/T 20438.1-2017), including:
a) the architecture of each subsystem required to meet the architectural constraints on the hardware safety integrity (see 7.4.4);
b) all relevant reliability modelling parameters such as the required proof testing frequency of all hardware elements necessary to achieve the target failure measure;
Note 1: Information on the specific application cannot be understated (see 7.10.2.1 of GB/T 20438.1-2017). This is particularly important for maintenance, where the specified proof test interval should not be less than can be reasonably expected for the particular application. For example, the time between services that can be realistically attained for mass-produced items used by the public is likely to be greater than in a more controlled application.
c) the actions taken in the event of a dangerous failure being detected by diagnostics;
d) the requirements, constraints, functions and facilities to enable the proof testing of the E/E/PE hardware to be undertaken;
e) the capabilities of equipment used to meet the extremes of all environmental conditions (e.g. temperature, humidity, mechanical, electrical) that are specified as required during the E/E/PE system safety lifecycle including manufacture, storage, transport, testing, installation, commissioning, operation and maintenance;
f) the electromagnetic immunity levels that are required (see IEC/TS 61000-1-2:2008);
Note 2: The required immunity levels may vary for different elements of the safety-related system, depending on physical location and power supply arrangements.
Note 3: Guidance may be found in EMC product standards, but it is important to recognise that higher immunity levels, or additional immunity requirements, than those specified in such standards may be necessary for particular locations or when the equipment is intended for use in harsher, or different, electromagnetic environments.
g) the quality assurance/quality control measures necessary to safety management (see 6.2.5 of GB/T 20438.1-2017);
7.2.3.4 The E/E/PE system design requirements specification shall be completed in detail as the design progresses and updated as necessary after modification.
7.2.3.5 For the avoidance of mistakes during the development of the specification for the E/E/PE system design requirements, an appropriate group of techniques and measures according to Table B.1 shall be used.
7.2.3.6 The implications imposed on the architecture by the E/E/PE system design requirements shall be considered.
Note: This should include the consideration of the simplicity of the implementation to achieve the required safety integrity level (including architectural considerations and apportionment of functionality to configuration data or to the embedded system).
7.3 E/E/PE system safety validation planning
Note: This phase is Box 10.2 of Figure 2. It will normally be carried out in parallel with E/E/PE system design and development (see 7.4).
7.3.1 Objective
The objective of the requirements of this subclause is to plan the validation of the safety of the E/E/PE safety-related system.
7.3.2 Requirements
7.3.2.1 Planning shall be carried out to specify the steps (both procedural and technical) that are to be used to demonstrate that the E/E/PE safety-related system satisfies the E/E/PE system safety requirements specification (see 7.10 of GB/T 20438.1-2017) and the E/E/PE system design requirements specification (see 7.2).
Foreword i
Introduction ii
1 Scope
2 Normative references
3 Definitions and abbreviations
4 Conformance to GB/T
5 Documentation
6 Management of functional safety
7 E/E/PE system safety lifecycle requirements
7.1 General
7.2 E/E/PE system design requirements specification
7.3 E/E/PE system safety validation planning
7.4 E/E/PE system design and development
7.5 E/E/PE system integration
7.6 E/E/PE system operation and maintenance procedures
7.7 E/E/PE system safety validation
7.8 E/E/PE system modification
7.9 E/E/PE system verification
8 Functional safety assessment
Annex A (Normative) Techniques and measures for E/E/PE safety-related systems – control of failures during operation
Annex B (Normative) Techniques and measures for E/E/PE safety-related systems - avoidance of systematic failures during the different phases of the lifecycle
Annex C (Normative) Diagnostic coverage and safe failure fraction
Annex D (Normative) Safety manual for compliant items
Annex E (Normative) Special architecture requirements for integrated circuits (ICs) with on-chip redundancy
Annex F (Informative) Techniques and measures for ASICs – avoidance of systematic failures
Bibliography
Figure 1 Overall framework of the GB/T 20438 series
Figure 2 E/E/PE system safety lifecycle (in realisation phase)
Figure 3 ASIC development lifecycle (the V-Model)
Figure 4 Relationship between and scope of GB/T 20438.2 and GB/T
Figure 5 Determination of the maximum SIL for specified architecture (E/E/PE safety-related subsystem comprising a number of series elements, see 7.4.4.2.3)
Figure 6 Determination of the maximum SIL for specified architecture (E/E/PE safety-related subsystem comprised of two subsystems X & Y, see 7.4.4.2.4)
Figure 7 Architectures for data communication
Table 1 Overview – realisation phase of the E/E/PE system safety lifecycle
Table 2 Maximum allowable safety integrity level for a safety function carried out by a type A safety-related element or subsystem
Table 3 Maximum allowable safety integrity level for a safety function carried out by a type B safety-related element or subsystem
Table A.1 Faults or failures to be assumed when quantifying the effect of random hardware failures or to be taken into account in the derivation of safe failure fraction
Table A.2 Electrical components
Table A.3 Electronic components
Table A.4 Processing units
Table A.5 Invariable memory ranges
Table A.6 Variable memory ranges
Table A.7 I/O units and interface (external communication)
Table A.8 Data paths (internal communication)
Table A.9 Power supply
Table A.10 Program sequence (watch-dog)
Table A.11 Clock
Table A.12 Communication and mass storage
Table A.13 Sensors
Table A.14 Final elements (actuators)
Table A.15 Techniques and measures to control systematic failures caused by hardware design
Table A.16 Techniques and measures to control systematic failures caused by environmental stress or influences
Table A.17 Techniques and measures to control systematic operational failures
Table A.18 Effectiveness of techniques and measures to control systematic failures
Table B.1 Techniques and measures to avoid mistakes during specification of E/E/PE system design requirements (see 7.2)
Table B.2 Techniques and measures to avoid introducing faults during E/E/PE system design and development (see 7.4)
Table B.3 Techniques and measures to avoid faults during E/E/PE system integration (see 7.5)
Table B.4 Techniques and measures to avoid faults and failures during E/E/PE system operation and maintenance procedures (see 7.6)
Table B.5 Techniques and measures to avoid faults during E/E/PE system safety validation (see 7.7)
Table B.6 Effectiveness of techniques and measures to avoid systematic failures
Table E.1 Techniques and measures that increase βB-IC
Table E.2 Techniques and measures that decrease βB-IC
Table F.1 Techniques and measures to avoid introducing faults during ASIC’s design and development – full and semi-custom digital ASICs (see 7.4.6.7)
Table F.2 Techniques and measures to avoid introducing faults during ASIC design and development: User programmable ICs (FPGA/PLD/CPLD) (see 7.4.6.7)
电气/电子/可编程电子安全相关系统的功能安全第2部分:电气/电子/可编程电子安全相关系统的要求
1范围
1.1 GB/T 20438的本部分
a)在使用前,应充分理解GB/T 20438.1,GB/T 20438.1提供了实现功能安全的总体框架;
b)适用于GB/T 20438.1定义的安全相关系统,安全相关系统至少包含一种电气、电子或可编程电子组件;
c)适用于E/E/PE安全相关系统中的所有组件(包括传感器、执行器和操作员界面);
d)规定了如何按照GB/T 20438.1定义的E/E/PE系统安全要求规范(由E/E/PE系统安全功能要求规范和E/E/PE系统安全完整性要求规范组成),开发出E/E/PE系统设计要求规范;
e)规定了在E/E/PE安全相关系统的设计和制造过程中(即建立E/E/PE系统安全生命周期模型)除软件外所进行活动的要求,软件要求在GB/T 20438.3(见图2~图4)中给出;这些要求包含了用以避免和控制故障和失效发生的技术和措施的应用,并被划分成与安全完整性等级相对应的不同等级;
f)规定了执行E/E/PE安全相关系统的安装、调试以及最终安全确认所需的信息;
g)不适用于E/E/PE安全相关系统的运行和维护阶段,这方面内容在GB/T 20438.1中给出。但是,本部分为用户提供了有关E/E/PE安全相关系统的运行和维护所需的信息和规程的准备要求;
h)规定了对E/E/PE安全相关系统进行各种修改的各方应满足的要求;
注1:本部分主要直接面向供应商和/或公司内部的工程部门,因此包含了对修改的要求。
注2:本部分与GB/T 20438.3的关系见图4。
i)不适用于符合IEC 60601的医疗设备。
1.2 GB/T 20438.1、GB/T 20438.2、GB/T 20438.3和GB/T 20438.4是基础的安全标准,虽然它不是针对低复杂的E/E/PE安全相关系统(见GB/T 20438.4—2017的3.4.3),但作为基础安全标准,各技术委员会可以在IEC指南104和ISO/IEC指南51的指导下制定相关标准时使用。GB/T 20438.1、GB/T 20438.2、GB/T 20438.3和GB/T 20438.4也可作为独立标准来使用。GB/T 20438的横向安全功能不适用于在IEC 60601系列指导下的医疗设备。
1.3各技术委员会的责任之一,是在其标准的起草工作中尽可能使用基础的安全标准。在本部分中,本基础安全标准中的要求、测试方法或测试条件只有在这些技术委员会起草的标准中已明确引用或包含时适用。
注:仅当所有相关要求得到满足时,才能达到E/E/PE安全相关系统的功能安全。因此,认真考虑和充分引用所有相关要求是十分重要的。
1.4图1表示了GB/T 20438的整体框架,同时指出了本部分在实现E/E/PE安全相关系统的功能安全过程中的作用。GB/T 20438.6—2017的附录A详述了GB/T 20438.2和GB/T 20438.3的应用。
技术要求
第1部分
编制整体安全要求(概念、范围、定义、危险和风险分析)
7.1~7.5
第1部分
将安全要求分配给E/E/PE安全相关系统
7.6
第1部分
E/E/PE安全相关系统的系统安全要求规范
7.10
第2部分
E/E/PE安全相关系统的实现阶段
第3部分
安全相关软件的实现阶段
第1部分
E/E/PE安全相关系统的安装、调试和安全确认
7.13和7.14
第1部分
E/E/PE安全相关系统的操作、维护、修理、修改和改型、退役或处置
7.15~7.17
第5部分
确定安全完整性等级的方法示例
第6部分
第2部分和第3部分的应用指南
第7部分
技术和措施概述
其他要求
第4部分
定义和缩略语
第1部分
文档
第5章和附录A
第1部分
功能安全的管理
第6章
第1部分
功能安全评估
第8章
图1 GB/T 20438的整体框架
2规范性引用文件
下列文件对于本文件的应用是必不可少的。凡是注日期的引用文件,仅注日期的版本适用于本文件。凡是不注日期的引用文件,其最新版本(包括所有的修改单)适用于本文件。
GB/T 20438.1—2017 电气/电子/可编程电子安全相关系统的功能安全 第1部分:一般要求(IEC 61508-1:2010,IDT)
GB/T 20438.3—2017电气/电子/可编程电子安全相关系统的功能安全 第3部分:软件要求(IEC 61508-3:2010,IDT)
GB/T 20438.4—2017 电气/电子/可编程电子安全相关系统的功能安全 第4部分:定义和缩略语(IEC 61508-4:2010,IDT)
GB/T 20438.7—2017 电气/电子/可编程电子安全相关系统的功能安全 第7部分:技术和措施概述(IEC 61508-7:2010,IDT)
IEC 60947-5-1低压开关设备和控制设备 第5-1部分:控制电路电器和开关元件 机电式控制电路电器(Low-voltage switchgear and controlgear—Part 5-1:Control circuit devices and switching el-ements—Electromechanical control circuit devices)
IEC/TS 61000-1-2电磁兼容性(EMC)第1-2部分:通则 电气和电子系统包括带有电磁现象设备的功能安全实现方法(Electromagnetic compatibility(EMC)—Part 1-2:General—Methodology for the achievement of functional safety of electrical and electronic systems including equipment with re-gard to electromagnetic phenomena)
IEC 61326-3-1测量、控制和实验室用的电设备 电磁兼容性要求 第3-1部分:对于安全相关系统和打算执行安全相关功能(功能安全)设备的免疫要求 通用工业应用(Electrical equipment for measurement,control and laboratory use—EMC requirements—Part 3-1:Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions(functional safe-ty)—General industrial applications)
IEC 61784-3工业通信网络 行规 第3部分:功能安全现场总线 通用规则和行规定义(IEC 61784-3,Industrial communication networks—Profiles—Part 3:Functional safety fieldbuses—General rules and profile definitions)
IEC 62280-1轨道交通 通信、信号和处理系统 第1部分:封闭式传输系统中的安全相关通信(Railway applications—Communication,signalling and processing systems—Part 1:Safety-related communication in closed transmission systems)
IEC 62280-2轨道交通 通信、信号和处理系统 第2部分:开放式传输系统中的安全相关通信(Railway applications—Communication,signalling and processing systems—Part 2:Safety-related communication in open transmission systems IEC Guide 104:1997,The preparation of safety publiea-lions and the use of basic safety publications and group safety publications)
IEC Guide 104:1997安全出版物的编写及基础安全出版物和多专业共用安全出版物的应用导则(The preparation of safety publications and the use of basic safety publications and group safety publi-cations)
ISO/IEC Guide 51:1999涉及安全的内容 将安全内容纳入标准的指南(Safety aspects—Guide-lines for their inclusion in standards)
EN 50205 带强制继电器导向(机械链接)触点(Relays with forcibly guided(mechanically linked)contacts)
3定义和缩略语
GB/T 20438.4—2017界定的定义和缩略语适用于本文件。
4与GB/T 20438的符合性
本部分对GB/T 20438的符合性要求,详见GB/T 20438.1—2017的第4章。
5文档
本部分对文档的要求,详见GB/T 20438.1—2017的第5章。
6功能安全管理
本部分对功能安全管理的要求,详见GB/T 20438.1—2017的第6章。
7 E/E/PE系统安全生命周期要求
7.1概述
7.1.1 目的和要求:概述
7.1.1.1 7.1阐述E/E/PE系统安全生命周期各阶段的目的和要求。
注:整体安全生命周期的目的和要求以及标准结构的简述在GB/T 20438.1中给出。
7.1.1.2对于E/E/PE系统安全生命周期的所有阶段,表1给出了:
——需要达到的目的;
——各阶段的范围;
——要求所在的条款;
——各阶段所要求的输入;
——符合条款要求的输出。
7.1.2 目的
7.1.2.1 7.1的第一个目的是以系统化的方式构造应考虑的E/E/PE系统安全生命周期的各阶段,以实现E/E/PE安全相关系统所需的功能安全。
7.1.2.2 7.1的第二个目的是将贯穿于E/E/PE系统安全生命周期的有关E/E/PE安全相关系统功能安全的所有信息建立文档。
7.1.3要求
7.1.3.1用来声明符合GB/T 20438的E/E/PE系统安全生命周期如图2所示。用于ASIC设计(见GB/T 20438.4—2017的3.2.15)的ASIC开发生命周期的一个详细的V模型如图3所示。如果采用其他E/E/PE系统安全生命周期或ASIC开发生命周期,则应作为功能安全活动管理的一部分(见GB/T 20438.1—2017第6章)加以说明,并应满足GB/T 20438.2所有条款的目的和要求。