Preliminary remark
The Functional Examples dealing with “Safety Integrated” are fully
functional and tested automation configurations based on A&D standard
products for simple, fast and inexpensive implementation of automation
tasks in safety engineering. Each of these Functional Examples covers a
frequently occurring subtask of a typical customer problem in safety
engineering.
Aside from a list of all required software and hardware components and a
description of the way they are connected to each other, the Functional
Examples include the tested and commented code. This ensures that the
functionalities described here can be reproduced in a short period of time and
thus also be used as a basis for individual expansions.
Note
The Safety Functional Examples are not binding and do not claim to be
complete regarding the circuits shown, equipping and any eventuality. The
Safety Functional Examples do not represent customer-specific solutions.
Copyright © Siemens AG 2007 All rights reserved
23996473_as_fe_i_013_DOKU_v13_e_33.doc
They are only intended to provide support for typical applications. You are
responsible for ensuring that the described products are correctly used.
These Safety Functional Examples do not relieve you of the responsibility
of safely and professionally using, installing, operating and servicing
equipment. When using these Safety Functional Examples, you recognize
that Siemens cannot be made liable for any damage/claims beyond the
liability clause described. We reserve the right to make changes to these
Safety Functional Examples at any time without prior notice. If there are
any deviations between the recommendations provided in these Safety
Functional Examples and other Siemens publications – e.g. Catalogs –
then the contents of the other documents have priority.
As a quality assurance measure for this document, a review was performed
by the Center for Quality Engineering. The independent Center for Quality
Engineering accredited according to DIN EN ISO/IEC 17025 confirms that
IEC 62061 was correctly applied to the Functional Example and
implemented. Further information is available at: www.pruefinstitut.de
If you come across a term prefixed by "#" when reading the document, this
indicates that
• the term is from IEC 62061.
• the definition of the term is listed in the glossary (chapter 28.1).
General abbreviations
Generally valid abbreviations are also listed in the glossary (28.3).
Examples: PLC, F-PLC
References to documents and links to the internet are marked with “(/x/)”.
For an overview of all references and links, please refer to chapter 29.
The header of the document is useful for the orientation in the document.
This is illustrated by the figure below with a screen shot of the header.
Figure 1-1
safety. IEC 62061 is, for example, applied when #safety functions are
performed on a machine by an F-PLC.
The document is divided into several parts. The structure is explained in the
following table.
Table 2-1
Part | Chapters | Content
(first row truncated) | | ... IEC 62061.
IEC 62061 BASICS | 5 to 10 | The second part of the document explains the most important terms and correlations of IEC 62061.
APPLICATION | 11 to 26 | The third part of the document uses an application example to show step-by-step how IEC 62061 is basically applied.
APPENDIX | 27 to 29 | The fourth part of the document provides in-depth information, a glossary and an information directory.
INTRODUCTION
3 Introduction
In the IEC 62061 environment, the following terms play an important role:
• Safety of machinery
• #Safety function, #safety system (SRECS)
• Functional safety of a #safety system (SRECS)
This chapter provides a brief explanation of these terms and shows where
IEC 62061 is applied.
Machinery
Machinery means an assembly of linked parts or components, at least one
Safety of a machine
A machine is “safe” if no hazards arise from it.
Safety requires protection against the following hazards:
• Electric shock
• Heat and fire
• Hazardous radiation and emission
• Mechanical hazards
• Hazardous materials
• Operational faults
• Sensors
• F-PLC
• Actuators
An example of an F-PLC in a #safety system (SRECS) is “SIMATIC S7
Distributed Safety”, consisting of:
• Hardware: Fail-safe S7-CPUs, fail-safe input modules and fail-safe
output modules
• Software: “S7 Distributed Safety”, for programming and configuring
Table 4-1
4.2 Characteristics
#Subsystem: Property
Finished #subsystem: The IEC 62061 user (machine manufacturer, control integrator) purchases a finished #subsystem from a manufacturer and uses it in the #safety system (SRECS). IEC 62061 considers #subsystems that are certified according to EN 954-1 or IEC 61508. In general, the #subsystem design is complex. Examples: F-PLC, laser scanners.
Designed #subsystem: The #subsystem is designed by the IEC 62061 user (machine manufacturer, control integrator) and used in the #safety system (SRECS). In general, the #subsystem design is simple. Example: Combination of electromechanical components such as contactors or position switches.
• Engineering
4.3 Benefit
Presumption of conformity
By complying with a harmonized standard, an “automatic presumption of
conformity” ensues for the compliance with the corresponding directive.
The user of a harmonized standard can trust in having complied with the
safety objectives of the corresponding directive.
For EN 62061 this specifically means:
• By applying EN 62061, the user may assume that he/she has complied
with the safety objectives of the machinery directive.
Harmonized standard
Machinery directive
Machines which are put into circulation or operated in the EU have to
comply with the machinery directive requirements.
The machinery directive includes basic safety requirements for machines
and for replaceable equipment and safety components.
This also affects machines which are delivered to the EU from countries
which are not part of the EU.
sector standards.
Task of a SRCF
#Safety-related control functions (SRCFs) are performed by a #safety
system (SRECS). The task of a SRCF is to prevent dangerous states on a
machine.
A SRCF has to meet requirements with regard to:
• Functionality and
• #safety integrity.
Functionality of a SRCF
The required functionality of a #safety-related control function (SRCF) is
derived from the risk analysis (chapter 14).
In general, a SRCF consists of the following #function blocks:
• Acquiring information
• Evaluating information
• Responding with actions
Task of a SRECS
A #safety system (SRECS) performs #safety-related control functions
(SRCFs). The SRECS has to meet the following requirements:
Architecture of a SRECS
A #safety system (SRECS) has the following properties:
• It performs #safety-related control functions (SRCFs).
• It consists of #subsystems.
Figure 6-1
Examples of subsystems:
• Combination of sensors
• Combination of actuators
• Fail-safe programmable logic controller (F-PLC)
Figure 6-2
Table 7-1
8 #Architectural Constraint
8.1 Meaning of #SIL claim limit (SILCL)
Example:
The statement “the #subsystem has SILCL 2” describes the properties:
• The #subsystem meets all IEC 62061 requirements for
#systematic safety integrity.
• The structure of the #subsystem is maximally suitable for SIL 2.
Two views are used to explain the meaning of #SIL claim limit (SILCL):
• Requirement view
• Solution view
Requirement view
All #subsystems involved in the performance of a #safety-related control
function (SRCF) must have a #SIL claim limit (SILCL) which is at least
equal to the required #safety integrity level (SIL) of this SRCF.
Example
The following applies to the example shown in the figure: SIL 2 of the
SRCF requires that all #subsystems have at least SILCL 2.
Figure 8-1
Solution view
The maximum #safety integrity level (SIL) that can be achieved for a
#safety-related control function (SRCF) corresponds to the smallest #SIL
claim limit (SILCL) of all #subsystems involved in the performance of the
SRCF.
Example
The following applies to the example shown in the figure: Due to
#subsystem 1, the SIL that can be achieved for the SRCF is limited to
maximally SIL 2.
Figure 8-2
The #SIL claim limit (SILCL) of the #subsystem is determined from the two
characteristics HFT and SFF.
Note: A central explanation of the terms “fault” and “failure” is given in
chapter 27.6.
Description
The hardware fault tolerance (HFT) expresses the #fault tolerance of a
#subsystem. #Fault tolerance is the ability of a #subsystem to continue to
perform a required function also after faults have occurred.
Determination
To determine the HFT, the hardware configuration of the #subsystem is
considered. The HFT of a #subsystem expresses the tolerance of a
#subsystem to faults in the hardware:
• A #subsystem with an HFT of N only fails after
(N+1) faults have occurred.
A failure of a #subsystem causes the loss of all SRCFs using this
#subsystem.
When determining the HFT, other measures are not considered which
Example without fault tolerance (HFT = 0):
A fault in the #subsystem (contactor does not open) has the following effect:
• 1 fault in the #subsystem
  => Failure of the #subsystem (the #subsystem can no longer perform its function.)
  => Loss of all SRCFs using this #subsystem (the SRCFs are no longer performed because the #subsystem no longer fulfils its function.)
Example with fault tolerance (HFT >= 1):
A fault in the #subsystem (1 contactor does not open) has the following effect:
• 1 fault in the #subsystem
  => No failure of the #subsystem
  => No loss of a SRCF
Description
Failures are caused by random faults in the hardware of the #safety system
(SRECS) or its #subsystems.
The failure of a #subsystem causes a loss of the #safety-related control
functions (SRCFs) which use this #subsystem.
Failures of a #subsystem can be safe or dangerous, depending on the
effect on the machine. The following table illustrates the differences.
Table 8-3
The #safe failure fraction (SFF) describes the fraction of #safe failures of a
#subsystem in the overall failure rate of the #subsystem.
#Subsystem | Method
Complex #subsystem | Examples of methods:
• Fault tree analysis
• Failure mode and effects analysis
SFF determination
Table 8-5
Table 8-6
Calculation of SFF
Formula SFF = (λtotal - λDUtotal) / λtotal
Dimension Dimensionless
The SFF is also indicated as a percentage. This requires that the result is
converted: 0.x -> 0.x * 100%. Example: 0.1 -> 10%
Table 8-7
λD = λDD + λDU
Designation Dangerous failure rate
Meaning These failures may cause a dangerous state on the machine.
Table 8-8
There are different options for determining the #SIL claim limit (SILCL) of a
#subsystem. In the following, a differentiation is made between:
• Finished #subsystem
• Designed #subsystem
Finished #subsystem
In this case, the IEC 62061 user (machine manufacturer, control integrator)
purchases the finished #subsystem from the manufacturer (table 4-2).
When purchasing a finished #subsystem, the user is generally provided
with a manufacturer documentation from which he/she can derive the #SIL
claim limit (SILCL).
Table 8-9
Designed #subsystem
In this case, the IEC 62061 user (machine manufacturer, control integrator)
assembles his/her #subsystem from #subsystem elements (table 4-2).
A designed #subsystem requires that the user determines the
#SIL claim limit (SILCL) of his/her #subsystem.
Chapter 8.7 describes the basic calculation.
Data: Remark
Input data of the table: Category (information of the manufacturer)
Output data of the table: SILCL (#SIL claim limit)
The #SIL claim limit (SILCL) of the #subsystem can be derived from the
hardware fault tolerance (HFT) and the #safe failure fraction (SFF).
To do this, the following table (IEC 62061, table 5, modified) is used.
Table 8-13
SFF            | HFT 0       | HFT 1   | HFT 2
< 60 %         | not allowed | SILCL 1 | SILCL 2
60 % to < 90 % | SILCL 1     | SILCL 2 | SILCL 3
90 % to < 99 % | SILCL 2     | SILCL 3 | SILCL 3
>= 99 %        | SILCL 3     | SILCL 3 | SILCL 3
Data: Remark
Input data of the table: HFT (hardware fault tolerance), SFF (#safe failure fraction)
Output data of the table: SILCL (#SIL claim limit)
The above table indicates that there are different combinations of SFF and
HFT for a specific SILCL value. A specific SILCL can thus be achieved with
different structures of a #subsystem.
Examples
Example 1: A #subsystem without redundancy (HFT = 0) must have a high
SFF (SFF >= 99%) to achieve SILCL 3.
Example 2: For a #subsystem with high redundancy (HFT = 2), a smaller
SFF (SFF = 60%) is sufficient to achieve SILCL 3.
Table 9-1
In the risk assessment (chapter 15), one #safety integrity level (SIL) is
defined for each #safety-related control function (SRCF) which has to be
met by the SRCF.
Limit values for the maximum permissible #PFHD value (PFHD) are
assigned to each SIL.
• The requirements for the reliability of the SRCF increase with an
increasing SIL, which is shown by a smaller maximum permissible
#PFHD value (PFHD).
• The requirements for the reliability of the SRCF decrease with a
decreasing SIL, which is shown by a larger maximum permissible
#PFHD value (PFHD).
The table below (IEC 62061, table 3) shows the correlation between
#safety integrity level (SIL) and #PFHD value (PFHD) of a #safety-related
Figure 9-1
There are different options for determining the #PFHD value (PFHD) of a
#subsystem. In the following, a differentiation is made between:
• Finished #subsystem
• Designed #subsystem
Finished #subsystem
In this case, the IEC 62061 user (machine manufacturer, control integrator)
purchases the finished #subsystem from the manufacturer (table 4-2).
When purchasing a finished #subsystem, the user is generally provided
with a manufacturer documentation from which he/she can derive the
PFHD.
Table 9-3
Designed #subsystem
In this case, the IEC 62061 user (machine manufacturer, control integrator)
assembles his/her #subsystem from #subsystem elements (table 4-2).
A designed #subsystem requires that the user determines the PFHD of
his/her #subsystem.
Chapter 9.6 describes the basic calculation.
Data: Remark
Input data of the table: Category (information of the manufacturer)
Output data of the table: PFHD (#PFHD value)
Basic subsystem architecture | HFT | Diagnostics | Number of #subsystem elements | (*1) | (*2) | (*3)
C | 0 | Yes | 1 to n | x | x |
B | 1 | No | 2 | | | x
D | 1 | Yes | 2 | | x | x
Characteristic
(*1) The failure of one single #subsystem element causes the failure
of the #subsystem and thus the loss of the SRCF.
(*2) The diagnostic function detects the failure of a #subsystem
element and initiates a fault reaction.
(*3) The failure of one single #subsystem element does not cause
the failure of the #subsystem and thus not the loss of the SRCF.
IEC 62061 (chapter 6.7.8.2) gives the formula for calculating the #PFHD
value (PFHD) for each basic subsystem architecture. The following
parameters are included in these formulae:
Table 9-9
Table 9-10
Basic subsystem architecture | Example
A | Contactor
Step Calculation
1 Failure rate of #subsystem element λ
2 Dangerous failure rate of #subsystem element λDe
Short description of λ
Symbol: λ
Designation: Failure rate of a #subsystem element
Meaning: Number of #subsystem element failures per hour
Definition: See tables below.
Example: λ = 10^-8 / h
Meaning: One failure in 10^8 hours.
Table 9-13
Calculation of λ
Formula λ = 0.1 * C / B10
Dimension 1 / h (per hour)
Table 9-14
Parameters of λ
B10
Designation B10 value of the #subsystem element.
Meaning B10 is the number of switching cycles
after which 10% of the test objects have failed.
Definition #Subsystem element manufacturer
Dimension Dimensionless
C
Designation -
Meaning Number of #subsystem element operations per hour
Definition Specification of the #safety-related
control function (SRCF).
Dimension 1 / h (per hour)
Table 9-16
Calculation of λDe
Formula λDe = (dangerous failure fraction) * λ
Dimension 1 / h (per hour)
Table 9-17
Parameters of λDe
Dangerous failure fraction
Designation -
Meaning Dangerous failure fraction of the #subsystem element
in all #subsystem element failures.
Definition The definition requires that the different fault types and their
fractions are known. The following sources can be used:
• Manufacturer documentation
• IEC 62061, Annex D (chapter 27.3)
Dimension Dimensionless
The “dangerous failure fraction” is normally indicated as a
percentage. The value has to be converted for the formula:
x% -> x% / 100%.
Example: 10% -> 0.1
λ
See table 9-13: Calculation of failure rate λ.
Description
Several #subsystem elements (example: Two position switches for the
detection of the same position) are used in redundant #subsystems
(chapter 8.3.1).
A failure of one single #subsystem element does not yet cause the loss of
the #safety-related control function (SRCF).
Redundant #subsystems require that the probability of "common cause
failures", which can cause a simultaneous failure of the redundant
components, is taken into account. A measure for this is the CCF factor (β).
Examples
Two redundant #subsystem elements can fail simultaneously when the
following faults have occurred:
• Unplanned exiting of the permissible operating conditions of both
Calculation
IEC 62061 (Annex F) describes a method to determine the
CCF factor (chapter 27.2).
If no special measures are taken, a CCF factor of 10% (0.1) may be
assumed. A value of 10% is then always safe (“conservative value”).
This value can be improved by additional measures (example: Monitoring
the ambient temperature of the redundant #subsystem elements with
regard to the maximally permissible value.)
Description of DC
Dangerous failures in the #safety system (SRECS) are detected by
diagnostics (fault detection) and a reaction of the SRECS is triggered (fault
reaction). The fault reaction prevents the machine from entering a
dangerous state.
Example:
Reading back the contactors makes it possible to detect a contactor that
does not open. A reaction can then be performed which ensures that no
dangerous state arises on the machine.
Calculation of DC
Table 9-19
Short description of DC
Symbol DC
Designation #Diagnostic coverage (DC)
Meaning DC indicates for a #subsystem element how many percent of the
dangerous failures are detected by diagnostics.
Definition See tables below
Example DC = 0.9
Meaning:
90% of the dangerous failures are detected by diagnostics.
Table 9-20
Calculation of DC
Formula DC = λDDtotal / λDtotal
Dimension Dimensionless
The DC is also indicated as a percentage. This requires that the result is
converted: 0.x -> 0.x * 100%. Example: 0.1 -> 10%
Table 9-21
Meaning ---
λD = λDD + λDU
Designation Dangerous failure rate
Meaning These failures may cause a dangerous state on the machine.
Table 9-22
Parameters of DC
λDD
Designation Dangerous failure rate detected by diagnostics.
Meaning These failures may cause a dangerous state on the machine.
λDU
Designation Dangerous failure rate not detected by diagnostics.
Meaning These failures may cause a dangerous state on the machine.
The following statements apply to all parameters listed above
Definition The definition requires that the different failure modes and their fractions are
known. The following sources can be used:
• Manufacturer documentation
• IEC 62061, Annex D (chapter 27.3)
Calculation Principle: See chapter 9.7.1
Dimension 1 / h (per hour)
Short description of T2
Symbol T2
Designation Diagnostic test interval
Meaning -
Definition Specification of the #safety-related
control function (SRCF).
Example -
Dimension h (hour)
Lifetime
The lifetime is the time in which a #subsystem or a #subsystem element is
used.
After the lifetime has expired, the #subsystem or the #subsystem element
has to be replaced.
The table below provides an overview of the lifetime.
Table 9-24
This chapter presents the formula for basic subsystem architecture D from
IEC 62061. This formula will later be applied in the application example.
Characteristics of basic subsystem architecture D:
• With #fault tolerance (HFT = 1)
• With diagnostics
• Two #subsystem elements
Calculation of λ
Formula λ = 0.1 * C / B10
Meaning Failure rate of the #subsystem element
Description Chapter 9.7.1
Table 9-28
Parameters of λ
B10
Meaning B10 value of the #subsystem element
C
Meaning Number of #subsystem element operations in h
Calculation of λDe
Formula λDe = (dangerous failure fraction) * λ
Meaning Dangerous failure rate of the #subsystem element
Description Chapter 9.7.1
Table 9-30
Parameters of λDe
Dangerous failure fraction
Meaning Dangerous failure fraction of the #subsystem element
λ
Meaning See table 9-27: Failure rate of the #subsystem element
Calculation of λDssD
Formula: λDssD = (1 - β)^2 * {[λDe^2 * 2 * DC] * T2 / 2 + [λDe^2 * (1 - DC)] * T1} + β * λDe
Meaning: Dangerous failure rate of the #subsystem
Table 9-32
Parameters of λDssD
β (CCF factor)
Meaning Susceptibility to common cause failures
Description Chapter 9.7.2
T1
Meaning #Subsystem element lifetime
Description Chapter 9.7.4
T2
Meaning Diagnostic test interval.
Description Chapter 9.7.3
DC
Meaning #Diagnostic coverage (DC)
Description Chapter 9.7.3
λDe
Meaning See table 9-30: Dangerous failure rate of the #subsystem element
Description Chapter 9.7.1
Calculation of PFHD
Formula PFHD = λDssD * 1h
Meaning #PFHD value (PFHD) of the #subsystem
Dimension Dimensionless
Table 9-34
Parameters of PFHD
λDssD
Meaning See table 9-31: Dangerous failure rate of the #subsystem
Dimension 1 / h (per hour)
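The following Python code is an added worked example (not code from the Siemens document). It carries the calculation chain of chapters 9.7 and 9.8 end to end for an architecture-D subsystem: λ from B10 and C, λDe from the dangerous failure fraction, λDssD from the architecture-D formula, PFHD, and the comparison with the SIL limits of IEC 62061 table 3 (table 9-2). The contactor data in the `__main__` section (B10, C, fractions, lifetime, test interval) are constructed values, not manufacturer data.

```python
# Added example, not part of the Siemens document. PFHD of a designed subsystem
# with basic subsystem architecture D (two identical elements, HFT = 1, with
# diagnostics) from B10 data, following chapters 9.7 and 9.8.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class ElementData:
    b10: float                 # cycles after which 10 % of test objects have failed
    ops_per_hour: float        # C: operations per hour, from the SRCF specification
    dangerous_fraction: float  # share of dangerous failures among all element failures


def lam(el: ElementData) -> float:
    """Failure rate of a subsystem element: λ = 0.1 * C / B10  [1/h] (table 9-13)."""
    if el.b10 <= 0 or el.ops_per_hour < 0:
        raise ValueError("B10 must be positive and C non-negative")
    return 0.1 * el.ops_per_hour / el.b10


def lam_de(el: ElementData) -> float:
    """Dangerous failure rate of an element: λDe = (dangerous failure fraction) * λ."""
    if not 0.0 <= el.dangerous_fraction <= 1.0:
        raise ValueError("dangerous failure fraction is a fraction in [0, 1]")
    return el.dangerous_fraction * lam(el)


def lam_dss_d(lde: float, beta: float, dc: float, t1: float, t2: float) -> float:
    """Dangerous failure rate of an architecture-D subsystem (table 9-31):
    λDssD = (1-β)^2 * {[λDe^2 * 2 * DC] * T2/2 + [λDe^2 * (1-DC)] * T1} + β * λDe
    with T1 = element lifetime [h] and T2 = diagnostic test interval [h]."""
    if not 0.0 <= beta <= 1.0 or not 0.0 <= dc <= 1.0:
        raise ValueError("β and DC are fractions in [0, 1]")
    if t1 <= 0 or t2 <= 0 or t2 > t1:
        raise ValueError("T1 and T2 must be positive and T2 <= T1")
    detected_part = (lde ** 2 * 2.0 * dc) * t2 / 2.0
    undetected_part = (lde ** 2 * (1.0 - dc)) * t1
    return (1.0 - beta) ** 2 * (detected_part + undetected_part) + beta * lde


def pfhd(lam_dss: float) -> float:
    """PFHD = λDssD * 1 h (table 9-33): the same figure, now dimensionless."""
    return lam_dss * 1.0


def sil_from_pfhd(value: float) -> int:
    """Highest SIL whose PFHD limit is met (IEC 62061 table 3, table 9-2):
    SIL 3 < 1e-7, SIL 2 < 1e-6, SIL 1 < 1e-5; 0 if no limit is met."""
    if value < 0:
        raise ValueError("PFHD cannot be negative")
    for sil, limit in ((3, 1e-7), (2, 1e-6), (1, 1e-5)):
        if value < limit:
            return sil
    return 0


def subsystem_pfhd(el: ElementData, beta: float, dc: float,
                   lifetime_years: float, test_interval_h: float) -> float:
    """End-to-end calculation for one architecture-D subsystem built from `el`."""
    lde = lam_de(el)
    t1 = lifetime_years * HOURS_PER_YEAR
    return pfhd(lam_dss_d(lde, beta, dc, t1, test_interval_h))


if __name__ == "__main__":
    # Constructed contactor data: B10 = 1e6 cycles, 10 operations per hour,
    # 50 % dangerous failures; read-back every 24 h with DC = 0.99; β = 0.1
    # (the conservative value of chapter 9.7.2); 20 years lifetime.
    contactor = ElementData(b10=1e6, ops_per_hour=10.0, dangerous_fraction=0.5)
    value = subsystem_pfhd(contactor, beta=0.1, dc=0.99,
                           lifetime_years=20.0, test_interval_h=24.0)
    print(f"λ = {lam(contactor):.2e}/h, λDe = {lam_de(contactor):.2e}/h")
    print(f"PFHD = {value:.3e} -> meets the limit for SIL {sil_from_pfhd(value)}")
```

With these inputs the common-cause term β * λDe contributes 5.0e-8 of the 5.04e-8 total, the two redundancy terms together only about 3.6e-10. That is the usual picture for architecture D with the conservative β of 10 %: the PFHD of the subsystem is set by β, so reducing β with the measures of IEC 62061 Annex F moves the figure far more than a higher DC or a shorter T2.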
APPLICATION
11 Application Example
After the IEC 62061 basics have been explained in the previous chapters,
the practical part of the document starts with this chapter: from here on,
IEC 62061 is applied to a concrete case. The application example used is
briefly presented in this chapter.
Figure 11-1
The following section provides a brief overview of the solution shown step-
by-step in the application example.
Table 11-1
Boundary conditions
Two already existing Functional Examples form the basis for the application
example (/5/, chapter 29):
Table 11-2
Discrete steps
The following table 12-2 provides an overview of the steps that are always
required when applying IEC 62061.
The document focuses on steps 2 to 7:
• From the risk analysis
Parallel activities
Activities to be performed in parallel to all steps are briefly described in
chapter 12.2.
Interface machine / SRECS (remark column, row truncated)
Step 6: Realizing #subsystems
  Objective, procedure: chapter 18
  Overview of #subsystems: chapter 19; IEC 62061, chapter 6.7
  Design #subsystem 1: chapter 20
  Design #subsystem 2: chapter 21
  Design #subsystem 3: chapter 22
  Remark: solution from the perspective of the SRECS
Step 7: Determining achieved SIL: chapter 23; IEC 62061, chapter 6.6.3
Step 8: Implementing hardware: IEC 62061, chapter 6.9
Step 9: Specifying software: IEC 62061, chapter 6.10
Step 10: Designing / developing software: chapter 24; IEC 62061, chapter 6.11
Step 11: Integrating and testing: IEC 62061, chapter 6.12
Step 12: Installing: IEC 62061, chapter 6.13
Step 13: Generating information for use: chapter 25; IEC 62061, chapter 7
Step 14: Performing validation: chapter 26; IEC 62061, chapter 8
Further entries of the original table whose row assignment was lost: "Main focus of the document"; "chapter 10".
13.2 Procedure
The following topics and activities are documented in the #safety plan:
• Planning and procedure of all activities required for the realization of a
#safety system (SRECS).
Examples:
– Developing the specification of the #safety-related control function
(SRCF).
– Designing and integrating the SRECS
– Validating the SRECS
– Preparing the SRECS user documentation
– Documenting all relevant information on the realization of the
SRECS (project documentation)
• Strategy how the functional safety is to be achieved.
• Responsibilities for execution and review of all activities
• Strategy how the configuration management for the user software is to
be performed.
• Plan for the verification
• Plan for the validation
13.3 Application
The chapter shows a concrete example of the #safety plan. The basis is the
application example with the example machine.
Required activities
Table 13-1
Strategy
Strategy: Description
Functional safety: The strategy to achieve functional safety consists of:
• Identification of the SRCF by a risk analysis
• Specification of the identified SRCF
• Design of a SRECS and verification of the SRECS for all specified SRCF
• Implementation of the SRECS and validation of the SRECS
• Review of the requirements
• Modification if the SRCF do not meet the verification or validation criteria.
Application software: The strategy to achieve the functional safety of the application software consists of:
• Use of the development system for the application software according to the manufacturer documentation.
Responsibilities
Area of responsibility: Responsible person and/or department
Project management: Mr. Huber
Developing the SRCF specification: Mr. Meier
Functionality of the SRECS: Mr. Meier
Integration and test on the machine: Mr. Schmidt
Document for validation, actual validation and documentation of the validation: Mr. Huber
Modifications (SRECS, application software): Mr. Meier
User documentation: Documentation department
Project documentation: Mr. Müller
Troubleshooting and repair: Mr. Müller
Training: Mr. Müller
14.2 Procedure
Based on the risk analysis and the machine specification, the following is
determined:
• Hazards caused by the machine
• Necessary SRCFs
• Functionality of the SRCFs
14.3 Application
For our application example, the risk analysis results in the following:
• There is a hazard on the machine.
• A SRCF is necessary to minimize the risk.
The following table shows the result of the risk analysis for the application
example.
Table 14-1
15.2 Procedure
The higher the severity of a harm and the more probable the occurrence of
a harm, the higher the assessment of a risk of a hazard.
The risk of a hazard depends on the two following factors:
• Severity of the possible harm that may be caused by the hazard
• Probability of occurrence of the harm
After assessing the risk, the required SIL for the SRCF can be determined.
In general, the following applies:
• The higher the determined risk, the higher the required SIL.
15.3 Application
The following section shows how the required SIL of a SRCF can be
determined. The method is described in IEC 62061 (Annex A).
The figure below illustrates the procedure:
• Assessment of the risk of the hazard (step 1 to 4)
• Determination of the required SIL of the SRCF (step 5 and 6)
Figure 15-1
The factors of influence on the risk of a hazard are assessed with the aid of
the following tables.
Concretized for the example:
Input data: Contact with the blade can cause the loss of limb(s).
Output data: Se = 4
2. Frequency and duration of the exposure of persons in the danger zone (Fr)
The table below is used to assess how frequently and how long persons
are exposed to the hazard.
Table 15-3
Frequency of exposure | Duration > 10 min (*1) | Fr
<= 1 h | Yes | 5
1 h to 1 day | Yes | 5
1 day to 2 weeks | Yes | 4
2 weeks to 1 year | Yes | 3
> 1 year | Yes | 2
(*1): If the duration of the exposure to the hazard is < 10 min, Fr can be set to
the next-lower value.
Concretized for the example:
Input data: The operator must open the protective cover at least once per shift. The operator is then in the danger zone for approximately 15 minutes.
Output data: Fr = 5
3. Probability of occurrence of the hazardous event (Pr)
Concretized for the example:
Input data: When the protective cover is open, it is probable that the operator gets into the blade's operating range.
Output data: Pr = 4
4. Possibility of avoiding or limiting the harm (Av)
Concretized for the example:
Input data: The operator can avoid the blade only rarely.
Output data: Av = 3
The risk was assessed in the previous chapter. To do this, the factors of
influence Se, Fr, Pr and Av were determined. The required SIL is now
derived from this.
Severity of the harm Se | Class Cl = Fr + Pr + Av
   | 3 to 4 | 5 to 7 | 8 to 10 | 11 to 13 | 14 to 15
4  | SIL 2  | SIL 2  | SIL 2   | SIL 3    | SIL 3
3  | (OM)   | SIL 1  | SIL 2   | SIL 3    | SIL 3
2  |        | (OM)   | SIL 1   | SIL 2    | SIL 3
1  |        |        | (OM)    | SIL 1    | SIL 2
(OM): other measures recommended; an empty cell means that no SIL requirement follows from the matrix. Matrix as in IEC 62061, Annex A (table A.6).
Concretized for the example:
Input data: Se = 4; Cl = Fr + Pr + Av = 5 + 4 + 3 = 12
Output data: SIL 3
Summary
The SIL required for the SRCF is 3.
Figure 15-2
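The following Python code is an added worked example (not from the Siemens document) that carries the Annex A procedure of chapter 15: Fr from the exposure table (table 15-3) including the 10-minute reduction of footnote (*1), Cl = Fr + Pr + Av, and the SIL read from the assignment matrix of IEC 62061 Annex A (table A.6). The floor of Fr = 2 when the reduction is applied and the 8-hour shift used in `__main__` are assumptions of this example.

```python
# Added example, not part of the Siemens document. Required SIL of an SRCF
# from the risk parameters Se, Fr, Pr and Av of IEC 62061 Annex A.
from typing import Optional

# Class bands of the matrix columns, inclusive: 3-4, 5-7, 8-10, 11-13, 14-15.
_CLASS_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))

# Rows = severity Se 4..1 (IEC 62061 table A.6). "OM": other measures
# recommended; None: no SIL requirement follows from the matrix.
_SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: ("OM", "SIL 1", "SIL 2", "SIL 3", "SIL 3"),
    2: (None, "OM", "SIL 1", "SIL 2", "SIL 3"),
    1: (None, None, "OM", "SIL 1", "SIL 2"),
}

VALID_FR = (2, 3, 4, 5)
VALID_PR = (1, 2, 3, 4, 5)
VALID_AV = (1, 3, 5)


def fr_from_exposure(interval_hours: float, duration_minutes: float) -> int:
    """Fr from the interval between two exposures (hours) and the duration of one
    stay in the danger zone (minutes), as in table 15-3. A stay shorter than
    10 min lowers Fr by one step (footnote *1); the floor of 2 is an assumption
    of this example, because the table ends at Fr = 2."""
    if interval_hours <= 0 or duration_minutes < 0:
        raise ValueError("interval must be positive and duration non-negative")
    if interval_hours <= 24:            # "<= 1 h" and "1 h to 1 day" both give 5
        fr = 5
    elif interval_hours <= 14 * 24:     # 1 day to 2 weeks
        fr = 4
    elif interval_hours <= 8760:        # 2 weeks to 1 year
        fr = 3
    else:                               # more than 1 year
        fr = 2
    if duration_minutes < 10:
        fr = max(2, fr - 1)
    return fr


def risk_class(fr: int, pr: int, av: int) -> int:
    """Cl = Fr + Pr + Av after checking that each factor is a value of its table."""
    if fr not in VALID_FR or pr not in VALID_PR or av not in VALID_AV:
        raise ValueError("Fr in 2..5, Pr in 1..5, Av in {1, 3, 5}")
    return fr + pr + av


def required_sil(se: int, fr: int, pr: int, av: int) -> Optional[str]:
    """Required SIL of the SRCF ("SIL 1".."SIL 3"), "OM" for other measures
    recommended, or None if the matrix yields no requirement."""
    if se not in _SIL_MATRIX:
        raise ValueError("Se is 1 to 4")
    cl = risk_class(fr, pr, av)
    for column, (low, high) in enumerate(_CLASS_BANDS):
        if low <= cl <= high:
            return _SIL_MATRIX[se][column]
    raise AssertionError("Cl lies in 3..15 for valid factors")


if __name__ == "__main__":
    # The document's example: loss of limb (Se = 4), cover opened once per
    # 8 h shift for about 15 min (Fr = 5), contact probable (Pr = 4),
    # avoidance rarely possible (Av = 3).
    fr = fr_from_exposure(interval_hours=8.0, duration_minutes=15.0)
    print(f"Fr = {fr}, Cl = {risk_class(fr, 4, 3)}, required: {required_sil(4, fr, 4, 3)}")
```

The validation in `risk_class` matters more than it looks: the matrix only makes sense for the discrete values the Annex A tables define, and a value such as Av = 2 that is not in the Av table (1, 3, 5) would silently shift the class by one column, so it is rejected rather than summed.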
The requirements for the SRCFs are described in the specification. All
SRCFs which were identified during the risk analysis are specified. Since
the SRCFs are performed by the #safety system (SRECS), the
specification also includes all requirements that have to be met by a
SRECS to be realized.
The specification can be considered as an interface between machine
(machine manufacturer) and SRECS (SRECS developer):
• The machine manufacturer describes the requirements for the SRECS
• The SRECS developer realizes the SRECS on this basis
The results of risk analysis and risk assessment are the basis for the
16.2 Procedure
16.3 Application
Specified SRCF
SRCF 1: "Stop of the rotating blade"
Information
Hazard on the machine to be prevented by the SRCF: If the protective cover is open, the operator can be injured by the rotating blade.
Persons on the machine: Maintenance staff
Mode of the machine in which the SRCF is to be active: "Clean" mode
Requirement
Function of the SRCF: After opening the protective cover, the motor must be switched off.
Conditions in which the SRCF has to be active or disabled: The SRCF must always be active on the machine.
Required reaction time: When the protective cover is opened, the motor has to be stopped at the latest after 200 ms.
Reaction to faults: When faults occur, the reaction has to be as follows:
• Switch off motor
• "Disturbance" indicator light on
It must only be possible to switch on the motor
Requirement
#Safety integrity level (SIL) of the SRCF SIL 3 (Chapter 15.3.2)
-7
#PFHD value (PFHD) of the SRCF PFHD < 10 (table 9-2)
Each SRCF is logically divided into #function blocks in such a way that
these #function blocks can be assigned to specific #subsystems of the
SRECS. All designed #subsystems together then result in the required
SRECS architecture.
Specific components are not yet selected in this step. This is done in step 6
(Realizing #Subsystems).
The step is based on the specification of the SRCF (step 4).
17.2 Procedure
Figure 17-1
After the segmentation of the SRCF into #function blocks, the following
requirements are specified for each #function block:
• Requirements for the SRCF functionality:
– What is the task of the #function block?
– Which input information does the #function block require?
17.3 Application
The SRCF of the application example is divided into three #function blocks.
All three #function blocks are required to perform the SRCF. If one
#function block fails, the entire SRCF fails (loss of the SRCF).
The figure and table below illustrate the segmentation.
Figure 17-2
Table 17-1
The requirements for the SRCF #function blocks of the application example
will be specified in this chapter. The requirements are described with the
aid of uniform tables with the following structure:
Table 17-2
#Subsystem 1 and 3
A design for the structure of #subsystems 1 and 3 can be derived from the
above requirement (at least SILCL 3). The following is assumed for the
design:
The #subsystem elements for #subsystem 1 (position switches) and
#subsystem 3 (contactor) have the following #safe failure fraction (SFF):
• SFF < 99%
With the above assumption and table 8-13, the following follows for the
structure (architecture) of the #subsystems:
• One single #subsystem element per #subsystem (HFT = 0) is not
sufficient. The design of the #subsystems must be redundant.
• An SFF of at least 90% is required.
#Subsystem 2
A fail-safe programmable logic controller (F-PLC) that complies with SILCL
3 is used for #subsystem 2.
Summary
The table shows the assignment of the SRCF #function blocks to the
#subsystems of the #safety system (SRECS).
Table 17-6
The figure below shows the design for the SRECS architecture.
Figure 17-3
18.3 Procedure
#Subsystem Function
1 Detecting: Detecting the protective cover position
2 Evaluating: Evaluating the detected position and triggering action.
3 Reacting: Disconnecting motor from the supply.
Overview
The design of #subsystem 1 is shown in figure 19-1.
The requirements for #subsystem 1 are listed in the table below
(chapter 17):
Table 20-1
#Subsystem 1 requirements:
Function: Detecting the protective cover position
#Safety integrity: SILCL 3
Description of #subsystem 1
#Subsystem 1 consists of two identical #subsystem elements (position
switches). Both position switches are wired to an F-DI. Both position
switches are evaluated in the F-CPU.
F-DI and F-CPU are parts of #subsystem 2. #Subsystem 2 is realized with
“SIMATIC S7 Distributed Safety”.
Note: A detailed description of the design is available in the Functional
Examples (table 11.2). However, the information in this document is
sufficient for the considerations concerning IEC 62061.
Diagnostics of #subsystem 1
The following diagnostics have been realized for #subsystem 1:
Table 20-3
Procedure
The #SIL claim limit (SILCL) of #subsystem 1 is determined in this chapter.
To do this, first the hardware fault tolerance (HFT) and the #safe failure
fraction (SFF) are determined. Subsequently, the SILCL is determined
(chapter 8.7).
HFT determination
A failure of a #subsystem element does not cause the loss of the #safety-
related control function (SRCF). Consequently, the #fault tolerance of
#subsystem 1 is one: HFT = 1
SFF determination
SFF refers to the #subsystem. For #subsystems with several identical
#subsystem elements, it is sufficient to consider one #subsystem element
Note: Wire break and short circuit are not considered here since they are
systematic faults.
SILCL determination
The SILCL is determined from HFT and SFF (table 8-13):
• SILCL 3
Note: For explanations of the calculation of the PFHD value (PFHD), please
refer to chapter 9.8.
#Subsystem element
Type: SIRIUS position switch
Technical data: Chapter 27.5
Result → Dangerous failure rate of the #subsystem element (λDe): 2.5 × 10^-9 /h
Result → #PFHD value (PFHD) of the #subsystem: 2.5 × 10^-10
Note: Wire break and short circuit are not considered here since they are
systematic faults.
DC calculation
The DC is calculated from the above failure rates (table 9-20):
• DC = λDD,total / λD,total = (Σ λDD) / (Σ λD) = λDD / λD = 1
The requirements for the #systematic safety integrity equally apply to all
#subsystems. Also #subsystem 1 must meet these requirements.
20.6 Summary
#Subsystem 1: SILCL 3, PFHD = 2.5 × 10^-10
Overview
The design of #subsystem 2 is shown in figure 19-1.
The requirements for #subsystem 2 are listed in the table below
(chapter 17):
Table 21-1
#Subsystem 2 requirements:
Function: Evaluating the detected position and triggering associated action.
#Safety integrity: SILCL 3
Description of #subsystem 2
#Subsystem 2 is a ready-made #subsystem. #Subsystem 2 is realized with
“SIMATIC S7 Distributed Safety”.
“SIMATIC S7 Distributed Safety” is certified according to IEC 61508.
The following “SIMATIC Distributed Safety” components are used in
#subsystem 2:
• Fail-safe CPU: F-CPU
• Fail-safe I/O modules: F-DI and F-DO of the ET200S
• Software for programming and configuring: S7 Distributed Safety
Description of F-DI
See #subsystem 1: Chapter 20.1.
Description of F-DO
See #subsystem 3: Chapter 22.1.
Description of F-CPU
The F-CPU processes the user program. The user program consists of the
following parts:
• Standard program (S program)
• Fail-safe program (F program)
The safety-related tasks are performed in the F program, the non-safety-
related tasks are executed in the S program.
If the “0” state of at least one position switch is read, the contactors of
#subsystem 3 are switched off. This disconnects the motor from the supply.
The motor must only be switched on again when the two following
requirements are met:
• The operator has acknowledged.
• Both position switches supply “1” (protective cover closed).
Description of DI
DI is a standard input module of SIMATIC. The DI is used for the
diagnostics of #subsystem 3 (readback of the contactors).
PFHD of #subsystem 2
PFHD (#subsystem 2) = PFHD (F-CPU) + PFHD (F I/O) + PTE (F Communication)
Result → #PFHD value (PFHD) of the #subsystem: 1.743 × 10^-9
21.6 Summary
#Subsystem 2: SILCL 3, PFHD = 1.743 × 10^-9
Overview
The design of #subsystem 3 is shown in figure 19-1.
The requirements for #subsystem 3 are listed in the table below
(chapter 17):
Table 22-1
#Subsystem 3 requirements:
Function: Disconnecting motor from the supply.
#Safety integrity: SILCL 3
Description of #subsystem 3
Diagnostics of #subsystem 3
The following diagnostics have been realized for #subsystem 3:
Table 22-3
Procedure
The #SIL claim limit (SILCL) of #subsystem 3 is determined in this chapter.
To do this, first the hardware fault tolerance (HFT) and the #safe failure
fraction (SFF) are determined. Subsequently, the SILCL is determined
(chapter 8.7).
HFT determination
A failure of a #subsystem element does not cause the loss of the #safety-
related control function (SRCF). Consequently, the #fault tolerance of
#subsystem 3 is one: HFT = 1
SFF determination
SFF refers to the #subsystem. For #subsystems with several identical
#subsystem elements, it is sufficient to consider one #subsystem element
Note: Wire break and short circuit are not considered here since they are
systematic faults.
SILCL determination
The SILCL is determined from HFT and SFF (table 8-13):
• SILCL 3
Note: For explanations of the calculation of the PFHD value (PFHD), please
refer to chapter 9.8.
#Subsystem element
Type: SIRIUS contactor
Technical data: Chapter 27.5
Result → Dangerous failure rate of the #subsystem element (λDe): 9.4 × 10^-9 /h
Result → #PFHD value (PFHD) of the #subsystem: 9.4 × 10^-10
Note: Wire break and short circuit are not considered here since they are
systematic faults.
DC calculation
The DC is calculated from the above failure rates (table 9-20):
• DC = λDD,total / λD,total = (Σ λDD) / (Σ λD) = λDD / λD = 1
The requirements for the #systematic safety integrity equally apply to all
22.6 Summary
#Subsystem 3: SILCL 3, PFHD = 9.4 × 10^-10
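The HFT, SFF, SILCL and PFHD derivation carried out above for #subsystem 1 (chapter 20) and #subsystem 3 (chapter 22), worked through in code as an added example; this is not code from the Siemens document. The element failure rates (2.5 × 10^-9 /h and 9.4 × 10^-9 /h) and DC = 1 are the document's values; the common cause factor β = 10 %, the proof test interval T1 = 20 years, the diagnostic test interval T2 = 1 h, the SFF of 95 % and all function names are assumptions. The PFHD formula is the IEC 62061 basic subsystem architecture D formula for two elements of the same design, and with DC = 1 its common cause term β · λDe is what reproduces the document's 2.5 × 10^-10 and 9.4 × 10^-10.

```python
"""PFHD of a two-channel subsystem with diagnostics (IEC 62061 basic
subsystem architecture D) and the SILCL look-up from HFT and SFF.

Added worked example, not code from the Siemens document. Failure rates are
the document's values for #subsystem 1 (SIRIUS position switch) and
#subsystem 3 (SIRIUS contactor); beta, T1, T2 and SFF are assumptions."""

HOURS_PER_YEAR = 8760.0


def diagnostic_coverage(lambda_dd: float, lambda_d: float) -> float:
    """DC = (sum of detected dangerous failure rates) / (sum of dangerous
    failure rates). For one subsystem element this is lambda_DD / lambda_D."""
    if lambda_d <= 0.0:
        raise ValueError("lambda_D must be positive")
    return lambda_dd / lambda_d


def silcl_from_hft_sff(hft: int, sff: float):
    """SIL claim limit from hardware fault tolerance and safe failure fraction
    (IEC 62061 architectural constraints table). Returns None where the
    combination is not allowed (SFF < 60 % with HFT = 0)."""
    if hft not in (0, 1, 2) or not 0.0 <= sff <= 1.0:
        raise ValueError("HFT must be 0, 1 or 2 and SFF a fraction 0..1")
    if sff < 0.60:
        row = (None, 1, 2)
    elif sff < 0.90:
        row = (1, 2, 3)
    elif sff < 0.99:
        row = (2, 3, 3)      # the document's case: HFT = 0 gives only SILCL 2
    else:
        row = (3, 3, 3)
    return row[hft]


def pfhd_architecture_d(lambda_de: float, dc: float, beta: float,
                        t1_h: float, t2_h: float) -> float:
    """PFHD of two identical elements in a redundant structure with
    diagnostics (architecture D, elements of the same design):

        lambda_D = (1 - beta)^2 * ( lambda_De^2 * 2 * DC * T2 / 2
                                  + lambda_De^2 * (1 - DC) * T1 )
                   + beta * lambda_De
        PFHD     = lambda_D * 1 h

    lambda_de: dangerous failure rate of one element per hour
    dc:        diagnostic coverage of the element (0..1)
    beta:      common cause failure factor from the CCF scoring (0..1)
    t1_h:      proof test interval or lifetime in hours
    t2_h:      diagnostic test interval in hours
    """
    if not (0.0 <= dc <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("DC and beta are fractions between 0 and 1")
    detected = lambda_de ** 2 * 2.0 * dc * t2_h / 2.0
    undetected = lambda_de ** 2 * (1.0 - dc) * t1_h
    return (1.0 - beta) ** 2 * (detected + undetected) + beta * lambda_de


def subsystem_figures(name: str, lambda_de: float, sff: float,
                      dc: float = 1.0, beta: float = 0.10,
                      lifetime_years: float = 20.0, t2_h: float = 1.0) -> dict:
    """HFT, SILCL and PFHD of one dual-channel subsystem. beta = 10 %,
    T1 = 20 years and T2 = 1 h are assumptions; with DC = 1 the term
    beta * lambda_De dominates the result."""
    hft = 1  # one element may fail without loss of the SRCF
    return {
        "subsystem": name,
        "hft": hft,
        "silcl": silcl_from_hft_sff(hft, sff),
        "pfhd": pfhd_architecture_d(lambda_de, dc, beta,
                                    lifetime_years * HOURS_PER_YEAR, t2_h),
    }


if __name__ == "__main__":
    for label, lam in (("#Subsystem 1 (position switches)", 2.5e-9),
                       ("#Subsystem 3 (contactors)", 9.4e-9)):
        print(subsystem_figures(label, lam, sff=0.95))
```

Lowering DC or raising β shows why the document's redundant design still depends on the diagnostics and the CCF measures: with DC = 0 the T1 term grows with the proof test interval, and β enters the PFHD linearly.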
In this step it is checked whether the required #safety integrity level (SIL) is
achieved for each #safety-related control function (SRCF) with the realized
#safety system (SRECS).
23.2 Procedure
To ensure that the SIL required for the SRCF is achieved, the following
requirements have to be met for each individual SRCF:
The requirements are graded according to the SIL:
• The #SIL claim limit (SILCL) of each SRCF #subsystem must at least
correspond to the #safety integrity level (SIL) of the SRCF.
• The sum of the #PFHD values (PFHD) of all SRCF #subsystems must
not exceed the #PFHD value (PFHD) specified by the #safety integrity
The more #subsystems are required for the performance of a SRCF, the
higher the probability that one of these #subsystems fails. Thus also the
probability of a SRCF failure is higher. This aspect is taken into account
by adding up the #PFHD values (PFHD) of the #subsystems.
The required #safety integrity level (SIL) for the #safety-related control
function (SRCF) is achieved when the two requirements listed below are
met.
Table 23-1
Requirement – Description
SILCL_Min ≥ SIL – The SILCL of each #subsystem of the SRCF must at least correspond to the SIL of the SRCF.
PFHD (SRCF) ≤ PFHD (SIL) – The sum of the #PFHD values (PFHD) must not be larger than the #PFHD value (PFHD) defined by the SIL.
If the required SIL for a SRCF is not achieved, the design of the
#subsystem has to be reworked.
Depending on whether either SILCL or PFHD has not been achieved,
different options exist:
23.3 Application
The risk analysis and the risk assessment for our example machine have
yielded the following result:
• A SRCF with SIL 3 is necessary.
A #safety system (SRECS) consisting of three #subsystems was realized
for this SRCF. The properties are summarized in the table below.
Table 23-2
Result:
• SIL 3 is achieved with the #safety system (SRECS)!
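The two-part check of table 23-1 applied to the SRECS of the application example, as an added example (not code from the Siemens document). The subsystem figures are the ones derived in chapters 20 to 22 (SILCL 3 each; PFHD 2.5 × 10^-10, 1.743 × 10^-9 and 9.4 × 10^-10), and the SIL 3 limit of 10^-7 is the one cited from table 9-2; the limits for SIL 1 and SIL 2 are the IEC 62061 range limits, and the function names are assumptions. The check also reports which of the two requirements failed, which is what decides the rework option mentioned in the procedure.

```python
"""Step 7 check: does the realized SRECS reach the SIL required for the SRCF?
Added worked example, not code from the Siemens document."""

# Upper limit (exclusive) of the PFHD range belonging to each SIL, per hour
PFHD_LIMIT = {1: 1e-5, 2: 1e-6, 3: 1e-7}

# (name, SILCL, PFHD per hour) as derived in the document for the example SRECS
SRECS_SUBSYSTEMS = [
    ("#Subsystem 1 (position switches)", 3, 2.5e-10),
    ("#Subsystem 2 (F-PLC)", 3, 1.743e-9),
    ("#Subsystem 3 (contactors)", 3, 9.4e-10),
]


def verify_srcf(required_sil: int, subsystems) -> dict:
    """Applies the two requirements of table 23-1:
    SILCL_min >= SIL and PFHD(SRCF) = sum of the subsystem PFHDs below the
    PFHD limit of the SIL. The result names the subsystems whose SILCL is
    too low so the designer knows whether the SILCL or the PFHD budget
    has to be reworked."""
    if required_sil not in PFHD_LIMIT:
        raise ValueError("SIL must be 1, 2 or 3")
    if not subsystems:
        raise ValueError("an SRCF needs at least one subsystem")
    min_silcl = min(silcl for _, silcl, _ in subsystems)
    total_pfhd = sum(pfhd for _, _, pfhd in subsystems)
    below_sil = [name for name, silcl, _ in subsystems if silcl < required_sil]
    silcl_ok = min_silcl >= required_sil
    pfhd_ok = total_pfhd < PFHD_LIMIT[required_sil]
    return {
        "required_sil": required_sil,
        "min_silcl": min_silcl,
        "total_pfhd": total_pfhd,
        "silcl_ok": silcl_ok,
        "pfhd_ok": pfhd_ok,
        "subsystems_below_sil": below_sil,
        "achieved": silcl_ok and pfhd_ok,
    }


def report(result: dict) -> str:
    """Human-readable summary of a verify_srcf() result."""
    ok = lambda flag: "ok" if flag else "NOT ok"
    lines = [
        f"required SIL {result['required_sil']}",
        f"SILCL_min = {result['min_silcl']} -> {ok(result['silcl_ok'])}",
        f"PFHD(SRCF) = {result['total_pfhd']:.3e} /h -> {ok(result['pfhd_ok'])}",
    ]
    if result["subsystems_below_sil"]:
        lines.append("rework SILCL of: " + ", ".join(result["subsystems_below_sil"]))
    lines.append("SIL achieved" if result["achieved"] else "SIL NOT achieved")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(verify_srcf(3, SRECS_SUBSYSTEMS)))
```

For the example SRECS the sum is 2.933 × 10^-9, well under 10^-7; the second check only becomes the binding one when many subsystems, or a subsystem without diagnostics, share the same SRCF.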
25.2 Procedure
• Circuit diagram
26.2 Procedure
APPENDIX
27 Background Information
It is not necessarily required to read this chapter. It provides in-depth
information on selected topics. The pieces of information in the following
chapters are independent of one another; their order is arbitrary.
Step – Activity
Risk analysis – Identifying the hazards on a machine for all modes and in each phase of the lifetime of the machine.
Risk assessment – Assessing the risk arising from these hazards and deciding on adequate risk reduction.
The order of the measures listed above must be complied with. At first, it
must be attempted to make the machine safer via an intrinsically safe
design. Guards to reduce the risk (example: Protective cover) are only used
after this has been attempted.
The following standards have to be applied in the European Union (EU) for
risk analysis and risk assessment:
Table 27-2
Risk analysis and risk assessment are iterative processes. The figure
below shows the basic procedure.
Figure 27-1
Step – Activity
1st step – Assessment of the #subsystem with regard to the effectiveness of the used measures for protection against “common cause failures”. During this assessment points are awarded for used measures (examples, see table 27-4).
2nd step – Determination of the CCF factor from the overall score (see table 27-5): Many measures yield a high overall score.
The table below is an incomplete excerpt from IEC 62061 (table F.1).
Table 27-4
de-energized
All contacts remain in the de-energized position when the coil is energized: 25%
Contacts will not open: 10%
Contacts will not close: 10%
Simultaneous short circuit between three contacts of a change-over contact: 10%
Simultaneous closing of normally open and normally closed contacts: 10%
Short circuit between two pairs of contacts and/or between contacts and coil terminal: 10%
Data source
The data are from the manuals of the corresponding components. When
using a component, the respective manual must always be referred to. This
ensures that the most current values are determined.
Component: F-CPU
Table 27-7
Communication
Table 27-9
PTE
Fail-safe communication F-CPU <-> F-I/O (PROFIBUS): 1.00 × 10^-9
Data source
The data are from a recommendation of the A&D CD (of 02/01/06):
• “Recommendation of the standard B10 values for the application
of EN 62061”
The table below shows excerpts of the SIRIUS standard B10 values for
electromechanical components.
Table 27-10
The terms fault and failure are of great importance when applying
IEC 62061. To illustrate this importance, simple examples will be used to
explain the terms in this chapter. The exact definitions of the terms
according to IEC 62061 are listed in chapter 28.1.
27.6.1 Fault
A #safety system (SRECS) must be realized in such a way that it meets all
requirements according to the required SIL.
The objective during the realization is to minimize the probability of
dangerous systematic and random faults.
Faults
Faults affect the function of:
• SRECS or
• #subsystem or
• #subsystem element.
The loss of the #safety-related control function (SRCF) may cause the loss
of the #safety function.
Explanation of “may”:
“Loss of the SRCF” means that the required function of the SRCF is no
longer performed.
The fault may be detected by diagnostics, i.e. by other measures in the
SRECS that are not assigned to the SRCF. A fault reaction of the SRECS can
then prevent the occurrence of a dangerous state on the machine. This means
that the #safety function is ultimately fulfilled via a second path
(independent of the SRCF).
Examples for clarification: Chapter 27.6.4
Dangerous faults cause dangerous failures, safe faults cause safe failures
(chapter 27.6.3).
27.6.2 Diagnostics
27.6.3 Failure
Role of diagnostics
In the event of a failure of a SRCF (“first switch-off option” failure), the
#safety function does not necessarily have to fail. If diagnostics (fault
detection) are provided in the SRECS, the #safety function can be
maintained by corresponding fault reaction (“second switch-off option”).
The model shown below is the basis:
Figure 27-2
Failure modes
The figure below shows the considered failure modes. A failure rate λ
(probability of failure) is assigned to each failure mode.
Figure 27-3
Meaning of “may”:
Depending on the #subsystem (with / without redundancy, with / without
diagnostics), the failure of a #subsystem element causes a dangerous
state on the machine or not. Examples to illustrate this are listed in chapter
27.6.4.
The next chapters use simple, specific examples to answer the following
questions:
• How does a dangerous fault affect #subsystems with different
architectures?
• When is a #safety function or a SRCF lost?
• What is the role of diagnostics?
The examples follow the four basic subsystem architectures of IEC 62061:
Table 27-13
#Subsystem: 1 contactor
Effect – Explanation
Loss of the SRCF: Yes – The #subsystem cannot perform the required function.
Loss of the #safety function: Yes – Due to loss of the SRCF and the missing diagnostics.
Fault type: Dangerous – The fault causes a dangerous state on the machine.
#Subsystem: 1 contactor, with diagnostics by readback
Effect – Explanation
Loss of the SRCF: Yes – The #subsystem cannot perform the required function.
Loss of the #safety function: No – The SRECS detects the fault (diagnostics). The fault reaction of the SRECS ensures that no dangerous state occurs on the machine.
Fault type: Dangerous – The fault may cause a dangerous state on the machine: In the event of a diagnostics failure, a dangerous state would occur on the machine.
#Subsystem: 2 contactors in series
Effect – Explanation
Loss of the SRCF: No – The #subsystem can perform the required function while the second contactor is faultless.
Loss of the #safety function: No – No loss of the SRCF (see above).
Fault type: Dangerous – The fault may cause a dangerous state on the
Effect – Explanation
Loss of the SRCF: Yes – The #subsystem cannot perform the required function.
Loss of the #safety function: Yes – Due to loss of the SRCF and the missing diagnostics.
Fault type: Dangerous – The fault causes a dangerous state on the machine.
#Subsystem: 2 contactors in series, with diagnostics via readback.
Effect – Explanation
Loss of the SRCF: No – The #subsystem can perform the required function while the second contactor is faultless.
Loss of the #safety function: No – No loss of the SRCF (see above).
Fault type: Dangerous – The fault may cause a dangerous state on the
Effect – Explanation
Loss of the SRCF: Yes – The #subsystem cannot perform the required function.
Loss of the #safety function: No – The SRECS detects the fault (diagnostics). The fault reaction of the SRECS ensures that no dangerous state occurs on the machine.
Type of the faults: Dangerous – The faults may cause a dangerous state on the machine: In the event of a diagnostics failure, a dangerous state would occur on the machine.
• Restart of the machine is prevented until the fault has been corrected.
Figure 27-10
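The effect tables for the four #subsystem architectures above (one or two contactors in series, with or without diagnostics by readback) reduced to a small executable model, as an added illustration that is not part of the Siemens document. The dangerous fault modelled is “contacts will not open” (a welded contactor); the class names, the `welded` attribute and the assumption that the fault reaction (the “second switch-off option”) prevents the dangerous state whenever readback detects the fault are mine. The model also covers the accumulation of two faults in the redundant architectures, which the text on Categories 3 and 4 refers to.

```python
"""Effect of dangerous 'contacts will not open' faults on the four
subsystem architectures: 1 or 2 contactors in series, with or without
diagnostics by readback. Added illustration, not part of the Siemens
document; classes and the 'welded' fault are assumptions."""

from dataclasses import dataclass
from typing import List


@dataclass
class Contactor:
    welded: bool = False       # dangerous fault: main contacts will not open
    energized: bool = True     # coil state commanded by the F-CPU

    def contacts_closed(self) -> bool:
        # A welded contactor keeps supplying the motor although de-energized.
        return self.energized or self.welded


@dataclass
class Subsystem:
    contactors: List[Contactor]
    readback: bool             # diagnostics: auxiliary contacts read back by the SRECS
    restart_inhibited: bool = False

    def stop_request(self) -> dict:
        """Protective cover opened: de-energize all contactors and judge the
        effect in the terms of the effect tables (loss of SRCF, loss of the
        safety function, fault detected)."""
        for c in self.contactors:
            c.energized = False
        # Contactors in series: the motor stays supplied only if every contactor is closed
        srcf_lost = all(c.contacts_closed() for c in self.contactors)
        # Readback compares the expected 'open' state with the actual contact state
        fault_detected = self.readback and any(c.contacts_closed() for c in self.contactors)
        if fault_detected:
            self.restart_inhibited = True   # fault reaction: no restart until repaired
        # Assumption: the fault reaction (second switch-off option) prevents the
        # dangerous state whenever the fault is detected.
        safety_function_lost = srcf_lost and not fault_detected
        return {
            "srcf_lost": srcf_lost,
            "fault_detected": fault_detected,
            "safety_function_lost": safety_function_lost,
            "restart_inhibited": self.restart_inhibited,
        }


def evaluate(n_contactors: int, readback: bool, n_welded: int) -> dict:
    """Builds a subsystem of n_contactors in series, injects n_welded
    dangerous faults and returns the effect of a stop request."""
    if n_contactors < 1 or not 0 <= n_welded <= n_contactors:
        raise ValueError("need at least one contactor and 0..n_contactors faults")
    sub = Subsystem(
        contactors=[Contactor(welded=i < n_welded) for i in range(n_contactors)],
        readback=readback,
    )
    return sub.stop_request()


if __name__ == "__main__":
    for n, rb in ((1, False), (1, True), (2, False), (2, True)):
        for faults in range(1, n + 1):
            print(n, "contactor(s)", "with" if rb else "without", "readback,",
                  faults, "fault(s):", evaluate(n, rb, faults))
```

Running it reproduces the four tables row by row: a single fault loses the SRCF only in the single-contactor architectures, and the safety function is lost only where no readback exists; with two welded contactors the redundant architecture loses the SRCF too, and only the readback variant keeps the safety function.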
Category B
Requirements: The safety-related parts of control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle to achieve safety: Mainly characterized by selection of components
Category 1
Requirements: The requirements of B shall apply. Well-proven components and well-proven safety principles must be applied.
System behaviour: The occurrence of a fault can result in the loss of the safety function, but the probability of occurrence is less than in Category B.
Principle to achieve safety: Mainly characterized by selection of components
Category 2
Requirements: The requirements of B and the use of well-proven safety principles must be fulfilled. The safety function shall be checked at suitable intervals by the machine control system.
System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of the safety function is detected by the check.
Principle to achieve safety: Mainly characterized by structure
Category 3
Requirements: The requirements of B and the use of well-proven safety principles must be fulfilled. Safety-related parts shall be designed, so that: 1. a single fault in any of these parts does not lead to the loss of the safety function, and 2. whenever reasonably practicable, the single fault is detected.
System behaviour: If the individual fault occurs, the safety function always remains. Some but not all faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle to achieve safety: Mainly characterized by structure
Category 4
Requirements: The requirements of B and the use of well-proven safety principles must be fulfilled. Safety-related parts shall be designed, so that: 1. a single fault in any of these parts does not lead to the loss of the safety function, and 2. the single fault is detected at or before the next demand upon the safety function. If this is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
System behaviour: If faults occur, the safety function always remains. Detection of accumulated faults reduces the probability of the loss of the safety function. The faults will be detected in time to prevent the loss of the safety function.
Principle to achieve safety: Mainly characterized by structure
28 Glossary
Terms and abbreviations from IEC 62061 are used in the document. The
associated definitions from IEC 62061 are listed in this chapter.
The conventions are explained in chapter 1.1:
• Marking of terms with “#”
• “Abbreviated notation” of terms
#Failure (abbreviated notation: Failure; chapter 27.6): Termination of the ability of a SRECS, a #subsystem or a #subsystem element to perform a required function.
#Diagnostic coverage (DC): See “DC” (table 28-2)
#Fault (abbreviated notation: Fault; chapter 27.6): Abnormal condition that may cause a reduction in or loss of the capability of a SRECS, a #subsystem or a #subsystem element to perform a required function.
#Fault tolerance (abbreviated notation: Fault tolerance; chapter 8.3.1): Ability of a SRECS, a #subsystem or #subsystem element to continue to perform a required function in the presence of faults or failures.
is from input devices, data circuits and other communication paths and
Abbreviation Meaning
29 Information Directory
Table 29-1
(*x) Explanations
(*1) Significant corrections are listed here:
Formula, calculation, statement, ...
(*2) Significant editorial amendments are listed here:
Wording, extension, structure, ...