GB/T 16855.1-2018 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design (English Version)
Standard No.: GB/T 16855.1-2018
English Name: Safety of machinery-Safety-related parts of control systems-Part 1: General principles for design
Chinese Name: 机械安全 控制系统安全相关部件 第1部分:设计通则
Chinese Classification: J09 Hygiene, safety and labor protection
Professional Classification: GB    National Standard
Source Content Issued by: SAMR; SAC
Issued on: 2018-12-28
Implemented on: 2019-7-1
Status: superseded
Superseded by: GB/T 16855.1-2025
Superseded on: 2025-8-29
Superseding: GB/T 16855.1-2008 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
Target Language: English
File Format: PDF
Word Count: 42500 words
Translation Price(USD): 900.0
Delivery: via email in 1 business day
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.

Foreword
GB/T 16855 consists of the following two parts under the general title Safety of machinery — Safety-related parts of control systems:
——Part 1: General principles for design;
——Part 2: Validation.
This part is Part 1 of GB/T 16855.
This part is developed in accordance with the rules given in GB/T 1.1-2009.
This part replaces GB/T 16855.1-2008 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. In addition to a number of editorial changes, the following technical changes have been made with respect to GB/T 16855.1-2008:
——The Chinese name of the standard is changed to “机械安全 控制系统安全相关部件 第1部分:设计通则” (the English name remains the same);
——Table 1 in the introduction is deleted (see the introduction of the 2008 edition);
——The Chinese term “系统失效” is modified to “系统性失效” (the corresponding English term remains the same) (see 3.1.7; 3.1.7 of the 2008 edition);
——The Chinese term “平均危险失效时间” is modified to “平均危险失效间隔时间” (the corresponding English term remains the same) and its abbreviation is modified to “MTTFD” (see 3.1.25; 3.1.25 of the 2008 edition);
——The terms “high demand or continuous mode” and “proven in use” and their definitions are added (see 3.1.38 and 3.1.39);
——Figure 1 is modified (see Figure 1; Figure 1 of the 2008 edition);
——The requirements for the description of the output part of the SRP/CS by category are added (see 4.5.5);
——The calculation or estimation of MTTFD values for single components is modified (see Annex C; Annex C of the 2008 edition);
——Annex I is redrafted (see Annex I; Annex I of the 2008 edition).
This part, by means of translation, is identical to ISO 13849-1:2015 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design.
The Chinese documents consistent and corresponding with the normative international documents in this part are as follows:
——GB 28526-2012 Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems (IEC 62061:2005, IDT);
——GB/T 30175-2013 Safety of machinery — Guidance on the application of GB/T 16855.1 and GB 28526 in the design of safety-related control systems (ISO/TR 23849:2010, IDT).
The following editorial modifications have been made in this part:
——Editorial errors in Table 1 are corrected, and “Table 3” is changed to “Table 2”, “Table 4” to “Table 3” and “Table 7” to “Table 6”.
This part was proposed by and is under the jurisdiction of the National Technical Committee on Machinery Safety of Standardization Administration of China (SAC/TC 208).
The previous editions of this part are as follows:
——GB/T 16855.1-1997, GB/T 16855.1-2005 and GB/T 16855.1-2008.

Introduction
The structure of safety standards in the field of machinery is as follows.
a) Type-A standards (basis standards) give basic concepts, principles for design and general aspects that can be applied to machinery.
b) Type-B standards (generic safety standards) deal with one safety aspect, or one type of safeguard that can be used across a wide range of machinery:
——Type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
——Type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive devices, guards).
c) Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.
This part is a type-B1 standard as stated in GB/T 15706.
This document is of relevance, in particular, for the following stakeholder groups representing the market players with regard to machinery safety:
——machine manufacturers;
——health and safety bodies.
Others can be affected by the level of machinery safety achieved with the means of the document by the above-mentioned stakeholder groups:
——machine users;
——machine owner;
——service providers;
——consumers (in case of machinery intended for use by consumers).
The above-mentioned stakeholder groups have been given the possibility to participate in the drafting process of this document.
In addition, this document is intended for standardization bodies elaborating type-C standards.
The requirements of this document can be supplemented or modified by a type-C standard. For machines which are covered by the scope of a type-C standard and which have been designed and built according to the requirements of that standard, the requirements of that type-C standard take precedence.
This part is intended to give guidance to those involved in the design and assessment of control systems, and to Technical Committees preparing type-B or type-C standards.
As part of the overall risk reduction strategy at a machine, a designer will often choose to achieve some measure of risk reduction through the application of safeguards employing one or more safety functions. Parts of machinery control systems that are assigned to provide safety functions are called safety-related parts of control systems (SRP/CS); these can consist of hardware and software and can be either separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions (e.g. two-hand controls as a means of process initiation).
The ability of safety-related parts of control systems to perform a safety function under foreseeable conditions is allocated one of five levels, called performance levels (PL). These performance levels are defined in terms of probability of dangerous failure per hour (see Table 2).
The probability of dangerous failure of the safety function depends on several factors, including hardware and software structure, the extent of fault detection mechanisms [diagnostic coverage (DC)], reliability of components [mean time to dangerous failure (MTTFD), common cause failure (CCF)], design process, operating stress, environmental conditions and operation procedures.
In order to assist the designer and facilitate the assessment of the achieved PL, this document employs a methodology based on the categorization of structures according to specific design criteria and specified behaviours under fault conditions. These categories are allocated one of five levels, termed Categories B, 1, 2, 3 and 4.
The performance levels and categories can be applied to safety-related parts of control systems, such as
——protective devices (e.g. two-hand control devices, interlocking devices), electro-sensitive protective devices (e.g. photoelectric barriers), pressure sensitive devices,
——control units (e.g. a logic unit for control functions, data processing, monitoring, etc.), and
——power control elements (e.g. relays, valves, etc.),
as well as to control systems carrying out safety functions at all kinds of machinery — from simple (e.g. small kitchen machines, or automatic doors and gates) to manufacturing installations (e.g. packaging machines, printing machines, presses).
This part is intended to provide a clear basis upon which the design and performance of any application of the SRP/CS (and the machine) can be assessed, for example, by a third party, in-house or by an independent test house.
Information on the recommended application of IEC 62061 and this part of GB/T 16855
IEC 62061 and this part specify requirements for the design and implementation of safety-related parts of machine control systems. The use of either of these standards, in accordance with their scopes, can be presumed to fulfil the relevant essential safety requirements.
ISO/TR 23849 gives guidance on the application of this part of GB/T 16855 and IEC 62061 in the design of safety-related control systems for machinery.

Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

1 Scope
This part of GB/T 16855 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. For these parts of SRP/CS, it specifies characteristics that include the performance level required for carrying out safety functions.
It applies to SRP/CS for high demand and continuous mode, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery.
It does not specify the safety functions or performance levels that are to be used in a particular case.
This part of GB/T 16855 provides specific requirements for SRP/CS using programmable electronic system(s).
It does not give specific requirements for the design of products which are parts of SRP/CS. Nevertheless, the principles given, such as categories or performance levels, can be used.
Note 1: Examples of products which are parts of SRP/CS: relays, solenoid valves, position switches, PLCs, motor control units, two-hand control devices, pressure sensitive equipment. For the design of such products, it is important to refer to the specifically applicable standards, e.g. GB/T 19671, GB/T 17454.1 and GB/T 17454.2.
Note 2: For the definition of required performance level, see 3.1.24.
Note 3: The requirements provided in this part for programmable electronic systems are compatible with the methodology for the design and development of safety-related electrical, electronic and programmable electronic control systems for machinery given in IEC 62061.
Note 4: For safety-related embedded software for components with PLr = e, see IEC 61508-3:1998, Clause 7.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 2900.13-2008 Electrotechnical terminology — Dependability and quality of service [IEC 60050(191):1990, IDT]
GB/T 15706-2012 Safety of machinery — General principles for design — Risk assessment and risk reduction (ISO 12100:2010, IDT)
GB/T 16855.2-2015 Safety of machinery — Safety-related parts of control systems — Part 2: Validation (ISO 13849-2:2012, IDT)
GB 20438.3-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 3: Software requirements (IEC 61508-3:2010, IDT)
GB/T 20438.4-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 4: Definitions and abbreviations (IEC 61508-4:2010, IDT)
ISO/TR 22100-2:2013 Safety of machinery — Relationship with ISO 12100 — Part 2: How ISO 12100 relates to ISO 13849-1
ISO/TR 23849 Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery
IEC 62061:2012 Safety of machinery — Functional safety of safety related electrical, electronic and programmable electronic control systems

3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 15706 and GB/T 2900.13 and the following apply.
3.1.1 safety-related part of a control system; SRP/CS
part of a control system that responds to safety-related input signals and generates safety-related output signals
Note 1: The combined safety-related parts of a control system start at the point where the safety-related input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2: If monitoring systems are used for diagnostics, they are also considered as SRP/CS.
3.1.2 category
classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability
3.1.3 fault
state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
Note 1: A fault is often the result of a failure of the item itself, but may exist without prior failure.
Note 2: In this part, “fault” means random fault.
[GB/T 2900.13-2008, Definition 191-05-01]
3.1.4 failure
termination of the ability of an item to perform a required function
Note 1: After a failure, the item has a fault.
Note 2: “Failure” is an event, as distinguished from “fault”, which is a state.
Note 3: The concept as defined does not apply to items consisting of software only.
Note 4: Failures which only affect the availability of the process under control are outside of the scope of this part.
[GB/T 2900.13-2008, Definition 191-04-01]
3.1.5 dangerous failure
failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state
Note 1: Whether or not the potential is realized can depend on the channel architecture of the system; in redundant systems a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.
Note 2: It is derived from GB/T 20438.4-2017, Definition 3.6.7.
3.1.6 common cause failure; CCF
failures of different items, resulting from a single event, where these failures are not consequences of each other
Note: Common cause failures should not be confused with common mode failures (see GB/T 15706-2012, Definition 3.36).
[GB/T 2900.13-2008, Definition 191-04-23]
3.1.7 systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors
Note 1: Corrective maintenance without modification will usually not eliminate the failure cause.
Note 2: A systematic failure can be induced by simulating the failure cause.
Note 3: Examples of causes of systematic failures include human error in
——the safety requirements specification;
——the design, manufacture, installation, operation of the hardware;
——the design, implementation, etc., of the software.
[GB/T 2900.13-2008, Definition 191-04-19]
3.1.8 muting
temporary automatic suspension of a safety function(s) by the SRP/CS
3.1.9 manual reset
function within the SRP/CS used to restore manually one or more safety functions before restarting a machine
3.1.10 harm
physical injury or damage to health
[GB/T 15706-2012, Definition 3.5]
3.1.11 hazard
potential source of harm
Note 1: A hazard can be qualified in order to define its origin (e.g. mechanical hazard, electrical hazard) or the nature of the potential harm (e.g. electric shock hazard, cutting hazard, toxic hazard, fire hazard).
Note 2: The hazard envisaged in this definition:
——either is permanently present during the intended use of the machine (e.g. motion of hazardous moving elements, electric arc during a welding phase, unhealthy posture, noise emission, high temperature);
——or may appear unexpectedly (e.g. explosion, crushing hazard as a consequence of an unintended/unexpected start-up, ejection as a consequence of a breakage, fall as a consequence of acceleration/deceleration).
Note 3: It is derived from GB/T 15706-2012, Definition 3.6.
3.1.12 hazardous situation
circumstance in which a person is exposed to at least one hazard
Note: The exposure can result in harm immediately or over a period of time.
[GB/T 15706-2012, Definition 3.10]
3.1.13 risk
combination of the probability of occurrence of harm and the severity of that harm
[GB/T 15706-2012, Definition 3.12]
3.1.14 residual risk
risk remaining after protective measures have been taken
Note 1: See Figure 2.
Note 2: It is derived from GB/T 15706-2012, Definition 3.13.
3.1.15 risk assessment
overall process comprising risk analysis and risk evaluation
[GB/T 15706-2012, Definition 3.17]
3.1.16 risk analysis
combination of the specification of the limits of the machine, hazard identification and risk estimation
[GB/T 15706-2012, Definition 3.15]
3.1.17 risk evaluation
judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved
[GB/T 15706-2012, Definition 3.16]
3.1.18 intended use of a machine
use of the machine in accordance with the information provided in the instructions for use
[GB/T 15706-2012, Definition 3.23]
3.1.19 reasonably foreseeable misuse
use of a machine in a way not intended by the designer, but which may result from readily predictable human behaviour
[GB/T 15706-2012, Definition 3.24]
3.1.20 safety function
function of the machine whose failure can result in an immediate increase of the risk(s)
[GB/T 15706-2012, Definition 3.30]
3.1.21 monitoring
safety function which ensures that a protective measure is initiated if the ability of a component or an element to perform its function is diminished or if the process conditions are changed in such a way that a decrease of the amount of risk reduction is generated
3.1.22 programmable electronic system; PES
system for control, protection or monitoring dependent for its operation on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, contactors and other output devices
Note: It is derived from IEC 61508-4:1998, Definition 3.3.2.
3.1.23 performance level; PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
Note: See 4.5.1.
3.1.24 required performance level; PLr
performance level (PL) applied in order to achieve the required risk reduction for each safety function
Note: See Figures 2 and A.1.
3.1.25 mean time to dangerous failure; MTTFD
expectation of the mean time to dangerous failure
Note: It is derived from GB 28526-2012, Definition 3.2.34.
3.1.26 diagnostic coverage; DC
measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures
Note 1: Diagnostic coverage can exist for the whole or parts of a safety-related system. For example, diagnostic coverage could exist for sensors and/or logic system and/or final elements.
Note 2: It is derived from IEC 61508-4:1998, 3.8.6.
3.1.27 protective measure
measure intended to achieve risk reduction
Example 1: Implemented by the designer: inherent design, safeguarding and complementary protective measures, information for use.
Example 2: Implemented by the user: organization (safe working procedures, supervision, permit-to-work systems), provision and use of additional safeguards, personal protective equipment, training.
Note: It is derived from GB/T 15706-2012, 3.19.
3.1.28 mission time; TM
period of time covering the intended use of an SRP/CS
3.1.29 test rate; rt
frequency of automatic tests to detect faults in an SRP/CS, reciprocal value of the diagnostic test interval
3.1.30 demand rate; rD
frequency of demands for a safety-related action of the SRP/CS
3.1.31 repair rate; rr
reciprocal value of the period of time between detection of a dangerous failure by either an online test or obvious malfunction of the system and the restart of operation after repair or system/component replacement
Note: The repair time does not include the span of time needed for failure detection.
3.1.32 machine control system
system which responds to input signals from parts of machine elements, operators, external control equipment or any combination of these and generates output signals causing the machine to behave in the intended manner
Note: The machine control system can use any technology or any combination of different technologies (e.g. electrical/electronic, hydraulic, pneumatic, mechanical).
3.1.33 safety integrity level; SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest
[IEC 61508-4:1998, 3.5.6]
3.1.34 limited variability language; LVL
type of language that provides the capability of combining predefined, application-specific library functions to implement the safety requirements specifications
Note 1: Typical examples of LVL (ladder logic, function block diagram) are given in GB/T 15969.3.
Note 2: A typical example of a system using LVL: PLC.
Note 3: It is derived from GB 21109.1-2007, 3.2.81.1.2.
3.1.35 full variability language; FVL
type of language that provides the capability of implementing a wide variety of functions and applications
Example: C, C++, Assembler.
Note 1: A typical example of systems using FVL: embedded systems.
Note 2: In the field of machinery, FVL is found in embedded software and rarely in application software.
Note 3: It is derived from GB 21109.1-2007, 3.2.81.1.3.
3.1.36 application software
software specific to the application, implemented by the machine manufacturer, and generally containing logic sequences, limits and expressions that control the appropriate inputs, outputs, calculations and decisions necessary to meet the SRP/CS requirements
3.1.37 embedded software; firmware; system software
software that is part of the system supplied by the control manufacturer and which is not accessible for modification by the user of the machinery
Note: Embedded software is usually written in FVL.
3.1.38 high demand or continuous mode
mode of operation in which the frequency of demands on an SRP/CS is greater than one per year or the safety-related control function retains the machine in a safe state as part of normal operation
Note: It is derived from IEC 62061:2012, 3.2.27.
3.1.39 proven in use
demonstration, based on an analysis of operational experience for a specific configuration of an element, that the likelihood of dangerous systematic faults is low enough so that every safety function that uses the element achieves its required performance level (PLr)
Note: It is revised from GB/T 20438.4-2017, 3.8.18.
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
3.2 Symbols and abbreviated terms
4 Design considerations
4.1 Safety objectives in design
4.2 Strategy for risk reduction
4.3 Determination of required performance level (PLr)
4.4 Design of SRP/CS
4.5 Evaluation of the achieved performance level PL and relationship with SIL
4.6 Software safety requirements
4.7 Verification that achieved PL meets PLr
4.8 Ergonomic aspects of design
5 Safety functions
5.1 Specification of safety functions
5.2 Details of safety functions
6 Categories and their relation to MTTFD of each channel, DCavg and CCF
6.1 General
6.2 Specifications of categories
6.3 Combination of SRP/CS to achieve overall PL
7 Fault consideration, fault exclusion
7.1 General
7.2 Fault consideration
7.3 Fault exclusion
8 Validation
9 Maintenance
10 Technical documentation
11 Information for use
Annex A (Informative) Determination of required performance level (PLr)
Annex B (Informative) Block method and safety-related block diagram
Annex C (Informative) Calculating or evaluating MTTFD values for single components
Annex D (Informative) Simplified method for estimating MTTFD for each channel
Annex E (Informative) Estimates for diagnostic coverage (DC) for functions and modules
Annex F (Informative) Estimates for common cause failure (CCF)
Annex G (Informative) Systematic failure
Annex H (Informative) Example of combination of several safety-related parts of the control system
Annex I (Informative) Examples
Annex J (Informative) Software
Annex K (Informative) Numerical representation of Figure
Bibliography
Referred in GB/T 16855.1-2018:
*GB/T 2900.13-2008 Electrotechnical terminology — Dependability and quality of service
*GB/T 15706-2012 Safety of machinery — General principles for design — Risk assessment and risk reduction
*GB/T 16855.2-2015 Safety of machinery — Safety-related parts of control systems — Part 2: Validation
*GB 20438.3-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 3: Software requirements
*GB/T 20438.4-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 4: Definitions and abbreviations
GB/T 16855.1-2018 is referred in:
*GB/T 18161-2020 Specifications of amusement rides fly tower category
*GB/T 18164-2020 Specifications of amusement rides wonder wheel category
*GB 21009-2007 Mine blast-hole drills—Safety requirements
*GB/T 29838-2013 Fuel cell modules
*GB/T 33504-2017 Mobile suspended work platform
*GB/T 18166-2008 Specifications of Amusement Rides Monorail Category
*GB 40161-2021 Filters—Safety requirements
*GB/T 20721-2022 Automatic guided vehicles—General specifications
*GB/T 41134.1-2021 Fuel cell power systems for industrial electric trucks—Part 1: Safety
*GB 17957-2021 Rock drilling machines and pneumatic tools—Safety requirements
*GB/T 35205.7-2021 Rough-terrain trucks—Safety requirements and verification—Part 7: Longitudinal load moment systems
*GB/T 30574-2021 Safety of machinery—Implementation criteria for safeguarding
*GB/T 22359.2-2022 Earth-moving and building construction machinery—Electromagnetic compatibility(EMC)of machines with internal electrical power supply— Part 2: Additional EMC requirements for functional safety
*GB/T 3836.9-2021 Explosive atmospheres—Part 9:Equipment protection by encapsulation “m”
*GB/T 41108.3-2021 Safety of machinery―Safety requirements for interlocking devices―Part 3:Trapped key interlocking devices and systems
*GB/T 19671-2022 Safety of machinery―Two-hand control devices―Principles for design and selection
*GB/T 18158-2019 Specifications of amusement rides merry-go-round category
*GB/T 18158-2008 Specifications of Amusement Rides Merry Go Round Category
*GB/T 41393-2022 Entertainment robots—Safety requirements and testing methods
*GB/T 18163-2020 Specifications of amusement rides astro fighter category
*GB/T 30784-2024 Food processing equipment—Motor-operated equipment—Planetary mixers
*GB/T 19670-2023 Safety of machinery—Prevention of unexpected start-up
*GB/T 45562-2025 Heavy mechanical—Design specifications for automation system
*GB/T 42596.1-2023 Machine tools safety—Presses—Part 1: General safety requirements
*GB/T 42596.3-2023 Machine tools safety—Presses—Part 3:Safety requirements for hydraulic presses
*GB/T 41344.1-2022 Safety of machinery—Risk early-warning—Part 1:General requirements
Code of China
Standard
GB/T 16855.1-2018  Safety of machinery-Safety-related parts of control systems-Part 1: General principles for design (English Version)
Standard No.GB/T 16855.1-2018
Statussuperseded
LanguageEnglish
File FormatPDF
Word Count42500 words
Price(USD)900.0
Implemented on2019-7-1
Deliveryvia email in 1 business day
Detail of GB/T 16855.1-2018
Standard No.
GB/T 16855.1-2018
English Name
Safety of machinery-Safety-related parts of control systems-Part 1: General principles for design
Chinese Name
机械安全 控制系统安全相关部件 第1部分:设计通则
Chinese Classification
J09
Professional Classification
GB
ICS Classification
Issued by
SAMR; SAC
Issued on
2018-12-28
Implemented on
2019-7-1
Status
superseded
Superseded by
GB/T 16855.1-2025
Superseded on
2025-8-29
Abolished on
Superseding
GB/T 16855.1-2008 Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
Language
English
File Format
PDF
Word Count
42500 words
Price(USD)
900.0
Keywords
GB/T 16855.1-2018, GB 16855.1-2018, GBT 16855.1-2018, GB/T16855.1-2018, GB/T 16855.1, GB/T16855.1, GB16855.1-2018, GB 16855.1, GB16855.1, GBT16855.1-2018, GBT 16855.1, GBT16855.1
Introduction of GB/T 16855.1-2018
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative. GB/T 16855 consists of the following two parts under the general title Safety of machinery — Safety-related parts of control systems: ——Part 1: General principles for design; ——Part 2: Validation. This part is Part 1 of GB/T 16855. This part is developed in accordance with the rules given in GB/T 1.1-2009. This part replaces GB/T 16855.1-2008 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. In addition to a number of editorial changes, the following technical changes have been made with respect to GB/T 16855.1-2008: ——The Chinese name of the standard is changed to “机械安全 控制系统安全相关部件 第1部分:设计通则” (the English name remains the same); ——Table 1 in the introduction is deleted (see the introduction in 2008 edition); ——The Chinese term "系统失效" is modified to "系统性失效" (the corresponding English term remains the same) (see 3.1.7; 3.1.7 of 2008 edition); ——The Chinese term "平均危险失效时间" is modified to "平均危险失效间隔时间" (the corresponding English term remains the same) and its abbreviation is modified to "MTTFD" (see 3.1.25; 3.1.25 of 2008 edition); ——The terms "high demand or continuous mode” and "proven in use" and their definitions are added (see 3.1.38 and 3.1.39); ——Figure 1 is modified (see Figure 1; Figure 1 of 2008 edition); ——The requirements of description of the output part of the SRP/CS by category are added (see 4.5.5); ——The calculation or estimation of MTTFD values for single components is modified (see Annex C; Annex C of 2008 edition); ——Annex I is redrafted (see Annex I; Annex I of 2008 edition). This part, by means of translation, is identical to ISO 13849-1:2015 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 
The Chinese documents consistent and corresponding with the normative international documents in this part are as follows:
——GB 28526-2012 Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems (IEC 62061:2005, IDT);
——GB/T 30175-2013 Safety of machinery — Guidance on the application of GB/T 16855.1 and GB 28526 in the design of safety-related control systems (ISO/TR 23849:2010, IDT).
The following editorial modifications have been made in this part:
——Editorial errors in Table 1 are corrected, and “Table 3” is changed to “Table 2”, “Table 4” to “Table 3” and “Table 7” to “Table 6”.
This part was proposed by and is under the jurisdiction of the National Technical Committee on Machinery Safety of Standardization Administration of China (SAC/TC 208).
The previous editions of this part are as follows:
——GB/T 16855.1-1997, GB/T 16855.1-2005 and GB/T 16855.1-2008.

Introduction
The structure of safety standards in the field of machinery is as follows.
a) Type-A standards (basis standards) give basic concepts, principles for design and general aspects that can be applied to machinery.
b) Type-B standards (generic safety standards) deal with one safety aspect, or one type of safeguard that can be used across a wide range of machinery:
——Type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
——Type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive devices, guards).
c) Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.
This part is a type-B1 standard as stated in GB/T 15706.
This document is of relevance, in particular, for the following stakeholder groups representing the market players with regard to machinery safety:
——machine manufacturers;
——health and safety bodies.
Others can be affected by the level of machinery safety achieved with the means of the document by the above-mentioned stakeholder groups:
——machine users;
——machine owners;
——service providers;
——consumers (in case of machinery intended for use by consumers).
The above-mentioned stakeholder groups have been given the possibility to participate in the drafting process of this document. In addition, this document is intended for standardization bodies elaborating type-C standards.
The requirements of this document can be supplemented or modified by a type-C standard. For machines which are covered by the scope of a type-C standard and which have been designed and built according to the requirements of that standard, the requirements of that type-C standard take precedence.
This part is intended to give guidance to those involved in the design and assessment of control systems, and to Technical Committees preparing type-B or type-C standards.
As part of the overall risk reduction strategy at a machine, a designer will often choose to achieve some measure of risk reduction through the application of safeguards employing one or more safety functions.
Parts of machinery control systems that are assigned to provide safety functions are called safety-related parts of control systems (SRP/CS); these can consist of hardware and software and can either be separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions (e.g. two-hand controls as a means of process initiation).
The ability of safety-related parts of control systems to perform a safety function under foreseeable conditions is allocated one of five levels, called performance levels (PL). These performance levels are defined in terms of probability of dangerous failure per hour (see Table 2).
The probability of dangerous failure of the safety function depends on several factors, including hardware and software structure, the extent of fault detection mechanisms [diagnostic coverage (DC)], reliability of components [mean time to dangerous failure (MTTFD), common cause failure (CCF)], design process, operating stress, environmental conditions and operation procedures.
In order to assist the designer and facilitate the assessment of the achieved PL, this document employs a methodology based on the categorization of structures according to specific design criteria and specified behaviours under fault conditions. These categories are allocated one of five levels, termed Categories B, 1, 2, 3 and 4.
The performance levels and categories can be applied to safety-related parts of control systems, such as
——protective devices (e.g. two-hand control devices, interlocking devices), electro-sensitive protective devices (e.g. photoelectric barriers), pressure sensitive devices,
——control units (e.g. a logic unit for control functions, data processing, monitoring, etc.), and
——power control elements (e.g. relays, valves, etc.),
as well as to control systems carrying out safety functions at all kinds of machinery, from simple (e.g. small kitchen machines, or automatic doors and gates) to manufacturing installations (e.g. packaging machines, printing machines, presses).
This part is intended to provide a clear basis upon which the design and performance of any application of the SRP/CS (and the machine) can be assessed, for example, by a third party, in-house or by an independent test house.
Information on the recommended application of IEC 62061 and this part of GB/T 16855
IEC 62061 and this part specify requirements for the design and implementation of safety-related parts of machine control systems. The use of either of these standards, in accordance with their scopes, can be presumed to fulfil the relevant essential safety requirements.
ISO/TR 23849 gives guidance on the application of this part of GB/T 16855 and IEC 62061 in the design of safety-related control systems for machinery.

Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

1 Scope
This part of GB/T 16855 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. For these parts of SRP/CS, it specifies characteristics that include the performance level required for carrying out safety functions.
It applies to SRP/CS for high demand and continuous mode, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery.
It does not specify the safety functions or performance levels that are to be used in a particular case.
This part of GB/T 16855 provides specific requirements for SRP/CS using programmable electronic system(s).
It does not give specific requirements for the design of products which are parts of SRP/CS. Nevertheless, the principles given, such as categories or performance levels, can be used.
Note 1: Examples of products which are parts of SRP/CS: relays, solenoid valves, position switches, PLCs, motor control units, two-hand control devices, pressure sensitive equipment. For the design of such products, it is important to refer to the specifically applicable standards, e.g. GB/T 19671, GB/T 17454.1 and GB/T 17454.2.
Note 2: For the definition of required performance level, see 3.1.24.
Note 3: The requirements provided in this part for programmable electronic systems are compatible with the methodology for the design and development of safety-related electrical, electronic and programmable electronic control systems for machinery given in IEC 62061.
Note 4: For safety-related embedded software for components with PLr=e, see IEC 61508-3:1998, Clause 7.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 2900.13-2008 Electrotechnical terminology — Dependability and quality of service [IEC 60050(191):1990, IDT]
GB/T 15706-2012 Safety of machinery — General principles for design — Risk assessment and risk reduction (ISO 12100:2010, IDT)
GB/T 16855.2-2015 Safety of machinery — Safety-related parts of control systems — Part 2: Validation (ISO 13849-2:2012, IDT)
GB 20438.3-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 3: Software requirements (IEC 61508-3:2010, IDT)
GB/T 20438.4-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 4: Definitions and abbreviations (IEC 61508-4:2010, IDT)
ISO/TR 22100-2:2013 Safety of machinery — Relationship with ISO 12100 — Part 2: How ISO 12100 relates to ISO 13849-1
ISO/TR 23849 Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery
IEC 62061:2012 Safety of machinery — Functional safety of safety related electrical, electronic and programmable electronic control systems

3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 15706 and GB/T 2900.13 and the following apply.
3.1.1 safety-related part of a control system; SRP/CS
part of a control system that responds to safety-related input signals and generates safety-related output signals
Note 1: The combined safety-related parts of a control system start at the point where the safety-related input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2: If monitoring systems are used for diagnostics, they are also considered as SRP/CS.
3.1.2 category
classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability
3.1.3 fault
state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
Note 1: A fault is often the result of a failure of the item itself, but may exist without prior failure.
Note 2: In this part, “fault” means random fault.
[GB/T 2900.13-2008, 191-05-01]
3.1.4 failure
termination of the ability of an item to perform a required function
Note 1: After a failure, the item has a fault.
Note 2: “Failure” is an event, as distinguished from “fault”, which is a state.
Note 3: The concept as defined does not apply to items consisting of software only.
Note 4: Failures which only affect the availability of the process under control are outside of the scope of this part.
[GB/T 2900.13-2008, Definition 191-04-01]
3.1.5 dangerous failure
failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state
Note 1: Whether or not the potential is realized can depend on the channel architecture of the system; in redundant systems a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.
Note 2: It is derived from GB/T 20438.4-2017, Definition 3.6.7.
3.1.6 common cause failure; CCF
failures of different items, resulting from a single event, where these failures are not consequences of each other
Note: Common cause failures should not be confused with common mode failures (see GB/T 15706-2012, Definition 3.36).
[GB/T 2900.13-2008, Definition 191-04-23]
3.1.7 systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors
Note 1: Corrective maintenance without modification will usually not eliminate the failure cause.
Note 2: A systematic failure can be induced by simulating the failure cause.
Note 3: Examples of causes of systematic failures include human error in
——the safety requirements specification;
——the design, manufacture, installation, operation of the hardware;
——the design, implementation, etc., of the software.
[GB/T 2900.13-2008, Definition 191-04-19]
3.1.8 muting
temporary automatic suspension of a safety function(s) by the SRP/CS
3.1.9 manual reset
function within the SRP/CS used to restore manually one or more safety functions before restarting a machine
3.1.10 harm
physical injury or damage to health
[GB/T 15706-2012, Definition 3.5]
3.1.11 hazard
potential source of harm
Note 1: A hazard can be qualified in order to define its origin (e.g. mechanical hazard, electrical hazard) or the nature of the potential harm (e.g. electric shock hazard, cutting hazard, toxic hazard, fire hazard).
Note 2: The hazard envisaged in this definition:
——either is permanently present during the intended use of the machine (e.g. motion of hazardous moving elements, electric arc during a welding phase, unhealthy posture, noise emission, high temperature);
——or may appear unexpectedly (e.g. explosion, crushing hazard as a consequence of an unintended/unexpected start-up, ejection as a consequence of a breakage, fall as a consequence of acceleration/deceleration).
Note 3: It is derived from GB/T 15706-2012, Definition 3.6.
3.1.12 hazardous situation
circumstance in which a person is exposed to at least one hazard
Note: The exposure can result in harm immediately or over a period of time.
[GB/T 15706-2012, Definition 3.10]
3.1.13 risk
combination of the probability of occurrence of harm and the severity of that harm
[GB/T 15706-2012, Definition 3.12]
3.1.14 residual risk
risk remaining after protective measures have been taken
Note 1: See Figure 2.
Note 2: It is derived from GB/T 15706-2012, Definition 3.13.
3.1.15 risk assessment
overall process comprising risk analysis and risk evaluation
[GB/T 15706-2012, Definition 3.17]
3.1.16 risk analysis
combination of the specification of the limits of the machine, hazard identification and risk estimation
[GB/T 15706-2012, Definition 3.15]
3.1.17 risk evaluation
judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved
[GB/T 15706-2012, Definition 3.16]
3.1.18 intended use of a machine
use of the machine in accordance with the information provided in the instructions for use
[GB/T 15706-2012, Definition 3.23]
3.1.19 reasonably foreseeable misuse
use of a machine in a way not intended by the designer, but which may result from readily predictable human behaviour
[GB/T 15706-2012, Definition 3.24]
3.1.20 safety function
function of the machine whose failure can result in an immediate increase of the risk(s)
[GB/T 15706-2012, Definition 3.30]
3.1.21 monitoring
safety function which ensures that a protective measure is initiated if the ability of a component or an element to perform its function is diminished or if the process conditions are changed in such a way that a decrease of the amount of risk reduction is generated
3.1.22 programmable electronic system; PES
system for control, protection or monitoring dependent for its operation on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, contactors and other output devices
Note: It is derived from IEC 61508-4:1998, Definition 3.3.2.
3.1.23 performance level; PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
Note: See 4.5.1.
3.1.24 required performance level; PLr
performance level (PL) applied in order to achieve the required risk reduction for each safety function
Note: See Figures 2 and A.1.
3.1.25 mean time to dangerous failure; MTTFD
expectation of the mean time to dangerous failure
Note: It is derived from GB 28526-2012, Definition 3.2.34.
3.1.26 diagnostic coverage; DC
measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures
Note 1: Diagnostic coverage can exist for the whole or parts of a safety-related system. For example, diagnostic coverage could exist for sensors and/or logic system and/or final elements.
Note 2: It is derived from IEC 61508-4:1998, 3.8.6.
3.1.27 protective measure
measure intended to achieve risk reduction
Example 1: Implemented by the designer: inherent design, safeguarding and complementary protective measures, information for use.
Example 2: Implemented by the user: organization (safe working procedures, supervision, permit-to-work systems), provision and use of additional safeguards, personal protective equipment, training.
Note: It is derived from GB 15706-2012, 3.19.
3.1.28 mission time; TM
period of time covering the intended use of an SRP/CS
3.1.29 test rate; rt
frequency of automatic tests to detect faults in a SRP/CS, reciprocal value of diagnostic test interval
3.1.30 demand rate; rD
frequency of demands for a safety-related action of the SRP/CS
3.1.31 repair rate; rt
reciprocal value of the period of time between detection of a dangerous failure by either an online test or obvious malfunction of the system and the restart of operation after repair or system/component replacement
Note: The repair time does not include the span of time needed for failure detection.
3.1.32 machine control system
system which responds to input signals from parts of machine elements, operators, external control equipment or any combination of these and generates output signals causing the machine to behave in the intended manner
Note: The machine control system can use any technology or any combination of different technologies (e.g. electrical/electronic, hydraulic, pneumatic, mechanical).
3.1.33 safety integrity level; SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest
[IEC 61508-4:1998, 3.5.6]
3.1.34 limited variability language; LVL
type of language that provides the capability of combining predefined, application-specific library functions to implement the safety requirements specifications
Note 1: Typical examples of LVL (ladder logic, function block diagram) are given in GB/T 15969.3.
Note 2: A typical example of a system using LVL: PLC.
Note 3: It is derived from GB 21109.1-2007, 3.2.81.1.2.
3.1.35 full variability language; FVL
type of language that provides the capability of implementing a wide variety of functions and applications
Example: C, C++, Assembler.
Note 1: A typical example of systems using FVL: embedded systems.
Note 2: In the field of machinery, FVL is found in embedded software and rarely in application software.
Note 3: It is derived from GB 21109.1-2007, 3.2.81.1.3.
3.1.36 application software
software specific to the application, implemented by the machine manufacturer, and generally containing logic sequences, limits and expressions that control the appropriate inputs, outputs, calculations and decisions necessary to meet the SRP/CS requirements
3.1.37 embedded software; firmware; system software
software that is part of the system supplied by the control manufacturer and which is not accessible for modification by the user of the machinery
Note: Embedded software is usually written in FVL.
3.1.38 high demand or continuous mode
mode of operation in which the frequency of demands on a SRP/CS is greater than one per year or the safety related control function retains the machine in a safe state as part of normal operation
Note: It is derived from IEC 62061:2012, 3.2.27.
3.1.39 proven in use
demonstration, based on an analysis of operational experience for a specific configuration of an element, that the likelihood of dangerous systematic faults is low enough so that every safety function that uses the element achieves its required performance level (PLr)
Note: It is revised from GB/T 20438.4-2017, 3.8.18.
Contents of GB/T 16855.1-2018
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
3.2 Symbols and abbreviated terms
4 Design considerations
4.1 Safety objectives in design
4.2 Strategy for risk reduction
4.3 Determination of required performance level (PLr)
4.4 Design of SRP/CS
4.5 Evaluation of the achieved performance level PL and relationship with SIL
4.6 Software safety requirements
4.7 Verification that achieved PL meets PLr
4.8 Ergonomic aspects of design
5 Safety functions
5.1 Specification of safety functions
5.2 Details of safety functions
6 Categories and their relation to MTTFD of each channel, DCavg and CCF
6.1 General
6.2 Specifications of categories
6.3 Combination of SRP/CS to achieve overall PL
7 Fault consideration, fault exclusion
7.1 General
7.2 Fault consideration
7.3 Fault exclusion
8 Validation
9 Maintenance
10 Technical documentation
11 Information for use
Annex A (Informative) Determination of required performance level (PLr)
Annex B (Informative) Block method and safety-related block diagram
Annex C (Informative) Calculating or evaluating MTTFD values for single components
Annex D (Informative) Simplified method for estimating MTTFD for each channel
Annex E (Informative) Estimates for diagnostic coverage (DC) for functions and modules
Annex F (Informative) Estimates for common cause failure (CCF)
Annex G (Informative) Systematic failure
Annex H (Informative) Example of combination of several safety-related parts of the control system
Annex I (Informative) Examples
Annex J (Informative) Software
Annex K (Informative) Numerical representation of Figure
Bibliography
Tel: +86-10-8572 5655 | Fax: +86-10-8581 9515 | Email: coc@codeofchina.com | QQ: 672269886
Copyright: Beijing COC Tech Co., Ltd. 2008-2040