Detail of GB/T 20438.2-2017

Introduction of GB/T 20438.2-2017

Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative. GB/T 20438 consists of seven parts under the general title of Functional safety of electrical/electronic/programmable electronic safety-related systems: ——Part 1: General requirements; ——Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems; ——Part 3: Software requirements; ——Part 4: Definitions and abbreviations; ——Part 5: Examples of methods for the determination of safety integrity levels; ——Part 6: Guidelines on the application of GB/T 20438.2 and GB/T 20438.3; ——Part 7: Overview of techniques and measures. This is Part 2 of GB/T 20438. This part is developed in accordance with the rules given in GB/T 1.1-2009. This part replaces GB/T 20438.2-2006 Functional safety of electrical/ electronic/ programmable electronic safety-related systems - Part 2: Requirements for electrical/ electronic/ programmable electronic safety-related systems and the following main technical changes have been made with respect to GB/T 20438.2-2006: ——ASIC development lifecycle is added (see Figure 3); ——Safety manual for compliant items is added (see Annex D). This part, by means of translation, is identical to IEC 61508-2:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems. This part was proposed by the China Machinery Industry Federation. This part is under the jurisdiction of SAC/TC 124 National Technical Committee on Industrial Process Measurement and Control of Standardization Administration of China. The previous edition of this part is as follow: ——GB/T 20438.2-2006. Introduction Systems comprised of electrical and/or electronic elements have been used for many years to perform safety functions in most application sectors. Computer-based systems (generically referred to as programmable electronic systems) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety functions. If computer system technology is to be effectively and safely exploited, it is essential that those responsible for making decisions have sufficient guidance on the safety aspects on which to make these decisions. GB/T 20438 sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic (E/E/PE) elements that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy be developed for all electrically-based safety-related systems. A major objective is to facilitate the development of product and application sector standards based on the GB/T 20438 series. Note 1: Examples of product and application sector standards based on the GB/T 20438 series are given in the Bibliography (see references [1], [2] and [3]). In most situations, safety is achieved by a number of systems which rely on many technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy must therefore consider not only all the elements within an individual system (for example sensors, controlling devices and actuators) but also all the safety-related systems making up the total combination of safety-related systems. Therefore, while GB/T 20438 is concerned with E/E/PE safety-related systems, it may also provide a framework within which safety-related systems based on other technologies may be considered. It is recognized that there is a great variety of applications using E/E/PE safety-related systems in a variety of application sectors and covering a wide range of complexity, hazard and risk potentials. In any particular application, the required safety measures will be dependent on many factors specific to the application. GB/T 20438, by being generic, will enable such measures to be formulated in future product and application sector standards and in revisions of those that already exist. GB/T 20438 ——considers all relevant overall, E/E/PE system and software safety lifecycle phases (for example, from initial concept, thorough design, implementation, operation and maintenance to decommissioning) when E/E/PE systems are used to perform safety functions; ——has been conceived with a rapidly developing technology in mind; the framework is sufficiently robust and comprehensive to cater for future developments; ——enables product and application sector standards, dealing with E/E/PE safety-related systems, to be developed; the development of product and application sector standards, within the framework of GB/T 20438, should lead to a high level of consistency (for example, of underlying principles, terminology etc.) both within application sectors and across application sectors; this will have both safety and economic benefits; ——provides a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems; ——adopts a risk-based approach by which the safety integrity requirements can be determined; ——introduces safety integrity levels for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems; Note 2: GB/T 20438 does not specify the safety integrity level requirements for any safety function, nor does it mandate how the safety integrity level is determined. Instead it provides a risk-based conceptual framework and example techniques. ——sets target failure measures for safety functions carried out by E/E/PE safety-related systems, which are linked to the safety integrity levels; ——sets a lower limit on the target failure measures for a safety function carried out by a single E/E/PE safety-related system. For E/E/PE safety-related systems operating in ——a low demand mode of operation, the lower limit is set at an average probability of a dangerous failure on demand of 10-5; ——a high demand or a continuous mode of operation, the lower limit is set at an average frequency of a dangerous failure of 10-9/h; Note 3: A single E/E/PE safety-related system does not necessarily mean a single-channel architecture. Note 4: It may be possible to achieve designs of safety-related systems with lower values for the target safety integrity for non-complex systems, but these limits are considered to represent what can be achieved for relatively complex systems (for example programmable electronic safety-related systems) at the present time. ——sets requirements for the avoidance and control of systematic faults, which are based on experience and judgement from practical experience gained in industry. Even though the probability of occurrence of systematic failures cannot in general be quantified GB/T 20438 does, however, allow a claim to be made, for a specified safety function, that the target failure measure associated with the safety function can be considered to be achieved if all the requirements in the standard have been met; ——introduces systematic capability which applies to an element with respect to its confidence that the systematic safety integrity meets the requirements of the specified safety integrity level; ——adopts a broad range of principles, techniques and measures to achieve functional safety for E/E/PE safety-related systems, but does not explicitly use the concept of fail safe. However, the concepts of “fail safe” and “inherently safe” principles may be applicable and adoption of such concepts is acceptable providing the requirements of the relevant clauses in the standard are met. Functional safety of electrical/ electronic/ programmable electronic safety-related systems - Part 2: Requirements for electrical/ electronic/ programmable electronic safety-related systems 1 Scope 1.1 This part of the GB/T 20438 series a) is intended to be used only after a thorough understanding of GB/T 20438.1, which provides the overall framework for the achievement of functional safety; b) applies to any safety-related system, as defined by GB/T 20438.1, that contains at least one electrical, electronic or programmable electronic element; c) applies to all elements within an E/E/PE safety-related system (including sensors, actuators and the operator interface); d) specifies how to refine the E/E/PE system safety requirements specification, developed in accordance with GB/T 20438.1 (comprising the E/E/PE system safety functions requirements specification and the E/E/PE system safety integrity requirements specification), into the E/E/PE system design requirements specification; e) specifies the requirements for activities that are to be applied during the design and manufacture of the E/E/PE safety-related systems (i.e. establishes the E/E/PE system safety lifecycle model) except software, which is dealt with in GB/T 20438.3 (see Figures 2 to 4). These requirements include the application of techniques and measures that are graded against the safety integrity level, for the avoidance of, and control of, faults and failures; f) specifies the information necessary for carrying out the installation, commissioning and final safety validation of the E/E/PE safety-related systems; g) does not apply to the operation and maintenance phase of the E/E/PE safety-related systems - this is dealt with in GB/T 20438.1. However, this part does provide requirements for the preparation of information and procedures needed by the user for the operation and maintenance of the E/E/PE safety-related systems; h) specifies requirements to be met by the organisation carrying out any modification of the E/E/PE safety-related systems; Note 1: This part is mainly directed at suppliers and/or in-company engineering departments, hence the inclusion of requirements for modification. Note 2: The relationship between this part and GB/T 20438.3 is illustrated in Figure 4. i) does not apply for medical equipment in compliance with the IEC 60601 series. 1.2 GB/T 20438.1, GB/T 20438.2, GB/T 20438.3 and GB/T 20438.4 are basic safety publications, although this status does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.3 of GB/T 20438.4-2017). As basic safety publications, they are intended for use by technical committees in the preparation of standards in accordance with the principles contained in IEC Guide 104 and ISO/IEC Guide 51. GB/T 20438.1, GB/T 20438.2, GB/T 20438.3 and GB/T 20438.4 are also intended for use as stand-alone standards. The horizontal safety function of GB/T 20438 does not apply to medical equipment in compliance with the IEC 60601 series. 1.3 One of the responsibilities of a technical committee is, wherever applicable, to make use of basic safety publications in the preparation of its publications. In this context, the requirements, test methods or test conditions of this basic safety publication will not apply unless specifically referred to or included in the publications prepared by those technical committees. Note: The functional safety of an E/E/PE safety-related system can only be achieved when all related requirements are met. Therefore, it is important that all related requirements are carefully considered and adequately referenced. 1.4 Figure 1 shows the overall framework of the GB/T 20438 series and indicates the role that this part plays in the achievement of functional safety for E/E/PE safety-related systems. Annex A of GB/T 20438.6-2017 describes the application of GB/T 20438.2 and GB/T 20438.3. Figure 1 Overall framework of the GB/T 20438 series   2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. GB/T 20438.1-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements (IEC 61508-1:2010, IDT) GB/T 20438.3-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements (IEC 61508-3:2010, IDT) GB/T 20438.4-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations (IEC 61508-4:2010, IDT) GB/T 20438.7-2017 Functional safety of electrical/electronic/programmable electronic safety related systems - Part 7: Overview of techniques and measures (IEC 61508-7:2010, IDT) IEC 60947-5-1 Low-voltage switchgear and controlgear - Part 5-1: Control circuit devices and switching elements - Electromechanical control circuit devices IEC/TS 61000-1-2 Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena IEC 61326-3-1 Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - General industrial applications IEC 61784-3 Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions IEC 62280-1 Railway applications - Communication, signalling and processing systems - Part 1: Safety-related communication in closed transmission systems IEC 62280-2 Railway applications - Communication, signalling and processing systems - Part 2: Safety-related communication in open transmission systems IEC Guide 104:1997 The preparation of safety publications and the use of basic safety publications and group safety publications ISO/IEC Guide 51:1999 Safety aspects - Guidelines for their inclusion in standards EN 50205 Relays with forcibly guided (mechanically linked) contacts 3 Definitions and abbreviations For the purposes of this document, the definitions and abbreviations given in GB/T 20438.4-2017 apply. 4 Conformance to GB/T 20438 The requirements for conformance to GB/T 20438 are as detailed in Clause 4 of GB/T 20438.1-2017. 5 Documentation The requirements for documentation are as detailed in Clause 5 of GB/T 20438.1-2017. 6 Management of functional safety The requirements for management of functional safety are as detailed in Clause 6 of GB/T 20438.1-2017. 7 E/E/PE system safety lifecycle requirements 7.1 General 7.1.1 Objectives and requirements - general 7.1.1.1 This subclause sets out the objectives and requirements for the E/E/PE system safety lifecycle phases. Note: The objectives and requirements for the overall safety lifecycle, together with a general introduction to the structure of the standard, are given in GB/T 20438.1. 7.1.1.2 For all phases of the E/E/PE system safety lifecycle, Table 1 indicates: ——the objectives to be achieved; ——the scope of the phase; ——a reference to the subclause containing the requirements; ——the required inputs to the phase; ——the outputs required to comply with the subclause.   7.1.2 Objectives 7.1.2.1 The first objective of the requirements of this subclause is to structure, in a systematic manner, the phases in the E/E/PE system safety lifecycle that shall be considered in order to achieve the required functional safety of the E/E/PE safety-related systems. 7.1.2.2 The second objective of the requirements of this subclause is to document all information relevant to the functional safety of the E/E/PE safety-related systems throughout the E/E/PE system safety lifecycle. 7.1.3 Requirements 7.1.3.1 The E/E/PE system safety lifecycle that shall be used in claiming conformance with GB/T 20438 is that specified in Figure 2. A detailed V-model of the ASIC development lifecycle for the design of ASICs (see GB/T 20438.4-2017, 3.2.15) is shown in Figure 3. If another E/E/PE system safety lifecycle or ASIC development lifecycle is used, it shall be specified as part of the management of functional safety activities (see Clause 6 of GB/T 20438.1-2017), and all the objectives and requirements of each subclause of GB/T 20438.2 shall be met. Note 1: The relationship between and scope for GB/T 20438.2 and GB/T 20438.3 are shown in Figure 4. Note 2: There are significant similarities between the ASIC and the software design processes. GB/T 20438.3 recommends the V-model for designing safety-related software. The V-model requires a clearly structured design process and a modular software structure for avoiding and controlling systematic faults. The ASIC development lifecycle for the design of ASICs in Figure 3 follows this model. At first the requirements for the ASIC specification are derived from the system requirements. ASIC architecture, ASIC design and module design follow. The results of each step on the left-hand side of the V become the input to the next step, and are also fed back to the preceding step for iteration where appropriate, until the final code is created. This code is verified against the corresponding design through post-layout simulation, module testing, module integration testing and verification of the complete ASIC. The results of any step may necessitate a revision to any of the preceding steps. Finally, the ASIC is validated after its integration into the E/E/PE safety-related system. 7.1.3.2 The procedures for management of functional safety (see Clause 6 of GB/T 20438.1-2017) shall run in parallel with the E/E/PE system safety lifecycle phases. 7.1.3.3 Each phase of the E/E/PE system safety lifecycle shall be divided into elementary activities, with the scope, inputs and outputs specified for each phase (see Table 1). 7.1.3.4 Unless justified as part of the management of functional safety activities (see Clause 6 of GB/T 20438.1-2017), the outputs of each phase of the E/E/PE system safety lifecycle shall be documented (see Clause 5 of GB/T 20438.1-2017). 7.1.3.5 The outputs for each E/E/PE system safety lifecycle phase shall meet the objectives and requirements specified for each phase (see 7.2 to 7.9). Note 1: See also GB/T 20438.6-2017, A.2b). Note 2: This figure shows only those phases of the E/E/PE system safety lifecycle that are within the realisation phase of the overall safety lifecycle. The complete E/E/PE system safety lifecycle will also contain instances, specific to the E/E/PE safety-related system, of the subsequent phases of the overall safety lifecycle (Boxes 12 to 16 in Figure 2 of GB/T 20438.1-2017). Figure 2 E/E/PE system safety lifecycle (in realisation phase) Figure 3 ASIC development lifecycle (the V-Model) Figure 4 Relationship between and scope of GB/T 20438.2 and GB/T 20438.3 Table 1 Overview – realisation phase of the E/E/PE system safety lifecycle Safety lifecycle phase or activity Objectives Scope Requirements subclause Inputs Outputs Figure 2 box number Title 10.1 E/E/PE system design requirements specification To specify the design requirements for each E/E/PE safety-related system, in terms of the subsystems and elements (see 7.10.2 of GB/T 20438.1-2017) E/E/PE safety-related system 7.2.2 E/E/PE system safety requirements specification (see GB/T 20438.1-XXXX, 7.10) E/E/PE system design requirements specification, describing the equipment and architectures for the E/E/PE system 10.2 E/E/PE system safety validation planning To plan the validation of the safety of the E/E/PE safety-related system E/E/PE safety-related system 7.3.2 E/E/PE system safety requirements specification and E/E/PE system design requirements specification Plan for the safety validation of the E/E/PE safety-related systems 10.3 E/E/PE system design & development including ASICs & software (see Figure 3 & also GB/T 20438.3) To design and develop the E/E/PE safety-related system (including ASICs if appropriate) to meet the E/E/PE system design requirements specification (with respect to the safety functions requirements and the safety integrity requirements (see 7.2)) E/E/PE safety-related system 7.4.2 ~ 7.4.11 E/E/PE system design requirements specification Design of the E/E/PE safety related systems in conformance with the E/E/PE system design requirements specification; plan for the E/E/PE system integration test; PE system architectural information as an input to the software requirements specification 10.4 E/E/PE system integration To integrate and test the E/E/PE safety-related system E/E/PE safety-related system 7.5.2 E/E/PE system design; E/E/PE system integration test plan; programmable electronics hardware and software Fully functioning E/E/PE safety-related systems in conformance with the E/E/PE system design; results of E/E/PE system integration tests 10.5 E/E/PE system installation, commissioning, operation & maintenance procedures To develop procedures to ensure that the required functional safety of the E/E/PE safety-related system is maintained during operation and maintenance E/E/PE safety-related system; EUC 7.6.2 E/E/PE system design requirements specification; E/E/PE system design E/E/PE system installation, commissioning, operation and maintenance procedures for each individual E/E/PE system 10.6 E/E/PE system safety validation To validate that the E/E/PE safety-related system meets, in all respects, the requirements for safety in terms of the required safety functions and safety integrity E/E/PE safety-related system 7.7.2 E/E/PE system safety requirements specification and E/E/PE system design requirements specification; plan for the safety validation of the E/E/PE safety-related systems Fully safety validated E/E/PE safety-related systems; results of E/E/PE system safety validation - E/E/PE system modification To make corrections, enhancements or adaptations to the E/E/PE safety-related system, ensuring that the required safety integrity is achieved and maintained E/E/PE safety-related system 7.8.2 E/E/PE system design requirements specification Results of E/E/PE system modification - E/E/PE system verification To test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase E/E/PE safety-related system 7.9.2 As above - depends on the phase; plan for the verification of the E/E/PE safety-related systems for each phase As above - depends on the phase; results of the verification of the E/E/PE safety-related systems for each phase - E/E/PE system functional safety assessment To investigate and arrive at a judgement on the functional safety achieved by the E/E/PE safety-related system E/E/PE safety-related system 8 Plan for E/E/PE system functional safety assessment Results of E/E/PE system functional safety assessment 7.2 E/E/PE system design requirements specification Note: This phase is Box 10.1 of Figure 2. 7.2.1 Objective The objective of the requirements of this subclause is to specify the design requirements for each E/E/PE safety-related system, in terms of the subsystems and elements. Note: The E/E/PE system design requirements specification is normally derived from the E/E/PE system safety requirements specification by decomposing the safety functions and allocating parts of the safety function to subsystems (for example groups of sensors, logic solvers or actuators). The requirements for the subsystems may be included in the E/E/PE system design requirements specification or may be separate and referenced from the E/E/PE system design requirements specification. Subsystems may be further decomposed into elements and architectures to satisfy the design and development requirements of 7.4. The requirements for these elements may be included in the requirements for the subsystems or may be separate and referenced from the subsystem requirements. 7.2.2 General 7.2.2.1 The specification of the E/E/PE system design requirements shall be derived from the E/E/PE system safety requirements, specified in 7.10 of GB/T 20438.1-2017. Note: Caution should be exercised if non-safety functions and safety functions are implemented in the same E/E/PE safety-related system. While this is allowed in the standard, it may lead to greater complexity and increase the difficulty in carrying out E/E/PE safety lifecycle activities (for example design, validation, functional safety assessment and maintenance). See also 7.4.2.3. 7.2.2.2 The specification of the E/E/PE system design requirements shall be expressed and structured in such a way that they are: a) clear, precise, unambiguous, verifiable, testable, maintainable and feasible; b) written to aid comprehension by those who are likely to utilise the information at any phase of the E/E/PE safety lifecycle; c) traceable to the E/E/PE system safety requirements specification. 7.2.3 E/E/PE system design requirements specification 7.2.3.1 The specification of the E/E/PE system design requirements shall contain design requirements relating to safety functions (see 7.2.3.2) and design requirements relating to safety integrity (see 7.2.3.3). 7.2.3.2 The specification of the E/E/PE system design requirements shall contain details of all the hardware and software necessary to implement the required safety functions, as specified by the E/E/PE system safety functions requirements specification (see 7.10.2.6 of GB/T 20438.1-2017). The specification shall include, for each safety function: a) requirements for the subsystems and requirements for their hardware and software elements as appropriate; b) requirements for the integration of the subsystems and their hardware and software elements to meet the E/E/PE system safety functions requirements specification; c) throughput performance that enables response time requirements to be met; d) accuracy and stability requirements for measurements and controls; e) E/E/PE safety-related system and operator interfaces; f) interfaces between the E/E/PE safety-related systems and any other systems (either within, or outside, the EUC); g) all modes of behaviour of the E/E/PE safety-related systems, in particular, failure behaviour and the required response (for example alarms, automatic shut-down) of the E/E/PE safety-related systems; h) the significance of all hardware/software interactions and, where relevant, any required constraints between the hardware and the software; Note: Where these interactions are not known before finishing the design, only general constraints can be stated. i) any limiting and constraint conditions for the E/E/PE safety-related systems and their associated elements, for example timing constraints or constraints due to the possibility of common cause failures; j) any specific requirements related to the procedures for starting-up and restarting the E/E/PE safety-related systems. 7.2.3.3 The specification of the E/E/PE system design requirements shall contain details, relevant to the design, to achieve the safety integrity level and the required target failure measure for the safety function, as specified by the E/E/PE system safety integrity requirements specification (see 7.10.2.7 of GB/T 20438.1-2017), including: a) the architecture of each subsystem required to meet the architectural constraints on the hardware safety integrity (see 7.4.4); b) all relevant reliability modelling parameters such as the required proof testing frequency of all hardware elements necessary to achieve the target failure measure; Note 1: Information on the specific application cannot be understated (see 7.10.2.1 of GB/T 20438.1-2017). This is particularly important for maintenance, where the specified proof test interval should not be less than can be reasonably expected for the particular application. For example, the time between services that can be realistically attained for mass-produced items used by the public is likely to be greater than in a more controlled application. c) the actions taken in the event of a dangerous failure being detected by diagnostics; d) the requirements, constraints, functions and facilities to enable the proof testing of the E/E/PE hardware to be undertaken; e) the capabilities of equipment used to meet the extremes of all environmental conditions (e.g. temperature, humidity, mechanical, electrical) that are specified as required during the E/E/PE system safety lifecycle including manufacture, storage, transport, testing, installation, commissioning, operation and maintenance; f) the electromagnetic immunity levels that are required (see IEC/TS 61000-1-2:2008); Note 2: The required immunity levels may vary for different elements of the safety-related system, depending on physical location and power supply arrangements. Note 3: Guidance may be found in EMC product standards, but it is important to recognise that higher immunity levels, or additional immunity requirements, than those specified in such standards may be necessary for particular locations or when the equipment is intended for use in harsher, or different, electromagnetic environments. g) the quality assurance/quality control measures necessary to safety management (see 6.2.5 of GB/T 20438.1-2017); 7.2.3.4 The E/E/PE system design requirements specification shall be completed in detail as the design progresses and updated as necessary after modification. 7.2.3.5 For the avoidance of mistakes during the development of the specification for the E/E/PE system design requirements, an appropriate group of techniques and measures according to Table B.1 shall be used. 7.2.3.6 The implications imposed on the architecture by the E/E/PE system design requirements shall be considered. Note: This should include the consideration of the simplicity of the implementation to achieve the required safety integrity level (including architectural considerations and apportionment of functionality to configuration data or to the embedded system). 7.3 E/E/PE system safety validation planning Note: This phase is Box 10.2 of Figure 2. It will normally be carried out in parallel with E/E/PE system design and development (see 7.4). 7.3.1 Objective The objective of the requirements of this subclause is to plan the validation of the safety of the E/E/PE safety-related system. 7.3.2 Requirements 7.3.2.1 Planning shall be carried out to specify the steps (both procedural and technical) that are to be used to demonstrate that the E/E/PE safety-related system satisfies the E/E/PE system safety requirements specification (see 7.10 of GB/T 20438.1-2017) and the E/E/PE system design requirements specification (see 7.2).

Contents of GB/T 20438.2-2017

Foreword i Introduction ii 1 Scope 2 Normative references 3 Definitions and abbreviations 4 Conformance to GB/T 5 Documentation 6 Management of functional safety 7 E/E/PE system safety lifecycle requirements 7.1 General 7.2 E/E/PE system design requirements specification 7.3 E/E/PE system safety validation planning 7.4 E/E/PE system design and development 7.5 E/E/PE system integration 7.6 E/E/PE system operation and maintenance procedures 7.7 E/E/PE system safety validation 7.8 E/E/PE system modification 7.9 E/E/PE system verification 8 Functional safety assessment Annex A (Normative) Techniques and measures for E/E/PE safety-related systems – control of failures during operation Annex B (Normative) Techniques and measures for E/E/PE safety-related systems - avoidance of systematic failures during the different phases of the lifecycle Annex C (Normative) Diagnostic coverage and safe failure fraction Annex D (Normative) Safety manual for compliant items Annex E (Normative) Special architecture requirements for integrated circuits (ICs) with on-chip redundancy Annex F (Informative) Techniques and measures for ASICs – avoidance of systematic failures Bibliography Figure 1 Overall framework of the GB/T 20438 series Figure 2 E/E/PE system safety lifecycle (in realisation phase) Figure 3 ASIC development lifecycle (the V-Model) Figure 4 Relationship between and scope of GB/T 20438.2 and GB/T Figure 5 Determination of the maximum SIL for specified architecture (E/E/PE safety-related subsystem comprising a number of series elements, see 7.4.4.2.3) Figure 6 Determination of the maximum SIL for specified architecture (E/E/PE safety-related subsystem comprised of two subsystems X & Y, see 7.4.4.2.4) Figure 7 Architectures for data communication Table 1 Overview – realisation phase of the E/E/PE system safety lifecycle Table 2 Maximum allowable safety integrity level for a safety function carried out by a type A safety-related element or subsystem Table 3 Maximum allowable safety integrity level for a safety function carried out by a type B safety-related element or subsystem Table A.1 Faults or failures to be assumed when quantifying the effect of random hardware failures or to be taken into account in the derivation of safe failure fraction Table A.2 Electrical components Table A.3 Electronic components Table A.4 Processing units Table A.5 Invariable memory ranges Table A.6 Variable memory ranges Table A.7 I/O units and interface (external communication) Table A.8 Data paths (internal communication) Table A.9 Power supply Table A.10 Program sequence (watch-dog) Table A.11 Clock Table A.12 Communication and mass storage Table A.13 Sensors Table A.14 Final elements (actuators) Table A.15 Techniques and measures to control systematic failures caused by hardware design Table A.16 Techniques and measures to control systematic failures caused by environmental stress or influences Table A.17 Techniques and measures to control systematic operational failures Table A.18 Effectiveness of techniques and measures to control systematic failures Table B.1 Techniques and measures to avoid mistakes during specification of E/E/PE system design requirements (see 7.2) Table B.2 Techniques and measures to avoid introducing faults during E/E/PE system design and development (see 7.4) Table B.3 Techniques and measures to avoid faults during E/E/PE system integration (see 7.5) Table B.4 Techniques and measures to avoid faults and failures during E/E/PE system operation and maintenance procedures (see 7.6) Table B.5 Techniques and measures to avoid faults during E/E/PE system safety validation (see 7.7) Table B.6 Effectiveness of techniques and measures to avoid systematic failures Table E.1 Techniques and measures that increase βB-IC Table E.2 Techniques and measures that decrease βB-IC Table F.1 Techniques and measures to avoid introducing faults during ASIC’s design and development – full and semi-custom digital ASICs (see 7.4.6.7) Table F.2 Techniques and measures to avoid introducing faults during ASIC design and development: User programmable ICs (FPGA/PLD/CPLD) (see 7.4.6.7)