BSI Standards Publication

Functional safety of electrical/electronic/programmable electronic safety-related systems
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3

BS EN 61508-6:2010

NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

National foreword

This British Standard is the UK implementation of EN 61508-6:2010. It is identical to IEC 61508-6:2010. It supersedes BS EN 61508-6:2002, which is withdrawn.

The UK participation in its preparation was entrusted by Technical Committee GEL/65, Measurement and control, to Subcommittee GEL/65/1, System considerations.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© BSI 2010
ISBN 978 0 580 65448 0
ICS 13.260; 25.040.40; 29.020; 35.020

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 3 June 2010.

EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 61508-6
May 2010

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2010 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61508-6:2010 E

ICS 25.040.40
Supersedes EN 61508-6:2001

English version

Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (IEC 61508-6:2010)

French title: Sécurité fonctionnelle des systèmes électriques/électroniques/électroniques programmables relatifs à la sécurité - Partie 6: Lignes directrices pour l'application de la CEI 61508-2 et de la CEI 61508-3 (CEI 61508-6:2010)

German title: Funktionale Sicherheit sicherheitsbezogener elektrischer/elektronischer/programmierbarer elektronischer Systeme - Teil 6: Anwendungsrichtlinie für IEC 61508-2 und IEC 61508-3 (IEC 61508-6:2010)

This European Standard was approved by CENELEC on 2010-05-01. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

Foreword

The text of document 65A/553/FDIS, future edition 2 of IEC 61508-6, prepared by SC 65A, System aspects, of IEC TC 65, Industrial-process measurement, control and automation, was submitted to the IEC-CENELEC parallel vote and was approved by CENELEC as EN 61508-6 on 2010-05-01.

This European Standard supersedes EN 61508-6:2001.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent rights.

The following dates were fixed:
- latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2011-02-01
- latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2013-05-01

Annex ZA has been added by CENELEC.

Endorsement notice

The text of the International Standard IEC 61508-6:2010 was approved by CENELEC as a European Standard without any modification.

In the official version, for Bibliography, the following notes have to be added for the standards indicated:

[1] IEC 61511 series   NOTE Harmonized in EN 61511 series (not modified).
[2] IEC 62061   NOTE Harmonized as EN 62061.
[3] IEC 61800-5-2   NOTE Harmonized as EN 61800-5-2.
[4] IEC 61078:2006   NOTE Harmonized as EN 61078:2006 (not modified).
[5] IEC 61165:2006   NOTE Harmonized as EN 61165:2006 (not modified).
[16] IEC 61131-3:2003   NOTE Harmonized as EN 61131-3:2003 (not modified).
[18] IEC 61025:2006   NOTE Harmonized as EN 61025:2007 (not modified).
[26] IEC 60601 series   NOTE Harmonized in EN 60601 series (partially modified).
[27] IEC 61508-1:2010   NOTE Harmonized as EN 61508-1:2010 (not modified).
[28] IEC 61508-5:2010   NOTE Harmonized as EN 61508-5:2010 (not modified).
[29] IEC 61508-7:2010   NOTE Harmonized as EN 61508-7:2010 (not modified).

Annex ZA (normative)
Normative references to international publications with their corresponding European publications

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.

Publication / Year / Title / EN/HD / Year:

IEC 61508-2, 2010: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems. Corresponding EN/HD: EN 61508-2, 2010.

IEC 61508-3, 2010: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements. Corresponding EN/HD: EN 61508-3, 2010.

IEC 61508-4, 2010: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations. Corresponding EN/HD: EN 61508-4, 2010.

CONTENTS

INTRODUCTION ..... 8
1 Scope ..... 10
2 Normative references ..... 12
3 Definitions and abbreviations ..... 12
Annex A (informative) Application of IEC 61508-2 and of IEC 61508-3 ..... 13
Annex B (informative) Example of technique for evaluating probabilities of hardware failure ..... 21
Annex C (informative) Calculation of diagnostic coverage and safe failure fraction: worked example ..... 76
Annex D (informative) A methodology for quantifying the effect of hardware-related common cause failures in E/E/PE systems ..... 80
Annex E (informative) Example applications of software safety integrity tables of IEC 61508-3 ..... 95
Bibliography ..... 110

Figure 1 - Overall framework of the IEC 61508 series ..... 11
Figure A.1 - Application of IEC 61508-2 ..... 17
Figure A.2 - Application of IEC 61508-2 (Figure A.1 continued) ..... 18
Figure A.3 - Application of IEC 61508-3 ..... 20
Figure B.1 - Reliability block diagram of a whole safety loop ..... 22
Figure B.2 - Example configuration for two sensor channels ..... 26
Figure B.3 - Subsystem structure ..... 29
Figure B.4 - 1oo1 physical block diagram ..... 30
Figure B.5 - 1oo1 reliability block diagram ..... 31
Figure B.6 - 1oo2 physical block diagram ..... 32
Figure B.7 - 1oo2 reliability block diagram ..... 32
Figure B.8 - 2oo2 physical block diagram ..... 33
Figure B.9 - 2oo2 reliability block diagram ..... 33
Figure B.10 - 1oo2D physical block diagram ..... 33
Figure B.11 - 1oo2D reliability block diagram ..... 34
Figure B.12 - 2oo3 physical block diagram ..... 34
Figure B.13 - 2oo3 reliability block diagram ..... 35
Figure B.14 - Architecture of an example for low demand mode of operation ..... 40
Figure B.15 - Architecture of an example for high demand or continuous mode of operation ..... 49
Figure B.16 - Reliability block diagram of a simple whole loop with sensors organised into 2oo3 logic ..... 51
Figure B.17 - Simple fault tree equivalent to the reliability block diagram presented in Figure B.1 ..... 52
Figure B.18 - Equivalence fault tree / reliability block diagram ..... 52
Figure B.19 - Instantaneous unavailability U(t) of single periodically tested components ..... 54
Figure B.20 - Principle of PFDavg calculations when using fault trees ..... 55
Figure B.21 - Effect of staggering the tests ..... 56
Figure B.22 - Example of complex testing pattern ..... 56
Figure B.23 - Markov graph modelling the behaviour of a two-component system ..... 58
Figure B.24 - Principle of the multiphase Markovian modelling ..... 59
Figure B.25 - Saw-tooth curve obtained by multiphase Markovian approach ..... 60
Figure B.26 - Approximated Markovian model ..... 60
Figure B.27 - Impact of failures due to the demand itself ..... 61
Figure B.28 - Modelling of the impact of test duration ..... 61
Figure B.29 - Multiphase Markovian model with both DD and DU failures ..... 62
Figure B.30 - Changing logic (2oo3 to 1oo2) instead of repairing first failure ..... 63
Figure B.31 - "Reliability" Markov graphs with an absorbing state ..... 63
Figure B.32 - "Availability" Markov graphs without absorbing states ..... 65
Figure B.33 - Petri net for modelling a single periodically tested component ..... 66
Figure B.34 - Petri net to model common cause failure and repair resources ..... 69
Figure B.35 - Using reliability block diagrams to build Petri net and auxiliary Petri net for PFD and PFH calculations ..... 70
Figure B.36 - Simple Petri net for a single component with revealed failures and repairs ..... 71
Figure B.37 - Example of functional and dysfunctional modelling with a formal language ..... 72
Figure B.38 - Uncertainty propagation principle ..... 73
Figure D.1 - Relationship of common cause failures to the failures of individual channels ..... 82
Figure D.2 - Implementing shock model with fault trees ..... 93

Table B.1 - Terms and their ranges used in this annex (applies to 1oo1, 1oo2, 2oo2, 1oo2D, 1oo3 and 2oo3) ..... 27
Table B.2 - Average probability of failure on demand for a proof test interval of six months and a mean time to restoration of 8 h ..... 36
Table B.3 - Average probability of failure on demand for a proof test interval of one year and a mean time to restoration of 8 h ..... 37
Table B.4 - Average probability of failure on demand for a proof test interval of two years and a mean time to restoration of 8 h ..... 38
Table B.5 - Average probability of failure on demand for a proof test interval of ten years and a mean time to restoration of 8 h ..... 39
Table B.6 - Average probability of failure on demand for the sensor subsystem in the example for low demand mode of operation (one year proof test interval and 8 h MTTR) ..... 40
Table B.7 - Average probability of failure on demand for the logic subsystem in the example for low demand mode of operation (one year proof test interval and 8 h MTTR) ..... 41
Table B.8 - Average probability of failure on demand for the final element subsystem in the example for low demand mode of operation (one year proof test interval and 8 h MTTR) ..... 41
Table B.9 - Example for a non-perfect proof test ..... 42
Table B.10 - Average frequency of a dangerous failure (in high demand or continuous mode of operation) for a proof test interval of one month and a mean time to restoration of 8 h ..... 45
Table B.11 - Average frequency of a dangerous failure (in high demand or continuous mode of operation) for a proof test interval of three months and a mean time to restoration of 8 h ..... 46
Table B.12 - Average frequency of a dangerous failure (in high demand or continuous mode of operation) for a proof test interval of six months and a mean time to restoration of 8 h
Table B.13 - Average frequency of a dangerous failure (in high demand or continuous mode of operation) for a proof test interval of one year and a mean time to restoration of 8 h
Table B.14 - Average frequency of a dangerous failure for the sensor subsystem in the example for high demand or continuous mode of operation (six month proof test interval and 8 h MTTR) ..... 49
Table B.15 - Average frequency of a dangerous failure for the logic subsystem in the example for high demand or continuous mode of operation (six month proof test interval and 8 h MTTR) ..... 50
Table B.16 - Average frequency of a dangerous failure for the final element subsystem in the example for high demand or continuous mode of operation (six month proof test interval and 8 h MTTR) ..... 50
Table C.1 - Example calculations for diagnostic coverage and safe failure fraction ..... 78
Table C.2 - Diagnostic coverage and effectiveness for different elements ..... 79
Table D.1 - Scoring programmable electronics or sensors/final elements ..... 88
Table D.2 - Value of Z: programmable electronics ..... 89
Table D.3 - Value of Z: sensors or final elements ..... 89
Table D.4 - Calculation of βint or βD int ..... 90
Table D.5 - Calculation of β for systems with levels of redundancy greater than 1oo2 ..... 91
Table D.6 - Example values for programmable electronics ..... 92
Table E.1 - Software safety requirements specification ..... 96
Table E.2 - Software design and development: software architecture design ..... 97
Table E.3 - Software design and development: support tools and programming language ..... 98
Table E.4 - Software design and development: detailed design ..... 99
Table E.5 - Software design and development: software module testing and integration ..... 100
Table E.6 - Programmable electronics integration (hardware and software) ..... 100
Table E.7 - Software aspects of system safety validation ..... 101
Table E.8 - Modification ..... 101
Table E.9 - Software verification ..... 102
Table E.10 - Functional safety assessment ..... 102
Table E.11 - Software safety requirements specification ..... 104
Table E.12 - Software design and development: software architecture design ..... 104
Table E.13 - Software design and development: support tools and programming language ..... 105
Table E.14 - Software design and development: detailed design ..... 106
Table E.15 - Software design and development: software module testing and integration ..... 106
Table E.16 - Programmable electronics integration (hardware and software) ..... 107
Table E.17 - Software aspects of system safety validation ..... 108
Table E.18 - Modification ..... 108
Table E.19 - Software verification ..... 109
Table E.20 - Functional safety assessment ..... 109

INTRODUCTION

Systems comprised of electrical and/or electronic elements have been used for many years to perform safety functions in most application sectors. Computer-based systems (generically referred to as programmable electronic systems) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety functions. If computer system technology is to be effectively and