GB/T 20438.6-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems―Part 6:Guidelines on the application of GB/T 20438.2 and GB/T 20438.3 (English Version)
Functional safety of electrical/electronic/programmable electronic safety-related systems―Part 6:Guidelines on the application of GB/T 20438.2 and GB/T 20438.3
1 Scope
1.1 This part of GB/T 20438 contains information and guidelines on GB/T 20438.2 and GB/T 20438.3.
——Annex A gives a brief overview of the requirements of GB/T 20438.2 and GB/T 20438.3 and sets out the functional steps in their application.
——Annex B gives an example technique for calculating the probabilities of hardware failure and shall be read in conjunction with 7.4.3 and Annex C of GB/T 20438.2-2017 and Annex D.
——Annex C gives a worked example of calculating diagnostic coverage and shall be read in conjunction with Annex C of GB/T 20438.2-2017.
——Annex D gives a methodology for quantifying the effect of hardware-related common cause failures on the probability of failure.
——Annex E gives worked examples of the application of the software safety integrity tables specified in Annex A of GB/T 20438.3-2017 for safety integrity levels 2 and 3.
1.2 GB/T 20438.1, GB/T 20438.2, GB/T 20438.3 and GB/T 20438.4 are basic safety publications, although this status does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.3 of GB/T 20438.4-2017). As basic safety publications, they are intended for use by technical committees in the preparation of standards in accordance with the principles contained in IEC Guide 104 and ISO/IEC Guide 51. GB/T 20438.1, GB/T 20438.2, GB/T 20438.3 and GB/T 20438.4 are also intended for use as stand-alone standards. The horizontal safety function of GB/T 20438 does not apply to medical equipment in compliance with the IEC 60601 series.
1.3 One of the responsibilities of a technical committee is, wherever applicable, to make use of basic safety publications in the preparation of its publications. In this context, the requirements, test methods or test conditions of this basic safety publication will not apply unless specifically referred to or included in the publications prepared by those technical committees.
1.4 Figure 1 shows the overall framework of the GB/T 20438 series and indicates the role that this part plays in the achievement of functional safety for E/E/PE safety-related systems.
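The scope above only names what Annex B (probabilities of hardware failure) and Annex C (diagnostic coverage and safe failure fraction) contain. The following is an added worked example, not text or tables from the standard: it carries the kind of calculation those annexes illustrate through for a single sensor channel (1oo1) and a 1oo2 pair, using the simplified equations of Annex B.3.2 of IEC 61508-6:2010 (which GB/T 20438.6-2017 adopts) as recalled by the editor, so verify them against the published text before relying on the numbers. The failure rates, beta factors, the one-year proof test interval and the 8 h MTTR/MRT are constructed inputs chosen to match the conditions of Tables B.3 and B.6.

```python
"""Worked PFDavg / DC / SFF example in the style of Annex B and Annex C of
GB/T 20438.6-2017 (IEC 61508-6).  Added illustration, not part of the
standard.  Equations: simplified Annex B.3.2 formulas as recalled from
IEC 61508-6:2010.  Inputs: constructed for this example."""

from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    """Failure rates in failures per hour, split as the standard does:
    safe, dangerous detected (by diagnostics), dangerous undetected."""
    lam_s: float
    lam_dd: float
    lam_du: float

    @property
    def lam_d(self) -> float:
        return self.lam_dd + self.lam_du


def diagnostic_coverage(e: Element) -> float:
    """DC = lambda_DD / lambda_D (the quantity Annex C works through)."""
    return e.lam_dd / e.lam_d


def safe_failure_fraction(e: Element) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    return (e.lam_s + e.lam_dd) / (e.lam_s + e.lam_dd + e.lam_du)


def t_ce(e: Element, T1: float, MTTR: float, MRT: float) -> float:
    """Channel equivalent mean down time t_CE in hours.  T1: proof test
    interval; MTTR: mean time to restoration of detected failures; MRT:
    mean repair time once a proof test reveals an undetected failure."""
    return (e.lam_du / e.lam_d) * (T1 / 2 + MRT) + (e.lam_dd / e.lam_d) * MTTR


def t_ge(e: Element, T1: float, MTTR: float, MRT: float) -> float:
    """Voted-group equivalent mean down time t_GE for a 1oo2 group."""
    return (e.lam_du / e.lam_d) * (T1 / 3 + MRT) + (e.lam_dd / e.lam_d) * MTTR


def pfd_1oo1(e: Element, T1: float, MTTR: float, MRT: float) -> float:
    """PFDavg of a single channel: lambda_D * t_CE."""
    return e.lam_d * t_ce(e, T1, MTTR, MRT)


def pfd_1oo2_terms(e, T1, MTTR, MRT, beta, beta_d):
    """PFDavg of a 1oo2 group as (independent_term, common_cause_term).
    beta / beta_d are the Annex D beta factors for undetected / detected
    dangerous failures (assumed values here, not derived via Table D.4)."""
    tce = t_ce(e, T1, MTTR, MRT)
    tge = t_ge(e, T1, MTTR, MRT)
    independent = 2 * ((1 - beta_d) * e.lam_dd + (1 - beta) * e.lam_du) ** 2 * tce * tge
    common_cause = beta_d * e.lam_dd * MTTR + beta * e.lam_du * (T1 / 2 + MRT)
    return independent, common_cause


def pfd_1oo2(e, T1, MTTR, MRT, beta, beta_d):
    return sum(pfd_1oo2_terms(e, T1, MTTR, MRT, beta, beta_d))


def sil_band_low_demand(pfd: float):
    """Band of GB/T 20438.1 / IEC 61508-1 Table 2 (low demand mode) that a
    PFDavg falls into; None outside SIL 1..4.  A band is not a SIL claim:
    the Part 2 architectural constraints (HFT, SFF) and the systematic
    requirements must be met as well."""
    for sil, (lo, hi) in ((4, (1e-5, 1e-4)), (3, (1e-4, 1e-3)),
                          (2, (1e-3, 1e-2)), (1, (1e-2, 1e-1))):
        if lo <= pfd < hi:
            return sil
    return None


# Constructed element (not from the standard's tables): 5e-7/h safe,
# 4e-7/h dangerous detected, 1e-7/h dangerous undetected.
SENSOR = Element(lam_s=5e-7, lam_dd=4e-7, lam_du=1e-7)
T1, MTTR, MRT = HOURS_PER_YEAR, 8.0, 8.0   # one-year proof test, 8 h restoration
BETA, BETA_D = 0.10, 0.05                  # assumed, deliberately conservative

if __name__ == "__main__":
    print(f"DC  = {diagnostic_coverage(SENSOR):.2f}")
    print(f"SFF = {safe_failure_fraction(SENSOR):.2f}")
    p1 = pfd_1oo1(SENSOR, T1, MTTR, MRT)
    ind, ccf = pfd_1oo2_terms(SENSOR, T1, MTTR, MRT, BETA, BETA_D)
    print(f"1oo1 PFDavg = {p1:.3e}  (SIL {sil_band_low_demand(p1)} band)")
    print(f"1oo2 PFDavg = {ind + ccf:.3e}  independent {ind:.3e}, CCF {ccf:.3e}"
          f"  (SIL {sil_band_low_demand(ind + ccf)} band)")
```

With these inputs the 1oo1 channel gives DC = 0.80, SFF = 0.90 and PFDavg = 4.42e-4, and the 1oo2 pair gives about 4.43e-5, of which 4.40e-5 is the common cause term. That is the practical lesson behind Annex D: once a channel is duplicated, the beta factor, not the independent failure rate, sets the result, so effort is better spent on diversity and separation than on a third channel. The simplified equations assume a perfect proof test and a small lambda*T1; Table B.9 (non-perfect proof test) and the fault tree, Markov and Petri net material from Figure B.17 onward cover the cases where those assumptions do not hold.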
Contents of GB/T 20438.6-2017
Foreword
Introduction
1 Scope
2 Normative references
3 Definitions and abbreviations
Annex A (Informative) Application of GB/T 20438.2 and GB/T 20438.3
Annex B (Informative) Example of technique for evaluating probabilities of hardware failure
Annex C (Informative) Calculation of diagnostic coverage and safe failure fraction
Annex D (Informative) A methodology for quantifying the effect of hardware-related common cause failures in E/E/PE systems
Annex E (Informative) Example applications of software safety integrity tables of GB/T 20438.3
Bibliography
Figure 1 Overall framework of the GB/T 20438 series
Figure A.1 Application of GB/T 20438.2
Figure A.2 Application of GB/T 20438.2 (Figure A.1 continued)
Figure A.3 Application of GB/T 20438.3
Figure B.1 Reliability block diagram of a whole safety loop
Figure B.2 Example configuration for two sensor channels
Figure B.3 Subsystem structure
Figure B.4 1oo1 physical block diagram
Figure B.5 1oo1 reliability block diagram
Figure B.6 1oo2 physical block diagram
Figure B.7 1oo2 reliability block diagram
Figure B.8 2oo2 physical block diagram
Figure B.9 2oo2 reliability block diagram
Figure B.10 1oo2D physical block diagram
Figure B.11 1oo2D reliability block diagram
Figure B.12 2oo3 physical block diagram
Figure B.13 2oo3 reliability block diagram
Figure B.14 Architecture of an example for low demand mode of operation
Figure B.15 Architecture of an example for high demand or continuous mode of operation
Figure B.16 Reliability block diagram of a simple whole loop with sensors organised into 2oo3 logic
Figure B.17 Simple fault tree equivalent to the reliability block diagram presented on Figure B.1
Figure B.18 Equivalence fault tree/reliability block diagram
Figure B.19 Instantaneous unavailability U(t) of single periodically tested components
Figure B.20 Principle of PFDavg calculations when using fault trees
Figure B.21 Effect of staggering the tests
Figure B.22 Example of complex testing pattern
Figure B.23 Markov graph modelling the behaviour of a two component system
Figure B.24 Principle of the multiphase Markovian modelling
Figure B.25 Saw-tooth curve obtained by multiphase Markovian approach
Figure B.26 Approximated Markovian model
Figure B.27 Impact of failures due to the demand itself
Figure B.28 Modelling of the impact of test duration
Figure B.29 Multiphase Markovian model with both DD and DU failures
Figure B.30 Changing logic (2oo3 to 1oo2) instead of repairing first failure
Figure B.31 "Reliability" Markov graphs with an absorbing state
Figure B.32 "Availability" Markov graphs without absorbing states
Figure B.33 Petri net for modelling a single periodically tested component
Figure B.34 Petri net to model common cause failure and repair resources
Figure B.35 Using reliability block diagrams to build Petri net and auxiliary Petri net for PFD and PFH calculations
Figure B.36 Simple Petri net for a single component with revealed failures and repairs
Figure B.37 Example of functional and dysfunctional modelling with a formal language
Figure B.38 Uncertainty propagation principle
Figure D.1 Relationship of common cause failures to the failures of individual channels
Figure D.2 Implementing shock model with fault trees
Table B.1 Terms and their ranges used in this annex (applies to 1oo1, 1oo2, 2oo2, 1oo2D, 1oo3 and 2oo3)
Table B.2 Average probability of failure on demand for a proof test interval of six months and a mean time to restoration of 8h
Table B.3 Average probability of failure on demand for a proof test interval of one year and mean time to restoration of 8h
Table B.4 Average probability of failure on demand for a proof test interval of two years and a mean time to restoration of 8h
Table B.5 Average probability of failure on demand for a proof test interval of ten years and a mean time to restoration of 8h
Table B.6 Average probability of failure on demand for the sensor subsystem in the example for low demand mode of operation (one year proof test interval and 8h MTTR)
Table B.7 Average probability of failure on demand for the logic subsystem in the example for low demand mode of operation (one year proof test interval and 8h MTTR)
Table B.8 Average probability of failure on demand for the final element subsystem in the example for low demand mode of operation (one year proof test interval and 8h MTTR)
Table B.9 Example for a non-perfect proof test
Table B.10 Average frequency of a dangerous failure (in high demand or continuous mode of operation) for a proof test interval of one month and a mean time to restoration of 8h
Table B.11 Average frequency of a dangerous failure (in high demand or continuous mode of operation) for a proof test interval of three months and a mean time to restoration of 8h
Table B.12 Average frequency of a dangerous failure (in high demand or continuous mode of operation) for a proof test interval of six months and a mean time to restoration of 8h
Table B.13 Average frequency of a dangerous failure (in high demand or continuous mode of operation) for a proof test interval of one year and a mean time to restoration of 8h
Table B.14 Average frequency of a dangerous failure for the sensor subsystem in the example for high demand or continuous mode of operation (six month proof test interval and 8h MTTR)
Table B.15 Average frequency of a dangerous failure for the logic subsystem in the example for high demand or continuous mode of operation (six month proof test interval and 8h MTTR)
Table B.16 Average frequency of a dangerous failure for the final element subsystem in the example for high demand or continuous mode of operation (six month proof test interval and 8h MTTR)
Table C.1 Example calculations for diagnostic coverage and safe failure fraction
Table C.2 Diagnostic coverage and effectiveness for different elements
Table D.1 Scoring programmable electronics or sensors/final elements
Table D.2 Value of Z: programmable electronics
Table D.3 Value of Z: sensors or final elements
Table D.4 Calculation of βint or βDint
Table D.5 Calculation of β for systems with levels of redundancy greater than 1oo2
Table D.6 Example values for programmable electronics
Table E.1 Software safety requirements specification
Table E.2 Software design and development: software architecture design
Table E.3 Software design and development: support tools and programming language
Table E.4 Software design and development: detailed design
Table E.5 Software design and development: software module testing and integration
Table E.6 Programmable electronics integration (hardware and software)
Table E.7 Software aspects of system safety validation
Table E.8 Software modification
Table E.9 Software verification
Table E.10 Functional safety assessment
Table E.11 Software safety requirements specification
Table E.12 Software design and development: software architecture design
Table E.13 Software design and development: support tools and programming language
Table E.14 Software design and development: detailed design
Table E.15 Software design and development: software module testing and integration
Table E.16 Programmable electronics integration (hardware and software)
Table E.17 Software aspects of system safety validation
Table E.18 Modification
Table E.19 Software verification
Table E.20 Functional safety assessment
Standard No.: GB/T 20438.6-2017
Status: valid
Implemented on: 2018-07-01