Introduction to IEC 61131-6 Functional Safety

Scope

This Part of the IEC 61131 series specifies requirements for programmable controllers (PLCs) and their associated peripherals, as defined in Part 1, which are intended to be used as the logic subsystem of an electrical/electronic/programmable electronic (E/E/PE) safety-related system. A programmable controller and its associated peripherals complying with the requirements of this part is considered suitable for use in an E/E/PE safety-related system and is identified as a functional safety programmable logic controller (FS-PLC). An FS-PLC is generally a hardware (HW) / software (SW) subsystem. An FS-PLC may also include software elements, for example predefined function blocks.

An E/E/PE safety-related system generally consists of sensors, actuators, software and a logic subsystem. This part is a product specific implementation of the requirements of the IEC 61508 series and conformity to this part fulfils all of the applicable requirements of the IEC 61508 series related to FS-PLCs. While the IEC 61508 series is a system standard, this part provides product specific requirements for the application of the principles of the IEC 61508 series to FS-PLC.

This Part of the IEC 61131 series addresses only the functional safety and safety integrity requirements of an FS-PLC when used as part of an E/E/PE safety-related system. The definition of the functional safety requirements of the overall E/E/PE safety-related system and the functional safety requirements of the ultimate application of the E/E/PE safety-related system are outside the scope of this part, but they are inputs for this part. For application specific information the reader is referred to standards such as the IEC 61511 series, IEC 62061, and the ISO 13849 series.

This part does not cover general safety requirements for an FS-PLC such as requirements related to electric shock and fire hazards specified in IEC 61131-2.

This part applies to an FS-PLC with a Safety Integrity Level (SIL) capability not greater than SIL 3.

The objectives of this part are:
• to establish and describe the safety life-cycle elements of an FS-PLC, in harmony with the general safety life-cycle identified in IEC 61508-1, -2 and -3;
• to establish and describe the requirements for FS-PLC HW and SW that relate to the functional safety and safety integrity requirements of an E/E/PE safety-related system;
• to establish evaluation methods for an FS-PLC to this part for the following parameters/criteria:
– a Safety Integrity Level (SIL) claim for which the FS-PLC is capable,
– a Probability of Failure on Demand (PFD) value,
– an average frequency of dangerous failure per hour (PFH) value,
– a value for the safe failure fraction (SFF),
– a value for the hardware fault tolerance (HFT),
– a diagnostic coverage (DC) value,
– a verification that the specified FS-PLC manufacturer's safety lifecycle processes are in place,
– the defined safe state,
– the measures and techniques for the prevention and control of systematic faults, and
– for each failure mode addressed in this part, the functional behaviour in the failed state;
• to establish the definitions and identify the principal characteristics relevant to the selection and application of FS-PLCs and their associated peripherals.
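The evaluation parameters listed above are all derived from one per-channel failure-rate breakdown, and the SIL capability claim is the lower of an architectural limit (SFF versus HFT) and a probabilistic limit (PFD band). The following Python is an added worked example, not part of this PLCopen page nor of IEC 61131-6 itself: it computes SFF and DC from constructed failure rates, applies the IEC 61508-2 architectural-constraint tables for type A and type B subsystems, evaluates the IEC 61508-6 simplified 1oo1 PFD formula, maps the PFD to the low-demand SIL band, and caps the claim at SIL 3 as the scope above requires. All failure rates, the proof-test interval and the MTTR are invented; the 1oo1 formula takes the mean repair time equal to the MTTR and applies only to a single channel, since multi-channel architectures need the common-cause factor treated in Annex E.

```python
"""Added worked example: derive the FS-PLC evaluation parameters named in
IEC 61131-6 (SFF, DC, HFT, PFD, SIL capability) from a per-channel
failure-rate breakdown. Formulas follow IEC 61508-2/-6; every number is
constructed for illustration and is not taken from any real product."""
from dataclasses import dataclass

FIT = 1e-9  # one FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class ChannelRates:
    """Failure rates (in FIT) of one channel, split per the IEC 61508 failure model."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def safe(self) -> float:
        return self.safe_detected + self.safe_undetected

    @property
    def dangerous(self) -> float:
        return self.dangerous_detected + self.dangerous_undetected

    @property
    def total(self) -> float:
        return self.safe + self.dangerous


def safe_failure_fraction(r: ChannelRates) -> float:
    """SFF = (safe rates + dangerous-detected rate) / (all rates)."""
    return (r.safe + r.dangerous_detected) / r.total


def diagnostic_coverage(r: ChannelRates) -> float:
    """DC = dangerous-detected rate / total dangerous rate."""
    return r.dangerous_detected / r.dangerous


# IEC 61508-2 Tables 2 (type A, low complexity) and 3 (type B, high complexity):
# maximum SIL allowed by the architectural constraint, indexed by SFF band
# (<60 %, 60-<90 %, 90-<99 %, >=99 %) and then by HFT (0, 1, 2).
# None means the combination is not allowed for any SIL.
_SFF_BAND_LOWER = (0.0, 0.60, 0.90, 0.99)
_ARCH_SIL_LIMIT = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def architectural_sil_limit(sff: float, hft: int, subsystem_type: str):
    """Maximum SIL the hardware architecture supports (route 1H of IEC 61508-2)."""
    if not 0 <= hft <= 2:
        raise ValueError("HFT must be 0, 1 or 2")
    band = max(i for i, lower in enumerate(_SFF_BAND_LOWER) if sff >= lower)
    return _ARCH_SIL_LIMIT[subsystem_type][band][hft]


def pfd_avg_1oo1(r: ChannelRates, proof_test_interval_h: float, mttr_h: float) -> float:
    """Average PFD of a single channel (1oo1) per IEC 61508-6, B.3.2.2.1, with the
    mean repair time taken equal to the MTTR. Multi-channel architectures also
    need a common-cause (beta) factor (IEC 61131-6 Annex E), not modelled here."""
    lam_du = r.dangerous_undetected * FIT
    lam_dd = r.dangerous_detected * FIT
    return lam_du * (proof_test_interval_h / 2 + mttr_h) + lam_dd * mttr_h


def sil_from_pfd(pfd: float):
    """Low-demand SIL band (IEC 61508-1 Table 2, mirrored in IEC 61131-6 Table 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return None  # PFD >= 1e-1: no SIL can be claimed


def fs_plc_sil_capability(sff: float, hft: int, subsystem_type: str,
                          pfd: float, cap: int = 3):
    """SIL capability claim: the lower of the architectural and probabilistic
    limits, capped at SIL 3 because IEC 61131-6 applies only up to SIL 3."""
    arch = architectural_sil_limit(sff, hft, subsystem_type)
    prob = sil_from_pfd(pfd)
    if arch is None or prob is None:
        return None
    return min(arch, prob, cap)


if __name__ == "__main__":
    # Constructed single-channel breakdown: 100/200/450/50 FIT (not a real device).
    r = ChannelRates(safe_detected=100, safe_undetected=200,
                     dangerous_detected=450, dangerous_undetected=50)
    sff, dc = safe_failure_fraction(r), diagnostic_coverage(r)
    pfd = pfd_avg_1oo1(r, proof_test_interval_h=8760, mttr_h=8)
    print(f"SFF={sff:.4f} DC={dc:.2f} PFDavg(1oo1)={pfd:.3e}")
    for stype in ("A", "B"):
        print(f"type {stype}, HFT 0: SIL capability = {fs_plc_sil_capability(sff, 0, stype, pfd)}")
```

With the constructed rates the channel reaches SFF 93.75 % and DC 90 %, so a single type B channel (HFT 0) is architecturally limited to SIL 2 even though its 1oo1 PFD of about 2.2e-4 would sit in the SIL 3 band; the same channel as a type A subsystem reaches SIL 3. The split between the architectural and probabilistic limits is why the standard asks the manufacturer to publish SFF, HFT and DC separately from PFD/PFH rather than only a headline SIL.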

This part is primarily intended for FS-PLC manufacturers. It also includes the critical role of FS-PLC users through the user documentation requirements. Some user guidelines for FS-PLCs may be found in IEC 61131-4.

The requirements of ISO/IEC Guide 51 and IEC Guide 104, as they relate to this part, are incorporated herein.

TABLE of CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms and definitions
4 Conformance to this standard
5 FS-PLC safety lifecycle
5.1 General
5.2 FS-PLC functional safety SIL capability requirements
5.2.1 General
5.2.2 Data security
5.3 Quality management system
5.4 Management of FS-PLC safety lifecycle
5.4.1 Objectives
5.4.2 Requirements and procedures
5.4.3 Execution and monitoring
5.4.4 Management of functional safety
6 FS-PLC design requirements specification
6.1 General
6.2 Design requirements specification contents
6.3 Target failure rate
7 FS-PLC design, development and validation plan
7.1 General
7.2 Segmenting requirements
8 FS-PLC architecture
8.1 General
8.2 Architectures and subsystems
8.3 Data communication
9 HW design, development and validation planning
9.1 HW general requirements
9.2 HW functional safety requirements specification
9.3 HW safety validation planning
9.4 HW design and development
9.4.1 General
9.4.2 Requirements for FS-PLC behaviour on detection of a fault
9.4.3 HW safety integrity
9.4.4 Random HW failures
9.4.5 HW requirements for the avoidance of systematic failures
9.4.6 HW requirements for the control of systematic faults
9.4.7 HW classification of faults
9.4.8 HW implementation
9.4.9 De-rating of components
9.4.10 ASIC design and development
9.4.11 Techniques and measures to prevent the introduction of faults in ASICs
9.5 HW and embedded SW and FS-PLC integration
9.6 HW operation and maintenance procedures
9.6.1 Objective
9.6.2 Requirements
9.7 HW safety validation
9.7.1 General
9.7.2 Requirements
9.8 HW verification
9.8.1 Objective
9.8.2 Requirements
10 FS-PLC SW design and development
10.1 General
10.2 Requirements
10.3 Classification of engineering tools
10.4 SW safety validation planning
11 FS-PLC safety validation
12 FS-PLC type tests
12.1 General
12.2 Type test requirements
12.3 Climatic test requirements
12.4 Mechanical test requirements
12.5 EMC test requirements
12.5.1 General
12.5.2 General EMC environment
12.5.3 Specified EMC environment
13 FS-PLC verification
13.1 Verification plan
13.2 Fault insertion test requirements
13.3 As qualified versus as shipped
14 Functional safety assessment
14.1 Objective
14.2 Assessment requirements
14.2.1 Assessment evidence and documentation
14.2.2 Assessment method
14.3 FS-PLC assessment information
14.4 Independence
15 FS-PLC operation, maintenance and modification procedures
15.1 Objective
15.2 FS-PLC modification
16 Information to be provided by the FS-PLC manufacturer for the user
16.1 General
16.2 Information on conformance to this standard
16.3 Information on type and content of documentation
16.4 Information on catalogues and/or datasheets
16.5 Safety manual
16.5.1 General
16.5.2 Safety manual contents
Annex A (informative) Reliability calculations
Annex B (informative) Typical FS-PLC Architectures
Annex C (informative) Energise to trip applications of FS-PLC
Annex D (informative) Available failure rate databases
Annex E (informative) Methodology for the estimation of common cause failure rates in a multiple channel FS-PLC
Bibliography

Table of Figures

Figure 1 – FS-PLC in the overall E/E/PE safety-related system safety lifecycle phases
Figure 2 – Failure model
Figure 3 – FS-PLC safety lifecycle (in realization phase)
Figure 4 – Relevant parts of a safety function
Figure 5 – FS-PLC to engineering tools relationship
Figure 6 – HW subsystem decomposition
Figure 7 – Example: determination of the maximum SIL for specified architecture
Figure 8 – Example of limitation on hardware safety integrity for a multiple-channel safety function
Figure 9 – Fault classification and FS-PLC behaviour
Figure 10 – ASIC development lifecycle (V-Model)
Figure 11 – Model of FS-PLC and engineering tools layers
Figure B.1 – Single FS-PLC with single I/O and external watchdog (1oo1D)
Figure B.2 – Dual PE with single I/O and external watchdogs (1oo1D)
Figure B.3 – Dual PE with dual I/O, no inter-processor communication, and 1oo2 shutdown logic
Figure B.4 – Dual PE with dual I/O, inter-processor communication, and 1oo2D shutdown logic
Figure B.5 – Dual PE with dual I/O, no inter-processor communication, external watchdogs, and 2oo2 shutdown logic
Figure B.6 – Dual PE with dual I/O, inter-processor communication, external watchdogs, and 2oo2D shutdown logic
Figure B.7 – Triple PE with triple I/O, inter-processor communication, and 2oo3D shutdown logic

Table of Tables

Table 1 – Safety integrity levels for low demand mode of operation
Table 2 – Safety integrity levels for high demand or continuous mode of operation
Table 3 – Faults to be detected and notified (alarmed) to the application program
Table 4 – Hardware safety integrity – low complexity (type A) subsystem
Table 5 – Hardware safety integrity – high complexity (type B) subsystem
Table 6 – Faults or failures to be assumed when quantifying the effect of random hardware failures or to be taken into account in the derivation of safe failure fraction
Table 7 – Examples of tool classification
Table 8 – Performance criteria
Table 9 – Immunity test levels for enclosure port tests in general EMC environment
Table 10 – Immunity test levels in general EMC environment
Table 11 – Immunity test levels for enclosure port tests in specified EMC environment
Table 12 – Immunity test levels in specified EMC environment
Table 13 – Fault tolerance test, required effectiveness
Table 14 – Functional safety assessment information
Table 15 – Minimum levels of independence of those carrying out functional safety assessment
Table E.1 – Criteria for estimation of common cause failure
Table E.2 – Estimation of common cause failure factor