登陆

IEC 61508ED2: series 06 - system

来源：公众号“汽车安全前瞻研究”

2020-06-15

1034

[Author]

Renhong WENG, Safety, and Security, and RAMS investigator.

First: Failure table and safety mechanism table comparison

IECs listed component names, and in corresponding failure modes, they listed out major diagnostic coverage reference values, however ISOs will not use this as example, detail as following:

Component	Diagnostic technique	IECs contexts	ISOs contexts
Electromechanical devices		For 60% DC: FM: Does not energize or de-energize Welded contacts For 90% DC: 60%+Individual contacts welded For 99% DC: 90%+No positive opening	Does not energize or de-energize Individual contacts welded
	Failure detection by online monitoring	Low (low demand mode) Medium (high demand or continuous mode)	Low
	Monitoring of relay contacts	High	N/A
	Comparator	High	High
	Majority voter	High	High
Discrete hardware I/O power supply		For 60% DC: FM: stuck at 1 or 0 For 90% DC: stuck-at faults, stuck-open, open or high impedance outputs as well as short circuits between signal lines. For integrated circuits, short circuit between any two connections (pins) is considered. Drift and occiliation For 99% DC: =90%	Incorrect I/O and ISO 26262-11:2018, 5.1, Table 30 Drift and oscillation Under and over Voltage Power spikes or ISO 26262-11:2018, 5.2
	Failure detection by online monitoring	Low (low demand mode) Medium (high demand or continuous mode)	Low
	Comparator	High	High
	Majority voter	High	High
	Tests by redundant hardware	Medium
	Dynamic principles	Medium
	Standard test access port and boundary-scan architecture	High
	Monitored redundancy	High
	Hardware with automatic check	High
	Analogue signal monitoring	Low
	Failure detection by on-line monitoring	Low (low demand mode) Medium (high demand or continuous mode)
	Test pattern	High	High
	Code protection	High
	Multi-channel parallel output	High
	Monitored outputs	High	High
	Input comparison/voting (1oo2, 2oo3 or better redundancy)	High	High
	Antivalent signal transmission	High
	Code protection for digital I/O		Medium
	Multi-channel parallel output		High
	Voltage or current control (input)		Low
	Voltage or current control (output)		High
...	...	...	...

Above is the preliminary comparision for the IECs and ISOs in example.

Second: Strengthness of IECs

IECs Have more considerations in systematic safety integrity:

- control failures caused by hardware design

- control failures due to environmental stress or influences and

"software architecture design

- control failues during operation, etc

The importance is signified as follows:
– M: the technique or measure is required (mandatory) for this safety integrity level;
– HR: the technique or measure is highly recommended for this safety integrity level. If this technique or measure is not used then the rationale behind not using it shall be detailed;

– R: the technique or measure is recommended for this safety integrity level;
– -: the technique or measure has no recommendation for or against being used;
– NR: the technique or measure is positively not recommended for this safety integrity level;
If this technique or measure is used then the rationale behind using it shall be detailed.

The required effectiveness is signified as follows:
– Low: if used, the technique or measure shall be used to the extent necessary to give at least low effectiveness against systematic failures;
– Medium: if used, the technique or measure shall be used to the extent necessary to give at least medium effectiveness against systematic failures;
– High: if used, the technique or measure shall be used to the extent necessary to give high effectiveness against systematic failures.

Third: avoidance of systematic failures during the different phases of the lifecycle

this context specialty in IECs, ISOs didnot have.

- when in specification of E/E/PE system design requirements