AS NZS 62061:2019 - Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems (IEC 62061:2005+AMD1:2012+AMD2:2015 CSV (ED.1.2)/COR1:2015 MOD).
6.2.4 Maintainability and testability shall be considered during the design and integration to facilitate the implementation of these properties in the SRECS.
6.2.5 The SRECS design, including its diagnostic and fault reaction functions, shall be documented. This documentation shall:
— be accurate, complete and concise;
— be suitable for its intended purpose;
— be accessible and maintainable;
— be version controlled.
6.2.6 The outcome of the activities performed during SRECS design, development and implementation shall be verified at appropriate stages.
6.3 Requirements for behaviour (of the SRECS) on detection of a fault in the SRECS
6.3.1 The detection of a dangerous fault in any subsystem that has a hardware fault tolerance of more than zero shall result in the performance of the specified fault reaction function.
The specification may allow isolation of the faulty part of the subsystem to continue safe operation of the machine while the faulty part is repaired. In this case, if the faulty part is not repaired within the estimated maximum time as assumed in the calculation of the probability of random hardware failure (see 6.7.8), then a second fault reaction shall be performed to maintain a safe condition.
Where the SRECS is designed for online repair, isolation of a faulty part shall only be applicable where this does not increase the probability of dangerous random hardware failure of the SRECS above that specified in the SRS.
After the occurrence of faults that reduce the hardware fault tolerance to zero, the requirements of 6.3.2 apply.
NOTE The mean time to restoration (see IEV 191-13-08) that is considered in the reliability model will need to take into account the diagnostic test interval, the repair time and any other delays prior to restoration.
6.3.2 Where a diagnostic function(s) is necessary to achieve the required probability of dangerous random hardware failure and the subsystem has a hardware fault tolerance of zero, then the fault detection and specified fault reaction shall be performed before the hazardous situation addressed by the SRCF can occur.
EXCEPTION to 6.3.2: In the case of a subsystem implementing a particular SRCF where the hardware fault tolerance is zero and the ratio of the diagnostic test rate to the demand rate exceeds 100, then the diagnostic test interval of that subsystem shall be such as to enable the subsystem to meet the requirement for the probability of dangerous random hardware failure.