11 System requirements

11.5 Safety manual

[RQ11.3] According to IEC 61508-2, the suppliers of equipment implementing OPC UA Safety shall provide a safety manual. The instructions, information and parameters of Table 32 shall be included in this manual unless they are not relevant for a specific device.

Table 32 – Information to be included in the safety manual

| | Item | Instruction and/or parameter | Remark |
|---|---|---|---|
| 1 | Safety handling | Instructions on how to configure, parameterize, commission and test the device safely in accordance with IEC 61508 and IEC 61784-3. | |
| 2 | PFH or PFDavg | The PFH or PFDavg, as applicable, per logical connection of the safety function. | See Clause 11.3.2 and Clause 11.4 |
| 3 | SFRTOPCSafety | Information on how this value can be calculated by the end user / OEM. | See Clause 10.2. The implementation and error reaction of ConsumerCycleTime is the responsibility of the vendor/integrator. |
| 4 | SafetyBaseID / SafetyProviderID | Information on how the SafetyBaseID and SafetyProviderID are generated and assigned. | See Clause 11.1.1 |
| 5 | Commissioning | The end user / OEM is responsible for verification and validation of correct cabling and assignment of network addresses. The safety manual shall address how this can be accomplished. | |
| 6 | Operator acknowledgment | If the SafetyConsumer makes a transition to fail-safe substitute values requiring operator acknowledgement "frequently", this is an indication that a check of the installation (for example electromagnetic interference), network traffic load, or transmission quality is required. It shall be mentioned in the manual that it is potentially unsafe to simply omit these checks. "Frequently" in this context is defined as: more than once per day in SIL2 and SIL3 applications; more than once per week in SIL4 applications. | |
| 7 | Duration of demand | In safety applications where the duration of a demand signal is short (e.g. shorter than the process safety time), and it is crucial that the consumer application never misses a demand, a bidirectional communication must be arranged and the confirmation of receiving the demand at the consumer side must be implemented in the application program by sending appropriate information within the SafetyData. | |
| 8 | High demand and low demand applications | The SafetyConsumer must be executed cyclically within a shorter time frame than the SafetyConsumerTimeOut. | |
| 9 | Maintenance | Specific requirements for device repair and device replacement. | |
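An added monitoring example, not part of the specification or of any vendor's safety manual: it evaluates item 6 of Table 32 over constructed SafetyConsumer diagnostic log lines (the key=value line format is hypothetical) and lists the consumers whose operator-acknowledgement transitions count as "frequent". It assumes that "more than once per day/week" means two such transitions inside one sliding window of that length.

```python
from datetime import datetime, timedelta

# Table 32 item 6: "frequently" means more than once per day (SIL2/SIL3) or
# more than once per week (SIL4). Assumption: a sliding window of that length,
# not a calendar day or week.
FREQUENT_WINDOW = {2: timedelta(days=1), 3: timedelta(days=1), 4: timedelta(days=7)}

# Constructed sample log. Hypothetical format: ISO timestamp followed by
# key=value fields; FSV_ENTERED marks a transition to fail-safe substitute
# values and oa_required=1 marks that operator acknowledgement is needed.
SAMPLE_LOG = """\
2024-03-04T08:15:00 consumer=Press1 event=FSV_ENTERED oa_required=1
2024-03-04T19:40:00 consumer=Press1 event=FSV_ENTERED oa_required=1
2024-03-05T09:00:00 consumer=Press1 event=FSV_ENTERED oa_required=0
2024-03-09T10:00:00 consumer=Press1 event=FSV_ENTERED oa_required=1
2024-03-09T10:05:00 consumer=Press2 event=FSV_ENTERED oa_required=1
"""


def parse_oa_transitions(log_text):
    """Timestamps of fail-safe transitions needing operator acknowledgement, per consumer."""
    per_consumer = {}
    for line in log_text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("event") == "FSV_ENTERED" and kv.get("oa_required") == "1":
            per_consumer.setdefault(kv["consumer"], []).append(datetime.fromisoformat(ts))
    return {c: sorted(t) for c, t in per_consumer.items()}


def frequent_pairs(stamps, sil):
    """Consecutive transitions that fall inside one SIL-specific window.

    Any non-empty result means the installation / network / transmission
    quality check required by item 6 is due for that consumer.
    """
    window = FREQUENT_WINDOW[sil]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a <= window]


def consumers_needing_check(log_text, sil):
    """Names of SafetyConsumers whose acknowledgement rate is 'frequent' for this SIL."""
    return sorted(c for c, t in parse_oa_transitions(log_text).items() if frequent_pairs(t, sil))


if __name__ == "__main__":
    for sil in (3, 4):
        print(f"SIL{sil}: installation check due for {consumers_needing_check(SAMPLE_LOG, sil)}")
```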
