A.2.1 IEC 62061 architectural categories
The standard in §6.7.8.2 defines a set of basic system architectures to be used for the design of SRECS
implementing their SRCFs. A key point is the definition of “subsystem”, refer to §3.2.5, as the level of parts for a
system architecture where a dangerous failure could lead to the loss of the safety function.
Focusing on the microcontrollers, IEC 62061 proposed architectures are here quickly summarized for supporting
end users in the development of their Logic Solver units usable as subsystems for the implementation of a SRCF.
The assumptions for the correct understanding of the architectures are listed hereafter:
1. The SRCF is completely in the scope of the end user.
2. The STM32F2 Series device with the adoption of safety mechanism described in this Safety Manual as
single compliant item is by itself suitable for applications up to SILCL 2.
3. Two identical STM32F2 Series devices with the adoption of safety mechanism described in this Manual must
be used for achieving HFT ≠ 0, when required by basic architectures.
4. For a microcontroller, the parameter T1, mentioned in the standard as the minimum between service life or
proof test, is intended as the lifetime (mission time) assumed equal to 10 years, as per Section
3.3.1 Assumed safety requirements of this Manual.
Table 122. IEC 62061 architectural categories
Cat. Ref. § Summary Basic architecture of Logic
A 6.7.8.2.2
Equivalent of 1oo1, with HFT = 0, no diagnostic function(s).
Overall PFH
DssA
is the probability of dangerous failure of MCU
Single channel architecture, one MCU in 1oo1, n=1
PFH
DSSA
= ʎ
De1
1
Hours
• SILCL = 1 if SFF < 90%
• SILCL = 2 if 90% ≤ SFF < 99%
• SILCL = 3 if SFF ≥ 99%
B 6.7.8.2.3
Equivalent to 1oo2 with HFT = 1, a single failure does not lead
to the loss of SRCF.
No diagnostic function(s).
Dual channel architecture with two identical MCUs
• SILCL = 1 if SFF < 60%
• SILCL = 2 if 60% ≤ SFF < 90%
• SILCL = 3 if SFF ≥ 90%
In this case:
ʎ
De1
= ʎ
De2
= ʎ
De
ʎ
DSSB
=
1 − β
2
× λ
De
2
× T
1
+ β × λ
De
For β factor see Section 4.2
C 6.7.8.2.4
It is the equivalent of 1oo1d with a diagnostic function that
initiates a reaction function as a dangerous failure happens on
SRCF.
NOTE: diagnostic function provides the Logic Solver with a
diagnosis of an external subsystem, e.g. the actuator
Single channel architecture, one MCU in 1oo1, n=1
Diagnostic function is in charge of the end user
• SILCL = 1 if SFF < 90%
• SILCL = 2 if 90% < SFF < 99%
• SILCL = 3 if SFF ≥ 99%
ʎ
DSSC
= ʎ
De1
(1-DC
1
)
DC (Diagnostic Coverage) as resulting from FMEDA
PFH
DSSC
= ʎ
DSSC
1
Hours
UM1845
IEC 62061:2005/AMD1:2012
UM1845 - Rev 4
page 93/108
To Next Page
Loading...
