The second edition of the international standard of IEC 61508, functional safety of electrical/electronic/programmable electronic safety-related system (SRS), was published in 2010. This international standard adopts a risk-based approach by which safety integrity requirements can be determined. It presents a formula to estimate the hazardous event rate taking account of non-perfect proof-tests. But it is not clear how to derive the formula. In the present paper, firstly, taking account of non-perfect proof-tests, the relationship between the dangerous undetected failure of SRS, the demand on the SRS and hazardous event is modeled by a fault tree and state-transition diagrams. Next, the hazardous event rate is formulated by use of the state-transition diagrams for the determination of the safety integrity requirements. Then, a comparison is made between the formulas obtained by this paper and given in the standard, and it is found that the latter does not always present rational formulation.

Although many companies have developed robots that assist humans in the activities of daily living, safety requirements and test methods for such robots have not been established. Given the risk associated with a robot malfunctioning in the human living space, from the viewpoints of safety and EMC, it is necessary that the robot does not create a hazardous situation even when exposed to possibly severe electromagnetic disturbances in the operating environment. Thus, in immunity tests for personal care robots, the safety functions should be more rigorously tested than the other functions, and be repeatedly activated in order to ascertain that the safety functions are not lost in the presence of electromagnetic disturbances. In this paper, immunity test procedures for personal care robots are proposed that take into account functional safety requirements. A variety of test apparatuses are presented, which were built for activating the safety functions of robots, and detecting whether they were in a safe state. The practicality of the developed immunity test system is demonstrated using actual robots.

This paper investigates potential to improve fault-detection coverage by means of on-chip redundancy. The international standard on functional safety, namely, IEC61508 Ed. 2.0 Part 2 Annex E.3 prescribes the upper bound of βIC (common cause failure (CCF) ratio to all failures) is 0.25 to satisfy frequency upper bound of dangerous failure in the safety function for SIL (Safety Integrated Level) 3. On the other hand, this paper argues that the βIC does not necessarily have to be less than 0.25 for SIL 3, and that the upper bound of βIC can be determined depending on failure rate λ and CCF detection coverage. In other words, the frequency upper bound of dangerous failure for SIL3 can also be satisfied with βIC higher than 0.25 if the failure rate λ is lower than 400[fit]. Moreover, the paper shows that on-chip redundancy has potential to satisfy SIL 4 requirement; the frequency upper bound of dangerous failure for SIL4 can be satisfied with feasible ranges of βIC, λ and CCF coverage which can be realized by redundant code.

The present paper modifies the algorithm to estimate harmful event frequencies and examines the definition of modes of operation in IEC 61508. As far as the continuous mode concerns, the calculated results coincide with those obtained based on the standard. However, for the intermediate region of medium demand frequencies and/or medium demand durations, the standard gives much higher harmful event frequencies than the real values. In order to avoid this difficulty, a new definition of modes of operation and a shortcut method for allocation of SILs are presented.