A practical introduction to functional safety: A brief overview of standards, benefits and processes

By Paul Reeve, CEng, Functional Safety Consultant, Sira Certification and CSA International


Functional safety is a complex and confusing subject for those unfamiliar with it. Yet by demonstrating the reliability of automated safety systems, equipment suppliers can benefit from a compelling advantage in the market. This paper aims to provide a straightforward overview of functional safety so readers can better understand the requirements and benefits of certification through an independent third party.

What is Functional Safety?

Functional safety is about using automated safety systems to protect persons and/or the environment from harm. It is demonstrated by showing that the systems' functionality is dependable enough for the level of risk they control.

Functional safety is a concern of owners and operators of plants and machinery, as well as of the organizations that design and supply safety systems and the components that go into them. Safety systems can fail for a variety of reasons, from human blunders and specification errors to minute "bugs" in software. These failure modes can be inadvertently "built in", waiting to strike, or they can be of a more random nature, because all hardware has a probability of failing sooner or later.

No matter the source of failure, a safety system is regarded as the last line of defence against harm. Therefore its functional safety must be designed in from the start and maintained throughout the lifetime of the system. As one can appreciate, the scope of functional safety is both very wide and very deep, affecting all organizations in the supply and use chain, whether they are responsible for the ownership of the entire plant, the overall system engineering or the development of embedded software in a miniature bought-in sensor.

Functional Safety Standard

IEC 61508 is the international standard for safety related systems associated with electrical, electronic and software-based technologies. (The principles of the standard can also be extended to mechanical components if such parts are used in the safety function.)

The standard defines requirements for determining the level of risk to be controlled from industrial hazards and for ensuring that systems are designed, implemented, operated and maintained to provide the required safety integrity level (SIL).  Four SILs are defined according to the risks involved in the system application, with SIL4 being used to protect against the highest risks.

Instruments covered by these requirements might include sensors, detectors, signal conditioners, logic controllers, monitors, alarms, actuators, valves and even motors.  It should be noted that IEC 61508 is an umbrella (generic) standard, intended to form a basis for sector-specific standards, such as:

- IEC 61511: process industry
- IEC 61513: nuclear industry
- IEC 62061 and ISO 13849: machinery industry
- EN 50402: gas detector systems
- EN 50126: rail industry

This list is not exhaustive and there are several more under development.

The Benefits of Functional Safety

By meeting the requirements of functional safety standards, organizations can operate more safely, meet regulations and avoid costly litigation.

Therefore, equipment suppliers whose products are approved for use in safety related systems that need to meet a given Safety Integrity Level (SIL) can benefit from a distinct market advantage. Their products can become the products of choice for use in safety systems, resulting in new markets and increased sales growth.

Likewise, organizations that provide a service or operation involving safety systems (e.g., plant operators, systems integrators, contract designers) can be approved for the technical and management processes that govern their functional safety activities. This type of approval covers the organization's generic processes as well as the competency of its staff. It can be very useful in winning competitive tenders or in satisfying contractual or regulatory requirements.

Basic Steps in Achieving Functional Safety

1)    SIL Determination

Once the hazards and risks have been identified, a SIL Determination study should be done (normally arranged by the plant/machine operator) to establish the Safety Function(s) and the amount of risk reduction required of the safety system, which then defines its Safety Integrity Level (SIL). The IEC 61508 standard sets out the requirements for failure data, which are expressed either as a probability of failure on demand (for a 'trip' safety system) or as a failure rate (for a safety system that has to respond more frequently or even continuously).

Each SIL is actually a range, with an 'order of magnitude' between end points.  If the demand from the process on the safety function is predicted to be less frequent than once a year, it is classed as a low demand system; if the demand is more frequent than once a year, it is a high demand system. (A continuous mode safety function is where safety is achieved by continuous or linear control of the plant/machine).  It is important to get the distinction between high and low demand right as the mathematics used to derive the requirements are different. Once the safety system is in operation, all demands (whether 'nuisance' or valid) should be logged, investigated and compared with what was predicted at SIL Determination.
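The demand-mode rule and the operational demand logging described above, as an added example that is not part of the original paper. It classifies a safety function as low or high demand from the predicted demand rate (the once-a-year threshold from the text) and then parses a constructed demand log to compare what was actually observed with what was assumed at SIL Determination. The log format, the function identifiers and the demand records are all constructed for this example.

```python
"""Demand-mode classification and demand-log comparison (added example).

Two points from the SIL Determination step: a safety function is low demand
if demands are predicted less often than once a year and high demand
otherwise, and once in operation every demand (valid or nuisance) should be
logged and compared with the prediction.  The log format and all sample
records are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


def demand_mode(predicted_demands_per_year: float) -> str:
    """Low demand below one demand per year, otherwise high demand.
    (A continuous-mode function is defined by how safety is achieved, not
    by demand rate, so it is not classified here.)"""
    if predicted_demands_per_year < 0:
        raise ValueError("demand rate cannot be negative")
    return "low demand" if predicted_demands_per_year < 1.0 else "high demand"


@dataclass
class Demand:
    when: datetime
    function: str
    kind: str      # 'valid' or 'nuisance'
    detail: str


def parse_demand_log(lines):
    """Parse constructed log lines of the form
    '<ISO timestamp> <function-id> <valid|nuisance> <free text>'.
    Comment lines starting with '#' and blank lines are skipped."""
    demands = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, func, kind, *rest = line.split(maxsplit=3)
        if kind not in ("valid", "nuisance"):
            raise ValueError(f"unknown demand kind {kind!r} in: {line}")
        demands.append(Demand(datetime.fromisoformat(ts), func, kind,
                              rest[0] if rest else ""))
    return demands


def compare_with_prediction(demands, function, predicted_per_year,
                            window_start, window_end):
    """Observed demand rate for one safety function over a window, and
    whether the demand-mode assumption made at SIL Determination still
    holds.  Nuisance demands are counted: they still exercise the safety
    system and may point at an instrumentation or process problem."""
    years = (window_end - window_start) / timedelta(days=365.25)
    mine = [d for d in demands
            if d.function == function and window_start <= d.when <= window_end]
    observed_per_year = len(mine) / years
    predicted_mode = demand_mode(predicted_per_year)
    observed_mode = demand_mode(observed_per_year)
    return {
        "function": function,
        "observed_demands": len(mine),
        "nuisance_demands": sum(1 for d in mine if d.kind == "nuisance"),
        "observed_per_year": observed_per_year,
        "predicted_mode": predicted_mode,
        "observed_mode": observed_mode,
        "mode_assumption_holds": predicted_mode == observed_mode,
    }


# Constructed sample log; not real plant data.
SAMPLE_LOG = """
# timestamp          function  kind      detail
2010-02-03T10:15:00 SIF-101  valid     high pressure trip, PT-101 above 12 bar
2010-06-20T02:40:00 SIF-101  nuisance  PT-101 cable fault, no process upset
2010-09-11T18:05:00 SIF-101  valid     high pressure trip during start-up
2010-11-30T07:22:00 SIF-202  valid     low level trip, LT-202
"""


def sample_report():
    """SIF-101 was predicted at 0.2 demands/year (low demand); the log shows
    three demands in one year, so the low-demand assumption no longer holds."""
    demands = parse_demand_log(SAMPLE_LOG.splitlines())
    return compare_with_prediction(demands, "SIF-101", predicted_per_year=0.2,
                                   window_start=datetime(2010, 1, 1),
                                   window_end=datetime(2011, 1, 1))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

A mismatch between predicted and observed mode is a finding to feed back into the SIL Determination, since the low-demand and high-demand calculations use different target measures.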

2)    Safety Requirements Specification

Once the target safety functions and safety integrity have been determined, the Safety Requirements Specification should be developed. Functional safety standards emphasize the importance of capturing functional requirements, deriving more detailed design requirements (right down to low level hardware and software) and tracing these through the design and testing process to final validation. For complex or high integrity safety systems, formal requirements capture and the associated testing require trusted automated tools. The safety system (including all instruments) should then be designed and realized to achieve the numerical SIL requirements.

3)    Random Hardware Failures

The first of two causes of system failure is random hardware failure, which depends on the components used in the system's assembly and on the design architecture. The probability of the safety system failing to perform its function must be estimated using numerical and analytical techniques to ensure the specified figure is achieved.

To do so, a theoretical model of the equipment's reliability must be constructed, decomposing the design into functional blocks to form a "Reliability Block Diagram" (RBD).  Other methods such as Fault Tree Analysis can also be used.  Modelling is particularly required for more complex designs.

Each "block" down to component level must be analyzed, using methods such as Failure Modes and Effects Analysis (FMEA).  During this analysis, it is necessary to determine how the failure of each component affects the equipment's safety function.

The outcome of the FMEA for each block is its failure rate broken down by failure type. Returning to the Reliability Block Diagram, these failure rates can be inserted and, using reliability calculations, the probability of failure on demand (PFD) can be calculated for the equipment.

In addition to meeting the PFD, it is necessary for the equipment to meet certain architectural constraints outlined in the standard. 

This analysis can be performed using information from circuit diagrams, mechanical assembly drawings, parts lists and other sources, and therefore can be undertaken after design. It requires detailed knowledge of the component failure rates, their various failure modes and how these can affect the functionality of the instrument used in the safety function. The analysis is a specialist area and should only be undertaken by analysts with the right tools, competence and access to suitable failure rate data, so as to yield a statistical prediction of random hardware failure.
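The chain described in this section (FMEA results summed per block, blocks combined in a Reliability Block Diagram, a PFD calculated and compared against the SIL band and the architectural constraints), as an added example that is not part of the original paper. The simplified low-demand PFDavg formulas, the SIL band limits and the safe-failure-fraction/hardware-fault-tolerance table are the published IEC 61508 values as I know them and are not stated in the article; the component names, FMEA rows and failure rates are constructed for illustration.

```python
"""Random hardware failure estimation: FMEA -> RBD -> PFD -> SIL (added example).

Simplified low demand PFDavg formulas are used (no common cause or repair
time terms).  Band limits follow IEC 61508-1 Table 2 (PFDavg) and the
IEC 61508-2 Route 1H architectural constraint tables; component names and
rates are constructed.
"""
from dataclasses import dataclass

FIT = 1e-9  # one failure per 10^9 hours


@dataclass
class BlockRates:
    """Failure rates (per hour) for one RBD block, by failure type."""
    name: str
    sd: float = 0.0  # safe, detected by diagnostics
    su: float = 0.0  # safe, undetected
    dd: float = 0.0  # dangerous, detected by diagnostics
    du: float = 0.0  # dangerous, undetected until proof test

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def sff(self) -> float:
        """Safe failure fraction: share of failures that are not dangerous undetected."""
        return 1.0 - self.du / self.total


def sum_fmea(name, rows):
    """rows: (failure mode, rate per hour, 'S' or 'D', detected) from the FMEA."""
    block = BlockRates(name)
    for _mode, rate, effect, detected in rows:
        if effect not in ("S", "D"):
            raise ValueError(f"effect must be 'S' or 'D', got {effect!r}")
        field = ("s" if effect == "S" else "d") + ("d" if detected else "u")
        setattr(block, field, getattr(block, field) + rate)
    return block


def pfd_avg_1oo1(lambda_du, proof_test_h):
    """Single channel, low demand: PFDavg ~ lambda_DU * T / 2."""
    return lambda_du * proof_test_h / 2.0


def pfd_avg_1oo2(lambda_du, proof_test_h):
    """Two channels, either trips: PFDavg ~ (lambda_DU * T)^2 / 3, no common cause."""
    return (lambda_du * proof_test_h) ** 2 / 3.0


def loop_pfd_series(pfds):
    """Series RBD (sensor, logic solver, final element): loop PFDavg ~ sum of blocks."""
    return sum(pfds)


def sil_for_pfd(pfd):
    """Low demand SIL band from PFDavg; 0 means no SIL claimable.
    Values below 1e-5 lie outside the table and are reported as 4 here."""
    for limit, sil in ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)):
        if pfd < limit:
            return sil
    return 0


# Maximum SIL by (component type, HFT) and SFF band: <60%, 60-<90%, 90-<99%, >=99%.
ROUTE_1H = {
    ("A", 0): (1, 2, 3, 3), ("A", 1): (2, 3, 4, 4), ("A", 2): (3, 4, 4, 4),
    ("B", 0): (0, 1, 2, 3), ("B", 1): (1, 2, 3, 4), ("B", 2): (2, 3, 4, 4),
}


def max_sil_architectural(component_type, sff, hft):
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return ROUTE_1H[(component_type, min(hft, 2))][band]


def achievable_sil(pfd, component_type, sff, hft):
    """The claimable SIL is the lower of the PFD band and the architectural limit."""
    return min(sil_for_pfd(pfd), max_sil_architectural(component_type, sff, hft))


# Constructed FMEA summary for a type B (programmable) pressure transmitter.
PT_FMEA_ROWS = [
    ("output drifts high, trips the loop",                   300 * FIT, "S", False),
    ("ADC fault caught by self-test, output to fail state",  500 * FIT, "D", True),
    ("output frozen at last value",                          100 * FIT, "D", False),
    ("watchdog reset, output to safe state",                 150 * FIT, "S", True),
]


def example_loop(proof_test_h=8760.0):
    """Sensor built from the FMEA rows; logic solver and valve lambda_DU constructed."""
    pt = sum_fmea("PT-101", PT_FMEA_ROWS)
    pfd_pt = pfd_avg_1oo1(pt.du, proof_test_h)
    pfd_pt_1oo2 = pfd_avg_1oo2(pt.du, proof_test_h)
    pfd_logic = pfd_avg_1oo1(20 * FIT, proof_test_h)
    pfd_valve = pfd_avg_1oo1(400 * FIT, proof_test_h)
    return {
        "pt_sff": pt.sff,
        "pt_pfd_1oo1": pfd_pt,
        "pt_sil_1oo1": achievable_sil(pfd_pt, "B", pt.sff, hft=0),
        "pt_pfd_1oo2": pfd_pt_1oo2,
        "pt_sil_1oo2": achievable_sil(pfd_pt_1oo2, "B", pt.sff, hft=1),
        "loop_pfd": loop_pfd_series([pfd_pt, pfd_logic, pfd_valve]),
    }


if __name__ == "__main__":
    for key, value in example_loop().items():
        print(f"{key}: {value}")
```

The single-channel transmitter lands in the SIL3 PFD band but is held to SIL2 by the architectural constraint; adding a second channel lowers the PFD further yet the claim only rises to SIL3, which is the point the text makes about meeting the architectural constraints in addition to the PFD. Note that the loop PFD is dominated by the valve, the usual situation in practice.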

4)    Systematic Failures

Systems also fail due to weaknesses in the processes used in the specification, design, test, installation, use, modification and repair of the safety system (known as the "lifecycle").  These systematic failures cannot be modelled and determined statistically as previously described; instead they must be avoided by using processes and techniques of a sufficient rigour for the SIL involved.  These are prescribed in the standard.

Systematic failures require a qualitative assessment of the evidence of using the prescribed lifecycle, although the actual processes and work activities used will depend on the technologies in the design and type of safety equipment in question.  For equipment developers, evidence of using these methods must be gathered during the design and made available for assessment.

5)    Software

Software needs special attention from the developer if it is involved in performing the safety function.  Software defects are a specific type of systematic failure and a full discussion is beyond the scope of this paper.  However, these points should be noted:

  • Ensure requirements are fully captured and traceable through the development lifecycle
  • Remember the linkage between hardware and software: FMEA is a rich source of software requirements for achieving hardware diagnostic coverage
  • Develop a software review culture (and keep evidence; informal log books are fine)
  • Modifications must include an impact analysis and possibly an escalation process
  • Configuration management is critical, including versions of test and development tools
  • SOUP (software of unknown provenance) and COTS (commercial off-the-shelf) software are best avoided, or need extreme care in their use
  • Invest in and maximize the use of automated test tools; anything repetitive, or requiring manual effort to generate test cases or log results, lends itself to such tools
  • Static analysis tools: some are very affordable and offer great benefit; the deeper and wider the analysis the better
  • Coding standards are essential to ensure that correct and safe constructs and a safe language subset are used
  • For systems integrators, achieving compliance with IEC 61511 is relatively straightforward
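Two of the points above, requirements traceability through design and test and impact analysis of a modification, as an added example that is not part of the original paper. It keeps a small trace model, reports requirements with no design or no test coverage and links that point at nothing, and lists the tests that must be re-run when a design item changes. The data model, identifiers and sample items are constructed for this example; a real project would draw them from its requirements and configuration management tools.

```python
"""Requirements traceability check and change impact analysis (added example).

Requirements trace forward to design items, and tests verify either a
requirement directly or a design item that implements one.  The model and
the sample data are constructed for this example.
"""


class TraceModel:
    def __init__(self):
        self.requirements = {}   # id -> text
        self.design = {}         # id -> set of requirement ids it implements
        self.tests = {}          # id -> set of ids (requirement or design) it verifies

    def add_requirement(self, rid, text):
        self.requirements[rid] = text

    def add_design(self, did, implements):
        self.design[did] = set(implements)

    def add_test(self, tid, verifies):
        self.tests[tid] = set(verifies)

    def check(self):
        """Traceability gaps: requirements with no design item, requirements
        with no test, and design/test links that point at unknown ids."""
        known = set(self.requirements) | set(self.design)
        covered_by_design = set().union(*self.design.values())
        tested = set()
        for targets in self.tests.values():
            for t in targets:
                if t in self.requirements:
                    tested.add(t)
                elif t in self.design:
                    tested |= self.design[t]   # testing the design item covers its requirements
        dangling = []
        for did, reqs in self.design.items():
            dangling += [(did, r) for r in reqs if r not in self.requirements]
        for tid, targets in self.tests.items():
            dangling += [(tid, t) for t in targets if t not in known]
        return {
            "no_design": sorted(r for r in self.requirements if r not in covered_by_design),
            "no_test": sorted(r for r in self.requirements if r not in tested),
            "dangling_links": sorted(dangling),
        }

    def impact_of_change(self, design_id):
        """Impact analysis for modifying one design item: the requirements it
        implements and every test that verifies it or one of those requirements."""
        if design_id not in self.design:
            raise KeyError(f"unknown design item {design_id}")
        reqs = self.design[design_id]
        tests = sorted(tid for tid, targets in self.tests.items()
                       if design_id in targets or targets & reqs)
        return {"requirements": sorted(reqs), "tests_to_rerun": tests}


def build_sample_model():
    """Constructed sample: a small trip function with one untested requirement
    and one test that points at a design item which does not exist."""
    m = TraceModel()
    m.add_requirement("SR-1", "Trip output de-energised within 500 ms of PT-101 > 12 bar")
    m.add_requirement("SR-2", "Loss of sensor signal shall be treated as a trip demand")
    m.add_requirement("SR-3", "Watchdog timeout shall force outputs to the safe state")
    m.add_design("D-compare", implements=["SR-1"])
    m.add_design("D-signal-validity", implements=["SR-2"])
    m.add_design("D-watchdog", implements=["SR-3"])
    m.add_test("T-trip-timing", verifies=["D-compare"])
    m.add_test("T-open-circuit", verifies=["SR-2"])
    m.add_test("T-stale", verifies=["D-missing"])   # dangling link, deliberate
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print(model.check())
    print(model.impact_of_change("D-compare"))
```

Running the same check after every change, and keeping its output with the review records, is the kind of evidence an assessor will ask for under the systematic-failure part of the assessment.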

6)    Functional Safety Assessment

All safety systems need to undergo an independent functional safety assessment (FSA) covering both the hardware and software, and all the related processes used in the realization of the instrument/system. The FSA applies to all activities in the lifecycle of the safety system or instrument.

Requirements for the FSA are given in IEC 61508-1 section 8. The accredited certification process (as defined by the international standards for certification such as ISO Guide 65 and EN 45011) covers many of the requirements of this clause in respect of the assessment body. The requirements for the assessment, including the methods and techniques prescribed, increase in rigour with rising SIL.  There is a minimum level of independence between the assessment team and the work being assessed which depends on the SIL and the lifecycle activities being assessed.

7)    Management of Functional Safety

IEC 61508 is clear that all organizations that deal with safety instrumented systems should operate a functional safety management (FSM) process. This could be a company-wide process, typically part of the company's Quality Management System, extended with the additional elements required for functional safety. Alternatively, it could be implemented as an overarching plan that covers a specific project and details how functional safety will be achieved. Either way, FSM is indispensable for the avoidance of systematic failures and for creating a safety culture. No product, system or operation can claim to conform to the standard without this critical element, which should govern all the safety related work activities from concept to decommissioning.

An important part of FSM is the development, deployment and assessment of the competence of all staff that have any roles or responsibilities with safety systems. For companies starting a functional safety project for the first time, FSM is a good place to begin as it gets the procedural infrastructure in place first.

Conclusion

History (some of it quite recent) shows there is a great need for industry to improve the reliability of automated safety systems to ensure the safety of people, the environment and even corporate assets. IEC 61508 (and related standards) provides the systematic lifecycle approach necessary to achieve functional safety. Around the world, new and existing plants are being measured against the criteria in this standard, and market requirements for instruments that are suitable for SIL-rated systems are now commonplace. Therefore, instrument suppliers can now benefit from the strong marketing advantages that functional safety product certification offers.

About Sira Certification

Sira was the first certification body in the world to be accredited to issue functional safety certification to IEC 61508 by UKAS, and has undertaken more than 170 functional safety projects on behalf of 80 clients worldwide in the past five years.  These projects have been as diverse as simple electro-mechanical switches and valves, to highly complex programmable protection devices and embedded real-time operating systems.  Sira's team of functional safety specialists has experience in many different industry sectors and applications.

In July 2009 Sira Certification was acquired by CSA International, offering a full-service global solution to manufacturers of equipment used in hazardous locations.

Register for our complimentary Functional Safety webinar on December 9th.

For more information contact us at:

1.866.463.1785

cert.sales@gethazloc.com
