UNDERSTANDING FUNCTIONAL SAFETY AN OVERVIEW OF THE IEC 61508 STANDARD AND ITS APPLICATION AND BENEFITS

As the integration of automated safety systems expands globally across diverse industries – including process, household and commercial products, medical, nuclear, automotive, railway and avionics – the importance of functional safety evaluation and certification has become recognized internationally. Today functional safety certification is widely considered to be an essential tool to control and mitigate risk, particularly in those cases where a failure could lead to serious injury or death.

Those unfamiliar with the concept of functional safety may find the subject difficult to understand and place within the context of traditional safety and reliability assessments. However, designers who understand and embrace the concept of functional safety – and who demonstrate that products or systems conform to the requirements of recognized functional safety standards – are equipped to better manage risk while also capture increased share of market among the growing ranks of customers who also seek to meet the requirements of functional safety standards.

This paper provides an overview of functional safety concepts, standards requirements and methods of compliance. It is intended to help readers understand the importance of functional safety and the advantages of obtaining formal evaluation and certification services performed by an independent third-party.

Why Functional Safety? Evaluation and certification of systems involved in a safety related system and products to confirm that the functional application, with SIL4 used to protect IEC 61508 is the international standard for safety requirements of IEC 61508 have been against the highest risks. safety related systems associated with met is just one of the methods of dealing Safety function requirements are defined electrical, electronic and software-based with hazards control. An appropriate initial though a hazard analysis while safety technologies. The principles of the standard hazard analysis must be implemented to integrity requirements are derived from an can also be extended to assess mechanical define the level of risk and determine if assessment of acceptable risk. IEC 61508 elements if they are used in the safety function. functional safety is necessary to ensure may cover both determining the SIL level of adequate safety protection. IEC 61508 is an umbrella (generic) standard, a product and verifying the manufacturer intended to form a basis for sector-specific The IEC 61508 standard defines requirements specified safety integrity level (SIL) level. standards, including: for determining the level of risks and describes The higher the SIL assigned to the safety • IEC 61511 process industry the lifecycle process for ensuring that system or component, the lower the systems are designed, validated, verified, likelihood of dangerous failure. Instruments • IEC 61513 nuclear industry operated and maintained to perform a covered by these requirements might • IEC 62061 & ISO 13849 machinery industry specific function or functions to ensure include sensors, detectors, signal risk is kept at an acceptable level. IEC 61508 conditioners, logic controllers, monitors, • EN 50402 gas detector systems defines four SILs according to the risks alarms, actuators, valves and motors. • EN 50126 rail industry

North America | Europe | Asia • www.csagroup.org UNDERSTANDING FUNCTIONAL SAFETY

Demonstrating Functional Safety The Benefits of Functional Safety Organizations that provide a safety related service, or operation involving safety systems, In a highly complex, safety-related system Evaluation of systems and components, and can be approved for the technical and where functional safety is required, equipment certification that they meet the requirements management processes that govern their suppliers should identify an accredited of the applicable functional safety standards, functional safety activities (e.g., plant approval body (third body) that can evaluate provides designers, owners, operators and operators, systems integrators, contract and certify compliance with the IEC 61508 other stakeholders with increased confidence designers, product suppliers etc). This or applicable industry-specific standard. that processes operate safely, products meet type of approval covers the organization’s Accreditation means that the third-party regulations and industry requirements, risk generic processes as well as the competency agency has an internationally recognized has been appropriately managed, and the of its staff. This approval can be very useful in approval that qualifies it for functional potential for costly litigation has been earning new business, or in satisfying ongoing safety conformity assessment. minimized. contractual or regulatory requirements. The agency should demonstrate its Equipment suppliers can also leverage their experience and expertise in functional functional safety certifications to gain market Example of Functional Safety safety with a highly knowledgeable staff advantage, access new markets and achieve The following example explains the basic capable of carefully performing conformity sales growth among customers who require principles of functional safety. The diagram assessment requirements while providing products that meet a given SIL for use in below shows a relatively simple operation levels of service that help clients optimize their safety related applications or systems. from the process industry: filling a bulk their businesses. Agencies should be This “product-of-choice” status is reinforced storage fuel tank. Questions that must be independent third parties subject to annual by subsequent positive assessment reports answered initially include: What hazards audits by the accrediting body. Qualifying from customers whose products and systems are associated with this application? What agencies must provide annual compliance are also certified, further demonstrating can go wrong in the process? What are the evidence to the accreditation agency as full compliance with functional safety risks? How safe is the application? How proof of full conformance with the requirements. safe does it need to be? Other questions requirements of IEC 61508. may also apply.

In this illustration, tank overfill is clearly one of the main hazards that must be addressed.

North America | Europe | Asia • www.csagroup.org UNDERSTANDING FUNCTIONAL SAFETY

That might sound basic, but consider what supplier and one of the instrument SIS Implementation can happen if an overflow occurs… suppliers. The incident could have been prevented if the hazard and risk had been With the hazard and risks identified, safety correctly identified and an appropriate requirements can be assessed and an target SIL established, resulting in the acceptable target SIL established, resulting implementation of an appropriate overfill in the design of a safety related protection protection system and an operational system – an SIS loop – implemented as functional safety management system. shown below.

In a scenario like this, specifying a “safety- The SIS (in red) in this example might be related system,” usually called a “Safety specified as follows: Instrumented System” (SIS) in the process Safety Function: To close the emergency industry, can reduce risk to a target SIL shut off valve and switch off the pump in deemed acceptable based on assessment the event that the high-high level switch Oil storage depot, Buncefield, UK, December 2005 of the hazard. Depending on the target SIL, contacts are opened risk level can be reduced by at least… Miraculously, no-one was killed in this Safety Integrity: To perform the safety incident (it was 6:00 am on a Sunday • SIL1 by ≥10 times function to SIL2 (that’s a probability of the morning), but dozens of surrounding • SIL2 by ≥100 times independent safety function failing to work businesses were devastated. Several of less than 1 in 100 trips) companies were prosecuted and found • SIL3 by ≥1,000 times guilty in criminal and civil courts – including • SIL4 by ≥10,000 times the owner/operator, the control system

North America | Europe | Asia • www.csagroup.org UNDERSTANDING FUNCTIONAL SAFETY

Basic Steps in Achieving prepared, as it is one of the most important Functional Safety phases in the lifecycle. Functional safety Common Functional Safety standards emphasize the importance of Terms and Concepts 1) SIL Determination capturing functional requirements, deriving Once the hazards and risks have been more detailed design requirements (right • Functional Safety is when safety identified, using “HAZOP” analysis, a SIL down to low level hardware and software) relies on: Determination study can be prepared and tracing these through the design and – Safety function(s) – what the (normally arranged by the plant/machine development stages, integration and testing equipment does, and operator) to establish the Safety Function(s) process, and through to final validation – Safety integrity – how reliably and the amount of risk reduction required (assessment to the product lifecycle). At the the equipment does it end of every stage of the product lifecycle, of the safety system, which then defines • It is aimed at systems, typically a verification process must be followed its SIL. The IEC 61508 standard shows the formed from discrete instruments to capture any details not fully addressed requirements for failure data which are such as: that can affect compliance. This supports expressed either as a probability of failure – Sensors (to detect for unsafe avoidance of systematic failures. For complex on demand (PFD) for a “trip” safety system process/machine conditions) or high-integrity safety systems, capture of or as a failure rate (for a safety system – Logic solvers (decision making formal requirements and associated testing that has to respond more frequently or or controlling devices) require trusted automated tools. The safety even continuously). – Output elements (devices system (including all instruments) should that physically interrupt or halt Each SIL has its own range, with an “order then be designed and realized to achieve the process/machine to make of magnitude” between end points. If the the numerical SIL requirements identified the situation safe) demand from the process on the safety for the safety function. function is predicted to be less frequent • It is concerned with how the than once a year, it is classed as a low 3) Random Hardware Failures systems/ instruments can fail: demand system; if the demand is more Systems fail due to random hardware failure modes frequent than once a year, it is a high failures and systematic failures. Random demand system. (A continuous mode • How likely will the system/instrument hardware failures typically stem from the safety function is where safety is achieved failure mode occur: failure data components used in assembly and the by continuous or linear control of the plant/ design architecture. The probability that • The SIS is used to reduce the risk(s) machine). It is important to get the the safety system will fail to perform its to an “acceptable level” (a figure distinction between high and low demand designed safety function must be estimated generally accepted by society and right as the mathematics used to derive the using numerical and analytical techniques. legislators) requirements are different. Once the safety A quantitative assessment is performed to instrumented system is in operation, all ensure the specified figure is achieved. Continued on next page demands (whether “nuisance” or valid) should be logged, investigated and compared with A theoretical model of the equipment’s what was predicted at SIL determination. reliability must be constructed, decomposing the design into functional blocks to form 2) Safety Requirements Specification a “Reliability Block Diagram” (RBD). Other Once the target safety functions and safety methods such as Fault Tree Analysis can integrity have been determined, the Safety also be used. Modelling is particularly Requirements Specification (SRS) should be required for more complex designs.

North America | Europe | Asia • www.csagroup.org UNDERSTANDING FUNCTIONAL SAFETY

Each “block” down to component level must (known as the “lifecycle”). These systematic be analyzed, using methods such as Failure failures cannot be modelled and determined Common Functional Safety Terms Modes and Effects Analysis (FMEA). During statistically. Instead they must be avoided and Concepts Continued this analysis, it is necessary to determine by using processes and techniques of • The level of risk reduction required how the failure of each component affects sufficient rigor for the SIL involved. These from the SIS will define its Safety the equipment’s safety function. Failures are prescribed in the IEC 61508 standard. Integrity Level (“SIL”). The SIL places: can be a combination of safe and The verification of systematic failures – Limits on the probability of random dangerous depending on the definition (hardware or software) require a qualitative hardware failure, and of the safety function. assessment of the evidence of using the – Requirements on the systematic The outcome of the FMEA for each block is prescribed lifecycle, although the actual failure during the development a sum of the different types of failures (safe processes and work activities used will de- process known as the “lifecycle” and/or dangerous). Using the Reliability pend on the technologies in the design and used during the product realization Block Diagram, the different failure rates type of safety equipment in question. For phase can be grouped into categories, such as equipment developers, evidence of using • Note that before a SIS is specified, safe failures or dangerous (detected or these methods must be gathered during the risk control is already reduced as undetected); the probability of failure on design and made available for assessment. much as possible by conventional demand (PFD) can be then calculated for measures such as good (safe) the equipment. 5) Software process/machine design, the basic In addition to meeting the PFD requirement, Software requires special attention from the control system, alarms, trips, relief it is necessary for the equipment to meet developer if it is involved in performing the systems, procedural measures, etc. certain architectural constraints such as safety function. Software defects are a the safe failure fraction (SFF) and the specific type of systematic failure and a full hardware fault tolerance (HFT) outlined discussion is beyond the scope of this paper. in the standard. However, these points should be noted: • Invest in and maximize the use of automated test tools – anything repetitive • Ensure requirements are fully captured This analysis can be performed using or requiring manual effort to generate and traceable through the development information from circuit diagrams, test cases or logging results will lend lifecycle mechanical assembly drawings, parts itself to such tools lists, and other sources, and therefore can • Remember the linkage between hardware • Static analysis tools – some are very be undertaken following design. It requires and software – FMEA is a rich source of affordable and offer great benefit; the a detailed knowledge of component failure generating software requirements to deeper and wider the analysis the better rates, their various failure modes and how achieve hardware diagnostic coverage these can affect the functionality of the • Coding standards – this is an essential • Develop a software review culture (and instrument used in the safety function. requirement to ensure correct and safe keep evidence; informal log books are fine) The analysis is a specialist area and should constructs and a safe language sub-set only be undertaken by analysts with the • Modifications must include an impact are used appropriate tools, competence and access analysis and proof of the implementation • Use recommended (Misra C and to the appropriate failure rate data in order to process yield a statistical prediction of the random approved development tools) to facilitate hardware failure. • Configuration management is critical, the structure of the safety software including versions of test and compliance 4) Systematic Failures development tools • For systems integrators, achieving The second reason for system failure is • SOUP (software of unknown provenance) compliance to IEC 61511 is relatively weaknesses in the processes used in the and COTS (commercial-off-the-shelf) are straightforward specification, design, test, installation, use, best avoided, or extreme care should be modification and repair of the safety system taken in their use

North America | Europe | Asia • www.csagroup.org UNDERSTANDING FUNCTIONAL SAFETY

6) Functional Safety Assessment that covers a specific project and details About CSA Group how functional safety will be achieved. All safety systems must undergo an Either way, FSM is indispensible to avoid CSA Group was the first certification body independent functional safety assessment systematic failures and for creating a safety in the world to be accredited to issue (FSA) covering the hardware and software culture. No product, system or operation can functional safety certification to IEC 61508 as well as all the related processes used in claim to conform to the IEC 61508 standard by UKAS for both products and companies the realization of the instrument/system. without this critical assessment, which (FSM). It has undertaken more than 300 The FSA applies to all activities in the life- should govern all safety-related work activities functional safety projects for clients world- cycle of the safety system or instrument. from concept to decommissioning. wide in the past five years. These projects Requirements for the FSA are defined in IEC have been as diverse as simple electro- An important part of the FSM is the 61508-1 section 8. The accredited certifica- mechanical switches, actuators, and valves, development structure, deployment and tion process is defined by the international to highly complex programmable protection assessment of the competence of all staff standard for certification ISO/IEC 17065, devices and embedded real-time operating that have any roles or responsibilities which was published in September 2012 systems, up to SIL3 compliance. CSA Group’s associated with safety systems. For and replaces EN 45011 and ISO Guide 65. team of functional safety specialists has companies starting a functional safety This change dictated the need for changes experience in a wide range of industry project for the first time, FSM is a good within Certification Body (CB) management sectors and applications, including safety of place to begin as it establishes the systems and processes in order to maintain machinery. procedural infrastructure in advance. UKAS accreditation in. ISO 17065 covers CSA Group offers a wide range of functional many of the requirements with respect of Conclusion safety compliance assessment services – the assessment body. The requirements for from household equipment, software the assessment, including the methods and History (past and recent) shows there is a evaluation, FSM and product certification, techniques prescribed, increase in rigour great need for industry to provide evidence to services for wide sectors in the process with higher SIL. There is a minimum level of the reliability of automated safety industries. CSA Group’s functional safety of independence between the assessment systems to ensure the safety of people, program offers a full-service global solution team and the work being assessed, which the environment and corporate assets. IEC to manufacturers of equipment used in depends on the SIL and the lifecycle activi- 61508 (and related standards) provides the hazardous locations and in critical ties being evaluated. systematic lifecycle approach necessary to applications. achieve functional safety. Around the world, 7) Management of Functional Safety ® new and existing plants are being measured The CSA Certified advantage: helping IEC 61508 makes it clear that all against the criteria of this standard and manufacturers get the market access organizations that deal with safety market requirements for instruments that they need for over 95 years. instrumented systems should operate are suitable for SIL-rated systems are now Contact CSA Group to obtain more a functional safety management (FSM) commonplace. This enables instrument information about our global functional process. This could be a company-wide suppliers to benefit commercially from safety evaluation and certifications process, typically part of the company’s functional safety certification, increasing services: Quality Management System, and should their market advantage by earning include the additional elements required “product-of-choice” status among Call 1.866.463.1785 or for functional safety. Alternatively, it could current and future customers. visit www.csagroup.org or be implemented as an overarching plan email us at [email protected]

THE FOLLOWING ARE TRADEMARKS OF CSA GROUP: THE CSA LOGO AND CSA CERTIFIED. © 2015 CSA GROUP. ALL RIGHTS RESERVED.

North America | Europe | Asia • www.csagroup.org