Functional Safety
Encyclopedia
Functional Safety is the part of the overall safety
of a system
or piece of equipment that depends on the system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures and environmental changes.
Functional Safety is intrinsically end-to-end in scope in that it has to treat the function of a component or subsystem as part of the function of the whole system. This means that whilst Functional Safety standards focus on Electrical, Electronic and Programmable Systems (E/E/PS), the end-to-end scope means that in practice Functional Safety methods have to extend to the non-E/E/PS parts of the system that the E/E/PS actuates, controls or monitors.
1. Identifying what the required safety functions are. This means the hazards and safety functions have to be known. A process of function reviews, formal HAZIDs, HAZOPs and Accident Reviews are applied to identify these.
2. Assessment of the risk-reduction required by the safety function. This will involve a Safety Integrity Level
(SIL) Assessment. A Safety Integrity Level (SIL) applies to an end-to-end safety function of the safety-related system, not just to a component or part of the system.
3. Ensuring the safety function performs to the design intent, including under conditions of incorrect operator input and failure modes. This will involve having the design and lifecycle managed by qualified and competent engineers carrying out processes to a recognised functional safety standard. In Europe, that standard is IEC EN 61508, or one of the industry specific standards derived from IEC EN 61508.
4. Verification that the system meets the assigned SIL, by determining the Mean Time Between Failure
s and the Safe Failure Fraction (SFF), along with appropriate tests. The safe failure fraction is the probability of the system failing in a safe state: the dangerous (or critical) state states are identified from a Failure Mode and Effects Analysis
or (Failure Mode, Effects, and Criticality Analysis) of the system (FMEA or FMECA).
5. Conduct functional safety audits to examine and assess the evidence that the appropriate safety lifecycle management techniques were applied consistently and thoroughly in the relevant lifecycle stages of product.
Neither safety nor Functional Safety can be determined without considering the system as a whole and the environment with which it interacts. Functional Safety is inherently end-to-end in scope.
An important element of functional safety certification is on-going surveillance by the certification agency. This follow-up surveillance ensures that that product, sub-system, or system is still being manufactured in accordance with the what was originally certified for functional safety. Follow-up surveillance may occur as various frequencies depending on the certification agency, but will typically look at the product's hardware, software, as well as the manufacturer's ongoing compliance of functional safety management systems.
The principles underpinning Functional Safety were developed in the military, nuclear and aerospace industries, and then taken up by rail transport, process and control industries developing sector specific standards. Functional Safety standards are applied across all industry sectors dealing with safety critical requirements. Thousands of products and processes meet the standards based on IEC EN 61508: from bathroom showers, automotive safety products, medical devices, sensors, actuators, Process Controllers from ABB, Siemens , and their integration by companies such as Capula to ships, aircraft and major plant.
In Europe, Functional Safety certification is supported by a well-developed infrastructure . The CASS Scheme is the primary method by which products are certified to IEC EN 61508 and related standards, through accredited quality auditors. It is possible to certify both products and processes that manage the lifecycle of the product, (in which case, the company certified would then issue a certificate of conformity to that certification in respect of its relevant products).
The US FAA have similar Functional Safety certification processes, in the form of US RTCA DO-178B for software and DO-254 for hardware , which is applied throughout the aerospace industry.
In the USA, NASA developed an infrastructure for safety critical systems adopted widely by industry, both in North America and elsewhere, with a standard , supported by guidelines . The NASA standard and guidelines are built on ISO 12207, which is a software practice standard rather than a safety critical standard, hence the extensive nature of the documentation NASA has been obliged to add, compared to using a purpose designed standard such as EN 61508 with the CASS Templates. A certification process for systems developed in accord with the NASA guidelines exists .
Modern E/E/PS medical devices are being certified to 501(k) on the basis of the industry sector specific IEC EN 62304 standard, based on IEC EN 61508 concepts.
MISRA in the automotive industry are moving standards towards IEC EN 61508 in the development of industry specific standards.
Safety
Safety is the state of being "safe" , the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm or any other event which could be...
of a system
System
System is a set of interacting or interdependent components forming an integrated whole....
or piece of equipment that depends on the system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures and environmental changes.
Objective of Functional Safety
The objective of Functional Safety is freedom from unacceptable risk of physical injury or of damage to the health of people either directly or indirectly (through damage to property or to the environment).Functional Safety is intrinsically end-to-end in scope in that it has to treat the function of a component or subsystem as part of the function of the whole system. This means that whilst Functional Safety standards focus on Electrical, Electronic and Programmable Systems (E/E/PS), the end-to-end scope means that in practice Functional Safety methods have to extend to the non-E/E/PS parts of the system that the E/E/PS actuates, controls or monitors.
Achieving Functional Safety
Functional Safety is achieved when every specified safety function is carried out and the level of performance required of each safety function is met. This is normally achieved by a process that includes the following steps as a minimum:1. Identifying what the required safety functions are. This means the hazards and safety functions have to be known. A process of function reviews, formal HAZIDs, HAZOPs and Accident Reviews are applied to identify these.
2. Assessment of the risk-reduction required by the safety function. This will involve a Safety Integrity Level
Safety Integrity Level
Safety Integrity Level is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function ....
(SIL) Assessment. A Safety Integrity Level (SIL) applies to an end-to-end safety function of the safety-related system, not just to a component or part of the system.
3. Ensuring the safety function performs to the design intent, including under conditions of incorrect operator input and failure modes. This will involve having the design and lifecycle managed by qualified and competent engineers carrying out processes to a recognised functional safety standard. In Europe, that standard is IEC EN 61508, or one of the industry specific standards derived from IEC EN 61508.
4. Verification that the system meets the assigned SIL, by determining the Mean Time Between Failure
Mean time between failure
Mean time between failures is the predicted elapsed time between inherent failures of a system during operation. MTBF can be calculated as the arithmetic mean time between failures of a system. The MTBF is typically part of a model that assumes the failed system is immediately repaired , as a...
s and the Safe Failure Fraction (SFF), along with appropriate tests. The safe failure fraction is the probability of the system failing in a safe state: the dangerous (or critical) state states are identified from a Failure Mode and Effects Analysis
Failure mode and effects analysis
A failure modes and effects analysis is a procedure in product development and operations management for analysis of potential failure modes within a system for classification by the severity and likelihood of the failures...
or (Failure Mode, Effects, and Criticality Analysis) of the system (FMEA or FMECA).
5. Conduct functional safety audits to examine and assess the evidence that the appropriate safety lifecycle management techniques were applied consistently and thoroughly in the relevant lifecycle stages of product.
Neither safety nor Functional Safety can be determined without considering the system as a whole and the environment with which it interacts. Functional Safety is inherently end-to-end in scope.
Certifying Functional Safety
Any claim of Functional Safety for a component, subsystem or system should be independently certified to one of the recognised Functional Safety standards. A certified product can then be claimed to be Functionally Safe to a particular Safety Integrity Level or a Performance Level in a specific range of applications: the certificate is provided to the customers with a test report describing the scope and limits of performance.An important element of functional safety certification is on-going surveillance by the certification agency. This follow-up surveillance ensures that that product, sub-system, or system is still being manufactured in accordance with the what was originally certified for functional safety. Follow-up surveillance may occur as various frequencies depending on the certification agency, but will typically look at the product's hardware, software, as well as the manufacturer's ongoing compliance of functional safety management systems.
The principles underpinning Functional Safety were developed in the military, nuclear and aerospace industries, and then taken up by rail transport, process and control industries developing sector specific standards. Functional Safety standards are applied across all industry sectors dealing with safety critical requirements. Thousands of products and processes meet the standards based on IEC EN 61508: from bathroom showers, automotive safety products, medical devices, sensors, actuators, Process Controllers from ABB, Siemens , and their integration by companies such as Capula to ships, aircraft and major plant.
In Europe, Functional Safety certification is supported by a well-developed infrastructure . The CASS Scheme is the primary method by which products are certified to IEC EN 61508 and related standards, through accredited quality auditors. It is possible to certify both products and processes that manage the lifecycle of the product, (in which case, the company certified would then issue a certificate of conformity to that certification in respect of its relevant products).
The US FAA have similar Functional Safety certification processes, in the form of US RTCA DO-178B for software and DO-254 for hardware , which is applied throughout the aerospace industry.
In the USA, NASA developed an infrastructure for safety critical systems adopted widely by industry, both in North America and elsewhere, with a standard , supported by guidelines . The NASA standard and guidelines are built on ISO 12207, which is a software practice standard rather than a safety critical standard, hence the extensive nature of the documentation NASA has been obliged to add, compared to using a purpose designed standard such as EN 61508 with the CASS Templates. A certification process for systems developed in accord with the NASA guidelines exists .
Modern E/E/PS medical devices are being certified to 501(k) on the basis of the industry sector specific IEC EN 62304 standard, based on IEC EN 61508 concepts.
MISRA in the automotive industry are moving standards towards IEC EN 61508 in the development of industry specific standards.
Contemporary Functional Safety Standards
The primary Functional Safety standards in current use are listed below:- IEC EN 61508 Parts 1 to 3 is a core Functional Safety standard, applied widely to all types of safety critical E/E/PS and to systems with a safety function incorporating E/E/PS.
- UK Defence Standard 00-56 Issue 2
- US RTCA DO-178B North American Avionics Software
- US RTCA DO-254 North American Avionics Hardware
- EUROCAE ED-12B European Airborne Flight Safety Systems
- IEC 62304 - Medical Device Software
- IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems, based on EN 61508
- IEC 61511-1, Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and software requirements, , based on EN 61508
- IEC 61511-2, Functional safety – Safety instrumented systems for the process industry sector – Part 2: Guidelines for the application of IEC 61511-1, , based on EN 61508
- IEC 61511-3, Functional safety – Safety instrumented systems for the process industry sector – Part 3: Guidance for the determination of the required safety integrity levels, based on EN 61508
- IEC 62061, Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems, based on EN 61508
- EN 50128, Railway Industry Specific
- EN 50129, Railway Industry Specific
- NASA Safety Critical Guidelines
See also
- IEC 61508IEC 61508IEC 61508 is an international standard of rules applied in industry. It is titled "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems"....
- ALARPALARPALARP stands for "as low as reasonably practicable", and is a term often used in the milieu of safety-critical and safety-involved systems. The ALARP principle is that the residual risk shall be as low as reasonably practicable...
- Hazard and Operability Study
- HAZID
- Safety Integrity LevelSafety Integrity LevelSafety Integrity Level is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a Safety Instrumented Function ....
- Spurious Trip LevelSpurious trip levelSpurious Trip Level is defined as a discrete level for specifying the spurious trip requirements of safety functions to be allocated to safety systems. An STL of 1 means that this safety function has the highest level of spurious trips. The higher the STL level the lower the number of spurious...
- Certified Functional Safety Expert (CFSE)Certified Functional Safety Expert (CFSE)Certified Functional Safety Expert is an independent Functional Safety certification governed by the not-for-profit[1] CFSE Governance Board...
External links
- IEC Functional safety zone
- Functional Safety and IEC 61508: A basic guide
- Certified Functional Safety Expert (CFSE) - Organization providing certification for Functional Safety professionals
- Inside Functional Safety - Technical magazine focusing on functional safety
- 61508.org The 61508 Association
- Functional Safety and IEC 61508 TÜV NORD SysTec GmbH
- UL's Functional Safety Certification