ABB Functional Safety Assessment

Functional safety assessmentPart 1 - Setting the boundaries of the FSA,defining the scope and planning the FSA.

A

BB

Lim

ited

2009

2CONTENTS

1.0 Introduction Page 3

2.0 Setting the boundaries of the FSA Page 4

3.0 Scope of the FSA Page 6

4.0 Audit and FSA Page 8

5.0 Planning of FSAs Page 9

Appendices Page 13

References Page 24

About the author Page 25

For more information, contact Stuart Nunns, UK Safety Lead Competency Centre [email protected]

3To many readers, Functional SafetyAssessments (FSAs) will be a new topic in thearea of functional safety. Even those who haveread and understand the key features of IEC61508 [1] and IEC 61511 [2] may not be fullyconversant with the specific details of the FSAactivity, aware that it is a mandatory (shall)requirement if one wishes to claim complianceto IEC 61508 or have actually implementedFSAs and reaped the benefits.

FSAs are undertaken in addition to thetraditional activities of verification, validation andfunctional safety audits. These activities aretypically planned and executed directly by theSafety-Related Systems project teamimplementing phase(s) of the safety lifecycle.The FSA is performed and specific to ensuringthat functional safety has been achieved withinthe specific scope of supply for theorganisation(s) in the context of the safetylifecycle. For a typical systems integrator thisscope of supply is the provision of the logicsolver sub-system only within the end-to-endSafety-Related System. For an EngineeringProcurement and Construction (EPC) companythis is typically the end-to-end Safety-RelatedSystem, consisting of the input subsystem, logic solver subsystem and final element(output) subsystem.

IEC 61508 and IEC 61511 both have clausesspecific to FSAs; For IEC 61508 this is Part 1clause 8 and for IEC 61511 Part 1 clause

5.2.6.1. However, there are differences in theapproach and recommendations which needcareful interpretation by those seeking toimplement FSAs. Performing FSAs requires staffwith a high level of competency and are moreoften than not based on subjectivity, particularlywhen applied to earlier phases of the safetylifecycle. The FSA assesses if appropriatemethods, techniques and processes have beenused to achieve functional safety.

This guide, consisting of two parts, provides the reader with details of an FSA processmethodology and FSA reporting mechanismdesigned and implemented by the author and in use across ABBs global Safety ExecutionCentres (SECs). These SECs all have IEC61508 compliant Functional SafetyManagement Systems (FSMS) and areprogressively being certified by TUV Rheinland.They implement safety system solutions forclients that focus on integration andconfiguration of the logic solver subsystem. It is a requirement of this compliance andcertification that these SECs implement FSAs.

In this first part of the guide, we look at how todefine the boundaries of the FSA in the contextof the safety lifecycle model, organisationalscope and responsibilities and levels ofindependence. We then move on to discuss the differences between audits and functionalsafety assessments and then how to plan afunctional safety assessment.

1.0 INTRODUCTION

42.0 SETTING THE BOUNDARIES OF THE FSA

One of the first activities to be performed whendeveloping an FSA methodology is to clearlydefine the scope of supply for the organisationwhich wishes to implement FSAs. This scope ofsupply has to be set in the context of thoseother organisations involved in the safetylifecycle and in particular, those organisationsimplementing phase(s) immediately before andafter those defined in this scope of supply. In the first instance, this requires a fullunderstanding of the requirements of IEC 61508Part 1, clause 8 which provides informationrelating to when, how, who and why in additionto the levels of independence required of theorganisation and staff implementing the FSAs.

The relevance and importance of defining thisscope of supply for an organisation is obviouswhen read in conjunction with IEC 61508, Part1, clause 8.2.3 the functional safetyassessment shall be applied to all phasesthroughout the overall E/E/PES and softwaresafety lifecycle. Similarly, the relevance andimportance of the role of other organisationsand the interfaces is apparent when read inconjunction with clause 8.2.3 those carryingout the functional safety assessment shallconsider the activities carried out and theoutputs obtained during each phase of theoverall, E/E/PES and software safety lifecycles and judge the extent to which the objectives and requirements in this standard have been met.

Also, clause 8.2.4, states the functional safety assessment shall be carried outthroughout the overall, E/E/PES and softwarelifecycle, and may be carried out after eachsafety lifecycle phase, or after a number ofsafety lifecycle phases.

The scope of supply of an ABB SEC relatesdirectly to IEC 61508 Phase 9 and IEC 61511Phase 4 but within these phases is limited tothe engineering and configuration of the logicsolver subsystem and not the end-to-end safetyinstrumented system. This scope of supplyincludes a core set of pre-requisites:

The subsystem used for systemsimplementation (logic solver and associated I/O modules) is third-partycertified in accordance with the requirements of IEC61508

Safety integrity data (PFD, systematiccapability and hardware fault tolerance) exists for all devices

Safety integrity data for the logic solver is clearly defined in the Safety Manualprovided by the supplier of the logic solver

Reliability data necessary for the integrator to perform their task is provided by supplychain manufacturers to the integrator and is readily available

Hardware element design (e.g. AnalogueInput module, Analogue Output module) isnot undertaken but hardware is configuredinto overall hardware architecture bydevelopment of subsystems

Software is Limited Variability Language (LVL).This is defined in IEC61131-3 [3] andincludes ladder diagram, functional blockdiagrams, sequential function chart andstructured text

Libraries are available with certified orapproved function blocks

Special (approved) configuration tools are available as part of the logic solver environment

Development tool support confirms that thedownloaded run-time application software isidentical to the source application software

Application software development is facilitated by the use of existing function blocks

Integration involves the downloading andcompilation of the configuration data andapplication software on the target platform

Approved libraries and function blocks areprotected from unauthorised modification

Hardware consists of Safety-Related Systemlogic solver, cabinets with appropriatetermination panels for connecting the process signal to the logic solver I/Omodules. Power supplies and powerdistribution for the logic solver and fielddevices are also normally included

5 A certified application development package isused to configure the Safety-Related Systemlogic solver. I/O and communication hardware

Coding standards are available for each61131-3 language used, including anyspecific limitations or restrictions

The development environment provides versionand configuration management facilities

In addition to ABBs SECs which operate ineach continent of the world, ABB established a Safety Lead Competency Centre (SLCC). This SLCC operates on behalf of ABB seniormanagement and is responsible for:

developing an IEC 61508 compliant genericfunctional safety management system (FSMS)

rolling this out to each SEC for local implementation

managing a global third-party IEC 61508certification programme for each SEC

providing functional safety training andconsultancy to SECs and external clients

acting as the independent safety authority forperforming FSAs

A further key consideration is the level ofindependence of the organisation performingthe FSA and by implication their assessors. Thelevel of independence is defined in IEC 61508,Part 1, clauses 8.2.12 to 8.2.14 and IEC 61511part 1, clause 5.2.6.1.2. On reading theseclauses it is clear that the requirements inrespect of independence are significantlydifferent between the standards. IEC 61508 hasvery clear and mandatory (shall) requirementsfor independence based on consequences orSIL, the choice dependent on safety lifecyclephase(s). IEC 61511 proposes a more relaxedapproach not dependent on consequences orSIL and not requiring rigidity in terms oforganisational or department independence.

It is essential, therefore, before embarking ondeveloping an FSA methodology that a decisionis made as to which standard is to be used forcompliance in the context of FSA. This decisionmay also be influenced by:

which standard is being used fordevelopment of the FSMS

the specific requirements of the third-partycertification body if the organisation isseeking to achieve certification of itsfunctional safety management system

The organisational and management modelsoperating within the company and how theseimpacts on levels on independence

Availability of competent resources

In respect of ABBs SECs the policy was toimplement FSAs in accordance with therequirements of IEC 61508. Therefore in orderto comply with this requirement:

FSAs shall be performed by resources underthe direction of the Safety Lead CompetencyCentre (SLCC) for safety systems of SIL 3capability in order to meet the independenceand competency requirements of IEC 61508 1, Clause 8, Table 5.

For SIL 1 & SIL 2 safety systems capability,FSAs can be performed by an independentperson from within the SEC, provided thatthe person is independent from the safetysystem design and engineering team and isdeemed competent by the SLCC to performin the role of Lead Assessor. All FSA reportswill be subject to review and approval by theSLCC. If this requirement cannot be met theUK SLCC shall perform the FSA.

In accordance with IEC 61508 Part 1, Table 5,HR1 was deemed appropriate and suitable dueto the fact that each SEC:

Has previous experience with similar designs Those safety systems being engineered and

configured are based on standard certifiedsafety platform technologies with LVLsoftware and certified function/building blocks

There is little or no novelty in the degree of design

Standardised design features and attributesare the norm

63.0 SCOPE OF THE FSA

Figure 1 below provides an overview of thissafety lifecycle model:

IEC61511 SIS SafetyLifecycle Phases and

Functional SafetyAssessment Stages

Stage 10 - Managementof Functional Safety andFunctional SafetyAssessment and Auditing

Stage 11 - Safety Lifecycle Structure and Planning

Stage 4 - Design and Engineering of SafetySystem

Stage 9 - Verification

A

D

M

O

Activity

Deliverable

Mandatory

Optional

AuditReport Review

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

Audit Point

Review

AuditReport Review Audit Point

M A

General Bid and Proposal

ReviewReport Review Review Review

ReviewReport

ReviewReport

M D

DevelopFunctional Design

SpecificationM D

Test Plan

M D

SoftwareConfiguration

Production Log

ReviewReviewReport

M D

Safety LifecycleManagement

Plan

Review Report

M A

ProjectCompetencyAssessments

M A

Project LifecycleTools (Process

Navigator)

F u n c t i o n a l Sa f e t y

As s e s s m

e n t

M A

M

Review andConfigurationManagement

M A

Query/ChangeProcedure

M A

Functional SafetyAudit Procedure

ReviewReviewReport

M D

Technique andMeasures

Specification

ReviewReviewReport

O D

Module FailureModes Analysis

ReviewReviewReport

M D

Module TestSpecification

ReviewReviewReport

M D

Integrated TestSpecification

ReviewReviewReport

M D

Factory Acceptance Test Specification

ReviewReviewReport

M D

Site AcceptanceTest Specifications

ReviewReport Review

ReviewReportReviewReport Review

O D

Develop BoundaryDiagrams

ReviewReport Review

M D

Develop Module Design

Specification

M A

Module Test

ReviewReport Review

M A

Integrated Test

Review

M A

Factory Acceptance Test

Review

M A

Site Acceptance Test

ReviewReviewReport

M D

SIL AchievementReport

ReviewReviewReport

M D

Operation andMaintenance

Manual

Optional

Optional

Figure 1 SEC safety lifecycle model, larger version on pages 14 & 15

As stated in section 2 above, ABB developed a generic FSMS for local implementation byeach SEC.

This FSMS specified a safety lifecycle model foruse by each SEC. Integral to this model are theaudit and FSA processes.

7For each compliant item, e.g. safety systemlogic solver, implemented by an ABB SEC anFSA is a mandatory requirement.

FSAs are performed in addition to verification,validation and functional safety audits, these areplanned and executed directly by the SEC.The objective of the FSA is to ensure thatfunctional safety has been achieved within thescope of supply for the SEC, i.e. provision ofthe logic solver sub-system only within the end-to-end Safety-Related System. It assesses ifappropriate methods, techniques, tools andprocesses have been used to achieve functional safety.

The FSA includes amongst other things ananalysis and review of: The safety instrumented system logic solver

and whether it is designed, constructed,verified and tested in accordance with thesafety functional design specification andwhether any differences have been identified and resolved

Whether the safety instrumented system logicsolver validation planning is appropriate andthe validation activities have been completed

Project design change procedures to ensure they are in place and have beenproperly applied

Whether SIL capability achieves the SIL target requirements

Whether regulations, mandatory standards and any stated codes of practice have been met

Development and production tools if used Adequacy and completeness

of documentation

84.0 AUDIT AND FSA

4.1 What do the standards say?An audit is a systematic and independentexamination to determine whether theprocedures specific to the functional safetyrequirements comply with the plannedarrangements, are implemented effectively andare suitable to achieve the specified objectives:

Procedures shall be defined andexecuted

There should be an:- Audit strategy- Audit programme- Audit Plan, reporting and follow-up

In contrast an assessment is an investigationbased on evidence, to judge the functionalsafety achieved by one or more E/E/PES SRS:

In the context of an ABB SEC, this is specificto the logic solver (IEC 61508 Phase 9 andIEC 61511 Phase 4)

Procedure shall be defined andexecuted.

Judgement shall be made as to the functionalsafety and safety integrity achieved by theSafety-Related System

Membership of the team shall include at leastone senior competent person

4.2 What are the differences?An audit is undertaken to ensure compliancewith procedures. It is integral to a QualityManagement System and ISO 9000. Auditors are not required to make judgementson the adequacy of the work they areconsidering and no specific judgement of functional safety and integrity.

In contrast, assessment involves assessorsundertaking an evaluation and making ajudgement, whether provisions are adequate for the achievement of functional safety andintegrity. Assessments are outside the normalISO 9000 scope and rely heavily on assessorjudgements and competency. One of the inputs to the assessment process will be the audit processes and findings.

Assessments can span several organisations and the FSA activities can drill down to technicalities, reserving the right to redo activities.

Assessments performed in accordance with IEC61508 demand prescriptive independence.

9 Preliminary FSA - Following completion ofthe Safety Lifecycle Management Plan andinternal review of the Safety LifecycleManagement Plan. Figure 2 shows thepreliminary FSA in relation to the safetylifecycle, processes and deliverables. Theshaded areas identify the key inputs to thisFSA stage.

5.0 PLANNING OF FSAS

Figure 2 Preliminary FSA, larger version on pages 16 & 17







A

D

M

O

Activity

Deliverable

Mandatory

Optional

AuditReport Review

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

Audit Point

Review


M A



ReviewReport

ReviewReport

M D


SpecificationM D

Test Plan

M D


Production Log

ReviewReviewReport

M D


Plan

Review Report

M A


M A


Navigator)


As s e s s m

e n t

M A

M


M A


M A


ReviewReviewReport

M D


Specification

ReviewReviewReport

O D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReport Review


O D


ReviewReport Review

M D


Specification

M A

Module Test

ReviewReport Review

M A

Integrated Test

Review

M A


Review

M A


ReviewReviewReport

M D


ReviewReviewReport

M D


Manual

Optional

Optional

Having specified the scope of supply of anSEC, specifically Phase 9 of IEC 61508 andPhase 4 of IEC 61511 and documented thepolicy to comply with IEC 61508 for FSA, thenthe decision was made for one FSA to beperformed for each safety system or logicsolver. However, this FSA is performed at threekey stages of the safety lifecycle:

10

5.0 PLANNING OF FSAS

Design FSA - Following completion of theFunctional Design Specification (FDS), internalreview of the FDS, and prior to approval bythe client. Figure 3 shows the Design FSA inrelation to the safety lifecycle, processes anddeliverables. The light shaded areas identifythe key inputs to this FSA stage and darkshading indicates activities/deliverables thatare revisited following the preliminary FSA.

Final FSA - Following Factory AcceptanceTesting (FAT). Figure 4 shows the Final FSA inrelation to the safety lifecycle, processes anddeliverables. The light shaded areas identifythe key inputs to this FSA stage and the darkshading indicates activities/deliverables thatare revisited following the Preliminary andDesign FSAs.

With respect to safety projects involving morethan one logic solver/safety system, more thanone FSA is likely to be required dependent on the: Duration of the project Number of safety systems implemented

within the project Degree of commonality across the

logic solvers

This would therefore require additional Designand Final FSAs.

The Lead FSA Assessor has the responsibilityfor preparing a Functional Safety AssessmentPlan for the safety project. The plan is written to enable a systematic and comprehensive FSA to be performed and specifies the: Membership of the assessment team at each

FSA stage. As a minimum, it shall include acompetent Lead FSA Assessor and theLead Engineer from the specific safety project

Scope of the FSA. See section 2 of this guidefor minimum requirements

The skills, responsibilities and authorities ofthe assessment team

The information that will be generated as aresult of the functional safety assessment

The identity of any other safety bodies andABB Groups/departments involved in

the assessment The means by which any follow-up

recommendations shall be progressed The stage(s) within the safety life cycle when

the FSA(s) will occur Degree of Independence in accordance with

IEC 61508 Schedule and estimated duration of the

assessment Documents referenced at each FSA stage Checklist utilised at each FSA stage Findings and recommendations from each

FSA stage

The plan is approved by the local SEC Managerand issued to all parties prior to theassessment-taking place. Only one plan isdeveloped for the specific project FSA and thisplan is effectively a living document in that aseach stage is completed the evidence reviewed,findings, conclusions and recommendations areadded to the plan.

11







A

D

M

O

Activity

Deliverable

Mandatory

Optional

AuditReport Review

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

Audit Point

Review


M A



ReviewReport

ReviewReport

M D


SpecificationM D

Test Plan

M D


Production Log

ReviewReviewReport

M D


Plan

Review Report

M A


M A


Navigator)


As s e s s m

e n t

M A

M


M A


M A


ReviewReviewReport

M D


Specification

ReviewReviewReport

O D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReport Review


O D


ReviewReport Review

M D


Specification

M A

Module Test

ReviewReport Review

M A

Integrated Test

Review

M A


Review

M A


ReviewReviewReport

M D


ReviewReviewReport

M D


Manual

Optional

Optional

Figure 4 Final FSA, larger version on pages 20 & 21







A

D

M

O

Activity

Deliverable

Mandatory

Optional

AuditReport Review

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

Audit Point

Review


M A



ReviewReport

ReviewReport

M D


SpecificationM D

Test Plan

M D


Production Log

ReviewReviewReport

M D


Plan

Review Report

M A


M A


Navigator)


As s e s s m

e n t

M A

M


M A


M A


ReviewReviewReport

M D


Specification

ReviewReviewReport

O D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReviewReport

M D


ReviewReport Review


O D


ReviewReport Review

M D


Specification

M A

Module Test

ReviewReport Review

M A

Integrated Test

Review

M A


Review

M A


ReviewReviewReport

M D


ReviewReviewReport

M D


Manual

Optional

Optional

Figure 3 Design FSA, larger version on pages 18 & 19

12

ALSO AVAILABLE

This document is the first of a two part series focusing on planning creating and implementing aFunctional Safety Assessment programme. The second part is also available, covering:

PART 2: Performing the Functional Safety Assessment, reporting and follow-up.

13

APPENDICES

APPENDICES







A

D

M

O

Activity

Deliverable

Mandatory

Optional

AuditReport Review

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

Audit Point

Review


M A



M D


SpecificationM D

Test Plan

M

Review

M D


Review

M D


Review

M D


Review

M D


ReviewReport Review


O D


ReviewReport Review

M D


Specification

M A

Module Test

ReviewReport Review

M A

Integrated Test

Review

M A


Review

M A


R

Optional

O

14

APPENDICES

Figure 1 SEC safety lifecycle model

w ReviewReviewReport

ReviewReport

M D


Production Log

ReviewReviewReport

M D


Plan

Review Report

M A


M A


Navigator)


As s e s s m

e n t

M A

M


M A


M A


ReviewReviewReport

M D


Specification

ReviewReviewReport

O D


R wReviewReport

wReviewReport

wReviewReport

wReviewReport

ReviewReviewReport

M D


ReviewReviewReport

M D


Manual

O

Optional

15

16

APPENDICES







A

D

M

O

Activity

Deliverable

Mandatory

Optional

AuditReport Review

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

Audit Point

Review


M A



M D


SpecificationM D

Test Plan

M

Review

M D


Review

M D


Review

M D


Review

M D


ReviewReport Review


O D


ReviewReport Review

M D


Specification

M A

Module Test

ReviewReport Review

M A

Integrated Test

Review

M A


Review

M A


Optional

O

Figure 2 Preliminary FSA


ReviewReport

M D


Production Log

ReviewReviewReport

M D


Plan

Review Report

M A


M A


Navigator)


As s e s s m

e n t

M A

M


M A


M A


ReviewReviewReport

M D


Specification

ReviewReviewReport

O D


R wReviewReport

wReviewReport

wReviewReport

wReviewReport

ReviewReviewReport

M D


ReviewReviewReport

M D


Manual

O

Optional

17

18

APPENDICES







A

D

M

O

Activity

Deliverable

Mandatory

Optional

AuditReport Review

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

Audit Point

Review


M A



M D


SpecificationM D

Test Plan

M

Review

M D


Review

M D


Review

M D


Review

M D


ReviewReport Review


O D


ReviewReport Review

M D


Specification

M A

Module Test

ReviewReport Review

M A

Integrated Test

Review

M A


Review

M A


Optional

O

Figure 3 Design FSA

19


ReviewReport

M D


Production Log

ReviewReviewReport

M D


Plan

Review Report

M A


M A


Navigator)


As s e s s m

e n t

M A

M


M A


M A


ReviewReviewReport

M D


Specification

ReviewReviewReport

O D


R wReviewReport

wReviewReport

wReviewReport

wReviewReport

ReviewReviewReport

M D


ReviewReviewReport

M D


Manual

O

Optional







A

D

M

O

Activity

Deliverable

Mandatory

Optional

AuditReport Review

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

ReviewReport

Audit Point

Review


M A



M D


SpecificationM D

Test Plan

M

Review

M D


Review

M D


Review

M D


Review

M D


ReviewReport Review


O D


ReviewReport Review

M D


Specification

M A

Module Test

ReviewReport Review

M A

Integrated Test

Review

M A


Review

M A


Optional

O

20

APPENDICES

Figure 4 Final FSA


ReviewReport

M D


Production Log

ReviewReviewReport

M D


Plan

Review Report

M A


M A


Navigator)


As s e s s m

e n t

M A

M


M A


M A


ReviewReviewReport

M D


Specification

ReviewReviewReport

O D


R wReviewReport

wReviewReport

wReviewReport

wReviewReport

ReviewReviewReport

M D


ReviewReviewReport

M D


Manual

O

Optional

21

22

NOTES

24

REFERENCES

[1] IEC 61508 Functional safety of electronic/electrical/programmable electronic Safety-Related Systems

[2] IEC 61511 Functional safety Safety instrumented systems for the process sector

[3] IEC 61131 Programmable controllers

25

ABOUT THE AUTHOR

Stuart Nunns has thirty-sixyears experience inautomation and safetywithin the oil & gas,chemical, steel andelectricity generation sectors and is a Principal

Consultant within the Safety Lead CompetencyCentre of ABBs Process Automation Division.Nunns is a member of ABBs Safety SteeringTeam, responsible for identifying and managingthe development of functional safety productsand services, mapping the total safety lifecycle.He is currently leading a global work programwithin ABB to establish TUV certified SafetyExecution Centres.

Nunns is a TUV Functional Safety Expert andmember of the IET Functional SafetyProfessional Network Executive Group and the InstMCs Safety Panel. He has written and presented papers and led internationalSafety-Related Systems workshops. He wasproject manager of both the CUIG (Framework IV) European safety group and the F/W V SIPI61508 EC Framework V projectdeveloping guiding principals for theimplementation of IEC 61508.

Within the UK he was the instigator and projectmanager of the CASS (conformity assessmentof safety systems to IEC 61508) scheme andserved as a Director of CASS Ltd.

Stuart R Nunns CEng, BSc, FIET, FInstMC - Principal Safety Consultant ABB Ltd

ABB LimitedHoward RoadEaton SoconSt NeotsCambridgeshirePE19 8EUTel: 01480 475321Fax: 01480 217948www.abb.com

Copyright 2009 ABB. All rights reserved.Specifications subject to change without notice.

Func

tiona

lsaf

ety

asse

ssm

ents

/Mar

ch09