
TÜV SÜD America Inc.
10 Centennial Drive, Peabody, MA 01960
Phone: (978) 573-2500 · Fax: (978) 977-0157
E-mail: [email protected]

www.TUVamerica.com

Management Service • Product Service • Industry Service • Automotive

What is Functional Safety?
Frank West, Senior Engineer, TÜV SÜD America

Many engineers are encountering customer demand that their products meet a "SIL" rating, and at the same time they are meeting the unfamiliar term "functional safety." This paper aims to explain what these requirements mean to design engineers seeking to have a product approved within the regulatory compliance setting.

Traditional safety assessment focused on electrical, mechanical, and similar aspects of a design. This assessment was concerned with whether or not a product would pose a hazard because of its usage by a person or persons. The assessment looked at whether or not a product would, for example, create an electrical safety hazard, or catch on fire, or have sharp edges that might cut the user. The actual function of the product was not included in the assessment. Take as an example a product everyone is familiar with: the toaster. A traditional product safety assessment examines the toaster to ensure that it will not catch on fire, to ensure that the electrical energy used to heat the toast will not cause an electrocution hazard, and to assess what might happen if the toaster encounters water. The actual toasting of the bread is not assessed, because whether or not the toaster produces just the right amount of crunchy toasted goodness is not safety-relevant.

Functional safety is an additional step beyond the traditional product safety assessment. Functionally safe products DO—to use the above example—consider the function of the toaster as a safety-relevant factor in the design, and specific steps are carried out to ensure that the function of the product is performed with a defined degree of reliability. Using the toaster example, the crunchy goodness of the bread is defined as safety-relevant, and the reliability of the toaster in providing the exact amount of toasting requested by the user is assessed. It is important to remember that a functional safety assessment does not replace the traditional product safety assessment described above; it is in addition to the traditional product safety assessment. This is because, using the above example again, the reliability of the toaster in carrying out the toasting function is pretty useless if the toaster electrocutes the user or catches on fire!

Risk Assessment: the Key

A risk assessment process, carried out according to accepted principles of risk assessment, is the key to defining when functional safety is necessary. A risk assessment defines which actions of a product will be treated as safety-relevant actions and which will not. In addition, the risk assessment defines how safety-critical the ability to perform each particular action is. Consider another, more realistic example: a programmable pressure switch. A risk assessment is performed, which establishes that the switch is aimed at chemical processing applications, and that the potential users of the switch wish to use it to monitor pressure and trigger an automated pressure relief sequence if the pressure becomes too high. From the risk assessment, the action of the switch that is safety-relevant is the function of monitoring pressure and sending a command at a certain pressure trip point. In addition, it is learned from the market analysis that failure of the product in its conditions of use may result in the loss of one or more lives in the chemical plant, not to mention the financial consequences of the accident. Therefore, the action of the switch must meet a fairly high degree of reliability: lives are at stake!

The safety-relevant action of the switch is termed a safety function. A particular product may have more than one safety function, but every product that requires a functional safety assessment has at least one safety function. A safety function always has the form of some type of input, some type of logic that acts on that input, and some type of output:

Input → Logic → Output

From the risk assessment, the product will be defined as having a list of safety functions, and the safety consequence of the failure of each will be estimated. This list of safety functions and the criticality of each is the fundamental engineering input to a functional safety assessment. The goal of the entire functional safety assessment is to ensure that each function defined as safety-relevant carries out its intended function with a reliability level appropriate to the consequences should it fail to perform.
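
The input/logic/output form above, worked through for the pressure switch as an added example in C. This is not code from the white paper or from TÜV SÜD; the raw-count range, the 0 to 1600 kPa span, the 950 kPa trip point, the 50 kPa hysteresis and the three-cycle stale-sample limit are all constructed values. It shows two behaviours the paragraph leaves implicit: an implausible or missing input is treated as dangerous, so the output de-energises to the safe state instead of holding the last good reading, and the relay is driven from exactly one place, so the safety logic stays separate from anything non-safety-related.

```c
/* Added example (not from the white paper): one safety function in the
 * input -> logic -> output form, for a hypothetical pressure switch whose
 * output demands the plant's pressure relief sequence. All numeric values
 * are constructed for illustration. Written in the defensive style safety
 * coding standards expect: fixed-width integers, no dynamic memory, every
 * branch explicit, and the safe state reached by de-energising. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RAW_MIN           800u   /* ADC counts at 4 mA; below = open loop / sensor fault */
#define RAW_MAX          4000u   /* ADC counts at 20 mA; above = short / sensor fault */
#define SPAN_KPA         1600u   /* assumed pressure at RAW_MAX */
#define TRIP_POINT_KPA    950u   /* relief sequence demanded above this */
#define HYSTERESIS_KPA     50u   /* reset only once pressure is this far below the trip point */
#define MAX_STALE_CYCLES    3u   /* cycles without a fresh sample before tripping (assumed) */

typedef enum { OUTPUT_ENERGISED = 0, OUTPUT_TRIPPED = 1 } output_state_t;

typedef struct {
    output_state_t output;   /* relay held energised; de-energised = tripped (safe) */
    uint32_t stale_cycles;   /* consecutive evaluation cycles with no fresh sample */
} safety_state_t;

void safety_state_init(safety_state_t *st)
{
    st->output = OUTPUT_TRIPPED;   /* start in the safe state until a good reading arrives */
    st->stale_cycles = 0u;
}

/* INPUT: scale a raw sample to kPa and check it is plausible. Returns false
 * for a value outside the live 4-20 mA range; the logic treats that as
 * dangerous rather than as "no pressure". */
bool read_pressure_kpa(uint16_t raw, uint32_t *kpa_out)
{
    bool ok = false;
    if ((raw >= RAW_MIN) && (raw <= RAW_MAX)) {
        *kpa_out = ((uint32_t)(raw - RAW_MIN) * SPAN_KPA) / (RAW_MAX - RAW_MIN);
        ok = true;
    }
    return ok;
}

/* LOGIC: one evaluation cycle. Trips on over-pressure, on an implausible
 * input, or when samples stop arriving; resets only with hysteresis. */
output_state_t evaluate(safety_state_t *st, bool sample_fresh, uint16_t raw)
{
    uint32_t kpa = 0u;

    if (!sample_fresh) {
        st->stale_cycles++;
        if (st->stale_cycles >= MAX_STALE_CYCLES) {
            st->output = OUTPUT_TRIPPED;   /* a silent sensor is not a safe sensor */
        }
    } else {
        st->stale_cycles = 0u;
        if (!read_pressure_kpa(raw, &kpa)) {
            st->output = OUTPUT_TRIPPED;   /* fail to the safe state on a bad reading */
        } else if (kpa > TRIP_POINT_KPA) {
            st->output = OUTPUT_TRIPPED;
        } else if ((st->output == OUTPUT_TRIPPED) &&
                   ((kpa + HYSTERESIS_KPA) < TRIP_POINT_KPA)) {
            st->output = OUTPUT_ENERGISED;   /* pressure is well clear of the trip point */
        } else {
            /* inside the hysteresis band: hold the current state */
        }
    }
    return st->output;
}

/* OUTPUT: the only place the relay coil is driven. Here it just reports;
 * in a real device this is where the output register would be written. */
void drive_relay(output_state_t s)
{
    printf("relay %s\n", (s == OUTPUT_TRIPPED) ? "DE-ENERGISED (trip)" : "energised");
}

int main(void)
{
    /* Constructed sample sequence: normal, over-pressure, inside the
     * hysteresis band, clear of the band, then an open-loop sensor fault. */
    const uint16_t samples[] = { 2000u, 2800u, 2700u, 2500u, 500u };
    safety_state_t st;
    size_t i;

    safety_state_init(&st);
    for (i = 0u; i < (sizeof samples / sizeof samples[0]); i++) {
        drive_relay(evaluate(&st, true, samples[i]));
    }
    return 0;
}
```

The point of starting in the tripped state and of the stale-sample counter is that the safety function must never confuse "no information" with "no hazard"; a switch that holds its relay energised while its sensor is disconnected has a dangerous undetected failure built into its software.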

The SIL of a Safety Function

SIL stands for Safety Integrity Level. The SIL is a measure of the risk reduction provided by the safety function in the product. SIL is defined in four levels, from SIL 1 (the lowest amount of risk reduction) to SIL 4 (the highest amount of risk reduction). Selection of the SIL is performed to match the risk reduction to the safety criticality of the safety function. For safety functions with a relatively low criticality, SIL 1 may be appropriate. Safety functions with a high degree of criticality may require a SIL 3 or even a SIL 4 designation.

Selection of the SIL is a confusing point for many, because the way the marketplace is evolving is at odds with the technical content of the SIL designation. The SIL designation applies to the overall safety function that is being assessed for the final product: the SIL for the complete pressure relief system in the chemical plant, for example. An individual component, the pressure switch from the above example, is probably the input section of that overall plant-level safety function. Therefore, it is technically incorrect to talk about the switch itself being "SIL" whatever, and it may cause serious problems for the user of the switch if the switch designer is not aware of this distinction. It is more accurate to say that a component is suitable for use in a safety function with a given target SIL, and the designer designs with this in mind. Internally, all of the requirements for the target SIL are still designed into the switch. However, because the switch must go into a larger function that the switch user is building, the switch designer normally needs to ensure the switch is an order of magnitude more reliable than would seem necessary for the target SIL on its own. This leaves the designer of the final safety function in the plant or machine able to meet the SIL target for the complete function without one component, in our example the pressure switch, consuming all of the allowable failure rate for the function.

Assessing the Function

Assessment of the functional safety of a product has two primary elements. One important element is assessment of random failure of the product, and meeting a required rate of failure for the components and software that make up the safety function. A second important element is assessing the means employed to avoid systematic failure, that is, failure that is inadvertently designed into the product.

Assessment of random failure is done by utilizing standard methods of reliability engineering to ensure the product meets a defined target failure rate. This failure rate is often expressed as a number of dangerous random failures per hour. For example, in high-demand or continuous mode of operation, a SIL 1 function must keep its rate of dangerous random failures below 1x10^-5 per hour (the SIL 1 band runs from 1x10^-6 up to that limit), while the more safety-critical SIL 4 function under the same conditions must keep it below 1x10^-8 per hour (the SIL 4 band runs from 1x10^-9), a thousand-fold stricter target. The methods employed for this assessment include, but are not limited to, component reliability assessment and engineering, fault tree analysis, assessment of the architecture via reliability block diagrams, Markov modeling, and in some cases HALT and environmental testing and assessment.
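
The random-failure arithmetic behind the paragraph above, as an added example in C that is not code from the white paper or from TÜV SÜD. It applies the IEC 61508-1 PFH bands for high-demand/continuous mode, adds subsystem failure rates for a series reliability block diagram (sensor, logic solver, final element), checks what share of the target SIL's failure-rate budget a single component such as the pressure switch consumes (the "order of magnitude" point made in the SIL section), and includes a simplified 1oo2 approximation with a common-cause beta factor. The failure rates, the 10% share rule, the one-year proof-test interval and the beta value are constructed assumptions; only the band table is the standard's.

```c
/* Added example (not from the white paper): checking a safety function's
 * dangerous random failure rate against the IEC 61508-1 PFH bands and
 * allocating a share of that budget to one component. All failure rates
 * below are constructed for illustration, not measured values. */
#include <stddef.h>
#include <stdio.h>

/* IEC 61508-1 Table 3, high-demand/continuous mode: a function at SIL n must
 * have a PFH (dangerous failures per hour) below SIL_PFH_UPPER[n]; the band's
 * lower edge is one tenth of that. Index 0 is unused. */
static const double SIL_PFH_UPPER[5] = { 0.0, 1e-5, 1e-6, 1e-7, 1e-8 };

/* Highest SIL whose band contains pfh (better than the SIL 4 band counts as 4);
 * 0 if the rate is worse than SIL 1. Band membership is only the random
 * hardware part of a SIL claim: architectural constraints and the systematic
 * measures discussed later in the paper still apply. */
int sil_for_pfh(double pfh)
{
    int sil;
    for (sil = 4; sil >= 1; sil--) {
        if (pfh < SIL_PFH_UPPER[sil]) {
            return sil;
        }
    }
    return 0;
}

/* Series reliability block diagram with constant failure rates: the function
 * fails dangerously if any subsystem does, so the rates add. */
double series_pfh(const double *rates, size_t n)
{
    double total = 0.0;
    size_t i;
    for (i = 0u; i < n; i++) {
        total += rates[i];
    }
    return total;
}

/* Fraction of the target SIL's PFH ceiling that one component consumes. */
double budget_share(double component_pfh, int target_sil)
{
    return component_pfh / SIL_PFH_UPPER[target_sil];
}

/* The paper's rule of thumb: a component sold for use in SIL n functions
 * should leave most of the budget to the rest of the loop. max_share = 0.10
 * is the "order of magnitude" margin; the exact figure is an assumption. */
int fits_budget(double component_pfh, int target_sil, double max_share)
{
    return (budget_share(component_pfh, target_sil) <= max_share) ? 1 : 0;
}

/* Simplified 1oo2 (two channels, either can trip) approximation in the style
 * of IEC 61508-6 Annex B, assuming all dangerous failures stay undetected
 * until the proof test at interval t1 hours, plus a common-cause beta factor:
 *   PFH ~= lambda_du^2 * t1 + beta * lambda_du
 * The first term is both channels failing independently within one proof-test
 * interval; the second is the common-cause share, which usually dominates. */
double one_out_of_two_pfh(double lambda_du, double t1_hours, double beta)
{
    return (lambda_du * lambda_du * t1_hours) + (beta * lambda_du);
}

/* Tolerance comparison for checking floating-point results. */
int approx_equal(double a, double b, double tol)
{
    double d = a - b;
    return ((d < tol) && (-d < tol)) ? 1 : 0;
}

int main(void)
{
    /* Constructed dangerous failure rates per hour: pressure switch (input),
     * logic solver, relief valve and actuator (output). */
    const double loop[] = { 2.0e-7, 5.0e-8, 4.0e-7 };
    double total = series_pfh(loop, sizeof loop / sizeof loop[0]);
    double redundant = one_out_of_two_pfh(loop[0], 8760.0, 0.02);

    printf("loop PFH %.2e/h -> SIL %d band\n", total, sil_for_pfh(total));
    printf("switch alone uses %.0f%% of a SIL 3 budget: fits=%d\n",
           100.0 * budget_share(loop[0], 3), fits_budget(loop[0], 3, 0.10));
    printf("1oo2 switches (T1 = 1 year, beta = 2%%): PFH %.2e/h\n", redundant);
    return 0;
}
```

With these constructed numbers the loop lands in the SIL 2 band, and the switch on its own already uses twice the entire SIL 3 ceiling, which is exactly the situation the paper warns about: a component that consumes the whole budget leaves the plant designer nothing for the logic solver and the valve. Note also that in the 1oo2 case the common-cause term is an order of magnitude larger than the independent-failure term, so doubling up sensors without attacking common-cause failure (separate power, separate routing, diverse technology) buys far less than the raw redundancy suggests.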

Of course, software does not have a random failure rate in the way hardware does: software faults are systematic, present from the moment the code is written, so software reliability cannot be expressed as a defined failure rate the way the hardware assessment does. Instead, rigorous methods are used in software development to achieve a degree of confidence appropriate to the SIL. Strict separation of safety-related and non-safety-related code must be ensured, accepted coding standards for safety (such as the MISRA C and C++ guidelines) must be followed, and static and dynamic testing is performed at both the module and integrated code levels. At higher SILs, formal methods, such as mathematical modeling and proof of algorithms, are required.

By far the more difficult part of the assessment is the requirement to ensure that systematic failure is eliminated. Systematic failures, as mentioned, are failures that are designed into the product. Examples of systematic failure are incorrect specification of the function of the product (one of the most common and most serious failures), hardware design faults, software bugs, and so on. A life cycle model must be followed, and documented proof of the activities, checks, and controls at each life cycle stage must be part of the technical documents assessed for the safety function. For higher SIL ratings, ISO quality registration whose scope includes the design and development of functionally safe products is mandatory. Internal checks, such as rigorous design review with documented results, CASE tools for software development, and so forth, are required parts of the assessment, and unfortunately ones that manufacturers often overlook.

Meeting the Requirements

The requirements for a functionally safe product are outlined in the IEC 61508 series of standards. The first step in designing a functionally safe product and meeting the requirements is to purchase the standards. The table below outlines the standards:

IEC 61508-4    Definitions and abbreviations
IEC 61508-1    General requirements (safety life cycle)
IEC 61508-2    Requirements for E/E/PE safety-related systems (hardware)
IEC 61508-3    Requirements for software
IEC 61508-5    Examples of methods for determining SIL
IEC 61508-6    Guidelines on the application of parts 2 and 3
IEC 61508-7    Overview of techniques and measures

Often, for a manufacturer new to functional safety, a training program from an industry expert is very helpful in learning the standards and how to apply them. For example, the organization the author works for offers 2- and 3-day training programs to industry on the IEC 61508 standards and how to apply and use them. This training allows the manufacturer to meet one of the requirements of the standard itself: demonstrating that the designers and managers are trained in functional safety principles.

The next step is to initiate a functional safety assessment. A functional safety assessment should be performed by an assessor who is fully conversant with the functional safety standards and requirements. While lower SIL targets allow a company to "self-assess," this should only be done when the company has a certified functional safety expert in-house. Higher SIL targets require an outside third-party assessor.

A functional safety assessment normally is broken down into several checkpoint assessments. The checkpoints may be repeated iteratively if the requirements for that checkpoint are not met. At each checkpoint, the life cycle documents up to that checkpoint are assessed; failure to have the required life cycle activity output documents means the checkpoint must be repeated. The normal set of checkpoints in an assessment may look something like this:

Review of safety requirements specification, audit of safety design management system
Review of hardware and software requirements specifications, verification and validation testing plan
Review of hardware design and software design
Witness testing of hardware and software verification testing
Witness testing of validation testing and results
Review of user documents and instructions
Review of complete technical file and all life cycle documents

Of course, each product may require customization of the checkpoints. The assessor normally produces a road map for the assessment and gets buy-in from all affected parties as one of the first activities in the assessment.

How Much, How Long?

Designers contemplating a functional safety assessment normally are very interested in how long the assessment process will take and how much it will cost. Cost is of course contingent on the complexity of the product, the number of safety functions in the product and the SIL target for each function, and the degree of experience the designers have with functional safety. In general, it is safe to say that low complexity, a low safety function count, and low SIL targets all lead to much lower cost. Of course, high complexity (including any form of digital communication), a high safety function count, and high SIL targets all lead to much higher assessment costs.

The time for the assessment is almost completely contingent on the experience of the designers and design management with functional safety principles. Organizations with an existing ISO registration covering safety design and development may be able to move through an assessment process fairly quickly, whilst organizations with little institutional knowledge of life cycle management for safety designs will have a more difficult time, and take longer to move through the design process.

As a general statement, organizations with no prior experience should not expect to have complex products with high SIL targets (SIL 3 or SIL 4) approved easily, inexpensively, or quickly. There is simply too large a learning curve to move through. It is often better to start with a lower complexity, lower SIL target product, learn the process and the unique challenges of designing to meet the functional safety standard requirements, and then use that new knowledge to tackle the more complex, higher SIL target products.

Conclusion

Designing a product to meet functional safety requirements introduces new challenges in the regulatory compliance setting. Designers, management, and assessors must think about what a product does and how reliably it must do it. Technical standards, like the IEC 61508 series, provide an outline of how to ensure a product meets the reliability goals for a given safety function. Assessment provides an independent review of a company's efforts to meet these goals for a given product.

Additional Information:

The IEC 61508 standards may be ordered as a set from the IEC webstore: http://webstore.iec.ch/

About the Author:

Frank West

Mr. West is a Senior Engineer with TÜV SÜD America. He is an expert in industrial and machinery safety, risk assessment methods, and complex system safety engineering. Mr. West has over ten years' experience evaluating products for safety.