Functional Safety

The Functional Safety Handbook provides guidance on achieving compliance with international safety standards IEC 61508 and IEC 61511, emphasizing the importance of a structured approach to functional safety management systems (FSMS). It outlines the necessity for organizations to demonstrate competence in safety lifecycle activities and to establish a framework for certification to mitigate risks and enhance operational safety. The document details strategic competency principles and prerequisites for organizations seeking to implement effective safety practices and achieve accredited certification.

Functional safety handbook - v10 11/6/08 3:29 pm Page 1

© ABB Limited 2008

Functional safety handbook

CONTENTS

1.0 Introduction Page 3

2.0 Background Page 4

3.0 Putting the basics in place Page 6

4.0 Defining the boundaries Page 8

5.0 Specifying competency requirements Page 11

6.0 Benchmarking current practice Page 13

7.0 Selecting the certification body Page 14

8.0 Developing the safety lifecycle model and functional safety management system Page 15

9.0 Executing the certification process Page 26

10.0 Training courses Page 28

11.0 Establishing Supporting activities Page 29

12.0 Managing channel partners and third-party integrators Page 29

13.0 Final Comments and Conclusions Page 30

Appendices Page 31-33

References Page 34

About the author Page 35

For more information, contact Stuart Nunns, UK Safety Lead Competency Centre at
stuart.nunns@gb.abb.com


1.0 INTRODUCTION

The demands of the safety critical systems market are becoming ever more exacting, with international standards being increasingly used to demonstrate compliance with legal requirements and the increasing need to justify that the required functional safety has been achieved. This is not surprising given the increasing dependence on such systems to achieve the specified tolerable risk targets. With increasing contractual rigour and the potential for litigation should something go wrong, organizations need to demonstrate that their functional safety capability is seen as best in class.

Of particular importance in this context is the effectiveness of the competence management arrangements to ensure that those within the organization having responsibility for functional safety are competent to undertake those duties. In order to meet these increasing demands, safety suppliers and integrators are increasingly embarking on more formalized regimes, including certification programmes, to ensure their safety applications are implemented in accordance with IEC 61508 [1] and IEC 61511 [2].

The author has worked with a number of organizations seeking certification. This Functional Safety Handbook provides a case study illustrating how a major automation system supplier (the organization), with worldwide systems integration businesses (the integrators), undertook the challenge to achieve third-party accredited certification for its functional safety management system (FSMS) against the requirements of IEC 61508 and IEC 61511.

The generic methodology described, comprising the procedures and processes to achieve certification, has been developed by ABB Ltd.


2.0 BACKGROUND

Statistics relating to the performance of large organizations are published internationally and incidents, especially those causing injury or death, make headline news. Recent inquiries into major incidents provide further support for the increasing importance of international standards (IEC 61508 and IEC 61511) where such standards have been used as a benchmark of what constitutes acceptable good practice [3] [4]. Many management incentives are based on the safety performance of their operation. In order to compete or even survive, industry continually strives to improve performance and profitability while maintaining and improving safety. In today’s world there are significant costs on an organization if it is not acting in a socially responsible manner. Such costs include direct financial costs arising from the incident itself, from legal costs and fines in the event of being found guilty of breaking the law, damages paid to injured parties caused by negligence and reputation damage which can have far reaching implications on the business. The result is that safety and profitability are inextricably linked.

In summary, there are strong regulatory and social demands for businesses to demonstrate they have exercised their duty of care by providing a safe, reliable operation with full documentation and decision traceability.

2.1 Safety technologies are changing rapidly
In line with all control system technologies, safety systems are undergoing a revolution. Increasing reliance for process protection is being placed on networked ‘smart’ equipment, integrated control and safety solutions, reusable safety components and subsystems with automated configuration tools. The application of such technology has, potentially, significant economic and safety benefits, but to release its potential, it is vital that such technology is applied by the adoption of current good practice and this means the adoption of relevant standards such as IEC 61508 and IEC 61511. These standards represent current good practice and demand that attention be paid to all safety lifecycle activities within an effective functional safety management system.

2.2 Safety standards are also changing
The publication of the international safety standards IEC 61508 and IEC 61511 for the process sector is setting global benchmarks as “good practices” in functional safety. Safety Regulators and the legal professions worldwide are embracing these standards and using them to make judgements as to whether accepted good practice has been applied if negligence is suspected. Ignore them at your peril!

2.3 Globalization
The safety-related market is truly global and increasingly based on international standards. Although companies throughout the supply chain are establishing the capability to ensure compliance with the relevant international standards, there are currently differences in the way IEC 61508 and IEC 61511 are being implemented. These differences lead to a lack of cohesion in the supply chain and increase the likelihood of contractual and project disruption. The interface between the supply chain and the end user organization can sometimes be less than ideal, as end user organizations have been subjected to right-sizing, downsizing, restructuring and changes of ownership, which makes it a challenge for them to retain core competencies in an environment of rapid change.

2.4 Organizational and personal competence
Proven competence at a company, department and individual level is increasingly seen as necessary to meet contractual and regulatory requirements. But which competency scheme is most appropriate and who should it apply to?

2.5 What do the standards say about competency and functional safety?
The following clauses relate to IEC 61508 and IEC 61511 in respect of the “Management of functional safety”. In the case study, the organization had to develop a functional safety management system (FSMS), centrally, in compliance with these clauses as an essential pre-requisite to achieving accredited certification.

The relevant clauses in these standards are:

1. IEC 61508 – Part 1 – clause 6.2.1 states “Those organizations or individuals that have overall responsibility for one or more phases of the overall E/E/PES or software safety lifecycle shall, in respect of those phases for which they have overall responsibility, specify all management and technical activities that are necessary to ensure that the E/E/PES safety-related systems achieve and maintain the required functional safety”.

2. IEC 61511 – Part 1 – clause 5.2.2.2 states “Persons, departments or organizations involved in safety life-cycle activities shall be competent to carry out the activities for which they are accountable”.

Striving to achieve recognition for organizational and individual functional safety capabilities had to be seen as both a positive and essential requirement for the business as a whole. Also, in the light of many inaccurate and disputed claims (so-called ‘claims to fame’) relating to compliance of safety-related products in the marketplace, it was necessary for the organization to establish an objective and irrefutable means of demonstrating compliance and competence. The organization could not afford to ignore the requirements of the IEC 61508 and IEC 61511 standards and those of its customers, who increasingly specify them as a functional safety benchmark and a contractual requirement.

The additional benefits to the business of achieving certification included:
• Limiting the company’s exposure to potential liabilities
• Demonstrating due diligence
• Implementing repeatable and cost effective safety management systems (procedures, techniques, tools etc)
• Reducing unnecessary and costly pre-contract discussions and evidence gathering (which actually benefits both the organization and its clients)
• Winning work cost effectively
• Limiting effort (and cost) in developing so-called bespoke project safety procedures
• Gaining a competitive advantage and as a result securing more business


3.0 PUTTING THE BASICS IN PLACE

In the case study, the senior management of the organization responded to the strategic objectives by establishing an internal Company Safety Authority (CSA). The CSA was charged with the responsibility of ensuring that safety applications were implemented in accordance with IEC 61508 and IEC 61511.

The CSA was tasked with developing a set of core principles for functional safety and a program of work to achieve accredited certification for the organization as a whole. These core principles, endorsed by senior management, are collectively referred to as ‘Strategic Competency Principles’. They define minimum requirements designed to reflect a common purpose, shared beliefs and values and a commitment to (functional) safety within all the relevant businesses.

The ‘Strategic Competency Principles’ are based on a multi-tiered approach to demonstrating functional safety capability, see Figure 1 below. At the highest level the organization had to demonstrate compliance with good practice by the adoption of international standards IEC 61508 and IEC 61511. A key part of this demonstration was the strategic aim of achieving third party accredited certification. An essential element of this was the organization’s competence framework.

The second level relates to individual competence and the requirement to achieve external recognition of an individual’s functional safety capability. This recognition complements the organization’s competence framework. At the lowest level is the specific requirement to be competent to implement and deliver a specific safety product, package or service.

Figure 1


There are four strategic competency principles:

a) Benchmark current practice
Undertake and document a ‘gap assessment’ of each of the organization’s integrator companies’ functional safety management systems against IEC 61508 and IEC 61511 to establish the scope of the task. (See section 6)

b) Implement safety standards
Following the ‘gap assessment’, specify and implement a program of work to achieve accredited certification for each of the organization’s integrator companies’ functional safety management systems.

Whilst the organization’s integrator companies are seeking accredited certification, they shall produce safety plans covering all their related safety activities.

c) Establish individual Competency
The organization’s Safety Engineers shall progress to certified functional safety engineer status through the TUV Rheinland Functional Safety Program.

The organization’s Lead Engineers and nominated Safety Engineers working on a safety project shall have attended all the relevant safety system training courses prior to working on a safety project.

d) Manage Third Party Integrators and Channel Partners
All Third Party companies invited to carry out safety-related activities on behalf of the organization’s integrator companies shall be assessed and approved by the CSA.

This assessment and approval shall be achieved through a gap assessment, project functional safety assessments undertaken by the CSA and project audits undertaken by the integrator. All Third Party Integrators shall have in place a functional safety management system compliant with IEC 61508 and IEC 61511.

The key tenets of these Strategic Competency Principles are:

• To use Certified Products
• To employ Competent (Certified) persons
• To implement safety systems through the certified organization


4.0 DEFINING THE BOUNDARIES

In the case study, prior to the gap assessment a core set of prerequisites had to be agreed for the organization. These not only provided a clear understanding of the organization’s safety-related systems supply chain responsibilities but also mapped the organization’s generic functional safety management system against IEC 61508 Part 1 clause 6 and IEC 61511 Part 1 clause 5 (Management of Functional Safety).

This core set of prerequisites is defined below:
• The subsystem used for systems implementation (logic solver and associated I/O modules) is third-party certified in accordance with the requirements of IEC 61508
• Safety integrity data (PFD, systematic capability and hardware fault tolerance) exists for all devices
• Safety integrity data for the logic solver is clearly defined in the Safety Manual provided by the supplier of the logic solver
• Reliability data necessary for the integrator to perform their task is provided by supply chain manufacturers to the integrator and is readily available
• Hardware element design (e.g. Analog Input module, Analog Output module) is not undertaken but hardware is configured into the overall hardware architecture by development of subsystems
• Software is Limited Variability Language (LVL). This is defined in IEC 61131-3 [5] and includes ladder diagram, functional block diagrams, sequential function chart and structured text
• Libraries are available with certified or approved function blocks
• Special (approved) configuration tools are available as part of the logic solver environment
• Development tool support confirms that the downloaded run-time application software is identical to the source application software
• Application software development is facilitated by the use of existing function blocks
• Integration involves the downloading and compilation of the configuration data and application software on the target platform
• Approved libraries and function blocks are protected from unauthorized modification
• Hardware consists of SIS logic solver, cabinets with appropriate termination panels for connecting the process signal to the logic solver I/O modules. Power supplies and power distribution for the logic solver and field devices are also normally included
• A certified application development package is used to configure the SIS logic solver, I/O and communication hardware
• Coding standards are available for each 61131-3 language used, including any specific limitations or restrictions
• The development environment provides version and configuration management facilities
• Process Hazard and Risk Assessment has been performed to ensure systematic development of a Safety Requirements Specification and this has been provided as a key deliverable from the End User/Engineering Procurement and Construction (EPC) organization

With respect to the last bullet point, there are significant variations in the quality and contents of the Safety Requirements Specification (SRS) within the industry. The fundamental requirements are for a clear specification of the safety functions and target safety integrity for each safety function. This information is critical to the integrator, as it enables the integrator not only to provide a detailed and constructive proposal to any bid document, but also, if successful, to engineer a solution which meets the safety functions and target safety integrity required.

Guidance is provided in IEC 61508 Part 2 clause 7.2.3 regarding the content of the Safety Requirements Specification. This is strengthened, for the process industry, in IEC 61511 Part 1 clause 10.3.1. In the absence of an SRS at the bid and proposal phase, the integrator established a set of processes to facilitate a dialog with the client in order to complete, for the bid and proposal phase purposes, the checklist in Table 1. However, this was not a substitute for the delivery of an adequate SRS by the client, which would be necessary subsequent to the bid and proposal phase.

There are significant benefits to the parties involved in needing the SRS (the party having responsibility for developing the SRS and the party requiring the SRS in order to undertake the integration process) engaging in a dialog at an early stage. Early dialog facilitates the concept of partnership working and can be of advantage to both parties.

This core set of pre-requisites was also a requirement for defining the certification scope and applied area of each integrator’s certification. The certification scope covered:
• IEC 61508 E/E/PE safety related System Integration and IEC 61511 SIS Integration
• Applicable phases – IEC 61508 Phase 9 & IEC 61511 Phase 4
• Specifically:
  - Management of Functional Safety
  - Documentation
  - Functional Safety Assessments

Table 1 Requirements to be addressed

A description of all the safety instrumented functions necessary to achieve the required functional safety

Identification of requirements of common cause failures

Definition of the safe state of the process for each identified safety instrumented function

Definition of any individually occurring safe process states which, when occurring concurrently, create a
separate hazard (for example, overload of emergency storage, multiple relief to flare system)

Assumed sources of demand and demand rate on the safety instrumented function

Requirement for proof-test intervals

Response time requirements for the SIS to bring the process to a safe state

Safety integrity level and mode of operation (demand/continuous) for each safety instrumented function

Description of SIS process measurements and their trip points

Description of SIS process output actions and the criteria for successful operation, for example,
requirements for tight shut-off valves

Functional relationship between process inputs and outputs, including logic, mathematical functions and
any required permissives

Requirements for manual shutdown

Requirements relating to energize or de-energize to trip

Requirements for resetting the SIS after a shutdown

Maximum allowable spurious trip rate

Failure modes and desired response of the SIS (for example, alarms, automatic shutdown)

Any specific requirements related to the procedures for starting up and restarting the SIS

All interfaces between the SIS and any other system (including the BPCS and operators)


At the outset of the certification program it was necessary to analyze the two relevant standards (IEC 61508 and IEC 61511) to identify differences in interpretation and terminology for those clauses affecting the scope of supply; such as levels of independence for Functional Safety Assessments, Techniques and Measures, Site Acceptance Test (SAT), Verification and Validation.

In addition, this analysis was required as the organization only provides logic solver subsystems and IEC 61511 tends to focus on the complete SIS. As the organization had a requirement for its certification scope to include both IEC 61508 and IEC 61511 it had to reach an agreement with its certification body on interpretation of the standards in specific areas. This resulted in a memorandum of understanding providing interpretation and clarification. For example:

• IEC 61511, Part 1, clause 15.1.1 states that SIS Validation is also referred to as Site Acceptance Test (SAT) which is undertaken on the complete SIS. However in the context of the integrator, Site Acceptance Test (SAT) is an activity performed by the integrator on the customer’s site, following Factory Acceptance Test (FAT) on the logic solver (and not the complete SIS) and after delivery of the logic solver to site

• IEC 61511, Part 1, 15.2.2, software validation can be interpreted as applying to the SIS. In the context of the integrator, software validation is included in the Factory Acceptance Test (FAT) on the logic solver itself, and not the complete SIS, which is out of the scope of supply

• IEC 61511, Part 1, Clause 13.1 refers to Factory Acceptance Test (FAT) and states that Factory Acceptance Test (FAT) is sometimes referred to as integration test and part of validation. In the context of the integrator’s Factory Acceptance Test (FAT) this is a separate activity from integration test and is undertaken on the logic solver itself


5.0 SPECIFYING COMPETENCY REQUIREMENTS

There is an increasing trend in the marketplace for client organizations to demand formal evidence of the competency of those providers of safety-related products and services. Many of these requirements are colloquially referred to as ‘one liners’ (for example ‘must have competent people’ or ‘must have certified engineers’), and it is clear in many cases that the originators of such statements do not fully understand the requirement or how to respond to questions relating to what is exactly meant by such statements.

In any well-run organization, staff are required to be competent to perform the tasks assigned to them. Organizations dealing with safety-related systems increasingly find that their customers need assurance that the organization’s personnel can be shown to meet the necessary standards of competency. This includes the designers and implementers of such systems. Professionals with responsibility for design and/or supervision will also, for example, be expected to have a detailed working knowledge of all relevant legislation and codes of accepted good practice which affect their work, together with knowledge of working practices in similar establishments and awareness of current developments in their field.

Against this background the case study company established processes for both organizational and individual competence. The ability to demonstrate that the organization had competent functional safety staff called for the establishment of a functional safety competence scheme. This competence scheme was based on four attributes:

1. Knowledge
2. Experience
3. Training
4. Qualifications

One of the objectives of the CSA was to establish a group of functional safety practitioners within the organization.

Strategic Competency Principle (c) (see section 3) addresses training (attribute 3) in functional safety and specific safety platforms. The CSA chose a respected third party specialist as the provider of training leading to TUV certified functional safety engineer status.

The other three attributes above on which the competence of persons was based, namely knowledge, experience and qualifications, were addressed through the development and introduction of a Competence Management System (CMS).

The CMS introduced a further level of competence specific to functional safety, over and above that required by the company’s ISO 9001 QMS. The CMS was based on the UK IEE/BCS “Competency Criteria for Safety-related System Practitioners” [6].

The key requirement was for all personnel having responsibilities for specified tasks on a safety-related project to have their training, knowledge, experience and qualifications assessed in relation to the particular tasks for which they were responsible.

Although IEC 61508 does not make a direct correlation with the required level of rigour and competence, the following factors were taken into consideration:
• The consequences in the event of failure of the Electrical/Electronic/Programmable Electronic (E/E/PE) safety related system; the greater the consequence, the more rigorous the specification and assessment of competence.
• The safety integrity levels of the Electrical/Electronic/Programmable Electronic (E/E/PE) safety related system; the higher the safety integrity levels, the more rigorous the specification and assessment of competence.
• The novelty of design procedures or application; the newer or more untried the designs, design procedures or application, the more rigorous the specification and assessment of competence should be.


• Previous experience and its relevance to the specific duties to be performed and the technology being employed. The greater the required competence levels, the closer the fit should be between competencies developed from previous experience and those required for the specific duties to be undertaken.

A competence database, in existence at the organization and used to record the technical capabilities of personnel, was used as the basis for personnel selection. That is, the responsible Project Manager consults the database when assigning resources to a safety-related project, to ensure that candidates have the necessary experience and qualifications appropriate to the application area and technology, as well as knowledge of the legal and safety regulatory framework. The classification of the level of competence achieved, with respect to specific competence, is as follows:

Level 1:
Has experience of the system safety platform in an implementation capacity and / or has attended appropriate training courses. This is the minimum level required for the relevant activities of the implementers and testers of the system.

Level 2:
Has experience and training to the level of specifying/designing solutions for the systems platform. This is the minimum level required for the relevant activities of the designers of the system.

Level 3:
A recognised expert in his/her application of the systems platform, demonstrated through an appropriate combination of experience, application and training. This is the minimum level required for the relevant activities of the reviewers of the system.

A set of supplementary guidelines assists those undertaking the assessment of an individual in order to produce an assessment profile and the level of competence achieved. This information was subsequently recorded in the competence database.

The supplementary guidelines cover such areas as:
• Engineering knowledge appropriate to the industry domain
• Safety system knowledge applicable to the application and technology
• Principles of Functional Safety Assurance
• Specifying, witnessing & performing tests
• Transposing safety requirements to design
• Analysing design and code (in terms of software and hardware architecture and including various forms of definition notation)

Completion of the assessment of competence not only facilitates the mapping of the individual’s competence to the specific project tasks and activities they are required to perform but also identifies those areas where mentoring and supervision is required and any additional training necessary.


6.0 BENCHMARKING CURRENT PRACTICE

Strategic Competency Principle a) (see Section 3) called for a gap assessment to be performed of the functional safety management system against the requirements of IEC 61508 and IEC 61511 for each of the organization’s integrators involved in functional safety activities. In order to undertake this task, a gap assessment methodology based on the CASS (Conformity Assessment of Safety Systems) [7] scheme was used. The CASS assessment templates were developed to align with clause 6 of IEC 61508 Part 1 and clause 5 of IEC 61511 Part 1.

IEC 61511 rather than IEC 61508 was used to develop the detailed gap assessment methodology, simply because its terminology was more readily understood and relevant to the case study organization, which operates predominantly in the process sector. The gap assessment methodology was aligned to those phases of IEC 61511 and mapped across to the core set of pre-requisites of the organization (see Section 3.2 – Defining the boundaries), namely:

• Phase 4 SIS Design & Engineering
• Phase 9 Verification
• Phase 10 Management of functional safety and functional safety assessment and auditing
• Phase 11 Safety life-cycle structure and planning

A gap assessment module was developed specifically for each of the above phases.

For each gap assessment module, and for completeness, all relevant clauses of both standards were reviewed and a series of gap assessment tables developed to include:

• Targets of Evaluation (TOE), i.e. evidence expected
• Summary of the clause
• Sub clause reference identifier
• Supplementary assessor guidance (Assessor prompt list)
• Assessor findings

An example is provided in Table 2 below.

As a result of performing the gap assessment, common areas for improvement were identified, which in turn helped to prioritize the later development of the functional safety management system.

Table 2 Example Gap Assessment

Target of Evaluation: Competence assessment process

Purpose of TOE: To define procedures for ensuring that applicable parties involved in any of the overall, E/E/PES or software safety lifecycle activities are competent to carry out the activities for which they are accountable; in particular, the following should be specified: the training of staff in diagnosing and repairing faults and in system testing, the training of operations staff, the retraining of staff at periodic intervals.

IEC 61508 Clauses/tables: 1/6.2.1 h); Figs 2, 3, 4 and 1/Table 1 as framework.

Assessment prompt list:
• There is evidence that the functional safety tasks to be done have been assigned – the competency required for the task and a gap analysis between the competencies of the individual allocated to the task have been undertaken.
• There is evidence of a logical process that documents who is responsible for deciding why an individual has been allocated to the task.
• This element will be explored in greater detail within the overall competency assessment TOEs (Annexe C).

IEC 61511 Clauses/purpose: 5.2.2.2 – Persons, departments or organisations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable.
• What evidence is available demonstrating this
• Does it take into account specific technology, safety engineering, regulations, management and leadership skills, consequences, SIL, complexity, novelty
• Knowledge – how do you show this
• Training – generally records in place (part of ISO 9001)
• Experience – traditionally poorly recorded
• How are these assessed / recorded / updated
• How are the competency needs identified
• How is the ‘gap’ between needs and skills assessed / bridged


7.0 SELECTING THE CERTIFICATION BODY

The organization chose to achieve accredited third-party certification as its ultimate goal. Accredited certification provides transparency, credibility, international recognition, objectivity and independent scrutiny.

A short list of accredited certification bodies was drawn up by the Company Safety Authority (CSA) and invited to participate in a pre-qualification exercise to provide information to demonstrate their capability and competency.

The information requested included:

• Appropriate evidence of operation as an accredited certification body, including
  - national accreditation bodies to which accredited
  - scope and date of accreditation
  - details of applicable standards and certificates relevant to the accreditation

• Pedigree, including a description of the experience, capability and competence of the certification body and its auditors to perform these specific third-party assessments (functional safety management as opposed to product assessment)

• Global presence of the certification body, including countries in which they operate

• Whether dependent on agencies in specific countries and, if so, their details

• Reciprocal arrangements, including:
  - Memoranda of Understanding (MOU)
  - Mutual Recognition Arrangements (MRA)

• CVs of assessors

• List of organizations, including those that have been assessed, their scope of assessment and contact details within the organization

• Description of:
  - the assessment methodology
  - the assessment process
  - guidance notes for the assessed organization

• Typical work program (including labor costs) for a third-party functional safety assessment, including man-days effort

• Any current limitations envisaged in undertaking the third-party assessment program

• Company accounts for the last accounting period

• Organizational structure

It was then necessary to establish an impartial and independent panel representing the organization to review the responses, resulting in the selection of a global third-party accredited certification organization. In the case study this panel was the Company Safety Authority (CSA).


8.0 DEVELOPING THE SAFETY LIFECYCLE MODEL AND FUNCTIONAL SAFETY MANAGEMENT SYSTEM

This was the most significant activity undertaken. It followed the gap assessment and entailed defining a comprehensive safety lifecycle model mapping the relevant phases of IEC 61508 [1] and IEC 61511 [2] in respect of the core set of pre-requisites described in section 4 – 'Defining the boundaries'. This safety lifecycle model was supported by procedures, framework documents (basic default information for a safety project, to be customized to meet any specific project variations) and skeletons (a template consisting of all necessary headers to be completed).

The development of this safety lifecycle model had in addition to make full use of the existing quality management processes and procedures. Figure 2 below details the model.

An explanation of the deliverables specified in the model is provided below in sections 8.1 to 8.5.

Figure 2: The Safety Lifecycle Model (see Appendix, page 32 for full version)

8.1 Design Documentation

8.1.1 Functional Design Specification
The Functional Design Specification (FDS) is the key design document produced by the integrator. It is also the key, controlling document for the system design and contains all the rationale as to why the design has taken the specified approach. It takes the client's Safety Requirement Specification (SRS) as input data and develops it through the FDS, detailing the platform to be used, system layout (often in the form of a system block diagram), interfaces, and functional and operational design considerations. The FDS, once approved, confirms the basis of design and the traceability of the ensuing design to the client's requirements. It also sets up the rollout of the Hardware Design and Software Design Specifications. The FDS provides the key acceptance criteria for the system Factory Acceptance Testing (FAT), and is used by the integrator to measure the success of the project from the results of FAT.

8.1.2 Module Design Specification
This is the lowest level of detailed design document produced on the project. The primary function of the Module Design Specification is to show clear design intent, to communicate that design in a clear fashion, and to allow for approval before its implementation. The Module Design Specification defines in detail the inputs, outputs and functionality for the operation of a particular software module in pseudo code or structured English. It will also define all variables used (global or local), other modules called, the result and error conditions, parameters passed and interfaces/relationships with other modules or systems.

The second function of the document is to enable any trained programmer to code to the programming language and standards defined in the document and in accordance with the relevant project programming standards. The approach to the Module Design Specification is of particular importance where there is more than one programmer on the project team producing modules that affect the overall functionality of the system.

Examples of modules are as follows:
• Generic analog input module
• Generic digital output module
• Cause and effect mimic
• Firewater pump logic
• Evacuation criteria

8.1.3 Boundary Diagram
The purpose of the Boundary Diagram is to graphically identify which components form part of the Sensor, Logic Solver and Final Element, and it is of use as a reference point for the SIL verification report.

Boundary Diagrams are an optional requirement and only need be produced if they are a requirement / necessity of the project.

8.2 Verification documentation

8.2.1 Test Plan
The Test Plan defines the verification process for the System. This includes an outline of the tests and test criteria, test environment and test phase prerequisites necessary to verify and validate the system against the appropriate reference documents and standards.

Refer to the Review and Configuration Management Procedure in respect of the verification activities, which encompass documentation and code reviews.

8.2.2 Module Test Specification
Once a software module has been coded and reviewed, it is subjected to formal testing defined by the Module Test Specification. As many module test specifications can be produced as necessary.

The functionality of each module will be verified by the use of this document and the approved Module Design Specification specific to the module under test.


8.2.3 Integrated Test Specification
The Integrated Test Specification is used to demonstrate that each application software module produced integrates correctly with other software modules and interfaces correctly with the system target hardware and system firmware, all being an integral part of the deliverable system. Testing will include both functional safety and non-safety aspects of the system, to verify that the system performs its intended functions and does not perform unintended functions.

8.2.4 Factory Acceptance Test Specification
The Factory Acceptance Test Specification is used to demonstrate to the client that each application software module produced integrates correctly with other software modules, and interfaces correctly with the system target hardware and system firmware, all being an integral part of the deliverable system. Testing will include both functional safety and non-safety aspects of the system, to verify that the system performs its intended functions and does not perform unintended functions.

8.2.5 Site Acceptance Test Specification
The Site Acceptance Test Specification is used to demonstrate to the client that the entire system, including all networks, functions correctly after re-assembly and installation on site. In addition the SAT verifies that the software loaded is that which was demonstrated at the FAT stage; this is achieved by functionally testing specific elements of the control system previously verified at the FAT.

8.2.6 SIL Achievement Report
The purpose of the SIL Achievement Report is to demonstrate that the system meets the systematic and hardware fault tolerances required by the SIL specified in the Safety Requirements Specification. The SIL Achievement Report provides the quantitative evidence in the form of PFD and architectural constraints (a combination of Hardware Fault Tolerance (HFT) and Safe Failure Fraction (SFF)).

8.2.7 Module Failure Modes Analysis
The purpose of the Module Failure Modes Analysis is to provide a report of the hardware failure modes analysis performed on the System.

This analysis attempts to discover and analyze all potential failure modes of the hardware sub-system, the effects these failures have on the system, and what measures have been engineered to correct and/or mitigate the failures or their effects on the system.

The analysis supports the Reliability and Availability calculations in the SIL Verification Report, in providing evidence that the ESD system conforms to the availability requirement of the SIL, as identified in the Safety Requirement Specification.

Note that the Failure Modes Analysis is an optional requirement and should only be produced if it is a requirement/necessity of the project.

8.3 Safety Lifecycle Structure and Planning Documentation

8.3.1 Safety Lifecycle Management Plan
The purpose of this document is to demonstrate how the integrator intends to manage the realization sections of the safety lifecycle of the project, and to define how the user manages the subsequent operational and maintenance parts. This is in order to show its alignment with the recommendations laid out in IEC 61508 and IEC 61511.

Compliance with this safety lifecycle management plan, and thus conformance with the recommendations of IEC 61508 and IEC 61511, is demonstrated by means of assessment (Functional Safety Audits) and verification (Module, Integrated and Factory Acceptance Testing) of the outputs from each phase of the safety lifecycle model.
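The SIL Achievement Report described in 8.2.6 rests on two pieces of arithmetic that the text names but does not show: the Safe Failure Fraction checked against the HFT/SFF architectural-constraint tables, and the average PFD checked against the SIL bands. The Python below is an added example written for this edition, not code from the handbook or from the integrator's toolset. It assumes constant per-hour failure rates, the SFF/HFT tables of IEC 61508-2 (2000 edition) Tables 2 and 3, the low-demand PFDavg bands of IEC 61508-1 Table 2, and the commonly used simplified PFDavg approximations for 1oo1 and 1oo2 with a beta-factor common-cause term (repair time neglected). Every failure rate in it is constructed for illustration.

```python
"""SIL verification arithmetic for a logic-solver subsystem.

Added example. Assumptions (not from the handbook): constant failure rates in
failures per hour; SFF and the HFT/SFF architectural-constraint tables as in
IEC 61508-2 (2000 edition) Tables 2 and 3; low-demand PFDavg bands from
IEC 61508-1 Table 2; PFDavg from the usual simplified 1oo1 and 1oo2
approximations with a beta-factor common-cause term and repair time neglected.
Every rate used below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FailureRates:
    """Safe/dangerous x detected/undetected failure rates, per hour."""
    lam_sd: float  # safe, detected by diagnostics
    lam_su: float  # safe, undetected
    lam_dd: float  # dangerous, detected (revealed by diagnostics)
    lam_du: float  # dangerous, undetected (only found by proof test)

    @property
    def total(self) -> float:
        return self.lam_sd + self.lam_su + self.lam_dd + self.lam_du


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (safe + dangerous-detected) / (all failures)."""
    return (r.lam_sd + r.lam_su + r.lam_dd) / r.total


# Highest SIL claimable for HFT 0, 1, 2 in each SFF band
# (< 60 %, 60-90 %, 90-99 %, >= 99 %). None = architecture not allowed.
_TYPE_A = [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)]      # simple subsystems
_TYPE_B = [(None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)]   # complex, e.g. programmable


def architectural_sil(sff: float, hft: int, type_a: bool) -> Optional[int]:
    """Architectural constraint: max SIL the HFT/SFF combination supports."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return (_TYPE_A if type_a else _TYPE_B)[band][hft]


def pfd_avg_1oo1(r: FailureRates, ti_hours: float) -> float:
    """Single channel, proof-tested every TI hours: lambda_DU * TI / 2."""
    return r.lam_du * ti_hours / 2.0


def pfd_avg_1oo2(r: FailureRates, ti_hours: float, beta: float) -> float:
    """Two identical channels: independent term plus beta-factor common-cause term."""
    x = r.lam_du * ti_hours
    return x * x / 3.0 + beta * x / 2.0


def sil_from_pfd(pfd: float) -> int:
    """Low-demand-mode SIL band for a PFDavg; 0 means below SIL 1."""
    for sil, lo, hi in ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)):
        if lo <= pfd < hi:
            return sil
    return 0


def sil_achieved(r: FailureRates, hft: int, type_a: bool,
                 ti_hours: float, beta: float = 0.0) -> dict:
    """Combine both constraints; the claimable SIL is the lower of the two.

    hft=0 is modelled as 1oo1, hft=1 as 1oo2 (two identical channels).
    """
    if hft not in (0, 1):
        raise ValueError("only 1oo1 (HFT 0) and 1oo2 (HFT 1) are modelled here")
    sff = safe_failure_fraction(r)
    arch = architectural_sil(sff, hft, type_a)
    pfd = pfd_avg_1oo1(r, ti_hours) if hft == 0 else pfd_avg_1oo2(r, ti_hours, beta)
    pfd_sil = sil_from_pfd(pfd)
    return {"sff": sff, "arch_sil": arch, "pfd": pfd, "pfd_sil": pfd_sil,
            "sil": 0 if arch is None else min(arch, pfd_sil)}


# Constructed rates (per hour) for a Type B logic-solver channel.
EXAMPLE = FailureRates(lam_sd=0.0, lam_su=2e-6, lam_dd=3e-6, lam_du=5e-7)

if __name__ == "__main__":
    for hft, arch in ((0, "1oo1"), (1, "1oo2")):
        res = sil_achieved(EXAMPLE, hft, type_a=False, ti_hours=8760, beta=0.05)
        print(f"{arch}: SFF {res['sff']:.1%}, architecture allows SIL {res['arch_sil']}, "
              f"PFDavg {res['pfd']:.2e} (SIL {res['pfd_sil']}) -> achieved SIL {res['sil']}")
```

With the constructed rates (SFF about 90.9 %, annual proof test), the single channel is held to SIL 2 by both constraints, while the 1oo2 pair reaches SIL 3 on both. The point for the report is that the two forms of evidence are independent: a low PFDavg cannot rescue an architecture the HFT/SFF table does not permit (a Type B channel with SFF below 60 % and no redundancy is not allowed at any SIL), and a permitted architecture still fails if the proof-test interval lets PFDavg drift out of band.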

8.3.2 Software Configuration Production Log
The purpose of the software configuration production log is to modularize and categorize the software elements, for example generic loop types, graphics and logic. The production log is then used to track the progress of each module as it goes through the design, build and subsequent stages, according to the safety lifecycle model.

8.3.3 Techniques and Measures Specification
The purpose of this document is to define the techniques and measures, and where applicable supporting tools, necessary to align with the requirements of IEC 61508 Part 2 (Annexes A and B) and Part 3 (Annexes A and B) for each phase of the E/E/PE and Software Safety Lifecycles. In order to demonstrate compliance with the requirements of IEC 61508 it was necessary for the organization to specify those techniques and measures used in order to avoid and control systematic faults, see IEC 61508 Part 2, clause 7.4.2.2.

Table 3 Recommendations to avoid faults and failures during E/E/PES integration

Columns: Technique/measure | See IEC 61508-7 | SIL1 | SIL2 | SIL3 | SIL4 | SIS | Techniques and Methods
(Under each SIL the entry gives the recommendation, with the required effectiveness in brackets.)

Functional testing | B.5.1 | HR (mandatory) | HR (mandatory) | HR (mandatory) | HR (mandatory) | Y | In-house 'Process Navigator'; Safety Lifecycle Management Plan; Test Plan; Module Test Specification; Integrated Test Specification; Factory Acceptance Test Specification
Project management | B.1.1 | HR (Low) | HR (Low) | HR (Medium) | HR (High) | Y | ISO 9001; 'Process Navigator'; Safety Lifecycle Management Plan
Documentation | B.1.2 | HR (Low) | HR (Low) | HR (Medium) | HR (High) | Y | 'Process Navigator'; Safety Lifecycle Management Plan
Black box testing | B.5.2 | R (Low) | R (Low) | R (Medium) | R (High) | Y | Validation and Test Plan
Field experience | B.5.4 | R (Low) | R (Low) | R (Medium) | R (High) | N |
Statistical testing | B.5.3 | - (Low) | - (Low) | R (Medium) | R (High) | N |

All techniques marked "R" in the grey shaded group are replaceable, but at least one of these is required.
For the verification of this safety lifecycle phase, at least one of the techniques or measures shaded grey in this table or listed in table B.5 shall be used.
NOTE 1 For the meaning of the entries under each safety integrity level, see the text preceding this table.
NOTE 2 The measures in this table can be used to varying effectiveness according to table B.6, which gives examples for low and high effectiveness. The effort required for medium effectiveness lies somewhere between that specified for low and for high effectiveness.
NOTE 3 The overview of techniques and measures associated with this table is in annex B of IEC 61508-7. Relevant sub-clauses are referenced in the second column.


In the case study, this was an extensive exercise. The tables of Techniques and Measures within IEC 61508 cover the complete E/E/PES and Software Safety Lifecycles. The first step was to identify only those tables associated with the integrator's core set of pre-requisites (see section 3.2 above) related to IEC 61508 Phase 9 and IEC 61511 Phase 4. Having identified the sub-set of tables, the decision was made to benchmark the assessment of the organization against the requirements for SIL 3. The aim of the certification would be to provide the third-party evidence that the integrator had demonstrated, for the logic solvers within the scope of the certification, a functional safety capability of SIL 3. In respect of the techniques and measures used, the Highly Recommended 'HR' option was selected and the tables were then populated with:
• cross references to organization procedures
• certificates of compliance
• use of certified logic solvers

Examples are shown in Tables 3 and 4.

A 'Y' in the SIS column within the table against a specific technique identifies the technique as being selected for the project.

Table 4 – Software design and development: support tools and programming language

Columns: No. | Technique/measure | See IEC 61508-7 | SIL1 | SIL2 | SIL3 | SIL4 | SIS | Techniques and Methods

1 | Suitable programming language | C.4.6 | HR | HR | HR | HR | Y | Certified Control Language, with a subset of function blocks certified for use, constrained by the certified logic solver. Certified Control Language
2 | Strongly typed programming language | C.4.1 | HR | HR | HR | HR | Y | Certified function blocks are utilized, constrained by the certified logic solver. Certified Control Language
3 | Language subset | C.4.2 | - | - | HR | HR | Y | Certified Control Language is a component of the certified logic solver. Safe subset dictated by the safety manual and certified logic solver
4a | Certified tools | C.4.3 | R | HR | HR | HR | Y | Certified Control Language, with a subset of function blocks certified for use. Safe subset dictated by the safety manual and certified logic solver. Certified Control Language
4b | Tools: increased confidence from use | C.4.4 | HR | HR | HR | HR | Y |
5a | Certified translator | C.4.3 | R | HR | HR | HR | N | Not used for LVL
5b | Translator: increased confidence from use | C.4.4 | HR | HR | HR | HR | Y | Certified Control Language has >5 years proven in use
6 | Library of trusted/verified software modules and components | C.4.5 | R | HR | HR | HR | Y | Only certified function blocks, or modules constructed from these blocks, are utilized in this application. Refer to the Safety Manual

* Appropriate techniques/measures shall be selected according to the safety integrity level. Alternate or equivalent techniques/measures are indicated by a letter following the number. Only one of the alternate or equivalent techniques/measures has to be satisfied.

8.3.4 Operator Manual
The Operator Manual is developed from the FDS and the Module Design Specifications and is written to ensure that plant personnel are provided with all relevant information on the operation of the System.

8.3.5 Maintenance Manual
The Maintenance Manual is developed from the FDS and the Module Test Specification and is written to ensure that plant personnel are provided with all relevant information on the maintenance of the System.

The Maintenance Manual makes reference to, and use of, the standard integrator Document Reference Set. This is a collated set of individual, standard instruction booklets (IBs) for the company's generic Safety system (in the case study, 800xA HI), which includes the safety manual, covering both hardware and software.

The Maintenance Manual indicates, where applicable, the verification tests that the user must undertake to proof test the Logic Solver. This includes, but is not limited to, the action to be taken when abnormal conditions are indicated by the system (either via an LED on the module, or a software diagnostic).

The Maintenance Manual provides information to the end user to enable them to ensure that functional safety performance is maintained.

8.4 Management of Functional Safety Documentation

8.4.1 Query/Change Procedure
The Query/Change Procedure provides guidance in the use of project queries, and defines the impact assessment form to be used to assess each change or variation to the Safety Instrumented System.

8.4.2 Review and Configuration Management Procedure
The Review and Configuration Management Procedure ensures that, through review and assessment, application software code and supporting documentation are produced to be consistent, maintainable, of acceptable quality, satisfying user requirements, and safe.

8.4.3 Project Competency Assessment Procedure
The purpose of the Project Competency Assessment Procedure is to provide a formal means of assessing personnel involved in any Safety Lifecycle Electric / Electronic / Programmable Electronic Systems (E/E/PES) and software activities, to ensure that they possess the necessary experience, knowledge, training and qualifications to carry out the activities for which they are accountable and, where necessary, to identify any additional training requirements.

8.4.4 Functional Safety Audit Procedure
The purpose of the Functional Safety Audit Procedure is to provide additional guidance to the project auditors in order to verify correct implementation.

8.4.5 Functional Safety Assessment (FSA)
Functional Safety Assessments are undertaken in accordance with the requirements of IEC 61508 Part 1 Clause 8.

In the case study, the CSA acted as the 'Independent Department' in performing functional safety assessments of the integrator's safety-related projects in accordance with the requirements of IEC 61508 Part 1, Table 5 for Safety Integrity Level (SIL) 3. An assessor drawn from the CSA plans, schedules and executes these functional safety assessments in accordance with a CSA procedure ('Functional Safety Assessment Process').

Acting as an Independent Department for undertaking FSAs enables the CSA to perform a similar role for other business units within the organization planning for future accredited certification.


The FSA should provide, amongst other things, confidence that the following have been achieved:
• The safety instrumented system logic solver is designed, constructed, verified and tested in accordance with the safety functional design specification; any differences have been identified and resolved
• The safety instrumented system logic solver validation planning is appropriate and the validation activities have been completed
• Project design change procedures are in place and have been properly applied
• SIL capability achieves the SIL target requirements
• Regulations, mandatory standards and any stated codes of practice have been met
• Where development and production tools are used they shall be included in the FSA
• Adequate and complete documentation is provided

At least one Functional Safety Assessment (FSA) is performed during the project's safety lifecycle. The FSA is split into three phases:
• Preliminary FSA – trigger point completion of Safety Lifecycle Management Plan
• Design FSA – trigger point completion of Functional Design Specification
• Final FSA – trigger point completion of Factory Acceptance Test

Additional FSAs may be required depending on criteria such as:
• Duration of project
• Number of safety systems implemented within the project
• Safety regulatory requirements
• Degree of complexity

Each phase of the FSA is supported by checklists drawn directly from IEC 61508 and designed to assist the assessment team in ensuring that the FSA is conducted in accordance with the requirements of the standard.

Table 5 (see page 22) provides an example of a checklist to be used during the final FSA. The white cells are the clauses from the standard setting out the objectives to be achieved, whereby compliance will be measured and findings recorded. The blue cells are the clauses from the standard setting out the requirements to meet the objectives.

Table 5 Example of a Final FSA checklist

Columns: Item | Clause | Objectives & Requirements | Recommendation: Accept (A); Reject (R); Qualified Acceptance (QA); Not Applicable (NA)

Item 1 – IEC 61508-1 Clause 5, Documentation
5.1 Objectives
5.1.1 The first objective of the requirements of this clause is to specify the necessary information to be documented in order that all phases of the overall, E/E/PES and software safety lifecycles can be effectively performed.
5.1.2 The second objective of the requirements of this clause is to specify the necessary information to be documented in order that the management of functional safety (see clause 6), verification (see 7.18) and the functional safety assessment (see clause 8) activities can be effectively performed.

Assessor Note: In respect of the Preliminary FSA this will seek evidence that the key deliverables are identified within the SLMP and the SLMP has itself undergone formal review and approval. During the Design and Final FSA the results of the functional safety audits will be reviewed.

Item 1.1 – IEC 61508-1 Clause 5.2, Requirements
5.2.1 The documentation shall contain sufficient information, for each phase of the overall, E/E/PES and software safety lifecycles completed, necessary for effective performance of subsequent phases and verification activities.
5.2.2 The documentation shall contain sufficient information required for the management of functional safety (clause 6).
5.2.3 The documentation shall contain sufficient information required for the implementation of a functional safety assessment, together with the information and results derived from any functional safety assessment.
5.2.4 Unless justified in the functional safety planning or specified in the application sector standard, the information to be documented shall be as stated in the various clauses of this standard.
5.2.5 The availability of documentation shall be sufficient for the duties to be performed in respect of the clauses of this standard.
5.2.6 The documentation shall be
– accurate and concise;
– be easy to understand by those persons having to make use of it;
– suit the purpose for which it is intended;
– be accessible and maintainable.
5.2.7 The documentation or set of information shall have titles or names indicating the scope of the contents, and some form of index arrangement so as to allow ready access to the information required in this standard.
5.2.8 The documentation structure may take account of company procedures and the working practices of specific application sectors.
5.2.9 The documents or set of information shall have a revision index (version numbers) to make it possible to identify different versions of the document.
5.2.10 The documents or set of information shall be so structured as to make it possible to search for relevant information. It shall be possible to identify the latest revision (version) of a document or set of information.
5.2.11 All relevant documents shall be revised, amended, reviewed, approved and be under the control of an appropriate document control scheme.


8.5 Safety Project Activity Plans
The project safety lifecycle model, as defined above, is further supported by a detailed Activity Plan, which specifies for each stage of the project its inputs, outputs and review responsibilities. The intention is that each integrator will populate the business process model reference and activity references with local procedures. An extract of the Activity Plan is provided in Table 6 below.

Although Activity Plan activities are in their respective logic sequence, this does not constitute the actual order in which activities may be completed. Therefore reference should be made to each specific safety project schedule.

Table 6 Safety Project Activity Plan

Columns: Activity Number | Business Process Model reference | Activity | Activity related procedure or document | Acceptance criteria | Prime responsibility for activity | Activity deliverable | Inspection schedule (ABB / Client / VB)

Activity 1.12
Activity: Preparation, submission, review and up-date of Competency Assessment Procedure
Related procedure or document: Safety Lifecycle Management Plan; Review and Configuration Management Procedure
Acceptance criteria: Conformity to ABB quality system requirements
Prime responsibility: SIS Lead Engineer; Project Manager; Independent Verification Body
Deliverable: Client Approved Project Competency Assessment Procedure
Inspection schedule: ABB H / Client A / VB R

Activity 1.13
Activity: Assessment of Safety Team Members
Related procedure or document: Project Competency Assessment Procedure
Acceptance criteria: Conformity to Safety Lifecycle Management Plan
Prime responsibility: Project Manager; Independent Verification Body
Deliverable: Completed Safety Team Member Assessment Forms
Inspection schedule: ABB H / Client R / VB R

Activity 1.14
Activity: Preparation, submission, review and up-date of Query/Change Procedure
Related procedure or document: Safety Lifecycle Management Plan; Review and Configuration Management Procedure
Acceptance criteria: Conformity to ABB quality system requirements
Prime responsibility: SIS Lead Engineer; Project Manager; Independent Verification Body
Deliverable: Client Approved Query/Change Procedure
Inspection schedule: ABB A / Client A / VB R

Activity 1.15
Activity: Preparation, submission, review and up-date of Review and Configuration Management Procedure
Related procedure or document: Safety Lifecycle Management Plan; Review and Configuration Management Procedure
Acceptance criteria: Conformity to ABB quality system requirements
Prime responsibility: SIS Lead Engineer; Project Manager; Independent Verification Body
Deliverable: Client Approved Review and Configuration Management Procedure
Inspection schedule: ABB A / Client A / VB R

Further clarification of some of the cells is provided on the following page.

Verification Body (VB)
Verification is only applicable to those activities within the Quality Plan that relate to the design, hardware build, software configuration, functional test and validation of safety-related systems, that is Phase 9, Realization, of the safety lifecycle in IEC 61508 and Phase 4, SIS design and engineering, in IEC 61511.

The field marked 'VB' is used to indicate (and demonstrate to the client or Verification Body (VB)) that each applicable activity has been formally assessed and verified in terms of meeting the required Safety Integrity Level (SIL) for the particular item of safety-related equipment to which the activity relates.

The Verification Body will be a person that has the required competency, skills and independence from the project to undertake the assessment of the particular activity. In line with the recommendations of IEC 61511, independence is defined as follows:

Independent Person – a competent person who is separate and distinct from the activities which take place during the specific phase of the safety lifecycle and does not have direct responsibility for those activities.

Inspection Schedule Codes
The inspection / documentation schedule codes listed in the Activity Plan are defined as follows:

H: Hold Point
This is an inspection or test that is considered vital to the quality and integrity of the equipment and services being supplied.

A hold point cannot be passed unless the specified acceptance criteria have been met (unless a concession is raised and approved). Where a hold point is also specified by the client, the point cannot be passed without written authorization from the client.

W: Witness Point
This is an inspection or test that may be as important as a hold point (and must be notified to the client), but which can be responsibly carried out after the point has been passed.

Witness points may be attended by the client, but authorization from the client is not required to allow work to proceed beyond that point (following expiry of the seven days notice).

M: Monitor Point
This is a point in the programme of work where a check may be made to verify that a specified action has taken place, and that the correct documentation records exist. Such checks can be made retrospectively.

A: Approval Point (documentation and/or records)
Approval points are those which require documentation and/or records to be reviewed and approved by the integrator and the client, and beyond which work cannot proceed until the appropriate approval is given.

R: Review Point
Review points are where design reviews and/or walkthroughs are to be performed for the specified activity or activities that require verification.

Review points may be attended by the client, but authorization from the client is not required to allow work to proceed beyond that point (following expiry of the seven days notice).

Full adherence to the safety lifecycle model required the development of a set of supporting procedures, framework documents and skeletons, defined below. Tables 7, 8, 9 and 10 provide titles for all of these additional documents, including those specific to the integrator's QMS.


Table 7 QMS Document list
• New Supplier Assessment
• Contract Review and Order Processing
• Internal Kick-off Meeting Preparation
• Quality Plan/Safety Plan
• Query Management Process
• Configuration Management
• Competency and Training Work Practice
• Complete Functional Description
• Software Production
• Complete Test Specification
• Module Test
• Integrated Test
• Factory Acceptance Test
• Management System Audits
• Bid and Proposal Guideline
• Safety Requirements Checklist
• Product Alert Handling
• Management System Review

Table 8 Supplementary FSMS Document list
• Functional Safety Management System Overview
• Functional Safety Policy (UK-SEC)
• Project Competency Assessment
• Project Competency Assessment Form
• Review and Configuration Management Document Review Form
• Code Review Form
• Project Query Handling Supplementary Instruction & Guideline
• Query Change Impact Analysis Form
• Functional Safety Audit & Assessment Procedure
• Safety Lifecycle Management Plan
• Software Production Log
• Techniques and Tools
• Verification and Test Plan
• SIL Verification Report

Table 9 Supplementary FSMS specific Skeletons Document list
• Functional Design Specification
• Software Design Specification
• Module Test Specification
• Integrated Test Specification
• Factory Acceptance Test Specification
• Site Acceptance Test Specification
• Operator Manual
• Maintenance Manual
• FMEA
• Boundary Diagrams

Table 10 FSMS Framework Documents
• Safety Lifecycle Management Plan
• Software Production Log
• Techniques and Tools
• Verification and Test Plan
• SIL Verification Report

25
Functional safety handbook - v10 11/6/08 3:29 pm Page 26

9.0 EXECUTING THE CERTIFICATION PROCESS

A generic certification process model is necessary for the integrators to identify roles and responsibilities of all parties. It is also used as the basis for the CSA Assessor to provide support and consultancy to each integrator in order to assist them to achieve certification. The model shown below was used during the case study.

[Figure 3: The Certification Process (flowchart; see Appendix, page 31 for larger version). The image is not reproduced in this extraction. Recoverable box titles: Strategic Competency Principle ‘A’; Perform Gap Assessment / Gap Assessment Report; Produce Implementation Program; Appoint Project Manager Champion; CSA Recommended Lifecycle Model; Develop Local Standards Model Template and Procedures; Training in Functional Safety Management & Recommended Lifecycle Procedures; Advise on Functional Safety Management System Development & Deviations; CSA Recommended Functional Safety Procedures; Agree Program and Place Contract; Certification Body Assessment Awareness & Checklist Completion; Strategic Competency Principle ‘B’; Training in SIL Achievement & Functional Safety Assessment; Issue Completed Checklists to Certification Body; Certification Body Gap Assessment and Review at FSMS; Identify Pilot Project; Perform Functional Safety Assessment; Pilot Project Implementation; Certification Body Pre-Audit; Pre-Certification Body Audit; Certification Body Audit; Certification Body Audit Report; Corrective Action Program; Certification. Key: CSA Activity, Local Organisation Activity, Certification Body Activity, UK CSA Call-off Activity. Each step is tagged REMOTE and/or SITE, and the CSA steps are numbered 1 to 8.]

9.1 Training in Functional Safety Management and Recommended Lifecycle Procedures
The purpose of this training module is to present the recommended safety lifecycle model, FSMS procedures and specific examples to the integrator such that they have a clear understanding of the intent and purpose of the FSMS and its implementation within their organization. This allows the integrator to develop their local procedures based on a working model. It will also cover the certification process and alignment to IEC 61508 and IEC 61511. (See section 10 below for a description of the training modules.)

At the conclusion of the training module, the integrator is presented with a copy of the training material, the recommended safety lifecycle model, and the suite of generic procedures. (See section 3.8.)

9.2 Advise on development / deviations for integrators’ use of procedures
The CSA provides advice to the integrator on the implementation of the FSMS and the development of their own FSMS procedures, and answers technical queries on procedures, templates and other documents.

The integrator then has the option of making alterations to the generic suite of FSMS procedures to align with existing requirements and local business systems. The CSA will provide advice on the impact of these deviations on the FSMS and the recommended certification process.

9.3 Liaison with the Certifying Authority
The CSA directly liaises with the certification body to agree a formal program of work and place a contract on behalf of the organization for the agreed scope of work. The scope and program are confirmed and agreed with the organization prior to order placement.

9.4 Certification Body Assessment Awareness and Checklist Completion
The purpose of this training module is to provide the organization with an overview of the certification body’s own detailed certification process.

Following on from the training module, the CSA and the integrator prepare the certification body’s compliance checklists (including any deviations), which are required as part of the certification process.

Once completed, the CSA will issue the checklists to the certification body Lead Assessor for review. At the same time, the organization will issue its FSMS procedures to the certification body. In parallel, the integrator identifies a pilot project or projects to demonstrate that the safety lifecycle and FSMS are being implemented in their entirety. The pilot project(s) will be audited by the certification body.

9.5 Training in SIL Achievement and Functional Safety Assessment
The purpose of this training module is to provide the integrator with a detailed understanding of the methodology adopted in order to prepare a SIL Achievement Report for a safety project. This will include several worked examples, and prepare the safety engineers for the pilot project implementation.

The training module will also address the scope and purpose of Functional Safety Assessments and Audits, and commence development of a plan of the assessment activity for the pilot project (see section 10, page 28).

9.6 Perform Functional Safety Assessment
As part of the CSA’s responsibilities, a functional safety assessment is performed on the pilot project.

9.7 Pre-Certification Body Audit
In order to ensure the success of the certification site audit, the CSA will perform a pre-audit to identify any potential risks or omissions from the FSMS and/or the pilot project. This gives the integrator the opportunity to correct these deficiencies before the official certification audit, hence ensuring that the certification audit results in a successful outcome.


10.0 TRAINING COURSES

Technical training was an essential part of the implementation program and the competency management system for the organization. Training is one of the four attributes of competence (see Section 5). Two technical training courses were developed by the CSA suitable for delivery to business units working to the core set of the pre-requisites earlier defined (see Section 4).

In the case study, these technical training courses were delivered to the organization with a period of six weeks separating them. The contents of these courses are set out below:

10.1 Functional Safety Management & recommended lifecycle procedures
A two day course consisting of the following topics:
• The certification process
• Overview of IEC 61508 and IEC 61511
• Functional Safety Management and links to QMS
• Safety lifecycle planning and management – the safety lifecycle model, inputs, outputs, deliverables
• Requirements and design
• Overview of SIL Achievement
• Verification & Validation
• Functional safety audit and functional safety assessment
• Course exercises

10.2 SIL achievement & Functional Safety Assessment
A 1.5 day course consisting of the following topics:
• Safety function and safety integrity requirements
• Design essentials of IEC 61508, hardware safety integrity and systematic safety integrity
• SIL compliance to IEC 61508
• SIL achievement procedure, worked example and exercise
• Functional safety assessments in the context of SIL achievement


11.0 ESTABLISHING SUPPORTING ACTIVITIES

Prior to and during the case study, there was already in place a large internal company network of safety practitioners with different safety objectives and operational safety standards.

Other internal businesses had developed future plans for certification.

Consequently it was essential to establish, at an early stage in the process, a common repository for information exchange. This was achieved in the form of a Safety Database containing the following information:

• Third-party certificates of safety products
• Lists of certified functional safety engineers and functional safety technology engineers
• Improvement themes
• Technical papers and articles
• Latest FSMS procedures
• External functional safety standards
• Sales and technical product material
• Case study progress and program updates

12.0 MANAGING CHANNEL PARTNERS AND THIRD-PARTY INTEGRATORS

The same rigorous approach to functional
safety had to apply to any third-party integrators
being used by any of the company’s integrators.
This ensured the safety and quality of the third-
party integrator. A program of work was
required to perform a gap assessment on third-
party integrators and to subsequently work with
them to ensure that they developed a compliant
functional safety management system,
preferably in line with that of the main system
vendor. This process has been seen to benefit
the third-parties in that they can also achieve
certification and capitalize on the achievement
in the safety market place.


13.0 FINAL COMMENTS AND CONCLUSIONS

The international safety market is undergoing many changes driven by technology, standards, legislation and incidents. Those organizations working in this demanding and highly competitive arena seek to differentiate themselves, secure market advantage and demonstrate competence and due diligence. Many organizations see accredited certification of the organization as a positive step forward.

Accredited certification for an organization is a significant undertaking. It requires management commitment at the highest level in addition to a comprehensive work program involving not only that part of the organization selected for certification, but other groups within the organization itself.

The case study described above provides details relating to implementation of an organization’s generic processes, methodologies and procedures, and then how these were applied to a specific safety integration group within the organization. It outlines a step-wise approach covering:

• Strategy
• Benchmarking and gap assessment
• Developing the functional safety management system
• Selecting the certification body
• Implementing the functional safety management system
• Rolling out the certification process

Successful implementation of a certification program provided advantages to the organization, not least:
• Limiting the company’s exposure to potential liabilities
• Demonstrating due diligence
• Implementing repeatable and cost effective safety management systems (procedures, techniques, tools etc)
• Reducing unnecessary and costly pre-contract discussions and evidence gathering – actually benefiting both the organization and its clients
• Winning work cost effectively
• Limiting effort (and cost) in developing so-called bespoke project safety procedures
• Gaining competitive advantage and as a result securing more business

The author hopes that the information provided in this chapter will benefit other organizations and individuals with an interest in functional safety management and certification.


APPENDICES

[Figure 3: The Certification Process (larger version; referred from page 26). The flowchart image is not reproduced in this extraction.]

[Figure 2: The Safety Lifecycle Model (referred from page 15). The image is not reproduced in this extraction.]


REFERENCES

[1] IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems

[2] IEC 61511 – Functional safety – Safety instrumented systems for the process industry sector

[3] “Recommendations on the design and operation of fuel storage sites”; Buncefield Major Incident Investigation Board: http://www.buncefieldinvestigation.gov.uk/reports/recommendations.pdf

[4] “The Report Of The BP U.S. Refineries Independent Safety Review Panel” (concerning the Texas City incident): http://www.csb.gov/completed_investigations/docs/Baker_panel_report.pdf

[5] IEC 61131 – Programmable Controllers

[6] Safety, Competency & Commitment – Competency Guidelines for Safety-Related System Practitioners, 1999 (ISBN 0 85296 787 X)

[7] CASS – Conformity Assessment of Safety-related Systems certification scheme – Functional Safety Capability Assessment (FSCA)


ABOUT THE AUTHOR

Stuart R Nunns CEng, BSc, FIET, FInstMC - Principal Safety Consultant ABB Ltd

Stuart Nunns has thirty-six years’ experience in automation and safety within the oil & gas, chemical, steel and electricity generation sectors and is a Principal Consultant within the Safety Lead Competency Centre of ABB's Process Automation Division. Nunns is a member of ABB's Safety Steering Team, responsible for identifying and managing the development of functional safety products and services, mapping the total safety lifecycle. He is currently leading a global work program within ABB to establish TUV certified Safety Execution Centres.

Nunns is a TUV Functional Safety Expert and member of the IET Functional Safety Professional Network Executive Group and the InstMC’s Safety Panel. He has written and presented papers and led international safety-related systems workshops. He was project manager of both the CUIG (Framework IV) European safety group and the F/W V SIPI61508 EC Framework V project developing guiding principles for the implementation of IEC 61508.

Within the UK he was the instigator and project manager of the CASS (conformity assessment of safety systems to IEC 61508) scheme and served as a Director of CASS Ltd.


Functional safety handbook/June 08

ABB Limited
Howard Road
Eaton Socon
St Neots
Cambridgeshire
PE19 8EU
Tel: 01480 475321
Fax: 01480 217948
www.abb.com

© Copyright 2008 ABB. All rights reserved.


Specifications subject to change without notice.
