IEC 61508 and Management of Functional Safety
Stephan Aschenbrenner
TÜV Product Service Inc.
Danvers, MA 01923 USA
s_aschenbrenner@tuvps.com
Michel Houtermans
TÜV Product Service Inc.
Danvers, MA 01923 USA
mhoutermans@tuvps.com
Eindhoven University of Technology
Depart. of Mechanical Engineering
Eindhoven, The Netherlands
KEYWORDS
Management of Functional Safety, Safety Integrity Level, PES, IEC 61508, IEC 61511, ISA S84.01
ABSTRACT
The most discussed global safety standard is without a doubt IEC 61508. This standard addresses "Functional safety of electrical/electronic/programmable electronic safety-related systems". IEC 61508 and the standards derived from it use a total life cycle and system approach towards the development and the use of safety-related systems. This has a major impact on manufacturers and users of safety-related systems.
The standard requires companies or departments to create a safety culture that goes beyond a company's standard quality procedures. A safety life cycle has to be described; procedures for operation and maintenance planning need to exist; safety validation planning and installation and commissioning planning have to be established. Modifications have to be planned and requirement traceability has to be considered. The interfaces between the different groups must be clear and the overall safety requirements must be fixed before individual departments or groups can start with their safety-related activities.
The paper starts with an overview and comparison of IEC 61508, IEC 61511 and ISA S84.01 and then discusses the IEC 61508 requirements for functional safety. The discussion is based on experience the authors have gathered with their Management of Functional Safety program. The discussion takes into account life cycle activities, the development process and the responsibilities of different people, departments or companies.
1 INTRODUCTION
For many years the safety community developing safety-related programmable electronic systems has been following the requirements of the German standard DIN V VDE 0801 [1]. It was the de-facto standard that set the requirements for developers and users of these safety-related systems in the process, oil & gas, railroad, and machinery industries. At the time the standard was developed it was revolutionary and state of the art in addressing microcomputer technology, and thus software, for safety-related applications. The German standard was well accepted all over the world and after a few years an effort was started to develop an international standard. This effort resulted in what is now known as the IEC 61508 standard [2]. The IEC 61508 standard serves as an umbrella standard that addresses Electrical / Electronic / Programmable Electronic safety-related systems for any kind of industry. Sector-specific standards that fit under the IEC 61508 standard already exist or are currently under development for the process industry, machinery industry, and railroad industry. Two of these standards for the process industry are the international draft standard IEC 61511 [3] and the already existing ISA S84.01 [5], specifically for the US industry. Both standards largely follow the basic structure of IEC 61508 but are customized to the specific needs of the process industry.
Compared to the DIN V VDE 0801 standard, the scope of IEC 61508 is much broader. Where DIN V VDE 0801 only addresses technical requirements of the actual safety system, IEC 61508 follows a complete safety life-cycle approach. This safety life cycle works as a technical framework that makes the requirements of the safety-related system a function of the process to be protected, see Figure 1. The safety lifecycle is divided into distinct phases that address requirements for, among others, the
- Process to be protected;
- Hazard and risk analysis;
- Specification and allocation of safety requirements;
- Realization of the hardware and software implementing the safety-related system;
- Planning for and the actual installation, commissioning, safety validation, and operation and maintenance of the safety-related system;
- Modification, retrofit and decommissioning;
Implementing these requirements in practice requires an organization that has a "safety culture" in mind and is capable of managing all aspects related to functional safety. This is independent of whether the organization is a user, developer or third party assessor of safety-related systems, but it goes beyond the normal quality procedures these companies usually have in place if they are not yet adapted to IEC 61508. Therefore, the purpose of this paper is to address the requirements related to the Management of Functional Safety as they are imposed by IEC 61508. This paper is especially intended for:
- Technical and plant managers, responsible for the selection, installation & commissioning, operation & maintenance, and training related to safety-related systems;
- Design and research personnel, responsible for or involved in developing safety-related systems or tools related to testing and design of safety-related (sub-) systems; and
- Engineers and technicians, involved in the operation and maintenance of safety-related systems.
The paper starts with an overview and comparison of IEC 61508, IEC 61511 and ISA S84.01 and then discusses the IEC 61508 requirements for functional safety. The discussion is based on experience the authors have gathered with their Management of Functional Safety program. The discussion takes into account life cycle activities, the development process and the responsibilities of different people, departments or companies.
2 Overview of IEC 61508, IEC 61511 and ISA S84.01
The IEC 61508, IEC 61511 and ISA S84.01 standards set out a generic approach addressing safety lifecycle activities for systems comprised of electrical, electronic, or programmable electronic components that are used to carry out safety functions. These standards are performance-based standards where compliance with the specified requirements needs to be demonstrated. The requirements can be divided into technical requirements and non-technical requirements. The technical requirements give guidance on how to build safety-related systems that are functionally safe. The non-technical requirements deal with the organizational aspects that need to be in place to achieve the technical requirements. They consider the management of functional safety, i.e., how and what the organization did to arrive at the product/process it has right now. The non-technical requirements, as can be seen from Figure 1, deal according to IEC 61508 with verification, management of functional safety, documentation and functional safety assessment activities. Of course, only if good management of functional safety is in place is it possible to meet the safety life cycle, verification, documentation and functional safety assessment requirements.
2.1 Overview IEC 61508
The standard is a performance-based standard where compliance with the specified requirements needs to be demonstrated. It is a generic standard applicable to any electrical / electronic / programmable electronic (E/E/PE) safety-related system. The requirements of the standard address the so-called Equipment Under Control (EUC), e.g., a chemical process plant or a train, and the safety-related system, e.g., an emergency shutdown system or a railway signaling system. The standard is divided into seven parts, where the first part addresses non-technical requirements (management of functional safety, documentation, verification, functional safety assessment) and the requirements pertaining to the lifecycle of the EUC. Parts 2 and 3 respectively address requirements for the hardware and software of the safety-related system. Parts 4 to 7 contain examples and other useful information.
The level of difficulty in successfully meeting the requirements depends on the safety integrity level (SIL) that is identified for each safety function protecting the EUC. The SIL is a quantitative index of the required reliability of the programmable electronic system (PES) as a function of the criticality of the process to be protected. IEC 61508 uses four SIL levels, where SIL 4 represents the toughest requirements. The activities and requirements associated with management of functional safety also depend partially on the SIL level. These activities and requirements are explained in detail in paragraph 3. A major objective is to facilitate the development of application sector standards, such as IEC 61511 and IEC 62061 [4], a standard for machinery.
2.2 IEC 61511
The IEC 61511 standard is currently under development and is expected to be completed no sooner than 2003. The standard is developed as a sector-specific standard for the process industry within the framework of IEC 61508. Where IEC 61508 uses the general term safety-related system, IEC 61511 uses Safety Instrumented System (SIS), a more common term in the process industry. The term includes sensors, logic solvers, final elements and other peripherals like field connections or cabling. The main technology for logic solvers is programmable electronics. Recently there has also been a trend toward programmable electronic safety-related sensors and actuators. Even if other technologies (e.g., solid state or relays) are used for logic solvers and field devices, the basic principles of this standard still apply.
Since this standard is developed under the umbrella of IEC 61508 it is expected that the final version of this standard will address the same range of requirements concerning management of functional safety, see paragraph 3.
2.3 ISA S84.01
The ISA S84.01 standard is a US national standard. It was developed and approved at a time when the IEC 61508 standard was also under full development. Like the IEC 61511 standard, it addresses the application of SIS for the process industries. Compared to IEC 61508 and the future IEC 61511, this standard is considered weak, as it does not address the technical and non-technical requirements at the same level of detail. Where IEC 61508 and IEC 61511 recognize four SILs, ISA S84.01 only recognizes the first three levels. Although the scope of ISA S84.01 is limited, it served together with IEC 61508 as the main input to IEC 61511.
2.4 Relationship of IEC 61508, IEC 61511 and ISA S84.01
Figure 2 gives an overview of the relationship between the three standards. The requirements on management of functional safety in IEC 61508 and IEC 61511 are more or less identical. ISA S84.01 hardly addresses any management issues. The only requirement that can be considered part of management of functional safety is "management of change". For management of change, ISA S84.01 requires written procedures to be in place to initiate, document, review, and approve any changes to the SIS, which is similar to IEC 61508.
3 Management of Functional Safety according to IEC 61508
Clause 6 of part 1 of IEC 61508 discusses the objectives and requirements on management of functional safety. For TÜV as an assessor, management of functional safety is nothing new. It is part of our daily job. For the users and developers of safety-related systems it adds a new, resource-demanding dimension to functional safety. The safety world has become much more complex over the years. Where safety functions in the past were carried out by small, non-programmable systems, nowadays these safety systems can be very complex systems¹. The developers as well as the users are often multinationals that have a presence in many different countries. The management of functional safety becomes much more important. Different parts of the system are designed in different parts of the world, which requires excellent communication and document control. Software development plays an even more critical role in systems. The systems developed need to be multipurpose machines that can be applied in different industries, for different applications, and in different countries throughout the world. All of this requires an organization that is capable of handling the needs of functional safety. It is TÜV's experience that IEC 61508 has a much higher impact on the development process and the operation of safety-related systems than the developers and users ever expected.
IEC 61508 requires the use of a safety life cycle. This means that users and developers have to think about the use of the product, from the first idea about a new product to the coordination and the execution of verification, validation and assessment activities. This includes the generation of specifications for design and development as well as planning activities for operation, installation, validation, maintenance and decommissioning. Each phase of the safety lifecycle needs to be defined in terms of its inputs, outputs and verification activities. For both the user and the developer it is necessary to understand all these activities and provide input to each other to understand the system in terms of installation, maintenance operation and decommissioning. The level and requirements of management for all these activities depends on the Safety Integrity Level (SIL) according to IEC 61508.
For example, planning of the different modes of operation of a safety system has to be done at an early stage of the project to make sure that the safety system (hardware and software together) can handle these modes in a safe way. From experience, the authors can tell that this planning activity is postponed to the end of the project and developers start thinking about it while writing the safety manual. This can lead to a situation where, even with a multiply redundant system, a process shutdown is required during maintenance because of missing software support. All modes of operation have to be specified at an early stage, e.g. in the safety requirements specification, before the detailed development and the implementation start. Thinking about these kinds of safety issues requires thorough planning activities at the beginning. And this has to be managed.
3.1 Objectives of the Management of Functional Safety
IEC 61508 describes the objectives of management of functional safety as follows:
These two objectives clearly show that IEC 61508 tries to establish an organization with a safety culture.
Compliance with IEC 61508 is not just about meeting technical requirements, as in DIN V VDE 0801, but about having a management that is capable of achieving functional safety throughout all phases of the safety lifecycle. Only if management recognizes and understands what needs to be in place organizationally to achieve functionally safe systems is it possible to be compliant. The days when one good technical person understood all the requirements of a safety-related system are over. Now the whole organization needs to have functional safety in mind. What this means for the organization is expressed in the requirements outlined in the next paragraph.
3.2 Requirements of the Management of Functional Safety
The following is a copy of the requirements for management of functional safety from IEC 61508, part 1, Clause 6. The literal text is italic and indented. After the italic text, comments provided by the authors follow, based on experience derived from their Functional Safety Management program.
Those organizations or individuals that have overall responsibility for one or more phases of the safety life cycle shall specify all management and technical activities that are necessary to ensure that the E/E/PE safety-related systems achieve and maintain the required functional safety.
In particular, the following should be considered:
- a) the policy and strategy for achieving functional safety, together with the means for evaluating its achievement, and the means by which this is communicated within the organization to ensure a culture of safe working;
A company dealing with functional safety needs to create a safety culture. This can only be achieved by commitment from top management. Only if top management is aware of the required resources, in terms of time and people, is it possible to achieve this. In practice, achieving a safety culture is very comparable to implementing quality procedures like ISO 9000.
- b) identification of the persons, departments and organizations which are responsible for carrying out and reviewing the applicable safety life cycle phases (including, where relevant, licensing authorities or safety regulatory bodies);
Safety needs to be part of somebody's job description. Assignments on a project basis do not work.
Persons and/or departments and/or organizations have to be clearly appointed to be responsible for the management of functional safety or for activities related to functional safety, to allow the successful achievement of this requirement. But only if it is part of the job description will somebody feel, and can somebody be made, truly responsible.
- c) the overall, E/E/PES or software safety lifecycle phases to be applied;
A lifecycle needs to be defined, for users, developers, or integrators. It has to be defined up front which lifecycle or which phases have to be managed. If, for example, a software house develops safety-related software for a PLC manufacturer, then the software house must use a safety lifecycle and is responsible for the activities related to this lifecycle.
- d) the way in which information is to be structured and the extent of the information to be documented;
Functional safety management is responsible for setting up a documentation structure. The amount of information and the techniques used depend on the SIL. All of this should be part of the document control system, which is managed as part of the functional safety activities. The documentation structure should take into account the safety lifecycle and the kind of information that is required in the different phases. This requires careful "up front" management.
- e) the selected measures and techniques used to meet the requirements of a specified clause;
- f) the functional safety assessment activities;
The selection of measures and techniques highly depends on the SIL level. Management of functional safety has to be aware of the impact of selecting measures and techniques. The selection needs to be justified and documented. This also includes functional safety assessment activities and the selection of the right assessor, which can be a person, a department or a third party (depending on the SIL). The project needs to plan for assessment activities. Making the wrong decisions (for example not documenting a decision) can lead to a lot of rework and time delay at later stages in the lifecycle.
- g) the procedures for ensuring prompt follow-up and satisfactory resolution of recommendations relating to E/E/PE safety-related systems arising from:
- hazard and risk analysis,
- functional safety assessment,
- verification activities,
- validation activities,
- configuration management;
Management of functional safety needs to take into account changes or issues that might result from the above-described activities. Procedures need to be in place that keep track of the results of the above-mentioned activities, of who is responsible for changes or improvements, and of how to realize them. An impact analysis is one of the requirements in this process.
- h) the procedures for ensuring that applicable parties involved in any of the safety life cycle activities are competent to carry out the activities for which they are accountable; in particular, the following should be specified:
- the training of staff in diagnosing and repairing faults and in system testing,
- the training of operations staff,
- the retraining of staff at periodic intervals;
The complexity and size of the safety systems to be developed in the future require personnel that is up to speed at all times. Management of functional safety has to specify and identify training and retraining according to established procedures.
- i) the procedures which ensure that hazardous incidents (or incidents with potential to create hazards) are analyzed, and that recommendations are made to minimize the probability of a repeat occurrence;
Management of functional safety should create an organization that is capable of detecting hazards (mainly through training) and where reporting hazards is rewarded. Once a hazard is detected everybody should be aware that procedures are in place that initiate thorough analysis and resolutions to prevent this hazard in the future. This also requires procedures that explain how and where to go back in the life cycle and redo verification and validation activities.
- j) the procedures for analyzing operations and maintenance performance. In particular procedures for:
- recognizing systematic faults which could jeopardize functional safety, including procedures used during routine maintenance which detect recurring faults,
- assessing whether the demand rates and failure rates during operation and maintenance are in accordance with assumptions made during the design of the system;
Management of Functional Safety has to set up a system that allows analyzing operations and maintenance performance. In the manufacturing process this can usually be done by Statistical Process Control. In the field, log books need to be kept and procedures need to exist that help collect and analyze relevant data. Personnel need to be trained to see the value of collecting this data and thus record the data in the right way.
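The second bullet of item j), checking observed demand and failure rates against the design assumptions, is the kind of analysis a field log book is kept for. The script below is an added example written for this paper's discussion; it is not code from the authors or from any standard. The design figures, the log records, the two-year observation period and the tolerance factor of 2 are all constructed for illustration. The only rule taken from IEC 61508 is the definition of low demand mode (no more than one demand per year and no more than twice the proof-test frequency); everything else is an engineering choice of the example.

```python
"""Added example (not from the paper): check operation and maintenance records
against the design assumptions of a safety function, as item j) asks for.

The design assumptions, the log records and the tolerance factor below are
constructed for illustration and are not values from the paper."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class DesignAssumptions:
    """Figures the design of the safety function was based on (constructed)."""
    demand_rate_per_year: float             # expected demands on the safety function
    dangerous_failure_rate_per_hour: float  # dangerous failure rate assumed for the loop
    proof_test_interval_hours: float        # planned proof-test interval


@dataclass(frozen=True)
class LogRecord:
    """One entry of the field log book: a demand, a dangerous fault found
    during maintenance, a proof test, or a spurious trip."""
    day: date
    event: str
    note: str = ""


def count_events(records: List[LogRecord]) -> Dict[str, int]:
    """Count log entries per event type; an unknown type is a data-quality error."""
    counts = {"demand": 0, "dangerous_fault": 0, "proof_test": 0, "spurious_trip": 0}
    for rec in records:
        if rec.event not in counts:
            raise ValueError(f"unknown event type {rec.event!r} on {rec.day}")
        counts[rec.event] += 1
    return counts


def check_against_design(records, start, end, design, tolerance=2.0):
    """Compare observed demand and dangerous failure rates with the design
    assumptions. `tolerance` is the factor by which an observed rate may exceed
    the assumed one before it is flagged (a constructed engineering choice)."""
    hours = (end - start).days * 24.0
    if hours <= 0:
        raise ValueError("observation period must be positive")
    years = hours / HOURS_PER_YEAR
    counts = count_events(records)

    demand_rate = counts["demand"] / years
    failure_rate = counts["dangerous_fault"] / hours   # point estimate from few events
    proof_tests_per_year = HOURS_PER_YEAR / design.proof_test_interval_hours
    expected_proof_tests = int(hours // design.proof_test_interval_hours)

    findings = []
    if demand_rate > tolerance * design.demand_rate_per_year:
        findings.append("DEMAND_RATE_ABOVE_DESIGN")
    # IEC 61508 low demand mode: at most one demand per year and at most twice
    # the proof-test frequency; above that the design basis no longer holds.
    if demand_rate > 1.0 or demand_rate > 2.0 * proof_tests_per_year:
        findings.append("LOW_DEMAND_MODE_INVALID")
    if failure_rate > tolerance * design.dangerous_failure_rate_per_hour:
        findings.append("FAILURE_RATE_ABOVE_DESIGN")
    if counts["proof_test"] < expected_proof_tests:
        findings.append("PROOF_TESTS_MISSED")

    return {
        "observation_hours": hours,
        "demand_rate_per_year": demand_rate,
        "dangerous_failure_rate_per_hour": failure_rate,
        "proof_tests_done": counts["proof_test"],
        "proof_tests_expected": expected_proof_tests,
        "findings": findings,
    }


# Constructed sample: a two-year observation period (17520 h) for one safety function.
PERIOD_START = date(1998, 1, 1)
PERIOD_END = date(2000, 1, 1)
SAMPLE_DESIGN = DesignAssumptions(demand_rate_per_year=0.2,
                                  dangerous_failure_rate_per_hour=1.0e-6,
                                  proof_test_interval_hours=8760.0)
SAMPLE_RECORDS = [
    LogRecord(date(1998, 3, 4), "demand", "high level trip"),
    LogRecord(date(1998, 9, 1), "proof_test"),
    LogRecord(date(1998, 11, 20), "demand"),
    LogRecord(date(1999, 2, 8), "dangerous_fault", "stuck valve found at test"),
    LogRecord(date(1999, 7, 15), "spurious_trip"),
    LogRecord(date(1999, 9, 1), "proof_test"),
    LogRecord(date(1999, 12, 2), "demand"),
]
# Constructed log of a loop that behaved as designed: proof tests only.
HEALTHY_RECORDS = [LogRecord(date(1998, 9, 1), "proof_test"),
                   LogRecord(date(1999, 9, 1), "proof_test")]

if __name__ == "__main__":
    result = check_against_design(SAMPLE_RECORDS, PERIOD_START, PERIOD_END, SAMPLE_DESIGN)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed records the sample loop saw 1.5 demands per year against an assumed 0.2, which not only exceeds the design figure but also invalidates the low demand mode the design presumably relied on; one dangerous fault in 17520 hours likewise exceeds the assumed rate. A real review would add confidence bounds, since one or two events say little about a rate, but the point of the procedure is that the comparison is made at all and that somebody is responsible for acting on the findings.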
- k) requirements for periodic functional safety audits:
- the frequency of the functional safety audits,
- consideration as to the level of independence required for those responsible for the audits,
- the documentation and follow-up activities;
Especially for globally operating companies or companies with complex products it is necessary to have an understanding of the level of "safety" incorporated. This can only be verified on a periodic basis by competent auditors. Companies grow, people leave jobs, and it is not always identified and recognized that the safety "knowledge base" is disappearing. Periodic safety audits can identify these problems and do something about them. This is one of the reasons why for each certified product an annual factory inspection is carried out.
- l) the procedures for initiating modifications to the safety-related systems;
- m) the required approval procedure and authority for modifications;
Management of functional safety is responsible for the "management of change" process. Management of change procedures have to be in place to initiate, document, review, implement and approve changes to the safety instrumented system other than replacement in kind. This is not only required by IEC 61508, IEC 61511 and ISA S84.01 but also by OSHA's 1910.119 Process Safety Management Regulations.
- n) the procedures for maintaining accurate information on potential hazards and safety-related systems;
Management of functional safety, especially at a plant, is responsible for maintaining accurate information. That means it has to guarantee that potential hazards are known and are communicated to all people involved in the different modes of operation of the plant, and that these people are aware of restrictions and conditions on the safety-related system. A typical example is keeping up to date with the latest laws and standards. Somebody with a broad system or process understanding needs to be made responsible for this.
- o) the procedures for configuration management of the E/E/PE safety-related systems during the safety life cycle phases; in particular the following should be specified:
- the stage at which formal configuration control is to be implemented,
<>
- the procedures for preventing unauthorized items from entering service;
A configuration control tool needs to be implemented. With today's complexity it is not possible anymore to only work with procedures. The job needs to be made easier.
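What such a tool has to do at its core is compare what is in service with a frozen, approved baseline. The script below is an added example written for this discussion and is not code from the authors, from any standard, or from any vendor tool. The configuration item names, versions and contents are constructed; in practice the contents would be read from the delivered files or device images, and the baseline would be frozen at the stage where formal configuration control starts.

```python
"""Added example (not from the paper): verify a deployed safety system
against its approved configuration baseline, as item o) asks for.

The configuration items, versions and contents below are constructed; in
practice the contents would be read from the delivered files or images."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ConfigItem:
    """One item under formal configuration control, identified by name,
    approved version and the SHA-256 of its approved content."""
    name: str
    version: str
    sha256: str


def sha256_hex(content: bytes) -> str:
    """Content identity of an item; a changed byte changes the digest."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(approved: Dict[str, Tuple[str, bytes]]) -> Dict[str, ConfigItem]:
    """Freeze the approved items (name -> (version, content)) into the baseline.
    This is the stage at which formal configuration control starts."""
    return {name: ConfigItem(name, version, sha256_hex(content))
            for name, (version, content) in approved.items()}


def verify_deployment(baseline: Dict[str, ConfigItem],
                      deployed: Dict[str, Tuple[str, bytes]]) -> List[str]:
    """Compare what is in service with the baseline and return sorted findings.
    Anything not in the baseline is an unauthorized item; a digest mismatch
    means the content changed even if the version label did not."""
    findings = []
    for name, (version, content) in deployed.items():
        item = baseline.get(name)
        if item is None:
            findings.append(f"UNAUTHORIZED:{name}")
            continue
        if version != item.version:
            findings.append(f"VERSION_MISMATCH:{name}")
        if sha256_hex(content) != item.sha256:
            findings.append(f"CONTENT_MISMATCH:{name}")
    for name in baseline:
        if name not in deployed:
            findings.append(f"MISSING:{name}")
    return sorted(findings)


# Constructed approved configuration of a hypothetical logic solver.
APPROVED_SOURCES = {
    "logic_solver_app": ("1.2.0", b"constructed application image v1.2.0"),
    "io_firmware": ("3.0.1", b"constructed I/O module firmware 3.0.1"),
    "safety_parameters": ("1.0.0", b"trip_level=85;delay_ms=200"),
}
APPROVED_BASELINE = build_baseline(APPROVED_SOURCES)

# Constructed snapshot of what was actually loaded into service: the firmware
# content differs under the same version label, the parameter set is absent,
# and an item that was never approved is present.
DEPLOYED_SNAPSHOT = {
    "logic_solver_app": ("1.2.0", b"constructed application image v1.2.0"),
    "io_firmware": ("3.0.1", b"constructed I/O module firmware 3.0.1 (patched)"),
    "field_tool_patch": ("0.9", b"unreviewed vendor hotfix"),
}

if __name__ == "__main__":
    for finding in verify_deployment(APPROVED_BASELINE, DEPLOYED_SNAPSHOT):
        print(finding)
```

Checking content digests rather than version labels alone is what catches the case the paper warns about in the next items: a change made in the field without going through the management of change procedure. The same comparison run before commissioning is the check that "prevents unauthorized items from entering service".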
- p) where appropriate, the provision of training and information for the emergency services.
This is a requirement on plant and community level. It requires involvement from emergency response organizations that are only indirectly involved with functional safety. Information that lets them better carry out their job in case of an accident needs to be available. Although mentioned in this standard, there are other resources like OSHA that elaborate on this topic in much more detail.
Management of functional safety needs to plan up front for procedures that can provide the necessary information flow for emergency services.
The requirements developed as a result of the activities described above shall be formally reviewed by the organizations concerned, and agreement reached.
This requirement more or less makes sure that all parties involved understand all the aspects of doing business with each other concerning functional safety. For example, if a software house is subcontracted to develop code without the SIL level this code needs to fulfill being specified, that is a requirement both parties should have identified as missing.
All those specified as responsible for management of functional safety activities shall be informed of the responsibilities assigned to them.
It is important to inform people of their responsibilities. It is even more important to find out whether people understand the impact of their, often new, responsibilities.
Suppliers providing products or services to an organization having overall responsibility for one or more phases of the safety life cycles, shall deliver products or services as specified by that organization and shall have an appropriate quality management system.
In practice this is resolved in two ways. Either the suppliers are selected because of their expertise and knowledge of functional safety, or the developer keeps the responsibility for management of functional safety of the subcontracted service "in house" and assures itself that all requirements are met by specifying the requirements in detail.
4 Conclusion
In the short time since IEC 61508 has started to be implemented by users and developers, the authors have already noticed that complying with and proving the requirements of management of functional safety is a major hurdle for many companies. Creating a safety culture requires time and resources up front. This is money well spent if done up front, but if changes need to be made afterwards it can be extremely costly.
Everybody knows nowadays the cost associated with late design changes. Imagine what the cost will be of changing an entire corporate culture when the same company thinks the product is already almost done.
Management has to ensure that the company has competent and motivated people who have the cognizance to do their jobs correctly. Management needs to be consistent when communicating safety policy. It should not allow short-term "product-to-market" conflicts to challenge or breach the safe functioning of protection systems. The biggest challenge for a company is to estimate the impact of software on their lifecycle activities.
5 References
1. DIN V VDE 0801, Principles for computers in safety-related systems, 1990 and amendment A1, 1994
2. IEC 61508, Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems, parts 1-7, IEC, 1998
3. IEC 61511, Functional safety instrumented systems for the process industry sector, parts 1-3, draft standard, 1999
4. IEC 62061, A standard for the machinery industry addressing programmable electronic safety related devices. A public draft version is expected to be available spring 2000.
5. ISA S84.01, Safety Instrumented Systems, Research Triangle Park, 1996
¹ Modern systems are programmable, and several microprocessors and other complex ICs are used to carry out a safety function. For new systems, the development cost easily goes into the millions of dollars.