Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. It involves detection of a potentially dangerous condition that activates a protective or corrective device or mechanism to prevent hazardous events arising, or mitigation measures to reduce the consequence of the hazardous event. The base standard for functional safety is IEC 61508, which defines functional safety as “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.”
Even though functional safety has been around for years, many suppliers and users still do not understand it well. Typically, suppliers are first introduced to the concept when designing a product where functional safety has been identified as a requirement. Then the approach to functional safety often is cavalier: we’ll meet our deadline, continue to design the product, but we’ll figure out the functional safety aspect in the end. The problem with this approach is a lack of understanding of functional safety requirements—and quite frankly, confusion.
There are always two points of view when considering a product design for functional safety: the user’s (i.e., the receiver of the product) and the supplier’s (i.e., the designer of the product). Typically the user asks the supplier for what they need in the product. The functions are usually well-defined and comprehensible; however, more often than not the functional safety requirements are not fully understood by either party.
The result is a set of negative outcomes: project delays, cost overruns, corporate frustration, poor morale, and design teams that become hesitant or excessively conservative. That often means taking the most restrictive view of functional safety, which is not necessarily the best one. Consequently, the message that gets promoted is that functional safety is extremely complicated.
The question is how do you overcome these barriers to create a smooth, functional safety process?
Why Do We Do Functional Safety?
Functional safety exists in the first place because everyone recognizes that components and safety systems have become more complex over time; the basic industry safety standards traditionally used weren’t drafted to deal with this evolution. With that complexity comes increased risk that a product could fail dangerously.
Functional safety provides a way to review the product and deal with its characteristics and functions; it stipulates a method of calculating the probability of a dangerous failure, as well as of reducing that risk through diagnostics and the other methods defined in the IEC 61508 standard. It also makes products more uniform: once the standard is understood, the product can be built from common, reusable blocks going forward.
The Two-Tier Process
IEC 61508 is written to be technology- and industry-independent; it has no references back to other standards or requirements. As such, it is a non-harmonized standard and doesn’t show compliance to any directives, laws, or requirements for any industry.
So when we’re talking about functional safety, it is always a two-tiered process. The first tier is to understand the requirements of 61508. The second tier is to understand the requirements of the standards that pertain to the technology and industry the product is targeting.
Put another way, when designing for functional safety, product designers must keep in mind that functional safety is addressed by multiple industry-specific standards, all driven by the goal of reducing the overall risk of the complete system as defined by IEC 61508. IEC 61508 is the base or mother standard, but not the only standard when designing a product for functional safety. For example, when designing products for the automotive market, you’re designing to the ISO 26262 standard, which is specific to the automotive market. Within that standard, there are additional requirements that point back to IEC 61508.
So keep in mind what you’re designing for and how to funnel that through the industry-specific standards that lead back to IEC 61508.
Key points to remember about the position of IEC 61508:
- It is not a harmonized standard in the sense of an EU Directive, as harmonized standards such as ISO 13849 are.
- It cannot be used on its own as proof of CE conformity.
- Application and compliance with the standard is voluntary, but is recommended, especially for programmable and complex electronic systems such as safety PLCs.
- Application of the standard is recommended for product liability reasons because it describes the state-of-the-art of safety (good engineering practice).
Taking the Right Path
In order to avoid functional safety-related issues during product design and development, the laissez-faire attitude many companies take towards functional safety and certification must be cast aside, because functional safety is too complex to address without the negative impacts noted above. A defined path is needed.
The first thing product designers need to understand is that users aren’t functional safety experts, and tend to use industry keywords (e.g., SIL, PFDavg) to talk about functional safety without having a clear understanding of what the words mean. Consequently, suppliers must interview the user and ask for a detailed explanation of the product’s objective. Once that information is at hand, you can work out the functional safety requirements for the product design. This needs to be done up front, before the product design process begins.
Determine if there is a safety function; if there isn’t, functional safety is not applicable. The safety function is always related to a safety loop (i.e., a sensor, actuator and control logic unit) that starts, processes, and acts on the safety sequence. All three components must be present for functional safety to apply.
Once you know that IEC 61508 is applicable, it is important to understand that this standard is a framework—it only provides the basics of functional safety and how to apply them. You will also need to ascertain if any industry-specific standards apply as discussed above.
Determining a Safety Integrity Level (SIL)
A Safety Integrity Level (SIL) is a relative level of risk reduction provided by a safety function, or a specified target level of risk reduction. In functional safety standards based on IEC 61508, four SILs are defined, with SIL 4 the most dependable and SIL 1 the least. A SIL is determined from a number of quantitative factors in combination with qualitative factors such as the development process and safety life cycle management.
The requirements of SIL address the following:
- Application of suitable and adequate measures for fault avoidance during the relevant life-cycle phases (QM), and installation and application of a functional safety (FS) management system
- Complete documentation of the design and of the QM measures applied during all life-cycle phases (reproducibility)
- Measures for fault detection and control (diagnostics)
- Residual probability for a dangerous failure has to be less than the acceptable limit value (safety-related reliability).
SIL assessment includes three parts: the functional safety management review, the component documentation level review, and assessment of residual probability for dangerous failures. The functional safety management review considers the full quality system of the product and the corporation planning the product: the design team, their qualifications, product requirements, etc. The component documentation level review (i.e., the product review) is specific to design. Residual probability of dangerous failure uses FMEA (failure mode and effects analysis) to make the assessment. This is strictly a review of the product and the design of the system and software—what has been incorporated in the product—and in that sense, it’s the simplest part. But keep in mind an FMEA review is not a functional safety assessment; it’s the last third of the review and not sufficient of itself to show functional safety compliance.
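The quantitative third of the assessment described above, the residual probability of a dangerous failure, can be made concrete with a small calculation. The following Python is an added illustration, not code from the article or from Siemens. It assumes a one-out-of-one (1oo1) architecture for each element of the sensor / logic / actuator loop, the simplified IEC 61508-6 approximation PFDavg ≈ λDU × T1 / 2 (repair time and common-cause failures are ignored), constructed sample failure rates, and the IEC 61508-1 PFDavg bands for low-demand mode. It goes slightly beyond the text by showing how diagnostic coverage moves a loop between SIL bands and which element dominates the result.

```python
"""Worked PFDavg / SIL-band calculation for a simple low-demand safety loop.

Added illustration; it is not code from the article or from Siemens.
Assumptions (not stated in the article): a 1oo1 architecture for each loop
element, the simplified IEC 61508-6 formula PFDavg ~= lambda_DU * T1 / 2
(repair time and common-cause failures ignored), and constructed sample
failure rates. The loop is the sensor / logic / actuator chain the article
describes; the PFDavg bands are those of IEC 61508-1 for low demand mode.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    """One element of the safety loop with its dangerous failure rate."""
    name: str
    lambda_d: float  # total dangerous failure rate, failures per hour
    dc: float        # diagnostic coverage: fraction of lambda_d detected online

    @property
    def lambda_du(self) -> float:
        """Dangerous undetected rate: the part diagnostics do not catch."""
        return self.lambda_d * (1.0 - self.dc)


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified 1oo1 PFDavg: undetected faults accumulate until the proof test."""
    return lambda_du * proof_test_interval_h / 2.0


def loop_contributions(elements: List[Element], proof_test_interval_h: float) -> Dict[str, float]:
    """PFDavg of each element; a series loop fails dangerously if any element does."""
    return {e.name: pfd_avg_1oo1(e.lambda_du, proof_test_interval_h) for e in elements}


def loop_pfd_avg(elements: List[Element], proof_test_interval_h: float) -> float:
    """Total PFDavg of the loop (sum of the element contributions)."""
    return sum(loop_contributions(elements, proof_test_interval_h).values())


# IEC 61508-1, low demand mode: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_band(pfd: float) -> Optional[int]:
    """Map a PFDavg to its SIL band, or None if it lies outside the tabulated bands."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def meets_target(elements: List[Element], proof_test_interval_h: float, target_sil: int) -> bool:
    """The residual-probability check: loop PFDavg must be below the limit for the target SIL."""
    upper = {sil: high for sil, _, high in SIL_BANDS}[target_sil]
    return loop_pfd_avg(elements, proof_test_interval_h) < upper


# Constructed sample loop (hypothetical values) with a one-year proof test interval.
T1_H = 1.0 * HOURS_PER_YEAR
BASELINE = [
    Element("sensor", lambda_d=2.0e-6, dc=0.60),
    Element("logic", lambda_d=1.0e-7, dc=0.99),
    Element("actuator", lambda_d=3.0e-6, dc=0.00),  # no online diagnostics on the actuator
]
# The same loop after adding diagnostics that detect 90 % of actuator dangerous failures.
IMPROVED = [BASELINE[0], BASELINE[1], Element("actuator", lambda_d=3.0e-6, dc=0.90)]

if __name__ == "__main__":
    for label, loop in (("baseline", BASELINE), ("improved", IMPROVED)):
        total = loop_pfd_avg(loop, T1_H)
        print(f"{label}: PFDavg={total:.2e} -> SIL {sil_band(total)}")
        for name, share in loop_contributions(loop, T1_H).items():
            print(f"  {name:8s} {share:.2e} ({100 * share / total:.0f}%)")
```

With the constructed values the baseline loop lands in the SIL 1 band and the undiagnosed actuator accounts for most of the PFDavg; raising its diagnostic coverage moves the same loop into the SIL 2 band, which is the diagnostics-based risk reduction the article refers to. As the article stresses, this number is only the last third of a SIL assessment: the functional safety management review and the documentation review still have to be passed for a compliance claim.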
The Certification Process
Understanding the requirements of the certification process will streamline the design and development cycle, as well as speed time-to-market when dealing with regulations and regulatory teams. There are three phases to the functional safety certification process:
- Concept Assessment
Identify risks (target SIL) >> Assess proposed design and specification >> Assess test plan >> Result: a report is issued documenting the performance of the system and the areas of the design to be covered before the main assessment.
- Main Assessment
Functional safety management (FSM) review (everything is reviewed; this is an intense process and documentation review) >> Hardware evaluation >> Software evaluation >> Integration testing review (considers all internal verifications and development cycles: everything to be tested was actually tested, to an appropriate level, and documented).
- Final Certification
Verification that all of the above has been done successfully. Ends in the formal certification and type approval mark: the goal of the entire process.
Phase One reviews the proposed safety design and determines the feasibility of attaining the FS design requirement. Phase Two is a detailed safety assessment, review, and report. Phase Three is final certification of the inspected safety system. Adjustments or corrections may be made as one goes down this three-phase path, but the path should be a single cycle, not iterative.
The key takeaways to remember regarding the FS certification process include:
- Regulatory compliance must be designed in; it is not an afterthought.
- Time-to-market is appreciably reduced if the path is followed.
- Worldwide standards are compartmentalized and industry-centric, and refer to IEC 61508 (accepted worldwide).
All standards are moving towards harmonizing with IEC standards, because IEC is the worldwide-accepted common and proven standard base. You can see this clearly also in revised or new North American machine safety standards.