November 2009

Lessons learned in functional safety, IEC 61508

By Paul Reeve

Sira Test & Certification has been actively involved in applying the international functional safety standard IEC 61508 since it was first published in 1998. Soon after the publication of the standard a U.K. government-funded initiative introduced the Conformity Assessment of Safety-related Systems (CASS) scheme, intended to provide an industry-wide approach and interpretation to IEC 61508 assessment and certification.

Sira conducted 23 assessments of IEC 61508, working mainly to safety integrity level (SIL) 2 or 3. We present here some of the lessons learned and offer advice to those either specifying and using SIL-rated systems or those requiring certification for components intended for use by safety functions. We cover the three main parts of the standard:

• Part 1: General requirements (functional safety management, overall lifecycle, and competence)
• Part 2: Safety-related system requirements
• Part 3: Software requirements

Conformity templates

A key aspect of the CASS methodology is the use of assessment templates (tables) to cover different aspects of conformity, such as the safety management system, lifecycle activities and processes, sub-system failure data, and software. Each template lists target subject areas requiring the assessor’s evaluation (each subject area cross-references one or more clauses from the standard to show coverage). In the CASS terminology, these target subject areas are called targets of evaluation (TOEs). Each template also enables the client’s documentation to cross-reference each TOE and hence the clauses in the standard. Each template is a procedure, prompting the assessor with guidance (criteria and comments) during the evaluation of each TOE, and it provides a means for the assessor to record evidence of conformity against each TOE. The scheme also provides competence criteria to ensure assessors are technically competent in areas covered by the templates they are using.

Documents open to public

One of the benefits of this methodology is the assessment criteria, scope, guidance, and approach are all open to the client as the scheme documents are all freely available in the public domain. Most Sira functional safety assessments use the CASS methodology.

Work by the 61508 Association on developing the CASS templates continues under a mutual memorandum of understanding with The CASS Scheme Ltd. Our assessments have made use of these guidance procedures as they have become available.

Clients in this study are those who have been assessed in the last three years or so who provide a functional safety product or service. Although Sira has been assessing IEC 61508 since 2000, this case study specifically intends to look at recent experience.

The study highlights lessons learned from the assessment of the lifecycle processes and management of functional safety from the standard, where they see use to ensure the functional safety of a product or service. Where the projects included in the study have involved an assessment of the random hardware failure rates of a product or sub-system established by an FMEA, this element is outside the scope of the study.

Of the 23 clients involved in the study:

• 15 were related to a product intended to be compliant with IEC 61508.
• Two were related to a product intended to be compliant with IEC 61511.
• Six were related to the generic company-wide management and lifecycle processes to IEC 61511.

The term product is used to indicate a system component (sensor), a sub-system (multi-channel controller), or a complete end-to-end system.

Assessment process

In nearly all cases, clients new to IEC 61508 have opted for a staged approach to achieving certification along the following lines: (See table below).

This ensures identifying major gaps in compliance at an early stage and correcting them before expending further effort. Clients can order the stages carried out under a contract with Sira separately when it is convenient (after a period of remediation, which may be a background task, while other projects have to take priority).

Even fundamental compliance gaps identified in Stage 1 might be easy and quick to correct, or they might involve a significant amount of effort to put right.

Clients involved in the study were main equipment manufacturers. However, they either elected for certification of a specific product or for their company-wide lifecycle processes and functional safety management system.

Assessment main findings

The table and histogram on page 33 give an indication of clients’ main challenges during a first-time assessment of their management of functional safety against IEC 61508 (results of the initial gap assessment before remediation).

In the main study, TOEs 9, 10, 13, and 15 are not so relevant to suppliers. These management TOEs are relevant to operators of safety related systems.

Specifying, using SIL-rated systems

In our experience, most safety requirement specifications (SRS) end users received have been woefully inadequate. Commonly, an invitation to tender may include a statement such as, “The system shall meet SILx.” At the tendering phase, there is often no more information about this requirement from the purchaser, which leaves the supplier with guess-work to do. This is clearly not the intent of the standard, and perhaps points to an area of idealism in its approach. It is clear this whole area of requirements specification and hand-over to the developer needs more coverage. It is due for discussion in Edition 2 of the standard (scheduled for publication 2010).

A good definition of the safety functions and safety integrity requirements exists in  few cases. This is such a key document to get right, we would recommend writing it with reference to each sub-clause of Part 2 clause 7.2 and, as with all safety-related documents, appropriately verifying it.

Only use safety-related systems as a last resort when the hazard and risk assessment indicate. Once a SIL-rated system is specified, it brings with it implications concerning the safety management system, competence of persons, demand rate analysis, modification control, proof testing regimes, and the like.

Component certification

Manufacturers would do well to note the emphasis in the requirements of the standard in terms of certain items of documentation. Once these documents are well defined and verified, they form a sound basis for the remainder of the project to continue.

The key documents are:

• Safety Requirements Specification (SRS)
• Architecture Definition (can be part of the SRS)
• Verification and Validation (V&V) plan
• Test Specifications (unit, integration, validation, etc., as required)

It is important to capture requirements in a clear and unambiguous manner, so they can be traced through the development activities to validation testing.

At the end of our study, we concluded:

• Manufacturers wisely have a gap-assessment of their development processes against the requirements of IEC 61508 undertaken for them as a first step to proceeding with formal certification.
• Where certification efforts have failed, insufficient understanding and support for the project from senior management have ensued.
• IEC 61511 certification is normally straightforward for a typical systems integrator.
• Certification to IEC 61508 for components can take much time and effort for firms attempting it for the first time.
• It is possible to build a safety case for legacy code that can support an assessment, but it requires great care and effort.

ABOUT THE AUTHOR

Paul Reeve (paul.reeve@siracertification.com), CEng, MIET, MInstMC is the principal functional safety consultant at Sira Test & Certification in Sira Test & Certification Ltd, Chester, U.K.