CSA Group Addressing Machine System Operational Risk White Paper NA English - 1

The document discusses the significance of functional safety in manufacturing, emphasizing the need for compliance with safety standards to mitigate operational risks. It outlines the importance of evaluating and certifying machines and systems to ensure they operate safely even during failures, highlighting the role of standards like IEC 61508. Additionally, it details the process of assessing risks, determining safety integrity levels (SIL), and implementing safety systems to enhance operational safety and reliability.

FUNCTIONAL SAFETY

Addressing machine and system operational risks in the safety lifecycle

The importance of compliance with functional safety standards

In manufacturing, it is not enough to say that the operation of machines and systems is critical to the creation of the end product. “Operation” is only one part of the equation. Efficient production of end products depends on the correct operation of machines and systems in all scenarios – meaning that they respond safely and reliably to inputs, that all components of the machine or system operate as expected, and that any operation errors, hardware failures, or environmental interference can be managed safely. In other words, machines and systems will operate safely even when they malfunction. This is functional safety, and it is paramount to the overall success of any business that utilizes machines and systems to achieve their goals.

The integration of automated safety systems is rapidly expanding around the world and across diverse industries – including process, household and commercial products, medical, nuclear, automotive, railway, and avionics. As a result, the importance of functional safety evaluation and certification has become recognized internationally. Functional safety certification is widely considered to be an essential tool to identify, control, and mitigate hazards and risks, particularly in those cases where a failure could lead to serious injury or death.

Those unfamiliar with the concept of functional safety may find the subject difficult to understand and place it within the context of traditional safety and reliability assessments. The concept often gets lost as manufacturers navigate through product safety certifications from notified bodies – such as the ATEX and IECEx directives for equipment used in hazardous locations (HazLoc) and electromagnetic compatibility (EMC) directives for
electronics – and feel confident that their equipment will operate safely in their respective environments. But none of these certifications offer assurance that processes will run safely in the event of some form of product failure, or are under any type of continuous surveillance to help maintain safety. Assessing for functional safety helps to maintain safe and reliable operational processes, reduce mean down time (MDT), and help prevent dangerous situations.

Designers who understand and embrace the concept of functional safety – and who demonstrate that products or systems conform to the requirements of recognized functional safety standards – are equipped to better manage risk, while also helping to capture market share among the growing ranks of customers who also seek to meet the requirements of functional safety standards.

Evaluation and Certification to Functional Safety Standards: The Basics

Functional safety embodies several critical concepts. At its core, it relies on what the equipment actually does – known as safety functions – and how reliably it does it – or safety integrity. Functional safety is not only concerned with having high reliability for safety functions, but it also focuses on failure modes, which is essentially how the systems/sub-systems can fail, and failure data or how likely the failure mode can occur.

Similar to how the concept of functional safety itself is composed of many moving parts, there are several standards that provide the requirements for testing and certification. They represent both the fundamentals of functional safety as well as specific sectors where it is commonly applicable.

The IEC 61508 series are international standards for safety-related systems associated with electrical, electronic, and software-based technologies. These principles can also be extended to assess mechanical elements if they are used in the safety function. IEC 61508 sets out the requirements for ensuring that systems are designed, implemented, operated, and maintained to provide the required safety integrity level (SIL), and forms a basis for sector-specific standards including:

• IEC 61511 process industry
• IEC 61513 nuclear industry
• IEC 62061 & ISO 13849 machinery industry
• EN 50402 gas detector systems
• EN 50126 rail industry

A critical part of functional safety is assessing risk and putting into place controls that reduce risk to appropriate levels. A hazard analysis can be conducted to identify the scale of risk and potential resulting harm as well as to assist in determining if functional safety is necessary to mitigate risk. IEC 61508 defines requirements for determining the level of risks and describes the lifecycle process for ensuring that systems are designed, validated, verified, operated, and maintained to perform a specific function or functions to ensure risk is kept at an acceptable level. IEC 61508 defines four SILs according to the risks involved in a safety-related system application, with SIL 4 representing protection against the highest level of risk.

Safety function requirements are defined through a hazard analysis while safety integrity requirements are derived from an assessment of acceptable risk. IEC 61508 may cover both, determining the SIL capability of a product as well as verifying the SIL of the manufacturer.

The higher the SIL assigned to the safety system or component, the lower the likelihood of dangerous failure. Elements/subsystems covered by these requirements might include sensors, detectors, signal conditioners, logic controllers, monitors, alarms, actuators, valves, and motors.

Evaluation and Certification to Functional Safety Standards: The Benefits

Managing Complexity

With the increased use of programmable and complex systems, evaluating a product or system for safety has become correspondingly complex. Using a third-party testing & certification body to evaluate your systems for functional safety against internationally accepted standards helps foster an understanding of the important components that comprise “safe and efficient operations”.

Increased Confidence

Evaluation of systems and components, and certification that they meet the requirements of the applicable functional safety standards, provides designers, end-users, operators, and other stakeholders with increased confidence that processes operate safely, products meet regulations and industry requirements, risk has been appropriately managed, and the potential for costly litigation has been minimized.

Market Advantage

Equipment suppliers can also leverage their functional safety certifications to gain market advantage, access new markets, and achieve sales growth among customers who require products to meet a given SIL capability for use in their safety-related applications or systems. This “product-of-choice” status is reinforced by subsequent positive assessment reports from customers whose products and systems are also certified, further demonstrating full compliance with functional safety requirements. Organizations that provide a safety-related service or operation involving safety systems – such as plant operators, systems integrators, contract designers, and product suppliers – can be approved for the technical and management processes that govern their functional safety activities. This type of approval covers both the generic processes of the organization as well as competency of staff. This approval can be very useful in earning new business, or in satisfying ongoing contractual or regulatory requirements.

Functional Safety: Real Life

The following example explains the basic principles of functional safety. Diagram 1 shows a relatively simple operation from the process industry—filling a bulk storage fuel tank. Some questions that must initially be answered include:

• What hazards are associated with this application?
• What can go wrong in the process?
• What are the risks?
• How safe is the application?
• How safe does it need to be?

Without considering these basic questions, an overflow can occur that can lead to dire consequences like in image 1.

[Image 1: Oil storage depot, Buncefield, UK, December 2005]

Fortunately, there were no fatalities in this particular incident, but dozens of surrounding businesses were devastated. Several companies were prosecuted and found guilty in criminal and civil courts – including the owner/operator, the control system supplier, and one of the instrument suppliers. The incident could have been prevented if the hazard and risk had been correctly identified and an appropriate target SIL established. This would have resulted in the implementation of an appropriate overfill protection system and an operational functional safety management system.

[Diagram 1: filling a bulk fuel storage tank – level sensor signal to a PLC in the control room, pump control (on/off), pipeline valve, fuel storage tank]

In a scenario like this, specifying a safety-related system – usually referred to as a safety instrumented system (SIS) in the process industry – can reduce risk to a target SIL deemed acceptable based on an assessment of the hazard. Depending on the target SIL, risk level can be reduced by at least:

• SIL 1 by ≥10 times
• SIL 2 by ≥100 times
• SIL 3 by ≥1,000 times
• SIL 4 by ≥10,000 times

SIS Implementation

With the hazards and risks identified, safety requirements can be assessed and an acceptable target SIL established, resulting in the design of a safety-related protection system – an SIS loop – implemented as shown below.

The SIS, identified in red in diagram 2, might be specified as follows:

Safety Function: To close the emergency shut off valve and switch off the pump in the event that the high-high level switch contacts are opened.

Safety Integrity: To perform the safety function to SIL 2 (that’s a probability of the independent safety function failing to work of less than 1 in 100 trips).

[Diagram 2: the same filling operation with the SIS loop highlighted – level sensor signal, PLC in the control room, pump control (on/off), pipeline valve, fuel storage tank]

Achieving Functional Safety: Basic Steps

1. SIL Determination

Once the hazards and risks have been identified, using Hazard and Operability Study (HAZOP) analysis, a SIL determination study can be prepared (normally arranged by the plant/machine operator) to establish the safety function(s) and the amount of risk reduction required of the safety system, which then defines its SIL. The IEC 61508 standard shows the requirements for failure data which are expressed either as a probability of failure on demand (PFD) for a “trip” safety system or as a failure rate
(for a safety system that has to respond more frequently or even continuously). Each SIL has its own range, with an “order of magnitude” between end points. If the demand from the process on the safety function is predicted to be less frequent than once a year, it is classified as a low demand system; if the demand is more frequent than once a year, it is a high demand system. (A continuous mode safety function is where safety is achieved by continuous or linear control of the plant/machine). It is important to get the distinction between high and low demand right as the mathematics used to derive the requirements are different. Once the SIS is in operation, all demands (whether “nuisance” or valid) should be logged, investigated, and compared with what was predicted at SIL determination.

2. Safety Requirements Specification

Once the target safety functions and safety integrity have been determined, the Safety Requirements Specification (SRS) should be prepared, as it is one of the most important phases in the lifecycle. Functional safety standards emphasize the importance of capturing functional requirements, deriving more detailed design requirements (right down to low level hardware and software) and tracing these through the design and development stages, integration and testing process, and through to final validation (assessment to the product lifecycle). At the end of every stage of the product lifecycle, a verification process must be followed to capture any details not fully addressed that can affect compliance. This supports avoidance of systematic failures. For complex or high-integrity safety systems, capture of formal requirements and associated testing require trusted automated tools. The safety system (including all instruments) should then be designed and realized to achieve the numerical SIL requirements identified for the safety function.

3. Random Hardware Failures

A system failure is typically due to random hardware or systematic failures. Random hardware failures typically stem from the components used in assembly and the design architecture. Functional safety includes design techniques to minimize the probability of the safety system failing to perform its designed safety function and requires estimating the failure rate using numerical and analytical techniques. A quantitative assessment is performed to ensure the specified figure is achieved.

A theoretical model of the equipment’s reliability must be constructed, decomposing the design into functional blocks to form a reliability block diagram (RBD). Other methods such as fault tree analysis can also be used, and modelling is specifically required for more complex designs.

Each “block” down to component level must be analyzed, using methods such as failure modes and effects analysis (FMEA). During this analysis, it is necessary to determine how the failure of each component affects the equipment’s safety function.

Failures can be a combination of safe and dangerous depending on the definition of the safety function.

The outcome of the FMEA for each block is a sum of the different types of failures (safe and/or dangerous). Using the RBD, the different failure rates can be grouped into categories, such as safe failures or dangerous (detected or undetected). The probability of failure on demand (PFD) can then be calculated for the equipment.

In addition to meeting the PFD requirement, it is necessary for the equipment to meet certain architectural constraints such as the safe failure fraction (SFF) and the hardware fault tolerance (HFT) outlined in the standard.
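The following script is an added worked example (not CSA Group's code or figures) that carries the paper's tank-overfill SIS through the steps just described: each block's FMEA outcome is grouped into safe, dangerous-detected and dangerous-undetected rates, the blocks are combined as a series reliability block diagram to give the loop PFD, and the result is checked against the SIL 2 target from the specification above both numerically and against the SFF/HFT architectural constraint. The failure rates, the one-year proof-test interval, the block names and all function names are constructed assumptions; the SIL bands, the Type A/B SFF thresholds for HFT 0 and the simplified single-channel PFDavg formula are the IEC 61508 ones.

```python
"""Added example (not CSA Group's code): SIL check for the paper's low-demand
overfill-protection loop modelled as a series reliability block diagram.
All failure rates and block names below are constructed for illustration."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Block:
    name: str
    type_a: bool    # IEC 61508-2 Type A (simple, well understood) vs Type B
    lam_s: float    # safe failure rate per hour (grouped FMEA outcome)
    lam_dd: float   # dangerous detected failure rate per hour
    lam_du: float   # dangerous undetected failure rate per hour


def demand_mode(demands_per_year: float) -> str:
    """Paper's rule: demand less frequent than once a year is low demand."""
    return "low" if demands_per_year <= 1.0 else "high"


def sff(b: Block) -> float:
    """Safe failure fraction: share of all failures that are safe or detected."""
    return (b.lam_s + b.lam_dd) / (b.lam_s + b.lam_dd + b.lam_du)


def pfd_avg_1oo1(b: Block, proof_test_hours: float) -> float:
    """Single channel: only undetected dangerous failures accumulate between
    proof tests (simplified IEC 61508-6 form, repair of detected faults ignored)."""
    return b.lam_du * proof_test_hours / 2.0


def sil_from_pfd(pfd: float) -> int:
    """Low-demand bands: SIL n needs PFDavg below 10**-n (the paper's 'risk
    reduced by at least 10**n times'); 0 means no SIL is met."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0


def arch_sil_hft0(b: Block) -> int:
    """Highest SIL a block with hardware fault tolerance 0 may claim under the
    IEC 61508-2 Route 1H tables (SFF thresholds 60 %, 90 %, 99 %)."""
    s = sff(b)
    if b.type_a:
        return 1 if s < 0.60 else 2 if s < 0.90 else 3
    return 0 if s < 0.60 else 1 if s < 0.90 else 2 if s < 0.99 else 3


def assess_loop(blocks, proof_test_hours, target_sil, demands_per_year):
    """Series RBD: loop PFD is the sum of block PFDs; the claimable SIL is the
    lower of the numerical SIL and the weakest block's architectural limit."""
    if demand_mode(demands_per_year) != "low":
        raise ValueError("high-demand loops are assessed on PFH, not PFD")
    pfd = sum(pfd_avg_1oo1(b, proof_test_hours) for b in blocks)
    weakest = min(blocks, key=arch_sil_hft0)
    achieved = min(sil_from_pfd(pfd), arch_sil_hft0(weakest))
    return {"pfd": pfd, "sil_numerical": sil_from_pfd(pfd),
            "sil_architectural": arch_sil_hft0(weakest),
            "sil_achieved": achieved, "meets_target": achieved >= target_sil,
            "limiting_block": weakest.name}


# Constructed FMEA outcomes for the tank-overfill loop (failures per hour).
OVERFILL_LOOP = [
    Block("high-high level switch", True, 4e-7, 0.0, 2e-7),
    Block("safety PLC logic solver", False, 5e-7, 9e-7, 1e-8),
    Block("emergency shut-off valve", True, 1e-6, 0.0, 5e-7),
    Block("pump trip contactor", True, 1e-7, 0.0, 1e-7),
]

if __name__ == "__main__":
    for key, value in assess_loop(OVERFILL_LOOP, HOURS_PER_YEAR, 2, 0.2).items():
        print(f"{key}: {value}")
```

With these constructed rates the loop meets SIL 2 on PFD alone but is held to SIL 1 by the contactor's 50 % safe failure fraction, which is the point the paper makes about architectural constraints applying in addition to the PFD requirement.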

This analysis can be performed using information from circuit diagrams, mechanical assembly drawings, parts lists, and other sources, and therefore can be undertaken following design. It requires a detailed knowledge of component failure rates, their various failure modes and how these can affect the functionality of the instrument used in the safety function. The analysis is a specialist area and should only be undertaken by analysts with the appropriate tools, competence, and access to the appropriate failure rate data in order to yield a statistical prediction of the random hardware failure.

4. Systematic Failures

The second reason for system failure is weaknesses in the processes used in the specification, design, test, installation, use, modification, and repair of the safety system – known as the lifecycle. Because these failures are the result of the processes used and are not limited to any product, they can result in failures along all product lines. These systematic failures cannot be modelled and determined statistically. Instead, they must be controlled and avoided by using processes, backed up with functional safety management and techniques of sufficient rigor for the SIL involved. These are prescribed in the IEC 61508 standard.

The verification of systematic failures (hardware or software) requires a qualitative assessment of the evidence of using the prescribed lifecycle, although the actual processes and work activities used will depend on the technologies in the design and type of safety equipment in question. For equipment developers, evidence of using these methods must be gathered during the design and made available for assessment.

5. Software

Software requires special attention from the developer if it is involved in performing the safety function. Software defects are a specific type of systematic failure and a full discussion is beyond the scope of this paper. However, these points should be noted:

• Ensure requirements are fully captured and traceable through the development lifecycle
• Remember the linkage between hardware and software – FMEA is a rich source of generating software requirements to achieve hardware diagnostic coverage
• Develop a software review culture (and keep evidence; informal log books are fine)
• Modifications must include an impact analysis and proof of the implementation process
• Configuration management is critical, including versions of test and development tools
• SOUP (software of unknown provenance) and COTS (commercial-off-the-shelf) are best avoided, or extreme care should be taken in their use
• Invest in and maximize the use of automated test tools – anything repetitive or requiring manual effort to generate test cases or logging results will lend itself to such tools
• Static analysis tools – some are very affordable and offer great benefit; the deeper and wider the analysis the better
• Coding standards – this is an essential requirement to ensure correct and safe constructs and a safe language sub-set are used
• Use recommended development tools (e.g. Misra C) to facilitate the structure of the safety software compliance
• For systems integrators, achieving compliance to IEC 61511 is relatively straightforward

6. Functional Safety Assessment

All safety systems must undergo an independent functional safety assessment (FSA) covering the hardware and software as well as all the related processes used in the realization of the instrument/system. The FSA applies to all activities in the lifecycle of the safety system or instrument.

Requirements for the FSA are defined in IEC 61508-1 (general requirements, section 8). The accredited certification process is defined by the international standard for certification ISO/IEC 17065. The requirements for the assessment, including the methods and techniques prescribed, increase in rigor with higher SIL. There is a minimum level of independence between the assessment team and the work being assessed, which depends on the SIL and the lifecycle activities being evaluated.

7. Management of Functional Safety

IEC 61508-1 makes it clear that all organizations that deal with safety instrumented systems should operate a functional safety management (FSM)/process. This could be a company-wide process, typically part of the company’s Quality Management System, and should include the additional elements required for functional safety. Alternatively, it could be implemented as an overarching plan that covers a specific project and details how functional safety will be achieved. Either way, FSM is indispensable to avoid systematic failures and for creating a safety culture. No product, system or operation can claim to conform to the IEC 61508 standard without this critical assessment, which should govern all safety-related work activities from concept to decommissioning.

An important part of the FSM is the development structure, deployment, and assessment of the competence of all staff who have any roles or responsibilities associated with safety systems. For companies starting a functional safety project for the first time, FSM is a good place to begin as it establishes the procedural infrastructure in advance.

Continued Need Across the Globe

History shows there is a great need for industry to provide evidence of the reliability of automated safety systems to ensure the safety of people, the environment, and corporate assets. IEC 61508 and related standards provide the systematic capability lifecycle approach necessary to achieve functional safety. Around the world, new and existing plants are being measured against the criteria of this standard and market requirements for elements/sub-systems that are suitable for SIL-rated systems are now commonplace. This enables instrument suppliers to benefit commercially from functional safety certification, increasing their market advantage by earning “product-of-choice” status among current and future customers.

Common Functional Safety Terms and Concepts

• Functional Safety is when safety relies on:
  – Safety function(s) – what the equipment does, and
  – Safety integrity – how reliably the equipment does it
• It is aimed at systems, typically formed from discrete instruments such as:
  – Sensors (to detect for unsafe process/machine conditions)
  – Logic solvers (decision making or controlling devices)
  – Output elements (devices that physically interrupt or halt the process/machine to make the situation safe)
• It is concerned with how the systems/instruments can fail: failure modes
• How likely will the system/instrument failure mode occur: failure data
• The SIS is used to reduce the risk(s) to an “acceptable level” (a figure generally accepted by society and legislators)
• The level of risk reduction required from the SIS will define its Safety Integrity Level (“SIL”). The SIL places:
  – Limits on the probability of random hardware failure, and
  – Requirements on the systematic failure during the development process known as the “lifecycle” used during the product realization phase
• Note that before a SIS is specified, risk control is already reduced as much as possible by conventional measures such as good (safe) process/machine design, the basic control system, alarms, trips, relief systems, procedural measures, etc.

In a highly complex, safety-related system where functional safety is required, equipment suppliers should identify an accredited third-party agency, such as CSA Group®, that can evaluate and certify compliance with the IEC 61508 or applicable industry-specific standard. Accreditation provides an internationally recognized approval and the qualification to perform functional safety conformity assessments. It also means that the third-party agency has demonstrated strong competency, met the requirements of the technical authority, is subject to annual audits by the accrediting body, and provides annual compliance evidence to the accreditation agency as proof of full conformance with the requirements of IEC 61508.

CSA Group demonstrates its experience and expertise in functional safety with a highly knowledgeable staff capable of carefully performing conformity assessment, while providing levels of service that help clients optimize their businesses.

Contact Us

To learn more about how CSA Group can help you comply with IEC 61508, contact us today.

866 797 4272
[email protected]
csagroup.org

© 2018 CSA Group Testing & Certification Inc. All Rights Reserved.
csagroup.org 10/2018