Functional safety life cycle

NOTE 1 The term functional safety life cycle Is strictly more accurate, but the adjective functional is not considered necessary in this case within the context of this standard. 

S Functional safety life cycle management (FSLCM) ... 

There are a number of approaches to providing safe application software in SISs. However, regardless of the approach used to achieve safe application software, it is assumed that the safety life cycle steps prior to application software development have been executed properly (for example, hazard and risk assessment, functional description development, equipment (hardware and software) selection). 

The standards [l]-[3] concern the entire life cycle of a plant ( safety life cycle ), i.e. all activities required for realizing safety functions during a period which begins with the concept phase of a project and ends when aU safety functions are no longer available for use. In addition to quantitative requirements the standards contain numerous qualitative requirements, which are not discussed here. However, it must be borne in mind that fulfilling the qualitative requirements does not automatically lead to the quantitative requirements being fidfilled. 

Safety instrumented systems (SIS) play a major part in industrial risk management as risk reduction measures. The main European standard for functional safety of SIS, denoted electrical / electronic / programmable electronic (E/E/PE) safety-related systems, is the EC 61508 (lEC, 2005a). The second edition will soon be adopted in 2009 (EC, 2009). Objectives are to enable the design of SIS, and the development of apphca-tion sector standards. Such examples are EC 61511 (lEC, 2004) for process industry, and EC 62061 (EC 2005b) for machinery. One of the main contributions of EC 61508 is to consider the overall system and software safety life cycle. The standard fi amework, with the corresponding normative parts and subclauses, is ... 

A specification containing all the requirements of the safety functions that have to be performed by the safety-related system. It includes both what the functions must do and also how well they must do it. It is often a contractual document between companies and is one of the most important documents in the safety life cycle process. Safety Rule... 

Figure E.l represents the simple flow of the system safety process and provides a graphic summary of the materials presented in this text. This flowchart shows the typical functions of the system safety life cycle.

The stages in the safety life cycle at which the functional safety assessment activities are to be carried out shall be identified during safety planning. 

Figure 8 - SIS safety life-cycle phases and functional safety assessment stages...

Where development and production tools are used for any safety life-cycle activity, they shall themselves be subject to a functional safety assessment. 

Integration tests shall be specified as early in the software safety life cycle as possible to ensure the compatibility of the application software with the hardware and embedded software platform such that the functional and performance safety requirements can be met. 

An analysis shall be carried out to determine the impact on functional safety as a result of the proposed modification. When the analysis shows that the proposed modification will impact safety then there shall be a return to the first phase of the safety life cycle affected by the modification. 

Impact analysis on functional safety as a result of decommissioning required. The assessment includes an update of the hazard and risk assessment to adequately determine any safety life-cycle steps that need to be taken. The assessment also considers -18.2.3... 

Systematic failure normally occurs on account of design failure, including incorrect specifications, using a component not fit for the operation, and or due to error in software. Safety life cycle is adapted for systematic faults. So safety standards meant for E/E/PEs take care of both. SISs (Ref. Chapter VII) are developed to prevent or mitigate hazardous events to protect people or the environment, or prevent damage to process equipment. In this connection another important issue is SIL (Chapter VIII), which is a discrete level for specifying the safety integrity requirements of safety functions, but is not a measure of risk. SIL provides means for risk reduction to a tolerable level. The fundamental question, in case of functionally safe instrumentation, is how frequently failures of function will lead to accidents. The answers can be ... 

Part 2 This part is realization part. This part mainly deals with the hardware safety part of E/E/PEs. It covers a detailed safety life cycle for hardware and aspects of assessing functional safety for the hardware. Part 2, Annex A, includes control of failures during operation, and techniques and measures respectively. Annex C covers the calculation of diagnostic coverage factor (what fraction of failures are identified by the hardware) and safe failure fiaction. All these annexure are required for compliance. 

The overall life cycle discussions in the standard mainly covered in this main Clause 7, having 17 major sub-clauses. Now coming back to main life cycle phases in Fig. VI/4.0.2-1, it is seen that the first part of the safety life cycle is basically the analysis part comprising concept, scope for the system/EUC, hazard/risk analysis, creation of overall safety requirements, and identification of specific safety functions to prevent the identified hazards safety requirements allocation. The middle part is realization activities (Clause 7.10) as detailed in Figs. Vl/4.1.4-1 and Vl/4.1.4-2, are dealt with in Parts 2 and 3 discussions. The next part of the life cycle is related to installation and commissioning (Clause 7.13). Then comes the validation (Clause 7.14), operation and maintenance (Clause 7.15), modification, retrofit (Clause 7.16), and finally, decommissioning (Clause 7.17). 

Authorization is necessary for software modification under the procedures specified during planning. Major issues involved in authorization shall include but are not limited to Hazard to be affected, and proposed change with necessary reason (duly documented). It is necessary to ensure that the required SIL is maintained. In this connection for detailing, clause number 7.8 of the standard may be referenced. The modification process involves an analysis on the impact of the proposed on functional safety and how much of the safety life cycle must be repeated. 

It specifies system architecture, hardware configuration, application software (user and integrator of SIS), and system integration, requirements for safety instmment functions (SIFs) including human factor, and safety life cycle. It also specifies the techniques and measures for SIL. 

Fig. Vll/1.0.1-1 shows various methods of risk reduction in a common figure to include all risk reduction methods. Here, SIS is of main concern to us, so it is shown separately (in dark box). SISs are one of the most commonly used, engineered safeguard systems offering good flexibility to the designers. On account of safety life cycle requirements of lEC 61508/61511, and for better SIS design, experts need to analyze the risk associated with process under control at the beginning. SISs are risk-based systems. When in the subject, it is better to address the first barrier, then to SIFs. Barrier functions are planned for prevention, regulation, and mitigation of undesired events. In safety barriers, such barrier functions are used to combat undesired events. A safety function could be a technical or organizational function, human action, or a combination of them, used to reduce risks. Therefore, safety functions are a type of barrier.

NFPA 72 provides good guidelines for fire detectors. In order to achieve real functional safety, the safety life cycle analysis, which will be discussed next, could be helpful. 

When ASICs are used in a safety function the safety life cycle of the ASICs shall be studied. 

As per lEC 61511 one sees that Persons, departments, organizations involved in safety life cycle activities shall be competent to carry out the activities for which they are accountable. Therefore involvement of certified functional safety experts at an early stage is helpful in appropriate equipment selection and proper framing of... 

Since different people work as per SRS during different phases of the safety life cycle, it is necessary that SRS is developed in an easily understandable manner. SRS includes the functional description of the safety functions as well as all the conditions that cause them to be triggered. In addition, determination of the SIL is part of the detailed consideration of each safety function. 

SIS and SIL for BMS A master fuel trip required by design codes demands multiple actions. The verification results shall confirm that the required risk reduction is achieved. However, the validation can be compromised when an SIF is not defined properly and its functional requirements are poorly specified or when all actions for total shutdown are included in the same functional requirements of the same SIF [8]. From discussions in previous chapters it is clear that the safety life cycle model not only helps with necessary ways and means to avoid systematic failures, but also helps to ensure the required integrity level to prevent random failures. The safety standards (lEC 61508/61511) required to identify a set of parameters and factors for PFDavg calculations are ... 

Safety life cycle All required activities involved in the implementation of safety instrumented functions occurring during a period of time that starts at the concept phase of a project and finishes with decommissioning including management of change. 

---