
Functional Safety Management Explained
IEC 61508 / 61511 for end-users, integrators and product suppliers

Michel J.M. Houtermans, Ph.D.
President, Functional Safety Management
Olympiade 42, Brunssum, The Netherlands

Thomas Huber
Senior Project Manager, ASI
Am Grauen Stein, Cologne, Germany

Wolfgang Velten-Philipp
Senior Project Manager, ASI
Am Grauen Stein, Cologne, Germany

KEYWORDS
IEC 61508, IEC 61511, Management, Functional Safety, Life cycle, SIL, End-users, Operators, Integrators, Manufacturers

ABSTRACT
Functional safety is a topic that deals with the correct functioning of a safety-related system under all circumstances. Correct functioning depends not only on the physical safety product itself (hardware and software) but, even more so, on the way it was developed, allocated, built, installed, operated and maintained. No matter how good automated safety products will be in the future, achieving safety is, and will primarily remain, an organizational issue. Only if your organization has established a safety culture will it be able to achieve functional safety in all aspects of its business. Program sponsors, project managers and management in general have the responsibility to ensure that the probability of an incident and its consequences are minimized. Managers must therefore strive to achieve the highest practicable level of safety. Potential hazards need to be identified and addressed as early as possible in the project lifecycle, when the opportunity to remove or negate them still exists. A systematic approach to safety is required to provide assurance that new systems are tolerably safe for their intended purpose throughout the system lifecycle. That is why functional safety needs to be managed throughout the lifecycle of a safety system. Functional Safety Management (FSM) is the key to guaranteeing safety and can only be accomplished if the right people are in the right place with the right tools doing the right things at the right time.

This paper focuses on functional safety management for end-users, operators, system integrators and product manufacturers. It explains what functional safety is and why functional safety management is important. The paper explains the objectives of functional safety management and who should implement them. Next, the requirements and implementation of functional safety management according to IEC 61508 and IEC 61511 are addressed. At the end of the paper we explain why it is good to be assessed and the experiences TUV has gathered over the years with certification of functional safety management systems.

Copyright 2003 by ISA - The Instrumentation, Systems and Automation Society. Presented at ISA EXPO 2003; www.isa.org

INTRODUCTION
A fatal explosion happened on April 1, 2003, at a melamine chemical plant in The Netherlands. Three maintenance engineers were standing on top of a boiler when it exploded. The explosion was caused by a series of what was called human error. Research carried out by the chemical company itself showed that safety procedures had been violated several times, that the procedures were not always clear, and that the company lacked a means of verifying that the procedures were actually followed. Operators controlling the boiler from the control room made mistakes that led to the explosion. Despite strict procedures, gas supply valves were open, and a ventilator was started later than required. This caused the gas in the boiler to mix with air, which eventually ignited and resulted in the explosion [1].

The actual problem here is a lack of a true safety culture. Although the company had all the safety procedures in place that are required to run its processes safely, it fell short in "thinking" safety at all times. This is a major issue for the safety industry and is recognized by international safety standards like IEC 61508 [2]. The focus of IEC 61508 is on the physical safety equipment protecting the process, but it takes the human aspects into account through so-called functional safety management. Functional safety management is required to assure safety throughout the lifecycle of a process or plant. Especially during startup, shutdown and maintenance, safety is often unintentionally (or intentionally) jeopardized because these are unusual situations. The lifecycle approach makes safety independent of the safety expert: everybody is involved in achieving safety, not only the hazard and risk specialists and the safety instrumented system specialists but also the operators, the maintenance engineers and, of course, management.

This paper focuses on functional safety management for end-users, operators, system integrators and product manufacturers. It explains what functional safety is and why functional safety management is important. The paper explains the objectives of functional safety management and who should implement them. Next, the requirements and implementation of functional safety management according to IEC 61508 and IEC 61511 are addressed. At the end of the paper we explain why it is good to be assessed and the experiences TUV has gathered over the years with certification of functional safety management systems.

FUNCTIONAL SAFETY
Functional safety is defined as that part of the overall safety relating to the equipment under control (EUC) and the EUC control system that depends on the correct functioning of the electrical, electronic and programmable electronic (E/E/PE) safety-related systems, other technology safety-related systems and external risk reduction facilities [2]. In practice this means that functional safety deals with the correct functioning of safety-related systems and verifies that random, systematic and common cause failures do not lead to malfunctioning and do not result in injury or death of humans, hazards to the environment, or loss of equipment or production. Thus it is that part of the overall safety which depends on the correct functioning of the safety-related system [8].

FSM was first introduced in the functional safety standard IEC 61508 [2] and did not exist in such detail in its predecessor DIN V VDE 0801 [3]. IEC 61508 follows a complete safety lifecycle approach. This safety lifecycle works as a technical framework that makes the requirements of the safety-related system a function of the process it is trying to protect, see Figure 1.

Figure 1. Overall Safety Lifecycle With Functional Safety Management Activities [7]

[Figure: the overall safety lifecycle phases drawn as a flow diagram, framed by the activities that run across all phases: Management of Functional Safety, Functional Safety Assessment, Documentation and Verification. Phases shown, numbered as in the figure:
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
9. Safety-related systems: E/E/PES realisation
12. Overall installation and commissioning
13. Overall safety validation
14. Overall operation, maintenance and repair
15. Overall modification and retrofit
16. Decommissioning or disposal]

The safety lifecycle is divided into distinct phases that address requirements, among others, for the:
- process to be protected;
- hazard and risk analysis;
- specification and allocation of safety requirements;
- realization of the hardware and software implementing the safety-related system;
- planning for, and the actual, installation, commissioning, safety validation, and operation and maintenance of the safety-related system;
- modification, retrofit and decommissioning.

Continuous successful implementation of these requirements in practice requires an organization that has established a “safety culture” and is capable of managing all aspects related to functional safety. This is independent of whether the organization is a user, operator, developer or integrator of safety systems, but it goes beyond the normal quality procedures (ISO 9000, 14000) these companies might have in place if they are not yet adapted to IEC 61508. Thus industry recognized that in order to establish a safety culture and be successful in the safety industry it would be necessary not only to address the technical safety product requirements but to also focus on the people as well as on the organization and process they used to develop, integrate, install, operate and maintain the safety system. Functional safety is very different from the general environmental, health and safety tasks that a company needs to implement, facilitate and comply with. Functional safety is very specific and focuses on safety-related systems only. The general health and safety measures still need to be in place for the achievement of overall safety in the workplace. FSM can be seen as a subset of the general health and safety issues a company needs to deal with. But as it deals directly with the physical safety-related systems it is a very important subset and protects not only people and environment but also the capital interest of the shareholders.

WHY IS FUNCTIONAL SAFETY MANAGEMENT IMPORTANT?
Functional safety deals with the correct functioning of a safety-related system under all circumstances. Correct functioning depends not only on the physical safety product itself (hardware and software) but, even more so, on the way it was developed, allocated, built, installed, operated and maintained. No matter how good automated safety products will be in the future, achieving safety is, and will primarily remain, an organizational issue. Only if your organization has established a safety culture will it be able to achieve functional safety in all aspects of its business. Program sponsors, project managers and management in general have the responsibility to ensure that the probability of an incident and its consequences are minimized. Managers must therefore strive to achieve the highest practicable level of safety. Potential hazards need to be identified and addressed as early as possible in the project lifecycle, when the opportunity to remove or negate them still exists. A systematic approach to safety is required to provide assurance that new systems are tolerably safe for their intended purpose throughout the system lifecycle. That is why functional safety needs to be managed throughout the lifecycle of a safety system. Functional Safety Management (FSM) is the key to guaranteeing safety and can only be accomplished if the right people are in the right place with the right tools doing the right things at the right time.


THE OBJECTIVES
The objectives of FSM are two-fold. First, FSM defines all management and technical activities required during the safety lifecycle phases of a product or process which are necessary for the achievement of the required level of functional safety. Second, FSM specifies the responsibilities of the persons, departments and organizations responsible for each safety lifecycle phase or for activities within each phase. Thus, FSM deals with the organizational measures for the effective implementation of the technical requirements and is solely aimed at the achievement and maintenance of functional safety of the safety-related systems. A good FSM system reduces the risk of failure and enables an organization to achieve safety in a structured way. With FSM, achieving safety is not a lucky shot but the only possible outcome of a project.

WHO SHOULD IMPLEMENT FSM?
FSM applies to any industry that is involved in (E/E/PE) safety-related systems. In practice FSM applies to end-users, system integrators and product developers. The following table gives an overview of typical safety products and industries that require FSM.

Table 1. What Requires FSM?

Typical safety-related systems requiring FSM:
- Safety instrumented systems
- Fire and gas systems
- Safety-related instrumentation and control
- Burner/boiler management systems
- Turbine and compressor safeguarding
- Pipeline monitoring systems
- Bus-communication systems
- Actuation systems
- Partial stroke testing equipment

Typical industries that need to implement FSM:
- Oil and gas
- Chemical
- Petrochemical
- Pharmaceutical
- Automation
- Automotive
- Integrators and product developers for these industries


IEC 61508 VS IEC 61511
IEC 61508 is the overall umbrella standard for functional safety. It applies to all industries incorporating E/E/PE systems for safety purposes. It is a performance-based standard: the level of compliance, as well as the importance and effectiveness of the requirements, depends on the level of safety required. It is a generic standard applicable to any E/E/PE safety system. The requirements of the standard address the so-called equipment under control (e.g., a chemical process plant) and the safety-related system (e.g., an emergency shutdown system). Which requirements apply depends on the Safety Integrity Level (SIL). The SIL is a quantitative index of the required reliability of the PES as a function of the criticality of the process to be protected [7]. IEC 61508 uses four levels, SIL 1 to SIL 4, where SIL 4 represents the toughest requirements. The activities and requirements associated with management of functional safety also depend partially on the SIL.

IEC 61511 is a sector-specific standard and applies to the process industry. Where IEC 61508 uses the general term safety-related system, IEC 61511 uses safety instrumented system (SIS), a more common term in the process industry. The term includes sensors, logic solvers, final elements and other peripherals like field connections or cabling. For both standards, FSM includes requirements for:
- management of functional safety itself;
- functional safety assessment;
- documentation;
- lifecycle management;
- verification and validation.

Both IEC 61508 and IEC 61511 define requirements for the above tasks, and they can apply to any kind of user of these standards. As a minimum, a person, department or company will have to comply with the management of functional safety, functional safety assessment and documentation requirements. Limiting oneself to this minimum is only possible if somebody else has overall responsibility and has assigned only specific tasks to the other party. The difference between IEC 61508 and IEC 61511 concerning FSM lies in the detailed requirements specified in IEC 61511. As IEC 61508 is a general-purpose standard it is only natural that its requirements are more general. IEC 61511 focuses on safety instrumented systems and as such its FSM requirements are more specific.
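The SIL introduced above is a band on the average probability of failure on demand (PFDavg) for a low-demand safety function. The following Python script is an added example, not code from the paper or from the standards; it shows how a hardware PFDavg number turns into a claimable SIL and why a redundant architecture is bounded by common cause failures. It uses the simplified IEC 61508-6 expressions for a single channel (1oo1) and a redundant pair (1oo2) with a common-cause beta factor; the failure rate, proof-test interval and beta value are constructed inputs, and mean repair time and diagnostic coverage are neglected (an assumption of this example). The band limits are the IEC 61508-1 low-demand PFDavg targets.

```python
"""Low-demand PFDavg and SIL band calculation (simplified).

Added example, not from the paper. Simplified IEC 61508-6 expressions
for 1oo1 and 1oo2 with common-cause beta factor; repair time and
diagnostic coverage are neglected (assumption). Only random hardware
failures are covered: systematic failures, software and management
are outside these numbers.
"""

SIL_BANDS = (
    # (SIL, lower bound inclusive, upper bound exclusive) for PFDavg, low demand
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def pfd_1oo1(lambda_du: float, t1_hours: float) -> float:
    """PFDavg of one channel with dangerous undetected failure rate
    lambda_du (per hour) and proof-test interval t1_hours: lambda_DU * T1 / 2."""
    return lambda_du * t1_hours / 2.0


def pfd_1oo2(lambda_du: float, t1_hours: float, beta: float) -> float:
    """PFDavg of a 1oo2 pair: independent dual failures plus the
    common-cause fraction beta that fails both channels at once."""
    independent = (1.0 - beta) ** 2 * (lambda_du * t1_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * t1_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to the SIL band it supports; 0 means no SIL claim."""
    if pfd >= 1e-1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return 4  # below 1e-5: IEC 61508 allows no claim higher than SIL 4


def assess(lambda_du: float, t1_hours: float, beta: float) -> dict:
    """Compare the SIL reachable by 1oo1 and 1oo2 built from the same components."""
    p1 = pfd_1oo1(lambda_du, t1_hours)
    p2 = pfd_1oo2(lambda_du, t1_hours, beta)
    # The common-cause term alone is a floor on what 1oo2 can reach, no
    # matter how reliable each channel is on its own.
    floor = beta * lambda_du * t1_hours / 2.0
    return {
        "pfd_1oo1": p1, "sil_1oo1": sil_from_pfd(p1),
        "pfd_1oo2": p2, "sil_1oo2": sil_from_pfd(p2),
        "ccf_floor_1oo2": floor, "sil_floor_1oo2": sil_from_pfd(floor),
    }


if __name__ == "__main__":
    # Constructed input: lambda_DU = 1e-6 per hour, yearly proof test, beta = 5 %.
    for key, value in assess(1e-6, 8760.0, 0.05).items():
        print(f"{key:16s} {value:.3e}" if isinstance(value, float) else f"{key:16s} {value}")
```

With these inputs the single channel lands in the SIL 2 band and the 1oo2 pair in SIL 3; with beta set to zero the same pair would reach SIL 4, so the common cause fraction, not the component failure rate, decides the claimable level. The number says nothing about systematic failures in the software, the specification or the organization; those are exactly what the FSM, documentation and assessment requirements of both standards address.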

IMPLEMENTING FSM INTO YOUR ORGANIZATION
Most companies have some form of quality management system for their business processes (ISO 9000 or 14000). Although an existing quality system is a good basis, it is not sufficient to comply with the FSM requirements of IEC 61508 or 61511. The challenge is to integrate the additional FSM requirements with the existing business processes and make them part of daily practice or routine. In most cases this requires a culture change in the organization and will take some time. Procedures need to be rewritten, people need to be trained accordingly, and the implementation of the procedures needs to be audited by a sufficiently independent person or organization. Especially companies that manufacture safety as well as non-safety products (will) have a hard time adjusting their procedures to incorporate FSM requirements.

FSM according to IEC 61508/61511 is not yet widespread among end-users, integrators and manufacturers. Although many companies claim to be able to deliver services or run (manufacturing) processes in compliance with IEC 61508/61511, most companies still lack a basic understanding of the standards. This does not mean that these companies cannot achieve safe processes in practice (you don't need a standard for that), but they simply do not comply with the standard. The focus in industry seems to be on hardware probability of failure on demand (PFD) calculations and "proven in use" statements, neglecting software, FSM and processes in terms of the standard's requirements.

A survey carried out by Risknowlogy showed that safety product manufacturers are in the best shape when it comes to FSM. The majority stated that they had FSM implemented in their quality procedures, and half of those interviewed had actually had their FSM certified by a third party like TUV. Of the end-users, half claimed to have adjusted their business processes to FSM, but further questions indicated that the FSM requirements were not always fully implemented; rather, they were scattered throughout the existing business processes. Large end-users (multinationals) did a better job than the smaller, often local, end-users. Where the larger companies tend to struggle with implementing FSM worldwide, the smaller companies tend to lack the resources to understand, teach and implement FSM in their organization. Independent system integrators were the least prepared. Besides the same problems as small end-users, they also lack the understanding that they are an integral part of the lifecycle. For all companies surveyed, the actual knowledge of IEC 61508/61511 was concentrated in a few "experts" within the organization.

DARE TO BE ASSESSED
Both standards require sufficient independence of the auditors who perform FSM audits and assessments. The required independence depends on factors like the required SIL and the complexity of the technology of the safety system. More and more companies will, voluntarily or involuntarily, choose to have their safety procedures verified by an independent party. Only a few companies in the world have actually taken the step to have an independent third party audit and certify their FSM system. This will likely change in the next couple of years, as independent audits bring several advantages to an organization:

- For any organization it means that it can show to government, insurance and other interested parties that it did everything to incorporate safety into the organization and that an independent organization verified that it actually does what it says it does. Organizations can show that they are serious about safety.
- For suppliers and integrators it is a good way to show to end-users that they are serious about functional safety and that they are indeed capable of delivering services in compliance with IEC 61508/61511.
- FSM for the complete organization makes the organization less dependent on individuals. In many companies one (or a few) individual(s) deal with safety. If this individual leaves, all the safety knowledge is lost to the company. Implementing FSM guarantees an organization that is geared toward learning and updating itself. It will have a structure in place that assures that all people in the company or a department are knowledgeable about functional safety.
- Companies implementing FSM can expect to go through a learning curve about their processes. The knowledge about their plant will increase significantly. This can only work to their advantage, as they will better understand their business processes, better understand their plants, hire smarter people that are better suited for their job, and thus be able to improve their plants in terms of safety, productivity and ultimately performance in terms of throughput time.

Assessments and audits should be carried out on a regular basis, but as a minimum once per year. This keeps the organization sharp in terms of safety, especially when a truly independent party carries out the audits. Failing an audit should lead to serious corrective actions that are then actually implemented. If this is not the case, an FSM audit becomes a mere formality that generates a lot of paperwork, does not work to the advantage of the company, and can actually have the opposite effect in terms of safety. The ultimate goal of FSM is to achieve a true safety culture within an organization, which assures that people always "think" safety, no matter which task they carry out.

CONSULTING, ASSESSMENT AND CERTIFICATION EXPERIENCE
The standards require independent verification where the level of independence depends on the required level of safety integrity. For this reason TUV is increasingly being asked not only to independently verify but also to certify the FSM systems that companies have in place. The following are some general experiences that TUV and its consultants have gathered when implementing, assessing and certifying FSM for organizations.

Functional safety certification is defined as a process through which qualified entities can attest that the claimed functions of a system or process are performed at a verifiable level of functional safety. Only a truly knowledgeable independent party can therefore carry out certification. This is also necessary to assure a quality assessment and to give an organization added value for its investment. Because TUV has no conflict of interest with any company that requires its services, it can carry out truly independent functional safety assessments and certifications and treat every company on an equal basis. This assures that every company is audited using the same requirements.

For most companies that we were involved with the situation was as follows. They all started some years ago with implementing quality assurance systems like ISO 9000 or similar. The challenges that came with implementing these quality systems have been overcome by now, and the companies have gone through a learning curve when it comes to optimizing business processes. The issue with FSM is that functional safety knowledge is very specific and was possessed only by a small number of engineers within the organization. These engineers usually do not have specific knowledge of quality assurance procedures and standards; therefore they do not think in lifecycle processes, as required by IEC 61511 and IEC 61508. On the other hand, the quality assurance people understand the processes but do not have sufficient knowledge of functional safety issues. It is difficult to implement a functional safety management system because competence in quality assurance and in functional safety is needed at the same time. The same holds for assessment and auditing of functional safety. This is reflected in current organizations where functional safety management, as far as it exists, is considered to be either a pure quality management task or a pure engineering task.

The most important factor in achieving a functional safety management system is full commitment from management. If management has no sensibility for a safety culture in the company, then no one can expect an engineer or worker somewhere in the plant to have it. Senior management is seldom present in a meeting discussing the requirements of FSM. This is why those companies have a hard time implementing FSM: management cannot support what it does not understand.

We can summarize the experiences from our consulting, assessment and audit activities as follows:
- Few companies have actually implemented FSM in line with IEC 61508 or IEC 61511.
- Those companies that have implemented FSM, or are currently in the process of implementing it, struggle with transforming their existing quality systems.
- Functional safety assessments that are based on pure quality audit procedures are not effective in terms of functional safety. In some cases they actually turn counterproductive, as they turn into paper-producing machines where people do anything just to comply with the paperwork.
- Management commitment is, of course, required and crucial to implement FSM, as it will change the way the company does business. In general, management supports FSM but is ill informed about the implications of implementing it. Safety needs to be brought up to the management level instead of, as is now the case, being pushed down by management to the engineering level.
- Many companies focus only on the technical requirements of the standard and forget about the process and management related requirements.
- The most important document that needs to be created within the scope of the standards is the safety requirements specification (SRS). The SRS is a direct result of the hazard and risk analysis and determines the required safety integrity of the actual safety system. It is very important for verification and validation planning, for example for the Factory Acceptance Test (FAT).
- The role of Functional Safety Assessment (FSA) is undervalued. FSA plays an important role in verifying whether the required safety integrity has been achieved and is an absolutely necessary part of any safety project. FSA always needs to be carried out by the party responsible for the specific lifecycle phase. For example, an end-user who assigns a system integrator to select and install a safety-related system must assess the integrator at different stages of the selection and installation process to assure that the required safety integrity level is reached.



CONCLUSIONS
This paper gave the reader an overview of functional safety management as the IEC 61508 and IEC 61511 standards require it. It focused on end-users, operators, system integrators and product manufacturers and explained what functional safety is and why functional safety management is important. The objectives as well as the implementation of functional safety management were addressed next. At the end, the paper explained the benefits of third-party assessment and the experiences TUV and its consultants have gathered over the years with the implementation and certification of functional safety management systems.

REFERENCES
1. De Limburger, Explosie Gevolg Van Reeks Fouten (Explosion the Result of a Series of Errors), daily newspaper De Limburger, Geleen-Sittard, The Netherlands, June 2003.
2. International Electrotechnical Commission, IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, parts 1-7, IEC, December 1999.
3. DIN V VDE 0801, Principles for computers in safety-related systems, 1990, and amendment A1, 1994.
4. International Electrotechnical Commission, IEC 61511, Functional safety: Safety instrumented systems for the process industry sector, parts 1-3, draft standard, 1999.
5. Instrument Society of America, ISA S84.01, Safety Instrumented Systems, Research Triangle Park, 1996.
6. Aschenbrenner, Stephan, and Houtermans, Michel, IEC 61508 and Management of Functional Safety, ISA, 2000.
7. Houtermans, Michel, A Methodology For Dynamic Process Hazard Analysis And Integrated Process Safety Management, Ph.D. Thesis, ISBN 90-386-2812-9, Eindhoven, The Netherlands, May 2001.
8. Karydas, Dimitrios, and Houtermans, Michel, A Practical Approach for the Selection of Programmable Electronic Systems used for Safety Functions in the Process Industry, 9th International Symposium on Loss Prevention and Safety Promotion in the Process Industries, Barcelona, Spain, May 1998.

