This is the third in a series of short articles on IEC 61508. IEC 61508 applies whenever
a computer-based system is used to carry out a safety function. The purpose of these articles is to
give the reader an appreciation of this international standard.
The starting point for compliance with IEC 61508 in safety-related system development is to
understand the safety-related system lifecycle. The safety-related system lifecycle starts with a
functional safety management system; the remainder of the lifecycle will be discussed
in following articles. The requirements for the functional safety management system are identified
in IEC 61508-1, clause 6. The functional safety management system requires project management,
configuration management, quality assurance, functional safety assessment, verification, and validation.
Although IEC 61508 does not specifically require it, an ISO 9001 quality management system addresses
most of the clause 6 requirements. IEC 61508 also encourages the use of other industry standards that
give detailed guidance on these requirements. The functional safety management
system requirements are explained in the following sections.
Project management is traceable to IEC 61508-1, subclause 6.2.1 a), b), c), and g).
Project management involves two major disciplines: safety planning, and safety tracking and oversight.
Safety planning establishes compliant safety plans for meeting the objectives of IEC 61508.
Safety tracking and oversight provides visibility into actual progress toward the IEC 61508
objectives, so that management and the functional safety assessor can take corrective action when
performance deviates from the compliant safety plans.
The objectives of project management are:
- safety project estimates are documented and used to plan and track the safety project,
- safety project activities and commitments are planned and documented,
- all safety development personnel agree to their safety project commitments,
- actual safety results and performance are tracked against the safety plans,
- corrective actions are managed to closure, and
- changes to safety plans and commitments are agreed upon by the affected safety development personnel.
Configuration Management is traceable to IEC 61508-1, subclause 6.2.1 d), l), m), and o).
Configuration management establishes and maintains the integrity of the safety documentation
throughout the lifecycle.
The objectives of configuration management are:
- safety lifecycle documentation is identified,
- safety lifecycle documentation is controlled (by a Configuration Control Board),
- safety lifecycle documentation is made available, and
- changes to identified safety lifecycle documentation are controlled
(through a problem reporting system for corrective actions).
Quality Assurance is traceable to IEC 61508-1, subclause 6.2.1 k). Quality assurance provides
safety management with independent and objective visibility into the safety lifecycle being used and
the safety documentation being developed.
The objectives of quality assurance are:
- safety lifecycle activities comply with documented and controlled safety lifecycle
procedures, and this compliance is verified objectively,
- safety lifecycle documentation complies with safety lifecycle documentation standards, and this
compliance is verified objectively,
- the safety development team is informed of quality assurance activities, and
- noncompliance issues that are not resolved at the safety project level are resolved
by senior management.
Functional Safety Assessment is traceable to IEC 61508-1, subclause 6.2.1 f) and g).
Unlike the civil aviation industry, which is regulated by government, unregulated industries
typically have no certification authority to oversee safety. In the civil aviation industry
in the United States of America, a Designated Engineering Representative (DER) is employed by
the safety system development company but designated by the certification authority, the
Federal Aviation Administration (FAA); the DER approves the safety system development and
submits objective safety evidence to the certification authority.
IEC 61508 requires a Functional Safety Assessor to provide an approval function similar to that of a DER.
Third party certification companies, such as Sira Test & Certification Ltd. (Sira), can take the
place of a government certification authority in a self-regulated industry.
Functional safety assessment is a process that independently
investigates and arrives at a judgement on the functional safety achieved by the safety project.
Objective evidence of the functional safety assessment is produced and retained to show due diligence.
Verification is traceable to IEC 61508-1, subclause 6.2.1 g). Verification is a technical
assessment of the results of the lifecycle processes. Verification is not just testing:
testing can show the presence of errors but cannot show their absence. Verification therefore
includes a combination of reviews, analyses, and tests. The objective of verification is to
demonstrate and document, for each safety lifecycle process, that the process outputs meet the
process objectives and requirements.
Validation is traceable to IEC 61508-1, subclause 6.2.1 g). Validation determines that the
safety system requirements are the correct requirements, and that they are complete. Validation
includes a combination of reviews, analyses, and tests. For safety system developers, validation
proves that the safety requirements have been met. Verification and validation are easily
confused. It can be verified that a person holds a driver license, but that does not mean the
driver license is valid. Typically, process inputs are determined to be valid before the expense
of verifying the process outputs is incurred; the safety concern is that verification effort spent
against invalid requirements produces a system that correctly meets the wrong requirements.
The next article in this series will address the overall safety lifecycle requirements.
Paul Bodeau is a member of the Safety Division with over 25 years of diversified engineering
experience, mostly in safety firmware development for military and civilian aviation. Mr.
Bodeau can be reached through the Contact Us page of the Why Not Engineering web site
at http://www.whynotengineering.com.
Copyright (C) 2003 Paul Bodeau. All Rights Reserved.
Why Not Engineering - All Rights Reserved