Founder's Articles on IEC 61508 and ISO 9000
Published in April, 2004
E/E/PES development documentation (Objective 2) - Article #7
This is the seventh in a series of short articles on IEC 61508.
IEC 61508 is required whenever a computer-based system is used to carry out a safety
function. The purpose of these articles is to give the reader an appreciation
for this international standard.
IEC 61508-2, clause 7 requires an understanding of the development
processes of the Electrical/Electronic/Programmable Electronic System (E/E/PES)
lifecycle. The objectives of IEC 61508-2, clause 7 are:
1. define the processes of the E/E/PES development to achieve the required functional safety.
2. document all information relevant to the functional safety of the E/E/PES development.
The previous article in this series addressed the E/E/PES development processes,
item 1 above. This article addresses the E/E/PES safety development documentation,
item 2 above. The E/E/PES safety development documentation is required as objective
evidence that a particular development process is complete, and it represents the
value that process adds for the dependent processes that follow it. This data is
retained to support E/E/PES safety product maintenance and to demonstrate due
diligence with respect to IEC 61508. The E/E/PES development documentation consists
of: the E/E/PES Safety Requirements Specification, E/E/PES Design Document, E/E/PES
Implementation Documentation, E/E/PES Integration Documentation, E/E/PES
Verification Results, and E/E/PES Validation Results.
The purpose of the E/E/PES Safety Requirements Specification is to prove that the
functional requirements and safety integrity requirements allocated from the E/E/PES
proposal or other customer documents are compliant with IEC 61508-2, subclause 7.2,
and IEC 61508-7, B.2.1. Applying an E/E/PES Safety Requirements Specification
Standard aids the development of the E/E/PES Safety Requirements Specification by
including requirements methods that address the requirements of IEC 61508-2,
subclause 7.2, and IEC 61508-7, B.2.1. IEC 61508-7, B.2.1, requires a structured
specification. Computer Aided Systems Engineering (CASE) tools are available to assist
the development of a structured specification. Not all of the E/E/PES Safety
Requirements Specification needs to be completed before the E/E/PES design process
can begin. However, a critical amount (the transition criteria) of the E/E/PES Safety
Requirements Specification must be complete to permit the start of the E/E/PES design
process. The E/E/PES Safety Requirements Specification is complete when it documents
enough requirements to permit the E/E/PES design to be completed.
The purpose of the E/E/PES Design Document is to prove that the E/E/PES safety
requirements are developed into the E/E/PES design and are compliant with IEC 61508-2,
subclause 7.4, and IEC 61508-7, B.3.2. Applying an E/E/PES Design Document Standard
aids the development of the E/E/PES Design Document by including design methods that
address the requirements of IEC 61508-2, subclause 7.4, and IEC 61508-7, B.3.2.
IEC 61508-7, B.3.2, requires a structured design. CASE tools are available to assist
the development of a structured design. Not all of the E/E/PES Design Document needs
to be completed before the E/E/PES implementation process can begin. However, a
critical amount (the transition criteria) of the E/E/PES Design Document must be
complete to permit the start of the E/E/PES implementation process. The E/E/PES
Design Document is complete when it documents enough design to permit the E/E/PES
implementation to be completed.
The purpose of the E/E/PES Implementation Documentation is to prove that the E/E/PES
design was built from the E/E/PES Design Document and is compliant with IEC 61508-2,
subclause 7.4.7, and IEC 61508-7, B.3.3. Applying an E/E/PES Implementation Standard
aids the development of the E/E/PES implementation by including implementation methods
that address the requirements of IEC 61508-2, subclause 7.4.7, and IEC 61508-7, B.3.3.
IEC 61508-7, B.3.3, requires the use of well-tried components. Not all of the E/E/PES
Implementation Documentation needs to be completed before the E/E/PES integration
process can begin. However, a critical amount (the transition criteria) of the E/E/PES
Implementation Documentation must be complete to permit the start of the E/E/PES
integration process. The E/E/PES Implementation Documentation is complete when it
documents enough implementation to permit the E/E/PES integration to be completed.
The purpose of the E/E/PES Integration Documentation is to prove that the E/E/PES
Executable Object Code (if software is required) was loaded into the integrated
E/E/PES as described in the E/E/PES Implementation Documentation, and is compliant
with IEC 61508-2, subclause 7.5, and IEC 61508-7, B.3.4. Applying an E/E/PES
Integration Standard aids the development of the E/E/PES integration by including
integration methods that address the requirements of IEC 61508-2, subclause 7.5, and
IEC 61508-7, B.3.4. IEC 61508-7, B.3.4, requires the use of modularization. The
integration of each validated hardware module from the E/E/PES Implementation
Documentation is documented in the E/E/PES Integration Documentation. The software
configuration items are also integrated. Not all of the E/E/PES Integration
Documentation needs to be completed before the E/E/PES validation process can begin.
The E/E/PES Integration Documentation is complete when all validated modules are
integrated into the E/E/PES.
The purpose of the E/E/PES Verification Results is to prove that the E/E/PES safety
development processes and the associated E/E/PES safety development documentation are
compliant with IEC 61508-2, subclause 7.9, and IEC 61508-7, B.1.1. Applying an E/E/PES
Verification Standard aids the development of the E/E/PES Verification Results by
including verification methods that address the requirements of IEC 61508-2,
subclause 7.9, and IEC 61508-7, B.1.1. The E/E/PES is assessed for safety under
IEC 61508-2, subclause 8, Functional safety assessment. Not all of the E/E/PES
Verification Results need to be completed before the E/E/PES validation process can
begin. The E/E/PES Verification Results are complete when they permit an assessment
of the E/E/PES for safety.
The purpose of the E/E/PES Validation Results is to prove that the E/E/PES safety
development documentation is compliant with IEC 61508-2, subclause 7.7, and
IEC 61508-7, B.6. Applying an E/E/PES Validation Standard aids the development of the
E/E/PES Validation Results by including validation methods that address the
requirements of IEC 61508-2, subclause 7.7, and IEC 61508-7, B.1.1. The E/E/PES is
assessed for safety under IEC 61508-2, subclause 8, Functional safety assessment. Not
all of the E/E/PES Verification Results need to be completed before the Functional
safety assessment process can begin. The E/E/PES Validation Results are complete when
they permit the completion of the E/E/PES verification in support of an assessment of
the E/E/PES for safety.
This article presented the E/E/PES safety development processes with their
traceability to IEC 61508-2. The E/E/PES safety development engineer should become
familiar with these IEC 61508-2 subclauses to fully understand how to comply with
this international safety standard. The next article in this series will address
software compliance (IEC 61508-3).
Paul Bodeau is a member of the Safety Division with over 25 years of diversified
engineering experience, mostly in safety firmware development for military and
civilian aviation. Mr. Bodeau can be reached at (661) 260-1210, or
pbodeau@WhyNotEngineering.com.