Journey to IEC 61508 Compliance
The journey to IEC 61508 compliance begins with a functional safety management system.
IEC 61508-1, subclause 6.2.1, describes the required functional safety management system.
Compliance to the IEC 61508 functional safety management system can be more difficult for
some organizations than for others. Organizations with strong compliance to ISO 9001 find
stepping up to IEC 61508 compliance much easier than organizations with weak compliance to ISO 9001.
Why Not Engineering suggests that compliance to IEC 61508-1, subclause 6.2.1, be accomplished in three
steps. These steps are:
1. Develop a management system
2. Evolve the management system into a quality management system, and then
3. Evolve the quality management system into a functional safety management system.
Step 1. A management system (Open loop)
A management system consists of a set of documented procedures that describe the organization's
processes in a way similar to ISO 9001. These procedures describe the forward gain, or value added,
that management expects from them. When these documented procedures are followed, the management system is stable.
ISO 9001:2000, paragraph 0.2, identifies the process approach to a management system and is quoted here:
"For an organization to function effectively, it has to identify and manage numerous linked
activities. An activity using resources, and managed in order to enable the transformation of inputs
into outputs, can be considered as a process. Often the output from one process directly forms the
input to the next. The application of a system of processes within an organization, together with the
identification and interactions of these processes, and their management, can be referred to as the
Why Not Engineering has developed generic ISO 9001 procedures that implement the process approach
described in ISO 9001:2000, paragraph 0.2.
These procedures are designed to comply and be traceable to every ISO 9001:2000 paragraph.
The most difficult paragraph of ISO 9001:2000 to comply with is 4.1, parts a) and b).
This paragraph requires that all needed processes are identified, and that the sequence of the
processes and the interactions between these processes are determined. This is known as the lifecycle.
If your ISO 9001 auditor is not helping you with compliance to this paragraph, you will have a difficult
time with compliance to IEC 61508. The Why Not Engineering Generic ISO 9001:2000 Procedures immediately provide adequacy
to ISO 9001:2000, paragraph 4.1 a) and b). All needed processes are contained in procedures that are
sequenced. All procedures have the required inputs and outputs. The procedure inputs and outputs are
traceable from the source procedures and traceable to the sink procedures. In this way, the ISO 9001:2000,
paragraph 4.1 requirements are met.
Step 2. A quality management system (Closed loop)
A quality management system builds upon the management system already established in step 1
by providing compliance feedback from the adequate documented procedures to the organization's management.
This feedback comes from metrics and process audits performed with independence. The compliance feedback
is used for process improvement. Usually a quality assurance process is added to accomplish this.
Why Not Engineering is able to assist organizations with developing a quality assurance process. Why Not Engineering is developing a
generic Quality Assurance Manual adequate to ISO 9001:2000 and IEC 61508. A quality management system
is motivated to eliminate all defects before the customer receives products. This promotes customer
Step 3. A functional safety management system (Closed loop with harm reduction)
A functional safety management system moves the quality management system in step 2 from defect
reduction to harm reduction. See the short section "Does your programmable electronic system require
safety?" An important factor in harm reduction is the avoidance of systematic failures. IEC 61508
defines a systematic failure as "failure related in a deterministic way to a certain cause, which
can only be eliminated by a modification of the design or of the manufacturing process, operational
procedures, documentation or other relevant factors". For safety component development
(IEC 61508-2 and/or IEC 61508-3), the effort to reduce systematic failures is proportional to the Safety
Integrity Level (SIL) calculated for the component. Why Not Engineering is researching and developing generic procedures
adequate to IEC 61508-1, IEC 61508-2, and IEC 61508-3. Just like the Generic ISO 9001:2000 Procedures,
the IEC 61508 procedures will use the "Process Approach". All procedures will be defined, sequenced, and
traceable to the appropriate IEC 61508 requirement. All procedure inputs and all procedure outputs will
trace to sources and sinks respectively. Also, all Conformity Assessment of Safety-Related Systems (CASS) Targets of
Evaluation (TOEs) will have traceability to the Generic IEC 61508 Procedures.
Once step 3 has been completed, a third-party evaluation of adequacy to IEC 61508 is wise.
A third-party evaluation permits customers to know objectively that an organization has the ability
to meet IEC 61508 requirements. While a safety system is being developed, a third party monitoring the
safety system development can confirm compliance to IEC 61508. Although Why Not Engineering can assist in this effort,
Why Not Engineering is not authorized to certify any organization to IEC 61508. However, there are firms that can certify
organizations to IEC 61508.
Sira Test & Certification LTD. (Sira) is authorized to certify organizations via the
Why Not Engineering can
assist an organization to meet all IEC 61508 requirements. Then, if desired, the organization can request
IEC 61508 certification. Read the short section entitled "Why is Process Certification Required?"
Does your programmable electronic system require safety?
IEC 61508 represents industry best practices for the safety of programmable electronic systems.
Safety is defined by IEC 61508 as "freedom from unacceptable risk." Risk is defined by IEC 61508 as
the "combination of the probability of occurrence of harm and the severity of that harm."
Harm is defined by IEC 61508 as "physical injury or damage to the health of people either directly
or indirectly as a result of damage to property or to the environment."
If a failure in your programmable electronic system can cause physical injury or damage to the
health of people, then your programmable electronic system shall meet industry best practices for safety.
The consequences of non-compliance to industry best practices for safety,
or of not showing due diligence, could be grounds for civil or criminal action. Again, the risk must be determined for
each organization. Why Not Engineering can assist your organization in meeting all IEC 61508 requirements.
Why is process certification required?
A programmable electronic safety product is as safe as the process that developed it.
What this means is that systematic failures can be introduced during the programmable electronic
safety product development. IEC 61508 requires a lifecycle to be followed to reduce the chances of
systematic failures to an acceptable risk. Without following the lifecycle, no claim to any programmable
electronic system safety is possible. Random failures can be reduced to zero, and still no statement of
programmable electronic product safety can be made.
For practical purposes, compliance to IEC 61508 requires third-party certification. The
practical reasons are that the IEC 61508 lifecycle must be followed, and proof that the lifecycle was
followed needs to be documented. Proof (objective evidence) is believed when the proof is obtained with
independence. Thus a third-party certification is required to validate that proof.
Why Not Engineering - All Rights Reserved