Functional Safety Assessment (FSA) is the mandatory process prior to SIL certification issue that consists in the evaluation of the adequacy of the Functional Safety achieved by an equipment. The Certification Body in charge analyses the conformity of hardware and software to the relevant clauses of IEC 61508 standards. The products assessed through the scheme presented below are defined as a functional unit(s) specified as safety-related system(s) or its subsystem(s) and element(s).
Functional Safety Assessment process can be divided into three main phases:
- Hardware and software detailed design review where auditors review the product design against Functional Safety requirement with manufacturer designers.
- Functional Safety Management System (FSMS) development review that aims to check the presence and the applicability of a management system for functional safety requirements fulfillment.
- Quality constraint audit which aims to verify the implementation of the quality requirements required in the IEC 61508 in the manufacturer QMS.
Hardware and software design review
The first task of the Functional Safety Assessment (FSA) consists in the design analysis (hardware/software detailed design review) usually made at least in part, at customer’s premises and based on all relevant documentation related to product design (hardware detailed schematics, device datasheet, software code, etc.), safety requirements allocation and specification (SRS) and IO manual of the item.
During hardware review the assessor in charge studies the product design to identify the safety-relevant subsystems and components, define the functional architecture (i.e. presence of redundant elements) and uses the gathered information to fill in the preliminary product Failure Modes Effects and Diagnostics Analysis (FMEDA).
- FMEDA, Failure Modes Effects and Diagnostics Analysis
Through a systematic analysis and decomposition of the product in its safety-relevant components, the failure rates (safe/dangerous and detected/undetected) and the potential failure modes of each component are analyzed and categorized based on their effects on the product expected safety function.
Then, the preliminary FMEDA is discussed together with the manufacturer as it highlights the undetected failures that could compromise functional safety, allowing the commissioned assessor to decide upon potential corrective measures to be implemented, as periodic proof test or software/firmware diagnostic measures.
If gaps against IEC 61508 standards requirements are identified during the design review, they are documented through a Gap Analysis Report, where some recommendations for gaps fixing, in terms of design, documentation etc., are reported.
Upon completion of hardware design review, for all the hardware failure modes identified, the software/firmware diagnostic capabilities are evaluated, and the Functional Safety assessor finalizes product Failure Modes Effects and Diagnostics Analysis (FMEDA).
The result of the FMEDA is an estimate of product reliability and diagnostic capability, through failure rates quantification and distribution.
- Quantification of Systematic Capability
After FMEDA finalization, during the hardware validation step, the hardware is assessed for the quantification of systematic capability, by evaluating the implemented measures and techniques for systematic faults avoidance for all lifecycle phases, as specified in IEC 61508-2.
Systematic capability reports the result of project management, documentation quality and control requirements, structured design etc managed through all lifecycle phases, to prevent the system to fail in a systematic manner.
The systematic capability provides a quantitative estimation of the robustness of the system against systematic failures.
- Software validation
Prior to proceed with the overall integration of hardware and software and validation phase, the software is validated separately according to IEC 61508-3. During this phase:
- the software/firmware structure is validated in accordance with the IEC 61508-3 V-model
- the software/firmware is assessed for the quantification of software systematic capability, by evaluating the implemented measures and techniques for systematic faults avoidance for all lifecycle phases
After that, other relevant requirements are assessed:
- Common Cause Failures avoidance: Common Cause Failures (CCF) are dependent failures, consisting in multiple failures arising from a single shared cause. These are random and systematic events that cause multiple devices, systems, or layers to fail simultaneously. When common cause failures are not evaluated, there is an implicit assumption that there is perfect independence between the related devices regarding design, installation, operation, maintenance and management of change the β-factor model (IEC 61508-6 Annex D) is adopted for the analysis and estimation of hardware common cause failures factor
- Diagnostic Coverage constraints
- Safety Manual minimum contents: the Certification Body carries out a detailed review of the product safety manual contents together with manufacturer personnel in order to verify the compliance with IEC 61508-2 Annex D minimum requirements.
FS Management System review
Client’s management of functional safety implementation (FSMS) is another topic subject to Functional Safety Assessment, where the evaluation is based on client’s documentation.
During this phase, the relevant documentation is analyzed, such as Functional Safety Policy and Procedure, specifying the organizational policy and strategy for achieving Functional Safety; Functional Safety Management and Plan providing the sequence and scheduling of all safety lifecycle activities associated to the respective owner, and the Functional Safety Audits relevant documentation, detailing the requirements for periodic Functional Safety follow-ups.
Quality Constraints Audit
During this phase, the presence of a Quality Management System (ISO 9001 Certification or equivalent) is verified to guarantee the manufacturer capability to maintain FS in all products manufactured across the SIL certificate validity.
The Quality Constraints Audit is an integral part of the Functional Safety Assessment which is focused on all relevant quality documents and procedures, manufacturing and testing documentation relevant for the effective organizational management of functional safety, as required in IEC 61508-1.
Along with this step it shall be also evaluated the presence of any critical supplier, that is a supplier involved in relevant phase(s) of the product lifecycle, such as hardware manufacturing, software development etc. If a critical supplier is identified, it is subject to verification of the proper Quality Management System relevant for Functional Safety purposes.
Functional Safety Assessment finalization and SIL certification
Prior to Functional Safety Assessment finalization, it shall be overseen Functional Safety validation tests performed at client’s premises following the protocol detailed in the FS Test Procedure developed by the Certification Body in charge and provided to the manufacturer. The aim is proving that the product meets the specification for the overall safety function requirements and overall safety integrity requirements, considering the safety requirements definition and allocation.
Upon successful completion of product validation tests, the Certification Body issues the SIL Certificate accompanied by the Functional Safety Assessment report and the Functional Safety label with the unique identification code of the product.
We assist manufacturers on the preparation of the relevant documentation as for required by IEC 61508 and entrust the management of Functional Safety Assessment process, up to the issue of the SIL certificate, to BYHON, ANSI Accredited Product Certification Body – Accreditation #8914.
Did you find this helpful? To receive a quotation for a comprehensive SIL consulting
To learn more about BYHON, Certification for Functional Safety
orGo back to the blog