A conformance example
The following requirenment statement from IEC 61511 is somewhat easier said than it is achieved.
IEC 61511 conformance: "Each of the requirements outlined in Clause 5 through Clause 19 has been satisfied to the defined criteria and therefore the clauses' objectives have been met" IEC 61511-1 Clause 4.
Let's take a relatively simple example from one of the shortest IEC 61511 clauses:
14.1 Objective - SIS installation and commissioning
"The objective of the requirements of Clause 14 are to:
- install the SIS according to the specification and drawings;
- commission the SIS so that it is ready for final system validation."
Meeting the stated objectives will require reading the remaining clause 14.2 and its sub-clauses 14.2.1 to 14.2.5:
14.2.1 requires "installation and commissioning planning", and lists four (4) elements that must be in the plan.
14.2.2 requires that devices are properly installed based on the design and installation plan(s).
14.2.3 requires commissioning activities, and lists a minimum of nine (9) specific confirmation checks.
14.2.4 requires commissioning records to be kept, including any failures and reasons for failure.
14.2.5 requires impact assessment by a competent person of all non-conformances found during commissioning.
So, to conform with the stated objectives of Clause 14 there are five (5) specific sub-clauses that must be met. However, sub-clause 14.2.1 and 14.2.3 have 13 different elements for checking. A functional safety assessment leader would be looking to raise questions and/or create a checklist for specific evidence that 16 elements in total have been fulfilled.
Demonstrating conformance
All relevant clauses in the IEC 61511 standard can be broken down in a similar way to the example above. Although it still needs expert judgement, it is entirely possible to create a checklist and/or questionnaire which looks for evidence that "shall" requirements have been met in each clause and sub-clause.
The following sections in this chapter explain the concept of Functional Safety Assessment (for conformance demonstration) and then estimates the number of questions that typically come up in each part of the standard. Hopefully this is a clear indication of the level of effort required for demonstrating conformance at each stage.
Functional Safety Assessment Planning
Functional Safety Assessment is an activity that is proposed at several stages in the SIS safety lifecycle, and mandated in IEC 61511 to be carried out at least once prior to startup of an SIS and at intervals during the operations stage. The activity must be led by a senior competent person, who is not involved with the step or steps being analyzed.
Note that FSA planning should be included at the start of any project where an SIS is likely to be needed. If the SIS already exists, then plan for an operations and maintenance FSA stage 4.
There are five stages at which functional safety assessment is recommended, as shown in the following diagram.
The IEC 61511 safety life-cycle and associated FSA stages
Producing huge amounts of paper should not be a goal of any SIS project or operation. However, there must be sufficient evidence upon which an independent assessor can make a judgement for FSA conformance purposes. The goal should be to produce a trail of evidence at each stage to allow an effective independent assessment to take place.
eFunctionalSafety FSA SERVICE
eFunctionalSafety Functional Safety Assessment workflow
Assessment Planning
A functional safety assessment (FSA) will only commence with a sound plan in place. Our typical methodology includes a series of "swim-lane" work processes which show the required steps and responsibilities.
For a new-build or major modification project, our planning will include scoping all the proposed stages of FSA, the required inputs at each stage, and the expected results.
For an FSA of an existing SIS in operation, our plan will show the extent and scope of the assessment to be conducted on the existing system. Any exclusions will be fully clarified at the outset.
New projects or modifications
For a new-build project we recommend that FSA is started as soon as the first SIL assessment has been completed. This may be before the safety requirements are fully developed, but from experience it is not wise to wait that long.
We use a combination of offline document review and site-based project team interviews to conduct our assessment
When the safety requirements specification is fully available, the FSA 1 activity can be finalised and formal reports can be produced.
FSA Experience Notes
The stages of FSA suggested in the standard do not necessarily line up in a linear way with how projects work in practice. This is perhaps best explained with FSA Stage 1 which is intended to analyze all stages up to and including clause 10 (the SRS). However, it is fairly commonplace for requirements to be split into multiple documents which gather in detail as a project progresses. A specific case is the Application Program (software) requirements. These will not be available in any depth until logic solver equipment selection has taken place, which often happens much later in a project than would be advisable for the FSA 1 activity to take place.
In some cases the number of clauses and associated conformance questions may be limited by the type of project, or by decisions made during a project.
For example, if a programmable logic solver system is not part of the SIS scope, then Clause 12 of the standard will not be applicable, and the SRS elements that relate to software will not be needed. Likewise, if equipment is not selected based upon prior use claims, then this will reduce Clause 11 requirements from 110 to around 80. This limitation of the relevant clauses for conformance should be something that is clearly outlined in FSA planning at each stage by the lead independent assessor.
Some companies have the impression that a simple system with very few SIF will somehow limit the conformance assessment activity significantly. However, this is a bit of a misunderstanding. For example, assessing the SRS for a single SIS and SIF will still require asking and answering at least 50 questions related to that part of the life-cycle. There is certainly additional effort if there are a large number number of uniquely designed SIF, but this effort does not reduce to zero even if there is only one SIF in the system.
Conformance results
From experience of conducting many different FSA's including all the stages listed above, the results can depend highly on the functional safety maturity of the Duty Holder's personnel and the personnel leading the project activities from supporting companies.
Typical results for conformance to IEC 61511 shows that around 60% to 75% of clauses can be shown to be adequately met when concluding an FSA activity on a new-build project (ie. not including operations, maintenance and decommissioning).
IEC 61511 conformance assessment typically results in around 60% to 75% of clauses adequately met when concluding an FSA activity on a new-build project.
The above statistic suggests that 100% conformance to IEC 61511 is not only difficult but also unlikely on a new-build project of any complexity. This is for a few reasons:
- There are a large number of elements to check, but evidence is not always easy to find within a restricted time and budget.
- Full conformance is often a judgement call by the assessor. In some cases a project or duty holder may meet a requirement such as "employee training has been completed", but in the view of the assessor the training is not sufficient.
Companies with existing systems who are conducting FSA at Stage 4 of the SIS safety life-cycle should be aiming at 100% compliance. However, this may not be immediately achievable.
Functional Safety Audit & Revision
Functional safety audit and revision (abbreviated FSAR here, but not in IEC 61511) is intentionally separated from FSA in the IEC 61511 standard. The idea is that FSAR is an audit of procedures and records to determine whether an appropriate functional safety management system is in place and being followed.
However, the distinction between FSA and FSAR may be somewhat overplayed if an FSA is already being planned or conducted on a project. The person leading any FSA activity must take account of the detailed life-cycle phases of the stages being assessed. By definition, every stage of the life-cycle includes management, planning and verification activities, so the FSA must take these into account. In this sense, FSA’s already include elements of an audit.
One thing that is clear about the distinction between FSA and FSAR is that FSAR does not have the specific goal of making a judgement about the functional safety achieved by each SIF design, whereas FSA does have that goal.
Somewhat like a Quality or Gap audit, an FSAR cannot be conducted until functional safety procedures are in place, and they have in place long enough to produce sufficient evidence documents about whether the procedures are being followed. However, it is entirely feasible that some procedures will be put in place and followed at least once during an SIS project development, meaning an FSAR alongside an FSA activity is an entirely valid prospect even for a new-build.
An FSAR also involves the important aspect of making recommendations for improvement, including possible revising of procedures or systems under management-of-change control. From experience, this is no different in an FSA given that non-conformances would lead to an action for change.