4 Design process of an SCS and management of functional safety
4.1 Objective
The objective of Clause 4 is to describe the design process and the tasks that have to be
completed to realize each safety function performed by the related part of the control system for a given machine.
4.2 Design process
If as a result of the risk assessment of the whole machine according to ISO 12100 (see
Figure 2), a need for risk reduction has been identified and if certain selected risk reduction
measures depend on the control system, corresponding safety functions have to be specified.
NOTE 2 Figure 2 shows where the SCS contributes to the risk reduction process of ISO 12100: Step 2. The SCS
supports the combined protective measures by the implementation of safety functions. ISO 12100 also provides
general design rules for the machine which are applicable for the design of the SCS (see 6.2.11 and 6.2.12 of
ISO 12100:2010).
The design process (see Figure 3) of each safety function implemented by a safety-related
control system (SCS) shall include at least the safety function specification (see Clause 5) and
the safety-related control system design (see Clause 6) and the associated verification and validation activities.

The realization of a safety function following the determined required safety integrity shall either
be done by
– using an already developed SCS that meets the required safety integrity, or
– designing a new SCS using pre-designed subsystems according to Clause 6 or designing
new subsystems according to Clause 7, or a combination of both.
If additional design considerations for software are necessary, Clause 8 applies.
A safety function can be implemented by one or more subsystem(s) of a safety-related control
system (SCS), and several safety functions can share one or more subsystem(s) (e.g. a logic
unit, power control element(s)), see examples in Figure 4. A control system can be subdivided
into a safety-related part and a non-safety-related part. It is possible that one subsystem, which
is involved in the implementation of safety functions, is also involved in the implementation of
control functions. The designer may use any of the technologies available, singly or in combination.

4.3 Management of functional safety using a functional safety plan
This subclause specifies management and technical activities that are necessary for the
achievement of the required functional safety of the SCS.
NOTE 1 For further information, see IEC 61508-1:2010, Clause 6.
A functional safety plan shall be drawn up and documented for each SCS design project, and
shall be updated as necessary. The functional safety plan is intended to provide measures for
preventing incorrect specification, implementation, or modification issues.
The functional safety plan shall identify the relevant activities (see Figure 3) and shall be
adapted to the project. See examples in Annex I.
NOTE 2 The functional safety plan can be part of a global machine design plan.
NOTE 3 The content of the functional safety plan depends upon the specific circumstances, which can include:
– size of project;
– degree of complexity;
– degree of novelty of design and technology;
– degree of standardization of design features;
– possible consequence(s) in the event of failure.
In particular, the functional safety plan shall:
a) identify the relevant activities specified in Clauses 5 to 9 and details of when they shall take
place;
b) describe the policy and strategy to fulfil the specified functional safety requirements;
c) describe the strategy to achieve functional safety for the application software, and the results of
development, integration, verification and validation;
d) identify persons, departments or other units and resources that are responsible for carrying
out and reviewing each of the activities specified in Clauses 5 to 9.
NOTE 4 The level of appropriate competency of the involved persons (i.e. training, technical knowledge, experience
and qualifications) is taken into account. The appropriateness of competence is considered in relation to the
particular application, taking into account all relevant factors including:
a) the responsibilities of the person;
b) the level of supervision required;
c) the potential consequences in the event of failure of the SCS;
d) the safety integrity levels of the SCS;
e) the novelty of the design, design procedures or application;
f) previous experience and its relevance to the specific duties to be performed and the technology being
employed;
g) the type of competence appropriate to the circumstances (for example qualifications, experience, relevant
training and subsequent practice, and leadership and decision-making abilities);
h) engineering knowledge appropriate to the application area and to the technology;
i) safety engineering knowledge appropriate to the technology;
j) knowledge of the legal and safety regulatory framework;
k) relevance of qualifications to specific activities to be performed.
e) identify or establish the procedures and resources to record and maintain information
relevant to the functional safety of an SCS;
NOTE 5 The following are considered:
– the results of the hazard identification and risk assessment;
– the equipment used for safety-related functions together with its safety requirements;
– the organization responsible for maintaining functional safety;
– the procedures necessary to achieve and maintain functional safety (including SCS modifications).
f) describe the strategy for configuration management (see 4.4) taking into account relevant
organizational issues, such as authorized persons and internal structures of the
organization;
g) describe the strategy for modification (see 4.5);
h) establish a verification plan that shall include:
– details of when the verification shall take place;
– details of the persons, departments or units who shall carry out the verification;
– the selection of verification strategies and techniques;
– the selection and utilization of test equipment;
– the selection of verification activities;
– acceptance criteria; and
– the means to be used for the evaluation of verification results;
i) establish a validation plan comprising:
– results of previous verification;
– details of when the validation shall take place;
– identification of the relevant modes of operation of the machine (e.g. normal operation,
setting);
– requirements against which the SCS shall be validated;
– the technical strategy for validation, for example analytical methods or statistical tests;
– acceptance criteria; and
– actions to be taken in the event of failure to meet the acceptance criteria.
NOTE 6 The validation plan indicates whether the SCS and its subsystems are to be subject to routine testing,
type testing and/or sample testing.
4.4 Configuration management
The main operational aspects of configuration management are
– identification of the structure of the SCS (e.g. system, subsystems, functions, function blocks,
management documents, tools) in order to create a baseline;
– controlling of the release of an element created during each lifecycle phase at a specific
point in time;
– recording and reporting of the status of each element which is and/or will be part of a
baseline;
– audit and review of all elements and maintaining consistency among all elements of a
baseline.
Procedures shall be developed for configuration management of the SCS during the overall,
SCS system and software safety lifecycle phases, including in particular:
a) the point, in respect of specific phases, at which formal configuration control is to be
implemented;
b) the procedures to be used for uniquely identifying all constituent parts of hardware and
software;
c) the procedures for preventing unauthorized items from entering service.
The configuration management procedures shall be implemented in accordance with the
functional safety plan (see 4.3).
The procedures for an appropriate change control process shall consider the requirements of
procedures for defining a unique baseline of each version of the SCS.
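The following is an added illustration, not text or code from this document or from any SCS vendor, of the operational aspects of configuration management listed above: each constituent hardware and software part is uniquely identified, every version of the SCS receives a unique baseline identifier, and an inventory read from the machine is compared against the released baseline so that items not part of the baseline (or parts that differ from it) are detected before they enter service. The element names, versions and image bytes are constructed for the example.

```python
"""Baseline configuration check for a safety-related control system (SCS).

Added example, not from IEC 62061 or any vendor. It models the configuration
management activities of 4.4: unique identification of constituent parts,
a unique baseline identifier per SCS version, and detection of items that
are not part of the released baseline. All names, versions and image bytes
are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Element:
    """One uniquely identified constituent part of the SCS (hardware or software)."""
    element_id: str      # constructed identifier, e.g. "logic_unit_fw"
    kind: str            # "hardware" or "software"
    version: str
    image_sha256: str    # hash of a firmware/configuration image or hardware part number


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_element(element_id: str, kind: str, version: str, image: bytes) -> Element:
    return Element(element_id, kind, version, sha256_hex(image))


def baseline_id(elements: list[Element]) -> str:
    """Unique identifier for one baseline: hash of the canonical JSON of all
    elements, sorted by element_id so ordering does not matter and any change
    to any part yields a different identifier."""
    records = sorted((asdict(e) for e in elements), key=lambda d: d["element_id"])
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def check_against_baseline(baseline: list[Element], deployed: list[Element]) -> dict[str, list[str]]:
    """Compare a deployed inventory with the released baseline.

    Findings are grouped as:
      unauthorized - element present in service but absent from the baseline
      mismatch     - element known, but its version or image hash differs
      missing      - baseline element not found in service
    An empty report means the deployed SCS matches the baseline exactly.
    """
    base = {e.element_id: e for e in baseline}
    dep = {e.element_id: e for e in deployed}
    report: dict[str, list[str]] = {"unauthorized": [], "mismatch": [], "missing": []}
    for eid, e in dep.items():
        if eid not in base:
            report["unauthorized"].append(eid)
        elif (e.version, e.image_sha256) != (base[eid].version, base[eid].image_sha256):
            report["mismatch"].append(eid)
    for eid in base:
        if eid not in dep:
            report["missing"].append(eid)
    return report


def conforms(report: dict[str, list[str]]) -> bool:
    """True when no finding of any category was recorded."""
    return not any(report.values())


# Constructed sample baseline: the released configuration of one SCS version.
RELEASED_BASELINE = [
    make_element("logic_unit_fw", "software", "2.1.0", b"LOGIC-FW-2.1.0"),
    make_element("estop_input_module", "hardware", "rev_B", b"PN-ESTOP-IN-B"),
    make_element("contactor_output_module", "hardware", "rev_A", b"PN-CONTACTOR-OUT-A"),
    make_element("application_program", "software", "1.4.2", b"APP-PROGRAM-1.4.2"),
]

# Constructed inventory read from the machine: the application program was
# changed without going through the modification procedure, and an extra
# module was fitted that is not part of any released baseline.
DEPLOYED_INVENTORY = [
    make_element("logic_unit_fw", "software", "2.1.0", b"LOGIC-FW-2.1.0"),
    make_element("estop_input_module", "hardware", "rev_B", b"PN-ESTOP-IN-B"),
    make_element("contactor_output_module", "hardware", "rev_A", b"PN-CONTACTOR-OUT-A"),
    make_element("application_program", "software", "1.4.2", b"APP-PROGRAM-1.4.2-PATCHED"),
    make_element("remote_access_gateway", "hardware", "rev_C", b"PN-GATEWAY-C"),
]

if __name__ == "__main__":
    print("released baseline id:", baseline_id(RELEASED_BASELINE))
    findings = check_against_baseline(RELEASED_BASELINE, DEPLOYED_INVENTORY)
    print("conforms to baseline:", conforms(findings))
    for category, ids in findings.items():
        if ids:
            print(f"  {category}: {', '.join(ids)}")
```

The check deliberately compares the image hash as well as the version string, because a part can keep its declared version while its contents have changed; such a mismatch, like an unknown element, is a finding that should trigger the modification procedure of 4.5 rather than be accepted into service.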
4.5 Modification
If a modification is to be implemented, then relevant activities shall be identified specifically and
an action plan shall be prepared and documented before carrying out any modification.
NOTE 1 The request for a modification can arise from, for example:
– safety requirements specification changed;
– conditions of actual use;
– incident/accident experience;
– change of material processed;
– obsolescence;
– modifications of the machine or of its operating modes.
NOTE 2 Interventions (e.g. adjustment, setting, repairs) on the SCS made in accordance with the information for
use or instruction manual for the SCS are not considered to be a modification in the context of this subclause.
The reason(s) for the request for a modification shall be documented.
The effect of the requested modification shall be analysed to establish the effect on the safety
function.
The modification impact analysis and the effect on the functional safety of the SCS shall be documented.
All accepted modifications that have an effect on the SCS shall initiate a return to an appropriate
design phase for its hardware and/or for its software (e.g. specification, design, integration,
installation, commissioning, and validation). All subsequent phases and management
procedures shall then be carried out in accordance with the procedures specified for the specific
phases in this document. All relevant documents shall be revised, amended and reissued accordingly.