A First Look at Functional Safety Management


WeChat official account: safetyfirst61508

The purpose of functional safety management is to specify the management and technical activities, in all phases of the overall safety lifecycle, the E/E/PES safety lifecycle and the software safety lifecycle, that are necessary to achieve the required functional safety of the E/E/PE safety-related systems, and to specify the responsibilities of the persons, departments and organisations for each phase of the overall, E/E/PES and software safety lifecycles, or for the activities within those phases.

To achieve this purpose, the first step is to identify the persons, departments or organisations that carry overall responsibility for one or more phases of the overall safety lifecycle, or for a particular activity within a phase. Those persons, departments or organisations then specify all the management and technical activities within their own area of responsibility. This process should be carried out level by level, in a hierarchical manner.

A practical table of functional safety management requirements is shown below. Each entry gives the TOE reference and Target of Evaluation (TOE), the purpose of the TOE, the IEC 61508 clauses and tables referred to, and comments:
TOE 1: Functional Safety Management System
Purpose: To specify all responsibilities in the management of Functional Safety that are necessary to ensure that the E/E/PE safety-related systems achieve and maintain the required functional safety (1/6.1.1). The activities specified as a result of 1/6.2.16 shall be implemented and progress monitored.
IEC 61508 clauses and tables: 1/6.2.1 to 6.2.18.
Comments: This TOE is intended to provide general assessment remarks relevant to the clauses that follow below, which should be considered and need to be tailored to business scope and relevant life-cycle phases.

TOE 2: Functional Safety Policy
Purpose: The policy and strategy for achieving functional safety, together with the means for evaluating its achievement, and the means by which this is communicated within the organisation to ensure a culture of safe working.
IEC 61508 clauses and tables: 1/6.2.2; Figs 2, 3, 4, Table 1 and 1/6.2.1 as framework.
Comments: This TOE requires that there should be a top-level policy statement (typically at Board level) that reflects the safety goals and objectives of the organisation.

TOE 3: Organisation and Responsibilities
Purpose: Identification of the persons, departments and organisations who perform or review safety lifecycle activities, and allocation of responsibilities for those activities. To ensure that all those specified as responsible for management of functional safety activities are informed of the responsibilities assigned to them.
IEC 61508 clauses and tables: 1/6.2.3; Figs 2, 3, 4 and 1/Table 1.
Comments: See Note under 6.2.1. FSM evaluation and assessment activities should verify that the allocation of roles and responsibilities is documented and covers the whole scope of the subject organisation's activities. This may be presented in:

  • Organisation Chart
  • Project Safety Plan
  • Responsibility matrix

This includes, where relevant, licensing authorities or safety regulatory bodies.
For guidance on level of rigour for this TOE against SIL, refer to TOE 8 for competence of staff in technical positions.

TOE 4: Identification of relevant lifecycle phases
Purpose: The overall, E/E/PES or software safety lifecycle phases to be applied.
IEC 61508 clauses and tables: 1/6.2.1; Figs 2, 3, 4 and 1/Table 1.
Comments: The organisation shall demonstrate an understanding of where its activities fit in the overall life-cycle. This could be included as part of the safety plan, procedure or work instruction.

TOE 5: Documentation structure and content policy
Purpose: The way in which information is to be structured and communicated, and the extent of the information to be documented.
IEC 61508 clauses and tables: 1/6.2.4; 1/5.

TOE 6: Techniques and Measures conformance plan
Purpose: The selected measures and techniques used to meet the requirements of a specified clause or sub-clause.
IEC 61508 clauses and tables: 1/6.2.12.a (see Parts 2, 3 and 6).
Comments: This TOE is looking for evidence of a general approach that pre-defines which T&Ms shall be used. See the Parts 2 and 3 Annexes, or TOEs from other CASS templates (as appropriate to the relevant lifecycle phases), for guidance on rigour against SIL.

TOE 7: Corrective action procedure
Purpose: The procedures for ensuring prompt follow-up and satisfactory resolution of recommendations arising from:

  • hazard and risk analysis,
  • functional safety assessment,
  • verification activities,
  • validation activities,
  • configuration management.

IEC 61508 clauses and tables: 1/6.2.5. Evidence from the relevant sections: 1/6.2.10, 1/7.4, 1/7.8, 1/7.14, 1/7.16, 1/7.18, 1/8.0; Parts 2 and 3; Figs 2, 3, 4 and 1/Table 1 as framework.

TOE 8: Competence assessment process
Purpose: To define procedures for ensuring that applicable parties involved in any of the overall, E/E/PES or software safety lifecycle activities are competent to carry out the activities for which they are accountable; in particular, the following should be specified:

  • the training of staff in diagnosing and repairing faults and in system testing,
  • the training of operations staff,
  • the retraining of staff at periodic intervals.

IEC 61508 clauses and tables: 1/6.2.13, 6.2.14.a-k, 6.2.15; Figs 2, 3, 4 and 1/Table 1 as framework.
Comments: The organisation's training plan and training records are important supporting evidence. Sources of good guidance are:

  • HSE competency guidelines
  • IET/BCS
  • FSM* TS ref Annex C

Some grading of competence to match SIL can be inferred from the competency level.
* Note: FSM used to be called FSCA (Functional Safety Capability Assessment).

TOE 9: Procedure for handling of hazardous incidents
Purpose: To define procedures which ensure that hazardous incidents (or incidents with potential to create hazards) are analysed, and that recommendations are made to minimise the probability of a repeat occurrence.
IEC 61508 clauses and tables: 1/6.2.5.f, 6.2.6.
Comments: Evidence of regular review of safety logs, incidents and trends for the organisation, but also that the organisation considers what lessons may be learnt and disseminated from the published experience of other organisations.

TOE 10: Procedure for O&M performance analysis
Purpose: To define procedures for analysing operations and maintenance performance; in particular, procedures for:

  • recognising systematic faults which could jeopardise functional safety, including procedures used during routine maintenance which detect recurring faults,
  • assessing whether the demand rates and failure rates during operation and maintenance are in accordance with assumptions made during the design of the system.

IEC 61508 clauses and tables: 1/6.2.12.c; Figs 2, 3, 4 and 1/Table 1 as framework.
Comments: This TOE is only relevant to organisations performing O&M activities. Fig 7 (IEC 61508-1:2010) provides an example of an operations and maintenance activities model. Fig 8 (IEC 61508-1:2010) provides an example of an O&M management model. No guidance on level of rigour against SIL is given for this TOE; it could be linked with the competency of reviewers and authorisers of modifications.

TOE 11: Functional safety audit process
Purpose: To define requirements for periodic functional safety audits in accordance with this sub-clause, including:

  • the frequency of the functional safety audits,
  • consideration as to the level of independence required for those responsible for the audits,
  • the documentation and follow-up activities.

IEC 61508 clauses and tables: 1/6.2.7.
Comments: The organisation should be able to justify the level of independence of those conducting audits. An audit timetable, audit reports and actions should be available for review. Guidance is given in 1/Table 4 and 1/Table 5 on the level of independence of the FSA auditor against SIL.

TOE 12: Modification process for Safety related systems
Purpose: To define the procedures for initiating modifications to the safety-related systems; to define the required approval procedure and authority for modifications.
IEC 61508 clauses and tables: 1/6.2.8.a, 1/6.2.8.b, 1/7.16.2.2; Figs 2, 3, 4 and 1/Table 1 as framework.
Comments: The organisation should be able to demonstrate that modification procedures have been properly planned. The organisation should be able to demonstrate that the modification request has been properly documented and authorised and that any impact analysis has been performed. The competence level of the checker/approver of any modification must be demonstrated by the organisation, though there is no definitive guidance.

TOE 13: Procedures for maintaining information on hazards with respect to Safety-Related Systems
Purpose: To define the procedures for maintaining accurate information on hazards and safety-related systems.
IEC 61508 clauses and tables: 1/6.2.9.

TOE 14: Configuration management procedures
Purpose: To define the procedures for configuration management of the E/E/PE safety-related systems during the overall, E/E/PES and software safety lifecycle phases; in particular, the following should be specified:

  • the stage at which formal configuration control is to be implemented,
  • the procedures to be used for uniquely identifying all constituent parts of an item (hardware and software),
  • the procedures for preventing unauthorised items from entering service.

IEC 61508 clauses and tables: 1/6.2.10; Figs 2, 3, 4 and 1/Table 1 as framework.

TOE 15: Procedures for provision of training and information for the emergency services
Purpose: To provide training and information for the emergency services.
IEC 61508 clauses and tables: 1/6.2.11.
Comments: Note that the requirement of this sub-clause may not be mandatory in all cases. Training records should be auditable (if appropriate).

TOE 16: Functional Safety Management System - Formal Reviews
Purpose: To ensure that requirements for functional safety management are formally reviewed by the organisations concerned, and agreement reached.
IEC 61508 clauses and tables: 1/6.2.16.
Comments: This is a formal review and decision-making process with regard to the effectiveness of the FSM procedures. Minutes of review meetings and review documents should be auditable.

TOE 17: Supplier Assessment Process
Purpose: To ensure that suppliers providing products or services to an organisation having overall responsibility for one or more phases of the safety lifecycle deliver products or services as specified by that organisation, and have an appropriate quality management system.
IEC 61508 clauses and tables: 1/6.2.17.
Comments: The requirement may be satisfied by an appropriate quality management system; certification to a recognised national or international standard, e.g. ISO 9001, would be an advantage. Checks could include, where relevant, review of QMS certificates, supplier CASS assessments, OEM safety manuals (as required by normative Annex D of IEC 61508-2) and suppliers' certificates of conformity (as per ISO/IEC 17050). No guidance on level of rigour for this TOE against SIL; see the Technical Note on the use of sub-contractors (CASS Common Schedules).

TOE 18: Functional Safety Assessment
Purpose: To ensure that an organisation's approach to dealing with the Functional Safety Assessment requirements of IEC 61508 has been adequately reviewed.
IEC 61508 clauses and tables: 1/6.2.12.b; 1/8.1, 1/8.2; 1/Table 4; 1/Table 5; 3/8; 3/Table A10.
Comments: This TOE is aimed at the two parties responsible for Functional Safety Assessments (FSA):
(i) those responsible for providing the evidence that functional safety has been achieved, which is to be assessed by those performing the FSA;
(ii) those responsible for performing the independent FSA.
