Skip to main content

Functional Safety

General Introduction

What is Functional Safety?

Safety is freedom from unacceptable risk of physical injury or damage to the health of people, property, or the environment.

Overall safety can be divided into three parts:

  • Occupational Safety: The part of safety that concerns the work environment. Hazards can include slips, trips, and falls, and the use of Personal Protection Equipment (PPE) mitigates these types of hazards.
  • Product/System Safety: The part of safety that relates to the design of the system/product. Hazards can be hot surfaces, sharp edges & finger traps, explosion, toxicity, etc. The protections could consist of different mechanical, hydraulical and pneumatical devices such as covers.
  • Functional Safety: The part of the safety of a product/system that is dependent on the system or equipment operating correctly in relation to its inputs. It is the safeguard against hazards resulting from faulty and interrupted functionality, requiring products to be designed in such a way that fault, failures, and external influences do not result in cases of undetected loss of Safety.

Example: A device with a rotating blade. If a cover is mounted over the blade, that is part of the product/system safety. An interlock for the cover that deactivates the rotating blade when the cover is lifted is part of functional safety. Using protection equipment such as gloves when handling the blade is part of occupational safety.

Functional Safety Standards & Certification

Functional Safety Standards such as IEC 61508 provide a generic approach for all safety lifecycle activities for a system comprised of Electrical/Electronic/Programmable Electronic (E/E/PE) elements that are used to perform safety functions. Standards can exist as Generic Standards, Industry Standards, and Application Standards. The figure below presents an overview of Functional Safety Standards and their application sectors.

Functional Safety Standards

Development and maintenance activities of ABB’s High Integrity Systems shall adhere to IEC 61508/IEC 61511 Standards. More Functional Safety Standards could be applicable due to market or technical requirements for a specific product. Current additional safety standards that ABB adheres to can be found on the respective product certificate, see 7PAA006341_en List of active Safety Certificates

To justify adherence to the different standards, ABB certifies its products and its organization. For organizational certification, see What is FSM?. ABB products are certified by an external certification body that verifies that the product meets defined criteria and defined safety-relevant aspects. The certificate specifies the basic principles according to which a product was tested.

What is SIL?

SIL is the abbreviation for Safety Integrity Level (IEC 61508-4, IEC 61511-1).

IEC 61508 requires the analysis of the potential risks or hazards of a given system or device. It provides categories to determine the level of likelihood of a potential hazard and the consequences should it occur.

There are four SILs to indicate the degree to which a system will meet its specified safety functions: SIL1, SIL2, SIL3, and SIL4. The higher the level of Safety Integrity, the lower the probability that the safety-related system will fail to carry out the specified safety functions or will fail to adopt a specified state when required. The table below shows the SIL classification by either probability of failure on demand or probability of failure per hour.

Safety Integrity Level (SIL)​Low Demand Mode: Average probability of a dangerous failure on demand of the Safety function​High Demand or Continuous Mode: Probability of Dangerous Failure per Hour
1\geq 10210^{-2} to < 10110^{-1}\geq 10610^{-6} to < 10510^{-5}
2\geq 10310^{-3} to < 10210^{-2}\geq 10710^{-7} to < 10610^{-6}
3\geq 10410^{-4} to < 10310^{-3}\geq 10810^{-8} to < 10710^{-7}
4\geq 10510^{-5} to < 10410^{-4}\geq 10910^{-9} to < 10810^{-8}

There are other terms used when describing level of risk reduction in safety systems. ISO 13849-1 uses two: Performance Level (PL) and Category (CAT).

  • PL is defined as a "discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions". PL is divided into letters a, b, c, d, e, where a represents the lowest level of risk reduction needed and e the highest. PL is measured in average PFH. The parameters used in determining the PL are: severity of injury, frequency and/or exposure times to hazard, and possibility of avoiding or limiting harm.
  • CAT is defined as a "classification of the subsystem in respect to its resistance to faults and the subsequent behavior in the fault condition which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability". CAT is divided into B, 1, 2, 3, and 4, where B is the basic category (the occurrence of a fault can lead to the loss of the safety function), and the numbers indicate a higher required level of improved performance for the components in the subsystem. The selection of a category depends upon the reduction in risk to be achieved by the safety function to which the subsystem contributes, the required PL, the technologies used, the consequences arising in the case of a fault(s) in an element of the subsystem, the possibilities of avoiding a fault(s) in that subsystem (systematic failure), the mean time to dangerous failure (MTTFD), the diagnostic coverage (DC), and the common cause failures (CCFs)

What is FSM?

FSM is the abbreviation for Functional Safety Management (IEC 61508-4)

According to IEC 61511-4: “Management of functional safety addresses systematic failures, mostly caused by humans, that are not quantifiable as mathematical models. These activities, covering the whole safety lifecycle, are applied through processes and procedures”.

Typical FSM activities include the training and mentoring of responsible persons in the Functional Safety procedures and methods, analysis of hazards and risks, documentation and communication of safety-related information, procedures for ensuring prompt follow-up and monitoring the adherence of the safety-related projects/products to the safety standards and processes via the safety assurance activities.

ABB PCP R&D FSM covers activities in the design, development, manufacturing, and maintenance of safety-related products.

ABB PCP R&D (Västerås, Malmö, Minden, and Hangzhou) is FSM certified by TÜV SÜD according to IEC 61508 with certificate No. Q4B 029049 0007

The valid safety certificates for organizations and products are listed in 7PAA006341_en List of active Safety Certificates

The process of managing received Functional Safety certification documents is described in How-to Manage Received Functional Safety Certification Documents

FSM Certificate

List of Safety certified products

ABB has over 40 years of experience in the design, manufacture, and implementation of process safety systems. With operations on all continents and dedicated safety system teams around the world, ABB provides not only highly-qualified technical resources during project delivery but also ensures competent local support and service in operation.

Please click the following link to check the certified safety products of ABB PCP.

The valid safety certificates for organizations and products are listed in 7PAA006341_en List of active Safety Certificates

System 800xA High Integrity Safety System

Safety Development and Safety Handbook

ABB PCP R&D has interpreted Functional Safety standards into a development model, which helps efficient readability and provides a common approach to achieve Functional Safety. Purchased components and tools to be used in PCP R&D functional safety development must be either pre-qualified according to functional safety standards or integrated & certified under PCP R&D Processes.

The development model is an integrated part of the Quality Management System covering the overall safety life cycle of the High Integrity System.

The central documentation of the development model is the Safety Handbook. To fulfill the standard IEC 61508 for Safety products and IEC 61511 for Libraries the Safety Handbook shall be used together with the 7PAA003088 Quality Plan template for Safety and interference-free development. If there is a need to tailor a project/stream and use legacy artifacts, such as the last approved document version of the Safety Handbook, please refer to the Learn Section for 800xA

note

Note that the Safety Handbook Reference List is subject to regular and continuous updates as the brownfield artifacts are being converted to greenfield.

When a project member has or finds a safety issue that one cannot solve by oneself, it shall be escalated according to the Safety issue escalation table in the Quality Plan. In the QMS and process area outside projects, escalation of safety issues shall follow the escalation ladder for PCP R&D process groups and PCR handling, see Process Teams. The safety documentation responsibilities are described in 3BSE064628 responsibilities safety development

Outsourcing for Functional Safety Product Development

For PCP-owned safety products, the outsourcing of functional safety lifecycle activities to external parties must be clearly defined, documented, and approved in the release as per following:

  • The statement “PCP R&D Processes and Safety Handbook shall be followed to achieve functional safety." must be documented in the Quality Plan.
  • Evidence of competency, evaluation of project personnel, and the plan and execution of mandatory trainings must be documented in the Project Description and Plan.
  • The type of outsourcing (hiring resources or full outsourcing), along with the roles and responsibilities of the organization and personnel, must be documented in the Project Description and Plan, as well as in the RACI.
  • The fullfilment of FSM requirements for people, process and tools must be verified via FSM Audit.

Any deviation or modification to the outsourcing process must be reviewed by ISA and approved by the PCP R&D FSM Manager and Stream Owners involved in safety development.

Safety Team

  • The Safety Team belongs to the Operational Excellence team and provides independent support to R&D Safety product streams and releases. It consists of Safety Engineers and the FSM Manager, for role descriptions, see Functional Safety Management (FSM) Manager and Safety Engineer (SE).
  • The Safety team is mainly focused on the Functional Safety aspects of IEC 61508 and other Functional Safety standards.
  • The Safety team coordinates Safety activities between and within development streams & releases.
  • Being the speaking partner for Functional Safety issues in our processes via the Functional Safety Process Team.
  • The Safety team facilitates the communication channel for the Independent Safety Assessor (ISA) in PCP R&D.
  • The Safety team keeps track of all documents that have been submitted to TÜV in 2PAA121280_en List of Documents sent to TUV.

FSM audit

The Functional Safety Audit is performed to ensure the compliance to functional safety processes (QMS) according to IEC 61508 by the development organization. There are two types of audits: internal, performed by the ABB Functional Safety team, and external, performed by ISA.

The audit shall be focused on the safety-related releases (SIL and interference free) and on general knowledge of ABB PCP R&D processes which should follow IEC standard 61508.

The audits are conducted according to How-to Conduct FSM Audit.

Functional Safety Assessment

In addition to the functional safety audit, there are functional safety assessments performed for each release by the ISA. The Functional Safety Assessment is done by ISA in order to evaluate whether functional safety according to IEC 61508 has been achieved by the E/E/PE safety-related systems.

note

While an audit is verifying examination results of the audited process to verify their accuracy, the assessment is providing a judgment on those results. The assessment goes further than an audit. It determines the action items needed to reach compliance with the assessed entity.

As part of the continuous assessment performed by ISA, the quarterly QMS baselines as defined by Process Governance are sent to ISA by ABB Functional Safety Team.

Factory Inspection

There are also factory inspections conducted by ISA for the safety product and their respective manufacturing site. This is led by the ABB Operations organization and is not the responsibility of ABB PCP R&D FSM.

Activities

Functional Safety Activities

Artifacts

This chapter lists all the safety documents as add-ons for safety-related product development.

Artifact​Description​RACI​Receiver​Comments
Quality PlanDocuments functional safety specific conditions on the quality handling of a development. The safety plan is not a dedicated document on its own but part of the Quality Plan.(R): Release Owner
(A): FSM Manager1)
(C): Quality Control Manager, Safety Engineer
(I): Configuration Manager, Development Team, Test Lead (product/system level)		Stream Owner1)
For safety-related projects, the FSM Manager is accountable (A) instead of the Stream Owner, and the SE is consulted along with the Quality Control Manager.
Safety Requirement SpecificationDescribes main properties of the safety systems being developed and to specify the requirements necessary to make a system with a sufficient level of safety and availability. The document focuses on requirements for diagnostics, supervision, fault reaction and architecture.(R): Safety Engineer
(A): FSM Manager
(C): Release Owner, Test Lead (product/system level), Product Manager
(I): Architect, Configuration Manager, Development Team (SM, Eng, Tester), Technical Coordinator		--
Safety Validation Test (Description/Report)Includes the tests that are needed to verify all specified and approved safety requirements.(R): Test Lead (product/system level)
(A): Product Owner
(C) Description: Development Team (SM, Eng, Tester), Quality Control Manager, Release Owner, Safety Engineer
(C) Record: Quality Control Manager, Safety Engineer
(I) Description: Development Team (SM, Eng, Tester)		Release responsible-
Safety System ArchitectureDescribes the overall system architecture of the safety systems with a focus on the implemented safety functions.(R): Safety Engineer
(A): FSM Manager
(C): Architect
(I): Configuration Manager, Cyber Security Engineer, Development Team (SM, Eng, Tester), Product Owner, Release Owner, Technical Coordinator, Test Lead (product/system level), Product Manager		--
Product/Stream ArchitectureDescribes the entire software architecture (i.e. not only Safety parts).(R): Architect
(A): Stream Owner
(C): Cyber Security Engineer, Development Team (SM, Eng, Tester)
(I): Product Owner, Quality Control Manager, Release Owner, Technical Coordinator, Test Lead (product/system level), Safety Engineer, Product Manager		--
Source Code Classification/Code Criticality Classification (SW)States the resulting SIL for each source code module/component/file.(R): Release Owner
(A): Product Owner
(C): Development Team (SM, Eng, Tester), Safety Engineer		--
System FMEAA Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes.(R): Safety Engineer
(A): FSM Manager
(C): Development Team (SM, Eng, Tester)
(I): Architect, Technical Coordinator		--
System & SW Criticality AnalysisProvides the argumentation for the selected Verification & Validation activities applied to the different SW parts.(R): Safety Engineer
(A): FSM Manager
(C): Development Team (SM, Eng, Tester)
(I): Architect, Cyber Security Engineer, Technical Coordinator		--
Preliminary Hazard Analysis Report/SW Hazop ReportIdentifies what potentially hazardous variations from the design intent could occur within components or in the interactions between components of a system. Those deviations can be caused by systematic software failures or random hardware failures.(R): Safety Engineer
(A): FSM Manager
(C): Development Team (SM, Eng, Tester)
(I): Product Owner, Release Owner		--
Design Description HardwareDescribes in plain text the reasoning for some parts of the hardware diagrams (= schematics) in addition to the drawings (= schematics)(R): Development Team
(A): Product Owner
(C): Architect, Cyber Security Engineer, Development Team, Ex Component Responsible2), Safety Engineer
(I): Quality Control Manager		---2)
If applicable
PFD/PFH calculation and HW FMEDADescribes the result of a component FMEDA and provides the Safe Failure Fraction and the lambda values for use in the PFD/PFH calculations.(R): Safety Engineer
(A): Product Owner
(C): Development Team (SM, Eng, Tester), Release Owner
(I): Quality Control Manager		Safety teamInput for reliability manual
Fault Insertion Test Specification (Function or Component Type Test Description)Provides the required fault insertion tests to verify the correctness of the assumptions of the system which is stated in the system FMEA and the component FMEDAs.(R): Development Team (SM, Eng, Tester)
(A): Product Owner
(C): Cyber Security Engineer, Development Team (SM, Eng, Tester), Ex Component Responsible2), Release Owner, Test Lead (product/system level), Safety Engineer		Test team2)
If applicable
Reliability & Availability ManualUser manual providing PFD and PFH values and their boundary conditions.(R): Safety Engineer
(A): Product Owner
(C): Industrial Engineer
(I): Development Team (SM, Eng, Tester), Quality Control Manager, Release Owner, Product Manager		User manual-
Safety ManualUser manual, describing the Life Cycle for the safe operations of the Safety System.(R): Safety Engineer
(A): FSM Manager
(C): Safety Engineer, Product Manager
(I): Development Team (SM, Eng, Tester), Product Owner, Release Owner, Test Lead (product/system level)		User manual-
Bug Lists for Used ToolsHelps to take appropriate actions to handle known tool-related bugs to ensure that the safety product complies with the safety requirements.TBD--
Impact Analysis ReportDescribes all modifications and new development as well as error corrections made to the certified system since the last certification, including impact on the system, description of the changes, necessary retest, etc.(R): Release Owner
(A): Stream Owner
(C): Cyber Security Engineer, Development Team (SM, Eng, Tester), Ex Component Responsible2), Product Owner, Technical Coordinator, Test Lead (product/system level), Safety Engineer
(I): Configuration Manager, Ex Representative2),		-2)
If applicable
Safety Tool Selection ReportThis justification document contains the argumentation why the selected tool is suitable for use in the safety development environment.(R): Development Team (SM, Eng, Tester)
(A): Stream Owner
(C): Configuration Manager, Product Owner, Release Owner, Technical Coordinator, Safety Engineer		ISA-
Static Code Analysis ReportHandles the outcome of Static Code Analysis.(R): Release Owner
(A): Product Owner
(C): Cyber Security Engineer, Safety Engineer
(I): Configuration Manager, Development Team (SM, Eng, Tester)		--
Justification Report for a project (and burner library))Provides evidence for traceability between requirements and solutions and between requirements and test cases.(R): Release Owner
(A): Stream Owner
(C): Ex Representative2), Safety Engineer, Product Manager
(I): Configuration Manager, Development Team (SM, Eng, Tester), Product Owner, Technical Coordinator, Test Lead (product/system level)		-Internal document
2)
If applicable
Safety Manual Justification ReportProvides for each claim in the Safety Manual the reference to the evidence/test that the claim is fulfilled.(R): Release Owner
(A): FSM Manager
(C): Test Lead (product/system level), Safety Engineer
(I): Configuration Manager, Development Team (SM, Eng, Tester)		-Internal document
Safety Operator Warnings ManualProvides all warnings for a product in one document. Eases translation into national languages.TBDUser manual-
Internal FSM Audit ReportSummarizes FSM audit conducted sessions and lists audit findings.(R): Safety Engineer
(A): FSM Manager
(C): QCM, Safety Engineer
(I): ISA, Release Owner, Product Owner		ISA and local organization-

Dependencies

Process Dependency

Tailoring

ABB R&D PCP products have been developed over many years based on legacy QMS processes and tools, which remain valid in certain situations. If there is a need to tailor a project/stream and use legacy artifacts, such as the last approved document version of the Safety Handbook, please refer to the Learn Section for 800xA.

Training

Further Reading

Owner: Functional Safety Team