Functional Safety Management & Audits

This figure quoted and derived from figure 7 IEC 61511-1 Ed.2 2016 Safety Lifecycle diagram

The intention of FSM is to reduce or avoid systematic failures (in the SIS) and by doing this it will increase the systematic safety integrity. This concept of systematic safety integrity can be better illustrated by the following example:

Suppose the logic application design (mostly Cause and Effect diagrams (C&E’s)) contains a mistake. The SIS integrator starts engineering from these C&E’s, but the mistake is not discovered. The system is internally tested by different persons, and they too do not find the mistake. Then the Factory Acceptance Test (FAT) is done by competent persons from the end-user or a contractor representative. Still the mistake remains "hidden," At the end of the FAT the system goes to site including the mistake. This is what we call a systematic failure. And the only way to resolve a systematic failure is a modification of the C&E’s. FSM intends to reduce or avoid systematic failures, or in other words "find the hidden failures."

But, how to do this?

• Employ and use (proven) competent personnel on the project (i.e., end-user, contractor/EPC, SIS integrator etc.). Knowledgeable and experienced people will discover mistakes earlier.
• Make sure the project is executed in a structured and disciplined manner. No last minute, verbal changes. Instead, design freezes and modification packages. Assign Project Managers that manage the project in a structured way.
• Use procedures, tools and templates. It is tempting to use the documentation from the previous project and re-use the items that are needed according to the (safety) requirements. However, this increases the risk that things (which are in the template but were not used on the previous project) are overlooked and forgotten resulting in either fundamental design mistakes and/or a lot of (unpaid!) rework. Next to this, there may be very client specific safety requirements that are now copied into the new project while in fact, these are not required.
• Verification of the design by means of document reviews and by using a different competent reviewer than the author of the document.
• Testing of the design by means of structured and well documented test procedures. Make sure the tester is a different person than the engineer. Please realize that on a “live” system testing is not possible (or allowed) anymore because it will disrupt the production. Therefore, testing thoroughly in advance is most essential to detect as many unrevealed failures as possible.
• Record and document all that is done and keep these records (up to date). These test records may be an important way of defending the company against claims from insurance companies and other investigators and to prove that all was done to prevent this incident from happening. No records mean no evidence, hence a good reason the insurance companies use to not pay for the damage! Make sure the audit trail is kept and is kept actual.

When an FSM system is set up as suggested above, the rigidity and functioning can be checked by organizing Functional Safety Audits on this system. These audits can be seen as qualitative assessments and have great similarity with the well-known ISO System quality audits.

In fact, an FSM system can be considered as a “super”-ISO quality system.

Like with FS Assessments, also FS Audits need to be performed by proven competent persons that have the correct independence in relation to the system which is audited. The table from the Functional Safety Assessments section can be used to determine the correct independence.

This implies, for example, an independent organization to prove an FSM system is suitable to be used for SIFs with a SIL 3 level, hence SC3 is needed. Optionally an FSM system can be certified by a notified body like TÜV Rheinland, however, the IEC standards are nowhere requiring formal certification. Hence SC can also be stated in a so-called “self-declaration”. Yet, behind the self-declaration there must be an underpinning FSM Audit report as evidence.

Customer Challenges

Many customers are unaware they have an FSM/Systematic Capability responsibility too. They believe that when their SIFs are compliant for the required SIL level (a.k.a Hardware Safety Integrity) they have fulfilled their duty.
This however, is not true. When the customer does not have an FSM system in place compliant with the (highest) SIL level in their installation, no SIL can be claimed.

Our Solution

Having the most TÜV Rheinland certified offices worldwide, Yokogawa has extensive experience with setting-up and maintaining FSM systems. Your company can also be audited on FSM. From a quick check on FSM readiness to a full-scale FSM audit, we can do this for you. Is your ultimate target to have your organization certified by a notified body? In these cases, we can help you with the preparations by auditing the readiness of your company.

Within Yokogawa we have Functional Safety Specialists who, on a yearly basis, audit the implementation and execution of FSM of every office executing safety projects. As FSM is not so much about hardware but the organization around the hardware some Yokogawa Auditors have done independent FSA audits at other companies and end-users, regardless of whether they have Yokogawa hardware in place or not.

Customer Benefits

Yokogawa’s Functional Safety Experts and Specialists can conduct an independent functional safety audit on your organization to review the FSM implementation, processes, procedures, tools and templates and write a report on this. This is regardless the brand of hardware the client has installed or selected. Gaps are identified and improvements are suggested to improve functional safety. Following the FSM Audit report a customer may decide to issue a statement on Systematic Capability by means of self-declaration. Yokogawa has a global network of certified functional safety experts and specialists to ensure FSM compliance.