Part 2 – Safety Critical Systems – A brief history of the development of guidelines and standards
This week ESC is sharing part 2 of the “Safety Critical Systems – A brief history of the development of guidelines and standards” paper which focus on the developments during 1980 – 1990s and the IEC 61508.
“Acknowledgments: In developing the paper, which is the basis of this blog, I was most grateful for the help given to me from the following people; Phil Bennett, Simon Brown, Brian Clarke, John Canning, Rainer Faller, Martin Goose, James Inge, Ken Simpson and David Ward”.
Safety Critical Systems – A brief history of the development of guidelines and standards
2. Developments during 1980 – 1990s
The period 1980 to the mid-1990s established many of the fundamental building blocks and principles for what is now referred to as the discipline of functional safety. It was a period of intense activity and cooperation amongst many different groups within the UK and other countries in Europe and internationally.
At the beginning of this period there was excessive caution in the adoption of programmable electronic elements for safety-related systems and a high level of uncertainty as to how such technology could be used for safety applications and gain acceptance from safety regulators.
At the end of that period there were much higher levels of confidence that reasonable solutions were available, albeit that for many specific areas of functional safety there were gaps that needed filling, and the filling of these gaps depended on professional judgement.
Some of the key building blocks established during the period 1980 to the mid-1990s are now embedded in accepted good practice and include:
- Effective management of functional safety
- A safety lifecycle approach that covered all relevant phases from initial concept until final decommissioning
- The concept of dangerous random hardware failures and dangerous systematic failures and the need to develop measures and techniques to combat both types of failure
- The concept of a Safety Integrity Level (SIL) for the specified Safety Function that was required to deal with dangerous systematic failures
- The concept of the Safety Function contains the specification for:
- the functionality of what must be achieved to prevent the hazardous event; and
- the safety integrity (i.e. SIL) necessary to achieve the required target risk
Note 1: during this period the distinction between a Safety Function and the Safety-Related System was not sufficiently distinguished. With hindsight, the adoption of a Safety Function was a significant building block in achieving functional safety.
- Quantified Target Failure Measures for a Safety Function having a specified SIL
- Competence of persons involved in any safety life-cycle activity that had to be formally addressed and justified
- The need for assurance measures for all safety life-cycle activities including Functional Safety Assessment, Functional Safety Audit, Verification and Validation. Such assurance measures are relevant to both hardware and software
Note 1: it is interesting to note that in the context of IEC 61508 the concept of a Safety Case was not built into the developing standard. To some degree the Safety Case concept was perceived as a “UK” concept (whether this be a fact or not that was the perception within the Working Group developing IEC 61508).
However, several UK industries developed and adapted the concept and the principles of the Safety Case to demonstrate their understanding and management of risks within their business.
Setting the Target Risk for a specified hazardous event was an essential parameter for the design activity. The concept of a Tolerable Risk within the UK facilitated a quantified approach to the Target Risk within the legal framework.
Also, the advent of quantified target failure measures (emerging in the drafts of IEC 61508) for the safety functions facilitated the verification of the design of a safety critical system based on quantified Target Risk criteria.
The use of quantified risk criteria was, and still is, a sensitive issue for many countries (e.g. A maximum risk of death of 1 in 10-3 per annum for workers in any industry was suggested.
- During this period both qualitative and quantitative risk targets were adopted even for consequences having life changing injuries
- The need to base the required safety performance of a safety critical system, in respect of a specific safety function, on all the risk reduction measures and risk parameters related to the specified hazardous event. Although individual elements of this concept existed prior to the application of programmable electronic systems, implementing such systems demanded a more rigorous systematic and holistic approach.
In the period 1980-1990 there were many initiatives and developments relating to the safe use of Programmable Electronic Systems (PESs) although initially the focus was on safety critical software rather than safety critical systems. Some of these initiatives and developments are summarised in Table A.1.
Note: Table A.1 is not intended to be an authoritative catalogue of initiatives and developments during the 1980 to the mid-1990s but provide a snapshot of some of the key issues that are considered of importance to the author and the activities associated with IEC 61508.
The 3rd and final part of the ‘Safety Critical Systems – A brief history of the development of guidelines and standards’ focuses on the standard IEC 61508, some of its key features and the standards influenced by, derived or based on IEC 61508.
If you have any questions or would like more information just leave a message below or contact us here.