System Safety Assessment Methodologies Comparison
SAF.ET1.ST03.1000-REP-A
ANNEX
Edition: 2.0
Released Issue
Page A-1
TABLE OF CONTENTS

ANNEX A – SYSTEM SAFETY ASSESSMENT METHODOLOGIES COMPARISON
1 INTRODUCTION ........................................................ A-5
2 TERMS DEFINITION IN IEC 61508 ....................................... A-5
3 SYSTEM ASPECTS COMPARISON OF ED12B/DO178B AND IEC 61508 ............. A-7
4 COMPARISON OF SYSTEM SAFETY ASSESSMENT METHODOLOGIES ................ A-8
4.1 IEC 61508 SAFETY ASSESSMENT PROCESS .............................. A-8
4.1.1 HAZARD AND RISK ANALYSIS ....................................... A-8
4.1.2 IDENTIFICATION OF NECESSARY RISK REDUCTION ..................... A-8
4.1.3 ALLOCATION OF SAFETY REQUIREMENTS .............................. A-8
4.2 MAIN DIFFERENCES ................................................. A-9
4.3 COMPARISON ....................................................... A-12
5 TERMINOLOGY COMPARISON .............................................. A-13
6 OUTPUTS COMPARISON .................................................. A-15
7 IEC GLOSSARY ........................................................ A-17
ANNEX A – SYSTEM SAFETY ASSESSMENT METHODOLOGIES COMPARISON
1 INTRODUCTION

This chapter compares the system safety assessment methodologies of IEC 61508 part 1 and ARP 4754. It also compares how each of those methodologies allows safety requirements to be allocated to the software.
2 TERMS DEFINITION IN IEC 61508

IEC 61508 addresses the functional safety of Equipment Under Control.
The term safety-related systems refers to those systems that are intended to prevent an Equipment Under Control (EUC) from going into a dangerous state by taking appropriate action on receipt of a command.
Safety-related systems, together with the external risk reduction facilities, are intended to mitigate the risks of the EUC and EUC control system in order to meet a required tolerable risk level.
A safety-related system may:
a) be designed to eliminate hazards or prevent the hazardous events of the EUC and the EUC control system;
b) be designed to mitigate the effects of the hazardous event, thereby reducing the risk by reducing the consequences;
c) be designed to achieve a combination of a) and b).
A safety-related system may include hardware and software elements and supporting services (for example, power supplies). A person can be part of a safety-related system (e.g., a person could receive information from a programmable electronic device and perform a safety action based on this information, or perform a safety action through a programmable electronic device).
A safety-related system may be based on a wide range of technologies including:
• electrical, electronic, programmable electronic (E/E/PE) technology;
• other technologies (e.g. mechanical, hydraulic, pneumatic).
Safety-related systems and external risk reduction facilities implement safety functions.
A safety-related system both:
• implements the required safety functions necessary to achieve a safe state for the equipment under control or to maintain a safe state for the equipment under control, and
• is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions.
Functional safety is the part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.
3 SYSTEM ASPECTS COMPARISON OF ED12B/DO178B AND IEC 61508
System safety assessment methodologies are described respectively in IEC 61508 part 1 and in AMJ 25-1309 / SAE ARP 4754. These methodologies aim at ensuring system safety through a combination of system safety assessment and development assurance (validation / verification, configuration management, ...).
AMJ 25-1309 is part of the JAR 25 regulation dedicated to the airworthiness of large aeroplanes. AMJ 25-1309 (Advisory Material Joint) is attached to the JAR 25-1309 item related to equipment, systems and installation.
SAE ARP 4754 has been developed in the context of JAR part 25 and intends to give guidance for the certification of highly integrated or complex aircraft systems.
The following table compares the field of coverage of IEC 61508 and of the aviation-related standards.
System aspects | IEC 61508 standard | Aviation standards
General requirements | IEC 61508 Part 1 | AMJ 25-1309 (equipment, systems and installation); SAE ARP 4754 (certification considerations for highly integrated or complex aircraft systems)
Hardware aspects | IEC 61508 Part 2 (requirements for electrical / electronic / programmable electronic systems) | RTCA DO 254 (design assurance guidance for airborne electronic hardware)
Software aspects | IEC 61508 Part 3 (software requirements) | RTCA DO 178 B (software considerations in airborne systems and equipment certification)
IEC 61508 part 1 and ARP 4754 are fully consistent with IEC 61508 part 3 and ED12B/DO178B respectively. Both give a means of allocating safety requirements to the software of the system. Although the terminology used throughout the documents differs, the principles used in both documents are quite close.
4 COMPARISON OF SYSTEM SAFETY ASSESSMENT METHODOLOGIES
The aim of this chapter is to compare at a high level the safety assessment
processes required by standards AMJ 25-1309 / ARP 4754 and the IEC 61508
part 1.
4.1 IEC 61508 SAFETY ASSESSMENT PROCESS

4.1.1 HAZARD AND RISK ANALYSIS
• Determination of the hazards and hazardous events of the Equipment Under Control (EUC) and the EUC control system (in all modes of operation), for all reasonably foreseeable circumstances and misuse.
• Determination of the event sequences leading to the hazardous events determined.
• Determination of the EUC risks associated with the hazardous events determined.
4.1.2 IDENTIFICATION OF NECESSARY RISK REDUCTION
The necessary risk reduction is the reduction in risk that has to be achieved to
meet the tolerable risk for a specific situation. E/E/PE safety-related systems
contribute towards meeting the necessary risk reduction in order to meet the
tolerable risk.
• Identification of safety functions for the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.
• Specification of overall safety requirements, in terms of the safety function requirements and safety integrity requirements, for the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities, in order to achieve the required functional safety.

4.1.3 ALLOCATION OF SAFETY REQUIREMENTS
• Allocation of the safety functions to the designated E/E/PE safety-related systems and external risk reduction facilities;
• Allocation of a safety integrity level to each safety function.
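The quantitative path through the three IEC 61508 steps above (hazard and risk analysis, necessary risk reduction, allocation of a safety function with its SIL), as an added Python example that is not part of this report: the hazard figures are constructed, and the PFDavg band per SIL is taken from the IEC 61508-1 low demand mode table, which this annex does not reproduce.

```python
"""Quantitative pass through the IEC 61508 part 1 steps of section 4.1:
hazard and risk analysis -> necessary risk reduction -> allocation of a
safety function with its safety integrity level (SIL). Added illustration,
not code from the report; SIL bands are the IEC 61508-1 low-demand PFDavg
bands and the hazard figures are constructed values."""
from dataclasses import dataclass
from math import ceil, log10

# IEC 61508-1 low demand mode: SIL -> [lower, upper) band of the average
# probability of failure on demand (PFDavg) of the safety function.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass
class Hazard:
    name: str
    frequency: float       # hazardous events per year, EUC + EUC control system alone
    consequence: float     # harm per event (constructed unit, e.g. expected fatalities)
    tolerable_risk: float  # tolerable harm per year for this hazard

    @property
    def euc_risk(self) -> float:
        """Risk = consequences of hazard * frequency of occurrence (Table 1)."""
        return self.consequence * self.frequency


def necessary_risk_reduction(h: Hazard) -> float:
    """Factor by which the EUC risk must be reduced to meet the tolerable
    risk; 1.0 means the EUC risk is already tolerable."""
    return max(1.0, h.euc_risk / h.tolerable_risk)


def allocate_sil(pfd: float):
    """Map a required PFDavg onto a SIL. None: no E/E/PE safety function is
    needed (PFD >= 1e-1). ValueError: below the SIL 4 band, so one safety
    function cannot carry the reduction alone."""
    if pfd >= 1e-1:
        return None
    # the decade of pfd gives the band; the 1e-9 absorbs float noise such as
    # 0.0009999999999999998 that would otherwise land one band too high
    sil = ceil(-log10(pfd) - 1e-9) - 1
    if sil > 4:
        raise ValueError(f"PFDavg {pfd:.1e} lies beyond the SIL 4 band")
    return sil


def assess(h: Hazard) -> dict:
    """Run the three steps for one hazard and report the allocation."""
    rrf = necessary_risk_reduction(h)
    pfd = 1.0 / rrf  # PFDavg the safety function must achieve
    try:
        sil = allocate_sil(pfd)
        note = "no E/E/PE safety function required" if sil is None else f"SIL {sil}"
    except ValueError as exc:
        sil, note = None, str(exc)
    return {"hazard": h.name, "euc_risk": h.euc_risk, "rrf": rrf, "required_pfd": pfd,
            "sil": sil, "band": SIL_BANDS.get(sil), "note": note}


EXAMPLE_HAZARDS = [  # constructed sample hazards for a hypothetical process plant
    Hazard("vessel overpressure", frequency=0.2, consequence=1.0, tolerable_risk=2e-4),
    Hazard("minor release", frequency=0.01, consequence=0.5, tolerable_risk=0.01),
    Hazard("runaway reaction", frequency=5.0, consequence=10.0, tolerable_risk=1e-4),
]
```

The third hazard shows the case the annex mentions under external risk reduction facilities: the required reduction exceeds what a single E/E/PE safety function can claim, so it must be shared with other technology systems or external facilities.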
4.2 MAIN DIFFERENCES
The following tables compare the system safety assessment processes of AMJ 25-1309 / ARP 4754 and IEC 61508 part 1. The phases of the system safety assessment process are given in parallel with the system development life cycle. The tables highlight the main differences between the standards in terms of safety activities and of the way safety objectives are allocated to software.
System development life cycle phase: System requirements (assessment of functions, allocation of functions to systems)

IEC 61508 overall safety lifecycle:
• Hazard and risk analysis:
  - hazards
  - hazardous events
  - event sequences leading to the hazardous event
  - EUC risk associated (Risk = consequences of hazard * frequency of occurrence)
• Assessment of overall safety requirements:
  - assessment of necessary risk reduction (for each identified hazard, qualitative or quantitative)
  - assessment of safety functions
  - assessment of safety integrity requirements for each safety function
  Note: specification for the safety functions + specification for the safety integrity requirements = specification for the overall safety requirements.

ARP 4754 system life cycle process:
• Functional Hazard Assessment (FHA):
  - assessment of functional failure conditions
  - assessment of hazard
  - classification of hazard according to the AMJ 25-1309 classification matrix

System development life cycle phase: Detailed system architecture (allocation of requirements to hardware and software)

IEC 61508 overall safety lifecycle:
• Safety requirement allocation:
  - identification of safety-related systems (E/E/PE) that are to be used to achieve the required functional safety
  - allocation of each safety function and its associated safety integrity to designated E/E/PE systems
  - allocation qualitative or quantitative
  - assessment of safety integrity level according to the probability of failure allocated to the system

ARP 4754 system life cycle process:
• Preliminary system safety assessment (PSSA):
  - specific system and item safety requirements (allocation of safety requirements to hardware and software)
  - preliminary indication that the system architecture can meet the safety requirements

System development life cycle phase: System implementation

IEC 61508 overall safety lifecycle:
• Overall safety validation

ARP 4754 system life cycle process:
• System safety assessment (SSA) (verification that the implemented system meets the safety requirements)

Table 1 - Comparison of system safety assessment activities
System development life cycle phase: System requirements (assessment of functions, allocation of functions to systems)

IEC 61508 overall safety lifecycle:
A risk classification scheme shall be defined for any domain (nuclear, chemical, transport). Quantitative and qualitative methods are proposed to derive the risk scheme. No specific risk scheme is given.
Safety requirements are quantitative or qualitative.

AMJ 25-1309 / ARP 4754 system life cycle process:
A risk classification scheme is given in AMJ 25-1309. This risk scheme is compliant with the ALARP method proposed in IEC 61508. The risk scheme is specific to the aviation domain.
Safety requirements are quantitative (probability per flight hour) or qualitative (development assurance level).

System development life cycle phase: Detailed system architecture (allocation of requirements to hardware and software)

IEC 61508 overall safety lifecycle:
IEC 61508 introduces the notion of safety functions. Some functions may create hazards and would be monitored by safety functions. The notion of safety function seems to favour monitoring as the preferred architectural means of ensuring safety; other options are not detailed but are not excluded. Only the safety assessment makes it possible to assess the role of functions related to safety.
Safety integrity levels are allocated to software. A safety integrity level may be derived on a quantitative or qualitative basis. No guidance is given in the standard on how to derive a qualitative safety integrity level. The safety integrity level makes it possible to assess a level of development assurance process associated with the software development. (See Table 1)

AMJ 25-1309 / ARP 4754 system life cycle process:
Any function may potentially impact safety. Architectural options are proposed in order to decrease the criticality of functions (redundancy, monitoring, partitioning).
A software development assurance level is derived only on a qualitative basis from the safety assessment and the contribution of software to the failure conditions. Quantitative safety requirements are allocated only to systems and hardware. Only the safety assessment makes it possible to decide the criticality level of any function. (See Table 1)

System development life cycle phase: System implementation

IEC 61508 overall safety lifecycle:
Overall safety validation data includes all the results of the validation activities, including test and analysis, to show the compliance of the safety-related system with the requirements.

AMJ 25-1309 / ARP 4754 system life cycle process:
The system safety assessment is dedicated only to the verification that the implemented system complies with the safety requirements. The validation and verification activities are also addressed in the document in specific chapters.

Table 2: Main differences between IEC 61508 and ED12B/DO178B
4.3 COMPARISON
[Figure 1 is a diagram that is not reproduced here. It sets the ARP 4754 / DO 178B allocation chain (boxes labelled Aircraft, Aircraft function, System, System function, function allocated to, Functional hazard assessment, Hazard / Failure condition, Failure condition category, Hardware probability of failure, Contribution to failure condition, Target probability of failure, Software level) beside the IEC 1508 chain (boxes labelled Equipment under control (EUC), EUC control system, EUC function, Hazard and risk analysis, Associated risk controlled by, Safety function, Necessary risk reduction allocated to, System, Hardware, Software function, specified in terms of, Target failure measure, Safety integrity level).]
Figure 1: Comparison of the processes of allocation of safety requirements to software.
5 TERMINOLOGY COMPARISON
The following tables compare the respective terminologies used in the standards ED12B/DO178B, IEC 61508, MIL-STD-498, ISO/IEC 12207 and ISO 9000-3. The tables only include terms that vary between the standards.
Topic | ED12B/DO178B | IEC 61508 | ISO/IEC 12207
System aspects | system | EUC (equipment under control) + EUC control system | system
System aspects | software | safety-related software (EUC control system) | software
System aspects | function | safety function | no specific term
System aspects | software level | software safety integrity level (SIL) | not covered
Life cycle | system life cycle | overall safety lifecycle | no specific term
Life cycle | software life cycle | software lifecycle | software life cycle
Life cycle | process | phase | process
Life cycle | activity | activity | activity
Life cycle | integral processes | no specific term | supporting life-cycle processes
Planning | system life cycle planning (covered in ARP) | management of functional safety | no specific term
Planning | (software life cycle) planning process | (safety planning) | planning process
Planning | plan for software aspects of certification | no specific term | no specific term
Planning | software development plan | development plans, engineering planning | no specific terms
Planning | software configuration management plan | | configuration management plan
Planning | software quality assurance plan | | quality assurance plan
Planning | software verification plan (system verification: covered in ARP) | verification (review) plan + integration plan; validation planning | validation plan
Development | development standards | development standards (including code standards) | coding standards
Development | high-level requirements | safety requirements: safety function requirements, safety integrity requirements | software requirements
Development | derived requirements | no specific term | no specific term
Development | low-level requirements (design description) | design requirements | software design
Development | deactivated/dead code | no specific term | no specific term
Development | software integration | software integration | unit integration, software qualification
Development | hardware/software integration | | system integration, system qualification
Quality assurance | quality assurance | functional safety assessment | quality assurance
Maintenance | previously developed software | previously developed software, validated software | no specific term
Certification | certification | not covered | certification authority
Tool qualification | tool qualification | tool qualification (for system validation only) | no specific term
Tool qualification | acceptance | no specific term |
6 OUTPUTS COMPARISON
The following table lists the outputs of the life cycle processes in the standards
ED12B/DO178B, IEC61508 and MIL-STD-498. ISO 12207 and ISO 9000-3 are
not so prescriptive regarding documentation to be established and do not specify
the name or form of the life cycle outputs.
Lifecycle processes | ED12B/DO178B outputs | IEC 61508 outputs related to software life cycle
Planning | plan for software aspects of certification; development plan; configuration management plan; quality assurance plan; verification plan; standards; other planning records | planning records; development tools; coding standards; safety validation plan
Requirements specification | software requirements data | safety requirements specification
Design | architecture; low-level requirements | architecture design description; system design specification; module design specification
Coding | source code and object code | source code listing; code review report
Integration | executable object code |
Testing | software verification cases and procedures; software verification results | architecture integration test specification; software/hardware integration test specification; system integration test specification; module test specification; module test results, verified and tested modules; system integration test results, verified and tested software system; safety validation results, validated software
Test coverage analysis | analysis record | no requirement on outputs
Reviews and analysis | software verification results | verification report
Operation and maintenance procedures | not covered | operation and maintenance procedures
Certification | software accomplishment summary; configuration index | not covered
Configuration management | configuration index; software configuration management records | baselines; software release documentation; configuration status
Modification | software configuration management records | modification impact analysis results; modification log
Corrective action | problem records | modification request and authorisation documentation
Quality / Safety assurance | software quality assurance records | safety audit records; software functional safety assessment report
7 IEC GLOSSARY
• Equipment Under Control (EUC)
  Equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities.
• EUC Control System
  System which responds to input signals from the process and/or from an operator and generates output signals causing the EUC to operate in the desired manner.
• External risk reduction facility
  Measure to reduce or mitigate the risks which are separate and distinct from, and do not use, E/E/PE safety-related systems or other technology safety-related systems. Example: a drain system, a fire wall and a bund are all external risk reduction facilities.
• Other technology safety-related system
  Safety-related system based on a technology other than electrical/electronic/programmable electronic. Example: a relief valve is an other technology safety-related system.
• Safety function
  Function to be implemented by an E/E/PE safety-related system, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event.