Functional Safety Foundations


10 May, 2022


Understanding the basics of functional safety.

Defining acceptable risk

Functional safety is defined by the standard IEC 61508[1] as the absence of unacceptable risk of physical injury or damage to the health of people, either directly or indirectly (for example as a consequence of damage to property or to the environment). It is the part of overall safety that depends on a system or piece of equipment responding correctly to its inputs. Note that this is safety, not security: functional safety addresses random hardware failures and systematic faults, not deliberate attack. A functional safety mechanism detects a potentially hazardous state and activates a protective or corrective function, either to prevent the hazardous event from occurring or to mitigate its consequences. The goal of functional safety is to limit harm to people, property, and the environment by reducing hazardous conditions in systems or components to an acceptable level.

A simple example of a functional safety system is your office coffee maker. Equipped with a sensor that measures the coffee temperature, the coffee maker switches the heating element off if the sensor detects that the temperature has exceeded a threshold. A more complex example is an automated robot on a production line: if the system registers a human worker getting too close, it enters a safe mode, either stopping the robot or moving it to a safer position. Functional safety is an active part of a larger safety system; it reacts to predefined triggers and instructs the overall system to make an active change. This is in contrast to passive safety measures such as fire doors or personal protective equipment.

Image 1: Collaborative robots are required to meet rigorous functional safety standards. 

Why functional safety is important

At its core, functional safety protects users of technology from harm. As industry becomes more automated and factories run 24/7, functional safety is increasingly important as we interact with more and more complex systems. From a purely business standpoint, ensuring functional safety allows manufacturers to operate confidently at maximum efficiency. 

Standards

The basic international safety standard for electrical, electronic, and programmable electronic safety-related systems is IEC 61508. It sets out the requirements for ensuring that systems are designed, implemented, operated, and maintained to the required safety integrity level (SIL).

Since the first edition of IEC 61508 was published in 1998, sector-specific standards derived from it have been developed for fields such as automotive (ISO 26262), the process industries (IEC 61511), programmable controllers (IEC 61131-6), machinery (IEC 62061), variable-speed drives (IEC 61800-5-2), and many other areas.

Figure 1: A sample of functional safety standards.

Hardware Fault Tolerance (HFT)

Hardware Fault Tolerance (HFT) indicates a hardware subsystem's ability to keep performing its safety function when one or more of its components has failed: HFT = N means that N dangerous faults can be tolerated, and N + 1 would cause loss of the safety function. In a typical system, a higher Safety Integrity Level (SIL) requires more HFT. For example, a subsystem with HFT 0 cannot withstand a single dangerous failure, whereas a subsystem with HFT 1 can tolerate one, typically because it has a redundant channel (a 1oo2 architecture, in which either of two channels can bring the system to the safe state).

HFT 2 and HFT 3 are also found in some systems, but the more redundancy is built in, the more complex the system becomes, which has cost and maintenance implications and brings common-cause failures between the redundant channels into the analysis.

Safe Failure Fraction (SFF) is the proportion of a component's total failure rate that is made up of failures that are either safe or dangerous but detected by diagnostics; IEC 61508 allows a dangerous failure that the diagnostics detect (and that leads to a safe state) to be counted on the safe side. Diagnostic Coverage (DC) is the proportion of dangerous failures that the diagnostics detect. SFF is therefore close to DC only when safe failures are a negligible part of the total; in general the two differ. IEC 61508-2 uses SFF together with HFT (the architectural constraints) to cap the SIL that may be claimed for a subsystem, whatever its calculated probability of failure.

Safety Integrity Level (SIL)

SIL stands for Safety Integrity Level. A SIL is a measure of the performance required of a safety function. For functions that are called upon infrequently (low-demand mode) it is expressed as the average probability of failure on demand (PFDavg); for functions that act continuously or are demanded often (high-demand or continuous mode) it is expressed as the average frequency of dangerous failure per hour (PFH). Probability of failure is used rather than probability of correct operation because it is easier to express (e.g. 1 in 100,000 rather than 99,999 in 100,000).

There are four integrity levels: SIL 1, SIL 2, SIL 3, and SIL 4. The higher the SIL, the higher the safety integrity and the lower the probability that the function will fail to perform when needed. IEC 61508-1 defines the bands as follows: SIL 1, PFDavg from 10^-2 to below 10^-1 (PFH from 10^-6 to below 10^-5 per hour); SIL 2, 10^-3 to below 10^-2 (10^-7 to below 10^-6); SIL 3, 10^-4 to below 10^-3 (10^-8 to below 10^-7); SIL 4, 10^-5 to below 10^-4 (10^-9 to below 10^-8). As the SIL increases, the complexity of the system, its maintenance, and its cost typically increase too.
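The relationship between failure rates, SFF, DC, HFT and SIL described in the two sections above is easiest to see in numbers. The following Python script is an added example written for this article; it is not Renesas code and the failure rates in it are constructed for illustration, not taken from any datasheet. It assumes the SIL bands from IEC 61508-1 and the Route 1H architectural-constraint tables from IEC 61508-2 (type A = simple elements, type B = complex elements such as microcontrollers); the 1oo1 PFDavg formula neglects repair time.

```python
"""Worked SIL verification for one safety function (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Failure-rate split of one channel, in failures per hour (constructed values)."""
    lam_sd: float  # safe, detected by diagnostics
    lam_su: float  # safe, undetected
    lam_dd: float  # dangerous, detected by diagnostics
    lam_du: float  # dangerous, undetected (only revealed by a proof test)

    @property
    def total(self) -> float:
        return self.lam_sd + self.lam_su + self.lam_dd + self.lam_du


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF: share of all failures that are safe, or dangerous but detected."""
    return (r.lam_sd + r.lam_su + r.lam_dd) / r.total


def diagnostic_coverage(r: FailureRates) -> float:
    """DC: share of *dangerous* failures that the diagnostics detect."""
    return r.lam_dd / (r.lam_dd + r.lam_du)


# Architectural constraints, IEC 61508-2 Route 1H: maximum SIL claimable for an
# element, indexed by SFF band (<60%, 60-<90%, 90-<99%, >=99%) then HFT (0, 1, 2).
# 0 means "not allowed". Check the edition you work to before relying on these.
SFF_BAND_EDGES = (0.60, 0.90, 0.99)
ROUTE_1H = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def max_sil_architectural(sff: float, hft: int, element_type: str) -> int:
    """Highest SIL the hardware architecture permits, regardless of PFD."""
    band = sum(1 for edge in SFF_BAND_EDGES if sff >= edge)
    return ROUTE_1H[element_type][band][min(hft, 2)]


def pfd_avg_1oo1(lam_du: float, proof_test_interval_h: float) -> float:
    """Average PFD of a single channel (1oo1), repair time neglected: an
    undetected dangerous fault is present on average for half the proof-test
    interval, so PFDavg ~= lambda_DU * T_I / 2."""
    return lam_du * proof_test_interval_h / 2.0


# SIL bands from IEC 61508-1: (lower bound inclusive, upper bound exclusive, SIL).
PFD_BANDS = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))
PFH_BANDS = ((1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1))


def _sil_from_bands(value: float, bands) -> int:
    if value < bands[0][0]:
        return 4  # better than the SIL 4 band; SIL 4 is the highest claim
    for lo, hi, sil in bands:
        if lo <= value < hi:
            return sil
    return 0  # worse than the SIL 1 band: no SIL can be claimed


def sil_from_pfd(pfd_avg: float) -> int:
    """SIL achieved by a low-demand function, from its PFDavg."""
    return _sil_from_bands(pfd_avg, PFD_BANDS)


def sil_from_pfh(pfh: float) -> int:
    """SIL achieved by a high-demand/continuous function, from its PFH."""
    return _sil_from_bands(pfh, PFH_BANDS)


def claimable_sil(pfd_avg: float, sff: float, hft: int, element_type: str) -> int:
    """The SIL actually claimable is capped by BOTH the achieved PFD and the
    architectural constraint; the weaker of the two wins."""
    return min(sil_from_pfd(pfd_avg), max_sil_architectural(sff, hft, element_type))


if __name__ == "__main__":
    rates = FailureRates(lam_sd=3e-7, lam_su=1e-7, lam_dd=5.5e-7, lam_du=5e-8)
    sff, dc = safe_failure_fraction(rates), diagnostic_coverage(rates)
    pfd = pfd_avg_1oo1(rates.lam_du, proof_test_interval_h=8760)  # yearly proof test
    print(f"SFF={sff:.3f} DC={dc:.3f} PFDavg(1oo1)={pfd:.2e} -> SIL {sil_from_pfd(pfd)} by PFD alone")
    print(f"type B, HFT 0: architecture caps at SIL {max_sil_architectural(sff, 0, 'B')},"
          f" claimable SIL {claimable_sil(pfd, sff, 0, 'B')}")
    # Adding a redundant channel (HFT 1) raises the architectural cap; the 1oo2
    # PFDavg would also need recomputing (IEC 61508-6 formula, not shown here).
    print(f"type B, HFT 1: architecture caps at SIL {max_sil_architectural(sff, 1, 'B')}")
```

With the constructed rates the single channel achieves a PFDavg in the SIL 3 band, but because it is a type B element with HFT 0 and an SFF of 95%, the architectural constraint limits the claim to SIL 2. That gap, between what the probability calculation suggests and what the architecture allows, is exactly why the text says a higher SIL typically requires more HFT.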

Figure 2: SIL Level is a function of hazard frequency and hazard consequence.

Assigning SIL levels

In most circumstances a hazard and risk analysis is used to decide whether a safety function is needed and to allocate its SIL. IEC 61508 describes quantitative methods for this analysis, in which the frequency of the hazardous event without protection is compared with a tolerable frequency to derive the risk reduction the safety function must provide. It also describes qualitative methods (such as the risk graph in IEC 61508-5) for estimating the risk and assigning a SIL.

The qualitative technique rates each hazard in the facility by the severity of the harm it can cause, the frequency and duration of exposure to it, the possibility of avoiding it, and the probability that it occurs. The SIL required of the installation's safety function is then assigned from the resulting risk level, whether measured quantitatively or estimated qualitatively: the higher the risk, the higher the SIL the safety instrumented system must meet in order to reduce that risk to an acceptable level.
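The quantitative allocation described above comes down to a risk reduction factor. The following Python script is an added example, not part of the original article or of any standard's worked example; the hazard frequency, tolerable frequency and protection-layer PFDs in it are constructed for illustration, and the SIL bands are those of IEC 61508-1 for low-demand mode.

```python
"""Quantitative SIL target allocation for one hazard (added example)."""

# Low-demand SIL bands from IEC 61508-1: (PFDavg lower bound incl., upper excl., SIL).
PFD_BANDS = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))


def required_risk_reduction(hazard_freq_per_year: float,
                            tolerable_freq_per_year: float,
                            other_layer_pfds=()) -> float:
    """Risk reduction factor (RRF) the safety function must provide.

    Starts from the hazardous-event frequency with no protection, credits any
    independent protection layers already in place (each multiplies the
    frequency by its own PFD), and divides by the tolerable frequency that the
    risk analysis set as acceptable.
    """
    residual = hazard_freq_per_year
    for pfd in other_layer_pfds:
        residual *= pfd
    return residual / tolerable_freq_per_year


def target_sil(rrf: float) -> int:
    """SIL the safety function must be designed to, from its required RRF.

    Returns 0 when the required PFDavg is 0.1 or worse (RRF below 10): that is
    outside the SIL 1 band, so no SIL-rated function is needed for this hazard.
    Raises if the required PFDavg is below the SIL 4 band, because a single
    safety function cannot claim more than SIL 4; the process must be changed.
    """
    pfd_required = 1.0 / rrf
    if pfd_required < PFD_BANDS[0][0]:
        raise ValueError("required PFDavg below the SIL 4 band: redesign the process")
    for lo, hi, sil in PFD_BANDS:
        if lo <= pfd_required < hi:
            return sil
    return 0


if __name__ == "__main__":
    # Constructed scenario: a hazardous event expected 0.05 times per year with
    # no protection; the tolerable frequency set by the risk analysis is 1e-5/yr.
    rrf = required_risk_reduction(0.05, 1e-5)
    print(f"no other layers: RRF {rrf:.0f} -> SIL {target_sil(rrf)}")
    # Crediting an independent relief valve with PFD 0.01 lowers the demand on the SIS.
    rrf = required_risk_reduction(0.05, 1e-5, other_layer_pfds=(0.01,))
    print(f"with relief valve: RRF {rrf:.0f} -> SIL {target_sil(rrf)}")
```

The example shows why SIL allocation is done per hazard and per installation rather than per product: the same safety function needs SIL 3 when it is the only barrier, but only SIL 1 once an independent mechanical layer is credited, and the credited layer must genuinely be independent for that reduction to hold.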

Getting a product certified for functional safety is a process that should ideally involve your developers, your assembly teams, and your functional safety certifying organization, and should start in the early development stages. This allows you to build robust development plans in which the assessment process will follow through the product development lifecycle.

Implementing functional safety

Ensuring compliance with functional safety standards calls for a dual approach that involves both hardware and software.

From a hardware standpoint, manufacturers are increasingly producing sensors and processing devices that already have functional safety elements built-in. The result is a generation of industrial equipment that is able to monitor its own adherence to safety standards.

From a software perspective, the IEC 61508 standard requires safety-related software components to adhere to a stringent development process, with analysis, structured design, testing, and validation of all requirements.  

Functional Safety Trends and Challenges

One of the biggest trends, and toughest challenges, revolves around size. Miniaturization of complex semiconductors allows them to be produced in a way that keeps both size and cost down, but it also adds to the complexity of the wider functional safety systems built from them.

The increased integration density and relatively short innovation cycles that enable these smaller systems also create more opportunities for faults, so the devices must be designed and manufactured to the highest quality.

User documentation that accompanies them must also be beyond reproach.

From a semiconductor supplier's point of view, Renesas Electronics offers a set of solutions to address these challenges: scalable general-purpose MCUs for controlling safety systems, supplied with TÜV-certified safety software to run on top of them. This allows manufacturers to minimize or skip their own safety software development and certification for those controllers.


Conclusion

Functional safety is becoming increasingly important as we move into an era of high automation. As we hand over more of our trust and indeed, even our lives, to automated devices, safety regulations will need to be relied upon to help guide the manufacturers and software developers that will enable this automation ecosystem.

Not only is adherence to these standards essential to protect people from death and injury, but also to preserve trust in automation by the public, while protecting the reputations and balance sheets of companies.

Renesas could be on your list of suppliers to consider for your next safety-related system.

About the sponsor: Renesas

At Renesas we continuously strive to drive innovation with a comprehensive portfolio of microcontrollers, analog and power devices. Our mission is to develop a safer, healthier, greener, and smarter world by providing intelligence to our four focus growth segments: Automotive, Industrial, Infrastructure, and IoT that are all vital to our daily lives, meaning our products and solutions are embedded everywhere. 


References and further reading

1. https://webstore.iec.ch/publication/5515

2. Renesas, 2022. Functional Safety for Industrial Automation. Available online with complimentary evaluation software to try: https://www.renesas.com/application/industrial/factory-automation/safety/functional-safety-industrial-automation?utm_campaign=mcu_ra_ecosystem&utm_source=wevolver&utm_medium=article&utm_content=fusa_foundations

3. Perforce Software, 2022. A Guide to Compliance in Software Development: What Is Functional Safety? Available online:
https://www.perforce.com/resources/qac/what-is-functional-safety#why-is-functional-safety-important

4. Leah Narodetsky, 2021. What Is IEC 61508? Your Comprehensive Guide to this Functional Safety Standard. Available online: 
https://content.intland.com/blog/what-is-iec-61508