ABSTRACT

In designing safe systems, the general steps of the design process include risk assessment, specification of the safety functions in terms of function and required performance, design and implementation of the safety functions, verification of the safety functions, and validation of the overall safety of the system. These steps are addressed in a number of standards, such as IEC 61508 (2010). A high-level review may examine the process followed in implementing these steps and include a number of spot checks of the required analyses. A concern with such a review is that the reviewer is biased by the designers' assumptions: reviewing what is presented is frequently easier than identifying what is missing. This paper discusses how a high-level review may be extended. Given the difficulty of verifying that the list of hazards underlying the specification of the safety functions is complete, an approach is proposed to examine safety function coverage by a separate risk analysis (hazard identification). The approach involves the following steps:

Modeling the system functions by generic sensor/logic/actuator (controller) components,

Deriving the failure modes of the components,

Identifying the hazards resulting from the component failure modes, yielding a surrogate set of hazards, and

Verifying whether the set of safety technical measures protects against the surrogate set.
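The four steps above, carried through on a small constructed example (added here for illustration; this is not code from the paper). The tank-level loop, the component names LT-1, PLC-1, XV-1, LSH-2 and SIS-1, the generic failure-mode catalogue and the two protective measures are all assumptions. The coverage check also applies an independence rule that the abstract does not state: a measure only counts as protecting against a hazard if it does not rely on the component whose failure caused that hazard.

```python
"""Surrogate-hazard coverage check over a sensor/logic/actuator model.

Hypothetical worked example of the four steps in the abstract:
  1. model each system function as generic sensor -> logic -> actuator,
  2. derive the failure modes of each component from a generic catalogue,
  3. map failure modes to hazards, giving the surrogate hazard set,
  4. check whether the safety measures protect against every surrogate hazard.
The tank example, failure-mode catalogue and measures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


# Step 1: generic component kinds and a control function assembled from them.
@dataclass(frozen=True)
class Component:
    name: str
    kind: str  # "sensor", "logic" or "actuator"


@dataclass(frozen=True)
class ControlFunction:
    name: str
    sensor: Component
    logic: Component
    actuator: Component
    loss_hazard: str      # what happens if the function fails to act on demand
    spurious_hazard: str  # what happens if the function acts without demand


# Step 2: generic failure modes per component kind, each classed by its effect
# on the function: "loss" (does not act when needed) or "spurious" action.
FAILURE_MODES: Dict[str, List[Tuple[str, str]]] = {
    "sensor": [("stuck at last value", "loss"), ("reads low", "loss"),
               ("reads high", "spurious"), ("no output", "loss")],
    "logic": [("fails to command on demand", "loss"),
              ("command stuck", "loss"), ("spurious command", "spurious")],
    "actuator": [("fails to move", "loss"), ("partial stroke", "loss"),
                 ("moves spuriously", "spurious")],
}


@dataclass(frozen=True)
class HazardCause:
    hazard: str
    component: Component
    failure_mode: str


# Step 3: every (component, failure mode) pair becomes a hazard cause; the
# distinct hazards among the causes form the surrogate hazard set.
def derive_surrogate_hazards(functions: List[ControlFunction]) -> List[HazardCause]:
    causes: List[HazardCause] = []
    for fn in functions:
        for comp in (fn.sensor, fn.logic, fn.actuator):
            for mode, effect in FAILURE_MODES[comp.kind]:
                hazard = fn.loss_hazard if effect == "loss" else fn.spurious_hazard
                causes.append(HazardCause(hazard, comp, mode))
    return causes


# Step 4: a measure protects against named hazards, but only when it does not
# rely on the failed component (independence rule; an assumption added here).
@dataclass(frozen=True)
class SafetyMeasure:
    name: str
    protects_against: FrozenSet[str]
    relies_on: FrozenSet[Component]


def check_coverage(causes: List[HazardCause],
                   measures: List[SafetyMeasure]) -> Dict[str, List[HazardCause]]:
    """Map each surrogate hazard to the causes no independent measure covers."""
    gaps: Dict[str, List[HazardCause]] = {}
    for cause in causes:
        gaps.setdefault(cause.hazard, [])
        protected = any(cause.hazard in m.protects_against
                        and cause.component not in m.relies_on for m in measures)
        if not protected:
            gaps[cause.hazard].append(cause)
    return gaps


def build_example():
    """Constructed tank-level control loop with two protective measures."""
    lt1, plc1, xv1 = (Component("LT-1", "sensor"), Component("PLC-1", "logic"),
                      Component("XV-1", "actuator"))
    loop = ControlFunction("inlet level control", lt1, plc1, xv1,
                           loss_hazard="tank overfill",
                           spurious_hazard="tank runs dry")
    measures = [
        # Independent switch and trip logic, but it closes the same inlet valve.
        SafetyMeasure("high-level trip", frozenset({"tank overfill"}),
                      frozenset({Component("LSH-2", "sensor"),
                                 Component("SIS-1", "logic"), xv1})),
        # Alarm computed from the control loop's own transmitter and PLC.
        SafetyMeasure("low-level alarm", frozenset({"tank runs dry"}),
                      frozenset({lt1, plc1})),
    ]
    causes = derive_surrogate_hazards([loop])
    return causes, measures, check_coverage(causes, measures)


if __name__ == "__main__":
    causes, measures, gaps = build_example()
    print("surrogate hazards:", sorted({c.hazard for c in causes}))
    for hazard, uncovered in gaps.items():
        print(f"{hazard}: {len(uncovered)} uncovered cause(s)")
        for c in uncovered:
            print(f"  {c.component.name}: {c.failure_mode}")
```

The point of running the measures against the surrogate set rather than the designers' own hazard list is visible in the output: the high-level trip covers every overfill cause except failures of XV-1, because it shares that valve with the control loop, and the low-level alarm covers only the actuator's spurious closure, because it is computed from the same transmitter and PLC whose failures it is meant to catch. Neither gap appears if the reviewer only checks that each listed hazard has a measure assigned to it.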