Competence Criteria for Safety - related system practitioners

Guidance provided by the IET in collaboration with the HSE and BCS

The Institution of Engineering and Technology

The Institution of Engineering and Technology was formed on 31 March 2006 through the merger of the Institution of Electrical Engineers (IEE) and the Institution of Incorporated Engineers (IIE). As engineering and technology become increasingly interdisciplinary, global and inclusive, the Institution of Engineering and Technology reflects that progression and welcomes involvement from, and communication between, all sectors of science, engineering and technology. The Institution of Engineering and Technology is a not for profit organisation, registered as a charity in the UK. For more information please visit www.theiet.org

The Institution of Engineering and Technology 2006

Competence Criteria for Safety - related system practitioners Guidance provided by the IET in collaboration with the HSE and BCS 

COMPETENCE CRITERIA FOR SAFETY- RELATED SYSTEM PRACTITIONERS

These criteria have been produced to help organisations assess and record the competence of staff working developing and maintaining electrical, electronic and/or programmable electronic (E/E/PE) safety-related systems for functional safety. They can be used as part of a competence management system to help meet the requirements of Managing competence for safety-related systems. This document is intended to be read and navigated online. The competence criteria are structured according to a competence model. You will need to understand this model when using the competence criteria, in order to apply the criteria to staff in your organisation and, in particular, to tailor the criteria for your own activities and staff roles. A few considerations for the tailoring process are briefly stated. An example assessment method supports the competence criteria. The actual competence criteria are structured into 12 functions.

NAVIGATION: Introduction Competence model Using the competence criteria Performing an assessment Competence criteria Index of functions, tasks and attributes Cross-reference of functions to IEC 61508 lifecycle phases History of this document and Acknowledgements Licence Agreement

The IET does not assume liability to anyone for any loss or damage arising from any error or omission in this document, whether such error or omission is the result of negligence or any other cause. Any and all such liability is disclaimed.
2007 The Institution of Engineering and Technology

Copyright IET 2007

INTRODUCTION
Competence for safety-related systems Competence in activities associated with safety-related systems requires qualifications, experience and other qualities appropriate to individuals responsibilities, such as training, knowledge of hazards and failures, understanding of working practices, communication skills and an appreciation of personal limitations. Four types of competence are identified:

TECHNICAL SKILLS; for example, hazard analysis, report writing BEHAVIOURAL SKILLS; for example, personal integrity, interpersonal skills, problem solving, attention to detail UNDERPINNING KNOWLEDGE; for example, a person performing a hazard identification must have knowledge of the particular application to be able to identify the likely hazards that exist UNDERPINNING UNDERSTANDING; for example, it is unlikely that somebody could establish risk tolerability levels for a particular problem without an understanding of the principles of safety and risk

Professionals with responsibility for design and/or supervision also need a detailed working knowledge of relevant statutory provisions and codes of practice, an awareness of legislation and practices that affect their work, knowledge of working practices in similar establishments and awareness of current developments in their field. The competence criteria The competence criteria in this document are structured into 12 example roles for an organisation covering the specification, development, procurement, and in-service maintenance of E/E/PE safety-related systems. Criteria for operators of safety-related systems are not included. The criteria are described in a generic manner so that they may be used in a range of industries and technology areas. They should be tailored to suit specific organisation and industry constraints. The scope of the criteria is limited to roles arising from activities and responsibilities associated with achieving functional safety of E/E/PE safety-related systems, excluding competence of operators and more general operational health and safety. This approach has been adopted to: allow complementing with existing schemes, such as Investors in People, Capability Maturity Model, BCS Industry Structure Model, that already cover competencies in other areas focus on the key aspects of functional safety.

The activities and responsibilities covered by the criteria are included within the scope of the international safety standard IEC 61508 (see www.iec.ch/functionalsafety for further details). A
4

Copyright IET 2007

table describes the relationship between the example roles and the safety requirements of IEC 61508. In some cases, such as for the example role safety hazard and risk analysis, the safety-related activities are easy to distinguish. In other cases, these activities are separated out from a wider set of closely linked activities. For example, the role of safe system architectural design only includes activities associated with architectural design that would not normally be carried out for a system that is not safety-related. These safety-related activities do not stand alone, in that additional engineering competence in the appropriate domain and technology is assumed. The competence required for safety-related activities, as defined by the competence criteria in this document, is additional to such basic competence. Likewise, assessment against these criteria may be supplemented and complemented by other assessment approaches and professional development.

COMPETENCE MODEL
The competence model sets out the relationships between various concepts used when managing competence, in particular the relationships between tasks, attributes, functions, roles, competence criteria, levels of competence and competence profiles. The competence criteria are based on the following competence model.

Function, Tasks & Attributes (figure 1a). An individual (1), working either alone or in a team, performs a function (e.g. system architecture design). Each function (2) is broken down into a set of tasks (e.g. architecture specification), each of which require particular technical skills and knowledge (3). All the tasks in a function also require behavioural skills and underpinning knowledge and understanding (4), which are expressed as a set of attributes (e.g. up to date technical awareness). Each task or attribute has a set of competence criteria allocated to it (5), which state the competencies required to fulfil the task or attribute (e.g. knows the standards applicable to the architecture).
1
Persons working together either individually or in teams carry out a defined function.

Functions/Tasks and Attributes

2
A function can be broken down into a set of tasks and attributes

Function

3
Task #1 Attribute #1 Attribute #2 Attribute #3

4
Technical skills and knowledge necessary for a function are defined in a set of tasks.
Task#2 Task #3

Behavioural skills and knowledge necessary for a function are defined in a set of attributes.

5
Every task and attribute has competence criteria specified for 3 levels.

Figure 1a
5

Copyright IET 2007

Twelve functions are defined in this document: Corporate functional safety management Project safety assurance management Safety-related system maintenance and modification Safety-related system or services procurement Independent safety assessment Safety hazard and risk analysis Safety requirements specification Safety validation Safety-related system architectural design Safety-related system hardware realisation Safety-related system software realisation Human factors safety engineering.

Each function is broken down into tasks and attributes and each of these has its own set of competence criteria. Each competence criterion can be satisfied at one of the following three competence levels:

SUPERVISED PRACTITIONER The work of a supervised practitioner must be supervised by a practitioner or an expert. A supervised practitioner has sufficient knowledge and understanding of good practice, within the organisation or within the relevant industry sector, to be able to work on the tasks associated with the overall function without placing an excessive burden on the practitioner or expert who is responsible for checking their work. Potential supervised practitioners may not have previous experience working on safety-related projects. Their competence is likely to have been developed through targeted training and work on non-safety-related projects. It may therefore be necessary for an assessor to consider evidence of technical skills derived from a non-safety-related project environment.

PRACTITIONER A practitioner has sufficient knowledge and understanding of good practice, and sufficient demonstrated experience, to be able to work on tasks without the need for detailed supervision. A practitioner will maintain their knowledge and be aware of the current developments in the context in which they work.

EXPERT An expert will have a sufficient understanding of why things are done in certain ways, and sufficient demonstrated managerial skills, to be able to undertake overall responsibility for the performance of a task or function. An expert will be familiar with the ways in which systems, and previous safety management systems, have failed in the past.
6

Copyright IET 2007

An expert will keep abreast of technologies, architectures, application solutions, standards, and regulatory requirements, particularly in rapidly evolving fields such as programmable safety-related systems. An expert will have sufficient breadth of experience, knowledge and deep understanding to be able to work in novel situations. An expert is able to deal with a multiplicity of problems under pressure without jeopardising safety issues.

A function might be fulfilled by an individual, working alone, or by a team. When working in a team, each individual contributes to the teams performance of the function by performing a role within the team, carrying out part of the function. (If the entire function is fulfilled by an individual working alone, then they do still perform a role, but it is equivalent to carrying out the whole function.) Specification (figure 1b). A persons role is specified in terms of the different tasks that they must be able to undertake and the attributes that they must have. For each of these, an appropriate competence level is specified (6). This gives a minimum competence profile for the role, with differing levels of expertise required for the different tasks and attributes (7).

Specification of competence
T1 T2 T3 A1 A2 A3

Expert Practitioner Supervised Practitioner Competence profile for a function

6 7

The required competence is specified for each task and attribute in terms of the three competence levels. This leads to a a competence profile for all the tasks/attributes comprising the function.

A person, working as an individual, is considered competent to carry out the function if the competence criteria set for each task/ attribute are met. For team working, they must be competent to carry out the tasks/attributes for their role in the team.

Figure 1b

Copyright IET 2007

Assessment (figure 1c). To determine if an individual is competent to perform a role, the individuals competence is assessed (8/10) and the resultant personal competence profile is compared against the competence profiles specified for the role (9/11). (Note that the assessment would not normally be limited to the tasks and attributes of any specific role.) An individual is deemed competent for the role if their personal competence profile at least meets the competence profile specified for the role. An individual is deemed not competent for the role if their personal competence profile fails to meet the competence profile specified for the role. A team is deemed competent if each individual in the team is deemed competent for their roles (12).

Assessment of competence
Individual working.
If the results of the Assessment for the person, for each task/attribute of the unction, meet the specified competence profile, then the person is deemed to be competent for role.

9 Role

Assessment of person
If the results of the Assessment for the person, for each task/attribute of their role in the team meet the specified competence profile, then the person is deemed to be competent for their role in the team.

11 Role

Team working.

10

For the Team to be competent, all those in the Team have to be competent for their individual roles in carrying out part of the function.

12

Figure 1c In practice, the competence of staff will often be assessed so as to find out their competence profile independently of any assigned roles. Their competence profile will then be taken into account when putting teams together. This is especially the case when recruiting new staff.

Context
By separating the core principles of competence criteria from their context, a limited set of common competence criteria can be applied universally in many industry sectors, applications, technologies, and regulatory environments. For example, the competence criteria for the task hardware test specification might contain many alternatives for all the different types of hardware that may require test specification e.g. smart transmitter, PLC, bespoke logic,
8

Copyright IET 2007

facets of a test specification e.g. functionality, test coverage requirements, environmental conditions, application domains, with their particular operating environments and regulatory requirements e.g. offshore oil-rig, school-crossing traffic lights, levels of responsibility that an individual might take e.g. a new and junior member of a team, a senior staff member with full accountability, levels of expertise required in different circumstances.

The immediate consequence of this approach would be that most organisations and even projects would have their own very specific competence criteria matched to their own context at a particular point in time. An assessment of competence in one context would be quite unusable in another. For example, if an individual had been assessed as competent to design flight control systems, then no benefit could be derived from the assessment when considering them for designing the control system for aircraft landing-gear. The two roles are different, and competence in one domain does not imply competence in the other. However, some competence in one domain will transfer to the other. The recommended alternative is to separate, in the definition of tasks and attributes, generic principles from the context of their application. This approach requires that in an assessment of an individuals competence the assessor interprets the competence criteria in the particular context of the individuals current work, and captures that context (sector, application area, technology, etc.) for which the individual has demonstrated that they have satisfied the competence criteria.

USING THE COMPETENCE CRITERIA

The competence criteria for tasks and attributes are grouped in this document into twelve example functions. An introductory paragraph for each function summarises the responsibilities and tasks involved. Each task and attribute associated with the function has its own table of competence criteria, with the layout shown in Figure 2. Every function is assumed to be defined by its constituent tasks. The attributes required for the function are much less closely associated with the function in that they are likely to be found in several other functions as well. However, both tasks and attributes can be found in more than one function, and often their competence criteria may be worded slightly differently according to the function.
Title of the task or attribute Description of the task or attribute Supervised Practitioner Practitioner Competence criteria for Competence criteria for supervised practitioner practitioner level. level. Competence criteria for both supervised practitioner level and practitioner level.

Expert Competence criteria for expert level. Explanation for nonrelevance of level to task or attribute

Figure 2: Layout of Assessment Guidance Information Each row of the table contains a set of competence criteria for the task or attribute. At least one and no more than five sets of competence criteria are given for each specific task or attribute. Each of the three columns contains criteria supervised practitioner, practitioner or expert. To be
9

Copyright IET 2007

assessed as competent at a particular level, then the individual will have to satisfy all the criteria indicated in the relevant column for that level. Criteria are, in general, given for each of the three levels. However, if a criterion is equally applicable to more than one level, cells are merged across a row. Further, if a criterion is not applicable to a level, the relevant box in the table is greyed out, and an explanation given. Ideally, all competencies should be demonstrable by the provision of suitable documentary evidence. The achievement of this ideal is far more difficult for the behavioural skills and understanding that underpin attributes than for technical skills and knowledge that relate to tasks. However, the importance of behavioural skills and understanding in being competent for a function is judged to outweigh the difficulty in providing clear-cut assessment criteria. It is important to appreciate that the competence criteria in this document constitute guidance and you should employ flexibility when applying them in your organisation. Also the assessor will have to make a judgement on whether the criteria have been met based on the evidence available. Since jobs in the organisation may not directly map onto the functions in this document, you should tailor the competence criteria to match your own organisation. In the simplest case, this is achieved by moving tasks out of one function into another. For example, in your organisation perhaps safety validation does not include witnessing and executing tests against safety requirements, because your software and hardware designers have this responsibility. This task would then be removed from the safety validation function and added, if appropriate, to safety-related system hardware realisation and/or safety-related system software realisation. Removing a task from a function will usually have no impact on the attributes necessary for the function. However, adding a task to a function could add to the attributes required, since attributes for the function from which the task came may have to be added to its new function.

PERFORMING AN ASSESSMENT
This section describes the process for performing a competence assessment for which the competence criteria in this document were written. You may of course vary this process but you should consider the implications for the competence criteria if your process differs significantly from this process for which the criteria were originally designed. The supporting proforma for this process is provided at the end of this section in Figure 3. It is envisaged that assessment meetings should take no more than half a day to perform and ideally about 2 hours. Each task or attribute should take 10-15 minutes on average to assess. A functions competence criteria are written in generic terms irrespective of industry sector, application, technology, etc. When performing an assessment, the use of these criteria must be conditioned by the context in which the function is performed. Context information is important when reusing the assessment results for new applications, integrity levels, organisations and industries. In the example proforma, the context for the assessment is captured on the front page. In addition, the context of an individuals evidence is recorded during an assessment, where this differs from the context of the present assessment.

Pre-assessment
The individual will need to collect evidence for them to be assessed against in advance of the assessment meeting. Before the assessment meeting, the individual is briefed on what criteria they will be assessed against, when the assessment will take place and the context for the assessment. The competence criteria and any assessment procedures are given to the
10

Copyright IET 2007

individual. The more the individual prepares prior to the meeting (e.g. collecting appropriate evidence), the more efficient the assessment meeting will be. The individual is also briefed on how the competency assessment may affect their current job, and how the scheme fits into the organisation, including any appraisal process.

Preliminaries
At the start of the assessment meeting, the assessor briefs the individual on the assessment, including the purpose and context of the assessment how the assessment will be conducted introducing and explaining the purpose of anyone else involved with the assessment (for example the assessor may sometimes rely on the technical opinion of another individual who has been assessed as competent in the relevant function to expert level)

Context summary
The assessor summarises the required context for which the individual is being assessed. Context information includes items such as industry sector, application and technology information, safety integrity level, applicable standards, etc. An example of a completed context summary is contained in Figure 3.
SAFETY-RELATED SYSTEM SOFTWARE REALISATION

FUNCTION Context Summary

Reference

SSR

SIL 2/3 shutdown protection systems, up to 1000 I/O Chemical/Petrochemical industry, onshore and offshore Duplicated/triplicated PLC architectures using IEC 61131-3 languages especially ladder logic. Mature organisation with safety experience and familiarity with IEC 61511.

Figure 3: Example context summary

Assessing against the competence criteria

For each task or attribute, the individual presents evidence against which an assessment can be made. The assessor, referring to the competence criteria, makes a judgement of the level of competence the individual has attained including the context within which it was attained. It is recommended that each task or attribute takes no more than 15 minutes. The competence criteria in this document are not intended to be used as strict objective pass/fail criteria. They are, rather, indicative of how an individual might be able to demonstrate that they have the required competence; the individual may be able to demonstrate competence using evidence that does not exactly match the competence criteria. The assessor must judge whether an individual is competent at the appropriate level, based on the individuals demonstrated
11

Copyright IET 2007

experience and abilities, and this is necessarily a matter of subjective judgement. The assessor needs to be capable of making such a judgement. The most persuasive indication that a candidate is competent to perform a role is that they have performed that role to a satisfactory level in the recent past. Moreover, their performance should have exhibited their possession of the relevant technical skills, understanding, knowledge and/or behaviour. Where possible, the competence criteria are expressed in this way. Short of having already done something similar to the task or attribute being assessed, the individual may have worked in a related area. If they have not had relevant experience in the workplace, they may have performed a task in an exercise in a training environment. They may have been taught the principles, or may have read relevant information. The assessor must make a judgement as to whether an individual is competent at the appropriate level, even if the individual has not actually performed the role before. This might be on the basis of what they have done, what they have experienced, the efficacy of any training they may have received, and other technical and behavioural abilities. In the absence of records of previous experience, the assessor must seek other evidence of the appropriate understanding, such as a demonstration that the individual would be able to perform a task correctly in a hypothetical situation the ability to answer questions relevant to the task or attribute based on past experience evidence of having been trained for a particular task.

The nature of the available evidence is also important. Documentary records of work done directly by, or under the direction of, the individual are preferred. The assessor has to establish what has actually been carried out by the individual in contrast to what has been performed with or by, other members of the project team. If documentary workplace records appropriate to the task or attribute are not available, other forms of evidence that the assessor can allow at their discretion are

Assignment and/or project records Workplace observation Competence test

Witness testimony Oral

On the assessment proforma for the task or attribute, the assessor 1. summarises the evidence provided, including (importantly) the context of that evidence 2. enters a type code for the evidence provided, one of AP - Assignment and/or project records WO - Workplace observation CT - Competence test WT - Witness testimony OR - Oral DC documentary records

3. ticks the box indicating the level of competence achieved by the individual, in the assessors judgement, for the task or attribute An example of a completed assessment proforma for a task or attribute is shown in Figure 4.

12

Copyright IET 2007

Task/Attribute: SSR2 Transposing from requirements into design Summary of evidence provided, including context.
Evidence Type:

DC+OR

Presented design specification for PLC application of sequence control in car plant. Uses logic block and transition notations and can be traced to requirements. Able to identify design constraints relevant to sequence control, i.e. checking safety conditions in every state and ensuring single entry/exits to sequences. Showed how design matched organisation procedures and identified testability aspects of design. Experienced PLC software designer but no specific expertise in shutdown system design.
Expert Practitioner Supervised Practitioner

Figure 4: An example assessment proforma for a task or attribute The process is repeated until all tasks and attributes competencies have been assessed. A decision will already have been made on which tasks and attributes are fundamental to the function under review. The following rules are recommended in determining the overall level of competence of an individual for a particular function: attainment of a particular level of competence in performing a function should not be awarded if more than 30% of the tasks and attributes have been achieved at only a lower level it is not recommended that the overall level of expert or practitioner is awarded to an individual who does not achieve at least supervised practitioner level in every task and attribute

For those candidates whose experience has been gained within a different context from that required by the assessment, the assessor should follow the appropriate organisation policy in forming a judgement on the overall level achieved for the function, and the way in which the differences in context will be handled.

Assessment summary
After completing the assessment for all the tasks and attributes in a function, the assessor completes the assessment summary by: deriving a competence profile for the individual that collects together the levels achieved for each task and attribute based on the assessment results making a judgement on the level of competence achieved by the individual for the function as a whole, including ticking the relevant box writing an unambiguous statement that either the individual is competent for the function within the context stated and at the level indicated without reservation or competent for the function within the context stated and at the level indicated with any conditions stated or is not yet competent to perform the function at any level, together with the reasons why competence was not demonstrated.
13

Copyright IET 2007

Action plan
The Assessor agrees with the individual appropriate actions to maintain a level of competence or achieve a higher level of competence for the function. These actions are recorded on the summary page in the action plan box, which may refer to a more detailed personal development plan. The action plan may include requirements for the gaining of experience of an application domain or a technique, requirements for training, a requirement for a job review and requirements for the performance of a particular task under supervision. An example of a completed assessment summary and action plan is shown in Figure 5.

Sign-off
The assessor makes a recommendation for when the individual should next be assessed. Both the individual and the assessor sign off the assessment proforma. Alternatively, the individual may invoke an appeals procedure. It is recommended that individual sign-off is performed outside the assessment meeting, once the candidate has had an opportunity to review their assessment and consider the assessment summary, so that undue pressure is not put on the individual to agree with the Assessor. In order to maintain impartiality and consistency, independent review and sign-off can be incorporated into each assessment.

Assessment summary Experienced PLC programmer but with no current background in shutdown system design. Competent to perform function at supervised practitioner level. Requires some supervision to ensure that shutdown system design aspects and safety requirements are dealt with correctly
1,2

10

11

12

13

14

15

Total

Expert Practitioner Supervised practitioner Action Plan

1 6 3

In order to attain practitioner level the candidate requires: 1. Experience of writing shutdown logic for at least one protection system under appropriate supervision 2. Additional background/training in relevant safety standards and guidelines 01/08/2009

Date for next assessment

Figure 5: Example assessment summary and action plan

These totals only include the highest level attained, Thus competence at practitioner and supervised practitioner levels is not counted if expert level has been attained for that task or attribute, and likewise competence at supervised practitioner level is not counted if practitioner level is also attained.
2 Note that the last four sets of boxes are crossed out as being inapplicable to the function being considered there being only 11 tasks and attributes associated with this function. 1

14

Copyright IET 2007

Self assessment
To streamline competence management within an organisation it is recommended that aspects of self assessment are incorporated into the assessment process. In addition to the process described above, the individual to be assessed can perform a self assessment prior to the assessment meeting. This is still against the competence criteria for each task and attribute, recording the results on an assessment proforma. For each task and attribute, the individual reviews their evidence summarises the evidence on the assessment proforma, referencing further information where appropriate and including (importantly) the context in which the evidence is applicable enters the type code for the evidence provided ticks the box indicating the level of competence that they judge they have achieved.

In the assessment meeting, the assessor reviews the self-assessment with the individual, modifying the information if necessary and completing the summary page.

Team competence
This example process has addressed only those aspects associated with the assessment of individuals. It does not discuss building teams. However, the competence of teams is fundamental to achieving overall system safety, and some tasks and attributes and their criteria have been defined with team working in mind.

15

Copyright IET 2007

FUNCTION Context Summary

Reference

Assessment Summary

10

11

12

13

14

15

Total

Expert Practitioner Supervised Practitioner Action Plan

Date for next assessment

ASSESSOR CANDIDATE VERIFIER

Print name Print name Print name

Signature Signature Signature

Date Date Date

Figure 6: Assessment proforma (Page 1)

16

Copyright IET 2007

Competency Statement: Summary of evidence provided, including context.

Evidence Type:

Expert Practitioner Supervised Practitioner

Competency Statement: Summary of evidence provided, including context.

Evidence Type:

Expert Practitioner Supervised Practitioner

Evidence Code

Assignment Project

Competence Skills/Tests

Documentary records

Oral

Workplace Observation

Witness Testimony

AP

CT

DC

OR

WO

WT

Figure 8: Example assessment proforma (Page 2)

17

Copyright IET 2007

COMPETENCE CRITERIA
Competence criteria are provided for the following example functions:

o Corporate functional safety management o Project safety assurance management o Safety-related system maintenance and modification o Safety-related system or services procurement o Independent safety assessment o Safety hazard and risk analysis o Safety requirements specification o Safety validation o Safety-related system architectural design o Safety-related system hardware realisation o Safety-related system software realisation o Human factors safety engineering

18

Copyright IET 2007

Function

Corporate functional safety management

Summary
Corporate functional safety management involves responsibilities for ensuring that a safety culture exists within an organisation, appropriate to the organisations internal and regulatory environment. In discharging this responsibility the key tasks for this function are: defining and instigating a corporate approach to functional safety, including a safety management system, relating to the development or use of safety-related systems within the organisation promulgating the corporate approach to functional safety in both a proactive and reactive manner monitoring compliance with the corporate approach to functional safety, and applying corrective action where necessary

In support of these tasks, additional management tasks are likely to be required such as: advising senior management of the resource required (both people and equipment) necessary to operate the safety management system budgetary responsibility for a corporate safety function, possibly including the supervision of staff

Tasks Realisation of a safety management strategy Allocation of responsibilities Promoting awareness Providing safety advice Monitoring compliance Handling safety incidents Regulatory and legal compliance Managing resource allocation Assuring staff competence

Attributes Effective communication Eliciting information Organisation systems Functional safety practices Principles of functional safety assurance Professional standing and personal integrity

19

Copyright IET 2007

Tasks
CFM1 Realisation of a safety management strategy Identifies a corporate-wide approach to functional safety management and documents the approach in a safety management system, that both meets the requirements of functional safety and is appropriate to the organisations environment. Supervised practitioner Practitioner Expert Can identify relevant Has documented parts of a Has developed at least one Corporate safety documentation relating to the safety management system management system and has been involved in the organisations methods and and can illustrate, using development/ review of others. Can identify procedures and can describe corporate safety organisation methods and procedures, which have their key features. management procedures and had to be updated to meet new standards in audit reports, how existing functional safety assurance, and show how the organisation methods and updated methods and procedures fit within the procedures have been organisations safety management system. incorporated into the safety management system.

CFM2 Allocation of responsibilities Identifies roles and organisational relationships required to implement the corporate safety management system, and allocates or arranges staff responsibilities for the performance of these roles. Supervised practitioner Practitioner Expert Can identify relevant Has participated in the Has allocated responsibilities for safety documentation relating to the definition of specific roles management system roles, monitored the efficacy allocation of responsibilities, and their relationships with of the allocation with respect to effective and and understands the way in other roles so as to ensure robust operation of the system, and improved which appropriate allocation the effective and robust allocation accordingly. and organisation contributes operation of a safety to the effective and robust management system. operation of the safety management system.

CFM3 Promoting awareness Ensures that all staff who can affect the achievement of functional safety are aware of their obligations by: identifying target audience, implementing an appropriate dissemination programme, measuring achievement and applying corrective action as necessary. Supervised practitioner Practitioner Expert Can identify key areas of a safety management Can illustrate, through Can illustrate, through system where difficulty has been encountered in training programme course training programme course promoting awareness of the underlying issues and notes, follow-up notes, follow-up can illustrate specific actions that have been taken questionnaires, audit reports questionnaires, audit reports to overcome them. Can explain how different etc., how awareness of etc., how awareness of a promotional strategies achieve awareness of safety information has been safety management system promoted within an has been promoted within an safety issues within an organisation. organisation. organisation, how the extent of that awareness has been checked and how corrective actions have been taken to increase awareness.

20

Copyright IET 2007

CFM4 Providing safety advice Provides an effective one-stop shop for advice to staff on functional safety within an organisation (e.g. help desk), such that a consistent approach to functional safety is achieved and conflicts on interpretation are resolved. Supervised practitioner Practitioner Expert Not yet experienced enough to provide Can illustrate, through procedures, memos, e-mails etc. and a process of workplace observation (e.g. sit-in on consultations), how effective advice on matters safety advice to others. relating to functional safety has been provided to safety-related projects. Can explain the different methods that have been used and considered for providing advice to safety-related project teams and identify the advantages and disadvantages of each method in relation to the particular requirements of the organisation.

CFM5 Monitoring compliance Achieves adherence with the safety management system, by performing audits against a schedule and instigating improvements to the safety management system when identified as necessary. Supervised practitioner Practitioner Expert Can explain the mechanisms (e.g. Can explain the advantages and Can cite examples (real or hypothetical) audits) that have been put in place disadvantages of different mechanisms where a lack of adequate monitoring has across the organisation to monitor for monitoring compliance with a safety or could lead to a potentially unsafe compliance of these projects with the management system, backing up the situation and can explain how monitoring safety management system. explanation with documentary evidence within the organisation has been of the performance of such monitoring. improved to counter such examples. Can Can show how monitoring has been explain the advantages and achieved within an organisation, and how disadvantages of different mechanisms the results of the monitoring process are for monitoring compliance with a safety fed back into the safety management management system. Has been system responsible for monitoring within an organisation, and can describe the way in which the results of the monitoring process are fed back into the safety management system

CFM6 Handling safety incidents Ensures that all incidents that could impact on functional safety are identified, investigated and necessary actions taken (including updating the safety management system and dissemination to all relevant staff), such that the immediate incident is resolved and its likelihood of re-occurrence is minimised. Supervised practitioner Practitioner Expert Given an incident, (real or Has been involved in the follow-up actions after an incident. Has developed hypothetical) can explain appropriate procedures for the investigation and the implementation of potential measures to reduce recommendations arising from investigations. Can explain how an incident is the likelihood of recurrence in resolved and how the likelihood of re-occurrence is minimised. terms of dissemination and updating the safety management system.

CFM7 Regulatory and legal compliance Ensures that all relevant safety regulations and legal requirements and organisation-specific safety standards are satisfied by the organisation by determining the requirements, encapsulating the requirements into the safety management system and managing the interface with the regulator including successful conflict resolution. Supervised practitioner Practitioner Expert Is aware of the requirements Can illustrate, through Can illustrate, through memos, reports and safety of the relevant functional corporate safety management management procedures, how the requirements of safety standards appropriate procedures, how safety the regulatory authorities are continually reviewed, to the industry sector. regulatory requirements and and where appropriate incorporated, within the Can describe and explain the associated legal issues have organisations safety management system. key principles underlying the been reflected in the relevant regulatory regime organisations safety and associated legal issues. management system.

21

Copyright IET 2007

CFM8 Managing resource allocation Advises and facilitates (and manages if appropriate) the deployment of the allocation of sufficient resource of relevant competence, such that the needs of the safety management system can be met. Supervised practitioner Practitioner Expert Is familiar with an accepted estimating method and associated techniques and is able to present supporting documentation to show how the method has been applied in practice. Can provide rule of thumb estimates for typical safetyrelated projects carried out by the organisation. Can illustrate, through e.g. Can cite examples (real or hypothetical) where estimating sheets, how advice resource issues have or could lead to an unsafe has been provided to safetysituation on a project. Can explain how the related projects with regard to organisations procedures have been developed to the necessary resource ensure adequate resources. requirements for carrying out the project. Can provide rule of thumb estimates for complex or innovative projects carried out by the organisation.

CFM9 Assuring staff competence Ensures that all staff involved with safety-related work are competent to execute their assigned tasks. For example, instigating a formal training programme, work place supervised experience, etc. Supervised practitioner Practitioner Expert Can describe the methods Can illustrate, via the Can illustrate through examples (real or currently used within the organisations procedures, hypothetical) how insufficient attention to the organisation to assess and project safety plans, safety competence of individuals employed on safetyjustify the competence of justifications, how a related projects could lead to an unsafe situation. safety-related project team competence justification Can illustrate, via the organisations procedures, members. system is implemented within how actions have been taken to ensure competent the organisation for safetyindividuals are assigned to projects related projects.

Attributes
CFM10 Effective communication Communicates effectively, both orally in writing and electronically at all levels in an organisation, with people of varying skill and groups of varying size, such that the objectives for the communication are achieved. Supervised practitioner Practitioner Expert Understands the principles of Has made successful formal Is acknowledged as proficient in communicating good presentation. presentations. information orally in all situations. Has established Communicates well with Communicates well in a team effective liaison with the organisations peers. and in one-to-one situations at management such that safety issues are raised at most levels within an the highest level. Has effective relationships with organisation. relevant external organisations, such as regulatory bodies. Understands the principles of Has consistently produced Has consistently produced written work of a quality clear report writing. written work of a quality which which is well organised, accurate (both technically Has written at least one report is well organised, accurate and grammatically), complete, logical, concise, which can demonstrate basic (both technically and unambiguous and to the point. Is aware of the literacy skills and the ability to grammatically), complete, wider implications and purpose of present written information in logical, concise, unambiguous communications. an organised, logical and and to the point. unambiguous manner.

CFM11 Eliciting information Proactively elicits all necessary information from relevant personnel at whatever level (e.g. stakeholders, peers, etc.) such that the tasks associated with the role can be properly scoped and undertaken. Supervised practitioner Practitioner Expert Collects the relevant facts Collects and understands the Has established a mechanism for the collection of about safety issues/tasks from relevant information from information across the whole organisation on peers personnel at all levels. Can safety issues and safety activities. identify more important issues from a wider range of points.
22

Copyright IET 2007

CFM12 Organisation systems Has a knowledge and understanding of existing systems in the organisation (e.g. quality management systems) sufficient to ensure that the development and maintenance of the safety management system is cost effective and appropriate to the organisation. Supervised practitioner Practitioner Expert As well as the safety Can explain how the safety Can explain how the safety management system management system, is management system fits in, fits in with other systems in the organisation to aware of the organisations and relies on the quality produce an efficient solution. Can describe ways quality management system, management system and the in which the safety management system could be financial and project financial/project management realigned and the impacts of the change. management systems and systems. can explain how they operate.

CFM13 Functional safety practices Has a knowledge and understanding of functional safety practices, including application and technology appropriate to the organisation and the industry sector, necessary for the successful execution of the role. Supervised practitioner Practitioner Expert Has worked on non safetyHas worked on a safetyHas worked on many safety-related projects, related applications within the related project relating to the some of which relate to the identified context relevant context, but has yet context within which the within which the organisation operates. to work on a safety-related organisation operates and has Understands how safety is addressed at a project application within the relevant gained a knowledge of how level as well as the organisational level. context. safety is addressed within the organisation. Can describe relevant Can describe relevant Can provide evidence of having applied safetytechnologies and their technologies and how they related technologies to a wide range of projects. application, but not might be used for safetynecessarily in relation to related work in the domain of safety related work. interest.

CFM14 Principles of functional safety assurance Has a knowledge and understanding of the principles of functional safety assurance (including: hazards, risks, tolerability, ALARP, safety requirements, safety realisation, etc.) and can relate them to a typical safety lifecycle model. Supervised practitioner Practitioner Expert Understands the principles of Can explain how safety Known outside the organisation as an authority on functional safety assurance. assurance has been achieved the principles of safety assurance, and can Has read, and has a with reference to examples provide evidence to support this claim. Can cite relevant safety assurance standards, knowledge of, the safety from actual project explain their fundamental concepts, illustrate any assurance standards involvement. Can cite relevant safety differences, and explain how they relate to the appropriate to the industry assurance standards, explain safety management system. sector. their fundamental concepts, and illustrate any differences.

CFM15 Professional standing and personal integrity Has the professional standing to provide credible judgements that are generally acknowledged as authoritative, coupled with sufficient strength of character not to compromise sincerely held beliefs when under pressure. Supervised practitioner Practitioner Expert Typically a degree or Typically a Chartered Typically a Chartered Engineer who is equivalent in a relevant Engineer with a degree in a acknowledged as an authority in the field of safetydiscipline. relevant discipline. Has had related systems. Likely to have presented papers practical safety engineering on safety issues. experience within the relevant industry sector. Aware of the importance of Has defended a judgement Has a reputation for integrity that indicates personal integrity when when under external pressure candidate will never allow a judgement on safetypressed to compromise a to compromise position. related issues to be compromised by outside judgement. interference.
23

Copyright IET 2007

Function

Project safety assurance management

Summary
Project safety assurance management involves responsibilities for ensuring that an appropriate level of safety assurance is applied during the various lifecycle phases of a project and that the required evidence is collected and presented together with a reasoned argument to justify the safety of the system. In discharging these responsibilities, the key tasks for the function are: defining the scope and objectives of the project from a safety viewpoint developing and maintaining a project safety assurance plan managing compliance with the project safety assurance plan including the provision of safety assurance evidence

Tasks Defining the scope of the project

Attributes Effective working relationships

Developing and maintaining a project safety assurance plan Managing compliance with the project safety assurance plan Monitoring the engineering development Managing the provision of safety assurance evidence

Effective communication Methodical approach Safety regulations and standards Organisation systems Decision making Influencing and negotiating Team management

24

Copyright IET 2007

Tasks
PSM1 Defining the scope of the project Seeks out and evaluates information in order to define the scope, objectives, context and safety-significance of a safety-related project. Supervised practitioner Practitioner Expert Can identify the main Can illustrate, through design documents, working notes, minutes of meetings etc., categories of information how information has been collected to define the scope, context and safety required to define the scope, significance of safety-related projects carried out within the organisation or relevant context and safety industry sector. significance of a safetyrelated project and describe how this information is obtained and evaluated. PSM2 Developing and maintaining a project safety assurance plan Produces and maintains a project safety assurance plan including: the selection of an appropriate safety lifecycle model and reflecting the selected safety lifecycle model in the activities defined within the project safety assurance plan the selection of appropriate safety assurance measures and techniques to be employed definition of the project organisational structure, particularly with regard to the need for independence and the apportionment of responsibilities for safety at different organisational levels within the project and along the supply chain. Supervised practitioner Practitioner Expert Can illustrate, through Has contributed to project safety assurance plans for projects carried out within the examples of candidates own organisation or industry sector. work, how plans have been developed and then continually updated to reflect the current status of a project. Can identify the safety Can describe the advantages Can cite examples from his/her own experience lifecycle model normally used and disadvantages of where the normal safety lifecycle models used for for safety-related projects and different safety lifecycle projects carried out within the organisation were explain why this particular models and how these relate not appropriate, and can illustrate how the safety safety lifecycle model is to different development lifecycle was modified or a different safety lifecycle appropriate to the lifecycle models. model was selected. organisation. Can illustrate, by example, project situations in Can illustrate, via project Can describe the range of which the safety techniques and measures were safety assurance plans, how safety techniques and not appropriate to the specific safety requirements measures normally employed appropriate selections of of the project. Can illustrate, via review procedures techniques and measures within the organisation or and review records, how actions have been taken have been made for safetyindustry sector for safetyrelated projects carried out by to ensure that the appropriateness of techniques related projects. Given a typical project and measures is adequately considered. the organisation. Can justify the use of the scenario, can select an selected techniques and appropriate set of safety measures by referencing techniques and measures. relevant standards and the capabilities of the organisation. Can illustrate, through examples (real or Can describe the Can illustrate, e.g. via the hypothetical), how project organisations have failed organisational structure of a contents of a project safety to operate effectively from a safety viewpoint and typical safety-related project assurance plan, how safetyexplain how the projects were (or should have carried out within the related projects have been been) re-organised. organisation and how organised, how Can identify how the need for independence would responsibilities for functional responsibilities have been be achieved for the development or operation of safety assurance are allocated and described, and safety-related systems of different safety integrity allocated. how the requirements for levels. independence have been addressed.

25

Copyright IET 2007

Can identify the key resource requirements that need to be addressed for the successful undertaking of a safetyrelated project. Given a typical project scenario, can correctly estimate the order of the necessary resource requirements.

Can illustrate, via project safety assurance plans, memos, how resource requirements were derived, reviewed and updated in line with the progress of safety-related projects carried out within the organisation or industry sector. Can explain previous situations when resource requirements have been incorrectly estimated.

PSM3 Managing compliance with the project safety assurance plan Manages compliance with the project safety assurance plan through the appropriate use of monitoring mechanisms (e.g. project audits, reviews, walkthroughs). Supervised practitioner Practitioner Expert Has monitored compliance with safety plans and participated in audits and safety reviews. Can explain the mechanisms Can explain the advantages and disadvantages of different mechanisms for that were put in place for monitoring compliance with a project safety assurance plan, backing up the specific projects to monitor explanation with documentary evidence from previous projects. Can identify compliance with plans, mechanisms to counter monitoring inadequacies. backing up the explanation with documentary evidence (e.g. audit reports).

PSM4 Monitoring the engineering development Monitors the engineering development to ensure consistency with a design philosophy which contributes to safety assurance. Supervised practitioner Practitioner Expert Has not had the opportunity to Can show how monitoring of Has been responsible for monitoring engineering monitor engineering engineering development is development within an organisation. developments Can illustrate, by examples, project situations in achieved within an which safety has been jeopardised by divergence organisation. Can describe ways in which or potential divergence from a design philosophy. divergence from design philosophy can occur and how safety can therefore be jeopardised.

PSM5 Managing the provision of safety assurance evidence Collects evidence that safety engineering tasks have been adequately executed and constructs a reasoned argument based on that evidence (possibly for inclusion in a safety case). Supervised practitioner Practitioner Expert Can illustrate how sufficient information was collected from a variety of sources to be able to construct a safety argument. Not yet written a safety argument. Has written a safety argument. Can explain how mechanisms were put in place to collect the evidence to support the case for a safety-related system. Can illustrate how safety arguments are constructed and presented to justify the required safety integrity of a typical safety-related system developed within the organisation. Can make reasoned arguments for the inclusion / omission of information with regard to the safety argument for a particular, novel, system. Given a particular safety argument, the candidate can identify flaws or deficiencies in the argument and can pinpoint areas where safety evidence is weak.

Can explain the underlying objectives of a safety case with regard to the current regulatory regime and can describe the contents of a typical safety case.

26

Copyright IET 2007

Attributes
PSM6 Effective working relationships Develops and maintains effective working relationships with other members of the project including: safety engineers, designers and managers within the supplier's organisation personnel within suppliers to the organisation of safety-related systems or services personnel within the purchaser's organisation and other organisations, e.g. operators and maintainers, independent safety assessors and regulatory authorities. Supervised practitioner Practitioner Expert Has worked as an effective Has worked as an effective Has worked as an effective leader of a safetymember of a project team comember of a safety-related related project team co-ordinating the activities of ordinating own activities with project team co-ordinating the more than one organisation and reporting directly those of peers and reporting activities of a group of to the project stakeholders. to a supervisor individuals and reporting to a project manager within his/her own organisation.

PSM7 Effective communication Communicates effectively both orally and in writing, at all levels in and outside the organisation, with people of varying skills and understanding and with groups of varying size. Supervised practitioner Practitioner Expert Understands the principles of Has made successful formal Is acknowledged as proficient in communicating good presentation. presentations. information orally in all situations. Is able to Communicates well with Communicates well in a team communicate a safety vision and describe the peers. and in one-to-one situations at safety argument for a safety-related system. most levels. Understands the importance Produces written work of a Produces written work of a quality which is well of keeping reports factual and quality which is well organised, accurate (both technically and avoiding verbose language. organised, accurate (both grammatically), complete, logical, concise, Has written at least one report technically and unambiguous and to the point. Is aware of the which can demonstrate basic grammatically), complete, wider implications and purpose of literacy skills and the ability to logical, concise, unambiguous communications. present written information in and to the point. an organised, logical and unambiguous manner.

PSM8 Methodical approach Works in a methodical, clearly structured manner. Supervised practitioner Practitioner For specific tasks undertaken, For whole safety-related can explain the method projects, can explain how and followed in performing the why particular methods were tasks and indicates the chosen to perform the resulting structure in the work. different tasks required for the project.

Expert Can explain how the work performed on different projects undertaken within the organisation is monitored and controlled to ensure a methodical approach.

PSM9 Safety regulations and standards Addresses the requirements of the relevant safety regulations and standards in the management and performance of safety assurance management activities. Supervised practitioner Practitioner Expert Can identify the safety Can illustrate, via project Can illustrate, via review checklists, and review regulations and standards safety plans, audit reports, records, how compliance with the relevant safety relevant to the domain within design documents, how the regulations and standards is ensured. Can illustrate, via project safety plans, which the organisation requirements of the relevant requirements specifications and design operates and can describe safety regulations and specifications, the different approaches that have their key requirements. standards have been been adopted in order to comply with the relevant incorporated in safety-related safety regulations and standards and can describe projects carried out by the their advantages and disadvantages. organisation.
27

Copyright IET 2007

PSM10 Organisation systems Reflects the organisations safety management system and associated methods and procedures in the project safety assurance plan. Supervised practitioner Practitioner Expert Can identify current or past inadequacies in the Can illustrate, through project Can identify the relevant safety management system and can describe the safety plans, audit reports, documentation relating to the importance of these with regard to typical safetydesign documents, how the organisations safety related projects carried out within the organisation. management system and can requirements of the Can illustrate, via letters, memos etc. how an organisations safety describe the key features of attempt has been made to improve the management system and the the system. Can describe the key organisations safety management system. associated methods and methods and procedures procedures have been associated with the incorporated in the safetyorganisations safety related project activities management system. carried out.

PSM11 Decision making Uncovers the key facts associated with a situation and communicates a firm, rational decision based on an analysis of those key facts. Supervised practitioner Practitioner Expert Given a set of information regarding a hypothetical situation, Can cite examples from his/her own experience can identify the key facts and proposes a decision that relates where it has been necessary to make difficult to the identified key facts. decisions relating to the safety assurance of a safety-related system and can illustrate, via memos, letters, reports, witness testimonies, how the key facts were uncovered and how decisions were taken and communicated.

PSM12 Influencing and negotiating Convincingly argues a point of view or position and obtains buy-in from personnel at all levels of the organisation and is able to compromise on detail, if necessary, whilst still achieving the key objectives of the safety assurance plan. Supervised practitioner Practitioner Expert Understands the principles of Can cite examples from Can cite examples from his/her own experience negotiation and has taken part his/her own experience where where it has been necessary to negotiate to in practical training exercises is has been necessary to satisfactorily resolve a situation relating to the in influencing / negotiating. exert influence to satisfactorily safety assurance of a safety-related system and resolve a situation relating to can illustrate, via memos, letters, witness the safety assurance of a testimonies, how negotiations were brought to a safety-related system. satisfactory conclusion.

PSM13 Team management Organises, supervises and checks the activities carried out by other safety engineering staff such that the overall safety assurance role responsibilities are adequately discharged and the collective ability and resources of a team of individuals are effectively combined. Supervised practitioner Practitioner Expert Has not had the opportunity to Can illustrate, through the presentation of supporting documentation, how the work show competence in leading carried out by others is supported and checked to ensure that the key objectives of a safety team. project safety assurance management are met.

28

Copyright IET 2007

Function

Safety-related system maintenance and modification

Summary
Safety-related system maintenance and modification involves the responsibility for keeping within tolerable levels the likelihood of safety incidents during system use, and reducing them, including during degraded modes of operation such as system change, maintenance or the introduction of new systems into service. In discharging this responsibility, the key tasks for the functions are: planning and implementing maintenance and modification functional safety requirements; managing compliance with planned arrangements including incident handling handling change, either to existing systems, or the introduction of new systems or the decommissioning of existing systems influencing any new design together with the classification of legacy systems from an operation, maintenance and modification perspective advising and facilitating the allocation of appropriate resources managing the provision and use of in-service safety information

Tasks Planning for maintenance and modification of safe operation

Attributes Report writing

Development of maintenance and Effective oral communication modification procedures Handling change Monitoring compliance Handling safety incidents Managing in-service information Resource allocation Existing system classification Influencing new systems Regulatory and legal compliance Methodical approach Organisation systems Principles assurance of functional safety

29

Copyright IET 2007

SRM1 Planning for maintenance and modification of safe operation Originates and maintains a plan which encapsulates an agreed set of activities, including their interrelationship, scheduling and responsibilities, which if implemented correctly results in a system being maintained safely. Supervised practitioner Practitioner Expert Can write sections of a Has written a maintenance Has written maintenance and modification plans maintenance and modification and modification plan and can and can identify a range of different maintenance plan. demonstrate contribution strategies and their impact on safety. towards the formation of a safe maintenance and modification strategy. Understands the importance of clear responsibilities for maintenance and modification tasks where they relate to safety.

SRM2 Development of maintenance and modification procedures Identifies appropriate test and monitoring strategies and techniques and encapsulates these in procedures which, if complied with, result in safe operation for both normal and degraded (maintenance, modification, failure, sabotage, etc.) modes of operation. Supervised practitioner Practitioner Expert Has written maintenance and Has written maintenance and Has written a suite of maintenance and modification procedures. modification procedures which modification procedures for several systems. Can have a direct relationship to explain how maintenance and modification safety. Can explain how procedures ensure safe operation. maintenance and modification procedures ensure safe operation.

SRM3 Handling change Analyses the impact on safety of any change to a system; ensures that the implementation of any change does not result in an unsafe situation, and provides a reversion strategy. Supervised practitioner Practitioner Expert Understands how to analyse Can illustrate, through Can illustrate, through examples (real or the potential safety impact of analysis reports, how hypothetical) how the incorrect assessment of the changes to safety-related proposed changes to safetyimplications of proposed changes have led to systems. Can identify ways in related systems are assessed potentially unsafe situations especially regarding which changes to a safetyfor their impact on safety and maintenance and modification activities. Can related system would impact the maintenance and illustrate, through procedures, work instructions, on safe maintenance modification procedures. training course notes etc., the actions that have procedures. been put in place to ensure that risks are correctly assessed.

SRM4 Monitoring compliance Ensures adherence to the maintenance and modification requirements of safety-related systems by ensuring an audit is performed against a schedule and that any improvements are instigated when identified as necessary. Supervised practitioner Practitioner Expert Can explain the audit system Has contributed to the Has had responsibility for monitoring a range of in place to assess the development of fault maintenance and modification activities on safetymaintenance and modification reporting, auditing and review related systems. Can show evidence of the regime for a system. systems development of the monitoring systems in place Can explain how the and how they have led to changes in the system monitoring system has been and the maintenance and modification regime. used to effect changes in the Can explain the difference between ineffective and system and in its maintenance effective maintenance and modification regimes and modification regime. and how the monitoring systems detect problems.

30

Copyright IET 2007

SRM5 Handling safety incidents Ensures that all incidents during operation that could impact on functional safety are identified, investigated and necessary actions taken, such that the immediate incident is resolved and the likelihood of re-occurrence is minimised. Supervised practitioner Practitioner Expert Given a set of information Has set up or has been involved in the running of a reporting system, and can show regarding a hypothetical how the system is or was used to identify potential incidents. Can cite examples incident can identify key from his/her own experience where it has been necessary to make difficult and fast actions, and propose a decisions during an incident involving a safety-related system. Can illustrate, decision that clearly relates to through memos, letters, reports and witness testimonies, how the key facts were the identified key fact, can uncovered, how decisions were taken and how the decisions were communicated. explain how incident reporting and analysis systems work within the organisation.

SRM6 Managing in-service information Proactively collects, analyses and effectively uses data obtained during in-service operation such that increased safety assurance is obtained on existing systems and is available for new designs. Supervised practitioner Practitioner Expert Can illustrate, through reports Can illustrate, through incident reports, change documents and reliability growth and presentations, how data modelling, how data analysis techniques are used in the provision of evidence of analysis techniques have the operational performance of a safety-related system and used to improve its been used in a practical work safety performance. situation. Understands how Can illustrate, through working Can cite examples where insufficient or incorrect performance information notes, data recorder printouts, information has been obtained with regard to the relating to the performance of oscilloscope traces etc., how operational performance of a safety-related safety-related systems is operational performance system. Can illustrate, using for example collected within the information has been collected checklists, how such examples can be avoided. organisation. from a variety of sources and Knows the basic techniques analysed to arrive at a of data collection and the use conclusion regarding of analysis equipment (e.g. operational safety. data analysers, oscilloscopes).

SRM7 Resource allocation Advises and facilitates (and manages if directed) the deployment of resources (competent staff, spares, tools, etc.), sufficient to ensure safety operation, maintenance and modification. Supervised practitioner Practitioner Expert Can identify the key resource Can illustrate, through project Can illustrate, through examples (real or requirements that are safety assurance plans and hypothetical), how inadequate resources have led necessary for the successful memos, how resource to compromises on safety. Can illustrate, through maintenance and modification requirements have been for example, review procedures and checklists, of a safety-related system. derived, reviewed, updated in how actions are taken to ensure adequate, trained Given a typical project line with operational resources and the actions required to accumulate scenario, correctly estimates experience gained during the changed resource requirements after systems the necessary resource use of a safety-related system modification. requirements. and updated to meet revised needs after modification

31

Copyright IET 2007

SRM8 Existing system classification Supervises the analysis of existing systems using a systematic, risk-based methodology, such that existing systems can be classified for their safety significance. Supervised practitioner Practitioner Expert Understands the way in which Has allocated safety integrity Can explain the pros and cons of different safety integrity levels are levels to functions performed methods for allocating safety integrity levels and allocated to safety functions. by safety-related systems their effects on safety integrity level allocations. Can illustrate through procedures, work Given a particular set of used within the organisation. instructions and training course notes, the actions safety functions and an that have been put in place to ensure the correct implementation scenario, can and appropriate use of methods for the safety illustrate how a method can classification of legacy systems. be used to derive safety integrity levels for each safety function.

SRM9 Influencing new systems Influences the realisation of new safety-related systems such that the requirements to maintain a system safely are properly addressed. Supervised practitioner Practitioner Expert Can describe the main Can describe the key Can illustrate by examples (real or hypothetical), operation and maintenance functional safety issues how failure to address maintenance and and modification procedures associated with the operation modification requirements in the design of a associated with typical safety- and maintenance and safety-related system has led to a potentially related systems developed or modification of typical safetyunsafe situation. Can illustrate with review operated by the organisation. related systems developed or checklists and review records how potential operated by the organisation. safety-related system designs are reviewed for their impact on maintenance and modification. Understands the principles of Can cite examples from his/her own experience where it has been necessary to negotiation and has taken exert influence to resolve a situation relating to the maintenance and modification of part in practical training a safety-related system. Can illustrate through memos, letters and witness exercises in influencing / testimonies, how the necessary influence was brought to bear and how each negotiating. situation was resolved.

Attributes
SRM10 Report writing Produces technical reports, procedures, etc., incorporating a logical document structure with the content grammatically correct using a non-verbose style. Supervised practitioner Practitioner Expert Can show an example of a Contrasts reports which are clear and to the point with reports where key evidence technical report of which is hidden by poor writing or superfluous technical detail. Can show a range of he/she is the principal author. technical reports which he/she has written on maintenance and modification issues.

SRM11 Effective oral communication Effectively interfaces with staff at all levels in an organisation with people of varying skill and groups of varying size. Supervised practitioner Practitioner Expert Understands the principles of Has made successful formal Is acknowledged as proficient in communicating good presentation. presentations. information orally in all situations. Can liaise Communicates well with Communicates well in a team effectively with both maintenance and modification peers. and one-to-one situations at staff and senior management. most levels.

32

Copyright IET 2007

SRM12 Regulatory and legal compliance Has a knowledge and understanding of all relevant regulatory and legal requirements, together with organisationspecific procedures. Supervised practitioner Practitioner Expert Has read the relevant Can illustrate through safety Can illustrate through memos, reports, functional safety standards plans and maintenance and maintenance and modification manuals, how the appropriate to the industry modification manuals, how operational and maintenance and modification sector. safety regulatory requirements of the relevant regulatory authorities Can explain the key principles requirements and associated are continually reviewed and, where appropriate, underlying the relevant legal issues are addressed in incorporated within the organisations safety regulatory regime and the performance of safetymanagement system, especially with regard to associated legal issues. related system maintenance maintenance and modification activities. and modification activities.

SRM13 Methodical approach Applies a methodical approach to assignments, incorporating analytical and systematic techniques appropriate to the role. Supervised practitioner Practitioner Expert For specific tasks undertaken, For maintenance and Can explain how the work performed on different can explain the method modification tasks, can projects or maintenance and modification tasks followed in performing the explain how and why within the organisation is monitored and controlled tasks and indicates the particular methods were to ensure a methodical approach. resulting structure in the work, chosen to perform them. backing up the explanation with documentary evidence.

SRM14 Organisation systems Has a knowledge and understanding of existing systems in the organisation (e.g. quality management systems) and functional safety practices, including application and technology appropriate to the organisation and industry sector, sufficient for the successful execution of the role. Supervised practitioner Practitioner Expert Can identify current or past inadequacies in the Can illustrate through Can identify the relevant safety management system, or associated operation and maintenance documentation relating to the methods and procedures, and can describe the and modification manuals, organisations safety importance of these with regard to typical safetymanagement system and can fault reports and impact related system maintenance and modification analysis reports, how the describe the key features of activities carried out within the organisation. requirements of the this system. Can illustrate through letters etc., how an attempt Can describe the key organisations safety has been made to improve the organisations methods and procedures management system and the safety management system and associated associated with the associated methods and methods and procedures. organisations safety procedures are referred to in management system. the safety-related system maintenance and modification activities carried out by the organisation and to which he/she has been a main contributor.

SRM15 Principles of functional safety assurance Has a knowledge and understanding of the principles of functional safety assurance (including; hazards, risks, tolerability, ALARP, safety requirements, safety realisation, etc.) and understands their relationship to the maintenance and modification of safety-related systems. Supervised practitioner Practitioner Expert Understands the principles of Can explain how safety Known as an authority outside the organisation on functional safety assurance. assurance has been the principles of safety assurance in relation to achieved, in relation to safety- safety-related system maintenance activities. related system maintenance Provides illustrations, taken from his or her own and modification activities, experience, of safety principles applied in practice. with reference to examples from actual project involvement.
33

Copyright IET 2007

Function

Safety-related system or services procurement

Summary
Safety-related system or services procurement includes responsibilities for ensuring that system functional and safety assurance requirements are specified contractually and are delivered 2 . Included within the function are responsibilities for ensuring that key safety requirements are highlighted in a procurement specification and that the supplier is managed properly to ensure that the safety requirements of the system or service are satisfied. In discharging these responsibilities, the key tasks for the function are: incorporating safety requirements in an invitation to tender assessing tender submissions for their response to the safety requirements and auditing potential suppliers or sub-contractors letting a contract to obtain a system which will satisfy the safety requirements managing the supplier or sub contractor in the delivery of the system or service compliant with the safety requirements obtaining regulatory approval to operate the delivered safety-related system or the safetyrelated system for which sub-contracted services were procured

Tasks

Attributes

Incorporating safety requirements Business objectives in an invitation to tender Auditing suppliers Assessing tender submissions Letting a contract Managing compliance Obtaining regulatory approval Influencing new systems Effective communication Principles assurance of functional safety

Organisation systems Personal integrity

1 Procurement in this context refers and relates to the engineering responsibilities associated with procurement and should not be confused with the administrative services provided by procurement or contract departments in organisations.

Where the procurement is of a system, that could be any size, from a stand-alone development tool to a major control system. Special care must be taken both in capturing the context for this function, and in interpreting the assessment guidelines appropriately. Similarly, considerations apply to services contracts, which also vary widely in scope.
34

Copyright IET 2007

Tasks
SRP1 Incorporating safety requirements in an invitation to tender Identifies, specifies and includes within the invitation to tender documentation: a set of safety assurance criteria appropriate to the system or service to be procured the relevant safety regulations and standards a description of the domain and environment within which the system or service is to be used. Supervised practitioner Practitioner Expert Can identify the main safety Has compiled the technical Has compiled many invitations to tender regulations and standards aspects of an invitation to documentation packs. Can illustrate through ITT relevant to the domain within tender and can illustrate, review checklists and review records, how which the organisation through safety requirements compliance with safety regulations and standards operates and can describe specifications, how the is ensured and can explain the different their key requirements. requirements of safety approaches that have been adopted in order to regulations and standards comply with the different safety regulations and have been incorporated in standards. safety-related system or services procurement documents. Has had practical work Can illustrate through working Can explain, through examples (real or experience within the relevant notes and safety requirements hypothetical), the potential impact resulting from industry sector and with the specifications, how domain insufficient consideration of application domain relevant safety-related system specific functional safety functional safety requirements. Can illustrate, via applications. requirements have been requirements capture procedures and training incorporated into invitations to course notes, how actions have been taken to tender and can explain the ensure that application domain specific safety reasons behind the key requirements are adequately considered during requirements. the development of invitations to tender. Has contributed to the Has generated safety requirements that are clear and free from implementation production of clear bias. specifications.

SRP2 Auditing suppliers Audits supplier organisations to determine their capabilities with regard to the supply of safety-related systems or services by focusing on the key objectives for assuring functional safety. Supervised practitioner Practitioner Expert Has audited potential suppliers of safety-related For specific auditing tasks For specific safety-related systems or services. Can explain why auditing of undertaken previously, can system or services potential supplier organisations is important for identify the primary objectives procurement projects, can safety-related system and service procurements. of the audit and can explain describe the primary how the objectives were objectives that were identified Knows how to ensure that audits are carried out correctly. achieved. for assuring functional safety and how, in auditing supplier organisations, potential compliance to these objectives was established.

35

Copyright IET 2007

SRP3 Assessing tender submissions Assesses tender submissions, in a methodical, clearly structured manner, to confirm that: the safety requirements for the system will be addressed sufficient functional safety assurance evidence will be provided current technology will be used to best advantage in achieving the functional safety requirements. Supervised practitioner Practitioner Expert Can explain the method Has carried out tender Has carried out tender assessments. Can explain followed in assessing tender assessments. Can explain how the tender submission assessments submissions based on a the method followed in undertaken within the organisation are monitored tender assessment carried out assessing safety-related and controlled to ensure a methodical approach, within the organisation. system tender submissions. backing up the explanation with documentary Can illustrate, via tender evidence from previous projects. submission assessment reports, how tender submissions have been assessed. Can describe the current Can illustrate through Can illustrate, via memos, minutes of meetings, technology relevant to safetychecklists and review organisation procedures and standards, how related systems procured by comments, how tender actions have been taken to ensure that tender the organisation and can submissions have been submissions are adequately reviewed with regard illustrate, through e.g. design reviewed to ensure best use to the best use of current technology. Can identify potential safety benefits in using new documents, previous practical of current technology. technologies, and is also aware of potential experience with the relevant pitfalls. technology.

SRP4 Letting a contract Ensures that the contract information adequately encapsulates the safety requirements and the provision of functional safety assurance evidence, and that issues of product liability are adequately addressed. Supervised practitioner Practitioner Expert Can explain product liability Can illustrate, via relevant Has let contracts for procurement of safety-related law and how functional safety contract documents, how systems or services. Can illustrate, through issues are addressed. product liability issues have examples (real or hypothetical), how product been addressed in typical liability conflicts have arisen in procurement of safety-related system services safety-related systems or services by the procurement contracts placed organisation. Can illustrate how these issues by the organisation. were, or could be resolved.

SRP5 Managing compliance Manages compliance with the safety requirements incorporated in a safety-related system or services procurement contract by establishing appropriate monitoring procedures and negotiating with and exerting influence on suppliers and other personnel within the project organisation. Supervised practitioner Practitioner Expert Has worked with systems Has had day-to-day Has had responsibility for supply of procured suppliers or subcontractors responsibility for systems or subcontracted services. and is aware of the ways in management of systems which their different suppliers or subcontractors. perspectives can lead to safety problems. Can illustrate, through examples, safety problems that can arise with suppliers and subcontractors. Can explain the mechanisms (e.g. audits) that have been put Can explain the advantages and disadvantages of in place for specific projects to monitor compliance with safety different mechanisms for monitoring compliance requirement specifications. with specified safety requirements. Understands the principles of Can cite examples from his/her own experience where is has been necessary to negotiation and has taken negotiate and to exert influence to satisfactorily resolve a situation relating to the part in practical training procurement of a safety-related system or service and can illustrate, via memos, exercises in influencing / letters, witness testimonies, how influence was brought to bear in resolving each negotiating. situation.

36

Copyright IET 2007

SRP6 Obtaining regulatory approval Agrees safety regulatory requirements and associated legal issues with the relevant regulatory authority and ensures that the necessary safety assurance arguments and related evidence is obtained from suppliers in a presentable form. Supervised practitioner Practitioner Expert Has liaised with the relevant regulatory authority. Can explain the key elements Has liaised with the relevant Can illustrate how the safety philosophy of a regulatory authority. Can of the safety philosophy of safety-related system may have to be modified to illustrate, via e.g. the key safety-related systems or comply with the requirements of the regulatory elements of relevant safety services procured by the authority. Can illustrate, via memos, reports, case documentation, the organisation (e.g. use of safety-related system or services procurement safety philosophy underlying redundancy, diversity, failprocedures and checklists how the requirements different safety-related safe states, validation, of the regulatory authorities are continually systems and services competence) and how these reviewed with regard to the underlying safety procured by the organisation relate to the principles philosophy of safety-related systems and services and can explain the underlying the regulatory procured by the organisation. advantages and regime and any associated disadvantages of different legal issues. safety philosophies in relation to the principles underlying different regulatory regimes. Can explain the process by Can illustrate, via records of correspondence and minutes of meetings, the process which regulatory approval is by which safety arguments and related evidence for a safety-related system obtained for safety-related procured by the organisation or a safety-related system for which safety related systems procured by the services have been procured by the organisation, have been obtained from organisation or for which suppliers and presented to and agreed with the relevant regulatory authority safety related services have throughout the procurement process. been procured by the organisation.

Attributes
SRP7 Business objectives Reflects an organisation's business objectives in the safety-related system or services procurement process. Supervised practitioner Practitioner Expert Can describe the key Can cite examples where issues of functional safety assurance have had an impact business objectives of the on the organisations business objectives. Can explain the actions that have been organisation and how taken to ensure that functional safety assurance is seen within projects as a factor functional safety assurance which serves the organisations business objectives. impacts on these business objectives.

SRP8 Effective communication Communicates the safety requirements for the procurement effectively, both orally and in writing, at all levels in and outside an organisation, with people of varying skills and understanding and with groups of varying size. Supervised practitioner Practitioner Expert Understands the principles of Has made successful formal Is acknowledged as proficient in communicating good presentation. presentations. information orally in all situations. Is able to Communicates well with Communicates well in a team communicate key requirements (especially safety peers. and in one-to-one situations at requirements) to potential suppliers and discuss most levels. safety issues with the regulatory authorities. Understands the importance Produces written work of a Produces written work of a quality which is well of keeping reports factual and quality which is well organised, accurate (both technically and avoiding verbose language. organised, accurate (both grammatically), complete, logical, concise, Has written at least one report technically and unambiguous and to the point. Is aware of the which can demonstrate basic grammatically), complete, wider implications and purpose of literacy skills and can present logical, concise, unambiguous communications. written information in an and to the point. organised, logical and unambiguous manner.
37

Copyright IET 2007

SRP9 Principles of functional safety assurance Ensures that the principles of functional safety assurance (e.g. hazards, risks, tolerability, ALARP, safety requirements, safety realisation, etc.) are embedded in all safety-related system or services procurement activities, and especially within the invitation to tender and subsequent contractual documentation. Supervised practitioner Practitioner Expert Understands the principles of Can explain how safety Known outside the organisation as an authority on functional safety assurance. assurance has been achieved the principles of functional safety assurance. Has read, and has a Can cite relevant safety assurance standards, with reference to examples knowledge of, the safety explain the fundamental concepts within them, and from actual procurement assurance standards describe differences between them. Understands projects. Can cite relevant safety appropriate to the industry the requirements which need to be placed on assurance standards, explain sector. suppliers in order to demonstrate functional safety. the fundamental concepts within them, and describe differences between them.

SRP10 Organisation systems Addresses the organisations safety management system and associated methods and procedures in the performance of safety-related system or services procurement activities. Supervised practitioner Practitioner Expert Can illustrate, via letters, memos etc., how an Can identify the relevant Can illustrate, via safety attempt has been made to improve the documentation relating to the requirements specifications, organisations safety management system and organisations safety audit reports and safety case associated methods and procedures with regard to management system and can documentation, how the the procurement of safety-related systems. describe its key features requirements of the Can identify inadequacies in the safety including the key methods organisations safety management system or associated methods and and procedures. management system and the procedures and can describe the importance of associated methods and these with regard to typical safety-related system procedures are employed in or services procurement activities carried out the safety-related system or within the organisation. services procurement activities carried out by the organisation.

SRP11 Personal integrity Has sufficient strength of character not to compromise on sincerely held beliefs under pressure. Supervised practitioner Practitioner Expert Aware of the importance of Has defended a judgement Has a reputation for integrity that indicates personal integrity when when under external pressure candidate will never allow a judgement on safetypressed to compromise a to compromise position. related issues to be compromised by outside judgement. interference.

38

Copyright IET 2007

Function

Independent safety assessment

Summary
Independent safety assessment is the formation of a judgement, separate and independent from any system design, development or operations personnel, that the safety requirements for the system are appropriate and adequate for the planned application and that the system satisfies those safety requirements. In discharging this responsibility, the key tasks for the function are: acquiring an appreciation of the scope and context of the assessment selecting and planning a cost-effective assessment strategy gathering relevant evidence forming a judgement including managing any outcomes

Gathering of the evidence is likely to be a combination of auditing for conformance to planned arrangements, reviewing of project documentation and performing of additional analyses.

Tasks Scope and context appreciation Assessment strategy selection Planning Safety auditing Reviewing safety documentation Forming a judgement Producing assessment reports Assessing safety analysis Managing outcomes

Attributes Methodical approach Eliciting information Effective communication Functional safety practices Principles assurance of functional safety

Professional standing and personal integrity

39

Copyright IET 2007

Tasks
ISA1 Scope and context appreciation Acquires an appreciation of the context of a system and establishes the scope and objectives of an assessment, such that all necessary requirements of a safety assessment are capable of being satisfied. Supervised practitioner Practitioner Expert Can illustrate through design documents, interview notes and minutes of meetings, Can identify the main categories of information (e.g. how the necessary information has been collected to correctly define the scope of a safety assessment. Can explain how issues with scope and context of a safetysystem boundaries, technical related system are important in the performance of an effective independent safety expertise, organisational assessment. boundaries, applicable standards) that would be required adequately to define the scope of a typical safety assessment carried out within the industry sector and describe how this information would typically be obtained and evaluated. Can describe the main Can illustrate through system block diagrams, how the inter-relationships between system elements that make system elements of a safety-related system have been analysed in order to define up a typical safety-related the scope of the elements of a safety-related system to be assessed. system that could be the subject of an independent safety assessment.

ISA2 Assessment strategy selection Selects an assessment strategy involving a range of techniques and measures which are capable of yielding sufficient evidence in a cost-effective manner to enable a robust judgement to be made regarding the safety of a system. Supervised practitioner Practitioner Expert Can describe the current Can illustrate how the costCan illustrate project situations in which the technology, and associated effectiveness of an selected assessment techniques and measures standards, relevant to typical independent safety were not cost-effective to the specific safety safety-related systems that assessment has been requirements of the project. Can illustrate could be assessed by the addressed by, for example, methods of ensuring assessment strategies are organisation and has had isolating the most important cost-effective whilst providing a level of assurance previous practical experience elements of the product and appropriate to the safety integrity of the systems. with the relevant technology. of the development process in relation to safety and deriving an appropriate sampling strategy. Can describe the range of Can illustrate through For systems employing different and novel safety assessment techniques independent safety technologies to implement safety functions or and measures normally assessment plans, how legacy systems, is able to select an appropriate employed within the appropriate selections of range of assessment techniques to enable a fair organisation or industry sector techniques and measures judgement to be made on the safety of the system. for safety-related projects. have been made for Given a typical project independent safety scenario, can select an assessments. appropriate set of safety Can justify the use of the assessment techniques and selected techniques and measures. measures by referencing relevant standards and information regarding the capabilities of the organisation.

40

Copyright IET 2007

ISA2 Assessment strategy selection Has not been involved in Can identify the key resource resource/cost estimation on requirements that need to be assessment jobs. addressed for the successful undertaking of an independent safety assessment. Given a typical independent safety assessment scenario, can make a reasonable estimate of the necessary resource requirements.

Can illustrate through independent safety assessment plans and memos, how resource requirements were derived, reviewed and updated in line with the progress of independent safety assessment carried out within the organisation or industry sector.

ISA3 Planning Originates and maintains a plan which encapsulates an agreed set of activities, including their interrelationship, scheduling and responsibilities which, if conformed with, results in the objectives for the plan being satisfied in a cost-effective manner. Supervised practitioner Practitioner Expert Can explain and can illustrate Presents a safety assessment Has been the major contributor in the preparation through examples of his/her plan to which the candidate of safety assessment plans for projects carried out own work, how plans have has contributed. Can within the organisation or industry sector and can been developed and then illustrate through checklists, show how assessment plans have been continually updated to reflect how technical criteria have maintained during the course of a project. Can the current status of a project. been identified and specified illustrate the limits to the extent of applicability of in performing an independent the technical criteria typically used for independent safety assessment. safety assessments and can explain additional technical criteria that could be used.

ISA4 Safety auditing Can perform an audit to arrive at a conclusion (based on evidence) regarding conformance to planned arrangements, using a non-confrontational but tenacious style for soliciting evidence. Supervised practitioner Practitioner Expert For specific auditing tasks For specific independent Can illustrate through examples, how insufficient undertaken, can identify the safety assessments, can attention to primary objectives in auditing supplier primary objectives of the audit describe the primary organisations has led to a potentially unsafe and can explain how these objectives that were identified situation. Can illustrate, through checklists, objectives were achieved, and for assuring functional safety organisation procedures and training course notes provide an accurate summary and how, in carrying out the actions that have been taken to ensure that of the audit results. audits, a conclusion against audits are carried out correctly. these objectives was established. Insufficient auditing Can identify, and can explain the relevance of, key pointers that are usually looked experience to identify key out for when performing functional safety audits. points for safety audits. Given a simple fact to be established from the audit, can identify an appropriate line of questioning to obtain the necessary answers from the staff under assessment, which is tenacious and non-confrontational.

ISA5 Reviewing safety documentation Accurately and systematically reviews documents, supported by discussions to clarify ambiguities and understanding where necessary, to obtain evidence to support a judgement on whether a system has satisfied its functional safety requirements. Supervised practitioner Practitioner Expert Has successfully performed Can illustrate with e.g. review Can illustrate, through review procedures and review work requiring a high reports, witness testimonies review records, how actions have been taken to degree of accuracy. how inaccuracies, omissions ensure the accuracy of design reviews carried out and deficiencies have been as a part of independent safety assessments. identified in reviewing safety- Can illustrate how insufficient accuracy in reviewing safety documentation has led to related system uncertainty with regard to a safety assessment. documentation as part of independent safety assessments.
41

Copyright IET 2007

ISA5 Reviewing safety documentation Has successfully performed review work requiring a high degree of conceptual thinking.

As part of independent safety assessment has reviewed, using conceptual thinking, safety-related system documentation.

ISA6 Assessing safety analysis Identifies, where necessary, the requirements for further safety analyses and facilitates the completion of such safety analyses, to obtain evidence to support a judgement on whether a system has satisfied its functional safety objectives. Supervised practitioner Practitioner Expert Can illustrate, through safety analysis review Has successfully performed Can illustrate, through safety activities requiring the use of analysis reports, how relevant record, safety analysis procedures and training courses, how actions have been taken to ensure relevant safety analysis safety analysis techniques techniques and can illustrate (e.g. fault tree analysis, failure that appropriate analysis techniques and tools are employed and that the techniques and tools are this with e.g. design modes, effects and criticality documents, safety analysis analysis) have been employed employed correctly in performing safety analysis. Can illustrate, how the use of inappropriate reports. in analysing the functional techniques or the incorrect use of analysis safety of a safety-related system and how the results of techniques could lead to an unsafe situation. these analyses have been used to support a conclusion regarding the level of safety of a safety-related system. Unable to judge whether Can judge when the scope and depth of safety analyses carried out are sufficient to sufficient safety analyses provide an appropriate level of safety assurance. have been performed Can explain the importance of Can illustrate, using traceability reports, how the individual safety requirements of a tracing safety requirements safety-related system have been traced through to the design, implementation and through the design and test test specifications to ensure that all of the safety requirements are adequately process and how traceability discharged. is implemented either by the system developers or by the independent safety assessors. Typically, a degree in a numerate discipline would be expected. Someone without A-level mathematics or equivalent would be unlikely to have the logical and numeracy skills to undertake or understand the analyses required.

ISA7 Forming a judgement Makes an unambiguous judgement, through a reasoned and documented argument, on whether a system has satisfied its safety objectives, including the systematic aggregation of evidence obtained through a combination of audits, reviews and analyses. Supervised practitioner Practitioner Expert Has constructed and Has constructed and presented an argument to justify a set of conclusions and presented a clear and recommendations arising from the conduct of an independent safety assessment reasoned argument from carried out within the organisation or the relevant industry sector and can illustrate unstructured information. this with independent safety assessment reports.

ISA8 Producing assessment reports Produces technical reports, etc., incorporating a logical document structure with the content grammatically correct using a non-verbose style. Supervised practitioner Practitioner Expert Has written a technical report Has written a range of assessment reports. Can show how the assessment which is well structured and to activities and results are reported and how these are summarised to present a the point. relevant and clear set of conclusions on the safety evidence for a safety-related system.

42

Copyright IET 2007

ISA9 Managing outcomes Contributes as required to the management of the results of a safety assessment, such that any necessary actions are addressed and appropriately resolved. Supervised practitioner Practitioner Expert Has presented positive and Can illustrate, through independent safety assessment reports, how the findings constructive criticism to peers, resulting from independent safety assessments have been presented in a positive which can be illustrated via and constructive manner. review records and presentations. Can describe the key Can illustrate, through Has handled contentious issues arising from commercial, legal and political independent safety independent safety assessments in a way, which issues associated with typical assessment reports and was appreciated by customers. safety-related systems associated letters and assessed by the organisation. presentations, how commercial, legal or political issues have been taken into account in presenting the findings of independent safety assessments.

Attributes
ISA10 Methodical approach Applies a methodical approach to assignments, incorporating analytical and systematic techniques. Supervised practitioner Practitioner Expert For specific tasks undertaken, Has chosen appropriate Can explain how the work performed on different can explain the method methods for safety-related projects undertaken within the organisation is followed in performing the projects, and can explain how monitored and controlled to ensure a methodical tasks and can indicate the and why these methods were approach, backing up the explanation with resulting structure in the work. chosen to perform the documentary evidence from previous projects. different tasks required for the project.

ISA11 Eliciting information Proactively elicits all necessary information from relevant personnel at whatever level (e.g. stakeholders, peers, etc.) such that the tasks associated with the function can be properly scoped and undertaken. Supervised practitioner Practitioner Expert Collects the relevant facts Collects and understands the Has established a mechanism for the collection of about safety issues/tasks from relevant information from information across the whole organisation on peers. personnel at all levels. Can safety issues and tasks. identify more important issues from a wider range of points.

ISA12 Effective communication Communicates effectively, both orally, in writing and electronically, at all levels in an organisation, with people of varying skill and groups of varying size, such that the objectives for the communication are achieved. Supervised practitioner Practitioner Expert Understands the principles of Has made successful formal Is acknowledged as proficient in communicating good presentation. presentations. information orally in all situations. Communicates well with Communicates well in a team peers. and one-to-one situations at most levels. Understands the importance Produces written work of a Produces written work of a quality which is well of keeping reports factual and quality which is well organised, accurate (both technically and avoiding verbose language. organised, accurate (both grammatically), complete, logical, concise, Has written at least one report technically and unambiguous and to the point. Is aware of the which can demonstrate basic grammatically), complete, wider implications and purpose of literacy skills and the ability to logical, concise, unambiguous communications. present written information in and to the point. an organised, logical and unambiguous manner.
43

Copyright IET 2007

ISA13 Functional safety practices Quickly acquires a knowledge and understanding of functional safety practices, including application and technology appropriate to the organisation and the industry sector, necessary for the successful execution of the role. Supervised practitioner Practitioner Expert Can explain the basic functional safety practices (e.g. safe state Understands the key functional safety practices on power off and basic safety architectures) employed in safety employed within the industry and can describe related applications within the industry. situations where traditional safety practices are inadequate for particular systems. Can explain how these situations are resolved to produce a safe system.

ISA14 Principles of functional safety assurance Has a knowledge and understanding of the principles of functional safety assurance (including: hazards, risks, tolerability, ALARP, safety requirements, safety realisation, etc.) and can relate them to a typical safety lifecycle model. Supervised practitioner Practitioner Expert Understands the principles of Can explain how safety Known, outside the organisation, as an authority functional safety assurance. assurance has been achieved on the principles of functional safety assurance in Has read, and has a with reference to examples relation to independent safety assessments and knowledge of, the safety from actual project can provide illustrations, taken from his or her own assurance standards involvement. experience, of safety principles applied in practice. Can cite relevant safety Can cite relevant safety assurance standards, can appropriate to the industry assurance standards, can explain the fundamental concepts within them, and sector. explain the fundamental can identify differences between them. concepts within them, and can identify differences between them. ISA15 Professional standing and personal integrity Has the professional standing to provide credible judgements that are generally acknowledged as authoritative, coupled with sufficient strength of character not to compromise sincerely held beliefs when under pressure. Supervised practitioner Practitioner Expert Aware of the importance of Defended a judgement when Has a reputation for integrity that indicates personal integrity when under external pressure to candidate will never allow a judgement on safetypressed to compromise a compromise position. related issues to be compromised by outside judgement. interference. Typically has a degree or Typically a Chartered Typically a Chartered Engineer who is equivalent in a relevant Engineer with a degree in a acknowledged as an authority in the field of safetydiscipline. relevant discipline. related systems. Has had practical safety Likely to have presented papers on safety issues. engineering experience within the relevant industry sector.

44

Copyright IET 2007

Function

Safety hazard and risk analysis

Summary
Safety hazard and risk analysis involves responsibilities for identifying all foreseeable hazards and assessing the risk of an accident. Hazard and risk analysis has a great influence on system design and maintenance. While it is usually performed early in the lifecycle, it may be required at any part of the lifecycle. The aim is to produce safe systems and in pursuit of this there is a responsibility to ensure that the results of the hazard and risk analysis activities are documented and that the hazard log is controlled throughout the development (and often throughout the lifetime of the system). In discharging these responsibilities the key tasks for the function are: identifying hazards associated with the process, the system and the environment, including defining the scope of the analysis analysing hazards for their impact on the safety-related system and assessing the level of risk assisting with the identification of mitigations to eliminate hazards or reduce the risk of accidents documenting the results of the hazard and risk analysis activities and managing the hazard log

Tasks

Attributes of functional safety

Defining the scope of a hazard Principles and risk analysis assurance Identifying hazards Hazard analysis Risk assessment Eliminating or mitigating hazards

Application domain knowledge Systematic approach Systems viewpoint Professional standing

Formation and control of hazard Team-working log

45

Copyright IET 2007

Tasks
HRA1 Defining the scope of a hazard and risk analysis Gains familiarity with the context and scope of a hazardous problem (process, equipment and personnel) sufficient to perform a hazard and risk analysis, and defines the scope clearly in a written document. (Note: may be required at any part of life cycle, even during operation and maintenance phase.) Supervised practitioner Practitioner Expert Can identify the main Can illustrate, through working notes and minutes of meetings, how the necessary categories of information that information is collected to correctly define the scope of safety hazard and risk would be required to define assessments carried out within the organisation or relevant industry sector. the scope of a typical safety Can describe the choices which have to be made in ensuring that hazard and risk hazard and risk assessment analyses are carried out at an appropriate level of detail. carried out within the organisation. Can describe how this information would typically be obtained and validated. Can describe the main Can illustrate, through system block diagrams, how the inter-relationships between system elements that make elements of a safety-related system, and the interface of the safety-related system up a typical safety-related with its environment, have been identified and defined. system which could be the subject of a safety hazard and risk analysis.

HRA2 Identifying hazards Can identify hazards and hazardous events, including contributory and aggravating factors, for normal and degraded modes of operation through: formation of a suitable hazard identification team (where appropriate) consideration of factors which could affect the operational environment and system performance use of appropriate historical information sources and hazard identification techniques. Supervised practitioner Practitioner Expert For a given scenario, can Can explain the difference Understands how definition of a system boundary identify hazards. between hazards, accidents can affect the definition of hazards and failures and failures. and the relationship of a system to external events and accidents. Can illustrate via hazard identification procedures Given a particular safetyHas participated in hazard and training course notes, how hazard related system scenario, with identification exercises (e.g. which he/she is reasonably brainstorms) that demonstrate identification teams are selected such that an adequate degree of lateral thinking ability is familiar, is able to display the use of lateral thinking in present within the team, and how team activities lateral thinking ability in identifying hazards and, in are run to ensure sufficient results are obtained identifying associated particular, hazards relating to within a reasonable amount of time. hazardous situations. the operation and Can identify key sources of information used to maintenance of the system support hazard identification activities. and degraded modes of operation. Can show how information from previous designs, incidents and other sources has been used in hazard identification exercises.

46

Copyright IET 2007

HRA3 Hazard analysis Analyses whether a hazard can be caused by the behaviour of the safety-related system and how a hazard might lead to an accident by: systematically deriving, collecting and analysing relevant information in determining hazardous system behaviours analysing the operation and maintenance aspects of the system determining and analysing accident sequences. Supervised practitioner Practitioner Expert Can describe the range of Can illustrate, through hazard Can illustrate project situations in which the hazard analysis techniques analysis reports, how the selected hazard analysis techniques were not normally employed within the relevant hazard analysis appropriate to the specific requirements of a organisation or industry techniques have been project. Can illustrate, through hazard analysis sector. correctly employed. review procedures, how actions have been taken Given a typical project Can justify the use of selected to ensure that the appropriateness of selected scenario, is able to select an hazard analysis techniques by hazard analysis techniques is adequately appropriate set of hazard correctly referencing relevant considered. analysis techniques. standards and information regarding the capabilities of the organisation. Has successfully performed Has analysed hazardous event sequences using conceptual thinking and can review work requiring a high illustrate this by reference to hazard analysis reports and related system degree of conceptual thinking. documentation. Can describe the role of Can illustrate, through hazard Can illustrate the importance of paying sufficient operators and maintainers in analysis reports, how human attention to human factors issues in hazard typical safety-related systems factors have been addressed analysis activities. Can show the actions which developed or operated by the in the performance of hazard have been taken (e.g. development of hazard organisation. analysis activities. analysis procedures, organisation of training courses, recruitment of human factors specialists) to ensure human factors issues are addressed properly.

HRA4 Risk assessment Determines the consequences and frequencies of accidents associated with the occurrence of hazardous events by selecting and applying an appropriate risk assessment method (e.g. the risk graph). Supervised practitioner Practitioner Expert Understands the principles of Has carried out risk Has been involved in a number of risk risk assessment and can assessments as part of a assessments, and led some of these activities. explain the process of risk wider team. Can illustrate, Can illustrate, through risk assessment assessment. through risk assessment procedures, work instructions, training course reports, how an accepted notes the actions that have been taken to ensure method for assessing the risks that appropriate methods are used to assess the associated with a safetyrisks associated with safety-related systems. related system application has been used. Can describe the key factors Can illustrate, through risk assessment reports, how the tolerability of risks has that affect the tolerability of been addressed for safety-related projects carried out within the organisation or risks within the relevant within the relevant industry sector. industry sector and general formulae for arriving at accepted figures. Can explain the key principles Can illustrate, through risk Can illustrate how risk assessment activities have underlying the relevant assessment reports, how failed, or could fail adequately to address the regulatory regime and safety regulatory requirements relevant regulatory requirements or associated associated legal issues and and associated legal issues legal issues and can explain how the risk how these relate to the have been addressed during assessment process used within the organisation assessment of risks. risk assessment activities. counters such examples. HRA5 Eliminating or mitigating hazards Identifies potential risk reduction measures and evaluates them using ALARP techniques, including consideration of: the use of different technology/solutions the wider environment including external risk reduction features such as other systems, devices and operation and maintenance activities the relevant safety regulatory requirements, legal issues and the tolerability of risks within the relevant sector.
47

Copyright IET 2007

HRA5 Eliminating or mitigating hazards Supervised practitioner Practitioner Can describe the current Can illustrate, through technology relevant to typical working notes, how the safety-related systems capabilities of current developed or operated by the technology have been organisation and has had evaluated in considering previous practical experience potential means of eliminating with the relevant technology. or mitigating hazards.

Expert Can illustrate, through memos, minutes of meetings, organisation procedures and standards, how actions have been taken to ensure that the capability of current technology is adequately considered in identifying the means of eliminating and mitigating hazards.

HRA6 Formation and control of hazard log Produces a hazard log documenting the results of the hazard analysis and risk assessment activities which can be used to monitor and control the hazards throughout the lifetime of the system. Supervised practitioner Practitioner Expert Has contributed to hazard Has formed and controlled a Has formed and controlled hazard logs on different logs and can explain the hazard log on a project. Can systems. Can explain key issues to be addressed nature and scope of show how a hazard log is in controlling and using a hazard log on large information in the hazard log. used to drive and monitor a projects, with multiple subcontractors. development in line with the safety requirements.

Attributes
HRA7 Principles of functional safety assurance Addresses the principles of functional safety assurance especially hazards, risks, tolerability ALARP and SILs in all hazard and risk analysis activities and understands how the hazard analysis and risk assessment activities impact a safety case. Supervised practitioner Practitioner Expert Understands the principles of Can explain how safety Known, outside the organisation, as an authority functional safety assurance. assurance has been achieved on the principles of safety assurance in relation to Has read, and has a with reference to examples hazard and risk analysis and can provide knowledge of, the safety from actual project illustrations, taken from his or her own experience assurance standards involvement. Can cite of safety principles applied in practice. Can cite appropriate to the industry relevant safety assurance relevant safety assurance standards, can explain sector. standards and can explain the the fundamental concepts within them, and can fundamental concepts within identify differences between them. them, and can identify differences between them.

HRA8 Application domain knowledge Considers the process, external equipment, the operating environment, maintenance activities and other human interactions, etc. associated with a safety-related system throughout the performance of hazard and risk analysis activities. Supervised practitioner Practitioner Expert Can explain, how consideration of application Has had practical work Can illustrate, through hazard domain specific issues is key to successful experience within the relevant identification and brainstorm performance of hazard and risk assessments. industry sector and with the meeting notes how domain Can illustrate, through safety hazard and risk relevant safety-related system specific safety requirements analysis procedures, training course notes, how applications. Can explain the have been addressed during actions have been taken to ensure that application reasons why hazard and risk safety hazard and risk domain specific requirements are adequately analyses are performed and analysis exercises for a considered during safety hazard and risk analysis their place in a safety case for safety-related system. Can activities. a safety-related system. explain the reasons why hazard and risk analyses are performed and their place in a safety case for a safetyrelated system. Is familiar with the history of the development of safety philosophy and standards for the domain and the way in which previous incidents have influenced that development.
48

Copyright IET 2007

HRA9 Systematic approach Employs systematic methods of identifying, analysing and assessing hazards to ensure that all aspects of the behaviour of the system in its environment are addressed. Supervised practitioner Practitioner Expert Has successfully performed Can illustrate, through hazard Can illustrate, through examples, where activities requiring the use of analysis and risk assessment inappropriate techniques have been employed, or relevant systematic reports, how systematic techniques have been incorrectly employed, in techniques and can illustrate techniques have been analysing hazards and assessing risks. Can contribution through e.g. employed in analysing the illustrate, through review records, safety hazard design documents, design hazards and risks associated and risk analysis procedures, training course analysis reports. with a safety-related system programmes how actions have been taken to application. ensure the appropriateness and correct implementation of techniques. Typically, a degree in a numerate discipline would be expected. Someone without A-level mathematics or equivalent would be unlikely to have the logical and numeracy skills to undertake or understand the analyses required.

HRA10 Systems viewpoint Considers the overall system within the operation, the process and the wider environment and is able to abstract away from unimportant detail. Supervised practitioner Practitioner Expert Knows the main system Can analyse the inter-relationships between system elements of a safety-related elements that make up a system, using for example block diagrams, and has systematically documented typical safety-related system. assumptions relating to these inter-relationships in requirements analysis reports. Can identify key system elements which relate to the safety of the system in its environment.

HRA11 Professional standing Has a level of professional standing sufficient to give credibility to judgements on hazards, risk assessment and safety engineering issues. Supervised practitioner Practitioner Expert Typically a degree or Typically a Chartered Typically a Chartered Engineer who is equivalent in a relevant Engineer with a degree in a acknowledged as an authority in the field of safetydiscipline. relevant discipline. Has had related systems. Likely to have presented papers practical safety engineering on safety issues. experience within the relevant industry sector.

HRA12 Team working Works well within a team and contributes effectively during hazard identification, analysis and risk assessment meetings/discussions. Supervised practitioner Practitioner Expert Has worked as an effective member of a hazard and risk Can identify key attributes of a hazard analysis and assessment team. Has made an effective contribution to risk assessment team. Can describe situations hazard and risk analysis work as part of a team. where team dynamics has led to incomplete or insufficient analysis.

49

Copyright IET 2007

Function

Safety requirements specification

Summary
Safety requirements specification involves responsibilities for the production of a complete and consistent set of safety requirements for a safety-related system application. In discharging these responsibilities, the key tasks for the function are: capturing the safety requirements from a range of sources including, typically, hazard studies, existing specifications, standards, operators, maintainers, management personnel evaluating safety requirements to establish whether they are consistent and complete, and their relative priorities specifying safety requirements

Tasks Capturing safety requirements Evaluating safety requirements Specifying safety requirements

Attributes Application domain knowledge Principles of functional safety assurance Clarity Conceptual thinking and openmindedness Systems viewpoint

50

Copyright IET 2007

Tasks
SRS1 Capturing safety requirements Assembles, with a proactive approach, the necessary information to identify functional safety requirements and to determine safety integrity levels for the safety-related system through: adoption of the results arising from hazard and risk analysis activities consideration of relevant safety regulations, standards and guidelines. Supervised practitioner Practitioner Expert Can identify the main Has participated in the collection of potential safety requirements for safety-related categories of information that systems developed or operated by the organisation or within the relevant industry would be required to identify sector. Can illustrate, through working notes and minutes of meetings, how the potential safety requirements necessary information has been collected. for safety-related systems to be developed or operated by the organisation and can describe how, and from whom, this information would typically be obtained and validated. Has had practical work experience within the relevant industry sector and with the relevant safety-related system applications and can explain typical operation and maintenance procedures and modes of operation. Can identify and quantify, to Has participated in identification of safety requirements, given identified baseline an order of magnitude, the hazards and risks, and can illustrate with e.g. hazard and risk analysis reports and main risks associated with associated safety requirements specifications. Can give a comprehensive explanation of the level of risk associated with safetytypical applications of safetyrelated systems developed or related systems developed or operated by the organisation. operated by the organisation. Can describe the current Understands how the constraints imposed by available technology have been technology relevant to typical considered when identifying safety requirements, and can illustrate this through safety-related systems working notes and safety requirements specifications. developed or operated by the organisation and has had some previous practical experience with the relevant technology. Can identify the main safety Can illustrate, through working notes and safety requirements specifications, how regulations and standards requirements of the relevant safety standards, codes or practice and guidelines relevant to the domain within have been addressed in identifying safety requirements. which the organisation operates and can describe the key requirements of these regulations and standards.

51

Copyright IET 2007

SRS2 Evaluating safety requirements Selects an optimum set of safety requirements based on: a clear definition of the boundary and interfaces of the safety-related system identification and analysis of requirement dependencies prioritisation of requirements especially in terms of safety benefit and potential cost. Supervised practitioner Practitioner Expert Can describe the techniques (e.g. fault tree analysis, functional failures modes and effects analysis) used as standard within the organisation or the relevant industry sector for analysing the dependencies between safety functions and their individual impact on the overall safety of a safety-related system application in its environment. Can describe the main Can illustrate, through system block diagrams, safety requirements analysis reports functional components that etc., how the dependencies between safety functions of a safety-related system, make up a typical safetyand their impact on the overall safety of the system have been analysed, making related system developed or reference to the results of any separate hazard and risk analysis activities that have operated by the organisation been carried out. or within the relevant industry sector. Can describe the process by Can illustrate, through working notes and safety requirements analysis reports, how which safety integrity levels safety integrity levels have been allocated to individual safety functions for a safetyassociated with individual related system developed by the organisation, making reference to the results of safety functions are derived any separate hazard and risk analysis activities that have been carried out. based on an assessment of the criticality of each safety function in terms of acceptable probabilities of failure. Can illustrate when factors not covered by Can identify the relevant Can illustrate, through organisational procedures requirements analysis reports, standard organisational procedures (e.g. effects of bad publicity), have, or would need to be, relating to the analysis of how, in accordance with the considered in arriving at an optimum set of safety safety requirements, and relevant procedures, costs requirements for a safety-related system. explain the process by which versus benefits have been costs versus benefits are evaluated to arrive at an evaluated. optimum set of safety requirements for a safetyrelated system developed by the organisation.

SRS3 Specifying safety requirements Produces a safety requirements specification in a form that can be used in the subsequent design, verification and validation of the safety-related systems and embodying the properties that such a specification should possess. Supervised practitioner Practitioner Expert Knows the relevant standards Has made correct use of the relevant notations for specifying safety requirements. or guidelines applicable to the Can explain the strengths and weaknesses of different notations and styles of specification, for use in producing design and test specifications. notations generally used within the organisation, or within the relevant industry sector, for specifying safety requirements. Has made practical use of the relevant notations, and can illustrate this with e.g. design or requirements specifications. Has produced clear Has produced safety requirements specifications that are clear and free from specifications. implementation bias.

52

Copyright IET 2007

Attributes
SRS4 Application domain knowledge Applies knowledge of the application domain of the system including process hazards, safe and unsafe modes of operation, and the potential for human error, to safety requirements specification activities. Supervised practitioner Practitioner Expert Has done practical work on Has written safety requirements specifications, and can illustrate the key safety safety-related applications requirements for a safety-related system within the domain. Can explain how the within the relevant industry safety-related system impacts on the wider environment, including operation and sector. Can describe the key maintenance. safety requirements for the safety-related system.

SRS5 Principles of functional safety assurance Addresses the principles of functional safety assurance especially the hazard and risk assessment process, ALARP, safety requirements and SILs in all safety requirements specification activities. Supervised practitioner Practitioner Expert Known, outside the organisation, as an authority Understands the principles of Can explain how safety functional safety assurance. assurance has been achieved on the principles of safety assurance in relation to Has read, and has a safety requirements and can provide illustrations, with reference to examples knowledge of, the safety taken from his or her own experience, of safety from actual project assurance standards principles applied in practice, especially in safety involvement. Can cite relevant safety appropriate to the industry requirements specifications. assurance standards, explain sector. Can cite relevant safety their fundamental concepts, assurance standards, explain describe any differences their fundamental concepts, between them and can show and describe any differences how these are reflected in between them. safety requirements specifications.

SRS6 Clarity Produces clear and precise specifications and can present requirements clearly during discussions Supervised practitioner Practitioner Expert Has written a clear Has written safety requirements specifications and can explain why the specification. requirements are sufficiently clear and not open to misinterpretation.

SRS7 Conceptual thinking and open-mindedness Presents requirements without bias towards particular design solutions and is open to radical design solutions, additional and modified requirements Supervised practitioner Practitioner Expert Is aware of new technologies Has produced requirements Can show how the organisation ensures that and potentially different ways specifications which allow requirements specifications are free from of designing safety-related radical designs. Is open to implementation bias, and how changes are systems. Presents different design solutions and incorporated. Can show how new design requirements which allow understands the importance solutions have been encouraged where different design solutions. of innovation for performance appropriate. and safety.

SRS8 Systems viewpoint Considers requirements in the context of the overall system and is able to abstract away from unimportant detail Supervised practitioner Practitioner Expert Knows the main functions Understands the main relationships between subsystems of a safety-related system which make up a safetyand how the whole system interacts with the outside environment. Highlights key related system. system issues which affect the overall safety of the system in its environment.

53

Copyright IET 2007

Function

Safety validation

Summary
Safety validation involves responsibilities for ensuring that a safety-related system meets its safety requirements, that there is sufficient validation evidence to support claims that a safetyrelated system has met its safety requirements and that the hazard analysis assumptions are true. In discharging these responsibilities, the key tasks for the function are: defining a safety validation plan incorporating suitable test and analysis activities specifying a range of suitable tests for safety validation ensuring that the safety validation plan is followed through the witnessing and executing tests as part of the safety validation exercise analysing the results of the safety validation activities and documenting the safety validation results in a safety argument

Tasks Defining a safety validation plan Specifying tests Witnessing and executing tests Analysing test results Performing analysis Documenting results safety validation

Attributes Application domain knowledge Principles assurance of functional safety

Test and analysis methods and techniques Attention to accuracy and detail

54

Copyright IET 2007

Tasks
SV1 Defining a safety validation plan Contributes to the definition and documentation of a safety validation plan by identifying sources of safety validation evidence (e.g. testing, analysis, historical usage data) appropriate to the application and its required safety integrity level. Supervised practitioner Practitioner Expert Can write sections of a safety Has written a safety validation Has written safety validation plans and can identify validation plan, or has plan and can demonstrate a a range of potential safety validation strategies for experience of writing contribution towards the a particular safety-related system. validation plans more formation of the safety generally. validation strategy. Understands the underlying Understands the range of validation evidence which can be used to support a safety objectives of a safety case argument, and how arguments that safety-related systems have met their SIL with regard to the relevant requirements are constructed. Can give reasoned arguments for the regulatory regime and can inclusion/omission of validation information with regard to the safety argument for a describe its contents, particular, novel, system. Given a safety argument, can identify deficiencies in the argument and pinpoint especially in relation to the areas where safety validation evidence is weak. required validation evidence. Aware of the range of test and Can illustrate how appropriate Can identify deficiencies in selected test and selections of test and analysis analysis methods and techniques and test tools; analysis methods and can explain the deficiencies; and can suggest methods and techniques and techniques (e.g. functional test tools have been made for additional, or alternative, methods and techniques testing, static analysis, safety-related projects carried to address them. external certification), Understands the limitations of different types of out by the organisation or normally employed for tests and analysis methods in demonstrating within the relevant industry obtaining safety assurance safety performance and can propose acceptable sector, and justifies them evidence at a particular SIL. Given a typical project solutions to achieve the desired level of safety based on references to scenario, is able to select an assurance within practical constraints. relevant standards and appropriate set of test and information regarding the analysis methods and capabilities of the techniques. organisation. Understanding of SILs not fully developed. Can show how the SIL of the safety-related system relates to the selection of appropriate methods and techniques and understands the practical limitations of performing some of the validation techniques at higher SILs.

SV2 Specifying tests Produces practical test specifications and procedures which are consistent with the safety validation plan and which have a high probability of detecting faults in the safety-related system. Supervised practitioner Practitioner Expert Can describe the content of typical test specifications and Can explain, with examples, how the accepted procedures (e.g. initial conditions, safety hazards, space to format of test specifications and procedures has record results, acceptance criteria) appropriate to the evolved with regard to the particular requirements organisation or industry sector and has had recent project of the organisation or the relevant industry sector. experience illustrated by test specifications. Can demonstrate a practical approach in devising means of Typically not involved in detailed specification of tests, although has reviewed some examples. validating a safety-related system, illustrated by e.g. test rig designs, test specifications. Has shown creativity in devising means of validating a safetyTypically not involved in detailed specification of tests, although has reviewed some examples and related system, illustrated by e.g. test rig designs, test is able to discuss novel validation strategies. specifications. Not yet fully aware of a wide range of weaknesses in test Can illustrate, using test specifications and review specifications and how they are identified. records, how weaknesses in test specifications have been identified and can explain the weaknesses and suggests alternative approaches.

55

Copyright IET 2007

SV3 Witnessing and executing tests Ensures that safety validation tests are executed accurately and reliably such that anomalies are identified and that results are reported in a form that aids subsequent analysis. Supervised practitioner Practitioner Expert Can describe and can Can illustrate through site Can illustrate, through the presentation of illustrate through test records acceptance and factory independent test reports, how safety validation and test reports, the process acceptance test reports, how testing has been observed (e.g. as an involved in executing system the significance of side-effects independent witness) to ensure that the testing validation tests (e.g. observed during the has been carried out in accordance with the calibration of test equipment, performance of testing has defined strategy and procedures. Can explain the significance of test failures or recording the system and test been assessed. testing that has not been performed in accordance equipment configuration, with the defined strategy and procedures and can recording test data). explain alternative strategies which may have been used. Not fully considered the Can illustrate, through examples (real or hypothetical), instances where proposed possibility that performance of safety validation tests have, in themselves, been potentially dangerous and can validation tests may pose a illustrate, through test procedure review records and training course programmes, hazard. how actions are taken to ensure that safety is adequately considered during the performance of safety validation activities.

SV4 Analysing test results Analyses and categorises test and other observations such that failures with an impact on safety are clearly highlighted and an objective decision can be taken as to whether a safety-related system is fit for service. Supervised practitioner Practitioner Expert Can identify and can explain Can illustrate, through test reports, how test failures have been analysed and potential test failure categorised in terms of their potential impact on functional safety and their categories (e.g. test rig or test underlying causes, and can show how important side-effects of safety validation equipment fault, fault in the activities have been highlighted and recorded for subsequent action. test procedure, actual system fault) and can illustrate with test reports in which test failures are clearly categorised.

SV5 Performing analysis Ensures that adequate analysis is carried out, in accordance with the safety validation plan, to complement the evidence obtained through functional testing. Supervised practitioner Practitioner Expert Is familiar with the typical Can illustrate, through For a chosen safety-related system, can explain analysis techniques used to extracts from safety validation why particular analysis techniques were selected validate safety-related reports, how analysis has and how the analysis complements the functional systems within the been carried out to validate testing. organisation or industry the implementation of a sector. safety-related system.

SV6 Documenting safety validation results Summarises the results of the safety validation activities in a form suitable for inclusion in a safety argument to indicate how it has been demonstrated that the safety requirements have been achieved. Supervised practitioner Practitioner Expert Can illustrate, through safety arguments, factory acceptance or site acceptance test Is able to identify reports that reports, how the results of safety validation activities have been summarised in a communicate, clearly, form that easily enables a judgement to be made on the success of the safety accurately and precisely, the validation activities. conduct of an engineering Can identify succinct reports which convincingly argue that the system has been activity. Can make a short verbal demonstrated to meet its safety requirements in a form for inclusion in a safety presentation of the contents argument. Can distinguish between key safety validation information and of a chosen report to highlight unimportant detail which can be left out. the way in which safety requirements have been demonstrated.
56

Copyright IET 2007

Attributes
SV7 Application domain knowledge Addresses the overall process, equipment, operating environment, human interactions, EMC and environmental aspects etc. associated with a safety-related system (including constraints, safe and unsafe modes of operation, etc.). Supervised practitioner Practitioner Expert Has had practical work Can illustrate, through working Can explain, through examples (real or experience within the relevant notes and safety validation hypothetical), how potentially unsafe situations industry sector and with the plans, how domain specific have arisen as a result of insufficient consideration relevant safety-related system safety requirements have of application domain specific issues. applications. been addressed during safety Can illustrate, through safety validation procedures and training course notes, how actions validation activities. have been taken to ensure that application domain specific requirements are adequately considered during safety validation activities. Is familiar with the history of the development of safety philosophy and standards for the domain and the way in which previous incidents have influenced that development. Can identify and can describe the main hazards associated with the overall operation and the main functional components that make up a safety-related system developed or operated by the organisation. Can identify the main modes of operation of the safety-related system, the key safety functions in relation to the hazards, and the types of failure that could lead to the occurrence of a hazard.

SV8 Principles of functional safety assurance Contributes to the demonstration that a safety-related system meets its safety requirements through an understanding of the principles of functional safety assurance, especially the hazard analysis and risk assessment process, ALARP, safety integrity levels (SILs) and safety requirements. Supervised practitioner Practitioner Expert Understands the principles of Can explain how safety Known, outside the organisation, as an authority functional safety assurance. assurance has been achieved on the principles of safety assurance. Can Has read, and has a with reference to examples illustrate, how safety principles are applied in knowledge of, the safety from actual project practice. Knows the relevant safety assurance standards, assurance standards involvement. Knows the relevant safety can explain their fundamental concepts, and can appropriate to the industry assurance standards, can illustrate any differences between them. sector. explain their fundamental concepts, and can illustrate any differences between them.

SV9 Test and analysis methods and techniques Has knowledge of a range of suitable test and analysis methods, techniques and tools for incorporation into a safety validation activity and is aware of their practical implementation. Supervised practitioner Practitioner Expert Can explain the strengths and weaknesses of Can identify and can describe Has selected appropriate test and analysis methods and alternative testing and analysis approaches with a range of test and analysis techniques for validating a regard to their practical implementation. methods and techniques Can illustrate, through memos, reports and safety safety-related system within normally employed within the validation procedures, how best industry practice organisation or industry sector the organisation or the in validating safety-related systems is continually relevant industry sector, and for carrying out safety-related reviewed and incorporated within the can illustrate by reference to system validation activities. Given a typical safety organisations safety validation process. safety validation plans. validation scenario, can select an appropriate set of test and analysis methods and techniques.

57

Copyright IET 2007

SV10 Attention to accuracy and detail Recognises incomplete, inaccurate and misleading test specifications and reports and can devise tests which exploit such deficiencies. Supervised practitioner Practitioner Expert Has successfully performed Has reviewed, with consistent Can describe examples where insufficient work requiring a high degree accuracy, safety-related accuracy or attention to detail in safety-related of accuracy and attention to system documentation as part system documentation has led to uncertainty with detail to complete. of safety validation activities. regard to validation of a safety-related system. Can illustrate, through validation plans, how actions are taken to resolve such uncertainties.

58

Copyright IET 2007

Function

Safety-related system architectural design

Summary
Safety-related system architectural design involves responsibility for ensuring that the system architecture is capable of meeting the identified safety requirements. Included within this responsibility is a requirement to ensure that the safety integrity requirements for each of the sub-systems are feasible regarding the limits of the technology proposed for the sub-system and level of complexity of the sub-system functions. In discharging these responsibilities the key tasks for the function are: partitioning of safety requirements into individual sub-systems so that the overall safety requirements can be met evaluating architectural design solutions against performance criteria to provide a safe solution specifying the safety-related system architecture.

Tasks Partitioning safety requirements Evaluating solutions Specifying a safety-related system architecture

Attributes Application domain knowledge Systems viewpoint Technology Conceptual thinking mindedness and open-

59

Copyright IET 2007

Tasks
SAD1 Partitioning safety requirements Allocates the system safety requirements to individual safety-related sub-systems through: a correct interpretation and understanding of the system safety requirements consideration of the level of independence of different sub-systems consideration of the split between hardware and software. Supervised practitioner Practitioner Expert Knows the standards and Understands typical safetyCan identify the key requirements in safety-related guidelines applicable to the related system safety system safety requirements specifications. Can notations and conventions requirements specifications. identify and resolve issues arising from non-typical used for specifying safety Can interpret system safety safety requirements specifications through regular requirements. Has used the requirements specifications in design reviews and monitoring work of others. relevant notations and preparing safety-related Supports others in reviewing their work. conventions in the preparation system architectural design of design or requirements specifications. specifications. Is aware of approaches to Has decided the levels of Has defined, in organisation procedures, the deciding the level of independence of different approaches to be adopted to deciding the levels of independence of different sub-systems, using a independence of different sub-systems. Assists sub-systems. standard approach, and others in deciding levels of independence for nondocumented the results in typical safety-related system architectures. safety-related system architectural design specifications. For a typical safety-related Has apportioned elements of Has defined, in organisation procedures, the system, knows which a safety-related system to standard approach to be adopted in apportioning elements of the system would programmable electronics or elements of a safety-related system to normally be implemented hardwired circuitry in programmable electronics. Assists others in using programmable accordance with a standard deciding which elements of a non-typical safetyelectronics and which approach, and documented related system should be implemented using elements would require the results in safety-related programmable electronics. hardwired circuitry. system architectural design specifications.

SAD2 Evaluating solutions Selects and justifies an architectural design solution through: an evaluation of competing solutions against a pre-defined set of criteria (e.g. safety, cost effectiveness) consideration of the effect of the use of diversity in design and technology in both achieving and demonstrating that the safety requirements have been met. Supervised practitioner Practitioner Expert Understands how a Has compared competing Has defined, through organisation procedures, the comparison between architectures using a standard standard approach, and the set of criteria to be competing architectures approach and a pre-defined used, in comparing competing architectures. Can would normally be carried out set of criteria and has explain the use of criteria for comparing nonand the key criteria that would documented the results in typical safety-related projects. influence such a comparison. system analysis reports. Understands the relative benefits of at least two typical architectures. Understands the advantages In justifying a particular choice Supports others in understanding the advantages and disadvantages of diversity of a safety-related system to be gained by a choice of design and technology of design and technology in architecture, has taken into over another. Can identify and resolves issues relation to demonstrating that account the advantages and arising from the use of new or non-typical safety requirements are met. disadvantages of alternative technologies through regular design reviews. diversities in design and technology, and has documented the rationale in system analysis reports.

60

Copyright IET 2007

SAD3 Specifying a safety-related system architecture Specifies the safety-related system architecture, in a form that can be used in the subsequent realisation of the safety-related system, through the correct use of appropriate architectural design notations. Supervised practitioner Practitioner Expert Knows the standards and Has specified safety-related Has reviewed safety-related system architectures guidelines applicable to the system architectures, using to identify key areas of concern such as over notations and conventions the relevant notations and complex designs where safety functions are prone used for specifying convention, in a way that to common cause failure, where they are spread architectural designs. clearly indicates where safety across subsystems and where functions are Has prepared design functions are to be implemented by inappropriate technologies. specifications using the implemented and how relevant notations and different sub-systems interact. conventions.

Attributes
SAD4 Application domain knowledge Addresses the process, the equipment under control, the operation and maintenance environment, human interactions, etc. associated with a safety-related system (including constraints, safe and unsafe modes of operation etc.). Supervised practitioner Practitioner Expert Has worked within the Has consistently reflected Can explain the importance of domain specific relevant industry sector and relevant domain specific requirements in designing safety-related system with the relevant safetyrequirements in safety-related architectures. Can identify, through regular design related system applications. system architectural design reviews and monitoring, potentially unsafe Knows the key issues relating solutions. situations which could arise as a result of to the environment in which insufficient understanding of the application safety-related systems are domain. required to operate, their key modes of operation and typical architectural design solutions. Is familiar with the history of the development of safety philosophy and standards for the domain and the way in which previous incidents have influenced that development.

SAD5 Systems viewpoint Considers the safe operation of the system in its environment including the interaction between sub-systems and their effect on the operation, and is able to abstract away from unimportant detail. Supervised practitioner Practitioner Expert Knows the main system Has analysed the inter-relationships between system elements of a safety-related elements that make up a system, using for example block diagrams, and has systematically documented any typical safety-related system. assumptions relating to these inter-relationships in requirements analysis reports.

SAD6 Technology Applies knowledge of different engineering technologies, their strengths and weaknesses, and how they can be used to produce a safe architecture (including use of redundancy, diversity, self-test, BITE, transaction roll-back etc.). Supervised practitioner Practitioner Expert Understands current Has reviewed and evaluated Ensures that safety-related system architectures engineering technologies and different engineering are adequately reviewed with regard to the best safe architecture design technologies in relation to the use of available technology. techniques relevant to safetyselection of optimum related systems. Has architectural design solutions practical experience of the and has document the results use of relevant technologies. in system analysis reports.

61

Copyright IET 2007

SAD7 Conceptual thinking and open-mindedness Is open to radical technologies and architectural design solutions and can conceptualise about their effect on the safety integrity of the system in its environment. Supervised practitioner Practitioner Expert Is aware of current Has incorporated new Evaluates the impact of technological advances in technological developments in technology in the architectural the field of architectural and hardware design on the field of architectural and and hardware design for a the safety of safety-related systems, incorporating hardware design. safety-related system and has the findings within organisation awareness evaluated the impact on programmes and procedures. safety.

62

Copyright IET 2007

Function

Safety-related system hardware realisation

Summary
Safety-related system hardware realisation involves responsibilities for ensuring that the realisation of the hardware components of a safety-related system is carried out in accordance with best engineering practice and that sufficient evidence is collected to demonstrate that the resulting system will be safe. In discharging these responsibilities, the key tasks for the function are: interpreting safety requirements and transposing them into hardware specifications designing and analysing hardware elements specifying tests on hardware designs (normally other peoples designs) executing tests on hardware designs

Tasks Interpreting given safety requirements Transposing from requirements into design Designing hardware Analysing the hardware design Specifying tests Executing tests

Attributes Hardware safety regulations and standards Application domain knowledge Team-working Openness

63

Copyright IET 2007

Tasks
SHR1 Interpreting given safety requirements Interprets a given set of safety requirements for completeness and practicality when viewed from the point of view of the selected implementation technology. Supervised practitioner Practitioner Expert Can identify omissions in Has evaluated safety Takes far reaching considerations / boundaries typical safety requirements requirements in the context of into account when evaluating given sets of safety specifications. the current state of available requirements. technology, and has recorded the results in working notes, memos or reports.

SHR2 Transposing from requirements into design Transposes the requirements into an easily understood, testable, hardware design specification through the correct use of appropriate notations and adequate consideration of relevant constraints (e.g. process, physical dimensions etc.). Supervised practitioner Practitioner Expert Has produced a hardware Has produced a hardware Has written hardware design specifications for design specification. Knows design for a complex safetydifferent types of safety-related systems. Supports the relevant notations, related system. Produces others, for example through training courses, standards or guidelines hardware design provision of organisation hardware design applicable to hardware specifications for safetystandards, work instructions and regular design design. Has made practical related systems using the reviews, in making best use of structured hardware use of the notations, in relevant hardware design design methods for safety-related hardware design producing hardware design notations. tasks. specifications. Knows the typical constraints Has addressed hardware Through regular design reviews, and by monitoring that would be imposed on the design constraints for safetythe work of others, can identify constraints that hardware designs for a typical related systems in the could lead to potentially unsafe situations. safety-related system. preparation of hardware design specifications. Has documented within hardware design specifications, using Ensures, through the development of organisation a standard approach, the relationship between each procedures and regular design reviews, that all requirement and the corresponding hardware design features requirements can be easily traced to the resulting so as to facilitate understanding of the design. hardware design. Knows the key requirements Has produced hardware Ensures, through regular hardware design reviews, of relevant standards and design specifications for that sufficient attention is paid to testability in guidelines relating to safety-related systems which designing hardware for safety-related systems. testability (e.g. IEE Guidelines consistently address the Can identify cases where insufficient attention to for assuring testability). requirement for testability. testability in designing hardware for a safetyrelated system could result in inadequate functional safety assurance. SHR3 Designing hardware Designs hardware aspects (e.g. circuits and physical layout) in accordance with relevant hardware design standards and best engineering practice. Supervised practitioner Practitioner Expert Has designed individual Has had responsibility for the Has designed a wide range of hardware devices, hardware modules in overall hardware design of some of which are safety-related. Can explain the accordance with standard safety-related systems. key engineering practices to be employed in design procedures, safety-related hardware designs and can show documenting the design with how these have been employed in recent designs. circuit diagrams, component layout diagrams and assembly drawings. Knows the key requirements Has consistently addressed Ensures, through regular design reviews and of relevant hardware design the requirements of relevant mentoring of other engineers, compliance with the standards (e.g. EMC hardware design standards in relevant hardware design standard. standards, circuit layout designing hardware for safetystandards). related systems.
64

Copyright IET 2007

SHR4 Analysing the hardware design Demonstrates, through the appropriate use of circuit analysis techniques, that constraint limitations will not adversely affect the safe operation of the system and that the hardware realisation is consistent with the requirements. Supervised practitioner Practitioner Expert Can perform reliability analyses and regular Can demonstrate that Has made practical use of design reviews on hardware designs for safetyconstraint limitations will not relevant circuit analysis related systems. Is aware of the differences techniques (e.g. failure modes adversely affect the safe and effects analysis, reliability operation of a system and that between reliability and safety analyses and makes effective use of relevant analysis techniques and the hardware realisation is calculations). Has produced tools. Can explain the benefits of appropriate consistent with the design documents and safety and reliability analyses on hardware requirements. Has analysed reliability analysis reports to designs. the functional safety of the show that individual hardware components of a components are adequately specified and that all expected safety-related system using relevant analysis technique. loads are well within normal Has documented the results component operating ranges. of analyses in a report that could be used to support a justification that the system will be safe. Typically, a degree in a numerate discipline would be expected. Someone without A-level mathematics or equivalent would be unlikely to have the logical skills to undertake or understand the analyses required.

SHR5 Specifying tests Produces hardware test specifications that are consistent with the planned safety validation strategy and contain rigorous test cases that have a high probability of detecting faults in the realisation of a safety-related system through the practical and creative use of proven test methods and techniques. Supervised practitioner Practitioner Expert Can describe the range of test Has prepared hardware Reviews and approves hardware test specification methods and techniques design test specifications, to ensure that safety-related hardware designs are normally employed for safety- using the relevant test tested fully. Can identify the key safety aspects of related projects and the methods and techniques, to a hardware design. different types of fault that are demonstrate compliance with Continually reviews best industry practice in testing safety-related hardware and incorporates findings found by the different types of safety requirements. within organisation test procedures. test. Has developed test specifications, and contributed to the Typically not now involved in detailed specification of tests. development of test rig designs, using a practical and creative approach.

SHR6 Executing tests Executes test procedures precisely, accurately and reliably such that items of importance are not overlooked during the execution of test cases. Supervised practitioner Practitioner Expert Has applied a standard Has produced test reports for Typically not now involved in executing hardware tests. method of the organisation to safety-related systems that execute and record typical clearly identify and highlight, test cases. for subsequent action, the side-effects of safety-related system hardware testing activities.

65

Copyright IET 2007

Attributes
SHR7 Hardware safety regulations and standards Addresses the requirements of the relevant hardware safety regulations and standards throughout the performance of safety-related system hardware realisation activities. Supervised practitioner Practitioner Expert Understands the key Has consistently reflected the Has monitored, reviewed, and reported on the requirements of hardware requirements of the relevant requirements of the relevant hardware safety safety regulations and hardware safety regulations regulations and standards and, when appropriate, standards relevant to the and standards in hardware incorporated the findings within organisation domain within which the development plans and procedures and work instructions. organisation operates. design specifications for safety-related systems.

SHR8 Application domain knowledge Considers the process, equipment, operating environment, human interactions, etc. associated with a safety-related system (including constraints, safe and unsafe modes of operation, etc.) throughout the performance of safetyrelated system hardware realisation activities. Supervised practitioner Practitioner Expert Has worked within the Consistently reflects relevant Assists others, through training courses and relevant industry sector and domain specific requirements mentoring, to appreciate the importance of domain with the relevant safetyin safety-related system specific requirements in designing safety-related related system applications. hardware design solutions. system architectures. Can identify, through Knows the key issues relating regular design reviews and monitoring, potentially to the environment in which unsafe situations which could arise as a result of safety-related systems are insufficient understanding of the application required to operate, the key domain. modes of operation of these safety-related systems and typical hardware design solutions. Is familiar with the history of the development of safety philosophy and standards for the domain and the way in which previous incidents have influenced that development.

SHR9 Team working Works effectively within a hardware development team environment. Supervised practitioner Practitioner Expert Has worked as an effective Has worked as an effective member of a hardware development team for a safetymember of a hardware related project, co-ordinating the activities of the team and, where appropriate, development team coreporting to a project manager within his or her own organisation. ordinating his or her own activities with those of peers and reporting to a supervisor.

SHR10 Openness Openly admits to, and highlights mistakes or potential design weaknesses arising during the performance of safetyrelated system hardware realisation activities. Supervised practitioner Practitioner Expert Is prepared willingly to report Is prepared willingly to describe situations in which mistakes have been made mistakes made in the resulting from insufficient supervision / monitoring of a hardware development team, performance of hardware the underlying reasons and the lessons learned. Encourages openness in hardware design activities, and can development teams, for example through mentoring and the provision of design give illustration through for review procedures example e.g. memos, hardware fault reports and design change documents.
66

Copyright IET 2007

Function

Safety-related system software realisation

Summary
Safety-related system software realisation involves responsibility for ensuring that the realisation of the software components of a safety-related system is carried out in accordance with best practice and that sufficient evidence is collected to demonstrate that the resulting system will be safe. In discharging these responsibilities the key tasks for the function are: transposing from requirements into software design specifications developing software source code and analysing/reviewing software designs and code specifying software tests at unit, software-software integration level (normally other peoples designs) executing software tests at unit, software-software integration level

Tasks Interpreting given safety requirements Transposing from requirements into design Analysing the design Coding Analysing the code Specifying software tests Executing tests

Attributes Software safety regulations and standards Application domain knowledge Team-working Openness

67

Copyright IET 2007

Tasks
SSR1 Interpreting given safety requirements Interprets a given set of safety requirements with regard to completeness and practicality when viewed from the point of view of the selected implementation technology. Supervised practitioner Practitioner Expert Can identify omissions in Has evaluated sets of safety Can explain why given sets of safety requirements typical safety requirements requirements in the context of are (or are not) appropriate, particularly with specifications. the current state of available regard to their complexity and ease or otherwise software technology, and of satisfaction. Takes far-reaching considerations into account recorded the results in when evaluating given sets of safety working notes, memos or requirements. reports.

SSR2 Transposing from requirements into design Transposes requirements into an easily understood, testable, software design specification through the correct interpretation and use of appropriate notations and appropriate consideration of relevant constraints (e.g. process, hardware design, hardware reliability, etc.). Supervised practitioner Practitioner Expert Has contributed to the Has written a software design Has written software design specifications for production of a software specification for a complex different types of safety-related system. Supports design specification. Knows safety-related system. others, for example through training courses, the the relevant notations, Produces software design provision of organisation software design standards or guidelines specifications for safetystandards, work instructions and regular software applicable to software design. related systems using the design reviews, in making best use of structured Has made practical use of the relevant software design software design methods for safety-related notations in producing notations. software design tasks. software design specifications. Knows the typical constraints Has addressed software Through regular software design reviews, and by that would be imposed on the design constraints for safetymonitoring the work of others, can identify software designs for a typical related systems in the constraints that could lead to potentially unsafe safety-related system. preparation of software situations. design specifications. Has produced software design specifications which explicitly Has developed organisation procedures and run document, using a standard approach, the relationship regular design reviews, so that all requirements between each requirement and the corresponding software can be easily traced to the resulting software design features so as to facilitate understanding of the design. design. Knows the key requirements Has produced source code Ensures, for example through regular software of relevant standards and and associated module design reviews, that sufficient attention is paid to guidelines relating to design specifications for testability in designing software for safety-related testability (e.g. IEE Guidelines safety-related systems which systems. Can identify cases where insufficient for assuring testability). consistently address the attention to testability in designing software for a requirement for testability. safety-related system could result in inadequate functional safety assurance.

68

Copyright IET 2007

SSR3 Analysing the design Can demonstrate, through the use of appropriate software safety analysis techniques, that a design meets the given safety requirements (e.g. that sufficient storage space is available for any stack). Supervised practitioner Practitioner Expert For non-typical safety-related systems, can Has an understanding of Has analysed software identify areas in which additional safety analysis is software safety analysis designs for safety-related required to provide adequate safety assurance techniques (e.g. software systems employing software evidence for software designs. Can describe FMEA and HAZOPs) and an safety analysis techniques typical problems with software designs and can appreciation of their and has documented the show how software analysis uncovers these differences. results in software safety analysis reports. Understands problems. the contribution of software safety analysis in the overall safety assessment process and how the results are used in further verification and validation activities (e.g. determining the required rigour of testing of different areas of the software design).

SSR4 Coding Translates the specified software functional and design requirements into easily understood, analysable source code through the correct use of an appropriate programming language. Pays due heed to the requirements of a relevant coding standard (with particular regard to the safety implications of different constructs and the environment in which the code is to operate). Supervised practitioner Practitioner Expert Has coded individual modules Has coded complete software Is abreast of the latest developments in software using the relevant sub-systems for typical safety- engineering research, particularly with regard to programming language(s) in related systems, using a safe unsafe constructs and the circumstances in which accordance with the sub-set of the relevant they should be avoided, and maintains latest organisations programming programming language in understanding in an organisational coding style and commenting accordance with a defined standard. strategy. coding standard.

SSR5 Analysing the code Demonstrates, through the appropriate use of static and dynamic software analysis techniques, that constraint limitations will not adversely affect the safe operation of the system and that the software realisation is consistent with the software requirements and the specified integrity level. Supervised practitioner Practitioner Expert Has analysed the functional safety aspects of Has made practical use of Has analysed the functional software code using appropriate software analysis relevant software analysis safety of the software procedures and regular code walkthroughs. Can techniques (e.g. complexity elements of a safety-related identify situations in which inappropriate analysis, data flow analysis, system using the relevant techniques or the incorrect use of analysis control flow analysis, object techniques, and has techniques could lead to an unsafe situation. Can code analysis, timing analysis, documented the results in explain the types of failures that are identified via stack analysis, build analysis). software analysis reports that code analysis and walkthroughs and can discuss Has taken part in code could be used to support a how these relate to software safety. walkthroughs. justification that the systems are safe. Has taken part in and led code walkthroughs which focus on safety aspects of the code. Typically, a degree in a numerate discipline would be expected. Someone without A-level mathematics or equivalent would be unlikely to have the logical skills to undertake or understand the analyses required.

69

Copyright IET 2007

SSR6 Specifying software tests Produces software test specifications, employing a complementary set of approaches to software testing, that are consistent with the planned safety validation strategy, that contain rigorous test cases, which take account of the environment, that have a high probability of detecting faults in the realisation of a safety-related system through the practical and creative use of proven test methods and techniques. Supervised practitioner Practitioner Expert Understands the range of Has prepared software Has monitored and reported on best industry software test methods and design test specifications practice in testing safety-related software and, techniques normally using the relevant software when appropriate, incorporated the findings within employed for safety-related test methods and techniques organisational test procedures. projects and the different to demonstrate compliance types of fault that are found by with safety requirements. the different types of test. Has developed test specifications, and contributed to the Typically not involved in detailed specification of tests. development of test rig designs, using a practical and creative approach.

SSR7 Executing tests Executes test procedures precisely, accurately and reliably such that items of importance are not overlooked during the execution of test cases. Supervised practitioner Practitioner Expert Has applied a standard Has produced test reports for Typically not involved in executing tests. organisational method to safety-related systems that execute and record typical clearly identify and highlight, test cases. for subsequent action, the side-effects of safety-related system software testing activities. Has reviewed and approved software test specifications to ensure that software designs are tested fully. Can identify key safety functions in a software design.

Attributes
SSR8 Software safety regulations and standards Addresses the requirements of the relevant software safety regulations and standards throughout the performance of safety-related system software realisation activities. Supervised practitioner Practitioner Expert Understands the key Has produced software Has monitored, reviewed, and reported on the requirements of the main development plans and requirements of the relevant software safety software safety regulations software design specifications regulations and standards and, when appropriate, and standards relevant to the for safety-related systems incorporated the findings within organisation domain within which the which consistently reflect the procedures and work instructions. organisation operates. requirements of the relevant software safety regulations and standards.

70

Copyright IET 2007

SSR9 Application domain knowledge Considers the process, equipment, operating environment, human interactions, etc. associated with a safety-related system (including constraints, safe and unsafe modes of operation, etc.) throughout the performance of safetyrelated system software realisation activities. Supervised practitioner Practitioner Expert Has worked within the Has consistently reflected Assists others, through training courses and relevant industry sector and relevant domain specific mentoring, to appreciate the importance of domain with the relevant safetyrequirements in safety-related specific requirements in designing safety-related related system applications. software design solutions. software. Can identify, through regular design Knows the key issues relating reviews and monitoring, potentially unsafe to the environment in which situations which could arise as a result of safety-related systems are insufficient understanding of the application required to operate and the domain. key modes of operation of these safety-related systems. Is familiar with the history of the development of safety philosophy and standards for the domain and the way in which previous incidents have influenced that development.

SSR10 Team working Works effectively within a software development team environment. Supervised practitioner Practitioner Expert Has worked as an effective Has worked as an effective member of a software development team for a safetymember of a software related project, co-ordinating the activities of the team and reporting to a project development team comanager within his or her own organisation. ordinating his or her own activities with those of peers and reporting to a supervisor.

SSR11 Openness Openly admits to, and highlights, mistakes or potential weaknesses arising during the performance of safety-related system software realisation activities. Supervised practitioner Practitioner Expert Is prepared willingly to report Is prepared willingly to describe situations in which mistakes have been made mistakes made in the resulting from insufficient supervision / monitoring of a software development team, performance of software the underlying reasons and the lessons learned. Encourages openness in software design activities, and can give development teams, for example through mentoring and the provision of illustration through for appropriate design review procedures example e.g. memos, software fault reports and design change documents.

71

Copyright IET 2007

Function

Human factors safety engineering

Summary
Human factors safety engineering involves responsibility for ensuring that the impact of humans on the safety of a system is properly addressed through a systematic, risk-based approach at all stages of a system lifecycle. It is usually convenient to split the key responsibilities between the system realisation and operational phases of a safety-related system lifecycle. In discharging these responsibilities, the key tasks of the function are: developing user models and identifying operator/maintainer requirements analysing operational usage and specific user tasks to improve operational impact of systems and to quantify the levels of risk associated with user activities assisting with the development of operation and maintenance procedures managing human factors engineering through development of human factors safety arguments and providing advice on human factors issues

In support of this, competence is required in the underlying theory of human factors including techniques and measures for analysis.

Tasks Modelling human behaviour Identification of end-user requirements Providing human factors safety input Operational analysis Task analysis Developing procedures

Attributes Effective communication Multi-discipline systems viewpoint Human reliability theory Regulatory and legal compliance Organisation systems Principles of functional safety assurance Professional standing and personal integrity

72

Copyright IET 2007

Tasks
HF1 Modelling human behaviour Develops human behaviour and performance models (physiological, psychological, organisation and system) for the safety-related system under development, which are based on generic human factors models and which can accurately link human cause and effect. Supervised practitioner Practitioner Expert Has been involved in the Has developed human behaviour and performance models for safety-related development of a human systems, particularly models addressing the influence of humans on the safety of behaviour and performance the system in its environment. Can explain how different generic models of human model in which key causes performance are used to develop models to capture causes and effect for specific and effects (e.g. alarms applications for the particular safety-related system. overloading operators in the event of system failures) have been addressed.

HF2 Identification of end-user requirements Facilitates, and manages if required, end-user participation in the realisation of safety-related systems, often through prototyping such that any system design addresses the requirements placed on humans for safe operation and maintenance. Supervised practitioner Practitioner Expert Understands the standard Understands how failure Champions the involvement of users in methods and processes used adequately to engage the determining operator and maintainer for consulting, engaging and users of a safety-related requirements. Can identify key user issues with a managing input from users system might lead to an direct impact on safety performance. (e.g. formalised unsafe situation. Regularly questionnaires, interviews, obtains and documents input and brainstorms). Has from users, using standard obtained input from users strategies, during the during the development of a development of safety-related system and has documented systems. the results.

HF3 Providing human factors safety input Contributes to the demonstration of safety for safety-related systems through human systems safety engineering (e.g. safety analysis) and safety case construction, including the provision of human factors advice. Supervised practitioner Practitioner Expert Understands the contribution Has written arguments for the Acknowledged as an authority on human factors of human factors expertise in safety performance of a issues for safety-related systems and has performing safety analysis safety-related system based developed arguments for the safe operation of a activities and developing on predicted human safety-related system as part of safety uses. safety cases for typical safety- performance. Supports safety-related system development related systems. teams by identifying the areas in which human factors expertise is required and ensuring that adequate human factors expertise is made available. Typically not expected to Ensures that human factors are brought to the forefront of discussions regarding the provide expert advice on development or operation of safety-related systems and are a key element of an human factors issues. organisations safety culture. Disseminates human factors advice within a project or an organisation through, for example, memos, reports, organisation procedures and training courses.

73

Copyright IET 2007

HF4 Operational analysis Uses a hazard and risk approach to the analysis of a systems use such that: human factors can be correctly incorporated into a safety-related system design associated operating and maintenance activities can be successfully specified wider environmental problems affecting human performance are identified and resolved so that functional safety is not compromised. Supervised practitioner Practitioner Expert Understands the main Has assisted in the hazard Has performed design reviews and monitored the operation and maintenance analysis and risk assessment work of others to ensure that operational issues procedures associated with of safety-related systems are adequately addressed. Can identify situations typical safety-related systems. through the provision of in which failure adequately to address operation Has had practical experience written hazard analysis and and maintenance requirements in the design of of the operation and risk assessment reports safety-related systems could lead to a potentially maintenance of such systems dealing with the operational unsafe situations. through, for example, and maintenance aspects of participation in installation and safety-related systems. commissioning. Knows the key environmental Regularly assesses the environmental conditions under which safety-related issues that have been shown systems are developed or operated and has proposed solutions to identified to affect the performance of environmental problems in written environmental assessment reports. humans in developing or operating safety-related systems.

HF5 Task analysis Analyses in detail specific tasks performed by operators and maintainers such that human hazards that affect the functional safety of a system are identified and the risk-reduction measures are specified. Supervised practitioner Practitioner Expert Has performed systematic analyses of human Understands the key tasks Has analysed the tasks tasks to identify key operator and maintainer carried out by humans in carried out by humans and activities which need to be carried out to ensure relation to typical safetydocumented the findings in related systems. safety-related system analysis functional safety. reports and safety requirements specifications. Understands how humans interact with safety-related systems and is aware how detailed changes in system designs can impact day-today operation and maintenance tasks and through life costs.

HF6 Developing procedures Facilitates the origination of operational and maintenance procedures, typically through style guides, such that clear, unambiguous instructions are available to humans in performing safety-related tasks. Supervised practitioner Practitioner Expert Has developed operation Has developed operation and maintenance procedures for safety-related systems. and/or maintenance Has written clear specifications for user tasks. Has developed, or tailored, procedures in similar organisation standards, procedures and style guides for use during the environments to the required development or operation of safety-related systems. context. Knows the key standards (internal and external) used by the organisation in developing or operating safety-related systems.

74

Copyright IET 2007

Attributes
HF7 Effective communication Communicates effectively, both orally, in writing and electronically, at all levels in an organisation, with people of varying skill and groups of varying size, such that the objectives for the communication are achieved. Supervised practitioner Practitioner Expert Understands the principles of Has made successful formal Is acknowledged as proficient in communicating good presentation. presentations. Communicates information orally in all situations. Can liaise with Communicates well with well in a team and in one-tooperator and maintenance staff and represent peers. one situations at most levels. their issues fairly to project team members and management. Understands the importance Produces written work of a Produces written work of a quality which is well of keeping reports factual and quality which is well organised, accurate (both technically and avoiding verbose language. organised, accurate (both grammatically), complete, logical, concise, Has written at least one report technically and unambiguous and to the point. Is aware of the which can demonstrate basic grammatically), complete, wider implications and purpose of literacy skills and the ability to logical, concise, unambiguous communications. present written information in and to the point. an organised, logical and unambiguous manner.

HF8 Multi-discipline systems viewpoint Recognises, distinguishes and specifies the safety and non-safety inter-relationships between equipment, procedures and people, for a multi-discipline environment. Supervised practitioner Practitioner Expert Understands the main system Has analysed the inter-relationships between the system elements of an overall elements, including nonsafety-related system and documented the results with system block diagrams and equipment elements that requirements analysis reports. make up a typical safetyrelated system.

HF9 Human reliability theory Has an understanding of human reliability theory including knowledge gained through use of appropriate techniques. Supervised practitioner Practitioner Expert Knows the relevant sources of Has a minimum of three years Generally acknowledged as an expert in the field information relating to the experience of the application of human reliability theory. Makes regular application of human reliability of human reliability theory to contributions, for example papers presented at theory. Typically, a degree in the development and national or international conferences, to the ergonomics or applied operation of safety-related international pool of knowledge in the field of psychology would be systems. human reliability theory. required. Knows the relevant analytical, modelling and empirical methods used to support the application of human reliability theory. Has had experience of practical application of the techniques in training. Has analysed human / system interactions for a safetyrelated system, using relevant analytical, modelling and empirical methods, and has documented the results in system analysis reports. Can identify the most appropriate human factors analysis techniques to apply in a given circumstance and can explain the advantages and disadvantages of different techniques.

75

Copyright IET 2007

HF10 Regulatory and legal compliance Has a knowledge and understanding of relevant regulatory and legal requirements, together with organisationspecific procedures. Supervised practitioner Practitioner Expert Knows the relevant functional safety standards appropriate to Supports others, through regular design reviews the industry sector. Is aware of the key principles underlying and the provision of organisation procedures and the relevant regulatory regime, associated legal issues and mentoring, in addressing regulatory and legal how these relate to human factors safety issues. requirements in human factors engineering activities. Can identify cases where there may be uncertainty regarding compliance with regulatory and legal requirements and can describe a practicable approach.

HF11 Organisation systems Has a knowledge and understanding of existing systems in the organisation (e.g. quality management systems) and functional safety practices, including application and technology appropriate to the organisation and industry sector. Supervised practitioner Practitioner Expert Has yet to work on a safetyHas worked on a safetyHas worked on many safety-related projects, related application within the related project relating to the some of which relate to the context within which relevant context, but has context within which the the organisation operates. Understands how worked on non safety-related organisation operates and has safety is addressed within the organisation. applications within the gained a knowledge of how relevant context. safety is addressed within the organisation. Knows the relevant Understands how relevant Has applied safety-related technologies to a wide technologies and their technologies are used for range of projects. application, but not safety-related work in the necessarily in relation to domain of interest. safety-related work.

HF12 Principles of functional safety assurance Has a knowledge and understanding of the principles of functional safety assurance and is guided by these principles in all human factors engineering activities. Supervised practitioner Practitioner Expert Understands the principles of Understands the impact which Known, outside the organisation, as an authority functional safety assurance. the principles of functional on the principles of safety assurance, and has Knows the safety assurance safety assurance have on extensive experience of the practical application of standards appropriate to the human factors safety these principles, especially regarding human industry sector. engineering activities. factors aspects.

HF13 Professional standing and personal integrity Has the professional standing to provide credible judgements that are generally acknowledged as authoritative, coupled with sufficient strength of character not to compromise sincerely held beliefs when under pressure. Supervised practitioner Practitioner Expert Typically has a degree or Typically a Chartered Typically a Chartered Engineer who is equivalent in a relevant Engineer with a degree in a acknowledged as an authority in the field of safetydiscipline. relevant discipline. Evidence related systems. Likely to have presented papers of human factors safety on human factors and safety issues. engineering experience within the relevant industry sector. Aware of the importance of Has defended a judgement Has a reputation for integrity that indicates personal integrity when when under external pressure candidate will never allow a judgement on safetypressed to compromise a to compromise position. related issues to be compromised by outside judgement. interference.

76

Copyright IET 2007

INDEX OF FUNCTIONS, TASKS AND ATTRIBUTES

Function Corporate functional safety management Task/Attribute Realisation of a safety management strategy Allocation of responsibilities Promoting awareness Providing safety advice Monitoring compliance Handling safety incidents Regulatory and legal compliance Managing resource allocation Assuring staff competence Effective communication Eliciting information Organisation systems Functional safety practices Principles of functional safety assurance Professional standing and personal integrity Defining the scope of the project Developing and maintaining a project safety assurance plan Managing compliance with the project safety assurance plan Monitoring the engineering development Managing the provision of safety assurance evidence Effective working relationships Effective communication Methodical approach Safety regulations and standards Organisation systems Decision making Influencing and negotiating Team management Planning for maintenance and modification of safe operation Development of maintenance and modification procedures Handling change Monitoring compliance Handling safety incidents Managing in-service information Resource allocation Existing system classification Influencing new systems Report writing Effective oral communication Regulatory and legal compliance Methodical approach Organisation systems Principles of functional safety assurance Incorporating safety requirements in an invitation to tender Auditing suppliers Assessing tender submissions Letting a contract Managing compliance Obtaining regulatory approval Business objectives Effective communication Principles of functional safety assurance Organisation systems Personal integrity Scope and context appreciation Assessment strategy selection Planning Safety auditing Reviewing safety documentation Assessing safety analysis Forming a judgement Producing assessment reports Managing outcomes Methodical approach Eliciting information Effective communication Functional safety practices Principles of functional safety assurance Professional standing and personal integrity

Project safety assurance management

Safety-related system maintenance and modification

Safety-related system or services procurement

Independent safety assessment

77

Copyright IET 2007

Function Safety hazard and risk analysis

Safety requirements specification

Safety validation

Safety-related system architectural design

Safety-related system hardware realisation

Safety-related system software realisation

Human factors safety engineering

Task/Attribute Defining the scope of a hazard and risk analysis Identifying hazards Hazard analysis Risk assessment Eliminating or mitigating hazards Formation and control of hazard log Principles of functional safety assurance Application domain knowledge Systematic approach Systems viewpoint Professional standing Team-working Capturing safety requirements Evaluating safety requirements Specifying safety requirements Application domain knowledge Principles of functional safety assurance Clarity Conceptual thinking and open-mindedness Systems viewpoint Defining a safety validation plan Specifying tests Witnessing and executing tests Analysing test results Performing analysis Documenting safety validation results Application domain knowledge Principles of functional safety assurance Test and analysis methods and techniques Attention to accuracy and detail Partitioning safety requirements Evaluating solutions Specifying a safety-related system architecture Application domain knowledge Systems viewpoint Technology Conceptual thinking and open-mindedness Interpreting given safety requirements Transposing from requirements into design Designing hardware Analysing the hardware design Specifying tests Executing tests Hardware safety regulations and standards Application domain knowledge Team-working Openness Interpreting given safety requirements Transposing from requirements into design Analysing the design Coding Analysing the code Specifying software tests Executing tests Software safety regulations and standards Application domain knowledge Team-working Openness Modelling human behaviour Identification of end-user requirements Providing human factors safety input Operational analysis Task analysis Developing procedures Effective communication Multi-discipline systems viewpoint Human reliability theory Regulatory and legal compliance Organisation systems Principles of functional safety assurance Professional standing and personal integrity

78

Copyright IET 2007

CROSS-REFERENCE OF FUNCTIONS TO IEC 61508 LIFECYCLE PHASES

The table below presents lifecycle phases in IEC 61508 and cross references them to the functions supported by competence criteria. Functions are linked to phases where at least one task performed by that function is part of the lifecycle phase. Note that the function corporate functional safety management is not directly relevant to these project lifecycle phases and will have an overview role (potentially from both a supplier and customer viewpoint) on specific safety-related system development and operation. Safety-related operation is outside the scope of these competence criteria.
IEC 61508 safety lifecycle phase
1 Concept

Function
Project safety assurance management Safety-related system procurement
2 1

Overall scope definition

Independent safety assessment Safety hazard and risk analysis

Hazard and risk analysis

Safety hazard and risk analysis Human factors safety engineering

Overall safety requirements

Safety hazard and risk analysis Safety requirements specification Human factors safety engineering

Safety requirements allocation

Safety requirements specification Safety-related system architectural design Human factors safety engineering

Overall operation and maintenance planning

Safety-related system maintenance Human factors safety engineering

7 8

Overall safety validation planning Overall installation and commissioning planning

Safety validation Safety validation Safety-related system maintenance

E/E/PES realisation

Safety-related system software realisation Safety-related system hardware realisation

12

Overall installation and commissioning

Safety validation Safety-related system maintenance

13 14 15 16

Overall safety validation Overall operation, maintenance and repair Overall modification and retrofit Decommissioning or disposal

Safety validation Safety-related system maintenance Safety-related system maintenance Not defined
4

Project safety assurance management is relevant to every lifecycle phase. Safety-related system procurement is relevant to phases up to requirements and overall safety validation depending upon the contractual situation. 3 Independent safety assessment is relevant to most lifecycle phases depending on integrity level of the system. 4 Overall modification and retrofit will call upon all relevant functions to the change as appropriate. 79
2

Copyright IET 2007

HISTORY OF THIS DOCUMENT

The competence criteria were originally published in Safety, Competency and Commitment: Competency Guidelines for Safety-Related System Practitioners. This was published in 1999 by the Institution of Electrical Engineers (the precursor of the IET) in collaboration with the British Computer Society (BCS). The UK Health and Safety Executive commissioned the IEE to manage the initial study that underpinned the development of these guidelines. The guidelines were based on consultations with mainly UK organisations, although a number of comments from overseas organisations were received during the public consultation that preceded the guidelines publication. In 2007, HSE, in collaboration with the IET and BCS, published Managing safety for safetyrelated systems. This aims to describe the core requirements for a competence management system (CMS), for all staff at all levels of responsibility within an organisation that work on safetyrelated systems, to enable the organisation to meet the UK legal requirements for competence for safety-related systems in general (i.e. without going into detail for any one particular industry sector). It does not contain competence criteria. This present document contains material from the 1999 guidelines, in particular the competence criteria and associated assessment guidance, which can be used to help achieve the requirements of Managing safety for safety-related systems. Material in the original guidelines that has become obsolete due to the new HSE guidance has been removed.

ACKNOWLEDGEMENTS
The IET gratefully acknowledge the advice and assistance provided by the following in the

development of the original 1999 publication Safety, Competency and Commitment: Competency Guidelines for Safety-Related System Practitioners, on which this publication is based:
Study Team Audrey Canning, ERA Technology Stephen Clarke, ERA Technology Valerie Downes, Adval Stephen Hatton, ERA Technology Rod May, CSE International John McDermid, McDermid Associates Steering Group Edi Bilimoria, Haliburton Brown & Root James Carpenter, Admiral Management Services Nick Curley, Shell UK Exploration and Production Tony Greenway, Nuclear Electric Ali Hessami, Railtrack Gordon Hughes, Safety Systems Research Centre Brian Hunter, Elite Control Systems Brian Jepson, British Aerospace Ian Kendall, representing MISRA Sharon Lindars, GEC-Alsthom Signalling Stuart Nunns, Eutech Engineering Solutions Barrie Reynolds, Honeywell Control Systems John Spriggs, Airsys ATM Peter Stringer, Westinghouse Signals Initial Survey Interviewees Raymond Blakey, London Underground Andr Clot, National Air Traffic Services Ltd Mervyn Currie, BP Exploration Peter Eickhoff, MoD (PE) Kevin Geary, MoD (PE) Alan Goodwin, British Aerospace David Hawken, National Air Traffic Services Ltd Brian Hepworth, TA Group Ltd Brainstorming Participants Nick Amery, Honeywell Control Systems Edi Bilimoria, Brown & Root Ray Brown, ICS Triplex Ray Buck, Salem Automation Michael Carey, Vectra Technologies Ltd James Carpenter, Admiral Management Services Peter Clinton, Vectra Technologies Ltd Martin Cunningham, BNFL Arthur Dale, BNFL Peter Eickhoff, MOD (PE) Richard Evans, Rover Group Edward Galloway, Railtrack Tony Greenway, Nuclear Electric Steve Harris, British Aerospace David Hawken, National Air Traffic Services Ltd Ali Hessami, Railtrack Gordon Hughes, Safety Systems Research Centre Brian Hunter, Elite Control Systems Geoffrey Hutchin, Baxter Healthcare Mike Johnstone, BNFL Brian Kellison, ICS Triplex Ian Kendall, representing MISRA Alan Lewendon, ICS Triplex Richard Lloyd, Zeneca Michael Lund, Zeneca Iain MacLeod, Aerosystems International Graham Marshall, Brown & Root Mike Moore, Railtrack Mick Pearson, Zeneca Dave Rumens, Airsys ATM Richard Selby, British Aerospace MA&A John Spriggs, Airsys ATM

80

Copyright IET 2007

Ron Howlett, MoD (PE) Annette Hughes, Logica David Hurst, Aerosystems International Brian Jepson, British Aerospace Ian Kendall, representing MISRA D. McDonald, MoD (PE) Peter Morgenroth, Druck Ltd Patrick Neilan, National Air Traffic Services Ltd John ONeil, British Airways Frank ONeill, representing MISRA Malcolm Rotherham, British Airways David Saddleton, MoD (PE) Barry Smith, MoD (PE) Peter Stringer, Westinghouse Signals

Study Management Board Stuart Gunn & Brian Arthur, IEE Arthur Lawrence, British Energy and BCS David Newman, Ford UK Ltd and IEE Bob Malcolm, Ideo Ltd. Andrew McGettrick, University of Strathclyde (Chair) Malcolm Sillars, BCS Ray Ward, HSE

81

Copyright IET 2007

Licence Agreement.
NOTICE TO USER: PLEASE READ THIS LICENCE AGREEMENT CAREFULLY THIS IS A CONTRACT. BY INSTALLING THIS SOFTWARE YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT. You must click accept and therefore accept this agreement to download the Document. If you do not accept these terms you may not continue with the download and you must not download or print the Document from your computer or any other computer. LICENCE: Upon your acceptance of these terms, Institution of Engineering and Technology (IET) grants you a revocable, royalty free, non-exclusive licence to download the Competence Criteria for Safety-related System Practitioners the Document and to create copies of the document solely for the purpose of circulating such copies to your staff or fellow employees. You may not otherwise create copies or distribute the Document or any substantial part thereof without first obtaining the express consent of IET. Scope 1. You may: 1.1 Print and copy the Document for your own private use and for the purpose of distributing the Document (or parts thereof) among your employees and colleagues working with you within the same organization for information purposes only. 1.2 Modify, adapt, merge or otherwise incorporate the Document in any other work and create any derivative works from the Document for use among your employees and colleagues. 2. You must not: 2.1 Transfer the Document to any person except your colleagues and employees; 2.2 use or copy the Document other than as permitted by this Licence; 2.3 modify, adapt, merge or otherwise incorporate the Document in any other work or to create any derivative works from the Document except as expressly provided herein; 2.4 use, assign, rent, loan, charge or otherwise deal in the Document or any part or interest therein or under this Licence except as expressly provided herein. Term 3.1 Unless terminated by clause 3.2 or 4.2, this Licence will last for as long as you use the Document. 3.2 This Licence will terminate automatically if you fail to abide by any of the terms. 3.3 When this Licence terminates you must destroy and erase all copies of the Document which you download from your computer and destroy all and any copies in your possession and stored on the any medium whatsoever. Warranties and remedies 4.1 The IET provides the Document on an as is basis and makes no representations or warranties of any kind concerning the Document, express, implied, statutory or otherwise, including, without limitation, warranties of title, fitness for a particular purpose, non-infringement if any trade marks, copyright or other rights of a similar nature, accuracy, or the presence of absence of errors, whether or not discoverable. 4.2 Save as provided in this Licence, IET does not warrant that the provision of the Document will be uninterrupted or error free or that errors can be corrected. You Download the
82

Copyright IET 2007

Document at your own risk and in no event will IET be liable to you for any loss or damage of any kind (except personal injury or death arising from the IETs negligence) including lost profits or other consequential loss arising from the use of or inability to use the Document or from errors or deficiencies in it whether caused by negligence or otherwise. 4.3 These warranties are subject to statutory and common law consumer rights if applicable.

Law and Jurisdiction 5. This Licence is governed by English Law. For more information contact the IET (Institution of Engineering and Technology) System Requirement: Adobe Reader 7 or Adobe Acrobat 7.0 IET 2007 All rights reserved Copyright and all other rights in the Document is property of and remains with IET.

83

Copyright IET 2007