ML20237E163

9-1-2020 NEI Meeting - Attachment 2: AB Augmented Observation Checklist Presentation
ADAMS Accession Number: ML20237E163
Issue date: 03/12/2021
From: Ngola Otto, Licensing Processes Branch
To: Otto N
Shared Package: ML20237E160

Accreditation Body Augmented Observation Checklist

A certification body (CB) that is accredited to ISO 17065 is required to have a scheme, as prescribed in section 7 of ISO 17065, to be used to evaluate products. Part of the requirements of this scheme is that it, at a minimum, encompasses the requirements of a specified standard. In this case the standard that provides the foundation for the scheme is IEC 61508. The purpose of this checklist is to gain a deeper understanding of how the accreditation process, as performed by an accreditation body (AB), confirms the CB's scheme to be, at a minimum, in compliance with IEC 61508. This document is built on the content of the Basis for Augmented Observation Checklist as submitted to the NRC for the July 2020 public meeting (see ADAMS accession number ML20184A012).

The main items (1, 2, 3) in the following table are directly from the Basis for Augmented Observation Checklist as submitted to the NRC for the July 2020 public meeting. The sub-items (X.1, X.2, X.3) are meant to expand on the major items from other references such as IEC 61508.

Table columns: Item #; Discussion (Requirement / Evidence / References); How does the AB verify the CB's scheme meets or exceeds this requirement?

1. Is there evidence of evaluation of reliability using an IEC 61508 approved methodology?

1.1. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

a) the architecture of the E/E/PE safety-related system, in terms of its subsystems, as it relates to each safety function under consideration;

1.2. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

b) the architecture of each subsystem of the E/E/PE safety-related system, in terms of its elements, as it relates to each safety function under consideration;

1.3. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:


c) the estimated failure rate of each subsystem and its elements in any modes that would cause a dangerous failure of the E/E/PE safety-related system but are detected by diagnostic tests (see 7.4.9.4 to 7.4.9.5). Justification for the failure rates should be given considering the source of the data and its accuracy or tolerance. This may include consideration and the comparison of data from a number of sources and the selection of failure rates from systems most closely resembling that under consideration.

Failure rates used for quantifying the effect of random hardware failures and calculating safe failure fraction or diagnostic coverage shall take into account the specified operating conditions.

1.4. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

d) the susceptibility of the E/E/PE safety-related system and its subsystems to common cause failures (see Notes 3 and 4 [in IEC 61508-2]). There shall be a justification of the assumptions made;

1.5. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

e) the diagnostic coverage of the diagnostic tests (determined according to Annex C), the associated diagnostic test interval and the rate of dangerous unrevealed failure of the diagnostics due to random hardware failures of each subsystem. Where relevant, only those diagnostic tests that meet the requirements of 7.4.5.3 shall be considered. The MTTR and MRT (see 3.6.21 and 3.6.22 of IEC 61508-4), shall be considered in the reliability model.


1.6. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

f) the intervals at which proof tests are undertaken to reveal dangerous faults;

1.7. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

g) whether the proof test is likely to be 100 % effective;

1.8. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

h) the repair times for detected failures;

1.9. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

i) the effect of random human error if a person is required to take action to achieve the safety function.

1.10. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

j) the fact that a number of modelling methods are available and that the most appropriate method is a matter for the analyst and will depend on the circumstances. Available methods include cause consequence analysis (B.6.6.2 of IEC 61508-7), fault tree analysis (B.6.6.5 of IEC 61508-7), Markov models (Annex B of IEC 61508-6 and B.6.6.6 of IEC 61508-7), reliability block diagrams (Annex B of IEC 61508-6 and B.6.6.7 of IEC 61508-7) and Petri nets (Annex B of IEC 61508-6 and B.2.3.3 of IEC 61508-7).

2. Are the reliability criteria appropriate for the application of the product?

2.1. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.1 For each safety function, the achieved safety integrity of the E/E/PE safety-related system due to random hardware failures (including soft-errors) and random failures of data communication processes shall be estimated in accordance with 7.4.5.2 and 7.4.11, and shall be equal to or less than the target failure measure as specified in the E/E/PE system safety requirements specification (see IEC 61508-1, 7.10).

3. Does the IEC Safety Lifecycle (including configuration management) conform to p3-13 through p3-21 of Reference 8 [EPRI Report]?

Does the certification process include a review of the OEM safety case for the product?

3.1. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to specify the design requirements for each E/E/PE safety-related system, in terms of the subsystems and elements (see 7.10.2 of IEC 61508-1)?

3.2. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to plan the validation of the safety of the E/E/PE safety-related system?

3.3. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to design and develop the E/E/PE safety-related system (including ASICs if appropriate) to meet the E/E/PE system design requirements specification (with respect to the safety functions requirements and the safety integrity requirements (see 7.2))?


3.4. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to integrate and test the E/E/PE safety-related system?

3.5. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to develop procedures to confirm that the required functional safety of the E/E/PE safety-related system is maintained during operation and maintenance?

3.6. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to validate that the E/E/PE safety-related system meets, in all respects, the requirements for safety in terms of the required safety functions and safety integrity?

3.7. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to make corrections, enhancements or adaptations to the E/E/PE safety-related system, ensuring that the required safety integrity is achieved and maintained?

3.8. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to test and evaluate the outputs of a given phase to confirm correctness and consistency with respect to the products and standards provided as input to that phase?

3.9. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 Table 1: Were there activities to investigate and arrive at a judgement on the functional safety achieved by the E/E/PE safety-related system?

3.10. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to specify the requirements for safety-related software in terms of the requirements for software safety functions and the requirements for software systematic capability; to specify the requirements for the software safety functions for each E/E/PE safety-related system necessary to implement the required safety functions; to specify the requirements for software systematic capability for each E/E/PE safety-related system necessary to achieve the safety integrity level specified for each safety function allocated to that E/E/PE safety-related system?

3.11. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to develop a plan for validating the software aspects of system safety?

3.12. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to create a software architecture that fulfils the specified requirements for safety-related software with respect to the required safety integrity level; to evaluate the requirements placed on the software by the hardware architecture of the E/E/PE safety-related system, including the significance of E/E/PE hardware/software interactions for safety of the equipment under control?

3.13. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to select a suitable set of tools, including languages and compilers, run-time system interfaces, user interfaces, and data formats and representations for the required safety integrity level, over the whole safety lifecycle of the software, which assists verification, validation, assessment and modification?

3.14. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to design and implement software that fulfils the specified requirements for safety-related software with respect to the required safety integrity level, which is analysable and verifiable, and which is capable of being safely modified?


3.15. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to design and implement software that fulfils the specified requirements for safety-related software with respect to the required safety integrity level, which is analysable and verifiable, and which is capable of being safely modified?

3.16. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to design and implement software that fulfils the specified requirements for safety-related software with respect to the required safety integrity level, which is analysable and verifiable, and which is capable of being safely modified?

3.17. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to verify that the requirements for safety-related software (in terms of the required software safety functions and the software systematic capability) have been achieved; to show that each software module performs its intended function and does not perform unintended functions; to ensure, in so far as it is appropriate, that configuration of PE systems by data fulfils the specified requirements for the software systematic capability?

3.18. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to verify that the requirements for safety-related software (in terms of the required software safety functions and the software systematic capability) have been achieved; to show that all software modules, elements and subsystems interact correctly to perform their intended function and do not perform unintended functions; to ensure, in so far as it is appropriate, that configuration of PE systems by data fulfils the specified requirements for the software systematic capability?


3.19. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to combine the software and hardware in the safety-related programmable electronics to ensure their compatibility and to meet the requirements of the intended safety integrity level?

3.20. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to provide information and procedures concerning software necessary to ensure that the functional safety of the E/E/PE safety-related system is maintained during operation and modification?

3.21. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to ensure that the integrated system complies with the specified requirements for safety-related software at the intended safety integrity level?

3.22. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to guide corrections, enhancements or adaptations to the validated software, ensuring that the required software systematic capability is sustained?

3.23. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to test and evaluate the outputs from a given software safety lifecycle phase to ensure correctness and consistency with respect to the outputs and standards provided as input to that phase?

3.24. How does the AB confirm that the CB's scheme addresses:

IEC 61508-3 Table 1: Were there activities to investigate and arrive at a judgement on the software aspects of the functional safety achieved by the E/E/PE safety-related systems?

3.25. How does the AB confirm that the CB's scheme addresses:

From IEC 61508-1 section 6.2.10:

Are there procedures in place for configuration management of the E/E/PE safety-related systems during the overall, E/E/PE system and software safety lifecycle phases, including in particular: a) the point, in respect of specific phases, at which formal configuration control is to be implemented; b) the procedures to be used for uniquely identifying all constituent parts of an item (hardware and software); c) the procedures for preventing unauthorized items from entering service?

4. Does the certification process review the self-diagnostics to detect dangerous failures and force the equipment to a safe state? See the discussion of the Safe Failure Fraction on p3-5 through p3-6 of Reference 8 for more details.

4.1. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2 e): the diagnostic coverage of the diagnostic tests (determined according to Annex C), the associated diagnostic test interval and the rate of dangerous unrevealed failure of the diagnostics due to random hardware failures of each subsystem. Where relevant, only those diagnostic tests that meet the requirements of 7.4.5.3 shall be considered.

The MTTR and MRT (see 3.6.21 and 3.6.22 of IEC 61508-4), shall be considered in the reliability model.

Evidence: See item 1.5. References: See item 1.5.
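Items 1.1 through 1.10 and item 4 list the inputs a CB's reliability model has to account for: subsystem and element failure rates split by whether diagnostics reveal them (c), common cause susceptibility (d), diagnostic coverage together with MTTR and MRT (e, h), the proof-test interval and whether the proof test is fully effective (f, g), and the safe failure fraction that item 4 points to. The following Python is an added worked example of carrying those inputs through to an achieved failure measure for a 1oo1 and a 1oo2 architecture; it is not part of the NRC/NEI document and does not represent any CB's scheme. The failure-mode rows, rates, intervals and common cause factors are constructed sample values; the 1oo1 and 1oo2 expressions are the simplified reliability block diagram formulas of IEC 61508-6 Annex B, and the handling of an imperfect proof test (splitting lambda_DU by the fraction the proof test reveals, with the remainder latent until a longer interval t2) is a common simplification assumed here rather than text from the page.

```python
"""
Reliability estimate for one safety function, built from the factors listed
in IEC 61508-2 7.4.5.2 a) to j) and the diagnostics/safe failure fraction
questions of item 4. Added example: the failure modes, rates and intervals
are constructed sample values, not data from any product or CB scheme.
"""
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_fit: float
    dangerous: bool  # could cause a dangerous failure of the safety function
    detected: bool   # revealed by online diagnostics within the diagnostic test interval


# Constructed FMEDA-style rows for one channel of a subsystem (factor c).
CHANNEL = [
    FailureMode("output fails to the safe, de-energised state", 400.0, False, False),
    FailureMode("CPU hang, watchdog forces the safe state", 150.0, False, True),
    FailureMode("output stuck energised, caught by readback", 180.0, True, True),
    FailureMode("ADC drift, caught by reference check", 60.0, True, True),
    FailureMode("output stuck energised, no readback path", 40.0, True, False),
    FailureMode("comparator latent fault", 20.0, True, False),
]


def channel_rates(modes):
    """Return (lambda_S, lambda_DD, lambda_DU) in failures per hour."""
    lam_s = sum(m.rate_fit for m in modes if not m.dangerous) * FIT
    lam_dd = sum(m.rate_fit for m in modes if m.dangerous and m.detected) * FIT
    lam_du = sum(m.rate_fit for m in modes if m.dangerous and not m.detected) * FIT
    return lam_s, lam_dd, lam_du


def diagnostic_coverage(lam_dd, lam_du):
    """DC = lambda_DD / lambda_D: share of dangerous failures the diagnostics reveal (factor e)."""
    return lam_dd / (lam_dd + lam_du)


def safe_failure_fraction(lam_s, lam_dd, lam_du):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def pfd_avg_1oo1(lam_dd, lam_du, t1, mttr, mrt, ptc=1.0, t2=None):
    """Average PFD of a single channel, low-demand mode.

    t1: proof-test interval in hours (factor f); ptc: fraction of lambda_DU the
    proof test reveals (factor g); the rest is assumed to stay latent until t2
    (overhaul or end of mission time), a simplification assumed for this example.
    mttr: restoration time for diagnosed failures; mrt: repair time after a
    proof test reveals a fault (factor h). With ptc == 1 this is the
    IEC 61508-6 Annex B expression (lambda_DU + lambda_DD) * tCE.
    """
    if ptc < 1.0 and t2 is None:
        raise ValueError("t2 is required when the proof test is not 100 % effective")
    pfd = lam_dd * mttr + ptc * lam_du * (t1 / 2 + mrt)
    if ptc < 1.0:
        pfd += (1.0 - ptc) * lam_du * (t2 / 2 + mrt)
    return pfd


def pfd_avg_1oo2(lam_dd, lam_du, t1, mttr, mrt, beta, beta_d):
    """Average PFD of a 1oo2 architecture (factors a, b) with common cause
    fractions beta (undetected) and beta_d (detected), factor d, in the
    IEC 61508-6 Annex B form."""
    lam_d = lam_dd + lam_du
    t_ce = lam_du / lam_d * (t1 / 2 + mrt) + lam_dd / lam_d * mttr
    t_ge = lam_du / lam_d * (t1 / 3 + mrt) + lam_dd / lam_d * mttr
    independent = 2 * ((1 - beta_d) * lam_dd + (1 - beta) * lam_du) ** 2 * t_ce * t_ge
    common_cause = beta_d * lam_dd * mttr + beta * lam_du * (t1 / 2 + mrt)
    return independent + common_cause


def highest_sil_met(pfd):
    """Highest SIL whose low-demand target band of IEC 61508-1 Table 2 the PFD satisfies."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def estimate(modes=CHANNEL, t1=8760.0, t2=20 * 8760.0, mttr=8.0, mrt=8.0,
             ptc=0.9, beta=0.02, beta_d=0.01):
    """Run the whole estimate for the constructed channel; the defaults are sample values."""
    lam_s, lam_dd, lam_du = channel_rates(modes)
    pfd_1oo1 = pfd_avg_1oo1(lam_dd, lam_du, t1, mttr, mrt)
    pfd_1oo1_ptc = pfd_avg_1oo1(lam_dd, lam_du, t1, mttr, mrt, ptc, t2)
    pfd_1oo2 = pfd_avg_1oo2(lam_dd, lam_du, t1, mttr, mrt, beta, beta_d)
    return {
        "lambda_DU_per_h": lam_du,
        "DC": diagnostic_coverage(lam_dd, lam_du),
        "SFF": safe_failure_fraction(lam_s, lam_dd, lam_du),
        "PFD_1oo1": pfd_1oo1,
        "PFD_1oo1_imperfect_proof_test": pfd_1oo1_ptc,
        "PFD_1oo2": pfd_1oo2,
        "SIL_1oo1": highest_sil_met(pfd_1oo1),
        "SIL_1oo1_imperfect_proof_test": highest_sil_met(pfd_1oo1_ptc),
        "SIL_1oo2": highest_sil_met(pfd_1oo2),
    }


if __name__ == "__main__":
    for key, value in estimate().items():
        print(f"{key:32s} {value:.3e}" if isinstance(value, float) else f"{key:32s} {value}")
```

With the constructed rows the single channel reaches DC = 0.8 and SFF of about 0.93, and its average PFD of about 2.7e-4 rises to about 7.6e-4 once only 90 % of the undetected dangerous rate is assumed to be revealed by the annual proof test, which is the practical reason factor g) asks whether the proof test is likely to be 100 % effective. In the 1oo2 case the common cause term with beta = 0.02 dominates the result, which is why factor d) asks for a justification of the assumptions behind it. The PFD band alone does not settle the SIL claim; the architectural constraints that SFF feeds into are a separate check in IEC 61508-2.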

5. Does the certification process evaluate the defect reporting process in accordance with p4-9 of Reference 8?

5.1. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2, section 7.8.2.2:

Manufacturers or system suppliers that claim compliance with all or part of this standard shall maintain a system to initiate changes as a result of defects being detected in hardware or software and to inform users of the need for modification in the event of the defect affecting safety.


6. Review the CB's policy on SIL certification time limits.

6.1. Confirm that the CB's standard contractual requirements of the manufacturer include a clear explanation of how the validity of the certification is handled. Evidence: This is addressed by compliance with ISO 17065 and the contract between the manufacturer and CB. This is not a CB scheme topic. References: N/A.

7. Does the CB use OE in support of determining reliability similar to Chapter 6 of Reference 8?

7.1. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

c) the estimated failure rate of each subsystem and its elements in any modes that would cause a dangerous failure of the E/E/PE safety-related system but are detected by diagnostic tests (see 7.4.9.4 to 7.4.9.5). Justification for the failure rates should be given considering the source of the data and its accuracy or tolerance.

8. Is the OEM configuration control and traceability sufficient to support use of operating history data and to ensure the item delivered can be traced back to the documents reviewed as part of acceptance?

8.1. How does the AB confirm that the CB's scheme addresses:

IEC 61508-2 section 7.4.5.2: The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account:

c) This may include consideration and the comparison of data from a number of sources and the selection of failure rates from systems most closely resembling that under consideration.

Failure rates used for quantifying the effect of random hardware failures and calculating safe failure fraction or diagnostic coverage shall take into account the specified operating conditions. NOTE 2: To take into account the operating conditions it will normally be necessary to adjust failure rates from databases, for example due to contact load or temperature.
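Items 3.25 and 8 above ask how configuration control uniquely identifies the constituent parts of an item, keeps unauthorized items from entering service, and lets a delivered item be traced back to the documents reviewed at acceptance. The following Python is an added illustration of one way to do that with a hashed, integrity-protected baseline manifest; it is not from the NRC/NEI document or from any CB scheme. The part names, file contents, document identifiers and key are constructed, and the manifest layout and its HMAC protection are this example's own assumptions (a production process would use a digital signature with a controlled key rather than a shared secret).

```python
"""
Added example: a configuration baseline that ties each constituent part of a
delivered item to a content hash and to the documents reviewed at acceptance,
and a check that flags modified, missing or unauthorised parts on delivery.
All names, contents, identifiers and the key are constructed sample data.
"""
import hashlib
import hmac
import json

# Constructed deliverable exactly as reviewed at acceptance: part name -> content.
REVIEWED_BASELINE = {
    "fw/safety_app.bin": b"safety application image (constructed)",
    "fw/bootloader.bin": b"bootloader image (constructed)",
    "cfg/io_map.xml": b"<io-map revision='7'/>",
}
# Constructed identifiers of the documents the CB reviewed for this baseline.
REVIEW_RECORD = {"safety_case": "SC-EXAMPLE-01", "fmeda": "FMEDA-EXAMPLE-01",
                 "acceptance_review": "AR-EXAMPLE-01"}
SIGNING_KEY = b"constructed-example-key"  # stands in for a controlled signing key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the MAC covers exactly the same bytes on both sides.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(parts: dict, review_record: dict, version: str, key: bytes) -> dict:
    """Baseline: item version, per-part SHA-256 (unique identification of each
    constituent part, item 3.25 b) and the reviewed documents (traceability,
    item 8), protected by an HMAC so tampering with the manifest is detectable."""
    body = {
        "item_version": version,
        "parts": {name: sha256_hex(data) for name, data in sorted(parts.items())},
        "reviewed_documents": dict(review_record),
    }
    return {"body": body, "mac": hmac.new(key, _canonical(body), "sha256").hexdigest()}


def verify_delivery(manifest: dict, delivered: dict, key: bytes):
    """Compare a delivered set of parts with the baseline.
    Returns (ok, findings); findings lists every discrepancy found."""
    expected = hmac.new(key, _canonical(manifest["body"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest integrity check failed"]
    baseline = manifest["body"]["parts"]
    findings = []
    for name in sorted(set(baseline) | set(delivered)):
        if name not in delivered:
            findings.append(f"missing part: {name}")
        elif name not in baseline:  # item 3.25 c): unauthorised item must not enter service
            findings.append(f"unauthorised part not in baseline: {name}")
        elif sha256_hex(delivered[name]) != baseline[name]:
            findings.append(f"modified part: {name}")
    return not findings, findings


def run_demo():
    """Exercise the three cases: clean delivery, altered delivery, altered manifest."""
    manifest = build_manifest(REVIEWED_BASELINE, REVIEW_RECORD, "2.3.1", SIGNING_KEY)
    clean = verify_delivery(manifest, dict(REVIEWED_BASELINE), SIGNING_KEY)

    altered = dict(REVIEWED_BASELINE)
    altered["cfg/io_map.xml"] = b"<io-map revision='8'/>"      # changed after review
    altered["cfg/debug_hook.so"] = b"not part of the baseline"  # never reviewed
    tampered_delivery = verify_delivery(manifest, altered, SIGNING_KEY)

    forged = {"body": {**manifest["body"], "item_version": "2.3.2"}, "mac": manifest["mac"]}
    tampered_manifest = verify_delivery(forged, dict(REVIEWED_BASELINE), SIGNING_KEY)
    return {"clean": clean, "altered_delivery": tampered_delivery,
            "altered_manifest": tampered_manifest,
            "traceability": manifest["body"]["reviewed_documents"]}


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, result)
```

The manifest is the record that makes item 8's question answerable: whoever receives the item recomputes the hashes and reads off which safety case and FMEDA revision the reviewed baseline belonged to, and any part that is absent from that baseline is rejected rather than merely reported.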
