Building safety competence

Joerg Krämer and Martin Lange | Andrea Gillhuber

What is safety competence?

Functional safety (FS) is indispensable in machines and systems. But how do you build up safety expertise? Find out what safety is and how a company can build up safety expertise.


When a company starts to develop safe components, devices or systems, its first safety experts are often trained more or less by chance. Usually someone takes on the topic out of interest or aptitude and grows into an "expert" over time by studying the standards, attending training courses, discussing with assessors, and so on. As the tasks multiply, however, the safety projects can at some point no longer be handled by a single person, and "safety responsibility" has to be spread over several shoulders. This raises the question: how can safety competence be built up?

What is competence?

This question is not easy to answer: What criteria must someone fulfill to be considered competent? And how can competence be proven?
Competence is made up of qualifications and experience. This means that you do not become competent solely through your school education, a degree and any training courses you have attended. Experience is gained by carrying out projects in the desired area of competence. Soft skills such as communication skills and a solution-oriented approach are also required.

However, this series of articles focuses on technical skills. As long as you are not yet an expert, you need a mentor. A mentor is a competent and experienced person who imparts technical knowledge and experience to an inexperienced person, the mentee, accompanies them during their training and monitors the results of their work. According to TÜV Rheinland's competence model, competence development is made up proportionally as follows:

  • 10 % learning through guidance, for example through training courses and books
  • 20 % learning from others, i.e. from mentors or colleagues
  • 70 % learning through experience, for example through collaboration on projects, working on challenging tasks or similar.

Before we talk about how we achieve competence, we first need to describe the field we are talking about.

What is functional safety?

Functional safety, or simply safety, is required wherever a risk analysis has identified a hazard to people, the environment or the plant that is to be mitigated by technical measures. Typical hazards in an industrial environment are the movements of a machine that could injure or even kill a person, or the bursting of a pressure vessel. Functional safety also plays an important role in mobility: the electric drive of a car or even an e-bike must not unintentionally build up its maximum torque, because in many cases an accident would then be unavoidable.

An identified risk must be reduced to a socially acceptable residual risk. Wherever reasonably possible, design measures (inherently safe design) come first, for example placing the machine behind a fixed guard. Only if such design measures cannot reasonably be implemented are technical protective measures used to reduce the risk, for example sensors that detect a person approaching the source of danger, whereupon the hazard, for example the machine's movement, is stopped.

The international basic standard IEC 61508 formulates requirements for such technical safety measures, graded according to the amount of risk reduction needed. A large number of application-specific (sector) standards translate these requirements for a wide range of industries. Legal acts such as the Machinery Directive or the Medical Devices Directive refer to such sector standards as "harmonized" standards: compliance with a harmonized standard gives a presumption of conformity, i.e. it is assumed that the safety objectives of the directive or regulation are then also fulfilled.

An example can be used to explain the risk and corresponding risk-reducing measures:

Risk: A robot could injure or even kill a person. A risk analysis in accordance with the applicable safety standards results in a required risk reduction of SIL 2 (IEC 62061) or PL d (ISO 13849-1).

Risk-reducing measure: Access to the robot arm is safeguarded by a light curtain. If the light curtain is interrupted, the robot arm must come to a standstill before a person can reach it, so the curtain must be mounted at a distance that covers the stopping time. The identified safety level imposes a quantitative requirement on the entire safety function (light curtain, safety logic and the robot's stop path together): for SIL 2 in high-demand or continuous mode, the probability of a dangerous failure per hour (PFH) must be below 10^-6, which corresponds to roughly one dangerous failure in 100 years.
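As a worked check of this example, here is a small calculation added by the editor; it is not a calculation from the article or from TÜV Rheinland. It sums constructed sample PFH figures for the three subsystems of the safety function, classifies the result into the IEC 61508 SIL bands (high-demand/continuous mode), shows where the "once in 100 years" figure comes from, and computes the minimum mounting distance of the light curtain with the ISO 13855 formula S = K * T + C (the standard, the subsystem values and the timing figures are assumptions of the example, not taken from the article).

```python
"""Worked check of the robot/light-curtain example (editor's illustration,
not from the article).

Assumptions (not from the article): the subsystem PFH figures below are
constructed sample values; the SIL bands are those of IEC 61508-1 for
high-demand/continuous mode; the safety distance uses the ISO 13855 formula
for electro-sensitive protective equipment with orthogonal approach."""

HOURS_PER_YEAR = 8760

# Upper PFH limit (dangerous failures per hour) of each SIL band,
# high-demand / continuous mode (IEC 61508-1).
SIL_PFH_UPPER_LIMIT = {4: 1e-8, 3: 1e-7, 2: 1e-6, 1: 1e-5}

# Constructed sample PFH values (1/h) for the three subsystems of the safety
# function "stop the robot when the light curtain is interrupted".
EXAMPLE_SUBSYSTEMS = {
    "light_curtain": 4.0e-8,       # sensor
    "safety_controller": 1.0e-8,   # logic
    "drive_stop_path": 2.0e-7,     # actuator: safe-torque-off path of the drives
}


def safety_function_pfh(subsystems):
    """PFH of the whole safety function: sensor, logic and actuator are in
    series, so their dangerous-failure rates add up."""
    return sum(subsystems.values())


def sil_from_pfh(pfh):
    """Highest SIL whose band the PFH satisfies, 0 if not even SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfh < SIL_PFH_UPPER_LIMIT[sil]:
            return sil
    return 0


def mean_years_between_dangerous_failures(pfh):
    """Where the 'once in 100 years' figure comes from: 1e-6/h is about 114 years."""
    return 1.0 / (pfh * HOURS_PER_YEAR)


def light_curtain_safety_distance(machine_stop_ms, curtain_response_ms, resolution_mm):
    """Minimum distance S in mm between the light curtain and the hazard
    (ISO 13855, orthogonal approach, detection capability d <= 40 mm):
        S = K * T + C
        T = machine stopping time + response time of the protective device
        C = 8 * (d - 14)   penetration of a hand before it is detected
        K = 2000 mm/s; if S > 500 mm, K = 1600 mm/s may be used with S >= 500 mm
    S is never less than 100 mm."""
    if resolution_mm > 40:
        raise ValueError("formula only valid for a resolution of <= 40 mm")
    t_s = (machine_stop_ms + curtain_response_ms) / 1000
    c = max(8 * (resolution_mm - 14), 0)
    s = 2000 * t_s + c
    if s > 500:
        s = max(1600 * t_s + c, 500)
    return max(s, 100)


def check_example():
    """Evaluate the SIL 2 / PL d example with the constructed sample figures."""
    pfh = safety_function_pfh(EXAMPLE_SUBSYSTEMS)
    return {
        "pfh": pfh,
        "achieved_sil": sil_from_pfh(pfh),
        "meets_sil2": pfh < SIL_PFH_UPPER_LIMIT[2],
        "years_between_dangerous_failures": mean_years_between_dangerous_failures(pfh),
        # assumed: 400 ms robot stopping time, 100 ms curtain response, 30 mm resolution
        "safety_distance_mm": light_curtain_safety_distance(400, 100, 30),
    }


if __name__ == "__main__":
    for key, value in check_example().items():
        print(f"{key}: {value}")
```

With the sample figures the chain reaches a PFH of 2.5e-7/h, inside the SIL 2 band, and the curtain has to be mounted at least 928 mm from the robot; halving the stopping time is the lever a designer would reach for first if that distance does not fit the cell.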

Every component used in this safety function must therefore perform its function dependably. Neither random hardware failures (components fail with a certain probability) nor systematic faults (which are usually introduced during the development of the system or its components) may lead to a dangerous failure of the safety function. This is usually achieved by redundancy and continuous diagnostics during operation, among other things. If, for example, a microcontroller stops working, the system must still end up in a safe state.
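The design pattern behind that paragraph, as an illustration added by the editor (not code from the article or from the authors' companies): the light curtain's two output channels are evaluated 1oo2 (either channel reporting an interruption stops the robot), a discrepancy monitor latches a fault when the channels disagree for longer than a tolerance, restart requires an explicit reset, and the output stage needs a fresh enable pulse every cycle so that a stalled controller makes it drop out. The channel sampling, the tolerances and the trace at the bottom are assumptions of the example, not from the article.

```python
"""Editor's illustration, not from the article: 1oo2 evaluation of a two-channel
light curtain with discrepancy monitoring, start interlock and an
energise-to-run output stage.

Assumptions (not from the article): both channels are sampled once per cycle
as booleans (True = beams clear); channels may disagree for at most
DISCREPANCY_LIMIT_CYCLES cycles; the output stage drops out after
OUTPUT_TIMEOUT_CYCLES cycles without a pulse. EXAMPLE_TRACE is constructed."""

DISCREPANCY_LIMIT_CYCLES = 3   # assumed diagnostic tolerance
OUTPUT_TIMEOUT_CYCLES = 2      # assumed watchdog tolerance of the output stage


class SafetyLogic:
    """Evaluates the two channels of the light curtain (1oo2)."""

    def __init__(self):
        self.run_enable = False       # True only while it is safe to run
        self.fault_latched = False    # dangerous fault detected by diagnostics
        self.discrepancy_cycles = 0

    def step(self, ch_a, ch_b, reset=False):
        """One evaluation cycle; returns the enable pulse for the output stage."""
        if self.fault_latched:
            self.run_enable = False
            return False
        if ch_a == ch_b:
            self.discrepancy_cycles = 0
        else:
            # One channel stuck or miswired: a single fault that must not be
            # tolerated indefinitely. Latch it so it cannot be reset away
            # without repair.
            self.discrepancy_cycles += 1
            if self.discrepancy_cycles > DISCREPANCY_LIMIT_CYCLES:
                self.fault_latched = True
                self.run_enable = False
                return False
        # 1oo2 voting: either channel reporting an interruption stops the robot.
        if not (ch_a and ch_b):
            self.run_enable = False
        elif reset:
            # Restart only on an explicit reset, never automatically when the
            # curtain clears again (start interlock).
            self.run_enable = True
        return self.run_enable


class OutputStage:
    """Contactor that must be re-enabled every cycle (energise-to-run): if the
    controller stalls, the pulses stop and the stage drops out on its own."""

    def __init__(self):
        self.energised = False
        self.cycles_without_pulse = 0

    def tick(self, pulse):
        """pulse: True = enable, False = stop, None = controller sent nothing."""
        if pulse is None:
            self.cycles_without_pulse += 1
            if self.cycles_without_pulse >= OUTPUT_TIMEOUT_CYCLES:
                self.energised = False
        else:
            self.cycles_without_pulse = 0
            self.energised = pulse
        return self.energised


def run_trace(trace):
    """trace: (ch_a, ch_b, reset) per cycle, or None for a cycle in which the
    controller did not run. Returns (output state per cycle, fault latched)."""
    logic, output, states = SafetyLogic(), OutputStage(), []
    for cycle in trace:
        pulse = None if cycle is None else logic.step(*cycle)
        states.append(output.tick(pulse))
    return states, logic.fault_latched


EXAMPLE_TRACE = [                # constructed scenario
    (True, True, False),   # power-up: curtain clear, no reset yet -> stays off
    (True, True, True),    # operator presses reset -> run
    (True, True, False),   # running
    (False, True, False),  # hand enters, channel A sees it first -> stop
    (False, False, False), # both channels open
    (True, True, False),   # curtain clear again: no automatic restart
    (True, True, True),    # reset -> run
    None,                  # controller stalls: no pulse
    None,                  # second missed pulse: output stage drops out
    (True, True, True),    # controller back, reset -> run
    (True, False, False),  # channel B stuck open: discrepancy 1 (and stop)
    (True, False, False),  # discrepancy 2
    (True, False, False),  # discrepancy 3
    (True, False, False),  # discrepancy 4 > limit: fault latched
    (True, True, True),    # a reset cannot clear a latched fault
]

if __name__ == "__main__":
    print(run_trace(EXAMPLE_TRACE))
```

Two details carry the safety argument: the stop path works on "either channel open" while the diagnostic works on "channels disagree", so a single stuck channel neither defeats the stop nor goes unnoticed; and the output stage is kept energised only by something the controller must actively do, so a dead controller fails to the safe side without any code running.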


Joerg Krämer is Head of the TÜV Rheinland Functional Safety and Cyber Security Program.


What skills are required for safety?

It is indisputable that functional safety is not a "nice to have", but a necessity in order to protect people and the environment from harm. IEC 61508 therefore requires that all persons involved in the development of a functionally safe system are sufficiently qualified for their activities.
The development of a functionally safe system involves a large number of different activities for which the relevant skills must be available and verifiable:

  • Functional safety management:
    • Creating and evaluating the safety requirements specification (based on a risk analysis where necessary)
    • Creating and evaluating a safety concept
    • Creating and evaluating hardware and software concepts
  • Hardware/software design:
    • Applying the normative measures for fault avoidance
    • Identifying all plausible failure modes in a hardware design
    • Designing and implementing redundancy and diagnostics to control these faults
  • Calculating the safety-related parameters
  • Verification of all development steps and results
  • Validation of the complete product, system or application against the input specification

Level of competence

Competence levels are not defined in a standard. In general, a three-level model is helpful, which is also followed by the TÜV Rheinland Functional Safety Training Program:

  • FS employee in training (FS-IA) - little knowledge and experience
  • FS Engineer - a lot of knowledge and experience
  • FS Expert - a great deal of knowledge and experience

A degree in electrical engineering or a comparable professional qualification is a prerequisite for competent collaboration in a functional safety development project. The FS employee in training works on FS projects under supervision. This means that an FS expert explains the normative requirements for the respective work package and checks the work results. By gaining practical FS experience in this way, the FS employee in training gradually gets a feel for the basic requirements of functional safety.

Application-specific standards derived from the basic standard IEC 61508:

  • ISO 13849-1 and IEC 62061 - Machinery
  • IEC 61800-5-2 - Electrical drives
  • IEC 61511 - Process industry
  • IEC 61513 - Nuclear sector
  • ISO 26262 - Road vehicles
  • EN 50128 - Railway signaling
  • IEC 60601 - Medical devices
  • EN 50156 - Combustion systems (furnaces)

In the TÜV Rheinland Functional Safety Training Program, the decisive step to becoming an FS Engineer is a training course lasting several days, which teaches the essential contents of the basic standard IEC 61508. The training concludes with a demanding examination lasting several hours. A further prerequisite for the certificate is participation in FS projects during the preceding three years, because only personal project experience makes it possible to carry the training content over into practice. In principle, the FS Engineer can work independently on FS projects. Their most important skill, however, remains knowing the limits of their own knowledge and, whenever necessary, seeking advice from an FS Expert.

Dr. Martin Lange is Head of the Functional Safety department at embeX.


The prerequisites for the title of FS Expert in the aforementioned training program are at least eight years of practical involvement in FS projects and sound FS expertise, which the candidate documents through a case study to be submitted or through publications in specialist journals and at specialist conferences. Within a company, who is accepted and regarded as an FS Expert is ultimately a matter of personal assessment and trust.

The FS Expert should be able to recognize quickly and unerringly the critical points in the concept, design and applied processes of an FS project. On the one hand, they are responsible for the safety of the development object, and the same rule applies to the FS Expert as to everyone else: everything they conceive, design, develop or document must be assessed, tested and checked by someone else. On the other hand, they are also responsible for the cost-effectiveness of the implemented solutions, because: "Safety that nobody buys does not make our world safer."
