Functional Safety for Programmable Electronics Used in PPE: Best Practice Recommendations
Prepared by Safety Requirements, Inc. – NIOSH Contract 200-2003-02355
The objective of this contract was to establish and document recommendations for using a System Safety Approach to ensure the safe design and use of high-tech personal protective equipment throughout its complete life cycle. An analysis of failures associated with electronic safety equipment used by emergency responders illustrated the need to clarify performance requirements. The implementation of a System Safety Approach will ensure the safe design, manufacture, and use of PPE that contains embedded electronic hardware and software. In addition, these guidance documents will support the NFPA Electronic Safety Equipment (ESE) Technical Committee in developing standards by providing a means to assess and ensure the functional safety performance of ESE. This activity supports Strategic Goals 1 and 3, Reduce Exposure to Inhalation Hazards and Reduce Exposure to Injury Hazards.
Manufacturers of PPE use electronics and software technology to improve the safety of emergency responders and increase the likelihood of survival of victims. Electronics and software components embedded in PPE now provide protection, monitoring, and communication functions for emergency responders.
For example, innovative electronics and software engineers are accepting the challenge to design PPE that reduces reliance on audible communications. These products use radio and cellular frequencies to communicate digital information to the unit commander and among the various emergency responder agencies present on scene (i.e., police, fire, and rescue).
Innovators are also embedding electronics in turnout gear and taking advantage of newer materials. The result is more complex products including those that integrate products developed by different manufacturers. Although use of electronics and software provides benefits, the added complexity, if not properly considered, may adversely affect worker safety.
Hazardous situations that require rapid and effective intervention by emergency personnel are growing in scope and complexity. Effective protection of emergency responders is an ever-increasing problem. Equipment used to protect emergency responders will likely be designed and manufactured by a diverse group of suppliers; therefore, proper compatibility and interaction of the components to achieve an integrated, hybrid package is essential to system success and personnel safety. Ultimately, the PPE/support system worn by emergency responders will be an integrated package of components from a diverse group of manufacturers. Proper integration is the key, for instance, to ensuring the compatibility and sufficiency of power supplies, computer controllers, component isolation and lack of inter-component interference, and failure mode contingencies. Thus, it is recognized that the systems design process will necessarily involve a heavy integration requirement, and the means to meet it must be instilled in all component manufacturers early in the design process.
These commercial entities need a “roadmap” that guides them through the proper steps for ensuring that best practices, as well as any impinging standards, are met. Since many of the processes may be new or unfamiliar to the manufacturers, an important issue is to identify the pitfalls, problems, and expected hurdles that must be overcome.
Programmable electronic components and software fail in ways that are not always detectable solely by pre-delivery functional and acceptance testing. At present, the existing safety standards that address the use of personal protection equipment do not sufficiently consider requirements for functional safety of the programmable electronics and software.
Specifically, reliance on programmable electronics and software requires that additional risk analysis, design for safety, and other safety engineering practices be followed. To address potential failures of electronics and software, two consensus standards have emerged that are applied when electronics are used in safety applications. These standards are ANSI/UL 1998 Standard for Software in Programmable Components and IEC 61508 Functional Safety of E/E/PE Safety-Related Systems. The standards are based on the following reduced-risk engineering concepts:
- Safety Life Cycle
- Risk Analysis
- Design for Safety
- Verification, Validation, and Test
- Management of Change
- Development of a Safety File
These guidelines address the critical life-safety issues identified.
The report series contains best practice recommendations for the design and implementation of personal protection equipment and systems (PPE). The best practice recommendations apply to systems, protection layers, and devices using electronics and software embedded in or associated with PPE. The entire series provides information for use by life safety equipment manufacturers including component manufacturers, subassembly manufacturers, final equipment manufacturers, systems integrators, installers, and life safety professionals.
Part 1 is intended as an introductory report for the general protective equipment industry. The report provides an overview of functional safety concepts for advanced personal protective equipment and discusses the need to address them. The report also describes the practical benefits of implementing functional safety practices.
Part 2 of the guidance recommends criteria for a Functional Safety Life Cycle (FSLC). The use of a functional safety life cycle assures the consideration of safety during all phases of developing personal protection equipment and systems (PPE), from conceptualization to retirement, thus reducing the potential for hazards and injuries. The FSLC adds Functional Safety by Design (FSD) activities to the equipment life cycle. FSD activities include identifying hazards due to functional failures, analyzing the risks of relying on electronics and software to provide functions, designing to eliminate or reduce hazards, and using this approach over the entire equipment life cycle. These activities start at the equipment level and flow down to the assemblies, subsystems, and components.
- The Functional Safety Life Cycle (FSLC) [PDF – 369 KB]
- Concurrent Engineering Model [PDF – 13 KB]
- Part 2 – Management of Functional Safety [PDF – 12 KB]
- Part 2 – Realization [PDF – 13 KB]
- Part 2 – Requirements Specification [PDF – 496 KB]
- Part 2 – Use [PDF – 12 KB]
- Part 2 – Information Circular/2001 IC 9458 [PDF – 496 KB]
Functional safety seeks to design safety into the equipment for all phases of its use. Electronics and software are components; therefore, the design of these components must take into account the overall achievement of functional safety. Part 3, Functional Safety by Design (FSD), provides best practice design criteria for use by manufacturers of PPE. The mining industry guidelines prepared by NIOSH, MSHA, and mining industry manufacturers, entitled Programmable Electronic Mining Systems: Best Practice Recommendations (in Nine Parts), serve as a basis for these guidelines. The report also draws from the design criteria found in International Electrotechnical Commission (IEC) Standard 61508 Functional Safety of E/E/PE Safety-Related Systems and the American National Standards Institute (ANSI)/Underwriters Laboratories (UL) 1998 Standard for Safety – Software in Programmable Components.
Part 4, Functional Safety File (FSF), details best practices for safety documentation through the development of a document repository named the FSF. Capturing safety information in the FSF repository starts at the beginning of the FSLC and continues during the full life cycle of the system. The FSF provides the documented evidence of following FSLC and FSD guidance in the report series. In essence, it is a “proof of safety” that the system and its operation meet the appropriate safety requirements for the intended application.
Part 5, Independent Functional Safety Assessment (IFSA), describes the scope, contents, and frequency of conducting IFSAs. The IFSA is an assessment of the documented evidence of the FSLC activities and FSD practices.
Part 6, Additional Guidance: Functional Safety Life Cycle Examples, shows how FSLC examples are used to develop the scope of the Project Plan. The scope guides Project Functional Safety by Design (FSD) Compliance and Project Documentation.
Part 7 bridges theory with practice for design activities by illustrating a Functional Safety Analysis (FSA) for person locator functions embedded in the DKYS components (DKYS is the hypothetical product introduced in Part 8). The illustration addresses the conduct of a Job Hazard Analysis (JHA), a Hazard Analysis (HA), a Design Failure Modes and Effects Analysis (Design FMEA), and a Risk Analysis (RA). The report also references tools for conducting a Design FMEA.
Part 8, Functional Safety File Examples, provides a prototype FSF Document Management System (DMS). Screen shots from the DMS show how an FSF may be organized and accessed. The prototype FSF-DMS supports preparation and management of FSF documents that would be submitted for an IFSA. For illustration, the FSF-DMS uses a hypothetical next-generation electronic safety equipment product, code-named DKYS (Device that Keeps You Safe). Saros Inc’s PDF Director System was used for rapid prototyping of the FSF-DMS. Appendix A provides information on PDF Director and other potential tools for DMS development.
Part 9, Additional Guidance: Independent Functional Safety Assessment Examples, provides an approach to conducting an IFSA and an example audit questionnaire. The approach involves inspecting FSF documents using the questionnaire.