FUNCTIONAL SAFETY SERVICES

FUNCTIONAL SAFETY ASSESSMENTS
(FSA 1 to 5)

Summary

Independent assessment of your functional safety program at every critical lifecycle stage. Find gaps before they become incidents, non-conformances, or startup blockers.

Why Independent Assessment Is Built Into the Lifecycle

Every organization responsible for a safety-instrumented system carries an inherent risk: the people closest to the design are also the least likely to identify its weaknesses. When the same team that developed the SRS also reviews it for completeness, and when the engineers who selected the architecture also verify that it meets the SIL target, the review process has a limited ability to surface the gaps and assumptions that matter most.

Functional Safety Assessment addresses this by requiring that safety lifecycle activities are reviewed by persons with an appropriate level of independence from those who performed them. IEC 61511 Clause 8 defines FSA as a mandatory requirement for safety instrumented systems, not an optional quality enhancement. The level of independence required scales with the SIL: higher consequence systems demand review by parties with greater separation from the design team.

An FSA is not a general audit. It is a structured, technically grounded assessment of specific lifecycle outputs against the requirements of IEC 61511, conducted at defined points in the lifecycle where the findings can still influence the outcome. An FSA finding identified during design is manageable. The same finding identified after commissioning is expensive to address, and after an incident, it is consequential.

We conduct FSAs across the full IEC 61511 lifecycle, from FSA 1 through FSA 5, providing independent, technically credible assessment that supports compliance, protects the organization, and gives genuine confidence in the safety of the systems under review.

What Is a Functional Safety Assessment?

A Functional Safety Assessment is an investigation to judge the functional safety achieved by one or more systems, carried out at defined lifecycle stages. IEC 61511 Clause 8 requires FSAs to be planned, resourced, and carried out by persons with appropriate independence and competence, and the results to be documented and tracked to closure.

Each FSA examines the outputs of the lifecycle phases completed to that point, assessing whether:

  • The required activities have been carried out in accordance with the FSM Plan and the applicable standard.
  • The outputs of each activity are complete, correct, and consistent with the inputs they were derived from.
  • The safety case as developed to that point is coherent and traceable from hazard identification through to the current lifecycle stage.
  • Identified gaps, errors, or non-conformances are documented and have a defined path to closure.

FSA findings are categorized by severity, typically as non-conformances requiring closure before the lifecycle can advance, observations that represent improvement opportunities, and positive findings that confirm activities have been carried out to a high standard.

The Five FSA Stages Under IEC 61511

FSA 1: After Hazard and Risk Assessment

FSA 1 is conducted following the completion of HAZOP or HAZID studies and the SIL determination activities. It assesses whether the hazard identification has been thorough and systematic, the risk assessment methodology is appropriate and correctly applied, SIL targets have been determined using a recognized and consistently applied method, and the outputs provide a credible and traceable basis for the SRS and subsequent design activities.

FSA 1 findings at this stage are the least costly to address, because they affect upstream risk analysis rather than hardware, software, or installed systems. A weak SIL determination identified at FSA 1 is a documentation correction. The same weakness identified at FSA 4 may require significant redesign.

FSA 2: After Safety Requirements Specification

FSA 2 is conducted following completion of the Safety Requirements Specification. It assesses whether the SRS is complete, unambiguous, and traceable to the HAZOP and SIL determination outputs. Specific assessment areas include whether every SIF has defined functional and integrity requirements, safe states are clearly and unambiguously defined for each SIF, response time requirements are specified and achievable, bypass and override requirements are addressed, and the SRS is structured in a way that will support efficient design verification.

FSA 2 is the last point at which SRS deficiencies can be corrected before they propagate into design, hardware procurement, and software development.

FSA 3: After SIS Design

FSA 3 is conducted when the SIS design is sufficiently complete to be assessed against the SRS. It covers the design of the complete Safety Instrumented System, including sensor selection and configuration, logic solver specification and programming, final element selection and arrangement, SIL verification calculations, and hardware fault tolerance and systematic capability assessments.

FSA 3 confirms that the design will achieve the SIL targets defined in the SRS, that the architecture satisfies IEC 61511 requirements for hardware fault tolerance and systematic capability, and that the software development process meets the requirements for the applicable SIL. Non-conformances at FSA 3 are significant because they require design changes before the fabrication, installation, and commissioning phases can proceed.

FSA 4: After Installation, Commissioning, and Pre-Startup Validation

FSA 4 is conducted after the SIS has been installed, commissioned, and validated, and before the system is placed in service. It is the final independent checkpoint before the system becomes responsible for protecting people, assets, and the environment in live operation.

FSA 4 confirms that the validation activities required by the SRS and validation plan have been completed and documented, the installed system configuration matches the as-designed and as-built records, all FSA 3 non-conformances have been closed or formally accepted with documented rationale, proof test procedures have been validated and are ready for operational use, and the operating and maintenance procedures are in place. A system that does not pass FSA 4 should not enter live service.

FSA 5: During and After Operation

FSA 5 is conducted during the operating life of the system, typically at defined intervals or triggered by significant operational events. It assesses whether the functional safety management system is being operated in accordance with the FSM Plan, proof tests are being conducted on schedule and with adequate coverage, management of change is being applied correctly to all modifications affecting the safety system, incident investigation findings are being tracked and closed, and the system continues to meet its SIL targets as components age and the operating environment evolves.

FSA 5 is the assurance mechanism that prevents safety performance from degrading silently through operational changes, deferred maintenance, accumulated modifications, and the gradual drift that affects any long-lived system without active oversight.

Independence Requirements for FSA

IEC 61511 defines four categories of independence for Functional Safety Assessment (FSA), with the required category determined by the SIL of the safety functions being assessed:

  • Category 1: Assessment by the person or team responsible for the activity being assessed. Applicable only for low-consequence verification activities.
  • Category 2: Assessment by a person independent from the individual who performed the activity, but within the same project team or department.
  • Category 3: Assessment by a department or function independent from the project team responsible for the design. Typically required for SIL 2 and SIL 3 functions.
  • Category 4: Assessment by an organization entirely independent from the design organization. Required for SIL 3 and SIL 4 functions in many applications.

We provide independent FSA services at Category 2, Category 3, and Category 4 independence levels, depending on the SIL of the systems under assessment and the regulatory context. Where we have been involved in earlier lifecycle phases, we structure our engagement to preserve the independence required for FSA.

Standards Alignment

Our FSA activities are structured to meet the requirements of:

  • IEC 61511-1 Clause 8: Functional Safety Assessment requirements for safety instrumented systems in the process industry, including independence, competency, planning, and documentation requirements
  • IEC 61508 Part 1 Clause 8: FSA requirements at the component and system level, applicable for SIS equipment manufacturers and software developers
  • ISA 84 (ANSI/ISA-84.00.01): Equivalent assessment requirements under the North American process industry standard
  • ISA/IEC 62443: Where FSA scope includes assessment of cybersecurity measures for safety-related programmable systems, particularly networked SIS architectures

Our Approach

An FSA is only valuable if it is conducted with genuine independence, sufficient technical depth, and a clear focus on findings that matter. We approach every FSA as a substantive technical review, not a document checklist.

01 FSA Planning

We develop an FSA plan that defines the scope of the assessment, the lifecycle phases and outputs to be reviewed, the independence category required, the assessment methods to be used, the evidence to be examined, and the format for findings and recommendations. The FSA plan is agreed with the client before assessment activities begin.

02 Document Review and Technical Assessment

We review the lifecycle documentation relevant to the FSA stage, including HAZOP records, SIL determination reports, LOPA worksheets, the SRS, design documentation, SIL verification calculations, V&V records, and the FSM Plan and associated procedures. Where applicable, we conduct facility or workshop visits to confirm that installed systems match design records and that operating procedures reflect the SRS requirements.

03 Findings, Non-Conformances, and Observations

We document all findings clearly, distinguishing between non-conformances that require resolution before the lifecycle can advance, observations that represent improvement opportunities, and positive findings that evidence good practice. Non-conformances are written in operational terms with specific reference to the requirement not met, enabling the responsible team to act without further interpretation.

04 Closure Support and Re-Assessment

We track non-conformances to closure, reviewing the corrective actions taken by the responsible team and confirming whether each finding has been adequately resolved. Where re-assessment is required, we conduct a targeted review of the closed items and produce a final FSA report confirming the assessment outcome and the status of all findings at closure.

What a Rigorous FSA Program Helps You Achieve

  • Independent confirmation at each lifecycle stage that functional safety activities have been carried out correctly and that the safety case is coherent and traceable
  • Early identification of gaps, errors, and non-conformances while they are still practical to resolve, rather than after commissioning or startup, when the cost of correction escalates sharply
  • A documented FSA record that satisfies IEC 61511 Clause 8 requirements and supports regulatory submissions, insurance assessments, and corporate governance obligations
  • Confidence before startup that the installed system meets its SIL targets, all validation activities have been completed, and all previous FSA non-conformances have been closed
  • Ongoing assurance during operation through FSA 5, confirming that proof test execution, management of change, and incident investigation are maintaining the safety performance that the system was designed to deliver
  • Protection for the organization against the liability consequences of a functional safety failure that a proper independent assessment would have prevented

Typical Deliverables

  • FSA plan covering scope, independence category, lifecycle phases under assessment, methods, evidence requirements, and reporting format
  • FSA report for each assessment stage, including an executive summary, methodology description, findings register, and assessment conclusion
  • Non-conformance register with specific requirement references, severity classification, and recommended corrective actions
  • Observation register with improvement recommendations
  • Closure review records confirming the adequacy of corrective actions for each non-conformance
  • Final FSA report confirming the assessment outcome and the closed status of all findings

Why Arista Cyber for Functional Safety Assessments?

An FSA conducted by a team that understands only the process safety requirements of IEC 61511 will assess the documentation thoroughly but may miss the increasingly significant dimension of OT cybersecurity. Modern SIS designs include programmable logic solvers, networked diagnostics, remote access capabilities, and software with update and configuration management requirements that create assessment areas not fully covered by traditional FSA checklists.

What clients value about working with us:

  • Technical depth across the full IEC 61511 lifecycle: our team has performed the same kinds of studies and produced the same kinds of documentation that an FSA reviews, and understands where the real compliance gaps tend to appear
  • Integrated functional safety and OT/ICS security perspective: FSA scope, where relevant, addresses the cybersecurity aspects of programmable and networked safety system designs
  • Clear, specific findings written in language that the responsible engineering team can act on without requiring further clarification or interpretation
  • Constructive assessment culture: our goal is to help organizations close gaps and achieve a functional safety program that works, not to generate findings for their own sake
  • Deep operational experience across high-consequence sectors, including oil and gas, energy, pharmaceuticals, and process manufacturing

We do more than assess against the standard. We help organizations understand what their FSA findings mean for the safety of their systems, what actions will close them effectively, and how to build a functional safety program that holds up at every stage of the lifecycle.

Ready to Plan Your Functional Safety Assessment Program?

Reach out to our functional safety team. We will confirm the FSA stages required for your systems, the appropriate independence category for your SIL levels, and the assessment scope and timeline your project needs.