IEC 61508 (all parts)

Last edit: 22/08/2023

This is the “mother” of all Functional safety standards used in several industries worldwide. It was written in order to allow the use of Electronic components in safety critical systems.

In 1985, the International Electrotechnical Commission (IEC) set up a Task Group to assess the viability of developing a generic standard for programmable electronic systems to be used for safety applications. A working group had previously been set up to deal with safety-related software. These two working groups collaborated on the development of an international standard that became the IEC 61508 series, published at the end of the 90’s.

The original scope of the Task Group, programmable electronic systems used for safety applications, was extended to include all types of electro-technical based technologies, electrical, electronic and programmable electronic systems: the so called E/E/PE systems.

Parts 1 to 7 of IEC 61508 were published during the period 1998-2000. In 2005 IEC/TR 61508-0 was published. A review process to update and improve the standard was initiated in 2002 and it was completed with the publication of IEC 61508 Edition 2 in April 2010.

The overall title of IEC 61508 is ‘Functional Safety of electrical, electronic and programmable electronic (E/E/PE) safety-related systems’. It has eight parts.

  • Part 0: Functional Safety and IEC 61508
  • Part 1: General requirements
  • Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
  • Part 3: Software requirements
  • Part 4: Definitions and abbreviations
  • Part 5: Examples of methods for the determination of safety integrity levels
  • Part 6: Guidelines on the application of parts 2 and 3
  • Part 7: Overview of techniques and measures

Parts 1, 2 and 3 contain the normative requirements and some informative parts. Parts 1, 2, 3 and 4 of IEC 61508 are IEC Basic Safety Publications (BSP). Those are, at the moment, the only BSP on Functional Safety.

IEC 61508 is used as the basis for sector and product standards. It has been used to develop standards for the process, nuclear and railway industries and for machinery and power drive systems. It has influenced, and it will continue to influence, the development of E/E/PE safety-related systems and products across several sectors. This concept is illustrated in Figure 1.

Despite its title, EN 50156-1 is applicable to water heating systems, steam boiler installations and heat recovery steam boilers.

Industrial furnaces and associated processing equipment (TPE) follow ISO 13849-1 and IEC 62061 for high demand mode applications and IEC 61511-1 for low demand mode safety systems.


The strategy for achieving Functional Safety is made up of the following key elements:

  • Management of Functional Safety
  • Technical requirements for relevant phases of the applicable safety lifecycle
  • Functional Safety Assessment (FSA)
  • Competence of persons.

The standard covers the whole safety life-cycle: from the initial concept until the system decommissioning or disposal. It proposes three complementary life-cycles:

  • The overall Safety Lifecycle can be considered as the leading one. One of its phases, Realisation, is decomposed into two life-cycles which are executed in parallel:
    • The E/E/PE system safety life-cycle, related to hardware, and
    • The Software safety life-cycle.

HSE Study

Evidence of the need to adopt an approach that covers all phases of a system Safety Lifecycle was illustrated in a study undertaken by the UK Health and Safety Executive [82]. The study analysed a number of accidents and incidents involving Safety-related Control Systems. Figure 2 shows the primary causes of failure for each lifecycle phase.

Based on the HSE study, more than 60% of failures were ‘built into’ the safety-related system before it was taken into service. Whilst the primary causes by phase will vary, depending upon the sector and complexity of the application, what is self-evident is that all phases of the lifecycle must be addressed if Functional Safety is to be achieved.

That, again, is the reason why IEC 61508 puts so much emphasis on the Safety Lifecycle of the Safety Control System.

Safety Integrity Levels

According to IEC 61508, failures can be classified as either random hardware failures or systematic failures. The challenge to anyone designing a complex system, such as a programmable electronic system, is to determine how much confidence is necessary for the specified safety level. IEC 61508 tackles this on the following basis:

  • that it is possible to quantify the random hardware failures, and
  • that it is not usually possible to quantify systematic failures.

The IEC 61508 series specifies four levels of safety performance for a safety function. These are called safety integrity levels. Safety integrity level 1 (SIL1) is the lowest level and safety integrity level 4 (SIL4) is the highest level. The standard details the requirements necessary to achieve each safety integrity level. These requirements are more rigorous at higher levels of safety integrity, in order to achieve the required lower likelihood of dangerous failures.

An E/E/PE safety-related system will usually implement more than one safety function. If the safety integrity requirements for these safety functions differ, unless there is sufficient independence of implementation between them, the requirements applicable to the highest relevant safety integrity level shall apply to the entire E/E/PE safety-related system.

If a single E/E/PE system is capable of providing all the required safety functions, and the required safety integrity is less than that specified for SIL1, then IEC 61508 does not apply.

As previously stated, in order to design a reliable safety control system, two aspects have to be considered:

  • Hardware Safety Integrity. This is achieved through meeting the quantified target failure measures for random failures, together with meeting the Architectural Constraints for the specified SIL.
  • Systematic Safety Integrity. It is a group of measures used to avoid systematic failure mechanisms; they are in general qualitative measures with increasing rigour, assurance and confidence, the higher the SIL.

Therefore, Safety Integrity is made up of Hardware Safety Integrity, in relation to random failures, and Systematic Safety Integrity, in relation to systematic failures. The above concept is shown in Figure 3.

High and Low demand mode of operation

IEC 61508-1 clarifies which target failure measure, or unreliability function F(t), should be used, depending upon the mode of operation:

  • PFDavg should be used for safety systems in low demand mode.
  • PFHD should be used for safety systems in high demand or in continuous mode.

[IEC 61508-1] 7.6 Overall safety requirements allocation

[…] 7.6.2.9 When the allocation has sufficiently progressed, the safety integrity requirements, for each safety function allocated to the E/E/PE safety-related system(s), shall be specified in terms of the safety integrity level in accordance with Table 2 or Table 3 and shall indicate whether the target failure measure is, either:

  • the average probability of dangerous failure on demand of the safety function, (PFDavg), for a low demand mode of operation (Table 2), or
  • the average frequency of a dangerous failure of the safety function [h-1], (PFH), for a high demand mode of operation (Table 3), or
  • the average frequency of a dangerous failure of the safety function [h-1], (PFH), for a continuous mode of operation (Table 3).

The content of Table 2 of IEC 61508-1 is the same as shown in Table 2.1 {2.1.1.4.1}; the content of Table 3 is shown in Table 2.2 {2.1.1.4.2}.
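The allocation rules above (mode of operation selects PFDavg or PFH; the target is mapped to a SIL band; the highest SIL applies to a shared E/E/PE system unless the implementations are sufficiently independent; a requirement below SIL1 puts the system outside the standard) as an added Python example, not code from the original page. The band limits are those of IEC 61508-1 Tables 2 and 3; the `SafetyFunction` type and the two sample functions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# 7.6.2.9: the mode of operation decides which target failure measure is used.
MEASURE_FOR_MODE = {"low demand": "PFDavg", "high demand": "PFH", "continuous": "PFH"}

# SIL bands from IEC 61508-1 Table 2 (PFDavg, dimensionless) and Table 3 (PFH,
# dangerous failures per hour). Each band is [lower, upper); lower is more rigorous.
BANDS = {
    "PFDavg": {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)},
    "PFH": {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)},
}

@dataclass
class SafetyFunction:
    """One safety function allocated to an E/E/PE system (hypothetical type)."""
    name: str
    mode: str      # "low demand", "high demand" or "continuous"
    target: float  # required PFDavg, or PFH in 1/h, for this function

def target_failure_measure(sf: SafetyFunction) -> str:
    try:
        return MEASURE_FOR_MODE[sf.mode]
    except KeyError:
        raise ValueError(f"{sf.name}: unknown mode of operation {sf.mode!r}") from None

def sil_for(sf: SafetyFunction) -> Optional[int]:
    """SIL for the required target; None means less rigorous than SIL1 (standard does not apply)."""
    bands = BANDS[target_failure_measure(sf)]
    for sil in (4, 3, 2, 1):  # most rigorous band first
        lower, upper = bands[sil]
        if lower <= sf.target < upper:
            return sil
    if sf.target < bands[4][0]:
        raise ValueError(f"{sf.name}: target {sf.target} is more rigorous than SIL4")
    return None

def system_sil(functions: List[SafetyFunction], independent: bool = False) -> Dict[str, Optional[int]]:
    """SIL applying to each function when all share one E/E/PE system: without sufficient
    independence between implementations the highest SIL applies to the entire system."""
    own = {sf.name: sil_for(sf) for sf in functions}
    rated = [s for s in own.values() if s is not None]
    if independent or not rated:  # independent, or every function is below SIL1
        return own
    return {name: max(rated) for name in own}

# Constructed sample allocation (illustrative values, not from any real assessment).
BLADE_INTERLOCK = SafetyFunction("blade interlock", "high demand", 3e-8)    # SIL 3 band
OVERTEMP_TRIP = SafetyFunction("overtemperature trip", "low demand", 5e-3)  # SIL 2 band
```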

Safety Functions and Safety-related systems

The IEC 61508 series defines safety as the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.

Therefore, it considers damage to property only insofar as it presents a risk of indirectly affecting people’s health.

Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. For example, an overtemperature protection device, using a thermal sensor in the windings of an electric motor to de-energise the motor before it can overheat, is an instance of functional safety. But providing specialised insulation to withstand high temperatures is not an instance of functional safety, although it is still an instance of safety and it could protect against the same hazard.

Neither safety nor functional safety can be determined without considering the systems as a whole and the environment with which they interact.

Generally, the significant hazards for equipment and any associated control system in its intended environment have to be identified by the developer via a risk assessment and a risk reduction process. The analysis determines whether functional safety is necessary to ensure adequate protection against each significant hazard. Therefore, functional safety is just one method of dealing with hazards; other means for their elimination or reduction, such as inherent safety through design, remain of primary importance.

The term safety-related, used in all functional safety standards, describes systems that are required to perform a specific function or functions to ensure risks are kept at an accepted level. Such functions are, by definition, safety functions.

Two types of requirements are necessary to achieve functional safety:

  • Safety function requirements: what the function does and
  • Safety integrity requirements: the likelihood of a safety function being performed satisfactorily.

The safety function requirements are derived from the hazard analysis and the safety integrity requirements are derived from a risk assessment. The higher the level of safety integrity, the lower the likelihood of dangerous failure.

Any system, implemented in any technology, which carries out safety functions is a safety-related system. A safety-related system may be separate from any equipment control system or the equipment control system may itself carry out safety functions. In the latter case, the equipment control system will be safety-related.

An Example of risk reduction through functional safety

Consider a machine with a rotating blade that is protected by a hinged solid cover. The blade is accessed for routine cleaning by lifting the cover. The cover is interlocked so that whenever it is lifted, an electromechanical or electronic circuit de-energises the motor and applies a brake. In this way, the blade is stopped before it could injure the operator. In order to ensure that safety is achieved, a risk assessment and a risk reduction are necessary.

  1. The first step is to identify the hazards associated with cleaning the blade. For this machine the analysis might show that it should not be possible to lift the hinged cover more than 5 mm without the brake activating and stopping the blade; the risk assessment has therefore established that the risk needs to be reduced. Further analysis could reveal that the time for the blade to stop shall be 1 s or less. We decide that the risk has to be reduced and that a safety-related control system will be used.
  2. At this point we need to determine the performance requirements of the safety function. The aim is to ensure that the safety integrity of the safety function is sufficient to ensure that no one is exposed to an unacceptable risk associated with this hazard.


The harm resulting from a failure of the safety function could be the amputation of the operator’s hand or could be just a bruise. The risk also depends on how frequently the cover has to be lifted, which might be many times during daily operation or it might be less than once a month.

The level of safety integrity required increases with the severity of injury and the frequency of exposure to the hazard.

The safety integrity of the safety function will depend on all the equipment that is necessary for the safety function to be carried out correctly: that means, the interlock, the associated electromechanical or electronic circuit and the braking system. Both the safety function and its safety integrity specify the required behaviour for the systems as a whole, within a particular environment.

To summarise, these two elements, “What the safety function shall do”, the safety function requirements, and “What degree of certainty is needed for the safety function”, the safety integrity requirements, are the foundations of functional safety.

Why IEC 61508 was written

Back in the ’90s, safety functions were more and more carried out by electronic or programmable electronic systems. These systems are usually complex, making it impossible, in practice, to fully determine every failure mode or to test all possible behaviours.

The challenge was to design the system in such a way as to prevent dangerous failures or to control them when they arise. Dangerous failures may arise from:

  • Incorrect specifications of the safety-related control system;
  • Omissions in the safety requirements specification (e.g. failure to develop all relevant safety functions during different modes of operation);
  • Random hardware failure mechanisms;
  • Systematic hardware failure mechanisms;
  • Software errors;
  • Common cause failures;
  • Human error;
  • Environmental influences (e.g. electromagnetic, temperature, mechanical phenomena).


IEC 61508 contains requirements to minimise these failures and build a reliable safety-related control system. Its aim was:

  • Release the potential of E/E/PE technology to improve machinery and process safety;
  • Enable technological developments to take place within an overall safety framework;
  • Provide a technically sound, system based approach, with sufficient flexibility for the future;
  • Provide a risk-based approach for determining the required performance of safety-related control systems;
  • Provide a generically-based standard that can be used directly by industry but can also help with developing sector standards (e.g. machinery, process chemical plants, medical or rail) or product standards (e.g. power drive systems);
  • Provide a means for users and regulators to gain confidence when using computer-based technology.