Introduction to IEC 61508

Ron Bell
Health & Safety Executive
Bootle, UK
[email protected]

Abstract

Over the past 25 years there have been a number of initiatives worldwide to develop guidelines and standards to enable the safe exploitation of programmable electronic systems used for safety applications. In the context of industrial applications (to distinguish from aerospace and military applications) a major initiative has been focussed on IEC 61508 and this standard is emerging as a key international standard in many industrial sectors.

This paper considers some of the key features of IEC 61508 and indicates some of the issues that are being considered in the current revision.

Keywords: IEC 61508, functional safety, safety integrity level, SIL

1 Background

During the 1980s computer based systems (generically referred to as programmable electronic systems (PESs)) were increasingly being used to carry out safety functions. The driving force was improved functionality and economic benefits (particularly when viewed on a total lifecycle basis). Also, the viability of certain designs could only be realised when computer technology was used. The adoption of PESs for safety purposes had, potentially, many safety advantages, but it was recognised that these would only be realised if appropriate design and assessment methodologies were used.

Many of the features of PESs do not enable the safety integrity (that is, the safety performance of the systems carrying out the required safety functions) to be predicted with the same degree of confidence that had traditionally been available for less complex hardware-based (“hardwired”) systems. It was recognised that whilst testing was necessary for complex systems it was not sufficient on its own. This meant that even if the PES was implementing relatively simple safety functions, the level of complexity of the programmable electronics was significantly greater than that of the hardwired systems that had traditionally been used.
This rise in complexity meant that the design and assessment methodologies had to be given much more consideration than previously was the case, and the level of personal competence required to achieve adequate levels of performance of the safety-related systems was correspondingly greater.

UK Crown Copyright 2005. This paper appeared at the ACS Workshop on Tools and Standards, Sydney. Conferences in Research and Practice in Information Technology, Vol. 55, Tony Cant, Ed. Reproduction for academic, not-for-profit purposes permitted provided this text is included.

In order to tackle these problems, several bodies published or began developing guidelines to enable the safe exploitation of PES technology. In the UK, the Health and Safety Executive (1987) developed and published guidelines for programmable electronic systems used for safety-related applications. In Germany, DIN (1990) published a standard and, in the USA, ISA (1996) developed a standard on programmable electronic systems for use in the process industries. Also in the USA, CCPS (1993) produced guidelines for the chemical process sector.

Initially the focus of standards developments during the early 1980s, in the context of PES applications, was on the software. However, it was becoming increasingly recognised that a holistic, systems based approach was necessary if an adequate level of safety performance were to be achieved. Such an approach meant addressing:

- The complete system carrying out the required safety function;
- The system architecture;
- Both random hardware failures and systematic failure (including software).

In September 1985, the International Electrotechnical Commission (IEC) set up a Task Group to assess the viability of developing a generic standard for PESs. The outcome was the setting up of a working group to develop a systems based approach. A working group had previously been set up to deal with safety-related software. The two working groups collaborated on the development of what was to become IEC 61508.
Also, the original scope of PESs was extended to include all types of electro-technical based technologies (electrical, electronic and programmable electronic systems). Parts 1-7 of IEC 61508 were published between 1998 and 2000. In 2005 IEC TR 61508-0 was published.

2 The Structure of IEC 61508

The overall title of IEC 61508 is “Functional safety of electrical, electronic and programmable electronic (E/E/PE) safety-related systems”. The Parts are as follows:

- Part 0: Functional safety and IEC 61508. Note: This has the status of a Technical Report and is purely informative.
- Part 1: General requirements;
- Part 2: Requirements for electrical, electronic and programmable electronic systems;
- Part 3: Software requirements;
- Part 4: Definitions and abbreviations;
- Part 5: Examples of methods for determination of safety integrity levels;
- Part 6: Guidelines on the application of Parts 2 and 3;
- Part 7: Overview of techniques and measures.

Parts 0, 5, 6 and 7 do not contain any normative requirements. Parts 1, 2 and 3 contain all the normative requirements and some informative requirements. The formal titles are given in Annex A.

Note: In IEC standards a normative requirement is prefaced by a “shall”.

Parts 1, 2, 3 and 4 of IEC 61508 are IEC basic safety publications. One of the responsibilities of IEC Technical Committees is, wherever practicable, to make use of these parts of IEC 61508 in the preparation of their own sector or product standards that have E/E/PE safety-related systems within their scope.

The basic safety publication status of IEC 61508 described above does not apply for low complexity E/E/PE safety-related systems. These are E/E/PE safety-related systems in which the failure modes of each individual component are well defined and the behaviour of the system under fault conditions can be completely determined. An example is a system comprising one or more limit switches, operating one or more contactors to de-energize an electric motor, possibly via interposing electromechanical relays.

IEC 61508 is both a stand-alone standard and can also be used as the basis for sector and product standards. In its latter role, it has been used to develop standards for both the process and machinery sectors and is currently being used to develop a standard for power drive systems. It has influenced, and will continue to influence, the development of E/E/PE safety-related systems and products across all sectors.

The application of IEC 61508 as a standalone standard includes the use of the standard:

- As a set of general requirements for E/E/PE safety-related systems where no application sector or product standards exist or where they are not appropriate;
- By suppliers of E/E/PE components and subsystems for use in all sectors (e.g. hardware and software of sensors, smart actuators, programmable controllers, data communication);
- By system builders to meet user specifications for E/E/PE safety-related systems;
- By users to specify requirements in terms of the safety functions to be performed together with the performance requirements of those safety functions;
- To facilitate the maintenance of the “as designed” safety integrity of E/E/PE safety-related systems;
- To provide the technical framework for conformity assessment and certification services;
- As a basis for carrying out assessments of safety lifecycle activities.

This concept is illustrated in Figure 1.

Figure 1: Standalone and sector/product standards. (The figure shows IEC 61508 used standalone, with systems, components and subsystems compliant to IEC 61508, and as the basis for sector and product implementations: IEC 62061 for machinery, IEC 61511 for process, IEC 61513 for nuclear, and a product standard for power drives (“IEC xxxxx”), with subsystems/components to IEC 61508 used in the sector implementations.)

Sector specific standards based on IEC 61508:

- Are aimed at system designers, system integrators and users;
- Take account of specific sector practice, which can allow less complex requirements;
- Use sector terminology to increase clarity;
- May specify particular constraints appropriate for the sector;
- Usually rely on the requirements of IEC 61508 for detailed design of subsystems;
- May allow end users to achieve functional safety without having to consider IEC 61508 themselves.

3 Scope of IEC 61508

IEC 61508 is mainly concerned with E/E/PE safety-related systems whose failure could have an impact on the safety of persons and/or the environment. However, it was recognized that the consequences of failure could have serious economic implications and in such cases the standard could be used to specify any E/E/PE system used for the protection of equipment or product.

Note: This has important implications since it means that IEC 61508, which is identified with functional safety, can be used for the specification and implementation of systems where the functional performance parameter is not safety but, for example, environmental protection or asset protection.

Some of the key features of IEC 61508 are set out below.

- It enables application sector international standards, dealing with safety-related E/E/PESs, to be developed. This should lead to a high level of consistency (for example, of underlying principles, terminology etc.) both within application sectors and across application sectors; this will have both safety and economic benefits.
- It provides a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems.
- It uses safety integrity levels for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems.
- It adopts a risk-based approach for the determination of the safety integrity level requirements.
- It sets numerical target failure measures for E/E/PE safety-related systems that are linked to the safety integrity levels.
- It sets a lower limit on the target failure measures, in a dangerous mode of failure, that can be claimed for a single E/E/PE safety-related system; for E/E/PE safety-related systems operating in:
  - A low demand mode of operation, the lower limit is set at an average probability of failure of 10^-5 to perform its design function on demand;
  - A high demand or continuous mode of operation, the lower limit is set at a probability of a dangerous failure of 10^-9 per hour.
  Note: A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
- It adopts a broad range of principles, techniques and measures to achieve functional safety for E/E/PE safety-related systems.
The standard does not use the concept of fail-safe, which may be appropriate when the failure modes are well defined and the level of complexity is relatively low, but is inappropriate in view of the wide range of complexity of E/E/PE safety-related systems that are within the scope of the standard.

4 What is functional safety?

Safety is defined as the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.

Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. For example, an over-temperature protection device, using a thermal sensor in the windings of an electric motor to de-energise the motor before the windings can overheat, is an instance of functional safety.

Neither safety nor functional safety can be determined without considering the systems as a whole and the environment with which they interact.

5 Strategy to Achieve Functional Safety

The strategy for achieving functional safety is made up of the following key elements:

- Management of functional safety;
- Technical requirements for each phase of the Overall, E/E/PES and Software Safety Lifecycles;
- Competence of persons (currently no normative requirements);
- Functional safety assessment.

IEC 61508 uses three safety lifecycles in order that all relevant phases are addressed. They are:

- The Overall Safety Lifecycle (see Figure B1 in Annex B);
- The E/E/PES Safety Lifecycle (see Figure B2 in Annex B);
- The Software Safety Lifecycle (see Figure B3 in Annex B).

In order to deal in a systematic manner with all the activities necessary to achieve the required safety integrity level for the E/E/PE safety-related systems, IEC 61508 adopts the overall safety lifecycle as the technical framework and this should be used as a basis for claiming conformance to IEC 61508.
A different overall safety lifecycle can be used to that given in Figure B1, providing the objectives and requirements of each clause of this standard are met.

The overall safety lifecycle encompasses the following risk reduction measures:

- E/E/PE safety-related systems;
- Other technology safety-related systems;
- External risk reduction facilities.

The portion of the overall safety lifecycle dealing with E/E/PE safety-related systems is expanded and shown in Figure B2. This is termed the E/E/PES safety lifecycle and forms the technical framework for IEC 61508-2. The software safety lifecycle is shown in Figure B3 and forms the technical framework for IEC 61508-3.

The overall, E/E/PES and software safety lifecycle figures are simplified views of reality and as such do not show all the iterations relating to specific phases or between phases. Iteration, however, is an essential and vital part of development through the overall, E/E/PES and software safety lifecycles.

Activities relating to the management of functional safety, verification and functional safety assessment are not shown on the overall, E/E/PES or software safety lifecycles. This has been done in order to reduce the complexity of the overall, E/E/PES and software safety lifecycle figures. These activities, where required, will need to be applied at the relevant phases of the overall, E/E/PES and software safety lifecycles.

Evidence of the need to adopt an approach that covers all phases of the overall safety lifecycle is illustrated in a study undertaken by the Health and Safety Executive

(1995). The study analysed a number of accidents and incidents involving safety-related control systems. Figure 2 shows the primary cause of failure by each lifecycle phase.

Note: It is acknowledged that because of the small sample size the results of the analysis have low statistical significance, and therefore care needs to be taken in using these results to generalise for all control system failures. Even so, there are many useful lessons to be learned from summaries of incidents such as these.

Figure 2: Primary cause, by phase, of control system failures
- Specification: 44.1%
- Design and implementation: 14.7%
- Installation and commissioning: 5.9%
- Changes after commissioning: 20.6%
- Operation and maintenance: 14.7%

The analysis suggests that most control system failures may have their root cause in an inadequate specification. In some cases this was because insufficient hazard analysis of the equipment under control had been carried out; in others it was because the impact on the specification of a critical failure mode of the control system had not been assessed.

The control system needs to be continually reviewed throughout all lifecycle phases, both from the perspective of the equipment under control and the detailed design and implementation of the control system itself. Otherwise the end result is a machine, or plant, with inadequate protection against the hazardous events.

Other studies provide support for these conclusions. In the area of software development a number of studies have shown that errors made during specification account for most software faults and failures.

Based on the HSE study, more than 60% of failures were “built in” to the safety-related system before being taken into service. Whilst the primary causes by phase will vary depending upon the sector and complexity of the application, what is self-evident is that it is important that all phases of the lifecycle be addressed if functional safety is to be achieved.

6 The Essence of Functional Safety

A cornerstone of functional safety is the safety function. The safety function is defined as follows:

“Function to be implemented by an E/E/PE safety-related system which is intended to achieve or maintain a safe state for the equipment under control in respect of a specific hazardous event”.

If the safety function is performed the hazardous event will not take place. The safety function is determined from the hazard analysis. It is the safety function that determines what has to be done to achieve or maintain a safe state for the equipment under control and it is the safety function that is the basis of the functional specification of the safety-related system.

It is necessary to determine the safety performance of each safety function and IEC 61508 adopts a risk-based approach to achieve this. The safety performance is referred to as the safety integrity and is determined from the risk assessment. This is illustrated in Figure 3.

Figure 3: Safety function and safety integrity of the safety function
- Safety function (“what has to be done”): determined from the hazard analysis.
- Safety integrity of the safety function (the “safety performance” of the safety function): determined from the risk assessment.
Example. Safety function: In order to prevent the rupture of pressure vessel “X”, valve “Y” should open in 2 seconds when the pressure in the vessel reaches 2.6 bar. The safety integrity of the safety function shall be “SIL 2”.

7 Safety-Related System

A safety-related system is a system that is capable of carrying out the requirements specified in each safety function and also capable of carrying them out with the required safety integrity. It is the safety integrity requirement of the safety function that sets the safety integrity requirements for the safety-related system. A safety-related system will carry out many safety functions and must be of sufficient safety integrity to carry out the safety function with the highest safety integrity requirement (unless special measures are taken).

8 Safety Integrity Levels

The failure categories in IEC 61508 relate to failures arising from (1) random hardware failures and (2) systematic failures (see Figure 4). The challenge to anyone designing a complex system such as a programmable electronic system is to determine how much rigour/assurance/confidence is necessary for the specified safety performance level. IEC 61508 tackles this on the following basis:

- That it is possible to quantify the random hardware failures and therefore estimate whether the target failure measure has been achieved.
- That it is not usually possible to quantify those elements giving rise to systematic failure behaviour.
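The quantifiable side of this basis is worked through in the following added example, which is not code from the paper or from IEC 61508 itself. It encodes the SIL bands of Tables 1 and 2 and the mode-of-operation rule set out in the remainder of this section, together with the risk-based determination of Section 9, and applies them to constructed inputs. Three points are modelling assumptions of mine rather than statements of the paper: a band written “10^-a to 10^-b” is read as the half-open interval [10^-a, 10^-b); in low demand mode the hazardous event frequency is taken as demand frequency multiplied by the average probability of failure on demand and by a “residual” factor standing for the other risk reduction measures the paper mentions; and in high demand or continuous mode the target probability of dangerous failure per hour is taken directly from the tolerable event frequency, which is why the demand rate drops out there, as the paper notes.

```python
"""Worked example (added; not the paper's or IEC's code): mode of operation,
SIL bands (Tables 1 and 2) and the risk-based target failure measure of
Section 9. Half-open bands, the product relation for low demand mode and the
'residual' factor for other risk reduction measures are assumptions of this
example, not statements of the paper."""
from enum import Enum

HOURS_PER_YEAR = 8760.0


class Mode(Enum):
    LOW_DEMAND = "low demand"
    HIGH_DEMAND_OR_CONTINUOUS = "high demand or continuous"


# Table 1: average probability of failure to perform the design function on demand.
LOW_DEMAND_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# Table 2: probability of a dangerous failure per hour.
HIGH_DEMAND_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
# Section 3: lowest target failure measure a single E/E/PE safety-related system may claim.
SINGLE_SYSTEM_FLOOR = {Mode.LOW_DEMAND: 1e-5, Mode.HIGH_DEMAND_OR_CONTINUOUS: 1e-9}


def mode_of_operation(demands_per_year: float, proof_tests_per_year: float) -> Mode:
    """Low demand only if demands are no more frequent than one per year AND no
    more frequent than twice the proof-test frequency; otherwise high demand
    or continuous."""
    if demands_per_year <= 1.0 and demands_per_year <= 2.0 * proof_tests_per_year:
        return Mode.LOW_DEMAND
    return Mode.HIGH_DEMAND_OR_CONTINUOUS


def target_failure_measure(mode: Mode, tolerable_events_per_year: float,
                           demands_per_year: float, residual: float = 1.0) -> float:
    """Failure measure the safety-related system must meet so that the hazardous
    event frequency does not exceed the tolerable frequency, after crediting
    other risk reduction measures. 'residual' is the fraction of risk those
    other measures leave (1.0 when there are none); assumption of this example."""
    if not 0.0 < residual <= 1.0:
        raise ValueError("residual must lie in (0, 1]")
    if mode is Mode.LOW_DEMAND:
        # event frequency = demands x PFDavg x residual, solved for PFDavg
        return tolerable_events_per_year / (demands_per_year * residual)
    # a dangerous failure leads to the event directly: PFH from the hourly tolerable rate
    return (tolerable_events_per_year / HOURS_PER_YEAR) / residual


def claimable_by_single_system(target: float, mode: Mode) -> bool:
    """False when the target is more demanding than the Section 3 floor, i.e. one
    E/E/PE safety-related system cannot be credited with it on its own."""
    return target >= SINGLE_SYSTEM_FLOOR[mode]


def sil_for_target(target: float, mode: Mode) -> int:
    """Look the target up in Table 1 or Table 2. Returns 0 when the target is
    less demanding than the SIL 1 band, i.e. no SIL rating is required."""
    if not claimable_by_single_system(target, mode):
        raise ValueError(f"target {target:.2e} is below the floor for a single system; "
                         "credit other risk reduction measures or add another system")
    bands = LOW_DEMAND_BANDS if mode is Mode.LOW_DEMAND else HIGH_DEMAND_BANDS
    for sil in (4, 3, 2, 1):
        lower, upper = bands[sil]
        if lower <= target < upper:
            return sil
    return 0


def determine_sil(demands_per_year: float, proof_tests_per_year: float,
                  tolerable_events_per_year: float, residual: float = 1.0):
    """The whole chain of Sections 8 and 9: mode, then target, then SIL."""
    mode = mode_of_operation(demands_per_year, proof_tests_per_year)
    target = target_failure_measure(mode, tolerable_events_per_year, demands_per_year, residual)
    return mode, target, sil_for_target(target, mode)


if __name__ == "__main__":
    # Constructed inputs in the spirit of the Figure 3 example: a trip demanded
    # about once in five years and proof-tested yearly, against a tolerable
    # rupture frequency of 1e-5 per year; then the same with a tenfold credit
    # for another measure; then a high demand function demanded 100 times a year.
    for args in [(0.2, 1.0, 1e-5), (0.2, 1.0, 1e-5, 0.1), (100.0, 1.0, 1e-4)]:
        mode, target, sil = determine_sil(*args)
        print(f"{args}: {mode.value}, target {target:.2e}, SIL {sil}")
```

The three constructed cases show the points the paper makes in words: the low demand function needs SIL 4 on its own, drops to SIL 3 once another risk reduction measure is credited, and the high demand function lands in SIL 3 without the demand rate entering the calculation. A target below the Section 3 floor raises an error rather than a SIL, since a single system cannot claim it.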

IEC 61508 sets four Safety Integrity Levels (SILs). SIL 1 is the lowest and SIL 4 is the highest level of safety integrity. Each SIL has a target failure measure. It is the SIL of the safety function(s) to be carried out by a safety-related system that determines the measures that need to be taken in the design of the safety-related system. Therefore, for:

- Systematic safety integrity: “packages” of measures are used for different systematic failure mechanisms and these increase in assurance/confidence the higher the SIL.
- Hardware safety integrity: quantitative modelling of the random hardware failures together with specified fault tolerance requirements graded against the SIL, but with reduced fault tolerance requirements if certain diagnostic coverage levels have been achieved.

This concept is illustrated in Figure 4.

Figure 4: Achievement of safety integrity to meet specified SIL. (The figure shows the requirements specification leading to two strands: systematic safety integrity, covering systematic hardware failures, software, EMI, etc., achieved by qualitative measures to meet the specified SIL; and hardware safety integrity, covering random hardware failures and fault tolerance, achieved by quantitative target failure measures to meet the specified SIL and minimum fault tolerance for the specified SIL.)

The target failure measures for E/E/PE safety-related systems carrying safety functions of specified SILs are set out in Tables 1 and 2. It can be seen from Tables 1 and 2 that the SILs are linked to the target failure measures depending upon the mode of operation.

The mode of operation is an important concept and is the way in which a safety-related system is intended to be used, with respect to the frequency of demands made upon it, which may be either:

- Low demand mode: where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof-test frequency;
- High demand or continuous mode: where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof-test frequency.

Safety functions operating in a:

- Low demand mode of operation would typically be implemented by a protection system architecture (see Figure 5);
- High demand mode of operation would typically be implemented by a protection system architecture or a safety-related control system architecture (see Figure 5);
- Continuous mode of operation would typically be implemented by a safety-related control system architecture (see Figure 5).

Figure 5: Safety-related system architectures. (The figure contrasts a protection system architecture, in which a separate E/E/PE safety-related system acts on the Equipment Under Control (EUC) alongside the EUC control system, with a safety-related control system architecture, in which the EUC safety-related control system itself acts on the EUC.)

It should be noted that when determining the SIL, from a basis of knowing the target failure measure (which is established from the tolerable risk), the demand rate is relevant when the safety function is operating in a low demand mode of operation but not when the safety function is operating in a high demand or continuous mode of operation.

Table 1: Safety integrity levels: target failure measures for a safety function operating in a low demand mode of operation.

Safety integrity level    Low demand mode of operation (average probability of failure to perform its design function on demand)
4                         10^-5 to 10^-4
3                         10^-4 to 10^-3
2                         10^-3 to 10^-2
1                         10^-2 to 10^-1

Table 2: Safety integrity levels: target failure measures for a safety function operating in a high demand or continuous mode of operation.

Safety integrity level    High demand or continuous mode of operation (probability of a dangerous failure per hour)
4                         10^-9 to 10^-8
3                         10^-8 to 10^-7
2                         10^-7 to 10^-6
1                         10^-6 to 10^-5

9 Risk Based Approach

The required safety integrity of the E/E/PE safety-related system, with respect to a specific safety function, must be of such a level as to ensure that:

(1) The failure frequency of the safety-related systems is sufficiently low to prevent the hazardous event frequency exceeding that required to meet the tolerable risk, and/or
(2) The safety-related systems modify the consequences of failure to the extent required to meet the tolerable risk.

The failure frequency, with respect to a specific safety function, of the safety-related systems necessary to meet the tolerable risk (see (1) above) is determined taking into account any other risk reduction measures such as other safety-related systems and any legitimate managed risk reduction measures.

The determination of this failure frequency, with respect to a specified safety function, allows the target failure measure to be established and then the SIL to be established (from the linkage of SILs to target failure measures in Table 1 or Table 2).

The determination of the SIL for a specified safety function then allows the design process for the E/E/PE safety-related system to proceed (see Figure 4).

10 Revision of IEC 61508

IEC 61508 is currently being revised and it can be seen from the revision schedule in Table 3 that the first opportunity that National Committees will have to comment on Parts 1-4 will be in November 2005. The two IEC Maintenance Teams involved in the revision will then address the comments. Parts 1-4 will then be reissued, together with Parts 5-7, for comment and voting in December 2006. The Final Draft for comment and voting will be issued to National Committees in January 2007 with a target date for publication of the revised standard of May 2008.

Prior to the revision process beginning in earnest, National Committees submitted their comments on the current standard.
The National Committee comments are the key input to the revision process.

A key consideration during the revision process has been the need to ensure that any changes proposed add real value to the standard, and to balance any perceived benefits of changes to the standard against the economic costs to users of the standard of implementing them. Increased costs of additional requirements in the standard would impact on all users but would have a significant impact on those organisations that have invested in the current standard.

The Maintenance Teams considered a very large number of issues including:

- Clarity of requirements: The need to make clearer the compliance requirements related to elements. The concept of “SIL capability” will be proposed to address the systematic aspects. It is hoped this will be of benefit to manufacturers of subsystems.
- Programmable devices such as ASICs: Proposals covering ASICs will be included in the Draft.
- Component criticality: This concept, which relates to systematic issues, would allow the synthesis of two elements of, say, “SIL 1 capability” to be considered as an element of “SIL 2 capability” providing specific requirements for independence are met. A proposal on this concept will be in the Draft.
- Security: Currently the standard does not explicitly cover security considerations. The standard requires (IEC 61508-1): “The hazards and hazardous events of the EUC and EUC* control system shall be determined under all reasonably foreseeable circumstances (including fault conditions and reasonably foreseeable misuse)”. Whilst it could be argued that the words “... under all reasonably foreseeable circumstances” are sufficient to cover security considerations, it is proposed to address this issue at the systems level and if necessary refer out to standards that have a specific remit to deal with security issues.
- Proven-in-use: The standard covers this concept but it is being revised and further development is being considered.
- Digital communications: The current requirements in the standard will be clarified and further elaborated.

*Note: EUC = Equipment Under Control

Table 3: Revision Schedule for IEC 61508

Milestone                                                                          Target date
Parts 1-4: Draft issued to National Committees for comment.                        11/2005
Parts 1-7: Committee Draft issued to National Committees for comment and voting.   12/2006
Parts 1-7: Final Draft issued to National Committees for comment and voting.       1/2008
Publication of the revised IEC 61508.                                              5/2008

11 References

Health and Safety Executive (1987). “Programmable electronic systems in safety-related applications”: “1. An introductory guide”, ISBN 011 8839062; “2. General technical guidelines”, ISBN 011 8839063.

DIN (1990): DIN VDE 0801 “Principles for computers in safety-related systems” (“Grundsätze für Rechner in System mit Sicherheitsaufgaben”).

ISA (1996): “Application of safety instrumented systems for the process industries”. Published by ISA, NC 27709, USA.

CCPS (1993): “Guidelines for Safe Automation of Chemical Processes”. Published by the Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York NY 10017, USA.

Health and Safety Executive (1995): “Out of Control (why control systems go wrong and how to prevent failure)”. HSE Books 2003. ISBN 0 7176 2192 8.

12 Further information

- IEE Functional Safety Professional
- Functional and IEC 61508
- IEC 61508 Brochure
- FAQ's on IEC 61508

Annex A: The Parts of IEC 61508

- IEC TR 61508-0: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 0: Functional safety and IEC 61508
- IEC 61508-1: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
- IEC 61508-2: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
- IEC 61508-3:1998: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements
- IEC 61508-4:1998: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
- IEC 61508-5:1998: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 5: Examples of methods for the determination of safety integrity levels
- IEC 61508-6: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 6: Guidelines on the application of parts 2 and 3
- IEC 61508-7: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 7: Overview of techniques and measures

Annex B: IEC 61508 Safety Lifecycles

Figure B1: Overall Safety Lifecycle. (Only the box labels survive from the figure; they are listed here by box number.)
1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Overall planning: 6 Overall operation and maintenance planning; 7 Overall safety validation planning; 8 Overall installation and commissioning planning
Realisation (see E/E/PES safety lifecycle): 9 Safety-related systems: E/E/PES; 10 Safety-related systems: other technology; 11 External risk reduction facilities
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit (back to appropriate overall safety lifecycle phase)
16 Decommissioning or disposal

Figure B2: E/E/PES Safety Lifecycle (expansion of box 9 of Figure B1, Safety-related systems: E/E/PES; one E/E/PES safety lifecycle for each E/E/PE safety-related system).
9.1 E/E/PES safety requirements specification: 9.1.1 Safety functions requirements specification; 9.1.2 Safety integrity requirements specification
9.2 E/E/PES safety validation planning
9.3 E/E/PES design and development
9.4 E/E/PES integration
9.5 E/E/PES operation and maintenance procedures
9.6 E/E/PES safety validation
(Exits to box 12 and box 14 in Figure B1.)

Figure B3: Software Safety Lifecycle. (Only the start of the figure survives: Software safety lifecycle; 9.1 Software safety requirements specification; 9.1.1 Safety functions ...)
