e-dokumen.com

Some of the key features of IEC 61508 are set out below.1.2.3.4.5.6.It enables application sector international standards,dealing with safety-related E/E/PESs, to bedeveloped. This should lead to a high level ofconsistency (for example, of underlying principles,terminology etc.) both within application sectors andacross application sectors; this will have both safetyand economic benefits.It provides a method for the development of thesafety requirements specification necessary toachieve the required functional safety for E/E/PEsafety-related systems.It uses safety integrity levels for specifying the targetlevel of safety integrity for the safety functions to beimplemented by the E/E/PE safety-related systems.It adopts a risk-based approach for the determinationof the safety integrity level requirements.It sets numerical target failure measures for E/E/PEsafety-related systems that are linked to the safetyintegrity levels.It sets a lower limit on the target failure measures, ina dangerous mode of failure, that can be claimed fora single E/E/PE safety-related system; for E/E/PEsafety-related systems operating in: A low demand mode of operation, the lowerlimit is set at an average probability of failure of10–5 to perform its design function on demand, A high demand or continuous mode ofoperation, the lower limit is set at a probabilityof a dangerous failure of 10–9 per hour.Note:A single E/E/PE safety-related system does notnecessarily mean a single-channel architecture.It adopts a broad range of principles, techniques andmeasures to achieve functional safety for E/E/PE safetyrelated systems. The standard does not use the concept offail-safe, which may be appropriate when the failuremodes are well defined and the level of complexity isrelatively low, but inappropriate in view of the widerange of complexity of E/E/PE safety-related systems thatare within the scope of the standard.4What is functional safety?Safety is defined as the freedom from unacceptable risk ofphysical injury or of damage to the health of people,either directly, or indirectly as a result of damage toproperty or to the environment.Functional safety is part of the overall safety that dependson a system or equipment operating correctly in responseto its inputs. For example, an over temperature protectiondevice, using a thermal sensor in the windings of anelectric motor to de-energise the motor before they canoverheat, is an instance of functional safety.Neither safety nor functional safety can be determinedwithout considering the systems as a whole and theenvironment with which they interact.5Strategy to Achieve Functional Safety?The strategy for achieving functional safety is made up ofthe following key elements: Management of functional safety; Technical requirements for each phase of theOverall. E/E/PES and Software SafetyLifecycles; Competence of persons (currently no normativerequirements); Functional safety assessment.IEC 61508 uses three safety lifecycles in order that allrelevant phases are addressed. They are: The Overall Safety Lifecycle (see Figure B1 inAnnex B); The E/E/PES Safety Lifecycle (see Figure B2 inAnnex B); The Software Safety Lifecycle (see Figure B3 inAnnex B).In order to deal in a systematic manner with all theactivities necessary to achieve the required safetyintegrity level for the E/E/PE safety-related systems, IEC61508 adopts the overall safety lifecycle as the technicalframework and this should be used as a basis for claimingconformance to IEC 61508. A different overall safetylifecycle can be used to that given in Figure B1,providing the objectives and requirements of each clauseof this standard are met.The overall safety lifecycle encompasses the followingrisk reduction measures: E/E/PE safety-related systems; Other technology safety-related systems; External risk reduction facilities.The portion of the overall safety lifecycle dealing withE/E/PE safety-related systems is expanded and shown inFigure B2. This is termed the E/E/PES safety lifecycleand forms the technical framework for IEC 61508-2. Thesoftware safety lifecycle is shown in Figure B3 and formsthe technical framework for IEC 61508-3.The overall, E/E/PES and software safety lifecyclefigures are simplified views of reality and as such do notshow all the iterations relating to specific phases orbetween phases. Iteration, however, is an essential andvital part of development through the overall, E/E/PESand software safety lifecycles.Activities relating to the management of functionalsafety, verification and functional safety assessment arenot shown on the overall, E/E/PES or software safetylifecycles. This has been done in order to reduce thecomplexity of the overall, E/E/PES and software safetylifecycle figures. These activities, where required, willneed to be applied at the relevant phases of the overall,E/E/PES and software safety lifecycles.Evidence of the need to adopt an approach that covers allphases of the overall safety lifecycle is illustrated in astudy undertaken by the Health and Safety Executive

(1995). The study analysed a number of accidents anincidents involving the safety-related control systems.Figure 2 shows the primary cause of failure by eachlifecycle phase.Note: It is acknowledged that because of the small sample sizethe results of the analysis have low statistical significance, andtherefore care needs to be taken in using these results togeneralise for all control system failures. Even so, there aremany useful lessons to be learned from summaries of incidentssuch as these.The analysis suggests that most control system failuresmay have their root cause in an inadequate specification.In some cases this was because insufficient hazardanalysis of the equipment-under-control had been carriedout; in others it was because the impact on thespecification of a critical failure mode of the controlsystem had not been assessed.maintain a safe state for the equipment under control inrespect of a specific hazardous event”.If the safety function is performed the hazardous eventwill not take place. The safety function is determinedfrom the hazard analysis. It is the safety function thatdetermines what has to be done to achieve or maintain asafe state for the equipment under control and it is thesafety function that is the basis of the functionalspecification of the safety-related system.It is necessary to determine the safety performance ofeach safety function and IEC 61508 adopts a risk-basedapproach to achieve this. The safety performance isreferred to as the safety integrity and is determined fromthe risk assessment. This is illustrated in Figure 3.Determined fromthe hazard analysisThe control system needs to be continually reviewedthroughout all lifecycle phases, both from the perspectiveof the equipment-under-control and the detailed designand implementation of the control system itself.Otherwise the end result is a machine, or plant, withinadequate protection against the hazardous events.SafetyfunctionDetermined fromthe risk assessmentSafetyintegrity ofsafetyfunctionOther studies provide support for these conclusions. Inthe area of software development a number of studieshave shown that errors made during specification accountfor most software faults and failures.Based on the HSE study, more than 60% of failures were“built in” to the safety-related system before being takeninto service. Whilst the primary causes by phase willvary depending upon the sector and complexity of theapplication, what is self-evident is that it is important thatall phases of the lifecycle be addressed if functionalsafety is to be achieved.44.1%Specification14.7%Design &implementation5.9%Installation &commissioning20.6%Changes aftercommissioning14.7%Operation &maintenanceFigure 2: Primary cause, by phase, of control system failures6The Essence of Functional SafetyA cornerstone of functional safety is the safety function.The safety function is defined as follows:“Function to be implemented by an E/E/PE safety-relatedsystem which is intended to achieve or“what has to be done”the “safety performance” of thesafety function”Example!Safety function: In order to prevent the rupture of pressurevessel “X”, valve “Y” should open in 2 seconds when thepressure in the vessel reaches 2.6 bar.! The safety integrity of the safety function shall be “SIL 2”.Figure 3: Safety function & safety integrity ofthe safety function7Safety-Related SystemA safety-related system is a system that is capable ofcarrying the requirements specified in each safetyfunction and also capable of carrying them out with therequired safety integrity. It is the safety integrityrequirement of the safety function that sets the safetyintegrity requirements for the safety-related system. Asafety-related system will carry out many safety functionsand must be of sufficient safety integrity to carry out thesafety function with the highest safety integrityrequirement (unless special measures are taken)8Safety Integrity LevelsThe failure categories in IEC 61508 relate to failuresarising from (1) random hardware failures and (2)systematic failures (see Figure 4). The challenge toanyone designing a complex system such as aprogrammable electronic system is to determine howmuch rigour/assurance/confidence is necessary for thespecified safety performance level. IEC 61508 tacklesthis on the following basis: That it is possible to quantify the randomhardware failures and therefore estimate whetherthe target failure measure has been achieved. That is not usually possible to quantify thoseelements giving rise to systematic failurebehaviour.

IEC 61508 sets four Safety Integrity Levels (SILs). SIL 1is the lowest and SIL 4 is the highest level of safetyintegrity. Each SIL has a target failure measure. It is theSIL of the safety function(s) to be carried out by a safetyrelated system that determines the measures that need tobe taken in the design of the safety-related system.Therefore, for: Systematic Safety Integrity: “Packages” ofmeasures are used for different systematicfailure mechanisms and these are in urance/confidence the higher the SIL. Hardware Safety Integrity:Quantitativemodelling of the random hardware failuretogether with specified fault tolerancerequirements graded against the SIL but withreduced fault tolerance requirements if certaindiagnostic coverage levels have been achieved. architecture or a safety-related control systemarchitecture (see Figure 5);Continuous mode of operation would typicallybe implemented by a safety-related controlsystem architecture (see Figure 5).Protection systemarchitectureSafety-related control systemarchitectureEUC controlsystemEUC safety-relatedcontrol systemEquipment UnderControl[EUC]Equipment UnderEUCControl[EUC]E/E/PE safety-relatedsystemThis concept is illustrated in Figure 4.Figure 5: Safety-related system architecturesSystematicSafety IntegrityQualitative measures tomeet specifIed SILSafetyHardware Integrity!Quantitative target failuremeasures to meet specified!Minimum fault tolerance forspecified SILRequirements specSystematic hardwareRandom hardware failuresSoftwareEMIFault toleranceetcFigure 4: Achievement of safety integrity to meetspecified SILThe target failure measures for E/E/PE safety-relatedsystems carrying safety functions of specified SILs are setout in Tables 1 and 2. It can be seen from Tables 2 and 3that the SILs are linked to the target failure measuresdepending upon the mode of operation.The mode of operation is an important concept and is theway in which a safety-related system is intended to beused, with respect to the frequency of demands madeupon it, which may be either: Low demand mode: where the frequency ofdemands for operation made on a safety-relatedsystem is no greater than one per year and nogreater than twice the proof-test frequency; High demand or continuous mode: where thefrequency of demands for operation made on asafety-related system is greater than one per yearor greater than twice the proof-check frequencySafety functions operating in a: Low demand mode of operation would typicallybe implemented by a protection systemarchitecture (see Figure 5); High demand mode of operation would typicallybe implemented by a protection systemIt should be noted that when determining the SIL, from abasis of knowing the target failure measure (which isestablished from the tolerable risk), the demand rate isrelevant when the safety function is operating in a lowdemand mode of operation but not when the safetyfunction is operating in a high demand or continuousmode of operation.Table 1: Safety integrity levels: target failuremeasures for a safety function operating in a lowdemand mode of operation.SafetyintegritylevelLow demand mode of operation4 10 –5 to 10 –43 10 –4 to 10 –32 10 –3 to 10 –21 10 –2 to 10 –1(Average probability of failure toperform its design function ondemand)Table 2: Safety integrity levels: target failuremeasures for a safety function operating in ahigh demand or continuous mode of operation.SafetyintegritylevelHigh demand or continuous modeof operation4 10 –9 to 10 –83 10 –8 to 10 –72 10 –7 to 10 –6(Probability of a dangerous failureper hour)

1 10 –6 to 10 –59Risk Based ApproachThe required safety integrity of the E/E/PE safety-relatedsystem, with respect to a specific safety function, must beof such a level as to ensure that: The failure frequency of the safety-relatedsystems is sufficiently low to prevent thehazardous event frequency exceeding thatrequired to meet the tolerable risk, and/or The safety-related systems modify theconsequences of failure to the extent required tomeet the tolerable risk. The failure frequency, with respect to a specific safetyfunction, of the safety-related systems necessary to meetthe tolerable risk (see (1) above) is determined taking intoaccount any other risk reduction measures such as othersafety-related systems and any legitimate managed riskreduction measures. The determination of this failure frequency, with respectto a specified safety function, allows the target failuremeasure to be established and then the SIL to beestablished (from the linkage of SILs to target failuremeasures in Table 1 or Table 2).The determination of the SIL for a specified safetyfunction then allows the design process for the E/E/PEsafety-related system to proceed (see Figure 4). 10 Revision of IEC 61508IEC 61508 is currently being revised and it can be seenfrom the revision schedule in Table 3, that the firstopportunity that National Committees will have tocomment on Parts 1-4 will be in November 2005. Thetwo IEC Maintenance Teams involved in the revision willthen address the comments. Parts 1-4 will then be reissued, together with Parts 5-7, for comment and votingin December 2006. The Final Draft for comment andvoting will be issued to National Committees in January2007 with a target date for publication of the revisedstandard of May 2008.Prior to the revision process beginning in earnest,National Committees submitted their comments on thecurrent standard. The National Committee comments arethe key input to the revision process.A key consideration during the revision process has beenthe need to ensure that any changes proposed added realvalue to standard and to balance any perceived benefitsmade to the standard against the economic costs to users’of the standard of implementing the changes. Increasedcosts of additional requirements in the standard wouldimpact on all users but would have a significant impacton those organisations that have invested in the currentstandard.The Maintenance Teams considered a very large numberof issues including: Clarity of requirements: The need to makeclearer the compliance requirements related toelements. The concept of “SIL capability” willbe proposed to address the systematic aspects. Itis hoped this will be of benefit to manufacturersof subsystems.Programmable devices such as ASICS:Proposals covering ASICS will be included inthe Draft.Component Criticality: This concept, whichrelates to systematic issues, would allow thesynthesis of two elements of, say, “SIL 1capability” to be considered as an element of“SIL 2capability” providing specificrequirements for independence are met. Aproposal on this concept will be in the Draft.Security:Currently the standard does notexplicitly cover security considerations. Thestandard requires; “IEC 61508-1; 7.4.2.3: Thehazards and hazardous events of the EUC andEUC* control system shall be determined underall reasonably foreseeable circumstances(including fault conditions and reasonablyforeseeable misuse)”. Whilst it could be arguedthat the words “ . under all reasonablyforeseeable circumstances” are sufficient tocover security considerations, it is proposed toaddress this issue at the systems level and ifnecessary refer out to standards that have aspecific remit to deal with security issues.Proven-in-use:The standard covers thisconcept but is being revised and furtherdevelopment is being considered.Digital communications:The currentrequirements in the standard will be clarified andfurther elaborated.*Note: EUC Equipment Under ControlTable 3: Revision Schedule for IEC 61508MilestoneTargetdateNational11/2005Parts 1-7: Committee Draft issued toNational Committees for comment andvoting.12/2006Parts 1-7: Final Draft issued NationalCommittees for comment and voting.1/2008Publication of the revised IEC615085/2008Parts 1-4: Draft issuedCommittees for comment.11toReferencesHealth and Safety Executive (1987). “Programmableelectronic systems in safety-related applications”: “1.An introductory guide”, ISBN 011 8839062 “2.General technical guidelines”, ISBN 011 8839063.

DIN (1990): DIN VDE 0801 “Principles for computers insafety-related systems” (“Grundsatze fur Rechner inSystem mit Sicherheitsaufgaben.ISA (1996) “Application of safety instrumented systemsfor the process industries”. Published by ISA NC27709, USA.CCPS (1993) “Guidelines for Safe Automation ofChemical Processes”. Published by the Center forChemical Process Safety of the American Institution ofChemical Engineers, New York NY 10017, USA.Health and Safety Executive (1995): “Out of Control(why control systems go wrong and how to preventfailure)”. HSE Books 2003. ISBN 0 7176 2192 8. www.hsebooks.co.uk 12Further information IEE Functional Safety Professional Networkwww.iee.org/pn/functionalsafety IECFunctionalSafetyZonewww.iec.ch/functionalsafety Functional and IEC 61508 IEC 61508 Brochure FAQ’s on IEC 61508

Annex AThe Parts of IEC 61508 IEC TR 61508-0: Functional safety of electrical/electronic/programmable electronic safety-related systems –Part 0: Functional safety and IEC 61508 IEC 61508–1: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part1: General requirements IEC 61508-2: Functional safety of electrical/electronical/programmable electronic safety-related systems –Part 2: Requirements for electrical/electronical/programmable electronic safety-related systems IEC 61508-3:1998: Functional safety of electrical/electronical/programmable electronic safety-related systems– Part 3: Software requirements. IEC 61508-4:1998: Functional safety of electrical/electronical/programmable electronic safety-related systems– Part 4: Definitions and abbreviations IEC 61508-5:1998: Functional safety of electrical/electronical/programmable electronic safety-related systems– Part 5: Examples of methods for the determination of safety integrity levels IEC 61508-6: Functional safety of electrical/electronical/programmable electronic safety-related systems –Part 6: Guidelines on the application of parts 2 and 3 IEC 61508-7: Functional safety of electrical/electronical/programmable electronic safety-related systems –Part 7: Overview of techniques and measures

Annex BIEC 61508 Safety Lifecycles1Concept2Overall scopedefinition3Hazard and riskanalysis4Overall safetyrequirements5Safety requirementsallocation9Overall planning6OveralIoperation ation xternal riskreductionfacilitiesRealisation(see E/E/PESsafetylifecycle)12Overall installationand commissioning13Overall safetyvalidationOverall operation,14 maintenance and repair16Safety-relatedsystems:othertechnologyBack to appropriateoverall safety lifecyclephase15Decommissioningor disposalFigure B1: Overall Safety LifecycleOverall modificationand retrofit

Box 9 from Figure B19Safety-relatedsystems:E/E/PESE/E/PES safety lifecycleE/E/PES safety requirementsspecification9.1RealisationSafety functionsrequirementsspecification9.1.19.2E/E/PES safetyvalidation planning9.1.2Safety integrityrequirementsspecification9.3E/E/PES design anddevelopment9.4E/E/PES integration9.6E/E/PES safetyvalidation9.5E/E/PES operation andmaintenance proceduresOne E/E/PES safetylifecycle for each E/E/PEsafety-related systemTo box 14in figure B1To box 12 in figure B1Figure B2: E/EPES Safety LifecycleSoftware safety lifecycle9.1Software safety requirementsspecification9.1.1E/E/PESsafetySafety functions

Note: In IEC standards a normative requirement is prefaced by a "shall". Parts 1, 2, 3 and 4 of IEC 61508 are IEC basic safety publications. One of the responsibilities of IEC Technical Committees is, wherever practicable, to make use of these parts of IEC 61508 in the preparation of their own sector or product standards that have E/E/PE .