International Standards and Conformity Assessment for all electrical, electronic and related technologies
Functional Safety and the IEC

IEC 61508

Functional Safety

 

Edition 1.0

A) Scope

 

A1) Is IEC 61508 relevant to me?

Generally, the significant hazards for equipment and any associated control system have to be identified by the specifier or developer via a hazard analysis. The analysis identifies whether functional safety is necessary to ensure adequate protection against each significant hazard. If so, then it has to be taken into account in an appropriate manner in the design. Functional safety is just one method of dealing with hazards, and other means for their elimination or reduction, such as inherent safety through design, are of primary importance.

 

IEC 61508 defines appropriate means for achieving functional safety in the systems it covers.

 

See IEC/TR 61508-0, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 0: Functional safety and IEC 61508, for further details.

A2) What systems does IEC 61508 cover?

IEC 61508 applies to safety-related systems when one or more of such systems incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices. It covers the hazards that arise when the safety functions to be performed by the E/E/PE safety-related systems fail, as distinct from hazards arising from the E/E/PE equipment itself (for example, electric shock). It is generically based and applicable to all E/E/PE safety-related systems irrespective of the application.

 

It is recognized that the consequences of failure could also have serious economic implications and in such cases the standard could be used to specify any E/E/PE safety-related system used for the protection of equipment or product.

 

The scope of IEC 61508-1 gives more details.

A3) Give me some practical examples

The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:

 

  • emergency shut-down systems,
  • fire and gas systems,
  • turbine control,
  • gas burner management,
  • crane automatic safe-load indicators,
  • guard interlocking and emergency stopping systems for machinery,
  • medical devices,
  • dynamic positioning (control of a ship's movement when in proximity to an offshore installation),
  • railway signalling systems (including moving block train signalling),
  • variable speed motor drives used to restrict speed as a means of protection,
  • remote monitoring, operation or programming of a network-enabled process plant,
  • an information-based decision support tool where erroneous results affect safety.

 

Relevant means of implementing safety functions include electro-mechanical relays (i.e. electrical), non-programmable solid-state electronics (i.e. electronic) and programmable electronics. Programmable electronic safety-related systems typically incorporate programmable controllers, programmable logic controllers, microprocessors, application specific integrated circuits, or other programmable devices (for example "smart" devices such as sensors/transmitters/actuators).

 

In every case, the standard applies to the entire E/E/PE safety-related system (for example from sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator). For safety functions to be effectively specified and implemented, it is essential to consider the system as a whole. The physical extent of an E/E/PE safety-related system is solely determined by the safety function.

A4) How does IEC 61508 apply where E/E/PE technology makes up only a small part of the safety-related system?

IEC 61508 is applicable to any safety-related system that contains an E/E/PE device.

 

This applicability is appropriate because many requirements, particularly in IEC 61508-1, are not technology specific. Indeed, early development phases (such as initial concept, overall scope definition, hazard and risk analysis and specifying the overall safety requirements) may take place before the implementation technology has been decided.

 

Even during later phases such as realisation, specific functional safety requirements apply directly to non-E/E/PE devices, such as mechanical components, as well as E/E/PE devices. For example, the requirements for hardware reliability and fault tolerance in IEC 61508-2 directly relate to the properties of all components in the E/E/PE safety-related system, whether or not they include E/E/PE technology.

 

For low complexity E/E/PE safety-related systems, certain requirements of the standard may be unnecessary, so it is possible to comply with IEC 61508 without meeting every individual requirement, provided the objectives of the relevant clauses are still achieved.

A5) How does IEC 61508 apply to systems whose function is to avoid damage to the environment or severe financial loss?

IEC 61508 is concerned with achieving functional safety, where safety is defined as freedom from unacceptable risk of physical injury or damage to the health of people, either directly or indirectly as a result of damage to property or to the environment (see 3.1 of IEC 61508-4). So damage to long term health, including damage to property or the environment that leads to damage to long term health, is explicitly within the scope of the standard and is encompassed by the term safety.

 

It is recognised that the consequences of failure could also have serious economic implications and in such cases the standard could be used to specify any E/E/PE system used for the protection of equipment or product (1.2 e of IEC 61508-1).

 

The particular safety functions that are necessary, and the associated levels of performance required of them, are determined by hazard and risk analysis (see for example IEC 61508-5). An equivalent analysis of risk in terms of environmental or financial hazards can be performed by replacing safety parameters with environmental or financial parameters. Most of the subsequent requirements of the standard are as applicable for "environmental functions" or "financial functions" as they are for safety functions. This includes the required levels of performance, which are expressed in terms of the average probability of failure to perform the design function on demand (low demand mode) or the probability of a dangerous failure per hour (high demand or continuous mode); see Tables 2 and 3 of IEC 61508-1.
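The following is an added worked example, not code from the IEC page or from the standard itself. It shows how the two performance measures named above are applied in practice: first decide the mode of operation of the safety function, then compute the matching measure for a single-channel (1oo1) implementation, then find the SIL band of IEC 61508-1 Edition 1.0 (Tables 2 and 3) that the achieved figure falls into. The numeric bands are those of the standard; everything else is an assumption made for the example and labelled as such: the low-demand criterion (no more than one demand per year and no more than twice the proof-test frequency, as defined in IEC 61508-4), the simplified 1oo1 formulae PFDavg ~= lambda_DU * T1 / 2 and PFH ~= lambda_DU in the spirit of IEC 61508-6 Annex B, and the sample functions and failure rates, which are constructed, not measured.

```python
"""Added example, not part of the IEC FAQ: decide which target failure
measure applies to a safety function and which SIL band of IEC 61508-1
(Edition 1.0, Tables 2 and 3) the achieved figure falls into.

Assumptions (labelled here, not stated on the page):
- Mode of operation follows the IEC 61508-4 definition: low demand mode is
  no more than one demand per year and no more than twice the proof-test
  frequency; anything else is treated as high demand / continuous mode.
- The single-channel (1oo1) approximations are simplified forms in the
  spirit of IEC 61508-6 Annex B: PFDavg ~= lambda_DU * T1 / 2 (repair time
  negligible against the proof-test interval T1) and PFH ~= lambda_DU
  (dangerous detected failures assumed to bring the equipment to a safe state).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HOURS_PER_YEAR = 8760.0

# Table 2 of IEC 61508-1: low demand mode, average probability of failure
# on demand. Bands are [lower, upper): lower bound inclusive, upper exclusive.
PFD_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1),
}
# Table 3 of IEC 61508-1: high demand / continuous mode, probability of a
# dangerous failure per hour.
PFH_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5),
}


@dataclass
class SafetyFunction:
    name: str
    demands_per_year: float       # expected demand rate on the function
    proof_test_interval_h: float  # T1: hours between proof tests
    lambda_du_per_h: float        # dangerous undetected failure rate of the 1oo1 channel


@dataclass
class Assessment:
    mode: str            # "low demand" or "high demand"
    measure: str         # "PFDavg" or "PFH"
    value: float         # achieved figure for that measure
    sil: Optional[int]   # 1..4, or None when the value lies outside every band


def is_low_demand(demands_per_year: float, proof_test_interval_h: float) -> bool:
    """Low demand mode per the IEC 61508-4 definition (see module docstring)."""
    proof_tests_per_year = HOURS_PER_YEAR / proof_test_interval_h
    return demands_per_year <= 1.0 and demands_per_year <= 2.0 * proof_tests_per_year


def pfd_avg_1oo1(lambda_du_per_h: float, proof_test_interval_h: float) -> float:
    """Simplified 1oo1 PFDavg (assumption, see module docstring)."""
    return lambda_du_per_h * proof_test_interval_h / 2.0


def pfh_1oo1(lambda_du_per_h: float) -> float:
    """Simplified 1oo1 PFH: dangerous undetected failures only (assumption)."""
    return lambda_du_per_h


def sil_from_measure(value: float, bands: Dict[int, Tuple[float, float]]) -> Optional[int]:
    """Return the SIL whose band contains value, or None if no band does.

    A value at or above the SIL 1 upper bound meets no SIL at all; a value
    below the SIL 4 lower bound is outside the table and is reported as
    None rather than silently rounded, because the standard defines no band there.
    """
    for sil in (4, 3, 2, 1):
        lower, upper = bands[sil]
        if lower <= value < upper:
            return sil
    return None


def assess(sf: SafetyFunction) -> Assessment:
    """Pick the measure from the mode of operation, then band the result.

    The mode check comes first: quoting a PFDavg for a function that is
    demanded frequently would misstate its integrity, since PFH applies there.
    """
    if is_low_demand(sf.demands_per_year, sf.proof_test_interval_h):
        pfd = pfd_avg_1oo1(sf.lambda_du_per_h, sf.proof_test_interval_h)
        return Assessment("low demand", "PFDavg", pfd, sil_from_measure(pfd, PFD_BANDS))
    pfh = pfh_1oo1(sf.lambda_du_per_h)
    return Assessment("high demand", "PFH", pfh, sil_from_measure(pfh, PFH_BANDS))


if __name__ == "__main__":
    # Constructed sample data, not measurements from any real system.
    samples = [
        SafetyFunction("emergency shut-down", demands_per_year=0.1,
                       proof_test_interval_h=HOURS_PER_YEAR, lambda_du_per_h=1e-6),
        SafetyFunction("speed-limiting drive", demands_per_year=100.0,
                       proof_test_interval_h=HOURS_PER_YEAR, lambda_du_per_h=1e-6),
        # One demand per year but proof-tested only every five years: fails
        # the "twice the proof-test frequency" condition, so PFH applies.
        SafetyFunction("rarely tested trip", demands_per_year=1.0,
                       proof_test_interval_h=5 * HOURS_PER_YEAR, lambda_du_per_h=1e-6),
    ]
    for sf in samples:
        a = assess(sf)
        print(f"{sf.name}: {a.mode}, {a.measure}={a.value:.2e}, SIL {a.sil}")
```

The third sample is the case practitioners most often get wrong: a function demanded only once a year still falls into high demand mode if proof testing is too infrequent, and must then be judged on PFH rather than PFDavg. The same banding logic serves the "financial functions" and "environmental functions" mentioned above once the hazard and risk analysis has been carried out with the corresponding parameters; only the target bands, not the arithmetic, come from the standard.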

A6) What does IEC 61508 consist of?

The standard is published in parts as shown in the table below. Only parts 1 to 4 contain normative requirements.

 

Reference, edition (date), technical committee, title:

  • IEC/TR 61508-0 ed1.0 (2005-01), SC 65A: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 0: Functional safety and IEC 61508
  • IEC 61508-1 ed1.0 (1998-12), SC 65A: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements
  • IEC 61508-2 ed1.0 (2000-05), SC 65A: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
  • IEC 61508-3 ed1.0 (1998-12), SC 65A: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements
  • IEC 61508-4 ed1.0 (1998-12), SC 65A: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations
  • IEC 61508-5 ed1.0 (1998-12), SC 65A: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels
  • IEC 61508-6 ed1.0 (2000-04), SC 65A: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
  • IEC 61508-7 ed1.0 (2000-03), SC 65A: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 7: Overview of techniques and measures

A7) Can I get hold of the standard for free, for example by downloading from the internet?

No, IEC 61508 is a priced publication. You can purchase it online from the IEC, or obtain it from the national standards body in your own country.

 

You can download for free the first few pages of an IEC standard from the IEC webstore. These previews contain the contents, foreword, introduction, scope and normative references.

A8) Now I've obtained a copy of the standard, how do I go about reading it?

Annex A of IEC 61508-5 provides introductory material on risk and safety integrity. In IEC 61508-1, the overall safety lifecycle requirements contained in clause 7 are summarized in a lifecycle diagram in figure 2, with an overview of each phase in table 1. In addition, requirements relating to verification, management of functional safety and functional safety assessment are contained in 7.18, clause 6 and clause 8 respectively.

 

Annex A of IEC 61508-6 gives an eight-page overview of the requirements in IEC 61508-2 and IEC 61508-3.

 

In IEC 61508-2, the E/E/PES safety lifecycle requirements contained in clause 7 are summarised in a lifecycle diagram in figure 2, with an overview of each phase in table 1. Likewise, in IEC 61508-3, the software safety lifecycle requirements contained in clause 7 are summarised in figure 3 with an overview in table 1.

 

Any particular requirement of IEC 61508 should be considered in the context of its lifecycle phase (where applicable) and the stated objectives for the requirements of that phase, clause or subclause. The objectives are always stated immediately before the requirements.