D) Complying with the standard
D1) Which requirements do I need to satisfy in order to claim compliance with the standard?
The term "shall" used in a requirement indicates that the requirement is strictly to be followed if conformance to the standard is to be claimed.
Where "should" (or "it is recommended that") is used, this indicates that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required.
Normative elements set out the provisions to which it is necessary to conform in order to be able to claim compliance with the standard. The text in a normative element usually contains both "shall" and "should".
In IEC 61508, the following contain normative elements: part 1 (excluding annexes); part 2 (including annexes); part 3 (including annexes A and B, excluding annex C); and part 4 (excluding the annex). There are no normative requirements in parts 5, 6 and 7 of the standard.
Informative elements of the standard provide additional information intended to assist its understanding or use, but with which it is not necessary to conform in order to be able to claim compliance. The text in an informative element cannot contain "shall". Notes and footnotes are always informative.
In IEC 61508, the following are informative: the annexes of part 1; annex C of part 3; the annex of part 4; and all annexes of parts 5, 6 and 7.
For the overall framework of the IEC 61508 series see IEC 61508-1, Figure 1 (page 10 of the preview).
D2) How does IEC 61508 apply to low complexity E/E/PE safety-related systems?
If the standard is used for low complexity E/E/PE safety-related systems, where dependable field experience exists which provides the necessary confidence that the required safety integrity can be achieved, certain of the requirements specified in the standard may be unnecessary and exemption from compliance with such requirements is acceptable provided this is justified (4.2 of IEC 61508-1).
The standard does not state which requirements this applies to, which is for the user of the standard to decide and justify. Note, however, that the conditions in which this relaxation applies are very restrictive.
D3) Give me some practical examples
IEC 61508 separates the specification of the safety functions to be performed into two elements:
- the safety function requirements (what the function does); and
- the safety integrity requirements (the likelihood of a safety function being performed satisfactorily).
IEC 61508 does not stipulate what safety function requirements nor what safety integrity requirements are necessary for any particular application.
The safety integrity level (SIL 1, 2, 3 or 4) corresponds to a range of safety integrity values, measured for a specified safety function in terms of:
- the average probability of a dangerous failure on demand (for low demand mode of operation); or,
- the average frequency of a dangerous failure per hour (for high demand or continuous mode of operation).
Note: For mode of operation see IEC 61508-4, subclause 3.5.12.
The safety integrity level, of a specified safety function, allocated to the E/E/PE safety-related system will affect the degree of rigour to which a requirement of the standard is to be satisfied. But other factors will also affect this (see 4.1 of IEC 61508-1).
Some elements of the standard make the dependence on safety integrity level explicit by grading the requirements, for example:
D4) Is it necessary to choose techniques and measures from those recommended in annexes A and B of IEC 61508-2 and IEC 61508-3 in order to comply with the standard?
Although all four normative annexes contain recommendations for the use of particular techniques and measures, they differ in what is required for compliance.
In subclause A.2 of IEC 61508-2, table A.1 provides the requirements for faults or failures that shall be detected by techniques and measures to control hardware failures. Tables A.2 to A.15, also in subclause A.2 of IEC 61508-2, support the requirements of table A.1 by recommending techniques and measures for diagnostic tests and recommending maximum levels of diagnostic coverage that can be achieved using them. Therefore, in order to comply with the standard, it is necessary to fulfil the requirements of table A.1, but tables A.2 to A.15 suggest just one set of possibilities on how the requirements of table A.1 can be met.
In subclause A.3 of IEC 61508-2, tables A.16 to A.18 recommend particular techniques and measures, therefore it is not necessary to use any of these in order to claim compliance. However, if you do not use a technique or measure that is highly recommended for the safety integrity level, then the rationale behind not using it shall be detailed. Also, for every technique or measure listed in tables A.16 to A.18 that you do use, it shall be used to the extent necessary to give at least the level of effectiveness stated in the table. Table A.19 gives guidance on what is intended by the terms low and high effectiveness for just some of the techniques and measures.
The techniques and measures in annex B of IEC 61508-2 are recommended in the same way as those in subclause A.3. It is necessary to detail the rationale wherever a technique or measure that is highly recommended for the safety integrity level is not used, and wherever a technique or measure that is positively not recommended for the safety integrity level is used. And it is necessary to achieve at least the level of effectiveness stated in the table for any techniques or measures that you do use. Table B.6 gives guidance on what is intended by the terms low and high effectiveness for most of the techniques and measures.
In annexes A and B of IEC 61508-2, the table shading adds recommendations on how to select and combine the techniques and measures.
Note that annex C of IEC 61508-2 is also normative and contains requirements that are necessary for compliance.
Annexes A and B of IEC 61508-3 contain the requirement that appropriate techniques and measures shall be selected according to the safety integrity level. Anyone claiming compliance with the standard is required to consider which techniques or measures are most appropriate for the specific problems encountered during the development of each E/E/PE safety-related system. These may include techniques and measures recommended by the standard and may include others; the tables give only recommendations as to which techniques and measures may be appropriate.
A particular concern is raised by systematic factors in the failure of a safety function. Systematic failure factors can arise in both hardware and software. The effectiveness of the measures and precautions used to meet the target failure measures for systematic safety integrity generally needs to be assessed qualitatively.
Specifically for software, the IEC 61508-3 tables of recommended techniques are not checklists by which systematic safety integrity in software can be guaranteed. Many factors affect software safety integrity, and it is not possible to give an algorithm for combining the techniques and measures that will guarantee success in any given application. Software techniques will need to be chosen judiciously with attention to several key factors including:
- the developers' personal competence and experience in techniques;
- the developers' familiarity with the application and likely difficulties;
- the size or complexity of the application;
- industry sector recommendations and recognized good practice; and
- international published standards.
These annexes contain a recommendation that the rationale for not following the guidance for highly recommended or not recommended techniques or measures should be detailed during the safety planning and agreed with the assessor.
In both IEC 61508-2 and IEC 61508-3, the choice of techniques for each lifecycle phase needs to be documented (see clause 5 of IEC 61508-1). Other subclauses require some of this documentation to include a justification of the choice of techniques and measures, even if all recommendations are followed. See for example 220.127.116.11 e) and 18.104.22.168 of IEC 61508-2, and 22.214.171.124 a) of IEC 61508-3.
D5) I have contractual responsibility for some (but not all) of the development phases for an E/E/PE safety-related system. What information do I need in documentation from other parties to enable me to comply with IEC 61508?
For an E/E/PE safety-related system to comply with IEC 61508, one or more organizations or individuals have to be responsible for each phase of the overall, E/E/PES and software safety lifecycles. Part of the responsibility for each phase is to document information sufficiently, so that all phases that depend on that information can be effectively performed (see clause 5 of IEC 61508-1).
Table 1 of IEC 61508-1 specifies the information necessary for each phase of the overall safety lifecycle. Table 1 of IEC 61508-2 and table 1 of IEC 61508-3 are the equivalents for the E/E/PES and software safety lifecycles.
For example, part of the entry from table 1 of IEC 61508-1 for the phase E/E/PE safety-related systems: realisation is reproduced below. It can be seen from the table that a system supplier with responsibility for the realisation phase needs documentation containing the specification for the E/E/PES safety requirements. This will set out all the requirements for the safety functions that have been allocated to the E/E/PE safety-related system(s) together with the safety integrity requirements for each of these safety functions.
Safety lifecycle phase
|E/E/PE safety-related systems: realisation||7.10.1 and IEC 61508- and IEC 61508-3:
To create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements)
|E/E/PE safety-related systems||Specification for the E/E/PES safety requirements||Confirmation that each E/E/PE safety-related system meets the E/E/PES safety requirements specification|
We can see that a system supplier with responsibility for the realisation phase needs documentation containing the specification for the E/E/PES safety requirements. This will set out all the safety function requirements that have been allocated to the E/E/PE safety-related system(s) and the safety integrity requirements for each of these functions.
D6) Suppliers are quoting that their products conform to IEC 61508 for a specific safety integrity level. Does this mean that using these products is sufficient for me to comply with IEC 61508?
IEC 61508 covers all components of the E/E/PE safety-related system, including field equipment and specific project application logic. All these subsystems and components, when combined to implement the safety function (or functions), are required to meet the safety integrity level target of the relevant safety functions. Any design using supplied subsystems and components that are all quoted as suitable for the required safety integrity level target of the relevant safety functions, together with the information associated with the supplied subsystems and components, will have to be assessed to determine whether or not the subsystems and components are in fact suitable. Suppliers of products intended for use in E/E/PE safety-related systems should provide sufficient information to facilitate a demonstration that the E/E/PE safety-related system complies with IEC 61508.
D7) I supply subsystems, such as sensors or actuators, that are intended for use in an E/E/PE safety-related system. What does IEC 61508 mean for me?
When a subsystem is integrated into an E/E/PE safety-related system in accordance with IEC 61508, it is necessary to take into account the contribution that the subsystem will make to the performance of the complete system in relation to the safety integrity level of the safety function under consideration. To do this, the system designer/integrator requires sufficient information on the supplied subsystem in order that the system designer/integrator can validate that the E/E/PE safety-related system, in respect of the specified safety functions, meets the E/E/PES safety requirements specification. As a supplier of subsystems intended for use in E/E/PE safety-related systems you should be prepared to supply the required information, as detailed in 126.96.36.199 of IEC 61508-2. To summarise, the following information is required for each subsystem:
- specifications covering functional, interface and environmental aspects;
- estimated failure rate (due to random hardware failures) for each failure mode;
- diagnostic coverage and diagnostic test interval;
- information needed to enable the hardware fault tolerance to be determined;
- information needed to identify the hardware and software configuration;
- information needed to enable the derivation of the safe failure fraction; and
- documentary evidence of validation.
D8) Do I have to use third party certified components in order to comply with IEC 61508?
The level of independence required of the assessor ranges from an independent person in the same organization for safety integrity level 1 to an independent organization for safety integrity level 4. The required level of independence for safety integrity levels 2 and 3 is affected by additional factors including system complexity, novelty of design and previous experience of the developers. There is also a specific requirement that the assessor shall be competent for the activities to be undertaken.
D9) Is there any correlation between the level of independence required for functional safety assessment and the need for third party certification?
The level of independence required should be distinguished from the concept of third-party certification which is not a requirement in IEC 61508. For some companies even the requirement for independent persons and departments may have to be met by using an external organization but this does not mean that the external organisation has necessarily to be a certification body. The external body, in such a situation, should have the competence and the appropriate level of independence to undertake the task. The external body may or may not be a certification body.
Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by way of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization (note 2 of 8.2.12 of IEC 61508-1).
See 3.8.10, 3.8.11 and 3.8.12 of IEC 61508-4 for definitions of independent person, independent department and independent organization respectively.
D10) In what ways do I need to consider the impact of human activities on the operation of an E/E/PE safety-related system?
IEC 61508 requires human factor issues to be considered in the determination of hazards and hazardous events (188.8.131.52 of IEC 61508-1) and in the design of the E/E/PE safety-related system (184.108.40.206 of IEC 61508-2). For E/E/PE safety-related protection systems, there are three principal areas that need to be considered:
- human actions or errors that can place a demand on the E/E/PE safety-related protection system – these need to be identified and quantified;
- human failure to respond effectively to alarms or take other actions that would otherwise reduce the demand on the E/E/PE safety-related protection system;
- human failure in testing and maintenance of the E/E/PE safety-related protection system, reducing its effectiveness and increasing the probability of failure on demand.
D11) Can an E/E/PE safety-related system contain hardware and/or software that was not produced according to IEC 61508, and still comply with the standard (proven in use)?
It may be possible to use a proven in use argument as an alternative to meeting the design requirements for dealing with systematic failure causes in IEC 61508, including hardware and software. But it is essential to note that proven in use cannot be used as an alternative to meeting the requirements for:
- architectural constraints on hardware safety integrity (see 220.127.116.11 of IEC 61508-2);
- the quantification of dangerous failures of the safety function due to random hardware faults (see 18.104.22.168 of IEC 61508-2); and
- system behaviour on detection of faults (see 7.4.6 of IEC 61508-2).
See 22.214.171.124 of IEC 61508-2 for a summary of design requirements, including references to more detailed systematic hardware requirements in the standard.
A proven in use claim relies on the availability of historical data for both random hardware and systematic failures, and on analytical techniques and testing if the previous conditions of use of the subsystem differ in any way from those which will be experienced in the E/E/PE safety-related system. 126.96.36.199 of IEC 61508-2 requires that:
- the previous conditions of use of the subsystem are the same as, or sufficiently close to, those which will be experienced in the E/E/PE safety-related system (see 188.8.131.52 of IEC 61508-2);
- if the above conditions of use differ in any way, a demonstration is necessary (using a combination of appropriate analytical techniques and testing) that the likelihood of unrevealed systematic faults is low enough to achieve the required safety integrity level of the safety functions which use the subsystem (see 184.108.40.206 of IEC 61508-2);
- the claimed failure rates have sufficient statistical basis (see 220.127.116.11 of IEC 61508-2);
- failure data collection is adequate (see 18.104.22.168 of IEC 61508-2);
- evidence is assessed taking into account the complexity of the subsystem, the contribution made by the subsystem to the risk reduction, the consequences associated with a failure of the subsystem, and the novelty of design (see 22.214.171.124 of IEC 61508-2); and
- the application of the proven in use subsystem is restricted to those functions and interfaces of the subsystem that meet the relevant requirements (see 126.96.36.199 of IEC 61508-2).
188.8.131.52 of IEC 61508-3 allows the use of standard or previously developed software without the availability of historical data but with the emphasis on analysis and testing. This concept should be distinguished from the proven in use concept described above.
D12) Do control systems that place demands on a safety-related system have to be themselves designated as safety-related systems?
- allowing for a dangerous failure rate of the control system higher than the maximum defined by the standard for a safety-related system (i.e. higher than 10⁻⁵ dangerous failures per hour);
- providing an adequate demonstration that the dangerous failure rate allowed for is achieved (184.108.40.206 of IEC 61508-1 contains further details);
- determining all reasonably foreseeable dangerous failure modes of the control system;
- ensuring that the control system is separate and independent from all safety-related systems.
It should be noted that the dangerous failure rate referred to in the above requirements relates to a specified dangerous failure mode of a function being performed by the control system which could, in the context of the question, place a demand on a safety-related system.
D13) How do electromagnetic immunity limits depend on the safety integrity level? (Under review)
220.127.116.11 (e) of IEC 61508-2 (see also associated notes) states: The E/E/PES safety integrity requirements specification shall contain the electromagnetic immunity limits (see IEC 61000-1-1) that are required to achieve electromagnetic compatibility – the electromagnetic immunity limits should be derived taking into account both the electromagnetic environment (see IEC 61000-2-5) and the required safety integrity levels.
IEC 61508 does not give a method for determining electromagnetic immunity requirements according to the safety integrity level. These should be decided taking into account the electromagnetic environment that the safety-related system will be exposed to during use. In principle, the immunity limits should be set at a level which will not be exceeded in the operating environment. In practice, it is difficult to guarantee that disturbance levels will always be below a set limit. The higher the immunity limit, the lower the probability that a disturbance will exceed the limit during use; therefore it may be necessary to set increased immunity limits as safety integrity levels increase, especially where there is uncertainty about the disturbance levels that are likely to be present in the operating environment.