D) Complying with the standard
D1) Which requirements do I need to satisfy in order to claim compliance with the standard?
The term shall used in a requirement indicates that the requirement is strictly to be followed if conformance to the standard is to be claimed.
Where should (or it is recommended that) is used, this indicates that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required.
Normative elements set out the provisions to which it is necessary to conform in order to be able to claim compliance with the standard. The text in a normative element usually contains both shall and should.
In IEC 61508, the following contain normative elements: part 1 (excluding the annexe); part 2 (including annexes A, B, C, D, and E but excluding F); part 3 (including annexes A and D but excluding annexes B, C, E, F and G); and part 4. There are no normative requirements in parts 5, 6 and 7 of the standard.
Informative elements of the standard provide additional information intended to assist its understanding or use, but with which it is not necessary to conform in order to be able to claim compliance. The text in an informative element cannot contain shall. Notes and footnotes are always informative.
In IEC 61508, the following are informative: annexe A of part 1; annex F of part 2; annexes B, C, E, F and G of part 3 and all annexes of parts 5, 6 and 7.
For the overall framework of the IEC 61508 series see IEC 61508-1, Figure 1 (page 10 of the preview).
D2) How does IEC 61508 apply to low complexity E/E/PE safety-related systems?
If the standard is used for low complexity E/E/PE safety-related systems, where dependable field experience exists which provides the necessary confidence that the required safety integrity can be achieved, certain of the requirements specified in the standard may be unnecessary and exemption from compliance with such requirements is acceptable provided this is justified (4.2 of IEC 61508-1).
The standard does not state which requirements this applies to, which is for the user of the standard to decide and justify. Note, however, that the conditions in which this relaxation applies are very restrictive.
D3) Give me some practical examples
IEC 61508 separates the specification of the safety functions to be performed into two elements:
- the safety function requirements (what the function does); and
- the safety integrity requirements (the likelihood of a safety function being performed satisfactorily).
IEC 61508 does not stipulate what safety function requirements nor what safety integrity requirements are necessary for any particular application.
The safety integrity level (SIL 1, 2, 3 or 4) corresponds to a range of safety integrity values, measured for a specified safety function in terms of:
- the average probability of a dangerous failure on demand (for low demand mode of operation); or,
- the average frequency of a dangerous failure per hour (for high demand or continuous mode of operation).
Note: For mode of operation see IEC 61508-4, subclause 3.5.16.
The safety integrity level, of a specified safety function, allocated to the E/E/PE safety-related system will affect the degree of rigour to which a requirement of the standard is to be satisfied. But other factors will also affect this (see 4.1 of IEC 61508-1).
Some elements of the standard make the dependence on safety integrity level explicit by grading the requirements, for example:
D4) Is it necessary to choose techniques and measures from those recommended in annexes A and B of IEC 61508-2 and IEC 61508-3 in order to comply with the standard?
Although all four normative annexes contain recommendations for the use of particular techniques and measures, they differ in what is required for compliance.
In subclause A.2 of IEC 61508-2, table A.1 provides the requirements for faults or failures that shall be detected by techniques and measures to control hardware failures. Tables A.2 to A.15, also in subclause A.2 of IEC 61508-2, support the requirements of table A.1 by recommending techniques and measures for diagnostic tests and recommending maximum levels of diagnostic coverage that can be achieved using them. Therefore, in order to comply with the standard, it is necessary to fulfil the requirements of table A.1, but tables A.2 to A.15 suggest just one set of possibilities on how the requirements of table A.1 can be met.
In subclause A.3 of IEC 61508-2, tables A.16 to A.18 recommend particular techniques and measures, therefore it is not necessary to use any of these in order to claim compliance. However, if you do not use a technique or measure that is highly recommended for the safety integrity level, then the rationale behind not using it shall be detailed. Also, for every technique or measure listed in tables A.16 to A.18 that you do use, it shall be used to the extent necessary to give at least the level of effectiveness stated in the table. Table A.19 gives guidance on what is intended by the terms low and high effectiveness for just some of the techniques and measures.
The techniques and measures in annex B of IEC 61508-2 are recommended in the same way as those in subclause A.3. It is necessary to detail the rationale wherever a technique or measure that is highly recommended for the safety integrity level is not used, and wherever a technique or measure that is positively not recommended for the safety integrity level is used. And it is necessary to achieve at least the level of effectiveness stated in the table for any techniques or measures that you do use. Table B.6 gives guidance on what is intended by the terms low and high effectiveness for most of the techniques and measures.
In annexes A and B of IEC 61508-2, the table shading adds recommendations on how to select and combine the techniques and measures.
Note that annex C of IEC 61508-2 is also normative and contains requirements that are necessary for compliance.
Annexes A and B of IEC 61508-3 contain the requirement that appropriate techniques and measures shall be selected according to the safety integrity level. In addition to the specific techniques listed in Annexes A and B, other techniques may be used providing that the requirements and objectives of the relevant clause of IEC 61508-3 have been met. Anyone claiming compliance with the standard is required to consider which techniques or measures are most appropriate for the specific problems encountered during the development of each E/E/PE safety-related system. See IEC 61508-3 Annex C (and supplementary information in IEC 61508-7 Annex F) for guidance on a reasoned argument to justify the selection of software techniques.
A particular concern is raised by systematic factors in the failure of a safety function. Systematic failure factors can arise in both hardware and software. The effectiveness of the measures and precautions used to meet the target failure measures for systematic safety integrity generally needs to be assessed qualitatively.
The IEC 61508-3 Annex A and B tables of recommended software techniques are not checklists by which systematic safety integrity in software can be guaranteed. Given the large number of factors that affect software systematic capability it is not possible to give an algorithm for combining the techniques and measures that will be correct for any given application. It is for this reason that Annex C (and supplementary information in IEC 61508-7 Annex F) has been developed and whose purpose is:
- to give guidance on deciding between alternative techniques from Annexes A and B to achieve software systematic capability;
- to outline a rationale for justifying the use of techniques that are not explicitly listed in Annexes A and B.
Software techniques will need to be chosen judiciously with attention to several key factors including:
- the developers' personal competence and experience in techniques;
- the developers' familiarity with the application and likely difficulties;
- the size or complexity of the application;
- industry sector recommendations and recognized good practice; and
- national and international published standards.
Annexes A and B contain a recommendation that the rationale for not following the guidance for highly recommended or not recommended techniques or measures should be detailed during the safety planning and agreed with the assessor.
In both IEC 61508-2 and IEC 61508-3, the choice of techniques for each lifecycle phase needs to be documented (see clause 5 of IEC 61508-1). Other subclauses require some of this documentation to include a justification of the choice of techniques and measures, even if all recommendations are followed. See for example 18.104.22.168 e) and 22.214.171.124 of IEC 61508-2, and 126.96.36.199 a) of IEC 61508-3.
D5) I have contractual responsibility for some (but not all) of the development phases for an E/E/PE safety-related system. What information do I need in documentation from other parties to enable me to comply with IEC 61508?
IEC 61508-1, clause 6 sets out the requirements on an organisation with responsibility for an E/E/PE safety-related system, or for one or more phases of the overall, E/E/PE system or software safety lifecycle. Also, IEC 61508-1, clause 5 sets out the documentation requirements. The fundamental requirement relating to the documentation is that it shall contain sufficient information, for each phase of the overall, E/E/PE system and software safety lifecycles completed, necessary for effective performance of subsequent phases and verification activities. (see clause 5 of IEC 61508-1).
Of particular importance in this context of this question is the "Safety manual for compliant items" (see IEC 61508-2, Annex D). The purpose of the safety manual for compliant items is to document all the information, relating to a compliant item, which is required to enable the integration of the compliant item into a safety-related system, or a subsystem or element, in compliance with the requirements of IEC 61508.
In summary, IEC 61508 has requirements to ensure that the necessary information is available to achieve functional safety to those who have responsibility for its achievement. IEC 61508-1, clause 5 sets out the general requirements for the need to have sufficient information and the safety manual for compliant items specifies the information that has to be supplied in relation to an item (e.g. a component) on which the supplier is claiming compliance with specified clause(s) in IEC 61508.
Table 1 of IEC 61508-1 specifies the information necessary for each phase of the overall safety lifecycle. Table 1 of IEC 61508-2 and table 1 of IEC 61508-3 are the equivalents for the E/E/PE system safety and software safety lifecycles.
For example, part of the entry from table 1 of IEC 61508-1 for the phase E/E/PE safety-related systems: realisation is reproduced below. It can be seen from the table that a system supplier with responsibility for the realisation phase needs documentation containing the specification for the E/E/PES safety requirements. This will set out all the requirements for the safety functions that have been allocated to the E/E/PE safety-related system(s) together with the safety integrity requirements for each of these safety functions.
Safety lifecycle phase
|E/E/PE safety-related systems: realisation||7.11.1 and parts 2 and 3:
To create E/E/PE safety-related systems conforming to the specification for the E/E/PE system safety requirements (comprising the specification for the E/E/PE system safety functions requirements and the specification for the E/E/PE system safety integrity requirements)
|E/E/PE safety-related systems||Specification for the E/E/PE safety requirements||Realisation of each E/E/PE safety-related system according to the E/E/PE system safety requirements specification|
D6) Suppliers are quoting that their products conform to IEC 61508 for a specific safety integrity level. Does this mean that using these products is sufficient for me to comply with IEC 61508?
IEC 61508 covers all components of the E/E/PE safety-related system, including field equipment and specific project application logic. All these subsystems, elements and components, when combined to implement the safety function (or functions), are required to meet the safety integrity level target of the relevant safety functions. Any design using supplied subsystems and components that are all quoted as suitable for the required safety integrity level target of the relevant safety functions, together with the information associated with the supplied subsystems and components, will have to be assessed to determine whether or not the subsystems and components are in fact suitable. Suppliers of products intended for use in E/E/PE safety-related systems should provide sufficient information to facilitate a demonstration that the E/E/PE safety-related system complies with IEC 61508 and shall comply with Annex D of IEC 61508-2 (Safety manual for compliant items).
D7) I supply subsystems, such as sensors or actuators, that are intended for use in an E/E/PE safety-related system. What does IEC 61508 mean for me?
As a supplier of items (e.g. components/elements) for which you are claiming compliance with specified clauses of IEC 61508, you will need to comply with IEC 61508-2 Annex D "Safety manual for compliant items". The purpose of the safety manual for compliant items is to document all the information, relating to a compliant item, which is required to enable the integration of the compliant item into a safety-related system, or a subsystem or element, in compliance with the requirements of IEC 61508.
The following subclauses are particularly relevant in this context:
- IEC 61508-2/188.8.131.52: Suppliers shall provide a safety manual for compliant items, in accordance with Annex D, for each compliant item that they supply and for which they claim compliance with IEC 61508 series.
- IEC 61508-2/184.108.40.206: The supplier shall document a justification for all the information that is provided in each safety manual for compliant items.
Note 1: It is essential that the claimed safety performance of an element is supported by sufficient evidence. Unsupported claims do not help establish the correctness and integrity of the safety function to which the element contributes.
Note 2: There may be commercial or legal restrictions on the availability of the evidence. These restrictions are outside the scope of this standard. If such restrictions deny the functional safety assessment adequate access to the evidence, then the element is not suitable for use in E/E/PE safety-related systems.
D8) Do I have to use third party certified components in order to comply with IEC 61508?
The level of independence required of the assessor ranges from an independent person in the same organization for safety integrity level 1 to an independent organization for safety integrity level 4. The required level of independence for safety integrity levels 2 and 3 is affected by additional factors including system complexity, novelty of design and previous experience of the developers. There is also a specific requirement that the assessor shall be competent for the activities to be undertaken.
D9) Is there any correlation between the level of independence required for functional safety assessment and the need for third party certification?
The level of independence required should be distinguished from the concept of third-party certification which is not a requirement in IEC 61508. For some companies even the requirement for independent persons and departments may have to be met by using an external organization but this does not mean that the external organisation has necessarily to be a certification body. The external body, in such a situation, should have the competence and the appropriate level of independence to undertake the task. The external body may or may not be a certification body.
Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by ways of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization (note 2 of 8.2.12 of IEC 61508-1).
See 3.8.10, 3.8.11 and 3.8.12 of IEC 61508-4 for definitions of independent person, independent department and independent organization respectively.
D10) In what ways do I need to consider the impact of human activities on the operation of an E/E/PE safety-related system?
IEC 61508 requires human factor issues to be considered in the determination of hazards and hazardous events (220.127.116.11 of IEC 61508-1) and in the design of the E/E/PE safety-related system (18.104.22.168 of IEC 61508-2). For E/E/PE safety-related protection systems, there are three principal areas that need to be considered:
- human actions or errors that can place a demand on the E/E/PE safety-related protection system – these need to be identified and quantified;
- human failure to respond effectively to alarms or take other actions that would otherwise reduce the demand on the E/E/PE safety-related protection system;
- human failure in testing and maintenance of the E/E/PE safety-related protection system, reducing its effectiveness and increasing the probability of failure on demand.
D11) Can an E/E/PE safety-related system contain hardware and/or software that was not produced according to IEC 61508, and still comply with the standard (proven in use)?
FAQ answer in preparation.
D12) Do control systems that place demands on a safety-related system have to be themselves designated as safety-related systems?
- allowing for a dangerous failure rate of the control system higher than the maximum defined by the standard for a safety-related system (i.e. higher than 10-5 dangerous failures per hour);
- providing an adequate demonstration that the dangerous failure rate allowed for is achieved (22.214.171.124 of IEC 61508-1 contains further details);
- determining all reasonably foreseeable dangerous failure modes of the control system;
It should be noted that the dangerous failure rate referred to in the above requirements relate to a specified dangerous failure mode of a function being performed by the control system which could, in the context of the question, place a demand on a safety-related system.
D13) How do electromagnetic immunity limits depend on the safety integrity level?
126.96.36.199 (f) of IEC 61508-1 states: The E/E/PE system safety integrity requirements specification shall contain: the electromagnetic immunity limits that are required to achieve functional safety. These limits should be derived taking into account both the electromagnetic environment and the required safety integrity levels (see IEC/TS 61000-1-2).
Note 5: Due to the nature and physics of electromagnetic phenomena no simple, evident and provable correlation can be established between the required immunity level and safety integrity level for nearly all cases of electromagnetic phenomena. Specifying effective immunity levels solely according to the required SIL is therefore not possible and reasonable in those cases. Alternative approaches may be used which, to some degree, specify the required immunity level according to the required SIL but also involve special test arrangements or test performance criteria. See IEC/TS 61000-1-2, Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena.