International Standards and Conformity Assessment for all electrical, electronic and related technologies
Functional Safety and the IEC

IEC 61508

Functional Safety

 

Edition 2.0

E) Key concepts

 

E1) What is functional safety?

Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. Functional safety is achieved when every specified safety function is carried out and the level of performance required of each safety function is met.

 

Functional safety relies on active systems. An example of functional safety would be the activation of a level switch in a tank containing a flammable liquid, when a potentially dangerous level has been reached, which causes a valve to be closed to prevent further liquid entering the tank and thereby preventing the liquid in the tank from overflowing.

 

Safety achieved by measures that rely on passive systems is not functional safety. A fire resistant door or insulation to withstand high temperatures are measures that are passive in nature and can protect against the same hazards as are sometimes controlled by functional safety concepts but are not instances of functional safety.

 

See also IEC/TR 61508-0 Ed1.0, Functional safety of E/E/PE safety-related systems - Part 0: Functional safety and IEC 61508 for further details.

E2) What is a safety-related system in the context of IEC 61508?

A safety-related system comprises everything (hardware, software and human elements) necessary to carry out one or more safety functions, where failure of the safety function would give rise to a significant increase in the risk to the safety of persons and/or the environment.

 

A safety-related system can comprise stand-alone equipment dedicated to perform a particular safety function (such as a fire detection and suppression system) or can be integrated into other plant or equipment (such as motor speed control in a machine tool).

 

3.4.1 of IEC 61508-4 gives a formal definition.

E3) What does E/E/PE mean?

E/E/PE is an abbreviation of electrical/electronic/programmable electronic. 3.2.6 of IEC 61508-4 defines an E/E/PE system as one based on electrical and/or electronic and/or programmable electronic technology; the note to that definition gives as examples electromechanical devices (electrical), solid-state non-programmable electronic devices (electronic) and computer-based devices (programmable electronic).

E4) What is a low complexity E/E/PE safety-related system?

This is defined in 3.4.4 of IEC 61508-4 as an E/E/PE safety-related system, in which the failure modes of each individual component are well defined and the behaviour of the system under fault conditions can be completely determined.

 

An example is a system comprising one or more limit switches, operating one or more contactors to de-energize an electric motor, possibly via interposing electromechanical relays.

E5) What is a safety integrity level (SIL)?

A safety integrity level is one of four discrete levels, SIL 1 to SIL 4, each corresponding to a range of target failure measures for a safety function (see tables 2 and 3 of IEC 61508-1). SIL 4 is the highest level of safety integrity and SIL 1 the lowest. Note that a safety integrity level is a property of a safety function rather than of a system or any part of a system.

E6) What does software safety integrity mean in the context of safety integrity being defined as probability of failure?

FAQ answer in preparation.

E7) What is meant by a SILn system, subsystem or component?

FAQ answer in preparation.

E8) What is functional safety assessment?

The objective of functional safety assessment is to investigate and arrive at a judgement on the adequacy of the functional safety achieved by the E/E/PE safety-related system(s) or compliant items (e.g. elements/subsystems), based on compliance with the relevant clauses of IEC 61508.

 

Functional safety assessment is the critical activity that ensures functional safety has actually been achieved, based on compliance with the relevant clauses of IEC 61508. Those carrying out the functional safety assessment shall be competent and shall have adequate independence (the minimum level of independence required depends on the safety integrity level of the safety functions concerned). They shall consider the activities carried out and the outputs obtained during each phase of the overall, E/E/PE system and software safety lifecycles and judge the extent to which the objectives and requirements of IEC 61508 have been met. See clause 8 of IEC 61508-1 for further details.

E9) What is a mode of operation?

IEC 61508 describes the modes of operation of a safety function as low demand mode of operation and high demand or continuous mode of operation. The terms are formally defined in 3.5.16 of IEC 61508-4 (which lists low demand mode, high demand mode and continuous mode separately; high demand and continuous mode are grouped together here because they share the same target failure measure, see table 3 of IEC 61508-1).

 

In order to understand these two modes, it is necessary first of all to understand the division between a demand mode of operation and a continuous mode of operation.

 

A safety function operating in demand mode is only performed when required (i.e. on demand) in order to transfer the equipment under control (EUC) into a specified state. The E/E/PE safety-related system that performs the safety function has no influence on the EUC until there is a demand for the safety function to be performed. Examples include protection systems on chemical plants that respond to failures of the EUC or EUC control system and anti-lock braking systems on automotive vehicles.

 

A safety function operating in continuous mode operates to retain the EUC within its normal safe state. That is, the E/E/PE safety-related system continuously controls the EUC, and a dangerous failure of the E/E/PE safety-related system will lead to a hazardous event unless other safety-related systems or other risk reduction measures intervene. Examples include speed control associated with machinery, burner control of furnaces or fly-by-wire operation of aircraft flight control surfaces.

 

IEC 61508 distinguishes between:

 

  • low demand mode of operation, and
  • high demand or continuous mode of operation.

E10) What is the difference between low demand mode of operation and high demand or continuous mode of operation?

Modes of operation are used in IEC 61508 to describe two types of safety function carried out by E/E/PE safety-related systems. The modes are relevant when relating the target failure measure of a safety function to be implemented by an E/E/PE safety-related system to the safety integrity level. IEC 61508 relates the safety integrity level of a safety function to:

 

  • the average probability of a dangerous failure on demand (in the case of low demand mode – see table 2 of IEC 61508-1), or
  • the average frequency of a dangerous failure per hour (in the case of high demand or continuous mode – see table 3 of IEC 61508-1). The average frequency of a dangerous failure per hour is sometimes referred to as the dangerous failure rate (i.e. dangerous failures per hour).

 

Low demand mode, as defined in 3.5.16 of IEC 61508-4, is where the frequency of demands for operation made on a safety-related system is no greater than one per year.

 

High demand mode, as defined in 3.5.16 of IEC 61508-4, is where the frequency of demands for operation made on a safety-related system is greater than one per year. Continuous mode, in which the safety function retains the EUC in a safe state as part of normal operation, is treated together with high demand mode: it is the limiting case of very frequent demands and uses the same target failure measure (see table 3 of IEC 61508-1).

E11) Give me example architectures for the different modes of operation

An example of a system architecture in which a safety-related system implements safety functions operating in either low or high demand mode is shown in Figure 1(a). In this example, dangerous failures of the equipment under control (EUC) or the EUC control system place demands on the E/E/PE safety-related system (see Figures 1(b) and 1(c)). Table 2 in IEC 61508-1 is applicable only to system architectures where safety functions are intended for operation in low demand mode (Figure 1(b)). For system architectures where safety functions are intended for operation in high demand mode, Table 3 in IEC 61508-1 is applicable (Figure 1(c)).

 


Figure 1: Example system operating in demand mode

 

An example of a system architecture in which a safety-related control system implements safety functions operating in continuous mode is shown in Figure 2(a). The corresponding system operation is shown in Figure 2(b). For system architectures where safety functions are intended for operation in continuous mode, Table 3 in IEC 61508-1 is also applicable (Figure 2(b)).

 

Figure 2: Example system operating in continuous mode

E12) Does the mode of operation affect how the safety integrity level is determined?

Yes.

 

First, it is helpful to use a common term hazard rate to examine the differences between low demand mode of operation and high demand or continuous mode of operation. This is the estimated rate at which specified hazardous events will take place unless other protective measures are in place (such as other safety-related systems). The fundamental aim is to design a safety-related system so that the resulting hazard rate is sufficiently low to meet the tolerable risk in the context of the specific application.

 

See example system architectures.

 

Low demand mode of operation

 

For a safety function operating in low demand mode, the achieved hazard rate depends on the rate of demands on the E/E/PE safety-related system and the probability of failure on demand of the E/E/PE safety-related system in the context of a specified safety function. That is:

Hazard rate (h) = Demand rate (d) x Average probability of failure on demand (PFDavg)
h   = d x PFDavg

 

In the context of a system architecture such as that shown in Figure 1(a) and (b), where the E/E/PE safety-related system is acting as a protection system for specified conditions arising on the equipment under control (EUC) and EUC control system (i.e. where a failure of the EUC control system would give rise to a demand on the E/E/PE safety-related system), this relationship only holds if there is adequate independence between the EUC and EUC control system combined and the E/E/PE safety-related system. If there is inadequate independence then it is necessary to take into account the effect of common cause failures between the EUC and EUC control system combined and the E/E/PE safety-related system. Such failures will lead to an increased hazard rate or place increased demands on other safety-related systems.

 

The target failure measure for a safety function operating in low demand mode is the average probability of failure to perform the safety function on demand and from above it can be seen that:

PFDavg = h / d

 

The ratio d / h (i.e. 1 / PFDavg) is sometimes referred to as the risk reduction factor: the factor by which the safety function must reduce the frequency of the hazardous event, from the rate at which it would occur without protection (the demand rate) down to the tolerable hazard rate.

 

Therefore, for a safety function operating in low demand mode, in the case of a quantified approach to determining the safety integrity level, the required safety integrity level is determined from the required average probability of failure on demand (PFDavg) (see table 2 of IEC 61508-1). The PFDavg required to achieve the tolerable risk, and hence the required safety integrity level, can be obtained from knowledge of the demand rate (d) and the hazard rate (h) necessary to achieve the tolerable risk.

 

High demand or continuous mode of operation

 

For a safety function operating in high demand or continuous mode and in the case of a quantified approach to determining the safety integrity level, table 3 of IEC 61508-1 is used to determine the required safety integrity level. The table relates the safety integrity level to the average frequency of a dangerous failure per hour (PFH), which in this case is equivalent to the hazard rate and has to be low enough to achieve the tolerable risk. That is:

Hazard rate (h) = Average frequency of a dangerous failure per hour (PFH)

Note that h is then expressed per hour, so a tolerable hazard rate stated per year has to be divided by the number of hours in a year (8 760) before it is compared with table 3.
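
The classification of E10 (low demand versus high demand) and the arithmetic of E12 (PFDavg = h / d for low demand mode, h = PFH for high demand or continuous mode) can be carried through in a few lines. The following is an added worked example, not part of the IEC FAQ and not the standard's own text: the band limits are those of tables 2 and 3 of IEC 61508-1, the function names and the numeric inputs (demand rates, tolerable hazard rates) are constructed for illustration, and the low demand formula is applied on the assumption of adequate independence stated above.

```python
"""Added worked example (not from the IEC FAQ): turn a tolerable hazard rate
and a demand rate into the IEC 61508 target failure measure and the SIL band
that tables 2 and 3 of IEC 61508-1 assign to it. All numeric inputs in
__main__ are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0

# Table 2 of IEC 61508-1 (low demand mode): SIL -> [lower, upper) band of PFDavg.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# Table 3 of IEC 61508-1 (high demand or continuous mode): SIL -> band of PFH,
# the average frequency of a dangerous failure per hour.
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def mode_of_operation(demand_rate_per_year: float) -> str:
    """3.5.16 of IEC 61508-4: low demand mode when demands on the safety-related
    system are no greater than one per year, high demand mode when they are more
    frequent. Continuous mode has no discrete demands (see target_for_continuous_mode)."""
    return "low demand" if demand_rate_per_year <= 1.0 else "high demand"


def sil_from_bands(value: float, bands: dict) -> Optional[int]:
    """Map a target failure measure to the SIL whose band contains it.
    Returns None outside the four bands: a target below the SIL 4 band cannot be
    claimed for a single E/E/PE safety-related system, and a target above the
    SIL 1 band means no SIL is claimed for the function."""
    for sil in (4, 3, 2, 1):
        lower, upper = bands[sil]
        if lower <= value < upper:
            return sil
    return None


@dataclass
class SilTarget:
    mode: str                                # "low demand", "high demand" or "continuous"
    measure: str                             # "PFDavg" (table 2) or "PFH" (table 3)
    target: float                            # required value of that measure
    risk_reduction_factor: Optional[float]   # d / h = 1 / PFDavg; low demand mode only
    sil: Optional[int]


def target_for_demand_mode(tolerable_hazard_rate_per_year: float,
                           demand_rate_per_year: float) -> SilTarget:
    """Demand-mode safety function (E/E/PE system acting as a protection layer).
    Assumes adequate independence between the EUC/EUC control system and the
    E/E/PE safety-related system, so that h = d x PFDavg holds without a
    common cause failure term."""
    mode = mode_of_operation(demand_rate_per_year)
    if mode == "low demand":
        # h = d x PFDavg  =>  PFDavg = h / d ; risk reduction factor = d / h = 1 / PFDavg
        pfd_avg = tolerable_hazard_rate_per_year / demand_rate_per_year
        return SilTarget(mode, "PFDavg", pfd_avg, 1.0 / pfd_avg,
                         sil_from_bands(pfd_avg, PFD_BANDS))
    # High demand: the target failure measure is the dangerous failure frequency
    # itself, which the FAQ equates with the hazard rate; table 3 is per hour.
    pfh = tolerable_hazard_rate_per_year / HOURS_PER_YEAR
    return SilTarget(mode, "PFH", pfh, None, sil_from_bands(pfh, PFH_BANDS))


def target_for_continuous_mode(tolerable_hazard_rate_per_year: float) -> SilTarget:
    """Continuous-mode safety function (the E/E/PE system controls the EUC all the
    time): a dangerous failure is itself the hazardous event, so h = PFH."""
    pfh = tolerable_hazard_rate_per_year / HOURS_PER_YEAR
    return SilTarget("continuous", "PFH", pfh, None, sil_from_bands(pfh, PFH_BANDS))


if __name__ == "__main__":
    # Constructed figures attached to the FAQ's own examples; not from the standard.
    # Tank overfill protection (E1): one demand every five years, tolerable
    # hazard rate of one overflow per 10 000 years.
    print(target_for_demand_mode(1e-4, 0.2))      # low demand, PFDavg 5e-4, RRF 2000, SIL 3
    # Machine-tool speed limit (E2): 50 demands per year.
    print(target_for_demand_mode(1e-3, 50.0))     # high demand, PFH ~1.1e-7, SIL 2
    # Fly-by-wire flight control (E9): continuous mode.
    print(target_for_continuous_mode(1e-5))       # continuous, PFH ~1.1e-9, SIL 4
    print(target_for_continuous_mode(1e-6).sil)   # None: beyond the SIL 4 band
```

The None results are the cases a practitioner should watch for: a required PFDavg of 0.1 or more means the function does not attract a SIL at all, while a required PFH below 1e-9 per hour is not claimable by a single E/E/PE safety-related system and calls for additional risk reduction measures or a rethink of the EUC design rather than a "SIL 5".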

E13) What is the equipment under control (EUC)?

The equipment under control (EUC) is equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities (3.2.1 of IEC 61508-4). If any reasonably foreseeable action or inaction leads to hazardous events (i.e. events that may result in harm) with an intolerable risk arising from the EUC, then safety functions are necessary to achieve or maintain a safe state for the EUC. These safety functions are carried out by one or more safety-related systems.

 

Therefore, the EUC is the set of all equipment, machinery, apparatus or plant that gives rise to hazardous events for which the safety-related system is required. In the case of a safety-related protection system on an offshore platform, for example, the EUC is all parts of the platform that could affect the safety requirements.