E1) What is functional safety?
Functional safety is part of the overall safety
that depends on a system or equipment operating correctly in response
to its inputs. Functional safety is achieved when every specified
safety function is carried out and the level of performance required
of each safety function is met.
For example, an overtemperature protection device, using a thermal
sensor in the windings of an electric motor to de-energise the motor
before they can overheat, is an instance of functional safety. But
providing specialised insulation to withstand high temperatures
is not an instance of functional safety (although it is still an
instance of safety and could protect against exactly the same hazard).
See the document Functional
safety and IEC 61508 for further details.
E2) What is a safety-related system in the context of IEC 61508?
A safety-related system comprises everything (hardware,
software and human elements) necessary to carry out one or more
safety functions, where failure of the safety function would give
rise to a significant increase in the risk to the safety of persons
and/or the environment.
A safety-related system can comprise stand-alone equipment dedicated
to perform a particular safety function (such as a fire detection
system) or can be integrated into other plant or equipment (such
as motor speed control in a machine tool).
3.4.1 of IEC 61508-4 gives a formal definition.
E3) What does E/E/PE mean?
E/E/PE is an abbreviation of electrical/electronic/programmable
electronic. 3.2.6 of IEC 61508-4
defines this as based on electrical and/or electronic and/or programmable
electronic technology (see examples).
E4) What is a low complexity E/E/PE safety-related system?
This is defined in 3.4.4 of IEC
61508-4 as an E/E/PE safety-related
system, in which the failure modes of each individual component
are well defined and the behaviour of the system under fault conditions
can be completely determined.
An example is a system comprising one or more limit switches, operating
one or more contactors to de-energize an electric motor, possibly
via interposing electromechanical relays.
E5) What is a safety integrity level (SIL)?
A safety integrity level is one of four levels, each corresponding
to a range of target likelihood of failures of a safety function.
Note that a safety integrity level is a property of a safety function
rather than of a system or any part of a system.
E6) What does software safety integrity mean in the context of safety integrity being defined as probability of failure?
A safety integrity
level (SIL) applies to an end-to-end safety function of the
safety-related system. Like any
other system component, software has no safety integrity level in
isolation from the safety-related system. When integrated into
a system, software may be capable of supporting a particular safety
function at some safety integrity level, depending on how the software
was specified, designed, implemented, verified, etc. SILn software
is a short way of saying “software developed using appropriate
techniques and measures to ensure that the software meets the
systematic failure requirements of a specific safety function X
at SILn”.
Hardware suffers physical degradation and the resulting
random failure rates can be described numerically using well established
methods of statistical reliability. In contrast, software does not
degrade physically, and all failures result from systematic factors
in its construction and use. It is not currently widely accepted
that conventional reliability analysis can be applied to systematic
behavior. Therefore, the standard recognizes that a quantitative
demonstration that the target failure measures for safety integrity
levels in tables 2 and 3 of IEC 61508-1
have been met is in general possible only for random hardware failures
(see note 8 of 7.6.2.9 of IEC 61508-1). The effectiveness of the
measures and precautions used to meet the target failure measures
for systematic safety integrity (and specifically software) generally
needs to be assessed qualitatively.
However, despite the above difficulties, tables 2 and 3 of IEC
61508-1 provide a valuable framework for comparing different levels
of achievement of systematic safety integrity.
E7) What is meant by a SILn system, subsystem or component?
A safety integrity level (SIL)
is not a property of a system, subsystem or component. The correct
interpretation of this phrase is that the system, subsystem or component
is capable of supporting safety functions with a safety integrity
level up to n. This in itself is
not sufficient to achieve a safety function of the required
safety integrity level.
The safety integrity level capability of a subsystem
determines the highest safety integrity level that can be claimed
for any safety function that uses the subsystem. For this reason,
the term safety integrity level claim limit is sometimes used instead.
A SILn capability or claim limit (where n is 1, 2, 3 or 4) is determined for each subsystem by achieving a) or b) below.
a) The design requirements for SILn to prevent and control systematic faults in accordance with IEC 61508-2 and IEC 61508-3; or
b) The proven in use requirements for SILn in accordance with 7.4.7.6 to 7.4.7.10 of IEC 61508-2.
Other information
about the system, subsystem or component is also necessary to facilitate
a demonstration that the required safety integrity level of the
safety function in the E/E/PE safety-related
system will be achieved.
E8) What is functional safety assessment?
This is the critical activity that ensures functional
safety has actually been achieved. Those carrying out the functional
safety assessment shall be competent, shall have adequate
independence and shall consider the activities carried out and
the outputs obtained during each phase of every lifecycle and judge
the extent to which the objectives and requirements of IEC 61508
have been met. See clause 8 of IEC 61508-1
for further details.
E9) What is a mode of operation?
IEC 61508 describes two modes of operation for a
safety function. These are low demand mode of operation and
high demand or continuous mode of operation. The terms are
formally defined in 3.5.12 of IEC 61508-4.
In order to understand these two modes, it is necessary first of
all to understand the division between a demand mode of operation
and a continuous mode of operation.
A safety function operating in demand mode
is only performed when required (i.e. on demand) in order to transfer
the equipment under control (EUC) into a specified state. The E/E/PE
safety-related system that performs the safety
function has no influence on the EUC until there is a demand for
the safety function to be performed. Examples include protection
systems on chemical plants that respond to failures of the EUC or
EUC control system and anti-lock braking systems on automotive vehicles.
A safety function operating in continuous mode operates
to retain the EUC within its normal safe state. That is, the E/E/PE
safety-related system continuously controls the EUC, and a dangerous
failure of the E/E/PE safety-related system will lead to a hazard
unless other safety-related systems or external risk reduction facilities
intervene. Examples include speed control associated with machinery,
burner control of furnaces or fly-by-wire operation of aircraft
flight control surfaces.
IEC 61508 distinguishes between:
- low demand mode of operation, and
- high demand or continuous mode of operation.
E10) What is the difference between low demand mode of operation and high demand or continuous mode of operation?
Modes of operation are used
in IEC 61508 to describe two types of safety function carried out
by E/E/PE safety-related
systems. The modes are relevant when relating the target failure
measure of a safety function to be implemented by an E/E/PE safety-related
system to the safety integrity level. IEC 61508
relates the safety integrity level of a safety function to:
- the average probability of failure to perform
its design function on demand (in the case of low demand
mode – see table 2 of IEC 61508-1),
or
- the probability of a dangerous failure per hour (in the case
of high demand or continuous mode – see table 3 of
IEC 61508-1). The probability of a dangerous failure per hour
is sometimes referred to as the dangerous failure rate (i.e. dangerous
failures per hour).
Low demand mode, as defined in 3.5.12 of IEC 61508-4, is
where the frequency of demands for operation made on a safety-related
system is no greater than one per year and no greater than twice
the proof test frequency.
High demand or continuous mode, as defined in 3.5.12 of
IEC 61508-4, is where the frequency of demands for operation made
on a safety-related system is greater than one per year or greater
than twice the proof test frequency. In the context of this definition,
continuous is regarded as very high demand.
E11) Give me example architectures for the different modes of operation

Figure 1: Example system operating in demand mode
An example of a system architecture in which a safety-related
system implements safety functions operating in either low or
high demand mode is shown in Figure 1(a). In
this example, dangerous failures of the equipment under control
(EUC) or the EUC control system place demands on the E/E/PE
safety-related system (see Figures 1(b) and 1(c)). Table 2 in IEC
61508-1 is applicable only to system architectures where safety
functions are intended for operation in low demand
mode (Figure 1(b)). For system architectures where safety functions
are intended for operation in high demand mode,
Table 3 in IEC 61508-1 is applicable (Figure 1(c)).

Figure 2: Example system operating in continuous mode
An example of a system architecture in which a safety-related
control system implements safety functions operating in continuous
mode is shown in Figure 2(a). The corresponding system operation
is shown in Figure 2(b).
For system architectures where safety functions are intended for
operation in continuous mode, Table 3 in IEC 61508-1 is also applicable
(Figure 2(b)).
E12) Does the mode of operation affect how the safety integrity level is determined?
Yes.
First, it is helpful to use a common term hazard
rate to examine the differences between low
demand mode of operation and high demand or
continuous mode of operation. This is the estimated rate at
which specified hazards will take place unless other protective
measures are in place (such as other safety-related
systems). The fundamental aim is to design a safety-related
system so that the resulting hazard rate is sufficiently low to
meet the tolerable risk in the context of the specific application.
See example system architectures.
Low demand mode of operation
For a safety function operating in low demand
mode, the achieved hazard rate depends on the rate of demands on
the E/E/PE safety-related system and the probability
of failure on demand of the E/E/PE safety-related system in the
context of a specified safety function. That is:
Hazard rate (h) = Demand rate (d) × Average probability of failure on demand (PFDavg)
h = d × PFDavg
In the context of a system architecture such as
that shown in Figure 1(a) and (b), where the
E/E/PE safety-related system is acting as a protection system for
specified conditions arising on the equipment under control (EUC)
and EUC control system (i.e. where a failure of the EUC control
system would give rise to a demand on the E/E/PE safety-related
system), this relationship only holds if there is adequate independence
between the EUC and EUC control system combined and the E/E/PE safety-related
system. If there is inadequate independence then it is necessary
to take into account the effect of common cause failures between
the EUC and EUC control system combined and the E/E/PE safety-related
system. Such failures will lead to an increased hazard rate or place
increased demands on other safety-related systems.
The target failure measure for a safety function operating in low
demand mode is the average probability of failure to perform
the safety function on demand, and from above it can be seen
that:
PFDavg = h / d
Its reciprocal, d / h (i.e. 1 / PFDavg), is sometimes referred to as the risk reduction
factor.
Therefore, for a safety function operating in low
demand mode, in the case of a quantified approach to determining
the safety integrity level, the required safety integrity level
is determined from the required average probability of failure on
demand (PFDavg) (see table 2 of IEC
61508-1). The PFDavg required to achieve the
tolerable risk, and hence the required safety integrity level, can
be obtained from knowledge of the demand rate (d) and the
hazard rate (h) necessary to achieve the tolerable risk.
High demand or continuous mode of operation
For a safety function operating in high demand or continuous
mode and in the case of a quantified approach to determining
the safety integrity level, table 3 of IEC 61508-1 is used to determine
the required safety integrity level. The table relates the safety
integrity level to the probability of a dangerous failure per
hour, which is equivalent to the hazard rate and has to be low
enough to achieve the tolerable risk.
Hazard rate (h) = Probability of a dangerous failure per hour
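As an added worked example (not part of the IEC FAQ), the following Python applies the demand frequency test of E10 and the hazard rate relationships of E12 to derive the target failure measure and the required SIL from a tolerable hazard rate. The SIL bands are those of tables 2 and 3 of IEC 61508-1, which the FAQ cites but does not reproduce; the demand rates, proof test frequencies and tolerable hazard rate used are constructed sample values.

```python
"""Added worked example (not IEC material): classify a safety function's mode of
operation (E10) and derive the target failure measure and SIL from a tolerable
hazard rate (E12)."""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0

# SIL bands from tables 2 and 3 of IEC 61508-1 (cited by the FAQ; values taken from
# the standard). Each tuple: (SIL, lower bound inclusive, upper bound exclusive).
PFD_AVG_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def mode_of_operation(demands_per_year: float, proof_tests_per_year: float) -> str:
    """3.5.12 of IEC 61508-4 as restated in E10: low demand only if demands are no
    more frequent than once a year AND no more than twice the proof test frequency."""
    if demands_per_year <= 1.0 and demands_per_year <= 2.0 * proof_tests_per_year:
        return "low demand"
    return "high demand or continuous"


def sil_from_bands(value: float, bands) -> Optional[int]:
    """SIL whose band contains the value; None if outside the tabulated range."""
    for sil, low, high in bands:
        if low <= value < high:
            return sil
    return None


@dataclass
class SilRequirement:
    mode: str
    target_measure: str                      # "PFDavg" (table 2) or "PFH" (table 3)
    required_value: float
    required_sil: Optional[int]
    risk_reduction_factor: Optional[float]   # d / h, defined for low demand mode only


def required_sil(demands_per_year: float, proof_tests_per_year: float,
                 tolerable_hazard_rate_per_hour: float) -> SilRequirement:
    """Inputs are constructed sample values; h is the hazard rate the design must achieve."""
    mode = mode_of_operation(demands_per_year, proof_tests_per_year)
    h = tolerable_hazard_rate_per_hour
    if mode == "low demand":
        d = demands_per_year / HOURS_PER_YEAR   # demand rate in demands per hour
        pfd_avg = h / d                          # rearranged from h = d x PFDavg
        return SilRequirement(mode, "PFDavg", pfd_avg,
                              sil_from_bands(pfd_avg, PFD_AVG_BANDS), d / h)
    # High demand or continuous mode: the hazard rate is the PFH itself, so table 3 applies.
    return SilRequirement(mode, "PFH", h, sil_from_bands(h, PFH_BANDS), None)
```

With 0.1 demands per year, a yearly proof test and a tolerable hazard rate of 4e-8 per hour, the required PFDavg is about 3.5e-3 (SIL 2, risk reduction factor about 285); the same hazard rate with 100 demands per year forces high demand mode, where 4e-8 per hour sits in the SIL 3 band of table 3.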
E13) What is the equipment under control (EUC)?
The equipment under control (EUC) is equipment,
machinery, apparatus or plant used for manufacturing, process, transportation,
medical or other activities (3.2.3 of IEC
61508-4). If any reasonably foreseeable action or inaction leads
to hazards with an intolerable risk arising from the EUC, then safety
functions are necessary to achieve or maintain
a safe state for the EUC. These safety functions are carried out
by one or more safety-related systems.
Therefore, the EUC is the set of all equipment, machinery, apparatus
or plant that gives rise to hazards for which the safety-related
system is required. In the case of a safety-related protection system
on an offshore platform, for example, the EUC is all parts of the
platform that could affect the safety requirements.
Last updated: 2004-11-01

Note: This document answers
some Frequently Asked Questions (FAQs) about the international standard
IEC 61508, Functional safety of electrical/electronic/programmable
electronic safety-related systems. It has been compiled by SC65A/WG14,
the international committee responsible for producing guidelines
on IEC 61508. The answers to the questions are not intended to provide
a definitive technical answer but rather to inform the new user
to the standard.
We welcome feedback,
in terms of a comment on these web pages or a new question for consideration
by the committee.
Important: The above explanations have been
prepared by the IEC for general assistance but are not intended
to be a substitute for any user's specific requirements related
to a particular IEC standard. Enquiries on specific standards should
be addressed to the relevant IEC Technical Committee.