Safety and functional safety FAQ

IEC 61508 explained

1. Scope

Is IEC 61508 relevant to me?

Generally, the significant hazards for equipment and any associated control system have to be identified by the specifier or developer via a hazard analysis. The analysis identifies whether functional safety is necessary to ensure adequate protection against each significant hazard. If so, then it has to be taken into account in an appropriate manner in the design. Functional safety is just one method of dealing with hazards, and other means for their elimination or reduction, such as inherent safety through design, are of primary importance.

IEC 61508 defines appropriate means for achieving functional safety in the systems it covers.

What systems does IEC 61508 cover?

IEC 61508 applies to safety-related systems when one or more of such systems incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices. It covers possible hazards caused by failure of the safety functions to be performed by the E/E/PE safety-related systems, as distinct from hazards arising from the E/E/PE equipment itself (for example electric shock). It is generically based and applicable to all E/E/PE safety-related systems irrespective of the application.

It is recognized that the consequences of failure could also have serious economic implications and in such cases the standard could be used to specify any E/E/PE safety-related system used for the protection of equipment or product.

The scope of IEC 61508-1 gives more details.

Give me some practical examples

The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:

  • emergency shut-down systems,
  • fire and gas systems,
  • turbine control,
  • gas burner management,
  • crane automatic safe-load indicators,
  • guard interlocking and emergency stopping systems for machinery,
  • medical devices,
  • dynamic positioning (control of a ship's movement when in proximity to an offshore installation),
  • railway signalling systems (including moving block train signalling),
  • variable speed motor drives used to restrict speed as a means of protection,
  • remote monitoring, operation or programming of a network-enabled process plant,
  • an information-based decision support tool where erroneous results affect safety.

Relevant means of implementing safety functions include electro-mechanical relays (i.e. electrical), non-programmable solid-state electronics (i.e. electronic) and programmable electronics. Programmable electronic safety-related systems typically incorporate programmable controllers, programmable logic controllers, microprocessors, application specific integrated circuits, or other programmable devices (for example "smart" devices such as sensors/transmitters/actuators).

In every case, the standard applies to the entire E/E/PE safety-related system (for example from sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator). For safety functions to be effectively specified and implemented, it is essential to consider the system as a whole. The physical extent of an E/E/PE safety-related system is solely determined by the safety function.

How does IEC 61508 apply where E/E/PE technology makes up only a small part of the safety-related system?

IEC 61508 is applicable to any safety-related system that contains an E/E/PE device.

This applicability is appropriate because many requirements, particularly in IEC 61508-1, are not technology specific. Indeed, early development phases (such as initial concept, overall scope definition, hazard and risk analysis and specifying the overall safety requirements) may take place before the implementation technology has been decided.

Even during later phases such as realisation, specific functional safety requirements apply directly to non-E/E/PE devices, such as mechanical components, as well as E/E/PE devices. For example, the requirements for hardware reliability and fault tolerance in IEC 61508-2 directly relate to the properties of all components in the E/E/PE safety-related system, whether or not they include E/E/PE technology.

For low complexity E/E/PE safety-related systems, it is possible to comply with IEC 61508 while not meeting every requirement of the standard.

How does IEC 61508 apply to systems whose function is to avoid damage to the environment or severe financial loss?

IEC 61508 is concerned with achieving functional safety, where safety is defined as freedom from unacceptable risk of physical injury or damage to the health of people, either directly or indirectly as a result of damage to property or to the environment (see 3.1 of IEC 61508-4). So damage to long term health, including damage to property or the environment that leads to damage to long term health, is explicitly within the scope of the standard and is encompassed by the term safety.

It is recognised that the consequences of failure could also have serious economic implications and in such cases the standard could be used to specify any E/E/PE system used for the protection of equipment or product (1.2 f of IEC 61508-1).

The particular safety functions that are necessary, and the associated levels of performance required of them, are determined by hazard and risk analysis (see for example IEC 61508-5). An equivalent analysis of risk in terms of environmental or financial hazards can be performed by replacing safety parameters with environmental or financial parameters. Most of the subsequent requirements of the standard are as applicable for "environmental functions" or "financial functions" as they are for safety functions. This includes the required levels of performance, which are expressed in terms of the average probability of a dangerous failure on demand of the safety function or the average frequency of a dangerous failure of the safety function (per hour) (see Tables 2 & 3 of IEC 61508-1).

What does IEC 61508 consist of?

The standard is published in parts as shown below. Only parts 1 to 4 contain normative requirements.

  • IEC 61508-1:2010 (SC 65A) - Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements
  • IEC 61508-2:2010 (SC 65A) - Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
  • IEC 61508-3:2010 (SC 65A) - Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements
  • IEC 61508-4:2010 (SC 65A) - Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations
  • IEC 61508-5:2010 (SC 65A) - Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels
  • IEC 61508-6:2010 (SC 65A) - Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
  • IEC 61508-7:2010 (SC 65A) - Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 7: Overview of techniques and measures

Can I get hold of the standard for free, for example by downloading from the internet?

No, IEC 61508 is a priced publication. You can purchase it online from the IEC, or obtain it from the national standards body in your own country.

You can download for free the first few pages of an IEC standard from the IEC Webstore. These previews contain the contents, foreword, introduction, scope and normative references.

Now I've obtained a copy of the standard, how do I go about reading it?

Annex A of IEC 61508-5 provides introductory material on risk and safety integrity. In IEC 61508-1, the overall safety lifecycle requirements contained in clause 7 are summarized in a lifecycle diagram in figure 2, with an overview of each phase in table 1. In addition, requirements relating to verification, management of functional safety and functional safety assessment are contained in 7.18, clause 6 and clause 8 respectively.

Annex A of IEC 61508-6 gives an eight-page overview of the requirements in IEC 61508-2 and IEC 61508-3.

In IEC 61508-2, the E/E/PE system safety lifecycle requirements contained in clause 7 are summarised in a lifecycle diagram in figure 2, with an overview of each phase in table 1. Likewise, in IEC 61508-3, the software safety lifecycle requirements contained in clause 7 are summarised in figure 3 with an overview in table 1.

Any particular requirement of IEC 61508 should be considered in the context of its lifecycle phase (where applicable) and the stated objectives for the requirements of that phase, clause or subclause. The objectives are always stated immediately before the requirements.

2. International Standards framework

How will the standard be published internationally?

The standard is already published by the IEC and is available from the IEC Webstore.

What is the international status of IEC 61508?

Adoption of IEC International Standards by any country, whether it is a member of the IEC or not, is entirely voluntary. IEC National Committees undertake to apply IEC International Standards transparently to the maximum extent possible in their national and regional standards. Any divergence between the IEC International Standard and the corresponding national or regional standard shall be clearly indicated in the latter.

How does IEC 61508 fit together with application sector or product standards?

The standard sets out a generic approach for all safety lifecycle activities for E/E/PE safety-related systems that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy is developed for all E/E/PE safety-related systems, irrespective of the application sector. A major objective is to facilitate the development of product and application sector international standards based on the IEC 61508 series. For this reason the first four parts of the standard are basic safety publications.

What is a basic safety publication?

Parts 1, 2, 3 and 4 of IEC 61508 are designated as IEC basic safety publications. This means that IEC Technical Committees will have to use these parts in the preparation of each of their own product or application sector international standards that has E/E/PE safety-related systems within its scope. IEC 61508 will therefore have far reaching implications across all IEC application sectors.

Note 1: The basic safety publication status does not apply in the context of low complexity E/E/PE safety-related systems or where the required safety integrity of the E/E/PE system is less than the lowest safety integrity level in IEC 61508.

Note 2: The basic safety publication status of this international standard does not apply to medical equipment in compliance with the IEC 60601 series.

What product or application sector international standards based on IEC 61508 are there?

The following product and application sector standards have been published (Note: The standards specified below were developed to meet the requirements of IEC 61508 /Edition 1.0).

  • IEC 61513 ed1.0 (2001-03) (SC 45A) - Nuclear power plants - Instrumentation and control for systems important to safety - General requirements for systems
  • IEC 61511-1 ed1.0 (2003-01) (SC 65A) - Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements
  • IEC 61511-2 ed1.0 (2003-07) (SC 65A) - Functional safety - Safety instrumented systems for the process industry sector - Part 2: Guidelines for the application of IEC 61511-1
  • IEC 61511-3 ed1.0 (2003-03) (SC 65A) - Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels
  • IEC 62061 ed1.0 (2005-01) (TC 44) - Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
  • IEC 61800-5-2 ed1.0 (2007-07) (SC 22G) - Adjustable speed electrical power drive systems - Part 5-2: Safety requirements - Functional

Other standards may also be under development.

In addition to the development of product and application sector international standards based on IEC 61508, there are many standards which reference IEC 61508.

How do safety integrity levels 1 to 4 in IEC 61508 convert or relate to the categories described in EN 954-1?

Because of the different technical criteria used in IEC 61508 and EN 954-1:1996 (also published as ISO 13849-1:1999, which has now been superseded by ISO 13849-1:2006), these two standards do not provide a sufficient technical basis for directly linking a measure of safety performance based on the requirements for categories in EN 954-1:1996 with a similar measure of performance based on the requirements for safety integrity levels in IEC 61508.

However, in the context of safety performance, a pragmatic view is that an E/E/PE safety-related system capable of supporting safety integrity level 1 (SIL1) safety functions (according to IEC 61508) broadly satisfies the requirements for a category 1 or a category 2 system (according to EN 954-1:1996). Likewise, SIL2 can be said to satisfy category 3 and SIL3 can be said to satisfy category 4.

It is essential to note that there is no equivalent correlation in the reverse direction. For example, it cannot be said that any category 3 E/E/PE safety-related system is capable of supporting SIL2 safety functions. This is because many of the requirements of IEC 61508 do not have an equivalent in EN 954-1:1996.

Further details are available in IEC 62061.

Can I use IEC 61508 as a standalone standard?

Yes. A major objective of the standard is to enable the development of E/E/PE safety-related systems where product or application sector international standards do not exist.

Many requirements of IEC 61508, particularly in IEC 61508-2 and IEC 61508-3, are not repeated in the application sector or product standards but are referenced instead. The result is that most users of product or application sector international standards will also need IEC 61508.

Will IEC 61508 be revised?

IEC 61508 Edition 2.0 was published in April 2010 and will not be replaced by a new edition before 2014.


3. Regional issues / Technical interpretation

Is IEC 61508 also a European Standard?

It is intended to publish the seven parts of IEC 61508 Edition 2.0 as EN 61508.

Is application of IEC 61508 compulsory under any EC Directive?

No. EN 61508 does not have the status of a harmonized European standard, and is not referred to by any EC Directive.

Although EN 61508 is a European Standard, it does not have the status of a harmonized European standard in relation to any EC product directive and it is not therefore listed in the EC Official Journal. However, this does not prevent compliance with relevant parts of EN 61508 being used to support a declaration of conformity with an EC product directive, if that is appropriate. But because EN 61508 is not a harmonized European standard, compliance with it does not provide a presumption of conformity with any directive. It would therefore be necessary to explain in the product's technical file how compliance with EN 61508 is being used to support compliance with specific essential requirements of the particular directive.

There are also no plans to harmonize IEC 61511 or IEC 61513 under any EC Directive. However:

  • IEC 62061, which has been adopted in Europe as EN 62061, was a harmonized European standard under the 98/37/EC Machinery Directive (an EC product directive) and will become a harmonized European standard under the 2006/42/EC Machinery Directive. This is possible because the scope of IEC 62061 is restricted to product requirements rather than the whole safety lifecycle requirements of IEC 61508, which go beyond what is appropriate for a product directive. Although harmonization of EN 62061 means that compliance with it will grant a presumption of conformity with the relevant essential requirements of the Machinery Directive, it will not preclude the use of other ways of meeting those requirements (e.g. by the application of other standards).
  • IEC 61800-5-2 (EN 61800-5-2) is a harmonized European standard under the 2006/42/EC Machinery Directive.

Note: For the latest position regarding European standards in relation to Directive 2006/42/EC on machinery, see the Publications in the Official Journal.

How can I request a technical interpretation for a particular subclause of the standard?

It is the responsibility of your national committee to answer questions put to them about the standard. They will forward your question to the relevant international committee where appropriate.

How can I contact my national committee?

The IEC web site contains a list of the National Committees that are participating in or observing the development of IEC 61508. You should contact the secretary of the committee in the first instance.

If your country is not on the above list, try contacting the secretary of your National Committee.

4. Complying with the standard

Which requirements do I need to satisfy in order to claim compliance with the standard?

The term "shall" used in a requirement indicates that the requirement is strictly to be followed if conformance to the standard is to be claimed.

Where "should" (or "it is recommended that") is used, this indicates that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required.

Normative elements set out the provisions to which it is necessary to conform in order to be able to claim compliance with the standard. The text in a normative element usually contains both "shall" and "should".

In IEC 61508, the following contain normative elements: part 1 (excluding the annex); part 2 (including annexes A, B, C, D and E but excluding annex F); part 3 (including annexes A and D but excluding annexes B, C, E, F and G); and part 4. There are no normative requirements in parts 5, 6 and 7 of the standard.

Informative elements of the standard provide additional information intended to assist its understanding or use, but with which it is not necessary to conform in order to be able to claim compliance. The text in an informative element cannot contain "shall". Notes and footnotes are always informative.

In IEC 61508, the following are informative: annex A of part 1; annex F of part 2; annexes B, C, E, F and G of part 3; and all annexes of parts 5, 6 and 7.

For the overall framework of the IEC 61508 series see IEC 61508-1, Figure 1 (page 10 of the preview).

How does IEC 61508 apply to low complexity E/E/PE safety-related systems?

If the standard is used for low complexity E/E/PE safety-related systems, where dependable field experience exists which provides the necessary confidence that the required safety integrity can be achieved, certain of the requirements specified in the standard may be unnecessary and exemption from compliance with such requirements is acceptable provided this is justified (4.2 of IEC 61508-1).

The standard does not state which requirements this applies to; that is for the user of the standard to decide and justify. Note, however, that the conditions in which this relaxation applies are very restrictive.

Give me some practical examples

IEC 61508 separates the specification of the safety functions to be performed into two elements:

  • the safety function requirements (what the function does); and
  • the safety integrity requirements (the likelihood of a safety function being performed satisfactorily).

IEC 61508 does not stipulate what safety function requirements nor what safety integrity requirements are necessary for any particular application.

The safety integrity level (SIL 1, 2, 3 or 4) corresponds to a range of safety integrity values, measured for a specified safety function in terms of:

  • the average probability of a dangerous failure on demand (for low demand mode of operation); or,
  • the average frequency of a dangerous failure per hour (for high demand or continuous mode of operation).

Note: For mode of operation see IEC 61508-4, subclause 3.5.16.
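The FAQ says twice (in the answer on environmental and financial functions, and in the two bullets above) that a SIL is a range of a measured value: PFDavg for low demand mode, PFH for high demand or continuous mode, with the mode chosen according to IEC 61508-4 subclause 3.5.16. The following Python is an added example, not text or code from the IEC or from this FAQ, that works a single safety function through that decision. It assumes the band limits of IEC 61508-1 Tables 2 and 3, the one-demand-per-year threshold of the low demand definition, and a first-order 1oo1 approximation PFDavg ≈ λ_DU·T/2 (a simplification of the IEC 61508-6 Annex B model that ignores repair time and diagnostics); all function names and the sample failure rate are constructed for the example.

```python
"""Added example (not from the IEC FAQ): mapping a safety function's target
failure measure onto a safety integrity level.

Assumptions, stated here and not taken from the FAQ:
  * the SIL band limits are those of IEC 61508-1 (2010) Tables 2 and 3;
  * the mode-of-operation split uses the one-demand-per-year threshold of
    the IEC 61508-4 low demand definition (3.5.16);
  * PFDavg for a single-channel (1oo1) function is approximated by
    lambda_DU * T / 2, a first-order simplification that ignores repair
    times and diagnostic coverage; a real assessment uses the full
    reliability model (IEC 61508-6 Annex B) or an equivalent analysis.
"""
from enum import Enum


class Mode(Enum):
    LOW_DEMAND = "low demand"    # measured as PFDavg (dimensionless)
    HIGH_DEMAND = "high demand"  # measured as PFH (dangerous failures per hour)
    CONTINUOUS = "continuous"    # measured as PFH (dangerous failures per hour)


# Band limits are half-open: lower <= measure < upper.
# IEC 61508-1 Table 2 (low demand): average probability of dangerous failure on demand.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# IEC 61508-1 Table 3 (high demand / continuous): average frequency of dangerous failure per hour.
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def mode_from_demand_rate(demands_per_year, continuous=False):
    """Pick the mode of operation, which decides which measure (PFDavg or PFH)
    and therefore which table applies to the safety function."""
    if continuous:
        return Mode.CONTINUOUS
    if demands_per_year < 0:
        raise ValueError("demand rate cannot be negative")
    return Mode.LOW_DEMAND if demands_per_year <= 1.0 else Mode.HIGH_DEMAND


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """First-order PFDavg for a 1oo1 channel (assumption, see module docstring).
    lambda_DU is the dangerous undetected failure rate per hour; T is the
    proof-test interval in hours."""
    if lambda_du_per_hour < 0 or proof_test_interval_hours <= 0:
        raise ValueError("failure rate must be >= 0 and proof-test interval > 0")
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def sil_from_measure(measure, mode):
    """Return the SIL (1..4) whose band contains the measure, or None when the
    measure lies outside every band: worse than the SIL 1 limit, or better than
    the SIL 4 limit (the standard defines no level above SIL 4)."""
    if measure < 0:
        raise ValueError("failure measure cannot be negative")
    bands = PFD_BANDS if mode is Mode.LOW_DEMAND else PFH_BANDS
    for sil, (lower, upper) in bands.items():
        if lower <= measure < upper:
            return sil
    return None


def classify_safety_function(lambda_du_per_hour, proof_test_interval_hours,
                             demands_per_year, continuous=False):
    """Work a function through to a (mode, SIL) pair. In high demand or
    continuous mode the measure is the dangerous failure rate itself (PFH);
    proof testing does not reduce it in this simplification."""
    mode = mode_from_demand_rate(demands_per_year, continuous)
    if mode is Mode.LOW_DEMAND:
        measure = pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours)
    else:
        measure = lambda_du_per_hour
    return mode, sil_from_measure(measure, mode)


if __name__ == "__main__":
    # Constructed sample input: lambda_DU = 1e-6 /h, annual proof test (8760 h),
    # one demand roughly every five years -> low demand, PFDavg = 4.38e-3 -> SIL 2.
    print(classify_safety_function(1e-6, 8760, 0.2))
    # Same hardware but fifty demands a year -> high demand, PFH = 1e-6 /h -> SIL 1.
    print(classify_safety_function(1e-6, 8760, 50))
    # A PFDavg of 0.5 lies outside every band: no SIL can be claimed for it.
    print(sil_from_measure(0.5, Mode.LOW_DEMAND))
```

The two sample runs make the FAQ's point concrete: the same hardware with the same failure rate supports SIL 2 in low demand mode but only SIL 1 in high demand mode, because the measure and the table change with the mode. A result of None signals that the function is either outside the SIL 1 limit or beyond SIL 4, and in neither case does the standard assign a level.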

The safety integrity level allocated to the E/E/PE safety-related system for a specified safety function will affect the degree of rigour to which a requirement of the standard is to be satisfied. But other factors will also affect this (see 4.1 of IEC 61508-1).

Some elements of the standard make the dependence on safety integrity level explicit by grading the requirements, for example:

  • Table 5 of IEC 61508-1;
  • 7.4.2 and annexes A and B of IEC 61508-2; and
  • Annexes A and B of IEC 61508-3.

Is it necessary to choose techniques and measures from those recommended in annexes A and B of IEC 61508-2 and IEC 61508-3 in order to comply with the standard?

Although all four normative annexes contain recommendations for the use of particular techniques and measures, they differ in what is required for compliance.

In subclause A.2 of IEC 61508-2, table A.1 provides the requirements for faults or failures that shall be detected by techniques and measures to control hardware failures. Tables A.2 to A.15, also in subclause A.2 of IEC 61508-2, support the requirements of table A.1 by recommending techniques and measures for diagnostic tests and recommending maximum levels of diagnostic coverage that can be achieved using them. Therefore, in order to comply with the standard, it is necessary to fulfil the requirements of table A.1, but tables A.2 to A.15 suggest just one set of possibilities on how the requirements of table A.1 can be met.

In subclause A.3 of IEC 61508-2, tables A.16 to A.18 recommend particular techniques and measures; it is therefore not necessary to use any of these in order to claim compliance. However, if you do not use a technique or measure that is highly recommended for the safety integrity level, then the rationale behind not using it shall be detailed. Also, for every technique or measure listed in tables A.16 to A.18 that you do use, it shall be used to the extent necessary to give at least the level of effectiveness stated in the table. Table A.19 gives guidance on what is intended by the terms low and high effectiveness for just some of the techniques and measures.

The techniques and measures in annex B of IEC 61508-2 are recommended in the same way as those in subclause A.3. It is necessary to detail the rationale wherever a technique or measure that is highly recommended for the safety integrity level is not used, and wherever a technique or measure that is positively not recommended for the safety integrity level is used. And it is necessary to achieve at least the level of effectiveness stated in the table for any techniques or measures that you do use. Table B.6 gives guidance on what is intended by the terms low and high effectiveness for most of the techniques and measures.

In annexes A and B of IEC 61508-2, the table shading adds recommendations on how to select and combine the techniques and measures.

Note that annex C of IEC 61508-2 is also normative and contains requirements that are necessary for compliance.

Annexes A and B of IEC 61508-3 contain the requirement that appropriate techniques and measures shall be selected according to the safety integrity level. In addition to the specific techniques listed in Annexes A and B, other techniques may be used providing that the requirements and objectives of the relevant clause of IEC 61508-3 have been met. Anyone claiming compliance with the standard is required to consider which techniques or measures are most appropriate for the specific problems encountered during the development of each E/E/PE safety-related system. See IEC 61508-3 Annex C (and supplementary information in IEC 61508-7 Annex F) for guidance on a reasoned argument to justify the selection of software techniques.

A particular concern is raised by systematic factors in the failure of a safety function. Systematic failure factors can arise in both hardware and software. The effectiveness of the measures and precautions used to meet the target failure measures for systematic safety integrity generally needs to be assessed qualitatively.

The IEC 61508-3 Annex A and B tables of recommended software techniques are not checklists by which systematic safety integrity in software can be guaranteed. Given the large number of factors that affect software systematic capability, it is not possible to give an algorithm for combining the techniques and measures that will be correct for any given application. It is for this reason that Annex C (and supplementary information in IEC 61508-7 Annex F) has been developed; its purpose is:

  • to give guidance on deciding between alternative techniques from Annexes A and B to achieve software systematic capability;
  • to outline a rationale for justifying the use of techniques that are not explicitly listed in Annexes A and B.

Software techniques will need to be chosen judiciously with attention to several key factors including:

  • the developers' personal competence and experience in techniques;
  • the developers' familiarity with the application and likely difficulties;
  • the size or complexity of the application;
  • industry sector recommendations and recognized good practice; and
  • national and international published standards.

Annexes A and B contain a recommendation that the rationale for not following the guidance for highly recommended or not recommended techniques or measures should be detailed during the safety planning and agreed with the assessor.

In both IEC 61508-2 and IEC 61508-3, the choice of techniques for each lifecycle phase needs to be documented (see clause 5 of IEC 61508-1). Other subclauses require some of this documentation to include a justification of the choice of techniques and measures, even if all recommendations are followed. See for example 7.3.2.2 e) and 7.4.2.9 of IEC 61508-2, and 7.4.3.2 a) of IEC 61508-3.

I have contractual responsibility for some (but not all) of the development phases for an E/E/PE safety-related system. What information do I need in documentation from other parties to enable me to comply with IEC 61508?

IEC 61508-1, clause 6 sets out the requirements on an organisation with responsibility for an E/E/PE safety-related system, or for one or more phases of the overall, E/E/PE system or software safety lifecycle. Also, IEC 61508-1, clause 5 sets out the documentation requirements. The fundamental requirement relating to the documentation is that it shall contain sufficient information, for each phase of the overall, E/E/PE system and software safety lifecycles completed, necessary for effective performance of subsequent phases and verification activities (see clause 5 of IEC 61508-1).

Of particular importance in the context of this question is the "Safety manual for compliant items" (see IEC 61508-2, Annex D). The purpose of the safety manual for compliant items is to document all the information, relating to a compliant item, which is required to enable the integration of the compliant item into a safety-related system, or a subsystem or element, in compliance with the requirements of IEC 61508.

In summary, IEC 61508 has requirements to ensure that the necessary information is available to achieve functional safety to those who have responsibility for its achievement. IEC 61508-1, clause 5 sets out the general requirements for the need to have sufficient information and the safety manual for compliant items specifies the information that has to be supplied in relation to an item (e.g. a component) on which the supplier is claiming compliance with specified clause(s) in IEC 61508.

Table 1 of IEC 61508-1 specifies the information necessary for each phase of the overall safety lifecycle. Table 1 of IEC 61508-2 and table 1 of IEC 61508-3 are the equivalents for the E/E/PE system safety and software safety lifecycles.

For example, part of the entry from table 1 of IEC 61508-1 for the phase "E/E/PE safety-related systems: realisation" is reproduced below. It can be seen from the table that a system supplier with responsibility for the realisation phase needs documentation containing the specification for the E/E/PES safety requirements. This will set out all the requirements for the safety functions that have been allocated to the E/E/PE safety-related system(s) together with the safety integrity requirements for each of these safety functions.

Safety lifecycle phase: E/E/PE safety-related systems: realisation (7.11.1 and parts 2 and 3)
Objectives: To create E/E/PE safety-related systems conforming to the specification for the E/E/PE system safety requirements (comprising the specification for the E/E/PE system safety functions requirements and the specification for the E/E/PE system safety integrity requirements)
Scope: E/E/PE safety-related systems
Inputs: Specification for the E/E/PE safety requirements
Outputs: Realisation of each E/E/PE safety-related system according to the E/E/PE system safety requirements specification

Suppliers are quoting that their products conform to IEC 61508 for a specific safety integrity level. Does this mean that using these products is sufficient for me to comply with IEC 61508?

No. A safety integrity level is not directly applicable to individual subsystems, elements or components. It applies to a safety function carried out by the E/E/PE safety-related system.

IEC 61508 covers all components of the E/E/PE safety-related system, including field equipment and specific project application logic. All these subsystems, elements and components, when combined to implement the safety function (or functions), are required to meet the safety integrity level target of the relevant safety functions. Any design using supplied subsystems and components that are all quoted as suitable for the required safety integrity level target of the relevant safety functions, together with the information associated with the supplied subsystems and components, will have to be assessed to determine whether or not the subsystems and components are in fact suitable. Suppliers of products intended for use in E/E/PE safety-related systems should provide sufficient information to facilitate a demonstration that the E/E/PE safety-related system complies with IEC 61508 and shall comply with Annex D of IEC 61508-2 (Safety manual for compliant items).

I supply subsystems, such as sensors or actuators, that are intended for use in an E/E/PE safety-related system. What does IEC 61508 mean for me?

As a supplier of items (e.g. components/elements) for which you are claiming compliance with specified clauses of IEC 61508, you will need to comply with IEC 61508-2 Annex D "Safety manual for compliant items". The purpose of the safety manual for compliant items is to document all the information, relating to a compliant item, which is required to enable the integration of the compliant item into a safety-related system, or a subsystem or element, in compliance with the requirements of IEC 61508.

The following subclauses are particularly relevant in this context:

  • IEC 61508-2/7.4.9.6: Suppliers shall provide a safety manual for compliant items, in accordance with Annex D, for each compliant item that they supply and for which they claim compliance with IEC 61508 series.
  • IEC 61508-2/7.4.9.7: The supplier shall document a justification for all the information that is provided in each safety manual for compliant items.

Note 1: It is essential that the claimed safety performance of an element is supported by sufficient evidence. Unsupported claims do not help establish the correctness and integrity of the safety function to which the element contributes.

Note 2: There may be commercial or legal restrictions on the availability of the evidence. These restrictions are outside the scope of this standard. If such restrictions deny the functional safety assessment adequate access to the evidence, then the element is not suitable for use in E/E/PE safety-related systems.

Do I have to use third party certified components in order to comply with IEC 61508?

No. The standard requires a functional safety assessment to be carried out on all parts of the E/E/PE safety-related system and for all phases of the lifecycle (see clause 8 of IEC 61508-1).

The level of independence required of the assessor ranges from an independent person in the same organization for safety integrity level 1 to an independent organization for safety integrity level 4. The required level of independence for safety integrity levels 2 and 3 is affected by additional factors including system complexity, novelty of design and previous experience of the developers. There is also a specific requirement that the assessor shall be competent for the activities to be undertaken.

Is there any correlation between the level of independence required for functional safety assessment and the need for third party certification?

The level of independence required should be distinguished from the concept of third-party certification, which is not a requirement of IEC 61508. For some companies even the requirement for independent persons or departments may have to be met by using an external organization, but this does not mean that the external organization has to be a certification body. The external body, in such a situation, should have the competence and the appropriate level of independence to undertake the task; it may or may not be a certification body.

Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by way of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization (note 2 of 8.2.12 of IEC 61508-1).

See 3.8.10, 3.8.11 and 3.8.12 of IEC 61508-4 for definitions of independent person, independent department and independent organization respectively.

In what ways do I need to consider the impact of human activities on the operation of an E/E/PE safety-related system?

IEC 61508 requires human factor issues to be considered in the determination of hazards and hazardous events (7.4.2.3 of IEC 61508-1) and in the design of the E/E/PE safety-related system (7.4.5.3 of IEC 61508-2). For E/E/PE safety-related protection systems, there are three principal areas that need to be considered:

  • human actions or errors that can place a demand on the E/E/PE safety-related protection system – these need to be identified and quantified;
  • human failure to respond effectively to alarms or take other actions that would otherwise reduce the demand on the E/E/PE safety-related protection system;
  • human failure in testing and maintenance of the E/E/PE safety-related protection system, reducing its effectiveness and increasing the probability of failure on demand.

Do control systems that place demands on a safety-related system have to be themselves designated as safety-related systems?

7.5.2.4 of IEC 61508-1 gives the requirements that apply for the control system not to be designated as a safety-related system. In summary, these are:

  • allowing for a dangerous failure rate of the control system no lower than the limit defined by the standard (i.e. no lower than 10⁻⁵ dangerous failures per hour, the rate at which table 3 of IEC 61508-1 would begin to credit it with SIL 1), so that the control system is not relied upon as if it were a safety-related system;
  • providing an adequate demonstration that the dangerous failure rate allowed for is actually achieved (7.5.2.4 of IEC 61508-1 contains further details);
  • determining all reasonably foreseeable dangerous failure modes of the control system.

It should be noted that the dangerous failure rate referred to in the above requirements relates to a specified dangerous failure mode of a function performed by the control system which could, in the context of the question, place a demand on a safety-related system.

How do electromagnetic immunity limits depend on the safety integrity level?

7.10.2.7 (f) of IEC 61508-1 states: The E/E/PE system safety integrity requirements specification shall contain: the electromagnetic immunity limits that are required to achieve functional safety. These limits should be derived taking into account both the electromagnetic environment and the required safety integrity levels (see IEC/TS 61000-1-2).

Note 5: Due to the nature and physics of electromagnetic phenomena no simple, evident and provable correlation can be established between the required immunity level and safety integrity level for nearly all cases of electromagnetic phenomena. Specifying effective immunity levels solely according to the required SIL is therefore not possible and reasonable in those cases. Alternative approaches may be used which, to some degree, specify the required immunity level according to the required SIL but also involve special test arrangements or test performance criteria. See IEC/TS 61000-1-2, Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena.

5. Key concepts

What is functional safety?

Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. Functional safety is achieved when every specified safety function is carried out and the level of performance required of each safety function is met.

Functional safety relies on active systems. An example of functional safety would be the activation of a level switch in a tank containing a flammable liquid, when a potentially dangerous level has been reached, which causes a valve to be closed to prevent further liquid entering the tank and thereby preventing the liquid in the tank from overflowing.

Safety achieved by measures that rely on passive systems is not functional safety. A fire resistant door or insulation to withstand high temperatures are measures that are passive in nature and can protect against the same hazards as are sometimes controlled by functional safety concepts but are not instances of functional safety.

See also IEC/TR 61508-0 Ed1.0, Functional safety of E/E/PE safety-related systems - Part 0: Functional safety and IEC 61508 for further details.

What is a safety-related system in the context of IEC 61508?

A safety-related system comprises everything (hardware, software and human elements) necessary to carry out one or more safety functions, where failure of the safety function would give rise to a significant increase in the risk to the safety of persons and/or the environment.

A safety-related system can comprise stand-alone equipment dedicated to perform a particular safety function (such as a fire detection and suppression system) or can be integrated into other plant or equipment (such as motor speed control in a machine tool).

3.4.1 of IEC 61508-4 gives a formal definition.

What does E/E/PE mean?

E/E/PE is an abbreviation of electrical/electronic/programmable electronic. 3.2.6 of IEC 61508-4 defines this as based on electrical and/or electronic and/or programmable electronic technology.

What is a low complexity E/E/PE safety-related system?

This is defined in 3.4.4 of IEC 61508-4 as an E/E/PE safety-related system, in which the failure modes of each individual component are well defined and the behaviour of the system under fault conditions can be completely determined.

An example is a system comprising one or more limit switches, operating one or more contactors to de-energize an electric motor, possibly via interposing electromechanical relays.

What is a safety integrity level (SIL)?

A safety integrity level is one of four levels, each corresponding to a range of target likelihood of failures of a safety function. Note that a safety integrity level is a property of a safety function rather than of a system or any part of a system.

What is functional safety assessment?

The objective of the functional safety assessment is to investigate and arrive at a judgement on the adequacy of the functional safety achieved by the E/E/PE safety-related system(s) or compliant items (e.g. elements/subsystems), based on compliance with the relevant clauses of the standard.

Functional safety assessment is the critical activity that ensures functional safety has actually been achieved based on compliance with the relevant clauses of this standard. Those carrying out the functional safety assessment shall be competent, shall have adequate independence and shall consider the activities carried out and the outputs obtained during each phase of every lifecycle and judge the extent to which the objectives and requirements of IEC 61508 have been met. See clause 8 of IEC 61508-1 for further details.

What is a mode of operation?

IEC 61508 describes two modes of operation for a safety function. These are low demand mode of operation and high demand or continuous mode of operation. The terms are formally defined in 3.5.16 of IEC 61508-4.

In order to understand these two modes, it is necessary first of all to understand the division between a demand mode of operation and a continuous mode of operation.

A safety function operating in demand mode is only performed when required (i.e. on demand) in order to transfer the equipment under control (EUC) into a specified state. The E/E/PE safety-related system that performs the safety function has no influence on the EUC until there is a demand for the safety function to be performed. Examples include protection systems on chemical plants that respond to failures of the EUC or EUC control system and anti-lock braking systems on automotive vehicles.

A safety function operating in continuous mode operates to retain the EUC within its normal safe state. That is, the E/E/PE safety-related system continuously controls the EUC, and a dangerous failure of the E/E/PE safety-related system will lead to a hazardous event unless other safety-related systems or other risk reduction measures intervene. Examples include speed control associated with machinery, burner control of furnaces or fly-by-wire operation of aircraft flight control surfaces.

IEC 61508 distinguishes between:

  • low demand mode of operation, and
  • high demand or continuous mode of operation.

What is the difference between "low demand mode of operation" and "high demand or continuous mode of operation" ?

Modes of operation are used in IEC 61508 to describe two types of safety function carried out by E/E/PE safety-related systems. The modes are relevant when relating the target failure measure of a safety function to be implemented by an E/E/PE safety-related system to the safety integrity level. IEC 61508 relates the safety integrity level of a safety function to:

  • the average probability of a dangerous failure on demand (in the case of low demand mode – see table 2 of IEC 61508-1), or
  • the average frequency of a dangerous failure per hour (in the case of high demand or continuous mode – see table 3 of IEC 61508-1). The average frequency of a dangerous failure per hour is sometimes referred to as the dangerous failure rate (i.e. dangerous failures per hour).

Low demand mode, as defined in 3.5.16 of IEC 61508-4, is where the frequency of demands for operation made on a safety-related system is no greater than one per year.

High demand or continuous mode, as defined in 3.5.16 of IEC 61508-4, is where the frequency of demands for operation made on a safety-related system is greater than one per year. Continuous is regarded as very high demand.

Give me example architectures for the different modes of operation

An example of a system architecture in which a safety-related system implements safety functions operating in either low or high demand mode is shown in Figure 1(a). In this example, dangerous failures of the equipment under control (EUC) or the EUC control system place demands on the E/E/PE safety-related system (see Figures 1(b) and 1(c)). Table 2 in IEC 61508-1 is applicable only to system architectures where safety functions are intended for operation in low demand mode (Figure 1(b)). For system architectures where safety functions are intended for operation in high demand mode, Table 3 in IEC 61508-1 is applicable (Figure 1(c)).

An example of a system architecture in which a safety-related control system implements safety functions operating in continuous mode is shown in Figure 2(a). The corresponding system operation is shown in Figure 2(b). For system architectures where safety functions are intended for operation in continuous mode, Table 3 in IEC 61508-1 is also applicable (Figure 2(b)).

Figure 1: Example system operating in demand mode

Figure 2: Example system operating in continuous mode

Does the mode of operation affect how the safety integrity level is determined?

Yes.

First, it is helpful to use a common term, hazard rate, to examine the differences between low demand mode of operation and high demand or continuous mode of operation. This is the estimated rate at which specified hazardous events will take place unless other protective measures are in place (such as other safety-related systems). The fundamental aim is to design a safety-related system so that the resulting hazard rate is sufficiently low to meet the tolerable risk in the context of the specific application.

See example system architectures.

Low demand mode of operation

For a safety function operating in low demand mode, the achieved hazard rate depends on the rate of demands on the E/E/PE safety-related system and the probability of failure on demand of the E/E/PE safety-related system in the context of a specified safety function. That is:

Hazard rate (h) = Demand rate (d) x Average probability of failure on demand (PFDavg)
h   = d x PFDavg

In the context of a system architecture such as that shown in Figure 1(a) and (b), where the E/E/PE safety-related system is acting as a protection system for specified conditions arising on the equipment under control (EUC) and EUC control system (i.e. where a failure of the EUC control system would give rise to a demand on the E/E/PE safety-related system), this relationship only holds if there is adequate independence between the EUC and EUC control system combined and the E/E/PE safety-related system. If there is inadequate independence then it is necessary to take into account the effect of common cause failures between the EUC and EUC control system combined and the E/E/PE safety-related system. Such failures will lead to an increased hazard rate or place increased demands on other safety-related systems.

The target failure measure for a safety function operating in low demand mode is the average probability of failure to perform the safety function on demand and from above it can be seen that:

PFDavg = h / d

The inverse ratio, d / h (i.e. 1 / PFDavg), is sometimes referred to as the risk reduction factor: it is the hazard rate that would be seen without the protection function (each demand would become a hazardous event, so that rate is d) divided by the hazard rate achieved with it.

Therefore, for a safety function operating in low demand mode, in the case of a quantified approach to determining the safety integrity level, the required safety integrity level is determined from the required average probability of failure on demand (PFDavg) (see table 2 of IEC 61508-1). The PFDavg required to achieve the tolerable risk, and hence the required safety integrity level, can be obtained from knowledge of the demand rate (d) and the hazard rate (h) necessary to achieve the tolerable risk.

High demand or continuous mode of operation

For a safety function operating in high demand or continuous mode and in the case of a quantified approach to determining the safety integrity level, table 3 of IEC 61508-1 is used to determine the required safety integrity level. The table relates the safety integrity level to the average frequency of a dangerous failure per hour (PFH), which is equivalent to the hazard rate and has to be low enough to achieve the tolerable risk. No demand rate appears in this relationship: in these modes a dangerous failure of the E/E/PE safety-related system is taken to lead to a hazardous event, because a demand will arrive before the failure can be detected and repaired.

Hazard rate (h) = Average frequency of a dangerous failure per hour (PFH)
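As an added worked example (not code from IEC 61508 or from this FAQ), the script below carries the relationships above through for both modes of operation and also applies the 10⁻⁵ dangerous failures per hour threshold from the earlier question on control systems that place demands on a safety-related system. The band limits are those of tables 2 and 3 of IEC 61508-1; the function names, the convention of rates per year for the low demand calculation and per hour for the high demand calculation, the 8760 hours per year conversion and the sample figures are assumptions of the example.

```python
"""Added worked example: turning a tolerable hazard rate into a SIL target.

Hypothetical helper functions, not code from IEC 61508 or this FAQ. The band
limits are the target failure measures of IEC 61508-1 tables 2 and 3 and the
1e-5 per hour threshold is the one quoted for 7.5.2.4; the names, unit
conventions and the 8760 h/year conversion are assumptions of this example.
"""
from typing import Optional, Tuple

HOURS_PER_YEAR = 8760.0

# Table 2 (low demand): average probability of dangerous failure on demand.
# Bands are [lower, upper), e.g. SIL 3 means 1e-4 <= PFDavg < 1e-3.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Table 3 (high demand or continuous): average frequency of dangerous
# failure per hour (PFH), e.g. SIL 3 means 1e-8 <= PFH < 1e-7.
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# 7.5.2.4: a control system that is NOT designated safety-related may not be
# credited with a dangerous failure rate lower than this (the SIL 1 boundary).
NON_SRS_MIN_CLAIMED_RATE_PER_HOUR = 1e-5


def mode_of_operation(demand_rate_per_year: float) -> str:
    """3.5.16: low demand when demands are no more frequent than one per year."""
    return "low demand" if demand_rate_per_year <= 1.0 else "high demand or continuous"


def _sil_from_band(value: float, bands: dict) -> Optional[int]:
    """Return the SIL whose band contains value, or None if outside SIL 1..4."""
    for sil, (lower, upper) in bands.items():
        if lower <= value < upper:
            return sil
    return None


def required_pfd_avg(hazard_rate_per_year: float, demand_rate_per_year: float) -> float:
    """h = d x PFDavg, so the required PFDavg is h / d (both rates per year)."""
    if demand_rate_per_year <= 0 or hazard_rate_per_year <= 0:
        raise ValueError("rates must be positive")
    return hazard_rate_per_year / demand_rate_per_year


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF = d / h = 1 / PFDavg: the factor by which the protection lowers the hazard rate."""
    return 1.0 / pfd_avg


def determine_sil(tolerable_hazard_rate_per_year: float,
                  demand_rate_per_year: float) -> Tuple[str, float, Optional[int]]:
    """Select the mode, compute the target failure measure and look up the SIL.

    Returns (mode, target_measure, sil). sil is None when the measure lies
    outside the SIL 1..4 bands: above the SIL 1 band no E/E/PE safety
    function is required for this risk; below the SIL 4 band a single
    E/E/PE safety function cannot be relied on and other risk reduction
    measures are needed.
    """
    mode = mode_of_operation(demand_rate_per_year)
    if mode == "low demand":
        pfd = required_pfd_avg(tolerable_hazard_rate_per_year, demand_rate_per_year)
        return mode, pfd, _sil_from_band(pfd, PFD_BANDS)
    # In high demand or continuous mode the hazard rate is the dangerous
    # failure rate itself, so express it per hour and use table 3.
    pfh = tolerable_hazard_rate_per_year / HOURS_PER_YEAR
    return mode, pfh, _sil_from_band(pfh, PFH_BANDS)


def control_system_must_be_safety_related(claimed_dangerous_failure_rate_per_hour: float) -> bool:
    """7.5.2.4 check: crediting the EUC control system with a dangerous failure
    rate below 1e-5 per hour means it must itself be treated as safety-related."""
    return claimed_dangerous_failure_rate_per_hour < NON_SRS_MIN_CLAIMED_RATE_PER_HOUR


if __name__ == "__main__":
    # Constructed figures: tolerable hazard rate 1e-5 per year, one demand
    # every 20 years -> PFDavg 2e-4 -> SIL 3, risk reduction factor 5000.
    mode, measure, sil = determine_sil(1e-5, 0.05)
    print(mode, f"PFDavg={measure:.1e}", f"SIL {sil}",
          f"RRF={risk_reduction_factor(measure):.0f}")
    # Same tolerable hazard rate but 50 demands a year -> high demand mode,
    # PFH target of about 1.1e-9 per hour -> SIL 4.
    print(determine_sil(1e-5, 50))
    print("control system must be SRS:", control_system_must_be_safety_related(1e-6))
```

Running it with the constructed figures shows the point made above: the same tolerable hazard rate of 10⁻⁵ per year gives a SIL 3 target (PFDavg 2 × 10⁻⁴, risk reduction factor 5000) when demands arrive once every 20 years, but a SIL 4 target when they arrive 50 times a year, because in high demand mode the dangerous failure rate itself has to be below the tolerable hazard rate with no demand rate to divide by. A `None` result is the signal that the calculated measure lies outside the four SIL bands and that the risk either needs no E/E/PE safety function or needs additional, independent risk reduction.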

What is the equipment under control (EUC)?

The equipment under control (EUC) is equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities (3.2.1 of IEC 61508-4). If any reasonably foreseeable action or inaction leads to hazardous events (i.e. events that may result in harm) with an intolerable risk arising from the EUC, then safety functions are necessary to achieve or maintain a safe state for the EUC. These safety functions are carried out by one or more safety-related systems.

Therefore, the EUC is the set of all equipment, machinery, apparatus or plant that gives rise to hazardous events for which the safety-related system is required. In the case of a safety-related protection system on an offshore platform, for example, the EUC is all parts of the platform that could affect the safety requirements.

6. Hazard and risk analysis

Is IEC 61508 only concerned about ensuring safety by improving reliability?

No. A vital first step in the safety lifecycle is that the necessary safety functions are derived from an analysis of the hazards and risks. It is not only the safety integrity of the safety functions that is important, but also the effective and correct specification of the safety functions themselves.

Does IEC 61508 cover the elimination of hazards at source?

The standard requires that consideration shall be given to the elimination of the hazards and emphasizes the primary importance of eliminating hazards at source (7.4.2.2 and note 2 of 7.4.2.4 of IEC 61508-1). This could be, for example, by the application of inherent safety principles or the application of good engineering practice. However, detailed guidance on hazard elimination is not provided in the standard.

Does IEC 61508 require a quantitative risk analysis to be carried out in order to determine safety integrity levels?

No. It allows both quantitative and qualitative approaches (see annexes B, D, E, F and G of IEC 61508-5).

Note that risk analysis generally requires a wide range of expertise. It will usually be necessary for a team to work together and reach agreement.

What factors should I take into account when planning to use a risk graph method for determining safety integrity levels?

Annex B of IEC 61508-5 provides guidance on the selection of methods for determining safety integrity level requirements, and Annex E of IEC 61508-5 describes in principle a risk graph method for determining safety integrity levels, using a generalised example. The example figures in annex E are not definitive and their use will not necessarily result in an adequate level of safety for any particular application.

It is essential that a risk graph is designed so that it takes into account the relevant influences on the risk (i.e. the risk parameters) associated with the target application. The process of validating that the use of a risk graph will lead to tolerable residual risks is sometimes referred to as calibration.

If a risk graph is used for applications where authoritative good practice in considering the safety of plant and operations has traditionally included quantitative risk assessment, it should be calibrated in quantitative terms. This will include describing all the risk parameters in numerical terms and basing the design of the risk graph on explicit, quantified tolerable residual risk targets. A properly calibrated risk graph will lead to quantified residual risks that are at, or below, the tolerable risk targets.

Otherwise, if a risk graph is used for applications where qualitative techniques for risk assessment are more appropriate, it will be necessary to demonstrate that it will lead to solutions that are consistent with authoritative good practice.

The restricted range of applications for which the risk graph applies should be clearly stated so that users of the risk graph are aware of its limitations.

How do I take account of hazards that are introduced by the E/E/PE safety-related system?

Undertake further hazard and risk analysis when developing the E/E/PE system safety requirements. This should identify any of the states of an E/E/PE safety-related system that could lead to a hazardous event. 7.4.2.1 of IEC 61508-1 highlights the need to undertake further hazard and risk analyses when decisions are taken which may change the basis on which earlier decisions were made.