||This article includes a list of references, but its sources remain unclear because it has insufficient inline citations. (February 2015) (Learn how and when to remove this template message)|
IEC 61508 is an international standard published by the International Electrotechnical Commission of rules applied in industry. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES).
IEC 61508 is intended to be a basic functional safety standard applicable to all kinds of industry. It defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.”
The standard covers the complete safety life cycle, and may need interpretation to develop sector specific standards. It has its origins in the process control industry.
The safety life cycle has 16 phases which roughly can be divided into three groups as follows:
- Phases 1-5 address analysis
- Phases 6-13 address realisation
- Phases 14-16 address operation.
All phases are concerned with the safety function of the system.
The standard has seven parts:
- Parts 1-3 contain the requirements of the standard (normative)
- Parts 4-7 are guidelines and examples for development and thus informative.
Central to the standard are the concepts of risk and safety function. The risk is a function of frequency (or likelihood) of the hazardous event and the event consequence severity. The risk is reduced to a tolerable level by applying safety functions which may consist of E/E/PES and/or other technologies. While other technologies may be employed in reducing the risk, only those safety functions relying on E/E/PES are covered by the detailed requirements of IEC 61508.
IEC 61508 has the following views on risks:
- Zero risk can never be reached
- Safety must be considered from the beginning
- Non-tolerable risks must be reduced (ALARP)
- 1 Hazard and Risk Analysis
- 2 Safety integrity level
- 3 Industry/application specific variants
- 4 Testing software
- 5 See also
- 6 References
- 7 Further Reading
- 8 External links
Hazard and Risk Analysis
The standard requires that hazard and risk assessment be carried out: 'The EUC (equipment under control) risk shall be evaluated, or estimated, for each determined hazardous event'.
The standard advises that 'Either qualitative or quantitative hazard and risk analysis techniques may be used' and offers guidance on a number of approaches. One of these, for the qualitative analysis of hazards, is a framework based on 6 categories of likelihood of occurrence and 4 of consequence.
Categories of likelihood of occurrence
|Category||Definition||Range (failures per year)|
|Frequent||Many times in system lifetime||> 10−3|
|Probable||Several times in system lifetime||10−3 to 10−4|
|Occasional||Once in system lifetime||10−4 to 10−5|
|Remote||Unlikely in system lifetime||10−5 to 10−6|
|Improbable||Very unlikely to occur||10−6 to 10−7|
|Incredible||Cannot believe that it could occur||< 10−7|
|Catastrophic||Multiple loss of life|
|Critical||Loss of a single life|
|Marginal||Major injuries to one or more persons|
|Negligible||Minor injuries at worst|
These are typically combined into a risk class matrix
- Class I: Unacceptable in any circumstance;
- Class II: Undesirable: tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained;
- Class III: Tolerable if the cost of risk reduction would exceed the improvement;
- Class IV: Acceptable as it stands, though it may need to be monitored.
Safety integrity level
The safety integrity level (SIL) provides a target to attain in regards to a system's development. A risk assessment effort yields a target SIL, which thus becomes a requirement for the final system. The requirement informs how to set up the development process (using appropriate quality control, management processes, validation and verification techniques, failure analysis etc.) so that one can reasonably justify that the final system attains the required SIL. Part 2 and 3 of IEC 61508 give guidance on activities to perform in order to attain a SIL.
The meaning of the SIL varies depending on whether the functional component will be exposed to high or low demand:
- For systems that operate continuously (continuous mode) or systems that operate more than once per year (high demand mode), SIL specifies an allowable frequency of dangerous failure.
- For systems that operate intermittently and at most once a year (low demand mode), SIL specifies an allowable probability that the system will fail to respond on demand.
|SIL||Low demand mode:
average probability of failure on demand
|High demand or continuous mode:
probability of dangerous failure per hour
|1||≥ 10−2 to < 10−1||≥ 10−6 to < 10−5|
|2||≥ 10−3 to < 10−2||≥ 10−7 to < 10−6|
|3||≥ 10−4 to < 10−3||≥ 10−8 to < 10−7 (1 dangerous failure in 1140 years)|
|4||≥ 10−5 to < 10−4||≥ 10−9 to < 10−8|
Failure to safety
Calculation of safe failure fraction (SFF) determines how Fail-safe the system is. This compares the likelihood of safe failures with dangerous failures. Reliability by itself is not sufficient to claim a SIL level. There are charts in IEC 61508 that specify the level of SFF required for each SIL.
Management, systematic techniques, verification and validation
Specific techniques ensure that mistakes and errors are avoided across the entire life-cycle. Errors introduced anywhere from the initial concept, risk analysis, specification, design, installation, maintenance and through to disposal could undermine even the most reliable protection. IEC 61508 specifies techniques that should be used for each phase of the life-cycle.
Industry/application specific variants
ISO 26262 is an adaptation of IEC 61508 for Automotive Electric/Electronic Systems. It is being widely adopted by the major car manufacturers.
Before the launch of ISO 26262, the development of software for safety related automotive systems was predominantly covered by the Motor Industry Software Reliability Association guidelines. The MISRA project was conceived to develop guidelines for the creation of embedded software in road vehicle electronic systems. A set of guidelines for the development of vehicle based software was published in November 1994. This document provided the first automotive industry interpretation of the principles of the, then emerging, IEC 61508 standard.
Today MISRA is most widely known for its guidelines on how to use the C and C++ languages. MISRA C has gone on to become the de facto standard for embedded C programming in the majority of safety-related industries, and is also used to improve software quality even where safety is not the main consideration. MISRA has also developed guidelines for the use of model based development.
IEC 62279 provides a specific interpretation of IEC 61508 for railway applications. It is intended to cover the development of software for railway control and protection including communications, signaling and processing systems.
The process industry sector includes many types of manufacturing processes, such as refineries, petrochemical, chemical, pharmaceutical, pulp and paper, and power. IEC 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation.
Nuclear power plants
IEC 61513 provides requirements and recommendations for the instrumentation and control for systems important to safety of nuclear power plants. It indicates the general requirements for systems that contain conventional hardwired equipment, computer-based equipment or a combination of both types of equipment.
IEC 62061 is the machinery-specific implementation of IEC 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.
Software written in accordance with IEC 61508 may need to be unit tested, depending up on the SIL level it needs to achieve. The main requirement in Unit Testing is to ensure that the software is fully tested at the function level and that all possible branches and paths are taken through the software. In some higher SIL level applications, the software code coverage requirement is much tougher and an MCDC code coverage criterion is used rather than simple branch coverage. To obtain the MCDC (modified condition decision coverage) coverage information, one will need a Unit Testing tool, sometimes referred to as a Software Module Testing tool.
- Functional safety
- Safety standards
- Spurious trip level
- Time-triggered system (A software architecture used to achieve IEC 61508 compliance)
- An article about meeting the IEC 61508 part 3 (software development) requirements for tool certification, specially compilers.
- M.J.M. Houtermans, "SIL and Functional Safety in a Nutshell" (Risknowlogy Best Practices, 1st Edition, eBook in PDF, ePub, and iBook format, 40 Pages) SIL and Functional Safety in a Nutshell - eBook introducing SIL and Functional Safety
- M.Medoff, R.Faller, "Functional Safety - An IEC 61508 SIL 3 Compliant Development Process" - www.exida.com
- C. O'Brien, "Final Elements and the IEC 61508 and IEC 61511 Functional Safety Standards" - www.exida.com
- Münch, Jürgen; Armbrust, Ove; Soto, Martín; Kowalczyk, Martin. “Software Process Definition and Management“, Springer, 2012.
- M.Punch, "Functional Safety for the Mining Industry – An Integrated Approach Using AS(IEC)61508, AS(IEC) 62061 and AS4024.1." (1st Edition, ISBN 978-0-9807660-0-4, in A4 paperback, 150 pages).
- D.Smith, K Simpson, "Safety Critical Systems Handbook: A Straightforward Guide to Functional Safety, IEC 61508 (2010 Edition) And Related Standards, Including Process IEC 61511 and Machinery IEC 62061 and ISO 13849" (3rd Edition ISBN 978-0-08-096781-3, Hardcover, 288 Pages).