IEC 61508
From Wikipedia, the free encyclopedia
IEC 61508 is titled "Functional safety of electrical/electronic/programmable electronic safety-related systems".
This standard defines the concept of the Safety Integrity Level (SIL), together with methodologies for establishing, proving and documenting the SIL.
IEC 61508 allows for the standalone certification of a software component, unlike DO-178B/ED-12B.
The documentation requirements of IEC 61508 are similar to DO-178B/ED-12B, but tend to lean more heavily on design, usage, and manufacturing, due to the standalone component aspects of this certification. One of the most critical documents is the Safety Manual, which contains the rules and guidelines on how to use the software component in a system that is certified.
The international standard IEC 61508 “Functional safety of electrical / electronic / programmable electronic safety-related systems (E/E/PES)” is intended to be a basic safety standard applicable to all kinds of industry. IEC 61508 defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.”
The standard covers the complete safety life cycle, and may need interpretation to develop sector-specific standards. It has its origins in the process control industry sector. The safety life cycle has 16 phases which can roughly be divided into three groups as follows: phases 1-5 address analysis, phases 6-13 address realisation and phases 14-16 address operation. All phases are concerned with the safety function of the system. The standard has seven parts. Parts 1-3 are the “actual” standard (normative), while parts 4-7 are guidelines and examples for development and thus informative. The parts of the standard are further explained later.
Central to the standard are the concepts of risk and safety function. The risk is a function of severity and probability. The risk can be reduced to a level that is tolerable by applying a safety function that consists of E/E/PES systems and other technologies. Only the E/E/PES risk reduction systems are considered in IEC 61508. The necessary risk reduction is the risk when no safety functions are applied minus the tolerable risk. The risk should be reduced to a level that is As Low As Reasonably Practicable (ALARP). IEC 61508 has the following views on risks:
- zero risk can never be reached
- safety must be considered from the beginning
- non-tolerable risks must be reduced (ALARP)
The standard concerns functional safety of electrical/electronic/programmable electronic safety systems. The safety classification is divided into four Safety Integrity Levels (SIL) depending on the result of the risk analysis. SIL 1 is the lowest and SIL 4 is the highest (safest). Methods and practices for system development for a certain SIL are recommended in the standard.
The SIL of a certain system can be measured qualitatively or approximated quantitatively. Note in Table 6.1.3 that, had the high demand SILs been expressed “per annum”, the columns would have appeared numerically similar. However, being different parameters, they are not even dimensionally the same.
The reason for there being two tables (high and low demand) is that there are two ways in which the integrity target may need to be described. The difference may be illustrated with an example. Consider the brakes of a car. It is the rate of failure which is of concern, because we suffer the hazard immediately when a failure occurs. Hence the high demand column below. Consider also the car air bag. This is a low demand safety system in the sense that demands on it are infrequent (several years apart). The failure rate of the device is of little use in describing the integrity, since the hazard is not incurred immediately when a failure occurs. Therefore we have to take the test interval into consideration. What is of interest is the combination of failure rate and down time, and we therefore specify the probability of failure on demand. In IEC 61508 the high demand assumption is called for when the demand on a safety-related function is greater than once per annum, and the low demand assumption when it is less frequent.
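The brake/air-bag distinction above, worked through in code. This is an added example, not part of the Wikipedia article and not from the standard itself. It assumes the simple one-out-of-one approximation PFDavg ≈ λ_DU × T / 2 (dangerous undetected failure rate times proof-test interval, halved) and the SIL target bands commonly cited from IEC 61508-1 (PFDavg for low demand, probability of dangerous failure per hour for high demand); the article's Table 6.1.3 is not reproduced on the page, so those bands are supplied here from the standard. The brake and air-bag parameter values are constructed for illustration only.

```python
"""Low-demand vs high-demand integrity measures in IEC 61508 (added example).

Assumptions (not from the article): the 1oo1 approximation PFDavg ~ lambda_DU * T / 2,
and the SIL bands as published in IEC 61508-1. Parameter values are constructed.
"""
import math

HOURS_PER_YEAR = 8760.0

# Low-demand targets: average probability of failure on demand (PFDavg).
# Each band is [lower, upper): e.g. SIL 2 means 1e-3 <= PFDavg < 1e-2.
LOW_DEMAND_PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# High-demand / continuous targets: probability of dangerous failure per hour (PFH).
HIGH_DEMAND_PFH_BANDS = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7), 4: (1e-9, 1e-8)}


def demand_mode(demands_per_year):
    """Rule quoted in the article: more than once per annum -> high demand.
    Exactly once per annum is treated as low demand here (assumption)."""
    return "high" if demands_per_year > 1.0 else "low"


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """PFDavg for a single channel: lambda_DU * T / 2 (valid while lambda*T << 1).
    This is the 'failure rate combined with down time' the article refers to:
    a dangerous undetected failure stays unrevealed, on average, for half the interval."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def sil_for(value, bands):
    """Return the SIL whose band contains value, or 0 if worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        lower, upper = bands[sil]
        if lower <= value < upper:
            return sil
    return 0


def achieved_sil(demands_per_year, lambda_du_per_hour, proof_test_interval_hours):
    """Pick the measure the demand mode calls for and classify it."""
    mode = demand_mode(demands_per_year)
    if mode == "high":
        # Hazard follows failure immediately (the brakes): the rate itself is the measure.
        return mode, sil_for(lambda_du_per_hour, HIGH_DEMAND_PFH_BANDS)
    # Hazard only arises when a demand meets a latent failure (the air bag):
    # the test interval matters, so classify on PFDavg.
    return mode, sil_for(pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours),
                         LOW_DEMAND_PFD_BANDS)


def pfh_band_per_annum(sil):
    """Re-express a high-demand band 'per annum', showing the article's point that the
    two columns then look numerically alike although they are different quantities."""
    lower, upper = HIGH_DEMAND_PFH_BANDS[sil]
    return (lower * HOURS_PER_YEAR, upper * HOURS_PER_YEAR)


if __name__ == "__main__":
    # Constructed values: brakes demanded thousands of times a year, lambda_DU = 5e-7 /h.
    print("brakes :", achieved_sil(10_000, 5e-7, 8760))
    # Constructed values: air bag demanded once a decade, lambda_DU = 1e-6 /h, yearly proof test.
    print("air bag:", achieved_sil(0.1, 1e-6, 8760))
    # Same air bag, proof tested only every ten years: PFDavg grows tenfold, SIL drops.
    print("air bag, 10-year test:", achieved_sil(0.1, 1e-6, 87600))
    print("SIL 1 PFH band per annum:", pfh_band_per_annum(1))
```

Running the block shows the brakes classified by rate alone, while the air bag's SIL depends on how often it is proof tested: the same hardware reaches SIL 2 with a yearly test but only SIL 1 with a ten-year test, which is exactly why the low demand column is stated as a probability of failure on demand rather than a failure rate.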