In our latest blog series, we turn our attention to the standard that has influenced safety in many industries and the relevant standards defined for them. As a prelude to new Lorit Consultancy training courses and new team members joining us in 2021, we focus on IEC 61508.
In the subsequent parts of this blog series, we look at the relationship between IEC 61508 and other standards and we compare the differences between the functional safety techniques used in each.
IEC 61508 overview
IEC 61508 is a seven-part functional safety standard used in many different industries. It is often the standard of choice if no other industry-specific reference standard exists; as a consultancy we worked on a project in the mining industry a couple of years back utilising IEC 61508. As indicated in Figure 1, from the initial pinning down of high-level requirements in the scope and concept phases we move to the hazard and risk analysis. From either quantitative or qualitative analysis, we arrive at a safety integrity level (SIL) from the evaluation of each hazardous event.
Figure 1: IEC 61508 Workflow
Safety integrity level
The SIL is both a requirement for the level of integrity required in the product architecture and also a measure of its fulfilment. SIL is defined based on failure in time (FIT) rates for both high and low demand systems; over the operating life-cycle it defines the rate at which dangerous failures can be tolerated. For SIL4 in high demand mode we are looking at acceptance of one dangerous failure in the region of 1000 million to 100 million system operating hours.
| SIL | Low demand mode: average probability of failure on demand | High demand or continuous mode: probability of dangerous failure per hour |
| --- | --- | --- |
| 1 | ≥ 10⁻² to < 10⁻¹ | ≥ 10⁻⁶ to < 10⁻⁵ |
| 2 | ≥ 10⁻³ to < 10⁻² | ≥ 10⁻⁷ to < 10⁻⁶ |
| 3 | ≥ 10⁻⁴ to < 10⁻³ | ≥ 10⁻⁸ to < 10⁻⁷ |
| 4 | ≥ 10⁻⁵ to < 10⁻⁴ | ≥ 10⁻⁹ to < 10⁻⁸ |

Table 1: SIL versus demand
Dangerous failures, safe failures and failure fractions
Metrics are an essential part of safety-related analysis, as they are in many sectors. Not all failures in a system will lead to a hazardous event; these are deemed to be safe failures. Failures that result in a hazardous or potentially hazardous event are deemed to be dangerous failures. In IEC 61508, metrics are built on the diagnostic coverage of any safety mechanisms and on the assessment of whether failures are dangerous or safe, and hence whether they are detectable or not. This gives a method of determining the compliance of a system.
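To make the relationship between the failure classification above and the SIL bands of Table 1 concrete, here is an added Python example; it is not from the original post or from Lorit Consultancy. It takes a constructed set of failure modes for a hypothetical single sensor channel (names, FIT values and per-mode coverage figures are invented), splits them into safe, dangerous-detected and dangerous-undetected rates, computes the resulting diagnostic coverage (DC) and safe failure fraction (SFF), and maps a PFH or PFD figure to a SIL band of Table 1. The PFH estimate assumes a single channel with no redundancy, where only undetected dangerous failures contribute; redundant architectures need the fuller formulas of IEC 61508-6.

```python
from dataclasses import dataclass

FIT_PER_HOUR = 1e-9  # one FIT = one failure per 10^9 operating hours


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_fit: float    # failure rate of this mode, in FIT
    dangerous: bool    # True if the failure can lead to a hazardous event
    coverage: float    # fraction of this mode caught by diagnostics (0.0 .. 1.0)


# Constructed example: failure modes of a hypothetical single sensor channel.
# Names, rates and coverage figures are invented for illustration only.
CHANNEL = (
    FailureMode("output stuck at last value", 40.0, True, 0.90),
    FailureMode("output drifts out of tolerance", 20.0, True, 0.60),
    FailureMode("supply loss, output goes to safe state", 30.0, False, 0.0),
    FailureMode("spurious watchdog trip", 10.0, False, 0.0),
)


def split_rates(modes):
    """Return (lambda_S, lambda_DD, lambda_DU) in failures per hour.

    Safe failures (lambda_S) cannot cause a hazardous event; dangerous
    failures are split into detected (DD) and undetected (DU) using each
    mode's diagnostic coverage.
    """
    lam_s = lam_dd = lam_du = 0.0
    for m in modes:
        rate = m.rate_fit * FIT_PER_HOUR
        if m.dangerous:
            lam_dd += rate * m.coverage
            lam_du += rate * (1.0 - m.coverage)
        else:
            lam_s += rate
    return lam_s, lam_dd, lam_du


def diagnostic_coverage(modes):
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous failures detected."""
    _, lam_dd, lam_du = split_rates(modes)
    lam_d = lam_dd + lam_du
    return lam_dd / lam_d if lam_d else 1.0


def safe_failure_fraction(modes):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    lam_s, lam_dd, lam_du = split_rates(modes)
    total = lam_s + lam_dd + lam_du
    return (lam_s + lam_dd) / total if total else 1.0


def pfh_single_channel(modes):
    """Assumption: a single channel with no redundancy (1oo1), where only
    dangerous undetected failures contribute to the probability of a
    dangerous failure per hour."""
    _, _, lam_du = split_rates(modes)
    return lam_du


# Table 1 bands as exclusive upper bounds for SIL 1..4: the value must fall
# below each bound in turn to qualify for the next higher SIL. Values below
# the last bound are reported as SIL 4, the best band the table defines.
PFH_BOUNDS = (1e-5, 1e-6, 1e-7, 1e-8)  # high demand / continuous mode, per hour
PFD_BOUNDS = (1e-1, 1e-2, 1e-3, 1e-4)  # low demand mode, average PFD


def sil_from_value(value, bounds):
    """Map a PFH or PFD figure to a SIL per Table 1; 0 means worse than SIL 1."""
    sil = 0
    for upper in bounds:
        if value < upper:
            sil += 1
        else:
            break
    return sil


if __name__ == "__main__":
    lam_s, lam_dd, lam_du = split_rates(CHANNEL)
    print(f"lambda_S={lam_s:.2e}/h  lambda_DD={lam_dd:.2e}/h  lambda_DU={lam_du:.2e}/h")
    print(f"DC={diagnostic_coverage(CHANNEL):.0%}  SFF={safe_failure_fraction(CHANNEL):.0%}")
    pfh = pfh_single_channel(CHANNEL)
    print(f"PFH (1oo1)={pfh:.2e}/h -> SIL {sil_from_value(pfh, PFH_BOUNDS)} (high demand)")
```

With the constructed channel the 60 FIT of dangerous failures split into 48 FIT detected and 12 FIT undetected, giving DC of 80% and SFF of 88%; the 1.2 × 10⁻⁸/h of undetected dangerous failures lands in the SIL 3 band of Table 1 for high demand mode. Raising the coverage of the drift mode is the lever that moves the undetected rate, which is exactly the kind of trade-off the diagnostic-coverage metric is meant to expose.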
Electrical / Electronic / Programmable (E/E/PE) systems
As the focus of IEC 61508 is on electrical, electronic and programmable systems, parts 2 and 3 of the standard are key in the definition of the safety of a system. Part 2 focuses on hardware, which can be either programmable or not (e.g. logic devices). Part 3 handles software topics in IEC 61508. Parts 6 and 7 give good guidance on how to apply the processes in parts 2 and 3.
These four parts guide teams from requirements capture through to the commissioning of the system (and actually through to decommissioning). Guidance on diagnostic techniques and on architectural decisions relating to safety is well covered in these sections. In our third blog in the series, we shall look at how some of these techniques are applied.
Commissioning, maintenance and decommissioning
IEC 61508 also has good coverage of the areas around commissioning, maintenance and decommissioning. Maintenance is a key topic, as systems may require service updates and repair during their useful service life. Decommissioning is becoming more of a key topic in the world of software, a subject covered in IEC 82304-1 on standalone medical device software, and one we will revisit in part 3 of this blog series.
In summary, IEC 61508 is still the key standard for functional safety, particularly in industries that are not covered by a dedicated standard. The format and structure of IEC 61508 are good and it has a logical workflow; however, there are pros and cons with every standard, and we shall visit some of these in the next parts of this series.
By Alastair Walker, Consultant