IEC 61508 is an international standard published by the International Electrotechnical Commission consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES).
IEC 61508 is a basic functional safety standard applicable to all kinds of industry. It defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.” The fundamental concept is that any safety-related system must work correctly or fail in a predictable (safe) way.
The standard has two fundamental principles: 1. An engineering process called the safety life cycle is defined based on best practices in order to discover and eliminate design errors and omissions. 2. A probabilistic failure approach to account for the safety impact of device failures.
The safety life cycle has 16 phases which roughly can be divided into three groups as follows:
All phases are concerned with the safety function of the system.
The standard has seven parts:
Central to the standard are the concepts of probabilistic risk for each safety function. The risk is a function of frequency (or likelihood) of the hazardous event and the event consequence severity. The risk is reduced to a tolerable level by applying safety functions which may consist of E/E/PES, associated mechanical devices, or other technologies. Many requirements apply to all technologies but there is strong emphasis on programmable electronics especially in Part 3.
IEC 61508 has the following views on risks:
Specific techniques ensure that mistakes and errors are avoided across the entire life-cycle. Errors introduced anywhere from the initial concept, risk analysis, specification, design, installation, maintenance and through to disposal could undermine even the most reliable protection. IEC 61508 specifies techniques that should be used for each phase of the life-cycle.
The standard requires that hazard and risk assessment be carried out for bespoke systems: 'The EUC (equipment under control) risk shall be evaluated, or estimated, for each determined hazardous event'.
The standard advises that 'Either qualitative or quantitative hazard and risk analysis techniques may be used' and offers guidance on a number of approaches. One of these, for the qualitative analysis of hazards, is a framework based on 6 categories of likelihood of occurrence and 4 of consequence.
Categories of likelihood of occurrence
|Category||Definition||Range (failures per year)|
|Frequent||Many times in system lifetime||> 10−3|
|Probable||Several times in system lifetime||10−3 to 10−4|
|Occasional||Once in system lifetime||10−4 to 10−5|
|Remote||Unlikely in system lifetime||10−5 to 10−6|
|Improbable||Very unlikely to occur||10−6 to 10−7|
|Incredible||Cannot believe that it could occur||< 10−7|
|Catastrophic||Multiple loss of life|
|Critical||Loss of a single life|
|Marginal||Major injuries to one or more persons|
|Negligible||Minor injuries at worst|
These are typically combined into a risk class matrix
The safety integrity level (SIL) provides a target to attain for each safety function. A risk assessment effort yields a target SIL for each safety function. For any given design the achieved SIL level is evaluated by three measures:
1. Systematic Capability (SC) which is a measure of design quality. Each device in the design has an SC rating. The SIL of the safety function is limited to smallest SC rating of the devices used. Requirement for SC are presented in a series of tables in Part 2 and Part 3. The requirements include appropriate quality control, management processes, validation and verification techniques, failure analysis etc. so that one can reasonably justify that the final system attains the required SIL.
2. Architecture Constraints which are minimum levels of safety redundancy presented via two alternative methods - Route 1h and Route 2h.
3. Probability of Dangerous Failure Analysis
The probability metric used in step 3 above depends on whether the functional component will be exposed to high or low demand:
|SIL|| Low demand mode:
average probability of failure on demand
| High demand or continuous mode: |
probability of dangerous failure per hour
|1||≥ 10−2 to < 10−1||≥ 10−6 to < 10−5|
|2||≥ 10−3 to < 10−2||≥ 10−7 to < 10−6|
|3||≥ 10−4 to < 10−3||≥ 10−8 to < 10−7 (1 dangerous failure in 1140 years)|
|4||≥ 10−5 to < 10−4||≥ 10−9 to < 10−8|
Certification is third party attestation that a product, process, or system meets all requirements of the certification program. Those requirements are listed in a document called the certification scheme. IEC 61508 certification programs are operated by impartial third party organizations called Certification Bodies (CB). These CBs are accredited to operate following other international standards including ISO/IEC 17065 and ISO/IEC 17025. Certification Bodies are accredited to perform the auditing, assessment, and testing work by an Accreditation Body (AB). There is often one national AB in each country. These ABs operate per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting conformity assessment bodies. ABs are members of the International Accreditation Forum (IAF) for work in management systems, products, services, and personnel accreditation or the International Laboratory Accreditation Cooperation (ILAC) for laboratory accreditation. A Multilateral Recognition Arrangement (MLA) between ABs will ensure global recognition of accredited CBs. IEC 61508 certification programs have been established by several global Certification Bodies. Each has defined their own scheme based upon IEC 61508 and other functional safety standards. The scheme lists the referenced standards and specifies procedures which describes their test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program. IEC 61508 certification programs are being offered globally by several well recognized CBs including exida, TÜV Rheinland, TÜV Sud, and TÜV Nord. Most certifications of currently manufactured automatic protection equipment (sensors, logic solvers, and final element devices) have been completed by exida and TÜV Rheinland.
ISO 26262 is an adaptation of IEC 61508 for Automotive Electric/Electronic Systems. It is being widely adopted by the major car manufacturers.
Before the launch of ISO 26262, the development of software for safety related automotive systems was predominantly covered by the Motor Industry Software Reliability Association guidelines. The MISRA project was conceived to develop guidelines for the creation of embedded software in road vehicle electronic systems. A set of guidelines for the development of vehicle based software was published in November 1994. This document provided the first automotive industry interpretation of the principles of the, then emerging, IEC 61508 standard.
Today MISRA is most widely known for its guidelines on how to use the C and C++ languages. MISRA C has gone on to become the de facto standard for embedded C programming in the majority of safety-related industries, and is also used to improve software quality even where safety is not the main consideration. MISRA has also developed guidelines for the use of model based development.
IEC 62279 provides a specific interpretation of IEC 61508 for railway applications. It is intended to cover the development of software for railway control and protection including communications, signaling and processing systems.
The process industry sector includes many types of manufacturing processes, such as refineries, petrochemical, chemical, pharmaceutical, pulp and paper, and power. IEC 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation.
IEC 61513 provides requirements and recommendations for the instrumentation and control for systems important to safety of nuclear power plants. It indicates the general requirements for systems that contain conventional hardwired equipment, computer-based equipment or a combination of both types of equipment.
IEC 62061 is the machinery-specific implementation of IEC 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.
Software written in accordance with IEC 61508 may need to be unit tested, depending up on the SIL level it needs to achieve. The main requirement in Unit Testing is to ensure that the software is fully tested at the function level and that all possible branches and paths are taken through the software. In some higher SIL level applications, the software code coverage requirement is much tougher and an MCDC code coverage criterion is used rather than simple branch coverage. To obtain the MCDC (modified condition decision coverage) coverage information, one will need a Unit Testing tool, sometimes referred to as a Software Module Testing tool.
This article is a discussion of ASIL as a means of classifying hazards, particularly to provide a context for comparison with other methods of classifying hazards, risk, quality, or reliability. For a more thorough description of ASIL, methods of its assessment, and its roles within ISO 26262 processes, see ISO 26262 (Automotive Safety Integrity Level).Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. This is an adaptation of the Safety Integrity Level used in IEC 61508 for the automotive industry. This classification helps defining the safety requirements necessary to be in line with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard by looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.
There are four ASILs identified by the standard: ASIL A, ASIL B, ASIL C, ASIL D. ASIL D dictates the highest integrity requirements on the product and ASIL A the lowest. Hazards that are identified as QM do not dictate any safety requirements.Cantata
A cantata (; Italian: [kanˈtaːta]) (literally "sung", past participle feminine singular of the Italian verb cantare, "to sing") is a vocal composition with an instrumental accompaniment, typically in several movements, often involving a choir.
The meaning of the term changed over time, from the simple single voice madrigal of the early 17th century, to the multi-voice "cantata da camera" and the "cantata da chiesa" of the later part of that century, from the more substantial dramatic forms of the 18th century to the usually sacred-texted 19th-century cantata, which was effectively a type of short oratorio. Cantatas for use in the liturgy of church services are called church cantata or sacred cantata; other cantatas can be indicated as secular cantata. Several cantatas were, and still are, written for special occasions, such as Christmas cantatas. Christoph Graupner, Georg Philipp Telemann and Johann Sebastian Bach composed cycles of church cantatas for the occasions of the liturgical year.Failure modes, effects, and diagnostic analysis
Failure modes, effects, and diagnostic analysis (FMEDA) is a systematic analysis technique to obtain subsystem / product level failure rates, failure modes and diagnostic capability. The FMEDA technique considers:
All components of a design,
The functionality of each component,
The failure modes of each component,
The effect of each component failure mode on the product functionality,
The ability of any automatic diagnostics to detect the failure,
The design strength (de-rating, safety factors) and
The operational profile (environmental stress factors).Given a component database calibrated with field failure data that is reasonably accurate
, the method can predict product level failure rate and failure mode data for a given application. The predictions have been shown to be more accurate than field warranty return analysis or even typical field failure analysis given that these methods depend on reports that typically do not have sufficient detail information in failure records.The name was given by Dr. William M. Goble in 1994 to the technique that had been in development since 1988 by Dr. Goble and other engineers now at exida.Functional safety
Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely human errors, hardware failures and operational/environmental stress.Hercules (processors)
Hercules is a line of ARM architecture-based microcontrollers from Texas Instruments built around one or more ARM Cortex cores. This "Hercules safety microcontroller platform" includes series microcontrollers specifically targeted for Functional Safety applications, through such hardware-base fault correction/detection features as dual cores that can run in lock-step, full path ECC, automated self testing of memory and logic, peripheral redundancy, and monitor/checker cores.
This line includes the TMS470M, TMS570 and RM4 families. These families were "Designed specifically for IEC 61508 and ISO 26262 safety critical applications". However, they differ significantly in the degree of support for these safety standards:
TMS470Value Line Transportation and Safety MCUs
Supports Safety for
IEC 61508 systemsRM4High Performance Industrial and Medical Safety MCUs
Developed to Safety Standards
IEC 61508 SIL-3TMS570High Performance Transportation and Safety MCUs
Developed to Safety Standards
IEC 61508 SIL-3
ISO 26262 ASIL DIn particular, TMS570 support for ASIL D is accomplished through dual lock-step cores.High-integrity pressure protection system
A high-integrity pressure protection system (HIPPS) is a type of safety instrumented system (SIS) designed to prevent over-pressurization of a plant, such as a chemical plant or oil refinery. The HIPPS will shut off the source of the high pressure before the design pressure of the system is exceeded, thus preventing loss of containment through rupture (explosion) of a line or vessel. Therefore, a HIPPS is considered as a barrier between a high-pressure and a low-pressure section of an installation.IEC 61131
IEC 61131 is an IEC standard for programmable controllers. It was known as IEC 1131 before the change in numbering system by IEC. The parts of the IEC 61131 standard are prepared and maintained working group 7, programmable control systems, of subcommittee SC 65B of Technical Committee TC65 of the IEC.IEC 61511
IEC standard 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation. Such systems are referred to as Safety Instrumented Systems. The title of the standard is "Functional safety - Safety instrumented systems for the process industry sector".ISO 26262
ISO 26262, titled "Road vehicles – Functional safety", is an international standard for functional safety of electrical and/or electronic systems in production automobiles defined by the International Organization for Standardization (ISO) in 2011.Klocwork
Klocwork is a software company with headquarters in Burlington, MA, USA and R&D based in Ottawa, ON, Canada. Klocwork was founded in 2001 as a spin-out of Nortel Networks and has over 1,000 customers who use its software development tools. Klocwork says their tool help "developers create more secure and reliable software by analyzing source code on-the-fly, simplifying peer code reviews, and extending the life of complex software."SafetyBUS p
SafetyBUS p is a standard for failsafe fieldbus communication in automation technology.
It meets SIL 3 of IEC 61508 and Category 4 of EN 954-1 or Performance Level "e" of the successor standard EN 13849-1.Safety instrumented system
A safety instrumented system (SIS) consists of an engineered set of hardware and software controls which are especially used on critical process systems.Safety integrity level
Safety integrity level (SIL) is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. In simple terms, SIL is a measurement of performance required for a safety instrumented function (SIF).
The requirements for a given SIL are not consistent among all of the functional safety standards. In the functional safety standards based on the IEC 61508 standard, four SILs are defined, with SIL 4 the most dependable and SIL 1 the least. A SIL is determined based on a number of quantitative factors in combination with qualitative factors such as development process and safety life cycle management.Spurious trip level
Spurious trip level (STL) is defined as a discrete level for specifying the spurious trip requirements of safety functions to be allocated to safety systems. An STL of 1 means that this safety function has the highest level of spurious trips. The higher the STL level the lower the number of spurious trips caused by the safety system. There is no limit to the number of spurious trip levels.
Safety functions and systems are installed to protect people, the environment and for asset protection. A safety function should only activate when a dangerous situation occurs. A safety function that activates without the presence of a dangerous situation (e.g., due to an internal failure) causes economic loss. The spurious trip level concept represents the probability that safety function causes a spurious (unscheduled) trip.
The STL is a metric that is used to specify the performance level of a safety function in terms of the spurious trips it potentially causes. Typical safety systems that benefit from an STL level are defined in standards like IEC 61508 IEC 61511, IEC 62061, ISA S84, EN 50204 and so on. An STL provides end-users of safety functions with a measurable attribute that helps them define the desired availability of their safety functions. An STL can be specified for a complete safety loop or for individual devices.
For end-users there is always a potential conflict between the cost of safety solutions and the loss of profitability caused by spurious trips of these safety solutions. The STL concept helps the end-users to end this conflict in a way that safety solutions provide both the desired safety and the desired process availability.Standardization in oil industry
Purpose This site seeks to promote deeper standardization within the oil and energy industry by highlighting areas where standardization has worked very well and where it has not and why, and provoking discussions on the path forward for better standardization.
The overall purpose of the document is to issue a guideline on the application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, and thereby simplify the use of the standards.
According to the PSA management regulations (§1 and §2), performance requirements shall be established for all safety barriers on an installation. For instrumented safety systems, special reference is made to IEC 61508 and this document as the recommended standard for specification, design and operation of such safety systems.
Whereas IEC 61508 describes a fully risk based approach for determining SIL (Safety Integrity Level) requirements, this document provides minimum SIL requirements for the most common instrumented safety functions on a petroleum production installation (ref. chapter 7). Deviations from these requirements may however be identified
(ref. section 7.7), and in such case the overall methodology and documentation should be in accordance with IEC 61508.TargetLink
TargetLink is a software for automatic code generation, based on a subset of Simulink/Stateflow models, produced by dSPACE GmbH. TargetLink requires an existing MATLAB/Simulink model to work on.
TargetLink generates both ANSI-C and production code optimized for specific processors. It also supports the generation of AUTOSAR-compliant code for software components for the automotive sector.
The management of all relevant information for code generation takes place in a central data container, called the Data Dictionary.
Testing of the generated code is implemented in Simulink, which is also used for the specification of the underlying simulation models. TargetLink supports three simulation modes to test the generated code:
Model-in-the-loop simulation (MIL): this mode allows the model design to be checked. An MIL simulation is also known as a floating-point simulation, since the variables are typically floating-point variables.
Software-in-the-loop (SIL): the simulation is based on the execution of generated code, which runs on a PC system. The variables are typically plain or fixed point numbers.
Processor-in-the-loop (PIL): in a PIL simulation, the generated code runs on the target hardware or on an evaluation board. So-called real-time frames are included, making it possible to transfer the simulation results as well as memory consumption and runtime information to the PC.The Motor Industry Software Reliability Association (MISRA) published official MISRA modeling guidelines for TargetLink in late 2007,
which are particularly important for functional safety of safety-critical applications. In 2009, TÜV SÜD certified TargetLink for use during the development of safety-critical systems to ISO DIS 26262 and IEC 61508.ThreadX
ThreadX, developed and marketed by Express Logic of San Diego, California, United States, is a highly deterministic, embedded real-time operating system (RTOS) written mostly in the C (programming language).Time-triggered architecture
Time-triggered architecture (abbreviated as TTA), also known as a time-triggered system, is a computer system that executes one or more sets of tasks according to a pre-determined and set task schedule. Implementation of a TT system will typically involve use of a single interrupt that is linked to the periodic overflow of a timer. This interrupt may drive a task scheduler (a restricted form of real-time operating system). The scheduler will—in turn—release the system tasks at predetermined points in time.