Safety Critical Systems – A brief history of the development of guidelines and standards


In a series of blog posts, ESC will be sharing the paper “Safety Critical Systems – A brief history of the development of guidelines and standards”, written by Ron Bell OBE.

The paper was presented at the 25th Safety Critical Systems Symposium (Developments in System Safety Engineering), Bristol, UK, 9 April 2017, and was published in the proceedings of the symposium.

Ron Bell

This paper provides an overview of the development of standards and guidelines for safety critical systems over the past 35 years. In the context of this paper ‘safety critical systems’ refers to those systems that are intended to achieve, together with the other risk reduction measures, the necessary risk reduction to meet the required tolerable risk.

The period covered by the paper is from the time that concerns were raised about the adoption of programmable electronic systems for implementing safety functions to today. It is essentially a personal account based on experience and reflections on the developments that have taken place with respect to guidelines and standards, and is not intended in any way to be an authoritative account covering all industrial sectors.

Acknowledgments: “In developing the paper, which is the basis of this blog, I was most grateful for the help given to me by the following people: Phil Bennett, Simon Brown, Brian Clarke, John Canning, Rainer Faller, Martin Goose, James Inge, Ken Simpson and David Ward.” - Ron Bell


Safety Critical Systems – A brief history of the development of guidelines and standards

 1 Introduction

During the 1970s the design principles for safety critical systems, in the context of manufacturing industry and the process sector, were based on qualitative criteria, and the methods used to increase the safety integrity of a basic design included:

  1. Simplex or single-channel systems having no redundancy. This architecture would be regarded as a basic design having minimum safety performance.
  2. Dual channel systems with redundancy for sensors and final elements (e.g. contactors/valves). This architecture would be regarded as having medium safety performance.
  3. Dual channel systems with redundancy for sensors and final elements with different forms of diagnostics for improving the diagnostic coverage of the critical elements. This architecture would be regarded as having a high safety performance.
  4. Fault criteria (“no single or double fault would cause the system to fail to a dangerous state”).
  5. Use of the concept of “Failure to safety” for specific failure modes (e.g. on failure of the power supply this would lead to a safe failure of the safety functions).

In the context of safety critical systems in the manufacturing sector, the approach to safeguarding machinery using safety critical systems was based on BS 5304 “Code of practice: Safeguarding of machinery”, first published in 1975.

Design features in this code of practice were essentially qualitative in nature, as was the risk-based approach to selection of the various methods. The essentials in this guide existed, with various revisions, until well into the 1990s, when such guidance was then provided by European Standards such as BS EN 954-1:1997 “Safety of machinery. Safety related parts of control systems. General principles for design.”

This latter standard was based on qualitative approaches to the design with a qualitative risk assessment method (i.e. risk graph). Both BS 5304 and EN 954-1 related to safety critical systems based on non-programmable elements.

Based on the above design methods, various elegant designs of great ingenuity were developed. They were primarily focused on dangerous failures arising from random hardware failures, and on well-established good practice to avoid or control systematic dangerous failures. Often they were so ingenious that it was quite difficult in those days to determine objectively what performance level had been achieved, since quantitative analysis was not the norm.

One of the earliest approaches using quantified analysis to address dangerous random hardware failures was adopted by the Heavy Organic Chemicals Division of ICI in their development of a High Integrity Protective System (HIPS) for what we would now refer to as a major hazards plant (Stewart & Hensley (1971)).

The approach adopted was to develop a quantified risk target based on process sector experience and to adopt a quantified approach to determining the Probability of Failure on Demand (PFD) of the safety functions to be performed in respect of random hardware failures. This was truly ground-breaking territory in the industrial, non-nuclear, sector.

In the nuclear sector, several research documents were published which provided important building blocks for the future of functional safety. These were developed by the United Kingdom Atomic Energy Authority (UKAEA) through the Systems Reliability Service. Such publications included:

  • The variability of failure rate data (Edwards)
  • Defences against common-mode failures in redundancy systems: A guide for management, designers and operators (Bourne et al.)
  • Reliability and Protection Against Failure in Computer Systems (Daniels)

During the early 1980s, both within the manufacturing sector and in the chemical process sector, increasing use was being made of computer-based systems for controlling equipment and plant. During this period, particularly in the manufacturing sector, there was increasing use of programmable controlled robots.

This raised major challenges as to how to safeguard robots, and in the early days the safety functions to be performed were invariably based on hardwired solutions.

That is, to cater for a dangerous failure of the programmable element carrying out an interlocking function, a non-programmable interlocking arrangement was designed to act in parallel with the programmable element, so that the safety function would still be carried out in the event of a dangerous failure of the programmable element. The hardwired arrangement would invariably be based on electromechanical devices (e.g. relays, contactors).

In the period 1980-1990 there were many initiatives and developments relating to the safe use of Programmable Electronic Systems (PESs) although initially the focus was on safety critical software rather than safety critical systems. Some of these initiatives and developments are summarised in Table A.1.

Note: Table A.1 is not intended to be an authoritative catalogue of initiatives and developments from 1980 to the mid-1990s, but provides a snapshot of some of the key issues that are considered of importance to the author and the activities associated with IEC 61508.


Part 2 of the paper focuses on the developments from 1980 to the 1990s.
