Part 3 – Safety Critical Systems – A brief history of the development of guidelines and standards
This week we are publishing the 3rd and final part of the “Safety Critical Systems – A brief history of the development of guidelines and standards” paper.
This final part focuses on the IEC 61508 and the standards influenced by, derived and based on IEC 61508.
We would like to thank everyone for the great response, likes and shares, and if you have any questions or would like more information just leave a message below or contact us here.
“Acknowledgments: In developing the paper, which is the basis of this blog, I was most grateful for the help given to me from the following people; Phil Bennett, Simon Brown, Brian Clarke, John Canning, Rainer Faller, Martin Goose, James Inge, Ken Simpson and David Ward”.
Safety Critical Systems – A brief history of the development of guidelines and standards
3. IEC 61508
A key standard that emerged from the various activities during the 1980 to the-mid-1990s was IEC 61508. This eight-part standard was published during the period 1998-2000 (i.e. Part 1-7) and Part 0 (which was a very basic introduction to functional safety was published in 2005.
IEC 61508 has the status of being a standalone standard (i.e. it can be used on its own) but it is also a Basic Safety Standard which means that other standards within IEC are required to comply with the requirements specified in that standard
3.1 Structure of IEC 61508
The overall title of IEC 61508 is ‘Functional safety of electrical, electronic and programmable electronic (E/E/PE) safety-related systems’. The Parts are as listed in Table 1.
|0||Functional safety and IEC 61508|
|2||Requirements for electrical/electronic/programmable electronic safety-related systems|
|4||Definitions and abbreviations|
|5||Examples of methods for the determination of safety integrity levels|
|6||Guidelines on the application of parts 2 and 3|
|7||Overview of techniques and measures|
Parts 1, 2, 3 contain all the normative requirements (e.g. X shall be undertaken) and some informative requirements (e.g. Y should be undertaken). Parts 0, 5, 6 and 7 do not contain any normative requirements.
Parts 1, 2, 3 and 4 of IEC 61508 are IEC basic safety publications. One of the responsibilities of IEC Technical Committees is, wherever practicable, to make use of IEC 61508, in its role as a basic publication, in the preparation of their own sector or product standards that have E/E/PE safety-related systems within their scope.
IEC 61508 is both a standalone standard and can also be used as the basis for sector and product standards. In its latter role, it has been used to develop standards for the process, nuclear and railway industries and for machinery and power drive systems and has influenced the automotive sector (see 3.3).
It will continue to influence, the development of E/E/PE safety-related systems and products across all sectors. This concept is illustrated in Figure 1.
The application of IEC 61508 as a standalone standard includes the use of the standard:
- as a set of general requirements for E/E/PE safety-related systems where no application sector or product standards exist or where they are not appropriate
- by suppliers of E/E/PE components and subsystems for use in all sectors (e.g. hardware and software of sensors, smart actuators, programmable controllers)
- by system integrators to meet user specifications for E/E/PE safety-related systems
- by users to specify requirements in terms of the safety functions to be performed together with the performance requirements of those safety functions
- to facilitate the maintenance of the ‘as designed’ safety integrity of E/E/PE safety-related systems
- to provide the technical framework for conformity assessment and certification services as a basis for carrying out assessments of safety lifecycle activities.
Product or application sector international standards based on IEC 61508:
- are aimed at system designers, system integrators and users
- take account of sector-specific practice
- use terminology applicable in the sector to increase understanding for its intended users
- may specify constraints appropriate for the sector
- usually rely on the requirements of IEC 61508 for the design of subsystems.
3.2 Some of the key features of IEC 61508
- It enables the development of product and sector international standards, dealing with E/E/PE safety-related systems. This should lead to a high level of consistency (for example, of underlying principles, terminology etc.) both within and across application sectors; this will have both safety and economic benefits
- It provides a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems
- It uses safety integrity levels (SILs) for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems
- It adopts a risk-based approach for the determination of the safety integrity level requirements
- It sets numerical target failure measures for E/E/PE safety-related systems that are linked to the safety integrity levels
- It sets a lower limit on the target failure measures, in a dangerous mode of failure, that can be claimed for a single E/E/PE safety-related system. For E/E/PE safety-related systems operating in:
- a low demand mode of operation, the lower limit is set at an average probability of failure of 10–5 to perform its design function on demand
- a high demand or continuous mode of operation, the lower limit is set at an average frequency of dangerous failure of 10–9 per hour.
4. Standards influenced/ derived/ based on IEC 61508
As indicated above, IEC 61508 can be used as the basis for sector and product standards and many standards have been influence or derived or based on IEC 61508. Several those standards are indicated below with the date they were originally published:
- 2003: IEC 61511: Functional safety – Safety instrumented systems for the process industry sector
Note: The scope covers the requirements for the specification, design, installation, operation and maintenance of a safety instrumented system (SIF).
- 2003: CENELEC, EN50128: Railway applications – Communication, signalling and processing systems – Software for railway control and protection systems 2000
- 2003: CENELEC, EN50129: Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling
Note: These CENELEC standards are railway-specific adaptation of IEC 61508. However, it is important to understand that they share common aspects but also differ in some key areas. (Braband, Hirao & Luedeke).
- 2005: IEC 62061: Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
Note: the scope covers the requirements and make recommendations for the design, integration and validation of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machines.
- 2007: IEC 61800-5-2: Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional
Note: The scope covers the requirements and makes recommendations for the design and development, integration and validation of safety related power drive systems (PDS(SR)) in terms of their functional safety considerations.
- 2010: IEC 61784-3: Industrial communication networks – Profiles – Part 3: Functional safety fieldbuses – General rules and profile definition
Note: The scope covers the safety communication layer (services and protocol) based on CPF 1 of IEC 61784-1 and IEC 61158 Types 1 and 9. It identifies the principles for functional safety communications defined in IEC 61784-3 that are relevant for this safety communication layer.
- 2011: ISO 26262: Road Vehicles – Functional safety
Note: Scope is restricted to passenger cars. Work has started on Edition 2 of ISO 26262 (expected publication 2018). Edition 2 scope will now include motorcycles and truck/bus vehicles as well as new part specifically concerned with application of the standard to semiconductor devices.
- 2012: IEC 61131-6: Programmable controllers – Part 6: Functional safety
- 2016: IEC 61000-1-2: Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena
5 Concluding comments
The history of the development of guidelines and standards for what we now call functional safety have, simply put, three distinct phases:
- Phase 1 (1980 – 1990): Development and determination of the essential building blocks to achieve functional safety
- Phase 2 (1990-2000): Refinements of the ideas developed and development of guidance based on emerging draft international draft standard IEC 61508
- Phase 3 (2000-to date):
- Implementation of the developed published standards in relation to safety critical products and the development of sector and product standards based on IEC 61508
- Adoption of the developed published standards by sectors that had been involved previously in their development. In such a situation, the migration to adoption of the standards was part of a planned process
- Adoption of the developed published standards by sectors that had not been involved previously in their development. In such a situation, the migration to adoption of the standards is a challenge to those sectors. Also, in such situations it interesting to know that the end user is often a key driver in requiring conformance to those standards
In the context of IEC 61508, the revision process for IEC 61508 Edition 2 is just beginning. It is important that Edition 3 of IEC 61508 maintains the rigour of the performance levels (e.g. that is to meet the requirements of a specified SIL) but is also sufficiently flexible to meet the demands of those wishing to use the standard in new application areas (e.g. defence and aerospace) and where new Routes to compliance may need to be developed. Whatever Route is chosen there should be confidence that the performance level achieved is the same for all Routes.
In the period 1980-1990 there were many initiatives and developments relating to the safe use of Programmable Electronic Systems (PESs) although initially the focus was on safety critical software rather than safety critical systems. Some of these initiatives and developments are summarised in Table A.1.
Note: Table A.1 is not intended to be an authoritative catalogue of initiatives and developments during the 1980 to the mid-1990s but provide a snapshot of some of the key issues that are considered of importance to the author and the activities associated with IEC 61508.
 Part 0 has the status of a Technical Report and is purely informative.
 In IEC standards, a normative requirement is prefaced by ‘shall’ and if that requirement is relevant in the application then it is necessary to comply with the requirement. A requirement prefaced by ‘should’ is informative and can be considered as a recommendation but is not normative in respect of compliance to relevant requirements in the standard.
Bell R (1986); Assessment Architecture and Performance of Industrial Programmable Electronic Systems (PES) with Particular Reference to Robotic Safety. In Daniels, Safety and Reliability of Programmable Electronic Systems, Elsevier Applied Science Publishers Ltd 1986 (ISBN 1-85166-017-8).
Bourne et al. Defences against common-mode failures in redundancy systems; A guide for management designers and operators. Published by the United Kingdom Atomic Energy, Safety and Reliability Directorate (1981)
Braband, Hirao & Luedeke; The Relationship between the CENELEC Railway Signalling Standards and the Other Safety Standards. Article in SIGNAL + SRAHT (95) 12/2003.
Competence: Safety, Competency and Commitment-Competency Guidelines for Safety-Related System Practitioners. Published by the IEE in 1999. Updated in 2007. Available from: http://www.theiet.org/resources/books/policy/comp-crit.cfm.
Daniels (1979); Reliability and Protection Against Failure in Computer Systems; published by the United Kingdom Atomic Energy Authority, National Centre of Systems Reliability.
Edwards (1979). The variability of failure rate data. Published by the United Kingdom Atomic Energy Authority, Systems Reliability Service.
HSE PES; Programmable Electronic Systems in Safety-Related Applications: 1. An Introductory Guide; 2. General Technical Guidelines. Health & Safety Executive ISBN 0 11 883906 3 Crown Copyright
Inge http://safety.inge.org.uk/20070625-Inge2007_The_Safety_Case-U.htm and Safety Critical Systems Club Newsletter; September 1993].
Managing competence #1: Managing competence for safety-related systems- Part 1: Key Guidance. (Managing competence #1). First published 2007. Available from: http://www.hse.gov.uk/humanfactors/topics/mancomppt1.pdf
Managing competence #2: Managing competence for safety-related systems- Part 2: Supplementary Material. First published 2007. Available from: http://www.hse.gov.uk/humanfactors/topics/mancomppt2.pdf
Out of Control: Why control systems go wrong and how to prevent failure. First published 1995. Available from: http://www.hse.gov.uk/pUbns/priced/hsg238.pdf.
Tolerability: The Tolerability of Risk from Nuclear Power Stations (1988 and Revised 1992). Available from: http://www.onr.org.uk/documents/tolerability.pdf.
IET- Safety Practices Report; A study of the computer-based systems safety practices of UK, European and US industry (1989). Principal Author P. A. Bennett; ISBN 0 86241 700 0
SafeIT (1990)- A UK Government Consultation Document on the Safety of Computer-controlled Systems; SafeIT-1: The Safety of Programmable Electronic Systems. SafeIT-2: Standards framework. Published by the Interdepartmental Committee on Engineering (ICSE)
R2P2: Reducing Risks, Protecting People: HSE’s decision-making process. First published in 2001 ISBN 0 7176 2151 0. Available from: http://www.hse.gov.uk/risk/theory/r2p2.pdf.
Stewart & Hensley (1971); High Integrity Protective Systems on Hazardous Chemical Plants. Published by United Kingdom Atomic Energy Authority, Systems Reliability Service.