Functional safety — according to international standard IEC 61508, known as the SIL standard — can be verified at every stage of a product’s life cycle. Safety integrity levels (SILs) determine the amount of risk reduction.
BY: SIMON FRIDLYAND
IEC 61508 is an international standard for the ‘functional safety’ of electrical, electronic and programmable electronic equipment. This document is considered to be a map for the future as far as electrical/electronic/programmable electronic (E/E/PE) safety-related systems are concerned. It also has an impact on the vast range of industrial machinery and equipment that incorporates such systems.
The standard was created in the mid-1980s when the International Electrotechnical Committee Advisory Committee of Safety (IEC-ACOS) set up a task force to consider standardization issues raised by the use of programmable electronic systems (PES). At that time, many regulatory bodies forbade the use of any software-based equipment in safety-critical applications because of the poor reliability of such systems.
The resulting IEC 61508 standard is divided into seven parts.
Part 1: General requirements (required for compliance)
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (required for compliance)
Part 3: Software requirements (required for compliance)
Part 4: Definitions and abbreviations (supporting information)
Part 5: Examples of methods for the determination of safety integrity levels (supporting information)
Part 6: Guidelines on the application of parts 2 and 3 (supporting information)
Part 7: Overview of techniques and measures (supporting information).
Parts 1, 3, 4 and 5 were approved in 1998. Parts 2, 6 and 7 were approved in February 2000.
The standard focuses attention on risk-based safety-related system design, which should result in far more cost-effective system implementations. The standard also requires the attention to detail that is vital to any safe system design. Because of these features and the large degree of international acceptance for a single set of documents, many consider the standard to be a major advance for the technical world.
Objectives of the standard
IEC 61508 is a basic safety publication of the International Electrotechnical Commission (IEC). As such, it is an umbrella document covering multiple industries and applications.
A primary objective of the standard is to help individual industries develop supplemental standards that are tailored specifically to those industries based on the original 61508 standard. A secondary goal of the standard is to enable the development of E/E/PE safety-related systems where specific application sector standards do not already exist.
Several such industry-specific standards have now been developed, with more on the way. IEC 61511 has been written for the process industries, IEC 62061 has been written to address machinery safety, IEC 61513 is for the nuclear industry, while EN 50128 has been written to address safety-related software for the railroad industry. All of these standards build directly on IEC 61508 and reference it accordingly.
Scope of the standard
The IEC 61508 standard covers safety-related systems when one or more of such systems incorporates mechanical/electrical/electronic/programmable electronic devices. These devices can include anything from ball valves, solenoid valves, electrical relays and switches through to complex Programmable Logic Controllers (PLCs).
The standard specifically covers possible hazards created when failures of the safety functions performed by E/E/PE safety-related systems occur. The overall program aims to ensure that the safety-related E/E/PE system brings about a safe state when called upon to do so, which is defined as ‘functional safety.’
IEC 61508 does not cover safety issues like electric shock, hazardous falls, long-term exposure to a toxic substance, etc., as these issues are covered by other standards. IEC 61508 also does not cover low-safety E/E/PE systems where a single E/E/PE system is capable of providing the necessary risk reduction and the required safety integrity of the E/E/PE system is less than safety integrity level 1, for example, when the E/E/PE system is only available 90% of the time or less.
Concepts behind the standard
The standard is based on two fundamental concepts: the safety life cycle and safety integrity levels. The safety life cycle is defined as an engineering process that includes all of the steps necessary to achieve the required functional safety.
The basic philosophy behind the safety life cycle is to develop and document a safety plan, execute that plan, document its execution (to show that the plan has been met) and continue to follow that safety plan through to decommissioning with further appropriate documentation throughout the life of the system.
Changes along the way must similarly follow the pattern of planning, execution, validation and documentation. Although the standard is written in the context of a bespoke system, the requirements are applicable to general product design and development.
Safety integrity levels (SILs) are order-of-magnitude levels of risk reduction. There are four SILs defined in IEC 61508. SIL1 has the lowest level of risk reduction. SIL4 has the highest level of risk reduction. The table below shows, for each SIL in low demand mode of operation, the associated average probability that the safety function fails to perform its design function on demand.
Safety Integrity Level    Low demand mode of operation (average probability of failure on demand)
4                         >= 10^-5 to < 10^-4
3                         >= 10^-4 to < 10^-3
2                         >= 10^-3 to < 10^-2
1                         >= 10^-2 to < 10^-1
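As an added worked example (not from the article and not from the standard's own text), the following Python encodes the low demand mode PFDavg bands from the table above and applies them to a PFDavg estimated for a single-channel (1oo1) safety function. The estimate uses the common simplification PFDavg ≈ λ_DU × T / 2 (undetected dangerous failure rate times half the proof test interval); this is an assumption of the example, since IEC 61508-6 gives a fuller formula that also accounts for diagnostics, repair time and common cause. The function and parameter names are the editor's own.

```python
"""Classify a low-demand safety function against the IEC 61508 SIL bands.

Added example, not from the article or from IEC 61508 itself. The band
limits are the low demand mode PFDavg ranges from IEC 61508 Part 1; the
1oo1 PFDavg model is the textbook simplification lambda_DU * T / 2, which
neglects diagnostics, repair time and common cause (assumption).
"""

# (SIL, lower bound inclusive, upper bound exclusive) for low demand mode.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified single-channel average PFD (assumption: lambda_DU * T / 2)."""
    if lambda_du_per_hour < 0 or proof_test_interval_hours <= 0:
        raise ValueError("failure rate must be >= 0 and proof test interval > 0")
    return lambda_du_per_hour * proof_test_interval_hours / 2


def classify_sil(pfd_avg: float) -> int:
    """Return the SIL (1-4) whose band contains pfd_avg.

    Returns 0 when pfd_avg >= 10^-1: the function is available 90% of the
    time or less, which the article notes is below SIL 1 and outside the
    standard. Values below 10^-5 fall outside the table for a single
    E/E/PE system and raise ValueError.
    """
    if not 0 < pfd_avg <= 1:
        raise ValueError("PFDavg must be a probability in (0, 1]")
    if pfd_avg >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    raise ValueError("PFDavg below 10^-5 is outside the IEC 61508 low demand table")


def risk_reduction_factor(pfd_avg: float) -> float:
    """RRF = 1 / PFDavg; each SIL step is roughly one order of magnitude."""
    return 1.0 / pfd_avg


def max_proof_test_interval(lambda_du_per_hour: float, target_sil: int) -> float:
    """Largest proof test interval (hours) below which the simplified 1oo1
    model stays inside the target SIL band. The PFD bound is exclusive, so
    the interval must be strictly shorter than the value returned."""
    upper = {sil: high for sil, _, high in SIL_BANDS}[target_sil]
    if lambda_du_per_hour <= 0:
        raise ValueError("failure rate must be > 0")
    return 2 * upper / lambda_du_per_hour


def assess(lambda_du_per_hour: float, proof_test_interval_hours: float, target_sil: int) -> dict:
    """Estimate PFDavg for the simplified 1oo1 channel and compare with the target SIL."""
    pfd = pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours)
    achieved = classify_sil(pfd)
    return {
        "pfd_avg": pfd,
        "rrf": risk_reduction_factor(pfd),
        "sil": achieved,
        "meets_target": achieved >= target_sil,
    }


if __name__ == "__main__":
    # Constructed sample: one undetected dangerous failure per 10^6 hours,
    # proof tested once a year (8760 h), target SIL 2.
    result = assess(1e-6, 8760, target_sil=2)
    print(result)
    # Same sensor family with a five times worse failure rate falls to SIL 1;
    # the maximum proof test interval shows how often testing would be needed.
    print(assess(5e-6, 8760, target_sil=2))
    print(max_proof_test_interval(5e-6, 2))
```

The point the table makes is that a SIL is a band on PFDavg, not a single number: the same hardware can land in different bands depending on how often it is proof tested, and anything at or above 10^-1 is simply not a SIL-rated function.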
IEC 61508 makes it possible to verify that safety considerations were made at every phase of a product’s life cycle. The standard instills confidence that a plant can run more efficiently and profitably without decreasing the levels of safety required to protect personnel, the facility and the surrounding community.
Simon Fridlyand, P.Eng., is president of S.A.F.E. Engineering Inc., a Toronto-based company specializing in industrial health and safety issues and PSR compliance. For more information, visit www.safeengineering.ca.