[Translate to English:]

The IEC 61508: functional safety of control systems

The IEC 61508 series of standards (in Germany: DIN EN 61508) is entitled "Functional safety of electrical/electronic/programmable electronic safety-related systems", or short E/E/PE (original: Functional safety of electrical/electronic/programmable electronic safety-related systems). It is the international basic standard for safety-related control systems in the context of complex systems, installations and processes. We will explain what this means in detail and inform you about the structure of the standard and its key concepts.

Content

  • The basic standard for functional safety
    • IEC 61508 in combination with functional safety?
    • What is the IEC 61508 series of standards?
  • The structure of IEC 61508
  • Consulting and development according to the IEC 61508 standard
  • Key concepts
    • What are systematic errors and random errors?
    • What is the residual risk?
  • Safety integrity levels (SIL)
  • Developing functionally safe systems according to IEC 61508: Training and consulting

 

Basic standard for functional safety

Legislation requires that a product placed on the market "does not endanger the safety and health of persons when used as intended or in a foreseeable manner" (§3(1) sentence 2 ProdSG). The specific safety requirements that a product must fulfil are defined by EU directives, national laws and regulations - in Germany, the Product Safety Act (ProdSG) and related regulations - as well as by directly applicable EU regulations (e.g., the Medical Device Regulation).
Depending on the relevant hazards, safety has various aspects, such as electrical safety, fire safety or functional safety.

IEC 61508 in combination with functional safety?

Functional safety (or short: safety) refers to the protection of people and environment from function-related hazards in technical devices or systems, such as those caused by failures, malfunctions or incorrect operation. This protection is ensured by the prevention of possible errors or by the interception of errors by the control system.
Accordingly, IEC 61508 (Part 4) defines functional safety as the part of overall safety - in this context the overall safety is related to a product or a system ("equipment under control" (EUC) = operable installation/device) and its control system - "which depends on the correct functioning of the E/E/PE safety-related system and on other risk-mitigation measures". Safety-related systems are all part of a device or a system that performs automated safety functions.

Learn more about „Functional safety - a systematic implementation“

What is the IEC 61508 series of standards?

IEC 61508 addresses the requirements for safety-related E/E/PE systems regardless of their specific area of application. This series - or, to be precise, part 1-4 of it - is thus a basic safety standard (or "horizontal standard", type A standard) from which numerous industry or sector standards are derived (see Fig. 1). However, IEC EN 61508 is not harmonized; its application therefore does not automatically lead to the presumption of conformity with the relevant European directive and to the reversal of the burden of proof.

Horizontal standard IEC 61508 and its derived standards - figure

Fig. 1: Horizontal standard IEC 61508 and its derived standards (Source: DKE)

The structure of IEC 61508 standard

The IEC 61508 standard consists of seven parts, supplemented by an introductory technical report ("Part 0": IEC/TR 61508-0:2005 Functional Safety and IEC 61508), which, however, only considers the first version of the standard:

  • IEC 61508-1:2010 General Requirements; 
  • IEC 61508-2:2010 Requirements for safety-related electrical/electronical/programmable electronic systems;
  • IEC 61508-3:2010 Requirements for software;
  • IEC 61508-4:2010 Terms and abbreviations;
  • IEC 61508-5:2010 Examples for determining the safety integrity level;
  • IEC 61508-6:2010 Application guideline for IEC 61508-2 and IEC 61508-3;
  • IEC 61508-7:2010 Application guidance on procedures and measures.

Thus, parts 1-3 specify the normative requirements for safety-related E/E/PE systems (hardware and software) and are supplemented by the definition of terms in Part 4. Part 5-7 provide guidance on the application of the normative requirements (see Fig. 2).
Part 1, 3, 4 and 5 were first published in 1998, followed by part 2, 6 and 7 in 2000. The series is currently available in version 2.0 issued in 2010, while version 3.0 is being announced for 2027.
The currently valid IEC 61508 can be purchased from Beuth-Verlag or VDE-Verlag.

 

Structure of the standard IEC 61508

Fig. 2: Structure of the standard IEC 61508 (Source: DKE)

 

Consulting and development according to IEC 61508

The safety experts at NewTec are highly familiar with IEC 61508. NewTec advises and supports you in the development of safety-related systems and accompanies your path to certification or approval.
Learn more on the topic of NTSafetySolutions and the complete package for the development of functionally safe solutions.

 

Key concepts

To guarantee the functional safety of a system, the safety-relevant parts of the protection and control devices must reliably ensure that the system is brought to a safe state in the event of an error. To this end, both systematic and random errors must be taken into account.

What are systematic and random errors?

Systematic errors are deterministic and can only be prevented by modifying the development or the manufacturing processes, the operating procedures, the documentation or similar factors. Errors due to wrong assumptions, faulty specification, faulty design, incorrect software or faults in the dimensioning of components may serve as an example. Random (hardware) errors, by contrast, must be detected and controlled by monitoring measures.
Accordingly, IEC 61508 takes the framework of the "safety life cycle" as the basis for E/E/PE overall system, hardware and software. The safety life cycle comprises 16 defined phases - reaching from concept to development, operation and maintenance to decommissioning. Phase 3 constitutes the hazard analysis and risk analysis. In this phase in a systematic risk assessment, the risks which emanate from the system and its possible errors must be determined in the context of a systematic risk assessment and reduced to an acceptable residual risk (A state of 100 percent safety / absence of risks is not achievable).
The risks in potentially dangerous situations are assessed according to their probability of occurrence and the severity of their impact (reaching from insignificant to catastrophic) and are set in proportion to the acceptable risk of the respective situation. This determines the extent to which these risks - their probability of occurrence and/or their impact - must be reduced by measures. The residual risk remaining after the application of these measures must be smaller than the acceptable risk.

What is the residual risk?

The so-called residual risk is often equated with the acceptable risk. This is not correct. IEC 61508-4:2010 defines risk as the combination of the probability of occurrence of a damage and the severity of this damage (definition 3.1.6). The residual risk is the risk that remains after protective measures have been taken (definition 3.1.8), which includes both safety-related E/EE/PE systems and other risk-reducing measures, especially non-electrical systems (e.g., hydraulic or pneumatic), physical structures (e.g., protective fences), and organizational measures (e.g., training and prohibitions). The residual risk must be reduced to a level which is below the tolerable risk and be defined as "risk that is accepted in a given context based on society's current values" (3.1.7).

 

Safety requirement levels (SIL)

Depending on the risk mitigation requested in each case, there are certain requirements for safety integrity. In IEC 61508-4 the term safety integrity is defined as the probability that a safety-related system satisfactorily performs the required risk-mitigating safety functions within the specified context (3.5.4). Safety integrity is divided into four Safety Integrity Levels (SIL): SIL 1 to SIL 4. With regard to random errors, the levels impose increasing requirements in relation to the requested probabilities or frequencies of dangerous errors of a specific safety function (IEC 61508-1, tables 2 and 3). To avoid systematic errors, a higher SIL also imposes significantly higher requirements on verification as well as the application of additional methods.

The standard describes in detail how risks are assessed and how SILs are assigned to safety-related systems and the components of those systems. In addition, IEC 61508 provides a specific guideline for conception and development (e.g. in system architecture), for required activities, for operational organizational structures and processes of a company as well as for the comprehensible documentation of all these instances. The latter is the prerequisite both for certifications and for the proof of the conformity of products' and systems' compliance with the standard.

 

Developing functionally safe systems according to IEC 61508: Training courses and workshops

Would you like to know more? NewTec offers a range of training courses and workshops on functional safety and IEC 61508 - always closely related to the practice of development.
Have a look at our training program!

 
DEUTSCHENGLISH中国