FAQs about Functional Safety

General

This page answers some Frequently Asked Questions (FAQs) about Functional Safety and the international standard IEC 61508 ("Functional safety of electrical/electronic/programmable electronic safety-related systems"). The answers are not intended to provide a definitive technical answer but rather to inform the new user of the standard.
 
Key concepts of Functional Safety
Scope of IEC 61508
Hazard and risk analysis
Complying with the standard
Position in international standards framework
Regional issues and technical interpretation
 

Key concepts of Functional Safety

 

What is functional safety?

Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. Functional safety is achieved when every specified safety function is carried out and the level of performance required of each safety function is met.

 

For example, an overtemperature protection device, using a thermal sensor in the windings of an electric motor to de-energise the motor before the windings can overheat, is an instance of functional safety. But providing specialised insulation to withstand high temperatures is not an instance of functional safety (although it is still an instance of safety and could protect against exactly the same hazard).

What is a safety-related system in the context of IEC 61508?

A safety-related system comprises everything (hardware, software and human elements) necessary to carry out one or more safety functions, where failure of the safety function would give rise to a significant increase in the risk to the safety of persons and/or the environment.

 

A safety-related system can comprise stand-alone equipment dedicated to perform a particular safety function (such as a fire detection system) or can be integrated into other plant or equipment (such as motor speed control in a machine tool).

 

3.4.1 of IEC 61508-4 gives a formal definition.

What does E/E/PE mean?

E/E/PE is an abbreviation of electrical/electronic/programmable electronic. 3.2.6 of IEC 61508-4 defines this as based on electrical and/or electronic and/or programmable electronic technology.

What is a safety function?

A safety function is a function to be implemented by an E/E/PE safety-related system, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event.

What is a safety integrity level (SIL)?

A safety integrity level is one of four levels, each corresponding to a range of target likelihood of failures of a safety function. Note that a safety integrity level is a property of a safety function rather than of a system or any part of a system.

What does software safety integrity mean in the context of safety integrity being defined as probability of failure?

A safety integrity level (SIL) applies to an end-to-end safety function of the safety-related system. Like any other system component, software has no safety integrity level in isolation from the safety-related system. When integrated into a system, software may be capable of supporting a particular safety function at some safety integrity level, depending on how the software was specified, designed, implemented, verified, etc. "SILn software" is a short way of saying "software developed using appropriate techniques and measures to ensure that the software meets the systematic failure requirements of a specific safety function X at SILn".

 

Hardware suffers physical degradation and the resulting random failure rates can be described numerically using well established methods of statistical reliability. In contrast, software does not degrade physically, and all failures result from systematic factors in its construction and use. It is not currently widely accepted that conventional reliability analysis can be applied to systematic behavior. Therefore, the standard recognizes that a quantitative demonstration that the target failure measures for safety integrity levels in tables 2 and 3 of IEC 61508-1 have been met is in general possible only for random hardware failures (see note 8 of 7.6.2.9 of IEC 61508-1). The effectiveness of the measures and precautions used to meet the target failure measures for systematic safety integrity (and specifically software) generally needs to be assessed qualitatively.

 

However, despite the above difficulties, tables 2 and 3 of IEC 61508-1 provide a valuable framework for comparing different levels of achievement of systematic safety integrity.

What is meant by a SILn system, subsystem or component?

A safety integrity level (SIL) is not a property of a system, subsystem or component. The correct interpretation of this phrase is that the system, subsystem or component is capable of supporting safety functions with a safety integrity level up to n. This in itself is not sufficient to achieve a safety function of the required safety integrity level.

 

The safety integrity level capability of a subsystem determines the highest safety integrity level that can be claimed for any safety function that uses the subsystem. For this reason, the term safety integrity level claim limit is sometimes used instead. A SILn capability or claim limit (where n is 1, 2, 3 or 4) is determined for each subsystem by achieving 1 or 2 below.

  1. The design requirements for SILn to prevent and control systematic faults in accordance with IEC 61508-2 and IEC 61508-3; or
  2. The proven in use requirements for SILn in accordance with 7.4.7.6 to 7.4.7.10 of IEC 61508-2.

Other information about the system, subsystem or component is also necessary to facilitate a demonstration that the required safety integrity level of the safety function in the E/E/PE safety-related system will be achieved.

What is functional safety assessment?

This is the critical activity that ensures functional safety has actually been achieved. Those carrying out the functional safety assessment shall be competent, shall have adequate independence and shall consider the activities carried out and the outputs obtained during each phase of every lifecycle and judge the extent to which the objectives and requirements of IEC 61508 have been met. See clause 8 of IEC 61508-1 for further details.

What is a mode of operation?

IEC 61508 describes two modes of operation for a safety function. These are low demand mode of operation and high demand or continuous mode of operation. The terms are formally defined in 3.5.12 of IEC 61508-4.

 

In order to understand these two modes, it is necessary first of all to understand the division between a demand mode of operation and a continuous mode of operation.

 

A safety function operating in demand mode is only performed when required (i.e. on demand) in order to transfer the equipment under control (EUC) into a specified state. The E/E/PE safety-related system that performs the safety function has no influence on the EUC until there is a demand for the safety function to be performed. Examples include protection systems on chemical plants that respond to failures of the EUC or EUC control system and anti-lock braking systems on automotive vehicles.

 

A safety function operating in continuous mode operates to retain the EUC within its normal safe state. That is, the E/E/PE safety-related system continuously controls the EUC, and a dangerous failure of the E/E/PE safety-related system will lead to a hazard unless other safety-related systems or external risk reduction facilities intervene. Examples include speed control associated with machinery, burner control of furnaces or fly-by-wire operation of aircraft flight control surfaces.

 

IEC 61508 distinguishes between:

  • low demand mode of operation, and
  • high demand or continuous mode of operation.

What is the difference between low demand mode of operation and high demand or continuous mode of operation?

Modes of operation are used in IEC 61508 to describe two types of safety function carried out by E/E/PE safety-related system. The modes are relevant when relating the target failure measure of a safety function to be implemented by an E/E/PE safety-related system to the safety integrity level. IEC 61508 relates the safety integrity level of a safety function to:

  • the average probability of failure to perform its design function on demand (in the case of low demand mode - see table 2 of IEC 61508-1), or
  • the probability of a dangerous failure per hour (in the case of high demand or continuous mode - see table 3 of IEC 61508-1). The probability of a dangerous failure per hour is sometimes referred to as the dangerous failure rate (i.e. dangerous failures per hour).

Low demand mode, as defined in 3.5.12 of IEC 61508-4, is where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency.

High demand or continuous mode, as defined in 3.5.12 of IEC 61508-4, is where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof test frequency. In the context of this definition, continuous is regarded as very high demand.
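Worked example, added here and not part of the original FAQ or of IEC 61508 itself: the two-condition low demand test from 3.5.12 as quoted above, and the claim-limit rule from the earlier question on SILn subsystems, in Python. The PFD and PFH band limits are the editor's recollection of tables 2 and 3 of IEC 61508-1 and are labelled as assumptions in the code; the safety function data is constructed. The block also shows the edge case the definition implies: a demand rate below one per year is still high demand if it exceeds twice the proof test frequency, and a target measure expressed in the wrong units (PFDavg for a high demand function) cannot be banded at all.

```python
"""Added example, not from the FAQ page or the standard.

Classifies a safety function's mode of operation using the 3.5.12
definition quoted in the FAQ (low demand needs BOTH demand frequency <= 1
per year AND <= twice the proof test frequency), maps the target failure
measure to a SIL band, and applies the claim-limit rule: the lowest SIL
capability among the subsystems caps the SIL claimable for the function.
"""
from dataclasses import dataclass
from typing import Dict, Optional

LOW_DEMAND = "low demand"
HIGH_DEMAND = "high demand or continuous"

# ASSUMED values, from memory of tables 2 and 3 of IEC 61508-1; verify
# against the standard before relying on them. Bands are [lower, upper).
PFD_BANDS: Dict[int, tuple] = {  # average probability of failure on demand
    4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS: Dict[int, tuple] = {  # probability of dangerous failure per hour
    4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def mode_of_operation(demands_per_year: float, proof_tests_per_year: float) -> str:
    """3.5.12 of IEC 61508-4 as quoted in the FAQ. Both low demand
    conditions must hold; failing either one makes it high demand."""
    if demands_per_year < 0 or proof_tests_per_year < 0:
        raise ValueError("frequencies must be non-negative")
    if demands_per_year <= 1.0 and demands_per_year <= 2.0 * proof_tests_per_year:
        return LOW_DEMAND
    return HIGH_DEMAND


def sil_from_measure(mode: str, measure: float) -> Optional[int]:
    """Map a target failure measure (PFDavg for low demand, PFH otherwise)
    to its SIL band; None if the value lies outside SIL 1 to 4."""
    bands = PFD_BANDS if mode == LOW_DEMAND else PFH_BANDS
    for sil, (lower, upper) in bands.items():
        if lower <= measure < upper:
            return sil
    return None


@dataclass
class SafetyFunction:
    name: str
    demands_per_year: float
    proof_tests_per_year: float
    target_measure: float                  # PFDavg or PFH, depending on mode
    subsystem_capability: Dict[str, int]   # subsystem -> SIL capability (claim limit)


def assess(sf: SafetyFunction) -> dict:
    """Combine mode, target SIL and claim limit. A claim limit below the
    target SIL means the function cannot be claimed at that SIL however
    good the other parts are; meeting it is necessary, not sufficient."""
    mode = mode_of_operation(sf.demands_per_year, sf.proof_tests_per_year)
    target_sil = sil_from_measure(mode, sf.target_measure)
    claim_limit = min(sf.subsystem_capability.values())
    return {
        "mode": mode,
        "target_sil": target_sil,
        "claim_limit": claim_limit,
        "claim_limit_ok": target_sil is not None and claim_limit >= target_sil,
    }


# Constructed sample data (not real plant figures).
EXAMPLES = [
    # Chemical plant trip: rare demands, annual proof test -> low demand;
    # PFDavg 5e-4 is SIL 3, but the valve subsystem is only SIL 2 capable.
    SafetyFunction("high pressure trip", 0.2, 1.0, 5e-4,
                   {"sensor": 3, "logic solver": 3, "shutdown valve": 2}),
    # Machinery speed limit: demanded many times a year -> high demand.
    SafetyFunction("machine speed limit", 200.0, 1.0, 3e-7,
                   {"encoder": 2, "drive": 2}),
    # Edge case: under one demand a year, but proof tested only every five
    # years, so demands exceed twice the proof test frequency -> high demand.
    # The PFDavg figure then cannot be banded; a PFH figure is needed.
    SafetyFunction("infrequently tested trip", 0.5, 0.2, 5e-4,
                   {"sensor": 3, "logic solver": 3, "valve": 3}),
]

if __name__ == "__main__":
    for sf in EXAMPLES:
        print(sf.name, assess(sf))
```

The claim-limit check is deliberately only a cap: as the FAQ says, parts all quoted at the required SIL do not make the function comply, so a true result here still leaves the random hardware, architectural and systematic requirements to be demonstrated for the system as a whole.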

What is the equipment under control (EUC)?

The equipment under control (EUC) is equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities (3.2.3 of IEC 61508-4). If any reasonably foreseeable action or inaction leads to hazards with an intolerable risk arising from the EUC, then safety functions are necessary to achieve or maintain a safe state for the EUC. These safety functions are carried out by one or more safety-related systems.

 

Therefore, the EUC is the set of all equipment, machinery, apparatus or plant that gives rise to hazards for which the safety-related system is required. In the case of a safety-related protection system on an offshore platform, for example, the EUC is all parts of the platform that could affect the safety requirements.

 

Scope of IEC 61508

 

Is IEC 61508 relevant to me?

Generally, the significant hazards for equipment and any associated control system have to be identified by the specifier or developer via a hazard analysis. The analysis identifies whether functional safety is necessary to ensure adequate protection against each significant hazard. If so, then it has to be taken into account in an appropriate manner in the design. Functional safety is just one method of dealing with hazards, and other means for their elimination or reduction, such as inherent safety through design, are of primary importance.

 

IEC 61508 defines appropriate means for achieving functional safety in the systems it covers.

What systems does IEC 61508 cover?

IEC 61508 applies to safety-related systems when one or more of such systems incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices. It covers possible hazards caused by failure of the safety functions to be performed by the E/E/PE safety-related systems, as distinct from hazards arising from the E/E/PE equipment itself (for example electric shock etc). It is generically based and applicable to all E/E/PE safety-related systems irrespective of the application.

Give me some practical examples

The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:

  • emergency shut-down systems,
  • fire and gas systems,
  • turbine control,
  • gas burner management,
  • crane automatic safe-load indicators,
  • guard interlocking and emergency stopping systems for machinery,
  • medical devices,
  • dynamic positioning (control of a ship's movement when in proximity to an offshore installation),
  • fly-by-wire operation of aircraft flight control surfaces,
  • railway signalling systems (including moving block train signalling),
  • variable speed motor drives used to restrict speed as a means of protection,
  • automobile indicator lights, anti-lock braking and engine-management systems,
  • remote monitoring, operation or programming of a network-enabled process plant,
  • an information-based decision support tool where erroneous results affect safety.

Relevant means of implementing safety functions include electro-mechanical relays (i.e. electrical), non-programmable solid-state electronics (i.e. electronic) and programmable electronics. Programmable electronic safety-related systems typically incorporate programmable controllers, programmable logic controllers, microprocessors, application specific integrated circuits, or other programmable devices (for example "smart" sensors, transmitters and actuators).

 

In every case, the standard applies to the entire E/E/PE safety-related system (for example from sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator). For safety functions to be effectively specified and implemented, it is essential to consider the system as a whole.

How does IEC 61508 apply where E/E/PE technology makes up only a small part of the safety-related system?

IEC 61508 is applicable to any safety-related system that contains an E/E/PE device.

 

This applicability is appropriate because many requirements, particularly in IEC 61508-1, are not technology specific. Indeed, early development phases (such as initial concept, overall scope definition, hazard and risk analysis and specifying the overall safety requirements) may take place before the implementation technology has been decided.

 

Even during later phases such as realisation, specific functional safety requirements apply directly to non-E/E/PE devices, such as mechanical components, as well as E/E/PE devices. For example, the requirements for hardware reliability and fault tolerance in IEC 61508-2 directly relate to the properties of all components in the E/E/PE safety-related system, whether or not they include E/E/PE technology.

 

For low complexity E/E/PE safety-related systems, it is possible to comply with IEC 61508 while not meeting every requirement of the standard.

How does IEC 61508 apply to systems whose function is to avoid damage to the environment or severe financial loss?

IEC 61508 is concerned with achieving functional safety, where safety is defined as freedom from unacceptable risk of physical injury or damage to the health of people, either directly or indirectly as a result of damage to property or to the environment (see 3.1 of IEC 61508-4). So damage to long term health, including damage to property or the environment that leads to damage to long term health, is explicitly within the scope of the standard and is encompassed by the term safety.

 

It is recognised that the consequences of failure could also have serious economic implications and in such cases the standard could be used to specify any E/E/PE system used for the protection of equipment or product (1.2 e of IEC 61508-1).

 

The particular safety functions that are necessary, and the associated levels of performance required of them, are determined by hazard and risk analysis (see for example IEC 61508-5). An equivalent analysis of risk in terms of environmental or financial hazards can be performed by replacing safety parameters with environmental or financial parameters. Most of the subsequent requirements of the standard are as applicable for "environmental functions" or "financial functions" as they are for safety functions. This includes the required levels of performance, which are expressed in terms of probability of failure.

What does IEC 61508 consist of?

The standard is published in seven parts as shown in the table below. Only the first four parts contain normative requirements.

 

IEC 61508 ("Functional safety of E/E/PE safety-related systems") part structure:

  1. IEC 61508-1: General requirements
  2. IEC 61508-2: Requirements for E/E/PE safety-related systems
  3. IEC 61508-3: Software requirements
  4. IEC 61508-4: Definitions and abbreviations
  5. IEC 61508-5: Examples of methods for the determination of safety integrity levels
  6. IEC 61508-6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
  7. IEC 61508-7: Overview of techniques and measures

How do I go about reading the standard?

Annex A of IEC 61508-5 provides introductory material on risk and safety integrity. In IEC 61508-1, the overall safety lifecycle requirements contained in clause 7 are summarized in a lifecycle diagram in figure 2, with an overview of each phase in table 1. In addition, requirements relating to verification, management of functional safety and functional safety assessment are contained in 7.18, clause 6 and clause 8 respectively.

 

Annex A of IEC 61508-6 gives an eight-page overview of the requirements in IEC 61508-2 and IEC 61508-3.

 

In IEC 61508-2, the E/E/PES safety lifecycle requirements contained in clause 7 are summarised in a lifecycle diagram in figure 2, with an overview of each phase in table 1. Likewise, in IEC 61508-3, the software safety lifecycle requirements contained in clause 7 are summarised in figure 3 with an overview in table 1.

 

Any particular requirement of IEC 61508 should be considered in the context of its lifecycle phase (where applicable) and the stated objectives for the requirements of that phase, clause or subclause. The objectives are always stated immediately before the requirements.

 

Hazard and risk analysis

 
Is IEC 61508 only concerned about ensuring safety by improving reliability?

No. A vital first step in the safety lifecycle is that the necessary safety functions are derived from an analysis of the hazards and risks. It is not only the safety integrity of the safety functions that is important, but also the effective and correct specification of the safety functions themselves.

Does IEC 61508 require a quantitative risk analysis to be carried out in order to determine safety integrity levels?

No. It allows both quantitative and qualitative approaches (see annexes C, D and E of IEC 61508-5).

 

Note that risk analysis generally requires a wide range of expertise. It will usually be necessary for a team to work together and reach agreement.

What factors should I take into account when planning to use a risk graph method for determining safety integrity levels?

Annex D of IEC 61508-5 describes in principle a risk graph method for determining safety integrity levels, using a generalised example. The example figures in annex D are not definitive and their use will not necessarily result in an adequate level of safety for any particular application.

 

It is essential that a risk graph is designed so that it takes into account the relevant influences on the risk (i.e. the risk parameters) associated with the target application. The process of validating that the use of a risk graph will lead to tolerable residual risks is sometimes referred to as calibration.

 

If a risk graph is used for applications where authoritative good practice in considering the safety of plant and operations has traditionally included quantitative risk assessment, it should be calibrated in quantitative terms. This will include describing all the risk parameters in numerical terms and basing the design of the risk graph on explicit, quantified tolerable residual risk targets. A properly calibrated risk graph will lead to quantified residual risks that are at, or below, the tolerable risk targets.

 

Otherwise, if a risk graph is used for applications where qualitative techniques for risk assessment are more appropriate, it will be necessary to demonstrate that it will lead to solutions that are consistent with authoritative good practice.

 

The restricted range of applications for which the risk graph applies should be clearly stated so that users of the risk graph are aware of its limitations.

 

Complying with the standard

 

How do the requirements of IEC 61508 change with respect to the safety integrity level of the safety functions allocated to the E/E/PE safety-related system?

IEC 61508 separates the specification of the safety functions to be performed into two elements:

  • the safety function requirements (what the function does); and
  • the safety integrity requirements (the likelihood of a safety function being performed satisfactorily).

IEC 61508 does not stipulate what safety function requirements nor what safety integrity requirements are necessary for any particular application.

 

The safety integrity level (SIL 1, 2, 3 or 4) corresponds to a range of safety integrity values, measured in terms of average probability of failure to perform a safety function on demand or in terms of probability of dangerous failure of a safety function per hour.

 

The safety integrity level allocated to the E/E/PE safety-related system will affect the degree of rigour to which a requirement of the standard is to be satisfied. But other factors will also affect this (see 4.1 of IEC 61508-1).

Suppliers are quoting that their products conform to IEC 61508 for a specific safety integrity level. Does this mean that using these products is sufficient for me to comply with IEC 61508?

No. A safety integrity level is not directly applicable to individual subsystems or components. It applies to a safety function carried out by the E/E/PE safety-related systems.

 

IEC 61508 covers all components of the E/E/PE safety-related system, including field equipment and specific project application logic. All these subsystems and components, when combined to implement the safety function (or functions), are required to meet the safety integrity level target of the relevant functions. Any design using supplied subsystems and components that are all quoted as suitable for the required safety integrity level target of the relevant functions will not necessarily comply with the requirements for that safety integrity level target. A simple example is when the subsystem or component is incorrectly installed.

 

Suppliers of products intended for use in E/E/PE safety-related systems should provide sufficient information to facilitate a demonstration that the E/E/PE safety-related system complies with IEC 61508.

I supply subsystems such as sensors or actuators that are intended for use in an E/E/PE safety-related system. What does IEC 61508 mean for me?

When a subsystem is integrated into an E/E/PE safety-related system in accordance with IEC 61508, it is necessary to take into account the contribution that the subsystem will make to the performance of the complete system in relation to safety integrity. To do this, the system designer/integrator requires certain information relating to the design and reliability of the subsystem. As a supplier of subsystems intended for use in E/E/PE safety-related systems you should be prepared to supply the required information, as detailed in 7.4.7.3 of IEC 61508-2. To summarise, the following information is required for each subsystem:

  • specifications covering functional, interface and environmental aspects;
  • estimated failure rate (due to random hardware failures) for each failure mode;
  • diagnostic coverage and diagnostic test interval;
  • hardware fault tolerance;
  • information needed to identify the hardware and software configuration;
  • information needed to enable the derivation of the safe failure fraction;
  • documentary evidence of validation; and
  • safety integrity level capability.

Do I have to use third party certified components in order to comply with IEC 61508?

No. The standard requires a functional safety assessment to be carried out on all parts of the E/E/PE safety-related system and for all phases of the lifecycle (see clause 8 of IEC 61508-1).

 

The level of independence required of the assessor ranges from an independent person in the same organization for safety integrity level 1 to an independent organization for safety integrity level 4. The required level of independence for safety integrity levels 2 and 3 is affected by additional factors including system complexity, novelty of design and previous experience of the developers. There is also a specific requirement that the assessor shall be competent for the activities to be undertaken.

Is there any correlation between the level of independence required for functional safety assessment and the need for third party certification?

This will depend upon the company organization and expertise within the company. For some companies even the requirement for independent persons and departments may have to be met by using an external organization. Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by way of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization (note 2 of 8.2.12 of IEC 61508-1).

 

See 3.8.10, 3.8.11 and 3.8.12 of IEC 61508-4 for definitions of independent person, independent department and independent organization respectively.

In what ways do I need to consider the impact of human activities on the operation of an E/E/PE safety-related system?

IEC 61508 requires human factor issues to be considered in the determination of hazards and hazardous events (7.4.2.3 of IEC 61508-1) and in the design of the E/E/PE safety-related system (7.4.5.3 of IEC 61508-2). For E/E/PE safety-related protection systems, there are three principal areas that need to be considered:

  • human actions or errors that can place a demand on the E/E/PE safety-related protection system - these need to be identified and quantified;
  • human failure to respond effectively to alarms or take other actions that would otherwise reduce the demand on the E/E/PE safety-related protection system;
  • human failure in testing and maintenance of the E/E/PE safety-related protection system, reducing its effectiveness and increasing the probability of failure on demand.

Can an E/E/PE safety-related system contain hardware and/or software that was not produced according to IEC 61508, and still comply with the standard?

It may be possible to use a proven in use argument as an alternative to meeting the design requirements for dealing with systematic failure causes in IEC 61508, including hardware and software. But it is essential to note that proven in use cannot be used as an alternative to meeting the requirements for:

  • architectural constraints on hardware safety integrity (see 7.4.2.1 of IEC 61508-2);
  • the quantification of dangerous failures of the safety function due to random hardware faults (see 7.4.3.2 of IEC 61508-2); and
  • system behaviour on detection of faults (see 7.4.6 of IEC 61508-2).

See 7.4.2.2 of IEC 61508-2 for a summary of design requirements, including references to more detailed systematic hardware requirements in the standard.

 

A proven in use claim relies on the availability of historical data for both random hardware and systematic failures, and on analytical techniques and testing if the previous conditions of use of the subsystem differ in any way from those which will be experienced in the E/E/PE safety-related system. 7.4.7.6 of IEC 61508-2 requires that:

  • the previous conditions of use of the subsystem are the same as, or sufficiently close to, those which will be experienced in the E/E/PE safety-related system (see 7.4.7.7 of IEC 61508-2);
  • if the above conditions of use differ in any way, a demonstration is necessary (using a combination of appropriate analytical techniques and testing) that the likelihood of unrevealed systematic faults is low enough to achieve the required safety integrity level of the safety functions which use the subsystem (see 7.4.7.8 of IEC 61508-2);
  • the claimed failure rates have sufficient statistical basis (see 7.4.7.9 of IEC 61508-2);
  • failure data collection is adequate (see 7.4.7.10 of IEC 61508-2);
  • evidence is assessed taking into account the complexity of the subsystem, the contribution made by the subsystem to the risk reduction, the consequences associated with a failure of the subsystem, and the novelty of design (see 7.4.7.11 of IEC 61508-2); and
  • the application of the proven in use subsystem is restricted to those functions and interfaces of the subsystem that meet the relevant requirements (see 7.4.7.12 of IEC 61508-2).

7.4.2.11 of IEC 61508-3 allows the use of standard or previously developed software without the availability of historical data but with the emphasis on analysis and testing. This concept should be distinguished from the proven in use concept described above.

Do control systems that place demands on a safety-related system have to be themselves designated as safety-related systems?

7.5.2.4 of IEC 61508-1 gives the requirements that apply for the control system not to be designated as a safety-related system. In summary, these are:

  • allowing for a dangerous failure rate of the control system higher than the maximum defined by the standard for a safety-related system (i.e. higher than 10^-5 dangerous failures per hour);
  • providing an adequate demonstration that the dangerous failure rate allowed for is achieved (7.5.2.4 of IEC 61508-1 contains further details);
  • determining all reasonably foreseeable dangerous failure modes of the control system;
  • ensuring that the control system is separate and independent from all safety-related systems.

How do electromagnetic immunity limits depend on the safety integrity level?

7.2.3.2 e of IEC 61508-2 (see also associated notes) states: The E/E/PES safety integrity requirements specification shall contain the electromagnetic immunity limits (see IEC 61000-1-1) that are required to achieve electromagnetic compatibility - the electromagnetic immunity limits should be derived taking into account both the electromagnetic environment (see IEC 61000-2-5) and the required safety integrity levels.

IEC 61508 does not give a method for determining electromagnetic immunity requirements according to the safety integrity level. These should be decided taking into account the electromagnetic environment that the safety-related system will be exposed to during use. In principle, the immunity limits should be set at a level which will not be exceeded in the operating environment. In practice, it is difficult to guarantee that disturbance levels will always be below a set limit. The higher the immunity limit, the lower the probability that a disturbance will exceed the limit during use; therefore it may be necessary to set increased immunity limits as safety integrity levels increase, especially where there is uncertainty about the disturbance levels that are likely to be present in the operating environment.
 

Position in international standards framework

 

What is the international status of IEC 61508?

Adoption of IEC International Standards by any country, whether it is a member of the IEC or not, is entirely voluntary. IEC National Committees undertake to apply IEC International Standards transparently to the maximum extent possible in their national and regional standards. Any divergence between the IEC International Standard and the corresponding national or regional standard shall be clearly indicated in the latter.

 

The extent to which IEC 61508 applies in different industry sectors will depend on whether any application sector standards based on IEC 61508 have been developed.

How does IEC 61508 fit together with application sector standards?

The standard sets out a generic approach for all safety lifecycle activities for E/E/PE safety-related systems that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy is developed for all E/E/PE safety-related systems, irrespective of the application sector. A major objective is to facilitate the development of standards and guides for application sectors and specific subsystems and components. For this reason the first four parts of the standard are basic safety publications.

What is a basic safety publication?

Parts 1, 2, 3 and 4 of IEC 61508 are designated as IEC basic safety publications. This means that IEC Technical Committees will have to use these parts in the preparation of each of their own sector standards that has E/E/PE safety-related systems within its scope. IEC 61508 will therefore have far reaching implications across all IEC application sectors.

Note that basic safety publication status does not apply in the context of low complexity E/E/PE safety-related systems or where the required safety integrity of the E/E/PE system is less than the lowest safety integrity level in IEC 61508.

What application sector or subsystem standards based on IEC 61508 are there?

The following application sector standards have been published:

IEC 61513: Nuclear power plants - Instrumentation and control for systems important to safety - General requirements for systems

IEC 61511-1: Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements

IEC 61511-2: Functional safety - Safety instrumented systems for the process industry sector - Part 2: Guidelines for the application of IEC 61511-1

IEC 61511-3: Functional safety - Safety instrumented systems for the process industry sector - Part 3: Guidance for the determination of the required safety integrity levels

In development are IEC 62061 for the machinery sector and IEC 61800-5-2 for power drive systems.

Other standards may also be under development.

Can I use IEC 61508 as a standalone standard?

Yes. A major objective of the standard is to enable the development of E/E/PE safety-related systems where application sector international standards do not exist.

Many requirements of IEC 61508, particularly in IEC 61508-2 and IEC 61508-3, are not repeated in the application sector or product standards but are referenced instead. The result is that most users of application sector or product standards will need IEC 61508 also.

Regional issues and technical interpretation

How can I find information on IEC 61508 specific to my country?

The following sites provide details of IEC 61508 which are specific to individual countries:

  • Germany: DKE (www.dke.de, in German)
  • Denmark: Dansk Standard (www.ds.dk, in Danish and English)
  • United Kingdom: IEE Professional Network - Functional Safety (www.iee.org)

If your country is not listed, contact your national committee for further information.

Is IEC 61508 also a European Standard?

Yes. The seven parts of IEC 61508 were published by CENELEC in December 2001 as EN 61508.

All CENELEC member countries had to implement EN 61508 at national level by August 2002, either by publishing an identical national standard or by endorsement. Any conflicting national standards of CENELEC member countries had to be withdrawn by August 2004.

Is application of IEC 61508 compulsory under any EC Directive?

No. EN 61508 does not have the status of a harmonized European standard, and is not referred to by any EC Directive.

However, this does not prevent compliance with relevant parts of EN 61508 being used to support a declaration of conformity with an EC product directive, if that is appropriate. But because EN 61508 is not a harmonised European standard, there is no presumption of conformity with any directive. Therefore it would be necessary to explain in the technical file how compliance with EN 61508 is being used to support compliance with specific essential requirements of the particular directive.

There are also no plans to harmonize IEC 61511 or IEC 61513 under any EC Directive, and no decision concerning IEC 61800-5-2 has yet been made. However, it is intended that IEC 62061, when published, will be adopted as a harmonised European standard under the Machinery Directive (an EC product directive). This has been made possible by restricting the scope of IEC 62061 to include product requirements only. Harmonization will grant a presumption of conformity with some of the essential requirements of the Machinery Directive, but will not preclude the use of other ways (e.g. other standards) of meeting those requirements.

 
 