61508 Pdf
Su Strawderman
Central to the standard are the concepts of probabilistic risk for each safety function. The risk is a function of frequency (or likelihood) of the hazardous event and the event consequence severity. The risk is reduced to a tolerable level by applying safety functions which may consist of E/E/PES, associated mechanical devices, or other technologies. Many requirements apply to all technologies but there is strong emphasis on programmable electronics especially in Part 3.
Specific techniques ensure that mistakes and errors are avoided across the entire life-cycle. Errors introduced anywhere from the initial concept, risk analysis, specification, design, installation, maintenance and through to disposal could undermine even the most reliable protection. IEC 61508 specifies techniques that should be used for each phase of the life-cycle.The seven parts of the first edition of IEC 61508 were published in 1998 and 2000. The second edition was published in 2010.
The standard requires that hazard and risk assessment be carried out for bespoke systems: 'The EUC (equipment under control) risk shall be evaluated, or estimated, for each determined hazardous event'.
The standard advises that 'Either qualitative or quantitative hazard and risk analysis techniques may be used' and offers guidance on a number of approaches. One of these, for the qualitative analysis of hazards, is a framework based on 6 categories of likelihood of occurrence and 4 of consequence.
The safety integrity level (SIL) provides a target to attain for each safety function. A risk assessment effort yields a target SIL for each safety function. For any given design the achieved SIL is evaluated by three measures:
1. Systematic Capability (SC) which is a measure of design quality. Each device in the design has an SC rating. The SIL of the safety function is limited to smallest SC rating of the devices used. Requirement for SC are presented in a series of tables in Part 2 and Part 3. The requirements include appropriate quality control, management processes, validation and verification techniques, failure analysis etc. so that one can reasonably justify that the final system attains the required SIL.
Note the difference between function and system. The system implementing the function might be in operation frequently (like an ECU for deploying an air-bag), but the function (like air-bag deployment) might be in demand intermittently.
Before the launch of ISO 26262, the development of software for safety related automotive systems was predominantly covered by the Motor Industry Software Reliability Association (MISRA) guidelines.[3] The MISRA project was conceived to develop guidelines for the creation of embedded software in road vehicle electronic systems.[3] A set of guidelines for the development of vehicle based software was published in November 1994.[4] This document provided the first automotive industry interpretation of the principles of the, then emerging, IEC 61508 standard.[3]
Today MISRA is most widely known for its guidelines on how to use the C and C++ languages.[5] MISRA C has gone on to become the de facto standard for embedded C programming in the majority of safety-related industries, and is also used to improve software quality even where safety is not the main consideration.
IEC 62279 provides a specific interpretation of IEC 61508 for railway applications. It is intended to cover the development of software for railway control and protection including communications, signaling and processing systems. EN 50128 and EN 50657 are equivalent CENELEC standards of IEC 62279.[6]
The process industry sector includes many types of manufacturing processes, such as refineries, petrochemical, chemical, pharmaceutical, pulp and paper, and power. IEC 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation.
IEC 61513 provides requirements and recommendations for the instrumentation and control for systems important to safety of nuclear power plants. It indicates the general requirements for systems that contain conventional hardwired equipment, computer-based equipment or a combination of both types of equipment. An overview list of safety norms specific for nuclear power plants is published by ISO.[7]
IEC 62061 is the machinery-specific implementation of IEC 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.
Software written in accordance with IEC 61508 may need to be unit tested, depending up on the SIL it needs to achieve. The main requirement in Unit Testing is to ensure that the software is fully tested at the function level and that all possible branches and paths are taken through the software. In some higher SIL level applications, the software code coverage requirement is much tougher and an MC/DC code coverage criterion is used rather than simple branch coverage. To obtain the MC/DC (modified condition/decision coverage) coverage information, one will need a Unit Testing tool, sometimes referred to as a Software Module Testing tool.
If I understand right, checking for MISRA compliance might be sufficient, and it looks like SonarCloud supports this (e.g., Assess if my C code is compliant with MISRA C 2023 standard), but it would be helpful to see some explicit qualifications, e.g., like LDRA shows here.
We strive to help developers with Clean Code. Its intersection with various standards is a place where we tend to help.
In general, SonarQube and SonarCloud do not aim to be strict compliance tools. It explains that we have no plan so far to be an IEC 61508-certified tool.
Electricity is inherently dangerous and electrotechnical equipment represents many risks that require mitigation. Those can be caused by electric shock, hot surfaces, moving parts or hazardous substances, to name but a few. They can impact people, critical infrastructure, economies or the environment. The IEC has a dedicated technical advisory committee on safety (ACOS) which guides and coordinates IEC work on safety in standardization and together with conformity assessment helps ensure that safety issues are properly addressed.
With the expansion of intelligent systems such as robotics, the internet of things or artificial intelligence, new and complex safety requirements are emerging. The increasing presence of machines in factories, logistics, mobility or healthcare, require safety procedures to protect the people interacting with them.
At home, at work or in public spaces, we are surrounded by an increasing number of electrical and electronic devices and systems. Functional safety focuses on electronics and related software and activates built-in safety mechanisms to reduce potential risks that could harm somebody or destroy something to a tolerable level.
The sensors in automatic doors ensure that they open fast enough and close safely behind you. The detection of smoke by a sensor triggers the activation of a water sprinkler system inside an apartment building. An overflow valve is activated when a certain level of liquid or pressure has been reached.
The IEC 61508 series provides functional safety standards for the lifecycle of electrical, electronic or programmable electronic (E/E/PE) systems and products. It addresses those parts of a device or system that perform automated safety functions including, for example, sensors, control logic, actuators and micro-processors.
IEC 61508 allows for the development of a uniform technical approach that can be applied to all safety systems in electronics and related software. It is a horizontal standard applicable across a wide range of sectors.
The standard requires the analysis of the potential risks or hazards of a given system or device. It provides categories to determine the level of likelihood of a potential hazard and the consequences should it occur. IEC 61508 defines four safety integration levels (SIL) to indicate the degree to which a system will meet its specified safety functions.
Safety considerations are an integral part of the design process. Risks must be identified and managed at the early stages of product development. Due to the integration of electronic devices, audio, video, IT and communication technologies, hazard-based safety engineering (HBSE) has become increasingly necessary.
With HBSE, potentially hazardous situations are clearly identified and safeguards are put in place to increase product safety. Since safety requirements are outcome-based rather than prescriptive, HBSE which is part of IEC 62368-1, can be applied to a wide range of systems and devices.
The EN 61508 series "Functional safety of electrical, electronic and programmable electronic safety-related systems" is regarded as the generic safety standard, dealing with the functional safety of electrical, electronic and programmable electronic systems, irrespective of the application. As such it is the main standard covering the functional safety of control systems. This standard is used to define the requirements of safety systems in plant safety. It's worth noting that EN 61508 has not been harmonised. Only its sector standard EN 62061 can claim this.
The first part of the standard examines the complete safety lifecycle, with detailed requirements for the procedure and content of the individual steps. This part is of particular significance for machine builders and safety component manufacturers.
This standard also focuses on the design of electrical systems and their associated software. Manufacturers of safety components probably reap the greatest benefit from this standard.
As the EN 61508 series is not listed in the Official Journal of the EU for implementation as a European standard (not harmonised), it lacks "presumption of conformity": so if the standard is used on its own, a control system designer cannot presume that the relevant requirements of the specific European directive have been met. However, IEC and ISO standards frequently refer to IEC 61508. To a certain extent, therefore, they regain their significance through the back door.
64591212e2