IEC 61508 - Wikipedia


IEC 61508 is an international standard published by the International Electrotechnical Commission consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES).

IEC 61508 is a basic functional safety standard applicable to all industries. It defines functional safety as: "part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities." The fundamental concept is that any safety-related system must work correctly or fail in a predictable (safe) way.

The standard has two fundamental principles:
- An engineering process called the safety life cycle is defined based on best practices in order to discover and eliminate design errors and omissions.
- A probabilistic failure approach to account for the safety impact of device failures.

The safety life cycle has 16 phases which roughly can be divided into three groups as follows:
- Phases 1–5 address analysis
- Phases 6–13 address realisation
- Phases 14–16 address operation.
All phases are concerned with the safety function of the system.

The standard has seven parts:
- Parts 1–3 contain the requirements of the standard (normative)
- Part 4 contains definitions
- Parts 5–7 are guidelines and examples for development and thus informative.

Central to the standard are the concepts of probabilistic risk for each safety function. The risk is a function of the frequency (or likelihood) of the hazardous event and the event consequence severity. The risk is reduced to a tolerable level by applying safety functions which may consist of E/E/PES, associated mechanical devices, or other technologies. Many requirements apply to all technologies but there is strong emphasis on programmable electronics, especially in Part 3.

IEC 61508 has the following views on risks:
- Zero risk can never be reached, only probabilities can be reduced
- Non-tolerable risks must be reduced (ALARP)
- Optimal, cost effective safety is achieved when addressed in the entire safety life cycle

Specific techniques ensure that mistakes and errors are avoided across the entire life cycle. Errors introduced anywhere from the initial concept, risk analysis, specification, design, installation, maintenance and through to disposal could undermine even the most reliable protection. IEC 61508 specifies techniques that should be used for each phase of the life cycle.

The seven parts of the first edition of IEC 61508 were published in 1998 and 2000. The second edition was published in 2010.

Hazard and risk analysis

The standard requires that hazard and risk assessment be carried out for bespoke systems: 'The EUC (equipment under control) risk shall be evaluated, or estimated, for each determined hazardous event'.
The standard advises that 'Either qualitative or quantitative hazard and risk analysis techniques may be used' and offers guidance on a number of approaches. One of these, for the qualitative analysis of hazards, is a framework based on 6 categories of likelihood of occurrence and 4 of consequence.

Categories of likelihood of occurrence

Category     Definition                           Range (failures per year)
Frequent     Many times in lifetime               > 10⁻³
Probable     Several times in lifetime            10⁻³ to 10⁻⁴
Occasional   Once in lifetime                     10⁻⁴ to 10⁻⁵
Remote       Unlikely in lifetime                 10⁻⁵ to 10⁻⁶
Improbable   Very unlikely to occur               10⁻⁶ to 10⁻⁷
Incredible   Cannot believe that it could occur   < 10⁻⁷

Consequence categories

Category       Definition
Catastrophic   Multiple loss of life
Critical       Loss of a single life
Marginal       Major injuries to one or more persons
Negligible     Minor injuries at worst

These are typically combined into a risk class matrix (rows: likelihood; columns: consequence):

Likelihood    Catastrophic   Critical   Marginal   Negligible
Frequent      I              I          I          II
Probable      I              I          II         III
Occasional    I              II         III        III
Remote        II             III        III        IV
Improbable    III            III        IV         IV
Incredible    IV             IV         IV         IV

Where:
- Class I: Unacceptable in any circumstance;
- Class II: Undesirable: tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained;
- Class III: Tolerable if the cost of risk reduction would exceed the improvement;
- Class IV: Acceptable as it stands, though it may need to be monitored.

Safety integrity level

The safety integrity level (SIL) provides a target to attain for each safety function. A risk assessment effort yields a target SIL for each safety function. For any given design the achieved SIL is evaluated by three measures:

1. Systematic Capability (SC), which is a measure of design quality. Each device in the design has an SC rating. The SIL of the safety function is limited to the smallest SC rating of the devices used. Requirements for SC are presented in a series of tables in Part 2 and Part 3. The requirements include appropriate quality control, management processes, validation and verification techniques, failure analysis etc., so that one can reasonably justify that the final system attains the required SIL.
2. Architecture Constraints, which are minimum levels of safety redundancy presented via two alternative methods, Route 1H and Route 2H.

3. Probability of Dangerous Failure Analysis[1]

Probabilistic analysis

The probability metric used in step 3 above depends on whether the functional component will be exposed to high or low demand: high demand is defined as more than once per year and low demand is defined as less than or equal to once per year (IEC 61508-4).

For functions that operate continuously (continuous mode) or functions that operate frequently (high demand mode), SIL specifies an allowable frequency of dangerous failure.

For functions that operate intermittently (low demand mode), SIL specifies an allowable probability that the function will fail to respond on demand.

Note the difference between function and system. The system implementing the function might be in operation frequently (like an ECU for deploying an air-bag), but the function (like air-bag deployment) might be in demand intermittently.

SIL   Low demand mode: average probability of failure on demand   High demand or continuous mode: probability of dangerous failure per hour
1     ≥ 10⁻² to < 10⁻¹                                              ≥ 10⁻⁶ to < 10⁻⁵
2     ≥ 10⁻³ to < 10⁻²                                              ≥ 10⁻⁷ to < 10⁻⁶
3     ≥ 10⁻⁴ to < 10⁻³                                              ≥ 10⁻⁸ to < 10⁻⁷ (1 dangerous failure in 1140 years)
4     ≥ 10⁻⁵ to < 10⁻⁴                                              ≥ 10⁻⁹ to < 10⁻⁸

IEC 61508 certification
Certification is third party attestation that a product, process, or system meets all requirements of the certification program. Those requirements are listed in a document called the certification scheme. IEC 61508 certification programs are operated by impartial third party organizations called certification bodies (CB). These CBs are accredited to operate following other international standards including ISO/IEC 17065 and ISO/IEC 17025. Certification bodies are accredited to perform the auditing, assessment, and testing work by an accreditation body (AB). There is often one national AB in each country. These ABs operate per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting conformity assessment bodies. ABs are members of the International Accreditation Forum (IAF) for work in management systems, products, services, and personnel accreditation, or of the International Laboratory Accreditation Cooperation (ILAC) for laboratory accreditation. A Multilateral Recognition Arrangement (MLA) between ABs ensures global recognition of accredited CBs.

IEC 61508 certification programs have been established by several global certification bodies. Each has defined its own scheme based upon IEC 61508 and other functional safety standards. The scheme lists the referenced standards and specifies procedures which describe their test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program. IEC 61508 certification programs are being offered globally by several recognized CBs including Intertek, SGS-TÜV Saar, TÜV Nord, TÜV Rheinland, TÜV SÜD and UL.
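The demand-mode distinction and the SIL bands from the "Probabilistic analysis" section above, worked through as an added example that is not from the article or the standard's text: the mode is chosen from the demand rate as IEC 61508-4 defines it, the matching failure measure is banded with the table's inclusive lower and exclusive upper bounds, and the per-hour PFH at the SIL 3 boundary is converted back to the quoted "1 dangerous failure in 1140 years". The sample figures in the demo are constructed.

```python
# Added example, not from the Wikipedia article or the standard's own text:
# assigns a SIL from the target failure measures in the article's table and
# picks the low- or high-demand column from the demand rate as IEC 61508-4
# defines it (more than one demand per year = high demand / continuous mode).
from typing import Optional

HOURS_PER_YEAR = 8760
# (SIL, lower bound inclusive, upper bound exclusive), from the article's table.
# Low demand: average probability of failure on demand (PFDavg).
LOW_DEMAND_PFD = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# High demand / continuous: probability of dangerous failure per hour (PFH).
HIGH_DEMAND_PFH = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def demand_mode(demands_per_year: float) -> str:
    """More than once per year is high demand; at most once per year is low demand."""
    return "high" if demands_per_year > 1 else "low"


def sil_from_measure(mode: str, value: float) -> Optional[int]:
    """Return the SIL whose band contains value, or None when the value lies
    outside every band (worse than SIL 1, or better than the SIL 4 band)."""
    bands = HIGH_DEMAND_PFH if mode == "high" else LOW_DEMAND_PFD
    for sil, lower, upper in bands:
        if lower <= value < upper:
            return sil
    return None


def sil_for_function(demands_per_year: float, pfd_avg: float, pfh: float) -> Optional[int]:
    """Band the metric that applies to the function's demand mode. The mode belongs
    to the function, not its host system: an air-bag ECU runs continuously, but
    air-bag deployment is a low-demand function and is judged on PFDavg."""
    mode = demand_mode(demands_per_year)
    return sil_from_measure(mode, pfh if mode == "high" else pfd_avg)


def mean_years_between_dangerous_failures(pfh: float) -> float:
    """Express a per-hour PFH as mean years between dangerous failures; the article's
    "1 dangerous failure in 1140 years" is this figure at the 1e-7/h SIL 3 boundary."""
    return 1.0 / (pfh * HOURS_PER_YEAR)


if __name__ == "__main__":
    # Constructed figures: a low-demand shutdown function and a continuous control loop.
    print(sil_for_function(demands_per_year=0.2, pfd_avg=5e-4, pfh=1e-8))   # 3
    print(sil_for_function(demands_per_year=8760, pfd_avg=5e-4, pfh=5e-7))  # 2
    print(sil_from_measure("low", 0.5))                                       # None
    print(round(mean_years_between_dangerous_failures(1e-7)))                # 1142
```

A value of exactly 1e-3 falls in the SIL 2 band, not SIL 3, because each band's upper bound is exclusive, matching the "<" in the table.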
Industry/application specific variants

Automotive

ISO 26262 is an adaptation of IEC 61508 for Automotive Electric/Electronic Systems. It is being widely adopted by the major car manufacturers.[2]

Before the launch of ISO 26262, the development of software for safety related automotive systems was predominantly covered by the Motor Industry Software Reliability Association (MISRA) guidelines.[3] The MISRA project was conceived to develop guidelines for the creation of embedded software in road vehicle electronic systems.[3] A set of guidelines for the development of vehicle based software was published in November 1994.[4] This document provided the first automotive industry interpretation of the principles of the, then emerging, IEC 61508 standard.[3]

Today MISRA is most widely known for its guidelines on how to use the C and C++ languages.[5] MISRA C has gone on to become the de facto standard for embedded C programming in the majority of safety-related industries, and is also used to improve software quality even where safety is not the main consideration.

Rail

IEC 62279 provides a specific interpretation of IEC 61508 for railway applications. It is intended to cover the development of software for railway control and protection including communications, signaling and processing systems.

Process industries

The process industry sector includes many types of manufacturing processes, such as refineries, petrochemical, chemical, pharmaceutical, pulp and paper, and power. IEC 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation.
Power plants

IEC 61513 provides requirements and recommendations for the instrumentation and control for systems important to the safety of nuclear power plants. It indicates the general requirements for systems that contain conventional hardwired equipment, computer-based equipment or a combination of both types of equipment. An overview list of safety norms specific for nuclear power plants is published by ISO.[6]

Machinery

IEC 62061 is the machinery-specific implementation of IEC 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.

Testing software

Software written in accordance with IEC 61508 may need to be unit tested, depending upon the SIL it needs to achieve. The main requirement in unit testing is to ensure that the software is fully tested at the function level and that all possible branches and paths are taken through the software. In some higher SIL level applications, the software code coverage requirement is much tougher and an MC/DC code coverage criterion is used rather than simple branch coverage. To obtain the MC/DC (modified condition/decision coverage) coverage information, one will need a unit testing tool, sometimes referred to as a software module testing tool.

See also
- Functional safety
- Safety standards
- FMEDA
- Spurious trip level
- Time-triggered system (a software architecture used to achieve IEC 61508 compliance)
- Software quality

References
1. Control Systems Safety Evaluation and Reliability. ISA. 2010. ISBN 978-1-934394-80-9.
2. Hamann, Reinhold; Sauler, Jürgen; Kriso, Stefan; Grote, Walter; Mössinger, Jürgen (2009-04-20). "Application of ISO 26262 in Distributed Development: ISO 26262 in Reality". SAE Technical Paper Series. Warrendale, PA: SAE International. doi:10.4271/2009-01-0758.
3. "MISRA Website > MISRA Home > A brief history of MISRA". www.misra.org.uk. Retrieved 2021-02-23.
4. Development Guidelines for Vehicle Based Software. MISRA. 1994. ISBN 0952415607.
5. "MISRA Website > News". www.misra.org.uk. Retrieved 2021-02-23.
6. "ISO - 27.120.20 - Nuclear power plants. Safety". www.iso.org. Retrieved 2021-02-23.

Further reading

Related safety standards
- ISO 26262 (an adaption of IEC 61508[a] with minor differences[b])
- IEC 60730[c] (Household)
- DO-178C (Aerospace)

Notes
a. "Relationship between ISO 26262 and IEC 61508". ez.analog.com. Retrieved 2021-04-11.
b. "Automotive vs Industrial Functional Safety". ez.analog.com. Retrieved 2021-04-11.
c. "IEC 60730-1:2013+AMD1:2015+AMD2:2020 CSV | IEC Webstore". webstore.iec.ch. Retrieved 2021-04-11.

Textbooks
- W. Goble, "Control Systems Safety Evaluation and Reliability" (3rd Edition, ISBN 978-1-934394-80-9, Hardcover, 458 pages).
- I. van Beurden, W. Goble, "Safety Instrumented System Design - Techniques and Design Verification" (1st Edition, ISBN 978-1-945541-43-8, 430 pages).
- M. J. M. Houtermans, "SIL and Functional Safety in a Nutshell" (Risknowlogy Best Practices, 1st Edition, eBook in PDF, ePub, and iBook format, 40 pages).
- M. Medoff, R. Faller, "Functional Safety - An IEC 61508 SIL 3 Compliant Development Process" (3rd Edition, ISBN 978-1-934977-08-8, Hardcover, 371 pages, www.exida.com).
- C. O'Brien, L. Stewart, L. Bredemeyer, "Final Elements in Safety Instrumented Systems - IEC 61511 Compliant Systems and IEC 61508 Compliant Products" (1st Edition, 2018, ISBN 978-1-934977-18-7, Hardcover, 305 pages, www.exida.com).
- Münch, Jürgen; Armbrust, Ove; Soto, Martín; Kowalczyk, Martin. "Software Process Definition and Management", Springer, 2012.
- M. Punch, "Functional Safety for the Mining Industry – An Integrated Approach Using AS(IEC) 61508, AS(IEC) 62061 and AS 4024.1" (1st Edition, ISBN 978-0-9807660-0-4, A4 paperback, 150 pages).
- D. Smith, K. Simpson, "Safety Critical Systems Handbook: A Straightforward Guide to Functional Safety, IEC 61508 (2010 Edition) and Related Standards, Including Process IEC 61511 and Machinery IEC 62061 and ISO 13849" (3rd Edition, ISBN 978-0-08-096781-3, Hardcover, 288 pages).

External links
- IEC 61508-1:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1
- "IEC 61508" at International Electrotechnical Commission
- IEC Functional Safety zone
- 61508 Association: a cross-industry group of organizations with an interest in achieving a dependable and cost-effective method for demonstrating compliance with IEC 61508 and related standards.
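The coverage criteria from the "Testing software" section above, as an added example that is not from the article: a checker that tells whether a set of unit-test vectors for one decision achieves branch coverage and (unique-cause) MC/DC, showing why two vectors can satisfy branch coverage while MC/DC needs a pair per condition. The interlock decision and the test vectors are constructed for illustration.

```python
# Added example (not from the article): checks whether a set of unit-test
# vectors for one decision achieves branch coverage and unique-cause MC/DC,
# the stricter criterion the "Testing software" section mentions for higher SILs.
from itertools import combinations
from typing import Callable, Dict, List, Optional, Tuple

Vector = Dict[str, bool]
Decision = Callable[[Vector], bool]

def branch_covered(decision: Decision, vectors: List[Vector]) -> bool:
    """Branch coverage of the decision: both outcomes must be exercised."""
    return {decision(v) for v in vectors} == {True, False}

def independence_pair(decision: Decision, vectors: List[Vector],
                      cond: str) -> Optional[Tuple[Vector, Vector]]:
    """Two vectors that differ only in cond and flip the outcome, showing that
    cond independently affects the decision (the MC/DC requirement)."""
    for a, b in combinations(vectors, 2):
        if (a[cond] != b[cond]
                and all(a[k] == b[k] for k in a if k != cond)
                and decision(a) != decision(b)):
            return a, b
    return None

def uncovered_conditions(decision: Decision, vectors: List[Vector],
                         conditions: List[str]) -> List[str]:
    """Conditions with no independence pair; an empty list means MC/DC is met."""
    return [c for c in conditions if independence_pair(decision, vectors, c) is None]

def mcdc_covered(decision: Decision, vectors: List[Vector], conditions: List[str]) -> bool:
    return not uncovered_conditions(decision, vectors, conditions)

# Constructed interlock decision: motion is permitted only with the guard closed
# and either the two-hand control held or maintenance mode active.
CONDITIONS = ["guard_closed", "two_hand", "maint_mode"]

def motion_permitted(v: Vector) -> bool:
    return v["guard_closed"] and (v["two_hand"] or v["maint_mode"])

def vec(guard_closed: bool, two_hand: bool, maint_mode: bool) -> Vector:
    return {"guard_closed": guard_closed, "two_hand": two_hand, "maint_mode": maint_mode}

# Two vectors exercise both branches yet reveal nothing about any single condition.
BRANCH_ONLY = [vec(True, True, False), vec(False, False, False)]
# Four vectors (n + 1 for n conditions) give every condition an independence pair.
MCDC_SET = [vec(True, True, False), vec(False, True, False),
            vec(True, False, False), vec(True, False, True)]
```

Dropping the last vector from MCDC_SET leaves maint_mode without an independence pair, which is exactly the gap branch coverage would never report.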
Retrieved from "https://en.wikipedia.org/w/index.php?title=IEC_61508&oldid=1085092670"

Categories: Electrical standards; IEC standards; Safety engineering


