IEC 61508

Last updated

IEC 61508 is an international standard published by the International Electrotechnical Commission (IEC) consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES).

Contents

IEC 61508 is a basic functional safety standard applicable to all industries. It defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.” The fundamental concept is that any safety-related system must work correctly or fail in a predictable (safe) way.

The standard has two fundamental principles:

  1. An engineering process called the safety life cycle is defined based on best practices in order to discover and eliminate design errors and omissions.
  2. A probabilistic failure approach to account for the safety impact of device failures.

The safety life cycle has 16 phases which roughly can be divided into three groups as follows:

  1. Phases 1–5 address analysis
  2. Phases 6–13 address realisation
  3. Phases 14–16 address operation.

All phases are concerned with the safety function of the system.

The standard has seven parts:

Central to the standard are the concepts of probabilistic risk for each safety function. The risk is a function of frequency (or likelihood) of the hazardous event and the event consequence severity. The risk is reduced to a tolerable level by applying safety functions which may consist of E/E/PES, associated mechanical devices, or other technologies. Many requirements apply to all technologies but there is strong emphasis on programmable electronics especially in Part 3.

IEC 61508 has the following views on risks:

Specific techniques ensure that mistakes and errors are avoided across the entire life-cycle. Errors introduced anywhere from the initial concept, risk analysis, specification, design, installation, maintenance and through to disposal could undermine even the most reliable protection. IEC 61508 specifies techniques that should be used for each phase of the life-cycle. The seven parts of the first edition of IEC 61508 were published in 1998 and 2000. The second edition was published in 2010.

Hazard and risk analysis

The standard requires that hazard and risk assessment be carried out for bespoke systems: 'The EUC (equipment under control) risk shall be evaluated, or estimated, for each determined hazardous event'.

The standard advises that 'Either qualitative or quantitative hazard and risk analysis techniques may be used' and offers guidance on a number of approaches. One of these, for the qualitative analysis of hazards, is a framework based on 6 categories of likelihood of occurrence and 4 of consequence.

Categories of likelihood of occurrence

CategoryDefinitionRange (failures per year)
FrequentMany times in lifetime> 10−3
ProbableSeveral times in lifetime10−3 to 10−4
OccasionalOnce in lifetime10−4 to 10−5
RemoteUnlikely in lifetime10−5 to 10−6
ImprobableVery unlikely to occur10−6 to 10−7
IncredibleCannot believe that it could occur< 10−7

Consequence categories

CategoryDefinition
CatastrophicMultiple loss of life
CriticalLoss of a single life
MarginalMajor injuries to one or more persons
NegligibleMinor injuries at worst

These are typically combined into a risk class matrix

Consequence
LikelihoodCatastrophicCriticalMarginalNegligible
FrequentIIIII
ProbableIIIIIII
OccasionalIIIIIIIII
RemoteIIIIIIIIIV
ImprobableIIIIIIIVIV
IncredibleIVIVIVIV

Where:

Safety integrity level

The safety integrity level (SIL) provides a target to attain for each safety function. A risk assessment effort yields a target SIL for each safety function. For any given design the achieved SIL is evaluated by three measures:

1. Systematic Capability (SC) which is a measure of design quality. Each device in the design has an SC rating. The SIL of the safety function is limited to smallest SC rating of the devices used. Requirement for SC are presented in a series of tables in Part 2 and Part 3. The requirements include appropriate quality control, management processes, validation and verification techniques, failure analysis etc. so that one can reasonably justify that the final system attains the required SIL.

2. Architecture Constraints which are minimum levels of safety redundancy presented via two alternative methods - Route 1h and Route 2h.

3. Probability of Dangerous Failure Analysis [1]

Probabilistic analysis

The probability metric used in step 3 above depends on whether the functional component will be exposed to high or low demand:

Note the difference between function and system. The system implementing the function might be in operation frequently (like an ECU for deploying an air-bag), but the function (like air-bag deployment) might be in demand intermittently.

SIL Low demand mode:
average probability of failure on demand
High demand or continuous mode:
probability of dangerous failure per hour
1≥ 10−2 to < 10−1≥ 10−6 to < 10−5
2≥ 10−3 to < 10−2≥ 10−7 to < 10−6
3≥ 10−4 to < 10−3≥ 10−8 to < 10−7 (1 dangerous failure in 1140 years)
4≥ 10−5 to < 10−4≥ 10−9 to < 10−8

IEC 61508 certification

Certification is third party attestation that a product, process, or system meets all requirements of the certification program. Those requirements are listed in a document called the certification scheme. IEC 61508 certification programs are operated by impartial third party organizations called certification bodies (CB). These CBs are accredited to operate following other international standards including ISO/IEC 17065 and ISO/IEC 17025. Certification bodies are accredited to perform the auditing, assessment, and testing work by an accreditation body (AB). There is often one national AB in each country. These ABs operate per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting conformity assessment bodies. ABs are members of the International Accreditation Forum (IAF) for work in management systems, products, services, and personnel accreditation or the International Laboratory Accreditation Cooperation (ILAC) for laboratory accreditation. A Multilateral Recognition Arrangement (MLA) between ABs will ensure global recognition of accredited CBs. IEC 61508 certification programs have been established by several global Certification Bodies. Each has defined their own scheme based upon IEC 61508 and other functional safety standards. The scheme lists the referenced standards and specifies procedures which describes their test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program. IEC 61508 certification programs are being offered globally by several recognized CBs including exida, Intertek, SGS-TÜV Saar, TÜV Nord, TÜV Rheinland, TÜV SÜD and UL.

Industry/application specific variants

Automotive

ISO 26262 is an adaptation of IEC 61508 for Automotive Electric/Electronic Systems. It is being widely adopted by the major car manufacturers. [2]

Before the launch of ISO 26262, the development of software for safety related automotive systems was predominantly covered by the Motor Industry Software Reliability Association (MISRA) guidelines. [3] The MISRA project was conceived to develop guidelines for the creation of embedded software in road vehicle electronic systems. [3] A set of guidelines for the development of vehicle based software was published in November 1994. [4] This document provided the first automotive industry interpretation of the principles of the, then emerging, IEC 61508 standard. [3]

Today MISRA is most widely known for its guidelines on how to use the C and C++ languages. [5] MISRA C has gone on to become the de facto standard for embedded C programming in the majority of safety-related industries, and is also used to improve software quality even where safety is not the main consideration.

Rail

IEC 62279 provides a specific interpretation of IEC 61508 for railway applications. It is intended to cover the development of software for railway control and protection including communications, signaling and processing systems. EN 50128 and EN 50657 are equivalent CENELEC standards of IEC 62279. [6]

Process industries

The process industry sector includes many types of manufacturing processes, such as refineries, petrochemical, chemical, pharmaceutical, pulp and paper, and power. IEC 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation.

Power plants

IEC 61513 provides requirements and recommendations for the instrumentation and control for systems important to safety of nuclear power plants. It indicates the general requirements for systems that contain conventional hardwired equipment, computer-based equipment or a combination of both types of equipment. An overview list of safety norms specific for nuclear power plants is published by ISO. [7]

Machinery

IEC 62061 is the machinery-specific implementation of IEC 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.

Testing software

Software written in accordance with IEC 61508 may need to be unit tested, depending up on the SIL it needs to achieve. The main requirement in Unit Testing is to ensure that the software is fully tested at the function level and that all possible branches and paths are taken through the software. In some higher SIL level applications, the software code coverage requirement is much tougher and an MC/DC code coverage criterion is used rather than simple branch coverage. To obtain the MC/DC (modified condition/decision coverage) coverage information, one will need a Unit Testing tool, sometimes referred to as a Software Module Testing tool.

See also

Related Research Articles

<span class="mw-page-title-main">Safety-critical system</span> System whose failure would be serious

A safety-critical system or life-critical system is a system whose failure or malfunction may result in one of the following outcomes:

In functional safety, safety integrity level (SIL) is defined as the relative level of risk-reduction provided by a safety instrumented function (SIF), i.e. the measurement of the performance required of the SIF.

IEC standard 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation. Such systems are referred to as Safety Instrumented Systems. The title of the standard is "Functional safety - Safety instrumented systems for the process industry sector".

Software safety is an engineering discipline that aims to ensure that software, which is used in safety-related systems, does not contribute to any hazards such a system might pose. There are numerous standards that govern the way how safety-related software should be developed and assured in various domains. Most of them classify software according to their criticality and propose techniques and measures that should be employed during the development and assurance:

In functional safety a safety instrumented system (SIS) is an engineered set of hardware and software controls which provides a protection layer that shuts down a chemical, nuclear, electrical, or mechanical system, or part of it, if a hazardous condition is detected.

MISRA C is a set of software development guidelines for the C programming language developed by The MISRA Consortium. Its aims are to facilitate code safety, security, portability and reliability in the context of embedded systems, specifically those systems programmed in ISO C / C90 / C99.

A high-integrity pressure protection system (HIPPS) is a type of safety instrumented system (SIS) designed to prevent over-pressurization of a plant, such as a chemical plant or oil refinery. The HIPPS will shut off the source of the high pressure before the design pressure of the system is exceeded, thus preventing loss of containment through rupture (explosion) of a line or vessel. Therefore, a HIPPS is considered as a barrier between a high-pressure and a low-pressure section of an installation.

Spurious trip level (STL) is defined as a discrete level for specifying the spurious trip requirements of safety functions to be allocated to safety systems. An STL of 1 means that this safety function has the highest level of spurious trips. The higher the STL level the lower the number of spurious trips caused by the safety system. There is no limit to the number of spurious trip levels.

The Motor Industry Software Reliability Association (MISRA) is an organization that produces guidelines for the software developed for electronic components used in the automotive industry. It is a collaboration between numerous vehicle manufacturers, component suppliers and engineering consultancies.

Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely systematic errors, hardware failures and operational/environmental stress.

ISO 26262, titled "Road vehicles – Functional safety", is an international standard for functional safety of electrical and/or electronic systems that are installed in serial production road vehicles, defined by the International Organization for Standardization (ISO) in 2011, and revised in 2018.

TargetLink is a software for automatic code generation, based on a subset of Simulink/Stateflow models, produced by dSPACE GmbH. TargetLink requires an existing MATLAB/Simulink model to work on. TargetLink generates both ANSI-C and production code optimized for specific processors. It also supports the generation of AUTOSAR-compliant code for software components for the automotive sector. The management of all relevant information for code generation takes place in a central data container, called the Data Dictionary.

IEC 62443 is a series of standards that address cybersecurity for operational technology in automation and control systems. The series is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity. The series is also known as ISA/IEC 62443 in recognition of the fact that much of the initial development was done by the ISA99 committee of the International Society for Automation.

<span class="mw-page-title-main">Parasoft C/C++test</span> Integrated set of tools

Parasoft C/C++test is an integrated set of tools for testing C and C++ source code that software developers use to analyze, test, find defects, and measure the quality and security of their applications. It supports software development practices that are part of development testing, including static code analysis, dynamic code analysis, unit test case generation and execution, code coverage analysis, regression testing, runtime error detection, requirements traceability, and code review. It's a commercial tool that supports operation on Linux, Windows, and Solaris platforms as well as support for on-target embedded testing and cross compilers.

ISO 13849 is a safety standard which applies to parts of machinery control systems that are assigned to providing safety functions. The standard is one of a group of sector-specific functional safety standards that were created to tailor the generic system reliability approaches, e.g., IEC 61508, MIL-HDBK-217, MIL-HDBK-338, to the needs of a particular sector. ISO 13849 is simplified for use in the machinery sector.

IEC/EN 62061, ”Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems”, is the machinery specific implementation of IEC/EN 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.

Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. This is an adaptation of the Safety Integrity Level (SIL) used in IEC 61508 for the automotive industry. This classification helps defining the safety requirements necessary to be in line with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard by looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.

Hercules is a line of ARM architecture-based microcontrollers from Texas Instruments built around one or more ARM Cortex cores. This "Hercules safety microcontroller platform" includes a series of microcontrollers specifically targeted for Functional Safety applications, through such hardware-base fault correction/detection features as dual cores that can run in lock-step, full path ECC, automated self testing of memory and logic, peripheral redundancy, and monitor/checker cores.

Cantata++, commonly referred to as Cantata in newer versions, is a commercial computer program designed for dynamic testing, with a focus on unit testing and integration testing, as well as run time code coverage analysis for C and C++ programs. It is developed and marketed by QA Systems, a multinational company with headquarters in Waiblingen, Germany.

High-integrity software is software whose failure may cause serious damage with possible "life-threatening consequences." "Integrity is important as it demonstrates the safety, security, and maintainability of... code." Examples of high-integrity software are nuclear reactor control, avionics software, automotive safety-critical software and process control software.

[H]igh integrity means that the code:

References

  1. Control Systems Safety Evaluation and Reliability. ISA. 2010. ISBN   978-1-934394-80-9.
  2. Hamann, Reinhold; Sauler, Jürgen; Kriso, Stefan; Grote, Walter; Mössinger, Jürgen (2009-04-20). "Application of ISO 26262 in Distributed Development ISO 26262 in Reality". SAE Technical Paper Series. 1. Warrendale, PA: SAE International. doi:10.4271/2009-01-0758.
  3. 1 2 3 "MISRA Web site > MISRA Home > A brief history of MISRA". www.misra.org.uk. Archived from the original on 2021-06-25. Retrieved 2021-02-23.
  4. Development Guidelines for Vehicle Based Software. MISRA. 1994. ISBN   0952415607.
  5. "MISRA Web site > News". www.misra.org.uk. Retrieved 2021-02-23.
  6. Hadj-Mabrouk, Habib (1 November 2020). "Application of Case-Based Reasoning to the safety assessment of critical software used in rail transport". Safety Science. 131: 104928. doi:10.1016/j.ssci.2020.104928. ISSN   0925-7535.
  7. "ISO - 27.120.20 - Nuclear power plants. Safety". www.iso.org. Retrieved 2021-02-23.

Further reading

Textbooks

  1. "Relationship between ISO 26262 and IEC 61508". ez.analog.com. Retrieved 2021-04-11.
  2. "Automotive vs Industrial Functional Safety". ez.analog.com. Retrieved 2021-04-11.
  3. "IEC 60730-1:2013+AMD1:2015+AMD2:2020 CSV | IEC Webstore". webstore.iec.ch. Retrieved 2021-04-11.