
1. INTRODUCTION - ABOUT IEC

Millions of devices that contain electronics, and use or produce electricity, rely on
IEC International Standards and Conformity Assessment Systems to perform, fit
and work safely together.
Founded in 1906, the IEC (International Electrotechnical Commission) is the world's
leading organization for the preparation and publication of International Standards
for all electrical, electronic and related technologies. These are known collectively
as electrotechnology.
Over 10 000 experts from industry, commerce, government, test and research labs,
academia and consumer groups participate in IEC Standardization work.
2. IEC ORGANIZATION

The IEC is a not-for-profit, non-governmental organization, founded in 1906, which
develops International Standards and operates conformity assessment systems in
the fields of electrotechnology.
The IEC is one of three global sister organizations (IEC, ISO, ITU) that
develop International Standards for the world.
When appropriate, IEC cooperates with ISO (International Organization for
Standardization) or ITU (International Telecommunication Union) to
ensure that International Standards fit together seamlessly and
complement each other. Joint committees ensure that International
Standards combine all relevant knowledge of experts working in related
areas.
The IEC comprises one member National Committee per country; each pays
membership fees and in exchange can participate fully in IEC work.
The IEC operates on an annual budget of approximately CHF 20 million.
The Standardisation Management Board is responsible for the overall
management of the technical work.
The standards work of the Commission is carried out through technical
committees and subcommittees, composed of representatives of the Full
Member National Committees, each dealing with a particular subject.
Technical committees are created or disbanded by the Standardization
Management Board (SMB). They may delegate part of their scopes to
subcommittees, in accordance with the Directives.
Each technical committee has a chairman and a secretariat, both
appointed by the SMB amongst representatives of Full Member National
Committees.

National Committees
IEC members are National Committees (NCs) and there can only be one per
country. Individuals participate in the IEC's work through the National Committees,
see the section on experts and delegates for more information.
There is no single model for the structure of an NC. However, in order that it can
consider all the different aspects of a particular technical area, it must be fully
representative of all of the country's interests in the field of electrotechnical
standardization and conformity assessment. An NC's decision-making processes
should enable all stakeholders to have a real influence on its technical and
management activities.
On becoming a member of the IEC, each NC agrees to open access and balanced
representation from all private and public electrotechnical interests in its country.

Experts & delegates

Experts
Experts are individuals with specialist knowledge in a particular technical
field. Each NC (National Committee) participating in a technical
committee's work can appoint experts to take part in specific technical
work through working groups, project teams or maintenance teams.


Category A liaison organizations may also appoint experts to working
groups and project teams.
Experts participate in IEC technical work in a personal capacity and do
not represent their company / organization or NC.
Find further details in the Directives regarding the procedures for the
appointment of experts.
Delegates
Delegates are representatives of their NC at a TC (Technical Committee)
or SC (Subcommittee) meeting and should be fully briefed by their NC
before attending a meeting.
For TC/SC meetings, each NC participating in the committee assigns a
Head of delegation, who is responsible for speaking and voting on behalf
of the NC during the meeting, but may invite other delegates from their
NC delegation to speak if required.
Young Professionals' Programme
Today there is clearly a need for the IEC to be ever-more responsive to
the fast-changing markets by producing International Standards that
meet needs better and reach markets more quickly. The Young
Professionals' Programme helps the IEC embrace its global culture and
develop its community further by encouraging an even greater range of
people, of all ages and experiences, to participate in its work.
The IEC Young Professionals' Programme provides a gateway for young
professionals all over the world to become more involved in IEC work.
Participants are hand-picked by IEC National Committees to represent
their country as future leaders on the IEC global platform. The
programme explains IEC procedures and policies and demonstrates why
participation at the global level is an essential strategic tool in today's
world.

3. TECHNICAL COMMITTEES & SUBCOMMITTEES

Some 176 TCs (Technical Committees) and SCs (Subcommittees), and
about 700 Project Teams (PT) / Maintenance Teams (MT) carry out the
standards work of the IEC. These working groups are composed of people
from all around the world who are experts in electrotechnology. The great
majority of them come from industry, while others from commerce,
government, test laboratories, research laboratories, academia and
consumer groups also contribute to the work.
TCs report to the SMB (Standardization Management Board). A TC can
form SCs if it finds its scope too wide to enable all the items on its work
programme to be dealt with. The SCs report on their work to the parent
TC. The scope (or area of activity) of each TC and SC is defined by the
TC/SC itself, and then submitted to the SMB or parent TC for approval.
TC membership is composed of the IEC NCs (National Committees), all of
which are free to take part in the work of any given TC, either as:
P-Members (Participating members) who have the obligation to
vote at all stages and to contribute to meetings; or
O-Members (Observer members) who follow the work as an
observer receiving committee documents and having the right to
submit comments and to attend meetings.
IEC TCs and SCs prepare technical documents on specific subjects within
their respective scopes, which are then submitted to the Full Member
National Committees for vote with a view to their approval as
International Standards. Distribution of documents for standards
production is 100% electronic, thus improving efficiency and reducing
costs.
IEC Project Committees are established by the SMB to prepare individual
standards not falling within the scope of an existing technical committee
or subcommittee. Project Committees are disbanded once the standard
has been published.
Each National Committee of the IEC handles the participation of experts
from its country. If you would like to participate in the work of an IEC TC
or SC, please contact your NC. If your country is not a member of the IEC,
please contact the IEC Central Office.
In all, some 10 000 experts worldwide participate in the technical work of
the IEC.

4. IEC TECHNICAL COMMITTEE TC65

TC65: INDUSTRIAL PROCESS MEASUREMENT, CONTROL AND AUTOMATION
To prepare international standards for systems and elements used for industrial
process measurement, control and automation. To coordinate standardization
activities which affect integration of components and functions into such
systems including safety and security aspects. This work of standardization is to
be carried out in the international fields for equipment and systems.
TC65 - SUBCOMMITTEES
SC65A: SYSTEM ASPECTS
To prepare international standards regarding the generic aspects of systems used in
industrial process measurement, control and manufacturing automation: operational
conditions (including EMC), methodology for the assessment of systems, functional
safety, etc.
SC65A also has a safety pilot function to prepare standards dealing with functional
safety of electrical/electronic/programmable electronic systems.
SC65B: MEASUREMENT AND CONTROL DEVICES
To prepare international standards in the field of specific aspects of devices (hardware
and software) used in industrial process measurement and control, such as
measurement devices, analysing equipment, actuators, and programmable logic
controllers, and covering such aspects as interchangeability, performance evaluation,
and functionality definition.
SC65C: INDUSTRIAL NETWORKS
To prepare international standards on wired, optical and wireless industrial networks
for industrial-process measurement, control and manufacturing automation, as well as
for instrumentation systems used for research, development and testing purposes.
The scope includes cabling, interoperability, co-existence and performance evaluation.
SC65E: DEVICES AND INTEGRATION IN ENTERPRISE SYSTEMS
To prepare international standards specifying:
(1) Device integration with industrial automation systems. The models developed in
these standards address device properties, classification, selection, configuration,
commissioning, monitoring and basic diagnostics.
(2) Industrial automation systems integration with enterprise systems. This includes
transactions between business and manufacturing activities which may be jointly
developed with ISO TC184.

TC65 - Working Groups

WG 1 Terms and definitions
WG 10 Security for industrial process measurement and control - Network
and system security
WG 12 P&I diagrams, P&ID tools and PCE-CAE tools
WG 15 Documents for the Process Industry
WG 16 Digital Factory
WG 17 System interface between industrial facilities and the smart grid
WG 18 Cause and Effect Table
WG 19 Life-cycle management for systems and products used in
industrial-process measurement, control and automation

TC65 - Joint Working Groups

JW 13 Safety requirements for industrial-process measurement,
control and automation equipment, excluding functional safety
JW 14 Energy Efficiency in Industrial Automation (EEIA)

TC65 - Advisory Groups

AG 14 Chairmen's advisory groups

4.1. ITALIAN MEMBER OF IEC TECHNICAL COMMITTEE TC65 AND SUBCOMMITTEES SC65A, SC65B, SC65C, SC65E

IEC National Committee of Italy
COMITATO ELETTROTECNICO ITALIANO
Via Saccardo, 9
IT-20134 MILANO
Italy
4.2. TC65 PUBLICATIONS

IEC 60050-351 - IEV vocabulary

IEC 61010 - Safety requirements for equipment

IEC 62443 - Cyber security

IEC 62708 - Documentation requirements

4.3. SC65A PUBLICATIONS

IEC 61326 - EMC

IEC 61508 Series - Functional Safety

IEC 61511 - Functional Safety process industry sector

IEC 61512 - Batch Control

4.4. SC65B PUBLICATIONS


IEC 61131 (PLC)

IEC 61499 - Function Block

IEC 60534 - Industrial-process control valves

IEC 61207 - Expression of performance of gas analyzers

4.5. SC65C PUBLICATIONS

IEC 61158 Series - Fieldbus

IEC 61588 - Precision clock synchronization

IEC 61784 - Industrial communication networks Profiles

IEC 61918 - Cabling

IEC 62439 - High availability automation networks

IEC 62591, IEC 62601, IEC 62734 - Wireless

IEC 62657 - Wireless coexistence

4.6. SC65E PUBLICATIONS

IEC 61987 - Electronic catalogues

IEC 62264 - Enterprise-control system integration

IEC 61804 - Function Blocks Process Control and EDDL

IEC 61499 - Generic Function Blocks Distributed Control

IEC 62337 - Commissioning

IEC 62381 - FAT, SAT and SIT

IEC 62382 - Electrical and Instrumentation Loop Check

IEC 62541 - OPC UA

IEC 62543 - FDT

IEC 62714 - AutomationML

See the TC65 strategic business plan for further details.

5. IEC 61508 - SCOPE

5.1. Is IEC 61508 relevant to me?

Generally, the significant hazards for equipment and any associated control system
have to be identified by the specifier or developer via a hazard analysis. The analysis
identifies whether functional safety is necessary to ensure adequate protection against
each significant hazard. If so, then it has to be taken into account in an appropriate
manner in the design. Functional safety is just one method of dealing with hazards,
and other means for their elimination or reduction, such as inherent safety through
design, are of primary importance.
IEC 61508 defines appropriate means for achieving functional safety in the systems it
covers.
5.2. What systems does IEC 61508 cover?
IEC 61508 applies to safety-related systems when one or more of such systems
incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices.
It covers possible hazards caused by failure of the safety functions to be performed by the
E/E/PE safety-related systems, as distinct from hazards arising from the E/E/PE
equipment itself (for example electric shock etc). It is generically based and applicable to
all E/E/PE safety-related systems irrespective of the application.
It is recognized that the consequences of failure could also have serious economic
implications and in such cases the standard could be used to specify any E/E/PE safety-related system used for the protection of equipment or product.

5.3. Give me some practical examples

The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:
emergency shut-down systems
fire and gas systems
turbine control
gas burner management
crane automatic safe-load indicators
guard interlocking and emergency stopping systems for machinery
medical devices
dynamic positioning (control of a ship's movement when in proximity to an offshore
installation)
railway signalling systems (including moving block train signalling)
variable speed motor drives used to restrict speed as a means of protection
remote monitoring, operation or programming of a network-enabled process plant
an information-based decision support tool where erroneous results affect safety

Relevant means of implementing safety functions include electro-mechanical relays (i.e.
electrical), non-programmable solid-state electronics (i.e. electronic) and programmable
electronics. Programmable electronic safety-related systems typically incorporate
programmable controllers, programmable logic controllers, microprocessors, application
specific integrated circuits, or other programmable devices (for example "smart" devices
such as sensors/transmitters/actuators).
In every case, the standard applies to the entire E/E/PE safety-related system (for
example from sensor, through control logic and communication systems, to final actuator,
including any critical actions of a human operator). For safety functions to be effectively
specified and implemented, it is essential to consider the system as a whole. The physical
extent of an E/E/PE safety-related system is solely determined by the safety function.

5.4. How does IEC 61508 apply where E/E/PE technology makes up only a
small part of the safety-related system?
IEC 61508 is applicable to any safety related system that contains an E/E/PE device.
This applicability is appropriate because many requirements, particularly in IEC 61508-1,
are not technology specific. Indeed, early development phases (such as initial concept,
overall scope definition, hazard and risk analysis and specifying the overall safety
requirements) may take place before the implementation technology has been decided.
Even during later phases such as realisation, specific functional safety requirements apply
directly to non-E/E/PE devices, such as mechanical components, as well as E/E/PE
devices. For example, the requirements for hardware reliability and fault tolerance in IEC
61508-2 directly relate to the properties of all components in the E/E/PE safety-related
system, whether or not they include E/E/PE technology.

For low complexity E/E/PE safety-related systems, it is possible to comply with IEC 61508
while not meeting every requirement of the standard.

5.5. How does IEC 61508 apply to systems whose function is to avoid damage
to the environment or severe financial loss?
IEC 61508 is concerned with achieving functional safety, where safety is defined as
freedom from unacceptable risk of physical injury or damage to the health of people, either
directly or indirectly as a result of damage to property or to the environment (see 3.1 of
IEC 61508-4). So damage to long term health, including damage to property or the
environment that leads to damage to long term health, is explicitly within the scope of the
standard and is encompassed by the term safety.
It is recognised that the consequences of failure could also have serious economic
implications and in such cases the standard could be used to specify any E/E/PE system
used for the protection of equipment or product (1.2 e of IEC 61508-1).
The particular safety functions that are necessary, and the associated levels of
performance required of them, are determined by hazard and risk analysis (see for
example IEC 61508-5). An equivalent analysis of risk in terms of environmental or financial
hazards can be performed by replacing safety parameters with environmental or financial
parameters. Most of the subsequent requirements of the standard are as applicable for
"environmental functions" or "financial functions" as they are for safety functions. This
includes the required levels of performance, which are expressed in terms of the average
probability of failure to perform its design function on demand or the probability of a
dangerous failure per hour (see Tables 2 & 3 of IEC 61508-1).

5.6. What does IEC 61508 consist of?

The standard is published in parts as shown in the table below. Only parts 1 to 4 contain
normative requirements.
5.7. Can I get hold of the standard for free, for example by downloading from
the internet?
No, IEC 61508 is a priced publication. You can purchase it online from the IEC, or obtain it
from the national standards body in your own country.
You can download for free the first few pages of an IEC standard from the IEC webstore.
These previews contain the contents, foreword, introduction, scope and normative
references.

5.8. Now I've obtained a copy of the standard, how do I go about reading it?

Annex A of IEC 61508-5 provides introductory material on risk and safety integrity. In IEC
61508-1, the overall safety lifecycle requirements contained in clause 7 are summarized in
a lifecycle diagram in figure 2, with an overview of each phase in table 1. In addition,
requirements relating to verification, management of functional safety and functional safety
assessment are contained in 7.18, clause 6 and clause 8 respectively.
Annex A of IEC 61508-6 gives an eight-page overview of the requirements in IEC 61508-2
and IEC 61508-3.
In IEC 61508-2, the E/E/PES safety lifecycle requirements contained in clause 7 are
summarised in a lifecycle diagram in figure 2, with an overview of each phase in table 1.
Likewise, in IEC 61508-3, the software safety lifecycle requirements contained in clause 7
are summarised in figure 3 with an overview in table 1.
Any particular requirement of IEC 61508 should be considered in the context of its lifecycle
phase (where applicable) and the stated objectives for the requirements of that phase,
clause or subclause. The objectives are always stated immediately before the
requirements.

5.9. Is application of IEC 61508 compulsory under any EC Directive?

No. EN 61508 does not have the status of a harmonized European standard,
and is not referred to by any EC Directive.
Although EN 61508 is a European Standard, it does not have the status of a
harmonised European standard in relation to any EC product directive and it is
not therefore listed in the EC Official Journal. However, this does not prevent
compliance with relevant parts of EN 61508 being used to support a
declaration of conformity with an EC product directive, if that is appropriate.
But because EN 61508 is not a harmonised European standard, compliance
with it does not provide a presumption of conformity with any directive. It
would therefore be necessary to explain in the product's technical file how
compliance with EN 61508 is being used to support compliance with specific
essential requirements of the particular directive.
There are also no plans to harmonize IEC 61511 or IEC 61513 under any EC
Directive. However:

IEC 62061, which has been adopted in Europe as EN 62061, was a
harmonized European standard under the 98/37/EC Machinery Directive
(an EC product directive) and will become a harmonized European
standard under the 2006/42/EC Machinery Directive. This is possible
because the scope of IEC 62061 is restricted to product requirements
rather than the whole safety lifecycle requirements of IEC 61508, which
go beyond what is appropriate for a product directive. Although
harmonization of EN 62061 means that compliance with it will grant a
presumption of conformity with the relevant essential requirements of
the Machinery Directive, it will not preclude the use of other ways of
meeting those requirements (e.g. by the application of other standards).

IEC 61800-5-2 (EN 61800-5-2) is a harmonized European standard under
the 2006/42/EC Machinery Directive.

Note: For the latest position regarding European standards in relation to
Directive 2006/42/EC on machinery, see the Publications in the Official Journal.

5.10. How can I request a technical interpretation for a particular
subclause of the standard?
It is the responsibility of your national committee to answer questions put to
them about the standard. They will forward your question to the relevant
international committee where appropriate. You are also welcome to submit a
new question to be added to these FAQ pages using our feedback facility.

6. IEC 61508 - COMPLYING WITH THE STANDARD

D1) Which requirements do I need to satisfy in order to claim
compliance with the standard?
The term shall used in a requirement indicates that the requirement is strictly
to be followed if conformance to the standard is to be claimed.
Where should (or it is recommended that) is used, this indicates that among
several possibilities one is recommended as particularly suitable, without
mentioning or excluding others, or that a certain course of action is preferred
but not necessarily required.
Normative elements set out the provisions to which it is necessary to conform
in order to be able to claim compliance with the standard. The text in a
normative element usually contains both shall and should. In IEC 61508, the
following contain normative elements: part 1 (excluding annexes); part 2
(including annexes); part 3 (including annexes A and B, excluding annex C);
and part 4 (excluding the annex). There are no normative requirements in parts
5, 6 and 7 of the standard.
Informative elements of the standard provide additional information intended
to assist its understanding or use, but with which it is not necessary to conform
in order to be able to claim compliance. The text in an informative element
cannot contain shall. Notes and footnotes are always informative.
In IEC 61508, the following are informative: the annexes of part 1; annex C of
part 3; the annex of part 4; and all annexes of parts 5, 6 and 7.
For the overall framework of the IEC 61508 series see IEC 61508-1, Figure 1
(page 10 of the preview).
D2) How does IEC 61508 apply to low complexity E/E/PE safety-related
systems?
If the standard is used for low complexity E/E/PE safety-related systems, where
dependable field experience exists which provides the necessary confidence
that the required safety integrity can be achieved, certain of the requirements
specified in the standard may be unnecessary and exemption from compliance
with such requirements is acceptable provided this is justified (4.2 of IEC
61508-1).
The standard does not state which requirements this applies to, which is for the
user of the standard to decide and justify. Note, however, that the conditions in
which this relaxation applies are very restrictive.

D3) Give me some practical examples

IEC 61508 separates the specification of the safety functions to be
performed into two elements:
the safety function requirements (what the function does); and
the safety integrity requirements (the likelihood of a safety function being
performed satisfactorily).
IEC 61508 does not stipulate what safety function requirements nor what
safety integrity requirements are necessary for any particular application.
The safety integrity level (SIL 1, 2, 3 or 4) corresponds to a range of safety
integrity values, measured for a specified safety function in terms of:
the average probability of a dangerous failure on demand (for low demand
mode of operation); or,
the average frequency of a dangerous failure per hour (for high demand or
continuous mode of operation).
Note: For mode of operation see IEC 61508-4, subclause 3.5.12.
The safety integrity level, of a specified safety function, allocated to the E/E/PE
safety-related system will affect the degree of rigour to which a requirement of
the standard is to be satisfied. But other factors will also affect this (see 4.1 of
IEC 61508-1).
Some elements of the standard make the dependence on safety integrity level
explicit by grading the requirements, for example:
Table 5 of IEC 61508-1;
7.4.2 and annexes A and B of IEC 61508-2 and
Annexes A and B of IEC 61508-3.
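The following worked example is added here and is not part of the original document or of IEC 61508 itself. It shows how a measured safety integrity value is placed in a SIL band and compared with a target, for both modes of operation described in D3 (PFDavg for low demand, PFH for high demand or continuous), and it applies equally to the "environmental functions" or "financial functions" of 5.5, since only the parameters change. The band limits are those of IEC 61508-1 Tables 2 and 3, which the text cites but does not reproduce; the demand-rate threshold for low demand mode follows the IEC 61508-4 definition. The single-channel (1oo1) PFDavg estimate `lambda_DU * T1 / 2` is a simplification assumed for this example (the fuller formulae are in IEC 61508-6), and all function names and input values are constructed.

```python
"""Added example: SIL banding of a failure measure and a simplified 1oo1 estimate.

Band limits are those published in IEC 61508-1 Tables 2 (low demand) and 3
(high demand / continuous); the page cites these tables but does not show them.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    LOW_DEMAND = "low demand (measure: PFDavg)"
    HIGH_DEMAND = "high demand or continuous (measure: PFH, per hour)"


# (SIL, inclusive lower limit, exclusive upper limit)
# Table 2: average probability of a dangerous failure on demand (low demand mode).
_LOW_DEMAND_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# Table 3: average frequency of a dangerous failure per hour (high demand / continuous).
_HIGH_DEMAND_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def _bands(mode: Mode):
    return _LOW_DEMAND_BANDS if mode is Mode.LOW_DEMAND else _HIGH_DEMAND_BANDS


def mode_for_demand_rate(demands_per_year: float) -> Mode:
    """IEC 61508-4 defines low demand mode as a demand frequency of no more
    than one per year; anything more frequent is high demand / continuous."""
    if demands_per_year < 0:
        raise ValueError("demand rate cannot be negative")
    return Mode.LOW_DEMAND if demands_per_year <= 1.0 else Mode.HIGH_DEMAND


def sil_for_measure(value: float, mode: Mode) -> Optional[int]:
    """SIL (1..4) of the band containing `value`; 0 if the measure is worse
    than the SIL 1 band; None if it is below the SIL 4 lower limit, where the
    standard tabulates no band."""
    if not value > 0:
        raise ValueError("a failure measure must be a positive probability or frequency")
    bands = _bands(mode)
    for sil, lower, upper in bands:
        if lower <= value < upper:
            return sil
    return 0 if value >= bands[-1][2] else None


def measure_meets_sil(value: float, mode: Mode, required_sil: int) -> bool:
    """The target is met when the achieved measure lies below the upper limit
    of the required SIL band; a smaller measure is always acceptable."""
    upper = {sil: hi for sil, _, hi in _bands(mode)}[required_sil]
    return 0 < value < upper


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified single-channel (1oo1) estimate: PFDavg ~= lambda_DU * T1 / 2.
    Assumption for this example: undetected dangerous failures only, no
    common-cause term, lambda_DU * T1 << 1. IEC 61508-6 gives fuller formulae."""
    if lambda_du_per_hour < 0 or proof_test_interval_hours <= 0:
        raise ValueError("lambda_DU must be >= 0 and T1 > 0")
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


@dataclass
class Assessment:
    mode: Mode
    measure: float
    achieved_sil: Optional[int]
    required_sil: int
    meets_target: bool


def assess_1oo1_low_demand(lambda_du_per_hour: float, proof_test_interval_hours: float,
                           demands_per_year: float, required_sil: int) -> Assessment:
    """Estimate PFDavg for a 1oo1 channel and compare it with the required SIL."""
    mode = mode_for_demand_rate(demands_per_year)
    if mode is not Mode.LOW_DEMAND:
        raise ValueError("PFDavg applies to low demand mode only; use PFH otherwise")
    pfd = pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours)
    return Assessment(mode, pfd, sil_for_measure(pfd, mode), required_sil,
                      measure_meets_sil(pfd, mode, required_sil))


if __name__ == "__main__":
    # Constructed inputs: lambda_DU = 1e-6 per hour, yearly proof test (8760 h),
    # 0.2 demands per year, target SIL 2.
    a = assess_1oo1_low_demand(1e-6, 8760.0, 0.2, required_sil=2)
    print(f"PFDavg={a.measure:.2e} -> SIL {a.achieved_sil}; "
          f"meets SIL {a.required_sil}: {a.meets_target}")
```

Note the exclusive upper limits: a PFDavg of exactly 1e-2 falls in the SIL 1 band, not SIL 2, and shortening the proof-test interval in the 1oo1 estimate is what moves the same channel from one band to the next.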
D4) Is it necessary to choose techniques and measures from those
recommended in annexes A and B of IEC 61508-2 and IEC 61508-3 in order to comply with the standard?
Although all four normative annexes contain recommendations for the
use of particular techniques and measures, they differ in what is
required for compliance.
In subclause A.2 of IEC 61508-2, table A.1 provides the requirements for faults
or failures that shall be detected by techniques and measures to control
hardware failures. Tables A.2 to A.15, also in subclause A.2 of IEC 61508-2,
support the requirements of table A.1 by recommending techniques and
measures for diagnostic tests and recommending maximum levels of
diagnostic coverage that can be achieved using them. Therefore, in order to
comply with the standard, it is necessary to fulfil the requirements of table A.1,
but tables A.2 to A.15 suggest just one set of possibilities on how the
requirements of table A.1 can be met.
In subclause A.3 of IEC 61508-2, tables A.16 to A.18 recommend particular
techniques and measures, therefore it is not necessary to use any of these in
order to claim compliance. However, if you do not use a technique or measure
that is highly recommended for the safety integrity level, then the rationale
behind not using it shall be detailed. Also, for every technique or measure
listed in tables A.16 to A.18 that you do use, it shall be used to the extent
necessary to give at least the level of effectiveness stated in the table. Table
A.19 gives guidance on what is intended by the terms low and high
effectiveness for just some of the techniques and measures.
The techniques and measures in annex B of IEC 61508-2 are recommended in
the same way as those in subclause A.3. It is necessary to detail the rationale
wherever a technique or measure that is highly recommended for the safety
integrity level is not used, and wherever a technique or measure that is
positively not recommended for the safety integrity level is used. And it is
necessary to achieve at least the level of effectiveness stated in the table for
any techniques or measures that you do use. Table B.6 gives guidance on what
is intended by the terms low and high effectiveness for most of the techniques
and measures.
In annexes A and B of IEC 61508-2, the table shading adds recommendations
on how to select and combine the techniques and measures.

Note that annex C of IEC 61508-2 is also normative and contains requirements
that are necessary for compliance.
Annexes A and B of IEC 61508-3 contain the requirement that appropriate
techniques and measures shall be selected according to the safety integrity
level. Anyone claiming compliance with the standard is required to consider
which techniques or measures are most appropriate for the specific problems
encountered during the development of each E/E/PE safety-related system.
These may include techniques and measures recommended by the standard
and may include others; the tables give only recommendations as to which
techniques and measures may be appropriate.
A particular concern is raised by systematic factors in the failure of a safety
function. Systematic failure factors can arise in both hardware and software.
The effectiveness of the measures and precautions used to meet the target
failure measures for systematic safety integrity generally needs to be assessed
qualitatively.
Specifically for software, the IEC 61508-3 tables of recommended techniques
are not checklists by which systematic safety integrity in software can be
guaranteed. Many factors affect software safety integrity, and it is not possible
to give an algorithm for combining the techniques and measures that will
guarantee success in any given application. Software techniques will need to
be chosen judiciously with attention to several key factors including:
the developers' personal competence and experience in techniques;
the developers' familiarity with the application and likely difficulties;
the size or complexity of the application;
industry sector recommendations and recognized good practice; and
international published standards.
These annexes contain a recommendation that the rationale for not following
the guidance for highly recommended or not recommended techniques or
measures should be detailed during the safety planning and agreed with the
assessor.
In both IEC 61508-2 and IEC 61508-3, the choice of techniques for each
lifecycle phase needs to be documented (see clause 5 of IEC 61508-1). Other
subclauses require some of this documentation to include a justification of the
choice of techniques and measures, even if all recommendations are followed.
See for example 7.3.2.2 e) and 7.4.2.9 of IEC 61508-2, and 7.4.3.2 a) of IEC
61508-3.
D5) I have contractual responsibility for some (but not all) of the
development phases for an E/E/PE safety-related system. What
information do I need in documentation from other parties to enable
me to comply with IEC 61508?
For an E/E/PE safety-related system to comply with IEC 61508, one or
more organizations or individuals have to be responsible for each
phase of the overall, E/E/PES and software safety lifecycles. Part of
the responsibility for each phase is to document information
sufficiently, so that all phases that depend on that information can be
effectively performed (see clause 5 of IEC 61508-1).
Table 1 of IEC 61508-1 specifies the information necessary for each phase of
the overall safety lifecycle. Table 1 of IEC 61508-2 and table 1 of IEC 61508-3
are the equivalents for the E/E/PES and software safety lifecycles.
For example, part of the entry from table 1 of IEC 61508-1 for the phase E/E/PE
safety-related systems: realisation is reproduced below. It can be seen from the
table that a system supplier with responsibility for the realisation phase needs
documentation containing the specification for the E/E/PES safety
requirements. This will set out all the requirements for the safety functions that
have been allocated to the E/E/PE safety-related system(s) together with the
safety integrity requirements for each of these safety functions.
Safety lifecycle phase: E/E/PE safety-related systems: realisation
Objectives (7.10.1 and IEC 61508-2 and IEC 61508-3): To create E/E/PE
safety-related systems conforming to the specification for the E/E/PES safety
requirements (comprising the specification for the E/E/PES safety functions
requirements and the specification for the E/E/PES safety integrity
requirements)
Scope: E/E/PE safety-related systems
Inputs: Specification for the E/E/PES safety requirements
Outputs: Confirmation that each E/E/PE safety-related system meets the E/E/PES
safety requirements specification
D6) Suppliers are quoting that their products conform to IEC 61508 for
a specific safety integrity level. Does this mean that using these
products is sufficient for me to comply with IEC 61508?
No. A safety integrity level is not directly applicable to individual
subsystems, elements or components. It applies to a safety function
carried out by the E/E/PE safety-related system.
IEC 61508 covers all components of the E/E/PE safety-related system, including
field equipment and specific project application logic. All these subsystems and
components, when combined to implement the safety function (or functions),
are required to meet the safety integrity level target of the relevant safety
functions. Any design using supplied subsystems and components that are all
quoted as suitable for the required safety integrity level target of the relevant
safety functions, together with the information associated with the supplied
subsystems and components, will have to be assessed to determine whether or
not the subsystems and components are in fact suitable. Suppliers of products
intended for use in E/E/PE safety-related systems should provide sufficient
information to facilitate a demonstration that the E/E/PE safety-related system
complies with IEC 61508.
D7) I supply subsystems, such as sensors or actuators, that are
intended for use in an E/E/PE safety-related system. What does IEC
61508 mean for me?
When a subsystem is integrated into an E/E/PE safety-related system in
accordance with IEC 61508, it is necessary to take into account the contribution
that the subsystem will make to the performance of the complete system in
relation to the safety integrity level of the safety function under consideration.
To do this, the system designer/integrator requires sufficient information on the
supplied subsystem in order that the system designer/integrator can validate
that the E/E/PE safety-related system, in respect of the specified safety
functions, meets the E/E/PES safety requirements specification. As a supplier of
subsystems intended for use in E/E/PE safety-related systems you should be
prepared to supply the required information, as detailed in 7.4.7.3 of IEC
61508-2. To summarise, the following information is required for each
subsystem:

- specifications covering functional, interface and environmental aspects;
- estimated failure rate (due to random hardware failures) for each failure
  mode;
- diagnostic coverage and diagnostic test interval;
- information needed to enable the hardware fault tolerance to be
  determined;
- information needed to identify the hardware and software configuration;
- information needed to enable the derivation of the safe failure fraction;
- documentary evidence of validation.
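The check that D6 and D7 describe in words, as an added example (not code from the original page or from IEC): take the supplier's per-failure-mode rate table, derive diagnostic coverage (DC) and the safe failure fraction (SFF) with the definitions of IEC 61508-2 Annex C, then look up the highest SIL the subsystem's architecture supports using the architectural constraint tables (Tables 2 and 3 of IEC 61508-2, for type A and type B subsystems). The transmitter, its failure modes and their rates are constructed for illustration, and the function names (check_supplier_claim and the others) are this example's own.

```python
from dataclasses import dataclass

FIT = 1e-9  # one FIT is one failure per 1e9 device-hours


@dataclass(frozen=True)
class FailureMode:
    """One row of the supplier's per-failure-mode rate table (7.4.7.3 of IEC 61508-2)."""
    name: str
    rate_per_hour: float
    dangerous: bool  # can this mode cause loss of the safety function?
    detected: bool   # is it revealed by diagnostics within the diagnostic test interval?


def split_rates(modes):
    """Sum the rates into the safe (lambda_S), dangerous detected (lambda_DD) and
    dangerous undetected (lambda_DU) totals used by IEC 61508-2 Annex C."""
    lam_s = sum(m.rate_per_hour for m in modes if not m.dangerous)
    lam_dd = sum(m.rate_per_hour for m in modes if m.dangerous and m.detected)
    lam_du = sum(m.rate_per_hour for m in modes if m.dangerous and not m.detected)
    return lam_s, lam_dd, lam_du


def diagnostic_coverage(modes):
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous failures the diagnostics catch."""
    _, lam_dd, lam_du = split_rates(modes)
    return lam_dd / (lam_dd + lam_du)


def safe_failure_fraction(modes):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    lam_s, lam_dd, lam_du = split_rates(modes)
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


# Maximum SIL claimable for a subsystem from its SFF band and its hardware fault
# tolerance (HFT 0, 1, 2), per Tables 2 (type A) and 3 (type B) of IEC 61508-2.
# None means the combination is not allowed at all.
SFF_BANDS = ((0.00, 0.60), (0.60, 0.90), (0.90, 0.99), (0.99, 1.01))
MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}


def max_sil_by_architecture(sff, hft, subsystem_type):
    band = next(i for i, (lo, hi) in enumerate(SFF_BANDS) if lo <= sff < hi)
    return MAX_SIL[subsystem_type][band][min(hft, 2)]


def check_supplier_claim(modes, hft, subsystem_type, claimed_sil):
    """Return (ok, max_sil): does the architecture actually support the SIL the supplier quotes?"""
    max_sil = max_sil_by_architecture(safe_failure_fraction(modes), hft, subsystem_type)
    return (max_sil is not None and max_sil >= claimed_sil), max_sil


# Constructed sample data for a hypothetical type B (microprocessor-based) transmitter.
# The modes and rates are illustrative only, not taken from any real product.
TRANSMITTER_MODES = (
    FailureMode("output driven to trip state", 300 * FIT, dangerous=False, detected=True),
    FailureMode("output out of range, caught by range check", 250 * FIT, dangerous=True, detected=True),
    FailureMode("in-range drift, not diagnosed", 50 * FIT, dangerous=True, detected=False),
)

if __name__ == "__main__":
    print(f"DC  = {diagnostic_coverage(TRANSMITTER_MODES):.3f}")
    print(f"SFF = {safe_failure_fraction(TRANSMITTER_MODES):.3f}")
    for hft in (0, 1):
        ok, max_sil = check_supplier_claim(TRANSMITTER_MODES, hft, "B", claimed_sil=3)
        print(f"HFT {hft}: max SIL {max_sil}, SIL 3 claim {'supported' if ok else 'NOT supported'}")
```

With the sample rates the SFF comes out at about 0.92, so a single transmitter (HFT 0) of type B is limited to SIL 2 by the architectural constraints; the supplier's "SIL 3" wording only holds when two such transmitters are arranged to give HFT 1. That is exactly why a SIL quoted for a component is not, by itself, evidence that the safety function meets its target.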

D8) Do I have to use third party certified components in order to
comply with IEC 61508?
No. The standard requires a functional safety assessment to be carried out on
all parts of the E/E/PE safety-related system and for all phases of the lifecycle
(see clause 8 of IEC 61508-1).
The level of independence required of the assessor ranges from an
independent person in the same organization for safety integrity level 1 to an
independent organization for safety integrity level 4. The required level of
independence for safety integrity levels 2 and 3 is affected by additional
factors including system complexity, novelty of design and previous experience
of the developers. There is also a specific requirement that the assessor shall
be competent for the activities to be undertaken.
D9) Is there any correlation between the level of independence
required for functional safety assessment and the need for third party
certification?
The level of independence required should be distinguished from the concept of
third-party certification which is not a requirement in IEC 61508. For some
companies even the requirement for independent persons and departments
may have to be met by using an external organization but this does not mean
that the external organisation has necessarily to be a certification body. The
external body, in such a situation, should have the competence and the
appropriate level of independence to undertake the task. The external body
may or may not be a certification body.
Conversely, companies that have internal organizations skilled in risk
assessment and the application of safety-related systems, which are
independent of and separate (by way of management and other resources)
from those responsible for the main development, may be able to use their own
resources to meet the requirements for an independent organization (note 2 of
8.2.12 of IEC 61508-1).
See 3.8.10, 3.8.11 and 3.8.12 of IEC 61508-4 for definitions of independent
person, independent department and independent organization respectively.
D10) In what ways do I need to consider the impact of human
activities on the operation of an E/E/PE safety-related system?
IEC 61508 requires human factor issues to be considered in the determination
of hazards and hazardous events (7.4.2.3 of IEC 61508-1) and in the design of
the E/E/PE safety-related system (7.4.5.3 of IEC 61508-2). For E/E/PE
safety-related protection systems, there are three principal areas that need
to be considered:
- human actions or errors that can place a demand on the E/E/PE
  safety-related protection system; these need to be identified and
  quantified;
- human failure to respond effectively to alarms or take other actions that
  would otherwise reduce the demand on the E/E/PE safety-related protection
  system;
- human failure in testing and maintenance of the E/E/PE safety-related
  protection system, reducing its effectiveness and increasing the
  probability of failure on demand.

D11) Can an E/E/PE safety-related system contain hardware and/or
software that was not produced according to IEC 61508, and still
comply with the standard (proven in use)?
It may be possible to use a proven in use argument as an alternative to
meeting the design requirements for dealing with systematic failure causes in
IEC 61508, including hardware and software. But it is essential to note that
proven in use cannot be used as an alternative to meeting the requirements
for:
- architectural constraints on hardware safety integrity (see 7.4.2.1 of IEC
  61508-2);
- the quantification of dangerous failures of the safety function due to
  random hardware faults (see 7.4.3.2 of IEC 61508-2); and
- system behaviour on detection of faults (see 7.4.6 of IEC 61508-2).
See 7.4.2.2 of IEC 61508-2 for a summary of design requirements, including
references to more detailed systematic hardware requirements in the standard.
A proven in use claim relies on the availability of historical data for both
random hardware and systematic failures, and on analytical techniques and
testing if the previous conditions of use of the subsystem differ in any way from
those which will be experienced in the E/E/PE safety-related system. 7.4.7.6 of
IEC 61508-2 requires that:

- the previous conditions of use of the subsystem are the same as, or
  sufficiently close to, those which will be experienced in the E/E/PE
  safety-related system (see 7.4.7.7 of IEC 61508-2);
- if the above conditions of use differ in any way, a demonstration is
  necessary (using a combination of appropriate analytical techniques and
  testing) that the likelihood of unrevealed systematic faults is low enough
  to achieve the required safety integrity level of the safety functions which
  use the subsystem (see 7.4.7.8 of IEC 61508-2);
- the claimed failure rates have sufficient statistical basis (see 7.4.7.9 of
  IEC 61508-2);
- failure data collection is adequate (see 7.4.7.10 of IEC 61508-2);
- evidence is assessed taking into account the complexity of the subsystem,
  the contribution made by the subsystem to the risk reduction, the
  consequences associated with a failure of the subsystem, and the novelty of
  design (see 7.4.7.11 of IEC 61508-2); and
- the application of the proven in use subsystem is restricted to those
  functions and interfaces of the subsystem that meet the relevant
  requirements (see 7.4.7.12 of IEC 61508-2).

7.4.2.11 of IEC 61508-3 allows the use of standard or previously developed
software without the availability of historical data but with the emphasis on
analysis and testing. This concept should be distinguished from the proven in
use concept described above.
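A practitioner assessing the "sufficient statistical basis" point above will want to know what failure rate the field history actually supports, and how many operating hours a proven in use claim needs. The following is an added example, not code or figures from the original page or from IEC: it computes the standard one-sided upper confidence bound on a failure rate from an observed failure count and operating hours (the Poisson bound, equivalent to the chi-square form), solved by bisection so it needs no external library. The fleet figures are constructed, the confidence level is an example value rather than one taken from this page, and the function names are this example's own.

```python
import math


def poisson_cdf(r, mu):
    """P(X <= r) for X ~ Poisson(mu), summed term by term (no scipy needed)."""
    term = math.exp(-mu)
    total = term
    for k in range(1, r + 1):
        term *= mu / k
        total += term
    return total


def upper_bound_failure_rate(failures, hours, confidence):
    """One-sided upper confidence bound on a failure rate (per hour) given
    `failures` observed over `hours` of operation.

    The bound is the largest mean count mu at which seeing no more than
    `failures` events still has probability (1 - confidence); the rate is
    mu / hours. Found by bisection on the (decreasing in mu) Poisson CDF."""
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi) > target:  # widen until the CDF falls below target
        hi *= 2.0
    for _ in range(200):  # bisect to machine precision
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi / hours


def hours_required(target_rate, confidence, failures=0):
    """Operating hours needed, with `failures` observed, before the bound is no
    worse than `target_rate` at the given confidence (the bound scales as 1/hours)."""
    return upper_bound_failure_rate(failures, 1.0, confidence) / target_rate


# Constructed fleet data: 500 units, 20 000 h each, no dangerous failures reported.
FLEET_HOURS = 500 * 20_000
FLEET_FAILURES = 0
CONFIDENCE = 0.70  # example value only; use the level your edition of the standard requires

if __name__ == "__main__":
    bound = upper_bound_failure_rate(FLEET_FAILURES, FLEET_HOURS, CONFIDENCE)
    print(f"upper bound on dangerous failure rate: {bound:.2e} /h")
    print(f"hours needed to support 1e-7 /h with 0 failures: {hours_required(1e-7, CONFIDENCE):.3e}")
```

With zero failures the bound reduces to -ln(1 - confidence) / hours, so the constructed 10^7 fleet-hours support a dangerous failure rate of roughly 1.2 x 10^-7 per hour at 70 % confidence and nothing better; a claim of, say, 10^-8 per hour would need ten times the operating history, which is the kind of gap 7.4.7.9 and 7.4.7.10 are meant to expose. The bound also assumes the recorded hours were accumulated under conditions equivalent to the intended use, which is the separate point made by 7.4.7.7 and 7.4.7.8.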
D12) Do control systems that place demands on a safety-related
system have to be themselves designated as safety-related systems?
7.5.2.4 of IEC 61508-1 gives the requirements that apply for the control system
not to be designated as a safety-related system. In summary, these are:
- allowing for a dangerous failure rate of the control system higher than the
  maximum defined by the standard for a safety-related system (i.e. higher
  than 10^-5 dangerous failures per hour);
- providing an adequate demonstration that the dangerous failure rate allowed
  for is achieved (7.5.2.4 of IEC 61508-1 contains further details);
- determining all reasonably foreseeable dangerous failure modes of the
  control system;
- ensuring that the control system is separate and independent from all
  safety-related systems.
It should be noted that the dangerous failure rate referred to in the above
requirements relates to a specified dangerous failure mode of a function being
performed by the control system which could, in the context of the question,
place a demand on a safety-related system.
D13) How do electromagnetic immunity limits depend on the safety
integrity level? (Under review)
7.2.3.2 (e) of IEC 61508-2 (see also associated notes) states: "The E/E/PES
safety integrity requirements specification shall contain the electromagnetic
immunity limits (see IEC 61000-1-1) that are required to achieve
electromagnetic compatibility; the electromagnetic immunity limits should be
derived taking into account both the electromagnetic environment (see IEC
61000-2-5) and the required safety integrity levels."
IEC 61508 does not give a method for determining electromagnetic immunity
requirements according to the safety integrity level. These should be decided
taking into account the electromagnetic environment that the safety-related
system will be exposed to during use. In principle, the immunity limits should
be set at a level which will not be exceeded in the operating environment. In
practice, it is difficult to guarantee that disturbance levels will always be below
a set limit. The higher the immunity limit, the lower the probability that a
disturbance will exceed the limit during use; therefore it may be necessary to
set increased immunity limits as safety integrity levels increase, especially
where there is uncertainty about the disturbance levels that are likely to be
present in the operating environment.
