Millions of devices that contain electronics, and use or produce electricity, rely on
IEC International Standards and Conformity Assessment Systems to perform, fit
and work safely together.
Founded in 1906, the IEC (International Electrotechnical Commission) is the world's
leading organization for the preparation and publication of International Standards
for all electrical, electronic and related technologies. These are known collectively
as electrotechnology.
Over 10 000 experts from industry, commerce, government, test and research labs,
academia and consumer groups participate in IEC Standardization work.
2. IEC ORGANIZATION
National Committees
IEC members are National Committees (NCs) and there can only be one per
country. Individuals participate in the IEC's work through the National Committees,
see the section on experts and delegates for more information.
There is no single model for the structure of an NC. However, in order that it can
consider all the different aspects of a particular technical area, it must be fully
representative of all of the country's interests in the field of electrotechnical
standardization and conformity assessment. An NC's decision-making processes
should enable all stakeholders to have a real influence on its technical and
management activities.
On becoming a member of the IEC, each NC agrees to open access and balanced
representation from all private and public electrotechnical interests in its country.
TC65 AND
Generally, the significant hazards for equipment and any associated control system
have to be identified by the specifier or developer via a hazard analysis. The analysis
identifies whether functional safety is necessary to ensure adequate protection against
each significant hazard. If so, then it has to be taken into account in an appropriate
manner in the design. Functional safety is just one method of dealing with hazards,
and other means for their elimination or reduction, such as inherent safety through
design, are of primary importance.
IEC 61508 defines appropriate means for achieving functional safety in the systems it
covers.
5.2. What systems does IEC 61508 cover?
IEC 61508 applies to safety-related systems when one or more of such systems
incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices.
It covers possible hazards caused by failure of the safety functions to be performed by the
E/E/PE safety-related systems, as distinct from hazards arising from the E/E/PE
equipment itself (for example, electric shock). It is generically based and applicable to
all E/E/PE safety-related systems irrespective of the application.
It is recognized that the consequences of failure could also have serious economic
implications, and in such cases the standard could be used to specify any E/E/PE
safety-related system used for the protection of equipment or product.
5.3.
The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:
5.4. How does IEC 61508 apply where E/E/PE technology makes up only a small part of the safety-related system?
IEC 61508 is applicable to any safety-related system that contains an E/E/PE device.
This applicability is appropriate because many requirements, particularly in IEC 61508-1,
are not technology specific. Indeed, early development phases (such as initial concept,
overall scope definition, hazard and risk analysis and specifying the overall safety
requirements) may take place before the implementation technology has been decided.
Even during later phases such as realisation, specific functional safety requirements apply
directly to non-E/E/PE devices, such as mechanical components, as well as E/E/PE
devices. For example, the requirements for hardware reliability and fault tolerance in IEC
61508-2 directly relate to the properties of all components in the E/E/PE safety-related
system, whether or not they include E/E/PE technology.
For low complexity E/E/PE safety-related systems, it is possible to comply with IEC 61508
while not meeting every requirement of the standard.
5.5. How does IEC 61508 apply to systems whose function is to avoid damage
to the environment or severe financial loss?
IEC 61508 is concerned with achieving functional safety, where safety is defined as
freedom from unacceptable risk of physical injury or damage to the health of people, either
directly or indirectly as a result of damage to property or to the environment (see 3.1 of
IEC 61508-4). So damage to long term health, including damage to property or the
environment that leads to damage to long term health, is explicitly within the scope of the
standard and is encompassed by the term safety.
It is recognised that the consequences of failure could also have serious economic
implications and in such cases the standard could be used to specify any E/E/PE system
used for the protection of equipment or product (1.2 e of IEC 61508-1).
The particular safety functions that are necessary, and the associated levels of
performance required of them, are determined by hazard and risk analysis (see for
example IEC 61508-5). An equivalent analysis of risk in terms of environmental or financial
hazards can be performed by replacing safety parameters with environmental or financial
parameters. Most of the subsequent requirements of the standard are as applicable for
"environmental functions" or "financial functions" as they are for safety functions. This
includes the required levels of performance, which are expressed in terms of the average
probability of failure to perform its design function on demand or the probability of a
dangerous failure per hour (see Tables 2 & 3 of IEC 61508-1).
5.8. Now I've obtained a copy of the standard, how do I go about reading it?
Annex A of IEC 61508-5 provides introductory material on risk and safety integrity. In IEC
61508-1, the overall safety lifecycle requirements contained in clause 7 are summarized in
a lifecycle diagram in figure 2, with an overview of each phase in table 1. In addition,
5.9. Is application of IEC 61508 compulsory under any EC Directive?
No. EN 61508 does not have the status of a harmonized European standard,
and is not referred to by any EC Directive.
Although EN 61508 is a European Standard, it does not have the status of a
harmonised European standard in relation to any EC product directive and it is
not therefore listed in the EC Official Journal. However, this does not prevent
compliance with relevant parts of EN 61508 being used to support a
declaration of conformity with an EC product directive, if that is appropriate.
But because EN 61508 is not a harmonised European standard, compliance
with it does not provide a presumption of conformity with any directive. It
would therefore be necessary to explain in the product's technical file how
compliance with EN 61508 is being used to support compliance with specific
essential requirements of the particular directive.
There are also no plans to harmonize IEC 61511 or IEC 61513 under any EC
Directive. However:
and part 4 (excluding the annex). There are no normative requirements in parts
5, 6 and 7 of the standard.
Informative elements of the standard provide additional information intended
to assist its understanding or use, but with which it is not necessary to conform
in order to be able to claim compliance. The text in an informative element
cannot contain "shall". Notes and footnotes are always informative.
In IEC 61508, the following are informative: the annexes of part 1; annex C of
part 3; the annex of part 4; and all annexes of parts 5, 6 and 7.
For the overall framework of the IEC 61508 series see IEC 61508-1, Figure 1
(page 10 of the preview).
D2) How does IEC 61508 apply to low complexity E/E/PE safety-related systems?
If the standard is used for low complexity E/E/PE safety-related systems, where
dependable field experience exists which provides the necessary confidence
that the required safety integrity can be achieved, certain of the requirements
specified in the standard may be unnecessary and exemption from compliance
with such requirements is acceptable provided this is justified (4.2 of IEC
61508-1).
The standard does not state which requirements this applies to, which is for the
user of the standard to decide and justify. Note, however, that the conditions in
which this relaxation applies are very restrictive.
Note that annex C of IEC 61508-2 is also normative and contains requirements
that are necessary for compliance.
Annexes A and B of IEC 61508-3 contain the requirement that appropriate
techniques and measures shall be selected according to the safety integrity
level. Anyone claiming compliance with the standard is required to consider
which techniques or measures are most appropriate for the specific problems
encountered during the development of each E/E/PE safety-related system.
These may include techniques and measures recommended by the standard
and may include others; the tables give only recommendations as to which
techniques and measures may be appropriate.
A particular concern is raised by systematic factors in the failure of a safety
function. Systematic failure factors can arise in both hardware and software.
The effectiveness of the measures and precautions used to meet the target
failure measures for systematic safety integrity generally needs to be assessed
qualitatively.
Specifically for software, the IEC 61508-3 tables of recommended techniques
are not checklists by which systematic safety integrity in software can be
guaranteed. Many factors affect software safety integrity, and it is not possible
to give an algorithm for combining the techniques and measures that will
guarantee success in any given application. Software techniques will need to
be chosen judiciously with attention to several key factors including:
- the developers' personal competence and experience in techniques;
- the developers' familiarity with the application and likely difficulties;
- the size or complexity of the application;
- industry sector recommendations and recognized good practice; and
- international published standards.
These annexes contain a recommendation that the rationale for not following
the guidance for highly recommended or not recommended techniques or
measures should be detailed during the safety planning and agreed with the
assessor.
In both IEC 61508-2 and IEC 61508-3, the choice of techniques for each
lifecycle phase needs to be documented (see clause 5 of IEC 61508-1). Other
subclauses require some of this documentation to include a justification of the
choice of techniques and measures, even if all recommendations are followed.
See for example 7.3.2.2 e) and 7.4.2.9 of IEC 61508-2, and 7.4.3.2 a) of IEC
61508-3.
D5) I have contractual responsibility for some (but not all) of the development phases for an E/E/PE safety-related system. What information do I need in documentation from other parties to enable me to comply with IEC 61508?
For an E/E/PE safety-related system to comply with IEC 61508, one or
more organizations or individuals have to be responsible for each
phase of the overall, E/E/PES and software safety lifecycles. Part of
the responsibility for each phase is to document information
Phase: E/E/PE safety-related systems: realisation (7.10.1 and IEC 61508 and IEC 61508-3)
Objectives: To create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements)
Scope: E/E/PE safety-related systems
Inputs: Specification for the E/E/PES safety requirements
Outputs: Confirmation that each E/E/PE safety-related system meets the E/E/PES safety requirements specification
We can see that a system supplier with responsibility for the realisation phase
needs documentation containing the specification for the E/E/PES safety
requirements. This will set out all the safety function requirements that have
been allocated to the E/E/PE safety-related system(s) and the safety integrity
requirements for each of these functions.
D6) Suppliers are quoting that their products conform to IEC 61508 for a specific safety integrity level. Does this mean that using these products is sufficient for me to comply with IEC 61508?
No. A safety integrity level is not directly applicable to individual
subsystems, elements or components. It applies to a safety function
carried out by the E/E/PE safety-related system.
IEC 61508 covers all components of the E/E/PE safety-related system, including
field equipment and specific project application logic. All these subsystems and
components, when combined to implement the safety function (or functions),
are required to meet the safety integrity level target of the relevant safety
functions. Any design using supplied subsystems and components that are all
quoted as suitable for the required safety integrity level target of the relevant
safety functions, together with the information associated with the supplied
subsystems and components, will have to be assessed to determine whether or
not the subsystems and components are in fact suitable. Suppliers of products
intended for use in E/E/PE safety-related systems should provide sufficient
information to facilitate a demonstration that the E/E/PE safety-related system
complies with IEC 61508.
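As an added illustration of the target failure measures referred to in 5.5 (the PFDavg and PFH bands of Tables 2 and 3 of IEC 61508-1) and of the point made in D6 that a safety integrity level belongs to the safety function rather than to its components, the following Python is not from the FAQ or from the IEC. The band limits are those of IEC 61508-1 Tables 2 and 3; the series-sum model of the loop, the subsystem names and their PFDavg figures are simplifying assumptions constructed for this example.

```python
"""SIL band lookup and a series-combination check for an E/E/PE safety function.

Band limits are the target failure measures of IEC 61508-1, Tables 2 and 3
(low demand PFDavg and high demand/continuous PFH). The series-summation model
below is a simplifying assumption for illustration, not a method the FAQ states.
"""
from dataclasses import dataclass
from typing import Optional

# IEC 61508-1 Table 2: average probability of dangerous failure on demand (PFDavg).
# Each entry is (SIL, lower bound inclusive, upper bound exclusive).
PFD_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# IEC 61508-1 Table 3: average frequency of dangerous failure per hour (PFH).
PFH_BANDS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def _sil_for(value: float, bands) -> Optional[int]:
    """Return the SIL whose band contains value, or None if outside all bands.

    Values below the SIL 4 band are better than the standard quantifies; values
    at or above the SIL 1 upper limit achieve no SIL at all.
    """
    for sil, low, high in bands:
        if low <= value < high:
            return sil
    return None


def sil_for_pfd(pfd_avg: float) -> Optional[int]:
    """SIL for a low demand mode safety function with the given PFDavg."""
    return _sil_for(pfd_avg, PFD_BANDS)


def sil_for_pfh(pfh: float) -> Optional[int]:
    """SIL for a high demand or continuous mode safety function with the given PFH."""
    return _sil_for(pfh, PFH_BANDS)


@dataclass(frozen=True)
class Subsystem:
    """A supplied subsystem with the vendor's quoted PFDavg (constructed values)."""
    name: str
    pfd_avg: float

    @property
    def claimed_sil(self) -> Optional[int]:
        """The SIL band the quoted PFDavg falls in, taken on its own."""
        return sil_for_pfd(self.pfd_avg)


def function_pfd(subsystems) -> float:
    """PFDavg of a safety function built from subsystems in series.

    Simplifying assumption: every subsystem must work for the function to work
    and failures are independent, so the function's PFDavg is approximated by
    the sum of the subsystem PFDavg values (a first-order bound; the FAQ itself
    gives no formula).
    """
    return sum(s.pfd_avg for s in subsystems)


def function_meets_target(subsystems, target_sil: int) -> bool:
    """True only if the combined safety function, not just each part, achieves the target."""
    sil = sil_for_pfd(function_pfd(subsystems))
    return sil is not None and sil >= target_sil


# Constructed example: each element is quoted as "suitable for SIL 2" on its own.
SENSOR = Subsystem("pressure transmitter", 5e-3)
LOGIC_SOLVER = Subsystem("safety PLC", 4e-3)
FINAL_ELEMENT = Subsystem("shutdown valve", 6e-3)
LOOP = (SENSOR, LOGIC_SOLVER, FINAL_ELEMENT)

if __name__ == "__main__":
    for s in LOOP:
        print(f"{s.name}: PFDavg={s.pfd_avg:.0e} -> SIL {s.claimed_sil}")
    total = function_pfd(LOOP)
    print(f"safety function: PFDavg={total:.3g} -> SIL {sil_for_pfd(total)}")
    print("meets SIL 2 target:", function_meets_target(LOOP, 2))
```

Run as a script, the three constructed subsystems each land in the SIL 2 band, yet the loop they form has a PFDavg of 0.015, which is SIL 1: exactly the situation D6 warns about, where supplier SIL claims for parts have to be assessed against the safety function as a whole.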
D7) I supply subsystems, such as sensors or actuators, that are intended for use in an E/E/PE safety-related system. What does IEC 61508 mean for me?
When a subsystem is integrated into an E/E/PE safety-related system in
accordance with IEC 61508, it is necessary to take into account the contribution
that the subsystem will make to the performance of the complete system in
relation to the safety integrity level of the safety function under consideration.
To do this, the system designer/integrator requires sufficient information on the
supplied subsystem in order that the system designer/integrator can validate
that the E/E/PE safety-related system, in respect of the specified safety
functions, meets the E/E/PES safety requirements specification. As a supplier of
subsystems intended for use in E/E/PE safety-related systems you should be
prepared to supply the required information, as detailed in 7.4.7.3 of IEC
61508-2. To summarise, the following information is required for each
subsystem:
human actions or errors that can place a demand on the E/E/PE safety-
- the previous conditions of use of the subsystem are the same as, or
  sufficiently close to, those which will be experienced in the E/E/PE
  safety-related system (see 7.4.7.7 of IEC 61508-2);
- if the above conditions of use differ in any way, a demonstration is
  necessary (using a combination of appropriate analytical techniques and
  testing) that the likelihood of unrevealed systematic faults is low enough
  to achieve the required safety integrity level of the safety functions which
  use the subsystem (see 7.4.7.8 of IEC 61508-2);
- the claimed failure rates have sufficient statistical basis (see 7.4.7.9 of
  IEC 61508-2);
- failure data collection is adequate (see 7.4.7.10 of IEC 61508-2);
- evidence is assessed taking into account the complexity of the
  subsystem, the contribution made by the subsystem to the risk
  reduction, the consequences associated with a failure of the subsystem,
  and the novelty of design (see 7.4.7.11 of IEC 61508-2); and
- the application of the proven-in-use subsystem is restricted to those
  functions and interfaces of the subsystem that meet the relevant
  requirements (see 7.4.7.12 of IEC 61508-2).