Understanding IEC 61508

Muhammad Agha Hutama Syukron(1), John Muzibur Simamora(2)

email: aghahutama@gmail.com, john.simamora@pertamina.com
54/BPS/1/MPP/2018 – November 2018

Abstract
Systems comprised of electrical and/or electronic components have been used for many years to perform safety
functions in most application sectors. Computer-based systems (generically referred to as programmable electronic
systems (PESs)) are being used in all application sectors to perform non-safety functions and, increasingly, to perform
safety functions. If computer system technology is to be effectively and safely exploited, it is essential that those
responsible for making decisions have sufficient guidance on the safety aspects on which to make those decisions.
IEC 61508 is a basic functional safety standard applicable to all kinds of industry. It defines functional safety as:
“part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends
on the correct functioning of the Electrical/Electronic/Programmable Electronic safety-related system, other technology
safety-related systems and external risk reduction facilities.” The fundamental concept is that any safety-related system
must work correctly or fail in a predictable (safe) way.

Keywords : Hook Up, Drawing, Process, Pneumatic.

Introduction
IEC 61508 is an international standard published by
the International Electrotechnical Commission
consisting of methods on how to apply, design, deploy
and maintain automatic protection systems called safety-
related systems.
Theory
The standard has two fundamental principles: 1. An
engineering process called the safety life cycle is defined
based on best practices in order to discover and
eliminate design errors and omissions. 2. A probabilistic
failure approach to account for the safety impact of
device failures.
The safety life cycle has 16 phases which roughly
can be divided into three groups as follows:
1. Phases 1–5 address analysis
2. Phases 6–13 address realisation
3. Phases 14–16 address operation.
All phases are concerned with the safety function of
the system. The standard has seven parts:
• Parts 1–3 contain the requirements of the
standard (normative)
• Part 4 contains definitions
• Parts 5–7 are guidelines and examples for
development and thus informative.
Central to the standard are the concepts of
probabilistic risk for each safety function. The risk is
a function of frequency (or likelihood) of the
hazardous event and the event consequence severity.
The risk is reduced to a tolerable level by applying
safety functions which may consist of E/E/PES,
associated mechanical devices, or other
technologies. Many requirements apply to all
technologies but there is strong emphasis on
programmable electronics especially in Part 3.
IEC 61508 has the following views on risks:
• Zero risk can never be reached, only
probabilities can be reduced
• Non-tolerable risks must be reduced
(ALARP)
• Optimal, cost effective safety is achieved
when addressed in the entire safety lifecycle
Specific techniques ensure that mistakes and errors
are avoided across the entire life-cycle. Errors
introduced anywhere from the initial concept, risk
analysis, specification, design, installation,
maintenance and through to disposal could
undermine even the most reliable protection. IEC
61508 specifies techniques that should be used for
each phase of the life-cycle.

1

Hazard and Risk Analysis
The standard requires that hazard and risk
assessment be carried out for bespoke systems: 'The
EUC (equipment under control) risk shall be
evaluated, or estimated, for each determined
hazardous event'.
The standard advises that 'Either qualitative or
quantitative hazard and risk analysis techniques may
be used' and offers guidance on a number of
approaches. One of these, for the qualitative analysis
of hazards, is a framework based on 6 categories of
likelihood of occurrence and 4 of consequence.
These are typically combined into a risk class
matrix
Where:
• Class I: Unacceptable in any circumstance;
• Class II: Undesirable: tolerable only if risk
reduction is impracticable or if the costs are
grossly disproportionate to the improvement
gained;
• Class III: Tolerable if the cost of risk
reduction would exceed the improvement;
• Class IV: Acceptable as it stands, though it
may need to be monitored.
Safety integrity level
The safety integrity level (SIL) provides a target
to attain for each safety function. A risk assessment
effort yields a target SIL for each safety function.
For any given design the achieved SIL level is
evaluated by three measures:
1. Systematic Capability (SC) which is a measure
of design quality. Each device in the design has an
SC rating. The SIL of the safety function is limited
to smallest SC rating of the devices used.
Requirement for SC are presented in a series of
tables in Part 2 and quality control, management
processes, validation and verification techniques,
failure analysis etc. so that one can reasonably justify
that the final system attains the required SIL.
2. Architecture Constraints which are minimum
levels of safety redundancy presented via two
alternative methods - Route 1h and Route 2h.
3. Probability of Dangerous Failure Analysis.
Probabilistic analysis
The probability metric used in step 3 above depends
on whether the functional component will be
exposed to high or low demand:
• For systems that operate continuously
(continuous mode) or systems that operate
frequently (high demand mode), SIL
specifies an allowable frequency of
dangerous failure.
• For systems that operate intermittently (low
demand mode), SIL specifies an allowable
probability that the system will fail to
respond on demand.
IEC 61508 Certification
Certification is third party attestation that a
product, process, or system meets all requirements
of the certification program. Those requirements are
listed in a document called the certification scheme.
IEC 61508 certification programs are operated by
impartial third party organizations called
Certification Bodies (CB). These CBs are accredited
to operate following other international standards
including ISO/IEC 17065 and ISO/IEC 17025.
Certification Bodies are accredited to perform the
auditing, assessment, and testing work by an
Accreditation Body (AB).
Industry/application specific variants
Automotive software
ISO 26262 is an adaptation of IEC 61508 for
Automotive Electric/Electronic Systems. It is being
widely adopted by the major car manufacturers.
Rail software
IEC 62279 provides a specific interpretation of
IEC 61508 for railway applications. It is intended to
cover the development of software for railway
control and protection including communications,
signaling and processing systems.
2
Process industries
The process industry sector includes many types of
manufacturing processes, such as refineries,
petrochemical, chemical, pharmaceutical, pulp and
paper, and power. IEC 61511 is a technical standard
which sets out practices in the engineering of
systems that ensure the safety of an industrial
process through the use of instrumentation.

Nuclear power plants

IEC 61513 provides requirements and
recommendations for the instrumentation and
control for systems important to safety of nuclear
power plants. It indicates the general requirements
for systems that contain conventional hardwired
equipment, computer-based equipment or a
combination of both types of equipment.

Machinery
IEC 62061 is the machinery-specific implementation
of IEC 61508. It provides requirements that are
applicable to the system level design of all types of
machinery safety-related electrical control systems
and also for the design of non-complex subsystems
or devices.

Testing software
Software written in accordance with IEC 61508 may
need to be unit tested, depending up on the SIL
level it needs to achieve. The main requirement in
Unit Testing is to ensure that the software is fully
tested at the function level and that all possible
branches and paths are taken through the software.

References
· Control Systems Safety Evaluation and Reliability. ISA.
2010. ISBN 978-1-934394-80-9.
· Development Guidelines for Vehicle Based Software.
MISRA. 1994. ISBN 0952415607.

3
 4