IEC 61508 61511


  • 8/18/2019 IEC 61508 61511

    1/20

     1. INTRODUCTION - ABOUT IEC

    Millions of devices that contain electronics, and use or produce electricity, rely on IEC International Standards and Conformity Assessment Systems to perform, fit and work safely together.

    Founded in 1906, the IEC (International Electrotechnical Commission) is the world's leading organization for the preparation and publication of International Standards for all electrical, electronic and related technologies. These are known collectively as "electrotechnology".

    Over 10 000 experts from industry, commerce, government, test and research labs, academia and consumer groups participate in IEC Standardization work.

     2. IEC ORGANIZATION

    The IEC is a not-for-profit, non-governmental organization, founded in 1906, which develops International Standards and operates conformity assessment systems in the fields of electrotechnology.

    The IEC is one of three global sister organizations (IEC, ISO, ITU) that develop International Standards for the world.

    When appropriate, IEC cooperates with ISO (International Organization for Standardization) or ITU (International Telecommunication Union) to ensure that International Standards fit together seamlessly and complement each other. Joint committees ensure that International Standards combine all relevant knowledge of experts working in related areas.

    The IEC comprises one member National Committee per country; they each pay membership fees and in exchange can participate fully in IEC work.

    The IEC operates on an annual budget of approximately CHF 20 million.

    The Standardization Management Board is responsible for the overall management of the technical work.

    The standards work of the Commission is carried out through technical committees and subcommittees, composed of representatives of the Full Member National Committees, each dealing with a particular subject.

    Technical committees are created or disbanded by the Standardization Management Board (SMB). They may delegate part of their scopes to subcommittees, in accordance with the Directives.

    Each technical committee has a chairman and a secretariat, both appointed by the SMB amongst representatives of Full Member National Committees.



    National Committees

    IEC members are National Committees (NCs) and there can only be one per country. Individuals participate in the IEC's work through the National Committees; see the section on experts and delegates for more information.

    There is no single model for the structure of an NC. However, in order that it can consider all the different aspects of a particular technical area, it must be fully representative of all of the country's interests in the field of electrotechnical standardization and conformity assessment. An NC's decision-making processes should enable all stakeholders to have a real influence on its technical and management activities.

    On becoming a member of the IEC, each NC agrees to open access and balanced representation from all private and public electrotechnical interests in its country.

    Experts & delegates

    Experts

    Experts are individuals with specialist knowledge in a particular technical field. Each NC (National Committee) participating in a technical committee's work can appoint experts to take part in specific technical work through working groups, project teams or maintenance teams. Category A liaison organizations may also appoint experts to working groups and project teams.

    Experts participate in IEC technical work in a personal capacity and do not represent their company / organization or NC.

    Find further details in the Directives regarding the procedures for the appointment of experts.

    Delegates

    Delegates are representatives of their NC at a TC (Technical Committee) or SC (Subcommittee) meeting and should be fully briefed by their NC before attending a meeting.

    For TC/SC meetings, each NC participating in the committee assigns a Head of delegation, who is responsible for speaking and voting on behalf of the NC during the meeting, but may invite other delegates from their NC delegation to speak if required.

    Young Professionals' Programme

    Today there is clearly a need for the IEC to be ever more responsive to the fast-changing markets by producing International Standards that meet needs better and reach markets more quickly. The Young Professionals Programme helps the IEC embrace its global culture and develop its community further by encouraging an even greater range of people, of all ages and experiences, to participate in its work.

    The IEC Young Professionals Programme provides a gateway for young professionals all over the world to become more involved in IEC work. Participants are hand-picked by IEC National Committees to represent their country as future leaders on the IEC global platform. The programme explains IEC procedures and policies and demonstrates why participation at the global level is an essential strategic tool in today's world.

     3. TECHNICAL COMMITTEES & SUBCOMMITTEES


    Some 176 TCs (Technical Committees) and SCs (Subcommittees), and about 700 Project Teams (PT) / Maintenance Teams (MT), carry out the standards work of the IEC. These working groups are composed of people from all around the world who are experts in electrotechnology. The great majority of them come from industry, while others from commerce, government, test laboratories, research laboratories, academia and consumer groups also contribute to the work.

    TCs report to the SMB (Standardization Management Board). A TC can form SCs if it finds its scope too wide to enable all the items on its work programme to be dealt with. The SCs report on their work to the parent TC. The scope (or area of activity) of each TC and SC is defined by the TC/SC itself, and then submitted to the SMB or parent TC for approval.

    TC membership is composed of the IEC NCs (National Committees), all of which are free to take part in the work of any given TC, either as:

    - P-Members (Participating members), who have the obligation to vote at all stages and to contribute to meetings; or
    - O-Members (Observer members), who follow the work as an observer, receiving committee documents and having the right to submit comments and to attend meetings.

    IEC TCs and SCs prepare technical documents on specific subjects within their respective scopes, which are then submitted to the Full Member National Committees for vote with a view to their approval as International Standards. Distribution of documents for standards production is 100% electronic, thus improving efficiency and reducing costs.

    IEC Project Committees are established by the SMB to prepare individual standards not falling within the scope of an existing technical committee or subcommittee. Project Committees are disbanded once the standard has been published.

    Each National Committee of the IEC handles the participation of experts from its country. If you would like to participate in the work of an IEC TC or SC, please contact your NC. If your country is not a member of the IEC, please contact the IEC Central Office.

    In all, some 10 000 experts worldwide participate in the technical work of the IEC.


     4. IEC TECHNICAL COMMITTEE TC65

    TC65: INDUSTRIAL PROCESS MEASUREMENT, CONTROL AND AUTOMATION

    To prepare international standards for systems and elements used for industrial process measurement, control and automation. To coordinate standardization activities which affect integration of components and functions into such systems, including safety and security aspects. This work of standardization is to be carried out in the international fields for equipment and systems.

    TC65 - SUBCOMMITTEES

    SC65A: SYSTEM ASPECTS

    To prepare international standards regarding the generic aspects of systems used in industrial process measurement, control and manufacturing automation: operational conditions (including EMC), methodology for the assessment of systems, functional safety, etc. SC65A also has a safety pilot function to prepare standards dealing with functional safety of electrical/electronic/programmable electronic systems.

    SC65B: MEASUREMENT AND CONTROL DEVICES

    To prepare international standards in the field of specific aspects of devices (hardware and software) used in industrial process measurement and control, such as measurement devices, analysing equipment, actuators, and programmable logic controllers, and covering such aspects as interchangeability, performance evaluation, and functionality definition.

    SC65C: INDUSTRIAL NETWORKS

    To prepare international standards on wired, optical and wireless industrial networks for industrial-process measurement, control and manufacturing automation, as well as for instrumentation systems used for research, development and testing purposes. The scope includes cabling, interoperability, co-existence and performance evaluation.

    SC65E: DEVICES AND INTEGRATION IN ENTERPRISE SYSTEMS

    To prepare international standards specifying:

    (1) Device integration with industrial automation systems. The models developed in these standards address device properties, classification, selection, configuration, commissioning, monitoring and basic diagnostics.

    (2) Industrial automation systems integration with enterprise systems. This includes transactions between business and manufacturing activities, which may be jointly developed with ISO TC184.

    TC65 - Working Groups

    - WG 1 Terms and definitions
    - WG 10 Security for industrial process measurement and control - Network and system security
    - WG 12 P&ID diagrams, P&ID tools and PCE-CAE tools
    - WG 15 Documents for the Process Industry
    - WG 16 Digital Factory
    - WG 17 System interface between industrial facilities and the smart grid
    - WG 18 Cause and Effect Table
    - WG 19 Life-cycle management for systems and products used in industrial-process measurement, control and automation

    TC65 - Joint Working Groups

    - JWG 13 Safety requirements for industrial-process measurement, control and automation equipment, excluding functional safety
    - JWG 14 Energy Efficiency in Industrial Automation (EEIA)

    TC65 - Advisory Groups

    - AG 14 Chairmen's advisory groups

     4.1. ITALIAN MEMBER OF IEC TECHNICAL COMMITTEE TC65 AND SUBCOMMITTEES SC65A, SC65B, SC65C, SC65E

    IEC National Committee of Italy: COMITATO ELETTROTECNICO ITALIANO, Via Saccardo, IT-20134 MILANO, Italy

     4.2. TC65 PUBLICATIONS

    - IEC 60050-351 - IEV vocabulary
    - IEC 61010 - Safety requirements for equipment
    - IEC 62443 - Cyber security
    - IEC 62708 - Documentation requirements

     4.3. SC65A PUBLICATIONS

    - IEC 61326 - EMC
    - IEC 61508 Series - Functional Safety
    - IEC 61511 - Functional Safety, process industry sector
    - IEC 61512 - Batch Control

     4.4. SC65B PUBLICATIONS

    - IEC 61131 (PLC)
    - IEC 61499 - Function Block
    - IEC 60534 - Industrial-process control valves
    - IEC 61207 - Expression of performance of gas analyzers

     4.5. SC65C PUBLICATIONS

    - IEC 61158 Series - Fieldbus
    - IEC 61588 - Precision clock synchronization
    - IEC 61784 - Industrial communication networks - Profiles
    - IEC 61918 - Cabling
    - IEC 62439 - High availability automation networks
    - IEC 62591, IEC 62601, IEC 62734 - Wireless
    - IEC 62657 - Wireless coexistence

     4.6. SC65E PUBLICATIONS

    - IEC 61987 - Electronic catalogues
    - IEC 62264 - Enterprise-control system integration
    - IEC 61804 - Function blocks, Process Control and EDDL
    - IEC 61499 - Generic Function Blocks, Distributed Control
    - IEC 62337 - Commissioning
    - IEC 62381 - FAT, SAT, and SIT
    - IEC 62382 - Electrical and Instrumentation Loop Check
    - IEC 62541 - OPC UA
    - IEC 62543 - FDT
    - IEC 62714 - AutomationML

    See the TC65 strategic business plan for further details: http://www.iec.ch/cgi-bin/getfile.pl/sbp_65.pdf?dir=sbp&format=pdf&type=&file=65.pdf


     5. IEC 61508 SCOPE

     5.1. Is IEC 61508 relevant to me?

    Generally, the significant hazards for equipment and any associated control system have to be identified by the specifier or developer via a hazard analysis. The analysis identifies whether functional safety is necessary to ensure adequate protection against each significant hazard. If so, then it has to be taken into account in an appropriate manner in the design. Functional safety is just one method of dealing with hazards, and other means for their elimination or reduction, such as inherent safety through design, are of primary importance.

    IEC 61508 defines appropriate means for achieving functional safety in the systems it covers.

     5.2. What systems does IEC 61508 cover?

    IEC 61508 applies to safety-related systems when one or more of such systems incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices. It covers possible hazards caused by failure of the safety functions to be performed by the E/E/PE safety-related systems, as distinct from hazards arising from the E/E/PE equipment itself (for example electric shock etc). It is generically based and applicable to all E/E/PE safety-related systems irrespective of the application.

    It is recognized that the consequences of failure could also have serious economic implications, and in such cases the standard could be used to specify any E/E/PE safety-related system used for the protection of equipment or product.


     5.3. Give me some practical examples

    The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:

    - emergency shutdown systems
    - fire and gas systems
    - turbine control
    - gas burner management
    - crane automatic safe-load indicators
    - guard interlocking and emergency stopping systems for machinery
    - medical devices
    - dynamic positioning (control of a ship's movement when in proximity to an offshore installation)
    - railway signalling systems (including moving block train signalling)
    - variable speed motor drives used to restrict speed as a means of protection
    - remote monitoring, operation or programming of a network-enabled process plant
    - an information-based decision support tool where erroneous results affect safety

    Relevant means of implementing safety functions include electromechanical relays (i.e. electrical), non-programmable solid-state electronics (i.e. electronic) and programmable electronics. Programmable electronic safety-related systems typically incorporate programmable controllers, programmable logic controllers, microprocessors, application specific integrated circuits, or other programmable devices (for example


    For low complexity E/E/PE safety-related systems, it is possible to comply with IEC 61508 while not meeting every requirement of the standard.

     5.5. How does IEC 61508 apply to systems whose function is to avoid damage to the environment or severe financial loss?

    IEC 61508 is concerned with achieving functional safety, where safety is defined as freedom from unacceptable risk of physical injury or damage to the health of people, either directly or indirectly as a result of damage to property or to the environment (see 3.1 of IEC 61508-4). So damage to long term health, including damage to property or the environment that leads to damage to long term health, is explicitly within the scope of the standard and is encompassed by the term safety.

    It is recognised that the consequences of failure could also have serious economic implications, and in such cases the standard could be used to specify any E/E/PE system used for the protection of equipment or product (1.2 e) of IEC 61508).

    The particular safety functions that are necessary, and the associated levels of performance required of them, are determined by hazard and risk analysis (see for example IEC 61508-5). An equivalent analysis of risk in terms of environmental or financial hazards can be performed by replacing safety parameters with environmental or financial parameters. Most of the subsequent requirements of the standard are as applicable for


    requirements relating to verification, management of functional safety and functional safety assessment are contained in 7.18, clause 6 and clause 8 respectively.

    Annex A of IEC 61508-6 gives an eight-page overview of the requirements in IEC 61508-2 and IEC 61508-3.

    In IEC 61508-2, the E/E/PES safety lifecycle requirements contained in clause 7 are summarised in a lifecycle diagram in figure 2, with an overview of each phase in table 1. Likewise, in IEC 61508-3, the software safety lifecycle requirements contained in clause 7 are summarised in figure 3, with an overview in table 1.

    Any particular requirement of IEC 61508 should be considered in the context of its lifecycle phase (where applicable) and the stated objectives for the requirements of that phase, clause or subclause. The objectives are always stated immediately before the requirements.

     5.9. Is application of IEC 61508 compulsory under any EC Directive?

    No. EN 61508 does not have the status of a harmonized European standard, and is not referred to by any EC Directive.

    Although EN 61508 is a European Standard, it does not have the status of a harmonised European standard in relation to any EC product directive and it is not therefore listed in the EC Official Journal. However, this does not prevent compliance with relevant parts of EN 61508 being used to support a declaration of conformity with an EC product directive, if that is appropriate. But because EN 61508 is not a harmonised European standard, compliance with it does not provide a presumption of conformity with any directive. It would therefore be necessary to explain in the product's technical file how compliance with EN 61508 is being used to support compliance with specific essential requirements of the particular directive.

    There are also no plans to harmonize IEC 61511 or IEC 61513 under any EC Directive. However:

    - IEC 62061, which has been adopted in Europe as EN 62061, was a harmonized European standard under the 98/37/EC Machinery Directive (an EC product directive) and will become a harmonized European standard under the 2006/42/EC Machinery Directive. This is possible because the scope of IEC 62061 is restricted to product requirements rather than the whole safety lifecycle requirements of IEC 61508, which go beyond what is appropriate for a product directive. Although harmonization of EN 62061 means that compliance with it will grant a presumption of conformity with the relevant essential requirements of the Machinery Directive, it will not preclude the use of other ways of meeting those requirements (e.g. by the application of other standards).

    - IEC 61800-5-2 (EN 61800-5-2) is a harmonized European standard under the 2006/42/EC Machinery Directive.

    Note: For the latest position regarding European standards in relation to Directive 2006/42/EC on machinery, see the Publications in the Official Journal: http://ec.europa.eu/enterprise/policies/european-standards/documents/harmonised-standards-legislation/list-references/machinery/index_en.htm

     5.10. How can I request a technical interpretation for a particular subclause of the standard?

    It is the responsibility of your national committee to answer questions put to them about the standard. They will forward your question to the relevant international committee where appropriate. You are also welcome to submit a new question to be added to these FAQ pages using our feedback facility.

     6. IEC 61508 COMPLYING WITH THE STANDARD

    Q1. Which requirements do I need to satisfy in order to claim compliance with the standard?

    The term shall used in a requirement indicates that the requirement is strictly to be followed if conformance to the standard is to be claimed.

    Where should (or it is recommended that) is used, this indicates that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required.

    Normative elements set out the provisions to which it is necessary to conform in order to be able to claim compliance with the standard. The text in a normative element usually contains both shall and should. In IEC 61508, the following contain normative elements: part 1 (excluding annexes); part 2 (including annexes); part 3 (including annexes A and B, excluding annex C); and part 4 (excluding the annex). There are no normative requirements in parts 5, 6 and 7 of the standard.

    Informative elements of the standard provide additional information intended to assist its understanding or use, but with which it is not necessary to conform in order to be able to claim compliance. The text in an informative element cannot contain shall. Notes and footnotes are always informative. In IEC 61508, the following are informative: the annexes of part 1; annex C of part 3; the annex of part 4; and all annexes of parts 5, 6 and 7. For the overall framework of the IEC 61508 series see IEC 61508-1, Figure 1 (page 10 of the preview).

    Q2. How does IEC 61508 apply to low complexity E/E/PE safety-related systems?

    If the standard is used for low complexity E/E/PE safety-related systems, where dependable field experience exists which provides the necessary confidence that the required safety integrity can be achieved, certain of the requirements specified in the standard may be unnecessary, and exemption from compliance with such requirements is acceptable provided this is justified (4.2 of IEC 61508-1). The standard does not state which requirements this applies to, which is for the user of the standard to decide and justify. Note, however, that the conditions in which this relaxation applies are very restrictive.

    Q3. Give me some practical examples

    IEC 61508 separates the specification of the safety functions to be performed into two elements:

    - the safety function requirements (what the function does); and
    - the safety integrity requirements (the likelihood of a safety function being performed satisfactorily).

    IEC 61508 does not stipulate what safety function requirements nor what safety integrity requirements are necessary for any particular application.

    The safety integrity level (SIL 1, 2, 3 or 4) corresponds to a range of safety integrity values, measured for a specified safety function in terms of:

    - the average probability of a dangerous failure on demand (for low demand mode of operation); or
    - the average frequency of a dangerous failure per hour (for high demand or continuous mode of operation).

    Note: For mode of operation see IEC 61508-4, subclause 3.5.12.

    The safety integrity level, of a specified safety function, allocated to the E/E/PE safety-related system will affect the degree of rigour to which a requirement of the standard is to be satisfied. But other factors will also affect this (see 4.1 of IEC 61508-1). Some elements of the standard make the dependence on safety integrity level explicit by grading the requirements, for example: Table 5 of IEC 61508-1; 7.4.2 and annexes A and B of IEC 61508-2; and annexes A and B of IEC 61508-3.
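    As an added worked example (this is not code from the page or from the IEC), the following Python maps a safety function's target failure measure to the SIL bands of IEC 61508-1 Tables 2 and 3 and shows how the mode of operation decides which measure applies. All function and class names are my own. The low-demand test paraphrases the edition 1 wording of the IEC 61508-4 subclause on mode of operation cited in the note above (no more than one demand per year and no more than twice the proof-test frequency); the single-channel (1oo1) figures, PFDavg ≈ λ_DU·T1/2 and PFH ≈ λ_DU, are the simplified no-diagnostics approximations of IEC 61508-6 Annex B and are assumed here rather than taken from the page. The numeric inputs are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Target failure measure bands of IEC 61508-1 (Tables 2 and 3):
# SIL -> [lower bound inclusive, upper bound exclusive).
PFD_AVG_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

HOURS_PER_YEAR = 8760.0


def mode_of_operation(demands_per_year: float, proof_tests_per_year: float) -> str:
    """Low demand versus high demand / continuous, paraphrasing the edition 1
    wording of IEC 61508-4 3.5.12 (assumption, see lead-in): low demand means
    no more than one demand per year and no more than twice the proof-test
    frequency; anything else is treated as high demand, where the per-hour
    dangerous failure frequency (PFH) is the relevant measure."""
    if demands_per_year <= 1.0 and demands_per_year <= 2.0 * proof_tests_per_year:
        return "low"
    return "high"


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Average PFD of a single channel (1oo1), simplified form from IEC 61508-6
    Annex B: lambda_DU * T1 / 2.  Assumes no automatic diagnostics, a proof test
    that reveals every dangerous undetected failure, and lambda_DU * T1 << 1."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


@dataclass(frozen=True)
class SilResult:
    sil: Optional[int]   # None when the measure lies outside the SIL table
    measure_name: str    # "PFDavg" (low demand) or "PFH" (high demand / continuous)
    note: str


def sil_for(measure: float, mode: str) -> SilResult:
    """Locate a target failure measure in the band table for the given mode.
    Both edges are handled: a value better than the SIL 4 lower bound does not
    earn a higher level (the table stops at SIL 4), and a value worse than the
    SIL 1 upper bound earns no SIL at all."""
    bands, name = (PFD_AVG_BANDS, "PFDavg") if mode == "low" else (PFH_BANDS, "PFH")
    for sil in (4, 3, 2, 1):
        lo, hi = bands[sil]
        if lo <= measure < hi:
            return SilResult(sil, name, f"{name} = {measure:.2e} lies in the SIL {sil} band")
    if measure < bands[4][0]:
        return SilResult(None, name, f"{name} = {measure:.2e} is below the SIL 4 lower bound; no band defined")
    return SilResult(None, name, f"{name} = {measure:.2e} is worse than SIL 1; no SIL can be claimed")


def assess_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float,
                demands_per_year: float) -> Tuple[str, float, SilResult]:
    """Pick the mode from the demand rate, derive the 1oo1 measure that applies
    in that mode (PFDavg for low demand; PFH = lambda_DU for high demand, again
    the simplified 1oo1 value of IEC 61508-6 Annex B) and classify it."""
    proof_tests_per_year = HOURS_PER_YEAR / proof_test_interval_hours
    mode = mode_of_operation(demands_per_year, proof_tests_per_year)
    measure = (pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours)
               if mode == "low" else lambda_du_per_hour)
    return mode, measure, sil_for(measure, mode)


if __name__ == "__main__":
    # Constructed inputs: lambda_DU = 2e-6 /h, yearly proof test, and two demand rates.
    for demands in (0.1, 50.0):
        mode, measure, result = assess_1oo1(2e-6, HOURS_PER_YEAR, demands)
        print(f"{demands:>5} demands/yr -> {mode} demand: {result.note}")
```

    The same channel lands in different bands depending on the mode: at one demand per ten years the PFDavg of 8.76e-3 sits in the SIL 2 band, whereas at fifty demands a year the per-hour figure of 2e-6 only reaches the SIL 1 band, which is why the mode of operation has to be settled before any SIL claim is made.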

    Q4. Is it necessary to choose techniques and measures from those recommended in annexes A and B of IEC 61508-2 and IEC 61508-3 in order to comply with the standard?

    Although all four normative annexes contain recommendations for the use of particular techniques and measures, they differ in what is required for compliance.

    In subclause A.2 of IEC 61508-2, table A.1 provides the requirements for faults or failures that shall be detected by techniques and measures to control hardware failures. Tables A.2 to A.15, also in subclause A.2 of IEC 61508-2, support the requirements of table A.1 by recommending techniques and measures for diagnostic tests and recommending maximum levels of diagnostic coverage that can be achieved using them. Therefore, in order to comply with the standard, it is necessary to fulfil the requirements of table A.1, but tables A.2 to A.15 suggest just one set of possibilities on how the requirements of table A.1 can be met.

    In subclause A.3 of IEC 61508-2, tables A.16 to A.18 recommend particular techniques and measures; therefore it is not necessary to use any of these in order to claim compliance. However, if you do not use a technique or measure that is highly recommended for the safety integrity level, then the rationale behind not using it shall be detailed. Also, for every technique or measure listed in tables A.16 to A.18 that you do use, it shall be used to the extent necessary to give at least the level of effectiveness stated in the table. Table A.19 gives guidance on what is intended by the terms low and high effectiveness for just some of the techniques and measures.

    The techniques and measures in annex B of IEC 61508-2 are recommended in the same way as those in subclause A.3. It is necessary to detail the rationale wherever a technique or measure that is highly recommended for the safety integrity level is not used, and wherever a technique or measure that is positively not recommended for the safety integrity level is used. And it is necessary to achieve at least the level of effectiveness stated in the table for any techniques or measures that you do use. Table B.6 gives guidance on what is intended by the terms low and high effectiveness for most of the techniques and measures. In annexes A and B of IEC 61508-2, the table shading adds recommendations on how to select and combine the techniques and measures.


    Note that annex C of IEC 61508-2 is also normative and contains requirements that are necessary for compliance.

    Annexes A and B of IEC 61508-3 contain the requirement that appropriate techniques and measures shall be selected according to the safety integrity level. Anyone claiming compliance with the standard is required to consider which techniques or measures are most appropriate for the specific problems encountered during the development of each E/E/PE safety-related system. These may include techniques and measures recommended by the standard and may include others; the tables give only recommendations as to which techniques and measures may be appropriate.

    A particular concern is raised by systematic factors in the failure of a safety function. Systematic failure factors can arise in both hardware and software. The effectiveness of the measures and precautions used to meet the target failure measures for systematic safety integrity generally needs to be assessed qualitatively. Specifically for software, the IEC 61508-3 tables of recommended techniques are not checklists by which systematic safety integrity in software can be guaranteed. Many factors affect software safety integrity, and it is not possible to give an algorithm for combining the techniques and measures that will guarantee success in any given application. Software techniques will need to be chosen judiciously with attention to several key factors, including:

    - the developer's personal competence and experience in techniques;
    - the developer's familiarity with the application and likely difficulties;
    - the size or complexity of the application;
    - industry sector recommendations and recognized good practice; and
    - international published standards.

    These annexes contain a recommendation that the rationale for not following the guidance for highly recommended or not recommended techniques or measures should be detailed during the safety planning and agreed with the assessor. In both IEC 61508-2 and IEC 61508-3, the choice of techniques for each lifecycle phase needs to be documented (see clause 5 of IEC 61508-1). Other subclauses require some of this documentation to include a justification of the choice of techniques and measures, even if all recommendations are followed. See for example 7.3.2.2 e) and 7.4.2.3 of IEC 61508-2, and 7.4.3.2 a) of IEC 61508-3.

Q5) I have contractual responsibility for some (but not all) of the development phases for an E/E/PE safety-related system. What information do I need in documentation from other parties to enable me to comply with IEC 61508?

For an E/E/PE safety-related system to comply with IEC 61508, one or more organizations or individuals have to be responsible for each phase of the overall, E/E/PE and software safety lifecycles. Part of the responsibility for each phase is to document information sufficiently, so that all phases that depend on that information can be effectively performed (see clause 5 of IEC 61508-1). Table 1 of IEC 61508-1 specifies the information necessary for each phase of the overall safety lifecycle. Table 1 of IEC 61508-2 and table 1 of IEC 61508-3 are the equivalents for the E/E/PES and software safety lifecycles.

For example, part of the entry from table 1 of IEC 61508-1 for the phase "E/E/PE safety-related systems: realisation" is reproduced below. It can be seen from the table that a system supplier with responsibility for the realisation phase needs documentation containing the specification for the E/E/PES safety requirements. This will set out all the requirements for the safety functions that have been allocated to the E/E/PE safety-related system(s) together with the safety integrity requirements for each of these safety functions.

Safety lifecycle phase: E/E/PE safety-related systems: realisation
Objectives: To create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements)
Scope: E/E/PE safety-related systems
Requirements subclause: 7.10.1 and IEC 61508-2 and IEC 61508-3
Inputs: Specification for the E/E/PES safety requirements
Outputs: Confirmation that each E/E/PE safety-related system meets the E/E/PES safety requirements specification


We can see that a system supplier with responsibility for the realisation phase needs documentation containing the specification for the E/E/PES safety requirements. This will set out all the safety function requirements that have been allocated to the E/E/PE safety-related system(s) and the safety integrity requirements for each of these functions.

Q6) Suppliers are quoting that their products conform to IEC 61508 for a specific safety integrity level. Does this mean that using these products is sufficient for me to comply with IEC 61508?

No. A safety integrity level is not directly applicable to individual subsystems, elements or components. It applies to a safety function carried out by the E/E/PE safety-related system. IEC 61508 covers all components of the E/E/PE safety-related system, including field equipment and specific project application logic. All these subsystems and components, when combined to implement the safety function (or functions), are required to meet the safety integrity level target of the relevant safety functions. Any design using supplied subsystems and components that are all quoted as suitable for the required safety integrity level target of the relevant safety functions, together with the information associated with the supplied subsystems and components, will have to be assessed to determine whether or not the subsystems and components are in fact suitable. Suppliers of products intended for use in E/E/PE safety-related systems should provide sufficient information to facilitate a demonstration that the E/E/PE safety-related system complies with IEC 61508.

Q7) I supply subsystems, such as sensors or actuators, that are intended for use in an E/E/PE safety-related system. What does IEC 61508 mean for me?

When a subsystem is integrated into an E/E/PE safety-related system in accordance with IEC 61508, it is necessary to take into account the contribution that the subsystem will make to the performance of the complete system in relation to the safety integrity level of the safety function under consideration. To do this, the system designer/integrator requires sufficient information on the supplied subsystem in order that the system designer/integrator can validate that the E/E/PE safety-related system, in respect of the specified safety functions, meets the E/E/PES safety requirements specification. As a supplier of subsystems intended for use in E/E/PE safety-related systems you should be prepared to supply the required information, as detailed in 7.4.7.3 of IEC 61508-2. To summarise, the following information is required for each subsystem:

- specifications covering functional, interface and environmental aspects;
- estimated failure rate (due to random hardware failures) for each failure mode;
- diagnostic coverage and diagnostic test interval;
- information needed to enable the hardware fault tolerance to be determined;
- information needed to identify the hardware and software configuration;
- information needed to enable the derivation of the safe failure fraction;
- documentary evidence of validation.

Q8) Do I have to use third party certified components in order to comply with IEC 61508?

No. The standard requires a functional safety assessment to be carried out on all parts of the E/E/PE safety-related system and for all phases of the lifecycle (see clause 8 of IEC 61508-1). The level of independence required of the assessor ranges from an independent person in the same organization for safety integrity level 1 to an independent organization for safety integrity level 4. The required level of independence for safety integrity levels 2 and 3 is affected by additional factors including system complexity, novelty of design and previous experience of the developers. There is also a specific requirement that the assessor shall be competent for the activities to be undertaken.

Q9) Is there any correlation between the level of independence required for functional safety assessment and the need for third party certification?

The level of independence required should be distinguished from the concept of third-party certification, which is not a requirement in IEC 61508. For some companies even the requirement for independent persons and departments may have to be met by using an external organization, but this does not mean that the external organisation has necessarily to be a certification body. The external body, in such a situation, should have the competence and the appropriate level of independence to undertake the task. The external body may or may not be a certification body.

Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by ways of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization (note 2 of IEC 61508-1; the subclause number is illegible in the source).

See 3.8.10, 3.8.11 and 3.8.12 of IEC 61508-4 for definitions of independent person, independent department and independent organization respectively.

Q10) In what ways do I need to consider the impact of human activities on the operation of an E/E/PE safety-related system?

IEC 61508 requires human factor issues to be considered in the determination of hazards and hazardous events (7.4.2.3 of IEC 61508-1) and in the design of the E/E/PE safety-related system (7.4.5.3 of IEC 61508-2). For E/E/PE safety-related protection systems, there are three principal areas that need to be considered:

- human actions or errors that can place a demand on the E/E/PE safety-related protection system (these need to be identified and quantified);
- human failure to respond effectively to alarms or take other actions that would otherwise reduce the demand on the E/E/PE safety-related protection system;
- human failure in testing and maintenance of the E/E/PE safety-related protection system, reducing its effectiveness and increasing the probability of failure on demand.

Q11) Can an E/E/PE safety-related system contain hardware and/or software that was not produced according to IEC 61508, and still comply with the standard ("proven in use")?

It may be possible to use a "proven in use" argument as an alternative to meeting the design requirements for dealing with systematic failure causes in IEC 61508, including hardware and software. But it is essential to note that "proven in use" cannot be used as an alternative to meeting the requirements for:

- architectural constraints on hardware safety integrity (see IEC 61508-2; the subclause number is illegible in the source);
- the quantification of dangerous failures of the safety function due to random hardware faults (see 7.4.3.2 of IEC 61508-2); and
- system behaviour on detection of faults (see 7.4.6 of IEC 61508-2).

See 7.4.2.2 of IEC 61508-2 for a summary of design requirements, including references to more detailed systematic hardware requirements in the standard.

A "proven in use" claim relies on the availability of historical data for both random hardware and systematic failures, and on analytical techniques and testing if the previous conditions of use of the subsystem differ in any way from those which will be experienced in the E/E/PE safety-related system. 7.4.7.6 of IEC 61508-2 requires that:

- the previous conditions of use of the subsystem are the same as, or sufficiently close to, those which will be experienced in the E/E/PE safety-related system (see 7.4.7.7 of IEC 61508-2);
- if the above conditions of use differ in any way, a demonstration is necessary (using a combination of appropriate analytical techniques and testing) that the likelihood of unrevealed systematic faults is low enough to achieve the required safety integrity level of the safety functions which use the subsystem (see 7.4.7.8 of IEC 61508-2);
- the claimed failure rates have sufficient statistical basis (see 7.4.7.9 of IEC 61508-2);
- failure data collection is adequate (see 7.4.7.10 of IEC 61508-2);
- evidence is assessed taking into account the complexity of the subsystem, the contribution made by the subsystem to the risk reduction, the consequences associated with a failure of the subsystem, and the novelty of design (see 7.4.7.11 of IEC 61508-2); and
- the application of the proven in use subsystem is restricted to those functions and interfaces of the subsystem that meet the relevant requirements (see 7.4.7.12 of IEC 61508-2).


IEC 61508-3 (the subclause number is illegible in the source) allows the use of standard or previously developed software without the availability of historical data but with the emphasis on analysis and testing. This concept should be distinguished from the proven in use concept described above.

Q12) Do control systems that place demands on a safety-related system have to be themselves designated as safety-related systems?

IEC 61508-1 (the subclause number is illegible in the source) gives the requirements that apply for the control system not to be designated as a safety-related system. In summary, these are:

- allowing for a dangerous failure rate of the control system higher than the maximum defined by the standard for a safety-related system (i.e. higher than 10^-5 dangerous failures per hour);
- providing an adequate demonstration that the dangerous failure rate allowed for is achieved (IEC 61508-1 contains further details; the subclause number is illegible in the source);
- determining all reasonably foreseeable dangerous failure modes of the control system;
- ensuring that the control system is separate and independent from all safety-related systems.

It should be noted that the dangerous failure rate referred to in the above requirements relates to a specified dangerous failure mode of a function being performed by the control system which could, in the context of the question, place a demand on a safety-related system.

Q13) How do electromagnetic immunity limits depend on the safety integrity level? (Under review)

7.2.3.2 (e) of IEC 61508-2 (see also associated notes) states: The E/E/PES safety integrity requirements specification shall contain the electromagnetic immunity limits (see IEC 61000-1-1) that are required to achieve electromagnetic compatibility; the electromagnetic immunity limits should be derived taking into account both the electromagnetic environment (see IEC 61000-2-5) and the required safety integrity levels.

IEC 61508 does not give a method for determining electromagnetic immunity requirements according to the safety integrity level. These should be decided taking into account the electromagnetic environment that the safety-related system will be exposed to during use. In principle, the immunity limits should be set at a level which will not be exceeded in the operating environment. In practice, it is difficult to guarantee that disturbance levels will always be below a set limit. The higher the immunity limit, the lower the probability that a disturbance will exceed the limit during use; therefore it may be necessary to set increased immunity limits as safety integrity levels increase, especially where there is uncertainty about the disturbance levels that are likely to be present in the operating environment.
