Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3

Contains information and guidelines on EN 61508-2 and EN 61508-3.


General Information

Status: Withdrawn
Publication Date: 20-Dec-2001
Withdrawal Date: 31-Jul-2004
Technical Committee: CLC/SR 65A - System aspects
Drafting Committee: IEC/SC 65A - IEC_SC_65A
Parallel Committee: IEC/SC 65A - IEC_SC_65A
Current Stage: 9960 - Withdrawal effective - Withdrawal
Start Date: 01-May-2013
Completion Date: 01-May-2013

Relations

Effective Date: 28-Jan-2023


Frequently Asked Questions

EN 61508-6:2001 is a standard published by CLC (CENELEC). Its full title is "Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3". The standard contains information and guidelines on EN 61508-2 and EN 61508-3.

EN 61508-6:2001 is classified under the following ICS (International Classification for Standards) categories: 25.040.40 - Industrial process measurement and control. The ICS classification helps identify the subject area and facilitates finding related standards.

EN 61508-6:2001 has the following relationship with other standards: it is linked (inter-standard link) to EN 61508-6:2010. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


EUROPEAN STANDARD EN 61508-6
December 2001
ICS 25.040.40
English version
Functional safety of electrical/electronic/programmable electronic
safety-related systems
Part 6: Guidelines on the application
of IEC 61508-2 and IEC 61508-3
(IEC 61508-6:2000)
This European Standard was approved by CENELEC on 2001-07-03. CENELEC members are bound to
comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech Republic,
Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands,
Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2001 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61508-6:2001 E
Foreword
The text of the International Standard IEC 61508-6:2000, prepared by SC 65A, System aspects, of
IEC TC 65, Industrial-process measurement and control, was submitted to the Unique Acceptance
Procedure and was approved by CENELEC as EN 61508-6 on 2001-07-03 without any modification.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2002-08-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2004-08-01
Annexes designated "normative" are part of the body of the standard.
Annexes designated "informative" are given for information only.
In this standard, annex ZA is normative and annexes A to E are informative.
Annex ZA has been added by CENELEC.
IEC 61508 is a basic safety publication covering the functional safety of electrical, electronic and
programmable electronic safety-related systems. The scope states:
"This International Standard covers those aspects to be considered when electrical/electronic/
programmable electronic systems (E/E/PESs) are used to carry out safety functions. A major objective
of this standard is to facilitate the development of application sector international standards by the
technical committees responsible for the application sector. This will allow all the relevant factors
associated with the application, to be fully taken into account and thereby meet the specific needs of
the application sector. A dual objective of this standard is to enable the development of
electrical/electronic/programmable electronic (E/E/PE) safety-related systems where application sector
international standards may not exist".
The CENELEC Report R0BT-004, ratified by 103 BT (March 2000) accepts that some IEC standards,
which today are either published or under development, are sector implementations of IEC 61508. For
example:
– IEC 61511, Functional safety - Safety instrumented systems for the process industry sector;
– IEC 62061, Safety of machinery – Functional safety of electrical, electronic and programmable electronic control systems;
– IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems.
The railways sector has also developed a set of European Standards (EN 50126; EN 50128 and
prEN 50129).
NOTE  EN 50126 and EN 50128 were based on earlier drafts of IEC 61508. prEN 50129 is based on the principles of the
latest version of IEC 61508.
This list does not preclude other sector implementations of IEC 61508 which could be currently under
development or published within IEC or CENELEC.
__________
- 3 - EN 61508-6:2001
Endorsement notice
The text of the International Standard IEC 61508-6:2000 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 61078 NOTE  Harmonized as EN 61078:1993 (not modified).
IEC 61131-3 NOTE  Harmonized as EN 61131-3:1993 (not modified).
__________
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
This European Standard incorporates by dated or undated reference, provisions from other
publications. These normative references are cited at the appropriate places in the text and the
publications are listed hereafter. For dated references, subsequent amendments to or revisions of any
of these publications apply to this European Standard only when incorporated in it by amendment or
revision. For undated references the latest edition of the publication referred to applies (including
amendments).
NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
Publication | Year | Title | EN/HD | Year
IEC 61508-1 | 1998 + corr. May 1999 | Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements | EN 61508-1 | 2001
IEC 61508-2 | 2000 | Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems | EN 61508-2 | 2001
IEC 61508-3 | 1998 + corr. April 1999 | Part 3: Software requirements | EN 61508-3 | 2001
IEC 61508-4 | 1998 + corr. April 1999 | Part 4: Definitions and abbreviations | EN 61508-4 | 2001
IEC 61508-5 | 1998 + corr. April 1999 | Part 5: Examples of methods for the determination of safety integrity levels | EN 61508-5 | 2001
IEC 61508-7 | 2000 | Part 7: Overview of techniques and measures | EN 61508-7 | 2001
IEC Guide 104 | 1997 | The preparation of safety publications and the use of basic safety publications and group safety publications | – | –
ISO/IEC Guide 51 | 1990 | Guidelines for the inclusion of safety aspects in standards | – | –
INTERNATIONAL IEC
STANDARD
61508-6
First edition
2000-04
Functional safety of electrical/electronic/
programmable electronic safety-related systems –
Part 6:
Guidelines on the application of
IEC 61508-2 and IEC 61508-3
© IEC 2000 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,
including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch  Web: www.iec.ch
PRICE CODE XB
International Electrotechnical Commission
For price, see current catalogue

61508-6 © IEC:2000 – 3 –
CONTENTS
Page
FOREWORD ... 11
INTRODUCTION ... 15
Clause
1 Scope ... 19
2 Normative references ... 23
3 Definitions and abbreviations ... 23
Annex A (informative) Application of IEC 61508-2 and of IEC 61508-3 ... 25
A.1 General ... 25
A.2 Functional steps in the application of IEC 61508-2 ... 29
A.3 Functional steps in the application of IEC 61508-3 ... 37
Annex B (informative) Example technique for evaluating probabilities of hardware failure ... 41
B.1 General ... 41
B.2 Average probability of failure on demand (for low demand mode of operation) ... 49
B.3 Probability of failure per hour (for high demand or continuous mode of operation) ... 75
B.4 References ... 91
Annex C (informative) Calculation of diagnostic coverage and safe failure fraction: worked example ... 93
Annex D (informative) A methodology for quantifying the effect of hardware-related common cause failures in E/E/PE systems ... 101
D.1 General ... 101
D.2 Brief overview ... 101
D.3 Scope of the methodology ... 109
D.4 Points taken into account in the methodology ... 109
D.5 Using the β-factor to calculate the probability of failure in an E/E/PE safety-related system due to common cause failures ... 111
D.6 Using the tables to estimate β ... 113
D.7 Examples of the use of the methodology ... 121
D.8 References ... 123
Annex E (informative) Example applications of software safety integrity tables of IEC 61508-3 ... 125
E.1 General ... 125
E.2 Example for safety integrity level 2 ... 125
E.3 Example for safety integrity level 3 ... 135
Bibliography ... 145

Figure 1 – Overall framework of IEC 61508 ... 21
Figure A.1 – Application of IEC 61508-2 ... 33
Figure A.2 – Application of IEC 61508-2 (continued) ... 35
Figure A.3 – Application of IEC 61508-3 ... 39
Figure B.1 – Example configuration for two sensor channels ... 45
Figure B.2 – Subsystem structure ... 49
Figure B.3 – 1oo1 physical block diagram ... 51
Figure B.4 – 1oo1 reliability block diagram ... 51
Figure B.5 – 1oo2 physical block diagram ... 53
Figure B.6 – 1oo2 reliability block diagram ... 55
Figure B.7 – 2oo2 physical block diagram ... 55
Figure B.8 – 2oo2 reliability block diagram ... 55
Figure B.9 – 1oo2D physical block diagram ... 57
Figure B.10 – 1oo2D reliability block diagram ... 57
Figure B.11 – 2oo3 physical block diagram ... 59
Figure B.12 – 2oo3 reliability block diagram ... 59
Figure B.13 – Architecture of an example for low demand mode of operation ... 69
Figure B.14 – Architecture of an example for high demand or continuous mode of operation ... 87
Figure D.1 – Relationship of common cause failures to the failures of individual channels ... 105
Table B.1 – Terms and their ranges used in this annex (applies to 1oo1, 1oo2, 2oo2, 1oo2D and 2oo3) ... 47
Table B.2 – Average probability of failure on demand for a proof test interval of six months and a mean time to restoration of 8 h ... 61
Table B.3 – Average probability of failure on demand for a proof-test interval of one year and mean time to restoration of 8 h ... 63
Table B.4 – Average probability of failure on demand for a proof-test interval of two years and a mean time to restoration of 8 h ... 65
Table B.5 – Average probability of failure on demand for a proof-test interval of 10 years and a mean time to restoration of 8 h ... 67
Table B.6 – Average probability of failure on demand for the sensor subsystem in the example for low demand mode of operation (one year proof-test interval and 8 h MTTR) ... 69
Table B.7 – Average probability of failure on demand for the logic subsystem in the example for low demand mode of operation (one year proof-test interval and 8 h MTTR) ... 71
Table B.8 – Average probability of failure on demand for the final element subsystem in the example for low demand mode of operation (one year proof-test interval and 8 h MTTR) ... 71

Table B.9 – Example for a non-perfect proof test ... 75
Table B.10 – Probability of failure per hour (in high demand or continuous mode of operation) for a proof-test interval of one month and a mean time to restoration of 8 h ... 79
Table B.11 – Probability of failure per hour (in high demand or continuous mode of operation) for a proof test interval of three months and a mean time to restoration of 8 h ... 81
Table B.12 – Probability of failure per hour (in high demand or continuous mode of operation) for a proof test interval of six months and a mean time to restoration of 8 h ... 83
Table B.13 – Probability of failure per hour (in high demand or continuous mode of operation) for a proof-test interval of one year and a mean time to restoration of 8 h ... 85
Table B.14 – Probability of failure per hour for the sensor subsystem in the example for high demand or continuous mode of operation (six month proof-test interval and 8 h MTTR) ... 87
Table B.15 – Probability of failure per hour for the logic subsystem in the example for high demand or continuous mode of operation (six month proof-test interval and 8 h MTTR) ... 89
Table B.16 – Probability of failure per hour for the final element subsystem in the example for high demand or continuous mode of operation (six month proof-test interval and 8 h MTTR) ... 89
Table C.1 – Example calculations for diagnostic coverage and safe failure fraction ... 97
Table C.2 – Diagnostic coverage and effectiveness for different subsystems ... 99
Table D.1 – Scoring programmable electronics or sensors/final elements ... 115
Table D.2 – Value of Z: programmable electronics ... 119
Table D.3 – Value of Z: sensors or final elements ... 119
Table D.4 – Calculation of β or β_D ... 121
Table D.5 – Example values for programmable electronics ... 123
Table E.1 – Software safety requirements specification (see 7.2 of IEC 61508-3) ... 127
Table E.2 – Software design and development: software architecture design (see 7.4.3 of IEC 61508-3) ... 129
Table E.3 – Software design and development: support tools and programming language (see 7.4.4 of IEC 61508-3) ... 129
Table E.4 – Software design and development: detailed design (see 7.4.5 and 7.4.6 of IEC 61508-3) (this includes software system design, software module design and coding) ... 131
Table E.5 – Software design and development: software module testing and integration (see 7.4.7 and 7.4.8 of IEC 61508-3) ... 131
Table E.6 – Programmable electronics integration (hardware and software) (see 7.5 of IEC 61508-3) ... 131
Table E.7 – Software safety validation (see 7.7 of IEC 61508-3) ... 133
Table E.8 – Software modification (see 7.8 of IEC 61508-3) ... 133
Table E.9 – Software verification (see 7.9 of part 3) ... 133
Table E.10 – Functional safety assessment (see clause 8 of IEC 61508-3) ... 135

Table E.11 – Software safety requirements specification (see 7.2 of IEC 61508-3) ... 137
Table E.12 – Software design and development: software architecture design (see 7.4.3 of IEC 61508-3) ... 137
Table E.13 – Software design and development: support tools and programming language (see 7.4.4 of IEC 61508-3) ... 139
Table E.14 – Software design and development: detailed design (see 7.4.5 and 7.4.6 of IEC 61508-3) (this includes software system design, software module design and coding) ... 139
Table E.15 – Software design and development: software module testing and integration (see 7.4.7 and 7.4.8 of IEC 61508-3) ... 141
Table E.16 – Programmable electronics integration (hardware and software) (see 7.5 of IEC 61508-3) ... 141
Table E.17 – Software safety validation (see 7.7 of IEC 61508-3) ... 141
Table E.18 – Modification (see 7.8 of IEC 61508-3) ... 143
Table E.19 – Software verification (see 7.9 of IEC 61508-3) ... 143
Table E.20 – Functional safety assessment (see clause 8 of IEC 61508-3) ... 143

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE
ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 6: Guidelines on the application of IEC 61508-2
and IEC 61508-3
FOREWORD
1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, the IEC publishes International Standards. Their preparation is
entrusted to technical committees; any IEC National Committee interested in the subject dealt with may
participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. The IEC collaborates closely with the International
Organization for Standardization (ISO) in accordance with conditions determined by agreement between the
two organizations.
2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested National Committees.
3) The documents produced have the form of recommendations for international use and are published in the form
of standards, technical specifications, technical reports or guides and they are accepted by the National
Committees in that sense.
4) In order to promote international unification, IEC National Committees undertake to apply IEC International
Standards transparently to the maximum extent possible in their national and regional standards. Any
divergence between the IEC Standard and the corresponding national or regional standard shall be clearly
indicated in the latter.
5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with one of its standards.
6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject
of patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.
IEC 61508-6 has been prepared by subcommittee 65A: System aspects, of IEC technical
committee 65: Industrial-process measurement and control.
The text of this standard is based on the following documents:
FDIS | Report on voting
65A/295/FDIS | 65A/304/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 3.
Annexes A to E are for information only.
IEC 61508 consists of the following parts, under the general title Functional safety of
electrical/electronic/programmable electronic safety-related systems:
– Part 1: General requirements
– Part 2: Requirements for electrical/electronic/programmable electronic safety-related
systems
– Part 3: Software requirements
– Part 4: Definitions and abbreviations
– Part 5: Examples of methods for the determination of safety integrity levels
– Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
– Part 7: Overview of techniques and measures
The committee has decided that the contents of this publication will remain unchanged until
2005. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
INTRODUCTION
Systems comprised of electrical and/or electronic components have been used for many years
to perform safety functions in most application sectors. Computer-based systems (generically
referred to as programmable electronic systems (PESs)) are being used in all application
sectors to perform non-safety functions and, increasingly, to perform safety functions. If
computer system technology is to be effectively and safely exploited, it is essential that those
responsible for making decisions have sufficient guidance on the safety aspects on which to
make those decisions.
This International Standard sets out a generic approach for all safety lifecycle activities for
systems comprised of electrical and/or electronic and/or programmable electronic components
(electrical/ electronic/programmable electronic systems (E/E/PESs)) that are used to perform
safety functions. This unified approach has been adopted in order that a rational and
consistent technical policy be developed for all electrically based safety-related systems. A
major objective is to facilitate the development of application sector standards.
In most situations, safety is achieved by a number of protective systems which rely on many
technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic,
programmable electronic). Any safety strategy must therefore consider not only all the
elements within an individual system (for example sensors, controlling devices and actuators)
but also all the safety-related systems making up the total combination of safety-related
systems. Therefore, while this International Standard is concerned with electrical/
electronic/programmable electronic (E/E/PE) safety-related systems, it may also provide a
framework within which safety-related systems based on other technologies may be
considered.
It is recognized that there is a great variety of E/E/PES applications in a variety of application
sectors and covering a wide range of complexity, hazard and risk potentials. In any particular
application, the exact prescription of safety measures is dependent on many factors specific
to the application. This International Standard, by being generic, will enable such a
prescription to be formulated in future application sector international standards.
This International Standard
– considers all relevant overall, E/E/PES and software safety lifecycle phases (for example,
from initial concept, through design, implementation, operation and maintenance to
decommissioning) when E/E/PESs are used to perform safety functions;
– has been conceived with a rapidly developing technology in mind; the framework is
sufficiently robust and comprehensive to cater for future developments;
– enables application sector international standards, dealing with safety-related E/E/PESs,
to be developed; the development of application sector international standards, within the
framework of this International Standard, should lead to a high level of consistency (for
example, of underlying principles, terminology, etc.) both within application sectors and
across application sectors; this will have both safety and economic benefits;
– provides a method for the development of the safety requirements specification necessary
to achieve the required functional safety for E/E/PE safety-related systems;
– uses safety integrity levels for specifying the target level of safety integrity for the safety
functions to be implemented by the E/E/PE safety-related systems;

– adopts a risk-based approach for the determination of the safety integrity level
requirements;
– sets numerical target failure measures for E/E/PE safety-related systems which are linked
to the safety integrity levels;
– sets a lower limit on the target failure measures, in a dangerous mode of failure, that can
be claimed for a single E/E/PE safety-related system; for E/E/PE safety-related systems
operating in
• a low demand mode of operation, the lower limit is set at an average probability of
failure of 10^–5 to perform its design function on demand,
• a high demand or continuous mode of operation, the lower limit is set at a probability
of a dangerous failure of 10^–9 per hour;
NOTE A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
– adopts a broad range of principles, techniques and measures to achieve functional safety
for E/E/PE safety-related systems, but does not rely on the concept of fail-safe, which may
be of value when the failure modes are well-defined and the level of complexity is
relatively low – the concept of fail-safe was considered inappropriate because of the full
range of complexity of E/E/PE safety-related systems that are within the scope of the
standard.
FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE
ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
1 Scope
1.1 This part of IEC 61508 contains information and guidelines on IEC 61508-2 and
IEC 61508-3.
– Annex A gives a brief overview of the requirements of IEC 61508-2 and IEC 61508-3 and
sets out the functional steps in their application.
– Annex B gives an example technique for calculating the probabilities of hardware failure
and should be read in conjunction with 7.4.3 and annex C of IEC 61508-2 and annex D.
– Annex C gives a worked example of calculating diagnostic coverage and should be read in
conjunction with annex C of IEC 61508-2.
– Annex D gives a methodology for quantifying the effect of hardware-related common
cause failures on the probability of failure.
– Annex E gives worked examples of the application of the software safety integrity tables
specified in annex A of IEC 61508-3 for safety integrity levels 2 and 3.
1.2 IEC 61508-1, IEC 61508-2, IEC 61508-3 and IEC 61508-4 are basic safety publications,
although this status does not apply in the context of low complexity E/E/PE safety-related
systems (see 3.4.4 of IEC 61508-4). As basic safety publications, they are intended for use by
technical committees in the preparation of standards in accordance with the principles
contained in IEC Guide 104 and IEC/ISO Guide 51. IEC 61508 is also intended for use as a
stand-alone standard.
1.3 One of the responsibilities of a technical committee is, wherever applicable, to make use
of basic safety publications in the preparation of its publications. In this context, the
requirements, test methods or test conditions of this basic safety publication do not apply
unless specifically referred to or included in the publications prepared by those technical
committees.
NOTE In the USA and Canada, until the proposed process sector implementation of IEC 61508 (i.e. IEC 61511)
is published as an international standard, existing national process safety standards based on IEC 61508 (i.e.
ANSI/ISA S84.01-1996) can be applied to the process sector instead of IEC 61508.
1.4 Figure 1 shows the overall framework for parts 1 to 7 of this standard and indicates the
role that IEC 61508-6 plays in the achievement of functional safety for E/E/PE safety-related
systems.
[Figure 1 (diagram, IEC 318/2000). Technical requirements: PART 1 – Development of the overall safety requirements (concept, scope definition, hazard and risk analysis), 7.1 to 7.5; PART 5 – Risk based approaches to the development of the safety integrity requirements; PART 1 – Allocation of the safety requirements to the E/E/PE safety-related systems (E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities), 7.6; PART 2 – Realisation phase for E/E/PE safety-related systems; PART 3 – Realisation phase for safety-related software; PART 6 – Guidelines for the application of parts 2 and 3; PART 1 – Installation and commissioning and safety validation of E/E/PE safety-related systems, 7.13 and 7.14; PART 1 – Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems, 7.15 to 7.17. Other requirements: PART 4 – Definitions and abbreviations; PART 7 – Overview of techniques and measures; PART 1 – Documentation, clause 5 and annex A; PART 1 – Management of functional safety, clause 6; PART 1 – Functional safety assessment, clause 8.]
Figure 1 – Overall framework of IEC 61508

2 Normative references
The following normative documents contain provisions which, through reference in this text,
constitute provisions of this part of IEC 61508. For dated references, subsequent
amendments to, or revisions of, any of these publications do not apply. However, parties to
agreements based on this part of IEC 61508 are encouraged to investigate the possibility of
applying the most recent editions of the normative documents indicated below. For undated
references, the latest edition of the normative document referred to applies. Members of ISO
and IEC maintain registers of currently valid International Standards.
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic
safety-related systems
IEC Guide 104:1997, Guide to the drafting of safety standards and the rôle of committees with
safety pilot functions and safety group functions
IEC/ISO Guide 51:1990, Guidelines for the inclusion of safety aspects in standards
3 Definitions and abbreviations
For the purpose of this standard, the definitions and abbreviations given in IEC 61508-4
apply.
Annex A
(informative)
Application of IEC 61508-2 and of IEC 61508-3
A.1 General
Machinery, process plant and other equipment may, in the case of malfunction (for example
by failures of electro-mechanical, electronic and/or programmable electronic devices), present
risks to people and the environment from hazardous events such as fires, explosions,
radiation overdoses, machinery traps, etc. Failures can arise from either physical faults in the
device (for example causing random hardware failures), or from systematic faults (for example
human errors made in the specification and design of a system cause systematic failure under
some particular combination of inputs), or from some environmental condition.
IEC 61508-1 provides an overall framework based on a risk approach for the prevention
and/or control of failures in electro-mechanical, electronic, or programmable electronic
devices.
The overall goal is to ensure that plant and equipment can be safely automated. A key
objective of this standard is to prevent
– failures of control systems triggering other events, which in turn could lead to danger (for
example fire, release of toxic materials, repeat stroke of a machine, etc.); and
– undetected failures in protection systems (for example in an emergency shut-down
system), making the systems unavailable when needed for a safety action.
IEC 61508-1 requires that a hazard and risk analysis at the process/machine level is carried
out to determine the amount of risk reduction necessary to meet the risk criteria for the
application. Risk is based on the assessment of both the consequence (or severity) and the
frequency (or probability) of the hazardous event.
IEC 61508-1 further requires that the amount of risk reduction established by the risk analysis 1)
is used to determine if one or more safety-related systems are required and what safety
functions (each with a specified safety integrity 2)) they are needed for.
IEC 61508-2 and IEC 61508-3 take the safety functions and safety integrity requirements
allocated to any system, designated as an E/E/PE safety-related system, by the application of
IEC 61508-1 and establish requirements for safety lifecycle activities which
– are to be applied during the specification, design and modification of the hardware and
software; and
– focus on means for preventing and/or controlling random hardware and systematic failures
(the E/E/PES and software safety lifecycles 3)).
––––––––––––
1) Systems necessary for functional safety and containing one or more electrical (electro-mechanical), electronic
or programmable electronic (E/E/PE) devices are designated as E/E/PE safety-related systems and include all
equipment necessary to carry out the required safety function (see 3.4.1 of IEC 61508-4).
2) Safety integrity is specified as one of four discrete levels. Safety integrity level 4 is the highest and safety
integrity level 1 the lowest (see 7.6.2.9 of IEC 61508-1).
3) To enable the requirements of this standard to be clearly structured, a decision was made to order the
requirements using a development process model in which each stage follows in a defined order with little iteration
(sometimes referred to as a waterfall model). However, it is stressed that any lifecycle approach can be used
provided a statement of equivalence is given in the safety plan for the project (see clause 6 of IEC 61508-1).
IEC 61508-2 and IEC 61508-3 do not give guidance on which level of safety integrity is
appropriate for a given required tolerable risk. This decision depends upon many factors,
including the nature of the application, the extent to which other systems carry out safety
functions and social and economic factors (see IEC 61508-1 and IEC 61508-5).
The requirements of IEC 61508-2 and IEC 61508-3 include
– the application of measures and techniques 1), which are graded against the safety
integrity level, for the avoidance of systematic failures 2) by preventative methods; and
– the control of systematic failures (including software failures) and random hardware
failures by design features such as fault detection, redundancy and architectural features
(for example diversity).
In IEC 61508-2, assurance that the safety integrity target has been satisfied for dangerous
random hardware failures is based on
– hardware fault tolerance requirements (see tables 2 and 3 of IEC 61508-2); and
– the diagnostic coverage and frequency of proof tests of subsystems and components, by
carrying out a reliability analysis using appropriate data.
In both IEC 61508-2 and IEC 61508-3, assurance that the safety integrity target has been
satisfied for systematic failures is gained by
– the correct application of safety management procedures;
– the use of competent staff;
– the application of the specified safety lifecycle activities, including the specified
techniques and measures 3); and
– an independent functional safety assessment 4).
The overall goal is to ensure that remaining systematic faults, commensurate with the safety
integrity level, do not cause a failure of the E/E/PE safety-related system.
IEC 61508-2 has been developed to provide requirements for achieving safety integrity in the
hardware 5) of the E/E/PE safety-related systems including sensors and final elements.
Techniques and measures against both random hardware failures and systematic hardware
failures are required. These involve an appropriate combination of fault avoidance and failure
control measures as indicated above. Where manual action is needed for functional safety,
requirements are given for the operator interface. Also diagnostic test techniques and
measures, based on software and hardware (for example diversity), to detect random
hardware failures are specified in IEC 61508-2.
––––––––––––
1) The required techniques and measures for each safety integrity level are shown in the tables in annexes A
and B of IEC 61508-2 and IEC 61508-3.
2) Systematic failures cannot usually be quantified. Causes include: specification and design faults in hardware
and software; failure to take account of the environment (for example temperature); and operation-related faults
(for example poor interface).
3) Alternative measures to those specified in the standard are acceptable provided justification is documented
during safety planning (see clause 6 of IEC 61508-1).
4) Independent assessment does not always imply third party assessment (see clause 8 of IEC 61508-1).
5) Including fixed built-in software or software equivalents (also called firmware), such as application-specific
integrated circuits.
IEC 61508-3 has been developed to provide requirements for achieving safety integrity for the
software – both embedded (including diagnostic fault detection services) and application
software. IEC 61508-3 requires a combination of fault avoidance (quality assurance) and fault
tolerance approaches (software architecture), as there is no known way to prove the absence
of faults in reasonably complex safety-related software, especially the absence of
specification and design faults. IEC 61508-3 requires the adoption of such software
engineering principles as: top down design; modularity; verification of each phase of the
development lifecycle; verified software modules and software module libraries; and clear
documentation to facilitate verification and validation. The different levels of software require
different levels of assurance that these and related principles have been correctly applied.
The developer of the software may or may not be separate from the organization developing
the whole E/E/PES. In either case, close cooperation is needed, particularly in developing the
architecture of the programmable electronics where trade-offs between hardware and
software architectures need to be considered for their safety impact (see figure 4 of IEC
61508-2).
A.2 Functional steps in the application of IEC 61508-2
The functional steps in the application of IEC 61508-2 are shown in figures A.1 and A.2. The
functional steps in the application of IEC 61508-3 are shown in figure A.3.
Functional steps for IEC 61508-2 (see figures A.1 and A.2) are as follows.
a) Obtain the allocation of safety requirements (see IEC 61508-1). Update the safety
planning as appropriate during E/E/PES development.
b) Determine the requirements for E/E/PES safety, including the sa
...