EN 61508-3:2001
Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements
Applies to any software forming part of a safety-related system or used to develop a safety-related system within the scope of IEC 61508-1 and IEC 61508-2. Provides requirements: for safety lifecycle phases and activities; for information relating to the software safety validation; for the preparation of information and procedures concerning software; to be met by the organisation carrying out modifications to safety-related software; for supporting tools. Has the status of a basic safety publication in accordance with IEC Guide 104.
German title (translated): Functional safety of safety-related electrical/electronic/programmable electronic systems - Part 3: Requirements for software
French title (translated): Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements
French abstract (translated): Applies to any software forming part of a safety-related system, or used to develop a safety-related system, within the scope of IEC 61508-1 and IEC 61508-2. Provides requirements: concerning the phases and activities of the safety lifecycle; for the information relating to the software safety validation; for the preparation of information and procedures concerning the software; to be observed by the organisation in charge of modifications to safety-related software; for supporting tools. Has the status of a basic safety publication in accordance with Guide 104.
Slovenian title (translated): Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements (IEC 61508-3:1998 + corrigendum 1999)
General Information
- Status: Withdrawn
- Publication Date: 20-Dec-2001
- Withdrawal Date: 31-Jul-2004
- Technical Committee: CLC/SR 65A - System aspects
- Drafting Committee: IEC/SC 65A - IEC_SC_65A
- Parallel Committee: IEC/SC 65A - IEC_SC_65A
- Current Stage: 9960 - Withdrawal effective - Withdrawal
- Start Date: 01-May-2013
- Completion Date: 01-May-2013
Relations
- Effective Date: 28-Jan-2023
Frequently Asked Questions
EN 61508-3:2001 is a standard published by CLC. Its full title is "Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements". This standard covers: Applies to any software forming part of a safety-related system or used to develop a safety-related system within the scope of IEC 61508-1 and IEC 61508-2. Provides requirements: for safety lifecycle phases and activities; for information relating to the software safety validation; for the preparation of information and procedures concerning software; to be met by the organisation carrying out modifications to safety-related software; for supporting tools. Has the status of a basic safety publication in accordance with IEC Guide 104.
EN 61508-3:2001 is classified under the following ICS (International Classification for Standards) categories: 25.040.40 - Industrial process measurement and control. The ICS classification helps identify the subject area and facilitates finding related standards.
EN 61508-3:2001 has the following relationship with other standards: it is linked (inter-standard link) to EN 61508-3:2010. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
SLOVENIAN STANDARD (SIST EN), January
[Cover page of the Slovenian adoption; the extraction garbled its font, so only the wording is recoverable, not the year or reference numbers.]
Slovenian title (translated): Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements (IEC + corrigendum)
Identical to EN
Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements (IEC, Corrigendum)
ICS; Reference number: SIST EN (en)
EUROPEAN STANDARD (Norme Européenne / Europäische Norm) EN 61508-3
December 2001
ICS 25.040.40
English version
Functional safety of electrical/electronic/programmable electronic safety-related systems
Part 3: Software requirements
(IEC 61508-3:1998 + corrigendum 1999)
[The cover also carries the French and German titles, both translating to the English title above: Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 3: Software requirements (CEI 61508-3:1998 + corrigendum 1999 / IEC 61508-3:1998 + Corrigendum 1999).]
This European Standard was approved by CENELEC on 2001-07-03. CENELEC members are bound to
comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech Republic,
Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands,
Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2001 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61508-3:2001 E
Foreword
The text of the International Standard IEC 61508-3:1998 including its corrigendum April 1999,
prepared by SC 65A, System aspects, of IEC TC 65, Industrial-process measurement and control,
was submitted to the Unique Acceptance Procedure and was approved by CENELEC as EN 61508-3
on 2001-07-03 without any modification.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2002-08-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2004-08-01
Annexes designated "normative" are part of the body of the standard.
Annexes designated "informative" are given for information only.
In this standard, annexes A, B and ZA are normative and annex C is informative.
Annex ZA has been added by CENELEC.
IEC 61508 is a basic safety publication covering the functional safety of electrical, electronic and
programmable electronic safety-related systems. The scope states:
"This International Standard covers those aspects to be considered when electrical/electronic/
programmable electronic systems (E/E/PESs) are used to carry out safety functions. A major objective
of this standard is to facilitate the development of application sector international standards by the
technical committees responsible for the application sector. This will allow all the relevant factors
associated with the application, to be fully taken into account and thereby meet the specific needs of
the application sector. A dual objective of this standard is to enable the development of
electrical/electronic/programmable electronic (E/E/PE) safety-related systems where application sector
international standards may not exist".
The CENELEC Report R0BT-004, ratified by 103 BT (March 2000) accepts that some IEC standards,
which today are either published or under development, are sector implementations of IEC 61508. For
example:
– IEC 61511, Functional safety - Safety instrumented systems for the process industry sector;
– IEC 62061, Safety of machinery – Functional safety of electrical, electronic and programmable electronic control systems;
– IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems.
The railways sector has also developed a set of European Standards (EN 50126; EN 50128 and
prEN 50129).
NOTE EN 50126 and EN 50128 were based on earlier drafts of IEC 61508. prEN 50129 is based on the principles of the
latest version of IEC 61508.
This list does not preclude other sector implementations of IEC 61508 which could be currently under
development or published within IEC or CENELEC.
__________
- 3 - EN 61508-3:2001
Endorsement notice
The text of the International Standard IEC 61508-3:1998 including its corrigendum April 1999 was
approved by CENELEC as a European Standard without any modification.
__________
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
This European Standard incorporates by dated or undated reference, provisions from other
publications. These normative references are cited at the appropriate places in the text and the
publications are listed hereafter. For dated references, subsequent amendments to or revisions of any
of these publications apply to this European Standard only when incorporated in it by amendment or
revision. For undated references the latest edition of the publication referred to applies (including
amendments).
NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
Publication | Year | Title | EN/HD | Year
--- | --- | --- | --- | ---
IEC 61508-1 | 1998 + corr. May 1999 | Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements | EN 61508-1 | 2001
IEC 61508-2 | 2000 | Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems | EN 61508-2 | 2001
IEC 61508-4 | 1998 + corr. April 1999 | Part 4: Definitions and abbreviations | EN 61508-4 | 2001
IEC 61508-5 | 1998 + corr. April 1999 | Part 5: Examples of methods for the determination of safety integrity levels | EN 61508-5 | 2001
IEC 61508-6 | 2000 | Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 | EN 61508-6 | 2001
IEC 61508-7 | 2000 | Part 7: Overview of techniques and measures | EN 61508-7 | 2001
ISO/IEC Guide 51 | 1990 | Guidelines for the inclusion of safety aspects in standards | – | –
IEC Guide 104 | 1997 | The preparation of safety publications and the use of basic safety publications and group safety publications | – | –
INTERNATIONAL IEC
STANDARD
61508-3
First edition
1998-12
BASIC SAFETY PUBLICATION
Functional safety of electrical/electronic/
programmable electronic safety-related systems –
Part 3:
Software requirements
IEC 1998 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,
including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch
Commission Electrotechnique Internationale
International Electrotechnical Commission
Международная Электротехническая Комиссия
61508-3 IEC:1998 – 3 –
CONTENTS
Page
FOREWORD ... 7
INTRODUCTION ... 9
Clause
1 Scope ... 13
2 Normative references ... 19
3 Definitions and abbreviations ... 19
4 Conformance to this standard ... 19
5 Documentation ... 19
6 Software quality management system ... 21
6.1 Objectives ... 21
6.2 Requirements ... 21
7 Software safety lifecycle requirements ... 23
7.1 General ... 23
7.2 Software safety requirements specification ... 35
7.3 Software safety validation planning ... 39
7.4 Software design and development ... 43
7.5 Programmable electronics integration (hardware and software) ... 55
7.6 Software operation and modification procedures ... 57
7.7 Software safety validation ... 57
7.8 Software modification ... 61
7.9 Software verification ... 65
8 Functional safety assessment ... 73
Annex A (normative) Guide to the selection of techniques and measures ... 75
Annex B (normative) Detailed tables ... 87
Annex C (informative) Bibliography ... 95
Tables
1 Software safety lifecycle: overview ... 29
A.1 Software safety requirements specification (see 7.2) ... 77
A.2 Software design and development: software architecture design (see 7.4.3) ... 77
A.3 Software design and development: support tools and programming language (see 7.4.4) ... 79
A.4 Software design and development: detailed design (see 7.4.5 and 7.4.6) ... 79
A.5 Software design and development: software module testing and integration (see 7.4.7 and 7.4.8) ... 81
A.6 Programmable electronics integration (hardware and software) (see 7.5) ... 81
A.7 Software safety validation (see 7.7) ... 81
A.8 Modification (see 7.8) ... 83
A.9 Software verification (see 7.9) ... 83
A.10 Functional safety assessment (see clause 8) ... 85
B.1 Design and coding standards (referenced by table A.4) ... 87
B.2 Dynamic analysis and testing (referenced by tables A.5 and A.9) ... 87
B.3 Functional and black-box testing (referenced by tables A.5, A.6 and A.7) ... 89
B.4 Failure analysis (referenced by table A.10) ... 89
B.5 Modelling (referenced by table A.7) ... 89
B.6 Performance testing (referenced by tables A.5 and A.6) ... 91
B.7 Semi-formal methods (referenced by tables A.1, A.2 and A.4) ... 91
B.8 Static analysis (referenced by table A.9) ... 91
B.9 Modular approach (referenced by table A.4) ... 93
Figures
1 Overall framework of this standard ... 17
2 E/E/PES safety lifecycle (in realisation phase) ... 25
3 Software safety lifecycle (in realisation phase) ... 25
4 Relationship between and scope of IEC 61508-2 and 61508-3 ... 27
5 Software safety integrity and the development lifecycle (the V-model) ... 27
6 Relationship between the hardware and software architectures of programmable electronics ... 35
FUNCTIONAL SAFETY OF
ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC
SAFETY-RELATED SYSTEMS –
Part 3: Software requirements
FOREWORD
1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, the IEC publishes International Standards. Their preparation is
entrusted to technical committees; any IEC National Committee interested in the subject dealt with may
participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. The IEC collaborates closely with the International Organization
for Standardization (ISO) in accordance with conditions determined by agreement between the two
organizations.
2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested National Committees.
3) The documents produced have the form of recommendations for international use and are published in the form
of standards, technical reports or guides and they are accepted by the National Committees in that sense.
4) In order to promote international unification, IEC National Committees undertake to apply IEC International
Standards transparently to the maximum extent possible in their national and regional standards. Any
divergence between the IEC Standard and the corresponding national or regional standard shall be clearly
indicated in the latter.
5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with one of its standards.
6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject
of patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61508-3 has been prepared by subcommittee 65A: System aspects,
of IEC technical committee 65: Industrial-process measurement and control.
The text of this standard is based on the following documents:
FDIS: 65A/269/FDIS
Report on voting: 65A/277/RVD
Full information on the voting for the approval of this standard can be found in the voting report
indicated in the above table.
Annexes A and B form an integral part of this standard.
Annex C is for information only.
IEC 61508 consists of the following parts, under the general title Functional safety of electrical/
electronic/programmable electronic safety-related systems:
– Part 1: General requirements
– Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
– Part 3: Software requirements
– Part 4: Definitions and abbreviations
– Part 5: Examples of methods for the determination of safety integrity levels
– Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
– Part 7: Overview of techniques and measures
The contents of the corrigendum of April 1999 have been included in this copy.
INTRODUCTION
Systems comprised of electrical and/or electronic components have been used for many years
to perform safety functions in most application sectors. Computer-based systems (generically
referred to as programmable electronic systems (PESs)) are being used in all application
sectors to perform non-safety functions and, increasingly, to perform safety functions. If
computer system technology is to be effectively and safely exploited, it is essential that those
responsible for making decisions have sufficient guidance on the safety aspects on which to
make those decisions.
This International Standard sets out a generic approach for all safety lifecycle activities for
systems comprised of electrical and/or electronic and/or programmable electronic components
(electrical/electronic/ programmable electronic systems (E/E/PESs)) that are used to perform
safety functions. This unified approach has been adopted in order that a rational and consistent
technical policy be developed for all electrically-based safety-related systems. A major
objective is to facilitate the development of application sector standards.
In most situations, safety is achieved by a number of protective systems which rely on many
technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic,
programmable electronic). Any safety strategy must therefore consider not only all the
elements within an individual system (for example sensors, controlling devices and actuators),
but also all the safety-related systems making up the total combination of safety-related
systems. Therefore, while this International Standard is concerned with electrical/electronic/
programmable electronic (E/E/PE) safety-related systems, it may also provide a framework
within which safety-related systems based on other technologies may be considered.
It is recognized that there is a great variety of E/E/PES applications in a variety of application
sectors and covering a wide range of complexity, hazard and risk potentials. In any particular
application, the required safety measures will be dependent on many factors specific to the
application. This International Standard, by being generic, will enable such measures to be
formulated in future application sector international standards.
This International Standard
– considers all relevant overall, E/E/PES and software safety lifecycle phases (for example,
from initial concept, through design, implementation, operation and maintenance to
decommissioning) when E/E/PESs are used to perform safety functions;
– has been conceived with a rapidly developing technology in mind; the framework is
sufficiently robust and comprehensive to cater for future developments;
– enables application sector international standards, dealing with safety-related E/E/PESs, to
be developed; the development of application sector international standards, within the
framework of this International Standard, should lead to a high level of consistency (for
example, of underlying principles, terminology etc.) both within application sectors and
across application sectors; this will have both safety and economic benefits;
– provides a method for the development of the safety requirements specification necessary
to achieve the required functional safety for E/E/PE safety-related systems;
– uses safety integrity levels for specifying the target level of safety integrity for the safety
functions to be implemented by the E/E/PE safety-related systems;
– adopts a risk-based approach for the determination of the safety integrity level
requirements;
– sets numerical target failure measures for E/E/PE safety-related systems which are linked
to the safety integrity levels;
– sets a lower limit on the target failure measures, in a dangerous mode of failure, that can
be claimed for a single E/E/PE safety-related system; for E/E/PE safety-related systems
operating in
• a low demand mode of operation, the lower limit is set at an average probability of failure of 10^-5 to perform its design function on demand,
• a high demand or continuous mode of operation, the lower limit is set at a probability of a dangerous failure of 10^-9 per hour;
NOTE – A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
– adopts a broad range of principles, techniques and measures to achieve functional safety
for E/E/PE safety-related systems, but does not use the concept of fail safe, which may be
of value when the failure modes are well defined and the level of complexity is relatively
low. The concept of fail safe was considered inappropriate because of the full range of
complexity of E/E/PE safety-related systems that are within the scope of the standard.
FUNCTIONAL SAFETY OF
ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC
SAFETY-RELATED SYSTEMS –
Part 3: Software requirements
1 Scope
1.1 This part of IEC 61508
a) is intended to be utilised only after a thorough understanding of IEC 61508-1 and
IEC 61508-2;
b) applies to any software forming part of a safety-related system or used to develop a safety-
related system within the scope of IEC 61508-1 and IEC 61508-2. Such software is termed
safety-related software.
– Safety-related software includes operating systems, system software, software in
communication networks, human-computer interface functions, support tools and
firmware as well as application programs.
– Application programs include high level programs, low level programs and special
purpose programs in limited variability languages (see 3.2.7 of IEC 61508-4).
c) requires that the software safety functions and software safety integrity levels are specified.
NOTE 1 – If this has already been done as part of the specification of the E/E/PE safety-related systems (see
7.2 of IEC 61508-2), then it does not have to be repeated in this part.
NOTE 2 – Specifying the software safety functions and software safety integrity levels is an iterative procedure;
see figures 2 and 6.
NOTE 3 – See clause 5 and annex A of IEC 61508-1 for documentation structure. The documentation structure
may take account of company procedures, and of the working practices of specific application sectors.
d) establishes requirements for safety lifecycle phases and activities which shall be applied
during the design and development of the safety-related software (the software safety
lifecycle model). These requirements include the application of measures and techniques,
which are graded against the safety integrity level, for the avoidance of and control of faults
and failures in the software.
e) provides requirements for information relating to the software safety validation to be passed
to the organisation carrying out the E/E/PES integration.
f) provides requirements for the preparation of information and procedures concerning
software needed by the user for the operation and maintenance of the E/E/PE safety-
related system.
g) provides requirements to be met by the organisation carrying out modifications to safety-
related software.
h) provides, in conjunction with IEC 61508-1 and IEC 61508-2, requirements for support tools
such as development and design tools, language translators, testing and debugging tools,
configuration management tools.
NOTE 4 – Figures 4 and 6 show the relationship between IEC 61508-2 and IEC 61508-3.
1.2 Parts 1, 2, 3 and 4 of this standard are basic safety publications, although this status
does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.4 of
part 4). As basic safety publications, they are intended for use by technical committees in the
preparation of standards in accordance with the principles contained in IEC Guide 104 and
ISO/IEC Guide 51. Parts 1, 2, 3, and 4 are also intended for use as stand-alone publications.
One of the responsibilities of a technical committee is, wherever applicable, to make use of
basic safety publications in the preparation of its publications. In this context, the requirements,
test methods or test conditions of this basic safety publication will not apply unless specifically
referred to or included in the publications prepared by those technical committees.
NOTE – In the USA and Canada, until the proposed process sector implementation of IEC 61508 (i.e. IEC 61511) is
published as an international standard in the USA and Canada, existing national process safety standards based on
IEC 61508 (i.e. ANSI/ISA S84.01-1996) can be applied to the process sector instead of IEC 61508.
1.3 Figure 1 shows the overall framework of parts 1 to 7 IEC 61508, and indicates the role
that IEC 61508-3 plays in the achievement of functional safety for E/E/PE safety-related
systems. Annex A of IEC 61508-6 describes the application of IEC 61508-2 and IEC 61508-3.
[Figure 1 (IEC 1 686/98) is a block diagram; only its box labels survive extraction. Technical requirements column: Part 1, Development of the overall safety requirements (concept, scope definition, hazard and risk analysis) (E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities), 7.1 to 7.5; Part 1, Allocation of the safety requirements to the E/E/PE safety-related systems, 7.6; Part 2, Realisation phase for E/E/PE safety-related systems; Part 3, Realisation phase for safety-related software; Part 1, Installation and commissioning and safety validation of E/E/PE safety-related systems, 7.13 and 7.14; Part 1, Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems, 7.15 to 7.17. Other requirements column: Part 5, Risk based approaches to the development of the safety integrity requirements; Part 7, Overview of techniques and measures; Part 4, Definitions and abbreviations; Part 6, Guidelines for the application of parts 2 and 3; Part 1, Documentation, clause 5 and annex A; Part 1, Management of functional safety, clause 6; Part 1, Functional safety assessment, clause 8.]
Figure 1 – Overall framework of this standard
2 Normative references
The following normative documents contain provisions which, through reference in this text,
constitute provisions of this part of IEC 61508. At the time of publication, the editions indicated
were valid. All normative documents are subject to revision, and parties to agreements based
on this part of IEC 61508 are encouraged to investigate the possibility of applying the most
recent editions of the normative documents indicated below. Members of IEC and ISO maintain
registers of currently valid International Standards.
IEC 61508-1:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
IEC 61508-2: — 1), Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-4:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations of terms
IEC 61508-5:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 5: Examples of methods for the determination of safety integrity levels
IEC 61508-6: — 1), Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 6: Guidelines on the application of parts 2 and 3
IEC 61508-7: — 1), Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 7: Overview of techniques and measures
ISO/IEC Guide 51:1990, Guidelines for the inclusion of safety aspects in standards
IEC Guide 104:1997, Guide to the drafting of safety standards, and the role of Committees with safety pilot functions and safety group functions
3 Definitions and abbreviations
For the purposes of this standard, the definitions and abbreviations given in IEC 61508-4 apply.
4 Conformance to this standard
The requirements for conformance to this standard are given in clause 4 of IEC 61508-1.
5 Documentation
The objectives and requirements for documentation are given in clause 5 of IEC 61508-1.
___________
1) To be published.
6 Software quality management system
6.1 Objectives
The objectives are as detailed in 6.1 of IEC 61508-1.
6.2 Requirements
6.2.1 The requirements are as detailed in 6.2 of IEC 61508-1 with the following additional
requirements.
6.2.2 The functional safety planning shall define the strategy for the software procurement,
development, integration, verification, validation and modification to the extent required by the
safety integrity level of the E/E/PE safety related system.
NOTE – The philosophy of this approach is to use the functional safety planning as an opportunity to customise this
standard to take account of the varying safety integrity which is required in the E/E/PE safety-related system
components. 7.4.2.8 of part 3 should be taken into account when E/E/PE safety-related system components of
differing safety integrity levels are to be used together.
6.2.3 Software configuration management should
a) apply administrative and technical controls throughout the software safety lifecycle, in order
to manage software changes and thus ensure that the specified requirements for software
safety continue to be satisfied;
b) guarantee that all necessary operations have been carried out to demonstrate that the
required software safety integrity has been achieved;
c) maintain accurately and with unique identification all configuration items which are
necessary to maintain the integrity of the E/E/PE safety-related system. Configuration items
include at least the following: safety analysis and requirements; software specification and
design documents; software source code modules; test plans and results; pre-existing
software components and packages which are to be incorporated into the E/E/PE safety-
related system; all tools and development environments which are used to create or test, or
carry out any action on, the software of the E/E/PE safety-related system;
d) apply change-control procedures to prevent unauthorized modifications; to document
modification requests; to analyse the impact of a proposed modification, and to approve or
reject the request; to document the details of, and the authorisation for, all approved
modifications; to establish configuration baseline at appropriate points in the software
development, and to document the (partial) integration testing which justifies the baseline
(see 7.8); to guarantee the composition of, and the building of, all software baselines
(including the rebuilding of earlier baselines);
NOTE 1 – Management decision and authority is needed to guide and enforce the use of administrative and
technical controls.
e) document the following information to permit a subsequent audit: configuration status,
release status, the justification for and approval of all modifications, and the details of the
modification;
f) formally document the release of safety-related software. Master copies of the software and
all associated documentation should be kept to permit maintenance and modification
throughout the operational lifetime of the released software.
NOTE 2 – For further information on configuration management, see ISO/IEC 12207.
7 Software safety lifecycle requirements
7.1 General
7.1.1 Objective
The objective of the requirements of this subclause is to structure the development of the
software into defined phases and activities (see table 1 and figures 2 to 5).
7.1.2 Requirements
7.1.2.1 A safety lifecycle for the development of software shall be selected and specified
during safety planning in accordance with clause 6 of IEC 61508-1.
NOTE – A safety lifecycle model which satisfies the requirements of clause 7 of IEC 61508-1 may be suitably
customised for the particular needs of the project or organisation.
7.1.2.2 Quality and safety assurance procedures shall be integrated into safety lifecycle
activities.
7.1.2.3 Each phase of the software safety lifecycle shall be divided into elementary activities
with the scope, inputs and outputs specified for each phase.
NOTE 1 – For further information on lifecycle phases, see ISO/IEC 12207.
NOTE 2 – Clause 5 of IEC 61508-1 considers the outputs from the safety lifecycle phases. In the development of
some E/E/PE safety-related systems, the output from some safety lifecycle phases may be a distinct document,
while the documented outputs from several phases may be merged. The essential requirement is that the output of
the safety lifecycle phase be fit for its intended purpose. In simple developments, some safety lifecycle phases may
also be merged (see 7.4.5).
7.1.2.4 Provided that the software safety lifecycle satisfies the requirements of figure 3 and
table 1, it is acceptable to tailor the depth, number and work-size of the phases of the V-model
(see figure 5) to take account of the safety integrity and the complexity of the project.
NOTE – The full list of lifecycle phases in table 1 is suitable for large newly developed systems. In small systems, it
might be appropriate, for example, to merge the phases of software system design and architectural design.
7.1.2.5 It is acceptable to order the software project differently from the organization of this
standard (i.e. use another software safety lifecycle model), provided all the objectives and
requirements of this clause are met.
7.1.2.6 For each lifecycle phase, appropriate techniques and measures shall be used.
Annexes A and B (guide to the selection of techniques and measures) give recommendations.
Selecting techniques from annexes A and B does not guarantee by itself that the required
safety integrity will be achieved.
7.1.2.7 The results of the activities in the software safety lifecycle shall be documented (see
clause 5).
7.1.2.8 If at any stage of the software safety lifecycle, a change is required pertaining to an
earlier lifecycle phase, then that earlier safety lifecycle phase and the following phases shall be
repeated.
[Figure 2 (drawing IEC 1 687/98): E/E/PES safety lifecycle, entered from box 9 in figure 2 of IEC 61508-1. Boxes: 9.1 E/E/PES safety requirements specification (9.1.1 Safety functions requirements specification; 9.1.2 Safety integrity requirements specification); 9.2 E/E/PES safety validation planning; 9.3 E/E/PES design and development; 9.4 E/E/PES integration; 9.5 E/E/PES operation and maintenance procedures; 9.6 E/E/PES safety validation. One E/E/PES safety lifecycle for each E/E/PE safety-related system. Exits to box 12 and box 14 in figure 2 of IEC 61508-1.]
Figure 2 – E/E/PES safety lifecycle (in realisation phase)
[Figure 3 (drawing IEC 1 688/98): Software safety lifecycle, linked to the E/E/PES safety lifecycle (see figure 2). Boxes: 9.1 Software safety requirements specification (9.1.1 Safety functions requirements specification; 9.1.2 Safety integrity requirements specification); 9.2 Software safety validation planning; 9.3 Software design and development; 9.4 PE integration (hardware/software); 9.5 Software operation and modification procedures; 9.6 Software safety validation. Exits to box 12 and box 14 in figure 2 of IEC 61508-1.]
Figure 3 – Software safety lifecycle (in realisation phase)
[Figure 4 (drawing IEC 1 689/98): E/E/PES safety requirements specification leads to the E/E/PES architecture, which splits into the hardware safety requirements specification and the software safety requirements specification. Within the scope of IEC 61508-2: programmable electronics design and development; non-programmable hardware design and development. Within the scope of IEC 61508-3: software design and development. The branches rejoin at programmable electronics integration (hardware and software) and then E/E/PES integration.]
Figure 4 – Relationship between and scope of IEC 61508-2 and IEC 61508-3
[Figure 5 (drawing IEC 1 690/98): the V-model. Left leg (outputs): E/E/PES safety requirements specification; software safety requirements specification; software architecture (alongside the E/E/PES architecture); software system design; module design; coding. Right leg (verification against the corresponding left-leg stage): module testing; integration testing (module); integration testing (components, subsystems and programmable electronics); validation testing; validated software. Legend: output; verification.]
Figure 5 – Software safety integrity and the development lifecycle (the V-model)
Table 1 – Software safety lifecycle: overview

Each row gives, for one safety lifecycle phase (figure 3 box number and title): the objectives, the scope, the requirements subclause, the inputs (information required) and the outputs (information produced).

9.1 Software safety requirements specification
Objectives: To specify the requirements for software safety in terms of the requirements for software safety functions and the requirements for software safety integrity; to specify the requirements for the software safety functions for each E/E/PE safety-related system necessary to implement the required safety functions; to specify the requirements for software safety integrity for each E/E/PE safety-related system necessary to achieve the safety integrity level specified for each safety function allocated to that E/E/PE safety-related system.
Scope: PES; software system.
Requirements subclause: 7.2.2
Inputs: E/E/PES safety requirements specification (IEC 61508-2).
Outputs: Software safety requirements specification.

9.2 Software safety validation planning
Objectives: To develop a plan for validating the software safety.
Scope: PES; software system.
Requirements subclause: 7.3.2
Inputs: Software safety requirements specification.
Outputs: Software safety validation plan.

9.3 Software design and development – Architecture
Objectives: To create a software architecture that fulfils the specified requirements for software safety with respect to the required safety integrity level; to review and evaluate the requirements placed on the software by the hardware architecture of the E/E/PE safety-related system, including the significance of E/E/PE hardware/software interactions for safety of the equipment under control.
Scope: PES; software system.
Requirements subclause: 7.4.3
Inputs: Software safety requirements specification; E/E/PES hardware architecture design (from IEC 61508-2).
Outputs: Software architecture design description; software architecture integration test specification; software/programmable electronics integration test specification (the same as IEC 61508-2 requires).

9.3 Software design and development – Support tools and programming languages
Objectives: To select a suitable set of tools, including languages and compilers, for the required safety integrity level, over the whole safety lifecycle of the software, which assists verification, validation, assessment and modification.
Scope: PES; software system; support tools; programming language.
Requirements subclause: 7.4.4
Inputs: Software safety requirements specification; software architecture design description.
Outputs: Development tools and coding standards; selection of development tools.

9.3 Software design and development – Detailed design and development (software system design)
Objectives: To design and implement software that fulfils the specified requirements for software safety with respect to the required safety integrity level, which is analysable and verifiable, and which is capable of being safely modified.
Scope: Major components and subsystems of software architectural design.
Requirements subclause: 7.4.5
Inputs: Software architecture design description; support tools and coding standards.
Outputs: Software system design specification; software system integration test specification.

9.3 Software design and development – Detailed design and development (individual software module design)
Objectives: To design and implement software that fulfils the specified requirements for software safety with respect to the required safety integrity level, which is analysable and verifiable, and which is capable of being safely modified.
Scope: Software system design.
Requirements subclause: 7.4.5
Inputs: Software system design specification; support tools and coding standards.
Outputs: Software module design specification; software module test specification.

9.3 Software design and development – Detailed code implementation
Objectives: To design and implement software that fulfils the specified requirements for software safety with respect to the required safety integrity level, which is analysable and verifiable, and which is capable of being safely modified.
Scope: Individual software modules.
Requirements subclause: 7.4.6
Inputs: Software module design specification; support tools and coding standards.
Outputs: Source code listing; code review report.

9.3 Software design and development – Software module testing
Objectives: To verify that the requirements for software safety (in terms of the required software safety functions and the software safety integrity) have been achieved – to show that each software module performs its intended function and does not perform unintended functions.
Scope: Software modules.
Requirements subclause: 7.4.7
Inputs: Software module test specification; source code listing; code review report.
Outputs: Software module test results; verified and tested software modules.

9.3 Software design and development – Software integration testing
Objectives: To verify that the requirements for software safety (in terms of the required software safety functions and the software safety integrity) have been achieved – to show that all software modules, components and subsystems interact correctly to perform their intended function and do not perform unintended functions.
Scope: Software architecture; software system.
Requirements subclause: 7.4.8
Inputs: Software system integration test specification.
Outputs: Software system integration test results; verified and tested software system.

9.4 Programmable electronics integration (hardware and software)
Objectives: To integrate the software onto the target programmable electronic hardware; to combine the software and hardware in the safety-related programmable electronics to ensure their compatibility and to meet the requirements of the intended safety ...
Scope: Programmable electronics hardware; integrated software.
Requirements subclause: 7.5.2
Inputs: Software architecture integration test specification; programmable electronics integration test specification;
Outputs: Software architecture integration test results; programmable electronics integration test results;
...