Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems

Intended to be used only after a thorough understanding of EN 61508-1, which provides the overall framework for the achievement of functional safety.

Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems

Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems

Intended to be used only after a thorough understanding of EN 61508-1, which provides the overall framework for the achievement of functional safety.

Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (IEC 61508-2:2000)

General Information

Status
Withdrawn
Publication Date
20-Dec-2001
Withdrawal Date
31-Jul-2004
Technical Committee
CLC/SR 65A - System aspects
Drafting Committee
IEC/SC 65A - IEC_SC_65A
Parallel Committee
IEC/SC 65A - IEC_SC_65A
Current Stage
9960 - Withdrawal effective - Withdrawal
Start Date
01-May-2013
Completion Date
01-May-2013

Relations

Effective Date
28-Jan-2023


Frequently Asked Questions

EN 61508-2:2001 is a standard published by CLC. Its full title is "Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems". Its scope note states that it is intended to be used only after a thorough understanding of EN 61508-1, which provides the overall framework for the achievement of functional safety.


EN 61508-2:2001 is classified under the following ICS (International Classification for Standards) categories: 25.040.40 - Industrial process measurement and control. The ICS classification helps identify the subject area and facilitates finding related standards.

EN 61508-2:2001 has the following relationship with other standards: it is linked by an inter-standard link to EN 61508-2:2010. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


EUROPEAN STANDARD EN 61508-2
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2001
ICS 25.040.40
English version
Functional safety of electrical/electronic/programmable electronic
safety-related systems
Part 2: Requirements for electrical/electronic/programmable electronic
safety-related systems
(IEC 61508-2:2000)
French version
Functional safety of electrical/electronic/programmable electronic safety-related systems
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
(CEI 61508-2:2000)
German version
Functional safety of electrical/electronic/programmable electronic safety-related systems
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
(IEC 61508-2:2000)
This European Standard was approved by CENELEC on 2001-07-03. CENELEC members are bound to
comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech Republic,
Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands,
Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2001 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61508-2:2001 E
Foreword
The text of the International Standard IEC 61508-2:2000, prepared by SC 65A, System aspects, of
IEC TC 65, Industrial-process measurement and control, was submitted to the Unique Acceptance
Procedure and was approved by CENELEC as EN 61508-2 on 2001-07-03 without any modification.
The following dates were fixed:
– latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement (dop) 2002-08-01
– latest date by which the national standards conflicting
with the EN have to be withdrawn (dow) 2004-08-01
Annexes designated "normative" are part of the body of the standard.
In this standard, annexes A, B, C and ZA are normative.
Annex ZA has been added by CENELEC.
IEC 61508 is a basic safety publication covering the functional safety of electrical, electronic and
programmable electronic safety-related systems. The scope states:
"This International Standard covers those aspects to be considered when electrical/electronic/
programmable electronic systems (E/E/PESs) are used to carry out safety functions. A major objective
of this standard is to facilitate the development of application sector international standards by the
technical committees responsible for the application sector. This will allow all the relevant factors
associated with the application, to be fully taken into account and thereby meet the specific needs of
the application sector. A dual objective of this standard is to enable the development of
electrical/electronic/programmable electronic (E/E/PE) safety-related systems where application sector
international standards may not exist".
The CENELEC Report R0BT-004, ratified by 103 BT (March 2000) accepts that some IEC standards,
which today are either published or under development, are sector implementations of IEC 61508. For
example:
– IEC 61511, Functional safety - Safety instrumented systems for the process industry sector;
– IEC 62061, Safety of machinery – Functional safety of electrical, electronic and programmable
electronic control systems;
– IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety –
General requirements for systems.
The railways sector has also developed a set of European Standards (EN 50126; EN 50128 and
prEN 50129).
NOTE  EN 50126 and EN 50128 were based on earlier drafts of IEC 61508. prEN 50129 is based on the principles of the
latest version of IEC 61508.
This list does not preclude other sector implementations of IEC 61508 which could be currently under
development or published within IEC or CENELEC.
__________
- 3 - EN 61508-2:2001
Endorsement notice
The text of the International Standard IEC 61508-2:2000 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following note has to be added for the standard indicated:
IEC 61000-4 NOTE  Harmonized in the EN 61000-4 series (not modified).
IEC 60870-5-1 NOTE  Harmonized as EN 60870-5-1:1993 (not modified).
__________
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
This European Standard incorporates by dated or undated reference, provisions from other
publications. These normative references are cited at the appropriate places in the text and the
publications are listed hereafter. For dated references, subsequent amendments to or revisions of any
of these publications apply to this European Standard only when incorporated in it by amendment or
revision. For undated references the latest edition of the publication referred to applies (including
amendments).
NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
Publication | Year | Title | EN/HD | Year
IEC 60050-371 | 1984 | International electrotechnical vocabulary (IEV) - Chapter 371: Telecontrol | -- | --
IEC 60300-3-2 | 1993 | Dependability management - Part 3: Application guide - Section 2: Collection of dependability data from the field | -- | --
IEC 61000-1-1 | 1992 | Electromagnetic compatibility (EMC) - Part 1: General - Section 1: Application and interpretation of fundamental definitions and terms | -- | --
IEC 61000-2-5 | 1995 | Part 2-5: Environment - Classification of electromagnetic environments - Basic EMC publication | -- | --
IEC 61508-1 + corr. May 1999 | 1998 | Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements | EN 61508-1 | 2001
IEC 61508-3 + corr. April 1999 | 1998 | Part 3: Software requirements | EN 61508-3 | 2001
IEC 61508-4 + corr. April 1999 | 1998 | Part 4: Definitions and abbreviations | EN 61508-4 | 2001
IEC 61508-5 + corr. April 1999 | 1998 | Part 5: Examples of methods for the determination of safety integrity levels | EN 61508-5 | 2001
IEC 61508-6 | 2000 | Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 | EN 61508-6 | 2001
IEC 61508-7 | 2000 | Part 7: Overview of techniques and measures | EN 61508-7 | 2001
IEC Guide 104 | 1997 | The preparation of safety publications and the use of basic safety publications and group safety publications | -- | --
ISO/IEC Guide 51 | 1990 | Guidelines for the inclusion of safety aspects in standards | -- | --
IEEE 352 | 1987 | IEEE guide for general principles of reliability analysis of nuclear power generating station safety systems | -- | --

INTERNATIONAL IEC
STANDARD
61508-2
First edition
2000-05
BASIC SAFETY PUBLICATION
Functional safety of electrical/electronic/
programmable electronic safety-related systems –
Part 2:
Requirements for electrical/electronic/
programmable electronic safety-related systems
© IEC 2000 – Copyright – all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,
including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch  Web: www.iec.ch
PRICE CODE
XB
Commission Electrotechnique Internationale
International Electrotechnical Commission
Международная Электротехническая Комиссия
For price, see current catalogue

61508-2 © IEC:2000 – 3 –
CONTENTS
Page
FOREWORD . 7
INTRODUCTION . 11
Clause
1 Scope . 15
2 Normative references. 21
3 Definitions and abbreviations . 23
4 Conformance to this standard . 23
5 Documentation. 23
6 Management of functional safety. 23
7 E/E/PES safety lifecycle requirements . 23
7.1 General. 23
7.2 E/E/PES safety requirements specification. 31
7.3 E/E/PES safety validation planning . 35
7.4 E/E/PES design and development. 37
7.5 E/E/PES integration . 71
7.6 E/E/PES operation and maintenance procedures . 73
7.7 E/E/PES safety validation . 77
7.8 E/E/PES modification. 79
7.9 E/E/PES verification. 79
8 Functional safety assessment . 83
Annex A (normative) Techniques and measures for E/E/PE safety-related systems:
control of failures during operation . 85
A.1 General. 85
A.2 Hardware safety integrity. 87
A.3 Systematic safety integrity. 105
Annex B (normative) Techniques and measures for E/E/PE safety-related systems:
avoidance of systematic failures during the different phases of the lifecycle . 117
Annex C (normative) Diagnostic coverage and safe failure fraction . 137
C.1 Calculation of diagnostic coverage and safe failure fraction of a subsystem . 137
C.2 Determination of diagnostic coverage factors . 139
Bibliography . 143

Page
Figure 1 – Overall framework of IEC 61508 . 19
Figure 2 – E/E/PES safety lifecycle (in realisation phase). 25
Figure 3 – Relationship and scope for IEC 61508-2 and IEC 61508-3. 27
Figure 4 – Relationship between the hardware and software architectures of
programmable electronics . 39
Figure 5 – Example limitation on hardware safety integrity for a single-channel
safety function. 49
Figure 6 – Example limitation on hardware safety integrity for a multiple-channel
safety function. 53
Table 1 – Overview – Realisation phase of the E/E/PES safety lifecycle. 29
Table 2 – Hardware safety integrity: architectural constraints on type A safety-related
subsystems . 47
Table 3 – Hardware safety integrity: architectural constraints on type B safety-related
subsystems . 47
Table A.1 – Faults or failures to be detected during operation or to be analysed in
the derivation of safe failure fraction. 89
Table A.2 – Electrical subsystems . 91
Table A.3 – Electronic subsystems. 93
Table A.4 – Processing units . 93
Table A.5 – Invariable memory ranges . 95
Table A.6 – Variable memory ranges. 95
Table A.7 – I/O units and interface (external communication) . 97
Table A.8 – Data paths (internal communication) . 97
Table A.9 – Power supply. 99
Table A.10 – Program sequence (watch-dog) . 99
Table A.11 – Ventilation and heating system (if necessary) . 101
Table A.12 – Clock . 101
Table A.13 – Communication and mass-storage. 103
Table A.14 – Sensors . 103
Table A.15 – Final elements (actuators) . 105
Table A.16 – Techniques and measures to control systematic failures caused by
hardware and software design. 109
Table A.17 – Techniques and measures to control systematic failures caused by
environmental stress or influences . 111
Table A.18 – Techniques and measures to control systematic operational failures . 113
Table A.19 – Effectiveness of techniques and measures to control systematic failures . 115
Table B.1 – Recommendations to avoid mistakes during specification of E/E/PES
requirements (see 7.2) . 121
Table B.2 – Recommendations to avoid introducing faults during E/E/PES design and
development (see 7.4). 123
Table B.3 – Recommendations to avoid faults during E/E/PES integration (see 7.5). 125
Table B.4 – Recommendations to avoid faults and failures during E/E/PES operation
and maintenance procedures (see 7.6). 127
Table B.5 – Recommendations to avoid faults during E/E/PES safety validation
(see 7.7) . 129
Table B.6 – Effectiveness of techniques and measures to avoid systematic failures . 131

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE
ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 2: Requirements for electrical/electronic/programmable
electronic safety-related systems
FOREWORD
1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, the IEC publishes International Standards. Their preparation is
entrusted to technical committees; any IEC National Committee interested in the subject dealt with may
participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. The IEC collaborates closely with the International
Organization for Standardization (ISO) in accordance with conditions determined by agreement between the
two organizations.
2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested National Committees.
3) The documents produced have the form of recommendations for international use and are published in the form
of standards, technical specifications, technical reports or guides and they are accepted by the National
Committees in that sense.
4) In order to promote international unification, IEC National Committees undertake to apply IEC International
Standards transparently to the maximum extent possible in their national and regional standards. Any
divergence between the IEC Standard and the corresponding national or regional standard shall be clearly
indicated in the latter.
5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with one of its standards.
6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject
of patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61508-2 has been prepared by subcommittee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement and control.
It has the status of a basic safety publication according to IEC Guide 104.
The text of this standard is based on the following documents:
FDIS: 65A/294/FDIS
Report on voting: 65A/303/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 3.

Annexes A, B, and C form an integral part of this standard.
IEC 61508 consists of the following parts, under the general title Functional safety of
electrical/electronic/programmable electronic safety-related systems:
– Part 1: General requirements
– Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
– Part 3: Software requirements
– Part 4: Definitions and abbreviations
– Part 5: Examples of methods for the determination of safety integrity levels
– Part 6: Guidelines on the application of parts 2 and 3
– Part 7: Overview of techniques and measures
The committee has decided that the contents of this publication will remain unchanged
until 2006. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
INTRODUCTION
Systems comprised of electrical and/or electronic components have been used for many years
to perform safety functions in most application sectors. Computer-based systems (generically
referred to as programmable electronic systems (PESs)) are being used in all application
sectors to perform non-safety functions and, increasingly, to perform safety functions. If
computer system technology is to be effectively and safely exploited, it is essential that those
responsible for making decisions have sufficient guidance on the safety aspects on which to
make those decisions.
This International Standard sets out a generic approach for all safety lifecycle activities for
systems comprised of electrical and/or electronic and/or programmable electronic components
(electrical/electronic/programmable electronic systems (E/E/PESs)) that are used to perform
safety functions. This unified approach has been adopted in order that a rational and
consistent technical policy be developed for all electrically based safety-related systems. A
major objective is to facilitate the development of application sector standards.
In most situations, safety is achieved by a number of protective systems which may rely on
many technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic,
programmable electronic). Any safety strategy must therefore consider not only all the
elements within an individual system (for example sensors, controlling devices and actuators)
but also all the safety-related systems making up the total combination of safety-related
systems. Therefore, while this International Standard is concerned with electrical/electronic/
programmable electronic (E/E/PE) safety-related systems, it may also provide a framework
within which safety-related systems based on other technologies may be considered.
It is recognised that there is a great variety of E/E/PES applications in a variety of application
sectors and covering a wide range of complexity, hazard and risk potentials. In any particular
application, the required safety measures will be dependent on many factors specific to the
application. This International Standard, by being generic, will enable such measures to be
formulated in future application sector International Standards.
This International Standard
– considers all relevant overall, E/E/PES and software safety lifecycle phases (for example,
from initial concept, through design, implementation, operation and maintenance to
decommissioning) when E/E/PESs are used to perform safety functions;
– has been conceived with a rapidly developing technology in mind; the framework is
sufficiently robust and comprehensive to cater for future developments;
– enables application sector International Standards, dealing with safety-related E/E/PESs,
to be developed; the development of application sector International Standards, within the
framework of this International Standard, should lead to a high level of consistency (for
example, of underlying principles, terminology, etc.) both within application sectors and
across application sectors; this will have both safety and economic benefits;
– provides a method for the development of the safety requirements specification necessary
to achieve the required functional safety for E/E/PE safety-related systems;
– uses safety integrity levels for specifying the target level of safety integrity for the safety
functions to be implemented by the E/E/PE safety-related systems;

– adopts a risk-based approach for the determination of the safety integrity level
requirements;
– sets numerical target failure measures for E/E/PE safety-related systems which are linked
to the safety integrity levels;
– sets a lower limit on the target failure measures, in a dangerous mode of failure, that can
be claimed for a single E/E/PE safety-related system; for E/E/PE safety-related systems
operating in
– a low demand mode of operation, the lower limit is set at an average probability of
failure of 10^-5 to perform its design function on demand,
– a high demand or continuous mode of operation, the lower limit is set at a probability
of a dangerous failure of 10^-9 per hour;
NOTE  A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
– adopts a broad range of principles, techniques and measures to achieve functional safety
for E/E/PE safety-related systems, but does not rely on the concept of fail safe which may
be of value when the failure modes are well defined and the level of complexity is relatively
low. The concept of fail safe was considered inappropriate because of the full range of
complexity of E/E/PE safety-related systems that are within the scope of the standard.

FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE
ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 2: Requirements for electrical/electronic/programmable
electronic safety-related systems
1 Scope
1.1 This part of IEC 61508
a) is intended to be used only after a thorough understanding of IEC 61508-1, which
provides the overall framework for the achievement of functional safety;
b) applies to any safety-related system, as defined by IEC 61508-1, which contains at least
one electrical, electronic or programmable electronic based component;
c) applies to all subsystems and their components within an E/E/PE safety-related system
(including sensors, actuators and the operator interface);
d) specifies how to refine the information developed in accordance with IEC 61508-1,
concerning the overall safety requirements and their allocation to E/E/PE safety-related
systems, and specifies how the overall safety requirements are refined into E/E/PES
safety functions requirements and E/E/PES safety integrity requirements;
e) specifies requirements for activities that are to be applied during the design and
manufacture of the E/E/PE safety-related systems (i.e. establishes the E/E/PES safety
lifecycle model), except for software, which is dealt with by IEC 61508-3 (see figures 2
and 3) – these requirements include the application of techniques and measures, which
are graded against the safety integrity level, for the avoidance of, and control of, faults
and failures;
f) specifies the information necessary for carrying out the installation, commissioning and
final safety validation of the E/E/PE safety-related systems;
g) does not apply to the operation and maintenance phase of the E/E/PE safety-related
systems – this is dealt with in IEC 61508-1 – however, IEC 61508-2 does provide
requirements for the preparation of information and procedures needed by the user for the
operation and maintenance of the E/E/PE safety-related systems;
h) specifies requirements to be met by the organisation carrying out any modification of
the E/E/PE safety-related systems.
NOTE 1  This part of IEC 61508 is mainly directed at suppliers and/or in-company engineering departments, hence
the inclusion of requirements for modification.
NOTE 2  The relationship between IEC 61508-2 and IEC 61508-3 is illustrated in figure 3.
1.2 IEC 61508-1, IEC 61508-2, IEC 61508-3 and IEC 61508-4 are basic safety publications,
although this status does not apply in the context of low complexity E/E/PE safety-related
systems (see 3.4.4 of IEC 61508-4). As basic safety publications, they are intended for use by
technical committees in the preparation of standards in accordance with the principles
contained in IEC Guide 104 and ISO/IEC Guide 51. IEC 61508 is also intended for use as a
stand-alone standard.
One of the responsibilities of a technical committee is, wherever applicable, to make use of
basic safety publications in the preparation of its publications. In this context, the
requirements, test methods or test conditions of this basic safety publication will not apply
unless specifically referred to or included in the publications prepared by those technical
committees.
NOTE 1  The functional safety of an E/E/PE safety-related system can only be achieved when all related
requirements are met. Therefore, it is important that all related requirements are carefully considered and
adequately referenced.
NOTE 2  In the USA and Canada, until the proposed sector implementation of IEC 61508 (i.e. IEC 61511) is
published as an international standard in the USA and Canada, existing national process safety standards based
on IEC 61508 (i.e. ANSI/ISA-S84.01) can be applied to the process sector instead of IEC 61508.
1.3 Figure 1 shows the overall framework for parts 1 to 7 of IEC 61508 and indicates the role
that IEC 61508-2 plays in the achievement of functional safety for E/E/PE safety-related
systems. Annex A of IEC 61508-6 describes the application of IEC 61508-2 and IEC 61508-3.

[Figure 1 is a diagram; the box text recovered from extraction is listed below by column.]
Technical requirements:
– PART 1: Development of the overall safety requirements (concept, scope definition, hazard and risk analysis) (E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities) – 7.1 to 7.5
– PART 5: Risk based approaches to the development of the safety integrity requirements
– PART 1: Allocation of the safety requirements to the E/E/PE safety-related systems – 7.6
– PART 2: Realisation phase for E/E/PE safety-related systems
– PART 3: Realisation phase for safety-related software
– PART 1: Installation and commissioning and safety validation of E/E/PE safety-related systems – 7.13 and 7.14
– PART 1: Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems – 7.15 to 7.17
Other requirements:
– PART 4: Definitions and abbreviations
– PART 7: Overview of techniques and measures
– PART 6: Guidelines for the application of parts 2 and 3
– PART 1: Documentation – Clause 5 and annex A
– PART 1: Management of functional safety – Clause 6
– PART 1: Functional safety assessment – Clause 8
IEC 312/2000
Figure 1 – Overall framework of IEC 61508

2 Normative references
The following normative documents contain provisions which, through reference in this text,
constitute provisions of this part of IEC 61508. For dated references, subsequent
amendments to, or revisions of, any of these publications do not apply. However, parties to
agreements based on this part of IEC 61508 are encouraged to investigate the possibility of
applying the most recent editions of the normative documents indicated below. For undated
references, the latest edition of the normative document referred to applies. Members of IEC
and ISO maintain registers of currently valid International Standards.
IEC 60050(371):1984, International Electrotechnical Vocabulary – Chapter 371: Telecontrol
IEC 60300-3-2:1993, Dependability management – Part 3: Application guide – Section 2:
Collection of dependability data from the field
IEC 61000-1-1:1992, Electromagnetic compatibility (EMC) – Part 1: General – Section 1:
Application and interpretation of fundamental definitions and terms
IEC 61000-2-5:1995, Electromagnetic compatibility (EMC) – Part 2: Environment – Section 5:
Classification of electromagnetic environments – Basic EMC publication
IEC 61508-1:1998, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 1: General requirements
IEC 61508-3:1998, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 3: Software requirements
IEC 61508-4:1998, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 4: Definitions and abbreviations
IEC 61508-5:1998, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 5: Examples of methods for the determination of safety integrity levels
IEC 61508-6, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 6: Guidelines on the application of parts 2 and 3 1)
IEC 61508-7:2000, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 7: Overview of techniques and measures
IEC Guide 104:1997, The preparation of safety publications and the use of basic safety
publications and group safety publications
ISO/IEC Guide 51:1990, Guidelines for the inclusion of safety aspects in standards
IEEE 352:1987, IEEE guide for general principles of reliability analysis of nuclear power
generating station safety systems
———————
1) To be published.
61508-2 © IEC:2000 – 23 –
3 Definitions and abbreviations
For the purposes of this part of IEC 61508, the definitions and abbreviations given in
IEC 61508-4 apply.
4 Conformance to this standard
The requirements for conformance to this standard are as detailed in clause 4 of IEC 61508-1.
5 Documentation
The requirements for documentation are as detailed in clause 5 of IEC 61508-1.
6 Management of functional safety
The requirements for management of functional safety are as detailed in clause 6 of
IEC 61508-1.
7 E/E/PES safety lifecycle requirements
7.1 General
7.1.1 Objectives and requirements: General
7.1.1.1  This subclause sets out the objectives and requirements for the E/E/PES safety
lifecycle phases.
NOTE  The objectives and requirements for the overall safety lifecycle, together with a general introduction to the
structure of the standard, are given in IEC 61508-1.
7.1.1.2  For all phases of the E/E/PES safety lifecycle, table 1 indicates
− the objectives to be achieved;
− the scope of the phase;
− a reference to the subclause containing the requirements;
− the required inputs to the phase;
− the outputs required to comply with the subclause.
7.1.2 Objectives
7.1.2.1  The first objective of the requirements of this subclause is to structure, in a
systematic manner, the phases in the E/E/PES safety lifecycle that shall be considered in
order to achieve the required functional safety of the E/E/PE safety-related systems.
7.1.2.2  The second objective of the requirements of this subclause is to document all
information relevant to the functional safety of the E/E/PE safety-related systems throughout
the E/E/PES safety lifecycle.
7.1.3 Requirements
7.1.3.1  The E/E/PES safety lifecycle that shall be used in claiming conformance with this
standard is that specified in figure 2. If another E/E/PES safety lifecycle is used, it shall be
specified during functional safety planning (see clause 6 of IEC 61508-1), and all the
objectives and requirements of each subclause of IEC 61508-2 shall be met.
NOTE  The relationship and scope for IEC 61508-2 and IEC 61508-3 are shown in figure 3.
7.1.3.2  The procedures for management of functional safety (see clause 6 of IEC 61508-1)
shall run in parallel with the E/E/PES safety lifecycle phases.
7.1.3.3  Each phase of the E/E/PES safety lifecycle shall be divided into elementary
activities, with the scope, inputs and outputs specified for each phase (see table 1).
7.1.3.4  Unless justified during functional safety planning, the outputs of each phase of the
E/E/PES safety lifecycle shall be documented (see clause 5 of IEC 61508-1).
7.1.3.5  The outputs for each E/E/PES safety lifecycle phase shall meet the objectives and
requirements specified for each phase (see 7.2 to 7.9).
[Figure 2 – E/E/PES safety lifecycle (in realisation phase); IEC 313/2000. The figure expands
box 9 ("Safety-related systems: E/E/PES Realisation") of figure 2 of part 1 into the following
boxes, one E/E/PES safety lifecycle being run for each E/E/PE safety-related system:
  9.1 E/E/PES safety requirements specification, comprising
      9.1.1 Safety functions requirements specification and
      9.1.2 Safety integrity requirements specification
  9.2 E/E/PES safety validation planning
  9.3 E/E/PES design and development, including software (see IEC 61508-3)
  9.4 E/E/PES integration
  9.5 E/E/PES installation, commissioning, operation, and maintenance procedures
  9.6 E/E/PES safety validation
Box 9.5 leads to box 12 in figure 2 of part 1; box 9.6 leads to box 14 in figure 2 of part 1.]
NOTE  See also IEC 61508-6, A.2(b).
Figure 2 – E/E/PES safety lifecycle (in realisation phase)

[Figure 3 – Relationship and scope for IEC 61508-2 and IEC 61508-3; IEC 314/2000. The figure
shows the E/E/PES safety requirements specification feeding the E/E/PES architecture, which
in turn yields a hardware safety requirements specification (scope of part 2) and a software
safety requirements specification (scope of part 3). Within the scope of part 2, non-programmable
hardware goes through non-programmable electronics design and development, and programmable
electronic hardware goes through programmable hardware design and development. Within the scope
of part 3, software goes through software design and development. Programmable electronics
integration (hardware and software) then feeds E/E/PES integration.]
Figure 3 – Relationship and scope for IEC 61508-2 and IEC 61508-3

Table 1 – Overview – Realisation phase of the E/E/PES safety lifecycle

Columns: Safety lifecycle phase or activity (figure 2 box number and title); Objectives; Scope;
Requirements subclause; Inputs; Outputs.

Box 9.1 – E/E/PES safety requirements specification
  Objectives: To specify the requirements for each E/E/PE safety-related system, in terms of the
    required safety functions and the required safety integrity, in order to achieve the required
    functional safety.
  Scope: E/E/PE safety-related systems.
  Requirements subclause: 7.2.2.
  Inputs: Description of allocation of safety requirements (see 7.6 of IEC 61508-1).
  Outputs: E/E/PES safety requirements; requirements for software safety as an input to the
    software safety requirements specification.

Box 9.2 – E/E/PES safety validation planning
  Objectives: To plan the validation of the safety of the E/E/PE safety-related systems.
  Scope: E/E/PE safety-related systems.
  Requirements subclause: 7.3.2.
  Inputs: E/E/PES safety requirements.
  Outputs: Plan for the safety validation of the E/E/PE safety-related systems.

Box 9.3 – E/E/PES design and development
  Objectives: To design the E/E/PE safety-related systems to meet the requirements for safety
    functions and safety integrity.
  Scope: E/E/PE safety-related systems.
  Requirements subclause: 7.4.2 to 7.4.9.
  Inputs: E/E/PES safety requirements.
  Outputs: Design of the E/E/PE safety-related systems in conformance with the E/E/PES safety
    requirements; plan for the E/E/PES integration test; PES architectural information as an
    input to the software requirements specification.

Box 9.4 – E/E/PES integration
  Objectives: To integrate and test the E/E/PE safety-related systems.
  Scope: E/E/PE safety-related systems.
  Requirements subclause: 7.5.2.
  Inputs: E/E/PES design; E/E/PES integration test plan; programmable electronics hardware and
    software.
  Outputs: Fully functioning E/E/PE safety-related systems in conformance with the E/E/PES
    design; results of E/E/PES integration tests.

Box 9.5 – E/E/PES installation, commissioning, operation, and maintenance procedures
  Objectives: To develop procedures to ensure that the functional safety of the E/E/PE
    safety-related systems is maintained during operation and maintenance.
  Scope: E/E/PE safety-related systems; EUC.
  Requirements subclause: 7.6.2.
  Inputs: E/E/PES safety requirements; E/E/PES design.
  Outputs: E/E/PES installation, commissioning, operation and maintenance procedures for each
    individual E/E/PES.

Box 9.6 – E/E/PES safety validation
  Objectives: To validate that the E/E/PE safety-related systems meet, in all respects, the
    requirements for safety in terms of the required safety functions and the required safety
    integrity.
  Scope: E/E/PE safety-related systems.
  Requirements subclause: 7.7.2.
  Inputs: E/E/PES safety requirements; plan for the safety validation of the E/E/PE
    safety-related systems.
  Outputs: Fully safety validated E/E/PE safety-related systems; results of E/E/PES safety
    validation.

(no box) – E/E/PES modification
  Objectives: To make corrections, enhancements or adaptations to the E/E/PE safety-related
    systems, ensuring that the required safety integrity level is achieved and maintained.
  Scope: E/E/PE safety-related systems.
  Requirements subclause: 7.8.2.
  Inputs: E/E/PES safety requirements.
  Outputs: Results of E/E/PES modification.

(no box) – E/E/PES verification
  Objectives: To test and evaluate the outputs of a given phase to ensure correctness and
    consistency with respect to the products and standards provided as input to that phase.
  Scope: E/E/PE safety-related systems.
  Requirements subclause: 7.9.2.
  Inputs: As above – depends on the phase; plan for the verification of the E/E/PE
    safety-related systems for each phase.
  Outputs: As above – depends on the phase; results of the verification of the E/E/PE
    safety-related systems for each phase.

(no box) – E/E/PES functional safety assessment
  Objectives: To investigate and arrive at a judgement on the functional safety achieved by the
    E/E/PE safety-related systems.
  Scope: E/E/PE safety-related systems.
  Requirements subclause: 8.
  Inputs: Plan for E/E/PES functional safety assessment.
  Outputs: Results of E/E/PES functional safety assessment.
7.2 E/E/PES safety requirements specification
NOTE  This phase is box 9.1 of figure 2.
7.2.1 Objective
The objective of the requirements of this subclause is to specify the requirements for each
E/E/PE safety-related system, in terms of the required safety functions and the required
safety integrity, in order to achieve the required functional safety.
NOTE  The safety functions may, for example, be required to put the EUC into a safe state or to maintain a safe
state.
7.2.2 General requirements
7.2.2.1  The specification of the E/E/PES safety requirements shall be derived from the
allocation of safety requirements, specified in 7.6 of IEC 61508-1, and from those
requirements specified during functional safety planning (see clause 6 of IEC 61508-1). This
information shall be made available to the E/E/PES developer.
NOTE  Caution should be exercised if non-safety functions and safety functions are implemented in the same
E/E/PE safety-related system. While this is allowed in the standard, it may lead to greater complexity and increase
the difficulty in carrying out E/E/PE safety lifecycle activities (for example design, validation, functional safety
assessment and maintenance).
7.2.2.2  The E/E/PES safety requirements shall be expressed and structured in such a way
that they are
a) clear, precise, unambiguous, verifiable, testable, maintainable and feasible; and
b) written to aid comprehension by those who are likely to utilise the information at any stage
of the E/E/PES safety lifecycle.
7.2.2.3 The specification of the E/E/PES safety requirements shall contain the requirements
for the E/E/PES safety functions (see 7.2.3.1) and the requirements for E/E/PES safety
integrity (see 7.2.3.2).
7.2.3 E/E/PES safety requirements
7.2.3.1  The E/E/PES safety functions requirements specification shall contain
a) a description of all the safety functions necessary to achieve the required functional
safety, which shall, for each safety function,
– provide comprehensive detailed requirements suffici
...