Understanding Key Changes in IEC 61508:2010
A UL White Paper Understanding Key Changes in IEC 61508:2010 Understanding Key Changes in IEC 61508:2010 The Importance of Functional Safety Development First published in 1998, IEC 61508 is the principal standard of functional safety. The second edition of the standard — IEC 61508:2010 — has been in effect since April 2010, and covers those aspects to be considered when electrical/electronic/programmable electronic (E/E/PE) systems are used to carry out safety functions. This second edition cancels and replaces the first edition, as it constitutes a technical revision. A major objective of this standard is to facilitate the development of product and application sector international standards by the related technical committees. This will allow all the relevant factors associated with the product or application to be taken into account fully and thereby meet the specific needs of users of the product and application sector. A second objective of this standard is to enable the development of E/E/PE safety-related systems where product or application sector international standards do not exist. The significant and basic aspects This paper addresses key changes of functional safety development, in five critical areas of focus: evaluation, and verification remain in the second edition, including the overall 1)Traceability safety lifecycle, use of the V-Model for 2)Elements implementation of software development 3)On-chip redundancy in particular, and the assessment of performance using Failure Mode Effects Analysis (FMEA) and other probabilistic 4)EMC requirements 5)Clearer definitions of failure types calculations. However, important changes have particular impact on component Traceability manufacturers, resulting in a higher The need for traceability is clarified degree of confidence for manufacturers, in the new edition. “When we start integrators, and end users alike. looking through the whole product development process, all phases ultimately trace to one another,” says Anura Fernando, research engineer, predictive modeling and risk analysis, at Underwriters Laboratories (UL). page 2 Understanding Key Changes in IEC 61508:2010 Viewed from a broader perspective, components that feed into the supply rather than as a single component or chain. Understanding the requirements device that is being developed with 61508 for components relative to the different compliance, the concept of traceability safety integrity levels (SILs) can provide a can carry through to the overall supply level of assurance for systems integrators. chain. When a component is integrated By having visibility into the component into a system, the end user can look at development process, they understand what has been done at the component that using the same types of processes to level to see how all the developmental build a larger system provides a consistent activities tie together at that level, as mechanism for risk management. well as how they tie together at the sub-assembly level and the system level. “Traceability is probably the key element in building the overall safety case “When we talk about traceability from for a safety-related control system an individual product perspective, we’re or subsystem,” says Thomas Maier, looking at everything that goes into the principal engineer, functional safety, at development effort, all the way from UL. “Only if you have full traceability — the product concept to the validation from requirements and hazard analysis of the product,” says Fernando. through concept design, down through every single component and every single All the stages of development are line of code that goes into the system or involved in traceability: developing subsystem (and further traceability to all requirements for the product, the test cases and test results) — do you determining the product design, applying have a chance to build a really conclusive proper verification techniques to make safety case for these complex systems.” "Only if you have full traceability — from requirements and hazard analysis through concept design, down through every single component and every single line of code that goes into the system or subsystem (and further traceability to all the test cases and test results) — do you have a chance to build a really conclusive safety case for these complex systems." —Thomas Maier, principal engineer sure that the product is being designed and implemented correctly, implementing Traceability is also essential if working the verified product, testing to assure that change management processes are to each process has been achieved according be in place. Whenever a safety-related to specification, then finally testing certified product has been released to ensure that the product’s original and a “bug” is discovered or some requirements have been met — that changes are indicated, it is important the customer’s need for the product has to discover what is impacted by been satisfied. “From a risk management the proposed change: which parts, perspective, these kinds of things elements, or software functions will help to minimize systematic failures be affected. “The only way to find and defects that can be introduced that out is if you have thorough and into a product,” explains Fernando. detailed traceability,” Maier concludes. From a supply chain perspective, the Elements second edition provides additional “Element” is a newly introduced concept guidelines about what is required consisting of inputs, some safety-related in the second edition of IEC 61508; from a traceability perspective for logic, and safety-related output. In IEC all the development and verification terms, this is called an E/E/PE system. page 3 calculations are now performed based on this concept. An element can be considered the lowest-level item from which a safety-related system is composed; it is at the base of the functional safety hierarchy. “As the lowest-level item, elements are where you begin,” says Maier. For example, the SIL parameter “safe failure fraction” is now to be determined for elements, and no longer for subsystems. At the top of the hierarchy is the system, a complete, safety-related control system Understanding Key Changes in IEC 61508:2010 This safety-related control system can be being independent of each other), you It is electromagnetic immunity that decomposed into subsystems: an input may achieve a kind of bonus regarding is of critical importance to functional subsystem, then the logic subsystem, the systematic capability these elements safety. All the immunity phenomena and then an output subsystem leading have to fulfill. For example, if the that are known and specified in the to the actuators. So subsystems, overall objective is SIL 2, then each of standards need to be considered. What connected in series, are what build a the two elements would only have to is important for functional safety — complete, safety-related control system. fulfill a systematic capability of SIL 1. what is required by the second version These subsystems can be further On-Chip Redundancy decomposed into the elements. Elements The second edition of IEC 61508 defines of electromagnetic immunity are implement, for example, redundant stringent requirements for on-chip considered to decrease the probability channels. They can be connected in redundancy. Special architectural that electromagnetic phenomena could series and in parallel, if they belong requirements for integrated circuits (ICs) cause loss of the safety function. to different channels. For example, a with on-chip redundancy are given in a microprocessor can be an element in normative annex of the standard. This Emissions are also included with a safety-related logic subsystem. requirement is being driven by emerging immunity; but, in the United States, technologies such as Field Programmable the Federal Communications Grid Arrays (FPGAs) and advances in Commission (FCC) typically deals with Application Specific Integrated Circuits electromagnetic emissions. A few (ASICs) that are helping to drive down areas of functional safety (e.g., the costs by incorporating more functionality elevator industry) are required to look onto a single chip. A group of techniques at emissions and immunity because a and measures essential to preventing system can itself generate emissions the introduction of faults during the that could exceed tested immunity design and development of these levels. But this is the exception. If you develop a programmable safety relay, you select an architecture — say a two-channel one. Each of these channels needs to have a microprocessor — a microcontroller; in IEC 61508 terms, each of these microcontrollers would be an element. So to fulfill a certain SIL of the subsystem or safety-related control system, you have to fulfill hardware requirements and provide probability calculations concerning components has been introduced in the new version of the standard. of IEC 61508 — is that testing go beyond the normal levels so that higher levels “One should be clear in making a distinction between emission reliability that address random EMC Requirements requirements and immunity hardware failures. You also have to The focus on electromagnetic requirements,” says Maier. “Functional fulfill requirements concerning the use compatibility (EMC) has increased safety is overwhelmingly about immunity of stringent processes and methods for significantly in the second edition of and being protected against any the development of software. These IEC 61508. In the old standard, the EMC electromagnetic emissions that could requirements address systematic failures. requirements were not expressed very be expected in a certain environment.” Synthesis of Elements explicitly. They were sometimes forgotten “The equation, ‘SIL 1 plus SIL 1 equals SIL 2’ has to do with the synthesis of elements,” says Maier. This means that, if you have two elements that are redundant (two elements that implement two channels, each channel page 4 or not as respected as they should have been. Now this has changed. “You cannot do a functional safety evaluation without looking at environmental impacts, and electromagnetic phenomena are among the most important environmental impacts to consider,” notes Maier. EMC is critical because it is a major common cause failure. As noted above, if you design a functionally safe product, it often has a level of redundancy: two channels that perform the safety function. This is how fault tolerance is achieved. Electromagnetic impacts could destroy or disturb Understanding Key Changes in IEC 61508:2010 both channels at exactly the same it was always a bit doubtful that no to advisory consultative services that time, meaning the loss of the safety part failures could be considered for can train, coach, and educate your staff. function. That’s a “common cause.” calculating the safe failure fraction. The second edition of IEC 61508 makes it For more information on how we can help “If you have a safety-related control very clear that these two types of failures you with the second edition of IEC 61508 signal, that signal is supposed to look must not be considered in doing the and other functional safety issues, please a particular way,” says Fernando. calculation of the safe failure fraction. contact Kevin Connelly at 1.631.546.2691, “Electromagnetic interference can or by e-mail at [email protected], distort the signal so that it looks very “Under the first edition, this was not different, and this distortion (i.e. clearly stated,” says Maier. Component change in waveform or waveshape) manufacturers could, in principle, has the potential to cause the embellish their figures. “You could make system to respond in an unexpected, them look better by including no part and possibly unsafe way.” failures and inventing some additional no or visit us at ul.com/functionalsafety. effect failures to improve the percentage Two IEC standards specifically address of non-dangerous failures,” notes Maier. EMC requirements in relation to functional safety: the technical Now you are only allowed to consider specification IEC/TS 61000-1-2 and real safe failures and real dangerous IEC 61326-3-1. These are referred to failures. All other failures that are not in the second edition of IEC 61508. part of the safety circuit or have no effect Clearer Definitions of Failure Types on the behavior of the safety circuit must not be taken into consideration. same definitions of a safe failure and Something Else You Should Know a dangerous failure; but, it goes on to Since UL personnel have participated define a new “no effect failure” and a in the writing of the second IEC 61508 “no part failure” that are important to standard, we are ideally positioned to understand. A no effect failure is the help you understand its nuances. The second edition of IEC 61508 has the failure of a component that is part of the safety-related circuit, but which has no Whether you are an experienced effect on the safety function at all when manufacturer that currently has products it fails — it doesn’t make the system fall certified under the first edition of IEC to the safe side or the dangerous side. A 61508 and are now looking to convert to no part failure is a failure of a component the second edition, or you are new to the that is somewhere in the system, but is functional safety space and the second not related to the safety related circuits. edition is your first involvement with functional safety certification, UL is here The first edition of IEC 61508 allowed to help. What’s more, UL has people who the consideration of no effect failures can assist every step of the way, from our as being safe failures. Furthermore, functional safety mark, to certification, page 5 Copyright © 2011 Underwriters Laboratories Inc. All rights reserved. No part of this document may be copied or distributed without the prior written consent of Underwriters Laboratories Inc. 4/11 BDI 110420
© Copyright 2024