IEC TECHNICAL REPORT TR 61508-0, First edition, 2005-01: Functional safety of electrical/electronic/programmable electronic safety-related systems
Provided by IHS under license with IEC
3.1 What is functional safety?

Safety is defined as freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.

Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

An overtemperature protection device that uses a thermal sensor in the windings of an electric motor to de-energize the motor before it can overheat is an instance of functional safety. Specialized insulation designed to withstand high temperatures, by contrast, is not an instance of functional safety, even though it is a safety measure and protects against the same hazard.

Neither safety nor functional safety can be determined without considering the system as a whole and the environment with which it interacts.
3.2 Safety functions and safety-related systems
Those who specify or develop equipment and its control systems must identify, by hazard analysis, the significant hazards the equipment presents in its intended environment. The analysis determines whether functional safety is necessary to provide adequate protection against each significant hazard; where it is, functional safety has to be designed in appropriately. Functional safety is one way of dealing with hazards; other means, above all inherently safe design, remain essential for eliminating or reducing them.

Safety-related systems are designed to perform specific functions, called safety functions, that keep risk at an acceptable level. To achieve functional safety, two types of requirement must be met:

• safety function requirements (what the function does), and
• safety integrity requirements (the likelihood of the safety function being performed satisfactorily).

Safety function requirements are derived from the hazard analysis, and safety integrity requirements from the risk assessment. The higher the safety integrity level, the lower the likelihood of dangerous failure.

Any system, whatever its technology, that carries out safety functions is a safety-related system. A safety-related system may be separate from the equipment control system, or the control system itself may carry out safety functions, in which case the control system is itself safety-related. Higher levels of safety integrity require more rigorous engineering of the safety-related system.
3.3 Example of functional safety

Consider a machine with a rotating blade protected by a hinged solid cover that can be lifted for routine cleaning. The cover is fitted with an interlock: when it is lifted, the interlock de-energizes the motor and engages a brake, so that the blade stops before it can pose a risk to the operator.

To achieve safety, both a hazard analysis and a risk assessment are needed. The hazard analysis identifies the hazards associated with cleaning the blade and concludes, for example, that the hinged cover must not be able to be lifted more than 5 mm before the brake is activated and the blade stops, and that the blade must come to rest within 1 s. These findings define the safety function. The risk assessment then determines the performance required of that safety function, i.e. the safety integrity needed so that nobody is exposed to an unacceptable risk from this hazardous event.

The harm resulting from failure of the safety function may range from bruising to amputation of the operator's hand. The risk also depends on how often the cover is lifted, which may be several times a day or less than once a month. The required safety integrity therefore rises with both the severity of the possible injury and the frequency of exposure to the hazard.

The safety integrity of the safety function depends on all the equipment needed to perform it correctly: the interlock, its electrical circuit, the motor and the brake. The safety function and its safety integrity specify the behaviour required of the safety-related system as a whole in its particular environment.

In summary, the hazard analysis determines what must be done to prevent the hazardous event associated with the blade, and the risk assessment determines the safety integrity required of the interlock system for the risk to be acceptable. These two questions, "What safety function has to be performed?" (the safety function requirements) and "What degree of certainty is necessary that the safety function will be carried out?" (the safety integrity requirements), are the essence of functional safety.
3.4 Challenges in achieving functional safety
Safety functions are increasingly carried out by electrical, electronic or programmable electronic systems. Such systems are usually complex, so that in practice it is impossible to identify every failure mode fully or to test every possible behaviour. This makes it difficult to predict the safety performance; testing is necessary, but on its own it is not sufficient.

The challenge is to design the system so that dangerous failures are prevented, or are controlled when they arise. Dangerous failures may arise from:

• incorrect specification of the system, hardware or software;
• omissions in the safety requirements specification (e.g. failure to develop all relevant safety functions for the different modes of operation);
• random hardware failure mechanisms;
• systematic hardware failure mechanisms;
• environmental influences (e.g. electromagnetic, temperature or mechanical phenomena);
• supply system voltage disturbances (e.g. loss of supply, reduced voltage, reconnection of supply).

IEC 61508 contains requirements to minimise these failures; the standard is described in the next clause.
4 IEC 61508 – Functional safety of E/E/PE safety-related systems

4.1 Objectives

IEC 61508 aims to:

• release the potential of E/E/PE technology to improve both safety and economic performance;
• enable technological developments to take place within an overall safety framework;
• provide a technically sound, system-based approach, with sufficient flexibility for the future;
• provide a risk-based approach for determining the required performance of safety-related systems;
• provide a generic standard that can be used directly by industry and can also serve as a basis for developing sector standards (e.g. for machinery, chemical process plants, medical applications or railways) and product standards (e.g. for power drive systems);
• provide a means for users and regulators to gain confidence when using computer-based technology;
• provide requirements based on common underlying principles to facilitate:
  - improved efficiencies in the supply chain for suppliers of subsystems and components to various sectors,
  - improved communication and understanding of requirements (i.e. greater clarity about what needs to be specified),
  - the development of techniques and measures that can be used across all sectors, increasing the available resources,
  - the development of conformity assessment services where required.
IEC 61508 does not cover the precautions that may be necessary to prevent unauthorized persons from damaging, or otherwise adversely affecting, the functional safety achieved by E/E/PE safety-related systems. Protection of a safety-related system against deliberate interference, including through the remote monitoring, operation or programming paths listed among the examples in this clause, therefore has to be addressed outside this standard.

4.2 E/E/PE safety-related systems

IEC 61508 is concerned with functional safety achieved by safety-related systems that are primarily implemented in electrical, electronic or programmable electronic (E/E/PE) technologies; that is, with E/E/PE safety-related systems. The standard is generic in that it applies to all such systems irrespective of their application.
Some requirements of the standard apply to development activities that take place before the implementation technology has been decided, in particular the development of the overall safety requirements (concept, scope definition, hazard analysis and risk assessment). Where E/E/PE technologies might be used, the standard has to be applied so that the functional safety requirements for any E/E/PE safety-related system are determined in a methodical, risk-based way.

Other requirements of the standard are not specific to E/E/PE technology at all: those on documentation, management of functional safety, functional safety assessment and competence. Requirements that are not technology-specific can usefully be applied to other safety-related systems too, even though such systems are outside the scope of the standard.
The following are examples of E/E/PE safety-related systems:

• emergency shut-down system in a hazardous chemical process plant;
• crane safe load indicator;
• guard interlocking and emergency stopping systems for machinery;
• variable speed motor drive used to restrict speed as a means of protection;
• system for interlocking and controlling the exposure dose of a medical radiotherapy machine;
• dynamic positioning (control of a ship's movement when in proximity to an offshore installation);
• fly-by-wire operation of aircraft flight control surfaces;
• automobile indicator lights, anti-lock braking and engine-management systems;
• remote monitoring, operation or programming of a network-enabled process plant;
• an information-based decision support tool where erroneous results affect safety.
An E/E/PE safety-related system comprises everything needed to carry out the safety function: sensors, control logic and communication systems, final actuators, and any critical actions of human operators.

The definition of an E/E/PE safety-related system follows from the definition of safety: freedom from unacceptable risk of physical injury or damage to the health of people, whether directly or indirectly through damage to property or the environment. Some systems, however, are designed primarily to protect against failures with serious economic consequences. IEC 61508 can also be used to develop any E/E/PE system that carries out critical functions of that kind, such as the protection of equipment or product.
4.3 Technical approach

IEC 61508:

• uses a risk-based approach to determine the safety integrity requirements of E/E/PE safety-related systems, and includes a number of examples of how this can be done;
• uses an overall safety lifecycle model as the technical framework for the activities necessary to ensure that functional safety is achieved by the E/E/PE safety-related systems;
• covers all safety lifecycle activities, from initial concept through hazard analysis and risk assessment, development of the safety requirements, specification, design, implementation, operation, maintenance and modification, to final decommissioning and disposal;
• encompasses system aspects (comprising all the subsystems carrying out the safety functions, including hardware and software) and failure mechanisms (random hardware and systematic);
• contains both requirements for preventing failures (avoiding the introduction of faults) and requirements for controlling failures (ensuring safety even when faults are present);
• specifies the techniques and measures that are necessary to achieve the required safety integrity.
4.4 Safety integrity levels

IEC 61508 defines four safety integrity levels (SILs) for safety functions, from safety integrity level 1 (SIL1), the lowest, to safety integrity level 4 (SIL4), the highest. The standard sets out the requirements needed to achieve each SIL; the requirements become more rigorous at the higher levels, so as to reduce the likelihood of dangerous failure.

An E/E/PE safety-related system will usually carry out more than one safety function. If the safety integrity requirements for these functions differ, then unless there is sufficient independence of implementation between them, the requirements applicable to the highest relevant safety integrity level apply to the whole E/E/PE safety-related system.

If one E/E/PE system can provide all the necessary safety functions and the required safety integrity is below SIL1, IEC 61508 does not apply.
4.5 Example of functional safety revisited
The safety function requirements and the safety integrity requirements together constitute the functional safety requirements specification. They must be fully determined before design of the E/E/PE safety-related system begins.

For the example described in Clause 3, the functional safety requirements for the particular hazardous event could be stated as follows:

When the hinged cover is lifted by 5 mm or more, the motor shall be de-energized and the brake shall be engaged so that the blade stops within 1 s. The safety integrity of this safety function shall be SIL2.

The functional safety requirements specification addresses the overall behaviour of the safety-related system in its particular environment. In this example the E/E/PE safety-related system comprises the guard interlock switch, the electrical circuit, the contactors, the motor and the brake.
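The safety function specified above (and described in the example of Clause 3) can be modelled as a latched monitor and checked against recorded or simulated behaviour. The following is an added example written for this page, not code from IEC 61508 or from the report. It takes the 5 mm trip threshold, the 1 s stop deadline and the component list from the specification; everything else is assumed for the illustration: a redundant two-channel cover-position sensor, a 1 mm tolerance between the channels, a blade that counts as stopped at 0 rpm, and three constructed traces. The channel-discrepancy trip shows the distinction drawn in 4.3 between preventing failures and controlling them: a fault in the sensing path is not reasoned away but forces the safe state.

```python
"""Model of the guard-interlock safety function from the worked example.

Hypothetical example code written for this page, not taken from IEC 61508
or the report. Values marked "from the spec" come from the requirements
statement above; everything marked "assumed" is an assumption made here.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

COVER_TRIP_MM = 5.0         # from the spec: cover lifted by 5 mm or more trips
STOP_DEADLINE_S = 1.0       # from the spec: blade stopped within 1 s of the trip
CHANNEL_TOLERANCE_MM = 1.0  # assumed: largest disagreement tolerated between channels
STOPPED_RPM = 0.0           # assumed: blade counts as stopped at 0 rpm


@dataclass(frozen=True)
class Sample:
    t: float            # seconds since the start of the trace
    cover_a_mm: float   # channel A cover-position sensor (assumed redundant pair)
    cover_b_mm: float   # channel B cover-position sensor
    blade_rpm: float


@dataclass(frozen=True)
class Outputs:
    motor_energized: bool
    brake_engaged: bool
    reason: Optional[str]


class GuardInterlock:
    """Latched safety logic.

    Any trip condition de-energizes the motor and engages the brake, and the
    safe state is held for the rest of the trace (a reset, not modelled here,
    would require the cover to be closed on both channels). A disagreement
    between the two channels is treated as a dangerous fault in the sensing
    path and also trips: the logic fails safe rather than trusting either
    reading, i.e. it controls the failure instead of assuming it cannot occur.
    """

    def __init__(self) -> None:
        self.tripped = False
        self.reason: Optional[str] = None

    def step(self, s: Sample) -> Outputs:
        if not self.tripped:
            if max(s.cover_a_mm, s.cover_b_mm) >= COVER_TRIP_MM:
                self.tripped, self.reason = True, "cover lifted"
            elif abs(s.cover_a_mm - s.cover_b_mm) > CHANNEL_TOLERANCE_MM:
                self.tripped, self.reason = True, "channel discrepancy"
        return Outputs(motor_energized=not self.tripped,
                       brake_engaged=self.tripped, reason=self.reason)


@dataclass(frozen=True)
class Verdict:
    ok: bool
    trip_time_s: Optional[float]
    stop_time_s: Optional[float]
    reason: Optional[str]


def check_trace(trace: Sequence[Sample]) -> Verdict:
    """Run the interlock over a trace and check the safety function requirement.

    From the first trip onwards the motor must stay de-energized and the brake
    engaged, and the blade must reach standstill within STOP_DEADLINE_S.
    """
    interlock = GuardInterlock()
    trip_t: Optional[float] = None
    stop_t: Optional[float] = None
    for s in trace:
        out = interlock.step(s)
        if out.brake_engaged and trip_t is None:
            trip_t = s.t
        if trip_t is not None:
            if out.motor_energized:
                return Verdict(False, trip_t, stop_t, "motor energized after trip")
            if stop_t is None and s.blade_rpm <= STOPPED_RPM:
                stop_t = s.t
    if trip_t is None:
        return Verdict(True, None, None, "no demand on the safety function")
    if stop_t is None:
        return Verdict(False, trip_t, None, "blade never stopped")
    if stop_t - trip_t > STOP_DEADLINE_S:
        return Verdict(False, trip_t, stop_t, "stop deadline missed")
    return Verdict(True, trip_t, stop_t, interlock.reason)


def make_trace(points: Sequence[Tuple[float, float, float, float]]) -> List[Sample]:
    return [Sample(*p) for p in points]


# Constructed traces, not measurements: (t, channel A mm, channel B mm, blade rpm).
NORMAL_LIFT = make_trace([(0.0, 0, 0, 3000), (0.1, 2, 2, 3000), (0.2, 5, 5, 3000),
                          (0.5, 20, 20, 1500), (0.9, 30, 30, 200), (1.0, 30, 30, 0)])
SLOW_BRAKE = make_trace([(0.0, 0, 0, 3000), (0.2, 6, 6, 3000),
                         (1.0, 30, 30, 900), (1.4, 30, 30, 0)])
STUCK_CHANNEL = make_trace([(0.0, 0, 0, 3000), (0.1, 0, 3, 3000),
                            (0.2, 0, 6, 3000), (0.7, 0, 30, 0)])

if __name__ == "__main__":
    for name, trace in (("normal lift", NORMAL_LIFT), ("slow brake", SLOW_BRAKE),
                        ("stuck channel A", STUCK_CHANNEL)):
        print(f"{name}: {check_trace(trace)}")
```

Running the module prints one verdict per trace: the normal lift passes, the slow-brake trace misses the 1 s stop deadline, and the trace with channel A stuck at 0 mm trips on the discrepancy before channel B even reaches 5 mm. What such a model cannot show is whether the safety function achieves SIL2: that depends on the random hardware failure rates of the interlock, contactors and brake and on the systematic measures that Parts 2 and 3 require for SIL2, not on the correctness of the logic alone.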
4.6 Structure of IEC 61508

IEC 61508 consists of the following parts, under the general title Functional safety of electrical/electronic/programmable electronic safety-related systems:

Part 0: Functional safety and IEC 61508
Part 1: General requirements
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
Part 7: Overview of techniques and measures

A requirements map is shown in Figure 1.
Figure 1 – Requirements map for parts 1 to 7 of IEC 61508

[Figure not reproduced. The boxes of the map read as follows.]
Part 1: Development of the overall safety requirements (concept, scope definition, hazard and risk analysis) for E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities
Part 1: Allocation of the safety requirements to the E/E/PE safety-related systems
Part 1: Installation and commissioning and safety validation of E/E/PE safety-related systems
Part 1: Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems
Part 1: Management of functional safety
Part 2: Realisation phase for E/E/PE safety-related systems
Part 3: Realisation phase for safety-related software
Part 5: Risk based approaches to the development of the safety integrity requirements
Part 6: Guidelines for the application of parts 2 and 3
Part 7: Overview of techniques and measures
4.7 IEC 61508 as a basis for other standards

Standards writers must address functional safety in their safety standards whenever the Technical Committee's hazard analysis shows that it is needed to provide adequate protection against significant hazards or hazardous events.

Parts 1 to 4 of IEC 61508 are IEC basic safety publications. IEC Technical Committees are required to use these parts of IEC 61508, where possible, in developing their own sector or product standards that involve E/E/PE safety-related systems within their field. See IEC Guide 104 and ISO/IEC Guide 51.

IEC 61508 is the basis of published sector standards, for example for the process industry, and is widely used in developing further sector and product standards. It therefore strongly influences the development of E/E/PE safety-related systems and products across all sectors.
Sector standards based on IEC 61508:

• are intended for system designers, system integrators and users;
• take account of sector-specific practice, which may allow less complex requirements;
• use sector terminology for greater clarity;
• may specify particular constraints appropriate to the sector;
• usually give the link to the requirements of IEC 61508 for detailed subsystem design;
• may allow the end user to achieve functional safety without having to consider IEC 61508 itself.
The fundamental safety publication status of IEC 61508 does not apply to low-complexity E/E/PE safety-related systems (refer to section 4.2 of IEC 61508-1) There are safety-related E/E/PE systems with well-defined component failure modes, allowing for a complete determination of their behavior under fault conditions For instance, a system may include one or more switches that activate one or more contacts to disable an electric motor, potentially using electromechanical relays.
La CEI 61508 comme norme autonome
Toutes les parties de la CEI 61508 peuvent être directement utilisées par l’industrie comme des publications autonomes Ceci inclut l’utilisation de la norme:
• comme un ensemble d’exigences générales pour les systèmes E/E/PE relatifs à la sécurité pour lesquels l’application de normes sectorielles ou de normes produit est inexistante ou inappropriée;
Suppliers of E/E/PE components or subsystems provide essential hardware and software for various sectors, including detectors, small actuators, programmable controllers, and data communication systems.
• par les constructeurs de système pour respecter les spécifications des utilisateurs de systèmes E/E/PE relatifs à la sécurité;
• par les utilisateurs pour spécifier des exigences en termes de sécurité fonctionnelle ainsi que les exigences de performance de ces fonctions de sécurité;
4.7 IEC 61508 as a basis for other standards
Standards writers must address functional safety in their safety standards whenever the hazard analysis carried out by the responsible Technical Committee shows that it is needed to provide adequate protection against significant hazards or hazardous events.
Parts 1 to 4 of IEC 61508 are IEC basic safety publications. One of the responsibilities of IEC Technical Committees is to make use of these parts of IEC 61508, wherever practicable, when developing their own sector or product standards that involve E/E/PE safety-related systems within their field of application. For further details, refer to IEC Guide 104 and ISO/IEC Guide 51.
IEC 61508 is the basis of published sector standards, for example in the process industry, and is widely used in the development of other sector and product standards. It therefore strongly influences the development of E/E/PE safety-related systems and products across all sectors.
Sector specific standards based on IEC 61508:
• are aimed at system designers, system integrators and users;
• take account of specific sector practice, which can allow less complex requirements;
• use sector terminology to increase clarity;
• may specify particular constraints appropriate for the sector;
• usually rely on the requirements of IEC 61508 for detailed design of subsystems;
• may allow end users to achieve functional safety without having to consider IEC 61508 themselves
The basic safety publication status of IEC 61508 does not apply to low complexity E/E/PE safety-related systems (see clause 4.2 of IEC 61508-1). These are systems in which the failure modes of each individual component are well defined, so that the behaviour of the system under fault conditions can be completely determined. An example is a system of one or more limit switches operating one or more contactors to de-energize an electric motor, possibly through interposing electromechanical relays.
4.8 IEC 61508 as a stand-alone standard
All parts of IEC 61508 can be used directly by industry as “stand-alone” publications This includes use of the standard:
• as a set of general requirements for E/E/PE safety-related systems where no application sector or product standards exist or where they are not appropriate;
• by suppliers of E/E/PE components and subsystems for use in all sectors (e.g hardware and software of sensors, smart actuators, programmable controllers, data communication);
• by system builders to meet user specifications for E/E/PE safety-related systems;
• by users to specify requirements in terms of the safety functions to be performed together with the performance requirements of those safety functions;
• to help maintain the “as designed” functional integrity of E/E/PE safety-related systems;
• to provide a technical framework for conformity assessment and certification services;
• as a basis for carrying out assessments of safety lifecycle activities.
What is functional safety?
Safety is defined as the absence of unacceptable risks that could lead to physical injury or harm to individuals, whether directly or indirectly through damage to property or the environment.
Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs
An overtemperature protection device that utilizes a thermal sensor in an electric motor's windings to de-energize the motor before overheating exemplifies functional safety In contrast, while specialized insulation designed to endure high temperatures contributes to safety, it does not qualify as functional safety, even though it addresses the same hazard.
Neither safety nor functional safety can be determined without considering the systems as a whole and the environment with which they interact.
Safety functions and safety-related systems
Those specifying or developing equipment and its control systems must identify, through a hazard analysis, the significant hazards of the equipment in its intended environment. The analysis determines whether functional safety is needed to provide adequate protection against each significant hazard; if it is, functional safety has to be designed in appropriately. Functional safety is one way of dealing with hazards, while other approaches, above all inherent safety through design, remain essential for eliminating or reducing them.
Safety-related systems perform the specific functions that keep the risk at an acceptable level; these functions are, by definition, the safety functions. Two types of requirement must be met to achieve functional safety:
• safety function requirements (what the function does) and
• safety integrity requirements (the likelihood of a safety function being performed satisfactorily)
Safety function requirements stem from hazard analysis, while safety integrity requirements are based on risk assessment A higher safety integrity level correlates with a reduced likelihood of dangerous failures.
A safety-related system is defined as any system, regardless of the technology used, that performs safety functions This system can operate independently from equipment control systems, or the control system itself may fulfill safety functions, thereby classifying it as a safety-related system Achieving higher levels of safety integrity requires more stringent engineering practices for these safety-related systems.
Example of functional safety
A machine equipped with a rotating blade features a hinged solid cover for safety This cover allows for easy access to the blade for routine cleaning It is designed with an interlock system that de-energizes the motor and engages a brake when lifted, ensuring the blade stops before it poses any risk to the operator.
Achieving safety requires both a hazard analysis and a risk assessment. The hazard analysis identifies the hazard associated with cleaning the blade and shows that the hinged cover must not be raised by more than 5 mm before the brake is applied and the blade stopped. It may also show that the blade must stop within 1 s or less. Together these define the safety function. The risk assessment then sets the performance requirements for this safety function, so that its safety integrity is sufficient to ensure that no one is exposed to an unacceptable risk from this hazardous event.
The consequences of a safety function failure can range from minor injuries, such as bruises, to severe outcomes like amputation of the operator's hand The associated risk is influenced by the frequency of cover lifting, which can occur multiple times daily or less than once a month Consequently, the required level of safety integrity escalates with both the potential severity of injuries and the frequency of exposure to the hazard.
The safety integrity of a safety function relies on the proper operation of all essential equipment, including the interlock, electrical circuit, and motor and braking system Both the safety function and its integrity define the expected behavior of the systems within a specific environment.
In summary, the hazard analysis determines what has to be done to prevent the hazardous events associated with the blade, and the risk assessment determines the safety integrity required of the interlocking system for the risk to be acceptable. These two questions, what safety function must be performed (the safety function requirements) and what degree of certainty is needed that it will be performed (the safety integrity requirements), are the core of functional safety.
Challenges in achieving functional safety
Safety functions are increasingly carried out by electrical, electronic or programmable electronic systems. These systems are usually complex, to the extent that it is in practice impossible to fully determine every failure mode or to test all possible behaviours. Testing remains essential, but predicting the performance of a safety function from testing alone is difficult.
The challenge is to design the system in such a way as to prevent dangerous failures or to control them when they arise. Dangerous failures may arise from:
• incorrect specifications of the system, hardware or software;
• omissions in the safety requirements specification (e.g. failure to develop all relevant safety functions during different modes of operation);
• random hardware failure mechanisms;
• systematic hardware failure mechanisms;
• environmental influences (e.g electromagnetic, temperature, mechanical phenomena);
• supply system voltage disturbances (e.g loss of supply, reduced voltages, re-connection of supply)
IEC 61508 contains requirements to minimise these failures and is described in the next clause
4 IEC 61508 – Functional safety of E/E/PE safety-related systems
Objectives
• release the potential of E/E/PE technology to improve both safety and economic performance;
• enable technological developments to take place within an overall safety framework;
• provide a technically sound, system based approach, with sufficient flexibility for the future;
• provide a risk-based approach for determining the required performance of safety-related systems;
• provide a generic standard that can be used directly by industry as well as helping with the development of sector standards (e.g. machinery, process chemical plants, medical equipment or rail) and product standards (e.g. power drive systems);
• provide a means for users and regulators to gain confidence when using computer-based technology;
• provide requirements based on common underlying principles to facilitate:
improved efficiencies in the supply chain for suppliers of subsystems and components to various sectors,
improvements in communication and requirements (i.e to increase clarity of what needs to be specified),
the development of techniques and measures that could be used across all sectors, increasing available resources,
the development of conformity assessment services if required
IEC 61508 does not cover the precautions that may be necessary to prevent unauthorized persons damaging, and/or otherwise adversely affecting, the functional safety achieved by E/E/PE safety-related systems. Deliberate interference with a safety-related system, for instance through the remote monitoring or programming paths listed among the examples below, is therefore outside the scope of the standard and has to be addressed by a separate security assessment, such as one based on the IEC 62443 series for industrial automation and control systems.
E/E/PE safety-related systems
IEC 61508 is concerned with functional safety achieved by safety-related systems that are primarily implemented in electrical, electronic or programmable electronic (E/E/PE) technologies. The standard is generic in that it applies to all such systems irrespective of their application.
Some requirements of the standard apply to development activities carried out before the implementation technology has been chosen: the development of the overall safety requirements (concept, scope definition, hazard analysis and risk assessment). Where E/E/PE technologies may be used, the standard has to be applied so that the functional safety requirements for any E/E/PE safety-related system are determined methodically and on a risk basis.
The standard includes additional requirements that extend beyond E/E/PE technology, encompassing documentation, functional safety management, safety assessments, and competence These non-technology-specific requirements can also be beneficially applied to other safety-related systems, even though they fall outside the standard's scope.
The following are examples of E/E/PE safety-related systems:
• emergency shut-down system in a hazardous chemical process plant;
• crane safe load indicator;
• guard interlocking and emergency stopping systems for machinery;
• variable speed motor drive used to restrict speed as a means of protection;
• system for interlocking and controlling the exposure dose of a medical radiotherapy machine;
• dynamic positioning (control of a ship’s movement when in proximity to an offshore installation);
• fly-by-wire operation of aircraft flight control surfaces;
• automobile indicator lights, anti-lock braking and engine-management systems;
• remote monitoring, operation or programming of a network-enabled process plant;
• an information-based decision support tool where erroneous results affect safety
An E/E/PE safety-related system encompasses all components essential for executing the safety function, including sensors, control logic, communication systems, final actuators, and any critical actions performed by human operators.
The definition of an E/E/PE safety-related system follows from the general concept of safety: freedom from unacceptable risk of physical injury or damage to the health of people, either directly or indirectly as a result of damage to property or the environment. Some systems, however, are primarily designed to protect against failures with serious economic consequences. IEC 61508 can be used to develop any E/E/PE system with critical functions, such as the protection of equipment or product.
Technical approach
IEC 61508:
• uses a risk based approach to determine the safety integrity requirements of E/E/PE safety-related systems, and includes a number of examples of how this can be done;
• uses an overall safety lifecycle model as the technical framework for the activities necessary for ensuring functional safety is achieved by the E/E/PE safety-related systems;
• covers the overall safety lifecycle: all activities from initial concept, through hazard analysis and risk assessment, development of the safety requirements, specification, design, implementation, operation, maintenance and modification, to final decommissioning and disposal;
• encompasses system aspects (comprising all the subsystems carrying out the safety functions, including hardware and software) and failure mechanisms (random hardware and systematic);
• contains both requirements for preventing failures (avoiding the introduction of faults) and requirements for controlling failures (ensuring safety even when faults are present);
• specifies the techniques and measures that are necessary to achieve the required safety integrity.
Safety integrity levels
IEC 61508 defines four safety integrity levels (SIL) for safety functions, ranging from safety integrity level 1 (SIL1), the lowest, to safety integrity level 4 (SIL4), the highest The standard outlines the necessary requirements to attain each level, with more stringent criteria at higher levels to ensure a reduced likelihood of dangerous failures.
An E/E/PE safety-related system usually implements more than one safety function. If the safety integrity requirements of these functions differ, the requirements applicable to the highest relevant safety integrity level apply to the whole system unless there is sufficient independence of implementation between the functions.
If a single E/E/PE system can deliver all the required safety functions and the required safety integrity is below the SIL1 threshold, IEC 61508 does not apply.
Example of functional safety revisited
The safety function requirements and the safety integrity requirements constitute the functional safety requirements specification These requirements must be fully determined before designing the E/E/PE safety-related system
In the example described in Clause 3, the functional safety requirements for the specific hazardous event could be stated as follows
When the hinged cover is raised by 5 mm or more, the motor is de-energized and the brake is engaged so that the blade stops within 1 s. The safety integrity of this safety function shall be SIL2.
The functional safety requirements specification addresses the overall behavior of the safety-related system within a specific environment In this context, the E/E/PE safety-related system comprises components such as the guard interlock switch, electrical circuit, contactors, motor, and brake.
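The safety function requirement stated above can be checked mechanically against a recorded or simulated trace of the guard. The following is an added example, not code from IEC TR 61508-0 or from any interlock product: it encodes the safety function (cover lifted 5 mm or more, then motor de-energised, brake engaged and blade at rest within 1 s, with that state held while the cover stays open) as a property over a sampled trace, and constructs three traces, one compliant, one with a slow brake and one whose brake never engages. The trace fields, the 10 ms sample period, the 3000 rpm starting speed and the linear deceleration model are assumptions of this example, not values from the standard.

```python
"""Trace check for the hinged-cover safety function.

Added example, not from IEC TR 61508-0.  The field names, the 10 ms sample
period, the 3000 rpm starting speed and the linear deceleration model are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

LIFT_THRESHOLD_MM = 5.0   # "raised by 5 mm or more"
MAX_STOP_TIME_MS = 1000   # "the blade stops within 1 second"


@dataclass(frozen=True)
class Sample:
    """One sampled observation of the guarded machine (assumed trace format)."""
    t_ms: int             # time since start of trace, in milliseconds
    lift_mm: float        # hinged-cover lift seen by the interlock switch
    motor_energised: bool
    brake_engaged: bool
    blade_rpm: float


def in_safe_state(s: Sample) -> bool:
    """Safe state demanded by the safety function: motor off, brake on, blade at rest."""
    return (not s.motor_energised) and s.brake_engaged and s.blade_rpm == 0


def check_safety_function(trace: Iterable[Sample]) -> List[str]:
    """Return the violations found in a trace; an empty list means it complies.

    A demand starts at the first sample whose lift reaches LIFT_THRESHOLD_MM and
    lasts while the lift stays at or above it.  The safe state must be reached
    within MAX_STOP_TIME_MS of the demand and held for as long as the cover is open.
    """
    samples = sorted(trace, key=lambda s: s.t_ms)
    violations: List[str] = []
    i, n = 0, len(samples)
    while i < n:
        if samples[i].lift_mm < LIFT_THRESHOLD_MM:
            i += 1
            continue
        demand_t = samples[i].t_ms
        safe_t: Optional[int] = None   # time the safe state was first reached
        lost_reported = False
        j = i
        while j < n and samples[j].lift_mm >= LIFT_THRESHOLD_MM:
            s = samples[j]
            if safe_t is None:
                if in_safe_state(s):
                    safe_t = s.t_ms
            elif not in_safe_state(s) and not lost_reported:
                # hazard came back (motor re-energised or blade turning) with the cover still open
                violations.append(f"t={s.t_ms} ms: safe state lost while cover lifted")
                lost_reported = True
            j += 1
        open_until = samples[j - 1].t_ms
        if safe_t is None:
            # Only a violation if the cover stayed open past the deadline; a cover
            # closed again sooner gives no evidence either way.
            if open_until - demand_t >= MAX_STOP_TIME_MS:
                violations.append(
                    f"demand at t={demand_t} ms: safe state not reached within {MAX_STOP_TIME_MS} ms")
        elif safe_t - demand_t > MAX_STOP_TIME_MS:
            violations.append(
                f"demand at t={demand_t} ms: safe state reached only after "
                f"{safe_t - demand_t} ms (limit {MAX_STOP_TIME_MS} ms)")
        i = j
    return violations


def make_trace(stop_after_ms: int, brake_works: bool = True, step_ms: int = 10) -> List[Sample]:
    """Constructed trace: cover closed for 200 ms, then lifted 1 mm per sample up to 20 mm.

    At the first sample with lift >= LIFT_THRESHOLD_MM the interlock de-energises
    the motor; with a working brake the blade decelerates linearly to rest over
    stop_after_ms, without one it coasts down ten times more slowly.
    """
    rpm0 = 3000.0
    demand_t: Optional[int] = None
    decel_ms = stop_after_ms if brake_works else 10 * stop_after_ms
    samples: List[Sample] = []
    for t in range(0, 3000, step_ms):          # 3 s of trace
        lift = 0.0 if t < 200 else min(20.0, (t - 200) / step_ms)
        if demand_t is None and lift >= LIFT_THRESHOLD_MM:
            demand_t = t
        if demand_t is None:
            samples.append(Sample(t, lift, True, False, rpm0))
        else:
            rpm = max(0.0, rpm0 * (1 - (t - demand_t) / decel_ms))
            samples.append(Sample(t, lift, False, brake_works, rpm))
    return samples


if __name__ == "__main__":
    for label, trace in [("compliant, stops in 600 ms", make_trace(600)),
                         ("slow brake, stops in 1500 ms", make_trace(1500)),
                         ("brake never engages", make_trace(600, brake_works=False))]:
        print(label, "->", check_safety_function(trace) or "OK")
```

A check like this covers only the safety function requirement. It says nothing about the safety integrity requirement (SIL2), which concerns how likely the interlock is to perform the function when a demand occurs and has to be demonstrated through the measures of IEC 61508-2 and IEC 61508-3, not by a trace passing this check.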
Parts framework of IEC 61508
IEC 61508 consists of the following parts, under the general title Functional safety of electrical/electronic/programmable electronic safety-related systems:
Part 0: Functional safety and IEC 61508
Part 1: General requirements
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
Part 7: Overview of techniques and measures
A requirements map is shown in Figure 1
Figure 1 – Requirements map for parts 1 to 7 of IEC 61508 (the figure itself is not reproduced; its box labels, recovered from the extracted text, are listed below by the part they map to)
Part 1: development of the overall safety requirements (concept, scope definition, hazard and risk analysis) for E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities; allocation of the safety requirements to the E/E/PE safety-related systems; installation and commissioning and safety validation of E/E/PE safety-related systems; operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems; management of functional safety
Part 2: realisation phase for E/E/PE safety-related systems
Part 3: realisation phase for safety-related software
Part 5: risk based approaches to the development of the safety integrity requirements
Part 6: guidelines for the application of parts 2 and 3
Part 7: overview of techniques and measures
4.7 IEC 61508 as a basis for other standards
Writers of standards need to address functional safety in their safety standards where the risk analysis carried out by the technical committee shows that functional safety is needed to give adequate protection against significant hazards or hazardous events.
Parts 1 to 4 of IEC 61508 are IEC basic safety publications. One of the responsibilities of IEC technical committees is, wherever applicable, to make use of these parts when preparing their own sector or product standards covering E/E/PE safety-related systems within their scope. See IEC Guide 104 and ISO/IEC Guide 51 for details.
IEC 61508 is the basis for published sector standards (for example in the process industry) and is widely used in the development of other sector and product standards. It therefore has a major influence on the development of E/E/PE safety-related systems and products across all sectors.
Sector-specific standards based on IEC 61508:
• are intended for system designers, system integrators and users;
• take account of sector-specific practice, which may allow less complex requirements;
• use sector-specific terminology for clarity;
• may specify particular constraints appropriate to the sector;
• usually give the link to the requirements of IEC 61508 for the detailed design of subsystems;
• may allow the end user to achieve functional safety without having to consider IEC 61508 itself.
The basic safety publication status of IEC 61508 does not apply to low-complexity E/E/PE safety-related systems (see 4.2 of IEC 61508-1). These are E/E/PE safety-related systems in which the failure modes of each individual component are well defined and the behaviour of the system under fault conditions can be completely determined. An example is a system consisting of one or more switches that actuate one or more contactors to de-energise an electric motor, possibly through interposing electromechanical relays.
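The following is an added example, not part of IEC 61508-0 or of any IEC publication. It models the kind of low-complexity system described above (a switch that actuates a contactor, through an interposing relay, to de-energise a motor) and shows what "behaviour under fault conditions can be completely determined" means in practice: each component has a small, well-defined set of failure modes, so every fault combination can be enumerated and classified as nominal, dangerous (motor cannot be stopped on demand) or safe-spurious (motor trips without demand). The component list, the three failure modes and the single series topology are assumptions chosen for illustration.

```python
"""Exhaustive fault enumeration for a low-complexity E/E/PE safety-related system.

Added example; it is not part of IEC 61508-0. Component list, failure modes and
the series topology are assumptions constructed for illustration.
"""
from itertools import product

# Assumed failure modes for each contact in the chain (constructed for the example).
#   ok            - contact follows its command (switch: opens on demand;
#                   relay/contactor: opens when its coil loses supply)
#   stuck_closed  - contact never opens (dangerous: cannot interrupt the motor)
#   stuck_open    - contact never closes (safe, but causes a spurious trip)
FAILURE_MODES = ("ok", "stuck_closed", "stuck_open")

# Series chain in command direction: the switch feeds the relay coil, the relay
# contact feeds the contactor coil, the contactor contact feeds the motor.
CHAIN = ("switch", "relay", "contactor")


def contact_closed(component, mode, upstream_live, demand):
    """Whether one contact conducts, given its failure mode, whether the stage
    ahead of it is conducting, and whether the safety function is demanded."""
    if mode == "stuck_closed":
        return True
    if mode == "stuck_open":
        return False
    if component == "switch":
        return not demand          # healthy switch opens on demand
    return upstream_live           # healthy relay/contactor follows its coil supply


def motor_energised(modes, demand):
    """Propagate supply through the chain; the motor runs only if the last
    contact (the contactor) conducts."""
    live = True                    # supply is present ahead of the first contact
    for component in CHAIN:
        live = contact_closed(component, modes[component], live, demand)
    return live


def classify(modes):
    """Classify one fault combination by its effect on the safety function."""
    if motor_energised(modes, demand=True):
        return "dangerous"         # motor keeps running although a stop was demanded
    if not motor_energised(modes, demand=False):
        return "safe_spurious"     # motor stopped although nothing was demanded
    return "nominal"


def enumerate_faults():
    """Return every fault combination with its classification (3**3 = 27 rows)."""
    rows = []
    for combo in product(FAILURE_MODES, repeat=len(CHAIN)):
        modes = dict(zip(CHAIN, combo))
        rows.append((modes, classify(modes)))
    return rows


def summarise():
    """Count combinations per class; the totals add up to 27."""
    counts = {"nominal": 0, "dangerous": 0, "safe_spurious": 0}
    for _, verdict in enumerate_faults():
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for modes, verdict in enumerate_faults():
        print(f"{modes['switch']:>12} {modes['relay']:>12} "
              f"{modes['contactor']:>12}  -> {verdict}")
    print(summarise())
```

Because the table is exhaustive, the conclusion is exact rather than statistical: in this single-channel chain every stuck-closed fault, wherever it occurs, defeats the safety function, and every stuck-open fault is safe but spurious. That is the kind of complete determination the text refers to, and it is what a decision to add a second independent contactor or a proof-test interval would be based on.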
4.8 IEC 61508 as a stand-alone standard
All parts of IEC 61508 can be used directly by industry as stand-alone publications. This includes use of the standard:
• as a set of general requirements for E/E/PE safety-related systems where no application sector or product standard exists or where such a standard is inappropriate;
• by suppliers of E/E/PE components or subsystems who provide hardware and software to many sectors (for example detectors, smart actuators, programmable controllers and data communication systems);
• by system builders, to meet the specifications of users of E/E/PE safety-related systems;
• by users, to specify their functional safety requirements and the performance requirements of those safety functions;