There are numerous functional safety standards. Most are based on IEC 61508, the foundational safety integrity level (SIL) standard. IEC 61511 is the SIL standard for the process industry. ISO 26262 is applicable to safety in automotive systems. ISO 13849 is a safety standard that applies to parts of machinery control systems that provide safety functions (called safety-related parts of a control system).
IEC 61508, ‘Functional Safety of Electrical/Electronic/Programmable Electronic (E/E/PE) Safety-related Systems’ is broadly applicable to all industries. It defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems, and external risk reduction facilities.”
IEC 61508 is focused on hazards that arise when safety functions fail with the goal of reducing the risk of failure to a defined level. It’s based on the requirement that any safety-related system must work correctly or fail in a predictable and safe manner and has two baseline principles:
- Safety life cycle design engineering employs best practices to identify and eliminate any design errors or omissions.
- Probabilistic failure analysis to identify the safety impact of specific device failures.
There are numerous industry-specific adaptations of IEC 61508, including:
- ISO 26262 for automotive electric/electronic systems.
- EN 50128 for railway applications.
- IEC 62304 for medical devices.
- IEC 62061 for machinery system design.
Edition matters
IEC 61511 is a derivation of IEC 61508 for the process industry, and so are many other functional safety standards. The hierarchy shown in Figure 1 doesn’t change, but the editions of the various standards continue to evolve, and they don’t necessarily coincide with the current edition of IEC 61508, which is IEC 61508:2010. For the other standards, the current editions are:
- IEC 61511-1:2016.
- IEC 62061:2021.
- BS EN 50495:2010.
- ISO 26262-1:2018.
What’s a SIL?
SIL ratings are defined in IEC 61508 in relationship to the expected frequency and severity of hazards. They are probabilistic functions designed to quantify the potential danger level. There are four SIL levels. The higher the SIL level, the greater the risk the safety function must control and the stricter the corresponding safety requirements. To achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum safe failure fraction. The four SIL levels with the corresponding probability of failure and risk reduction factors are:
- SIL 4, probability of failure ≥10⁻⁵ to <10⁻⁴, and risk reduction factor of 100,000 to 10,000.
- SIL 3, ≥10⁻⁴ to <10⁻³ and 10,000 to 1,000.
- SIL 2, ≥10⁻³ to <10⁻² and 1,000 to 100.
- SIL 1, ≥10⁻² to <10⁻¹ and 100 to 10.
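As an added worked example (not code from the original article), the SIL band lookup from the table above, extended with the simplified IEC 61508 low-demand 1oo1 approximation PFDavg ≈ λ_DU · T1 / 2 and the safe failure fraction definition, which the article names but does not compute; the failure rates and proof-test interval below are constructed values, and the bands are assumed to be low-demand PFDavg bands.

```python
from dataclasses import dataclass

# SIL bands from the article's table: (SIL, lower bound inclusive, upper bound exclusive).
# Assumption: these are low-demand-mode average probability of failure on demand (PFDavg).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd: float):
    """Return the SIL whose PFDavg band contains pfd, or None if outside SIL 1..4."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def risk_reduction_factor(pfd: float) -> float:
    """RRF is the reciprocal of PFDavg (matches the article's 100,000..10 column)."""
    return 1.0 / pfd


@dataclass
class FailureRates:
    """Failure rates in failures per hour (constructed values, not from the article)."""
    lambda_safe: float  # λ_S: safe failures
    lambda_dd: float    # λ_DD: dangerous failures detected by diagnostics
    lambda_du: float    # λ_DU: dangerous failures not detected until proof test


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (λ_S + λ_DD) / (λ_S + λ_DD + λ_DU), the IEC 61508 definition (assumption)."""
    total = r.lambda_safe + r.lambda_dd + r.lambda_du
    return (r.lambda_safe + r.lambda_dd) / total


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified 1oo1 low-demand approximation PFDavg ≈ λ_DU * T1 / 2 (assumption)."""
    return lambda_du * proof_test_interval_h / 2.0


def assess(r: FailureRates, proof_test_interval_h: float) -> dict:
    """Combine the metrics a SIL claim needs: PFDavg, its RRF, the SIL band, and SFF."""
    pfd = pfd_avg_1oo1(r.lambda_du, proof_test_interval_h)
    return {"pfd_avg": pfd, "rrf": risk_reduction_factor(pfd),
            "sil": sil_for_pfd(pfd), "sff": safe_failure_fraction(r)}


if __name__ == "__main__":
    rates = FailureRates(lambda_safe=4e-7, lambda_dd=5e-7, lambda_du=1e-7)  # constructed
    print(assess(rates, 8760.0))   # annual proof test
    print(assess(rates, 43800.0))  # five-year proof test: PFDavg drops one band
```

Lengthening the proof-test interval from one year to five years moves the same device from the SIL 3 band into the SIL 2 band, which is why the proof-test interval is part of any SIL claim.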
Those SIL definitions are specific to IEC 61508. Other functional safety standards build on that foundation, but often with quite different metrics (Table 1). DO-178C, Software Considerations in Airborne Systems and Equipment Certification, has five levels. IEC 62304 is titled “Medical device software — software lifecycle processes” and is a functional safety standard like IEC 61508 but with three levels. Software safety integrity levels (SSILs) are defined in EN 50128 and are used for railway systems.
When one standard isn’t enough
In the case of automotive safety, ISO 26262 can be supplemented with other standards. ISO 26262 only applies to:
- Assembly-line produced road vehicles.
- Cars that weigh less than 3.5 tons.
- Electrical and electronic components and systems.
ISO 26262 is detailed but not comprehensive. It does not include sections covering misuse or automated driving. ISO PAS 21448 (SOTIF) was developed to fill in those gaps. SOTIF takes a more holistic view of the vehicle and addresses some aspects of autonomous driving where a system failure is not the source of the safety hazard; instead, the hazard arises from unspecified behavior of the vehicle.
For so-called specialty vehicles like trucks and vans, ISO 26262 doesn’t apply. For those vehicles, the functional safety standard is IEC 61508. However, there can be additional functional domains in ancillary systems not related to the primary functioning of the vehicle. For example, in a tow truck or lift truck, the tow or lift systems must meet general machinery functional safety standards like ISO 13849 or IEC 62061 (Figure 2).
Summary
IEC 61508 is the foundational functional safety standard. However, there are numerous industry and application-specific functional safety standards that build on that foundation, often with quite different ways of quantifying functional safety. A single platform like a lift truck can have multiple functional safety domains that must meet various standards.