IEC 61508

from Wikipedia, the free encyclopedia

IEC 61508 is an international series of standards for the development of electrical, electronic and programmable electronic (E/E/PE) systems that perform a safety function. It is published by the International Electrotechnical Commission (IEC). The European Committee for Standardization (CEN) adopted the standard with identical content as EN 61508.

The series consists of seven parts and is entitled Functional Safety of Safety-Related Electrical/Electronic/Programmable Electronic Systems. It was first published in 1998. A new edition has been available since 2010, and a German translation since February 2011.

Content and purpose

The application of the standard in companies is driven mainly by product liability law. In Germany in particular, under Section 4 of the ProdHaftG, the manufacturer of the end product is held jointly liable (and also bears the possible damage to its image) even if the cause lay exclusively with a sub-supplier. By applying the standard, the manufacturer can demonstrate in product liability proceedings that a recognized method for risk assessment and for safe product development and manufacture has been used.

The aim of this standard is to define procedures that make it possible to manufacture products which, according to the current state of the art, do not present any disproportionate or unacceptable danger to users and the environment. The standard describes which aspects are to be taken into account at the start of development and in what way, how the product architecture should be designed (for example as a single-channel or multi-channel system), which activities and organizational structures are necessary, how these are to be documented, and that all steps must be recorded in the manufacturer's internal documentation for the product in a comprehensible and traceable manner. The standard assumes a so-called "life cycle model": a product is considered from the first planning stage through market launch and the change procedure to its decommissioning and disposal. For all these phases of life, the manufacturer must provide evidence of the processes the product has gone through. The manufacturer must also prove that its higher-level internal processes are suitable for manufacturing products whose function, even in the event of failure, does not cause unreasonable damage to people, equipment or the environment.

In practice, more and more companies require their suppliers to demonstrate that their products are developed and manufactured in accordance with this or a comparable standard (e.g. ISO 26262 in the automotive sector) in order to be qualified as a supplier by the customer. In addition, assessment or certification of the products by an independent testing body that is accredited and qualified (e.g. according to EN ISO/IEC 17025, "General requirements for the competence of testing and calibration laboratories") may be required. However, there is no obligation to apply the standard unless the products are subject to an inspection obligation under laws or regulations that take precedence over the standard, e.g. the European Machinery Directive. A distinction is made between a test report or certificate issued by the commissioned test institute and a so-called EC type-examination certificate issued by a notified body. Products that fall under Annex IV of the European Machinery Directive require an EC type-examination certificate with a globally unique number.

IEC 61508 assumes that, according to the current state of the art, it is not possible, at economically justifiable expense, to manufacture a number of similar products that grows constantly over the production period in such a way that all of them function 100% error-free over their entire period of operation, or that they fully diagnose internal errors and respond appropriately. Here safety and availability are in conflict with one another, since high safety can only be achieved by restricting usability (e.g. through frequent tests during which the product has to be taken out of service and is not available for its intended purpose). For this reason the highest recognized diagnostic coverage is also assumed to be 99.9%.

Depending on the degree of risk that the product causes in its area of application, the requirements for measures for error prevention and error control and for the necessary documentation increase.

In addition to documentation, reviews are an important point of the normative recommendations: the milestones reached in the value chain are checked independently for form and content. Reviews are error-avoidance procedures based on the assumption that the participation of several people of comparable qualification in a procedure also reduces the frequency of errors. The procedures according to which they are to be carried out are described in the so-called "V-model" as part of product validation. Here, too, the required degree of independence of the review depends on the degree of risk.

Scope and area of application

The standard can be applied to all safety-related systems that contain electrical, electronic or programmable electronic components (E/E/PES) and whose failure means a significant risk for people, equipment or the environment. However, it is not harmonized in the EU under the New Approach; compliance with it alone therefore cannot contribute to the presumption of conformity with the European directives. It does not apply to any specific application. Systems that perform a safety function on demand include, for example, the anti-lock braking system of a motor vehicle; systems that depend on the continuous execution of the safety function include, for example, the control unit of a launch vehicle. According to the standard, the functions of the safety-related systems constitute the functional safety of the overall system. IEC 61508 is designated a "basic safety standard", which means that it can serve as the basis for application-specific standards.

The following standards, published or in progress, represent the implementation of IEC 61508 for a specific application area:

  • IEC 61511: Functional safety - safety systems for the process industry
  • IEC 61513: Nuclear power plants - Control technology for systems with safety-related significance - General system requirements
  • EN 50128: Railway applications - Telecommunication technology, signaling technology and data processing systems - Safety-relevant electronic systems for signaling technology
  • IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
  • ISO 26262: Road vehicles - Functional safety
  • ISO 25119: Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Functional safety

The scope of the standard extends from concept, planning, development, implementation, commissioning, maintenance and modification up to decommissioning and deinstallation of both the hazardous system and the safety-related (risk-reducing) systems. The standard refers to the entirety of these phases as the "overall safety life cycle".

Central terms

One element is the determination of the safety integrity level (SIL; there are SIL 1 to SIL 4). This is a measure of the necessary or achieved risk-reducing effectiveness of safety functions. If no safety-relevant requirements apply, development is to be carried out according to the normal standards of operational quality management (referred to as QM in the standard). SIL 1 has the lowest requirements according to the standard. If, after the development of safety-related systems, it can be shown that the requirements of a SIL are met for the safety functions, the SIL serves as a measure of the effectiveness of those safety functions. Since this effectiveness can be achieved both through the reliability with which the safety function is performed in the event of a hazard and through the immediate shutdown of the hazard-causing systems when a fault is detected in the safety-related systems, even outside hazardous situations, one cannot speak of the "reliability" of the safety function alone. The necessary SIL can be determined by a hazard and risk analysis. SIL 4 represents such a high safety integrity level that it is not relevant in practice in most areas, for example in the safety of machines or cars.

The calculation bases for PFH (probability of dangerous failure per hour) and PFD (probability of dangerous failure on demand) are provided as essential parameters for the reliability of a device's safety function. The former relates to high-demand systems, i.e. those with a high demand rate ("high": at least one demand per year), the latter to low-demand systems that are operated less than once a year during their operating life. The latter are primarily important in the process industry, for which the more extensive IEC 61511 should be used. The particular problem with a low-demand application is that the vast majority of devices that perform a safety function carry out an internal diagnosis by regularly changing the state of their switching elements (switching on in the morning at the start of operation, switching off in the evening), but this change of state is not guaranteed in some systems that have been in continuous operation for months or years. For forcibly guided relays in accordance with EN 50205, which are installed in large numbers in safety devices, the diagnostic coverage of these relays must therefore be assumed to be 0% instead of the 99% that applies when the state changes regularly.

The probability of individual failures increases in proportion to the number of products on the market and their age. Failures with systematic causes (e.g. errors in the software, incorrect dimensioning of components, faulty or inaccurate tools or measuring equipment) affect all products, whereas random failures only affect a certain proportion of the products. A "systematic error" that became known worldwide was the year 2000 problem, since millions of electronic devices and systems were based on microchips and software that only allowed the year to be encoded with two digits. Systematic errors, which can remain undetected for a long time because the triggering boundary conditions are rare or unlikely, are therefore given special attention, and the standard provides extensive tables of suitable measures for avoiding them.

The types of failure ("failure modes") are divided according to the direction in which they go: "safe" and dangerous or "unsafe". Since the safety function of a device can and must be clearly described, states such as "somewhat dangerous" are not standardized. These two states are further broken down by adding the diagnosis, giving the conceivable failure types "safe-detected", "safe-undetected", "dangerous-detected" and "dangerous-undetected". The last of these is to be assessed as critical, since such failures remain undetected by the "diagnosis" and can lead to the false assumption that the device is functioning properly. Systematic errors can only be detected inadequately by diagnostic devices, since the implementation of the diagnosis itself can be based on the same incorrect assumptions that led to the systematic error. IEC 61511 lists even more extensive subcategories of failure types that are relevant for the process industry.

"Diagnosis" is defined in the standard as an automatically running process whose effectiveness does not depend on human intervention. (The self-test of an emergency stop relay may serve as an example: when switched on, it runs through an internal cycle that includes all safety-relevant switching elements and only "unlocks" the device if its function is guaranteed.) A special form of diagnosis is the so-called proof test, which must be carried out at fixed and mathematically calculable intervals (proof test interval) if the internal diagnosis is not sufficient to ensure reliable operation over a long period of time. Mathematically, this is the case when the PFD(t) value of the device leaves the range permissible for the respective SIL. As a rule, components have to be replaced during a proof test in order to put the device into a "like new" state so that the PFD(t) value falls back into a subcritical range. For simple switching devices, for economic reasons, the aim in practice is to make the proof test interval at least as long as the service life of the device.

The SIL can be read off or calculated from the parameters PFH and PFD (as well as some other values not considered here). In addition, the SFF (Safe Failure Fraction) is introduced, a measure of the proportion of all conceivable failures that go in the safe direction. In general, only those failures are considered as "errors" which can arise due to aging processes or environmental influences when operating within the specified operating parameters. Manipulation or improper use are not part of the failure analysis, which takes place in a so-called FMEA (Failure Modes and Effects Analysis) or FMEDA (Failure Modes, Effects and Diagnostics Analysis).
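As an added worked example (not from the standard or this article), the following Python code carries the quantities described in the preceding paragraphs through for a constructed single-channel relay: SFF and diagnostic coverage from the four failure classes, the simplified 1oo1 low-demand PFD_avg for a given proof test interval, the SIL band of IEC 61508-1 into which that value falls, and what happens to the same device when its self-test never runs because the contacts never change state. The failure rates are constructed sample values, and the 1oo1 formula is the simplified one from IEC 61508-6 with repair time and common-cause terms neglected.

```python
from dataclasses import dataclass
FIT = 1e-9  # 1 FIT = one failure per 1e9 operating hours

@dataclass(frozen=True)
class FailureRates:
    """Failure rates in FIT, split into the four IEC 61508 failure classes."""
    sd: float  # safe, detected by the diagnosis (lambda_SD)
    su: float  # safe, undetected (lambda_SU)
    dd: float  # dangerous, detected (lambda_DD)
    du: float  # dangerous, undetected (lambda_DU): the critical class

    def sff(self) -> float:
        """Safe Failure Fraction: share of all failures that are not dangerous-undetected."""
        total = self.sd + self.su + self.dd + self.du
        return (total - self.du) / total

    def dc(self) -> float:  # diagnostic coverage: share of dangerous failures detected
        return self.dd / (self.dd + self.du)

    def pfd_avg_1oo1(self, proof_test_interval_h: float) -> float:
        """Simplified single-channel low-demand formula PFD_avg ~ lambda_DU * T1 / 2
        (mean repair time and common-cause terms neglected)."""
        return self.du * FIT * proof_test_interval_h / 2

def without_diagnosis(r: FailureRates) -> FailureRates:
    """Relay whose contacts never change state: the self-test cannot run, so
    every detected failure becomes undetected and DC falls to 0 %."""
    return FailureRates(sd=0.0, su=r.sd + r.su, dd=0.0, du=r.dd + r.du)

# SIL bands (lower, upper) from IEC 61508-1: PFD_avg for low demand, PFH for high demand
SIL_BANDS = {
    "low":  {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)},
    "high": {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)},
}

def sil_band(value: float, mode: str = "low"):
    """SIL whose band contains the value, or None outside the table. Reliability only:
    architectural constraints (SFF/HFT) and systematic capability must be met as well."""
    for sil, (lo, hi) in SIL_BANDS[mode].items():
        if lo <= value < hi:
            return sil
    return None

RELAY = FailureRates(sd=200, su=100, dd=180, du=20)  # constructed sample, 500 FIT in total
T1_20_YEARS = 20 * 8760  # proof test interval equal to a 20-year service life, in hours

if __name__ == "__main__":
    for label, r in (("diagnosis runs", RELAY), ("diagnosis never runs", without_diagnosis(RELAY))):
        pfd = r.pfd_avg_1oo1(T1_20_YEARS)
        print(f"{label}: SFF={r.sff():.3f} DC={r.dc():.2f} PFD_avg={pfd:.2e} -> SIL {sil_band(pfd)}")
```

With the sample values, the relay whose self-test runs lands in the SIL 2 band of PFD_avg, while the identical relay whose contacts never change state drops to SIL 1 with an SFF of 0.6, which is the effect the paragraph on EN 50205 relays describes.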

In general, two-channel or multi-channel systems in which each channel can trigger the safety function on its own can achieve a higher SIL with less technical effort than single-channel systems. A channel is the flow of information through a safety chain (safety loop), starting with the request for the safety function (e.g. by a sensor, proximity detector, light barrier or button) and ending with the actuator or final control element that brings a machine into the safe state. In single-channel systems, considerably more diagnostics are necessary so that errors can be detected within the so-called "process safety time" before they can have dangerous effects. Systems are further subdivided into "Type A" and "Type B", with the latter containing complex circuits such as microchips, whereas Type A systems consist only of discrete elements.

The highly abstract IEC 61508 almost completely covers EN ISO 13849-1, which is easier to use in practice, with regard to the performance level (PL) of a device; otherwise, however, it goes far beyond its content. A SIL can be translated directly into a performance level (PL) by means of a table. However, when considering faults in accordance with IEC 61508 within an FMEA, only the first fault is considered, so that categories 3 and 4 (in accordance with EN ISO 13849-1), which deal with two or more faults, can only be demonstrated using the procedures of EN ISO 13849-1. In contrast to EN ISO 13849-1, IEC 61508, and the sector standard IEC 62061 derived from it, is geared towards electronic systems, while EN ISO 13849-1 can also be used for mechanical systems.

Standardization

The standard IEC 61508 "Functional safety of safety-related electrical/electronic/programmable electronic systems" consists of the following parts:

  • Part 0: Functional safety and IEC 61508 (IEC/TR 61508-0:2005-10)
  • Part 1: General requirements (IEC 61508-1:2010)
  • Part 2: Requirements for safety-related electrical/electronic/programmable electronic systems (IEC 61508-2:2010)
  • Part 3: Requirements for software (IEC 61508-3:2010)
  • Part 4: Terms and abbreviations (IEC 61508-4:2010)
  • Part 5: Examples for determining the safety integrity level (IEC 61508-5:2010)
  • Part 6: Application guideline for IEC 61508-2 and IEC 61508-3 (IEC 61508-6:2010)
  • Part 7: Application notes on procedures and measures (IEC 61508-7:2010)

These standards have been published in Germany, Austria and Switzerland as national standards with the prefixes DIN, ÖVE/ÖNORM and SN respectively.

The latest version of IEC 61508, Edition 2.0, was published on April 30, 2010. In Germany it was handled by DKE committee 914.

Literature

  • J. Börcsök: Electronic safety systems. Hüthig GmbH & Co. KG, Heidelberg 2004, ISBN 3-7785-2939-0.
  • H. Hölscher, J. Rader: Microcomputers in safety technology. Verlag TÜV Rheinland, Cologne 1984, ISBN 3-88585-180-6.
  • P. Wratil, M. Kieviet: Safety technology for components and systems. Hüthig GmbH & Co. KG, Heidelberg 2007, ISBN 3-7785-2984-6.
