IEC 61508:2010 is the second edition, and the current version, of the international standard issued by the International Electrotechnical Commission (IEC) for the functional safety of electrical, electronic, and programmable electronic (E/E/PE) safety-related systems. The standard takes a risk-based approach: the safety measures applied to a system are derived from the hazards, internal or external to the system, that it needs protection from.
IEC 61508:2010 is an umbrella performance-based standard primarily for manufacturers and suppliers of devices and is also applied directly to industries where industry-specific standards do not exist. To support the standard, IEC has since developed industry-specific derivative standards, such as:
- IEC 61513 defines requirements and recommendations for the instrumentation and control of systems critical to the safety of nuclear power plants
- IEC 61511 sets out practices for designers, integrators, and users of safety instrumented systems that protect industrial processes in the process industry sector. Its scope covers manufacturing processes such as refineries, petrochemical, chemical, pharmaceutical, pulp and paper, and power generation
- IEC 62061 provides requirements that apply to the system-level design of all types of machinery safety-related electrical control systems
- IEC 62279 covers the development of software for railway control and protection
IEC identifies the following safety-related systems as examples of where the standard can be applied:
- Emergency shutdown systems
- Fire and gas systems
- Turbine control
- Gas burner management
- Crane automatic safe-load indicators
- Guard interlocking and emergency stopping systems for machinery
- Medical devices
- Dynamic positioning to control a ship’s movement when in proximity to an offshore installation
- Railway signaling systems including moving block train signaling
- Variable speed motor drives used to restrict speed as a means of protection
- Remote monitoring, operation or programming of a network-enabled process plant
- Information-based decision support tools where erroneous results affect safety
This article provides an overview of the IEC 61508 standard.
The seven parts of IEC 61508
The IEC 61508 standard sets out the requirements for ensuring that industrial systems are designed, implemented, operated, and maintained so that they deliver the required safety integrity level (SIL). It specifies techniques that all stakeholders in the supply chain can follow to control random hardware failures, avoid systematic failures, and use common terminology and system parameters.
The standard is in seven (7) parts:
Part one (general requirements) defines the overall safety lifecycle and the management of functional safety across it. It allows qualitative or quantitative techniques to be used to determine the risk that the equipment under control poses and the risk reduction required of the safety-related system, and it covers supporting activities such as project management, quality assurance, configuration management, and documentation.
Part two provides the requirements and objectives for the development of the E/E/PE safety-related system itself, including its hardware.
Part three provides the requirements and objectives for the development of the software residing in the E/E/PE system.
Part four provides the definitions, abbreviations, and terminology used in the safety process, which must be adhered to in order to maintain consistency.
Part five gives worked examples of methods for determining the safety integrity level (SIL) required of a safety-related system; it is informative rather than normative.
Part six offers guidelines for applying IEC 61508 parts two and three.
The final part of IEC 61508 provides the safety techniques and measures relevant to parts two and three. These are industry-wide methods that the standard employs for safety.
Scope of IEC 61508
The IEC 61508 standard’s primary focus is E/E/PE safety-related systems whose failure could impact the safety of persons and/or the environment. Since the consequences of such a failure could also have profound economic implications, the standard is applicable as well to any E/E/PE system used for the protection of equipment or product. This extended application means the standard can be used to specify and implement systems whose functional performance criteria are not safety but asset or environmental protection.
Hazard & Risk Analysis
The standard’s fundamental principle is that safety requirements should be based on analyzing the risks posed by the equipment under control (EUC) and its control system. Hazard and risk analysis consists of three (3) stages: hazard identification, analysis, and risk assessment.
- The standard defines a hazard as a “potential source of harm.” Since the EUC and its control system may pose many hazards, each carrying its own risk, the fault conditions leading to each hazard must be considered.
- Hazard analysis is the study of the sequence of events leading to the various identified hazards and their consequences.
- Risk assessment is the evaluation or estimation of the risk of each hazardous event found during the hazard identification stage. It is the user’s responsibility to decide how to do this. However, the standard notes that the requirement may be met by “either qualitative or quantitative hazard and risk analysis techniques.”
The ALARP principle is a tool for deciding what risk is tolerable. It is generally recognized that there is a level of risk that is considered negligible and another that is intolerable under any circumstance. Whether a risk between these two extremes is accepted depends on a cost/benefit analysis. The ALARP principle dictates that a risk in this intermediate region should be made “as low as reasonably practicable (ALARP),” meaning it should be reduced whenever the cost of the reduction is proportionate to the benefit gained.
Safety Integrity Level (SIL)
Part 4 of the standard (IEC 61508-4) defines safety integrity as the “probability of an E/E/PE safety-related system satisfactorily performing the specified safety functions under all the stated conditions within a stated period of time.” A safety integrity level (SIL) is defined as “a discrete level (one of 4) for specifying the safety integrity requirements of safety functions.”
The standard defines four safety integrity levels, SIL 1 (lowest) to SIL 4 (highest). A SIL is a measure of the intended reliability of a safety function: for a function operating in low demand mode, each SIL corresponds to one decade of average probability of dangerous failure on demand (PFDavg), from 10^-2 to 10^-1 for SIL 1 down to 10^-5 to 10^-4 for SIL 4. To deduce a SIL, the following applies: the greater the required risk reduction, the more reliable the safety-related system needs to be, and therefore the higher its SIL.
Safety requirements specifications
Once the risks that need reduction are identified, safety requirements statements can be made. The standard notes that a safety requirement consists of two elements: a safety function and an associated safety integrity level. Safety requirements may initially be defined in “high-level” terms of what risk reduction needs to be achieved — for example, “the frequency of hazardous event X must be reduced from occasional to improbable.”
As a second step, these requirements must be refined into safety functions that achieve the required risk reduction. Finally, the safety functions must be allocated to safety-related systems. Design trade-offs may be necessary to balance the desired safety level against the overall cost.
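The chain from required risk reduction to SIL described above can be made concrete in a few lines. The following is an added example, not code from the original article or from ORIGNIX: it credits any non-SIF independent protection layers first, computes the risk reduction factor (RRF) the safety function must still provide, and maps it onto the low demand PFDavg bands of IEC 61508-1 Table 2. The hazard scenarios, the numeric calibration of the qualitative frequency classes (IEC 61508-5 names the classes but leaves the numbers to the user), and the protection-layer credits are constructed sample values. Exact arithmetic with `Fraction` is used so that decade boundaries such as a PFD target of exactly 10^-3 land in the band the standard assigns them to, which naive floating point does not guarantee.

```python
"""Derive a target SIL from the required risk reduction (added example).

Not code from the original article or from ORIGNIX. Follows the IEC 61508-1
chain hazard -> tolerable risk -> required risk reduction -> SIL for a
safety function in low demand mode, using the PFDavg bands of IEC 61508-1
Table 2. Frequency-class calibration, scenarios and protection-layer credits
are constructed sample values, not values from the standard.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from math import prod
from typing import List, Optional

# IEC 61508-1 Table 2 (low demand mode): SIL n <=> PFDavg in [10^-(n+1), 10^-n),
# i.e. risk reduction factor RRF = 1 / PFDavg in (10^n, 10^(n+1)].
SIL_RRF_BANDS = {sil: (10 ** sil, 10 ** (sil + 1)) for sil in (1, 2, 3, 4)}

# Constructed calibration (events per year) of the qualitative frequency
# classes named in IEC 61508-5. Assumption for this example only.
FREQUENCY_CLASS_PER_YEAR = {
    "frequent": Fraction(1),
    "probable": Fraction("1e-1"),
    "occasional": Fraction("1e-2"),
    "remote": Fraction("1e-3"),
    "improbable": Fraction("1e-4"),
    "incredible": Fraction("1e-5"),
}


@dataclass
class Scenario:
    """One hazardous event identified in the hazard and risk analysis."""
    name: str
    unmitigated_freq: Fraction            # events/year from EUC + control system alone
    tolerable_freq: Fraction              # events/year the organisation accepts
    ipl_pfds: List[Fraction] = field(default_factory=list)  # non-SIF protection layers

    def __post_init__(self):
        # Go through str() so that "0.1" and 0.1 both become exactly 1/10.
        self.unmitigated_freq = Fraction(str(self.unmitigated_freq))
        self.tolerable_freq = Fraction(str(self.tolerable_freq))
        self.ipl_pfds = [Fraction(str(p)) for p in self.ipl_pfds]

    @classmethod
    def from_classes(cls, name, current, target, ipl_pfds=()):
        """Build a scenario from two qualitative classes, e.g. 'occasional' -> 'improbable'."""
        return cls(name, FREQUENCY_CLASS_PER_YEAR[current],
                   FREQUENCY_CLASS_PER_YEAR[target], list(ipl_pfds))


@dataclass
class Allocation:
    rrf: Fraction
    sil: Optional[int]      # 0 = no SIL-rated function needed, None = beyond SIL 4
    verdict: str

    @property
    def pfd_target(self) -> Fraction:
        return 1 / self.rrf


def allocate(s: Scenario) -> Allocation:
    """Risk reduction the safety function must provide, and the SIL band it falls in."""
    # Credit the other independent protection layers first; only the residual
    # risk has to be covered by the safety instrumented function.
    mitigated = s.unmitigated_freq * prod(s.ipl_pfds, start=Fraction(1))
    rrf = mitigated / s.tolerable_freq
    if rrf <= 1:
        return Allocation(rrf, 0, "already within tolerable risk; no safety function required")
    if rrf <= 10:
        return Allocation(rrf, 0, "PFD target >= 0.1 lies below SIL 1; no SIL can be claimed, "
                                  "use other risk reduction measures")
    for sil, (lo, hi) in SIL_RRF_BANDS.items():
        if lo < rrf <= hi:
            return Allocation(rrf, sil, f"SIL {sil} safety function required")
    return Allocation(rrf, None, "RRF > 1e5 is beyond SIL 4; a single safety function cannot "
                                 "claim it, redesign the EUC or add independent protection layers")


if __name__ == "__main__":
    cases = [
        Scenario.from_classes("reactor overpressure", "occasional", "improbable"),
        Scenario.from_classes("reactor overpressure, relief valve credited",
                              "occasional", "improbable", ipl_pfds=["0.01"]),
        Scenario.from_classes("furnace flameout", "frequent", "incredible", ipl_pfds=["0.1"]),
        Scenario("runaway reaction", 5, "1e-5"),
    ]
    for c in cases:
        a = allocate(c)
        print(f"{c.name}: RRF={float(a.rrf):g}, PFD target={float(a.pfd_target):.1e}, "
              f"SIL={a.sil} ({a.verdict})")
```

Running the block prints one line per scenario; note how the relief-valve credit alone brings the second scenario within tolerable risk, so no SIL-rated function is needed there, while the last scenario shows the other edge case, a required risk reduction that no single safety function can claim.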
The safety lifecycle
The safety lifecycle is core to the IEC 61508 standard. Unlike other lifecycles, which deal with the development of a single system or product, the safety lifecycle may address several systems at once: the EUC, its control system, and any other safety-related systems that implement safety functions.
Phases 1 and 2 of the safety lifecycle address the safety implications of the EUC, its control system, and their environment at the system level. These phases establish the concept and overall scope, for example the purpose of the EUC, its physical boundary, its system-level hazards, and any legislation that applies to it and its safety.
Phase 3 of the safety lifecycle is where the hazards and risks posed by the EUC and its control system are assessed. Once the necessary risk reduction has been defined, the means of achieving it are specified as overall safety requirements in Phase 4.
In Phase 5 the overall safety requirements are refined into safety functions and allocated to safety-related systems. This is the phase where the overall design issues are addressed, such as how each risk is to be reduced, which risks can be grouped and mitigated by a single countermeasure, and whether specific safety functions must be kept separate from others. This step is repeated until the allocation of the high-level safety requirements is “optimum.”
Phases 9, 10, and 11 deal with specifying and realizing the safety-related systems, whether they are E/E/PE systems or other risk reduction measures. Parts 2 and 3 of the standard apply to the E/E/PE systems developed in these phases.
Phases 6, 7, and 8 are the overarching planning steps of the lifecycle: planning for overall operation and maintenance, overall safety validation, and overall installation and commissioning. Finally, Phases 12 to 16 cover installation and commissioning, safety validation, operation, maintenance and repair, modification and retrofit, and decommissioning, demonstrating that the standard manages functional safety throughout a system’s life.
IEC 61508 and cybersecurity
The second edition of IEC 61508 addresses cybersecurity only briefly, and much of what it says is informative guidance rather than normative requirements. It states that:
- Malevolent and unauthorized actions have to be considered during hazard and risk analysis.
- A security threat analysis should be carried out if the hazard analysis identifies a malevolent or unauthorized action as reasonably foreseeable, and a vulnerability analysis should follow if security threats are identified.
- Security requirements need to be specified once the threat and vulnerability analyses have been conducted.
- Guidance on security risk analysis should be sought from the IEC 62443 series.
However, the IEC 61508 standard itself does not advise on:
- Cybersecurity threats and measures
- Methods to determine when a cybersecurity analysis is needed
- How a cybersecurity analysis would need to be conducted
Benefits for all stakeholders
The IEC 61508 standard benefits all functional safety stakeholders.
From a manufacturer’s perspective, certifying a critical system against the safety requirements of IEC 61508 greatly enhances the credibility of the product. The higher the safety integrity level (SIL) a supplier can demonstrate to clients, the greater its competitive advantage and the better its chances of winning client contracts.
High-quality architecture to ensure public safety is essential to the success of these safety-related or safety-critical systems. IEC 61508 certification gives both hardware and software vendors significant advantages over their competitors, enough to justify the investment of time and money.
On the other hand, industries should invest in functional safety for many good reasons:
- Safety of people. It is vital to minimize the risks that might affect employees, contractors, and the general population.
- Protection of mission-critical equipment.
- Protection of the environment.
- Regulatory and legislative compliance. When an accident occurs, investigators and auditors will examine the degree of compliance in depth, and shortfalls can lead to severe legal consequences for the company.
- Lower insurance policy costs.
- Brand reputation. Even a small-scale incident can have an immediate reputational impact through social media and networks. The brand image is one of the greatest assets for companies; a reputational hit could damage profits and shareholder confidence.
- Safeguarding production reliability and safety. The loss of production resulting from an accident can be substantial, and the consequences can extend as far as the closure of the facility.
How ORIGNIX helps
ORIGNIX delivers bespoke cybersecurity engineering services for the inherently safer design and operation of industrial processes. We apply systematic cyber and operational risk assessment using well-established techniques and templates. Our cyber Process Risk Assessment (cyberPRA) methodology is based on the ISA/IEC 62443 and IEC 61511 (part of the IEC 61508 umbrella) industry standards. The assessment identifies potential gaps, hazards, vulnerabilities, and independent protection layers associated with engineered industrial processes at plant facilities. The identified cyber risks are prioritized based on a realistic cost-benefit analysis.
To learn how our customers benefit, visit our website.