Subscribe, Like, Rate...
Related Content

View more by Tom-M

EZ Spotlight Topics
Can Designers Really Ignore Part 1 of IEC 61508?

Can Designers Really Ignore Part 1 of IEC 61508?

Tom-M
4 minute read time.

The IEC 61508 standard comes in 7 parts. There is a part 0 which is a technical report and hasn’t been updated since 2005. Parts 1, 2 and 3 contain normative requirements (i.e. things you must do to claim conformance), part 4 is normative but only contains definitions and parts 5,6 and 7 are informative in that they give assistance in how to apply parts 1, 2 and 3. A nice overview of the various parts of IEC 61508 is given in figure 1 of part 1.

Figure 1 - an overview of the parts of IEC 61508

Other interesting views of the standard are given in figures 2 and 3.

Figure 2 - overall safety lifecycle according to IEC 61508

The box 10 above is further elaborated in figures 3 and 4 of IEC 61508-1 and mostly relates to what is contained in parts 1 and 2. This begs the question as to whether only box 10 above is  relevant to people developing hardware or software elements; including integrated circuits.

The activities in boxes 1 through 16 are summarized in table 1 of IEC 61508-1 and further expanded on in its sub-clauses 7.2 (concept) to 7.17 (decommissioning or disposal).

Figure 3 top 1.5 rows of IEC 61508-1 table 1

For software, design part 3 contains the main software requirements and for a hardware element, sub-system or system part 2 contains the requirements. Part 2 is the most important part for an integrated circuit manufacturer (an upcoming blog will discuss the topic of whether Verilog and VHDL used to design digital circuits are hardware or software).

The question then is how relevant is part 1 of IEC 61508 for an IC manufacturer such as Analog Devices?

Indeed, how important is it for machine builders and the like noting that IEC 62061:2005 states “Subsystem(s) incorporating complex components shall comply with IEC 61508-2 and IEC 61508-3 for the required SIL” with no mention of part 1?

When reading standards, it is always good to start with the scope.

Figure 4 Excerpt from the scope of IEC 61508-2

The scope of part 2 offers some guidance...

  • Item a) says you must at least read and understand part 1
  • Item d) shows how part 2 follows part 1 to implement the items from the design requirements specification extracted from the system safety requirements specification from part 1 and this is re-enforced by the V-model for an ASIC development given in IEC 61508-2:2010 figure 3; where the E/E/PE system safety requirements specification is drawn to the left of the V model along with the E/E/PE system architecture stage.

Figure 5 - V model for an ASIC from IEC 61508-2

Taking all the above on board I generated the following table of relevance of the clauses and main sub-clauses of IEC 61508 part 1 for an integrated circuit development.

When preparing this table, I used the SEooC definition from ISO 26262-1:2018.

Figure 6 - Definition of an SEooC from ISO 26262

Using the SEooC definition separates two uses cases

Case 1 – A customer comes to ADI looking for an IC developed in compliance to IEC 61508 for use in their system or sub-system and hands a safety requirements specification to the ADI team.

Case 2 – ADI wants to design an IC for use in safety systems but doesn’t have a lead customer and therefore must assume an environment and generate the IC safety requirements for ourselves.

I equate case 2 to an SEooC.

Figure 7 - Relevance of clauses and sub-clauses of part 1 to an IC development

Some of the clauses from part 1 and some from clauses 4, 5, 6 and 8 are easy to identify as part 2 refers to them directly and gives little or no other guidance on the topic.

Figure 8 - Example of a direct reference to part 1 in IEC 61508 part 2

Others such as 7.7, 7.8, 7.12, 7.13 are clearly not applicable to an IC development. Still others are replaced by their own clauses in part 2 such as sub-clause 7.8 on “overall safety validation planning”.

What remains then from part 1 are clauses such as 7.2 (concept), 7.3 (overall scope definition), 7.4 (hazard and risk analysis), 7.5 (overall safety requirements) and 7.6 (overall safety requirements allocation) which I believe are necessary for the IC developer to comply with if doing an SEooC.

For instance, if doing an open market/SEooC integrated circuit unless you implement the requirements from the 7.2 (concept) phase how do we know what the end use environment of our IC will be in order to generate the ASIC safety design requirements. The assumptions made during phases 7.2 to 7.6 above would then need to be documented in the safety manual and the person designing the IC into their system would have to make sure the ADI assumptions match the actual system safety requirements specification or implement some sort of compensating measures.

The above view is supported by IEC 61508-2:2010 7.2.2.1 which states that the specification of the E/E/PE system design requirements shall be derived from the E/E/PE system safety requirements, specified in 7.10 of IEC 61508-1. Which IEC 61508-1 in turn says is “7.10 E/E/PE system safety requirements specification

While the discussion in this blog has centered on an IC development, I believe most of the ideas expressed would apply to hardware items such as temperature transmitters and analog input output cards for a PLC.

Note – this discussion is based on IEC 61508:2010.

Tags: safety expert Industrial Automation Technology (IAT) adisafetyblogs Industrial Automation Technology cyber security Show More
    •  Analog Employees 
    in reply to herdingCats

    The phases you reference are concept, overall scope definition, hazard and risk analysis, overall safety requirements and overall safety requirements allocation. I sympathezie with your points above but still think you should go through those stays even with a reduced level of detail. You are also free to combine the documenation for these phases. Take the concept phase. Perhaps your C is intended for motor control in the concept phase you would outline the environment the chip must operate in etc. You could say that the IC designers know this but it is good to right it down and document it. Its amazing what people can forgot and it makes life easier for those who might not understand such an environment. Similarly for the hazard and risk analysis you can identify functions such as STO that the IC will play a role in and so expose requirements required for STO (safe torque off from IEC 61800-5-2). In addition it will help your QA and safety assessors who might not be subject matter experts to understand the decisions you are making. I think standards such as IEC 61508 should be viewed holistically. I don't believe you can pick and choose the bits to apply (accepting you can tailor the process) and several of the clauses are complementary and depend on all  the previous steps being done to get the maximum benefit from the measures given to prevent the introduction of design errors. 

    •  in reply to herdingCats

      In the above case, I submit its all about intended vs unintended operation. The safety manual shall outline all assumptions of use including any prescribed conditions (connections etc..) to make sure the CPU meets its intended operation and unintended detection function in context to what the CPU does. What value is additional guidance from (7.2 to 7.6) which would be made up example? I have thousands of customers each are running different applications. I do see application notes as examples valuable but not in the context of a safety manual.

      •  in reply to Tom-M

        Say i'm a CPU manufacture that specifies limits in the operation environment (clock, temperature etc). Within this CPU design I provide a method to detect unintended operation which in this case a second CPU which operates in lockstep (a.k.a a diagnostic). I also provide testing to attest to the quality of the diagnostic. Other than the assumptions of use with relates to perhaps startup, connections to I/O (address, data, control plane - errors IRQ etc) and other operating parameters that enables the CPU to execute the intended ISA which is in the safety manual that is in-context to the care and feeding of the CPU and its diagnostic capability how does this relate to clauses 7.2 thru 7.6?

        •  Analog Employees 
        in reply to herdingCats

        in this case the developer needs to make assumptions and list those assumptions in their safety manual. The system integrator must then verify that the assumptions made by the developer are consistent with their use case of the SEooC. In some cases making the right assumptions can be easy in other cases in can be difficult. Make the wrong assumptions and it means you SEooC device will not be suitable for use in some or all of you target applications. 

        •

          This issue I have is one of scope. The major issue for SEooC's is characterizing intended functionality and detection of unintended functional behavior. If the intended functionality meets the requirement of the system integrator then detecting unintended functional behavior becomes key. Since the manufacture of an SEooC has no knowledge of the system integrator's concept, hazard and risk analysis, overall safety requirements and overall safety requirement allocation i would assume these do not apply.