3.1: IEC 61508 Context
IEC 61508 Overview
Standard Structure
IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
7-Part Standard:
IEC 61508
├── Part 1: General requirements (framework, safety lifecycle)
├── Part 2: Requirements for E/E/PE safety-related systems (hardware)
├── Part 3: Software requirements (SOFTWARE ← our focus)
├── Part 4: Definitions and abbreviations
├── Part 5: Examples of methods for determination of SILs
├── Part 6: Guidelines on application of Parts 2 and 3
└── Part 7: Overview of techniques and measures
Our Focus: Part 3 (Software) - Requirements for SIL 3 software development.
Safety Lifecycle (IEC 61508-1, Clause 7)
V-Model for Safety-Critical Systems
The IEC 61508 safety lifecycle maps onto the V-Model: the left leg runs from hazard and risk analysis through safety requirements, architecture and module design, the right leg from module test through integration and overall safety validation, and the target SIL sets the verification rigor required at each phase. ASPICE capability levels provide complementary process coverage for the same phases.
ASPICE ↔ IEC 61508 Mapping:
- ASPICE CL2 covers roughly 60-70% of IEC 61508 Part 3 requirements (a rule of thumb derived from work-product overlap, not a normative figure)
- Additional IEC 61508 requirements not covered by ASPICE: failure modes analysis, SIL verification calculations (PFDavg, diagnostic coverage), diverse redundancy, proof test procedures
SIL Determination (IEC 61508-5)
Hazard and Risk Analysis for ESD System
Scenario: Chemical reactor thermal runaway
Hazard: Exothermic reaction exceeds cooling capacity → pressure vessel rupture → toxic gas release
Consequence Severity:
- Catastrophic (S4): Multiple fatalities, environmental disaster
- Example of the scale involved: the 2005 Buncefield oil depot explosion (UK), 43 injured and damage of around £1 billion; a different failure mechanism (tank overfill rather than thermal runaway), and it caused no deaths only because it occurred early on a Sunday morning
Risk Reduction Requirement:
- Tolerable Risk: 10⁻⁶ fatalities/year (a widely used target for individual risk to a member of the public; the binding criterion comes from the site's and regulator's risk acceptance policy)
- Baseline Risk (no safety system): 10⁻² fatalities/year (historical data)
- Required Risk Reduction: 10⁻² / 10⁻⁶ = 10,000× reduction
SIL Allocation:
Risk Reduction Factor (RRF) Required: 10,000
IEC 61508-1 Table 2 (low demand mode, demands no more than once per year):
- SIL 1: RRF = 10 to 100 → PFDavg = 10⁻¹ to 10⁻²
- SIL 2: RRF = 100 to 1,000 → PFDavg = 10⁻² to 10⁻³
- SIL 3: RRF = 1,000 to 10,000 → PFDavg = 10⁻³ to 10⁻⁴ ← Target
- SIL 4: RRF = 10,000 to 100,000 → PFDavg = 10⁻⁴ to 10⁻⁵
Verdict: SIL 3 required for Emergency Shutdown System. Note that an RRF of exactly 10,000 (PFDavg = 10⁻⁴) sits on the boundary between SIL 3 and SIL 4: the design must demonstrate PFDavg ≤ 10⁻⁴ for the whole loop, not merely "somewhere in the SIL 3 band", and if the baseline or tolerable risk figures carry real uncertainty, either a SIL 4 claim or additional independent protection layers (credited through LOPA) should be considered.
PFDavg: Probability of Failure on Demand (average) - likelihood that safety function fails when needed.
LOPA Reference: For complex processes, Layer of Protection Analysis (LOPA) as per IEC 61511 (process sector) provides a systematic method to verify SIL allocation against multiple protection layers (BPCS, alarms, relief devices, ESD). LOPA worksheets complement the risk graph method shown above.
Safety Requirements Specification (SRS)
System-Level Safety Requirements (SYS.2 + IEC 61508)
Tool: IBM DOORS Next (requirement management)
Example Safety Function: Emergency Reactor Shutdown
Requirement ID: SIL3-SF-001
Title: Emergency Shutdown on High Temperature
Type: Safety Function (SIL 3)
Safety Integrity Level: SIL 3 (PFDavg ≤ 10⁻⁴, i.e. RRF ≥ 10,000; the SIL 3 band is 10⁻⁴ ≤ PFDavg < 10⁻³)
Functional Description:
The ESD system shall initiate emergency reactor shutdown when the reactor
temperature exceeds 350°C (High-High alarm threshold).
Safety Actions (within 2 seconds):
1. Close reactor feed valve (V-101)
2. Open emergency cooling valve (V-201)
3. Trip reactor agitator motor (M-301)
4. Activate plant-wide alarm (audible + visual)
Fail-Safe Behavior:
- On sensor failure: Assume unsafe condition, trigger shutdown
- On actuator failure: Manual intervention required (operator notified)
- On PLC failure: Watchdog triggers hardware-based shutdown (relay logic)
Safety Requirements:
- Response Time: ≤2 seconds from sensor detection to valve actuation
- Sensor Configuration: 2oo3 voting (2 out of 3 temperature sensors must agree)
- Actuator Redundancy: Dual solenoid valves per final element, de-energize-to-trip (loss of output signal or power drives the valve to its safe position: V-101 fail-close, V-201 fail-open)
- Diagnostic Coverage: ≥99% (self-tests detect 99% of faults)
- Proof Test Interval: 12 months (manual functional test)
Traceability:
- Derived From: [PHA-HAZARD-03] "Reactor overheat leading to thermal runaway"
- Allocated To: [SWE-SF-001] "Temperature monitoring and shutdown logic"
- Verified By: [FAT-TC-001] "High temperature trip test"
AI-Assisted Requirements Extraction
Process: Extract safety requirements from Process Hazard Analysis (PHA) document
Input: 120-page PHA report (HAZOP study) from ChemSafe Industries
Prompt to ChatGPT-4:
Analyze the attached PHA (Process Hazard Analysis) for a chemical reactor.
Extract all safety functions related to emergency shutdown.
For each safety function, provide:
1. Triggering condition (sensor, threshold)
2. Required SIL (based on consequence severity)
3. Safety actions (valves, motors, alarms)
4. Response time requirement
5. Fail-safe behavior
Context:
- Reactor operates at 300°C, 15 bar
- Hazardous material: methylamine (toxic, flammable)
- Existing safeguards: pressure relief valve (PRV), rupture disk
- Target: SIL 3 for critical functions
[Paste PHA excerpt]
AI Output (ChatGPT-4):
## Extracted Safety Functions
### SF-001: High Temperature Trip (SIL 3)
- **Trigger**: Reactor temperature ≥ 350°C (2oo3 voting)
- **SIL**: SIL 3 (consequence: catastrophic, likelihood: medium)
- **Actions**:
1. Close feed valve V-101 (fail-close)
2. Open emergency cooling V-201 (fail-open)
3. Trip agitator M-301
4. Alarm: REACTOR OVERHEAT
- **Response Time**: ≤2 seconds
- **Fail-Safe**: On sensor failure, assume unsafe → shutdown
### SF-002: High Pressure Trip (SIL 3)
- **Trigger**: Reactor pressure ≥ 18 bar (1oo2 voting)
- **SIL**: SIL 3
- **Actions**:
1. Close feed valve V-101
2. Open pressure vent V-301 (to flare system)
3. Alarm: REACTOR OVERPRESSURE
- **Response Time**: ≤1 second
- **Fail-Safe**: On sensor failure → shutdown
### SF-003: Low Cooling Flow (SIL 2)
- **Trigger**: Cooling water flow < 50 L/min (1oo1)
- **SIL**: SIL 2 (consequence: major, likelihood: low)
- **Actions**:
1. Reduce reactor feed rate (throttle V-101 to 30%)
2. Alarm: COOLING FLOW LOW
- **Response Time**: ≤5 seconds
- **Fail-Safe**: On sensor failure → reduce feed rate
[... 9 more safety functions extracted ...]
Time Saved: 40 hours → 15 hours (62% reduction)
Engineer Review: Safety engineer validates AI output against PHA, corrects 3 misinterpretations, approves final SRS.
AI-Extracted Safety Function Validation: Always validate AI-extracted safety functions through: (1) Cross-check with original PHA hazards, (2) Verify SIL allocation against risk assessment, (3) Confirm fail-safe directions with process engineers. AI accelerates extraction but human validation remains mandatory for IEC 61508 compliance.
Software Safety Requirements (SWE.1)
Derivation from System Requirements
System Requirement (SIL3-SF-001): Emergency shutdown on high temperature
Derived Software Requirements:
[SWE-SF-001] Temperature Sensor Acquisition
Software shall read 3x RTD (Resistance Temperature Detector) sensors
every 100ms via AI module SM 1531.
Input Range: 0-500°C (Pt100, 4-wire)
Resolution: 0.1°C
Plausibility Check: Reject readings outside 0-600°C
Timeout: Sensor failure if no valid data for 500ms
[SWE-SF-002] 2oo3 Voting Logic
Software shall implement 2-out-of-3 voting for temperature sensors.
Algorithm:
1. Sort 3 sensor readings: T1, T2, T3
2. Calculate median: T_median = T2 (middle value)
3. If median ≥ 350°C → Trigger shutdown
4. If any sensor fails → Switch to 1oo2 voting (use 2 remaining sensors)
5. If 2+ sensors fail → Enter safe state (shutdown)
Rationale: 2oo3 tolerates one channel failing in either direction: a channel that fails high is outvoted by the other two (no spurious trip), and a channel that fails low cannot mask a real demand. Degrading to 1oo2 after a detected failure keeps the trip available at the cost of higher spurious-trip exposure; after a second failure the only safe choice is to trip.
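As an added example (not code from the page or from the TIA Portal project), the following Python reference model implements SWE-SF-001's plausibility and timeout checks and SWE-SF-002's 2oo3 median vote with degradation to 1oo2 and to the safe state, so the logic can be unit tested before it is written as the FB_2oo3_Voting function block in IEC 61131-3 ST. Threshold, plausibility window and timeout are the values from the requirements above; the inter-channel deviation alarm and the sample readings are assumptions added for illustration.

```python
"""Reference model of SWE-SF-001/002: sensor plausibility, timeout and
2oo3 voting with degradation to 1oo2 and to the safe state.
Added example in Python for offline unit testing; the deployed
implementation would be an IEC 61131-3 function block (FB_2oo3_Voting)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

TRIP_THRESHOLD_C = 350.0       # High-High trip threshold (SIL3-SF-001)
PLAUSIBLE_MIN_C = 0.0          # SWE-SF-001 plausibility window
PLAUSIBLE_MAX_C = 600.0
SENSOR_TIMEOUT_MS = 500        # SWE-SF-001: no valid sample for 500 ms = channel failed
DEVIATION_LIMIT_C = 10.0       # assumed, not in the SRS: inter-channel deviation alarm


class Mode(Enum):
    VOTE_2OO3 = "2oo3"         # all three channels healthy: median vote
    VOTE_1OO2 = "1oo2"         # one channel failed: trip if either survivor is high
    SAFE_STATE = "safe_state"  # two or more channels failed: trip unconditionally


@dataclass(frozen=True)
class Reading:
    value_c: Optional[float]   # None = the AI module delivered no sample
    age_ms: int                # time since the last valid sample


@dataclass(frozen=True)
class VoteResult:
    trip: bool
    mode: Mode
    voted_c: Optional[float]   # the value the decision was based on
    deviation_alarm: bool      # surviving channels disagree by more than the limit


def channel_valid(r: Reading) -> bool:
    """A channel is usable only if it is fresh and inside the plausibility window."""
    if r.value_c is None or r.age_ms > SENSOR_TIMEOUT_MS:
        return False
    return PLAUSIBLE_MIN_C <= r.value_c <= PLAUSIBLE_MAX_C


def vote(readings: List[Reading]) -> VoteResult:
    """2oo3 median vote with safe degradation (SWE-SF-002 steps 1-5)."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    good = sorted(r.value_c for r in readings if channel_valid(r))
    deviation = len(good) >= 2 and (good[-1] - good[0]) > DEVIATION_LIMIT_C
    if len(good) == 3:
        # median >= threshold holds exactly when at least two channels are >= threshold
        median = good[1]
        return VoteResult(median >= TRIP_THRESHOLD_C, Mode.VOTE_2OO3, median, deviation)
    if len(good) == 2:
        # 1oo2: either surviving channel is allowed to trip
        highest = good[-1]
        return VoteResult(highest >= TRIP_THRESHOLD_C, Mode.VOTE_1OO2, highest, deviation)
    # fewer than two usable channels: the safe state is a shutdown
    return VoteResult(True, Mode.SAFE_STATE, None, False)


def demo() -> VoteResult:
    """Constructed sample: third channel stale (700 ms), survivors at 340 and 352 degC."""
    return vote([Reading(340.0, 100), Reading(352.0, 100), Reading(349.0, 700)])


if __name__ == "__main__":
    print(demo())
```

The demo() case shows a stale third channel dropping the vote to 1oo2, where the 352°C survivor trips and the 12°C spread between survivors raises the deviation alarm. The same cases, tabulated as channel states and expected outputs, become the unit tests for the ST function block in S7-PLCSIM.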
[SWE-SF-003] Shutdown Sequence Execution
Software shall execute shutdown sequence within 2 seconds.
Sequence:
1. t=0ms: Detect T_median ≥ 350°C
2. t=100ms: Set shutdown flag (persistent, survives PLC restart)
3. t=200ms: Close feed valve V-101 (set DO to LOW: solenoid de-energizes, spring return closes the valve, fail-close)
4. t=300ms: Open cooling valve V-201 (set DO to LOW: solenoid de-energizes, spring return opens the valve, fail-open)
5. t=400ms: Trip agitator motor M-301 (set DO to LOW, contactor opens)
6. t=500ms: Activate alarm (set DO to HIGH, horn + strobe light)
7. t=2000ms: Log event to SCADA (timestamp, sensor values, actions taken)
Timing Constraint: Total execution ≤ 2000ms (verified by cycle time measurement)
Traceability Matrix (auto-generated from DOORS):
| System Req | Software Req | Function Block | Test Case |
|---|---|---|---|
| SIL3-SF-001 | SWE-SF-001 | FB_ReadTempSensors | TC-SWE-SF-001-1 |
| SIL3-SF-001 | SWE-SF-002 | FB_2oo3_Voting | TC-SWE-SF-002-1 |
| SIL3-SF-001 | SWE-SF-003 | FB_ShutdownSequence | TC-SWE-SF-003-1 |
SIL Verification Methods (IEC 61508-1 Clause 7.6, IEC 61508-2 Clause 7.4)
SIL Determination Framework
SIL Levels and their meanings:
| SIL | Risk Reduction Factor (RRF) | PFDavg, low demand (IEC 61508-1 Table 2) | PFH, high demand/continuous (IEC 61508-1 Table 3) | Application |
|---|---|---|---|---|
| 1 | 10 to 100 | 0.1 to 0.01 (10⁻¹ - 10⁻²) | 10⁻⁵ to 10⁻⁶ /h (10,000-1,000 FIT) | Low-risk industrial (conveyors) |
| 2 | 100 to 1,000 | 0.01 to 0.001 (10⁻² - 10⁻³) | 10⁻⁶ to 10⁻⁷ /h (1,000-100 FIT) | Medium-risk (emergency stops) |
| 3 | 1,000 to 10,000 | 0.001 to 0.0001 (10⁻³ - 10⁻⁴) | 10⁻⁷ to 10⁻⁸ /h (100-10 FIT) | High-risk (chemical reactors, ESD systems) |
| 4 | 10,000 to 100,000 | 0.0001 to 0.00001 (10⁻⁴ - 10⁻⁵) | 10⁻⁸ to 10⁻⁹ /h (10-1 FIT) | Critical systems (nuclear, aviation-equivalent) |
PFDavg is the measure for this ESD (low demand mode); PFH (a dangerous failure rate per hour, 1 FIT = 10⁻⁹ /h) would apply if the function were demanded more than once a year or operated continuously. The two columns are separate target measures, not conversions of each other.
SIL 3 Decision Criteria:
IF Risk Reduction Required > 1,000× AND Risk Reduction Required ≤ 10,000×
THEN SIL 3 is appropriate
Example (Chemical reactor ESD):
├─ Baseline Risk: 10⁻² fatalities/year
├─ Tolerable Risk: 10⁻⁶ fatalities/year
├─ Required RRF: 10⁻² / 10⁻⁶ = 10,000×
├─ SIL Allocation: SIL 3 (RRF = 1,000-10,000)
└─ Conclusion: SIL 3 required
Hardware/Software SIL Allocation (IEC 61508-2, Clause 7.4)
System-Level SIL → Component-Level SIL:
Example: Chemical Reactor Emergency Shutdown (SIL 3 Required)
System Safety Function:
"Shutdown reactor within 2 seconds if temperature exceeds 350°C"
Required SIL: 3
Architecture Decision:
├─ Sensor Module (2-out-of-3 voting)
│ ├─ Temperature Sensor 1: Pt100 RTD, 4-wire (0-500°C) → SIL 2
│ ├─ Temperature Sensor 2: Pt100 RTD, 4-wire (0-500°C) → SIL 2
│ ├─ Temperature Sensor 3: Pt100 RTD, 4-wire (0-500°C) → SIL 2
│ └─ Voting Logic (2oo3): SIL 3
│
├─ Processing Module (Safety PLC)
│ ├─ Shutdown Logic (Function Blocks) → SIL 3
│ ├─ Watchdog Timer (detect PLC hang) → SIL 3
│ └─ Memory Test (detect RAM corruption) → SIL 2
│
└─ Actuator Module (Final Elements)
 ├─ Feed valve V-101: dual solenoids, de-energize-to-trip, fail-close → SIL 3 (1oo2 of SIL 2 solenoids)
 ├─ Cooling valve V-201: dual solenoids, de-energize-to-trip, fail-open → SIL 3 (1oo2 of SIL 2 solenoids)
 ├─ Agitator Trip (de-energize to stop) → SIL 1 (supplementary action, not credited in the RRF)
 └─ Alarm (independent circuit) → SIL 1 (supplementary action, not credited in the RRF)
Overall System SIL: every subsystem on the credited path (2oo3 sensors → safety PLC → V-101/V-201) is SIL 3 capable; the agitator trip and alarm are not part of the credited risk reduction, so their lower SIL does not pull the function below SIL 3 [PASS]. SIL capability alone is not the whole verification: the PFDavg values of the three subsystems must add to ≤ 10⁻⁴ (Method 1 below), and each subsystem must meet the architectural constraints of IEC 61508-2 7.4.4 (hardware fault tolerance and safe failure fraction, route 1H).
SIL Allocation Rules:
- Series subsystems (sensors → logic solver → final elements): the function's PFDavg is the sum of the subsystem PFDavg values, and the claimable SIL is limited by the weakest subsystem (min of the subsystem SILs)
- Redundant channels (1oo2, 2oo3): hardware fault tolerance allows a higher SIL claim than a single channel of the same quality (IEC 61508-2 Tables 2 and 3, route 1H), provided common cause failure is controlled (β factor)
- Diversity: different technologies or measurement principles (analog RTD inputs, digital PLC logic, hardware watchdog with relay-based shutdown) reduce β and common-cause exposure; diversity is what makes the redundancy claim credible, not a substitute for it
SIL Verification Methods (Proof of Compliance)
Method 1: Quantitative Failure Rate Analysis
Input Data:
- Component dangerous failure rate λD, in FIT (failures per 10⁹ hours), split by the diagnostic coverage DC into detected and undetected parts: λDD = DC × λD, λDU = (1 − DC) × λD
- Proof test interval T1 and mean time to restoration MTTR, in hours (so that λ × t is dimensionless)
- Common cause factor β (βD for detected failures) for redundant channels
Calculation (IEC 61508-6, Annex B; simplified single channel, 1oo1):
PFDavg ≈ λDU × T1 / 2 + λDD × MTTR
WHERE:
PFDavg = average probability of dangerous failure on demand (target for this SIF: ≤ 10⁻⁴, the RRF-10,000 point at the lower edge of the SIL 3 band 10⁻⁴ ≤ PFDavg < 10⁻³)
λDU = dangerous undetected failure rate (per hour; FIT × 10⁻⁹)
T1 = proof test interval (hours; 12 months = 8,760 h per the SRS)
λDD = dangerous detected failure rate (per hour)
MTTR = mean time to restoration (hours)
Example Calculation (temperature sensor subsystem):
λD = 2,000 FIT = 2 × 10⁻⁶ /h per RTD channel (illustrative assumption, not vendor data)
DC = 99% → λDU = 20 FIT = 2 × 10⁻⁸ /h, λDD = 1,980 FIT = 1.98 × 10⁻⁶ /h
T1 = 8,760 h, MTTR = 8 h (assumed)
Single channel (1oo1): PFDavg ≈ 2 × 10⁻⁸ × 8,760 / 2 + 1.98 × 10⁻⁶ × 8 = 8.8 × 10⁻⁵ + 1.6 × 10⁻⁵ ≈ 1.0 × 10⁻⁴
→ one channel alone would consume the whole 10⁻⁴ budget before the logic solver and valves are counted
2oo3 voted group (IEC 61508-6 B.3.2.2.3 with β = 2%, βD = 1%): the independent double-failure term is ≈ 4.5 × 10⁻⁸ and the result is dominated by the common cause term β × λDU × (T1 / 2 + MRT) ≈ 1.8 × 10⁻⁶, giving PFDavg ≈ 2.0 × 10⁻⁶ for the sensor subsystem
SIL Check: the PFDavg values of sensors, logic solver and final elements add, and the function meets its target only if the sum is ≤ 10⁻⁴. With the sensor subsystem at ≈ 2 × 10⁻⁶ (2% of the budget), the final elements (valves, solenoids), which usually dominate, decide the verdict. A subsystem result that merely "falls in the SIL 3 band" is not a pass; the loop total against the target is what counts.
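Added example (not from the page or from the Siemens toolchain): the IEC 61508-6 Annex B (Ed. 2) simplified PFDavg formulas for 1oo1, 1oo2 and 2oo3 groups in Python, applied to the RTD sensor subsystem and then to a whole-loop budget check. The failure rates, diagnostic coverage of the final elements, MTTR, β values and the logic solver PFDavg are illustrative assumptions, not vendor data; the proof test interval and the RRF come from the SRS and hazard analysis above.

```python
"""IEC 61508-6 Annex B (Ed. 2) simplified PFDavg formulas for 1oo1, 1oo2 and
2oo3 groups, applied to the ESD temperature sensors and a whole-loop budget.
Added example; all numeric inputs are illustrative assumptions, not vendor data."""
from dataclasses import dataclass
from typing import Dict, Tuple

FIT = 1e-9              # 1 FIT = 1 failure per 10^9 hours
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Channel:
    """Dangerous-failure data for one channel of a voted group (all times in hours)."""
    lambda_d: float        # total dangerous failure rate per hour
    dc: float              # diagnostic coverage, 0..1
    t1: float              # proof test interval
    mttr: float            # mean time to restoration, detected failures
    mrt: float             # mean repair time, undetected failures (found at proof test)
    beta: float = 0.0      # common cause factor, undetected failures
    beta_d: float = 0.0    # common cause factor, detected failures

    @property
    def lambda_du(self) -> float:
        return (1.0 - self.dc) * self.lambda_d

    @property
    def lambda_dd(self) -> float:
        return self.dc * self.lambda_d

    def t_ce(self) -> float:
        """Channel equivalent mean down time (B.3.2.2.1)."""
        return ((self.lambda_du / self.lambda_d) * (self.t1 / 2 + self.mrt)
                + (self.lambda_dd / self.lambda_d) * self.mttr)

    def t_ge(self) -> float:
        """Voted-group equivalent mean down time (B.3.2.2.2)."""
        return ((self.lambda_du / self.lambda_d) * (self.t1 / 3 + self.mrt)
                + (self.lambda_dd / self.lambda_d) * self.mttr)


def pfd_1oo1(c: Channel) -> float:
    # Expands to lambda_du*(T1/2 + MRT) + lambda_dd*MTTR, the textbook single-channel form
    return (c.lambda_du + c.lambda_dd) * c.t_ce()


def _independent_rate(c: Channel) -> float:
    return (1 - c.beta_d) * c.lambda_dd + (1 - c.beta) * c.lambda_du


def _common_cause(c: Channel) -> float:
    return c.beta_d * c.lambda_dd * c.mttr + c.beta * c.lambda_du * (c.t1 / 2 + c.mrt)


def pfd_1oo2(c: Channel) -> float:
    return 2 * _independent_rate(c) ** 2 * c.t_ce() * c.t_ge() + _common_cause(c)


def pfd_2oo3(c: Channel) -> float:
    return 6 * _independent_rate(c) ** 2 * c.t_ce() * c.t_ge() + _common_cause(c)


def sil_band(pfd_avg: float) -> int:
    """Low-demand SIL band per IEC 61508-1 Table 2; 0 = worse than SIL 1.
    Values below 1e-5 lie outside the table and are reported as 4."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


# Illustrative inputs (assumptions): 2,000 FIT dangerous per RTD channel with 99 % DC,
# proof tested every 12 months (SRS), 8 h MTTR/MRT, beta 2 % and beta_D 1 %.
SENSOR = Channel(2000 * FIT, 0.99, HOURS_PER_YEAR, 8.0, 8.0, 0.02, 0.01)
# Dual de-energize-to-trip solenoids per valve (1oo2) with position feedback, assumed 90 % DC.
FINAL_ELEMENT = Channel(2000 * FIT, 0.90, HOURS_PER_YEAR, 8.0, 8.0, 0.02, 0.01)
LOGIC_SOLVER_PFD = 1e-5     # assumed figure of the kind a safety PLC safety manual states
RRF_REQUIRED = 10_000.0     # from the hazard analysis: 10^-2 / 10^-6


def esd_loop_budget() -> Tuple[Dict[str, float], float, bool]:
    """Sum the subsystem PFDavg values; the loop passes only if the total meets the RRF."""
    parts = {
        "sensors_2oo3": pfd_2oo3(SENSOR),
        "logic_solver": LOGIC_SOLVER_PFD,
        "final_elements_1oo2": pfd_1oo2(FINAL_ELEMENT),
    }
    total = sum(parts.values())
    return parts, total, total <= 1.0 / RRF_REQUIRED


if __name__ == "__main__":
    one = pfd_1oo1(SENSOR)
    print(f"single RTD channel 1oo1: {one:.2e} (SIL {sil_band(one)} band)")
    parts, total, ok = esd_loop_budget()
    for name, p in parts.items():
        print(f"{name:22s} {p:.2e}")
    print(f"loop total {total:.2e}, RRF {1 / total:,.0f}, target met: {ok}")
```

Two things the numbers make visible: the 2oo3 sensor group is dominated by the common cause term, so the β value (cable routing, shared signal conditioning, calibration practice) matters more than the per-channel failure rate once DC is high; and the final elements, even as a 1oo2 pair, take most of the loop budget, which is where proof test interval and partial-stroke or position-feedback diagnostics pay off.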
Method 2: Fault Tree Analysis (FTA)
Top Event: "Reactor does not shut down when temperature exceeds 350°C" (dangerous failure on demand; spurious trips are analysed in a separate tree)
FTA Structure:
└─ TOP EVENT: ESD fails on demand
   │ (OR gate: the function is lost if detection, logic OR actuation fails; they are in series, so each branch adds to the top event)
   ├─ Sensor group fails: fewer than 2 of 3 channels deliver a valid high reading (probability 10⁻⁴, conservative screening value)
   ├─ Final element fails: AND gate over the dual solenoids of V-101, both must fail dangerous for the valve to stay open (probability ≈ 10⁻⁴)
   ├─ PLC executes wrong logic (systematic fault, probability 10⁻⁵; in practice controlled by the SC 3 process rather than quantified)
   ├─ Common cause failure affecting all channels, e.g. shared cable route or signal conditioning (probability 10⁻⁶; power loss is not a dangerous failure here, because a de-energize-to-trip loop responds to it with a safe spurious trip)
   └─ Human error: sensor miscalibration (probability 10⁻³ per annual calibration)
Result: under an OR gate the branch probabilities add (rare-event approximation): 10⁻⁴ + 10⁻⁴ + 10⁻⁵ + 10⁻⁶ + 10⁻³ ≈ 1.2 × 10⁻³, which does not meet the 10⁻⁴ target. The miscalibration branch dominates, so the procedure must reduce it (independent second-person check of each calibration, and an inter-channel deviation alarm that reveals a badly calibrated channel before a demand). Even with that branch at 10⁻⁵ the remaining sum is ≈ 2.2 × 10⁻⁴, so the sensor and final-element branches must also be driven well below 10⁻⁴ each (higher diagnostic coverage, shorter proof test interval) before the tree supports the SIL 3 claim.
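Added example (not from the page): a small fault tree evaluator in Python that builds the tree above with AND/OR gates, evaluates it exactly under the independence assumption, and reports which branch dominates, so the effect of a procedural change (the miscalibration probability) can be checked instead of estimated by hand. The per-solenoid probability that makes the AND gate come out at 10⁻⁴ is an assumption; the other figures are the illustrative values from the tree.

```python
"""Fault tree evaluation for the top event 'ESD fails on demand'.
Added example; the gate structure follows the tree above and the basic-event
probabilities are the illustrative figures from the page."""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass(frozen=True)
class Event:
    name: str
    p: float                # probability of the basic event, per demand


@dataclass
class Gate:
    name: str
    kind: str               # "AND": all inputs must fail; "OR": any input suffices
    inputs: List["Node"] = field(default_factory=list)


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Exact evaluation assuming independent basic events (no event shared between branches)."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(n) for n in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_fail = 1.0
        for p in ps:
            none_fail *= 1.0 - p
        return 1.0 - none_fail
    raise ValueError(f"unknown gate kind {node.kind!r}")


def contributions(gate: Gate) -> Dict[str, float]:
    """Per-input probability of an OR gate: shows which branch dominates the top event."""
    if gate.kind != "OR":
        raise ValueError("contributions are defined for OR gates")
    return {n.name: probability(n) for n in gate.inputs}


def build_esd_tree(miscalibration_p: float = 1e-3) -> Gate:
    """Top event OR-ed over independent subsystem failures; the dual solenoids form an AND."""
    return Gate("ESD fails on demand", "OR", [
        Event("Sensor group fails (fewer than 2 valid high channels)", 1e-4),
        Gate("Final element fails to close V-101", "AND", [
            Event("Solenoid A fails dangerous", 1e-2),   # assumed per-solenoid figure;
            Event("Solenoid B fails dangerous", 1e-2),   # 1e-2 * 1e-2 = 1e-4 for the pair
        ]),
        Event("PLC executes wrong logic (systematic)", 1e-5),
        Event("Common cause failure across channels", 1e-6),
        Event("Sensor miscalibration (annual calibration)", miscalibration_p),
    ])


def meets_target(tree: Gate, pfd_target: float = 1e-4) -> bool:
    return probability(tree) <= pfd_target


if __name__ == "__main__":
    for p_cal in (1e-3, 1e-5):
        tree = build_esd_tree(p_cal)
        worst = max(contributions(tree).items(), key=lambda kv: kv[1])
        print(f"miscalibration p={p_cal:.0e}: top event {probability(tree):.2e}, "
              f"target met: {meets_target(tree)}, dominant branch: {worst[0]} ({worst[1]:.1e})")
```

The evaluator is deliberately simple: it is correct only while no basic event appears under two gates. As soon as a shared event (a common power supply feeding sensors and solenoids, say) is modelled, minimal cut sets are needed instead, which is what a commercial FTA tool does for you.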
Diagnostic Coverage Checklist:
- [PASS] Sensor self-tests (open circuit, short circuit detection)
- [PASS] PLC watchdog (detects hang, forces shutdown)
- [PASS] Communications monitoring (detect broken links)
- [PASS] Actuator position feedback (detect valve failure to close)
- [PASS] Periodic functional test (annual manual verification)
Tool Qualification for Functional Safety (IEC 61508-3, Clause 7.4.4)
Which tools require qualification? IEC 61508-3 Clause 7.4.4 classes tools by their impact on the executable: T1 (no direct influence on the executable, e.g. a text editor), T2 (verification and test tools, whose failure could hide a defect) and T3 (tools whose output goes into the executable, e.g. compilers). T2 and T3 tools need qualification evidence.
- Software Development Tool (IEC 61508-3, class T3): Compiler, code-generating parts of the IDE
  - Example: GCC compiler for STM32 microcontroller
  - Requirement: Show the tool does not introduce errors into the executable (correct code generation)
  - Qualification Evidence: Compiler validation test suite results and/or proven-in-use history for the exact version and option set (a formal correctness proof is normally not available)
- Verification Tool (IEC 61508-3, class T2): Static analyzer, test coverage
  - Example: TIA Code Inspector (Siemens PLC static analysis)
  - Requirement: Show the tool detects the violations it is credited for
  - Qualification Evidence: Tool test suite (demonstrate detection of every rule relied on)
- Configuration Tool (IEC 61508-3, class T3): PLC engineering environment
  - Example: Siemens TIA Portal (IEC 61131-3 programming)
  - Requirement: Correct translation of the IEC 61131-3 source into what runs on the PLC
  - Qualification Evidence: Manufacturer-provided tool qualification or certification report for the version in use
- Simulation Tool (IEC 61508-3, class T2): Hardware-in-loop simulator
  - Example: dSPACE RTXC (real-time simulator)
  - Requirement: Show the simulation model matches the real hardware for the behaviour being tested
  - Qualification Evidence: Validation of the model against the real plant (e.g. commissioning data from the reactor)
Tool Qualification Process for SIL 3:
| Step | Activity | Evidence | Time |
|---|---|---|---|
| 1 | Obtain tool documentation | Release notes, manual | 0.5 days |
| 2 | Identify tool failures (per IEC 61508-3 Table B.2) | Known issues list | 1 day |
| 3 | Create tool test suite | 50+ test cases | 3 days |
| 4 | Execute test suite | Test report | 1 day |
| 5 | Measure diagnostic coverage | % violations detected | 1 day |
| 6 | Create tool qualification report | Formal document | 1 day |
| TOTAL | Tool qualified for SIL 3 use | Tool qualification report filed | 7.5 days per tool |
Cost Impact:
- Per Tool: 1-2 person-weeks
- Small Project (3-5 tools): 1-2 months
- Larger Project (10+ tools): 2-3 months
Cost Avoidance Tip: Use manufacturer-qualified tools (e.g., the safety engineering in Siemens TIA Portal, STEP 7 Safety, ships with an IEC 61508 tool certification). That replaces Steps 3-6 with a review of the manufacturer's report, but Steps 1-2 remain: confirm that the certified version and configuration are the ones actually in use, and review the known-issues list for that release, because the certificate does not cover deviations from the qualified configuration.
Systematic Capability (IEC 61508-3)
SIL 3 Software Development Requirements
IEC 61508-3 Annex A (Tables A.1 to A.10): Guide to the selection of techniques and measures for avoiding systematic faults
Required Practices for SIL 3 (selected examples):
| Technique | IEC 61508-3 Recommendation | Implementation |
|---|---|---|
| Formal methods | Recommended (R) | [NOT USED] Justified: disproportionate for PLC function-block logic; semi-formal methods used instead |
| Semi-formal methods | Highly Recommended (HR) | [PASS] UML and state diagrams for design |
| Structured methodology | Highly Recommended (HR) | [PASS] IEC 61131-3 structured programming |
| Modular approach | Highly Recommended (HR) | [PASS] Function Blocks (FBs) for reusability |
| Design diversity | Recommended (R) | [PASS] Diverse protection path: 2oo3 RTD sensing with PLC logic, backed by a hardware watchdog and relay-based shutdown |
| Defensive programming | Highly Recommended (HR) | [PASS] Range checks, watchdogs, fail-safes |
| Static analysis | Highly Recommended (HR) | [PASS] TIA Code Inspector (MISRA-like rules) |
| Dynamic testing | Highly Recommended (HR) | [PASS] HIL testing (dSPACE) |
| Probabilistic testing | Recommended (R) | [NOT USED] Justified: deterministic test coverage of all safety function paths |
Verdict: All HR techniques are implemented and each R technique not used has a documented justification, which is what Annex A asks for. This covers the Annex A part of the SC 3 claim; the claim also rests on the rest of the IEC 61508-3 lifecycle (software safety requirements, architecture, verification and validation, and in Ed. 2 the Annex C properties) and on an independent functional safety assessment (IEC 61508-1 Clause 8).
Tool Support for Systematic Capability: Siemens provides pre-certified tools (TIA Portal, S7-PLCSIM) with tool qualification reports. Third-party tools used (e.g., dSPACE, LDRA-equivalent) require tool qualification per IEC 61508-3, Clause 7.4.4. Budget 2-4 weeks for tool qualification activities.
IEC 61508 vs ASPICE Comparison
Work Product Mapping
| IEC 61508 Work Product | ASPICE Equivalent | Tool |
|---|---|---|
| Safety Requirements Specification (SRS) | SYS.2 System Requirements Spec | DOORS |
| Software Safety Requirements Spec | SWE.1 Software Requirements Spec | DOORS |
| Software Architecture Design | SWE.2 Software Architecture Design | TIA Portal (FBD diagrams) |
| Software Module Design | SWE.3 Detailed Design | TIA Portal (LAD/ST) |
| Software Module Test Report | SWE.4 Unit Test Report | S7-PLCSIM Advanced |
| Software Integration Test Report | SWE.5 Integration Test Report | dSPACE HIL |
| Software Validation Report | SWE.6 Qualification Test Report | SAT test protocol |
| Verification Report | SUP.2 Verification Strategy | QA checklist |
| Configuration Management Plan | SUP.8 Configuration Management | Git + TIA Portal Openness |
| Safety Manual | - | IEC 61508 specific (operating procedures) |
Overlap: roughly 60-70% of the ASPICE CL2 work products satisfy IEC 61508 Part 3 requirements (a rule of thumb from the mapping above); the remainder is safety-specific.
Additional IEC 61508 Requirements:
- Failure Modes and Effects Analysis (FMEA) for software modules
- SIL verification calculations (PFDavg, diagnostic coverage)
- Proof test procedures (periodic manual testing)
Summary
IEC 61508 Context for ESD Project:
| Aspect | Details |
|---|---|
| Target SIL | SIL 3 (loop PFDavg ≤ 10⁻⁴ required by RRF 10,000; SIL 3 band is 10⁻⁴ ≤ PFDavg < 10⁻³) |
| Risk Reduction | 10,000× (baseline 10⁻² → tolerable 10⁻⁶) |
| Safety Functions | 12 (high temp trip, high pressure trip, low cooling, etc.) |
| Systematic Capability | SC 3 (rigorous development process) |
| Hardware Fault Tolerance | 1oo2 (pressure), 2oo3 (temperature) |
| Diagnostic Coverage | 99.4% (exceeds 99% requirement) |
| ASPICE Overlap | roughly 60-70% of IEC 61508 Part 3 satisfied by ASPICE CL2 work products |
AI Contribution:
- Requirements extraction: 40h → 15h (62% reduction)
- Traceability matrix: Auto-generated from DOORS
- Code review: AI pre-checks for defensive programming patterns
Next: Hardware-software co-design patterns for safety PLCs (26.02).