IEC 61508: Functional safety of electrical/electronic/programmable ...

Tecniche per il progetto di sistemi elettronici tolleranti ai guasti, luglio 2006 

IEC 61508: Functional safety of 

electrical/electronic/programmable 

electronic safety-related systems 

Maurizio Rebaudengo, 

Matteo Sonza Reorda 

Politecnico di Torino 

Dipartimento di Automatica e Informatica 

The challange 

• Electrical, electronic or programmable electronic 

systems increasingly carry out safety functions. 

These systems are usually complex, making it 

impossible in practice to fully determine every 

failure mode or to test all possible behaviours. 

• It is difficult to predict the safety performance, 

although testing is still essential. 

• The challenge is to design the system in such a 

way as to prevent dangerous failures or to control 

them when they arise. 

2 

Examples of systems, subsystems & 

devices under consideration 

• electro-mechanical 

• solid state electronic 

• programmable electronic 

 

 

 

 

 

 

 

Low complexity 

Low complexity/Complex 

Complex 

programmable Controllers 

programmable Logic Controllers 

microprocessor based systems; 

application specific integrated circuits (ASICs) 

intelligent sensors/transmitters/actuators etc. 

digital communication systems (e.g. bus systems) 

internet based technologies 

3 

Safety Requirements 

Specifications (SRS) 

• Specifications containing all the 

requirements of the safety functions that 

have to be performed by the safety-related 

systems. 

4 

Safety Integrity Level (SIL) 

• The basic concept of IEC 61508 is the 

definition of SIL: 

• discrete level for specifying the safety integrity 

requirements of the safety functions to be 

located to the E/E/PE safety-related systems. 

Safe Failure Fraction (SFF) 

• The ratio between the safe failures (i.e., 

failures which don't have the potential to 

put the safety-related system in a 

hazardous state) and detected dangerous 

failures over the sum of all the possible 

failures (safe + dangerous). 

5 

6 

M. Rebaudengo, M. Sonza Reorda, M. Violante 1


Hardware Fault Tolerance (HFT) 

• A hardware fault tolerance of N means that 

N+1 faults could cause a loss of the safety 

function. 

SIL/SFF/HFT 

HFT 

SFF 0 1 2 

< 60% SIL1 SIL2 

60% - 90% SIL1 SIL2 SIL3 

90% - 99% SIL2 SIL3 SIL4 

> 99% SIL3 SIL4 SIL4 

7 

8 

SIL/SFF/HFT (cont.) 

• With a HFT equal to 0, a SFF equal or 

greater than 99% is required in order that 

the system or component can be granted 

as SIL3. 

FMEA 

• The commonly used way to provide the 

information required by the SRS is to 

perform a FMEA 

9 

10 

Sensible zone 

• A set of sensible zones are identified from the 

design. 

• A sensible zone is the elementary failure point in 

which one or more faults converge to lead a 

failure 

• Valid definitions of sensible zones are: 

• memory elements such registers, flip-flops 

• primary input and primary outputs 

• critical nets 

Observation point 

• The observation points are selected where 

the main effect of each sensible zone 

failure mode is evaluated. 

• The observation point is: 

• a primary output 

• an alarm of the diagnostic. 

11 

12 



Fault injection 

• The IEC 61508 highly recommends the use 

of Fault Injection in order to estimate the 

behavior of the sensible zones 

Faults and failures 

• IEC 61508 specifies faults or failures to be 

detected or to be analyzed in the derivation 

of Safe Failure Fraction. 

13 

14 

IEC 61508 flow 

SRS 

FMEA 

Fault Injection 

SFF report 

15

IEC 61508: Functional safety of electrical/electronic/programmable ...

Create successful ePaper yourself

Delete template?

Save as template?