IEC61508-COMPLIANT SAFETY SYSTEM

AKAI Hajime *1

The ProSafe-RS Safety System has been developed in compliance with the IEC61508 international functional safety standard and has been certified by a third-party certification body as conforming to the standard. This international standard is based on risk management concepts and is widely accepted across the process industry for plant safety. In this article, we will discuss the main points of IEC61508, the concept of risk management and the standard's requirements for safety systems.

INTRODUCTION

The recent variety of industrial and railway accidents happening right before our very eyes makes us painfully aware that “safety” must be put first and foremost. “Safety first” is a concept accepted by everyone and there is no room for disagreement. However, the author feels that, in some cases, the concrete objectives of “safety first” are not actually clear, and the grasp of the hazards is insufficient.

With regard to industrial safety, IEC61508, which is the international standard for safety systems, sets down a policy of deciding on quantitative goals for risk reduction and of realizing those goals using concrete means. This approach to safety has been slow to gain popularity in Japan compared with Europe and the United States, but it has been gaining a lot of attention as companies reflect on the industrial accidents and the like which have occurred over the past few years. This approach to safety, which has this standard as its background, bases its line of thinking on the idea that safety is the “absence of intolerable risks,” rather than the conventional idea of safety as being “a non-hazardous state.” When we assume that there are no defects in a means for ensuring safety, we work to eliminate defects in that safety means, but this means that we ignore taking steps to prepare for the remote possibility of a defect occurring. Even if one safety means is adopted, there is no such thing as a perfect system, so thinking in terms of a hierarchical system of protection becomes inescapable: that is, one has to adopt another safety means outside of the first one to cover any remaining risks. If the second means still fails to provide a level of tolerable residual risk, then one must adopt yet another safety means, and so on. In this hierarchy, quantitative goals for the risk reduction of the safety means in each layer are clearly defined. In the safety systems discussed in this paper, the quantitative targets for contributing to risk reduction are specified, and how to achieve those targets is the key technical point.

By way of a technical explanation, in the following pages this paper focuses on describing the part of the international safety standard IEC61508, used as the criterion for safety systems, which relates to risk management, and the part in which the realization of safety systems is specified.

RISK REDUCTION IN IEC61508

The title of IEC61508 is “Functional safety of electrical/electronic/programmable electronic safety-related systems,” and the title of the Japanese standard JIS C 0508, prepared by translating this international standard IEC61508, is of course the same in Japanese. As shown by its title, this standard is applicable to any case in which safety is achieved using an electrical circuit, electronic circuit, or programmable electronic system (E/E/PES: Electrical/Electronic/Programmable Electronic System). Process industries, machine manufacturing industries, traffic and transportation, medical equipment, etc., are introduced as the major industries it applies to. In 2003, IEC61511 (Functional safety: Safety Instrumented System for the process industry sector) was published under the umbrella of IEC61508 for the process industries, which employ this standard most frequently. A “Safety Instrumented System” is applied to emergency shutdown systems and fire and gas protection systems in industrial plants.

*1 IA Systems Business Division, IA Business Headquarters

IEC61508-compliant Safety System 29


Figure 1 Hierarchical Plant Protection. Layers of protection, innermost first: Control and monitoring (basic process control systems; monitoring system with process alarms; process operation); Prevention (safety instrumented systems; mechanical protection systems; process alarms with operator corrective action); Mitigation (safety instrumented systems; mechanical mitigation systems; operator supervision); Emergency response (in-plant emergency response).

Figure 2 Safety Lifecycle. Phases of the IEC61508 overall safety lifecycle: 1 Concept; 2 Overall scope definition; 3 Hazard and risk analysis; 4 Overall safety requirements; 5 Safety requirements allocation; overall planning, consisting of 6 Overall operation and maintenance planning, 7 Overall safety validation planning and 8 Overall installation and commissioning planning; realization of 9 Safety-related systems: E/E/PES, 10 Safety-related systems: other technology and 11 External risk reduction facilities; 12 Overall installation and commissioning; 13 Overall safety validation; 14 Overall operation, maintenance and repair; 15 Overall modification and retrofit (back to the appropriate overall safety lifecycle phase); 16 Decommissioning or disposal.

Safety Instrumented System (SIS)

A safety instrumented system is composed of sensors to detect process abnormalities; logic solvers to execute preset algorithms using information from the sensors and start up actuators such as cut-off valves; and actuators. The safety systems described in this article are those positioned as this logic solver. Figure 1 shows the concept of hierarchical protection for achieving “plant safety” and the positioning of safety instrumented systems. These contents are specified in IEC61511.

As described at the beginning of this paper, IEC61508 defines a quantitative index for risk reduction and specifies the management of safety-related systems by lifecycles. In the following explanation of IEC61508, a description will be made by taking the example of applying the standard to the process industries, that is, the case of a safety instrumented system.

Figure 2 shows the safety lifecycle in IEC61508. The very important position in IEC61508 is “Hazard and risk analysis,” shown in the third box in this figure. This stage specifies the clarification of hazards and hazardous events generated in a plant and its control devices (DCS or the like). The specification requires carrying out a risk assessment in the plant by taking into consideration methods for eliminating hazards, by assessing the ease with which hazardous events occur, and by clarifying the possible damage caused by hazardous events. Means for risk analysis are not limited, and so several techniques are introduced in the standard, such as the Hazard and Operability study (HAZOP study).

Next, the risk reduction measures necessary for the hazardous events grasped in the above assessment are determined in the “overall safety requirements.” As means for reducing risks, there are other safety-related systems (e.g. relief valves) and external risk reduction facilities in addition to the safety instrumented system, and safety function requirements are specified for each of them. In the case of the safety instrumented system, for example, the specification includes closing a cut-off valve when any abnormality in the temperature, pressure or level of a certain position is detected. In addition, determining the safety integrity requirements is specified together with these safety function requirements. The safety integrity requirement is a requested specification in which the extent of risk reduction in a plant is quantified. “Functional safety,” which appears in the title of IEC61508, means the safety realized by the risk reduction means shown above.

Risk is represented by multiplying the size of the harm by the frequency of the occurrence of the harm, and the safety instrumented system serves to reduce the frequency of the occurrence of the harm. In this standard, the Safety Integrity Level (SIL) is introduced as a method for expressing the safety integrity requirement. The safety integrity level is classified into four levels (SIL1 to SIL4) as shown in Table 1. In IEC61508, the safety integrity level is handled by dividing it into a low demand mode (in short, the actuation demand occurs once a year or less) and a high demand/continuous mode, considering the frequency of actuation demand for safety-related systems. The safety instrumented system installed in plants is classified into the low demand mode. The measure for the safety integrity level in the low demand mode is the Probability of Failure on Demand (PFD). PFD is the probability with which the safety instrumented system does not operate due to a failure when actuation of the system is requested. Thus, the smaller the probability, the higher the safety integrity level becomes.

If we look at the safety integrity level from the viewpoint of the safety integrity requirement: for example, specifying SIL3 as the safety integrity requirement for a safety instrumented system

30 Yokogawa Technical Report English Edition, No. 40 (2005)


to be introduced means that the safety instrumented system is asked to reduce the frequency with which the original hazardous situation occurs to 1/1000 or less, because the PFD of SIL3 is 10^-4 or above and less than 10^-3. In other words, for example, by installing a safety instrumented system in a plant where no countermeasures are in place and a hazardous event may occur once every 10 years, it becomes possible to achieve an improvement to a reduction in this frequency to once or less in every 10,000 years.

Table 1 Safety Integrity Level (SIL)

Safety integrity level (SIL)    Low demand mode (PFD)
4                               ≥ 10^-5 to < 10^-4
3                               ≥ 10^-4 to < 10^-3
2                               ≥ 10^-3 to < 10^-2
1                               ≥ 10^-2 to < 10^-1

With respect to determining the safety integrity level (SIL), the social “safety” index should be referred to. This is a subject outside the scope of the IEC standard. As described at the beginning of this paper, it is understood that the idea that safety is “a state in which risks are sufficiently small and well within the tolerable limit” greatly affects this determination. If we examine examples in European countries, the annual mortality rate for a person due to accident is frequently targeted at 10^-5 to 10^-6. Although the annual mortality rate due to traffic accidents in Japan is about 10^-4, the author himself aims for an even lower figure than this average value, and we should seek a rate lower than 10^-4, even for disasters due to other causes and regardless of business operation and residential environment. Considering these facts, this index in European countries makes sense.

These “overall safety requirements” also show the relation to the control systems. Figure 1 indicates the positioning of the safety instrumented system in plant safety management. When a process which is the control object and the control system controlling that process lead to any abnormality, the safety instrumented system serves to prevent the occurrence of a hazardous event. The safety instrumented system is also applied to Fire and Gas Protection Systems (F & G) to mitigate the effects of outbreaks of fire or the discharge of toxic gases. As described here, this is a concept whereby the safety of the overall system can be achieved only when the safety functions in each hierarchical layer fulfill their respective abilities.

Based on this concept, the standard states that the safety instrumented system must be separated from the control system. For example, this means that shared or common sensors must not be used for these two systems just because the same process variables are being observed. This is because if one sensor fails, then it is possible that both the control functions and the safety functions will be lost at the same time. In addition, it also states that the requirements for actuation of the safety instrumented system must be estimated by deeming the safety integrity level of the control system to be less than SIL1. This means that, even if a more highly reliable control system is used, the requested safety integrity level for a safety instrumented system must not be lowered simply based on assumptions about the reliability of that system.

ACHIEVING A SAFETY INSTRUMENTED SYSTEM COMPLYING WITH STANDARD IEC61508

The concrete construction of the safety instrumented system is described in the box “Safety-related systems: E/E/PES” in the lifecycle of IEC61508 (Figure 2). With respect to the design of a safety instrumented system meeting the safety integrity level, the standard requires a response to “random hardware failures” of the components used in the equipment and the preparation of preventive measures for the “systematic failures” named in the standard, such as improper specification, design, and operation of the equipment.

(1) Response to random hardware failures

Since the Probability of Failure on Demand (PFD), which is the index of the safety integrity level (SIL), is the probability of the equipment losing its ability to function due to a failure when its actuation request is generated, it can be understood to be the ratio of non-operation of the equipment. In the case of control systems, hardware failures are treated by classifying them into the part where failures can be detected through self-diagnosis and the part where failures cannot be detected through self-diagnosis. However, in safety instrumented systems, failures in each part are further classified by whether each of them is a ‘safe failure’ (the output is driven in the direction in which the plant is shut down, or there is no impact) or a ‘dangerous failure’ (the output function to shut down the plant is lost). That is, failures are classified into detected safe failures, undetected safe failures, detected dangerous failures and undetected dangerous failures. Since detected dangerous failures can be detected through self-diagnosis, the outputs can be led to the safe state using another means. The problem is the treatment of undetected dangerous failures. Since this type of failure cannot be detected by self-diagnosis, it can be detected only by the operation test (proof test) carried out during regular inspections. For non-redundant equipment, when the proof test interval is represented by T and the undetected dangerous failure rate by λDU, PFD is expressed by the equation below.

PFD = λDU × T / 2 ·································································· (1)

Recently available equipment is a microprocessor-based product using digital integrated circuits, and the equipment realizes the required PFD by means of thorough, high-level self-diagnosis. Something to be noted in particular is the fact that in most cases there is no change in the input and output signals of safety instrumented systems in their operating environments. Accordingly, self-diagnosis circuits must be realized on the assumption that normally no change occurs in any signal.

Then, to what extent is self-diagnosis actually required to be realized? Let's take a safety system complying with SIL3 as an example. The safety instrumented system is composed of sensors, a safety system (logic solver) and actuators as described earlier, and the overall system PFD (sys) is



expressed by equation (2) below.

PFD (sys) = PFD (sensor) + PFD (safety system) + PFD (actuator) ··········· (2)

For the safety controller, PFD (safety system) is expected to be less than 15% of the overall PFD in actual engineering. The remainder of the PFD is allocated to the sensor and the actuator. That is, since PFD (sys) is less than 10^-3 and greater than or equal to 10^-4 for SIL3, it becomes necessary that PFD (safety system) be 1.5 × 10^-4 or less. As for the proof test interval, there is a domestic Japanese plant which has been in continuous operation for four years, and there is an overseas example of operation without shutdown for an even longer period. Therefore, a proof test at a short interval cannot be accepted. Consideration of a proof test interval of 10 years (assumed to be 100,000 hours for simplification) leads, using equation (1), to the conclusion that the undetected dangerous failure rate must be 3 × 10^-9/h (3 FIT) or less. Since 3 FIT is a small value far below the failure rate of a single component, it is known that this level cannot be achieved unless a diagnostic coverage of approximately 100% is realized. This situation is clearly different from that of general highly reliable equipment, in which safety is considered from a balance with economy.

(2) Response to systematic failures

Among the responses to systematic failures, measures for software design are important. As for software design, Part 3 of IEC61508 specifies that a description of the specifications be given so that misunderstandings cannot occur, that design corresponding to such a description be carried out using sufficiently managed design tools, that the module levels and system levels planned in the pre-design stage be verified, and that strict management including impact analysis of design changes be implemented, and it shows a structure which can prevent systematic failures. This part of IEC61508 also specifies that the actual development and design processes are executed as specified and that these are to be verified by a third party.

The safety system “ProSafe-RS” recently developed by Yokogawa Electric Corporation is certified by the third-party body TÜV that its responses to both random hardware failures and systematic failures described above comply with the standard IEC61508.

CONCLUSION

Safety is the top priority in all industries. Contrary to the conventional concept pointing to zero danger, that is, absolute safety, the risk-based safety management introduced here may be understood as bringing some compromise because of the words “tolerable risk.” However, it should be understood that grasping the hazards in a plant by implementing strict risk analysis requires concrete risk reduction means, and this is a more severe requirement. The concept of hierarchical protection does not tolerate even a little mitigation of the protection inside the absolute stronghold against hazards, even if there were such a stronghold. The concept also does not provide a basis for lowering the safety integrity level of a safety instrumented system simply because of high reliability in control devices. A safety instrumented system complying with the standard is certified by being provided with an eminent self-diagnosis function different from that of general equipment. It is predicted that safety instrumented systems, which can contribute to the improvement of safety even more as compared with the realization of conventional safety functions using relays, will come into even more widespread use in the future.

REFERENCES

(1) IEC61508 First edition: Functional safety of electrical/electronic/programmable electronic safety-related systems
(2) Shimizu Kyuuji, Fukuda Takafumi, Mechanical safety engineering, Yokendo, 2000, 188p. (in Japanese)
(3) Sekiguchi Takashi, Satoh Yoshinobu, Machine safety, Functional safety practice manual, Nikkan Kogyo Shimbun, 2001, pp. 220-243 (in Japanese)

* “Prosafe” is a registered trademark of Yokogawa Electric Corporation.
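The SIL3 budget worked through in equations (1) and (2) above, written out as an added example (not code from the report or from Yokogawa): it reproduces the 1.5 × 10^-4 logic-solver allotment, the 3 FIT limit for a 10-year proof test interval, and then goes one step further to the diagnostic coverage a component needs. The component dangerous failure rate λD and the sensor/actuator PFD shares are constructed assumptions for illustration.

```python
# Added worked example (not from the Yokogawa report): the low-demand SIL
# arithmetic the article uses, equations (1) and (2) and Table 1.
# Constructed values (λD of one component, sensor/actuator PFD shares) are
# assumptions for illustration, not figures from the report.

# Table 1: low demand mode PFD band per SIL (lower bound inclusive,
# upper bound exclusive).
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# The article simplifies 10 years of operation to 100,000 hours.
HOURS_PER_YEAR = 10_000


def pfd_single_channel(lambda_du, proof_test_hours):
    """Equation (1): PFD = λDU * T / 2 for non-redundant equipment.
    lambda_du is the undetected dangerous failure rate per hour."""
    return lambda_du * proof_test_hours / 2


def sil_for_pfd(pfd):
    """Table 1 lookup; None when pfd falls outside the SIL1..SIL4 bands."""
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def system_pfd(pfd_sensor, pfd_safety_system, pfd_actuator):
    """Equation (2): the loop PFD is the sum of its three subsystems."""
    return pfd_sensor + pfd_safety_system + pfd_actuator


def logic_solver_budget(target_sil, share=0.15):
    """The article allots the logic solver less than 15% of the SIL's
    upper PFD bound (10^-3 for SIL3, giving 1.5e-4)."""
    return SIL_PFD_BANDS[target_sil][1] * share


def max_lambda_du(pfd_budget, proof_test_hours):
    """Invert equation (1): largest λDU (per hour) that meets the budget."""
    return 2 * pfd_budget / proof_test_hours


def required_diagnostic_coverage(lambda_d, lambda_du_limit):
    """λDU = λD * (1 - DC), so DC = 1 - λDU / λD. Assumption (not in the
    article): lambda_d is the component's total dangerous failure rate."""
    return 1 - lambda_du_limit / lambda_d


if __name__ == "__main__":
    t = 10 * HOURS_PER_YEAR                    # 10-year proof test interval
    budget = logic_solver_budget(3)            # 1.5e-4
    lam = max_lambda_du(budget, t)             # 3e-9 /h, i.e. 3 FIT
    print(f"SIL3 logic solver: PFD <= {budget:.1e}, λDU <= {lam * 1e9:.1f} FIT")
    # Constructed: a component with λD = 1000 FIT (1e-6 /h) needs DC ≈ 99.7%
    print(f"required diagnostic coverage: {required_diagnostic_coverage(1e-6, lam):.3%}")
    loop = system_pfd(4e-4, budget, 4e-4)      # constructed sensor/actuator shares
    print(f"loop PFD {loop:.2e} -> SIL{sil_for_pfd(loop)}")
```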

