IEC 61508: are we opening Pandora’s Box?

In 2010, the leading body for International Standards for all electrical, electronic and related technologies, the International Electrotechnical Commission (IEC), released the second edition of IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems).

The new edition changes the way 'safe failure' is defined, and the bar for validating and certifying instrumentation is now much harder to reach.

It also introduces a new hardware compliance route, Route 2H, which permits the use of component reliability data derived from field failure data and consequently increases the need for field data collection and analysis.

Luis Garcia, a Certified Functional Safety Expert with more than 20 years of experience in the field, has authored a paper on the impacts of the IEC 61508 changes, providing an in-depth view on the scope of this new standard and how to best work with these new requirements.

Q: What industries will be most affected by the recent update of IEC 61508?
A: Everybody relies on IEC 61508 and IEC 61511. For example, manufacturers and users of Safety Instrumented Systems (SIS) such as Process, Oil & Gas and Chemical industries and essentially all processes that involve any degree of risk.

While zero risk is a target, it isn’t really obtainable but there are ways to diminish this risk to an acceptable level.

Q: What are some of the challenges of this new edition of IEC 61508?
A: The new IEC 61508 – 2010 changes greatly improved the existing standard in my view. In the review of the ‘safe failure’ definition in this white paper, accuracy was improved in a way that better protects against statistical abuses.

However, this change has now made field instruments much harder to certify, as they have to follow field data collection based methodologies that are much harder to perform.

Therefore, it’s important for business, government and other relevant organisations to work together to develop sound methodologies for data collection.

This may include companies that deal with safety lifecycle services, user associations, unions, government and special safety-orientated organisations.

I know organisations that have developed software and methodologies for field data collection and this kind of knowledge should be shared with other similar companies to promote a greater level of safety.

Q: Can you explain ‘Safe Failure’ and the relationship with dormant safety systems?
A: In general, all safety systems are dormant but unlike the name suggests, dormant safety systems are not inactive but rather they will remain idle until required.

Take, for example, the airbags in your car – they do not act until necessary and we cannot measure their performance unless a demand is placed on them: How good is the integrity of your vehicle’s airbag? Does it work effectively?

If the airbag does not deploy when needed, we call this ‘on-demand failure’. On the other hand, if the bag deploys when it is NOT needed, we call this ‘safe failure’, despite the fact that this could also create a hazard. When looking at dormant safety systems, we are only interested in evaluating their failures and failure modes.
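As an added illustration (not from the interview or from the white paper it discusses) of why the tightened ‘safe failure’ definition mentioned earlier matters: IEC 61508-2 defines the Safe Failure Fraction as SFF = (λS + λDD) / (λS + λDD + λDU), and the 2010 edition rules that ‘no effect’ failures (failures of parts that play no role in the safety function) are not to be counted in it. The script below applies both readings to a constructed, purely illustrative FMEDA-style table; the component names and FIT rates are made up for the example, and the SIL mapping is the architectural-constraints table for a type B subsystem with hardware fault tolerance 0.

```python
"""Added example (not from the interview): effect of the tightened
'safe failure' definition on a Safe Failure Fraction figure.

The FMEDA-style table below is constructed for this example; the
component names and FIT rates are illustrative, not measured data.
"""
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FailureMode:
    component: str
    effect: str        # "safe", "dangerous" or "no_effect"
    detected: bool     # covered by automatic diagnostics
    rate_fit: float    # constructed failure rate in FIT


# Constructed transmitter: most of the total failure rate sits in parts
# (display, LED) whose failure has no effect on the safety function.
MODES = [
    FailureMode("pressure cell", "dangerous", False, 120.0),
    FailureMode("ADC", "dangerous", True, 300.0),
    FailureMode("output stage", "safe", True, 200.0),
    FailureMode("output stage", "safe", False, 50.0),
    FailureMode("display driver", "no_effect", False, 900.0),
    FailureMode("status LED", "no_effect", False, 400.0),
]


def rates(modes, count_no_effect_as_safe):
    """Return (lambda_S, lambda_DD, lambda_DU) in FIT.

    count_no_effect_as_safe=True books 'no effect' failures as safe
    failures (the reading the 2010 edition closes off); False leaves
    them out of the calculation, as IEC 61508-2:2010 requires.
    """
    lam_s = lam_dd = lam_du = 0.0
    for m in modes:
        if m.effect == "safe":
            lam_s += m.rate_fit
        elif m.effect == "dangerous" and m.detected:
            lam_dd += m.rate_fit
        elif m.effect == "dangerous":
            lam_du += m.rate_fit
        elif m.effect == "no_effect" and count_no_effect_as_safe:
            lam_s += m.rate_fit
    return lam_s, lam_dd, lam_du


def sff(modes, count_no_effect_as_safe):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    lam_s, lam_dd, lam_du = rates(modes, count_no_effect_as_safe)
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def max_sil_type_b_hft0(sff_value):
    """SIL claim limit for a type B subsystem with hardware fault
    tolerance 0 (IEC 61508-2 architectural constraints, Route 1H):
    SFF < 60 % -> none, 60-90 % -> SIL 1, 90-99 % -> SIL 2, >= 99 % -> SIL 3."""
    if sff_value < 0.60:
        return 0
    if sff_value < 0.90:
        return 1
    if sff_value < 0.99:
        return 2
    return 3


def pfd_avg_1oo1(modes, proof_test_interval_h):
    """Simplified PFDavg of a single channel: lambda_DU * T_proof / 2.
    Only the dangerous undetected rate enters, whichever way SFF is counted."""
    _, _, lam_du = rates(modes, False)
    return lam_du * FIT * proof_test_interval_h / 2


if __name__ == "__main__":
    for label, flag in (("no-effect counted as safe", True),
                        ("no-effect excluded (Ed. 2)", False)):
        value = sff(MODES, flag)
        print(f"{label}: SFF = {value:.1%}, "
              f"max SIL (type B, HFT 0) = {max_sil_type_b_hft0(value)}")
    print(f"PFDavg (1oo1, 1-year proof test) = {pfd_avg_1oo1(MODES, 8760):.2e}")
```

On this constructed table the first reading gives an SFF of about 93.9 % (a SIL 2 architectural claim) and the second about 82.1 % (SIL 1), while λDU, and with it the probability of failing on demand, is identical in both. Padding the calculation with failures that never touch the safety function is the kind of inflation the tightened definition is meant to prevent; the price is that the remaining credit must come from real diagnostic coverage and real failure data.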

Q: Is there any relationship between IEC 61508 and wireless, and what role is wireless playing in process safety currently and into the future?
A: If you are talking about internal communication within the logic solver, then this communication has to be “interference free” with respect to its safety performance. For example, we can connect failsafe I/O remotely via wireless Ethernet using Profinet.

Profinet provides the Profisafe profile, which is media independent, hence approved for wireless communication up to SIL3. On the other hand, using wireless field devices as a part of the Safety Instrumented Function (SIF) is a different issue.

There is an ISA technical group working on a Technical Report (guidance) with regards to this subject which is still in draft and due to be released soon. The IEC 61508 standard does not explicitly mention such application.

Q: What are some of the common safety concerns in the process industry?
A: In general, safety concerns relate to the safety of human life, the environment as well as assets and equipment. In addition, there are other concerns such as further consequences in financial losses, company image, litigation, etc.

The key priority for safety systems is to perform when required, just like an airbag in a car or a parachute in an aircraft. Today, cyber security is an increasing new concern, and it is a part of the design of any new safety system (controls, alarms and interlocks).

In fact, everything points to the fact that the new IEC 61511 will include a clause about cyber security, in particular harnessing the concept of ‘defence in depth’.

This principle, applied to a safety/security environment, provides a multilayer security shell, comprised of plant security, network security and system integrity protection measures, and is the best security guarantee for SIS protection.

Q: How do you define and implement fault exclusions?
A: 100% fault exclusions are impossible to obtain. You need fault tolerance with detection, protection and redundancy. There are two types of redundancy – one to obtain safety, achieved through voting redundant resources, and one for fault tolerance, such as hot-standby redundancy for high availability.

Until the 1990s, safety was obtained by redundancy while reliability was obtained by diagnosing the health of redundant voting resources. Since then, in modern systems, diagnostics have been used to protect outputs, making them safe.

Flexible Modular Redundancy (FMR) is the architectural philosophy Siemens uses to achieve high levels of fault tolerance while maintaining a very high safety performance. This is possible thanks to a high diagnostic coverage.

Because of its flexibility, this type of Programmable Logic Solver accommodates all types of different and complex field device architectures. In such cases, redundancy is used purely to increase system availability.
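As an added example of the point made in this answer, that voting gives safety while diagnostics are used to keep outputs safe: the script below is a generic three-channel voter with diagnostic-driven degradation. It is illustrative code written for this article, not Siemens FMR and not code from the interview; the channel readings, fault flags and scenario list are constructed, and the degradation policy (2oo3, then 1oo2, then 1oo1, then trip) is one common choice, not the only one.

```python
"""Added example (generic, not Siemens FMR and not code from the interview):
a three-channel voter that lets diagnostics drive detected faults to the
safe state while still voting the healthy channels.

Channel readings and fault flags below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Health(Enum):
    OK = "ok"
    FAULT_DETECTED = "fault detected"   # flagged by the channel's own diagnostics


@dataclass(frozen=True)
class Channel:
    trip_vote: bool   # this channel says a demand is present
    health: Health


@dataclass(frozen=True)
class Decision:
    trip: bool
    voting: str       # "2oo3", "1oo2", "1oo1" or "fail-safe"


def vote(channels):
    """Vote 2oo3 over healthy channels; drop channels whose diagnostics
    flagged a fault (degrading to 1oo2, then 1oo1); with no healthy channel
    left, trip. A detected failure therefore never produces a dangerous output."""
    healthy = [c for c in channels if c.health is Health.OK]
    votes = sum(c.trip_vote for c in healthy)
    if len(healthy) == 3:
        return Decision(trip=votes >= 2, voting="2oo3")
    if len(healthy) == 2:
        return Decision(trip=votes >= 1, voting="1oo2")
    if len(healthy) == 1:
        return Decision(trip=votes >= 1, voting="1oo1")
    return Decision(trip=True, voting="fail-safe")


def classify(decision, demand_present):
    """Name the outcome in the interview's terms: a trip with no demand is a
    safe (spurious) failure, no trip on a real demand is an on-demand failure."""
    if decision.trip == demand_present:
        return "correct"
    return "dangerous failure (on demand)" if demand_present else "safe failure (spurious trip)"


OK, FD = Health.OK, Health.FAULT_DETECTED

# Constructed scenarios: (description, channel states, is a real demand present?)
SCENARIOS = [
    ("normal operation, no demand",
     [Channel(False, OK), Channel(False, OK), Channel(False, OK)], False),
    ("real demand, one channel stuck low and undetected",
     [Channel(True, OK), Channel(True, OK), Channel(False, OK)], True),
    ("no demand, one channel stuck high and undetected",
     [Channel(True, OK), Channel(False, OK), Channel(False, OK)], False),
    ("real demand, two channels stuck low and undetected",
     [Channel(True, OK), Channel(False, OK), Channel(False, OK)], True),
    ("real demand, one channel fault detected by diagnostics",
     [Channel(False, FD), Channel(True, OK), Channel(False, OK)], True),
    ("no demand, two channel faults detected",
     [Channel(False, FD), Channel(False, FD), Channel(False, OK)], False),
    ("all three channels flagged by diagnostics",
     [Channel(False, FD), Channel(False, FD), Channel(False, FD)], False),
]


def run_scenarios(scenarios=SCENARIOS):
    """Return [(description, voting mode, trip, classification), ...]."""
    results = []
    for desc, channels, demand in scenarios:
        decision = vote(channels)
        results.append((desc, decision.voting, decision.trip, classify(decision, demand)))
    return results


if __name__ == "__main__":
    for desc, voting, trip, verdict in run_scenarios():
        print(f"{desc:55s} {voting:9s} trip={trip!s:5s} {verdict}")
```

The fourth scenario is the case diagnostics exist to prevent: two dangerous undetected failures outvote the one good channel and the function fails on demand, with nothing in the voter able to notice. Once a fault is detected the voter stops trusting that channel and degrades instead, and with no trustworthy channel left it trips. That final trip is a safe failure in the sense used earlier in the interview, and also a spurious one, which is exactly the loss of availability that hot-standby style redundancy is there to reduce.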

Luis Garcia will be presenting his paper on the new IEC 61508 standard at the Safety Controls & Instrumented Systems Conference in Sydney, and will also be conducting a one-day general seminar on process safety.

Details of both events are provided below:

Safety Controls & Instrumented Systems Conference
Date: 16th – 18th April 2013
Venue: Novotel Darling Harbour, NSW
Phone: 1300 138 522
Email: conferences@idc-online.com

Siemens Process Safety Seminar
Date: Monday 15th April 2013
Venue: Park Royal Darling Harbour, NSW
Phone: 03 9721 7371
Email: marek.lisik@siemens.com