IEC 61508 is an umbrella standard, covering all industries and all aspects of the safety of electrical/electronic/programmable electronic safety-related systems from 'cradle to grave'. Paul Stevens looks at the standard and what its implications are.

When it comes to safety-related issues, there is no getting away from standards. One in particular that is currently causing concern throughout industry is IEC 61508, the series of standards for functional safety in industrial automation where electrical/electronic/electronic programmable (E/E/PE) safety-related systems are being used. Published by the International Electrotechnical Committee (IEC) in Geneva, Switzerland, IEC 61508 is made up of seven parts (see panel) and it will have far-reaching implications for equipment suppliers, specifiers, installers, users, and others. Indeed, the standard takes a cradle-to-grave approach to ensure that safety is considered at every stage, from concept through design and operation to decommissioning.
As well as giving blanket coverage to all stages in a project, the standard also covers all industries, including manufacturing, process and nuclear (Fig. 1). It is intended that IEC 61508 will be used as the basis for the preparation of industry-specific standards and this is already starting to happen; IEC 62061 is for the machinery sector, IEC 61511 is for the process sector and IEC 61513 is for the nuclear sector. Once these industry-specific standards are published they will supersede IEC 61508 for those industrial sectors but, until then, the generic standard must be observed. So far IEC 61508 has not been referred to in any of the New Approach European Directives. However, it is likely that this will start to happen over the next three to five years, and it is possible that the Machinery Directive will be the first. And knowing the rate at which standards are developed, this timescale is likely to be shorter than the time needed to prepare IEC 62061 for the machinery sector.
The first step towards complying with the requirements of IEC 61508 is to conduct a risk assessment. This will help to identify the safety integrity level (SIL) that is required. SILs are a new concept, introduced for the first time in IEC 61508, with SIL 1 being the lowest risk and SIL 4 being the highest. The next step will be the preparation of the Safety Requirements Specification, which is the document that defines the safety functions and the safety integrity to which those functions must be carried out. It is important to note that SILs relate to the integrity of systems, not individual components, and this fact has to be borne in mind later when a system (made up of discrete components) is being designed.

The Cass scheme

As with the ISO 9000 quality assurance series of standards, there is a need for companies to be certified as complying with the requirements of IEC 61508. The Cass (conformity assessment of safety-related systems) scheme has been developed by the industry as a whole, the intention being to provide a framework that is both rigorous and internationally acceptable, under which consistent certification of safety-related systems can take place. The Cass scheme is operated through independent third-party certification bodies that are accredited to the European and international standards for the certification of products and processes.
A not-for-profit company has been formed to set and operate the rules of Cass for the benefit of industry, and The Cass Scheme Limited has members representing all interested parties from industries as diverse as aerospace, transport and processes.
There are five assessment types within Cass as follows:
Type 1. Application independent (component assessment) - covers the assessment of the functional safety achieved by generic components or software programs that are independent of the application.
Type 2. Application-specific products - covers application-specific assessments of E/E/PE systems that have been configured for a particular application or task. Type 2a. Integrated system assessment will typically be for bespoke installations and Type 2b sub-system assessment will typically be for a part of an integrated system that has been assembled from components such as input interfaces, logic solvers and output interfaces, normally excluding any actuators and sensors.
Type 3. Operations and maintenance assessment - covers assessment of the operations and maintenance regimes for safety-related systems, and typically will be applicable to the end user or operator.
Type 4. Safety requirements assessment - covers assessment for the requirements capture and the hazard and risk analyses for an application-specific safety system. This will typically be applicable to the operator who is procuring a system.
Type 5. Functional safety capability assessment (FSCA) - is the assessment of an organisation's functional safety capability. Note that this relates to the processes, not to individual products or systems, and it will be common to a broad range of sectors, such as engineering organisations, end users and system integrators.
Whereas the other four types of assessment relate to specific products or systems, the FSCA relates to management procedures and demonstrates the capability of delivery.
In the same way that an ISO 9001 accreditation relates only to the specified scope of supply, an organisation's Cass assessment to IEC 61508 will also relate only to the activities, products or services specified.
The two implications of this are that organisations seeking Cass certification should consider extremely carefully what they wish to have certified, and organisations who are procuring from a Cass-certified supplier should check carefully to see if the scope is broad enough for their needs.
Cass has been formed in the UK primarily to serve the interests of UK-based organisations, but there is an equivalent body in Europe, CUIG (the European Core User Interest Group in programmable safety related systems). This is a group of European organisations working to promote the safe use of programmable electronic safety related systems. CUIG is supported by the European Commission as a three-year project in the Esprit programme of information technology research and development.