Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (see Functional Safety and IEC 61508)


General Information

Status: Not Published
Publication Date: 06-Oct-2026
Current Stage: 4060 - Enquiry results established and sent to TC, SR, BTTF - Enquiry
Start Date: 06-Jun-2025
Completion Date: 06-Jun-2025

Relations

Draft: prEN IEC 61508-6:2025 - COLOUR
English language, 118 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-May-2025
Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (see Functional Safety and IEC 61508)
This Slovenian standard is identical to: prEN IEC 61508-6:2025
ICS:
25.040.40 Industrial process measurement and control
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

65A/1171/CDV
COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER: IEC 61508-6 ED3
DATE OF CIRCULATION: 2025-03-14
CLOSING DATE FOR VOTING: 2025-06-06
SUPERSEDES DOCUMENTS: 65A/1061A/CD, 65A/1080B/CC
IEC SC 65A : SYSTEM ASPECTS
SECRETARIAT: United Kingdom
SECRETARY: Ms Stephanie Lavy
OF INTEREST TO THE FOLLOWING COMMITTEES: TC 8, TC 9, TC 22, TC 31, TC 44, TC 45, TC 56, TC 61, TC 62, TC 65, SC 65B, SC 65C, SC 65E, TC 66, TC 72, TC 77, TC 80, TC 108, SyC AAL, SyC SM, SC 41
HORIZONTAL FUNCTION(S):
ASPECTS CONCERNED: Safety
SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of CENELEC, is drawn to the fact that this Committee Draft for Vote (CDV) is submitted for parallel voting. The CENELEC members are invited to vote through the CENELEC online voting system.
This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
Recipients of this document are invited to submit, with their comments, notification of any relevant “In Some Countries” clauses to be included should this proposal proceed. Recipients are reminded that the CDV stage is the final stage for submitting ISC clauses. (SEE AC/22/2007 OR NEW GUIDANCE DOC).

TITLE:
Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (see Functional Safety and IEC 61508)

PROPOSED STABILITY DATE: 2027
NOTE FROM TC/SC OFFICERS:
“Due to committee meetings planned at the end of May in Pisa, Italy, it is appreciated to voluntarily submit comments on this Part of the IEC 61508 series by 2025-05-12 already. Of course, there will be all comments accepted for consideration by the committee arriving within the official circulation period, but it will help the committee for starting their work on the project phase.”


– 2 – IEC CDV 61508-6 © IEC 2025
CONTENTS
FOREWORD ... 5
INTRODUCTION ... 7
1 Scope ... 9
2 Normative references ... 11
3 Definitions and abbreviations ... 11
Annex A (informative) Application of IEC 61508-2 and of IEC 61508-3 ... 12
A.1 General ... 12
A.2 Functional steps in the application of IEC 61508-2 ... 14
A.3 Functional steps in the application of IEC 61508-3 ... 17
A.4 Architecture considerations ... 19
A.4.1 Architecture Description Identification and Overview ... 20
A.4.2 Stakeholders and Concerns ... 20
Annex B (informative) Example of technique for evaluating probabilities of hardware failure ... 22
B.1 General ... 22
B.2 Considerations about basic probabilistic calculations ... 23
B.2.1 Introduction ... 23
B.2.2 Low demand E/E/PE safety-related system ... 23
B.2.3 Continuous or high demand mode E/E/PE safety-related system ... 24
B.3 Methods of calculating PFD or PFH of a system ... 25
B.3.1 Other available guidance ... 25
B.3.2 Reliability block diagram approach, assuming constant failure rate ... 26
B.3.3 Average frequency of dangerous failure (for high demand or continuous mode of operation) ... 45
B.4 Determination of SILs for E/E/PE Safety-Related Systems with (a) Common Functional Element(s) ... 56
B.4.1 Necessity of multiple protection layers (Multi-PLs) ... 56
B.4.2 Redundant channels (CHs) and multi-PLs ... 57
B.4.3 Classification of independency between (E/E/PE) safety-related systems ... 59
B.4.4 Illustrative example of multi-PLs with common FEs classified into Case 2-2 ... 59
B.5 Safety integrity and modes of operation of the systems with analytical complexity ... 63
B.6 Handling uncertainties ... 63
B.7 References ... 64
Annex C (informative) Calculation of diagnostic coverage and safe failure fraction – worked example ... 65
Annex D (informative) A methodology for quantifying the effect of hardware-related common cause failures in E/E/PE systems ... 69
D.1 General ... 69
D.1.1 Introduction ... 69
D.1.2 Brief overview ... 69
D.1.3 Defence against common cause failures ... 70
D.1.4 Approach adopted in the IEC 61508 series ... 71
D.2 Scope of the methodology ... 73
D.3 Points taken into account in the methodology ... 73
D.4 Using the β-factor to calculate the probability of failure in an E/E/PE safety-related system due to common cause failures ... 74
D.5 Redundancy at system level estimate of β ... 75
D.6 Redundancy at PCB device level estimation of β ... 78
D.7 Estimation of β suitable for complex semiconductor ... 80
D.8 Binomial failure rate (Shock model) – CCF approach ... 81
D.9 References ... 83
Annex E (informative) Example applications of systematic capability tables of IEC 61508-3 ... 84
E.1 General ... 84
E.2 Example for safety integrity level 2 ... 84
E.3 Example for safety integrity level 3 ... 91
Annex F (informative) Examples on how to include failures of the diagnostic function in the PFH / PFD_AVG calculation ... 101
F.1 Possible approach A ... 101
F.2 Possible approach B ... 102
F.3 Possible approach C ... 104
Annex G (informative) Failure rate estimation from field feedback, with confidence intervals ... 107
G.1 Introduction ... 107
G.2 Assumptions for data collection ... 107
G.3 Assumptions and notations for parameters estimation ... 108
G.4 Failure rate estimation for detected failures ... 108
G.5 Failure rate estimation for undetected failures ... 109
G.6 Examples of failure rates estimation with upper confidence bound ... 111
Annex H Guidance for robust safety architecture ... 113
Bibliography ... 116

Figure A.1 – Application of IEC 61508-2 ... 16
Figure A.2 – Application of IEC 61508-2 (Figure A.1 continued) ... 17
Figure A.3 – Application of IEC 61508-3 ... 19
Figure B.1 – Reliability Block Diagram of a whole safety loop ... 23
Figure B.2 – Example configuration for two sensor channels ... 28
Figure B.3 – Subsystem structure ... 29
Figure B.4 – 1oo1 physical block diagram ... 31
Figure B.5 – 1oo1 reliability block diagram ... 31
Figure B.6 – 1oo2 physical block diagram ... 32
Figure B.7 – 1oo2 reliability block diagram ... 32
Figure B.8 – 2oo2 physical block diagram ... 33
Figure B.9 – 2oo2 reliability block diagram ... 33
Figure B.10 – 1oo2D physical block diagram ... 34
Figure B.11 – 1oo2D reliability block diagram ... 34
Figure B.12 – 2oo3 physical block diagram ... 35
Figure B.13 – 2oo3 reliability block diagram ... 36
Figure B.14 – Systems block diagram of biped nursing robot ... 57
Figure B.15 – Hazardous event described by FT of multi-PLs ... 58
Figure B.16 – Hazardous event described by FT of multi-CHs system ... 58
Figure B.17 – Reliability block diagrams of typical multi-PLs to control a collision risk by biped nursing robot ... 60
Figure D.1 – Relationship of common cause failures to the failures of individual channels ... 71
Figure D.2 – Implementing shock model with fault trees ... 82

Table B.1 – Terms used in this annex (applies to 1oo1, 1oo2, 2oo2, 1oo2D, 1oo3 and 2oo3) ... 28
Table B.9 – Example for a non-perfect proof test ... 45
Table C.1 – Example calculations for diagnostic coverage and safe failure fraction ... 66
Table C.2 – Diagnostic coverage and effectiveness for different elements ... 67
Table D.1 – Scoring sensors/final elements ... 75
Table D.2 – Scoring Logic Subsystems ... 76
Table D.3 – Calculation of β_DU and β_DD ... 77
Table D.4 – Calculation of β for systems with levels of redundancy greater than 1oo2 ... 78
Table D.5 – Example of a common cause failure analysis ... 79
Table D.6 – Additional Modifier ... 80
Table D.7 – Estimation of attributes of β-value ... 80
Table D.8 – Measures to quantify a β-factor ... 81
Table E.1 – Software safety requirements specification ... 85
Table E.2 – Software design and development – software architecture design ... 85
Table E.3 – Software design and development – support tools and programming language ... 87
Table E.4 – Software design and development – detailed design ... 87
Table E.5 – Software design and development – software module testing and integration ... 88
Table E.6 – Programmable electronics integration (hardware and software) ... 89
Table E.7 – Software aspects of system safety validation ... 89
Table E.8 – Software modification ... 90
Table E.9 – Software verification ... 90
Table E.10 – Functional safety assessment ... 91
Table E.11 – Software safety requirements specification ... 92
Table E.12 – Software design and development – software architecture design ... 92
Table E.13 – Software design and development – support tools and programming language ... 94
Table E.14 – Software design and development – detailed design ... 94
Table E.15 – Software design and development – software module testing and integration ... 96
Table E.16 – Programmable electronics integration (hardware and software) ... 97
Table E.17 – Software aspects of system safety validation ... 97
Table E.18 – Modification ... 98
Table E.19 – Software verification ... 99
Table E.20 – Software life cycle through lifecycle activities ... 99

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a) patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at https://patents.iec.ch. IEC shall not be held responsible for identifying any or all such patent rights.
IEC 61508-6 has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-process measurement, control and automation.
This third edition cancels and replaces the second edition published in 2010. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition (the following list refers to this document only; other parts mention specific further details):
a) The document was upgraded to the 2024 version of the ISO/IEC Directives; this introduces a significant number of editorial changes, clause renumbering and rewording of the information provided in Notes;
b) The following new Annexes have been created:
i) Annex F gives examples on how to include failures of the diagnostic function in the calculation of the safety parameters;
ii) Annex G gives guidance on failure rate estimation from field feedback with confidence intervals;
iii) Annex H gives guidance on robust safety architecture.
c) New common cause methods on redundancy at PCB device level estimation of β (D.6) and for estimation of β suitable for complex semiconductors (D.7) have been added;
d) Examples from TR 12489 have been included (Annex B).
e) Corrections and explanations have been made related to formulas and their applicability.
f) Various minor editorial errors have been corrected; the normative references and the bibliography have been updated.
The text of this document is based on the following documents:

Draft            Report on voting
XX/XX/FDIS       XX/XX/RVD

Full information on the voting for its approval can be found in the report on voting indicated in the above table.
The language used for the development of this document is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are described in greater detail at www.iec.ch/publications.
A list of all parts of the IEC 61508 series, published under the general title Functional safety of electrical / electronic / programmable electronic safety-related systems, can be found on the IEC website.
The committee has decided that the contents of this document will remain unchanged until the stability date indicated on the IEC website under webstore.iec.ch in the data related to the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
Systems comprised of electrical and/or electronic elements have been used for many years to perform safety functions in most application sectors. Computer-based systems (generically referred to as programmable electronic systems) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety functions. If computer system technology is to be effectively and safely exploited, it is essential that those responsible for making decisions have sufficient guidance on the safety aspects on which to make these decisions.
This document sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic (E/E/PE) elements that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy be developed for all electrically-based safety-related systems. A major objective is to facilitate the development of product and application sector documents based on the IEC 61508 series.
In most situations, safety is achieved by a number of systems which rely on many technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy should therefore consider not only all the elements within an individual system (for example sensors, controlling devices and actuators) but also all the safety-related systems making up the total combination of safety-related systems. Therefore, while this document is concerned with E/E/PE safety-related systems, it may also provide a framework within which safety-related systems based on other technologies may be considered.
It is recognized that there is a great variety of applications using E/E/PE safety-related systems in a variety of application sectors and covering a wide range of complexity, hazard and risk potentials. In any particular application, the required safety measures will be dependent on many factors specific to the application. This International Standard, by being generic, will enable such measures to be formulated in future product and application sector documents and in revisions of those that already exist.
This document
– considers all relevant overall, E/E/PE system and software safety lifecycle phases (for example, from initial concept, through design, implementation, operation and maintenance to decommissioning) when E/E/PE systems are used to perform safety functions;
– has been conceived with a rapidly developing technology in mind; the framework is sufficiently robust and comprehensive to cater for future developments;
– enables product and application sector documents, dealing with E/E/PE safety-related systems, to be developed; the development of product and application sector documents, within the framework of this standard, should lead to a high level of consistency (for example, of underlying principles, terminology etc.) both within application sectors and across application sectors; this will have both safety and economic benefits;
– provides a method for the development of the safety requirements specification necessary to achieve the required functional safety for E/E/PE safety-related systems;
– adopts a risk-based approach by which the safety integrity requirements can be determined;
– introduces safety integrity levels for specifying the target level of safety integrity for the safety functions to be implemented by the E/E/PE safety-related systems;
NOTE 1 The standard does not specify the safety integrity level requirements for any safety function, nor does it mandate how the safety integrity level is determined. Instead it provides a risk-based conceptual framework and example techniques.
– sets target failure measures for safety functions carried out by E/E/PE safety-related systems, which are linked to the safety integrity levels;
– sets a lower limit on the target failure measures for a safety function carried out by a single E/E/PE safety-related system. For E/E/PE safety-related systems operating in
  – a low demand mode of operation, the lower limit is set at an average probability of a dangerous failure on demand of 10^–5;
  – a high demand or a continuous mode of operation, the lower limit is set at an average frequency of a dangerous failure of 10^–9 [h^–1];
NOTE 2 A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
NOTE 3 It can be possible to achieve designs of safety-related systems with lower values for the target safety integrity for non-complex systems, but these limits are considered to represent what can be achieved for relatively complex systems (for example programmable electronic safety-related systems) at the present time.
– sets requirements for the avoidance and control of systematic faults, which are based on experience and judgement from practical experience gained in industry. Even though the probability of occurrence of systematic failures cannot in general be quantified, the standard does, however, allow a claim to be made, for a specified safety function, that the target failure measure associated with the safety function can be considered to be achieved if all the requirements in the standard have been met;
– adopts a broad range of principles, techniques and measures to achieve functional safety for E/E/PE safety-related systems, but does not explicitly use the concept of fail safe. However, the concepts of “fail safe” and “inherently safe” principles may be applicable and adoption of such concepts is acceptable providing the requirements of the relevant clauses in the standard are met.
FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3

1 Scope
1.1 This part of IEC 61508 contains information and guidelines on IEC 61508-2 and IEC 61508-3.
– Annex A gives a brief overview of the requirements of IEC 61508-2 and IEC 61508-3 and sets out the functional steps in their application.
– Annex B gives an example technique for calculating the probabilities of hardware failure and should be read in conjunction with 7.4.3 and Annex C of IEC 61508-2 and Annex D.
– Annex C gives a worked example of calculating diagnostic coverage and should be read in conjunction with Annex C of IEC 61508-2.
– Annex D gives a methodology for quantifying the effect of hardware-related common cause failures on the probability of failure.
– Annex E gives worked examples of the application of the systematic capability tables specified in Annex A of IEC 61508-3 for safety integrity levels 2 and 3.
– Annex F gives examples on how to include failures of the diagnostic function in the calculation of the safety parameters.
– Annex G gives guidance on how to estimate the failure rates from field feedback with confidence intervals and specifically in the context of compliance with route 2H requirements in 7.4.4.3.3 of IEC 61508-2 or route 2S requirements as stated in 7.4.9.5 of IEC 61508-2.
– Annex H gives guidance on robust safety architecture.
1.2 IEC 61508-1, IEC 61508-2, IEC 61508-3 and IEC 61508-4 are basic safety publications, although this status does not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.3 of IEC 61508-4). This document provides further information to complement these basic safety publications.
1.3 One of the responsibilities of a technical committee is, wherever applicable, to make use of basic safety publications in the preparation of its publications. In this context, the requirements, test methods or test conditions of this basic safety publication will not apply unless specifically referred to or included in the publications prepared by those technical committees.
1.4 Figure 1 shows the overall framework of the IEC 61508 series and indicates the role that IEC 61508-6 plays in the achievement of functional safety for E/E/PE safety-related systems.

[Figure 1 (diagram; only the box labels survive). Technical requirements: Part 1 – Development of the overall safety requirements (concept, scope, definition, hazard and risk analysis), 7.1 to 7.5; Part 1 – Allocation of the safety requirements to the E/E/PE safety-related systems, 7.6; Part 1 – Specification of the system safety requirements for the E/E/PE safety-related systems, 7.10; Part 2 – Realisation phase for E/E/PE safety-related systems; Part 3 – Realisation phase for safety-related software; Part 1 – Installation, commissioning & safety validation of E/E/PE safety-related systems, 7.13 - 7.14; Part 1 – Operation, maintenance, repair, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems, 7.15 - 7.17. Other requirements: Part 5 – Example of methods for the determination of safety integrity levels; Part 6 – Guidelines for the application of Parts 2 & 3; Part 7 – Overview of techniques and measures.]
Figure 1 – Overall framework of the IEC 61508 series
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 61508-2:202X, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3:202X, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements
IEC 61508-4:202X, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
3 Definitions and abbreviations
For the purposes of this document, the definitions and abbreviations given in IEC 61508-4 apply.

Annex A
(informative)
Application of IEC 61508-2 and of IEC 61508-3

A.1 General
Machinery, process plant and other equipment may, in the case of malfunction (for example by failures of electrical, electronic and/or programmable electronic devices), present risks to people and the environment from hazardous events such as fires, explosions, radiation overdoses, machinery traps, etc. Failures can arise from either physical faults in the device (for example causing random hardware failures), or from systematic faults (for example human errors made in the specification and design of a system cause systematic failure under some particular combination of inputs), or from some environmental condition.
IEC 61508-1 provides an overall framework based on a risk approach for the prevention and/or control of failures in electro-mechanical, electronic, or programmable electronic devices.
The overall goal is to ensure that plant and equipment can be safely automated. A key objective of this standard is to prevent:
– failures of control systems triggering other events, which in turn could lead to danger (for example fire, release of toxic materials, repeat stroke of a machine, etc.); and
– undetected failures in protection systems (for example in an emergency shut-down system), making the systems unavailable when needed for a safety action.
IEC 61508-1 requires that a hazard and risk analysis at the process/machine level is carried out to determine the amount of risk reduction necessary to meet the risk criteria for the application. Risk is based on the assessment of both the consequence (or severity) and the frequency (or probability) of the hazardous event.
IEC 61508-1 further requires that the amount of risk reduction established by the risk analysis is used to determine if one or more safety-related systems are required and what safety functions (each with a specified safety integrity) they are needed for.
IEC 61508-2 and IEC 61508-3 take the safety functions and safety integrity requirements allocated to any system, designated as an E/E/PE safety-related system, by the application of IEC 61508-1 and establish requirements for safety lifecycle activities which:
– should be applied during the specification, design and modification of the hardware and software; and
– focus on means for preventing and/or controlling random hardware and systematic failures (the E/E/PE system and software safety lifecycles).
IEC 61508-2 and IEC 61508-3 do not give guidance on which level of safety integrity is appropriate for a given required tolerable risk. This decision depends upon many factors, including the nature of the application, the extent to which other systems carry out safety functions and social and economic factors (see IEC 61508-1 and IEC 61508-5).
The requirements of IEC 61508-2 and IEC 61508-3 include:
– the application of measures and techniques, which are graded against the safety integrity level, for the avoidance of systematic failures by preventative methods; and
– the control of systematic failures (including software failures) and random hardware failures by design features such as fault detection, redundancy and architectural features (for example diversity).
In IEC 61508-2, assurance that the safety integrity target has been satisfied for dangerous random hardware failures is based on:
– hardware fault tolerance requirements (see Tables 2 and 3 of IEC 61508-2); and
– the diagnostic coverage and frequency of proof tests of subsystems and components, by carrying out a reliability analysis using appropriate data.
In both IEC 61508-2 and IEC 61508-3, assurance that the safety integrity target has been satisfied for systematic failures is gained by:
– the correct application of safety management procedures;
– the use of competent staff;
– the application of the specified safety lifecycle activities, including the specified techniques and measures; and
– an independent functional safety assessment.
The overall goal is to ensure that remaining systematic faults, commensurate with the safety integrity level, do not cause a failure of the E/E/PE safety-related system.
IEC 61508-2 has been developed to provide requirements for achieving safety integrity in the hardware of the E/E/PE safety-related systems including sensors and final elements. Techniques and measures against both random hardware failures and systematic hardware failures are required. These involve an appropriate combination of fault avoidance and failure control measures as indicated above. Where manual action is needed for functional safety, requirements are given for the operator interface. Also diagnostic test techniques and measures, based on software and hardware (for example diversity), to detect random hardware failures are specified in IEC 61508-2.
IEC 61508-3 has been developed to provide requirements for achieving systematic capability for the software – both embedded (including diagnostic fault detection services) and application software. IEC 61508-3 requires a combination of fault avoidance (quality assurance) and fault tolerance approaches (software architecture), as there is no known way to prove the absence of faults in reasonably complex safety-related software, especially the absence of specification and des
...

—————————
Footnotes to A.1 (from page 12 of the draft):
Systems necessary for functional safety and containing one or more electrical (electro-mechanical), electronic or programmable electronic (E/E/PE) devices are designated as E/E/PE safety-related systems and include all equipment necessary to carry out the required safety function (see 3.5.1 of IEC 61508-4).
Safety integrity is specified as one of four discrete levels. Safety integrity level 4 is the highest and safety integrity level 1 the lowest (see 3.5.4 and 3.5.8 of IEC 61508-4).
To enable the requirements of this standard to be clearly structured, a decision was made to order the requirements using a development process model in which each stage follows in a defined order with little iteration (sometimes referred to as a waterfall model). However, it is stressed that any lifecycle approach can be used provided a statement of equivalence is given in the safety plan for the project (see Clause 7 of IEC 61508-1).
