University of Bielefeld Faculty of Technology

The Concepts of IEC 61508

An Overview and Analysis

Prof. Peter B. Ladkin PhD

ladkin@rvs.uni-bielefeld.de

Sommersemester 2001

Motivation: Clear Concepts

Concepts must be clear in order to enable easy and uniform use in engineering. If concepts are unclear, then reasoning is not easily seen to be (in)correct; mistakes are harder to detect.

There are various concepts of risk and hazard. Which are effective for engineering purposes, and which are not? Which are effective in which domains, and which not?

23 März 2005

Motivation: Effective Methods

Effective methods have three characteristics:

They "work"
- They are applicable to the domain of interest
- They enable passable assessments of risk and safety-critical failure
- They can be used within an engineering organisation

Good arguments exist concerning applicability and correctness
- We know why they work
- We have independent means to check the results

Summary: good engineering means knowing what methods are applicable, where, why and how.

Basic Concepts of System Safety

Basic ontological concepts: system, environment, boundary, objects, fluents, state, state change, event, behavior, near and far behaviors, necessary causal factor

plus Likelihood, Severity; Likelihood, Consequences

Accident
Hazard
Risk

Basic Concepts in de Moivre, Leveson, IEC 61508

De Moivre

Abraham de Moivre, De Mensura Sortis, 1711, in the Philosophical Transactions of the Royal Society:

"The Risk of losing any sum is the reverse of Expectation; and the true measure of it is, the product of the Sum adventured multiplied by the Probability of the Loss."

Severity: "the Sum adventured"

De Moivre: Risk

Risk: expected value of loss = Σ p(Cx)·S(Cx)

Cx: a loss event; S(Cx): the severity of the loss event

Accident: here, the loss event
Hazard: ??

Leveson: Safeware definitions (1)

Accident: "an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of loss."

Hazard: "a state or set of conditions of a system ... that, together with other conditions in the environment of the system ..., will lead inevitably to an accident"
- defined with respect to the environment
- what constitutes a hazard depends on the boundary of the system

Leveson: Safeware definitions (2)

Hazard (cont'd)

Severity (or damage): "the worst possible accident that could result from the hazard given the environment in its most unfavorable state"

Likelihood of occurrence

Hazard level: "combination of severity and likelihood of occurrence"

Risk: "the hazard level combined with (1) the likelihood of the hazard leading to an accident ... and (2) hazard exposure or duration"

Safety: "freedom from accidents or losses"

Interpretation of Safeware definitions

Accident: an unwanted event

Hazard: a system state, which in combination with the most unfortunate environment state, results inevitably in (is a sufficient causal factor of) an accident

Severity: level of loss (on a ratio scale)

Risk = Σ p(H)·p(Cx | H)·S(Cx)

Cx: an accident that results from/through H; S(Cx): the severity of the accident Cx

Hazard: Variant Definitions

Leveson: system state
- A commercial aircraft encounters thunderstorm turbulence which causes loss of control and breakup
- When the environment contains such turbulence, and the aircraft is flying, then an accident is inevitable. It follows that flying states of the aircraft are hazard states

Environment state
- In this example, as in the game of golf or of real tennis, the "hazard" is more intuitively an environmental state

Global State (Jackson 1995; Simpson & Stoker 2002)

IEC 61508: "potential source of harm"
- seems to allow system+environment state (global state), but then, it seems to allow lots of things

Comparison of Safeware and De Moivre Risk

How do Σ p(H)·p(Cx | H)·S(Cx) and Σ p(Cx)·S(Cx) compare?

Let H1, H2, ..., Hk be a collection of mutually exclusive hazards such that each accident happens through one of them. Then by a basic calculation in conditional probability
  p(Cx) = Σ p(Hi)·p(Cx | Hi)
Thus
  p(Cx)·S(Cx) = Σ p(Hi)·p(Cx | Hi)·S(Cx)
and summing over all Cx yields the result.

(Repeat): H1, H2, ..., Hk a collection of mutually exclusive hazards such that each accident happens through one of them. Without this assumption, the sums may not be the same.

IEC 61508: Definitions (1)

Harm: "physical injury or damage to the health of people either directly, or indirectly as a result of damage to property or to the environment"

Hazard: "potential source of harm"

Hazardous event: "hazardous situation which results in harm"

Hazardous situation: "circumstance in which a person is exposed to hazard(s)"

IEC 61508: Definitions (2)

Risk: "combination of the probability of occurrence of harm and the severity of that harm"

Tolerable Risk: "risk which is acceptable in a given context based on the current values of society"

Safety: "freedom from unacceptable risk"

Comments on IEC 61508 definitions (1)

There is no definition of accident
- "hazardous event" comes close, but is a "situation"
- but US aviation regs (14 CFR 830 §830.2) allow an accident to be significant aircraft damage alone; similarly with USAF Class A mishaps (the severest sort)

Harm is limited to personal injury

Definition of hazard is unclear
- Basic question: is it a state or an event? What is a "source"? What is a "potential source"? Potential source of harm? Source of potential harm?

Comments on IEC 61508 definitions (2)

Risk
- how does one combine probability of harm with severity of harm?
- One can "combine" in an arbitrary number of ways
- If severity is quantitative, does/can "combine" mean "multiply"? If so, then risk is defined here to be a multiplication. In de Moivre & Leveson, it is a sum

Risk in IEC 61508: Clear?

It is certain I shall suffer some degree of harm while using my bicycle (from a trivial scratch from a part once a month, to falling off once a decade, to being run over). The probability of harm is 1. Severity is variable from trivial to catastrophic. Which "severity" do I use? Call it S. How do I "combine" S with 1? It cannot mean the actual harm that will in fact occur, since that would render the concept unusable for calculation in advance, as IEC 61508 requires during system development ("EUC risk", "tolerable risk", "residual risk").

Comments on IEC 61508 definitions (3)

Good definitions (good programs) define terms (variables) before they use them (Def-use test, used a lot in static analysis of programs)

Usable definitions try to
- be precise
- reduce or eliminate ambiguity
- limit the number of undefined concepts
- be clear to the intended interpreters

My opinion: IEC 61508 does not do well on these criteria, similar to many (but by no means all) engineering standards

Fundamental Concepts of IEC 61508

- System Lifecycle
- Functional Safety
- Risk and Risk Reduction
- System Subdivision
- Safety Integrity Level (SIL)
- As Low As Reasonably Practicable (ALARP)

Concepts 1: System Lifecycle

The System Life Cycle Model
- Detailed
- The safety task list follows the model

The IEC 61508 Safety Lifecycle

(Figure: the overall safety lifecycle, IEC 61508 figure 2, redrawn here as a list of its numbered boxes)

1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Overall planning:
6 Overall operation and maintenance planning
7 Overall safety validation planning
8 Overall installation and commissioning planning
9 Safety-related systems: E/E/PES: Realisation (see E/E/PES safety lifecycle)
10 Safety-related systems: other technology: Realisation
11 External risk reduction facilities: Realisation
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit (back to appropriate overall safety lifecycle phase)
16 Decommissioning or disposal

The E/E/PES (Sub)system Safety Lifecycle

(Figure: the E/E/PES safety lifecycle, IEC 61508 figure 3, redrawn as a list; it expands Box 9 in figure 2)

Box 9 in figure 2: Safety-related systems: E/E/PES: Realisation

E/E/PES safety lifecycle:
9.1 E/E/PES safety requirements specification
    9.1.1 Safety functions requirements specification
    9.1.2 Safety integrity requirements specification
9.2 E/E/PES safety validation planning
9.3 E/E/PES design and development
9.4 E/E/PES integration
9.5 E/E/PES operation and maintenance procedures
9.6 E/E/PES safety validation

One E/E/PES safety lifecycle for each E/E/PE safety-related system
To Box 14 in figure 2; To Box 12 in figure 2

The SW Safety Lifecycle

(Figure: the software safety lifecycle, IEC 61508 figure 4, redrawn as a list)

E/E/PES safety lifecycle (see figure 3)

Software safety lifecycle:
9.1 Software safety requirements specification
    9.1.1 Safety functions requirements specification
    9.1.2 Safety integrity requirements specification
9.2 Software safety validation planning
9.3 Software design and development
9.4 PE integration (hardware/software)
9.5 Software operation and modification procedures
9.6 Software safety validation

To Box 14 in figure 2; To Box 12 in figure 2

The Lifecycle

One needs a lifecycle model. The 61508 lifecycle model is as good as any and more detailed than most. However, there is no guidance on how to fit it to a typical system development lifecycle.

A Typical Development Lifecycle

Requirements: Elicitation, Analysis, Specification
Design: Specification
Coding: Code development, Testing
Implementation: Integration, Integration-Testing
"Maintenance": Further development according to new requirements; Modification through error correction and failure correction
Decommissioning

Comparison of Lifecycle Models

We need to harmonise the IEC 61508 lifecycle model and the typical system development lifecycle model used in a firm. Presumed to be straightforward, but how do we know? Who has done it?

There are three sorts of different requirements in IEC 61508 (Fenton/Neil, 1998):
- For the final product (the SC system)
- For documentation: Specifications at the various levels; Analysis and reporting documents, e.g. the Safety Case
- For resources: checks and sign-offs to be conducted by qualified personnel

Concepts 2: Functional Safety

Functional Safety
- Safety prophylaxis restricts itself to safety functions
- Safety functions are actions that are "intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event"
- Recall that a hazardous event results in harm. If harm is to be avoided by means of the safety function, then the function should inhibit the specific hazardous events which are precursors of the harm

Remember: not all major safety issues are functional!

Concepts 3: Risk & its Reduction

Risk Reduction
- There is no such thing as "Zero Risk"
- The Safety Functions (SF) are concerned with risk reduction
- There is an EUC risk: "risk arising from the EUC or its interaction with the EUC control system [EUCCS]"
- There is a tolerable risk
- There is a residual risk: "risk remaining after protective measures have been taken"
- Developers must assess the EUC risk and the tolerable risk (to calculate the required safety integrity level, SIL) as well as the residual risk, which must be as low as reasonably practicable (ALARP)

Concepts 4: System Subdivision

Three-way classification of (sub)system types
- Equipment under control (EUC)
- EUC control system (EUCCS)
- Safety-Related System (SRS)
- The EUCCS can be classified as an SRS or not (but the criterion, in clause 7.5.2.4, is a logical tautology!!)

Safety-Related System
- An SRS is "a designated [sub]system that implements the required safety functions ....... and is intended to achieve [in possible combination with others] the necessary safety integrity for the required safety functions"

Risk Reduction

(Figure: risk reduction: general concepts, IEC 61508; redrawn here as text)

Axis, increasing risk from left to right: Residual risk | Tolerable risk | EUC risk

Necessary risk reduction: from EUC risk down to tolerable risk
Actual risk reduction: from EUC risk down to residual risk

Risk reduction achieved by all safety-related systems and external risk reduction facilities:
- Partial risk covered by other technology safety-related systems
- Partial risk covered by E/E/PE safety-related systems
- Partial risk covered by external risk reduction facilities

Issues: Risk Reduction

Risk Reduction must be calculated on the basis of particular statistics:
- Risk of EUC/EUCCS without SRSs
- Risk of EUC/EUCCS + SRSs
- Acceptable Risk (socially derived)

The statistics don't always exist!

How often do they exist? There is some scepticism (Fowler 2000)

Concepts 5: SIL

Safety Integrity Level (SIL)
- Each SRS is assigned a SIL, which represents the probability that the SRS fulfils its safety function(s)
- That is, the SIL of an SRS represents objectively the reliability of its safety function(s) (a product requirement)
- The SIL is assigned according to the required risk reduction (from EUC risk at least to the tolerable risk)
- A quantitative difference is made between Continuous-operation (high-demand) functions and Low-demand functions (known elsewhere as on-demand functions)
- Development of an SRS with a designated SIL requires a certain development process (a process requirement)

SILs, continued

SIL (cont'd)
- I shall ignore the difference between low-demand and high-demand modes
- Four levels of increasing reliability (SIL 1 – SIL 4)
- Implicitly five, with SIL 0, about which nothing is said
- Each level requires a reliability of 10^(-(n+1)) to 10^(-n) dangerous failures per hour/per demand
- Highest recognised level is n=8 (SIL 4, continuous mode)

SIL Table: High-Demand/Continuous Mode

Safety integrity level   High demand or continuous mode of operation (probability of a dangerous failure per hour)
4                        10^-9 to < 10^-8
3                        10^-8 to < 10^-7
2                        10^-7 to < 10^-6
1                        10^-6 to < 10^-5

Issues with SILs

- The distinction between low-demand and high-demand modes may well disappear in the next release of 61508 (Simon Brown, 2005)
- A SIL is valid for a particular SRS component in a particular system+environment given a (socially-determined) particular tolerable risk
- However, organisations such as the TÜVs are starting to "certify" components independent of specific application
- There is a real danger that a SIL will be seen as a property of the component, which it is not (Redmill 2000, Hamilton-Rees, 1999)

Issues with SILs (Martyn Thomas)

SILs are unhelpful to software developers
- SIL 1 target failure rates are already beyond practical verification (Littlewood-Strigini 1993, Butler-Finelli 1993)
- SILs 1-4 subdivide a problem space in which there is no sensible distinction to be made amongst applicable development and assurance methods
- For many recommended methods, there is little or no evidence that they reduce failure rates
- There is increasing evidence that those methods which do reduce failure rates also save money: they should be used at any SIL

23 !"r# 2005

University of Bielefeld Faculty of Technology

Iss6es with 'I*s /!artyn Tho(as0

S'Ls set develo&ers im&ossi#le targets

so the focus shifts from &roviding ade8uate safety )&roduct* to fulfilling the recommendations of the standard )&rocess* But there is little correlation #et-een &rocess &ro&erties and safety

Focus shift from &roduct to &rocess does not hel& safety )Mote4 There are conce&ts of S'L in other standards -hich suffer from only some of these &ro#lems. PBL*
$ 3,

23 !"r# 2005

Issues with SILs

Highest SIL requirement:
- Less than one dangerous failure every 10^8 op-hours (But more than one dangerous failure every 10^9 op-hours!! aft.)

The combinatorics doesn't work out for
- Commercial aviation (which requires lower failure rates for certain critical subsystems, and the general history suggests this can be achieved)
- The automobile industry (which has a real requirement of SRS reliability of up to 10^10 op-hours per failure!!)
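The SIL bands of the "SILs, continued" slide and the high-demand table, together with the "off the end of the scale" problem raised just above, carried out in code. This is an added example and not part of Ladkin's slides; it models only the high-demand/continuous-mode table the slides give (dangerous failures per hour) and leaves out the low-demand per-demand table, which the slides do not state. The op-hour figures fed to it are constructed, the 10^10 one mirroring the automotive requirement mentioned above.

```python
from typing import Dict, Optional, Tuple

# Added example, not from the slides. High-demand / continuous mode only:
# the slides state each level as 10^-(n+1) to 10^-n dangerous failures per
# hour, with n = 8 the highest recognised level (SIL 4). The low-demand
# (per-demand) table is not on the slides and is deliberately not modelled.

HIGHEST_N = 8  # n for SIL 4 in continuous mode, as stated on the slides


def band_for_sil(sil: int) -> Tuple[float, float]:
    """Half-open PFH band [10^-(n+1), 10^-n) for a SIL, with n = sil + 4.

    SIL 4 -> n = 8 -> [1e-9, 1e-8); SIL 1 -> n = 5 -> [1e-6, 1e-5).
    Bounds are parsed from decimal strings so they compare exactly with
    literals such as 1e-8 (10.0 ** -8 is not guaranteed to be bit-identical).
    """
    if sil not in (1, 2, 3, 4):
        raise ValueError(f"SIL must be 1..4, got {sil}")
    n = sil + 4
    assert n <= HIGHEST_N
    return float(f"1e-{n + 1}"), float(f"1e-{n}")


def sil_table() -> Dict[int, Tuple[float, float]]:
    """The whole high-demand table, regenerated from the formula."""
    return {sil: band_for_sil(sil) for sil in (4, 3, 2, 1)}


def sil_for_pfh(pfh: float) -> Optional[int]:
    """Map a target probability of dangerous failure per hour to a SIL.

    Returns None when the target lies outside every band: above the SIL 1
    band (not a safety integrity level at all) or below the SIL 4 band
    (off the end of the scale, the case the slides raise for targets of
    10^10 op-hours per failure).
    """
    if not pfh > 0:
        raise ValueError("a failure rate must be a positive number")
    for sil, (lo, hi) in sil_table().items():
        if lo <= pfh < hi:
            return sil
    return None


def verdict(pfh: float) -> str:
    """Readable classification that distinguishes the two out-of-scale cases."""
    sil = sil_for_pfh(pfh)
    if sil is not None:
        return f"SIL {sil}"
    _, sil1_upper = band_for_sil(1)
    if pfh >= sil1_upper:
        return "no SIL: target is at or above 1e-5 per hour, above the SIL 1 band"
    return "beyond SIL 4: target is below 1e-9 per hour, off the end of the scale"


def pfh_from_op_hours(hours_per_failure: float) -> float:
    """'One dangerous failure every N op-hours' expressed as a rate per hour."""
    if not hours_per_failure > 0:
        raise ValueError("op-hours per failure must be positive")
    return 1.0 / hours_per_failure


if __name__ == "__main__":
    for sil, (lo, hi) in sil_table().items():
        print(f"SIL {sil}: {lo:g} <= PFH < {hi:g}")
    # Constructed targets; the last one is the automotive 10^10 figure.
    for hours in (1e6, 1e8, 1e9, 1e10):
        rate = pfh_from_op_hours(hours)
        print(f"one failure per {hours:g} op-hours = {rate:g}/h -> {verdict(rate)}")
```

Note that "less than one dangerous failure every 10^8 op-hours" means a rate strictly below 1e-8, so exactly one per 10^8 hours lands at the bottom of the SIL 3 band, not in SIL 4; the half-open bands make that boundary explicit.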

Concepts 6: ALARP

The ALARP Principle
- To calculate the required risk reduction, one must use the As Low As Reasonably Practicable (ALARP) principle
- Origins: English law: Lord Asquith, 1949; significantly reinforced: Lord Cullen (1989), Piper Alpha oil platform fire investigation

Risks are classified into three:
- Acceptable: so low that it can for all practical purposes be ignored
- Intolerable: so high as to be unacceptable in all circumstances
- The ALARP region: the region between acceptable and intolerable, in which the system developer is required to reduce the risk to be "as low as reasonably practicable"

ALARP

ALARP (cont'd)
- In legal cases, the UK HSE regards the ALARP principle as having been fulfilled if a developer is able to establish that a system was developed in accordance with IEC 61508 (Mark Bowell, UK HSE, mailing-list comment, 2004)
- So it seems as if IEC 61508 requires ALARP, but to conform with ALARP one needs only to do everything else
- Logically, this makes ALARP redundant!!
- It would help to resolve this confusion

The ALARP Principle

(Figure: the ALARP principle, the IEC 61508 explanatory diagram; the inverted triangle is redrawn here as text)

Intolerable region: Risk cannot be justified except in extraordinary circumstances

The ALARP or tolerability region (Risk is undertaken only if a benefit is desired): Tolerable only if further risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained. As the risk is reduced, the less, proportionately, it is necessary to spend to reduce it further to satisfy ALARP. The concept of diminishing proportion is shown by the triangle.

Broadly acceptable region (No need for detailed working to demonstrate ALARP): It is necessary to maintain assurance that risk remains at this level

Negligible risk

Tolerable Risk Target: Quantitative Risk Classification Matrix (RCM) Example

Frequency     Consequence:
              Catastrophic   Critical   Marginal   Negligible
Frequent      I              I          I          II
Probable      I              I          II         III
Occasional    I              II         III        III
Remote        II             III        III        IV
Improbable    III            III        IV         IV
Incredible    IV             IV         IV         IV

Interpretation of Risk Classes

Risk class   Interpretation
Class I      Intolerable risk
Class II     Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained
Class III    Tolerable risk if the cost of risk reduction would exceed the improvement gained
Class IV     Negligible risk

Issues: ALARP and Risk Classes

- Risk Classes I and IV fit with ALARP
- Risk Classes II and III don't obviously fit with ALARP
- In the region in which Risk Classes II and III apply, one is required to use the ALARP risk-reduction principle
- ALARP requires in both cases that: risk shall be reduced so far as reasonably practicable
- ALARP does not (obviously) say:
  - Risk reduction may cease when cost is grossly disproportional to benefits. No RCA is implied
  - As risk is reduced, the less it is necessary proportionately to spend to reduce it further
- But both of these claims are in the IEC 61508 explanatory diagram!

Issues: Relation between SIL and ALARP (Redmill, 2000)

A SIL is an a priori requirement
- It is assigned in the Safety-Requirements-Analysis task

ALARP is a dynamic requirement
- It will be assigned and handled in the Design task

It is thereby possible that in a particular case ALARP would require a further reduction in risk beyond that set by the SIL

Leveson et al: Accident Concepts

Difficult Example

There is an example in which the Leveson-Risk does not equal the expected level of loss (Ladkin 1997)
- Not every accident sequence passes through a hazard state
- There is a stochastic dependence amongst the possible accident sequences
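The calculation on the "Comparison of Safeware and De Moivre Risk" slide, the two ways it breaks in the "Difficult Example" just above, and the bicycle point from "Risk in IEC 61508: Clear?", all carried out numerically. This is an added example and not code from Ladkin's slides. A probability space is modelled as a list of disjoint scenarios; the hazard names H1 and H2, the accident names C1 and C2, the bicycle loss events, and every probability and severity value are constructed for illustration and follow nothing on the slides beyond the formulas Σ p(Cx)·S(Cx) and Σ p(H)·p(Cx | H)·S(Cx).

```python
from fractions import Fraction
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Added example, not from the slides. Each scenario is one disjoint outcome:
# (probability, set of hazard states holding in it, accident it ends in or
# None). All names, probabilities and severities below are constructed.
Scenario = Tuple[Fraction, FrozenSet[str], Optional[str]]

F = Fraction
NO_HAZARD: FrozenSet[str] = frozenset()
HAZARDS: FrozenSet[str] = frozenset({"H1", "H2"})
SEVERITY: Dict[str, int] = {"C1": 10, "C2": 100}  # S(Cx) on a ratio scale

# World 1: hazards mutually exclusive, every accident passes through exactly one.
EXCLUSIVE: List[Scenario] = [
    (F(1, 2), NO_HAZARD, None),
    (F(1, 5), frozenset({"H1"}), None),
    (F(1, 10), frozenset({"H1"}), "C1"),
    (F(3, 20), frozenset({"H2"}), None),
    (F(1, 20), frozenset({"H2"}), "C2"),
]

# World 2, the "Difficult Example" situation: one accident sequence reaches
# C1 without passing through any hazard state, and H1 and H2 overlap.
OVERLAPPING: List[Scenario] = [
    (F(1, 2), NO_HAZARD, None),
    (F(1, 10), NO_HAZARD, "C1"),
    (F(1, 5), HAZARDS, None),
    (F(1, 10), HAZARDS, "C2"),
    (F(1, 10), frozenset({"H1"}), None),
]

# World 3, the bicycle: every outcome involves some loss event, so p(harm) = 1,
# yet the severities differ by orders of magnitude.
BICYCLE_SEVERITY: Dict[str, int] = {"scratch": 1, "fall": 100, "run_over": 100_000}
BICYCLE: List[Scenario] = [
    (F(9, 10), NO_HAZARD, "scratch"),
    (F(99, 1000), NO_HAZARD, "fall"),
    (F(1, 1000), NO_HAZARD, "run_over"),
]


def total_probability(scenarios: Iterable[Scenario]) -> Fraction:
    return sum((p for p, _, _ in scenarios), F(0))


def probability_of_harm(scenarios: Iterable[Scenario]) -> Fraction:
    """p(some accident occurs)."""
    return sum((p for p, _, acc in scenarios if acc is not None), F(0))


def de_moivre_risk(scenarios: List[Scenario], severity: Dict[str, int]) -> Fraction:
    """Expected loss: sum over loss events Cx of p(Cx) * S(Cx)."""
    total = F(0)
    for acc, s in severity.items():
        p_cx = sum((p for p, _, a in scenarios if a == acc), F(0))
        total += p_cx * s
    return total


def leveson_risk(scenarios: List[Scenario], hazards: FrozenSet[str],
                 severity: Dict[str, int]) -> Fraction:
    """Sum over hazards H of p(H) * sum over Cx of p(Cx | H) * S(Cx)."""
    total = F(0)
    for h in sorted(hazards):
        p_h = sum((p for p, hs, _ in scenarios if h in hs), F(0))
        if p_h == 0:
            continue  # p(Cx | H) is undefined: the hazard never occurs
        for acc, s in severity.items():
            p_h_and_cx = sum((p for p, hs, a in scenarios if h in hs and a == acc), F(0))
            total += p_h * (p_h_and_cx / p_h) * s
    return total


def hazards_partition_accidents(scenarios: Iterable[Scenario],
                                hazards: FrozenSet[str]) -> bool:
    """The slide's side condition: the hazards are mutually exclusive and
    every accident happens through exactly one of them."""
    for _, hs, acc in scenarios:
        present = hs & hazards
        if len(present) > 1:
            return False
        if acc is not None and len(present) != 1:
            return False
    return True


if __name__ == "__main__":
    for name, world in (("exclusive", EXCLUSIVE), ("overlapping", OVERLAPPING)):
        assert total_probability(world) == 1
        print(name, "| partition holds:", hazards_partition_accidents(world, HAZARDS),
              "| de Moivre:", de_moivre_risk(world, SEVERITY),
              "| Leveson:", leveson_risk(world, HAZARDS, SEVERITY))
    print("bicycle | p(harm):", probability_of_harm(BICYCLE),
          "| expected loss:", de_moivre_risk(BICYCLE, BICYCLE_SEVERITY))
```

In the exclusive world both sums agree (6). In the overlapping world the Leveson sum counts the C2 sequence once through H1 and once through H2 and misses the hazard-free C1 sequence altogether, so it gives 20 against an expected loss of 11, which is the failure the "Difficult Example" describes. For the bicycle, p(harm) is exactly 1, but the de Moivre sum is still well defined because it sums over distinct loss events rather than "combining" a single severity with 1.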

IEC 61508 Part 5: How to Have an Accident

IEC 61508: Accident

IEC 61508 understands Hazardous Event as:
- something that can come to pass, independently of the severity of its harmful consequences
- a "situation", which in turn is a "circumstance"

It seems similar to the concept of an accident (which however is an event), but in which the severity is abstracted away

Maybe an "accident type"? Let's forget the "situation"/"circumstance" imprecision

The concepts appear to be interdefinable, given the basic ontology (Ladkin, 2004)

Advantage of the IEC 61508 Refinement

The refinement of accidents into hazardous events and explicit severity may well be appropriate for, say, process control. Example: A pressure vessel breaches (event type, encompassing many event types from leaks to explosions). Severity: Is the breach small or large? Was nearby equipment heavily damaged, lightly damaged, or not at all? Were nearby people injured? Severely injured? Were some killed? And how many of those people were there?

Summary of Major IEC 61508 Concepts

- Lifecycle: helpful but a very particular model. Not clear how it fits with traditional lifecycle models
- Safety Functions/SRSs: a restricted concept
- Risk Reduction: generally a good idea, but application is restricted both in suitability to the application domain and statistically
- 3 system-types: restricted, sometimes misleading concept
- SIL: restricted and misleading
- ALARP: in principle strong, in practice weak. It strains against proven techniques such as Risk Matrix classification. A legal principle whose technical translation is not yet clear.

The End

Thanks for listening!