IEC 61508: Designing Functionally Safe Power in Advanced Control Systems
As electrical, electronic, and programmable electronic (E/E/PE) systems have become more widely used and more complex, mitigating the risk of a failure causing harm to people has become more important.
To address the consequence of failure, the IEC 61508 standard sets the requirements for the functional safety of E/E/PE systems. Functional safety is part of the overall concept of safety relating to an Equipment Under Control (EUC) or an entire system.
What is IEC 61508?
Published by the IEC, the IEC 61508 standard is internationally accepted as the benchmark for functional safety[1]. It provides structured methodologies to enable the design, implementation, and maintenance of E/E/PE systems, ensuring their safety throughout their entire product lifecycle, from concept and design through implementation and operation.
Specifically, IEC 61508 is an essential standard for ensuring the reliability, fault tolerance, and correct operation of safety-related systems that require precise control and power management. It relates to hazards that might be caused by electronic equipment failing to perform properly or creating safety-related hazards, rather than covering risks due to the equipment itself, such as electric shocks, which would be covered by the Low Voltage Directive 2014/35/EU.
Functional safety also relies on active systems, rather than passive systems. For instance, a functional safety example is a level-detecting switch in a tank containing a dangerous liquid that closes a valve when the level is too high. Alternatively, a passive safety system (but not related to functional safety) would be a fire-resistant door.[2]
Examples of systems where IEC 61508 is relevant include remote monitoring and operation of a process plant, interlocks and guards for machinery, and emergency shutdown systems, among many others. IEC 61508 is a generic, standalone standard, and there are also multiple other related standards for specific industries and applications, such as
Complying with IEC 61508 improves product safety and reduces potential liabilities. It also creates opportunities with new customers or markets that look for compliance.
SIL ratings and risk
IEC 61508 adopts a risk-based approach. It assesses the likelihood of any harmful event occurring and the severity of its consequences. From this, a tolerable risk can be determined.
The standard describes two types of failure: random hardware failures, such as material defects and worn-out parts, and systematic failures, which can result from errors in design and implementation. Random failures can be addressed through diagnostics, predictive maintenance, and the ability of hardware to tolerate faults and still operate. Addressing systematic failures needs rigorous processes, verification and validation.
When considering functional safety, the concept of safety integrity level (SIL) is important. The SIL relates to the relative risk of failure that a system presents.
IEC 61508 defines four SILs, with SIL 1 associated with the lowest level of risk reduction and SIL 4 denoting the highest risk reduction factor. The appropriate SIL is determined by understanding the tolerable risk and the risk reduction measures in place.
For example, a hazardous random event might be predicted to occur once every ten years. Implementing a risk reduction measure to SIL 1 may reduce the likelihood by a factor of 80, or one occurrence every 800 years. In this case, the severity of the consequence is unchanged. Alternatively, other safety functions could reduce or mitigate the consequences of a hazard.
With the framework provided by IEC 61508, engineers can evaluate the functional safety of the systems they are designing and obtain a quantitative measure of safety that can be compared to accepted industry standards.
How to comply: development processes and certification

Figure 1: IEC 61508 industrial functional safety components (source: https://www.microchip.com/en-us/solutions/technologies/functional-safety/iec-61508)
To comply with IEC 61508, engineers need to adopt a ‘safety-oriented design’ approach with thorough risk assessment and failure analysis. Hardware and software must be designed to tolerate both systematic and random failures. Detailed documentation must be completed throughout, as this will be required for certification.
From a power electronics perspective, functional safety is most relevant when considering controllable power devices, normally through software, such as integrated motor drivers, as opposed to discrete power components, such as MOSFETs.
As part of the development process, engineers need to understand what is happening when a subsystem or component fails, and how this impacts the functional safety of their system. This can be achieved by using systematic analysis techniques, such as Failure Modes, Effects, and Diagnostic Analysis (FMEDA), which extends the well-known FMEA procedure to address functional safety, and to calculate the failure rates of a system or component and the effects of these failures.[3] The IEC 61508 standard specifies how FMEDA should be used with safety-related systems.[4]
The FMEDA process looks at how and why potential failures can occur, and the consequences of these failures.
It also examines the effectiveness of existing diagnostic measures in detecting and addressing failures, utilising historical or vendor-supplied data to determine failure rates and other relevant parameters. From this analysis, quantifiable reliability metrics, such as failure in time (FIT) rates, can be calculated for the system.
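The risk-reduction arithmetic from the SIL section above (once in ten years to once in 800 years, a factor of 80) and the FMEDA split of failure rates described here, carried through in one added Python example that is not from the article or any vendor. It assumes the low-demand average-PFD bands of IEC 61508-1, the single-channel (1oo1) PFDavg approximation of IEC 61508-6, and constructed FIT rates and diagnostic coverages for a hypothetical power-switch channel.

```python
from dataclasses import dataclass

# IEC 61508-1 low-demand bands (the standard's own table, not the article's):
# SIL -> [lower, upper) bound on average PFD. RRF = 1 / PFDavg, so SIL 1
# spans RRF 10..100 and the article's "factor of 80" lands in SIL 1.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

def required_rrf(hazard_interval_years, tolerable_interval_years):
    """Risk reduction needed to stretch a hazard's mean interval to the tolerable one."""
    return tolerable_interval_years / hazard_interval_years

def sil_for_pfd(pfd_avg):
    """SIL band containing pfd_avg: 0 = worse than SIL 1; 4 also covers anything better."""
    if pfd_avg >= 1e-1:
        return 0
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd_avg < upper:
            return sil
    return 4  # below 1e-5: beyond the SIL 4 target

@dataclass
class FailureMode:
    """One FMEDA row: rate in FIT (failures per 1e9 h); coverage = share caught by diagnostics."""
    name: str
    rate_fit: float
    dangerous: bool
    coverage: float = 0.0

# Constructed rows for a hypothetical high-side switch channel (illustrative, not vendor data).
SWITCH_CHANNEL = [
    FailureMode("MOSFET short (load stuck on)", 200, True, 0.9),
    FailureMode("gate driver stuck high", 100, True, 0.6),
    FailureMode("current sense drift", 50, True, 0.0),
    FailureMode("MOSFET open (load de-energised)", 150, False),
]

def fmeda(rows):
    """Split the total rate into safe, dangerous-detected and dangerous-undetected FIT."""
    safe = sum(r.rate_fit for r in rows if not r.dangerous)
    dd = sum(r.rate_fit * r.coverage for r in rows if r.dangerous)
    du = sum(r.rate_fit - r.rate_fit * r.coverage for r in rows if r.dangerous)
    sff = (safe + dd) / (safe + dd + du)  # safe failure fraction
    return {"lambda_s": safe, "lambda_dd": dd, "lambda_du": du, "sff": sff}

def pfd_avg_1oo1(lambda_du_fit, proof_test_hours):
    """Simplified IEC 61508-6 estimate, one channel, low demand: PFDavg ~ lambda_DU * T_proof / 2."""
    return lambda_du_fit * 1e-9 * proof_test_hours / 2

if __name__ == "__main__":
    rrf = required_rrf(10, 800)  # the article's once-in-10-years -> once-in-800-years case
    print(f"RRF {rrf:.0f} -> target PFDavg {1 / rrf:.4f} -> SIL {sil_for_pfd(1 / rrf)}")
    m = fmeda(SWITCH_CHANNEL)
    for years in (1, 5):  # the proof-test interval drives the achievable SIL
        pfd = pfd_avg_1oo1(m["lambda_du"], years * 8760)
        print(f"SFF {m['sff']:.0%}, T={years} y: PFDavg {pfd:.2e} -> SIL {sil_for_pfd(pfd)}")
```

The PFDavg band alone does not award a SIL: IEC 61508-2 also applies architectural constraints (hardware fault tolerance against SFF) and systematic capability requirements, which this block does not model.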
Once the product or system is ready, the manufacturer developing it needs to rigorously test and validate all aspects of its operation to ensure it meets IEC 61508 and any other relevant safety standards. The manufacturer also needs to maintain comprehensive documentation on the product throughout the design process, including hazard analysis, design specifications, and test results.
Now, it’s time to go to an external, accredited certification body, such as exida or TÜV SÜD. The manufacturer will provide the certification body with all necessary documentation and evidence of safety compliance. The certification body will audit the manufacturer’s development processes and assess if the product or system is compliant. All being well, the certification body will then issue an IEC 61508 certificate, verifying the product’s compliance.
The importance of collaboration
By working with vendors who provide suitable support, design engineers can simplify their compliance processes and reduce the time and complexity required to develop IEC 61508 safety systems.
This support includes hardware that is pre-certified as IEC 61508 compliant, software development tools, extensive documentation (including FMEDA data), and safety management training.
For instance, NXP’s SafeAssure program[5] connects design engineers with experts who share their safety knowledge, provides collaboration with partners, and is based around the company’s reliable, safety-qualified products. NXP is certified by TÜV SÜD for compliance up to SIL 3 according to IEC 61508.
NXP’s portfolio of 5 V PMICs (power management ICs) integrates both the switching and linear regulators required for a total system solution and simplifies design through tight integration alongside NXP MCUs and MPUs[6]. The PMICs can be configured via one-time programmable (OTP) memory and combined to provide a system solution that includes deliverables for ASIL B / ASIL D / SIL 2 functional safety requirements.
Similarly, Microchip offers PMICs that integrate multiple voltage regulators and control circuits into a single chip, as well as system on modules (SOMs) that combine a PMIC and an MPU, along with other devices.[7] Another example of suitable functional-safety ready products for industrial applications is the PIC16, PIC18 and AVR range of microcontrollers (MCUs) from Microchip.[8] These provide relevant hardware safety features, along with comprehensive documentation such as FMEDA reports and safety manuals, and a functional safety development ecosystem.
These MCUs have a wide range of uses in safety-critical industrial applications. For example, they can act as controllers for gas and air quality sensors, pressure sensors, circuit breakers, and user-controlled mechanical and capacitive switches. They are also commonly used as safety co-processors, where a PIC or AVR MCU is located next to a primary MCU or microprocessor. The co-processor can then implement a dedicated safety mechanism or can achieve higher SIL levels due to redundancy.
Factory automation with intelligent power switches (IPS)
We have already mentioned some example applications related to functional safety and IEC 61508, including process control and emergency shutdown systems. Let’s now look at a specific sector: factory automation.
Smart factories can be dangerous places with high-power loads, robots, automated machinery, power drives, and heavy electrical equipment. To keep operators safe, an effective safety infrastructure based on functional safety principles is essential.
This is one application where the safety features that vendors embed in their products are invaluable, because they make safety management simpler for design engineers. For example, ST offers intelligent power switches (IPS) with built-in safety features, which it describes as “SIL ready”. The IPS integrates a control section (logic interface, drivers, protection and diagnostics) with a power switching stage. It is designed to safely drive loads in low-voltage applications up to 60 V, including high-side, low-side, and push-pull configurations.[9]
Other ST solutions for safety in smart factories include high-performance STM32 microcontrollers, current-limited termination (CLT) ICs, and protection devices. ST also offers programmable safety controllers (PSC), which combine a central processing unit (CPU) with multiple inputs and outputs to receive sensor data and drive actuators.[10] On the power side, its range includes power management ICs incorporating step-down switching regulators with adjustable current limitation to match fail-safe requirements.
ST also helps developers with a large ecosystem of hardware and software evaluation and development tools, including X-CUBE-STL, its functional safety design package, which is designed to achieve IEC 61508 (SIL 2 / SIL 3) certification with STM32 microcontrollers. It provides documentation to help designers achieve functional safety standard certifications, including FMEDA information.
Conclusions
Functional safety is a vital consideration in designing electrical and electronic products. Complying with standards such as IEC 61508 is critical. As power becomes a more central differentiator in modern applications, engineers need to understand the underlying concepts of functional safety and how to apply them during the power design process.
Expert advice from a partner, such as Avnet Silica, can make this process as straightforward as possible, combined with the close collaboration and extensive support offered by semiconductor vendors such as NXP, Microchip and ST.
References
[1] https://iec.ch/functional-safety
[2] https://www.iec.ch/functional-safety/faq
[3] https://www.gt-engineering.it/en/insights/machinery-safety/fmea-fmeca-fmeda-gt-engineering/
[4] https://fiixsoftware.com/glossary/fmeda/
[5] https://www.nxp.com/products/nxp-product-information/nxp-product-programs/safeassure-functional-safety-products:FNCTNLSFTY
[6] https://www.nxp.com/products/power-management/pmics-and-sbcs/5-v-pmic-solutions:5V-SOLUTIONS
[7] https://www.microchip.com/en-us/products/power-management/pmic-power-management-ics
[8] https://www.microchip.com/en-us/products/microcontrollers/8-bit-mcus/functional-safety/iec-61508-industrial
[9] https://www.st.com/content/st_com/en/products/power-management/intelligent-power-switches/high-side-switches/iso8200aq.html
[10] https://www.st.com/en/applications/factory-automation/programmable-safety-controller.html