Founder's Articles on IEC 61508 and ISO 9000
Published in May, 2004
Software Compliance - Article #8
This is the eighth in a series of short articles on IEC 61508.
IEC 61508 is required whenever a computer-based system is used to carry out
a safety function. The purpose of these articles is to give the reader an
appreciation for this international standard.
IEC 61508-3 covers the software of Electrical/Electronic/Programmable Electronic Systems
(E/E/PESs) used to carry out safety functions. The crux of IEC 61508-3 is clause 7.
Clause 7 requires an understanding of the software development processes.
The objectives of IEC 61508-3 are:
1. to define the software safety development processes that achieve the required functional safety;
2. to document all information relevant to the functional safety of the software.
IEC 61508-2 addresses both random hardware failures and systematic failures
(see the previous articles in this series). Software does not break: it has no
random failure mode, only faults designed or coded into it. Therefore,
IEC 61508-3, clause 7, addresses only systematic failures.
Unlike random hardware failures, systematic failures cannot be predicted
quantitatively. IEC 61508-7 therefore describes techniques and measures that
mitigate systematic failures in software qualitatively. This means the software
development processes determine the safety of the software. The higher the safety
integrity level (SIL), the more rigorous the techniques and measures from
IEC 61508-7 that must be applied to reduce the likelihood of introducing
systematic failures during the software development processes.
IEC 61508-2, subclause 7.4.3, introduces safety integrity levels (SILs)
for specifying the target level of safety integrity for the safety functions
to be implemented by the E/E/PES. The software is obligated to meet the same
SIL as its E/E/PES. IEC 61508-4 defines SIL as a “discrete level (one out of
a possible four) for specifying the safety integrity requirements of the
safety functions to be allocated to the E/E/PE safety-related systems, where
safety integrity level 4 has the highest safety integrity and safety integrity
level 1 has the lowest.” The tables in IEC 61508-3, Annex A, list the techniques
and measures that address systematic failures for each SIL.
Discussions in today’s industry literature about safety integrity levels for
software and compliance with IEC 61508-3 are almost non-existent. The world’s
best FMECA cannot make the E/E/PES software safe, because FMECA addresses hardware
failure modes, not the systematic failures that software is subject to. What is
needed now is industry understanding of systematic failures for compliance with
IEC 61508-3. Future articles in this series will explain systematic failures for
compliance with IEC 61508-3.
The next article in this series will address the software development processes
(Objective 1).
Paul Bodeau is a member of the Safety Division with over 25 years of diversified
engineering experience, mostly in safety firmware development for military and
civilian aviation. Mr. Bodeau can be reached at (661) 260-1210, or
pbodeau@WhyNotEngineering.com.