Table A.1, in subclause A.2 of IEC 61508-2, provides the requirements for faults or failures that shall be detected by techniques and measures to control hardware failures. Tables A.2 to A.15, also in subclause A.2 of IEC 61508-2, support the requirements of table A.1 by recommending techniques and measures for diagnostic tests and recommending the maximum levels of diagnostic coverage that can be achieved using them. Therefore, in order to comply with the standard, it is necessary to fulfil the requirements of table A.1; tables A.2 to A.15 suggest just one set of possibilities for how the requirements of table A.1 can be met.
In subclause A.3 of IEC 61508-2, tables A.16 to A.18 only recommend particular techniques and measures, so it is not necessary to use any of them in order to claim compliance. However, if you do not use a technique or measure that is highly recommended for the safety integrity level, then the rationale for not using it shall be detailed. Also, every technique or measure listed in tables A.16 to A.18 that you do use shall be used to the extent necessary to give at least the level of effectiveness stated in the table. Table A.19 gives guidance on what is intended by the terms low and high effectiveness for some, but not all, of the techniques and measures.
The techniques and measures in annex B of IEC 61508-2 are recommended in the same way as those in subclause A.3. It is necessary to detail the rationale wherever a technique or measure that is highly recommended for the safety integrity level is not used, and wherever a technique or measure that is positively not recommended for the safety integrity level is used; it is also necessary to achieve at least the level of effectiveness stated in the table for any techniques or measures that you do use. Table B.6 gives guidance on what is intended by the terms low and high effectiveness for most of the techniques and measures.
In annexes A and B of IEC 61508-2, the table shading adds recommendations on how to select and combine the techniques and measures.
Note that annex C of IEC 61508-2 is also normative and contains requirements that are necessary for compliance.
Annexes A and B of IEC 61508-3 contain the requirement that appropriate techniques and measures shall be selected according to the safety integrity level. Anyone claiming compliance with the standard is required to consider which techniques or measures are most appropriate for the specific problems encountered during the development of each E/E/PE safety-related system. These may include techniques and measures recommended by the standard and may include others; the tables give only recommendations as to which techniques and measures may be appropriate.
A particular concern is raised by systematic factors in the failure of a safety function. Systematic failure factors can arise in both hardware and software. The effectiveness of the measures and precautions used to meet the target failure measures for systematic safety integrity generally needs to be assessed qualitatively.
Specifically for software, the IEC 61508-3 tables of recommended techniques are not checklists by which systematic safety integrity in software can be guaranteed. Many factors affect software safety integrity, and it is not possible to give an algorithm for combining the techniques and measures that will guarantee success in any given application. Software techniques will need to be chosen judiciously with attention to several key factors including:
- the developers’ personal competence and experience in techniques;
- the developers’ familiarity with the application and likely difficulties;
- the size or complexity of the application;
- industry sector recommendations and recognized good practice; and
- national and international published standards.
In both IEC 61508-2 and IEC 61508-3, the choice of techniques for each lifecycle phase needs to be documented (see clause 5 of IEC 61508-1). Other subclauses require some of this documentation to include a justification of the choice of techniques and measures, even if all recommendations are followed. See for example 7.3.2.2 e) and 7.4.2.9 of IEC 61508-2, and 7.4.3.2 a) of IEC 61508-3.