Life before IEC/EN 61508
Published on: Wednesday 01-02-2023
The story of the standard for functional safety begins in the 60s.

The publication of the first edition of the IEC/EN 61508 series (‘Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems’) in 2001 is generally considered the Big Bang of the functional safety world. In fact, however, the beginnings of functional safety go back much further. Philosophies and procedures changed over the course of history and this was reflected in the different previous standards. At Pepperl+Fuchs, functional safety has been an integral part of the development departments for almost 50 years. The result: A broad and increasingly varied product portfolio, and organisational measures and accompanying services.
On July 10, 1976, a chemical accident, which would later be dubbed the ‘Seveso disaster’, occurred north of Milan. An uncontrolled reaction led to overheating in the plant. There was no automatic cooling system or warning system. Highly toxic dioxin escaped through a safety valve, poisoning 1800 hectares of land in the surrounding communities. The consequences for humans, wildlife, and nature were catastrophic and lasted for years. In the following days, more than 3000 animal carcasses were found, and around 200 people were diagnosed with severe chloracne. As a result of this accident, it was decided that laws and regulations needed to be tightened to ensure the protection of people, plants, and the environment, ultimately resulting in the creation of IEC/EN 61508.
IEC/EN 61508 is a seven-part series of standards that sets the framework for the establishment of standards in the field of functional safety. Based on IEC/EN 61508, this series offers further standards that focus on specific areas of application, subject areas, and products. In fact, sector standards such as IEC/EN 61511 (process industry), IEC 62061 (mechanical engineering), ISO 26262 (automotive), and specific product standards such as VDMA 4315 for the safety of turbomachinery, were developed from this publication.
The series of standards stipulates requirements for the entire life cycle of plants and devices. The probability methodology contained therein additionally analyses the situations during the operation of an industrial plant and evaluates the resulting risks. This analysis provides a definition of the risk reduction required to reduce risks in the relevant plant to an acceptable residual risk level. IEC/EN 61508 replaces all previous safety standards such as DIN/VDE 19250, DIN/VDE 19251, and DIN/VDE 801.
The Birth of Functional Safety in the '70s

In the '60s, efforts were already being made to improve plant safety. For example, the VDI/VDE guideline 2180 ‘Plant Safety through Measurement, Control and Regulation Technology’ requires the definition of responsibilities, limit values, functional tests for error detection, and a distinction between error types.
Pepperl+Fuchs began developing safety-relevant devices around 50 years ago. This was triggered by the demand for a safe shutdown of the main fuel supply in combustion plants. For this purpose, the first safety switch amplifier was developed in 1973, and soon after a proximity sensor was also developed for safety applications. The dynamic transmission principle of the switching signal of the previous switch amplifiers still forms the basis for safety devices for SIL 3 applications. The sensors were developed from standard sensors, which were extended so that sensor faults led to signal levels going in the ‘safe direction’, i.e., representing a ‘fail safe’ behavior.
Standards that were of significance in this context were, for example, DIN 4788 (‘Gas Burners; Gas Burners without Blowers’) or VDE 0116 (‘Electrical Equipment for Furnaces and Ancillary Equipment’).
The Seveso disaster accelerates development in the 80s
In the wake of the Seveso disaster, the topic of functional safety continued to gain momentum and develop more widely.
In 1980, the Hazardous Incident Ordinance (12th BImSchV) was issued. This serves to prevent and limit the consequences of faults. The associated documentation obligations of the operator led to further systematisation in the area of measurement, control, and regulation facilities.
The second edition of VDI/VDE 2180, published in 1986, stipulates the protection objectives for personnel and introduces a classification system for operating and safety equipment.
In 1989, (‘Control Technology; Fundamental Safety Aspects to Be Considered for Measurement and Control Equipment’) was published. Although this standard has never gone beyond the pre-standard stage, it was of fundamental importance for the further development of functional safety. This was the first time that a risk graph had been used to provide a qualitative description of risks. The eight requirement classes later resulted in the four SIL levels, classified based on the extent of harm.
a. SIL 1 (AK 2 and 3): minor damage to plants and property
b. SIL 2 (AK 4): major damage to plants, personal injury
c. SIL 3 (AK 5 and 6): personal injury, some deaths
d. SIL 4 (AK 7): disasters, many deaths and severe environmental pollution
At Pepperl+Fuchs, the importance of this pre-standard was reflected in the corresponding development activities. Products were developed and certified for all standards in the 19250 series, which also received a great response. Although safety solutions that were compliant with standards were available, they were rarely suitable for applications in hazardous areas.
The new world of Standards: IEC/EN 61508
The turn of the millennium saw a paradigm shift, with IEC/EN 61508 (for manufacturers, 2002) and IEC 61511 (for users, 2005) becoming global standards and replacing national standards DIN V 19250, 251, and 0810. The focus shifted to safety life cycles, and the requirement classes of DIN V 19250 were replaced by Safety Integrity Levels (SIL).
For manufacturers, the move to IEC/EN 61508 meant a new start in many respects. Whereas functional safety had until then been standardised predominantly in Europe, the topic suddenly became of global interest. When the standard was first published, there were naturally no correspondingly certified products. Traditionally, selected and suitable existing products were subjected to standardised evaluation and the safety indicators were determined. Since there are usually return statistics for existing products, these could be used to validate the calculated safety indicators. Today, around 20 years later, IEC/EN 61508 is established worldwide, and the second edition has been available since 2010. Products are generally no longer qualified via proven-in-use, but are developed and certified according to all aspects of IEC/EN 61508. The certifications take into account that the standard has been developed to exclude systematic failures and to be able to equip applications for which no empirical values are available.
Summary
After several decades, the eventful history of functional safety standards eventually culminated in the global standard IEC/EN 61508. Pepperl+Fuchs has followed this path from the very beginning, not least to prevent disasters like the one at Seveso. Today, around 750 safety devices are available for a wide variety of applications; more than 300 of them for the interface technology sector alone, including SIL 3 isolated barriers for all signal types. Generally, products are externally certified on a voluntary basis instead of relying on self-assessments. But history has also shown that an impressive portfolio alone is not enough. For example, Pepperl+Fuchs has had a Functional Safety Management certificate for many years and therefore also ensures optimal organisational conditions for product development. With the introduction of IEC/EN 61508, an extensive training program for customers was also launched, which is still in place and being expanded today.