Electrical, electronic and programmable electronic systems increasingly carry out safety functions to guard workers and the public against injury or death and the environment against pollution. The international functional safety standard IEC 61508 was revised in 2010 and this is the first comprehensive guide available to the revised standard.

As Functional Safety is applicable to many industries, this book will have a wide readership beyond the chemical and process sector, including oil and gas, power generation, nuclear, aircraft, and automotive industries, plus project, instrumentation, design, and control engineers.

• The only comprehensive guide to IEC 61508, updated to cover the 2010 amendments, that will ensure engineers are compliant with the latest process safety systems design and operation standards

• Helps readers understand the process required to apply safety critical systems standards

• Real world approach helps users to interpret the standard, with case studies and best practice design examples throughout


Product Details

  • ISBN-13: 9780080967820
  • Publisher: Elsevier Science
  • Publication date: 11/11/2010
  • Sold by: Barnes & Noble
  • Format: eBook
  • Edition number: 1
  • Pages: 288
  • File size: 4 MB

Meet the Author

Dr. David J Smith BSc, PhD, CEng, FIEE, HonFSaRS, FIQA, MIGasE, has been directly concerned with reliability, safety and software quality for 30 years. He has written a number of books on the subject as well as numerous papers. His PhD thesis was on the subject of reliability prediction accuracy and common cause failure. He chairs the IGasE panel which develops its guidelines on safety-related systems (now in its third edition). He has also made contributions to IEC 61508.
Kenneth G. L. Simpson, MPhil, FIEE, FInstMC, MIGasE, has been associated with safety-related systems design and also with their assessment for 25 years. He is a member of the IEC 61508 drafting committee and also of the IGasE panel which writes the gas industry guidance. Following a career in aerospace, Ken has spent 20 years in the control system industry and is a Director of Silvertech International plc, a leading designer of safety and control systems. He has written a number of papers on the topic and gives frequent talks.

Read an Excerpt

Safety Critical Systems Handbook

A Straightforward Guide to Functional Safety: IEC 61508 (2010 Edition) and Related Standards Including: Process IEC 61511, Machinery IEC 62061 and ISO 13849
By David J Smith and Kenneth GL Simpson


Copyright © 2011 Dr David J Smith and Kenneth G L Simpson
All rights reserved.

ISBN: 978-0-08-096782-0

Chapter One

The Meaning and Context of Safety Integrity Targets

Chapter Outline

1.1 Risk and the Need for Safety Targets
1.2 Quantitative and Qualitative Safety Targets
1.3 The Life-cycle Approach
    Section 7.1 of Part 1
    Concept and scope [Part 1 – 7.2 and 7.3]
    Hazard and risk analysis [Part 1 – 7.4]
    Safety requirements and allocation [Part 1 – 7.5 and 7.6]
    Plan operations and maintenance [Part 1 – 7.7]
    Plan the validation [Part 1 – 7.8]
    Plan installation and commissioning [Part 1 – 7.9]
    The safety requirements specification [Part 1 – 7.10]
    Design and build the system [Part 1 – 7.11 and 7.12]
    Install and commission [Part 1 – 7.13]
    Validate that the safety-systems meet the requirements [Part 1 – 7.14]
    Operate, maintain, and repair [Part 1 – 7.15]
    Control modifications [Part 1 – 7.16]
    Disposal [Part 1 – 7.17]
    Verification [Part 1 – 7.18]
    Functional safety assessments [Part 1 – 8]
1.4 Steps in the Assessment Process
    Step 1. Establish Functional Safety Capability (i.e. Management)
    Step 2. Establish a Risk Target
    Step 3. Identify the Safety Related Function(s)
    Step 4. Establish SILs for the Safety-related Elements
    Step 5. Quantitative Assessment of the Safety-related System
    Step 6. Qualitative Assessment Against the Target SILs
    Step 7. Establish ALARP
1.5 Costs
    1.5.1 Costs of Applying the Standard
    1.5.2 Savings From Implementing the Standard
    1.5.3 Penalty Costs from not Implementing the Standard
1.6 The Seven Parts of IEC 61508

1.1 Risk and the Need for Safety Targets

There is no such thing as zero risk. This is because no physical item has zero failure rate, no human being makes zero errors and no piece of software design can foresee every operational possibility.

Nevertheless public perception of risk, particularly in the aftermath of a major incident, often calls for the zero risk ideal. However, in general most people understand that this is not practicable, as can be seen from the following examples of everyday risk of death from various causes:

  • All causes (mid-life including medical): 1 × 10⁻³ pa
  • All accidents (per individual): 5 × 10⁻⁴ pa
  • Accident in the home: 4 × 10⁻⁴ pa
  • Road traffic accident: 6 × 10⁻⁵ pa
  • Natural disasters (per individual): 2 × 10⁻⁶ pa

Therefore the concept of defining and accepting a tolerable risk for any particular activity prevails.

The actual degree of risk considered to be tolerable will vary according to a number of factors such as the degree of control one has over the circumstances, the voluntary or involuntary nature of the risk, the number of persons at risk in any one incident and so on. This partly explains why the home remains one of the highest areas of risk to the individual in everyday life since it is there that we have control over what we choose to do and are therefore prepared to tolerate the risks involved.

A safety technology has grown up around the need to set target risk levels and to evaluate whether proposed designs meet these targets, be they process plant, transport systems, medical equipment or any other application.

In the early 1970s people in the process industries became aware that, with larger plants involving higher inventories of hazardous material, the practice of learning by mistakes (if indeed we do) was no longer acceptable. Methods were developed for identifying hazards and for quantifying the consequences of failures. They were evolved largely to assist in the decision-making process when developing or modifying plant. External pressures to identify and quantify risk were to come later.

By the mid 1970s there was already concern over the lack of formal controls for regulating those activities which could lead to incidents having a major impact on the health and safety of the general public. The Flixborough incident in June 1974, which resulted in 28 deaths, focused UK public and media attention on this area of technology. Many further events, such as that at Seveso (Italy) in 1976 through to the Piper Alpha offshore disaster and more recent Paddington (and other) rail incidents, have kept that interest alive and have given rise to the publication of guidance and also to legislation in the UK.

The techniques for quantifying the predicted frequency of failures are just the same as those previously applied to plant availability, where the cost of equipment failure was the prime concern. The tendency in the last few years has been towards a more rigorous application of these techniques (together with third party verification) in the field of hazard assessment. They include Fault Tree Analysis, Failure Mode & Effect Analysis, Common Cause Failure Assessment and so on. These will be explained in Chapters 5 and 6.

Hazard assessment of process plant, and of other industrial activities, was common in the 1980s but formal guidance and standards were rare and somewhat fragmented. Only Section 6 of the Health and Safety at Work Act 1974 underpinned the need to do all that is reasonably practicable to ensure safety. However, following the Flixborough disaster, a series of moves (including the Seveso directive) led to the CIMAH (Control of Industrial Major Accident Hazards) regulations, 1984, and their revised COMAH form (Control of Major Accident Hazards) in 1999. The adoption of the Machinery Directive by the EU, in 1989, brought the requirement for a documented risk analysis in support of CE marking.

Nevertheless, these laws and requirements do not specify how one should go about establishing a target tolerable risk for an activity, nor do they address the methods of assessment of proposed designs nor provide requirements for specific safety-related features within design.

The need for more formal guidance has long been acknowledged. Until the mid 1980s risk assessment techniques tended to concentrate on quantifying the frequency and magnitude of consequences arising from given risks. These were sometimes compared with loosely defined target values but, being a controversial topic, such targets (usually in the form of fatality rates) were not readily owned up to or published.

EN 1050 (Principles of risk assessment), in 1996, covered the processes involved in risk assessment but gave little advice on risk reduction. For machinery control EN 954-1 (see Chapter 10) provided some guidance on how to reduce risks associated with control systems but did not specifically include PLCs (programmable logic controllers) which were separately addressed by other IEC (International Electrotechnical Commission) and CENELEC (European Committee for Standardization) documents.

The proliferation of software during the 1980s, particularly in real time control and safety systems, focused attention on the need to address systematic failures since they could not necessarily be quantified. In other words whilst hardware failure rates were seen as a credibly predictable measure of reliability, software failure rates were generally agreed not to be predictable. It became generally accepted that it was necessary to consider qualitative defenses against systematic failures as an additional, and separate, activity to the task of predicting the probability of so called random hardware failures.

In 1989, the HSE (Health and Safety Executive) published guidance which encouraged this dual approach of assuring functional safety of programmable equipment. This led to IEC work, during the 1990s, which culminated in the international safety Standard IEC 61508 – the main subject of this book. The IEC Standard is concerned with electrical, electronic and programmable safety-related systems where failure will affect people or the environment. It has a voluntary, rather than legal, status in the UK but it has to be said that to ignore it might now be seen as "not doing all that is reasonably practicable" in the sense of the Health and Safety at Work Act and a failure to show "due diligence". As use of the Standard becomes more and more widespread it can be argued that it is more and more "practicable" to use it. The Standard was revised and re-issued in 2010. Figure 1.1 shows how IEC 61508 relates to some of the current legislation.

The purpose of this book is to explain, in as concise a way as possible, the requirements of IEC 61508 and the other industry-related documents (some of which are referred to as 2nd tier guidance) which translate the requirements into specific application areas.

The Standard, as with most such documents, has considerable overlap, repetition, and some degree of ambiguity, which places the onus on the user to make interpretations of the guidance and, in the end, apply his/her own judgement.

The question frequently arises as to what is to be classified as safety-related equipment. The term 'safety-related' applies to any hard-wired or programmable system where a failure, singly or in combination with other failures/errors, could lead to death, injury or environmental damage. The terms "safety-related" and "safety-critical" are often used and the distinction has become blurred. "Safety-critical" has tended to be used where failure alone, of the equipment in question, leads to a fatality or increase in risk to exposed people. "Safety-related" has a wider context in that it includes equipment in which a single failure is not necessarily critical whereas coincident failure of some other item leads to the hazardous consequences.

A piece of equipment, or software, cannot be excluded from this safety-related category merely by identifying that there are alternative means of protection. This would be to pre-judge the issue and a formal safety integrity assessment would still be required to determine whether the overall degree of protection is adequate.

1.2 Quantitative and Qualitative Safety Targets

In an earlier paragraph we introduced the idea of needing to address safety-integrity targets both quantitatively and qualitatively:

Quantitatively: where we predict the frequency of hardware failures and compare them with some tolerable risk target. If the target is not satisfied then the design is adapted (e.g. provision of more redundancy) until the target is met.

Qualitatively: where we attempt to minimize the occurrence of systematic failures (e.g. software errors) by applying a variety of defenses and design disciplines appropriate to the severity of the tolerable risk target.
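The quantitative loop described above (predict the hazard rate, compare it with a tolerable target of the kind listed in Section 1.1, add redundancy until the target is met), as an added worked example that is not from the book. It uses the simplified low-demand PFDavg formulas for a single (1oo1) and a duplicated (1oo2) channel with a beta-factor common cause term, and the IEC 61508 low-demand SIL bands; every failure rate, the proof-test interval, the beta value, the demand rate and the risk target are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One channel of a low-demand protection function (sensor + logic + actuator)."""
    lambda_du_per_hour: float     # dangerous undetected failure rate, lambda_DU (per hour)
    proof_test_interval_h: float  # T, the interval between proof tests (hours)


def pfd_1oo1(ch: Channel) -> float:
    """Average probability of failure on demand of a single channel: lambda_DU * T / 2."""
    return ch.lambda_du_per_hour * ch.proof_test_interval_h / 2.0


def pfd_1oo2(ch: Channel, beta: float) -> float:
    """1oo2 (one-out-of-two) redundancy with a beta-factor common cause term:
    independent failures contribute (lambda_DU*T)^2 / 3, common cause failures
    beta * lambda_DU * T / 2. beta = 0 models fully independent channels."""
    lam_t = ch.lambda_du_per_hour * ch.proof_test_interval_h
    return lam_t ** 2 / 3.0 + beta * lam_t / 2.0


def hazard_rate_pa(demand_rate_pa: float, pfd: float) -> float:
    """Predicted frequency of the hazardous event with the protection in place:
    demand rate of the unprotected process times the chance the protection fails."""
    return demand_rate_pa * pfd


def sil_band(pfd: float) -> int:
    """SIL implied by a low-demand PFDavg (IEC 61508-1 Table 2): SIL n covers
    10^-(n+1) <= PFDavg < 10^-n. Returns 0 below SIL 1 and 4 for anything better."""
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** -sil:
            return sil
    return 0


def select_architecture(demand_rate_pa, target_pa, ch, beta):
    """The loop in the text: try the simpler design first and only add redundancy
    when the predicted hazard rate misses the tolerable target. Returns
    (architecture, pfd, hazard_rate) for the first adequate design, else None."""
    candidates = (("1oo1", pfd_1oo1(ch)), ("1oo2", pfd_1oo2(ch, beta)))
    for name, pfd in candidates:
        rate = hazard_rate_pa(demand_rate_pa, pfd)
        if rate <= target_pa:
            return name, pfd, rate
    return None


# Constructed inputs (not from the book): annual proof test, 1e-6/h dangerous
# undetected failure rate per channel, 10% common cause fraction, a process that
# would reach the hazardous state 0.02 times per year unprotected, and a
# maximum tolerable rate for the hazardous event of 1e-5 per year.
EXAMPLE_CHANNEL = Channel(lambda_du_per_hour=1e-6, proof_test_interval_h=8760.0)
BETA = 0.1
DEMAND_RATE_PA = 0.02
TARGET_PA = 1e-5

if __name__ == "__main__":
    required_pfd = TARGET_PA / DEMAND_RATE_PA
    print(f"required PFDavg <= {required_pfd:.1e} (SIL {sil_band(required_pfd)})")
    for name, pfd in (("1oo1", pfd_1oo1(EXAMPLE_CHANNEL)),
                      ("1oo2", pfd_1oo2(EXAMPLE_CHANNEL, BETA))):
        rate = hazard_rate_pa(DEMAND_RATE_PA, pfd)
        verdict = "meets" if rate <= TARGET_PA else "misses"
        print(f"{name}: PFDavg={pfd:.2e} (SIL {sil_band(pfd)}), "
              f"hazard rate={rate:.2e} pa, {verdict} target")
    # Dropping the common cause term would make 1oo2 look about 18x better: the
    # CCF contribution, not the redundancy arithmetic, decides the outcome.
    print(f"1oo2 with beta=0: PFDavg={pfd_1oo2(EXAMPLE_CHANNEL, 0.0):.2e}")
    print("chosen:", select_architecture(DEMAND_RATE_PA, TARGET_PA, EXAMPLE_CHANNEL, BETA))
```

With these inputs the single channel misses the target by almost an order of magnitude while the duplicated channel just meets it, and the common cause term accounts for most of the residual PFD of the 1oo2 design.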

It is important to understand why this twofold approach is needed. Prior to the 1980s, system failures could usually be identified as specific component failures (e.g. relay open circuit, capacitor short circuit, motor fails to start). However, since then the growth of complexity (including software) has led to system failures of a more subtle nature whose cause may not be attributable to a catastrophic component failure. Hence we talk of:

Random hardware failures: which are attributable to specific component failures and to which we attribute failure rates. The concept of "repeatability" allows us to model proposed systems by means of associating past failure rates of like components together to predict the performance of the design in question.

and

Systematic failures: which are not attributable to specific component failures and are therefore unique to a given system and its environment. They include design tolerance/timing related problems, failures due to inadequately assessed modifications and, of course, software. Failure rates cannot be ascribed to these incidents since they do not enable us to predict the performance of future designs.


Excerpted from Safety Critical Systems Handbook by David J Smith and Kenneth GL Simpson. Copyright © 2011 by Dr David J Smith and Kenneth G L Simpson. Excerpted by permission of Butterworth-Heinemann. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Table of Contents

A quick overview

The 2010 version of IEC 61508


Part A: The Concept of Safety Integrity 1

Chapter 1 The Meaning and Context of Safety Integrity Targets

1.1 Risk and the Need for Safety Targets

1.2 Quantitative and Qualitative Safety Targets

1.3 The Life-cycle Approach

1.4 Steps in the Assessment Process

1.5 Costs

1.6 The Seven Parts of IEC 61508

Chapter 2 Meeting IEC 61508 Part 1

2.1 Establishing Integrity Targets

2.2 ALARP (“As Low as Reasonably Practicable”)

2.3 Functional Safety Management and Competence

IEC 61508 Part 1

Chapter 3 Meeting IEC 61508 Part 2

3.1 Organizing and Managing the Life-cycle

3.2 Requirements Involving the Specification

3.3 Requirements for Design and Development

3.4 Integration and Test (Referred to as Verification)

3.5 Operations and Maintenance

3.6 Validation (Meaning Overall Acceptance Test and the Close Out of Actions)

3.7 Safety Manuals

3.8 Modifications

3.9 Acquired Sub-systems

3.10 “Proven in Use” (Referred to as Route 2s in the Standard)

3.11 ASICs and CPU Chips

3.12 Conformance Demonstration Template

IEC 61508 Part 2

Chapter 4 Meeting IEC 61508 Part 3

4.1 Organizing and Managing the Software Engineering

4.2 Requirements Involving the Specification

4.3 Requirements for Design and Development

4.4 Integration and Test (Referred to as Verification)

4.5 Validation (Meaning Overall Acceptance Test and Close Out of Actions)

4.6 Safety Manuals

4.7 Modifications

4.8 Alternative Techniques and Procedures

4.9 Data Driven Systems

4.10 Some Technical Comments

4.11 Conformance Demonstration Template

IEC 61508 Part 3

Chapter 5 Reliability Modeling Techniques

5.1 Failure Rate and Unavailability

5.2 Creating a Reliability Model

5.3 Taking Account of Auto-test

5.4 Human Factors

Chapter 6 Failure Rate and Mode Data

6.1 Data Accuracy

6.2 Sources of Data

6.3 Data Ranges and Confidence Levels

6.4 Conclusions

Now try the exercise and the example, which are Chapters 11 and 12.

Chapter 7 Demonstrating and Certifying Conformance

7.1 Demonstrating Conformance

7.2 The Current Framework for Certification

7.3 Self Certification (Including Some Independent Assessment)

7.4 Preparing for Assessment

7.5 Summary

Part B: Specific Industry Sectors

Chapter 8 Second-tier Documents – Process, Oil and Gas Industries

8.1 IEC International Standard 61511: Functional Safety - Safety Instrumented Systems for the Process Industry Sector

8.2 Institution of Gas Engineers and Managers IGEM/SR/15: Programmable Equipment in Safety-related Applications – 5th Edition 2010

8.3 Guide to the Application of IEC 61511 to Safety Instrumented Systems in the UK Process Industries

8.4 ANSI/ISA-84.00.01 (2004) – Functional Safety, Instrumented Systems for the Process Sector

8.5 Recommended Guidelines for the Application of IEC 61508 and IEC 61511 in the Petroleum Activities on the Norwegian Continental Shelf OLF-070

Chapter 9 Machinery Sector

9.1 EN ISO 14121

9.2 EN ISO 13849

9.3 BS EN 62061

Chapter 10 Other Industry Sectors

10.1 Rail

10.2 UK MOD Documents

10.3 Earth Moving Machinery

10.4 C Coding Standard (MISRA – Motor Industries Research Association) – Development Guidelines for Vehicle Based Programmable Systems

10.5 Automotive

10.6 IEC International Standard 61513: Nuclear Power Plants - Instrumentation and Control for Systems Important to Safety - General Requirements for Systems

10.7 Avionics

10.8 Medical – IEC 60601 Medical Electrical Equipment, General Requirements for Basic Safety and Essential Performance

10.9 Stage and Theatrical Equipment

10.10 Electrical Power Drives

10.11 Documents which are now Withdrawn

Part C: Case Studies in the Form of Exercises and Examples

Chapter 11 Pressure Control System (Exercise)

11.1 The Unprotected System

11.2 Protection System

11.3 Assumptions

11.4 Reliability Block Diagram

11.5 Failure Rate Data

11.6 Quantifying the Model

11.7 Proposed Design and Maintenance Modifications

11.8 Modeling Common Cause Failure (Pressure Transmitters)

11.9 Quantifying the Revised Model

11.10 ALARP

11.11 Architectural Constraints

Chapter 12 Burner Control Assessment (Example)

Executive Summary & Recommendations

12.1 Objectives

12.2 Integrity Requirements

12.3 Assumptions

12.4 Results

12.5 Failure Rate Data

12.6 References

Annex I Fault tree details

Chapter 13 SIL Targeting – Some Practical Examples

13.1 A Problem Involving EUC/SRS Independence

13.2 A hand-held Alarm Intercom, Involving Human error in the Mitigation

13.3 Maximum Tolerable Failure Rate Involving Alternative Propagations to Fatality

13.4 Hot/cold Water Mixer Integrity

13.5 Scenario Involving High Temperature Gas to a Vessel

13.6 Example using the LOPA Technique

Chapter 14 Hypothetical Rail Train Braking System (Example)

14.1 The Systems

14.2 The SIL Targets

14.3 Assumptions

14.4 Failure Rate Data

14.5 Reliability Models

Chapter 15 Rotorcraft Accidents and Risk Assessment

15.1 Helicopter Incidents

15.2 Floatation Equipment Risk Assessment

Chapter 16 Hydro-electric Dam and Tidal Gates

16.1 Flood-gate Control System

16.2 Spurious opening of either of two tidal lock gates involving a trapped vessel

Appendix 1 Functional Safety Management

Appendix 2 Assessment Schedule (Checklist)

Appendix 3 Betaplus CCF Model, Scoring Criteria

Appendix 4 Assessing Safe Failure Fraction and Diagnostic Coverage

Appendix 5 Answers to Examples

Appendix 6 References

Appendix 7 Quality and Safety Plan

Appendix 8 Some Terms and Jargon of IEC 61508

