IEC 61508-4-2010 is the definitions and terminology part of the IEC 61508 series on functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems. While Parts 1 through 3 provide the normative requirements for management, design, and verification, Part 4 establishes the precise vocabulary that underpins all other parts. The standard contains over 200 defined terms arranged thematically, covering safety concepts, system architecture, failure modes, probabilistic metrics, and lifecycle phases.
This part is critical because functional safety engineering demands unambiguous communication. Terms such as “safe state,” “dangerous failure,” “diagnostic coverage,” and “safe failure fraction” carry precise technical meanings that directly determine compliance with SIL requirements. Misunderstanding these definitions is a common source of non-conformities in functional safety assessments.
The standard organises definitions into thematic categories. The following table presents the most critical definitions for practical functional safety engineering:
| Term | Definition (Abbreviated) | Engineering Significance |
|---|---|---|
| Safety Integrity Level (SIL) | Discrete level (1–4) specifying the target risk reduction for a safety function | Determines architectural constraints, diagnostic coverage, and systematic capability requirements |
| Safe Failure Fraction (SFF) | Fraction of total failures that are safe or dangerous detected | Limits hardware architectural constraints for a given SIL target |
| Diagnostic Coverage (DC) | Fraction of dangerous failures detected by automatic diagnostics | Directly determines SFF; typical target ≥ 90% for SIL 2, ≥ 99% for SIL 3 |
| Proof Test | Periodic test performed to detect DU failures in a safety system | Proof test interval directly affects PFDavg calculation and risk reduction |
| Common Cause Failure (CCF) | Failure of multiple channels due to a single shared cause | β-factor modelling essential for redundant architectures (typically β = 2–10%) |
| Demand Mode (Low/High/Continuous) | Frequency at which a safety function is required to act | Determines whether PFDavg (low demand) or PFH (high/continuous) applies |
| Systematic Capability (SC) | Measure of confidence in systematic safety integrity | Requires validated tools, techniques, and measures to avoid systematic design errors |
The standard defines four Safety Integrity Levels with specific target failure measures. For low-demand mode of operation, the average probability of failure on demand (PFDavg) targets are: SIL 1 (≥ 10⁻² to < 10⁻¹), SIL 2 (≥ 10⁻³ to < 10⁻²), SIL 3 (≥ 10⁻⁴ to < 10⁻³), and SIL 4 (≥ 10⁻⁵ to < 10⁻⁴). For high-demand or continuous mode, the probability of a dangerous failure per hour (PFH) targets are correspondingly more stringent. These target measures are not arbitrary: they represent the tolerable risk gap between the unmitigated hazard and the acceptable level defined through risk analysis.
Understanding Part 4 terminology is essential for applying the normative requirements of IEC 61508 correctly. Consider the practical impact of the “diagnostic coverage” definition. When designing a 1oo2 (one-out-of-two) architecture for a SIL 3 application, the architect must verify that the diagnostic coverage of each channel meets the minimum threshold. If DC is below 90%, the safe failure fraction drops below 90%, which restricts the hardware fault tolerance (HFT) requirements under the architectural constraints route specified in Part 2. In practice, this means that insufficient diagnostic coverage forces either more redundancy or higher-quality components — both with significant cost implications.
The “proof test” definition has profound practical implications. Proof testing must detect DU failures and restore the system to “as new” condition. The standard distinguishes between full proof testing, which reveals all DU failures (coverage = 1.0), and partial proof testing, which reveals only a subset. Partial proof testing is increasingly common in industry because full testing often requires process shutdown. When partial proof testing is applied, the residual DU failure rate must be factored into the PFDavg calculation, typically extending the assumed diagnostic interval or requiring compensatory measures.
The definition of “systematic capability” (SC) is increasingly important in modern functional safety. IEC 61508-4 clarifies that systematic capability is not a quantitative measure but a qualitative confidence level. Achieving SC 2 requires that the design process incorporates techniques such as formal design reviews, failure mode analysis, and structured testing as specified in Part 2 and Part 3. SC 3 requires additional measures including formal methods, diversity, and independent assessment. The trend in the process industries (via IEC 61511) and machinery (IEC 62061) is toward requiring SC 2 as a minimum for all SIL applications.
A safe failure causes the safety system to initiate a spurious action (e.g., a valve closes when it should not), leading to a process trip but no loss of safety. A dangerous failure prevents the safety system from responding when demanded (e.g., a valve fails to close on demand), creating a potential hazard. In PFDavg calculations, only dangerous failures (specifically DU failures) contribute to the probability of failure on demand.
The classification depends on the demand rate on the safety function. Low demand mode means the frequency of demands is no more than one per year and no greater than twice the proof test frequency. High demand mode means demands occur more frequently. Continuous mode means the safety function is always active (e.g., a gas burner control system). The distinction determines which target metric (PFDavg vs. PFH) applies.
The safe state is the state of the EUC (Equipment Under Control) and its control system when safety is achieved. For example, for a process heater, the safe state might be “fuel valves closed, purge cycle complete.” The safety function must be designed to achieve and maintain the safe state within the defined process safety time. A key design consideration is what happens after a spurious trip — operator reset procedures must prevent premature restart.
Architecture is defined as the arrangement of hardware and software elements within a safety-related system. The standard defines specific architecture types (1oo1, 1oo2, 2oo2, 2oo3, etc.) in the context of fault tolerance requirements. Part 4 clarifies that architecture constraints are driven by both the required hardware fault tolerance (HFT) and the safe failure fraction (SFF), forming the basis of the architectural constraint route to SIL verification.
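Hardware fault tolerance is easy to state and easy to get backwards, because a MooN arrangement tolerates dangerous and spurious channel faults differently. The following is an added example, not code from the page or from the standard: it models each channel as healthy, failed dangerous undetected (it can no longer demand a trip) or failed safe (it demands a trip spuriously), applies the M-out-of-N vote, and exhausts every fault combination to find the largest number of same-kind faults the architecture survives. The fault model and the architectures checked are constructed for illustration; the "DU" column is HFT in the Part 4 sense, while the "S" column is spurious-trip tolerance, an availability figure rather than a safety one.

```python
# Added example (not from the page or the standard): what a MooN voting
# arrangement actually tolerates. Channel states and fault kinds are
# constructed inputs for illustration.
from itertools import combinations


def voted_output(m, n, channel_demands):
    """A MooN arrangement acts (trips) when at least m of its n channels demand it."""
    if len(channel_demands) != n:
        raise ValueError("expected %d channel states" % n)
    return sum(1 for d in channel_demands if d) >= m


def system_is_correct(m, n, real_demand, faults):
    """True if the voted output matches the real demand.

    faults maps channel index -> "DU" (dangerous undetected: the channel can
    no longer demand a trip) or "S" (safe: the channel demands a trip
    spuriously). A healthy channel reports the real demand."""
    states = []
    for ch in range(n):
        kind = faults.get(ch)
        if kind == "DU":
            states.append(False)
        elif kind == "S":
            states.append(True)
        else:
            states.append(real_demand)
    return voted_output(m, n, states) == real_demand


def fault_tolerance(m, n, kind):
    """Largest number of same-kind channel faults that can never cause a
    wrong output, found by exhausting every fault combination and both
    demand conditions. For kind == "DU" this is HFT in the Part 4 sense."""
    for k in range(n + 1):
        for chans in combinations(range(n), k):
            faults = {c: kind for c in chans}
            for real_demand in (True, False):
                if not system_is_correct(m, n, real_demand, faults):
                    return k - 1
    return n


def architecture_table():
    """HFT against dangerous faults and spurious-trip tolerance for the
    architectures named on the page."""
    result = {}
    for m, n in [(1, 1), (1, 2), (2, 2), (2, 3)]:
        name = "%doo%d" % (m, n)
        result[name] = {"HFT_dangerous": fault_tolerance(m, n, "DU"),
                        "tolerates_spurious": fault_tolerance(m, n, "S")}
    return result


if __name__ == "__main__":
    for arch, tol in architecture_table().items():
        print(arch, tol)
```

The table this produces is the usual one: 1oo2 has HFT 1 against dangerous faults but trips spuriously on a single safe failure, 2oo2 is the mirror image (HFT 0, but one safe failure is masked), and 2oo3 tolerates one fault of either kind. That asymmetry is why the architectural constraint route pairs HFT with SFF: a high SFF earns credit only because it moves failures into the safe or detected classes that the vote can tolerate or the diagnostics can act on.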