IEC TR 63158: Formal Description of Function Blocks for Safety-Related Systems in Industrial Automation

A technical framework for specification and verification of function block behavior in IEC 61508 / IEC 61499 safety applications

Introduction to Function Block Formalization for Safety

Modern industrial automation systems increasingly rely on function blocks as the fundamental building blocks of control logic. Standards such as IEC 61499 (distributed control systems) and IEC 61131-3 (programmable controllers) have established function block diagrams as a primary programming paradigm. However, when these function blocks are deployed in safety-related applications governed by IEC 61508 (functional safety), the need for unambiguous, mathematically rigorous specification becomes paramount. IEC TR 63158 addresses this gap by providing a formal description framework for function blocks used in safety-related systems.

IEC TR 63158 is not a replacement for IEC 61499 or IEC 61131-3. Rather, it extends those standards with formal semantics that enable automated verification, test case generation, and unambiguous communication between system designers, software engineers, and safety assessors.

The core problem that IEC TR 63158 solves is semantic ambiguity. Informal function block specifications — described in natural language or with incomplete execution semantics — can lead to subtle implementation errors that are difficult to detect through testing alone. Consider a simple safety function that monitors a pressure sensor and triggers an emergency shutdown when pressure exceeds a threshold. In an informal specification, questions arise: What is the exact timing relationship between sensor input sampling and output actuation? How does the function block behave during initialization or after a communication fault? What are the precise conditions under which the safety function degrades or fails? IEC TR 63158’s formal description addresses these questions with mathematical precision.

| Semantic Aspect | Informal Description | Formal Description (IEC TR 63158) | Benefit |
|---|---|---|---|
| Execution order | “Process inputs then update outputs” | Clocked synchronous data-flow with explicit firing rules | Deterministic behavior across platforms |
| Timing behavior | “Respond within 100 ms” | Timed automaton with worst-case execution time bounds | Verifiable latency guarantees |
| Error handling | “Detect faults appropriately” | Explicit fault states with transition conditions and recovery paths | Complete coverage of failure modes |
| Data dependencies | “Uses sensor value X” | Directed data-flow graph with type constraints and range checks | Automatic consistency verification |
| Composability | “Blocks can be combined” | Algebraic composition rules with interface contracts | Safe composition without side effects |

Formal Semantics and Execution Models

IEC TR 63158 defines three formal execution models for safety-related function blocks: the synchronous model, where all blocks execute in lockstep on a common clock (suitable for time-triggered safety systems); the asynchronous model, where blocks execute independently and communicate via buffered channels (suitable for distributed safety systems); and the hybrid model, which combines synchronous clusters with asynchronous inter-cluster communication (suitable for multi-rate safety systems). The choice of execution model has profound implications for the safety case — particularly for the systematic capability (SC) rating in IEC 61508 context.

A critical engineering insight from the report: the asynchronous execution model introduces nondeterminism in function block communication timing. To achieve SIL 3 or SIL 4 under IEC 61508, safety designers must either implement a bounded-delay communication protocol with proof of worst-case latency, or restrict the architecture to the synchronous model. IEC TR 63158 provides formal proof obligations for each approach.

The formalization uses two complementary mathematical frameworks: Timed Automata for modeling temporal behavior and Data-Flow Equations for modeling functional behavior. A safety-related function block is described as a tuple (States, Inputs, Outputs, Clock, Transitions, Invariants), where Transitions are guarded by input events and timing constraints, and Invariants define safety properties that must hold in each state. This dual formalism enables both model checking (exhaustive verification of safety properties) and runtime monitoring (detecting property violations during operation).

| Execution Model | Timing Determinism | Hardware Requirements | Max Achievable SIL | Typical Applications |
|---|---|---|---|---|
| Synchronous | Fully deterministic | Single controller or synchronized multicore | SIL 4 | Turbine control, reactor protection |
| Asynchronous (bounded delay) | Bounded nondeterminism | Distributed controllers with time-triggered network | SIL 3 | Conveyor systems, process plants |
| Asynchronous (unbounded) | Nondeterministic | Standard fieldbus or Ethernet | SIL 2 | Material handling, packaging |
| Hybrid | Cluster-deterministic | Mixed architecture with sync domains | SIL 3 | Automotive manufacturing, robotics cells |

Formal Verification and Practical Implementation

One of the most valuable contributions of IEC TR 63158 is its guidance on formal verification techniques for function block safety cases. The report describes three verification approaches: model checking (exhaustive state-space exploration to verify safety properties such as “output Q is never asserted when input S is false”), theorem proving (mathematical proof of functional correctness for data-flow equations), and abstract interpretation (static analysis to compute safe approximations of function block behavior). The standard provides detailed criteria for selecting the appropriate verification technique based on the complexity of the function block and the required SIL level.
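The tuple description (States, Inputs, Outputs, Clock, Transitions, Invariants) from the previous section and the model-checking and runtime-monitoring use of it described here, carried through for the pressure-monitoring shutdown function from the introduction. This is an added worked example in Python, not code from IEC TR 63158, UPPAAL or any vendor library; the state names, tick constants, the abstraction of pressure to above/below threshold and the saturating tick counter standing in for the clock are all assumptions made for the illustration.

```python
"""Toy formal model of a pressure-monitoring safety function block, written as
(States, Inputs, Outputs, Clock, Transitions, Invariants) and checked two ways:
exhaustive exploration of reachable configurations (model checking) and replay
of a recorded trace against the model (runtime monitoring). Added illustration;
not code from IEC TR 63158 or any vendor library. Names and constants are hypothetical."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

INIT, MONITOR, TRIP, FAULT = "INIT", "MONITOR", "TRIP", "FAULT"
INIT_TICKS = 2      # ticks spent in INIT before the block trusts its inputs (hypothetical)
DEBOUNCE_TICKS = 2  # consecutive over-threshold samples required before tripping
CLOCK_MAX = 3       # clock abstraction: ticks beyond this are indistinguishable

# Inputs: (pressure_high, comm_ok). The domain is finite so the checker can enumerate it.
INPUTS = [(p, c) for p in (False, True) for c in (False, True)]


@dataclass(frozen=True)
class Config:
    state: str
    clock: int   # ticks since entering the current state (saturating)
    over: int    # consecutive over-threshold samples seen while in MONITOR


def step(cfg: Config, pressure_high: bool, comm_ok: bool) -> Config:
    """Transition relation: every edge is guarded by an input event and a timing constraint."""
    s, clk = cfg.state, min(cfg.clock + 1, CLOCK_MAX)
    if s == INIT:
        # Inputs are ignored until the initialization window has elapsed.
        return Config(MONITOR, 0, 0) if cfg.clock + 1 >= INIT_TICKS else Config(INIT, clk, 0)
    if s == MONITOR:
        if not comm_ok:                 # communication fault: fail safe immediately
            return Config(FAULT, 0, 0)
        over = cfg.over + 1 if pressure_high else 0
        if over >= DEBOUNCE_TICKS:      # guard: sustained over-pressure for DEBOUNCE_TICKS
            return Config(TRIP, 0, 0)
        return Config(MONITOR, clk, over)
    return Config(s, clk, 0)            # TRIP and FAULT are absorbing (manual reset not modelled)


def output(cfg: Config) -> bool:
    """Output function: True means a shutdown demand is asserted."""
    return cfg.state in (TRIP, FAULT)


def invariant_ok(cfg: Config) -> bool:
    """Safety invariants that must hold in every reachable configuration."""
    if (cfg.state in (TRIP, FAULT)) != output(cfg):           # shutdown exactly in TRIP/FAULT
        return False
    if cfg.state == MONITOR and cfg.over >= DEBOUNCE_TICKS:   # never linger with trip evidence
        return False
    return not (cfg.state == INIT and cfg.clock >= INIT_TICKS)  # initialization never overruns


def reachable(max_configs: int = 10_000) -> set:
    """Breadth-first exploration of every configuration reachable under every input sequence."""
    start = Config(INIT, 0, 0)
    seen, queue = {start}, deque([start])
    while queue:
        cfg = queue.popleft()
        for p, c in INPUTS:
            nxt = step(cfg, p, c)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
        if len(seen) > max_configs:
            raise RuntimeError("state space not finite; the clock abstraction is too weak")
    return seen


def model_check():
    """Model checking: returns (number of reachable configs, list of invariant violations)."""
    confs = reachable()
    return len(confs), [cfg for cfg in confs if not invariant_ok(cfg)]


def worst_case_trip_latency() -> int:
    """Timed property: from any reachable MONITOR configuration, the most ticks of
    sustained over-pressure (with healthy communication) before TRIP is entered."""
    worst = 0
    for cfg in reachable():
        if cfg.state != MONITOR:
            continue
        cur, ticks = cfg, 0
        while cur.state != TRIP:
            cur, ticks = step(cur, True, True), ticks + 1
            if ticks > CLOCK_MAX + DEBOUNCE_TICKS:
                raise RuntimeError(f"TRIP not reached from {cfg}: liveness violated")
        worst = max(worst, ticks)
    return worst


def monitor_trace(trace) -> Optional[int]:
    """Runtime monitoring: step the model alongside the deployed block and return the
    index of the first sample where the observed output deviates from the model."""
    cfg = Config(INIT, 0, 0)
    for i, (pressure_high, comm_ok, observed_shutdown) in enumerate(trace):
        cfg = step(cfg, pressure_high, comm_ok)
        if output(cfg) != observed_shutdown:
            return i
    return None


# Constructed traces (not real plant data): pressure rises on sample 3 and stays high.
GOOD_TRACE = [(False, True, False), (False, True, False), (True, True, False), (True, True, True)]
BAD_TRACE = GOOD_TRACE[:3] + [(True, True, False)]   # deployed block failed to trip on sample 4

if __name__ == "__main__":
    n, bad = model_check()
    print(f"{n} reachable configurations, {len(bad)} invariant violations")
    print("worst-case trip latency (ticks):", worst_case_trip_latency())
    print("first deviation, good/bad trace:", monitor_trace(GOOD_TRACE), monitor_trace(BAD_TRACE))
```

The point of the abstraction choices is that the state space stays finite (17 configurations here) so the breadth-first search is exhaustive rather than a sample; `worst_case_trip_latency` is the kind of bounded-response obligation a timed-automaton model lets you discharge, and `monitor_trace` reuses the same transition relation as an oracle for the deployed block, which is what makes a formal model useful after commissioning as well as before.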

From a practical engineering standpoint, the report offers concrete guidance on implementing the formal description in existing development workflows. It defines a mapping between the formal function block specification and commonly used implementation languages (structured text, ladder logic, C++ with safety restrictions), including the specific coding rules that must be followed to preserve semantic equivalence between the formal model and the deployed code. The report also addresses the critical topic of function block composition — when two formally verified function blocks are composed, the resulting composite may or may not preserve the original safety properties. IEC TR 63158 defines a composition contract methodology where each block exposes its assumptions and guarantees, enabling compositional verification.
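The composition-contract idea in the paragraph above, as an added example in Python (not code from IEC TR 63158 or any vendor library): each block publishes assumptions on its input ports and guarantees on its output ports as closed value ranges plus a latency bound, and composing two blocks is permitted only when every wire's upstream guarantee is strong enough to discharge the downstream assumption. The block names, port names, ranges and latencies are hypothetical.

```python
"""Assume/guarantee contracts for composing function blocks. Added illustration;
not code from IEC TR 63158 or any vendor library. Block names, ranges and
latencies are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Range:
    lo: float
    hi: float

    def within(self, other: "Range") -> bool:
        """True if every value this range allows is also allowed by `other`."""
        return other.lo <= self.lo and self.hi <= other.hi


@dataclass
class Contract:
    name: str
    assumes: Dict[str, Range]     # input port -> range the block relies on
    guarantees: Dict[str, Range]  # output port -> range the block promises
    latency_ms: float             # worst-case input-to-output latency the block guarantees
    max_input_age_ms: float       # staleness of input data the block tolerates


def check_wire(src: Contract, out_port: str, dst: Contract, in_port: str) -> List[str]:
    """Proof obligations for one connection: range containment and latency budget."""
    if out_port not in src.guarantees:
        return [f"{src.name}.{out_port}: no guarantee published for this output"]
    if in_port not in dst.assumes:
        return [f"{dst.name}.{in_port}: no assumption published for this input"]
    g, a = src.guarantees[out_port], dst.assumes[in_port]
    problems = []
    if not g.within(a):
        problems.append(f"{src.name}.{out_port} guarantees [{g.lo}, {g.hi}] but "
                        f"{dst.name}.{in_port} assumes [{a.lo}, {a.hi}]")
    if src.latency_ms > dst.max_input_age_ms:
        problems.append(f"{src.name} latency {src.latency_ms} ms exceeds the "
                        f"{dst.max_input_age_ms} ms staleness {dst.name} tolerates")
    return problems


def compose(blocks: Dict[str, Contract], wires) -> Tuple[bool, List[str], float]:
    """Compositional verification: check every wire, then derive the composite's
    end-to-end latency as the sum along the chain. Returns (ok, problems, latency)."""
    problems: List[str] = []
    for src, out_port, dst, in_port in wires:
        problems += check_wire(blocks[src], out_port, blocks[dst], in_port)
    latency = sum(b.latency_ms for b in blocks.values())   # wires form a single chain here
    return not problems, problems, latency


# Hypothetical blocks: a scaler turns a raw ADC count into bar, trip logic compares it to a limit.
SCALER = Contract("PressureScaler",
                  assumes={"raw": Range(0, 4095)},
                  guarantees={"bar": Range(0.0, 250.0)},
                  latency_ms=5.0, max_input_age_ms=10.0)
TRIP = Contract("TripLogic",
                assumes={"bar": Range(0.0, 300.0)},
                guarantees={"shutdown": Range(0, 1)},
                latency_ms=10.0, max_input_age_ms=20.0)
# A revised scaler whose published range grew (wider sensor) and whose latency got worse.
SCALER_V2 = Contract("PressureScalerV2",
                     assumes={"raw": Range(0, 4095)},
                     guarantees={"bar": Range(0.0, 400.0)},
                     latency_ms=25.0, max_input_age_ms=10.0)

WIRES = [("scaler", "bar", "trip", "bar")]


def verify_chain(scaler: Contract) -> Tuple[bool, List[str], float]:
    """Compose the given scaler with TripLogic over the single wire above."""
    return compose({"scaler": scaler, "trip": TRIP}, WIRES)


if __name__ == "__main__":
    for s in (SCALER, SCALER_V2):
        ok, problems, latency = verify_chain(s)
        print(s.name, "->", TRIP.name, "OK" if ok else "REJECTED", f"({latency} ms end-to-end)")
        for p in problems:
            print("  ", p)
```

The practical value shows up in the second case: swapping in `PressureScalerV2` is rejected by the contracts alone, without re-verifying `TripLogic` internally, because the widened output range and the longer latency both violate obligations the downstream block published. Real contracts also carry type and unit information and may express guarantees as predicates rather than intervals; the containment check generalises to logical implication.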

Several major industrial automation vendors have adopted the IEC TR 63158 framework for their safety function block libraries. A case study cited in the report describes a safety shutdown function block for chemical process control: using the formal description approach, 87% of potential failure modes were identified during the specification phase (before any code was written), compared to approximately 45% with traditional informal specification methods.

Frequently Asked Questions

Q1: Is IEC TR 63158 applicable to legacy safety systems that use conventional relay logic or hardwired safety circuits?

The framework is primarily designed for software-based function blocks. However, the formal description methodology can be applied to legacy systems if their behavior is first abstracted into a function block model. This reverse-engineering approach is useful for safety case updates and modernization projects.

Q2: What tool support exists for the formal description methods specified in the report?

Several tools support IEC TR 63158 formalisms: UPPAAL (timed automata model checking), NuSMV (symbolic model verification), and commercial tools like 3S CoDeSys Safety and Siemens Safety Matrix. Open-source projects such as FBDK (Function Block Development Kit) have also added experimental support for the formal semantics defined in the report.

Q3: How does the formal description handle time-variant behavior such as component aging or drift?

The report addresses this through the concept of “parameterized formal models” where time-dependent parameters (e.g., sensor drift rates, actuator wear) are modeled as additional inputs to the function block. Safety properties are then verified across the entire parameter range, ensuring that the safety function remains valid throughout the equipment’s operational lifetime.

Q4: Does the formal framework support on-line modification (reconfiguration) of safety function blocks?

IEC TR 63158 includes a section on dynamic reconfiguration, defining a “reconfiguration manager” function block that coordinates state transfer between old and new configurations while maintaining safety invariants during the transition. The formal model ensures that no hazardous state is reachable during reconfiguration, even if the old and new blocks have different execution rates or data interfaces.
