Functional safety of electrical/electronic/programmable electronic safety-related systems -- Part 4: Definitions and abbreviations

Contains the definitions and explanation of terms that are used in parts 1 to 7 of this standard.

Funktionale Sicherheit sicherheitsbezogener elektrischer/elektronischer/programmierbarer elektronischer Systeme -- Teil 4: Begriffe und Abkürzungen

Sécurité fonctionnelle des systèmes électriques/électroniques/électroniques programmables relatifs à la sécurité -- Partie 4: Définitions et abréviations

Contains the definitions and explanations of the terms used in parts 1 to 7 of this standard. Intended for use by all technical committees in the preparation of their standards, in accordance with the principles described in IEC Guide 104 and ISO/IEC Guide 51. EN 61508 is also intended for use as a stand-alone standard. Has the status of a basic safety publication in accordance with Guide 104.

Funkcijska varnost električnih/elektronskih/programirljivih elektronskih varnostnih sistemov - 4. del: Definicije in kratice (IEC 61508-4:1998 + popravek 1999)

General Information

Status: Withdrawn
Publication Date: 31-Dec-2006
Withdrawal Date: 11-Apr-2011
Current Stage: 9900 - Withdrawal (Adopted Project)
Start Date: 11-Apr-2011
Due Date: 04-May-2011
Completion Date: 12-Apr-2011

Standard
EN 61508-4:2007
English language
34 pages

Standards Content (Sample)


EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
EN 61508-4
December 2001
ICS 25.040.40; 29.020
English version
Functional safety of electrical/electronic/programmable electronic safety-related systems
Part 4: Definitions and abbreviations
(IEC 61508-4:1998 + corrigendum 1999)
Sécurité fonctionnelle des systèmes électriques/électroniques/électroniques programmables relatifs à la sécurité
Partie 4: Définitions et abréviations
(CEI 61508-4:1998 + corrigendum 1999)
Funktionale Sicherheit sicherheitsbezogener elektrischer/elektronischer/programmierbarer elektronischer Systeme
Teil 4: Begriffe und Abkürzungen
(IEC 61508-4:1998 + Corrigendum 1999)
This European Standard was approved by CENELEC on 2001-07-03. CENELEC members are bound to
comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech Republic,
Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands,
Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2001 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61508-4:2001 E


EN 61508-4:2001 - 2 -
Foreword
The text of the International Standard IEC 61508-4:1998 including its corrigendum April 1999,
prepared by SC 65A, System aspects, of IEC TC 65, Industrial-process measurement and control,
was submitted to the Unique Acceptance Procedure and was approved by CENELEC as EN 61508-4
on 2001-07-03 without any modification.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2002-08-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2004-08-01
Annexes designated "normative" are part of the body of the standard.
Annexes designated "informative" are given for information only.
In this standard, annex ZA is normative and annex A is informative.
Annex ZA has been added by CENELEC.
IEC 61508 is a basic safety publication covering the functional safety of electrical, electronic and
programmable electronic safety-related systems. The scope states:
"This International Standard covers those aspects to be considered when electrical/electronic/
programmable electronic systems (E/E/PESs) are used to carry out safety functions. A major objective
of this standard is to facilitate the development of application sector international standards by the
technical committees responsible for the application sector. This will allow all the relevant factors
associated with the application, to be fully taken into account and thereby meet the specific needs of
the application sector. A dual objective of this standard is to enable the development of
electrical/electronic/ programmable electronic (E/E/PE) safety-related systems where application
sector international standards may not exist".
The CENELEC Report R0BT-004, ratified by 103 BT (March 2000) accepts that some IEC standards,
which today are either published or under development, are sector implementations of IEC 61508. For
example:
– IEC 61511, Functional safety - Safety instrumented systems for the process industry sector;
– IEC 62061, Safety of machinery – Functional safety of electrical, electronic and programmable
electronic control systems;
– IEC 61513, Nuclear power plants – Instrumentation and control for systems important to safety –
General requirements for systems.
The railways sector has also developed a set of European Standards (EN 50126; EN 50128 and
prEN 50129).
NOTE  EN 50126 and EN 50128 were based on earlier drafts of IEC 61508. prEN 50129 is based on the principles of the
latest version of IEC 61508.
This list does not preclude other sector implementations of IEC 61508 which could be currently under
development or published within IEC or CENELEC.
__________

Endorsement notice
The text of the International Standard IEC 61508-4:1998 including its corrigendum April 1999 was
approved by CENELEC as a European Standard without any modification.
In the official version, for Bibliography, the following note has to be added for the standard indicated:
IEC 61131-3:1993 NOTE  Harmonized as EN 61131-3:1993 (not modified).
ISO 9000-3:1991 NOTE  Harmonized as EN 29000-3:1993 (not modified).
__________

Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
This European Standard incorporates by dated or undated reference, provisions from other
publications. These normative references are cited at the appropriate places in the text and the
publications are listed hereafter. For dated references, subsequent amendments to or revisions of any
of these publications apply to this European Standard only when incorporated in it by amendment or
revision. For undated references the latest edition of the publication referred to applies (including
amendments).
NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
Publication | Year | Title | EN/HD | Year
IEC 60050-191 | 1990 | International Electrotechnical Vocabulary (IEV) - Chapter 191: Dependability and quality of service | - | -
IEC 60050-351 | 1975 | Chapter 351: Automatic control | - | -
IEC 61508-1 | 1998 + corr. May 1999 | Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements | EN 61508-1 | 2001
IEC 61508-2 | 2000 | Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems | EN 61508-2 | 2001
IEC 61508-3 | 1998 + corr. April 1999 | Part 3: Software requirements | EN 61508-3 | 2001
IEC 61508-5 | 1998 + corr. April 1999 | Part 5: Examples of methods for the determination of safety integrity levels | EN 61508-5 | 2001
IEC 61508-6 | 2000 | Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 | EN 61508-6 | 2001
IEC 61508-7 | 2000 | Part 7: Overview of techniques and measures | EN 61508-7 | 2001
IEC Guide 104 | 1997 | The preparation of safety publications and the use of basic safety publications and group safety publications | - | -
ISO/IEC 2382-14 | 1998 | Data processing - Vocabulary - Part 14: Reliability, maintainability and availability | - | -
ISO/IEC Guide 51 | 1990 | Guidelines for the inclusion of safety aspects in standards | - | -
ISO 8402 | 1994 | Quality management and quality assurance - Vocabulary | EN ISO 8402 | 1995


INTERNATIONAL STANDARD
IEC 61508-4
First edition
1998-12
BASIC SAFETY PUBLICATION
Functional safety of electrical/electronic/programmable electronic safety-related systems –
Part 4: Definitions and abbreviations
© IEC 1998 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,
including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch  Web: www.iec.ch
PRICE CODE
U
Commission Electrotechnique Internationale
International Electrotechnical Commission
Международная Электротехническая Комиссия
For price, see current catalogue


61508-4 © IEC:1998 – 3 –
CONTENTS
FOREWORD
INTRODUCTION
Clause
1 Scope
2 Normative references
3 Definitions and abbreviations
3.1 Safety terms
3.2 Equipment and devices
3.3 Systems: general aspects
3.4 Systems: safety-related aspects
3.5 Safety functions and safety integrity
3.6 Fault, failure and error
3.7 Lifecycle activities
3.8 Confirmation of safety measures
Annex A (informative) Bibliography
Index
Figures
1 Overall framework of this standard
2 Programmable electronic system (PES): structure and terminology
3 Electrical/electronic/programmable electronic system (E/E/PES): structure and terminology
4 Failure model
Table
1 Abbreviations used in this standard

INTERNATIONAL ELECTROTECHNICAL COMMISSION
_________
FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE
ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 4: Definitions and abbreviations
FOREWORD
1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, the IEC publishes International Standards. Their preparation is
entrusted to technical committees; any IEC National Committee interested in the subject dealt with may
participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. The IEC collaborates closely with the International Organization
for Standardization (ISO) in accordance with conditions determined by agreement between the two
organizations.
2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested National Committees.
3) The documents produced have the form of recommendations for international use and are published in the form
of standards, technical reports or guides and they are accepted by the National Committees in that sense.
4) In order to promote international unification, IEC National Committees undertake to apply IEC International
Standards transparently to the maximum extent possible in their national and regional standards. Any
divergence between the IEC Standard and the corresponding national or regional standard shall be clearly
indicated in the latter.
5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with one of its standards.
6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject
of patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61508-4 has been prepared by subcommittee 65A: System aspects,
of IEC technical committee 65: Industrial-process measurement and control.
The text of this standard is based on the following documents:
FDIS | Report on voting
65A/265/FDIS | 65A/275/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
Annex A is for information only.

IEC 61508 consists of the following parts, under the general title Functional safety of
electrical/electronic/programmable electronic safety-related systems:
– Part 1: General requirements
– Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
– Part 3: Software requirements
– Part 4: Definitions and abbreviations
– Part 5: Examples of methods for the determination of safety integrity levels
– Part 6: Guidelines on the application of parts 2 and 3
– Part 7: Overview of techniques and measures
This part 4 shall be read in conjunction with all other parts.
It has the status of a basic safety publication in accordance with IEC Guide 104.
The contents of the corrigendum of April 1999 have been included in this copy.

INTRODUCTION
Systems comprised of electrical and/or electronic components have been used for many years
to perform safety functions in most application sectors. Computer-based systems (generically
referred to as programmable electronic systems (PESs)) are being used in all application
sectors to perform non-safety functions and, increasingly, to perform safety functions. If
computer system technology is to be effectively and safely exploited, it is essential that those
responsible for making decisions have sufficient guidance on the safety aspects on which to
make those decisions.
This International Standard sets out a generic approach for all safety lifecycle activities for
systems comprised of electrical and/or electronic and/or programmable electronic components
(electrical/electronic/ programmable electronic systems (E/E/PESs)) that are used to perform
safety functions. This unified approach has been adopted in order that a rational and consistent
technical policy be developed for all electrically based safety-related systems. A major
objective is to facilitate the development of application sector standards.
In most situations, safety is achieved by a number of protective systems which rely on many
technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic,
programmable electronic). Any safety strategy must therefore consider not only all the
elements within an individual system (for example sensors, controlling devices and actuators)
but also all the safety-related systems making up the total combination of safety-related
systems. Therefore, while this International Standard is concerned with
electrical/electronic/programmable electronic (E/E/PE) safety-related systems, it may also provide a
framework within which safety-related systems based on other technologies may be
considered.
It is recognised that there is a great variety of E/E/PES applications in a variety of application
sectors and covering a wide range of complexity, hazard and risk potentials. In any particular
application, the required safety measures will be dependent on many factors specific to the
application. This International Standard, by being generic, will enable such measures to be
formulated in future application sector international standards.
This International Standard
– considers all relevant overall, E/E/PES and software safety lifecycle phases (for example,
from initial concept, through design, implementation, operation and maintenance to
decommissioning) when E/E/PESs are used to perform safety functions;
– has been conceived with a rapidly developing technology in mind; the framework is
sufficiently robust and comprehensive to cater for future developments;
– enables application sector international standards, dealing with safety-related E/E/PESs, to
be developed; the development of application sector international standards, within the
framework of this International Standard, should lead to a high level of consistency (for
example, of underlying principles, terminology, etc.) both within application sectors and
across application sectors; this will have both safety and economic benefits;
– provides a method for the development of the safety requirements specification necessary
to achieve the required functional safety for E/E/PE safety-related systems;

– uses safety integrity levels for specifying the target level of safety integrity for the safety
functions to be implemented by the E/E/PE safety-related systems;
– adopts a risk-based approach for the determination of the safety integrity level
requirements;
– sets numerical target failure measures for E/E/PE safety-related systems which are linked
to the safety integrity levels;
– sets a lower limit on the target failure measures, in a dangerous mode of failure, that can
be claimed for a single E/E/PE safety-related system; for E/E/PE safety-related systems
operating in
  – a low demand mode of operation, the lower limit is set at an average probability of
    failure of $10^{-5}$ to perform its design function on demand,
  – a high demand or continuous mode of operation, the lower limit is set at a probability of
    a dangerous failure of $10^{-9}$ per hour;
NOTE – A single E/E/PE safety-related system does not necessarily mean a single-channel architecture.
– adopts a broad range of principles, techniques and measures to achieve functional safety
for E/E/PE safety-related systems, but does not use the concept of fail safe which may be
of value when the failure modes are well defined and the level of complexity is relatively
low; the concept of fail safe was considered inappropriate because of the full range of
complexity of E/E/PE safety-related systems that are within the scope of the standard.

FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE
ELECTRONIC SAFETY-RELATED SYSTEMS –
Part 4: Definitions and abbreviations
1 Scope
1.1 This part of IEC 61508 contains the definitions and explanation of terms that are used in
parts 1 to 7 of this standard.
1.2 The definitions are grouped under general headings so that related terms can be
understood within the context of each other. But it should be noted that these headings are not
intended to add meaning to the definitions, and in this sense the headings should be
disregarded.
1.3 Parts 1, 2, 3 and 4 of this standard are basic safety publications, although this status does
not apply in the context of low complexity E/E/PE safety-related systems (see 3.4.4 of part 4).
As basic safety publications, they are intended for use by technical committees in the
preparation of standards in accordance with the principles contained in IEC Guide 104 and
ISO/IEC Guide 51. Parts 1, 2, 3, and 4 are also intended for use as stand-alone publications.
One of the responsibilities of a technical committee is, wherever applicable, to make use of
basic safety publications in the preparation of its publications. In this context, the requirements,
test methods or test conditions of this basic safety publication will not apply unless specifically
referred to or included in the publications prepared by those technical committees.
1.4 Figure 1 shows the overall framework for parts 1 to 7 of IEC 61508 and indicates the role
that IEC 61508-4 plays in the achievement of functional safety for E/E/PE safety-related
systems.
NOTE – In the USA and Canada, until the proposed process sector implementation of IEC 61508 (i.e. IEC 61511) is
published as an international standard in the USA and Canada, existing national process safety standards based on
IEC 61508 (i.e. ANSI/ISA S84.01-1996) can be applied to the process sector instead of IEC 61508.

[Figure 1: diagram not reproduced. Boxes under "Technical requirements": PART 1, Development of the overall safety requirements (concept, scope definition, hazard and risk analysis) (E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities), 7.1 to 7.5; PART 1, Allocation of the safety requirements to the E/E/PE safety-related systems, 7.6; PART 2, Realisation phase for E/E/PE safety-related systems; PART 3, Realisation phase for safety-related software; PART 1, Installation and commissioning and safety validation of E/E/PE safety-related systems, 7.13 and 7.14; PART 1, Operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems, 7.15 to 7.17. Boxes under "Other requirements": PART 4, Definitions and abbreviations; PART 1, Documentation, Clause 5 and annex A; PART 1, Management of functional safety, Clause 6; PART 1, Functional safety assessment, Clause 8. Further boxes: PART 5, Risk based approaches to the development of the safety integrity requirements; PART 7, Overview of techniques and measures; PART 6, Guidelines for the application of IEC 61508-2 and IEC 61508-3.]

Figure 1 — Overall framework of this standard

2 Normative references
The following normative documents contain provisions which, through reference in this text,
constitute provisions of this part of IEC 61508. For dated references, subsequent amendments
to, or revisions of, any of these publications do not apply. However, parties to agreements
based on this part of IEC 61508 are encouraged to investigate the possibility of applying the
most recent editions of the normative documents indicated below. For undated references, the
latest edition of the normative document referred to applies. Members of IEC and ISO maintain
registers of currently valid International Standards.
IEC 60050(191):1990, International Electrotechnical Vocabulary (IEV) – Chapter 191: Dependability and quality of service
IEC 60050(351):1975, International Electrotechnical Vocabulary (IEV) – Chapter 351: Automatic control
IEC 61508-1:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
IEC 61508-2:—, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems 1)
IEC 61508-3:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements
IEC 61508-5:1998, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 5: Examples of methods for the determination of safety integrity levels
IEC 61508-6:—, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 1)
IEC 61508-7:—, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 7: Overview of techniques and measures 1)
IEC Guide 104:1997, The preparation of safety publications and the use of basic safety publications and group safety publications
ISO/IEC 2382-14:1998, Data processing – Vocabulary – Part 14: Reliability, maintainability and availability
ISO/IEC Guide 51:1990, Safety aspects – Guidelines for their inclusion in standards
ISO 8402:1994, Quality management and quality assurance – Vocabulary
________
1) To be published.

3 Definitions and abbreviations
For the purposes of this International Standard, the following definitions and the abbreviations
given in table 1 apply.
Table 1 — Abbreviations used in this standard
Abbreviation | Full expression | Definition and/or explanation of term
MooN | M out of N channel architecture (for example 1oo2 is 1 out of 2 architecture, where either of the two channels can perform the safety function) | Annex B of IEC 61508-6
MooND | M out of N channel architecture with diagnostics | Annex B of IEC 61508-6
ALARP | As low as is reasonably practicable | Annex B of IEC 61508-5
E/E/PE | Electrical/electronic/programmable electronic | 3.2.6
E/E/PES | Electrical/electronic/programmable electronic system | 3.3.3
EUC | Equipment under control | 3.2.3
PES | Programmable electronic system | 3.3.2
PLC | Programmable logic controller | Annex E of IEC 61508-6
SIL | Safety integrity level | 3.5.6
3.1 Safety terms
3.1.1
harm
physical injury or damage to the health of people either directly or indirectly as a result of
damage to property or to the environment
[ISO/IEC Guide 51:1990 (modified)]
NOTE – This definition will need to be addressed when carrying out a hazard and risk analysis (see IEC 61508-1, 7.4).
If the scope is to be widened (e.g. to include environmental damage which may not give rise to physical injury or
damage to health) then this would need to be addressed in the Overall Scope Definition phase (see IEC 61508-1, 7.3).
3.1.2
hazard
potential source of harm [ISO/IEC Guide 51:1990]
NOTE – The term includes danger to persons arising within a short time scale (for example, fire and explosion) and
also those that have a long-term effect on a person’s health (for example, release of a toxic substance).
3.1.3
hazardous situation
circumstance in which a person is exposed to hazard(s)
3.1.4
hazardous event
hazardous situation which results in harm
3.1.5
risk
combination of the probability of occurrence of harm and the severity of that harm
[ISO/IEC Guide 51:1990 (modified)]
NOTE – For more discussion on this concept see annex A of IEC 61508-5.
3.1.6
tolerable risk
risk which is accepted in a given context based on the current values of society
NOTE – See annex B of IEC 61508-5.

3.1.7
residual risk
risk remaining after protective measures have been taken
3.1.8
safety
freedom from unacceptable risk
3.1.9
functional safety
part of the overall safety relating to the EUC and the EUC control system which depends on the
correct functioning of the E/E/PE safety-related systems, other technology safety-related
systems and external risk reduction facilities
3.1.10
safe state
state of the EUC when safety is achieved
NOTE – In going from a potentially hazardous condition to the final safe state, the EUC may have to go through a
number of intermediate safe states. For some situations a safe state exists only so long as the EUC is continuously
controlled. Such continuous control may be for a short or an indefinite period of time.
3.1.11
reasonably foreseeable misuse
use of a product, process or service under conditions or for purposes not intended by the
supplier, but which can happen, induced by the product, process or service in combination with,
or as a result of, common human behaviour
3.2 Equipment and devices
3.2.1
functional unit
entity of hardware or software, or both, capable of accomplishing a specified purpose
NOTE – In IEV 191-01-01 the more general term “item” is used in place of functional unit. An item may sometimes
include people.
[ISO/IEC 2382-14-01-01]
3.2.2
software
intellectual creation comprising the programs, procedures, data, rules and any associated
documentation pertaining to the operation of a data processing system
NOTE 1 – Software is independent of the medium on which it is recorded.
NOTE 2 – This definition without note 1 differs from ISO 2382-1, and the full definition differs from ISO 9000-3, by
the addition of the word data.
3.2.3
equipment under control (EUC)
equipment, machinery, apparatus or plant used for manufacturing, process, transportation,
medical or other activities
NOTE – The EUC control system is separate and distinct from the EUC.

...
