IEC 61508 assigns four software and hardware safety integrity levels (SILs) to required measures of risk reduction. Guidance is then provided on the system configuration, level of subsystem fault tolerance and diagnostic coverage, and safety life-cycle measures required to achieve the designated hardware SIL, and the software methods and life-cycle measures required to achieve the designated software SIL. It also provides guidance on qualitative methods for establishing the SIL level required. Part 2 of the standard places architectural constraints on the hardware configuration by setting minimum fault tolerance and diagnostic coverage requirements for each element or subsystem. It should be noted that IEC 61508 limits the risk reductions which can be claimed for a safety related E/E/PES which operated in low demand mode or continuous mode to no better than 10-6 and 10-9 respectively for SIL4.
The requirement is more demanding for subsystems which do not have well defined behaviour modes or behaviour (e.g. programmable systems). The standard requires that a reliability model of the system architecture be created and the reliability predicted and compared with the target safety integrity level to confirm that the required risk reduction has been achieved.
It is necessary to demonstrate that the required level of integrity has been achieved in the design, installation, operation and maintenance of the system.
It should be noted that the integrity of a safety related system is critically dependant upon the detection and correction of dangerous failures. Where there is a low level of diagnostic coverage, as is usually the case with lower integrity systems, then the integrity is critically dependent upon the proof test interval. Where there is a high level of diagnostic coverage to automatically reveal failures on-line, for example for high demand high integrity systems, then the integrity is also heavily dependant upon the frequency of diagnostic checks, and the mean time to repair the equipment, which includes the diagnostic test interval.
SIL levels are now being quoted for proprietary subsystems (and certified by test bodies). Quoted SILs should be associated with proof test intervals, diagnostic coverage and fault tolerance criteria. They are useful for evaluation of architectural constraints, but do not eliminate the requirement to confirm that the requires safety integrity level for the safety function provided by the system has been achieved. Software includes high level user application programmes and parameter settings.