TÜV Rheinland Group - ASI : Automation, Software, Information Technology

FAQ & Support

Functional Safety - FAQ

What are SIL levels?
The newly published international standard IEC 61508 ("Functional Safety of electrical/electronic/ programmable electronic safety-related systems") defines four SIL levels (1 to 4). (SIL = Safety Integrity Level.) There is no direct conversion between the AK categories and SIL levels, but for example in a typical application AK 5 and AK 6 might correspond to SIL 3. Because IEC 61508 is new, the DIN standards are still in common use.
IEC 61508 is a generic standard, and can be applied to any industry that uses programmable systems for safety functions. The SIL levels from IEC 61508 are also used in (draft) IEC 61511 (for the Process industry).

What are "AK" and "RC" ratings?
German standard DIN V 19250 ("Basic Safety Evaluation of Measuring and Control Protective Equipment") defines eight "AK" classes (1 to 8). AK = Anforderungsklasse = Requirement Class (RC). These ratings are used in DIN V VDE 0801 (for computers/PLC's), and more generally, in (draft) DIN 19251.

How do I get a "TUV rating" for my product?
TUV certifies to third-party standards: DIN, IEC, ANSI, UL, etc. (TUV does not write standards.) TUV Rheinland has for many years certified to the German DIN standards regarding functional safety of control equipment, PLC's, etc. (See AK ratings, above.) TUV also assesses SIL levels, in accordance to IEC 61508.

What standards apply for Functional Safety in US & Canada?

On a voluntary basis, IEC 61508 (and draft IEC 61511) can be used.
UL 1998 ("Software in Programmable Components") is used for some products. (Some consider that it is more applicable to application software than operating systems.). It has recently been slightly revised, but the main content is quite old.
In the USA and Canada, the Process Industry uses ANSI/ISA S84.01. This standard was designed to be compatible with draft versions of IEC 61508. Now that IEC 61508 has be published, ISA S84.01 is likely to be revised. Eventually, ISA S84.01 may be replaced/merged with IEC 61511.

What is the difference between IEC 61508 and ANSI/ISA S84.01?

IEC 61508 is for all industries. ANSI/ISA S84.01 is intended only for use in the Process industry.
ANSI/ISA S84.01 uses only three SIL levels (SIL 1 to 3), these are defined (almost) identically to SIL levels 1 to 3 in IEC 61508.
S84.01 does not address the complete product life-cycle, from design to decommissioning, IEC 61508 does. (For a complete analysis, see section 12 of S84.01.)

Who can certify to all the above standards?
We can! TUV Rheinland can certify to any of the above standards, as appropriate. For example, TUV can simultaneously evaluate a product to IEC, DIN and ANSI/ISA standard(s), and thus can determine both an AK and a SIL rating. TUV can also certify to UL standards, including UL 1998.

Is UL 1998 in TUV's Scope of Accreditation for NRTL?
No. And it isn't in UL's scope either! This is simply because OSHA have not included that standard in their NRTL program. However, both TUV and UL can test a product to UL 1998, and if it passes, can apply their mark, in our case, "TUVus".
(There are many other US standards that TUV can certify to, but which are not in the NRTL program. One notable example is ANSI/NFPA 79.)

What is Functional Safety?
For most products, a failure to function can cause loss of production, but is not usually a safety hazard. A standard safety assessment considers whether either normal operation or a failure of the product is likely to directly cause a hazard of physical injury, electrocution, fire, etc. However when a product is used for a safety function - for example a light curtain, safety-PLC, fire detection system, etc. - a failure of the product could expose people or equipment to other hazards. For these devices, a Functional Safety evaluation should be performed.

What is IEC 61508?
IEC 61508 is a seven part international standard for Programmable Electronic Systems used in safety-related situations. The full title is, "Functional safety of Electrical / Electronic / Programmable Electronic Safety-related systems" (E/E/PE or E/E/PES). IEC 61508 covers manufacturing and supplying devices to be certified for use in safety instrumented systems (SIS).
The standard is generic, and applies to safety-related control systems, PLC's, devices and components (including sensors, actuators and the operator interface). The main areas covered by the standard are:

measures and techniques for avoidance and control of faults during design and development of hardware, operating system software and application software
hardware fault tolerance of systems / subsystems (including "safe failure fraction" and diagnostic coverage)
probability of "failure to danger" of the subsystem (reliability modeling techniques)

What is IEC 61511?
IEC 61511, "Functional safety instrumented systems for the process industry sector", is a three-part international standard. It is still a draft (unpublished). It covers designing, integration, installation, using, maintaining, modifying, and decommissioning of SIS. As the title implies, this standard (unlike IEC 61508) is specific to the process industry.

What is a Safety PLC?
Standard PLC's (programmable logic controllers) are unsuitable for use for safety functions, because a single failure can cause them not to work as intended. They are not designed, and should not be used for, implementing an emergency stop system, nor to control a safety-critical process. However, a few manufacturers now make special PLC's ("Safety PLC's) that are designed and third-party approved for safety functions. These use redundant (two or three channel) and diverse architecture. This enables them to function correctly even in the presence of a fault. A diverse architecture helps to reduce common-mode failures due to systematic issues or component design flaws. Typical methods for achieving diversity include using a different brand of microprocessor on each channel (for example, Motorola, Siemens and Intel), different compilers and software libraries, different logic families (CMOS, TTL) on each channel, and so on. Safety PLC's must include extensive internal cross-checking and self-monitoring, so that a fault can be normally detected before an accumulation of faults leads to a hazard.
Note: the use of Safety PLC's is effectively restricted by some national regulations, that still specify the use of hardware-based, or even hardwired, circuits for certain purposes. (One example of a restriction is in US standard ANSI/NFPA 79.)

Contact

TUV Rheinland of North America, Inc. (Chicago Office)

Glyn R. Garside
1945 Techny Rd, Unit 4, NORTHBROOK, IL 60062-5357, USA

Tel ++1 - 847 - 562-9888 extn 25
Fax ++1 - 847 - 562-0688
mailto:ggarside@us.tuv.com
http://www.us.tuv.com