Posts Tagged ‘Safety & IEC 61508’

IEC 61508: SIL Certification for COPA-DATA

Thursday, February 12th, 2015

The most important objective in relation to our intended SIL certification was to amend the structures, processes and requirements that had existed for years at COPA-DATA to the requirements of IEC 61508. The requirements should be implemented in such a way that they can be integrated into our daily working life.

In doing so, it was helpful that our product development was operated on the basis of a V-model and on well-established tools used in lifecycle management for example, which have been in use for years. As part of the SIL project, special central definitions for safety-related developments were created and amendments to existing methods were carried out together with TÜV Süd. The most important were

Safety lifecycle:

Defines the complete lifecycle of a safety-related component. From planning through development and testing to defect management and the provision of the components.

Safety plan:

The safety plan is used during a development project as a type of project management handbook.

Templates for requirements and performance specification:

Special templates for safety-related components ensure complete coverage of the requirement and forwards and backwards traceability.

SIL programming guidelines:

Special coding guidelines on the basis of MISRA 2012 and corresponding checks through static code analyses ensure that there are no systematic programming errors.

Safety handbook:

Describes the implementation and test results of a safety-related component and provides the user with information on correct use.


Adaptation of all tools that are used as part of the lifecycle for the enhanced processes and requirements of IEC 61508.


Training of the employees involved in the specifics of IEC 61508.

The audit for our certification in accordance with SIL 2 ultimately took place in summer 2014 and was carried out by TÜV Süd Munich, an independent and neutral body. In doing so, our processes, procedures, tools, quality standards and documentation were tested for their suitability for safety-critical systems. In fall 2014, TÜV Süd confirmed that all necessary requirements for the display of the official certificate for SIL 2 had been met.

zenon can thus be used in safety-critical applications for process visualization and control. Numerous safety-related functions support our customers in the creation of safe applications. In addition, certification by TÜV Süd creates the necessary underlying conditions for safety-compliant implementation.

IEC 61508 and the Safety Integrity Level: Relevance for software and component manufacturers

Thursday, February 5th, 2015

zenon for railwayIn the previous blog posts we already described the IEC 61508 safety standard and the so called “Safety Integrity Level”:

The Safety Integrity Level (SIL) is a system to evaluate the reliability and safety of electric, electronic and programmable electronic systems (E/E/PE systems). It is based on the IEC 61508 standard. COPA-DATA is SIL 2 certified which means the HMI/SCADA software zenon can be used for process visualization and control in safety-critical applications.

But why should software development be certified in accordance with SIL?

Relevance for software and component manufacturers

The set of standards describes the lifecycle of the complete safety-orientated system. This starts with the planning and ends with the decommissioning of E/E/PE systems with safety-related functions.

IEC 61508 is subdivided into seven parts, whereby only parts one to four are normative; parts five to seven are for information only. Of the seven parts, Parts 1 and 3 are of particular interest to the software industry.

Part 1: General requirements

IEC 61508 defines part 1 as a “general basic standard”. This can be used if there is no application-specific standard derived from it. It primarily defines a superordinate safety lifecycle in order to be able to handle all necessary activities and tasks systematically. In all phases of this lifecycle, measures for the management, verification and evaluation of the functional safety are carried out and – most of all – documented. This also applies for the creation and maintenance of software. The requirements for this are primarily defined in Part 3.

Part 3: Requirements for software

This part describes techniques and procedures for how software should be developed and documented. A detailed safety lifecycle is also defined for software for the overall system. The individual safety requirements for the software must be derived from the requirements of an E/E/PE system and the safety requirements defined there. In addition, Part 3 describes development techniques for each SIL and provides notes on how to select the appropriate procedure for designing and developing the software.

Software planning and development in accordance with IEC 61508-3 forces the manufacturer to precisely define its processes and procedures. Working stages must be documented and checked with precision. The work in each working stage must be checked by a second person.

zenon_IEC-61508_SIL2We have been practicing all these measures for many years with the development of our zenon Product Family and thus benefit from a correspondingly large knowledge base. Because we already meet the requirements of the IEC 61508-3 standard in many areas, it was a no-brainer that we should subject ourselves to SIL certification.

In our next blog post we will go more in details of the SIL certification for COPA-DATA.


How zenon safeguards your mission critical application: The Safety Integrity Level

Thursday, January 22nd, 2015

Last time we discussed the necessity of safety and reliability concepts for specific processes. The IEC61508 safety standard uses the so called “Safety Integrity Level” to create a guide for all activities along the lifecycle of a mission critical system.

The “Safety Integrity Level”

An initial evaluation step is necessary to analyze the possible hazards and risks stemming from processes. The possible dangers for people, the environment and material assets are closely investigated. This leads to the so called “Safety Integrity Level” (SIL), which determines “the relative level of risk reduction” to be attained development-wise.

In other words, the SIL determines how to shape the development process in order to reasonably attain a respective risk coverage. Appropriate counter measures may affect both the technical implementation as well as all the related development and verification steps. Based on the given SIL level, specific demands regarding management processes, failure analysis, quality control or validation and verification techniques have to be fulfilled. The higher the SIL level, the higher the demands. In the end, the identified risks have to be appropriately refined and effectively controlled.


Preparatory steps in safety relevant applications

zenon in mission critical applications

zenon has proven its reliability in various applications. zenon provides means to attain highest reliability in mission critical 24/7 operations – just think of redundancy, topology, user management, alarming, audit-trail and editing history, access limitation, load management, data validation or zenon´s superior security features.

On top of that, COPA-DATA is certified according to IEC61508/SIL2. TÜV SÜD Rail GmbH confirms COPA-DATA’s ability to develop software components for zenon according to the high development quality criteria of the safety standard.


Functional safety is a vital topic which requires a stable and reliable system backbone, also on the HMI/SCADA level. With zenon you are well prepared to achieve the requirements you need, not just reliably, but also safely.

How to safeguard your mission critical application, a focus on IEC 61508

Thursday, January 15th, 2015

tunne_automationToday, many routines and products from our daily lives are based on technology driven processes. Each process demands for control solutions to meet the specific process requirements in the first order. But regardless of the pure fulfillment of these functional requirements there is very often potential for hazards which may arise from the process in specific situations or along with its specific boundary conditions.

Just think of a traffic management system, which orchestrates the masses of vehicles on the streets and crossings, or in tunnels. Reliability is key to maintain coordination for a smooth traffic flow or to launch emergency programs, once an incident is recognized.

In another case it could be a chemical reactor which requires tight physical monitoring and, in case of abnormal behavior, a reliable control sequence for an immediate shutdown procedure.

For a production machine or a robot cell, physical operator interaction may be required from time to time. Any kind of uncontrolled machine behavior can lead to threatening situations for the operator.

All the examples mentioned above call for specific considerations and measures to cope with potentially hazardous situations. Any kind of malfunction could lead to severe damage to specific assets or even threaten human lives. This calls for concepts to guarantee functional safety.

A generic standard for functional safety: The IEC 61508

A number of standards and methods have been published to address the need for functional safety in industrial applications. The international standard IEC 61508 provides a comprehensive framework for the systematic conception, development, verification and validation of applications under consideration of the “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems” (E/E/PES).

The IEC 61508 is a generic standard. It is not specifically bound to any industry. There are, however specializations of the standard, such as:
•    EN 50129 Railway Applications – Communication, Signaling and Processing Systems
•    EN 62061 Safety of Machinery
•    ISO CD 26262: Road Vehicles – Functional Safety

The IEC 61508 defines the required engineering measures to take whenever electric, electronic and software components are utilized to control process components, the so called “Equipment Under Control” (EUC). This of course becomes specifically relevant, once an application involves potentially dangerous situations. The “Safety Integrity Level” is used as a measurement to indicate “how dangerous” specific conditions can get and, in turn, how sophisticated respective countermeasures have to be.