In the first post in this series, I gave an overview of how utilities can use the IEC 61508 standard as a framework to maintain high levels of safety while deploying IEDs on electric networks. In that post, I listed three steps toward that goal.
- Balance cost and safety
- Apply standards
- Create a maintenance plan
After sharing details about step 1 in my previous post, I want to move on to step 2 today—applying standards.
The IEC 61508 standard is widely used by electronic device manufacturers or suppliers when any part of the safety function relies on the correct functioning of an electrical/electronic/programmable electronic system and where an application-sector standard does not exist.
IEC 61508 specifies the risk assessment and safety function design measures for fault avoidance and control. It provides a complete safety life cycle that accounts for risk of physical injury and environmental damage. Acceptable risk levels are determined and procedures for residual risk management over time are established.
The standard also requires that hardware can tolerate a certain level of random faults, as well as demonstrate safe operation in harsh environments. Furthermore, it requires that the failure probability of each safety function be calculated.
In order to achieve the necessary Safety Integrity Level (SIL), the standard requires proof of residual risk, which is based on the probability of dangerous failure. The calculation is based on the equipment components that influence the entire safety loop (e.g., sensor, IED, actuator). Failure probabilities of each component are considered together so that the safety level of the holistic architecture can be determined.
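As an added illustration of this loop-level calculation (example code written for this post, not part of the standard or of any vendor's tooling), the following combines the dangerous-undetected failure rate and proof-test interval of each element of a constructed sensor/IED/actuator loop, sums the resulting probabilities of dangerous failure on demand, and maps the total onto the IEC 61508 low-demand SIL bands. The component figures are made up for the example; the 1oo1 formula and the band limits are the standard's own.

```python
# Added example (not from the original post): a simplified IEC 61508
# low-demand safety-loop calculation. Component values are constructed
# for illustration and do not describe any real product.
from dataclasses import dataclass

# IEC 61508-1 SIL bands for average probability of dangerous failure on
# demand (PFDavg), low-demand mode: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


@dataclass
class Component:
    """One element of the safety loop (sensor, logic solver/IED, actuator)."""
    name: str
    lambda_du: float      # dangerous undetected failure rate, per hour
    proof_test_h: float   # proof-test interval in hours

    def pfd_avg(self) -> float:
        # 1oo1 approximation: PFDavg ~= lambda_DU * T_proof / 2
        # (valid when lambda_DU * T_proof << 1; common-cause and
        # diagnostic-coverage terms are deliberately omitted here).
        return self.lambda_du * self.proof_test_h / 2


def loop_pfd(components) -> float:
    """The loop fails dangerously if any single element does, so PFDs add."""
    return sum(c.pfd_avg() for c in components)


def sil_for_pfd(pfd: float) -> int:
    """SIL achieved for a given PFDavg; 0 means no SIL (PFDavg >= 1e-1)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    # Below 1e-5 is beyond the highest band; SIL 4 is the ceiling.
    return 4 if pfd < 1e-5 else 0


def contributions(components):
    """Share of the loop PFD attributable to each element (worst first)."""
    total = loop_pfd(components)
    shares = [(c.name, c.pfd_avg() / total) for c in components]
    return sorted(shares, key=lambda s: s[1], reverse=True)


# Constructed loop: annual proof test (8760 h) for every element.
EXAMPLE_LOOP = [
    Component("CT/VT sensor", 2e-7, 8760),
    Component("protection IED", 5e-8, 8760),
    Component("circuit breaker", 4e-7, 8760),
]

if __name__ == "__main__":
    total = loop_pfd(EXAMPLE_LOOP)
    print(f"loop PFDavg = {total:.3e} -> SIL {sil_for_pfd(total)}")
    for name, share in contributions(EXAMPLE_LOOP):
        print(f"  {name:16s} {share:5.1%} of loop PFD")
```

With these constructed figures the loop lands in SIL 2 even though the IED on its own would sit in the SIL 3 band, and the breaker contributes most of the risk; this is the reason the text stresses that the whole loop, not the IED alone, determines the achieved safety level.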
The comprehensive IEC 61508 standard addresses hardware, software, systematic, environmental, and operational failures. It recommends a set of techniques and measures for controlling these failures.
Examples of the type of guidance provided in the hardware domain include the following:
- Verification of measured signals through analogue signal monitoring by comparative reading between current/voltage phases
- Processing unit verification by a second processing unit through the reciprocal exchange of data and by detecting differences
- Output verification by coil monitoring of relays
Recommendations to achieve required safety integrity on the software side include:
- Self-test implementation to monitor the electronics at start-up and during IED operation, and to monitor program execution and data integrity
- Static and dynamic analysis tools
- Automated verification tools
- Certified tools for code generation
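Two of the measures listed above, the reciprocal data exchange between processing units and the self-test of data integrity, are small enough to show end to end. The following is an added example written for this post (it is not code from the standard, the white paper, or any IED firmware): a protection settings block is sealed with a CRC-32 and checked on load, and two processing channels each compute an overcurrent trip decision, exchange results, and force a safe state on any disagreement. The pickup values, the fault-injection switch, and the "safe_state" label are constructed for illustration.

```python
# Added example (not from the original post): two IEC 61508 fault-control
# measures in simplified form:
#  * a settings-block integrity self-test (CRC-32 checked when loaded), and
#  * a two-channel trip decision with reciprocal result exchange, where any
#    disagreement drives the function to its safe state.
# Sample values, thresholds and the safe-state label are constructed.
import struct
import zlib


# --- data integrity self-test -------------------------------------------
def seal_settings(pickup_a: float, delay_ms: int) -> bytes:
    """Serialise protection settings and append a CRC-32 trailer."""
    body = struct.pack(">dI", pickup_a, delay_ms)
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def load_settings(block: bytes):
    """Return (pickup_a, delay_ms) if the CRC matches, else None (fault)."""
    if len(block) != 16:
        return None
    body, stored = block[:-4], struct.unpack(">I", block[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != stored:
        return None
    pickup_a, delay_ms = struct.unpack(">dI", body)
    return pickup_a, delay_ms


# --- two-channel decision with reciprocal comparison --------------------
def channel_decision(current_a: float, pickup_a: float) -> bool:
    """Trip decision of one processing channel: True means 'trip'."""
    return current_a > pickup_a


def dual_channel_trip(current_a: float, settings_block: bytes,
                      corrupt_channel_b: bool = False) -> str:
    """Run both channels, exchange results and compare.

    Returns 'trip', 'no_trip' or 'safe_state'. corrupt_channel_b simulates
    a fault on the second processing unit so the mismatch path is exercised.
    """
    settings = load_settings(settings_block)
    if settings is None:
        return "safe_state"          # integrity self-test failed
    pickup_a, _delay_ms = settings
    result_a = channel_decision(current_a, pickup_a)
    result_b = channel_decision(current_a, pickup_a)
    if corrupt_channel_b:
        result_b = not result_b      # constructed fault injection
    # Reciprocal exchange: each channel sees the other's result. Any
    # difference is detected and the safe state is selected instead of
    # trusting either channel alone.
    if result_a != result_b:
        return "safe_state"
    return "trip" if result_a else "no_trip"


if __name__ == "__main__":
    block = seal_settings(1200.0, 300)          # constructed settings
    print(dual_channel_trip(1500.0, block))     # trip
    print(dual_channel_trip(800.0, block))      # no_trip
    print(dual_channel_trip(1500.0, block, corrupt_channel_b=True))  # safe_state
    damaged = bytearray(block)
    damaged[0] ^= 0x01                          # single flipped bit
    print(dual_channel_trip(1500.0, bytes(damaged)))  # safe_state
```

A real IED would run the second channel on a separate processor with its own memory and compare over a hardware link, and would repeat the CRC check periodically rather than only at load; the example keeps the comparison and detection logic and leaves out that physical separation.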
IEC 61508 also details requirements regarding development methods, project team competence, project management, change management, requirement tracking, and documentation.
Safety integrity level, company experience, and the complexity and uniqueness of the design each impact proper standard implementation. Because assessments that evaluate system reliability are relatively new in the power system domain, the current recommended practice is to use an accredited, independent organization to perform the assessment. Assessment by an external body ensures that appropriate techniques and measures are selected and applied. A third party can also ensure that quality levels are achieved without requiring each utility stakeholder to become an expert in functional safety.
In the future I’ll post more details about step three in this process—creating maintenance plans. In the meantime, you’re welcome to learn more about this topic from a free white paper I recently co-authored with my colleagues: Impact of IEC 61508 Standards on Intelligent Electrical Networks and Safety Improvement.
A short comparison among several standards for critical software (IEC 61508-3, UL 1998, IEC 60880) is provided in the white paper. Despite differences in detail, the presented standards share the same objective: to produce reliable and robust software with predefined behavior in case of fault. An independent assessment will verify all the phases of critical software development.