The safety life cycle

An international standard for safety management IEC 61508 (IEC, 1998) has been developed for protection systems, such as a system that stops a train if it passes a red signal. In this standard, safety specification focuses on the specification of the protection system and is seen as a separate activity from specifying the requirements of the protected system. I explain the relationship between protection systems and the system being protected in Chapter 13, Dependability engineering, in the section on dependable systems architectures.

Figure 1 is a simplified form of Redmill’s presentation of the standard safety life cycle (Redmill, 1998). As you can see, this standard covers all aspects of safety management from initial scope definition through planning and system development to system decommissioning.

Figure 1. The IEC 61508 safety life cycle

In this model, it is assumed that a control system controls some equipment that has associated high-level safety requirements. These high-level requirements generate two types of more detailed safety requirements that apply to the protection system for the equipment:

  1. Functional safety requirements that define the safety functions of the system
  2. Safety integrity requirements that define the reliability and availability of the protection system. These are based on the expected usage of the protection system and are intended to ensure that it will work when it is needed. Systems are classified using a safety integrity level (SIL) from 1 to 4. Each SIL level represents a higher level of reliability; the more critical the system, the higher the SIL required.

The first stages of the IEC 61508 safety life cycle define the scope of the system, assess the potential system hazards and estimate the risks they pose. This is followed by safety requirements specification and the allocation of these safety requirements to different sub-systems. The development activity involves planning and implementation. The safety-critical system itself is designed and implemented, as are related external systems that may provide additional protection. In parallel with this, the safety validation, the installation, and the operation and maintenance of the system are planned.

Safety management does not stop on delivery of the system. After delivery, the system must be installed as planned so that the hazard analysis remains valid. Safety validation is then carried out before the system is put into use. Safety must also be managed during the operation and (particularly) the maintenance of the system. Many safety-related systems problems arise because of a poor maintenance process so it is particularly important that the system is designed for maintainability. Finally, safety considerations that may apply during decommissioning (e.g., disposal of hazardous material in circuit boards) should also be taken into account.


IEC. 1998. Standard IEC 61508. Functional safety of electrical/electronic/programmable electronic safety-related systems.

Redmill, F. 1998. IEC 61508: principles and use in the management of safety. IEE Computing and Control Engineering, 9 (10), 205–13.

(c) Ian Sommerville 2008