ABSTRACT
Safety is demonstrated not by compliance with prescribed processes, but by assessing hazards, mitigating those hazards, and showing that the residual risk is acceptable. The generic model used in International Electrotechnical Commission (IEC) 61508 is of a piece of industrial equipment that can inherently give rise to safety hazards, and a safety function that monitors it and moves it into a safe state when a hazardous situation is detected. IEC 61508 and its derivatives are firmly rooted in the idea that the study of device safety is the study of device failure. Dangerous situations occur when control actions do not enforce safety, when control actions are incorrectly co-ordinated between controllers, and when the control structure gets out of line with the process being controlled, causing the controller to issue an inappropriate control action. Systems where behavior has been learned, rather than being programmed explicitly, are particularly vulnerable to limitations in the intended functional.
