Abstract

It is estimated that about 66% of the Programmable Electronic Systems (PES) running in the process industry were installed before the publication of today's commonly used safety standards (IEC 61508 and IEC 61511/ISA 84).

Some of those safety systems, particularly the ones installed between the late 1980's and early 2000, are either:

1. General purpose PLCs,
2. Not designed or certified according to the IEC 61508,
3. Might not satisfy current requirements on IEC 61508.

In some cases they were not implemented according to ISA 84 or IEC 61511.

This white paper covers the changes in the safety standards affecting those systems; a follow-up white paper will address the safety lifecycle activities involved in modifying or decommissioning an existing system to install certified Safety Systems according to today's standards.
Keywords

Programmable Electronic System, Safety Instrumented System, Functional Safety Management System, Proven in Use

Author

Luis M. Duran
TUV FS Eng #902/07
Product Marketing Manager Safety Systems
ABB
Houston, TX
email: luis.m.duran@us.abb.com
What is the issue?

The economic growth of heavily regulated industries such as Oil & Gas and Power, increased demand for energy from BRICs economies, particularly China and India, and the increased acceptance of international functional safety standards, especially after major incidents, are driving the growth of the Safety Automation Market in the Process Industries, with growth estimated at 9% CAGR.

This trend is likely to continue for the process industries (which include non-nuclear power, chemical, petrochemical, refining and oil & gas production), as about 66% of the Programmable Electronic Systems used in safety applications were installed between 11 and 30 years ago, before ISA 84, IEC 61508 or IEC 61511 were issued and recognized as good engineering practices.[1] The same source indicates that many users have extended the lifespan of their system beyond their supplier's obsolescence notice.

Additionally, there are many relay-based safety systems that missed the initial wave of automation or were left alone because installing a digital electronic programmable system was not economically feasible for the plant in those applications at the time.
Prescriptive vs. Performance Based Functional Safety Standards

The international Functional Safety standard IEC 61508, "Functional safety of electrical/electronic/programmable electronic safety-related systems", is a general standard applicable to multiple industries. In addition to IEC 61508, there are industry-specific standards. For the process industries, the applicable international safety standard is IEC 61511; ISA has adopted IEC 61511 in their latest revision of ISA 84. Although there are similar changes affecting the machinery safety standards, this paper will only cover the process industries and IEC 61511.

IEC 61508 and IEC 61511/ISA 84 are known as performance-based safety standards. In contrast with previous standards, which prescribe the type of protective functions needed to reduce risk, performance-based standards require an analysis of the hazards associated with the process, of the risk reduction alternatives, and the determination of the performance needed to reduce risk to an acceptable level.
Grandfather clause

The concept of the "grandfather clause" in ISA 84.01-2004[1] originated with OSHA 1910.119. The grandfather clause's intent is to recognize prior good engineering practices (e.g., ANSI/ISA 84.01-1996) and to allow their continued use with regard to existing Safety Instrumented Systems.

According to ISA TR84.00.04-2005 Part 1, "Guidelines for the Implementation of ANSI/ISA 84.00.01-2004 (IEC 61511 Mod)": "For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issuance of this standard (e.g., ANSI/ISA 84.01-1996), the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner."[2]

[1] ARC, INSIGHT# 2010-53EMPH, The Coming Wave of Process Safety System Migration

The Technical Report highlights two essential steps:

1) Confirm that a hazard and risk analysis has been done to determine, qualitatively or quantitatively, the level of risk reduction needed for each SIF in the SIS.
2) Confirm that an assessment of the existing SIF has been performed to determine that it delivers the needed level of risk reduction.

According to ISA TR84.00.04-2005 Annex A.2.3, if those activities have not been done, they should be scheduled for review at the next appropriate opportunity, which means when any of the following conditions is met:

- Modifications to the process unit that impact process risk managed by the SIS;
- Modifications to the control system that impact protection layers used to achieve safe operation;
- When an incident or near-miss investigation has identified an SIS deficiency; or
- When the review of another process unit designed according to similar practice has identified an SIS deficiency.
Where are the Safety Certificates?

In reviewing project specifications during the bidding phase of a project, it is common to find ISA 84 or IEC 61511 as a requirement of mandatory compliance. Compliance with IEC 61511 implies more than a certified system, particularly at the time of design and implementation. On the subject of PES, this standard requires that components and subsystems selected for use in SIL 1 through SIL 3 shall either be designed in accordance with IEC 61508-2 and IEC 61508-3 or comply with the Proven in Use criteria. Additionally, the system programming tool should use Limited Variability Languages, defined in the standard as a "software programming language, whose notation is textual or graphical or has characteristics of both, for commercial and industrial programmable electronic controllers with a range of capabilities limited to their application".[4]

As the reader might anticipate, the majority of the Programmable Electronic Systems used before 1995 were not certified to the same criteria as those released to the market over the last ten years; legacy systems are likely to be general purpose systems (i.e. standard PLCs) or an early version of Safety PLCs/Programmable Electronic Systems (First Generation Safety Systems).
Proven in Use

In order to keep using a system that is not certified according to IEC 61508, the user must demonstrate Proven in Use, and such demonstration shall include:

1. The manufacturer's Quality Management system
2. Adequate identification and specification of the components and subsystems
3. Demonstration of the performance of the components or subsystems in similar operating profiles and physical environments
4. The volume of operating experience

The documented evidence shall demonstrate that the likelihood of any failure of the subsystem is low enough so that the required safety integrity level(s) of the safety function(s) is achieved.

[2] ISA TR84.00.04-2005 Part 1, Guidelines for the Implementation of ANSI/ISA 84.00.01-2004 (IEC 61511 Mod)
[3] ISA TR84.00.04-2005 Part 1, Guidelines for the Implementation of ANSI/ISA 84.00.01-2004 (IEC 61511 Mod)
[4] IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 4: Definitions and abbreviations
Certified to IEC 61508

If the system has an IEC 61508 certification, then it's important to understand the criteria used by the third-party assessor for issuing such certification to a First Generation Safety System. The IEC 61508 standard recognizes the following four criteria in the assessment of Safety PLCs/Programmable Electronic Systems:

- Hardware Safety Integrity
- Behavior in presence of failure
- Safe Failure Fraction
- Systematic Capabilities

Most First Generation Safety Systems were certified on the basis of the Hardware Safety Integrity, which is related to redundancy and behavior in presence of failure; these two concepts were sufficient to describe their performance, which at the time included few and maybe limited software diagnostics. Many of these systems used Relay Ladder Logic as a programming language, which was a representation of relay-based logic and useful at the transition point between that technology and the emerging digital systems.

Safe Failure Fraction (SFF) and Systematic Safety Integrity are new terms for many users. In particular, Systematic Capabilities is a new concept that many of the First Generation certified systems today do not support, and it is a requirement gaining more visibility in the new edition of IEC 61508 published in 2010.

To release a certified system following the new revision of the standards, the vendor needs to start by establishing a Functional Safety Management System (FSMS) and having the development organization certified by an independent assessor. The FSMS requires the design process to document and track functional requirements, review functional specifications, test against requirements, and validate performance and results during the development of the product. Every step needs to be properly documented; the competence of the personnel involved in each step is also documented. It might be easier for the reader to understand if the FSMS is compared to a Quality Assurance process: it will be difficult, if not impossible, to assure or even test performance if the performance criteria are not well defined and documented.

Over time it will be very challenging for a product vendor to certify a system to the latest revision of IEC 61508 if their development organization was not previously certified and if their design practices lack the FSMS and the document trail explained in the previous paragraphs.

The reader is probably familiar with the discussions around the architecture of Programmable Electronic Systems used in safety applications, as the majority of First Generation Safety Systems used redundancy (Hardware Safety Integrity) to satisfy the requirements of Low Demand Applications commonly found in the process industries.

Product Developers in the Safety Automation market might adopt different design methodologies, but current Functional Safety standards encourage the use of software diagnostics and diverse technologies.
Diverse Technology

As indicated by this author in previous publications,[5] technology has evolved to a point in which there are multiple options to address a similar technical problem. For example, by selecting two or more of these technologies, diversity can be embedded in the system design.

Examples of diverse implementation include using different operating systems and then using different teams to develop the software on multiple cooperating modules, or combining two different technologies (such as Microprocessors (MPA) or Microcontrollers and Field Programmable Gate Arrays (FPGA)) to perform the same functionality in parallel to each other. Unlike traditional redundancy, by applying diverse technologies the design achieves a redundancy scheme with minimum or no common cause failures.
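The two preceding sections argue that First Generation systems relied on redundancy alone, and that diverse technology pays off by cutting common cause failures. The following added example (not from the white paper, nor from ABB) puts numbers on that argument using the simplified low-demand PFDavg expressions of the beta-factor model from IEC 61508-6 Annex B; the failure rate, proof-test interval and beta values are constructed for illustration, and dangerous-detected failures and repair time are neglected.

```python
"""Identical vs. diverse 1oo2 redundancy under the beta-factor common-cause model.

Added example; formulas are the simplified IEC 61508-6 Annex B low-demand
PFDavg expressions (dangerous-detected failures and repair time neglected).
All numeric inputs below are constructed for illustration only.
"""


def pfd_1oo1(lambda_du: float, t_proof: float) -> float:
    """PFDavg of a single channel: lambda_DU * T1 / 2."""
    return lambda_du * t_proof / 2.0


def pfd_1oo2(lambda_du: float, t_proof: float, beta: float) -> float:
    """PFDavg of a 1oo2 pair.

    Independent part:  ((1 - beta) * lambda_DU * T1)^2 / 3
    Common-cause part: beta * lambda_DU * T1 / 2
    beta is the fraction of dangerous failures that strike both channels at
    once; identical hardware carries a higher beta than diverse hardware.
    """
    independent = ((1.0 - beta) * lambda_du * t_proof) ** 2 / 3.0
    common_cause = beta * lambda_du * t_proof / 2.0
    return independent + common_cause


def common_cause_share(lambda_du: float, t_proof: float, beta: float) -> float:
    """Fraction of the 1oo2 PFDavg that is caused by common-cause failure."""
    return (beta * lambda_du * t_proof / 2.0) / pfd_1oo2(lambda_du, t_proof, beta)


def sil_from_pfd(pfd: float) -> int:
    """Low-demand PFDavg band per IEC 61508-1 Table 2 (0 = below SIL 1)."""
    for sil, (lo, hi) in ((4, (1e-5, 1e-4)), (3, (1e-4, 1e-3)),
                          (2, (1e-3, 1e-2)), (1, (1e-2, 1e-1))):
        if lo <= pfd < hi:
            return sil
    return 0


if __name__ == "__main__":
    LAMBDA_DU = 1e-6  # constructed: dangerous undetected failures per hour
    T_PROOF = 8760.0  # constructed: one-year proof-test interval, in hours
    single = pfd_1oo1(LAMBDA_DU, T_PROOF)
    print(f"1oo1: PFDavg={single:.2e} band SIL {sil_from_pfd(single)}")
    for label, beta in (("identical 1oo2, beta=10%", 0.10),
                        ("diverse 1oo2,   beta=1%", 0.01)):
        pfd = pfd_1oo2(LAMBDA_DU, T_PROOF, beta)
        share = common_cause_share(LAMBDA_DU, T_PROOF, beta)
        print(f"{label}: PFDavg={pfd:.2e} band SIL {sil_from_pfd(pfd)} "
              f"common-cause share={share:.0%}")
```

With identical channels the common-cause term accounts for roughly 95% of the pair's PFDavg, so adding more of the same hardware buys little; lowering beta through diversity is what moves the result. The PFDavg band alone does not grant a SIL claim: the SFF, hardware fault tolerance and Systematic Capabilities criteria discussed in this paper still apply.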
IEC 61508 Edition 2

There are other concepts added to IEC 61508 Edition 2 that might affect compliance and should be considered when choosing a PES. This paper will concentrate only on the following three areas, but the author encourages the reader to seek additional information on the topic.

1. Systematic Capabilities
2. Competence
3. Security

Systematic Capabilities

Today, it's well understood that a system can be designed following a very strict development process, using a rock-solid Functional Safety Management System, and even certified by the best independent authority, yet the system can be programmed in a way that disables its safe action under some conditions. Systematic Capabilities should assist in the assessment of the programming tools to avoid this kind of situation.

Systematic Capabilities is a concept developed to replace the term "effectiveness against systematic failure" and is a measure (on a scale of 1-4) that the systematic safety integrity of an element fulfills the given safety function, considering the instructions stated in the product safety manual.

[5] Johnson, Duran, Providing Independent Layers of Protection with Integrated Safety Systems
Competence

Competence had been recommended in the previous edition of the standard; however, it is now of mandatory compliance (normative). The following are the requirements:

1. Organizations involved in safety system projects or activities shall appoint one or more persons with responsibility for one or more phases of the Safety Lifecycle (per IEC 61511)
2. All persons, departments or organizations shall be identified, and their responsibilities clearly defined and communicated
3. Activities related to management of functional safety shall be applied at the relevant phases
4. All persons undertaking specific activities shall have the appropriate competence
5. The competence shall be documented

Competence is particularly critical in the Management of Functional Safety and in the case of a Functional Safety Assessment, which in addition to competence may require independent individuals or departments depending on the consequence of the hazard.

As concerning as the competence requirements may sound, it's important to highlight that there are competent resources available worldwide, either as independent consultants or associated with product vendors, available to support throughout the implementation of the safety lifecycle.
Security

Infrastructure Security and Network Security have been the subject of several papers and blogs. The targeted attack of the Stuxnet worm in 2010[6] confirmed the industry's concerns. The subject is recognized in the revision of the standard, not in the application specifics or to specify the requirements needed to meet a security policy that may be required, but to consider potential security threats to be added to the safety requirements.

Section 7.4 (Hazard Analysis) of the IEC 61508 standard requires that, in the case the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, is reasonably foreseeable, then a security threat analysis should be carried out, followed by section 7.5 (Overall Safety Requirements), where it recommends that a vulnerability analysis should be undertaken in order to specify security requirements.

[6] Byres, Howard, Analysis of the Siemens WinCC/PCS7 Stuxnet Malware for Industrial Control System Professionals
Summary

This white paper explains some of the changes in the Functional Safety standards IEC 61508 and IEC 61511/ISA 84 and identifies the key elements to assess whether a safety system installed in the late 1980's and early 2000 meets the certification requirements for applications in the process industries.

An existing installation is only covered by the ISA 84 Grandfather Clause if the owner/operator can demonstrate that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.

Some of the systems running today might not be certified according to IEC 61508; if that is the case, and according to IEC 61511, those systems should comply with the Proven in Use criteria, which require the user to demonstrate, using documented evidence, that the likelihood of any failure of the system is low enough so that the required safety integrity level(s) of the safety function(s) is achieved.

For those systems certified to the first edition of IEC 61508 only on the basis of Hardware Fault Tolerance (i.e. redundancy and architecture), there are technical challenges that might limit the ability of those systems to retain that certification when the industry moves to IEC 61508 Edition 2; this will occur on the next product release cycle for those vendors.

In addition to criteria such as Hardware Safety Integrity, behavior in presence of failure, Safe Failure Fraction (SFF) and Systematic Capabilities, the latest revision of IEC 61508 (Edition 2) introduces additional criteria such as security and increases the importance of systematic capabilities and competence.

Competence was made normative in the latest revision of the standard; this requires organizations involved in safety system projects or activities to appoint one or more persons with responsibility for one or more phases of the Safety Lifecycle (per IEC 61511) and to adopt a Functional Safety Management System.

The follow-up white paper will address how to start an assessment of your existing safety instrumented system and the safety lifecycle activities involved in modifying or decommissioning an existing system to install certified Safety Systems according to today's standards.