
Is your current safety system compliant to today's safety standard?

Abstract

It is estimated that about 66% of the Programmable Electronic Systems (PES) running in the process industry were installed before the publication of today's commonly used safety standards (IEC 61508 and IEC 61511/ISA 84).

Some of those safety systems, particularly the ones installed between the late 1980s and early 2000, are either:
1. General purpose PLCs,
2. Not designed or certified according to IEC 61508, or
3. Systems that might not satisfy the current requirements of IEC 61508.

In some cases they were not implemented according to ISA 84 or IEC 61511.

This white paper covers the changes in the safety standards affecting those systems; a follow-up white paper will address the safety lifecycle activities involved in modifying or decommissioning an existing system to install certified Safety Systems according to today's standards.

Keywords
Programmable Electronic System, Safety Instrumented System, Functional Safety Management System, Proven in Use

Author
Luis M. Duran
TUV FS Eng #902/07
Product Marketing Manager, Safety Systems
ABB
Houston, TX
email: luis.m.duran@us.abb.com

What is the issue?
The economic growth of heavily regulated industries such as Oil & Gas and Power, increased demand for energy from BRICs economies, particularly China and India, and the increased acceptance of international functional safety standards, especially after major incidents, are driving the growth of the Safety Automation Market in the Process Industries, a growth estimated at 9% CAGR.

This trend is likely to continue for the process industries (which include non-nuclear power, chemical, petrochemical, refining and oil & gas production), as about 66% of the Programmable Electronic Systems used in safety applications were installed between 11 and 30 years ago, before ISA 84, IEC 61508 or IEC 61511 were issued and recognized as good engineering practices [1]. The same source indicates that many users have extended the lifespan of their system beyond their supplier's obsolescence notice.

Additionally, there are many relay-based safety systems that missed the initial wave of automation or were left alone, as installing a digital electronic programmable system was not economically feasible for the plant in those applications at the time.

Prescriptive vs. Performance-Based Functional Safety Standards
The international Functional Safety standard IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, is a general standard applicable to multiple industries. In addition to IEC 61508, there are industry-specific standards. For the process industries, the applicable international safety standard is IEC 61511; ISA has adopted IEC 61511 in their latest revision of ISA 84. Although there are similar changes affecting the machinery safety standards, this paper will only cover the process industries and IEC 61511.

IEC 61508 and IEC 61511/ISA 84 are known as performance-based safety standards. In contrast with previous standards, which prescribe the type of protective functions needed to reduce risk, performance-based standards require an analysis of the hazards associated with the process, of the risk reduction alternatives, and the determination of the performance needed to reduce risk to an acceptable level.

Grandfather clause
The concept of the "grandfather clause" in ISA 84.01-2004 [1] originated with OSHA 1910.119. The grandfather clause's intent is to recognize prior good engineering practices (e.g., ANSI/ISA 84.01-1996) and to allow their continued use with regard to existing Safety Instrumented Systems.

According to ISA TR84.00.04-2005 Part 1, Guidelines for the Implementation of ANSI/ISA 84.00.01-2004 (IEC 61511 Mod): "For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issuance of this standard (e.g., ANSI/ISA 84.01-1996), the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner." [2]

[1] ARC, INSIGHT# 2010-53EMPH, The Coming Wave of Process Safety System Migration

The Technical Report highlights two essential steps:
1) Confirm that a hazard and risk analysis has been done to determine, qualitatively or quantitatively, the level of risk reduction needed for each SIF in the SIS.
2) Confirm that an assessment of the existing SIF has been performed to determine that it delivers the needed level of risk reduction.

According to ISA TR84.00.04-2005 Annex A.2.3, if those activities have not been done, they should be scheduled for review at the next appropriate opportunity, which means when any of the following conditions is met:

- Modifications to the process unit that impact process risk managed by the SIS;
- Modifications to the control system that impact protection layers used to achieve safe operation;
- When an incident or near-miss investigation has identified an SIS deficiency; or
- When the review of another process unit designed according to similar practice has identified an SIS deficiency.

Where are the Safety Certificates?
In reviewing project specifications during the bidding phase of a project, it is common to find ISA 84 or IEC 61511 as a requirement of mandatory compliance. Compliance to IEC 61511 implies more than a certified system, particularly at the time of design and implementation. On the subject of PES, this standard requires that components and subsystems selected for use in SIL 1 through SIL 3 shall either be designed in accordance with IEC 61508-2 and IEC 61508-3 or comply with the Proven in Use criteria [3]. Additionally, the system programming tool should use Limited Variability Languages, defined in the standard as a "software programming language, whose notation is textual or graphical or has characteristics of both, for commercial and industrial programmable electronic controllers with a range of capabilities limited to their application" [4].

As the reader might anticipate, the majority of the Programmable Electronic Systems used before 1995 were not certified to the same criteria as those released to the market over the last ten years; legacy systems are likely to be general purpose systems (i.e. standard PLCs) or an early version of Safety PLCs/Programmable Electronic Systems (First Generation Safety Systems).

[2] ISA TR84.00.04-2005 Part 1, Guidelines for the Implementation of ANSI/ISA 84.00.01-2004 (IEC 61511 Mod)
[3] ISA TR84.00.04-2005 Part 1, Guidelines for the Implementation of ANSI/ISA 84.00.01-2004 (IEC 61511 Mod)
[4] IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 4: Definitions and abbreviations

Proven in Use
In order to keep using a system that is not certified according to IEC 61508, the user must demonstrate Proven in Use, and such demonstration shall include:

1. The manufacturer's Quality Management system
2. Adequate identification and specification of the components and subsystems
3. Demonstration of the performance of the components or subsystems in similar operating profiles and physical environments
4. The volume of operating experience

The documented evidence shall demonstrate that the likelihood of any failure of the subsystem is low enough so that the required safety integrity level(s) of the safety function(s) is achieved.
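As an added illustration (not part of the original white paper) of what "the volume of operating experience" has to support, the following Python turns field hours and the number of observed dangerous undetected failures into an upper-bound failure rate, an average PFD for a single-channel function, and the low-demand SIL band that PFD falls into. The 70% one-sided confidence, the 1oo1 PFD approximation (lambda_DU * TI / 2) and the sample fleet in the test are assumptions of this example, not values given in the paper.

```python
import math

# Low-demand SIL bands as average-PFD ranges (IEC 61508-1 / IEC 61511-1):
# (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def poisson_cdf(k, mu):
    """P(X <= k) for a Poisson variable with mean mu > 0, summed in log space."""
    return sum(math.exp(i * math.log(mu) - mu - math.lgamma(i + 1)) for i in range(k + 1))

def failure_rate_upper_bound(hours, failures, confidence=0.70):
    """Largest dangerous-undetected failure rate (per hour) still consistent with
    at most `failures` failures in `hours` of operating experience, at a one-sided
    confidence (0.70 is an assumption of this example). Bisection on the Poisson
    CDF; with zero failures this equals -ln(1 - confidence) / hours."""
    if hours <= 0:
        raise ValueError("operating experience must be a positive number of hours")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0  # per-hour rate bracket; 1.0/h is far above any real device
    for _ in range(200):
        mid = (lo + hi) / 2
        if poisson_cdf(failures, mid * hours) > target:
            lo = mid  # this rate is still plausible, so the bound lies higher
        else:
            hi = mid
    return hi

def pfd_avg_1oo1(lambda_du, proof_test_interval_hours):
    """Average PFD of a single-channel (1oo1) function: lambda_DU * TI / 2."""
    return lambda_du * proof_test_interval_hours / 2.0

def sil_from_pfd(pfd):
    """SIL band the average PFD falls into (0 = does not reach SIL 1)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0

def proven_in_use_check(hours, failures, proof_test_interval_hours, required_sil,
                        confidence=0.70):
    """Compare the SIL the operating experience supports with the SIL required."""
    lam = failure_rate_upper_bound(hours, failures, confidence)
    pfd = pfd_avg_1oo1(lam, proof_test_interval_hours)
    achieved = sil_from_pfd(pfd)
    return {"lambda_du_upper": lam, "pfd_avg": pfd,
            "achieved_sil": achieved, "satisfies": achieved >= required_sil}
```

Feeding in a constructed fleet of 200 units over 5 years (8,760,000 h) with no dangerous undetected failures and a yearly proof test yields an average PFD near 6e-4, i.e. the SIL 3 band, but the same hours with a few recorded failures quickly drop a claim to SIL 2.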

Certified to IEC 61508
If the system has an IEC 61508 certification, then it is important to understand the criteria used by the third-party assessor for issuing such certification to a First Generation Safety System. The IEC 61508 standard recognizes the following four criteria in the assessment of Safety PLCs/Programmable Electronic Systems:

- Hardware Safety Integrity
- Behavior in presence of failure
- Safe Failure Fraction
- Systematic Capabilities

Most First Generation Safety Systems were certified on the basis of Hardware Safety Integrity, which is related to redundancy and behavior in presence of failure, and these two concepts were sufficient to describe their performance, which at the time included few and maybe limited software diagnostics. Many of these systems used Relay Ladder Logic as a programming language, which was a representation of relay-based logic and useful at the transition point between said technology and the emerging digital systems.

Safe Failure Fraction (SFF) and Systematic Safety Integrity are new terms for many users; in particular, Systematic Capabilities is a new concept that many of the First Generation certified systems today do not support, and it is a requirement gaining more visibility in the new edition of IEC 61508 published in 2010.

To release a certified system following the new revision of the standards, the vendor needs to start by establishing a Functional Safety Management System (FSMS) and having the development organization certified by an independent assessor. The FSMS requires the design process to document and track functional requirements, review functional specifications, test against requirements, and validate performance and results during the development of the product. Every step needs to be properly documented; the competence of the personnel involved in each step is also documented. It might be easier to understand for the reader if the FSMS is compared to a Quality Assurance process: it will be difficult, if not impossible, to assure or even test performance if the performance criteria are not well defined and documented.

Over time it will be very challenging for a product vendor to certify a system to the latest revision of IEC 61508 if their development organization was not previously certified and if their design practices lack the FSMS and the document trail explained in the previous paragraphs.

The reader is probably familiar with the discussions around the architecture of Programmable Electronic Systems used in safety applications, as the majority of First Generation Safety Systems used redundancy (Hardware Safety Integrity) to satisfy the requirements of Low Demand Applications commonly found in the process industries.

Product Developers in the Safety Automation market might adopt different design methodologies, but current Functional Safety standards encourage the use of software diagnostics and diverse technologies.

Diverse Technology
As indicated by this author in previous publications [5], technology has evolved to a point in which there are multiple options to address a similar technical problem. For example, by selecting two or more of these technologies, diversity can be embedded in the system design.

Examples of diverse implementation include using different operating systems and then using different teams to develop the software on multiple cooperating modules, or combining two different technologies (such as Microprocessors (MPA) or Microcontrollers and Field Programmable Gate Arrays (FPGA)) to perform the same functionality in parallel to each other. Unlike traditional redundancy, by applying diverse technologies the design achieves a redundancy scheme with minimum or no common cause failures.

[5] Johnson, Duran, Providing Independent Layers of Protection with Integrated Safety Systems

IEC 61508 Edition 2
There are other concepts added to IEC 61508 Edition 2 that might affect compliance and should be considered when choosing a PES. This paper will concentrate only on the following three areas, but the author encourages the reader to seek additional information on the topic.

1. Systematic Capabilities
2. Competence
3. Security

Systematic Capabilities
Today, it is well understood that a system can be designed following a very strict development process, using a rock-solid Functional Safety Management System, and even be certified by the best independent authority, yet the system can be programmed in a way that disables its safe action under some conditions. Systematic Capabilities should assist in the assessment of the programming tools to avoid this kind of situation.

Systematic Capabilities is a concept developed to replace the term "effectiveness against systematic failure" and is a measure (on a scale of 1-4) of the confidence that the systematic safety integrity of an element fulfills the given safety function, considering the instructions stated in the product safety manual.

Competence
Competence had been recommended in the previous edition of the standard; however, it is now of mandatory compliance (normative). The following are the requirements:

1. Organizations involved in safety system projects or activities shall appoint one or more persons with responsibility for one or more phases of the Safety Lifecycle (per IEC 61511)
2. All persons, departments or organizations shall be identified, and their responsibilities clearly defined and communicated
3. Activities related to management of functional safety shall be applied at the relevant phases
4. All persons undertaking specific activities shall have the appropriate competence
5. The competence shall be documented

Competence is particularly critical in the Management of Functional Safety and in the case of a Functional Safety Assessment, which in addition to competence may require independent individuals or departments depending on the consequence of the hazard.

As concerning as the competence requirements may sound, it is important to highlight that there are competent resources available worldwide, either as independent consultants or associated with product vendors, and available to support throughout the implementation of the safety lifecycle.

Security
Infrastructure Security and Network Security have been the subject of several papers and blogs. The targeted attack of the Stuxnet worm in 2010 [6] confirmed the industry's concerns. The subject is recognized in the revision of the standard, not in the application specifics or to specify the requirements needed to meet a security policy that may be required, but to consider potential security threats to be added to the safety requirements.

Section 7.4 (Hazard Analysis) of the IEC 61508 standard requires that, in the case the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, is reasonably foreseeable, a security threats analysis should be carried out, followed by section 7.5 (Overall Safety Requirements), where it recommends that a vulnerability analysis should be undertaken in order to specify security requirements.

[6] Byres, Howard, Analysis of the Siemens WinCC/PCS7 Stuxnet Malware for Industrial Control System Professionals

Summary
This white paper explains some of the changes in the Functional Safety standards IEC 61508 and IEC 61511/ISA 84 and identifies the key elements to assess whether a safety system installed in the late 1980s and early 2000 meets the certification requirements for applications in the process industries.

An existing installation is only covered by the ISA 84 Grandfather Clause if the owner/operator can demonstrate that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.

Some of the systems running today might not be certified according to IEC 61508; if that is the case, then according to IEC 61511 those systems should comply with the Proven in Use criteria, which requires the user to demonstrate, using documented evidence, that the likelihood of any failure of the system is low enough so that the required safety integrity level(s) of the safety function(s) is achieved.

For those systems certified to the first edition of IEC 61508 only on the basis of Hardware Fault Tolerance (i.e. redundancy and architecture), there are technical challenges that might limit the ability of those systems to retain that certification when the industry moves to IEC 61508 Edition 2; this will occur on the next product release cycle for those vendors.

In addition to criteria such as Hardware Safety Integrity, behavior in presence of failure, Safe Failure Fraction (SFF) and Systematic Capabilities, the latest revision of IEC 61508 (Edition 2) introduces additional criteria such as security and increases the importance of systematic capabilities and competence.

Competence was made normative in the latest revision of the standard; this requires organizations involved in safety system projects or activities to appoint one or more persons with responsibility for one or more phases of the Safety Lifecycle (per IEC 61511), and the adoption of a Functional Safety Management System.

The follow-up white paper will address how to start an assessment of your existing safety instrumented system and the safety lifecycle activities involved in modifying or decommissioning an existing system to install certified Safety Systems according to today's standards.
