Legacy systems and today’s safety standards

It is estimated that about 66% of the programmable electronic systems (PES) running in the process industry were installed before the publication of today’s commonly used safety standards (IEC 61508 and IEC 61511/ISA 84).

The economic growth of heavily regulated industries such as the oil and gas industry and the power industry, the increased demand for energy from BRICs economies, particularly China and India, and the increased acceptance of international functional safety standards, especially after major incidents, are driving the growth of the safety automation market in the process industries, with a growth estimated at 9% CAGR.

This trend is likely to continue for the process industries as about 66% of the programmable electronic systems (PES) used in safety applications were installed between 11 and 30 years ago; before ISA 84, IEC 61508 or IEC 61511 were issued and recognised as good engineering practices.¹ Many users have also extended the life span of their system beyond their supplier’s obsolescence notice.^ibid

Additionally, there are many relay‐based safety systems that missed the initial wave of automation, or were left alone, as installing a digital electronic programmable system was not economically feasible for the plant in those applications at the time.

Prescriptive versus performance-based functional safety standards

The international functional safety standard IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety‐related Systems is a general standard applicable to multiple industries. In addition to IEC 61508, there are industry-specific standards. For the process industries, the applicable international safety standard is IEC 61511; ISA has adopted IEC 61511 in its latest revision of ISA84. Although there are similar changes affecting the machinery safety standards, this article will only cover the process industries and IEC 61511.

IEC 61508 and IEC 61511/ISA 84 are known as performance-based safety standards, contrasting with previous standards that prescribe the type of protective functions needed to reduce risk. Performance-based standards require an analysis of the hazards associated with the process, the risk reduction alternatives and the determination of the performance needed to reduce risk to an acceptable level.

Grandfather clause

The concept of the ‘grandfather clause’ in ISA‐84.01‐2004‐1 originated with OSHA 1910.119. The grandfather clause’s intent is to recognise prior good engineering practices (such as ANSI/ISA‐84.01‐1996) and to allow their continued use with regard to existing safety instrumented systems.

According to ISA‐TR84.00.04‐2005 Part 1 Guidelines for the Implementation of ANSI/ISA‐84.00.01‐2004 (IEC 61511 Mod): “For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issuance of this standard (e.g., ANSI/ISA‐84.01‐1996), the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.”²

The technical report highlights two essential steps:

1. Confirm that a hazard and risk analysis has been done to determine qualitatively or quantitatively the level of risk reduction needed for each SIF in the SIS.
2. Confirm that an assessment of the existing SIF has been performed to determine that it delivers the needed level of risk reduction.

According to ISA‐TR84.00.04‐2005 Annex A.2², if those activities have not been done, they should be scheduled for review at the “next appropriate opportunity”, which means if any of the following conditions is met:

• Modifications are made to the process unit that impact process risk managed by the SIS.
• Modifications are made to the control system that impact protection layers used to achieve safe operation.
• When an incident or near miss investigation has identified an SIS deficiency.
• When the review of another process unit designed according to similar practice has identified an SIS deficiency.

Where are the safety certificates?

In reviewing project specifications during the bidding phase of a project, it is common to find ISA 84 or IEC 61511 as a requirement for mandatory compliance. Compliance to IEC 61511 implies more than a certified system, particularly at the time of design and implementation. On the subject of PES, this standard requires that components and subsystems selected for use in SIL 1 through SIL 3 shall either be designed in accordance with IEC 61508‐2 and IEC 61508‐3 or comply with the ‘Proven‐in‐Use’ criteria. Additionally, the system programming tool should use limited variability languages, defined in the standard as “software programming language, whose notation is textual or graphical or has characteristics of both, for commercial and industrial programmable electronic controllers with a range of capabilities limited to their application”³.

As the reader might anticipate, the majority of the programmable electronic systems used before 1995 were not certified to the same criteria as those released to the market over the last 10 years. Legacy systems are likely to be general-purpose systems (like a standard PLC) or an early version of safety PLC/PES (first-generation safety system).

Proven-in-Use

In order to keep using a system that is not certified according to IEC 61508, the user must demonstrate ‘Proven-in-Use’ and such demonstration shall include:

1. The manufacturer’s quality management system.
2. Adequate identification and specification of the components and subsystems.
3. Demonstration of the performance of the components or subsystems in similar operating profiles and physical environments.
4. The volume of operating experience.

The documented evidence shall demonstrate that the likelihood of any failure of the subsystem is low enough so that the required safety integrity level(s) of the safety function(s) is achieved.

Certified to IEC61508

If the system has an IEC61508 certification, then it is important to understand the criteria used by the third-party assessor for issuing such certification to a first generation safety system. The IEC 61508 standard recognises the following four criteria in the assessment of Safety PLCs/Programmable Electronic Systems:

• Hardware safety integrity
• Behaviour in the presence of failure
• Safe failure fraction (SFF)
• Systematic capabilities

Most first-generation safety systems were certified on the basis of hardware safety integrity, which is related to redundancy and behaviour in the presence of failure, and these two concepts were sufficient to describe their performance that at the time included few and maybe limited software diagnostics. Many of these systems used relay ladder logic as a programming language, which was a representation relay-based logic and useful at the transition point between said technology and the emerging digital systems.

SFF and systematic safety integrity are new terms for many users, and particularly Systematic Capabilities is a new concept that many of the first generation of certified systems today do not support, although it is a requirement gaining more visibility in the newer edition of IEC 61508 published in 2010.

To release a certified system following the newer revision of the standards, the vendor needs to start by establishing a functional safety management system (FSMS) and having the development organisation certified by an independent assessor. The FSMS requires the design process to document and track functional requirements, to review functional specifications and test against requirements, and to validate performance and results during the development of the product. Every step needs to be properly documented; the competence of the personnel involved in each step is also documented. It might be easier to understand for the reader if the FSMS is compared to a quality assurance process - it will be difficult, if not impossible, to assure or even test performance if the performance criteria are not well defined and documented.

Over time it will be very challenging for a product vendor to certify a system to the latest revision of IEC61508 if their development organisation was not previously certified and if their design practices lack the FSMS and the document trail explained in the previous paragraphs.

The reader is probably familiar with the discussions around the architecture of programmable electronic systems used in safety applications, as the majority of first-generation safety systems used redundancy (hardware safety integrity) to satisfy the requirements of low demand applications commonly found in the process industries.

Product developers in the safety automation market might adopt different design methodologies, but current functional safety standards encourage the use of software diagnostics and diverse technologies.

Diverse technology

Technology has evolved to a point at which there are multiple options to address a similar technical problem. For example, by selecting two or more of these technologies, diversity can be embedded in the system design.

Examples of diverse implementation include using different operating systems and then using different teams to develop the software on multiple cooperating modules, or combining two different technologies (such as microprocessors or microcontrollers and field programmable gate arrays (FPGAs)) to perform the same functionality in parallel to each other. Unlike traditional redundancy, the application of diverse technologies achieves a redundancy scheme with minimum or no common cause failures.

IEC 61508 Edition 2

There are other concepts added to IEC 61508 Edition 2 that might affect compliance and should be considered when choosing a PES. This article will concentrate only on the following three areas, but the author encourages the reader to seek additional information on the topic.

1. Systematic capabilities
2. Competence
3. Security

Systematic capabilities

Today it is well understood that a system can be designed following a very strict development process, using a rock‐solid FSMS, and even certified by the best independent authority, yet the system can be programmed in a way that disables its safe action under some conditions. Systematic capabilities should assist in the assessment of the programming tools to avoid this kind of situation.

Systematic capabilities is a concept developed to replace the term ‘effectiveness against systematic failure’ and is a measure (on a scale of 1‐4) that the systematic safety integrity of an element fulfils the given safety function, considering the instructions stated in the product safety manual.

Competence

Competence has been recommended in the previous edition of the standard; however, it is now mandatory for compliance (normative). The following are the requirements:

1. Organisations involved on safety system projects or activities shall appoint one or more persons with responsibility for one or more phases of the safety lifecycle (as per IEC61511).
2. All persons, departments or organisations shall be identified, and the responsibilities clearly defined and communicated.
3. Activities related to the management of functional safety shall be applied at the relevant phases.
4. All persons undertaking specific activities shall have the appropriate competence.
5. The competence shall be documented.

Competence is particularly critical in the management of functional safety and in the case of a functional safety assessment may apply to independent individuals or departments depending on the consequence of the hazard.

As concerning as the competence requirements may sound, it is important to highlight that there are competent resources available worldwide, either as independent consultants or associated with product vendors, and available to provide support throughout the implementation of the safety lifecycle.

Security

Infrastructure security and network security have been the subject of several papers and blogs. The targeted attack of the Stuxnet worm in 2010⁴ confirmed the industry concerns. The subject is recognised in the revision of the standard - not in the application specifics or to specify the requirements needed to meet a security policy - but advises potential security threats should be added to the safety requirements.

Section 7.4 (Hazard Analysis) of the IEC 61508 standard requires that in the case that the hazard analysis identifies the potential for malevolent or unauthorised action constituting a security threat is reasonably foreseeable, then a security threat analysis should be carried out. Following this, Section 7.5. (Overall Safety Requirements) recommends that a vulnerability analysis should be undertaken in order to specify security requirements.

Summary

This article explains some of the changes in the functional safety standards IEC 61508 and IEC 61511/ISA 84 and identifies the key elements to assess if a safety system installed the late 1980s and early 2000s meets the certification requirements for applications in the process industries.

An existing installation is only covered by the ISA84 grandfather clause if the owner/operator can demonstrate that the equipment is designed, maintained, inspected, tested and operating in a safe manner. In addition, if a system is not be certified according to IEC61508, then according to IEC 61511 those systems should comply with the Proven‐in‐Use criteria. For those systems certified to the first edition of IEC 61508 only on the basis of hardware fault tolerance, there are technical challenges that might limit the ability of those systems to retain that certification when the industry moves to IEC 61508 Edition 2.

IEC 61508 Edition 2 also introduces additional criteria such as security and increases the importance of systematic capabilities and competence. The notion of competence requires organisations involved on safety system projects or activities to appoint one or more persons with responsibility for one or more phases of the safety lifecycle (per IEC61511) and the adoption of a functional safety management system.

References

1.  ARC Advisory Group, 2010, INSIGHT# 2010-53EMPH The Coming Wave of Process Safety System Migration
2.  ISA Europe, 2005, ISA‐TR84.00.04‐2005 Part 1 Guidelines for the Implementation of ANSI/ISA‐84.00.01‐2004 (IEC 61511 Mod)
3.  International Electrotechnical Commission, 1998, IEC 61508-4 Functional safety of electrical/electronic/programmable electronic safety‐related systems-Part 4: Definitions and abbreviations
4.  Byres E, Howard S, 2010, Analysis of the Siemens WinCC/PCS 7 “Stuxnet” Malware for Industrial Control System Professionals, Tofino Security