ISO 13577-4:2014
Industrial furnace and associated processing equipment — Safety — Part 4: Protective systems
ISO 13577-4:2014 specifies the requirements for protective systems used in industrial furnaces and associated processing equipment (TPE). The functional requirements to which the protective systems apply are specified in the other parts of ISO 13577.
Fours industriels et équipements associés — Sécurité — Partie 4: Systèmes de protection
Standards Content (Sample)
INTERNATIONAL STANDARD ISO 13577-4
First edition 2014-09-01
Industrial furnace and associated processing equipment — Safety — Part 4: Protective systems
Fours industriels et équipements associés — Sécurité — Partie 4: Systèmes de protection
Reference number ISO 13577-4:2014(E)
© ISO 2014
ISO 13577-4:2014(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Design requirements for equipment in a protective system
4.1 General
4.2 Requirements for protective systems
4.3 Fault assessment for the hardwired section of protective systems
4.4 Failure of utilities
4.5 Reset
Annex A (informative) Explanation of techniques and measures for avoiding systematic faults
Annex B (informative) Examples of techniques for avoiding failures from external wiring
Annex C (informative) Examples for the determination of safety integrity level SIL using the risk graph method
Annex D (informative) Example of an extended risk assessment for one safety instrumented function using the IEC 61511 method
Annex E (informative) Sample schematic diagrams of protective system
Annex F (normative) Hardwiring protective systems
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 244, Industrial furnaces and associated processing
equipment.
ISO 13577 consists of the following parts, under the general title Industrial furnaces and associated
processing equipment — Safety:
— Part 1: General requirements
— Part 2: Combustion and fuel handling systems
— Part 3: Generation and use of protective and reactive atmosphere gases
— Part 4: Protective systems
The following part is under preparation:
— Part 11: Requirements for arc furnaces
iv © ISO 2014 – All rights reserved
Introduction
This part of ISO 13577 was developed to specify the requirements of a protective system, which is a
safety-related electrical control system (SRECS) of industrial furnaces and associated processing
equipment (TPE).
Mandatory safety-related control functions of TPE are specified in ISO 13577-1, ISO 13577-2, and
ISO 13577-3.
It is intended that in designing the protective system of TPE, manufacturers of TPE choose from the four
methods provided in this part of ISO 13577.
This part of ISO 13577 is to be used together with the other parts of ISO 13577. Since ISO 13577 is a
type-C standard of ISO 12100, TPE are required to be designed in accordance with the principles of
ISO 12100. However, there are cases in which a risk assessment according to IEC 61511 (all parts) is
more suitable for the design of a TPE protective system.
This document is a type-C standard as stated in ISO 12100.
The machinery concerned and the extent to which hazards, hazardous situations, or hazardous events
are covered are indicated in the scope of this part of ISO 13577.
When requirements of this type-C standard are different from those which are stated in type-A or -B
standards, the requirements of this type-C standard take precedence over the requirements of the other
standards for machines that have been designed and built according to the requirements of this type-C
standard.
IEC 61511 (all parts) provides the option of a low-demand rate on the protective system. IEC 62061 or
ISO 13849-1 always assume high-demand applications.
Therefore, this part of ISO 13577 permits extended risk assessment for SRECS in which risk assessment
based on IEC 61511 (all parts) can be chosen as an alternative.
Industrial furnace and associated processing equipment —
Safety —
Part 4:
Protective systems
1 Scope
This part of ISO 13577 specifies the requirements for protective systems used in industrial furnaces and
associated processing equipment (TPE).
The functional requirements to which the protective systems apply are specified in the other parts of
ISO 13577.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable to its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 13574:— 1), Industrial furnaces and associated processing equipment — Vocabulary
ISO 13849-1:2006, Safety of machinery — Safety-related parts of control systems — Part 1: General
principles for design
IEC 60947-4-1, Low-voltage switchgear and controlgear — Part 4-1: Contactors and motor-starters -
Electromechanical contactors and motor-starters
IEC 60947-5-1, Low-voltage switchgear and controlgear — Part 5-1: Control circuit devices and switching
elements - Electromechanical control circuit devices
IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements
IEC 60730-2-5, Automatic electrical controls for household and similar use — Part 2-5: Particular
requirements for automatic electrical burner control systems
IEC 61508 (all parts):2010, Functional safety of electrical/electronic/programmable electronic safety-
related systems
IEC 61131-3, Programmable controllers — Part 3: Programming languages
IEC 61511 (all parts), Functional safety — Safety instrumented systems for the process industry sector
IEC 62061, Safety of machinery — Functional safety of safety-related electrical, electronic and programmable
electronic control systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 13574:— 2) and the following
apply.
1) To be published.
2) To be published.
3.1
final element
part of a protective system which implements the physical action necessary to achieve a safe state
Note 1 to entry: Examples are valves, switch gear, motors including their auxiliary elements, for example, a
solenoid valve and actuator if involved in the safety function.
[SOURCE: IEC 61511-1:2003, 3.2.24 modified: “instrumented system” had been changed to read
“protective system” in the definition.]
3.2
flame detector device
device by which the presence of a flame is detected and signaled
Note 1 to entry: It can consist of a flame sensor, an amplifier, and a relay for signal transmission.
[SOURCE: ISO 13574:— 2), 2.65, modified: The second sentence of the original definition is presented as
Note 1 to entry.]
3.3
functional safety
capability of a protective system or other means to reduce risk, to execute the actions required for
achieving or maintaining a safe state for the process and its related equipment
[SOURCE: ISO 13574:— 2), 2.73]
3.4
logic function
function that performs the transformations between input information (provided by one or more input
functions or sensors) and output information (used by one or more output functions or final elements)
Note 1 to entry: Logic functions are executed by the logic solver of a protective system.
[SOURCE: IEC 61511-1:2003, 3.2.39, modified — “input functions” had been changed to read “input
functions or sensors” and “output function” had been changed to read “output function or final elements”
in the definition, and the second sentence in the original definition had been deleted; Note has been
added.]
3.5
logic solver
portion of a protective system that performs one or more logic function(s)
Note 1 to entry: Examples are electrical systems, electronic systems, programmable electronic systems, pneumatic
systems, and hydraulic systems. Sensors and final elements are not part of the logic solver.
[SOURCE: IEC 61511-1:2003, 3.2.40 modified: “either a BPCS or SIS” had been changed to read “a
protective system” in the definition; Note 1 in the original definition had been deleted.]
3.6
manual reset
action after a lockout of a safety device (e.g. automatic burner control) carried out manually by the
supervising operator
[SOURCE: ISO 13574:— 3), 2.107]
3) To be published.
3.7
performance level
PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety
function under foreseeable conditions
[SOURCE: ISO 13849-1:2006, 3.1.23]
3.8
product standard
standard for products and devices which are listed in ISO 13577 (all parts) except this part of ISO 13577
[SOURCE: ISO 13574:— 3), 2.135 modified: “ISO 13577-4” has been changed to read “this part of ISO 13577”
in the definition.]
3.9
programmable logic control
PLC
electronic device designed for control of the logical sequence of events
[SOURCE: ISO 13574:—, 2.125]
3.10
protective system
instrumented system used to implement one or more safety-related instrumented functions which is
composed of any combination of sensor(s), logic solver(s), and final elements (for example, see Figure 2)
Note 1 to entry: This can include safety-related instrumented control functions or safety-related instrumented
protection functions or both.
[SOURCE: ISO 13574:—, 2.138]
3.11
safety bus
bus system and/or protocol for digital network communication between safety devices, which is designed
to achieve and/or maintain a safe state of the protective system in compliance with IEC 61508 (all
parts):2010 or IEC 60730-2-5
[SOURCE: ISO 13574:—, 2.164]
3.12
safety device
device that is used to perform protective functions, either on its own or as a part of a protective system
Note 1 to entry: Examples are sensors, limiters, flame monitors, burner control systems, logic systems, final
elements, and automatic shut-off valves.
3.13
safety integrity level
SIL
discrete level (one out of a possible four), corresponding to a range of safety integrity values, where
safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest
Note 1 to entry: The target failure measures for the four safety integrity levels are specified in IEC 61508-1:2010,
Tables 2 and 3.
Note 2 to entry: Safety integrity levels are used for specifying the safety integrity requirements of the safety
functions to be allocated to the E/E/PE safety-related systems.
Note 3 to entry: A safety integrity level (SIL) is not a property of a system, subsystem, element, or device. The
correct interpretation of the phrase “SIL n safety-related system” (where n is 1, 2, 3, or 4) is that the system is
potentially capable of supporting safety functions with a safety integrity level up to n.
[SOURCE: IEC 61508-4:2010, 3.5.8]
3.14
sensor
device that produces a signal based on a process variable
EXAMPLE Transmitters, transducers, process switches, and position switches.
3.15
system for permanent operation
system, which is intended to remain in the running position for longer than 24 h without interruption
[SOURCE: IEC 60730-2-5:2009, 2.5.101]
3.16
system for non-permanent operation
system, which is intended to remain in the running position for less than 24 h
[SOURCE: IEC 60730-2-5:2009, 2.5.102]
3.17
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an
element meets the requirements of the specified SIL, in respect of the specified element safety function,
when the element is applied in accordance with the instructions specified in the compliant item safety
manual for the element
Note 1 to entry: Systematic capability is determined with reference to the requirements for the avoidance and
control of systematic faults (see IEC 61508-2 and IEC 61508-3).
Note 2 to entry: What qualifies as a relevant systematic failure mechanism depends on the nature of the
element. For example, for an element comprising solely software, only software failure mechanisms will need
to be considered. For an element comprising hardware and software, it is necessary to consider both systematic
hardware and software failure mechanisms.
Note 3 to entry: A systematic capability of SC N for an element, in respect of the specified element safety function,
means that the systematic safety integrity of SIL N has been met when the element is applied in accordance with
the instructions specified in the compliant item safety manual for the element.
[SOURCE: ISO 13574:—, 2.183]
4 Design requirements for equipment in a protective system
4.1 General
Electrical equipment shall comply with IEC 60204-1 and withstand the hazards identified in the risk
assessment required at the design stage. Electrical equipment shall be protected against damage. In
particular, it shall be robust to withstand damage during continuous operation.
Devices shall be used in accordance with the manufacturer’s instructions including safety manuals. Any
device used outside of its published technical specification shall be verified and validated to be suitable
for the intended application.
Devices of a protective system shall withstand the environmental conditions and fulfill their intended
function.
Sensors (e.g. pressure transmitters, temperature transmitters, flow transmitters) used in the protective
system shall be independent from the process control system.
Figure 1 is provided as an aid to understanding the relationship between the various elements of TPE and
their ancillary equipment, the heating system, the process control system, and the protective system.
[Figure 1 (block diagram, image not reproduced). Blocks shown: Heating system, comprising fuel supply and conditioning, combustion air supply and pre-heating, burner system (burners, ignition device), combustion chamber and flue gas system; Processing chamber; Auxiliary equipment; Process control system, e.g. pressure control, temperature control (non-safety functions); Protective system, e.g. prepurge, automatic burner control system (safety functions).]
Figure 1 — Block diagram of control and protective systems
An appropriate group of techniques and measures shall be used that are designed to prevent the
introduction of faults during the design and development of the hardware and software of the protective
system (see Annex A).
Failure due to short circuit in external wiring shall be avoided (see Annex B).
Requirements for testing and testing intervals for protective systems shall be specified in the instruction
handbook. Except as permitted by method D, the testing of all safety functions shall be performed at
least annually. Method D shall be used if the testing of all safety functions is performed at intervals
longer than 1 year.
See Annexes C and D for examples of SIL/PL determinations.
4.2 Requirements for protective systems
Any one or a combination of the four (4) methods shall be used to implement a protective system for the
safety function(s) requirements identified in ISO 13577 (all parts); however, only one method shall be
used for any one specific safety function. The four methods are the following:
— Method A as specified in 4.2.1;
— Method B as specified in 4.2.2;
— Method C as specified in 4.2.3;
— Method D as specified in 4.2.4.
Figure 2 shows the basic configuration of a protective system.
[Figure 2 (image not reproduced). One column per safety function: Safety function 1 (e.g. pressure monitoring), Safety function 2 (e.g. flame monitoring), ... Safety function n, each implemented by Method A, B, C or D. Each column consists of Sensor(s) (e.g. pressure switch, flame sensor), Logic Solver(s) and Final Element(s) (e.g. actuator, automatic shut-off valves).]
Figure 2 — Basic configuration of a protective system
Figure 3 shows the basic characteristics of each method.
NOTE 1 Software interconnections are links between software function blocks, safety PLC inputs, and safety
PLC outputs. These are similar to hardwired interconnections between devices.
NOTE 2 Safety function software is either a software function block or program to perform safety logic
functions (e.g. prepurge, automatic burner control).
[Figure 3 (image not reproduced). Columns: Method A, Method B, Method C, Method D. Rows: Hardware (safety PLC; SIL/PL capable components; devices which comply with relevant product standards); Interconnections (software interconnections; safety bus interconnections; hardwired interconnections); Safety function software (safety PLC program language, extended risk assessment; verified and validated software function blocks); Detailed description (4.2.1, 4.2.2, 4.2.3, 4.2.4 for Methods A to D respectively).]
Figure 3 — Method overview
See Annex E for sample schematic diagrams of the various methods.
4.2.1 Method A
Method A shall be a hardwired system in which all devices (i.e. sensors, logic solver, and final elements
described in Figure 4) comply with the relevant product standards as specified in ISO 13577 (all parts).
The requirements of IEC 61508 (all parts), IEC 61511 (all parts), IEC 62061, and ISO 13849-1:2006 are
not applicable for this type of protective system.
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— connections shall not be permitted through data communication buses;
— devices with fixed program language, which meet the relevant product standards, shall be permitted;
— hardwiring shall be in accordance with Annex F.
[Figure 4 (image not reproduced):]
Sensor(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. pressure detector according to IEC 60730-2-6, flame detector according to IEC 60730-2-5
  | hardwiring as specified in 4.2.1
Logic Solver(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic burner control system according to IEC 60730-2-5
  | hardwiring as specified in 4.2.1
Final Element(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic shut-off valve(s) according to ISO 23551-1
Figure 4 — Hardware configuration of Method A
NOTE The safety devices used in 4.2.1 correspond to specific safety requirements, matched to the field of
application and the functional requirements made of these devices, as demanded in the corresponding products
standards for safety devices, e.g. automatic burner control systems, valve-proving systems, pressure-sensing
devices, automatic shut-off valves. Even without additional SIL/PL certification of these safety devices, the safety
requirements for use of safety devices are in compliance with relevant product standards. Implementation of a
protective system in accordance with 4.2.1 is one of several alternative methods.
4.2.2 Method B
Method B shall be a combination of devices meeting the relevant product standards and/or SIL/PL
capable devices for which no relevant product standard exists. Safety PLCs are excluded (see Figure 5).
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— devices with fixed program language, which meet the relevant product standards, shall be permitted;
— interconnections may be hardwired or through safety bus;
— hardwiring shall be in accordance with Annex F.
For devices which are not covered by product standards, the following requirements shall be fulfilled:
— the device shall be SIL 3 capable in accordance with IEC 61508 (all parts), IEC 62061, or IEC 61511
(all parts) or it shall be PL e capable in accordance with ISO 13849-1:2006;
— SIL/PL capability certification shall apply to the complete device, including the hardware and
software.
NOTE Verification and validation of SIL/PL certification for devices is typically carried out by a notified
body, accredited national testing laboratory, or by an organization in accordance with ISO/IEC 17025:2005.
Devices with less than SIL 3/PL e capability shall be permitted, provided the SIL/PL requirements for
the loop (safety function) are determined and calculated.
When the SIL is determined by prior use (i.e. proven in use), the requirements in IEC 61511 (all parts)
shall be followed.
All requirements in the safety handbook for the device shall be adhered to, such as the proof test interval.
NOTE See Annex C for examples of determining SIL/PL.
[Figure 5 (image not reproduced):]
Sensor(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. pressure detector according to IEC 60730-2-6, flame detector according to IEC 60730-2-5
  AND / OR
Sensor(s) with defined systematic capability as specified in 4.2.2, e.g. SIL or PL capable pressure transmitter
  | hardwiring as specified in 4.2.2
Logic Solver(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic burner control system according to IEC 60730-2-5
  AND / OR
Component(s) with defined systematic capability as specified in 4.2.2, e.g. safety relay(s)
  | hardwiring as specified in 4.2.2
Final Element(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic shut-off valve(s) according to ISO 23551-1
  AND / OR
Final Element(s) with defined systematic capability as specified in 4.2.2, e.g. SIL or PL capable actuator
Figure 5 — Hardware configuration of Method B
4.2.3 Method C
Method C shall be a combination of devices meeting the relevant product standards and/or SIL/PL
capable devices for which no relevant product standard exists and/or safety PLCs.
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— devices with fixed program language, which meet the relevant product standards, shall be permitted;
— the interconnections may be hardwired, through safety bus, or through software interconnections;
— hardwiring shall be in accordance with Annex F.
Safety function software is only permitted in the form of verified and validated SIL 3 capable software
function blocks (see Figure 6).
Safety functions shall be permitted within a safety-rated device (e.g. a safety PLC) or within an external
device covered by the relevant product standard.
For the devices (safety PLC, timers, etc.) which are NOT covered by product standards, the following
requirements shall be fulfilled:
— the devices shall be SIL 3 capable in accordance with IEC 61508 (all parts), IEC 62061, or IEC 61511
(all parts), or they shall be PL e capable in accordance with ISO 13849-1:2006;
— where a programmable device implements a safety function that is partly or entirely addressed in a
relevant product standard, the software function shall be verified and validated with respect to the
applicable requirements in the related product standard including but not limited to the sequences
and timings of the product standard;
— software interconnections in a programmable device shall be verified by a functional test;
— software programming languages for PLCs shall be in accordance with IEC 61131-3;
— software shall be locked and secured against unauthorized and unintentional changes.
NOTE Verification and validation of SIL/PL certification is typically carried out by a notified body, accredited
national testing laboratory, or by an organization in accordance with ISO/IEC 17025:2005.
Devices with less than SIL 3/PL e capability shall be permitted, provided the SIL/PL requirements for
the loop (safety function) are determined and calculated.
When the SIL is determined by prior u
...
DRAFT INTERNATIONAL STANDARD ISO/DIS 13577-4
ISO/TC 244 Secretariat: JISC
Voting begins on 2013-05-27
Voting terminates on 2013-08-27
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION
Industrial furnace and associated processing equipment — Safety — Part 4: Protective systems
Fours industriels et équipements associés — Sécurité — Partie 4: Systèmes de protection
ICS 13.180; 25.180.01
To expedite distribution, this document is circulated as received from the committee secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at publication stage.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
© International Organization for Standardization, 2013
Contents
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Design requirements for equipment in a Protective System
4.1 General
4.2 Requirements for protective systems
4.2.1. Method A
4.2.2. Method B
4.2.3. Method C
4.2.4. Method D
4.3 Fault assessment for the hardwired section of protective systems
4.4 Failure of utilities
4.5 Reset
Annex A (informative) Explanation of techniques and measures for avoiding systematic faults
A.1 General
A.2 Competency
A.3 Avoidance of systematic faults
Annex B (informative) Examples of techniques for avoiding failures from external wiring
Annex C (informative) Examples for the determination of safety integrity level SIL using the risk graph method
C.1 General
C.2 Examples for the determination of the required SIL/PL
C.2.1 Example 1 – Table C.1
C.2.2 Example 2 – Table C.2
C.2.3 Example 3 – Table C.3
C.2.4 Example 4 – Table C.4
C.2.5 User's guide for risk graph according to IEC 61511 (i.e. Table C.3 and C.4)
Annex D (informative) Example of an extended risk assessment for one safety instrumented function using IEC 61511 method
D.1 General
D.2 Concept description of equipment under control
D.3 Hazard and risk assessment
D.3.1 Initiating events
D.3.2 Hazard – process deviation – insufficient combustion air
D.4 Consequences
D.5 Event tree example
D.6 Safety System Functional Requirements
D.6.1 Safe State
D.6.2 Demand Rate
D.6.3 Spurious Trip Rate
D.6.4 Proof Test Interval
D.6.5 Process Safety Time
D.6.6 System Response Time
D.7 Safety Sensor Functional Requirements
D.8 Logic Solver Requirements Including Alarming, External Comparison and HMI
D.9 Final Element Requirements
D.10 Manual Intervention Requirements
D.11 Startup Requirements
Annex E (informative) Example schematics of protective system
Annex F (normative) Hardwiring protective systems for methods A, B and C
F.1 General
F.2 Protection against faults of the logic solver/box
F.3 Measures to avoid faults
F.4 Hardware design
F.4.1 General requirements of the hardware
F.4.2 Hard-wired section of the protective system
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 13577-4 was prepared by Technical Committee ISO/TC 244, Industrial furnaces and associated processing equipment.
ISO 13577 consists of the following parts, under the general title Industrial furnaces and associated
processing equipment — Safety:
Part 1: General requirements
Part 2: Requirements for combustion and fuel handling systems
Part 3: Generation and use of protective and reactive atmosphere gases
Part 4: Protective systems
Introduction
This document was developed to specify the requirements for a protective system, which is a safety-related electrical control system (SRECS) of industrial furnaces and associated processing equipment (TPE). Mandatory safety-related control functions of TPE are specified in the other parts of ISO 13577.
This part of ISO 13577 provides four methods from which manufacturers of TPE choose when designing the protective system of TPE.
This document is part of a Type C standard as defined in ISO 12100. Since ISO 13577 is a Type C standard under ISO 12100, TPE are required to be designed in accordance with the principles of ISO 12100. However, there are cases in which a risk assessment according to IEC 61511 is more suitable for the design of a TPE protective system.
IEC 61511 provides the option of a low demand rate on the protective system, whereas IEC 62061 and ISO 13849-1 always assume high demand applications.
Therefore, this part of ISO 13577 permits an extended risk assessment for SRECS, in which a risk assessment based on IEC 61511 may be chosen as an alternative.
DRAFT INTERNATIONAL STANDARD ISO/DIS 13577-4
Industrial furnaces and associated processing equipment — Safety — Part 4: Protective systems
1. Scope
This part of ISO 13577 specifies the requirements for protective systems used in industrial furnaces and associated processing equipment (TPE).
The functional requirements to which the protective systems apply are specified in the other parts of ISO 13577.
2. Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 13574, Industrial furnaces and associated thermal processing equipment — Vocabulary
ISO 13577-1, Industrial furnaces and associated thermal processing equipment — Safety – Part 1: General requirements
ISO 13577-2, Industrial furnaces and associated thermal processing equipment — Safety – Part 2: Combustion and fuel handling systems
ISO 13577-3, Industrial furnaces and associated thermal processing equipment — Safety – Part 3: Generation and use of protective and reactive atmosphere gases
ISO 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design
IEC 60204-1, Safety of machinery – Electrical equipment of machines – Part 1: General requirements
IEC 60730-2-5, Automatic electrical controls for household and similar use – Part 2-5: Particular requirements for automatic electrical burner control systems
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61131-3, Programmable controllers – Part 3: Programming languages
IEC 61511 (all parts), Functional safety – Safety instrumented systems for the process industry sector
IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
3. Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 13574 and the following apply.
3.1
final element
device(s) controlled by the logic solver to affect the process being monitored by the sensor. In a protective system, it is the part that physically acts (e.g. actuator, automatic shut-off valve, relay, etc.) to bring the safety function to a safe state.
3.2
flame detector device
device by which the presence of a flame is detected and signalled; it can consist of a flame sensor, an amplifier and a relay for signal transmission
NOTE This term and definition is given in ISO 13574.
3.3
functional safety
capability of a protective system or other means to reduce risk, to execute the actions required for achieving or maintaining a safe state for the process and its related equipment
NOTE This term and definition is given in ISO 13574.
3.4
logic function
function which performs the transformations between input information (provided by one or more input functions or sensors) and output information (used by one or more output functions or final elements); logic functions are executed by the logic solver of a protective system.
[SOURCE: IEC 61511-1:2003, 3.2.39, modified]
3.5
logic solver
portion of a protective system that performs one or more logic function(s).
NOTE Examples are: electrical systems, electronic systems, programmable electronic systems, pneumatic systems, hydraulic systems. Sensors and final elements are not part of the logic solver.
[SOURCE: IEC 61511-1:2003, 3.2.40, modified]
3.6
manual reset
action after a lock-out of a safety device (e.g. automatic burner control) carried out manually by the supervising operator
NOTE This term and definition is given in ISO 13574.
3.7
performance level
PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
[SOURCE: ISO 13849-1:2006, 3.1.23]
3.8
product standard
the standards for products and devices which are listed in the other parts of ISO 13577
3.9
programmable logic control
PLC
electronic device designed for control of the logical sequence of events
NOTE This term and definition is given in ISO 13574.
3.10
protective system
instrumented system used to implement one or more safety-related instrumented functions. A protective system is composed of any combination of sensor(s), logic solver(s) and final elements (for an example see Figure 2).
NOTE This can include either safety-related instrumented control functions or safety-related instrumented protection functions, or both.
[SOURCE: IEC 61511-1:2003, 3.2.72, modified]
3.11
safety bus
bus system and/or protocol for digital network communication between safety devices that is designed to achieve and/or maintain a safe state of the protective system in compliance with IEC 61508 or IEC 60730-2-5.
3.12
safety device
device which is used to perform protective functions, either on its own or as a part of a protective system (e.g. sensors, limiters, flame monitors, burner control systems, logic systems, final elements, automatic shut-off valves, etc.)
3.13
safety integrity level
SIL
discrete level (one out of a possible four), corresponding to a range of safety integrity values, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest
NOTE 1 The target failure measures for the four safety integrity levels are specified in Tables 2 and 3 of IEC 61508-1.
NOTE 2 Safety integrity levels are used for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems.
NOTE 3 A safety integrity level (SIL) is not a property of a system, subsystem, element or device. The correct interpretation of the phrase "SIL n safety-related system" (where n is 1, 2, 3 or 4) is that the system is potentially capable of supporting safety functions with a safety integrity level up to n.
[SOURCE: IEC 61508-4:2010, 3.5.8]
3.14
sensor
limiter, transducer or any other monitoring device which outputs a signal and/or cuts out, and only reverses the output signal in the event of a specific change in the performance quantity (e.g. pressure, temperature, flow, level).
3.15
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL, in respect of the specified element safety function, when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element
NOTE 1 Systematic capability is determined with reference to the requirements for the avoidance and control of systematic faults (see IEC 61508-2 and IEC 61508-3).
NOTE 2 Which systematic failure mechanisms are relevant will depend on the nature of the element. For example, for an element comprising solely software, only software failure mechanisms will need to be considered. For an element comprising hardware and software, it will be necessary to consider both systematic hardware and software failure mechanisms.
NOTE 3 A systematic capability of SC N for an element, in respect of the specified element safety function, means that the systematic safety integrity of SIL N has been met when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element.
[SOURCE: IEC 61508-4:2010, 3.5.9]
4. Design requirements for equipment in a protective system
4.1 General
Electrical equipment shall comply with IEC 60204-1 and withstand the hazards identified in the risk assessment required at the design stage. Electrical equipment shall be protected against damage. In particular, it shall be robust enough to withstand damage during continuous operation.
Devices shall be used in accordance with the manufacturer's instructions, including safety manuals. Any device used outside of its published technical specification shall be verified and validated to be suitable for the intended application.
Devices of a protective system shall withstand the environmental conditions and fulfil their intended function.
Figure 1 is provided as an aid to understanding the relationship between the various elements of TPE and their ancillary equipment, the heating system, the process control system and the protective system.
[Figure 1 not reproduced in the extracted text]
Figure 1 — Block diagram of control and protective systems
An appropriate group of techniques and measures shall be used that are designed to prevent the introduction of faults during the design and development of the hardware and software of the protective system. See informative Annex A.
Failure due to short circuit in external wiring shall be avoided. See informative Annex B.
Requirements for testing and testing intervals for protective systems shall be specified in the instruction handbook. Except as permitted by Method D, the testing of all safety functions shall be performed at least annually. Method D shall be used if the testing of all safety functions is performed less often than once a year.
See informative Annexes C and D for examples of SIL/PL determinations.
4.2 Requirements for protective systems
Any one or a combination of the four methods below shall be used to implement a protective system for the safety function requirements identified in the other parts of ISO 13577; however, only one method shall be used for any one specific safety function:
Method A as specified in 4.2.1,
Method B as specified in 4.2.2,
Method C as specified in 4.2.3,
Method D as specified in 4.2.4.
Figure 2 shows the basic configuration of a protective system.
[Figure 2 not reproduced in the extracted text. It shows Safety function 1 (e.g. pressure monitoring), Safety function 2 (e.g. flame monitoring) through Safety function n, each implemented by Method A, B, C or D as a chain of Sensor(s) (e.g. pressure switch, flame sensor), Logic Solver(s) and Final Element(s) (e.g. automatic shut-off valves, actuator).]
Figure 2 — Basic configuration of a protective system
Figure 3 shows the basic characteristics of each method.
[Figure 3 not reproduced in the extracted text. It is a table with one column per method (detailed description in 4.2.1, 4.2.2, 4.2.3 and 4.2.4) and rows for Hardware (safety PLC; SIL/PL capable components; components which comply with relevant product standards), Interconnections (safety bus; hardwired interconnections) and Software (safety PLC program language; extended risk assessment; safety function software; verified and validated software function blocks).]
Figure 3 — Method overview
See informative Annex E for example schematics of the various methods.
4.2.1. Method A
Method A shall be a hardwired system in which all devices (i.e. sensors, logic solvers and final elements as described in Figure 4) comply with the relevant product standards as specified in other parts of ISO 13577. The requirements of IEC 61508, IEC 61511, IEC 62061 and ISO 13849 are not applicable to this type of protective system.
The following requirements for hardwiring shall be fulfilled:
all logic solvers shall be supplied by the devices and via the direct interconnections between the devices;
connections shall not be permitted via data communication buses;
devices with fixed program language, which meet the relevant product standards, shall be permitted;
hardwiring shall be in accordance with Annex F.
[Figure 4 not reproduced in the extracted text]
Figure 4 — Hardware configuration of Method A
NOTE The safety devices used here correspond to specific safety requirements, matched to the field of application and the functional requirements made of these devices, as demanded in the corresponding product standards for safety devices, e.g. automatic burner control systems, valve proving systems, pressure sensing devices, automatic shut-off valves. Even without additional SIL/PL certification of these safety devices, the safety requirements for use of safety devices are in compliance with the relevant product standards. Implementation of a protective system per clause 4.1.1 must thus be viewed as one of several alternative methods.
4.2.2. Method B
Method B shall be a combination of devices meeting the relevant product standards and/or SIL/PL capable devices for which no relevant product standard exists. Safety PLCs are excluded (see Figure 5).
The following requirements for hardwiring shall be fulfilled:
All logic solvers shall be supplied by the devices and via the direct interconnections between the devices.
Devices with fixed program language, which meet the relevant product standards, shall be permitted.
The interconnections may be hardwired or via safety bus.
Hardwiring shall be in accordance with Annex F.
For the devices which are covered by product standards, the requirements of 4.2.1 shall be fulfilled.
For the devices which are not covered by product standards, the following requirements shall be fulfilled:
The device shall be SIL 3 capable according to IEC 61508, IEC 62061 or IEC 61511, or it shall be PL e capable according to ISO 13849-1.
193 SIL/PL capability
...
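As an added illustration, not part of ISO 13577-4 and not the standard's own method, the following Python checker encodes the rules stated in 4.1, 4.2, 4.2.1 and 4.2.2 as design-rule checks over a small constructed model of a protective system: one method per safety function, annual testing unless Method D is used, hardwired-only interconnections and product-standard devices for Method A, and hardwired or safety-bus interconnections, no safety PLC, and SIL 3 / PL e capability for non-product-standard devices under Method B. The data model (Device, SafetyFunction, the interconnect vocabulary "hardwired"/"safety_bus"/"data_bus" and the SIL/PL capability fields) is an assumption made for the example; the sample design and its device tags are constructed, not taken from the standard. Methods C and D get no detailed checks because their clauses are not reproduced above.

```python
"""Design-rule checks for the method requirements in ISO 13577-4, 4.1 to 4.2.2.

Added example: the data model below is an assumption for illustration and is
not part of the standard. Only Methods A and B have detailed rules here because
the text of 4.2.3 and 4.2.4 is not reproduced above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Device:
    name: str
    role: str                  # "sensor", "logic_solver" or "final_element" (Figure 2)
    product_standard: bool     # complies with a relevant product standard (4.2.1)
    sil_capable: int = 0       # claimed SIL capability, 0 = none (assumed field)
    pl_capable: str = ""       # claimed PL capability "a".."e", "" = none (assumed field)
    safety_plc: bool = False   # device is a safety PLC (excluded by Method B)


@dataclass
class SafetyFunction:
    name: str
    method: str                # "A", "B", "C" or "D" (4.2)
    interconnect: str          # "hardwired", "safety_bus" or "data_bus" (assumed vocabulary)
    test_interval_months: int  # test interval stated in the instruction handbook (4.1)
    devices: List[Device] = field(default_factory=list)


def check_function(sf: SafetyFunction) -> List[str]:
    """Return the rule violations of one safety function (empty list = no finding)."""
    findings: List[str] = []
    if sf.method not in ("A", "B", "C", "D"):
        return [f"{sf.name}: unknown method {sf.method!r}; 4.2 allows A, B, C or D"]
    # 4.1: all safety functions are tested at least annually unless Method D is used
    if sf.method != "D" and sf.test_interval_months > 12:
        findings.append(f"{sf.name}: test interval of {sf.test_interval_months} months "
                        "exceeds 1 year; Method D is required for longer intervals (4.1)")
    # Figure 2: every function is a chain of sensor(s), logic solver(s), final element(s)
    roles = {d.role for d in sf.devices}
    for role in ("sensor", "logic_solver", "final_element"):
        if role not in roles:
            findings.append(f"{sf.name}: no {role} in the loop (Figure 2)")
    if sf.method == "A":
        if sf.interconnect != "hardwired":
            findings.append(f"{sf.name}: Method A requires hardwired interconnections, "
                            f"not {sf.interconnect} (4.2.1)")
        for d in sf.devices:
            if not d.product_standard:
                findings.append(f"{sf.name}: {d.name} has no product standard; Method A "
                                "requires all devices to comply with one (4.2.1)")
    elif sf.method == "B":
        if sf.interconnect not in ("hardwired", "safety_bus"):
            findings.append(f"{sf.name}: Method B allows hardwired or safety bus "
                            f"interconnections, not {sf.interconnect} (4.2.2)")
        for d in sf.devices:
            if d.safety_plc:
                findings.append(f"{sf.name}: {d.name} is a safety PLC, excluded under "
                                "Method B (4.2.2)")
            if not d.product_standard and not (d.sil_capable >= 3 or d.pl_capable == "e"):
                findings.append(f"{sf.name}: {d.name} has no product standard and is not "
                                "SIL 3 or PL e capable (4.2.2)")
    return findings


def check_system(functions: List[SafetyFunction]) -> Dict[str, List[str]]:
    """Check every safety function and the one-method-per-function rule of 4.2."""
    report: Dict[str, List[str]] = {}
    methods_used: Dict[str, Set[str]] = {}
    for sf in functions:
        report.setdefault(sf.name, []).extend(check_function(sf))
        methods_used.setdefault(sf.name, set()).add(sf.method)
    for name, used in methods_used.items():
        if len(used) > 1:
            report[name].append(f"{name}: implemented with methods {sorted(used)}; "
                                "only one method per safety function (4.2)")
    return report


# Constructed sample design (not from the standard); device tags are invented.
PRESSURE_SWITCH = Device("PS-1", "sensor", product_standard=True)
BURNER_CONTROL = Device("BCU-1", "logic_solver", product_standard=True)
SHUTOFF_VALVES = Device("SSV-1/2", "final_element", product_standard=True)
FLAME_SENSOR = Device("FS-1", "sensor", product_standard=True)
UNCERTIFIED_LOGIC = Device("LS-X", "logic_solver", product_standard=False, sil_capable=2)

SAMPLE_DESIGN = [
    SafetyFunction("gas pressure monitoring", "A", "hardwired", 12,
                   [PRESSURE_SWITCH, BURNER_CONTROL, SHUTOFF_VALVES]),
    SafetyFunction("flame monitoring", "B", "safety_bus", 18,
                   [FLAME_SENSOR, UNCERTIFIED_LOGIC, SHUTOFF_VALVES]),
]

if __name__ == "__main__":
    for name, findings in check_system(SAMPLE_DESIGN).items():
        print(name, "->", "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

Run as a script, the Method A loop passes, while the flame-monitoring function is flagged twice: its 18-month test interval needs Method D, and its logic solver LS-X has neither a product standard nor SIL 3 / PL e capability. A design that assigned the same safety function to two methods would additionally be reported under the 4.2 rule.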