SIST EN 61069-5:1998

SLOVENSKI STANDARD
SIST EN 61069-5:1998
01-november-1998
Industrial-process measurement and control - Evaluation of system properties for
the purpose of system assessment - Part 5: Assessment of system dependability
(IEC 61069-5:1994)
Industrial-process measurement and control - Evaluation of system properties for the
purpose of system assessment -- Part 5: Assessment of system dependability
Leittechnik für industrielle Prozesse - Ermittlung der Systemeigenschaften zum Zweck
der Eignungsbeurteilung eines Systems -- Teil 5: Eignungsbeurteilung der System-
Verläßlichkeit
Mesure et commande dans les processus industriels - Appréciation des propriétés d'un
système en vue de son évaluation -- Partie 5: Evaluation de la sûreté de fonctionnement
d'un système
Ta slovenski standard je istoveten z: EN 61069-5:1995
ICS:
25.040.40 Merjenje in krmiljenje Industrial process
industrijskih postopkov measurement and control
SIST EN 61069-5:1998 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

NORME CEI
INTERNATIONALE IEC
61069-5
INTERNATIONAL
Première édition
STANDARD
First edition
1994-12
Mesure et commande dans les processus
industriels –
Appréciation des propriétés d'un système
en vue de son évaluation –
Partie 5:
Evaluation de la sûreté de fonctionnement
d'un système
Industrial-process measurement and control –
Evaluation of system properties for
the purpose of system assessment –
Part 5:
Assessment of system dependability
© IEC 1994 Droits de reproduction réservés — Copyright - all rights reserved
Aucune partie de cette publication ne peut être reproduite ni No part of this publication may be reproduced or utilized in
utilisée sous quelque forme que ce soit et par aucun any form or by any means, electronic or mechanical,
procédé, électronique ou mécanique, y compris la photo- including photocopying and microfilm, without permission in
copie et les microfilms, sans l'accord écrit de l'éditeur. writing from the publisher.
International Electrotechnical Commission 3, rue de Varembé Geneva, Switzerland
Telefax: +41 22 919 0300 e-mail: inmail@iec.ch IEC web site http: //www.iec.ch
CODE PRIX
Commission Electrotechnique Internationale
V
PRICE CODE
International Electrotechnical Commission
IEC McHfayHapoAHaR 3neKTpoTexHwieceaR HOMHCCHA
Pour prix, voir catalogue en vigueur
• • For price, see current catalogue

---------------------- Page: 2 ----------------------

– 3 –
1069-5©IEC:1994
CONTENTS
Page
FOREWORD 5
INTRODUCTION 9
Clause
13
1 Scope
13
2 Normative references
15
3 Definitions
17
4 Dependability properties
17 4.1 General
17
4.2 Dependability
4.3 Availability 19
21
4.4 Reliability
21
4.5 Maintainability
21
4.6 Credibility
23
4.7 Security
23
4.8 Integrity
23
5 Review of the system requirements document
6 Review of the system specification document 25
27
7 Assessment procedure
27
7.1 General
27 7.2 Analysis of the 'system requirements document and system specification document
7.3 Designing the assessment programme 31
33
7.4 Assessment programme
35
8 Evaluation techniques
35
8.1 General
35
8.2 Qualitative evaluation techniques
37
8.3 Quantitative evaluation techniques
43
9 Execution and reporting of the assessment
Figures
1 General layout of IEC 1069 11
17
2 Dependability hierarchy
Annexes
A Example of required information and documentation format for a master-slave
47
control task in a system requirements document
B Example of required information and documentation format for master-slave
51
control task in a system specification document
53
C Credibility tests
61
D Bibliography

---------------------- Page: 3 ----------------------

1069-5 ©IEC:1994 —5—
INTERNATIONAL ELECTROTECHNICAL COMMISSION
INDUSTRIAL-PROCESS MEASUREMENT AND CONTROL -
EVALUATION OF SYSTEM PROPERTIES FOR
THE PURPOSE OF SYSTEM ASSESSMENT -
Part 5: Assessment of system dependability
FOREWORD
1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization
comprising all national electrotechnical committees (IEC National Committees). The object of the IEC is to
promote international cooperation on all questions concerning standardization in the electrical and
electronic fields. To this end and in addition to other activities, the IEC publishes International Standards.
Their preparation is entrusted to technical committees; any IEC National Committee interested in
the subject dealt with may participate in this preparatory work. International, governmental and
non-governmental organizations liaising with the IEC also participate in this preparation. The IEC
collaborates closely with the International Organization for Standardization (ISO) in accordance with
conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of the IEC on technical matters, prepared by technical committees on
which all the National Committees having a special interest therein are represented, express, as nearly as
possible, an international consensus of opinion on the subjects dealt with.
3) They have the form of recommendations for international use published in the form of standards, technical
reports or guides and they are accepted by the National Committees in that sense.
4) In order to promote international unification, IEC National Committees undertake to apply IEC International
Standards transparently to the maximum extent possible in their national and regional standards. Any
divergence between the IEC Standard and the corresponding national or regional standard shall be clearly
indicated in the latter.
International Standard IEC 1069-5 has been prepared by sub-committee 65A: System
aspects, of IEC technical committee 65: Industrial-process measurement and control.
The text of this part is based on the following documents:
DIS Report on voting
65A(CO)37 65A/166/RVD
Full information on the voting for the approval of this part can be found in the report on
voting indicated in the above table.
Annexes A, B, C and D are for information only.
The relation of this part to the other parts of IEC 1069 and the relative place of this part
within the standard is shown in figure 1.
Part 1 provides the overall guidance and as such is intended as a stand-alone
publication.
Part 2 details the assessment methodology.
Parts 3 to 8 provide guidance on the assessment of specific groups of properties.

---------------------- Page: 4 ----------------------

1069-5 © I EC:1994 - 7 -
The division of properties in parts 3 to 8 have been chosen so as to group together related
properties.
IEC 1069 consists of the following parts, under the general title:
Industrial-process
measurement and control - Evaluation of system properties for the purpose of system
assessment:
Part 1: General considerations and methodology
Part
2: Assessment methodology
Part 3: Assessment of system functionality
(under consideration)
rt
Pa 4: Assessment of system pe rformance (under consideration)
Part
5: Assessment of system dependability
rt
Pa 6: Assessment of system operability (under consideration)
Part 7: Assessment of system safety
(under consideration)
Part
8: Assessment of non-task-related system properties (under consideration)

---------------------- Page: 5 ----------------------

1069-5 © IEC:1994 _ 9 –
INTRODUCTION
This part of IEC 1069 deals with the method which should be used to assess the depend-
ability of industrial-process measurement and control systems. Assessment of a system is
the judgement, based on evidence, of the system's suitability for a specific mission or
class of missions.
To obtain total evidence would require a complete (i.e. under all influencing conditions)
evaluation of all system properties relevant to the specific mission or class of missions.
Since this is rarely practical, the rationale on which an assessment of a system should be
based is:
–
to identify the criticality of each of the relevant system properties;
–
to plan for evaluation of the relevant system properties with a cost-effective dedi-
cation of effort to the various properties.
In conducting an assessment of a system, it is crucial to bear in mind the need to gain a
maximum increase in confidence in the suitability of a system within practical cost and
time constraints.
An assessment can only be carried out if a mission has been stated (or given) or if any
mission can be hypothesized. In the absence of a mission, no assessment can be made;
however, evaluations (as defined in IEC 1069-1) can still be specified and be carried out
for use in assessments performed by others. In such cases, the standard can be used as a
guide for planning an evaluation and it provides procedures for performing evaluations,
since evaluations are an integral part of assessment.

---------------------- Page: 6 ----------------------

1069-5 ©IEC:1994 - 11 -
Part 1:
General considerations
and methodology
Scope
Definitions
Basis of assessment
Assessment considerations
The system
Properties
Influencing conditions
Assessment procedures
Definition of the objective
Design and layout
Part 2:
Methodology
Analysis of objectives
Analysis of system requirements
Analysis of system specification
Planning
Design of assessment programme
Facilities
Expertise
Time
Funds
Protocol Execution of assessment programme
Monitor and control
Part 3: Functionality
Part 4: Performance
Part 5: Dependability
Part 6: Operability
Part 7: Safety
Part 8: NTR Properties
Assessment report
Figure 1 - General layout of IEC 1069

---------------------- Page: 7 ----------------------

1069-5 © IEC:1994 - 13 -
INDUSTRIAL-
PROCESS MEASUREMENT AND CONTROL -
EVALUATION OF SYSTEM PROPERTIES FOR
THE PURPOSE OF SYSTEM ASSESSMENT -
Part 5: Assessment of system dependability
1 Scope
This part of IEC 1069 describes in detail the method to be used to systematically assess
the dependability of industrial-process measurement and control systems.
The assessment methodology detailed in IEC 1069-2 is applied to obtain the dependability
assessment programme.
The subsidiary dependability properties are analyzed, and criteria to be taken into account
when assessing dependability are described.
2 Normative references
The following normative documents contain provisions which, through reference in this
text, constitute provisions of this pa rt of IEC 1069. At the time of publication, the editions
indicated were valid. All normative documents are subject to revision, and pa rties making
agreements based on this pa rt of IEC 1069 are encouraged to investigate the possibility of
applying the most recent editions of the normative documents indicated below. Members
of IEC and ISO maintain registers of currently valid International Standards.
IEC 50(191): 1990,
International Electrotechnical Vocabulary (lEV) - Chapter 191:
Dependability and quality of service
IEC 68: Environmental testing
IEC 300-3-2: 1993,
Dependability management - Part 3: Application guide - Section 2:
Collection of dependability data from the field.
IEC 706-4: 1992, Guide on maintainability of equipment - Pa
rt 4 - Section 8: Maintenance
and maintenance support planning
IEC 801: Electromagnetic compatibility for industrial-process measurement and control
equipment
IEC 812: 1985,
Analysis techniques for system reliability - Procedure for failure mode and
effects analysis (FMEA)
IEC 863: 1986,
Presentation of reliability, maintainability and availability predictions
IEC 1000: Electromagnetic compatibility (EMC)
IEC 1025: 1990,
Fault tree analysis (FTA)
IEC 1069-1: 1991,
Industrial-process measurement and control - Evaluation of system
properties for the purpose of system assessment - Part 1: General considerations and
methodology

---------------------- Page: 8 ----------------------

- 15 -
1069-5 © I EC:1994
IEC 1069-2: 1993, Industrial-process measurement and control - Evaluation of system
properties for the purpose of system assessment - Pa rt 2: Assessment methodology
IEC 1070: 1991, Compliance test procedures for steady-state availability
IEC 1078: 1991, Analysis techniques for dependability - Reliability block diagram method
IEC 1132: 199x, Failure rate prediction of items having a series structure (in preparation)
IEC 1165: 199x, Application of Markov techniques (in preparation)
3 Definitions
For the purpose of this part of IEC 1069 the following definitions apply.
The definitions marked with an * are identical with those given in IEC 50(191). In order
that the definitions are understood consistently throughout all parts of IEC 1069, these
definitions are commented upon in notes at the end of this clause.
The extent to which a system can be relied upon to perform
3.1 dependability:
exclusively and correctly a task under given conditions at a given instant of time or over a
given time interval, assuming that the required external resources are provided.
3.2 reliability*: The ability of an item to perform a required function under given
conditions for a given time inte rval.
3.3 maintainability`: The ability of an item under given conditions of use, to be retained
in, or restored to, a state in which it can perform a required function, when maintenance is
performed under given conditions and using stated procedures and resources.
3.4 availability*: The ability of an item to be in a state to perform a required function
under given conditions at a given instant or over a given time interval, assuming that the
required external resources are provided.
3.5 integrity: The assurance provided by a system that the tasks will be performed
correctly unless notice is given of any state of the system, which could lead to the
contrary.
3.6 security: The assurance provided by a system that any incorrect input, or un-
authorized access is denied.
3.7 credibility: The extent to which a system is able to recognize and signal the state of
the system and to withstand incorrect inputs or unauthorized access.
NOTE - For the purpose of this standard, it is understood that:
- "an item" is an industrial-process measurement and control system;
- "a required function" is a task. In case of an evaluation, a "task" should be understood as a "system
task". Task and function are defined in 2.2.4 and 2.2.5 of IEC 1069-1.

---------------------- Page: 9 ----------------------

1069-5 ©IEC:1994 -17 -
4 Dependability properties
4.1 General
For a system to be dependable it is necessary that it is ready to perform its functions. This
is an availability issue and depends on the frequency of the system failures (reliability)
and the time necessary to restore the system (maintainability).
However, in practice, when the system is ready to perform its function, this does not mean
that it is sure that the functions are performed correctly.
This is a credibility issue, which depends:
- on the ability of the system to provide warning should it fail into a state in which it is
not able to perform some or all of its functions correctly (integrity);
- on the ability of the system to reject any incorrect inputs or unauthorized access to
the system (security).
To assess the dependability of a system, it is therefore necessary to identify and assess
the subsidiary properties that determine the dependability.
The relation between dependability and its subsidiary properties is shown in figure 2.
Dependability

Availability Credibility
Reliability Maintainability Integrity Security
Figure 2 - Dependability hierarchy
4.2 Dependability
Dependability cannot be assessed directly. It is necessary to assess each subsidiary
property individually.
Each subsidiary property is dependent upon the architectural arrangement of the system
modules and the dependability properties of these modules.
The relation of subsidiary dependability properties of these modules to the dependability
of the system may be very complex.
Each subsidiary property at the system level may be dependent upon several subsidiary
properties at the module level.

---------------------- Page: 10 ----------------------

1069-5 © IEC:1994 — 19 —
For example:
—
if the system architecture includes redundancy, the system availability is dependent
upon the integrity properties of the redundant modules;
— if the architecture includes system security mechanisms, the system security is
dependent upon the availability properties of modules that perform the security
mechanism;
—
if the architecture includes modules that check data transferred internally from other
parts of the system, then system integrity is dependent upon the security properties of
these modules.
Dependability cannot be described by a single number. Some of its properties can be
expressed as probabilities, other properties are deterministic; some aspects can be
quantified, other aspects can only be described in a qualitative way.
When a system performs several system tasks, its dependability may vary across those
tasks. For each of these tasks, a separate analysis is required.
Availability
4.3
Availability of the system is dependent upon the availabilities of the individual parts of
the system and the way in which these parts cooperate in performing the system tasks.
The way in which parts cooperate may include functional redundancy (homogeneous or
diverse), functional fall-back and degradation. Availability is dependent in practice upon
the procedures used and the resources available for maintaining the system. The avail-
ability of the system may differ with respect to each of its tasks. Availability of the system
for each task can be quantified in two ways.
4.3.1 To predict the availability of a system, its availability can be calculated as:
mean time to failure
availability —
(mean time to failure + mean time to restoration)
where
— "availability" is the availability of the system for the given task;
—
"mean time to failure" is the mean of the time from restoration of a system into a
state of performing its given task(s) to the time the system fails to do so;
— "mean time to restoration" is the mean of the total time required to restore per-
formance of the given task from the time the system failed to perform that task.
4.3.2 For a system in operation, the availability can be calculated as:
total time the system has been able to perform the task
availability —
total time the system has been expected to perform the task

---------------------- Page: 11 ----------------------

1069-5 ©IEC:1994 - 21 -
4.4 Reliability
Reliability of a system is dependent upon the reliability of the individual parts of the
system and the way in which these parts cooperate in performing the system task(s).
The way in which parts cooperate may include functional redundancy (homogeneous or
diverse), functional fall-back and degradation.
Reliability of the system may differ with respect to each of its tasks. Reliability can be
quantified for individual tasks, with varying degrees of predictive confidence.
The reliability of the individual hardware parts of the system can be predicted using the
parts count method. Reliability of the system can then be predicted by synthesis. It should
be noted, that for the software modules of systems, there are no reliability prediction meth-
ods available that provide high levels of confidence.
Mechanisms to analyze software reliability are described in 4.6 of IEC Committee draft
56(Secretariat)319:
Software reliability and maintainability requirements analysis (under
consideration), listed in annex D.
4.5 Maintainability
The maintainability of a system is dependent upon the maintainability of individual parts
and the physical and functional structure of the system. The physical structure affects
ease of access, replaceability, etc. The functional structure affects ease of diagnosis, etc.
When quantifying the maintainability of a system, all actions required to restore the system
to the state where it is fully capable of performing its tasks should be included. This shall
include actions such as the time necessary to detect the fault, to notify maintenance, to
diagnose and remedy the cause, to adjust and check, etc.
The quantification of maintainability should be augmented with qualitative statements by
checking the provision for and the coverage of the following items:
notification of the occurrence of the failures: lights, alert messages, reports, etc.;
access: ease of access for personnel and for connecting measuring instruments,
modularity, etc.;
-
diagnostics: direct fault identification, diagnostic tools which have no influence on
the system by itself, remote maintenance support facilities, statistical error checking
and reporting;
-
repairability/replaceability: modularity, unambiguous identification of modules and
elements, minimum need for special tools, minimum repercussions on other elements
or modules, when elements or modules are replaced;
- check-out: guided maintenance procedures, minimum check-out requirements.
4.6 Credibility
The credibility of a system is dependent upon the integrity and security mechanisms imple-
mented as functions performed by the system elements.
An integrity mechanism is implemented by an element checking the outputs of other
elements.

---------------------- Page: 12 ----------------------

1069-5 © IEC:1994 — 23 —
A security mechanism is implemented by an element checking the inputs to other
elements.
Credibility mechanisms include:
a) a check on
— correct performance of functions (e.g. by watchdog, using known data); and/or
— correct data (e.g. validity check, parity check, etc.);
b) an action, such as:
— self-correction;
— confinement;
— notification of action, etc.
These mechanisms can be used to provide integrity and/or security.
To analyze the credibility mechanisms, the fault injection techniques described in 8.3.2.2
can be used.
Credibility is deterministic and some aspects can be quantified.
4.7 Security
The security of a system is dependent upon mechanisms implemented at the boundary of
the system to detect and prevent incorrect inputs and unauthorized access.
Security is deterministic and some aspects can be quantified.
4.8 Integrity
The integrity is dependent upon mechanisms implemented at the output elements of the
system to check for correct outputs. It also depends upon mechanisms implemented within
the system to detect and prevent incorrect transitions of signals or data between pa rts of
the system. These internal mechanisms are integrity or security mechanisms with respect
to the associated pa rts, each of which may be considered as a system by itself.
Integrity is deterministic and some aspects can be quantified.
5 Review of the system requirements document
The system requirements document should be reviewed to check that all the tasks to be
performed by the system and the dependability requirements have been addressed and
are listed in the manner described in IEC 1069-2.
If a mission has process safety implications and the system is required to perform safety
related tasks, IEC committee draft 65A(Secretariat)123: Functional safety of electrical/
electronic/programmable electronic system (under consideration), listed in annex D, should
be consulted to check the consistency of the system requirements.

---------------------- Page: 13 ----------------------

1069-5 ©IEC:1994 — 25 —
The effectiveness of the dependability assessment is strongly dependent upon the
comprehensiveness of the statement of requirements, and its results on what is considered
to be a failure.
For this reason the system requirements document shall be reviewed to check that for
each of the system tasks the following are clearly stated:
— the relative importance of the task;
— the definition of what is considered to be a failure of the task;
the criteria of the failure in terms of the dependability properties;
-
the operational and operating environment.
The specification of a failure in quantitative or qualitative terms should follow the format
given in IEC committee draft 56(Secretariat)318: Guide on specifying dependability charac-
(under consideration), listed in annex D.
teristics
Where the dependability characteristic is influenced by human factors, these should be
properly described and quantified (if possible) to permit the proper assessment of their
influence.
To establish that the necessary information has been provided, the dependability require-
ments shall be considered both in relation to individual tasks and in relation to the total
system mission.
Annex A gives guidance on the type of information and documentation format the system
requirements document should give to enable the dependability properties to be assessed.
6 Review of the system specification document
The specification document should be reviewed to check that the dependability properties
for each of the required tasks are listed as described in IEC 1069-2.
Particular attention should be paid to verify that information is given on:
— the system functions supporting each task and the modules and elements, both
hardware and software, supporting each of these functions;
— the alternative routes supported by the system to perform each task and how these
alternative routes are activated;
— credibility mechanisms (security and integrity) provided and how these are
supported;
— reliability and availability of each task as well as of the supporting functions,
modules and elements;
— maintainability characteristics;
— operational and environmental characteristics and limits of use for the modules and
elements.
Annex B gives guidance on the type of information and documentation format the system
specification document should give to enable the dependability properties to be assessed.

---------------------- Page: 14 ----------------------

1069-5 ©IEC:1994 — 27 —
7 Assessment procedure
7.1
General
The assessment should follow the procedure as laid down in clause 7 of IEC 1069-2.
The objective of the assessment shall be clearly stated. Guidance is given in 4.1 of
IEC 1069-1.
The information given in the system requirements document (SRD) and the system speci-
fication document (SSD) should be complete and precise to enable the assessment of the
dependability. If at any phase of the assessment information is missing or incomplete,
the originators of the system requirements document and the system specification
document should be consulted with specific questions to obtain the required further
information.
A list of items to be considered for the assessment can be found in IEC 863.
7.2 Analysis of the system requirements document and system specification document
7.2.1
Collation of documented information
For the purpose of the assessment of dependability, information shall be extracted from
the system requirements document (SRD) and the system specification document (SSD)
as described in 7.2 of IEC 1069-2.
The dependability properties required for each of the tasks shall be extracted from the
system requirements document in quantitative/qualitative terms, noting the influencing
conditions under which these dependabilities are required.
Each task should be described in terms of its inputs, outputs and operation.
For each input, notes should be made of:
permissible states and corresponding permissible output state(s);
- non-permissible states and corresponding action(s) required.
For each output, notes should be made of:
- permissible states;
-
non-permissible states and corresponding action(s) required.
For each of the tasks, the following should be clearly stated:
— what constitutes a failure;
- permissible frequency of occurrence;
- action to be taken;
-
maximum time allowed to restore the task;
- as far as applicable, influencing conditions as described in IEC 1069-1.

---------------------- Page: 15 ----------------------

1069-5 ©IEC:1994 - 29 -
All information on the dependability requirements and the dependability data provided for
the system shall be drawn together and cross-related, to compile precise and concise
statements of the following:
- the functional boundaries of the system;
- items for which the system does not comply with the requirements;
- functions provided to perform the required tasks and alternative data paths linking
the functions to support the required task(s);
the allocation of the functions provided to the system modules and elements, each
-
with data of their dependability properties;
- the global pre-knowledge available and extent to which the dependability properties
should be assessed.
The analysis shall include an examination of the manner in which alternative paths
through the system are initiated, i.e.:
- in a static manner by changing the system configuration; or
- dynamically, either automatically, for example, by credibility mechanisms or manu-
ally, for example, by a keyboard action.
7.2.2 Influencing conditions
The dependability of a system can be affected by the following influencing conditions
listed in 4.4 of IEC 1069-1:
the task imposed on the system, e.g. system overload, etc.;
-
- the process connected to the system, e.g. electrical noise;
the external systems connected to the system, e.g. electrical noise, etc.;
-
- the utilities (air, electricity, etc.) serving the system, e.g. voltage variations;
the environment in which the system is placed; humidity, temperature, etc.
-
For each of the dependability properties the primary influencing conditions are as follows.
a) Reliability is influenced by the influencing conditions:
- utilities, the influence is partly predictable using IEC committee draft 56(Secre-
tariat)383: Use of failure rate data intended for reliability prediction of components
in electronic equipment - Reference conditions - Stress models for their conversion
(under consideration), listed in annex D;
- environment, the influence is partly predictable using IEC committee draft
56(Secretariat)383 listed in annex D;
- services, due to the handling, storage
...