CLC IEC/TR 63069:2020

SLOVENSKI STANDARD
01-julij-2020
Meritve, krmiljenje in avtomatizacija v industrijskih procesih - Ogrodje za
funkcionalno varnost in zaščito (IEC/TR 63069:2019)
Industrial-process measurement, control and automation - Framework for functional
safety and security (IEC/TR 63069:2019)
Industrielle Prozess-Leittechnik, Steuerungs- und Automatisierungstechnik -
Rahmenbedingungen für Funktionale Sicherheit und IT-Sicherheit (IEC/TR 63069:2019)
Mesure, commande et automation dans les processus industriels – Cadre pour la
sécurité et la sûreté fonctionnelle (IEC/TR 63069:2019)
Ta slovenski standard je istoveten z: CLC IEC/TR 63069:2020
ICS:
25.040.40 Merjenje in krmiljenje Industrial process
industrijskih postopkov measurement and control
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL REPORT CLC IEC/TR 63069

RAPPORT TECHNIQUE
TECHNISCHER BERICHT
February 2020
ICS 13.110; 25.040.40; 29.020
English Version
Industrial-process measurement, control and automation -
Framework for functional safety and security
(IEC/TR 63069:2019)
Mesure, commande et automation dans les processus Industrielle Prozess-Leittechnik, Steuerungs- und
industriels – Cadre pour la sécurité et la sûreté fonctionnelle Automatisierungstechnik - Rahmenbedingungen für
(IEC/TR 63069:2019) Funktionale Sicherheit und IT-Sicherheit
(IEC/TR 63069:2019)
This Technical Report was approved by CENELEC on 2020-01-27.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. CLC IEC/TR 63069:2020 E

European foreword
This document (CLC IEC/TR 63069:2020) consists of the text of IEC/TR 63069:2019 prepared by
IEC/TC 65 "Industrial-process measurement, control and automation".
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.

Endorsement notice
The text of the International Technical Report IEC/TR 63069:2019 was approved by CENELEC as a
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 61508-1 NOTE Harmonized as EN 61508-1
IEC 61508-2 NOTE Harmonized as EN 61508-2
IEC 61508-3 NOTE Harmonized as EN 61508-3
IEC 61508-4:2010 NOTE Harmonized as EN 61508-4:2010 (not modified)
IEC 61508-5:2010 NOTE Harmonized as EN 61508-5:2010 (not modified)
IEC 61511 (series) NOTE Harmonized as EN 61511 (series)
IEC 62443-2-4:2015 NOTE Harmonized as EN IEC 62443-2-4:2019 (not modified)
IEC 62443-3-3:2013 NOTE Harmonized as EN IEC 62443-3-3:2019 (not modified)
IEC 62443-4-1 NOTE Harmonized as EN IEC 62443-4-1

Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu.
Publication Year Title EN/HD Year
IEC 61508 series Functional safety of EN 61508 series
electrical/electronic/programmable
electronic safety-related systems
IEC 62443 series Industrial communication networks - - series
Network and system security
IEC TR 63069 ®
Edition 1.0 2019-05
TECHNICAL
REPORT
colour
inside
Industrial-process measurement, control and automation – Framework for

functional safety and security

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 13.110; 25.040.40; 29.020 ISBN 978-2-8322-6925-1

– 2 – IEC TR 63069:2019  IEC 2019
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
0.1 Purpose of this document . 6
0.2 Background. 6
0.3 Issues on the terminology . 6
0.4 Target audience . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, symbols, abbreviated terms and conventions . 7
3.1 Terms and definitions defined for this document . 7
3.2 Abbreviated terms . 15
3.3 Explanation for common terms with different definitions . 15
4 Context of security related to functional safety . 20
4.1 Description of functions. 20
4.2 Security environment . 20
5 Guiding principles . 22
6 Life cycle recommendations for co-engineering . 22
6.1 General . 22
6.2 Managing security related safety aspects . 25
7 Risk assessment considerations . 25
7.1 Risk assessment at higher level . 25
7.2 Trade-off analysis . 26
7.3 Considerations for threat-risk assessment . 26
7.3.1 General . 26
7.3.2 Recommendations to the threat-risk assessment . 27
7.3.3 Considerations related to security countermeasures . 27
7.3.4 Vulnerabilities and examples of root causes . 27
7.4 Malevolent and unauthorized actions . 27
7.4.1 General . 27
7.4.2 Reasonably foreseeable misuse (safety) . 28
7.4.3 Prevention of malevolent and unauthorized actions (security) . 28
7.4.4 Combination of password protection measures . 28
8 Incident response readiness and incident handling . 28
8.1 General . 28
8.2 Incident response readiness . 28
8.3 Incident handling . 28
Bibliography . 30

Figure 1 – Overview of functions of an IACS . 20
Figure 2 – Safety domain and security domain . 21
Figure 3 – Security environment . 21
Figure 4 – Safety and security interaction . 23
Figure 5 – Safety and security risk assessments as part of a risk assessment at higher
level . 26

IEC TR 63069:2019  IEC 2019 – 3 –
Table 1 – Terms with multiple definitions . 15
Table 2 – Recommended activities in life cycle stages . 24

– 4 – IEC TR 63069:2019  IEC 2019
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC
Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. However, a
technical committee may propose the publication of a Technical Report when it has collected
data of a different kind from that which is normally published as an International Standard, for
example "state of the art".
IEC TR 63069 has been prepared by IEC technical committee TC 65: Industrial-process
measurement, control and automation.
The text of this Technical Report is based on the following documents:
Draft DTR Report on voting
65/698/DTR 65/713A/RVDTR
Full information on the voting for the approval of this Technical Report can be found in the
report on voting indicated in the above table.
This document has been drafted in accordance with the ISO/IEC Directives, Part 2.

IEC TR 63069:2019  IEC 2019 – 5 –
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
– 6 – IEC TR 63069:2019  IEC 2019
INTRODUCTION
0.1 Purpose of this document
Many sector specific guides, standards and technical specifications have been developed in
the fields of safety and security. However, a generic document for framework for safety and
security is largely expected by industry actors. Even the terms "safety" and "security" are
sometimes used for different meanings in these documents. As a result, it can be difficult to
apply them holistically at the same time to a manufacturing system.
0.2 Background
Security has become a new factor to be considered in system engineering. The parts of the
IEC 61508 series published in 2010 took into account that security can impact functional
safety.
In IEC TC 65 (Industrial-process measurement, control and automation), considerable
concerns arose with respect to the impacts of security incidents to safety functions in IACS
(industrial automation and control systems); many complex systems of that kind are becoming
connected systems (particularly by interaction based on wireless connectivity from
sensors/actuators to complete plants, grids, etc.) for maintenance and operations. The overall
question was: "How to design and manage safety and security – in cooperation, integrated, or
separate system?"
0.3 Issues on the terminology
Definitions of some terms, such as "safety", "security" and "risk", are sometimes different in
different documents. Although they are consistent in a set of documents in each area of safety
and security, they can be inconsistent when both standards are applied at the same time.
From these reasons, the terminology is carefully used in this document.
0.4 Target audience
The target audience of this document includes, but is not limited to,
– asset owners (including those responsible for concept and governance),
– system integrators (including those responsible for design and realisation),
– product suppliers (including those responsible for design and realisation),
– service providers (including operators and maintainers), and
– authorities (including those responsible for assessment and audit).

IEC TR 63069:2019  IEC 2019 – 7 –
INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY

1 Scope
This document explains and provides guidance on the common application of IEC 61508 (all
parts) and IEC 62443 (all parts) in the area of industrial-process measurement, control and
automation.
This document can apply to other industrial sectors where IEC 61508 (all parts) and
IEC 62443 (all parts) are applied.
NOTE Usage or reference of this document for industry specific sector standards is encouraged.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic
safety-related systems
IEC 62443 (all parts), Security for industrial automation and control systems
3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions defined for this document
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
NOTE Within this document, new terms and definitions are created only if not provided by the IEC 61508 series or
the IEC 62443 series.
3.1.1
incident handling
actions of detecting, reporting, assessing, responding to, dealing with, and learning from
security incidents
[SOURCE: ISO/IEC 27035-1:2016, 3.6, modified – The words "information security incidents"
has been replaced by "security incidents".]
3.1.2
incident response
actions taken to mitigate or resolve a security incident, including those taken to protect and
restore the normal operational conditions of an IACS and the information stored in it
[SOURCE: ISO/IEC 27035-1:2016, 3.7, modified – The words "information security incident"
were replaced by "security incident", and "information system" was replaced by "IACS".]

– 8 – IEC TR 63069:2019  IEC 2019
3.1.3
safety domain
safety activities carried out by assigned persons or organizations and their outcomes
according to IEC 61508 (all parts)
3.1.4
security domain
security activities carried out by assigned persons or organizations and their outcomes
according to IEC 62443 (all parts)
3.1.5
security environment
area of consideration where all relevant security countermeasures are in place and effective
3.1.6
access
ability and means to communicate with or otherwise interact with a system in order to use
system resources
Note 1 to entry: Access may involve physical access (authorization to be allowed physically in an area,
possession of a physical key lock, PIN code, or access card or biometric attributes that allow access) or logical
access (authorization to log in to a system and application, through a combination of logical and physical means).
[SOURCE: IEC TS 62443-1-1:2009, 3.2.1]
3.1.7
architecture
specific configuration of hardware and software elements in a system
[SOURCE: IEC 61508-4:2010, 3.3.4]
3.1.8
asset
physical or logical object owned by or under the custodial duties of an organization, having
either a perceived or actual value to the organization
Note 1 to entry: In the case of industrial automation and control systems the physical assets that have the largest
directly measurable value may be the equipment under control.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.6]
3.1.9
attack
assault on a system that derives from an intelligent threat – i.e., an intelligent act that is a
deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system
Note 1 to entry: There are different commonly recognized classes of attack:
• An "active attack" attempts to alter system resources or affect their operation.
• A "passive attack" attempts to learn or make use of information from the system but does not affect system
resources.
• An "inside attack" is an attack initiated by an entity inside the security perimeter (an "insider") – i.e., an entity
that is authorized to access system resources but uses them in a way not approved by those who granted the
authorization.
• An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system
(including an insider attacking from outside the security perimeter). Potential outside attackers range from
amateur pranksters to organized criminals, international terrorists, and hostile governments.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.9]

IEC TR 63069:2019  IEC 2019 – 9 –
3.1.10
availability
ability of an item to be in a state to perform a required function under given conditions at a
given instant or over a given time interval, assuming that the required external resources are
provided
Note 1 to entry: This ability depends on the combined aspects of the reliability performance, the maintainability
performance and the maintenance support performance.
Note 2 to entry: Required external resources, other than maintenance resources do not affect the availability
performance of the item.
Note 3 to entry: In French the term "disponibilité" is also used in the sense of "instantaneous availability"."
[SOURCE: IEC TS 62443-1-1:2009, 3.2.16]
3.1.11
confidentiality
assurance that information is not disclosed to unauthorized individuals, processes, or devices
[SOURCE: IEC TS 62443-1-1:2009, 3.2.28]
3.1.12
countermeasure
action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by
eliminating or preventing it, by minimizing the harm it can cause, or by discovering and
reporting it so that corrective action can be taken
Note 1 to entry: The term "control" is also used to describe this concept in some contexts. The term
countermeasure has been chosen for IEC TS 62443-1-1 to avoid confusion with the term "control" in the context of
process control.
Note 2 to entry: The words "minimizing the harm" in this definition do not relate to functional safety.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.33, modified – Addition of Note 2 to entry.]
3.1.13
dangerous failure
failure of an element and/or subsystem and/or system that plays a part in implementing the
safety function that:
a) prevents a safety function from operating when required (demand mode) or causes a
safety function to fail (continuous mode) such that the EUC is put into a hazardous or
potentially hazardous state; or
b) decreases the probability that the safety function operates correctly when required
[SOURCE: IEC 61508-4:2010, 3.6.7]
3.1.14
defence in depth
provision of multiple security protections, especially in layers, with the intent to delay if not
prevent an attack
Note 1 to entry: Defence in depth implies layers of security and detection, even on single systems, and provides
the following features:
• attackers are faced with breaking through or bypassing each layer without being detected;
• a flaw in one layer can be mitigated by capabilities in other layers;
• a system security becomes a set of layers within the overall network security.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.40]

– 10 – IEC TR 63069:2019  IEC 2019
3.1.15
essential function
function or capability that is required to maintain health, safety, the environment and
availability for the equipment under control
Note 1 to entry: Essential functions include, but are not limited to, the safety instrumented function (SIF), the
control function and the ability of the operator to view and manipulate the equipment under control. The loss of
essential functions is commonly termed loss of protection, loss of control and loss of view respectively. In some
industries additional functions such as history may be considered essential.
[SOURCE: IEC 62443-3-3:2013, 3.1.22]
3.1.16
functional safety
part of the overall safety relating to the EUC and the EUC control system that depends on the
correct functioning of the E/E/PE safety-related systems and other risk reduction measures
[SOURCE: IEC 61508-4:2010, 3.1.12]
3.1.17
harm
physical injury or damage to the health of people or damage to property or the environment
[SOURCE: IEC 61508-4:2010, 3.1.1]
3.1.18
hazard
potential source of harm
Note 1 to entry: The term includes danger to persons arising within a short time scale (for example, fire and
explosion) and also those that have a long-term effect on a person’s health (for example, release of a toxic
substance).
[SOURCE: IEC 61508-4:2010, 3.1.2]
3.1.19
incident
event that is not part of the expected operation of a system or service that causes or may
cause, an interruption to, or a reduction in, the quality of the service provided by the system
[SOURCE: IEC 62443-2-1:2010, 3.1.18]
3.1.20
industrial automation and control systems
IACS
collection of personnel, hardware, and software that can affect or influence the safe, secure,
and reliable operation of an industrial process
Note 1 to entry: These systems include, but are not limited to:
• industrial control systems, including distributed control systems (DCSs), programmable logic controllers
(PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition
(SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context,
process control systems include basic process control system and safety instrumented system (SIS) functions,
whether they are physically separate or integrated.)
• associated information systems such as advanced or multivariable control, online optimizers, dedicated
equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant
information management systems.
• associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing
operations functionality to continuous, batch, discrete, and other processes.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.57]

IEC TR 63069:2019  IEC 2019 – 11 –
3.1.21
integrity
quality of a system reflecting the logical correctness and reliability of the operating system,
the logical completeness of the hardware and software implementing the protection
mechanisms, and the consistency of the data structures and occurrence of the stored data
Note 1 to entry: In a formal security mode, integrity is often interpreted more narrowly to mean protection against
unauthorized modification or destruction of information.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.60]
3.1.22
risk
combination of the probability of occurrence of harm and the severity of that harm
Note 1 to entry: For more discussion on this concept see Annex A of IEC 61508-5:2010.
[SOURCE: IEC 61508-4:2010, 3.1.6, modified – The domain has been added between angle
brackets.]
3.1.23
risk
expectation of loss expressed as the probability that a particular threat will exploit
a particular vulnerability with a particular consequence
[SOURCE: IEC TS 62443-1-1:2009, 3.2.87, modified – The domain has been added between
angle brackets.]
3.1.24
safe state
state of the EUC when safety is achieved
[SOURCE: IEC 61508-4:2010, 3.1.13, modified – Deletion of the note.]
3.1.25
safety
freedom from unacceptable risk
[SOURCE: IEC 61508-4:2010, 3.1.11]
3.1.26
safety function
function to be implemented by an E/E/PE safety-related system or other risk reduction
measures, that is intended to achieve or maintain a safe state for the EUC, in respect of a
specific hazardous event
EXAMPLE Examples of safety functions include:
– functions that are required to be carried out as positive actions to avoid hazardous situations (for example
switching off a motor); and
– functions that prevent actions being taken (for example preventing a motor starting).
[SOURCE: IEC 61508-4:2010, 3.5.1]
3.1.27
safety integrity
probability of an E/E/PE safety-related system satisfactorily performing the specified safety
functions under all the stated conditions within a stated period of time

– 12 – IEC TR 63069:2019  IEC 2019
Note 1 to entry: The higher the level of safety integrity, the lower the probability that the safety-related system will
fail to carry out the specified safety functions or will fail to adopt a specified state when required.
Note 2 to entry: There are four levels of safety integrity (see 3.5.8 of IEC 61508-4:2010).
Note 3 to entry: In determining safety integrity, all causes of failures (both random hardware failures and
systematic failures) that lead to an unsafe state should be included, for example hardware failures, software
induced failures and failures due to electrical interference. Some of these types of failure, in particular random
hardware failures, may be quantified using such measures as the average frequency of failure in the dangerous
mode of failure or the probability of a safety-related protection system failing to operate on demand. However,
safety integrity also depends on many factors that cannot be accurately quantified but can only be considered
qualitatively.
Note 4 to entry: Safety integrity comprises hardware safety integrity (see 3.5.7 of IEC 61508-4:2010) and
systematic safety integrity (see 3.5.6 of IEC 61508-4:2010).
Note 5 to entry: This definition focuses on the reliability of the safety-related systems to perform the safety
functions.
[SOURCE: IEC 61508-4:2010, 3.5.4, modified – The text between brackets has been deleted.]
3.1.28
safety integrity level
SIL
discrete level (one out of a possible four), corresponding to a range of safety integrity values,
where safety integrity level 4 has the highest level of safety integrity and safety integrity level
1 has the lowest
Note 1 to entry: The target failure measures (see 3.5.17 of IEC 61508-4:2010) for the four safety integrity levels
are specified in Tables 2 and 3 of IEC 61508-1.
Note 2 to entry: Safety integrity levels are used for specifying the safety integrity requirements of the safety
functions to be allocated to the E/E/PE safety-related systems.
Note 3 to entry: A safety integrity level (SIL) is not a property of a system, subsystem, element or component.
The correct interpretation of the phrase "SIL n safety-related system" (where n is 1, 2, 3 or 4) is that the system is
potentially capable of supporting safety functions with a safety integrity level up to n.
[SOURCE: IEC 61508-4:2010, 3.5.8]
3.1.29
safety-related system
designated system that both
– implements the required safety functions necessary to achieve or maintain a safe state for
the EUC; and
– is intended to achieve, on its own or with other E/E/PE safety-related systems and other
risk reduction measures, the necessary safety integrity for the required safety functions
Note 1 to entry: The term refers to those systems, designated as safety-related systems, that are intended to
achieve, together with the other risk reduction measures (see 3.4.2 of IEC 61508-4:2010), the necessary risk
reduction in order to meet the required tolerable risk (see 3.1.7 of IEC 61508-4:2010). See also Annex A of
IEC 61508-5:2010.
Note 2 to entry: Safety-related systems are designed to prevent the EUC from going into a dangerous state by
taking appropriate action on detection of a condition which may lead to a hazardous event. The failure of a safety-
related system would be included in the events leading to the determined hazard or hazards. Although there may
be other systems having safety functions, it is the safety-related systems that have been designated to achieve, in
their own right, the required tolerable risk. Safety-related systems can broadly be divided into safety-related control
systems and safety-related protection systems.
Note 3 to entry: Safety-related systems may be an integral part of the EUC control system or may interface with
the EUC by sensors and/or actuators. That is, the required safety integrity level may be achieved by implementing
the safety functions in the EUC control system (and possibly by additional separate and independent systems as
well) or the safety functions may be implemented by separate and independent systems dedicated to safety.
Note 4 to entry: A safety-related system may
a) be designed to prevent the hazardous event (i.e. if the safety-related systems perform their safety functions
then no harmful event arises);

IEC TR 63069:2019  IEC 2019 – 13 –
b) be designed to mitigate the effects of the harmful event, thereby reducing the risk by reducing the
consequences;
c) be designed to achieve a combination of a) and b).
Note 5 to entry: A person can be part of a safety-related system. For example, a person could receive information
from a programmable electronic device and perform a safety action based on this information, or perform a safety
action through a programmable electronic device.
Note 6 to entry: A safety-related system includes all the hardware, software and supporting services (for example,
power supplies) necessary to carry out the specified safety function (sensors, other input devices, final elements
(actuators) and other output devices are therefore included in the safety-related system).
Note 7 to entry: A safety-related system may be based on a wide range of technologies including electrical,
electronic, programmable electronic, hydraulic and pneumatic.
[SOURCE: IEC 61508-4:2010, 3.4.1]
3.1.30
security
a) measures taken to protect a system
b) condition of a system that results from the establishment and maintenance of measures to
protect the system
c) condition of system resources being free from unauthorized access and from unauthorized
or accidental change, destruction, or loss
d) capability of a computer-based system to provide adequate confidence that unauthorized
persons and systems can neither modify the software and its data nor gain access to the
system functions, and yet to ensure that this is not denied to authorized persons and
systems
e) prevention of illegal or unwanted penetration of, or interference with the proper and
intended operation of an industrial automation and control system
Note 1 to entry: Measures can be controls related to physical security (controlling physical access to computing
assets) or logical security (capability to login to a given system and application).
[SOURCE: IEC TS 62443-1-1:2009, 3.2.99]
3.1.31
security incident
adverse event in a system or network, or the threat of the occurrence of such an event
[SOURCE: IEC TS 62443-1-1:2009, 3.2.106]
3.1.32
security level
SL
level corresponding to the required effectiveness of countermeasures and inherent security
properties of devices and systems for a zone or conduit based on assessment of risk for the
zone or conduit
[SOURCE: IEC TS 62443-1-1:2009, 3.2.108, modified – The abbreviated term "SL" has been
added.]
3.1.33
security patch
software patch that is relevant to the security of a software component
Note 1 to entry: For the purpose of this definition, firmware is considered software.
Note 2 to entry: Software patches may address known or potential vulnerabilities, or simply improve the security
of the software component, including its reliable operation.
[SOURCE: IEC 62443-2-4:2015, 3.1.17]

– 14 – IEC TR 63069:2019  IEC 2019
3.1.34
security perimeter
boundary (logical or physical) of the domain in which a security policy or security architecture
applies, i.e., the boundary of the space in which security services protect system resources
[SOURCE: IEC TS 62443-1-1:2009, 3.2.110]
3.1.35
security zone
grouping of logical or physical assets that share common security requirements
Note 1 to entry: All unqualified uses of the term "zone" in this document should be assumed to refer to a security
zone.
Note 2 to entry: A zone has a clear border with other zones. The security policy of a zone is typically enforced by
a combination of mechanisms both at the zone edge and within the zone. Zones can be hierarchical in the sense
that they can be comprised of a collection of sub-zones.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.117]
3.1.36
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety
integrity of an element meets the requirements of the specified SIL, in respect of the specified
element safety function, when the element is applied in accordance with the instructions
specified in the compliant item safety manual for the element
Note 1 to entry: Systematic capability is determined with reference to the requirements for the avoidance and
control of systematic faults (see IEC 61508-2 and IEC 61508-3).
Note 2 to entry: What is a relevant systematic failure mechanism will depend on the nature of the element. For
example, for an element comprising solely software, only software failure mechanisms will need to be considered.
For an element comprising hardware and software, it will be necessary to consider both systematic hardware and
software failure mechanisms.
Note 3 to entry: A Systematic capability of SC N for an element, in respect of the specified element safety
function, means that the systematic safety integrity of SIL N has been met when the element is applied in
accordance with the instructions specified in the compliant item safety manual for the element.
[SOURCE: IEC 61508-4:2010, 3.5.9]
3.1.37
threat
potential for violation of security, which exists when there is a circumstance, capability, action,
or event that could breach security and cause harm
[SOURCE: IEC TS 62443-1-1:2009, 3.2.125]
3.1.38
threat agent
causative agent of a threat action
[SOURCE: IEC TS 62443-1-1:2009, 3.2.127]
3.1.39
vulnerability
flaw or weakness in a system's design, implementation, or operation and management that
could be exploited to violate the system's integrity or security policy
[SOURCE: IEC TS 62443-1-1:2009, 3.2.135]

IEC TR 63069:2019  IEC 2019 – 15 –
3.2 Abbreviated terms
BPCS Basic Process Control System
DCS Distributed Control System
DoS Denial of Service
E/E/PE Electrical/Electronic/Programmable Electronic
EUC Equipment Under Control
HFT Hardware Fault Tolerance
IACS Industrial Automation and Control Systems
PLC Programmable Logic Controller
RTU Remote Terminal Unit
SC Systematic Capability
SCADA Supervisory Control And Data Acquisition
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SL Security Level
3.3 Explanation for common terms with different definitions
Some terms have different definitions in the IEC 61508 series and IEC 62443 series. For them,
explanation is given in Table 1.
The meaning of each appearance of these terms in the body of this document is clarified by
indicating which definition is intended in the context as follows.
The domain identification "" following a term indicates that the meaning of this term is
intended as defined by IEC 61508 (all parts). Similarly, the domain identification ""
indicates the meaning is intended as defined by IEC 62443 (all parts).
NOTE 1 When a term that can have a domain identifier is used without domain identifier, the term is intended as a
general term.
Table 1 provides additional information on the existing terms and definitions of IEC 61508
(all parts) and IEC 62443 (all parts).
NOTE 2 Table 1 does not include notes to entry for the definitions.
Table 1 – Terms with multiple definitions
Term Definition from the Definition from the Remark
IEC 61508 series IEC 62443 series
safety freedom from freedom from unacceptable Both definitions refer to risk
unacceptable risk risk .
[SOURCE: IEC 61508- [SOURCE: IEC TS 62443-1- NOTE Safety is related to the
4:2010, 3.1.11] 1:2009, 3.2.94] aspects of functional safety in the
IEC 61508 series only and might
be understood differently within
other standards (e.g. electrical
safety or mechanical safety).
– 16 – IEC TR 63069:2019  IEC 2019
Term Definition from the Definition from the Remark
IEC 61508 series IEC 62443 series
a) measures taken to protect
security The IEC Guide 120 provides a
a system
compact and useful definition:
b) condition of a system that
condition that results from the
results from the
establishment and maintenance of
establishment and
protective measures that ensure a
maintenance of measures
state of inviolability from hostile
to protect the system
acts or influences
c) condition of system
[SOURCE: IEC Guide 120: 2008,
resources being free from
3.13]
unauthorized access and
from unauthorized or
accidental change,
destruction, or loss
d) capability of a computer-
based system to provide
adequate confidence that
unauthorized persons and
systems can neither
modify the software and
its data nor gain access to
the system functions, and
yet to ensure that this is
not denied to authorized
persons and systems
e) prevention of illegal or
unwanted penetration of,
or interference with the
pr
...