iTeh Standards logo
EURUSD
Your shopping cart is empty.
IEC

IEC TR 63069:2019

(Main)

Industrial-process measurement, control and automation - Framework for functional safety and security

Industrial-process measurement, control and automation - Framework for functional safety and security

IEC TR 63069:2019 (E) explains and provides guidance on the common application of IEC 61508 (all parts) and IEC 62443 (all parts) in the area of industrial-process measurement, control and automation.
This document can apply to other industrial sectors where IEC 61508 (all parts) and IEC 62443 (all parts) are applied.

General Information

Status
Published
Publication Date
19-May-2019
ICS
13.110 - Safety of machinery
25.040.40 - Industrial process measurement and control
29.020 - Electrical engineering in general
Technical Committee
TC 65 - Industrial-process measurement, control and automation
Current Stage
PPUB - Publication issued
Start Date
20-May-2019
Completion Date
14-Jun-2019
Ref Project
IEC TR 63069:2019 - Industrial-process measurement, control and automation - Framework for functional safety and securityIEC TR 63069:2019 - Industrial-process measurement, control and automation - Framework for functional safety and security
PreviousNext
Technical report
IEC TR 63069:2019 - Industrial-process measurement, control and automation - Framework for functional safety and security
English language
30 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


IEC TR 63069 ®
Edition 1.0 2019-05
TECHNICAL
REPORT
colour
inside
Industrial-process measurement, control and automation – Framework for
functional safety and security
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform Electropedia - www.electropedia.org
The advanced search enables to find IEC publications by a The world's leading online dictionary on electrotechnology,
variety of criteria (reference number, text, technical containing more than 22 000 terminological entries in English
committee,…). It also gives information on projects, replaced and French, with equivalent terms in 16 additional languages.
and withdrawn publications. Also known as the International Electrotechnical Vocabulary

(IEV) online.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published IEC Glossary - std.iec.ch/glossary
details all new publications released. Available online and 67 000 electrotechnical terminology entries in English and
once a month by email. French extracted from the Terms and Definitions clause of
IEC publications issued since 2002. Some entries have been
IEC Customer Service Centre - webstore.iec.ch/csc collected from earlier publications of IEC TC 37, 77, 86 and
If you wish to give us your feedback on this publication or CISPR.

need further assistance, please contact the Customer Service

Centre: sales@iec.ch.
IEC TR 63069 ®
Edition 1.0 2019-05
TECHNICAL
REPORT
colour
inside
Industrial-process measurement, control and automation – Framework for

functional safety and security

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 13.110; 25.040.40; 29.020 ISBN 978-2-8322-6925-1

– 2 – IEC TR 63069:2019  IEC 2019
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
0.1 Purpose of this document . 6
0.2 Background. 6
0.3 Issues on the terminology . 6
0.4 Target audience . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, symbols, abbreviated terms and conventions . 7
3.1 Terms and definitions defined for this document . 7
3.2 Abbreviated terms . 15
3.3 Explanation for common terms with different definitions . 15
4 Context of security related to functional safety . 20
4.1 Description of functions. 20
4.2 Security environment . 20
5 Guiding principles . 22
6 Life cycle recommendations for co-engineering . 22
6.1 General . 22
6.2 Managing security related safety aspects . 25
7 Risk assessment considerations . 25
7.1 Risk assessment at higher level . 25
7.2 Trade-off analysis . 26
7.3 Considerations for threat-risk assessment . 26
7.3.1 General . 26
7.3.2 Recommendations to the threat-risk assessment . 27
7.3.3 Considerations related to security countermeasures . 27
7.3.4 Vulnerabilities and examples of root causes . 27
7.4 Malevolent and unauthorized actions . 27
7.4.1 General . 27
7.4.2 Reasonably foreseeable misuse (safety) . 28
7.4.3 Prevention of malevolent and unauthorized actions (security) . 28
7.4.4 Combination of password protection measures . 28
8 Incident response readiness and incident handling . 28
8.1 General . 28
8.2 Incident response readiness . 28
8.3 Incident handling . 28
Bibliography . 30

Figure 1 – Overview of functions of an IACS . 20
Figure 2 – Safety domain and security domain . 21
Figure 3 – Security environment . 21
Figure 4 – Safety and security interaction . 23
Figure 5 – Safety and security risk assessments as part of a risk assessment at higher
level . 26

Table 1 – Terms with multiple definitions . 15
Table 2 – Recommended activities in life cycle stages . 24

– 4 – IEC TR 63069:2019  IEC 2019
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC
Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. However, a
technical committee may propose the publication of a Technical Report when it has collected
data of a different kind from that which is normally published as an International Standard, for
example "state of the art".
IEC TR 63069 has been prepared by IEC technical committee TC 65: Industrial-process
measurement, control and automation.
The text of this Technical Report is based on the following documents:
Draft DTR Report on voting
65/698/DTR 65/713A/RVDTR
Full information on the voting for the approval of this Technical Report can be found in the
report on voting indicated in the above table.
This document has been drafted in accordance with the ISO/IEC Directives, Part 2.

The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
– 6 – IEC TR 63069:2019  IEC 2019
INTRODUCTION
0.1 Purpose of this document
Many sector specific guides, standards and technical specifications have been developed in
the fields of safety and security. However, a generic document for framework for safety and
security is largely expected by industry actors. Even the terms "safety" and "security" are
sometimes used for different meanings in these documents. As a result, it can be difficult to
apply them holistically at the same time to a manufacturing system.
0.2 Background
Security has become a new factor to be considered in system engineering. The parts of the
IEC 61508 series published in 2010 took into account that security can impact functional
safety.
In IEC TC 65 (Industrial-process measurement, control and automation), considerable
concerns arose with respect to the impacts of security incidents to safety functions in IACS
(industrial automation and control systems); many complex systems of that kind are becoming
connected systems (particularly by interaction based on wireless connectivity from
sensors/actuators to complete plants, grids, etc.) for maintenance and operations. The overall
question was: "How to design and manage safety and security – in cooperation, integrated, or
separate system?"
0.3 Issues on the terminology
Definitions of some terms, such as "safety", "security" and "risk", are sometimes different in
different documents. Although they are consistent in a set of documents in each area of safety
and security, they can be inconsistent when both standards are applied at the same time.
From these reasons, the terminology is carefully used in this document.
0.4 Target audience
The target audience of this document includes, but is not limited to,
– asset owners (including those responsible for concept and governance),
– system integrators (including those responsible for design and realisation),
– product suppliers (including those responsible for design and realisation),
– service providers (including operators and maintainers), and
– authorities (including those responsible for assessment and audit).

INDUSTRIAL-PROCESS MEASUREMENT, CONTROL AND AUTOMATION –
FRAMEWORK FOR FUNCTIONAL SAFETY AND SECURITY

1 Scope
This document explains and provides guidance on the common application of IEC 61508 (all
parts) and IEC 62443 (all parts) in the area of industrial-process measurement, control and
automation.
This document can apply to other industrial sectors where IEC 61508 (all parts) and
IEC 62443 (all parts) are applied.
NOTE Usage or reference of this document for industry specific sector standards is encouraged.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic
safety-related systems
IEC 62443 (all parts), Security for industrial automation and control systems
3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions defined for this document
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
NOTE Within this document, new terms and definitions are created only if not provided by the IEC 61508 series or
the IEC 62443 series.
3.1.1
incident handling
actions of detecting, reporting, assessing, responding to, dealing with, and learning from
security incidents
[SOURCE: ISO/IEC 27035-1:2016, 3.6, modified – The words "information security incidents"
has been replaced by "security incidents".]
3.1.2
incident response
actions taken to mitigate or resolve a security incident, including those taken to protect and
restore the normal operational conditions of an IACS and the information stored in it
[SOURCE: ISO/IEC 27035-1:2016, 3.7, modified – The words "information security incident"
were replaced by "security incident", and "information system" was replaced by "IACS".]

– 8 – IEC TR 63069:2019  IEC 2019
3.1.3
safety domain
safety activities carried out by assigned persons or organizations and their outcomes
according to IEC 61508 (all parts)
3.1.4
security domain
security activities carried out by assigned persons or organizations and their outcomes
according to IEC 62443 (all parts)
3.1.5
security environment
area of consideration where all relevant security countermeasures are in place and effective
3.1.6
access
ability and means to communicate with or otherwise interact with a system in order to use
system resources
Note 1 to entry: Access may involve physical access (authorization to be allowed physically in an area,
possession of a physical key lock, PIN code, or access card or biometric attributes that allow access) or logical
access (authorization to log in to a system and application, through a combination of logical and physical means).
[SOURCE: IEC TS 62443-1-1:2009, 3.2.1]
3.1.7
architecture
specific configuration of hardware and software elements in a system
[SOURCE: IEC 61508-4:2010, 3.3.4]
3.1.8
asset
physical or logical object owned by or under the custodial duties of an organization, having
either a perceived or actual value to the organization
Note 1 to entry: In the case of industrial automation and control systems the physical assets that have the largest
directly measurable value may be the equipment under control.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.6]
3.1.9
attack
assault on a system that derives from an intelligent threat – i.e., an intelligent act that is a
deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system
Note 1 to entry: There are different commonly recognized classes of attack:
• An "active attack" attempts to alter system resources or affect their operation.
• A "passive attack" attempts to learn or make use of information from the system but does not affect system
resources.
• An "inside attack" is an attack initiated by an entity inside the security perimeter (an "insider") – i.e., an entity
that is authorized to access system resources but uses them in a way not approved by those who granted the
authorization.
• An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system
(including an insider attacking from outside the security perimeter). Potential outside attackers range from
amateur pranksters to organized criminals, international terrorists, and hostile governments.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.9]

3.1.10
availability
ability of an item to be in a state to perform a required function under given conditions at a
given instant or over a given time interval, assuming that the required external resources are
provided
Note 1 to entry: This ability depends on the combined aspects of the reliability performance, the maintainability
performance and the maintenance support performance.
Note 2 to entry: Required external resources, other than maintenance resources do not affect the availability
performance of the item.
Note 3 to entry: In French the term "disponibilité" is also used in the sense of "instantaneous availability"."
[SOURCE: IEC TS 62443-1-1:2009, 3.2.16]
3.1.11
confidentiality
assurance that information is not disclosed to unauthorized individuals, processes, or devices
[SOURCE: IEC TS 62443-1-1:2009, 3.2.28]
3.1.12
countermeasure
action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by
eliminating or preventing it, by minimizing the harm it can cause, or by discovering and
reporting it so that corrective action can be taken
Note 1 to entry: The term "control" is also used to describe this concept in some contexts. The term
countermeasure has been chosen for IEC TS 62443-1-1 to avoid confusion with the term "control" in the context of
process control.
Note 2 to entry: The words "minimizing the harm" in this definition do not relate to functional safety.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.33, modified – Addition of Note 2 to entry.]
3.1.13
dangerous failure
failure of an element and/or subsystem and/or system that plays a part in implementing the
safety function that:
a) prevents a safety function from operating when required (demand mode) or causes a
safety function to fail (continuous mode) such that the EUC is put into a hazardous or
potentially hazardous state; or
b) decreases the probability that the safety function operates correctly when required
[SOURCE: IEC 61508-4:2010, 3.6.7]
3.1.14
defence in depth
provision of multiple security protections, especially in layers, with the intent to delay if not
prevent an attack
Note 1 to entry: Defence in depth implies layers of security and detection, even on single systems, and provides
the following features:
• attackers are faced with breaking through or bypassing each layer without being detected;
• a flaw in one layer can be mitigated by capabilities in other layers;
• a system security becomes a set of layers within the overall network security.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.40]

– 10 – IEC TR 63069:2019  IEC 2019
3.1.15
essential function
function or capability that is required to maintain health, safety, the environment and
availability for the equipment under control
Note 1 to entry: Essential functions include, but are not limited to, the safety instrumented function (SIF), the
control function and the ability of the operator to view and manipulate the equipment under control. The loss of
essential functions is commonly termed loss of protection, loss of control and loss of view respectively. In some
industries additional functions such as history may be considered essential.
[SOURCE: IEC 62443-3-3:2013, 3.1.22]
3.1.16
functional safety
part of the overall safety relating to the EUC and the EUC control system that depends on the
correct functioning of the E/E/PE safety-related systems and other risk reduction measures
[SOURCE: IEC 61508-4:2010, 3.1.12]
3.1.17
harm
physical injury or damage to the health of people or damage to property or the environment
[SOURCE: IEC 61508-4:2010, 3.1.1]
3.1.18
hazard
potential source of harm
Note 1 to entry: The term includes danger to persons arising within a short time scale (for example, fire and
explosion) and also those that have a long-term effect on a person’s health (for example, release of a toxic
substance).
[SOURCE: IEC 61508-4:2010, 3.1.2]
3.1.19
incident
event that is not part of the expected operation of a system or service that causes or may
cause, an interruption to, or a reduction in, the quality of the service provided by the system
[SOURCE: IEC 62443-2-1:2010, 3.1.18]
3.1.20
industrial automation and control systems
IACS
collection of personnel, hardware, and software that can affect or influence the safe, secure,
and reliable operation of an industrial process
Note 1 to entry: These systems include, but are not limited to:
• industrial control systems, including distributed control systems (DCSs), programmable logic controllers
(PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition
(SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context,
process control systems include basic process control system and safety instrumented system (SIS) functions,
whether they are physically separate or integrated.)
• associated information systems such as advanced or multivariable control, online optimizers, dedicated
equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant
information management systems.
• associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing
operations functionality to continuous, batch, discrete, and other processes.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.57]

3.1.21
integrity
quality of a system reflecting the logical correctness and reliability of the operating system,
the logical completeness of the hardware and software implementing the protection
mechanisms, and the consistency of the data structures and occurrence of the stored data
Note 1 to entry: In a formal security mode, integrity is often interpreted more narrowly to mean protection against
unauthorized modification or destruction of information.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.60]
3.1.22
risk
combination of the probability of occurrence of harm and the severity of that harm
Note 1 to entry: For more discussion on this concept see Annex A of IEC 61508-5:2010.
[SOURCE: IEC 61508-4:2010, 3.1.6, modified – The domain has been added between angle
brackets.]
3.1.23
risk
expectation of loss expressed as the probability that a particular threat will exploit
a particular vulnerability with a particular consequence
[SOURCE: IEC TS 62443-1-1:2009, 3.2.87, modified – The domain has been added between
angle brackets.]
3.1.24
safe state
state of the EUC when safety is achieved
[SOURCE: IEC 61508-4:2010, 3.1.13, modified – Deletion of the note.]
3.1.25
safety
freedom from unacceptable risk
[SOURCE: IEC 61508-4:2010, 3.1.11]
3.1.26
safety function
function to be implemented by an E/E/PE safety-related system or other risk reduction
measures, that is intended to achieve or maintain a safe state for the EUC, in respect of a
specific hazardous event
EXAMPLE Examples of safety functions include:
– functions that are required to be carried out as positive actions to avoid hazardous situations (for example
switching off a motor); and
– functions that prevent actions being taken (for example preventing a motor starting).
[SOURCE: IEC 61508-4:2010, 3.5.1]
3.1.27
safety integrity
probability of an E/E/PE safety-related system satisfactorily performing the specified safety
functions under all the stated conditions within a stated period of time

– 12 – IEC TR 63069:2019  IEC 2019
Note 1 to entry: The higher the level of safety integrity, the lower the probability that the safety-related system will
fail to carry out the specified safety functions or will fail to adopt a specified state when required.
Note 2 to entry: There are four levels of safety integrity (see 3.5.8 of IEC 61508-4:2010).
Note 3 to entry: In determining safety integrity, all causes of failures (both random hardware failures and
systematic failures) that lead to an unsafe state should be included, for example hardware failures, software
induced failures and failures due to electrical interference. Some of these types of failure, in particular random
hardware failures, may be quantified using such measures as the average frequency of failure in the dangerous
mode of failure or the probability of a safety-related protection system failing to operate on demand. However,
safety integrity also depends on many factors that cannot be accurately quantified but can only be considered
qualitatively.
Note 4 to entry: Safety integrity comprises hardware safety integrity (see 3.5.7 of IEC 61508-4:2010) and
systematic safety integrity (see 3.5.6 of IEC 61508-4:2010).
Note 5 to entry: This definition focuses on the reliability of the safety-related systems to perform the safety
functions.
[SOURCE: IEC 61508-4:2010, 3.5.4, modified – The text between brackets has been deleted.]
3.1.28
safety integrity level
SIL
discrete level (one out of a possible four), corresponding to a range of safety integrity values,
where safety integrity level 4 has the highest level of safety integrity and safety integrity level
1 has the lowest
Note 1 to entry: The target failure measures (see 3.5.17 of IEC 61508-4:2010) for the four safety integrity levels
are specified in Tables 2 and 3 of IEC 61508-1.
Note 2 to entry: Safety integrity levels are used for specifying the safety integrity requirements of the safety
functions to be allocated to the E/E/PE safety-related systems.
Note 3 to entry: A safety integrity level (SIL) is not a property of a system, subsystem, element or component.
The correct interpretation of the phrase "SIL n safety-related system" (where n is 1, 2, 3 or 4) is that the system is
potentially capable of supporting safety functions with a safety integrity level up to n.
[SOURCE: IEC 61508-4:2010, 3.5.8]
3.1.29
safety-related system
designated system that both
– implements the required safety functions necessary to achieve or maintain a safe state for
the EUC; and
– is intended to achieve, on its own or with other E/E/PE safety-related systems and other
risk reduction measures, the necessary safety integrity for the required safety functions
Note 1 to entry: The term refers to those systems, designated as safety-related systems, that are intended to
achieve, together with the other risk reduction measures (see 3.4.2 of IEC 61508-4:2010), the necessary risk
reduction in order to meet the required tolerable risk (see 3.1.7 of IEC 61508-4:2010). See also Annex A of
IEC 61508-5:2010.
Note 2 to entry: Safety-related systems are designed to prevent the EUC from going into a dangerous state by
taking appropriate action on detection of a condition which may lead to a hazardous event. The failure of a safety-
related system would be included in the events leading to the determined hazard or hazards. Although there may
be other systems having safety functions, it is the safety-related systems that have been designated to achieve, in
their own right, the required tolerable risk. Safety-related systems can broadly be divided into safety-related control
systems and safety-related protection systems.
Note 3 to entry: Safety-related systems may be an integral part of the EUC control system or may interface with
the EUC by sensors and/or actuators. That is, the required safety integrity level may be achieved by implementing
the safety functions in the EUC control system (and possibly by additional separate and independent systems as
well) or the safety functions may be implemented by separate and independent systems dedicated to safety.
Note 4 to entry: A safety-related system may
a) be designed to prevent the hazardous event (i.e. if the safety-related systems perform their safety functions
then no harmful event arises);

b) be designed to mitigate the effects of the harmful event, thereby reducing the risk by reducing the
consequences;
c) be designed to achieve a combination of a) and b).
Note 5 to entry: A person can be part of a safety-related system. For example, a person could receive information
from a programmable electronic device and perform a safety action based on this information, or perform a safety
action through a programmable electronic device.
Note 6 to entry: A safety-related system includes all the hardware, software and supporting services (for example,
power supplies) necessary to carry out the specified safety function (sensors, other input devices, final elements
(actuators) and other output devices are therefore included in the safety-related system).
Note 7 to entry: A safety-related system may be based on a wide range of technologies including electrical,
electronic, programmable electronic, hydraulic and pneumatic.
[SOURCE: IEC 61508-4:2010, 3.4.1]
3.1.30
security
a) measures taken to protect a system
b) condition of a system that results from the establishment and maintenance of measures to
protect the system
c) condition of system resources being free from unauthorized access and from unauthorized
or accidental change, destruction, or loss
d) capability of a computer-based system to provide adequate confidence that unauthorized
persons and systems can neither modify the software and its data nor gain access to the
system functions, and yet to ensure that this is not denied to authorized persons and
systems
e) prevention of illegal or unwanted penetration of, or interference with the proper and
intended operation of an industrial automation and control system
Note 1 to entry: Measures can be controls related to physical security (controlling physical access to computing
assets) or logical security (capability to login to a given system and application).
[SOURCE: IEC TS 62443-1-1:2009, 3.2.99]
3.1.31
security incident
adverse event in a system or network, or the threat of the occurrence of such an event
[SOURCE: IEC TS 62443-1-1:2009, 3.2.106]
3.1.32
security level
SL
level corresponding to the required effectiveness of countermeasures and inherent security
properties of devices and systems for a zone or conduit based on assessment of risk for the
zone or conduit
[SOURCE: IEC TS 62443-1-1:2009, 3.2.108, modified – The abbreviated term "SL" has been
added.]
3.1.33
security patch
software patch that is relevant to the security of a software component
Note 1 to entry: For the purpose of this definition, firmware is considered software.
Note 2 to entry: Software patches may address known or potential vulnerabilities, or simply improve the security
of the software component, including its reliable operation.
[SOURCE: IEC 62443-2-4:2015, 3.1.17]

– 14 – IEC TR 63069:2019  IEC 2019
3.1.34
security perimeter
boundary (logical or physical) of the domain in which a security policy or security architecture
applies, i.e., the boundary of the space in which security services protect system resources
[SOURCE: IEC TS 62443-1-1:2009, 3.2.110]
3.1.35
security zone
grouping of logical or physical assets that share common security requirements
Note 1 to entry: All unqualified uses of the term "zone" in this document should be assumed to refer to a security
zone.
Note 2 to entry: A zone has a clear border with other zones. The security policy of a zone is typically enforced by
a combination of mechanisms both at the zone edge and within the zone. Zones can be hierarchical in the sense
that they can be comprised of a collection of sub-zones.
[SOURCE: IEC TS 62443-1-1:2009, 3.2.117]
3.1.36
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety
integrity of an element meets the requirements of the specified SIL, in respect of the specified
element safety function, when the element is applied in accordance with the instructions
specified in the compliant item safety manual for the element
Note 1 to entry: Systematic capability is determined with reference to the requirements for the avoidance and
control of systematic faults (see IEC 61508-2 and IEC 61508-3).
Note 2 to entry: What is a relevant systematic failure mechanism will depend on the nature of the element. For
example, for an element comprising solely software, only software failure mechanisms will need to be considered.
For an element comprising hardware and software, it will be necessary to consider both systematic hardware and
software failure mechanisms.
Note 3 to entry: A Systematic capability of SC N for an element, in respect of the specified element safety
function, means that the systematic safety integrity of SIL N has been met when the element is applied in
accordance with the instructions specified in the compliant item safety manual for the element.
[SOURCE: IEC 61508-4:2010, 3.5.9]
3.1.37
threat
potential for violation of security, which exists when there is a circumstance, capability, action,
or event that could breach security and cause harm
[SOURCE: IEC TS 62443-1-1:2009, 3.2.125]
3.1.38
threat agent
causative agent of a threat action
[SOURCE: IEC TS 62443-1-1:2009, 3.2.127]
3.1.39
vulnerability
flaw or weakness in a system's design, implementation, or operation and management that
could be exploited to violate the system's integrity or security policy
[SOURCE: IEC TS 62443-1-1:2009, 3.2.135]

3.2 Abbreviated terms
BPCS Basic Process Control System
DCS Distributed Control System
DoS Denial of Service
E/E/PE Electrical/Electronic/Programmable Electronic
EUC Equipment Under Control
HFT Hardware Fault Tolerance
IACS Industrial Automation and Control Systems
PLC Programmable Logic Controller
RTU Remote Terminal Unit
SC Systematic Capability
SCADA Supervisory Control And Data Acquisition
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SL Security Level
3.3 Explanation for common terms with different definitions
Some terms have different definitions in the IEC 61508 series and IEC 62443 series. For them,
explanation is given in Table 1.
The meaning of each appearance of these terms in the body of this document is clarified by
indicating which definition is intended in the context as follows.
The domain identification "" following a term indicates that the meaning of this term is
intended as defined by IEC 61508 (all parts). Similarly, the domain identification ""
indicates the meaning is intended as defined by IEC 62443 (all parts).
NOTE 1 When a term that can have a domain identifier is used without domain identifier, the term is intended as a
general term.
Table 1 provides additional information on the existing terms and definitions of IEC 61508
(all parts) and IEC 62443 (all parts).
NOTE 2 Table 1 does not include notes to entry for the definitions.
Table 1 – Terms with multiple definitions
Term Definition from the Definition from the Remark
IEC 61508 series IEC 62443 series
safety freedom from freedom from unacceptable Both definitions refer to risk
unacceptable risk risk .
[SOURCE: IEC 61508- [SOURCE: IEC TS 62443-1- NOTE Safety is related to the
4:2010, 3.1.11] 1:2009, 3.2.94] aspects of functional safety in the
IEC 61508 series only and might
be understood differently within
other standards (e.g. electrical
safety or mechanical safety).
– 16 – IEC TR 63069:2019  IEC 2019
Term Definition from the Definition from the Remark
IEC 61508 series IEC 62443 series
a) measures taken to protect
security The IEC Guide 120 provides a
a system
compact and useful definition:
b) condition of a system that
condition that results from the
results from the
establishment and maintenance of
establishment and
protective measures that ensure a
maintenance of measures
state of inviolability from hostile
to protect the system
acts or influences
c) condition of system
[SOURCE: IEC Guide 120: 2008,
resources being free from
3.13]
unauthorized access and
from unauthorized or
accidental change,
destruction, or loss
d) capability of a computer-
based system to provide
adequate confidence that
unauthorized persons and
systems can neither
modify the software and
its data nor gain access to
the system functions, and
yet to ensure that this is
not denied to authorized
persons and systems
e) prevention of illegal or
unwanted penetration of,
or interference with the
proper and intended
operation of an industrial
automation and control
system
[SOURCE: IEC TS 62443-1-
1:2009, 3.2.99]
risk combination of the expectation of loss expressed The difference in the definition
probability of as the probability that a results from the different views of
occurrence of harm particular threat will exploit a security vs. safety in respect to the
and the severity of particular vulnerability with a consequence. Where the
that harm particular consequence consequence in safety is related to
harm, the consequence related to
[SOURCE: IEC 61508- [SOURCE: IEC TS 62443-1-
security incidents might not be
4:2010 , 3.1.6] 1:2009 , 3.2.87]
known.
– Risk (safety):
• hazard causes;
• more focused on harm.
– Risk (security):
• threat/attack causes;
• more focus on business,
financial and operational
impacts.
safety function function to be The term is only needed within the
implemented by an safety domain.
E/E/PE safety-related
system or other risk
reduction measures,
that is intended to
achieve or maintain a
safe state for the EUC,
in respect of a specific
hazardous event (see
3.4.1 and 3.4.2)
[SOURCE: IEC 61508-
4:2010, 3.5.1]
Term Definition from the Definition from the Remark
IEC 61508 series IEC 62443 series
safety-related designated system See safety instrumented system
system that both (SIS) for IEC 62443 (all parts).
– implements the
required safety
functions
necessary to
achieve or
maintain a safe
state for the EUC;
and
– is intended to
achieve, on its
own or with other
E/E/PE safety-
related systems
and other risk
reduction
measures, the
necessary safety
integrity for the
required safety
functions
[SOURCE: IEC 61508-
4:2010, 3.4.1]
essential function or capability that is Refer to 4.2 for further
function required to maintain health, explanation.
safety, the environment and
availability for the equipment
under control
[SOURCE: IEC 62443-3-
3:2013, 3.1.22]
basic process system that responds to input Refer to 4.2 for further
control system signals from the process, its explanation.
(BPCS) associated equipment, other
programmable systems and/or
an operator and generates
output signals causing the
process and its associated
equipment to operate in the
desired manner but does not
perform any safety
instrumented functions (SIF)
[SOURCE: IEC 62443-2-
4:2015, 3.1.4]
safety system used to implement Refer to 4.2 for further
instrumented functional safety explanation.
system (SIS)
[SOURCE: IEC 62443-2-
4:2015, 3.1.14]
system used to implement one
or more safety-related
functions
[SOURCE: IEC 62443-3-
3:2013,
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

This May Also Interest You

IEC
IEC 61508-1:2010(Main)
Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements (see Functional Safety and IEC 61508)

Looking for deeper insights? Check out IEC 61508:2010 CMV, which includes commented versions of Parts 1 to 7 of IEC 61508. These commented versions highlight the changes made from previous editions and provide explanations from a world-leading expert on the reasons behind the most significant changes.
IEC 61508-1:2010 covers those aspects to be considered when electrical/electronic/programmable electronic (E/E/PE) systems are used to carry out safety functions. A major objective of this standard is to facilitate the development of product and application sector international standards by the technical committees responsible for the product or application sector. This will allow all the relevant factors, associated with the product or application, to be fully taken into account and thereby meet the specific needs of users of the product and the application sector. A second objective of this standard is to enable the development of E/E/PE safety-related systems where product or application sector international standards do not exist. This second edition cancels and replaces the first edition published in 1998. This edition constitutes a technical revision. It has been subject to a thorough review and incorporates many comments received at the various revision stages. It has the status of a basic safety publication according to IEC Guide 104.
This publication is of high relevance for Smart Grid.

  • Standard
    127 pages
    English and French language
    sale 15% off
IEC
IEC 61508-1:1998/COR1:1999(Corrigendum)
Corrigendum 1 - Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements

Sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic components (electrical / electronic / programmable electronic systems (E/E/PESs)) that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy be developed for all electrically-based safety-related systems. Is intended to facilitate the development of application sector standards. Has the status of a basic safety publication in accordance with IEC Guide 104.

  • Standard
    3 pages
    English and French language
    sale 15% off
IEC
IEC 61508-1:1998(Main)
Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements (see www.iec.ch/61508)

Sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic components (electrical / electronic / programmable electronic systems (E/E/PESs)) that are used to perform safety functions. This unified approach has been adopted in order that a rational and consistent technical policy be developed for all electrically-based safety-related systems. Is intended to facilitate the development of application sector standards. Has the status of a basic safety publication in accordance with IEC Guide 104. The contents of the corrigendum of April 1999 have been included in this copy.

  • Standard
    58 pages
    English language
    sale 15% off
  • Standard
    58 pages
    French language
    sale 15% off
  • Standard
    115 pages
    English and French language
    sale 15% off
IEC
IEC 62541-100:2025(Main)
OPC unified architecture - Part 100: Devices

IEC 62541-100:2025 defines the information model associated with Devices. This document describes three models which build upon each other as follows:
• The (base) Device Model is intended to provide a unified view of devices and their hardware and software parts irrespective of the underlying device protocols.
• The Device Communication Model adds Network and Connection information elements so that communication topologies can be created.
• The Device Integration Host Model finally adds additional elements and rules required for host systems to manage integration for a complete system. It enables reflecting the topology of the automation system with the devices as well as the connecting communication networks.
This document also defines AddIns that can be used for the models in this document but also for models in other information models. They are:
• Locking model – a generic AddIn to control concurrent access,
• Software update model – an AddIn to manage software in a Device.
This second edition cancels and replaces the first edition published in 2015. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a a ComponentType that can be used to model any HW or SW element of a device has been defined and a SoftwareType has been added as subtype of ComponentType;
b the new OPC UA interface concept and defined interfaces for Nameplate, DeviceHealth, and SupportInfo has been added.
c) a new model for Software Update (Firmware Update) has been added;
d) a new entry point for documents where each document is represented by a FileType instance has been specified;
e) a model that provides information about the lifetime, related limits and semantic of the lifetime of things like tools, material or machines has been added.

  • Standard
    152 pages
    English language
    sale 15% off
  • Standard
    158 pages
    French language
    sale 15% off
  • Standard
    310 pages
    English and French language
    sale 15% off
IEC
IEC TR 61169-1-8:2025(Main)
Radio-frequency connectors - Part 1-8: Electrical test methods - Voltage standing wave ratio for a single connector by double connector method

IEC TR 61169-1-8:2025 provides a test method for voltage standing wave ratio (VSWR, hereinafter) of single RF connector by double-connector method. This document is applicable to single RF cable connectors and single microstrip RF connectors as well as single adapters if an estimation of the VSWR of a single completely installed RF-connector is used and a time domain feature is not available on the vector network analyzer.

  • Technical report
    18 pages
    English language
    sale 15% off
IEC
IEC 62541-7:2025(Main)
OPC Unified Architecture - Part 7: Profiles

IEC 62541-7: 2025 specifies value and structure of Profiles in the OPC Unified Architecture.
OPC UA Profiles are used to segregate features with regard to testing of OPC UA products and the nature of the testing. The scope of this document includes defining functionality that can only be tested. The definition of actual TestCases is not within the scope of this document, but the general categories of TestCases are covered by this document.
Most OPC UA applications will conform to several, but not all of the Profiles.
This fourth edition cancels and replaces the third edition published in 2020. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) Profiles and ConformanceUnits are not part of this document, but are solely managed in a public database as described in Clause 1.

  • Standard
    160 pages
    English language
    sale 15% off
  • Standard
    173 pages
    French language
    sale 15% off
  • Standard
    333 pages
    English and French language
    sale 15% off
IEC
IEC 61757-1-4:2025(Main)
Fibre optic sensors - Part 1-4: Strain measurement - Distributed sensing based on Rayleigh scattering

IEC 61757-1-4:2025 defines the terminology, structure, and measurement methods of distributed fibre optic sensors for absolute strain measurements based on spectral correlation analysis of Rayleigh backscattering signatures in single-mode fibres, where the fibre is the distributed strain measurement element in a measurement range from about 10 m to tens of km. This document also applies to hybrid sensor systems that combine the advantages of Brillouin and Rayleigh backscattering effects to obtain optimal measurement quality. This document also specifies the most important features and performance parameters of these distributed fibre optic strain sensors defines procedures for measuring these features and parameters. This part of IEC 61757 does not apply to point measurements or to dynamic strain measurements. Distributed strain measurements using Brillouin scattering in single-mode fibres are covered in IEC 61757-1-2. The most relevant applications of this strain measurement technique are listed in Annex A, while Annex B provides a short description of the underlying measurement principle.

  • Standard
    27 pages
    English language
    sale 15% off
  • Standard
    29 pages
    French language
    sale 15% off
  • Standard
    56 pages
    English and French language
    sale 15% off
IEC
IEC TS 62607-6-27:2025(Main)
Nanomanufacturing - Key control characteristics - Part 6-27: Graphene-related products - Field-effect mobility for layers of two-dimensional materials: field-effect transistor method

IEC TS 62607-6-27:2025, which is a Technical Specification, establishes a standardized method to determine the key control characteristic
• field-effect mobility
for semiconducting two-dimensional (2D) materials by the
• field-effect transistor (FET) method.
For two-dimensional semiconducting materials, the field-effect mobility is determined by fabricating a FET test structure and measuring the transconductance in a four-terminal configuration.
- This method can be applied to layers of semiconducting two-dimensional materials, such as graphene, black phosphorus (BP), molybdenum disulfide (MoS₂), molybdenum ditelluride (MoTe₂), tungsten disulfide (WS₂), and tungsten diselenide (WSe₂).
- The four-terminal configuration improves accuracy by eliminating parasitic effects from the probe contacts and cables

  • Technical specification
    19 pages
    English language
    sale 15% off
IEC
IEC TS 63414:2025(Main)
Artificial pollution tests on high-voltage polymeric insulators to be used on AC and DC systems

IEC TS 63414:2025 is applicable for the determination of the AC and DC pollution flashover and withstand voltage characteristics of insulators with polymeric housing, to be used outdoors in HV applications and exposed to polluted environments. This is also applicable for insulators with hydrophobic coatings. This document refers to AC systems with a rated voltage greater than 1 000 V and DC systems with a rated voltage greater than 1 500 V.
The object of this technical specification is to prescribe standardized test methods, requirements and procedures for artificial pollution tests applicable to polymeric insulators for overhead lines including traction lines, station post and hollow insulators of equipment. Available test experience with polymeric station post and hollow insulators, especially for DC applications, is limited.
The proposed tests are not applicable to ceramic and glass insulators without polymeric housing, to greased insulators or to special types of insulators (e.g., insulators with semiconducting glaze).
Differently to ceramic and glass insulators without polymeric housing:
- The pollution performance of insulators with polymeric housing varies with the hydrophobicity condition of the surface. The specific conditions simulated by standardized tests might not represent the actual dynamic field conditions.
- The determination of the flashover and/or withstand voltage under pollution conditions is not enough for dimensioning. Additional constraints related to possible ageing are also to be considered.
- If the Hydrophobicity Transfer Material (HTM) test according to IEC TR 62039 confirms that an insulator is non-HTM, it can be tested according to IEC 60507 or IEC TS 61245.

  • Technical specification
    39 pages
    English language
    sale 15% off
IEC
IEC 62541-4:2025(Main)
OPC unified architecture - Part 4: Services

IEC 62541-4:2025 is available as IEC 62541-4:2025 RLV which contains the International Standard and its Redline version, showing all changes of the technical content compared to the previous edition.IEC 62541-4:2025 defines the OPC Unified Architecture (OPC UA) Services. The Services defined are the collection of abstract Remote Procedure Calls (RPC) that are implemented by OPC UA Servers and called by OPC UA Clients. All interactions between OPC UA Clients and Servers occur via these Services. The defined Services are considered abstract because no particular RPC mechanism for implementation is defined in this document. IEC 62541‑6 specifies one or more concrete mappings supported for implementation. For example, one mapping in IEC 62541‑6 is to UA-TCP UA-SC UA-Binary. In that case the Services described in this document appear as OPC UA Binary encoded payload, secured with OPC UA Secure Conversation and transported via OPC UA TCP. Not all OPC UA Servers implement all of the defined Services. IEC 62541‑7 defines the Profiles that dictate which Services must be implemented in order to be compliant with a particular Profile. A BNF (Backus-Naur form) for browse path names is described in Annex A. This fourth edition cancels and replaces the third edition published in 2020. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
a) addition of new definitions to Method Call Service to allow optional Method arguments;
b)addition of reference to SystemStatusChangeEventType for event monitored item error scenarios;
c) enhancement of the general description of how determining if a Certificate is trusted;
d) addition of support for ECC;
e) addition of revisedAggregateConfiguration to AggregateFilterResult structure;
f) addition of INVALID to the BrowseDirection enumeration data type;
g) addition of INVALID to the TimestampsToReturn enumeration data type;
h) addition of definitions that make sure the subscription functionality works if retransmission queues are optional;
i) addition of client checks has been added to be symmetric to the Server Certificate check has been added;
j) clarification that ‘local’ top level domain is not appended by server into certificate and not checked by client when returned from LDS-ME;
k) addition of a definition for expiration behaviour of IssuedIdentityTokens;
l) addition of status code Good_PasswordChangeRequired to ActivateSession;
m) restriction of AdditionalInfo to servers in debug mode;
n) addition of new status code Bad_ServerTooBusy;
o) addition of definition for cases where server certificate must be contained in GetEndpoints response.

  • Standard
    245 pages
    English language
    sale 15% off
  • Standard
    257 pages
    French language
    sale 15% off
  • Standard
    502 pages
    English and French language
    sale 15% off