ISO 13577-4:2014
Industrial furnace and associated processing equipment - Safety - Part 4: Protective systems
ISO 13577-4:2014 specifies the requirements for protective systems used in industrial furnaces and associated processing equipment (TPE). The functional requirements to which the protective systems apply are specified in the other parts of ISO 13577.
Fours industriels et équipements associés — Sécurité — Partie 4: Systèmes de protection
Frequently Asked Questions
ISO 13577-4:2014 is a standard published by the International Organization for Standardization (ISO). Its full title is "Industrial furnace and associated processing equipment - Safety - Part 4: Protective systems". It specifies the requirements for protective systems used in industrial furnaces and associated processing equipment (TPE); the functional requirements to which the protective systems apply are specified in the other parts of ISO 13577.
ISO 13577-4:2014 is classified under the following ICS (International Classification for Standards) categories: 13.100 - Occupational safety. Industrial hygiene; 25.180.01 - Industrial furnaces in general. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO 13577-4:2014 has the following relationship with other standards: it is linked to ISO 13577-4:2022. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO 13577-4:2014 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
DRAFT INTERNATIONAL STANDARD ISO/DIS 13577-4
ISO/TC 244 Secretariat: JISC
Voting begins on: 2013-05-27. Voting terminates on: 2013-08-27.
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION
Industrial furnace and associated processing equipment — Safety — Part 4: Protective systems
Fours industriels et équipements associés — Sécurité —
Partie 4: Systèmes de protection
ICS 13.180; 25.180.01
To expedite distribution, this document is circulated as received from the committee secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at publication stage.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
© International Organization for Standardization, 2013
ISO/DIS 13577-4
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any
means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission.
Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword ... v
Introduction ... vi
1. Scope ... 7
2. Normative references ... 7
3. Terms and definitions ... 7
4. Design requirements for equipment in a Protective System ... 10
4.1 General ... 10
4.2 Requirements for protective systems ... 11
4.2.1. Method A ... 13
4.2.2. Method B ... 13
4.2.3. Method C ... 15
4.2.4. Method D ... 18
4.3 Fault assessment for the hardwired section of protective systems ... 19
4.4 Failure of utilities ... 20
4.5 Reset ... 20
Annex A (informative) Explanation of techniques and measures for avoiding systematic faults ... 21
A.1 General ... 21
A.2 Competency ... 21
A.3 Avoidance of systematic faults ... 21
Annex B (informative) Examples of techniques for avoiding failures from external wiring ... 23
Annex C (informative) Examples for the determination of safety integrity level SIL using the risk graph method ... 27
C.1 General ... 27
C.2 Examples for the determination of the required SIL/PL ... 28
C.2.1 Example 1 – Table C.1 ... 28
C.2.2 Example 2 – Table C.2 ... 28
C.2.3 Example 3 – Table C.3 ... 28
C.2.4 Example 4 – Table C.4 ... 28
C.2.5 User's guide for risk graph according to IEC 61511 (i.e. Table C.3 and C.4) ... 43
Annex D (informative) Example of an extended risk assessment for one safety instrumented function using IEC 61511 method ... 47
D.1 General ... 47
D.2 Concept description of equipment under control ... 47
D.3 Hazard and risk assessment ... 47
D.3.1 Initiating events ... 47
D.3.2 Hazard – process deviation – insufficient combustion air ... 48
D.4 Consequences ... 48
D.5 Event tree example ... 49
D.6 Safety System Functional Requirements ... 49
D.6.1 Safe State ... 50
D.6.2 Demand Rate ... 50
D.6.3 Spurious Trip Rate ... 50
D.6.4 Proof Test Interval ... 50
D.6.5 Process Safety Time ... 50
D.6.6 System Response Time ... 50
D.7 Safety Sensor Functional Requirements ... 50
D.8 Logic Solver Requirements Including Alarming, External Comparison and HMI ... 52
D.9 Final Element Requirements ... 52
D.10 Manual Intervention Requirements ... 53
D.11 Startup Requirements ... 53
Annex E (informative) Example schematics of protective system ... 55
Annex F (normative) Hardwiring protective systems for methods A, B and C ... 62
F.1 General ... 62
F.2 Protection against faults of the logic solver/box ... 62
F.3 Measures to avoid faults ... 63
F.4 Hardware design ... 63
F.4.1 General requirements of the hardware ... 63
F.4.2 Hard-wired section of the protective system ... 63
Bibliography ... 72
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 13577-4 was prepared by Technical Committee ISO/TC 244, Industrial furnaces and associated processing equipment.
ISO 13577 consists of the following parts, under the general title Industrial furnaces and associated processing equipment — Safety:
Part 1: General requirements
Part 2: Requirements for combustion and fuel handling systems
Part 3: Generation and use of protective and reactive atmosphere gases
Part 4: Protective systems
Introduction
This document was developed to specify the requirements of a protective system, which is a safety related electrical control system (SRECS) of industrial furnaces and associated processing equipment (TPE). Mandatory safety-related control functions of TPE are specified in the other parts of ISO 13577.
This part of ISO 13577 provides four methods from which manufacturers of TPE are to choose in designing the protective system of TPE.
This document is part of a Type C standard as defined in ISO 12100. Since ISO 13577 is a Type-C standard of ISO 12100, TPE are required to be designed in accordance with the principles of ISO 12100. However, there are cases in which a risk assessment according to IEC 61511 is more suitable for the design of a TPE protective system.
IEC 61511 provides the option of a low demand rate on the protective system. IEC 62061 and ISO 13849-1 always assume high demand applications.
Therefore, this part of ISO 13577 permits an extended risk assessment for SRECS in which risk assessment based on IEC 61511 may be chosen as an alternative.
Industrial furnaces and associated processing equipment — Safety — Part 4: Protective systems
1. Scope
This part of ISO 13577 specifies the requirements for protective systems used in industrial furnaces and associated processing equipment (TPE).
The functional requirements to which the protective systems apply are specified in the other parts of ISO 13577.
2. Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 13574, Industrial furnaces and associated thermal processing equipment — Vocabulary
ISO 13577-1, Industrial furnaces and associated thermal processing equipment — Safety — Part 1: General requirements
ISO 13577-2, Industrial furnaces and associated thermal processing equipment — Safety — Part 2: Combustion and fuel handling systems
ISO 13577-3, Industrial furnaces and associated thermal processing equipment — Safety — Part 3: Generation and use of protective and reactive atmosphere gases
ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements
IEC 60730-2-5, Automatic electrical controls for household and similar use — Part 2-5: Particular requirements for automatic electrical burner control systems
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61131-3, Programmable controllers — Part 3: Programming languages
IEC 61511 (all parts), Functional safety — Safety instrumented systems for the process industry sector
IEC 62061, Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems
3. Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 13574 and the following apply.
3.1
final element
device(s) controlled by the logic solver to affect the process being monitored by the sensor; in a protective system, it is the part that physically acts (e.g. actuator, automatic shut-off valve, relay) to bring the safety function to a safe state
3.2
flame detector device
device by which the presence of a flame is detected and signaled; it can consist of a flame sensor, an amplifier and a relay for signal transmission
NOTE This term and definition is given in ISO 13574.
3.3
functional safety
capability of a protective system or other means to reduce risk, to execute the actions required for achieving or maintaining a safe state for the process and its related equipment
NOTE This term and definition is given in ISO 13574.
3.4
logic function
function which performs the transformations between input information (provided by one or more input functions or sensors) and output information (used by one or more output functions or final elements); logic functions are executed by the logic solver of a protective system
[SOURCE: IEC 61511-1:2003, 3.2.39, modified]
3.5
logic solver
portion of a protective system that performs one or more logic function(s)
NOTE Examples are: electrical systems, electronic systems, programmable electronic systems, pneumatic systems, hydraulic systems. Sensors and final elements are not part of the logic solver.
[SOURCE: IEC 61511-1:2003, 3.2.40, modified]
3.6
manual reset
action after a lock-out of a safety device (e.g. automatic burner control) carried out manually by the supervising operator
NOTE This term and definition is given in ISO 13574.
3.7
performance level
PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
[SOURCE: ISO 13849-1:2006, 3.1.23]
3.8
product standard
the standards for products and devices which are listed in the other parts of ISO 13577
3.9
programmable logic control
PLC
electronic device designed for control of the logical sequence of events
NOTE This term and definition is given in ISO 13574.
3.10
protective system
instrumented system used to implement one or more safety related instrumented functions; a protective system is composed of any combination of sensor(s), logic solver(s) and final elements (for an example see Figure 2)
NOTE This can include either safety related instrumented control functions or safety related instrumented protection functions or both.
[SOURCE: IEC 61511-1:2003, 3.2.72, modified]
3.11
safety bus
bus system and/or protocol for digital network communication between safety devices that is designed to achieve and/or maintain a safe state of the protective system in compliance with IEC 61508 or IEC 60730-2-5
3.12
safety device
device which is used to perform protective functions, either on its own or as a part of a protective system (e.g. sensors, limiters, flame monitors, burner control systems, logic systems, final elements, automatic shut-off valves etc.)
3.13
safety integrity level
SIL
discrete level (one out of a possible four), corresponding to a range of safety integrity values, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest
NOTE 1 The target failure measures for the four safety integrity levels are specified in Tables 2 and 3 of IEC 61508-1.
NOTE 2 Safety integrity levels are used for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems.
NOTE 3 A safety integrity level (SIL) is not a property of a system, subsystem, element or device. The correct interpretation of the phrase "SIL n safety-related system" (where n is 1, 2, 3 or 4) is that the system is potentially capable of supporting safety functions with a safety integrity level up to n.
[SOURCE: IEC 61508-4:2010, 3.5.8]
3.14
sensor
limiter, transducer or any other monitoring device which outputs a signal and/or cuts out and only reverses the output signal in the event of a specific change in the performance quantity (e.g. pressure, temperature, flow, level)
3.15
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL, in respect of the specified element safety function, when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element
NOTE 1 Systematic capability is determined with reference to the requirements for the avoidance and control of systematic faults (see IEC 61508-2 and IEC 61508-3).
NOTE 2 What is a relevant systematic failure mechanism will depend on the nature of the element. For example, for an element comprising solely software, only software failure mechanisms will need to be considered. For an element comprising hardware and software, it will be necessary to consider both systematic hardware and software failure mechanisms.
NOTE 3 A systematic capability of SC N for an element, in respect of the specified element safety function, means that the systematic safety integrity of SIL N has been met when the element is applied in accordance with the instructions specified in the compliant item safety manual for the element.
[SOURCE: IEC 61508-4:2010, 3.5.9]
4. Design requirements for equipment in a Protective System
4.1 General
Electrical equipment shall comply with IEC 60204-1 and withstand the hazards identified in the risk assessment required at the design stage. Electrical equipment shall be protected against damage. In particular it shall be robust enough to withstand damage during continuous operation.
Devices shall be used in accordance with the manufacturer's instructions including safety manuals. Any device used outside of its published technical specification shall be verified and validated to be suitable for the intended application.
Devices of a protective system shall withstand the environmental conditions and fulfil their intended function.
Figure 1 is provided as an aid to understanding the relationship between the various elements of TPE and their ancillary equipment, the heating system, the process control system and the protective system.
Figure 1 — Block diagram of control and protective systems
An appropriate group of techniques and measures shall be used that are designed to prevent the introduction of faults during the design and development of the hardware and software of the protective system. See informative Annex A.
Failure due to short circuit in external wiring shall be avoided. See informative Annex B.
Requirements for testing and testing intervals for protective systems shall be specified in the instruction handbook. Except as permitted by Method D, the testing of all safety functions shall be performed at least annually. Method D shall be used if the interval between tests of all safety functions exceeds one year.
See informative Annexes C and D for examples of SIL/PL determinations.
4.2 Requirements for protective systems
Any one or a combination of the four (4) methods below shall be used to implement a protective system for the safety function(s) requirements identified in other parts of ISO 13577; however, only one method shall be used for any one specific safety function:
Method A as specified in 4.2.1,
Method B as specified in 4.2.2,
Method C as specified in 4.2.3,
Method D as specified in 4.2.4.
Figure 2 shows the basic configuration of a protective system.
Figure 2 — Basic configuration of a protective system (figure; it shows safety functions 1, 2 … n, e.g. pressure monitoring or flame monitoring, each implemented by Method A, B, C or D as a chain of sensor(s) (e.g. pressure switch, flame sensor), logic solver(s) and final element(s) (e.g. actuator, automatic shut-off valves))
Figure 3 shows the basic characteristics of each method.
Figure 3 — Method overview (figure; a table comparing Methods A to D, detailed in 4.2.1 to 4.2.4, by hardware (components which comply with relevant product standards; SIL/PL capable components; safety PLC), software (verified and validated software function blocks; safety PLC program language; safety function software; extended risk assessment) and interconnections (hardwired; safety bus; software interconnections))
See informative Annex E for example schematics by the various methods.
4.2.1. Method A
Method A shall be a hardwired system in which all devices (i.e. sensors, logic solver and final elements as described in Figure 4) comply with the relevant product standards as specified in other parts of ISO 13577. The requirements of IEC 61508, IEC 61511, IEC 62061 and ISO 13849 are not applicable for this type of protective system.
The following requirements for hardwiring shall be fulfilled:
all logic solvers shall be supplied by the devices and via the direct interconnections between the devices;
connections shall not be permitted via data communication buses;
devices with fixed program language, which meet the relevant product standards, shall be permitted;
the hardwiring shall be in accordance with Annex F.
Figure 4 — Hardware configuration of Method A
NOTE The safety devices used here correspond to specific safety requirements, matched to the field of application and the functional requirements made of these devices, as demanded in the corresponding product standards for safety devices, e.g. automatic burner control systems, valve proving systems, pressure sensing devices, automatic shut-off valves. Even without additional SIL/PL certification of these safety devices, the safety requirements for use of safety devices are in compliance with relevant product standards. Implementation of a protective system per clause 4.1.1 must thus be viewed as one of several alternative methods.
4.2.2. Method B
Method B shall be a combination of devices meeting the relevant product standards and/or SIL/PL capable devices for which no relevant product standard exists. Safety PLCs are excluded (see Figure 5).
The following requirements for hardwiring shall be fulfilled:
all logic solvers shall be supplied by the devices and via the direct interconnections between the devices;
devices with fixed program language, which meet the relevant product standards, shall be permitted;
the interconnections may be hardwired or via safety bus;
the hardwiring shall be in accordance with Annex F.
For the devices which are covered by product standards, the requirements of 4.2.1 shall be fulfilled.
For the devices which are not covered by product standards the following requirements shall be fulfilled:
the device shall be SIL 3 capable according to IEC 61508, IEC 62061 or IEC 61511, or it shall be PL e capable according to ISO 13849-1;
SIL/PL capability certification shall apply to the complete device including both hardware and software.
NOTE Verification and validation of SIL/PL certification is typically made by a notified body, an accredited national testing laboratory or an organization according to ISO/IEC 17025.
Devices with less than SIL 3/PL e capability shall be permitted, provided the SIL/PL requirements for the loop (safety function) are determined and calculated.
When the SIL is determined by prior use (proven in use), the requirements in IEC 61511 shall be followed.
All requirements in the safety manual for the device, such as the proof test interval, shall be adhered to.
NOTE See Annex C for examples of determining SIL/PL.
Figure 5 — Hardware configuration of Method B (figure; its three tiers, linked by hardwiring as specified in 4.2.2, read as follows)
Sensor(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. pressure detector according to IEC 60730-2-6, flame detector according to IEC 60730-2-5; AND/OR sensor(s) with defined systematic capability as specified in 4.2.2, e.g. SIL or PL capable pressure transmitter.
Logic solver(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic burner control system according to IEC 60730-2-5; AND/OR component(s) with defined systematic capability as specified in 4.2.2, e.g. safety relay(s).
Final element(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic shut-off valve(s) according to ISO 23551-1; AND/OR final element(s) with defined systematic capability as specified in 4.2.2, e.g. SIL or PL capable actuator.
4.2.3. Method C
Method C shall be a combination of devices meeting the relevant product standards and/or SIL/PL capable devices for which no relevant product standard exists and/or safety PLCs.
The following requirements for hardwiring shall be fulfilled:
all logic solvers shall be supplied by the devices and via the direct interconnections between the devices;
devices with fixed program language, which meet the relevant product standards, shall be permitted;
the interconnections may be hardwired in accordance with IEC 60204-1, via safety bus or via software interconnections;
the hardwiring shall be in accordance with Annex F.
Safety function software is only permitted in the form of verified and validated, SIL 3 capable software function blocks (see Figure 6).
Safety functions shall be permitted within a safety rated device (e.g. a safety PLC) or within an external device covered by the relevant product standard.
For the devices which are covered by product standards, the requirements of 4.2.1 shall be fulfilled.
For the devices (e.g. safety PLC, timers, etc.) which are NOT covered by product standards the following requirements shall be fulfilled:
the devices shall be SIL 3 capable according to IEC 61508, IEC 62061 or IEC 61511, or they shall be PL e capable according to ISO 13849-1;
where a programmable device implements a safety function that is partly or entirely addressed in a relevant product standard, the software function shall be verified and validated with respect to the applicable requirements in the related product standard, including but not limited to the sequences and timings of the product standard;
software interconnections in a programmable device shall be verified by a functional test;
software programming languages for PLCs shall be in accordance with IEC 61131-3;
software shall be locked and secured against unauthorized and unintentional changes.
NOTE Verification and validation of SIL/PL certification is typically made by a notified body, an accredited national testing laboratory or an organization according to ISO/IEC 17025.
Devices with less than SIL 3/PL e capability shall be permitted, provided the SIL/PL requirements for the loop (safety function) are determined and calculated.
When the SIL is determined by prior use (proven in use), the requirements in IEC 61511 shall be followed.
All requirements in the safety manual for the device, such as the proof test interval, shall be adhered to.
NOTE See Annex C for examples of determining SIL/PL.
Figure 6 — Hardware configuration of Method C
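As an added example (not text or tooling from ISO 13577-4), the following Python model encodes the device, interconnection and software requirements stated for Methods A, B and C in 4.2.1 to 4.2.3 and checks a declared loop against them; the class and field names and the three sample loops are constructed for this illustration, with the product standards cited as in Figure 5.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Interconnection kinds each method permits: 4.2.1 hardwired only (no data communication
# buses); 4.2.2 hardwired or safety bus; 4.2.3 additionally software interconnections.
ALLOWED_LINKS = {
    "A": {"hardwired"},
    "B": {"hardwired", "safety_bus"},
    "C": {"hardwired", "safety_bus", "software"},
}


@dataclass(frozen=True)
class Device:
    """One sensor, logic solver or final element of the loop (constructed model)."""
    name: str
    role: str                                # "sensor", "logic_solver" or "final_element"
    product_standard: Optional[str] = None   # relevant product standard complied with, or None
    sil_capability: int = 0                  # 0 = none, else 1..4 (IEC 61508 / 62061 / 61511)
    pl_capability: Optional[str] = None      # "a".."e" per ISO 13849-1, or None
    is_safety_plc: bool = False


@dataclass
class ProtectiveSystem:
    """Declared architecture of one safety function's loop (constructed model)."""
    devices: list[Device]
    interconnections: set[str] = field(default_factory=lambda: {"hardwired"})
    loop_sil_pl_calculated: bool = False         # 4.2.2/4.2.3: needed below SIL 3 / PL e
    function_blocks_verified_sil3: bool = False  # 4.2.3: only V&V'd SIL 3 function blocks
    software_locked: bool = False                # 4.2.3: locked against unauthorized changes
    software_links_tested: bool = False          # 4.2.3: software links functionally tested


def sil3_or_ple(d: Device) -> bool:
    """Device-level capability required of devices not covered by a product standard."""
    return d.sil_capability >= 3 or d.pl_capability == "e"


def check_method(system: ProtectiveSystem, method: str) -> list[str]:
    """Return the violations found when implementing `system` under Method A, B or C.
    An empty list means no violation of the requirements modelled here was found."""
    if method not in ALLOWED_LINKS:
        raise ValueError(f"unknown method {method!r}; Method D is a full IEC/ISO design")
    issues: list[str] = []
    bad_links = system.interconnections - ALLOWED_LINKS[method]
    if bad_links:
        issues.append(f"{method}: interconnection(s) {sorted(bad_links)} not permitted")
    for d in system.devices:
        if d.is_safety_plc and method in ("A", "B"):
            issues.append(f"{method}: safety PLC {d.name!r} is excluded")
        if d.product_standard:
            continue  # covered by a product standard: 4.2.1 applies under every method
        if method == "A":
            issues.append(f"A: {d.name!r} has no relevant product standard")
        elif not sil3_or_ple(d) and not system.loop_sil_pl_calculated:
            issues.append(f"{method}: {d.name!r} is below SIL 3 / PL e "
                          "and loop SIL/PL is not calculated")
    uses_software = ("software" in system.interconnections
                     or any(d.is_safety_plc for d in system.devices))
    if method == "C" and uses_software:
        if not system.function_blocks_verified_sil3:
            issues.append("C: safety function software must be verified and validated "
                          "SIL 3 capable function blocks")
        if not system.software_locked:
            issues.append("C: software must be locked against unauthorized and "
                          "unintentional changes")
        if "software" in system.interconnections and not system.software_links_tested:
            issues.append("C: software interconnections must be verified by a functional test")
    return issues


def permitted_methods(system: ProtectiveSystem) -> list[str]:
    """Methods A, B, C under which the declared system shows no violation."""
    return [m for m in ALLOWED_LINKS if not check_method(system, m)]


# Constructed sample loops.
HARDWIRED_LOOP = ProtectiveSystem(devices=[
    Device("pressure switch", "sensor", product_standard="IEC 60730-2-6"),
    Device("burner control", "logic_solver", product_standard="IEC 60730-2-5"),
    Device("shut-off valve", "final_element", product_standard="ISO 23551-1"),
])

TRANSMITTER_LOOP = ProtectiveSystem(devices=[
    Device("pressure transmitter", "sensor", sil_capability=2),
    Device("safety relay", "logic_solver", sil_capability=3),
    Device("shut-off valve", "final_element", product_standard="ISO 23551-1"),
], interconnections={"hardwired", "safety_bus"})

PLC_LOOP = ProtectiveSystem(devices=[
    Device("flame detector", "sensor", product_standard="IEC 60730-2-5"),
    Device("safety PLC", "logic_solver", sil_capability=3, is_safety_plc=True),
    Device("actuator", "final_element", pl_capability="e"),
], interconnections={"hardwired", "software"}, function_blocks_verified_sil3=True,
   software_locked=True, software_links_tested=True)

if __name__ == "__main__":
    for label, loop in (("hardwired", HARDWIRED_LOOP), ("transmitter", TRANSMITTER_LOOP),
                        ("plc", PLC_LOOP)):
        print(label, permitted_methods(loop), check_method(loop, "B"))
```

The transmitter loop is rejected under every method until `loop_sil_pl_calculated` is set, mirroring the clause that devices below SIL 3/PL e are permitted only once the loop SIL/PL has been determined.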
4.2.3.1 Requirements for application software
In accordance with the required safety integrity level, the chosen programmable protective equipment and its software shall meet the safety integrity requirements of the particular application:
correctness of functionality;
sequencing and time related information;
timing constraints;
concurrency;
NOTE Interrupts should be avoided.
data structures and properties;
design assumptions and dependencies;
testability.
The proof of the above mentioned items has to be carried out by verification and validation steps according to the design and development phases within the life cycle of the software, including:
validity of the software requirement specification;
completeness, consistency, understandability and unambiguousness of documentation and programs.
The application design representations shall be based on a notation, e.g. functional diagram, which is unambiguously defined or restricted to unambiguously defined features as far as practicable. The application design shall minimize the safety-related part of the software. Where the software is to implement both safety and non-safety functions, then all of the software shall be treated as safety-related unless adequate independence between the functions can be demonstrated in the application design. Where the software is to implement safety functions of different safety integrity levels, then all of the software shall be treated as belonging to the highest safety integrity level unless adequate independence between the safety functions of the different safety integrity levels can be shown in the application design. The justification for independence shall be recorded in the relevant design documentation.
If software modules proven in operation are to be used as part of the application software, then they shall be clearly identified and documented. The software's suitability in satisfying the requirements of a particular application shall be justified. Suitability shall be based upon evidence of satisfactory operation in a similar application or having been subject to the same verification and validation procedures as would be expected for any newly developed software. For software modules proven in operation the extent of testing may be limited to the tests required to ensure proper implementation. Constraints from the previous software environment (e.g. operating system and compiler dependencies) should be evaluated. Depending on the nature of the software development, responsibility for conformance with this section can vary between the supplier alone, the user alone or both. The division of responsibility shall be recorded. The proposed software architecture shall be based on a partitioning into devices/subsystems which can be identified as being part of the system software and of the plant specific application software.
The following information shall be provided for the subsystems/devices:
whether they are new, existing or proprietary;
whether they have been previously verified and if so their verification conditions;
whether each subsystem/device is safety-related or not;
the software safety integrity level of the subsystem/device;
identify, evaluate and detail the significance of all hardware/software interactions;
use a notation to represent the architecture which is unambiguously defined or restricted to unambiguously defined features;
identify the design features used for maintaining the safety integrity of all data. This shall include: plant input-output data, communications data, operator interface data, maintenance data and internal database data.
4.2.4 Method D
Method D shall be in accordance with the full requirements of IEC 61508, IEC 62061, IEC 61511 or ISO 13849-1 (see Figure 7).
NOTE See Annex D for the method according to IEC 61511.
Method D shall also fulfill the following requirements:
18 © ISO 2013 – All rights reserved
ISO/DIS 13577-4
a) The flame detector device shall comply with IEC 60730-2-5.
b) The PLC and all safety devices shall be used in accordance with all requirements and instructions in the device manufacturer's product safety manual, including voting and testing frequency requirements.
c) All functional safety requirements identified in the other parts of ISO 13577 shall be evaluated for their need according to standards such as IEC 61511, ISO 13849-1 and IEC 62061, and implemented with the required SIL for each function.
NOTE An extended risk assessment in Method D can take precedence over the safety requirements in the other parts of ISO 13577. By the nature of the extended risk assessment under Method D, the overall safety is not reduced and meets or exceeds the intended requirements of the other parts of the standard.
d) A "safety bus" is permissible as a means of intercommunication.
NOTE Verification and validation of SIL/PL certification is typically performed by a notified body, an accredited national testing laboratory or an organization according to ISO/IEC 17025.
Figure 7 — Hardware configuration of Method D
4.3 Fault assessment for the hardwired section of protective systems
The protective system shall be designed such that the devices required in the other parts of ISO 13577 are used as follows:
1) For Methods B and C, when relays are used in safety functions, the contacts shall be supervised and force-guided, and the current applied to all contacts shall be a maximum of 60 % of the contacts' rating.
2) The device shall be wired in accordance with the manufacturer's instructions.
3) For Methods B and C, when timers not complying with the relevant product standards as specified in the other parts of ISO 13577 are used in safety functions, the timers shall have a systematic capability of SC 3 (SIL 3 capable). The setting of adjustable timers shall be locked or sealed.
4) Overcurrent protection shall be provided to limit the current in the safety circuit to below 60 % of the lowest device contact rating.
NOTE Examples for the design of the hardwired section are given in Annex F.
4.4 Failure of utilities
Loss of utilities (e.g. electrical power, instrument air) to the TPE shall result in a safe state (e.g. lock-out). Any restart shall only be initiated by manual intervention. The start-up and ignition sequence shall apply (see ISO 13577-2: xxxx, 4.2.7 or 4.3.7).
4.5 Reset
Unless permitted by Method D, on devices performing a safety function, reset after lock-out shall be triggered manually after remedying the fault (see ISO 13574: xxxx, 2.104).
A reset shall not override a safety function.
The design shall incorporate means to prevent unintended and permanent resets.
The design shall incorporate means to prevent unintended start of the TPE.
The instruction handbook shall include a requirement that the operator ensures safe operation prior to initiating a reset.
The maximum number of resets within a defined time span shall be limited based on the risk assessment and shall be specified in the instruction handbook.
When the manual reset is initiated without direct sight of the TPE, safe operation shall be ensured by the reset action, and the actual status and relevant information of the process under control shall be visible to the user.
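The reset rules of 4.5 (manual reset only after the fault is remedied, no override of a safety function, no unintended or permanent resets, a bounded number of resets per time span, and no restart implied by a reset) written out as a lockout/reset supervisor. This is an added Python example, not text or code from ISO 13577-4; the press-duration limits, the limit of 3 resets per 900 s and the state names are assumptions chosen for illustration, and a real implementation would run on a safety PLC in an IEC 61131-3 language.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Parameters are assumptions for this example; ISO 13577-4, 4.5 leaves the reset
# limit and time span to the risk assessment and the instruction handbook.
MIN_PRESS_S = 0.2       # presses shorter than this are treated as noise
MAX_PRESS_S = 3.0       # presses longer than this are treated as a permanent actuation
MAX_RESETS = 3          # resets permitted within RESET_WINDOW_S
RESET_WINDOW_S = 900.0  # defined time span over which resets are counted

SAFE, RUN, LOCKOUT = "SAFE", "RUN", "LOCKOUT"   # hypothetical state names


@dataclass
class ResetSupervisor:
    """Lockout latch with a supervised manual reset (hypothetical, added example)."""
    state: str = SAFE                     # SAFE: outputs de-energized, start-up sequence required
    _press_started: Optional[float] = None
    _stuck: bool = False
    _reset_times: Deque[float] = field(default_factory=deque)
    log: List[Tuple[float, str]] = field(default_factory=list)

    def fault(self, t: float) -> None:
        """Any fault, or loss of utilities (4.4), latches the lockout."""
        if self.state != LOCKOUT:
            self.state = LOCKOUT
            self.log.append((t, "lockout"))

    def start(self, t: float, fault_present: bool) -> bool:
        """Manual start-up: never implied by a reset, never while a fault is present."""
        if self.state == SAFE and not fault_present:
            self.state = RUN
            self.log.append((t, "start"))
            return True
        return False

    def reset_input(self, t: float, pressed: bool, fault_present: bool) -> str:
        """Sample the reset push-button at time t and return the action taken."""
        if pressed:
            if self._press_started is None:
                self._press_started = t            # rising edge: note when it was pressed
            elif not self._stuck and t - self._press_started > MAX_PRESS_S:
                self._stuck = True                 # held too long: jammed or bridged button
                self.log.append((t, "reset rejected: permanent actuation"))
            return "pressed"
        if self._press_started is None:
            return "idle"
        held = t - self._press_started             # falling edge: evaluate the press once
        self._press_started = None
        if self._stuck:
            self._stuck = False                    # a release is required before any new reset
            return "rejected: permanent actuation"
        if held < MIN_PRESS_S:
            return "rejected: press too short"
        return self._attempt_reset(t, fault_present)

    def _attempt_reset(self, t: float, fault_present: bool) -> str:
        if self.state != LOCKOUT:
            return "ignored: not in lockout"
        if fault_present:
            # the reset must not override a safety function: remedy the fault first
            return "rejected: fault not remedied"
        while self._reset_times and t - self._reset_times[0] > RESET_WINDOW_S:
            self._reset_times.popleft()            # forget resets outside the time span
        if len(self._reset_times) >= MAX_RESETS:
            self.log.append((t, "reset limit reached"))
            return "rejected: reset limit reached"
        self._reset_times.append(t)
        self.state = SAFE                          # lockout cleared; no automatic restart
        self.log.append((t, "reset"))
        return "reset"


def demo() -> Dict[str, object]:
    """Constructed scenario exercising each rule of 4.5; returns the outcomes."""
    sup = ResetSupervisor()
    out: Dict[str, object] = {}
    sup.start(0.0, fault_present=False)
    sup.fault(10.0)                                      # e.g. flame failure
    sup.reset_input(11.0, True, fault_present=True)
    out["fault_present"] = sup.reset_input(11.5, False, fault_present=True)
    sup.reset_input(20.0, True, False)
    sup.reset_input(24.0, True, False)                   # still held after 4 s
    out["stuck_button"] = sup.reset_input(25.0, False, False)
    sup.reset_input(30.0, True, False)
    out["valid_reset"] = sup.reset_input(30.5, False, False)
    out["state_after_reset"] = sup.state                 # SAFE, not RUN
    out["start_after_reset"] = sup.start(31.0, False)
    for t in (40.0, 50.0, 60.0):                         # repeated lockouts in one window
        sup.fault(t)
        sup.reset_input(t + 1.0, True, False)
        out[f"reset_at_{int(t)}"] = sup.reset_input(t + 1.5, False, False)
    sup.reset_input(1000.0, True, False)                 # the 900 s window has elapsed
    out["reset_after_window"] = sup.reset_input(1000.5, False, False)
    return out
```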
Annex A
(informative)
Explanation of techniques and measures for avoiding systematic faults
A.1 General
Random faults have physical causes (e.g. temperature extremes, corrosion, wear), and statistical information can be used for a risk analysis. Systematic faults, however, originate from human errors in the specification and design of the protective system. Systematic faults can remain hidden until specific conditions occur and may not be discovered for long periods of time. When those conditions occur, they will cause all equipment produced from that system to fail in the same manner. Consequently, it is very important to guard against systematic faults from the beginning stages of a project.
A.2 Competency
Because systematic faults are human in origin, the people and organizations involved in the design and development of protective systems need to be competent for the particular activities for which they are responsible. Each person, department, organization or other unit needs to be identified and informed of the responsibilities assigned to them (including, where relevant, licensing authorities or safety regulatory bodies).
The following items need to be addressed in determining competency for protective system design:
a) engineering knowledge, training and experience appropriate to:
1) the process application;
2) the applicable technology used (e.g. electrical, electronic, programming);
3) the sensors and final elements;
b) safety engineering knowledge (e.g. process safety analysis);
c) knowledge of the legal and regulatory functional safety requirements;
d) adequate management and leadership skills appropriate to their role in the design;
e) understanding of the potential consequence of an event;
f) suitability to the novelty and complexity of the application and the technology.
More information on competency can be found in IEC 61511-1.
A.3 Avoidance of systematic faults
The following provides a summary of typical activities needed for the avoidance of systematic faults during
...
INTERNATIONAL STANDARD ISO 13577-4
First edition
2014-09-01
Industrial furnace and associated processing equipment — Safety — Part 4: Protective systems
Fours industriels et équipements associés — Sécurité — Partie 4: Systèmes de protection
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword ........ iv
Introduction ........ v
1 Scope ........ 1
2 Normative references ........ 1
3 Terms and definitions ........ 1
4 Design requirements for equipment in a protective system ........ 4
4.1 General ........ 4
4.2 Requirements for protective systems ........ 5
4.3 Fault assessment for the hardwired section of protective systems ........ 15
4.4 Failure of utilities ........ 15
4.5 Reset ........ 15
Annex A (informative) Explanation of techniques and measures for avoiding systematic faults ........ 16
Annex B (informative) Examples of techniques for avoiding failures from external wiring ........ 18
Annex C (informative) Examples for the determination of safety integrity level SIL using the risk graph method ........ 22
Annex D (informative) Example of an extended risk assessment for one safety instrumented function using the IEC 61511 method ........ 39
Annex E (informative) Sample schematic diagrams of protective system ........ 46
Annex F (normative) Hardwiring protective systems ........ 61
Bibliography ........ 71
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 244, Industrial furnaces and associated processing
equipment.
ISO 13577 consists of the following parts, under the general title Industrial furnaces and associated
processing equipment — Safety:
— Part 1: General requirements
— Part 2: Combustion and fuel handling systems
— Part 3: Generation and use of protective and reactive atmosphere gases
— Part 4: Protective systems
The following part is under preparation:
— Part 11: Requirements for arc furnaces
Introduction
This part of ISO 13577 was developed to specify the requirements of a protective system, which is a
safety-related electrical control system (SRECS) of industrial furnaces and associated processing
equipment (TPE).
Mandatory safety-related control functions of TPE are specified in ISO 13577-1, ISO 13577-2, and
ISO 13577-3.
It is intended that in designing the protective system of TPE, manufacturers of TPE choose from the four
methods provided in this part of ISO 13577.
This part of ISO 13577 is to be used together with the other parts of ISO 13577. Since ISO 13577 is a
type-C standard of ISO 12100, TPE are required to be designed in accordance with the principles of
ISO 12100. However, there are cases in which a risk assessment according to IEC 61511 (all parts) is
more suitable for the design of a TPE protective system.
This document is a type-C standard as stated in ISO 12100.
The machinery concerned and the extent to which hazards, hazardous situations, or hazardous events
are covered are indicated in the scope of this part of ISO 13577.
When requirements of this type-C standard are different from those which are stated in type-A or -B
standards, the requirements of this type-C standard take precedence over the requirements of the other
standards for machines that have been designed and built according to the requirements of this type-C
standard.
IEC 61511 (all parts) provides the option of a low-demand rate on the protective system. IEC 62061 or
ISO 13849-1 always assume high-demand applications.
Therefore, this part of ISO 13577 permits extended risk assessment for SRECS in which risk assessment
based on IEC 61511 (all parts) can be chosen as an alternative.
INTERNATIONAL STANDARD ISO 13577-4:2014(E)
Industrial furnace and associated processing equipment —
Safety —
Part 4:
Protective systems
1 Scope
This part of ISO 13577 specifies the requirements for protective systems used in industrial furnaces and
associated processing equipment (TPE).
The functional requirements to which the protective systems apply are specified in the other parts of
ISO 13577.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable to its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 13574:—1), Industrial furnaces and associated processing equipment — Vocabulary
ISO 13849-1:2006, Safety of machinery — Safety-related parts of control systems — Part 1: General
principles for design
IEC 60947-4-1, Low-voltage switchgear and controlgear — Part 4-1: Contactors and motor-starters — Electromechanical contactors and motor-starters
IEC 60947-5-1, Low-voltage switchgear and controlgear — Part 5-1: Control circuit devices and switching elements — Electromechanical control circuit devices
IEC 60204-1, Safety of machinery — Electrical equipment of machines — Part 1: General requirements
IEC 60730-2-5, Automatic electrical controls for household and similar use — Part 2-5: Particular
requirements for automatic electrical burner control systems
IEC 61508 (all parts):2010, Functional safety of electrical/electronic/programmable electronic safety-related systems
IEC 61131-3, Programmable controllers — Part 3: Programming languages
IEC 61511 (all parts), Functional safety — Safety instrumented systems for the process industry sector
IEC 62061, Safety of machinery — Functional safety of safety-related electrical, electronic and programmable
electronic control systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 13574:—2) and the following apply.
1) To be published.
2) To be published.
3.1
final element
part of a protective system which implements the physical action necessary to achieve a safe state
Note 1 to entry: Examples are valves, switch gear, motors including their auxiliary elements, for example, a
solenoid valve and actuator if involved in the safety function.
[SOURCE: IEC 61511-1:2003, 3.2.24, modified: “instrumented system” has been changed to read “protective system” in the definition.]
3.2
flame detector device
device by which the presence of a flame is detected and signaled
Note 1 to entry: It can consist of a flame sensor, an amplifier, and a relay for signal transmission.
[SOURCE: ISO 13574:—2), 2.65, modified: The second sentence in the original definition has been presented as the Note.]
3.3
functional safety
capability of a protective system or other means to reduce risk, to execute the actions required for
achieving or maintaining a safe state for the process and its related equipment
[SOURCE: ISO 13574:—2), 2.73]
3.4
logic function
function that performs the transformations between input information (provided by one or more input
functions or sensors) and output information (used by one or more output functions or final elements)
Note 1 to entry: Logic functions are executed by the logic solver of a protective system.
[SOURCE: IEC 61511-1:2003, 3.2.39, modified: “input functions” has been changed to read “input functions or sensors” and “output function” has been changed to read “output function or final elements” in the definition; the second sentence in the original definition has been deleted; the Note has been added.]
3.5
logic solver
portion of a protective system that performs one or more logic function(s)
Note 1 to entry: Examples are electrical systems, electronic systems, programmable electronic systems, pneumatic
systems, and hydraulic systems. Sensors and final elements are not part of the logic solver.
[SOURCE: IEC 61511-1:2003, 3.2.40, modified: “either a BPCS or SIS” has been changed to read “a protective system” in the definition; Note 1 in the original definition has been deleted.]
3.6
manual reset
action after a lockout of a safety device (e.g. automatic burner control) carried out manually by the
supervising operator
[SOURCE: ISO 13574:—3), 2.107]
3) To be published.
3.7
performance level
PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety
function under foreseeable conditions
[SOURCE: ISO 13849-1:2006, 3.1.23]
3.8
product standard
standard for products and devices which are listed in ISO 13577 (all parts) except this part of ISO 13577
[SOURCE: ISO 13574:—3), 2.135, modified: “ISO 13577-4” has been changed to read “this part of ISO 13577” in the definition.]
3.9
programmable logic control
PLC
electronic device designed for control of the logical sequence of events
[SOURCE: ISO 13574:—, 2.125]
3.10
protective system
instrumented system used to implement one or more safety-related instrumented functions which is
composed of any combination of sensor(s), logic solver(s), and final elements (for example, see Figure 2)
Note 1 to entry: This can include safety-related instrumented control functions or safety-related instrumented
protection functions or both.
[SOURCE: ISO 13574:—, 2.138]
3.11
safety bus
bus system and/or protocol for digital network communication between safety devices, which is designed
to achieve and/or maintain a safe state of the protective system in compliance with IEC 61508 (all
parts):2010 or IEC 60730-2-5
[SOURCE: ISO 13574:—, 2.164]
3.12
safety device
device that is used to perform protective functions, either on its own or as a part of a protective system
Note 1 to entry: Examples are sensors, limiters, flame monitors, burner control systems, logic systems, final
elements, and automatic shut-off valves.
3.13
safety integrity level
SIL
discrete level (one out of a possible four), corresponding to a range of safety integrity values, where
safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest
Note 1 to entry: The target failure measures for the four safety integrity levels are specified in IEC 61508-1:2010,
Tables 2 and 3.
Note 2 to entry: Safety integrity levels are used for specifying the safety integrity requirements of the safety
functions to be allocated to the E/E/PE safety-related systems.
Note 3 to entry: A safety integrity level (SIL) is not a property of a system, subsystem, element, or device. The
correct interpretation of the phrase “SIL n safety-related system” (where n is 1, 2, 3, or 4) is that the system is
potentially capable of supporting safety functions with a safety integrity level up to n.
[SOURCE: IEC 61508-4:2010, 3.5.8]
3.14
sensor
device that produces a signal based on a process variable
EXAMPLE Transmitters, transducers, process switches, and position switches.
3.15
system for permanent operation
system, which is intended to remain in the running position for longer than 24 h without interruption
[SOURCE: IEC 60730-2-5:2009, 2.5.101]
3.16
system for non-permanent operation
system, which is intended to remain in the running position for less than 24 h
[SOURCE: IEC 60730-2-5:2009, 2.5.102]
3.17
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an
element meets the requirements of the specified SIL, in respect of the specified element safety function,
when the element is applied in accordance with the instructions specified in the compliant item safety
manual for the element
Note 1 to entry: Systematic capability is determined with reference to the requirements for the avoidance and
control of systematic faults (see IEC 61508-2 and IEC 61508-3).
Note 2 to entry: What qualifies as a relevant systematic failure mechanism depends on the nature of the
element. For example, for an element comprising solely software, only software failure mechanisms will need
to be considered. For an element comprising hardware and software, it is necessary to consider both systematic
hardware and software failure mechanisms.
Note 3 to entry: A systematic capability of SC N for an element, in respect of the specified element safety function,
means that the systematic safety integrity of SIL N has been met when the element is applied in accordance with
the instructions specified in the compliant item safety manual for the element.
[SOURCE: ISO 13574:—, 2.183]
4 Design requirements for equipment in a protective system
4.1 General
Electrical equipment shall comply with IEC 60204-1 and withstand the hazards identified in the risk
assessment required at the design stage. Electrical equipment shall be protected against damage. In
particular, it shall be robust to withstand damage during continuous operation.
Devices shall be used in accordance with the manufacturer’s instructions including safety manuals. Any
device used outside of its published technical specification shall be verified and validated to be suitable
for the intended application.
Devices of a protective system shall withstand the environmental conditions and fulfill their intended
function.
Sensors (e.g. pressure transmitters, temperature transmitters, flow transmitters) used in the protective
system shall be independent from the process control system.
Figure 1 is provided as an aid to understanding the relationship between the various elements of TPE and
their ancillary equipment, the heating system, the process control system, and the protective system.
Figure 1 — Block diagram of control and protective systems (figure not reproduced; blocks shown: Heating system (fuel supply and conditioning, burners, burner combustion system, ignition device, combustion air supply and pre-heating); processing chamber; auxiliary equipment; combustion chamber; flue gas system; Process control system (e.g. pressure control, temperature control; non-safety functions); Protective system (e.g. prepurge, automatic burner control system; safety functions))
An appropriate group of techniques and measures shall be used that are designed to prevent the
introduction of faults during the design and development of the hardware and software of the protective
system (see Annex A).
Failure due to short circuit in external wiring shall be avoided (see Annex B).
Requirements for testing and testing intervals for protective systems shall be specified in the instruction handbook. Except as permitted by Method D, the testing of all safety functions shall be performed at least annually. Method D shall be used if the testing of all safety functions is performed at intervals longer than 1 y.
See Annexes C and D for examples of SIL/PL determinations.
4.2 Requirements for protective systems
Any one or a combination of the four (4) methods shall be used to implement a protective system for the
safety function(s) requirements identified in ISO 13577 (all parts); however, only one method shall be
used for any one specific safety function. The four methods are the following:
— Method A as specified in 4.2.1;
— Method B as specified in 4.2.2;
— Method C as specified in 4.2.3;
— Method D as specified in 4.2.4.
Figure 2 shows the basic configuration of a protective system.
Figure 2 — Basic configuration of a protective system (figure not reproduced; it shows Safety function 1 (e.g. pressure monitoring), Safety function 2 (e.g. flame monitoring) and so on up to Safety function n, each implemented by Method A, B, C or D as a chain of Sensor(s) (e.g. pressure switch, flame sensor), Logic Solver(s) and Final Element(s) (e.g. actuator, automatic shut-off valves))
Figure 3 shows the basic characteristics of each method.
NOTE 1 Software interconnections are links between software function blocks, safety PLC inputs, and safety
PLC outputs. These are similar to hardwired interconnections between devices.
NOTE 2 Safety function software is either a software function block or program to perform safety logic
functions (e.g. prepurge, automatic burner control).
Figure 3 — Method overview (figure not reproduced; it sets the rows Hardware, Interconnections, Safety function software and Detailed description (4.2.1, 4.2.2, 4.2.3, 4.2.4) against the columns Method A to Method D, with the labels: devices which comply with relevant product standards; SIL/PL capable components; safety PLC; hardwired interconnections; safety bus interconnections; software interconnections; verified and validated software function blocks; safety PLC program language; extended risk assessment)
See Annex E for sample schematic diagrams of the various methods.
4.2.1 Method A
Method A shall be a hardwired system in which all devices (i.e. sensors, logic solver, and final elements
described in Figure 4) comply with the relevant product standards as specified in ISO 13577 (all parts).
The requirements of IEC 61508 (all parts), IEC 61511 (all parts), IEC 62061, and ISO 13849-1:2006 are
not applicable for this type of protective system.
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— connections shall not be permitted through data communication buses;
— devices with fixed program language, which meet the relevant product standards, shall be permitted;
— hardwiring shall be in accordance with Annex F.
(Figure 4, chain shown from sensors to final elements:)
— Sensor(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. pressure detector according to IEC 60730-2-6, flame detector according to IEC 60730-2-5;
— hardwiring as specified in 4.2.1;
— Logic Solver(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic burner control system according to IEC 60730-2-5;
— hardwiring as specified in 4.2.1;
— Final Element(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic shut-off valve(s) according to ISO 23551-1.
Figure 4 — Hardware configuration of Method A
NOTE The safety devices used in 4.2.1 correspond to specific safety requirements, matched to the field of application and the functional requirements made of these devices, as demanded in the corresponding product standards for safety devices, e.g. automatic burner control systems, valve-proving systems, pressure-sensing devices, automatic shut-off valves. Even without additional SIL/PL certification of these safety devices, the safety requirements for the use of safety devices are met through compliance with the relevant product standards. Implementation of a protective system in accordance with 4.2.1 is one of several alternative methods.
4.2.2 Method B
Method B shall be a combination of devices meeting the relevant product standards and/or SIL/PL capable devices for which no relevant product standard exists. Safety PLCs are excluded (see Figure 5).
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— devices with fixed program language, which meet the relevant product standards, shall be permitted;
— interconnections may be hardwired or through safety bus;
— hardwiring shall be in accordance with Annex F.
For devices which are not covered by product standards, the following requirements shall be fulfilled:
— the device shall be SIL 3 capable in accordance with IEC 61508 (all parts), IEC 62061, or IEC 61511
(all parts) or it shall be PL e capable in accordance with ISO 13849-1:2006;
— SIL/PL capability certification shall apply to the complete device, including the hardware and
software.
NOTE Verification and validation of SIL/PL certification for devices is typically carried out by a notified body, an accredited national testing laboratory, or an organization in accordance with ISO/IEC 17025:2005.
Devices with less than SIL 3/PL e capability shall be permitted, provided the SIL/PL requirements for
the loop (safety function) are determined and calculated.
When the SIL is determined by prior use (i.e. proven in use), the requirements in IEC 61511 (all parts)
shall be followed.
All requirements in the safety handbook for the device shall be adhered to, such as the proof test interval.
NOTE See Annex C for examples of determining SIL/PL.
(Figure 5, chain shown from sensors to final elements:)
— Sensor(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. pressure detector according to IEC 60730-2-6, flame detector according to IEC 60730-2-5, AND/OR Sensor(s) with defined systematic capability as specified in 4.2.2, e.g. SIL or PL capable pressure transmitter;
— hardwiring as specified in 4.2.2;
— Logic Solver(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic burner control system according to IEC 60730-2-5, AND/OR Component(s) with defined systematic capability as specified in 4.2.2, e.g. safety relay(s);
— hardwiring as specified in 4.2.2;
— Final Element(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577, e.g. automatic shut-off valve(s) according to ISO 23551-1, AND/OR Final Element(s) with defined systematic capability as specified in 4.2.2, e.g. SIL or PL capable actuator.
Figure 5 — Hardware configuration of Method B
4.2.3 Method C
Method C shall be a combination of devices meeting the relevant product standards and/or SIL/PL capable devices for which no relevant product standard exists and/or safety PLCs.
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— devices with fixed program language, which meet the relevant product standards, shall be permitted;
— the interconnections may be hardwired, through safety bus, or through software interconnections;
— hardwiring shall be in accordance with Annex F.
Safety function software is only permitted in the form of verified and validated SIL 3 capable software
function blocks (see Figure 6).
Safety functions shall be permitted within a safety-rated device (e.g. a safety PLC) or within an external
device covered by the relevant product standard.
For the devices (safety PLC, timers, etc.) which are NOT covered by product standards, the following
requirements shall be fulfilled:
— the devices shall be SIL 3 capable in accordance with IEC 61508 (all parts), IEC 62061, or IEC 61511 (all parts), or they shall be PL e capable in accordance with ISO 13849-1:2006;
— where a programmable device implements a safety function that is partly or entirely addressed in a
relevant product standard, the software function shall be verified and validated with respect to the
applicable requirements in the related product standard including but not limited to the sequences
and timings of the product standard;
— software interconnections in a programmable device shall be verified by a functional test;
— software programming languages for PLCs shall be in accordance with IEC 61131-3;
— software shall be locked and secured against unauthorized and unintentional changes.
NOTE Verification and validation of SIL/PL certification is typically carried out by a notified body, an accredited national testing laboratory, or an organization in accordance with ISO/IEC 17025:2005.
Devices with less than SIL 3/PL e capability shall be permitted, provided the SIL/PL requirements for
the loop (safety function) are determined and calculated.
When the SIL is determined by prior use (i.e. proven in use), the requirements in IEC 61511 (all parts)
shall be followed.
All requirements in the safety manual for the device shall be adhered to such as the proof test interval.
NOTE See Annex C for examples of determining SIL/PL.
Figure 6 (block diagram; text recovered from the figure):
Sensor(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577 (e.g. pressure detector according to IEC 60730-2-6, flame detector according to IEC 60730-2-5) AND/OR sensor(s) with defined systematic capability as specified in 4.2.3 (e.g. SIL or PL capable pressure transmitter)
(hardwiring as specified in 4.2.3)
Logic solver(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577 (e.g. automatic burner control system according to IEC 60730-2-5) AND/OR component(s) with defined systematic capability as specified in 4.2.3 (e.g. safety relay(s)) AND/OR programmable logic solver with defined systematic capability as specified in 4.2.3 (e.g. safety PLC)
(hardwiring as specified in 4.2.3)
Final element(s) complying with the relevant product standard(s) as specified in other parts of ISO 13577 (e.g. automatic shut-off valve(s) according to ISO 23551-1) AND/OR final element(s) with defined systematic capability as specified in 4.2.3 (e.g. SIL or PL capable actuator)
Figure 6 — Hardware configuration of Method C
4.2.3.1 Requirements for application software
4.2.3.1.1 In accordance with the required safety integrity level, the chosen programmable protective
equipment and its software shall meet the safety integrity requirements of the particular application:
— correctness of functionality;
— sequencing and time-related information;
— timing constraints;
— concurrency (software interrupts should be avoided);
— data structures and properties;
— design assumptions and dependencies;
— testability.
4.2.3.1.2 The proof of the items listed in 4.2.3.1.1 has to be carried out by verification and validation
steps according to the design and development phases within the life cycle of the software, including
— validity of the software requirement specification and
— completeness, consistency, understandability, and unambiguousness of documentation and
programs.
The application design representations shall be based on a notation (e.g. functional diagram), which
is unambiguously defined or restricted to unambiguously defined features; as far as practicable, the
application design shall minimize the safety-related part of the software. Where the software is to
implement both safety and non-safety functions then all of the software shall be treated as safety-related,
unless adequate independence between the functions can be demonstrated in the application design.
Where the software is to implement safety functions of different safety integrity levels, then all of the
software shall be treated as belonging to the highest safety integrity level unless adequate independence
between the safety functions of the different safety integrity levels can be shown in the application
design. The justification for independence shall be recorded in the relevant design documentation.
If software modules proven in operation are to be used as part of the application software, they shall
be clearly identified and documented. The software’s suitability in satisfying the requirements of a
particular application shall be justified. Suitability shall be based upon evidence of satisfactory operation
in a similar application or having been subject to the same verification and validation procedures as
would be expected for any newly developed software. For software modules proven in operation, the
extent of testing may be limited to the tests required to ensure proper implementation. Constraints
from the previous software environment (e.g. operating system and compiler dependencies) should be
evaluated. Depending on the nature of the software development, responsibility for conformance with
4.2.3.1 can vary from the supplier alone, the user alone, or both. The division of responsibility shall be
recorded. The proposed software architecture shall be based on a partitioning into devices/subsystems,
which can be identified to be part of the system software and of the plant-specific application software.
The following information shall be provided:
— whether they are new, existing, or proprietary;
— whether they have been previously verified, and if so, their verification conditions;
— whether each subsystem/device is safety-related or not;
— the software safety integrity level of the subsystem/device;
— identification, evaluation, and details of the significance of all hardware/software interactions;
— a notation used to represent the architecture which is unambiguously defined or restricted to
unambiguously defined features;
— identification of the design features used for maintaining the safety integrity of all data (this shall
include plant input-output data, communications data, operator interface data, maintenance data,
and internal database data).
4.2.4 Method D
Method D shall be in accordance with the full requirements of IEC 61508 (all parts), IEC 62061, IEC 61511
(all parts), or ISO 13849-1:2006 (see Figure 7).
NOTE See Annex D for the method in accordance with IEC 61511 (all parts).
Method D shall also fulfill the following requirements:
a) the flame detector device shall comply with IEC 60730-2-5;
b) all requirements of the PLC and all safety devices shall be used in accordance with all instructions
in the device manufacturer’s product safety manual including voting and testing frequency
requirements;
c) each functional safety requirement, as identified in ISO 13577 (all parts), shall be evaluated for
its need in accordance with the standards, such as IEC 61511 (all parts), ISO 13849-1:2006, and
IEC 62061, and implemented with the required SIL for each function. Safety functions of the safety-
related system, such as automatic burner control, valve proving, air/fuel ratio control, etc. shall
fulfill the intent of the safety requirements in the relevant product standards;
NOTE An extended risk assessment in Method D can take precedence over the safety requirements in
ISO 13577 (all parts). By nature of the extended risk assessment under Method D, the overall safety is not
reduced and meets or exceeds the intended requirements of ISO 13577 (all parts).
d) the interconnections may be hardwired, through safety bus, or through software interconnections;
e) hardwiring shall be in accordance with Annex F.
NOTE Verification and validation of SIL/PL certification are typically carried out by a notified body, accredited
national testing laboratory, or by an organization according to ISO/IEC 17025:2005.
Figure 7 (block diagram; text recovered from the figure):
Sensor(s) pursuant to the results of the extended risk assessment according to IEC 61508, IEC 62061, IEC 61511 or ISO 13849
(hardwiring as specified in 4.2.4)
Logic solver(s) pursuant to the results of the extended risk assessment according to IEC 61508, IEC 62061, IEC 61511 or ISO 13849
(hardwiring as specified in 4.2.4)
Final element(s) pursuant to the results of the extended risk assessment according to IEC 61508, IEC 62061, IEC 61511 or ISO 13849
Figure 7 — Hardware configuration of Method D
4.3 Fault assessment for the hardwired section of protective systems
The protective system shall be designed such that the devices required in ISO 13577 (all parts) shall be
used as follows:
a) When relays are used in safety functions, the contacts shall be supervised and forced guided and
the current applied to all contacts shall be a maximum of 60 % of the contacts’ rating. Control relays
for safety shall be in accordance with IEC 60947-5-1 or the requested SIL/PL requirement. Power
relays for safety with or without mirror contacts shall be in accordance with IEC 60947-4-1 or the
requested SIL/PL requirement.
b) The device shall be wired in accordance with the manufacturer’s instructions.
c) For Methods B and C, when timers not complying with the relevant product standards as specified
in all the other parts of ISO 13577 are used in safety functions, timers shall have a systematic
capability of SC 3 (SIL 3 capable). Setting of adjustable timers shall be locked or sealed.
d) Overcurrent protection shall be provided to limit current in the safety circuit to below 60 % of the
lowest device contact rating.
e) Additional requirements are given in Annex F.
4.4 Failure of utilities
Loss of utilities (e.g. electrical power, instrument air) to the TPE shall result in safe state (e.g. lock-out).
Any restart shall be initiated by manual intervention only. The start-up and ignition sequence shall
apply (see ISO 13577-2:—, 4.2.7 or 4.3.7).
4.5 Reset
Unless permitted by Method D, on devices performing a safety function, reset after lock-out shall be
triggered manually after remedying the fault (see ISO 13574:—, 2.107).
A reset shall not override a safety function.
The design shall incorporate means to prevent unintended and permanent resets.
The design shall incorporate means to prevent unintended start of the TPE.
The instruction handbook shall include a requirement that the operator ensures safe operation prior to
initiating a reset.
The maximum number of resets within a defined time span shall be limited based on the risk assessment
and shall be specified in the instruction handbook.
When the manual reset is initiated without visible sight on the TPE, a safe operation shall be ensured
from the reset action and the actual status and relevant information of the process under control shall
be visible to the user.
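The lock-out, manual-restart and reset rules of 4.4 and 4.5 can be checked in a small state model. The following is an added example, not text or code from ISO 13577-4: it assumes three states (IDLE awaiting manual start-up, RUNNING, LOCKOUT), treats any fault or loss of utility as a lock-out, accepts a reset only on a rising edge of the reset input after the fault has been remedied, and uses constructed placeholder values for the reset limit and time window that the risk assessment would fix.

```python
from collections import deque
class ProtectiveSystem:
    """Constructed model of lock-out and manual reset (not from ISO 13577-4).
    States: IDLE (awaiting manual start-up), RUNNING, LOCKOUT. The reset limit
    and window are placeholders for values fixed by the risk assessment."""
    IDLE, RUNNING, LOCKOUT = "IDLE", "RUNNING", "LOCKOUT"

    def __init__(self, max_resets=3, reset_window_s=3600.0):
        self.state = self.IDLE
        self.fault_present = False     # live status of sensors and utilities
        self.max_resets = max_resets
        self.reset_window_s = reset_window_s
        self._reset_times = deque()    # times of resets accepted in the window
        self._reset_level = False      # last sampled level of the reset input

    def start(self, t):
        """Manual start; the start-up and ignition sequence is assumed to follow."""
        if self.state != self.IDLE or self.fault_present:
            return False
        self.state = self.RUNNING
        return True

    def fault(self, t, reason):
        """Any fault, including loss of power or instrument air, drives lock-out."""
        self.fault_present = True
        self.state = self.LOCKOUT
        self.last_fault = (t, reason)

    def fault_remedied(self):
        self.fault_present = False     # stays locked out: no automatic restart

    def reset_input(self, t, pressed):
        """Sample the reset input. Only a rising edge counts, so a stuck or
        permanently held input cannot produce repeated or unintended resets."""
        edge = pressed and not self._reset_level
        self._reset_level = pressed
        return edge and self._manual_reset(t)

    def _manual_reset(self, t):
        if self.state != self.LOCKOUT:
            return False               # nothing to reset
        if self.fault_present:
            return False               # a reset never overrides a safety function
        while self._reset_times and t - self._reset_times[0] > self.reset_window_s:
            self._reset_times.popleft()    # forget resets outside the window
        if len(self._reset_times) >= self.max_resets:
            return False               # limit from the risk assessment reached
        self._reset_times.append(t)
        self.state = self.IDLE         # lock-out cleared; start-up itself stays manual
        return True
```

Note that clearing the fault never leaves LOCKOUT by itself, and a reset only returns the system to IDLE, so the start-up and ignition sequence still has to be initiated manually.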
Annex A
(informative)
Explanation of techniques and measures for avoiding systematic
faults
A.1 General
Random faults have physical causes (e.g. temperature extremes, corrosion, wear) and statistical
information can be used for a risk analysis. However, systematic faults originate from human errors
in the specification and design of the protective system. Systematic faults can be hidden until specific
conditions occur and might not be discovered for long periods of time. These specific conditions will
cause all equipment that was produced from that system to fail in the same manner. Consequently, it is
very important to guard against systematic faults from the beginning stages of a project.
A.2 Competency
Because systematic faults are human in nature, the people and their organization involved in the design
and development of protective systems need to be competent for the particular activities for which
they are responsible. Each person, department, organization, or other unit needs to be identified and
informed of the responsibilities assigned to them (including, where relevant, licensing authorities or
safety regulatory bodies). The following items need to be addressed in determining competency for
protective system design:
a) engineering knowledge, training, and experience appropriate to
1) the process application,
2) the applicable technology used (e.g. electrical, electronic, programming), and
3) the sensors and final elements;
b) safety engineering knowledge (e.g. process safety analysis);
c) knowledge of the legal and regulatory functional safety requirements;
d) adequate management and leadership skills appropriate to their role in the design;
e) understanding of the potential consequence of an event;
f) suitability to the novelty and complexity of the application and the technology.
Additional information on competency can be found in IEC 61511-1.
A.3 Avoidance of systematic faults
The following provide a summary of typical activities needed for avoidance of systematic faults during
the design stage. More details can be found in IEC 61508-2.
Choose a design method with features that facilitate the following:
a) transparency, modularity, and other features that control complexity;
b) clear and precise expression of
— functionality,
— subsystem and element interfaces,
— sequencing and time-related information, and
— concurrency and synchronization;
c) clear and precise documentation and communication of information;
d) verification and validation.
Use design features that make the protective system tolerant against systematic and random faults and
residual design faults in the hardware, software, and data communication process.
During the design, distinguish and identify those activities that can be carried out at the developer’s
premises from those that require access to the user’s site.
Formalize maintenance requirements during the design stage to ensure that the safety integrity
requirements of the protective systems continue to be met throughout its lifecycle.
Take into account human capabilities and limitations and the actions assigned to operators and
maintenance staff, including their likely level of training or awareness.
Plan the protective system integration tests and for the test plan documentation, including the following:
a) the types of tests to be performed and procedures to be followed;
b) the test environment, tools, configuration, and programs;
c) the pass/fail criteria.
Where applicable, use automatic testing tools and integrated development tools.
Annex B
(informative)
Examples of techniques for avoiding failures from external wiring
Figure B.1 shows how a possible short circuit at cable 2 would defeat the protective system. For normal
safety function, an open state of the pressure switch contacts would cause the logic solver to perform
an action through the final element to bring the system to a safe state. With a short circuit at cable 2, the
open state of either switch is not detected.
Figure B.1 (diagram; labels recovered from the figure): a digital sensor (e.g. pressure switch) in the field is wired through field terminals in a terminal box to the terminals of the enclosure with logic (digital logic); the arrangement is marked "Not allowed!".
Key
1 cable 1
2 cable 2
3 cable 3
Figure B.1 — Improper external wiring method
CAUTION — Figure B.1 shows an IMPROPER example of external wiring practice.
Figure B.2 shows a technique that can provide a sufficient level of protection for the safety function when
used with protective system methods A and B. All conductors are brought back to the main enclosure
through cable ducts or conduits, which provide sufficient protectio
...