IEC 61069: Industrial Automation System Assessment — An Engineer’s Guide to Scientifically Selecting Control Systems

1. The IEC 61069 Architecture: Seven Properties and One Framework

1.1 The 8-Part Standard Structure

The IEC 61069:2016 2nd edition represents a comprehensive reorganization of the original 1991/1999 editions into a consistent, modular structure:

1.2 The BCS Model: A Universal Abstraction for Control Systems

One of the core innovations of IEC 61069 is the Basic Control System (BCS) conceptual model. It abstracts any industrial control system into five functional interfaces, providing a uniform reference for assessment regardless of vendor or platform:

• Process/Machine Interface Functions: Sensor signal acquisition and actuator drive output — the “hands and eyes” of the control system.
• Data Processing Functions: Control algorithms, logic processing, data recording, alarm management — the “brain” of the system.
• Communication Functions: Fieldbus, industrial Ethernet, wireless links — the “nervous system.”
• Human Interface Functions: Operator HMI stations, engineering workstations, alarm panels — the “face” of the system.
• External System Interface Functions: MES, ERP, cloud interfaces — the “diplomat” connecting to the enterprise.

1.3 SRD vs. SSD: The Two-Document Assessment Engine

IEC 61069 introduces a powerful dual-document concept that forms the backbone of every assessment:

• SRD (System Requirements Document): Authored by the user (end-user or system integrator), defining what is needed from the target system — functional lists, performance targets, dependability expectations, environmental constraints. The SRD is the yardstick of the assessment.
• SSD (System Specification Document): Provided by the supplier, describing what the system actually delivers in terms of functions, performance parameters, and properties. The SSD is the target being measured.

Assessment, at its core, is the structured process of comparing every SSD claim against the corresponding SRD requirement, judging the degree of compliance across each property dimension.

2. The Seven System Properties: Deep Technical Analysis

2.1 Functionality (Part 2) — “What Can the System Do?”

Functionality assessment answers the most fundamental question: can the system perform the required control tasks? This seemingly simple question has multiple layers:

• Function Coverage: Does the SSD function list cover every function defined in the SRD? Gaps are generally unacceptable.
• Functional Margin: Is there headroom for expansion? Common benchmarks include I/O point reservation (typically no less than 20%).
• Functional Correctness: Are core functions — PID regulation, sequential control, interlock protection — implemented correctly per applicable standards?

A vital concept in functionality assessment is the function-module-element decomposition hierarchy: each function can be broken into modules, and each module into elements. Assessment should proceed through all three levels to avoid missing low-level implementation gaps.

2.2 Performance (Part 3) — “How Well Does the System Perform?”

Performance assessment quantifies the speed, accuracy, and efficiency with which the system executes its functions under specified operating conditions. Key metrics include:

2.3 Dependability (Part 4) — “How Long Can You Trust the System?”

Dependability is among the most comprehensive properties in IEC 61069, encompassing availability, reliability, recoverability, and fault tolerance. In critical infrastructure (power plants, chemical processing, water treatment), dependability is often the single most important factor in vendor ranking.

Core assessment dimensions:

• Availability: The probability that the system is in a functional state under given conditions. Calculated as A = MTBF / (MTBF + MTTR). Critical systems target 99.99% (“four nines”) or higher.
• Reliability: The ability to perform required functions under stated conditions for a stated time interval. Quantified as MTBF (Mean Time Between Failures).
• Redundancy Architecture: Controller redundancy (hot-standby/warm-standby), network redundancy (ring/dual-star), power supply redundancy, I/O redundancy — each with different switchover times and cost implications.
• Fault Recovery: Is controller switchover bumpless? Does network self-healing complete within the process safety time? Does the operator display automatically restore to the pre-fault state after a system restart?

2.4 Operability (Part 5) — “How Usable Is the System?”

Operability measures the system’s capability to be used effectively, efficiently, and satisfactorily by operators under normal operating conditions. It is frequently undervalued in tender evaluations, yet it is the property that most directly affects daily productivity over the system’s 15-20 year lifecycle.

Key technical considerations:

• HMI Quality: Alarm priority layering, navigation depth, color coding consistency (see ISA-101), trend interaction design.
• Workflow Efficiency: The number of steps and time required to complete common operator tasks (e.g., start/stop a pump set, switch PID controller mode).
• Error Prevention: Are critical operations protected by confirmation dialogs? Is access control granular and role-appropriate? Are interlock conditions pre-evaluated and communicated to the operator before action?
• Situation Awareness: Can the operator comprehend the overall process state in a single glance? (Refer to the ISA-101 HMI design standard).

2.5 Safety (Part 7) — “How Safe Is the System?”

IEC 61069-7 builds system safety assessment on a hazard-harm-propagation path analytical framework, structurally aligned with the functional safety philosophy of IEC 61508/61511:

1. Hazard Reduction: Eliminating or minimizing the possibility of hazard sources through design.
2. Hazard Isolation: Confining hazards within defined zones to prevent propagation (e.g., intrinsic safety barriers, network firewalls).
3. Immunity / Robustness: The system’s ability to resist harmful internal and external influences (EMC disturbances, overvoltage, cyber attacks) without entering a hazardous state.
4. Aversion: The capability to detect a hazard and proactively transition to a safe state (fail-safe fallback behavior).
5. Mitigation: Limiting the scope of damage after a hazard has materialized (e.g., physical containment, pressure relief systems).

Propagation path analysis is one of the unique contributions of IEC 61069-7. It requires assessors to trace every possible propagation path from a hazard source to a harm receiver (personnel, environment, equipment, production) and verify adequate layers of defense along each path. This paradigm is highly complementary to the bow-tie risk model.

2.6 Maintainability and Security

Maintainability (Part 6) addresses the time, resources, and skills required to restore a system to normal operation after a failure. Key metrics include MTTR, diagnostic coverage, online module replacement capability, and remote diagnostic functions. Excellent maintainability design means that when a fault occurs at 2 AM, the on-duty engineer does not need to call a system specialist — the system itself tells them what failed and how to fix it.

Among the Other Properties (Part 8), cybersecurity stands out as increasingly critical. While detailed treatment is found in the IEC 62443 series, IEC 61069-8 provides a unified framework for integrating cybersecurity attributes — access controls, network segmentation, audit logging, patch management policies — into the broader system assessment.

2.7 Seven Properties at a Glance

3. The Structured Assessment Process and Engineering Practice

3.1 The Five-Step Assessment Methodology

IEC 61069-1 defines a universal assessment workflow applicable to every system property:

1. Define the Assessment Objective: Clarify why the assessment is being done (vendor selection? upgrade decision? compliance audit?). Define scope and depth.
2. Design and Layout of the Assessment: Select which system properties to assess (all seven or a subset?), assign weights to each property. For example, a nuclear power plant control system assigns maximum weight to safety and dependability; a food packaging line may prioritize performance and operability.
3. Planning the Assessment Program: Define metrics, select evaluation techniques (analytical vs. empirical), establish a timeline, and allocate resources.
4. Execute the Assessment: Collect SRD and SSD documents, perform analytical evaluation (document reviews, modeling), conduct empirical evaluation where necessary (benchmark tests, witnessed factory acceptance testing), and record all findings.
5. Reporting the Assessment: Consolidate results across all property dimensions, present an integrated conclusion with recommendations. The report should clearly distinguish between assessment facts and subjective judgments.

3.2 Analytical vs. Empirical Evaluation

IEC 61069 defines two complementary evaluation techniques:

3.3 Influencing Factors — The Critical Step Most Assessments Skip

Section 5.3 of IEC 61069-1 dedicates significant attention to influencing factors (derived from IEC TS 62603-1) that can materially impact all seven system properties. These factors are frequently overlooked during evaluation:

• Installation Environment: Indoor/outdoor, cleanroom/dusty, temperature and humidity ranges.
• Corrosive and Erosive Influences: Concentration levels of gaseous contaminants (H₂S, SO₂, Cl₂) and solid aerosols in the atmosphere.
• EMC Requirements: RF radiated fields (up to 10 V/m), electrical fast transient/burst (up to 4 kV), surge (up to 4 kV), conducted disturbances, voltage dips, and short interruptions.
• Power Supply Quality: Voltage deviation, frequency deviation, harmonic distortion, short-term interruptions.
• Mechanical Stress: Vibration spectra, shock, seismic requirements.
• Sub-system Integration: Third-party device interoperability, legacy system compatibility, data format conversion.

4. From Standard to Selection Decision: Evaluation Matrix and Common Traps

4.1 Building a Weighted Vendor Evaluation Matrix

Translating IEC 61069’s seven properties into an actionable vendor selection matrix requires tailoring weights to the specific industry context:

Note: The weight allocations above are entirely context-dependent. A chemical/petrochemical facility places safety first (30%), while a food and beverage plant — with faster production cadences and frequent product changeovers — prioritizes performance and operability. There is no universal weight assignment; this is an engineering judgment call.

4.2 Common Assessment Traps and How to Avoid Them

1. The “More Functions = Better System” Fallacy: A system may come with a 2,000-page feature list, but only 70% are relevant to your process. The remaining 30% of “extra features” add no value but increase complexity, training costs, and potential failure modes. Evaluate applicable functions, not total function count.
2. Ignoring Total Cost of Ownership (TCO): Comparing only hardware purchase prices while ignoring 20 years of software licensing, spare parts, training, upgrades, and decommissioning costs. The IEC 61069 framework should incorporate full lifecycle cost analysis.
3. Vendor Lock-In Risk: Choosing a system with proprietary communication protocols or programming environments locks all future expansions, upgrades, and spare parts into that vendor’s ecosystem. Assessment should explicitly score vendor lock-in risk.
4. Datasheet Numbers vs. Field Truth: A vendor SSD quoting MTBF = 50 years may derive from accelerated life testing in a laboratory, not from statistical analysis of thousands of units operating in real field conditions. Always demand field reliability tracking data (field return statistics).
5. Skipping Operator Participation: Making decisions based on technical specifications in a conference room, without ever having actual operators interact with candidate systems. The result: technically perfect specifications accompanied by daily operator frustration.

FAQ