CASS-511-LVL – SUBSYSTEM LVL SOFTWARE (IEC 61511-1)

INTRODUCTION
This conformity assessment template is for the assessment of Limited Variability Language (LVL)
software to IEC 61511:2017, Functional safety – Safety instrumented systems for the process industry
sector.
The following notes should be read prior to the assessment:

GENERAL NOTES
1. For general guidance on using CASS conformity assessment documents, refer to The CASS
Guide on using the CASS Methodology available from www.61508.org/cass (Document: ‘CASS-
Guide-A’).

2. Use of this template assumes acceptance of the CASS scheme liability disclaimer in ‘CASS-
Guide-A’.

3. This conformity assessment template does not replace the standard (IEC 61511:2017), it is
intended to be used in conjunction with a copy of the standard as a method to manage the
assessment of functional safety to support the assessor. The “Purpose of TOE” is a general
guide to provide context and scope, and it is the assessor’s responsibility to ensure compliance
with all the relevant clauses within the standard.

4. The assessor’s comment section shall be used for positive reporting including reference to the
document sections / clauses relevant to evidence compliance.

TEMPLATE SPECIFIC NOTES


1. This conformity assessment template is for the generic software LVL aspects from IEC 61511-1.

2. For the Functional Safety Management (FSM) and safety lifecycle aspects, see CASS-511-FSM –
Functional Safety Management (FSM).

3. For the Functional Safety Assessment (FSA) stages 1 – 5, which together cover all clauses from 8 to 18,
refer to template CASS-511-FSA – Functional Safety Assessment (FSA).

4. For the assessment of the generic SIS operation and maintenance aspects from IEC 61511-1
clause 16, refer to template CASS-511-OP – Operations and Maintenance.

REFERENCES
- CASS-511-FSM – Functional Safety Management (FSM)
- CASS-511-FSA – Functional Safety Assessment (FSA)
- CASS-511-OP – Operation and Maintenance

ACRONYMS
The following acronyms are used in this template:
AP    Application Program
CASS  Conformity assessment of safety-related systems
COTS  Commercially off the shelf
FS    Functional safety
FSA   Functional safety assessment
FSM   Functional safety management
LVL   Limited Variability Language
PE    Programmable electronic
SIF   Safety instrumented function
SIL   Safety integrity level
SIS   Safety instrumented system
SRS   Safety requirements specification
TOE   Target of evaluation
V&V   Verification & validation
821997258.docx - Page 1 of 11 © The CASS Scheme Association 2024

VERSION HISTORY
Version Date Description of change
V1 19/06/2024 First issue


ASSESSMENT TABLE
The assessment table has the columns TOE Ref., Target of Evaluation (TOE), Purpose of TOE, IEC 61511 references, Supporting documents and Assessor’s comments. Each row is reproduced below. The Supporting documents column is blank in the template, and Assessor’s comments are shown only where the template pre-fills them.

TOE 1 – Functional safety management (overall)
Purpose of TOE: To ensure the overall FSM approach is in conformance with the IEC 61511 series of standards as relevant for the software. For all SILs, ensure there is general evidence for conformance with the FSM aspects of IEC 61511-1 in relation to the software.
IEC 61511 references: 5.2.1, 5.2.2.1, 5.2.2.2.
Assessor’s comments: Delete before use: This TOE is intended to provide a general status on conformance for the FSM aspects related to software.

TOE 2 – AP competence
Purpose of TOE: To ensure that competence management has been applied for the software lifecycle and software development. For all SILs, ensure there is general evidence of competence management covering the software lifecycle and software development. This includes competence specific to the AP platform / software and those performing AP reviews.
IEC 61511 references: 5.2.2.3.
Assessor’s comments: Delete before use: This TOE is intended to consider only the software aspects of competence.

TOE 3 – AP safety planning
Purpose of TOE: To ensure the overall safety planning approach has considered the relevant software aspects. For all SILs, ensure there is general evidence of safety planning for the software lifecycle and development.
IEC 61511 references: 5.2.4.
Assessor’s comments: Delete before use: This TOE is intended to consider only the planning related to the software.

TOE 4 – AP configuration management
Purpose of TOE: To ensure the software and associated tools are under configuration management and revision control. For all SILs, ensure there is evidence of software and tool configuration management and software revision control. This evidence includes aspects for the backup and restoration of software and parameters.
NOTE: This includes software or configurations for sensors and final elements.
IEC 61511 references: 5.2.7.1, 5.2.7.2, 12.2.8.

TOE 5 – AP modification procedures
Purpose of TOE: To ensure that the AP is subject to written modification procedures for controlling and authorizing changes. For all SILs, ensure there are written modification procedures, a method for identifying / requesting changes, evidence for impact analysis and relevant authorisation before changes.
IEC 61511 references: 12.2.8, 17.2.1, 17.2.3, 17.2.8.

TOE 6 – AP backup and restoration procedures
Purpose of TOE: To ensure that the AP is subject to written backup and restoration procedures. For all SILs, ensure there are written backup / restoration procedures for the specific AP and system.
IEC 61511 references: 12.2.8.

TOE 7 – AP safety lifecycle
Purpose of TOE: To ensure the AP development fits with the overall safety lifecycle and that a specific AP safety lifecycle is defined and used. For all SILs, ensure the AP safety lifecycle has each phase defined in terms of its elementary activities, objectives, required input information, output results and verification requirements. A simple V-model like that defined in IEC 62061:2021 is useful.
IEC 61511 references: 6.2.1, 6.3.1.

TOE 8 – AP verification planning
Purpose of TOE: To ensure that the verification of the AP is planned. For all SILs, ensure that the verification of the AP (using reviews, analysis, simulation and tests) was planned with written procedures / specifications.
IEC 61511 references: 7.2.1, 12.5.1.

TOE 9 – AP safety requirements
Purpose of TOE: To ensure the safety requirements are sufficient to design the SIS application program and consider the traceability required from the AP. For all SILs, ensure the application program requirements are derived from the SIS SRS and include:
- individual SIF requirements (including voting),
- any additional known requirements (e.g., due to architecture, safety manual limitations / constraints, due to hardware, due to embedded software, due to security),
- any requirements rooted in safety planning.
IEC 61511 references: 10.3.3, 10.3.4, 10.3.5, 10.3.6, 11.5.

TOE 10 – AP and diagnostics
Purpose of TOE: To ensure that the AP, possibly supported by its platform / subsystem, provides sufficient diagnostics for the SIS and SIL via monitoring of internal functions (e.g., watchdogs, data validation) or external devices (e.g., sensors and final elements). For all SILs, ensure that, if relevant, the built-in monitoring and diagnostics of the AP platform / subsystem are supplemented by designed monitoring and diagnostics to support the achievement of the SIL.
NOTE: The AP safety requirements and AP design combined should define the overall monitoring and diagnostics strategy.
IEC 61511 references: 10.3.5, 12.3.4.

TOE 11 – AP subsystem selection
Purpose of TOE: To ensure the general approach for application program development is appropriate and planned. For all SILs, ensure that the COTS subsystem / platform for the application program is suitable for the application and conforms with IEC 61508 and / or IEC 61511, as relevant.
NOTE: The COTS subsystem / platform should come with a defined “coding standard” (limitations). If not, a coding standard (rules) will need to be defined.
IEC 61511 references: 12.1, 12.2.1 – 12.2.7.

TOE 12 – AP tool assessment
Purpose of TOE: To ensure any tool(s) used for the software lifecycle or software development is suitable for its assigned task and does not have a negative impact on the SIS. Alternatively, to ensure the tool(s) output was confirmed by verification procedures. For all SILs, ensure there is a relevant positive tool(s) assessment or specific tool(s) output verification.
IEC 61511 references: 5.2.6.1.6.

TOE 13 – AP combining SIFs
Purpose of TOE: To ensure that when a single AP covers various SILs (including non-SIL) the approach is suitable for all SILs (it cannot negatively impact any SIF). For all SILs, ensure that the AP meets the highest overall SIL, has sufficient independence between SIFs, and any SIF cannot negatively impact another SIF.
IEC 61511 references: 11.2.2, 11.2.3.

TOE 14 – AP security and access control
Purpose of TOE: To ensure that the overall SIS security risk assessment has been used to influence the AP. For all SILs, ensure that the AP design and coding has considered the relevant security risk and access control requirements.
IEC 61511 references: 8.2.4, 11.7.3.2, 11.7.3.4, 12.4.2.

TOE 15 – AP safety validation planning
Purpose of TOE: To ensure that the AP is part of the overall validation planning including specific AP aspects. For all SILs, ensure that the AP validation plan covers all the functions, the technical strategy, the procedures to be used, the validation environment and the pass / fail criteria.
IEC 61511 references: 15.2.1, 15.2.2, 15.2.5, 15.2.6.

TOE 16 – AP design
Purpose of TOE: To ensure application program design addresses all SIS logic including all process operating modes for each SIF including decomposition into modules if applicable. For all SILs, ensure that a documented application program design, derived from and traceable to the SRS and application program safety requirements, covers all logic, each SIF and each operating mode. To also ensure that the application program design demonstrates:
- completeness with respect to the SRS,
- correctness with respect to the SRS,
- freedom from ambiguity, and
- freedom from design faults.
IEC 61511 references: 12.3.

TOE 17 – AP communications
Purpose of TOE: To ensure that the communications approach for the AP subsystem / platform is suitable for the application and SIL(s). For all SILs, ensure the communication / interface requirements are defined, the communication uses relevant safety techniques, and relevant failure modes have been considered.
NOTE: If the communications PFH / PFD is excluded from the SIF PFH / PFD calculation, check that this is sufficiently insignificant to do so.
NOTE: This TOE may need to consider security aspects for the communication link.
IEC 61511 references: 10.3.5, 11.2.14, 11.7.4, 12.4.2.

TOE 18 – AP implementation
Purpose of TOE: To ensure that the application program development supports the required safety integrity and is derived from the AP safety requirement specification. For all SILs, ensure that the application program development methodology complies with the development tools and restrictions of the SIS PE subsystem, is produced in a structured manner (e.g., modularity), justifies the use of previously developed libraries, and details clear ownership / identification. To also ensure AP implementation is traceable to the AP safety requirements.
IEC 61511 references: 12.4, 12.3.4.

TOE 19 – AP methodology and tools
Purpose of TOE: To ensure that the AP development complies with the constraints of the supplier’s safety manual and that a methodology has been defined to reduce / prevent systematic errors. For all SILs, ensure that there is evidence for compliance with the AP platform’s safety manual. Also ensure that there is evidence of defined techniques and measures focussed on systematic failures.
IEC 61511 references: 12.6.

TOE 20 – AP verification and testing
Purpose of TOE: To ensure that the application program is appropriately verified. For all SILs, ensure that the application program and any decomposition into modules is verified by a combination of analysis, simulation and testing (using written procedures and test specifications). The verification must also ensure that the coding standard has been followed and complied with. To also ensure that the scope of the testing is appropriate for the application.
IEC 61511 references: 12.5.3, 12.5.4, 7.2.2.

TOE 21 – AP review
Purpose of TOE: To ensure that the application program is reviewed by a competent person not involved in the development. For all SILs, ensure that application program review(s) were structured, undertaken and documented. To also ensure that any review(s) were undertaken by a competent person.
IEC 61511 references: 12.5.2.

TOE 22 – AP subsystem compliance
Purpose of TOE: To ensure that the AP platform is configured and used as per the manufacturer’s requirements and recommendations (e.g., as per any certificate and its safety manual). For all SILs, ensure that the AP program review specifically considers the requirements and recommendations from the AP platform’s safety manual.
IEC 61511 references: 12.4.1.

TOE 23 – SIS integration test
Purpose of TOE: To ensure the AP has been successfully integrated onto the target platform / subsystem including interaction with a sample set of field devices and / or a simulator. For all SILs, ensure the AP integration is performed, based on the initial integration test requirements, with documented test results.
IEC 61511 references: 13.

TOE 24 – AP modification V&V
Purpose of TOE: To ensure that any modifications have been correctly requested, authorised, planned, and delivered including relevant verification or validation. For all SILs, ensure the modification procedures (incl. impact analysis) have been followed regardless of the lifecycle phase, e.g., modification during testing, modification during operation.
IEC 61511 references: 12.5.5, 16.3.1.6, 17.2.4, 17.2.6, 17.2.8.

TOE 25 – AP validation considerations
Purpose of TOE: To ensure that the AP is a key part of the overall SIS validation and that AP competent persons take part in the SIS validation. For all SILs, ensure that the AP portion of the validation is carried out as planned and carried out by at least one AP competent person.
IEC 61511 references: 15.2.2.

TOE 26 – AP FS audit
Purpose of TOE: To ensure that software lifecycle and software development activities are subject to FS audit(s). For all SILs, ensure that relevant aspects of the software lifecycle and software development have been audited in relation to functional safety.
IEC 61511 references: 5.6.2.1, 5.6.2.2, 5.6.2.3.

TOE 27 – AP documentation
Purpose of TOE: To ensure that all AP documents are available and that they have been validated for accuracy, consistency, and traceability of the SIF. For all SILs, ensure that all the relevant documents are available and have been validated for accuracy, consistency and traceability of the SIF (from the overall design through the AP), including:
- AP safety requirements specification.
- AP platform / subsystem safety manual.
- AP verification and validation plans.
- AP design information (system and AP).
- AP coding standard / programming procedures.
- AP libraries / pre-used functions list.
- AP verification / review records.
- AP test procedures.
- AP test specifications.
- AP testing results.
- AP modification information and results.
IEC 61511 references: 12.5.6, 15.2.2, 17.2.5, 17.2.7.
