
Page 1: Functional Safety and Functional Security - Australia r4. Author: Stephen Burke. Created Date: 12/1/2013 1:31:56 PM

Copyright exida Asia Pacific © 2013

Functional Safety and Functional Security
Australia, 3rd - 5th December 2013

Presenter: Steve Burke, CFSE, exida Asia Pacific, +65 9233 1597

exida Contacts: Singapore +65 6222 5160; Shanghai +86 21 5171 7250; Hong Kong +852 2633 7727; Vietnam +84 987 95 4497; Germany +49 89 4900 0547; USA +1 215 453 1720; Canada +1 403 475 1943; United Kingdom +44 2476 456 195; Netherlands +31 318 414 505; Australia / NZL +64 3 472 7707; Mexico +52 55 5611 9858; South Africa +27 31 267 1564

Page 2

Copyright exida Asia Pacific © 2013 [email protected]

What is…?

Today’s Objective

Introduce the Concept and Basic Principles of IEC 61511 for Process Safety

Introduce the Concept and Basic Principles of IEC 62443 for CyberSecurity

Page 3

exida History

Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services

“Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management”

Rainer Faller: Former Head of TÜV Product Services; Chairman German IEC 61508; Global Intervener ISO 26262 / IEC 61508; Author of several Safety Books; Author of IEC 61508 parts

Dr. William Goble: Former Director Moore Products Co.; Developed FMEDA Technique (PhD); Author of several Safety Books; Author of several Reliability Books

Page 4

What we do

Expertise Scope: Tools; Training; Consultancy; Certification

Industries: Process; Energy; Machine; Automotive

Customers: End Users; Manufacturer; Engineering; Integrators

Functional Safety; Alarm Management; Cyber Security; Reliability

Page 5

exida Tools – Process Industry

Page 6

exida Industry Contributions

Global Functional Safety Certification Consultant
3rd Party Accredited Certification Body
Developer FMEDA Technique
Mechanical Failure Database
Electrical & Electronic Failure Database
Instrument & Equipment Failure Database
Development Field Failure Database Methodology
Global Active Participation in IEC – ISO Workgroups
Functional Safety Engineering Tools

Page 7

exida Library

exida publishes analysis techniques for functional safety
exida authors ISA best sellers for automation safety and reliability
exida authors industry data handbook on equipment failure data

www.exida.com

Page 8

exida Customers (extract from 2000+)

Page 9

Why do we need a Process Safety Standard?

Page 10

What do accidents teach us?

Buncefield 2005; Bhopal 1984; BP Texas 2005; Seveso 1976

Page 11

Primary Cause of Failures?

Chart categories (Source: Health, Safety & Environmental Agency): Specification; Changes after Commission; Operation and Maintenance; Design and Implementation; Installation and Commission

More than 80% of Failures Before Startup

The majority of accidents are… Preventable if a systematic Risk-Based Approach is adopted…

Page 12

Which Standard?

Page 13

Which Standard?

IEC 61508: Functional Safety for E/E/PES Safety Related Systems

Page 14

Which Standard?

Device Manufacturers - Sector Specific Not Available: IEC 61508, Functional Safety for E/E/PES Safety Related Systems

Page 15

Which Standard?

Device Manufacturers - Sector Specific Not Available: IEC 61508, Functional Safety for E/E/PES Safety Related Systems

Sector-specific standards: IEC 61513 (Nuclear); IEC 61511 (Process Industry); ISO 26262 (Road Vehicles); IEC 62061 (Machinery)

Page 16

Which Standard?

Device Manufacturers - Sector Specific Not Available: IEC 61508, Functional Safety for E/E/PES Safety Related Systems

End Users - Systems Integrators (sector-specific standards): IEC 61513 (Nuclear); IEC 61511 (Process Industry); ISO 26262 (Road Vehicles); IEC 62061 (Machinery)


Page 18

Relationship IEC 61508 – IEC 61511

Process Sector Safety Instrumented System Standards

Manufacturers and Suppliers of Devices: IEC 61508

Page 19

Relationship IEC 61508 – IEC 61511

Process Sector Safety Instrumented System Standards

Manufacturers and Suppliers of Devices: IEC 61508

Safety Instrumented System designers, Integrators and users: IEC 61511

Page 20

Safety Instrumented System

An SIS is defined as a system composed of sensors, logic solvers and final elements designed for the purpose of:

1. Automatically taking an industrial process to a safe state when specified conditions are violated;

2. Permitting a process to move forward in a safe manner when specified conditions allow (permissive functions);

3. Taking action to mitigate the consequences of an industrial hazard.

Diagram: the Equipment Under Control (EUC) is connected to both the Basic Process Control System (BPCS) and the SIS; each system is drawn as Power Supply, Input Module, CPU and Output Module.

Page 21

Safety Instrumented Function

A SIF is a specific, single set of actions and the corresponding equipment needed to identify a single hazard and act to bring the system to a safe state.

Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes.

Diagram: one SIF drawn as its sensors, logic solver and final elements.

Page 22

Safety Instrumented System

An SIS includes several Safety Instrumented Functions (SIF)

Diagram: SIF 1 to SIF 5 sharing one logic solver, with sensors and final elements numbered 1 to 8.

Page 23

Safety Instrumented Function (SIF) Implementation

The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and dedicated circuit utilities like electrical power or instrument air.

Diagram: Sensors (Sensing Element and Signal Conditioning, repeated), Logic Solver, Final Elements (Signal Conditioning and Final Control Element, repeated), Interconnections, and Circuit Utilities (i.e. Electrical Power, Instrument Air etc.).

Page 24

IEC 61511 – Protection Against:

Random Failures? Systematic Failures?

Page 25

Random and Systematic Failures

Random Failures: A failure occurring at a random time, which results from one or more degradation mechanisms. Usually a permanent failure due to a system component loss of functionality – typically hardware related.

Systematic Failures: A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors. Usually due to a design fault – wrong component, error in software program, etc.

Page 26

IEC 61508 – Protect Against:

Random Failures – HOW?

Systematic Failures – HOW?

Page 27

IEC 61508 – Protect Against:

Random Failures – Probabilistic Performance Based Design

Systematic Failures – HOW?

Page 28

PROBABILISTIC BASED DESIGN

Page 29

Safety Integrity Level

SIL 4, SIL 3, SIL 2, SIL 1

Used THREE ways:

1. To establish risk reduction requirements

2. To set probabilistic limits for hardware random failure

3. To establish engineering procedures to prevent systematic design errors

Page 30

Safety Integrity Level – 1st Usage

Safety Integrity Level / Risk Reduction Factor:
SIL 4: 100000 to 10000
SIL 3: 10000 to 1000
SIL 2: 1000 to 100
SIL 1: 100 to 10

1. Each safety instrumented function has a requirement to reduce risk. The order of magnitude level of risk reduction required is called a SIL level.

Page 31

Safety Integrity Levels – 2nd Usage

Safety Integrity Level / Probability of failure on demand (Demand mode of operation):
SIL 4: >= 10^-5 to < 10^-4
SIL 3: >= 10^-4 to < 10^-3
SIL 2: >= 10^-3 to < 10^-2
SIL 1: >= 10^-2 to < 10^-1

Random Failure Probability

2. A Safety Function meets a SIL level if a calculated probability falls within the associated band on one of two different charts. This view looks at RANDOM FAILURES.

Page 32

Safety Integrity Level – 3rd Usage

SIL 4, SIL 3, SIL 2, SIL 1

3. To establish engineering procedures to prevent systematic design errors

The equipment used to implement any safety instrumented function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of SIL level.

Page 33

SIS, SIF and SIL

One SIS may have multiple SIFs each with a different SIL. Therefore it is incorrect and ambiguous to define a SIL for an entire safety instrumented system.

Diagram: one Safety Instrumented System containing three Safety Instrumented Functions, each with its own Safety Integrity Level.

Page 34

Spurious Trip

A spurious trip is a shutdown (taking the process to a safe state) that occurs when it is not needed (no demand).

• STR – Spurious Trip Rate = 1/MTTFS

• MTTFS – Mean Time To Failure Spurious (SAFE failure)

• MTTFD – Mean Time To Dangerous Failure

Two areas of Concern:

• Shutdown and Startup can be most dangerous times

• Operations likes to run


Page 36

IEC 61508 – Protect Against:

Random Failures – Probabilistic Performance Based Design

Systematic Failures – Detailed Engineering Process

Page 37

The IEC 61511 Safety Lifecycle

Page 38

The IEC 61511 Safety Lifecycle

Management and Planning

Page 39

Personnel Competency

Training, experience, and qualifications should all be addressed and documented:

– System engineering knowledge
– Safety engineering knowledge
– Legal and regulatory requirements knowledge
– More critical for novel systems or high SIL requirements

“Persons, departments, or organizations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable.”

-IEC 61511, Part 1, Paragraph 5.2.2.2

Page 40

Personnel Certification

Certified Functional Safety Expert (CFSE)

• Operated by the CFSE Governing Board – to improve the skills and formally establish the competency of those engaged in the practice of safety system application in the process and manufacturing industries.

• Certification audited by exida Certification

Certificate: • Attend Class • Exam (some) • Receive Certificate

Certification: • Experience/Education • References • Exam

Page 41

The IEC 61511 Safety Lifecycle

Management and Planning; Analysis Phase; Realization Phase; Operate and Maintain

Page 42

Safety Lifecycle Tasks

Analysis (How much safety do I need?): Conceptual Process Design; Identifying Potential Risks; Consequence Analysis; Layer Of Protection Analysis; Develop Non-SIS Layers; Determine Target SIL for SIF; Document Requirements

Realization (How much safety do I have with my design?): Select SIS Technology; Select SIS Architecture; Determine Test Frequency; SIS Detailed Design; SIS Installation; SIS Commissioning; SIS Initial Validation

Operation (How will I keep it safe?): Startup; Operation; Maintenance; Periodic Proof Tests; Modifications (Modify? Y/N); Decommissioning

Page 43

SIF Design

The SIL achieved is the minimum of:
1. SIL_PFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SIL_AC: Hardware Fault Tolerance
3. SIL_CAP: Capability to prevent Systematic Failures

Page 44

Probability of Failure on Demand

The SIL achieved is the minimum of:
1. SIL_PFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SIL_AC: Hardware Fault Tolerance
3. SIL_CAP: Capability to prevent Systematic Failures

PFD of the SIF = PFDsensor + PFDmux + PFDinput + PFDmp + PFDoutput + PFDrelay + PFDfe + PFDprocess-connection


Page 46

What is…?

Hardware Fault Tolerance: The quantity of failures that can be tolerated while maintaining the safety function

Architecture / Hardware Fault Tolerance:
1oo1: 0
1oo1D: 0
1oo2: 1
2oo2: 0
2oo3: 1
2oo2D: 0
1oo2D: 1
1oo3: 2


Page 48

What is…?

Safe Failure Fraction: A measurement of the likelihood of getting a dangerous failure that is NOT detected by automatic self diagnostics.

NOTE: Definitions refer to single channel architectures.

Page 49

IEC 61508 Safe Failure Fraction

SFF = (SD + SU + DD) / (SD + SU + DD + DU) = 1 - DU / Total

(SD, SU, DD, DU: safe detected, safe undetected, dangerous detected and dangerous undetected failure rates.)
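As an added worked example (not code from the exida deck), the following Python module applies the SIL checks of Pages 31, 43, 44, 46 and 49 to a constructed SIF: it sums subsystem PFDs, computes SFF, looks up HFT and takes the minimum of SIL_PFD, SIL_AC and SIL_CAP. The Type A / Type B route 1H tables are assumed from IEC 61508-2 (Tables 2 and 3), which the slides cite only by name, and every failure rate and PFD figure is a constructed sample value.

```python
"""SIL verification for one safety instrumented function (SIF).

Added worked example, not code from the exida deck. It strings together the
checks the slides describe: the PFDavg bands (Page 31), the sum of component
PFDs (Page 44), the hardware fault tolerance table (Page 46), the SFF formula
(Page 49) and "SIL achieved = minimum of SIL_PFD, SIL_AC, SIL_CAP" (Page 43).
The Type A / Type B route 1H tables are assumed from IEC 61508-2 (Tables 2
and 3), which the deck references but does not reproduce. All failure rates
and PFD figures are constructed sample values, not data for any real device.
"""
from dataclasses import dataclass

# PFDavg bands, demand mode (Page 31): SIL -> (lower bound incl., upper bound excl.)
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Hardware fault tolerance by voting architecture (Page 46)
HFT_BY_ARCHITECTURE = {"1oo1": 0, "1oo1D": 0, "1oo2": 1, "2oo2": 0,
                       "2oo3": 1, "2oo2D": 0, "1oo2D": 1, "1oo3": 2}

# IEC 61508-2 route 1H architectural constraints (assumed, see docstring).
# Rows: SFF band (<60 %, 60-90 %, 90-99 %, >=99 %); columns: HFT 0, 1, 2.
# 0 means the combination is not allowed for any SIL.
ROUTE_1H_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
ROUTE_1H_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


@dataclass(frozen=True)
class Subsystem:
    """One SIF subsystem: sensor, logic solver or final element."""
    name: str
    architecture: str   # voting architecture, a key of HFT_BY_ARCHITECTURE
    type_b: bool        # True for complex (Type B) devices such as microprocessor based ones
    sd: float           # safe detected failure rate (any consistent unit, e.g. FIT)
    su: float           # safe undetected failure rate
    dd: float           # dangerous detected failure rate
    du: float           # dangerous undetected failure rate
    pfd_avg: float      # this subsystem's PFDavg contribution to the Page 44 sum


def safe_failure_fraction(sd, su, dd, du):
    """SFF = (SD + SU + DD) / (SD + SU + DD + DU) = 1 - DU / Total (Page 49)."""
    total = sd + su + dd + du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return 1.0 - du / total


def sil_from_pfd(pfd_avg):
    """SIL_PFD: the Page 31 band containing pfd_avg; 0 when >= 0.1 (no SIL claim)."""
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    if pfd_avg < 1e-5:
        return 4   # assumption: below the SIL 4 band there is no higher level to claim
    for sil, (low, high) in PFD_BANDS.items():
        if low <= pfd_avg < high:
            return sil
    return 0


def sil_from_architecture(sff, hft, type_b):
    """SIL_AC from SFF and HFT via the route 1H table; 0 if the combination is not allowed."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF is a fraction between 0 and 1")
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    table = ROUTE_1H_TYPE_B if type_b else ROUTE_1H_TYPE_A
    return table[band][min(hft, 2)]


def assess_sif(subsystems, sil_cap):
    """SIL_PFD, SIL_AC, SIL_CAP and the SIL achieved as their minimum (Page 43)."""
    pfd_total = sum(s.pfd_avg for s in subsystems)   # Page 44: subsystem PFDs add up
    sil_pfd = sil_from_pfd(pfd_total)
    per_subsystem = {}
    for s in subsystems:
        sff = safe_failure_fraction(s.sd, s.su, s.dd, s.du)
        hft = HFT_BY_ARCHITECTURE[s.architecture]
        per_subsystem[s.name] = sil_from_architecture(sff, hft, s.type_b)
    sil_ac = min(per_subsystem.values())   # the weakest subsystem limits the SIF
    return {"pfd_total": pfd_total, "sil_pfd": sil_pfd, "sil_ac": sil_ac,
            "sil_ac_by_subsystem": per_subsystem, "sil_cap": sil_cap,
            "sil": min(sil_pfd, sil_ac, sil_cap)}


# Constructed sample SIF: a 1oo2 transmitter pair, a 1oo2D logic solver, a single valve.
SAMPLE_SIF = [
    Subsystem("pressure transmitters", "1oo2", True, sd=200, su=100, dd=300, du=50, pfd_avg=4e-4),
    Subsystem("logic solver", "1oo2D", True, sd=500, su=50, dd=1400, du=5, pfd_avg=1e-5),
    Subsystem("shutdown valve", "1oo1", False, sd=400, su=600, dd=0, du=500, pfd_avg=8e-4),
]


def worked_example():
    """Assess SAMPLE_SIF with a systematic capability (SIL_CAP) of 3 claimed for all equipment."""
    return assess_sif(SAMPLE_SIF, sil_cap=3)


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

In the sample the single valve (HFT 0, SFF about 67 %) caps SIL_AC at 2 and the summed PFDavg of 1.21e-3 also lands in the SIL 2 band, so the SIF achieves SIL 2 even though the logic solver alone would support SIL 4.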

Page 50

Example FMEDA 3051S

Page 51

Example 3051S

Hardware Fault Tolerance: The quantity of failures that can be tolerated while maintaining the safety function (architecture / HFT table as on Page 46).


Page 53

Equipment Capability

• PFD: Probability of Failure on Demand
• Architectural Constraints
• Equipment Capability

In order to combat Systematic Failures, IEC 61511 requires equipment used in safety systems to meet one of two requirements:

• IEC 61508 certification – certified under IEC 61508 to the appropriate SIL level
• Prior Use – justification based on “Proven in Use” criteria

Page 54

Prior Use

“Prior use” generally means:

• Documented, successful experience (no dangerous failures)

• A particular version of a particular instrument

• Similar conditions of use

Functionality/Application Environment

• We do not have the failure data!
• I do not want to take responsibility for equipment justification!
• We do not take the time to record all instrument failures!
• This is a new instrument!
• I cannot justify PRIOR USE!

Page 55

Product Certification

Functional safety certification for devices is accomplished per IEC 61508. Products are certified to a Safety Integrity Level (SIL). The result is typically a certificate and a certification report.

SIL Certification: Vendor showed sufficient protection against Random and Systematic Failures

Page 56

Pressure for Certification

End User Demand
• Offers easier specification
• More consistency through project teams
• Allows use of new technology
• Quickly becomes “Best Practice”

Vendor Demand
• In mature markets, may be cost of entry (i.e. Logic Solvers)
• Establishes credibility in Safety Market
• Allows introduction of Technology with Credibility
• In new markets, may provide significant differentiation, limit competition and create higher margins

Process Industry
• Mature market in Logic Solvers and Traditional Sensors
• New Market in New Technologies, Sensors and Final Elements

Page 57

Market Support

The exida web site also has a list of process industry instrumentation equipment with IEC 61508 certification. With several thousand unique visitors per month, this list has become the most popular global “purchase qualification list” for many buyers.

Page 58

exida Functional Integrity Certification™

Functional Integrity Certification™: Functional Safety Certification™ + Functional Security Certification™

“Integrity is doing the right thing, even if nobody is watching.” (Anonymous)

Page 59

REGULATIONS, STANDARDS AND BEST PRACTICES

Industrial Control Systems Cybersecurity

Page 60

Current Events

Shamoon virus takes out 30,000 computers at Saudi Aramco
US Defense Secretary issues strong warning of cyber attacks on US critical infrastructure
DHS issues alerts about coordinated attacks on gas pipeline operators

Page 61

Control System Cyber Security

Control systems operate industrial plant equipment and critical processes. Tampering with these systems can lead to:
– Death, Injury, Sickness
– Environmental releases
– Equipment Damage
– Production loss / service interruption
– Off-spec / Dangerous product
– Loss of Trade Secrets

Control system security is about preventing intentional or unintentional interference with the proper operation of plant.

Page 62

Control Systems are more vulnerable today than ever before

Now use commercial technology
Highly connected
Offer remote access
Technical information is publicly available
Hackers are now targeting control systems

Page 63

Actual Incident Data

Chart of incident sources (© 2011 Security Incidents Organization): Malware (virus, worm, trojan); IT Dept, Technician; Network device, software; Disgruntled employee; Hacker

Page 64

Regulations

Department of Homeland Security
– 6 CFR part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
– National Cyber Security Division Control Systems Security Program (CSSP)

Department of Energy
– Federal Energy Regulatory Commission (FERC) 18 CFR Part 40, Order 706 (mandates NERC CIPs 002-009)

Nuclear Regulatory Commission
– 10 CFR 73.54 Cyber Security Rule (2009)
– RG 5.71

Page 65

Standards

International Society for Automation (ISA)
– ISA 62443 Industrial Automation and Control System (IACS) Security (was ISA 99)

International Electrotechnical Commission (IEC)
– IEC 62443 series of standards (equivalent to ISA 99)

National Institute for Standards and Technology (NIST)
– SP800-82 Guide to Industrial Control Systems (ICS) Security

Page 66

ISA / IEC 62443 Structure

Page 67

The ICS Cybersecurity Lifecycle

Page 68

Key Principles for Securing ICS

Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network
Step 5 – Control Access to the System
Step 6 – Harden the Components of the System
Step 7 – Monitor & Maintain System Security

Page 69

Questions and Discussion