functional safety and functional security - australia r4 safety and... · author: stephen burke...
Copyright exida Asia Pacific © 2013
exida Contacts
Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Vietnam +84 987 95 4497
Germany +49 89 4900 0547
USA +1 215 453 1720
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564
Functional Safety and Functional Security
Australia, 3rd - 5th December 2013
Presenter: Steve Burke, CFSE, exida Asia Pacific
+65 9233 1597
Copyright exida Asia Pacific © 2013 [email protected]
What is…?
Today’s Objective
Introduce the Concept and Basic Principles of IEC 61511 for Process Safety
Introduce the Concept and Basic Principles of IEC 62443 for CyberSecurity
exida History
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services
"Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management"
Rainer Faller: Former Head of TÜV Product Services; Chairman, German IEC 61508; Global Intervener ISO 26262 / IEC 61508; author of several safety books; author of IEC 61508 parts
Dr. William Goble: Former Director, Moore Products Co.; developed the FMEDA technique (PhD); author of several safety books and several reliability books
What we do
Expertise: Functional Safety, Alarm Management, Cyber Security, Reliability
Scope: Tools, Training, Consultancy, Certification
Industries: Process, Energy, Machine, Automotive
Customers: End Users, Manufacturer, Engineering, Integrators
exida Tools – Process Industry
exida Industry Contributions
Global Functional Safety Certification Consultant
3rd Party Accredited Certification Body
Developer of the FMEDA Technique
Mechanical Failure Database
Electrical & Electronic Failure Database
Instrument & Equipment Failure Database
Development of the Field Failure Database Methodology
Global Active Participation in IEC – ISO Workgroups
Functional Safety Engineering Tools
exida Library
exida publishes analysis techniques for functional safety
exida authors ISA best sellers for automation safety and reliability
exida authors the industry data handbook on equipment failure data
www.exida.com
exida Customers (extract from 2000+)
Why do we need a Process Safety Standard?
What do accidents teach us?
Seveso 1976
Bhopal 1984
Buncefield 2005
BP Texas City 2005
Primary Cause of Failures?
[Chart: distribution of primary causes of safety-system failures by lifecycle phase: Specification; Design and Implementation; Installation and Commissioning; Operation and Maintenance; Changes after Commissioning. Source: Health, Safety & Environmental Agency]
The majority of accidents are preventable if a systematic Risk-Based Approach is adopted.
More than 80% of failures originate before startup.
Which Standard?
IEC 61508 – Functional Safety for E/E/PES Safety Related Systems: the base standard, applied by Device Manufacturers (no sector-specific standard is available to them)
Sector-specific standards, applied by End Users and Systems Integrators:
IEC 61511 – Process Industry
IEC 61513 – Nuclear
ISO 26262 – Road Vehicles
IEC 62061 – Machinery
Relationship IEC 61508 – IEC 61511
Process Sector Safety Instrumented System Standards:
IEC 61508 – Manufacturers and Suppliers of Devices
IEC 61511 – Safety Instrumented System designers, Integrators and users
Safety Instrumented System
An SIS is defined as a system composed of sensors, logic solvers and final elements designed for the purpose of:
1. Automatically taking an industrial process to a safe state when specified conditions are violated;
2. Permitting the process to move forward in a safe manner when specified conditions allow (permissive functions);
3. Taking action to mitigate the consequences of an industrial hazard.
[Diagram: the Equipment Under Control (EUC) served by two separate systems, each built from Power Supply, Input Module, CPU and Output Module: the SIS and the Basic Process Control System (BPCS)]
Safety Instrumented Function
A SIF is a specific, single set of actions and the corresponding equipment needed to identify a single hazard and act to bring the system to a safe state.
This differs from an SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes.
[Diagram: one SIF drawn as a path from its sensors through the logic solver to its final elements]
Safety Instrumented System
An SIS includes several Safety Instrumented Functions (SIF).
[Diagram: one logic solver shared by SIF 1 to SIF 5, each with its own sensors on the input side and its own final elements on the output side]
Safety Instrumented Function (SIF) Implementation
The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and dedicated circuit utilities like electrical power or instrument air.
[Diagram: Sensors (sensing element plus signal conditioning, several in parallel), Interconnections, Logic Solver, Final Elements (signal conditioning plus final control element), and Circuit Utilities, i.e. electrical power, instrument air etc.]
IEC 61511 – Protection Against:
Random Failures
Systematic Failures
What are random failures? What are systematic failures?
Random and Systematic Failures
Random Failures: A failure occurring at a random time, which results from one or more degradation mechanisms. Usually a permanent failure due to a system component's loss of functionality; typically hardware related.
Systematic Failures: A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors. Usually due to a design fault: wrong component, error in the software program, etc.
IEC 61508 – Protect Against:
Random Failures – HOW? Probabilistic Performance Based Design
Systematic Failures – HOW?
PROBABILISTIC BASED DESIGN
Safety Integrity Level
Levels: SIL 4, SIL 3, SIL 2, SIL 1
Used THREE ways:
1. To establish risk reduction requirements
2. To set probabilistic limits for hardware random failure
3. To establish engineering procedures to prevent systematic design errors
Safety Integrity Level – 1st Usage
SIL 4: Risk Reduction Factor 100,000 to 10,000
SIL 3: Risk Reduction Factor 10,000 to 1,000
SIL 2: Risk Reduction Factor 1,000 to 100
SIL 1: Risk Reduction Factor 100 to 10
1. Each safety instrumented function has a requirement to reduce risk. The order of magnitude of risk reduction required is expressed as a SIL.
Safety Integrity Levels – 2nd Usage
Probability of failure on demand (demand mode of operation):
SIL 4: >= 10^-5 to < 10^-4
SIL 3: >= 10^-4 to < 10^-3
SIL 2: >= 10^-3 to < 10^-2
SIL 1: >= 10^-2 to < 10^-1
2. Random Failure Probability: A safety function meets a SIL if its calculated probability falls within the associated band on one of two charts: this one (PFDavg, demand mode) or the PFH chart for continuous / high-demand mode, which is not shown here. This view looks at RANDOM FAILURES.
Safety Integrity Level – 3rd Usage
3. To establish engineering procedures to prevent systematic design errors
The equipment used to implement any safety instrumented function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of the SIL.
SIS, SIF and SIL
One SIS may have multiple SIFs, each with a different SIL. Therefore it is incorrect and ambiguous to define a SIL for an entire safety instrumented system.
[Diagram: one Safety Instrumented System containing several Safety Instrumented Functions, each with its own Safety Integrity Level]
Spurious Trip
A spurious trip is a shutdown (taking the process to a safe state) that occurs when it is not needed (no demand).
• STR – Spurious Trip Rate = 1 / MTTFS
• MTTFS – Mean Time To Failure Spurious (SAFE failure)
• MTTFD – Mean Time To Dangerous Failure
Two areas of concern:
• Shutdown and startup can be the most dangerous times
• Operations likes to run
IEC 61508 – Protect Against:
Random Failures – HOW? Probabilistic Performance Based Design
Systematic Failures – HOW? Detailed Engineering Process
The IEC 61511 Safety Lifecycle
Management and Planning
Personnel Competency
Training, experience, and qualifications should all be addressed and documented
– System engineering knowledge
– Safety engineering knowledge
– Legal and regulatory requirements knowledge
– More critical for novel systems or high SIL requirements
"Persons, departments, or organizations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable."
(IEC 61511, Part 1, Paragraph 5.2.2.2)
Personnel Certification
Certified Functional Safety Expert (CFSE)
• Operated by the CFSE Governing Board
– To improve the skills and formally establish the competency of those engaged in the practice of safety system application in the process and manufacturing industries.
• Certification audited by exida Certification
Certificate: attend class, exam (some), receive certificate
Certification: experience/education, references, exam
The IEC 61511 Safety Lifecycle
Management and Planning
Analysis Phase
Realization Phase
Operate and Maintain
Safety Lifecycle Tasks
Analysis (How much safety do I need?):
Conceptual Process Design
Identifying Potential Risks
Consequence Analysis
Layer Of Protection Analysis
Develop Non-SIS Layers
Determine Target SIL for SIF
Document Requirements
Realization (How much safety do I have with my design?):
Select SIS Technology
Select SIS Architecture
Determine Test Frequency
SIS Detailed Design
SIS Installation
SIS Commissioning
SIS Initial Validation
Operation (How will I keep it safe?):
Startup
Operation
Maintenance
Periodic Proof Tests
Modifications
Decommissioning
Two "Modify?" decision points (Y/N) loop a modification back into the Analysis and Realization phases; otherwise the function stays in Operation.
SIF Design
The SIL achieved is the minimum of:
1. SIL PFD: Probability of Failure on Demand, average / per hour (PFDavg / PFH)
2. SIL AC: Architectural Constraints (Hardware Fault Tolerance)
3. SIL CAP: Capability to prevent Systematic Failures
Probability of Failure on Demand
For SIL PFD the probability for the whole function is the sum of the PFDs of the elements in series:
PFDavg = PFDsensor + PFDmux + PFDinput + PFDmp + PFDoutput + PFDrelay + PFDfe + PFDprocess-connection
What is…?
Hardware Fault Tolerance: The quantity of failures that can be tolerated while maintaining the safety function
Architecture: Hardware Fault Tolerance
1oo1: 0
1oo1D: 0
1oo2: 1
2oo2: 0
2oo3: 1
2oo2D: 0
1oo2D: 1
1oo3: 2
What is…?
Safe Failure Fraction: The fraction of all failures that are either safe or are dangerous but detected by automatic self-diagnostics; equivalently, a measure of how unlikely a dangerous failure is to go undetected.
NOTE: Definitions refer to single channel architectures.
IEC 61508 Safe Failure Fraction
SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU) = 1 - λDU / λTotal
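The three checks on the SIF Design slide (the series PFD sum, the architectural constraints built from HFT and SFF, and systematic capability) and the spurious-trip figures from the Spurious Trip slide can be carried through numerically for one loop. The Python below is an added worked example, not exida's code or tooling. Its failure rates are constructed sample values, not FMEDA data for any real device, and it relies on two things the slides do not state: the simplified 1oo1 low-demand approximation PFDavg = λDU x TI / 2 from IEC 61508-6, and the IEC 61508-2 Route 1H architectural-constraint tables that turn SFF and HFT into a SIL limit.

```python
from dataclasses import dataclass

FIT = 1e-9          # one FIT = 1e-9 failures per hour
ONE_YEAR_H = 8760.0

# Hardware fault tolerance per voting architecture, as tabulated on the slide.
HFT = {"1oo1": 0, "1oo1D": 0, "1oo2": 1, "2oo2": 0,
       "2oo3": 1, "2oo2D": 0, "1oo2D": 1, "1oo3": 2}

# Demand-mode PFDavg bands from the SIL slide: (lower incl., upper excl., SIL).
PFD_BANDS = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))

# ASSUMPTION (not on the slides): IEC 61508-2 Route 1H architectural
# constraints, indexed [type][sff_band][hft]; 0 means "not allowed".
# SFF bands: <60 %, 60 % to <90 %, 90 % to <99 %, >=99 %.
SIL_AC_TABLE = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),   # simple devices
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),   # complex, software-based
}


def sff_band(sff):
    """Index into SIL_AC_TABLE for a safe failure fraction in [0, 1]."""
    return 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3


def sil_from_pfd(pfd_avg):
    """SIL band for a demand-mode PFDavg; 0 when outside the tabulated bands."""
    for lo, hi, sil in PFD_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0


@dataclass
class Subsystem:
    name: str
    dev_type: str      # "A" or "B" (IEC 61508-2 device type)
    architecture: str  # key into HFT
    sil_cap: int       # systematic capability claimed (certificate or prior use)
    l_sd: float        # safe detected failure rate, per hour
    l_su: float        # safe undetected
    l_dd: float        # dangerous detected
    l_du: float        # dangerous undetected

    def total(self):
        return self.l_sd + self.l_su + self.l_dd + self.l_du

    def sff(self):
        """SFF = (SD + SU + DD) / total = 1 - DU / total, the slide's formula."""
        return 1.0 - self.l_du / self.total()

    def sil_ac(self):
        """SIL permitted by the architectural constraints (SFF and HFT)."""
        hft = min(HFT[self.architecture], 2)
        return SIL_AC_TABLE[self.dev_type][sff_band(self.sff())][hft]

    def pfd_avg(self, ti_hours):
        """ASSUMPTION: simplified 1oo1 low-demand approximation lDU * TI / 2
        (IEC 61508-6). It takes no credit for redundancy and ignores common
        cause, so it over-estimates PFD for the 1oo2D logic solver below."""
        return self.l_du * ti_hours / 2.0

    def spurious_rate(self):
        """ASSUMPTION: every safe failure de-energises the loop, i.e. trips."""
        return self.l_sd + self.l_su


def evaluate_sif(subsystems, ti_hours):
    """Apply the slide's rule: SIL achieved = min(SIL_PFD, SIL_AC, SIL_CAP)."""
    pfd = sum(s.pfd_avg(ti_hours) for s in subsystems)   # series sum, PFD slide
    sil_pfd = sil_from_pfd(pfd)
    sil_ac = min(s.sil_ac() for s in subsystems)
    sil_cap = min(s.sil_cap for s in subsystems)
    str_per_hour = sum(s.spurious_rate() for s in subsystems)   # STR
    return {
        "pfd_avg": pfd,
        "rrf": 1.0 / pfd,
        "sil_pfd": sil_pfd,
        "sil_ac": sil_ac,
        "sil_cap": sil_cap,
        "sil_achieved": min(sil_pfd, sil_ac, sil_cap),
        "mttfs_years": 1.0 / str_per_hour / ONE_YEAR_H,   # MTTFS = 1 / STR
    }


# CONSTRUCTED sample loop: illustrative figures, not vendor FMEDA data.
SAMPLE_SIF = [
    Subsystem("pressure transmitter", "B", "1oo1", 2,
              l_sd=0 * FIT, l_su=200 * FIT, l_dd=300 * FIT, l_du=50 * FIT),
    Subsystem("logic solver", "B", "1oo2D", 3,
              l_sd=500 * FIT, l_su=100 * FIT, l_dd=2000 * FIT, l_du=10 * FIT),
    Subsystem("solenoid + shutdown valve", "A", "1oo1", 2,
              l_sd=0 * FIT, l_su=500 * FIT, l_dd=0 * FIT, l_du=400 * FIT),
]

if __name__ == "__main__":
    for s in SAMPLE_SIF:
        print(f"{s.name:28s} SFF={s.sff():.3f} HFT={HFT[s.architecture]} SIL_AC={s.sil_ac()}")
    for k, v in evaluate_sif(SAMPLE_SIF, ONE_YEAR_H).items():
        print(f"{k:13s} {v:.4g}" if isinstance(v, float) else f"{k:13s} {v}")
```

With a one-year proof-test interval the summed PFDavg is about 2.0 x 10^-3 (SIL 2 band, RRF about 496), but the type A final element with SFF about 56 % and HFT 0 caps SIL AC at 1, so the function achieves SIL 1. The lowest of the three checks governs, which is the point the slide makes; here the cure is a second valve (1oo2, HFT 1) or a better-diagnosed final element, not a shorter test interval.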
Example FMEDA 3051S
[Slide: FMEDA failure-rate table for the 3051S transmitter, used to read off the SD/SU/DD/DU rates, the SFF and the hardware fault tolerance of the chosen architecture; table not reproduced in the transcript]
Equipment Capability
• PFD: Probability of Failure on Demand
• Architectural Constraints
• Equipment Capability
In order to combat Systematic Failures, IEC 61511 requires equipment used in safety systems to meet one of two requirements:
• IEC 61508 certification: certified under IEC 61508 to the appropriate SIL
• Prior Use: justification based on "Proven in Use" criteria
Prior Use
"Prior use" generally means:
• Documented, successful experience (no dangerous failures)
• A particular version of a particular instrument
• Similar conditions of use: functionality / application / environment
Objections quoted on the slide: "We do not have the failure data!" "I do not want to take responsibility for equipment justification!" "We do not take the time to record all instrument failures!" "This is a new instrument!" "I cannot justify PRIOR USE!"
Product Certification
Functional safety certification for devices is accomplished per IEC 61508. Products are certified to a Safety Integrity Level (SIL). The result is typically a certificate and a certification report.
SIL Certification: the vendor has shown sufficient protection against Random and Systematic Failures.
Pressure for Certification
End User Demand
• Offers easier specification
• More consistency through project teams
• Allows use of new technology
• Quickly becomes "Best Practice"
Vendor Demand
• In mature markets, may be cost of entry (i.e. Logic Solvers)
• Establishes credibility in Safety Market
• Allows introduction of Technology with Credibility
• In new markets, may provide significant differentiation, limit competition and create higher margins
Process Industry
• Mature market in Logic Solvers and Traditional Sensors
• New Market in New Technologies, Sensors and Final Elements
Market Support
The exida web site also has a list of process industry instrumentation equipment with IEC 61508 certification. With several thousand unique visitors per month, this list has become the most popular global “purchase qualification list” for many buyers.
exida Functional Integrity Certification™
Functional Integrity Certification™ = Functional Safety Certification™ + Functional Security Certification™
"Integrity is doing the right thing, even if nobody is watching." (Anonymous)
Industrial Control Systems Cybersecurity
Regulations, Standards and Best Practices
Current Events
• Shamoon virus takes out 30,000 computers at Saudi Aramco
• US Defense Secretary issues strong warning of cyber attacks on US critical infrastructure
• DHS issues alerts about coordinated attacks on gas pipeline operators
Control System Cyber Security
Control systems operate industrial plant equipment and critical processes. Tampering with these systems can lead to:
– Death, Injury, Sickness
– Environmental releases
– Equipment Damage
– Production loss / service interruption
– Off-spec / Dangerous product
– Loss of Trade Secrets
Control system security is about preventing intentional or unintentional interference with the proper operation of the plant.
Control Systems are more vulnerable today than ever before
• Now use commercial technology
• Highly connected
• Offer remote access
• Technical information is publicly available
• Hackers are now targeting control systems
Actual Incident Data
[Chart: incident sources recorded by the Security Incidents Organization (© 2011): Malware (virus, worm, trojan); IT Dept, Technician; Network device, software; Disgruntled employee; Hacker]
Regulations
Department of Homeland Security
– 6 CFR Part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
– National Cyber Security Division Control Systems Security Program (CSSP)
Department of Energy
– Federal Energy Regulatory Commission (FERC): 18 CFR Part 40, Order 706 (mandates NERC CIP-002 to CIP-009)
Nuclear Regulatory Commission
– 10 CFR 73.54 Cyber Security Rule (2009)
– RG 5.71
Standards
International Society for Automation (ISA)
– ISA 62443 Industrial Automation and Control System (IACS) Security (was ISA 99)
International Electrotechnical Commission (IEC)
– IEC 62443 series of standards (equivalent to ISA 99)
National Institute of Standards and Technology (NIST)
– SP 800-82 Guide to Industrial Control Systems (ICS) Security
ISA / IEC 62443 Structure
The ICS Cybersecurity Lifecycle
Key Principles for Securing ICS
Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network
Step 5 – Control Access to the System
Step 6 – Harden the Components of the System
Step 7 – Monitor & Maintain System Security
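Steps 4, 5 and 7 are the ones that can be checked mechanically: once the control network is divided into zones and the permitted connections between them (the conduits, in ISA/IEC 62443 terms) are written down, every flow the firewall actually passed can be compared against that list. The Python below is an added example, not part of the slides or of exida's material. The zone addressing, the conduit allow-list, the log format and the log lines themselves are all constructed for the illustration and are not taken from any real site or product.

```python
import ipaddress
import re

# CONSTRUCTED zone model (not from the slides): four zones, Purdue-style.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.10.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),   # BPCS, HMIs
    "safety": ipaddress.ip_network("192.168.20.0/24"),    # SIS logic solvers
}

# CONSTRUCTED conduit allow-list: (source zone, destination zone, dst port).
# Any inter-zone flow not listed here has no conduit and must not be passed.
CONDUITS = {
    ("enterprise", "dmz", 443),   # users reach the historian mirror in the DMZ
    ("dmz", "control", 4840),     # DMZ collector polls OPC UA servers in control
    ("control", "safety", 502),   # BPCS reads SIS status over Modbus/TCP
}

# CONSTRUCTED firewall log format used by the sample lines below.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\w+ dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def zone_of(ip_text):
    """Return the zone name containing ip_text, or None if it is in no zone."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def check_flow(line):
    """Classify one firewall log line.

    Returns None for lines that do not parse, otherwise a dict carrying the
    endpoints, their zones, a 'violation' flag and a human-readable reason.
    A violation is a flow the firewall PASSED that crosses a zone boundary
    without a defined conduit, or that involves an address in no zone at all.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    dport = int(m["dport"])
    result = {"src": m["src"], "dst": m["dst"], "dport": dport,
              "src_zone": src_zone, "dst_zone": dst_zone,
              "violation": False, "reason": "ok"}
    if m["action"].lower() != "allow":
        result["reason"] = "blocked by firewall"      # segmentation did its job
    elif src_zone is None or dst_zone is None:
        result.update(violation=True, reason="endpoint outside every defined zone")
    elif src_zone == dst_zone:
        result["reason"] = "intra-zone"               # no conduit needed inside a zone
    elif (src_zone, dst_zone, dport) not in CONDUITS:
        result.update(violation=True,
                      reason=f"no conduit {src_zone}->{dst_zone} on port {dport}")
    return result


def audit(lines):
    """Return every passed flow that has no matching conduit, in log order."""
    return [r for r in map(check_flow, lines) if r and r["violation"]]


# CONSTRUCTED sample log: addresses, ports and timestamps are made up.
SAMPLE_LOG = [
    "Dec  3 09:12:01 fw1 src=10.0.5.23 dst=172.16.10.5 proto=tcp dport=443 action=allow",
    "Dec  3 09:12:07 fw1 src=10.0.5.23 dst=192.168.20.7 proto=tcp dport=502 action=allow",
    "Dec  3 09:12:09 fw1 src=192.168.10.4 dst=192.168.20.7 proto=tcp dport=502 action=allow",
    "Dec  3 09:12:15 fw1 src=192.168.10.4 dst=192.168.20.7 proto=tcp dport=44818 action=allow",
    "Dec  3 09:12:20 fw1 src=198.51.100.9 dst=192.168.10.4 proto=tcp dport=3389 action=allow",
    "Dec  3 09:12:31 fw1 src=172.16.10.5 dst=192.168.10.4 proto=tcp dport=445 action=deny",
    "Dec  3 09:12:40 fw1 src=192.168.10.4 dst=192.168.10.9 proto=tcp dport=102 action=allow",
    "Dec  3 09:12:41 fw1 link state change eth2 up",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v['src']} -> {v['dst']}:{v['dport']}  {v['reason']}")
```

Three of the eight constructed lines are flagged: an enterprise workstation talking straight to the safety zone on the Modbus port (no conduit exists for that pair, so the firewall rule that passed it is the finding), the BPCS reaching the SIS on a port the conduit does not cover, and an address in no zone at all reaching the control zone. The denied flow and the intra-zone flow are not findings, and the unparsed line is skipped rather than guessed at. Run against real firewall exports, the same check is the cheapest way to learn whether the segmentation drawn in Step 4 still matches what is actually being passed in Step 7.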
Questions and Discussion