2. 22
Agenda
• Functional Safety
• Good planning if specifications are not right?
• What is the difference between a normal safety and SIL3 loop?
• How do systems achieve safety?
• Layers of protection
• Are you safe if you buy a SIL3 PLC?
• Safety & non safety in one application or separate safety and non-safety
• Cyber security
6. 66
Safety ?
Why should we invest in safety?
‣ You think safety is expensive, try an accident…
‣ Today an accident cost more than 10x the investment in the process
‣ We have had terrible accidents in the past
‣ We learned, but accidents with serious impact still happen today
8. 88
Safety Integrity Level - SIL
SIL is how we measure the performance of safety functions
carried out by safety instrumented systems
SIL has 3 sides to the story
‣ Process owners:
Which safety functions do I need and how much SIL do I need?
‣ Engineering companies, system integrators, product developers:
How do I build SIL compliant safety devices, functions or systems?
‣ Process operators:
How do I operate, maintain and repair safety functions and
systems to maintain the identified SIL levels?
10. 1010
SIL levels
Most famous SIL requirement is the Probability of Failure on Demand
PFDavg = Probability of Failure on Demand average
11. 1111
Functional Safety
A safety instrumented system is 100% functionally safe if
All random, common cause and systematic failures do not lead to
malfunctioning of the safety system and do not result in
‣ Injury or death of humans
‣ Spills to the environment
‣ Loss of equipment or production
‣ 100% functional safety does not exist but SIL 1, 2, 3 or 4 does
12. 1212
Common cause does not happen?
Complete plant flooded
because of heavy rainfall,
bad drainage and dike
18. 1818
What is the difference between a normal safety and SIL3 loop?
• SIL 1 Typically easy to achieve using standard components
• Through the selection of certified components, can achieve SIL 2 with
single channel sensing or final elements
• Still need to consider the systematic capability for the devices, however
these are less stringent for SIL 1 or 2
• Lifecycle cost typically the same as a normal BPCS loop.
NORMAL LOOP
BPCS = Basic Process Control System
19. 1919
• Redundancy requirements for sensing and final elements
Required by Tables 2 and 3 of 61508-2. Based on SFF
Safe Failure Fraction = A measure of the effectiveness of the fail safe design and/or the built-in diagnostic tests
Depending on the logic solver, can be single channel
• Proof Test Coverage can be a limiting factor
• Systematic requirements higher
Requires careful selection of devices to ensure this is achieved.
May rule out your normal supplier
• Life cycle cost much higher
What is the difference between a normal safety and SIL3 loop?
SIL 3 LOOP
20. 2020
• The higher the SIL the more techniques and measures are required to
detect, control and avoid human error
• SIL 1 Typically easy to achieve using a standard QMS system with added
competence requirements
• SIL 2 requires an “advanced” system with competence management and
reliance on testing
• SIL 3 has stringent requirements governing diversity in design,
competence of a high order and stringent testing requirements
What is the difference between a normal safety and SIL3 loop?
23. 2323
How do systems achieve safety?
Input
Output
2oo3
A B C
Voting systems
2oo3 Voting
1oo2D
Diagnostic systems
Diagnostics
Diagnostics
Input
Output
µP µP
Diag. Diagnostics
Diagnostics
Diagnostics
26. 2626
Layers of protection
Specific
• must be specifically designed to be capable of preventing the consequences of the
potentially hazardous event
Independent
• must be completely independent from all other protection layers
Dependable
• must be capable of acting dependably to prevent the consequence from occurring
(systematic and random faults)
Auditable
• must be tested and maintained to ensure risk reduction is continually achieved
27. 2727
Layers of protection – The 3 “ENOUGHS”
• Big Enough
• Must be big enough to cope the with the potential hazard
• Fast Enough
• Must be fast enough to sense and react to prevent the potential
• Strong Enough
• Must be able to survive all arising situations when preventing the hazardous
event.
28. 2828
Are you safe if you buy a SIL3 PLC?
• NO!!!
• Need to consider Sensing and final elements
• Need to consider Systematic Capability
This applies to the integrator of the Logic Solver – important to look at their
quality system
Apples to the installer of the Safety Integrated Functions – important to look
at their quality system
• Need to carefully consider Proof Test Intervals and Proof test coverage
Short proof test intervals should be avoided as the testing requirements
often require plant shutdown
Incorrect to assume that the proof test is perfect
This can have a profound effect on the result because we are dealing with
very small numbers
29. 2929
Safety & non safety in one application or separate
safety and non-safety
• Considerations for separating:
Hazards are caused by the non safety application
Risk assessment not able to separate the causes
Required by Buncefield recommendation 3
– “physical and electrical independence”
Need for Cyber security
• Considerations for systematic capability!!!
Often the same person programming the non-safety will be programming
the safety!
30. 3030
Safety & non safety in one application or separate
safety and non-safety
prevent
mitigate
31. 3131
Safety & non safety in one application or separate
safety and non-safety
The risk we talk about is related to a hazard
‣ Risk is a combination of
‣ The severity of consequences (C)
‣ The frequency of occurrence (F)
‣ Risk = C x F
Risksafety = probability of a damage * potential of the damage
32. 3232
Security is a foundation for safety.
Functional safety Risksafety = probability of a damage * potential of the damage
World
Sys.
+Cyber security Risksecurity = threat * vulnerability * potential of the damage
World
Sys.
Safety
World
Sys.
34. 3434
Security is a process.
Risk
analysis
Protect
Detect
React
Security is a process to reduce the risk
of damage due to external influence.
This process can be supported by
technical measures.
Source: IEC 62443-3-3
Both the IEC 61511 (safety) and the
draft of the IEC 62 443 (security)
demand to build systems in multiple
layers of protection. (Defense in the
Depth)
Enterprise
Plant DMZ
Control
Center
SIS BPCS
Plant
Conduit
Conduit
Conduit
Internet
35. 3535
Segregation of non safe networks.
Besides the usage of VLAN HIMax offers a
complete segregation. This interference free
implementation guarantees segregated
networks even for non safe protocols.
Max. Safety (SIL3).
Max. Availability for safeethernet.
Max. Availability for non safe
communication.
X-CPU
X-SB
RJ45
Safety-Net
X-COM
RJ45
Field Net
X-COM
RJ45
DCS-Net
36. 3636
Security is supported by HIMA Products:
High quality development process
HIMA products are developed for safety following the four eyes principle
Only documented ports for communication available no backdoor
Minimal attack surface, only required services are integrated.
Systematic use
separate system supports the avoidance of common cause failures and the
multi-layer protection concept.
Products with Security Features
Segregation of safety network (CPU) and non safety network (COM)
Standard Ethernet protocols can be used with any firewall.
blocking of control function via key switch
Display of program changes in the DCS system via CRC
Unused physical ports can be closed by using port-based VLAN.
High-quality programming environment
SILworX checks all software components prior to use.
Code comparison to detect changes in the user program.
2-level user management
Simple Project backup (one file)
User access in Windows is sufficient.
Secure OPC Server
runs as a service, no login to Windows is required.
37. 3737
Be reluctant to trust.
… even vendors of secure products have to admit failures.
38. 3838
Always the right solution ?
38
HIMA can help you getting the right solution and
have the right safety system you need!
Maximum security and availability