SIL 3, SIL 4 Safety PLC's Why should we invest in safety? Functional safety standards SIL levels Source: HIMA

1. Why SIL3?
Josse Brys TUV Engineer
j.brys@hima.com

2. 22
Agenda
• Functional Safety
• Good planning if specifications are not right?
• What is the difference between a normal safety and SIL3 loop?
• How do systems achieve safety?
• Layers of protection
• Are you safe if you buy a SIL3 PLC?
• Safety & non safety in one application or separate safety and non-safety
• Cyber security

3. 33
HIMA
SIS
Introduction : HIMA helps to prevent:

4. 44
HIMA: Safety Systems Others: Safety is small part
of their business
HIMA
SIS
SIS
Others
Introduction HIMA
HIMA is focused on Safety Systems

5. 55
SIL 3, SIL4 Safety PLC’s
Railways TMC BCS ESD F&G HIPPS Pipeline Logistics Nuclear
HIMA solutions for
Introduction HIMA

6. 66
Safety ?
Why should we invest in safety?
‣ You think safety is expensive, try an accident…
‣ Today an accident cost more than 10x the investment in the process
‣ We have had terrible accidents in the past
‣ We learned, but accidents with serious impact still happen today

7. 77
Functional Safety Standards

8. 88
Safety Integrity Level - SIL
SIL is how we measure the performance of safety functions
carried out by safety instrumented systems
SIL has 3 sides to the story
‣ Process owners:
Which safety functions do I need and how much SIL do I need?
‣ Engineering companies, system integrators, product developers:
How do I build SIL compliant safety devices, functions or systems?
‣ Process operators:
How do I operate, maintain and repair safety functions and
systems to maintain the identified SIL levels?

9. 99
SIL levels
Risk reduction

10. 1010
SIL levels
Most famous SIL requirement is the Probability of Failure on Demand
PFDavg = Probability of Failure on Demand average

11. 1111
Functional Safety
A safety instrumented system is 100% functionally safe if
All random, common cause and systematic failures do not lead to
malfunctioning of the safety system and do not result in
‣ Injury or death of humans
‣ Spills to the environment
‣ Loss of equipment or production
‣ 100% functional safety does not exist but SIL 1, 2, 3 or 4 does

12. 1212
Common cause does not happen?
Complete plant flooded
because of heavy rainfall,
bad drainage and dike

13. 1313
Good planning if specifications are not right?
IEC 61508 Lifecycle Concept

14. 1414
Good planning if specifications are not right?
Lifecycle & Frequency of Failures

15. 1515
Good planning if specifications are not right?
Think the following:
Your specifications = a red car with a horse
What would you get?

16. 1616
A red car with a horse

17. 1717
A red car with a horse

18. 1818
What is the difference between a normal safety and SIL3 loop?
• SIL 1 Typically easy to achieve using standard components
• Through the selection of certified components, can achieve SIL 2 with
single channel sensing or final elements
• Still need to consider the systematic capability for the devices, however
these are less stringent for SIL 1 or 2
• Lifecycle cost typically the same as a normal BPCS loop.
NORMAL LOOP
BPCS = Basic Process Control System

19. 1919
• Redundancy requirements for sensing and final elements
Required by Tables 2 and 3 of 61508-2. Based on SFF
Safe Failure Fraction = A measure of the effectiveness of the fail safe design and/or the built-in diagnostic tests
Depending on the logic solver, can be single channel
• Proof Test Coverage can be a limiting factor
• Systematic requirements higher
Requires careful selection of devices to ensure this is achieved.
May rule out your normal supplier
• Life cycle cost much higher
What is the difference between a normal safety and SIL3 loop?
SIL 3 LOOP

20. 2020
• The higher the SIL the more techniques and measures are required to
detect, control and avoid human error
• SIL 1 Typically easy to achieve using a standard QMS system with added
competence requirements
• SIL 2 requires an “advanced” system with competence management and
reliance on testing
• SIL 3 has stringent requirements governing diversity in design,
competence of a high order and stringent testing requirements
What is the difference between a normal safety and SIL3 loop?

21. 2121
How do systems achieve safety?
Safety Instrumented System

22. 2222
How do systems achieve safety?
1oo3

23. 2323
How do systems achieve safety?
Input
Output
2oo3
A B C
Voting systems
2oo3 Voting
1oo2D
Diagnostic systems
Diagnostics
Diagnostics
Input
Output
µP µP
Diag. Diagnostics
Diagnostics
Diagnostics

24. 2424
How do systems achieve safety?

25. 2525
Layers of protection
Increase safety and cyber security
prevent
mitigate

26. 2626
Layers of protection
Specific
• must be specifically designed to be capable of preventing the consequences of the
potentially hazardous event
Independent
• must be completely independent from all other protection layers
Dependable
• must be capable of acting dependably to prevent the consequence from occurring
(systematic and random faults)
Auditable
• must be tested and maintained to ensure risk reduction is continually achieved

27. 2727
Layers of protection – The 3 “ENOUGHS”
• Big Enough
• Must be big enough to cope the with the potential hazard
• Fast Enough
• Must be fast enough to sense and react to prevent the potential
• Strong Enough
• Must be able to survive all arising situations when preventing the hazardous
event.

28. 2828
Are you safe if you buy a SIL3 PLC?
• NO!!!
• Need to consider Sensing and final elements
• Need to consider Systematic Capability
This applies to the integrator of the Logic Solver – important to look at their
quality system
Apples to the installer of the Safety Integrated Functions – important to look
at their quality system
• Need to carefully consider Proof Test Intervals and Proof test coverage
Short proof test intervals should be avoided as the testing requirements
often require plant shutdown
Incorrect to assume that the proof test is perfect
This can have a profound effect on the result because we are dealing with
very small numbers

29. 2929
Safety & non safety in one application or separate
safety and non-safety
• Considerations for separating:
Hazards are caused by the non safety application
Risk assessment not able to separate the causes
Required by Buncefield recommendation 3
– “physical and electrical independence”
Need for Cyber security
• Considerations for systematic capability!!!
Often the same person programming the non-safety will be programming
the safety!

30. 3030
Safety & non safety in one application or separate
safety and non-safety
prevent
mitigate

31. 3131
Safety & non safety in one application or separate
safety and non-safety
The risk we talk about is related to a hazard
‣ Risk is a combination of
‣ The severity of consequences (C)
‣ The frequency of occurrence (F)
‣ Risk = C x F
Risksafety = probability of a damage * potential of the damage

32. 3232
Security is a foundation for safety.
Functional safety Risksafety = probability of a damage * potential of the damage
World
Sys.
+Cyber security Risksecurity = threat * vulnerability * potential of the damage
World
Sys.
Safety
World
Sys.

33. 3333
Compartmentalize.
Avoid universal
access. Enterprise
Plant DMZ
Control
Center
SIS BPCS
Plant
Conduit
Conduit
Conduit
Internet

34. 3434
Security is a process.
Risk
analysis
Protect
Detect
React
Security is a process to reduce the risk
of damage due to external influence.
This process can be supported by
technical measures.
Source: IEC 62443-3-3
Both the IEC 61511 (safety) and the
draft of the IEC 62 443 (security)
demand to build systems in multiple
layers of protection. (Defense in the
Depth)
Enterprise
Plant DMZ
Control
Center
SIS BPCS
Plant
Conduit
Conduit
Conduit
Internet

35. 3535
Segregation of non safe networks.
Besides the usage of VLAN HIMax offers a
complete segregation. This interference free
implementation guarantees segregated
networks even for non safe protocols.
Max. Safety (SIL3).
Max. Availability for safeethernet.
Max. Availability for non safe
communication.
X-CPU
X-SB
RJ45
Safety-Net
X-COM
RJ45
Field Net
X-COM
RJ45
DCS-Net

36. 3636
Security is supported by HIMA Products:
High quality development process
HIMA products are developed for safety following the four eyes principle
Only documented ports for communication available no backdoor
Minimal attack surface, only required services are integrated.
Systematic use
separate system supports the avoidance of common cause failures and the
multi-layer protection concept.
Products with Security Features
Segregation of safety network (CPU) and non safety network (COM)
Standard Ethernet protocols can be used with any firewall.
blocking of control function via key switch
Display of program changes in the DCS system via CRC
Unused physical ports can be closed by using port-based VLAN.
High-quality programming environment
SILworX checks all software components prior to use.
Code comparison to detect changes in the user program.
2-level user management
Simple Project backup (one file)
User access in Windows is sufficient.
Secure OPC Server
runs as a service, no login to Windows is required.

37. 3737
Be reluctant to trust.
… even vendors of secure products have to admit failures.

38. 3838
Always the right solution ?
38
HIMA can help you getting the right solution and
have the right safety system you need!
Maximum security and availability