View
274
Download
0
Embed Size (px)
Citation preview
22
Agenda
• Functional Safety
• Good planning if specifications are not right?
• What is the difference between a normal safety and SIL3 loop?
• How do systems achieve safety?
• Layers of protection
• Are you safe if you buy a SIL3 PLC?
• Safety & non safety in one application or separate safety and non-safety
• Cyber security
44
HIMA: Safety Systems Others: Safety is small part of their business
HIMASIS
SIS
Others
Introduction HIMA
HIMA is focused on Safety Systems
55
SIL 3, SIL4 Safety PLC’s
Railways TMC BCS ESD F&G HIPPS Pipeline Logistics Nuclear
HIMA solutions for
Introduction HIMA
66
Safety ?
Why should we invest in safety?
‣ You think safety is expensive, try an accident…
‣ Today an accident cost more than 10x the investment in the process
‣We have had terrible accidents in the past
‣We learned, but accidents with serious impact still happen today
88
Safety Integrity Level - SIL
SIL is how we measure the performance of safety functions
carried out by safety instrumented systems
SIL has 3 sides to the story
‣ Process owners:
Which safety functions do I need and how much SIL do I need?
‣ Engineering companies, system integrators, product developers:
How do I build SIL compliant safety devices, functions or systems?
‣ Process operators:
How do I operate, maintain and repair safety functions and systems to maintain the identified SIL levels?
1010
SIL levels
Most famous SIL requirement is the Probability of Failure on Demand
PFDavg = Probability of Failure on Demand average
1111
Functional Safety
A safety instrumented system is 100% functionally safe if
All random, common cause and systematic failures do not lead to
malfunctioning of the safety system and do not result in
‣ Injury or death of humans
‣ Spills to the environment
‣ Loss of equipment or production
‣ 100% functional safety does not exist but SIL 1, 2, 3 or 4 does
1212
Common cause does not happen?
Complete plant floodedbecause of heavy rainfall,bad drainage and dike
1515
Good planning if specifications are not right?
Think the following:
Your specifications = a red car with a horse
What would you get?
1818
What is the difference between a normal safety and SIL3 loop?
• SIL 1 Typically easy to achieve using standard components
• Through the selection of certified components, can achieve SIL 2 with single channel sensing or final elements
• Still need to consider the systematic capability for the devices, however these are less stringent for SIL 1 or 2
• Lifecycle cost typically the same as a normal BPCS loop.
NORMAL LOOP
BPCS = Basic Process Control System
1919
• Redundancy requirements for sensing and final elements
� Required by Tables 2 and 3 of 61508-2. Based on SFF
Safe Failure Fraction = A measure of the effectiveness of the fail safe design and/or the built-in diagnostic tests
� Depending on the logic solver, can be single channel
• Proof Test Coverage can be a limiting factor
• Systematic requirements higher
� Requires careful selection of devices to ensure this is achieved. May rule out your normal supplier
• Life cycle cost much higher
What is the difference between a normal safety and SIL3 loop?
SIL 3 LOOP
2020
• The higher the SIL the more techniques and measures are required to detect, control and avoid human error
• SIL 1 Typically easy to achieve using a standard QMS system with added competence requirements
• SIL 2 requires an “advanced” system with competence management and reliance on testing
• SIL 3 has stringent requirements governing diversity in design, competence of a high order and stringent testing requirements
What is the difference between a normal safety and SIL3 loop?
2323
How do systems achieve safety?
Input
Output
2oo3
A B C
Voting systems
2oo3 Voting
1oo2D
Diagnostic systems
Diagnostics
Diagnostics
Input
Output
µP µP
Diag. Diagnostics
Diagnostics
Diagnostics
2626
Layers of protection
Specific
• must be specifically designed to be capable of preventing the consequences of the potentially hazardous event
Independent
• must be completely independent from all other protection layers
Dependable
• must be capable of acting dependably to prevent the consequence from occurring (systematic and random faults)
Auditable
• must be tested and maintained to ensure risk reduction is continually achieved
2727
Layers of protection – The 3 “ENOUGHS”
• Big Enough
• Must be big enough to cope the with the potential hazard
• Fast Enough
• Must be fast enough to sense and react to prevent the potential
• Strong Enough
• Must be able to survive all arising situations when preventing the hazardous event.
2828
Are you safe if you buy a SIL3 PLC?
• NO!!!
• Need to consider Sensing and final elements
• Need to consider Systematic Capability
� This applies to the integrator of the Logic Solver – important to look at their quality system
� Apples to the installer of the Safety Integrated Functions – important to look at their quality system
• Need to carefully consider Proof Test Intervals and Proof test coverage
� Short proof test intervals should be avoided as the testing requirements often require plant shutdown
� Incorrect to assume that the proof test is perfect
� This can have a profound effect on the result because we are dealing with very small numbers
2929
Safety & non safety in one application or separate safety and non-safety
• Considerations for separating:
� Hazards are caused by the non safety application
� Risk assessment not able to separate the causes
� Required by Buncefield recommendation 3
– “physical and electrical independence”
� Need for Cyber security
• Considerations for systematic capability!!!
� Often the same person programming the non-safety will be programming the safety!
3131
Safety & non safety in one application or separate safety and non-safety
The risk we talk about is related to a hazard
‣ Risk is a combination of
‣ The severity of consequences (C)
‣ The frequency of occurrence (F)
‣ Risk = C x F
Risksafety = probability of a damage * potential of the damage
3232
Security is a foundation for safety.
Functional safety Risksafety = probability of a damage * potential of the damage
WorldSys.
+Cyber security Risksecurity = threat * vulnerability * potential of the damage
WorldSys. Safety
WorldSys.
3333
Compartmentalize.
� Avoid universal
access. Enterprise
Plant DMZ
ControlCenter
SIS BPCS
Plant
Con
duit
Con
duit
Conduit
Internet
3434
Security is a process.
Risk analysis
Protect
Detect
React
Security is a process to reduce the riskof damage due to external influence. This process can be supported by technical measures.
Source: IEC 62443-3-3
Both the IEC 61511 (safety) and the draft of the IEC 62 443 (security) demand to build systems in multiple layers of protection . (Defense in the Depth)
Enterprise
Plant DMZ
ControlCenter
SIS BPCS
Plant
Con
duit
Con
duit
Conduit
Internet
3535
Segregation of non safe networks.
� Besides the usage of VLAN HIMax offers a complete segregation. This interference free implementation guarantees segregated networks even for non safe protocols.
� Max. Safety (SIL3).
� Max. Availability for safeethernet.
� Max. Availability for non safe communication.
X-CPUX-SB
RJ45
Safety-Net
X-COM
RJ45
Field Net
X-COM
RJ45
DCS-Net
3636
Security is supported by HIMA Products:
High quality development process� HIMA products are developed for safety following the four eyes principle �
Only documented ports for communication available � no backdoor� Minimal attack surface, only required services are integrated.
Systematic use� separate system supports the avoidance of common cause failures and the
multi-layer protection concept.Products with Security Features
� Segregation of safety network (CPU) and non safety network (COM)� Standard Ethernet protocols can be used with any firewall.� blocking of control function via key switch� Display of program changes in the DCS system via CRC� Unused physical ports can be closed by using port-based VLAN.
High-quality programming environment� SILworX checks all software components prior to use.� Code comparison to detect changes in the user program.� 2-level user management� Simple Project backup (one file)� User access in Windows is sufficient.
Secure OPC Server� runs as a service, no login to Windows is required.