Why SIL3?

Josse Brys, TUV Engineer, [email protected]

Upload: ie-net-ingenieursvereniging-vzw

Post on 20-Jan-2017

Agenda

• Functional Safety

• Good planning if specifications are not right?

• What is the difference between a normal safety and SIL3 loop?

• How do systems achieve safety?

• Layers of protection

• Are you safe if you buy a SIL3 PLC?

• Safety & non safety in one application or separate safety and non-safety

• Cyber security

Introduction: HIMA helps to prevent:

Introduction HIMA

HIMA is focused on Safety Systems (HIMA: safety systems; others: safety is a small part of their business).

Introduction HIMA

HIMA solutions for: Railways, TMC, BCS, ESD, F&G, HIPPS, Pipeline, Logistics, Nuclear

SIL 3, SIL 4 Safety PLCs

Safety?

Why should we invest in safety?

‣ You think safety is expensive, try an accident…

‣ Today an accident costs more than 10x the investment in the process

‣ We have had terrible accidents in the past

‣ We learned, but accidents with serious impact still happen today

Functional Safety Standards

Safety Integrity Level - SIL

SIL is how we measure the performance of safety functions carried out by safety instrumented systems.

SIL has 3 sides to the story

‣ Process owners:

Which safety functions do I need and how much SIL do I need?

‣ Engineering companies, system integrators, product developers:

How do I build SIL compliant safety devices, functions or systems?

‣ Process operators:

How do I operate, maintain and repair safety functions and systems to maintain the identified SIL levels?

SIL levels

Risk reduction

SIL levels

The most famous SIL requirement is the Probability of Failure on Demand.

PFDavg = average Probability of Failure on Demand

Functional Safety

A safety instrumented system is 100% functionally safe if all random, common cause and systematic failures do not lead to malfunctioning of the safety system and do not result in:

‣ Injury or death of humans

‣ Spills to the environment

‣ Loss of equipment or production

100% functional safety does not exist, but SIL 1, 2, 3 or 4 does.

Common cause does not happen?

Complete plant flooded because of heavy rainfall, bad drainage and dike.

Good planning if specifications are not right?

IEC 61508 Lifecycle Concept

Good planning if specifications are not right?

Lifecycle & Frequency of Failures

Good planning if specifications are not right?

Think the following:

Your specifications = a red car with a horse

What would you get?

A red car with a horse

What is the difference between a normal safety and SIL3 loop?

NORMAL LOOP

• SIL 1: typically easy to achieve using standard components

• Through the selection of certified components, SIL 2 can be achieved with single-channel sensing or final elements

• Still need to consider the systematic capability of the devices; however, these requirements are less stringent for SIL 1 or 2

• Lifecycle cost typically the same as a normal BPCS loop

BPCS = Basic Process Control System

What is the difference between a normal safety and SIL3 loop?

SIL 3 LOOP

• Redundancy requirements for sensing and final elements

◦ Required by Tables 2 and 3 of IEC 61508-2, based on SFF

◦ Safe Failure Fraction (SFF) = a measure of the effectiveness of the fail-safe design and/or the built-in diagnostic tests

◦ Depending on the logic solver, can be single channel

• Proof Test Coverage can be a limiting factor

• Systematic requirements higher

◦ Requires careful selection of devices to ensure this is achieved; may rule out your normal supplier

• Life cycle cost much higher

What is the difference between a normal safety and SIL3 loop?

• The higher the SIL, the more techniques and measures are required to detect, control and avoid human error

• SIL 1: typically easy to achieve using a standard QMS system with added competence requirements

• SIL 2 requires an “advanced” system with competence management and reliance on testing

• SIL 3 has stringent requirements governing diversity in design, competence of a high order and stringent testing requirements

How do systems achieve safety?

Safety Instrumented System

How do systems achieve safety?

1oo3

How do systems achieve safety?

Voting systems: 2oo3 voting (three channels A, B, C between input and output)

Diagnostic systems: 1oo2D (two microprocessors, each with its own diagnostics, between input and output)
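As an added illustration of the two architectures named above (not part of the slides and not HIMA code), the following Python models a 2oo3 majority vote and a 1oo2D vote in which a channel flagged by its own diagnostics is dropped from the vote; the channel readings and injected faults are constructed.

```python
"""2oo3 majority voting and 1oo2D (one-out-of-two with diagnostics) as used
in safety PLC architectures. Added illustration, not HIMA code; the channel
readings and faults below are constructed."""
from dataclasses import dataclass

TRIP, RUN = True, False          # de-energize-to-trip convention


@dataclass
class Channel:
    value: bool                  # what the channel reads: TRIP or RUN
    diag_ok: bool = True         # outcome of the channel's self-diagnostics


def vote_2oo3(a: Channel, b: Channel, c: Channel) -> bool:
    """Trip when at least two of three channels demand it. A single channel
    failing in either direction (stuck RUN or spurious TRIP) is outvoted."""
    return sum(ch.value for ch in (a, b, c)) >= 2


def vote_1oo2d(a: Channel, b: Channel) -> bool:
    """1oo2 among the channels whose diagnostics pass. A channel flagged by
    diagnostics is taken out of the vote (degradation to 1oo1); if no healthy
    channel remains, the output falls to the safe state."""
    healthy = [ch for ch in (a, b) if ch.diag_ok]
    if not healthy:
        return TRIP
    return any(ch.value for ch in healthy)


def scenarios() -> dict:
    """Constructed fault cases showing what each architecture does."""
    ok = Channel(RUN)
    return {
        # 2oo3: one channel stuck at RUN while the process demands a trip
        "2oo3_one_stuck_run_on_demand": vote_2oo3(Channel(TRIP), Channel(RUN), Channel(TRIP)),
        # 2oo3: one channel trips spuriously, the plant keeps running
        "2oo3_one_spurious_trip": vote_2oo3(Channel(TRIP), ok, ok),
        # plain 1oo2 would trip here; 1oo2D ignores the diagnosed faulty channel
        "1oo2d_diagnosed_spurious_trip": vote_1oo2d(Channel(TRIP, diag_ok=False), ok),
        # a real demand seen by the healthy channel still trips
        "1oo2d_demand_with_one_faulty": vote_1oo2d(Channel(RUN, diag_ok=False), Channel(TRIP)),
        # both channels flagged: no trustworthy reading, fail safe
        "1oo2d_both_faulty": vote_1oo2d(Channel(RUN, diag_ok=False), Channel(RUN, diag_ok=False)),
    }


if __name__ == "__main__":
    for name, out in scenarios().items():
        print(f"{name:32s} -> {'TRIP' if out else 'RUN'}")
```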

Layers of protection

Increase safety and cyber security: prevent, mitigate

Layers of protection

Specific

• must be specifically designed to be capable of preventing the consequences of the potentially hazardous event

Independent

• must be completely independent from all other protection layers

Dependable

• must be capable of acting dependably to prevent the consequence from occurring (systematic and random faults)

Auditable

• must be tested and maintained to ensure risk reduction is continually achieved

Layers of protection – The 3 “ENOUGHS”

• Big Enough

◦ Must be big enough to cope with the potential hazard

• Fast Enough

◦ Must be fast enough to sense and react to prevent the potential

• Strong Enough

◦ Must be able to survive all arising situations when preventing the hazardous event.

Are you safe if you buy a SIL3 PLC?

• NO!!!

• Need to consider sensing and final elements

• Need to consider Systematic Capability

◦ This applies to the integrator of the Logic Solver – important to look at their quality system

◦ Applies to the installer of the Safety Integrated Functions – important to look at their quality system

• Need to carefully consider Proof Test Intervals and Proof Test Coverage

◦ Short proof test intervals should be avoided as the testing requirements often require plant shutdown

◦ Incorrect to assume that the proof test is perfect

◦ This can have a profound effect on the result because we are dealing with very small numbers
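To show why an imperfect proof test has such a large effect on these small numbers, here is an added worked example (not from the slides and not HIMA's method) that applies the common simplified single-channel PFDavg approximation with a proof test coverage term and classifies the result against the IEC 61508 low-demand PFDavg bands; the failure rate, test interval, coverage and 20-year lifetime are constructed assumptions.

```python
"""Effect of proof test interval and imperfect proof test coverage on the
PFDavg of a single-channel (1oo1) safety function, classified against the
IEC 61508 low-demand PFDavg bands. Added example, not from the slides or HIMA;
it uses the simplified PFDavg approximation (no repair time, no common-cause
term) with constructed failure-rate, interval, coverage and lifetime values."""
HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du: float, proof_interval_h: float,
                 proof_coverage: float = 1.0,
                 lifetime_h: float = 20 * HOURS_PER_YEAR) -> float:
    """lambda_du: dangerous undetected failure rate (per hour).
    Faults the proof test can find accumulate over one test interval; the
    fraction it cannot find (1 - coverage) accumulates over the whole mission
    life until the device is replaced or overhauled."""
    detected = lambda_du * proof_coverage * proof_interval_h / 2.0
    undetected = lambda_du * (1.0 - proof_coverage) * lifetime_h / 2.0
    return detected + undetected


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low-demand bands: SIL n <=> 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 when the value falls outside SIL 1..4."""
    for sil in (4, 3, 2, 1):
        if 10.0 ** -(sil + 1) <= pfd < 10.0 ** -sil:
            return sil
    return 0


def compare(lambda_du: float = 2e-7, proof_interval_years: float = 1.0) -> dict:
    """Same device and test interval: a perfect proof test versus 90 % coverage.
    With the constructed defaults the loop drops from SIL 3 to SIL 2."""
    ti = proof_interval_years * HOURS_PER_YEAR
    perfect = pfd_avg_1oo1(lambda_du, ti, 1.0)
    realistic = pfd_avg_1oo1(lambda_du, ti, 0.9)
    return {"perfect": perfect, "perfect_sil": sil_from_pfd(perfect),
            "realistic": realistic, "realistic_sil": sil_from_pfd(realistic)}


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key:14s} {val:.3e}" if isinstance(val, float) else f"{key:14s} SIL {val}")
```

Shortening the test interval would pull the first term down but not the second, which is why the slide points at coverage and interval together rather than at a shorter interval alone.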

Safety & non safety in one application or separate safety and non-safety

• Considerations for separating:

◦ Hazards are caused by the non-safety application

◦ Risk assessment not able to separate the causes

◦ Required by Buncefield recommendation 3

– “physical and electrical independence”

◦ Need for cyber security

• Considerations for systematic capability!!!

◦ Often the same person programming the non-safety will be programming the safety!

Safety & non safety in one application or separate safety and non-safety

Layers of protection diagram: prevent, mitigate

Safety & non safety in one application or separate safety and non-safety

The risk we talk about is related to a hazard.

‣ Risk is a combination of

‣ the severity of consequences (C)

‣ the frequency of occurrence (F)

‣ Risk = C x F

Risk_safety = probability of a damage * potential of the damage

Security is a foundation for safety.

Functional safety: Risk_safety = probability of a damage * potential of the damage

+ Cyber security: Risk_security = threat * vulnerability * potential of the damage

Compartmentalize.

◦ Avoid universal access.

Zones and conduits diagram: Internet – Enterprise – Plant DMZ – Control Center – Plant (SIS, BPCS), with conduits between the zones

Security is a process.

Risk analysis – Protect – Detect – React

Security is a process to reduce the risk of damage due to external influence. This process can be supported by technical measures.

Source: IEC 62443-3-3

Both IEC 61511 (safety) and the draft of IEC 62443 (security) demand that systems be built in multiple layers of protection (Defense in Depth).

Segregation of non safe networks.

◦ Besides the usage of VLAN, HIMax offers a complete segregation. This interference-free implementation guarantees segregated networks even for non-safe protocols.

◦ Max. safety (SIL3).

◦ Max. availability for safeethernet.

◦ Max. availability for non-safe communication.

Diagram: X-CPU / X-SB with RJ45 port on the Safety-Net; X-COM with RJ45 port on the Field Net; X-COM with RJ45 port on the DCS-Net

Security is supported by HIMA products:

High quality development process

◦ HIMA products are developed for safety following the four eyes principle

◦ Only documented ports for communication available, no backdoor

◦ Minimal attack surface, only required services are integrated.

Systematic use

◦ A separate system supports the avoidance of common cause failures and the multi-layer protection concept.

Products with Security Features

◦ Segregation of safety network (CPU) and non-safety network (COM)

◦ Standard Ethernet protocols can be used with any firewall.

◦ Blocking of control function via key switch

◦ Display of program changes in the DCS system via CRC

◦ Unused physical ports can be closed by using port-based VLAN.

High-quality programming environment

◦ SILworX checks all software components prior to use.

◦ Code comparison to detect changes in the user program.

◦ 2-level user management

◦ Simple project backup (one file)

◦ User access in Windows is sufficient.

Secure OPC Server

◦ Runs as a service, no login to Windows is required.

Be reluctant to trust.

◦ … even vendors of secure products have to admit failures.

Always the right solution?

HIMA can help you get the right solution and have the right safety system you need!

Maximum security and availability