Safety and security: a joint endeavour

10 September 2017

There is a need to understand the interaction between safety and security in production processes, says Dr Alexander Horch.

Figure 1: IEC 61511 prescribes separate safety layers for control and monitoring, prevention and containment, as well as emergency measures.

Every production process has inherent risks, and one of the most recent additions to them is cyber criminality. To achieve the greatest degree of safety and security in production processes, it is vital to implement effective separation of the process control and safety systems, as required by the standards for functional safety and cyber security. There is a lot at stake – the health of employees, the assets of the company and the environment.

For a better understanding of the interaction between safety and security, it is helpful to clarify several terms. There are numerous definitions of safety. A general definition is that safety is the absence of danger: a condition is safe when there are no prevailing hazards. Often it is not possible to eliminate all potential risks, especially in complex systems, so a more usual definition of safety is the absence of unacceptable risks.

Reducing risks to an acceptable level is the task of functional safety. The safety of an application depends on the function of a corresponding technical system, such as a safety controller. If this system fulfils its protective function, the application is regarded as functionally safe. This can be clarified by the following two examples: oil flowing out of a pipeline and endangering people in the vicinity is a safety issue. A system that cannot prevent icing in a pipeline, even though that is exactly its task, and a critical situation subsequently arises, is a functional safety issue.

Functional safety systems protect people, facilities and the environment. For example, they start up or shut down systems when hazardous situations arise suddenly and people do not respond or are not able to respond, or when other safety precautions are not adequate. They are intended to prevent accidents and avoid downtime of equipment or systems.

Separate layers reduce risks
The process industry is becoming increasingly aware of the importance of relevant standards for the safety and profitability of systems. The IEC 61511 standard for functional safety defines the best way to reduce the risk of incidents and downtime. It prescribes separate safety layers for control and monitoring, prevention and containment, as well as emergency measures (see Figure 1). Each of these three layers provides specific functions for risk reduction, and collectively they mitigate the hazards arising from the entire production process.

IEC 61511 also prescribes independence, diversity and physical separation for each protection level. To fulfil these requirements, the functions of the different layers need to be sufficiently independent of each other. It is not sufficient to use different I/O modules for the different layers, because automation systems also depend on functions in I/O bus systems, CPUs and software. To be regarded as autonomous protection layers in accordance with IEC 61511, safety systems and process control systems must be based on different platforms, development foundations and philosophies. In concrete terms, this means that the system architecture must be designed, fundamentally, so that no component is used by both the process control level and the safety level.

Rising risk
In the last 10 years, the risk of cyber attacks on industrial systems has risen significantly, due to increasing digitalisation. In addition to endangering information security, these attacks increasingly pose a direct threat to system safety. System operators need to be aware of these risks and actively address them, which can be done in a variety of ways. Unlike functional safety systems, which are mainly intended to protect people, cyber security systems and measures protect technical information systems against intentional or unintentional manipulation and against attacks intended to disrupt production processes or steal industrial secrets.

Safety and security have, therefore, become more closely meshed topics. Cyber security plays a key role, particularly for safety-oriented systems, because it forms the last line of defence against a potential catastrophe.

Standards define the framework
Compliance with international standards is necessary in the design, operation and specification of safety controllers. IEC 61508 is the basic standard for safety systems, which applies to all safety-oriented systems (electrical, electronic and programmable electronic devices). The IEC 61511 standard, which is derived from the basic standard, is the fundamental standard for the process industry and defines the applicable criteria for the selection of safety function components.

The IEC 62443 series of standards for IT security in networks and systems, which effectively forms the standard for cyber security, must also be considered. It specifies a management system for IT security, separate protection layers with mutually independent operating and protection facilities, and measures to ensure IT security over the full life cycle of a system. It also requires separate zones for the enterprise network, control room, safety instrumented system (SIS) and basic process control system (BPCS), each of which must be protected by a firewall to prevent unauthorised access (see Figure 2).

Figure 2: IEC 62443 requires separate zones for the enterprise network, control room, SIS and BPCS, each of which must be protected by a firewall to prevent unauthorised access.
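As an added illustration, not part of the original article or of HIMA's tooling, the following Python check models a plant network as zones, components and links and reports where a proposed design breaks the separation described above: a component shared between the safety and the control level (the IEC 61511 independence point from the earlier section) or a path between two zones that does not pass through a firewall. The design data is constructed, and the `firewall` flag is a simplified stand-in for an IEC 62443 conduit.

```python
from collections import deque

def find_violations(components, links):
    """components: {name: {"zone": str, "firewall": bool, "levels": set}};
    links: (a, b) bidirectional pairs. Returns sorted findings ([] = passes)."""
    findings = set()
    # Rule 1 (IEC 61511 independence): no component serves both levels.
    for name, c in components.items():
        if {"safety", "control"} <= c["levels"]:
            findings.add(f"{name} is shared by the safety and control levels")
    # Rule 2 (IEC 62443 zones): walk from every non-firewall node without
    # crossing a firewall; reaching another zone means an unfiltered path.
    adj = {n: set() for n in components}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    for start, c in components.items():
        if c["firewall"]:
            continue
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in adj[queue.popleft()]:
                if nxt in seen or components[nxt]["firewall"]:
                    continue
                seen.add(nxt)
                queue.append(nxt)
                if components[nxt]["zone"] != c["zone"]:
                    z1, z2 = sorted((c["zone"], components[nxt]["zone"]))
                    findings.add(f"unfiltered path between zones {z1} and {z2}")
    return sorted(findings)

def node(zone, firewall=False, levels=()):
    return {"zone": zone, "firewall": firewall, "levels": set(levels)}

# Constructed design: an engineering workstation cabled straight into the SIS
# segment, and one I/O node wired into both the safety and the control logic.
FLAWED = {
    "erp": node("enterprise"), "fw_ent": node("control_room", True),
    "hmi": node("control_room"), "eng_ws": node("control_room"),
    "fw_bpcs": node("bpcs", True), "dcs": node("bpcs", levels=["control"]),
    "shared_io": node("bpcs", levels=["safety", "control"]),
    "fw_sis": node("sis", True), "safety_plc": node("sis", levels=["safety"]),
}
FLAWED_LINKS = {("erp", "fw_ent"), ("fw_ent", "hmi"), ("hmi", "fw_bpcs"),
                ("fw_bpcs", "dcs"), ("hmi", "fw_sis"), ("fw_sis", "safety_plc"),
                ("dcs", "shared_io"), ("shared_io", "safety_plc"), ("eng_ws", "safety_plc")}
# Corrected design: drop the shared I/O node and the direct workstation link.
FIXED = {k: v for k, v in FLAWED.items() if k != "shared_io"}
FIXED_LINKS = {l for l in FLAWED_LINKS if "shared_io" not in l and l != ("eng_ws", "safety_plc")}
```

Running `find_violations` on the flawed design reports the shared I/O node and three zone pairs joined without a firewall; the corrected design returns an empty list.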

Cyber security by design
Safety and security are closely related aspects of process systems, which must be considered separately and as a whole.

Standardised hardware and software in process control systems require regular updates to remedy weaknesses in the software and the operating system. However, the complexity of the software architecture makes it difficult or impossible to assess analytically the risks that could arise from a system update. For example, updates to the process control system could affect the functions of a safety system integrated into the control system.

To avoid critical errors with unforeseeable consequences in safety-relevant processes, as a result of control system updates, the process control system must be technologically separate from the safety system. For effective cyber security, it is not sufficient to upgrade an existing product by retrofitting additional software functionality. Every solution for functional safety must be conceived and developed with cyber security in mind, right from the start. This applies equally to the firmware and the application software.

Effective protection
A proprietary operating system, specifically designed for safety-oriented applications, runs on HIMA’s autonomous safety controllers. It includes all functions of a safety PLC and excludes all other functions, making it immune to typical attacks on IT systems. In HIMA’s controllers, the CPU and the communication processor are separate, which preserves operational security even in the event of an attack on the communication processor. The controllers allow several physically separate networks to be operated on a single communication processor or processor module. This prevents direct access to an automation network from a connected development workstation. In addition, unused interfaces can be disabled individually.

Furthermore, the SILworX configuration, programming and diagnostic tool runs in a Windows environment and works in a manner as independent as possible from Windows functions. This enables secure operation without interference from other programs or updates. It provides maximum protection against operator errors and creates a set of proven data components for programming the safety PLC.

Nevertheless, SILworX allows automatic import of configuration data from outside systems into the proven data set via interfaces. In addition, the programming tool supports two-level user management. This allows user permissions to be set individually.

A common feature of the process industry standard and the cyber security standard is that both require separation of the safety system (SIS) and the basic process control system (BPCS). This independence of safety systems is a good idea from practical and economic perspectives. The SIS and BPCS have, for example, very different life cycles and rates of change. System operators are therefore free to choose ‘best-of-breed’ solutions from different manufacturers.

Systems that are independent of the process technology and which can be easily integrated into process control systems despite physical separation, offer the highest degree of safety and security in safety-critical applications. Practical experience shows that they are the best way to increase the operational reliability and availability of process systems, and thereby to improve the profitability of production processes.

Dr Alexander Horch is head of the R&D and product management business area at HIMA Paul Hildebrandt.
