Shanghai: Oil Gas Petrochemical Seminar: exida presentation (Koen Leekens)
Functional Integrity Certification™: The First Combined Certification for Functional Safety and Functional Security
Shanghai, 16 March 2011, Koen Leekens

exida Contacts
Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Germany +49 89 4900 0547
USA +1 215 453 1720
Switzerland +41 22 364 14 34
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564
Copyright exida LLC ® 2000-2011
“SAFETY” is not “SECURITY”
Piper Alpha 1988: “Lessons learned” improve Safety

“Disabled” Safety is not SAFE!
Incident (explosion) with “Certified” Boiler: Anti-Virus Software Prevents Safety Shutdown
Source: www.securityincidents.org
Advanced Technology introduces new THREATS?
exida Functional Integrity Certification™
Functional Safety Certification™ + Functional Security Certification™
“Integrity is doing the right thing, even if nobody is watching.” (Anonymous)
Who we are
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services
Today: LARGEST Functional Safety and Cyber Security consultancy and certification body worldwide
“Provide independent services and tools to help customers comply with any industry standards for Functional Safety, Cyber Security and Alarm Management”

Rainer Faller: Former Head of TÜV Product Services; Chairman German IEC 61508; Global Intervener ISO 26262 / IEC 61508; Author of several Safety Books; Author of IEC 61508 parts
Dr. William Goble: Former Director Moore Industries; Developed FMEDA Technique (PhD); Author of several Safety Books; Author of several Reliability Books
Where we are

What we do
EXIDA SCOPE: Functional Safety, Cyber Security, Reliability, Alarm Management
SERVICES: Tools, Training, Consultancy, Certification, Reference Materials
INDUSTRIES: Process Industry, Automotive Industry, Machine Industry, Power Industry, Rail Industry
CUSTOMERS: End Users, Equipment Manufacturers, Engineering Companies, System Integrators
The exida Library
exida publishes analysis techniques for functional safety
exida authors ISA best-sellers for automation safety and reliability
exida authors industry data handbook on equipment failure data
www.exida.com

exida Customers (extract from 2000+)
What is…?
Functional Safety: “Part of overall safety to protect against incidents caused by incorrect functioning of components/systems”
Why Functional Safety?
To provide a safer working environment for people, that is to save lives and protect the environment
To demonstrate compliance with regulatory requirements, that is to avoid fines
To protect investments in plant and equipment and ensure continuous operations, that is to save money
What is…?
SIL: “The Safety Integrity Level is a measure for the effectiveness of the risk reduction that each individual Safety Function is expected to provide”
History of Functional Safety Standards (timeline 1960 to 2015)
RELAY: Predictable Failures
PLC: Failure Modes? (DIN 31000)
Safety PLC: “AK-Classes” (DIN V 19250); S84.01 1996
Safety Loop: “Functional” (IEC 61508, IEC 61513, IEC 61511, IEC 62061, ISO 26262, S84.01 2004)
Also Secure?
Which Standard?
IEC 61508: Functional Safety for E/E/PES Safety Related Systems (Device Manufacturers, or where a Sector Specific standard is Not Available)
Sector specific standards (End Users, Systems Integrators):
IEC 61513: Nuclear
IEC 61511: Process Industry
ISO 26262: Road Vehicles
IEC 62061: Machinery
What do accidents teach us?
Flixborough 1974, Seveso 1976, Bhopal 1984, Buncefield 2005

Primary Cause of Failures?
Lifecycle phases: Specification; Design and Implementation; Installation and Commissioning; Operation and Maintenance; Changes after Commissioning
More than 80% of Failures Before Startup
Source: Health, Safety & Environmental Agency
The majority of accidents are… Preventable if a systematic Risk-Based Approach is adopted…
IEC 61508/61511 Key Aspects
Safety Integrity Levels to protect against Random Failures (Physical or Hardware Failures)
Safety Lifecycle to protect against Systematic Failures (Insufficient Processes and Procedures)
Both protection measures are Important
“Having incomplete safety is worse than no safety at all because people are lulled into complacency thinking that safety is managed”
Product Certification
Functional safety certification for devices is accomplished per IEC 61508
Products are certified to a Safety Integrity Level (SIL)
The result is typically a certificate and a certification report
SIL Certification: Vendor showed sufficient protection against Random and Systematic Failures

Certification versus Prior Use?
Certificate: by Vendor
Prior Use: Justification by User
How to certify a device?
1. Analyze Hardware Reliability
2. Analyze Gaps between existing processes and IEC 61508
   Fix Product and Process Gaps
3. Safety Justification Report listing how the requirements are met for Product and Process
4. Final Assessment by Independent 3rd Party
5. Certificate and Certification Report
(exida Tools for steps 1, 2 and 3)
So what about Functional Security?
Security vulnerabilities impact the operation of the Safety System
Safety ONLY is not enough
Disgruntled Contractor “Hacks” Pipeline Leak Detection System
Source: www.securityincidents.org

What is…?
Functional Security: “Protection against intentional or unintentional interference with the proper operation of systems/components”

Which Standards?
ISA-99
IEC 62443
SP800-82
CSA Z246.1
Functional Security Certification™
1. Analyze Hardware Reliability (ISCI)
2. Analyze Gaps between existing processes and ISA-99
   Fix Product and Process Gaps
3. Security Justification Report listing how the requirements are met for Product and Process
4. Final Assessment by Independent 3rd Party
5. Certificate and Certification Report
Security certification is patterned after Safety certification
Who can certify Safety and Security?
Verify Market Recognition: Competency defined by Customers
[Pie chart: share of certifications by certification agency, International list and North America list. Agencies shown: exida (chart labels read 60.7% / 17.2%), TÜV Rheinland, TÜV Süd, TÜV Nord, Wurldtech, Other (chart labels read 8.3% / 25.9%). Note on chart: “Nobody Certifies the CERTIFIER”. Other includes: SIRA, CSA, FM, UL, BASEEFA, INERIS, DNV and many more.]
Who can certify Safety and Security?
Verify Market Recognition: Competency defined by Customers
Verify Experience: Number of Certifications; Fast Time-to-Market

Number of Certificates - Currently Marketed Products (as of 9/17/2010)
Certification Agency   Sensors   Logic Solvers   Final Element   Total
TUV X                        5               2               4      11
TUV Y                        4               3               0       7
TUV Z                        4              14               9      27
exida                       32               6              55      93
How to select the certifier? NOBODY CERTIFIES THE CERTIFIER
Verify Market Recognition: Competency defined by Customers
Verify Experience: Number of Certifications
Verify Excellence / Competency: Involvement of the company with the IEC and ISA standards for Safety and Security
Verify availability of 3rd party Assessment of Certifier
Market Support Data: Provision of Failure Rate Databases, Books, Whitepapers, Templates…
Broad Capabilities: Functional Safety and Functional Security Certification
“Bypassed” Safety is not SAFE!
Piper Alpha 1988: “Lessons learned” improve Safety
Disgruntled Contractor “Hacks” Pipeline Leak Detection System
Source: www.securityincidents.org
The Best Safety is Useless when DISABLED
Both SAFETY and SECURITY Matter
Security Certified Control Systems

exida Functional Integrity Certification™
Functional Safety Certification™ + Functional Security Certification™
“Integrity is doing the right thing, even if nobody is watching.” (Anonymous)