Features
Setting the Standard
Posted By exida on June 17th, 2011
Dr Peter Clarke explains how process plants can benefit through proper and careful adoption of the IEC 61511 safety standard.
Demanding Software Security Assurance
Posted By exida on February 15th, 2011
Users Wonder, “How Dependable, Trustworthy and Resilient Is My Supplier’s Software?”
By John Cusimano, Director, exida Security Services Division
In an October 2010 article at SearchSecurity.com, Mark Weatherford, vice president and chief security officer at NERC, was quoted as saying, “Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”
He went on to say, “This is not an indictment of [the] control system industry; it’s an indictment of the IT business in general. We’re still seeing products that come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time.”
It is refreshing to see a point of view that recognizes that industrial control system security is not just a problem that owners and operators of industrial facilities need to address. Of course, owners/operators are ultimately responsible for the safety and security of their facilities, but that responsibility needs to be shared with their automation equipment suppliers.
These suppliers have a responsibility to ensure that their products are safe, secure and reliable. But, while they undoubtedly all strive to meet this expectation, achieving it has become increasingly difficult, as even the simplest of products have evolved to rely on sophisticated software that often isn’t even written by the supplier. Couple the increased vulnerability of automation products due to software complexity with the emerging threat posed by viruses such as Stuxnet, and it is easy to see why Weatherford is calling for suppliers to focus on software security assurance for their customers.
Wikipedia defines software security assurance (SSA) as “the process of ensuring that software is designed to operate at a level of security consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability or misuse of the data and resources that it uses, controls and protects.”
The Safety Instrumented Systems Standard for Brazilians
Posted By exida on January 25th, 2011
In several editions of InTech América do Sul magazine, various authors have published articles on Safety Instrumented Systems and the international standards that guide the best practices applied to such projects. Now it is time to talk about the Brazilian standards!
Position Paper on IEC 61508 2010 Definitions Regarding Minimum Hardware Fault Tolerance
Posted By exida on November 10th, 2010
The release of IEC 61508 2010 has led to several discussions on how certain new, updated, and unmodified definitions need to be interpreted. The controversy relates to the determination of the required minimum hardware fault tolerance / architectural constraints interpretation.
This position paper explains the position that exida has taken with regard to this issue. The paper is structured in two parts: the position itself, and the rationale for the position, including the counter-arguments received over the last couple of months. The exida position is also implemented in the exida exSILentia safety lifecycle tool.
3 Important Factors in Evaluating your SIL Certified Device
Posted By exida on August 25th, 2010
Today there is a growing trend by end-users to require equipment manufacturers to get their safety devices IEC 61508 (SIL) Certified. That is an excellent trend for a number of reasons. One reason is that in order to get a device SIL Certified, a company must first determine the device’s failure rates and failure modes. This is usually done by having a Failure Modes Effects and Diagnostic Analysis (FMEDA) performed. Among other things, an FMEDA Report will detail the device’s Architectural Constraints and its λDU (Dangerous Undetected Failure Rate). With any given values for the maintenance parameters (Test Interval, Test Coverage, and Repair Time), you can determine the device’s PFDavg (Average Probability of Failure on Demand). Both the Architectural Constraints and the PFDavg of a device, together with its IEC 61508 Certification, are critical in evaluating whether or not a given device may be suitable for use in a Safety Function with a given SIL requirement. These are the characteristics that concern a Safety Engineer in his evaluation.
FMEDA – Accurate Product Failure Metrics
Posted By exida on August 25th, 2010
The letters FMEDA form an acronym for “Failure Modes Effects and Diagnostic Analysis.” The name was given by one of the authors in 1994 to describe a systematic analysis technique that had been in development since 1988 to obtain subsystem / product level failure rates, failure modes and diagnostic capability.
Real Time Operating Systems for IEC 61508
Posted By exida on August 25th, 2010
In today’s world many potentially dangerous pieces of equipment are controlled by embedded software. This equipment includes cars, trains, airplanes, oil refineries, chemical processing plants, nuclear power plants and medical devices. As embedded software becomes more pervasive, so too do the risks associated with it. As a result, the issue of software safety has become a very hot topic in recent years. The leading international standard in this area is IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems. This standard is generic and not specific to any industry, but has already spun off a number of industry-specific derived standards, and can be applied to any industry that does not have its own standard in place. Several industry-specific standards, such as EN50128 (Railway), DO-178B (Aerospace), IEC 60880 (Nuclear) and IEC 601-1-4 (Medical Equipment), are already in place. Debra Herrmann (Herrmann, 1999) found a total of 19 standards related to software safety and reliability that cut across industrial sectors and technologies. These standards’ popularity is on the rise, and more and more embedded products are being developed to conform to them. Since an increasing number of embedded products also use an embedded real time operating system (RTOS), it has become inevitable that products with an RTOS are being designed to conform to such standards. This creates an important question for designers: how is my RTOS going to affect my certification? This article will attempt to explore the challenges and advantages of using an RTOS in products that will undergo certification.
Field Failure Data – the Good, the Bad and the Ugly
Posted By exida on August 25th, 2010
There are many benefits to a company when they have access to good field failure data. Most of the benefits are categorized as saving money. At the same time, most of the expenditure to get good failure data is already being spent. Given a small incremental cost of added data collection and better data analysis, the benefits could be achieved.
Good high quality field failure data has often been described as the ultimate source of failure data. However, not all field failure studies are high quality. Some field studies simply do not have the needed information. Some field studies make unrealistic assumptions. The results can be quite different depending on methods and assumptions. Some methods produce optimistic results that can result in bad designs and unsafe processes.
Using Alarm Management to make Your Plant Safer
Posted By exida on August 25th, 2010
Recent industrial accidents at Texas City, Buncefield (UK) and Institute, WV have highlighted the connection between poor alarm management and process safety incidents. At Texas City, key level alarms failed to notify the operator of the unsafe and abnormal conditions that existed within the tower and blowdown drum. The resulting explosion and fire killed 15 people and injured 180 more. The tank overflow and resultant fire at the Buncefield Oil Depot resulted in a £1 billion (1.6 billion USD) loss. It could have been prevented if the tank’s high level safety switch had, as designed, notified the operator of the high level condition or automatically shut off the incoming flow. At the Bayer facility (Institute, WV), improper procedures, worker fatigue, and lack of operator training on a new control system caused the residue treater to be overcharged with Methomyl, leading to an explosion and chemical release.
Development of a Mechanical Component Failure Database
Posted By exida on August 25th, 2010
In this article, we present a methodology to derive component failure rate and failure mode data for mechanical components used in automation systems based on warranty and field failure data as well as expert opinion. We describe a process for incorporating new component information into the database as it becomes available. The method emphasizes random mechanical component failures of importance in the world of safety analysis as opposed to the wear-out and aging mechanical failures that have dominated mechanical reliability analysis. The method provides a level of accuracy significantly better than warranty failure data analysis alone. The derived database has the same form as that for electrical/electronics databases used in FMEDA analyses used to show compliance with international performance-based safety standards. Thus, the mechanical database can be used in conjunction with existing electrical/electronics databases to perform required probabilistic safety analysis on automation systems comprised of both electrical and mechanical components.