
Why SIL3?

Josse Brys, TUV Engineer
j.brys@hima.com
Agenda

• Functional Safety
• Good planning if specifications are not right?
• What is the difference between a normal safety loop and a SIL 3 loop?
• How do systems achieve safety?
• Layers of protection
• Are you safe if you buy a SIL 3 PLC?
• Safety and non-safety in one application, or separate safety and non-safety?
• Cyber security
Introduction: HIMA helps to prevent:

(Figure: HIMA safety instrumented system (SIS))
Introduction HIMA

HIMA is focused on safety systems.

(Figure: for HIMA, safety instrumented systems (SIS) are the whole business; for other vendors, safety is a small part of their business.)
Introduction HIMA

SIL 3 and SIL 4 safety PLCs

HIMA solutions for: railways, TMC, BCS, ESD (emergency shutdown), F&G (fire and gas), HIPPS (high integrity pressure protection systems), pipelines, logistics, nuclear
Safety?

Why should we invest in safety?

‣ You think safety is expensive? Try an accident…
‣ Today an accident costs more than ten times the investment in the process
‣ We have had terrible accidents in the past
‣ We learned, but accidents with serious impact still happen today
Functional Safety Standards

Safety Integrity Level (SIL)

SIL is how we measure the performance of safety functions carried out by safety instrumented systems.

SIL has three sides to the story:
‣ Process owners:
  Which safety functions do I need, and how much SIL do I need?
‣ Engineering companies, system integrators, product developers:
  How do I build SIL-compliant safety devices, functions or systems?
‣ Process operators:
  How do I operate, maintain and repair safety functions and systems so that the identified SIL is maintained?
SIL levels

(Figure: SIL levels and the risk reduction each provides)
SIL levels

The best-known SIL requirement is the average Probability of Failure on Demand.

PFDavg = average Probability of Failure on Demand: the probability that the safety function fails to act when a demand occurs, averaged over the proof test interval (the measure used for low-demand safety functions)
Functional Safety

A safety instrumented system would be 100% functionally safe if no random, common cause or systematic failure could lead to malfunction of the safety system and result in
‣ injury or death of humans
‣ spills to the environment
‣ loss of equipment or production

100% functional safety does not exist, but SIL 1, 2, 3 or 4 does.
Common cause does not happen?

Complete plant flooded because of heavy rainfall, bad drainage and a bad dike.
Good planning if specifications are not right?

IEC 61508 lifecycle concept

Good planning if specifications are not right?

Lifecycle and frequency of failures
Good planning if specifications are not right?

Think of the following:

Your specification = "a red car with a horse"

What would you get?

A red car with a horse
What is the difference between a normal safety loop and a SIL 3 loop?

NORMAL LOOP

• SIL 1 is typically easy to achieve using standard components
• Through the selection of certified components, SIL 2 can be achieved with single-channel sensing or final elements
• The systematic capability of the devices still needs to be considered; however, the requirements are less stringent for SIL 1 or 2
• Lifecycle cost is typically the same as for a normal BPCS loop (BPCS = Basic Process Control System)
What is the difference between a normal safety loop and a SIL 3 loop?

SIL 3 LOOP
• Redundancy requirements for sensing and final elements
  Required by Tables 2 and 3 of IEC 61508-2 (hardware fault tolerance as a function of the Safe Failure Fraction, SFF)
  Safe Failure Fraction = a measure of the effectiveness of the fail-safe design and/or the built-in diagnostic tests
  The logic solver, depending on its design, can be single channel
• Proof test coverage can be a limiting factor
• Systematic requirements are higher
  Requires careful selection of devices to ensure this is achieved; may rule out your normal supplier
• Lifecycle cost is much higher
What is the difference between a normal safety loop and a SIL 3 loop?

• The higher the SIL, the more techniques and measures are required to detect, control and avoid human error
• SIL 1 is typically easy to achieve with a standard quality management system (QMS) plus added competence requirements
• SIL 2 requires an "advanced" system with competence management and reliance on testing
• SIL 3 has stringent requirements governing diversity in design, competence of a high order and stringent testing
How do systems achieve safety?

(Figure: safety instrumented system)

How do systems achieve safety?

(Figure: 1oo3 architecture)

How do systems achieve safety?

(Figure: redundant logic solver. Inputs with diagnostics feed three microprocessors A, B and C, each with its own diagnostics; the outputs are combined by 2oo3 voting. Two approaches are contrasted: voting systems (2oo3) and diagnostic systems (1oo2D).)
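The two voter types named in the figure, 2oo3 majority voting and 1oo2D (one-out-of-two with diagnostics), are modelled in the following Python example. It is an added example for this page, not HIMA code and not a description of any HIMA product's voting logic; the trip/run convention and the failure scenarios in scenarios() are assumptions constructed for the illustration.

```python
"""Voting and diagnostics in a redundant logic solver.

Added example, not HIMA code. It models the two schemes on the slide:

* 2oo3 (two-out-of-three) majority voting: three channels decide, the
  output follows the majority, so one faulty channel is out-voted
  whether it fails "stuck run" (dangerous) or "stuck trip" (spurious).
* 1oo2D (one-out-of-two with diagnostics): two channels; a channel that
  its diagnostics flag as faulty is removed from the vote and the system
  degrades to 1oo1; with no trusted channel left it goes to the safe state.

Convention (assumed for this example): True = trip (demand the safe
state), False = run. The safe state is trip.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str
    trip: bool            # the channel's own decision
    healthy: bool = True  # verdict of that channel's diagnostics


def vote_2oo3(a: Channel, b: Channel, c: Channel) -> bool:
    """Trip when at least two of the three channels demand it."""
    return sum(ch.trip for ch in (a, b, c)) >= 2


def vote_1oo2d(a: Channel, b: Channel) -> tuple:
    """1oo2D voter. Returns (output, operating mode).

    Both healthy  -> 1oo2: trip if either channel demands it.
    One faulty    -> degraded 1oo1 on the remaining channel.
    Both faulty   -> forced trip: there is no channel left to trust.
    """
    trusted = [ch for ch in (a, b) if ch.healthy]
    if len(trusted) == 2:
        return a.trip or b.trip, "1oo2"
    if len(trusted) == 1:
        return trusted[0].trip, f"degraded 1oo1 on {trusted[0].name}"
    return True, "safe state: both channels flagged faulty"


def scenarios() -> dict:
    """Constructed failure scenarios; returns each voter's output."""
    def ch(name, trip, healthy=True):
        return Channel(name, trip, healthy)

    # A real demand while channel C has a dangerous undetected failure
    # (it still reports "run"): 2oo3 still trips on A and B.
    demand_c_stuck_run = vote_2oo3(ch("A", True), ch("B", True), ch("C", False))
    # No demand, channel C spuriously demands a trip: 2oo3 keeps running.
    # This is the availability argument for 2oo3 over plain 1oo2.
    spurious_c = vote_2oo3(ch("A", False), ch("B", False), ch("C", True))
    # 1oo2D: channel B flagged faulty by its diagnostics, A sees a demand.
    deg_trip, deg_mode = vote_1oo2d(ch("A", True), ch("B", False, healthy=False))
    # 1oo2D: channel B flagged faulty and also stuck "trip"; the flag wins,
    # so the faulty channel cannot cause a spurious trip on its own.
    deg_run, _ = vote_1oo2d(ch("A", False), ch("B", True, healthy=False))
    # 1oo2D: both channels flagged faulty -> safe state regardless of inputs.
    both_bad, both_mode = vote_1oo2d(ch("A", False, healthy=False),
                                     ch("B", False, healthy=False))
    return {
        "2oo3_demand_with_one_stuck_run": demand_c_stuck_run,    # True
        "2oo3_one_spurious_channel": spurious_c,                 # False
        "1oo2d_degraded_trip": deg_trip,                         # True
        "1oo2d_degraded_mode": deg_mode,                         # "degraded 1oo1 on A"
        "1oo2d_flagged_channel_cannot_trip": deg_run,            # False
        "1oo2d_both_faulty": both_bad,                           # True
        "1oo2d_both_faulty_mode": both_mode,
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

Running the module prints the scenario table. The two spurious-trip scenarios are the availability argument on the slide: in 2oo3 one channel that wrongly demands a trip is out-voted, and in 1oo2D a channel that the diagnostics have already flagged cannot trip the plant by itself. The price is that 1oo2D depends on high diagnostic coverage: a dangerous failure the diagnostics miss is simply a 1oo2 vote with one channel stuck at "run".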
Layers of protection

(Figure: layers of protection, divided into layers that prevent the hazardous event and layers that mitigate its consequences. Multiple layers increase safety and cyber security.)
Layers of protection

Specific
• must be specifically designed to be capable of preventing the consequences of the potentially hazardous event
Independent
• must be completely independent of all other protection layers
Dependable
• must be capable of acting dependably to prevent the consequence from occurring (against both systematic and random faults)
Auditable
• must be tested and maintained to ensure that the risk reduction is continually achieved
Layers of protection – The 3 "ENOUGHS"

• Big enough
  Must be big enough to cope with the potential hazard
• Fast enough
  Must be fast enough to sense and react in time to prevent the potential hazard
• Strong enough
  Must be able to survive all arising situations when preventing the hazardous event
Are you safe if you buy a SIL 3 PLC?

• NO!!!
• Need to consider the sensing and final elements
• Need to consider systematic capability
  This applies to the integrator of the logic solver: look at their quality system
  This applies to the installer of the safety instrumented functions (SIF): look at their quality system
• Need to carefully consider proof test intervals and proof test coverage
  Short proof test intervals should be avoided, as the testing often requires a plant shutdown
  It is incorrect to assume that the proof test is perfect
  This can have a profound effect on the result, because we are dealing with very small numbers
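To put numbers on the PFDavg requirement from the SIL levels slide and on the proof test points above, here is a Python example, added for this page and not taken from HIMA material. It uses the simplified low-demand PFDavg approximations associated with IEC 61508-6 (repair time neglected) and the low-demand SIL bands of IEC 61508-1; the failure rates, common cause factor, test interval and mission time in demo() are constructed values, not data for any real device.

```python
"""PFDavg for simple SIF subsystem architectures, with the effect of the
proof test interval and of imperfect proof test coverage.

Added example for this page, not HIMA material. Simplified low-demand
approximations (repair time neglected) as used with IEC 61508-6:

  1oo1: PFDavg = lambda_DU * TI / 2
  1oo2: PFDavg = (lambda_DU * TI)^2 / 3 + beta * lambda_DU * TI / 2
  2oo3: PFDavg = (lambda_DU * TI)^2     + beta * lambda_DU * TI / 2

lambda_DU = dangerous undetected failure rate (per hour)
TI        = proof test interval (hours)
beta      = common cause factor between redundant channels

With proof test coverage C < 1, the share (1 - C) of lambda_DU that the
proof test cannot reveal stays latent until the end of the mission
time MT, so for a single channel

  PFDavg = lambda_DU * (C * TI / 2 + (1 - C) * MT / 2)

SIL bands: low-demand bands of IEC 61508-1 Table 2.
"""
from typing import Optional

HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lam_du: float, ti_h: float, coverage: float = 1.0,
             mission_h: Optional[float] = None) -> float:
    """Single channel. coverage < 1 needs the mission time, because the
    untested part of lambda_DU is only cleared at the end of the mission."""
    if coverage >= 1.0:
        return lam_du * ti_h / 2
    if mission_h is None:
        raise ValueError("mission_h is required when coverage < 1")
    return lam_du * (coverage * ti_h / 2 + (1 - coverage) * mission_h / 2)


def pfd_1oo2(lam_du: float, ti_h: float, beta: float) -> float:
    """Two channels, trip if either demands it; beta is the common cause share."""
    lt = lam_du * ti_h
    return lt ** 2 / 3 + beta * lt / 2


def pfd_2oo3(lam_du: float, ti_h: float, beta: float) -> float:
    """Three channels, majority vote; two dangerous failures defeat it."""
    lt = lam_du * ti_h
    return lt ** 2 + beta * lt / 2


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg; 0 means below SIL 1."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def sif_pfd(*subsystem_pfds: float) -> float:
    """A SIF's PFDavg is the sum over sensor, logic solver and final element."""
    return sum(subsystem_pfds)


def demo() -> dict:
    """Constructed figures (not from any real device) for one shutdown SIF."""
    lam_sensor = 2.0e-7       # /h, dangerous undetected, single transmitter
    lam_valve = 5.0e-7        # /h, dangerous undetected, single shutdown valve
    logic_solver = 1.0e-5     # constructed PFDavg of a SIL 3-capable logic solver
    ti = 1 * HOURS_PER_YEAR   # yearly proof test
    mt = 20 * HOURS_PER_YEAR  # 20-year mission time
    sensor_perfect = pfd_1oo1(lam_sensor, ti)                              # 8.76e-4
    sensor_90pct = pfd_1oo1(lam_sensor, ti, coverage=0.9, mission_h=mt)    # 2.54e-3
    total = sif_pfd(sensor_perfect, logic_solver, pfd_1oo1(lam_valve, ti))  # 3.08e-3
    return {
        "sensor_1oo1_perfect_test": sensor_perfect,
        "sensor_1oo1_perfect_test_sil": sil_from_pfd(sensor_perfect),   # 3
        "sensor_1oo1_90pct_coverage": sensor_90pct,
        "sensor_1oo1_90pct_coverage_sil": sil_from_pfd(sensor_90pct),   # 2
        "sensor_1oo2_beta_5pct": pfd_1oo2(lam_sensor, ti, beta=0.05),
        "sensor_2oo3_beta_5pct": pfd_2oo3(lam_sensor, ti, beta=0.05),
        "sif_total": total,
        "sif_total_sil": sil_from_pfd(total),                            # 2
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

demo() makes the slide's point with numbers: a single channel that reaches the SIL 3 PFD band with a perfect yearly proof test drops into the SIL 2 band once the test is assumed to find only 90% of the dangerous failures over a 20-year mission, and the complete SIF (sensor + logic solver + final element) sums to SIL 2 even with a SIL 3-capable logic solver. For the redundant architectures the beta term dominates, which is why common cause matters more than the squared term. PFDavg is only one requirement: the hardware fault tolerance tables of IEC 61508-2 and the systematic capability requirements apply on top of it.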
Safety and non-safety in one application, or separate safety and non-safety?

• Considerations for separating:
  Hazards are caused by the non-safety application
  The risk assessment is not able to separate the causes
  Required by Buncefield recommendation 3: "physical and electrical independence"
  The need for cyber security

• Considerations for systematic capability!!!
  Often the same person programming the non-safety application will be programming the safety application!
Safety and non-safety in one application, or separate safety and non-safety?

(Figure: layers of protection, prevent and mitigate)
Safety and non-safety in one application, or separate safety and non-safety?

The risk we talk about is related to a hazard.

‣ Risk is a combination of
  ‣ the severity of the consequences (C)
  ‣ the frequency of occurrence (F)
‣ Risk = C × F

Risk_safety = probability of damage × potential of the damage
Security is a foundation for safety.

Functional safety: Risk_safety = probability of damage × potential of the damage

Cyber security: Risk_security = threat × vulnerability × potential of the damage

(Figure: the system ("Sys.") and its environment ("World"), shown for functional safety, for cyber security, and for the safety system)
Compartmentalize. Avoid universal access.

(Figure: zones and conduits: Internet | conduit | Enterprise | Plant DMZ | conduit | Control Center | SIS and BPCS | conduit | Plant)
Security is a process.

(Figure: the security cycle of risk analysis, protect, detect and react, alongside the zone and conduit diagram: Internet | conduit | Enterprise | Plant DMZ | conduit | Control Center | SIS and BPCS | conduit | Plant)

Security is a process to reduce the risk of damage due to external influence. This process can be supported by technical measures.

Both IEC 61511 (safety) and the draft of IEC 62443 (security) demand that systems be built in multiple layers of protection (defence in depth).

Source: IEC 62443-3-3
Segregation of non-safe networks.

Besides the use of VLANs, HIMax offers complete segregation: this interference-free implementation guarantees segregated networks even for non-safe protocols.

(Figure: HIMax modules: X-CPU with the Safety-Net (safeethernet; maximum safety, SIL 3; maximum availability); X-COM modules with the Field Net and DCS-Net for non-safe communication (maximum availability); X-SB; RJ45 ports)
Security is supported by HIMA products:

High-quality development process
  HIMA products are developed for safety following the four-eyes principle
  Only documented communication ports are available; no backdoor
  Minimal attack surface: only the required services are integrated
Systematic use
  A separate system supports the avoidance of common cause failures and the multi-layer protection concept
Products with security features
  Segregation of the safety network (CPU) and the non-safety network (COM)
  Standard Ethernet protocols can be used with any firewall
  Blocking of control functions via key switch
  Display of program changes in the DCS system via CRC
  Unused physical ports can be closed by using port-based VLANs
High-quality programming environment
  SILworX checks all software components prior to use
  Code comparison to detect changes in the user program
  2-level user management
  Simple project backup (one file)
  User access in Windows is sufficient
Secure OPC server
  Runs as a service; no login to Windows is required
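Two of the features listed above, the CRC of the loaded program shown in the DCS and the code comparison in SILworX, are change detection. The following Python example, added for this page and not HIMA or SILworX code, shows the CRC check in its simplest form and then the caveat a security reviewer would add: CRC-32 is a linear checksum, so anyone able to alter a program image can also append four bytes that restore the original CRC. That is a generic property of CRC-32, not a statement about any HIMA product; detecting a deliberate change needs a keyed MAC whose key is not available on the engineering station. The program images and the key are constructed strings.

```python
"""Detecting a changed user program by CRC, and why a CRC is change
detection rather than tamper evidence.

Added example, not HIMA or SILworX code. It models the idea behind
"display of program changes in the DCS via CRC": the checksum of the
loaded application is recorded at acceptance and compared later. The
second half shows a generic property of CRC-32 (nothing specific to any
HIMA product): four appended bytes can force any wanted CRC, so a keyed
MAC is what a deliberate change has to be checked against.
"""
import hashlib
import hmac
import zlib

CRC_POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib.crc32


def program_crc(image: bytes) -> int:
    """CRC-32 of the program image, as a logic solver might display it."""
    return zlib.crc32(image) & 0xFFFFFFFF


def crc_unchanged(image: bytes, accepted_crc: int) -> bool:
    """The DCS-side check: does the live CRC still match the accepted one?"""
    return program_crc(image) == accepted_crc


def program_mac(image: bytes, key: bytes) -> bytes:
    """Keyed integrity value (HMAC-SHA256) over the program image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def mac_unchanged(image: bytes, key: bytes, accepted_mac: bytes) -> bool:
    return hmac.compare_digest(program_mac(image, key), accepted_mac)


def _undo_32_zero_shifts(reg: int) -> int:
    """Inverse of feeding 32 zero bits through the CRC-32 register."""
    for _ in range(32):
        if reg & 0x80000000:
            reg = ((reg ^ CRC_POLY) << 1) | 1
        else:
            reg <<= 1
    return reg & 0xFFFFFFFF


def append_crc_fixup(image: bytes, wanted_crc: int) -> bytes:
    """Return image + 4 bytes such that program_crc(result) == wanted_crc.

    Feeding bytes x0..x3 into the register equals XORing the little-endian
    word x into the register and then feeding four zero bytes, so the word
    needed is current_state XOR inverse_shift(wanted_state).
    """
    current = program_crc(image) ^ 0xFFFFFFFF   # undo zlib's final XOR
    wanted = wanted_crc ^ 0xFFFFFFFF
    fix = current ^ _undo_32_zero_shifts(wanted)
    return image + fix.to_bytes(4, "little")


def demo() -> dict:
    """Constructed program images and key; not taken from any real system."""
    key = b"commissioning-key-kept-off-the-engineering-pc"
    accepted = b"IF LEVEL_HH THEN TRIP_ESDV_101 := TRUE; END_IF"
    changed = b"IF LEVEL_HH THEN TRIP_ESDV_101 := FALSE; END_IF"
    crc0, mac0 = program_crc(accepted), program_mac(accepted, key)
    forged = append_crc_fixup(changed, crc0)   # changed logic, old CRC
    return {
        "honest_change_seen_by_crc": not crc_unchanged(changed, crc0),       # True
        "fixed_up_change_seen_by_crc": not crc_unchanged(forged, crc0),      # False
        "fixed_up_change_seen_by_mac": not mac_unchanged(forged, key, mac0), # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

demo() shows the three outcomes: an honest change is caught by the CRC, the same change with the appended fix-up is not, and the HMAC catches both. The CRC display remains useful against accidental changes and for confirming that the downloaded program matches the accepted one; the lesson of "Be reluctant to trust" is not to treat it as proof of integrity against an adversary who can write to the controller.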
Be reluctant to trust.

… even vendors of secure products have to admit failures.
Always the right solution?

HIMA can help you get the right solution and have the safety system you need!

Maximum security and availability