9th IFAC Conference on Manufacturing Modelling, Management and Control
Berlin, Germany, August 28-30, 2019

Available online at www.sciencedirect.com
ScienceDirect
IFAC PapersOnLine 52-13 (2019) 1391–1396
“Safety management system” and Significant Plants of Critical Information Infrastructure

Andrey Kalashnikov*, Ekaterina Sakrutina**

*,** V.A. Trapeznikov Institute of Control Sciences, 65 Profsoyuznaya, Moscow 117997, Russia
(e-mail: *aokalash@ipu.ru, **consoft@ipu.ru)
Abstract: Increasing the safety has always been one of the main priorities for significant plants of critical information infrastructure. Under the conditions of intensive development and putting into operation of information technologies, particular attention is paid to issues of providing the safety. One of the solutions is creating the information and analytical system “Safety management system”, which implements monitoring of information on the safety on the basis of system regularities. In the paper, important functions of the “Safety management system” are considered in the part of timely identification of threats and vulnerabilities. Putting such systems into operation in the significant plants of critical information infrastructure will increase the safety performance of the engineering plants. Copyright © 2019 IFAC

Keywords: safety management, safety event, event model, risk, critical information infrastructure, significant plant of critical information infrastructure.

1. INTRODUCTION

Under the conditions of intensive development and putting into operation of information technologies, particular attention is paid to issues of providing the safety of critically important plants, which involve large hydroengineering constructions, power engineering plants (including nuclear power engineering), idle chemical manufacturing, transportation nodes, etc. (Hashemian and Feltus, 2006; Jharko, 2008; Tsegaye and Flowerday, 2014; Hamida et al., 2015; Wang, 2016; Mononen and Leviäkangas, 2016; Gnonia and Salehb, 2017; Jharko, 2017; PandaLabs, 2018). Advanced enterprises in their development have crossed an invisible line separating the world of machines and aggregates from the virtual world of computer programs, having been transformed, in essence, into cyberphysical systems, where computer code instructions control physical-world plants. These cyberphysical systems are built using advanced IT technologies and are united with each other and with the external cyber-world by wired and wireless communication channels. This greatly simplifies their effective use and development but, simultaneously, makes them vulnerable to the threat of computer attacks (Critical Infrastructure, 2016; Critical Infrastructure Protection, 2016).

The danger that introducing cyberphysical technologies brings to the technological process and equipment is increasingly recognized by information security specialists. However, in the opinion of the majority of people involved in or associated with the process, solving the cyber protection problem of industrial enterprises is proceeding extremely slowly. As a rule, meanwhile, one points to different reasons and factors complicating and moderating the motion towards the protection of industrial plants, or being an obstacle to such motion at all.

Violation of the regular performance of such plants may lead to hard consequences. The totality of critically important plants forms the entity of the notion of the critically important infrastructure. For successful implementation of measures of critically important infrastructure protection, one needs to solve many problems, one of which is concerned with creating a system for monitoring safety threats, whose main purpose is decreasing the action to a minimal risk level and minimizing the appearing damage. One of the solutions is creating the information and analytical system “Safety management system” (Labaka et al., 2015; Jharko and Sakrutina, 2017; Banda and Goerlandt, 2018; Kalashnikov and Sakrutina, 2018a, 2018b; Li and Guldenmund, 2018; Wahlström, 2018; Jun and Mingguang, 2019), which implements monitoring of information on the safety by system regularities.

Action of computer attacks on the information-technological structure of a plant, leading to its technological parameters exiting the set normative limits, may imply non-regular situations with hard and even catastrophic consequences. For successful implementation of protection measures of significant plants of critical information infrastructure (SPCII), a number of problems need to be solved, among which the safety threats monitoring system is the main one. In the last years, the system causes of many accidents at SPCII have led to a considerable increase of the interest in procedures of risk identification and control (Sakrutina, 2017), as well as in the development of proactive models. The main accent in proactive models is placed on the prophylactics of the appearance of accident threats (a dangerous event) by revealing dangerous factors and undertaking measures on decreasing the risk. Proactive models provide an evaluation of the risk potential of factors revealed before an accident appears and influences the SPCII performance.

Developing the information and analytical system “Safety management system” in plants of critical information
2405-8963 © 2019, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Peer review under responsibility of International Federation of Automatic Control.
10.1016/j.ifacol.2019.11.393

infrastructure, involving nuclear power engineering as well, is implemented in the direction of achieving a high level of quality and profitability and is characterized by the growth of the technical equipment and the complexity of processes.

The high requirements on the safety define the necessity of applying and improving automated tools and systems for diagnosing and timely detecting faults in technological processes (threats, danger factors) in order to prevent their consequences and decrease losses of time, material, financial, and other resources. The faults, understood as non-conformities to the assigned technologies, are conditioned by different objective and subjective causes.

Diagnostics and monitoring techniques applied in the power engineering are mainly directed at increasing the safety and providing the performability of engineering equipment, and are not sufficiently oriented to detecting faults in the activity sphere that provides the profitability. Plant analysis in the full sense shows that known diagnostic techniques become non-effective at detecting faults in processes, and new approaches are needed, involving the development of danger factor identification methods.

Fig. 1. Evaluation of the safety status on the basis of the factor analysis.

2. PROPERTIES OF THE “SAFETY MANAGEMENT SYSTEM” IN THE POWER ENGINEERING

Increasing safety has always been one of the main priorities for power engineering plants. Nevertheless, due to the development of conventional power engineering and the presence of a probability of accidents of different kinds, the opinion is present in the international community that conventional reactive approaches to decreasing the risk may be insufficient. In recent years, the systemic causes of many accidents in power engineering have led to increasing interest in procedures of verification and risk management, as well as in developing safety control systems in power engineering that have three main characteristics:
• Systemacy – measures on safety control are implemented according to a developed Safety Program and are applied consistently;
• Proactivity – an approach under which the main accent is placed on preventive measures: revealing dangerous factors and undertaking measures to decrease the risk before a dangerous event occurs and unfavourably influences the safety status;
• Clearness – measures on safety control are to be documented, evident, and implemented separately from other kinds of control activity.

In papers devoted to safety control systems (Hsu, 2008; Liou et al., 2008; Ding et al., 2015; Li et al., 2018), predictions of the influence of different factors on safety are constructed by approximating statistical data and expert evaluations, but direct mathematical modelling of the organizational mechanisms is not implemented.

Performing a safety control system in power engineering is to be a closed cycle of successively implemented operations: revealing risk factors, evaluating the danger degree of the risk factors revealed, elaborating variants of actions for localizing the risk factors, informing regulatory organs and supporting decisions, and analysing the efficiency of the measures undertaken. Fig. 1 displays a schematic of the safety status evaluation by factor analysis, where the methodology of the Deming-Shewhart cycle (PDCA) is applied for persistent safety improvement. Applying the proposed approach to constructing an SMS is based on monitoring the system efficiency, which in turn is based on identified critical safety parameters (CSP) (Kalashnikov and Sakrutina, 2018a, 2018b) important for planning, monitoring, evaluating, and modifying requirements to the SMS. Fig. 2 displays the scheme of monitoring performance on the basis of the PDCA methodology.

Fig. 2. Monitoring performance scheme.

Fig. 3. Relationship of residual risks.

The commonly corporate approach to safety is intended to implement persistent improvement of a safety system and pursues the following primary goals:
• Operative and persistent decrease of the residual system risk (see Fig. 3 – two connected types of events are forwarded to the first line: accidents and vulnerabilities that are covered by the safety policy through the use concept and implementation drift);
• Evaluation of the actual applicability and real efficiency of the safety policy for the purpose of its persistent improvement.

Such an approach, which considerably depends on using traces available in different components of an information system, is unavoidably organized around the “event-model” view, and can also be associated with the PDCA model that is conventionally used in quality and safety analysis. Thus, in the first turn, this assumes implementing the “Check” step of the PDCA model through very detailed knowledge of threats and vulnerabilities.

Recent trends in the safety branch show that considerable progress can be achieved within several years by putting into operation the information and analytical system “Safety management system” at the scale of the nuclear power engineering plant as a whole.

An analysis and evaluation of risks are impossible without understanding the properties of the power engineering safety control system. Concerning the power engineering system, this totality involves such elements as hardware tools, software, supervisory control potential, ergonomics, biomechanics, and the human factor.

Safety risk management is not a linear process in which one component influences the next one. Safety risk management is a multi-directed cyclic process in which practically all components can act and act on each other. There exists a direct interconnection between organization purposes and the components of the risk management process, these being the actions needed to achieve them. This interconnection is represented in a three-dimensional matrix (see Fig. 4).

Fig. 4. The interaction between the purposes and components of the risks management process.

3. DANGERS IDENTIFICATION AND USED METHODS

Event – an event (accident, incident, alarm) having an internal or external source with respect to the organization and influencing the achievement of the goals set. The influence of events may be positive, negative, or mixed. Events negatively influencing the organization's activity are the risks.

A risk may be defined as potential damage, involving unsafe actions and/or conditions that may end in particular situations of any classification. A risk is a specifying notion of danger and is considered as the event danger degree together with the event appearance frequency (event probability, the absolute number of incidents of different kinds). Determining risks concerning safety is the initial stage of risk management, at which the identification of threats and their analysis are implemented.

The purpose of danger identification and risk process analysis is to simplify the development of control decision making to prevent possible risks.

By their character, methods of revealing danger factors can be implemented by use of the following strategies:

Retroactive – a strategy that assumes reacting to events/accidents by undertaking measures directed at preventing their repetition in the future. The retroactive strategy assumes receiving and analysing data on accidents, engineering faults, events, etc.

Proactive – a strategy under which the main accent is placed on revealing danger factors and undertaking measures to remove them before an event able to reflect negatively on safety indexes appears. Under this strategy, active information sampling from different sources is implemented. The risk of accidents appearing can be reduced to a minimum by revealing vulnerability features before they manifest themselves.

Prognostic – a strategy based on revealing potential danger factors in previous manufacturing activity and developing measures to prevent their manifestation. In essence, prognostic systems of sampling data on safety are statistical systems collecting and analysing a considerable volume of adequate data that, per se, have no critical meaning. The data obtained are then united with the data of the retroactive and proactive systems of sampling information on safety.

The safety level evaluation is implemented by forming situation evaluation indexes that account for the divisions responsible for event appearance, the predicted accident types, and the number of factors influencing these events.

4. EVALUATION OF SAFETY RISKS

The purpose and primary result of the analysis and evaluation of risks are developing correcting and/or preventing measures/actions to keep the risks of potential consequences of acting danger factors at an acceptable level.

The most informative analysis of power engineering plant performance in the branch of safety assurance is the multivariate principle of processing statistical data by applying expert conclusions. Dangers in the risk management system are documented and monitored. The volume and content of the safety identification function cover all manufacturing activity; meanwhile, data sampling is implemented on retroactive, proactive, and prognostic schemes.

To determine the effect of applying the risk management process and the correctness of preventive measures, persistent risk monitoring is to be implemented.

The appearance of a particular situation is nothing but the manifestation of risks and dangers. To implement the multivariate system analysis, one needs to have a notion of the kind of particular situation, so that events can be classified according to the degree of consequence heaviness.
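
Section 4 evaluates each event by its appearance frequency and the heaviness of its consequences and reads the risk degree, with a corresponding action, from a risk matrix. The following Python is an added example, not the authors' code: it derives the risk degree and action for every event kind in a constructed retroactive incident log, and reports records whose consequence class was never recorded, since the text notes that the analysis result is restricted by the quality of the alarm/incident data. The frequency thresholds, the 1..4 consequence scale, the matrix cells, the actions and the log entries are all assumed values.

```python
"""Added example (not the authors' code): deriving the risk degree and the
corrective action for each event kind from retroactive incident data, as the
risk matrix in Section 4 combines a frequency category with a consequence
class. Thresholds, class scale, matrix, actions and log are constructed."""
from collections import Counter, defaultdict

# Constructed retroactive data: (event kind, consequence class 1..4, or None
# when the class was never recorded, i.e. a data-quality gap in the database).
INCIDENT_LOG = [
    ("cooling_pump_alarm", 1), ("cooling_pump_alarm", 1), ("cooling_pump_alarm", 2),
    ("cooling_pump_alarm", 1), ("cooling_pump_alarm", 1),
    ("control_network_loss", 3), ("control_network_loss", 3),
    ("unauthorized_hmi_login", 4),
    ("sensor_drift", None),
]

# Assumed risk matrix: frequency category (rows 1..4) x consequence class
# (columns 1..4) -> risk degree.
RISK_MATRIX = {
    4: ["medium", "high", "high", "critical"],
    3: ["low", "medium", "high", "critical"],
    2: ["low", "medium", "medium", "high"],
    1: ["low", "low", "medium", "high"],
}
# Assumed action developed for each risk degree.
ACTIONS = {
    "low": "keep under monitoring",
    "medium": "schedule a corrective measure",
    "high": "undertake a preventive measure immediately",
    "critical": "stop the process and inform the regulatory organ",
}
URGENCY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def frequency_category(count):
    """Map the incident count of one event kind over the reporting period to
    an assumed frequency category: 4 frequent, 3 probable, 2 rare, 1 remote."""
    if count >= 5:
        return 4
    if count >= 2:
        return 3
    return 2 if count == 1 else 1


def evaluate_risks(log):
    """Return (risks list, incomplete records). Each risk entry carries the
    frequency category, the worst consequence class observed, the degree read
    from the matrix and the action. Records without a consequence class are
    reported rather than silently dropped: the analysis result is restricted
    by the quality of the data set."""
    counts, worst_class, incomplete = Counter(), defaultdict(int), []
    for kind, cls in log:
        if cls is None:
            incomplete.append(kind)
            continue
        counts[kind] += 1
        worst_class[kind] = max(worst_class[kind], cls)
    risks = []
    for kind, n in counts.items():
        cat, cls = frequency_category(n), worst_class[kind]
        degree = RISK_MATRIX[cat][cls - 1]
        risks.append({"event": kind, "frequency": n, "category": cat,
                      "class": cls, "degree": degree, "action": ACTIONS[degree]})
    # Most urgent first; equal degrees ordered by frequency, showing that events
    # equal in risk degree may still differ in danger and probability.
    risks.sort(key=lambda r: (URGENCY[r["degree"]], -r["frequency"]))
    return risks, incomplete
```

On the constructed log all three event kinds come out with the same "high" degree although they differ in category and class, which is exactly the point the text makes about the risk degree; the unclassified sensor_drift record is returned separately for data-quality follow-up.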

Events are classified by the gradation of their influence on safety and their correspondence to types of particular situations.

To systematize the dangers identification process and to evaluate the event risk degree, the risk matrix is applied, which has categories of particular situations defined according to the frequency of appearance of situations of a given kind, and classes of particular situations according to a categorization adopted for each power engineering plant type. The risk degree is a parameter defining measures of action to prevent a situation. Each risk degree is to have a corresponding action developed, oriented to decreasing the risk degree of appearance of particular situations of the given kind. Thus, an event that has appeared can be evaluated by the risk index corresponding to the category, class, and degree of the risk. The sense of using the risk degree is the possibility that different events may be equal in risk degree but differ in their danger and have different appearance probabilities.

Identification is the first and one of the primary stages of safety risk analysis. Risks whose existence or properties are not known are impossible to control. So, the problem of detecting all risks is of extreme importance (A Guide…, 2013).

In essence, safety risk identification reduces to revealing possible problems. In the given case, a “problem” can be understood as something that can stand between the organization operating the power engineering plant and its purposes in the safety branch. In other words, one should define in advance what can go “not correctly”, so as subsequently to find how to remove or avoid the danger revealed.

Safety risk identification is a process of finding, listing, and describing risk elements. The main risk elements are:
• Causes that lead to the appearance of a dangerous phenomenon;
• Types of actions that can lead to a change in the safety level;
• Consequences, being losses due to the action, and their evaluation by the subject;
• Risk factors that influence the probability of the risk being realized and the heaviness of the consequences.

Organizing the safety risk identification process requires answering many questions that, in particular, involve:
• Which information should be collected;
• Information sources;
• Systematization/structuring and storage of information;
• Input information analysis.

The identification process frequently reduces to determining the so-called “risk exposure”. The risk exposure (Labaka et al., 2015; Kalashnikov and Sakrutina, 2018a, 2018b) is a “unit” of accounting risks, which is set by the following parameters:
• The plant that can be damaged;
• The subject that will have losses due to damage to the given plant as a result of the appearance of the given event;
• Subject losses caused by damage to the given plant as a result of the appearance of the indicated event.

For the full risk exposure description, one should determine all the parameters. It is worthwhile to note that changing at least one of the parameters denotes a change in the risk exposure.

As a result of the safety risk identification process, a risk list will contain:
• A list of potential actions on correcting measures;
• Primary causes of the risk appearance;
• Specification of the risk category.

Input information (data on alarms/incidents) is the critical element of the safety control system. Indeed, from data on alarms/incidents one can obtain safety indexes and quantitative risk evaluations. However, the quality of the data on alarms/incidents available in organization databases may influence the results (i.e., the result of the analysis will be restricted by the quality of the data sets available). This problem worsens under an attempt to aggregate the databases of different organizations.

5. CONCLUSIONS

The analysis and risk evaluation of the operation of significant plants of the critical information infrastructure are impossible without understanding the whole totality of systems of significant plants, involving such elements as hardware, software, ergonomics, and the human factor (Jharko and Sakrutina, 2018; Kalashnikov and Sakrutina, 2018a, 2018b). This system integrity is such that its properties cannot be reduced to the simple sum of its subsystems, and exclusion of any one of them leads to violation of the system performance.

Putting into operation information and analytical systems “Safety management system” in significant plants of the critical information infrastructure provides the timely identification of dangers and vulnerabilities, as well as risk evaluation, and, hence, will simplify developing control solutions to prevent the appearance of events influencing safety. The systemic approach to the early detection of dangers and vulnerabilities is the vital component of safety assurance for significant plants of critical information infrastructure. Performing the “Safety management system” within the make-up of upper-level systems of significant plants of critical information infrastructure enables one to provide normal plant operation and to preserve critical safety parameters within operation limits.

REFERENCES

Banda, O.A.V. and F. Goerlandt (2018). A STAMP-based approach for designing maritime safety management systems, Safety Science, vol. 109, pp. 109-129.

Critical Infrastructure: Cyber-attacks on the backbone of today’s economy. PandaSecurity. (2016).
Critical Infrastructure Protection – Governance Around the World, Kaspersky Lab ICS CERT (2016).
Ding, C.G., Lin, H.-R., Wu, C.-H., and T.-D. Jane (2015). Using LGM analysis to identify hidden contributors to risk in the operation of a nuclear power plant, Safety Science, vol. 75, pp. 64-71.
Gnoni, M.G. and J.H. Saleh (2017). Near-miss management systems and observability-in-depth: Handling safety incidents and accident precursors in light of safety principles, Safety Science, vol. 91, pp. 154-167.
A Guide to the Project Management Body of Knowledge: PMBOK(R) Guide. 5th Ed. Newtown Square, Pennsylvania: Project Management Institute. (2013).
Hamida, Y., Amine, B., and B. Mostafa (2015). Toward resilience management in critical information infrastructure, Proceedings of the 5th World Congress on Information and Communication Technologies (WICT), pp. 101-106.
Hashemian, H.M. and M.A. Feltus (2006). On-Line Condition Monitoring Applications in Nuclear Power Plants, NPIC&HMIT, Albuquerque, NM, USA, pp. 568-577.
Hsu, Y.-L. (2008). From reactive to proactive: using safety survey to assess effectiveness of airline SMS, Journal of Aeronautics, Astronautics and Aviation. Series A, vol. 40, no. 1, pp. 41-48.
Jharko, E. (2008). Design of Intelligent Information Support Systems for Human-Operators of Complex Plants, IFAC Proceedings Volumes, vol. 41, no. 2, pp. 2162-2167.
Jharko, E. (2017). Towards the problem of creating information operator support systems for nuclear power plants, Proceedings of the 2nd IEEE International Conference on Control in Technical Systems (CTS), pp. 356-359.
Jharko, E. and E. Sakrutina (2016). On creating safety control systems for high operation risk plants, Proceedings of 2016 International Siberian Conference on Control and Communications (SIBCON 2016), pp. 1-6.
Jharko, E. and E. Sakrutina (2017). Towards the Problem of Creating a Safety Management System in the Transportation Area, IFAC-PapersOnLine, vol. 50, no. 1, pp. 15610-15615.
Jharko, E. and E. Sakrutina (2018). Evaluation of Technical and Economic Indexes and Providing Normal Operation of Nuclear Power Plants, Proceedings of the 11th International Conference “Management of Large-Scale System Development” (MLSD). IEEE, pp. 1-5.
Jun, Sh. and Zh. Mingguang (2019). Framework and data management of digital design system for nuclear power, Annals of Nuclear Energy, vol. 124, pp. 418-425.
Kalashnikov, A. and E. Sakrutina (2018a). The Model of Evaluating the Risk Potential for Critical Infrastructure Plants of Nuclear Power Plants, Proceedings of the 11th International Conference “Management of Large-Scale System Development” (MLSD). IEEE, pp. 1-4.
Kalashnikov, A. and E. Sakrutina (2018b). Towards Risk Potential of Significant Plants of Critical Information Infrastructure, Proceedings of 2018 International Russian Automation Conference (RusAutoCon). IEEE, pp. 1-6.
Labaka, L., Hernantes, J., and J.M. Sarriegi (2015). Resilience framework for critical infrastructures: An empirical study in a nuclear plant, Reliability Engineering & System Safety, vol. 141, pp. 92-105.
Li, C.-Y., Wang, J.-H., Zhi, Y.-R., Wang, Z.-R., and J.-H. Gong (2018). Simulation of the Chlorination Process Safety Management System Based on System Dynamics Approach, Procedia Engineering, vol. 211, pp. 332-342.
Li, Y. and F.W. Guldenmund (2018). Safety management systems: A broad overview of the literature, Safety Science, vol. 103, pp. 94-123.
Liou, J.H., Yen, L., and G.H. Tzeng (2008). Building an effective safety management system for airlines, Journal of Air Transport Management, vol. 14, no. 1, pp. 20-26.
Mononen, P. and P. Leviäkangas (2016). Transport safety agency's success indicators – How well does a performance management system perform?, Transport Policy, vol. 45, pp. 230-239.
PandaLabs Annual Report, PandaSecurity. (2018).
Sakrutina, E. (2017). Some Functions of the “Safety management system” in the Transportation Area Safety Assurance, Proceedings of the IEEE International Siberian Conference on Control and Communications (SIBCON 2017), pp. 1-5.
Tsegaye, T. and S. Flowerday (2014). Controls for Protecting Critical Information Infrastructure from Cyberattacks, Proceedings of the World Congress on Internet Security (WorldCIS 2014), pp. 24-29.
Wahlström, B. (2018). Systemic thinking in support of safety management in nuclear power plants, Safety Science, vol. 109, pp. 201-218.
Wang, F., Wang Jiqun, Wang Jin, Li, Y., Hu, L., and Y. Wu (2016). Risk monitor riskangel for risk-informed applications in nuclear power plants, Annals of Nuclear Energy, vol. 91, pp. 142-147.
