
The Importance of Functional Safety, Alarms and Cybersecurity for Safety Instrumented Systems

Agenda
• Introduction
• Importance of Safety & Cyber Security
• Importance of Safety & Alarm Management
• Conclusion
Introduction

• Modern SIS & BPCS utilize more intelligent and connected devices:
  + Open architectures provide vulnerabilities to cyber attacks
  + Recent incidents have highlighted this problem
• Operators can be overwhelmed during process upsets and/or emergency situations
  + Accidents have been attributed to alarm floods confusing operators
  + Diagnostics often provide a large amount of information that ends up being treated as “alarms” when it should be alerts/advisories

Figure: SIS, BPCS and Operator Response to Alarm are Layers of Protection
Functional Safety & Cybersecurity
How Your SIS Can be Infected!
What is IACS Security?

• Prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems via the use of:
  + computers, networks, operating systems, applications
  + other programmable configurable components of the system
• Goes by many names:
  + SCADA Security
  + PCN Security
  + Industrial Automation and Control System Security
  + Control System Cyber Security
  + Industrial Network Security
  + Electronic Security for Industrial Automation and Control Systems
Functional Safety & Cyber

The final task in the assessment or FEED phase is to document the system-level cyber security requirements:
• Scope and purpose of the system
• Physical and environmental security requirements
• General cyber security requirements
• Zone and Conduit specific requirements

Groupings of Requirements
• Access Control requirements
  + Identification and authentication of users
  + User roles and privileges
  + User administration
• Confidentiality, Integrity and Availability requirements
• Monitoring and reporting requirements

ISA 62443-3-3 “System security requirements and security levels” is the standard that provides the overall system-level cyber security requirements for IACS (Industrial automation and control systems).
Additional guidance is provided by ISA TR84.00.09 “Cybersecurity Related to the Functional Safety Lifecycle”.
Changes in IEC 61511-1 (2016)

IEC 61511-1 2016 now requires end users to ensure that adequate steps have been taken to protect the SIS from cyber attacks:
• Perform a Risk Assessment
• Document potential threats that could exploit vulnerabilities
• Understand the risks posed by these threats (i.e. Consequence & Likelihood)
• Consideration of all lifecycle phases and requirements for additional risk reduction
What Are IACS Vulnerabilities?

• Commercial Off-the-Shelf Technology (COTS) and protocols
  + Integration of technology such as MS Windows, SQL, and TCP/IP means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems
• Enterprise Integration
  + Enterprise integration (using plant, corporate and even public networks) means that (legacy) process control systems are now being subjected to stresses they were not designed for
• Remote Access
  + 24/7 access for engineering, operations or technical support means more insecure or rogue connections to the control system
• Public Information
  + Manuals on how to use control systems, and passwords, are publicly available
Pathways into the Control Network

Figure: pathways into the control network, from the Internet and infected remote support through the office LAN, unauthorized connections, mis-configured firewalls, infected laptops and modems into the plant network and control LAN, and on to external PLC networks and RS-232 links.
Why is IACS Security Important for SIS?

• SIS/Control/SCADA systems control “real-world” devices and processes
• Failure or unpredictable operation of a SIS/Control/SCADA system can lead to serious consequences:
  + Production loss / service interruption
  + Off spec / dangerous product
  + Environmental releases
  + Sickness / injury / death
• IACS equipment has been shown to be more sensitive to excessive network traffic
Why Is This Important?

• Modern SIS systems and BPCS communicate via a Process Control Network
• Use of Ethernet and open standard protocols provides vulnerabilities
• Compromising an SIS via a cyber incursion could have drastic effects due to loss of safety functions

Management Agenda
• Don’t be nostalgic – Understand the history
• Understand the economic drivers of:
  + Commercial Off-The-Shelf Technology
  + Remote Access
  + Network Systems
• Prevent the SIS from being compromised to avoid potential disastrous outcomes
Functional Safety & Alarm Management
How Your SIS Can be Affected!

Figure: layers of protection between the process and the risk scale (zero to high): SIS, Alarm, BPCS and Mechanical, with the labels SIL 2, SIL 1, RRF = 667, RRF = 10 and RRF = 15 shown against the layers.
Safety & Alarm Management

• What is the main purpose of having an effective alarm management system?
  a) Ensure safe operations
  b) Prevent unplanned shutdowns, damage to equipment, and process safety incidents
  c) As a tool to help the operator perform their role
  d) To ensure compliance with standards (ISA-18.2) and regulations (OSHA PSM)

Can prevent safety incidents and help the operator keep the process within normal operating limits (optimized production)
What is the purpose of an Alarm?

• To make operators aware of abnormal situations
• To help operators diagnose the source of an upset
• To guide them to an appropriate response in order to prevent an impending (likely) consequence

Figure: Normal → Abnormal → Alarm → Effective Response → Normal; Alarm → Ineffective Response → Shutdown

Each alarm is important. If there is no response, or the response is ineffective, then something bad (the consequence) will occur
Common Alarm Management Issues

• Alarm Overload (Too many alarms for the operator, which compromises the BPCS/Alarm protection layer, increasing demands on the SIS, leading to increased risk)
• Alarm Floods
• Nuisance Alarms
  + Chattering Alarms
  + Standing / Stale Alarms
  + Bad Actors / Frequently Occurring
  + Redundant Alarms
  + Alarms which have no response
• Alarms with the Wrong Priority

The presence of these issues diminishes the usefulness of the alarm system
ISA-18.2 Standard

Figure: Alarm Management Lifecycle with the stages Philosophy, Identification, Rationalization, Detailed Design, Implementation, Operation, Maintenance, Monitoring & Assessment, Management of Change and Audit.

Recognized as “Good Engineering Practice” by insurance companies and regulatory agencies (OSHA)
What is an Alarm? (ISA-18.2)

• An audible and/or visual means of indicating to the operator an equipment malfunction, process deviation or other abnormal condition requiring a (timely) response. (ISA-18.2 / IEC 62682)
• Notifications / Events, classified by type of event and whether operator action is required:

  Type of Event | Operator Action Required | No Operator Action Required (Informational)
  Abnormal      | Alarm                    | Alert
  Expected      | Prompt                   | Message

Alarm Rationalization helps to ensure alarms meet these criteria
Key Design Principles

• Every alarm MUST have a defined response
• Adequate time MUST be allowed for the operator to implement a defined response
• Every alarm that is presented to the operator MUST be useful, relevant and unique
• Operators MUST not get more alarms than they can reasonably respond to
• Alarms MUST be prioritized and understandable

If Operator Response (Action) Can Not Be Defined → Not an alarm*
*Ref EEMUA 191 (2013)
Safety Alarms

• Safety Alarm (Safety Related Alarm): An alarm that is classified as critical to process safety or to the protection of human life or the environment. (ISA-18.2-2016)
• Specification: Define what is considered a Safety Alarm for your site
  + Prevention vs. Mitigation
  + Loss of Key Utility (power, air…)
  + SIS Diagnostic Fault
  + SIS Trip Failure
  + Defined as an IPL
  + Loss of Containment
  + Toxic Gas Detection

Figure: Venn diagram of SAFEGUARDS, IPLs and SAFETY ALARMS
Key Requirements for Safety Alarms

• Alarm Rationalization (including classification)
• Measure Alarm System Performance & Address Issues
• Operator Training / Alarm Response Procedures

New standard: ISA-84.91.03 “Functional Safety: Safety Controls, Alarms, and Interlocks for the Process Sector” will define requirements
Alarm Rationalization

• Determine whether alarm is justified & necessary (based on criteria in alarm philosophy document)
• Document alarm purpose / objective (cause, consequence, corrective action, response time)
• Document design (limit, priority, classification…)
• Record Results in a Master Alarm Database (MADB)

Goal is to create the minimum set of alarms needed to keep the plant safe and within normal operating limits.
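Added example (not from the presentation) of the rationalization step above and the Key Design Principles it enforces: candidate alarms are checked for a defined response, adequate response time and redundancy before being recorded in a MADB with a priority and classification. The priority matrix, tag names and time values are constructed assumptions.

```python
"""Rationalize candidate alarms into a Master Alarm Database (MADB).

Applies the page's design principles: an alarm with no defined operator
response is not an alarm (downgraded to an alert), the operator must have
adequate time to act, redundant alarms are dropped, and each surviving
alarm gets a priority and classification. The priority matrix and all
sample tags are constructed for this example, not taken from ISA-18.2."""
SEVERITY = {"safety": 3, "environmental": 2, "production": 1}  # constructed ranking

def priority(severity, allowable_response_time_s):
    """Constructed matrix: worse consequence and less time to respond -> higher priority."""
    score = SEVERITY[severity] + (1 if allowable_response_time_s < 300 else 0)
    return {4: "emergency", 3: "high", 2: "medium"}.get(score, "low")

def rationalize(candidates):
    """Return (madb, rejected): accepted MADB records and (tag, reason) pairs."""
    madb, rejected, seen = [], [], {}
    for c in candidates:
        if not c["operator_action"]:
            rejected.append((c["tag"], "no defined response: alert, not an alarm"))
            continue
        if c["operator_response_time_s"] > c["allowable_response_time_s"]:
            rejected.append((c["tag"], "inadequate time to respond: not a valid alarm"))
            continue
        key = (c["cause"], c["consequence"], c["operator_action"])
        if key in seen:  # same cause, consequence and action as an accepted alarm
            rejected.append((c["tag"], f"redundant with {seen[key]}"))
            continue
        seen[key] = c["tag"]
        madb.append({**c, "priority": priority(c["severity"], c["allowable_response_time_s"]),
                     "classification": "safety" if c["severity"] != "production" else "operational"})
    return madb, rejected

def run_sample():
    """Constructed candidate list that exercises each rationalization rule."""
    common = {"cause": "Compressor discharge blocked", "consequence": "Vessel overpressure",
              "severity": "safety", "operator_action": "Open bypass valve HV-101"}
    candidates = [
        {"tag": "PAH-101", **common, "allowable_response_time_s": 120, "operator_response_time_s": 60},
        {"tag": "PAHH-101", **common, "allowable_response_time_s": 60, "operator_response_time_s": 60},
        {"tag": "XA-201", "cause": "Transmitter diagnostic fault", "consequence": "Loss of measurement",
         "severity": "production", "operator_action": "",
         "allowable_response_time_s": 3600, "operator_response_time_s": 300},
        {"tag": "LAH-301", "cause": "Feed valve stuck open", "consequence": "Overflow to bund",
         "severity": "environmental", "operator_action": "Close FV-301",
         "allowable_response_time_s": 600, "operator_response_time_s": 900},
    ]
    return rationalize(candidates)
```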
Alarm Rationalization

• Reduces alarm load on the operator
• Maintains demand rate defined for the SIS
• Reduces the chance to miss critical alarms
• Removes nuisance alarms (chattering, fleeting or stale alarms)
• Eliminates redundant alarms (avoids the risk of confusion)
• Operator response is quicker, more consistent, and more effective
• Increases system integrity (improves operator trust of the alarm system)
• Alarms are prioritized for correct action
• Optimizes the risk reduction of alarms used as a safety layer of protection
Alarm Response Procedures / Operator Training

• To respond effectively, the operator needs to understand the alarm’s basis
  + What happened? (Likely cause(s) for the alarm)
  + What will happen if I don’t respond? (Consequences of Inaction)
  + What should I do? (Operator Action)
  + How can I verify it’s not a false alarm? (Confirmation)
  + How much time do I have to respond?
Monitoring & Assessment of Alarm System Performance

• Must evaluate alarm performance and proactively address issues (overload, nuisance alarms)
• Each activation of Safety Alarms must be reviewed / investigated
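Added example (not from the presentation) serving the Common Alarm Management Issues list and the monitoring step above: a Python assessment of a constructed alarm journal that flags floods, chattering alarms, standing/stale alarms and bad actors. The journal format, tag names and the chattering threshold are assumptions of this example.

```python
"""Assess alarm-system performance from an alarm/event journal.

Flags the issues named on the page: floods, chattering, standing/stale
alarms and bad actors. Flood (>10 alarms in 10 min) and stale (>24 h)
thresholds follow ISA-18.2 practice; the chattering rule (3 activations
within 60 s) and the journal format are assumptions of this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FLOOD_COUNT, FLOOD_WINDOW = 10, timedelta(minutes=10)
CHATTER_COUNT, CHATTER_WINDOW, STALE_AFTER = 3, timedelta(seconds=60), timedelta(hours=24)

def parse(lines):
    """Parse constructed 'ISO-timestamp TAG ACT|RTN' lines into sorted (time, tag, state)."""
    return sorted((datetime.fromisoformat(ts), tag, s) for ts, tag, s in map(str.split, lines))

def assess(events, now):
    """Return flood start times, chattering tags, stale tags and the top bad actors."""
    acts = [(t, tag) for t, tag, state in events if state == "ACT"]
    floods = []  # a flood starts when more than FLOOD_COUNT alarms occur within FLOOD_WINDOW
    for i, (t, _) in enumerate(acts):
        in_window = sum(1 for u, _ in acts[i:] if u - t < FLOOD_WINDOW)
        if in_window > FLOOD_COUNT and (not floods or t >= floods[-1] + FLOOD_WINDOW):
            floods.append(t)
    by_tag = defaultdict(list)  # activation times per tag, in time order
    for t, tag in acts:
        by_tag[tag].append(t)
    chattering = sorted(tag for tag, ts in by_tag.items()
                        if any(ts[j + CHATTER_COUNT - 1] - ts[j] <= CHATTER_WINDOW
                               for j in range(len(ts) - CHATTER_COUNT + 1)))
    last = {tag: (t, state) for t, tag, state in events}  # last transition per tag
    stale = sorted(tag for tag, (t, state) in last.items()
                   if state == "ACT" and now - t > STALE_AFTER)
    bad_actors = Counter(tag for _, tag in acts).most_common(3)
    return {"floods": floods, "chattering": chattering, "stale": stale, "bad_actors": bad_actors}

def sample_journal():
    """Constructed journal: one stale alarm, one chattering tag and an alarm flood."""
    lines = ["2024-05-01T06:00:00 LAH-301 ACT"]  # never returns to normal: stale
    base = datetime(2024, 5, 3, 8, 0, 0)
    for k in range(3):  # FIC-205 activates every 15 s: chattering
        t = base + timedelta(seconds=15 * k)
        lines += [f"{t.isoformat()} FIC-205 ACT", f"{(t + timedelta(seconds=5)).isoformat()} FIC-205 RTN"]
    for k in range(11):  # 11 distinct tags in 5 min: flood
        lines.append(f"{(base + timedelta(minutes=1, seconds=30 * k)).isoformat()} PAH-{100 + k} ACT")
    return lines

def run_sample():
    return assess(parse(sample_journal()), now=datetime(2024, 5, 3, 9, 0, 0))
```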
Conclusion

Including Cyber Security and Alarm Rationalization when considering SIS applications will enhance performance and improve safety
• Performing a cyber risk assessment when performing PHAs will save time and money later on, when assessment and implementation will become more costly
• Identifying alarms during PHAs, as potential protection layers, will ensure prioritization and enable a master alarm database to be created early on
• SIS designers will have to consider these requirements for implementation
Thank You For Listening

Questions?
Sensiaglobal.com
