Transcript
Page 1: Functional integrity certification   exida

Functional Integrity Certification™
The First Combined Certification for Functional Safety and Functional Security

Shanghai, 16 March 2011
Koen Leekens

Exida Contacts
Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Germany +49 89 4900 0547
USA +1 215 453 1720
Switzerland +41 22 364 14 34
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564

Copyright exida LLC ® 2000-2011

Page 2: "SAFETY" is not "SECURITY"

Piper Alpha 1988: "Lessons learned" improve Safety

Page 3: "Disabled" Safety is not SAFE!

Incident with "Certified" Boiler: Anti-Virus Software Prevents Safety Shutdown
Source: www.securityincidents.org

Page 4: "Disabled" Safety is not SAFE!

Advanced Technology introduces new THREATS?

Explosion of "Certified" Boiler: Anti-Virus Software Prevents Safety Shutdown
Source: www.securityincidents.org

Page 5: exida Functional Integrity Certification™

Functional Integrity Certification™ = Functional Safety Certification™ + Functional Security Certification™

"Integrity is doing the right thing, even if nobody is watching." (Anonymous)

Page 6: Who we are

Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services

Today: LARGEST Functional Safety and Cyber Security consultancy and certification body worldwide

"Provide independent services and tools to help customers comply with any industry standards for Functional Safety, Cyber Security and Alarm Management"

Rainer Faller: Former Head of TÜV Product Services; Chairman German IEC 61508; Global Intervener ISO 26262 / IEC 61508; Author of several Safety Books; Author of IEC 61508 parts

Dr. William Goble: Former Director Moore Industries; Developed FMEDA Technique (PhD); Author of several Safety Books; Author of several Reliability Books

Page 7: Where we are

(World map of exida office locations)

Page 8: What we do

EXIDA SCOPE: Functional Safety, Cyber Security, Reliability, Alarm Management

SERVICES: Tools, Training, Consultancy, Certification, Reference Materials

INDUSTRIES: Process Industry, Automotive Industry, Machine Industry, Power Industry, Rail Industry

CUSTOMERS: End Users, Equipment Manufacturers, Engineering Companies, System Integrators

Page 9: The exida Library

exida publishes analysis techniques for functional safety

exida authors ISA best-sellers for automation safety and reliability

exida authors industry data handbook on equipment failure data

www.exida.com

Page 10: exida Customers (extract from 2000+)

(Customer logos)

Pages 11-12: What is…?

Functional Safety: "Part of overall safety to protect against incidents caused by incorrect functioning of components/systems"

Page 13: Why Functional Safety?

To provide a safer working environment for people, that is to save lives and protect the environment

To demonstrate compliance with regulatory requirements, that is to avoid fines

To protect investments in plant and equipment and ensure continuous operations, that is to save money

Page 14: What is…?

SIL: "The Safety Integrity Level is a measure for the effectiveness of the risk reduction that each individual Safety Function is expected to provide"

Pages 15-19: History of Functional Safety Standards (timeline 1960, 1990, 1995, 2000, 2005, 2010, 2015)

RELAY: Predictable Failures

PLC: Failure Modes? (DIN 31000)

Safety PLC "AK-Classes": DIN V 19250; S84.01 1996

Safety Loop "Functional": IEC 61508, IEC 61513, IEC 61511, IEC 62061, ISO 26262, S84.01 2004

Also Secure?

Pages 20-23: Which Standard?

IEC 61508: Functional Safety for E/E/PES Safety Related Systems

Sector-specific standards derived from IEC 61508:
IEC 61513: Nuclear
IEC 61511: Process Industry
ISO 26262: Road Vehicles
IEC 62061: Machinery

Device Manufacturers: Sector Specific Not Available (IEC 61508 applies)

End Users and Systems Integrators: sector-specific standards apply

Page 24: What do accidents teach us?

Flixborough 1974, Seveso 1976, Bhopal 1984, Buncefield 2005

Page 25: Primary Cause of Failures?

Lifecycle phases (where failures originate): Specification; Design and Implementation; Installation and Commission; Operation and Maintenance; Changes after Commission

More than 80% of Failures Before Startup
Source: Health, Safety & Environmental Agency

The majority of accidents are preventable if a systematic Risk-Based Approach is adopted

Page 26: IEC 61508/61511 Key Aspects

Safety Integrity Levels to protect against Random Failures (Physical or Hardware Failures)

Safety Lifecycle to protect against Systematic Failures (Insufficient Processes and Procedures)

Both protection measures are Important

"Having incomplete safety is worse than no safety at all because people are lulled into complacency thinking that safety is managed"

Page 27: Product Certification

Functional safety certification for devices is accomplished per IEC 61508

Products are certified to a Safety Integrity Level (SIL)

The result is typically a certificate and a certification report

SIL Certification: Vendor showed sufficient protection against Random and Systematic Failures

Page 28: Certification versus Prior Use?

Certificate: Justification by Vendor

Prior Use: Justification by User

Pages 29-35: How to certify a device?

1. Analyze Hardware Reliability

2. Analyze Gaps between existing processes and IEC 61508

Fix Product and Process Gaps

3. Safety Justification Report listing how the requirements are met for Product and Process

4. Final Assessment by Independent 3rd Party

5. Certificate and Certification Report

Exida Tools for 1, 2 and 3

Page 36: So what about Functional Security?

Security vulnerabilities impact the operation of the Safety System

Safety ONLY is not enough

Disgruntled Contractor "Hacks" Pipeline Leak Detection System
Source: www.securityincidents.org

Page 37: What is…?

Functional Security: "Protection against intentional or unintentional interference with the proper operation of systems/components"

Page 38: Which Standards?

ISA-99
IEC 62443
SP800-82
CSA Z246.1

Pages 39-40: Functional Security Certification™

1. Analyze Hardware Reliability (ISCI)

2. Analyze Gaps between existing processes and ISA-99

Fix Product and Process Gaps

3. Security Justification Report listing how the requirements are met for Product and Process

4. Final Assessment by Independent 3rd Party

5. Certificate and Certification Report

Security is patterned to Safety

Page 41: Who can certify Safety and Security?

Verify Market Recognition: Competency defined by Customers

(Pie charts of customer survey responses by certifier: exida, TUV Rheinland, TUV Sud, TUV Nord, Wurldtech, Other, and "Nobody Certifies the CERTIFIER"; Yellow = International list, Blue = North America list. Figures as extracted, in the order they appear next to each label: Other 8.3% / 25.9%; TUV Rhineland 6.9%; exida 60.7% / 17.2%; TUV Nord 1.7% / 1.7%; remaining values 0.0%, 1.7%, 0.9%, 12.2%, 3.1% not attributable)

Other includes: SIRA, CSA, FM, UL, BASEEFA, INERIS, DNV and many more

Page 42: Who can certify Safety and Security?

Verify Market Recognition: Competency defined by Customers

Verify Experience: Number of Certifications (Fast Time-to-Market)

Number of Certificates - Currently Marketed Products (9/17/2010)

Certification Agency   Sensors   Logic Solvers   Final Element   Total
TUV X                        5              2               4      11
TUV Y                        4              3               0       7
TUV Z                        4             14               9      27
exida                       32              6              55      93

Page 43: How to select the certifier? NOBODY CERTIFIES THE CERTIFIER

Verify Market Recognition: Competency defined by Customers

Verify Experience: Number of Certifications

Verify Excellence / Competency: Involvement of the company with the IEC and ISA standards for Safety and Security

Verify availability of 3rd party Assessment of Certifier

Market Support Data: Provision of Failure Rate Databases, Books, Whitepapers, Templates…

Broad Capabilities: Functional Safety and Functional Security Certification

Pages 44-46: "Bypassed" Safety is not SAFE!

Piper Alpha 1988: "Lessons learned" improve Safety

Disgruntled Contractor "Hacks" Pipeline Leak Detection System
Source: www.securityincidents.org

The Best Safety is Useless when DISABLED

Both SAFETY and SECURITY Matter

Page 47: Security Certified Control Systems

(Logos of security certified control systems)

Page 48: exida Functional Integrity Certification™

Functional Integrity Certification™ = Functional Safety Certification™ + Functional Security Certification™

"Integrity is doing the right thing, even if nobody is watching." (Anonymous)
