1. Functional Integrity Certification™
The First Combined Certification for Functional Safety and Functional Security
Shanghai, 16 March 2011
Koen Leekens

exida Contacts
Singapore +65 6222 5160
Canada +1 403 475 1943
Shanghai +86 21 5171 7250
United Kingdom +44 2476 456 195
Hong Kong +852 2633 7727
Netherlands +31 318 414 505
Germany +49 89 4900 0547
Australia / NZL +64 3 472 7707
USA +1 215 453 1720
Mexico +52 55 5611 9858
Switzerland +41 22 364 14 34
South Africa +27 31 267 1564
Copyright exida LLC ® 2000-2011
2. “SAFETY” is not “SECURITY”
Piper Alpha 1988
“Lessons learned” improve Safety
3. “Disabled” Safety is not SAFE!
Incident with “Certified” Boiler
Anti-Virus Software Prevents Safety Shutdown
Source: www.securityincidents.org

4. “Disabled” Safety is not SAFE!
Advanced Technology introduces new THREATS?
Explosion of “Certified” Boiler
Anti-Virus Software Prevents Safety Shutdown
Source: www.securityincidents.org
The point of the incident: a security control added to the system (here anti-virus software) blocked a certified safety function as effectively as a deliberate attack would have, so software added to a safety-related system has to be assessed for its effect on the safety function, not only for its security benefit.
5. exida Functional Integrity Certification™
Functional Integrity Certification™ = Functional Safety Certification™ + Functional Security Certification™
“Integrity is doing the right thing, even if nobody is watching.” (Anonymous)
6. Who we are
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services
Today: LARGEST Functional Safety and Cyber Security consultancy and certification body worldwide
“Provide independent services and tools to help customers comply with any industry standards for Functional Safety, Cyber Security and Alarm Management”

Rainer Faller
- Former Head of TÜV Product Services
- Chairman German IEC 61508
- Global Intervener ISO 26262 / IEC 61508
- Author of several Safety Books
- Author of IEC 61508 parts

Dr. William Goble
- Former Director Moore Industries
- Developed FMEDA Technique (PhD)
- Author of several Safety Books
- Author of several Reliability Books
8. What we do
EXIDA SCOPE: Functional Safety, Cyber Security, Reliability, Alarm Management
SERVICES: Tools, Training, Consultancy, Certification, Reference Materials
INDUSTRIES: Process Industry, Automotive, Machine Industry, Power Industry, Rail
CUSTOMERS: End Users, Equipment Manufacturers, Engineering Companies, System Integrators
9. The exida Library
exida publishes analysis techniques for functional safety
exida authors ISA best-sellers for automation safety and reliability
exida authors an industry data handbook on equipment failure data
www.exida.com
11-12. What is…?
Functional Safety:
“Part of overall safety to protect against incidents caused by incorrect functioning of components/systems”
13. Why Functional Safety?
To provide a safer working environment for people, that is to save lives and protect the environment
To demonstrate compliance with regulatory requirements, that is to avoid fines
To protect investments in plant and equipment and ensure continuous operations, that is to save money
18. History of Functional Safety Standards
Timeline (1960 to 2015) of the “Functional” Safety Loop standards, oldest first: DIN 31000, DIN V 19250, S84.01 1996, IEC 61508, IEC 61513, IEC 61511, S84.01 2004, IEC 62061, ISO 26262

19. History of Functional Safety Standards
Same timeline, with the question added: Also Secure?
20-23. Which Standard?
IEC 61508: Functional Safety for E/E/PES Safety Related Systems
Applies to Device Manufacturers, or where a Sector Specific standard is Not Available
Sector specific standards, for End Users and Systems Integrators:
- IEC 61513: Nuclear
- IEC 62061: Machinery
- IEC 61511: Process Industry
- ISO 26262: Road Vehicles
24. What do accidents teach us?
Seveso 1976 Buncefield 2005
Bhopal 1984 Flixborough 1974
25. Primary Cause of Failures?
Lifecycle phases in the failure-cause chart: Specification; Design and Implementation; Installation and Commissioning; Operation and Maintenance; Changes after Commissioning
Chart callouts: “More than 80% of Failures”; “Before Startup”
Source: Health, Safety & Environmental Agency
The majority of accidents are … preventable if a systematic Risk-Based Approach is adopted …
26. IEC 61508/61511 Key Aspects
Safety Integrity Levels to protect against Random Failures (Physical or Hardware Failures)
Safety Lifecycle to protect against Systematic Failures (Insufficient Processes and Procedures)
Both protection measures are Important
“Having incomplete safety is worse than no safety at all because people are lulled into complacency thinking that safety is managed”
27. Product Certification
Functional safety certification for devices is accomplished per IEC 61508
Products are certified to a Safety Integrity Level (SIL)
The result is typically a certificate and a certification report
SIL Certification: Vendor showed sufficient protection against Random and Systematic Failures
28. Certification versus Prior Use?
Certificate: Justification by Vendor
Prior Use: Justification by User
33-35. How to certify a device?
1. Analyze Hardware Reliability
2. Analyze Gaps between existing processes and IEC 61508, then Fix Product and Process Gaps
3. Safety Justification Report listing how the requirements are met for Product and Process
4. Final Assessment by Independent 3rd Party
5. Certificate and Certification Report
exida Tools for steps 1, 2 and 3
37. What is…?
Functional Security:
“Protection against intentional or unintentional interference with the proper operation of systems/components”
38. Which Standards?
ISA-99
IEC 62443
SP800-82
CSA Z246.1
39-40. Functional Security Certification™
1. Analyze Hardware Reliability (ISCI)
2. Analyze Gaps between existing processes and ISA-99, then Fix Product and Process Gaps
3. Security Justification Report listing how the requirements are met for Product and Process
4. Final Assessment by Independent 3rd Party
5. Certificate and Certification Report
Security is patterned to Safety
41. Who can certify Safety and Security?
Verify Market Recognition: Competency defined by Customers
NOBODY CERTIFIES THE CERTIFIER
Market recognition by certifier (International list / North America list):
- exida: 17.2% / 60.7%
- TÜV Rheinland: 6.9% / 12.2%
- TÜV Nord: 1.7% / 1.7%
- TÜV SÜD: 1.7% / 3.1%
- Wurldtech: 0.9% / 0.0%
- Other: 25.9% / 8.3%
Other includes: SIRA, CSA, FM, UL, BASEEFA, INERIS, DNV and many more
42. Who can certify Safety and Security?
Verify Market Recognition: Competency defined by Customers
Verify Experience: Number of Certifications (Fast Time-to-Market)
Number of Certificates - Currently Marketed Products (as of 9/17/2010)
Certification Agency   Sensors   Logic Solvers   Final Element   Total
TUV X                  5         2               4               11
TUV Y                  4         3               0               7
TUV Z                  4         14              9               27
exida                  32        6               55              93
43. How to select the certifier?
NOBODY CERTIFIES THE CERTIFIER
Verify Market Recognition: Competency defined by Customers
Verify Experience: Number of Certifications
Verify Excellence / Competency: Involvement of the company with the IEC and ISA standards for Safety and Security
Verify availability of 3rd party Assessment of Certifier
Market Support Data: Provision of Failure Rate Databases, Books, Whitepapers, Templates…
Broad Capabilities: Functional Safety and Functional Security Certification
44-46. “Bypassed” Safety is not SAFE!
Disgruntled Contractor “Hacks” Pipeline Leak Detection System (Source: www.securityincidents.org)
Piper Alpha 1988: “Lessons learned” improve Safety
The Best Safety is Useless when DISABLED
Both SAFETY and SECURITY Matter