Trust Safety Man2

The document discusses safety principles for industrial control systems. It outlines the structure of the safety manual, including sections on basic safety, functional safety fundamentals, safety management, the safety lifecycle, functional safety assessments, and high density I/O architectures. The manual provides guidance for ensuring industrial control systems designed and certified for safety applications maintain safe operations.


Trusted ICS Safety Manual

Engineering Safe Systems

Introduction
- Trusted ICS
  - The product is designed and certified for use in safety-related applications
  - As with other safety-related bespoke systems, it requires additional measures to ensure the system as a whole is appropriate for its safety-related application
- The Safety Manual covers these additional measures from initial requirements through to decommissioning

Trusted ICS Safety Manual Training, Page 2 of 24

Safety Manual Structure
- Introduction
  - Overview, terminology, and fundamentals
- Generic Safety Principles
  - Lifecycle, Functional Safety Assessment, Competency
- System Recommendations
  - Architectures, Configuration, Programming, Modification, Common Cause
- Checklists

Safety Fundamentals (1): Basic Safety and Functional Safety
- Basic safety
  - Hazards resulting from the equipment itself, including fire, hot surfaces, electrical safety, etc.
- Functional safety
  - Ability of a safety-related system to carry out the actions necessary to achieve or maintain a safe state for the process and associated equipment
- The Safety Manual is primarily concerned with functional safety

Safety Fundamentals (2): Quantification of Safety
- IEC 61508/61511 (SIL) – complete installation
- DIN V VDE 0801 (AK) – safety-related system

  DIN V VDE 0801 (AK)    IEC 61508 / 61511 (SIL)
  AK 1                   No equivalent
  AK 2                   SIL 1
  AK 3                   SIL 1
  AK 4                   SIL 2
  AK 5                   SIL 3
  AK 6                   SIL 3
  AK 7                   SIL 4
  AK 8                   No equivalent

- But... it is hazard mitigation that is important!

Safety Fundamentals (3): Process Safety Time
- Period the process can withstand an incorrect control-output signal
  - Period between the condition arising and completion of the corrective action
  [Figure: process variable plotted against Time, with the Alarm Threshold and Dangerous Condition levels shown and the PST interval marked]
- Function of the process dynamics and the level of safety built into the process plant
  - Can range from milliseconds to hours, e.g. turbine control PST may be around 100 ms
- PSTE is the element appropriate to the system; it excludes sensor and actuator delays

Safety Fundamentals (4): Fault Tolerance, Degraded Operation and Safety
- For AK6, 2 simultaneous faults must NOT result in an unsafe (X) condition
  - Note: fault tolerant is not necessarily fail-safe: 2→X, 2→1→X, 3→2→X
- Trusted ICS architectures (each arrow is one degradation step; 0 is the safe state):
  - Fail-safe simplex (1→0)
  - Dual 1oo2D (2→1→0)
  - TMR 2oo3 (3→2→0)
  - TMR with spare (3→3→2→0)

Safety Management
- Policy and strategy for achievement
- Safety Planning
  - Define lifecycle stages
  - Define safety measures
  - Define techniques
  - Define responsibilities
- Records and documentation
- Configuration control and change management
- Competency

Safety Management: Safety Lifecycle
- Scope
- Functional Requirements
- Safety Requirements
- System Engineering
- Application Programming
- System Production
- System Integration
- Safety Validation
- Installation and Commissioning
- O&M
- Modification
- Decommissioning

Safety Management: Functional Safety Assessment
- Review of:
  - Safety functions
  - Safety properties
  - Include effects of internal and external failures
- Audit Team
  - Include independent personnel
- At least once before hazards are present

Architectures (1): High Density I/O Architectures
- TMR
- TMR with spare
- Repair:
  - Single slot
  - Adjacent slot
  [Figure: six T8403 Trusted 24Vdc Digital Input modules (channels 1–40), each shown Healthy, with slices marked Active / Standby / Educated; SmartSlot]
- Majority fault:
  - Logic '0'
  - State '0x07'
  - Value -2048

Architectures (2): Low Density I/O
- Choice of architectures
  - Inputs: Simplex, 1oo2, 2oo2, 2oo3
  - Outputs: Simplex, Guarded, Dual Guarded
- Fault (covert) behaviour by architecture (X = unsafe, 0 = safe state, 1 = continues to operate, TI = test interval):

  Architecture    1st fault                      2nd fault
  Simplex IP      X (t<TI), 0 (after TI)
  Simplex OP      X
  1oo2 Input      1 (t<TI), 0 (after TI)         0 (after TI)
  2oo2            X (until TI), 1 (after TI)     0 (after TI)
  2oo3            1                              0
  Guarded         0                              X
  Dual Guarded    1                              X

- TI + 2x scan time << PSTE, then OK?

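The covert-fault table above and the degradation sequences in Safety Fundamentals (4) can be checked with a small voting model. The Python below is an added example, not code from the Trusted ICS product or its Safety Manual. It assumes that a covert fault is a dangerous, undetected failure that leaves the channel reading "no demand" whatever the process does; that once diagnostics have found the fault (after TI) the channel is de-energised and so votes for the safe state in simplex, 1oo2 and 2oo3; and that in 2oo2 the detected channel is instead bypassed so the pair degrades to 1oo1 and then to the safe state. The function names, the outcome codes and the safety factor in the timing check are the example's own; the model also reports the second fault before TI, which the slide table leaves blank.

```python
"""Covert-fault behaviour of simplex, 1oo2, 2oo2 and 2oo3 inputs, plus the
'TI + 2 x scan << PSTE' rule of thumb.  Added example, not Trusted ICS code;
the channel and voter semantics below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNSAFE, SAFE, OPERATING = "X", 0, 1          # outcome codes from the slide table
CHANNELS = {"simplex": 1, "1oo2": 2, "2oo2": 2, "2oo3": 3}


@dataclass
class Channel:
    covert: bool = False    # dangerous undetected fault: reads 'no demand' regardless of process
    detected: bool = False  # the same fault after diagnostics have found it (t >= TI)


def reading(ch: Channel, demand: bool) -> Optional[bool]:
    """What the voter sees from one channel: None = known faulty, else demand / no demand."""
    if ch.detected:
        return None
    if ch.covert:
        return False          # stuck in the dangerous direction (assumption)
    return demand


def vote(arch: str, readings: List[Optional[bool]]) -> bool:
    """True when the architecture commands the safe (de-energised) state."""
    if arch == "simplex":
        (r,) = readings
        return True if r is None else r
    if arch == "1oo2":
        # Any channel demanding, or de-energised by a detected fault, trips the pair.
        return any(r is None or r for r in readings)
    if arch == "2oo2":
        # A detected-faulty channel is bypassed: 2oo2 -> 1oo1 -> safe (2->1->0).
        healthy = [r for r in readings if r is not None]
        return True if not healthy else all(healthy)
    if arch == "2oo3":
        # De-energised channels count as demand votes: one fault keeps the
        # majority working, two faults force the safe state (3->2->0).
        return sum(1 for r in readings if r is None or r) >= 2
    raise ValueError(arch)


def outcome(arch: str, channels: List[Channel]):
    """X = fails to act on a real demand, 0 = safe state forced, 1 = operates normally."""
    trips_on_demand = vote(arch, [reading(c, True) for c in channels])
    trips_idle = vote(arch, [reading(c, False) for c in channels])
    if not trips_on_demand:
        return UNSAFE
    return SAFE if trips_idle else OPERATING


def fault_table(arch: str) -> Dict[Tuple[int, str], object]:
    """Outcome for one and two faults, before TI (covert) and after TI (detected)."""
    n = CHANNELS[arch]
    table: Dict[Tuple[int, str], object] = {}
    for faults in (1, 2):
        if faults > n:
            continue
        for phase, flag in (("before TI", "covert"), ("after TI", "detected")):
            chans = [Channel(**{flag: i < faults}) for i in range(n)]
            table[(faults, phase)] = outcome(arch, chans)
    return table


def exposure_ok(ti: float, scan: float, pste: float, margin: float = 10.0) -> bool:
    """The slide's rule of thumb: the covert-fault window TI plus two scans (one to
    detect, one to act) must be well inside PSTE.  'Well inside' is taken here as a
    factor `margin` (assumption); PSTE already excludes sensor and actuator delays."""
    return (ti + 2 * scan) * margin <= pste


if __name__ == "__main__":
    for arch in CHANNELS:
        print(arch, fault_table(arch))
    # Constructed figures, not from the deck: PSTE 100 ms, TI 5 ms, scan 2 ms.
    print("exposure within PSTE:", exposure_ok(0.005, 0.002, 0.100))
```

Run as a script it prints one dictionary per architecture; the entries for the first fault and for the second fault after TI match the slide table, and the additional "2 faults, before TI" entries are all X, which is the fault-tolerant-but-not-fail-safe case of the earlier slide.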
Architectures (3): Energise to Action
- Mitigation,
- Activation is the hazard, or
- AK1 to 4 (≤SIL2)
- Additional Measures
  - Redundant, independent power sources
  - Power source monitoring
  - Line monitoring

Architectures (4): Sensor and Actuator Configurations
- Simplex field devices
  - Predictable failure?
  - Testability?
- Redundant field devices
  - Allocation to I/O channels
    - Consider effects of I/O failure
    - Consider effects of power failure (and discrimination)

Configuration (1): Processor
- Timing
  - Sleep period
  - Maximum allowed scan time
  - Diagnostic access
  - Processor changeover period and PST
- SYSTEM.INI verification

Configuration (2): High Density I/O
- System Section
  - IMB timeout, system watchdog timeout, bypass timeout
  - Power fail timeout
- Force Section
  - Test only
- Shutdown Section
  - Energise to action
- Flags Section
  - Line monitoring

Configuration (3): Module Replacement Configuration
- Consistency
  - Group where mixed is necessary
  - Effects of secondary module installation
    - accuracy
- Primary and secondary slot configuration
  - Primary-only start-up
  - SmartSlot
  - Provision for start-up on secondary
    - Enable Simulate
    - Identical .ini settings
- SmartSlot cable testing

Configuration (4)
- I/O Forcing
  - Use maintenance overrides where possible
  - Alternate removal:
    - IEC1131 Workbench
    - 'Panic' input (via application)
- Maintenance Overrides
  - Conventional inputs
  - Communications inputs
  - Alternate initiation of safety functions
    - Resets
    - Timed start-up overrides
- Peer Communications

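The points on this slide are that a maintenance override needs a removal path that does not depend on the override itself (the Workbench, a 'panic' input) and that start-up overrides should be timed. The Python below is an added example, not application code from Trusted ICS or its toolset; it assumes that an override is only accepted while an enable input (for instance a key switch) is active, that a timed override expires on its own, and that a single panic input clears every override at once. The class, its method names, the tag names and the time-in-seconds interface are the example's own.

```python
"""Maintenance override bookkeeping with timed expiry and a 'panic' removal path.
Added example, not Trusted ICS application code; the enable-input, expiry and
panic semantics are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class OverrideManager:
    default_duration: float                                    # seconds an override stays in force
    _expiry: Dict[str, float] = field(default_factory=dict)    # tag -> absolute expiry time

    def request(self, tag: str, now: float, enable: bool,
                duration: Optional[float] = None) -> bool:
        """Apply an override to `tag`.  Refused unless the enable input is active
        (assumption: a key switch or equivalent), so logic alone cannot set one."""
        if not enable:
            return False
        self._expiry[tag] = now + (self.default_duration if duration is None else duration)
        return True

    def remove(self, tag: str) -> None:
        """Normal removal, e.g. from the Workbench or an override reset input."""
        self._expiry.pop(tag, None)

    def panic(self) -> None:
        """Alternate removal: one application input clears every override."""
        self._expiry.clear()

    def active(self, tag: str, now: float) -> bool:
        """An override is in force only until its expiry; expired entries are dropped."""
        expiry = self._expiry.get(tag)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[tag]
            return False
        return True

    def active_tags(self, now: float) -> List[str]:
        """Sorted list of overrides still in force, for display and for the audit record."""
        return sorted(t for t in list(self._expiry) if self.active(t, now))

    def effective_demand(self, tag: str, raw_demand: bool, now: float) -> bool:
        """Demand seen by the safety logic: an overridden input is held at 'no demand',
        which is both the purpose and the risk of an override."""
        return False if self.active(tag, now) else raw_demand


if __name__ == "__main__":
    # Constructed scenario: a 2 minute start-up override on a high-high pressure trip.
    ovr = OverrideManager(default_duration=3600.0)
    print(ovr.request("PT-101.HH", now=0.0, enable=False))               # refused: no enable
    print(ovr.request("PT-101.HH", now=0.0, enable=True, duration=120.0))
    print(ovr.effective_demand("PT-101.HH", True, now=60.0))             # trip suppressed
    print(ovr.effective_demand("PT-101.HH", True, now=121.0))            # override expired
```

The `active_tags` list is what an operator display or shift handover should show; an override that is invisible is the one that stays in place after the maintenance job is finished.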
Programming (1): Toolset Configuration
- Access protection
- Language Selection
  - Function block
  - Subset
  - Additional functions, languages, commands
    - Not 'C'
    - Not SFC

Programming (2): Application Development
- Partitioning
- Defensive Measures
  - Testable blocks
  - Individual safety-related functions
  - Minimise logic depth
- Communications Interaction
  - Overrides
  - Adjustment within safe limits

Programming (3)
- Program Testing
  - Response time measurement
  - "Validators"
  - Cross reference checking
  - Code comparison
- On-Line Modification
  - Logic change only
  - Simulate
  - Use validators

Common Cause Faults
- Climatic
- EMC
- Power
- Your engineering, assembly, test, etc.

Summary
- The Safety Manual and TÜV certification report are mandatory for safety applications
  - They also contain useful engineering guidance
- It is YOU that makes the system safe
  - The Safety Manual is an aid
  - Reviewing and testing can't cover everything
  - Think...
    - Is it safe?
    - What happens when...?
- Remember the checklists are prompts to your thought process

Further Information
- Safety Manual Checklists
- TÜV Certification Report
- Triplex Support
- TÜV
- Standards:
  - IEC61508
  - IEC61511
  - DIN V VDE 0801
  - ISO9000