Functional Safety for Managers - Process Safety and Cyber Security in Oil & Gas Industry
Sudhir Pai
Country Head, India
exida Consulting India Pvt Ltd

Frequent industrial accidents led to the creation of IEC61508 Standards; however there is a scope for improvement by Companies operating in the Process Industry (chemical, petrochemical, refining, O & G and others ) to adopt recommendations of the Standard. Cyber attacks are also venerable to the industry. The article details on Functional Safety and Cybersecurity Management to safeguard the Industrial Automation Control Systems (IACS) & Safety Instrumented Systems (SIS) across the industries.

It is correct to state that frequent Industrial accidents led to the creation of IEC61508 Standards. Studies conducted by HSE 1, EPA & OSHA2,3 found that human errors (Systematic Failures) are the main cause of accidents and that focussing on programmable equipment & software alone is insufficient; 'A Lifecycle approach is needed'. There are numerous ways in which human factors might impact functional safety and cybersecurity.

The lessons learned over the past 3 decades, have been compiled into a series of standards resulting in the release of the first draft of IEC615084 in 1998, followed by a full release in 2000 and subsequent revision in 2010. The IEC61508 standard became the 'umbrella' or 'base' safety standard for Industry mainly targeted at the manufacturers of products. The IEC61508 Standard has branched into different Sector specific standards; The IEC615115 standard targeted at the process industries released in 2003, and subsequent release in 2016.

It is 15 years since the IEC61511 Standard was first released and there is significant scope for improvement by Companies operating in the Process Industry (chemical, petrochemical, refining, O & G and others) to adopt recommendations of the Standard. Presently companies have adopted the Standard recommendations to varying degrees; some companies have a reasonably well-defined safety programme complying to many of the Standards recommendations, while some companies are still non-starters. Most companies have implemented safety practices in snippets without a complete understanding of the Safety Lifecycle.

With time, Cyber-attacks have taken many forms and threaten Industrial Automation Control Systems (IACS) & Safety Instrumented Systems (SIS). An unprecedented number of security vulnerabilities have been exposed in industrial control products. The 2016 version of IEC61511 Standard emphasises the need for cybersecurity through-out the entire lifecycle of the IACS & SIS. The IEC624436 series of standards are probably the most widely used set of standards in the industry for IACS & SIS cyber security.

Functional Safety and cybersecurity have similar and related thought processes throughout the lifecycle. Management of Functional safety and Cyber for IACS can be illustrated in Figure 17.

Figure (1): Management of Functional Safety & Cyber Security

Integration of cybersecurity into the overall process safety lifecycle is a means to achieve improved safety in a manner that is both efficient and cost effective. In doing so, the requirements to address cybersecurity in IEC 61511 are addressed.

Experience has shown that many companies management teams have little or no understanding of Management of Functional Safety and Cybersecurity (FSM). The purpose of this paper is to provide managers with an overview of their role and responsibility with regards to FSM.

Following Best Practices
Both IEC61511 and IEC62443 series of Standards are User Focused Standards (IEC62443 also has recommendations for manufac turers of automation products ); B oth standards are based on implementation of Best Practices and strongly recommend a Safety Lifecycle (SLC) approach towards safety. The Safety Lifecycle approach is a sound, methodical and holistic approach towards safety to
  • Ensure the problems of the past are not repeated
  • Provide a consistent approach to identifying and mitigating risk in accordance with a company's tolerable risk, following best practices.
  • Provide a means of achieving optimum design that balances risk reduction with performance
  • Provide a means to consistently measure per form

Table 1: Safety Lifecycle approaches for Functional Safety and Cybersecurity

The Safety Lifecycle approach towards Functional Safety and Cybersecurity are divided into the following three main phases8. The basic need of the Industry is to develop a proper understanding of all the Safety Life - cycle phases.
- Assess Phase
- Design & Implementation (or Realization) Phase and
- Operation & Maintain Phase

The comprehensive goals of each phase are shown in Table 18,9: Each phase consists of multiple process steps. Additionally, there is an overall program governing the entire lifecycle i.e. Management of Func tional Safety and Cybersecurity (FSM) which is vital to the long-term success of the Safety Lifecycle.

Functional Safety Management10
As stated above, the FSM embodies those activities that are vital to the long-term success of the program. By definition, FSM governs the whole of the SLC and its associated activities; it's essentially the 'glue' that holds everything together. The primary purpose of FSM is to ensure that SLC roles and responsibilities are defined and assigned to competent and empowered individuals and/or groups. It requires specifying the key activities of those responsible and developing procedures to support these activities.

FSM essentially deals with the 3 Ps:
  • Personnel - ensuring personnel involved in SLC activities are properly trained and competent to perform those activities
  • Procedures - are developed that are easily understood, are being followed and implemented correctly
  • Paper work - documentary evidence to support competency and to demonstrate that procedures are being followed and implemented correctly;
It is essential for managers working on SLC tasks to also be competent to understand the importance of complying with procedures and following the SLC activities and documentary requirements. The fundamental purpose of implementing FSM is to help eliminate and/or reduce the risk of human errors being introduced during SLC activities, that could have a detrimental effect on overall safety and cybersecurity.

FSM is driven by corporate culture. Organizations need senior management support for the success of a FSM program. Implementing cost reduction measures across the board without understanding the repercussions on safety can, and has, in some cases, been the direct cause of accidents and loss of life. Managers need to be aware of this and to understand the role they play in ensuring functional safety and cybersecurity management programs are well maintained.

Developing a FSM Program
The IEC61511 and IEC62443 Standards require that a policy and strategy for achieving functional safety/cybersecurity needs to be identified together with the means and methods for evaluating their achievement, which is required to be communicated within the organization.

Developing a FSM program star ts by examining the existing quality management system and programs in place. Many end user companies have some form of ISO9000 compliant Quality System and procedures in place. This is the best place to start, thereby looking to leverage the existing quality system. A simple 'gap' assessment can be performed to see where the existing system has 'gaps' in relation to the Organizations tolerable levels of risk and security. For example -
- Looking for an organizational chart that defines the roles and responsibilities of the people, department and organizations responsible for SLC activities
- Supporting documentation that specifies the management and technical activities required for each phase of the SLC, which could be in the form of a flow diagram
- Specifying the roles and responsibilities for key positions, departments and organizations
- If a supplier or third party sub - contractors are used for key activities , then this needs to be defined. Fur thermore, all supplier and sub- contractors to be competent to carry out SLC tasks, so there needs to be a process, procedure and method for qualifying and approving the use of sub - contractors.

How to Accomplish FSM
The first task in implementing FSM is to appoint at least one (or more) qualified and competent person(s) to lead the func tional safety and cyber security activity. This person(s) or team will be responsible and accountable to management for ensuring that the SLC is being followed and that the relevant phases are being complied with.

As part of the FSM plan, procedures will need to be developed and implemented to ensure that each of the SLC goals listed in Table(1) are achieved. As with most plans, it's essential to ensure that the plan is monitored and updated as necessary through out the entire SLC. The level of detail required will need to be appropriate for the role that the individual or organization is performing in the SLC.

It is important to ensure that procedures are in place to investigate to root cause and to remedy any non-compliances and/or recommendations highlighted during any phase of the SLC. Documentary evidence needs to be available to substantiate and/or support any decisions.

Just because a company hasn't had a major accident or security breach, doesn't mean an Organization can become complacent and ignore or neglect the SLC approach. A common phrase in cybersecurity is - It's not a question of 'If' you have cyber-attack, but a question of 'when' you have a cyber-attack .

It was the late Trevor Kletz, Professor of Process Safety at Texas A & M11, and world-renowned expert in Process Safety, who coined the phrase "if you think safety's expensive, then try an accident". The reason is that accidents can cost a company a lot of money, plus loss of its reputation and company image. Moreover, if the company is found to be negligent then there could be further repercussions in terms of penalties and/or fines for safety violations and even potential jail time for its executives.

So, what is the benefit of adopting a SLC approach to functional safety and cybersecurity? The short answer: it pays.

In conclusion, having the right culture within the Organization towards Functional Safety and Cyber security is very important. Managers need to take responsibility for their own competency and to make sure they are suitably educated so they know what to look for and what measures to be taken to ensure an effective FSM program is in place. If there is an incident and/or security breach that results in the loss of life, financial losses and/or environmental damage, then ignorance will be no excuse.

1. [HSE] UK Health and Safety Executive 1992 - A Guide to the Offshore Installations (Safety Case) Regulations 1992 London: HMSO
2. [EPA] United States Environmental Protection Agency
3. [OSHA] Occupational Safety and Health Administration (OSHA) Process Safety Management (PSM) standard (29 CFR 1910.119)
4. [IEC61508] IEC 61508, Edition 2, Functional safety of electrical/ electronic/programmable electronic safety - related systems, Parts 17, 2010 , International Electrotechnical Commission, Geneva, Switzerland
5. [IEC 61511-1] International Electrotechnical Commission (IEC ) 61511-1 Functional Safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements:2016 edition
6. ANSI/ISA 62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program, 2009
7. Whitepaper "Cybersecurity Risk Assessments in the Safety Lifecycle" by Harold W Thomas, LLC, 2016
8. Safety Instrumented System Design, Techniques and Design Verification by Iwan van Beurden and William M. Goble, ISA Publication (ISBN: 978-1-945541 -43-8)
9. Whitepaper "The ICS Cybersecurity Lifecycle" by John Cusimano and Gene Cammack, exida Consulting LLC, 2013
10. Whitepaper "Functional Safety For Managers - What Managers Need to Know" by S.N. Gandy, exida Consulting LLC, 2018
11. Kletz, T., Hazop and Hazan - Identifying and Assessing Process Industry Hazards, 4th Edition, 1999, Taylor & Francis Group, New York, NY, USA