Cybersecurity in Critical Machinery Monitoring Systems
Safety has always been a priority in the process industry. As these systems are digitized, new needs and challenges arise, and the cybersecurity of the resulting networked monitoring systems has not always met expectations.
Meggitt seeks to address some of these shortcomings in monitoring systems with the new VM 600 Mk2 system, which is certified for cybersecurity according to IEC 62443 and is SIL 2 certified by design according to IEC 61508 (H1 2022).
Machinery Protection Systems and SIL Protection Levels
Currently, Machinery Protection Systems (MPS) are specified according to API 670, while also complying with the international functional safety standards IEC 61508 and IEC 61511.
IEC 61508: Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems. It is an international standard covering the entire safety lifecycle of safety-related systems and is aimed at system suppliers, original equipment manufacturers (OEMs), and the equipment used in such safety systems.
IEC 61511: Functional safety – Safety instrumented systems for the process industry sector. It is an international standard that sets requirements for the engineering of systems that use instrumentation to ensure the safety of an industrial process. It is aimed at end-user applications and is specific to the process industry sector.
API 670: Machinery protection systems. It is a widely recognized standard that describes the minimum requirements for Machinery Protection Systems (MPS) using measurements such as vibration, position, speed, piston rod drop, phase reference, overspeed, and/or temperature. It includes requirements for sensors and monitoring system hardware, covering specifications, procurement, installation, documentation, and testing of such systems.
The main goal of these three complementary standards is to ensure the proper design and use of Safety Instrumented Systems (SIS) with systematically defined Safety Integrity Levels (SIL), so that the risk of a process is reduced to a tolerable level. This is achieved by following defined hardware and software safety lifecycle procedures and maintaining the associated documentation.
The best practice is to follow a safety lifecycle:
- Identification of Risks
- Safety Requirements
- SIL Verification
- Operation and Maintenance of the Safety System
Identification of Risks
Once the conceptual design of an industrial process is completed, a detailed assessment must be conducted for the identification and systematic analysis of risks.
The actual risk of the process without a safety system (MPS) is compared with the tolerable risk. If the actual risk is already lower than the tolerable risk, the MPS need not be considered part of an SIS. If the actual risk (without MPS) exceeds the tolerable risk, risk reduction measures must be applied, which typically include installing an MPS that functions as an SIS.
Note: The required degree of risk reduction is determined by this assessment.
IEC 61508 and IEC 61511 classify the required degree of risk reduction into four Safety Integrity Levels: SIL 1, SIL 2, SIL 3, and SIL 4. The higher the SIL, the greater the required risk reduction, the lower the tolerated probability of dangerous failure of the safety function, and therefore the higher the associated safety level. For low-demand safety functions, IEC 61508 bounds the average probability of failure on demand (PFDavg) at 10^-2 to 10^-1 for SIL 1, 10^-3 to 10^-2 for SIL 2, 10^-4 to 10^-3 for SIL 3, and 10^-5 to 10^-4 for SIL 4.
In practice, SIL 4 safety systems are so complex and costly that they are not economically viable. If a SIL 4 system is required to be considered safe, there is likely a fundamental issue in the design of the process itself that needs examination.
Safety Requirements
The next step is to develop a Safety Requirements Specification (SRS). This specification describes every aspect of the required safety system, including the test procedure and acceptance criteria for the validation tests of the SIS (MPS). The SRS is the basis for demonstrating compliance with the applicable safety standards, so plant owners/operators, consultants, and suppliers must all contribute to it according to the plant's requirements.
Note: IEC 61511 Parts 1 and 2 describe the installation, commissioning, and validation of safety systems in more detail. API 670 suggests that if a safety system requires SIL 2 or higher, any system or equipment not certified SIL 2 by an independent certification body, such as Exida or TÜV, should not be considered (API 670, 5th edition, Appendix L, section L.6.7.2 c).
SIL Verification
At each stage of the project, the SIS must be verified against the SRS. Finally, the complete SIS must be validated in accordance with the test procedure and acceptance criteria included in the SRS. If the safety system cannot meet all requirements, the safety lifecycle must restart from the beginning and produce an updated SRS reflecting the necessary changes.
It is important to note that merely using SIL-certified equipment and products does not automatically make the safety system SIL compliant; certification only establishes the systematic capability (SC) and the hardware fault tolerance (HFT, i.e. the voting architecture) needed to meet the SIL requirements.
Therefore, SIL verification must always be performed for each Safety Instrumented Function (SIF) that is part of the SIS. This includes calculating the average probability of failure on demand (PFDavg) from application-specific information and the safety parameters of the elements forming the SIS, such as Proof Test Coverage (PTC), Proof Test Interval (PTI), site safety index, mission time, mean time to repair (MTTR), and so on, rather than relying solely on supplier recommendations. This is why SIL verification is one of the most critical steps in the safety lifecycle.
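To make the SIL bands and the PFDavg verification described above concrete, the following Python script is an added example written for this page; it is not code from the original article or from any Meggitt product. It uses the common first-order approximations for a low-demand safety function (PTC, PTI, mission time, MTTR, and a 1oo2 common-cause beta factor), which are this example's assumption rather than a full IEC 61508-6 calculation, and the failure-rate figures are constructed for illustration.

```python
# Added example: simplified SIL verification arithmetic for a low-demand
# safety instrumented function (SIF) such as a machinery protection trip loop.
# The formulas below are the usual first-order approximations (assumption of
# this example); a real verification follows IEC 61508-6 / IEC 61511 in full.

# Low-demand SIL bands from IEC 61508-1: (SIL, lower bound, upper bound) of PFDavg.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

HOURS_PER_YEAR = 8760


def pfd_avg_1oo1(lambda_du, pti_h, ptc=1.0, mission_h=None, mttr_h=0.0):
    """Average probability of failure on demand of a single-channel (1oo1) element.

    lambda_du  dangerous undetected (DU) failure rate, failures per hour
    pti_h      proof test interval (PTI), hours
    ptc        proof test coverage (PTC): fraction of DU failures the proof test reveals
    mission_h  mission time, hours; DU failures the proof test misses stay latent until then
    mttr_h     mean time to repair a revealed failure, hours
    """
    if mission_h is None:
        mission_h = pti_h
    revealed = ptc * lambda_du * pti_h / 2            # found and repaired at each proof test
    latent = (1.0 - ptc) * lambda_du * mission_h / 2  # only cleared at end of mission
    repair = lambda_du * mttr_h                       # unavailable while being repaired
    return revealed + latent + repair


def pfd_avg_1oo2(lambda_du, pti_h, beta=0.0):
    """Average PFD of a 1oo2 voted pair: independent failures of both channels
    plus a common-cause fraction beta that defeats both channels at once."""
    independent = ((1.0 - beta) * lambda_du * pti_h) ** 2 / 3
    common_cause = beta * lambda_du * pti_h / 2
    return independent + common_cause


def sil_from_pfd(pfd_avg):
    """Map a PFDavg to its low-demand SIL band (0 = worse than SIL 1).
    Values below the SIL 4 band are reported as SIL 4, the highest defined level."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return 0 if pfd_avg >= 1e-1 else 4


def achieved_sil(pfd_avg, systematic_capability, hft_sil):
    """The SIL a SIF can claim is capped by all three: the PFDavg band, the lowest
    systematic capability (SC) among its elements, and the SIL its hardware fault
    tolerance / voting architecture permits (hft_sil is taken as given here)."""
    return min(sil_from_pfd(pfd_avg), systematic_capability, hft_sil)


def worked_example():
    # Constructed figures: a trip loop with a total DU failure rate of 500 FIT
    # (5e-7 failures/h), proof-tested yearly, 8 h MTTR, 10-year mission time.
    lambda_du = 500e-9
    perfect = pfd_avg_1oo1(lambda_du, HOURS_PER_YEAR, ptc=1.0, mttr_h=8)
    realistic = pfd_avg_1oo1(lambda_du, HOURS_PER_YEAR, ptc=0.9,
                             mission_h=10 * HOURS_PER_YEAR, mttr_h=8)
    redundant = pfd_avg_1oo2(lambda_du, HOURS_PER_YEAR, beta=0.1)
    return {
        "1oo1_perfect_test": (perfect, sil_from_pfd(perfect)),
        "1oo1_ptc_0.9_10y": (realistic, sil_from_pfd(realistic)),
        "1oo2_beta_0.1": (redundant, sil_from_pfd(redundant)),
        # PFDavg sits in the SIL 3 band, but an SC 2 element in the loop caps the claim at SIL 2.
        "claimable_1oo2_with_sc2_element": achieved_sil(redundant, systematic_capability=2, hft_sil=3),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(name, value)
```

Two points the numbers make: a proof test that misses 10 % of dangerous undetected failures roughly doubles PFDavg over a 10-year mission compared with a perfect test, and in the 1oo2 pair the common-cause term dominates the independent term by about two orders of magnitude, so the beta factor, not the redundancy itself, decides the band. Both are application data the end user must supply, which is why the verification cannot rest on supplier figures alone.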
API 670 (5th edition, Appendix L, section L.7.1.x) also defines some responsibilities of the end user to help ensure safety requirements are met.
Operation and Maintenance of the Safety System
It is also the responsibility of the end user to establish an appropriate safety management team that defines the operation and maintenance procedures for every safety system. These procedures typically include pre-startup safety reviews, safe startup of the SIS, periodic maintenance, and on-site functional (proof) testing.