Safety-related parameters are control system variables whose incorrect setting immediately increases the risk to the user. Some of the most common include safe-reduced speed and safe standstill, but temperature, pressure and other process parameters can also be safety-related.
Defining what machine parameters are safety-related and then designing control hardware and software to meet the functional safety requirements is necessary to ensure the safety of workers and others who may be affected.
Contents
Safe drive parameters
IEC 61800-5-2 [2] defines operating modes like Safe Torque Off, Safe Stop 2, and several more. Safety-related parameters are at the heart of:
- Safe Stop 2 (SS2)
- Safe Operating Stop (SOS)
- Safe Standstill
You can read more about these operating modes in Safe Drive Control including Safe Torque Off (STO). To better understand those modes of operation, it is important to understand the requirements for safety-related parameters.
Defining “Safety-Related Parameter”
To better understand safety-related parameters, start with [1, 5.2.7].
5.2.7 Safety—related parameters
ISO 13849-1:2015
The following applies in addition to the requirements of Table 9.
When safety-related parameters, e.g. position, speed, temperature or pressure, deviate from preset limits the control system shall initiate appropriate measures (e.g. actuation of stopping, warning signal, alarm).
If errors in manual inputting of safety-related data in programmable electronic systems can lead to a hazardous situation, then a data checking system within the safety-related control system shall be provided, e.g. check of limits, format and/or logic input values.
Key concepts
- A safety function is a control function whose failure results in an immediate increase in risk. Therefore, if a control function for speed, temperature, pressure, etc. can fail in a way that will immediately increase the risk, then that control function is a safety function.
- Deviations from preset values must be detected. Some parameters, such as speed, have allowable deviations to take normal operating deviations into account.
- Where parameters are manually input or where they can be manually adjusted, e.g., via an HMI or other manual input controls, incorrect or out-of-range inputs must not be accepted. A data verification system is required.
- Errors in the safety-related parameters detected by the control system must result in appropriate control response, such as a safety-related stop or an alarm.
Real-life examples
Several failures related to safety-related parameters have come to light in the past few years, including the release of phosgene gas at the DuPont facility in Belle, WV and the Oldsmar, Florida water system hack.
DuPont Chemical
Over many years, a series of poor management and maintenance decisions led to the release of phosgene gas in January 2010. Phosgene is extremely poisonous and was used as a chemical weapon during World War I, where it was responsible for 85,000 deaths. It was a highly potent pulmonary irritant and quickly filled enemy trenches due to it being a heavy gas [17].
The plant in Belle had experienced several safety-related failures leading up to the phosgene release. The US Chemical Safety Board put together the video below about the accident. Incorrect equipment settings in the alarm monitoring system contributed to the incidents that just preceded the fatality [3], [16].
Watch for the description of the methyl chloride release starting at 2:23 and the handling of alarms generated by the plant control system at 2:50, 5:27, and 8:16. I’ll be discussing alarms and indicators in my 2022-10-10 post, so watch for that post if you are interested in alarms.
Oldsmar, Florida
Oldsmar is a city of about 15,000 people in Pinellas County, about 24 km (15 miles) west of Tampa, Florida.
In the water system hack, the attacker gained access to the water treatment system, briefly increasing sodium hydroxide (lye) levels from 100 parts per million (ppm) to 11,100 ppm. Sodium hydroxide is added to the water as an antiseptic. The hacker reduced the levels shortly after increasing them, however, had the levels been left where they were set, they could have put thousands at risk of being poisoned [4], [5], [18], [19].
Investigators say a plant operator monitoring the water plant in the Tampa Bay city of Oldsmar noticed breaches starting on Friday, 2021-02-05. The hacker was using the computer system’s mouse remotely — opening various functions on the screen and changing the sodium hydroxide in the water supply [12].
Contributing factors
Poor cybersecurity was a significant part of the problem [6]. The hacker gained access to the control system using TeamViewer, a remote access software platform installed on the system to permit remote system management. The software had been dormant for about six months before the hack. The system was set up with shared credentials. If the city had implemented cybersecurity protocols, the software would have been removed from the system once it was no longer required. Access credentials would have been closely controlled. A “zero trust” approach might have been implemented, ensuring that only those who specifically required access for their work would have been granted credentials for the system. Cybersecurity protocols for industrial machinery are required by ISO 12100 [7] and ISO/TR 22100-4 [8].
If the control system had been designed in conformity with ISO 13849, it would have had a data-checking system that would not have permitted an out-of-range setting. This would have ensured that, even with the cybersecurity failure, the attacker would not have been able to set the sodium hydroxide feed level above safe levels. In this case, no harm was done because a supervisor saw his mouse cursor moving on its own and the concentration being changed on his computer screen. He immediately reverted the setting [14]. So far, no motivation for this hack has been determined, and the attacker has yet to be identified.
Read more
Each of the safety-related parameters identified in the table comes with design challenges. You can read more about each in the following articles:
Safe speed and safe standstill
Fluctuations, loss and restoration of power sources
Indications and alarms (coming 2022-10-10)
Courses
If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:
- with a review of machinery risk assessment
- developing the Safety Requirement Specifications
- analyzing your design
- developing the validation documentation, and
- developing the validation test procedure
This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent and are still not confident about using ISO 13849, this course is a good choice for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.
References
[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. International Organization for Standardization (ISO). 2015.
[2] Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional, IEC 61800-5-2. International Electrotechnical Commission (IEC). 2016.
[3] US Chemical Safety Board, Fatal Exposure: Tragedy at DuPont. 2011.
[4] A. Vera, “Someone tried to poison a Florida city by hacking into the water treatment system, sheriff says”, CNN, 2021. [Online]. Available: https://www.cnn.com/2021/02/08/us/oldsmar-florida-hack-water-poison/index.html. [Accessed: 03- Sep- 2022].
[5] A. Marquardt, “Florida water treatment facility hack used a dormant remote access software, sheriff says”, CNN, 2021. [Online]. Available: https://www.cnn.com/2021/02/10/us/florida-water-poison-cyber/index.html. [Accessed: 03- Sep- 2022].
[6] B. Fung and A. Marquardt, “Hacked Florida water plant reused passwords and had aging Windows installations”, CNN, 2021. [Online]. Available: https://www.cnn.com/2021/02/11/us/florida-water-plant-hack/index.html. [Accessed: 03- Sep- 2022].
[7] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100. International Organization for Standardization (ISO). 2010.
[8] Safety of machinery — Relationship with ISO 12100 — Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects, ISO/TR 22100-4. International Organization for Standardization (ISO). 2018.
[9] “Oldsmar’s Cyber Attack Raises the Alarm for the Water Industry”, GovTech, 2021. [Online]. Available: https://www.govtech.com/sponsored/oldsmars-cyber-attack-raises-the-alarm-for-the-water-industry.html. [Accessed: 03- Sep- 2022].
[10] “Oldsmar Water Cyber Attack: Lessons Learned | Bedrock Automation®”, bedrockautomation.com, 2022. [Online]. Available: https://bedrockautomation.com/oldsmar-water-cyber-attack-lessons-learned/. [Accessed: 03- Sep- 2022].
[11] V. Comber-Wilen, “One year after the Oldsmar water breach, some experts question the utility’s cybersecurity”, WUSF Public Media, 2022. [Online]. Available: https://wusfnews.wusf.usf.edu/politics-issues/2022-02-04/one-year-after-the-oldsmar-water-breach-some-experts-question-the-utilitys-cybersecurity. [Accessed: 03- Sep- 2022].
[12] J. Pegues, “Feds tracking down hacker who tried to poison Florida town’s water supply”, cbsnews.com, 2021. [Online]. Available: https://www.cbsnews.com/news/florida-water-hack-oldsmar-treatment-plant/. [Accessed: 07- Sep- 2022].
[13] B. Krebs, “How Cyber Safe is Your Drinking Water Supply? – Krebs on Security”, krebsonsecurity.com, 2021. [Online]. Available: https://krebsonsecurity.com/2021/06/how-cyber-safe-is-your-drinking-water-supply/. [Accessed: 07- Sep- 2022].
[14] B. Krebs, “What’s most interesting about the Florida water system hack? That we heard about it at all. – Krebs on Security”, krebsonsecurity.com, 2021. [Online]. Available: https://krebsonsecurity.com/2021/02/whats-most-interesting-about-the-florida-water-system-hack-that-we-heard-about-it-at-all/. [Accessed: 07- Sep- 2022].
[15] L. Abshire, “UPDATE: Oldsmar Water Hack”, www.uscybersecurity.net. [Online]. Available: https://www.uscybersecurity.net/cyberNews/oldsmar-water-hack-update/. [Accessed: 07- Sep- 2022].
[16] “CSB Investigation Finds Three DuPont Accidents in Belle, West Virginia, Resulted from Numerous Safety Deficiencies including Lack of Safe Equipment Design, Ineffective Mechanical Integrity Programs, and Incomplete Investigations of Previous Near Misses – Investigations – News | CSB”, csb.gov, 2011. [Online]. Available: https://www.csb.gov/csb-investigation-finds-three-dupont-accidents-in-belle-west-virginia-resulted-from-numerous-safety-deficiencies-including-lack-of-safe-equipment-design-ineffective-mechanical-integrity-programs-and-incomplete-investigations-of-previous-near-misses/. [Accessed: 07- Sep- 2022].
[17] “Phosgene – Wikipedia”, en.wikipedia.org. [Online]. Available: https://en.wikipedia.org/wiki/Phosgene. [Accessed: 08- Sep- 2022].
[18] Cyberwire, Inc., “Almost too much lye in the water, down Florida-way. BlackTech’s new malware strain. Huawei says it’s OK if the White House calls.”, CyberWire Daily, 2021. [Online]. Available: https://podcasts.apple.com/ca/podcast/almost-too-much-lye-in-the-water-down-florida-way/id1071831261?i=1000508379551. [Accessed: 21- Sep- 2022].
[19] CyberWire, Inc., “Spyware in the Subcontinent. Notes on cyber fraud, cyber theft, and ransomware. The US gets a chief to lead response to Solorigate. Updates on the Florida water system cybersabotage.”, CyberWire Daily, 2021. [Online]. Available: https://podcasts.apple.com/ca/podcast/spyware-in-the-subcontinent-notes-on-cyber-fraud/id1071831261?i=1000508646610. [Accessed: 21- Sep- 2022].
© 2022, Compliance inSight Consulting Inc. 
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
