Considering Security Aspects in Safety Environment. Dipl.-Ing. Evzudin Ugljesa

Transcription

1 Considering Security spects in Safety Environment Dipl.-ng. Evzudin Ugljesa

2 Overview ntroduction Definitions of safety relevant parameters Description of the oo4-architecture Calculation of the FD-Value Markov Model of the oo4-architecture Calculation of the MTTF-value Evzudin Ugljesa

3 Overview Safety-ntrusion Description of the oo4s-architecture Markov Model of the oo4s-architecture Exemplary Calculation of the MTTF-value Exemplary Calculation of the FD-value Conclusion Evzudin Ugljesa 3

4 ntroduction Spreading of failure rates (λ) Evzudin Ugljesa 4

5 ntroduction Fault tolerance is a particular technique that allows building systems that preserve the delivery of their expected or a minimum service, despite the presence of errors caused by faults within the system itself. Evzudin Ugljesa 5

6 ntroduction EC 658 defines the redundancy in safety systems with Hardware Fault Tolerance, which determines how many failures can occur in a redundant system without impairing the functional safety. Redundant architectures are, depending on the planed structure, efficient means to achieve either the reliability, safety or both. Redundancy classification: hardware redundancy (more hardware than needed) software redundancy (different version of tasks) time redundancy (scheduler has some extra time) information redundancy (detected and /or recovered) Evzudin Ugljesa 6

7 Common Cause Failure Common cause failures, result from a single cause, may affect more than one channel. These may result from a systematic fault or an external stress leading to an early random hardware failure. Evzudin Ugljesa 7

8 Description of the oo4-architecture Specification of oo4-safety related architecture: Four independent channels, with an input circle, nput channel Safe logic solver Output channel Output channel a safe processing unit and nput channel B Safe logic solver Output channel Output channel two serial output circles. Sensor nput channel 3 C Safe logic solver Output channel Output channel nput channel 4 D Safe logic solver Output channel Output channel ctuator connecting element Operating mode of oo4-architecture: To trigger the safe function at least two of the four channels must work correctly. dangerous breakdown of the system is generated if three of the four channels have dangerous failures themselves. Evzudin Ugljesa 8

9 FD-Calculations for Single Failures General FD avg -equation: FD avg,single (T) = 4 6 ( λ D ) 3 T 3 4 D FD avg single (T ) = T = D D D3 3 T 4 T ( t ) Single failures result from the FD of a oo3-system, extended with the factor four, because in four channels there are four possibilities that in two channels a failure exist: 4 ( t) ( t) 3 The result for single failures for the case that all channels have the same failure rate λ = λ = λ = λ with = t CE t GE t SE ( t) The probability of single failure for the oo4-system (for a case that all channels have the same failure rate) is FD avg,single (T) = ( λ D ) 3 T 3 Evzudin Ugljesa 9

10 FD-Calculations for CCF When determining the FD avg this kind of failure is rated for a multi channel system through the β-factor: There are two CCF modes and with assumptions that: λ = β λ C = β λ C D λ a dangerous undetected common cause failure occurs within the time period T MTTR (with the weight β) and a dangerous detected common cause failure occurs within the repair time MTTR (with the weight β D ). The FD avg, β value for common cause failures with the weight β: FD avg, β = βλ D D D ( T MTTR) MTTR Evzudin Ugljesa β λ

11 FD avg -equation for oo4-system The FD avg equation of a oo4-system taking into account the normal failures and the common cause failures: FD avg 3 3 T ( T ) = ( λ D ) T β λ MTTR β D λ MTTR Single failures Common-Cause failures ote: The CCF occur in all system channels at the same time and the probability of a CCF is the same in a oo-, oo3- and a oo4-system Evzudin Ugljesa

12 Markov model of a oo4-architecture The arrows represents the transition functions of the System. Labels of transitions correspond to events like repair or life-time. nput channel Safe logic solver Output channel Output channel nput channel B Safe logic solver Output channel Output channel Sensor nput channel 3 C Safe logic solver Output channel Output channel nput channel 4 D Safe logic solver Output channel Output channel ctuator connecting element Evzudin Ugljesa

13 Markov model of a oo4-architecture Evzudin Ugljesa 3

14 Markov model of a oo4-architecture Evzudin Ugljesa 4

15 Markov model of a oo4-architecture Evzudin Ugljesa 5

16 Markov model of a oo4-architecture Evzudin Ugljesa 6

17 Markov model of a oo4-architecture Evzudin Ugljesa 7

18 Markov model of a oo4-architecture Evzudin Ugljesa 8

19 Mathematical description of MTTF This steps are necessary to determine the MTTF for a system: Determine the -matrix (also known as reliability matrix). Determine the M-matrix. M = Determine the -matrix. = M Determine the MTTF value. To calculate the MTTF value from a system described as a Markov model the sum of all elements from the first row of the -matrix has to be calculated. ote: for the oo4 Markov model exists the transition matrix which includes a 6 x 6 matrix. Evzudin Ugljesa 9

20 MTTF-equation for oo4-system The MTTF term of a oo4-system has the following form, particularly the parameters to 4 : MTTF oo4 = λ 4λ λ 3 λ 3 6 Evzudin Ugljesa

21 Safety-ntrusion Supervisory Control and Data cquisition System Evzudin Ugljesa

22 Safety-ntrusion Critical systems are systems in which defects could have a dramatic impact on: human life, the environment or significant assets. Safety critical software is the software that implements a critical decision-making process, controls or monitors safety critical functions, intervenes when an unsafe condition is present or imminent, handles safety critical data including display of safety critical information used to verify and validate safety critical software Evzudin Ugljesa

23 Safety-ntrusion Several standards and guidelines give advice on the development of qualitative and quantitative criteria to evaluate safety related systems, in order to apply these in safety critical applications. Stuxnet-Virus (Buschehr/ ran in the end of ovember ) The impact and consequences of this Safety-ntrusion are not known! Evzudin Ugljesa 3

24 Safety-ntrusion Targeted ttack : 355 Respondents Evzudin Ugljesa 4

25 Safety-ntrusion Types of attacks experienced by percent of respondents Regressive! uality! : 49 Respondents Evzudin Ugljesa 5

26 Safety-ntrusion Failure Rates in the case of Safety-ntrusion Evzudin Ugljesa 6

27 oo4s-safety Safety-ntrusion Model dditional System States due to Safety-ntrusion Evzudin Ugljesa 7

28 oo4s-safety Safety-ntrusion Model Hardware dependent states (light-colored) Software dependent states (dark-colored) State 8 State 9 Evzudin Ugljesa 8

29 oo4s-safety Safety-ntrusion Model Markov Model with 9 States Evzudin Ugljesa 9

30 oo4s-safety Safety-ntrusion Model Safety-ntrusion Markov model under the condition of one-way influence (Software Hardware) Evzudin Ugljesa 3

31 oo4s-safety Safety-ntrusion Model Safety-ntrusion Dangerous Detected CCF have directly a influence on Hardware Dangerous Detected CCD Evzudin Ugljesa 3

32 Evzudin Ugljesa 3 Safety Safety-ntrusion MTTF ntrusion MTTF = K K K K K K K K K K K ) ( 4 3 LT D LT LT R D S S S oo µ µ α δ µ µ µ µ µ µ λ µ µ λ β λ λ α λ Complexity of a Markov Model (oos = x Matrix ; oo4s = 9x9 Matrix)

33 Safety-ntrusion MTTF The oo4s-safety-ntrusion Matrix with 9x9 States is too large in order to display on one slide λ λ 5 α 6 α 7 δ D α α 8 α α 9 ( β λ λ δ α α ) Evzudin Ugljesa 33

34 Evzudin Ugljesa 34 Safety Safety-ntrusion MTTF ntrusion MTTF = S oo = S oo = = M n n n = M ote: Each parameter stands for Matrix by its own!

35 Evzudin Ugljesa 35 Safety Safety-ntrusion MTTF ntrusion MTTF = n = = 6 ) ( ) ( α α α α α α α α α α α 4 3 =

36 Safety-ntrusion MTTF Comparing the MTTF results for oo4 and oo4s architecture MTTF oo4 = 4 λ 4 λ 3 λ λ MTTF oo4s = b α 4α 4λ 6 α b 5 α 9 4λ b α ( 5 4c ( 5 7 λ ( 7 4b ) 6 8 4α α 5 α ) 4α 8 ) 43c 6 5b δ D α α Evzudin Ugljesa 36

37 Safety-ntrusion FD Comparing the FD results for oo4 and oo4s architecture FD avg,oo4 = 4 λ 3 D t CE t GE t SE β λ T MTTR β D λ MTTR FD avg,oo4 S = 8 6 λ 3 D α 3 D t CEλ t GEλ t SEλ t CEα t GEα t SEα T β λ MTTR λ β D λ MTTR λ δ α 5 MTTR α δ D α MTTR α T ote: Common-Cause Faler is the dominant Factor! Evzudin Ugljesa 37

38 Summary Common cause defense can only be achieved through a number of mechanisms: hysical separation of redundant units: The worst implementation has redundant circuits on the same circuit board. The best implementation allows redundant circuits to be located in different cabinets. Diversity: The worst implementation has identical HW (and SW) in redundant units. The best implementation uses diverse components that respond differently to a common stressor. Robustness of HW (and SW): Other important parameters include the overall ruggedness of the system (and the use of a systematic audited SW development process). The right implementation of these three items allows the decrease of the β-factor as a critical parameter to an acceptable level. Evzudin Ugljesa 38

39 Conclusion Finally it can be concluded that the purpose of this presentation was to show the systematic approach from the set up of Markov model to the final step of calculating the MTTF value. Two different perception of a oo4-architecture were examined as a well known oo4-system and a oo4s-system architecture. This systematic approach can be applied to different safety related architectures and systems. dditionally in this presentation has been a new theory presented. Furthermore we must draw a distinction between developing threats and actual successful attacks. The method needs to be evaluated on realistic system to establish what level of accuracy can be achieved in practice. ( we work on it!) Evzudin Ugljesa 39

40 uestions? oo?! oo?! oo3?! Evzudin Ugljesa 4