As Industrial plants have become much more complex, we look at some of the critical requirements and safety expertise for critical infrastructures and Industrial plants.
Industrial plants have become much more complex in the past few years, as have legal requirements. How does this affect operators and safety engineers? Are their qualifications still enough? Here we take a look at the situation and offer advice.
By now, most have realized that Industry 4.0 is not just hype that will disappear by itself. Fundamental processes will change, if they haven’t already, especially in automation technology. For plant manufacturers and operators, this also means that legal requirements will become stricter.
When I started my first project as a safety engineer ten years ago, the situation was very different. IEC standards were still quite new and not effectively implemented, and no one was talking about cybersecurity.
Requirements have become much greater
Since then, the scope of functional safety has become considerably greater and the innovation cycle significantly shorter. Demonstrating safety has become a much more complex undertaking, involving many different tasks. Take for instance the development of software for plant control. In the past, people simply developed what was needed for functional safety. Today that is unthinkable. First of all, comprehensive specifications must be drawn up. What functions are needed? How should these be implemented? How will they be tested? What dependencies could occur with other systems and plants? What risks can you expect, and what can be done to minimize them? These are all considerations that must be answered in advance.
Plants that must adhere to the Seveso III Directive (source: https://en.wikipedia.org/wiki/Directive_2012/18/EU) or emissions regulations will need to provide inspection organizations with the answers to these questions. But even in cases where the plant manufacturer or operator is not yet obliged to comply with applicable standards, they should still do so. In the event of an incident, a state prosecutor will quickly become involved. Any company that has not worked in accordance to standards will have a problem. A reverse onus clause applies and the operator must prove that they are not responsible for the accident. Honestly speaking, would you be able to prove that you were not responsible in such a situation?
A single action is not enough
So how can you face these heightened demands? First of all, you need to examine these three areas more closely:
1. Technology: To gain certification, newly developed safety controllers must ensure safety by design and fulfill requirements that are much stricter than in the past. Cybersecurity will play an increasing role in this, which we will explore later in this article.
2. Organization: Do your existing processes fit the changing safety situation? Is your risk management measured sufficiently? There is no answer to these questions that will apply across the board – they require detailed analysis.
3. Qualification: Do you have sufficient up-to-date safety expertise or are you able to access it from external sources? Even if this is this case, it is important to ensure knowledge is regularly refreshed and shared, for example in certified training courses.
One-off actions are not enough, especially with regard to organization and qualification. At the latest, plants and processes that are subject to Seveso III must be subjected to risk analysis and assessment every five years. With this, you can also see whether new risks have emerged or document any unnecessarily hazardous operations.
In times of increased cyberattacks, it is likely that this time period will shorten in the future. Hackers are using ever more sophisticated methods in order to gain access to systems. Since the TRISIS/TRITON attack at the end of 2017, the Industry can no longer ignore the issue.
Two options for better plant safety
There are two ways to address the changing safety market. It is possible for you to establish the necessary competencies yourself. There are training courses on offer for individual safety engineers as well as whole teams. You will of course require the staff resources for this. This path can be difficult to plan, especially in view of the worsening labor market.
Another way is to outsource the three areas mentioned above. Your supplier for safety controllers must then ensure that any hardware you use meets all requirements and can be adapted to meet future standards. They should also have the knowledge to advise you on creating a comprehensive safety concept and even develop it if required. Engineers supplied by the external service provider must be guaranteed as certified, and the supplier should be able to prove this.
Cybersecurity requires experience
In light of the abovementioned cyberattacks, it is worth choosing a service provider that has gained expertise in cybersecurity over many years. Since the issue has been covered in all kinds of media, corresponding safety services are growing in presence all over.
It certainly makes sense to question whether they are backed up with sufficient experience.
By: Ivo Hanspach, Director of Product Management, HIMA