For many people, the words “wireless” and “security” in the same project remain incompatible, yet as we continue to advance and gain confidence in these new technologies, it is likely to only be a matter of time. As we know, safety systems are based on the concept of Independent Protection Layers (IPL). ISA-84, which is responsible for development of safety system standards, has taken the first step by developing Technical Report (TR) "ISA-TR84.00.08-2017, Guidance for Application of Wireless Sensor Technology to Non-SIS Independent Protection Layers," published last year.
The report describes additional lifecycle considerations that should be addressed when wireless technology is used in an IPL where the risk reduction claimed is less than or equal to 10, which is similar to what is claimed by a basic process control system (BPCS). The TR presumes that the risk analysis team has already determined that the protection layer, including the wireless sensor, network and communications, meets the specificity and independence criteria. The authority having jurisdiction (typically the owner/operator or local regulatory authority), as part of their Layers of Protection analysis, can assign a risk reduction factor of less than or equal to 10 (non-SIS IPL) to wireless-based systems, with the TR providing the guidance and considerations for the use of wireless systems in the process sector.
To assist in achieving the benefits of the IPL, the TR provides information on how to establish a design that satisfies the dependability and auditability criteria. Included in those considerations are:
- Mesh as well as point/multipoint systems access the control system at Level 1 (I/O) or Level 3 (process control) and are part of the control network entering the control system on the same side of the DMZ. There are, however, some organizations that connect their wireless sensor networks through the DMZ, in which case this TR would no longer be valid without additional analysis by the owner/operator.
- Some means should be provided to automatically detect and flag stale data at the host end of the data path.
- A network manager and security manager are necessary for each wireless system.
- The host interface should incorporate diagnostic notifications (i.e. stale data, low battery, loss of signal, unauthorized configuration changes, and loss of gateway connection) necessary to monitor the basic health of the wireless sensor network.
- Overall IPL Response Time (IRT) including wireless sensor latency should include failure detection and interference.
- Systems relying on a publication method should be designed to respond in a fail-safe manner whenever it is determined that data is stale.
- An operator response plan to the wireless notifications should include operator response time and actions required to mitigate safety issues. A critical scenario that should be considered in the response plan is the case of a general failure of the wireless network that results in complete loss of view to an area.
- A revision management system should be in place to keep the devices and systems at the proper revision and embedded software levels. When changes are made to application program, embedded software or utility software, those changes should be reviewed to identify any impact on the overall safety availability or reliability of the equipment.
Additional guidance in the document includes Table 3, which shows a matrix of security threats and countermeasures for wireless sensor networks as well as two tiers of suggested key performance indicators (KPIs) with five high-priority and eight low-priority KPIs intended to give an indication of the health of the system.
Due to the additional uncertainties of measurement and communication timing inherent in the application of wireless technology, implementation of safety instrumented functions has been specifically been excluded from the document.
There are other initiatives underway to improve safety buses and verify the integrity of their communications, with some of those lessons being applicable to the wireless realm and transferable to this digital communications platform.
Though wireless is not yet quite ready for safety systems, at least in the process realm, it will likely only be a matter of time. Applying wireless as an IPL is simply step one in the process.
About the author: Ian Verhappen