Article

Designing Control and Protection Systems with Regard to Integrated Functional Safety and Cybersecurity Aspects

Faculty of Electrical and Control Engineering, Gdańsk University of Technology, 80-233 Gdansk, Poland
Energies 2021, 14(8), 2227; https://doi.org/10.3390/en14082227
Submission received: 1 March 2021 / Revised: 8 April 2021 / Accepted: 14 April 2021 / Published: 16 April 2021

Abstract
This article addresses current problems of risk analysis and probabilistic modelling for functional safety management in the life cycle of safety-related systems. Two main stages in the lifecycle of these systems are distinguished, namely the design and operation. The risk analysis and probabilistic modelling differ in these stages in view of available knowledge and data. Due to the complexity and uncertainty involved, both qualitative and quantitative information can be useful in risk analysis and probabilistic modelling. Some methodological aspects of the functional safety assessment are outlined that include modelling of dependent failures or cybersecurity and verifying the safety integrity level (SIL) under uncertainty. It is illustrated how the assumptions in the process of risk analysis and probabilistic modelling influence results obtained and, therefore, potentially the decisions taken in functional safety management. Programmable control and safety systems play an important role in mitigating and controlling risks in the operation of hazardous installations. This paper presents ways to deal with safety hazards involving such systems to be considered in risk analysis and integrated functional safety and cybersecurity management.

1. Introduction

Emerging threats have significant potential to destructively impact the operation of technical systems, hazardous facilities, and critical infrastructure systems or networks. Therefore, the risks of major accidents with severe consequences that can happen in hazardous industrial plants have to be systematically assessed and properly managed across the entire life cycle [1,2,3]. Safety and security issues are two different groups of functional requirements for industrial systems; this is one of the main reasons why the analyses of safety and cybersecurity should not be integrated directly. They should instead be integrated using one of the specified approaches: the Common Criteria approach, the SecureSafety (SeSa) methodology, the ring protection model, or the IEC 62443 standard. The guidelines and details of these methods are presented in publications [1,2]. This article presents one of the proposed approaches, which consists of integrated analysis of safety and security in the probabilistic modelling of the safety integrity level verification process. This integrated methodology has limited application in information technology (IT), but offers many opportunities in operational technology (OT). The proposed integrated approach is useful in the engineering design of control systems as well as protection systems, and it can also be used throughout the whole life cycle of critical installations. Automation systems in process installations have integral systematic proof tests and the most sophisticated construction of safety control systems; at the same time, these systems are the most vulnerable to cyber-attacks via an industrial computer network.
One of the main objectives of functional safety analysis is determining the required safety integrity level (SIL) for the safety-related functions to be realized by safety-related systems. According to IEC 61508, an interval probabilistic quantitative criterion is defined for each SIL (1 to 4). The functional safety analysis procedure usually does not include security aspects. In the case of a distributed control and protection system, this can have practical significance and may affect the results of determining as well as verifying the SIL within the functional safety analysis [1,2].
An important part of the safety and security management system is the functional safety and security sub-system. Its purpose is to reduce some risks using safety-related technology of the programmable control and protection systems, such as electric/electronic/programmable electronic (E/E/PE) systems [4] or safety instrumented systems (SISs) [5]. These systems are applied for implementing defined safety-related functions (SRF) and are characterized by appropriate configuration/architecture to fulfil relevant safety integrity requirements.
If layers of protection in a hazardous plant have to be applied due to high risk, then the layer of protection analysis (LOPA) is of interest [6,7]. In such a plant, an alarm system (AS) should be properly designed to include a relevant human-system interface. An important issue is to design a safety-related decision support system. This article addresses some methodological issues of functional safety and security analysis and management in hazardous plants, as well as in those where layers of protection according to the defence in depth (DinD) concept are applied in the industrial installation [5]. Cybersecurity factors contribute positively to maintaining the high reliability and productivity of industrial plants [8,9]. If these factors are not properly considered and shaped in practice, they can influence the system negatively, either before or during abnormal situations and potential accidents [1].
We emphasize that the functional safety and cybersecurity management in a life cycle should be treated as a complex interdisciplinary problem with a number of coordinated tasks requiring integration of relevant knowledge and data from various sources using suitable and effective methods with regard to uncertainty issues [8,10]. Some important areas of functional safety analysis and management are identified that require additional research effort to develop more integrated methods and tools (next-generation) that would support functional safety analysts, designers, and users of functional safety technology in a more compatible way [11,12]. The results of this effort would be valuable for functional safety specialists [13], who face methodological difficulties, such as designers or operators in the industry [14,15,16].

2. Issues of Determining the Required Safety Integrity Level of Safety Functions

2.1. Functional Safety Requirements

The SIL of a given safety-related function (SRF) is presented by numbers 1 to 4 and is bound to the needed risk reduction when the SRF is implemented in regard to IEC standards [1]. Figure 1 shows the assignment of safety requirements to a protection function using E/E/PE and other technologies [4,17].
For safety functions implemented using the safety-related system, two types of interval probabilistic criteria are defined in the IEC 61508 standard (Table 1) for two modes of operation [4,5]:
  • the probability of failure (average) PFDavg for the safety function system operating on demand; or
  • the frequency (probability of a dangerous failure per hour) PFH.
Figure 2 shows the typical configuration of a safety system, which consists of three subsystems, generally in koon configuration: (A) sensors, (B) safety PLC (programmable logic controller), and (C) final elements.
The risk of potential hazardous events can be rationally reduced in the context of evaluated categories of the frequency of unwanted occurrence (W) and consequences (N) (Table 2) [4]. The total probability of safety system failure for the case considered has to be reduced to the value shown on the right side of the arrow ↓ (to obtain reduced frequency (F) of given category from a to d). As shown, the required SIL level of the defined safety function to be implemented depends on the possibility of failing to avoid a hazardous event using other safety measures (x, y, or z as described below Table 2) [17]. In cases denoted as b a single SIS is not enough, and an additional protection layer has to be designed.
The risk matrix defined (Table 2) can be modified, e.g., to take into account some societal values and an aversion to major accidents with serious consequences. It would change SIL requirements to be assigned to the E/E/PE or SIS (increased SIL—high consequences), or the necessity to design an additional safety layer.
To fulfil the requirements of a higher SIL (3 or 4) assigned to the safety function, an appropriate configuration of the E/E/PE system or SIS is to be designed, e.g., 1oo2, 2oo3, or 2oo4.

2.2. Cybersecurity Approach

In cybersecurity there are two main approaches: the Evaluation Assurance Level (EAL) and the Security Assurance Level (SAL). The Evaluation Assurance Level is based on the Common Criteria standard [18], ranging from EAL1 (minimal requirements) to EAL7 (the highest requirements). Each Evaluation Assurance Level can be described as: EAL1—functionally tested; EAL2—structurally tested; EAL3—methodically tested and checked; EAL4—methodically tested, designed and reviewed; EAL5—semi-formally designed and tested; EAL6—semi-formally verified design and tested; EAL7—formally verified design and tested [18].
Another approach to cybersecurity evaluation for industrial control systems (ICS) is IEC 62443 [3]. A definition of Security Assurance Level (SAL) has been introduced in this standard. There are four security levels (SAL1 to 4) and they are assessed for a given security zone using a set of 7 functional requirements (Table 3).
The SAL is a cybersecurity measure concerning industrial control systems ICS. It is evaluated on a defined vector of seven requirements for a relevant cybersecurity zone [3]:
$$ SAL = \{AC,\; UC,\; DI,\; DC,\; RDF,\; TRE,\; RA\} \qquad (1) $$
where: AC—identification control; UC—use control; DI—data integrity; DC—data confidentiality; RDF—restricted data flow; TRE—timely response; RA—resource availability.
Results of a cybersecurity analysis of a given industrial control system can be divided into some general categories, for example, a qualitative description with defined cybersecurity levels such as: low, medium, or high-level of cybersecurity [9]. The EAL [18] or SAL [3] determined for a given solution is taken into account during the functional safety analysis (Table 4) [9].
Due to the nature of threats and known vulnerabilities, the security risk assessment shall be event-driven or subject to periodic cybersecurity review [19]. Figure 3 shows the possible effects of security risks in this context on a safety-related control system [19,20].
The safety risk assessment should be made in advance of any cybersecurity risk considerations [19]. Its results (inherently safe design measures, safeguarding, and risk reduction measures of a machine) should then be analysed regarding possible vulnerabilities to cyber-attacks (threats). The following are guidelines for a step-by-step approach to limit or restrict IT security threats and vulnerabilities [19,20].
Requirements concerning cybersecurity-related aspects are considered with regard to the requirements of a series of international standards: IEC 62443 [3], IEC 63074 [20], ISO/IEC 15408 [18], ISO/IEC 27000 [21], ISO/IEC 27001 [22] and ISO/IEC 27005 [23]. In general, a security risk assessment is based on a product/system in its environment to which threats and known vulnerabilities are applied [24]. This activity aims to define relevant (counter)measures to fulfil the overall security objectives [24,25,26,27].
Some of the risk factors to be taken into account when carrying out this type of analysis have an impact on the estimated value of the frequency or likelihood of some of the consequences [28]. The risk is defined as:
$$ R = F \times C \qquad (2) $$
where the frequency F of occurrence of some scenario associated with certain consequences C is dependent on several factors, including the reliability of technical solutions used in the analyzed system [9].
Analysing such a system in terms of cybersecurity can result in detecting certain vulnerabilities, which may increase the risks associated with the overall system. In most cases, this will increase the frequency of occurrence of a certain scenario; therefore, assuming that the consequences are constant (C = const), it can be said that:
F R V
The system vulnerability can be measurable and expressed by the level of security, taking into account the countermeasures introduced to the system which may mitigate these vulnerabilities [11,27]. Considering the stage of identifying hazards in the system, which is a very important part of defining the required safety-related functions, there is a need for determining the possible causes, consequences, and frequency of occurrence for every described hazard or scenario [29].

2.3. The Risk Cube Methodology

The vulnerability of a system can be measurable and expressed through the level of information protection taking into account the countermeasures put in place to mitigate this vulnerability [1,30].
The risk of human, environmental and economic losses in the functional safety analysis is determined by taking into account the identified environmental hazards and technical disturbances (internal disturbances caused by human errors or external disturbances from the industrial installation).
In a broader perspective, the complementary analysis of information security should take into account threats related to the unfriendly intentions of intruders located inside or outside a given facility, as well as possible terrorist activities under certain conditions [1,2]. The risk measure Rij in the annual period, for the i-th threat and the j-th defined emergency scenario in the considered facility/system, is proposed to be determined in accordance with the formula:
$$ R_{ij} = f_i \cdot V_{ij} \cdot C_{ij} \qquad (4) $$
where: fi—frequency of occurrence of the i-th hazard situation (an event initiating an abnormal emergency situation) due to intentional action; Vij—the vulnerability of a given object, expressed by the conditional probability that the j-th level of effects will occur for this hazard situation; Cij—a measure of the consequences (e.g., human, environmental or economic losses) resulting from the emergency event under consideration; economic risk has a monetary unit value per year.
The vulnerability can be reduced by using appropriate technical (security rings, security technologies) and organisational solutions (e.g., training programs, procedures in the security management system). The risk is similarly defined in the context of functional safety:
$$ R_{kj} = f_k \cdot PFD_{kj} \cdot C_{kj} \qquad (5) $$
where: fk—the frequency of k-th risk situation due to internal or external interference; PFDkj—the probability of failure to perform the safety-related function on demand for the system of the j-th level of effect; PFDkj is determined based on models in reference to the requirements of the general standard IEC 61508 or sector standard IEC 61511.
Based on (4) and (5), assuming additivity of the risk measures, the aggregate risk associated with the j-th level of effect can be estimated from the relationship:
$$ R_j = \sum_i R_{ij} + \sum_k R_{kj} \qquad (6) $$
The determined risk measures can be used in the analysis of costs and effects of the proposed solutions of security systems, including layers of protection and ring ones, for functional safety and information security solutions, respectively. The practical importance, but also the challenge of developing new methods of risk analysis and assessment for the integrated functional safety and information security management of computer control and protection systems in conditions of usually high uncertainty should be stressed [9,31].
Table 5 contains a risk matrix on specific issues related to industrial network cybersecurity and its impact on the operation of the critical infrastructure system. The risk degree of Rcs (cs—cybersecurity) in a given case is related to the security assurance level SAL.
Table 6 presents a risk matrix regarding information security issues in the critical infrastructure facility [2]. The degree of risk Rsec (low, medium, high, or very high) in a given case is related to the evaluation assurance level EAL.
The next table (Table 7) presents the risk matrix regarding functional safety issues. The degree of risk Rfs (fs—functional safety) in a given case is referenced in safety integrity level SIL.
Assuming that the criticality of consequences for functional safety and cybersecurity impacts are the same Cfs = Ccs = C, the integration can be presented as a Risk Cube.
The proposed integration of functional safety and cybersecurity issues at the risk analysis stage is shown in Figure 4 and Figure 5.
In this case:
$$ R = R_{fs} + R_{cs} = C_{fs} \cdot P_{fs}\,(\text{or } F_{fs}) + C_{cs} \cdot P_{cs}\,(\text{or } F_{cs}) = C \cdot P\,(\text{or } F) \qquad (7) $$
Assuming that Cfs = Ccs = C:
$$ R = C \cdot \left( P_{fs}\,(\text{or } F_{fs}) + P_{cs}\,(\text{or } F_{cs}) \right) \qquad (8) $$
where: R—risk; Rfs—risk related to functional safety aspects; Rcs—risk related to cyber threats; C—criticality of effects; Cfs—criticality of consequences related to functional safety aspects; Ccs—criticality of consequences related to cyber threats; Pfs—the probability of failure; Pcs—the probability of a cyber-attack; Ffs—frequency of failure; Fcs—frequency of a cyber-attack.
As above, functional safety and information security issues (expressed through the evaluation assurance level EAL) are integrated. Assuming that the criticality of consequences for functional safety and information security are the same Cfs = Csec = C, the integrated approach is presented in Figure 6 and Figure 7 (Risk Cube (SIL-EAL)).
In this case:
$$ R = R_{fs} + R_{sec} = C_{fs} \cdot P_{fs}\,(\text{or } F_{fs}) + C_{sec} \cdot P_{sec}\,(\text{or } F_{sec}) = C \cdot P\,(\text{or } F) \qquad (9) $$
Assuming that Cfs = Csec = C:
$$ R = C \cdot \left( P_{fs}\,(\text{or } F_{fs}) + P_{sec}\,(\text{or } F_{sec}) \right) \qquad (10) $$
Taking into account the definition of risk as a combination of the frequency or probability of the occurrence of a failure event and the consequences of that event, a simplified method is proposed below to determine the required SIL, taking into account information security and cybersecurity aspects.
Such an analysis is based on data obtained in the process of hazard identification occurring in the technical system, as well as an estimation of the level of risk associated with them. Some of the risk factors taken into account in carrying out such analysis have an impact on the estimated value of frequency or probability [30]. The part of the risk related to frequency parameters most often concerns the issues of hardware reliability [32,33].
In the process of integration of functional safety issues with information security, the concept of the so-called two-parameter function can be used [2]. If a low level of information security is estimated in the critical infrastructure system under consideration, the SIL requirements for the safety function may change. For the SIL requirements to remain unchanged, it becomes necessary to reduce the risks associated with the level of information security [34]. This involves raising the cybersecurity requirements (e.g., higher EAL level) for the system under analysis.

2.4. SIL Determining with Cybersecurity Aspects

The functional safety and cybersecurity goals are now the input to derive functional safety and security requirements [11,35]. Both of those factors are responsible for the final level of security taken into account in the functional safety risk assessment process (Figure 8).
The SIL or PL is determined based on several quantitative factors in conjunction with qualitative factors during the process of development and safety life cycle management. There are several methods to determine the SIL or PL for a chosen safety function. Some of the popular ones include: Risk Matrix, Risk Graph [4,5,11,26,30].
Figure 9 presents a general scheme for taking the security analysis results into account in the SIL or PL determination process.

3. Safety Integrity Level Calculation

3.1. Probabilistic Modelling of Safety-Related Subsystems

The quantitative method based on the reliability block diagram (RBD) is used for verifying the SIL. The probability of failure to perform the designed safety function on demand can be evaluated using the following formula:
$$ PFD(t) = 1 - e^{-\lambda_D t} = 1 - \left( 1 - \lambda_D t + \frac{\lambda_D^2 t^2}{2!} - \frac{\lambda_D^3 t^3}{3!} + \dots \right); \quad \text{when } \lambda_D t \ll 1:\; PFD(t) = 1 - e^{-\lambda_D t} \approx \lambda_D t \qquad (11) $$
where: λD—dangerous failure rate; t—time.
The average probability, assuming that all subsystems are tested with the same test interval TI, is calculated from formula (12) [4]:
$$ PFD_{avg} = \frac{1}{TI} \int_0^{TI} PFD(t)\,dt \qquad (12) $$
where: TI—test interval.
The frequency of a dangerous failure can be evaluated based on a formula as shown below:
$$ PFH \approx \frac{F(t)}{t},\; t \in (0, T) \approx \frac{F(T)}{T} = \frac{1 - R(T)}{T} = \frac{1 - \exp\left( -\int_0^T \lambda(t)\,dt \right)}{T} = \frac{1 - \exp(-\lambda_{avg} T)}{T}; \quad \text{when } \lambda_{avg} T \ll 1:\; PFH \approx \frac{\lambda_{avg} T}{T} = \lambda_{avg} \qquad (13) $$
where: λavg—average failure rate; T—time interval.
The architecture of equipment performing the safety function is represented by block diagrams distinguishing between subsystems and modules [36,37]. An example of the physical form of the E/E/PE system structure (BPCS or SIS) is shown in Figure 10.
There are three subsystems in the E/E/PE BPCS or SIS: sensors, logic solvers, and actuators. The presented structure consists of three sensors A, B, C in koo3 configuration, logical subsystem D (e.g., PLC), and actuators E and F (koo2).
Figure 11 shows an example of the structure of an E/E/PE or SIS system in the form of a reliability block diagram, assuming that the sensors subsystem has a configuration 1oo3 and the actuators subsystem a configuration 1oo2.
In the above diagram the common cause failure CCF1 for the sensors' subsystem from elements A, B and C and CCF2 for the actuators' subsystem from elements E and F are considered [4,36,38]. In the system from Figure 10, five minimal cut sets can be distinguished: {A, B, C}; {CCF1}; {D}; {E, F}; {CCF2}.
Figure 12 shows the E/E/PE or SIS system fault tree from Figure 11 including the common cause failure.
The average probability of failure on demand of the safety function for the system in Figure 11 can be determined from the sum of the probabilities for the individual subsystems:
$$ PFD_{avg} \approx PFD_{avg}^{ABC} + PFD_{avg}^{CCF1} + PFD_{avg}^{D} + PFD_{avg}^{EF} + PFD_{avg}^{CCF2} \qquad (14) $$
Similarly, the average frequency of a dangerous failure per hour PFH (for the system operating in high demand or continuous mode) can be determined as:
$$ PFH \approx PFH^{ABC} + PFH^{CCF1} + PFH^{D} + PFH^{EF} + PFH^{CCF2} \qquad (15) $$
Figure 13 shows an example of a programmable electronic system with two channels [4].
If potential common cause failures were not included in the probabilistic evaluation of the system, the safety integrity level of the entire system would be incorrectly determined (or verified) [32,35,36,37,38]. Figure 14 illustrates the contribution of common cause failures to the failures of the individual channels and of the entire 1oo2 system.
The β factor method is usually used in the modelling of potential common cause failures. The β factor method (Figure 15) can be also used to estimate the rate of the common cause failures, applicable to two channels operating in parallel with regard to the random hardware failures of these two channels [37,38].
The channel equivalent mean downtime tCE is evaluated from the equation [4]:
$$ t_{CE} = \frac{\lambda_{DU}}{\lambda_D} \left( \frac{TI}{2} + MTTR \right) + \frac{\lambda_{DD}}{\lambda_D} MTTR \qquad (16) $$
where: tCE—a channel equivalent mean downtime for 1oo2 architecture; λD—dangerous failure rate; λDD—dangerous detected failure rate; λDU—dangerous undetected failure rate; TI—proof test interval; MTTR—mean time to repair.
The voted group equivalent mean downtime tGE is expressed from the equation:
$$ t_{GE} = \frac{\lambda_{DU}}{\lambda_D} \left( \frac{TI}{3} + MTTR \right) + \frac{\lambda_{DD}}{\lambda_D} MTTR \qquad (17) $$
where tGE—the voted group equivalent mean downtime for 1oo2 architecture.
Taking into account Equations (16) and (17), the relation for the average probability of failure on demand of the 1oo2 architecture system is as follows:
$$ PFD_{avg}^{1oo2} \approx 2 \left[ (1-\beta) \lambda_D \right]^2 t_{CE}\, t_{GE} + \beta \lambda_{DU} \left( \frac{TI}{2} + MTTR \right) \qquad (18) $$
where: β—factor for common cause failure.
The corresponding frequency of a dangerous failure per hour for the 1oo2 architecture is:
$$ PFH^{1oo2} \approx 2 \left[ (1-\beta) \lambda_D \right]^2 t_{CE} + \beta \lambda_{DU} \qquad (19) $$
The failure rate λ of a system with a redundant structure koon, consisting of n different elements, can be presented as the sum of the average independent failure rate λIavg and the dependent failure rate λC:
$$ \lambda = \lambda_{Iavg} + \lambda_C \qquad (20) $$
where: λIavg—average independent failure rate; λC—dependent failure rate.
The β factor takes the form:
$$ \beta = \frac{\lambda_C}{\lambda_C + \lambda_{Iavg}} = \frac{\lambda_C}{\lambda} \qquad (21) $$
Using formulas (20) and (21), the dependent failure rate can be described by the equation:
$$ \lambda_C = \beta \lambda \qquad (22) $$
The average independent failure rate λIavg can be presented by the formula:
$$ \lambda_{Iavg} = \frac{\sum_{i=1}^{n} \lambda_{Ii}}{n} = \frac{\sum_{i=1}^{n} (1-\beta) \lambda_i}{n} \qquad (23) $$
where: λIi—average independent failure rate for a single i-th element; n—number of elements.
Taking into account formulas (22) and (23), the dependent failure rate λC can be described as follows:
$$ \lambda_C = \frac{\beta \lambda_{Iavg}}{1-\beta} = \frac{\beta \left( \sum_{i=1}^{n} \lambda_{Ii} / n \right)}{1-\beta} = \frac{\beta (1-\beta) \left( \sum_{i=1}^{n} \lambda_i / n \right)}{1-\beta} \;\Rightarrow\; \lambda_C = \beta \left( \frac{\sum_{i=1}^{n} \lambda_i}{n} \right) \qquad (24) $$
Considering the average value of the independent failure rate λIavg_g as the geometric mean, the dependent failure rate can be determined from the formula below:
$$ \lambda_{Cg} = \frac{\beta \lambda_{Iavg\,g}}{1-\beta} = \frac{\beta \sqrt[n]{\lambda_{I1} \lambda_{I2} \cdots \lambda_{In}}}{1-\beta} = \frac{\beta (1-\beta) \sqrt[n]{\lambda_1 \lambda_2 \cdots \lambda_n}}{1-\beta} \;\Rightarrow\; \lambda_{Cg} = \beta \sqrt[n]{\lambda_1 \lambda_2 \cdots \lambda_n} \qquad (25) $$
The general β model is presented above. It is essential to take the common cause failure into account in the constructed model. When the system is composed of identical elements, the above formulas reduce to the form of the equations describing the case of identical elements. For the determination of the base value of β for the 1oo2 configuration, the IEC 61508-6 scoring tables may be used [4].

3.2. Examples of Functional Safety Analysis with Cybersecurity

A high-pressure tank with liquid gas, equipped with an E/E/PE safety-related system, is considered. Figure 16 shows the piping and instrumentation diagram (P&ID) with the safety loop of the protection system.
The E/E/PE safety-related system protecting the high-pressure tank should fulfil the requirement, according to the risk analysis results, of safety integrity level SIL3, i.e., PFDavg in $[10^{-4}, 10^{-3})$ (Table 1). This system consists of three subsystems: the sensor, the logic solver, and the final element (Figure 17).
In Figure 17, dPT is the pressure converter; I/I the transducer; PLC the programmable logic controller; SOV the solenoid open valve; SDV the shutdown valve; and HLS the high-level sensor.
Table 8 shows the data assumed for the automatic safety function considered. The initial calculations showed that for a single sensor in this system it is not possible to fulfil the requirement of SIL3.
Therefore, two paths of a sensor–converter (redundant architecture 1oo2) were then considered. The results (Table 9) of PFDavg are given for modified E/E/PE system with redundant sensors and different β factors assumed.
According to the results obtained, the E/E/PE safety-related system fulfils the criterion of SIL3. Taking into account different values of the β factor for the pressure converter dPT and transducer I/I, the results vary significantly. For instance, for β = 0.05 the value of PFDavg for the sensor subsystem changes by an order of magnitude, and for β = 0.1 the change is two orders of magnitude.
When the cybersecurity failure event and its related β factor are incorporated into the probabilistic model (PFDavgCS = 0.01), the value of PFDavg for the E/E/PE system changes significantly [39,40]. For the case of β = 0.1, it is about 2 × 10^−3. Taking into account the last column of Table 10, with PFDavg treated as in the previous case, the SIL of the E/E/PE system decreased from SIL3 to SIL2. Thus, incorporating the dependency of events into the probabilistic model of the E/E/PE system usually increases PFDavg significantly, contributing to a decrease of the related SIL.
The contribution of probabilities described above on the average failure probability on demand PFDavg is shown in Figure 18. In this figure, TAT is the interval of periodic automatic tests of a subsystem and TI is the interval to carry out the functional tests of a subsystem.
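As an added example (not the paper's own code or data), the following Python implements Equations (16)-(19) for a 1oo2 group and the general β model of Equations (24)-(25), then sweeps β and adds an assumed additive cyber-dependency term to reproduce the kind of SIL downgrade discussed above. The failure rates, test interval and MTTR are constructed values, not the Table 8 data, and the form of the cyber term is an assumption.

```python
"""1oo2 beta-factor PFDavg/PFH model (IEC 61508-6 form of Equations (16)-(19))
and the general beta model of Equations (24)-(25).

Added example. All failure-rate values are constructed for illustration and are
not the paper's Table 8 data; the cyber term in pfd_avg_with_cyber is an
assumption about how a dependent cyber-induced failure could be added.
"""
import math

# Low-demand SIL bands for PFDavg (IEC 61508-1): SIL -> [lower, upper)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_from_pfd(pfd_avg):
    """Return the SIL whose PFDavg interval contains the value (0 if none)."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 0


def t_ce(lam_du, lam_dd, ti, mttr):
    """Channel equivalent mean downtime, Eq. (16). Rates in 1/h, times in h."""
    lam_d = lam_du + lam_dd
    return lam_du / lam_d * (ti / 2 + mttr) + lam_dd / lam_d * mttr


def t_ge(lam_du, lam_dd, ti, mttr):
    """Voted-group equivalent mean downtime, Eq. (17)."""
    lam_d = lam_du + lam_dd
    return lam_du / lam_d * (ti / 3 + mttr) + lam_dd / lam_d * mttr


def pfd_avg_1oo2(lam_du, lam_dd, ti, mttr, beta):
    """Average PFD of a 1oo2 group with common-cause factor beta, Eq. (18)."""
    lam_d = lam_du + lam_dd
    independent = (2 * ((1 - beta) * lam_d) ** 2
                   * t_ce(lam_du, lam_dd, ti, mttr) * t_ge(lam_du, lam_dd, ti, mttr))
    common_cause = beta * lam_du * (ti / 2 + mttr)
    return independent + common_cause


def pfh_1oo2(lam_du, lam_dd, ti, mttr, beta):
    """Dangerous failure frequency per hour of a 1oo2 group, Eq. (19)."""
    lam_d = lam_du + lam_dd
    return 2 * ((1 - beta) * lam_d) ** 2 * t_ce(lam_du, lam_dd, ti, mttr) + beta * lam_du


def pfd_avg_with_cyber(pfd_indep, pfd_cs, beta_cs):
    """ASSUMPTION: a cyber-induced dependent failure with average probability
    pfd_cs is coupled to the subsystem through its own beta factor and is added
    to the hardware PFDavg (the paper does not give its exact model)."""
    return pfd_indep + beta_cs * pfd_cs


def dependent_failure_rate(rates, beta, geometric=False):
    """lambda_C for n different elements: beta times the arithmetic mean of the
    element rates, Eq. (24), or beta times their geometric mean, Eq. (25)."""
    n = len(rates)
    if geometric:
        return beta * math.prod(rates) ** (1.0 / n)
    return beta * sum(rates) / n


if __name__ == "__main__":
    # Constructed sensor-path data: lambda_DU, lambda_DD in 1/h, TI one year, MTTR 8 h
    lam_du, lam_dd, ti, mttr = 1e-6, 4e-6, 8760.0, 8.0
    for beta in (0.0, 0.05, 0.1):
        pfd = pfd_avg_1oo2(lam_du, lam_dd, ti, mttr, beta)
        print(f"beta={beta:<5} PFDavg={pfd:.2e}  SIL{sil_from_pfd(pfd)}")
    # Adding the assumed cyber dependency (PFDavgCS = 0.01 as in the paper) at beta = 0.1
    pfd_total = pfd_avg_with_cyber(pfd_avg_1oo2(lam_du, lam_dd, ti, mttr, 0.1), 0.01, 0.1)
    print(f"with cyber term   PFDavg={pfd_total:.2e}  SIL{sil_from_pfd(pfd_total)}")
```

With these constructed rates the group moves from the SIL4 band at β = 0 to the SIL3 band at β = 0.05 and, once the cyber term is added at β = 0.1, into the SIL2 band.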

4. Verification of SIL under Uncertainty

As mentioned, for verifying the SIL the results of probabilistic modelling of the E/E/PE safety-related system are to be compared with the probabilistic criteria given in Table 1. In practice, these results are often the point values and, in some cases, can have values just on the upper/lower limits of intervals for consecutive SILs.
The results from a probabilistic model depend on its parameters, which in general are characterized by uncertainty, expressed by a distribution or interval. PFDavg is averaged in time, not for uncertain parameters of the model.
The results of probabilistic modelling can be represented by intervals (Figure 19) by the bold interval. In general, such an interval can be fuzzy, having some interesting properties. A method to verify uncertain results with fuzzy interval criteria is proposed in the monographs [1,2].
Below, a proposal is outlined for the simplified verification of SIL for a given E/E/PE system in the case when only a point value of PFDavg is known, but the uncertainty issue is incorporated into the verification process through a more conservative determination of SIL. For instance, the point value of PFDavg is compared with fuzzy criteria values, l (lower) and u (upper) (Figure 19), represented using the relevant membership functions of the fuzzy criterion (for the given SIL), µSILl(Pcr) and µSILu(Pcr) respectively.
In this figure, considering SIL2 for instance, μSIL2l(PFDavg) is the possibility level of fulfilling the SIL2 lower limit probabilistic criterion and μSIL2u(PFDavg) the possibility level of fulfilling the SIL2 upper limit probabilistic criterion. When μSILl(PFDavg) and μSILu(PFDavg) are both equal to 0.5, the SIL level is indicated unconditionally. When μSIL2l(PFDavg) and μSIL2u(PFDavg) are close to 0 or 1 (the lower/upper limits of the probability interval), the SIL is determined conservatively (the lower SIL is assumed) or additional analysis is undertaken concerning the assumptions and sensitivity of the probabilistic model.
PFDavg in formula (12) for a subsystem of the given architecture is calculated e.g., according to formula (18). If the value of probability PFDavgSYS is lower than a relevant probabilistic criterion value for given SIL (Table 1), then the designed safety-related system is considered as fulfilling this criterion.
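As an added example, not from the paper, the following Python implements the conservative verification described above. It assumes the membership functions are linear in log10(PFDavg) across each SIL interval (so both equal 0.5 at the midpoint) and uses an assumed edge threshold of 0.2; it is applied to the point results 2.41 × 10^−3, 9.7 × 10^−4 and 1.52 × 10^−3 reported for structures I to III.

```python
"""Conservative SIL verification of a point PFDavg value against fuzzified
interval criteria (Section 4 of the paper).

Added example. ASSUMPTION: the membership functions mu_SILl and mu_SILu are taken
as linear in log10(PFDavg) across the SIL interval, so that both equal 0.5 at the
interval midpoint; the edge threshold EDGE is also an assumed analyst setting.
"""
import math

# Low-demand SIL bands for PFDavg (IEC 61508-1): SIL -> [lower, upper)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
EDGE = 0.2  # assumed: memberships below this value count as "close to 0 or 1"


def nominal_sil(pfd_avg):
    """Crisp SIL from Table 1-style interval criteria (0 if no SIL is met)."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 0


def memberships(pfd_avg, sil):
    """Return (mu_SILl, mu_SILu): possibility of fulfilling the lower and the upper
    limit criterion of the given SIL. Linear in log10 across the interval."""
    lo, hi = SIL_BANDS[sil]
    x = (math.log10(pfd_avg) - math.log10(lo)) / (math.log10(hi) - math.log10(lo))
    x = min(max(x, 0.0), 1.0)
    return x, 1.0 - x


def verify_sil(pfd_avg, edge=EDGE):
    """Conservative verification: a value close to the upper limit of its interval
    is downgraded one SIL; a value close to the lower limit keeps the nominal SIL
    but is flagged for sensitivity analysis of the model assumptions."""
    sil = nominal_sil(pfd_avg)
    if sil == 0:
        return {"nominal": 0, "verified": 0, "mu_l": 0.0, "mu_u": 0.0,
                "flag": "no SIL criterion met"}
    mu_l, mu_u = memberships(pfd_avg, sil)
    if mu_u < edge:            # near the upper limit: worst end of the interval
        return {"nominal": sil, "verified": sil - 1, "mu_l": mu_l, "mu_u": mu_u,
                "flag": "upper-limit value, SIL assigned conservatively"}
    if mu_l < edge:            # near the lower limit: do not claim the next SIL
        return {"nominal": sil, "verified": sil, "mu_l": mu_l, "mu_u": mu_u,
                "flag": "lower-limit value, additional sensitivity analysis advised"}
    return {"nominal": sil, "verified": sil, "mu_l": mu_l, "mu_u": mu_u, "flag": "ok"}


if __name__ == "__main__":
    # The three point results quoted in the paper for structures I-III
    for pfd in (2.41e-3, 9.7e-4, 1.52e-3):
        r = verify_sil(pfd)
        print(f"PFDavg={pfd:.2e} nominal SIL{r['nominal']} "
              f"mu_l={r['mu_l']:.2f} mu_u={r['mu_u']:.2f} -> SIL{r['verified']} ({r['flag']})")
```

Under these assumptions the nominal SIL3 value 9.7 × 10^−4 sits at the upper limit of its interval and is conservatively assigned SIL2, while 1.52 × 10^−3 keeps SIL2 but is flagged for further analysis.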
Figure 20 and Figure 21 show the structure of three E/E/PE safety-related systems consisting of the following subsystems: pressure sensors (PS) in 2oo3 architecture, temperature sensors (TS) in 2oo3 architecture, valves (V) with 1oo2 redundancy, and different structures of the central processing unit (CPU), digital input modules (DI) and digital output modules (DO). In structure I the digital input module DI is 1oo2, the CPU is 1oo1, and DO is 1oo1.
For the system in Figure 20 there are 10 minimal cut sets:
$$ K_1 = \{PS_1, PS_2\},\; K_2 = \{PS_1, PS_3\},\; K_3 = \{PS_2, PS_3\},\; K_4 = \{TS_1, TS_2\},\; K_5 = \{TS_1, TS_3\},\; K_6 = \{TS_2, TS_3\},\; K_7 = \{DI_1, DI_2\},\; K_8 = \{CPU\},\; K_9 = \{DO\},\; K_{10} = \{V_1, V_2\} \qquad (26) $$
Therefore, the probability of PFD(t) takes the form:
$$ PFD(t) \approx q_{PS1}(t) q_{PS2}(t) + q_{PS1}(t) q_{PS3}(t) + q_{PS2}(t) q_{PS3}(t) + q_{TS1}(t) q_{TS2}(t) + q_{TS1}(t) q_{TS3}(t) + q_{TS2}(t) q_{TS3}(t) + q_{DI1}(t) q_{DI2}(t) + q_{CPU}(t) + q_{DO}(t) + q_{V1}(t) q_{V2}(t) \qquad (27) $$
where: q—the probability of failure on single elements in subsystem structure.
If the individual subsystems consist of the same elements, then the probability of PFD(t) is represented by the following relationship:
P F D ( t ) 3 q PS ( t ) 2 + 3 q TS ( t ) 2 + q DI ( t ) 2 + q CPU ( t ) + q DO ( t ) + q V ( t ) 2
Thus, for the example system in Figure 20, the average probability of failure PFDavg to perform the safety-related function on demand is:
P F D avg 3 ( ( 1 β PS ) λ D PS ) 2 ( T I 2 3 + T I M T T R PS + M T T R PS 2 ) + + β PS λ DU PS ( T I 2 + M T T R PS ) + 3 ( ( 1 β TS ) λ D TS ) 2 ( T I 2 3 + T I M T T R TS + M T T R TS 2 ) + + β TS λ DU TS ( T I 2 + M T T R TS ) + ( ( 1 β DI ) λ D DI ) 2 ( T I 2 3 + T I M T T R DI + M T T R DI 2 ) + + β DI λ DU DI ( T I 2 + M T T R DI ) + λ DU CPU T I 2 + λ D CPU M T T R CPU + λ DU DO T I 2 + + λ D DO M T T R DO + ( ( 1 β V ) λ D V ) 2 ( T I 2 3 + T I M T T R V + M T T R V 2 ) + + β V λ DU V ( T I 2 + M T T R V )
The average frequency PFH dangerous failures for safety-related system continuous mode operation is described by the formula:
P F H 6 ( ( 1 β PS ) λ D PS ) 2 ( T I 2 + M T T R PS ) + β PS λ DU PS + + 6 ( ( 1 β TS ) λ D TS ) 2 ( T I 2 + M T T R TS ) + β TS λ DU TS + + 2 ( ( 1 β DI ) λ D DI ) 2 ( T I 2 + M T T R DI ) + β DI λ DU DI + + λ DU CPU + λ DU DO + 2 ( ( 1 β V ) λ D V ) 2 ( T I 2 + M T T R V ) + β V λ DU V
Similarly as for structure I, the probability relationships for structures II and III were determined. Structure II (Figure 22) consists of digital input modules DI with redundancy 1oo2, processors CPU in architecture 2oo3 and digital output modules DO in architecture 2oo3.
Structure III (Figure 23) consists of digital input modules DI with redundancy 1oo2, processors CPU in architecture 1oo2 and digital output modules DO in architecture 1oo2. The PFDavg values for these E/E/PE safety-related systems were calculated using the reliability data in Table 10, taken from the PDS Data Handbook of SINTEF [41].
Table 11 shows the results for different architectures of subsystems of the E/E/PE safety-related system considered.
The analyst can assess the PFDavgSYS results (Table 11) for the various architectures of the subsystems. Special attention was paid to the results for the system structures in Figure 20, Figure 22 and Figure 23. For the structure in Figure 20 the value is equal to 2.41 × 10−3, which fulfils the requirement of SIL2. For the structure in Figure 21, the subsystem results are shown in bold in Table 11 and the resulting system value is 9.7 × 10−4, which fulfils the requirement of SIL3. For the structure in Figure 22, the value is equal to 1.52 × 10−3, which fulfils only the requirement of SIL2.
In the PFDavg calculation of an E/E/PE safety-related system, a point value near the upper or lower limit of one of the ranges (the probabilistic criteria for the SIL levels) can be obtained. For instance, for the structure in Figure 21 PFDavg is equal to 9.7 × 10−4, which formally fulfils the requirement of SIL3, but this value lies close to the boundary with the SIL2 range. Similarly, for the structure in Figure 22 PFDavg is equal to 1.52 × 10−3 (SIL2), but this value lies close to the SIL3 range.
The PFDavg for the safety-related system was calculated as a point value. In Figure 24 this PFDavg point value is compared with the SIL3 interval criterion [10−4, 10−3). The lower factor μSIL3l is equal to 0.2, whereas the upper factor μSIL3u is equal to 0.8.
This result (μSIL3l = 0.2 and μSIL3u = 0.8) for the given PFDavg value supports the decision on the SIL classification of the E/E/PE safety-related system considered.
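The minimal cut set expansion, the β-factor PFDavg/PFH formulas for structure I and the SIL verification of a point value against the Table 1 bands, as one worked example added here (it is neither the authors' code nor the calculation tool behind Table 11). The functions implement the simplified expressions given above for 1oo1, 1oo2 and 2oo3 subsystems and are evaluated on the Table 10 reliability data; because Table 11 was produced by the authors with their own calculation, these simplified expressions do not reproduce its values digit for digit, although the ordering of the three structures is the same. The log-scale band position is an assumption of this example that stands in for the membership functions μSILl/μSILu, which the paper only shows graphically (Figure 24); the names `pfd_avg`, `pfh`, `system_pfd_avg`, `pfd_from_cut_sets`, `sil_from_pfd` and `band_position` are this example's own.

```python
"""Added worked example (not the authors' code): PFDavg / PFH of the E/E/PE
structures I-III from the simplified beta-factor formulas given in the text,
evaluated on the Table 10 reliability data, plus SIL verification against the
Table 1 bands. band_position() is an assumption of this example; the paper's
membership functions mu_SIL are only given graphically (Figure 24)."""
from math import log10

HOURS_PER_YEAR = 8760.0

# Table 1: PFDavg bands [lower, upper) per SIL (low-demand mode)
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Table 10 (PDS Data Handbook values as used in the paper); rates in 1/h
ELEMENTS = {
    "PS":  {"lam_d": 2.0e-6,  "lam_du": 2.0e-7,  "beta": 0.02},
    "TS":  {"lam_d": 1.0e-6,  "lam_du": 1.0e-7,  "beta": 0.02},
    "DI":  {"lam_d": 5.46e-7, "lam_du": 5.46e-8, "beta": 0.02},
    "CPU": {"lam_d": 1.04e-6, "lam_du": 1.04e-7, "beta": 0.02},
    "DO":  {"lam_d": 3.1e-7,  "lam_du": 3.1e-8,  "beta": 0.02},
    "V":   {"lam_d": 6.5e-7,  "lam_du": 6.5e-8,  "beta": 0.02},
}
MTTR = 8.0                  # hours (Table 10)
TI = 1.0 * HOURS_PER_YEAR   # proof test interval: 1 year (Table 10)

# The 10 minimal cut sets of structure I (Figure 20), as listed in the text
CUT_SETS_I = [("PS1", "PS2"), ("PS1", "PS3"), ("PS2", "PS3"),
              ("TS1", "TS2"), ("TS1", "TS3"), ("TS2", "TS3"),
              ("DI1", "DI2"), ("CPU",), ("DO",), ("V1", "V2")]


def pfd_from_cut_sets(cut_sets, q):
    """PFD(t): sum over minimal cut sets of the product of the element
    unavailabilities q[i](t) (rare-event approximation used in the text)."""
    total = 0.0
    for cut in cut_sets:
        p = 1.0
        for elem in cut:
            p *= q[elem]
        total += p
    return total


def pfd_avg(arch, lam_d, lam_du, beta, ti=TI, mttr=MTTR):
    """PFDavg of one subsystem, term by term as in the PFDavg formula above:
    1oo1 -> lam_DU*TI/2 + lam_D*MTTR; 1oo2/2oo3 -> independent part scaled by
    1 or 3 plus the common cause (beta) part."""
    if arch == "1oo1":
        return lam_du * ti / 2 + lam_d * mttr
    indep = ((1 - beta) * lam_d) ** 2 * (ti ** 2 / 3 + ti * mttr + mttr ** 2)
    ccf = beta * lam_du * (ti / 2 + mttr)
    return {"1oo2": 1, "2oo3": 3}[arch] * indep + ccf


def pfh(arch, lam_d, lam_du, beta, ti=TI, mttr=MTTR):
    """PFH [1/h] of one subsystem (continuous mode), as in the PFH formula above."""
    if arch == "1oo1":
        return lam_du
    mult = {"1oo2": 2, "2oo3": 6}[arch]
    return mult * ((1 - beta) * lam_d) ** 2 * (ti / 2 + mttr) + beta * lam_du


# Structures I, II, III (Figures 20, 22, 23): PS, TS and V are the same in all three
STRUCTURES = {
    "I":   {"PS": "2oo3", "TS": "2oo3", "DI": "1oo2", "CPU": "1oo1", "DO": "1oo1", "V": "1oo2"},
    "II":  {"PS": "2oo3", "TS": "2oo3", "DI": "1oo2", "CPU": "2oo3", "DO": "2oo3", "V": "1oo2"},
    "III": {"PS": "2oo3", "TS": "2oo3", "DI": "1oo2", "CPU": "1oo2", "DO": "1oo2", "V": "1oo2"},
}


def system_pfd_avg(name):
    """PFDavgSYS: series sum of the subsystem PFDavg values (one cut set per subsystem)."""
    return sum(pfd_avg(arch, **ELEMENTS[elem]) for elem, arch in STRUCTURES[name].items())


def sil_from_pfd(pfd):
    """SIL whose Table 1 band contains pfd, or None if outside SIL1..SIL4."""
    for sil, (lo, hi) in SIL_PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def band_position(pfd):
    """Assumed closeness measure (not the paper's mu_SIL): 0 at the lower and 1 at
    the upper limit of the SIL band, on a log scale. Values near 0 or 1 are the
    cases the text says call for a conservative SIL or a sensitivity analysis."""
    sil = sil_from_pfd(pfd)
    if sil is None:
        return None
    lo, hi = SIL_PFD_BANDS[sil]
    return (log10(pfd) - log10(lo)) / (log10(hi) - log10(lo))


if __name__ == "__main__":
    for name in STRUCTURES:
        p = system_pfd_avg(name)
        pos = band_position(p)
        pos_txt = f"{pos:.2f}" if pos is not None else "n/a"
        print(f"structure {name}: PFDavg = {p:.2e}  SIL{sil_from_pfd(p)}  band position = {pos_txt}")
```

Run stand-alone, the script prints PFDavgSYS, SIL and band position for the three structures; with the Table 10 data the 1oo1 CPU and DO of structure I dominate its PFDavg and push it just above 10−3, which is exactly the near-boundary situation that the μSIL factors are meant to flag, whereas structures II and III land inside the SIL3 band.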

5. Conclusions

Functional safety is an important element of system safety. It addresses those parts of safety that depend on the correct functioning of a system and ensures that the system causes no harm in response to its inputs or to failures of its components. The task of a safety-related system in a critical industrial installation is to reduce risk in accordance with the identified accident scenarios. In critical installations, safety functions are implemented through industrial automation and control systems, usually designed as electrical/electronic/programmable electronic systems according to the requirements of IEC 61508 and, for safety instrumented systems (SIS), IEC 61511.
In this paper, the concept of integrated functional safety and cybersecurity analysis is outlined with an emphasis on uncertainty factors. System safety depends on the quality of the industrial installation, which can be enhanced by applying protection layers, e.g., the basic process control system, the alarm system, the human operator and the safety instrumented system. The causes of accidents in critical infrastructure depend on prospective weaknesses, initiating events and internal hazards. The main task of cybersecurity is to protect the system against potential threats, internal and external, that compromise its assets and its environment. For decades, providing safety and providing security in engineering systems were treated separately, as two individual domains. Nowadays, when inadequate security can impact safety, it is necessary to address them jointly.
Dealing in an integrated and comprehensive way with functional safety and cybersecurity analysis in critical installations is extremely important and remains a challenging issue. It is relatively common during the early stages of analysis to omit the security issues related to data communication and to access restrictions on the system and its associated components. When neglected, these aspects may significantly impact safety and distort the results of the analysis. In this article, a methodology for integrating functional safety and security issues was presented and outlined for the calculation of SILs.
The proposed approach is illustrated on an example of a critical installation. Comprehensive integration of functional safety and cybersecurity analysis in critical infrastructure installations is very important and is currently a challenging issue. A further challenge is to include cybersecurity aspects in the design of distributed industrial control systems (ICS).
Future work will focus on computer-aided software for integrated functional safety and cybersecurity analysis. There is also scope to include human reliability analysis in the integrated functional safety and cybersecurity approach. The limitation in that case is the limited time available for diagnosis and action (the time window) in which a human operator can react to protect the system; for that reason, layers of protection for safety and cybersecurity are implemented in the industrial installation.

Author Contributions

Conceptualization, M.Ś. and E.P.; methodology, M.Ś.; validation, M.Ś.; formal analysis, E.P. and M.Ś.; investigation, E.P.; resources, M.Ś.; writing—original draft preparation, M.Ś. and E.P.; writing—review and editing, E.P. and M.Ś.; visualization, E.P. and M.Ś.; supervision, M.Ś. and E.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by Gdańsk University of Technology.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

1. Kosmowski, K.T. Functional Safety and Reliability Analysis Methodology for Hazardous Industrial Plants; Gdansk University of Technology: Gdansk, Poland, 2013.
2. Śliwiński, M. Functional Safety and Information Security in the Critical Infrastructure Systems and Objects; Monographs 171; Gdansk University of Technology: Gdansk, Poland, 2018.
3. Security for Industrial Automation and Control Systems; IEC 62443; International Electrotechnical Commission: Geneva, Switzerland, 2013.
4. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems; IEC 61508; International Electrotechnical Commission: Geneva, Switzerland, 2010.
5. Functional Safety: Safety Instrumented Systems for the Process Industry Sector; IEC 61511; International Electrotechnical Commission: Geneva, Switzerland, 2015.
6. LOPA: Layer of Protection Analysis, Simplified Process Risk Assessment; Center for Chemical Process Safety, American Institute of Chemical Engineers: New York, NY, USA, 2001.
7. Torres-Echeverria, A.C. On the use of LOPA and risk graphs for SIL determination. J. Loss Prev. Process Ind. 2016, 41, 333–343.
8. Subramanian, N.; Zalewski, J. Quantitative Assessment of Safety and Security of System Architectures for Cyberphysical Systems Using NFR Approach. IEEE Syst. J. 2016, 10, 397–409.
9. Śliwiński, M. Verification of safety integrity level for safety-related functions enhanced with security aspects. Process Saf. Environ. Prot. 2018, 118, 79–92.
10. Kriaa, S.; Pietre-Cambacedes, L.; Bouissou, M.; Halgand, Y. Approaches combining safety and security for industrial control systems. Reliab. Eng. Syst. Saf. 2015, 139, 156–178.
11. Piesik, E.; Śliwiński, M.; Barnert, T. Determining the safety integrity level of systems with security aspects. Reliab. Eng. Syst. Saf. 2016, 152, 259–272.
12. Gabriel, A.; Ozansoy, C.; Shi, J. Developments in SIL determination and calculation. Reliab. Eng. Syst. Saf. 2018, 177, 148–161.
13. Śliwiński, M.; Piesik, E. Integrated functional safety and cybersecurity analysis. IFAC Pap. OnLine 2018, 51, 1263–1270.
14. Saleh, J.H.; Cummings, A.M. Safety in the mining industry and the unfinished legacy of mining accidents. Saf. Sci. 2011, 49, 764–777.
15. Subramanian, N.; Zalewski, J. Use of the NFR Approach to Safety and Security Analysis of Control Chains in SCADA. IFAC Pap. OnLine 2018, 51, 214–219.
16. CYBER Methods and Protocols. Part 1: Method and Pro Forma for Threat, Vulnerability, Risk Analysis (TVRA); Technical Specification ETSI TS 102 165-1; European Telecommunications Standards Institute: Sophia Antipolis, France, 2017.
17. Kosmowski, K.T.; Śliwiński, M. Knowledge-based functional safety and security management in hazardous industrial plants with emphasis on human factors. In Advanced Control and Diagnostic Systems; PWNT: Gdańsk, Poland, 2015.
18. Information Technology Security Techniques—Evaluation Criteria for IT Security; ISO/IEC 15408; ISO: Geneva, Switzerland, 2009.
19. Safety of Machinery—Guidance to Machinery Manufacturers for Consideration of Related IT Security (Cyber Security) Aspects; ISO/DTR 22100; ISO: Geneva, Switzerland, 2018.
20. Safety of Machinery—Security Aspects to Functional Safety of Safety-Related Control Systems; IEC TR 63074; International Electrotechnical Commission: Geneva, Switzerland, 2019.
21. Information Technology—Information Security Management Systems—Overview and Vocabulary; ISO/IEC 27000; ISO: Geneva, Switzerland, 2018.
22. Information Technology, Security Techniques, Information Security Management Systems; ISO/IEC 27001; ISO: Geneva, Switzerland, 2007.
23. Information Technology, Security Techniques, Information Security Risk Management; ISO/IEC 27005; ISO: Geneva, Switzerland, 2011.
24. Białas, A. Semiformal Common Criteria Compliant IT Security Development Framework; Studia Informatica; Silesian University of Technology Press: Gliwice, Poland, 2008.
25. Risk Management—Guidelines; ISO 31000; International Organization for Standardization: Geneva, Switzerland, 2018.
26. Braband, J. What's Security Level got to do with Safety Integrity Level? In Proceedings of the ERTS 2016, Toulouse, France, 27–29 January 2016.
27. Aven, T. A Framework for Risk Analysis Covering both Safety and Security. Reliab. Eng. Syst. Saf. 2007, 92, 745–754.
28. Kanamaru, H. Bridging Functional Safety and Cyber Security of SIS/SCS. In Proceedings of the SICE Annual Conference 2017, Kanazawa University, Kanazawa, Japan, 19–22 September 2017.
29. Chockalingam, S.; Hadžiosmanović, D.; Pieters, W.; Teixeira, A.; van Gelder, P. A Survey of Integrated Safety and Security Risk Assessment Methods. In Proceedings of the CRITIS 2016, Paris, France, 10–12 October 2016; pp. 50–62.
30. Abdo, H.; Kaouk, M.; Flaus, J.M.; Masse, F. Safety and Security Risk Analysis Approach to Industrial Control Systems. Comput. Secur. 2018, 72, 175–195.
31. Guide for Conducting Risk Assessments; NIST SP 800-30 Rev. 1; NIST: Gaithersburg, MD, USA, 2012.
32. Goble, W.; Cheddie, H. Safety Instrumented Systems Verification: Practical Probabilistic Calculations; ISA: Pittsburgh, PA, USA, 2015.
33. Smith, D.J. Reliability: Practical Methods for Maintainability and Risk, 9th ed.; Elsevier: London, UK, 2017.
34. Subramanian, N.; Zalewski, J. Safety and Security Integrated SIL Evaluation Using the NFR Approach. In Integrating Research and Practice in Software Engineering; Springer: Berlin/Heidelberg, Germany, 2020; pp. 53–68.
35. Kościelny, J.M.; Syfert, M.; Fajdek, B. Modern Measures of Risk Reduction in Industrial Processes. J. Autom. Mob. Robot. Intell. Syst. 2019, 13, 20–29.
36. Hoyland, A.; Rausand, M. System Reliability Theory: Models and Statistical Methods, 2nd ed.; John Wiley & Sons: Hoboken, NJ, USA, 2004.
37. Kumamoto, H. Satisfying Safety Goals by Probabilistic Risk Assessment; Springer Series in Reliability Engineering; Springer: London, UK, 2007.
38. Hokstad, P. A generalisation of the beta factor model. In Proceedings of the European Safety & Reliability Conference, Berlin, Germany, 14–18 June 2004.
39. Grøtan, T.O.; Jaatun, M.G.; Øien, K.; Onshus, T. The SeSa Method for Assessing Secure Access to Safety Instrumented Systems; Report SINTEF A1626; SINTEF: Trondheim, Norway, 2007.
40. SESAMO. Security and Safety Modelling; Artemis JU Grant Agreement 295354, April 2014; European Commission: Brussels, Belgium, 2014.
41. SINTEF. Reliability Data for Safety Instrumented Systems; PDS Data Handbook; SINTEF: Trondheim, Norway, 2010.
Figure 1. Allocation of requirements to the safety-related systems.
Figure 2. General configuration of a safety system: (A) sensors, (B) safety PLC, (C) final elements.
Figure 3. Relationship between functional safety and cybersecurity of ICS systems [19,20].
Figure 4. Risk Cube (SIL-SAL).
Figure 5. Risk Cube SIL-SAL (col.).
Figure 6. Risk Cube (SIL-EAL).
Figure 7. Risk Cube SIL-EAL (col.).
Figure 8. Procedure using cybersecurity factors in safety analysis [13].
Figure 9. The procedure for determining SIL or PL with regard to the cybersecurity aspects.
Figure 10. Example structure of the E/E/PE system (SIS or BPCS).
Figure 11. Reliability block diagram (RBD) of an example E/E/PE or SIS system structure.
Figure 12. Fault tree for the SIS system.
Figure 13. Programmable electronic system with two channels.
Figure 14. Contribution of common cause failures to the failures of individual channels and of the entire 1oo2 system [4,36,38].
Figure 15. Reliability block diagram for a 1oo2 E/E/PE system.
Figure 16. P&ID of a high-pressure tank.
Figure 17. Automatic safety-related loop of the E/E/PES.
Figure 18. Elements of the average probability of an E/E/PE subsystem failure on demand.
Figure 19. Verification of safety integrity level for a point value of PFDavg.
Figure 20. Structure I of the E/E/PE safety-related system.
Figure 21. Fault tree (FT) model of structure I of the E/E/PE safety-related system.
Figure 22. Structure II of the E/E/PE safety-related system.
Figure 23. Structure III of the E/E/PE safety-related system.
Figure 24. PFDavg evaluation with membership function for the SIL3 [10−4, 10−3) probabilistic criterion.
Table 1. SIL probabilistic criteria.
SIL | PFDavg | PFH [h−1]
4 | [10−5, 10−4) | [10−9, 10−8)
3 | [10−4, 10−3) | [10−8, 10−7)
2 | [10−3, 10−2) | [10−7, 10−6)
1 | [10−2, 10−1) | [10−6, 10−5)
Table 2. Example of an extended risk matrix for determining safety integrity level.
Categories:
Fatality →
Frequency ↓
NA
(10−3, 10−2]
Injury
NB
(10−2, 10−1]
More Injuries
NC
(10−1, 1]
Single Fatality
ND
(1, 10]
Several Fatalities
NE
(10, 102]
Many Fatalities
W3 [a−1],
Fd (1, 10]
Frequent
aSIL3x
SIL2y; ↓10−3
SIL1x
SIL4z
SIL3y; ↓10−4
SIL2x
bz
SIL4y; ↓10−5
SIL3x
bz
by
bx
W2 [a−1],
Fc (10−1, 1]
Probable
SIL2z
SIL1y; ↓10−2
ax
SIL3z
SIL2y; ↓10−3
SIL1x
SIL4z
SIL3y; ↓10−4
SIL2x
bz
SIL4y; ↓10−5
SIL3x
W1 [a−1],
Fb (10−2, 10−1]
Occasional
SIL1z
ay; ↓10−1
SIL2z
SIL1y; ↓10−2
ax
SIL3x
SIL2y; ↓10−3
SIL1x
SIL4z
SIL3y; ↓10−4
SIL2x
W0 [a−1],
Fa (10−3, 10−2]
Seldom
SIL1z
ay; ↓10−1
SIL2z
SIL1y; ↓10−2
ax
SIL3x
SIL2y; ↓10−3
SIL1x
Table 3. Cybersecurity levels (SAL).
SAL1 | Protection against casual or coincidental violation
SAL2 | Protection against intentional violation using simple means with low resources, generic skills and low motivation
SAL3 | Protection against intentional violation using sophisticated means with moderate resources, system-specific skills and moderate motivation
SAL4 | Protection against intentional violation using sophisticated means with extended resources, system-specific skills and high motivation
Table 4. Levels of cybersecurity (EALs and SALs).
Evaluation Assurance Level | Security Assurance Level | Cybersecurity
EAL1 | SAL1 | Low
EAL2 | SAL1 | Low
EAL3 | SAL2 | Medium
EAL4 | SAL2 | Medium
EAL5 | SAL3 | High
EAL6 | SAL4 | High
EAL7 | SAL4 | High
Table 5. Risk Matrix Regarding Cybersecurity Issues at the Critical Infrastructure Facility. Cells give the degree of risk Rcs and the associated security assurance level SAL; rows are the severity of the consequences C, columns the probability and/or frequency of a cyber-attack.
Severity C | Low | Medium | High | Very High
catastrophic | medium Rcs, SAL2 | high Rcs, SAL3 | very high Rcs, SAL4 | very high Rcs, SAL4
critical | medium Rcs, SAL2 | high Rcs, SAL3 | very high Rcs, SAL4 | very high Rcs, SAL4
marginal | low Rcs, SAL1 | medium Rcs, SAL2 | medium Rcs, SAL2 | high Rcs, SAL3
minor | low Rcs, SAL1 | low Rcs, SAL1 | medium Rcs, SAL2 | high Rcs, SAL3
Table 6. Risk Matrix Regarding Information Security Issues in a Critical Infrastructure Facility. Cells give the degree of risk Rsec and the associated evaluation assurance level EAL; rows are the severity of the consequences C, columns the probability and/or frequency of a cyber-attack.
Severity C | Low | Medium | High | Very High
catastrophic | medium Rsec, EAL3 | high Rsec, EAL5 | very high Rsec, EAL6 | very high Rsec, EAL7
critical | medium Rsec, EAL2 | medium Rsec, EAL4 | very high Rsec, EAL6 | very high Rsec, EAL6
marginal | low Rsec, EAL1 | medium Rsec, EAL3 | high Rsec, EAL5 | high Rsec, EAL5
minor | low Rsec, EAL1 | low Rsec, EAL2 | medium Rsec, EAL4 | medium Rsec, EAL4
Table 7. Risk Matrix for Functional Safety Issues. Cells give the risk Rfs and the associated safety integrity level SIL; rows are the severity of the consequences C, columns the probability and/or frequency of failure.
Severity C | Low | Medium | High | Very High
catastrophic | medium Rfs, SIL2 | high Rfs, SIL3 | very high Rfs, SIL4 | very high Rfs, b
critical | medium Rfs, SIL2 | high Rfs, SIL3 | very high Rfs, SIL4 | very high Rfs, SIL4
marginal | low Rfs, SIL1 | medium Rfs, SIL2 | high Rfs, SIL3 | high Rfs, SIL3
minor | very low Rfs, a | low Rfs, SIL1 | medium Rfs, SIL2 | medium Rfs, SIL2
Table 8. Reliability data.
Subsystem | dPT | I/I | PLC | SDV | SOV
λDU [h−1] | 2.24 × 10−7 | 1.1 × 10−7 | 5.2 × 10−11 | 1 × 10−7 | 1.14 × 10−8
TI [y] | 1 | 1 | 1 | 1 | 1
Table 9. Results for different β factors for the redundant E/E/PE system.
Subsystem | PFDavg (β = 0) | PFDavg (β = 0.05) | PFDavg (β = 0.1)
dPT (1oo2) | 1.28 × 10−6 | 5.02 × 10−5 | 9.92 × 10−5
I/I (1oo2) | 3.09 × 10−7 | 2.44 × 10−5 | 4.84 × 10−5
PLC | 2.28 × 10−7 | 2.28 × 10−7 | 2.28 × 10−7
SDV | 4.38 × 10−4 | 4.38 × 10−4 | 4.38 × 10−4
SOV | 4.99 × 10−5 | 4.99 × 10−5 | 4.99 × 10−5
System | 5.38 × 10−4 | 5.63 × 10−4 | 6.36 × 10−4
SIL | 3 | 3 | 3
Table 10. Reliability data.
Parameter | PS | TS | DI | CPU | DO | V
λ [h−1] | 4 × 10−6 | 2 × 10−6 | 1.2 × 10−6 | 2.2 × 10−6 | 6.5 × 10−7 | 1.6 × 10−6
FS [%] | 50% | 50% | 50% | 50% | 50% | 50%
λD [h−1] | 2 × 10−6 | 1 × 10−6 | 5.46 × 10−7 | 1.04 × 10−6 | 3.1 × 10−7 | 6.5 × 10−7
λS [h−1] | 2 × 10−6 | 1 × 10−6 | 5.46 × 10−7 | 1.04 × 10−6 | 3.1 × 10−7 | 6.5 × 10−7
DC [%] | 90% | 90% | 90% | 90% | 90% | 90%
λDD [h−1] | 1.8 × 10−6 | 9 × 10−7 | 4.91 × 10−7 | 9.38 × 10−7 | 2.79 × 10−7 | 5.85 × 10−7
λDU [h−1] | 2 × 10−7 | 1 × 10−7 | 5.46 × 10−8 | 1.04 × 10−7 | 3.1 × 10−8 | 6.5 × 10−8
λSD [h−1] | 1.8 × 10−6 | 9 × 10−7 | 4.91 × 10−7 | 9.38 × 10−7 | 2.79 × 10−7 | 5.85 × 10−7
λSU [h−1] | 2 × 10−7 | 1 × 10−7 | 5.46 × 10−8 | 1.04 × 10−7 | 3.1 × 10−8 | 6.5 × 10−8
MTTR [h] | 8 | 8 | 8 | 8 | 8 | 8
TI [y] | 1 | 1 | 1 | 1 | 1 | 1
β | 0.02 | 0.02 | 0.02 | 0.02 | 0.02 | 0.02
Table 11. Results for different E/E/PE architectures.
Architecture | PS | TS | DI | CPU | DO | V
PFDavg 1oo1 | 8.78 × 10−3 | 4.39 × 10−3 | 2.39 × 10−3 | 4.57 × 10−3 | 1.36 × 10−3 | 2.85 × 10−3
PFDavg 1oo2 | 2.76 × 10−4 | 1.13 × 10−4 | 5.53 × 10−5 | 1.19 × 10−4 | 2.96 × 10−5 | 6.76 × 10−5
PFDavg 2oo3 | 4.77 × 10−4 | 1.63 × 10−4 | 7.03 × 10−5 | 1.73 × 10−4 | 3.45 × 10−5 | 8.88 × 10−5
SILelem | 3 | 3 | 4 | 3 | 4 | 4
PFDavgSYS | 9.7 × 10−4
SILSYS | 3
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

Śliwiński, M.; Piesik, E. Designing Control and Protection Systems with Regard to Integrated Functional Safety and Cybersecurity Aspects. Energies 2021, 14, 2227. https://doi.org/10.3390/en14082227