Designing Control and Protection Systems with Regard to Integrated Functional Safety and Cybersecurity Aspects

Abstract: This article addresses current problems of risk analysis and probabilistic modelling for functional safety management in the life cycle of safety-related systems. Two main stages in the lifecycle of these systems are distinguished, namely the design and operation. The risk analysis and probabilistic modelling differ in these stages in view of available knowledge and data. Due to the complexity and uncertainty involved, both qualitative and quantitative information can be useful in risk analysis and probabilistic modelling. Some methodological aspects of the functional safety assessment are outlined that include modelling of dependent failures or cybersecurity and verifying the safety integrity level (SIL) under uncertainty. It is illustrated how the assumptions in the process of risk analysis and probabilistic modelling influence results obtained and, therefore, potentially the decisions taken in functional safety management. Programmable control and safety systems play an important role in mitigating and controlling risks in the operation of hazardous installations. This paper presents ways to deal with safety hazards involving such systems to be considered in risk analysis and integrated functional safety and cybersecurity management.


Introduction
Emerging threats have significant potential to destructively impact the operation of technical systems, hazardous facilities, and critical infrastructure systems or networks. Therefore, the risks of major accidents with severe consequences that can happen in hazardous industrial plants have to be systematically assessed and properly managed across the entire life cycle [1][2][3]. Safety and security issues are two different groups of functional requirements for industrial systems. This is one of the main reasons why the analyses of safety and cybersecurity should not be integrated directly. They should instead be integrated using one of the specified approaches: the Common Criteria approach, the SecureSafety (SeSa) methodology, the Ring protection model, or the ISO-IEC 62443 standard. The guidelines and specific information on these methods are presented in publications [1,2]. This article presents one of the proposed approaches, which consists of the integrated analysis of safety and security in probabilistic modelling within the safety integrity level verification process. This integrated methodology has limited application in information technology (IT), but offers many opportunities in operational technology (OT) applications. The proposed integrated approach is useful in the engineering design of process control as well as protection systems. Of course, it can also be used across the whole life cycle of critical installations. It is clear that automation systems in process installations have integral systematic proof tests and the most sophisticated construction of the safety control systems. These systems are the most vulnerable to cyber-attacks via an industrial computer network.
One of the main objectives of functional safety analysis is determining the required safety integrity level (SIL) for the safety-related functions to be realized by safety-related systems. According to IEC 61508, an interval probabilistic quantitative criterion is defined for each SIL (1 to 4). The functional safety analysis procedure usually does not include security. The SIL of a given safety-related function (SRF) is presented by numbers 1 to 4 and is bound to the needed risk reduction when the SRF is implemented in regard to IEC standards [1]. The assignment of safety requirements to a protection function realized using E/E/PE and other technologies is shown in Figure 1 [4,17].
For safety functions implemented using the safety-related system, two types of interval probabilistic criteria are defined in the IEC 61508 standard (Table 1) for two modes of operation [4,5]:
• the average probability of failure on demand PFDavg for a safety function operating on demand; or
• the frequency (probability of a dangerous failure per hour) PFH.
The typical configuration of a safety system (Figure 2) consists of three subsystems, generally of koon configuration: (A) sensors, (B) safety PLC (Programmable Logic Controller), and (C) final elements.
The risk of potential hazardous events can be rationally reduced in the context of evaluated categories of the frequency of unwanted occurrence (W) and consequences (N) (Table 2) [4]. The total probability of safety system failure for the case considered has to be reduced to the value shown on the right side of the arrow ↓ (to obtain the reduced frequency (F) of a given category from a to d). As shown, the required SIL of the defined safety function to be implemented depends on the possibility of failing to avoid a hazardous event using other safety measures (x, y, or z as described below Table 2) [17]. In cases denoted as b, a single SIS is not enough, and an additional protection layer has to be designed.
The risk matrix defined (Table 2) can be modified, e.g., to take into account some societal values and an aversion to major accidents with serious consequences. It would change SIL requirements to be assigned to the E/E/PE or SIS (increased SIL-high consequences), or the necessity to design an additional safety layer.
To fulfil the requirements of a higher SIL (3 or 4) assigned to the safety function, the appropriate configuration of the E/E/PE system or SIS is to be designed, e.g., 1oo2, 2oo3, or 2oo4.

Cybersecurity Approach
In cybersecurity there are two main approaches: Evaluation Assurance Level (EAL) and Security Assurance Level (SAL). The Evaluation Assurance Level (EAL) is based on the Common Criteria standard [18] and ranges from EAL1 (minimal requirements) to EAL7 (high requirements). Each Evaluation Assurance Level can be described as: EAL1-functionally tested; EAL2-structurally tested; EAL3-methodically tested and checked; EAL4-methodically tested, designed and reviewed; EAL5-semi-formally designed and tested; EAL6-semi-formally verified design and tested; EAL7-formally verified design and tested [18].
Another approach to cybersecurity evaluation for industrial control systems (ICS) is IEC 62443 [3]. A definition of Security Assurance Level (SAL) has been introduced in this standard. There are four security levels (SAL1 to 4) and they are assessed for a given security zone using a set of seven functional requirements (Table 3).
Table 3. Cybersecurity levels (SAL).
SAL1 Protection against casual or coincidental violation
SAL2 Protection against intentional violation using simple means with low resources, generic skills, and low motivation
SAL3 Protection against intentional violation using sophisticated means with moderate resources, system-specific skills, and moderate motivation
SAL4 Protection against intentional violation using sophisticated means with extended resources, system-specific skills, and high motivation
The SAL is a cybersecurity measure concerning industrial control systems (ICS). It is evaluated on a defined vector of seven requirements for a relevant cybersecurity zone [3]: where: AC-identification control, UC-use control, DI-data integrity, DC-data confidentiality, RDF-restricted data flow, TRE-timely response, RA-resource availability.
Results of a cybersecurity analysis of a given industrial control system can be divided into some general categories, for example, a qualitative description with defined cybersecurity levels such as low, medium, or high level of cybersecurity [9]. The EAL [18] or SAL [3] determined for a given solution is taken into account during the functional safety analysis (Table 4) [9]. Due to the nature of threats and known vulnerabilities, the security risk assessment shall be event-driven or under periodic cybersecurity review [19]. The possible effects of security risks on a safety-related control system in this context are shown in Figure 3 [19,20].
The safety risk assessment should be made in advance of any cybersecurity risk considerations [19]. The results, i.e., inherently safe design measures, safeguarding, and risk reduction measures of a machine, should then be analyzed regarding possible vulnerabilities against cyber-attacks (threats). The following are guidelines for the step-by-step approach to limit or restrict IT security threats and vulnerabilities [19,20].
Requirements concerning cybersecurity-related aspects will be considered regarding the requirements of a series of international standards: IEC 62443 [3], IEC 63074 [20], ISO/IEC 15408 [18], ISO/IEC 27000 [21], ISO/IEC 27001 [22] and ISO/IEC 27005 [23].
Some of the risk factors to be taken into account when carrying out this type of analysis have an impact on the estimated value of the frequency or likelihood of some of the consequences [28]. The risk is defined as: where the frequency F of occurrence of some scenario associated with certain consequences C is dependent on several factors, including the reliability of technical solutions used in the analyzed system [9]. Analyzing such a system in terms of cybersecurity can result in detecting the existence of certain vulnerabilities, which may increase the risks associated with the overall system. In most cases, this will result in an increase in the frequency of occurrence of a certain scenario; therefore, assuming that the consequences are constant (C = const), it can be said that: The system vulnerability can be measurable and expressed by the level of security, taking into account the countermeasures introduced to the system which may mitigate these vulnerabilities [11,27]. Considering the stage of identifying hazards in the system, which is a very important part of defining the required safety-related functions, there is a need for determining the possible causes, consequences, and frequency of occurrence for every described hazard or scenario [29].

The Risk Cube Methodology
The vulnerability of a system can be measurable and expressed through the level of information protection taking into account the countermeasures put in place to mitigate this vulnerability [1,30].
The risk of human, environmental and economic losses in the functional safety analysis is determined by taking into account the identified environmental hazards and technical disturbances (internal disturbances caused by human errors or external disturbances from the industrial installation).
In a broader perspective, the complementary analysis of information security should take into account threats related to the unfriendly intentions of intruders located inside or outside a given facility, as well as possible terrorist activities under certain conditions [1,2]. The risk measure Rij in the annual period, for the i-th threat and the j-th defined emergency scenario in the considered facility/system, is proposed to be determined in accordance with the formula: where: fi-frequency of occurrence of the i-th hazard situation (an event initiating an abnormal emergency situation) due to intentional action; Vij-the vulnerability of a given object, expressed by the conditional probability that the j-th level of effects will occur for this hazard situation; Cij-a measure of the consequences (e.g., human, environmental or economic losses) resulting from the emergency event under consideration; economic risk has a monetary unit value per year. The vulnerability can be reduced by using appropriate technical (security rings, security technologies) and organisational solutions (e.g., training programs, procedures in the security management system). The risk is similarly defined in the context of functional safety: where: fk-the frequency of the k-th risk situation due to internal or external interference; PFDkj-the probability of failure to perform the safety-related function on demand for the system of the j-th level of effect; PFDkj is determined based on models in reference to the requirements of the general standard IEC 61508 or the sector standard IEC 61511.
Based on (4) and (5), assuming the additivity of the risk measures, the measure of aggregate risk associated with the j-th level of effect can be estimated from the relationship: The determined risk measures can be used in the analysis of costs and effects of the proposed solutions of security systems, including layers of protection and ring ones, for functional safety and information security solutions, respectively. The practical importance, but also the challenge, of developing new methods of risk analysis and assessment for the integrated functional safety and information security management of computer control and protection systems under conditions of usually high uncertainty should be stressed [9,31]. Table 5 contains a risk matrix on specific issues related to industrial network cybersecurity and its impact on the operation of the critical infrastructure system. The risk degree Rcs (cs-cybersecurity) in a given case is related to the security assurance level SAL. Table 6 presents a risk matrix regarding information security issues in the critical infrastructure facility [2]. The degree of risk Rsec (low, medium, high, or very high) in a given case is related to the evaluation assurance level EAL. The next table (Table 7) presents the risk matrix regarding functional safety issues. The degree of risk Rfs (fs-functional safety) in a given case is referenced to the safety integrity level SIL.
The proposed integration of functional safety and cybersecurity issues at the risk analysis stage is shown in Figures 4 and 5. Assuming that the criticality of consequences for functional safety and cybersecurity impacts is the same, Cfs = Ccs = C, the integration can be presented as a Risk Cube.

Assuming that Cfs = Ccs = C: where: R-risk; Rfs-risk related to functional safety aspects; Rcs-risk related to cyber threats; C-criticality of effects; Cfs-criticality of consequences related to functional safety aspects; Ccs-criticality of consequences related to cyber threats; Pfs-the probability of failure; Pcs-the probability of a cyber-attack; Ffs-frequency of failure; Fcs-frequency of a cyber-attack.
As above, functional safety and information security issues (expressed through the evaluation assurance level EAL) are integrated. Assuming that the criticality of consequences for functional safety and information security are the same Cfs = Csec = C, the integrated approach is presented in Figures 6 and 7 (Risk Cube (SIL-EAL)).
Assuming that Cfs = Csec = C:
Taking into account the definition of risk as a combination of the frequency or probability of the occurrence of a failure event and the consequences of that event, a simplified method is proposed below to determine the required SIL, taking into account information security and cybersecurity aspects.
Such an analysis is based on data obtained in the process of hazard identification occurring in the technical system, as well as an estimation of the level of risk associated with them. Some of the risk factors taken into account in carrying out such analysis have an impact on the estimated value of frequency or probability [30]. The part of the risk related to frequency parameters most often concerns the issues of hardware reliability [32,33].
In the process of integration of functional safety issues with information security, the concept of the so-called two-parameter function can be used [2]. If a low level of information security is estimated in the critical infrastructure system under consideration, the SIL requirements for the safety function may change. For the SIL requirements to remain unchanged, it becomes necessary to reduce the risks associated with the level of information security [34]. This involves raising the cybersecurity requirements (e.g., higher EAL level) for the system under analysis.
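As an added worked example (not code from the paper), the aggregated risk measure of this section and the argument of the cybersecurity section that a vulnerability raises the scenario frequency at constant C are evaluated numerically, showing how the cyber part of the risk shifts the SIL required of the safety function. Because formulas (4) to (6) are not reproduced on this page, the code assumes the product form R = frequency × conditional probability × consequence for each part and the additivity of the safety and security parts that the text states; the frequencies, vulnerabilities and consequence value are constructed.

```python
"""
Added example (not code from the paper): the aggregated risk measure of the
Risk Cube section worked numerically. Assumed product form
R = frequency x conditional probability x consequence for both parts (the
paper's formulas (4)-(6) are not reproduced on this page) and additivity of
the safety and security risks, as the paper states. All numbers below are
constructed for illustration, not the paper's data.
"""


def risk_security(f_i: float, v_ij: float, c_ij: float) -> float:
    """R_ij: frequency of the i-th intentional hazard situation x vulnerability
    (conditional probability of the j-th level of effects) x consequence."""
    return f_i * v_ij * c_ij


def risk_safety(f_k: float, pfd_kj: float, c_kj: float) -> float:
    """R_kj: demand frequency x PFD of the safety-related function x consequence."""
    return f_k * pfd_kj * c_kj


def sil_for_pfd_target(pfd_target: float):
    """SIL whose IEC 61508 low-demand PFDavg band contains the required PFD.

    Returns 0 when no safety integrity is required (PFD >= 1e-1) and None
    when the target lies below the SIL4 band, i.e. a single safety function
    cannot reach it and another protection layer is needed.
    """
    if pfd_target >= 1e-1:
        return 0
    bands = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))
    for sil, lower, upper in bands:
        if lower <= pfd_target < upper:
            return sil
    return None


def assess(f_k: float, c: float, r_target: float,
           f_i: float = 0.0, v_ij: float = 0.0) -> dict:
    """Two-parameter view of the paper: with the cyber part R_cs fixed by the
    security level (f_i, v_ij), what PFD, and hence SIL, must the safety
    function reach so that R_fs + R_cs stays within r_target?
    """
    r_cs = risk_security(f_i, v_ij, c)
    # Risk budget left for the functional safety part, expressed as a PFD.
    pfd_required = (r_target - r_cs) / (f_k * c)
    return {
        "r_cs": r_cs,
        "pfd_required": pfd_required,
        "sil_required": sil_for_pfd_target(pfd_required) if pfd_required > 0 else None,
    }


if __name__ == "__main__":
    # Constructed scenario: 0.1 demands/year, consequence 1e7 units, target 500 units/year.
    base = dict(f_k=0.1, c=1e7, r_target=500)
    print("no cyber contribution :", assess(**base))                       # SIL3
    print("low security (V=0.0045):", assess(**base, f_i=0.01, v_ij=0.0045))  # SIL4
    print("higher EAL (V=0.001)   :", assess(**base, f_i=0.01, v_ij=0.001))   # SIL3 again
    print("very weak (V=0.04)     :", assess(**base, f_i=0.01, v_ij=0.04))    # not achievable
```

The last two cases are the paper's two-parameter choice in numbers: either the SIL requirement rises, or the vulnerability is reduced (higher EAL) so the original SIL can stay.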

SIL Determining with Cybersecurity Aspects
The functional safety and cybersecurity goals are now the input to derive functional safety and security requirements [11,35]. Both of those factors are responsible for the final level of security taken into account in the functional safety risk assessment process (Figure 8).
Figure 8. Procedure using cybersecurity factors in safety analysis [13].
The SIL or PL is determined based on several quantitative factors in conjunction with qualitative factors during the process of development and safety life cycle management. There are several methods to determine the SIL or PL for a chosen safety function. Some of the popular ones include the Risk Matrix and the Risk Graph [4,5,11,26,30].
A general scheme of considering the security analysis results in the SIL or PL determining process is important to present the approach (Figure 9).
Figure 9. The procedure of SIL or PL determining with cybersecurity aspects.

Probabilistic Modelling of Safety-Related Subsystems
The quantitative method based on the reliability block diagram (RBD) is used for verifying the SIL. The probability of failure to perform the designed safety function on demand can be evaluated with the following formula: where: λD-dangerous failure rate; t-time.
The average probability, assuming that all subsystems are tested with the proof test interval TI, is calculated as in formula (12) [4]: where: TI-test interval. The frequency of a dangerous failure can be evaluated based on the formula shown below: where: λavg-average failure rate; T-time interval. The architecture of equipment performing the safety function is represented by block diagrams distinguishing between subsystems and modules [36,37]. An example of the physical form of the E/E/PE system structure (BPCS or SIS) is shown in Figure 10.
There are three subsystems in the E/E/PE BPCS or SIS: sensors, logic solvers, and actuators. The presented structure consists of three sensors A, B, C in koo3 configuration, the logical subsystem D (e.g., PLC), and the actuators E and F (koo2). Figure 11 shows an example of the structure of an E/E/PE or SIS system in the form of a reliability block diagram, assuming that the sensors subsystem has a 1oo3 configuration and the actuators subsystem a 1oo2 configuration.
Figure 11. Reliability block diagram RBD of an example E/E/PE or SIS system structure.
In the above diagram the common cause failure (CCF) for the sensors' subsystem from elements A, B and C and for the actuators' subsystem CCF2 from elements E and F is considered [4,36,38]. For the system from Figure 10, Figure 12 shows the E/E/PE or SIS system fault tree from Figure 11 including the common cause failure.
The average probability of failure on demand of the safety function for the system in Figure 11 can be determined from the sum of the probabilities for the individual subsystems.
Similarly, the average frequency of a dangerous failure per hour PFH (for the system operating in high demand or continuous mode) can be determined as: An example of the programmable electronic system with two channels is shown in Figure 13 [4]. If the potential common cause failures were not included in the probabilistic evaluation of the system, the safety integrity level of the entire system would be incorrectly determined (or verified) [32,35,36,37,38]. The contribution of common cause failures to the failures of individual channels and the entire 1oo2 system is illustrated in Figure 14.

The β factor method is usually used in the modelling of potential common cause failures. The β factor method (Figure 15) can also be used to estimate the rate of the common cause failures, applicable to two channels operating in parallel with regard to the random hardware failures of these two channels [37,38].

Figure 15. Reliability block diagram for 1oo2 E/E/PE system.
The channel equivalent mean downtime tCE is evaluated from the equation [4]: where: tCE-channel equivalent mean downtime for the 1oo2 architecture; λD-dangerous failure rate; λDD-dangerous detected failure rate; λDU-dangerous undetected failure rate; TI-proof test interval; MTTR-mean time to repair. The voted group equivalent mean downtime tGE is expressed by the equation: where: tGE-the voted group equivalent mean downtime for the 1oo2 architecture. Taking into account Equations (16) and (17), the relation for the average probability of failure on demand for the 1oo2 architecture system is as follows: where: β-factor for common cause failure.
The failure rate λ of a system with a redundant structure koon, consisting of n different elements, can be presented as the sum of the average independent failure rate λIavg and the dependent failure rate λC:
λ = λIavg + λC (20)
where: λIavg-average independent failure rate; λC-dependent failure rate. The β factor takes the form: Using formulas (20) and (21), the dependent failure rate can be described by the equation: The average independent failure rate λIavg can be presented by the formula: where: λIi-average independent failure rate for a single i-th element; n-number of elements. Taking into account formulas (22) and (23), the dependent failure rate λC can be described as follows: Considering the average value of the independent failure rate λIavg,g as the geometric mean, the dependent failure rate can be determined from the formula below: The general β model is presented above. It is essential to take into account common cause failures in the constructed model. When the system is composed of identical elements, the above formulas reduce to the form presented in the equations describing the case for identical elements. For the determination of the base value of β for the 1oo2 configuration, the IEC 61508-6 score boards may be used [4].

Examples of Functional Safety Analysis with Cybersecurity
The high-pressure tank with liquid gas is considered, equipped with an E/E/PE safety-related system. The piping and instrumentation diagram (P&ID) with the safety loop of the protection system is shown in Figure 16. According to the risk analysis results, the E/E/PE safety-related system protecting the high-pressure tank should fulfil the requirement of safety integrity level SIL3, i.e., PFDavg in [10^−4, 10^−3) (Table 1). This system consists of three subsystems: the sensor, the logic solver, and the final element (Figure 17).

Table 8 shows the data assumed for the automatic safety function considered. The initial calculations showed that with a single sensor it is not possible to fulfil the SIL3 requirement in this system. Therefore, two sensor-converter paths (redundant 1oo2 architecture) were then considered. The PFDavg results for the modified E/E/PE system with redundant sensors and different assumed β factors are given in Table 9.

According to the results obtained, the E/E/PE safety-related system fulfils the SIL3 criterion. Taking into account the different values of the β factor for the pressure converter dPT and the transducer I/I, the results vary significantly. For instance, for β = 0.05 the value of PFDavg for the sensor subsystem changes by an order of magnitude, and for β = 0.1 the change is two orders of magnitude. When the cybersecurity failure event and the related β factor are incorporated into the probabilistic model (PFDavg_CS = 0.01), the value of PFDavg for the E/E/PE system changes significantly [39,40]. For the case of β = 0.1, it is about 2 × 10^−3. Taking into account the last column of Table 10, with PFDavg treated as in the previous case, the SIL of the E/E/PE system decreased from SIL3 to SIL2. Thus, incorporating the dependency of events into the probabilistic model of the E/E/PE system usually increases PFDavg significantly, contributing to a decrease of the related SIL. The contribution of the probabilities described above to the average probability of failure on demand PFDavg is shown in Figure 18. In this figure, T_AT is the interval of periodic automatic tests of a subsystem and T_I is the interval at which the functional tests of a subsystem are carried out.

Figure 18. Elements of the average probability of an E/E/PE subsystem failure on demand.
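To make the effect of the β factor on the sensor subsystem and on the system SIL concrete, the following Python example (added here, not code from the paper) computes PFDavg for a single sensor path and for the 1oo2 redundant sensor subsystem with the IEC 61508-6 simplified formulas (t_CE, t_GE and the β-factor common cause terms), sums the subsystems and classifies the result into a SIL band. All failure rates, the proof test interval, MTTR and the logic solver and final element PFDavg values are constructed sample data, β_D is assumed to be β/2, and the way the cybersecurity term (PFDavg_CS = 0.01) is combined, as a dependent contribution β·PFDavg_CS, is a modelling assumption of this example rather than a formula taken from the paper.

```python
"""Added example, not the paper's own code: PFDavg of the tank protection system
with a 1oo2 sensor subsystem, the IEC 61508-6 beta-factor model, and a labelled
assumption for the cybersecurity-related term. All rate data are constructed."""

# IEC 61508 low-demand bands: SIL n is met when lower <= PFDavg < upper
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd):
    """Return the SIL band a point PFDavg value falls into (0 if none)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def channel_downtimes(lam_du, lam_dd, ti, mttr):
    """Channel (tCE) and voted-group (tGE) equivalent mean downtimes for a 1oo2
    group, IEC 61508-6 simplified formulas."""
    lam_d = lam_du + lam_dd
    t_ce = lam_du / lam_d * (ti / 2 + mttr) + lam_dd / lam_d * mttr
    t_ge = lam_du / lam_d * (ti / 3 + mttr) + lam_dd / lam_d * mttr
    return t_ce, t_ge


def pfd_1oo1(lam_du, lam_dd, ti, mttr):
    """IEC 61508-6: PFDavg(1oo1) = (lambda_DU + lambda_DD) * tCE."""
    t_ce, _ = channel_downtimes(lam_du, lam_dd, ti, mttr)
    return (lam_du + lam_dd) * t_ce


def pfd_1oo2(lam_du, lam_dd, ti, mttr, beta, beta_d=None):
    """IEC 61508-6 simplified 1oo2 formula with the beta-factor CCF terms.
    beta is the CCF fraction of dangerous undetected failures; beta_d the fraction
    for dangerous detected failures (ASSUMED beta/2 here, the usual IEC 61508-6 choice)."""
    if beta_d is None:
        beta_d = beta / 2
    t_ce, t_ge = channel_downtimes(lam_du, lam_dd, ti, mttr)
    independent = 2 * ((1 - beta_d) * lam_dd + (1 - beta) * lam_du) ** 2 * t_ce * t_ge
    common_cause = beta_d * lam_dd * mttr + beta * lam_du * (ti / 2 + mttr)
    return independent + common_cause


def system_pfd(subsystem_pfds, pfd_cs=0.0, beta_cs=0.0):
    """Series combination of subsystems (a sum, valid while every term << 1).
    ASSUMPTION (a modelling choice of this example, not a formula from the paper):
    the cybersecurity-related failure event with unavailability pfd_cs enters as a
    dependent-failure contribution beta_cs * pfd_cs, in the spirit of the beta model."""
    return sum(subsystem_pfds) + beta_cs * pfd_cs


def tank_example():
    """Walk through the cases discussed in the text with constructed data.
    Returns {"single_sensor": (pfd, sil), beta: (pfd_1oo2, sil, pfd_with_cs, sil_with_cs)}."""
    ti, mttr = 8760.0, 8.0                    # yearly proof test, 8 h repair (constructed)
    sensor = dict(lam_du=1e-6, lam_dd=9e-6)   # per sensor-converter path, 1/h (constructed)
    logic, final = 1e-4, 3e-4                 # logic solver, final element PFDavg (constructed)
    out = {}
    single = pfd_1oo1(ti=ti, mttr=mttr, **sensor)
    out["single_sensor"] = (single, sil_from_pfd(system_pfd([single, logic, final])))
    for beta in (0.02, 0.05, 0.1):
        red = pfd_1oo2(ti=ti, mttr=mttr, beta=beta, **sensor)
        sys_pfd = system_pfd([red, logic, final])
        sys_cs = system_pfd([red, logic, final], pfd_cs=0.01, beta_cs=beta)
        out[beta] = (red, sil_from_pfd(sys_pfd), sys_cs, sil_from_pfd(sys_cs))
    return out


if __name__ == "__main__":
    for case, values in tank_example().items():
        print(case, values)
```

With these constructed numbers the single sensor path alone lands the system in the SIL2 band, the 1oo2 sensor subsystem brings the system into SIL3 for every β considered, and adding the cybersecurity term pushes it back to SIL2 for β of 0.05 and above, which is the qualitative behaviour the text reports for Tables 9 and 10.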

Verification of SIL under Uncertainty
As mentioned, for verifying the SIL the results of the probabilistic modelling of the E/E/PE safety-related system are to be compared with the probabilistic criteria given in Table 1. In practice, these results are often point values and, in some cases, lie just at the upper/lower limits of the intervals for consecutive SILs.
The results from a probabilistic model depend on its parameters, which in general are characterized by uncertainty, expressed by a distribution or an interval. PFDavg is averaged over time, not over the uncertain parameters of the model.
The results of probabilistic modelling can be represented by intervals, as shown by the bold interval in Figure 19. In general, such an interval can be fuzzy and has some interesting properties. A method to verify uncertain results against fuzzy interval criteria is proposed in the monographs [1,2].

Below, a proposal is outlined for the simplified verification of SIL for a given E/E/PE system in the case when only the point value of PFDavg is known, while the uncertainty issue is incorporated in the verification process through a more conservative determination of SIL. For instance, the point value of PFDavg is compared with the fuzzy criterion values, l (lower) and u (upper) in Figure 19, represented by the relevant membership functions of the fuzzy criterion for the given SIL, µ_SIL^l(P_cr) and µ_SIL^u(P_cr), respectively. In this figure, if we consider, for instance, SIL2, µ_SIL2^l(PFDavg) is the possibility level of fulfilling the SIL2 lower limit probabilistic criterion and µ_SIL2^u(PFDavg) the possibility level of fulfilling the SIL2 upper limit probabilistic criterion. When µ_SIL^l(PFDavg) and µ_SIL^u(PFDavg) are equal to 0.5, the SIL level is indicated unconditionally. When µ_SIL2^l(PFDavg) and µ_SIL2^u(PFDavg) are close to 0 or 1 (lower/upper limits of the probability interval), the SIL is determined conservatively (the lower SIL is assumed) or additional analysis is undertaken concerning the assumptions and sensitivity of the probabilistic model.

PFDavg in formula (12) for a subsystem of the given architecture is calculated, e.g., according to formula (18). If the value of the probability PFDavgSYS is lower than the relevant probabilistic criterion value for the given SIL (Table 1), then the designed safety-related system is considered as fulfilling this criterion.

The structures of three E/E/PE safety-related systems are shown in Figures 20 and 21. They consist of the subsystems: pressure sensors (PS) of 2oo3 architecture, temperature sensors (TS) of 2oo3 architecture, and valves (V) with 1oo2 redundancy, with different structures of the central processing unit (CPU), digital input modules (DI) and digital output modules (DO). In structure I the digital input module DI is 1oo2, the CPU is 1oo1, and DO is 1oo1.

Figure 20. The structure I of E/E/PE safety-related system.
For the system in Figure 20 there are 10 minimal cut sets. Therefore, the probability of failure on demand PFD(t) takes the form:

$$\begin{aligned} PFD(t) \approx {} & q_{PS1}(t)\,q_{PS2}(t) + q_{PS1}(t)\,q_{PS3}(t) + q_{PS2}(t)\,q_{PS3}(t) \\ & + q_{TS1}(t)\,q_{TS2}(t) + q_{TS1}(t)\,q_{TS3}(t) + q_{TS2}(t)\,q_{TS3}(t) \\ & + q_{V1}(t)\,q_{V2}(t) + q_{DI1}(t)\,q_{DI2}(t) + q_{CPU}(t) + q_{DO}(t) \end{aligned}$$

where: q is the probability of failure of a single element in the subsystem structure. If the individual subsystems consist of identical elements, then PFD(t) is represented by the following relationship:

Thus, for the example system in Figure 20, the average probability PFDavg of failure to perform the safety-related function on demand is:

The average frequency of dangerous failures PFH for a safety-related system operating in continuous mode is described by the formula:

Figure 21. FT structure I model of E/E/PE safety-related system.

Similarly to structure I, the probability relationships for systems II and III were determined. Structure II consists of digital input modules DI with 1oo2 redundancy, processors CPU in 2oo3, and digital output modules DO in 2oo3. Structure III consists of digital input modules DI with 1oo2 redundancy, processors CPU in 1oo2, and digital output modules DO in 1oo2. The PFDavg value for this E/E/PE safety-related system was calculated using the reliability data from Table 10, based on the PDS Data Handbook, SINTEF [41]. Table 11 shows the results for the different subsystem architectures of the E/E/PE safety-related system considered. The analyst can assess the PFDavgSYS results (Table 11) for the various subsystem architectures. However, special attention was paid to the results relevant to the system structures in Figures 20, 22 and 23. The assessment of the results obtained shows that for the structure in Figure 20 this value is equal to 2.41 × 10^−3, fulfilling the requirement of SIL2. For the structure in Figure 21, the results for the subsystems are shown in bold in Table 11, and the resulting value for the system is 9.7 × 10^−4, fulfilling the requirement of SIL3. However, for the structure in Figure 22, this value is equal to 1.52 × 10^−3, fulfilling only the requirement of SIL2.
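As an added illustration (not code from the paper) of how the minimal cut sets of structure I lead to PFD(t) and PFDavg, the Python block below enumerates the cut sets from the koon description of each subsystem, evaluates the sum-of-products approximation of PFD(t) with q(t) = 1 − exp(−λ_DU t) for elements that stay undetected until the next proof test, and averages it numerically over the proof test interval T_I. The λ_DU values and T_I are constructed sample data, and the element names (PS1, PS2, ...) are labels chosen for this example.

```python
"""Added example, not the paper's own code: minimal cut sets of structure I
(Figure 20) and the resulting PFD(t) and PFDavg. Failure rates are constructed."""
import itertools
import math

# Structure I as described in the text: subsystem -> (k, n) voting, subsystems in series
STRUCTURE_I = {"PS": (2, 3), "TS": (2, 3), "V": (1, 2), "DI": (1, 2), "CPU": (1, 1), "DO": (1, 1)}


def minimal_cut_sets(structure):
    """A koon subsystem is failed when n-k+1 of its n elements are failed, so its
    minimal cut sets are all (n-k+1)-element subsets; the series system collects them all."""
    cuts = []
    for name, (k, n) in structure.items():
        size = n - k + 1
        labels = [f"{name}{i}" for i in range(1, n + 1)] if n > 1 else [name]
        cuts.extend(tuple(c) for c in itertools.combinations(labels, size))
    return cuts


def q_du(lam_du, t):
    """Probability that one element is in a dangerous undetected failed state at time t
    after the last proof test (no repair until that test): q(t) = 1 - exp(-lambda_DU t)."""
    return 1.0 - math.exp(-lam_du * t)


def pfd_t(cuts, lam_du, t):
    """Rare-event approximation: PFD(t) ~ sum over minimal cut sets of the product of the
    element unavailabilities, the form of the equation written out for structure I."""
    return sum(math.prod(q_du(lam_du[e], t) for e in cut) for cut in cuts)


def pfd_avg(cuts, lam_du, ti, steps=2000):
    """Time average of PFD(t) over the proof test interval TI (midpoint rule)."""
    h = ti / steps
    return sum(pfd_t(cuts, lam_du, (i + 0.5) * h) for i in range(steps)) / steps


def sample_rates():
    """Constructed lambda_DU values [1/h], identical for the elements of one subsystem."""
    per_subsystem = {"PS": 1e-6, "TS": 2e-6, "V": 3e-6, "DI": 5e-7, "CPU": 2e-7, "DO": 4e-7}
    return {e: per_subsystem[e.rstrip("0123456789")]
            for cut in minimal_cut_sets(STRUCTURE_I) for e in cut}


def structure_i_pfd_avg(ti=8760.0):
    """PFDavg of structure I for the constructed rates and a yearly proof test."""
    return pfd_avg(minimal_cut_sets(STRUCTURE_I), sample_rates(), ti)


if __name__ == "__main__":
    for cut in minimal_cut_sets(STRUCTURE_I):
        print(" * ".join(cut))
    print("PFDavg (structure I, constructed data):", structure_i_pfd_avg())
```

Because the rates are identical within each subsystem, pfd_t reduces to 3q_PS² + 3q_TS² + q_V² + q_DI² + q_CPU + q_DO, the identical-elements form the text refers to; swapping a subsystem's (k, n) pair in STRUCTURE_I reproduces the cut sets of structures II and III.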
In the PFDavg calculation of the E/E/PE safety-related system, a point value near the upper/lower limit of the ranges (probabilistic criteria for the SILs) can be obtained. For instance, for the structure in Figure 21 PFDavg is equal to 9.7 × 10^−4, formally fulfilling the requirement of SIL3, but this value is near the probabilistic criterion for SIL2. Similarly, for the structure in Figure 22 PFDavg is equal to 1.52 × 10^−3 (SIL2), but the resulting value is near the probabilistic criterion for SIL3.
The PFDavg for the safety-related system was calculated as a point value. In Figure 24 the PFDavg point value is compared with the SIL3 interval criterion [10^−4, 10^−3). The lower membership value µ_SIL3^l for SIL3 is equal to 0.2, while the upper membership value µ_SIL3^u for SIL3 is equal to 0.8. This result (µ_SIL3^l = 0.2 and µ_SIL3^u = 0.8) for the given PFDavg value is useful for making an easier decision regarding the SIL classification of the E/E/PE safety-related system considered.
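The following Python block (an added example, not the paper's code and not the membership functions of Figures 19 and 24) shows the simplified verification rule in executable form: a point PFDavg value is located in its SIL band, lower and upper membership values are derived, and the SIL is downgraded when the value is close to the upper limit of the band; an interval-valued result is verified from its pessimistic end. The log-linear membership shape and the 0.8 threshold for "close to 1" are assumptions of this example, so it does not reproduce the 0.2/0.8 values of Figure 24.

```python
"""Added example, not the paper's own code: verifying a SIL claim from a point or
interval PFDavg value against the probabilistic criteria, with an ASSUMED
log-linear membership for the fuzzy lower/upper limit criteria."""
import math

# IEC 61508 low-demand bands: SIL n is met when lower <= PFDavg < upper
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
NEAR_LIMIT = 0.8   # ASSUMPTION: a membership at or above this counts as "close to 1"


def sil_band(pfd):
    """Nominal SIL of a point value and the limits of its band (0, None, None if outside)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil, lo, hi
    return 0, None, None


def memberships(pfd, lo, hi):
    """ASSUMED membership shape: position of log10(pfd) inside the band [lo, hi).
    mu_l expresses closeness to the lower limit, mu_u closeness to the upper limit;
    both equal 0.5 at the geometric centre of the band (the unconditional case)."""
    p = (math.log10(pfd) - math.log10(lo)) / (math.log10(hi) - math.log10(lo))
    return 1.0 - p, p


def verify_point(pfd):
    """Simplified verification: uncertainty enters through a conservative SIL decision."""
    nominal, lo, hi = sil_band(pfd)
    if nominal == 0:
        return {"nominal": 0, "claimed": 0, "mu_l": None, "mu_u": None,
                "note": "outside the SIL1..SIL4 bands"}
    mu_l, mu_u = memberships(pfd, lo, hi)
    claimed, note = nominal, "unconditional"
    if mu_u >= NEAR_LIMIT:
        # close to the criterion of the next lower SIL: assume the lower SIL
        claimed = nominal - 1
        note = "near upper limit: conservative SIL, sensitivity analysis advised"
    elif mu_l >= NEAR_LIMIT:
        note = "near lower limit: do not claim a higher SIL without uncertainty analysis"
    return {"nominal": nominal, "claimed": claimed, "mu_l": mu_l, "mu_u": mu_u, "note": note}


def verify_interval(pfd_low, pfd_high):
    """Interval result [pfd_low, pfd_high]: the SIL supported by the whole interval is the
    one of its pessimistic end; flag when the interval straddles a criterion value."""
    sil_high = sil_band(pfd_high)[0]
    sil_low = sil_band(pfd_low)[0]
    return {"claimed": sil_high, "straddles_limit": sil_high != sil_low}


if __name__ == "__main__":
    for value in (9.7e-4, 1.52e-3, 10 ** -3.5):
        print(value, verify_point(value))
    print(verify_interval(5e-4, 2e-3))
```

For the two values discussed in the text, 9.7 × 10^−4 is nominally SIL3 but sits so close to the 10^−3 criterion that the rule claims SIL2, and 1.52 × 10^−3 is SIL2 with a flag that a higher SIL must not be read into its closeness to the SIL3 criterion.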

Conclusions
Functional safety is an important element of system safety. It addresses those parts of safety that relate to the function of a system and ensures that the system causes no harm in response to its potential inputs or failures. The task of a safety-related system in the critical industrial installation is the reduction of risk according to accident scenarios. In critical installations, safety functions are implemented through industrial automation and control systems. They are usually designed as electrical and programmable electronic systems according to the requirements of the IEC 61508 and the IEC 61511 for safety instrumented systems (SIS).
In this paper, the concept of integrated functional safety and cybersecurity analysis is outlined with an emphasis on uncertainty factors. System safety depends on the quality of the industrial installation, which can be enhanced by applying protection layers, e.g., basic process control system, alarm system, human operator, and safety instrumented system. The causes of accidents in critical infrastructure depend on prospective weaknesses, initiating events, and internal hazards. The main task of cybersecurity is to protect the system against potential threats (internal and external) that compromise its assets and the environment. These two issues, providing safety and providing security in engineering systems, have been treated separately for decades as two individual domains. Nowadays, when inadequate security impacts safety, it is necessary to address them jointly.
Dealing in an integrated and comprehensive way with the functional safety and cybersecurity analysis in critical installations is extremely important and remains a challenging issue. It is relatively common during the early stages of analysis to omit the security issues related to data communication and access restrictions to the system and its associated components. Nevertheless, these aspects, when neglected, may significantly impact safety and negatively influence the results of the analysis. In this article, a methodology to integrate the functional safety and security issues was presented and outlined for the calculation of SILs.
The approach proposed is illustrated on an example of a critical installation. Comprehensive integration of functional safety and cybersecurity analysis in critical infrastructure installations is very important and is currently a challenging issue. There is also the challenge of including cybersecurity aspects in the design of distributed industrial control systems (ICS).
Future work will focus on the design of computer-aided software for integrated functional safety and cybersecurity analysis, and there is a chance to include human reliability analysis in the integrated functional safety and cybersecurity approach. The limitation in that case would be the limited time for diagnosis and action (time window) available for a human reaction to protect the system. For that reason, layers of protection for safety and cybersecurity are implemented in the industrial installation.