Which factor ensures your it systems are functioning correctly and providing accurate information?

2.1.1 IEC 60300-1

Dependability management. Part 1: Dependability program management. Initially, mainly performance issues including availability, reliability, and maintainability were covered. Major topic headings include: Dependability management system, management responsibility, resource management, product realization, measurement analysis, improvement, and appendices. Currently, IEC 60300-2 is withdrawn and included in Part 1. IEC 60300-1:2014 establishes a framework of dependability management. It now includes products, systems, processes, and services involving hardware software and human factors also. This standard provides guidelines to management and their personnel for optimization of dependability.

Dependability

Dependability is the measure of a system or product's condition during a mission, provided that it is operational and available at the beginning of the mission. Dependability can also be described as the probability that a system or product will accomplish its assigned mission, again provided that it was available for operation at the beginning of the mission. System reliability significantly impacts the dependability of an unmanned system/item.

Careful consideration given to maintainability and human factors during the design of manned systems and equipment can improve dependability. The dependability of a system or product is defined as [4]

(3.37)Ds=OM(1−OR)+OR

where Ds is the dependability.

OM is the operational maintainability and is expressed as probability that the system or product will be repaired or restored to a given operational state or retained in that state within a specified time period, when maintenance tasks are conducted by properly trained persons following the procedures prescribed.

OR is the operational reliability.

At OM = 0, Equation 3.37 reduces to complete operational reliability.

4 DEPENDABILITY

Industry, hospitals, households, etc., are not interested in security of infrastructure as long as for example power supply is dependable.

Dependability covers (Laprie, 1992) safety, security, reliability, availability, maintainability, etc. The reliability alone for supply of electricity by 99% during time interval of interest would not be satisfying if in the 1% outside of the supply of energy dangerous voltage peaks can happen.

Of course dependability of one infrastructure is only one part of the real dependability, which it is strived for in a hyper-systcm. Transportations consist of different infrastructures like infrastructure for road and rail transportation as well as the tasks for supply comprise also the infrastructure for logistics and storages. All this possible systems and modes of transportation have to be taken in account for evaluating the dependability of a task for supply. An example is the famous Luftbrücke for Berlin. In this case it was switched from land to air transportation as the dependability of one solution was not available any more.

But dependability is only one objective among others in a system especially in the hyper-system. Energy supply shows that not only short-range economical objectives reduce investment needed for an acceptable level of dependability rather environmental objectives have a strong impact at present. The strategy to enforce energy saving and to switch to alternative energies production is hampering wilfully the elimination of dangerous shortage on capacity of power production. A similar situation is given for road traffic.

Dependability

Dependability quantifies several dimensions to predict how well and how long a system will operate. Dependability focuses on material strengths and failure modes; dependability reveals little about design flaws, unless a specific calculation reveals that the design violates a physical principle.

Dependability considers both wear-out and random latent failures in materials and components. Historically, the study of reliability has explained and modeled mechanisms of wear-out and random latent failures reasonably well. Models include mechanical systems and electronic semiconductors.

The calculations for reliability, time-to-repair, and availability have limitations. These calculations are standard formulas that serve very well in comparing different design approaches. These calculations, however, are seldom accurate for absolute predictions of reliability because they apply to steady-state conditions and there are many unknowns, such as stresses and susceptibility factors. Dependability, and specifically reliability, cannot predict failure from situations where environmental extremes, operating stresses exceed design limits, and similar types of abuse inflict the system.

See Appendix A for a basic description of the mathematics of dependability.

1 INTRODUCTION

Dependability attributes, like safety, reliability and availability, have become essential parameters on industrial automation systems design. Nowadays fieldbuses have a central role in these systems, with large application domains which extend to almost any area in manufacturing and process industries. They are presently the backbone of distributed industrial control architectures, providing a communication infrastructure which supports control, monitoring and supervision applications (Thomesse, 2005).

Industrial environments are characterized by the existence of a high diversity of equipments which are source of large patterns of electromagnetic interferences (EMI). These interferences induce faults in electronics circuits that disturb their normal Operation. In communication systems these types of faults usually affect the transmission medium and related circuits, since, in most situations, these are the system components most exposed to them. EMI faults are generally characterized by occurring in bursts, a long latent period followed by relatively short period of presence, and by having a short duration (transient faults) (Kim et al., 2000).

In this context faults produce errors on transmitted messages by corrupting their contents. To recover from these situations fieldbus networks implement several fault-tolerant mechanisms. However, this creates a communication overhead by introducing delivery delays in messages which could imply performance degradation in the control system. When messages have real-time requirements, which is common in control systems, these problems can seriously disturb the system operation and can even lead to its failure (Shin and Kim, 1992; Kim and Shin, 1994).

The importance assumed presently by these control systems compels to evaluate their dependability (Navet, et al., 2005). In a distributed system, determining the dependability of the communication channel is of particular importance, especially when this component is susceptible to EMI problems. Therefore in these systems it is vital to evaluate how the system dependability is affected by faults on communication (Broster, et al., 2002).

This paper deals with a specific fieldbus: CAN (Controller Area Network) (Bosh, 1991). It proposes a model that enables to evaluate the network dependability with respect to deadline failures in the presence of transient faults induced by external sources (EMI). Shortly, the effect of faults on the real-time properties of the network is investigated.

In contrast to most of the previous works (Tindell, et al., 1995; Punnekkat, et al., 2000; Hansson et al., 2002) a stochastic model is used to describe the fault occurrence and its duration, which guarantees a better representation of the phenomena involved. Although some recent works have already included this aspect (Navet, et al., 2000; Broster, et al., 2002; Broster, et al,. 2004), this paper provides a more realistic fault model, a representation of the network behavior much closer to the real operation conditions and the use of less pessimistic assumptions. The combination of all these aspects will provide more accurate dependability results.

2 Dependability Measures

The dependability characteristics of a system or a component can be expressed either qualitatively, in terms of attributes and features describing the system capacities and properties, or in terms of quantitative measures. As the occurrence or activation of faults in a system may lead to performance degradation without leading to system failure, dependability, and performance are strongly related. Thus, the evaluation of system performance under faulty conditions, in addition to dependability measures, will allow characterizing completely the system behavior from the dependability point of view.

We distinguish two kinds of dependability measures: comprehensive and specific measures. Comprehensive measures characterize the system globally at the service delivery level while specific measures characterize particular aspects of a system or a component (e.g., the fault-tolerance mechanisms or the system behavior in presence of faults). In the following we first provide examples of comprehensive measures, then examine specific measures and finally we address performance-related measures.

1.0.2 Dependability

Dependability is the ability of a system to deliver its intended level of service to its users [5]. Also it can be conceived as the reliance on a system for the quality of services it provides during an extended interval of time. There are attributes, measures, means, and impairments pertinent to dependability. Fault tolerance is one of the means of dependability, as shown in Fig. XI/1.0.2-1. Various contributing factors as shown are elaborated in the following:

Attributes: There are three major attributes of dependability to signify the properties expected of the system. These are briefly discussed as follows:

Availability: Availability A(t) of a system at time t is the probability that the system is functioning correctly at the instant of time t, where A(t) stands for instantaneous availability. The interval of availability is given by:

(XI/1.0.2-1)A(T)=1T∫0TA(t) dt

At steady state it shall be:

(XI/1.0.2-2)A(∞)=limT→∞1T∫0TA(t)dt

For further details see Clause 1.1.4. In this connection two other terms are also important: “probability of failure” and “mean time to repair” (see Chapter VII).

Safety: Safety S(t) of a system at time t is the probability that the system either performs its function correctly or not in a fail safe manner in the interval [0, t], given that the system was operating correctly at time 0. The issue here is fail safe operation or not.

Reliability: As already discussed in earlier chapters, given that the system was performing correctly at time 0, reliability R(t) of a system at time t is the probability that the system operates without a failure in the interval [0, t]. Reliability is a measure of the continuous delivery of correct service.

Measure: All these attributes need to be suitably measured to get an idea of the dependability of the system. Major issues like availability, safety, and reliability were discussed earlier and hence are not repeated here. Apart from these there shall be a few other measurable issues such as performability, testability (self-explanatory), and maintainability.

Performability signifies how the system performs with respect to dependability.

Maintainability: This is the probability of a system/subsystem being repaired. Major factors affecting maintainability shall include but are not limited to the following:

Troubleshooting and troubleshooting tools

Fault diagnosis and isolation

Fault alarms

Training of personnel

Accessibility

Addition and removal of components

In various intelligent systems, maintainability has reached such a position that it is possible to perform online addition/removal of cards, partial editing of programs, as well as diagnostics via fieldbus systems/Highway Addressable Remote Transducer (HART) [6].

Means: There are several means for dependability. Fault tolerance is one of them and was defined earlier. The other means are:

Fault forecasting is a set of techniques for estimating the number of faults, possibilities of occurrence in the future, as well as their consequences. This evaluation can be qualitative or quantitative. The former technique only ranks them. The following are the issues here:

Estimate faults:

Present number

Future number

Consequences

Qualitatively:

Causes of faults

Quantitatively:

Failure rate

Time to failure

Time between failures

Fault prevention techniques: These are aimed at preventing the introduction or occurrence of faults in the system. Fault prevention is achieved by quality control techniques during the specification, implementation, and fabrication stages of the design process. Design reviews, component screening, and testing (burn-in, power supply failure, etc.) used for hardware are also types of prevention technique. For software, structural programming, modularization, and formal verification techniques are used.

Fault tolerance: As defined earlier, fault tolerant designs are aimed at development of systems that could function correctly in the presence of faults. This is primarily achieved by some kind of redundancy to detect or mask a fault. Masking/detections are followed by fault location, containment, and recovery.

Fault removal: Fault removal techniques are used for reduction of the quantity of faults during the developmental phase as well as during the operational life of a system:

Developmental stage: Verification, diagnosis, and correction.

Operational stage: Corrective and preventive maintenance.

Impairment: This consists of fault, error, and failure, as already defined. The relation between them is detailed in Fig. XI/1.0.2-1. These are dealt with in detail in subsequent subclauses.

13.8.9 Security Issues

Dependability has been defined in Section 1.4 to describe the ability of a system to deliver a service that can be trusted, service being a system’s behaviour as perceived by the user (see the paper Dependability and its threats: A Taxonomy by Algurdis Avizienis, Jean-Claude Laprie and Brian Randell – freely available on-line). In the paper Reference Model and Its Use Cases by C. Cachin, J. Camenisch, M. Dacier, Y. Deswarte, J. Dobson, D. Horne, K. Kursawe, J. C. Laprie, J. C. Lebraud, D. Long, I. McCutcheon, J. Muller, F. Petzold, B. Pfitzmann, D. Powell, B. Randell, M. Schunter, V. Shoup, P. Verissimo, G. Trouessin, R. J. Stroud, M. Waidner and I. S. Welch (paper freely available on-line), the definition of dependability used is that property of a computer system such that reliance can justifiably be placed on the service it delivers and there is a discussion of the issues involved in defining a consistent framework for ensuring dependability with distributed applications in the face of a wide class of threats. Security in industrial networks is just as important as security in commercial networks. There needs to be confidentiality of equipment operation and configuration, also resistance to incorrect or malicious actions. There needs to be an architecture used which can tolerate such threats as the spread of malicious software and the failure of communication paths as a result of virus have to be guarded against. Hence unauthorised access to the network has to be prevented, firewalls used to restrict electronic access, and communication channels need to be made secure by the use of cryptographic algorithms. There need to be mechanisms to defend the automation networks themselves. Devices need to know that the sender or receiver of a message is a trusted entity or be able to determine that a message has not been maliciously tampered with while in transit. ODVA in their discussion and specification of CIP (see Section 13.8.8) considered that:

Any network connected to a device should generally be considered to have very limited trust.

All entities, both people and devices, that attach to a network should be considered untrusted until they can be authenticated.

Access to a device over a network should not be allowed until authorised by the device.

Physical access to a device will be limited to only trusted individuals.

Also, there is a need to ensure that the architecture used should be adequately robust towards accidental physical faults and accidental design faults.

C. Cachin et al. identify six meaningful security methods for ensuring or assessing security:

vulnerability prevention, e.g. the use of rigorous design and system management procedures;

intrusion/attack prevention, e.g. prevention of an intruder gaining access to a system because of a poor choice of user password;

intrusion tolerance, e.g. the provision of a service capable of implementing the systems functions despite intrusion;

vulnerability removal, e.g. the reduction of the number or severity of vulnerabilities by model checking and testing specifically aimed at identifying such vulnerabilities;

vulnerability forecasting, e.g. estimating the presence, creation and consequences of vulnerabilities and

intrusion forecasting, e.g. gathering statistics about the frequency and nature of attacks.

For a discussion of the issues involved, see the on-line paper referred to above, namely Reference Model and Its Use Cases by C. Cachin et al., and also Guide to industrial control systems (ICS) security – supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other control system configurations such as programmable logic controllers (PLC) by Keith Stouffer, Joe Falco and Karen Scarfone (National Institute of Standards and Technology 2011).

Dependability

Dependability is a collective term used only for non-quantitative descriptions of the following:

Reliability (R): How often does it fail?. This can be expressed in terms of time as ‘Mean Time Between Failure’ (MTBF).

Availability (A): Can it be used when you want it?. This is a measure of the ability to satisfy demand.

Maintainability (M): How easy is it to fix?. This is expresses in terms of time as ‘Mean Time To Repair’ (MTTR).

Durability (D): It is defined as the ability to continue to meet the performance goals after a specified extended period of time. It can be expressed in terms of time as ‘Mean Time Between Overhaul’ (MTBO).

1.5 Dependability

Dependability is defined as the ability to meet success criteria, under given conditions of use and maintenance. It is affected by the attributes of reliability, maintainability and availability. For example the risk to life and limb as a result of an accident or emergency can be reduced by the speed it takes for the victims to be rushed to a hospital. People depend on the emergency ambulance service to fulfil this function. If an ambulance breaks down, the availability of the service is reduced by the period it takes for the maintenance work needed to return the ambulance into service. However, if a backup is there to take the place of the failed ambulance, then the availability of an ambulance is unaffected and the service is dependable. The backup or spare ambulance is kept idle until an ambulance breaks down and so it is said to be redundant. This is costly but is needed to ensure a reliable service; a point often overlooked by management when they want to cut costs.