No standard adequately addresses instrument failure modes for security and safety

Sept. 5, 2017

The Namur NE43 standard gives guidance on how a sensor fault can be indicated to a control system by means of the 4-20mA signal. However, it doesn’t address cyber security considerations.

Recently, the Automation & Control Engineering Linkedin site asked the following question: Instrument Failure Mode- Fail High or Fail Low- Which Standard Covers This? Namur NE43 provides guidance on how a sensor fault can be indicated to a control system by means of the 4-20mA signal. Namur 43 defines a sensor fault when the current is below 3,6 mA or above 21 mA. According to Namur 43, process control systems such as PLCs or DCSs can identify faulty sensors, and production can be adjusted or stopped to avoid production loss or off-spec product. However, Namur 43 does not identify a sensor to be faulted if it is still in the 4-20maA range even if the sensor is no longer working. There have been several cases where 4-20 mA sensors have failed within the 4-20 mA range but were not identified as failures. Additionally, there have been cases when the sensors haven’t failed yet logic set them to failed conditions. The Bellingham, WA Olympic Pipeline rupture identified in http://www.controlglobal.com/blogs/unfettered/insecure-process-sensors-can-create-safety-security-and-resilience-vulnerabilities/ demonstrates how setting sensor values to a fixed "failed" condition can lead to Loss of Safety. Because there is a lack of authentication and cyber security in the process sensors and sensor protocols such as HART, Wireless HART, Profibus, and Fieldbus are cyber vulnerable, the existing approach set forth in Namur 43 may not be safe. As I am not aware of any cyber security or safety standard that addresses the impact of process sensor (4-20mA analog or digital) cyber security and safety, sensors will be a significant point of discussion at the October 23-26 ICS Cyber Security Conference in Atlanta.

Joe Weiss