9th IFAC Conference on Manufacturing Modelling, Management and Control
Berlin, Germany, August 28-30, 2019
Available online at www.sciencedirect.com
ScienceDirect
IFAC PapersOnLine 52-13 (2019) 1391–1396

“Safety management system” and Significant Plants of Critical Information Infrastructure

Andrey Kalashnikov*, Ekaterina Sakrutina**

*, ** V.A. Trapeznikov Institute of Control Sciences, 65 Profsoyuznaya, Moscow 117997, Russia
(e-mail: [email protected], [email protected])

Abstract: Increasing safety has always been one of the main priorities for significant plants of critical information infrastructure. Under the conditions of intensive development and putting into operation of information technologies, particular attention is paid to issues of providing safety. One of the solutions is creating the information and analytical system “Safety management system”, which implements monitoring of safety information on the basis of system regularities. In the paper, important functions of the “Safety management system” are considered with respect to the timely identification of threats and vulnerabilities. Putting such systems into operation in the significant plants of critical information infrastructure will increase the performance safety of engineering plants.

Copyright © 2019 IFAC

Keywords: safety management, safety event, event model, risk, critical information infrastructure, significant plant of critical information infrastructure.

2405-8963 © 2019, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2019.11.393

1. INTRODUCTION

Under the conditions of intensive development and putting into operation of information technologies, particular attention is paid to issues of providing the safety of critically important plants that involve large hydroengineering constructions, power engineering plants (involving nuclear power engineering), idle chemical manufacturing, transportation nodes, etc. (Hashemian and Feltus, 2006; Jharko, 2008; Tsegaye and Flowerday, 2014; Hamida et al., 2015; Wang, 2016; Mononen and Leviäkangas, 2016; Gnonia and Salehb, 2017; Jharko, 2017; PandaLabs, 2018). Advanced enterprises in their development have crossed an invisible line separating the world of machines and aggregates from the virtual world of computer programs, having been transformed, in essence, into cyberphysical systems, where computer code instructions control physical world plants. These cyberphysical systems are built by use of advanced IT technologies and unite with each other and with the external cyber-world by use of wired and wireless communication channels. This greatly simplifies their effective use and development but, simultaneously, makes them vulnerable to the threat of computer attacks (Critical Infrastructure, 2016; Critical Infrastructure Protection, 2016).

A danger that introducing cyberphysical technologies brings to the technological process and equipment is increasingly recognized by information security specialists. However, solving the cyber protection problem of industrial enterprises, in the opinion of the majority of the people involved in or associated with the process, is proceeding extremely slowly. As a rule, meanwhile, one indicates different reasons and factors complicating and moderating the motion in the direction of industrial plant protection, or being an obstacle for such a motion at all.

Violation of the regular performance of such plants may lead to severe consequences. The totality of critically important plants forms the entity of the notion of the critically important infrastructure. For successful implementation of measures for critically important infrastructure protection, one needs to solve many problems, one of which is concerned with creating a system of monitoring safety threats, whose main purpose is reducing the impact to a minimal risk level and minimizing the resulting damage. One of the solutions is creating the information and analytical system “Safety management system” (Labaka et al., 2015; Jharko and Sakrutina, 2017; Banda and Goerlandt, 2018; Kalashnikov and Sakrutina, 2018a, 2018b; Li and Guldenmund, 2018; Wahlström, 2018; Jun and Mingguang, 2019), which implements monitoring of safety information on the basis of system regularities.

Computer attacks on the information-technological structure of a plant, which drive its technological parameters outside the set normative limits, may cause abnormal situations with severe and even catastrophic consequences. For successful implementation of protection measures for significant plants of critical information infrastructure (SPCII), a number of problems need solving, among which the safety threat monitoring system is the main one. In the last years, the system causes of many accidents at SPCII have led to a considerable increase of interest in the procedures of risk identification and control (Sakrutina, 2017), as well as in the development of proactive models. The main emphasis in proactive models is on preventing the appearance of accident threats (dangerous events) by revealing dangerous factors and undertaking measures to decrease the risk. Proactive models provide an evaluation of the risk potential of the factors revealed before an accident appears and influences the SPCII performance.

Developing the information and analytical system “Safety management system” in plants of critical information
infrastructure, involving nuclear power engineering as well, is implemented in the direction of achieving a high level of the quality and profitability and is characterized by the growth of the technical equipment and complexity of processes. The high requirements on the safety define the necessity of applying and improving automated tools and systems of diagnosing, timely detecting faults in technological processes (threats, danger factors) prevent their consequences and decrease losses of time, material, financial, and other sources. The faults understood as non-conformities to assigned
technologies are conditioned by different objective and subjective causes. Diagnostics and monitoring techniques applied in the power engineering are mainly directing to increasing the safety and providing the performability of engineering equipment and are not sufficiently oriented to detecting faults in the activity sphere that provide the profitability. Plants analysis in the full sense shows that known diagnostic techniques become noneffective to detect faults in processes; and new approaches are needed, involving the development of danger factors identification methods.
Fig. 1. Evaluation of the safety status on the basis of the factor analysis.

2. PROPERTIES OF THE “SAFETY MANAGEMENT SYSTEM” IN THE POWER ENGINEERING

Increasing safety has always been one of the main priorities for power engineering plants. Nevertheless, due to the development of conventional power engineering and the persisting probability of accidents of different kinds, the opinion is present in the international community that conventional reactive approaches to decreasing the risk may be insufficient. In recent years, the systemic causes of many accidents in power engineering have led to increased interest in procedures of verification and risk management, as well as in developing safety control systems in power engineering that have three main characteristics:

Systemacy – measures on safety control are implemented by a developed Safety Program and are applied consistently;

Proactivity – an approach under which the main accent is placed on preventive measures, revealing dangerous factors and undertaking measures to decrease the risk before a dangerous event occurs and unfavourably influences the safety status;

Clearness – measures on safety control are to be documented, evident, and implemented separately from other kinds of control activity.
In papers devoted to safety control systems (Hsu, 2008; Liou et al., 2008; Ding et al., 2015; Li et al., 2018), predictions of the influence of different factors on safety are constructed by approximating statistical data and expert evaluations, but direct mathematical modelling of the organizational mechanisms is not implemented. Performing a safety control system in power engineering is to be a closed cycle of subsequently implemented operations: revealing risk factors, evaluating the danger degree of the risk factors revealed, elaborating variants of actions on localizing the risk factors, informing regulatory organs and decision support, and analysing the efficiency of the measures undertaken. Fig. 1 displays a schematic of the safety status evaluation by the factor analysis, where the methodology of the Deming-Shewhart cycle (PDCA) is applied for persistent safety improvement. The proposed approach to constructing the SMS is based on monitoring the system efficiency, which in turn is based on identified critical safety parameters (CSP) (Kalashnikov and Sakrutina, 2018a, 2018b) important for planning, monitoring, evaluating, and modifying requirements to the SMS. Fig. 2 displays the scheme of the monitoring performance on the basis of the PDCA methodology.
Fig. 2. Monitoring performance scheme.

The common corporate approach to safety is intended to implement persistent improvement of a safety system and pursues the following primary goals:

Operative and persistent decreasing of the residual system risk (see Fig. 3 – two connected types of events are brought to the first line: accidents and vulnerabilities that are covered by the safety policy through the use concept and implementation drift);

Evaluation of the actual applicability and real efficiency of the safety policy in order to persistently improve it.

Fig. 3. Relationship of residual risks.

Such an approach, which considerably depends on using traces available in different components of an information system, is unavoidably organized around the view of an “event model”, and can be associated with the PDCA model that is conventionally used in quality and safety analysis. Thus, in the first turn, this assumes implementing the “Check” step of the PDCA model by very detailed knowledge of threats and vulnerabilities.
Recent trends in the safety branch show that considerable progress can be achieved within several years by putting into operation the information and analytical system “Safety management system” on the scale of the nuclear power engineering plant as a whole. Analysis and evaluation of risks are impossible without understanding the properties of the power engineering safety control system. Concerning the power engineering system, this totality involves such elements as hardware tools, software, supervisory control potential, ergonomics, biomechanics, and the human factor. Safety risk management is not a linear process in which one component influences the next one. Safety risk management is a multi-directed cyclic process in which practically all components can act and do act on each other. There exists a direct interconnection between organization purposes and the components of the risk management process, these being the actions needed to achieve them. This interconnection is represented by the three-dimensional matrix (see Fig. 4).
Fig. 4. The interaction between the purposes and components of the risk management process.

3. DANGERS IDENTIFICATION AND USED METHODS

Event – this is an event (accident, incident, alarm) having an internal or external source with respect to the organization and influencing the achievement of the goals set. The influence of events may be positive, negative, or mixed. Events negatively influencing the organization's activity are the risks. A risk may be defined as potential damage, involving unsafe actions and/or conditions that may end in particular situations of any classification. A risk is a specifying notion of danger and is considered as an event danger degree and event appearance frequency (event probability, the absolute quantity of incidents of different kinds). Determining risks concerning safety is the initial stage of risk management, at which the identification of threats and their analysis are implemented. The purpose of the danger identification and risk analysis process is to simplify the development of control decision making to prevent possible risks. By their character, methods of revealing danger factors can be implemented by use of the following strategies:

Retroactive – a strategy that assumes reacting to events/accidents by undertaking measures directed at preventing their repetition in the future. The retroactive strategy assumes receiving and analysing data on accidents, engineering faults, events, etc.

Proactive – a strategy under which the main accent is placed on revealing danger factors and undertaking measures to remove them before an event that can negatively affect safety indexes appears. Under this strategy, active information sampling from different sources is implemented. The risk of accident appearance can be reduced to a minimum by revealing vulnerability features before they manifest themselves.

Prognostic – a strategy based on revealing potential danger factors in previous manufacturing activity and developing measures to prevent their manifestation. In essence, prognostic systems of sampling safety data are statistical systems collecting and analysing a considerable volume of adequate data that, per se, have no critical meaning. Then, the data obtained are united with the data of the retroactive and proactive systems of sampling safety information.

The safety level evaluation is implemented by forming situation evaluation indexes, accounting for the divisions responsible for event appearance, the predicted accident types, and the number of factors influencing these events.

4. EVALUATION OF SAFETY RISKS

The purpose and primary result of the analysis and evaluation of risks are developing correcting and/or preventing measures/actions to keep at an acceptable level the risks of potential consequences of acting danger factors.
The most informative analysis of power engineering plant performance in the branch of safety assurance is the multivariate principle of processing statistical data by applying expert conclusions. Dangers in the risk management system are documented and monitored. The volume and content of the safety identification function cover all manufacturing activity; meanwhile, data sampling is implemented on retroactive, proactive, and prognostic schemes. To determine the effect of applying the risk management process and the correctness of preventive measures, persistent risk monitoring is to be implemented. The appearance of a particular situation is nothing but a manifestation of risks and dangers. To implement the multivariate system analysis, one needs to have a notion of the kind of the particular situation, so that events can be classified according to the severity of their consequences.
Events are classified by the gradation of influence on safety and by correspondence to the types of particular situations. To systematize the danger identification process and to evaluate the event risk degree, the risk matrix is applied, which has the categories of particular situations defined in accordance with the frequency of appearance of situations of a given kind, and classes of particular situations in accordance with a categorization adopted for each power engineering plant type. The risk degree is a parameter defining the measures of action to prevent a situation. Each risk degree is to have a corresponding action developed, oriented to decreasing the risk degree of appearance of particular situations of the given kind. Thus, an event that has appeared can be evaluated by the risk index corresponding to the category, class, and degree of the risk. The sense of using the risk degree is that different events may be equal in risk degree but different in their danger and have different appearance probabilities. Identification is the first and one of the primary stages of safety risk analysis. Risks whose existence or properties are not known are impossible to control. So, the problem of detecting all risks is of extreme importance (A Guide…, 2013). In essence, safety risk identification reduces to revealing possible problems. In the given case, as a “problem” one can understand something that can stand between the organization operating the power engineering plant and its purposes in the safety branch. In other words, one should define in advance what can go “not correctly”, so as to find subsequently how to remove or avoid the danger revealed. Safety risk identification is a process of finding, composing a list of, and describing risk elements. The main risk elements are:

Causes that lead to the appearance of a dangerous phenomenon;

Types of actions that can lead to changing the safety level;

Consequences, being losses due to the action, and their evaluation by the subject;

Risk factors that influence the probability of risk realization and the severity of consequences.
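The risk index described above (category by appearance frequency, class by consequence severity, degree read from the risk matrix cell, with an action tied to each degree), as an added illustration that is not the paper's own code. The frequency thresholds, class names and matrix cells are constructed sample values; the paper leaves them to be defined per plant type.

```python
"""Risk matrix and risk index for an SMS (added example, constructed values)."""
from dataclasses import dataclass

# Constructed frequency categories: incidents of a given kind per year,
# as (label, lower bound inclusive, upper bound exclusive).
FREQUENCY_CATEGORIES = [
    ("rare", 0, 1),
    ("occasional", 1, 5),
    ("frequent", 5, 20),
    ("continuous", 20, float("inf")),
]
# Constructed consequence classes, least to most severe.
CONSEQUENCE_CLASSES = ["negligible", "marginal", "critical", "catastrophic"]
# Constructed risk matrix: rows follow FREQUENCY_CATEGORIES, columns follow
# CONSEQUENCE_CLASSES; a cell is the risk degree (1 = lowest, 4 = highest).
RISK_MATRIX = [
    [1, 1, 2, 3],  # rare
    [1, 2, 3, 4],  # occasional
    [2, 3, 4, 4],  # frequent
    [3, 4, 4, 4],  # continuous
]
# One action per degree, as the text requires (constructed wording).
ACTIONS = {
    1: "accept and monitor",
    2: "plan a corrective measure",
    3: "corrective measure before the next operating period",
    4: "stop the process until the danger factor is localized",
}


@dataclass(frozen=True)
class SafetyEvent:
    """A recorded event together with the risk elements listed above."""
    name: str
    incidents_per_year: float
    consequence_class: str
    cause: str                      # cause leading to the phenomenon
    action_type: str                # type of action changing the safety level
    risk_factors: tuple = ()        # factors affecting probability/severity


def frequency_category(rate):
    """Map an observed incident rate onto its frequency category."""
    for label, low, high in FREQUENCY_CATEGORIES:
        if low <= rate < high:
            return label
    raise ValueError(f"rate {rate} is outside every frequency category")


def risk_index(event):
    """Return (category, class, degree): the event's risk index."""
    if event.consequence_class not in CONSEQUENCE_CLASSES:
        raise ValueError(f"unknown consequence class {event.consequence_class!r}")
    category = frequency_category(event.incidents_per_year)
    row = [c[0] for c in FREQUENCY_CATEGORIES].index(category)
    col = CONSEQUENCE_CLASSES.index(event.consequence_class)
    return category, event.consequence_class, RISK_MATRIX[row][col]


def required_action(event):
    """The action developed for the event's risk degree."""
    return ACTIONS[risk_index(event)[2]]


def same_degree_different_danger(a, b):
    """True when two events share a risk degree but differ in frequency
    category or consequence class, the case the text points out."""
    ia, ib = risk_index(a), risk_index(b)
    return ia[2] == ib[2] and ia[:2] != ib[:2]


def prioritize(events):
    """Order events by risk degree, then consequence class, highest first."""
    key = lambda e: (risk_index(e)[2], CONSEQUENCE_CLASSES.index(e.consequence_class))
    return sorted(events, key=key, reverse=True)
```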
The organization of the safety risk identification process requires answering many questions that, in particular, involve:

Which information should be collected;

Information sources;

Systematization/structuring and storage of information;

Input information analysis.
The identification process frequently reduces to determining the so-called “risk exposure”. The risk exposure (Labaka et al., 2015; Kalashnikov and Sakrutina, 2018a, 2018b) is a “unit” of accounting risks, which is set by the following parameters:

The plant that can be damaged;

The subject that will have losses due to damaging the given plant as a result of the appearance of the given event;

Subject losses caused by damaging the given plant as a result of the appearance of the indicated event.

For the full risk exposure description, one should determine all the parameters. It is worthwhile to note that changing at least one of the parameters denotes changing the risk exposure. As a result of the safety risk identification process, a risk list will contain:

A list of potential actions on correcting measures;

Primary causes of the risk appearance;

Specification of the risk category.

Input information (data on alarms/incidents) is the critical element of the safety control system. Indeed, from data on alarms/incidents one can obtain safety indexes and quantitative risk evaluations. However, the quality of the data on alarms/incidents available in organization databases may influence the results (i.e., the result of the analysis will be restricted by the quality of the data sets available). This problem worsens under an attempt to aggregate the databases of different organizations.

5. CONCLUSIONS

The analysis and risk evaluation of the operation of significant plants of the critical information infrastructure are impossible without understanding the whole totality of systems of significant plants, involving such elements as hardware, software, ergonomics, and the human factor (Jharko and Sakrutina, 2018; Kalashnikov and Sakrutina, 2018a, 2018b). The integrity of this system is that its properties cannot be reduced to the simple sum of its subsystems, and exclusion of one of them leads to a violation of the system performance. Putting into operation information and analytical systems “Safety management system” in significant plants of the critical information infrastructure provides the timely identification of dangers and vulnerabilities, as well as risk evaluation, and hence will simplify developing control solutions to prevent the appearance of events influencing safety. The systemic approach to the early detection of dangers and vulnerabilities is the vital component of safety assurance for significant plants of critical information infrastructure. Performing the “Safety management system” within the make-up of upper-level systems of significant plants of critical information infrastructure enables one to provide normal plant operation and preserve critical safety parameters within operation limits.

REFERENCES
Banda, O.A.V. and F. Goerlandt (2018). A STAMP-based approach for designing maritime safety management systems, Safety Science, vol. 109, pp. 109-129.
Critical Infrastructure: Cyber-attacks on the backbone of today's economy. PandaSecurity. (2016).
Critical Infrastructure Protection – Governance Around the World, Kaspersky Lab ICS CERT (2016).
Ding, C.G., Lin, H.-R., Wu, C.-H., and T.-D. Jane (2015). Using LGM analysis to identify hidden contributors to risk in the operation of a nuclear power plant, Safety Science, vol. 75, pp. 64-71.
Gnonia, M.G. and J.H. Salehb (2017). Near-miss management systems and observability-in-depth: Handling safety incidents and accident precursors in light of safety principles, Safety Science, vol. 91, pp. 154-167.
A Guide to the Project Management Body of Knowledge: PMBOK(R) Guide. 5th Ed. Newtown Square, Pennsylvania: Project Management Institute. (2013).
Hamida, Y., Amine, B., and B. Mostafa (2015). Toward resilience management in critical information infrastructure, Proceedings of the 5th World Congress on Information and Communication Technologies (WICT), pp. 101-106.
Hashemian, H.M. and M.A. Feltus (2006). On-Line Condition Monitoring Applications in Nuclear Power Plants, NPIC&HMIT, Albuquerque, NM, USA, pp. 568-577.
Hsu, Y.-L. (2008). From reactive to proactive: using safety survey to assess effectiveness of airline SMS, Journal of Aeronautics, Astronautics and Aviation. Series A, vol. 40, no. 1, pp. 41-48.
Jharko, E. (2008). Design of Intelligent Information Support Systems for Human-Operators of Complex Plants, IFAC Proceedings Volumes, vol. 41, no. 2, pp. 2162-2167.
Jharko, E. (2017). Towards the problem of creating information operator support systems for nuclear power plants, Proceedings of the 2nd IEEE International Conference on Control in Technical Systems (CTS), pp. 356-359.
Jharko, E. and E. Sakrutina (2016). On creating safety control systems for high operation risk plants, Proceedings of 2016 International Siberian Conference on Control and Communications (SIBCON 2016), pp. 1-6.
Jharko, E. and E. Sakrutina (2017). Towards the Problem of Creating a Safety Management System in the Transportation Area, IFAC-PapersOnLine, vol. 50, no. 1, pp. 15610-15615.
Jharko, E. and E. Sakrutina (2018). Evaluation of Technical and Economic Indexes and Providing Normal Operation of Nuclear Power Plants, Proceedings of the 11th International Conference “Management of Large-Scale System Development” (MLSD). IEEE, pp. 1-5.
Jun, Sh. and Zh. Mingguang (2019). Framework and data management of digital design system for nuclear power, Annals of Nuclear Energy, vol. 124, pp. 418-425.
Kalashnikov, A. and E. Sakrutina (2018a). The Model of Evaluating the Risk Potential for Critical Infrastructure Plants of Nuclear Power Plants, Proceedings of the 11th International Conference “Management of Large-Scale System Development” (MLSD). IEEE, pp. 1-4.
Kalashnikov, A. and E. Sakrutina (2018b). Towards Risk Potential of Significant Plants of Critical Information Infrastructure, Proceedings of 2018 International Russian Automation Conference (RusAutoCon). IEEE, pp. 1-6.
Labaka, L., Hernantes, J., and J.M. Sarriegi (2015). Resilience framework for critical infrastructures: An empirical study in a nuclear plant, Reliability Engineering & System Safety, vol. 141, pp. 92-105.
Li, C.-Y., Wang, J.-H., Zhi, Y.-R., Wang, Z.-R., and J.-H. Gong (2018). Simulation of the Chlorination Process Safety Management System Based on System Dynamics Approach, Procedia Engineering, vol. 211, pp. 332-342.
Li, Y. and F.W. Guldenmund (2018). Safety management systems: A broad overview of the literature, Safety Science, vol. 103, pp. 94-123.
Liou, J.H., Yen, L., and G.H. Tzeng (2008). Building an effective safety management system for airlines, Journal of Air Transport Management, vol. 14, no. 1, pp. 20-26.
Mononen, P. and P. Leviäkangas (2016). Transport safety agency's success indicators – How well does a performance management system perform?, Transport Policy, vol. 45, pp. 230-239.
PandaLabs Annual Report, PandaSecurity. (2018).
Sakrutina, E. (2017). Some Functions of the “Safety management system” in the Transportation Area Safety Assurance, Proceedings of the IEEE International Siberian Conference on Control and Communications (SIBCON 2017), pp. 1-5.
Tsegaye, T. and S. Flowerday (2014). Controls for Protecting Critical Information Infrastructure from Cyberattacks, Proceedings of the World Congress on Internet Security (WorldCIS 2014), pp. 24-29.
Wahlström, B. (2018). Systemic thinking in support of safety management in nuclear power plants, Safety Science, vol. 109, pp. 201-218.
Wang, F., Wang Jiqun, Wang Jin, Li, Y., Hu, L., and Y. Wu (2016). Risk monitor riskangel for risk-informed applications in nuclear power plants, Annals of Nuclear Energy, vol. 91, pp. 142-147.