Remotely actuated control functions

Part of the document Bsi bs en 60730 1 2016 (pages 215 - 219)

H.11.12.4.1.1 General

Remotely actuated control functions may be connected to separate, independent devices, which may themselves contain control functions or provide other information. Any data exchange between these devices shall not compromise the integrity of class B control function or class C control function.

H.11.12.4.1.2 Type of data

Message types for data exchange in a control function or functions shall be allocated to class A control function, class B control function or class C control function. Regarding the safety or protective relevance or influence, message types or data exchange shall be allocated only to class B control function or class C control functions, see Table H.10.

Table H.10 – Data exchange

Data: Operating data
  Safety relevant: Messages such as “RESET from safe state”
  Non safety relevant: Messages such as on/off instructions, room temperature information

Data: Configuration parameters
  Safety relevant: Messages modifying parameters that determine related class B control function or class C control function
  Non safety relevant: Messages modifying parameters that determine performance related functions

Data: Software modules
  Safety relevant: Modules downloaded into a system, that determine related class B control function or class C control function
  Non safety relevant: Modules downloaded into a system, that determine performance related functions

H.11.12.4.1.3 Communication of safety related data

H.11.12.4.1.3.1 Transmission

Safety relevant data shall be transmitted authentically concerning:

– data corruption;

– address corruption;

– wrong timing or sequence.

Data variation or corrupted data shall not lead to an unsafe state. Before the use of transmitted data, it shall be ensured that the above items are addressed using the measures as given in Annex H of the same or higher software class used by that function.

Compliance is checked by assessment according to Annex H.

NOTE 1 Special attention is drawn to Table H.1, component 6, with regard to the following items:

- data deletion from the original message;

- data insertion into the original message;

- corruption of the data in the original message;

- change in sequence of data in the original message;

- make a non-authentic message look like an authentic message;

- incomplete address;

- corruption of the address of the original message;

- wrong address;

- more addresses;

- receive message more than once;

- delay in transmitting or receiving the message;

- wrong sequence of sending/receiving.

In addition to the items in Note 1, the following failure modes shall be addressed:

– permanent “auto-sending” or repetition;

– interruption of data transfer.

NOTE 2 Additional examples of measures are given in Table H.11.

H.11.12.4.1.3.2 Access to data exchange

All types of access to class B control function or class C control function related data exchange systems shall be clearly restricted.

Table H.11 – Examples of defences against unauthorised access and transmission failure modes

Defences (columns of the original table): Sequence number; Time stamp; Time-out; Feedback message; Sourced destination identifier; Identification procedure; Safety code; Cryptographic techniques.

Threats (rows) and the defences marked “x” against each:

– Repetition of a message: Sequence number; Time stamp

– Deletion of data in message: Sequence number

– Insertion of data in message: Sequence number; Feedback message; Sourced destination identifier; Identification procedure

– Changed sequence of data in message: Sequence number; Time stamp

– Corrupted data in message: Safety code (a); Cryptographic techniques

– Delay in sending / receiving the message: Time stamp; Time-out

– Masquerade, making an inauthentic message look like an authentic message: Feedback message; Identification procedure; Cryptographic techniques

Examples of defences against unauthorized access can also be found in the applications covered by EN 50159 (2011).

a See Table H.1, items 6.1 and 6.2.
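The following is an added worked example, not text or code from the standard: a minimal safety-message frame that combines several Table H.11 defences (sequence number, time stamp with a time-out, sourced destination identifier, and a keyed safety code) and a receiver that rejects each transmission failure mode of H.11.12.4.1.3.1 with a named reason. The frame layout, the shared key, the identifiers and the 500 ms time-out are constructed assumptions; a truncated HMAC-SHA256 stands in for whatever safety code or cryptographic technique the product actually uses.

```python
"""Safety-message framing and receive-side checks (constructed example, not from the standard)."""
import hashlib
import hmac
import struct

# Constructed values: a real control would provision its own key and identifiers.
KEY = b"constructed-demo-key-not-for-production"
HEADER = struct.Struct(">HHIQ")   # source id, destination id, sequence number, time stamp (ms)
MAC_LEN = 8                        # truncated HMAC-SHA256 used as the "safety code"
MAX_AGE_MS = 500                   # time-out: older messages count as delayed
MY_ID, PEER_ID = 0x0002, 0x0001


def build_frame(src, dst, seq, ts_ms, payload, key=KEY):
    """Sender side: header + payload protected by a keyed safety code."""
    body = HEADER.pack(src, dst, seq, ts_ms) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


class SafetyReceiver:
    """Accepts a frame only if every check passes; otherwise names the failure mode."""

    def __init__(self, my_id, peer_id, key=KEY):
        self.my_id, self.peer_id, self.key = my_id, peer_id, key
        self.expected_seq = 0

    def accept(self, frame, now_ms):
        if len(frame) < HEADER.size + MAC_LEN:
            return None, "truncated"
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        # Safety code / cryptographic check first: corrupted or forged frames never reach the
        # address and sequence logic, so those fields can be trusted afterwards.
        if not hmac.compare_digest(tag, expect):
            return None, "corrupted or masqueraded"
        src, dst, seq, ts = HEADER.unpack_from(body)
        if dst != self.my_id or src != self.peer_id:
            return None, "wrong address"
        if seq < self.expected_seq:
            return None, "repetition"
        if seq > self.expected_seq:
            return None, "deletion or resequencing"
        if now_ms - ts > MAX_AGE_MS:
            return None, "delay"
        self.expected_seq = seq + 1
        return body[HEADER.size:], "ok"


def run_scenario():
    """Drive the receiver through one good frame and each failure mode; return the reasons."""
    rx = SafetyReceiver(MY_ID, PEER_ID)
    out = []
    f0 = build_frame(PEER_ID, MY_ID, 0, 1000, b"ON")
    out.append(rx.accept(f0, 1100)[1])                      # fresh, in sequence -> ok
    out.append(rx.accept(f0, 1150)[1])                      # same frame again -> repetition
    out.append(rx.accept(build_frame(PEER_ID, MY_ID, 2, 1200, b"OFF"), 1300)[1])  # seq 1 missing
    f1 = build_frame(PEER_ID, MY_ID, 1, 1200, b"OFF")
    out.append(rx.accept(f1, 2000)[1])                      # 800 ms old -> delay
    out.append(rx.accept(f1, 1300)[1])                      # same frame, on time -> ok
    bad = bytearray(build_frame(PEER_ID, MY_ID, 2, 1400, b"ON"))
    bad[-MAC_LEN - 1] ^= 0x01                               # flip one payload bit
    out.append(rx.accept(bytes(bad), 1450)[1])              # safety code fails
    out.append(rx.accept(build_frame(0x0009, MY_ID, 2, 1400, b"ON"), 1450)[1])   # unknown source
    out.append(rx.accept(build_frame(PEER_ID, MY_ID, 2, 1400, b"ON", key=b"guess"), 1450)[1])
    return out


if __name__ == "__main__":
    for reason in run_scenario():
        print(reason)
```

The order of the checks matters: the keyed code is verified before the header is parsed, so a corrupted address or sequence number is reported as corruption rather than being acted on. A delayed frame does not advance the expected sequence number, so a timely retransmission of the same frame is still accepted.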

H.11.12.4.1.3.3 Revision of Class B and Class C software

Requirements of H.11.12.3 shall apply to class B and class C software revisions. In addition, hardware configuration management shall be required, and measures shall be taken to ensure the control maintains its protective functions in accordance with this standard.

NOTE Hardware configuration management is meant to be in addition to software verification in order to maintain the integrity of the control. System level implications are taken into consideration.

H.11.12.4.1.4 For remotely actuated control function operation, the duration or limits of operation shall be set before switching on, unless an automatic switching off is realized at the end of a cycle or the system is designed for permanent operation.

For class B control function or class C control function related operating data, configuration parameters and/or software modules are allowed to be transmitted via communication, if adequate hardware/software measures are taken to prevent unauthorized access to the control function. Examples of such measures are given in Table H.11.

For access to data exchange of class B control function or class C control function related operating data through public networks, appropriate cryptographical techniques shall be implemented. See H.11.12.4.5.

NOTE Aspects concerning security are found under the work of ISO/IEC JTC 1/SC 27 (TC 205).


Compliance is checked by software inspection.

H.11.12.4.2 Care shall be taken that priority over control functions shall not lead to a hazardous condition.

Compliance is checked by inspection.

H.11.12.4.3 Remote reset action

H.11.12.4.3.1 The remote reset action shall be manually initiated. When the reset function is initiated by a hand-held device at least two manual actions are required to activate a reset.

NOTE The two manual actions are considered to be discrete and separate.

H.11.12.4.3.2 Reset functions shall be capable of resetting the system as intended.

H.11.12.4.3.3 Unintended resets from safe state shall not occur.

H.11.12.4.3.4 Any fault of the reset function shall not cause the control or controlled function to result in a hazardous condition, and shall be evaluated for its Class B classification.

H.11.12.4.3.5 For reset functions initiated by manual action not in visible sight of the appliance, the following additional requirements apply:

– the actual status and relevant information of the process under control shall be visible to the user before, during and after the reset action;

– the maximum number of reset actions within a time period shall be declared (for example, 5 actions within a time span of 15 min). Following this, any further reset shall be denied unless the appliance is physically checked.

H.11.12.4.3.6 Consideration for the evaluation of reset functions on the final application

The reset function shall be evaluated on the final application.

NOTE Not all types of remote reset functions may be found suitable for some applications.

If the reset is activated by manual switching of a thermostat or device with similar function, this shall be declared by the manufacturer and be suitable in the final application.
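As an added example (not from the standard), the following gate implements the remote reset rules of H.11.12.4.3 in one place: two discrete manual actions (an arming action followed by a confirmation), a declared limit of 5 reset actions within 15 min, and denial of any further reset until the appliance has been physically checked. The 10 s arming time-out and the `status()` summary offered to the user are constructed assumptions; the reset itself is left to the application.

```python
"""Remote-reset gating per H.11.12.4.3 (constructed example, not from the standard)."""
from collections import deque


class RemoteResetGuard:
    def __init__(self, max_resets=5, window_s=15 * 60, arm_timeout_s=10):
        self.max_resets = max_resets          # declared maximum (5 actions ...)
        self.window_s = window_s              # ... within 15 min
        self.arm_timeout_s = arm_timeout_s    # assumed: second action must follow promptly
        self.history = deque()                # times of performed resets inside the window
        self.armed_at = None
        self.locked = False                   # set once the limit is hit; cleared by physical check

    def arm(self, now_s):
        """First of the two discrete manual actions."""
        self.armed_at = now_s

    def confirm(self, now_s):
        """Second manual action. Returns (performed, reason)."""
        if self.armed_at is None:
            return False, "not armed"
        armed_at, self.armed_at = self.armed_at, None   # each confirmation consumes the arming
        if now_s - armed_at > self.arm_timeout_s:
            return False, "arming expired"
        if self.locked:
            return False, "locked until physical check"
        while self.history and now_s - self.history[0] > self.window_s:
            self.history.popleft()                       # forget resets older than the window
        if len(self.history) >= self.max_resets:
            self.locked = True
            return False, "reset limit exceeded; physical check required"
        self.history.append(now_s)
        return True, "reset performed"

    def physical_check(self):
        """Recorded on-site inspection: lifts the lockout and restarts the count."""
        self.locked = False
        self.history.clear()

    def status(self, now_s):
        """Information shown to the user before, during and after a reset action."""
        recent = sum(1 for t in self.history if now_s - t <= self.window_s)
        return {"resets_in_window": recent, "remaining": max(self.max_resets - recent, 0),
                "locked": self.locked}


if __name__ == "__main__":
    g = RemoteResetGuard()
    for i in range(6):
        g.arm(i * 60)
        print(i, g.confirm(i * 60 + 1), g.status(i * 60 + 1))
```

Because the arming is consumed by every confirmation, a single stuck or repeated confirmation cannot be mistaken for the second manual action, and the lockout persists across the time window until `physical_check()` is called.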

H.11.12.4.4 Software download and installation

H.11.12.4.4.1 Software updates provided by the manufacturer and transmitted to the control via remote communication shall be checked prior to their use:

– against corruption through communication ensuring Hamming distance 3 for software class B, or Hamming distance 4 for software class C. (Refer to Table H.1 for external communication.);

– if the software version is compatible with the hardware version of the control according to the version management documentation.

Additionally, the software which performs the above mentioned checks shall contain measures to control the fault/error conditions specified in H.11.12.2.

H.11.12.4.4.2 In case of software download via remote communication, the cryptographic techniques in H.11.12.4.5 shall be provided. In addition to the requirements in H.11.12.4.5, identification procedures shall also be provided for the software packages.


The cryptographic techniques employed shall be part of the control, and not rely upon part of the router or similar data transmission device itself, and shall be performed prior to transmission.

H.11.12.4.4.3 For each update of software, the control shall have provisions for authorization by the user and a version ID number which shall be accessible.

H.11.12.4.4.4 The installation of class B software or class C software is permitted when during and after the software installation process the control remains in compliance with the requirements of this standard.

Compliance is checked by software inspection.
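The following added example (constructed for this page, not the standard's own procedure) sketches the acceptance checks of H.11.12.4.4 in the order a control would apply them: user authorization (H.11.12.4.4.3), a transport-level integrity check against corruption (H.11.12.4.4.1), an identification check of the package performed inside the control (H.11.12.4.4.2), and the version compatibility check against the version management documentation, with the installed version ID kept accessible. Assumptions: CRC-32 is used as the corruption check and, following Koopman's published CRC tables, is assumed to keep Hamming distance 4 only up to 91 607 bits, so the package length is bounded accordingly; HMAC-SHA256 with a constructed key stands in for the manufacturer's actual cryptographic technique; the package layout and the `COMPATIBILITY` table are invented.

```python
"""Acceptance checks for a remotely delivered software update (constructed example)."""
import hashlib
import hmac
import json
import struct
import zlib

UPDATE_KEY = b"constructed-update-key"      # stands in for the manufacturer's signing key
CRC32_HD4_MAX_BYTES = 91607 // 8            # assumed bound for CRC-32 Hamming distance 4 (Koopman)
MAC_LEN = 32
# Stand-in for the version management documentation: software majors each hardware revision accepts.
COMPATIBILITY = {"HW-A1": {1, 2}, "HW-A2": {2, 3}}


def make_package(meta, image, key=UPDATE_KEY):
    """Manufacturer side: [len][json meta][image][crc32] followed by the identification tag."""
    header = json.dumps(meta, sort_keys=True).encode()
    body = struct.pack(">I", len(header)) + header + image
    body += struct.pack(">I", zlib.crc32(body))            # corruption check for the transmission
    return body + hmac.new(key, body, hashlib.sha256).digest()


class UpdateController:
    def __init__(self, hw_revision, product, key=UPDATE_KEY):
        self.hw_revision, self.product, self.key = hw_revision, product, key
        self.installed_version = None                      # version ID accessible after install

    def check(self, package, user_authorized):
        """Return (meta, 'ok') when the package may be installed, else (None, reason)."""
        if not user_authorized:
            return None, "no user authorization"
        if len(package) < 8 + MAC_LEN:
            return None, "truncated"
        body, tag = package[:-MAC_LEN], package[-MAC_LEN:]
        if len(body) > CRC32_HD4_MAX_BYTES:
            return None, "too long for CRC-32 Hamming distance 4"
        crc_body, crc = body[:-4], struct.unpack(">I", body[-4:])[0]
        if zlib.crc32(crc_body) != crc:
            return None, "corrupted in transit"
        # Identification of the package is done in the control itself, not by the router.
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None, "package not authentic"
        hlen = struct.unpack(">I", crc_body[:4])[0]
        meta = json.loads(crc_body[4:4 + hlen])            # authentic now, so safe to parse
        if meta.get("product") != self.product:
            return None, "wrong product"
        major = int(meta["version"].split(".")[0])
        if major not in COMPATIBILITY.get(self.hw_revision, set()):
            return None, "incompatible with hardware revision"
        return meta, "ok"

    def install(self, package, user_authorized):
        meta, reason = self.check(package, user_authorized)
        if meta is not None:
            self.installed_version = meta["version"]
        return reason


if __name__ == "__main__":
    ctl = UpdateController("HW-A1", "boiler-ctl")
    pkg = make_package({"product": "boiler-ctl", "version": "2.1"}, b"\x00" * 64)
    print(ctl.install(pkg, user_authorized=True), ctl.installed_version)
```

The CRC is checked before the identification tag only because it is cheaper; the metadata is parsed only after the tag has verified, so a corrupted or foreign package never influences the compatibility decision.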

H.11.12.4.5 Cryptographical techniques

In cases where class B control function or class C control function related operating data, configuration parameters and/or software modules are transmitted over a public network, and/or where software updates are provided by the manufacturer via remote communication, cryptographic techniques shall be employed.

Compliance is checked by software inspection and review of technical documentation which demonstrates adherence to the commonly accepted data integrity protection methods.

NOTE Examples of commonly accepted cryptographic techniques are defined and described in ISO/IEC 9796, ISO/IEC 9797, ISO/IEC 9798, ISO/IEC 10118, ISO/IEC 11770, ISO/IEC 14888, ISO/IEC 15946, ISO/IEC 18033, ISO/IEC 29192, as well as ISO/IEC 19772.
