Skip to content

Commit

Permalink
Realign Safety decision points IEC 61508 (#439)
Browse files Browse the repository at this point in the history 
* add safety impact 2.0.0 to reflect IEC 61508 categories

* update human impact to reflect IEC 61508 change in safety impact

* update public safety impact to reflect IEC 61508 change in safety impact

* update mission and well being examples

unrelated to safety changes, this was just an update missed previously

* include prior versions in docs

* improve description strings for inclusion as markdown

* improve description strings for inclusion as markdown

* catch up generated docs

* minor doc edits for consistency
  • Loading branch information
@ahouseholder
ahouseholder authored Feb 7, 2024
1 parent 9f516b3 commit 524ad63
Show file tree
Hide file tree
Showing 19 changed files with 346 additions and 98 deletions.
29 changes: 29 additions & 0 deletions data/json/decision_points/human_impact_2_0_1.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{
"namespace": "ssvc",
"version": "2.0.1",
"key": "HI",
"name": "Human Impact",
"description": "Human Impact is a combination of Safety and Mission impacts.",
"values": [
{
"key": "L",
"name": "Low",
"description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
"description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
"description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
"description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
}
6 changes: 3 additions & 3 deletions data/json/decision_points/mission_and_well-being_impact_1_0_0.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,17 +8,17 @@
{
"key": "L",
"name": "Low",
"description": "Mission Prevalence Minimal and Public Well-Being Impact Minimal"
"description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
},
{
"key": "M",
"name": "Medium",
"description": "Mission Prevalence Support and Public Well-Being Impact Minimal or Material"
"description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
{
"key": "H",
"name": "High",
"description": "Mission Prevalence Essential or Public Well-Being Impact Irreversible"
"description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
]
}
19 changes: 19 additions & 0 deletions data/json/decision_points/public_safety_impact_2_0_1.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"namespace": "ssvc",
"version": "2.0.1",
"key": "PSI",
"name": "Public Safety Impact",
"description": "A coarse-grained representation of impact to public safety.",
"values": [
{
"key": "M",
"name": "Minimal",
"description": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
"description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
}
4 changes: 2 additions & 2 deletions data/json/decision_points/public_well-being_impact_1_0_0.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,12 @@
{
"key": "M",
"name": "Material",
"description": "(Any one or more of these conditions hold.) \n\n*Physical harm*: Does one or more of the following:\n\n- Causes physical distress or injury to system users.\n- Introduces occupational safety hazards.\n- Reduces and/or results in failure of cyber-physical system safety margins.\n\n*Environment*: Major externalities (property damage, environmental damage, etc.) are\nimposed on other parties. \n\n*Financial*: Financial losses likely lead to bankruptcy of multiple persons. \n \n*Psychological*: Widespread emotional or psychological harm, sufficient to necessitate\ncounseling or therapy, impact populations of people. \n"
"description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
},
{
"key": "I",
"name": "Irreversible",
"description": "(Any one or more of these conditions hold.)\n \n*Physical harm*: One or both of the following are true:\n\n- Multiple fatalities are likely.\n- The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed.\n\n*Environment*: Extreme or serious externalities (immediate public health threat, environmental damage leading to small\necosystem collapse, etc.) are imposed on other parties.\n\n*Financial*: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially\ncollapse.\n\n*Psychological*: N/A \n"
"description": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
}
]
}
29 changes: 29 additions & 0 deletions data/json/decision_points/safety_impact_2_0_0.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{
"namespace": "ssvc",
"version": "2.0.0",
"key": "SI",
"name": "Safety Impact",
"description": "The safety impact of the vulnerability. (based on IEC 61508)",
"values": [
{
"key": "N",
"name": "Negligible",
"description": "Any one or more of these conditions hold. Physical harm: Minor injuries at worst (IEC 61508 Negligible). Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
"key": "M",
"name": "Marginal",
"description": "Any one or more of these conditions hold. Physical harm: Major injuries to one or more persons (IEC 61508 Marginal). Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
"key": "R",
"name": "Critical",
"description": "Any one or more of these conditions hold. Physical harm: Loss of life (IEC 61508 Critical). Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
},
{
"key": "C",
"name": "Catastrophic",
"description": "Any one or more of these conditions hold. Physical harm: Multiple loss of life (IEC 61508 Catastrophic). Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
}
]
}
2 changes: 1 addition & 1 deletion docs/_generated/decision_points/human_impact.md
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
human_impact_2_0_0.md
human_impact_2_0_1.md
19 changes: 19 additions & 0 deletions docs/_generated/decision_points/human_impact_2_0_1.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
<!-- This content is autogenerated by doctools.py. Do not Edit. -->
!!! note "Human Impact v2.0.1"

=== "Text"

Human Impact is a combination of Safety and Mission impacts.

| Value | Definition |
|:-----|:-----------|
| Low | Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled) |
| Medium | (Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled)) |
| High | (Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure) |
| Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure |
=== "JSON"

```json
{% include "../../../data/json/decision_points/human_impact_2_0_1.json" %}
```
6 changes: 3 additions & 3 deletions docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@

| Value | Definition |
|:-----|:-----------|
| Low | Mission Prevalence Minimal and Public Well-Being Impact Minimal |
| Medium | Mission Prevalence Support and Public Well-Being Impact Minimal or Material |
| High | Mission Prevalence Essential or Public Well-Being Impact Irreversible |
| Low | Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal |
| Medium | Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material) |
| High | Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible) |
=== "JSON"

Expand Down
2 changes: 1 addition & 1 deletion docs/_generated/decision_points/public_safety_impact.md
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
public_safety_impact_2_0_0.md
public_safety_impact_2_0_1.md
17 changes: 17 additions & 0 deletions docs/_generated/decision_points/public_safety_impact_2_0_1.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
<!-- This content is autogenerated by doctools.py. Do not Edit. -->
!!! note "Public Safety Impact v2.0.1"

=== "Text"

A coarse-grained representation of impact to public safety.

| Value | Definition |
|:-----|:-----------|
| Minimal | Safety Impact:Negligible |
| Significant | Safety Impact:(Marginal OR Critical OR Catastrophic) |
=== "JSON"

```json
{% include "../../../data/json/decision_points/public_safety_impact_2_0_1.json" %}
```
33 changes: 2 additions & 31 deletions docs/_generated/decision_points/public_well-being_impact_1_0_0.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,37 +8,8 @@
| Value | Definition |
|:-----|:-----------|
| Minimal | The effect is below the threshold for all aspects described in material. |
| Material | (Any one or more of these conditions hold.)

*Physical harm*: Does one or more of the following:

- Causes physical distress or injury to system users.
- Introduces occupational safety hazards.
- Reduces and/or results in failure of cyber-physical system safety margins.

*Environment*: Major externalities (property damage, environmental damage, etc.) are
imposed on other parties.

*Financial*: Financial losses likely lead to bankruptcy of multiple persons.

*Psychological*: Widespread emotional or psychological harm, sufficient to necessitate
counseling or therapy, impact populations of people.
|
| Irreversible | (Any one or more of these conditions hold.)

*Physical harm*: One or both of the following are true:

- Multiple fatalities are likely.
- The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed.

*Environment*: Extreme or serious externalities (immediate public health threat, environmental damage leading to small
ecosystem collapse, etc.) are imposed on other parties.

*Financial*: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially
collapse.

*Psychological*: N/A
|
| Material | Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. |
| Irreversible | Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A |
=== "JSON"

Expand Down
2 changes: 1 addition & 1 deletion docs/_generated/decision_points/safety_impact.md
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
safety_impact_1_0_0.md
safety_impact_2_0_0.md
19 changes: 19 additions & 0 deletions docs/_generated/decision_points/safety_impact_2_0_0.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
<!-- This content is autogenerated by doctools.py. Do not Edit. -->
!!! note "Safety Impact v2.0.0"

=== "Text"

The safety impact of the vulnerability. (based on IEC 61508)

| Value | Definition |
|:-----|:-----------|
| Negligible | Any one or more of these conditions hold. Physical harm: Minor injuries at worst (IEC 61508 Negligible). Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons. |
| Marginal | Any one or more of these conditions hold. Physical harm: Major injuries to one or more persons (IEC 61508 Marginal). Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people. |
| Critical | Any one or more of these conditions hold. Physical harm: Loss of life (IEC 61508 Critical). Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A. |
| Catastrophic | Any one or more of these conditions hold. Physical harm: Multiple loss of life (IEC 61508 Catastrophic). Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A. |
=== "JSON"

```json
{% include "../../../data/json/decision_points/safety_impact_2_0_0.json" %}
```
7 changes: 6 additions & 1 deletion docs/reference/decision_points/human_impact.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ Even small deviations in safety are unlikely to go unnoticed or unaddressed.
We suspect that the presence of regulatory oversight for safety issues and its absence at the lower end of the mission impact scale influences this behavior.
Because of this higher sensitivity to safety concerns, we chose to retain a four-level resolution for the safety dimension.
We then combine Mission Impact with Situated Safety impact and map them onto a 4-tiered scale (Low, Medium, High, Very High).
The mapping is shown in the following table.
The mapping is shown in the table above.

## Safety and Mission Impact Decision Points for Industry Sectors

Expand All @@ -38,3 +38,8 @@ For considerations on how organizations might communicate SSVC information to th
see [Guidance on Communicating Results](../../../howto/communicating_results.md).


## Prior Versions

{% include-markdown "../../_generated/decision_points/human_impact_2_0_0.md" %}

{% include-markdown "../../_generated/decision_points/mission_and_well-being_impact_1_0_0.md" %}
7 changes: 6 additions & 1 deletion docs/reference/decision_points/public_safety_impact.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,12 @@ This is a compound decision point, therefore it is a notational convenience.
Suppliers necessarily have a rather coarse-grained perspective on the broadly defined [Safety Impact](../safety_impact.md) Decision Point.
Therefore we simplify the above into a binary categorization:

- _Significant_ is when any impact meets the criteria for an impact of Major, Hazardous, or Catastrophic in the
- _Significant_ is when any impact meets the criteria for an impact of Marginal, Critical, or Catastrophic in the
[Safety Impact](../safety_impact.md) table.
- _Minimal_ is when none do.

## Prior Versions

{% include-markdown "../../_generated/decision_points/public_safety_impact_2_0_0.md" %}

{% include-markdown "../../_generated/decision_points/public_well-being_impact_1_0_0.md" %}
5 changes: 5 additions & 0 deletions docs/reference/decision_points/safety_impact.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -211,3 +211,8 @@ resiliency</td>
Deployers are anticipated to have a more fine-grained perspective on the safety impacts broadly defined in [Safety Impact](#table-safety-impact).
We defer this topic for now because we combine it with [*Mission Impact*](#mission-impact) to simplify implementation for deployers.


## Prior Versions

{% include-markdown "../../_generated/decision_points/safety_impact_1_0_0.md" %}

Loading

0 comments on commit 524ad63

Please sign in to comment.