System Reliability Theory. Marvin Rausand
With the development of new technologies, such as cyber‐physical systems, the Internet of Things (IoT), smart‐grids, smart cities, remote operation and maintenance, and many more, cyberattacks come more frequently and we can now hardly open a newspaper without articles about cyberattacks. Many of these attacks are directed toward critical infrastructure and industrial control and safety systems.
The structure of a security failure is illustrated in Figure 3.11. A threat, a threat actor, and a vulnerability are required “inputs” for a security failure. The threat actor uses a threat to attack the system, and the threat inspires the threat actor. The attack can only be successful if the system has one or more vulnerabilities.
A security failure is not a random event, but the consequence of a deliberate action made by the threat actor. To reduce the likelihood of security failures, vulnerabilities should be identified and removed during system design.
Figure 3.11 The structure of a security failure.
Additional Types of Failures
When an item fails, the failure is often claimed to be caused by the control of the item, the input/output to/from the item, or misuse of the item. These causes are usually outside the boundary of the item and not something the manufacturer of the item can be responsible for.
Control failures. A control failure is an item failure caused by an improper control signal or noise, that is, due to factors outside the boundary of the item. A repair action may or may not be required to return the item to a functioning state. Failures caused by inadequate operating procedures, or by operating procedures that are not followed, may also be classified as control failures.
Input/output failures. An input/output failure is a failure caused by inadequate or lacking item inputs or outputs, that is, due to factors outside the boundary of the item. For a washing machine, the washing service is stopped due to inadequate or lacking supply of electricity, water, or detergent, or due to inadequacies of the drainage system. Input/output failures will stop the service provided by the item but will usually not leave the item in a failed state. The item may not need any repair after an input/output failure. Input/output failures tell very little about the reliability of the item as such.
Misuse/mishandling failure. A misuse/mishandling failure is a failure that occurs because the item is used for a purpose that it was not designed for, or is mishandled. The mishandling may be due to a human error or a deliberate action such as sabotage. Some laws and standards (e.g. EU‐2006/42/EC) require that foreseeable misuse shall be considered and compensated for in the design and development of the item, and be covered in the operating context of the item.
The categories of failures listed above are not fully mutually exclusive. Some control failures may, for example, also be due to systematic causes.
Remark 3.2 (Functionally unavailable)
The US Nuclear Regulatory Commission (NRC) introduces the term functionally unavailable for an item that is capable of operation, but where the function normally provided by the item is unavailable due to lack of proper input, lack of support function from a source outside the component (i.e. motive power, actuation signal), maintenance, testing, the improper interference of a person, and so on.
The NRC term is seen to cover failures/faults of several of the categories above, most notably input/output and control failures.
Failures Named According to the Cause of Failure
Failures are sometimes named according to (i) the main cause of the failure, such as corrosion failure, fatigue failure, aging failure, calibration failure, systematic failure, and so forth, (ii) the type of technology that fails, such as mechanical failure, electrical failure, interface failure, and software bug, and (iii) the life cycle phase in which the failure cause originates, such as design failure, manufacturing failure, and maintenance failure.
When using this type of labeling, we should remember that the failure description does not tell how the failure is manifested, that is, which failure mode occurs. The same failure mode may occur due to many different failure causes.
3.6.3 Failure Mechanisms
A failure mechanism is a physical, chemical, logical, or other process or mechanism that may lead to failure. Examples of failure mechanisms include wear, corrosion, fatigue, hardening, swelling, pitting, and oxidation. Failure mechanisms are hence specific failure causes as shown in Figure 3.12.
Figure 3.12 Failure causes and mechanisms. A failure mechanism is a specific type of failure cause.
Each mechanism can have its root in different stages of the item's life cycle. Wear can, for instance, be a result of wrong material specification (design failure), usage outside specification limits (misuse failure), poor maintenance, inadequate lubrication (mishandling failure), and so on.
A failure mechanism may be seen as a process that leads to a failure cause.
3.6.4 Software Faults
An increasing number of item functions are being replaced by software‐based functions and a fair proportion of item failures are caused by software bugs. IEV defines a software fault/bug as:
Definition 3.7 (Software fault/bug)
State of a software item that prevents it from performing as required (IEV 192‐04‐02).
Combined with a particular demand or trigger, the software bug may lead to item failure. Such a failure is a systematic failure and is sometimes called a software failure (see Figure 3.10). If the trigger is a random event, the software failure is random. Software bugs are difficult to reveal and software development projects therefore include a detailed process for finding and correcting bugs. This process is called debugging.
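The fault/trigger distinction above, as an added example in Python that is not from the book: a constructed item carries a latent day-366 bug, the same trigger reproduces the same failure on every demand, the fault stays undetected while the trigger never occurs, and under a random demand process the failure occurrences are as random as the trigger, while a patched table removes them. The item, its tables and the demand process are all assumptions made for the example.

```python
import random

# Constructed example, not from the book: an item whose control software
# looks up a maintenance slot for the current day of the year. It carries
# a latent software fault: the lookup table has 365 entries, so day 366 of
# a leap year (a legitimate but rare input) is mishandled.
FAULTY_TABLE = [day % 24 for day in range(365)]   # the bug: one entry short
PATCHED_TABLE = [day % 24 for day in range(366)]  # the corrected software


def demand(day_of_year, table=FAULTY_TABLE):
    """Place one demand on the item. Returns True if the item fails."""
    try:
        table[day_of_year - 1]
        return False
    except IndexError:  # the fault is activated: systematic failure
        return True


def same_outcome_every_time(day_of_year, repeats=10):
    """The same trigger reproduces the same outcome on every demand."""
    outcomes = [demand(day_of_year) for _ in range(repeats)]
    return all(outcomes) or not any(outcomes)


def simulate(n_demands, seed, last_day=366, table=FAULTY_TABLE):
    """Random demands on days 1..last_day (a constructed demand process).

    Returns (trigger occurrences, failures, indices of failed demands).
    The trigger (day 366) arrives at random, so the failure occurrences
    are random in time even though the fault itself is deterministic.
    """
    rng = random.Random(seed)
    days = [rng.randint(1, last_day) for _ in range(n_demands)]
    triggers = sum(1 for d in days if d == 366)
    failed = [i for i, d in enumerate(days) if demand(d, table)]
    return triggers, len(failed), failed


if __name__ == "__main__":
    print("day 365 fails:", demand(365), "| day 366 fails:", demand(366))
    print("same outcome each time:", same_outcome_every_time(366))
    print("trigger never occurs:", simulate(5000, 1, last_day=365)[:2])
    print("random trigger:", simulate(5000, 1)[:2])
    print("after patch:", simulate(5000, 1, table=PATCHED_TABLE)[:2])
```

Every failure in the random run coincides with a day-366 demand, so the failure count equals the trigger count, and the same seed with the patched table yields the same triggers and zero failures.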
Software does not deteriorate and software bugs do not occur at random in the operational phase. They have been programmed into the software and remain until the software is modified. New software bugs are often introduced when new patches or new versions of the software are installed to remove known bugs. The same software failure occurs each time the same activation condition or trigger occurs. If relevant activating conditions or triggers do not occur, the software bug remains undetected. Installations