Risk assessment on SCADA system

What are the factors to be considered in a risk assessment of a SCADA system?
Basic items in a risk assessment of a SCADA system.

The biggest question is your category of software risk - that will dictate your whole engineering and verification or validation cycle.

If your SCADA software is custom written (say Wonderware or WinCC or Citect etc., strictly written for your application) then you are probably “Category 5” and need a full V-Model approach. Some canned approaches to SCADA might still use a COTS package (such as Wonderware etc.) but be highly non-customisable (that is, you and 100 other customers are using exactly the same Wonderware application and the only difference is some set points). In this case you start to move down in levels of risk.

Once that is out of the way you have completed your preliminary risk assessment. You can do a URS, FS etc. Asynchronously to your design cycle you need to complete a functional risk assessment (FRA). This is basically a criticality assessment, but against the functionality (and hardware) of your SCADA package rather than, say, all your GMP critical instruments.

The whole FRA thing is discussed quite well in GAMP5, and you can also read about similar things, specific to 21 CFR Part 11, in the ISPE guide on ER/ES.

Some people like to put the FRA in with, say, the FS, but I personally like it to be separate; that way it isn’t locked in with the rest of your design cycle. The FRA is a living document and I see it as going through more iterations than, say, the FS or DS etc. You don’t want to go through the rigour of updating an FS just because a Boston Grid changed on a tiddly piece of risk analysis.

So you will have an FRA - what can go wrong, can we detect it, can we fix it, Boston Grids etc. This will help with your verification/validation etc., all as outlined in GAMP5.

Ask your supplier and/or OEM for their template of “boilerplate” FRA items.
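To make the "what can go wrong, can we detect it, can we fix it, Boston Grids" part of the FRA concrete, here is an added worked example (not from the answer above, and not any vendor's or ISPE's code) that scores constructed SCADA line items with the two-step GAMP5-style grid: severity × probability gives a risk class, then risk class × detectability gives a priority. The exact cell values of the two grids are my recollection of the GAMP5 approach and should be treated as an assumption to be aligned with your own approved matrix; the sample items, names and controls are constructed for illustration.

```python
"""Two-stage functional risk assessment (FRA) scoring, GAMP5 style.

Added example, not part of the original post. The two grids below follow
the GAMP5 two-step approach as recalled by the editor (severity x
probability -> risk class, then risk class x detectability -> priority);
treat the cell values as an assumption and align them with your site's
approved Boston Grid. All SCADA line items are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Step 1 (assumed grid): severity (rows) x probability (columns) -> risk class, 1 = worst
RISK_CLASS = {
    "High":   {"Low": 2, "Medium": 1, "High": 1},
    "Medium": {"Low": 3, "Medium": 2, "High": 1},
    "Low":    {"Low": 3, "Medium": 3, "High": 2},
}

# Step 2 (assumed grid): risk class (rows) x detectability (columns) -> priority
PRIORITY = {
    1: {"High": "Medium", "Medium": "High", "Low": "High"},
    2: {"High": "Low", "Medium": "Medium", "Low": "High"},
    3: {"High": "Low", "Medium": "Low", "Low": "Medium"},
}


@dataclass
class FraItem:
    function: str       # SCADA function or hardware element under assessment
    failure_mode: str   # what can go wrong
    severity: str       # impact on patient safety, product quality or data integrity
    probability: str    # likelihood that the failure occurs
    detectability: str  # how likely the failure is noticed before harm (can we detect it?)
    control: str        # existing or proposed mitigation (can we fix it?)


def _check(level):
    """Reject anything outside the three-level scale so a typo cannot silently mis-score."""
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}, got {level!r}")
    return level


def risk_class(severity, probability):
    return RISK_CLASS[_check(severity)][_check(probability)]


def priority(severity, probability, detectability):
    return PRIORITY[risk_class(severity, probability)][_check(detectability)]


def assess(items):
    """Return (function, failure_mode, risk_class, priority) tuples, worst first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = []
    for it in items:
        cls = risk_class(it.severity, it.probability)
        rows.append((it.function, it.failure_mode, cls, PRIORITY[cls][_check(it.detectability)]))
    return sorted(rows, key=lambda r: (order[r[3]], r[2]))


def high_priority_functions(items):
    """Functions whose FRA priority is High; these drive the verification effort."""
    return [f for f, _, _, p in assess(items) if p == "High"]


# Constructed sample FRA lines for a batch SCADA application
SAMPLE_ITEMS = [
    FraItem("Alarm handling", "Critical alarm not raised", "High", "Low", "Low", "Hard-wired backup alarm"),
    FraItem("Batch record archive", "Archived record silently truncated", "High", "Medium", "Medium", "Checksum on archive"),
    FraItem("Setpoint entry", "Operator enters value outside range", "Medium", "High", "High", "Range check in HMI"),
    FraItem("Trend display", "Pen colour wrong", "Low", "Medium", "High", "None"),
    FraItem("Audit trail", "Audit trail disabled without notice", "High", "Low", "High", "Privilege restriction"),
]


def detection_effect():
    """Same failure mode, only detectability improved: the priority should drop."""
    before = priority("High", "Low", "Low")    # class 2, poorly detectable
    after = priority("High", "Low", "High")    # class 2, readily detectable
    return before, after


if __name__ == "__main__":
    for fn, mode, cls, pri in assess(SAMPLE_ITEMS):
        print(f"{fn:<22} {mode:<38} class {cls} -> {pri}")
    print("Detection effect (before, after):", detection_effect())
```

Keeping the grids as data rather than hard-coding the outcome per item is what lets the FRA stay a living document: when a control changes a single detectability rating, only that line is re-scored and the FS is untouched, which is the separation the answer argues for.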


Hi Arti,

It is difficult to answer your question without further details.

Risk assessments are used for a multitude of tasks, so obviously they vary an awful lot. If your risk assessment is to be used at the start of a project to determine product and process safety, it is going to be a totally different risk assessment from the one that would be used to scope and justify the degree of validation that the equipment requires.

So your first task is to detail exactly what risk(s) you want to assess.

Alex Kennedy