SIS write-protect (key-switch / engineering mode)
Demonstrate that Safety Instrumented Systems are protected from unauthorized or inadvertent modification through effective physical write-protect mechanisms, engineering mode access controls, and change management procedures that enforce dual authorization before safety logic can be altered.
Description
What this control does
Safety Instrumented System (SIS) write-protect controls prevent unauthorized modification of safety logic by requiring a physical key-switch to be turned to a program position, or an engineering mode to be explicitly enabled, before the controller will accept configuration changes. While the switch is in the protected (RUN) position, the safety controller rejects program downloads (writing new or modified logic to the controller), protected parameter changes, and firmware updates; this applies to safety PLCs, dedicated safety controllers, and the embedded firmware of safety devices. The barrier is both physical and procedural: only personnel with physical access to the cabinet and the key, and with authority under the site's change process, can alter the programming that governs emergency shutdown systems, interlock sequences, and other process safety functions. The protection holds only while the switch is actually in the protected position; a key left in program mode, or an engineering mode left enabled after a job, removes the barrier for every subsequent write, including writes from a remote session.
Control objective
What auditing this proves
Demonstrate that Safety Instrumented Systems are protected from unauthorized or inadvertent modification through effective physical write-protect mechanisms, engineering mode access controls, and change management procedures that enforce dual authorization before safety logic can be altered.
Associated risks
Risks this control addresses
- Unauthorized personnel remotely writing malicious or faulty logic to SIS controllers, disabling safety interlocks during a process upset
- Inadvertent overwrite of tested safety logic during routine maintenance or troubleshooting activities, introducing latent safety failures
- Insider threat actors disabling trip functions or modifying setpoints to cause process equipment damage or safety incidents
- Malware or ransomware propagating to the SIS network and modifying controller configurations without anyone being physically present at the cabinet
- Undocumented changes to safety logic bypassing functional safety lifecycle validation and pre-startup safety review requirements
- Physical tampering with SIS devices by contractors or visitors lacking proper authorization or safety competency verification
- Remote access sessions on engineering workstations used to modify safety programs even though the physical key-switch is in RUN, because the controller accepts online edits or the key-switch does not gate every write path
Testing procedure
How an auditor verifies this control
- Obtain complete inventory of all SIS controllers, safety PLCs, and embedded safety devices including make, model, firmware version, and physical location.
- Review site procedures governing engineering mode activation, key-switch operation, and authorization requirements for entering program or configuration mode.
- Physically inspect a representative sample of SIS controllers to verify presence and operational status of key-switches, mode selectors, or physical write-protect mechanisms.
- Confirm that key-switches are in the protected position (RUN, OPERATE, or equivalent non-program mode) during normal operations through walk-down verification.
- Review access logs, audit trails, or engineering workstation records for the past 12 months to identify all instances where engineering mode was activated or write-protection was disabled.
- Cross-reference each engineering mode activation against corresponding change control records and management of change documentation, and confirm that each change carries the two authorization signatures the dual-authorization procedure requires; any activation with no matching record, or with a single signature, is a finding.
- Test the write-protect function on a spare or test controller, or on an in-service controller only during a planned outage with the site safety authority's approval, by attempting to write modified logic or change a protected parameter while the controller is in protected mode; verify that the controller rejects the write, and record whether the rejected attempt appears in the audit trail.
- Verify that engineering mode activation and key-switch position changes trigger alerts, notifications, or log entries that are monitored by operations or security personnel (where the controller exposes key-switch position as a status point, confirm it is read into the DCS or historian and alarmed).
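The log-review and cross-referencing steps above are mechanical once the event export and the management-of-change register are in hand. The script below is an added example of that reconciliation, not code from the page or from any SIS vendor: it parses an engineering-workstation event export in an assumed format, matches every write-enabling event (key-switch to PROGRAM, logic download) against an MoC register with approved time windows and approver lists, and reports which events were authorized, which were covered by a single-signature MoC, and which had no MoC at all. It also computes how long each controller sat in PROGRAM, which catches the key-left-in-PROGRAM failure mode the walk-down step is meant to find. The sample log lines, the register entries, the two-approver rule and the 8-hour exposure threshold are all constructed assumptions.

```python
"""Reconcile SIS engineering-mode events against a management-of-change register.

Added example for the testing procedure; not a vendor tool. The event-log
format, MoC register layout, two-approver rule and 8-hour threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of an engineering-workstation / controller event export.
# Assumed format: "<ISO timestamp> <controller> <event> <detail> user=<name>".
SAMPLE_LOG = """\
2024-03-04T08:02:11 SIS-01 KEYSWITCH PROGRAM user=jdoe
2024-03-04T08:15:40 SIS-01 DOWNLOAD project=ESD_rev7 user=jdoe
2024-03-04T09:01:05 SIS-01 KEYSWITCH RUN user=jdoe
2024-03-12T22:47:09 SIS-02 KEYSWITCH PROGRAM user=svc_eng
2024-03-12T22:49:30 SIS-02 DOWNLOAD project=ESD_rev7 user=svc_eng
2024-03-12T22:52:00 SIS-02 KEYSWITCH RUN user=svc_eng
2024-03-20T13:30:00 SIS-03 KEYSWITCH PROGRAM user=asmith
2024-03-20T13:45:00 SIS-03 DOWNLOAD project=BMS_rev2 user=asmith
"""

# Constructed MoC register: approved change windows per controller and who signed.
MOC_REGISTER = [
    {"moc": "MOC-2024-017", "controller": "SIS-01",
     "window": ("2024-03-04T07:00:00", "2024-03-04T12:00:00"),
     "approvers": ["ops_superintendent", "safety_engineer"]},
    {"moc": "MOC-2024-021", "controller": "SIS-03",
     "window": ("2024-03-20T13:00:00", "2024-03-20T16:00:00"),
     "approvers": ["ops_superintendent"]},  # one signature only
]
MIN_APPROVERS = 2  # dual authorization (assumed site rule)


@dataclass
class Event:
    ts: datetime
    controller: str
    kind: str    # KEYSWITCH or DOWNLOAD
    detail: str  # PROGRAM / RUN for KEYSWITCH, project=... for DOWNLOAD
    user: str


def parse_log(text):
    """Parse the assumed export format into Event records, order preserved."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        user = next((p[5:] for p in parts[3:] if p.startswith("user=")), "")
        detail = next((p for p in parts[3:] if not p.startswith("user=")), "")
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], detail, user))
    return events


def reconcile(events, register):
    """One finding per write-enabling event: (timestamp, controller, kind, user, status).
    AUTHORIZED = covered by an MoC with enough approvers; NONCOMPLIANT = covered but
    dual authorization not met; UNAUTHORIZED = no MoC covers the event."""
    findings = []
    for ev in events:
        if not (ev.kind == "DOWNLOAD" or (ev.kind == "KEYSWITCH" and ev.detail == "PROGRAM")):
            continue
        match = None
        for moc in register:
            start, end = (datetime.fromisoformat(t) for t in moc["window"])
            if moc["controller"] == ev.controller and start <= ev.ts <= end:
                match = moc
                break
        if match is None:
            status = "UNAUTHORIZED: no MoC covers this event"
        elif len(match["approvers"]) < MIN_APPROVERS:
            status = (f"NONCOMPLIANT: {match['moc']} has {len(match['approvers'])} "
                      f"approver(s), {MIN_APPROVERS} required")
        else:
            status = f"AUTHORIZED: {match['moc']}"
        findings.append((ev.ts.isoformat(), ev.controller, ev.kind, ev.user, status))
    return findings


def keyswitch_exposure(events, period_end, max_hours=8):
    """Hours each controller spent in PROGRAM when that exceeded max_hours, or until
    period_end if the key was never turned back to RUN (key left in PROGRAM)."""
    end = datetime.fromisoformat(period_end)
    in_program, exposed = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "KEYSWITCH":
            continue
        if ev.detail == "PROGRAM":
            in_program.setdefault(ev.controller, ev.ts)
        elif ev.detail == "RUN" and ev.controller in in_program:
            dwell = ev.ts - in_program.pop(ev.controller)
            if dwell > timedelta(hours=max_hours):
                exposed[ev.controller] = round(dwell.total_seconds() / 3600, 1)
    for ctl, since in in_program.items():  # still in PROGRAM at end of review period
        exposed[ctl] = round((end - since).total_seconds() / 3600, 1)
    return exposed


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in reconcile(evs, MOC_REGISTER):
        print(*finding)
    print("key-switch exposure (hours):", keyswitch_exposure(evs, "2024-03-31T00:00:00"))
```

On the constructed sample, SIS-01 reconciles cleanly, both SIS-02 events at 22:47 on a weekday night have no MoC at all, and SIS-03 is covered by an MoC that only one person signed and is still in PROGRAM at the end of the review period. Matching on controller and time window is deliberate: an MoC number written on a work order proves nothing unless the approved window actually brackets the logged activation, and a real review should also compare the downloaded project name against what the MoC authorized.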
Where this control is tested