Acceptable behaviour - throughout the entire system please
25 August 2011
It is increasingly being recognised that, where the integration of Process Control Systems (PCS) and Safety Instrumented Systems (SIS) involves the sharing of hardware and networking resources, the responsiveness, effectiveness and even the very role of the safety systems and functions can be compromised. Andy Tonge, Hima-Sella's Sales Manager, advises against placing all your eggs in one basket.
Figure 1: Layered Protection
In a report published in 2010 by the Scandinavia-based research organisation SINTEF, concern was expressed over the increasing levels of inadequate segmentation between PCS and SIS.
Here, 'inadequate segmentation' covers not only the sharing of hardware resources but also the ability of some subordinate systems to influence superior ones, or, as SINTEF observed, "signals in the wrong direction". Accordingly, the failure of a subordinate system (for whatever reason) could result in a safety-critical error in the overall system.
SINTEF also expressed concern over how, in many installations, PCS increasingly shares resources, such as networks and data storage devices, with generic/office IT.
In such instances, if malware were to infect an office server, the PCS sharing those resources would be exposed to the same infection. For example, in 2010 a major OEM of automation framework software disclosed that one of its products was susceptible to a piece of malware (a Trojan) that spreads via USB stick.
More recently, in February 2011, it was reported in the engineering press that since November 2009 many global oil, energy and petrochemical companies have been the targets of a series of coordinated cyber-attacks (dubbed Night Dragon) that aim to harvest sensitive data.
Whether compromised by an infected USB stick brought onto site by an employee or by a cyber-attack from the other side of the world, if generic/office IT is sharing resources with PCS (which in turn has inadequate segmentation from SIS) then personnel, equipment and the environment could be at risk.
Earlier this year I penned an article explaining how safety is effectively determined down at the binary level, and how important it is to appreciate that, for example, the absence of a signal indicating that a valve is Open does not mean that it is Closed. Here, think traffic lights: if you could only see the top lamp of a traffic light (the red) and it was not illuminated, would you proceed?
That article (which can be found online at www.hazardexonthenet.net in the Features section) relates primarily to the protection of pipelines through the addition of High Integrity Pressure Protection Systems (HIPPS) to safety-critical valves.
Once safety-critical components and assets are protected, system- and network-level forms of protection can then be layered around them. Indeed, when building those layers it is most advisable to start from the inside and ring-fence the asset with a single-function, fail-safe technology (like HIPPS) that is independent of process control and even of other safety functions. Note that the inner layer's independence does not mean it is not integrated; rather, its independence comes from the fact that it cannot be influenced by the layers outside it.
For example, the actuators on a servo valve can be fed from an Emergency Shutdown (ESD) system. However, the ESD should only be able to keep the valve open for as long as HIPPS continues to permit the condition. Similarly, a Process Control System (PCS) could also connect to the valve's actuators, in which case it should only be allowed to keep the valve open if both ESD and HIPPS continue to grant permission. In more extreme cases there would be a valve controlled by the PCS and a separate valve controlled by the ESD.
With reference to figure 1, all process instructions have to pass through a number of layers (starting with the Basic Process Control System, BPCS) to influence a valve protected by HIPPS. Any single function can shut down a safety-critical asset such as a valve, but the continued operation of that asset requires unanimous consent within the hierarchy. In other words, the system is integrated, but it behaves such that signals always travel in the right direction (as SINTEF would view things).
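The permissive logic described above (any layer can close the valve, keeping it open needs every layer's consent, and an outer layer can never clear an inner layer's trip), together with the earlier point that a missing Open signal is not a Closed signal, as an added worked example in Python. It is illustrative code written for this page, not Hima-Sella's or any vendor's safety logic: the layer names BPCS, ESD and HIPPS are the article's, while the Signal encoding, the ProtectedValve class, the rank ordering and the walk-through scenario are assumptions made here.

```python
"""Layered permissive logic for a HIPPS-protected valve.

Added example (not vendor code): models the rule that any single layer can
close the valve, that keeping it open needs unanimous consent from every
layer, and that an outer layer can never clear an inner layer's trip
('signals in the wrong direction'). Layer names BPCS/ESD/HIPPS come from the
article; the Signal encoding, class names and scenario are assumptions.
"""
from __future__ import annotations
from enum import Enum


class Signal(Enum):
    PERMIT = "permit"   # layer is actively asserting 'valve may stay open'
    TRIP = "trip"       # layer is demanding shutdown
    ABSENT = "absent"   # nothing received: broken wire, host down, stale data


# Outermost to innermost. A later entry holds more authority (figure 1).
HIERARCHY = ("BPCS", "ESD", "HIPPS")


def rank(layer: str) -> int:
    """Authority of a layer; higher means closer to the protected asset."""
    return HIERARCHY.index(layer)


def valve_may_stay_open(signals: dict) -> bool:
    """Unanimous consent: every layer must actively assert PERMIT.

    ABSENT (or a missing layer) is never read as permission. This is the
    traffic-light point: an unlit red lamp is not a green lamp.
    """
    return all(signals.get(layer, Signal.ABSENT) is Signal.PERMIT
               for layer in HIERARCHY)


def vetoing_layers(signals: dict) -> list:
    """Layers currently withholding consent, for the operator display."""
    return [layer for layer in HIERARCHY
            if signals.get(layer, Signal.ABSENT) is not Signal.PERMIT]


class ProtectedValve:
    """Valve state is an AND over the hierarchy, with direction enforced."""

    def __init__(self) -> None:
        # Fail-safe start: no layer has spoken, so nothing is permitted.
        self.signals = {layer: Signal.ABSENT for layer in HIERARCHY}
        self.rejected = []  # audit trail of refused cross-layer writes

    def assert_signal(self, source: str, signal: Signal,
                      target: str | None = None) -> bool:
        """Record a signal from `source`. Returns False if refused.

        A layer may always set its own signal. Writing to another layer's
        signal is allowed only inward-to-outward and only to force a TRIP:
        HIPPS may shut the ESD and BPCS down, but BPCS can neither trip nor
        re-permit HIPPS. Permission is never granted on another's behalf.
        """
        target = source if target is None else target
        if target != source:
            wrong_direction = rank(source) <= rank(target)
            if wrong_direction or signal is not Signal.TRIP:
                self.rejected.append((source, target, signal.value))
                return False
        self.signals[target] = signal
        return True

    def is_open(self) -> bool:
        return valve_may_stay_open(self.signals)


def demo() -> dict:
    """Walk through the article's scenario; every value should be True."""
    v = ProtectedValve()
    out = {}
    out["startup_closed"] = not v.is_open()
    for layer in HIERARCHY:                      # everyone permits
        v.assert_signal(layer, Signal.PERMIT)
    out["all_permit_open"] = v.is_open()
    v.assert_signal("HIPPS", Signal.TRIP)        # overpressure: HIPPS trips
    out["hipps_trip_closes"] = not v.is_open()
    accepted = v.assert_signal("BPCS", Signal.PERMIT, target="HIPPS")
    out["bpcs_cannot_override"] = not accepted and not v.is_open()
    v.assert_signal("HIPPS", Signal.PERMIT)      # HIPPS itself resets
    out["reopens_after_reset"] = v.is_open()
    v.assert_signal("BPCS", Signal.ABSENT)       # BPCS link lost
    out["absent_is_not_permit"] = (not v.is_open()
                                   and vetoing_layers(v.signals) == ["BPCS"])
    out["inner_can_trip_outer"] = v.assert_signal("ESD", Signal.TRIP,
                                                  target="BPCS")
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two design choices carry the safety argument. ABSENT is the default for every layer, so silence is never read as permission; a lost BPCS link closes the valve rather than leaving it wherever it was. And assert_signal refuses any cross-layer write that travels outward-to-inward, or that grants permission on another layer's behalf, so the only cross-layer message that can exist is an inner layer forcing an outer one to trip. A real SIS implements this in certified fail-safe hardware rather than in software; the example only shows the behaviour that hardware must exhibit.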
Let’s talk business
Having discussed how PCS and SIS should interact, let us now consider how best to achieve an Integrated Safety and Control System (ISCS). From a business perspective there are three models of engagement.
The first is to engage with a Main Automation Contractor (MAC), Main Instrument Vendor (MIV) or the OEM of a Distributed Control System (DCS). Such an engagement model will tend to be sold as 'service-plus-hardware'. The initial outlay will typically be low, but the system-level integration will most likely be done using protocols that are proprietary to the MAC or DCS vendor, so you may have to use the same company for subsequent site/system upgrades (hence the temptingly low initial outlay). Note: Hima-Sella has worked successfully with MAC/MIV/DCS vendors, as a subcontractor, on projects such as the Rosetta gas field, Egypt and the Buzzard field in the North Sea, delivering integrated yet independent layered protection.
The second option is to source and integrate the safety system and DCS yourself, which affords a great deal of freedom when selecting safety and control systems, provided you have the experience to tackle the integration and certification. Typical examples of Hima-Sella's work under this scenario include the Karsto Expansion Project, Norway and the Woqod LPG Plant, Doha.
The third engagement model, which is rapidly gaining the most credence within the industry, is quite literally to "put safety first" and use a safety-systems specialist as the overall integrator, ensuring that control system vendors deliver integration without compromising plant safety. For example, Hima-Sella was responsible for system-level integration at the Hunterston A nuclear power station in Scotland and for the ONGC (India) platform HIPPS solution (as subcontractor to the valve manufacturer, integrating a complete SIL-certified solution).
In conclusion, integration has immense benefits from a process control perspective, but it is essential for the safety systems to have increasing levels of independence (and authority, if you will) the closer you get to safety-critical assets.
The image shows that the inner layer of protection (a High Integrity Pressure Protection System, HIPPS, protecting a valve) should be implemented in fail-safe hardware/logic that can be integrated with other safety instrumented systems but not over-ruled by them.