Independent protection layer issues offer second front

Excerpts from the April 2007 issue of Industrial Automation Insider newsletter, Andrew Bond, editor. For more information, go to www.iainsider.co.uk. Reused with permission.

By Andrew Bond

Share Print Related RSS

By Andrew Bond, Editor, Industrial Automation Insider

Andrew BondIf you thought that the comparative silence over the past few months meant that the arguments over integrated Safety Instrumented Systems (SISs) were over and that the more traditional safety system vendors were now going to meekly roll up their tents and steal away, think again. The TMR (Triple Modular Redundant) faction, led by Invensys’ Triconex business unit, may have shifted its ground, but it certainly doesn’t believe it’s beaten yet; indeed, if anything, it reckons the tide is running back in its favor.

Strict Separation
As evidence, Invensys points to the results of a survey it recently conducted among chemical, oil and gas process plant operating companies which found that 78% of more than 200 respondents adhered to strict separation of safety and control for safety protection, 74% indicated that Independent Protection Layers (IPLs) were critical, and 66% cited common cause as a major concern. On the other hand only 8% were not concerned about ‘diversity,’ while 89% said that their ability to choose best in class for both safety and control was important.

That formed the basis of the message delivered by Premier Consulting Services (PCS) senior safety consultant Robin McCrea-Steele when he briefed journalists in a series of one-on-one meetings as he passed through London last month on his way back from running a TÜV course in Mumbai, India. 

PCS likes to present itself as an independent, no-axe-to-grind consultancy. How valid that claim is only its clients can judge. Suffice it to say, however, that it is part of Invensys and, while its consultants’ business cards make no mention of the Triconex connection, it shares the same 15345 Barranca Parkway address in Irvine, Calif., as the TMR system vendor.

McCrea-Steele’s original intention had been to give UK journalists a preview of the paper he had planned to present at the TÜV Symposium scheduled to take place in Galveston, Texas, in the last week of April. Unfortunately, however, TÜV seems to have lost its nerve when it had only 40% of the planned registration level by the end of March, and perhaps failing to appreciate that US events typically receive a significant proportion of their total bookings in the last two weeks, pulled the plug on the event.

“TÜV cancelled way too early,” said McCrea-Steel, who was quick to reject our suggestion that the lack of bookings might reflect a lack of interest in process safety issues in the US. “Quite to the contrary, there is a growing awareness and interest in all these safety topics,” he said.

Common Platform
Meanwhile, what had he planned to say? When his colleague Bob Adamski led the first counter attack against Emerson’s, ABB’s and Yokogawa’s then recently announced integrated SIS offerings back in 2005, the principal focus of the attack had been their 1oo2D architecture, which Adamski described as “old technology” which would, he suggested “lead to more nuisance trips.” This time around McCrea–Steele’s argument seems rather more subtle and takes as its prime target the use of a common hardware platform which, he suggests, undermines the whole concept of defense in depth and of independent protection layers (IPLs), which requires that control and safety should be completely independent. If the basic process control system (BPCS), as the DCS is referred to in safety jargon, and the SIS are based on the same hardware platform; were designed by the same team; and use the same HMI and configuration tools, then, he argues, it is impossible to prove that they cannot give rise to common cause or systematic failures. “The problem is in the interpretation of the standards,” said McCrae-Steele. “IEC 61511-1 clause 9.5 doesn’t say that you need physical separation or diversity but other clauses imply otherwise.”

So how come TÜV feels able to certify these systems? Because, says McCrae-Steele, “TÜV certifies the safety system in isolation. The certification will validate the non-interference of failures in the DCS affecting the SIS safety functions, but if the SIS is embedded in the control system, that eliminates the credit that could have been taken for a DCS as an IPL.”

DeltaV SIS
To back up his argument, he cites the Spectral Design 2006 report for Suncor Energy on Emerson’s DeltaV SIS, specifically quoting the paragraphs which, while acknowledging that “the BPCS and SIS are in fact two separate systems, even when installed on the same carrier,” went on to argue that “In order to gain any credit for independence in this case, it must be demonstrated that a failure of a BPCS or common component will not induce a failure on any SIS component. This requirement could not adequately be satisfied at this time due to the fact that common communication traces are used by both the BPCS and SIS equipment, on the same carrier.”

What McCrae-Steele didn’t say to us and neglects to mention in his paper, however, is that Spectral Design nevertheless felt able to say at the end of its report that “The general conclusion of this study is that the DeltaV SIS is suitable for use in Suncor’s operating, maintenance and business environments,” while the Executive Summary states that “The DeltaV SIS will adequately perform safety functions and should be considered for use by Suncor.”

In essence what McCrae–Steele is arguing is that if you’re using a BPCS and an SIS based on the same hardware platform, as would be the case if ABB’s system 800xA HI, Yokogawa’s ProSafe RS and, arguably to a lesser extent, DeltaV SIS were used with their respective DCSs, then you shouldn’t be able to count them as separate IPLs since the layer of protection analysis (LOPA) assumes that the role of the BPCS is to reduce the number of demands on the SIS. That in turn implies that an unsafe condition can only occur if the BPCS and the SIS fail separately and simultaneously.

However, McCrae-Steele argues, if the BPCS and the SIS are based on the same hardware platform, they could suffer a common cause or systematic failure. Consequently, an analysis which results in SIL 1 and SIL 2 safety-instrumented functions (SIFs) based on the assumption that the BPCS and DCS are providing IPLs, should end up with mostly SIL 2 and SIL 3 SIFs when the common platform is taken into account. Moreover, one with SIL 3 requirements would be raised to SIL 4, which would send the whole scheme back to the drawing board.

Cyber Security
McCrae–Steele’s other major concern centers on cyber security and the possibility that closer integration with the DCS and hence, potentially, with the outside world, opens the safety system up to the risk of malicious attack. A process plant manager’s worst nightmare, he suggests, is that of “A DCS-embedded safety system where a malicious cyber attacker penetrates the firewalls of the control system connected to the site LAN or corporate WAN, disables the SIS, and uses the DCS to blow up the plant.” However, having argued that “The safety system, as the last line of defense, needs to be protected,” he seems to undermine his own position by suggesting that the solution is “smart integration at the information, configuration, asset management and HMI levels,” which sounds a lot like the current Triconex solution. Given that, as he suggests, “all systems are vulnerable,” it is difficult to see how “smart integration” renders the safety system any less vulnerable to malicious cyber attack than any other form of integration.

It is clear that Triconex is opening up a new front in its battle with the integrated SIS lobby and one which may give some potential users of integrated systems pause for thought. Whether, by adopting a position which some may deem over-alarmist, McCrae-Steele has weakened rather than strengthened the case for independent systems will be for others to judge. It is unfortunate that, by canceling its Galveston symposium, TÜV has removed the opportunity for an early debate on the issues raised.

Are FDT and EDDL on Course for Convergence?
With representation on the FDT Joint Interest Group, the Fieldbus Foundation and Profibus International, ABB is probably in as good a position as anyone to assess the current state of play between the advocates of FDT/DTM and EDDL. Officially the ABB position is that expressed by Instrumentation Group vice president of Technology Sean Keeping, namely that EDDL and FDT/DTM are complementary rather than competitive. “We support both, and both have their uses in our equipment and systems,” he told the ‘What’s New in Instrumentation’ workshop at ABB Automation World. “We don’t see one dying and the other winning.”

However when we asked him whether there were now signs of movement towards some form of convergence or even a merging of FDT and EDDL, he said that this was indeed being discussed but there was as yet no timescale for such a move. Keeping, who is close to the FDT Group, was confirming what we had already heard from ABB’s senior vice president, Global Marketing Group, Mark Taft, namely that there are signs of a rapprochement between the FDT and EDDL camps. Taft sits on the Fieldbus Foundation board of directors and might perhaps therefore be expected to be more aware of EDDL thinking.

Joint Panel
More details of these developments may emerge later this month when the EDDL Cooperation Team and the FDT Group are jointly hosting an “Editor Panel” at Hannover Fair. The EDDL Cooperation Team brings together the HART Communications Foundation, the Fieldbus Foundation, the OPC Foundation and the Profibus Nutzer Organization and was responsible for the development of a single EDDL specification which is common to HART, Profibus and Foundation fieldbus. Interestingly, the invitation came from John Weet of PR agency HHC Lewis whose principal client is Emerson Process Management.

We asked Weet if he could comment on whether the forthcoming event had anything to do with rumors of the hatchet being buried between EDDL and FDT, but he played the suggestion back with a straight bat, saying that he couldn’t make any comment ahead of the event, but that he would “keep you in touch with what is going on as soon as I am authorized to do so.”

These developments, if developments they be, come at a time when rumors have also been circulating in Europe of problems with interoperability testing of FDT/DTM-based devices.

The latest figures from Profibus International show that a total of 3.4 million Profibus nodes were sold in 2006. This, it is claimed – although it’s surely not necessarily the same thing – brings the total number of Profibus nodes installed world-wide to 18.8 million, making it almost certain that the target of 20 million nodes by 2008 set in 2004 will be comfortably exceeded. “We actually sold more nodes last year than any other fieldbus organization …,” observed North American PTO executive director Mike Bryant, before claiming rather more contentiously that “The pattern set in discrete automation was repeated in process automation, and Profibus remains by far the strongest candidate for fieldbus applications in both market sectors.”

As Control magazine’s Walt Boyes helpfully points out in his "SoundOff" blog, both Profibus and Foundation fieldbus can only make their respective claims about installed nodes by pretending that HART isn’t a fieldbus.

Fieldbus or no, it’s giving most users what they’re looking for, which is remote diagnostics and integration with their asset management solutions. Current estimates put the HART device population at 22 million and, with Wireless HART now close to becoming a reality, a further surge seems a racing certainty. Set against that, PI’s proud boast of 630,000 installed PA devices by the end of 2006 looks pretty meager and isn’t made much more impressive by adding in all the non-PA devices in process applications which, it says, brings the total to 3.3 million. That, it claims, is five times more than any other fieldbus but, as no doubt Boyes would point out, it’s still just 15% of the installed HART population.

Fears of a fieldbus-like debacle, coupled with the apparent outbreak of common sense among their Wireless HART colleagues, seems to have concentrated minds wonderfully at the recent meeting of the ISA-SP100.11a working group in Karlsruhe, Germany. The 60 attendees unanimously approved the scope and systems architecture of Release 1 of the draft standard which it now anticipates will be complete by October 2007, making agreement on a standard by 2008 a real possibility. “The standard will be simple to use and will be focused on serving process industry applications without excluding factory automation,” said the working group’s lead editor and co-chair Pat Kinney.

This first release is aimed at Class 1(non-critical) to Class 5 applications, such as monitoring, and will include only 2.4 GHz 802.15.4-2006 radios using channel-hopping to support co-existence and increase reliability. There will be a single application layer which will “provide simple, flexible and scaleable security addressing major industrial threats”, says the ISA press release which adds that it will also offer field device meshing and star capability, which should keep both Emerson and Honeywell happy. 

The working group also agreed that the second release will include critical Class 1 to 5 applications in addition to monitoring as well as additional gateway and network manager functionality as needed.

Mitsubishi’s Wonderware Deal Threatens Citect
In recent years Mitsubishi in the U.K. has offered its own versions of independent SCADA vendors’ products to complement its range of PLCs. Back in the ’90s that meant rebadging Intellution’s Fix and iFIX products as, respectively, MX32 and MX2000, but when Intellution was acquired in 2002 by rival PLC vendor GE Fanuc, that deal was laid to rest after a decent interval, and a new arrangement was reached with Australian SCADA vendor Citect. Under that arrangement, not only was Citect SCADA rebadged as MX4 SCADA, but also Citect’s MES offering was taken on as MX4 Business.

When Schneider acquired Citect last year after an extended tussle with U.S. private equity interests, the usual assurances were given that there would be no change in existing arrangements, and that Mitsubishi would continue to use the Citect products. Now, however, if news from Japan is anything to go by, it looks rather as if the Citect deal may be about to go the same way as the Intellution one.

Preferred Solution
That news, announced at last month’s MP2 (MELSEC Process Partners) Technical Forum, was of an agreement between Mitsubishi and Wonderware under which both companies will facilitate and promote the use of Wonderware software with Mitsubishi hardware. Mitsubishi leads the Japanese PLC market, and Wonderware is already widely used there both with its and other vendors’ systems. Mitsubishi will now recommend InTouch to customers as its preferred monitoring solution, especially for those with medium-to-large scale installations, and the two companies have also undertaken to develop tighter integration of InTouch with Mitsubishi’s PX Developer integrated development environment. They’re also going to develop specific enhancements including integration of Mitsubishi components into InTouch faceplate displays, streamlined process I/O communications, tag-data interoperability and integration of alarms. Further collaboration is also planned in the area of MES to enable Mitsubishi users to take advantage of Invensys Wonderware’s ArchestrA technology and to develop object models for plant entities.

Given such a level of integration with Wonderware in Japan, it’s hard to believe that Mitsubishi will continue its relationship with Citect in the U.K. for much longer – or that John Bailey will pass up the opportunity to bring Mitsubishi within the Wonderware U.K. fold. The only thing putting him off is perhaps the possibility of the Mitsubishi jinx ensuring the early acquisition of Wonderware by yet another hardware vendor!

Citect has added Rockwell’s RSView to the growing list of HMI/SCADA systems for which Switch2Citect importers are available. With Fix32, iFix, InTouch and FactoryLink already covered, it claims that over 50% of the world’s installed base of HMI/SCADA systems can now be converted to CitectSCADA, while further planned importers, including those for WinCC, Wizcon and Genesis32 will soon bring that figure to 65%. Users can “try before they buy” by sending in three displays from their existing system to see how they import before purchasing.

Still mystified by the Wonderware System Platform? We’re reliably informed by an entirely objective observer that by far the best and clearest explanation is to be found on the Wonderware South Africa web site. Given the preponderance of South African influence in the development of a number of key Wonderware products, that probably shouldn’t come as a surprise. What is a surprise is that the page hasn’t yet been syndicated around the Wonderware world.

Emerson Reorganizes for Assault on SCADA Market
Following last year’s acquisition of Bristol Babcock, Emerson has formed a new Remote Automation Solutions division to bring together its Bristol, Fisher, Daniel and Mobrey remote technology products and services into a single business targeting the oil, gas, water and wastewater treatment industries. The new division is to be headed up by former Bristol president Jack Kelly, who will be president. Jon Milliken, former president of the Flow Computer Division, will be executive vice president. Divisional headquarters will be at the former Bristol HQ in Watertown, Conn., with manufacturing facilities there and in Marshalltown, Iowa, Pickering in the U.K. and Nuevo Laredo, Mexico.

Wireless Expertise
Emerson has long had ambitions in the oil & gas, pipeline and utilities SCADA market, and anticipates exploiting its rapidly developing wireless expertise to give it a competitive edge. It sees the new organization strengthening its position in areas such as integrated remote measurement and control solutions, autonomous wireless instrumentation, seamless communication integration and system health diagnostics. The new division will, however, continue to offer flow computers, remote terminal units (RTUs), presets, instruments and engineering services under the Bristol, Bristol ControlWave, FloBoss ROC and Danload product brands through existing sales channels without any disruption in service to customers.

“By bringing the industry-leading remote automation technologies and expertise together, Emerson will provide customers with unmatched leading-edge measurement and control technology for remote installations where ruggedness, reliability, low power and resistance to tough environments are required,” said Kelly.

Emerson has introduced new loop performance software as part of the DeltaV version 9.3 release. Designed to monitor, analyze, diagnose and improve control loop performance, DeltaV InSight includes all the basic monitoring and tuning capabilities of its DeltaV Tune and DeltaV Inspect forerunners.

GE Fanuc Anticipates Biodiesel Boom
GE Fanuc is working with Santa Clara, Calif.-based SunBio Systems to produce skid-mounted, “quick-start” biodiesel production systems ranging in size from university-grade research and development pilot plants to mid-sized installations producing up to 60,000 tonnes of biofuels per year. The plants are controlled by GE Fanuc Series 90-30 controllers and I/O with Proficy Machine Edition software, and QuickPanel touch screen operator interfaces.

One the SunBio systems is to be used by Silicon Valley Biodiesel of Sunnyvale, Calif., which produces biodiesel for the local market from local recycled fats, oils and greases. Its first production facility is located in Sanger, Calif., and it plans to use the SunBio platform coupled with GE Fanuc’s control solutions to start up five more plants in California over the next two years. “We had several very specific needs for this project, and all are being met by the SunBio/GE Fanuc solution,” said Silicon Valley Biodiesel founder and president Walt Bacharowski, who added that “We also like the fact that the system’s web access allows SunBio Systems to stay engaged with us to provide process advice when needed.”

Silicon Valley Biodiesel required that the instrumentation and automation systems for the various plants provided overall control and visibility into the remote locations with reporting to a central facility, standard operating procedures for the automation system and biodiesel processes, data historian facilities which would make it possible to run statistical process analysis and control to optimize processes and web access to easily view operations from any location.


  About the Author

Andrew Bond is the editor of the Industrial Automation Insider newsletter. For more information, go to www.iainsider.co.uk.
 

Share Print Reprints Permissions

What are your comments?

You cannot post comments until you have logged in. Login Here.

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments