A discussion whether to implement wireless, or where, is not a subject that analyzer engineers and technicians are likely to be asked to lead. But it is certainly a subject where we are likely to be asked to weigh in. This author has not witnessed a lot of discussion or technology about wireless communications with analyzers, but it is not difficult to imagine its implementations for the future.
Though wireless is still too vulnerable to security and reliability uncertainties to be used for critical closed control loops, it can still be used for less critical applications. Wireless broadcast bands are licensed (by FCC for exclusive use) and unlicensed (free access). One would first think that the licensed would be more secure from accidental or intentional intrusion, but with “frequency hopping”, unlicensed bands have advantages of: (1) no cost, (2) no time, (3) no licensing hassle, (4) many suppliers, and (5) lower start-up costs (7).
Control system security efforts are not likely to be led by analyzer engineers and technicians, but there is little doubt that analyzer systems are touched by security issues and that analyzer personnel must be familiar at all times with corporate and site control systems security measures. The 2001 terrorist attacks on the US certainly heightened security awareness, but even before that, the author saw intensified security within analyzer systems deployment. This intensification was evident with locked analyzer shelters, enclosures, and cabinets.
Because most analyzer systems are complex integrations of chemical, electronic, and mechanical devices, most analyzer folks quickly grew protective of “their” analyzer installations being susceptible to tampering, littering from unrelated maintenance waste, pilferage of spare parts and manuals, use of analyzer areas for break periods (unauthorized or not), and other activities unrelated to or detrimental to analyzer work. Therefore, analyzer shelters, enclosures, and cabinets were quickly locked to “outsiders”, with keys being available only to analyzer, operations, and safety/security personnel.
After the terrorist attacks, control systems generally received security scrutiny because control system tampering was believed to potentially lead to greater loss of life than financial system hacking. In the wake of this concern, all but “need to be there” personnel were denied entry to DCS rack rooms, PLCs, some PCs, and consoles. The belief was that with enough information, critical controls and trips could be overridden by hackers with much resulting destruction.
The “Top Ten Vulnerabilities” to control systems was recently published (8). Though we will neither reproduce them nor discuss them in detail here; the general rules appear to be to isolate control systems (including analyzer system computer hardware and software) as completely as possible by eliminating shared hardware and software, eliminating dial-up connections, erecting firewalls, “stress testing” control system security and eliminating unsecured wireless connections. See (9) for additional security tips.
Safety Instrumented System (SIS) and Safety Integrity Level (SIL) (ANSI/ISA-S84.00.01-2004, IEC 61511 Modified) refers to the system for handling critical trips. The part of the control system related to production, quality, and financial issues is the trip system related to “normal” operations. The SIS is for handling “critical trips” is for personnel protection, process loss prevention, and environmental protection. The SIS and the normal control system should be physically separate, so that if the normal system (DCS, PLC, PC, etc.) fails, the SIS will immediately take over and shut the process down in a safe and orderly fashion to avert disaster. (IEC 61508 should also be consulted.)
The SIL defines the level of performance needed to achieve a safety objective. SIL 1, SIL 2, and SIL 3 designate the probabilities of failure on demand (PFD); the higher the SIL number, the better the safety performance (10). The SILs are associated with the following architectures:
- SIL 1 – One-out-of-one. Single sensor, single logic solver, single final control element.
- SIL 2 – May include redundancy for sensor, logic solver, and/or final control element.
- SIL 3 – At least double redundant sensor, logic solver, and final control element.
- SIL 4 – Sufficiently high severity to be used largely in transportation, nuclear, and aerospace industries. SIL 4 is not normally used in the process industries.
Analyzer personnel are not likely to lead the SIL determination effort, but we need to be ready to participate in and constructively contribute to the SIL sessions. One source suggested holding the SIL meeting after the HAZOP while the P&ID information is still fresh on everyone’s mind; combining the meetings risks diluting the efforts for both (11).
Gary D. Nichols is control systems engineer at Jacobs Engineering Group. He can be reached at firstname.lastname@example.org.