The Hidden Costs of Successful Safety

It's not easy to keep process applications safe, but it can be even harder to find help to do it right. In this environment, safety depends on asking the right questions. In his "SIL 201" presentation on July 17 at the 2007 North American Foxboro User Group conference in Boston, Luis Duran described many of the hidden costs and side effects associated with safety instrumented systems (SISs), especially those embedded with distributed control systems (DCSs). Duran is product marketing manager for Triconex, which is an Invensys company.

Duran covered some of the safety-related questions that he says users need to ask their DCS vendors, even though many suppliers don't want to answer them. "When vendors hear these questions, many of them start to dance around a lot," he said.

How do you justify one month of lab-testing as good enough?
To put it another way, if a safety system is good enough for the lab, does that mean it's good enough for your plant? "The truth is, what most vendors call 'good enough' might not be," said Duran. "Ask your vendor exactly where, under what circumstances, and for how long they prove their systems 'in use.' For many vendors, 'proven' means they tested their system on a test bed, under ideal lab conditions, for one month at best, which are conditions that hardly represent the harsh real-automation-world."

What does the fine print in your TÜV report really say?
There are hidden costs in the fine print. "It's extremely important to assess your SIS's entire TÜV report before you sign the PO," adds Duran. "You may find your vendor's numerous 'use restrictions.'" For example, one TÜV statement says, "Both controllers of a redundant pair must succeed in de-energizing outputs when a demand to trip occurs. A dangerous undetected failure results in a system failure for the pair whether the dangerous undetected failure occurs in one or both controllers."
Duran added that the translation of this should be, "Beware skipping over the fine print and use restrictions, or you could be in for some nasty and costly surprises come implementation, start-up and commissioning time."

Does your TÜV certification actually mean I'll hit my production targets?
Not necessarily. "TÜV certification alone doesn't mean you'll hit your uptime and productivity goals," said Duran. "TÜV certification says nothing about how vulnerable a system is to spurious trips. Those 'use restrictions' in your vendor's TÜV report tell you that their systems, even if certified to SIL 3, are built on an architecture that's prone to spurious trips. These trips can negatively impact your uptime and ability to hit production targets, while also increasing risk. All of which costs you."

What's the downside to an embedded one-size-fits-all solution?
Users must ask what costs truly come with a DCS-embedded system. The argument in favor of buying a combined safety and control system from one vendor is that it's a perfectly safe way to save money. However, using an embedded SIS/BPCS architecture actually eliminates a layer of protection because the SIS and DCS are literally embedded together, unprotected, each catching what the other has got, explained Duran. "This means your DCS-embedded system greatly increases your risk, which requires more documentation, more field instrument redundancy, more testing, and more maintenance. All of this adds up to more costs," he says.

Why do hackers love DCS-embedded safety systems so much?
The industry is greatly concerned about cyber attacks, and your SIS vendor should be too. In a recent column, Control magazine reported that: "Three cyber security researchers from the U.S. Department of Energy's Idaho National Laboratory demonstrated how to use a laptop via the Internet to hack through two firewalls, get onto a process control network, read the internals of a device controller, and turn on a pump, all without being detected." Duran adds that this scenario is especially scary if a vendor's SIS system comes embedded with its DCS. "Without those independent layers of protection, DCS-embedded systems are easy prey for hackers," added Duran. "As a result, vendors such as Triconex have received the Achilles Certification, which is a series of cyber security tests performed by Wurldtech Securities Inc. This certification is a testament to the robustness and security of the Tricon Safety System platform against cyber attacks."

What makes your instrumentation so intelligent and supposedly safer?
What vendors call "intelligent" field instrumentation is really just added instrumentation, so users need to beware of the claim that "diagnostics on the instrumentation will make the plant safer," according to Duran. "Field-device diagnostics are great for asset management. However, they do not increase safety," he said. "Instrument diagnostics alone are insufficient to ensure safety. In order to write a diagnostic routine, you must anticipate the failure you're testing for. By definition then, diagnostics can't detect unforeseen modes of failure."

Do you allow risk-free, cost-free, easy-to-use online modifications?
This may seem like a minor question, but your vendor's answer can lead to major added costs. Many SIS vendors don't allow you to make system modifications online. Many require multiple manual steps that take longer and increase opportunity for costly and risky human error. "If your vendor claims to provide online modifications, be sure to ask exactly how that process works," added Duran. "Is it risk-free and hassle-free? Does it affect the controlled process?"

If your system is so simple, why do I need to hire your maintenance guys?
If an SIS is so easy to use, why does its vendor want to lock you into an expensive maintenance contract? Is it because the vendor designed a proprietary system that no one but its specialized, expensive maintenance personnel can maintain? And, every time you call for maintenance, will there be an added cost to your installation?

You say you do critical applications; why should I believe you?
Users may prefer to rely on one single source for all applications, and not just safety instrumented systems, but critical control applications as well. DCS vendors relatively new to SIS don't have the experience to handle various critical applications, or the platform capable of performing them. "Don't trust your safety and critical control needs to people without the experience to back it up," concluded Duran. "Few companies have the experience to be true single source for all your safety and critical control applications."

  • I'm confused about something, Walt. I thought Achilles certification was just about robustness of the IP stack of a device, not really a 'security' certification (at least that's what I got from their presentation at PCSF 2007). Am I reading that wrong? They didn't seem to indicate if Tricon's safety system is an integrated SIS or not.

    One thing that worries me is that the FUD and lack of understanding out there seems to keep people from really addressing the problem of cybersecurity in control systems (i.e. "hey my DCS is Achilles certified! we're secure!")

