WORLD PUMPS
Feature
September 2013
Operating
www.worldpumps.com
0262 1762/13 © 2013 Elsevier Ltd. All rights reserved

Plant protection with integration

Thanks to the prevalence of high-performance computing platforms, high-speed communications and large mass storage devices, industry has been able to craft integrated and high-tech environments. Here we examine the importance of hierarchical functional safety to protect pumps and other equipment.

The benefits of highly integrated environments include plant/business-wide operational efficiency plus the lower installation and maintenance costs associated with a single IT foundation. Accordingly, within many safety-critical industries, it is becoming increasingly tempting to implement safety functions, such as emergency shutdown (ESD), within plant control systems. This is, of course, of great convenience. But take things too far and all of one’s eggs might end up in a single basket. Indeed, in a report published in 2010 by the Scandinavia-based research organisation SINTEF, concern was expressed over the increasing levels of inadequate segmentation between Basic Process Control Systems (BPCSs) and Safety Instrumented Systems (SISs).

Here, the inadequate segmentation includes not only the sharing of hardware resources but also the ability of some subordinate systems to influence superior ones; or, as SINTEF observed in its report, signals in the wrong direction. Accordingly, the failure of a subordinate system (for whatever reason) could result in a safety-critical error in the overall system, with pumps and other equipment not behaving as intended. SINTEF also expressed concern over how, in many installations, the BPCS increasingly shares resources, such as networks and data storage devices, with generic/office IT. Hence, if a computer virus infects the latter, the former will almost certainly be compromised.

Is this all undue concern though? Coincidentally, in the same year the SINTEF report was published, a major OEM of automation framework software disclosed that one of its products was susceptible to the effects of a malware virus (a Trojan) that spreads via USB stick. It is not too difficult therefore to imagine a scenario in which a member of staff uses (for convenience) a personal memory stick to transfer files in the office, and in doing so unwittingly infects the server.

Accidental infections are not the only cause for concern though as, in recent years, a number of global oil, energy and petrochemical companies have been the targets of a series of coordinated cyber-attacks. The wake-up call to the threat was arguably the arrival of the ‘Stuxnet worm’ in July 2010. Designed to attack the automation products of a major OEM of process control systems, the worm was capable of making changes to logic in PLCs (and downloading process information) and then covering its tracks. Antivirus software rose quickly to the challenge and the Stuxnet worm was stopped, but not before many companies had spent considerable sums checking the integrity of their PLCs and, in many cases, shutting down processes to do investigations. Also, although the worm is dead, Stuxnet demonstrated how a site’s industrial control system (in this case SCADA) could be attacked and the PLC logic changed. Irrespective of how the software might be compromised, be it accidentally or intentionally (cyber-attack), if process control systems are sharing resources with generic/office IT and, returning to SINTEF’s main observation, there is inadequate segmentation between BPCS and SIS, then the result is system-wide vulnerability.

Layers

As an overall philosophy, the integration of control and safety [functions] has its roots in the petrochemical industry. The problem though, even within such a standards-rich industry, is that there are few hard-and-fast definitions of what the nature of any BPCS and SIS integration should be. It is though recognised that the safest approach to plant-wide safety is to ring-fence critical equipment with layers of protection, and that those layers should have varying degrees of interaction with the BPCS. Also, when building the layers, it is recommended to start from the inside and work out, beginning with a single-function, fail-safe technology that is completely independent of process control, and possibly even of other safety functions. Here, the inner layer’s independence is effectively its immunity from being over-ruled.

It is also at this first (inner) layer of protection that the functional logic needs to be appreciated. For example, within a nuclear reactor’s cooling system a pump assures safety through its operation, and two or more pumps may work together to provide redundancy. Conversely, a pump used to fill a fuel tank assures safety through shutting off when it is supposed to. Consider a pipeline for transferring oil. It must be protected along its length to prevent (or, in the worst case, limit) the environmental damage and financial losses/fines that would arise from escaping product. Accordingly, in addition to the pumps at the source, the pipeline will most likely have several valves along its length in order to isolate stretches and, of course, halt flow from source to destination. An ESD would typically protect the pipeline by being able to shut down pumps and close valves; and the ESD function will probably be implemented using a software-based Programmable Electronic System (PES). In addition, and (importantly) independent of the ESD, many pipelines are also protected against over-pressure. For example, a number of pipelines in operation today are protected along their length by a High Integrity Pressure Protection Solution (HIPPS) implemented in HIMA’s Planar F solid-state logic server. Being solid-state, the safety function is effectively realised in hardwired circuitry only. In the event of a HIPPS triggering and closing its corresponding valve, a signal passes to the rest of the system (i.e. BPCS and SIS) in order for pumps to shut down automatically. This is effectively a signal passing up the hierarchy shown in Figure 1. However, the overall system would be architected such that the BPCS, the PSD or (even) the ESD functions could not send a signal to reset the HIPPS. Such a signal passing down the hierarchy would, in SINTEF’s terminology, constitute a signal in the wrong direction. Instead, a triggered HIPPS could only be reset following the alleviation of the over-pressure and using manual controls alongside the physical valve(s), i.e. in the field. Only then can a HIPPS OK signal pass up the hierarchy, and only if the higher levels are also OK can physical assets such as pumps, valves and other safety-critical equipment be operated again.

On best behaviour

Once safety-critical components are protected by fail-safe technologies (which are as infallible as an electrical fuse), it is then easy to add further layers of protection. For example, the actuators on a servo valve can be fed from an ESD system. However, the ESD should only be able to keep the valve open if the HIPPS allows it. Similarly, a PCS could also connect to the valve’s actuators, in which case it could only keep the valve open if both ESD and HIPPS allow it. Safety is effectively determined down at the binary level (see box: Logical safety), appreciating that the absence of a signal used to indicate that a valve is open does not mean that the valve is closed. The first (and inner) layer of protection around a piece of critical infrastructure should be implemented in fail-safe hardware/logic that can be integrated with other safety instrumented systems but not over-ruled by them.

www.hima-sella.co.uk

Figure 1: Layered protection is best designed from the inside out, so that process instructions (particularly those that control safety-critical infrastructure) have to pass through a number of systems/functions such as Basic Process Control System (BPCS), Process Shutdown (PSD), Emergency Shutdown (ESD), and a High Integrity Pressure Protection Solution (HIPPS). This architecture can also be viewed as a hierarchy (above). Any single safety function can shut down a safety-critical asset, such as a pump or valve, and pass a trip signal up the hierarchy to the BPCS. But continued (restored) operation of that asset requires unanimous consent within the hierarchy.

Above: HIMA’s HiQuad and HIMatrix PLC families.

TOPS

Though we recommend safety systems be designed from the inside out, by first of all ring-fencing safety-critical equipment with a fail-safe solution that is independent of control systems, there are some instances when it is necessary to enhance an existing system by adding a complementary layer of protection. For instance, as a direct result of the incident at the Buncefield fuel depot in Hertfordshire in 2005, the UK Petroleum Industry Association (UKPIA) and the Tank Storage Association (TSA) announced, in September 2008, that their members had committed to the standards of BS EN 61508 Safety Integrity Levels and the installation of automatic shutdown systems at storage terminals, to prevent overfilling of storage tanks which receive petrol via pipeline transfer.

In response to this initiative, which resulted from the Buncefield Major Incident Investigation Board (MIIB), HimaSella developed a Tank Overfill Protection Solution (TOPS). It is compatible with a wide range of detectors, can communicate with the DCSs of all leading manufacturers and utilises the HIMA HIMatrix family of programmable logic controllers, with suitable transmitters and valves, and can be used in loops up to and including SIL 3. TOPS works by receiving inputs from the level detectors in the storage tank and prevents overfill by automatically closing the valve on the filling pipeline.

Logical safety

Whilst ring-fencing safety-critical equipment is best done using a solid-state (hardware only) solution around the asset, a Programmable Electronic System (PES) can be employed, provided the logic is programmed to be fail-safe. For example, in terms of pure logic, you could argue that a valve is either open or closed, so it could be represented using a single channel; for example, logic 1 = Open, logic 0 = Closed. But what happens if the signal is lost? The absence of logic 1 would most likely be interpreted as a closed valve (when it may or may not be). Higher confidence in a valve’s status comes through the use of complementary pairs, and a valve can only be recognised as truly open if its Open signal is logic 1 and its Closed signal is 0 (i.e. Not Closed).
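The two rules that run through this article, the hierarchy of Figure 1 (a trip at any layer passes up to the BPCS, a reset never passes down, and restored operation needs unanimous consent) and the complementary-pair rule of the Logical safety box (a lost Open signal is not a closed valve), can be captured in a small executable model. The code below is an added example written for this page; it is not HIMA’s or HimaSella’s code and it models the logic in software, whereas the article’s HIPPS is solid-state. The layer names follow the article; the `SafetyHierarchy` class, the `FIELD` reset source, the `trip_log` and the scenario walk-through are assumptions of the example.

```python
from dataclasses import dataclass, field

# Innermost (most independent) layer first, outermost last, as in Figure 1.
LAYERS = ("HIPPS", "ESD", "PSD", "BPCS")
FIELD = "FIELD"  # manual controls at the physical valve, outside the hierarchy (assumed name)


def valve_state(open_sig, closed_sig):
    """Decode a complementary pair of valve position signals.

    Only Open=1/Closed=0 is 'open' and only Open=0/Closed=1 is 'closed'.
    Both 0 (lost signal or valve mid-travel) and both 1 (contradictory,
    e.g. a wiring fault) are reported as 'unknown', so a lost Open signal
    is never read as a closed valve. None models a lost channel (logic 0).
    """
    o = 1 if open_sig == 1 else 0
    c = 1 if closed_sig == 1 else 0
    if o == 1 and c == 0:
        return "open"
    if o == 0 and c == 1:
        return "closed"
    return "unknown"


@dataclass
class SafetyHierarchy:
    """Assumed model of the HIPPS -> ESD -> PSD -> BPCS hierarchy."""
    ok: dict = field(default_factory=lambda: {name: True for name in LAYERS})
    trip_log: list = field(default_factory=list)  # (receiving layer, trip signal)
    over_pressure: bool = False                    # the condition the HIPPS guards against

    def trip(self, layer):
        """A trip at any layer: that layer is no longer OK and a trip signal
        passes UP the hierarchy (towards the BPCS) so pumps can be shut down."""
        self.ok[layer] = False
        for outer in LAYERS[LAYERS.index(layer) + 1:]:
            self.trip_log.append((outer, f"trip from {layer}"))

    def reset(self, layer, requested_by):
        """Attempt to reset a layer; returns True if accepted.

        * A request from an outer layer to an inner one is a 'signal in the
          wrong direction' and is ignored.
        * The HIPPS is reset only from the field, and only once the
          over-pressure has been alleviated.
        * The article forbids only the downward direction, so a layer
          resetting itself (or a field reset) is accepted here (assumption).
        """
        if requested_by != FIELD and LAYERS.index(requested_by) > LAYERS.index(layer):
            return False
        if layer == "HIPPS" and (requested_by != FIELD or self.over_pressure):
            return False
        self.ok[layer] = True
        return True

    def hold_open_permitted(self, layer):
        """May `layer` keep the valve open? Only if it and every inner layer
        are OK: the ESD needs the HIPPS, the BPCS needs PSD, ESD and HIPPS."""
        return all(self.ok[name] for name in LAYERS[: LAYERS.index(layer) + 1])

    def asset_may_run(self):
        """Unanimous consent: the pump may run only when every layer is OK."""
        return all(self.ok.values())


def run_scenario():
    """Constructed over-pressure event; returns the observations as a dict."""
    h = SafetyHierarchy()
    out = {"initially_running": h.asset_may_run()}
    h.over_pressure = True
    h.trip("HIPPS")  # HIPPS closes its valve and signals upward
    out["running_after_trip"] = h.asset_may_run()
    out["esd_may_hold_open"] = h.hold_open_permitted("ESD")
    out["trip_seen_by_bpcs"] = ("BPCS", "trip from HIPPS") in h.trip_log
    out["bpcs_reset_accepted"] = h.reset("HIPPS", requested_by="BPCS")        # wrong direction
    out["field_reset_while_pressurised"] = h.reset("HIPPS", requested_by=FIELD)
    h.over_pressure = False
    out["field_reset_after_relief"] = h.reset("HIPPS", requested_by=FIELD)
    out["running_after_reset"] = h.asset_may_run()
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
    for pair in ((1, 0), (0, 1), (0, 0), (1, 1), (None, 0)):
        print(f"open={pair[0]} closed={pair[1]} -> {valve_state(*pair)}")
```

Running the scenario shows the two properties the article asks for: the BPCS receives the HIPPS trip but its reset request is refused, and the field reset is refused until `over_pressure` is cleared; `valve_state` returns "unknown" rather than "closed" whenever the Open channel alone is lost.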
Contact: Richard Warrilow, Declaration Limited. E-mail: [email protected]