Andy Tonge of Hima-Sella believes the best approach to plant-wide safety is to ring-fence critical hardware with layers of protection that are independent of process control. He explains why…

The prevalence of high-performance computing platforms, high-speed communications and large mass storage devices has made it possible to craft highly integrated industrial environments. However, within many safety-critical industries it is becoming increasingly tempting to implement safety functions within plant control systems. This may be convenient, but you may end up with your proverbial eggs in one basket.

For example, in a report published in 2010 by the Scandinavia-based research organisation SINTEF, concern was expressed over the increasing levels of inadequate segregation between Basic Process Control Systems (BPCSs) and Safety Instrumented Systems (SISs). Here, the ‘inadequate segregation’ includes not only the sharing of hardware resources but also the ability of some subordinate systems to influence superior ones; or as SINTEF observed in its report, “signals in the wrong direction”.

Accordingly, the failure of a subordinate system could result in a safety-critical error in the overall system. SINTEF also expressed concern over how, in many installations, BPCS increasingly shares resources (such as networks and data storage devices) with generic/ office IT. Hence, if a computer virus infects the latter, the former will almost certainly be compromised. Is this all undue concern though? Not at all.

In 2010 a major OEM of automation framework software disclosed that one of its products was susceptible to the effects of a malware virus that spreads via USB stick. A member of staff need only use a personal – and unknowingly infected – memory stick to transfer files in the office and the company’s server is placed at risk.

Accidental infections are not the only cause for concern. In February 2011 the engineering press reported that since November 2009 many global oil, energy and petrochemical companies have been the targets of a series of coordinated cyber-attacks (dubbed “Night Dragon”). And in late 2010 the Stuxnet ‘internet worm’ made the news as the first-known virus designed to target infrastructure such as power stations.

Whatever the reason for a cyber-attack though, if process control systems are sharing resources with generic/office IT then the result is system-wide vulnerability.

As an overall philosophy the integration of control and safety [functions] has been around for several years; and SINTEF in its report was not against integration per se.

Irrespective of how BPCS and SIS might be integrated, it is recognised that the safest approach to plant-wide safety is to ring-fence critical hardware (such as valves) with layers of protection; and that those layers should have varying degrees of interaction with the BPCS. Moreover, when building the layers, it is recommended to start from the inside and work out; beginning with a single-function, fail-safe technology that is independent of process control and possibly even other safety functions. Here, the inner layer’s independence is effectively its immunity from being over-ruled.

Consider a pipeline transferring oil. It must be protected along its length to prevent, or worst case limit, the environmental damages and financial losses/fines that would arise from escaping product. Accordingly, a pipeline will typically have several valves along its length in order to isolate stretches.

For example, in Thailand a dual-purpose pipeline runs from the refinery at Sriracha and supplies standard fuel to receiving areas in Saraburi and Lamlukka, and aviation fuel to Bangkok Airport. Programmable Electronic Systems (PES) provide an Emergency Shutdown (ESD) function within the control stations of the refinery and three receiving areas – plus several valve stations along the length of the pipeline.

In addition, and independent of the ESD function, each of the valves is protected by a High Integrity Pressure Protection System (HIPPS); that is implemented in a solid state logic solver (i.e. hardwired digital circuitry). In the event of a HIPPS triggering and closing the valve it protects, a signal would pass to the rest of the system so that other processes might shut down.

However, the overall system is architected such that neither the BPCS nor the SIS can influence the HIPPS. If they could, then that, in SINTEF’s terminology, would be a case of “signals in the wrong direction”. HIPPS is only capable of being reset following the alleviation of the over-pressure and using manual controls alongside the physical valve(s).

Having protected the critical hardware, the outer layers of protection would have increasing levels of integration with the BPCS in order to form a top-down hierarchy of authority (in terms of process instructions reaching critical assets – see figure 1). However, in terms of permitting a process instruction to reach any given critical asset, the hierarchy works from the bottom up; and it is in this way that a ‘hierarchy of fail-safe control’ can link your processing business objectives to their achievement.