Академический Документы
Профессиональный Документы
Культура Документы
$384.00
(PX-TCP2: 2-port
Modbus TCP Coupler)
$36.00
(PX-172-1: 2-point
AC Input)
$63.00
(PX-248: 8-point
DC Output)
$24.00
(PX-970: AC Power
Feed Terminal)
$277.00
(PX-334-K:
Thermocouple)
TM
Distributing I/O
for your process
saves space, wiring
and money!
1-800-633-0405
S
S
Cover Story
30 / Harness big data
features
Support & protect
CONTROL (ISSN 1049-5541) is published monthly by PUTMAN Media COMPANY (also publishers of CONTROL DESIGN, CHEMICAL PROCESSING, FOOD PROCESSING, THE JOURNAL, Pharmaceutical
Manufacturing, PLANT SERVICES and SMART INDUSTRY), 1501 E. Woodfield Rd., Ste. 400N, Schaumburg, IL 60173. (Phone 630/467-1300; Fax 630/467-1124.) Address all correspondence to Editorial and Executive Offices,
same address. Periodicals Postage Paid at Schaumburg, IL, and at additional mailing offices. Printed in the United States. Putman Media 2016. All rights reserved. The contents of this publication may not be reproduced in whole or part
without consent of the copyright owner. POSTMASTER: Send address changes to CONTROL, P.O. Box 3428, Northbrook, IL 60065-3428. SUBSCRIPTIONS: Qualified-reader subscriptions are accepted from Operating Management in the
control industry at no charge. To apply for qualified-reader subscription, fill in subscription form. To non-qualified subscribers in the Unites States and its possessions, subscriptions are $96.00 per year. Single copies are $15. International subscriptions
are accepted at $200 (Airmail only.) CONTROL assumes no responsibility for validity of claims in items reported. Canada Post International Publications Mail Product Sales Agreement No. 40028661. Canadian Mail Distributor Information:
Frontier/BWI,PO Box 1051,Fort Erie,Ontario, Canada, L2A 5N8.
N o v e m b e r / 2 0 1 6 www.controlglobal.com
Endress+Hauser, Inc
2350 Endress Place
Greenwood, IN 46143
info@us.endress.com
888-ENDRESS
www.us.endress.com
On-site
On-line
Hands-on
or in the
Classroom
Departments
11 / Editors page
Cubs win
The Chicago baseball team isnt the
only group of loveable losers ending a
drought.
12 / Control online
15 / Feedback
16 / Lessons learned
20 / On the bus
22 / Without wires
Redefining determinism
Today, even Ethernet and wireless are
almost always fast enough.
24 / In process
29 / Resources
FOPDT modeling
A good way and a better way to test a first
order plus dead time model.
51 / Roundup
53 / Exclusive
54 / Products
You choose.
A blended training
approach to help you keep
up with todays challenges
Customize your training
experience through the
unique offerings provided
to you through our Process
Training University. Whether
it be on-site, on-line or
in the classroom, choose
a training package that is
tailored to meet your needs.
55 / Control talk
58 / Control report
Busy fall
Big data, cybersecurity, election results or
other chores all need the same response
from you.
www.us.endress.com/training
Circulation aUdited december 2015
Food & Kindred Products
12,824
Chemicals & Allied Products
10,797
Systems Integrators & Engineering Design Firms 8,103
Pharmaceuticals
4,405
Primary Metal Industries
4,290
Petroleum Refining & Related Industries
4,198
Miscellaneous Manufacturers
3,171
3,451
3,380
2,874
1,604
803
120
60,020
N o v e m b er / 2 0 1 6 www.controlglobal.com
Control
Allied has the relay you need to keep it.
N a t i o n a l C o n t r o l s C o r p.
1.800.433.5700
Allied Electronics, Inc 2015. Allied Electronics and the Allied Electronics logo are trademarks of Allied Electronics, Inc.
An Electrocomponents Company.
EDITORS PAGE
Cubs win
PAUL STUDEBAKER
management systems so it alerts the right people, and maybe even sends them a work order.
Well, as you probably know, on Nov. 2, the
Cubs won the World Series, ending the teams
108-year streak as loveable losers. Thats nice.
But the week before, at the Emerson Global Users Exchange in Austin, I learned the company
is making a major-league push into rest-of-plant
asset condition monitoring.
As part of Emersons Plantweb digital ecosystem, the companys pervasive sensing initiative uses wireless and fieldbus to connect a new
generation of low-cost sensors and provides analytics for insights into asset performance.
This year, the company added technologies
to monitor pipes and vessels for corrosion and
erosion; medium-voltage switchgear for hot
spots, partial discharges and humidity; toxic
gases; and process temperatures with sophisticated surface-mount sensor/transmitters. There
also are pressure gauge, steam trap, relief valve
and power monitoring applications.
A new Asset Health Advisor performs diagnostics and provides alerts for predictive maintenance. It takes in heat exchangers, blowers,
compressors, cooling towers and pumps.
By building condition monitoring and predictive technologies into the plant, whether by
making them part of the automation system or
by using a separate Industrial Internet of Things
(IIoT) infrastructure, Emerson and other automation, sensor and analytics suppliers are reducing the needs for handhelds, for making
rounds, and even for specialized training, as
much of the knowledge is being built into software applications or made available via monitoring and analysis by off-site experts.
Its great that the Cubs have ended the Curse
of the Billy Goat. Im even happier that soon,
asset management wont require so much time
at the feet of crusty reliability gurus.
EDITOR IN CHIEF
pstudebaker@putman.net
Their handhelds,
cameras and sample
containers gather
dust, and the fresh
trainees knowledge
slips away as their
days are again filled
with emergencies.
N o v e m b e r / 2 0 1 6 www.controlglobal.com
11
CONTROL ONLINE
SPECIAL REPORT
The latest critical trends in I/O systems take advantage of the versatility and communications
capabilities of intelligent, congurable I/O. Being able to install universal I/O based on approximate point count, then congure or recongure it later to match the needed process variables
allows construction and installation to proceed independent from engineering, taking I&C off the
critical path. Intelligent I/O transmits more than just the measured and manipulated variables,
opening the possibilities for integrating capabilities from condition monitoring and predictive
maintenance to all the potential of the Industrial Internet of Things (IIoT). Heres the latest I/O
system coverage from the annals of Control. For a deeper dive into I/O technology, applications
and analysis, download the March 2015 Control State of Technology Report on I/O Systems.
Trends in HMI/SCADA
SPECIAL REPORT
WHITE PAPERS
Sponsored by
12
www.controlglobal.com N O V E M B E R / 2 0 1 6
At the 2016 Yokogawa User Conference, Sandy Vasser told how he and
his team at ExxonMobil set out to
improve their own project execution
processes, and catalyzed industry
change in the process.
http://www.controlglobal.com/articles/2016/yokogawa-article-1
ControlGlobal E-News
Multimedia Alerts
INDUSTRIAL
COMPUTERS
FIELD GUIDE
& RESOURCES
Industrial computers, PCs and many of their counterpart devices can take
almost any form these days, and serve in almost any setting thanks to
miniaturization, diskless and fanless technologies, more capable software
and other advances. This is good news for users and applications in harsh
environments, but it can be hard to sort out all the available options.
Here is a bounty of instructional materials, products and
other resources that can help you do just that.
BEGIN
Go to www.controlglobal.com and
follow instructions to register for our
free weekly e-newsletters.
e-NEWSLETTERS
PROVEN
WORLDWIDE
YASKAWA AMERICA
YASKAWA.COM
1-800-YASKAWA
Safety Measures
Hard Hat
Goggles
High-Visibility Vest
Remote Mount
Capability Keeps
Workers Off Top of Tank
for Switch Modification
Insulated Gloves
Advanced
Self Diagnostics
Assures Reliable
Performance
Safety Harness
Best-in-Class
Safe Failure Fraction
>91%
Steel-Toed
Boots
Dual-Point
Option for Two-Alarm
Safety Protocol
echotel.magnetrol.com
FEEDBACK
editorial team
Editor in Chief: PAUL STUDEBAKER
pstudebaker@putman.net
Executive Editor: JIM MONTAGUE
jmontague@putman.net
Digital Managing Editor: KYLE SHAMORIAN
kshamorian@putman.net
Contributing Editor: JOHN REZABEK
publishing team
VP, Content and Group Publisher: KEITH LARSON
klarson@putman.net
VP, Sales & Publishing Director: TONY DAVINO
630/467-1300 x 408, tdavino@putman.net
Midwest/Southeast Regional Sales Manager: GREG ZAMIN
gzamin@putman.net,
630/551-2500, Fax: 630/551-2600
Northeast/Mid-Atlantic Regional Sales Manager: DAVE FISHER
508/543-5172, Fax 508/543-3061
dfisher@putman.net
Classifieds Manager: LORI GOLDBERG
lgoldberg@putman.net
Subscriptions/Circulation: JERRY CLARK, JACK JONES
888/64 4-1803
executive team
foster reprints
Corporate Account Executive: RHONDA BROWN
219-878-6094, rhondab@fosterprinting.com
Ready to win
Top 50 automation suppliers jockey for
advantage when the market returns
MEASURE THICK FLOWS
FAST BOILER CONTROL
QATARGAS CUTS FLARES
HAZARDOUS WIRELESS
al-safety-discussion-for-hollywood-tropes]
is that it seeks to demonize big oil. In one
of its most egregious moments, it makes it
look as if the control panel operator knew
something was going to happen, but held
back the information because of company
direction. In the official review, the operator said the information/data flow to view
the process was terrible enough that when
the crap hit the fan, she was completely befuddled and confused. This is not the fault
of an operator. It has been blamed on human error, and now in the Hollywood version, on political complicity.
The real fault lies in poor human factors in the control system HMI. Billions
of dollars have been invested in researching the interaction of humans with operating equipment. The blowout was potentially avoidable, but engineering mistakes
will always be there. The point is, once the
engineering failed, the tragedy could have
been mitigated, perhaps even avoided. So,
while a company may not be complicit in
direct actions to prevent the loss of human
life, its lack of making access to tools that
could have given humans visibility into
the incident is disappointing. Like most
companies, theyre content with technology thats decades in arrears because it is
sufficient, when in actuality it is not. ROI
is hard to measure for human factors until
the holes in the Swiss cheese line up.
STEPHEN APPLE
stephen.apple@schneider-electric.com
N O V E M B E R / 2 0 1 6 www.controlglobal.com
15
LESSONS LEARNED
liptakbela@aol.com
People asked
whether the autopilot
was on or off at the
time of the Tesla
crash in Florida.
This is the wrong
question.
16
www.controlglobal.com N O V E M B E R / 2 0 1 6
LESSONS LEARNED
2
3
G
L
VC
U
R
3
4
www.controlglobal.com N O V E M B E R / 2 0 1 6
reduced because all computer systems can fail, and even if they dont
fail, their software can be hacked or
be insufficiently sophisticated to recognize complex situations.
Its for this reason that the software
packages in operation (Figure 1) can
safely handle only simpler tasks such
as changing lanes, stopping at red
lights, parking or keeping safe distances between vehicles, but they
cant yet distinguish between, say, a
pedestrian trying to hitch a ride or a
police officer flagging the car down.
Such fuzzy conditions havent yet
been effectively enshrined in computer code, while the human driver
can usually recognize them.
A great advantage of smart cars is
that the software of the whole fleet
can be improved over the air whenever new information becomes available. In other words, whenever the
causes of an accident are determined
and the software is modified to prevent reoccurance of that accident,
the revised software package can be
immediately transmitted wirelessly
to the entire fleet. As a result, the
safety of the fleet can be continually
improved.
Advocates of driverless cars argue
that using the autopilot is less safe
than autonomous driving because
even if the drivers hands are on the
steering wheel, the driver, being passive, cant be expected to snap back
and make split-second decisions
when needed. They refer to studies
that have found that the time needed
to wake up the average driver is 17
seconds, and a car moving at 65 mph
travels five football fields during that
time. Yet as of today, driver-assisted
collision avoidance software (autopilot) is better developed, and so for
some years more, the hands on the
wheel mode of driving is likely to
prevail.
Its also interesting to note that the
major process control firms (ABB,
Emerson, Honeywell, Schneider
Electric, Siemens, Yokogawa, etc.)
seem to be doing very little to develop sensors and control software
for this new market. Newer companies are starting to fill this gap, such
as Nirenberg Nouroscience, Otto or
Saips in the fields of machine and
computer vision, and Velodyne in
the area of miniaturized lidar (laser
imaging and ranging), etc.
[The next part in this series will discuss the capabilities of todays sensors,
potential for developing additional or
better ones, and improvements in control software packages needed to improve smart car safety.]
Bla Liptk, PE, control consultant and editor of the
Instrument Engineers Handbook is seeking new
co-authors for the new edition of that multi-volume
work. He can be reached at liptakbela@aol.com.
GE Digital
DRIVE SMART
OPERATOR DECISIONS
With just a glance, operators can recognize which
information requires attention, what it indicates, and
the right actions to take. Thats the power of GEs high
performance HMI/SCADA in your design. Enable your
end users to transform business through increased
efficiency and reduced costs.
On the Bus
contributing Editor
JRezabek@ashland.com
www.controlglobal.com N o v e m b e r / 2 0 1 6
PLC WITH
BUILT-IN
VPN & FIREWALL
TY
RI
ECU
-IN
T
L
I
BU
IIoT
READY
10/24/16 10:30 AM
WITHOUT WIRES
Redefining determinism
IAN VERHAPPEN
www.controlglobal.com N o v e m b e r / 2 0 1 6
Gear Up for
Reduced Downtime
479-646-4711
Unmatched Quality
Superior Reliability
Energy Efficient
Stock and Custom Orders
In Process
Operational Certainty
Train stressed the continuing advantages
of Emersons Top Quartile and Project
Certainty programs for improving their
engineering, products and services. Plus,
he announced that Emerson is introducing its Operational Certainty consulting
practice with expanded project execution methods, workshops and services.
By helping customers leverage the
best practices of Top Quartile perform24
www.controlglobal.com N o v e m b e r / 2 0 1 6
Supreme sessions
Earnings assist
Michael Train, executive president,
Emerson Automartion Solutions, reports
Top-Quartile practices can help customers improve their earnings by 15%.
Innovations aplenty
To provide users with even better tools
and services, Emerson debuted a host
of other solutions, services and initiatives at the event. They included:
Launching its expanded Plantweb
digital ecosystem, a scalable portfolio
of standards-based hardware, software,
intelligent devices and services for securely implementing the Industrial Internet of Things (IoT) with measurable
business performance improvement;
Collaborating with Microsoft to
help manufacturers realize business
impact and value of the Industrial Internet of Things (IoT) with help from
Emersons revamped Plantweb digital
ecosystem and Connected Services,
powered by Microsoft Azure IoT Suite.
In Process
www.controlglobal.com N o v e m b e r / 2 0 1 6
Big-time sustainability
Dr. Tsuyoshi Ted Abe, vice president and
CMO, Yokogawa Electric Corp., reported
that its goal is sustainable processes.
ICS Cybersecurity
event gathers experts
and solutions
Security experts from industry, government, academia and elsewhere
presented and exchanged their experiences at ICS Cybersecurity Conference 2016, Oct. 24-27 at Georgia
Tech University in Atlanta. They represented multiple worldwide industries, government and military defense
departments, industrial control system (ICS) suppliers, cybersecurity researchers, consultants and educators.
The keynote address was delivered by
Adm. Michael Rogers, director of the
IN PROCESS
Simplifying processes.
Enhancing connectivity.
Delivering reliability.
Technical Features
Windows
28
www.controlglobal.com N O V E M B E R / 2 0 1 6
Embedded Standard 7
NIC cards and up to four video outputs
Visunet RM Shell 4.1 pre-installed
Supports RDP, VNC, and ICA protocols
ACP ThinManager-ready and Emerson DRDC options
Dual
Resources
Level measures up
Controls Monthly Resource Guide
BOILER DRUM INSPECTION GUIDE
The 2016 edition of Clark Reliances
Boiler Inspection Guidelines for Drum
Level Instrumentation is easy to understand and concisely presents ASME
Section I water gauge inspection requirements for handy, on-the-job reference by boiler operators. It includes
code requirements for water columns,
water gauge valves, gauge glass, remote
level indicators, magnetic water level
gauges and water column isolation
shutoff valves, as well as 2015 Code
changes and CSD-1 requirements
and recommendations from Section 7.
The guide also lists the most common
non-compliant, drum-level arrangements and solutions. Copies are available at www.boilerinspectionguide.
com, and free to qualified recipients.
Cl ark-Reliance Corp.
4 40-572-1500; w w w.clark-reliance.com
Flo-Corp.
w w w.flo-corp.com
If you know of any tools and resources we didnt include, send them to ControlMagazine@Putman.net with
Resource in the subject line, and well add them to the website.
N o v e m b e r / 2 0 1 6 www.controlglobal.com
29
30
www.controlglobal.com N O V E M B E R / 2 0 1 6
B I G D ATA
weather, market and pricing data (Figure 1). Main sources
include OSIsoft PI, SCADA, SQL databases and SAP. Avangrid wanted to examine and better visualize its existing
OSIsoft content, so it could understand operations better
and improve decisions.
Avangrid especially wanted to more accurately report and get
paid by the ISO for lost generating capacity during required
curtailment periods, but it needed deeper turbine ramp-down
cost data to prove its economic losses. We knew we were losing
money, but determining the actual impact required investigating years of turbine data, says Brandon Lake, senior business
systems analyst at Avangrid Renewables.
To that end, Avangrid enlisted Seeq Corp. (www.seeq.
com) and its data investigation and discovery software,
which integrates information from historians, databases and
analyzers without altering existing systems. Its software uses
a property-graph database geared toward querying relationships across nodes to work with data and relationships between data in objects called capsules, which store time
periods of interest and related data used to compare machine and process states, save data annotations, enable calculations, and perform other tasks.
Lake reports that Avangrid tried to compile ramp-down data
before using Excel, but it took too much time and labor. With
Seeqs software, we were able to isolate shutdown events, add
analytics and determine what was happening in just hours,
says Lake. In the past, this would have taken days or weeks.
Once its participating wind farms isolated shutdowns and
ramp-down events, determined curtailment times, added
pricing and other setpoints, and determined differential
power-generation scenarios to determine losses, Seeq could
export the data to Excel and identify revenue the wind farms
could claim. Depending on its ISO contracts and wind
availability or curtailment, Lake reports that Avangrid saves
$30,000 to $100,000 per year.
Business systems
IoT sensors
Cloud IoT
platform
Context
Context
Control
network
Historian
Manufacturing
systems
Business
systems
CASH BLOWS IN
Figure 1: The 400-MW Klondike Wind Power Projects in Sherman
County, Ore. (top) is one of several Avangrid Renewables wind
farms in the U.S. using Seeq data investigation and discovery
software (bottom) to integrate information from historians,
databases and analyzers, and recover lost-generation revenue
from the local grid. Source: Avangrid
31
B I G D ATA
cause predictive analytics and machine
learning use the same mathematics as
APC, such as neural networks to model
relations between data parameters.
The
promise
of
The
promise
of
The
promise
of
The
promise
of
precision
every
time.
The
promise
of
precision
every
time.
The
promise
of
precision
every
time.
precision
every
time.
precision
every
precision every time.
time.
32
www.controlglobal.com N O V E M B E R / 2 0 1 6
Structured
Reference and
master data
Enterprise
integration
Transaction
data
Data
warehouse
Analytic
capabilities
Unstructured
Machine
generated
Distributed
file system
Text, image,
audio, video
Key value
data store
Map
reduce
Discovery
lab
Data
warehouse
Analytic
capabilities
WARNING
Call 1-800-544-7769
or visit info.turck.us/sensors
B i g d ata
mation (www.rockwellautomation.com).
On a typical QEP pad and production facility, well locations are protected
through constant monitoring of protective shutdown devices; alarm and event
logs are used to review and track specific information and recent events; and
standardized ControlLogix PLCs and
RSLogix software are helping us meet
our aggressive schedules and maintain
safe, standard process controls, explains Herbert. Understanding local
regulations and requirements upfront
and having good controls is a big help,
but ControlLogix enables the remote
I/O points at our remote pads to provide
useful information to our central con34
www.controlglobal.com N o v e m b e r / 2 0 1 6
WARNING
Call 1-800-544-7769
or visit info.turck.us/connectivity
B i g d ata
Major big data tools
To bring in and use big and non-traditional information
streams, there are many software packages, data management and storage methods, new communication protocols,
programming tools, and cloud-computing services, coming
mostly from the IT side. Heres an incomplete list and glossary of the primary players:
Cassandra (http://cassandra.apache.org), or Apache
Cassandra, is a free and open-source distributed database management system designed to handle lots of
data across servers with high availability and no single
point of failure
Cloudera (www.cloudera.com) provides Apache Hadoop-based software, support, services and training
Dynamic SQL is a programming method that lets users
build SQL statements dynamically at runtime
Hadoop (http://hadoop.apache.org/Hadoop) is an opensource, Java-based programming framework that supports processing and storage of large data sets in a
distributed computing setting. Its part of the Apache
project sponsored by Apache Software Foundation
Mongo DB (www.mongodb.com)is a free, open-source,
cross-platform, document-oriented database program
www.controlglobal.com N o v e m b e r / 2 0 1 6
SAFETY SYSTEMS
Cybersecurity
in the SIS world
Find and slay the dragons lurking in
ybersecurity is a growing concern in the process industries, and a number of good articles have been written
about it for industrial control systems (ICS)many full
of doom and gloom. Here, we will divide the ICS into two
parts: safety instrumented systems (SIS) and all other ICS
components, which we lump into the basic process control
system (BPCS). There are distinct differences between the
SIS and BPCS in function, design and cybersecurity.
The SIS and BPCS differ in regard to cybersecurity from
a process safety perspective, how traditional SIS design practices can help provide cybersecurity, and how cybersecurity
concerns can affect the design of the SIS.
This article examines some of the differences between
the BPCS and the SIS, SIS vulnerabilities to cyberattack
and other security concerns unique to the SIS. It also covers
how traditional SIS design can help with cybersecurity, and
how traditional design practices of the SIS are affected by
cybersecurity. Due to its size limits, one article cant cover
all aspects of designing or securing a SIS in the presence
of cybersecurity threats, but its instead intended to provide
food for thought on this topic.
38
www.controlglobal.com N o v e m b e r / 2 0 1 6
Governmentand statesupported
Terrorists
Company
Public
tor
vec
eat
Thr
Its important to note that operating a chemical plant or refinery is complex, with many checks and balances as well
as human beings to provide 24/7 oversight and some level
of resilience. A cyberattack is really a cyber-physical attack
because it involves a system with direct connections to the
real world, as opposed to attacking a computer and data. A
process plant is also a system designed to work in the presence of failures (even multiple ones) and uncertainty, even
if the failure mode is unknown, whether it be a cyberattack,
control valve failure, pump failure, etc.
For example, if a tower is over-pressurized, chances are
youll have an independent, high-pressure alarm, possibly a
high pressure override of the tower reboiler, an SIS and a relief valve protecting it, plus operator observations. This illustrates how defense-in-depth achieves process safety, which
also provides protection against a cyberattack as an initiating
Threat vector
BPCS
SCAI
SIS
Unknown unknowns
SAFETY SYSTEMS
The role of the SIS in safety
Its important to understand how process safety is achieved
through functional safety, and how the SIS fits into the overall picture. Achieving process safety using functional safety
typically involves a defense-in-depth protective scheme consisting of independent protection layers (IPLs).
In Figure 2, we can see the SIS is not the only IPL in the
layer of protection scheme. Some IPLs are subject to direct
cyberattack and some are not. Modern design of functional
safety protection systems (FSPS) for hazardous processes is
all about preventing a hazardous condition, even in the presence of failures of some of the IPLs. The cyberattack threat
does not change that paradigm, but rather adds additional
potential failure modes of the BPCS and process equipment
that may lead to potential safety demands of unknown frequency (an important risk consideration).
A fundamental SIS design principle is that failure of
the BPCS to control the process for any reason should not
cause a simultaneous failure of the SIS protecting the process. This does not change with the introduction of the
cyberattack threat; if a cyberattack has compromised the
BPCS, it should be substantially more difficult for the
same attack to compromise the SIS either synchronously
or asynchronously.
Defense-in-depth and the related principle of requiring
multiple failures or difficultiesa tortuous path before
you have a successful cyberattackare important protective concepts. This also applies to the BPCS, where safety
controls, alarms and interlocks (SCAI) and other protective
safeguards should present a difficult path to defeat them all
to cause a loss of process safety protection and situational
awareness of the operator.
Acceptable
risk level
Layers of protection
Risk inherent
in the process
SCAI
Other (safety
valves, etc.)
Alarms
SIS
BPCS
Process
Risk
RISK REDUCTION
Figure 2: Reducing risk typically involves a defense-in-depth
scheme of independent layers of protection including the basic
process control system (BPCS); safety controls, alarms and interlocks (SCAI); and the safety instrumented system (SIS).
have a few hundred data points, mostly reads with a limited number of writes. The BPCS will typically talk to the
SIS through only one communication path per SIS. The SIS
will also have its own internal communication structure.
In most cases, the SIS is implemented on different hardware, in some cases by a different manufacturer than the
BPCS equipment.
The SIS is periodically proof-tested, while the BPCS is
many times operated to failure. This provides a mechanism
for detecting unauthorized changes.
39
SAFETY SYSTEMS
include those in this assessment. This should be coordinated
with the cybersecurity efforts on the BPCS. The identified vulnerabilities should be eliminated or their risk minimized.
Potential vulnerabilities include remote access, uncontrolled
writes, ability to program remotely, configuration database indirect attacks and cyberattacks via manufacturer or third-party
software.
Red flags include any computer equipment that is Windows-based, commercial off-the-shelf (COTS) technology,
open systems, connections to the enterprise or Internet, the
ability to write to the SIS, SIS equipment under lock and key,
and/or portable media (USB ports, memory sticks, CDs, etc.).
Ethernet and Ethernet switches (too vulnerable) are a no-no in
a SIS zone or to cross the boundary. Wireless may be an open
invitation and should be avoided in a SIS.
Dont connect to what you dont have to connect to. Risk vs.
benefit has to be factored in, particularly when convenience is
considered.
Implement intrusion detection, including monitoring for
changes in software and safety-critical parameters. Fortunately,
BPCS communication
Digital Analog/discrete
Conduits
(typical)
Remote access
SIS
zone
Remote access
SIS
controller
Run/off/
program/
remote switch
Windows
vulnerabilities
Original, patch
and update
software
Removable media
(memory sticks,
CDs, etc.)
Safe operating
parameters database
Original, patch and
update software
Engineering
station
Unknown
Unknownthreat
threatvector
vector
Unauthorized
access
SIS
Field
Physical access
Unknown gap
Windows
vulnerabilities
Original, patch and
update software
Remote access
Windows
vulnerabilities
Calibration
AMS
Unauthorized access
Unauthorized access
40
www.controlglobal.com N o v e m b e r / 2 0 1 6
SAFETY SYSTEMS
ICSs typically have extensive logging, and the SIS should log to
them all changes in parameters and SIS accesses for programming, maintenance, etc. A cyberattack response plan should
be put into place, including operator procedures and a recovery
plan. Failure to plan is planning on failure.
BPCS, enterprise network or outside world, even through firewalls. It should be verified with the SIS logic solver manufacturer that their key-lock cant be overridden externally through
a communication link of any sort
Read requests from the BPCS are common to transfer
the SIS status to the BPCS. These should be limited in scope.
It should be verified that problems with the PLC communication processor/port (e.g. denial of service attacks, incorrect or
garbled read requests, etc.) cant affect the PLCs safety logic
cycle or its safety functionality.
Writes: the safest approach is to not allow any writes to the
SIS logic solver from the BPCS. Most SIS logic solvers can
limit writes to specific memory locations (e.g. will not accept
writes to other locations). DCS, PLC or foreign device gateways
may also allow only certain tags be read or written to the SIS.
These features should be implemented. If you must write to a
SIS logic solver, you might consider an analog or digital input
to transfer the data.
Deep-packet inspection (DPI) security appliances and
data diodes can stop all writes, and in some cases can whitelist
read and write tags or memory locations. These security appliances must be able to get down to the write command and the
write tag or memory location to be effective. The safety PLC
should also ensure that write data values are within an acceptable range.
Non-digital SIS logic solvers such as relay logic and tripamps are directly immune to a cyber attack. Indirectly, they
may have a small cyber vulnerability if the database for their
trip and alarm points is corrupted by a cyber attack. These systems can be used as a back-up safety PLCs safety instrumented
functions (SIF). In small applications or localized systems, they
can provide a cyber-immune solution.
SIS field devices are less prone to cyberattack because the
vast majority of their outputs are 4-20 mA or on/off 24 VDC/120
VAC, which are notoriously hard to hack. Safety protocols have
been developed for digital fieldbus communications between
field devices, but are not very common for SIS. When these are
used, they may be more exposed than a 4-20 mA loop to a cyberattack. When a fieldbus safety protocol is used, the transmitters should be connected point-to-point, and high-speed Ethernet (HSE) should be avoided for SIS service.
A hardware security jumper blocks changing any of the parameters of a field transmitter, including changes via HART or
fieldbus. SIS field sensors and other applicable SIS field devices
should always have their security hardware jumper engaged in
normal operating service. Software lockouts should not be used
unless theyre the only security feature available. If an AMS system is present via HART, it should have read-only access for
SIS field devices, even if the security jumper is not engaged. All
SIS transmitters should have a deviation alarm where feasible.
4-20 mA smart transmitters typically communicate via a
HART communicator during calibration and maintenance.
There is a cybersecurity exposure due to the software in the
communicator, but it must come indirectly through corruption
N o v e m b e r / 2 0 1 6 www.controlglobal.com
41
SAFETY SYSTEMS
of the software from the communicators manufacturer.
Calibration tools are another potential cybersecurity vulnerability for SIS field devices because modern ones are digitally based, and may communicate with a database or AMS
system that would typically be on a Windows machine connected to the site enterprise network. Corruption of the calibration database could lead to miscalibration of safety transmitters.
Keeping a computer backup of the calibration data, trip and
alarm points, transmitter parameters and programs is a good
practice, and historical copies should be kept in case the current one gets corrupted. This will help you recover from a cyber
or internal security attack. Remember, plan ahead.
Final elements, such as solenoids, valves, motor starters, etc.
are typically immune to cyber attack. If your valve has a digital
valve controller or a smart positioner, it may be possible for a cyberattack to spuriously trip or cycle the SIS valve. These devices
may be communicated with by a portable Windows-based
computer, and may be subject to a cyber attack.
Bypasses are points in the SIS logic solver that are commonly a write from the BPCS to the SIS to bypass a particular sensor to allow maintenance. Erroneous activation by the
BPCS or SIS would defeat a SIF or part of a SIF. The common
practice of having a manual, bypass-enable switch that must
Get
Data
...On the Go!
C ONNECT C ONFIGURE D OCUMENT
DevComDroid Communicator App
Full DD access to HART instruments using
your Android device
DevCom2000 Communicator Software
Full DD access to HART instruments using your
Windows device
HART Modems (Interface Hardware)
Bluetooth, USB and RS232 models
be activated, with a short timeframe to enable a bypass and bypasses that time-out are good practices. Also, having a bypass
alarm generated from the SIS that restrikes periodically when
in bypass, and remotely monitoring the bypass state, are also
good practices, again, making it more difficult for a cyber intruder to enable the bypasses undetected.
Manual shutdown: IEC 61511-1 states that a manual
means (for example, emergency stop pushbutton), independent
of the logic solver, shall be provided to actuate the SIS final
elements unless otherwise directed by the safety requirement
specifications. This was put in place because there was a fear
that the PLC logic solver would not operate when required, the
PLC might go into a loop, or it might begin operating erratically (sounds applicable to a cyberattack). However, primarily
for convenience and cost reduction, its been the practice of
many people, to use the otherwise directed by the safety requirement specifications to route the manual shutdown to the
SIS logic solver because they rationalize that the logic solver is
highly reliable. From a cybersecurity perspective, this is a bad
practice because if the SIS logic solver is compromised, so may
be the manual shutdowns in this logic solver. This takes away
the operators ability to quickly implement a manual shutdown
to bring the plant to a safe state. This is particularly worrisome
for SIF where there are no other IPLs associated with the hazardous scenario.
Also, companies often have procedures that are gun-drilled
(exact and ingrained) for shutting down the plant due to power
loss, cooling water loss, etc. It makes sense that you should have
a gun-drilled procedures to shut down your plant if you suffer a
cyber attack that compromises process safety.
Reset function: Software resets may provide some protection against a cyberattack that cycles the safety PLC outputs,
but may be compromised by a knowledgeable attacker. Field
manual resets on the solenoids physically prevent the shutdown
valve from cycling, and are immune to cyber attacks.
42
www.controlglobal.com N O V E M B E R / 2 0 1 6
Growing gracefully
Our motor controls and facility communications were hardwired before 2006, so if we wanted to change or add a step in
the production process, wed often to rewire entire areas of the
facility, says Wade Hazel, engineering manager at Acadian.
We began automating the Cornwallis facility during 20062008, but this modernization wasnt enough to meet growing
demand, so we decided to build onto the existing plant to add
capacity, and automate the new equipment to increase process
control and efficiency.
Hazel adds that Acadian supplier Graybar (www.graybar.
com) knew it was already using Allen-Bradley CompactLogix
programmable automation controllers (PACs) from Rockwell Automation (www.rockwellautomation.com), so it proposed adding Allen-Bradley Centerline motor control centers
(MCCs) with IntelliCenter software and EtherNet/IP networking. This meant Acadian could expand its capacity by integrating with existing controllers, and avoid adding hardwiring for
motor controls (Figure 1). Consisting of variable-speed drives
(VSD) and full-voltage starters, the MCCs and supporting
automation let Acadian increase seaweed processing by 50%
during 2008-09.
However, demand continued to swell, so Acadians management decided to build the new Deveau Center plant across the
street with three times the space. This included underground
piping for moving product between the plants, three more
ControlLogix PACs, expanded Centerline and Intellicenter applications, plantwide EtherNet/IP for monitoring and motion
control, and Rockwell Software Studio 5000 to set up and configure the PACs and MCCs. The new plant was finished in
2014, and its already running at 40% more capacity than its
earlier version, and can expand capacity another 250%.
This facility isnt static, added Hazel. We may need to
change functions one day, do improvements the next, or add
new processes. With all controls connected via EtherNet/IP,
many former hardwires became virtual wires, so we can make
changes faster at a lower cost. Integrated MCCs and controllers
N O V E M B E R / 2 0 1 6 www.controlglobal.com
43
from Vascat S.A. and a 250-kW Powerflex 755 inverter drive from
mata copper mine near Santiago in Chile. Source: Codelco and ABB
then its only 40-50% efficient at half speed, he explains. Synchronous reluctance gets that efficiency back up to 70% at half
speed, which is why were rolling them out.
Rotating evolution
Integrating microprocessors, intelligence, networking and
other functions into motors and drives enable them to achieve
remarkable gains, but these advances have also altered their basic nature. Process and discrete controls are more the same
now, and their technologies are adapting to fit, says Robert Sor, product marketing manager for general-purpose,
Sinamic and VG drives, Siemens (www.siemens.com). PLCs
and other process controllers arent much different now, and
many drives are much the same, even though their AC motors
may run at different speeds. In fact, increasing pressure for efficiency has pushed drives to evolve until they can now do what
servo drives did just a few years ago.
Because theyre easier and less costly to deploy, drives are
spreading to rotating equipment that hasnt used them before,
according to Sor. Over the past five to seven years, drives are
appearing on more pump jacks, fans, pumps and positive-displacement pumps. These used to have contactors and starters
because there were less concerns about saving power. However,
with the oil and gas industry down, people want to save money,
and theyre doing it with smaller, smarter and less costly drives,
and more precise variable-frequency drives (VFD).
Sor adds that similar efforts to save are spurring adoption of
more efficient, relatively higher-tech motors, such as synchronous reluctance motors. A manufacturer may add variable
speed to a motor that usually runs at full speed and 60 Hz, but
44
www.controlglobal.com N O V E M B E R / 2 0 1 6
PROTECT PUMPS
DRY RUNNING CAVITATION BEARING FAILURE OVERLOAD
MONITOR PUMP POWER
Best Sensitivity
Digital Display
TWO ADJUSTABLE SET POINTS
Relay Outputs
Adjustable Delay Timers
4-20 MILLIAMP ANALOG OUTPUT
COMPACT EASY MOUNTING
Only 3.25 x 6.25 x 2
Starter Door Panel
Raceway
Wall
UNIQUE RANGE FINDER SENSOR
Works on Wide-range of Motors
Simplies Installation
WWW.LOADCONTROLS.COM
Alarm Annunciators
& Event Recorders
Products ideal for all
process and power alarm
applications
High Integrity Design
(high availability)
Serial and Ethernet
Communications
- Modbus RTU, DNP3 &
IEC61850 protocols
N o v e m b e r / 2 0 1 6 www.controlglobal.com
45
FOPDT modeling
R. RUSSELL RHINEHART
PV
russ@r3eda.com
75
70
65
60
55
50
45
40
35
30
150
155
160
165
170
46
www.controlglobal.com N o v e m b e r / 2 0 1 6
60
1.2
1.2
50
1.0
60
40
.081.2
50
30
.061.0
40
20
.04.08
Input(s)
60
30
10
.02.06
20
0
0
20
40
10
0
SKYLINE
PATTERN
0
20
40
60
Time
60
Time
80
80
100
0 .04
120
.02
100
0
120
number
of excitations.
41
20
39
42
38
41
37
20
36
39
35
38
34
370
Response Response
Input(s)
PV
PV
sponse variable, (t), to indicate that its the model, not ple twists on the method.
Howver, this approach requires operator attention for
the process. And, I used the prime mark to indicate that
an
extended time to wait for four steady-state periods;
the model influence, response and time are each a deviamay
create process deviations that impact downstream
tion from the initial steady conditions as well as the time
75
quality; requires the human to interpret the signal to pro70
for the step-and-hold influence. In figure 1, the change
65
vide data for the mathematical analysis; only uses a small
happens at a time of 155. Although t = 155, at that instant
60
part of the data generated; and can be substantially con75
t = 0. Similarly, the initial process value is y = 37, but the
55
70
founded by uncontrolled disturbances.
50
deviation value is y = 0.
65
45
In the computer era, by contrast, nonlinear least squares
Although the concept for the model is a response to 4060
a
regression
is simple to implement, and a skyline input
55
step-and-hold influence from an initial steady state, and
35
50
function has advantages in operational duration, magnithough this makes for convenient analytical solutions, 30it
45150
155
160
165
170
tude of upsets,
and number
of excitations
over classical
is a generic model, and not so restricted when solved with
40
Time (step-and-hold happened at 155)
methods. A skyline pattern in the controller output could
35
numerical methods. And, though the model can be equiv2.
alently stated in Laplace or z-transform notation, I wont!30 150look like Figure
155
160
165
170
The nonlinear regression method seeks to fit the model
The classic textbook method to generate FOPDT modTime (step-and-hold happened at 155)
els is the reaction curve technique, a pre-computer era to all data points, not just the selected several points in
method. Its simple to understand and implement, and it a classic reaction curve fit. So, it better reject noise and
can be derived from the analytical solution of the ODE, disturbances.
The skyline and regression method does not require
so it serves the current content of undergraduate engioperator attention or judgment, which lessens the posneering education appropriately. However, I be-
20
40
36
60
Time
80
100
120
35
34
20
40
60
Time
80
100
120
SKYLINE RESPONSE
Figure 3: The data (dots) and best FOPDT model (solid curve) from the
input sequence in Figure 2 for a pilot-scale process flow rate shows
that the model is not perfect, but is a very good representation of the
process dynamics.
N o v e m b e r / 2 0 1 6 www.controlglobal.com
47
Pressure
Data
Acquisition
Automation
Same Icons in White
ons in White
100,000 Products
Customized Solutions
Expert Technical Support
Easy Online Ordering
Fast Delivery
omega.com
1-888-826-6342
COPYRIGHT 2016 OMEGA ENGINEERING, INC ALL RIGHTS RESERVED
48
www.controlglobal.com N o v e m b e r / 2 0 1 6
Pressure
N o v e m b e r / 2 0 1 6 www.controlglobal.com
49
P
System curve (P2)
Pressure
25
P1@35%
30
35
40
Flow
(%)
P2@48%
td
t63%
B
B1=63%B
Time
0
Process gain:
td
t63%
K = B/A
0.9A
Proportional Gain P = B.td.t
Integral Time
Process gain:
I = 3.33td
K = B/A0.9A/Btdt, and integral time I = 3.33td.
0.9A
Proportional Gain P = B.td.t
If you experience an
Integral Timeovershoot
I = 3.33td
(which
50
www.controlglobal.com N o v e mb e r / 2 0 1 6
R oundup
LB System remote
I/O has more power
in less space with
high-performance,
compact modules plugged into a backplane. Energy-saving power management and low-power dissipation allow
maximum packing density. Its partition ensures required
clearance of 50 millimeters. Bus and power supply can be
redundant with a maximum of 80 analog and 184 digital
inputs and outputs.
Pepperl+Fuchs
330-425-3555; www.pepperl-fuchs.us
With a new shield clamp and an exclusive latching spring, 790 Series
adjustable busbars provide excellent
shield contact and performance.
The adjustable carriers are available
with 70-80 mm heights. Busbars
can be cut to any length. Other advantages include pre-connection to
the DIN rail adapter to cut installation time, and adjustable
T-connectors that allow horizontal and vertical positioning.
Wago Corp.
800-DIN-RAIL (346-7245); www.wago.us
Allen-Bradley Bulletin
5069 compact I/O expands Logix capabilities. With two 1-Gb
Ethernet ports, this I/O
system scans 10 times
faster than previous versions for greater productivity. It
can include as many as 31 local I/O modules without
expanding. When used as local I/O with Allen-Bradley
CompactLogix 5380 controllers, scheduled outputs improve I/O response time to as fast as 0.2 milliseconds.
Rockwell Automation
http://ab.rockwellautomation.com/IO/Chassis-Based
N o v e m b e r / 2 0 1 6 www.controlglobal.com
51
ROUNDUP
52
Simatic ET200AL
I/O has IP65/67
protection in a
compact, rugged,
lightweight design
thats easily mounted in tight spaces. Quickly confi gured
with TIA Portal engineering software, ET 200AL I/O is
available with M8 and M12 modules, increasing channel
density with more I/O points per module. Up to 2-A actuators can be connected per module, and it has SIL 2 safely
trip actuators.
Siemens
http://w3.siemens.com/mcms/distributed-io
www.controlglobal.com N O V E M B E R / 2 0 1 6
CONTROL EXCLUSIVE
53
PRODUCT INTRODUCTIONS
54
www.controlglobal.com N O V E M B E R / 2 0 1 6
C O N T R O L TA L K
GREG MCMILL AN
STAN WEINER, PE
controltalk@putman.net
Creatively invest your work ethic into new horizons and opportunities. For the top 10
reasons to migrate, see the online version at www.controlglobal.com/articles/2016/
how-to-succeed-in-career-and-system-migration.
N o v e m b e r / 2 0 1 6 www.controlglobal.com
55
C o n t r o l Ta l k
limited somewhat on the instrumentation side, so we convinced a retired 3M technician to give us a hand. He has
been with us ever since, and been instrumental in the success of our projects. Were now fortunate to have another
PI&CS resident engineer, an additional maintenance controls
engineer, and some technicians working on these systems.
Were responsible for the migration of about 20 reactors
and the tank farm. We decided on one controller per reactor
to maximize independent maintainability, since these reactors are going up and down. Weve completed over a dozen
of the reactors, and have about a half dozen to go. Each system can have 300-1,200 inputs and outputs.
Greg: Ive had process engineers ask to keep the process vari-
solescence?
www.controlglobal.com N o v e m b e r / 2 0 1 6
Bill: Modernizing the control systems has led to better performance, principally by using signal selection and split range to
increase versatility, particularly in jacket loops. We also have
much more functionality and support available for the new
DCS. I really appreciate being able to focus on learning how
to get the most out of a new DCS rather than investing my
time getting by with an old DCS with no future.
CLASSIFIEDS
8.
9.
10.
11.
12.
13.
14.
No.copies single
issue
46,950
46,185
44,423
44,150
73
73
44,496
44,223
1227
1452
29
100
We Love to Buy
PLC/DCS
Sensors/Drives
Motor Control
Industrial Automation
www.santaclarasystems.com
1256
1552
45,752
45,775
1198
410
h. Total
46,950
46,185
97.25 %
96.61 %
No.copies 12
months
No.copies single
issue
15,876
16,249
b. Total Requested and Paid Print Copies (Line 15c) +Requested/Paid Electronic Copies (Line 16a)
60,372
60,472
c. Total Requested Copy Distribution (Line 15f) +Requested/Paid Electronic Copies (Line 16a)
61,601
62,024
98.00%
97.50%
d. Percent Paid and/or Requested Circulation (Both Print & Electronic Copies) (16b divided by 16c i 100)
I certify that 50% of all my distributed copies (electronic and print) are legitimate requests or paid copies.
17. Publication of Statement of Ownership for a Requester Publication is required and will be printed in the November 2016
issue of this publication.
18. Signature and Title of Editor, Publisher, Business Manager, or Owner
Jeremy L. Clark, VP of Circulation Date: 09/30/2016
I certify that all information furnished on this form is true and complete. I understand that anyone who furnishes false or
misleading information on this form or who omits material or information requested on the form may be subject to criminal
sanctions (including fines and imprisonment) and/or civil sanctions(including civil penalties).
SCS_1111_Classified.indd 1
AD INDEX
11/11/11 9:53 AM
ABB6
Mac-Weld 32
Allied Electronics 10
Magnetrol International 14
AutomationDirect2
Omega Engineering48
Orion Instruments3
Baldor Electric 23
Pepperl+Fuchs,
PA Division28
Endress+Hauser8, 9
Turck 33, 35
FCI 37
VEGA Americas 17
GE Digital 19
Wago 21
Load Controls 45
Yaskawa America 13
Control Report
Busy fall
Jim Montague
e xecutive Editor
jmontague@putman.net
Ignoring change is
actually a response,
of course, but its
not a very good
one, even though it
doesnt require
much effort..
58
www.controlglobal.com N o v e m b e r / 2 0 1 6
The Emerson logo is a trademark and service mark of Emerson Electric Co. 2016 Fisher Controls International LLC. D352205X012 MBB104