INtech Magazine 324483-MAYJUN 2014

Date post: 24-Feb-2018
Upload: jglobex
  • 7/25/2019 INtech Magazine 324483-MAYJUN 2014

    1/69

    www.isa.org/intech

    A PUBLICATION OF THE INTERNATIONAL SOCIETY OF AUTOMATION

    May/June 2014

    Integrating DCS I/O

    Embedded vision

    Multigenerational systems

    Mobile user interfaces

    Flow spotlight


    Hands-on training through real-life simulation.

    A one-of-a-kind training opportunity

    What makes Endress+Hauser unique is our PTU (Process Training Unit) network - full scale, working process systems with on-line instrumentation and controls. Customers gain hands-on experience with the types of operation, diagnostics and troubleshooting found in real-life process plants.

    These mini process plants feature Endress+Hauser instruments integrated with the PlantPAx process automation system from Rockwell Automation and are designed for the purpose of educating field technicians through real-life simulations and hands-on experience. Various communication protocols are fully operational, including: EtherNet/IP™, HART, PROFIBUS PA, and FOUNDATION™ Fieldbus.

    Visit www.us.endress.com/training for information on training opportunities near you!

    For information on free events and special seminars, including PTU tours, visit www.us.endress.com/special-events

    Check out our online training - End User Academy (EUA)!

    Allow field technicians to gain the valuable training needed in order to run your plant safely, smoothly and more efficiently without spending too much time away from your process.

    Test drive a sample online training course today: www.us.endress.com/eua

    Endress+Hauser, Inc, 2350 Endress Place, Greenwood, IN [email protected]

    www.us.endress.com

    Sales: 888-ENDRESS | Service: 800-642-8737 | Fax: 317-535-8498


    The Moore Industries NET Concentrator System connects instruments and systems via Ethernet, MODBUS and wireless technologies, while protecting your data from the real world.

    The NCS's rugged industrial design protects against RFI/EMI, ground loops, vibration and the most severe temperature extremes: -40°C to +85°C (-40°F to +185°F).

    Whether you're managing a local process, or need to collect data from locations across the globe, our NET Concentrator System is ready for your real world.

    Wireless Network Module for More Remote Locations

    Visit our website and download one of our Process Control and Distributed I/O Networks Problem Solvers. Learn more about our Remote I/O products at: www.miinet.com/Solvers_IO

    Call Us at 800-999-2900!

    Demand Moore Reliability

    Remote I/O Has Never Been More Rugged and Reliable

    Whatever Your Extreme


    COVER STORY

    Top ten differences between ICS and IT cybersecurity
    By Lee Neitzel and Bob Huba

    Ten of the most important differences between ICS and IT system security needs are identified and described. Understanding these differences can lead to cooperation and collaboration between these historically disconnected camps.

    PROCESS AUTOMATION

    Integrating DCS I/O to an existing PLC
    By Debashis Sadhukhan and John Mihevic

    At the NASA Glenn Research Center, existing programmable logic controller (PLC) I/O was replaced with distributed control system I/O, while keeping the existing PLC sequence logic.

    FACTORY AUTOMATION

    Industrial automation and embedded vision: A powerful combination
    By Brian Dipert

    Traditional automated manufacturing systems have relied on parts arriving in fixed orientations and locations, making manufacturing processes complex and limiting flexibility. New vision technologies are enabling flexible and make-to-order manufacturing.

    SYSTEM INTEGRATION

    Integrating multigenerational automation systems
    By Chad Harper

    Are you planning to add new elements to your existing automation system? One system integrator says it can be done, but proceed with caution.

    AUTOMATION IT

    Mobile HMI enters a new era
    By Richard Clark

    New technologies are improving remote access to PC-based and Windows-embedded HMIs from smartphones and tablets.

    SPECIAL SECTION: ENTERPRISE ASSET MANAGEMENT

    Enterprise asset management
    By Harry H. Kohal

    Enterprise asset management should be well defined and consistently implemented. Although the software exists to facilitate this, management and maintenance are often on different pages. The daily reality of disposable attitudes versus the quest to maintain, declining expertise, and lack of focus from the top down cloud the practice of enterprise asset management.

    May/June 2014 | Vol 61, Issue 3 | Setting the Standard for Automation | www.isa.org


    DEPARTMENTS

    Your Letters: Efficient pumping applications
    Automation Update: USA Science & Engineering Festival, AMT talks to Congress, By the Numbers, and more
    Channel Chat: Pediatric hospital works with CSIA member to develop unique test chamber
    Association News: Are you qualified; certification review
    Automation Basics: The art of level instrument selection
    Workforce Development: Partner with your local community college
    Standards: IACS cybersecurity
    Products and Resources: Spotlight on flow

    COLUMNS

    Talk to Me: Silo opportunities
    Executive Corner: Creating working information capital within your enterprise
    The Final Say: Wireless process instrumentation: An end user's perspective

    RESOURCES

    Index of Advertisers
    Datafiles
    Classified Advertising
    ISA Jobs

    2014 InTech ISSN 0192-303X

    InTech is published bimonthly by the International Society of Automation (ISA). Vol. 61, Issue 3.

    Editorial and advertising offices are at 67 T.W. Alexander Drive, P.O. Box 12277, Research Triangle Park, NC 27709; phone 919-549-8411; fax 919-549-8288; [email protected]. InTech and the ISA logo are registered trademarks of ISA. InTech is indexed in Engineering Index Service and Applied Science & Technology Index and is microfilmed by NA Publishing, Inc., 4750 Venture Drive, Suite 400, P.O. Box 998, Ann Arbor, MI 48106.

    Subscriptions: For members in the U.S., $9.52 annually is the nondeductible portion from dues. Other subscribers: $155 in North America; $215 outside North America. Multi-year rates available on request. Single copy and back issues: $20 + shipping.

    Opinions expressed or implied are those of persons or organizations contributing the information and are not to be construed as those of ISA Services Inc. or ISA.

    Postmaster: Send Form 3579 to InTech, 67 T.W. Alexander Drive, P.O. Box 12277, Research Triangle Park, NC 27709. Periodicals postage paid at Durham and at additional mailing office.

    Printed in the U.S.A.

    Publications mail agreement: No. 40012611. Return undeliverable Canadian addresses to P.O. Box 503, RPO West Beaver Creek, Richmond Hill, Ontario, L48 4RG

    For permission to make copies of articles beyond that permitted by Sections 107 and 108 of U.S. Copyright Law, contact Copyright Clearance Center at www.copyright.com. For permission to copy articles in quantity or for use in other publications, contact ISA. Articles published before 1980 may be copied for a per-copy fee of $2.50.

    To order REPRINTS from InTech, contact Jill Kaletha at 866-879-9144 ext. 168 or [email protected].

    List Rentals: For information, contact ISA at [email protected] or call 919-549-8411.

    InTech magazine incorporates Industrial Computing magazine.

    WEB EXCLUSIVE

    FDI meets plants' device integration needs

    Plant sensors and controllers use various industrial networking protocols that require separate software to configure. Field device integration (FDI) is a new device integration technology that combines electronic device description language and provides a single device package that can streamline engineering, commissioning, and maintenance.

    Read more at: www.isa.org/intech/201406WEB.

    InTech provides the most thought-provoking and authoritative coverage of automation technologies, applications, and strategies to enhance automation professionals' on-the-job success. Published by the industry's leading organization, ISA, InTech addresses the most critical issues facing the rapidly changing automation industry.

    ISA just launched its coolest new mobile app, InTech Plus for the iPad, which delivers interactive technical content and tools in a fresh and engaging new way. You can download InTech Plus for free through the Apple App Store at www.apple.com/itunes/. Other formats are under development. For more information about InTech Plus, contact Susan Colwell at +1 919-990-9305 [email protected].


    Ready for the field?

    Being a field calibration technician is a tough job: you need to have many skills and carry multiple devices, environmental conditions can be challenging and constantly changing, documentation of data takes time and is difficult in the field and work efficiency requirements are demanding. However, having the right gear makes the work much easier and also more efficient.

    Learn more at beamex.com/readyforthefield

    [email protected]


    Perspectives from the Editor | talk to me

    ISA INTECH STAFF

    CHIEF EDITOR: Bill [email protected]
    PUBLISHER: Susan [email protected]
    PRODUCTION EDITOR: Lynne Franke, [email protected]
    ART DIRECTOR: Colleen [email protected]
    SENIOR GRAPHIC DESIGNER: Pam [email protected]
    GRAPHIC DESIGNER: Lisa [email protected]
    CONTRIBUTING EDITOR: Charley [email protected]

    ISA PRESIDENT: Peggie W. Koon, Ph.D.
    PUBLICATIONS VICE PRESIDENT: David J. Adler, CAP, P.E.

    EDITORIAL ADVISORY BOARD

    CHAIRMAN: Steve Valdez, GE Sensing
    Joseph S. Alford Ph.D., P.E., CAP, Eli Lilly (retired)
    Joao Miguel Bassa, Independent Consultant
    Eoin Riain, Read-out, Ireland
    Vitor S. Finkel, CAP, Finkel Engineers & Consultants
    Guilherme Rocha Lovisi, Bayer Technology Services
    David W. Spitzer, P.E., Spitzer and Boyes, LLC
    James F. Tatera, Tatera & Associates Inc.
    Michael Fedenyszen, R.G. Vanderweil Engineers, LLP
    Dean Ford, CAP, Westin Engineering
    David Hobart, Hobart Automation Engineering
    Allan Kern, P.E., Tesoro Corporation

    Silo opportunities
    By Bill Lydon, InTech, Chief Editor

    There has been a great deal of discussion about isolated silos in industry creating barriers to growth, but they also offer opportunities for those willing to take the initiative. The term "silo thinking" is used in business to describe the mindset when departments do not share information and collaborate with others in the same company. That is a problem and an opportunity. In the past, departments and disciplines in manufacturing companies have worked to optimize their particular areas to be the most efficient and productive, improving controls and automation. Now automation professionals can take the initiative and apply their systems skills and thinking to view manufacturing more broadly and holistically, considering the big picture. Using this focus, automation professionals can engage with people in other groups in the organization to accomplish bigger organizational goals.

    Consider taking a risk to get people from various groups to focus on some problems and opportunities to bring a wider range of knowledge and know-how to create better solutions. The exchange of knowledge and the inevitable collaboration between people can be amazing. In the process, people develop mutual respect, expertise, and skills. Making improvements together encourages trust, creates empowerment, and breaks people out of the "my department" mentality and into the "our organization" mentality.

    A great example is the shift occurring in industry where the manufacturing automation and information technology groups had been standing alone, each defending its own turf. In many organizations, the groups are now collaborating and creating more efficient and responsive operating results. The ISA-95 standard for the integration of enterprise and control systems is a good focal point for these discussions with models and terminology.

    Sometimes the lack of collaboration between siloed groups comes into sharp focus when there are problems. Part of my career dealt with fixing large projects in the field that went off the track, with every group blaming the others for the problems. A favorite and figurative way to describe these situations was "everyone forms a circle and points right at the person next to him or her." This certainly describes the phenomenon. You can solve problems and create new ideas by engaging people in focusing on common goals and working together to solve problems. This holistic view leads to the birth of new ideas in many situations.

    Cooperative actions do not need to start as big projects. They can start by simply discussing issues over coffee and asking people from other departments or groups if they have observations and ideas. This interaction can naturally lead to collaboration.

    Specialization has made companies strong, but it has worked against cooperative efforts. It is important to remember that everyone has an intellect, and that two or more heads are better than one to generate ideas and solutions.

    Siloed departments can achieve big improvements by working together.


    your letters | Readers Respond

    Efficient pumping applications

    "Drive energy savings: Improve performance and lower downtime" [March/April 2014 InTech] is an informative presentation about variable speed drives and their applications. However, the section entitled, "Enhancing efficiency in pumping applications" could have been written more clearly.

    The speeds and savings presented in this section apply to fan and blower applications with no static head, as is stated about 80 percent into the section. This should have been located at the start of the section, and it should have been retitled as something like, "Enhanced efficiency in fan and blower applications."

    The example in the first paragraph of the section appears to confuse valve position with motor speed.

    Pumping applications can exhibit significantly lower energy savings as compared to fans and blowers due to static head. A more detailed explanation is presented in my book, Variable Speed Drives: Principles and Applications for Energy Cost Savings (ISA).

    The remainder of the article was interesting, especially the regenerative drive applications, because they are not often presented in the literature.

    David W. Spitzer, P.E.

    Please send us your comments and questions, and share your ideas with other InTech readers! Contact the editors at [email protected].

    Effective Alarm Management shouldn't cause you stress or put you at risk...

    Ronan Engineering has the solution for monitoring your most critical alarm processes.

    1. Identify critical processes
    2. Integrate reliable annunciator with current PLC or DCS control system

    We Know Safety. We Know Reliability. ISO 9001: 2008

    programmable computer annunciators | solid-state annunciators | sequence of events recorders

    Ronan provides economical solutions in custom enclosures for redundant alarm monitoring.

    Excellence in Monitoring & Measurement for 54 Years

    For more information: info.ronan.com/annunciators
    (800) 327-6626

    Source: Automation.com


    NOW YOU HAVE A CHOICE

    Now you have a choice when it comes to specifying one-piece instrumentation ball valves. Introducing FloLok EB Encapsulated Ball Valve from SSP. With unique features like its blow-out proof stem to maximize safety, and one-piece packing --in all sizes-- to ensure reliable and representative samples.

    In addition, its forged one-piece body minimizes leak paths and offers you a choice in end connections, including all popular tube fitting configurations. Plus, the drop in fit design allows for easy replacement. So if you're looking for a choice, choose SSP, where innovation begins once the standard has been met. Call us at 330-425-4250 ext.169 or visit mySSPusa.com. After all, you deserve a choice.

    Get Your Sample Today! Call 330-425-4250 ext.169 or mySSPusa.com/EB

    8250 Boyle Parkway, Twinsburg, OH 44087 | 330-425-4250 | mySSPusa.com


    automation update | News from the Field This content is courtesy of

    New Industrial Internet Consortium

    AT&T, Cisco, GE, IBM, and Intel have formed the Industrial Internet Consortium (IIC), an open membership group focused on breaking down the barriers of technology silos to support better access to big data with improved integration of the physical and digital worlds. The consortium will enable organizations to more easily connect and optimize assets, operations, and data.

    An ecosystem of companies, researchers, and public agencies is emerging to drive adoption of industrial Internet applications, a foundational element for accelerating the Internet of Things. The IIC is a not-for-profit group that will take the lead in establishing interoperability across various industrial environments for a more connected world. Specifically, the IIC's charter will be to encourage innovation by:

    - Using existing and creating new industry use cases and test beds for real-world applications
    - Delivering best practices, reference architectures, and case studies to ease deployment of connected technologies
    - Influencing the global standards development process for Internet and industrial systems
    - Facilitating open forums to share and exchange ideas, practices, lessons, and insights
    - Building confidence around innovative approaches to security

    The IIC is open to any business, organization, or entity with an interest in accelerating the industrial Internet. In addition to gaining an immediate, visible platform for their opinions, consortium members will join in developing critical relationships with leaders in technology, manufacturing, academia, and the government on working committees. The IIC will be managed by Object Management Group, a nonprofit trade association in Boston, Mass. The fee structure and membership application forms are available at www.iiconsortium.org.

    Youth engage at USA Science & Engineering Festival

    Representatives and volunteer members of ISA and its umbrella organization, The Automation Federation, demonstrated fundamental processes of industrial automation to young people at the third USA Science & Engineering Festival, conducted 25-27 April 2014 in Washington, D.C.

    More than 325,000 people, mostly primary and secondary students and their families, attended the event, the U.S.'s only national science festival, at the Walter E. Washington Convention Center. This year's festival marked the largest event ever in the history of the city's convention center.

    The USA Science & Engineering Festival plays an important role in encouraging young people to pursue learning in science, technology, engineering, and mathematics (STEM) and in expanding awareness about the virtues of STEM-related career fields, including automation. Through their participation and exhibition at the festival and other events like it, ISA and the Automation Federation broaden awareness and understanding of the automation field, a foundational step in cultivating the next generation of automation professionals.

    AMT tells Congress to shape up

    The board of directors of the Association for Manufacturing Technology (AMT) sent a letter to the U.S. congressional leadership requesting action on a bipartisan manufacturing agenda in 2014. The letter urges House and Senate leaders to consider legislation where there is common ground. It points to several initiatives with bipartisan support that would strengthen U.S. manufacturing if enacted into law, including reauthorization of the America COMPETES Act, renewal of trade promotion authority, and passage of tax, regulatory, and immigration reforms.

    The Revitalize American Manufacturing and Innovation Act (RAMI) recently passed the Senate Commerce, Science, and Transportation Committee. The bipartisan bill, introduced by Senators Sherrod Brown (D-OH) and Roy Blunt (R-MO), would establish a national network of regional manufacturing institutes modeled after America Makes, the pilot institute in Youngstown, Ohio that is focused on additive manufacturing (also known as 3-D printing). The Senate RAMI bill includes an amendment requiring the President to submit an updated National Strategic Plan for Advanced Manufacturing to Congress every four years.

    The administration announced three new institutes earlier this year, including the Digital Manufacturing and Design Institute (DMDI) in Chicago. AMT is a partner in both America Makes and the DMDI.


    Automation by the Numbers

    $1.8 billion

    Flow Research says the increased cost of oil and heightened demand for natural gas have put a premium on custody transfer in the flowmeter markets. Coriolis flowmeter suppliers have responded with an entirely new line of Coriolis flowmeters: those with line sizes of 8 to 14 inches. Formerly, only Rheonik (now part of GE Measurement) offered Coriolis meters in line sizes above 6 inches. Now other suppliers have jumped in to take advantage of the growing demand for these high-value applications. The companies include Micro Motion (part of Emerson Process Management), Endress+Hauser, and KROHNE.

    A research study from Flow Research, The World Market for Coriolis Flowmeters, 4th Edition, finds that the Coriolis flowmeter market is among today's fastest growing flowmeter markets, spurred by growing energy requirements. Worldwide sales for Coriolis flowmeters in 2011 were $1.1 billion, with a projected compound annual growth rate of 10.6 percent through 2016. The forecast is for the worldwide Coriolis market to exceed $1.8 billion in 2016.

    The study also finds that Coriolis flowmeters are the most accurate meter available today and that end users continue to view this quality as decisive within many measurement applications. The worldwide growth in liquefied natural gas as an energy source is another real driver of Coriolis sales. Flow Research expects this trend to continue. The largest single industry segment for Coriolis flowmeter usage remains chemical, where growth will be strong throughout the study period. The food and beverage and pharmaceutical industries also have a significant number of users. The study also found that the downstream oil and gas industry presents interesting new opportunities for Coriolis meters to loosen the hold that traditional technologies have had on this market.

    5,938

    In the first quarter of 2014, the robotics market in North America posted its second-highest quarter ever in terms of robots ordered, according to new statistics from Robotic Industries Association (RIA), the industry's trade group.

    A total of 5,938 robots valued at $338 million were ordered by companies in North America in first quarter 2014, coming in just shy of the all-time record of 6,235 robots valued at $385 million in fourth quarter 2012. Units ordered grew 1 percent, while order dollars fell 1 percent when compared to first quarter 2013 figures. When sales by North American robot suppliers to companies outside North America are included, the total is 6,491 robots valued at $372 million.

    The automotive industry is still the largest customer for robotics in North America, representing 58 percent of total orders, but nonautomotive industries have continued their rapid growth. The top industries in terms of growth for first quarter 2014 were food and consumer goods (+91 percent), plastics and rubber (+55 percent), and life sciences (+36 percent). RIA estimates that some 228,000 robots are now in use in U.S. factories, placing the U.S. second only to Japan in robot use.

    $559.2 million

    Upcoming brownfield and greenfield projects in the oil and gas and power generation industries will sustain the demand for automation and control solutions (ACS) in the Commonwealth of Independent States (CIS). Among the countries in the region (Kazakhstan, Azerbaijan, Uzbekistan, Ukraine, Belarus, Armenia, Kyrgyzstan, Tajikistan, and Moldova), Kazakhstan and Azerbaijan will remain market hot spots. Scheduled oil and gas exploration activities as well as the anticipated modernization of the industrial automation sectors pave the way for ACS adoption.

    Analysis from Frost & Sullivan, Strategic Analysis of the Automation and Control Solutions Market in CIS Countries, finds that the market earned revenues of $443.8 million in 2013 and estimates this to reach $559.2 million in 2017. While programmable logic controllers and safety instrumented systems will continue to dominate the market, the distributed control system segment is expected to have the highest growth rate.

    One of the key challenges in the CIS ACS market is the lack of a well-qualified workforce. Innovative ACS systems require professional engineering resources for installation, operation, and repair, and the shortage of skilled assets affects project performance and customer service support for ACS products. Another restraint is the economic downturn that has compelled customers to tighten budgets, resulting in the temporary shelving of present projects and the delay of future ones. High inflation rates further curb the purchasing power of customers and limit investments in automation.

    150,000

    Bosch Rexroth opened a new hydraulics manufacturing and distribution center in Bethlehem, Penn. The facility houses the company's valve and manifold manufacturing center for mobile and industrial hydraulics, while the new logistics and distribution facility handles shipments to more than 500 customers, including its nationwide network of drive and control distributors. This $2.2 million Brodhead Road expansion adds about 150,000 square feet, giving the company approximately 200,000 square feet over two buildings for the distribution and manufacturing operation.

    News from the Field | automation update

    This content is courtesy of http://automation.com/

    Top ten differences between ICS and IT cybersecurity

    Understanding the different needs of ICS and IT system security leads to cooperation and collaboration between historically disconnected camps

    By Lee Neitzel and Bob Huba

    In many, if not most plants with industrial control systems (ICSs), ICS engineers and their internal information technology (IT) counterparts have very different perspectives on cybersecurity. Not surprisingly, these different perspectives often lead to conflicts when connecting an ICS to the plant's IT system.

    In the past, because ICSs used proprietary hardware and software, this interconnection focused primarily on just being able to communicate. The introduction of Ethernet and Microsoft Windows into ICSs in the mid-1990s, followed by the development of OPC interfaces, greatly simplified this problem, but at the cost of exposing the ICS to security threats previously known only to IT systems.

    Further, with the rapid increase of attacks on industrial systems in the past few years, chief information officers are often held responsible for cybersecurity for the entire plant, including their ICSs. Unfortunately, not all IT security solutions are suitable for ICSs because of fundamental differences between ICS and IT systems. In addition, plants often have multiple production processes and ICSs, and some are naturally more critical than others. As a result, it is not uncommon for security to be handled differently among the various ICSs in a plant.

    This article discusses how ICSs differ from IT systems as they relate to cybersecurity. It is important that IT and ICS professionals jointly understand the following top ten differences and develop workable security solutions that benefit the whole organization.

    Difference #1: Security objectives

    One of the biggest differences between ICS and plant IT security is the main security objective of each. Plant IT systems are business systems whose primary cybersecurity objective is to protect data (confidentiality). In contrast, the main cybersecurity objective of an ICS is to maintain the integrity of its production process and the availability of its components. Protection of information is still important, but loss of production translates into an immediate loss of income. Examples of threats to production integrity include those that degrade production, cause loss of view/control, damage production equipment, or result in possible safety issues.

    One of the consequences of ICSs focusing on the production process is that ICS security is implemented using a comprehensive set of defense-in-depth layers to isolate the ICS and the physical process from the plant IT system. This isolation is the topic of difference #2.

    Difference #2: Network segmentation

    The first difference encountered when connecting ICS and IT systems is how they are segmented and protected. IT systems are usually composed of interconnected subnets (short for subnetworks) with some level of Internet connectivity. As a result, access controls and protection from the Internet are a primary focus of IT network security. It is not uncommon to see sophisticated firewalls, proxy servers, intrusion detection/prevention devices, and other protective mechanisms at the boundary with the Internet.

    Inside this boundary, the remainder of the IT network is segmented into subnets that are generally aligned with organizational and geographical boundaries. Because access between these subnets is usually required, security between them is typically limited. However, all traffic from them must pass through the Internet security boundary to access the Internet. ICS networks, on the other hand, can be viewed as industrial intranets with two overriding security requirements. First, no access to the Internet or to email should be allowed from ICS networks. Second, ICS networks should be rigorously defended from other plant networks, especially those with Internet access.

    To meet these requirements, ICSs usually employ network security devices (e.g., firewalls) for isolation from the plant IT system. Only workstations and servers within the ICS that act as gateways should allow ICS access through these ICS perimeter security devices. This prevents other devices on the ICS control network from being directly accessible from the plant network. These gateways should have an additional network card that allows them to connect to the ICS control network. In general, only devices authorized to access the ICS from the plant network should be aware of these ICS network security devices and therefore be able to send messages through them to ICS gateways.

    ICSs should be further insulated from the plant IT system by a demilitarized zone (DMZ) that sits between the plant network and the ICS. The DMZ is an intranet that should be hidden from the plant network by an undiscoverable network security device. All external access to the ICS should first pass through this device and then be terminated in DMZ servers. DMZ servers provide clients on the plant network with ICS data and events that these servers independently obtain through separate and isolated communications with the ICS. The network security device that connects the DMZ to the ICS should be configured to allow only these isolated communications to ensure that all ICS access goes through the DMZ servers.

    As a further precaution, the DMZ should use private subnet addresses that are independent of subnet addresses used in the plant network to prevent plant network messages from being erroneously routed to the DMZ. Similarly, the ICS should use private subnet addresses that are independent of DMZ addresses.
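    The segmentation rules described above (no Internet or email access from the ICS, all external access terminated in DMZ servers, only gateways reachable inside the ICS, independent private subnets) can be checked mechanically against an export of allowed connections. The following is an added example, not code from the article or from any ICS vendor; the `Flow` and `SegmentationPolicy` names, all addresses and ports, and the deny-by-default treatment of paths the article does not mention are assumptions.

```python
"""Audit connection rules against the plant / DMZ / ICS segmentation model.

Every address, port and host role below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str   # host that initiates the connection
    dst: str   # host that accepts it
    port: int


class SegmentationPolicy:
    def __init__(self, plant, dmz, ics, dmz_servers, ics_gateways):
        self.zones = {"plant": ip_network(plant), "dmz": ip_network(dmz),
                      "ics": ip_network(ics)}
        self.dmz_servers = {ip_address(a) for a in dmz_servers}
        self.ics_gateways = {ip_address(a) for a in ics_gateways}

    def zone_of(self, addr):
        """Name the zone that holds addr; unknown addresses count as Internet."""
        ip = ip_address(addr)
        for name, net in self.zones.items():
            if ip in net:
                return name
        return "internet"

    def check_addressing(self):
        """DMZ and ICS need private subnets independent of every other zone."""
        findings = [f"{n} subnet {self.zones[n]} is not private"
                    for n in ("dmz", "ics") if not self.zones[n].is_private]
        names = list(self.zones)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if self.zones[a].overlaps(self.zones[b]):
                    findings.append(f"{a} and {b} subnets overlap")
        return findings

    def check_flow(self, flow):
        """Return None if the flow fits the model, else the reason it does not."""
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        pair = (self.zone_of(flow.src), self.zone_of(flow.dst))
        if pair[0] == pair[1] or set(pair) == {"plant", "internet"}:
            return None  # intra-zone traffic and IT's Internet boundary: out of scope
        if "ics" in pair and "internet" in pair:
            return "ICS must have no Internet or email access"
        if "ics" in pair and "plant" in pair:
            return "plant/ICS traffic must terminate in a DMZ server"
        if pair == ("plant", "dmz"):
            return None if dst in self.dmz_servers else "target is not a DMZ server"
        if set(pair) == {"dmz", "ics"}:
            dmz_end, ics_end = (src, dst) if pair[0] == "dmz" else (dst, src)
            if dmz_end not in self.dmz_servers:
                return "only DMZ servers may talk to the ICS"
            if ics_end not in self.ics_gateways:
                return "only ICS gateways may be reached from the DMZ"
            return None
        # Assumption: any path the article does not describe is denied by default.
        return f"no {pair[0]} -> {pair[1]} path exists in the model"


def audit(policy, flows):
    """Return addressing findings plus (flow, reason) for each disallowed flow."""
    return policy.check_addressing(), [
        (f, reason) for f in flows if (reason := policy.check_flow(f))]


# Constructed sample: plant IT 10.20.0.0/16, DMZ 192.168.50.0/24, ICS 172.16.10.0/24.
POLICY = SegmentationPolicy(
    plant="10.20.0.0/16", dmz="192.168.50.0/24", ics="172.16.10.0/24",
    dmz_servers=["192.168.50.10"], ics_gateways=["172.16.10.5"])

SAMPLE_FLOWS = [
    Flow("10.20.4.15", "192.168.50.10", 443),    # plant client -> DMZ server
    Flow("192.168.50.10", "172.16.10.5", 4840),  # DMZ server -> ICS gateway
    Flow("10.20.4.15", "172.16.10.40", 502),     # plant host -> controller
    Flow("172.16.10.21", "203.0.113.25", 25),    # ICS workstation -> mail relay
    Flow("192.168.50.10", "172.16.10.40", 502),  # DMZ server -> controller
    Flow("192.168.50.77", "172.16.10.5", 4840),  # other DMZ host -> gateway
]

if __name__ == "__main__":
    addressing, violations = audit(POLICY, SAMPLE_FLOWS)
    for line in addressing:
        print("ADDRESSING:", line)
    for flow, reason in violations:
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port}  ({reason})")
```

    Run against a real rule export, the same check shows which entries bypass the DMZ before they are loaded onto the perimeter devices.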

    ICS networks often have remote input/output (I/O) systems, whereas IT networks do not. In these systems, I/O devices are installed in remote geographical locations and are often connected to the ICS via modems over public networks, virtual private networks (VPNs), and satellite links. Care must be taken, because these connections can give rise to security issues.

    Difference #3: Network topology

    Closely related to network segmentation differences are network topology differences. Many IT systems are large when compared to a typical ICS and contain data centers, intranets, and Wi-Fi networks. ICSs, on the other hand, are often small and have only a configuration database and data/event historians.

    It is not uncommon for an IT system to have hundreds if not thousands of nodes whose numbers change daily as employees come and go, as applications evolve, and as mobile devices are connected and disconnected. In contrast, most ICSs are an order of magnitude smaller, and generally have statically defined configurations.

    IT network configurations, including VPNs, and network security devices have to keep up with these changes. As a result, IT systems extensively use many automated tools, such as dynamic host configuration protocol (DHCP), to manage their network topologies. These and other tools are cost effective only in large-scale systems and are considered expensive and complex by ICS standards.

    ICSs typically remain relatively static for years. A rigorous change management process is normally mandatory to ensure all changes are approved and tested. In addition, the use of DHCP and Wi-Fi segments is discouraged in the ICS for security reasons. In addition, ICS networks that connect ICS workstations with controller-level devices are normally redundant to prevent a network failure from affecting the operation of the control system. This network redundancy is typically proprietary to the ICS vendor with custom addressing models and switchover logic. As a result, the tools and techniques IT uses to maintain its dynamic network topologies are often not suitable or applicable to statically defined ICS networks.

    FAST FORWARD

    - Differences in ICS and IT security objectives cause competing and often conflicting security solutions.
    - Differences in ICS and IT system characteristics lead to different defense-in-depth strategies.
    - Differences in ICS and IT operational characteristics cause differences in how security mechanisms are implemented and used.

    Those responsible for cybersecurity within an organization must understand the differences between ICS and IT systems in order to work together effectively.

    Difference #4: Functional partitioning

    ICS and IT systems are functionally partitioned in different ways. The most common approach taken by IT systems is to divide the system into various administrative partitions to better restrict user access to information assets. The IT department typically implements the partitions using Windows Domains and operating system objects, such as files. Domains and organizational units typically represent business units/geographical entities within an organization, to which users and computers are assigned. Groups are used to control access to these computers and their objects (files, folders, executables, etc.) through the definition of access control lists (ACLs).

    Each object contains an ACL that identifies who has been granted/denied access to the object. To simplify the process of pairing users with objects, groups are defined and assigned to objects, and then users are assigned to groups. As a result, only users/roles who are trusted to access an object are granted permission to do so. The careful definition of groups/roles can thereby be used to partition an IT system into trust levels.

    ICS partitioning is much different. The ICS is partitioned into three levels (0, 1, and 2), as defined by the ISA95/Purdue reference model. Level 0 represents the physical process; Level 1 is control and monitoring; and Level 2 is supervisory control. Because of the nature of the devices used in these ICS levels, it is necessary to map trust levels to the device. In this case, trust means how much a device is trusted to behave as expected.

    At Level 1, field devices perform I/O operations on the physical process (Level 0). Because they operate on the physical process, field devices have the highest level of trust. Trust generally is ascertained through design reviews, functional testing, and experience. Devices whose behavior is questionable should not be trusted and should not be used in Level 1.

    Field devices use proprietary designs and firmware. Many can communicate digitally using standard, industrial protocols such as HART, Foundation Fieldbus, Profibus, DeviceNet, and Modbus. With the exception of wireless, field device protocols rarely include security features. Therefore, access to field devices must be protected by external means. Unfortunately, network security devices, such as firewalls, that are commonly used in IT systems are not applicable. These industrial protocols are not based on Ethernet or TCP/IP. Instead, physical and procedural security often restricts access to field devices and their communication links.

    In addition, device firmware needs protection, including protection of upgrade files and the processes used to install them (e.g., flash upgrades and over-the-wire upgrades). Currently, the firmware upgrade process often has limited security features.

    At Level 2 are distributed control system controllers, programmable logic controllers, remote terminal units (RTUs), remote I/O devices, and other similar devices. Because they read and write field device parameters, controller-level devices require the second highest level of trust, generally attained through testing and experience.

    Controller-level devices, other than some RTUs and other remote devices, usually have limited security-related features and rely on the Level 2 control network for protection. ICS vendors often use industrial grade, proprietary firewalls and Ethernet switches in the control network to separate it into two layers, the workstation layer and the control layer.

    These network devices have three primary security objectives: to lock down the network to prevent unauthorized devices from connecting to it, to protect controller-level devices from unauthorized contact, and to prevent them from being saturated with network traffic by rate-controlling the network traffic flowing to them.

    IT typically does not have the policies, procedures, tools, and expertise in place to manage the ICS vendor-specific Level 2 network and controller-level devices and the Level 1 I/O devices.

    Also at Level 2, and sitting above controller-level devices, are the workstations/servers (configuration/engineering, maintenance, operator, historian stations), all having direct connectivity to the controllers, and all using components and operating systems familiar to IT, such as PCs, Windows, and Ethernet. Level 2 workstations and servers have the third highest level of trustworthiness in the ICS. They provide the buffer between the outside world (Level 3 and beyond) and the process, so outside direct access to controller-level devices should not be allowed. Access to controller-level devices should be limited to Level 2 workstations and servers approved by the ICS vendor.

    Compared to a typical IT system, most ICSs contain relatively few workstations and other computing components, a crucial difference that greatly affects the feasibility of implementing certain cybersecurity measures.

    Another I/O change? Great. So another wiring schedule. Another marshalling design. And another cabinet... Just make it all go away!

    YOU CAN DO THAT

    Electronic marshalling eliminates the rework, the redesign and the headaches. With DeltaV Electronic Marshalling, Emerson lets you make I/O changes where and when you need them without costly engineering and schedule delays. Our new DeltaV CHARacterization Module (CHARM) completely eliminates the cross-wiring from the marshalling panel to the I/O card regardless of signal type so you're no longer held to predefined specifications. All those wires, gone. All that time and engineering, gone. See how easy it can be by scanning the code below or by visiting IOonDemandCalculator.com

    The Emerson logo is a trademark and a service mark of Emerson Electric Co. 2014 Emerson Electric Co.

    The trust levels of Level 2 workstations and servers are lower than controller-level and field devices for three reasons:

    - They run commercial operating systems and software (e.g., SQL database software) with vulnerabilities that are continuously being discovered and exploited.
    - They have a better chance of being infected or compromised, because they can be accessed by Level 3.
    - They have users who may not always follow policies and procedures; some may plug in nonverified USB sticks, plug in their smartphones to charge, or bring in their own software that has not been tested to operate correctly with the ICS.

    The trust levels associated with field devices, controller-level devices, and workstations are inherent to most control systems. Understanding them and maintaining separation/isolation between them is a responsibility that is normally not present in IT systems.

    Difference #5: Physical components

    Closely related to functional partitioning and trust levels are the physical components used to implement ICS and IT systems. IT systems are primarily composed of off-the-shelf networks, workstations, and servers that IT can access and administer. As a result, IT departments are able to define security policies for these components and enforce them with off-the-shelf security-related applications and devices, such as firewalls, antivirus systems, and patch management systems.

    In contrast, ICSs are not IT systems doing control, as it may sometimes appear, but instead are tightly integrated proprietary systems. With the exception of workstations and servers, ICSs are composed of components that are generally custom built and foreign to IT. This often includes network devices built for industrial use, including Ethernet switches and firewalls. And, although ICS workstations and servers are typically based on Windows, they are usually hardened by the ICS vendor to the point that their software, other than the operating system, is custom built, and their security policies are set to industry standards that may conflict with the policies used within the IT system.

    Consequently, IT security cannot just be mapped onto the ICS. Instead, the components used in the ICS may, and often do, require security-related ICS vendor-specific tools unknown to IT systems, such as custom event logs, port lockdown mechanisms, and features for disabling USB ports.

    Difference #6: User accounts

    IT systems generally support two levels of users: users known to the operating system (e.g., Windows users) and users of specific applications (e.g., order-entry systems). Operating system user accounts are used to authenticate the user during login and to identify which operating system resources the user can access. IT system administrators often administer operating system user accounts with Windows Domains/Active Directory. When multiple domains are present, IT administration establishes trusts between specific domains to let users access resources across domain boundaries.

    IT systems also often contain applications, such as database applications, that have their own user accounts that can be independent of operating system accounts. For these applications, the user must go through a separate login screen before being allowed to access the data.

    ICSs also use operating system user accounts and domains. However, allowing IT systems users to access the ICS by establishing trusts from IT system domains to the ICS domain is generally not recommended, since it reduces isolation of the ICS.

    ICSs also have their own application-specific users. Unlike IT applications, however, the ICS is really a complete distributed system composed of configuration, operation, and maintenance applications, databases, and event journals. ICSs almost always use role-based access controls for granting/denying access to control data and devices. Operators, process engineers, and maintenance engineers are examples of these roles.

    To manage access to these elements of the ICS, ICSs typically have an ICS-specific user management application. Although in principle this is similar to IT application security, the complexity, scope, and technical expertise required to administer ICS users is closely related to the nature of the process being controlled, which is generally not familiar to IT system administrators.

    Finally, authorizing access from the plant network to the ICS becomes more difficult because of these differences. Do all external users become users of the ICS and its domain, or do DMZ server applications provide access to authorized IT system users but connect to the ICS using ICS credentials? Also, how is traceability maintained for auditable ICS transactions? Answering these questions normally requires collaboration between the ICS and IT systems administrators.
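    One way to answer the two questions above, as an added example that is not from the article or from any ICS product: a DMZ server application vets plant IT users itself, connects to the ICS with its own ICS credential, and passes the originating user along so the ICS journal stays traceable. The permission sets, account names, plant areas and the `dmz_data_service` role are assumptions.

```python
"""Role-based ICS access with a DMZ broker that keeps plant users traceable.

Role names follow the article; accounts, areas and permissions are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed permission sets for the roles the article names.
ROLE_PERMISSIONS = {
    "operator": {"read_value", "write_setpoint", "acknowledge_alarm"},
    "process_engineer": {"read_value", "modify_configuration"},
    "maintenance_engineer": {"read_value", "calibrate_device"},
    "dmz_data_service": {"read_value"},  # hypothetical role for the DMZ server
}


@dataclass(frozen=True)
class IcsAccount:
    name: str
    role: str
    areas: frozenset  # plant areas this account may touch


class IcsAccessControl:
    """Stand-in for an ICS-specific user management application."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.audit_log = []

    def authorize(self, account_name, action, area, on_behalf_of=None):
        account = self.accounts.get(account_name)
        allowed = (account is not None
                   and action in ROLE_PERMISSIONS.get(account.role, set())
                   and area in account.areas)
        # Every decision is journaled with the originating identity, so an
        # auditable transaction can be traced past the shared ICS credential.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "ics_account": account_name,
            "on_behalf_of": on_behalf_of or account_name,
            "action": action, "area": area, "allowed": allowed,
        })
        return allowed


class DmzBroker:
    """DMZ server application: vets plant IT users, then uses ICS credentials."""

    def __init__(self, ics, service_account, authorized_it_users):
        self.ics = ics
        self.service_account = service_account
        self.authorized_it_users = set(authorized_it_users)
        self.rejections = []  # requests refused before they reach the ICS

    def request(self, it_user, action, area):
        if it_user not in self.authorized_it_users:
            self.rejections.append((it_user, action, area))
            return False
        # The IT user never becomes an ICS user; only the service account does.
        return self.ics.authorize(self.service_account, action, area,
                                  on_behalf_of=it_user)


def build_sample():
    """Constructed accounts: two ICS users plus the DMZ service account."""
    ics = IcsAccessControl([
        IcsAccount("jsmith", "operator", frozenset({"boiler"})),
        IcsAccount("mlee", "maintenance_engineer", frozenset({"boiler", "reactor"})),
        IcsAccount("svc_dmz_historian", "dmz_data_service",
                   frozenset({"boiler", "reactor"})),
    ])
    broker = DmzBroker(ics, "svc_dmz_historian",
                       authorized_it_users={"PLANT\\akhan"})
    return ics, broker


if __name__ == "__main__":
    ics, broker = build_sample()
    ics.authorize("jsmith", "write_setpoint", "reactor")   # outside jsmith's area
    broker.request("PLANT\\akhan", "read_value", "reactor")
    broker.request("PLANT\\akhan", "write_setpoint", "boiler")
    for entry in ics.audit_log:
        print(entry)
```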

    Difference #7: SIS

    Plant safety is a critical part of plant operation, and ICSs, therefore, often include integrated, yet distinct, safety instrumented systems (SISs). The SIS is responsible for maintaining the safe operation of the process by placing the process into a safe state when process conditions that threaten safety are detected. IT systems have no systems analogous to the SIS.

    SIS networks are usually proprietary and must be securely segmented and isolated from ICS networks. In addition, the SIS decision-making component, commonly called the logic solver, is also a custom, proprietary component, separate even from other components used in the ICS. Also, SIS-specific standards that include security are currently under development in ISA84. As a result, commonly used IT tools and network devices are not applicable to SIS network security.

    Managing the security of an ICS includes an often manual effort to ensure that the SIS is protected from the ICS and from external interference, and that its integrity has not been compromised. These are capabilities not normally within the scope of IT systems professionals.

    Difference #8: Untested software

    IT systems are typically open systems, which allow them to run off-the-shelf software and to evolve over time. Evolution includes adding new software; updating workstation, server, and network device hardware and software; replacing components as needed; and even adding new components to the system. Keeping systems current is one of the approaches taken in IT systems to maintain security.

    ICSs, however, are typically closed and implemented to a specific hardware configuration and operating system version (e.g., service pack), and may not run properly if either is changed. As a result, all updates, including patches and virus definition files, have to be thoroughly tested with the ICS before being approved for installation.

    Likewise, all new software added to the ICS that is not supplied or supported by the vendor should be thoroughly tested for compatibility with the ICS. In some cases, as with those regulated by the Food and Drug Administration, the ICS and IT systems associated with the regulated product must be validated, and once validated, cannot be updated with new software without being revalidated. But for typical IT systems, this rigor is not common. Running software that has not been tested with the specific ICS is a serious concern, because of its potential to cause conflicts or failures within the ICS or introduce vulnerabilities of its own. Therefore, all software to be run in an ICS should be tested and approved using a formal operations change management process.

    The most common way to protect against the introduction of unapproved software is to restrict installation privileges and to use access control lists for program directories. However, these mechanisms do not protect against executables that can be copied to the directory and run without being installed. Mechanisms to prevent this type of software from being loaded onto a workstation include disabling USB ports and CD/DVD drives and tight control or elimination of shared drives. Although these are commonly employed techniques in ICS workstations and servers, they are seldom used in IT systems.

    Mechanisms to prevent unapproved software from being run are not as commonplace. While antivirus software can detect infected software, it cannot detect untested or unapproved software. For this, whitelisting is gaining acceptance in IT systems. Whitelisting complements antivirus programs by allowing only approved and authentic (uninfected) executables to run. However, because of the checks necessary to validate an executable each time it is run, performance is affected.

    Software that has been approved to execute in an IT system often has not been rigorously tested for compatibility with the IT system. All software that is allowed to run on an ICS must be tested to ensure it will not interfere with the ICS.

    Difference #9: Patching

    IT systems normally have patch management software that automatically installs security updates very quickly after their release. On the other hand, it is not uncommon for patches to be deferred or postponed indefinitely in ICSs. ICS patching requires testing, approval, scheduling, and validation to ensure safe and repeatable control. Scheduling is required because of the potential disruption to operations, such as reboots. Reboots can cause a temporary loss of view/control, and worse, they can fail, often requiring technical intervention to return a failed component to service. As a result of the effort required and because of the associated risks, patching is often not performed on an operational ICS, or at least not on the same schedule as IT system patching.

    In addition, because the lifespan of ICSs is so long, patches for many older systems are no longer available. For example, there are many ICSs still in operation that run Windows NT and Windows XP.

    The challenge for ICSs, which is not shared by IT systems, is to keep unpatched systems secure. Typically this is done through compensating security mechanisms in an ICS's defense-in-depth strategy.

    Difference #10: Security inconveniences

    As most of us probably agree, cybersecurity measures add a degree of inconvenience to our jobs. Who has not had to wait while operating system patches are being installed? Or who has not had to call the service desk to report that he or she is locked out and needs to have a password reset? But as cumbersome as they can be, we have all learned to live with these inconveniences.

    However, in an ICS environment, such inconveniences may not be tolerable, especially those that decrease performance. Imagine not receiving a critical system alarm in time to respond to it, or having to handle it while the workstation decides to reboot itself. Also, having to use a long and complex password during a process upset may not be acceptable. While many of these inconveniences are not specific to ICSs, they can be intolerable to them.

    As a result, security measures that are acceptable in IT systems may not be acceptable in an ICS. If indiscriminately employed in an ICS, IT security measures may pose one of the biggest threats to ICS security. Because they are so painful or disruptive, they often result in the security mechanisms being bypassed, disabled, postponed, or otherwise ignored. Not only will this expose the ICS to vulnerabilities, but it will also negatively affect attitudes of ICS users toward future attempts to secure the ICS.

    We have examined how ICSs differ from IT systems with respect to cybersecurity. Unfortunately, failure to understand these differences often leads to conflicts between IT and ICS administrators, which leads to a less-than-optimal security solution for the plant. These discussion points should help promote communications and resolve conflicts.

    ABOUT THE AUTHORS

    Lee Neitzel ([email protected]), senior engineer at Emerson Process Management, has been involved in security and network standards for more than 25 years. He is currently the IEC project leader for integrating the WIB Process Control Domain Security Requirements for Vendors specification into the ISA-99/IEC 62443 security standards. Bob Huba (Bob.Huba@Emerson.com), system security architect, has been with Emerson Process Management for 36 years. He is active in the development of the ISA-99/IEC 62443 standards.

    View the online version at www.isa.org/intech/20140601.

    Unlike their IT counterparts, ICS users need additional role-based access controls so that each person can access only the areas of the ICS needed to do a particular job.
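    The whitelisting behaviour described under difference #8, as an added example rather than code from the article or from a product: executables are approved by content hash after testing, so a file copied into a program directory or an untested update is refused. File names, contents and change-ticket ids are constructed, and the launch hook that would call `check()` before starting a program is assumed.

```python
"""Hash-based executable allowlist for an ICS workstation.

File names, file contents and change-ticket ids are constructed sample data.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Hash the file in chunks; this read on every launch is the performance cost."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ExecutableAllowlist:
    def __init__(self):
        self._approved = {}  # sha256 digest -> change-management record

    def approve(self, path, change_ticket):
        """Record the exact build that passed testing with the ICS."""
        self._approved[sha256_of(path)] = {
            "name": Path(path).name, "change_ticket": change_ticket}

    def check(self, path):
        """Return (allowed, reason) for one launch request."""
        path = Path(path)
        if not path.is_file():
            return False, "not a regular file"
        record = self._approved.get(sha256_of(path))
        if record is None:
            return False, "content matches no tested and approved build"
        return True, f"approved under {record['change_ticket']}"


def demo():
    """Walk four launch requests through the allowlist and return the decisions."""
    decisions = {}
    with tempfile.TemporaryDirectory() as tmp:
        program_dir = Path(tmp) / "programs"
        usb_stick = Path(tmp) / "usb"
        program_dir.mkdir()
        usb_stick.mkdir()

        viewer = program_dir / "trend_viewer.bin"
        viewer.write_bytes(b"constructed build 1.0 of an approved tool")
        allowlist = ExecutableAllowlist()
        allowlist.approve(viewer, change_ticket="CHG-EXAMPLE-001")
        decisions["approved build"] = allowlist.check(viewer)

        # A file copied into the program directory needs no installer, so
        # install privileges never come into play; the hash check still fails.
        stray = usb_stick / "handy_tool.bin"
        stray.write_bytes(b"constructed untested utility")
        copied = Path(shutil.copy(stray, program_dir / stray.name))
        decisions["copied from USB"] = allowlist.check(copied)

        # An update that skipped change management changes the digest.
        viewer.write_bytes(b"constructed build 1.1, not yet tested")
        decisions["untested update"] = allowlist.check(viewer)

        # Once the new build has been tested and approved, it runs again.
        allowlist.approve(viewer, change_ticket="CHG-EXAMPLE-002")
        decisions["retested update"] = allowlist.check(viewer)
    return decisions


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:16} {'ALLOW' if allowed else 'DENY '}  {reason}")
```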
    secure plan(t)

    Proactive Protection for your Process Control Systems.

    Honeywell offers a systemic approach to help mitigate the risks of the evolving cyber threat landscape. Industrial IT Solutions is a complete portfolio of services and tools that employ best practices in process control and cyber security. Honeywell global experts help users develop a security scheme to preserve key assets and ensure data availability, integrity and confidentiality. Honeywell's Industrial IT solutions deliver a more predictable and secure environment regardless of control system vendor or location.

    Securing a reliable, productive operation.

    For more information go to becybersecure.com or visit our blog at insecurity.honeywellprocess.com

    Also, follow us @insecculture

    2013 Honeywell International, Inc. All rights reserved.

    PROCESS AUTOMATION


    FAST FORWARD

    • I/O parts for repair and replacement were difficult to find.

    • The new I/O system has improved throughput speed from the I/O to the operator screens.

    • Advantages of the new I/O system include diagnostic capability and calibration.

    miles of process piping and 600 valves to connect the above systems to the various test facilities. A DCS/PLC/pressure and surge controller system consisting of nearly 100 proportional, integral, derivative (PID) control loops and more than 12,000 I/O points monitors and controls the vast amount of equipment across the facility. More than 12 miles of dual-redundant data highway cable is installed to interface with the control/data system for these essential services.

    Historically, the equipment for controlling and monitoring the process consisted of a PLC processor and its associated I/O distributed near process equipment. The PLC communicated to the DCS controller via the Modbus RTU protocol. The DCS controller then communicated to the operator console via a proprietary data highway network.

    Reasons for conversion to DCS I/O

    Although the existing I/O was adequate at one time, the need for its replacement became more apparent as the technology changed. While the existing I/O was readily available in the 1990s, more recently parts for repair and replacement were difficult to find. An upgrade to the new replacement PLC I/O was available, but it provided none of the benefits of the DCS I/O. The DCS I/O had much faster speed and a quality status, which was not available on a Modbus RTU serial link with a transmission rate of 19,200 baud.
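
    The serial link described above can be made concrete with a short added example (not code from the article or from the facility's system): it builds a Modbus RTU read request, validates a response, and estimates the wire time at 19,200 baud. The slave address, register range, sample values, and 11-bit character framing are assumptions chosen for illustration.

```python
"""Added illustration: what a Modbus RTU poll carries and how long it occupies
a 19,200-baud serial link. Addresses and register counts are assumed values."""
import struct

BAUD = 19_200          # transmission rate quoted in the article
BITS_PER_CHAR = 11     # assumed RTU character: start + 8 data + parity + stop


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def read_holding_request(slave: int, start: int, count: int) -> bytes:
    """Build a function-0x03 request; the CRC goes on the wire low byte first."""
    if not 1 <= count <= 125:
        raise ValueError("a single read returns at most 125 registers")
    pdu = struct.pack(">BBHH", slave, 0x03, start, count)
    return pdu + struct.pack("<H", crc16_modbus(pdu))


def build_response(slave: int, values: list) -> bytes:
    """Constructed sample response, standing in for a captured frame."""
    body = struct.pack(f">BBB{len(values)}H", slave, 0x03, 2 * len(values), *values)
    return body + struct.pack("<H", crc16_modbus(body))


def parse_read_response(frame: bytes) -> list:
    """Validate CRC and length, then return the raw 16-bit register values.

    The payload is nothing but counts: the frame has no field for a per-point
    quality flag, and the CRC only detects line noise, it does not
    authenticate the sender.
    """
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    if body[1] & 0x80:
        raise ValueError(f"exception response, code {body[2]}")
    if body[2] != len(body) - 3 or body[2] % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{body[2] // 2}H", body[3:]))


def transaction_seconds(count: int) -> float:
    """Wire time for one request/response pair, including the two
    3.5-character silent intervals that delimit RTU frames."""
    request_chars = 8
    response_chars = 5 + 2 * count
    return (request_chars + response_chars + 2 * 3.5) * BITS_PER_CHAR / BAUD


if __name__ == "__main__":
    print("request :", read_holding_request(slave=1, start=0, count=10).hex(" "))
    print("values  :", parse_read_response(build_response(1, [0, 2048, 4095])))
    print(f"125 registers: {transaction_seconds(125) * 1000:.1f} ms on the wire")
```

    The wire time is a lower bound for one poll; it does not include the processing time of the devices at either end.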

    The choice was to either replace the entire PLC system with the DCS system at one time, which required massive logic conversion and testing, or perform a two-phase implementation approach. The first phase would replace the PLC I/O with the DCS I/O. Then the second phase would involve converting PLC logic to DCS logic. The split approach was chosen to minimize downtime and prevent a complicated check-out process.

    Hardware installation

    The components for this application include a new DCS controller, a DCS I/O, and new 24-V dual-redundant power supplies for the I/O. The PLC processor remains and communicates strictly to the old DCS controller, which in turn communicates to the new DCS controller that talks to the new DCS I/O. As with the old system, the primary function of the new system is to provide process control of the equipment via the DCS, which is made available to operators at a remote location. The basic system architecture is shown in figure 1.

    In all cases, existing wiring could be reused as part of the new scheme. The new I/O was mounted in the existing I/O space. The old field wires were terminated on the new I/O. The 24-V I/O power supplies were installed in an existing cabinet. A new DCS controller, connected to the new DCS I/O via fiber, was installed in the same cabinet as the old DCS controller. The new DCS controller communicates to the old DCS controller via a backplane that provided a local control highway within the cabinet.

    Software installation

    The software for this application includes DCS controller software that allows communication between the old DCS controller and the new DCS controller. The PLC receives the necessary data for sequence logic from the new DCS controller. No field I/O connects to the PLC. All PID algorithms are processed in the new DCS controller and pressure and surge controllers, which communicate to the old DCS controller via Modbus.

    System architecture

    The new DCS I/O is installed in the current PLC I/O location. Wires from the field were removed from the PLC I/O and terminated on the new DCS I/O. The new DCS I/O connects to the new DCS controller via a fiber optics network. The old DCS controller utilizes a custom foreign device interface C program and Modbus RTU protocol to communicate to the PLC. The old and new DCS controllers communicate with the operator console via a proprietary data highway.

    [Figure 1. Basic system architecture. Three configurations (old, current, future) showing field devices, PLC I/O, PLC, DCS I/O, pressure/surge controllers, and DCS controllers in the DCS cabinet, connected by Modbus RTU, fiber, and the backplane, with the data highway to the operator console.]

    One of the powerful features of the new I/O is the troubleshooting capability via the DCS diagnostic. It also provides bad quality status on the operator console in the case of signal failure. With the old PLC I/O system, analog data was converted to digital counts (0–4095). The problem with this conversion is there is no under or over range. The live zero of a 4- to 20-mA signal is lost. This is a very important feature.

    Before DCS and human-machine interface (HMI), when pushbuttons and meters were the interface to the operators, zero-based meters, whether voltage or current, were common. The problem with zero-based measurement readouts is the inability to distinguish a true zero reading from a failed transducer. With the PLC there was also no way to distinguish a zero reading (4 mA = 0 counts) from a failed transducer (0 mA = 0 counts).
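
    The difference can be shown with a short added example (not code from the article): the first function models the zero-based 0–4095 conversion described above, the second keeps the live zero and returns a quality status with the value. The 12-bit scaling with 4 mA mapped to 0 counts follows the article; the fault and range thresholds (3.6, 3.8, 20.5, and 21.0 mA, in the style of NAMUR NE 43), the function names, and the sample currents are assumptions.

```python
"""Added illustration of why the live zero of a 4-20 mA loop matters.
Thresholds below are assumed (NAMUR NE 43 style), not taken from the article."""
from typing import NamedTuple

FULL_SCALE_COUNTS = 4095
LIVE_ZERO_MA, SPAN_MA = 4.0, 16.0


def legacy_counts(current_ma: float) -> int:
    """Zero-based conversion as the article describes it: 4 mA -> 0 counts,
    20 mA -> 4095 counts, clamped, so nothing below or above range survives."""
    raw = round((current_ma - LIVE_ZERO_MA) / SPAN_MA * FULL_SCALE_COUNTS)
    return max(0, min(FULL_SCALE_COUNTS, raw))


class Reading(NamedTuple):
    percent: float   # value in percent of span, not clamped
    quality: str     # "GOOD", "UNDER_RANGE", "OVER_RANGE", or "BAD"


def reading_with_quality(current_ma: float) -> Reading:
    """Classify the loop current before scaling, so a dead loop is reported
    as a bad signal instead of as a plausible zero."""
    percent = (current_ma - LIVE_ZERO_MA) / SPAN_MA * 100.0
    if current_ma <= 3.6 or current_ma >= 21.0:
        quality = "BAD"            # open loop, lost power, or transmitter fault
    elif current_ma < 3.8:
        quality = "UNDER_RANGE"
    elif current_ma > 20.5:
        quality = "OVER_RANGE"
    else:
        quality = "GOOD"
    return Reading(round(percent, 2), quality)


def compare(samples_ma):
    """Return (mA, legacy counts, quality) for each sample current."""
    return [(ma, legacy_counts(ma), reading_with_quality(ma).quality)
            for ma in samples_ma]


if __name__ == "__main__":
    # Constructed loop currents: broken wire, true zero, mid-scale,
    # slight over-range, and a transmitter driven to its fault level.
    for ma, counts, quality in compare([0.0, 4.0, 12.0, 20.6, 22.0]):
        print(f"{ma:5.1f} mA  legacy={counts:4d} counts  quality={quality}")
```

    A broken wire (0 mA) and a true zero (4 mA) both come out as 0 legacy counts, while the second function reports them as BAD and GOOD respectively.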

    High-speed PID loops (100-ms sampling time) and analog data used for measurement and alarming are processed through the new DCS I/O. Only sequence data is processed through the PLC processor.

    Testing of new I/O

    Some problems were encountered while commissioning the new I/O installation. One of these involved minor wiring errors on the drawings, which made it hard to find the field devices for HMI screen-to-field device point testing. This was a relatively easy fix. Verification of the drawings before demolition, although time consuming, would have lessened downtime and would have resulted in a net saving of time. Having the same PLC logic reduced troubleshooting, by isolating errors to the I/O cabinet.

    General evaluation

    Although the PLC I/O was sufficient by prior standards, the organization believed that the newer industrial technologies were at the very least worthy of a trial in the CPS application. No historical data is presented here to detail the performance of the traditional PLC I/O system versus the new DCS I/O system, but years of experience with them do give one an overall appreciation for the strengths and shortcomings of the vintage technology. All said, this type of I/O has, except perhaps in less demanding roles, outlived its usefulness in modern control and data acquisition systems.

    Thus far, the new I/O is very accurate. There is no indication of failing or drifting from the original calibrations. However, one drawback to the system is that for the present the signal update time in the PLC is 4 to 5 seconds compared to 2 to 3 seconds with the old I/O. However, the signals that are not needed in the PLC are scanned at the field device and available to the operator console in 2 seconds. The 4- to 5-second delay is due to the transfer rate from the new I/O to the old DCS controller in addition to the field device interface (FDI) of 2 to 3 seconds. This update rate is tolerable, however, for these noncritical process sequence points. With the new I/O, the FDI is gone, therefore eliminating the overhead of the C program and the 19,200 baud serial transmission rate. The time required for the new DCS controller to scan all its associated I/O is 250 milliseconds.

    Future applications

    There is a plan to convert the PLC program to a DCS controller program, thereby reducing two controllers (the PLC and the old DCS controller) to one controller and reducing the 4- to 5-second response time for sequence points to 2 seconds.

    Benefits

    The new DCS I/O provides simple installation, more accurate data, and improved diagnostic capability compared to the old I/O systems at GRC. Therefore, in the long term, we foresee the utilization of DCS I/O as an enhancement to our facility DCS and a benefit to users.

    ABOUT THE AUTHORS

    Debashis Sadhukhan (Debashis.Sad-[email protected]), process controls system manager at NASA Glenn Research Center (GRC), has been employed at GRC since 1991 and is experienced in integration of DCS and PLC systems. He is currently president of the ISA Cleveland Section and bulletin editor. John Mihevic was DCS control system manager at GRC until his retirement in 2007.

    View the online version at www.isa.org/intech/20140602.


    STEPS TO ENSURE MES SUCCESS

    The question isn't "What can manufacturing execution systems do?" It's "What can't they do?" Whether you're monitoring or managing equipment, labor, product quality, recipes or batches, there's an MES for you.

    But because MES upgrades and enhancements offer such a wide range of functionality, defining the initial scope is a critical step that's often overlooked. The resulting abundance of data can be so overwhelming that many companies simply abandon the initiative rather than reassess their approach.

    Crawl Before You Walk

    In a recent blog post, John Clemons, director of manufacturing IT at MAVERICK Technologies, recommends an approach that most of us will find strikingly familiar: Crawl before you walk, and walk before you run. This advice hearkens back to some of our earliest memories, yet it remains just as valuable when applied to MES projects.

    Because MES is so comprehensive and complex, Clemons warns against biting off more than you can chew. "Starting small and building is the best road to success with MES," he writes. "Trying to make MES be all things to all people will almost certainly ensure it fails."

    Start with the Snags

    Perhaps you're looking to improve overall equipment effectiveness (OEE). Or maybe you want to reduce yield losses. Both are great ways to start applying MES. In either case, you want to begin by focusing intently on areas where you already know bottlenecks exist. By limiting your MES measurements to problem equipment, you can home in on root causes and resolve them individually to improve overall efficiency and performance.

    Statistical process control (SPC) is another worthwhile jumping-off point for MES. Similar to OEE and yields, with SPC you'll want to identify the processes, equipment or lines that seem to produce the greatest variability. But then you'll want to take

    Manufacturing execution systems (MES) are applicable to so many processes that it can be tempting to try and optimize everything at once. Here's why doing too much too soon is often the downfall of early MES efforts.


    Michael Brading is chief technical officer of the Automotive Industrial and Medical business unit at Aptina Imaging. He has a B.S. in communication engineering from the University of Plymouth.

    Tim Droz heads the SoftKinetic U.S. organization, delivering 3-D ToF and gesture solutions to international customers, such as Intel and Texas Instruments. Droz earned a BSEE from the University of Virginia, and an M.S. in electrical and computer engineering from North Carolina State University.

    Pedro Gelabert is a senior member of the technical staff and a systems engineer at Texas Instruments. He received his B.S. and Ph.D. in electrical engineering from the Georgia Institute of Technology. He is a member of the Institute of Electrical and Electronics Engineers, holds four patents, and has published more than 40 papers, articles, user guides, and application notes.

    Carlton Heard is a product manager at National Instruments, responsible for vision hardware and software. Heard has a bachelor's degree in aerospace and mechanical engineering from Oklahoma State University.

    Yvonne Lin is the marketing manager for medical and industrial imaging at Xilinx. Lin holds a bachelor's degree in electrical engineering from the University of Toronto.

    Thomas Maier is a sales and field application engineer at Bluetechnix and has been working on embedded systems for more than 10 years, particularly on various embedded image processing applications on digital signal processor architectures. After completing the Institution of Higher Education at Klagenfurt, Austria, in the area of telecommunications and electronics, he studied at the Vienna University of Technology. Maier has been at Bluetechnix since 2008.

    Manjunath Somayaji is the Imaging Systems Group manager at Aptina Imaging, where he leads algorithm development efforts on novel multi-aperture/array-camera platforms. He received his M.S. and Ph.D. from Southern Methodist University (SMU) and his B.E. from the University of Mysore, all in electrical engineering. He was formerly a research assistant professor in SMU's electrical engineering department. Prior to SMU, he worked at OmniVision-CDM Optics as a senior systems engineer.

    Daniël Van Nieuwenhove is the chief technical officer at SoftKinetic. He received an engineering degree in electronics with great distinction at the VUB (Free University of Brussels) in 2002. Van Nieuwenhove holds multiple patents and is the author of several scientific papers. In 2009, he obtained a Ph.D. on CMOS circuits and devices for 3-D time-of-flight imagers. As co-founder of Optrima, he brought its proprietary 3-D CMOS time-of-flight sensors and imagers to market.


    to machine safety, necessary for reshaping factory automation.

    Depth sensing

    As already mentioned, 3-D cameras can deliver notable advantages over their 2-D precursors in manufacturing environments. Several depth sensor technology alternatives exist, each with strengths, shortcomings, and common use cases (table 1 and reference 1). Stereoscopic vision, combining two 2-D image sensors, is currently the most common 3-D sensor approach. Passive (i.e., relying solely on ambient light) range determination via stereoscopic vision uses the disparity in viewpoints between a pair of near-identical cameras to measure the distance to a subject of interest. In this approach, the centers of perspective of the two cameras are separated by a baseline or inter-pupillary distance to generate the parallax necessary for depth measurement.

    Microsoft's Kinect is today's best-known structured light-based 3-D sensor. The structured light approach, like the time-of-flight technique to be discussed next, is an example of an active scanner, because it generates its own electromagnetic radiation and analyzes the reflection of this radiation from the object. Structured light projects a set of patterns onto an object, capturing the resulting image with an offset image sensor. Similar to stereoscopic vision techniques, this approach takes advantage of the known camera-to-projector separation to locate a specific point between them and compute the depth with triangulation algorithms. Thus, image processing and triangulation algorithms convert the distortion of the projected patterns, caused by surface roughness, into 3-D information.

    An indirect time-of-flight (ToF) system obtains travel-time information by measuring the delay or phase-shift of a modulated optical signal for all pixels in the scene. Generally, this optical signal is situated in the near-infrared portion of the spectrum so as not to disturb human vision. The ToF sensor in the system consists of an array of pixels, where each pixel is capable of determining the distance to the scene. Each pixel measures the delay of the received optical signal with respect to the sent signal. A correlation function is performed in each pixel, followed by averaging or integration. The resulting correlation value then represents the travel time or delay. Since all pixels obtain this value simultaneously, snapshot 3-D imaging is possible.
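
    The two range calculations described above, written out as an added example (not code from the article or from any vendor named in it): stereo depth from disparity, and indirect time-of-flight depth from four correlation samples per pixel. The pinhole relation Z = f * B / d, the four-sample demodulation at 0, 90, 180, and 270 degrees, and all numeric values are assumptions chosen for illustration.

```python
"""Added illustration of stereo and indirect time-of-flight ranging.
Camera parameters and modulation frequency are assumed sample values."""
import math

C = 299_792_458.0  # speed of light, m/s


def stereo_depth_m(focal_px: float, baseline_m: float, disparity_px: float) -> float:
    """Depth of a point seen by two rectified cameras: Z = f * B / d."""
    if disparity_px <= 0:
        raise ValueError("zero disparity means the point is at infinity")
    return focal_px * baseline_m / disparity_px


def tof_samples(distance_m, f_mod_hz, amplitude=100.0, ambient=40.0):
    """Simulate one pixel's four correlation samples for a target at
    distance_m. Sample k correlates the return with the reference signal
    shifted by k * 90 degrees: C_k = ambient + amplitude * cos(phi + k*pi/2)."""
    phi = 4 * math.pi * f_mod_hz * distance_m / C   # round-trip phase delay
    return [ambient + amplitude * math.cos(phi + k * math.pi / 2)
            for k in range(4)]


def tof_depth_m(samples, f_mod_hz):
    """Recover distance from the four samples. The differences cancel the
    ambient offset; atan2 yields the phase, wrapped into [0, 2*pi)."""
    c0, c1, c2, c3 = samples
    phi = math.atan2(c3 - c1, c0 - c2) % (2 * math.pi)
    return C * phi / (4 * math.pi * f_mod_hz)


def unambiguous_range_m(f_mod_hz):
    """Beyond this distance the phase wraps and the reading aliases."""
    return C / (2 * f_mod_hz)


if __name__ == "__main__":
    f_mod = 20e6                                    # assumed 20 MHz modulation
    print(f"stereo: {stereo_depth_m(800, 0.12, 32):.2f} m")
    print(f"ToF   : {tof_depth_m(tof_samples(2.5, f_mod), f_mod):.3f} m")
    limit = unambiguous_range_m(f_mod)
    aliased = tof_depth_m(tof_samples(2.5 + limit, f_mod), f_mod)
    print(f"limit : {limit:.3f} m; a target at {2.5 + limit:.3f} m reads {aliased:.3f} m")
```

    The last line of the demo shows the phase-wrap failure mode: a target beyond the unambiguous range is reported at a shorter distance.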

    FACTORY AUTOMATION

    Contributors (members of Embedded Vision Alliance)

    Vision processing

    Vision algorithms typically require high computing performance. And unlike many other applications, where standards mean that there is strong commonality among algorithms used by different equipment designers, no such standards that constrain algorithm choice exist in vision applications. On the contrary, there are often many approaches to choose from to solve a particular vision problem. Therefore, vision algorithms are very diverse, and tend to change fairly rapidly over time. And, of course, industrial automation systems are usually required to fit into tight cost and power consumption envelopes.

    Achieving the combination of high performance, low cost, low power, and programmability is challenging (reference 2). Special-purpose hardware typically achieves high performance at low cost, but with little programmability. General-purpose CPUs provide programmability, but with weak performance, poor cost effectiveness, or low energy efficiency. Demanding vision processing applications most often use a combination of processing elements, which might include, for example:

    • a general-purpose CPU for heuristics, complex decision making, network access, user interface, storage management, and overall control

    • a high-performance digital signal processor for real-time, moderate-rate processing with moderately complex algorithms

    • one or more highly parallel engines for pixel-rate processing with simple algorithms

    Although any processor can in theory be used for vision processing in industrial automation systems, the most promising types today are the:

    • high-performance CPU

    • graphics processing unit with a CPU

    • digital signal processor with accelerator(s) and a CPU

    • field programmable gate arrays with a CPU

    ABOUT THE AUTHOR

    Brian Dipert ([email protected]) is editor-in-chief at the Embedded Vision Alliance. He is also a senior analyst at Berkeley Design Technology, Inc., and editor-in-chief of InsideDSP, the company's online newsletter dedicated to digital signal processing technology. Dipert has a B.S. in electrical engineering from Purdue University. His professional career began at Magnavox Electronics Systems in Fort Wayne, Ind. Dipert subsequently spent eight years at Intel Corporation in Folsom, Calif. He then spent 14 years at EDN Magazine.

    View the online version at www.isa.org/intech/20140603.

    REFERENCES

    1. 3-D Sensors Bring Depth Discernment to Embedded Vision Designs, www.embedded-vision.com/platinum-members/embedded-vision-alliance/embedded-vision-training/documents/pages/3d-sensors-depth-discernment

    2. Processing Options for Implementing Vision Capabilities in Embedded Systems, www.embedded-vision.com/platinum-members/bdti/embedded-vision-training/documents/pages/processing-options-implementing-visio
