  • Stay Safe and Secure Together

    ECOSTRUXURE TRICONEX USER GROUP 2018

    The editors of Control report on breaking news and session highlights

    October 16 - 17 • Galveston, Texas, USA

    A Special Report by the editors of Control

    'Profitable Safety' Provides New Lens to View SIS Investments

  • Live from EcoStruxure Triconex User Group 2018

    TABLE OF CONTENTS

    Schneider Electric wants you to think differently about safety

    Panel traces dynamic evolution of SIS best practices

    Triconex technology making safety yet more profitable

    BASF undertakes inventory of safety instrumented functions

    Anatomy of a cyber-attack and successful recovery

    Latest safety controller boasts small footprint, fast I/O bus

    Safety excellence cuts costs, boosts profits at Petronas

    Schneider Electric solutions make safety pay off

    Focus on resilience to cultivate Safety II mindset

    Closing the loop on safety system maintenance

    Trident retrofit packs high availability into small footprint

    Industrial IoT tech not ready for safety system prime time


    SCHNEIDER ELECTRIC WANTS YOU TO THINK DIFFERENTLY ABOUT SAFETY

    By Keith Larson

    As digital technology continues its inexorable transformation of industrial processes, Schneider Electric is taking a leading role in reconceiving those process and business variables we could once only manage into ones we can now control.

    Production efficiency was first, asset reliability was second, and now the company is taking aim at process safety—all toward helping industrial companies to fully leverage their automation infrastructure as profit engines for their businesses.

    “We’re already affecting either the top line or the bottom line in everything we do,” said Steve Elliott, senior marketing director for Schneider Electric Process Automation control and safety offerings. “By applying new, stronger and secure process safety systems and components, Schneider Electric customers are better able to mitigate risks, eliminate incidents that lead to downtime and drive measurable operational profitability improvements, safely,” Elliott said.

    The company’s expertise in the optimization of process efficiency is packaged within its EcoStruxure Control Advisor solution. Further, having pioneered the concept of real-time accounting, its EcoStruxure Profit Advisor allows process manufacturers to view in real-time the profitability of their operations. The company’s EcoStruxure Maintenance Advisor, meanwhile, helps companies to predict and prevent equipment failures that can lead to unscheduled, profit-sapping downtime. Now, it wants to change how you think about safety, and how the systems and processes designed with the primary mission of protecting people and production assets can now help to improve the profitability of operations as well.

    Under the conference theme of “Profitable Safety,” Elliott was among the Schneider Electric Process Automation leadership team who addressed this morning’s keynote session of the EcoStruxure Triconex User Group meeting in Galveston, Texas.

    Know your limitations

    “During the design of any plant with potentially hazardous conditions, processors have long acknowledged not only the safety integrity level (SIL) needed to reduce potential risks to an acceptable level, but also safety’s environmental and commercial counterparts,” Elliott said.

    But it’s only with the recent introduction of advanced safety controller technologies—such as the company’s latest EcoStruxure Triconex Tricon CX—along with powerful analytics and data visibility among a plant’s varied assets and decision-makers that processors can possess a real-time understanding of where the plant is within that window of safe operations. A real-time knowledge of where the plant is with respect to those safety limits allows processors to operate more closely to that threshold when such operations enhance profitability.

    “We’re already affecting either the top line or the bottom line in everything we do.” Schneider Electric’s Steve Elliott explained how the company’s EcoStruxure Triconex safety solutions can help to actively manage the profitability of process operations.

    “By leveraging our innovative applications and analytics, which take advantage of secured connectivity, digitization and big data, our EcoStruxure Triconex customers are better able to exploit their business and operating data so they can better understand the impact safety has on the real-time profitability of their operations,” added Mike Chmilewski, vice president, Process Safety, Schneider Electric Process Automation. The company’s industry leading engineering tools also enhance the productivity and accuracy of those charged with designing and maintaining process safety systems.

    The power of digitalization

    In today’s competitive global economy, manufacturers are under constant pressure to improve overall business performance, but many still are unaware of the various ways superior levels of safety can drive profitability.

    “Since a manufacturer’s primary business objective is to drive profitability from its operations, protecting the safety of the plant’s people, assets, and environment has traditionally been viewed as a necessary cost of doing business,” said Craig Resnick, vice president, consulting, ARC Advisory Group. “However, by helping end users link the safety of their assets with the profitability of their operations, manufacturers can transform the value of their safety systems. Today’s advanced safety systems are investments, not expenses. Because they can quickly gather and analyze data, they enable plant managers and operators to accurately predict when their operations will exceed acceptable safety thresholds. These newfound abilities to avoid near misses and unexpected outages have a direct, positive impact on overall business performance.”

    According to a recent ARC Advisory Group study, 92 percent of respondents in global manufacturing organizations strongly support the use of robust and capable devices to enable real-time decision making, with near-unanimous agreement about the concept. Users have long recognized the value of being able to process data and execute programs as close to the manufacturing process as possible, with the aim of maximizing process efficiency and reducing or virtually eliminating the time between acquiring data and acting on it. This requires manufacturers to digitize their operations so they can benefit from increased access to and visibility into operating and business data.

    “Emerging Industrial IoT technologies, such as digitalization, analytics and visual clues, when appropriately applied, open the door to new opportunities that empower better, highly accurate operating and business decisions in real time,” Resnick said.

    Using advanced, value-focused Triconex technologies, as well as the company’s patented real-time accounting models and dynamic performance measures, the industrial workforce can now analyze past, present and even potential future incidents to reduce safety risk, which significantly improves its ability to eliminate unscheduled downtime.

    “IIoT-driven algorithms can be configured to identify looming threats to equipment and safety, allowing operators to act before incidents occur,” said Resnick. “By better identifying, planning and managing these operating and business risks, process manufacturers not only reduce the likelihood of unexpected production outages and downtime, they also have greater control over operational profitability. This continuous, closed-loop approach is how solutions, such as Schneider Electric’s EcoStruxure Triconex systems, can help them to shift from managing safety as a cost center to controlling it as a profit center.”

    Today’s advanced safety systems are investments, not expenses.

    Craig Resnick, vice president, consulting, ARC Advisory Group


    PANEL TRACES DYNAMIC EVOLUTION OF SIS BEST PRACTICES

    By Jim Montague

    If designing, maintaining and continuously updating safety instrumented systems (SIS) is the most important job of SIS professionals, then the second most important task of the SIS community is maintaining and continuously updating the changeable standards on which their process safety programs are based.

    “The most important aspect of safety standards is that they give practitioners a common and uniform vocabulary for carrying out their safety efforts,” said Dr. Farshad Hendi, safety practice leader, Americas and Europe, Schneider Electric. “They also enable good engineering practices, and provide a framework and baseline for benchmarking.”

    To update users on the latest updates and direction of SIS standards efforts, Hendi moderated an expert panel at this week’s EcoStruxure Triconex User Group conference in Galveston, Texas. Its members included Herman Storey, CTO, Herman Storey Consulting; Dennis Zetterberg, safety systems team lead for Chevron Energy Technology Co.; and Scott Mourier, process automation SIS expertise area leader, Dow Chemical Co.

    “It’s a very exciting time for process safety because of the changes we’re seeing to IEC 61511 and the efforts of its working groups, and because IEC 61508 is going to undergo a major revamp soon,” added Hendi. “The same goes for the ISA 100 and ISA 108 standards.”

    IEC 61511 survey and report

    Hendi reminded the audience that the first edition of IEC 61511: Functional Safety—Safety Instrumented Systems (SIS) for the Process Industry Sector, was released in 2003; that its second edition, released in 2016, clarified some confusing sections; and that its developers are continuing to refine the standard with further input from end users.

    “Many aspects of IEC 61511 are good, but some need to be made clearer,” explained Hendi. “The second edition tried to shift more towards functional safety management, and add security, allocation of safety functions, and address architectural constraints. However, after the second edition was published, there were more reactions to it. As a result, its committee decided to conduct a survey to gather more feedback.” This online survey went out to potential respondents worldwide, and garnered responses from more than 250 end users and other process safety practitioners, mainly in the U.S., Europe and Australia.

    Process safety panelists including (L to R) consultant Herman Storey, Dennis Zetterberg of Chevron, and Scott Mourier of Dow Chemical provided updates about IEC 61511, ISA 100 and other safety standards, and charted the recent efforts of their committees and working groups.


    Zetterberg reported the IEC 61511 committee sought to learn what parts of the standard were still confusing for users and what still required clarification. “So, we began developing a technical report, TR-IEC 61511-4 that would highlight all the clauses, including the rationale for why they were put in, and highlight the differences between the first and second editions,” said Zetterberg. “It also had a brief explanation of the typical process sector approaches to the application of each primary clause.”

    Though specific results haven’t been released beyond the IEC 61511 committee and the survey’s respondents yet, Zetterberg reported they’re generally seeking better definitions for the standard as it compares to IEC 61508, and answers to many questions about protection layers, architectural constraints, HAZOPS and risk assessment procedures, and hazardous safety lifecycles. “For example, the respondents want to know more about functional safety audits, how to get process safety right, and how to do validation to make sure they’ve done the right things,” added Zetterberg.

    Hendi added, “TR-IEC 61511-4 is also trying to provide some simpler language when talking about the standard, such as what’s the rationale behind the clauses, and addressing misconceptions that can rise when moving from the first to second editions.”

    Storey reported that TR-IEC 61511-4 is less than 50 pages, and that the IEC 61511 committee is presently in the process of reviewing it. He added that it’s scheduled to be released to the worldwide IEC 61511 committee in December for review, and the editorial process may be completed in mid-2019.

    ISA 84 and technical reports

    Similarly, the panel covered how the ISA 84 standard, launched in 1996, evolved to become IEC Mod 61511 in 2004, and was just designated as ISA 61511 earlier this year.

    “Many process safety efforts have many of the same members, but not a lot of collaboration,” said Mourier. “As a result, there’s going to be more collaboration as we go forward to find the best practices for application-spe-cific areas. ISA will continue to have a key role, including collaboration within the ISA 84 committees developing technical reports about clauses in the standards, or about lifecycle and maintenance calculations.”

    Zetterberg added, “If anyone wants to have input into the third edition, I’d recommend getting involved at ISA.org. If anyone just wants to make comments, they can submit them, and we’ll make sure they get included.”

    One of the main technical reporting efforts is TR 84.00.05: Guidance on the Identification of Safety Instrumented Functions (SIF) in Burner Management Systems (BMS). The panel reported the committee is researching how some ISA 61511 principles may be applied to existing BMS equipment. “The effort here is informative to see if we can apply performance-based material from ISA 84, but this isn’t prescriptive,” said Zetterberg. “We met in May, and already have a lot of feedback. The next step is to revise the scope of TR 84.00.05, and try to collaborate with other standards, but we’re not saying what it should have.”

    Another primary technical report area is TR 84.00.07, Guidance on the Evaluation of Fire, Combustible Gas and Toxic Gas System Effectiveness, which its committee members have been working on for two years, and includes items such as the location and testing of detectors. Zetterberg reported it’s also not meant to replace prescriptive requirements, but just to help users mitigate risk.

    Likewise, Storey added that TR 84.00.08, Guidance for Application of Wireless Sensor Technology to Non-SIS Independent Protection Layers, consists of a broad push by users that want to implement wireless solutions for some safety-related tasks, such as tank overflow monitoring applications. “This report is done and published, but it’s still a complicated issue because it’s been hard for users to evaluate what to do without an existing standard,” explained Storey. “Still, they’ll decide what to do next soon.”

    ISA 100 and the Industrial IoT

    Storey reported that even though the ISA 100.11a wireless standard has been published as IEC 62734, its developers are presently mulling how to extend it to help users better integrate Industrial Internet of Things (IIoT) solutions and expected benefits.

    “The Wireless Compliance Institute is coordinating this effort, so wireless functions will be able to run on any available technology, and also have different layers on top of ISA 100.11a,” explained Storey. “We’ve already done technical reports on backhaul and wireless management technologies, and one of the main lessons from all this is: if you want safe and secure networks, then you’ve got to manage them.”

    Similarly, Storey added that ISA 108/IEC 63082: Intelligent Device Management, is seeking to achieve and sustain functional performance requirements for a variety of smart components, which includes how to diagnose, calibrate and test them.


    TRICONEX TECHNOLOGY MAKING SAFETY YET MORE PROFITABLE

    By Paul Studebaker

    CEOs, plant managers and marketing people say, “Safety is our #1 priority,” but do their investments match their rhetoric? “Safety is too often seen as a cost, not something that adds market value,” said Chris Stogner, Triconex offer director, Schneider Electric Process Automation. “But getting safety wrong is not an option. An incident can do permanent damage to brand equity.

    “So how do we get safety funded? Profitability depends on safety. A plant that’s tripping all the time is not profitable. If it’s profitable but unsafe, it may lose its license.”

    Stogner co-presented “Triconex Technology Update” with Steve Elliott, senior director, marketing, Schneider Electric Process Automation, at this week’s EcoStruxure Triconex User Group conference in Galveston, Texas.

    Plants are driven by imperatives from production commitments and delivering shareholder value to maintaining their license to operate, their reputation and their duty to protect people and the environment. “Now, some countries are changing the way they fine and prosecute safety violations,” Stogner said. “They will put you in jail.”

    Opportunities to improve safety are available via digitalization, connectivity, big data and analytics, digital twins and the cloud, but not without risk. “Cybersecurity has gone from theoretical to actual costs,” Stogner said. “Apps and analytics are giving opportunities for better safety, but also greater cyber risks.”

    Some risk is inevitable. “The best safety system would be none—an inherently safe process,” Stogner said, “But we need the products of unsafe processes, so we need safety systems. The question becomes, how do we contain the costs?”

    The ghost of Triconex past

    To understand where EcoStruxure Triconex systems are today and where they’re going, it helps to understand the trajectory of the past few years, said Elliott, starting in 2012, when Triconex closed the loop on safety systems. “We added the ability to measure what’s happening, compare it to the system design, identify the integrity gap, and close it.” In 2013, Peter Martin, vice president of innovation and marketing, Schneider Electric, attributed a financial aspect to the gap and explained how to make decisions that balanced production, commercial and safety results.

    In 2015, Martin and the company received a patent on software that quantifies the value of the risk reduction contributed by a safety instrumented function (SIF). Triconex also added automated testing, which has since “manifested in a standard,” Elliott said.

    “Validation took 16 hours instead of the previous 54 hours per burner, and the facility was able to start up four days earlier. Four days of runtime would buy a lot of Triconex systems.” Chris Stogner, Triconex offer director, co-presented “Triconex Technology Update” with Steve Elliott, senior director, marketing, Schneider Electric, at the 2018 Triconex User Group conference this week in Galveston, Texas.


    2016 brought IEC 61511 Edition 2, in which clause 16 specifies that “the required SIL of each SIF is maintained during operation and maintenance” and “the SIS is operated and maintained in a way that sustains the required safety integrity.” Further, “Discrepancies between the expected behavior and the actual behavior of the SIS shall be analyzed and where necessary, modifications made such that the required safety is maintained.”

    In 2017, along with innovation at the connected products and edge control levels, “Analytics brought a wealth of research, competence and skill,” Elliott said. “Now, safety can be profitable if you focus on the interrelationship among productivity, performance and profit.”

    Triconex technology today

    This year brings a significant number of innovations across the Triconex product line. Here are just the high points—each product has more:

    Trip Analyzer is “a lighter version of SIF Manager, a software tool that does high-speed datalogging of what happened during a trip,” Stogner said. Today, everybody has their own way to analyze a trip, gathering information from disparate sources such as the safety system, DCS and historian. “Now, you can get a report that tells exactly what happened, with actual vs. design intervals.” If the system works as designed, “You can get a credit for a proof test.”

    Trip Analyzer also offers pre- and post-event trends. “Anything that can get into the historian can be tracked,” Stogner said. “Some of the early adopters are saying it takes them one-third less time to analyze and restart. That’s a much faster return to profitability.”

    SIF Manager supports the IEC 61511 clause 16 requirements with automatic analysis and reporting of SIF demand rate performance, bypass performance, trip performance statistics, device failure statistics, live statistics, proof test tracking, fault tracking, dynamic PFD calculation and more.

    Implementing SIF Manager at a 540,000 BBL/day, $25M revenue per day refinery with 2,000 SIFs and 10,000 SIS devices, on a three-year plant turnaround cycle with two safety audits per year, a five-year SIF validation cycle and four to seven trips per year (average) calculates to an ROI of six months based on labor savings, or two days based on reduced turnaround time.

    Among 2018’s “apps and analytics,” Stogner said, Safety View ABM 2.0 “eliminates the chance that a critical alarm will go unnoticed.” It keeps bypasses “done properly and visible, not in the DCS or out on the floor.”

    EcoStruxure Maintenance Advisor pulls in data from HART-enabled devices, contextualizes it, “makes it easy to see what to do, and to generate a work order,” Stogner said.

    Triconex Safety Validator offers faster validation and “the only TÜV certified safety logic validation,” Stogner said. There’s no reason to write procedures from scratch because they’re generated in the software. “I can hit the ‘play’ button, go out and have lunch, come back and see how the testing went.”

    At Chevron in Pascagoula, installation of six new burners “took half the time for the factory acceptance test (FAT),” Stogner said. “Validation took 16 instead of the previous 54 hours per burner, and the facility was able to start up four days earlier. Four days of runtime would buy a lot of Triconex systems,” Stogner said.

    It also provides management of change. “If you make a small change, do you have to re-verify the whole system?” Stogner asked. “It’s up to you—you can do the analysis, or with this, you can just test it all, automatically.” A free trial version is available for up to 4 months.

    Tofino Firewall has been updated to handle up to 254 nodes with support for extended alias, Tricon CX and HART pass-through.

    Tricon 11.4 is the “first post-attack-investigation version,” Stogner said, referring to the well-publicized but ultimately unsuccessful Triton malware attack in 2017. “By the way, that was a 17-year-old system. That attack would have been prevented if the user had followed the recommendations in the user guide.” On the new version, so as to not tip off any hackers, “We’re not talking about all the ways it works.”

    Safety Suite now supports Tricon CX, with TriStation V4.16 and Enhanced Diagnostic Monitor V2.13. Diagnostics have configurable limits, and HART devices can be configured from TriStation.

    “Diagnostic Expert is merging a couple of applications into one,” Stogner said. “It includes TriLogger capability and an OPC UA server.” TriStation 5.x means “If you are using more than one version, you no longer need a separate install for each version,” Stogner said. “From here out, the latest version of 5.x will open earlier 5.x versions.”

    System Advisor change tracker knows “when, who, the old value and the new value,” Stogner said, “So, TriStation upgrades won’t require printouts and page-by-page comparison to highlight changes.”

    Tricon CX is “released and ready for purchase,” Stogner said. Now at V11.4, it has an approved component list on “one certificate, one TÜV approval.” Containing the “ghost of Triconex past,” it has the same contents in a more cost-effective footprint—50% smaller, 67% lighter in weight, so it can be added to racks in the existing space. It’s also ISASecure certified and RoHS compliant, and “We’re working on marine.”

    “It takes the best of Tricon,” Stogner added. It uses an external power supply and handles up to 15 I/O modules per chassis. A unified communication module (UCM) puts it directly on an EcoStruxure Foxboro DCS; a new supervised 24 Vdc digital input has 1 ms sequence of events (SOE); a fast analog input offers 5 msec updates; and HART pass-through allows automated HART device configuration, documentation and test.

    Safety Intelligent Enclosures can be bought by I/O count, installed in the field, then configured to the final I/O type with software and plug-ins. They can be installed in daisy-chain, star or mixed topologies. “One box has four modules, 64 points, and two guys can install it by hand,” Stogner said. “No A/C, no purge—it’s rated to 55 °C (130 °F) ambient. We did accelerated life testing, running two weeks at 4 cycles per day from -20 °C to 70 °C with no failures. That’s equivalent to 20 years at up to 55 °C.”

    BASF UNDERTAKES INVENTORY OF SAFETY INSTRUMENTED FUNCTIONS

    By Paul Studebaker

    Industrial IoT-style digitalization offers functional advantages for safety systems, such as easier modifications, the ability to assess the health status of safety PLCs (SPLCs) and field devices such as HART transmitters, as well as integration with an asset management system (AMS) to streamline work order generation.

    “But connectivity comes with cybersecurity risks,” said Dr. Martin Roser, senior automation manager, Automation Technology, Regulated Automation Solutions, BASF SE. For example, if a hacker modifies a controller function block, the system might not trip on a hazardous situation. Or a field device might be modified—for example, the span of a thermocouple transmitter could be changed so the control thinks the process is in range when it’s overheated.

    Roser described how BASF is using a standards-based approach to set the stage for digitalization while ensuring cybersecurity of its safety instrumented systems (SIS) and the safety instrumented functions (SIFs) they support, during the session “Automation Security and the SIF Lifecycle” this week at the EcoStruxure Triconex User Group conference in Galveston, Texas.

    How to allow IT

    The IEC standard 61511:2016 Functional Safety – Safety Instrumented Systems for the Process Industry offers essential advice on cybersecurity, Roser began. Security should be designed in using standardized risk assessments, standard solutions, secure architecture, design rules and security checklists. Cyber security should be considered at design review, factory acceptance test and site acceptance test. In operation, ongoing risk assessment should be performed at periodic reviews, on modifications, and in the event of an incident.

    “IEC 61511 2016 advises users to perform a risk assessment, but doesn’t advise how,” Roser said. “Furthermore, IEC 62443 Industrial Network and System Security stipulates that it should be possible for a non-security expert to perform a risk assessment. But how?”

    For guidance, BASF references NAMUR NA 163, Security Risk Assessment for Safety Instrumented Systems. Among other things, NA 163 “defines the minimum security requirements for systems to communicate,” Roser said. NAMUR is an international association of automation users. It currently numbers 158 member companies in Europe, China and the United States.

    NA 163 defines Zone A, containing the core SIS (logic solver, sensors, final elements); Zone B, the extended SIS (including the engineering station, HMI, and interfaces with asset management tools), and the peripheral zone outside A and B, where you find the DCS, process information management system (PIMS), IT architecture, etc. It makes recommendations based on the type of connection (within or between zones), the type of communication (analog or digital without HART vs. protocol-based vs IP) and the physical security of the asset. NA 163 recommends that components be used in accordance with the manufacturers’ standards, the network be classified according to NA 163 zones, and an assessment be made of the possible connections.

    In one example, an SPLC and DCS are to be time-synchronized, share alarms and provide incident assessment for authorities. The SPLC is in Zone A, the DCS is in the peripheral zone, and none of the devices are in Zone B. The manufacturer recommends an OPC server between the SPLC and DCS, with a proprietary protocol between the SPLC and OPC server, OPC A&E between the OPC server and DCS, and NTP through the OPC server for time synchronization.

    Review according to NA 163 would change that to a dedicated radio clock for the SPLC (to reduce the number of protocols and hence the surface for a network attack). It would also add a stateful firewall at the border between zones A and B restricted to data traffic (no reengineering).
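    The review just described can be made repeatable. What follows is an added example written for this report, not BASF’s or NAMUR’s code: it models the zones and connections of the SPLC/DCS example and applies two simplified NA 163-style rules (re-engineering traffic may not cross the Zone A border; data traffic that does cross it goes through a stateful firewall), then counts the networked protocols the core SIS has to speak before and after the review. The protocol names, the “data” and “engineering” traffic classes, the OPC server’s placement in the peripheral zone and the TriStation engineering-access case are assumptions made for the illustration.

```python
"""
NA 163-style review of a proposed SPLC/DCS connection set.

Added example, not BASF's or NAMUR's code.  Zone names follow the session
(A = core SIS, B = extended SIS, peripheral = DCS/PIMS/IT).  The rules are a
simplified reading of the review described there; the protocol labels, the
traffic classes, the OPC server's placement in the peripheral zone and the
'engineering workstation' case are assumptions made for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

ZONE_A, ZONE_B, PERIPHERAL = "A", "B", "peripheral"


@dataclass(frozen=True)
class Link:
    src: str
    src_zone: str
    dst: str
    dst_zone: str
    protocol: str   # network protocol; "hardwired" for a non-networked signal
    traffic: str    # "data" (values, alarms, time) or "engineering" (re-programming)


def crosses_core(link):
    """True when exactly one end of the link is inside Zone A."""
    return (link.src_zone == ZONE_A) != (link.dst_zone == ZONE_A)


def review(links):
    """Return (findings, protocols): protocols maps each Zone A component to
    the networked protocols it must speak.  Fewer protocols on the core SIS
    means a smaller network attack surface, which is why the review swaps
    NTP-through-OPC for a radio clock inside the zone."""
    findings = []
    protocols = defaultdict(set)
    for link in links:
        for name, zone in ((link.src, link.src_zone), (link.dst, link.dst_zone)):
            if zone == ZONE_A and link.protocol != "hardwired":
                protocols[name].add(link.protocol)
        if not crosses_core(link):
            continue                      # intra-zone or fully outside Zone A
        if link.traffic == "engineering":
            findings.append(f"DENY {link.protocol} {link.src}->{link.dst}: "
                            "re-engineering traffic must not cross the Zone A border")
        else:
            findings.append(f"FIREWALL {link.protocol} {link.src}->{link.dst}: "
                            "stateful rule at the Zone A border, data traffic only")
    return findings, {name: sorted(p) for name, p in protocols.items()}


def firewall_allow_list(links):
    """Protocols the border firewall passes; everything else, engineering
    protocols included, falls under the default deny."""
    return sorted({l.protocol for l in links
                   if crosses_core(l) and l.traffic == "data" and l.protocol != "hardwired"})


# Manufacturer's proposal as described in the session (OPC server placement assumed).
VENDOR_DESIGN = [
    Link("SPLC", ZONE_A, "OPC server", PERIPHERAL, "vendor-proprietary", "data"),
    Link("OPC server", PERIPHERAL, "DCS", PERIPHERAL, "opc-ae", "data"),
    Link("NTP server", PERIPHERAL, "OPC server", PERIPHERAL, "ntp", "data"),
    Link("OPC server", PERIPHERAL, "SPLC", ZONE_A, "ntp", "data"),
]

# After the NA 163 review: radio clock inside Zone A, NTP no longer reaches the SPLC.
REVIEWED_DESIGN = [
    Link("SPLC", ZONE_A, "OPC server", PERIPHERAL, "vendor-proprietary", "data"),
    Link("OPC server", PERIPHERAL, "DCS", PERIPHERAL, "opc-ae", "data"),
    Link("radio clock", ZONE_A, "SPLC", ZONE_A, "hardwired", "data"),
]

# Hypothetical later change request: engineering access to the SPLC from outside Zone A.
ENGINEERING_ACCESS = REVIEWED_DESIGN + [
    Link("engineering workstation", PERIPHERAL, "SPLC", ZONE_A, "tristation", "engineering"),
]

if __name__ == "__main__":
    for label, design in (("vendor", VENDOR_DESIGN), ("reviewed", REVIEWED_DESIGN),
                          ("engineering access", ENGINEERING_ACCESS)):
        findings, protocols = review(design)
        print(label, dict(protocols), findings, firewall_allow_list(design))
```

    Run stand-alone, the vendor design leaves the SPLC speaking two networked protocols across the border (the proprietary link and NTP), the reviewed design leaves one, and the change request is refused outright rather than being added to the firewall allow-list.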

    SPLC asset inventory at BASF

    Cyber vulnerabilities are becoming increasingly apparent, with incidents occurring due to vulnerabilities of many vendors’ systems. When the details of an incident are made public, the first question is whether you have one of those components or systems. So, to defend your facilities, “You need an SPLC asset inventory,” Roser said. “Do you know your systems? Do you have CPU MP 3008, firmware 10.0-10.4 (Trisis incident, August 2017)? HIMA X-CPU 01, serial 985213001…6001 (March, 2018)? Siemens SIMATIC S7-400 (May 2018)? Yokogawa STARDOM controllers (June 2018)?”

    BASF has 353 production sites in 80 countries. “Just one Verbund site has 39,000 employees, 2,000 buildings and 200 production lines,” Roser said. “I don’t know.” So, BASF is in the process of making a detailed safety system asset inventory “for safety, security and lifecycle issues,” Roser said. Their first step was to identify their Schneider SPLCs and know the details of each system, host, module and network interface. Step 2 is to similarly identify the other system vendors’ components. Step 3 is to compile that information into a high-level inventory list.

    Step 4 is a detailed information assessment. “Some of this information is only on the back sides of the backplanes,” Roser said. “We’re sending an army of engineers into the field to build a database. It’s a lot of work.”

    Step 5 will be to keep the inventory up to date. “We want to define internal workflows and have automated retrieval and export of asset inventories,” Roser said. “Vendor support is going to be essential for a sustainable solution.”

    “Some of this information is only on the back sides of the backplanes. We’re sending an army of engineers into the field to build a database.” BASF’s Martin Roser on the non-trivial task of compiling an enterprise-wide inventory of safety system components.
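    Steps 3 and 4 of the procedure above come down to a matching problem: given what was read off the backplanes, which assets fall under which advisory? The following is an added example, not BASF’s tooling: it normalizes the model spellings that turn up in the field, compares firmware versions numerically (as strings, 10.10 sorts inside 10.0 to 10.4 and would be reported wrongly) and reports assets whose firmware has not yet been recorded as unverified rather than silently clean. The inventory rows and site names are constructed; the advisory entries reuse the Tricon MP 3008 firmware range and the SIMATIC S7-400 item quoted in the session, and the HIMA serial-number range is left out because the page elides it.

```python
"""
Matching a safety-PLC (SPLC) asset inventory against vendor advisories.

Added example, not BASF's tooling.  Inventory rows and site names are
constructed.  The advisory entries reuse the model and firmware figures
quoted in the session; the HIMA serial-number range quoted there is elided
on the page, so no serial-range rule is included.
"""
import re
from collections import Counter


def parse_version(text):
    """'10.4' -> (10, 4), '10.10' -> (10, 10).  Tuples compare numerically;
    as strings '10.10' < '10.4', so a string comparison would report
    firmware 10.10 as inside a 10.0-10.4 range."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def normalize_model(text):
    """Fold field spellings such as 'MP 3008', 'MP3008' and 'mp-3008'."""
    return re.sub(r"[\s\-_/]", "", text).upper()


# Constructed inventory rows.  firmware=None means the value has not yet
# been read off the hardware (it may only be on the back of the backplane).
INVENTORY = [
    {"id": "SIS-01", "site": "site-1", "vendor": "Schneider", "model": "Tricon MP 3008", "firmware": "10.3"},
    {"id": "SIS-02", "site": "site-1", "vendor": "Schneider", "model": "Tricon MP3008", "firmware": "10.10"},
    {"id": "SIS-03", "site": "site-2", "vendor": "Schneider", "model": "Tricon mp-3008", "firmware": "10.0"},
    {"id": "SIS-04", "site": "site-2", "vendor": "Schneider", "model": "Tricon MP 3008", "firmware": None},
    {"id": "SIS-05", "site": "site-3", "vendor": "Siemens", "model": "SIMATIC S7-400", "firmware": "6.0"},
    {"id": "SIS-06", "site": "site-3", "vendor": "Yokogawa", "model": "STARDOM FCN", "firmware": "4.1"},
]

# Advisory criteria as quoted in the session.  fw_min/fw_max are inclusive;
# None on both means the whole model line is in scope.
ADVISORIES = [
    {"name": "Tricon MP 3008 firmware 10.0-10.4 (Trisis incident, August 2017)",
     "vendor": "Schneider", "model": "MP 3008", "fw_min": "10.0", "fw_max": "10.4"},
    {"name": "SIMATIC S7-400 (May 2018)",
     "vendor": "Siemens", "model": "S7-400", "fw_min": None, "fw_max": None},
]


def match(asset, advisory):
    """'affected', 'unverified' (model in scope, firmware unknown) or None."""
    if asset["vendor"].lower() != advisory["vendor"].lower():
        return None
    if normalize_model(advisory["model"]) not in normalize_model(asset["model"]):
        return None
    if advisory["fw_min"] is None and advisory["fw_max"] is None:
        return "affected"
    if asset["firmware"] is None:
        return "unverified"           # needs a field check before it can be cleared
    fw = parse_version(asset["firmware"])
    low = parse_version(advisory["fw_min"]) if advisory["fw_min"] else ()
    high = parse_version(advisory["fw_max"]) if advisory["fw_max"] else (float("inf"),)
    return "affected" if low <= fw <= high else None


def check_inventory(inventory=INVENTORY, advisories=ADVISORIES):
    """Answer 'do we have one of those?' for every advisory: a list of
    (asset id, advisory name, status) with status 'affected' or 'unverified'."""
    hits = []
    for asset in inventory:
        for advisory in advisories:
            status = match(asset, advisory)
            if status:
                hits.append((asset["id"], advisory["name"], status))
    return hits


def high_level_list(inventory=INVENTORY):
    """Step 3 of the procedure: number of assets per vendor and normalized model."""
    return Counter((a["vendor"], normalize_model(a["model"])) for a in inventory)


if __name__ == "__main__":
    for asset_id, advisory, status in check_inventory():
        print(f"{asset_id}: {status} by {advisory}")
    for (vendor, model), count in sorted(high_level_list().items()):
        print(f"{vendor} {model}: {count}")
```

    The unverified status is the point of step 4: an asset with a matching model and no recorded firmware is sent to the field list, not dropped from the report, and an automated export (step 5) would re-run the same check each time the inventory changes.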


    ANATOMY OF A CYBER-ATTACK AND SUCCESSFUL RECOVERY
    By Jim Montague

    Recovering from a serious cybersecurity attack requires all kinds of resilience. This includes many logical technical fixes, but it also demands a large dose of less-obvious professional and personal resolve.

    Despite these multiple challenges, this is exactly the journey that Schneider Electric and its client undertook during the past year after its end user—a large oil and gas refinery and petrochemical facility in the Middle East—was subjected to a premeditated, focused and sustained cyber intrusion and attack. An unknown attacker injected the TRISIS/Triton malware into a Tricon safety instrumented system (SIS) engineering workstation running EcoStruxure Triconex software, which had been left in “program” mode. When the malware attempted a reprogram, the controller recognized an anomaly and took the plant to a safe state via a shutdown in August 2017.

    A subsequent misstep by the malware was detected by the SIS, which triggered a safe shutdown of the related application. The incident was reported in December 2017, and Schneider Electric’s recovery, remediation and investigation efforts have been ongoing since that time. “The truth is this cyber attack could have been at any site or safety system, but in retrospect it’s probably fortunate that it happened to a Tricon system that was able to detect the problem, and bring the application to a safe state,” said Gary Williams, cybersecurity services offer leader, Schneider Electric.

    An update on the TRISIS/Triton cyber attack and Schneider Electric’s response, entitled “From Fact to Fiction: What Happens After a Cyber Incident,” was presented by Williams and Steve Elliott, senior director of marketing, Schneider Electric Process Automation, this week at the Triconex User Group conference in Galveston, Texas.

    Intrusion evolution

    Elliott reported that the affected equipment had been installed at the Middle Eastern plant in 2007. Since then, the refinery had expanded its applications, and invested about $18 billion to implement petrochemical and finished products applications. It also conducted a major inspection and turnaround, which included more than 25,000 contractors and other personnel onsite.

    Williams added that, though the attack began in August 2017, the intrusion may have started about two years earlier. This is because the malware had to penetrate several layers of the plant’s network to reach its distributed control system (DCS) and the SIS that was ultimately affected. “We still don’t know the intent of this attack,” said Williams.

    Whatever the motivation, Williams explained that Schneider Electric has a three-part procedure for effective cybersecurity—isolate, identify and eliminate.

    “Isolate means disconnecting cables and communications, and basically ‘putting police tape around a compromised area,’ so it can be examined later.” Gary Williams, cybersecurity services offer leader, Schneider Electric, detailed his company’s response to the recent TRISIS/Triton malware attack on its Middle East refinery/petrochemical end-user customer.


    “It’s important to understand that isolate doesn’t mean turning off machines or other equipment because this could eliminate all the evidence for forensic investigation of an attack,” said Williams. “In this case, isolate means disconnecting cables and communications, and basically ‘putting police tape around a compromised area,’ so it can be examined later.

    “For us, this means comparing the software on a workstation or other device to a virgin copy of its software. This lets us identify what code should be there and what should not. Once we find out that some unauthorized or unknown code has been added, we can hit the emergency button and escalate the process. Only three parties know what really happened: the attacker, the forensics team, and the end user.”
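    The “compare to a virgin copy” step Williams describes can be done with a file-integrity manifest. The Python below is an added example, not Schneider Electric’s forensic tooling: it hashes every file under a known-good (golden) tree, does the same for the tree under investigation (in practice a read-only copy or image, so that the evidence Williams wants preserved is not altered), and reports what was added, changed or removed. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Compare a workstation's software tree against a known-good ("virgin")
copy by hashing every file and diffing the two manifests.

Added example, not Schneider Electric's forensic tooling. The directory
layout and file contents in demo() are constructed. Hashing only reads
the files, so nothing under investigation is executed or altered.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file below root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(golden: dict, live: dict) -> dict:
    """Classify paths: present only on the live host (added), only in the
    golden copy (missing), in both with different hashes (modified), or
    identical (unchanged). Anything outside 'unchanged' is an escalation cue."""
    common = golden.keys() & live.keys()
    return {
        "added": sorted(live.keys() - golden.keys()),
        "missing": sorted(golden.keys() - live.keys()),
        "modified": sorted(p for p in common if golden[p] != live[p]),
        "unchanged": sorted(p for p in common if golden[p] == live[p]),
    }


def write_tree(root: Path, files: dict) -> None:
    """Materialize a {relative path: bytes} mapping under root (test scaffolding)."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Build a golden tree and a 'live' tree with one file changed, one
    removed and one unexpected file added, then diff them."""
    golden_files = {
        "app/workstation.exe": b"\x4d\x5a engineering tool, constructed content",
        "app/lib/core.dll": b"library v1 constructed content",
        "app/config/settings.ini": b"[project]\nmode=run\n",
    }
    live_files = dict(golden_files)
    live_files["app/lib/core.dll"] = b"library v1 constructed content, patched"
    del live_files["app/config/settings.ini"]
    live_files["app/lib/unknown.dll"] = b"not part of the vendor package"

    with tempfile.TemporaryDirectory() as tmp:
        golden_root, live_root = Path(tmp, "golden"), Path(tmp, "live")
        write_tree(golden_root, golden_files)
        write_tree(live_root, live_files)
        return compare_manifests(build_manifest(golden_root), build_manifest(live_root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

    A manifest diff only sees changes on disk; code resident solely in memory, or a golden copy that was itself built after the intrusion began, will not show up, which is why the golden image should come from vendor media or a pre-incident archive rather than from the suspect host.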

    Williams added that, once the malware was identified and eliminated, the plant’s owner advised all its sites to follow Schneider Electric’s recommendations on intrusions, such as enhanced password management. For its part, Schneider Electric also alerted software patching entities, and gave them a solution for preventing similar attacks elsewhere.

    “We also developed a tool that other users could employ to check their systems,” he added. “And, we were invited to Washington, D.C., where we participated in several autopsy efforts to help understand the technicalities of attacks, which is the beginning of developing policies and procedures in the hope that future standards can incorporate some of the lessons learned.”

    Collateral damage

    Though not directly related to process control, Elliott reported that Schneider Electric has also had to cope with a tide of factually lacking and/or erroneous media reports about the incident, and even observed some equipment suppliers seeking to capitalize and make online sales in its wake.

    “There were a lot of blog posts that just seemed to want to create an audience, but had few facts. There are now 390,000 mentions of ‘Triton’ on Google,” added Elliott. “It also seemed like in about 48 hours, Triton was also suddenly a topic of many upcoming conference sessions. The first we attended was the S4 conference, where we again tried to be as transparent as possible, even though we had to remain quiet about some details until we had the true facts.”

    Beyond following Williams’ technical advice about following IEC 62443 security recommendations for implementing “zones and conduits” in industrial networks—and having suppliers’ contact information handy—Elliott added that process control and automation users and suppliers must jointly address cybersecurity threats.

    “This is not just our problem or one user’s problem. This is an industry-wide problem,” concluded Elliott. “We all have to work together, including getting governments and legislators involved. And, cybersecurity isn’t just about safety systems, but also about every kind of process automation system. We have to work together to beat these attacks.”

    LATEST SAFETY CONTROLLER BOASTS SMALL FOOTPRINT, FAST I/O BUS
    By Keith Larson

    Front and center in the Innovation Hub at this week’s EcoStruxure Triconex User Group meeting in Galveston, Texas, is release 11.4 of Schneider Electric’s Tricon CX, the company’s powerful safety system that enables secure connectivity among systems, assets and people, and allows for better real-time operations and business decision-making.

    “Tricon CX is an extension of the market-leading Tricon platform,” noted Chris Stogner, EcoStruxure Triconex offer director, Schneider Electric Process Automation.


    “It’s the same triple-modular-redundant (TMR) architecture proven in more than 20,000 Triconex systems operating in more than 80 countries but with expanded system capacity, capability and performance packed into a 50% smaller and 67% lighter form factor.” This compact design and extended feature set enable customers to more easily expand existing, replace obsolete and implement new systems, Stogner said.

    Along with more robust cyber-hardening and enhanced performance, the new Tricon CX v11.4 can handle up to 750,000 TMR I/O distributed across 254 peer-to-peer nodes. Other key features include:

    • A new high-performance I/O bus that goes further, faster. The fault-tolerant 1GB I/O bus and fiber-optic adaptors allow for greater distances—up to 20 kilometers—greater system flexibility, and enhanced end-to-end performance.

    • A smaller footprint and flexible architecture that, together with Triconex Safety Intelligent Enclosures and Tricon CX Universal Safety I/O, significantly reduce system engineering and installation costs, while shortening project schedules and reducing delivery risk.

    • A new version of TriStation that allows the Tricon CX safety system to be engineered and configured faster, including the ability to open legacy project files without the need to install, upgrade, or maintain the programming software; and the addition of HART container, which allows intelligent device configuration and detection.

    • The all new Triconex Diagnostic Expert that resolves maintenance issues faster and more accurately, including: Enhanced Diagnostic Monitor, which makes it quick and easy to understand system health and identify issues; new Sequence of Event recorder and playback for faster event analysis and identification of process upsets and outages; and high-speed data logging for quick and accurate resolution of operational issues.

    Not secure = not safe

    “The global manufacturing and critical infrastructure industry is faced with increasingly frequent and sophisticated cyberattacks, which are occurring across all geographies and segments, regardless of which control and safety systems the end users have installed,” said Mike Chmilewski, vice president, Process Safety, Schneider Electric Process Automation. “To help our customers combat these dangers, we applied the unique insights, expertise and knowledge we acquired in the past year to enhance the Tricon CX so that it is able to withstand multiple threats and attack methods.”

    Tricon CX is compliant with the IEC 62443 cybersecurity standard and is certified by TÜV Rheinland for use in safety applications up to Safety Integrity Level 3. It is also ISASecure EDSA Level-1 certified, the industry’s leading cybersecurity certification for industrial control and safety systems and components. This has resulted in further security enhancements in Tricon CX v11.4 to mitigate sophisticated methods of attack.

    “Strengthening the Tricon controller continues the security journey we committed to when we were the first to receive safety and cybersecurity certifications from TÜV Rheinland,” said Chmilewski. “With its recent security enhancements, dual certifications and standards compliance, and because it was designed in accordance with our recognized security development lifecycle process, Tricon CX remains highly secure while also delivering the highest degree of operational availability of any safety system. It keeps customers on a path for a safer, more secure future, and it serves as the best example of how Triconex safety systems—the most dependable in the industry with more than one billion hours logged without dangerous failure—are helping our customers drive measurable, real-time improvements to their operational profitably, safely and securely.”

    “It’s the same triple-modular-redundant (TMR) architecture proven in more than 20,000 Triconex systems operating in more than 80 countries but with expanded system capacity, capability and performance packed into a 50% smaller and 67% lighter form factor.” Schneider Electric’s new Tricon CX controller (left) carries on uninterrupted the legacy of the company’s industry-leading Tricon TMR safety controllers.


    SAFETY EXCELLENCE CUTS COSTS, BOOSTS PROFITS AT PETRONAS
    By Paul Studebaker

    “Similar to airplane cockpit instrumentation, the plant instrumentation must be working perfectly or the plant is not fit and safe to operate,” said Sharul Rashid, principal engineer, instrument control systems, Petronas. The safety system is a critical layer of protection. “When alarms come in, they have to be attended to, or you get Bhopal.”

    Petroliam Nasional Berhad (Petronas) is Malaysia’s fully integrated oil and gas multinational, ranked among the largest Fortune 500 corporations. It has assets in more than 65 countries, is among the world’s top five oil and gas companies (in terms of production), and is the most profitable company in Asia. Rashid’s refinery is on Malaysia’s east coast. Its total of about 15,000 tags includes 1,086 fire & gas, 3,202 safeguarding and 11,918 DCS tags.

    At Petronas, “We have been successfully using a structured approach to properly manage the instrumented protective function/safety instrumented function (IPF/SIF) lifecycle.” IPF classification is divided into three categories based on the nature of the business process. The plant instrument team is responsible to:

    1. Ensure that all IPF in the existing plant are classified via an IPF study, to be conducted by GTS (Group Technical Services).

    2. Ensure that data used for the IPF study are the latest and updated.

    3. Be the custodian of the master copy of the finalized report.

    The management of change (MOC) project team is responsible to:

    1. Ensure that new IPF tags are classified via IPF Study to be conducted by GTS.

    2. Properly hand over to the instrument and maintenance teams all the related IPF documents.

    When the plant was new, an instrumented protective function (IPF) study showed that using one out of two voting (1oo2) transmitters resulted in poor availability. Two out of three (2oo3) was more reliable, but 1oo2 was used where it met the safety requirements.

    At hand-off and every five years, IPFs are studied and reclassified as needed. “Once you have made the study, don’t put it on the shelf. Study it, and implement the changes it suggests as a project,” Rashid said. “If the current configuration doesn’t meet the requirements, close the gaps. But, if the CAPEX is very expensive, we must apply ALARP (as low as reasonably practical).”

    “Allowing a one-hour delay on 100 loops, at $10,000 per loop, can significantly improve profitability.” Petronas’ Sharul Rashid discussed how safety instrumented functions at one of the company’s refineries in Malaysia.

    Safety is typically viewed as a necessary expense. It isn’t free, but doing it right can improve profits when it reduces the costs of unreliability, as demonstrated by a Petronas refinery in Malaysia and explained at the EcoStruxure Triconex User Group meeting this week in Galveston, Texas.

    Projects also can be driven by profitability. Lost production due to lack of availability has a cost, and that is considered in the safety review. “At Petronas, we have to design to meet both safety and availability criteria,” Rashid said. The product loss equation (PLE) changes with the price of oil, which can change the cost of availability and drive a change from less reliable 1oo2 to more reliable 2oo3 if the cost of the change is not prohibitive.
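    The 1oo2-versus-2oo3 trade-off Rashid describes can be put in numbers with a simple voting model. The Python below is an added worked example, not Petronas’ or Schneider Electric’s calculation: for an MooN group of independent channels it computes the probability that the group fails to act on a real demand and the probability that it trips spuriously, which is the availability cost that feeds the product loss equation. The per-channel probabilities are assumed values, and the model ignores common-cause failures, diagnostics and proof-test intervals that a full SIL calculation includes, so it shows the shape of the trade-off rather than a SIL verification.

```python
"""Availability versus safety for MooN voting groups of independent channels.

Added example, not Petronas' or Schneider Electric's calculation. The
per-channel probabilities are assumed; common-cause failures,
diagnostics and proof-test intervals are ignored, so the numbers show
the trade-off in shape, not a SIL verification.
"""
from math import comb


def p_at_least(k: int, n: int, p: float) -> float:
    """Probability that at least k of n independent channels are in a state
    each channel enters with probability p (binomial tail)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def voting_metrics(m: int, n: int, p_dangerous: float, p_safe: float):
    """For an MooN group the SIS trips when at least M of N channels demand a trip.

    - It fails to act on a real demand when fewer than M channels can still
      detect it, i.e. at least N-M+1 channels have failed dangerous.
    - It trips spuriously when at least M channels falsely demand a trip.
    Returns (probability of failure on demand, probability of spurious trip)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    pfd = p_at_least(n - m + 1, n, p_dangerous)
    spurious = p_at_least(m, n, p_safe)
    return pfd, spurious


def compare_architectures(p_dangerous: float, p_safe: float) -> dict:
    """PFD and spurious-trip probability for the common voting schemes."""
    return {
        "1oo1": voting_metrics(1, 1, p_dangerous, p_safe),
        "1oo2": voting_metrics(1, 2, p_dangerous, p_safe),
        "2oo2": voting_metrics(2, 2, p_dangerous, p_safe),
        "2oo3": voting_metrics(2, 3, p_dangerous, p_safe),
    }


def spurious_trip_ratio(p_safe: float) -> float:
    """How many times more often a 1oo2 group trips spuriously than a 2oo3
    group built from the same channels (the dangerous rate does not enter)."""
    _, s_1oo2 = voting_metrics(1, 2, 0.0, p_safe)
    _, s_2oo3 = voting_metrics(2, 3, 0.0, p_safe)
    return s_1oo2 / s_2oo3


if __name__ == "__main__":
    # Assumed per-channel values: 1% chance a channel cannot detect a demand,
    # 5% chance per period that it raises a false demand (e.g. transmitter fault).
    for name, (pfd, spurious) in compare_architectures(0.01, 0.05).items():
        print(f"{name}: PFD={pfd:.2e}  spurious trip={spurious:.2e}")
    print(f"1oo2 trips spuriously {spurious_trip_ratio(0.05):.1f}x as often as 2oo3")
```

    With the assumed values, 1oo2 gives a PFD of 1.0e-4 but a 9.75% spurious-trip probability, while 2oo3 gives a PFD of about 3.0e-4 and a 0.725% spurious-trip probability: adding the third transmitter raises the dangerous-failure figure only modestly and cuts nuisance trips by more than an order of magnitude, which is the availability gain that has to be weighed against the CAPEX of the extra transmitter and penetration.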

    “Safety standards are many and confusing, and you need to keep up on them,” Rashid said. “A lot of things change when the standards change. It’s a constant challenge.” Being innovative and applying the latest standards has allowed Petronas to perform safety system projects that improve profitability.

    For example, NAMUR safety standards allow up to one hour for response to a transmitter alarm. Petronas may place a time-limited, automatic override on 1oo2 systems to allow the plant to respond to a transmitter malfunction without tripping the safety system, Rashid said. “Allowing a one-hour delay on 100 loops, at $10,000 per loop, can significantly improve profitability.”

    In other cases, 1oo2 can be converted to 2oo3 by adding a transmitter. Where wiring costs are prohibitive, it might be a wireless transmitter. Where another penetration is not practical, it may be possible to use a nearby process transmitter. “When it is not practical to add a transmitter due to penetration or wiring costs, we can use a control transmitter with a barrier,” Rashid said. “One channel goes to the DCS, and the other channel from the barrier goes to the safety system.”

    In this case, it’s necessary to provide a procedure for maintenance to override the safety system when needed for control system maintenance.

    The refinery also takes full advantage of valve and transmitter self-diagnostics, automatic safety system testing, and other condition-monitoring techniques to improve reliability. It’s just one way they help keep Petronas safely near the top of the Fortune 500.

    SCHNEIDER ELECTRIC SOLUTIONS MAKE SAFETY PAY OFF
    By Jim Montague

    In an era when every control component, automation application and process facility must contribute to pervasive business goals of running lean and doing more with less, safety instrumented systems (SIS) and supporting solutions must also do their part to aid overall corporate efforts—of course, without compromising their essential mission of protecting health and well-being.

    However, while many people can talk about process safety being a good investment or aiding profitability, few can show end users how to make it happen in their own applications. One organization that can is Schneider Electric, which presented a detailed roadmap for making process safety profitable in a multi-booth tour of its Innovation Hub exhibit hall at its EcoStruxure Triconex User Group conference this week in Galveston, Texas.

    Shorter path to profit

    The first exhibit showed how three software solutions, EcoStruxure Foxboro DCS, EcoStruxure Maintenance Advisor and EcoStruxure Profit Advisor, coordinate their on-screen capabilities to streamline production tasks for control room operators, and grant them the awareness to make better decisions.

    For instance, Steve Tiller, technical sales consultant, Schneider Electric, reported that EcoStruxure Foxboro DCS can detect a valve or other field device via its I/O card, monitor its regular performance, and arrange to remove it for service if its process variable or other parameter shows it’s not working right. However, far from stopping at performance optimization, EcoStruxure Foxboro DCS also reaches out to EcoStruxure Profit Advisor, which calculates and communicates back the expected profit loss that will occur by taking the field device out of service for an hour, week or other time period.

    “This added revenue information means operators can make better decisions back on the operations side,” added Tiller.

    This coordination between EcoStruxure Foxboro DCS and EcoStruxure Profit Advisor employs Seeq software for analytics and display, so users don’t have to build graphics. These two software packages also work in conjunction with EcoStruxure Maintenance Advisor, which can receive alerts about the valve or field devices, and automatically notify maintenance personnel. “For example, an alarm on an EcoStruxure Foxboro DCS screen will show up on EcoStruxure Maintenance Advisor, along with basic data, such as when the transmitter was last maintained, which makes it much easier for users to triage their tasks,” said Tiller.

    At the same time, Elliott added that collected failure rate data shared by EcoStruxure Foxboro DCS and EcoStruxure Maintenance Advisor can also go to safety system personnel to aid their initiatives and further boost potential safety and profitability.

    “These complementary, integrated software offerings give users all the range and options for integrating their DCS,” said Steve Elliott, senior director of marketing, Schneider Electric Process Automation. “This is important because upstream applications are more about simply turning equipment on and off, while downstream applications have a lot more different steps, which means they all need different operating philosophies and methods.”

    Expert in the field

    The Innovation Hub also featured Schneider Electric’s recent release of its EcoStruxure Field Device Expert software that improves how engineers commission, configure and maintain field devices throughout plant lifecycles. Field Device Expert’s Intelligent Commissioning Wizard completely automates detection, configuration, commissioning and testing of HART field instrumentation connected to an EcoStruxure Foxboro DCS. This is useful because automatic binding and configuration of HART devices has been shown to reduce commissioning schedules by more than 75% and achieve faster time to profit.

    “Users simply click on a new device, and EcoStruxure Field Device Expert goes through the system to help find and commission it,” said Elliott. “Replacement devices are also recognized, and the software looks for their information, too, and maps them to the template. Users just install two wires, hit a button, and the Commissioning Wizard goes and finds what they need.”

    Validating safety

    To help reduce project scheduling and time to startup, EcoStruxure Safety Validator software can test function blocks, safety logic, SIFs and all kinds of related operations scenarios, according to Alejandro Fung, technical sales consultant, Schneider Electric.

    “Safety testing is usually very manual, but EcoStruxure Safety Validator reduces a lot of the human effort that used to be required,” explained Fung. “EcoStruxure Safety Validator also reduces testing time by enabling automatic reuse of scripts, documenting changes, and flagging fails. It also issues a final report that users can sign off on, and replaces a lot of paper along with that former manual labor.”

    “EcoStruxure Tricon CX v11.4 expands system capacity, capability and performance while still being 100% compatible with existing Tricon systems,” Mark Turner, manager of Triconex safety products, Schneider Electric, on the company’s latest safety controller release.

    Fung reported that EcoStruxure Safety Validator can also test each SIF, and is intelligent enough to inform users to check certain aspects. “It’s also highly integrated with Tricon controllers and EcoStruxure Foxboro DCS, which lets users run their tests in minutes instead of days,” said Fung.

    Elliott added that, “We had one customer with 90 burner management systems (BMSs) and 15 standard function blocks, and they reported saving two days during the functional acceptance test (FAT) for each BMS by using EcoStruxure Safety Validator. This resulted in a total savings of 180 days, plus they also saved added time on other coding and testing.”

    Seeing the system

    As many once-separate process systems join hands and work together, it can get hard to determine where one function ends and another begins. To outflank this difficulty, EcoStruxure System Advisor follows individual device tags all the way through their systems, and keeps track of any changes to them, according to Domenico Napoli, global offer manager, System Advisor and Control Advisor, Schneider Electric.

    “This is a fully documented system that captures all programs, library names, tags and hardware,” said Napoli. “It tracks changes between versions from the first to the last and everything in between, and it also has audit capabilities for further documentation and access to essential information.”

    Analyze and manage trips

    To help users make sure they’re meeting their design targets and testing, EcoStruxure SIF Manager Trip Advisor enables them to deal with unplanned outages by understanding why their trips are happening.

    “EcoStruxure SIF Manager Trip Advisor lets users streamline their trip investigations, reduce the effort spent on them by 30%, and also improve their SIF performance,” said Caleb Mellbom, technical sales consultant, Schneider Electric. “EcoStruxure SIF Manager Trip Advisor shows everything a user could want to track related to a trip, displays trends in real time, and makes a report for each trip, including response time and sequence of events. These reports are available as PDFs, so they’re also easy to share.”

    Mellbom added that a trip arrives with a time stamp, so it’s filterable, while an editor function lets users generate quarterly or monthly reports based on each event. “There’s also a legend so even users that are unfamiliar with the software can identify the root cause,” he added. “EcoStruxure SIF Manager Trip Advisor gives users a snapshot of conditions at the time of a trip, centralizing the variables and other data collected from multiple sources in one report.”

    Alarming and bypassing

    Similarly, EcoStruxure Safety View Alarm and Bypass software communicates with Schneider Electric’s Tricon safety platform, and runs independently of its user’s DCS and HMI to enable safer operations.

    “When high-priority alarms occur, and bypass management is needed to help replace devices, EcoStruxure Safety View Alarm and Bypass can work around the usual control system, and talk directly to the Tricon safety controller,” explained Ryan Nelson, technical sales consultant, Schneider Electric.

    “We’re showing asset performance on an operations risk matrix, so supervisors and managers can see what’s happening with their safety portfolio and if they’re at an acceptable risk threshold,” said Elliott.

    Farshad Hendi, safety practice leader, Americas and Europe, Schneider Electric, demonstrated a proof of concept for an EcoStruxure Triconex software suite that will even provide an enterprise view of the safety performance of all of a user’s assets. This solution is presently in beta testing, and is scheduled to be released early in 2019.

    “This solution abstracts information about safety in a configurable green, yellow, orange and red matrix,” Hendi explained. “It shows users where they are now, but it can also help them forecast what will happen if they put some equipment in bypass or conduct a test. This can indicate if what they’re doing is likely to be a wise decision or not by showing the consequences of their actions on the matrix.”

    Latest safety controller

    The Innovation Hub was highlighted by EcoStruxure Tricon CX v11.4, which Schneider Electric reports is its most secure, powerful safety controller. Designed to empower users to plan for, identify and manage real-time operating and business risks, it helps drive measurable operational profitability and do it safely. Its new features include:

    • Online upgrades without operational interruption.

    • New fault-tolerant 1 GB I/O bus and fiber-optic adaptors that allow greater distances, system flexibility and enhanced end-to-end performance.

    • Reduced system engineering and installation costs, while shortening project schedules and reducing risk, via intelligent enclosures and universal safety I/O.

    • Faster systems engineering and configuration.

    • Faster maintenance issue resolution and greater accuracy via Enhanced Diagnostic Monitor software; new Sequence of Events recorder and playback for faster event analysis and identification of process upsets and outages; and high-speed data logging for quick and accurate resolution of operational issues.

    “EcoStruxure Tricon CX v11.4 expands system capacity, capability and performance while still being 100% compatible with existing Tricon systems,” said Mark Turner, manager of Triconex safety products, Schneider Electric. “It provides triple modular redundancy in a smaller form factor, so users can deploy it in existing systems. It also has supervisory digital inputs, HART pass-through capability, OPC-UA for bringing in common data, and cybersecurity protection.”

    FOCUS ON RESILIENCE TO CULTIVATE SAFETY II MINDSET
    By Paul Studebaker

    When tasked to improve safety, most people try to minimize what goes wrong by providing procedures and having workers follow them. When workers don’t do that and something goes wrong, we tend to try to fix something, update the procedures and retrain the workers. “Some people call it, ‘Buy a tool, hold a meeting,’” said Steve Cutchen, investigator, U.S. Chemical Safety Board, at this week’s EcoStruxure Triconex User Group conference in Galveston, Texas. “What most people think about now is what we call Safety I. Some new concepts are leading us to Safety II.”

    The U.S. Chemical Safety Board investigates incidents and makes specific recommendations to improve safety based on the results of those investigations. In one incident, a refinery had a puddle on the floor due to an overhead pipe dripping about once every five seconds. “It was puzzling because there was no pipe flange at the drip location,” Cutchen said. “A rather large group of refinery employees had gathered around, trying to identify the cause of the leak, when the pipe blew out, releasing an opaque cloud that engulfed the employees and drifted over the neighboring city.”

    How we got to Safety I

    Today, the accepted practice is to try to have as few things as possible go wrong. Management writes procedures and in their vision, people follow them. “People work as we imagine they do,” Cutchen said.

    The current concept of safety dates back to the late 1960s, when management targeted people as the immediate cause of unintended outcomes. Management implemented programs like “Take 2 and Stop, Think, Act, Review (STAR). We did job safety analysis and had ‘stop work’ rules if a hazard was perceived,” Cutchen said. “The implication was, it’s always the person. It’s about reducing mistakes. To reduce mistakes, make people care more.”

    Then managers started looking at the systems themselves, and latent problems. They implemented process hazard analysis, management of change, safety instrumented systems, integrity levels and layers of protection.

    Next, they started to target non-routine as well as routine operations. “These include startups, shutdowns, online cleaning of heat exchangers, etc. using procedures from the shelf,” Cutchen said. “Again, work-as-imagined, with operational discipline.”


    But unplanned things happen, in particular, abnormal operations bring unforeseen situations. “You can’t pre-specify every task, so abnormal operations have to be worked out on the fly, then we write a new procedure,” Cutchen said. “But system fixing becomes endless, like whack-a-mole. Work as-done doesn’t always match work-as-imagined. And at the times of highest risk, procedural operations aren’t there.

    “In abnormal operation, there is no predeterminable path from cause to effect. This is a characteristic of complexity. This is why there is a necessity for resilience, and the genesis of Safety II.”

    Simple, complicated, complex, chaotic

    What is a complex system? “For example, you are a complex system,” said Cutchen. “You are the way you are for many reasons, including your genes, how you were nurtured and raised, your experiences, etc. To understand complexity, start with simplicity.”

    A simple system works in an obvious way, with a clear and unchanging cause and effect, and a predeterminable path. “You do X, you get Y, like a light switch by the door. It’s always there and if you flip it, you get light,” Cutchen said. The operator approach is sense-categorize-respond, to apply the best practice.

    A complicated system has a predeterminable path, but understanding cause and effect requires analysis, which results in an expert procedure. An example would be making a cheesecake—there are many ways to do it. You could go to the store, buy a mix and follow the directions, or learn from your grandmother how it’s done. The operator approach is sense-analyze-respond, to apply a chosen good practice.

    But a complex system has no predeterminable path, only guidelines and constraints. Cause and effect are only apparent in hindsight, “like raising children,” Cutchen said. “Suppose one of them asks permission to go to a friend’s house for a party and for the first time, there will be boys and girls there. You don’t know the cause and effect, so you ask questions and get more information before you decide what to do.” The operator approach is probe-sense-respond, to apply a unique, constrained practice.

    Finally, a chaotic system has no predeterminable path and no visible constraints. Causes and effects have no apparent relationship. For example, most people would experience a tire blowout on the freeway as chaotic. The approach is act-sense-respond, applying a fast, novel practice to stabilize the situation.

    From human error to human resilience

    Safety systems started as ways to target human impact on unintended outcomes, using tools to prevent mistakes. “We realized the solution extended beyond the person, and it’s our systems that need to be improved, so we look for latent causes,” Cutchen said. “Then you realize the system-fixing is endless—it’s impossible to identify every error-provoking situation, to pre-specify every task. Work-as-done does not always match work-as-imagined.”

    The key is learning from responses to complexity. “It’s not that people are the cause of things going wrong a fraction of the time. It’s that people are the cause of things going right almost all the time,” Cutchen said. “When people respond to complexity, they do the right thing almost all the time.”

    The natural human response to complexity is resilience. People demonstrate resilience when they resolve conflicts, anticipate hazards, accommodate variation and change, cope with surprise, work around obstacles, detect and recover from miscommunications and mis-assessments, and close gaps between plans and real situations. “People are good at this stuff because people are resilient,” Cutchen said.

    Realizing that people are resilient and using that strength gets us to Safety II. Adverse outcomes are not the result of unusual actions in usual conditions, they are the result of usual actions in unusual conditions.

    Steve Cutchen, U.S. Chemical Safety Board investigator, discussed the importance of human resilience in safely dealing with complexity.


    Contrast Safety I with Safety II: In Safety I, people are error-prone, a liability or hazard; in Safety II, people take actions based on decisions that seem correct at the time.

    In Safety I, the goal is that as few things as possible go wrong. In Safety II, the goal is that as many things as possible go right.

    In Safety I, the operational discipline is to execute work–as–imagined and reprimand for failure. In Safety II, leadership inspires resilient action and collaboration toward common goals.

    A Safety I risk assessment is a classification of known hazards to reduce frequency and consequences. In Safety II, risk assessment includes searching for boundaries where procedural controls become ineffective.

    Safety I investigations use hindsight to critique technical, human, and organizational failures. Safety II investigations recognize that hazardous activities normally go right—what was different this time?

    Safety I is reactive: respond when something happens or is categorized as unacceptable risk. Safety II is proactive: anticipate complexity and set guidelines. “Strive to merge work–as–imagined and work–as–done,” Cutchen said.

    Cultivate resilience

    Complex systems require a resilient response. The refinery with the leaking pipe was Chevron’s in Richmond, California. Eighteen Chevron employees were caught in the opaque vapor cloud. All but one escaped just before the cloud ignited; the one who did not also survived, and six suffered minor injuries. In the weeks following the incident, nearby medical facilities received more than 15,000 members of the public.

    “Instead of shutting down, the workers wanted to daylight the source of the leak so they could diagnose it. They were pulling insulation when it ruptured. It turns out the insulation bands were reinforcing the line,” Cutchen said. “Many of the employees survived by dropping to their knees and crawling along the curbing to find their way out of the cloud.”

    To put your facility on the path to Safety II, “You need to implement traditional safety system improvements, error-preventing tools and strong process safety management systems,” Cutchen said. “But also pay attention to the hair on the back of your neck. Recognize and incorporate good lessons from work-as-done.

    “To diagnose complexity, discover where procedures are not enough. Harness human response, and learn the reasons things go right. Collaborate to create system robustness—to create the ability to handle the unexpected. This is implementation of resilience.”

    Start by finding a task where work–as–imagined can be improved by implementing lessons from work–as–done. “Maybe it’s your interlock bypass system, maybe something else where a procedure is not being followed,” Cutchen said. “Fix it, then find another. Make work easy to do right and hard to do wrong. That’s it.”

    CLOSING THE LOOP ON SAFETY SYSTEM MAINTENANCE
    By Jim Montague

    Everyone knows that not every potential hazard and safety threat can be eliminated, but everyone also knows we can get closer to zero incidents, and do it using tools and capabilities that are typically already in place and available.

    “Safety systems and their requirements can be very complex, so we want to simplify as much as possible,” said safety systems consultant Daniel Poston, P.E., TÜV FS Eng. “Random failures are predictable by understanding the failure modes that need to be tested. Systematic safety issues and failures are real, but they’re rarely addressed appropriately because there’s no plan or they aren’t addressed in initial designs. As a result, we need to develop more robust processes that minimize and eliminate systematic errors before they happen.”

    Poston presented “Goal Zero Functional Safety: Safety System Lifecycle Execution with Small Company Resources,” this week at the EcoStruxure Triconex User Group conference in Galveston, Texas.

    Random vs. systematic

    To head off hazards, threats and incidents at the pass, Poston explained that end users must start with the right criteria for their applications and facilities, which means they often look to safety standards for guidance. For example, IEC 61511, 2nd edition, defines functional safety in section 3.2.23 as follows: “Part of the overall safety relating to the process and the basic process control system (BPCS) depends on the correct functioning of the safety instrumented system (SIS) and other layers, such as mitigation, prevention, control/monitoring and process.”

    This lays the groundwork for determining, designing in, implementing and achieving safety integrity, which section 3.2.68 defines as the ability of an SIS to perform its safety instrumented function (SIF), according to Poston. “To determine safety integrity, all causes of random hardware and systematic failures that lead to an unsafe state can be included, such as hardware failures, software-induced failures and failures due to electrical interference,” he stated. “Some of these failures, especially random hardware failures, may be quantified using measures such as average dangerous failure frequency or the probability of failure on demand. However, safety integrity also depends on many systematic factors that can’t be accurately quantified, and are often considered qualitatively throughout the lifecycle.

    “Random and systematic failures must be considered to achieve required safety integrity. Some can be put into designs, but not all.” Poston added that:

    • Random hardware failures (section 3.2.58) typically occur at predictable rates but at unpredictable times.

    • Systematic failures (section 3.2.81) are related to pre-existing faults, and can only be eliminated by modifying designs, processes, operational procedures or documentation.

    • Common cause failures (section 3.2.6.1) are concurrent failures of different devices that result from one event.

    Plan, operate and maintain

    Once safety integrity has been designed into a system or application as much as possible, and problematic issues have been removed, Poston reported that safety becomes more of a maintenance issue. This is where the planning for operation and maintenance (section 5.2.5.3) takes over, advising, “Procedures shall be implemented to evaluate the performance of the SIS against its safety requirements to identify and prevent systematic failures that could jeopardize safety.” Meanwhile, section 16.2.2 details maintenance procedures to be followed when faults or failures occur in an SIS, such as fault diagnostics and repair, revalidation, maintenance reporting and tracking.

    “If systematic faults still exist, we need to identify and eliminate them,” said Poston. “This can be difficult because systematic issues can also creep into designs. The impact of systematic error on safety integrity also depends on the complexity of the process system, number of people involved, and the safety level they’re trying to achieve. All of these contribute to where and how much attention needs to be paid to safety.”

    “You really have to make safety a closed-loop system.” Dan Poston discussed the importance of creating a collaborative platform for planning, executing and validating maintenance of a plant’s safety instrumented functions.


    Functional safety management

    To handle all these operational factors but still keep systems running safely, Poston reported that functional safety management (FSM) principles and tools offer the most useful methods and procedures. “FSM depends on the correct functioning of the SIS,” he explained. “This includes creating a plan; putting processes in place to execute it; following those processes; validating that those processes were followed; and correcting errors. You really have to make safety a closed-loop system.”

    For a large process application, facility or organization with hundreds of SIFs including many at SIL 2 or higher, Poston added that designing a safety system can be extremely complicated, and will involve people from all related disciplines. To determine challenges, minimize errors and fill gaps in procedures, he recommended that users employ software tools like Microsoft SharePoint that many already have installed.

    “In a typical FSM project, users can transfer their process hazards analysis (PHA) to SharePoint and an Excel spreadsheet; create safety functions and safety requirement specifications (SRS); manage project issues and action items; and coordinate training, competencies, functional safety analysis (FSA), management of change (MOC) and procedures. All of these can be tied into a good FSM process tool. Later, they can compare what they thought would happen to what really happened, find new issues and remove them, too.”
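    As an added worked example, written for this report rather than taken from Poston's presentation or from any Schneider Electric tool, the script below puts numbers on the two points above. It quantifies the random-hardware side of a SIF with the simplified low-demand PFDavg equations (the ISA-TR84.00.02 / IEC 61508-6 forms for 1oo1, 1oo2 and 2oo3, with a beta-factor term for the common cause failures listed under "Random vs. systematic"), and then closes the loop the way the FSM passage describes: it recomputes PFDavg from the proof-test interval the maintenance records actually delivered, not the interval written in the SRS, and compares the result with the target SIL. The SIF tags, failure rates, beta values and proof-test dates are constructed for illustration.

```python
from datetime import date

# Simplified PFDavg equations for low-demand SIFs (ISA-TR84.00.02 / IEC 61508-6
# style). Valid only when lambda_du * ti is small, which the function checks.
#   lambda_du : dangerous undetected failure rate, per hour
#   ti        : proof-test interval, hours
#   beta      : common cause fraction for redundant channels (0.0 - 1.0)
def pfd_avg(lambda_du, ti, arch="1oo1", beta=0.0):
    x = lambda_du * ti
    if x > 0.1:
        raise ValueError("lambda_du * ti too large for the simplified equations")
    if arch == "1oo1":
        return x / 2
    if arch == "1oo2":
        return x * x / 3 + beta * x / 2
    if arch == "2oo3":
        return x * x + beta * x / 2
    raise ValueError("unsupported architecture: " + str(arch))


# IEC 61511 low-demand bands: (lower bound, upper bound, SIL)
SIL_BANDS = ((1e-2, 1e-1, 1), (1e-3, 1e-2, 2), (1e-4, 1e-3, 3), (1e-5, 1e-4, 4))


def sil_from_pfd(pfd):
    for lower, upper, sil in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return None  # above the SIL 1 band or below the SIL 4 band


def longest_gap_hours(test_dates, as_of):
    """Longest interval the SIF actually went untested, including the open
    interval from the last test up to as_of. This is the TI that work-as-done
    delivered, whatever the SRS said."""
    dates = sorted(test_dates)
    gaps = [(b - a).days * 24 for a, b in zip(dates, dates[1:])]
    gaps.append((as_of - dates[-1]).days * 24)
    return max(gaps)


def review_sif(sif, as_of):
    """Compare the SIL the SRS designed for (work-as-imagined) with the SIL the
    proof-test records support (work-as-done)."""
    designed = pfd_avg(sif["lambda_du"], sif["ti_hours"], sif["arch"], sif["beta"])
    actual_ti = longest_gap_hours(sif["proof_tests"], as_of)
    achieved = pfd_avg(sif["lambda_du"], actual_ti, sif["arch"], sif["beta"])
    achieved_sil = sil_from_pfd(achieved)
    return {
        "tag": sif["tag"],
        "target_sil": sif["target_sil"],
        "designed_pfd": designed,
        "designed_sil": sil_from_pfd(designed),
        "actual_ti_hours": actual_ti,
        "achieved_pfd": achieved,
        "achieved_sil": achieved_sil,
        "meets_target": (achieved_sil or 0) >= sif["target_sil"],
    }


# Constructed sample SIFs and proof-test history (hypothetical tags and rates).
SIFS = [
    {"tag": "SIF-101", "arch": "1oo1", "lambda_du": 1e-6, "ti_hours": 8760,
     "beta": 0.0, "target_sil": 2,
     "proof_tests": [date(2016, 10, 1), date(2017, 10, 1), date(2018, 10, 1)]},
    # Designed as a SIL 3 loop with annual tests, but one proof test was skipped.
    {"tag": "SIF-202", "arch": "1oo2", "lambda_du": 2e-6, "ti_hours": 8760,
     "beta": 0.1, "target_sil": 3,
     "proof_tests": [date(2016, 4, 1), date(2018, 9, 1)]},
]
AS_OF = date(2018, 10, 16)


def review_all(sifs=SIFS, as_of=AS_OF):
    return [review_sif(s, as_of) for s in sifs]


if __name__ == "__main__":
    for r in review_all():
        print("{tag}: target SIL {target_sil}, designed SIL {designed_sil} "
              "(PFDavg {designed_pfd:.2e}), achieved SIL {achieved_sil} "
              "(PFDavg {achieved_pfd:.2e} at TI {actual_ti_hours} h) "
              "-> {status}".format(status="OK" if r["meets_target"] else "GAP", **r))
```

    Two things the numbers show that the prose does not. For SIF-202 the design PFDavg stays comfortably inside the SIL 3 band on paper; only the comparison against the maintenance record reveals that the loop has been running at SIL 2, and the skipped test is a systematic failure (a procedure not followed), not a random one, so no failure-rate data would have exposed it. And setting beta to zero for the 1oo2 loop shows that most of a redundant loop's PFDavg is the common cause term, which is why separation and diversity between channels often buy more than adding a third one.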

    TRIDENT RETROFIT PACKS HIGH AVAILABILITY INTO SMALL FOOTPRINT
    By Keith Larson

    When Brad Wentling was looking to modernize the controls on his employer’s trio of olefin compressor trains, three factors were top of mind. First, the project support analyst needed to replace turbine and compressor controls that were growing increasingly difficult to maintain and repair. “Obsolescence always is an issue,” Wentling said. “We don’t want to end up buying parts on eBay.”

    Second priority was higher system availability, to be enabled by redundancy of key control system components. “We wanted extensive redundancy to avoid spurious trips,” Wentling said. Redundancy would also allow system maintenance to be performed without shutting down production.

    Third priority was that the new, more capable system be compact enough to readily fit within the obsolete system’s footprint.

    Wentling ultimately selected Schneider Electric to supply new integrated turbine/compressor controls centered on the company’s Trident SIS Logic Solver platform, a new human-machine interface for monitoring of system performance, and a mechanical retrofit that included turbine valves and trip-and-throttle (T&T) valve replacements.

    Wentling, together with Sarah Harper-Tarantolo, project application engineer, Schneider Electric, detailed the recent upgrade during a presentation at this week’s EcoStruxure Triconex User Group meeting in Galveston, Texas.

    Space constrained

    The legacy control system had been contained within a two-doored cabinet with controller and I/O modules in the front and I/O marshalling in the back. A similar cabinet layout was used for the new system, with existing cabling marshalled in the rear of a new purged cabinet for the Class I, Div 2 environment.

    Meanwhile, in the front of the cabinet reside triplicated Trident main processors, redundant communications modules, sixteen I/O modules (with hot spare), redundant 28 VDC power distribution system, independent overspeed trip device, DCS/HMI network switch and daisy-chained HART communications interface.

    “The entire system is now maintainable online,” said Harper-Tarantolo. “So hopefully we never have to bypass again.”

    The integrated control system for the compressor/turbine pairs handles startup/shutdown sequencing, machine protection functions, governor speed control, governor extraction control, compressor anti-surge control, compressor performance control, servo position control along with a range of auxiliary controls such as oil pump start/stop.

    Other redundant Schneider technologies in play include TRAC (for Turbine Redundant Actuator Control), which supports triplicated servos working together to supply or drain oil of the power cylinder, as well as Trip Block Assemblies (Quadvoter), which supports two redundant paths (with two servos each) to dump trip oil in the event of a trip.

    Results delivered

    Like most control system modernization projects, this one was not without its challenges. And the fact that the plant’s main DCS and SIS were being modernized at the same time certainly didn’t help, said Wentling. Some late design changes and custom factory acceptance test (FAT) procedures posed bumps in the road, Harper-Tarantolo noted. And both organizations came away with a renewed appreciation for the importance of regular communications among the busy project teams.

    In the end, the project delivered improved mechanical functionality and updated controls; enabled compliance with API 612 and API 670 requirements; optimized existing space constraints; enabled online maintenance and removed single points of vulnerability; boosted reliability, uptime, safety and ease of operation; and reduced spurious trips, maintenance costs, and long lead times for repair.

    Since installation, there have been several system trips unrelated to the new controls, and the system responded flawlessly, Harper-Tarantolo said.

    “We’re very happy with the new system,” Wentling added. “We continue to tweak some test tolerances on the servos, but we’re in a good place.”

    “We wanted extensive redundancy to avoid spurious trips.” Brad Wentling’s control upgrade wish-list also prioritized small footprint and the ability to do online maintenance on the system.



    INDUSTRIAL IOT TECH NOT READY FOR SAFETY SYSTEM PRIME TIME
    By Paul Studebaker

    The limitations of industrial communication protocols are already being circumvented by Industrial IoT technology to add edge devices, condition monitoring and even process instrumentation to process manufacturing environments. Might the same approach bring benefits to safety systems?

    “IIoT is a more user-friendly and functional infrastructure for control and safety systems that will do things we can’t do now because what we have is too slow,” said Herman Storey, principal, Herman Storey Consulting, in a presentation at the EcoStruxure Triconex User Group meeting this week in Galveston, Texas. “It also needs cybersecurity—authentication, authorization, time synchronization, key management and encryption. It has the high speed, but needs better options for routable, remote and mobile industrial applications. I can see its use for new applications, but do we need cloud-based applications? I’m not so sure.”

    For industrial applications, industry needs to settle on one infrastructure. It shouldn’t be the Apple model, where each application is a data island and no information is shared, nor the Google model where all information is accessible to all applications—”an Internet of Everything,” Storey said. “We need an industrial model with a white list, lockdown, and security management and tools, where all access is managed by who can access data and what they can do with it.”

    In what industry has now—the legacy model—each communication bus has its own app and network technology, where sharing and management are not supported. Current safety bus standards only protect data in the application layer. Configuration is not protected, networks are not protected or managed (no authentication or authorization), and field devices don’t have encryption/decryption chips. Devices and networks can’t be upgraded, and device support is more difficult than necessary. Device revision migration is not well supported, which is a management of change issue.

    Update files for device support come over the internet and require system installation. Field networks are too slow to support user-friendly support features.

    “So, what we need is a new infrastructure, not the IIoT,” Storey said. “It’s not yet available.”
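    To make Storey's point about application-layer-only protection concrete, here is an added example, written for this report and not taken from his presentation or from any vendor's safety profile. It models a stripped-down safety-layer frame in the style of the black-channel safety protocols (a sequence counter plus a CRC32) and, beside it, the same frame carried with a keyed HMAC. The safety frame catches the random corruption and replay it is specified to catch, but it has no secret in it, so anyone on the network who recomputes the CRC can inject a trip or suppress one; the keyed frame rejects the same forgery. The frame layout, the demo key and the one-byte status payload are constructed for the example, and real safety profiles add consecutive-number handling, watchdog timeouts and connection identifiers that are left out here.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed payloads: a 1-byte status word, 0x00 = healthy, 0x01 = trip.
HEALTHY = b"\x00"
TRIP = b"\x01"


def build_safety_frame(seq, payload):
    """Safety-layer frame in the black-channel style: 16-bit sequence counter +
    payload + CRC32. It detects corruption, repetition and loss, which is what a
    safety profile is specified to detect. It carries no secret."""
    body = struct.pack(">H", seq) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def check_safety_frame(frame, expected_seq):
    """Return (accepted, payload). Rejects a bad CRC or a wrong sequence number."""
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return False, b""
    if struct.unpack(">H", body[:2])[0] != expected_seq:
        return False, b""  # replayed, stale or reordered frame
    return True, body[2:]


def flip_bit(frame, byte_index, mask):
    """Random corruption on the wire, the fault class the CRC exists for."""
    buf = bytearray(frame)
    buf[byte_index] ^= mask
    return bytes(buf)


def forge_safety_frame(frame, new_payload):
    """On-path attacker: keep the sequence number, swap the payload and
    recompute the CRC. Nothing in the frame distinguishes this from the
    legitimate sender."""
    body = frame[:2] + new_payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_auth_frame(key, seq, payload):
    """Same frame, but the integrity field is an HMAC-SHA256 over the body.
    Only a holder of the key can produce an acceptable tag."""
    body = struct.pack(">H", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_auth_frame(key, frame, expected_seq):
    body, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, b""
    if struct.unpack(">H", body[:2])[0] != expected_seq:
        return False, b""
    return True, body[2:]


def forge_auth_frame(frame, new_payload):
    """The same attacker has no key; the best it can do is reuse the old tag."""
    return frame[:2] + new_payload + frame[-32:]


def demo(key=b"constructed-demo-key-do-not-reuse"):
    """Run both designs against corruption, replay and deliberate forgery.
    Every entry is True when the design behaves as described in the text."""
    good = build_safety_frame(7, HEALTHY)
    good_auth = build_auth_frame(key, 7, HEALTHY)
    return {
        "crc_accepts_good": check_safety_frame(good, 7)[0],
        "crc_rejects_bitflip": not check_safety_frame(flip_bit(good, 2, 0x80), 7)[0],
        "crc_rejects_replay": not check_safety_frame(good, 8)[0],
        "crc_accepts_forged_trip":
            check_safety_frame(forge_safety_frame(good, TRIP), 7) == (True, TRIP),
        "hmac_accepts_good": check_auth_frame(key, good_auth, 7)[0],
        "hmac_rejects_forged_trip":
            not check_auth_frame(key, forge_auth_frame(good_auth, TRIP), 7)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

    The keyed variant is the smallest possible illustration of the authentication Storey asks for, not a complete design: it still needs the key management he lists (how the key reaches the field device and how it is rotated), and an anti-replay window rather than a single expected counter if frames can legitimately be lost.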

    One possibility is TSN/DetNet, a joint venture of IEEE, IETF, and AVnu. “This technology will improve time synchronization, priority, scheduling, and network management for any IP network,” Storey said. IEEE TSN is improving 802.1, 802.3, 802.11, 802.15.4 and 1588. IETF DetNet will support those improvements’ ability to manage data streams or sessions instead of packets. AVnu Alliance will provide compliance assurance and support for network management. “Time synchronization is now 1 msec in 1588,” Storey said.

    Real-time applications will be able to offer significant performance improvements with this technology applied to data streams from end to end, with the ability to prioritize, schedule and synchronize both communications and applications. “Most communication protocols are adopting this new technology to work with their application layer,” Storey said. “Improved speed and management will allow for security and enhanced ease of use.

    “Improved technology is available to developers and is prototyped, but you can’t buy it today.”

    Support and certification organizations are developing interoperability specifications and conformance tests so existing application information can be retained and reused. The new technology will meet security and safety requirements, and improve user friendliness. “Eventually, new applications will become available, but new technology adoption will take a long time—I think decades,” Storey said.

    Device management needs work, too

    Meanwhile, today several standards related to intelligent device management (IDM) are in progress. ISA108 Part 1 has been published by ISA and submitted to IEC as a new work item proposal. IEC formed SC65E WG10 for this work, a document has been circulated in IEC and comments resolved. IEC 63082-1 has been recirculated in IEC, and is out for comment now. “ISA108 Part 2 development is in progress and will be submitted to IEC when it’s ready,” Storey said.

    IDM standards are needed to specify tools, devices and systems to manage data. “Today, there are a lot of tools to manage, and we need a template for each one. Getting them right is a complicated task,” Storey said. We have separate configuration tools for device and host integration. Visitor hosts (handhelds) are hard to use, which often results in incomplete configurations and configuration mismanagement (or configuration drift). “To make configurations and diagnostics work right, we need tools for both the device and the system, and for startups when we have multiple users, we need simultaneous multiple access with secure, shared data,” Storey added. “Download and migration tools need a lot of support from the vendors.”

    Further, “A lot of people claim backward compatibility when it doesn’t work,” Storey said. “Work processes are not standardized, and common tools don’t support good work processes. Some tools require interactive single-parameter entry for configuration—devices don’t come with workable sets of default parameters (templates). Current protocols also leave a lot to be desired for implementing diagnostics, finding undiagnosed faults and dealing with alerts,” Storey said.

    In conclusion, “They’re good products but there are things that can help us. And we’ll need work processes to go with the tools,” Storey said. “Our current safety committee standards allow this mess. Do we want to fix it? Users will benefit but vendors may not see the ROI—barriers are money. Progress will depend on standards upgrades, and I encourage you to get involved.”
