INtech Magazine 324483-MAYJUN 2014
7/25/2019 INtech Magazine 324483-MAYJUN 2014
www.isa.org/intech
A PUBLICATION OF THE INTERNATIONAL SOCIETY OF AUTOMATION
May/June 2014
Integrating DCS I/O
Embedded vision
Multigenerational systems
Mobile user interfaces
Flow spotlight
PROCESS AUTOMATION
20 Integrating DCS I/O to an existing PLC
By Debashis Sadhukhan and John Mihevic
At the NASA Glenn Research Center, existing programmable logic controller (PLC) I/O was replaced with distributed control system I/O, while keeping the existing PLC sequence logic.

FACTORY AUTOMATION
26 Industrial automation and embedded vision: A powerful combination
By Brian Dipert
Traditional automated manufacturing systems have relied on parts arriving in fixed orientations and locations, making manufacturing processes complex and limiting flexibility. New vision technologies are enabling flexible and make-to-order manufacturing.

SYSTEM INTEGRATION
32 Integrating multigenerational automation systems
By Chad Harper
Are you planning to add new elements to your existing automation system? One system integrator says it can be done, but proceed with caution.

AUTOMATION IT
38 Mobile HMI enters a new era
By Richard Clark
New technologies are improving remote access to PC-based and Windows-embedded HMIs from smartphones and tablets.

COVER STORY
12 Top ten differences between ICS and IT cybersecurity
By Lee Neitzel and Bob Huba
Ten of the most important differences between ICS and IT system security needs are identified and described. Understanding these differences can lead to cooperation and collaboration between these historically disconnected camps.

SPECIAL SECTION: ENTERPRISE ASSET MANAGEMENT
42 Enterprise asset management
By Harry H. Kohal
Enterprise asset management should be well defined and consistently implemented. Although the software exists to facilitate this, management and maintenance are often on different pages. The daily reality of disposable attitudes versus the quest to maintain, declining expertise, and lack of focus from the top down cloud the practice of enterprise asset management.
May/June 2014 | Vol 61, Issue 3 Setting the Standard for Automation www.isa.org
DEPARTMENTS
8 Your Letters: Efficient pumping applications
10 Automation Update: USA Science & Engineering Festival, AMT talks to Congress, By the Numbers, and more
48 Channel Chat: Pediatric hospital works with CSIA member to develop unique test chamber
50 Association News: Are you qualified; certification review
54 Automation Basics: The art of level instrument selection
58 Workforce Development: Partner with your local community college
59 Standards: IACS cybersecurity
60 Products and Resources: Spotlight on flow

COLUMNS
7 Talk to Me: Silo opportunities
46 Executive Corner: Creating working information capital within your enterprise
66 The Final Say: Wireless process instrumentation: An end user's perspective

RESOURCES
64 Index of Advertisers
65 Datafiles
65 Classified Advertising
65 ISA Jobs
2014 InTech ISSN 0192-303X
InTech is published bimonthly by the International Society of Automation (ISA). Vol. 61, Issue 3.

Editorial and advertising offices are at 67 T.W. Alexander Drive, P.O. Box 12277, Research Triangle Park, NC 27709; phone 919-549-8411; fax 919-549-8288; [email protected]. InTech and the ISA logo are registered trademarks of ISA. InTech is indexed in Engineering Index Service and Applied Science & Technology Index and is microfilmed by NA Publishing, Inc., 4750 Venture Drive, Suite 400, P.O. Box 998, Ann Arbor, MI 48106.

Subscriptions: For members in the U.S., $9.52 annually is the nondeductible portion from dues. Other subscribers: $155 in North America; $215 outside North America. Multi-year rates available on request. Single copy and back issues: $20 + shipping.

Opinions expressed or implied are those of persons or organizations contributing the information and are not to be construed as those of ISA Services Inc. or ISA.

Postmaster: Send Form 3579 to InTech, 67 T.W. Alexander Drive, P.O. Box 12277, Research Triangle Park, NC 27709. Periodicals postage paid at Durham and at additional mailing office.

Printed in the U.S.A.

Publications mail agreement: No. 40012611. Return undeliverable Canadian addresses to P.O. Box 503, RPO West Beaver Creek, Richmond Hill, Ontario, L48 4RG

For permission to make copies of articles beyond that permitted by Sections 107 and 108 of U.S. Copyright Law, contact Copyright Clearance Center at www.copyright.com. For permission to copy articles in quantity or for use in other publications, contact ISA. Articles published before 1980 may be copied for a per-copy fee of $2.50.

To order REPRINTS from InTech, contact Jill Kaletha at 866-879-9144 ext. 168 or [email protected].

List Rentals: For information, contact ISA at [email protected] or call 919-549-8411.

InTech magazine incorporates Industrial Computing magazine.
WEB EXCLUSIVE
FDI meets plants' device integration needs
Plant sensors and controllers use various industrial networking protocols that require separate software to configure. Field device integration (FDI) is a new device integration technology that combines electronic device description language and provides a single device package that can streamline engineering, commissioning, and maintenance. Read more at: www.isa.org/intech/201406WEB.

InTech provides the most thought-provoking and authoritative coverage of automation technologies, applications, and strategies to enhance automation professionals' on-the-job success. Published by the industry's leading organization, ISA, InTech addresses the most critical issues facing the rapidly changing automation industry.

ISA just launched its coolest new mobile app, InTech Plus for the iPad, which delivers interactive technical content and tools in a fresh and engaging new way. You can download InTech Plus for free through the Apple App Store at www.apple.com/itunes/. Other formats are under development. For more information about InTech Plus, contact Susan Colwell at +1 919-990-9305 [email protected].
Perspectives from the Editor | talk to me

ISA INTECH STAFF
CHIEF EDITOR
Bill [email protected]
PUBLISHER
Susan [email protected]
PRODUCTION EDITOR
Lynne Franke
ART DIRECTOR
Colleen [email protected]
SENIOR GRAPHIC DESIGNER
GRAPHIC DESIGNER
Lisa [email protected]
CONTRIBUTING EDITOR
Charley [email protected]
ISA PRESIDENT
Peggie W. Koon, Ph.D.
PUBLICATIONS VICE PRESIDENT
David J. Adler, CAP, P.E.

EDITORIAL ADVISORY BOARD
CHAIRMAN
Steve Valdez, GE Sensing
Joseph S. Alford Ph.D., P.E., CAP, Eli Lilly (retired)
Joao Miguel Bassa, Independent Consultant
Eoin Riain, Read-out, Ireland
Vitor S. Finkel, CAP, Finkel Engineers & Consultants
Guilherme Rocha Lovisi, Bayer Technology Services
David W. Spitzer, P.E., Spitzer and Boyes, LLC
James F. Tatera, Tatera & Associates Inc.
Michael Fedenyszen, R.G. Vanderweil Engineers, LLP
Dean Ford, CAP, Westin Engineering
David Hobart, Hobart Automation Engineering
Allan Kern, P.E., Tesoro Corporation
Silo opportunities
By Bill Lydon, InTech, Chief Editor

There has been a great deal of discussion about isolated silos in industry creating barriers to growth, but they also offer opportunities for those willing to take the initiative. The term "silo thinking" is used in business to describe the mindset when departments do not share information and collaborate with others in the same company. That is a problem and an opportunity. In the past, departments and disciplines in manufacturing companies have worked to optimize their particular areas to be the most efficient and productive, improving controls and automation. Now automation professionals can take the initiative and apply their systems skills and thinking to view manufacturing more broadly and holistically, considering the big picture. Using this focus, automation professionals can engage with people in other groups in the organization to accomplish bigger organizational goals.

Consider taking a risk to get people from various groups to focus on some problems and opportunities to bring a wider range of knowledge and know-how to create better solutions. The exchange of knowledge and the inevitable collaboration between people can be amazing. In the process, people develop mutual respect, expertise, and skills. Making improvements together encourages trust, creates empowerment, and breaks people out of the "my department" mentality and into the "our organization" mentality.

A great example is the shift occurring in industry where the manufacturing automation and information technology groups had been standing alone, each defending its own turf. In many organizations, the groups are now collaborating and creating more efficient and responsive operating results. The ISA-95 standard for the integration of enterprise and control systems is a good focal point for these discussions with models and terminology.

Sometimes the lack of collaboration between siloed groups comes into sharp focus when there are problems. Part of my career dealt with fixing large projects in the field that went off the track, with every group blaming the others for the problems. A favorite and figurative way to describe these situations was "everyone forms a circle and points right at the person next to him or her." This certainly describes the phenomenon. You can solve problems and create new ideas by engaging people in focusing on common goals and working together to solve problems. This holistic view leads to the birth of new ideas in many situations.

Cooperative actions do not need to start as big projects. They can start by simply discussing issues over coffee and asking people from other departments or groups if they have observations and ideas. This interaction can naturally lead to collaboration.

Specialization has made companies strong, but it has worked against cooperative efforts. It is important to remember that everyone has an intellect, and that two or more heads are better than one to generate ideas and solutions.

Siloed departments can achieve big improvements by working together.
your letters | Readers Respond

Efficient pumping applications

"Drive energy savings: Improve performance and lower downtime" [March/April 2014 InTech] is an informative presentation about variable speed drives and their applications. However, the section entitled, "Enhancing efficiency in pumping applications" could have been written more clearly.

The speeds and savings presented in this section apply to fan and blower applications with no static head, as is stated about 80 percent into the section. This should have been located at the start of the section, and it should have been retitled as something like, "Enhanced efficiency in fan and blower applications."

The example in the first paragraph of the section appears to confuse valve position with motor speed.

Pumping applications can exhibit significantly lower energy savings as compared to fans and blowers due to static head. A more detailed explanation is presented in my book, Variable Speed Drives: Principles and Applications for Energy Cost Savings (ISA).

The remainder of the article was interesting, especially the regenerative drive applications, because they are not often presented in the literature.

David W. Spitzer, P.E.

Please send us your comments and questions, and share your ideas with other InTech readers! Contact the editors at
New Industrial Internet Consortium

AT&T, Cisco, GE, IBM, and Intel have formed the Industrial Internet Consortium (IIC), an open membership group focused on breaking down the barriers of technology silos to support better access to big data with improved integration of the physical and digital worlds. The consortium will enable organizations to more easily connect and optimize assets, operations, and data.

An ecosystem of companies, researchers, and public agencies is emerging to drive adoption of industrial Internet applications, a foundational element for accelerating the Internet of Things. The IIC is a not-for-profit group that will take the lead in establishing interoperability across various industrial environments for a more connected world. Specifically, the IIC's charter will be to encourage innovation by:
• Using existing and creating new industry use cases and test beds for real-world applications
• Delivering best practices, reference architectures, and case studies to ease deployment of connected technologies
• Influencing the global standards development process for Internet and industrial systems
• Facilitating open forums to share and exchange ideas, practices, lessons, and insights
• Building confidence around innovative approaches to security

The IIC is open to any business, organization, or entity with an interest in accelerating the industrial Internet. In addition to gaining an immediate, visible platform for their opinions, consortium members will join in developing critical relationships with leaders in technology, manufacturing, academia, and the government on working committees. The IIC will be managed by Object Management Group, a nonprofit trade association in Boston, Mass. The fee structure and membership application forms are available at www.iiconsortium.org.
Youth engage at USA Science & Engineering Festival

Representatives and volunteer members of ISA and its umbrella organization, The Automation Federation, demonstrated fundamental processes of industrial automation to young people at the third USA Science & Engineering Festival, conducted 25-27 April 2014 in Washington, D.C.

More than 325,000 people, mostly primary and secondary students and their families, attended the event, the U.S.'s only national science festival, at the Walter E. Washington Convention Center. This year's festival marked the largest event ever in the history of the city's convention center.

The USA Science & Engineering Festival plays an important role in encouraging young people to pursue learning in science, technology, engineering, and mathematics (STEM) and in expanding awareness about the virtues of STEM-related career fields, including automation. Through their participation and exhibition at the festival and other events like it, ISA and the Automation Federation broaden awareness and understanding of the automation field, a foundational step in cultivating the next generation of automation professionals.
automation update | News from the Field This content is courtesy of

AMT tells Congress to shape up

The board of directors of the Association for Manufacturing Technology (AMT) sent a letter to the U.S. congressional leadership requesting action on a bipartisan manufacturing agenda in 2014. The letter urges House and Senate leaders to consider legislation where there is common ground. It points to several initiatives with bipartisan support that would strengthen U.S. manufacturing if enacted into law, including reauthorization of the America COMPETES Act, renewal of trade promotion authority, and passage of tax, regulatory, and immigration reforms.

The Revitalize American Manufacturing and Innovation Act (RAMI) recently passed the Senate Commerce, Science, and Transportation Committee. The bipartisan bill, introduced by Senators Sherrod Brown (D-OH) and Roy Blunt (R-MO), would establish a national network of regional manufacturing institutes modeled after America Makes, the pilot institute in Youngstown, Ohio that is focused on additive manufacturing (also known as 3-D printing). The Senate RAMI bill includes an amendment requiring the President to submit an updated National Strategic Plan for Advanced Manufacturing to Congress every four years.

The administration announced three new institutes earlier this year, including the Digital Manufacturing and Design Institute (DMDI) in Chicago. AMT is a partner in both America Makes and the DMDI.
Automation by the Numbers

$1.8 billion
Flow Research says the increased cost of oil and heightened demand for natural gas have put a premium on custody transfer in the flowmeter markets. Coriolis flowmeter suppliers have responded with an entirely new line of Coriolis flowmeters: those with line sizes of 8 to 14 inches. Formerly, only Rheonik (now part of GE Measurement) offered Coriolis meters in line sizes above 6 inches. Now other suppliers have jumped in to take advantage of the growing demand for these high-value applications. The companies include Micro Motion (part of Emerson Process Management), Endress+Hauser, and KROHNE.

A research study from Flow Research, The World Market for Coriolis Flowmeters, 4th Edition, finds that the Coriolis flowmeter market is among today's fastest growing flowmeter markets, spurred by growing energy requirements. Worldwide sales for Coriolis flowmeters in 2011 were $1.1 billion, with a projected compound annual growth rate of 10.6 percent through 2016. The forecast is for the worldwide Coriolis market to exceed $1.8 billion in 2016.

The study also finds that Coriolis flowmeters are the most accurate meter available today and that end users continue to view this quality as decisive within many measurement applications. The worldwide growth in liquefied natural gas as an energy source is another real driver of Coriolis sales. Flow Research expects this trend to continue. The largest single industry segment for Coriolis flowmeter usage remains chemical, where growth will be strong throughout the study period. The food and beverage and pharmaceutical industries also have a significant number of users. The study also found that the downstream oil and gas industry presents interesting new opportunities for Coriolis meters to loosen the hold that traditional technologies have had on this market.

5,938
In the first quarter of 2014, the robotics market in North America posted its second-highest quarter ever in terms of robots ordered, according to new statistics from Robotic Industries Association (RIA), the industry's trade group. A total of 5,938 robots valued at $338 million were ordered by companies in North America in first quarter 2014, coming in just shy of the all-time record of 6,235 robots valued at $385 million in fourth quarter 2012. Units ordered grew 1 percent, while order dollars fell 1 percent when compared to first quarter 2013 figures. When sales by North American robot suppliers to companies outside North America are included, the total is 6,491 robots valued at $372 million.

The automotive industry is still the largest customer for robotics in North America, representing 58 percent of total orders, but non-automotive industries have continued their rapid growth. The top industries in terms of growth for first quarter 2014 were food and consumer goods (+91 percent), plastics and rubber (+55 percent), and life sciences (+36 percent). RIA estimates that some 228,000 robots are now in use in U.S. factories, placing the U.S. second only to Japan in robot use.

$559.2 million
Upcoming brownfield and greenfield projects in the oil and gas and power generation industries will sustain the demand for automation and control solutions (ACS) in the Commonwealth of Independent States (CIS). Among the countries in the region (Kazakhstan, Azerbaijan, Uzbekistan, Ukraine, Belarus, Armenia, Kyrgyzstan, Tajikistan, and Moldova), Kazakhstan and Azerbaijan will remain market hot spots. Scheduled oil and gas exploration activities as well as the anticipated modernization of the industrial automation sectors pave the way for ACS adoption.

Analysis from Frost & Sullivan, Strategic Analysis of the Automation and Control Solutions Market in CIS Countries, finds that the market earned revenues of $443.8 million in 2013 and estimates this to reach $559.2 million in 2017. While programmable logic controllers and safety instrumented systems will continue to dominate the market, the distributed control system segment is expected to have the highest growth rate.

One of the key challenges in the CIS ACS market is the lack of a well-qualified workforce. Innovative ACS systems require professional engineering resources for installation, operation, and repair, and the shortage of skilled assets affects project performance and customer service support for ACS products. Another restraint is the economic downturn that has compelled customers to tighten budgets, resulting in the temporary shelving of present projects and the delay of future ones. High inflation rates further curb the purchasing power of customers and limit investments in automation.

150,000
Bosch Rexroth opened a new hydraulics manufacturing and distribution center in Bethlehem, Penn. The facility houses the company's valve and manifold manufacturing center for mobile and industrial hydraulics, while the new logistics and distribution facility handles shipments to more than 500 customers, including its nationwide network of drive and control distributors. This $2.2 million Brodhead Road expansion adds about 150,000 square feet, giving the company approximately 200,000 square feet over two buildings for the distribution and manufacturing operation.
Top ten differences between ICS and IT cybersecurity

Understanding the different needs of ICS and IT system security leads to cooperation and collaboration between historically disconnected camps

By Lee Neitzel and Bob Huba

In many, if not most plants with industrial control systems (ICSs), ICS engineers and their internal information technology (IT) counterparts have very different perspectives on cybersecurity. Not surprisingly, these different perspectives often lead to conflicts when connecting an ICS to the plant's IT system.

In the past, because ICSs used proprietary hardware and software, this interconnection focused primarily on just being able to communicate. The introduction of Ethernet and Microsoft Windows into ICSs in the mid-1990s, followed by the development of OPC interfaces, greatly simplified this problem, but at the cost of exposing the ICS to security threats previously known only to IT systems.

Further, with the rapid increase of attacks on industrial systems in the past few years, chief information officers are often held responsible for cybersecurity for the entire plant, including their ICSs. Unfortunately, not all IT security solutions are suitable for ICSs because of fundamental differences between ICS and IT systems. In addition, plants often have multiple production processes and ICSs, and some are naturally more critical than others. As a result, it is not uncommon for security to be handled differently among the various ICSs in a plant.

This article discusses how ICSs differ from IT systems as they relate to cybersecurity. It is important that IT and ICS professionals jointly understand the following top ten differences and develop workable security solutions that benefit the whole organization.

Difference #1: Security objectives

One of the biggest differences between ICS and plant IT security is the main security objective of each. Plant IT systems are business systems whose primary cybersecurity objective is to protect data (confidentiality). In contrast, the main cybersecurity objective of an ICS is to maintain the integrity of its production process and the availability of its components. Protection of information is still important, but loss of production translates into an immediate loss of income. Examples of threats to production integrity include those that degrade production, cause loss of view/control, damage production equipment, or result in possible safety issues.

One of the consequences of ICSs focusing on the production process is that ICS security is implemented using a comprehensive set of defense-in-depth layers to isolate the ICS and the physical process from the plant IT system. This isolation is the topic of difference #2.

Difference #2: Network segmentation

The first difference encountered when connecting ICS and IT systems is how they are segmented and protected. IT systems are usually composed of interconnected subnets (short for subnetworks) with some level of Internet connectivity. As a result, access controls and protection from the Internet are a primary focus of IT network security. It is not uncommon to see sophisticated firewalls, proxy servers, intrusion detection/prevention devices, and other protective mechanisms at the boundary with the Internet.
Inside this boundary, the remainder of the IT
network is segmented into subnets that are gener-
ally aligned with organizational and geographical
boundaries. Because access between these sub-
nets is usually required, security between them
is typically limited. However, all traffic from them
must pass through the Internet security boundary to access the Internet. ICS networks, on the other
hand, can be viewed as industrial intranets with
two overriding security requirements. First, no ac-
cess to the Internet or to email should be allowed
from ICS networks. Second, ICS networks should
be rigorously defended from other plant networks,
especially those with Internet access.
To meet these requirements, ICSs usually employ
network security devices (e.g., firewalls) for isola-
tion from the plant IT system. Only workstations
and servers within the ICS that act as gateways
should allow ICS access through these ICS perimeter security devices. This prevents other devices
on the ICS control network from being directly ac-
cessible from the plant network. These gateways
should have an additional network card that allows
them to connect to the ICS control network. In general,
only devices authorized to access the ICS from
the plant network should be aware of these ICS net-
work security devices and therefore be able to send
messages through them to ICS gateways.
ICSs should be further insulated from the plant
IT system by a demilitarized zone (DMZ) that sits
between the plant network and the ICS. The DMZ is an intranet that should be hidden from the plant
network by an undiscoverable network security
device. All external access to the ICS should first
pass through this device and then be terminated
in DMZ servers. DMZ servers provide clients on the
plant network with ICS data and events that these
servers independently obtain through separate
and isolated communications with the ICS. The
network security device that connects the DMZ to
the ICS should be configured to allow only these
isolated communications to ensure that all ICS ac-
cess goes through the DMZ servers.
As a further precaution, the DMZ should use
private subnet addresses that are independent
of subnet addresses used in the plant network to
prevent plant network messages from being er-
roneously routed to the DMZ. Similarly, the ICS
should use private subnet addresses that are in-
dependent of DMZ addresses.
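The segmentation rules above (no Internet path from the ICS, plant access terminating on DMZ servers, a DMZ-to-ICS conduit limited to DMZ servers and ICS gateways, and independent subnet addressing) can be checked mechanically against an exported firewall allowlist. The following Python audit is an added example, not code from the article or from any ICS vendor; the subnets, host addresses, and rule names are constructed assumptions, and it handles IPv4 only.

```python
"""Audit a firewall allowlist against the plant / DMZ / ICS zoning rules."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption): three independent private subnets.
ZONES = {
    "plant": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
    "ics": ipaddress.ip_network("172.16.10.0/24"),
}
# Hypothetical hosts allowed to terminate cross-zone traffic.
DMZ_SERVERS = {ipaddress.ip_address("192.168.50.10")}
ICS_GATEWAYS = {ipaddress.ip_address("172.16.10.5")}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str  # IPv4 CIDR permitted as source
    dst: str  # IPv4 CIDR permitted as destination


# Constructed allow rules, as they might be exported from the perimeter devices.
RULES = [
    Rule("hist-replica", "192.168.50.10/32", "172.16.10.5/32"),
    Rule("plant-to-dmz", "10.20.0.0/16", "192.168.50.10/32"),
    Rule("eng-laptop-direct", "10.20.4.17/32", "172.16.10.0/24"),
    Rule("ws-updates", "172.16.10.0/24", "0.0.0.0/0"),
    Rule("dmz-wide", "192.168.50.0/24", "172.16.10.5/32"),
]


def overlapping_zones(zones):
    """Return zone pairs whose subnets overlap (addressing must be independent)."""
    names = sorted(zones)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if zones[a].overlaps(zones[b])]


def zones_touched(cidr):
    """Zones a CIDR overlaps, plus 'external' if it reaches outside every zone."""
    net = ipaddress.ip_network(cidr)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add("external")
    return touched


def only_hosts(cidr, allowed):
    """True when every address covered by the CIDR is one of the allowed hosts."""
    net = ipaddress.ip_network(cidr)
    return net.num_addresses <= len(allowed) and all(a in allowed for a in net)


def check_pair(rule, src_zone, dst_zone):
    """Return a finding for one source/destination zone pair, or None if permitted."""
    if src_zone == dst_zone:
        return None
    pair = {src_zone, dst_zone}
    if pair == {"ics", "external"}:
        return "ICS must have no Internet or email path"
    if pair == {"ics", "plant"}:
        return "plant/ICS traffic must terminate in the DMZ"
    if pair == {"dmz", "ics"}:
        dmz_side, ics_side = ((rule.src, rule.dst) if src_zone == "dmz"
                              else (rule.dst, rule.src))
        if not (only_hosts(dmz_side, DMZ_SERVERS)
                and only_hosts(ics_side, ICS_GATEWAYS)):
            return "DMZ/ICS conduit is limited to DMZ server <-> ICS gateway"
    if (src_zone, dst_zone) == ("plant", "dmz") and not only_hosts(rule.dst, DMZ_SERVERS):
        return "plant access must terminate on a DMZ server"
    return None


def audit(rules):
    """Return (rule name, 'src->dst' zones, reason) for every violating zone pair."""
    findings = []
    for rule in rules:
        for src_zone in sorted(zones_touched(rule.src)):
            for dst_zone in sorted(zones_touched(rule.dst)):
                reason = check_pair(rule, src_zone, dst_zone)
                if reason:
                    findings.append((rule.name, f"{src_zone}->{dst_zone}", reason))
    return findings


if __name__ == "__main__":
    for a, b in overlapping_zones(ZONES):
        print(f"address overlap between zones {a} and {b}")
    for name, path, reason in audit(RULES):
        print(f"{name:18} {path:14} {reason}")
```

A broad rule such as the constructed `ws-updates` entry is reported once per zone it reaches, which shows how a single "any" destination opens several paths at once.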
ICS networks often have remote input/output
(I/O) systems, whereas IT networks do not. In these
systems, I/O devices are installed in remote geo-
graphical locations and are often connected to the
ICS via modems over public networks, virtual pri-
vate networks (VPNs), and satellite links. Care must
be taken, because these
connections can give
rise to security issues.
Difference #3: Network topology
Closely related to network segmentation differences
are network
topology differences.
Many IT systems are
large when compared to a typical ICS and contain
data centers, intranets, and Wi-Fi networks. ICSs,
on the other hand, are often small and have only a
configuration database and data/event historians.
It is not uncommon for an IT system to have
hundreds if not thousands of nodes whose num-
bers change daily as employees come and go, as
applications evolve, and as mobile devices are connected and disconnected. In contrast, most ICSs
are an order of magnitude smaller, and generally
have statically defined configurations.
IT network configurations, including VPNs, and
network security devices have to keep up with
these changes. As a result, IT systems extensively
use many automated tools, such as dynamic host
configuration protocol (DHCP), to manage their
network topologies. These and other tools are cost
effective only in large-scale systems and are consid-
ered expensive and complex by ICS standards.
ICSs typically remain relatively static for years. A rigorous change management process is normally
mandatory to ensure all changes are approved and
tested. In addition, the use of DHCP and Wi-Fi segments
is discouraged in the ICS for security reasons.
Furthermore, ICS networks that connect ICS
workstations with controller-level devices are nor-
mally redundant to prevent a network failure from
affecting the operation of the control system. This
network redundancy is typically proprietary to the
ICS vendor with custom addressing models and switchover
logic. As a result, the tools and techniques
IT uses to maintain its dynamic network
topologies are often not suitable or appli-
cable to statically defined ICS networks.
FAST FORWARD
- Differences in ICS and IT security objectives cause competing and often conflicting security solutions.
- Differences in ICS and IT system characteristics lead to different defense-in-depth strategies.
- Differences in ICS and IT operational characteristics cause differences in how security mechanisms are implemented and used.
Those responsible for cybersecurity within an organization must understand the
differences between ICS and IT systems in order to work together effectively.
Difference #4: Functional partitioning
ICS and IT systems are functionally
partitioned in different ways. The most common approach taken by IT systems
is to divide the system into various ad-
ministrative partitions to better restrict
user access to information assets. The
IT department typically implements the
partitions using Windows Domains and
operating system objects, such as files.
Domains and organizational units typi-
cally represent business units/geographi-
cal entities within an organization, to
which users and computers are assigned.
Groups are used to control access to these computers and their objects (files, folders,
executables, etc.) through the definition
of access control lists (ACLs).
Each object contains an ACL that
identifies who has been granted/denied
access to the object. To simplify the pro-
cess of pairing users with objects, groups
are defined and assigned to objects, and
then users are assigned to groups. As a re-
sult, only users/roles who are trusted to
access an object are granted permission
to do so. The careful definition of groups/roles can thereby be used to partition an
IT system into trust levels.
ICS partitioning is much different. The
ICS is partitioned into three levels (0, 1,
and 2), as defined by the ISA95/Purdue
reference model. Level 0 represents the
physical process; Level 1 is control and
monitoring; and Level 2 is supervisory control. Because of the nature of the devices
used in these ICS levels, it is necessary
to map trust levels to the device. In
this case, trust means how much a device
is trusted to behave as expected.
At Level 1, field devices perform I/O
operations on the physical process (Level
0). Because they operate on the physi-
cal process, field devices have the high-
est level of trust. Trust generally is ascer-
tained through design reviews, functional
testing, and experience. Devices whose behavior is questionable should not be
trusted and should not be used in Level 1.
Field devices use proprietary designs
and firmware. Many can communicate
digitally using standard, industrial proto-
cols such as HART, Foundation Fieldbus,
Profibus, DeviceNet, and Modbus. With
the exception of wireless, field device
protocols rarely include security features.
Therefore, access to field devices must be
protected by external means. Unfortunately,
network security devices, such as firewalls, that are commonly used in IT
systems are not applicable. These indus-
trial protocols are not based on Ethernet
or TCP/IP. Instead, physical and proce-
dural security often restricts access to field
devices and their communication links.
In addition, device firmware needs protection,
including protection of upgrade files and the processes used to install them
(e.g., flash upgrades and over-the-wire up-
grades). Currently, the firmware upgrade
process often has limited security features.
At Level 2 are distributed control system
controllers, programmable logic control-
lers, remote terminal units (RTUs), remote
I/O devices, and other similar devices. Be-
cause they read and write field device pa-
rameters, controller-level devices require
the second highest level of trust, generally
attained through testing and experience.
Controller-level devices, other than
some RTUs and other remote devices,
usually have limited security-related fea-
tures and rely on the Level 2 control net-
work for protection. ICS vendors often
use industrial grade, proprietary firewalls
and Ethernet switches in the control net-
work to separate it into two layers, the
workstation layer and the control layer.
These network devices have three pri-
mary security objectives: to lock down the
network to prevent unauthorized devices from connecting to it, to protect controller-
level devices from unauthorized contact,
and to prevent them from being saturated
with network traffic by rate-controlling the
network traffic flowing to them.
IT typically does not have the policies,
procedures, tools, and expertise in place
to manage the ICS vendor-specific Level 2
network and controller-level devices and
the Level 1 I/O devices.
Also at Level 2, and sitting above controller-level
devices, are the workstations/servers
(configuration/engineering, maintenance,
operator, historian stations), all having direct connectivity to
the controllers, and all using components
and operating systems familiar to IT, such
as PCs, Windows, and Ethernet. Level 2
workstations and servers have the third
highest level of trustworthiness in the
ICS. They provide the buffer between the
outside world (Level 3 and beyond) and
the process, so outside direct access to
controller-level devices should not be allowed.
Access to controller-level devices
should be limited to Level 2 workstations
and servers approved by the ICS vendor.

Compared to a typical IT system, most ICSs contain relatively few workstations and
other computing components, a crucial difference that greatly affects the feasibility
of implementing certain cybersecurity measures.

The trust levels of Level 2 workstations
and servers are lower than controller-level
and field devices for three reasons:
- They run commercial operating systems and software (e.g., SQL database software) with vulnerabilities that are continuously being discovered and exploited.
- They have a better chance of being infected or compromised, because they can be accessed by Level 3.
- They have users who may not always follow policies and procedures; some may plug in nonverified USB sticks, plug in their smartphones to charge, or bring in their own software that has not been tested to operate correctly with the ICS.
The trust levels associated with field
devices, controller-level devices, and
workstations are inherent to most con-
trol systems. Understanding them and
maintaining separation/isolation be-
tween them is a responsibility that is
normally not present in IT systems.
Difference #5: Physical components
Closely related to functional partitioning
and trust levels are the physical components used to implement ICS and IT systems.
IT systems are primarily composed
of off-the-shelf networks, workstations,
and servers that IT can access and admin-
ister. As a result, IT departments are able
to define security policies for these com-
ponents and enforce them with off-the-
shelf security-related applications and de-
vices, such as firewalls, antivirus systems,
and patch management systems.
In contrast, ICSs are not IT systems do-
ing control, as it may sometimes appear,
but instead are tightly integrated proprie-
tary systems. With the exception of work-
stations and servers, ICSs are composed
of components that are generally custom
built and foreign to IT. This often includes
network devices built for industrial use,
including Ethernet switches and firewalls.
And, although ICS workstations and serv-
ers are typically based on Windows, they
are usually hardened by the ICS vendor to
the point that their software, other than
the operating system, is custom built, and
their security policies are set to industry
standards that may conflict with the poli-
cies used within the IT system.
Consequently, IT security cannot just be
mapped onto the ICS. Instead, the compo-
nents used in the ICS may, and often do,
require security-related ICS vendor-specific
tools unknown to IT systems, such as custom event logs, port lockdown mechanisms,
and features for disabling USB ports.
Difference #6: User accounts
IT systems generally support two levels
of users: users known to the operating
system (e.g., Windows users) and users
of specific applications (e.g., order-entry
systems). Operating system user accounts
are used to authenticate the user dur-
ing login and to identify which operating
system resources the user can access. IT system administrators often administer
operating system user accounts with Win-
dows Domains/Active Directory. When
multiple domains are present, IT admin-
istration establishes trusts between spe-
cific domains to let users access resources
across domain boundaries.
IT systems also often contain applica-
tions, such as database applications, that
have their own user accounts that can
be independent of operating system accounts.
For these applications, the user must go through a separate login screen
before being allowed to access the data.
ICSs also use operating system user ac-
counts and domains. However, allowing IT
systems users to access the ICS by establish-
ing trusts from IT system domains to the
ICS domain is generally not recommended,
since it reduces isolation of the ICS.
ICSs also have their own application-spe-
cific users. Unlike IT applications, however,
the ICS is really a complete distributed sys-
tem composed of configuration, operation,
and maintenance applications, databases,
and event journals. ICSs almost always use
role-based access controls for granting/
denying access to control data and devices.
Operators, process engineers, and mainte-
nance engineers are examples of these roles.
To manage access to these elements of
the ICS, ICSs typically have an ICS-specific
user management application. Although
in principle this is similar to IT application
security, the complexity, scope, and tech-
nical expertise required to administer ICS
users is closely related to the nature of the
process being controlled, which is generally
not familiar to IT system administrators.
Finally, authorizing access from the
plant network to the ICS becomes more
difficult because of these differences. Do
all external users become users of the ICS
and its domain, or do DMZ server applications provide access to authorized IT
system users but connect to the ICS using
ICS credentials? Also, how is traceabil-
ity maintained for auditable ICS transac-
tions? Answering these questions normally
requires collaboration between the ICS
and IT systems administrators.
Difference #7: SIS
Plant safety is a critical part of plant operation,
and ICSs, therefore, often include integrated,
yet distinct, safety instrumented systems (SISs). The SIS is responsible for
maintaining the safe operation of the pro-
cess by placing the process into a safe state
when process conditions that threaten
safety are detected. IT systems have no
systems analogous to the SIS.
SIS networks are usually proprietary
and must be securely segmented and iso-
lated from ICS networks. In addition, the
SIS decision-making component, commonly
called the logic solver, is also a custom,
proprietary component, separate even from other components used in the
ICS. Also, SIS-specific standards that in-
clude security are currently under devel-
opment in ISA84. As a result, commonly
used IT tools and network devices are not
applicable to SIS network security.
Managing the security of an ICS in-
cludes an often manual effort to ensure
that the SIS is protected from the ICS and
from external interference, and that its in-
tegrity has not been compromised. These
are capabilities not normally within the
scope of IT systems professionals.
Difference #8: Untested software
IT systems are typically open systems,
which allow them to run off-the-shelf
software and to evolve over time. Evolu-
tion includes adding new software; up-
dating workstation, server, and network
device hardware and software; replacing
components as needed; and even adding
new components to the system. Keeping
systems current is one of the approaches
taken in IT systems to maintain security.
ICSs, however, are typically closed and implemented to a specific hardware configuration and operating system version (e.g., service pack), and may not run properly if either is changed. As a result, all updates, including patches and virus definition files, have to be thoroughly tested with the ICS before being approved for installation.
Likewise, all new software added to the ICS that is not supplied or supported by the vendor should be thoroughly tested for compatibility with the ICS. In some cases, as with those regulated by the Food and Drug Administration, the ICS and IT systems associated with the regulated product must be validated, and once validated, cannot be updated with new software without being revalidated. But for typical IT systems, this rigor is not common. Running software that has not been tested with the specific ICS is a serious concern, because of its potential to cause conflicts or failures within the ICS or introduce vulnerabilities of its own. Therefore, all software to be run in an ICS should be tested and approved using a formal operations change management process.
The most common way to protect against the introduction of unapproved software is to restrict installation privileges and to use access control lists for program directories. However, these mechanisms do not protect against executables that can be copied to the directory and run without being installed. Mechanisms to prevent this type of software from being loaded onto a workstation include disabling USB ports and CD/DVD drives and tight control or elimination of shared drives. Although these are commonly employed techniques in ICS workstations and servers, they are seldom used in IT systems.
Mechanisms to prevent unapproved software from being run are not as commonplace. While antivirus software can detect infected software, it cannot detect untested or unapproved software. For this, whitelisting is gaining acceptance in IT systems. Whitelisting complements antivirus programs by allowing only approved and authentic (uninfected) executables to run. However, because of the checks necessary to validate an executable each time it is run, performance is affected.
Software that has been approved to execute in an IT system often has not been rigorously tested for compatibility with the IT system. All software that is allowed to run on an ICS must be tested to ensure it will not interfere with the ICS.
Difference #9: Patching
IT systems normally have patch management software that automatically installs security updates very quickly after their release. On the other hand, it is not uncommon for patches to be deferred or postponed indefinitely in ICSs. ICS patching requires testing, approval, scheduling, and validation to ensure safe and repeatable control. Scheduling is required because of the potential disruption to operations, such as reboots. Reboots can cause a temporary loss of view/control, and worse, they can fail, often requiring technical intervention to return a failed component to service. As a result of the effort required and because of the associated risks, patching is often not performed on an operational ICS, or at least not on the same schedule as IT system patching.
In addition, because the lifespan of ICSs is so long, patches for many older systems are no longer available. For example, there are many ICSs still in operation that run Windows NT and Windows XP.
The challenge for ICSs, which is not shared by IT systems, is to keep unpatched systems secure. Typically this is done through compensating security mechanisms in an ICS's defense-in-depth strategy.
Difference #10: Security inconveniences
As most of us probably agree, cybersecurity measures add a degree of inconvenience to our jobs. Who has not had to wait while operating system patches are being installed? Or who has not had to call the service desk to report that he or she is locked out and needs to have a password reset? But as cumbersome as they can be, we have all learned to live with these inconveniences.
However, in an ICS environment, such inconveniences may not be tolerable, especially those that decrease performance. Imagine not receiving a critical system alarm in time to respond to it, or having to handle it while the workstation decides to reboot itself. Also, having to use a long and complex password during a process upset may not be acceptable. While many of these inconveniences are not specific to ICSs, they can be intolerable to them.
As a result, security measures that are acceptable in IT systems may not be acceptable in an ICS. If indiscriminately employed in an ICS, IT security measures may pose one of the biggest threats to ICS security. Because they are so painful or disruptive, they often result in the security mechanisms being bypassed, disabled, postponed, or otherwise ignored. Not only will this expose the ICS to vulnerabilities, but it will also negatively affect attitudes of ICS users toward future attempts to secure the ICS.
We have examined how ICSs differ from IT systems with respect to cybersecurity. Unfortunately, failure to understand these differences often leads to conflicts between IT and ICS administrators, which leads to a less-than-optimal security solution for the plant. These discussion points should help promote communications and resolve conflicts.
ABOUT THE AUTHORS
Lee Neitzel ([email protected]), senior engineer at Emerson Process Management, has been involved in security and network standards for more than 25 years. He is currently the IEC project leader for integrating the WIB Process Control Domain Security Requirements for Vendors specification into the ISA-99/IEC 62443 security standards. Bob Huba (Bob.Huba@Emerson.com), system security architect, has been with Emerson Process Management for 36 years. He is active in the development of the ISA-99/IEC 62443 standards.
View the online version at www.isa.org/intech/20140601.
Unlike their IT counterparts, ICS users need
additional role-based access controls so
that each person can access only the areas
of the ICS needed to do a particular job.
PROCESS AUTOMATION
FAST FORWARD
- I/O parts for repair and replacement were difficult to find.
- The new I/O system has improved throughput speed from the I/O to the operator screens.
- Advantages of the new I/O system include diagnostic capability and calibration.
miles of process piping and 600 valves to connect
the above systems to the various test facilities. A
DCS/PLC/pressure and surge controller system
consisting of nearly 100 proportional, integral, de-
rivative (PID) control loops and more than 12,000
I/O points monitors and controls the vast amount
of equipment across the facility. More than 12 miles of dual-redundant data highway cable is installed
to interface with the control/data system
for these essential services.
Historically, the equipment for controlling and
monitoring the process consisted of a PLC proces-
sor and its associated I/O distributed near process
equipment. The PLC communicated to the DCS
controller via the Modbus RTU protocol. The DCS
controller then communicated to the operator
console via a proprietary data highway network.
Reasons for conversion to DCS I/O
Although the existing I/O was adequate at one
time, the need for its replacement became more
apparent as the technology changed. While the ex-
isting I/O was readily available in the 1990s, more
recently parts for repair and replacement were dif-
ficult to find. An upgrade to the new replacement
PLC I/O was available, but it provided none of the
benefits of the DCS I/O. The DCS I/O had much
faster speed and a quality status, which was not
available on a Modbus RTU serial link with a trans-
mission rate of 19,200 baud.
The choice was to either replace the entire PLC system with the DCS system at one time, which
required massive logic conversion and testing, or
perform a two-phase implementation approach.
The first phase would replace the PLC I/O with
the DCS I/O. Then the second phase would in-
volve converting PLC logic to DCS logic. The split
approach was chosen to minimize downtime and
prevent a complicated check-out process.
Hardware installation
The components for this application include a
new DCS controller, a DCS I/O, and new 24-V
dual-redundant power supplies for the I/O. The
PLC processor remains and communicates strictly
to the old DCS controller, which in turn commu-
nicates to the new DCS controller that talks to the
new DCS I/O. As with the old system, the primary
function of the new system is to provide process
control of the equipment via the DCS, which is
made available to operators at a remote location.
The basic system architecture is shown in figure 1.
In all cases, existing wiring could be reused as
part of the new scheme. The new I/O was mounted
in the existing I/O space. The old field wires were
terminated on the new I/O. The 24-V I/O power
supplies were installed
in an existing cabinet.
A new DCS controller,
connected to the new
DCS I/O via fiber, was
installed in the same
cabinet as the old DCS controller. The new
DCS controller com-
municates to the old
DCS controller via a backplane that provided a
local control highway within the cabinet.
Software installation
The software for this application includes DCS
controller software that allows communication
between the old DCS controller and the new DCS
controller. The PLC receives the necessary data for
sequence logic from the new DCS controller. No field I/O connects to the PLC. All PID algorithms
are processed in the new DCS controller and pres-
sure and surge controllers, which communicate to
the old DCS controller via Modbus.
System architecture
The new DCS I/O is installed in the current PLC
I/O location. Wires from the field were removed
from the PLC I/O and terminated on the new DCS
I/O. The new DCS I/O connects to the new DCS
controller via a fiber optics network. The old DCS
controller utilizes a custom foreign device interface C program and Modbus RTU protocol to
communicate to the PLC. The old and new DCS
controllers communicate with the operator con-
sole via a proprietary data highway.
Figure 1. Basic system architecture (old, current, and future configurations; labels: field devices, PLC I/O, PLC, DCS I/O, pressure/surge controller, Modbus RTU, fiber, backplane, DCS controller, DCS cabinet, data highway, operator console)
One of the powerful features of the new I/O
is the troubleshooting capability via the DCS
diagnostic. It also provides bad qual-
ity status on the operator console in
the case of signal failure. With the old
PLC I/O system, analog data was con-
verted to digital counts (0-4095). The
problem with this conversion is there
is no under or over range. The live
zero of a 4- to 20-mA signal is lost. This
is a very important feature.
Before DCS and human-machine in-
terface (HMI), when pushbuttons and
meters were the interface to the operators,
zero-based meters, whether
voltage or current, were common. The
problem with zero-based measurement
readouts is the inability to distinguish a
true zero reading from a failed transduc-
er. With the PLC there was also no way
to distinguish a zero reading (4 mA = 0 counts) from a failed transducer (0 mA
= 0 counts).
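The loss of the live zero described above can be seen by running the same loop currents through a clamped count conversion and through a conversion that carries a quality status. This Python code is an added example, not the facility's PLC or DCS logic; the failure thresholds (3.6 mA and 21.0 mA, following the NAMUR NE 43 convention), the 0 to 100 engineering range, and all function names are assumptions.

```python
from enum import Enum

# Assumed failure thresholds (NAMUR NE 43 convention); not taken from the article.
FAIL_LOW_MA = 3.6
FAIL_HIGH_MA = 21.0
LIVE_ZERO_MA = 4.0
SPAN_MA = 16.0


class Quality(Enum):
    GOOD = "good"
    UNDER_RANGE = "under range"
    OVER_RANGE = "over range"
    BAD = "bad"


def legacy_counts(ma):
    """Count conversion as described for the old PLC I/O: 4-20 mA mapped onto
    0-4095 and clamped, so every current at or below 4 mA reads 0 counts."""
    raw = round((ma - LIVE_ZERO_MA) / SPAN_MA * 4095)
    return max(0, min(4095, raw))


def scaled_with_quality(ma, lo, hi):
    """Scale to engineering units and attach a quality status to the value."""
    if ma <= FAIL_LOW_MA or ma >= FAIL_HIGH_MA:
        return None, Quality.BAD  # open loop, short, or transmitter fault
    value = lo + (ma - LIVE_ZERO_MA) / SPAN_MA * (hi - lo)
    if ma < LIVE_ZERO_MA:
        return value, Quality.UNDER_RANGE
    if ma > LIVE_ZERO_MA + SPAN_MA:
        return value, Quality.OVER_RANGE
    return value, Quality.GOOD


def compare(samples_ma, lo=0.0, hi=100.0):
    """Return (mA, legacy counts, engineering value, quality) for each sample."""
    rows = []
    for ma in samples_ma:
        value, quality = scaled_with_quality(ma, lo, hi)
        rows.append((ma, legacy_counts(ma), value, quality))
    return rows


# Constructed loop currents: broken wire, slight under-range, true zero,
# mid-scale, full scale, slight over-range, saturated loop.
SAMPLES_MA = [0.0, 3.8, 4.0, 12.0, 20.0, 20.4, 22.0]

if __name__ == "__main__":
    for ma, counts, value, quality in compare(SAMPLES_MA):
        shown = "    n/a" if value is None else f"{value:7.2f}"
        print(f"{ma:5.1f} mA  counts={counts:4d}  value={shown}  quality={quality.value}")
```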
High-speed PID loops (100-ms sam-
pling time) and analog data used for
measurement and alarming is pro-
cessed through the new DCS I/O. Only
sequence data is processed through the
PLC processor.
Testing of new I/O
Some problems were encountered while
commissioning the new I/O installation. One of these involved minor wiring errors
on the drawings, which made it hard
to find the field devices for HMI screen-
to-field device point testing. This was
a relatively easy fix. Verification of the
drawings before demolition, although
time consuming, would have lessened
downtime and would have resulted in a
net saving of time. Having the same PLC
logic reduced troubleshooting, by isolat-
ing errors to the I/O cabinet.
General evaluation
Although the PLC I/O was sufficient by prior standards, the organization believed that the newer industrial technologies were at the very least worthy of a trial in the CPS application. No historical data is presented here to detail the performance of the traditional PLC I/O system versus the new DCS I/O system, but years of experience with them does give one an overall appreciation for the strengths and shortcomings of the vintage technology. All said, this type of I/O has, except perhaps in less demanding roles, outlived its usefulness in modern control and data acquisition systems.

Thus far, the new I/O is very accurate. There is no indication of failing or drifting from the original calibrations. However, one drawback to the system is that, for the present, the signal update time in the PLC is 4 to 5 seconds compared to 2 to 3 seconds with the old I/O. However, the signals that are not needed in the PLC are scanned at the field device and available to the operator console in 2 seconds. The 4- to 5-second delay is due to the transfer rate from the new I/O to the old DCS controller in addition to the field device interface (FDI) of 2 to 3 seconds. This update rate is tolerable, however, for these noncritical process sequence points. With the new I/O, the FDI is gone, therefore eliminating the overhead of the C program and the 19,200 baud serial transmission rate. The time required for the new DCS controller to scan all its associated I/O is 250 milliseconds.
Future applications
There is a plan to convert the PLC program to a DCS controller program, thereby reducing two controllers (the PLC and the old DCS controller) to one controller and reducing the 4- to 5-second response time for sequence points to 2 seconds.
Benefits
The new DCS I/O provides simple installation, more accurate data, and improved diagnostic capability compared to the old I/O systems at GRC. Therefore, in the long term, we foresee the utilization of DCS I/O as an enhancement to our facility DCS and a benefit to users.
ABOUT THE AUTHORS
Debashis Sadhukhan (Debashis.Sad-[email protected]), process controls system manager at NASA Glenn Research Center (GRC), has been employed at GRC since 1991 and is experienced in integration of DCS and PLC systems. He is currently president of the ISA Cleveland Section and bulletin editor. John Mihevic was DCS control system manager at GRC until his retirement in 2007.
View the online version at www.isa.org/intech/20140602.
PROCESS AUTOMATION
Food-processing and pharmaceutical plants are harsh environments for electronics. Your critical systems must withstand water and chemicals used during wash-down, including the electronics inside every computer enclosure. The NEMA 4X Titan from ITSENCLOSURES is made specifically for these extreme conditions. The Titan is constructed of 14-gauge Type 304 stainless steel to handle corrosive cleaners and chemicals that would break down a lesser enclosure. The Titan features a 24-inch (16:9) viewing window and a generously sized work surface. Should a Titan ever fail due to manufacturer defect, ITSENCLOSURES will replace it immediately so your business does not skip a beat. To learn more about IceStation TITAN, call 1.800.423.9911 or visit ITSENCLOSURES.com.
Every day, IceStation enclosures are washed
down with harsh chemicals and water. And every
day, the electronics inside remain dry and clean.
STEPS TO ENSURE MES SUCCESS
The question isn't "What can manufacturing execution systems do?" It's "What can't they do?" Whether you're monitoring or managing equipment, labor, product quality, recipes or batches, there's an MES for you.
But because MES upgrades and enhancements offer such a wide range of functionality, defining the initial scope is a critical step that's often overlooked. The resulting abundance of data can be so overwhelming that many companies simply abandon the initiative rather than reassess their approach.
Crawl Before You Walk
In a recent blog post, John Clemons, director of manufacturing IT at MAVERICK Technologies, recommends an approach that most of us will find strikingly familiar: "Crawl before you walk, and walk before you run." This advice hearkens back to some of our earliest memories, yet it remains just as valuable when applied to MES projects.
Because MES is so comprehensive and complex, Clemons warns against biting off more than you can chew. "Starting small and building is the best road to success with MES," he writes. "Trying to make MES be all things to all people will almost certainly ensure it fails."
Start with the Snags
Perhaps you're looking to improve overall equipment effectiveness (OEE). Or maybe you want to reduce yield losses. Both are great ways to start applying MES. In either case, you want to begin by focusing intently on areas where you already know bottlenecks exist. By limiting your MES measurements to problem equipment, you can home in on root causes and resolve them individually to improve overall efficiency and performance.
Statistical process control (SPC) is another worthwhile jumping-off point for MES. Similar to OEE and yields, with SPC you'll want to identify the processes, equipment or lines that seem to produce the greatest variability. But then you'll want to take
Manufacturing execution systems (MES) are applicable to so many processes that it can be tempting to try and optimize everything at once. Here's why doing too much too soon is often the downfall of early MES efforts.
Michael Brading is chief technical officer of the Automotive Industrial and Medical business unit at Aptina Imaging. He has a B.S. in communication engineering from the University of Plymouth.

Tim Droz heads the SoftKinetic U.S. organization, delivering 3-D ToF and gesture solutions to international customers, such as Intel and Texas Instruments. Droz earned a BSEE from the University of Virginia, and an M.S. in electrical and computer engineering from North Carolina State University.

Pedro Gelabert is a senior member of the technical staff and a systems engineer at Texas Instruments. He received his B.S. and Ph.D. in electrical engineering from the Georgia Institute of Technology. He is a member of the Institute of Electrical and Electronics Engineers, holds four patents, and has published more than 40 papers, articles, user guides, and application notes.

Carlton Heard is a product manager at National Instruments, responsible for vision hardware and software. Heard has a bachelor's degree in aerospace and mechanical engineering from Oklahoma State University.

Yvonne Lin is the marketing manager for medical and industrial imaging at Xilinx. Lin holds a bachelor's degree in electrical engineering from the University of Toronto.

Thomas Maier is a sales and field application engineer at Bluetechnix and has been working on embedded systems for more than 10 years, particularly on various embedded image processing applications on digital signal processor architectures. After completing the Institution of Higher Education at Klagenfurt, Austria, in the area of telecommunications and electronics, he studied at the Vienna University of Technology. Maier has been at Bluetechnix since 2008.

Manjunath Somayaji is the Imaging Systems Group manager at Aptina Imaging, where he leads algorithm development efforts on novel multi-aperture/array-camera platforms. He received his M.S. and Ph.D. from Southern Methodist University (SMU) and his B.E. from the University of Mysore, all in electrical engineering. He was formerly a research assistant professor in SMU's electrical engineering department. Prior to SMU, he worked at OmniVision-CDM Optics as a senior systems engineer.

Daniël Van Nieuwenhove is the chief technical officer at SoftKinetic. He received an engineering degree in electronics with great distinction at the VUB (Free University of Brussels) in 2002. Van Nieuwenhove holds multiple patents and is the author of several scientific papers. In 2009, he obtained a Ph.D. on CMOS circuits and devices for 3-D time-of-flight imagers. As co-founder of Optrima, he brought its proprietary 3-D CMOS time-of-flight sensors and imagers to market.
to machine safety, necessary for reshaping factory automation.
Depth sensing
As already mentioned, 3-D cameras can deliver notable advantages over their 2-D precursors in manufacturing environments. Several depth sensor technology alternatives exist, each with strengths, shortcomings, and common use cases (table 1 and reference 1). Stereoscopic vision, combining two 2-D image sensors, is currently the most common 3-D sensor approach. Passive (i.e., relying solely on ambient light) range determination via stereoscopic vision uses the disparity in viewpoints between a pair of near-identical cameras to measure the distance to a subject of interest. In this approach, the centers of perspective of the two cameras are separated by a baseline or interpupillary distance to generate the parallax necessary for depth measurement.
Microsoft's Kinect is today's best-known structured light-based 3-D sensor. The structured light approach, like the time-of-flight technique to be discussed next, is an example of an active scanner, because it generates its own electromagnetic radiation and analyzes the reflection of this radiation from the object. Structured light projects a set of patterns onto an object, capturing the resulting image with an offset image sensor. Similar to stereoscopic vision techniques, this approach takes advantage of the known camera-to-projector separation to locate a specific point between them and compute the depth with triangulation algorithms. Thus, image processing and triangulation algorithms convert the distortion of the projected patterns, caused by surface roughness, into 3-D information.
An indirect time-of-flight (ToF) system obtains travel-time information by measuring the delay or phase-shift of a modulated optical signal for all pixels in the scene. Generally, this optical signal is situated in the near-infrared portion of the spectrum so as not to disturb human vision. The ToF sensor in the system consists of an array of pixels, where each pixel is capable of determining the distance to the scene. Each pixel measures the delay of the received optical signal with respect to the sent signal. A correlation function is performed in each pixel, followed by averaging or integration. The resulting correlation value then represents the travel time or delay. Since all pixels obtain this value simultaneously, snapshot 3-D imaging is possible.
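An added example, not code from the article or its contributors: a simulation of one indirect ToF pixel that correlates, averages, and converts phase to distance. It assumes the common four-phase correlation scheme and a 20-MHz modulation frequency, neither of which the article specifies, and it also shows the range aliasing that phase measurement implies.

```python
# Added illustration (not from the article): per-pixel depth in an indirect ToF sensor.
import math
import random

C = 299_792_458.0   # speed of light in m/s
F_MOD = 20e6        # assumed modulation frequency (20 MHz); not from the article

def unambiguous_range(f_mod=F_MOD):
    """Largest distance whose round-trip phase shift stays below 2*pi."""
    return C / (2 * f_mod)

def correlate(distance_m, f_mod=F_MOD, amplitude=1.0, ambient=0.5, noise=0.0, rng=None):
    """Simulate one pixel's four correlation values (reference shifted by
    0, 90, 180 and 270 degrees) for a target at distance_m."""
    phase = 4 * math.pi * f_mod * distance_m / C   # round-trip phase delay
    rng = rng or random.Random(0)
    return [ambient + amplitude * math.cos(phase - k * math.pi / 2)
            + rng.gauss(0, noise) for k in range(4)]

def depth_from_correlation(samples, f_mod=F_MOD):
    """Recover the phase with atan2 (ambient light cancels in the
    differences), then convert phase to distance."""
    a0, a1, a2, a3 = samples
    phase = math.atan2(a1 - a3, a0 - a2) % (2 * math.pi)
    return C * phase / (4 * math.pi * f_mod)

def averaged_depth(distance_m, frames=200, noise=0.05, seed=1):
    """Average the correlation values over several noisy frames before
    decoding, mirroring the averaging step the article mentions."""
    rng = random.Random(seed)
    sums = [0.0] * 4
    for _ in range(frames):
        for i, v in enumerate(correlate(distance_m, noise=noise, rng=rng)):
            sums[i] += v
    return depth_from_correlation([s / frames for s in sums])

if __name__ == "__main__":
    print("unambiguous range: %.3f m" % unambiguous_range())
    print("2.5 m target  -> %.3f m" % depth_from_correlation(correlate(2.5)))
    print("noisy average -> %.3f m" % averaged_depth(2.5))
    print("9.0 m target  -> %.3f m (aliased)" % depth_from_correlation(correlate(9.0)))
```

A target beyond the unambiguous range wraps around and is reported as a much nearer object, which matters wherever the depth value feeds a safety decision.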
Vision processing
Vision algorithms typically require high computing performance. And unlike many other applications, where standards mean that there is strong commonality among algorithms used by different equipment designers, no such standards that constrain algorithm choice exist in vision applications. On the contrary, there are often many approaches to choose from to solve a particular vision problem. Therefore, vision
FACTORY AUTOMATION
Contributors (members of Embedded Vision Alliance)
algorithms are very diverse, and tend to change fairly rapidly over time. And, of course, industrial automation systems are usually required to fit into tight cost and power consumption envelopes.

Achieving the combination of high performance, low cost, low power, and programmability is challenging (reference 2). Special-purpose hardware typically achieves high performance at low cost, but with little programmability. General-purpose CPUs provide programmability, but with weak performance, poor cost effectiveness, or low energy efficiency. Demanding vision processing applications most often use a combination of processing elements, which might include, for example:
- a general-purpose CPU for heuristics, complex decision making, network access, user interface, storage management, and overall control
- a high-performance digital signal processor for real-time, moderate-rate processing with moderately complex algorithms
- one or more highly parallel engines for pixel-rate processing with simple algorithms

Although any processor can in theory be used for vision processing in industrial automation systems, the most promising types today are the:
- high-performance CPU
- graphics processing unit with a CPU
- digital signal processor with accelerator(s) and a CPU
- field programmable gate arrays with a CPU
ABOUT THE AUTHOR
Brian Dipert ([email protected]) is editor-in-chief at the Embedded Vision Alliance. He is also a senior analyst at Berkeley Design Technology, Inc., and editor-in-chief of InsideDSP, the company's online newsletter dedicated to digital signal processing technology. Dipert has a B.S. in electrical engineering from Purdue University. His professional career began at Magnavox Electronics Systems in Fort Wayne, Ind. Dipert subsequently spent eight years at Intel Corporation in Folsom, Calif. He then spent 14 years at EDN Magazine.
View the online version at www.isa.org/intech/20140603.
REFERENCES
1. 3-D Sensors Bring Depth Discernment to Embedded Vision Designs
www.embedded-vision.com/platinum-members/embedded-vision-alliance/embedded-vision-training/documents/pages/3d-sensors-depth-discernment
2. Processing Options for Implementing Vision Capabilities in Embedded Systems
www.embedded-vision.com/platinum-members/bdti/embedded-vision-training/documents/pages/processing-options-implementing-visio
Platinum Sponsor
Gold Sponsors
Improve safety, security, and efficiency. Register today!
Process Control & Safety Symposium 2014
6–9 October 2014
Houston Marriott West Loop by the Galleria
Houston, T