Tuesday, November 17, 2009
Comingling Safety and Control Systems
There is an interesting blog post by Joe Weiss over at ControlGlobal.com about concerns in the regulatory community about the comingling of control systems and safety systems. To understand the concern we need to do a little instructional backgrounder here as part of Industrial Control Systems 101.

Industrial Control Systems 101

In a chemical facility an industrial control system (ICS) may be used to control a chemical process. An operator typically uses a computer to monitor process conditions (weights, temperatures, pressures, etc.) and control process equipment (valves, pumps, etc.). These systems can be fairly simple, with all process decisions and actions controlled by the human operator, or more complex, with active computer control of multiple process parameters.

A safety system is a system used to protect process equipment, personnel and/or the environment from unsafe process upsets. These can be purely mechanical systems like pressure relief valves, or they can be automated systems where there is, at a minimum, a sensor, an actuator and a controller between the two. The sensor is used to detect an impending process upset; the controller receives the signal from the sensor and directs one or more actuators to take action to prevent that upset.

You may have a chemical process where heat is used to drive a reaction to completion. There will be an optimum process temperature range that the operator will use a control system to maintain: too low a temperature and the process will be inefficient; too high a temperature and there will be quality issues with the product. The ICS will be used to manipulate heating and cooling to maintain the process within that optimum temperature range. The same process may have a temperature above the optimum range where an unsafe chemical reaction can take place, an auto-ignition temperature for example. A safety system would be in place to automatically turn off heating and start cooling if the process temperature gets within a pre-set limit of that unsafe temperature.

Now the ICS should never allow the temperature to approach that unsafe condition because it is beyond the optimum temperature range. But the safety system is put into place because there is always the possibility that a failure in the ICS, a human error, or some other problem allows the temperature to rise to an unsafe level. It would seem obvious that one would want to make sure that a failure in the ICS that would allow an unsafe temperature rise would not affect the safety system. This is one of the reasons that in the ‘good ole days’ safety systems were designed as stand-alone systems with their own sensors, controllers and actuators. The power systems were even separate, with battery backup systems for the safety systems where electric systems were used.

As both safety systems and control systems became more complex it became easier to justify linking parts of the two systems. Sensors became more robust with very low failure rates, and multiple sensors were being used in any case, so why not use the same sensor array for both systems? As systems became more complex it became harder to physically fit in separately actuated systems that accomplished the same thing, so common controls were used in both systems. Finally, as the programming of the control system became more complex and interactive it became easier to justify putting the safety system controller on the same computer system as the ICS.

Unfortunately, with the merger of these two systems it becomes easier to posit a single system failure that could affect both. Some systems engineers feel that the new system's failure rate is lower than the rate of double failures in the old systems, so the combination of the two is justified as being safer than the old separate systems. This is certainly true, but two separate systems with modern low failure rates would be safer still.

Safety Systems as Security Systems

This discussion would not seem to be germane to the discussion of security at high-risk chemical facilities, until one realizes that safety systems are actually the final line of defense against a cyber attack on the facility control system. In addition to protecting against a failure in the ICS, they would also prevent catastrophic consequences from a deliberate misuse of that system.

Using the example in the ICS 101 discussion above, suppose a terrorist gained control of the ICS, either through corrupting an operator or via a cyber attack on the control system computer. Changing the high temperature limits of the control system could allow the system temperature to rise to the auto-ignition temperature, causing a catastrophic fire in the facility equipment. An old-style safety system would prevent that occurrence and stymie the terrorist attack.

In other words, an existing old-style stand-alone safety system could be considered to be a security measure. No added cost or complexity, just another layer in the protective shield around the facility. But that would only be true if the safety system were maintained as a separate system from the ICS. A safety system that is tied into the ICS would be subject to the same attack and would not prevent the catastrophic consequences of the attack.