As per IEC 62443, Industrial Automation and Control Systems (IACS) refers to the collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process.
Most IACS can be remotely operated or monitored, but the risk and challenges in enabling remote actions can vary according to the type of system and its function.
The following types of IACS are considered in this recommended practice.
Basic Process Control System (BPCS):
As defined in IEC 61511-1, a Basic Process Control System is a system which responds to input signals from the process, its associated equipment, other programmable systems and/or operators and generates output signals causing the process and its associated equipment to operate in the desired manner, but which does not perform any SIF.
A Basic Process Control System (BPCS) is a system which handles process control and monitoring for the facility. It takes inputs from sensors and process instruments and provides outputs based on control functions in accordance with the approved design control strategy.
Typically, a Basic Process Control System (BPCS) performs the following functions:
- Control the process within pre-set operating conditions, optimize plant operation to produce a good-quality product, and attempt to keep all process variables within their safety limits.
- Provide operator interface for monitoring and control via operator console (Human Machine Interface)
- Provide alarm/event logging and trending facilities
- Generate production data reports
A Basic Process Control System (BPCS) is also considered one of the safety layers preceding the Safety Instrumented System (SIS) within a facility.
Safety Instrumented System (SIS):
Safety Instrumented System, as per the definition in IEC 61511-1: an instrumented system used to implement one or more SIFs.
A safety instrumented system (SIS) consists of an engineered set of hardware and software controls which are especially used on critical process systems.
A SIS is engineered to perform “specific control functions” to failsafe or maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety Instrumented Systems must be independent from all other control systems that control the same equipment in order to ensure SIS functionality is not compromised.
An SIS is composed of the same types of control elements (including sensors, logic solvers, actuators and other control equipment) as a Basic Process Control System (BPCS). However, all of the control elements in an SIS are dedicated solely to the proper functioning of the SIS.
The specific control functions performed by an SIS are called Safety Instrumented Functions (SIF). They are implemented as part of an overall risk reduction strategy which is intended to eliminate the likelihood of a previously identified SH&E event that could range from minor equipment damage up to an event involving an uncontrolled catastrophic release of energy and/or materials.
The safe state must be achieved in a timely manner or within the “process safety time”.
The correct operation of an SIS requires a series of equipment to function properly. It must have sensors capable of detecting abnormal operating conditions, such as high flow, low level, or incorrect valve positioning.
A logic solver is required to receive the sensor input signal(s), make appropriate decisions based on the nature of the signal(s), and change its outputs according to user-defined logic. The logic solver may use electrical, electronic or programmable electronic equipment, such as relays, trip amplifiers, or programmable logic controllers.
Next, the change of the logic solver output(s) results in the final element(s) taking action on the process (e.g. closing a valve) to bring it to a safe state. Support systems, such as power, instrument air, and communications, are generally required for SIS operation. The support systems should be designed to provide the required integrity and reliability.
Safety instrumented systems are most often used in the process (e.g., oil & gas, refineries, chemical, nuclear) facilities to provide protection such as:
- High fuel gas pressure initiates action to close the main fuel gas valve.
- High reactor temperature initiates action to open the cooling media valve.
- High distillation column pressure initiates action to open a pressure vent valve.
Packaged systems, often supplied with a Unit Control Panel (UCP):
Normally, packaged equipment (for example a compressor, generator, or pump) has its own instrumentation, with control and safety functions implemented in a UCP. These packages are usually interfaced with the BPCS and/or SIS, e.g., for system startup, shutdown, and equipment status signals to the Operator.
Monitoring systems (which are connected to BPCS, SIS, or package, such as vibration monitoring) are considered part of the packaged system.
Monitoring-only systems (not connected to BPCS, SIS, or package):
These are independent systems. They can be used for the sole purpose of monitoring devices and assets (e.g., sensor status monitoring, corrosion monitoring, structure monitoring, etc.) but have no control or safety function and normally don’t need to be monitored by the operator in the control room.
These systems usually consist of sensors with a data acquisition server, or sensors only. They are not normally interfaced with the BPCS/SIS or packaged systems and cannot be used to control or operate the physical process or equipment.
Common Terms used in Industrial control system
Remote vs. local
This topic covers the use of remote functions from a distant remote location, away from the production site, in premises that are in a safe area (e.g., the Operator’s administrative building or more generally from any site including premises of a vendor providing support).
Typically, the remote functions are performed tens or hundreds of kilometers from the production site. Implementing remote functions creates additional risks including organizational and security risks.
The scope addressed in terms of remote location is:
Remote control room:
Remote control room refers to a control room located outside the production site boundary and in a safe zone. This may be far away from the actual production site but is within the premises managed by the Operator.
The primary purpose is to remotely control and operate the production site, but it may also include dedicated remote engineering or maintenance rooms. As these connections allow interaction with the production process or equipment, physical access controls would be strictly enforced.
Remote collaborative center:
Remote collaborative center refers to an open office-based environment where personnel from multiple disciplines collaborate to manage the performance of one or more sites. These rooms typically host collaboration, monitoring, visualization, and analytical functions.
They are similar to remote control rooms in terms of geographic location, but may sometimes be distributed over one or more locations (i.e., multiple interconnected collaborative centers). Collaborative centers sometimes have fewer access controls than a control room; however, this depends on operational or security risks.
Remote at vendor premises:
This refers to any remote location belonging to a vendor (or subcontractor). This location is usually located on private premises managed by the vendor or contractor.
Contracts may define physical access and security restrictions at the vendor premises. Connection to these premises usually involves communications links via public networks.
Remote access from anywhere:
This refers to any external location, in a private or public area (e.g., a home, hotel, or airport).
The scope addressed in terms of remote functions is:
Remote control refers to remote actions such as control commands (adjusting plant or equipment operational parameters, setpoint changes, alarm acknowledgment, manual start/stop commands, etc.) and operations monitoring on detailed graphical displays (e.g., process conditions, equipment status, alarms, errors).
If the regulatory requirements of the country where the IACS is located and if operating and safety philosophy and policies allow, safety functions can also be performed from the remote control room (such as executing manual shutdowns, operating critical action panels, etc.).
Remote control requires read and write access to the system to enable operator interaction with the process and equipment on the production site.
Remote engineering refers to the modification of system functionality. Examples include system or device configuration, modification of design intent, changes to alarms, software updates, etc.
It can also include downloading or uploading data or files to/from the system. It requires remote read/write engineering privileged access to the system, which is generally a higher level than Operator access.
Local site policies and procedures such as work-permitting and management of change remain applicable and can require enhancement to manage remote functions. Due to the criticality of SIS, remote engineering of SIS should be subject to special attention and may be prohibited by company policies.
Remote maintenance refers to administering routine maintenance activities remotely. Examples of such activities include device monitoring, diagnostic analysis of automation systems (controllers, I/O, communication cards, network components as well as field input/output loops, power supply modules, etc.), reviewing compliance status of control loops against the maintenance plan, routine patch and antivirus updates, and system backups.
It can require remote read access that allows detailed interrogation of systems and potentially write access to remedy problems or to apply updates. The access level is restricted to that required for system maintenance activities.
Remote monitoring refers to monitoring and diagnostics of production, operations and equipment conditions remotely, using data generated at and exported from the production site to a location outside the control room. It also includes remote security monitoring using system and network logs. It requires the appropriate data to be made available at the remote location.
The range of remote functions can vary from full operation of the site to specific and ad-hoc remote support. These needs are to be defined in the operating philosophy of the process and will have an impact on the architecture design and selection of technology.
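As an added illustration (not from the IOGP text), the following policy check maps the four remote functions described above to the access level each requires and applies the restrictions the text describes: least-privilege sessions, no control or engineering of monitoring-only systems, and SIS remote engineering or remote safety actions only where company policy and the operating philosophy allow. The privilege ordering, function and target names, and policy switches are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

# Privilege levels ordered least to most powerful (constructed model of the access descriptions above).
class Priv(IntEnum):
    READ = 1          # exported data / read-only interrogation (remote monitoring)
    OPERATOR = 2      # operator read/write on the live process (remote control)
    MAINTENANCE = 3   # read plus limited write to remedy problems or apply updates
    ENGINEERING = 4   # privileged read/write that changes system functionality

# Minimum privilege each remote function needs (assumed mapping).
REQUIRED = {
    "monitoring": Priv.READ,
    "control": Priv.OPERATOR,
    "maintenance": Priv.MAINTENANCE,
    "engineering": Priv.ENGINEERING,
}

@dataclass(frozen=True)
class Request:
    function: str      # monitoring | control | maintenance | engineering
    target: str        # BPCS | SIS | PACKAGE | MONITORING_ONLY
    requested: Priv    # privilege the remote session asks for

@dataclass(frozen=True)
class Policy:
    allow_sis_remote_engineering: bool = False   # company policy switch
    allow_remote_safety_functions: bool = False  # regulatory / operating philosophy

def evaluate(req: Request, policy: Policy) -> tuple[bool, str]:
    """Return (allowed, reason) for a remote session request."""
    if req.function not in REQUIRED:
        return False, f"unknown remote function {req.function!r}"
    needed = REQUIRED[req.function]
    # Least privilege: the session must hold exactly what its function needs, no more.
    if req.requested > needed:
        return False, f"{req.function} needs at most {needed.name}, session asked for {req.requested.name}"
    if req.requested < needed:
        return False, f"{req.function} needs {needed.name}, session only has {req.requested.name}"
    # Monitoring-only systems have no control or safety function to act on.
    if req.target == "MONITORING_ONLY" and req.function != "monitoring":
        return False, "monitoring-only systems cannot be controlled, maintained or engineered remotely"
    # SIS: engineering may be prohibited; safety actions need explicit permission.
    if req.target == "SIS":
        if req.function == "engineering" and not policy.allow_sis_remote_engineering:
            return False, "remote engineering of SIS prohibited by company policy"
        if req.function == "control" and not policy.allow_remote_safety_functions:
            return False, "remote safety functions not permitted by operating philosophy"
    return True, f"{req.function} on {req.target} granted at {needed.name}"
```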
Source: International Association of Oil & Gas Producers
Acknowledgments: IOGP Instrumentation and Automation Standards Subcommittee (IASSC) Remote Operating Centres Task Force.