Ensuring a Safe, Secure HMI

When it comes to human machine interfaces (HMIs), the distinction between safety and security is often well defined. Safety refers to “the control that’s built into the PLCs and the safety interlocks,” says Steven Garbrecht, marketing program manager for Wonderware’s infrastructure and platform products.

By Peter Cleaveland for Control Engineering October 1, 2006

AT A GLANCE

Preventing system damage

Ensuring employee safety

Deliberate versus inadvertent

Integrating functions

Promoting efficiency

Controlling access

Sidebars: Application: Performance management software, interfaces, help optimize operations, meet regulations Application: HMI system brings safety, security to aluminum production Application: PLC control of robots uses handheld HMIs, integrated safety software

When it comes to human machine interfaces (HMIs), the distinction between safety and security is often well defined. Safety refers to “the control that’s built into the PLCs and the safety interlocks,” says Steven Garbrecht, marketing program manager for Wonderware’s infrastructure and platform products. “It is designed into the control programs.”

Security, on the other hand, is concerned with people breaking into a control system to steal information or cause damage. The two areas are addressed in different ways. Yet when it comes to an HMI, safety and security overlap.

Proper safety design prevents operators from doing anything that could cause injury or damage a product or piece of equipment, and enables them to act in time to prevent such an occurrence. Consider the December 1984 disaster in which an out-of-control chemical reaction at a Union Carbide plant in Bhopal, India, caused the release of tons of methyl isocyanate, killing thousands of people and sickening many more. There is disagreement as to whether plant safety systems were working, and Union Carbide’s position is that the leak “could only have been caused by deliberate sabotage. ”Others strongly disagree.

During the March 1979 accident at the nuclear power plant at Three Mile Island, PA, plant operators did not know that a vital relief valve had remained open despite an indication that it was closed. They later received incorrect information about the level of water in the reactor. During the subsequent investigation, the question of sabotage was ruled out, and it became apparent that had the operators received correct information, they would have been able to prevent the situation from getting out of hand.

Keeping control

Certainly there is no shortage of outside agents wishing to cause harm. Rich Clark, Information Security (Infosec) Analyst at Wonderware, in a presentation entitled “Control System Security Guidance,” lists 17, ranging from disaffected staff to common criminals to organized crime to nation states and governments. There are, he says, facilities that he will not identify, “but they do have targeted attacks every single day.”

From an HMI standpoint, says Garbrecht, there are three primary scenarios: “One is somebody external to the company coming in through firewalls, coming in through the network and doing something with the HMI. The second one is somebody within the company that wants to do something malicious for whatever reason. The third would be somebody who’s not trying to be malicious, does work for the company, but is just doing something they shouldn’t be doing and is making a mistake or causing security or some kind of problem in the process.”

Companies can get into trouble, says Clark, by assigning the job of securing a control system to the IT department. IT people seek security by isolating machines from each other, he notes, to keep people who are surfing the Web and may be picking up viruses in the process from infecting other parts of the enterprise. This method works in the IT domain, but it sacrifices ease of communication between machines and it is incapable of real-time performance.

When control systems are designed, continues Clark, “the machines are designed to talk to one another unhindered. Most machines in a control system environment are both servers and clients, so the IT client server model is not accurate there,” says Clark. The way to secure a control system, he points out, is to put it behind a protective wall, with close control of all traffic into and out of the protected space.

All communications between the control system and the corporate system must go through firewalls. One California-based biopharmaceutical company recently installed a new system for handling historical data in accordance with 21 CFR 11. All data related to process upsets and events are kept in servers and available to those who need it, but vital plant data and control information are carried on a series of networks completely isolated from the corporate system.

More than philosophy

Clark calls this philosophy “having limited threat vectors.” An ideal secure control system he says:

is isolated from all threats, including corporate business enterprises;

is layered with aggressive anti-penetration devices;

has only one point of ingress/egress;

contains all the system automation within a secure bubble; and

allows each trusted machine within the enterprise to have unimpeded, unlimited access to any other trusted machine.

Microsoft Corp. calls this security model “domain isolation.” GE Fanuc has built such security features into version 3.5 of its iFIX software with its “Application Validator Utility.” This software tool automatically documents any changes made to system files or utilities, reducing the likelihood that installations will inadvertently or intentionally be compromised.

People with the best of intentions can create hazards, warns Joe Quigg, vice president of engineering, Systek Automated Controls (previously corporate controls engineering manager, International Automation). “A lot of the times in legacy systems people were unguarded and unsupervised when they were making changes and alterations,” he says. “There was a lack of documentation, and when people alter systems and don’t document things, there’s no accountability.” Many legacy systems, he continues, may contain hard-wired relay logic “where somebody could open up a control panel and bypass something if they wanted to on purpose.”

A properly designed modern system, he continues, is divided into two parts, “the standard, everyday control programs that will run the process are open architecture, whereas the safety portion—the section deemed to be dangerous if altered—is locked down. Only certain people, given the correct password, training, and instructions can actually alter [it].”

Application: Performance management software, interfaces, help optimize operations, meet regulations

Roche Diagnostics GmbH recently established a new rack-packing line for its diabetes care and diagnostic products at its Mannheim, Germany, facility. To meet U.S. Food and Drug Administration (FDA) standards, improve operational efficiency, and enhance its process monitoring and auditing capabilities, the company implemented a production and performance management software system from Wonderware, a business unit of Invensys Systems Inc.

The company sought a system that would be easy to use and ensure its processes could be validated according to FDA 21 CFR Part 11 regulations. Two essential parts of the Wonderware package it selected are the InTouch human-machine interface (HMI) software and the IndustrialSQL Server historian, which combines a relational database with a real-time system. Both help Roche meet business and operational objectives and FDA requirements (see illustrations).

On the new rack-packing line, vials are individually selected from pallets, sorted, and joined together to make a rack pack. The packs are then transported to a rotary table for further processing. Labels are applied and a camera verifies that the matrix bar code is correct and properly positioned. After another camera checks the vials and caps for the correct color, the pack goes to the final packing stages. The manufacturing process is initiated, controlled, and monitored by operators using the software. The interface guides operators step-by-step through the process. They no longer have to select from a multitude of screen options.

FDA guidelines require manufacturers to maintain traceability of product data, which means the company must substantiate every step of the processes, including which operator completed each task and when the activity took place. The program’s user-management features and those provided by the Microsoft Windows 2000 operating system allow strong security to be designed into the plant without exposing the operating system to the user.

“One of the benefits of using this approach is that user management isn’t performed just on a standalone system, but rather as part of the enterprise-wide security system,” said Uwe Drücker, managing director of Drücker Steuerungssysteme GmbH. “Using this method of operation, the company can easily incorporate and re-use the plant’s existing operating system user models. In addition, the software’s easy-to-use controls and consistent interfaces enable the Mannheim operators to keep the rack-packing line running at optimum efficiency. We experience end-to-end security using a single user management system rather than employing several costly proprietary solutions.”

Operators of the new rack-pack line log on using screens that authenticate and authorize them to perform certain actions, depending on their access level. Activities on the process line can include day-to-day operations such as creating or editing product and process data; initiating, pausing, or stopping a batch; or editing user profiles. Operators working on the line must confirm their actions by entering their user name and password. This secure login technique helps the company meet FDA traceability requirements and helps make the manufacturing and processing lines more tamper-resistant.

The software enables time-stamped electronic signatures that link each operator to a specific action. The signature and any other relevant data are then logged in the IndustrialSQL Server historian database to generate a comprehensive audit trail (see illustration). These audit trails easily can be viewed and printed by authorized supervisors or managers at any time. Information and electronic signatures cannot be altered or deleted—resulting in an FDA-approved, tamper-resistant repository.

In addition, the Mannheim plant operates a redundant system for high availability and data integrity. Physically separated from the master system, this standby system continually synchronizes its data with the master. In the event of a master system failure, this handshake synchronization method detects when the primary process is down and automatically switches into the master mode, creating a failsafe capability. This seamless integration of the corporate network also makes all data available for enterprise-wide analysis.

Aside from the pressures of satisfying FDA requirements, the growing threat of bioterrorism and product tampering is always a critical concern for pharmaceutical companies. The security features provided by the software management system gives Roche a high level of confidence that it can track and maintain quality throughout each step of its manufacturing and packaging process.

Application: HMI system brings safety, security to aluminum production

Built in 1990, Alcoa—Aluminerie de Deschambault in Quebec was a plant in need of an upgrade. The primary metals facility employs about 550 and produces raw aluminum ingots that are sent to transformation facilities and manufactured into various products.

Process control and monitoring had been done through a DOS-based system that could not be upgraded. Data acquisition was accomplished with a homemade OpenVMS (VAX) system. “We needed a system that could be modified with a minimal amount of work,” explains Pierre Boutin, application engineer at the facility.

Company personnel also needed better access to process data. For example, the 30-plus members of the plant’s environmental team collaborate closely, but can be located anywhere in the half-mile long plant at any given time. Any new system would need to provide a highly secure method of allowing authorized users to access control data from anywhere in the plant, but to change control parameters only from specific locations.

Boutin and his colleagues chose to install a control and monitoring solution running GE Fanuc Automation’s Cimplicity software on top of the existing infrastructure. The process of electrolyzing alumina to extract the metal it contains is divided into five sectors. In each sector, 10 to 15 GE Fanuc Series 90-70 PLCs and several Series 90-30 PLCs provide redundant monitoring and control. In each sector, the PLCs monitor approximately 10,000 points.

Using a star Ethernet topology, the PLCs and operator interfaces equipped with Cimplicity software are connected to a switch in each sector and networked through standard 10Base-T copper connectors. Each sector is, in turn, networked via 100 Mbps Ethernet running on fiber optics to the IT department. The master servers reside in the IT department, while the slaves are located in the sectors. IT personnel maintain the system.

Cimplicity HMI Plant Edition uses Web technology through a client/server architecture and open-system design to allow users access to real-time data remotely through Web browsers on the Cimplicity viewers located throughout the plant. In addition to the system’s built-in user-access security features, IT added another level of security to ensure that, while processes can be viewed by authorized users from all stations, parameters can be changed only from a few designated stations.

The new control and monitoring system has worked well, facilitating teamwork among IT and process control personnel, where disconnects are prevalent in many other enterprises. “The collaboration between the two groups is outstanding,” says Boutin, “and it plays a major role in the successful operation of our control and monitoring system.”

Application: PLC control of robots uses handheld HMIs, integrated safety software

Greater positioning accuracy, shorter cycle times, and minimum expenditures on hardware are among benefits of the turnkey Rexroth system installed at Klocke-Robot-Systeme GmbH in Vlotho, Germany. Klocke’s loading and unloading robots carry out automation tasks for injection molding machines. The IndraMotion for Handling, complete with integrated safety functions, uses the open sequential control system IndraLogic, in compliance with IEC 61131-3, to guarantee re-usability of already established program modules. The system has the look and feel of a robot control, but it is actually a PLC control.

IndraMotion for Handling incorporates finished desktops for mobile operating panels such as the Rexroth VEH30 handheld operator interface. This unit features an 8.4-in. touchscreen and hot-plug capability and can be easily connected via Ethernet while the equipment is operating. One device can handle several controls. The user can edit movements with the four soft keys on the handheld and teach or input fixed points via the virtual keyboard. Integrated safety functions in the Rexroth IndraDrive, which are certified to EN-954-1, Category 3, make it possible to comply with the safety regulations in force throughout Europe without any additional hardware or detouring via the control.