Control Systems, HMI Change Management, Security

Change management and security concerns have increased as human-machine interfaces have become more open and expose process data and metadata. Security precautions need to provide selective availability to control functions. Standards such as OPC Unified Architecture (OPC UA) can help off-the-shelf products be flexible and reusable, even in demanding applications.

By Krzysztof Pietrusewicz and Mariusz Postol November 1, 2010

Change management and security concerns have increased as industrial visualization tools such as human-machine interface (HMI) have become more open. HMIs can expose process data and process metadata, so appropriate security precautions need to provide selective availability to control functions. Standards such as OPC UA and other newer technologies can allow off-the-shelf products to be flexible and reusable, while withstanding the most demanding requirements.

Modern control systems value graphical user interfaces. It seems that HMIs in automation extend far beyond the adage that a picture is worth a thousand words.

A lightweight local user interface of a machine is sometimes referred to as the HMI; in this context it is an embedded part of the machine. SCADA (supervisory control and data acquisition), on the other hand, is an all-in-one software package that consists of tightly coupled components implementing functionality to operate a system as a whole. Because the complexity of designing, developing, and managing software grows rapidly with the variety of functionality provided, SCADA systems more recently tend to be layered and offered as loosely coupled, dedicated components, such as a historian, communication server, user interface, and other functions.

The user interface serves as the intersection between someone responsible for making a decision and something responsible for the decision’s execution.

Today’s software allows the same interface to start a CNC machine drilling, for example, or, alternatively, to start remotely shifting 200 MW in load from one power plant to another. In both cases the operation can be initiated by pressing a virtual “ACCEPT” button on a touch screen. In both cases, the HMI can decrease development and deployment costs.

Human-interface interactions

Efficient human-machine interaction requires providing:

  • A representation of the process behavior and its current state—output interface
  • Sensors to allow entering the operator decision—input interface.

HMI vendors can employ 3D graphics, touch screens, voice recognition, motion tracking, and many other technologies. Effective communications require considerations beyond the surface.

Automated processes are dynamic and rely on states, so the interface has to provide an informative context for decision making. To reach this goal the process behavior must be tracked by processing variables to optimally adjust the screen content and expose the most important elements in an instant of time. As automation systems add process variables, one has to choose how to organize the structure of the control system and mappings for visualization.

Each variable can be recognized as a set of attributes: value, quality, time stamp, and meaning. The first three attributes can be expressed as simple, complex, or structured numbers and bound to the graphic on the screen in a generic way. The attribute for meaning usually does not change over time, so interface behavior and appearance are designed (hard-coded) appropriately. For example, a certain part of a screen can allow an operator to communicate with a chromatograph analyzer in a pharmacy automation process.

Unfortunately, this design-time approach is often too rigid to seamlessly adapt or upgrade when a replacement HMI device is installed, especially if it is from another vendor. Furthermore, a hard-coded approach is useless when dealing with multifunction devices that use pluggable components and a variety of accessories. To avoid this unnecessary design cost and avoid proprietary solutions, the next generation of interfaces needs to use a “semantic HMI” approach. A semantic HMI discovers the meaning of process variables using the metadata provided by the plant floor measurement and control devices, like an analyzer, PLC, DCS, and so on. Metadata provides context for the real-time process data and must be processed simultaneously by a smart-enough semantic HMI.
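The following sketch is an added example, not code from the authors or from any OPC product. It shows a semantic HMI deriving a screen element from device metadata rather than a hard-coded design, and using quality and time stamp to decide whether the value may support an operator decision. The tag names, metadata fields, and the 5-second freshness limit are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class ProcessVariable:
    value: float
    quality: str          # "good", "uncertain" or "bad"
    timestamp: datetime   # source time stamp (UTC)

# Constructed metadata, standing in for what a device would expose at run time.
METADATA = {
    "Analyzer1.Purity": {"meaning": "Chromatograph purity", "unit": "%",
                         "low": 0.0, "high": 100.0, "writable": False},
    "Pump7.Setpoint": {"meaning": "Feed pump setpoint", "unit": "l/min",
                       "low": 0.0, "high": 40.0, "writable": True},
}

def build_widget(tag, var, now, metadata=METADATA, max_age=timedelta(seconds=5)):
    """Derive the screen element from metadata instead of hard-coding it."""
    meta = metadata.get(tag)
    if meta is None:
        # No meaning available: show the raw value but never accept input on it.
        return {"tag": tag, "label": tag, "kind": "raw",
                "trusted": False, "input_enabled": False}
    stale = (now - var.timestamp) > max_age
    in_range = meta["low"] <= var.value <= meta["high"]
    trusted = var.quality == "good" and not stale and in_range
    return {
        "tag": tag,
        "label": f'{meta["meaning"]} [{meta["unit"]}]',
        "kind": "setpoint" if meta["writable"] else "indicator",
        "trusted": trusted,
        # Operator input is offered only on writable variables whose
        # displayed state can be relied on for a decision.
        "input_enabled": meta["writable"] and trusted,
    }

if __name__ == "__main__":
    now = datetime(2010, 11, 1, 12, 0, 0, tzinfo=timezone.utc)
    fresh = ProcessVariable(31.5, "good", now - timedelta(seconds=1))
    print(build_widget("Pump7.Setpoint", fresh, now))
```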

Process-interface interaction

To make two devices interoperable, both must use the same (vendor-specific or standard-compliant) protocol and be connected by an underlying communication infrastructure. Relying on proprietary vendor-specific solutions limits future system expandability, so it generally is not recommended. While vendors usually offer a standard protocol for plant floor devices, unfortunately, there are hundreds of “open standards” defined in the automation marketplace.

To overcome this disadvantage, OPC specifications from the OPC Foundation were designed to bridge applications based on general-purpose operating systems, process control hardware, and software applications. OPC can replace direct communication between plant floor devices (process) and the process data user (HMI) by indirect communication. (See graphic.) Hundreds of communication standards are commonly used by the process control industry. The OPC specification has distinguishing features that help with integration and implementation of the “process observer” concept.

The OPC specifications suite is not a new protocol competing to be the best. It is a data access technology: a set of interfaces representing precisely defined services dedicated to managing the process data access. It assumes that the Microsoft DCOM technology is used as a system platform to access these services. Using DCOM, and being integrated as part of the Microsoft Windows operating system family, creates a strong, reusable platform providing support to address communication and security issues. The main disadvantage of this standard is that process metadata cannot be adequately exposed.

To overcome this disadvantage and migrate the widely accepted DCOM de facto standard to new emerging technologies, the OPC Foundation developed the OPC Unified Architecture (OPC UA) specifications suite. This service-oriented architecture (SOA) is deployed using Web services defined by the World Wide Web Consortium (W3C).

OPC UA meets requirements of modern control systems, because it:

  • Is Internet-based technology
  • Is a platform neutral standard allowing implementation on any (including embedded) system
  • Supports complex types to get access to process variables and object model to expose process metadata
  • Achieves high-speed data transfers using efficient protocols
  • Is scalable from embedded applications up to the process automation at enterprise level, and
  • Has broad industry support and is being used in support of other industry standards, such as PAT, OpenPLC, ISA95, ISA88, EDDL, MIMOSA, OAGiS, and others.

Security issues

Connecting the HMI (the decision entrance device) and process control device (the decision execution device) may engage many technologies, such as an RS-232 serial bus located inside the box, the Internet, wireless connections, and the like. Vulnerability of communications is only one measure of security severity. Robust security also depends on authentication of transferred data, data sources, and users.

Even in the completely shielded control rooms of nuclear power plants, at the end of the day we must know who is responsible for pressing the virtual “ACCEPT” button if any problems occur. On the other hand, it would be unacceptable to see a message on the screen saying, “You must log in to continue” during a critical situation.
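The following sketch is an added example, not code from the authors or from the OPC UA specification. It illustrates the two requirements above together: the operator is authenticated before the critical moment, so an “ACCEPT” press is decided by role without a login prompt, and every press, allowed or denied, lands in a tamper-evident record naming who made it. The role names, function names, and demo key are assumptions; a real record would also carry a time stamp.

```python
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key"  # assumption: a real key lives in a key store
GENESIS = "0" * 64

# Assumed role model: which control functions each role may trigger.
ROLE_FUNCTIONS = {
    "viewer": set(),
    "machinist": {"start_drilling"},
    "dispatcher": {"shift_load"},
}

def _mac(body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, data, hashlib.sha256).hexdigest()

class ControlGate:
    def __init__(self):
        self.sessions = {}    # token -> (user, role), created at shift start
        self.audit_log = []   # hash-chained, MAC-protected records

    def open_session(self, token, user, role):
        self.sessions[token] = (user, role)

    def accept(self, token, function, params):
        """Handle an ACCEPT press: decide without prompting, always record."""
        user, role = self.sessions.get(token, ("unidentified", "viewer"))
        allowed = function in ROLE_FUNCTIONS[role]
        prev = self.audit_log[-1]["mac"] if self.audit_log else GENESIS
        body = {"user": user, "role": role, "function": function,
                "params": params, "allowed": allowed, "prev": prev}
        self.audit_log.append({**body, "mac": _mac(body)})
        return allowed

def verify_log(log):
    """True only if no record was altered, reordered or dropped mid-chain."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body["prev"] != prev or not hmac.compare_digest(_mac(body), entry["mac"]):
            return False
        prev = entry["mac"]
    return True
```

An unknown session token falls back to the `viewer` role, so the press is refused and still recorded instead of interrupting the operator with a prompt.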

Appropriate communication layer support is required for secure HMI designs.  Fortunately, the new OPC UA standard offers strong and effective cybersecurity technologies available out of the box.

OPC UA is important for further development of open process control systems, according to Maciej Zbrzezny, a software architect at CAS, an OPC Foundation member. CAS offers software that deploys OPC UA in three simple steps: design the information model (design phase), bind it with the process variables without programming (deployment phase), and expose data and metadata (run-time phase) as the out-of-the-box solution.

8,000-node process control system

More modern HMI solutions are being developed with advanced graphics, high resolution, touch screens, high IP (ingress protection) ratings for front panels, faster CPUs, integration with modern operating systems, and so on. However, they must offer much more than that to be used as a decision entrance device.

A process control system for a municipal-wide heat distribution network in the city of Lodz, Poland, (750,000 citizens) handles three plants with total thermal output power of 2,560 MW producing hot water distributed using approximately 800 km of pipes interconnected by about 8,000 nodes. The most important features are openness, interoperability, visualization flexibility to expose process data in the context of process metadata, and appropriate security precautions to provide selective availability to control functions.

New standards, such as OPC UA used with reusable, off-the-shelf products, can withstand the most demanding requirements.


Krzysztof Pietrusewicz, PhD, is currently an assistant professor at the Control Engineering and Robotics chair, Faculty of Electrical Engineering, at the West Pomeranian University of Technology, Szczecin, Poland (formerly Szczecin University of Technology). His current research is in control engineering, computer controlled systems, hybrid control systems, real-time systems, artificial intelligence, and mechatronics. As a co-researcher, he has introduced simplified engineering design methods of fuzzy-logic PI/PD, PID, and PIDD controllers. He is also coauthor of two books: Two-Degrees of Freedom Robust PID Control in Practice, in Polish, in 2006, and Programmable Automation Controllers PAC, in Polish, in 2007. He teaches courses in embedded control systems, hybrid control systems, programmable automation controllers as well as PLCs, and digital control of intelligent servodrives (digital motion control).

Mariusz Postol, PhD, is currently an assistant professor at the Technical University of Lodz, Poland. His current research is in architecture and communication in large-scale, highly distributed process control systems. He has introduced the process observer concept as a systematic approach to architecture design of the process control systems. He is also coauthor of the book OPC from Data Access to Unified Architecture, VDE Verlag Gmbh, in 2010, in English and German, and about 45 papers. At present, he teaches courses in distributed operating systems and security of computer systems.


-Edited by Mark T. Hoske, Control Engineering, www.controleng.com.