In today’s environment of security awareness, there is a heightened concern over maintaining the integrity of plant operations.
The causes of undesired interference with plant and industrial installations range from plant operator ignorance or error to vandalism and, the ultimate concern, terrorism.
Equipment behind a plant’s security fence is less vulnerable than equipment on a remote installation, such as an unmanned pump station. However, the desire to reduce interference from all causes warrants consideration of all potentially vulnerable devices.
The valves used in a plant are particularly important devices. Opening or closing a valve at the wrong time could cause a catastrophic leak, contamination or hazardous situation that may put personnel and equipment at risk.
Valves fall into two broad categories: manually operated and automated. The manual valve, if critical, will usually have some mechanical key-operated lockout system that prevents plant personnel from inadvertently moving the valve unless a security or safety process is adhered to.
Automated valves are a little more complicated. Certainly many automated valves have local manual controls and hand wheels that can be used to move the valve. These can be mechanically locked in a similar way to a manually operated valve. The complication comes with the remote controls of the valve that are located in a control room at some distance from the valve itself. Furthermore, many modern valve actuators have wireless or other non-intrusive set up communications methods that also need to be secure from unauthorized tampering.
A possible unintended or unauthorized movement of an automated valve could come from two main sources, regardless of whether the valve actuator type is electric, pneumatic, hydraulic or any other.
- An equipment malfunction in the control system, field instrumentation or valve actuator itself.
- An unauthorized movement deliberately caused by an external actor.
With regard to equipment malfunctions, there are methods of mitigating the possibility of failure; this is quantified in a critical safety instrumented system (SIS). The Safety Integrity Level (SIL) of an installation can be assessed using standards defined by the International Electrotechnical Commission (IEC). Some valve actuators have been tested by third-party testing establishments to operate at certain SIL levels. These actuators offer the ability to increase the integrity of the process by monitoring the actuator output as well as the control signal integrity.
For critical automated processes, many systems use a triple redundant control system to ensure the integrity of signals sent to process equipment, including the automated valves.
A more recent area of concern in control systems is guarding against cyber-attack. Major suppliers now incorporate substantial safeguards to counter this possibility.
Most valve actuators have a selector to choose either “local” (at the valve) or “remote” (control room) operation. When the “local” position is selected, the valve can be moved by pushbutton controls on the actuator or on a local control station, if present. However, these local controls are disabled if “remote” is selected. The remote position places the control exclusively with the remote control system. To prevent tampering, the selector can be padlocked in the “remote” mode. To further prevent tampering, a “vandal proof” cover can be padlocked to cover the entire selector assembly. In some extreme circumstances the local selector and pushbuttons can be removed entirely, but alternative means of local control then need to be provided. This is possible with some non-intrusive set up devices.
Valve actuator hand wheels invariably have a provision for padlocking to prevent manual engagement.
The other mode of intervention could be through the non-intrusive set up arrangement. There are a variety of these set up methods. Some use the actuator pushbuttons, some use an infrared link (IrDA) but an increasing number use a standard Bluetooth connection.
There are some simple methods of preventing unauthorized tampering with these set up modes.
The pushbutton setup method can be padlocked to prevent interference.
The Infrared setup method is usually only active when the actuator is in the “local” mode. This means it can have the added protection of the padlocked selector. Further protection can be provided by the use of password protection. Some manufacturers also utilize a dedicated set up tool to ensure a further level of protection.
The Bluetooth method of communication typically uses a mobile Bluetooth device to communicate with the actuator. Proprietary communication software is usually freely available on most manufacturers’ websites. There are several layers of protection on most valve actuators to prevent unauthorized interference.
In order for the actuator to be visible to the Bluetooth device, the control selector would need to be in the “local” position, so direct access to the actuator is necessary. This selector may be padlocked to further prevent unauthorized movement. The Bluetooth device would then need to enter the correct password to communicate with the actuator. So three levels of protection are available.
Despite these protective precautions, some sensitive end users have banned all wireless instrument communications. In these circumstances some manufacturers have the ability to deactivate their Bluetooth communications after actuator set up.
The tampering prevention on pneumatic actuators is similar to that of an electric actuator. A manual override is not always standard on a fluid powered actuator, but when supplied, it also can be padlocked to prevent tampering. The controls in some cases have similar “local / remote” selection and can be made tamperproof by the manufacturer, if requested by the user.
There is an important advantage of the automated valve when considering the problem of security and safety. That is, the monitoring capability that comes with the integral position sensors on the automated valve. Control systems have the ability to raise an alarm should there be any unauthorized movement of the valve or the local actuator controls. This monitoring is constant and continuous and would alert control room personnel to any problems in the field. In addition, a time stamped record of all events can be logged by the control system or actuator data loggers.
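The monitoring described above can be sketched as detection logic over a time-stamped event log. This is an added example, not code from the article or from any actuator vendor; the event format, valve tags, deadband and travel window are assumptions, and the sample events are constructed.

```python
# Constructed sample log: (time in seconds, valve tag, event kind, value).
# "position" is % open from the actuator's position sensor, "command" is a
# target sent by the control room, "selector" is the local/remote switch.
EVENTS = [
    (0,   "PS1-V101", "position", 0),
    (10,  "PS1-V101", "command", 100),      # authorized open command
    (40,  "PS1-V101", "position", 100),     # movement explained by command
    (300, "PS1-V101", "selector", "local"), # selector taken out of remote
    (320, "PS1-V101", "position", 60),      # movement with no recent command
    (900, "PS1-V102", "position", 0),
    (905, "PS1-V102", "position", 1),       # sensor jitter inside deadband
]

DEADBAND = 2.0      # % of travel treated as sensor noise (assumed value)
TRAVEL_WINDOW = 60  # seconds during which a command explains movement (assumed)


def find_alarms(events, deadband=DEADBAND, window=TRAVEL_WINDOW):
    """Return time-stamped alarms for selector changes and uncommanded moves."""
    state = {}   # tag -> reference position, last command, selector state
    alarms = []
    for ts, tag, kind, value in sorted(events, key=lambda e: e[0]):
        s = state.setdefault(tag, {"pos": None, "cmd": None, "selector": "remote"})
        if kind == "command":
            s["cmd"] = (ts, value)
        elif kind == "selector":
            # Assumes the selector is expected to stay padlocked in "remote".
            if value != "remote" and value != s["selector"]:
                alarms.append((ts, tag, "SELECTOR_LEFT_REMOTE"))
            s["selector"] = value
        elif kind == "position":
            prev = s["pos"]
            if prev is None:
                s["pos"] = value
                continue
            # Keep the old reference while inside the deadband, so a slow
            # drift in small steps still accumulates into an alarm.
            if abs(value - prev) <= deadband:
                continue
            s["pos"] = value
            cmd = s["cmd"]
            explained = (
                cmd is not None
                and 0 <= ts - cmd[0] <= window
                and (cmd[1] - prev) * (value - prev) > 0  # moving toward target
            )
            if not explained:
                alarms.append((ts, tag, "UNCOMMANDED_MOVE"))
    return alarms
```

Calling `find_alarms(EVENTS)` on the sample log flags the selector change at 300 s and the movement at 320 s, while the commanded stroke and the 1% jitter raise nothing.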
Chris Warnett is president of CPLloyd Consulting, providing marketing and applications expertise for the valve and automation industry.
This article first appeared in the Winter 2014 edition of BVAA’s Valve User magazine. Copyright © 2014 All Rights Reserved. www.bvaa.org.uk