
The Role of Automation Systems in Management of Change

Similar to changing lanes in an automobile in a winter storm, with change enters risk. Everyone has most likely experienced that feeling of changing lanes in bad weather where you find yourself weighing the risk vs. the benefit that the new lane provides. The same principle can be found when considering making changes to control applications and automation configurations in an industrial plant. In order for the change to have a positive impact as was originally intended, the risk that is associated with making the change must be mitigated. There are multiple ways that risk can be reduced, such as following good management of change processes and procedures, personnel training programs and certifications, and having a safety-minded corporate culture. However, one of the best assets that those responsible for implementing change have is the automation system itself.

Change is part of life and business


First let's examine why a change is made to a running facility, since the first question someone will pose is "If there's increased risk, why make the change?" or "Isn't it better to be safe than sorry and not make the change?". While these statements are true, there are benefits that justify making changes provided that every effort can be made to reduce the risk that they incur.

Incremental changes to process automation systems are required today more than ever due to regulatory changes, expansions or additions, optimization, and product variances. In some industries, it is acceptable to have frequent shutdowns to safely incorporate these changes. Conversely, in mission-critical, continuous processes such as oil and gas, petrochemical, and power, shutdowns are few and far between. In most cases, major outages in these types of process applications will only occur every 3-6 years, thus changes to a control system's configuration are a necessary and acceptable practice. Below are just a few examples of changes that occur in a running facility:

Process modifications
Production optimization
Plant expansions
Enhanced safety measures
Implementation of new regulatory or environmental requirements

Any of the above can greatly impact business metrics, which can justify making changes to a running facility. For example, implementing a change in a chemical facility that optimizes production can increase production or result in a higher yield of a certain grade of product. Implementing this change makes the company more competitive, efficient, and profitable, thereby providing justification. If this change was only allowed to be made during a planned shutdown or outage, the opportunity lost could mean millions in lost revenue depending on what is produced.

Another example of where change could impact a facility is the implementation of changes that are necessary to comply with standards, best practice guidelines, or regulatory requirements. Regional legislation may require the addition of monitoring, controls, and reporting in order to comply with new standards meant to reduce the impact to the environment. These improvements normally have to be made within a certain time frame, which can impact the cost of implementation. If a facility has to shut down production in order to make the change, then the cost of implementation could increase to millions of dollars. Of course, if the changes are not made until a shutdown or outage, there may be financial penalties or possible harm to the environment that could have been avoided.

Defining necessary changes


Now that we've identified why changes are necessary from a business perspective, let's examine what kind of changes are made and the possible consequences that can occur.

1. Operational changes to applications:
   Operational parameter changes vary slightly from site to site and company to company based on the chosen operations philosophy and functional design of the application. However, these types of changes can generally be classified as modifications made by operations that they have permission to change. An example would be to modify the gain of a PID loop within a predetermined, acceptable range or modifying a low level alarm limit on a monitored process variable that doesn't have process or safety implications. These changes are usually considered to be low risk but are tracked via an audit trail to capture:
   a. what was changed, such as the tag name and parameter that was modified
   b. who made the change, which is only as accurate as the granularity of user security configured (johnsmith vs. operator1)
   c. where the change was made from, usually indicated by a node name (Console1)
   d. when the change was made
   e. why the change was made, which, depending on the sophistication of the system or integrated change management/documentation systems, could be a comment added to an audit trail message
2. Runtime configuration changes
   Runtime configuration changes are those made to, deleted from, or added to a program or application currently running in a distributed process controller. These changes may require that the modified program replace the current running program or application. The impact that these changes have is based on the architecture and configuration of the automation system. Usually, the smaller the program or application, the smaller the possible impact to other programs and applications; however, the risk may be just as great. For example, a single PID loop could be the program being modified. The importance of this PID loop and its connections to other loops, interlocks, and permissives dictate its contribution to the overall risk. Some examples of commonly made changes are as follows:
   a. Addition of a new tag or tags, such as a PID loop, the addition of an entire unit, and/or addition or modification of optimization algorithms running in a controller.
   b. Modification of an existing control tag, such as its range of operational parameters or safety boundaries.
   c. Modification of interlocks or permissives.
   d. Modification of graphics which need to be downloaded to various consoles. Graphics are considered by many to be application code which needs to be treated the same as runtime changes, as they may impact, both positively and negatively, the operations of a facility.
3. Changes to the automation system infrastructure
   a. Modification of execution parameters such as the time it takes for a program to execute or I/O card parameters such as signal types and ranges.
   b. Addition or deletion of nodes, controllers, communication, and I/O cards.

Any of the above-mentioned types of changes can introduce risk without the proper processes and procedures in place.

Automation systems as facilitators


Automation systems can facilitate the management of change process and support best practice in it. In addition to tracking and documenting change through features such as the audit trails mentioned earlier, modern distributed control, or automation, systems today have many features that minimize risk when implementing change.

1. Catching mistakes before they get downloaded: Whenever humans are involved it is inevitable that mistakes will happen. A value will be mistyped or a tag name spelled wrong. The key is to reduce the chance of these mistakes reaching the running system. To do this, there are multiple tools available depending on the system used. One example is compiler checks/error detection or difference reporting prior to download. A difference report will provide a comparison of the "before" and "after" application code as well as for the operator graphics.

   Figure 1: Difference Report

2. Controller implications: Timing is everything for a process controller. In many cases prioritization and task executions may be changed based on the program. Making changes to the program will result in a change to the resources utilized. In some cases, the change may affect the controller's execution and cause propagating problems for other applications running in the same controller. One example is where making a change to a cycle time could produce unwelcome results. Due to a change made in the time it takes for an application to run, the controller may become overloaded. Typically this will not be recognized until the download occurs and the controller stops or acts badly.

   Figure 2: Task Analysis Tool

3. Change verification: During modification of the program, good change management practice usually includes a quality assurance step that verifies that the intended change was the only change that was implemented. This ensures that someone else hasn't inadvertently made a change to the same code that is slated to be downloaded. If this isn't caught prior to downloading, the compiler detection may not flag it as an error and, if missed in the user's difference report, the rogue change will be downloaded, possibly yielding unexpected results. In some cases, there are ways to compare the "before" and "after" versions of the application code to report on details of the changes made. Comparing the two can reveal that only the intended change was the one that was made. This is also important beyond logic configuration. Graphics are often considered as important as the application logic, as they determine what the operator may see in certain conditions. Therefore, it's important that graphics use the same conversion. Also, it's important for this reporting to be easy for non-engineering employees, as it's usually quality personnel doing these checks.

   Figure 3: Detailed Difference Report

4. Stepwise change introduction: Library versioning: In many systems in the past, there was only one library of blocks used in a DCS for configuration; today, however, some systems have a library versioning approach. This means that as changes are made, they can be made to a new version of the solution library. The changes made to the new version of the library do not reach the running application until it is pointed to the new library version. This allows changes made to the library to be rolled out in steps, which can greatly minimize how much is changed at one time, which minimizes risk. For example, if you had multiple units in a facility that were using a certain "version 1" of a library and you wanted to make modifications to the solutions in the library, you would create "version 2" of that library. Implementation of the changes can then be tested on one unit, then the next and so on, by connecting the different applications one by one to the new library version. The versioned library concept allows stepwise change introduction, which limits the impact an error will have on the remainder of the facility.
5. Cross-referencing: An important part of reducing risk when making a change is determining what will be affected when the change is implemented. Most systems have cross-referencing tools to tell where certain variables or process points are being used. Again, graphics is another area in which cross-referencing is equally important, because making a change to an operator display graphic could affect how operators interact with the process.
6. Simulation: Simulation of an application for testing will demonstrate that the application is capable of executing the automation strategy based on the simulation model. The most accurate simulation would be using the actual code and graphics running against either a soft controller or an isolated online controller running against live I/O. Simulation serves two purposes: it enables deployment and testing of batch and continuous control applications in an offline environment, and training of operators against the system they will actually use.

Impact Analysis: the final frontier in change management


While simulation testing will validate an application's functionality relative to its requirements, it cannot show the actual differences between the new and the original application in order to unveil any dynamics that might exist as the consequence of the new application calculating different outputs. For example, upon the execution of a newly downloaded application or program, the new application could result in closing a valve where the existing one would open the valve. The result could potentially have consequences such as poor performance, shutdowns, environmental impact and increased risk to safety of plant personnel.

Therefore, true impact analysis can only be accomplished where the modified application or program is downloaded to the running controller in parallel with the original and, using actual inputs, the user can evaluate the resulting differences, if any, between the "evaluation" environment and the actual, running production environment. Though this feature is not common in all automation systems, it is a powerful tool that provides two distinct benefits. First, it significantly reduces the risk associated with making application or program changes in the running process and second, it improves overall efficiency by avoiding production stops, poor optimization, and costly downtime.

A feature of ABB's System 800xA called Load-Evaluate-GO, sometimes referred to as LEG, was developed in collaboration with DOW. This Load-Evaluate-GO feature enables the user to add programs or modify configurations and then load the new application into the running controller in parallel with the application actually running production.

ABB System 800xA's Load-Evaluate-GO:
1. The user downloads the modified program to the running controller in parallel with the actual program that is running.
2. The user evaluates the modified program by comparing output values and alarms calculated using live inputs.
3. The user can commit to the new program (GO) or back out and continue editing the new program.

Using actual live inputs, the evaluation version of the application calculates the outputs that would go to the field if it was the actual production application. The two environments can then be compared directly to the actual running application via difference reports of signals, alarms that may be generated, as well as an operator interface view that is generated separately from the runtime environment. This parallel universe is called the Evaluation Environment and can be called up so that the user can see what an operator would see as part of the evaluation.
Once the user evaluates the new program or application's behavior based on live inputs, they can commit to the new program (GO), which replaces the running application, OR the user can back out of the process with the original program still running production as it was before.

Because of the very stringent management of change process and its difference reporting capabilities at each stage of the loading process, the LEG toolset forces the user to think about the differences reported in two major situations:
a. Static differences: all the differences between the running code and the code to be loaded are flagged. If a difference is a surprise, the load process can be stopped and the situation can be investigated. The inverse also applies: one is expecting a difference and it is not reported. This indicates that a program part that was supposed to be loaded is not incorporated in the load set.
b. Dynamic differences during evaluate mode: even if the static difference test has not identified issues, there is still the risk of calculating a different output value for one or more outputs between the old and new application. Those differences are reported and offer the user the ability to intervene prior to activating the application, such as putting the output of a certain loop in manual or backing out of the loading process altogether.
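
The static difference check in item a, together with the change verification step described earlier, can be sketched as follows. This is an added example, not code from the original paper or from ABB; the tag names, parameters and the approved-change set are constructed for illustration.

```python
# Added example: static difference check between the running configuration and a load set.
# Tag names, parameters and the approved-change record are constructed for illustration.

def flatten(config):
    """Map {tag: {param: value}} to {(tag, param): value}."""
    return {(tag, p): v for tag, params in config.items() for p, v in params.items()}

def static_differences(running, load_set):
    """Return {(tag, param): (old, new)} for every added, removed or modified value."""
    old, new = flatten(running), flatten(load_set)
    return {k: (old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys())
            if old.get(k) != new.get(k)}

def verify_change(running, load_set, approved):
    """Classify differences against the approved change record.

    approved is the set of (tag, param) pairs the change request says will differ.
    surprises: differences nobody asked for (stop the load and investigate).
    missing:   approved changes absent from the load set (load set is incomplete).
    """
    diffs = static_differences(running, load_set)
    intended = {k: v for k, v in diffs.items() if k in approved}
    surprises = {k: v for k, v in diffs.items() if k not in approved}
    missing = sorted(approved - set(diffs))
    return intended, surprises, missing

# Constructed sample data
RUNNING = {
    "FIC101": {"gain": 1.2, "reset_s": 30, "out_hi": 100.0},
    "LIC205": {"gain": 0.8, "lo_alarm": 15.0},
    "XV310": {"interlock": "LIC205.lo_alarm"},
}
LOAD_SET = {
    "FIC101": {"gain": 1.5, "reset_s": 30, "out_hi": 100.0},  # approved tuning change
    "LIC205": {"gain": 0.8, "lo_alarm": 15.0},                # approved change not included
    "XV310": {"interlock": None},                             # unapproved interlock removal
}
APPROVED = {("FIC101", "gain"), ("LIC205", "lo_alarm")}

if __name__ == "__main__":
    intended, surprises, missing = verify_change(RUNNING, LOAD_SET, APPROVED)
    print("intended :", intended)
    print("surprises:", surprises)
    print("missing  :", missing)
    print("OK to load" if not surprises and not missing else "STOP: investigate before loading")
```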


Take, for example, a critical process in which changes need to be made. Even though the changes could be extensively tested and simulated in an offline environment, using System 800xA's Load-Evaluate-Go feature could reveal that downloading the new, modified application would have resulted in a particular control valve's output increasing by 10%. Without the capability of detecting differences in outputs during implementation of the changes, plant operation may have been unintentionally disturbed, impacting the end product quality or, worse, causing a plant trip.

Figure 4: Load-Evaluate-Go
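
The dynamic difference evaluation described above, as an added example that is not part of the original paper and is not ABB's implementation: a running and a modified PI loop are fed the same input samples, and only output deviations beyond a tolerance are reported. The PIController class, tuning values, tolerance and input samples are assumptions made for illustration.

```python
# Added example: evaluating a modified control program in parallel with the running one.
# The controller model, tuning values and input samples are constructed for illustration.

class PIController:
    """Minimal PI loop; output is clamped to 0-100 % valve position."""
    def __init__(self, gain, reset_s, setpoint, scan_s=1.0):
        self.gain, self.reset_s, self.setpoint, self.scan_s = gain, reset_s, setpoint, scan_s
        self.integral = 0.0

    def scan(self, pv):
        error = self.setpoint - pv
        self.integral += error * self.scan_s / self.reset_s
        return max(0.0, min(100.0, 50.0 + self.gain * (error + self.integral)))

def evaluate_in_parallel(running, candidate, inputs, tolerance_pct=5.0):
    """Feed the same inputs to both programs; only `running` would drive the field.

    Returns (scan_no, pv, running_out, candidate_out) for every scan where the
    candidate's output differs from the running output by more than tolerance_pct.
    """
    deviations = []
    for n, pv in enumerate(inputs, start=1):
        out_run = running.scan(pv)    # value that is actually written to the valve
        out_new = candidate.scan(pv)  # calculated for comparison only, never written
        if abs(out_new - out_run) > tolerance_pct:
            deviations.append((n, pv, round(out_run, 2), round(out_new, 2)))
    return deviations

def decide(deviations):
    """Commit (GO) only when evaluation showed no deviation beyond tolerance."""
    return "GO" if not deviations else "BACK OUT"

LIVE_PV = [50.0, 49.0, 46.0, 44.0, 47.0, 50.0]  # constructed readings, one per scan

if __name__ == "__main__":
    devs = evaluate_in_parallel(PIController(1.0, 20.0, 50.0),   # running program
                                PIController(2.0, 20.0, 50.0),   # modified gain
                                LIVE_PV)
    for n, pv, old, new in devs:
        print(f"scan {n}: pv={pv} running={old}% candidate={new}%")
    print(decide(devs))
```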

Conclusion
Change is a necessary part of today's operations in production facilities, and therefore management of change is key in reducing risk to the process, business, environment and personnel. Though management of change is much more than features in an automation system, these features can help facilitate management of change in various ways. Compiler checks, change verification reports, the use of libraries for stepwise change introduction, and simulation testing are all ways that most modern systems have available to help the management of change process. However, probably the best way to perform impact analysis involves comparing the modified application or program to the original using the actual live inputs in order to detect potentially hazardous changes to the process. This is not commonly found but has been proved to be an invaluable asset for reducing risk, as it detects possible differences in calculated outputs which cannot be found in any other testing scenario. To quote a well-known figure, "Change... good; Fire... Bad."
