HMI security

2026-04-06 05:03:08 · #1
When discussing Human-Machine Interfaces (HMIs), the distinction between safety and security is usually clear. Steven Garbrecht, Marketing Manager for Infrastructure and Platform Products at Wonderware, explains, “Safety refers to the embedded control operations and safety linkages within the PLC, which are designed into the control program.” Security, on the other hand, is concerned with people who break into the control system to steal information or cause damage. These are two distinct fields, yet in HMIs safety and security overlap somewhat. Proper safety design prevents operators from damaging or destroying product or equipment and lets them act promptly to avert such incidents.

In December 1984, a catastrophic accident occurred at a Union Carbide plant in Bhopal, India: a chemical reactor went out of control and tons of methyl isocyanate leaked, resulting in thousands of deaths and numerous illnesses. Whether the safety systems functioned during the accident was disputed; Union Carbide maintained that “such a large accident could only have been caused by sabotage,” a view others strongly rejected.

[align=center]Figure 1: In this pharmaceutical process, the start-up, control, and monitoring of the production process are all performed by operators. Wonderware InTouch's HMI software guides operators step-by-step through this process. The figure shows the overall layout of the plant system (left) and the sample data management and review process.[/align]

In the 1979 nuclear accident at Three Mile Island (Pennsylvania) in the United States, operators were unaware that a critical valve was open, because it appeared closed, and they then received incorrect information about the reactor level. Later investigations ruled out sabotage; had the operators received correct information, they could have prevented the situation from spiraling out of control.
Ensuring No Loss of Control

There are, of course, external malicious actors. In a presentation titled "A Guide to Control System Security," Wonderware's infosec analyst Rich Clark listed 17 scenarios, ranging from disgruntled employees to ordinary criminals and on to organized groups and individuals who threaten national and governmental security. He said these individuals are difficult to identify, but "they have many targets to attack every day."

Garbrecht said, "From a human-machine interface perspective, there are three main scenarios. First, someone outside the company crosses the firewall, enters the company through the network, and makes modifications to the human-machine interface. Second, someone inside the company performs malicious operations for some reason. Third, an employee within the company, without intending to launch a malicious attack, causes security or other issues in the process through misoperation."

Clark said that a company that delegates the security of its control systems to the IT department may run into trouble. IT personnel achieve security by isolating each machine: a machine that is online, or that may be carrying a virus, is isolated so that it cannot affect other parts of the enterprise. This method works in the IT field, but it sacrifices the convenience of communication between machines and performs poorly in real time. Clark continued, “When control systems are designed, each machine is designed to communicate with another machine without hindrance. In a control system environment, more machines are both servers and clients, which doesn’t fit the client-server model in the IT field.” Clark pointed out that the security solution for control systems is to place the control system behind a protective wall and then closely control all access to the protected area. All communication between the control system and the rest of the enterprise must pass through a firewall.
A biopharmaceutical company in California recently installed a new system, compliant with 21 CFR 11, for processing historical data. All information about process errors and events is stored on a server and is accessible to those who need it, but the plant's critical data and control information are kept on a network isolated from the rest of the enterprise. Clark described this as “having limited threat vectors.” He said an ideal security control system should meet the following criteria:

■ Isolation from all threats, including business partners.
■ Layering with strong anti-corrosion equipment.
■ Only one input/output point.
■ All system automation within a single security set.
■ Every trusted machine within the enterprise can reach every other trusted machine without hindrance.

Microsoft calls this security model “domain isolation.” GE added this kind of security feature to version 3.5 of its iFIX software with the "Application Validator Utility." This tool automatically cleans up modifications to system files and functions, reducing the chance of unintentional or intentional security breaches during installation.

Joe Quigg, Vice President of Engineering at Systek Automated Controls (formerly Control Engineering Manager at International Automation), warned: “Intentional individuals can create dangers. With older systems, in many cases, people could modify and alter the system unimpeded and without supervision. Moreover, such modifications lacked documentation; if someone changed the system and didn't record it, there was no way to trace it.” He continued, “Many logic systems have hardware relay logic; if someone can open the control panel, they can set up bypasses whenever they want.” He went on to say, “A well-designed modern system is divided into two parts: a standard part, the daily control procedures, which is open-architecture; and a secure part, which is locked down and could be dangerous if modified.
Only specific people, using the correct password, and after training and guidance, can modify it.”

Applications: Performance management software and interfaces help optimize operations and meet standard requirements.

Roche Diagnostics GmbH recently established a new shelving production line in Mannheim, Germany, for diabetes-care and diagnostic products. To meet U.S. Food and Drug Administration (FDA) standards, improve production efficiency, and enhance its process monitoring and auditing capabilities, Roche installed production and performance management software from Wonderware, a business unit of Invensys Systems. The company sought an easy-to-use system that kept its production processes up to date and compliant with FDA 21 CFR Part 11. It selected two key software packages from Wonderware: the InTouch human-machine interface software and IndustrialSQL Server, which includes a database that is dynamically updated from the system. These two packages enabled Roche to meet both commercial and production requirements while complying with FDA regulations.

On this new shelving assembly line, small bottles are picked from trays, sorted, and grouped into packages. These packages are then sent to a rotary table for further processing. Labels are applied, and a camera checks the matrix barcodes for correctness and proper placement. Another camera then checks each bottle and cap for the correct color before the package reaches the final packaging stage. The initiation, control, and monitoring of this production process are all performed by operators using this software. The human-machine interface guides operators step by step, eliminating the need to navigate complex on-screen options. FDA standards require manufacturers to maintain the traceability of production data: companies must clearly define every step of the process, including which operator performed a task and when.
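The traceability requirement just stated, that every step be attributable to an operator at a known time and that the record cannot later be altered or deleted unnoticed, is the core of an electronic audit trail. The following Python is an added example, not code from the original article or from Wonderware's products: each record carries a timestamp, the authenticated operator, the action, and an HMAC-SHA256 signature that also covers the previous record's signature, so editing, deleting or reordering any record breaks the chain. The key, record fields, operator names and actions are constructed for the demonstration.

```python
"""Hash-chained audit trail with per-record electronic signatures (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a deployment the historian server keeps this in a
# protected key store that operators and HMI clients cannot read.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64  # prev_sig value for the first record in the chain


@dataclass
class AuditRecord:
    seq: int           # position in the trail; exposes deletion and reordering
    timestamp: str     # ISO 8601 timestamp in UTC
    operator: str      # authenticated user who performed the action
    action: str        # what was done, in the HMI's own wording
    prev_sig: str      # signature of the previous record (the chain link)
    signature: str = ""

    def payload(self) -> bytes:
        """Canonical bytes that the signature covers (everything but itself)."""
        fields = {"seq": self.seq, "timestamp": self.timestamp,
                  "operator": self.operator, "action": self.action,
                  "prev_sig": self.prev_sig}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only audit trail whose records are HMAC-signed and hash-chained."""

    def __init__(self, key: bytes = AUDIT_KEY) -> None:
        self._key = key
        self.records: List[AuditRecord] = []

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, operator: str, action: str,
               when: Optional[datetime] = None) -> AuditRecord:
        """Record an operator action; the new signature chains to the previous one."""
        when = when or datetime.now(timezone.utc)
        prev = self.records[-1].signature if self.records else GENESIS
        rec = AuditRecord(seq=len(self.records), timestamp=when.isoformat(),
                          operator=operator, action=action, prev_sig=prev)
        rec.signature = self._sign(rec.payload())
        self.records.append(rec)
        return rec

    def verify(self) -> Tuple[bool, int]:
        """Return (intact, index of first bad record or -1).

        Catches an edited field, a deleted or inserted record, and reordering,
        because each of those changes either a payload or the chain of prev_sig.
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_sig != prev:
                return False, i
            if not hmac.compare_digest(rec.signature, self._sign(rec.payload())):
                return False, i
            prev = rec.signature
        return True, -1


def demo() -> Dict[str, object]:
    """Build a short trail, then show that edits and deletions are detected."""
    trail = AuditTrail()
    t0 = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)  # constructed time
    trail.append("op.alpha", "batch B-1042 started", t0)
    trail.append("op.alpha", "batch B-1042 paused", t0)
    trail.append("sup.bravo", "recipe R-7 edited: fill volume 10.0 -> 10.2 ml", t0)
    ok_before, _ = trail.verify()

    # Tampering attempt 1: change who performed the recipe edit.
    trail.records[2].operator = "op.alpha"
    ok_edit, bad_edit = trail.verify()
    trail.records[2].operator = "sup.bravo"  # undo

    # Tampering attempt 2: remove the pause record from the middle of the trail.
    removed = trail.records.pop(1)
    ok_delete, bad_delete = trail.verify()
    trail.records.insert(1, removed)  # undo

    return {"ok_before": ok_before, "ok_edit": ok_edit, "bad_edit": bad_edit,
            "ok_delete": ok_delete, "bad_delete": bad_delete,
            "ok_after_restore": trail.verify()[0]}


if __name__ == "__main__":
    print(demo())
```

The chain detects changes anywhere in the stored trail but cannot by itself detect truncation of the newest records; in practice the latest signature is periodically copied somewhere the historian server cannot rewrite (a printed report, write-once media, a separate system) so the tail can be checked as well. The signing key must be unreadable to HMI clients and operators, otherwise a record could be altered and simply re-signed.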
InTouch's user management features and the capabilities of the Microsoft 2000 operating system allow for robust safety design of the plant without requiring the operating system to interact directly with users. Uwe Drker, Managing Director of Dr焎ker Steuerungssysteme GmbH, said: “One benefit of this approach is that user management is not presented as a separate system, but as part of the overall enterprise security system. Using this approach, the company can easily integrate and reuse existing operating systems in the plant. Moreover, the ease of use and unified interface of this software allow operators in Mannheim to keep the shelving line running at optimal efficiency. We only need to adopt one end-to-end security system using a single user management system instead of several expensive solutions.”

Operators on this shelving line log into the application interface, are authenticated and authorized according to their access levels, and then perform specific operations. Operations on the process line include the daily creation and editing of product and process data; starting, pausing, or stopping batch processing; and editing user preset files. Line operators log in with their usernames and passwords. This secure login enables the company to meet FDA data traceability requirements and makes the production line more tamper-proof. The software features timestamped electronic signatures that link each operator to specific actions. The signature and related data are then stored in the IndustrialSQL Server historical database, producing a detailed audit trail. Authorized supervisors or managers can view and print these audit trails at any time. Information and electronic signatures cannot be altered or deleted, creating a tamper-proof repository that meets FDA requirements. Furthermore, the Mannheim plant uses an additional system for high availability and data integration.
This system is physically isolated from the main system but keeps its data synchronized with it. If the main system fails, a synchronization handshake protocol detects that the main process has stopped and automatically switches to the backup system, a failover capability. Meticulous public network integration also ensures that all data can be used for enterprise-wide analysis. In addition to pressure from FDA regulations, the growing threats of terrorism and counterfeit products are a constant concern for pharmaceutical companies. The security features of this software management system give Roche high confidence in its ability to track and guarantee quality at every step of the manufacturing and packaging process.

Application: HMI System Brings Safety and Security to Aluminum Production.

Alcoa – Aluminerie de Deschambault, an American aluminum company established in Quebec in 1990, was a plant in need of upgrades. Its main metal processing equipment, operated by 550 people, produced primary aluminum ingots, which were then sent to shaping equipment to produce various products. Process control and monitoring ran on a DOS-based system that could not be upgraded, and data acquisition used a home-built OpenVMS (VAX) system. Pierre Boutin, the plant's applications engineer, explained, "We needed a system where changing settings could be done with minimal effort." Plant staff also needed better access control for data processing. For example, the more than 30 members of the plant's environmental team worked closely together, yet could be accessing data at any time from anywhere within half a mile of the plant. Any new system needed to provide a highly secure authentication mechanism, allowing authorized users to access control data from anywhere in the plant, while modifications to control parameters could only be made from specific locations.
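The two-part rule Alcoa asked for, read access from anywhere for authorized users but parameter changes only from designated locations, is an authorization decision that depends on where the session originates as well as on the user's access level. The Python below is an added example illustrating that check; it is not code from the article or from GE Fanuc's Cimplicity. The access levels, operation names, workstation hostnames and user names are all constructed for the demonstration.

```python
"""Access-level plus workstation-location authorization check (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class AccessLevel(IntEnum):
    VIEWER = 1     # may read process data
    OPERATOR = 2   # may also start, pause and stop batches
    ENGINEER = 3   # may also change control parameters


@dataclass(frozen=True)
class Session:
    user: str
    level: AccessLevel
    workstation: str  # hostname the authenticated session was opened from


# Constructed policy tables; a real plant would load these from the HMI's
# user-management configuration rather than hard-code them.
ENGINEERING_STATIONS: FrozenSet[str] = frozenset({"ctrl-room-ws01", "ctrl-room-ws02"})

REQUIRED_LEVEL: Dict[str, AccessLevel] = {
    "read_process_data": AccessLevel.VIEWER,
    "start_batch": AccessLevel.OPERATOR,
    "stop_batch": AccessLevel.OPERATOR,
    "write_parameter": AccessLevel.ENGINEER,
}

# Operations permitted only from a designated engineering workstation,
# regardless of how privileged the user is.
LOCATION_RESTRICTED: FrozenSet[str] = frozenset({"write_parameter"})


def authorize(session: Session, operation: str) -> Tuple[bool, str]:
    """Default-deny decision: returns (allowed, reason)."""
    required = REQUIRED_LEVEL.get(operation)
    if required is None:
        return False, f"unknown operation '{operation}'"
    if session.level < required:
        return False, f"{session.user} has {session.level.name}, needs {required.name}"
    if operation in LOCATION_RESTRICTED and session.workstation not in ENGINEERING_STATIONS:
        return False, f"{operation} not permitted from {session.workstation}"
    return True, "ok"


def audit_line(session: Session, operation: str) -> str:
    """One audit-trail line per decision, for denials as well as grants."""
    allowed, reason = authorize(session, operation)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} {session.user}@{session.workstation} {operation}: {reason}"


def demo() -> List[str]:
    """Exercise the policy with constructed sessions; returns the audit lines."""
    eng_in_room = Session("eng.alpha", AccessLevel.ENGINEER, "ctrl-room-ws01")
    eng_remote = Session("eng.alpha", AccessLevel.ENGINEER, "env-team-laptop07")
    viewer_in_room = Session("env.bravo", AccessLevel.VIEWER, "ctrl-room-ws01")
    return [
        audit_line(eng_in_room, "write_parameter"),     # ALLOW: level and location ok
        audit_line(eng_remote, "write_parameter"),      # DENY: right level, wrong place
        audit_line(eng_remote, "read_process_data"),    # ALLOW: reads allowed anywhere
        audit_line(viewer_in_room, "write_parameter"),  # DENY: right place, low level
        audit_line(viewer_in_room, "stop_batch"),       # DENY: insufficient level
        audit_line(eng_in_room, "reboot_plc"),          # DENY: operation not in policy
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Both conditions are evaluated on every request and the default is to deny, so an engineer working from a laptop in the field can read process data but cannot write a setpoint, and a viewer sitting at an engineering workstation cannot write one either. Every decision yields an audit line, denials included, because repeated refused write attempts from an unexpected workstation are exactly what a supervisor reviewing the trail would want to see.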
Boutin and his colleagues chose to install GE Fanuc Automation's Cimplicity software on top of the existing infrastructure to build a control and monitoring solution. The electrolytic alumina extraction process is divided into five steps. In each step, 10 to 15 GE Fanuc 90-70 series PLCs and multiple 90-30 series PLCs perform additional monitoring and control tasks, monitoring approximately 10,000 points per step. The network uses a star Ethernet topology: the PLCs, Cimplicity software and operator interfaces in each step connect to switches over standard 10Base-T copper connections, and each step in turn connects to a 100 Mbps Ethernet network routed to the IT department over fiber optic cable. The main server is located in the IT department and slave servers are located on-site; IT staff are responsible for system maintenance. The plant edition of the Cimplicity HMI software uses web technology based on a client/server architecture and open systems design, so users across the plant can access real-time data remotely through a web browser in the Cimplicity window.

As a supplement to the system's built-in user access security, the IT department added another security layer. At this layer, process information can be accessed by authorized users at all workstations, while parameter modifications can only be performed at designated workstations. The new control and monitoring system works well and has promoted teamwork between IT and process control staff, a collaboration that often breaks down in many companies. Boutin said, "The collaboration between these two groups is excellent, which has played a crucial role in the successful operation of our control and monitoring system."

Application: PLC-controlled robots using handheld HMI devices with integrated safety software.
The complete Rexroth system installed by Klocke-Robot-Systeme GmbH in Vlotho, Germany, offers high positioning accuracy, short cycle times, and low hardware costs. Klocke's loading and unloading robots operate injection molding machines automatically. The IndraMotion for Handling system, with integrated safety features, uses continuous control from Siton IndraLogic, meets IEC 61131-3, and ensures the reusability of pre-built program modules. This system looks and feels like a robot controller, but it is actually PLC-controlled.

IndraMotion for Handling works with complete mobile operator panels such as the Rexroth VEH30 handheld operator interface device. This component has an 8.4-inch touchscreen and is hot-swappable, so it can be connected to running equipment over Ethernet. A single device can perform multiple control tasks. Users can edit motions using the four soft buttons on the handheld, or enter specific points via a virtual keyboard. The integrated safety features of the Rexroth IndraDrive meet the requirements of EN-945-1 Category 3, so the system complies with safety regulations across Europe without additional hardware or control modifications.