Securing automation systems – a step by step approach


Prof. Dr. Frithjof Klasen, the writer of this presentation, is a member of the Managing Board of the PROFIBUS Nutzerorganisation e.V. (PNO), Director of the Institute for Automation & Industrial IT (AIT) at FH Köln, and Director of AIT Solutions GmbH in Gummersbach.

Prof. Dr. Frithjof Klasen


The big problem when it comes to security for automation systems: there are no simple solutions.

A system is only safe if the threats are known. Typical security threats in production include infection by malware, unauthorized use (both intentional and unintentional), manipulation of data, espionage and related know-how loss, and denial of service. The consequences can be loss of production, reduced product quality, and endangerment of humans and machines.

In order to evaluate threats, the properties and possible weak points of devices and systems must be known. After all, a property that is useful from the automation perspective – for example, the ability for a programming device to access a controller without authentication – is seen as a possible weak point from the security perspective. It is necessary to distinguish these weak points in order to assess risks, develop security solutions, and take appropriate measures:

  • Weak points that arise due to incorrect implementation (for example, faulty device behavior).
  • Conceptually planned and accepted properties. These include all features that can also be exploited for attack purposes. An example here would be an integrated web server in an automation device.
  • Weak points that are caused by organizational measures or lack thereof.

Field devices contain not only communication technologies for transmission of process signals (real-time communication) but also standard IT technologies, such as FTP services. In addition, field devices also operate as network infrastructure components (switches) and therefore have services and protocols that are needed for network management and diagnostic purposes. Most communication protocols at the field level have no integrated security mechanisms. Devices and data are not authenticated and, consequently, in an attack, systems at the field level can be expanded at will and communications can be injected. Even the transfer of PLC programs often takes place without security measures such as user authentication and integrity protection.

There is no panacea

Ideally, users would like to have a tool, certification, or system that promises them long-term security. The difficulty, however, is that such solutions don’t provide lasting security. In order to develop secure systems, users must not only implement technical measures but also conceptual and organizational measures. And everyone will know from their own experience that processes can be implemented in technologies much faster than in the minds of people.

However, conceptual and organizational weak points can be more easily overcome when they are described in guideline documents. For example, PI developed a Security Guideline for PROFINET in 2006 and published a completely revised version of this guideline at the end of 2013. This guideline specifies ideas and concepts on how security solutions can be implemented and which security solutions should be implemented. The subject of risk analysis is covered, for example. This analysis estimates the probability of a damage event and its possible consequences, based on protection goals, weak points, and possible threats. Only on the basis of an analysis of this type can appropriate security measures be derived that are also economically feasible. A series of proven best practices are also given, such as the cell protection concept.

Making devices more secure
Another measure concerns the device security. After all, robust devices are the basis for stable processes and systems. They are a basic prerequisite for security in automation. Weak points due to incorrect implementation can be eliminated only through appropriate quality assurance measures and certifications. In large networks, system availability matters the most. To achieve this, devices must respond reliably to various network load scenarios. In systems with many devices, an unintended elevated broadcast load can occur on the network during commissioning, for example, when the master attempts repeatedly to access all devices even though only a few devices are connected. The available devices must be able to handle this abnormal load. It is difficult for operators to predict such scenarios since the probability of a high data volume is dependent on the system. The reason is that the data traffic is determined by cyclic and acyclic data exchange as well as the event-driven data volume.

With the help of the Security Level 1 Tester, developed by PI for certification of PROFINET devices and available free of charge to member companies, such network load scenarios up to and including denial of service can be simulated in advance. The field devices are tested under stress conditions to simulate an unpredictable load and, thus, to reduce device failures. Uniform test specifications have been defined for this, which can be systematically applied by the test tool. In addition, various network load-related scenarios have been developed that take into account various frame types and sizes as well as the repetition period and number of frames per unit of time, among other things. The network load-related test is already being required by various end users such as the automotive industry. This test is already integrated in the device certification testing according to the latest PROFINET 2.3 specification and must therefore be passed in order for a device to be certified. Users that purchase such a certified device can rely on having a correspondingly robust device.

By no means are all problems solved
Only those who know their devices can protect them. Still, not all manufacturers provide comprehensive information about the utilized protocols and services and communication properties of their devices. Another problem: in spite of security, users must still be able to handle and operate systems. No maintenance technician wants to be looking for a certification key for a failed device at 2 AM in order to bring a system back online. Future-oriented concepts therefore master the tightrope walk between usability and security.

PI has been dealing with the issue of security for years. For example, one PI Working Group is concentrating continuously on security concepts. A product of this is the PROFINET Security Guideline, which can also be downloaded free of charge by non-members. Moreover, further development of the Security Level 1 Tester is being advanced here. In so doing, it is important to all participants that the described and recommended procedures are sustainable and practicable and ultimately also accepted by users. Only in this way can protection concepts be truly successful.

Failure is not an option!


ProSoft Technology’s PROFIBUS Modules and Industrial Radios allow critical data to be transmitted from ControlLogix PACs at Flood Defense System.

Failure is not an option when upgrading a flood barrier’s control system. Should a flood barrier malfunction, thousands of homes and businesses could be severely impacted.

Upgrading a flood barrier isn’t a task that can be done overnight. It takes months and months of work. The barrier has to remain available for use throughout the upgrade, making it a considered and careful task. There have to be several fail-safe measures and redundancies in place. Whoever said redundancies are a bad thing hasn’t taken a look at a flood barrier system.


Two concrete towers stand 20 meters above the ground on either side of the mouth of Dartford Creek. This is the UK Environment Agency’s Dartford Barrier Flood Defense System in Kent, South East England. The barrier is routinely closed, in conjunction with the bigger Thames Barrier upstream, to prevent high tide water levels in the River Thames Estuary flowing back up the creek and flooding Dartford and the surrounding area.

Two steel gates, each 30 meters across and weighing over 160 tons, are suspended at high level between the two concrete towers. Like a huge guillotine at the creek mouth, one gate may be slowly lowered on its supporting chains onto the river bed to block the flow of water. Then the second gate may be slowly lowered to rest on top of the first gate. When closed together, the 160 ton steel gates can withstand up to 10.4 meters of water.

The gates are raised and lowered by direct drive oil hydraulic motors. The drive system comprises two 18.5 kW pump and motor units, providing both duty and standby facilities, enabling a gate to be raised or lowered in 15 minutes. When not in use, both gate structures are safely held in the fully raised position and latched using hydraulic latch mechanisms. This permits vessels to pass underneath the gates along the creek.

It is envisaged that, due to climate change, the barrier may need to operate an average of 50 times per annum over the next 25 years.

“The system has to be highly available with many fallback systems in case of failures,” said Andrew Garwood, a Senior Contracts Manager in the Controls Division of Qualter Hall & Co Limited, Barnsley (GB).

Just a couple of years ago, the control system was starting to show its age. As part of a large upgrade to the barrier, its associated control system was overhauled. The original control system was a completely hardwired based relay system that was over 30 years old. Spare parts for the 30 year-old system were becoming scarce.

Qualter Hall provided the M&E contracted works on behalf of the principal contractor, Birse Civils, which had engaged Qualter Hall as the Systems Integrator for the project and as the Mechanical and Electrical Engineering Contractor in charge of upgrading the control system. They had several goals in mind. Number one was safety and reliability. Flooding, should it occur, could cause extensive damage to the surrounding area.

Qualter Hall, who provides an attractive ‘one stop shop’ for a multitude of engineering solutions, decided to call ProSoft Technology. Qualter Hall selected this company because it was a reliable, cost-effective solution that was endorsed by Rockwell Automation. ProSoft Technology is a Rockwell Automation Encompass Partner.

Two Rockwell Automation ControlLogix redundant PACs are inside each of the 20-meter towers to control the opening and closing of the barrier, but much of the equipment the control system spoke to was PROFIBUS or Siemens based. Two PROFIBUS Master communication modules (MVI56-PDPMV1) from ProSoft Technology were installed inside the ControlLogix PACs to facilitate communication from the Rockwell Automation processors.

“The ProSoft Technology modules were utilized to provide PROFIBUS DP into the ControlLogix rack and permitted four separate PROFIBUS DP segments for redundant operation,” Andrew Garwood said.
Fiber optic cables were installed between the two towers, as part of the control system overhaul. While the cable links were being constructed, ProSoft Technology 802.11 Industrial Hotspot radios served as the communication link.

“The wireless link was then used as an automatic fallback connection should fiber optic connection be lost. The ProSoft Technology equipment was selected for its flexibility and support of the spanning tree protocol (RSTP),” Andrew Garwood said.

ProSoft Technology’s solutions helped ease the engineering work by making it possible for the ControlLogix system to communicate as one single protocol.

The system now allows data to be reviewed quickly, centrally and remotely, providing convenience when accessing diagnostic information.

Thousands of homes and businesses are now safely protected.

The bar is set!

PROFINET’s remarkable achievement of 31.25 µs cycle time and how this impacts on the future of data transmission:

What are the factors for successful automation?
Factors like speed or the excellent performance capability of a particular sensor are often mentioned. Nevertheless, the outstanding features of an individual component can only be taken advantage of if the design of the overall system is compatible. In practical terms, this means that high-precision sensors are of little use without a fast synchronous network, and vice versa.

The Chairman speaks!

Karsten Schneider

For many users, a cycle time of 31.25 µs is almost unimaginable. Karsten Schneider, PI Chairman, explains the tools used to demonstrate this fast cycle time and the significance it has for real-world applications:
Read-out: Mr. Schneider, just how fast is a cycle time of 31.25 µs?
K.S: In fact, it is difficult to grasp just how fast this cycle time is, which is why we constructed a live model. Because LEDs react too slowly, we used an oscilloscope to visualize the cycle time of 31.25 µs as well as the slight jitter over the entire system. In addition, an analog signal was sampled, transmitted via PROFINET, and output at another station in our model.
Read-out: Which applications will benefit from this cycle?
K.S: It is of interest to highly dynamic measuring equipment applications, since sampling rates up to 32 kHz over the network are possible. It could be used, for example, to record torque characteristics in test stands.
Read-out: Why will isochronous operation play an even more important role in the future?
K.S: The processes of the future will have to be tuned to each other with even greater precision. A typical example is the multi-axis closed-loop control process in printing machines. A more precise isochronous operation will not only increase the productivity of the overall printing machine but will also allow production of printed products with higher resolution and thus sharper images. Another industry sector with stringent requirements for isochronous operation is the packaging industry. While the material filling process runs relatively slowly, the primary packaging process requires a very high speed. Both processes must be precisely tuned to each other to avoid disruptions in the overall process.
Read-out: And how have you demonstrated this feature with the model?
K.S: Isochronous operation was demonstrated with a traditional stroboscope test. For this, we aimed a stroboscope at a variable-speed disk in such a way that a permanent image of a written text is produced.
Read-out: You are always emphasizing openness as a highlight of PROFINET. Does this also apply to the short cycle time of 31.25 µs?
K.S: We have placed a high value on this during development. Even with the short cycle time, standard data can be transmitted without limitation via TCP/IP. We have a full HD video taken in our test setup that demonstrates undisturbed transmission of these data all the way through the PROFINET system. The ability to transmit standard data is necessary in order, for example, to transfer new parameters, quality assurance data, or images for production monitoring. An example of this is the transmission of data from high bay storage systems via a camera. In addition, there is a trend in assembly lines toward recording and storing torque characteristics of screws for quality control purposes. These data can also be transmitted without any problems.

Whenever performance is discussed, the overall system often takes a back seat. The result: the overall speed of the system is only as fast as the slowest link. In other words, you may have fast communication, but it is of little use if your controller or I/O system does not have compatible cycle times. One must always bear in mind that the terminal-terminal response time depends heavily on the bus update time. The critical factors are therefore the overall system accuracy as well as the synchronization of controller, communication, and inputs/outputs. The basis for achieving such a high-performance overall system is the use of a fast synchronous network.

This is just one of the reasons for the unbridled popularity of the PROFINET technology. The communication system, which reflects all facets of automation, is enjoying success across all industry sectors throughout the factory automation, motion control, and process automation markets. Regardless of the industry sector, it is not just the system’s speed that is playing a critical role but also its real-world diagnostics, integration, safety, and wireless solutions. In 2011, for example, 1.3 million new PROFINET devices were sold on the market, bringing the total installed base to 4.3 million devices.

In automation, the challenge lies in not knowing what the future holds in terms of requirements. For example, an end user may be completely satisfied at the moment with its automation and communication systems. But what happens 5 years later when that user’s Quality Assurance Department requires certain production procedures to be transmitted over the communication system in realtime?

In order to be equipped for future tasks, PROFINET Specification V2.3 defined mechanisms that will further speed up communication with PROFINET. An important step of this definition is the performance upgrade of PROFINET to achieve cycle times of 31.25 µs. This upgrade is for applications that have more stringent demands on communication while also requiring isochronous operation. The key thing here is that the system remains scalable. Regardless of which level of performance will be required in the future, the user can rely on a single communication system without system gaps.

Faster to the goal
Three mechanisms make this possible: Fast Forwarding, Dynamic Frame Packing, and Fragmentation. As a result, short cycle times of as little as 31.25 µs can be achieved together with high-precision isochronous operation. To maintain compatibility with the previous specification, three main tricks have been used. To optimize the IO bandwidth, the transmission time of messages was shortened from 6.3 µs to 1.2 µs by forcing an earlier forwarding decision (Fast Forwarding) during switching. Previously, a standard PROFINET frame could only be forwarded in the switch when the complete Ethernet header was received.

Like other communication systems, PROFINET uses the summation frame method for optimizing the ratio of frame to user data, thereby opening up further potential for optimization. In contrast to ring bus systems, PROFINET relies on the performance advantages of a full duplex system, i.e., input and output data are sent simultaneously on the 2-pair cable. When a single summation frame is used, this would have to be sent, received, and checked completely down to the last node, including the checksums. This is where Dynamic Frame Packing comes in. Because the data of the first nodes in the line are not relevant for the nodes placed further toward the end, these are removed during the passage. This shortens the frame in its passage through the network. The time-determining arrival of the frame at the last node is thus much sooner, thereby significantly reducing the overall update time for all nodes.

A proven and important advantage of PROFINET is its unlimited TCP/IP communication even when isochronous realtime communication is occurring simultaneously. For this, the architecture of PROFINET provides for time scheduling in addition to synchronization. The network is not loaded with I/O frames during a defined time phase but instead is free for any TCP/IP frames, which can take up a duration of up to 125 µs with Fast Ethernet and thus define the minimum cycle time.
Next, the fragmentation defined with PROFINET V2.3 takes large TCP/IP frames in the individual nodes and, prior to sending, divides them into smaller fragments, which are sent in consecutive cycles. The counterpart then re-assembles them so that the upper-level application layer receives an unaltered TCP/IP frame. This allows users to realize bus cycles of 31.25 µs with shared I/O and TCP/IP communication, without having to reduce the available bandwidth for the TCP/IP communication.
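The arithmetic behind the 125 µs figure and the split-and-reassemble idea, as an added example that is not part of the original article or of the PROFINET specification. The 2-byte fragment header and the 50% share of each cycle left for TCP/IP traffic are assumptions made for illustration, not the V2.3 wire format.

```python
import math

LINK_MBPS = 100        # Fast Ethernet: 100 bits per microsecond
PREAMBLE_SFD = 8       # bytes sent on the wire before every frame
INTERFRAME_GAP = 12    # idle bytes required after every frame
ETH_OVERHEAD = 18      # 14-byte header + 4-byte FCS, untagged
MAX_FRAME = 1518       # largest untagged Ethernet frame, header to FCS
FRAG_HEADER = 2        # hypothetical: sequence number + "more fragments" flag


def wire_time_us(frame_len):
    """Microseconds a frame of frame_len bytes (header to FCS) blocks the link."""
    return (frame_len + PREAMBLE_SFD + INTERFRAME_GAP) * 8 / LINK_MBPS


def max_chunk(cycle_us, non_rt_share):
    """Largest slice of the original frame that fits the non-real-time window.

    non_rt_share is the assumed fraction of each cycle kept free of I/O frames.
    """
    window_bytes = int(cycle_us * non_rt_share * LINK_MBPS // 8)
    chunk = (window_bytes - PREAMBLE_SFD - INTERFRAME_GAP
             - ETH_OVERHEAD - FRAG_HEADER)
    if chunk <= 0:
        raise ValueError("window too short to carry any fragment")
    return chunk


def fragment(frame, chunk_len):
    """Split frame into (seq, more, data) fragments, one per bus cycle."""
    count = math.ceil(len(frame) / chunk_len)
    return [(seq, seq < count - 1,
             frame[seq * chunk_len:(seq + 1) * chunk_len])
            for seq in range(count)]


def reassemble(fragments):
    """Rebuild the frame; reject gaps, reordering and a missing last fragment."""
    if not fragments:
        raise ValueError("no fragments received")
    last = len(fragments) - 1
    out = bytearray()
    for expected, (seq, more, data) in enumerate(fragments):
        if seq != expected or more != (expected < last):
            raise ValueError(f"fragment sequence broken at position {expected}")
        out += data
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a maximum-size frame with a recognisable byte pattern.
    frame = bytes(i % 256 for i in range(MAX_FRAME))
    print(f"unfragmented frame occupies the link for {wire_time_us(len(frame)):.2f} us")

    chunk = max_chunk(cycle_us=31.25, non_rt_share=0.5)  # 0.5 is an assumption
    frags = fragment(frame, chunk)
    print(f"{len(frags)} fragments of up to {chunk} bytes, "
          f"delivered after {len(frags) * 31.25:.2f} us")
    assert reassemble(frags) == frame  # upper layer sees the unaltered frame
```

A full-size frame needs about 123 µs of link time, which is why an unfragmented TCP/IP window sets a floor near 125 µs; split under the assumed budget, the same frame rides along in ten consecutive 31.25 µs cycles.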

Applications exist today that can benefit from a cycle time of 31.25 µs, such as high-speed closed-loop motion control applications and applications in the measuring equipment sector.

A key aspect for the user is the compatible expansion options that allow it to update an individual controller or field device and still retain existing functions. Only when the user wants to make use of the new functions, e.g., for performance optimization, is it necessary to fully update controllers and field devices to the latest version. The user protects its investment, while remaining free to access the reserved performance at any time.

The resulting new generation of PROFINET modules will implement all these new functions in hardware. Accordingly, various technology suppliers will offer easy-to-integrate solutions in the form of ASICs, network controllers, or FPGAs and thus provide device manufacturers with the basis for producing high-performance solutions that meet customer requirements. As a result, users can rely on a coherent approach that uses both a fast, high-performance network as well as fast devices. A system designed with both in mind is essential for realizing the benefits of increased performance in practice – today and in future applications.

Energy savings potential for production plants


Prof. Dr. Frithjof Klasen presents the results of a PROFIenergy study

Energy-efficient production means more than just the use of variable-speed drives and efficient motors with low energy consumption. The question going forward is how to selectively place complete production lines or portions thereof into an energy saving mode during unproductive times.

The high cost of energy and compliance with legal obligations are compelling industry to engage in energy conservation. Recent trends toward the use of efficient drives and optimized production processes have been accompanied by significant energy savings. One area that has received too little attention in this regard is the handling of production idle times. During idle times in plants and production units today, it is common for numerous energy consuming loads to continue running. It was exactly this problem that a group of automobile manufacturers asked PI to address by defining an energy savings profile using PROFINET infrastructure and communication. The result was the specification of the vendor-neutral PROFIenergy energy savings profile.
PROFIenergy enables active and effective energy management. By purposefully switching off unneeded consumers and/or adapting parameters such as clock rates to the production rate, energy demand and, thus, energy costs can be drastically reduced. In doing so, the power consumption of automation components such as robots and laser cutting machines or other subsystems used in production industries is controlled using PROFIenergy commands. PROFINET nodes in which PROFIenergy functionality is implemented can use the commands to react flexibly to idle times. In this way, individual devices or unneeded portions of a machine can be shut down during short pauses, while a whole plant can be shut down in an orderly manner during long pauses. In addition, PROFIenergy can help optimize a plant’s production on the basis of its energy consumption.

It has long been a matter of course in every notebook computer that the hard drive, screen, or notebook as a whole will be placed in standby mode, depending on the operating situation. This function is a device feature and only requires parameter assignment. This is exactly the approach taken in the PROFIenergy concept, in which standardized control commands are used to place devices and machines into energy saving mode via PROFINET.

The initial situation

In 2009, PI (PROFIBUS & PROFINET International) began work on developing the basic technology of PROFIenergy – the communication profile for operating energy-efficient production plants.

The specification was finished in record time, and the first PROFIenergy devices reached the market in 2010. Since then companies have indicated a strong demand for PROFIenergy products.

PROFIenergy enables use of smart energy management over existing network infrastructures in production. However, the actual energy savings that can be achieved depends primarily on how equipment manufacturers and operators implement the opportunities provided by the technology into their equipment and operating concepts. This requires knowledge of the technical and economical tradeoffs between energy consumption and equipment operating modes.

Since up to now only limited empirical data and hardly any actual data have been available on the relationship between energy consumption and equipment operating modes, a detailed measurement study was needed to provide actual quantitative data and analyses that would support the now-familiar qualitative assertions. The Institute for Automation & Industrial IT, Cologne University of Applied Sciences, was commissioned to perform this study. The institute is a member of the PI Working Group that developed the PROFIenergy specification and also serves as a PROFINET Competence Center, among other things. It specializes in PROFINET diagnostics and in performing energy consumption measurements and analyses for production plants.

The Study

The goal of the PROFIenergy study is to show the user benefits that will result from using PROFIenergy. These include both the direct benefits associated with improved energy efficiency (electric, pneumatic, thermal energy) as well as the indirect benefits, e.g., resulting from extended service life of operating equipment.

The main tasks of the study include:

  • Performing measurements for recording typical load curves
  • Analyzing load curves
  • Determining the relevance of idle times for energy savings
  • Identifying the potential savings from use of PROFIenergy

To achieve representative results, the study included applications and industry sectors in which PROFINET is used and benefits from PROFIenergy are particularly relevant.

Typical measuring setup of PROFIenergy study in a production plant

The task

Initial analyses and measurements for the PROFIenergy study have been completed on production lines in Germany at Daimler’s Sindelfingen plant and at Volkswagen Commercial Vehicles in Hanover (Panamera production). The behavior of the overall plants and their components were analyzed with respect to load curve, load distribution, and pauses. In addition, the influence of operating modes on energy consumption was analyzed, and pauses were analyzed with respect to frequency and duration.

The measurement concept

Typical arrangement of current transformers: flexible current transducers for high power ratings (background); split-core current transformers for lower power ratings (foreground)

The measurements conducted in October 2010 involved long-term recordings on production equipment in order to capture both planned pauses and idle times as well as unplanned pauses and to determine their relevance. The power measurements were taken at up to 15 different measuring points within a plant. As a result, it was possible to record typical load curves and determine characteristic values at different levels, ranging from the main incoming supply down to individual consumers.

Line-side analyzers capable of simultaneous measurement and recording of values were used to measure the power and all characteristic values of the supply system, including voltage, harmonics, and phase offsets. Up to 15 measuring devices were used in parallel for the long-term recordings. Continuous recordings of voltage, current, and power parameters were made over a 7-day period at 1 second measurement intervals. At the same time, synchronous data on equipment status and operating mode were acquired from PLC log data. The synchronization of the measuring devices and the PLC ensured that the measured values at the individual measuring points could be attributed explicitly for subsequent analysis.

Example of the recording of operating mode (PLC signal, top) and load curve (bottom) for a robot system in a production plant

Based on these measurements it was possible to perform a detailed analysis of operating modes and the related energy consumption of plant units. This analysis covered the following points:

  • Typical energy consumption of individual plant units
  • Typical reduction of energy consumption during idle times
  • Characteristic duration of idle times
  • Relevance of pauses (planned, unplanned, operational, model-related)
  • Relevance of plant concept (effect on energy savings potential)

Typical arrangement of measuring points in a production plant


The load curves in the analyzed production plants typically exhibit regularly recurring load profiles that are the direct result of the discrete production steps occurring in production plants. Yet, not all production equipment is active at every point in time. The load curves therefore have typical profiles that are the result of chronological overlapping of individual devices and plant components. However, due to material stores in the infeed or between plant units, there are often no rigid process sequences. The load profiles can thus vary – particularly during the transition to a temporary equipment standstill, in which not all plant components are necessarily affected at the same time (due to run-on, idling of certain stations, additional filling of intermediate stores, etc.).

A noticeable feature of the load curves in the analyzed production plants is the high load peaks, which can be seen in the example measurement results below, which were obtained over 24 hours in a typical plant segment. While the load level during operation is around 80 kW, the base load is only around 17 kW. At first glance, this does not seem particularly relevant to the search for potential savings by reducing energy consumption during idle times. After all, the base load appears to be less than 20% of the upper load level – a misinterpretation that is easy to make. Here, however, one must not allow the high peak load to conceal the fact that the actual consumption value (that is, what is actually paid for) is the mean value of the load profile, which in this example is around 32 kW. The base load during a standstill is thus more than 50% of the energy consumption during productive operation and provides significant opportunity for savings if handled appropriately.

In addition to this relative evaluation, attention must also be paid to the order of magnitude of the energy consumption range.

If one compares the energy consumption of the plant segment chosen in this example to the typical energy consumption figures of a private household, the order of magnitude is quickly apparent: the base load measured during a standstill is equivalent to the average energy consumption of approximately 50 households (based on 350 watts/household).

Load distribution and energy flow within the plants

An important aspect of the study was the analysis of the load distribution within the different plants. Due to the structured distribution of the measuring points – extending from the incoming supply to the terminal level – it was possible to analyze the energy consumers separately and to identify their typical characteristics during production and idle times.

Power distribution and energy flow using a Sankey diagram

Robot systems are a prominent feature in automotive production. A large proportion of the energy consumed, i.e., on the order of 30 to 60 percent, is typically used for operating the robots (Figure xx). Robot systems are also predominant energy consumers during idle times. A robot typically consumes up to 300 watts during idle times.

On the other hand, controllers typically account for 2-3% of the overall energy demand.

Analysis of idle times

Idle times occur for different reasons (planned, unplanned, operational, model-related) and provide important clues to the operating behavior of a plant. Brief standstills are often an indicator of opportunities for optimization with respect to equipment synchronization and/or the material store; longer standstills occur during planned pauses and planned shutdowns and when problems occur.

Based on the results of the study, not only planned but also unplanned idle times are relevant for the use of PROFIenergy. Special attention was therefore given to analyzing the duration of the idle period. The idle times were classified according to their duration, and the cumulative duration of all the individual events was calculated (total time of all standstills occurring in one class) to produce the analysis of idle times shown in Figure xx.

Idle times of short duration occur relatively frequently, but are typically not candidates for switchover to energy saving mode because of the time required to restart the equipment from standby mode.

Based on previous estimations, it can be assumed that for many plant components, a transition to energy saving modes is appropriate for idle times lasting 5 minutes or more. If this approach is taken, one can conclude for the plant example in Figure 7 that 64% of the cumulative idle times last more than 5 minutes and thus offer significant potential for the use of PROFIenergy.

An even more pronounced result can be seen in the curve for another plant example in Figure 8 in which the relevant portion of the exploitable idle times accounts for 90% of the cumulative idle times.

Figure 7

Figure 8

The potential for energy and cost savings

Most of today’s production plants have only a ‘hard switch’ on/off option.

Experience dictates that problems will occur when restarting switched-off equipment. Out of fear of startup problems, operators often do not switch off production equipment even during extended standstills, e.g., overnight and on weekends. These planned idle times account for a significant portion of the operating hours, depending on the shift model. Unplanned idle times contribute even further to this. Based on the results of the study, it can be assumed for typical automotive production plants engaged in body construction and assembly that a production plant with 2-shift operation will consume about half (47%) of its total energy consumption during idle times. Only 53% of the energy consumption is used for productive operation.

As a result, the use of PROFIenergy offers significant potential for savings. It must be noted, however, that not all of the energy consumed during idle times can be saved. For one thing, the PROFIenergy concept does not switch off equipment completely but rather places it in an energy-saving mode; this mode can differ depending on the equipment component. In addition, it only makes use of idle times of sufficient duration.

PROFIenergy applications
PROFIenergy differentiates the following four main applications:
Application 1: Energy savings during brief standstills
Examples of brief standstills are breakfast and lunch breaks. The standstills range from a few minutes to an hour. For these brief standstills, energy can be saved by placing unneeded consumers in energy saving modes. The energy savings are not as high in this application as in application 2, in order to allow a fast restart.
Application 2: Energy savings during extended standstills
Nights and weekends are typical examples of these idle times. The duration of the standstill is significantly longer so that more consumers can typically be switched to more stringent energy saving modes, thus maximizing the possible energy savings.
Application 3: Energy savings during unplanned standstills
Because in this case the duration of the standstill cannot be predicted, it is first classified as application 1, i.e., a limited number of consumers are placed in energy-saving modes, to avoid interfering with a fast switchover to production. If the standstill turns out to last longer, a switch can be made to application 2 in order to achieve greater energy savings.
Application 4: Measurement and representation of power consumption
PROFIenergy allows acquisition and representation of consumption data of devices during operation. These consumption values can be visualized on an HMI device, for example.

Based on the previous results, it can be assumed that the use of PROFIenergy can save approximately 70% of the energy during exploitable idle times. The result is a savings of 33% of the total energy consumption of a plant.

In summary:

• Half of the total energy consumption occurs during idle times

• One-third of the total energy consumption can be saved by using PROFIenergy

Based on the energy consumption of a typical production line of 210,000 kWh per year, this yields a potential savings on the order of 7,000 € per year (based on 0.10 € per kWh).

The new opportunities made possible by PROFIenergy will change how plants are operated, assuming that these opportunities are considered during plant engineering, i.e., during development of plants and plant concepts.

PROFIenergy is both the basis for and the driver behind this development work.

The prerequisites

To fully exploit the savings potential, the use of PROFIenergy-capable control components alone is not enough. In addition, changes to plant concepts are needed to enable devices or plant units to be placed selectively in energy-saving modes. In so doing, there must not be any impairment of safety-related functions in standby mode for safety-related applications.

For machine and plant manufacturers, this opens up new opportunities for gaining a competitive advantage. But this will only be the case if purchase decisions for new equipment take into account energy consumption costs in addition to investment costs. Plant owners must clearly define their requirements to plant manufacturers so that PROFIenergy can be included in the design plans for equipment from the outset.


The current results of the PROFIenergy study confirm significant potential energy savings during pauses and idle periods of up to 50% or more and a savings potential on the order of 33% of the total energy demand. In addition to planned pauses, e.g., on the weekend, unplanned idle periods of a plant represent another significant potential candidate for use of PROFIenergy.

To optimize these potential savings, however, corresponding plant concepts are required, for example, to allow plant units to be selectively placed in energy-saving mode and, if necessary, to be switched off selectively.

Musings on safety and security!


Safety has been a more and more important facet of industrial life since the middle of the last century. Before that, the conditions in which workers, and before that slaves, worked were, except in the rarest cases, appalling, with scant regard to principles of safety.

ISA Symposium April 2011

More recently safety has become an important part of modern life. Health and safety are watchwords used more and more frequently and many practices of the past have been outlawed. Indeed, sometimes one wonders how anybody survived the past, it was so dangerous. Last night I saw a Victorian rocking horse which had been in a local school for over a hundred years, which gave immeasurable joy to children through the generations but which may not now be played with by the children because of “health and safety implications!”

As technology developed, and processes became more and more sophisticated, so too did safety systems. In the early and mid parts of the twentieth century safety in process control was one of two things. Pneumatic instrumentation (remember 3-15psi/0.2-1bar?) and the big heavy cast metal explosion-proof box. Pneumatics as a safety method has now largely been replaced by the more sophisticated and less unwieldy electronic safety systems, though one may still find the odd explosion-proof contained instrument around!

Since July, when we first learned of Stuxnet in an email in mid-July 2009 from Eric Byres of Byres Security (our blog Security threat to the control system world!), we have been following developments. Indeed we have listed links to developments as we learned of them on Nick Denbow’s article, “Stuxnet – not from a bored schoolboy prankster!” the following September. We gradually learned of the seriousness of this malware incident (though Byres had realised this almost from the start), and indeed its implication, as we started to understand that this was a direct attack on automation systems, designed for that purpose.

Virus infection and malware have been around, I suppose, since the invention of software. I first realised that it could present a problem at the Read-out Forum in 2003 where, in the inimitable words of Andrew Bond, “..Brian Ahern of Verano (now Industrial Defender)… sent a shiver up everyone’s spine by pointing out just how vulnerable Internet enabled, Windows based automation systems are to ‘cyber terrorism’. (There were) few dissenters when he told this largely pharmaceutical industry oriented audience that the security issue is “the next 21CFR11.” Nevertheless..“given the degree of concern shown by the audience it was perhaps surprising to hear the vendors respond pretty much with one voice that they have as yet to see the issue addressed in RFQs but would of course respond once they did, not a view which particularly impressed some members of the audience who took the view that vendors were under an obligation to ensure that their systems were secure.”

Several events in the mid-past and more recently have tended to amalgamate these two important considerations and in some cases have blurred the lines of demarcation between them. Events like Bhopal in 1987, the blackout of the eastern states of the US in 2003 (or Brazil more recently), the explosion in Buncefield in 2005, Deepwater Horizon in the Gulf of Mexico, the terrible tragedy still unfolding in Japan (see our blog Assessing nuclear threat in Japan), and unfortunately many more take the headlines and show that we still have a lot to learn.

While preparing this blog our attention was drawn to a useful volume from the ISA stable. Starting with a description of the safety life cycle, “Safety Instrumented Systems Verification – Practical Probabilistic Calculations” shows where and how SIL verification fits into the key activities from conceptual design through commissioning. The book not only explains the theory and methods for doing the calculations; the authors also provide many examples from the chemical, petrochemical, power and oil & gas industries.

Training has assumed an important role here and this blog has been inspired by a number of notifications received in a few short days of events and publications which confront these issues.

First, in a few days’ time, Industrial Defender have a webcast scheduled for the 24th March 2011 addressing “Security AMI Solutions for the Smart Grid: Creating enhanced capabilities in secure cyber-infrastructure”, featuring the aforementioned Brian Ahern and Jeff McCullough, Director of IP Communications, Elster Solutions, LLC. They will discuss the newly announced partnership between the two companies, and the benefits of their integrated security solution.

The 2011 ISA Safety & Security Symposium, scheduled for Texas, will focus on training, including the courses An Introduction to Safety Instrumented Systems (EC50C) and Introduction to Industrial Automation Security and the ANSI/ISA99 Standards (IC32C). This two-day event (13-14 May 2011) will provide an in-depth look at today’s safety technologies and procedures associated with identifying and mitigating safety hazards in industrial environments. This symposium will focus not only on Safety Instrumented Systems (SIS) topics, but also include material on cyber security and associated challenges in designing and implementing SIS and process automation solutions. It will include a small exhibit and promises to be well worth attending.

We travel back across the Atlantic now to Manchester (GB), where the ProfiBus organisation and the University of Manchester will hold a one-day event on 12th May 2011, Functional Safety and IT Security. This new, one-day seminar addresses the key safety and security issues arising from the use of digital communications technologies in automated manufacturing and advanced engineering applications.

Staying in Manchester, IDC Technology are hosting the Safety Control Systems Conference, a three-day event focusing on the technology and application of safety-related control and instrumentation systems in the chemicals, energy, mining and manufacturing industries. In particular it will discuss the changes to the IEC61508 standard and the implications this will have on your industry. The dates are 24-26th May 2011. Speakers include Paul Gruhn (co-author of Safety Instrumented Systems: Design, Analysis, and Justification) and Clive Timms, a globally recognised expert in functional safety.

Safety and security will continue to exercise our minds. Perhaps the problems in the final analysis are not so much technical problems as procedural ones. In any case where procedures are not followed there must be a way of dealing with the aftermath.

#SPS Largest automation event in 2010


We missed (again) the biggest automation event of the year in Nuremberg (D) this year. There are only so many things one can do and with the proliferation of user group or company sponsored events in the final four months of the year it is difficult to spread the limited resources – both fiscal and physical – to cover everything. That is why we try to use the social media resources to cover so many of these events.

An unbroken rush of visitors!

Product Releases:

  • Operator panels for demanding visualization tasks in harsh industrial environments (Siemens)
  • Key panels for use in tough and safety-related industrial applications (Siemens)
  • Customized HMI unit fronts in industrial quality (Siemens)
  • Fail-safe distributed I/O modules for use up to Ex Zone 1/21 (Siemens)
  • Efficient and uniform handling of operator control and monitoring tasks (Siemens)
  • Efficient engineering system for all Simatic controllers (Siemens)
  • A new age in modern engineering with the TIA Portal (Siemens)
  • Measuring technology and communication come together (Krohne)
  • 1st Industrial PC with MS Windows XP Pro operating system (Schneider)
  • Cables for automation applications (Nexans)
  • IO-Link starter kit simplifies the development of automation solutions (Fujitsu)
  • Connecting networks (HMS Industrial Networks)
  • Programmable automation controller (Aerotech)
  • Complete servo drive in a compact EtherCAT Terminal (Beckhoff)
  • Beckhoff elevates Motion division
  • Cost-effective EtherNet/IP Bus Coupler in a compact design (Beckhoff)
  • Machine safety in harsh conditions (Beckhoff)
  • Bus Terminals for extreme climates (Beckhoff)
  • Slide-in Industrial PC features extremely flat design (Beckhoff)
  • Quick evaluation with extremely flexible I/O (Kontron)
  • Unified middleware for simplified access and control of hardware resources (Kontron)
  • Extremely high I/O flexibility off the shelf (Kontron)
  • Successful show (Contemporary Controls)

    The SPS/IPC/Drives has been consistent in delivering a very useful and practical showcase for the European and Global automation market for many years. This year was no exception.

    52,028 trade visitors poured into Nuremberg and chose this exhibition as their highlight of the year for the electric automation industry. During the three days of the show the industry showed its condensed ability and its optimism which it will use to profit from the positive economic situation. Indeed the buoyancy of the show belied the gloom and doom of the mass media predictions of the economic state of Europe. The increase in visitors from abroad was especially significant: 10,147 (+34%) came to inform themselves about the offers of 1,323 exhibitors.

    The concurrent conference showed growth as well. 302 (previous year: 281) participants took part in the event to discuss new trends, exchange knowledge and network intensively.

    Last year we reported on this show too – Major show in the heart of Europe – and this year topped it in size with nine halls full of automation and having to fight your way through the crowds to see what you wanted to see.

    One of the most complete reports is from Leo Poner’s Industrial Ethernet Book in their SPS/IPC/DRIVES 2010 Show Report published on 7th December 2010. They report that the show emphasised green issues and security.

    Microsoft listed Windows Embedded Partner Innovations Showcased at the show.

    Carl Henning, the ever-active ProfiBus US guy, put two contemporaneous reports on their stand on his ProfiBlog. Both offer a pictorial guide to the stand: one entitled “Technologies in the PI Booth” and the next “Welcome to the PI booth”. They are good pen pictures, supported with generous pictures and videos, of what one stand’s experience was. He also alludes to the US automation journals who sacrificed time so close to their beloved Thanksgiving festival to report on this event.

    He may have another report. This and some of their reports will appear below, newest at the top.

    Other reports

    Innovation abounds at a record-breaking SPS event (Control Engineering EME 13/12/2010)

    ProfiBlog SPS/IPC/Drives ReCap (10/12/2010)

    Walt Boyes tells How I Spent My Thanksgiving Vacation! (9/12/2010)

    HBI Table talk says SPS / IPC / Drives – really all pure automation? (Google translation – 8/12/2010)

    On Windows wrote Microsoft partners at SPS/IPC/Drives (8/12/2010)

    Around the show (Carl Henning 7/12/2010)

    In his Mintchell Report, Automation World’s Gary Mintchell comments in living colour, on his way home from the show, on key trends; new products from Siemens and Beckhoff are highlighted. He also has a few pictures on his Flickr page: SPS-Drives Trade Fair Nuremberg.

    ProfiBlog ProfiBus & ProfiNet News (ProfiBlog 1/12/2010)

    Highest hopes exceeded – more than 52,000 came (Organiser’s release 25/11/2010)

    EPN Industrial Automation Blog reports on Box IPC with Core-Processor (23/11/2010)

    The next SPS/IPC/Drives 2011 show is scheduled for 22 – 24 November 2011, so mark your diary.

    Stumble into standardisation leads to top award


    Bernard Dumortier on the left receives the Lord Kelvin Award from Jacques Régis, IEC chairman.

    Bernard Dumortier has been awarded the IEC’s Lord Kelvin award, the highest distinction granted by IEC, by Jacques Régis, President of the IEC. The presentation was made at the gala dinner of the annual meeting of IEC at Seattle (WA US). Lord Kelvin was the first President of the IEC.

    Bernard Dumortier has been active in IEC work for over 25 years, starting as a member of the French shadow committee and working as an expert in the Fieldbus projects developed within SC65C. He is currently ISA-France Vice-president and secretary, an influential member of the ISA standardisation Board and a member of several committees.

    In 1993, Bernard became the Secretary of the SC65C and took on the challenge of finalizing the standardization of Fieldbus. Under his management SC65C successfully standardized the Fieldbus and is now taking a leadership role in Industrial Wireless.

    Since 2001 Bernard has served as TC65 Secretary. He has been instrumental in facilitating the new organization of TC65 with, among other things, the creation of SC65E dedicated to device integration in enterprise systems.
    The nomination says “in recognition of his substantial contributions to the IEC in the field of Industrial Automation. Bernard has displayed skills in managing difficult and controversial negotiations without confrontation, reaching instead agreement with logic, persuasion and inclusion. Bernard has been a key contributor to the re-organization of the TC65 which now gathers all the worldwide players in the automation fields.”

    He stumbled into standardisation a bit by chance, he told e-tech’s Philippa Martin King. “Standardization wasn’t a career decision,” he says. “It was my boss’s idea. I’d been working for around 15 years in the company as an engineer and head of the electronics laboratory when one day my boss called me into his office and told me he was sending me out the next day to take part in a special fieldbus project. I wasn’t a fieldbus specialist but he obviously had ulterior motives. They needed someone who spoke English, he told me.”

    Standardization role wasn’t a career decision
    Dumortier, as his boss had obviously intended, ended up doing quite a bit more than simply attending a meeting about fieldbuses. Almost immediately, he found himself leading a group drafting the FIP (Factory Interface Protocol) specifications for the Eureka Field Bus project, a European umbrella project for technology collaboration, which was itself destined to be included in a standardization process.

    Dumortier says the standardization situation for fieldbuses was hazy: “There were two similar regional teams both working on more or less the same projects, and they seemed to have somewhat similar aims. It’s not really surprising perhaps since the Project Leader for both groups, the ISA-S50.02 group and IEC WG (Working Group) 6 of IEC SC (Subcommittee) 65C: Industrial networks, was the same person. ISA (International Society of Automation) used to meet every month and IEC met every three months with the result that each time, the week-long meeting started under one banner and then we switched hats to cover the other project.”

    Franco-German confrontation on American soil
    Dumortier describes his first international standardization experience: “Progress was hard going because we French with our FIP project were up against the Germans who were defending their own PROFIBUS project. Fortunately, the Americans were there to channel our animosity. It was in that context that I met Tom Phinney, who later became the editor of the mammoth 10 000-page standard we finally produced [with IEC SC 65C]. Today, we can laugh about the first ‘Franco-German war’ to take place on American soil. It was Phinney who coined that phrase. I was able to appreciate not only his qualities as a technician, but also his ability as an excellent strategist. He was just so clairvoyant in his whole approach during that Franco-Germanic standardisation confrontation.”

    Paving the way for taking a systems approach
    The American intervention finally led to consensus between the two groups with their different allegiances and an agreement to draw up IEC International Standards that took very much a systems approach. The result was a series of (TYPE) protocols and (CPF – Communication Profile Family) profiles in IEC 61158 Industrial communication networks – Fieldbus specifications, and IEC 61784, Industrial communication networks – Profiles, with new editions released in June 2010. They define a set of protocol-specific communication profiles that can be used in the design of devices involved in communications in factory manufacturing and process control, as opposed to being based on a single protocol.

    The importance of industry in achieving consensus for standardization
    Before that state of consensus could be achieved however, it took a summit meeting with representatives of all the stakeholders gathered together in the office of Anthony Raeburn, IEC General Secretary 1988-1998. The IEC TC 65 officers were present, as was the IEC President of the time, Mathias Fünfschilling (1999-2001), together with representatives of each IEC NC (National Committee) and top management of all the industries concerned. “He told us we needed to come to a mutual agreement”, says Dumortier.

    “That’s when you see the importance of industry in these matters,” he says. “It needed technical representation from the companies concerned – and in this particular case we’re talking CEOs, who came accompanied by technical advisors – not political representatives – to come to a mutual agreement on a matter that was entirely technical. We couldn’t have solved the problem satisfactorily between NC representatives. We needed that technical expertise and the involvement of the industry specialists themselves to be able to take a really qualified decision.”

    Participation in TC work means working actively
    Another important change had also come about when the WG (Working Group) had previously met in Ottawa, Canada. “We needed to redefine various things because we weren’t quite ready to vote on our standardization work,” says Dumortier. “But there was no point in someone giving a negative vote if they didn’t submit any corresponding technical comments. That’s not a valid way of proceeding.”

    Dumortier produced some efficient people management skills. He simply told the former Chairman of the SC (Subcommittee) that he wasn’t going to sign the CDV (Committee Draft for Voting) until he had received the relevant comments. “I’m not dogmatic”, he says, “and, even if my own personal choice isn’t what we finally choose, I believe in consensus.” Instead of continuing with the raised-hand voting, he proceeded to summon each member by alphabetical order to obtain their individual vote. “Of course some people weren’t too happy,” he underlines, “but it gave everyone the opportunity to say what they really felt and gradually the situation broadened out to become what it is today: smooth and consensual. Today, we have all these publications to show for it.

    “But we’d still never be where we are today if we hadn’t had an editor like Tom Phinney. He’s a major element in the team.”

    Today, Phinney is Convenor of TC 65/WG 10: Security for industrial process measurement and control – Network and system security, and TC 65/SC 65C/WG 13: Cyber Security, in addition to eight other member roles in various TC 65 groups and liaison roles with ITU-T /SG 17 and ISO/IEC JTC (Joint Technical Committee) 1/SC 27 for IEC TC 65: Industrial-process measurement, control and automation, and with ISA/SP 99 for IEC SC 65C. [ITU-T stands for the International Telecommunication Union Telecommunication Standardization Sector. ISO stands for the International Organization for Standardization.]

    Another person Dumortier cites as being instrumental in helping the group get the results it did is Graeme G. Wood. He’s on the 2010 list of honours as a recipient of the IEC 1906 award. “Graeme is someone I’d call a true expert”, says Dumortier. “He’s in all the fieldbus committees and is liaison officer with the Joint Working Groups [ISO/IEC JTC 1/SC 25] and incredibly willing. He has a truly remarkable capacity in a Working Group to take minutes that reflect exactly what happened. If the SC 65C works so well, it’s also thanks to people like Graeme.”

    But their first encounters were not so unequivocal. “‘I’ve never met such a silly engineer in all my life.’ That’s what I know Graeme was muttering in his beard – I understood him perfectly,” smiles Dumortier. “I know my English wasn’t precise. But it’s not so easy when you’re not speaking your mother tongue. You don’t weigh the effect of your words in the same way.”

    Working in standardization helps understand the competition
    However, he soon learnt to appreciate Wood’s expertise. “In our Working Group discussions we were talking about various technologies produced by our various companies. Wood was obviously backing his own. The technology we [the French] were pursuing wasn’t yet finalized but we were quite confident about the developments we’d made until he criticized our messaging system, telling us it was totally inefficient. He’s such an excellent technician and so implicated in technology that he couldn’t help but propose us a new solution. The changes we eventually made didn’t exactly follow what he suggested. They didn’t make good enough use of the protocol. But thanks to his intervention, it opened our eyes to the fact that our company’s messaging system was inefficient and we revised the entire programme. Essentially, he was instrumental in our system changes. That helped the world advance. It also made for a friendship that has never diminished.”

    Consensus is what counts
    “In standardization you can have some quite heated discussions, but once out of that formal meeting context, you find you have real friends with whom you have a lot in common. That’s when you create the consensus.”

    Dumortier cites a third person whom he claims is part of the success of SC 65C. He names Ludwig Winkel, “the person who set off the Ottawa discussions where there was so much hostility”, he adds. “I persuaded Winkel to take on the task of Convenor of SC 65C MT (Maintenance Team) for IEC 61158 and IEC 61784-1 and 2 (Fieldbus). [Winkel is also Convenor of SC 65C/WG 17: Wireless Coexistence]. Winkel is at ease in international meetings and is most competent when it comes to fieldbuses. So he was the perfect choice for the task in managing a multi-protocol standard. In a committee, you can defend your own ideas and interests. Just because a person doesn’t have the same vision as you do doesn’t stop them having clairvoyance and using it for the good of the group. That’s what consensus in international standardization is about.”

    Consortia need international recognition
    “Why is TC 65 so successful?” says Dumortier. “It’s because all the main actors are present. Industry really has something to gain here. They all sit around the same table. Consortia can’t work on their own. Once they have developed their solutions, they need the seal of approval of an international organization in order to gain international recognition for their standardization work.”

    The importance of a non-hierarchical officer status
    Returning to the subject of committees and the officers, Dumortier says: “It’s important to underline the importance of the complicity between the roles of Chairman and the Secretary of a TC. As you know, in an IEC TC the two officers are always elected from different countries. That makes for a particular quality in the IEC. If, within a TC there weren’t that relationship with a mixture of cultures and instead, you had officers from the same country, you would likely find a hierarchical relationship. In IEC TCs, that simply doesn’t exist. The Chairman and Secretary have mutual respect for each other. It’s the mixture of cultures that makes the difference.

    “There are three such Chairmen I want to mention,” says Dumortier. “First, there’s Otto Ulrichs”, says Dumortier. “That makes two Lord Kelvin Awards for TC 65!” [NB Otto Eberhard Ulrichs, Germany – received the Lord Kelvin Award in 2003]. “It’s thanks to Otto Ulrichs”, says Dumortier, “that we were able to set down the basis for the TC 65 strategy. My relationship with Otto had started off on bad terms. There was such mutual hostility between us. It was only once I’d pleaded for help that the original friction turned into a relationship of trustful collaboration which, from that day on, never wavered.

    “Later on, I completed that original plan for TC 65 with the present Chairman of TC 65, Roland Heidel. With Roland, we’re very complementary. Our relationship is one of incredible complicity. It has been largely instrumental in giving TC 65 the world leading position it has in industrial automation today.

    “Finally,” continues Dumortier, “there’s Tony Capel [Chairman of SC 65C], the person who introduced me to the world of Anglo-Saxon culture, something that can’t be underestimated in standardization. It is he too that backed me in helping us reach consensus. I use him as my sounding board to test out my ideas.

    “Over the years, these three people have become real friends. Without them I would never have received the Lord Kelvin Award. I owe them such a lot.”