1 May 2007

Multiple regional vs. one global standard

By Ellen Fussell Policastro

While safety and security are becoming more prevalent topics of concern in the automation industry standards sector, standards leaders are talking more about the need for one global standard in their respective specialties.

"Most companies are global and would rather have one standard on a particular topic, rather than one for North America, one for Europe, and one for Asia," said Paul Gruhn, safety product specialist at ICS Triplex in Houston, and a member of the ISA-SP84 committee on programmable electronic systems.

"Manufacturing and engineering work forces are now global, so the practices employed in design and implementation must also translate to a broad and diverse audience. One standard provides a common language and rule book for everyone," said Angela Summers, president of SIS-TECH Solutions in Houston and a member of ISA-SP84.

One global standard in control system security would benefit the industry through a number of potential mechanisms. Asset owners and vendors across verticals "are quickly becoming confused between the NERC CIP guidelines, products such as AGA 12, ISA-99, NIST 800-53, and the overwhelming variety of things coming out of DHS/INL," said Bryan Singer, senior business consultant at FluidIQs in Birmingham, Ala., and chair of the ISA-SP99 standard on manufacturing and control system security. "The frustration is already starting to mount as people really don't know what to pick and work with in many cases, and vendors face the challenge of potentially having to be multi-standard compliant," he said. ISA-99 is a vendor- and industry-neutral standard that focuses on solutions crossing verticals and vendor boundaries. Therefore, "taking advantage of industry practices and common successful techniques, we can leverage this into a unified standard that can be an industry benchmark, helping to drive away the need for industry specific solutions," Singer said.

Helping manufacturers

Understanding and meeting the needs of a diverse set of users is a major hurdle for manufacturers, Summers said. "Standards often bring focus to important issues in a particular industrial sector and provide a benchmark for the development of better solutions."

"Similarly, it's cheaper for manufacturers to make one product and sell it around the world, rather than tool up and follow different requirements for different countries," Gruhn said. "Turn the question around; how could multiple standards help a manufacturer?"

"Vendors don't have to be multi-compliant with varying features built into single products that meet each standard," Singer said. "This helps lower potential costs to the end users, shortens product development lifetimes, and makes them easier to support longer term with less potential application or system errors (the more code in a system, the more potential bugs and issues to be worked out)."

Challenges ahead

"A consensus standard is by its nature one-size-fits-all," Summers said. Yet, we all know a one-size-fits-all shirt doesn't fit everyone the same way. "It's important the user of a standard recognize at the end of the day, these practices often represent the minimum that should be done. The risk inherent to the specific process design determines what additional measures should be taken."

Some obstacles to accepting a global standard could be "pride, tradition, and opening up of markets that some would prefer to keep closed," Gruhn said. "Car manufacturers would rather make all vehicles with left-side steering, but England and other countries around the world won't be too keen on changing their tradition of driving on the left side of the road."

Some may spend a lot of time arguing about their unique needs, Singer said. "Having worked across many vertical industries, I typically find there really is much more commonality than most care to admit, but it's easy to consider needs as unique. Most of the time, they are really just variations on simple requirements themes. The most complicated part is terminology is often not globally applicable, causing some to want to write their own guidelines that seem to more uniquely fit their needs."

Some people oppose standards because standards establish minimum practices, introducing potential legal liability if the standard is inadequately addressed or improperly applied," Summers said. People with a vested interest in the status quo might not be so eager to accept a global standard either, Gruhn said, "It's human nature not to like change." Those that have industry niches who would want to be able to specify products and services for very specific purposes to create their own product markets might object as well, Singer said.

About the author

Ellen Fussell Policastro is the associate editor of InTech.  Her e-mail is efussellpolicastro@isa.org.

Leaders fostering change

ISA 84-2004 is actually IEC 61511 with one additional clause, said Angela Summers, president of SIS-TECH Solutions in Houston and a member of ISA-SP84. "The U.S. is one of over 20 countries that were involved in developing the standard. International standards require international input if they are to be accepted. ISA accepted the 2003 international standard IEC 61511 as the update to ANSI/ISA 84.01-1996 and released the standard as ANSI/ISA 84.00.01-2004.  With ANSI and CENELEC acceptance of IEC 61511, there is now one global standard covering safety instrumented system applications, she said.

ISA members also participated in the development of a new guidelines book from Center for Chemical Process Safety, Guidelines for Safe and Reliable Instrumented Protective Systems. This engineering practice expands on ANSI/ISA 84.00.01-2004, explaining the roles and responsibilities of process, operations, maintenance, and management personnel, as well as automation professionals.

Andre Ristaino, managing director of ISA's Automation Standards Compliance Institute, has an immediate project to establish a compliance program for control systems security. Ristaino said users of control systems products are "highly motivated to move this initiative forward. They have unilaterally created an informal group called the Control Systems Security Compliance Organization. This group will soon become the founding members of the security compliance consortium.

"We'll start out with a mosaic of standards comprised of ISA-99, Department of Homeland Security (DHS) requirements, IEC, OMAC, WBF, AGA, NERC, and vendor-written standards," he said. "Vendors and users are confused by the multitude of different standards and organizations," he said. "What then becomes the criteria for selecting a standard for conformance; cost, best fit with the vendor's proprietary approach, affinity with a particular standards group?  This leaves too much room for suboptimal conformance activity. A single global standard will mitigate if not eliminate standards overload for both vendors and users."

The major disadvantage of a single standard is it will not be universally accepted if leaders do not address industry-specific nuances as part of the standard. Yet specific nuances are not enough to warrant different sets of standards, Ristaino said. "They can be addressed through properly defined variations within a single standard. The old 80/20 rule holds true for this dilemma; if you overlaid the different standards for security, most likely 60%-80% of the requirements would be redundant."

"ISA-99 continues to drive at having vendors and asset owners from as horizontal of an industry base as possible, and we continue to leverage relationships with other standards bodies and groups to try and maintain our independent position while still capturing the latest in industry techniques and useful practices," said Bryan Singer, senior business consultant at FluidIQs in Birmingham, Ala., and chair of ISA-SP99 standard on manufacturing and control system security. "Dealing with the unique-needs scenarios, we maintain liaisons with these special interest groups to try and extract if the needs truly are unique or not. If not, we seek to make the topic easier to understand in a non-specific way. If so, we work with those groups to encourage them to create documents to support those unique needs."