3 COMMON FUNCTIONS
3.1 Security Overview
3.1.1 DCS Risk Profile
3.1.2 Overview of Security Implementation
3.1.3 Recommended Security Procedures:
3.2 CS3000 Security Function
3.2.1 Overview of the Security Function
3.2.2 HIS Security
3.2.3 User Security
3.2.4 User Group
3.2.5 Privilege level
3.2.6 Priority Levels of the Tag
3.2.7 Advanced Security
3.2.8 Windows Security
3.3 Alarm Function
3.3.1 Overview of the Alarm Function
3.3.2 Viewing Alarms
3.3.3 Advanced Alarm Filter
3.3.4 Techniques for Alarm Minimisation
3.4 Plant Hierarchy function
3.5 Operation Mark
3.6 Operation Group
3.7 PICOT
YOKOGAWA TRAINING Section 3. CS3000 Common Functions TE 33AU1C3-01 Rev. 3.3 3-2
3 COMMON FUNCTIONS
3.1 Security Overview
The CS3000 system is based on the Microsoft Windows operating system, and is usually combined into corporate networks to enable accessibility of data from the DCS to plant information management systems. This presents security vulnerabilities partly because of the nature of the operating system, and partly because of the required openness of the system.
Security problems:
1. Viruses - these have the potential to damage and disable operational interfaces (HIS) and data gathering (ExaOPC and Exaquantum) components of the DCS. Viruses will not affect the control units (FCS) because they operate on a proprietary operating system.
2. Unauthorised Access - it may be possible for someone to gain unauthorised access to the DCS and either damage one or more of the components (e.g. wiping a hard disk), or possibly even gain control of the DCS and shut down plant, or put it into an unsafe state.
With the move to Vnet/IP, an Ethernet based network for the control network, security issues have become increasingly important.
This section provides a summary of the security issues associated with a networked DCS, and provides a policy for securing the system.
3.1.1 DCS Risk Profile
The DCS is a network of computers and as such is susceptible to the problems associated with all networked computers. This section describes these problems and how they will affect the DCS.
1. Viruses - The risk of a virus infecting the DCS is high. Most viruses involve either disabling a Windows based PC, or causing denial-of-service attacks by flooding a network. The CS3000 components at risk are the HIS, the ExaOPC server and the Exaquantum server. Losing any of these devices will result in loss of data and the ability to monitor the plant. However, unless all HISs are affected simultaneously, it would not affect the control of the plant.
2. Denial-of-service - Denial-of-service (DoS) attacks are often caused by viruses, but may have other causes. DoS attacks work by flooding the network, making normal communication difficult or impossible. It is possible that a DoS attack from a HIS onto the Vnet could cause degradation in performance of the Vnet, leading to loss of data and reduced ability to monitor the plant. The risk of a virus-related DoS attack is high.
3. Access - The risk of unauthorised access is more likely to be caused by a disgruntled employee than an outside attack. (Between 70% and 80% of all cyber incidents are by people with authorised access.) However, the consequences can be serious. A random attack from an internet source is most likely to gain access to a PC and disable it. At worst, such an attack could bring down the network, resulting in loss of data and the ability to monitor plant operations, but will not affect the control of the plant. However, an inside attack by someone with knowledge of the system could be very serious, as they have the ability to interfere directly with the control of the plant.
Access points:
1. The connection from the corporate network to the DCS network is the main port of entry into the system. From this, unauthorised users from the internet and from within the corporate network can gain access. It is also a connection point where viruses can enter.
2. Floppy disks, CDs and other removable media can contain viruses and these can be transferred to the system through any of the PCs within the DCS.
3. Dial-up access for remote maintenance is also an entry point, although it is limited to those who know the telephone number, and is therefore easily traced. There is the risk of people scanning telephone numbers and finding this entry point, but the chances are small.
3.1.2 Overview of Security Implementation
Objective of the security process
Prevention - The system must be designed to prevent unauthorised access in the first place. This is achieved through proper design of the network architecture, implementation of security policies, installation of anti-virus software, and update procedures.
Detection - Should a cyber incident occur, the ability to detect it as soon as possible ensures that problems due to the attack are minimised.
Recovery - The ability to repair systems after an attack and bring them back online quickly ensures that the effects of damage due to an attack are minimised.
Implementation of the security process:
Design of network architecture - the network must be designed in such a way as to minimise the number of points of access. This includes single point of access through a router and firewall, demilitarised zones (DMZ) and, in certain cases, the use of decoys (honeypots).
Implementation of security policies - As part of the system installation, security policies need to be implemented that limit access and reduce the possibility of misuse of the equipment. The policies should range from securing the computer operating systems to making use of the control system security features. Implementation includes: hardening of O/S through security policy configuration and password management, locking down of I/O ports (floppy disk drives, CD drives, USB memory, etc) and installation of anti-virus software.
Maintenance of the system after installation - Once the system is installed and running, regular maintenance of the security configuration is necessary to maintain its integrity. New methods of circumventing security are constantly being developed, as are new viruses, and it is essential to remain ahead of these. Maintenance includes: monitoring of log files for suspicious activity, virus updates, O/S updates and regular backups.
3.1.3 Recommended Security Procedures:
System Architecture
1. Router - Install a router between the corporate network and the DCS. Through this, limit and control which PCs have access to Exaquantum, ExaOPC and Remote HIS. Yokogawa recommends using a CISCO router with the optional firewall software. CISCO SDM (Security Data Manager) should be included to tighten the firewall.
2. Firewall - In addition to the firewall software provided with the CISCO router, install a hardware firewall with the router. A firewall not only limits access for PCs over the network, but also tracks connection between the networks. Yokogawa recommends using the Symantec Gateway Security 5400 Series.
3. Intrusion Protection System (IPS) - This provides further protection against unauthorised entry, and is often the only defence against worms which are often able to sneak in through open ports in the Firewall. An IPS is expensive and only required in critical applications.
4. DMZ - Install Exaquantum Server, update servers and any web servers in a demilitarised zone (DMZ). This zone sits between the DCS and the corporate LAN so that clients need access only to the servers in the DMZ. This makes it much easier to control and secure the connection between the DCS LAN and the DMZ.
5. Honeypots - these are decoy computers that sit in the DCS network and are designed to look like a part of the DCS. Such computers may be installed with HIS/HIS-TSE, Exaquantum Server or ExaOPC, but not actually connect to the process controllers or use its database. They may contain similar updates to the other computers, but still have a few holes through which a hacker could gain access. While a hacker cannot do anything useful with these computers, they could give those monitoring the system security time to trace the source of the attack. Such a technique requires extensive maintenance, very fast detection, and experienced IT personnel. While it is listed here, it is not generally recommended, as its usefulness is limited by the available resources and experience of personnel monitoring the system.
6. Vnet/IP - Although Ethernet connection can share the same physical network as Vnet Bus 2 with the Vnet/IP system, it is recommended that a separate network interface card be installed in all computers that connect to the external network, such as ExaOPC and PRM. This will ensure that no external client will have direct access to the control bus network.
Figure 1 DCS Security Architecture
[Diagram labels. Zones: DCS Zone, Demilitarized Zone, Corporate Zone. Networks: Vnet, DCS Ethernet, DMZ Ethernet, Corporate Ethernet. Devices: Controller, Eng Station, HIS, HIS-TSE, ExaOPC, Exaquantum, PRM Server, Web Server, Update Servers (VUS, WUS), Exaquantum Client, HIS-TSE Client, PRM Client, Router/Firewall/IPS, Router/Firewall.]
Note, DCS Ethernet is part of the physical Vnet/IP bus.
System Security Configuration:
7. Physical Security - Lock away PCs in the DCS network, such as HISs, ExaOPC/HIS-OPC servers and Exaquantum servers so that unauthorised people do not have access to the disk drives.
8. Client Access to ExaOPC - Limit or prohibit access to ExaOPC/HIS-OPC from the corporate network. It is recommended that staff do not have VB access to ExaOPC/HIS-OPC data. Ensure that ExaOPC/HIS-OPC has read-only privileges.
9. Remote HIS - Ensure that any HIS with HIS-TSE server or PCAnywhere is read-only, so that remote users do not have operational access to the plant.
10. Internet Access - Disable internet access from all devices in the DCS network. It is essential that there is no web or email access from any computer within the DCS network. Hide the PCs within the DCS network from the main network so that they cannot be seen in Network Neighbourhood (also known as My Network Places).
11. Windows Policies - Set up security policies in the DCS PCs such that disk drives and USB memory devices cannot be used, and the running of applications and access to the file system is restricted. Make use of the Centum Desktop function available with CS3000.
12. Computer Hardening - Remove all unnecessary programs and services from the computers.
13. Passwords - Ensure that all users have passwords. Change passwords regularly, and create passwords that are difficult to crack. The default CENTUM password should be changed.
14. CS3000 Operator Security - Set up Operator security using Advanced CS3000 Security. Each Operator should have their own username and password. This defines operator access to plant control, and provides a log of all operations performed by that operator.
15. CS3000 Engineering Security - Install the Access Administrator package. This provides access control and an audit trail for all engineering tasks conducted through System View.
Software
16. Installation - provide a standardised operating system installation for the DCS computers, such that the operating system version, service pack and patch levels are the same for all computers. Ensure that the service pack and patch levels are approved by Yokogawa.
17. Viruses - Install a virus protection program and keep it up to date. How it is kept up to date depends on the system. This is discussed in the Maintenance section below. We recommend Norton Anti-Virus, which Yokogawa must configure for optimal performance.
18. Windows Updates - Microsoft regularly issues patches for Windows to resolve security problems with the operating system. While it is desirable to install these patches as they are released, not all of them are necessary for the DCS, and some could cause instability within the DCS. Yokogawa tests all patches and releases a regular report on which updates need to be installed and whether it is safe to do so. We recommend a Windows Update Server (WUS) be installed in the DMZ which is manually updated with recommended patches. This server can then install the patches on the HISs and other DCS computers as required.
Maintenance
Regular maintenance is essential to maintaining the integrity of DCS security. The following measures are necessary as part of an ongoing maintenance regime:
19. Virus Updates - For large systems, it is recommended that a PC is in operation on the DCS network (or DMZ) which receives updates for the virus package (VUS). This will then update the DCS accordingly. It must not be updated directly from the internet, but it should be updated from the server on the corporate LAN. If it is a small isolated system, update the virus package manually and ensure this is done regularly.
20. Windows Updates - update the WUS on a monthly basis or when Yokogawa issues a test report on Windows patches.
21. System monitoring - monitor firewall, router and DCS log files regularly to detect any suspicious activity. The firewall should be configured to provide alarms in the event of a security breach.
22. Backups - carry out backups of all DCS computers regularly, or at least after any system updates. Two copies of the backup disks should be kept: one on-site and one off-site. At least three previous sets of backups are to be maintained so that the system can be restored to a known point before an infection or breach occurred.
3.2 CS3000 Security Function
The security function is used to control access to the system, and to specific areas and functions of the system.
Note: General-purpose Windows applications other than operation and monitoring functions follow the security procedures for Windows.
3.2.1 Overview of the Security Function
The security function restricts the scope of operation and monitoring permitted for an operator, and masks certain alarms for which the operator need not be notified. The following two types of functions are available with the security function:
HIS security
User security
The HIS security function restricts the scope of operation and monitoring, as well as the authority of the HIS. By doing so, operation performed by a user regarding certain equipment or data items can be prohibited, regardless of the scope of operation and monitoring or the authority granted to the user.
The user security function restricts the scope of operation and monitoring, as well as authority given to the user. By doing so, operation by a user on certain equipment or data items, to which he/she has no access authority, can be prohibited. The scope of operation and monitoring permitted for an operator is determined by a combination of HIS security and user security settings.
In the framework of the security function, operation and monitoring is defined as follows:
Operation - Setting data to function blocks, changing function block statuses and other operations.
Monitoring - Displaying function block data, receipt of messages and calling up windows.
3.2.2 HIS Security
The functional security level regarding operation and monitoring, as well as the operation and monitoring scope, can be set for the HIS itself. The HIS security check takes precedence over the user security check. Use the HIS Constant Definition Builder to set the HIS security.
Select the function security level of the HIS from the following two types:
Monitoring only HIS
Operation and monitoring HIS (default)
If the HIS is set as monitoring only, a user can only perform monitoring on the HIS regardless of his/her access level. Operations allowed on a HIS set as operation and monitoring vary depending on the user privilege level and the security level of the function blocks.
Scope of Operation and Monitoring - Advanced Setting
The operation and monitoring scope of the HIS can be set for each HIS.
In the operation and monitoring scope check, both the operation and monitoring scope of the HIS and that of the user group are checked. Any operation or monitoring that is not included in both scopes cannot be performed.
Monitoring Range (Default: ALL)
Operation Range (Default: ALL)
Window Range (Default: ALL)
Acknowledgment (Default: ALL)
Process Message Receiving (Default: ALL)
System Alarm Receiving (Default: ALL)
Exclude Monitoring (Default: NONE)
Exclude Operation (Default: NONE)
Exclude Acknowledgment (Default: NONE)
Exclude Process Message (Default: NONE)
Exclude System Alarm (Default: NONE)
The default setting is ALL for INCLUDE and NONE for EXCLUDE.
3.2.3 User Security
User security is defined by the security settings specified for each user. When an operator is checked for his/her user security, the operator is identified by the user name and the scope of operation and monitoring and privilege level. As a result, the scope of operation and monitoring permitted for the operator can be restricted. In addition, it is possible to mask out alarms that are not required for that user.
The following items may be defined in relation to user security:
User name
User group
Privilege Level
The user security function records the details of operation and monitoring performed by the user as operation logs. These operation records may be checked on the Historical Message Report Window.
The security builder is accessed through the COMMON folder for the project:
The Security Builder configures users and user groups. User registration is described below:
User Registration
User name definition is carried out on the definition builder. Each user name must be unique, consisting of eight alphanumeric characters or fewer. Up to 250 users can be defined. Upper- and lower-case letters are not distinguished. Up to 32 single-byte characters or 16 double-byte characters may be entered for each user name.
Password
When logging in, the user enters their name and password. In the Password tab of the security builder, it is possible to select either local or common. If local is selected then setting the password is carried out in the user-in dialog box called up from the system message window. If common is selected, then a master password file is held in the project server and this is checked whenever someone logs on.
Automatic User-Out Time
When an automatic user-out time is defined, the user automatically changes to OFFUSER when the automatic user-out time has elapsed. The choices are:
1. Elapsed time from user in - when someone logs in, after the specified period, they are logged out. Specify the time in hours and minutes.
2. No operation time - if there has been no activity on the HIS for a period of time, the user is logged out. Specify the time in minutes.
3.2.4 User Group
The users are classified into groups based on their operation and monitoring scopes. This classification is called user group.
The following attributes are assigned to each user group:
User group name
Operation scope
Monitoring scope
Windows scope
Confirmation operation scope
Messaging scope
Comment
Each user is linked to a user group so that when they log in, the scope of their operations and monitoring, including what alarms they receive and acknowledge is defined.
Figure 1.1 Example of Relationship Between User Group and Operation/Monitoring Scopes
In the above example, the users belonging to Group A (user1, user2 and user3) have rights to operate and monitor tank1 and to monitor tank2, but have no rights on tank3. The user belonging to Group B (user4) has rights to operate and monitor tank3, but no rights on tank1 or tank2.
User Group Name Definition
The user group name is defined on the security definition builder. Each user group name must be unique and consist of 8 or fewer alphanumeric characters. 50 user groups may be assigned to one project. The names are not case sensitive. User groups may be used to classify the messages sent to different printers. Up to 32 single-byte characters or 16 double-byte characters may be entered as the comment for a user group name.
Note: a HIS can be a member of a User Group. This is configured in the Open I/F tab of the HIS Constants.
Setting Operation and Monitoring Scope
The operation and monitoring scope is set for each user group. The user-in user can perform operation and monitoring within the scope specified for the user group to which he/she belongs. The operation and monitoring scope may be exclusively defined on the security definition builder.
Inclusive Definition
Specify the following items:
Monitoring Range - Specify the scope of data to be read by station name, drawing name, and unit name.
Operation Range - Specify the scope of data to be read and written by station name, drawing name, and unit name.
Window Range - Specify a window name a user can operate and monitor after user-in. Specify folder name and window name.
Acknowledgment - Specify the scope of acknowledged process alarms by station name.
Process Message Receiving - Specify the scope of monitored messages by station name.
System Alarm Receiving - Specify the scope of monitored system alarms by station name.
The operation range must be included in the monitoring range. You cannot operate outside the monitoring range.
The following keywords are used in setting operation and monitoring scope:
ALL - Operation and monitoring rights on all stations and windows connected to the control bus
NONE - No monitoring rights on any station
station names (e.g. FCS0101)
unit names
drawing names (e.g. %DR0001S0101)
When setting operation and monitoring rights on designated station names or window names, the wild card character * can be used instead of part or all characters in a character string. The default setting is that all stations and windows are within the operation and monitoring scope.
Exclusive Definition
Specify the following items:
Exclude Monitoring - Specify the scope of data not to be written by station name, drawing name, and unit name.
Exclude Operation - Specify the scope of data not to be read or written by station name, drawing name and unit name.
Exclude Acknowledgment - Specify the scope of non-acknowledged process alarms by station name.
Exclude Process Message - Specify the scope of non-monitored messages by station name.
Exclude System Alarm - Specify the scope of non-acknowledged
Combining Inclusive and Exclusive Definitions
You may combine inclusive and exclusive definitions to specify various scopes.
The following are examples of combination:
If operation and monitoring are possible at FCS0101 and FCS0102: specify FCS0101 and FCS0102 in the inclusive definition, and NONE in the exclusive definition.
If operation and monitoring are possible at all other stations, excluding FCS0103: specify ALL in the inclusive definition, and FCS0103 in the exclusive definition.
If operation and monitoring are possible at FCS0101 and FCS0102, but not at UNIT A: specify FCS0101 and FCS0102 in the inclusive definition, and UNIT A in the exclusive definition.
Example of Operation and Monitoring Scope Setting
Monitoring rights: ALL
Operation rights: FCS0101,FCS0102,%DR0001S010301,UNIT001
Operation and monitoring rights on windows: TANK1, WIN*
In the above example, all stations and windows are within the monitoring scope. However, only stations FCS0101 and FCS0102, drawing DR0001 of station FCS0103 (%DR0001S010301) and unit UNIT001 are within the operation scope. The operation and monitoring rights on windows cover all windows below TANK1 in the hierarchy, and all windows below the windows whose names start with WIN.
3.2.5 Privilege level
The user's rights and abilities on operation and monitoring are defined as accountabilities.
The following attributes are assigned to each privilege level:
Whether or not monitoring is permitted
Whether or not operation is permitted
Whether or not operation and monitoring using system operation windows is permitted
Privilege Level and User Security
With the user security function, a user's operation and monitoring authority on data items and system operation windows is determined by the user's privilege level.
Operation and Monitoring Authority on Data Items
Below are tables that describe the relationship between the privilege level of the operator and the security level of a function block. The security level of a function block can be set between 1 and 8, and this defines what privilege level the operator needs to be able to monitor and operate the tag.
The tables on operation and monitoring authority are fixed and cannot be edited.
Table: Data Item Operation and Monitoring Authority Table (Important Tag and Ordinary Tag)
Note: The authority on Important Tag and Ordinary Tag is the same as that of the security level 4.
*1: Users having no AFLS operation authority cannot acknowledge alarms sent from the corresponding function blocks.
R/W: Both operation and monitoring permitted
R: Only monitoring permitted
J10. Security Function, IM 33S1B30-01E, 4th Edition : Jan.11,1999-00
J10.4 Function Block Security
An attribute called security level is assigned to the function blocks. The security level classifies function blocks by priority level. The bigger number of the security level stands for higher priority level.
Function Security Levels
Security Level
Several operation and monitoring authority tables classified by data items, each corresponding to a different function security level are provided. As the security level changes, the operation and monitoring authority changes over each data item.
[Figure: Security Levels. Operation and monitoring authority tables (data items by privilege level S1, S2, S3), one per security level from Security level 1 to Security level 8.]
Security level may be set from level 1 to level 8. The security level definition may be carried out on the Function Block Detail Builder. Level 4 is the default security level set for the function blocks. The operation and monitoring authority tables for different function security levels are shown below:

Table Operation and Monitoring Authorities for Security Level 1
| Data items / Privilege level | S1 | S2 | S3 |
|---|---|---|---|
| Mode status, SV, MV | R/W | R/W | R/W |
| Alarm set value | R/W | R/W | R/W |
| Write-allowed data items other than mode status, SV, MV, and alarm set value | R/W | R/W | R/W |
| Write-prohibited data items | R/- | R/- | R/- |
| AFLS (alarm acknowledgment) only | R/W | R/W | R/W |
R/W: Both operation and monitoring permitted
R/-: Only monitoring permitted
Table Operation and Monitoring Authorities for Security Level 2
| Data items / Privilege level | S1 | S2 | S3 |
|---|---|---|---|
| Mode status, SV, MV | R/W | R/W | R/W |
| Alarm set value | R/W | R/W | R/W |
| Write-enable data items other than mode status, SV, MV, and alarm set value | R/- | R/W | R/W |
| Write-disable data items | R/- | R/- | R/- |
| AFLS (alarm acknowledgment) only | R/W | R/W | R/W |
R/W: Both operation and monitoring permitted
R/-: Only monitoring permitted

Table Operation and Monitoring Authorities for Security Level 3
| Data items / Privilege level | S1 | S2 | S3 |
|---|---|---|---|
| Mode status, SV, MV | R/W | R/W | R/W |
| Alarm set value | R/- | R/W | R/W |
| Write-enable data items other than mode status, SV, MV, and alarm set value | R/- | R/W | R/W |
| Write-disable data items | R/- | R/- | R/- |
| AFLS (alarm acknowledgment) only | R/W | R/W | R/W |
R/W: Both operation and monitoring permitted
R/-: Only monitoring permitted

Table Operation and Monitoring Authorities for Security Level 4
| Data items / Privilege level | S1 | S2 | S3 |
|---|---|---|---|
| Mode status, SV, MV | R/- | R/W | R/W |
| Alarm set value | R/- | R/W | R/W |
| Write-enable data items other than mode status, SV, MV, and alarm set value | R/- | R/W | R/W |
| Write-disable data items | R/- | R/- | R/- |
| AFLS (alarm acknowledgment) only | R/W | R/W | R/W |
R/W: Both operation and monitoring permitted
R/-: Only monitoring permitted

Table Operation and Monitoring Authorities for Security Level 5
| Data items / Privilege level | S1 | S2 | S3 |
|---|---|---|---|
| Mode status, SV, MV | R/- | R/- | R/- |
| Alarm set value | R/- | R/- | R/- |
| Write-enable data items other than mode status, SV, MV, and alarm set value | R/- | R/- | R/- |
| Write-disable data items | R/- | R/- | R/- |
| AFLS (alarm acknowledgment) only | R/W | R/W | R/W |
R/W: Both operation and monitoring permitted
R/-: Only monitoring permitted
Table Operation and Monitoring Authorities for Security Level 6
| Data items / Privilege level | S1 | S2 | S3 |
|---|---|---|---|
| Mode status, SV, MV | -/- | R/- | R/W |
| Alarm set value | -/- | R/- | R/W |
| Write-enable data items other than mode status, SV, MV, and alarm set value | -/- | R/- | R/W |
| Write-disable data items | -/- | R/- | R/- |
| AFLS (alarm acknowledgment) only | -/- | R/W | R/W |
R/W: Both operation and monitoring permitted
R/-: Only monitoring permitted
-/-: Neither operation nor monitoring permitted

Table Operation and Monitoring Authorities for Security Level 7
| Data items / Privilege level | S1 | S2 | S3 |
|---|---|---|---|
| Mode status, SV, MV | -/- | -/- | R/- |
| Alarm set value | -/- | -/- | R/- |
| Write-enable data items other than mode status, SV, MV, and alarm set value | -/- | -/- | R/- |
| Write-disable data items | -/- | -/- | R/- |
| AFLS (alarm acknowledgment) only | -/- | R/- | R/W |
R/W: Both operation and monitoring permitted
R/-: Only monitoring permitted
-/-: Neither operation nor monitoring permitted

Table Operation and Monitoring Authorities for Security Level 8
| Data items / Privilege level | S1 | S2 | S3 |
|---|---|---|---|
| Mode status, SV, MV | -/- | -/- | -/- |
| Alarm set value | -/- | -/- | -/- |
| Write-enable data items other than mode status, SV, MV, and alarm set value | -/- | -/- | -/- |
| Write-disable data items | -/- | -/- | -/- |
| AFLS (alarm acknowledgment) only | -/- | -/- | -/- |
-/-: Neither operation nor monitoring permitted
(IM 33S1B30-01E, 6th Edition : Jan.24,2000-00)
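The checks described in 3.2.2 to 3.2.5 combine into one decision per user, HIS and data item. The following Python model is an added example, not part of the original manual or of any Yokogawa software: it applies the inclusive/exclusive scope definitions with the * wildcard to both the HIS and the user group, the monitoring-only HIS setting, and the authority tables for security levels 1 to 8 as printed above. Describing a function block by a tuple of its station, drawing and unit names, all function and class names, and the sample blocks are assumptions of this example; window scope is not modelled.

```python
import re
from dataclasses import dataclass

PRIVILEGES = ("S1", "S2", "S3")
# Rows of the authority tables, in the order the page lists them.
ITEMS = ("MODE_SV_MV", "ALARM_SET", "OTHER_WRITABLE", "WRITE_PROHIBITED", "AFLS")
# Authority tables for security levels 1-8, transcribed from the page.
# One string per data item, one letter per privilege level (S1, S2, S3):
# W = R/W, R = R/-, N = -/-.
AUTHORITY = {
    1: ("WWW", "WWW", "WWW", "RRR", "WWW"),
    2: ("WWW", "WWW", "RWW", "RRR", "WWW"),
    3: ("WWW", "RWW", "RWW", "RRR", "WWW"),
    4: ("RWW", "RWW", "RWW", "RRR", "WWW"),  # default level for function blocks
    5: ("RRR", "RRR", "RRR", "RRR", "WWW"),
    6: ("NRW", "NRW", "NRW", "NRR", "NWW"),
    7: ("NNR", "NNR", "NNR", "NNR", "NRW"),
    8: ("NNN", "NNN", "NNN", "NNN", "NNN"),
}


def matches(pattern, name):
    """Match one scope entry; '*' replaces part or all of a name."""
    if pattern == "ALL":
        return True
    if pattern == "NONE":
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def in_scope(include, exclude, names):
    """True if one of the block's names is included and none is excluded."""
    def hit(patterns):
        return any(matches(p, n) for p in patterns for n in names)
    return hit(include) and not hit(exclude)


@dataclass(frozen=True)
class Scope:
    """Ranges of one HIS or one user group; defaults are the page's defaults."""
    monitor: tuple = ("ALL",)
    operate: tuple = ("ALL",)
    exclude_monitor: tuple = ("NONE",)
    exclude_operate: tuple = ("NONE",)

    def can_monitor(self, names):
        return in_scope(self.monitor, self.exclude_monitor, names)

    def can_operate(self, names):
        # The operation range must lie inside the monitoring range.
        return self.can_monitor(names) and in_scope(
            self.operate, self.exclude_operate, names)


def effective_access(his, his_monitor_only, group, privilege, block, level, item):
    """Return 'R/W', 'R/-' or '-/-' for one user on one data item of one block."""
    letter = AUTHORITY[level][ITEMS.index(item)][PRIVILEGES.index(privilege)]
    # Both the HIS scope and the user group scope must contain the block.
    monitor = letter != "N" and his.can_monitor(block) and group.can_monitor(block)
    operate = (monitor and letter == "W" and not his_monitor_only
               and his.can_operate(block) and group.can_operate(block))
    return "R/W" if operate else "R/-" if monitor else "-/-"


# Constructed sample data. PAGE_GROUP is the page's example scope setting; the
# blocks (station, drawing, unit) and the restricted HIS are made up.
PAGE_GROUP = Scope(operate=("FCS0101", "FCS0102", "%DR0001S010301", "UNIT001"))
OPEN_HIS = Scope()
RESTRICTED_HIS = Scope(exclude_operate=("FCS0102",))
BLOCK_A = ("FCS0101", "%DR0002S010101", "UNIT005")  # station in operation range
BLOCK_B = ("FCS0103", "%DR0007S010301", "UNIT009")  # outside operation range
BLOCK_C = ("FCS0102", "%DR0003S010201", "UNIT002")  # excluded on RESTRICTED_HIS
BLOCK_D = ("FCS0103", "%DR0001S010301", "UNIT009")  # drawing in operation range


def demo():
    """Effective access to Mode/SV/MV for constructed combinations."""
    def mode(his, ro, priv, block, level=4):
        return effective_access(his, ro, PAGE_GROUP, priv, block, level, "MODE_SV_MV")
    return {
        "S2, open HIS, block A": mode(OPEN_HIS, False, "S2", BLOCK_A),
        "S1, open HIS, block A": mode(OPEN_HIS, False, "S1", BLOCK_A),
        "S2, open HIS, block B": mode(OPEN_HIS, False, "S2", BLOCK_B),
        "S2, open HIS, block D": mode(OPEN_HIS, False, "S2", BLOCK_D),
        "S3, monitoring-only HIS, block A": mode(OPEN_HIS, True, "S3", BLOCK_A),
        "S3, restricted HIS, block C": mode(RESTRICTED_HIS, False, "S3", BLOCK_C),
        "S1, open HIS, block A, level 6": mode(OPEN_HIS, False, "S1", BLOCK_A, 6),
    }


if __name__ == "__main__":
    for case, access in demo().items():
        print(f"{case:36} {access}")
```

Running the same function over every user group and HIS definition of a project gives a reviewable list of who can actually write to each block, which is useful when checking that a remote or monitoring-only HIS really is read-only.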
Window Operation and Monitoring Authority
With the operation and monitoring functions, the operation and monitoring authority can be set for each window. By setting the operation and monitoring authority on graphic windows, changing the instrument faceplate assignment or acknowledging of alarm blinking can be prohibited.
In the case of trend windows, changing the trend pen assignment can be prohibited by setting the corresponding operation and monitoring authority.
The following three types of operation and monitoring authorities can be set for windows:
- General window
- Important window
- System operation window

The types of windows with which a user can perform operation and monitoring vary, depending on the settings of operation and monitoring authority on windows and the user's accountability level.
The table below shows operation and monitoring authorities on windows, indicating which user can perform operation and monitoring using which types of windows:
Table 3.4 Table of Window Operation and Monitoring Authorities
The operation and monitoring authority on system operation windows cannot be changed. The operation and monitoring authority on windows other than system operation windows can be changed using the system view.
Operation and Monitoring Authority on System Operation Windows
The operation and monitoring authority on windows is defined over the system maintenance window and system view.
The following windows are referred to as system operation windows:
- System status overview window
- System alarm window
- FCS status window
- HIS setup window
- System View
Table 3.5 Operation and Monitoring Authority over System Operation Window
Change Privilege Level on the Operation Keyboard
When the HIS console is connected with an operation keyboard, the privilege level of the user may be changed temporarily using the mode selection key on the keyboard. The privilege level changed on the keyboard has higher priority than the level set in the user-in dialog box.
The following two mode selection keys are used to switch the security level:
- Operation key: The key can be switched between the ON and OFF positions only.
- Engineering key: The key can be switched to any position.
Table 3.5 Relationship Among Mode Selection Key Position, Privilege Level and Operation Mode
3.2.6 Priority Levels of the Tag
The tag priority level is one of the attributes assigned to function blocks. The confirmation operation after changing data or the tag mark displayed with a function block varies with the security level of the function block set with tag priority.
Priority Levels of the Function Block
The priority level of a function block is determined in accordance with the tag priority assigned to the block.
The tag priority levels classify tags into the important tag, ordinary tag, auxiliary tag1 and auxiliary tag2. The priority levels are represented by tag marks.
Assigning the important tag priority level to the function block displays the acknowledgment dialog, but assigning other priority levels does not. When entering a value to a function block that requires acknowledgment, a dialog box appears to prompt for confirmation.
Table 3.6 Tag Priorities
3.2.7 Advanced Security
With the advanced security function, detailed security settings can be defined for each function block. The advanced security settings are included in advanced setup items in the security definition builder.
As mentioned previously, there are three standard security access (privilege) levels: S1, S2 and S3. These can be extended with 7 extra security access levels: U1 - U7. Unlike the standard levels, they are not assigned to the key switch, and users with these levels must log in using the HIS login function.
The advanced setting items are as follows:
- Window Monitoring
- Window Operation
- Tag View
- Item Operation
- Operator Action
- Operation-mark On

For each of these items, a table mapping privilege level to security level allows the user to define which access levels allow the items listed above to be actioned, as the example below shows:
Table 3.7 Example of Extended Privilege
When accountability level U1 is defined, the users to whom U1 is assigned will be prohibited from performing any operation.
Window Monitoring - defines whether the user can display a window.
Window Operation - defines whether the user can operate functions within a window.
Tag View - defines whether the user can call up a faceplate on the operator console.
Item Operation - defines whether the user can change data on the tuning panel of the faceplate.
Operator Action - defines whether the user can operate a faceplate.
Operation-mark On - defines the user's accessibility to the 3 security levels of an Operation Mark (see below).
3.2.8 Windows Security
During installation, CS3000 creates a user in Windows called CENTUM (with password CENTUM). This provides a restricted level of access, and generally the HIS is set up to log in to this user on start-up.
It is important not to change the settings of CENTUM (including the password), as the system uses this user to communicate between stations. If this user is deleted, or the password is changed, then the stations cannot talk to each other.
It is also possible to further restrict user access by modifying certain elements of this user.
- Start up for [CENTUM]: the HIS Operating and Monitoring functions will start up automatically when you log on to the PC.

- Auto Logon: will automatically log into the CENTUM user on boot-up of the PC. The password of CENTUM is CENTUM. If the password is to be changed, this must be done through this dialog box and the same password must be applied to all HIS and EWS. Otherwise they will not be able to communicate with each other.

- Set Desktop Environment for CENTUM: by selecting CENTUM Desktop, the START menu is cleared of most applications, including shutdown. The desktop is also cleared of any icons so that the operator cannot launch any applications in the PC. This can be modified further by deleting all items from the START menu manually.

- HIS Security Policy: allows the advanced setting of user security behaviour. This applies to the CS3000 User Security and not Windows security.
3.3 Alarm Function
3.3.1 Overview of the Alarm Function
There are two types of alarms:
- System alarms: failures of DCS hardware or software, eg, I/O card failure
- Process alarms: alarms from the process, ie, outside the DCS, eg, high level alarm, motor failure, etc.
These alarms are displayed on separate alarm pages, and the process alarms are the most important ones for the operator.
Process alarms are generated in the FCS. These are either Function Block alarms, Annunciators or Input/Output Status alarms. When these are raised, the FCS time-stamps the alarm and broadcasts it onto the Vnet. The alarm package then captures it, displays it on the process alarm page and logs it to the Historical Event Message file.
Each function block has several configuration items relating to alarms:
- Alarm Level: defines the alarm priority level, and what the alarm does
- Alarm Setting: individual alarm types can be enabled or disabled

Alarm Level Definition
In the properties of a function block, an alarm level is assigned as follows:
1. High
2. Medium
3. Low
4. Logging
5. User(5) to User(16)
These alarm levels do not relate directly to the alarm priority, but are mapped to alarm priority and alarm type in the Alarm Processing Table Builder (Common folder of the project), as shown in the following table.
The rows are numbered 7 to 32 and these relate to the different alarm types as can be seen in the User-defined Status Character String Builder. For example, alarm no. 15 is a HI HI alarm.
The first four alarm levels are fixed and cannot be changed. These in fact correspond directly with the four alarm priorities. However, there are 12 user-definable alarm levels (User(5) to User(16)) where the alarm priority and tag mark colour can be modified for each alarm type for that alarm level, as shown below:
Alarm Priority Definition
Once the alarm level has been set for a tag, the function of each of the five alarm priorities can be defined in the Alarm Priority Builder. The alarm priorities are:
1. High priority
2. Medium priority
3. Low-priority
4. Alarm Logging Only
5. Reference
Here you can define what happens when the alarm occurs and when it recovers. The fields are as follows:
- CRT: notification to the operator, on the alarm line and in the process alarm window
- PRT: the alarm is sent to the printer
- Historical File: the alarm is logged to hard disk
- Alarm Action: locking, non-locking or self acknowledging
  - Locking: the alarm must be acknowledged before it is cleared from the alarm page
  - Non-Locking: the alarm is cleared from the alarm page as soon as it returns to normal, even if it has not been acknowledged
  - Self-acknowledging: the alarm is immediately acknowledged so that it is never seen flashing

Alarm Settings
For each function block, the different types of alarms can be enabled or disabled. This is accessed by selecting the function block and calling Edit Detail.
Note that a hysteresis is applied to the alarms as a percentage of the engineering range of the function block. This is a builder item and cannot be adjusted through the operator display.
3.3.2 Viewing Alarms
The Process Alarm Page
The process alarm page displays current and unacknowledged alarms. It has a 200 alarm buffer. Older alarms can be viewed through the historical event message file.
The process alarm page has some simple alarm filtering functions:
- Equipment name: allows sorting using the plant hierarchy function. This provides a sophisticated method of grouping alarms according to plant location and function. This is discussed in more detail later.

Process Report
The process report displays the current state of tags and I/O in the system. It has a more sophisticated filter than the process alarm page and through this it is possible to list tags according to their particular alarm state, or other attribute of the tag.
With the search utility it is possible to display tags that are in a specific alarm, say HH, by typing HH into the Specified Alarm field. Tags can be specified by wild cards, so for example, 30G* will list all tags beginning with 30G.
Historical Message Report
All alarms, operator actions and other events are logged to file on the hard disk. These can be viewed in the Historical Message Report window. This shows all events, but the filter allows you to view specific types of events and alarms.
The search function has the following search parameters:
- Date: search for events between two times and dates, or look back over the past few hours, days or weeks.

- Message Type: select the type of message to display. This includes:
  - Process and System Alarms
  - Status Change (eg, mode change to auto)
  - Operation Message (eg, turning on a motor)
  - Various System Messages

- Occurrence Source: select the range of the search, ie, search by station, plant hierarchy (see below), tag name.

- User: search by user. The historical message function records which user performed what operation and so it is possible to check what a user has done over a given time.

3.3.3 Advanced Alarm Filter
An advanced alarm filter filters out alarms generated on the HIS and displayed on the Process Alarm page during plant operation. It is possible to define a filter for each operator and only notify the operator regarding alarms corresponding to the operator's level and range of rights. In order to use advanced alarm filters, it is necessary to install the Advanced Alarm Filter package on the HIS.
What is an Advanced Alarm Filter?
An advanced alarm filter can perform the following operations:
It can suppress alarm buzzer output, LED output and window output generated during plant operation, according to user-defined filter settings. Note, however, that printer output, historical output and LED output for user-assigned information cannot be filtered.
It is possible to specify conditions for the filtering of alarms using logical operators such as AND, OR, XOR and NOT. The conditions are specified via fixed qualifiers, such as tag names, project names, station names and types of alarms, rather than being based on dynamic conditions that depend on the status for the generation of a given alarm.
It is possible to create several filters in advance, and to switch between them in order to select a filter with settings suitable for a particular situation. It is also possible to disable filters as necessary.
It is possible to set security when creating and switching between filters.
It is possible to export advanced alarm filters created in one HIS, and to import and use them in another HIS.
Calling up the filter window:
The Advanced Alarm filter window is displayed by typing .AF into the NAME field.
Filter Syntax
Into this window filter logic can be written. The information on the syntax is available in the help file that can be accessed by clicking on the Help menu.
| Keyword | Options | Description |
|---|---|---|
| KIND: | AL, OG | Type of Message |
| PJT: | Pn | Project ID (eg, P1, P2, etc) |
| PL: | Sn | Plant Hierarchy Name (eg, S1, S2, etc) |
| AL-C: | Black, Red, etc | Alarm Colour |
| AL: | HH, HI, LO, etc | Alarm Name |
| AL-P: | H, M, L | Alarm Priority. H = High, M = Medium, L = Low |
| STN: | Sddss | Station Name (eg, S0101) |
| TAG: | Tag, *, ? | Tag Name (eg, FIC100, FIC*, ?IC1*) |
| NO: | | Message Number (eg, 1101) |
| TYPE: | BLK, ANN, OTH | Alarm Type |

Operators:

Keyword   Description
&         AND
|         OR
^         Exclusive OR
!         NOT

Examples:
1. Display only function block alarms of HI or HH attributes:
TYPE:BLK & (AL:HI | AL:HH)
2. Display only High priority, Red colour alarms from FCS0105:
STN:S0105 & AL-P:H
Note: Red alarms are IOP, HH, HI, LO, LL alarms. Deviation, Velocity and Output alarms are Yellow and will not be displayed.
3. Display all alarms beginning with FIC:
TAG:FIC*
4. Display all alarms with the letter L or P as the second character:
TAG:?L* | TAG:?P*
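To review what a filter expression will hide from the operator before it is enabled, the following added example (not part of the original training material or of any Yokogawa tool) parses the syntax above and splits a list of alarms into displayed and suppressed tags. The alarm records are constructed sample data; the operator precedence (! first, then &, ^, |) and exact matching for keywords other than TAG are assumptions, so check the product help file for the actual rules.

```python
import re

# Keywords and operators are taken from the syntax tables above.
KEYWORDS = {"KIND", "PJT", "PL", "AL-C", "AL", "AL-P", "STN", "TAG", "NO", "TYPE"}
TOKEN = re.compile(r"\s*(?:([()&|^!])|([A-Z-]+):([^\s()&|^!]+))")


def tokenize(expr):
    """Split an expression into operator characters and (keyword, value) terms."""
    expr, pos, tokens = expr.rstrip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter syntax at offset {pos}")
        if m.group(1):
            tokens.append(m.group(1))
        elif m.group(2) in KEYWORDS:
            tokens.append((m.group(2), m.group(3)))
        else:
            raise ValueError(f"unknown keyword {m.group(2)!r}")
        pos = m.end()
    return tokens


def parse(tokens):
    """Recursive descent parser; assumed precedence is ! > & > ^ > |."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def binary(sub, op):
        def rule():
            node = sub()
            while peek() == op:
                take()
                node = (op, node, sub())
            return node
        return rule

    def unary():
        tok = take()
        if tok == "!":
            return ("!", unary())
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if isinstance(tok, tuple):
            return ("term",) + tok
        raise ValueError(f"unexpected token {tok!r}")

    or_expr = binary(binary(binary(unary, "&"), "^"), "|")
    node = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node


def wildcard(pattern):
    """Translate the * and ? tag wildcards into an anchored regular expression."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts) + r"\Z")


def evaluate(node, alarm):
    """Return True when the alarm matches the filter, i.e. it stays displayed."""
    if node[0] == "term":
        _, key, value = node
        if key == "TAG":
            return bool(wildcard(value).match(alarm.get("TAG", "")))
        return alarm.get(key) == value
    if node[0] == "!":
        return not evaluate(node[1], alarm)
    left, right = evaluate(node[1], alarm), evaluate(node[2], alarm)
    return {"&": left and right, "|": left or right, "^": left != right}[node[0]]


def split_alarms(expr, alarms):
    """Return (displayed, suppressed) tag names for one filter expression."""
    ast = parse(tokenize(expr))
    shown = [a["TAG"] for a in alarms if evaluate(ast, a)]
    hidden = [a["TAG"] for a in alarms if not evaluate(ast, a)]
    return shown, hidden


# Constructed sample alarms, keyed by the filter keywords (not real plant data).
ALARMS = [
    {"TYPE": "BLK", "STN": "S0105", "TAG": "FIC100", "AL": "HH", "AL-P": "H"},
    {"TYPE": "BLK", "STN": "S0105", "TAG": "FIC200", "AL": "LO", "AL-P": "M"},
    {"TYPE": "BLK", "STN": "S0101", "TAG": "LC500", "AL": "HI", "AL-P": "H"},
    {"TYPE": "ANN", "STN": "S0101", "TAG": "AN0001", "AL": "ALM", "AL-P": "H"},
    {"TYPE": "BLK", "STN": "S0105", "TAG": "TIC300", "AL": "LL", "AL-P": "L"},
]

if __name__ == "__main__":
    for expr in ("TYPE:BLK & (AL:HI | AL:HH)", "STN:S0105 & AL-P:H", "TAG:FIC*"):
        shown, hidden = split_alarms(expr, ALARMS)
        print(f"{expr!r}: displayed={shown} suppressed={hidden}")
```

The suppressed list is the part worth reviewing: with example 1 the high-priority annunciator AN0001 in the sample data is no longer shown on the Process Alarm page.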
Enabling/Disabling the Advanced Alarm Filter
Within the Advanced Alarm Filter window, the filter can be enabled or disabled as shown above.
When it is enabled, the Process Alarm Window shows AF01 on the window frame, to indicate that alarms are being filtered.
For more information on the Advanced Alarm Filter, refer to the Instruction Manual: Reference, Part E12.5 (IM 33S01B30-01E).
3.3.4 Techniques for Alarm Minimisation
There are several ways alarms can be minimised using the standard functions of the CS3000 system. In addition, there are a number of packages available for alarm analysis and management, including AAASuite, and ExaPlog. Only the standard CS3000 functions are discussed here.
Alarm Priority
The default alarm priority for all function blocks is medium. This means that all alarms generated by function blocks are reported equally to the operator.
It is recommended that the alarm priority of function blocks be set as low as is appropriate for that function block. Thus, any that do not require alarm reporting should be set to Logging or Reference. All others should be set to Low priority unless they are important. A very small number should be set to High priority.
Alarm Configuration
In the Detail settings of a function block, disable any alarm types that are not required for that function block. Set hysteresis levels to avoid alarm chatter.
Alarm Masking and Disabling
However, the problem with these solutions is that in some contexts an alarm may need to be reported, whereas in other contexts it does not.
For example: High current alarm on a motor. This is important for tripping the motor and notification to the operator during normal operation. However, when the motor is first started, the current spike should be ignored.
Below are some possible techniques for dealing with these situations. These comprise masking and disabling alarms in function blocks:
- Masking: this does not disable the alarm function, but stops the alarm from being reported to the operator. Specific alarms or all alarms in a function block can be masked. This can be done manually by the operator or by logic in the FCS. These techniques are described below.

- Disabling: the alarm function within a function block can be disabled such that the alarm is not detected. Only a specific alarm within the function block can be disabled, and this can only be done in a sequence table or logic chart.

Procedure for Masking Nuisance Alarms through the operator display
This procedure for masking nuisance alarms can be performed during operation. It is important to be able to check which tags have had their alarms masked, and this section describes how to list which ones have been masked.
How to mask the alarm function of a tag:
1. Call up the faceplate for the tag.
This can be done in several ways:
- Click on the NAME button and type in the tagname.
- Call up the Alarm Window and double click on the tag.
- Call up the tag from a graphic or control group.
2. Call the Tuning Panel from the faceplate:
This can be done by clicking on the TUNING button in the Toolbox.
3. Click on the Alarm On/Off button, and then the Confirm button to disable the alarm.
This is a toggle button. Clicking on the same button will re-enable it.
When the Alarm Off button is pressed, the word AOF appears in the faceplate. This indicates that the alarm has been masked. This means that the alarm will no longer be reported to the Alarm Window. However, note that the alarm still appears on the faceplate itself.
Checking for Alarm Off status of Tags:
It is important to check periodically for tags that have had their alarm function masked. This can be done through the Process Report window.
1. To call the Process Report window, click on the Process Report button on the Toolbox, or press the same button on the Operator Keyboard.
2. The Process Report window appears. Click on the Tag Search Dialog button and select AOF under State. Press OK.
Masking alarms in logic
The alarm mask item is the AOF data item. The syntax for its usage in a sequence table is as follows:
| Item | Data | Meaning |
|---|---|---|
| Tag.AOFS | Alarm Type | Mask alarm of this type (eg, HI) |
| Tag.AOFS | AOF | Mask all alarms in this function block |
Example of usage:
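| | Item | Data | Rule 1 | Rule 2 |
|---|---|---|---|---|
| Condition | VALVE1.PV | ON | Y | N |
| Action | LC500.AOFS | HI | Y | N |
| Action | FI100.AOFS | AOF | Y | N |

If VALVE1 is open, mask the HI alarm of LC500 and mask all alarms of FI100. If VALVE1 is closed, unmask the HI alarm of LC500 and unmask FI100 alarms.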
Cancelling alarms in logic
This works in a similar way to alarm masking. However, when alarms are cancelled, the alarm detection process is disabled.
| Item | Data | Meaning |
|---|---|---|
| Tag.AF | Alarm Type | Cancel alarm of this type (eg, HI) |
| Tag.XAF | IOP | Cancel IOP alarm detection for this tag |
Example of usage:
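| | Item | Data | Rule 1 | Rule 2 | Rule 3 |
|---|---|---|---|---|---|
| Condition | MOTOR1.PV | ON | Y | Y | N |
| Condition | TIM01.BSTS | CTUP | N | Y | |
| Action | TIM01.OP | START | Y | | N |
| Action | II100.AF | HI | Y | N | N |

If MOTOR1 is running and timer not expired: start a timer and cancel the current alarm (II100).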
If MOTOR1 is running and timer has expired: re-enable the current alarm
If MOTOR1 is not running: stop the timer and re-enable the current alarm.
Representative Alarm Block
The representative alarm block provides a way of condensing the alarms of 16 function blocks in a single alarm. The operator can then call up this block and identify what alarm has occurred.
This block masks the alarms of the 16 function blocks connected to it, and raises a single alarm to the operator if any of the blocks goes into alarm.
To configure this block, go into the EDIT DETAIL of the block and select the Representative Alarm tab. The last field is where you type in the name of the connecting blocks.
For more information see the Instruction Manual: Reference, Part D1.31 (IM 33S01B30-01E).
3.4 Plant Hierarchy function
CS3000 allows function blocks, control drawings and FCSs to be assigned to a plant hierarchy. This has many benefits, such as the ability to filter alarms and define security by a plant area. Plant Hierarchy organises the plant control system in a layered architecture based on the ISA S88.01 physical model. CS3000 implements this according to the following diagram:
A Custom Plant can be built which enables you to build your own plant hierarchy. While the hierarchy can be designed in many different ways, a typical hierarchy might look like this:
Equipment Hierarchy Belongs to: Site A large area of plant FCS, HIS Area Site Drawing Cell Area Tag (FB or AN) Equipment Cell
Customising the Plant Hierarchy is accessed in the COMMON folder of the project, under the file name Custom Plant. In this you enter the equipment name and format, and Upper Equipment Name (ie, what it belongs to) for each type of equipment in the hierarchy. Usually, large plant areas with several FCSs will be designated as Sites, smaller areas that may be controlled by a single FCS are Areas, equipment sets that are controlled by a single drawing are Cells, and single elements such as alarms, transmitters, control loops, pumps and valves are designated as Equipment.
Control Drawings can be assigned to the plant hierarchy through the Equipment file in the CONFIGURATION folder of the FCS.
In summary, the various components of the DCS can be members of different levels of the hierarchy as follows:
| Equipment | Member of |
|---|---|
| FCS, HIS | Site |
| Control Drawing | Site, Area |
| Tag (FB or AN) | Site, Area, Cell, Unit, Equipment |
Once this has been done, it is then possible to assign an Upper Equipment Name to each FCS and HIS. This is done through the Properties dialog for each station. This then makes the FCS a member of a Site.
To assign control drawings to Areas, in the Configuration folder in the FCS, open the Equipment file. This lists all the drawings, and each can then be assigned to an Area or even a Site. Thus, although drawings within an FCS usually belong to the same Area, they can belong to different areas. Function Blocks can be assigned to Cells by selecting the Upper Equipment Name in the Properties dialog of the block. Likewise, Annunciators can be assigned to Cells by selecting the Upper Equipment Name in the Annunciator configuration.
The results of your plant hierarchy assignments can be viewed by the plant hierarchy viewer. This is accessed through the TOOL menu in System View. Within the viewer, stations, drawings and tags can be designated as equipment. This is useful for alarm filtering as described above.
Now that the hierarchy is set up, it can be applied to the Security, Operation Grouping and alarm settings. It can also be used for alarm filtering on the operator display.
In the Security Builder (Common Folder), in User Group fields (such as Monitoring Range, Process Message Receiving, etc), Site, Area or Cell names can be entered, and all FCSs, drawings or tags that are members of this hierarchy are then available. Thus, it is not necessary to list individual FCSs or drawing numbers. Similarly, HIS operation and monitoring scope can be configured in the same way in the Opecon file for the HIS.
Filtering of alarms can be simplified by selecting an equipment name in the search field in the Process Alarm page. Also, in the Process Report and Historical Event Message file, equipment names can be used to search for events, alarms and tags.
For more information on Plant Hierarchy, refer to the Instruction Manual: Reference Part E10.
3.5 Operation Mark
Attaching or removing a tag mark on a function block may temporarily enable or disable the operation restriction on the instrument faceplate. When an operation mark is attached to a function block, a comment label can be added to the function block and the security level of the block (i.e., the write access) can be changed temporarily during operation. When the operation mark is removed, the security level returns to the original setting.
Operation marks have the following attributes:
- Operation Mark type (Tag Level)
- Colour
- Comment Label
- Attachment/Removal attribute
Security Provided by an Operation Mark
When an operation mark is created, a security level (1-4) is defined that sets the accessibility of the faceplate when the operation mark is applied to it. This is defined in the Tag Level field as follows:
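| Tag Level | Privilege Level S1 | Privilege Level S2 | Privilege Level S3 |
|---|---|---|---|
| 1. Comment Type (no access restriction) | Y | Y | Y |
| 2. S2, S3 Privileges | N | Y | Y |
| 3. S3 Privilege | N | N | Y |
| 4. Operation Guard Type (write prohibited) | N | N | N |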
As well as defining the access level when the mark is applied, the access level required to apply and remove the operation mark can also be defined. This is defined in the Install/Remove attribute.
Operation Mark Label
Operation mark labels can be set using the operation mark definition builder. Up to 4 double-byte characters or 8 single-byte characters can be entered as the text on the label (string). The operation mark label may be temporarily changed during operation on the HIS setup window.
Operation Mark Color
The color of the operation mark is defined on the Operation Mark definition builder. The color of the operation mark may be temporarily changed on the HIS Setup window.
3.6 Operation Group
A number of HIS consoles on the same bus system can be defined with the same operation policy, so that operation and monitoring may be performed in units of the group. This group is referred to as an operation group.
Setting Operation Group Identifier
The following functions rely on the settings of the operation group identifier.
The HIS consoles with the same ID may acknowledge the same operation guide message or system alarm message.
The HIS consoles with the same ID may call up each other's panel set.
The operation group identifier is defined in the properties setting box. Up to 8 alphanumeric characters may be used, but only the first two characters stand for the ID; the text from the 3rd character onwards is treated as the ID comment. The default setting is [A1].
The wild card [*] may be used in group identifier setting. When setting the group ID as [A*], the acknowledgment operation is valid for HIS consoles with operation group identifiers beginning with the letter A.
Buzzer Acknowledgment Identifier (BuzzerACK)
For the alarm silence function, it is possible to define which HISs will have their alarm buzzer silenced when the Buzzer Reset button is pressed. All HISs with the same BuzzerACK ID belong to the same Buzzer Reset group, and if the Buzzer Reset button is pressed on any one of these HISs, then the buzzer will be silenced on all these HISs. Those HISs with a different BuzzerACK ID will not be silenced and their Buzzer Reset buttons must be pressed as well.
3.7 PICOT
PICOT is an under-used but very useful utility that allows downloading or capturing of FCS data in an Excel spreadsheet. It is simply necessary to list the tags and data items in a spreadsheet for the read or write. This has many uses, such as loading bulk tuning parameters, loading recipe data, capturing totals and averages for a report.
To use PICOT, the following packages are required:
- PICOT
- HIS-OPC
- Excel
The process is triggered by setting a %M3 event in a sequence table. This causes a Procedure definition file in the HIS to execute a download and/or upload as required using the Grade and Product files that contain the lists of tags. It is even possible to trigger Macros within the spreadsheet, such as a print of a report.
To set up PICOT, the following files must be configured in the CS3000\his\users\save\BKUPicot directory:
Procedure definition file: PrcxxxxSyyzz.xls. This file defines what happens when a %M3 request is triggered by an FCS. It initiates the reads/writes according to the Grade and Product definition files. One procedure definition file is required for each PICOT event in the FCS from which PICOT events are to be received.
The file name format is defined as follows:
- xxxx: a 4 digit number, eg, 0001, that corresponds to the %M3 number in the FCS.
- yy: domain of the FCS
- zz: station number of the FCS
File example: filename = Prc0001S0101.xls
| Num | Command | Arg1 | Arg2 | Arg3 |
|---|---|---|---|---|
| 1 | GRADESET | 0001 | | |
| 2 | PRODUCTSET | 0001 | | |
| 3 | DOWNLOAD | GROUP1 | | |
| 4 | UPLOAD | GROUP2 | | |
| 5 | END | | | |
In this example, the grade and product files are connected to, and then the download and upload are executed. Any number of upload and download commands can be listed before the END command.
Grade definition file (write): Gdfxxxx.xls (Download definition). This file contains the list of tags and data items, and the values to be loaded to these items in the FCS.
Example: file = Gdf0001.xls
| GROUP | TAG | ITEM | VALUE |
|---|---|---|---|
| GROUP1 | LC500 | P | 100 |
| | | I | 250 |
| | | D | 25 |
| END | | | |

Product definition file (read): PdfxxxxSyyzz.xls (Upload definition). This file contains the list of tags and data items to be read from the FCS.
Example: file = Pdf0001S0101.xls
| GROUP | TAG | ITEM | VALUE |
|---|---|---|---|
| GROUP2 | LC500 | PV | |
| END | | | |
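Because a grade definition file decides which values a %M3 event loads into the FCS, it is worth being able to list exactly what each procedure file writes and reads. The following added example (not part of the original training material or of PICOT itself) resolves the three example sheets above into that list and compares the writes with an approved list. The sheet rows are transcribed inline instead of being read from .xls files; the approved list, the inheritance of blank GROUP/TAG cells from the row above, and the use of the procedure file's Syyzz suffix to find the product file are assumptions.

```python
import re

PRC_NAME = re.compile(r"Prc(\d{4})S(\d{2})(\d{2})\.xls\Z")

# Sheet rows transcribed from the examples on this page.
PRC_ROWS = [(1, "GRADESET", "0001"), (2, "PRODUCTSET", "0001"),
            (3, "DOWNLOAD", "GROUP1"), (4, "UPLOAD", "GROUP2"), (5, "END")]
GRADE_SHEETS = {"Gdf0001.xls": [("GROUP1", "LC500", "P", 100), ("", "", "I", 250),
                                ("", "", "D", 25), ("END",)]}
PRODUCT_SHEETS = {"Pdf0001S0101.xls": [("GROUP2", "LC500", "PV"), ("END",)]}
# Hypothetical site policy: items this PICOT event is approved to write.
APPROVED_WRITES = {("LC500", "P"), ("LC500", "I")}


def expand_groups(rows):
    """Turn GROUP/TAG/ITEM/VALUE rows into {group: [(tag, item, value), ...]}."""
    groups, group, tag = {}, None, None
    for row in rows:
        cells = [str(c).strip() for c in row] + [""] * 4
        if cells[0].upper() == "END":
            return groups
        # Assumption: a blank GROUP or TAG cell repeats the value above it.
        group, tag = cells[0] or group, cells[1] or tag
        if not (group and tag and cells[2]):
            raise ValueError(f"incomplete row: {row!r}")
        groups.setdefault(group, []).append((tag, cells[2], cells[3]))
    raise ValueError("definition sheet has no END row")


def lookup(groups, name, command):
    """Fetch one group, rejecting commands that precede GRADESET/PRODUCTSET."""
    if groups is None:
        raise ValueError(f"{command} used before its definition file was set")
    if name not in groups:
        raise ValueError(f"{command} refers to unknown group {name!r}")
    return groups[name]


def picot_surface(prc_name, prc_rows, grade_sheets, product_sheets):
    """Resolve one procedure definition into the FCS items it writes and reads."""
    m = PRC_NAME.match(prc_name)
    if not m:
        raise ValueError(f"not a PrcxxxxSyyzz.xls name: {prc_name!r}")
    number, domain, station = m.groups()
    suffix = f"S{domain}{station}"
    result = {"event": f"%M3{number}", "station": suffix, "writes": [], "reads": []}
    grade = product = None
    for _num, command, *args in prc_rows:
        command, arg = command.upper(), (args[0] if args else "")
        if command == "END":
            return result
        if command == "GRADESET":
            grade = expand_groups(grade_sheets[f"Gdf{arg}.xls"])
        elif command == "PRODUCTSET":
            product = expand_groups(product_sheets[f"Pdf{arg}{suffix}.xls"])
        elif command == "DOWNLOAD":
            result["writes"] += lookup(grade, arg, command)
        elif command == "UPLOAD":
            result["reads"] += [(t, i) for t, i, _ in lookup(product, arg, command)]
        else:
            raise ValueError(f"unknown command {command!r}")
    raise ValueError("procedure has no END command")


def unapproved_writes(surface, approved):
    """Return the writes whose (tag, item) pair is not on the approved list."""
    return [w for w in surface["writes"] if (w[0], w[1]) not in approved]


if __name__ == "__main__":
    surface = picot_surface("Prc0001S0101.xls", PRC_ROWS, GRADE_SHEETS, PRODUCT_SHEETS)
    print(surface)
    print("not approved:", unapproved_writes(surface, APPROVED_WRITES))
```

Run against the page's examples, the event %M30001 from S0101 writes P, I and D of LC500 and reads its PV; with the hypothetical approved list the D write is reported for review.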
Triggering the read/write:
There are two ways of triggering the PICOT event:
1. Sequence table in FCS: the command in the action line of the sequence is:
%M30001.PV NON Y
This will send an event that causes Prc0001S0101 to execute.
2. Run from the PC: this simulates a trigger from the FCS and can be run from a VB program, etc. This format is: