Digital Energy Journal- Why we fail to manage control system software

Join | Existing Member Login

You are Home » News » View Article

Why we fail to manage control system software

Friday, July 24, 2015

Control system software management processes in the oil and gas industry often fail due to lack of corporate support, responsibilities not enforced, lack of deployment support, lack of training and poor vendor inclusion, writes Christopher Goetz.

Control system software management processes in the oil and gas industry often fail due to lack of corporate support, responsibilities not enforced, lack of deployment support, lack of training and poor vendor inclusion, writes Christopher Goetz. By Christopher Goetz, director, Kingston Systems

The oil and gas industry, specifically drilling, has come to recognize that managing software installed on Automated Control System PCs and Programmable Logic Computers is a critical engineering practice to avoid Non-Productive Time (NPT) and lost time injuries.

This comes in the form of Software Management of Change (SMOC) processes, procedures and policies.

These SMOC steps are now commonly identified by equipment owners as vital in maintaining the integrity of the software code and security of the control systems from inadvertent code regression or cyber threats like STUXNET.

However, in our review of how they are implemented on old and new rigs around the globe, we have yet to see a successful deployment.

Here, we will examine five of the most common reasons that Kingston Systems sees as the failure of SMOC to take hold, leaving the rig vulnerable to costly NPT.

Lack of corporate support

Consistently, we see that corporate management is quick to add work load and requirements for activities, but slow to add funding and technical or service support for the key policies and procedures that must be in place for SMOC to take hold.

This lack of a clear mandate sends a clear signal to maintenance crews. Something akin to 'Figure this out on your own. It needs to be done, but we won't help. If you mess up and we have a software or cybersecurity incident it will be you that gets the attention.'

A defined corporate mandate with funding and support for the initial design, rollout and long term maintenance of SMOC is the solution.

Roles and responsibilities not enforced

As the SMOC gets little attention from corporate management, the defined roles and responsibilities carry little weight in the field.

While all field personnel have a defined role in SMOC, in practice, these responsibilities are ignored and the job falls on to the head of a single individual. And often the role is taken on board with resentment due to the poor role definition, support and training.

Thus, the work load becomes unmanageable, and it is poorly and inconsistently applied. Kingston Systems has seen wide variance in execution levels between facilities and even between crews on a single facility. A cultural adjustment is required to make SMOC work. This requires a team or inclusive deployment and support plan. It is not something that can be established overnight.

Deployment support

As mentioned, the change cannot happen overnight. As with any new process there is a deployment front-end load. A large amount of activity that must be done before SMOC can be effective.

To be done correctly, the contractor should have a dedicated deployment team that attacks this front-end work load, provides training and coaching and gets the system up and running.

This does not seem to happen. Rather, the new SMOC process, roles and tools are emailed out and the expectation that SMOC be in place immediately. Corporate is often surprised when 1 year later there has been little positive motion and SMOC is still not functioning. Deploying SMOC is a larger endeavor than realized. The cultural and personnel needs have to be addressed as part of the deployment plan.

No training

A consistent gap Kingston Systems sees in audits is the lack of even the most basic training to relay the who, how, what and whys of SMOC. Today, the rigor of following SMOC does require a cultural change and does require that all team members understand their role in making the process work.

The lack of training further supports the lack of corporate and deployment support. And again without these the roles and responsibilities are misconstrued, the application becomes weak and inconsistent. An inconsistent SMOC program falls critically short of meeting its mission of protecting code and securing hardware.

Vendor inclusion

We consistently see that vendors of the control system have been slow to support the owners in their efforts of SMOC deployment.

This hesitance or passive resistance is surprising considering that the vendors seem to consistently be the primary source of regression and cyberattack through their direct actions with their own equipment.

As a bright spot in the discussion, this seems to be changing. Several vendors have started presenting better SMOC solutions, and have been more open about sharing versioning and other components with drilling contractors and equipment owners.

To help overcome some of these issues Kingston Systems utilizes a simplified online software version control register. This interface encompasses all of the key elements required for SMOC in a simple package that supports all vendor systems and helps address the training gap through its interface and training content. However, it is only a tool.

A Software MOC program cannot be successfully implemented without addressing the five failing points we have identified.

Christopher Goetz is the founding director of Kingston Systems and has 20 years of oil and gas experience to the field of rig auditing and operations. Based in Houston, Kingston Systems works with Operators and Contractors to review, build and rollout successful Software MOC programs on facilities and rigs.

Associated Companies
» Kingston Systems

CREATE A FREE MEMBERSHIP

To attend our free events, receive our newsletter, and receive the free colour Digital Energy Journal.