Until very recently, many offshore platforms and vessels operated their entire working lives using only the safety systems and features that were installed during construction. Their mechanical systems performed a fixed set of functions that could be regulated and monitored by crews with complete knowledge of the systems and their interactions.

But the offshore industry and its business processes are evolving rapidly. As the offshore industry continues to deploy highly instrumented, automated and connected assets, unforeseen technical problems and risks have emerged.

Control systems
Today systems interconnect more widely than before, and this introduces concerns with system integrity. The first major area of concern is therefore control systems, system interfaces and data management.

System integrity is the degree to which a particular system can operate completely deterministically—that is, its behavior in all circumstances is known, predictable and within designed boundaries and remains in that condition without conscious operator action despite potential failures or interfering influences. System integrity provides reliability and dependability, but it is affected by system modifications.

Typical requirements for systems on offshore units include the functions and considerations associated with software-intensive systems. Life-cycle requirements—which at one time were based largely on finite numbers of improvements or replacements to hull machinery and equipment resulting from long technology evolution cycles—now also include software updates and upgrades along with associated asset configuration and version control efforts.

Software modifications, updates and upgrades during the asset life cycle affect system behavior and response and therefore affect system integrity. This is most visible where real-time (RT) and near-real-time (NRT) control systems are used.

RT and NRT control systems are critical to the safe and effective operation of offshore assets. Their quick responses, data capture functions and labor-multiplying effects deliver vastly expanded capabilities. These types of control systems are referred to as operational technology (OT).

System integrity is central to offshore OT systems largely because of the complexity inherent in applications like drilling systems, which are highly integrated. On an offshore asset, many individual OT systems function together to produce the desired functionality. When the overarching functionality is defined and documented, the goals, purposes and critical natures of the connected subsystems are clear. It is at that point that the notion of system integrity is created as a required and expected function that has to remain unaffected by either internal or external conditions.

Upgrades, vulnerabilities
The second major area of concern is configuration control. While there are many integrity-reducing conditions, a fair number of them can be managed through disciplined implementation of a relatively small number of comprehensive software quality engineering practices that include a detailed OT system architectural description, strict control of OT software and hardware evolution, and disciplined physical and cyber-OT system security protection.

Inadequate understanding of OT system architecture opens the door to threats to system integrity. For offshore crew members to maintain system integrity, they need to understand their systems completely, and they must have a detailed functional description of the OT system architecture. This transparent view of the “virtual asset” provides a working view of the asset that is critical to system operation, recovery, system evolution and system protection.

Clearly, controlling and managing updates and upgrades are critical to maintaining system integrity. Cost control measures, however, can work against good configuration control in two ways. The first is perceived return on expenditure: owners commonly look for rapid and measurable value from software updates, because updates are rarely tied to physical construction or drydocking. When that value is not recognized, the decision is often to defer updates to OT systems.

The opposite effect occurs when systems are updated simply because maintenance contracts include clauses that allow external third parties to perform updates to maintain specified performance levels. If original equipment manufacturers (OEMs) or third-party maintenance personnel modify software without the owner's or crew's knowledge, the working system configuration becomes very fragile.

Strict OT system software, firmware and hardware control is possible if all changes are vetted and authorized prior to installation. This evolutionary process can be orderly and effective if managed conscientiously.

Managed system evolution includes applying software management-of-change practices to all systems. It demands supplier transparency in change and configuration management during software development and maintenance, disciplined pre-installation review of new OT system elements, pre-installation supplier testing protocols for both computer hardware and software, disciplined warm- and cold-stacking of OT systems, and preplanned OT system end-of-life management.
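The configuration-control practices above come down to a concrete check: is what the asset is actually running the same as what the owner authorized? The following is an added example, not code from the original article, that compares a running software inventory with an authorized baseline (approved version, hash of the approved build, and the management-of-change record that authorized it). The element names, versions, image contents and MoC identifiers are constructed for illustration; the undocumented vendor update, the silently patched controller and the unknown remote-support agent are the cases the text warns about.

```python
"""Added example: verify an offshore unit's running OT software inventory
against its authorized configuration baseline. Not from the original
article; all element names, versions, images and MoC identifiers are
constructed for illustration."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(approved_images: dict, approvals: dict) -> dict:
    """Baseline = approved version, hash of the approved image and the
    management-of-change (MoC) record that authorized it, per element."""
    return {
        name: {"version": version, "sha256": sha256_hex(image), "moc": approvals[name]}
        for name, (version, image) in approved_images.items()
    }


def verify_inventory(baseline: dict, inventory: dict, moc_register: dict) -> dict:
    """Compare what the asset runs (inventory: name -> (version, image))
    with the baseline. Returns {element: (finding, detail)}; elements that
    match the baseline exactly are omitted."""
    findings = {}
    for name, approved in baseline.items():
        if name not in inventory:
            findings[name] = ("MISSING", "controlled element not found on the asset")
            continue
        version, image = inventory[name]
        digest = sha256_hex(image)
        if version == approved["version"]:
            if digest != approved["sha256"]:
                findings[name] = ("HASH_MISMATCH",
                                  f"version {version} reported but image differs from the approved build")
            continue
        # Version differs from baseline: acceptable only if an approved MoC
        # record exists for exactly this element, version and image.
        moc = moc_register.get((name, version))
        if moc and moc["status"] == "approved" and moc["sha256"] == digest:
            findings[name] = ("APPROVED_NOT_BASELINED",
                              f"{version} authorized under {moc['id']}; update the baseline")
        else:
            findings[name] = ("UNAUTHORIZED_CHANGE",
                              f"{approved['version']} -> {version} with no matching approved MoC record")
    for name in inventory:
        if name not in baseline:
            findings[name] = ("UNKNOWN_ELEMENT", "not in baseline or architectural description")
    return findings


def run_example() -> dict:
    """Constructed scenario: five controlled elements, one vendor update
    made under a maintenance clause without an MoC, one silently patched
    controller, one approved update not yet baselined, one missing element
    and one unknown agent."""
    approved_images = {
        "drilling-control-plc": ("4.2.1", b"constructed PLC image 4.2.1"),
        "bop-control-hmi": ("2.0.0", b"constructed HMI image 2.0.0"),
        "dp-system-controller": ("7.1.3", b"constructed DP image 7.1.3"),
        "ballast-control": ("1.4.0", b"constructed ballast image 1.4.0"),
        "crane-control": ("3.0.0", b"constructed crane image 3.0.0"),
    }
    approvals = {name: "MoC-0001" for name in approved_images}  # delivery baseline
    baseline = build_baseline(approved_images, approvals)
    moc_register = {
        ("crane-control", "3.1.0"): {"id": "MoC-0107", "status": "approved",
                                     "sha256": sha256_hex(b"constructed crane image 3.1.0")},
    }
    inventory = {
        "drilling-control-plc": ("4.2.1", b"constructed PLC image 4.2.1"),
        "bop-control-hmi": ("2.1.0", b"constructed HMI image 2.1.0"),           # vendor update, no MoC
        "dp-system-controller": ("7.1.3", b"constructed DP image 7.1.3 patched"),  # same version, different image
        "crane-control": ("3.1.0", b"constructed crane image 3.1.0"),          # approved, baseline stale
        "remote-support-agent": ("0.9", b"constructed agent image"),           # never documented
    }
    return verify_inventory(baseline, inventory, moc_register)


if __name__ == "__main__":
    for element, (finding, detail) in sorted(run_example().items()):
        print(f"{element:24s} {finding:24s} {detail}")
```

The check is deliberately strict about hashes: a version string alone is self-reported by the component and says nothing about whether the image is the one that was tested and approved. An approved MoC record must name the exact image it covers, otherwise a vendor could ship a different build under an approved version number.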

Cyberthreats
The third major area of concern is cybersecurity. As remote connectivity through the Internet has increased, it has opened OT systems to integrity threats. Networked and remote connectivity bring major high-profile threats to OT systems.

Threats to remotely accessible systems have created a need for new types of corporate expertise and new practices and protective imperatives to manage threats to OT system integrity. Now more comprehensive policies for establishing organizational, technical and procedural capabilities are being applied to protect OT systems.

Two practices are particularly useful in protecting integrity: formal requirements management and documented system traceability. Documenting the linkages of formally stated requirements to the as-built system architecture, test procedures, and criticality and safety analyses allows those in the change management approval workflow to base decisions about system evolution on the original functional intent of the software.

These processes are part of normal systems engineering. Positive control of systems integrity and systems configurations is required before effective cybersecurity is possible. Cybersecurity of safety-critical systems really translates to maintaining integrity and deterministic outcomes of those systems.
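A traceability record is only useful to the change-approval workflow if it can be queried: which requirements does a proposed change touch, which tests and safety analyses must be redone, and which affected requirements have no test at all? The following is an added example, not code from the original article, of a small requirements traceability matrix for an OT system and a change-impact query over it. The requirement texts, architecture elements, test identifiers and safety-analysis identifiers are constructed for illustration.

```python
"""Added example: requirements traceability matrix and change-impact query
for OT system change approval. Not from the original article; all
identifiers and requirement texts are constructed."""

REQUIREMENTS = {
    "REQ-01": "Drawworks brake shall engage within 500 ms of an emergency stop",
    "REQ-02": "BOP shear ram shall close on operator command from either control pod",
    "REQ-03": "DP controller shall hold station after loss of any single thruster",
    "REQ-04": "HMI shall log every setpoint change with the user identity",
}
CRITICALITY = {"REQ-01": "safety-critical", "REQ-02": "safety-critical",
               "REQ-03": "safety-critical", "REQ-04": "operational"}
# requirement -> as-built architecture elements that realize it
ALLOCATION = {
    "REQ-01": {"drawworks-plc", "estop-loop"},
    "REQ-02": {"bop-pod-blue", "bop-pod-yellow", "bop-control-hmi"},
    "REQ-03": {"dp-controller", "thruster-drive"},
    "REQ-04": {"bop-control-hmi"},
}
# test procedure -> requirements it verifies
TESTS = {"TST-11": {"REQ-01"}, "TST-12": {"REQ-02"}, "TST-13": {"REQ-03"}}
# safety / criticality analysis -> requirements it covers
SAFETY_ANALYSES = {"HAZ-03": {"REQ-01", "REQ-02"}, "FMEA-07": {"REQ-03"}}


def invert(mapping: dict) -> dict:
    """{key: set(values)} -> {value: set(keys)}"""
    out = {}
    for key, values in mapping.items():
        for value in values:
            out.setdefault(value, set()).add(key)
    return out


def coverage_gaps() -> dict:
    """Requirements that are not fully traced: every requirement needs at
    least one test; safety-critical ones also need a safety analysis."""
    tests_for = invert(TESTS)
    analyses_for = invert(SAFETY_ANALYSES)
    gaps = {}
    for req in REQUIREMENTS:
        missing = []
        if not tests_for.get(req):
            missing.append("test")
        if CRITICALITY[req] == "safety-critical" and not analyses_for.get(req):
            missing.append("safety analysis")
        if missing:
            gaps[req] = missing
    return gaps


def change_impact(changed: set) -> dict:
    """Given the architecture elements a proposed modification touches,
    return what the MoC approver must re-verify before authorizing it."""
    affected = {req for req, elems in ALLOCATION.items() if elems & changed}
    retest = {t for t, reqs in TESTS.items() if reqs & affected}
    reassess = {a for a, reqs in SAFETY_ANALYSES.items() if reqs & affected}
    tested = set().union(*TESTS.values())
    return {
        "requirements": affected,
        "retest": retest,
        "reassess": reassess,
        "untested": affected - tested,   # affected requirements with no test to rerun
        "safety_critical": any(CRITICALITY[r] == "safety-critical" for r in affected),
    }


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps())
    # A vendor proposes an HMI update under a maintenance clause.
    impact = change_impact({"bop-control-hmi"})
    for key, value in impact.items():
        print(f"{key:16s} {value}")
```

Run against the constructed matrix, an update to `bop-control-hmi` comes back as touching a safety-critical requirement (REQ-02) that must be re-tested and re-assessed, and an operational requirement (REQ-04) that has no test procedure at all; both are facts the approver needs before signing off, and neither is visible from the vendor's release note.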

Dependence on software, automation
Growing dependence on software, increases in control system integration and more widespread connectivity to onshore monitoring systems have made cybersecurity a serious issue. Expanding automation means more interconnections, which present additional hazards, whether through the introduction of malicious code, malevolent actions, or imprudent care and maintenance.

There is greater pressure on OEMs, software developers and shipyards to design assets for which the system architecture is well defined, documented and communicated so informed decisions can be made throughout the asset’s service life—before, during and after modifications. Better system architecture and engineering should require that the unit be delivered with a documented process in place so security updates can be carried out easily.

The role of classification in this evolving environment is to apply technical competence and experience to determine risks and hazards and to provide a framework for practical and appropriate safety infrastructure without unduly restricting the potential for progress.