Giving View Only Access To PLC's

Mark Wilson

Member | Join Date: Nov 2013 | Location: Franklin, Tennessee | Posts: 8

Hello

I am looking for help with how to set up view-only access for E&I Techs for various Allen Bradley PLCs. There are PLC 5, MicroLogix, CompactLogix, ControlLogix.

I want to set up some workstations and laptops and give them view-only access for troubleshooting and maybe give some limited edit capability.

The Logix Family PLCs are mostly on Ethernet and the SLC and PLC 5 units are on DH+.

There are 2 ControlNet systems and most of the MicroLogix Family units are not networked.

I see some scattered info on the Rockwell Automation website about processor security but some looks old and some newer but all a little dated.

How can this be done? What methods should I be considering?
 
Simplest method is to put the processor in RUN mode via the keyswitch, then lock away the keys.

They can go online, but no edits made.
 
> Hello
>
> I am looking for help with how to set up view-only access for E&I Techs for various Allen Bradley PLCs. There are PLC 5, MicroLogix, CompactLogix, ControlLogix.
>
> I want to set up some workstations and laptops and give them view-only access for troubleshooting and maybe give some limited edit capability.
>
> The Logix Family PLCs are mostly on Ethernet and the SLC and PLC 5 units are on DH+.
>
> There are 2 ControlNet systems and most of the MicroLogix Family units are not networked.
>
> I see some scattered info on the Rockwell Automation website about processor security but some looks old and some newer but all a little dated.
>
> How can this be done? What methods should I be considering?

This is lame...why?

If you don't give them access to edit the code, why give them access at all?

If they can't be trusted, they are not fit to get into the code, and you should be providing alternative means for troubleshooting. Why put someone in the position that they can troubleshoot a problem that they can't fix?

If they can be trusted, let them in, I don't see how a "limited editing capability" can work.

Next you'll be asking for 16 levels of access, based on the individuals' capabilities..!!
 
> Simplest method is to put the processor in RUN mode via the keyswitch, then lock away the keys.
>
> They can go online, but no edits made.

Most maintenance techs can find a small screwdriver and a file...
 
The big-iron approach is FactoryTalk AssetCentre. You get very granular permissions for each of the editors (RSLogix 5, 500, 5000) and each of the users.

FTAC also has features that do disaster recovery and edit auditing; you'll know who did what when.

You can get very specific; one user might have permission to edit only SLC-500 controllers, and another might be able to edit the ControlLogix but not add an I/O module. It gets complicated fast.

A less heavy-duty approach is to equip some of the users with the Service Edition (RSLogix 5000) or Starter Edition (RSLogix 500) of the software, so they can't do edits.

But the most common, and least observed, method to keep people from editing the controller is the good old keyswitch.

I once encountered a system that would shut down the process and turn on a klaxon if somebody put the PLC-5 in REM RUN or REM PROG mode. The klaxon and the PLC cabinet were both in the main control room. You only made that mistake once.
 
> This is lame...why?
>
> If you don't give them access to edit the code, why give them access at all?
>
> If they can't be trusted, they are not fit to get into the code, and you should be providing alternative means for troubleshooting. Why put someone in the position that they can troubleshoot a problem that they can't fix?
>
> If they can be trusted, let them in, I don't see how a "limited editing capability" can work.
>
> Next you'll be asking for 16 levels of access, based on the individuals' capabilities..!!

Sir

I respectfully disagree. I am very new to this field but I do know the basic concepts. From what I know, once a PLC-controlled machine is working correctly its code does not change itself, and so if the machine has issues it has to be an I/O device that is not working correctly.

From what knowledge I have, a field I/O device is much easier to troubleshoot if you have the PLC logic and status available. You should not need to modify the code to find the issue with the field I/O device, thus read-only access should work OK.

At this site there have been several issues in the past 2 years where people were hurt and property was damaged because someone changed something in code that they did not understand. Also there are constant issues keeping the equipment running, as there is a large group of untrained people with full access who change things without going through the proper channels and without documenting, etc.

I have been mandated to get a handle on this and there are only 2 E&I techs that are trained and are mature enough to have edit capability and I feel that the rest can do their job functions with read only access.
 
Mark, the history you describe punctuates what daba is saying. The goal should be to troubleshoot a machine without the use of a laptop.

Now, I'm not saying that looking at the code isn't a wonderful tool. What I am saying is that if there is a failed field device, then there needs to be notification (via HMI/SCADA or whatever) on where the problem is. The laptop shouldn't be the first weapon of choice. ;)

I'm going to editorialize for a moment.

Believe me, I feel your pain. I've run into the same issue of people just lacking critical thinking and troubleshooting skills, don't take the time to find out how a machine works or why it does things the way it does. We become babysitters, spoon-feeding information to them that they should already know, and then it's difficult to give the troubleshooting tools for the machines as I briefly outlined above, because we get interrupted by the same people who seemingly have no troubleshooting skills and no drive to learn. Throwing up their hands and saying "I just can't do it". That's just c.r.a.p...

Okay, maybe that was more of a rant...:ROFLMAO:

Not saying it's an easy task to wean them off of the laptop. There will be some growing pains. But once you get there, these problems will all but disappear. And you'll get a better class of troubleshooters.
 
If you have (or could implement) connectivity between all the involved controllers and software running PCs and also possess significant financial resources, FactoryTalk AssetCentre is the preferred tool.
http://www.rockwellautomation.com/rockwellsoftware/assetmgmt/assetcentre/overview.page
The "Basic" setup will cost you some $5K (List) for the software and probably another $4K for a Server Class PC.
Once set up, FTAC will be able to "control" the access level of any logged Windows User to any RA editor or system configuration tool while also controlling the applications' revisions.
If you want to go one step further (and I personally think it is worth the investment) another $5K or so will get you the FTAC Disaster Recovery feature which could continuously and automatically audit any active application comparing it to a "template"; in case of found differences, FTAC could automatically generate email to all interested parties, messages which contain the comparisons' results.
FTAC was developed to be used primarily on AB/RA automation platforms; however, there are available "connectors" for third party platforms such as Siemens or Schneider; these "connectors" will have to be purchased separately though, and of course they don't come cheaply either... :D
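
The baseline-versus-running-program comparison described in the post above, sketched as an added example that is not part of the original thread and is not how FactoryTalk AssetCentre is implemented. The export layout, the sample rungs and the function names `parse_export` and `audit` are assumptions made for illustration.

```python
import difflib

# Constructed sample exports. The layout (a "ROUTINE <name>" header followed
# by one rung per line) is an assumption for this example, not a Rockwell format.
BASELINE = """\
ROUTINE MainRoutine
XIC Start_PB XIO Stop_PB OTE Motor_Run
XIC Motor_Run TON Run_Timer 5000
ROUTINE Safety
XIC Guard_Closed XIC EStop_OK OTE Safety_OK
"""
CURRENT = """\
ROUTINE MainRoutine
XIC Start_PB   XIO Stop_PB OTE Motor_Run
XIC Motor_Run TON Run_Timer 500
ROUTINE Safety
XIC EStop_OK OTE Safety_OK
ROUTINE Scratch
XIC Test_Bit OTE Motor_Run
"""

def parse_export(text):
    """Return {routine: [rung, ...]}; whitespace is collapsed so reformatting is not flagged."""
    routines, name = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        if line.startswith("ROUTINE "):
            name = line[len("ROUTINE "):]
            routines[name] = []
        elif name is None:
            raise ValueError("rung found before any ROUTINE header")
        else:
            routines[name].append(line)
    return routines

def audit(baseline_text, current_text):
    """Return findings as (kind, routine, baseline rung index or None)."""
    base, cur = parse_export(baseline_text), parse_export(current_text)
    findings = []
    for name in sorted(set(base) | set(cur)):
        if name not in base:
            findings.append(("routine_added", name, None))
        elif name not in cur:
            findings.append(("routine_removed", name, None))
        else:
            ops = difflib.SequenceMatcher(None, base[name], cur[name], autojunk=False).get_opcodes()
            findings += [(tag, name, i1) for tag, i1, _, _, _ in ops if tag != "equal"]
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

On the constructed data this flags the shortened timer preset, the rung in the Safety routine that lost its guard contact, and the added Scratch routine, while ignoring the whitespace-only change in the first rung.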
 
> The goal should be to troubleshoot a machine without the use of a laptop.

I think both... have the ability to do simple troubleshooting by looking at the LEDs on the CPU, then if needed go further by troubleshooting the code with the laptop.

And this is done by... training your employees, not locking them out.

In the short term (before they are trained) remove the laptops and give them a printed version of the code. They can troubleshoot by looking at the pages and looking at the I/O (LEDs) on the CPU; this will only make them better troubleshooters in the end.

ALSO... since you are in TN there is one of the best trainers in the USA just a few hours away www.ronbeaufort.com send them to him and you will not need to lock them out of the CPU and you will have more up time... then everyone will be happy :)


Edit:
Tim also has classes and may do training onsite http://www.theautomationstore.com/a...g-for-the-micrologix-and-slc-plc-5-day-class/

Just another thought...
 
I mainly do just maintenance and troubleshooting. The laptop is the tool of last resort for me. It can be time consuming sometimes, going to get it, going online, going through the code. (Looks cool though :) Knowing how the machine functions, having good electrical drawings (this really is important) and then learning to observe. The I/O status lights and knowing the sequence of events gets the job done pretty quick 90% of the time.

IMHO Thanks!
 
Personally if a HMI or a small dataliner is available then I would generate full diagnostic alarm messages for all monitorable items, with the idea that the machine could be diagnosed without even opening a cabinet let alone get the laptop out.

Basically it's the responsibility of the logic coder to facilitate this to allow bubbas to maintain with very little pain.

Steve
 
Mark,

then may i suggest that you install RSladder on the maintenance laptops.

this allows you to view the code but not edit the code.
i don't know if it exists for the logix5000 software.

you have several options.

1. lock the plc's in run mode and take the keys.
2. lock the maintenance laptops in a secured location.
when the maintenance crew needs to get online, have someone check out the laptop to them.
3. the software method mentioned earlier by Ken.
4. install an HMI terminal and program all i/o into the hmi screens.
5. install rsladder to view the software.
6. train the maintenance crew. only they can have laptops or make changes. anyone caught violating this policy is terminated.

regards,
james
 
> Most maintenance techs can find a small screwdriver and a file...

A bit far-fetched. Someone go through that trouble/risk so they can make a program change they aren't supposed to make?

Considering using the keyswitch method is FREE, can you provide a better alternative? As others have mentioned you can certainly go the FactoryTalk AssetCentre route, but it ain't cheap and certainly will need cost justification. So, techs using a screwdriver and file, maybe that can aid in justification if/when it starts to happen.

I agree the laptop should be the last resort when troubleshooting. In my experience troubleshooting skills of maintenance techs are poor; logical thinking and understanding of the systems is not there, could be for any number of reasons. Lack of training, poor system documentation, old systems which have been morphed/band-aided over the years, lack of skillset....laziness. I have not seen many systems that truly do a good job of diagnosing field equipment from the SCADA panel, so getting online is sometimes the only way to really find the problem. Imagine the system that has run for years without issue, suddenly it breaks down. Some of these small support systems are just taken for granted that they work, and may not have much for information display.
 
