Introduction | Control System Migration | Part 4 November 2024 — by Tom McGreevy, PE, PMP, CFSE — Give yourself a pat on the back, you’ve successfully navigated the tasks of providing procurement specification and selecting a vendor for your control system migration project . In part four of this series , we will be exploring scope, schedule, and budget. These elements form the “triple constraint” or what is sometimes referred to as the “three-headed monster” of control system migration project management — or any project, for that matter . The success of a migration project depends on balancing these constraints, with trade-offs required to meet objectives while addressing stakeholder needs, industry mandates, and operational realities. Phased Project Execution and Trade-offs Ideally, control system migrations follow a phased approach — starting with conceptual and preliminary design, moving through detailed design, and ending in execution. However, phases do not always flow sequentially, and overlapping activities are common, a phenomenon that makes a project more challenging. At the heart of control system projects lies the negotiation between scope, schedule, and budget. These three variables shape the project from inception to completion. Stakeholders, including project sponsors, operations teams, and users, bring different priorities to the table — requiring alignment to strike the right balance. For example, a project's scope must align with user requirements while staying within budget and schedule constraints. While many projects have some flexibility for scope, budget and schedule trade-offs, few projects are entirely unconstrained. Rare exceptions exist — such as the rapid construction of the Pentagon during World War II or the development of the atomic bomb — where scope and schedule were paramount, and budget was comparatively unlimited. However, most control system migrations are not afforded a constraint waiver, making the balancing act of scope, schedule, and budget a constant challenge. The Importance of Schedule and Outage Management In many control system migration initiatives, the project schedule is non-negotiable. Certain projects — such as those in the energy sector — are driven by government regulations (like Title V permitting ) or market demands, forcing strict adherence to timelines. Refinery turnarounds are a prime example: These large-scale maintenance events may only occur every 10 years, and once scheduled, the dates cannot shift. The high cost of shutting down operations for a refinery or chemical plant places immense pressure on teams to execute migrations efficiently within the set outage window. Outage durations and deadlines are major factors influencing both project scope and budget. Teams must prepare thoroughly to avoid overruns, as missing an outage window could result in costly delays. Planning and execution are equally critical during cutover phases when legacy systems are replaced with new ones, requiring seamless transitions within tight timeframes. Stakeholder Engagement and Balancing Constraints Engaging stakeholders early in the migration process is essential to align expectations around scope, schedule, and budget. By understanding their priorities — whether cost control, quality, or speed — project teams can manage trade-offs effectively. For example, a project may prioritize scope and quality, leaving budget as a secondary concern. However, as the old project management adage goes: “ You can have two of the three—scope, schedule, or budget—but the third must remain flexible .” A common question when setting priorities is whether quality fits within scope. In control system migrations, quality is considered a given. If the migration is poorly executed, operational issues will surface immediately, posing significant risks to production. Based on this, ensuring quality throughout the process is non-negotiable, even if it means adjusting schedule or budget constraints. Whether the new control system is ultimately a “Chevrolet”, or a “Cadillac” is a scope question, the answer to which depends on user requirements. However, whether a Chevy or a Caddy, the solution must be of high quality.    Scope — V-Model Systems Engineering The V-Model Systems Engineering approach is a widely recognized and robust framework, that is particularly valuable in managing project scope within control system migrations. Originating from the systems engineering discipline, the V-Model has been used extensively by industries such as process control and process safety and is a standard practice in high-stakes environments like the Department of Defense (DoD). The DoD has adopted the V-Model as a foundational approach for all acquisition systems, owing to its reliability and flexibility across various complex systems. The V-Model’s structured yet adaptable framework makes it an ideal tool for managing the many layers of control system migrations, where scope must be clearly defined and rigorously adhered to. The model is not only a theoretical construct but also integrated into practical standards like the IEC 61511 standard for Safety Instrumented Systems, demonstrating its alignment with the development and delivery of safety-critical industrial automation systems. Understanding the V-Model Structure   Image Source   The V-Model is visually represented as a “V” shape, with each side denoting specific phases of a project lifecycle. Starting from the upper left, the model begins with conceptualization and planning stages, where project requirements are established. These initial steps serve as the foundation for the entire project, ensuring clarity in objectives and design specifications. As the project progresses down the left side of the “V,” each phase deepens the project’s detail, moving through stages such as system architecture, preliminary design, and detailed design. At the bottom of the “V,” the project reaches the development and integration phase, where the designed systems are constructed and configured. The right side of the “V” begins with the validation and verification stages, where each element developed is thoroughly tested and validated against the original requirements set out in the project’s conceptual phase. This structured approach provides a clear pathway from inception to completion, ensuring that each component of the control system migration aligns with the initial scope and quality expectations. An important element of the “V” is that systems engineering does not end after system commissioning but should continue throughout the life of the asset to ensure upgrades and changes are also managed in a systematic manner. Benefits of the V-Model in Control System Migrations The V-Model’s stepwise progression is highly beneficial in control system migrations, where maintaining scope integrity is crucial. Each phase builds upon the last, allowing for consistent alignment with project objectives. The systematic approach helps minimize scope creep —  a common risk in complex migrations — and ensures that each requirement is tracked through development to final validation. One of the unique strengths of the V-Model is its emphasis on early-stage requirements. By investing time in clearly defining the project’s scope and requirements at the outset, teams can better manage expectations, budgets, and timelines. This is particularly valuable in environments where safety and reliability are critical, as any deviation from the intended design could result in costly or even hazardous outcomes. Scope — Requirements Document The Requirements Document is a foundational component in any control system migration, defining what the project must achieve and setting the framework for success. At the outset, the project team collaborates with stakeholders to clearly define the project’s objectives, specifications, and performance standards. This process ensures alignment around the key questions: What are we trying to accomplish?  and What are the essential requirements? In a control system migration, whether a Basic Process Control System (BPCS) or Safety Instrumented System  (SIS), a requirements document addresses the unique demands of replacing outdated and unsupported systems. As technology evolves, older systems eventually become unsupported, are difficult to maintain, lack operational reliability and flexibility, and no longer meet the organization’s needs. Establishing clear, detailed requirements is imperative in ensuring the new control system addresses these challenges effectively. Key Elements in Requirements Documentation The requirements document must integrate inputs from multiple entities involved in the control system’s operation and maintenance: Physical Environment Requirements :  This includes details about the physical assets the control system connects to, such as motors, pumps, compressors, tanks, and valves. Understanding the full scope of the machinery and processes the control system controls is crucial for designing a system that operates safely and effectively. User Requirements : Operators are on the front lines of system interaction, making user-friendly interfaces critical. The requirements document specifies Human-Machine Interface  (HMI) design, alarm management, and process visualization needs, ensuring that operators can navigate the system efficiently and without undue stress. Maintenance and Troubleshooting Requirements :  Maintenance teams need access to troubleshooting tools and systems capable of proactive fault detection. Requirements for system diagnostics, error reporting, and asset management tools (such as those using HART communication protocols ) are outlined to streamline ongoing maintenance. Advanced Control and Optimization :  For organizations aiming to optimize quality and profitability, the requirements document includes specifications for advanced applications and optimization tools. These capabilities allow for efficient control of complex processes and help meet business objectives. Cybersecurity and IT Requirements :  IT teams and cybersecurity stakeholders provide input on access control, remote troubleshooting capabilities, and integration with broader IT systems. This is especially important in cases where engineers or maintenance personnel may need secure, remote access to the control system. Business and Management Requirements :  Business leaders often have specific visibility requirements, allowing them to monitor production and other metrics from a management perspective. The requirements document captures these needs, balancing operational transparency with security concerns. The Systems Engineering V-Model for Requirements Documentation The Systems Engineering V-Model discussed earlier is also frequently applied to structuring the process of defining, refining, and verifying requirements documentation. During the initial FEL ( Front-End Loading ) phases, the project team identifies high-level requirements, involving potential vendors, systems integrators, and Original Equipment Manufacturers (OEMs) to validate early concepts. As the project progresses, requirements are broken down into more specific design elements, such as Piping and Instrumentation Diagrams (P&IDs), system architecture diagrams, and detailed hardware and software specifications. This phase culminates in a comprehensive set of design deliverables, including finalized drawings and specifications. As the project moves from design into implementation, the V-Model allows teams to check each aspect of the implementation against the original requirements, ensuring that the system meets expectations through validation and verification steps. Ongoing Maintenance and Adaptation Control system migrations do not end with commissioning. Modern control systems are increasingly software-dependent, relying on regular updates and security patches for sustained performance. As part of the requirements documentation, teams establish processes for managing updates and maintaining alignment with evolving cybersecurity standards. These “ living ” documents serve as references for future maintenance, ensuring the control system remains functional, secure, and aligned with operational needs well into the future.   Scope — Work Breakdown Schedule (WBS) A Work Breakdown Structure (WBS) is fundamental to the scope definition process in control system migrations, as they establish a clear framework for planning, estimating, and executing the project. The WBS divides a project into smaller, manageable parts, facilitating clearer communication, better cost control, and improved resource allocation. At its core, a Work Breakdown Schedule helps the team “ eat the elephant one bite at a time ,” breaking down complex tasks into structured and measurable components. Developing the Work Breakdown Structure In a WBS, the project is defined at the highest level and progressively divided into subprojects, sub-phases, and tasks. The process typically starts with defining the overarching goal — whether that’s replacing outdated control systems, implementing new safety standards, or optimizing performance. From there, the WBS is broken down into manageable sections, with each phase building on the previous ones. The ultimate goal is to create small enough tasks that allow for accurate estimation and efficient management. A comprehensive WBS should be developed early in the control system migration project, ideally before the schedule is finalized. Breaking down the project into smaller components enables teams to estimate durations and resources for each element more accurately. This is especially valuable in complex control system migrations, where precise scheduling is a must-have to minimize operational disruptions. Owner-Level and Vendor/Contractor-Level WBS In many projects, including government and large-scale industrial migrations, the WBS is divided into two levels: Owner-Level WBS : The project owner (often the client or the entity funding the project) typically defines the first few levels of the WBS. This includes outlining the major phases, primary objectives, and key deliverables. For instance, in government contracts, the owner might specify the first two levels of the WBS, setting the foundational structure of the project without delving into granular details. Vendor/Contractor-Level WBS : Contractors or vendors are then responsible for developing the WBS beyond the initial levels specified by the owner. They add the finer details needed for execution, filling in tasks, subtasks, and resource assignments to meet the owner’s requirements. This approach empowers contractors to bring their expertise to the project, structuring their work to align with the project goals and optimizing resource allocation. This dual-level WBS structure allows owners to set clear expectations while giving vendors the flexibility to plan and execute in a way that leverages their strengths. It’s a common practice to help ensure a balanced approach where high-level objectives are set by the owner, and detailed planning is conducted by those executing the work. Benefits of a Well-Defined WBS A well-defined WBS simplifies schedule and budget development by enabling a “ bottom-up ” approach to project planning and execution. It provides a structured method for estimating time and resources, making it easier to assign costs accurately and avoid budget overruns. By breaking the project down into smaller parts, the WBS helps identify risks early, setting the stage for more effective project management. In the context of control system migrations, where tasks may vary in complexity and dependencies, a robust WBS can help mitigate scheduling challenges. Estimating timeframes for smaller tasks is inherently easier than for large, undefined tasks, leading to a more realistic and achievable schedule. Additionally, as the project progresses, the WBS serves as a roadmap, enabling the project team to track progress, adjust resources as needed, and ensure each phase aligns with the defined scope. For owners and contractors alike, a well-defined WBS not only clarifies project expectations but also enhances the likelihood of completing the migration on time and within budget.   Schedule — Resource-Loaded with Logic Creating a resource-loaded schedule with logic is a vital step in control system migrations, allowing project teams to allocate resources efficiently while ensuring all tasks follow a logical sequence. Once the scope is established, and the Work Breakdown Structure (WBS) is outlined, these elements provide the foundation for developing a detailed, executable schedule. By defining what needs to be done at a granular level, teams can move forward with estimating timelines and applying resources in a structured manner. Building the Schedule with Logical Sequencing A well-crafted schedule isn’t just a list of tasks — it is a sequence of events governed by logic. In this context, logic refers to the relationships and dependencies between tasks, dictating what must happen in a specific order and what can happen concurrently. This logical structure ensures that each activity aligns with the project's overall timeline, minimizing delays and optimizing efficiency. For example, certain tasks may need to finish before others can start, while some can proceed simultaneously, depending on resource availability and task dependencies. Using the WBS, each task in the schedule can be broken down into smaller sections, often organized in a Gantt chart format. The WBS sections align directly with the schedule, allowing for a smooth transition from scope definition to scheduling. As the project progresses from conceptual design (FEL 1) through preliminary (FEL 2) and detailed design stages (FEL 3), the schedule becomes increasingly specific. By the time the project reaches the execute stage, the schedule should be thoroughly developed, reflecting both the scope and WBS in a detailed, logical format. Resource Loading and Effort Estimation Resource loading is the process of assigning human resources, materials, and equipment to each task based on effort estimates. This step involves calculating the actual effort hours needed for each task, allowing the project manager to allocate the appropriate resources at the right times. Effort estimates are based on the complexity of the work, skill requirements, and task duration. A resource-loaded schedule helps ensure that project teams are neither overburdened nor underutilized, helping to keep the project on track and within budget. The resource-loaded schedule allows project managers to see where resources may be constrained or where adjustments might be needed. By integrating resource availability with task dependencies, the team can make informed decisions on scheduling adjustments, such as reallocating personnel or shifting task start dates. This level of planning is imperative in large-scale control system migrations, where resource constraints could lead to significant delays. The Value of Progressive Detailing The level of detail in the schedule should grow as the project advances. Early in the project, schedules are often high-level, with broader phases outlined in sequence. As the project reaches subsequent stages, each phase becomes more defined. By the time the project is ready for funding approval at the execute stage, the schedule should be highly detailed, providing a clear roadmap for completion. A well-detailed, resource-loaded schedule with logical sequencing is essential for obtaining project funding. Investors and stakeholders need confidence in the project’s timeline and feasibility, and a thoroughly prepared schedule demonstrates both preparedness and reliability. The more specific the schedule at this stage, the better equipped the team will be to manage the project’s complexities during execution.   Schedule — Critical Path The Critical Path is a fundamental concept in control system migration project scheduling. It represents the longest sequence of dependent tasks that must be completed for the project to reach its end date. In essence, the critical path is “ the longest pole in the tent ” — the chain of tasks that dictates the overall project duration. Identifying the Critical Path Identifying the critical path involves mapping out the sequence of tasks and understanding their dependencies. Each task on the critical path has no leeway for delay, as any delay in these tasks will directly impact the project’s completion date. Thus, accurately identifying this sequence early in the planning phase is essential, and a resource-loaded schedule can help visualize these dependencies and constraints. A resource-loaded schedule aligns resources with each task, allowing teams to see how resource availability impacts the critical path. By continuously managing to this path, project managers can ensure that resources are allocated to high-priority tasks, keeping the project on track. Managing the Critical Path Once identified, the critical path must be actively managed throughout the project. It’s common for the critical path to evolve as the project progresses — some tasks may be optimized, resources may be reallocated, or unforeseen issues may necessitate changes in task sequencing. For example, a task initially identified as critical “ subtask A ” might later be optimized, shifting the critical path to another task “ subtask D ”. This shifting nature requires a proactive approach to critical path management, with regular reviews to ensure the path remains accurate. Adjustments should be made as necessary to reflect any changes in the sequence or duration of tasks. By monitoring the critical path, teams can quickly adapt to changes and avoid potential delays. Ultimately, the critical path is the backbone of a control system migration project’s schedule. When managed well, the critical path provides a clear roadmap for prioritizing resources and activities to keep the project on track.   Schedule — Slip In any control system migration project, project managers should plan for schedule slip. Slip refers to the allowance for unexpected delays or setbacks that may impact the project timeline. Recognizing that projects are executed by human beings and subject to real-world unpredictability, building in a buffer for slip is a practical and necessary component of scheduling. Why Allow for Schedule Slip? Projects are seldom immune to delays. Factors such as natural disasters, world events, and unforeseen technical challenges can disrupt even the most meticulously planned schedules. By planning for possible delays, teams can set realistic expectations with stakeholders and avoid the need for crisis management when things don’t go as planned. A well-designed schedule with built-in slip is a reflection of common sense and practical risk management. This buffer provides the flexibility needed to adapt to changes without jeopardizing the overall project timeline. It allows project managers to respond to issues effectively, keeping the project on track while managing unforeseen obstacles. Managing Slip in Schedule Development Managing slip requires a careful balance between optimism and realism. Too little allowance for slip may result in unnecessary pressure on resources, increasing the risk of errors and burnout. Conversely, too much allowance may inflate the schedule, impacting cost and resource allocation. The goal is to include just enough flexibility to accommodate probable delays without compromising efficiency. In the context of control system migrations, schedule slip is especially important. These projects often involve complex integrations, interdependent systems, and critical operations. Allowing for slip in the schedule ensures that these complexities are managed without excessive risk of delay, helping the project team deliver a successful migration within a reasonable timeframe. A realistic approach to slip allows for smoother project execution, reducing the impact of setbacks and fostering a more resilient project plan.   Budget — Parametric, Analogous, & Bottom-Up Estimating As you might imagine, budget is an important component when planning a control system migration. Determining the funds required to complete the project is essential to ensure that resources are allocated effectively and that project stakeholders have realistic cost expectations. However, establishing an accurate budget can be challenging, particularly if cost estimates are provided too early in the process without sufficient data or analysis. The following budgeting techniques — Parametric Estimating, Analogous Estimating, and Bottom-Up Estimating — offer different methods to approach budgeting based on the project’s phase and the level of detail available.   Parametric Estimating Parametric estimating is commonly used in the early phases of project development when only high-level information is available. This technique relies on statistical relationships between historical data and other variables, allowing teams to estimate costs based on a unit of measure. For example, building a control system for a manufacturing plant might be estimated based on a cost per Input/Output (I/O) point or cost per square foot. Parametric estimates can vary significantly depending on the type of facility and the complexity of the control logic. For instance, while a widget manufacturing plant may have relatively simple I/O points, a chemical processing plant with advanced controls would require a more sophisticated (and thus more costly) system. Although parametric estimates are useful, they should be used cautiously, as variations in project scope or industry standards can impact the accuracy of these estimates. Unit cost estimating is a similar approach to parametric estimating, where costs are determined based on the cost per unit (e.g., per foot, per ton) of a particular item. This technique is often applied when more specific information about project components is available. In control system migrations, unit cost estimating might apply to components like stainless steel piping or wiring, providing a straightforward calculation for materials or parts with standard unit costs. Unit cost estimating is particularly useful for elements that have consistent pricing structures, allowing project teams to forecast material costs with a fair degree of accuracy. Like parametric estimating, this approach is more reliable when sufficient historical data exists, enabling comparisons across similar projects or components. Analogous Estimating Analogous estimating is another common technique used in the early stages of control system project budgeting. This method relies on historical data from similar past projects to estimate the costs of a new project. For instance, if a similar control system migration was completed five years ago, or if a nearly identical project was executed at another facility a year prior, those projects can serve as benchmarks for the current estimate. Analogous estimating allows teams to leverage known data, adjusting for differences in scope, inflation, or other variables, to create a rough cost estimate without extensive upfront details. While it may not provide the level of accuracy achieved through bottom-up estimating, analogous estimating is a practical tool for generating early budget figures and can be refined as more specific project information becomes available. Bottom-Up Estimating Bottom-up estimating is the most detailed and precise budgeting method, typically applied in the final design phases, such as the FEL 3. By this point, the project team has completed a detailed Work Breakdown Structure and can estimate costs for each subtask with higher accuracy. Bottom-up estimating involves calculating the cost of each component or task individually and then summing them to derive the total project cost. This technique requires a comprehensive understanding of the project’s scope, schedule, and resource requirements, making it best suited for later stages when detailed design and planning are complete. Although time-consuming, bottom-up estimating is highly accurate, as it accounts for specific project needs and is based on actual data from the project’s planning stages. Each of these budgeting techniques serves a unique purpose at different stages of project development. Parametric and Analogous estimating are effective tools in the early stages when only high-level information is available, while bottom-up estimating provides a more precise calculation as the project reaches maturity. By employing the appropriate technique at each stage, project teams can ensure that budget estimates evolve alongside the project, aligning with the increasing specificity of scope and design.   Budget — Analyzing the Quality of Your Budget Once a budget has been established for your control system migration, you’ll want to evaluate its quality. Analyzing the quality of a budget involves assessing whether the cost estimate is optimistic, pessimistic, or realistically positioned within the range of expected expenses. This process allows project managers to ensure that the budget is grounded in reality and aligned with project risks. Contingency and Reserve Planning One element of budget analysis is establishing a contingency amount. Contingency planning accounts for known risks that might affect costs, such as potential delays or changes in scope. Project teams can use various methods to determine contingency amounts, including expert opinion or quantitative approaches like Monte Carlo analysis . By calculating an appropriate contingency, the project team provides a buffer for foreseeable risks, adding a layer of resilience to the budget. In addition to contingency planning, projects should include a management reserve — a fund set aside at the discretion of the project manager to cover unforeseen issues. Unlike contingency, which addresses specific identified risks, the management reserve handles unexpected, “ unknown unknowns ” that may arise. This reserve allows project managers to navigate unanticipated challenges without immediately compromising the budget. Assessing Budget Confidence Analyzing budget quality also involves reflecting on the methodology used to develop cost estimates. Project teams should consider whether their cost elements are based on realistic assumptions and whether they have allocated resources prudently. By evaluating each component of the budget and ensuring it aligns with project goals and constraints, teams can increase their confidence in the budget’s accuracy. Before submitting the budget for final funding, it’s important to undergo this self-assessment. This evaluation helps in identifying any potential gaps and ensures that the budget reflects all known variables and has adequate provisions for managing uncertainty. Moving Forward with an Approved Budget Once the budget has been thoroughly analyzed and approved, the project is equipped with a solid financial plan. At this point, the project should also have a resource-loaded schedule, a clear critical path, built-in allowances for schedule slip, and structured reserve management. These elements together form a comprehensive project plan, ready for execution. As the project progresses, maintaining control over scope, schedule, and budget is crucial. Any project that begins with delays or budget overruns is challenging to recover, making it essential to start on solid ground. Proactively addressing risks early increases the chances of successful project completion and mitigates the impact of any adverse events that might arise.   Project Controls — In-House or Third-Party? Project controls are extremely important for the success of any control system migration. They provide the structure and oversight necessary to manage risks, monitor progress, and ensure that the project remains on schedule and within budget. The decision to handle project controls in-house or to engage a third-party firm depends on factors like organizational culture, project complexity, and available resources. In-House Project Controls Organizations with the necessary skills and resources may choose to manage project controls internally. This approach allows the project manager or other team members to oversee scheduling, estimation, and physical progress. An in-house team can solicit feedback directly from the design, procurement, and construction teams, collating data to update progress against the baseline. In-house project controls require a dedicated team with the ability to monitor percent completions, maintain schedules, and adjust resources as needed. However, many organizations today operate with lean staffing, focusing primarily on operational roles rather than project-specific capabilities. This limitation can impact their ability to execute comprehensive project controls effectively. Third-Party Project Controls When internal resources are insufficient, engaging a third-party project controls firm can be a strategic choice. Specialized firms focus solely on project controls, often bringing a high level of expertise and efficiency. Some third-party firms specialize in control systems, offering insights tailored to the needs of complex control system migrations. Larger engineering firms may also provide project controls services, supported by dedicated departments with robust processes and systems. Outsourcing project controls can offer a level of sophistication and objectivity that may be challenging to maintain in-house, especially for smaller organizations. These smaller facilities may lack the resources or expertise required for project controls and can benefit significantly from external support. Risk Management and Decision-Making Whether in-house or outsourced, project controls are fundamentally about risk management. They provide a framework to assess if the project is on track, identify potential delays, and highlight budget overruns. Having accurate and timely project controls data allows organizations to address issues proactively, minimizing disruptions and maintaining project momentum. Project controls serve as an early warning system, enabling project managers to intervene before small issues become major setbacks. They answer the key questions: Are we ahead or behind schedule? Are we within budget? Are we meeting quality standards?  This transparency is invaluable in ensuring that the project stays aligned with organizational goals. Project Controls in Procurement and Vendor Management When selecting vendors, systems integrators, or OEMs for a control system migration, it’s important to consider their project controls capabilities. Any vendor contributing to the project’s scope should be able to demonstrate project controls skills, providing regular reports on progress, costs, and quality metrics. This requirement applies even to subcontractors like electrical contractors, who may manage specific project segments but still impact overall timelines and budget. In larger companies, project controls are often standardized across departments, ensuring consistency in execution. Smaller organizations, however, may need to assess whether outsourcing these skills can provide the necessary structure to keep projects on track. Regardless of the approach, project controls are indispensable for managing scope, schedule, and budget in control system migrations, providing the transparency needed to ensure a successful outcome.   The Takeaway Control system migrations are complex projects that require a careful balancing of scope, schedule, and budget — the three primary constraints that govern project success. This fourth installment in our series has explored the essential frameworks, methodologies, and tools that can help manage these constraints effectively, from defining scope using the V-Model Systems Engineering approach to managing project controls in-house or through a third-party provider. Moving Forward with Confidence Control system migrations demand precision, foresight, and flexibility. By embracing the methods discussed in this series — from structured planning to diligent budgeting and project controls — organizations can enhance their capacity to deliver successful migrations that meet performance, safety, and financial objectives. Be sure to keep an eye out for the fifth installment in our control system migrations series, where we will explore best practices when planning and implementing training after a system migration. More information about aeSolutions' comprehensive DCS/PLC migrations and upgrades capabilities and services.

Presented by Greg Hardin - Senior Principal Specialist, aeSolutions Why Do Control Systems Go Wrong? The British HSE publication “Out of control - Why control systems go wrong and how to prevent failure” (HSE238) reports the primary cause by phase (specification, design and implementation, installation and commissioning, operation and maintenance, changes after commissioning) of failures of 34 safety systems in different industries. This document is frequently referred to in functional safety activities in the process industries. This presentation will consider just how applicable are the quantitative results presented in HSE238 to the process industries. Keywords: automation, systems integration, upgrade, process safety, process control network, pcn, safety instrumented systems, SIS, systematic failure Auto Generated Transcript: Is that really why control systems go wrong? OK. Out of control, why control systems go wrong and how to prevent failure? That's a publication of the United Kingdom's Health and Safety executive. It is, you know, very well down in the functional safety. Business and I have used this chart. In multiple presentations over the years and what it represents is the percent of particular phase of the lifecycle where things went wrong that resulted in eventually in a serious incident. 6% installation and commissioning 20% modifications after commissioning. 15% operation and maintenance. 15% design and implementation and this is the biggie. That was a surprise to a lot of people when it was published. That the idea that where we were going wrong with. Process safety in related to instrumented protective functions was in specification. So if you take that pie chart, you can do the same thing against. Their safety lifecycle. Specification design and implementation. And then you can break it down a little bit more to show the areas that we're interested in. You know hazard and risk analysis, then sift selection safety instrumented function and safety integrity level determination. Thus Isfel is what we. Used to and still do called the calls. Call the group that I am in. And then device selection safety, integrity, integrity level calculation again. That's assist file function. And then not to cut off half the life cycle. Installation and commissioning. Operation and maintenance modification. I think if you had taken a survey of people before the HSE publication came out, this is where people would have said most of the. Incidents were caused and I'll have a little bit more about that to say about that later in the talk. What really prompted me to want to do the some of the research that led to this talk was what is known as the streetlight of effect. You may be familiar with this little story of someone on their hands and knees. Obviously looking for something along comes a police officer. Ask the person what are they doing and they say they're looking for the car keys that they drop well. The officer wants to help, so he asks where were you standing exactly when you dropped them? And the person replies back up the street. Then why are you looking here? Because the light is better. Are we looking at just at the specification to the exclude, not to the exclusion, but, More giving it more effort than we should, because that's, you know, that's our business. That's what's right, and at least you know my part of the business. That's right, what's right in front of me on my desk or on my computer screen? Is the the sisvel portions of the safety lifecycle that I did just identified? So that's the street light effect? When I was putting this talk together, I said, well, I'm familiar with the Identification of the different incidents in the report. Where they identified that specification is where they went wrong. But I said, well, I probably ought to go ahead and really read the report. And if I read the report. The report is not as exclusive. To the analysis of the various phases as. I was assuming they do say that. Poor hazard analysis of the equipment under control. Inadequate assessment. Systematic approach not used. These are all portions of the specification phase. That when you lump everything together as specification, that's where I started to get worried. If we were. If we were looking where the light was better. So this is the table from that report and. Where they picked up 44 of the incidents that they reviewed were 44% were due to inadequate specification and they said of those twelve were inadequate functional requirements. Specification in and 32 were, 32% were. Inadequate safety integrity requirements specification. Well, if you look at all of the incidents in the report, only one third of the total number of incidents. Which was 15 of the incidents in this case total number only one third of those, or approximately 5 are related to incidents in the chemical or refinery industries. So do the causes of incidents in the process industries follow the distribution given in out of control? That was my promise in starting this. There are lots of Compilations of incidents in the process industries. And there's I will give a list of references at the end of this presentation. But. The granularity of the causes in these compilations is somewhat limited, in other words. Just because a significant incident happened very few cases do the reports, particularly the summary reports that you can find on multiple incidents. Rarely do they give you the detail that you would new need to say. Was this specification related or not? Most of the major incidents, involve a sequence of events they have multiple causes related to organizations and other things and. You know they generate these large reports and again you may find something that says, well, specification of this control or safety function was inadequate. That's almost never the entire story. So I did go through and this is, you know, several of the reference lists, and I did look at 50 incidents in a particular period of time out of this out of loss prevention and the process industries, which is a commonly cited book and I was only able to identify five that were in the least bit instrument related. Based on the description that was given and again. You know, can you say from this was these were these specification related? Possibly there just not enough detail to to tell, so my initial premise that I could. Review the incidents and Compare the results that I could get to the same distribution of incidence of causes in the HSE publication. Turned out to not be very practical, but what can we talk about? Well, here are some of the better known major incidents. I think everybody's probably heard most about most of these, of course, Pasadena in 1989 was the explosion at the Phillips 66 facility here in the Houston area that resulted in the death of Mary Kay O'Connor and eventually the founding of the Mary Kay O'Connor Process Safety Center. The one incident of all of these where you could say that Specifications sure sounds like specification was a good portion of the problem. Was bunch field, but essentially it was a tank overflowed in a fuel depot outside of London and generated and explode a vapor cloud that eventually exploded. And reading the reports on the incident, if you look at it, it's like boy. If this was the consequence Well, did they not recognize the potential consequences of overfilling a tank? Would it have not made sense to have multiple, independent, diverse technology level instruments and communication to the remote Control Center? You know, so I would have to say of the major incidents. That most people are familiar with Bunch Field becomes the closest to being specification related. So where can things go wrong in specifications? Well, you know. Obviously in the hazards assessment. If you don't identify a hazard if you don't identify an initiating event, if you don't accurately. Predict the potential consequences if you give too much credit for your existing safeguards. Well then you regarding ill then you have missed something that will not be addressed in the rest of your project. Risk assessment. People tend to overestimate or underestimate initiating event frequency. We happen to be of all involved in a a project right now. I did some checking on just the other day where we're actually doing some failure mode and effect analysis. Trying to apply some Bayesian statistics to help a client identify the closer. Initiating event frequency to the true value than what you can get just out of looking at the reference books. Obviously you can over under May underestimate the consequence, severity, conditional modifiers and enabling conditions of inappropriately applied to reduce the potential frequency. I've borrowed this chart from the presentation I did a while back on functional safety assessments and this is just. You know, I put this together, it's it's not really a serious analysis. But one thing we run and run into frequently when people ask us to help them do. Safety, integrity level, determination of safety functions related to fired equipment is that they start out assuming that if the slightest bit of uncombusted fuel makes its way into the fire box, then you have a violent explosion that results in a fatality. And if you look at it, it's. Yeah, that makes an awful lot of assumptions, so this just happens to be a specific instance that I've seen several times and people come up with outrageous what seems unnecessarily high. Safety, integrity level requirements beyond that required by the standards. To address this, when if they took a, a more hardheaded look at it, it would not necessarily occur with the frequency or the consequence that they assume. In the safety requirements specification. Systematic errors or your field device is going to be certified to E. C, Six, 1508 or based on prior use. The standard is more forgiving of you if you base them on prior use. However, this is also some place where you can go wrong or go astray, I should say. Because the latest version of ANSI ISA 615 eleven allows you to have a safety integrity level, two function with zero hardware fault tolerance. In other words, no redundancy. Well, that is based on the fact that the failure rates you're using to calculate the safety integrity level are based on prior use, but the standard doesn't stay that very clearly an you know. That's an unfortunate. Weakness I think in the standard, but it's a place where you have to be careful. It makes a difference in how you evaluate hardware, fault tolerance, architectural constraints. Whether you're basing your failure rates. Are they certified devices or are they based on prior use? Is your failure rate data reasonable? Boy, that's something that we deal with very frequently. Clients will come to us sometimes with a manufacturer certificate that has a. Dangerous undetected failure rate for a device that's one or two orders of magnitude lower than what we're used to seeing even for certified devices. And sometimes it can be difficult to get the client to recognize the risk that they're taking in the past. Sometimes I have performed the calculation with their data and then with more reasonable data and showed them the difference. And like I say, you're trying to identify the risk. That the client is assuming by using this potentially unreasonable failure rate that the device can't really maintain in the field. Test intervals. Are people really thought through? You know, that's one of the knobs that they want us to change. Is test intervals? Well, yeah, I can't see you know. Well, let's make this the test interval shorter and we'll get the safety integrity level down. Well yeah, that's true. Or mean up increases. Excuse me, but is that really? You know, if you've got a five year turn around frequency and that's the only time that you can test some of your safety functions well. D. I'll just changing the number. Doesn't really do you anything if you can't actually operate that way. Test coverage is. That's another place where people want to say oh, our test coverage. We're night. We cover 99% of the potential failures. Well, if you look at the possible, hopefully the manufacturers safety manual, that's possibly not. Reasonable, we had a good presentation to spend some time ago about vendor talking about the work that has been done in the nuclear industry about what it takes to obtain test, you know, proof test coverage for shut off valves, and they're not even to get to the highest. Proof test coverage takes an awful lot of work and an awful lot of resources. Hardware resources. Process safety time. Is it accurate digit? Is it considered in the design to the valves really closed fast enough? All process operating modes consider. Do you consider startup and shutdown? Are there times when one piece of equipment is out of service but not another will tripping this safety function at that time? Create a hazard you hadn't anticipated. So in summary. Are 44% of the incidents in the process industries do just to a specification error of a safety function? Doubtful. Most have complex causes noticed. I'm saying serious incidents. Out of control, focused attention on the specification portion of the safety lifecycle, and that was a good thing because before that I think most people would have said that operation and maintenance and problems with management of change where where the main causes of serious incidents were happening and when reason for that is. Well, you know things don't blow up during the Specification's age. They have to be operating and being maintained before you have a serious incident, and so that's tends to be where the focus is. That doesn't mean that the chain that led to the incident did not start back in the specification phase. So out of control, I still consider it a valuable reference.

Updated November 2024 — Written by Judith Lesslie, CFSE, CSP — Those who work in high hazard industries are familiar with the OSHA Process Safety Management (PSM) and EPA Risk Management Plan (RMP) requirements for routine audits to assess and verify compliance with these regulations. In Part 1 blog, we reviewed specific types of concerns that have been identified at many manufacturing sites for several of the PSM/RMP elements. In Part 2 we review the following elements: MOC/PSSR, Process Safety Information, Operating Procedures, Mechanical Integrity, Process Hazard Analysis, and Training. This blog is Part 2 of a series. If you missed part 1, you can find it here.   Reviewing Key PSM/RMP Elements for Compliance: MOC/PSSR, Process Safety Information, and More Management of Change (MOC) and Pre-Startup Safety Review (PSSR) Management of Change (MOC)  and Pre-Startup Safety Review (PSSR) are two elements that are joined at the hip. Almost all sites have occasional one-off failings in their MOC and PSSR systems, but very common program-level failures occur around failure to conduct adequate PSSRs prior to approval for startup; failure to follow-up or document punch list items from PSSRs; and failure to conduct or document adequate training or informing of affected personnel prior to startup. While organizational changes are not specifically required to be included in a site’s MOC system, organizational change management is considered RAGAGEP for PSM facilities, so it behooves covered sites to ensure that changes to personnel and changes to the organizational structure are managed appropriately. Process Safety Information (PSI) Like MOC and PSSR, most sites have occasional failings in the Process Safety Information (PSI) element, which describes information pertaining to the HHC that is required to be available. Larger gaps of PSI are present more often than you might think, including such areas as a clear electrical area classification map, basic process control system alarm documentation (including those identified in process hazard analyses), poor instrumentation documentation, failure to identify safety upper and lower operating limits and the consequences of deviations from those limits, failure to ensure that the process safety time available for Operator response to alarm safeguards (as identified in PHAs) is adequate. Ventilation system design information is another area where documentation is frequently lacking as well. Operating Procedure Operating Procedure element failures often echo the PSI failures mentioned above, most particularly in the areas of identification of safety upper and lower operating limits, the consequences of deviations from those limits, and the steps required to correct or avoid deviations. In a similar vein, safety systems and their functions are sometimes not well-covered in operating procedures. It is also relatively common to identify procedures that do not explicitly cover operating phases, such as startup, shutdown, temporary or emergency operations. Finally, a surprising number of facilities fail to annually certify that operating procedures are current and accurate. Mechanical Integrity Mechanical Integrity (MI) is a huge element, covering vessels, tanks, piping systems, relief devices, emergency shutdown systems, controls, and rotating equipment. While MI programs for mechanical equipment are typically better developed than those for instrumentation and control systems, there are still relatively common concerns identified for mechanical equipment. These include non-code-compliant inspection reports, failure to use appropriately certified inspection personnel, and failure to include components such as hoses, expansion joints, check valves, or other less common mechanical components in the program when they are critical to covered processes. Mechanical Integrity program concerns with controls (including monitoring devices and sensors, alarms, and interlocks) and emergency stop functions are even more common. These include failures to categorize criticality, failure to test or inspect (including very serious failures to test process safety e-stops, instruments, and interlocks), and failure to align process hazard analysis (PHA) safeguards with the equipment included in the Mechanical Integrity program. Process Hazard Analysis A Process Hazard Analysis an area where quality varies widely across facilities. While most sites do have PHA reports, it is far too common to find covered process PHAs that are of poor quality, that use non-standard practices, and that are neglected once completed. PHAs are overdue more frequently than you might anticipate as well. There are many sources of good PHA practices and initiating cause data. It behooves facilities to ensure that the personnel responsible for executing the PHA program are well-trained in current industry practices and have good software tools for executing PHAs. It is also important that PHA recommendations and actions to ensure the integrity of identified safeguards are a part of the program expectations. Related to this, PHA recommendations should receive a high level of management attention to ensure they are completed to expectations in a timely manner. Training The Training element is one of those typically in pretty good shape at many facilities. However, it is not uncommon to find that employees involved in operating the process are not involved in determining the appropriate frequency for refresher training. The Stakes The PSM and RMP regulations have proven over time that they are excellent practices to drive the reduction of serious process safety incidents. It is far better for a company and sites to find and correct their own PSM and RMP system deficiencies than for a serious incident to occur or for a regulatory agency to identify it. Are you positive that the commonly found concerns reviewed above are not present at your facility? Leveraging Expert Support for Comprehensive PSM/RMP Compliance Assessments If you have not previously taken a deep dive into the assessment of the topics above at your site, now would be a good time to do so. If you do not have the right expertise in your staff to assess PSM and RMP compliance in these areas, consider selecting a process safety consultancy with deep experience and expertise to assist you . Their range of experience enables external auditors to share the general methods proven to drive good PSM and RMP compliance across industry. This independence from the site and company has the best probability of a careful assessment with fresh eyes on the relevant critical systems and leads to more efficient compliance with the necessary standards.

Improving industry by guiding our clients to increasingly resilient operations and safer communities How We Can Help Our Story Engineering Company Integrating Process Safety, Automation & Fired Equipment Success Stories 25+ Years Strong 40+ Certified Experts 2000+ Clients Served 600+ Projects per Year Our Services Alarm Management Machinery Safety Migrations and Upgrades Process Safety Fired Equipment Project Management Combustible & Toxic Gas SIS Engineering Feature Stories Control System Migrations | Part 4 | Managing Scope, Schedule, Budget Control System Migrations | Procurement Specification & Vendor Selection FSA Stage 2: Evaluating the Safety Instrumented System (SIS) Readiness for Field Installation Can Stage 3 FSA Confirm Your Safety Instrumented System Is Ready for Operational Use? What is a Stage 1 FSA & How Can It Help Discover Critical SIS Flaws? How to Prevent the Five Most Common Industrial Alarm Management Issues Client Success Built With Trusted Expertise aeSolutions is an engineering consulting and systems integration company that provides industrial process safety and automation products and services. We specialize in helping industrial clients achieve their site’s risk management and operational excellence goals. Process Safety As a supplier of complete process safety management (PSM) solutions, we pride ourselves on providing engineers from industry with design, maintenance, operating, and process safety backgrounds. Our specialists understand how plants operate because they have actually worked in covered processes and facilities. Alarm Managem ent Our clients recognize the relationship between the process safety performance of their facilities and the implementation of effective alarm management techniques and alarm philosophy. Our alarm management services help clients improve the performance of their alarm systems and increase the situational awareness of their operators. Machinery Safety Clients who operate and maintain machinery and robotics list safety is a top priority. We help manufacturing facilities achieve safe machine operation through risk assessments, application of the hierarchy of control, and sensible safeguard design. Our scalable programs address client’s specific needs and the machinery lifecycle to provide tailored solutions aligned with international and United States’ standards. DCS/PLC Migrations and Upgrades aeSolutions can provide the system integration methodology, technical services, and resources to accomplish the objectives of your automation project. We work with you from project inception to final commissioning through a proven project delivery model integrating diverse hardware, software, and services from multiple vendors and stakeholders into a unified, integrated system. Safety Instrumen ted Systems aeSolutions has a unique process to design and implement ISA84/IEC 61511-compliant safety instrumented systems (SIS). We integrate our knowledge and experience in PHA/LOPA along with control system hardware and field instrumentation to ensure that Safety Instrumented Functions (SIFs) are clearly defined. We define, design, and document the safety functions to meet your safety and online reliability requirements for 61511 and regulatory compliance. Fired Equipment From up-front engineering to end-user compliance testing, aeSolutions has helped clients create and maintain safe, efficient fired equipment and associated processes. With our extensive engineering knowledge of the National Fire Protection Agency (NFPA) and other regulations, aeSolutions is uniquely qualified to advise on virtually all combustion-related codes and other hazard assessments. Combustible & Toxic Gas The aeSolutions Fire and Combustible & Toxic Gas Detection team deliver a unique blend of experience in philosophy, technology selection, and geographic/scenario-based modeling. Beginning with a Gas Detection Philosophy development or review and update, we design a system that is fit for purpose, cost-effective, and has a defined basis that can be updated as the plant evolves.

Working at aeSolutions View Current Openings > At aeSolutions, our team members solve some of the most complex automation and process safety engineering challenges in industry. We foster a collaborative wo rk environment comprised of talented and dedicated individuals who strive to realize their full potential while also contributing to the success of our clients. We lead the way in critical fields that others avoid by staying authentic to our core values – Results-Driven, Inclusive, and Relentless. Employees Are VALUED At aeSolutions you won’t get lost in the crowd. Each employee’s contribution makes a difference and helps us improve industry and guide clients to increasingly resilient operations and safer communities. Employees Are CHALLENGED We provide stimulating career development opportunities including working on complex projects in a quality-driven, fast-paced environment. You will be challenged to bring your creativity, problem-solving skills, high-integrity, and professional insight to everything you do. Employees Are DEVELOPED New team members join a collaborative, supportive, and inclusive work culture which will encourage you to develop to your full potential. You will learn from others, and they will learn from you. Your success is our success, and you will be supported in setting and achieving your professional goals. Employees Are REWARDED We provide competitive salaries, opportunities for advancement, and a comprehensive Total Rewards package, including: Medical, Prescription Drug, Dental, & Vision insurance HSA, FSA, and Dependent Care FSA options Mental health & counseling benefits through our confidential Employee Assistance Program (EAP) for employees and their family members Company-provided Employee Life and Disability Coverage with buy-up options 401(k) retirement plan with Roth or Traditional options and company contribution 1-on-1 retirement planning and financial advice for all stages of life Flexible paid time off accrual program Flex-time schedules, Half-Day Fridays, & Office, Hybrid, and Remote work options Incentive bonus programs, including for performance, professional development, employee referrals, repeat business, and more Resources and support for career and skills development, including a Learning Management System with access to thousands of high-quality learning courses, and a peer-to-peer Coaching Program Applicant Notices aeSolutions values the contributions of a diverse and inclusive workforce and is an Equal Employment Opportunity employer. This means we do not discriminate on the basis of actual or perceived race, creed, color, religion, national origin, ancestry, citizenship status, age, disability, sex, marital status, veteran status, uniformed services, sexual orientation, gender identity, genetic information, or any other characteristic protected by applicable federal, state, or local laws. Our management team is dedicated to this policy with respect to recruitment, hiring, placement, promotion, transfer, training, compensation, benefits, employee activities, and general treatment during employment. Access the “Know Your Rights” information from the Equal Employment Opportunity Commission here: Know Your Rights: Workplace Discrimination is Illegal. aeSolutions participates in E-Verify. We will provide the federal government with new employee’s Form I-9 information to confirm work authorization. Please note that we do not use this information to pre-screen applicants: E-Verify Notice — Right to Work Notice . Consistent with the Americans with Disabilities Act (ADA) and state disability laws, it is the policy of aeSolutions to provide reasonable accommodation when requested by a qualified applicant or employee with a disability, unless such accommodation would cause an undue hardship. If reasonable accommodation is needed to participate in the job application or interview process, to perform essential job functions, and/or to receive other benefits and privileges of employment, please contact the HR Director at 864-404-3022 or resumes@aeSolutions.com This link leads to the machine-readable files that are made available in response to the federal Transparency in Coverage Rule and includes negotiated service rates and out-of-network allowed amounts between health plans and healthcare providers. The machine readable files are formatted to allow researchers, regulators, and application developers to more easily access and analyze data: Transparency in Coverage – Machine Readable Files *aeSolutions does not solicit resumes from territories covered by the GDPR. View Current Openings >

The Leadership Team Ken O'Malley Founder & Chief Executive Officer (CEO) Joel Read Chief Financial Officer (CFO) Chris Neff Chief Operating Officer (COO) David Ivester Chief Commercial Officer (CCO) Ken Whittle VP of Solutions Development Ben Krisher Human Resources Director Roland Stock Director of Projects At aeSolutions, we know that our leader’s success is a result of having talented, dedicated, and passionate team members driving our all of our Engineering projects. If working for a company that takes on unique and complex challenges in nearly every capacity interests you, we would love to talk to you about a career with aeSolutions. Read below for a list of why working for aeSolutions could be the opportunity of a lifetime. Our professional staff ranges from recent college graduates to professional engineers with our more experienced professionals mentoring our newer staff. Many members of our team are industry leaders, serving in leadership positions on key industry committees. Our employees actively participate in the development of industry codes and standard practices for engineering and implementation of control and safety-related system solutions. Our clients trust the aeSolutions team to deliver consulting and engineering expertise for smarter, more resilient industrial operations and safer communities.