14. The basic process control system (BPCS) and the SIS can be easily and safely combined into one system. It's possible but there are many caveats because sharing BPCS equipment with the SIS violates inherently safer principles. IEC 61511 Clause 11.2.4 states that unless the BPCS is qualified in accordance with the standard, the SIS must be separate and independent from the BPCS. Qualifying the BPCS to IEC 61511 is more detailed than SIL verification, hazard rate analysis or calculations. ISA-TR84.00.04 Annex F and IEC 61511 Part 2 provide numerous reasons for not combining the systems.
Justifying the sharing of equipment requires carrying out additional failure and security analysis to ensure the overall hazard rate can be met for random failures and to provide adequate fault tolerance for systematic failures. Equipment also must have a prior-use history that demonstrates its dependability in both applications.
Independent and separate systems reduce common-cause, common-mode and systematic failures — and minimize the impact of BPCS failure on the SIS. Separate systems also ease making changes, performing maintenance, testing and documenting the SIS.
Separate systems facilitate identifying and managing the SIS elements and, thus, simplify and clarify validation and functional safety assessment. They support access security and enhance cyber security for the SIS because revisions to BPCS functions or data don't impact it. Finally, separate systems reduce the amount of analysis needed to ensure the SIS and BPCS are properly designed, verified and managed.
Common systems can reduce training — but ultimately not design, operations and maintenance manpower requirements for the reasons stated above.
15. The BPCS can serve as a process safety defense for risk reduction without a management system. Regulations as well as insurance and industry practices generally demand that all safeguards or protection layers have a management system to ensure proper operation when needed.
A safeguard implemented in BPCS hardware is no different than one implemented in the SIS; it must be covered by specification and MI, both with associated management systems. Upcoming publications from CCPS and ISA will provide detailed requirements in this area.
16. BPCS and SIS independence is a simple matter. You must demonstrate independence in the hardware, software, and personnel and management systems.
Any hardware or software the BPCS and SIS share could possess dangerous failure modes that make both systems vulnerable. Such modes could affect the ability of the common hardware and software to operate as required for both functions.
In terms of personnel and management, you must examine the entire lifecycle to see where shared personnel and management procedures, especially in the areas of design and maintenance, could contribute to systematic failure.
17. Safety systems aren't as important as the BPCS. Many companies spend a great deal of time and effort trying to justify that certain safety instruments, valves and other components aren't required. Such arguments rarely arise when it comes to the BPCS.
It's important to remember that the investment in safety systems is very small compared to that in the BPCS, and nearly negligible compared to that in the process equipment. Yet, the safety systems are the most dependable means to protect the total investment.
Proper design and management can yield effective and reliable safety systems. Leading companies have found that comprehensively examining their overall BPCS and safety strategy reveals opportunities to reduce unplanned events and emergency work orders, improving safety and productivity.
ANGELA E. SUMMERS, P.E., Ph.D., is president of SIS-TECH Solutions, LP, Houston. E-mail her at firstname.lastname@example.org.