Views on Safety System and Control System Separation - Emerson Automation Experts

Views on Safety System and Control System Separation

Charles Fialkowski’s blog post last week, To Integrate or not to integrate Safety and Control describes some of the continued discussions going on concerning separation of the safety instrumented systems (SIS) and basic process control systems (BPCS). He wrote:

Today, I still see a lot of confusion over this issue on what’s right and what is ‘really’ right. I recently personally witnessed another vendor use my same 4 year old illustration on SIS integration and bugger it all up to position his system (of course) as the best approach, ugh!

He concluded:

The answer is not with a vendor whose underline message is “buy mine”, nor from that elderly colleague who’s reluctant to any change, and is convinced his 30 year approach is the ONLY way to go. Nope, the answer is that it all DEPENDS. It depends on many factors regarding your process, level of risk needed to be reduced, complexity, management of change issues, budget, communications, security, etc.

For other viewpoints on this topic, there are several references available via the DeltaV SIS website, including an ARC whitepaper titled Business Issues Driving Safety System Integration. You can also see a lot of back and forth on this topic of separation, if you’re a member of the ISA safety mailing list. Several Emerson process safety experts can be found in the SIS discussions that take place on this list.

I ran the post by Emerson’s Mike Boudreaux who was already one step ahead of me, since he also subscribes to Charlie’s blog. He agrees with the points Charlie makes. Building on these thoughts, Mike adds:

Separation of control and safety is important and required by IEC 61511. Clause 11.2.4 requires that the basic process control system (BPCS) shall be designed to be separate and independent to the extent that the functional integrity of the SIS is not compromised. Further, clause 9.5 requires that an assessment to be performed to ensure that the likelihood of common cause, common mode, and dependent failures between protection layers are sufficiently low in comparison to the overall safety integrity requirements of the protection layers. Clause 9.5.2 specifically says that the assessment shall consider:

  • Independency between protection layers
  • Diversity between protection layers
  • Physical separation between different protection layers
  • Common cause failures between protection layers and between protection layers and BPCS

It is possible to meet these requirements under an integrated platform. In fact, DeltaV SIS has been assessed by both Exida and TÜV to consider these requirements of IEC 61511. This is accomplished by physically separate, diverse, and independent SIS logic solver hardware and firmware and a separate network for secure SIS communications. DeltaV SIS uses an integrated platform for operation, maintenance, and engineering but keeps separation at the run-time execution level so that the functional integrity of the SIS is not compromised. This level of integration is no different than the interdependency, diversity, physical separation, and common cause exposure that you have when you integrate systems from separate vendors.

Thinking about the different type of SIS applications, Mike adds:

It is also sometimes beneficial to integrate emergency shutdown systems (ESD), fire and gas systems (FGS), and burner management systems (BMS) applications in the same SIS platform, using separate logic solvers. For many BMS applications, there is often a high degree of interaction between the BPCS and SIS. An integrated platform like the DeltaV SIS streamlines implementation and simplifies the application.

GreenPodcast.gif MP3


  1. I have a doubt, consider a scenaio I am having a HIPS (High Integrity Pressure Protection System) which has its own logic solver. Whether can I integrate it with a ESD (SIS) system? Is it a benficial one? If so , Explain me how

  2. Tadeu Batista says:

    Hi Ulaganathan,

    It’s for sure beneficial to integrate the HIPPS to the overall SIS, the first benefit is you increase visibility on the HIPPS system, it’s not an independent system, that you don’t know what’s going on, till you have a trip.
    Other interesting point is, every single new HIPPS requires Partial Stroke, having it integrate you can run the procedure remotely and have it recorded to your system, increasing standards compliance.
    Ultimately, if you’re taking the Integrated Control and Safety System (ICSS) approach, now you’ll have integrated operation as well, having user privilege management, meaning only operators with SIS privilege are allowed to operate the system, plus, every action is recorded, again, making standards compliance easy.

Leave a Reply