Emerson’s Mike Boudreaux alerted me to a discussion in the Oil and Gas Instrumentation Club LinkedIn group. The thread referenced an earlier post on this blog, Field Device Sharing Between Control and Safety Systems, that Mike had written.
The answers to these questions are not straightforward unless one is looking for NO as an answer.
The longer answer, as highlighted in the post, is yes, with sufficiently detailed analysis, device redundancy, and great care.
In the LinkedIn thread, noted safety expert Paul Gruhn highlighted the risks:
Sharing field devices is an open invitation for an accident and it has happened multiple times. The link above mentions Ed Marszal of Kenexis. Ed has written/presented multiple times of such accidents and his paper is on their company web site (www.kenexis.com). Learn from the mistakes of others and please don’t learn this lesson the hard way yourself. Don’t save money just so you can have an accident.
I mention this as background for a great Control Engineering article on this subject, When Can The Process Control System, Safety System Share Field Devices? The article was written by Kenexis' Ed Marszal and Emerson's Gary Hawkins. The authors note:
To share field devices successfully, it is vital to understand the process under control—not just the safety equipment or the electronics, but the chemical processes that are being controlled. One must understand the process and how the devices are used, and understand how they fail and what will happen if they fail.
The authors point to the IEC 61511 global safety standard, in paragraph 8.2.1, which addresses the issue of sharing devices:
In determining safety integrity requirements, account will need to be taken of the effects of common cause between systems that create demands and the protection systems that are designed to respond to those demands.
The standard provides more detail in 11.2.10 (emphasis added):
A device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand on the safety instrumented function, unless an analysis has been carried out to confirm that the overall risk is acceptable.
NOTE: When a part of the SIS is also used for control purposes and a dangerous failure of the common equipment would cause a demand for the function performed by the SIS, then a new risk is introduced. The additional risk is dependent on the dangerous failure rate of the shared component because if the shared component fails, a demand will be created immediately to which the SIS may not be capable of responding. For that reason, additional analysis will be necessary in these cases to ensure that the dangerous failure rate of the shared equipment is sufficiently low. Sensors and valves are examples where sharing of equipment with the BPCS is often considered.
The authors note that this passage is the origin of the single point of failure prevention requirement. They explain the 11.2.10 note (emphasis again added):
…having a single point of failure is permissible as long as the frequency of such a failure is acceptably low. This requires a detailed quantitative analysis—a laborious process that many people do not do well, and often ignore. However, in most situations the mathematical analysis will reveal that sharing is not possible.
IEC 61511 allows sharing of field equipment between the SIS and BPCS, but it has requirements that, if properly implemented, will prevent sharing in an unsafe manner. One of those requirements is a fairly complex analysis of the shared components, which is often misunderstood or done improperly. And finally, a documented and verified FMEA of all shared components should be performed.
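To make the 11.2.10 note concrete, here is an added, deliberately simplified hazard-rate model; it is not code from the article, from Kenexis or Emerson, and not the analysis IEC 61511 prescribes. Its one modelling assumption is that a dangerous failure of the shared device both creates a demand and removes the SIS's ability to see it, so that demand goes unmitigated, and all rates used are constructed sample values.

```python
# Added example: simplified hazard-rate model of the IEC 61511 11.2.10 note.
# Not the standard's required analysis; a real assessment needs the full
# quantitative study and FMEA the article describes. All numbers are constructed.

HOURS_PER_YEAR = 8760.0


def per_year_from_fit(fit: float) -> float:
    """Convert a failure rate in FIT (failures per 1e9 hours) to failures per year."""
    return fit * HOURS_PER_YEAR / 1e9


def hazard_rate(demand_rate: float, pfd_avg: float, shared_dangerous_rate: float = 0.0) -> float:
    """Expected hazardous events per year.

    demand_rate            demands/yr on the SIF from causes independent of the shared device
    pfd_avg                average probability that the SIF fails on demand
    shared_dangerous_rate  dangerous failures/yr of a device shared between BPCS and SIS

    Assumption: independent demands are mitigated with probability 1 - pfd_avg, but a
    dangerous failure of the shared device creates a demand the failed device can no
    longer detect for the SIS, so those demands count in full (factor 1.0).
    """
    return demand_rate * pfd_avg + shared_dangerous_rate * 1.0


def max_shared_dangerous_rate(tolerable_hazard_rate: float, demand_rate: float, pfd_avg: float) -> float:
    """Largest shared-device dangerous failure rate (/yr) that still meets the
    tolerable hazard rate; zero or negative means the budget is already spent."""
    return tolerable_hazard_rate - demand_rate * pfd_avg


def sharing_acceptable(tolerable_hazard_rate: float, demand_rate: float,
                       pfd_avg: float, shared_dangerous_rate: float) -> bool:
    """True if sharing keeps the hazard rate within the tolerable target."""
    return hazard_rate(demand_rate, pfd_avg, shared_dangerous_rate) <= tolerable_hazard_rate


if __name__ == "__main__":
    thr = 1e-3      # tolerable hazard rate, events/yr (constructed target)
    demands = 0.1   # independent demand rate, /yr (constructed)
    pfd = 5e-3      # SIF PFDavg, inside the SIL 2 band (constructed)
    shared = per_year_from_fit(120.0)  # shared transmitter, 120 FIT dangerous (constructed)
    budget = max_shared_dangerous_rate(thr, demands, pfd)
    print(f"dedicated sensor  : {hazard_rate(demands, pfd):.2e} /yr")
    print(f"shared sensor     : {hazard_rate(demands, pfd, shared):.2e} /yr")
    print(f"max shared rate   : {budget:.2e} /yr (~{budget * 1e9 / HOURS_PER_YEAR:.0f} FIT)")
    print("sharing acceptable:", sharing_acceptable(thr, demands, pfd, shared))
```

With these sample values the shared transmitter's own dangerous failure rate exceeds the whole hazard budget left after the dedicated-sensor case, which is the "sharing is not possible" outcome the authors say the arithmetic usually produces.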
If process safety is part of your responsibility set or you want to learn more about sharing devices between control and safety instrumented systems, this article is well worth your time to read in detail.