Safety Instrumented Systems (SISs) are required in the process industry because basic process control systems (BPCSs) are not perfect. A BPCS does provide some safety, but the emphasis of its design is on controlling the process, not on protecting against hazardous events. Many industrial standards and guidelines therefore recommend that the SIS be separate from the BPCS. "A device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand on the safety instrumented function, unless an analysis has been carried out to confirm that the overall risk is acceptable." - ANSI/ISA 84.00.01-2004 11.2.10.
Human factors are the most common reason why SISs and BPCSs are kept independent. People cannot be relied on to make safe decisions during emergencies, no matter how well trained they are. A study analyzing human performance in life-threatening situations found that people make the wrong choice 99% of the time when required to decide in less than one minute, which underlines the importance of an automated SIS that responds to a hazardous event without waiting for an operator.
If components are shared between the SIS and the BPCS, a routine control change can alter a safety device without anyone checking its safety specification, with potentially serious consequences. Separating the SIS from the BPCS ensures that the Safety Requirement Specification (SRS) is reviewed before a change is made, and that any new hazard introduced by the proposed change is identified before the change is implemented. Consideration should be given to distinguishing SIS devices from BPCS devices by color, unique tags or a dedicated numbering system.
Safety Instrumented Systems are passive and dormant, monitoring the process and waiting to bring it to a safe state. They operate for long periods in which they do nothing but wait to respond to a demand, so a failed component can sit undetected until the next manual test, also called a proof test. Automatic diagnostics are therefore critical in an SIS: they reveal dangerous failures that would otherwise stay hidden, and good diagnostic coverage allows proof tests to be run less often. Changes after installation are subject to strict management of change (MOC), because even the smallest change can have a significant consequence.
Basic Process Control Systems (BPCS) are active and dynamic, controlling the process. These systems have a variety of digital and analog inputs and outputs that react to logic functions, making most failures self-revealing. Changes to BPCSs are very common and required to maintain accurate process control.
Separating the SIS from the BPCS greatly reduces the risk of common cause failures: failures in which a single cause defeats several components at once, including components that were meant to back each other up. Common cause failures can include loss of power, bugs in shared software or undetected device failures. It is often assumed that installing redundant components leads to a safer and more reliable system, but more is not always better. More components typically mean more complexity, and therefore more opportunities for failure, while identical redundant components remain exposed to the same common causes. Common cause failures are often triggered by temperature fluctuations, equipment vibration, radio frequency interference or power surges. The higher the performance level required of a Safety Instrumented Function (SIF), the more attention common cause failures demand.
The ideal way to prevent common cause failures is to install redundant devices with diverse technologies and physically separate the devices. For example, if you install a safety differential pressure transmitter to monitor a level application, you should also consider installing a gauge pressure mechanical switch in the event you lose power to the transmitter. By doing so, you are providing redundancy and diversity in your SIS design.
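The following script is an added illustration, not part of the original article, that puts numbers behind two of the points above: that diagnostics reduce the undetected dangerous failures an SIS accumulates between proof tests, and that common cause failures, not the number of redundant components, set the limit on what redundancy can achieve. It uses the simplified low-demand average PFD approximations from IEC 61508-6 (single channel: λ_DU·TI/2; 1oo2 with a beta-factor common cause model: ((1−β)λ_DU·TI)²/3 + β·λ_DU·TI/2), which ignore repair time and proof-test coverage. The failure rate, diagnostic coverage, proof-test interval and beta values are assumed for illustration and do not come from the article.

```python
"""Simplified average PFD comparison for a safety instrumented function.

Added example, not from the original article. The formulas are the simplified
IEC 61508-6 low-demand approximations (repair time and proof-test coverage
ignored). All numeric inputs below are assumed values chosen for illustration.
"""


def dangerous_undetected_rate(lambda_d, diagnostic_coverage):
    """Rate (per hour) of dangerous failures that automatic diagnostics miss.

    lambda_d is the total dangerous failure rate of one channel; the share
    (1 - DC) of it stays hidden until the next proof test.
    """
    if not 0.0 <= diagnostic_coverage <= 1.0:
        raise ValueError("diagnostic coverage must be between 0 and 1")
    return lambda_d * (1.0 - diagnostic_coverage)


def pfd_1oo1(lambda_d, diagnostic_coverage, ti_hours):
    """Single channel: an undetected fault is hidden, on average, for half
    the proof-test interval TI."""
    return dangerous_undetected_rate(lambda_d, diagnostic_coverage) * ti_hours / 2.0


def pfd_1oo2(lambda_d, diagnostic_coverage, ti_hours, beta):
    """Two redundant channels, either one able to trip the process.

    First term: both channels fail independently within the interval.
    Second term: one common cause event (power loss, shared software bug,
    vibration, RFI, ...) disables both at once; beta is the assumed fraction
    of dangerous failures that hit both channels together.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be between 0 and 1")
    ldu = dangerous_undetected_rate(lambda_d, diagnostic_coverage)
    independent = ((1.0 - beta) * ldu * ti_hours) ** 2 / 3.0
    common_cause = beta * ldu * ti_hours / 2.0
    return independent + common_cause


def common_cause_share(lambda_d, diagnostic_coverage, ti_hours, beta):
    """Fraction of the 1oo2 PFD that is due to the common cause term."""
    total = pfd_1oo2(lambda_d, diagnostic_coverage, ti_hours, beta)
    if total == 0.0:
        return 0.0
    ldu = dangerous_undetected_rate(lambda_d, diagnostic_coverage)
    return (beta * ldu * ti_hours / 2.0) / total


def sil_band(pfd):
    """Map an average PFD to its IEC 61508 low-demand SIL band.

    Returns 0 when the PFD is too high even for SIL 1. Values below the
    SIL 4 floor of 1e-5 are also reported as 4 (simplification).
    """
    for upper_limit, sil in ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)):
        if pfd < upper_limit:
            return sil
    return 0


if __name__ == "__main__":
    # Assumed inputs: a transmitter with 1e-6 dangerous failures per hour,
    # tested once a year (8760 h).
    lambda_d, ti = 1e-6, 8760.0
    rows = [
        ("1oo1, DC 60%", pfd_1oo1(lambda_d, 0.6, ti)),
        ("1oo1, DC 90%", pfd_1oo1(lambda_d, 0.9, ti)),
        ("1oo2, DC 60%, beta 0 (ideal)", pfd_1oo2(lambda_d, 0.6, ti, 0.0)),
        ("1oo2, DC 60%, beta 0.02 (diverse)", pfd_1oo2(lambda_d, 0.6, ti, 0.02)),
        ("1oo2, DC 60%, beta 0.10 (identical)", pfd_1oo2(lambda_d, 0.6, ti, 0.10)),
    ]
    for label, pfd in rows:
        print(f"{label:36s} PFDavg = {pfd:.2e}  SIL {sil_band(pfd)}")
    print(f"common cause share at beta 0.10: "
          f"{common_cause_share(lambda_d, 0.6, ti, 0.10):.0%}")
```

Two things stand out when the script runs. Raising diagnostic coverage on a single channel from 60% to 90% cuts its PFD by a factor of four without adding any hardware. Duplicating the channel looks far better on paper, but with a beta of 0.10 (typical of two identical devices sharing power, location and firmware) almost all of the 1oo2 PFD comes from the common cause term, and the result is tens of times worse than the ideal beta-0 figure. Diversity and physical separation, as recommended in the text, are what push beta down and let the redundancy pay off.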
Recommended methods to reduce these failures are: