In our increasingly connected world, 'integration' sounds like a good idea but, when it comes to process safety, you should instead be thinking 'island'. That's because an integrated control and safety system from one vendor isn't just a bad idea - it's a dangerous one.
Integrated control and safety systems are subject to potentially devastating common-cause failures. Separated control and safety systems, on the other hand, provide a far greater degree of safety, as well as higher availability and reliability.
Keeping your basic process control system (BPCS) and safety instrumented system (SIS) separate is safer and more secure; this can be proven mathematically and has been borne out by experience. International standards support diverse, physically separated systems: the IEC and ISA standards make it clear, and so do the OSHA PSM and EPA RMP requirements. Control and safety systems should be diverse and separate. This involves:
IEC 61511-1 states: "BPCS shall be designed to be separate and independent to the extent that the functional integrity of the SIS is not compromised."
While integration and connectivity may seem appealing from a practical standpoint, systems built this way can carry greatly increased operational risk. Put simply, your safety solution should be an island that limits the impact of common-cause failures, as automation safety expert HIMA explains.
Some integrated system vendors see wiggle room in this statement; HIMA doesn't. The functional integrity of an SIS is always compromised when it is part of a co-located, integrated, non-diverse system. To prevent common-cause, common-mode and dependent failures, an assessment should consider:
Safety isn't the only reason to have diverse, physically separated systems; IEC 62443-3-3 adds cybersecurity to the picture. Cyber threats are growing and can ultimately affect physical safety. The IEC security standard requires the same kind of assessment as IEC 61511-1, but it also introduces security zones, defined conduits between them, and additional firewalls at every conduit.
Real separation requires independent layers of protection
International safety standards require independent layers of protection. It just makes sense. If you merge two layers, the BPCS and SIS protection layers, for example, the likelihood of an incident increases.
Mingling the BPCS and SIS in any way that lets a systematic failure or common cause in one affect the proper operation of the other effectively negates the concept of independent layers of protection.
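The arithmetic behind the last two paragraphs can be made concrete. The following is an added example, not code from the original article or from HIMA; it uses the standard layer-of-protection calculation, in which the probability that a demand gets past every independent layer is the product of the layers' probabilities of failure on demand (PFD), and adds one shared failure mode to stand for a common-cause fault (same controller family, same firmware, same engineering error) that defeats both layers at once. The demand rate, the BPCS and SIS PFD values, and the common-cause probability are constructed for illustration and are not figures from any standard or plant.

```python
"""Independent protection layers versus layers coupled by a common cause.

Added example: constructed numbers, not data from the article.
Model assumptions (stated, not taken from the page):
  * each layer has a probability of failure on demand (PFD);
  * truly independent layers fail together with probability prod(PFD);
  * a merged architecture adds one shared failure mode with probability
    common_cause_pfd that takes every layer out at the same time.
"""


def layered_pfd(pfd_layers, common_cause_pfd=0.0):
    """Probability that a demand passes every layer.

    Either the shared failure happens (all layers lost at once), or it does
    not and each layer must then fail independently.
    """
    p_all_independent_fail = 1.0
    for pfd in pfd_layers:
        p_all_independent_fail *= pfd
    return common_cause_pfd + (1.0 - common_cause_pfd) * p_all_independent_fail


def mitigated_event_frequency(demand_rate, pfd_layers, common_cause_pfd=0.0):
    """Hazardous-event frequency per year after the protection layers act."""
    return demand_rate * layered_pfd(pfd_layers, common_cause_pfd)


def risk_reduction_factor(pfd_layers, common_cause_pfd=0.0):
    """Overall risk reduction factor (RRF) of the combined layers."""
    return 1.0 / layered_pfd(pfd_layers, common_cause_pfd)


def compare_architectures(demand_rate=0.1, pfd_bpcs=0.1, pfd_sis=0.01,
                          common_cause_pfd=0.01):
    """Separated layers versus the same layers with a shared failure mode.

    Constructed inputs: one demand every ten years, a BPCS layer credited
    with PFD 0.1, an SIS with PFD 0.01, and a 1 % chance that a single
    common-cause fault disables both layers in the merged design.
    """
    separate = mitigated_event_frequency(demand_rate, [pfd_bpcs, pfd_sis])
    merged = mitigated_event_frequency(demand_rate, [pfd_bpcs, pfd_sis],
                                       common_cause_pfd)
    return {
        "separate_per_year": separate,
        "merged_per_year": merged,
        "separate_rrf": risk_reduction_factor([pfd_bpcs, pfd_sis]),
        "merged_rrf": risk_reduction_factor([pfd_bpcs, pfd_sis],
                                            common_cause_pfd),
        "penalty_factor": merged / separate,
    }


if __name__ == "__main__":
    for key, value in compare_architectures().items():
        print(f"{key:>20}: {value:.4g}")
```

With these constructed inputs the separated design lets one demand through every 10,000 years, while the merged design, whose shared failure mode is only 1 % likely, lets one through roughly every 900 years: the common-cause term (0.01) dwarfs the independent product (0.001), so the RRF collapses from 1,000 to about 91. Changing `common_cause_pfd` shows that even a small shared failure probability dominates as soon as it exceeds the product of the individual PFDs, which is the mathematical reason the standards insist on independence rather than merely good individual PFD figures.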
Real separation also offers advantages. When your SIS and BPCS are diverse and physically separated, you gain the following benefits:
The case for an independent SIS that is integrated with the BPCS is therefore clear. HIMA non-stop safety solutions can be integrated with all leading BPCSs, with features including:
This is why, to many companies around the world, HIMA is the first port of call for safety-related automation solutions.