HIMA - The safety of an island

In our increasingly connected world, 'integration' sounds like a good idea but, when it comes to process safety, you should instead be thinking 'island'. That's because an integrated control and safety system from one vendor isn't just a bad idea - it's a dangerous one.

Integrated control and safety systems are subject to potentially devastating common-cause failures. Separated control and safety systems, on the other hand, provide a far greater degree of safety, as well as higher availability and reliability.

Keeping your business planning and control system (BPCS), and safety instrumented system (SIS) separate is safer and more secure; it can be proven mathematically, and it can be shown through experience. International standards support diverse, physically separated systems. The IEC and ISA standards make it clear. So do OSHA-PSM and EPA-RMP requirements. Control and safety systems should be diverse and separate. This involves:

  • a different developer and supplier
  • physically separated hardware
  • different engineering tools
  • different engineering processes
  • different power supplies
  • different panels
  • different monitoring stations.

IEC 61511-1 states: "BPCS shall be designed to be separate and independent to the extent that the functional integrity of the SIS is not compromised."

While integration and connectivity may seem appealing in terms of practicality, systems built like this can confer hugely increased operational risks. Put simply, your safety solution should be an island, limiting the impact of common-cause failures, as automation safety expert HIMA explains.

Some integrated system vendors see wiggle room in this statement; HIMA doesn't. The functional integrity of an SIS is always compromised when it is part of a co-located, integrated, non-diverse system. To prevent common-cause, common-mode and dependent failures, an assessment should consider:

  • independency between protection layers
  • diversity between protection layers
  • physical separation between protection layers
  • common cause failures between protection layers and BPCS.

Safety isn't the only reason to have diverse, physically separated systems, according to IEC 62443-3-3. Cybersecurity is an increasing threat that potentially can even impact physical safety. The IEC standard for security requires the same kind of assessment required by IEC 61511-1, but it also introduces the concept of security zones, defined conduits and additional firewalls at every conduit.

Real separation requires independent layers of protection
International safety standards require independent layers of protection. It just makes sense. If you merge two layers, the BPCS and SIS protection layers, for example, the likelihood of an incident increases.

Mingling the BPCS and SIS in any way so that the failure of one might impact the proper operation of the other due to a systematic failure or common cause effectively negates the concept of independent layers of protection.

Real separation also offers advantages. When your SIS and BPCS are diverse and physically separated, you gain the following benefits:

  • elimination of common-cause errors that result in safety-critical situations or undesired shutdowns
  • avoidance of safety-critical design, programming and operating errors though the mixing of safe/non-safe elements (human common-cause errors)
  • openness for multivendor interoperability
  • freedom to choose best-of-breed BPCS and SIS
  • compliance with standards and best engineering practices
  • greater legal certainty that comes from standards compliance
  • future-proof investments
  • improved security.

The case to choose SIS independence and BPCS integration is therefore obvious. HIMA non-stop safety solutions can be integrated with all leading BPCSs, with features including:

  • integration of alarms and events into the alarm management of the BPCS
  • integration of faceplates for operating and monitoring
  • transfer and visualisation of diagnostic data
  • transfer and visualisation of process data and safety-related locking states
  • time-stamp transfer
  • a maintenance override switch
  • partial stroke test
  • start-up bypass.

This is why, to many companies around the world, HIMA is the first port of call for safety-related automation solutions.

Products and Services

Contact Details

URL: www.hima.com

Make An Enquiry
First Name

Last Name

Email Address


Privacy Policy
We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.