11.07.2015 Views

safety instrumented systems: can they be integrated but separate


A short review of some safety terminology will help as we move forward. The Safety Instrumented System (SIS) is a set of components such as sensors, logic solvers, and final control elements arranged for the purpose of taking the process to a safe state when predetermined conditions are violated. Another view is that it is a collection of Safety Instrumented Functions (SIF). A SIF is a loop composed of one or more transmitters and one or more valves linked together for the purpose of preventing hazards. Each SIF is rated as a Safety Integrity Level (SIL) based upon the consequence and frequency of occurrence.

In the past, process plants used different methods to define the Safety Integrity Level or SIL of their plant. Often SIL 3 was considered a “worst case” and plants were designed around this rating. This led to over-engineering and expensive systems. Current standards require that each SIF in a Safety Instrumented System be considered separately. This means that there are no “SIL 3 plants”. There are process plants that may be a combination of SIL 3, SIL 2, SIL 1 and SIL 0 SIFs. After each SIF has been assigned a SIL level, a Risk Reduction Factor (RRF) must be determined. The RRF is the reduction in risk that has to be achieved to meet the tolerable risk for a specific situation.

Traditionally, when looking at ways to reduce risk in order to achieve the correct RRF, the focus has been on the SIS logic solver. The logic solver was the most complex part of the SIF. This complexity required the people who configured it to be highly skilled in safety system programming. These people rarely looked outside the logic solver to see how the end devices affected the assumed risk reduction factor.

Research compiled in the OREDA Offshore Reliability Database shows that only 8% of SIS failures are a result of a problem in the logic solver. The measurement device causes 42% of the failures and 50% are caused by the final element. It is important to note that we will now focus on the logic solver, which in reality is only 8% of the problem.

So why weren’t the end devices taken into account? One reason is that historically it has been very difficult to get information from the end devices used by the SIS. Even if “smart” devices with HART diagnostics were used, getting the HART signal required HART multiplexers to strip off the HART signal and send it to the Asset Management System (AMS), where it then had to be reconnected with the data from the SIS devices. This made it very difficult to determine the status of the devices or use this data to make any informed decisions.

The theoretical reason for separation of BPCS and SIS systems has been introduced, but in reality these systems need to be integrated at some level to provide an effective interface for plant personnel. There is no such thing as completely SEPARATE, only how INTEGRATED should they be?
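The per-SIF rating and the weight of the end devices discussed above can be checked numerically. The following is an added example, not part of the original paper: it assumes the usual low-demand approximation that a SIF's average probability of failure on demand (PFDavg) is the sum of its sensor, logic solver and final element PFDs, that RRF = 1/PFDavg, and the IEC 61508/61511 low-demand SIL bands. All PFD figures and the names `SIF`, `sil_for` and `evaluate` are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Low-demand SIL bands expressed as RRF floors (IEC 61508 / IEC 61511).
SIL_FLOORS = [(10_000, 4), (1_000, 3), (100, 2), (10, 1)]

@dataclass(frozen=True)
class SIF:
    name: str
    required_rrf: float   # risk reduction needed to reach tolerable risk
    sensor: float         # PFDavg of the measurement device(s)
    logic: float          # PFDavg of the logic solver
    final: float          # PFDavg of the final element (valve, actuator)

def sil_for(rrf):
    """Map an RRF to the SIL band it falls in (0 = below SIL 1)."""
    return next((sil for floor, sil in SIL_FLOORS if rrf > floor), 0)

def evaluate(sif):
    """Sum subsystem PFDs (series approximation) and compare with the target."""
    parts = {"sensor": sif.sensor, "logic solver": sif.logic,
             "final element": sif.final}
    pfd = sum(parts.values())
    rrf = 1.0 / pfd
    return {
        "rrf": rrf,
        "sil": sil_for(rrf),
        "meets_target": rrf >= sif.required_rrf,
        "dominant": max(parts, key=parts.get),
        "share": {k: v / pfd for k, v in parts.items()},
    }

# Constructed SIF: values are illustrative, not from the paper or any database.
TRIP = SIF("high-pressure trip", required_rrf=500,
           sensor=2.0e-3, logic=1.0e-4, final=4.0e-3)
# Same loop with an ideal logic solver: the end devices still cap the RRF.
PERFECT_LOGIC = replace(TRIP, name="ideal logic solver", logic=0.0)
# Same loop with better field devices and the original logic solver.
BETTER_FIELD = replace(TRIP, name="improved field devices",
                       sensor=5.0e-4, final=1.0e-3)

if __name__ == "__main__":
    for case in (TRIP, PERFECT_LOGIC, BETTER_FIELD):
        r = evaluate(case)
        print(f"{case.name}: RRF={r['rrf']:.0f} SIL={r['sil']} "
              f"meets={r['meets_target']} dominant={r['dominant']}")
```

In this constructed loop, removing the logic solver's contribution entirely leaves the SIF short of its required RRF, while improving the sensor and final element meets it.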
