There will always be users whose corporate policy is to keep systems separate. Bill Barkovitz, vice president of marketing at Triconex, notes, “Our customers pretty much all have internal standards that require separation between the control and safety systems. There is no way we’ll see the need for separation going away.” However, he does see the need for good communications and data flow from both the SIS and the BPCS. But there is a caveat. If data from both systems is presented on a single screen, there needs to be clear differentiation between them, and operators should not be able to access the SIS without a procedure.
Integration can be done safely. According to Bruce Jensen, Yokogawa manager of marketing and sales support, manufacturers can have two separate networks and use a gateway, or put the SIS data on the DCS network using a single unified HMI. The operator from his console can monitor the safety system and operate the DCS. Engineers, for example, can have a unified screen with a common engineering environment to configure the logic solver on the safety system and the DCS using the DCS builder. The safety tags use the same tag names that can be displayed on the DCS without any gateway conversion or mapping of loops. The alarms come into a unified alarm system.
While savings are possible with an integrated system, Scott Hillman, manager, Safety Management Systems, Honeywell Process Solutions, thinks that it’s not so much the architecture (integrated or separate) that makes the difference in saving money. Rather, the biggest savings actually come from the up-front analysis and design phase, where manufacturers run the risk of either under-engineering the SIS (exposing too much risk) or over-engineering the SIS, resulting in spending too much money. Over-engineering is the more common path taken, adding too much cost to the system without really adding any further protection against risk.
While integration brings with it all the advantages of improved data communications, simplified engineering tools, and common HMIs for the operators, it means more up-front work for manufacturers, especially the smaller ones who lack qualified personnel on staff who are current with the new specs. One vendor recommends that these manufacturers call in TÜV-certified consultants (see www.cfse.org) who can design, build, and verify that a safety system meets all the IEC and ISA specs.
“Why shouldn’t a DCS system with an integrated safety system go through the same scrutiny as DCSs and safety PLCs did in the 80s?” questions Shell’s Janiec. Janiec says the new safety approach is easier to use, may be more economical than the separate systems of today, and promises more reliability with higher availability.
Apply Common Sense
While it may be quite all right in some applications to put process control and SIS in the same controller, it’s a good idea to make sure that existing controllers aren’t maxed out. An already over-tasked safety controller that’s running 200 safety loops is just too much to ask of the logic solver. The accumulated risk that comes with this build-up of loops should not be overlooked. In this situation, it makes more sense to add another controller.
Finally, it’s all well and good to have the technology in place, but accidents can often be traced to human error. Says Dr. Mannan, “In general the majority of accidents happen for two reasons. First, 90% of accidents happen because the manufacturer didn’t use the resources that were available. For example, the procedures were there, but ignored; a check valve should have been installed, but wasn’t; or the control system was in place, but operators relied on human judgment. The remaining 10% occur because of a lack of adequate technology or knowledge.” Mannan contends that if humans are 90% reliable, then controls companies need to design fail-safe systems that take into consideration the 10% human unreliability factor.
Mannan sees three areas of growth in the future of safety. First, we need better performance measurement systems to tell us how we’re doing with plant safety design. Second, we need better ways of dealing with run-away chemical reactions—and computer modeling software is making it possible to design safer process control systems. Third, we need inherently safer design where lifecycle risk assessments are used with all the chemicals involved in a process.