Integrated Safety Instrumented Systems and Distributed Control Systems – Are They a Good Idea?
Those who have been entrusted with the task of selecting a safety instrumented system for their plant often run into a perplexing question. Should I go for a stand-alone Safety Instrumented System, which will be totally different from my Distributed Control System (or DCS for short)? Or should I select one of the newer “integrated systems”, which comprise both the Distributed Control System and a Safety Instrumented System in one package?
A Safety Instrumented System (or SIS) is a special kind of control system used for the safety critical parts of process plants, turbo machinery, boilers and other machinery or equipment that has to be controlled with a very high degree of reliability in order to run it safely, and to bring it to a safe state if something goes wrong. Emergency Shutdown Systems (ESD for short) can be considered a subset of the SIS category of control systems.
Distributed Control Systems (DCS), on the other hand, are the control systems used for the normal control and monitoring of process plants, oil refineries, oil & gas production platforms, power plants and so on. The DCS is the main system that measures, monitors and controls process parameters like flow, temperature and pressure. In the standards literature this system is also referred to as the BPCS (short for Basic Process Control System).
In the view of the standards bodies (like IEC and ISA), these two systems have to be completely separate, because a safety instrumented system has to be dedicated to controlling only the safety critical parts of the plant. The ordinary DCS cannot be relied on to be robust, fail-safe and certain to operate the safety critical instruments at all times. This distinction between the DCS and SIS initially led to separate markets for the two types of systems, each with its own suppliers. Thus companies like Triconex, HIMA, Pilz and ICS Triplex were the traditional vendors of Safety Instrumented Systems, whereas the BPCS or DCS market belonged to companies like Emerson, ABB, Honeywell, Yokogawa and Invensys.
This meant that if a plant had instruments and controls designated as safety critical, it necessarily required a separate SIS; because of what the standards state, the DCS would not do at all. One control room therefore housed two control systems, as different as chalk and cheese. The SIS had its own power supply (or UPS), separate panels, monitoring stations, separate programming software and of course totally separate hardware from the DCS. The same instrument engineer who maintained the instruments and controls of the process plant now had to be adept at both systems simultaneously. Plant modifications were a pain, as any change had to be implemented in both systems, with a lot of testing to ensure that the original interlocks and loops still worked as designed.
Making the two systems communicate with each other also proved far from simple: even after DCS vendors had come out with open systems, the Safety Instrumented System vendors were reluctant to migrate to them, because of the extensive proof testing required to ensure that the “open” systems were bug free.
Hence, most instrument engineers in this situation started wishing for a new deal, whereby the SIS and the DCS could talk to each other seamlessly (while remaining separate to conform to the standards). And what if they could share a common engineering and programming platform as well? That would be the icing on the cake!
The DCS vendors sensed this mood among users, and many of them came out with “integrated” DCS/SIS systems, in which the DCS and SIS controllers are different but form part of the same overall system. Some recent examples are Emerson’s Delta V with SIS and Siemens’ Safety Integrated system. These have reportedly become popular because most of these integrated systems have third party (most commonly TUV) certificates for the SIS part, so users can have a worry free installation for safety critical applications. However, I have not yet seen any debate in the technical media regarding this issue. Are these systems doing great, or are users now longing for the earlier separate DCS/SIS systems? I think we need more time and more data to arrive at any definitive conclusion.

The advantages of an integrated DCS/SIS are obvious, as stated above. The disadvantages are somewhat less obvious. One disadvantage is that if the SIS portion is really easy to program, there is a chance that unauthorized users (say a savvy DCS operator) might end up changing protected settings like interlock bypasses and setpoints, which is really dangerous. Plus the thought of having an SIS with a standard “open” OS like Windows is rather uncomfortable, as the last thing one wants is a system freeze during an emergency.
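The first disadvantage above, a DCS operator on a shared engineering platform altering interlock bypasses or trip setpoints, is the one a defender can actually engineer against: protected SIS tags are written only by the safety-engineer role, only while the SIS controller's physical key switch is in the program position, only under an approved management-of-change record naming that tag, and every attempt is audited so repeated denied attempts can be alerted on. The Python below is an added example of such a write gate, not code from any vendor's integrated system or from the original post; the roles, tag names, key-switch model and MOC identifiers are assumptions made for the example.

```python
"""Authorization gate for writes to SIS parameters from a shared DCS/SIS
engineering platform.

Added example, not code from any vendor's integrated system. It models the
controls that keep a DCS operator from changing protected SIS settings such as
interlock bypasses and trip setpoints:
  1. only the safety-engineer role may write protected tags,
  2. the SIS controller's physical key switch must be in PROGRAM,
  3. an approved management-of-change (MOC) record must name the tag,
  4. every attempt, allowed or denied, goes into an append-only audit log.
Roles, tag names and MOC identifiers below are constructed for the example.
"""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Role(Enum):
    OPERATOR = "operator"                # runs the plant from the DCS HMI
    DCS_ENGINEER = "dcs_engineer"        # maintains BPCS (DCS) logic
    SAFETY_ENGINEER = "safety_engineer"  # only role allowed to alter SIS logic


# Tag suffixes the gate treats as safety-critical (assumed naming convention).
PROTECTED_SUFFIXES = (".BYPASS", ".TRIP_SP")


@dataclass
class ChangeRequest:
    user: str
    role: Role
    tag: str                      # e.g. "PSHH-101.TRIP_SP" (constructed)
    new_value: object
    moc_id: Optional[str] = None  # MOC approval reference, if any


@dataclass
class SisWriteGate:
    key_switch_program: bool = False                 # physical key on the SIS CPU
    approved_moc: Dict[str, Set[str]] = field(default_factory=dict)  # moc_id -> tags
    audit: List[dict] = field(default_factory=list)  # append-only audit trail

    @staticmethod
    def is_protected(tag: str) -> bool:
        """True if the tag is an SIS parameter that needs the full check."""
        return tag.endswith(PROTECTED_SUFFIXES)

    def authorize(self, req: ChangeRequest) -> Tuple[bool, str]:
        """Decide whether the write may proceed; always records the attempt."""
        reason = "ok"
        if self.is_protected(req.tag):
            if req.role is not Role.SAFETY_ENGINEER:
                reason = "role not permitted to modify SIS parameters"
            elif not self.key_switch_program:
                reason = "SIS key switch not in PROGRAM position"
            elif req.tag not in self.approved_moc.get(req.moc_id, set()):
                reason = "no approved MOC covering this tag"
        allowed = reason == "ok"
        self.audit.append({
            "ts": time.time(), "user": req.user, "role": req.role.value,
            "tag": req.tag, "value": req.new_value, "moc": req.moc_id,
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def denied_attempts(self, user: str) -> int:
        """Number of denied protected-tag writes by a user (detection input)."""
        return sum(1 for rec in self.audit
                   if rec["user"] == user and not rec["allowed"])

    def repeat_offenders(self, threshold: int = 2) -> List[str]:
        """Users whose denied attempts reach the threshold; worth an alert."""
        users = {rec["user"] for rec in self.audit}
        return sorted(u for u in users if self.denied_attempts(u) >= threshold)


def demo() -> dict:
    """Walk through the typical cases; returns the decisions for inspection."""
    gate = SisWriteGate(key_switch_program=False)
    gate.approved_moc["MOC-0001"] = {"PSHH-101.TRIP_SP"}   # constructed approval
    results = {}
    # A DCS operator tries twice to bypass a high-pressure trip: denied, logged.
    for _ in range(2):
        results["operator_bypass"] = gate.authorize(
            ChangeRequest("opr1", Role.OPERATOR, "PSHH-101.BYPASS", True))
    # Ordinary DCS setpoint: not an SIS tag, so no special handling.
    results["operator_dcs_sp"] = gate.authorize(
        ChangeRequest("opr1", Role.OPERATOR, "FIC-201.SP", 50.0))
    se_req = ChangeRequest("se1", Role.SAFETY_ENGINEER,
                           "PSHH-101.TRIP_SP", 95.0, "MOC-0001")
    # Right role and MOC, but the key switch is still in RUN: denied.
    results["engineer_key_run"] = gate.authorize(se_req)
    gate.key_switch_program = True                      # key turned to PROGRAM
    results["engineer_ok"] = gate.authorize(se_req)
    results["offenders"] = gate.repeat_offenders()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the design is that no single factor is enough: a compromised or careless operator account fails the role check, a safety engineer's credentials alone fail without the physical key and the MOC record, and the audit trail turns repeated denied writes to bypass or trip-setpoint tags into a detection signal rather than a silent event.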
Only time will tell whether the integrated SIS/DCS systems are a better choice than the stand-alone SIS, since only then will there be enough data for a balanced view.