B.3 Software design considerations
B.4 Technology selection
B.5 Failure rate and failure modes
B.6 Architecture
B.7 Power sources
B.8 Common cause failures
B.9 Diagnostics
B.10 Field devices
B.11 User interface
B.12 Security
B.13 Wiring practices
B.14 Documentation
B.15 Function test interval
B.1 Separation - identical or diverse
B.1.1 Separation between BPCS and SIS functions reduces the probability that both control and safety functions become unavailable at the same time, or that inadvertent changes affect the safety functionality of the SIS. Therefore, it is generally necessary to provide separation between the BPCS and SIS functions.
B.1.2 Identical separation is generally acceptable for SIL 1 applications. Diverse separation offers the additional benefit of reducing the probability of systematic faults (a factor especially important in SIL 3 applications) and reducing common cause failures (see B.8).
B.1.3 There are four areas where separation may be needed to meet the safety functionality and safety integrity requirements:
a) Application of field sensors
b) Application of final control elements
COPYRIGHT 2003; The Instrumentation, Systems, and Automation Society Document provided by IHS Licensee=Technip Abu Dabhi/5931917101, User=,
c) The logic solver
d) Communication between SIS and BPCS or other equipment
B.1.4 Each of these four areas should be evaluated to ensure that the required SIL is met.
B.1.5 Sensors
A single sensor used for both BPCS and SIS requires further safety review and analysis as part of the process safety activity (see Annex A). For example, a level sensor used for both BPCS and high level trip SIS can create a demand if it fails below the setpoint of the level controller; as a result, the controller may drive the valve open, and this protection will be lost.
B.1.5.1 For SIL 1, a single sensor may be used for both BPCS and SIS, provided the safety integrity requirements are met.
B.1.5.2 For SIL 2, identical separation between BPCS and SIS is typically needed to meet the required safety integrity.
B.1.5.3 For SIL 3, identical or diverse separation between BPCS and SIS is typically needed to meet the required safety integrity.
B.1.5.4 When redundant SIS sensors are used, the sensors may be connected to both the SIS and BPCS provided that a safety review and analysis shows the connection to the BPCS does not compromise the safety integrity of the SIS.
B.1.6 Control and shutdown valves
B.1.6.1 For SIL 1, a single valve may be used for both BPCS and SIS, provided the valve’s unsafe failure rate meets the safety integrity requirements. The design should ensure that the SIS action overrides the BPCS action.
B.1.6.2 For SIL 2, identical separation between BPCS and SIS is typically needed to meet the required safety integrity. A single valve used for both BPCS and SIS requires further safety review and analysis, since it may not meet the required safety integrity. For example, a valve used for both BPCS and SIS can create a demand if it fails in the open position. If this valve is also used for an interlock, this protection will be lost, since the SIS could not close the valve.
B.1.6.3 For SIL 3, identical or diverse separation between BPCS and SIS is typically needed to meet the required safety integrity.
B.1.6.4 When redundant SIS valves are used, the valves may be connected to both the SIS and BPCS provided that a safety review and analysis shows the connection to the BPCS does not compromise the safety integrity of the SIS.
B.1.6.5 Additional considerations for determining valve requirements are
a) shutoff requirements;
b) reliability experience with the valve;
c) unsafe failure modes of the valve; and
d) operating procedures that make the valve less effective (e.g., open bypass valves).
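The two failure modes described in B.1.5 (a level sensor shared by the BPCS controller and the high-level trip) and B.1.6.2 (a valve shared by the BPCS and the SIS) can be made concrete with a small process simulation. The code below is an added illustration, not part of the standard: the tank, controller gain, trip point and failure values are constructed, and the three scenarios show why separation of the sensor and of the final element each matter.

```python
from dataclasses import dataclass

# Constructed plant parameters (percent of level span per time step); not from the standard.
LEVEL_SETPOINT = 50.0    # BPCS level controller setpoint
HIGH_LEVEL_TRIP = 90.0   # SIS high-level trip point
OVERFLOW = 100.0         # level at which the vessel overflows


@dataclass
class Tank:
    level: float = 50.0       # true level, % of span
    outflow: float = 5.0      # fixed draw per step
    max_inflow: float = 20.0  # inflow per step with the inlet valve fully open


def bpcs_controller(pv: float, sp: float = LEVEL_SETPOINT, kp: float = 0.05) -> float:
    """Proportional level controller: drives the inlet valve further open as the
    measured level falls below setpoint. The 0.25 bias balances inflow against
    outflow when the level sits at setpoint."""
    return max(0.0, min(1.0, kp * (sp - pv) + 0.25))


def simulate(shared_sensor: bool, sensor_fails: bool = False,
             valve_fails_open: bool = False, fail_at: int = 10,
             failed_reading: float = 30.0, steps: int = 40) -> dict:
    """Run the tank for `steps` steps and report whether the SIS tripped and whether
    the vessel overflowed.

    shared_sensor    - the SIS reads the same level transmitter as the BPCS (B.1.5)
    sensor_fails     - at step `fail_at` that transmitter freezes at `failed_reading`,
                       which is below the controller setpoint
    valve_fails_open - at step `fail_at` the (shared) inlet valve fails open (B.1.6.2)
    """
    tank = Tank()
    tripped_at = None
    peak = tank.level
    for t in range(steps):
        failed = t >= fail_at
        bpcs_pv = failed_reading if (sensor_fails and failed) else tank.level
        # An independent SIS sensor sees the true level; a shared one sees the failed reading.
        sis_pv = bpcs_pv if shared_sensor else tank.level
        if tripped_at is None and sis_pv >= HIGH_LEVEL_TRIP:
            tripped_at = t
        demand = 0.0 if tripped_at is not None else bpcs_controller(bpcs_pv)
        # A shared valve that has failed open ignores both the BPCS demand and the trip.
        position = 1.0 if (valve_fails_open and failed) else demand
        tank.level = max(0.0, min(OVERFLOW, tank.level + tank.max_inflow * position - tank.outflow))
        peak = max(peak, tank.level)
    return {"tripped_at": tripped_at, "peak_level": peak, "overflowed": peak >= OVERFLOW}


if __name__ == "__main__":
    print("shared sensor fails low :", simulate(shared_sensor=True, sensor_fails=True))
    print("separate SIS sensor     :", simulate(shared_sensor=False, sensor_fails=True))
    print("shared valve fails open :", simulate(shared_sensor=False, valve_fails_open=True))
```

With the shared transmitter frozen below setpoint, the controller drives the inlet fully open and the SIS, reading the same value, never sees a high level; with an independent SIS sensor the trip fires before overflow. In the third scenario the sensor is healthy and the trip fires, but because the final element is the failed valve itself the trip cannot act, which is exactly the case B.1.6.2 sends for further safety review.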
ANSI/ISA-S84.01-1996 57
B.1.7 Logic solver
B.1.7.1 For SIL 1, identical or diverse separation between BPCS and SIS is typically needed to meet the required safety integrity.
B.1.7.2 For SIL 2, diverse separation between BPCS and SIS is typically needed to meet the required safety integrity. Identical separation between BPCS and SIS may be used provided safety review and analysis shows that it meets the safety integrity requirements.
B.1.7.3 For SIL 3, diverse separation between BPCS and SIS should be considered to meet the required safety integrity.
B.1.7.4 There may be special cases where it is not possible to provide separation between BPCS and SIS (e.g., a gas turbine control system includes both control and safety functions). Additional considerations when combining control and safety functions in the same device are
a) evaluation of the failure of common components and software and their impact on SIS performance;
b) life cycle support of the entire system as a SIS with respect to changes, maintenance, testing, and documentation; and
c) limiting access to the programming or configuration functions of the system.
B.1.8 Communications between BPCS and SIS
B.1.8.1 Communications between BPCS and SIS can enhance the overall safety of the application. However, external communications, particularly writes to the SIS, can compromise the safety integrity of the SIS. Provision must be made to ensure all writes are valid and do not negatively impact the system safety or operation. (See B.1.8.2 sections (c) and (d) for further guidance.)
B.1.8.2 There are five basic ways to approach external communication between BPCS and SIS:
a) No external communication between BPCS and SIS
This is acceptable for all SILs.
b) Hard-wired communication between BPCS and SIS
This is acceptable for SIL 1 and SIL 2, but use of this method for SIL 3 requires additional safety review and analysis. An example is an analog or discrete output from one device wired directly to an input of another device.
c) Read only external communication from SIS to BPCS
This may be acceptable for all SILs if review and analysis is done to assure that the safety function is not compromised. Measures to achieve write protection of the safety function include, but are not limited to
1) hard-wired switch (or jumper) to limit write access; and
2) implementation of the safety function in SIS ROM.
d) Read/write external communications with write protection of the safety function
This is acceptable for SIL 1 and 2, but use of this method for SIL 3 requires additional safety review and analysis. Measures to achieve write protection of the safety function include but are not limited to
1) limited time window for write access; and
2) software switch (e.g., password) to limit write access.
e) Read/write external communications with limited or no write protection of the safety function
Use of this method may be acceptable for SIL 1. Use of this method for SIL 2 requires additional safety review and analysis. Use of this method in SIL 3 is discouraged.