SIS separation from DCS

controlnovice (Electrical), Jul 28, 2004
Working on a project with an SIS system. It is the same manufacturer as the DCS, so it is an 'integrated' system.

The design firm has the DCS commands going through the SIS to open/close valves as necessary, and the feedback from the valves goes to the SIS, which sends the signal to the DCS. All of the communication between the DCS and SIS is through the vendor's network, not hardwired.

I've always designed SIS and DCS completely separate, so one does not rely on the other to operate. So the DCS would activate a solenoid for an on/off valve, and the SIS would have another solenoid (always energized, only de-energize to trip) for the same on/off valve. Separate feedback as well (to save space and $, we would have two close feedbacks on the valve positioner, instead of two open and two close switches).

I think sending the information between the SIS and DCS through the network 'voids' the layer of protection the SIS is providing.

Any ideas on this practice?

______________________________________________________________________________
This is normally the space where people post something insightful.
Controlnovice,

I don't have any experience to pitch in, but I wanted to expand your acronyms so everyone understands the question (remember, we're not all in one country)...

SIS = Safety Instrumented System
DCS = Distributed Control System (or Process Control System, etc...).

I sure do see a lot of articles about integration of the two, but I'd also like to hear from people who have done so.

Good on ya,

Goober Dave
 
I have not been involved in recent process hazard or layers of protection analysis for the situation described. I hear people discuss things in a refinery environment that were not permitted offshore when I last reviewed API RP 14C.

What type of commands are being sent from the DCS to the SIS? If this is an operator to select “Automatic or Close” on a shutdown valve I might not be too concerned. An “Open or Close” command for a fail-close valve would cause more grief. An automated “close” command from the DCS would be very wrong. The valve position feedback for purposes of the operator HMI indication might not bother me. However, if the DCS is using the valve position status for normal control logic this would be very wrong. The normal / regulatory control from the DCS should use segregated sensors from the SIS sensors. I don’t have a problem with display type information communicated via Ethernet etc.

I expect the DCS to operate a control valve. The SIS should operate a separate shutdown or blowdown valve. A solenoid valve in the air to a control valve actuator is a very unreliable scheme. It is done in old refineries but should be avoided in a new site.

For control, the SIS and DCS should be completely separate. Further, an integrated system could be very susceptible to common mode failures. I like that the DCS uses different power supplies, different microprocessors, different I/O hardware and especially different measurement sensor technologies. Using the same type of controller, power supply, I/O etc. seems risky.

Some are using a “digital valve controller” for the valve actuation and feedback as a technique to accommodate partial stroke testing. I have not looked into this yet. I would not like using a DVC for shutdown initiation unless I REALLY understood it.

Excellent topic. I look forward to other responses by those closer to current DCS / SIS segregation and integration projects.
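The independence and common-mode points raised in the reply above are what a layer-of-protection analysis actually credits, so here is a small worked model of them. This is an added example for this thread, not code or figures from any poster, vendor or standard: all probabilities are constructed round numbers, and `pfd_shared` stands for the probability of a failure that defeats both layers at once (shared hardware family, firmware, or the common network path carrying commands and feedback).

```python
# Added example (not from the thread): why a component shared between the
# DCS control layer and the SIS protection layer erodes the risk reduction
# that a LOPA credits to "independent" layers.  All probabilities below are
# constructed, illustrative values.


def independent_layers_pfd(pfd_dcs: float, pfd_sis: float) -> float:
    """Probability that both layers fail on the same demand when they share
    no hardware, network or sensors: the plain product of the two PFDs."""
    return pfd_dcs * pfd_sis


def shared_component_pfd(pfd_dcs: float, pfd_sis: float, pfd_shared: float) -> float:
    """Both layers fail if the shared element fails (taking both down), or if
    each fails on its own.  Union of the two events: P(A)+P(B)-P(A)P(B).
    pfd_shared is an assumed probability of a common-mode failure."""
    both_on_their_own = pfd_dcs * pfd_sis
    return pfd_shared + both_on_their_own - pfd_shared * both_on_their_own


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD, the figure a LOPA compares against the required reduction."""
    return 1.0 / pfd


def compare_architectures(pfd_dcs: float, pfd_sis: float, pfd_shared: float) -> dict:
    """Combined PFD and RRF for the segregated and the integrated design, plus
    the ceiling that the shared element alone places on the achievable RRF."""
    segregated = independent_layers_pfd(pfd_dcs, pfd_sis)
    integrated = shared_component_pfd(pfd_dcs, pfd_sis, pfd_shared)
    return {
        "segregated_pfd": segregated,
        "segregated_rrf": risk_reduction_factor(segregated),
        "integrated_pfd": integrated,
        "integrated_rrf": risk_reduction_factor(integrated),
        # However good the SIS logic solver is, the stack can never be more
        # reliable than the element both layers depend on.
        "rrf_ceiling_from_shared_path": risk_reduction_factor(pfd_shared),
    }


if __name__ == "__main__":
    # Constructed values: DCS layer credited with RRF 10, SIS at PFD 0.01,
    # and a shared path assumed to fail dangerously 0.5% of the time.
    result = compare_architectures(pfd_dcs=0.1, pfd_sis=0.01, pfd_shared=0.005)
    for name, value in result.items():
        print(f"{name:30s} {value:10.4g}")
```

With these constructed inputs the segregated design reaches a combined RRF of about 1000, while the integrated one lands near 167: the shared path caps the whole stack at RRF 200 regardless of how the SIS itself performs, which is the quantitative form of the "voids the layer of protection" concern.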
 
Thanks for the comments:

A bit more: The DCS is controlling the valve, Open/Close, through the SIS. The SIS does not control the valve; its only logic will shut off the valve (for a fail-closed valve).

The DCS is using the feedbacks from the valve through the SIS as interlocks for other equipment, not just HMI or Command Disagree (when feedback does not match output command).

Even though by the same vendor, the DCS and SIS are separate systems, connected through same network: different processors, I/O cards, power supplies, etc.

I still think the concept of SIS is an INDEPENDENT layer of protection... the DCS is one layer, the SIS has to be completely separate.

Hope this leads to some good discussion, as the design firm has apparently done this in the past for other firms. So, that makes me think it's an okay practice. Need a second pair of eyes on this one.