SIS separation from DCS

Working on a project with an SIS system.  It is the same manufacturer as the DCS, so it is an 'integrated' system.

The design firm has the DCS commands going through the SIS to open/close valves as necessary, and the feedback from the valves goes to the SIS, which sends the signal to the DCS.  All of the communication between the DCS and SIS is through the vendor's network, not hardwired.

I've always designed SIS and DCS completely separate, so one does not rely on the other to operate.  So the DCS would activate a solenoid for an on/off valve, and the SIS would have another solenoid (always energized, only de-energize to trip) for the same on/off valve.  Separate feedback as well (to save space and $, we would have two close feedbacks on the valve positioner, instead of two open and two close switches).

I think sending the information between the SIS and DCS through the network 'voids' the layer of protection the SIS is providing.

Any ideas on this practice?

This is normally the space where people post something insightful.

RE: SIS separation from DCS


I don't have any experience to pitch in, but I wanted to expand your acronyms so everyone understands the question (remember, we're not all in one country)...

SIS = Safety Instrumented System
DCS = Distributed Control System (or Process Control System, etc...).

I sure do see a lot of articles about integration of the two, but I'd also like to hear from people who have done so.

Good on ya,

Goober Dave

RE: SIS separation from DCS

I have not been involved in recent process hazard or layers of protection analysis for the situation described.  I hear people discuss things in a refinery environment that were not permitted offshore when I last reviewed API RP 14C.

What type of commands are being sent from the DCS to the SIS?  If this is an operator to select "Automatic or Close" on a shutdown valve I might not be too concerned.   An "Open or Close" command for a fail close valve would cause more grief.  An automated "close" command from the DCS would be very wrong.  The valve position feedback for purposes of the operator HMI indication might not bother me.  However, if the DCS is using the valve position status for normal control logic this would be very wrong.  The normal / regulatory control from the DCS should use segregated sensors from the SIS sensors.  I don't have a problem with display type information communicated via Ethernet etc.

I expect the DCS to operate a control valve.  The SIS should operate a separate shutdown or blowdown valve.  A solenoid valve in the air to a control valve actuator is a very unreliable scheme.  It is done in old refineries but should be avoided in a new site.

For control, the SIS and DCS should be completely separate.  Further an integrated system could be very susceptible to common mode failures.  I like that the DCS uses different power supplies, different microprocessors, different I/O hardware and especially different measurement sensor technologies.  Using the same type controller, power supply, I/O etc. seems risky.

Some are using a "digital valve controller" for the valve actuation and feedback as a technique to accommodate partial stroke testing.  I have not looked into this yet.  I would not like using a DVC for shutdown initiation unless I REALLY understood it.

Excellent topic.  I look forward to other responses by those closer to current DCS / SIS segregation and integration projects.

RE: SIS separation from DCS

Thanks for the comments:

A bit more: The DCS is controlling the valve, Open/Close, through the SIS.  The SIS does not control the valve, its only logic will shut off the valve (for a fail closed valve).

The DCS is using the feedbacks from the valve through the SIS as interlocks for other equipment, not just HMI or Command Disagree (when feedback does not match output command).

Even though by the same vendor, the DCS and SIS are separate systems, connected through the same network: different processors, I/O cards, power supplies, etc.

I still think the concept of SIS is an INDEPENDENT layer of protection...the DCS is one layer, the SIS has to be completely separate.

Hope this leads to some good discussion as the design firm has apparently done this in the past for other firms.  So, makes me think it's an okay practice.  Need a second pair of eyes on this one.

This is normally the space where people post something insightful.
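
One way to make the independence question in this thread concrete, as an added example that is not part of any post: it lists the components each signal path depends on for the two wirings described (commands and feedback routed through the SIS versus separate solenoids and feedback) and reports what the DCS paths share with the SIS trip path. Component names and the exact contents of each path are assumptions made for illustration.

```python
# Constructed model of the two wirings described in the thread; component
# names are illustrative assumptions, not taken from any vendor system.
DESIGNS = {
    "integrated": {  # DCS commands and valve feedback routed through the SIS
        "dcs_command":  ["dcs_controller", "vendor_network", "sis_logic_solver",
                         "sis_output_card", "sis_solenoid", "valve"],
        "dcs_feedback": ["valve", "limit_switch_a", "sis_input_card",
                         "sis_logic_solver", "vendor_network", "dcs_controller"],
        "sis_trip":     ["sis_logic_solver", "sis_output_card",
                         "sis_solenoid", "valve"],
    },
    "separate": {  # one solenoid and one feedback switch per system
        "dcs_command":  ["dcs_controller", "dcs_output_card",
                         "dcs_solenoid", "valve"],
        "dcs_feedback": ["valve", "limit_switch_a", "dcs_input_card",
                         "dcs_controller"],
        "sis_trip":     ["sis_logic_solver", "sis_output_card",
                         "sis_solenoid", "valve"],
    },
}

def shared_components(design):
    """Components that sit in both a DCS path and the SIS trip path."""
    paths = DESIGNS[design]
    dcs = set(paths["dcs_command"]) | set(paths["dcs_feedback"])
    return sorted(dcs & set(paths["sis_trip"]))

def dcs_functions_lost(design, failed):
    """DCS functions that stop working when the `failed` components are down."""
    return sorted(name for name, path in DESIGNS[design].items()
                  if name.startswith("dcs_") and set(path) & set(failed))

def audit(design):
    """Summarise shared elements and DCS dependence on the SIS and network."""
    return {
        "shared_with_sis_trip": shared_components(design),
        "dcs_lost_if_network_down": dcs_functions_lost(design, ["vendor_network"]),
        "dcs_lost_if_sis_solver_down": dcs_functions_lost(design, ["sis_logic_solver"]),
    }

if __name__ == "__main__":
    for name in DESIGNS:
        print(name, audit(name))
```

In this model the separate wiring still shares the valve itself with the SIS trip path, while the integrated wiring also shares the SIS logic solver, output card and solenoid, and both DCS paths stop working if the network or the SIS logic solver is down.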
