Separation of ESD and DCS


Mike Boudreaux

We are planning to install a DCS with a separate ESD system in the near
future. I want to avoid having redundant instrumentation, so the DCS and
ESD will need to share input values from the field. Does anyone have any
suggestions for doing this? Should I have the inputs wired to the ESD
system and then have a serial connection sending the information to the DCS
for process control? I will be using smart transmitters and I don't want to
lose some of the maintenance and troubleshooting functionality that I have
in the DCS.

ISA S84 states in that sensors for the SIS have to be separate from
the BPCS, but later in B.1.5.1, it states that for SIL 1, a single sensor
may be used for both BPCS and SIS. Which is the truth when I want to stay
S84 compliant?


ALL standards (ISA, IEC, AIChE, API, IEEE) recommend separation. (This
subject is an entire chapter in the ISA book I co-authored.) The statements
in most of them are as black and white as what you quote from ANSI/ISA S84,
yet there are always exceptions (as even stated in If you have
other safety layers, and you do a risk analysis and can justify sharing
sensors, then go ahead and do it. But always keep a thought in mind, "How
will we justify this decision in court?"

Note that the first quote ( is a requirement, while the second
(B.1.5.1) is in the annex and only is meant as an example.
Generally you will find separation of BPCS and SIS as a requirement in
all safety standards (ISA S84 and IEC 61508). This is the number one rule
in designing an SIS.

If you want to share instruments, I would use an I/I converter, to limit
the amount of common cause only to the transmitter.

Tom Reinecke

If you use the same sensors for BPCS and SIS, then you cannot claim the
BPCS as an independent protection layer and take credit for it during risk
assessment. Thus, your SIS must achieve higher risk reduction compared to
separate systems.

The strength of your proposed design is increased validation of sensor
inputs. However, there will always be failure modes of sensors that remain
undetected. The danger is that both SIS and BPCS become unavailable at the
same time to perform the intended function.

If the risk assessment assumed the availability of an independent BPCS, you
must adhere to that assumption during implementation of the SIS. However,
you can redo the risk assessment based on no availability of a BPCS
independent protection layer (IPL). If your operator sits in a central
control room depending on the BPCS, you also cut out another IPL.

There is nothing wrong with repeating SIS inputs to the BPCS, if the systems
remain reaction free (SIS independent of BPCS).
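To make the point above concrete, here is an added worked example (not part of the original thread, and not any standard's official procedure) of a LOPA-style calculation: it computes the PFD and SIL the SIS must achieve for one scenario, first with the BPCS counted as an independent protection layer and then with that credit removed because the sensors are shared. The initiating-event frequency, target frequency, the relief-device PFD and the 0.1 BPCS credit are all constructed figures chosen for illustration; the SIL bands are the low-demand PFDavg ranges from IEC 61508/61511.

```python
"""LOPA-style check of the risk-reduction burden placed on the SIS.

Added illustration; all scenario figures below are constructed, not taken
from the thread or from any plant.
"""
from math import prod

# Low-demand-mode SIL bands as (SIL, lower PFDavg bound, upper PFDavg bound).
SIL_BANDS = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]


def required_sis_pfd(initiating_freq, target_freq, ipl_pfds):
    """Largest PFDavg the SIS may have so that
    initiating_freq * product(IPL PFDs) * PFD_sis <= target_freq."""
    # prod([]) == 1, so a scenario with no other layers still works.
    mitigated_without_sis = initiating_freq * prod(ipl_pfds)
    return target_freq / mitigated_without_sis


def sil_for_pfd(pfd):
    """Map a required PFDavg onto a SIL; 0 means no SIL-rated function needed."""
    if pfd >= 1e-1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    # Below the SIL 4 band: a single SIF cannot carry this much risk reduction.
    raise ValueError("required PFD below SIL 4 range; add layers or redesign")


def sis_requirement(initiating_freq, target_freq, other_ipl_pfds,
                    sensors_shared, bpcs_pfd=0.1):
    """Return (required PFD, required SIL, RRF) for the SIS.

    When the SIS shares its sensors with the BPCS, the BPCS is not an
    independent layer (common-cause sensor failure disables both), so its
    credit is dropped and the whole shortfall lands on the SIS.
    """
    ipls = list(other_ipl_pfds)
    if not sensors_shared:
        ipls.append(bpcs_pfd)  # IEC 61511 limits BPCS credit to PFD >= 0.1
    pfd = required_sis_pfd(initiating_freq, target_freq, ipls)
    return pfd, sil_for_pfd(pfd), 1.0 / pfd


# Constructed scenario (illustrative numbers only):
#   initiating event 0.5 /yr, tolerable frequency 1e-5 /yr,
#   one other IPL (a relief device) with PFDavg 0.05.
SCENARIO = dict(initiating_freq=0.5, target_freq=1e-5, other_ipl_pfds=[0.05])

if __name__ == "__main__":
    for shared in (False, True):
        pfd, sil, rrf = sis_requirement(sensors_shared=shared, **SCENARIO)
        label = "shared sensors" if shared else "independent BPCS"
        print(f"{label:17s}: SIS PFDavg <= {pfd:.1e}, RRF >= {rrf:.0f}, SIL {sil}")
```

With the constructed figures the SIS needs SIL 2 (RRF 250) while the BPCS is independent, and SIL 3 (RRF 2500) once the BPCS credit is lost to the shared sensors; that is the "higher risk reduction" the reply refers to, and it is the trade-off an I/I converter or signal isolator only partly buys back, since the transmitter itself remains the common element.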

I would suggest, depending on your I/O count, that a combined system would meet your criteria.
If not, then I would suggest only process-control-critical analogue values are split (via signal isolators) and then sent to both systems.
As the safety system is the higher-level system, the process-critical values should be processed there initially.