Kenexis is commonly asked to assist in specifying requirements for bypassing functions the Safety Instrumented System (SIS). Most SIS share a common Human Machine Interface (HMI) with the Basic Process Control System (BPCS). The HMI application software typically runs on a server and communicates with both the BPCS and the SIS using a digital protocol (e.g., Modbus, Ethernet I/P, etc.). In rare situations the SIS will have its own, dedicated HMI, but this is not typical.
Operators will bypass a Safety Instrumented Function (SIF) using the HMI, which communicates bypass information to the SIS controller. For relatively small systems, bypass is accomplished using physical switches that are hardwired inputs to the SIS, but this is increasingly uncommon.
For most systems, Kenexis’ limits the ability to bypass to SIS inputs; we disallow SIS outputs or overriding the commanded state of a SIF. In doing so, operators are required to take responsibility for providing alternate protection when bypassing any process condition that is being monitored by the SIS.
Using any digital protocol to communicate bypass status should be carefully engineered to avoid an unsafe bypass situation. Good engineering practice is described in ANSI/ISA 84.00.01-2004 (IEC 61511-MOD), Clause 220.127.116.11 “The design of the SIS communication interface shall ensure that any failure of the communication interface shall not adversely affect the ability of the SIS to bring the process to a safe state”.
Failure of the communications link between the HMI server and SIS should not create a situation where a bypass remains in effect when it shouldn’t be. Of course, we could configure the SIS to monitor the status of the communications link and take some pre-defined action, which could theoretically include automatic shutdown of the process. Albeit safe, this would not be desirable in most situations, so other configuration options should be considered.
Typically, Kenexis recommends the SIS be provided with physical switch that is hardwired to an SIS digital input channel. This is usually a keyswitch that is designated “Bypass Enable”. When the switch is in the “NORMAL” position, the input channel is OFF, and the SIS is programmed to ignore any requests to bypass any SIS input from the HMI. When the switch is in the “ENABLE” position, the input channel is ON, and the SIS will permit bypasses to be requested from the HMI.
Failure of the communication link between the HMI and the SIS would be a revealed condition that would generate a fault alarm; however, the state of bypasses would not change in the SIS. Even though the comm link is down, operators can remove any bypasses by switching the Bypass Enable keyswitch to NORMAL.
If a Bypass Enable switch has not been provided in the design, then operators would not have this ability to remove bypasses that were in effect at the time of the communications failure. This does not conform to Clause 18.104.22.168. To resolve this without adding a bypass enable switch, we would require the SIS to be configured to automatically remove any bypasses that might be in effect at the time of comms failure. Obviously, this could result in a SIF to activate if an input were not in service or otherwise outside the safe operating limits at the time of the comms failure. As this may result in an unwanted shutdown of the process, the bypass enable switch avoids the need for this configuration of the SIS.