… Please don’t.

I have recently put together a couple of presentations and a paper on the topic of shared field equipment in BPCS and SIS service.  The bottom line is that sharing a piece of field equipment is often a clear violation of the IEC 61511 standard that cannot be “assessed away”, at least not without very rigorous mathematical proof that you often will not be able to get.

The IEC 61511 standard (or whatever national variant that you follow) discourages sharing of components between SIS and BPCS, and specifically excludes it in one case.  That case where the use of a single component is not allowed is when failure of a single component both INITIATES a hazardous event and simultaneously PREVENTS the SIS from taking action.  Let me give you two quick examples.

1. A single flow transmitter is used to control the flow of a fired heater pass and also to cause a shutdown of fuel gas if the flow goes too low.  In this case, if the device fails in place (e.g., the impulse taps freeze) and the set point is above the frozen measured value, the controller will drive the control valve closed, stopping flow (i.e., INITIATING the hazard), and the same frozen measurement also prevents the SIS from detecting the abnormally low flow condition (i.e., PREVENTING the SIS from taking action).

2. A control valve throttles flow on the outlet of a vessel, and the solenoid on that valve is de-energized on low level to protect against a low-level hazard.  If that valve gets stuck in position and inflow decreases, the level will start to drop because the valve cannot close to reduce outlet flow (i.e., INITIATING the hazard).  Also, the SIS action of de-energizing the solenoid valve does nothing because the valve is stuck in position (i.e., PREVENTING the SIS from taking action).

While it is apparent that these types of installations are quite dangerous, the standard does still allow them to exist, but it states that if this situation occurs, there shall be an analysis that justifies the use of the single component.  While some may use a simple hand-waving justification, this is not adequate.  When a single device’s failure can essentially cause a hazardous event to occur, you have essentially created a continuous mode safety function.  Thus, if one desires to demonstrate that use of the single component is still acceptable, you would be required to mathematically show that the dangerous failure rate of the device (in reality, of the whole loop associated with the device) is lower than the tolerable frequency of the event that the SIF is intended to protect against.  This is significantly different from, and more labor intensive than, simply having a meeting where everyone agrees that it is “safe enough”.
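The comparison described above, worked through as an added example that is not from the post or from any standard's worked examples: the per-element dangerous failure rates, the tolerable event frequency and the PFDavg are constructed placeholders, and the separate-hardware case assumes a low-demand SIF whose hazard frequency is approximated as demand rate times PFDavg.

```python
"""Continuous-mode check for a shared BPCS/SIS field device (added example).

Assumptions (constructed, not from the post): dangerous failure rates are
per hour, loop elements are in series so their dangerous rates add, and the
tolerable event frequency is expressed per year.
"""
HOURS_PER_YEAR = 8760.0


def loop_dangerous_rate(elements):
    """Sum the dangerous failure rates (per hour) of every element in the loop.

    A shared device drags the whole BPCS loop (transmitter, I/O, controller,
    final element) into the hazard-initiating path, so all of them count."""
    return sum(elements.values())


def shared_device_hazard_rate_per_year(elements):
    """Continuous mode: one dangerous failure of the shared loop both initiates
    the hazard and defeats the SIS, so hazard frequency == loop dangerous rate."""
    return loop_dangerous_rate(elements) * HOURS_PER_YEAR


def separate_hardware_hazard_rate_per_year(demand_rate_per_year, pfd_avg):
    """Low-demand mode with independent SIS hardware (assumed model): the BPCS
    loop failure is only a demand, and the hazard occurs only if the SIF also
    fails, so hazard frequency ~= demand rate * PFDavg."""
    return demand_rate_per_year * pfd_avg


def is_acceptable(hazard_rate_per_year, tolerable_per_year):
    """The justification the standard asks for: hazard rate below tolerable."""
    return hazard_rate_per_year < tolerable_per_year


# Constructed sample: the fired-heater pass flow loop of example 1.
SHARED_LOOP = {
    "flow_transmitter": 5e-7,    # lambda_D per hour (constructed)
    "io_and_controller": 2e-7,   # constructed
    "control_valve": 1e-6,       # constructed
}
TOLERABLE_PER_YEAR = 1e-4   # constructed tolerable frequency for the event
SIL2_PFD_AVG = 5e-3         # constructed PFDavg for an independent SIF

if __name__ == "__main__":
    shared = shared_device_hazard_rate_per_year(SHARED_LOOP)
    # With separate hardware the same BPCS loop failure becomes the demand.
    separate = separate_hardware_hazard_rate_per_year(shared, SIL2_PFD_AVG)
    print(f"shared device : {shared:.2e}/yr  ok={is_acceptable(shared, TOLERABLE_PER_YEAR)}")
    print(f"separate SIS  : {separate:.2e}/yr  ok={is_acceptable(separate, TOLERABLE_PER_YEAR)}")
```

With these placeholder numbers the shared loop fails the check by two orders of magnitude, while the identical loop behind an independent SIF passes; the point is that the comparison has to be made with real loop data, not agreed in a meeting.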

Of course, this type of quantitative analysis is complex and beyond the abilities of a lot of practitioners.  My advice: install separate hardware!  In my experience, the cost of the additional hardware is lower than the cost of the analysis, and at the end of the project you have additional tangible safety hardware instead of a consultant’s report.