In process industries such as oil & gas, petrochemicals, and power generation, the Safety Instrumented System (SIS) plays a critical role in preventing hazardous events and protecting people, equipment, and the environment.
One frequently asked question in SIS design is: Should the SIS have its own dedicated operator station, or can it share the same station with the Distributed Control System (DCS)?
The answer depends on safety integrity requirements, system architecture, and operational philosophy.
1. Dedicated SIS Operator Station
Description:
A dedicated SIS operator station (HMI or engineering workstation) is completely separate from the DCS operator stations, with its own hardware, software, and network connection.
Advantages:
Maximum independence: Physical separation ensures that DCS failures do not affect SIS monitoring or control.
Compliance with SIL requirements: High Safety Integrity Level (SIL) systems—particularly SIL 3 and above—often require strict functional independence to meet IEC 61511 or similar standards.
Improved cybersecurity: Reduced risk of cross-system interference from malware or operator errors.
Disadvantages:
Higher hardware and licensing costs.
Operators must switch between different terminals to monitor both process and safety functions.
Typical Applications:
Emergency Shutdown Systems (ESD) in refineries.
Burner Management Systems (BMS) in high-hazard boilers.
SIS for offshore platforms and LNG plants.
2. Shared Operator Station with DCS
Description:
SIS graphics and controls are integrated into the DCS operator station. Logical isolation (software segregation, user privileges) is used instead of full physical separation.
Advantages:
Lower cost: Shared hardware and licenses reduce initial investment.
Convenience: Operators can view both process control and safety information on the same display.
Simplified training: Only one interface for most operational tasks.
Disadvantages:
Reduced independence—DCS hardware or software failure can impair SIS monitoring capabilities.
Higher risk of human error if control and safety functions are presented in the same interface without clear segregation.
Typical Applications:
Medium to low risk processes (SIL 1–SIL 2).
Smaller facilities where cost efficiency outweighs strict physical separation.
3. Hybrid Approach
Description:
A common compromise is to have:
A dedicated SIS engineering workstation for configuration, diagnostics, and maintenance.
Limited SIS monitoring functions integrated into the DCS operator stations (read-only or with restricted controls).
Advantages:
Meets most independence requirements for higher SIL ratings.
Provides operators with centralised process visibility.
Reduces duplication of hardware for day-to-day monitoring.
Typical Applications:
Large chemical complexes.
Power plants with integrated safety and control systems.
LNG terminals with high SIL requirements but shared operational staff.
Industry Best Practices
Follow IEC 61511 guidance for functional independence.
For SIL 3 and higher, physical separation is strongly recommended.
Even in shared configurations, ensure:
Network segregation between SIS and DCS.
Access control and role-based user permissions.
Clearly differentiated HMI graphics for safety vs. control functions.
Maintain a separate SIS engineering station for maintenance and configuration.
Conclusion
Whether an SIS requires a dedicated operator station depends on risk level, SIL rating, and operational philosophy.
High-risk applications: A dedicated SIS operator station (or at least a dedicated engineering station) is strongly advised to ensure maximum independence and compliance.
Lower-risk applications: Sharing a station with the DCS can be acceptable if appropriate safeguards and segregation measures are implemented.
In all cases, the decision should be based on safety analysis, compliance requirements, and operational practicality—always prioritizing the system’s ability to function correctly when it’s needed most.