Should Operator and Engineering Stations Be Shared in a Safety Instrumented System (SIS)? - Just Measure it

Introduction

Safety Instrumented Systems (SIS) are critical to ensuring process safety in high-risk industries such as petrochemicals, oil and gas, and power generation. A key consideration in SIS architecture is the configuration of operator stations (HMI) and engineering stations. This article addresses two common questions in SIS design:

  1. Can the operator and engineering stations be shared in an SIS environment?

  2. Is it necessary to provide a dedicated operator station for SIS, separate from the BPCS (Basic Process Control System)?

1. Can Operator and Engineering Stations Be Shared?

Recommended Practice: Not Shared

While technically possible, sharing one workstation between the operator (HMI) and engineering roles is strongly discouraged in safety-critical systems, for the following reasons:

Safety: The engineering station carries high-level privileges, including modification of safety logic and setting of bypasses (overrides of a safety function). Sharing it with operations widens the set of people and sessions that can make unauthorized or accidental changes to the safety logic.

System stability: The operator station must be available around the clock for real-time monitoring and response. Engineering operations such as software updates or configuration downloads can interrupt that availability.

Cybersecurity: Engineering stations routinely interact with external media and tools (USB drives, programming software), so they carry a higher risk of malware introduction. If the same host also serves as the operator interface, a compromise of that host exposes both the operator view and the engineering path into the SIS.

Compliance: IEC 61511 and related functional safety standards emphasize access control, change management and separation of roles; all three are undermined when the two functions share one station.

Acceptable Under Strict Controls (Small Systems)

In small, low-SIL installations, shared use may be tolerated only if all of the following hold:

  • User access is tightly restricted by role, so that an operator login cannot reach engineering functions;

  • Every engineering action (logic download, bypass, configuration change) is logged to an audit trail;

  • The engineering interface is separated from the operator interface, for example in a dedicated virtual machine or a remote session to a separate engineering host.

Even under these conditions shared use is not best practice: a virtual machine on the same hardware still shares the host's firmware, hypervisor and USB ports with the operator interface, so a compromise of the host affects both.
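As an added example (not from the original article or any vendor product), the following Python sketch shows how the three conditions above can be enforced in a command gate placed in front of the SIS engineering functions: role-based privileges, a rule that engineering actions are honoured only from a session on the dedicated engineering host and only with a change reference, and a hash-chained audit trail that detects later edits to earlier entries. The role and action names, the tag PSHH-101, the hostnames HMI-01 and ENG-01 and the change reference MOC-2024-017 are constructed for illustration.

```python
"""Role-separated command gate with tamper-evident audit log for an SIS
workstation. Added illustration, not from the article or any vendor product;
all names (roles, actions, tags, hosts, change references) are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Role(Enum):
    OPERATOR = "operator"
    ENGINEER = "engineer"


# Actions each role may invoke. Operators get monitoring and response only;
# anything that changes safety logic or forces a bypass is an engineering action.
ENGINEERING_ACTIONS = {"download_logic", "set_bypass", "clear_bypass", "firmware_update"}
PRIVILEGES = {
    Role.OPERATOR: {"view", "acknowledge_alarm", "manual_reset"},
    Role.ENGINEER: {"view"} | ENGINEERING_ACTIONS,
}


@dataclass
class Session:
    user: str
    role: Role
    workstation: str        # host the session was opened from (constructed names)
    engineering_host: bool  # True only for the dedicated, isolated engineering seat


@dataclass
class AuditLog:
    """Append-only log. Each entry's hash covers the previous entry's hash, so
    editing or deleting an earlier entry invalidates every hash after it."""
    entries: List[dict] = field(default_factory=list)
    last_hash: str = "0" * 64

    @staticmethod
    def entry_hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, session: Session, action: str, target: str,
               allowed: bool, reason: str) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": session.user,
            "role": session.role.value,
            "workstation": session.workstation,
            "action": action,
            "target": target,
            "allowed": allowed,
            "reason": reason,
            "prev": self.last_hash,
        }
        entry["hash"] = self.entry_hash(entry)
        self.last_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self.entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize(session: Session, action: str, target: str, log: AuditLog,
              change_ref: Optional[str] = None) -> bool:
    """Decide whether `session` may perform `action` on `target`.
    Every decision, allowed or denied, is written to the audit log."""
    if action not in PRIVILEGES[session.role]:
        allowed, reason = False, "action not granted to role"
    elif action in ENGINEERING_ACTIONS and not session.engineering_host:
        # Engineering path only from the separated engineering interface,
        # even when the user holds the engineer role.
        allowed, reason = False, "engineering action from non-engineering workstation"
    elif action in ENGINEERING_ACTIONS and not change_ref:
        # Change management: no logic change or bypass without a change record.
        allowed, reason = False, "engineering action without change reference"
    else:
        allowed, reason = True, "ok" if change_ref is None else f"ok ({change_ref})"
    log.record(session, action, target, allowed, reason)
    return allowed


def demo():
    """Constructed scenario: an operator on the HMI, an engineer logged in on
    that same HMI, and the same engineer on the dedicated engineering station."""
    log = AuditLog()
    op = Session("op.smith", Role.OPERATOR, "HMI-01", engineering_host=False)
    eng_on_hmi = Session("eng.lee", Role.ENGINEER, "HMI-01", engineering_host=False)
    eng = Session("eng.lee", Role.ENGINEER, "ENG-01", engineering_host=True)
    results = {
        "operator_ack": authorize(op, "acknowledge_alarm", "PSHH-101", log),
        "operator_bypass": authorize(op, "set_bypass", "PSHH-101", log),
        "engineer_bypass_from_hmi": authorize(eng_on_hmi, "set_bypass", "PSHH-101", log),
        "engineer_bypass_no_moc": authorize(eng, "set_bypass", "PSHH-101", log),
        "engineer_bypass": authorize(eng, "set_bypass", "PSHH-101", log, change_ref="MOC-2024-017"),
    }
    return results, log


if __name__ == "__main__":
    decisions, audit = demo()
    for name, ok in decisions.items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY'}")
    print("audit chain intact:", audit.verify())
```

Of the five constructed requests only the operator's alarm acknowledgement and the engineer's bypass from the engineering host with a change reference are allowed; the denied attempts are still logged, which is what makes the audit trail useful when reviewing who tried to reach engineering functions from the operator seat.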

2. Should SIS Have a Dedicated Operator Station?

Not Mandatory by Standards, but Highly Recommended

IEC 61511 does not explicitly require a dedicated SIS operator station. However, industry best practices—especially for SIL2 and SIL3 systems—strongly recommend separating SIS operator functions from the main DCS or BPCS interface.

Functional isolation: A dedicated SIS HMI keeps safety-related displays and commands separate from process control, preventing confusion and limiting operator access to the authorized safety functions only.

Enhanced security: Placing the SIS HMI on a segregated network reduces the chance that malware or ransomware on the BPCS network reaches safety operations.

Availability: If the DCS/BPCS station fails, the SIS remains observable and operable through its independent HMI.

Audit and compliance: A separate SIS operator station yields clearer records of safety-related actions and changes.

System Design Recommendations

SIL 1 / small systems: A shared operator interface may be acceptable with proper access controls.

SIL 2 systems: Logical isolation of the SIS HMI is strongly recommended, even where it is hosted on shared hardware.

SIL 3 / large systems: A dedicated SIS operator station with its own communication path and controls is considered best practice.

Conclusion

While it is technically possible to share operator and engineering stations in SIS, this practice contradicts core principles of functional safety, security, and reliability. Similarly, although standards do not mandate a standalone SIS operator station, most projects with SIL2 or higher requirements adopt this architecture to reduce operational risks and meet audit expectations.

✔ Best Practice Summary:

  • Operator station and engineering station should not be shared.

  • SIS operator station should be physically or logically independent from BPCS.

  • Engineering station should be isolated and used under strict control.
