Safety Architecture Overview

How Acaysia ensures safe operation through defense-in-depth design, failsafe mechanisms, and seamless integration with existing safety systems.

Safety Philosophy

At Acaysia, safety is not a feature—it's the foundation of everything we build. Our safety architecture is guided by three core principles:

1. Never Compromise Safety for Performance

Acaysia will always choose the safe action over the optimal action. Performance improvements are only pursued within verified safe operating envelopes.

2. Fail Safe, Not Fail Operational

When in doubt, Acaysia returns control to proven traditional systems. We design for safe failure modes, not continued operation under uncertainty.

3. Operator Always Has Final Authority

Human operators can override Acaysia at any time. The system provides recommendations and automation, but never removes human agency.

Defense in Depth

Acaysia implements multiple independent layers of protection. If any single layer fails, subsequent layers prevent unsafe conditions.

Layer 1: Process Design

Inherently safer process conditions and equipment limits

Layer 2: Basic Process Control (BPCS)

Traditional PID loops maintain normal operation

Layer 3: Acaysia Optimization

Advanced control within verified safe envelope

Layer 4: Acaysia Safety Monitor

Independent watchdog validates all outputs

Layer 5: Safety Instrumented System (SIS)

Independent hardware-based emergency shutdown

Key Point: Acaysia operates at Layer 3 and is monitored by Layer 4. It never replaces or interferes with the independent Safety Instrumented System (Layer 5).

Failsafe Mechanisms

Automatic Fallback to PID

In any anomalous condition, Acaysia automatically transfers control to traditional PID controllers. This "bumpless transfer" ensures continuous process operation.

Fallback Triggers

Condition                       Detection Method        Response Time
---------------------------------------------------------------------
Communication loss              Heartbeat timeout       < 500ms
Model prediction error          Residual monitoring     < 1 second
Control output anomaly          Rate-of-change limits   Immediate
Process variable out of range   Boundary monitoring     Immediate
Operator request                Manual override         Immediate

Watchdog Timer

The Acaysia edge device includes a hardware watchdog timer. If the control software fails to reset the timer within the configured interval (default: 1 second), the hardware automatically:

  1. Disconnects Acaysia outputs from the process
  2. Signals the PLC to resume direct control
  3. Logs the event for post-incident analysis
  4. Alerts operators via configured notification channels

Output Clamping

All Acaysia outputs are bounded by configurable limits:

# Output constraints configuration
outputs:
  reactor_temperature_sp:
    min: 50.0   # Minimum setpoint (°C)
    max: 180.0  # Maximum setpoint (°C)
    rate_limit: 5.0  # Max change per minute (°C/min)

  coolant_valve:
    min: 0.0    # Fully closed
    max: 100.0  # Fully open
    rate_limit: 20.0  # Max change per second (%/s)
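As an added illustration of how the Layer 4 monitor sits between the optimizer and the process (example code written for this page, not Acaysia's implementation): a validator that applies the min/max and rate limits from the configuration above and raises the fallback triggers listed in the table. The latching behaviour, the 1e-9 tolerance and the decision to treat a rate-limit violation as a "control output anomaly" that trips fallback (rather than slewing the output) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class OutputLimits:
    lo: float           # "min" in the YAML above
    hi: float           # "max" in the YAML above
    rate_limit: float   # "rate_limit" in the YAML above
    rate_unit_s: float  # 60.0 for a per-minute limit, 1.0 for a per-second limit

# Constructed table mirroring the configuration above.
LIMITS: Dict[str, OutputLimits] = {
    "reactor_temperature_sp": OutputLimits(50.0, 180.0, 5.0, 60.0),
    "coolant_valve": OutputLimits(0.0, 100.0, 20.0, 1.0),
}
HEARTBEAT_TIMEOUT_MS = 500  # "Communication loss" row of the trigger table

class SafetyMonitor:
    """Layer-4 style check applied to every output before it reaches the process."""
    def __init__(self, limits: Dict[str, OutputLimits], last_outputs: Dict[str, float]):
        self.limits = limits
        self.last = dict(last_outputs)          # last value actually written per output
        self.fallback_reason: Optional[str] = None
    def _trip(self, reason: str) -> None:
        # Latching (assumption): once tripped, control stays with PID until an
        # operator resets the monitor, so the first reason is preserved.
        if self.fallback_reason is None:
            self.fallback_reason = reason
    def check_heartbeat(self, now_ms: int, last_beat_ms: int) -> bool:
        if now_ms - last_beat_ms > HEARTBEAT_TIMEOUT_MS:
            self._trip("communication loss")
        return self.fallback_reason is None
    def check_process_variable(self, value: float, lo: float, hi: float) -> bool:
        if not lo <= value <= hi:                # boundary monitoring
            self._trip("process variable out of range")
        return self.fallback_reason is None
    def validate_output(self, name: str, requested: float, elapsed_s: float) -> Optional[float]:
        """Return the value allowed to be written, or None once control has fallen back to PID."""
        if self.fallback_reason is not None:
            return None
        lim = self.limits[name]
        clamped = min(lim.hi, max(lim.lo, requested))           # hard min/max clamp
        budget = lim.rate_limit * elapsed_s / lim.rate_unit_s   # allowed change this interval
        if abs(clamped - self.last[name]) > budget + 1e-9:      # rate-of-change limit
            self._trip("control output anomaly")
            return None
        self.last[name] = clamped
        return clamped
```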

Runtime Monitoring

Model Confidence Tracking

Acaysia continuously monitors the accuracy of its internal models by comparing predictions to actual process measurements. When confidence drops below threshold, the system:

  • Widens safety margins on control actions
  • Increases reliance on traditional control
  • Flags the situation for operator review
  • Triggers model retraining if appropriate

Anomaly Detection

Multiple anomaly detection methods run in parallel:

Statistical Process Control

Traditional SPC charts monitor process variables for out-of-control conditions using CUSUM and EWMA algorithms.
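To show what CUSUM and EWMA charts add over a plain high/low alarm, here is an added example (written for this page, not Acaysia's code) that runs both charts over a constructed reactor-temperature series with a slow drift; the target, sigma, k, h and lambda values are assumed tuning parameters.

```python
# CUSUM and EWMA control charts over a constructed reactor-temperature series.
# Example code written for this page, not Acaysia's implementation; target,
# sigma, k, h and lambda are assumed tuning values.

def cusum(samples, target, sigma, k=0.5, h=5.0):
    """Two-sided tabular CUSUM on standardised deviations.
    Returns (index of first out-of-control sample or None, high-side history)."""
    s_hi = s_lo = 0.0
    history = []
    for i, x in enumerate(samples):
        z = (x - target) / sigma
        s_hi = max(0.0, s_hi + z - k)   # accumulates upward drift
        s_lo = max(0.0, s_lo - z - k)   # accumulates downward drift
        history.append(s_hi)
        if s_hi > h or s_lo > h:
            return i, history
    return None, history

def ewma(samples, target, sigma, lam=0.2, L=3.0):
    """EWMA chart with exact time-varying control limits.
    Returns (index of first out-of-control sample or None, EWMA history)."""
    z = target
    history = []
    for i, x in enumerate(samples):
        z = lam * x + (1.0 - lam) * z
        history.append(z)
        var = sigma ** 2 * lam / (2.0 - lam) * (1.0 - (1.0 - lam) ** (2 * (i + 1)))
        if abs(z - target) > L * var ** 0.5:
            return i, history
    return None, history

# Constructed data: 20 in-control readings around 120 degC (sigma ~0.5 degC),
# followed by a slow +0.3 degC/sample drift.
IN_CONTROL = [0.3, -0.4, 0.1, 0.5, -0.2, -0.6, 0.2, 0.4, -0.3, 0.0,
              0.1, -0.5, 0.3, 0.2, -0.1, 0.4, -0.3, 0.0, 0.2, -0.2]
SAMPLE_TEMPS = [120.0 + d for d in IN_CONTROL] + [120.0 + 0.3 * n for n in range(1, 11)]

def first_alarm(samples, target=120.0, sigma=0.5):
    """Index of the earliest alarm raised by either chart, or None."""
    hits = [a for a in (cusum(samples, target, sigma)[0],
                        ewma(samples, target, sigma)[0]) if a is not None]
    return min(hits) if hits else None

if __name__ == "__main__":
    i = first_alarm(SAMPLE_TEMPS)
    print(f"first alarm at sample {i}, reading {SAMPLE_TEMPS[i]:.1f} degC")
```

Both charts stay quiet on the in-control samples and alarm on the drift when the reading is only 1.5 degC above target, well inside a ±2 degC high/low alarm band that would still be silent.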

Physics-Based Consistency

Mass and energy balance checks verify that sensor readings are physically consistent with each other.

ML Anomaly Detection

Autoencoder neural networks identify subtle patterns that may indicate equipment degradation or process drift.

Audit Logging

Every control action is logged with full context:

  • Timestamp (synchronized to plant time server)
  • Current process state
  • Model predictions
  • Control action taken
  • Confidence level
  • Active constraints

Logs are stored locally and can be exported to plant historians for long-term retention.

Safety System Integration

Independence from SIS

Acaysia is architecturally separate from the Safety Instrumented System (SIS):

  • No shared hardware or software components
  • No ability to modify SIS logic or setpoints
  • SIS can operate correctly even if Acaysia completely fails

SIS Status Monitoring

Acaysia reads (but never writes) SIS status information to:

  • Detect when process is approaching safety limits
  • Proactively adjust control to avoid SIS activation
  • Recognize post-trip conditions and assist with safe restart

Critical: Acaysia never bypasses, overrides, or interferes with SIS operation. The SIS always has priority and will activate regardless of Acaysia state.

Operator Interface Integration

Acaysia integrates with existing HMI/SCADA systems to provide:

  • Clear indication of Acaysia mode (Shadow/Advisory/Closed-Loop)
  • Easy one-click override to return to manual control
  • Alarm integration following ISA-18.2 standards
  • Trend displays showing Acaysia recommendations vs. actual control

Standards Compliance

IEC 61511 / ISA 84

Acaysia is designed to operate within process plants that comply with IEC 61511 (functional safety for process industries). Key considerations:

  • Acaysia operates in the BPCS layer, not the SIS layer
  • Does not claim any Safety Integrity Level (SIL) rating
  • Relies on independent SIS for safety-critical functions

ISA/IEC 62443

Acaysia follows industrial cybersecurity best practices:

  • Secure-by-design architecture
  • Encrypted communications (TLS 1.3)
  • Role-based access control
  • Regular security updates and patching

See our ISA/IEC 62443 Compliance Guide for detailed information.

Industry-Specific Standards

Industry         Relevant Standards   Acaysia Compliance
-----------------------------------------------------------------------
Pharmaceutical   21 CFR Part 11       Audit trails, electronic signatures
Oil & Gas        API RP 556           Instrumentation best practices
Chemical         OSHA PSM             Management of Change support

Safety Validation

Factory Acceptance Testing (FAT)

Before deployment, every Acaysia system undergoes comprehensive FAT including:

  • Simulated fault injection testing
  • Communication failure scenarios
  • Boundary condition testing
  • Failover timing verification

Site Acceptance Testing (SAT)

On-site testing validates integration with plant systems:

  • End-to-end communication verification
  • Manual override functionality
  • Alarm system integration
  • Watchdog timer operation

Ongoing Validation

Safety systems require continuous validation:

  • Automated daily self-tests
  • Quarterly manual failover drills
  • Annual comprehensive safety review
  • Model accuracy validation against process data

Safety is Our Priority

Discuss your safety requirements with our engineering team.

Contact Us