Safety Instrumented System (SIS)


A Safety Instrumented System (SIS) is a control system consisting of sensors, one or more controllers (often referred to as logic solvers), and final elements. Another common name is an Emergency Shutdown (ESD) system. The SIS is simply the sum of all the Safety Instrumented Functions (SIFs) defined for the unit. The primary purpose of an SIS is to monitor an industrial process for potentially dangerous conditions and either issue alarms or execute pre-programmed actions. These actions are designed to either prevent a hazardous event from occurring or mitigate its consequences should it occur.

A safety instrumented system (SIS) implements the SIF(s) required to achieve or to maintain a safe state of the process and, as such, contributes towards the necessary risk reduction to meet the tolerable risk. For example, the Safety Requirements Specification (SRS) may state that when the temperature reaches a value of x, valve y opens to allow water to enter the vessel.

A SIS implements one or more Safety Instrumented Functions (SIFs). It typically includes several safety functions, each with a different Safety Integrity Level (SIL). Therefore, it is not appropriate to describe an SIS with a single SIL. Instead, an SIS is designed and managed to achieve the specific SIL requirement of each individual function.

It is important to distinguish between a SIS and a SIF. A SIF encompasses a single function, acting in one specific way to prevent a single harmful outcome. In contrast, a single SIS may contain multiple SIFs, each with its own unique SIL. This makes it incorrect and ambiguous to assign a single SIL to an entire safety instrumented system.

Safety Instrumented System (SIS)

The IEC 61508 standard does not use the term “Safety Instrumented System (SIS)” but instead refers to it as a “safety-related system.” This term conveys the same concept but uses language that can be broadly applied across various industries.

Practitioners often prefer a more functional definition of an SIS, such as:

  • A system composed of sensors, logic solvers, and final elements, designed to:
    • Automatically take an industrial process to a safe state when specified conditions are violated.
    • Allow a process to move forward safely when specified conditions permit (permissive functions).
    • Mitigate the consequences of an industrial hazard through specific actions.

This definition highlights that an SIS may be responsible for shutdown functions, permissive functions, and consequence reduction (mitigation) functions. All these functions share a common attribute: they reduce risk. As a result, one common interpretation of an SIS is that it is an automatic risk reduction system.

In some cases, an SIS reduces risk by decreasing the likelihood of a potential hazard. In other cases, it decreases risk by reducing the severity of the consequences. Regardless of the approach, the core objective of an SIS remains consistent: to enhance safety and minimize industrial risks effectively.
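The functional definition above (sensors, a logic solver, final elements; shutdown, permissive and mitigation functions; one SIL per SIF, none for the SIS as a whole) can be made concrete with a toy logic solver. This is an added example, not code from the original article or from any standard or vendor. The tags (TT-101, XV-201, ...), setpoints, SIL values and the fail-safe rule for a missing reading are all assumptions chosen for illustration.

```python
"""Toy logic solver: a SIS modelled as the sum of several SIFs, each with its
own SIL. Added example; tags, setpoints, SIL values and the fail-safe rule for
a lost sensor reading are assumptions, not taken from the article."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Kind(Enum):
    SHUTDOWN = "shutdown"      # take the process to a safe state
    PERMISSIVE = "permissive"  # let a step proceed only while conditions permit
    MITIGATION = "mitigation"  # limit the consequences once a hazard exists


@dataclass
class SIF:
    """One function, one hazard, one SIL: sensor -> condition -> final element."""
    name: str
    kind: Kind
    sil: int
    sensor: str                          # tag of the sensor the SIF reads
    demand: Callable[[float], bool]      # True when the reading calls for action
    final_element: str                   # valve, motor starter, deluge skid, ...
    action: str

    def evaluate(self, reading: Optional[float]) -> Optional[Dict[str, object]]:
        # Assumed fail-safe rule: a missing reading is treated like a demand, so a
        # lost sensor drives the process to its safe state instead of running blind.
        if reading is None or self.demand(reading):
            return {"sif": self.name, "kind": self.kind.value, "sil": self.sil,
                    "final_element": self.final_element, "action": self.action}
        return None


@dataclass
class SIS:
    """The SIS is just the collection of SIFs; it carries no SIL of its own."""
    sifs: List[SIF] = field(default_factory=list)

    def scan(self, readings: Dict[str, float]) -> List[Dict[str, object]]:
        """One logic-solver scan over the current sensor readings."""
        results = []
        for sif in self.sifs:
            demand = sif.evaluate(readings.get(sif.sensor))
            if demand is not None:
                results.append(demand)
        return results

    def sil_per_function(self) -> Dict[str, int]:
        """SIL is reported per SIF, never as one number for the whole SIS."""
        return {sif.name: sif.sil for sif in self.sifs}


def build_example_sis() -> SIS:
    """Constructed SIFs for a single vessel (tags and limits are made up)."""
    return SIS(sifs=[
        # Shutdown: when TT-101 reaches 150 C, quench-water valve XV-201 opens
        SIF("high-temp-quench", Kind.SHUTDOWN, 2, "TT-101",
            lambda t: t >= 150.0, "XV-201", "open"),
        # Shutdown: when PT-102 reaches 12 bar, feed valve XV-202 closes
        SIF("high-pressure-trip", Kind.SHUTDOWN, 3, "PT-102",
            lambda p: p >= 12.0, "XV-202", "close"),
        # Permissive: pump P-301 may start only while level LT-103 is >= 20 %
        SIF("pump-start-permissive", Kind.PERMISSIVE, 1, "LT-103",
            lambda lvl: lvl < 20.0, "P-301", "block_start"),
        # Mitigation: gas detector AT-104 at >= 20 % LEL opens deluge valve XV-401
        SIF("gas-deluge", Kind.MITIGATION, 2, "AT-104",
            lambda lel: lel >= 20.0, "XV-401", "open"),
    ])


if __name__ == "__main__":
    sis = build_example_sis()
    print(sis.sil_per_function())
    print(sis.scan({"TT-101": 120.0, "PT-102": 8.0, "LT-103": 55.0, "AT-104": 0.0}))
    print(sis.scan({"TT-101": 155.0, "PT-102": 8.0, "LT-103": 15.0, "AT-104": 0.0}))
```

Each scan returns only the SIFs that currently demand action, together with the final element and the action it must take; the permissive SIF "demands" a block on the pump start while the level condition is not met, which is how a permissive function fits the same sensor-condition-element pattern as a shutdown.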

BPCS Versus SIS

1. Purpose and Functionality:

  • BPCS: The primary function of a Basic Process Control System is to maintain process variables (like temperature, pressure, flow) within specified limits. It continuously adjusts control elements to ensure optimal operation.
  • SIS: In contrast, a Safety Instrumented System is designed to monitor process variables and take action only when specific unsafe conditions are detected. Its main goal is to prevent hazardous events rather than optimize process performance.

2. Operational Dynamics:

  • BPCS: Operates under dynamic conditions, with control signals frequently changing as the process variables fluctuate. This constant activity allows for real-time adjustments and quick detection of failures.
  • SIS: Functions under static conditions, often remaining inactive for long periods (e.g., years) until a hazardous situation arises. For instance, a safety isolation valve may not move for years, reflecting the low demand for SIS activation.

3. Failure Detection:

  • BPCS: Failures in a BPCS are generally easier to detect due to the dynamic nature of its signals. Operators can identify issues through various diagnostic methods, such as flat line outputs, quality indicators, pre-alarms, and deviation alarms.
  • SIS: Detecting failures in a SIS can be challenging because its signals are static Boolean variables. Since the SIS only activates in response to dangerous conditions, many failure modes may go unnoticed until an actual hazard occurs.
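The contrast in points 2 and 3 can be shown on data. The following is an added example, not code from the original article: it applies the diagnostic methods named above (flat-line output, a loop-quality indicator, a deviation alarm) to a continuously moving BPCS loop, then applies the same flat-line check to a SIS discrete input. All sample values are constructed; the 4-20 mA fault bands are the NAMUR NE43 values, assumed here as the quality indicator.

```python
"""Added example: signal-based diagnostics that expose BPCS failures say
nothing about a SIS input that sits at one Boolean value for years.
All sample data are constructed."""
from typing import List

# NAMUR NE43 fault bands for a 4-20 mA loop (assumed as the quality indicator):
# a transmitter that detects its own fault drives the loop below 3.6 mA or above 21 mA.
NE43_LOW_MA = 3.6
NE43_HIGH_MA = 21.0


def flat_line(samples: List[float], window: int, tolerance: float = 0.0) -> bool:
    """True when the last `window` samples span no more than `tolerance`."""
    if len(samples) < window:
        return False
    tail = samples[-window:]
    return max(tail) - min(tail) <= tolerance


def deviation_alarm(pv: float, setpoint: float, band: float) -> bool:
    """True when the process value strays further than `band` from its setpoint."""
    return abs(pv - setpoint) > band


def loop_fault(current_ma: float) -> bool:
    """Quality indicator: out-of-band loop current means wiring or transmitter trouble."""
    return current_ma < NE43_LOW_MA or current_ma > NE43_HIGH_MA


def diagnose_bpcs(samples: List[float], current_ma: float, setpoint: float) -> List[str]:
    """Symptoms an operator can see on a continuously moving BPCS loop."""
    symptoms = []
    if loop_fault(current_ma):
        symptoms.append("loop_fault")
    if flat_line(samples, window=5):
        symptoms.append("flat_line")
    if deviation_alarm(samples[-1], setpoint, band=2.0):
        symptoms.append("deviation")
    return symptoms


def diagnose_sis_input(states: List[bool]) -> List[str]:
    """Apply the same flat-line idea to a SIS discrete input. An input that reads
    True for years looks identical whether the sensor is healthy or stuck, so the
    signal history alone cannot separate the two cases."""
    as_float = [1.0 if s else 0.0 for s in states]
    return ["flat_line"] if flat_line(as_float, window=5) else []


# Constructed samples: a healthy temperature loop, a frozen one, and a SIS
# discrete input sampled once a day for a year in both healthy and stuck states.
HEALTHY_PV = [50.1, 49.8, 50.3, 50.0, 49.9, 50.2]
STUCK_PV = [50.0] * 6
HEALTHY_SIS = [True] * 365   # sensor healthy, no demand all year
STUCK_SIS = [True] * 365     # identical history, sensor contacts welded shut

if __name__ == "__main__":
    print(diagnose_bpcs(HEALTHY_PV, 12.0, 50.0))   # []
    print(diagnose_bpcs(STUCK_PV, 12.0, 50.0))     # ['flat_line']
    print(diagnose_bpcs(HEALTHY_PV, 3.0, 50.0))    # ['loop_fault']
    print(diagnose_sis_input(HEALTHY_SIS) == diagnose_sis_input(STUCK_SIS))  # True
```

The BPCS loop yields a symptom for each failure mode because its signal is expected to move; the SIS input produces the same "flat line" in both the healthy and the stuck case, which is why an SIS needs periodic proof testing rather than relying on the signal to reveal a dangerous undetected failure.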

4. Design Considerations:

  • Both systems require similar engineering skills and knowledge of instrumentation, materials, and process compatibility. However, the design process for SIS must account for its unique operational dynamics and the infrequent nature of its activation.
  • Some engineers mistakenly apply BPCS design principles to SIS, potentially compromising safety. It is crucial to recognize that while the hardware may be similar, the operational requirements and safety implications are fundamentally different.

5. Risk Analysis and Event Frequency:

  • In a well-designed process, risk analysis often indicates that hazardous events are rare, occurring once every ten years or more. This low-demand mode emphasizes the need for SIS to be robust and reliable, as it may only be called into action infrequently.

Summary

Top References

  1. Safety Instrumented Systems Verification: Practical Probabilistic Calculations by William M. Goble and Harry Cheddie
  2. Control Systems Safety Evaluation and Reliability by William M. Goble
  3. www.exida.com
  4. IEC 61511-3:2016
  5. Functional Safety from Scratch by Peter Clarke, xSeriCon