Understanding SIS industry standards

Process safety standards and practices are spreading from oil and gas and other energy-related industries to broader process industry applications. Here’s basic advice on how to make more sense of the numbers and acronyms.


Safety instrumented system (SIS) applications grew primarily out of the oil and gas industries, where they are used to mitigate safety hazards related to many dangerous feedstocks, products, and processes. When applied appropriately, the fundamental concepts of SIS applications are integrated within the total lifecycle of the overall safety system. Understanding these systems involves unraveling the sometimes arcane language of safety engineers with standards numbers and many acronyms.

Figure 1. An individual SIS includes three items: sensor, logic solver, and final control element. It needs to be able to perform its function independently and not depend on the basic process control system. Courtesy: Emerson Process Management

An SIS provides an integrated approach to complete safety loops, as shown in Figure 1. Such a loop includes a sensor, logic solver, and final control element. The SIS shuts down a process plant or part of a plant when needed for safety, but keeps the plant running safely when devices fail.

What is a safety function?

Safety instrumented functions (SIFs) are actions taken by a SIS to shut down the process plant safely. Each identified SIF consists of a set of actions to protect against a specific hazard. A process plant SIS therefore consists of a number of SIFs which are listed in the process hazard analysis (PHA) report.

Part of the design process is considering many what-if scenarios that examine what happens if various components fail. A safety integrity level (SIL) is a performance measure which tries to quantify the probability of a specific SIF failing to perform its required function when called upon, known as the probability of failure on demand (PFD). Whereas a DCS is performing process control functions continually while the plant is running, the SIS is dormant by design until required to perform a safe shutdown function. Table 1 lists four SILs and their related PFDs as defined by IEC 61508 and IEC 61511. Not all standards are the same. For example, ANSI/ISA-S84.01-1996 recognizes only three SILs.

Table 1: Safety Integrity Levels


Techniques to establish the required SIL for a SIF in a SIS are defined in the relevant industry standards. (Some are listed in the online resources for this article.) SIL 4 is the highest level of safety integrity while SIL 1 is the lowest.

The risk reduction factor (RRF) for a SIF is the mathematical inverse of the PFDavg for that SIF. It is the factor by which the SIF reduces the likelihood of the hazardous event that the SIF is intended to prevent.

Probability of failure on demand (PFD) is the probability that a SIF designed to protect a process plant will fail to shut down the plant safely when the hazard shutdown condition occurs. In other words, the safety function fails to do its job when called upon.
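A worked calculation tying PFDavg, RRF, and SIL together for the three-element loop of Figure 1, as an added example that is not part of the original article. The simplified single-channel approximation PFDavg ≈ λDU × TI / 2, the IEC 61508 low-demand SIL bands, and all failure rates and proof-test intervals are assumptions supplied for illustration, not values from the article.

```python
HOURS_PER_YEAR = 8760

# Low-demand-mode PFDavg bands per IEC 61508: (SIL, lower inclusive, upper exclusive).
# Supplied for this example, not taken from the article.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_years):
    """Simplified single-channel (1oo1) approximation: lambda_DU * TI / 2."""
    ti_hours = proof_test_interval_years * HOURS_PER_YEAR
    return lambda_du_per_hour * ti_hours / 2


def sif_pfd_avg(loop):
    """The SIF fails on demand if any element fails, so element PFDs add
    (rare-event approximation for elements in series)."""
    return sum(pfd_avg_1oo1(rate, ti) for rate, ti in loop.values())


def risk_reduction_factor(pfd_avg):
    """RRF is the inverse of PFDavg."""
    return 1.0 / pfd_avg


def achieved_sil(pfd_avg):
    """Return the SIL band a PFDavg falls in; 0 means it does not reach SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0 if pfd_avg >= 1e-1 else 4  # claims are capped at SIL 4


# Constructed sample data: (dangerous undetected failure rate per hour,
# proof-test interval in years) for each element of one hypothetical SIF.
BASELINE = {
    "sensor": (6e-7, 1.0),
    "logic_solver": (5e-8, 1.0),
    "final_element": (2e-6, 1.0),
}
# Same loop, but the shutdown valve is proof-tested every six months.
RETESTED = dict(BASELINE, final_element=(2e-6, 0.5))

if __name__ == "__main__":
    for name, loop in (("baseline", BASELINE), ("valve tested 6-monthly", RETESTED)):
        pfd = sif_pfd_avg(loop)
        print(f"{name}: PFDavg={pfd:.3e} RRF={risk_reduction_factor(pfd):.0f} "
              f"SIL {achieved_sil(pfd)}")
```

Halving the valve's proof-test interval moves this constructed loop from the SIL 1 band into the SIL 2 band, because the final element dominates the loop's PFDavg.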

Safety lifecycle

The safety lifecycle, as defined by IEC 61508 and ANSI/ISA-S84.01, structurally defines a SIS development from its initial conceptual design through to its final decommissioning, as follows:

  1. Conceptual design
  2. Hazard and risk analysis PHA (HAZOP)
  3. Safety requirements specification
  4. System architecture and detailed engineering
  5. Application programming
  6. System production
  7. System integration
  8. Factory acceptance tests (FAT)
  9. System installation and commissioning
  10. Safety system validation—site acceptance tests (SAT)
  11. Operation and maintenance plan
  12. System change management
  13. Decommissioning, and
  14. Information and documentation requirements.

Generally, the significant hazards for equipment and any associated control systems have to be identified by the specifier or developer via a hazard analysis. The analysis identifies whether functional safety is necessary to ensure adequate protection against each significant hazard. If so, then it has to be taken into account in an appropriate manner in the design. Functional safety is just one method of dealing with hazards, and other means for their elimination or reduction, such as inherent safety through design, are of primary importance.

Figure 2. Information from SISs can be sent up to a larger control network for alarms or data collection, but they need to retain the ability to carry out their specific safety assignment independently. Courtesy: Emerson Process Management

IEC 61508 applies to safety-related systems when one or more of such systems incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices. It covers possible hazards caused by failure of the safety functions to be performed by the E/E/PE safety-related systems, as distinct from hazards arising from the E/E/PE equipment itself. It is generically based and applicable to all E/E/PE safety-related systems irrespective of the application.

The underlying assumptions of the standards recognize that the consequences of failure could have serious economic implications. In such cases the standard could be used to specify any E/E/PE safety-related system used for the protection of equipment or product. The scope of IEC 61508-1 goes into more detail.

The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:

  • Emergency shutdown systems
  • Fire and gas systems
  • Turbine control
  • Gas burner management
  • Crane automatic safe-load indicators
  • Guard interlocking and emergency stopping systems for machinery
  • Railway signaling systems, and
  • Variable speed motor drives used to restrict speed as a means of protection.

Relevant means of implementing safety functions include electromechanical relays (electrical), nonprogrammable solid-state electronics (electronic), and programmable electronics. Programmable electronic safety-related systems typically incorporate programmable controllers, programmable logic controllers, microprocessors, application specific integrated circuits, or other programmable devices which could include smart devices such as sensors, transmitters, and actuators.

In every case, the standard applies to the entire E/E/PE safety-related system. That could encompass, for example, a sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator. For safety functions to be effectively specified and implemented, it is essential to consider the system as a whole. The physical extent of an E/E/PE safety-related system is solely determined by the safety function.

Working through the entire safety lifecycle is a major undertaking, but it is a process critical to the safety of people, property, and environment.

Robert I. Williams, PE, is instrumentation and control systems manager at Brinderson, Costa Mesa, Calif. 

Key concepts:

  • Understanding process safety involves potentially confusing standards and acronyms.
  • Working through the overall safety lifecycle is a major project, but the process is straightforward.
  • Understanding a few basic concepts can help decipher the complexities of standards language. 


Detail on IEC safety standards




Anonymous, 06/05/13 03:18 PM:

I believe the reference to IEC 61508 below the Safety lifecycle heading should actually be a reference to IEC 61511. IEC 61508 applies to E/E/PE DEVICES which may be part of a SIS which is the subject of IEC 61511. In some cases it is necessary for devices meeting the requirements of IEC 61508 to be used in SIS to meet the required SIL. This also is defined in IEC 61511.

ahmed, Non-US/Not Applicable, Egypt, 06/06/13 09:39 AM:

To ensure implementation of safety system you have to select the category (SIL 2 or 3) of the devices used in safety-related system.

Anonymous, 06/25/13 10:59 AM:

Using field devices with higher level SIL in the SIS system is a must.

M, MO, United States, 04/10/15 04:07 AM:

Anonymous 06/05/13: I don't believe that is correct. IEC 61511 is specific to the process industry. IEC 61508 is the basis for which SIS specifications are written. http://www.iec.ch/functionalsafety/