Understanding SIS industry standards

Process safety standards and practices are spreading from oil and gas and other energy-related industries to broader process industry applications. Here’s basic advice on how to make more sense of the numbers and acronyms.


Safety instrumented system (SIS) applications grew primarily out of the oil and gas industries, where they are used to mitigate safety hazards related to many dangerous feedstocks, products, and processes. When applied appropriately, the fundamental concepts of SIS applications are integrated within the total lifecycle of the overall safety system. Understanding these systems involves unraveling the sometimes arcane language of safety engineers with standards numbers and many acronyms.

Figure 1. An individual SIS includes three items: sensor, logic solver, and final control element. It needs to be able to perform its function independently and not depend on the basic process control system. Courtesy: Emerson Process Management

An SIS provides an integrated approach to complete safety loops, as shown in Figure 1. Such a loop includes a sensor, logic solver, and final control element. The SIS shuts down a process plant or part of a plant when needed for safety, but keeps the plant running safely when devices fail.

What is a safety function?

Safety instrumented functions (SIFs) are actions taken by a SIS to shut down the process plant safely. Each identified SIF consists of a set of actions to protect against a specific hazard. A process plant SIS therefore consists of a number of SIFs which are listed in the process hazard analysis (PHA) report.

Part of the design process is considering many what-if scenarios that examine what happens if various components fail. A safety integrity level (SIL) is a performance measure which tries to quantify the probability of a specific SIF failing to perform its required function when called upon, known as the probability of failure on demand (PFD). Whereas a DCS performs process control functions continually while the plant is running, the SIS is dormant by design until required to perform a safe shutdown function. Table 1 lists four SIL levels and their related PFDs as defined by IEC 61508 and IEC 61511. Not all standards are necessarily the same. For example, ANSI/ISA-S84.01-1996 recognizes only three SILs.

Table 1: Safety Integrity Levels


Techniques to establish the required SIL for a SIF in a SIS are defined in the relevant industry standards. (Some are listed in the online resources for this article.) SIL 4 is the highest level of safety integrity while SIL 1 is the lowest.

The risk reduction factor (RRF) for a SIF is the mathematical inverse of the PFDavg for that SIF. It represents the factor by which the SIF reduces the likelihood of the hazardous event that the SIF is intended to prevent.

Probability of failure on demand (PFD) is the probability that a SIF designed to protect a process plant will fail to shut down the plant safely when the hazard shutdown condition occurs. In other words, the safety function fails to do its job when called upon.
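The relationship between PFDavg, RRF, and SIL described above, worked through for one sensor / logic solver / final element loop as an added example that is not part of the original article. The failure rates and proof-test intervals are constructed sample values, the SIL bands are the low-demand PFDavg ranges of IEC 61508, and the simplified 1oo1 approximation PFDavg ≈ λDU × TI / 2 is an assumption the article does not state.

```python
"""Added example: PFDavg, RRF and SIL for a single SIF loop."""

# Low-demand SIL bands (IEC 61508): (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Constructed sample data: dangerous undetected failure rates (per hour)
SAMPLE_LOOP = {"sensor": 1.0e-6, "logic_solver": 1.0e-7, "final_element": 2.0e-6}


def pfd_1oo1(lambda_du, test_interval_h):
    """Assumed simplified 1oo1 approximation: PFDavg ~= lambda_DU * TI / 2."""
    if lambda_du < 0 or test_interval_h <= 0:
        raise ValueError("failure rate must be >= 0 and test interval > 0")
    return lambda_du * test_interval_h / 2


def loop_pfd(components, test_interval_h):
    """Series loop: a failure of any element defeats the SIF, so the
    element PFDavg values add (valid while each value is small)."""
    return sum(pfd_1oo1(rate, test_interval_h) for rate in components.values())


def rrf(pfd_avg):
    """Risk reduction factor is the inverse of PFDavg."""
    if not 0 < pfd_avg <= 1:
        raise ValueError("PFDavg must be in (0, 1]")
    return 1 / pfd_avg


def sil_from_pfd(pfd_avg):
    """Return the SIL whose band contains pfd_avg; 0 means no SIL is met.
    Values below 1e-5 are capped at SIL 4, the highest level defined."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 4 if 0 < pfd_avg < 1e-5 else 0


def assess(components, test_interval_h):
    """Summarise one loop at a given proof-test interval (hours)."""
    pfd = loop_pfd(components, test_interval_h)
    return {"pfd_avg": pfd, "rrf": rrf(pfd), "sil": sil_from_pfd(pfd)}


if __name__ == "__main__":
    for interval in (8760, 4380):  # yearly vs. six-monthly proof test
        r = assess(SAMPLE_LOOP, interval)
        print(f"TI={interval} h  PFDavg={r['pfd_avg']:.3e}  "
              f"RRF={r['rrf']:.0f}  SIL={r['sil']}")
```

With these sample rates, the same hardware meets only SIL 1 when proof tested yearly but reaches SIL 2 when tested every six months, which is why the proof-test interval belongs in the safety requirements specification.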

Safety lifecycle

The safety lifecycle, as defined by IEC 61508 and ANSI/ISA-S84.01, structurally defines a SIS development from its initial conceptual design through to its final decommissioning, as follows:

  1. Conceptual design
  2. Hazard and risk analysis PHA (HAZOP)
  3. Safety requirements specification
  4. System architecture and detailed engineering
  5. Application programming
  6. System production
  7. System integration
  8. Factory acceptance tests (FAT)
  9. System installation and commissioning
  10. Safety system validation—site acceptance tests (SAT)
  11. Operation and maintenance plan
  12. System change management
  13. Decommissioning, and
  14. Information and documentation requirements.

Generally, the significant hazards for equipment and any associated control systems have to be identified by the specifier or developer via a hazard analysis. The analysis identifies whether functional safety is necessary to ensure adequate protection against each significant hazard. If so, then it has to be taken into account in an appropriate manner in the design. Functional safety is just one method of dealing with hazards, and other means for their elimination or reduction, such as inherent safety through design, are of primary importance.

Figure 2. Information from SISs can be sent up to a larger control network for alarms or data collection, but they need to retain the ability to carry out their specific safety assignment independently. Courtesy: Emerson Process Management

IEC 61508 applies to safety-related systems when one or more of such systems incorporate electrical and/or electronic and/or programmable electronic (E/E/PE) devices. It covers possible hazards caused by failure of the safety functions to be performed by the E/E/PE safety-related systems, as distinct from hazards arising from the E/E/PE equipment itself. It is generically based and applicable to all E/E/PE safety-related systems irrespective of the application.

The underlying assumptions of the standards recognize that the consequences of failure could have serious economic implications. In such cases the standard could be used to specify any E/E/PE safety-related system used for the protection of equipment or product. The scope of IEC 61508-1 goes into more detail.

The range of E/E/PE safety-related systems to which IEC 61508 can be applied includes:

  • Emergency shutdown systems
  • Fire and gas systems
  • Turbine control
  • Gas burner management
  • Crane automatic safe-load indicators
  • Guard interlocking and emergency stopping systems for machinery
  • Railway signaling systems, and
  • Variable speed motor drives used to restrict speed as a means of protection.

Relevant means of implementing safety functions include electromechanical relays (electrical), nonprogrammable solid-state electronics (electronic), and programmable electronics. Programmable electronic safety-related systems typically incorporate programmable controllers, programmable logic controllers, microprocessors, application specific integrated circuits, or other programmable devices which could include smart devices such as sensors, transmitters, and actuators.

In every case, the standard applies to the entire E/E/PE safety-related system. That could encompass, for example, a sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator. For safety functions to be effectively specified and implemented, it is essential to consider the system as a whole. The physical extent of an E/E/PE safety-related system is solely determined by the safety function.

Working through the entire safety lifecycle is a major undertaking, but it is a process critical to the safety of people, property, and environment.

Robert I. Williams, PE, is instrumentation and control systems manager at Brinderson, Costa Mesa, Calif. 

Key concepts:

  • Understanding process safety involves potentially confusing standards and acronyms.
  • Working through the overall safety lifecycle is a major project, but the process is straightforward.
  • Understanding a few basic concepts can help decipher the complexities of standards language. 


Detail on IEC safety standards



