1. What is a SIS?
A SIS is a Safety Instrumented System. It is designed to prevent or
mitigate hazardous events by taking the process to a safe state when
predetermined conditions are violated. A SIS is composed of a combination
of logic solver(s), sensor(s), and final element(s). Other common
terms for SISs are safety interlock systems, emergency shutdown systems
(ESD), and safety shutdown systems (SSD). A SIS can consist of one or more
Safety Instrumented Functions (SIFs).
2. What is a SIF?
SIF stands for Safety Instrumented Function. A SIF is designed to
prevent or mitigate a hazardous event by taking a process to a tolerable
risk level. A SIF is composed of a combination of logic solver(s),
sensor(s), and final element(s). A SIF has an assigned SIL level depending
on the amount of risk that needs to be reduced. One or more SIFs comprise
3. What is SIL?
SIL stands for Safety Integrity Level. A SIL is a measure of safety
system performance, or probability of failure on demand (PFD) for
a SIF or SIS. There are four discrete integrity levels associated
with SIL. The higher the SIL level, the lower the probability of failure
on demand for the safety system and the better the system performance.
It is important to also note that as the SIL level increases, typically
the cost and complexity of the system also increase.
A SIL level applies to an entire system. Individual products or components
do not have SIL ratings. SIL levels are used when implementing a SIF
that must reduce an existing intolerable process risk level to a tolerable
4. What does functional safety
Functional safety is a term used to describe the safety system that
is dependent on the correct functioning of the logic solver, sensors,
and final elements to achieve the desired risk reduction level. Functional
safety is achieved when every SIF is successfully carried out and
the process risk is reduced to the desired level.
5. Why were the ANSI/ISA 84, IEC 61508, and IEC 61511 standards developed?
The standards were a natural evolution of the need to reduce process
risk and improve safety through a more formalized and quantifiable
methodology. Additionally, and specifically for IEC 61508, as the
application and usage of software has evolved and proliferated, there
was an increased need to develop a standard to guide system / product
designers and developers in what they needed to do to ensure and “claim”
that their systems / products were acceptably safe for their intended
6. When do I need a SIF or
The philosophy of the standards suggests that a SIS or SIF should
be implemented only if there is no other non-instrumented way of adequately
eliminating or mitigating process risk. Specifically, the ANSI/ISA-84.00.01-2004
(IEC 61511 Mod) recommends a multi-disciplined team approach that
follows the Safety Lifecycle, conducts a process hazard analysis,
designs a variety of layers of protection (i.e., LOPA), and finally
implements a SIS when a hazardous event cannot be prevented or mitigated
with something other than instrumentation.
7. What is a proof-test interval?
Proof testing is a requirement of safety instrumented systems to ensure
that everything is working and performing as expected. Testing must
include the verification of the entire system, logic solver, sensors,
and final elements. The interval is the period of time between one test
and the next. The testing frequency varies for each SIS and is dependent
on the technology, system architecture, and target SIL level. The
proof-test interval is an important component of the probability of
failure on demand calculation for the system.
8. What is a Process Hazard Analysis (PHA) and who
A PHA is an OSHA directive that identifies safety problems and risks
within a process, develops corrective actions to respond to safety
issues, and preplans alternative emergency actions if safety systems
fail. The PHA must be conducted by a diverse team that has specific
expertise in the process being analyzed. There are many consulting
and engineering firms that also provide PHA services. PHA methodologies
can include a What-If Analysis, Hazard and Operability Study (HAZOP),
Failure Mode and Effects Analysis (FMEA), and a Fault Tree Analysis.
9. What voting configurations are required for each SIL level?
Obtaining a desired SIL level is dependent on a multitude of factors.
The type of technology employed, the number of system components,
the probability of failure on demand (PFD) numbers for each component,
the system architecture (e.g., redundancy, voting), and the proof
testing intervals all play a significant role in the determination
of a SIL level. There is not a standard answer for what voting configurations
are required for each SIL level. The voting architecture must be analyzed
in the context of all the factors noted above.
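The dependence described in questions 7 and 9 can be made concrete with the widely used simplified low-demand PFDavg approximations. The code below is an added example, not part of the original FAQ or any General Monitors tool. It assumes identical devices in each voted group, no common-cause failures, no diagnostics and a perfect proof test, and all failure rates are constructed values; it covers only the PFD part of a SIL claim.

```python
# Simplified PFDavg per voted group (illustrative assumptions, see lead-in).
# lambda_du: dangerous undetected failure rate per hour (constructed values)
# ti_hours:  proof-test interval in hours
def pfd_avg(voting, lambda_du, ti_hours):
    x = lambda_du * ti_hours
    formulas = {
        "1oo1": x / 2,
        "1oo2": x ** 2 / 3,
        "2oo2": x,
        "2oo3": x ** 2,
    }
    return formulas[voting]

def sif_pfd(subsystems, ti_hours):
    """A SIF is sensors + logic solver + final elements: sum their PFDavg."""
    return sum(pfd_avg(v, lam, ti_hours) for v, lam in subsystems)

def sil_band(pfd):
    """Low-demand SIL band for a PFDavg value; 0 means below SIL 1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

# Constructed sample data: (voting, lambda_du per hour) for each subsystem.
SIMPLEX = [("1oo1", 2e-6), ("1oo1", 1e-7), ("1oo1", 4e-6)]
REDUNDANT = [("2oo3", 2e-6), ("1oo1", 1e-7), ("1oo2", 4e-6)]

def compare():
    """SIL band of the whole SIF for each architecture and test interval."""
    results = {}
    for name, arch in (("simplex", SIMPLEX), ("redundant", REDUNDANT)):
        for label, ti in (("6 months", 4380), ("1 year", 8760),
                          ("5 years", 43800)):
            results[(name, label)] = sil_band(sif_pfd(arch, ti))
    return results

if __name__ == "__main__":
    for key, sil in compare().items():
        print(key, "-> SIL band", sil)
```

With these sample numbers the same redundant voting arrangement lands in the SIL 3, SIL 2 or SIL 1 band depending only on the proof-test interval, which is why no fixed voting configuration can be assigned to a SIL level.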
10. Will a SIL rated system require increased maintenance?
SIL solutions are certainly not always the most cost-effective solutions
for decreasing process risk. Many times, implementing a SIL solution
will require increased equipment, which inevitably will require increased
maintenance. Additionally, it is likely that the higher the SIL level,
the more frequent the proof testing interval will be, which may ultimately
increase the amount of system maintenance that is required. This is
why the standards recommend a SIL based solution only when process
risk cannot be reduced by other methods, as determined by LOPA.
11. Can a F&G system be a SIF or SIS?
A Fire and Gas (F&G) system that automatically initiates process
actions to prevent or mitigate a hazardous event and subsequently
takes the process to a safe state can be considered a Safety Instrumented
Function / Safety Instrumented System.
However, it is absolutely critical in a F&G system to ensure optimal
sensor placement. If there is incorrect placement of the gas / flame
detectors and hazardous gases and flames are not adequately detected,
then the SIF / SIS will not be effective.
Correct sensor placement is more important than deciding whether a
F&G SIF / SIS should be SIL 2 or SIL 3.
12. What is SIL 4?
SIL 4 is the highest level of risk reduction that can be obtained
through a Safety Instrumented System. However, in the process industry
this is not a realistic level and currently there are few, if any,
products / systems that support this safety integrity level.
SIL 4 systems are typically so complex and costly that they are not
economically beneficial to implement. Additionally, if a process includes
so much risk that a SIL 4 system is required to bring it to a safe
state, then fundamentally there is a problem in the process design
which needs to be addressed by a process change or other non-instrumented
13. Can an individual product be SIL rated?
No. Individual products are only suitable for use in a SIL environment.
A SIL level applies to a Safety Instrumented Function / Safety Instrumented
14. What type of communication buses or protocols are applicable for SIL 2 or SIL 3 systems?
The type of communication protocol that is suitable for a SIL 2 or
SIL 3 system depends on the type of platform that is being
used. Options include, but are not limited to: 4-20 mA output signal,
ControlNet (Allen-Bradley), DeviceNet Safety (Allen-Bradley), SafetyNet
(MTL), and PROFIsafe. Currently, the ISA SP84 committee is working
on developing guidelines for a safety bus, to make sure that the foundations
comply with the IEC 61508 and IEC 61511 standards. The first devices
with a safety bus should be available by 2008. The Fieldbus Foundation
is actively involved in the committee and is working on establishing
the Foundation Fieldbus Safety Instrumented Systems (FFSIS) project to
work with vendors and end users to develop safety bus specifications.
15. For General Monitors, how can I access the PFD and MTBF data for the products?
The General Monitors SIL certificates have the PFD, SFF, and SIL numbers
that correspond to each product. MTBF data can be provided by request.
16. Can a manufacturer state their products are “SIL X certified” rather than “suitable for use in a SIL X system”?
Individual products are only suitable for use in a SIL environment. A SIL level applies to a Safety Instrumented Function / Safety Instrumented System.
Product certificates are issued either by the manufacturer (self-certification) or by another independent agency to show that the appropriate process was followed, calculations have been performed, and analysis has been completed on the individual products to indicate that they are compatible for use within a system of a given SIL level.
Full IEC 61508 certification can apply to a manufacturer’s processes. Full certification implies that a manufacturer’s product development process meets the standards set forth in the appropriate parts of sections 2 – 3 of IEC 61508 (including hardware / system and software). Receiving full certification from an accredited notifying body gives the end user confidence that the manufacturer’s engineering process has been reviewed and its product’s electrical content, firmware and logic have been assessed and conform to the guidelines set forth in the standard.
There are very few nationally accredited bodies that can issue nationally accredited certifications. Other consulting firms issue certificates that indicate that the product and / or process has been reviewed by an independent third party.
17. Can a manufacturer state their products meet all parts of the requirements of IEC 61508 parts 1 to 7?
IEC 61508 consists of the following parts, under the general title Functional Safety of electrical/electronic/programmable electronic safety-related systems:
Part 1: General requirements
Part 2: Requirements for electrical / electronic/programmable electronic
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of parts 2 and 3
Part 7: Overview of techniques and measures
To be in compliance with the standard, it is necessary to conform to Parts 1 – 3. Parts 4 – 8 are informative only and can be useful in understanding and applying the standard, but do not have requirements for conformance.
Manufacturers of products generally meet Section 2 requirements to determine through a FMEDA analysis that their products are suitable for use within a given SIL level.
Companies choosing to certify their engineering processes and receive full IEC 61508 certification will also comply with Section 3 as it relates to software development.
18. What does “SIL X suitable” mean? Is this a valid statement as per the standard IEC 61508, or can any other wording be used?
SIL stands for Safety Integrity Level. A SIL is a measure of safety system performance, or probability of failure on demand (PFD) for a SIF or SIS. There are four discrete integrity levels associated with SIL. The higher the SIL level, the lower the probability of failure on demand for the safety system and the better the system performance. It is important to also note that as the SIL level increases, typically the cost and complexity of the system also increase.
A SIL level applies to an entire system if it reduces the risk in the amount corresponding to an appropriate SIL level. Individual products or components do not have SIL ratings. SIL levels are used when implementing a SIF that must reduce an existing intolerable process risk level to a tolerable risk range.
To be compliant with the standards, it is up to the user to ensure that procedures have been followed properly, the proof testing is conducted correctly, and suitable documentation of the design, process, and procedures exists. The equipment or system must be used in the manner in which it was intended in order to successfully obtain the desired risk reduction level. Just buying SIL 2 or SIL 3 suitable components does not ensure a SIL 2 or SIL 3 system.