
exida.com
excellence in dependable automation

Safety Instrumented Systems


Introduction

On-line Lesson

exida.com Copyright exida.com 2002

Welcome to the exida.com safety instrumented systems introduction. A Safety Instrumented System, known as a “S I S,” will be defined. We will also describe the purpose of such systems, the basic components of a SIS, and the key considerations that make SIS design and implementation different from control system design and implementation.

1
Introduction to Safety
Instrumented Systems
Topics:
• SIS Definitions
• SIS Purpose
• Safety Instrumented Function
• Laws/Regulations/Standards
• Risk Reduction
• Failure Modes
• SIS Equipment


This lesson defines a safety instrumented system and describes its purpose. Safety instrumented functions are defined and described. The differences between control systems and safety systems are discussed in the context of standards compliance, risk reduction and failure modes. Special purpose equipment certified for SIS usage is also covered.

2
Safety Instrumented System Definition

[Diagram: logic solver racks (power supply, CPU, input and output modules) wired to pressure transmitters PT1 to PT3 and temperature transmitters TT1 to TT3 on a reactor]

IEC 61511 (draft) defines a Safety Instrumented System (SIS) as
“instrumented system used to implement one or more safety instrumented functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).”


IEC 61511 (draft) defines a Safety Instrumented System (SIS) as “instrumented system used to implement one or more safety instrumented functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).”

There is no restriction as to what type of technology is used or the size of the system.

3
IEC 61508 Definition

[Diagram: the same reactor with PT1 to PT3, TT1 to TT3 and the logic solver racks]

IEC 61508 does not use the term Safety Instrumented System (SIS). Instead it uses the term Safety Related System (SRS) to mean the same thing. Many expect the 61508 standard to be updated to the newer term - SIS.

IEC 61508 does not use the term Safety Instrumented System (SIS).
Instead it uses the term Safety Related System (SRS) to mean the same
thing. Many expect the 61508 standard to be updated to the newer term -
SIS.

4
Safety Instrumented System Functional Definition

[Diagram: the reactor with PT1 to PT3 and TT1 to TT3 connected to two separate logic solver racks (power supply, CPU, input and output modules), one labelled SIS and the other BPCS]

Practitioners often prefer a more functional definition of SIS such as:

“A SIS is defined as a system composed of sensors, logic solvers and final elements designed for the purpose of:
1) Automatically taking an industrial process to a safe state when specified conditions are violated;
2) Permit a process to move forward in a safe manner when specified conditions allow (permissive functions); or
3) Taking action to mitigate the consequences of an industrial hazard.”

A SIS is much like a basic process control system (BPCS) in that both have sensors, logic solvers and final elements. But a SIS operates in a completely different mode and has unique design, maintenance and mechanical integrity requirements.

5
Layers of Protection - Controller

Under normal circumstances, the process controller maintains the process.

[Chart: process value versus time, staying between the high level and low level limits; labelled “Normal behavior”]

A safety instrumented system is usually one of several ‘layers of protection’ in an industrial process. Under normal circumstances the control system keeps the process operating within bounds. If nothing ever went wrong, there would be no need for other protection layers.

6
Layers of Protection - Alarms

Sometimes things go wrong and an operator takes action to keep the process within limits.

[Chart: process value versus time; the value rises past the high level to the high alarm level, where the operator takes action and brings it back between the high and low levels]

However, things do go wrong. Another layer of protection in manned installations is the operator. If process alarms are configured and operating, the operator can frequently diagnose what is wrong and take action to bring the process back under control.

7
Layers of Protection – Safety Instrumented System

[Chart: process value versus time; above the high alarm level (operator takes action) sits the trip level, where the Safety Instrumented System takes Emergency Shut-Down action]

In some applications this is not enough. In those situations a SIS can be configured to execute pre-programmed action to take the process to a safe state when it detects a potentially dangerous condition.

8
Incident If that does not work, there may
be an incident...

Safety Instrumented System


Trip level

Operator takes action


High alarm level

High level

Normal behavior
process value
Low level

Time
e ida.com Copyright exida.com 2002
excellence in dependable automation

If that safety function is not effective, there may be an incident. In such situations, a SIS can take action to mitigate the consequences of the incident.

NOTE: A Fire Sprinkler system is an example of a mitigation function.

9
Permissive function of SIS

[Flowchart of a burner light-off permissive; each question must be answered Yes before the next step:]
1) All main, igniter, and individual burner and igniter safety shutoff valves are closed?
2) One set of ID and FD fans running?
3) Are required burner registers open?
4) Is air at purge rate?
5) Five-minute time delay
6) Reset master fuel trip relay(s)

Safety Instrumented Systems can also be used in permissive applications. The process can be held in a particular state if certain conditions are not met, in order to avoid a potentially dangerous situation. The SIS permits the process to move on when the conditions are met.

10
Integrated Control System

[Diagram: an integrated control system made up of subsystems: High Performance Control, Ultra High Availability, Low Cost Control, Safety System]

A Safety Instrumented System will typically be designed to be part of an integrated control system with perhaps several different types of special purpose subsystems.

11
Safety Instrumented System

[Diagram: five safety loops (Loop 1 to Loop 5) sharing one Logic Solver; each loop runs from its Sensors (1 to 5) through the logic solver to its Final elements (6 to 8)]

Like other types of control systems, a Safety Instrumented System typically consists of many safety loops, called safety instrumented functions.

12
Safety Instrumented Function (SIF)

[Diagram: Loop 1 alone: Sensor 1 -> Logic Solver -> Final element 6]

A safety instrumented function is defined as a “Function to be implemented by a SIS which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event.”

13
Safety Instrumented Function Examples

• Fuel to furnace shutdown
• Supply emergency coolant to reduce extreme temperature
• Open valve to relieve excessive pressure
• Direct escaping liquid to waste handling system
• Issue fire alarms
• Issue pre-recorded emergency message to response team

Each safety instrumented function is intended to protect against a particular hazard via shutdown, permissive or mitigation functions such as:

• Fuel to furnace shutdown;
• Supply emergency coolant to reduce extreme temperature;
• Open valve to relieve excessive pressure;
• Direct escaping liquid to waste handling system;
• Issue fire alarms; or
• Issue pre-recorded emergency message to response team.

14
SIF Sensors

[Diagram: Sensors -> Logic Solver -> Final Elements, with the sensors highlighted]

Like a control system, a safety system has sensors. In the process industries sensors measure process parameters including pressure, temperature, flow, level, gas concentrations and other measurements. In the machine industries sensors measure human proximity, operator intrusion into a dangerous zone and other protective parameters.

Also like a control system, SIS sensors measure relevant parameters. In the process industries these include pressure, temperature, flow, level, gas concentrations, flame presence or other measurements.
In machine safety, sensors measure operator intrusion into a dangerous zone, human proximity and other protective parameters.

15
SIF Logic Solver

[Diagram: Sensors -> Logic Solver -> Final Elements, with the logic solver highlighted]

A safety system also has a logic solver, typically a controller, that reads signals from the sensors and executes preprogrammed actions to prevent or mitigate a process hazard. The controller does this by sending signals to final elements.

A SIS has a logic solver. This is typically a special purpose PLC but can
also be a relay system or solid state logic. The controller reads signals from
the sensors, executes pre-programmed functions designed to prevent or
mitigate a potentially dangerous process hazard and takes action by
sending signals to final elements.

16
SIF Final Elements

[Diagram: Sensors -> Logic Solver -> Final Elements, with the final elements highlighted]

The final element in a SIF is often a remote actuated valve in the process industries. A final element in machine safety may likely be a clutch/brake assembly.

The final element in a SIF is often a remote actuated valve. Sometimes solenoid valves are used directly, as are power relays, motors or other devices that do things like interrupt fuel flow, vent high pressure gas, flood with cooling water or release inert gas.

As with sensors, final elements in a safety instrumented function handle the same process materials and environmental conditions as a control system and need to be designed with the same considerations for materials, hazardous area classifications, and so forth.

17
Safety Instrumented Function (SIF) Implementation

[Block diagram: several Sensing Elements, each through its own Signal Conditioning, feed the Logic Solver; the Logic Solver drives Signal Conditioning for each of several Final Control Elements; the Circuit Utilities (i.e. Electrical Power, Instrument Air etc.) and the Interconnections between all blocks are part of the function]

The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and all dedicated circuit utilities like electrical power or instrument air.

The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and all circuit utilities like electrical power or instrument air.

18
Safety Instrumented System vs. Basic Process Control System

[Diagram: side by side, the Safety Instrumented System (SIS) and the Basic Process Control System (BPCS), each with Inputs and Outputs; the SIS reads pressure transmitters PT 1A and PT 1B, the BPCS reads flow transmitter FT and drives an I/P converter]

A SIS appears in many ways like a control system and many of the technical skills needed for good control system design are needed for SIS design.

A SIS appears in many ways like a control system and many of the
technical skills needed for good control system design are needed for SIS
design. There are important differences however.

19
Safety Instrumented System Design

However, unlike control system design, there are special considerations and additional requirements because of the critical nature of the application. SIS design is also the subject of national regulations and international standards.

Safety instrumented systems are often subject to national regulations and the requirements of international standards as well.

20
Laws and Regulations

Statutory:
• National Laws / Acts
  EU Directives: Seveso, Machinery, Low Voltage, EMC, Gaseous Fuel Appliances, Pressure Appliances
  German Laws: GSG, BImSchG, WhG
  American Acts: Clean Air/Water Act
• National Directives (Verordnungen)
  Germany: StörFallV, ElexV, AufzugsV
• Technical Regulations
  Germany: UVV, ZH, TRA, TRbF, TRB, TRD, AD-Merkblätter

In many countries of the world legislation (national laws and acts) is passed to protect people and the environment. Many examples from Europe and the United States come to mind. Regulations are often issued by various governmental bodies in support of legislation. In the United States, for example, the Clean Air Act resulted in the Environmental Protection Agency issuing various regulations.

21
“Listed” Standards

Evidence for meeting Laws:
• European Standard referencing an EU Directive
  Examples:
  Gaseous fuel: EN 298, EN 230
  Machinery: EN 60204, EN 292, EN 954-1 (EN 62061)
  Low Voltage: EN 61010-1, EN 60950, EN 61131-2, EN 50178
  EMC: EN 50081, EN 50082
  Hazardous Area: EN 50020
  (Seveso: EN 61511)
• Listed National Standard
  Examples listed by “Bundesanzeiger” under GSG: DIN V 19250, DIN VDE 0116, DIN V VDE 0801

When legislation or a regulation refers to a standard, that standard gains the force of law. European Standards are referred to by various regulations and have full legal standing.

22
Standards

State of the Art:
• Other national documents/standards
  VDI/VDE 2180, NE 31
  NFPA 8502, FM7605
• International recommendations (IEC, ISO) need to be taken over into European or National Standards to receive statutory importance
  PES: IEC 61508, IEC 61511
  Nuclear: IEC 61513, IEC 880
  QM: ISO 9000, ISO 14000

Standards that are not referenced by legislation or regulation do not have the
force of law. However, it is generally recognized that these standards show
consensus regarding best technical practices and many companies choose
to follow them (or parts of them).

23
Most Influential Documents

• AIChE CCPS; Guidelines for Safe Automation of Chemical Processes, 1993
• ISA84.01; Application of Safety Instrumented Systems for the Process Industries, 1996
• IEC 61508 (and dS61511); Functional Safety - Safety Related Systems, 1998/2000

In the process industries, there are several influential documents on safety instrumented systems.
The American Institute of Chemical Engineers released their guideline textbook in late ‘93. It covers the design of DCS and ‘interlock’ systems.
ISA 84.01 is a US standard focused on safety in automatic protection systems. It has been endorsed by OSHA as an example of the “good engineering practices” required by their regulations. Many companies worldwide are beginning to use that standard as the basis for their safety instrumented design.
The International Electrotechnical Commission has released IEC61508, which covers the use of relay, solid state and programmable systems. The standard will apply to all industries, such as transportation, medical, nuclear, etc. It currently forms the primary basis for equipment manufacturers who want certification of equipment for safety applications.
In the future, it is predicted that IEC61508 and IEC61511 will become the dominant international standards for functional safety.

24
ISA84.01 Safety Life Cycle

[Flowchart of the S84.01 safety life cycle.
Not covered by S84.01: Start -> Conceptual Process Design -> PHA & Risk Assessment -> Develop non-SIS Layers -> SIS Required? (No: done; Yes: continue).
Covered by S84.01: Define Target SIL -> Develop Safety Specification -> SIS Conceptual Design -> SIS Detailed Design -> SIS Installation, Commissioning and Pre-startup Acceptance Test -> Pre-startup Safety Review (Assessment) -> Establish Operating and Maintenance Procedures -> SIS startup, operation, maintenance, Periodic Functional Tests -> Modify or Decommission? -> Modify (back into design) or Decommission -> SIS Decommissioning]

All the standards propose the use of a "safety life cycle." Safety lifecycle analysis is a methodology used to ensure that risks have been identified and properly managed, and that the necessary steps have been taken to mitigate those risks. The safety lifecycle can be viewed simply as a logical process for SIS design and operation.

25
Inherent Risk

Risk: A combination of the probability of occurrence of harm and the severity of that harm (per IEC/ISO Guide 51:1990). A measure of the likelihood and consequence of adverse effects, i.e., how often can it happen, and what will be the consequences if it does?

Inherent Risk: The risk from a completed process design that contains a given amount of process materials at given process parameters (temperature, pressure, etc.)

The objective of the safety lifecycle process is to reduce risk. Inherent risk is defined as the amount of risk in a completed process design resulting from given quantities of materials and given process parameters.

26
Risk Reduction

[Risk graph: Likelihood (vertical axis) against Consequence (horizontal axis), with risk increasing toward the upper right. The plane is divided into the Unacceptable Risk Region, the ALARP Region and the Tolerable Risk Region; the Risk of the Process is marked on the graph]

The design objective of a safety instrumented system is to reduce the risk of any process hazard from a region known as the ‘unacceptable risk region’ to the ‘tolerable risk region.’ The inherent risk of a process from a consequence perspective is fixed once the process design is fixed. Inherent risk takes no credit for protective measures such as safety instrumented systems, relief devices, etc.

NOTE: ALARP (As Low As Reasonably Practicable). See exida.com on-line lesson – ALARP.

27
Non-SIS Risk Reduction

[Risk graph as before, with arrows moving the Inherent Risk of the Process toward the tolerable region: Consequence Reduction, e.g., material reduction, containment dikes, physical protection; Non SIS Risk Reduction through Alarms, BPCS, Administrative Procedures, etc.; Non SIS Risk Reduction, e.g. Pressure Relief Valves; the combined effect is labelled “All layers of protection”]

If possible, it is desirable to reduce the inherent process risk by modifying the process. Consequence reduction can be achieved by lowering quantities of materials or building physical protection. Likelihood can be reduced by reviewing methods used to control the process as well as any means to recover from upsets, such as alarms.

28
SIS Risk Reduction

[Risk graph as before, with the same Consequence Reduction and Non SIS Risk Reduction arrows (Alarms, BPCS, Administrative Procedures; Pressure Relief Valves) and an additional SIS Risk Reduction arrow that completes the move into the Tolerable Risk Region; the whole set is labelled “All layers of protection”]

If this reduction in the likelihood still leaves the estimated process risk too
high, safety instrumented functions are often designed to reduce risk further.

29
Safety Integrity Levels

Safety Integrity   Probability of failure on demand       Risk Reduction
Level              per year (Demand mode of operation)    Factor
SIL 4              >= 10^-5 to < 10^-4                    100000 to 10000
SIL 3              >= 10^-4 to < 10^-3                    10000 to 1000
SIL 2              >= 10^-3 to < 10^-2                    1000 to 100
SIL 1              >= 10^-2 to < 10^-1                    100 to 10

The needed risk reduction is expressed in order-of-magnitude targets called safety integrity levels. The IEC61508 standard shows four levels, with the highest risk reduction called SIL4 and the lowest risk reduction called SIL1. Risk reduction levels are shown in the right column of the SIL chart.
Risk reduction in a particular set of equipment chosen for a safety system is measured by the probability that it will fail when needed. This is called “failure on demand.” This is the measure used to determine if the design meets the need. It is shown in the middle column of the SIL chart.

30
The equipment used in control and Safety Instrumented Systems has more than one failure mode.

Two critical failure modes for Safety Instrumented Systems (for De-Energize to Trip):
1. Outputs de-energized or open circuit: SAFE
2. Outputs energized or frozen short circuit: DANGEROUS

One key difference between control system design and SIS design is the realization that the way in which a piece of equipment fails is very important. The failure modes of equipment used to implement a control system or a SIS can be classified in two important failure categories - safe and dangerous.

In a normally energized safety system (de-energize to trip) safe is de-energized, dangerous is energized.

31
Multiple Failure Modes

For de-energize to trip:
NORMAL
Failed Open Circuit: SAFE
Failed Short Circuit: DANGEROUS

These two categories - safe and dangerous - represent different ways of failing. Think about a switch. When it is working normally, the switch goes on and off. It conducts electricity when it is on and does not conduct electricity when it is off.

If the switch fails such that it does not conduct electricity no matter which position it is in, that failure is called “open circuit.” In a normally energized safety system, that de-energizes an output and is considered fail-safe.

If a switch fails such that it always conducts electricity no matter what the switch position, that failure is called “short circuit.” It is potentially dangerous in a normally energized SIS.

32
Boiler Example

[Diagram: a steam boiler fired by natural gas; a PRESSURE SWITCH on the steam side feeds a SAFETY PLC, which controls the FUEL VALVE on the NATURAL GAS line]

Imagine a boiler where steam is generated from a natural gas burner. Several possible hazards have been identified, including the possibility that the steam line will become clogged and the pressure in the tank can go too high.
A pressure switch is installed on the tank. When the pressure is normal, the switch is closed. The switch opens when the pressure goes too high. A safety controller is programmed to turn off power to (de-energize) a valve, which cuts off the fuel and turns off the burner.

33
Successful Operation

[Diagram: Normally Energized Systems. Pressure Sense Switch -> Discrete Input -> PLC -> Solid State Output Switch -> LOAD. For normal operation, the sense switch is closed and the output switch is energized. For abnormal operation, the sense switch opens and the output switch de-energizes]

Example: High Pressure protection system. Sense switch closed when pressure is below danger point. Switch opens when pressure goes above danger point. PLC de-energizes output if sense switch opens for more than 15 seconds during start-up and more than 5 seconds during steady operation.

The safety instrumented system consists of the switch, a PLC and the valve.
As long as the SIS is operating successfully, it will respond to high pressure
process demand. When operating successfully, the switch reads the
pressure, the PLC does timing and opens or closes its output switch. The
valve stays open when pressure is normal and closes when pressure goes
too high. The steam boiler is kept safe and operating as long as the safety
instrumented system is operating successfully.

34
Fail - Safe

[Diagram: Normally Energized Systems, Pressure Sense Switch -> Discrete Input -> PLC -> Solid State Output Switch -> LOAD. A system failure causes a false trip! Input Circuit fails such that the PLC thinks the sense switch is open even when it is closed; Logic Solver fails to read logic 1 inputs, fails to solve logic, or fails to generate logic 1 output; Output Circuit fails open circuit]

If the SIS fails safely, it causes a false trip: it shuts the boiler down when it should not have. This can certainly be caused by an open circuit failure of the output device. It can also be caused by many types of failures of components all through the system:
Input switch fails,
Input circuits fail,
PLC fails,
Output circuits fail,
Valve fails.

35
Fail - Danger

[Diagram: Normally Energized Systems, Pressure Sense Switch -> Discrete Input -> PLC -> Solid State Output Switch -> LOAD. If pressure goes high, the system cannot respond. Input Circuit fails such that the PLC thinks the sense switch is closed even when it is open; Logic Solver fails to read logic 0 inputs that indicate danger, fails to solve logic, or fails to generate logic 0 output; Output Circuit fails short circuit]

If the system fails dangerously, the outputs cannot de-energize when needed. Failures in all areas of the system can be responsible. This type of failure means that the safety instrumented system cannot do its job. No protection is provided under these circumstances.

This is bad, and it is especially bad because these failures are likely to go undetected in normal operation. The output is supposed to be energized. If it fails energized, operators and maintenance personnel do not notice a difference.
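The boiler high-pressure SIF of the preceding slides (sense switch, safety PLC, fuel valve, wired de-energize-to-trip) with its two failure modes, as an added simulation that is not code from the lesson or from exida. The 15 s start-up and 5 s steady-operation delays come from the slide text; the trip pressure value, the one-second scan step and the pressure traces are constructed for the example.

```python
"""Model of the lesson's boiler high-pressure SIF: pressure sense switch ->
safety PLC -> fuel valve, wired de-energize-to-trip.  Added illustration, not
code from the lesson or from exida.  The 15 s / 5 s delays come from the slide;
the trip pressure, the 1 s scan step and the traces below are constructed."""
from dataclasses import dataclass
from enum import Enum

class Fault(Enum):
    NONE = "healthy"
    OPEN_CIRCUIT = "failed open circuit"    # never conducts: stuck at logic 0 (safe side)
    SHORT_CIRCUIT = "failed short circuit"  # always conducts: stuck at logic 1 (dangerous side)

TRIP_PRESSURE = 100.0    # assumed danger point, arbitrary units
START_UP_DELAY_S = 15    # slide: open switch tolerated 15 s during start-up
STEADY_DELAY_S = 5       # slide: open switch tolerated 5 s in steady operation

def pressure_switch(pressure):
    """Normally energized sense switch: closed (1) below the danger point, opens (0) above it."""
    return 1 if pressure < TRIP_PRESSURE else 0

def apply_fault(logic_level, fault):
    """A failed circuit ignores its commanded level: open circuit gives 0, short circuit gives 1."""
    if fault is Fault.OPEN_CIRCUIT:
        return 0
    if fault is Fault.SHORT_CIRCUIT:
        return 1
    return logic_level

@dataclass
class SafetyPlc:
    """Logic solver: de-energizes (0) its output once the switch has read open longer than the delay."""
    start_up: bool = False
    open_seconds: int = 0
    tripped: bool = False

    def scan(self, switch_input):
        if self.tripped:
            return 0                     # latched trip: stays de-energized until a manual reset
        if switch_input == 1:
            self.open_seconds = 0        # pressure normal: keep the output energized
            return 1
        self.open_seconds += 1
        limit = START_UP_DELAY_S if self.start_up else STEADY_DELAY_S
        if self.open_seconds > limit:
            self.tripped = True
            return 0
        return 1                         # brief dip: not yet a trip

def run_sif(pressure_trace, start_up=False, input_fault=Fault.NONE, output_fault=Fault.NONE):
    """Run one scan per second over a pressure trace; return the fuel valve state each second."""
    plc = SafetyPlc(start_up=start_up)
    states = []
    for pressure in pressure_trace:
        plc_input = apply_fault(pressure_switch(pressure), input_fault)
        energized = apply_fault(plc.scan(plc_input), output_fault)
        states.append("open" if energized else "closed")   # energized valve = fuel flowing
    return states

def first_trip_index(states):
    """Second at which the valve first closed, or None if it never did."""
    return states.index("closed") if "closed" in states else None

def classify(pressure_trace, states):
    """Judge the run as the lesson does: unanswered demand is dangerous, trip without demand is safe."""
    demand = any(p >= TRIP_PRESSURE for p in pressure_trace)
    tripped = states[-1] == "closed"
    if demand and tripped:
        return "tripped on demand"
    if demand:
        return "dangerous: demand not answered"
    if tripped:
        return "safe: false trip"
    return "normal operation"

# Constructed pressure traces, one sample per second.
NORMAL_TRACE = [80.0] * 25                     # steady, below the danger point
DEMAND_TRACE = [80.0] * 5 + [120.0] * 20       # pressure goes high at t = 5 s and stays high

if __name__ == "__main__":
    cases = [
        ("healthy, steady, demand", DEMAND_TRACE, {}),
        ("healthy, start-up, demand", DEMAND_TRACE, {"start_up": True}),
        ("input failed open, no demand", NORMAL_TRACE, {"input_fault": Fault.OPEN_CIRCUIT}),
        ("input failed short, demand", DEMAND_TRACE, {"input_fault": Fault.SHORT_CIRCUIT}),
        ("input failed short, no demand", NORMAL_TRACE, {"input_fault": Fault.SHORT_CIRCUIT}),
    ]
    for label, trace, kwargs in cases:
        states = run_sif(trace, **kwargs)
        print(f"{label:32s} trip at {first_trip_index(states)} -> {classify(trace, states)}")
```

The last case is the lesson's point about undetected dangerous failures: with no demand, a shorted input circuit produces exactly the same valve states as a healthy loop.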

36
[Diagram: a box whose area represents all operation of the system, split into SUCCESSFUL OPERATION (measured by RELIABILITY / AVAILABILITY) and UNSUCCESSFUL OPERATION, the latter divided into PFS (Nuisance Trip) and PFD]

PFS - Probability of Safe Failure
PFD - Probability of Failure on Demand (Dangerous Failure)
RRF - Risk Reduction Factor = 1/PFD.

The area of this box represents successful or failed operation of the system. The white area is successful operation. This is normally measured by a parameter called availability or reliability. While reliability or availability are important for an SIS, the other important metrics are called PFS, probability of failing safely, PFD, probability of failing dangerously, and RRF, risk reduction factor, the inverse of PFD.
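To connect the SIL chart (with its PFD and risk reduction factor columns) to the PFS/PFD/RRF definitions above, an added example that is not code from the lesson or from exida: it estimates a loop's PFDavg, derives RRF = 1/PFD and maps the result onto the chart's demand-mode bands. It assumes the common 1oo1 approximation PFDavg ≈ λDU·TI/2 and that a series loop's PFDavg is the sum of its elements' values, neither of which the lesson states; the failure rates are constructed.

```python
"""Relate a SIF's probability of failure on demand (PFD) to its risk reduction
factor (RRF = 1/PFD) and SIL, using the demand-mode bands from the lesson's SIL
chart.  Added example, not code from the lesson or from exida.
Assumption not stated on the page: for one (1oo1) element with dangerous
undetected failure rate lambda_du [1/h] and proof-test interval TI [h],
PFDavg ~= lambda_du * TI / 2, and a series loop (sensor, logic solver, final
element; any one failing dangerously defeats the function) has PFDavg equal
to the sum of its elements' PFDavg.  Failure rates below are constructed."""
from dataclasses import dataclass

# (SIL, lower PFD bound inclusive, upper bound exclusive), from the lesson's chart
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

@dataclass(frozen=True)
class Element:
    name: str
    lambda_du: float   # dangerous undetected failures per hour (constructed values)

def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Average PFD of one element between proof tests (simple approximation)."""
    return lambda_du * proof_test_interval_h / 2.0

def sif_pfd_avg(elements, proof_test_interval_h):
    """PFDavg of the whole loop: the dangerous failure of any element defeats the SIF."""
    return sum(pfd_avg_1oo1(e.lambda_du, proof_test_interval_h) for e in elements)

def risk_reduction_factor(pfd):
    """RRF = 1 / PFD, as defined on the PFS/PFD slide."""
    return 1.0 / pfd

def sil_for_pfd(pfd):
    """SIL achieved by a PFD per the chart; 0 means less than SIL 1 reduction.
    Below 10^-5 the chart defines no band; treated as SIL 4 here (assumption)."""
    if pfd >= 1e-1:
        return 0
    if pfd < 1e-5:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil

def sil_for_required_rrf(target_rrf):
    """SIL required to deliver a target risk reduction (right column of the chart)."""
    return sil_for_pfd(1.0 / target_rrf)

def dominant_element(elements, proof_test_interval_h):
    """Element contributing most to PFDavg, i.e. where design effort pays off first."""
    return max(elements, key=lambda e: pfd_avg_1oo1(e.lambda_du, proof_test_interval_h)).name

# Constructed boiler loop: pressure switch, safety PLC, solenoid + fuel valve.
BOILER_LOOP = [
    Element("pressure switch", 2e-7),
    Element("safety PLC", 1e-8),
    Element("fuel valve + solenoid", 3e-7),
]
HOURS_PER_YEAR = 8760

if __name__ == "__main__":
    for label, ti in (("annual proof test", HOURS_PER_YEAR), ("quarterly proof test", HOURS_PER_YEAR // 4)):
        pfd = sif_pfd_avg(BOILER_LOOP, ti)
        print(f"{label}: PFDavg={pfd:.2e} RRF={risk_reduction_factor(pfd):.0f} "
              f"-> SIL {sil_for_pfd(pfd)}; dominant element: {dominant_element(BOILER_LOOP, ti)}")
    print("Target RRF 500 requires SIL", sil_for_required_rrf(500))
```

Shortening the proof-test interval from a year to a quarter moves the same hardware from SIL 2 to SIL 3, which is why the test interval is part of the design, not just of maintenance.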

37
Higher Availability

[Diagram: the same box; a Lower Failure Rate enlarges the SUCCESSFUL OPERATION area (RELIABILITY, AVAILABILITY) and shrinks the UNSUCCESSFUL OPERATION area, both PFS and PFD]

In both control systems and SIS, it is clearly an important objective to design the system to be highly successful. A lower failure rate leads to higher probability of success.

38
Higher Safety

[Diagram: the same box; SIS SAFETY is shown as the PFD portion of UNSUCCESSFUL OPERATION being made much smaller than the PFS portion]

But in a safety instrumented system design, the other objective is to make sure that the probability of failing dangerously is much lower.

39
Special Purpose SIS Equipment

[Photo: a safety PLC rack with CCM, ODM and many I/O modules]

• Many instrumentation manufacturers build special products for SIS applications. This equipment performs control and logic functions like normal controllers. This equipment also meets special requirements for high availability and fail-safe operation.

Many control equipment manufacturers build special products for safety instrumented system applications. This equipment performs control and logic functions much like normal controllers and meets special requirements for high availability and fail-safe operation.

40
The Functional Safety Certification Program

• Independent, internationally
recognized testing-agency
• A certification program for
equipment used in critical
installations
• Benefits vendor by improving
product and minimizing the
need to supply evaluation
systems
• Benefits user by supplying
impartial evaluation of system


Several agencies, including TUV based in Germany, certify safety critical equipment for functional safety. Based on standards, the equipment and the processes used to develop and manufacture it are evaluated. The primary standard used today is IEC61508. Sensors, PLCs, final elements and other equipment used in SIS design are available certified per IEC61508.

41
Introduction to Safety
Instrumented Systems
Topics:
• SIS Definitions
• SIS Purpose
• Safety Instrumented Function
• Laws/Regulations/Standards
• Risk Reduction
• Failure Modes
• SIS Equipment


This lesson has covered the basics of SIS. Safety instrumented functions
were defined and described. Standards compliance, risk reduction and SIS
failure modes were also presented. Functional safety equipment certification
was reviewed. The participant should have an understanding of the
differences between basic process control systems and safety instrumented
systems. Please take the lesson quiz to verify correct understanding and
review the lesson if necessary.

42
More Information

Questions - please send any questions to info@exida.com. We will respond as soon as possible.
Additional Resources -
A series of free articles are available to download from the exida.com website. These can be reached at http://www.exida.com/articles.asp
Additional resources including books, tools and reports are available from the exida on-line store. A product listing is available at http://www.exida.com/products2/

We hope you have found this lesson useful. If you have any questions, they may be sent via email to info@exida.com. Please refer to this particular lesson - Introduction to Safety Instrumented Systems.
Additional resources are available from the exida website, including a series of free articles that may be downloaded. Books, reports and engineering tools are available at the exida on-line store.
exida.com is a knowledge company focused on system reliability and safety. We provide training, tools, coaching, and consulting. For general information about exida, please view our detailed website - www.exida.com.
Thank you for your interest. Consider other lessons in the on-line training series from exida.com.

43
