
1. What is a SIS?

A SIS is a Safety Instrumented System. It is designed to prevent or mitigate hazardous events by taking the process to a safe state when predetermined conditions are violated. A SIS is composed of a combination of logic solver(s), sensor(s), and final element(s). Other common terms for SISs are safety interlock systems, emergency shutdown systems (ESD), and safety shutdown systems (SSD). A SIS can be one or more Safety Instrumented Functions (SIF).
2. What is a SIF?
SIF stands for Safety Instrumented Function. A SIF is
designed to prevent or mitigate a hazardous event by taking a
process to a tolerable risk level. A SIF is composed of a
combination of logic solver(s), sensor(s), and final element(s).
A SIF has an assigned SIL level depending on the amount of
risk that needs to be reduced. One or more SIFs comprise a
SIS.
3. What is SIL?
SIL stands for Safety Integrity Level. A SIL is a measure of
safety system performance, or probability of failure on
demand (PFD) for a SIF or SIS. There are four discrete
integrity levels associated with SIL. The higher the SIL level,
the lower the probability of failure on demand for the safety
system and the better the system performance. It is important
to also note that as the SIL level increases, typically the cost
and complexity of the system also increase.
A SIL level applies to an entire system. Individual products or
components do not have SIL ratings. SIL levels are used when
implementing a SIF that must reduce an existing intolerable
process risk level to a tolerable risk range.
4. What does functional safety mean?
Functional safety is a term used to describe the safety system
that is dependent on the correct functioning of the logic solver,
sensors, and final elements to achieve the desired risk
reduction level. Functional safety is achieved when every SIF
is successfully carried out and the process risk is reduced to
the desired level.
5. Why were the ANSI/ISA 84, IEC 61508, and IEC 61511 standards developed?
The standards were a natural evolution for the need to reduce process risk and improve safety through a more formalized and quantifiable methodology. Additionally, and specifically for IEC 61508, as the application and usage of software has evolved and proliferated, there was an increased need to develop a standard to guide system / product designers and developers in what they needed to do to ensure and claim that their systems / products were acceptably safe for their intended uses.
6. When do I need a SIF or a SIS?
The philosophy of the standards suggests that a SIS or SIF
should be implemented only if there is no other non-instrumented way of adequately eliminating or mitigating
process risk. Specifically, the ANSI/ISA-84.00.01-2004 (IEC
61511 Mod) recommends a multi-disciplined team approach
that follows the Safety Lifecycle, conducts a process hazard
analysis, designs a variety of layers of protection (i.e., LOPA),
and finally implements a SIS when a hazardous event cannot
be prevented or mitigated with something other than
instrumentation.
7. What is a proof-test interval?
Proof testing is a requirement of safety instrumented systems
to ensure that everything is working and performing as
expected. Testing must include the verification of the entire
system, logic solver, sensors, and final elements. The interval
is the period of time that the testing occurs. The testing
frequency varies for each SIS and is dependent on the
technology, system architecture, and target SIL level. The
proof-test interval is an important component of the
probability of failure on demand calculation for the system.
8. What is a Process Hazard Analysis (PHA) and who
conducts this?
A PHA is an OSHA directive that identifies safety problems and
risks within a process, develops corrective actions to respond
to safety issues, and preplans alternative emergency actions if
safety systems fail. The PHA must be conducted by a diverse
team that has specific expertise in the process being analyzed.
There are many consulting and engineering firms that also
provide PHA services. PHA methodologies can include a What-If Analysis, Hazard and Operability Study (HAZOP), Failure Mode and Effects Analysis (FMEA), and a Fault Tree Analysis.
9. What voting configurations are required for each SIL
level?
Obtaining a desired SIL level is dependent on a multitude of
factors. The type of technology employed, the number of
system components, the probability of failure on demand
(PFD) numbers for each component, the system architecture
(e.g., redundancy, voting), and the proof testing intervals all
play a significant role in the determination of a SIL level.
There is not a standard answer for what voting configurations
are required for each SIL level. The voting architecture must
be analyzed in the context of all the factors noted above.
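As an added worked example (not from the original FAQ), the following Python ties together questions 3, 7 and 9: it computes the average PFD of each subsystem of a SIF from its dangerous-undetected failure rate, proof-test interval and voting architecture, sums them for the whole SIF, and maps the result to a SIL band. It uses the simplified low-demand equations of IEC 61508-6 with repair time and diagnostics neglected and an assumed common-cause factor beta; all failure rates are constructed sample values, not vendor data.

```python
"""Simplified PFDavg / SIL-band calculation for a low-demand SIF.

Assumptions (worked example, not from the FAQ): IEC 61508-6 simplified
equations with repair time and diagnostic coverage neglected; beta is the
common-cause factor for redundant channels; lambda_du is the dangerous
undetected failure rate per hour; test_interval_h is the proof-test
interval in hours.
"""

# Low-demand SIL bands: (SIL, lower PFDavg bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(lambda_du, test_interval_h, architecture="1oo1", beta=0.1):
    """Average PFD of one subsystem (sensor, logic solver or final element)."""
    x = lambda_du * test_interval_h  # expected dangerous failures per test interval
    if x > 0.1:
        # The linear/quadratic approximations are only valid for lambda_du * T << 1.
        raise ValueError("lambda_du * T too large for the simplified equations")
    common_cause = beta * x / 2      # shared failure term that voting cannot remove
    independent = (1 - beta) * x
    if architecture == "1oo1":
        return x / 2
    if architecture == "1oo2":
        return independent ** 2 / 3 + common_cause
    if architecture == "2oo3":
        return independent ** 2 + common_cause
    raise ValueError(f"unsupported voting architecture {architecture!r}")


def sil_for_pfd(pfd):
    """SIL claimable for a PFDavg, or 0 when it does not reach SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def sif_pfd(subsystems):
    """PFDavg of a whole SIF: subsystem PFDs add (independent subsystems assumed)."""
    return sum(pfd_avg(*s) for s in subsystems)


if __name__ == "__main__":
    year = 8760.0
    # Constructed sample SIF: redundant gas detectors, a logic solver, one shutdown valve.
    sif = [(1e-6, year, "1oo2", 0.1), (5e-8, year, "1oo1", 0.0), (2e-6, year, "1oo1", 0.0)]
    for name, s in zip(("sensors", "logic solver", "final element"), sif):
        print(f"{name:14s} PFDavg={pfd_avg(*s):.2e}")
    total = sif_pfd(sif)
    print(f"SIF PFDavg={total:.2e} -> SIL {sil_for_pfd(total)}")
    for years in (1, 3):  # proof-test interval effect on a single 1oo1 element
        p = pfd_avg(1e-6, years * year)
        print(f"1oo1, T={years} yr: PFDavg={p:.2e} -> SIL {sil_for_pfd(p)}")
```

Running it shows the single final element dominating the SIF's PFD and the same 1oo1 element dropping from SIL 2 to SIL 1 when the proof-test interval is stretched from one year to three.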
10. Will a SIL rated system require increased
maintenance?
SIL solutions are certainly not always the most cost-effective
solutions for decreasing process risk. Many times,
implementing a SIL solution will require increased equipment,
which inevitably will require increased maintenance.
Additionally, it is likely that the higher the SIL level, the more
frequent the proof testing interval will be, which may
ultimately increase the amount of system maintenance that is
required. This is why the standards recommend a SIL based
solution only when process risk cannot be reduced by other
methods, as determined by LOPA.
11. Can a F&G system be a SIF or SIS?
A Fire and Gas (F&G) system that automatically initiates
process actions to prevent or mitigate a hazardous event and
subsequently takes the process to a safe state can be
considered a Safety Instrumented Function / Safety
Instrumented System.
However, it is absolutely critical in a F&G system to ensure
optimal sensor placement. If there is incorrect placement of
the gas / flame detectors and hazardous gases and flames are
not adequately detected, then the SIF / SIS will not be
effective.
Correct sensor placement is more important than deciding
whether a F&G SIF / SIS should be SIL 2 or SIL 3.

12. What is SIL 4?
SIL 4 is the highest level of risk reduction that can be obtained through a Safety Instrumented System. However, in the process industry this is not a realistic level and currently there are few, if any, products / systems that support this safety integrity level.
SIL 4 systems are typically so complex and costly that they
are not economically beneficial to implement. Additionally, if a
process includes so much risk that a SIL 4 system is required
to bring it to a safe state, then fundamentally there is a
problem in the process design which needs to be addressed by
a process change or other non-instrumented method.
13. Can an individual product be SIL rated?
No. Individual products are only suitable for use in a SIL
environment. A SIL level applies to a Safety Instrumented
Function / Safety Instrumented System.
14. What type of communication buses or protocols are
applicable for SIL 2 or SIL 3 systems?
The type of communication protocol that is suitable for a SIL 2
or SIL 3 system is really dependent on the type of platform
that is being used. Options include, but are not limited to: 4-20 mA output signal, ControlNet (Allen Bradley), DeviceNet Safety (Allen Bradley), SafetyNet (MTL), and PROFIsafe.
Currently, the ISA SP84 committee is working on developing
guidelines for a safety bus, to make sure that the foundations
comply with IEC 61508, and IEC 61511 standards. The first
devices with a safety bus should be available by 2008. The
Fieldbus Foundation is actively involved in the committee and
working on establishing Foundation Fieldbus Safety
Instrumented Systems (FFSIS) project to work with vendors
and end users to develop safety bus specifications.
15. For General Monitors, how can I access the PFD and
MTBF data for the products?
The General Monitors SIL certificates have the PFD, SFF, and
SIL numbers that correspond to each product. MTBF data can
be provided by request.
16. Can a manufacturer state their products are SIL X certified rather than suitable for use in a SIL X system?
Individual products are only suitable for use in a SIL
environment. A SIL level applies to a Safety Instrumented
Function / Safety Instrumented System.
Product certificates are issued either by the manufacturer
(self-certification), or other independent agency to show that
the appropriate process is followed, calculations have been
performed, and analysis has been completed on the individual
products to indicate that they are compatible for use within a
system of a given SIL level.
Full IEC 61508 certification can apply to a manufacturer's processes. Full certification implies that a manufacturer's product development process meets the standards set forth in the appropriate parts of sections 2 and 3 of IEC 61508 (including hardware / system and software). Receiving full certification from an accredited notifying body gives the end user confidence that the manufacturer's engineering process has been reviewed and its products' electrical content, firmware and logic have been assessed and conform to the guidelines set forth in the standard.
There are very few nationally accredited bodies that can issue
nationally accredited certifications. Other consulting firms
issue certificates that indicate that the product and / or
process has been reviewed by an independent third party.

17. Can a manufacturer state their products meet all parts of the requirements of IEC 61508 parts 1 to 7?
IEC 61508 consists of the following parts, under the general
title Functional Safety of electrical/electronic/programmable
electronic safety-related systems:
Part 1: General requirements
Part 2: Requirements for electrical/electronic/programmable
electronic safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety
integrity levels
Part 6: Guidelines on the application of parts 2 and 3
Part 7: Overview of techniques and measures

To be in compliance with the standard, it is necessary to conform to Parts 1 to 3. Parts 4 to 8 are informative only and can be useful in understanding and applying the standard, but do not have requirements for conformance.
Manufacturers of products generally meet Section 2
requirements to determine through a FMEDA analysis that
their products are suitable for use within a given SIL level.
