Safety Instrumented System (SIS): Instrumented system used to implement one or more safety instrumented functions. An SIS is composed of any combination of sensors, logic solvers, and final elements. This can include safety instrumented control functions, safety instrumented protection functions, or both. In many industrial processes, especially those in the chemical or oil & gas industries, involve inherent risk due to the presence of dangerous chemicals or gases. Safety Instrumented Systems are specifically designed to protect personnel, equipment, and the environment by reducing the likelihood or the impact severity of an identified emergency event.
Safety Integrity Level (SIL): SIL is a quantifiable measurement of risk used as a way to establish safety performance targets for SIS systems. IEC standards specify four possible Safety Integrity Levels (SIL1, SIL2, SIL3, SIL4); however, ISA S84.01 only recognizes up to SIL3 levels.
Additional terms in the Safety Design area:
Safety Instrumented Function (SIF): Safety function with a specified safety integrity level, which is necessary to achieve functional safety. A safety instrumented function can be either a safety instrumented protection function (define SIPF) or a safety instrumented control function (define SICF).
Safe Failure Fraction (SFF): is a relatively new term resulting from the IEC 61508 and IEC 61511
committees’ work to quantify fault tolerance and establish the minimum level of redundancy required in a safety instrumented function. Per IEC, “Safe failure fraction is the ratio of the (total safe failure rate of a subsystem plus the dangerous detected failure rate of the subsystem) to the total failure rate of the subsystem.” (In IEC terms, subsystem refers to individual devices).
There are four types of random hardware failures:
- Safe undetected (SU);
- Safe detected (SD);
- Dangerous detected (DU);
- Dangerous undetected (DD).
Determining the SFF requires dividing the sum of the first three by the sum of all four. The assumption is that the operator is expected to take action based on the dangerous detected faults, therefore even if a device has a large fraction of dangerous failures, if enough can be detected and safe action taken, then the device is still considered a safe device.
* From EmersonProcess training material.