Menu

Safety Instrumented Systems (SIS) and SIL: The Last Automated Line of Defense

Safety instrumented systems explained: how SIS and safety integrity levels (SIL) work, proof testing, and why maintenance discipline decides real integrity.

A safety instrumented system (SIS) is an independent automated system, sensors, logic solver, and final elements, whose only job is to move a process to a safe state when things go wrong: trip the heater, close the valve, dump the quench. Its performance target is expressed as a safety integrity level (SIL), and the governing standards for the process industries are IEC 61511 and its parent IEC 61508.

How an SIS differs from normal control

The basic process control system runs production; the SIS watches it. Independence is the core principle: the SIS uses its own sensors, its own logic solver, and its own final elements, so a failure that misleads the control system does not simultaneously blind the protection. In protection-layer language, a safety instrumented function (SIF) is typically the strongest credited layer in a LOPA, which is exactly why its integrity gets a number instead of an adjective.

What SIL actually means

SIL is a band of average probability of failure on demand (PFDavg) for a low-demand function: SIL 1 means the function fails on no more than one demand in ten, SIL 2 one in a hundred, SIL 3 one in a thousand. Each step is ten times more risk reduction and considerably more engineering: redundancy, diagnostics, proof testing, and management discipline all tighten. A SIL rating belongs to a specific function, trip loop by trip loop, not to a plant or a brand of hardware.

A worked example: what proof testing buys

Consider a SIL 2 high-pressure trip whose components give a dangerous undetected failure rate that would accumulate to a PFDavg of about 0.02 with a 24-month proof test interval, just outside SIL 2 territory. Halving the interval to 12 months roughly halves the average accumulated unavailability, bringing PFDavg near 0.01 and back inside the band. Same hardware, same wiring, different testing calendar: the integrity level literally lives in the maintenance schedule. Skip one test cycle and the calculated protection quietly ceases to exist, with nothing visible on the control room screen.

The lifecycle, compressed

  • Analysis: hazard studies (HAZOP) and LOPA define which functions are needed and their SIL targets.
  • Realization: design, redundancy architecture, and verification calculations.
  • Operation: proof tests at defined intervals, bypass control, demand and failure recording, and management of change for any modification.

Most integrity is lost in the third phase, not the first two: bypassed trips that outlive the shift, proof tests deferred past their due date, and repairs that swap a certified component for whatever was on the shelf.

Operations red flags

  • Trip bypasses without time limits and authorization records.
  • Proof test procedures that only exercise the logic solver and never stroke the valve.
  • No record of real demands, every activation is integrity data going uncollected.
  • Spare parts for safety loops not identified as safety-critical in the storeroom.

Where Fabrico fits

Fabrico is not a safety system and plays no role in executing trips; SIS design and verification belong to functional safety engineers. What Fabrico manages is the operational discipline the standards demand: proof tests scheduled and evidenced as recurring work orders, bypass and demand events logged against the asset, safety-critical spares flagged in inventory, and overdue safety work impossible to overlook. When the functional safety audit asks for the last three years of proof test records, the answer is an export, not an excavation. EU-built, with EU data residency.

Frequently Asked Questions

Is a PLC with safety logic the same as an SIS?

No. An SIS is defined by independence, certified design, and a verified integrity target, not by where the logic happens to run. Safety-rated logic solvers exist precisely because general-purpose controllers cannot claim the required failure behavior on their own.

Who assigns the SIL target?

The risk assessment does: scenario analysis (typically HAZOP plus LOPA) determines how much risk reduction each safety function must provide, and that requirement translates into the SIL target. Vendors then supply components suitable for that level; buying "SIL 3 hardware" without the analysis is theater.

How often must proof tests run?

At the interval assumed in the SIL verification calculation for that specific function, commonly between six months and a few years. The interval is a design parameter, not a preference: stretching it without recalculation changes the achieved integrity.

Want safety-critical testing that never slips through the cracks? Book a Fabrico demo to see proof-test scheduling, bypass logging, and audit-ready asset history in one system.

Latest from our blog

Define Your Reliability Roadmap
Validate Your Potential ROI: Book a Live Demo
Define Your Reliability Roadmap
By clicking the Accept button, you are giving your consent to the use of cookies when accessing this website and utilizing our services. To learn more about how cookies are used and managed, please refer to our Privacy Policy and Cookies Declaration