A safety instrumented system (SIS) is an independent automated system, sensors, logic solver, and final elements, whose only job is to move a process to a safe state when things go wrong: trip the heater, close the valve, dump the quench. Its performance target is expressed as a safety integrity level (SIL), and the governing standards for the process industries are IEC 61511 and its parent IEC 61508.
The basic process control system runs production; the SIS watches it. Independence is the core principle: the SIS uses its own sensors, its own logic solver, and its own final elements, so a failure that misleads the control system does not simultaneously blind the protection. In protection-layer language, a safety instrumented function (SIF) is typically the strongest credited layer in a LOPA, which is exactly why its integrity gets a number instead of an adjective.
SIL is a band of average probability of failure on demand (PFDavg) for a low-demand function: SIL 1 means the function fails on no more than one demand in ten, SIL 2 one in a hundred, SIL 3 one in a thousand. Each step is ten times more risk reduction and considerably more engineering: redundancy, diagnostics, proof testing, and management discipline all tighten. A SIL rating belongs to a specific function, trip loop by trip loop, not to a plant or a brand of hardware.
Consider a SIL 2 high-pressure trip whose components give a dangerous undetected failure rate that would accumulate to a PFDavg of about 0.02 with a 24-month proof test interval, just outside SIL 2 territory. Halving the interval to 12 months roughly halves the average accumulated unavailability, bringing PFDavg near 0.01 and back inside the band. Same hardware, same wiring, different testing calendar: the integrity level literally lives in the maintenance schedule. Skip one test cycle and the calculated protection quietly ceases to exist, with nothing visible on the control room screen.
Most integrity is lost in the third phase, not the first two: bypassed trips that outlive the shift, proof tests deferred past their due date, and repairs that swap a certified component for whatever was on the shelf.
Fabrico is not a safety system and plays no role in executing trips; SIS design and verification belong to functional safety engineers. What Fabrico manages is the operational discipline the standards demand: proof tests scheduled and evidenced as recurring work orders, bypass and demand events logged against the asset, safety-critical spares flagged in inventory, and overdue safety work impossible to overlook. When the functional safety audit asks for the last three years of proof test records, the answer is an export, not an excavation. EU-built, with EU data residency.
No. An SIS is defined by independence, certified design, and a verified integrity target, not by where the logic happens to run. Safety-rated logic solvers exist precisely because general-purpose controllers cannot claim the required failure behavior on their own.
The risk assessment does: scenario analysis (typically HAZOP plus LOPA) determines how much risk reduction each safety function must provide, and that requirement translates into the SIL target. Vendors then supply components suitable for that level; buying "SIL 3 hardware" without the analysis is theater.
At the interval assumed in the SIL verification calculation for that specific function, commonly between six months and a few years. The interval is a design parameter, not a preference: stretching it without recalculation changes the achieved integrity.
Want safety-critical testing that never slips through the cracks? Book a Fabrico demo to see proof-test scheduling, bypass logging, and audit-ready asset history in one system.
Zakažite sastanak KSNUMKS-to-KSNUMKS sa našim stručnjacima ili se direktno upišite u naš besplatni plan.
Nije potrebna kreditna kartica!