The safety instrumented system (SIS) safety life cycle can be simply defined as an engineering process with design, analysis, and testing steps to ensure that SISs are effective in the key mission of:

The activities associated with the SIS safety life cycle start when the conceptual design of the facilities is complete, and stop when the facilities are completely decommissioned. The key activities associated with the SIS safety life cycle are analyzing risks and the need for risk reduction; establishing performance requirements for all safety functions in a system; implementing the system based on required performance criteria; and ensuring that the system is always operated and maintained correctly.

When the SIS safety life cycle is used with an existing system, the first step is to review and update the process hazard analysis and safety integrity level (SIL) selection. Given that information, the “as installed design” is documented and verified via analysis to determine if the design meets the verification requirements of current standards. Often it is discovered that the design is stronger than needed. In that case, there are opportunities to reduce ongosing maintenance costs by increasing the proof test interval. The same general design process is used with the objectives of:

The functional safety standard [1] published by the International Electrotechnical Commission (IEC), IEC 61508, defines safety as freedom from unacceptable risk. This is a good definition because it does not include “the elimination of risk.” Functional safety has been defined in IEC 61508 as “part of the overall safety relating to the equipment under control (EUC) and the EUC control system which depends on the correct functioning of the electrical/electronic/programmable electronic (E/E/PE) safety-related systems and other risk reduction measures.” Functional safety has a similar definition in IEC 61511 [2], which states “part of the overall safety relating to the process and the BPCS (basic process control system) which depends on the correct functioning of the SIS and other protection layers.” The phrase “correct functioning of the SIS” is key. A high level of functional safety means that an SIS will work correctly and with a high probability of successful operation. This success is achieved with the selection of high-quality equipment that is well suited for the intended purpose, and supported by a complete, high-quality operations and maintenance program.

Functional safety is therefore the key objective in SIS design. To achieve the right level of functional safety, several issues must be considered that may not be part of the normal design process for automation systems. These issues are provided as requirements in international standards.

For as long as automated systems have existed, engineers have designed automatic protection into them. Engineers often have specifically designed many of these automatic protection systems with pneumatic logic or electrical relays because these components tended to fail in a de-energized mode. Systems were designed to be safe when the automation de-energized. They were, in other words, designed to “fail safe.”

As the logic became more complicated, systems expanded to include large panels packed with relays and timers. It was, perhaps, natural for some engineers to convert this logic to a new “solid-state” design when these components became available in the late 1960s. Figure 1–1 illustrates an early solidstate module designed to implement “burner logic” using diode transistor logic (DTL), an early form of simple integrated circuit logic. Unfortunately, there was little consideration of the component failure modes of these designs. The simple DTL systems had a much higher probability of dangerous failure than conventional pneumatic and relay-based systems.

When the first programmable electronic equipment, called programmable logic controllers (PLC), were created as an alternative to relay logic, many engineers immediately believed these new devices would be perfect for automatic protection applications. The functionality of these electronic devices, they felt, encompassed all that would be needed, and more. However, some engineers realized that the failure characteristics of solid-state/programmable electronic equipment might be quite different from traditional equipment. Other engineers were well aware of the “crash rate” and unpredictable failure modes of software systems at the time.

In fact, some government regulators banned the programmable electronic equipment for use in automatic protection functions. Others began working with industry experts to establish guidelines for using electronic equipment in “emergency shutdown” applications. Eventually, international standards committees were formed and standards covering the design and usage of equipment in SISs were published.

One of the more influential documents about SISs was titled “Programmable Electronic Systems in Safety Related Applications,” published by the Health and Safety Executive (HSE) in the United Kingdom [3, 4]. Early national standards for SISs include “Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben,” first published in Germany [5, 6] in 1990, and ANSI/ISA-84.01-1996, “Application of Safety Instrumented Systems for the Process Industries,” [7] published in 1996 in the United States.

Many members of these national safety standards efforts became members of an international committee that eventually wrote IEC 61508. This standard began in the mid-1980s when the IEC Advisory Committee of Safety (...