SIL-Rated I/O and BPCS Separation Explained
How Safety Integrity Level (SIL) ratings change instrument selection, I/O list structure, and the hard line between safety instrumented systems and basic process control. Written for controls engineers building an I/O list that a functional safety auditor will accept.
An I/O list that mixes safety instruments with control instruments will fail a functional safety audit. It will also cause programming errors that show up during commissioning, when a technician discovers that a shutdown transmitter is wired to a BPCS card and the whole loop needs to be rebuilt.
BPCS and SIS are two systems, not one
The Basic Process Control System runs the normal operating loops. Flow controllers, level controllers, pressure indicators. Its job is to keep the plant running.
The Safety Instrumented System runs the shutdowns. When a pressure transmitter sees a high-high alarm, the SIS trips the upstream valve closed, vents the vessel, and takes action independent of whatever the BPCS is doing. Its job is to prevent harm when the BPCS has failed to keep the process inside safe limits.
Under IEC 61511, these two systems are physically independent. Separate PLCs, separate I/O cards, separate power, separate wiring runs. That is the principle of independent protection layers. An auditor will ask for proof of separation and will inspect the wiring if necessary.
SIL determination: where the number comes from
SIL targets are set by the process hazard analysis and the Layer of Protection Analysis (LOPA), not by the instrumentation engineer selecting devices. The flow is:
- The process hazard analysis (PHA, usually a HAZOP) identifies hazard scenarios. "High pressure in V-201 could cause vessel rupture."
- LOPA quantifies the frequency of the initiating event and the risk reduction available from each independent protection layer (IPL). If the existing safeguards (relief valves, BPCS alarms, operator response) do not reduce risk to the tolerable frequency, a Safety Instrumented Function (SIF) is required.
- The LOPA output specifies a required Risk Reduction Factor (RRF) for the SIF, which translates directly to a SIL target: RRF 10 to 100 is SIL 1, RRF 100 to 1,000 is SIL 2, RRF 1,000 to 10,000 is SIL 3.
- The instrumentation engineer then selects field devices, voting architecture, and proof-test interval to achieve the required average Probability of Failure on Demand (PFD) for the SIF.
The I/O list records the output of this process. It does not set the SIL. A controls engineer who writes "SIL 2" on an I/O list without a supporting LOPA has created a compliance document with no analysis behind it.
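As an added worked example (not code from the original page), the following Python carries the flow above through to the PFD check that the instrumentation engineer owns in the last step. It maps a LOPA RRF to a SIL target, computes the PFD of each SIF subsystem with the simplified IEC 61508-6 low-demand approximations plus a beta-factor common-cause term, and compares the SIL the design achieves with the target. The failure rates, proof-test intervals and beta value are constructed for illustration, not taken from any vendor certificate.

```python
"""Low-demand SIL verification arithmetic for one SIF.

Added example, not from the original page. Uses the simplified IEC 61508-6
PFDavg approximations (no repair-time term, no diagnostic credit) plus a
beta-factor common-cause term for the redundant architectures. The failure
rates, proof-test intervals and beta value below are constructed for the
example, not taken from any vendor certificate.
"""
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


def sil_from_rrf(rrf: float) -> int:
    """LOPA required risk reduction factor -> SIL target (low-demand mode)."""
    if rrf < 10:
        return 0          # below SIL 1: no SIF credit can be claimed
    if rrf < 100:
        return 1
    if rrf < 1_000:
        return 2
    if rrf < 10_000:
        return 3
    return 4


def sil_from_pfd(pfd: float) -> int:
    """Achieved PFDavg -> highest SIL band it satisfies (low-demand mode)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4          # IEC 61508 defines nothing above SIL 4


@dataclass(frozen=True)
class Subsystem:
    """One SIF subsystem: sensors, logic solver or final element."""
    name: str
    architecture: str        # "1oo1", "1oo2", "2oo2" or "2oo3"
    lambda_du: float         # dangerous undetected failure rate, per hour
    proof_test_months: int   # proof-test interval TI
    beta: float = 0.0        # common-cause fraction, applied to 1oo2 and 2oo3 only

    def pfd_avg(self) -> float:
        ti_hours = self.proof_test_months / 12.0 * HOURS_PER_YEAR
        x = self.lambda_du * ti_hours   # expected dangerous failures per TI
        if self.architecture == "1oo1":
            return x / 2
        if self.architecture == "2oo2":
            # both channels must vote to trip, so a dangerous failure of
            # either one defeats the function: twice the 1oo1 value
            return x
        if self.architecture == "1oo2":
            return x * x / 3 + self.beta * x / 2
        if self.architecture == "2oo3":
            return x * x + self.beta * x / 2
        raise ValueError(f"unsupported architecture {self.architecture!r}")


def sif_pfd(subsystems: list[Subsystem]) -> float:
    """PFDavg of the whole SIF is the sum over its subsystems."""
    return sum(s.pfd_avg() for s in subsystems)


def dominant_subsystem(subsystems: list[Subsystem]) -> str:
    """Name of the subsystem contributing the largest share of the PFDavg."""
    return max(subsystems, key=lambda s: s.pfd_avg()).name


def verify_sif(rrf: float, subsystems: list[Subsystem]) -> dict:
    """Compare the LOPA-derived SIL target with the SIL the design achieves."""
    pfd = sif_pfd(subsystems)
    target = sil_from_rrf(rrf)
    achieved = sil_from_pfd(pfd)
    return {"target": target, "achieved": achieved, "pfd_avg": pfd,
            "meets_target": achieved >= target,
            "dominant": dominant_subsystem(subsystems)}


# Constructed SIF-101: 2oo3 pressure transmitters, a 1oo1 logic solver and a
# single shutdown valve, all proof-tested every 12 months.
SIF_101 = [
    Subsystem("PT-101A/B/C sensors", "2oo3", lambda_du=5e-7, proof_test_months=12, beta=0.05),
    Subsystem("SIS logic solver", "1oo1", lambda_du=1e-8, proof_test_months=12),
    Subsystem("SDV-101 final element", "1oo1", lambda_du=1e-6, proof_test_months=12),
]

if __name__ == "__main__":
    print(verify_sif(rrf=300, subsystems=SIF_101))
```

Running it shows the usual shape of a real SIL verification: the single shutdown valve contributes most of the PFD, so shortening the transmitters' proof-test interval alone does not move the SIF from SIL 2 to SIL 3, while a 1oo2 valve arrangement does. Redundancy only improves the random-hardware PFD; architectural constraints and the devices' systematic capability still apply, which is why device SIL capability is a separate column on the list.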
SIF identification and tagging
Each Safety Instrumented Function gets a unique SIF identifier. The common convention is SIF-XXX, where XXX is a sequential number assigned during the LOPA. Each SIF has:
- **Initiating element(s).** The field transmitters or switches that detect the hazardous condition, e.g. PT-301A and PT-301B in a 1oo2 voting arrangement
- **Logic solver.** The SIS PLC that evaluates the voting logic
- **Final element(s).** The shutdown valve(s) or motor trip(s) that take the protective action, e.g. SDV-301
All three categories must appear on the SIS I/O list with their SIF identifier, so a reviewer can trace the complete SIF from sensor through logic to final element in a single document.
Voting architectures
Voting architecture determines how many sensors must agree before the SIF trips. The common architectures and their I/O implications:
| Architecture | Description | Typical use | I/O channels required |
|---|---|---|---|
| 1oo1 | One out of one. Single sensor trips | SIL 1 low-demand functions where a spurious trip is tolerable | 1 per sensor type |
| 1oo2 | One out of two. Either sensor trips | Lower PFD than 1oo1, at the cost of more spurious trips | 2 per sensor type |
| 2oo2 | Both sensors must agree to trip | Reduces spurious trips, but the PFD is worse than 1oo1 | 2 per sensor type |
| 2oo3 | Two out of three. Majority vote | SIL 2-3 functions that need both low PFD and a low spurious-trip rate | 3 per sensor type |
| 1oo2D | One out of two with diagnostics. A channel that flags its own fault is voted out | Balances safety integrity and availability | 2 per sensor type |
For the I/O list, each physical sensor in a voted arrangement gets its own row with its own tag, its own I/O channel, and the same SIF identifier. A 2oo3 high-pressure trip on SIF-101 might list PT-101A, PT-101B, and PT-101C each as separate AI rows, all carrying SIF-101 in the SIF identifier column.
Required columns for an SIS I/O list
A minimum SIS I/O list row contains:
| Column | Example | Notes |
|---|---|---|
| Tag number | PT-301A | Unique per physical instrument |
| Description | Reactor High-Pressure Trip | Must match the safety requirements specification (SRS) |
| Signal class | AI | Per ISA 5.1 |
| SIS/BPCS | SIS | Never blank |
| SIF identifier | SIF-101 | Links to the LOPA record |
| SIL target | SIL 2 | From LOPA output |
| Device SIL capability | SIL 2 | From the vendor SIL certificate |
| Voting architecture | 2oo3 | Per SIS design |
| Proof-test interval | 12 months | From the SIL verification (PFD) calculation |
| Response time requirement | 2 seconds | Must be shorter than the process safety time |
| PLC assignment (rack, slot, channel) | SIS-PLC-1, Rack 1, Slot 3, Ch 4 | SIS rack only. Never a BPCS rack |
| SIL certificate reference | exida Cert. No. 12345 | Document number for the audit trail |
What does not go on a BPCS I/O list
Resist the temptation to copy SIS rows into the BPCS I/O list for visibility. An engineer reviewing the BPCS list should see only BPCS instruments. An engineer reviewing the SIS list should see only SIS instruments. Cross-pollination of tag ownership is what causes SIF instruments to be wired to the wrong rack.
If an operator needs to see an SIS measurement on the BPCS HMI, that is done through a read-only Modbus or OPC mapping between the two controllers, not by duplicating the instrument on the BPCS I/O list. The wiring stays in the SIS. The display reads over comms.
SIL ratings on the I/O list
SIL (Safety Integrity Level) is a measure of risk reduction factor. A SIL 1 safety function reduces risk by 10 to 100x, SIL 2 by 100 to 1,000x, SIL 3 by 1,000 to 10,000x. The SIL target of a Safety Instrumented Function (SIF) is set by the process hazard analysis and the LOPA study, not by the instrument selection. The I/O list reflects it. It does not determine it.
On an SIS I/O list, every row carries:
- SIL target of the loop, e.g. SIL 2
- Device SIL capability of the individual instrument, e.g. SIL 2 certified
- SIF identifier linking the instrument to its shutdown function, e.g. SIF-101, Reactor High-Pressure Trip
- Proof-test interval for scheduled maintenance, e.g. 12 months
The device SIL capability must meet or exceed the loop SIL target. A SIL 3 loop cannot be built from SIL 1 transmitters, even if two of them vote: redundancy lowers the hardware PFD, but it does not raise the systematic capability of identical devices.
Separation rules in practice
Physical separation between SIS and BPCS runs from the field device through to the controller. The separation requirements that show up most often during audits:
Separate PLC. The SIS logic solver cannot be the same physical controller as the BPCS PLC, unless the controller is a safety-rated system with certified separation between the safety and standard program partitions (Rockwell GuardLogix, Siemens S7-1500F). Standard BPCS controllers cannot be used for SIS logic, regardless of their firmware.
Separate I/O cards. SIS field devices land on SIS-rated I/O cards. They do not share card slots with BPCS instruments. Verify this from the PLC rack layout drawing. It should be cross-referenced in the I/O list.
Separate wiring runs. SIS cable runs should be separated from BPCS cable runs in cable trays. The minimum separation within a shared tray depends on the project standard: IEC 61511 requires adequate separation without specifying a distance, and many projects use a 50 mm gap or a physical barrier.
Separate power supply. SIS and BPCS should have independent power feeds. A single power supply failure should not simultaneously take out both systems.
On the I/O list, the PLC rack, slot, channel column communicates the separation status. If SIS instruments show assignments in a clearly different rack identifier from BPCS instruments, the I/O list demonstrates separation. If they intermix rack references, the design has a separation deficiency.
Instrument datasheets for SIL-rated devices
SIL-rated transmitters and valves ship with additional documentation beyond a standard datasheet.
- SIL certificate (typically from exida or TÜV) stating device SIL capability, the failure rates that feed the PFD calculation, and safe failure fraction
- Safety manual describing required configuration, diagnostic coverage, and proof-test procedures
- Fault exclusion document for any failure modes excluded from the SIL calculation
These go in the project file alongside the I/O list. During the functional safety assessment, the auditor will sample your I/O list, pull the corresponding instruments, and ask for the SIL certificate for each one. Missing certificates trigger a finding.
Audit trail requirements under IEC 61511
IEC 61511 requires that the functional safety lifecycle is documented and that the documentation is maintained throughout the plant's operating life. For the I/O list specifically:
- The SIS I/O list must be revision-controlled and changes must go through the management of change process.
- Each revision must note what changed, when it changed, and who authorized the change.
- The I/O list revision must be traceable to the SRS revision that drove the change.
- Proof-test records referencing the I/O list must be retained for the life of the SIF.
A functional safety auditor checking IEC 61511 clause 5 compliance will ask for the I/O list revision history, the supporting LOPA or SIL verification calculation for each SIF, and the current status of any open findings from previous audits.
Building the list from a P&ID
On a well-drawn P&ID, safety instruments are already marked, either with a thicker bubble outline, an SIS prefix on the tag, or a note on the drawing. When you extract the instrument list from the drawings, carry that classification through. Do not wait until detailed design to decide which instruments are in the SIS.
The I/O list carries the SIS/BPCS classification the drawing marks, with safety-related instruments identified. The full column layout, SIF-identifier conventions, and proof-test documentation expected alongside the list are covered in the guide to extracting SIF logic from P&IDs. For the base I/O list column structure and controlled-document conventions that the SIS list extends, see the I/O list creation guide. If your drawings are older and the classification is not explicit, a functional safety engineer needs to walk the plant and classify each loop before the I/O list is considered complete.
Common mistakes
- Mixing SIS and BPCS on a single sheet without classification
- Using the same tag number for a BPCS and an SIS transmitter measuring the same variable
- Specifying SIL 3 capability for every instrument "to be safe," which inflates cost and obscures the actual SIL targets
- Forgetting the proof-test interval, which is required on the SIF datasheet and drives maintenance scheduling
- Listing SIS instruments on the BPCS PLC I/O schedule
- Setting SIL targets on the I/O list without a supporting LOPA
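The mistakes above, the voting-row convention (one row per physical channel, same SIF identifier), the device-capability rule and the rack-separation check are all mechanical enough to verify in the spreadsheet itself. The following Python is an added example, not code from the original page: it reads an I/O list exported to CSV with the column names from the required-columns table and reports each finding. The rack naming convention (SIS racks named SIS-PLC-*, BPCS racks BPCS-PLC-*) and the sample rows are assumptions constructed for the example; the sample deliberately contains one instance of each mistake.

```python
"""Structural checks on an SIS/BPCS I/O list exported to CSV.

Added example, not part of the original page. Column names follow the
required-columns table in the article. The rack naming convention
(SIS racks start with SIS-PLC-) and the sample rows are assumptions
constructed for this example.
"""
from __future__ import annotations

import csv
import io
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

SIS_RACK_PREFIX = "SIS-PLC-"        # assumed project naming convention
VOTING_RE = re.compile(r"^(\d)oo(\d)D?$")
SIL_RE = re.compile(r"^SIL\s*([1-4])$")

# Constructed sample export; it contains one instance of each mistake below.
SAMPLE_CSV = """\
Tag,Description,Signal class,SIS/BPCS,SIF identifier,SIL target,Device SIL capability,Voting architecture,Proof-test interval,PLC assignment,LOPA ref
PT-101A,Reactor High-Pressure Trip,AI,SIS,SIF-101,SIL 2,SIL 2,2oo3,12 months,"SIS-PLC-1, Rack 1, Slot 3, Ch 1",LOPA-07
PT-101B,Reactor High-Pressure Trip,AI,SIS,SIF-101,SIL 2,SIL 2,2oo3,12 months,"SIS-PLC-1, Rack 1, Slot 3, Ch 2",LOPA-07
PT-101C,Reactor High-Pressure Trip,AI,SIS,SIF-101,SIL 2,SIL 2,2oo3,12 months,"BPCS-PLC-1, Rack 2, Slot 1, Ch 4",LOPA-07
SDV-101,Reactor Shutdown Valve,DO,SIS,SIF-101,SIL 2,SIL 1,1oo1,12 months,"SIS-PLC-1, Rack 1, Slot 5, Ch 1",LOPA-07
LT-201A,KO Drum High-Level Trip,AI,SIS,SIF-102,SIL 2,SIL 2,1oo2,,"SIS-PLC-1, Rack 1, Slot 3, Ch 5",LOPA-09
FT-301,Feed Flow Control,AI,BPCS,,,,,,"BPCS-PLC-1, Rack 1, Slot 2, Ch 1",
FT-301,Feed Flow Control,AI,BPCS,,,,,,"BPCS-PLC-1, Rack 1, Slot 2, Ch 2",
PT-305,Column Pressure Indication,AI,,,SIL 1,,,,"BPCS-PLC-1, Rack 1, Slot 2, Ch 3",
"""


@dataclass(frozen=True)
class Finding:
    tag: str
    rule: str
    detail: str


def parse_sil(value: str) -> int | None:
    """'SIL 2' -> 2; blank or unparsable -> None."""
    m = SIL_RE.match(value.strip())
    return int(m.group(1)) if m else None


def check_io_list(csv_text: str) -> list[Finding]:
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings: list[Finding] = []

    # Same tag number used twice, e.g. a BPCS and an SIS transmitter sharing a tag.
    for tag, n in Counter(r["Tag"].strip() for r in rows).items():
        if n > 1:
            findings.append(Finding(tag, "duplicate_tag", f"tag appears {n} times"))

    # (SIF, voting architecture, signal class) -> tags, for the channel-count check
    voting_groups: dict[tuple[str, str, str], list[str]] = defaultdict(list)

    for r in rows:
        tag = r["Tag"].strip()
        system = r["SIS/BPCS"].strip()
        rack = r["PLC assignment"].strip()
        sif = r["SIF identifier"].strip()
        target = parse_sil(r["SIL target"])
        capability = parse_sil(r["Device SIL capability"])

        # SIS/BPCS is never blank, and the rack reference must agree with it.
        if not system:
            findings.append(Finding(tag, "class_blank", "SIS/BPCS column is blank"))
        elif system == "SIS" and not rack.startswith(SIS_RACK_PREFIX):
            findings.append(Finding(tag, "separation", f"SIS instrument assigned to {rack!r}"))
        elif system == "BPCS" and rack.startswith(SIS_RACK_PREFIX):
            findings.append(Finding(tag, "separation", f"BPCS instrument assigned to SIS rack {rack!r}"))

        # A SIL target with no SIF identifier or LOPA reference has no analysis behind it.
        if target is not None and not (sif and r["LOPA ref"].strip()):
            findings.append(Finding(tag, "sil_without_basis",
                                    "SIL target set without SIF identifier and LOPA reference"))

        # Device capability must meet or exceed the loop target.
        if target is not None and capability is not None and capability < target:
            findings.append(Finding(tag, "capability",
                                    f"device SIL {capability} below loop target SIL {target}"))

        if system == "SIS":
            if not sif:
                findings.append(Finding(tag, "missing_sif", "SIS row carries no SIF identifier"))
            if not r["Proof-test interval"].strip():
                findings.append(Finding(tag, "missing_proof_test", "SIS row has no proof-test interval"))
            if sif:
                key = (sif, r["Voting architecture"].strip(), r["Signal class"].strip())
                voting_groups[key].append(tag)

    # Every physical channel in an MooN group is its own row, so the row count must equal N.
    for (sif, arch, signal), tags in voting_groups.items():
        m = VOTING_RE.match(arch)
        if not m:
            findings.append(Finding(", ".join(tags), "voting_unparsed",
                                    f"{sif}: voting architecture {arch!r} not recognised"))
            continue
        expected = int(m.group(2))
        if len(tags) != expected:
            findings.append(Finding(", ".join(tags), "voting_count",
                                    f"{sif} {arch} needs {expected} {signal} rows, found {len(tags)}"))
    return findings


if __name__ == "__main__":
    for f in check_io_list(SAMPLE_CSV):
        print(f"{f.tag}: {f.rule}: {f.detail}")
```

On the sample it reports PT-101C landing on a BPCS rack, SDV-101's SIL 1 valve on a SIL 2 loop, LT-201A as a 1oo2 trip with only one row and no proof-test interval, the duplicated FT-301 tag, and PT-305 carrying a SIL target with neither a classification nor a LOPA reference. The checker cannot prove separation (only the rack drawings and the wiring do that), but it catches the I/O list inconsistencies that an auditor would sample for first.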
Related
- SIS and functional safety
- OSHA PSM compliance
- IEC 61511 and process safety
- IEC 61511 for the I&C Engineer Building the SIS I/O List: from reading the LOPA output to documenting proof-test intervals
- Redundant I/O: How 1oo2, 2oo3, and 2oo4 Voting Show Up on the I/O List: one row per physical device, suffixed tags, shared SIF identifier
- Loop diagrams vs P&IDs
- Commissioning loop check plan
- P&ID to I/O list extraction
FAQ
What is the difference between a BPCS I/O list and an SIS I/O list?
The Basic Process Control System (BPCS) runs the normal operating loops. The Safety Instrumented System (SIS) runs the shutdown and interlock loops. IEC 61511 requires them to be physically independent: separate PLCs, separate I/O cards, separate wiring. Your I/O list must reflect that separation, either by keeping them on different sheets or by adding an SIS/BPCS column that a safety auditor can filter on.
Can a single instrument appear on both the BPCS and SIS I/O lists?
The conservative answer is no. An instrument is wired to one system or the other, and if you need the same measurement for control and shutdown you specify two separate transmitters, a BPCS transmitter and an SIS-rated transmitter, each with its own tag, its own I/O channel, and its own signal class entry. IEC 61511-1 (clause 11, SIS design) does not forbid a shared device outright, but it only permits one where a documented analysis shows that the device's failure does not itself place a demand on the SIF it serves and that the overall risk remains tolerable. Most projects avoid that analysis by specifying separate instruments, and a shared transmitter with no such analysis in the project file is an audit finding.
What is a SIL rating and where does it go on the I/O list?
SIL is the Safety Integrity Level, SIL 1 through SIL 4 per IEC 61508/61511, and it expresses the risk reduction factor. SIL 1 is the lowest. SIL 3 is the highest commonly specified in the process industries. On an SIS I/O list, every SIF row carries a SIL target. The individual instruments carry their device-level SIL capability, which must meet or exceed the SIF target.
Do all SIS transmitters need to be SIL 3 capable?
No. The device SIL capability must meet the SIL target of the loop it is in. A SIL 1 shutdown function can use a SIL 1 certified transmitter. Specifying SIL 3 devices everywhere wastes budget and makes spare-parts management harder. Size the instrument to the loop, not to a blanket specification.
How does SIL affect I/O card selection?
SIS I/O cards must be certified to the SIL of the SIFs they serve, SIL 2 or SIL 3 in practice. Major vendors (Rockwell GuardLogix, Siemens S7-1500F, HIMA, Emerson DeltaV SIS) sell separate safety-rated I/O families. A standard BPCS PLC rack cannot be used for SIS I/O. That is a hard rule and auditors check it.
What columns should I add to the I/O list to handle SIL-rated instruments?
SIS/BPCS classification, SIL target for the loop, device SIL capability, proof-test interval, and SIF identifier (the shutdown function this instrument serves). With these columns a functional safety engineer can verify the loop design in the spreadsheet without cross-referencing another document.