Safety Instrumented System, SIS
A safety instrumented system (SIS) is a separate control system whose only job is to take a process to a defined safe state when a measurement crosses a trip threshold. Designed, built and proof-tested under IEC 61511 (ANSI/ISA 84 in North America), an SIS sits alongside the basic process control system (BPCS) but is structurally independent of it, so that a fault in the BPCS cannot disable the protection the SIS provides.
A safety instrumented system exists for one reason: to move the process to a safe state when the basic process control system, the operators and the mechanical safeguards have not. IEC 61511, harmonized in North America as ANSI/ISA 84, governs it as a complete lifecycle rather than a piece of hardware, running from the hazard study that identifies which scenarios need an instrumented safeguard, through the safety requirement specification (SRS), to the proof-test schedule that runs for the life of the plant.

The defining design rule is independence. IEC 61511 requires that a failure in the BPCS cannot both create a demand and disable the safety instrumented function that answers it, which in practice forces separate logic solvers, separate I/O and separate field cabling for the safety-classified loops. That independence is why the SIS is carried as its own scope on a project. When an I/O list is built from a P&ID set, the safety tags (PSHH, FSLL, ESDV and any final element flagged with a SIF number) are separated into their own workbook so they get their own SIL allocation, their own cabinet and their own proof-test cadence, and so the safety case can be audited without untangling it from the regulatory control scope.

A tag that the drawing shows as safety-classified but that never reaches that separate register is exactly the gap a pre-startup safety review (PSSR) is designed to catch.
What an SIS actually does.
An SIS continuously monitors process variables. When a value crosses a configured trip point (high pressure, low flow, high temperature), the SIS executes a configured action: shut a feed valve, open a vent, isolate a unit. The action must be deterministic, fast and provably reliable to a Safety Integrity Level (SIL 1, 2, 3 or 4) appropriate for the hazard. Loop-by-loop proof testing, at the interval the SIL calculation assumed, verifies the SIS still works as designed. Falsifying or skipping a proof test invalidates the SIL claim and is a regulatory failure.
How SIS instruments show up on a P&ID.
Tag prefixes signal SIS service: PSHH, PSLL, FSLL, TSHH and similar HH/LL trip designations on sensors, ESDV on shutdown valves, and a SIF (safety instrumented function) number on the logic blocks that tie them together. The voting architecture (1oo2, 2oo3) is annotated near the field devices, and the drawing legend identifies the SIS classification scheme used. When extracting I/O lists from a P&ID set, teams typically split SIS tags into a separate workbook so they get their own SIL allocation, separate cabinet and separate cabling.
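The split of safety tags into their own register, described here and under the independence discussion above, as an added worked example (not code from Tagsight or from the page): it classifies rows of a constructed instrument index by tag prefix and SIF flag, reconciles the result against a constructed SIS register to surface the tags that never reached it (the PSSR gap), flags tags that carry a safety prefix without a SIF assignment, and checks that each MooN voting annotation has N sensors drawn behind it. The regex, the column names, the sample tags and the register contents are assumptions; the project's own drawing legend governs which prefixes mean SIS service.

```python
import re
from collections import defaultdict

# Constructed instrument index standing in for rows read off a P&ID set. Columns are
# an assumption: tag, service, SIF number where the drawing ties the device to a
# safety instrumented function, and the MooN voting note printed beside the device.
INSTRUMENT_INDEX = [
    {"tag": "PT-101",    "service": "Reactor pressure",           "sif": None,     "vote": None},
    {"tag": "PSHH-101A", "service": "Reactor pressure HH trip",   "sif": "SIF-01", "vote": "2oo3"},
    {"tag": "PSHH-101B", "service": "Reactor pressure HH trip",   "sif": "SIF-01", "vote": "2oo3"},
    {"tag": "PSHH-101C", "service": "Reactor pressure HH trip",   "sif": "SIF-01", "vote": "2oo3"},
    {"tag": "ESDV-101",  "service": "Reactor feed isolation",     "sif": "SIF-01", "vote": None},
    {"tag": "FT-202",    "service": "Coolant flow",               "sif": None,     "vote": None},
    {"tag": "FSLL-202A", "service": "Coolant flow LL trip",       "sif": "SIF-02", "vote": "2oo3"},
    {"tag": "FSLL-202B", "service": "Coolant flow LL trip",       "sif": "SIF-02", "vote": "2oo3"},
    {"tag": "TSHH-105",  "service": "Jacket temperature HH trip", "sif": None,     "vote": None},
    {"tag": "FV-202",    "service": "Coolant flow control valve", "sif": None,     "vote": None},
]

# Constructed SIS register (the separate workbook handed to the safety team).
# ESDV-101 and TSHH-105 are deliberately absent to exercise the reconciliation.
SIS_REGISTER = {"PSHH-101A", "PSHH-101B", "PSHH-101C", "FSLL-202A", "FSLL-202B"}

# Tag shapes that mean SIS service on these drawings: an ISA-5.1 variable letter,
# S for switch, an HH/LL qualifier, or an ESDV/SDV shutdown valve. Assumed legend;
# read the project's own legend before trusting a prefix.
SIS_TAG_RE = re.compile(r"^(?:[A-Z]S(?:HH|LL)|ESDV|SDV)-\d+[A-Z]?$")
VOTE_RE = re.compile(r"^(\d)oo(\d)$")


def is_sis_tag(row):
    """A row is SIS scope if the drawing ties it to a SIF or its tag carries a safety prefix."""
    return row["sif"] is not None or SIS_TAG_RE.match(row["tag"]) is not None


def split_registers(index):
    """Return (sis_tags, bpcs_tags) in drawing order: the two workbooks an I/O list is split into."""
    sis = [r["tag"] for r in index if is_sis_tag(r)]
    bpcs = [r["tag"] for r in index if not is_sis_tag(r)]
    return sis, bpcs


def unregistered_sis_tags(index, register):
    """Tags the drawing classifies as safety that never reached the SIS register: the PSSR gap."""
    sis, _ = split_registers(index)
    return sorted(t for t in sis if t not in register)


def prefix_without_sif(index):
    """Tags with a safety prefix but no SIF assignment: classified on the drawing, not by the LOPA."""
    return [r["tag"] for r in index if r["sif"] is None and SIS_TAG_RE.match(r["tag"])]


def voting_mismatches(index):
    """Voting groups whose sensor count disagrees with the N in their MooN annotation."""
    groups = defaultdict(list)
    for r in index:
        if r["vote"]:
            groups[(r["sif"], r["vote"])].append(r["tag"])
    problems = []
    for (sif, vote), tags in groups.items():
        m = VOTE_RE.match(vote)
        if m is None:
            problems.append((sif, vote, "unparseable voting note"))
        elif len(tags) != int(m.group(2)):
            problems.append((sif, vote, f"{len(tags)} sensors drawn for {vote}"))
    return problems


if __name__ == "__main__":
    sis, bpcs = split_registers(INSTRUMENT_INDEX)
    print("SIS workbook:", sis)
    print("BPCS workbook:", bpcs)
    print("Safety tags missing from SIS register:", unregistered_sis_tags(INSTRUMENT_INDEX, SIS_REGISTER))
    print("Safety prefix, no SIF assigned:", prefix_without_sif(INSTRUMENT_INDEX))
    print("Voting mismatches:", voting_mismatches(INSTRUMENT_INDEX))
```

Run against the constructed data it reports ESDV-101 and TSHH-105 as safety-classified on the drawing but absent from the register, TSHH-105 as a safety prefix nobody assigned to a SIF, and SIF-02 as a 2oo3 annotation with only two transmitters drawn. On a real project the index rows come from the extracted I/O list and the register from the safety team's workbook; the checks stay the same.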
Frequently asked.
What does SIL mean.
SIL stands for Safety Integrity Level. For a low-demand safety function it is a bracket of average probability of failure on demand (PFDavg), each level a factor of ten tighter than the last. SIL 1 allows a PFDavg between 10^-2 and 10^-1, roughly one failure in every 10 to 100 demands; SIL 2 between 10^-3 and 10^-2; SIL 3 between 10^-4 and 10^-3, one failure in every 1,000 to 10,000 demands; SIL 4 between 10^-5 and 10^-4. Higher SIL requires more redundant hardware (a higher hardware fault tolerance), lower undetected failure rates and more frequent proof testing.
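The trip evaluation described under "What an SIS actually does" and the SIL bands above, as an added worked example (not code from the page or from any SIS vendor): a MooN trip vote over sensor readings, and the simplified PFDavg arithmetic that ties the dangerous undetected failure rate and the proof-test interval to the SIL a given architecture can claim. Function names, the constructed readings and failure rate, the convention that a bad-quality reading votes to trip, and the single-parameter PFDavg approximations (no common-cause factor, no diagnostic coverage, no repair time) are all assumptions; a real SIL verification uses the full IEC 61508-6 formulas with a beta factor, and the redundant architectures come out worse than shown here.

```python
import math

# Low-demand SIL bands by PFDavg: (SIL, inclusive lower bound, exclusive upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Simplified PFDavg per architecture as a function of x = lambda_DU * T_I (textbook
# approximations; assumption: no common cause, no diagnostics, no repair time).
_PFD = {
    "1oo1": lambda x: x / 2,
    "1oo2": lambda x: x ** 2 / 3,
    "2oo2": lambda x: x,
    "2oo3": lambda x: x ** 2,
}
# Inverse of the above: the x at which PFDavg equals a target value.
_X_FOR_PFD = {
    "1oo1": lambda p: 2 * p,
    "1oo2": lambda p: math.sqrt(3 * p),
    "2oo2": lambda p: p,
    "2oo3": lambda p: math.sqrt(p),
}


def parse_voting(arch):
    """'2oo3' -> (2, 3): M channels out of N must vote to trip."""
    parts = arch.lower().split("oo")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad voting architecture {arch!r}")
    m, n = int(parts[0]), int(parts[1])
    if not 1 <= m <= n:
        raise ValueError(f"bad voting architecture {arch!r}")
    return m, n


def evaluate_trip(arch, readings, trip_point, high=True):
    """True if the MooN group votes to trip on these readings.

    A None reading (bad quality, loss of signal) counts as a trip vote: the
    de-energize-to-trip convention assumed here. Real logic solvers may instead
    degrade the voting (2oo3 -> 1oo2) on a flagged channel; that is a configuration choice.
    """
    m, n = parse_voting(arch)
    if len(readings) != n:
        raise ValueError(f"{arch} needs {n} readings, got {len(readings)}")
    votes = 0
    for r in readings:
        if r is None:
            votes += 1
        elif high and r >= trip_point:
            votes += 1
        elif not high and r <= trip_point:
            votes += 1
    return votes >= m


def pfd_avg(arch, lambda_du_per_h, test_interval_h):
    """Simplified PFDavg for an architecture from lambda_DU (per hour) and proof-test interval (hours)."""
    if arch not in _PFD:
        raise ValueError(f"no PFD model for {arch!r}")
    return _PFD[arch](lambda_du_per_h * test_interval_h)


def sil_from_pfd(pfd):
    """SIL 1-4 for a PFDavg; 0 if PFDavg >= 0.1 (does not qualify as a SIF)."""
    if pfd < 1e-5:
        return 4  # below the SIL 4 floor; IEC 61511 defines nothing higher
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def max_test_interval_h(arch, lambda_du_per_h, target_sil):
    """Proof-test interval (hours) at which PFDavg reaches the ceiling of the target SIL band.

    The schedule must be shorter than this, since the ceiling itself belongs to the next band down.
    """
    ceiling = {sil: hi for sil, _, hi in SIL_BANDS}[target_sil]
    return _X_FOR_PFD[arch](ceiling) / lambda_du_per_h


if __name__ == "__main__":
    # Constructed readings: three reactor pressure transmitters against a 100 barg HH trip.
    print("2oo3 trip:", evaluate_trip("2oo3", [105.0, 98.0, 110.0], 100.0))
    # Constructed failure rate: 1e-6 dangerous undetected failures per hour, tested yearly.
    for arch in ("1oo1", "1oo2", "2oo3"):
        p = pfd_avg(arch, 1e-6, 8760)
        print(f"{arch}: PFDavg={p:.2e} -> SIL {sil_from_pfd(p)}")
    print("1oo1 must be tested at least every %.0f h to hold SIL 2" % max_test_interval_h("1oo1", 1e-6, 2))
```

With the constructed rate, a single transmitter tested yearly lands in SIL 2, the same transmitter tested every four years drops to SIL 1, and the proof-test interval needed to hold SIL 2 comes out at 20,000 h; that is the mechanism behind "higher SIL requires more frequent proof testing", and it is why a skipped proof test invalidates the SIL claim rather than merely deferring a chore.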
Can BPCS and SIS share field instruments.
IEC 61511 strongly discourages it, and permits a shared device only where analysis shows that its failure cannot both place a demand on the safety function and defeat the response. Practical implementations avoid that analysis by running separate transmitters and separate cabling for SIL-classified loops, even when the process measurement is the same.
Who is responsible for specifying SIS instruments on a project.
The process safety engineer assigns the safety function and its SIL target during LOPA (layer of protection analysis). The I&C engineer then selects the sensor type, voting topology and logic solver to meet that target, and documents the selection in the safety requirement specification. The SIS vendor and integrator implement to the SRS. The owner-operator verifies through the pre-startup safety review.