What is SIS?
A Safety Instrumented Function (SIF) is one or more components designed to carry out a specific safety-related action when a specific dangerous condition is detected. A Safety Instrumented System (SIS) is a collection of SIFs designed to bring an industrial process to a safe state whenever any of those dangerous conditions is detected. An SIS is also known as an Emergency Shutdown (ESD) system or a Protective Instrument System (PIS).
SIS controllers:
Control hardware for safety instrumented functions should be separate from the control hardware that regulates the process, if only for the simple reason that the SIF exists to bring the process to a safe state when any unsafe condition arises, including a dangerous failure of the basic regulatory controls. If a single piece of control hardware served both purposes, regulation and shutdown, a failure within that hardware that caused loss of normal control would go unprotected, because the same fault would disable the safety function at the same moment. The safety layer only counts as protection if it fails independently of the thing it protects against.
Safety controls are usually discrete with respect to their output signals. When a process must be shut down for safety reasons, the shutdown steps usually take the form of opening or closing certain valves fully rather than partially. This all-or-nothing control action is most easily implemented with discrete signals that drive solenoid valves or electric motor actuators.
A digital controller designed specifically to execute safety instrumented functions is commonly called a logic solver, or sometimes a safety PLC, in recognition of this discrete output nature.
Rockwell's Allen-Bradley programmable logic controllers hold a dominant share of the PLC market, and a version of the ControlLogix 5000 series called GuardLogix is built specifically for safety system applications. Not only does the hardware differ between standard and safety controllers (redundant processors, for example), but some programming instructions are unique to these safety-oriented controllers.
An example of a safety-specific programming instruction is the GuardLogix DCSRT instruction, which compares two redundant input channels for agreement before setting a "start" bit that may be used to start some equipment function such as an electric motor.
In this case, the DCSRT instruction looks for the two discrete inputs to be in the correct complementary states (Channel A = 1 and Channel B = 0) before allowing the motor to start. The two states must not conflict for longer than 50 milliseconds; otherwise the DCSRT instruction sets a "Fault Present" (FP) bit. The contacts of the Form-C pushbutton (one normally-open and one normally-closed contact) are wired to two discrete inputs on the GuardLogix PLC, giving the PLC a dual (complementary) indication of the switch state, so that a single channel stuck at one value, or a short between the two channels, shows up as a disagreement rather than as a valid start command.
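The following is an added simulation of the dual-channel complementary check described above, written to show how the discrepancy timer and the "Fault Present" latch interact. It is not Rockwell's DCSRT implementation and not code from this page: the 10 ms scan interval, the latching behaviour, and the reset semantics (a reset only succeeds once the channels agree again) are assumptions, and the input traces are constructed for the example.

```python
"""Simulation of a complementary dual-channel start check, modelled on the
behaviour the text describes for the GuardLogix DCSRT instruction.

Added example, not Rockwell's code.  Scan interval, latching and reset
semantics are assumptions made for illustration."""

from dataclasses import dataclass

DISCREPANCY_LIMIT_MS = 50  # the 50 ms discrepancy time from the text


@dataclass
class DualChannelStart:
    """Channel A is the normally-open contact (1 = pressed), channel B the
    normally-closed contact (0 = pressed).  Only A=1, B=0 permits a start.
    A mismatch (both 1 or both 0) lasting longer than limit_ms latches a
    fault that blocks starts until reset() succeeds."""

    limit_ms: int = DISCREPANCY_LIMIT_MS
    mismatch_ms: int = 0
    fault_present: bool = False

    def scan(self, channel_a: int, channel_b: int, dt_ms: int) -> bool:
        """Process one controller scan of dt_ms; return the start-permit bit."""
        if channel_a == channel_b:
            # Disagreement: could be a contact in transit (brief, harmless)
            # or a stuck channel / wiring short (persistent, a fault).
            self.mismatch_ms += dt_ms
            if self.mismatch_ms > self.limit_ms:
                self.fault_present = True
        else:
            self.mismatch_ms = 0  # channels agree again, timer restarts
        if self.fault_present:
            return False  # latched fault blocks every start
        return channel_a == 1 and channel_b == 0

    def reset(self, channel_a: int, channel_b: int) -> bool:
        """Clear a latched fault; assumed to succeed only while the channels
        are back in complementary states.  Returns True if no fault remains."""
        if channel_a != channel_b:
            self.fault_present = False
            self.mismatch_ms = 0
        return not self.fault_present


# Constructed input traces, one (A, B) sample per 10 ms scan.
IDLE = [(0, 1)] * 3                                # button released, channels agree
NORMAL_PRESS = IDLE + [(1, 1)] + [(1, 0)] * 3      # 10 ms contact bounce, then pressed
STUCK_CHANNEL = IDLE + [(1, 1)] * 10               # B welded at 1: 100 ms of disagreement


def run_trace(samples, dt_ms: int = 10):
    """Run a fresh checker over a trace; return (permit bits, fault flag)."""
    dc = DualChannelStart()
    permits = [dc.scan(a, b, dt_ms) for a, b in samples]
    return permits, dc.fault_present


if __name__ == "__main__":
    for name, trace in (("normal press", NORMAL_PRESS), ("stuck channel", STUCK_CHANNEL)):
        permits, fault = run_trace(trace)
        print(f"{name:14s} permits={''.join('1' if p else '0' for p in permits)} fault={fault}")
```

The 10 ms disagreement in NORMAL_PRESS is the kind of contact bounce the 50 ms window exists to tolerate; the start is only permitted once both channels settle. In STUCK_CHANNEL the disagreement outlasts the window, the fault latches, and no later sample can permit a start until the channels agree and a reset is issued.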