Safety Instrumented System, abbreviated as SIS; also known as Safety Interlocking System. It mainly comprises the alarm and interlock parts of a plant control system: based on the measurements made in the control system it raises alarms, adjusts or stops the process, and is an important component of automatic control in industrial plants.
System Features
(1) It takes IEC61508 as its basic standard and complies with the safety standards stipulated by the International Safety Association for instruments.
(2) It has wide coverage and high safety, and has self-diagnostic functions capable of detecting and preventing potential dangers.
(3) It is a fault-tolerant, multiply redundant system. SIS generally adopts a multiple redundancy structure to improve the hardware fault tolerance of the system, so that a single fault does not lead to the loss of the SIS safety function.
(4) The application program is easy to modify and can be adapted to actual needs.
(5) The self-diagnostic coverage is large, so the number of points that maintenance staff need to check is relatively small.
(6) The response speed is fast: the response time from an input change to the output change is generally around 10 – 50 ms, and the response time of some small SIS is even shorter.
(7) It can achieve a safety design of the entire loop from sensors to actuators, with monitoring functions such as I/O short-circuit and open-circuit detection.
Basic composition
The safety instrumented system consists of sensors, logic solvers and final elements, namely the detection unit, control unit and execution unit. The SIS monitors existing or latent dangers during the production process, issues warning messages or directly executes the predetermined procedures, immediately enters the safe operating mode, prevents accidents from occurring, and reduces the harm and impact brought by accidents.
System structure
The mainstream system structures of SIS are of two types: TMR (triple) and 2oo4D (quad).
(1) TMR structure: It integrates three isolated, parallel control systems (each called a channel or sub-circuit) and extensive diagnostics into one system, providing highly reliable, error-free and uninterrupted control through a two-out-of-three (2oo3) voting mechanism. TRICON, ICS, HollySys, etc. are all systems that adopt the TMR structure.
(2) 2oo4D structure: The 2oo4D system consists of two independent, parallel-running systems; a communication module keeps their operation synchronized. When self-diagnostics detect a failure in one module, the CPU forces that module into the failed (safe) state so that the system output remains correct. At the same time, the SMOD function of the safety output module (the auxiliary de-energization path) ensures that a fail-safe signal is output when both systems fail simultaneously or the power supply is lost. A single output circuit is thus realized through four output circuits plus the self-diagnostic function, which gives the system high reliability, high safety and high availability. The SIS of HONEYWELL and HIMA adopt the 2oo4D structure.
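The two voting architectures above, as an added illustration that is not part of the original article: a 2oo3 majority vote with an exhaustive single-stuck-at-fault check for TMR, and a two-system model with self-diagnostics and a fail-safe fallback for 2oo4D. The 1oo2 trip vote between two healthy systems, the `power_ok` input and the True-means-trip convention are this example's assumptions, not details stated on the page.

```python
# Constructed model of SIS voting logic (not vendor code). A channel demand of
# True asks for a trip (de-energise the final element); False means keep running.

def tmr_2oo3(demands):
    """TMR logic solver: three parallel channels, output is the 2-out-of-3 majority."""
    assert len(demands) == 3
    return sum(bool(d) for d in demands) >= 2

def tmr_survives_single_fault(true_demand):
    """Inject a stuck-at-False and stuck-at-True fault into each channel in turn
    and check that the voted output always equals the fault-free output, i.e.
    a single channel fault neither loses the safety function nor causes a
    spurious trip."""
    healthy = [true_demand] * 3
    expected = tmr_2oo3(healthy)
    for i in range(3):
        for stuck in (False, True):
            faulted = list(healthy)
            faulted[i] = stuck
            if tmr_2oo3(faulted) != expected:
                return False
    return True

def quad_2oo4d(demand_a, healthy_a, demand_b, healthy_b, power_ok=True):
    """2oo4D: two independent systems A and B, each with self-diagnostics.
    A system whose diagnostics report a failure is forced to the safe state and
    removed from the vote; the remaining healthy system carries the output.
    Assumption: healthy systems vote 1oo2 for a trip (either may trip).
    With both systems failed or the power supply lost, the output module's
    SMOD path drops the output, which is the fail-safe result."""
    if not power_ok:
        return True                      # loss of supply -> de-energised output
    active = [d for d, h in ((demand_a, healthy_a), (demand_b, healthy_b)) if h]
    if not active:
        return True                      # both systems failed -> SMOD fail-safe
    return any(active)
```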
Functions and Requirements
The basic functions and requirements of the safety instrumented system
1. Ensure the normal operation of production and the safety interlocks for accidents (the CPU scan time of the control system must reach the millisecond level)
2. Safety interlock alarms (for general process operation parameters, there will be set alarm values and interlock values)
3. Interlock actions and operation display
Additional functions of the safety interlock system
1. Pre-alarm function of safety interlock
2. Safety interlock delay
3. Differentiating the first accident cause
4. Startup and switching of the safety interlock system
5. Hierarchical safety interlock
6. Manual emergency stop
7. Safety interlock reset
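The functions listed above, as an added example that is not part of the original article: one interlock loop with separate alarm and interlock set points, an interlock delay, first-out (first cause) capture, a manual emergency stop and a latched trip that only a reset clears. Tag names, set points and the scan-count delay are constructed for the illustration.

```python
# Constructed interlock-loop model (not a real logic-solver program).
from dataclasses import dataclass, field

@dataclass
class InterlockPoint:
    tag: str
    alarm_sp: float      # pre-alarm set point: warns the operator only
    trip_sp: float       # interlock set point: acts on the process
    delay_scans: int     # scans the trip condition must persist (interlock delay)
    count: int = 0

    def evaluate(self, value):
        """Return (alarm, trip_demand) for this scan."""
        alarm = value >= self.alarm_sp
        self.count = self.count + 1 if value >= self.trip_sp else 0
        return alarm, self.count >= self.delay_scans

@dataclass
class Interlock:
    points: list
    tripped: bool = False
    first_out: str = None
    alarms: set = field(default_factory=set)

    def scan(self, readings, manual_esd=False):
        """One logic-solver scan; `readings` maps tag -> measured value.
        The trip output latches; the first cause is recorded once and kept."""
        demands = ["MANUAL_ESD"] if manual_esd else []
        for p in self.points:
            alarm, trip = p.evaluate(readings[p.tag])
            (self.alarms.add if alarm else self.alarms.discard)(p.tag)
            if trip:
                demands.append(p.tag)
        if demands and not self.tripped:
            self.tripped = True
            self.first_out = demands[0]
        return self.tripped

    def reset(self, readings):
        """Reset is accepted only when no point is still above its trip set point."""
        if any(readings[p.tag] >= p.trip_sp for p in self.points):
            return False
        for p in self.points:
            p.count = 0
        self.tripped, self.first_out = False, None
        return True
```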
Principle requirements
1. The settings for signal alarms and interlock points, as well as the action set values and adjustment ranges, must comply with the requirements of the production process.
2. Provided that safe production is ensured, a scheme with simple circuitry and fewer components should be preferred.
3. Signal alarms and safety interlock equipment should be installed in places with low vibration, little dust, no corrosive gases, and no electromagnetic interference.
4. Signal alarm and safety interlock systems can be constructed using relay circuits with contacts, or using non-contact types such as transistors, DCS, or PLC.
5. The detection devices and actuators installed on-site in the signal alarm and safety interlock system should meet the explosion-proof and fire prevention requirements of the respective locations.
6. The power supply requirements for the signal alarm system are the same as those for general instruments.
Design Principles
Design principles of sensors
Independence principle
Redundancy criterion
Design principles of final actuating elements
Valve independence principle
Valve redundancy criterion
Electromagnetic valve coordination criterion
Electric motor starter coordination criterion
Design principles of logic units
Logic unit independence principle
Logic unit redundancy criterion
Design principles of communication interfaces
Grading
IEC-61508 classifies the safety levels required for process safety into four grades (SIL1 – SIL4). [1]
ISA-S84.01 classifies the safety integrity levels into three grades (SIL1 – SIL3) based on the probability that the system fails to respond to a safety interlock demand.
Given the actual situation in China, the appropriate safety degree level is generally determined through a qualitative assessment of the likelihood of all events occurring, the severity of their consequences, and the effectiveness of other safety measures:
Grade 1 is used for situations where accidents rarely occur. In case of an accident, it has only a minor impact on the equipment and products, and will not immediately cause environmental pollution or casualties, with relatively small economic losses;
Grade 2 is used for situations where accidents occur occasionally. In case of an accident, it has a significant impact on the equipment and products, and may cause environmental pollution and casualties, with relatively large economic losses.
Grade 3 is used for situations where accidents occur frequently. In case of an accident, it will have a serious impact on the equipment and products, and cause serious environmental pollution and casualties, with extremely large economic losses.
