The Safety Instrumented System (SIS) plays a vital role in providing a protective layer around industrial process systems. Whether called an SIS, emergency or safety shutdown system, or a safety interlock.
The purpose of SIS is to take process to a “safe state” when pre-determined set points have been exceeded or when safe operating conditions have been transgressed. An SIS is comprised of safety functions (see SIF below) with sensors, logic solvers and actuators:
Sensors for signal input and power
Input signal interfacing and processing
Logic solver with power and communications
Output signal processing, interfacing and power
Actuators (valves, switching devices) for final control function
Industrial Safety Instrumented Systems (SIS) always use dedicated transmitters and/or process switches to detect abnormal process conditions. As a general rule, independent sensors should always be used for safety shutdown, and never rely on regulatory control sensors for safety functions.
The modern technique in instrumented safety systems is to use continuous process transmitters instead of discrete process switches.
Here is shown the continuous transmitter used as an alarm and discrete triggering device, where the analog comparators generate discrete “trigger” and “alarm” signals based on the measured value of the liquid in a container.
A transmitter that continuously measures the liquid level will produce an output signal that varies with time with the measured process variable. Therefore, a “healthy” transmitter must exhibit a continuously changing output signal, proportional to the degree of change in the process.
The discrete process switches, in contrast to the transmitters, do not provide any indication of “healthy” operation.
The “trick” to using redundant transmitters is to have the system determine for itself what the process value is in case one or more of the redundant transmitters do not agree with each other.
Voting is the name given to this important function, and often takes the form of signal selection functions:
Multiple selection criteria are typically offered by “voting” modules, including high, low, average,
and median. A “high” select voter would be suitable for applications where the dangerous condition is a large measured value, the voting module selects the highest value transmitter signal in an effort to err on the side of safety.
The median select criteria very useful in safety systems because it effectively ignores any measurements deviating substantially from the others.
Three transmitters filtered through a median selection function effectively provide a safety redundancy of 2oo3, since only one transmitter that registers a value beyond the safety trigger point will be ignored by the voting function.
Two or more transmitters would have to register values beyond the trigger point to initiate a shutdown.