Demystifying Functional Safety: SIS, SIL, and MooN Explained

Uncover the basics of SIS, SIL, and MooN.
Functional Safety - thumbnail
Listen to this article

In this article, we will explore the concepts commonly included within the domain of Functional Safety.

First of all, here are a few confusing acronyms for you… SIS, SIL, and MooN…

Stick around because we will attempt to address each term and discuss how they are related, or interact with each other.

What is Functional Safety?

The International Electrotechnical Commission (IEC), defines functional safety as identifying potential dangers and activating protective measures to prevent or reduce the impact of hazardous events.

It seems logical then that the goals of functional safety are to ensure a system or equipment is operating appropriately and actively prevent the failure of a system from causing harm to people and property.

All regulatory process control systems are designed and installed with safety in mind.

Even so, the risk of injury, fire, explosion, and other catastrophes is not at a tolerable level.

Deploying a functional safety system allows for an automated, safe shutdown of processing units in instances of unusually risky or potentially catastrophic situations that exceed the capabilities of the automatic process control system or trained operators to rectify.

Safety Instrumented System (SIS)

Adding another layer of protection called the Safety Instrumented System, or SIS, moves us closer to achieving the desired functional safety condition.

Ok… so let's be clear… the SIS is one Protection Layer in a multi-layered safety approach, as no single safety measure alone can eliminate risk.

The regulatory process control system and the SIS are separate.

The process control system operates the equipment or process and maintains it within safe parameters and is considered the first layer of protection.

The SIS provides another layer of protection by monitoring the equipment or process. If an unacceptable condition or risk of an unsafe condition occurs, it reacts by shutting down the equipment or process.

The Safety Instrumented System consists of a distinct set of devices operating independently from the process control system.

A Safety Instrumented System consists of sensors, logic solvers, and final control elements with the sole aim of ensuring the process enters a safe state upon encountering specific conditions.

The logic solver is often a Safety PLC manufactured by vendors such as Allen Bradley, Omron, or Schneider.

Safety Integrity Level (SIL)

Okay… let's move on to the term SIL, or Safety Integrity Level.

In functional safety, SIL is a measure of the probability of failure on demand (or PFD) for a Safety Instrumented System. PFD is the probability that a device or logic solver will fail causing the SIS not to respond when demanded.

So… now we're talking about the possibility that the SIS devices will fail when called into action.

There are four discrete SIL integrity levels. The higher the SIL level, the lower the PFD for the safety system.

Ok… is it true that the individual devices of an SIS have their own SIL integrity level ratings? That's a hard no.

A SIL integrity level applies to an entire system. Individual devices or components do not have SIL ratings.

To be clear, there is no such thing as a SIL-rated device. You can't buy SIL-rated temperature transmitters. You can buy a transmitter suitable for use in a SIL environment.

So, what is meant by a Temperature Transmitter with a specification that states SIL certification up to SIL2 according to IEC 61508:2010.

The International Electrotechnical Commission IEC 61508:2010 standard classifies the safety functions into four discrete SIL integrity levels.

Alright, so how are the SIL environment requirements determined? In a nutshell, each hazard is assigned to a target SIL. The determination process involves Hazard Analysis and Risk Assessment to bring the overall risk to an acceptable level.

Not every company uses the same determination process. There's the Layer of Protection Analysis (LOPA) method whereby all known process hazards and layers of protection are carefully examined.

Some companies use an Assignment Matrix to assign a SIL based on a qualitative ranking of the event likelihood, event consequences, and the availability of regulatory process control safeguards already in place.

We talked earlier about the sensors, logic solvers, and final control elements in the SIS. Let's get back to that temperature transmitter with the SIL certification up to SIL2 and see how it fits into an SIS.

As we all know, hardware devices and instruments have been known to fail or give false positives. If an SIS device or an instrument fails when called upon to act, the result could be catastrophic. A higher level of confidence would be a good thing.

MooN system

Let's go to the MooN system concept… Not the actual MooN in the sky, but the M out of N system.

The MooN system introduces a collective decision-making framework. It is defined as a system with N units (components, channels, etc.), in which M out of N units are sufficient to initiate an action.

There are a required minimum of M units to vote in agreement to command the execution of the safety action.

We could produce an entire article on the MooN system but our intent is to give you a brief introduction.

Let's look at an example of a SIL2 1oo2 configuration that stands for Safety Integrity Level 2 with a configuration of 1 out of 2 voting.

Every device and instrument must be rated to function at a SIL2 integrity level.

Keep in mind that this is the SIS and there is a regulatory control system doing its thing not shown here.

In our example, we have two Safety Temperature Transmitters. It is enough for one channel to exceed the trip setpoint for the Safety Instrumented System to trigger action on the final element.

Summary

Understanding SIS, SIL, and MooN systems is crucial for ensuring functional safety in various industries.

This article has provided introductory insights into the layers of protection, integrity levels, and collective decision-making frameworks involved.

We've just barely scratched the surface of Functional Safety. Keep exploring and learning to enhance safety protocols and mitigate risks effectively.

If you would like to learn more about Temperature Transmitters, then we suggest you check out our course Temperature Transmitters: Calibration, Principles & Industry Applications.

This course was developed in partnership with Endress + Hauser. At the end of the course, you will receive a certificate of completion from Endress + Hauser.

Do you want to train your team members? RealPars offers team memberships for organizations, empowering them with an online learning platform. Check out this link for more information.

Join the Top 1% of Automation Engineers

Start Your 7-day Free Trial

Learn from Industry Experts

Start your learning journey today!
With a 7-day trial, then 25/month
Start Learning For Free