A SIS is a set of devices and software that perform one or more Safety Instrumented Functions (SIFs). Each SIF has a stated Safety Integrity Level (SIL) that is related to the probability that the SIF will NOT work when challenged (when needed).

In order to begin this assessment, one must understand the rules of a SIS and how Independent Protection Layers (IPLs), SIFs and SILs are all related. For example, to be considered an IPL (SIFs included), a protection layer must satisfy several rules, some of which include: each protection layer must be truly independent of the others (i.e., no failure can deactivate two or more protection layers); the IPL must be specifically designed to prevent or mitigate the consequences of a potentially hazardous event; the IPL must be dependable (must have the stated reliability); the IPL must be validated periodically and the validation system must be audited. A probability of failure on demand (PFD) of each IPL (including SIFs) must also be identified. One of the biggest challenges a PHA or design team faces is determining when a SIF is the appropriate choice for reducing the risk and then determining the appropriate target SIL for an identified SIF.



The True Boundary for an IPL includes all associated connections, isolations, and bypasses. Note how the traditional SIL Verification calculation boundary is much different than the true IPL boundary.











PII can help with all aspects of SIS implementation, including:

  • SIF/SIL Determination – This is deciding (1) if a SIF is needed and if so (2) what should be the SIL of the SIF. SIF/SIL determination should be (and at PII normally is) performed within a PHA/HAZOP. Accident scenarios are identified, the team decides what can go wrong and how, existing IPLs are identified, and the risk levels associated with the existing IPLs are judged against acceptable levels. If the existing IPLs are deemed insufficient to keep the risk at acceptable levels, the PHA/HAZOP recommends a new IPL, which may be a new or improved SIF and SIL. (Note that about 1% to 5% of the time, a HAZOP team does not fully understand an accident scenario; in such cases, further analysis may be needed. The best method for this further analysis is LOPA. Staff at PII invented LOPA in the mid-1990s and wrote the textbooks on the topic.) PII can perform the SIF/SIL determination at various levels, including:
    1. During PHAs/HAZOPs using a qualitative approach to determine IPLs (while still gaining most of the benefit of the quantitative approach of LOPA)
    2. As a stand-alone task outside of PHA/HAZOP setting using a qualitative approach
    3. As a stand-alone task outside of PHA/HAZOP using the quantitative technique of a LOPA (see separate tab under “Consulting Services” offered for LOPA)
    4. Coach your staff to do 1, 2 or 3
  • SIF Specification – This usually involves process engineers (including engineers at PII), who at the request of the HAZOP team (or perhaps LOPA analyst), design the SIS to provide the SIF with the requested SIL. This also means making sure the proper sequence of functions is considered in the design and the interaction with the DCS (BPCS) is accounted for. The final result is called the Safety Requirements Specification (SRS).
  • SIF Design – PII provides this service as well, by designing the basic architecture to meet the SRS and provide the required SIL. Of course, your own internal instrumentation specialist and perhaps instrumentation engineers will do this step or will work with PII to select the desired components from your approved vendors.
  • SIL Verification – PII can do this at the request of the owner company (or contracted engineering firm) to make sure the SIF design will provide the SIL needed, without causing harm due to spurious trips. This requires a fault tree analysis (FTA) or Markov analysis to complete a quantitative frequency analysis of the design. Most folks use proprietary software to perform this step and to produce the final SRS as well. PII uses the most popular software for this task (see list below), and augments it as necessary to ensure that the probability of human errors, such as leaving root valves closed or leaving the SIF in bypass, is accounted for; this is something that NO OTHER SIS vendor does!
  • SIS Installation – The vendor, equipment contractor, or the owner technicians normally do this.
  • SIS Functional Checks – The owner process technicians normally do this in the field as part of operational readiness checks or pre-startup safety reviews (PSSRs). PII can help to ensure the appropriate inspection, test, and preventative maintenance system is in place for each SIF.

Software: PII staff utilize the following software for SIF design, SIL Verification, and development and documentation of the SRS:

  • exSILentia (from exida)
  • SIL-Solver (from SIS-Tech)
  • Hand calculations (to provide a rough design; or to account for specific human errors, which are not addressed in the commercial software yet).
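The effect of adding specific human errors to a SIL Verification hand calculation can be sketched as follows. This is an added example, not PII's method or code: every probability is a constructed value, the SIL bands are the low-demand average-PFD ranges from IEC 61508/61511, and treating each human error as an independent element in series with the hardware is an assumption of the sketch.

```python
# Low-demand SIL bands as average PFD ranges (IEC 61508 / IEC 61511).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def sil_from_pfd(pfd):
    """Return the SIL band containing pfd (0 = worse than SIL 1, capped at 4)."""
    if pfd < SIL_BANDS[4][0]:
        return 4
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0


def series_pfd(pfds):
    """PFD of independent elements in series: any single failure defeats the SIF."""
    works = 1.0
    for p in pfds:
        works *= 1.0 - p
    return 1.0 - works


def verify(hardware, human):
    """Compare the hardware-only result with the result including human errors."""
    hw = series_pfd(hardware.values())
    total = series_pfd(list(hardware.values()) + list(human.values()))
    return {"hw_pfd": hw, "hw_sil": sil_from_pfd(hw),
            "total_pfd": total, "total_sil": sil_from_pfd(total),
            "human_share": (total - hw) / total}


def human_error_budget(hw_pfd, target_sil):
    """Largest combined human-error probability that still keeps target_sil."""
    upper = SIL_BANDS[target_sil][1]
    return max(0.0, 1.0 - (1.0 - upper) / (1.0 - hw_pfd))


# Constructed inputs for illustration only (not taken from the page).
HARDWARE = {"sensors_2oo3": 2e-4, "logic_solver": 5e-5, "final_elements_1oo2": 4e-4}
HUMAN = {"root_valve_left_closed": 1e-3, "sif_left_in_bypass": 2e-3}

if __name__ == "__main__":
    result = verify(HARDWARE, HUMAN)
    print(result)
    print("human-error budget for SIL 3:", human_error_budget(result["hw_pfd"], 3))
```

With these constructed inputs the hardware-only calculation lands in the SIL 3 band, while the same SIF with the two human errors included lands in SIL 2, with human error contributing most of the total PFD.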

Typical configuration of a SIL1 SIF


Typical configuration of a SIL2 SIF






Typical configuration of a SIL3 SIF

PII also offers the following courses related to LOPA, SIS, SIL and SIF (see courses 11 and 12 under the “Training” tab or click on the individual links below):

In addition, feel free to download papers written by PII staff related to LOPA, SIS, SIF & SIL under the “Free Resources” tab (or click the individual links below):

Why Choose PII?

  • PII staff understand how to account for specific human errors which can dominate the failure rate for SIL 2 and SIL 3 systems. No other company does this. We wrote the definitive papers and book chapters on this topic, which is NOT addressed in the existing SIS standards (and common software) except for a general statement that says the implementing company must address all human errors. If doing so was that easy, why do we need SIFs? PII explicitly accounts for such human errors and our designs provide means for controlling such errors.
  • PII Conducts Meetings with Speed & Efficiency. Because of our vast experience in performing thousands of PHAs/HAZOPs and LOPAs in real plant settings, we can lead meetings faster than anyone else, while maintaining quality/thoroughness. This saves cost for you and your projects.
  • Our expertise ensures efficient, thorough, and cost-effective completion of each of the SIS steps listed above.

PII Credentials

  • The staff at PII pioneered the LOPA methodology as part of the industry effort to develop and implement the SIS standards (ISA S84.01 in 1996 and then IEC 61508/61511 in 2000).
  • Our staff co-invented LOPA and were primary authors of the first two textbooks on LOPA (through AIChE/CCPS):
    • Guidelines for Initiating Events and Independent Protection Layers, CCPS/AIChE, 2015 (Mr. Bridges was the main author; this is an essential supplement to the original LOPA book, which was co-authored by Mr. Bridges and Mr. Art Dowell [also of PII])
    • Layer of Protection Analysis (LOPA), CCPS/AIChE, 2001 (Mr. Dowell and Mr. Bridges were the two primary authors; this is the definitive text on semi-quantitative risk assessment)
    • Guidelines for Enabling Events and Conditional Modifiers, CCPS/AIChE, 2013 (Mr. Bridges is a committee member; this will be an essential supplement to the original LOPA book, which was co-authored by Mr. Bridges)
  • We pushed the SIS standards committee (ANSI/ISA committee) to fix the requirements of SIL Verification to include consideration of specific human errors. But we failed due to industry pressure against “raising the bar”. Nonetheless, we do the calculations right at PII, and then let the client decide if they want to account for and control such human errors.
  • Our staff were co-authors of the textbooks on how to properly lead and document HAZOPs (through AIChE/CCPS)
    • Guidelines for Hazard Evaluation Procedures, 2nd edition (1992) and 3rd edition (2008) (AIChE/CCPS)