Equipment or asset protection functions also are not SIFs. Every plant has protective functions that protect the plant's equipment and assets. This is primarily a commercial or money issue. If there are no safety aspects to these protective functions, they are not SIFs.
But since there are few to no standards in this area, some people do assign an asset integrity level (AIL) to these protection functions and treat these systems like safety instrumented systems. For example, if high-high level in a knockout drum to a compressor shuts it down to protect it from mechanical damage due to liquids, and there is no anticipated safety issue (such as rupture of the compressor case), then this is not a SIF but rather an equipment protection function. Considering asset protection functions as SIFs generally leads to a large number of SIFs, each of which has to conform to the relevant safety standard. This creates a large burden on the operating company to meet safety standards and regulations for protective functions that are not required to meet the safety standards and regulations.
Environmental protection is a bit more difficult to categorize, as it is not directly life-and-limb protection. Many people currently have a separate class of protection function and assign an environmental integrity level, sometimes called an EIL. While the principles of ANSI/ISA 84.01 are many times applied to environmental protection systems, there is not a specific requirement in 84.01 to do so, nor any specific regulatory requirement to apply 84.01.
This does not, however, necessarily let you off the hook. EPA regulations in CFR 40 part 68, "Risk Management Programs for Chemical Accident Release Prevention," have virtually the same language as OSHA 1910.119, "Process Safety Management," only different end goals. As a result, CFR 40 Part 68 requires recognized and generally accepted good engineering practices to be used to achieve the goal of protection of the environment. As such, the principles and practices of 84.01 may represent a recognized and generally accepted good engineering practice that could be used for environmental protection systems.
Figure 2: SIF vs. SIS
A safety instrumented system (SIS) is a combination of one or more safety instrumented functions (SIFs).
Also, in IEC 61511, Section 1.2 states that "this standard in particular,j. applies when functional safety is achieved using one or more safety instrumented functions for the protection of personnel, protection of the general public or protection of the environment,"
Another example of what is not a SIF is an operational protection function. This type of function is design to keep the plant within predetermined operational boundaries for commercial or operational reasons but not safety.
(Functional Safety and Security- It's Cultural)
One of the keys to successful SIL selection is to correctly identify the safety instrumented functions for a facility. Failure to identify true SIFs leads to less safety, conversely, identifying things as SIFs that are not leads to unnecessary cost, burden, and complexity.
How SIF Fits With SIS and SIL
ANSI/ISA 84.01 does not always make a clear distinction between a SIF (a safety function) and a SIS (see sidebar, "A SIF by Other Names"). IEC 61511 makes a bit clearer distinction but still intermixes some. A SIS is made up of one or more SIFs. The relationship of a SIF to a SIS is illustrated in Figure 2.
By definition, each SIF must have a SIL based on how much risk reduction the SIF must provide to help reduce the risk of a particular hazard to an acceptable level when considered with the rest of the protective layers that reduce the risk of that particular hazard. The SIL is selected based on the risk posed by the hazard the SIF is protecting against. This risk is composed of a consequence (what bad things that can happen) and a pre-safeguard frequency (how often the hazard is expected to occur if no protections--SIS or non-SIS--are provided).
Figure 3: SIF vs. SIL
When a safety instrumented function (SIF) has multiple potential causes, each with its own safety integrity level (SIL) requirement, the highest SIL is generally selected for the entire SIF.
However, while you have a single hazard (and generally a single consequence) associated with a SIF, you can have multiple initiating causes, each with its own frequency of occurrence. For example, overpressure of a vessel due to loss of cooling (with a consequence of vessel rupture and fire/explosion) could be caused by loss of cooling water supply, loss of cooling water pump(s), temperature control loop failure, plugging of tubes, etc. Each of these initiating causes can have a different frequency of occurrence, and thus different risks (consequence x frequency) for the same SIF.
(Leading the Way to Process Safety)
When determining the target SIL of a SIF with multiple initiating cause scenarios, the highest SIL of all the scenarios is normally used (Figure 3). In cases where there are a large number of causes or multiple scenarios with the same or similar SIL (risk), a look at the overall risk may be warranted and may result in a higher SIL for the SIF. Fault tree analysis or other quantitative methods are sometimes used for this purpose.
|Definition of the SIF in the SRS
Standards IEC 61511 and ANSI/ISA 84.01 have specific requirements for defining the safety instrumented function (SIF) for the Safety Requirement Specification (SRS), including:
- A physical and functional description of the SIF.
- A definition of the safe or mitigated state of the process for the SIF.
- A definition of any interaction of the SIF's safe state with other concurrently occurring safe states or events that may create a separate hazard (i.e., overload of emergency storage, multiple relief to flare system, subsequent downstream or upstream tripping, etc.).
- Initiating causes (sources of demand) and frequency of causes (demand rate) of the hazard related to the SIF.
- Identification of the proof testing methods and intervals for off-line and online testing for the system and for individual components if they are not tested as a system.
- Response time (speed) requirements for the SIF to bring the process to a safe state. This includes detection time, decision time, final element action time, transmissions times, and time to bring the system to a safe or mitigated state.
- The safety integrity level (SIL) and mode of operation (demand/continuous) for the SIF.
- Identification of the SIF process measurements, their normal measurement ranges, normal operating ranges, and trip points.
- A description of the SIF process output actions (final element actions) and criteria for successful operation, i.e., tight shut-off, speed.
- The functional relationship between process inputs and outputs, including logic, mathematical functions, conditions, and any required permissives.
- Identification of any common-cause failure modes that affect the SIF.
- Requirements for manual shutdown.
- Requirements for resetting the SIF after a shutdown.
- Trip philosophy: energize-to-trip (ETT) or de-energize-to-trip (DTT).
- Identification of SIF failure modes and desired response of the SIF to them (e.g., alarms, automatic shut-down).
- Any specific requirements related to the procedures for starting up and restarting the SIF as well as for maintaining the SIF.
- Definition of all the interfaces between the SIF and any other systems (including the basic process control system and operators).
- A description of the modes of operation (normal and abnormal) of the plant that affect the SIF and the its response or operational mode for these modes of operations (startup, reduced rates, high rates, shutdown, different product grades, known upsets, etc.).
- Application software safety requirements pertinent to the SIF.
- Requirements for maintenance, testing, or operational overrides/inhibits/bypasses, including how they will be initiated, how they will be monitored while in place, and how they are cleared.
- Identification of any action necessary to achieve or maintain a safe state in the event of fault(s) being detected in the SIF. Any such action shall be determined taking account of all relevant human factors, procedures, training, etc.
- The mean-time-to-repair (or restoration) that is feasible for the SIF, taking into account the in-house maintenance capabilities, procedures and practices, spare part availability, etc. If the required maintenance is out of house then capability, travel time, location, spares holding location, service contracts, environmental constraints, etc., must be considered.
- Maximum allowable spurious trip rate. This should also consider whether there are any safety issues to spurious trips such as the potential hazards involved in restarting the SIF.
- For SIFs that have multiple final elements affecting different process functions (different equipment, valves that isolate or vent different process streams, etc.), identify any possible dangerous combinations of output states (where not all the final elements operate properly) that need to be avoided.
- Identify the extremes of all environment and abuse conditions likely to be encountered by the SIF. This may require consideration of temperature, humidity, contaminants, grounding, electromagnetic interference/radio frequency interference (EMI/RFI), shock/vibration, electrostatic discharge, electrical area classification, flooding, lightning, human factors, and other related factors.
- Definition of the requirements for the SIF necessary to survive a major accident event, i.e., time required for a valve to remain operational during a fire.