Equipment or asset protection functions also are not SIFs. Every plant has protective functions that protect its equipment and assets; these are primarily a commercial matter. If a protective function has no safety aspect, it is not a SIF.
But because there are few or no standards in this area, some people do assign an asset integrity level (AIL) to these protection functions and treat the systems like safety instrumented systems. For example, if a high-high level in a compressor knockout drum shuts the compressor down to protect it from mechanical damage due to liquid carryover, and no safety issue (such as rupture of the compressor case) is anticipated, this is an equipment protection function, not a SIF. Treating asset protection functions as SIFs generally produces a large number of SIFs, each of which must conform to the relevant safety standard. This places a large burden on the operating company to meet safety standards and regulations for protective functions that are not required to meet them.
Environmental protection is harder to categorize, since it is not directly life-and-limb protection. Many people currently put it in a separate class of protection function and assign an environmental integrity level, sometimes called an EIL. While the principles of ANSI/ISA 84.01 are often applied to environmental protection systems, 84.01 does not specifically require this, nor does any regulation specifically require 84.01 to be applied.
This does not, however, necessarily let you off the hook. EPA regulations in 40 CFR Part 68, "Risk Management Programs for Chemical Accident Release Prevention," use virtually the same language as OSHA 1910.119, "Process Safety Management," with a different end goal. As a result, 40 CFR Part 68 requires recognized and generally accepted good engineering practices to be used to achieve its goal of protecting the environment. The principles and practices of 84.01 may therefore represent a recognized and generally accepted good engineering practice that could be applied to environmental protection systems.
IEC 61511 is more explicit. Section 1.2 states that the standard, in particular, "j) applies when functional safety is achieved using one or more safety instrumented functions for the protection of personnel, protection of the general public or protection of the environment."
Another example of what is not a SIF is an operational protection function. This type of function is designed to keep the plant within predetermined operational boundaries for commercial or operational reasons, not for safety.
Figure 2: SIF vs. SIS
A safety instrumented system (SIS) is a combination of one or more safety instrumented functions (SIFs).
One of the keys to successful SIL selection is correctly identifying the safety instrumented functions for a facility. Failing to identify true SIFs leads to less safety; conversely, classifying functions as SIFs when they are not leads to unnecessary cost, burden, and complexity.
How SIF Fits With SIS and SIL
ANSI/ISA 84.01 does not always draw a clear distinction between a SIF (a safety function) and a SIS (see sidebar, "A SIF by Other Names"). IEC 61511 draws a somewhat clearer distinction but still intermixes the two in places. A SIS is made up of one or more SIFs. The relationship of a SIF to a SIS is illustrated in Figure 2.
By definition, each SIF must have a SIL based on how much risk reduction the SIF must provide to reduce the risk of a particular hazard to an acceptable level, taking into account the other protective layers that reduce the risk of that hazard. The SIL is selected based on the risk posed by the hazard the SIF protects against. This risk is composed of a consequence (what bad things can happen) and a pre-safeguard frequency (how often the hazard is expected to occur if no protections, SIS or non-SIS, are provided).
Figure 3: SIF vs. SIL
When a safety instrumented function (SIF) has multiple potential causes, each with its own safety integrity level (SIL) requirement, the highest SIL is generally selected for the entire SIF.
However, while you have a single hazard (and generally a single consequence) associated with a SIF, you can have multiple initiating causes, each with its own frequency of occurrence. For example, overpressure of a vessel due to loss of cooling (with a consequence of vessel rupture and fire/explosion) could be caused by loss of cooling water supply, loss of cooling water pump(s), temperature control loop failure, plugging of tubes, etc. Each of these initiating causes can have a different frequency of occurrence, and thus different risks (consequence x frequency) for the same SIF.
When determining the target SIL of a SIF with multiple initiating cause scenarios, the highest SIL of all the scenarios is normally used (Figure 3). In cases where there are a large number of causes or multiple scenarios with the same or similar SIL (risk), a look at the overall risk may be warranted and may result in a higher SIL for the SIF. Fault tree analysis or other quantitative methods are sometimes used for this purpose.
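The following is an added worked example, not part of the original article or its author's method. It carries the multiple-cause overpressure scenario above through to a target SIL using LOPA-style arithmetic: each cause's pre-safeguard frequency is multiplied by the PFDavg of the non-SIS layers credited for that cause, and the SIF must close the remaining gap to a tolerable frequency for the consequence. The SIL bands are the IEC 61511 low-demand PFDavg bands (SIL 1: 1e-2 to 1e-1, SIL 2: 1e-3 to 1e-2, SIL 3: 1e-4 to 1e-3, SIL 4: 1e-5 to 1e-4). The initiating frequencies, layer PFDs and tolerable frequency are constructed, as are the class and function names; the "overall risk" check sums the cause frequencies, which is what an OR gate in a fault tree gives for independent, rare causes.

```python
"""Target SIL selection for one SIF that has several initiating causes.

Added example, not the article's own method. It uses LOPA-style arithmetic:
for each cause, the initiating frequency is multiplied by the PFDavg of the
non-SIS protection layers credited for that cause, and the SIF must close the
gap to the tolerable frequency of the consequence. All numbers are constructed.
"""
from dataclasses import dataclass
from math import prod

# IEC 61511 low-demand bands: lower PFDavg bound of each SIL.
# A required PFDavg of 0.1 or worse means no SIL is needed (reported as 0).
SIL_BANDS = ((1e-2, 1), (1e-3, 2), (1e-4, 3), (1e-5, 4))


def sil_for_required_pfd(required_pfd: float) -> int:
    """Smallest SIL whose PFDavg band meets the required PFDavg."""
    if required_pfd >= 1e-1:
        return 0
    for lower_bound, sil in SIL_BANDS:
        if required_pfd >= lower_bound:
            return sil
    raise ValueError(
        f"required PFDavg {required_pfd:.1e} is beyond SIL 4; redesign the process")


@dataclass
class Cause:
    """One initiating cause of the hazard the SIF protects against (constructed)."""
    name: str
    initiating_frequency: float          # events per year, with no safeguards
    other_ipl_pfds: tuple = ()           # PFDavg of credited non-SIS layers

    def frequency_without_sif(self) -> float:
        """Hazard frequency if only the non-SIS layers act (prod(()) == 1)."""
        return self.initiating_frequency * prod(self.other_ipl_pfds)


def select_target_sil(causes, tolerable_frequency):
    """Per-cause SILs, the highest of them, and the SIL for the summed risk."""
    per_cause = {}
    for cause in causes:
        required_pfd = tolerable_frequency / cause.frequency_without_sif()
        per_cause[cause.name] = sil_for_required_pfd(required_pfd)

    # Overall risk: every cause leads to the same consequence, so for
    # independent, rare events their frequencies add (a fault-tree OR gate).
    total = sum(c.frequency_without_sif() for c in causes)
    overall_required_pfd = tolerable_frequency / total
    return {
        "per_cause": per_cause,
        "highest_single_cause_sil": max(per_cause.values()),
        "overall_required_pfd": overall_required_pfd,
        "overall_sil": sil_for_required_pfd(overall_required_pfd),
    }


# Constructed scenario from the text: vessel overpressure on loss of cooling,
# consequence = vessel rupture and fire/explosion. A relief valve (PFDavg 0.01)
# is credited against every cause; a high-temperature alarm with operator
# response (PFDavg 0.1) is credited except where it depends on the failed loop.
RELIEF_VALVE, ALARM_AND_OPERATOR = 0.01, 0.1
OVERPRESSURE_CAUSES = (
    Cause("loss of cooling water supply", 0.5, (RELIEF_VALVE, ALARM_AND_OPERATOR)),
    Cause("cooling water pump failure", 0.5, (RELIEF_VALVE, ALARM_AND_OPERATOR)),
    Cause("temperature control loop failure", 0.05, (RELIEF_VALVE,)),
    Cause("tube plugging", 0.02, (RELIEF_VALVE, ALARM_AND_OPERATOR)),
)
TOLERABLE_FREQUENCY = 1e-5  # per year for a rupture/fire event (constructed)

if __name__ == "__main__":
    result = select_target_sil(OVERPRESSURE_CAUSES, TOLERABLE_FREQUENCY)
    for name, sil in result["per_cause"].items():
        print(f"{name:35s} SIL {sil}")
    print("highest single-cause SIL:", result["highest_single_cause_sil"])
    print("SIL for summed risk:     ", result["overall_sil"])
```

With these constructed numbers each of the three significant causes needs SIL 1 on its own and tube plugging needs no SIF at all, so the "highest SIL of all scenarios" rule gives SIL 1; summing the three similar scenarios, as the paragraph above suggests when several causes carry the same SIL, pushes the required PFDavg below 1e-2 and the SIF to SIL 2. The summation is only valid when the causes are independent; a shared utility failure that triggers several of them at once needs a proper fault tree rather than a plain sum.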