The term "safety instrumented function" or SIF is becoming common in the world of safety instrumented systems (SISs). It is one of the increasing number of S-words--SIS, SIL, SRS, SLC, etc.--that are coming into our safety system terminology.
The definition of a SIF as provided in IEC standard 61511, "Functional safety: Safety Instrumented Systems for the process industry sector," leaves a bit to be desired as a practical definition, and the application of the term leaves many people confused.
IEC standard 61511 defines a safety instrumented function as a "safety function with a specified safety integrity level which is necessary to achieve functional safety. A safety instrumented function can be either a safety instrumented protection function or a safety instrumented control function."
A safety function is further defined in 61511 as a "function to be implemented by a SIS, other technology safety-related system, or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event." The standard 61511, however, uses the terms SIS and SIF somewhat interchangeably in places.
From this definition we can also see that there are two types of safety instrumented functions. The first is a safety instrumented protection function, which is a safety instrumented function operating in the demand mode. The second is a safety instrumented control function, which is a safety instrumented function operating in the continuous mode.
Figure 1: The Critical Link
A safety instrumented function (SIF) detects a specific hazard and brings the process to a safe state.
Let us look at some other definitions of SIF that may make things a bit clearer. In their book, Safety Integrity Level Selection, Systematic Methods Including Layer of Protection Analysis, Ed Marszal, PE, and Eric Scharpf describe it as, "a function that is a single set of actions that protects against a single specific hazard. The term SIF often refers to the equipment that carries out the single set of actions in response to the single hazard, as well as to the particular set of actions itself."
From these sources we might define the SIF as an identified safety function that provides a defined level of risk reduction or safety integrity level (SIL) for a specific hazard by automatic action using instrumentation. A SIF is made up of sensors, logic solver, and final elements that act in concert to detect a hazard and bring the process to a safe state.
Another view of a SIF is that of an instrument safety loop that performs a safety function which provides a defined level of protection (SIL) against a specific hazard by automatic means and which brings the process to a safe state.
What a SIF Is
Both of these definitions capture the key properties of a SIF, as illustrated in Figure 1. Its basic properties are outlined in Table I. Some examples of SIFs are:
- High pressure in a vessel opens a vent valve: The specific hazard is overpressure of the vessel. The high pressure is detected by a pressure-sensing instrument, and logic (PLC, relay, hardwired, etc.) opens a vent valve, bringing the system to a safe state.
- High temperature in a furnace that can cause tube rupture shuts off firing to furnace: The specific hazard is tube rupture. Instrumentation automatically causes a main fuel trip that removes the heat, bringing the system to a safe state.
- Flame-out in an incinerator that can lead to a release of toxic gas causes process gas feed to be shut off: The specific hazard is a flame-out. The automatic instrument protective action is to close process gas feed to the incinerator, which stops any toxic gas release, bringing the system to a safe state.
- Flame-out in an incinerator that could cause fuel gas accumulation and explosion causes a main fuel gas trip: The specific hazard is a flame-out. The automatic instrument protection action is a main fuel gas trip, which cuts off the fuel and prevents fuel gas accumulation, bringing the system to a safe state.
What a SIF Is Not
There are functions that may seem like a SIF or part of a SIF, but are not. A SIF is normally associated with life-and-limb protection. If you have identified an instrumented protection function and the consequence of the hazard could be killing or injuring, the function is a potential SIF (pending SIL analysis--there may be adequate layers of protection so that identification of the protective function as a SIF is not required).
However, when a SIF operates, there may be related actions that occur at the same time that place portions of the process in desirable operating states to minimize startup time, loss of inventory, process equipment problems, etc. Operating companies sometimes fall into the trap of considering these related actions as part of the SIF. Considering related actions that are operational complicates the SIF and can increase the difficulty of achieving the target SIL. This can lead to increased and unnecessary cost, burden, and complexity.
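The effect of folding operational actions into a SIF can be put in numbers. The following is an added example, not from the original article: it uses the common simplified single-channel estimate PFDavg ≈ λDU × TI / 2 and the demand-mode SIL bands of IEC 61508/61511, and the device names, failure rates and the two operational actions are constructed for illustration.

```python
# Added illustration: device names and failure rates are constructed, not from the article.
HOURS_PER_YEAR = 8760

# Demand-mode bands for average probability of failure on demand (IEC 61508/61511).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def pfd_avg(lambda_du_per_hr, test_interval_yr):
    """Simplified single-channel estimate: PFDavg ~= lambda_DU * TI / 2."""
    return lambda_du_per_hr * test_interval_yr * HOURS_PER_YEAR / 2

def sif_pfd(devices, test_interval_yr=1.0):
    """Every listed device must work for the SIF to succeed, so (small) PFDs add."""
    return sum(pfd_avg(rate, test_interval_yr) for rate in devices.values())

def achieved_sil(pfd):
    """Map a PFDavg to its SIL band; 0 means the loop does not reach SIL 1."""
    if pfd < 1e-5:
        return 4  # better than the SIL 4 band; SIL 4 is the highest level defined
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0

# Furnace high-temperature SIF scoped to the hazard only (tube rupture):
# sensor -> logic solver -> main fuel trip. Rates are dangerous undetected failures/hour.
CORE_SIF = {
    "temperature transmitter": 6e-7,
    "logic solver": 1e-7,
    "main fuel trip valve": 1.2e-6,
}

# Hypothetical operational actions taken on the same trip (inventory, restart time).
RELATED_ACTIONS = {
    "feed hold valve": 1.2e-6,
    "recycle pump stop relay": 5e-7,
}

def compare(target_sil=2):
    """Return (pfd, sil, meets_target) for the scoped SIF and the bloated one."""
    results = {}
    for name, devices in (("scoped", CORE_SIF),
                          ("with related actions", {**CORE_SIF, **RELATED_ACTIONS})):
        pfd = sif_pfd(devices)
        sil = achieved_sil(pfd)
        results[name] = (pfd, sil, sil >= target_sil)
    return results

if __name__ == "__main__":
    for name, (pfd, sil, ok) in compare().items():
        print(f"{name}: PFDavg={pfd:.2e} SIL {sil} target met: {ok}")
```

With these constructed numbers and a one-year proof test interval, the scoped loop lands in the SIL 2 band (PFDavg about 8.3e-3), while counting the two operational actions as part of the SIF raises PFDavg to about 1.6e-2, which is only SIL 1.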