Safety Instrumented Function and Safety Instrumented System

Safety Instrumented Function

A Safety Instrumented Function, or SIF, is one or more components designed to execute a specific safety-related task in the event of a specific dangerous condition. The over-temperature shutdown switch inside a clothes dryer or an electric water heater is a simple, domestic example of an SIF, shutting off the source of energy to the appliance in the event of a detected over-temperature condition.
Safety Instrumented Functions are alternatively referred to as Instrument Protective Functions, or IPFs.
The safety instrumented function is a control loop in a process or machine whose objective is safety. SIF is its acronym in English. In the following image we see the most common simplified representation of the SIF.

The integrity and performance of the safety instrumented function depend on a large number of factors, and are measured by the so-called “Safety Integrity Level” (SIL), which is covered by various international standards such as IEC-61508 (for all industries), IEC-61511 (for the process industry), IEC-62061 (for machinery safety), IEC-61513 (for the nuclear industry) or ISA-84.

Sensors

It is very important to consider everything around the sensor that it needs in order to work properly, such as an adequate connection to the process, the correct measurement technology for each case, and other aspects of the design such as wiring and the interface components with the safety PLC.

Logic solver

The logic solver can be a PLC, a relay system or an electronic system in general (programmable or not), but it must meet a series of requirements to be used in a safety instrumented function. In this article we talk, for example, about the safety PLC. The design should take into account both hardware and software or firmware, as well as external factors such as cybersecurity.

Final elements

In the safety instrumented function the final elements are usually the weakest link in the chain, for different reasons (they are mechanical elements in direct contact with the process). It is very important to select the construction materials and all the components carefully, and to execute the mounting on site correctly.

Other elements

There are many other elements and external factors that greatly influence the performance and integrity of the safety instrumented function, such as external temperature, vibrations, electromagnetic interference, dust in suspension (especially if it is corrosive), power supplies, operation and maintenance tasks, etc. All these factors fall into the category that we call common cause failures, and they must be analyzed in detail in order to minimize their impact on the performance of the SIF, i.e., to avoid the degradation of the required SIL level.

Why do we need Safety Functions?

A Safety Function is a mechanism to ensure safety in case of a hazardous event. Hence one can think of the rupture disk on a pressure cooker as a simple example of a safety function. In case the cooker gets overpressurized due to excess steam, the rupture disk (also known as a burst disk) will break and release the pent-up steam, thereby preventing the cooker itself from exploding and causing damage to the kitchen (as well as perhaps injury to the cook). While these devices are pretty reliable and work well, in automated plants we need them to be implemented via instrumentation and automation systems.

Safety Instrumented System

A Safety Instrumented System (SIS) is a collection of SIFs designed to bring an industrial process to a safe condition in the event of any dangerous detected conditions.
Also known as Emergency Shutdown (ESD) or Protective Instrument Systems (PIS), these systems serve as an additional “layer” of protection against process equipment damage, adverse environmental impact, and/or human injury beyond the protection normally offered by a properly operating regulatory control system.
Like all automatic control systems, a Safety Instrumented System consists of three basic sections:
  • Sensor(s) to detect a dangerous condition
  • Controller to decide when to shut down the process
  • Final control element(s) to actually perform the shutdown action necessary to bring the process to a safe condition.

Sensors

Sensors may consist of process switches and/or transmitters separate from the regulatory control system.

Controller

The controller for a Safety Instrumented System is usually called a logic solver, and is also separate from the regular control system.

Final control elements

Final control elements for a Safety Instrumented System may be special on/off valves (often called “chopper” valves) or override solenoids used to force the normal control valve into a shutdown state.
Some industries, such as chemical processing and nuclear power, have extensively employed safety instrumented systems for many decades.
Likewise, automatic shutdown controls have been standard on steam boilers and combustion furnaces for years. The increasing capability of modern instrumentation, coupled with the realization of the enormous costs (both social and fiscal) resulting from industrial disasters, has pushed safety instrumentation to new levels of sophistication and new breadths of application. It is the purpose of this section to explore some common safety instrumented system concepts as well as some specific industrial applications.
One of the challenges inherent to safety instrumented system design is to balance the goal of maximum safety against the goal of maximum economy. If an industrial manufacturing facility is equipped with enough sensors and layered safety shutdown systems to virtually ensure no unsafe condition will ever prevail, that same facility will be plagued by “false alarm” and “spurious trip” events (Many synonyms exist to describe the action of a safety system needlessly shutting down a process. The term “nuisance trip” is often (aptly) used to describe such events. Another (more charitable) label is “fail-to-safe,” meaning the failure brings the process to a safe condition, as opposed to a dangerous condition) where the safety systems malfunction in a manner detrimental to the profitable operation of the facility. In other words, a process system designed with an emphasis on automatic shut-down will probably shut down more frequently than it actually needs to.
While the avoidance of unsafe process conditions is obviously a noble goal, it cannot come at the expense of economically practical operation, or else there will be no reason for the facility to exist at all (Of course, there do exist industrial facilities operating at a financial loss for the greater public benefit (e.g. certain waste processing operations), but these are the exception rather than the rule. It is obviously the point of a business to turn a profit, and so the vast majority of industries simply cannot sustain a philosophy of safety at any cost. One could argue that a “paranoid” safety system even at a waste processing plant is unsustainable, because too many “false trips” result in inefficient processing of the waste, posing a greater public health threat the longer it remains unprocessed.).
A safety system must fulfill its intended protective function, but not at the expense of compromising the intended purpose of the facility.
This tension is understood well within the electric power generation and distribution industries. Faults in high-voltage electrical lines can be very dangerous, as well as destructive to electrical equipment. For this reason, special protective devices are placed within power systems to monitor conditions and halt the flow of electricity if those conditions become threatening. However, the very presence of these devices means it is possible for power to accidentally shut off, causing unnecessary power outages for customers. In the electrical industry, the word “dependability” refers to the probability that the protective systems will cut power when required. By contrast, the word “security” is used in the electrical industry to refer to the avoidance of unnecessary outages. We will apply these terms to general process systems. To illustrate the tension between dependability and security in a fluid process system, we may analyze a double-block shutoff valve system (As drawn, these valves happen to be ball-design, the first actuated by an electric motor and the second actuated by a pneumatic piston.) for a petroleum pipeline.
As is often the case with redundant instruments, an effort is made to diversify the technology applied to the redundant elements in order to minimize the probability of common-cause failures. If both block valves were electrically actuated, a failure of the electric power supply would disable both valves. If both block valves were pneumatically actuated, a failure of the compressed air supply would disable both valves. The use of one electric valve and one pneumatic valve grants greater independence of operation to the double-block valve system.
The safety function of these block valves is, of course, to shut off flow from the petroleum source to the distribution pipeline in the event that the pipeline suffers a leak or rupture. Having two block valves in “series” adds an additional layer of safety, in that only one of the block valves need shut to fulfill the safety (dependability) function. Note the use of two different valve actuator technologies: one electric (motor) and the other a piston (either pneumatic or hydraulically actuated). This diversity of actuator technologies helps avoid common-cause failures, helping to ensure both valves will not simultaneously fail due to a single cause.
However, the typical operation of the pipeline demands both block valves be open in order for petroleum to flow through it. The presence of redundant (dual) block valves, while increasing safety, decreases security for the pipeline.
If either of the two block valves happened to fail shut when there was no need to shut off the pipeline, flow through the pipeline would needlessly halt. Having two series-plumbed block valves instead of one block valve increases the probability of unnecessary pipeline shutdowns. A precise notation useful for specifying dependability and security in redundant systems compares the number of redundant elements necessary to achieve the desired result compared to the total number of redundant elements. If the desired result for our double-block valve array is to shut down the pipeline in the event of a detected leak or rupture, we would say the system is one out of two (1oo2) redundant for dependability. In other words, only one out of the two redundant valves needs to function properly (shut off) in order to bring the pipeline to a safe condition. If the desired result is to allow flow through the pipeline when the pipeline is leak-free, we would say the system is two out of two (2oo2) redundant for security. This means both of the two block valves need to function properly (open up) in order to allow petroleum to flow through the pipeline. This numerical notation showing the number of essential elements versus number of total elements is often referred to as MooN (“M out of N”) notation, or sometimes as NooM (“N out of M”) notation. When discussing safety instrumented systems, the ISA standard 84 defines redundancy in terms of the number of agreeing channels necessary to perform the safety (shutdown) function – in other words, the ISA’s usage of “MooN” notation implies dependability, rather than security.
A complementary method of quantifying dependability and security for redundant systems is to label in terms of how many element failures the system may sustain while still achieving the desired result. For this series set of double block valves, the safety (shutdown) function has a fault tolerance of one (1), since one of the valves may fail to shut when called upon but the other valve remains sufficient in itself to shut off the flow of petroleum to the pipeline. The normal operation of the system, however, has a fault tolerance of zero (0). Both block valves must open up when called upon in order to establish flow through the pipeline. It should be clearly evident that a series set of block valves emphasizes dependability (the ability to shut off flow through the pipeline when needed) at the expense of security (the ability to allow normal flow through the pipeline when there is no leak).
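The MooN voting, fault tolerance and dependability-versus-security trade-off described above, as an added example that is not part of the original article. It generalizes the 1oo2 double-block valve to any M-out-of-N arrangement; the probability functions assume independent channel failures, which deliberately ignores the common cause failures the article warns about, so they are an optimistic bound rather than a SIL calculation.

```python
from math import comb


def moon_votes_to_trip(channel_demands, m):
    """MooN voting in the ISA-84 (dependability) sense: the shutdown action is
    taken when at least M of the N channels demand it."""
    return sum(1 for demanded in channel_demands if demanded) >= m


def fault_tolerance(m, n):
    """Fault tolerance of a MooN arrangement for both goals.
    dependability: channels that may fail to act while >= M still act  -> N - M
    security:      channels that may trip spuriously before M have      -> M - 1
    For the article's series double-block valves (1oo2): 1 and 0."""
    return {"dependability": n - m, "security": m - 1}


def p_fail_on_demand(m, n, p_fail):
    """Probability that fewer than M of N channels act on a real demand,
    each channel failing to act with probability p_fail (assumed independent)."""
    return sum(comb(n, k) * (1 - p_fail) ** k * p_fail ** (n - k) for k in range(m))


def p_spurious_trip(m, n, p_spur):
    """Probability that at least M of N channels trip when there is no demand,
    each channel tripping spuriously with probability p_spur (assumed independent)."""
    return sum(comb(n, k) * p_spur ** k * (1 - p_spur) ** (n - k) for k in range(m, n + 1))


if __name__ == "__main__":
    # Constructed per-channel figures for illustration only (not from the article).
    p_fail, p_spur = 0.1, 0.05
    for m, n in [(1, 2), (2, 2), (2, 3)]:
        print(f"{m}oo{n}: fault tolerance {fault_tolerance(m, n)}, "
              f"PFD {p_fail_on_demand(m, n, p_fail):.4f}, "
              f"spurious {p_spurious_trip(m, n, p_spur):.4f}")
```

Running it shows the article's point numerically: 1oo2 cuts the failure-on-demand probability to p_fail squared but roughly doubles the spurious trip probability, while 2oo2 does the opposite; 2oo3 voting lowers both at the cost of a third channel.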

What is a Safety Instrumented System?

A Safety Instrumented System is simply a collection of safety instrumented functions that work together in a plant or piece of equipment to ensure that it operates safely and, in case of a hazardous event, can be brought to a safe state without damaging itself or other assets, without injuring people and without harming the environment.