Permissives and inhibit functions of SIF

Permissives and Inhibit Functions of Safety Instrumented Functions (SIF)

Safety Instrumented Functions (SIFs) play a critical role in process safety by either preventing or allowing a sequence to proceed. These functions ensure that operations occur under safe conditions, preventing potential hazards. However, defining SIFs accurately is essential to avoid ambiguity and ensure proper implementation.

Understanding Permissives

Permissives are enable functions that allow a process to proceed only when specific conditions are met. They act as safety checks before an operation can continue. For example, in a burner management system, a SIF may be defined as: “Do not allow the burner startup sequence to begin if the fuel gas pressure is low.” This means that the burner can only start when the fuel gas pressure is within the safe operating range. However, permissives are often expressed in software logic, which can create ambiguity about the actual safety hardware involved. To ensure proper implementation, permissives should be translated into physical safety actions, such as controlling a valve or interlocking a system component.

Understanding Inhibit Functions

Inhibit functions actively prevent an unsafe condition from occurring by taking a specific action on hardware. Unlike permissives, which allow operations under safe conditions, inhibit functions block or stop operations when hazardous conditions are detected. A clearer way to define the SIF in the burner management example would be: “On low fuel gas pressure during startup, close the fuel gas valves to the burners.” This definition explicitly states the action taken by the system and ensures that the critical hardware (the fuel gas valve) is properly identified and SIL-rated.

Importance of Properly Defining SIFs

A well-defined SIF should specify a positive action on hardware rather than relying on software functions. This approach ensures that the failure of the SIF results in a clearly understood loss of risk control, rather than an ambiguous state. For instance, stating that the fuel gas valves should close on low pressure provides a concrete safety action that can be verified and tested.

Rewriting Enable Functions as Inhibit Functions

To avoid misinterpretation, enable functions (permissives) should be rephrased as inhibit functions. Consider a SIF written as: “When the pressure and temperature in the stack are low, allow the operator to unlock the inspection door.” This statement may not effectively communicate the final safety action. A better definition would be: “On not-low pressure or not-low temperature in the stack, lock the stack inspection door.” This revision explicitly states that the lock itself is the final element, ensuring that if the locking mechanism fails, the risk to the operator is properly managed.
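The rewrite above is an application of De Morgan's law: "allow when A and B" is the same as "inhibit on not-A or not-B". The Python sketch below is an added example, not taken from the original page or the referenced book; the `Permissive` class and the function names are hypothetical, and treating a missing reading as "condition not met" is an assumption. It derives the inhibit wording from a permissive definition and checks exhaustively that the two forms never disagree.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Permissive:
    conditions: tuple      # every condition must hold for the action to be allowed
    allowed_action: str    # what the permissive wording "allows"
    final_element: str     # hardware that actually controls the risk
    safe_action: str       # positive action taken on that hardware

def permissive_allows(p, state):
    # Enable form: allow only when all conditions are true.
    # Assumption: a reading missing from `state` counts as "not met".
    return all(state.get(c, False) for c in p.conditions)

def inhibit_trips(p, state):
    # Inhibit form (De Morgan): act on the final element when any condition is false.
    return any(not state.get(c, False) for c in p.conditions)

def inhibit_statement(p):
    # Build the inhibit wording, naming the final element and its action.
    causes = " or ".join(f"not-{c}" for c in p.conditions)
    return f"On {causes}, {p.safe_action} the {p.final_element}."

def equivalent(p):
    # Walk the full truth table: the inhibit must trip exactly when
    # the permissive would have refused.
    for values in product([False, True], repeat=len(p.conditions)):
        state = dict(zip(p.conditions, values))
        if permissive_allows(p, state) == inhibit_trips(p, state):
            return False
    return True

# The stack inspection door example from the text.
DOOR = Permissive(
    conditions=("low pressure", "low temperature"),
    allowed_action="unlock the inspection door",
    final_element="stack inspection door",
    safe_action="lock",
)

if __name__ == "__main__":
    print(inhibit_statement(DOOR))
    print("forms equivalent:", equivalent(DOOR))
```

The logic is identical in both forms; what changes is that the inhibit statement names the lock as the final element, which is the component that has to be SIL-rated and proof-tested.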

Ensuring Effective Risk Control

By defining SIFs in terms of inhibit functions rather than permissives, the safety system becomes more robust and reliable. Clear definitions help in ensuring that SIS designers understand which components must meet SIL requirements and be included in the safety system. Ultimately, a well-structured SIF guarantees that safety mechanisms function correctly and mitigate risks effectively.

References: 

Functional Safety from Scratch by Peter Clarke, xSeriCon
