Understanding the Safe State: A Key Principle in Process Safety and SIS Design

Safe State

What is the Safe State?

In process safety, achieving a safe state is a fundamental objective of any Safety Instrumented Function (SIF). The safe state is the condition in which the harm that a SIF is designed to prevent cannot occur.

For instance, consider a tank containing a flammable liquid. If the tank is overfilled, it could lead to a hazardous release, potentially causing a fire or explosion. To prevent this, a SIF could be implemented, for example stopping the feed pump or closing an inlet valve to prevent the overflow. In this scenario, the safe state can be defined as ‘no overflow from the tank’. As long as there is no overflow, the associated risk is eliminated.

The Importance of Defining the Safe State

It is crucial to note that defining a safe state does not dictate how safety must be achieved. It does not specify whether the system should shut down a pump, close a valve, or take other actions. Instead, it simply states the desired end condition: no overflow.

This flexibility is important because, during the design process, it may become evident that an initial SIF approach has undesirable side effects. For example:

  • Stopping a pump may cause unexpected process disruptions.
  • Closing a valve may lead to pressure build-up elsewhere in the system.
  • Response times may need to be adjusted to be practical and cost-effective.

By defining the safe state as ‘no overflow from the tank’ instead of ‘feed pump stopped and inlet valve closed’, design engineers have the freedom to explore alternative solutions that still meet safety objectives. This approach prevents unnecessary constraints on the system design while maintaining effective risk mitigation.

Process Conditions vs. Final Element Actions

Expressing the safe state in terms of process conditions rather than final element actions provides additional advantages.

  • It allows engineers to evaluate whether certain system features, like a tight shutoff valve (TSO), are necessary.
  • If minor leakage through a closed valve does not lead to overflow, achieving a perfect TSO might not be critical, reducing design complexity and cost.
  • It enables engineers to explore redundant system architectures, such as deciding whether a 1oo2 (one out of two) system is sufficient instead of requiring a 2oo2 (two out of two) system.
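The design freedom described above, and the TSO and 1oo2 versus 2oo2 questions in the list just given, become concrete once the safe state is written down as a process condition that candidate designs can be checked against. The following is an added example, not code from the original article or from Peter Clarke's book: it models the tank with a simple mass balance and asks, for each candidate set of final element actions, whether the process condition ‘no overflow from the tank’ is reached. All tank volumes, rates, response times and the 60-minute operator-response horizon are constructed illustration values, as are the element names.

```python
"""Added example, not from the original article: checking candidate SIF
designs against a safe state expressed as a process condition ('no overflow
from the tank') rather than as a final element action ('pump stopped and
inlet valve closed').

Every number below is a constructed illustration value (assumed, not taken
from the article): volumes in m3, rates in m3/min, times in minutes. The
level model is a plain mass balance integrated with a fixed time step.
"""
from dataclasses import dataclass
from itertools import combinations

STEPS_PER_MIN = 10  # 6-second integration step; time is kept as an integer step count


@dataclass(frozen=True)
class Tank:
    overflow_m3: float          # volume at which liquid spills over the top
    level_at_trip_m3: float     # volume when the high-level trip fires
    feed_m3_per_min: float      # pump-driven inflow before any action is taken
    outflow_m3_per_min: float   # steady draw-off to downstream equipment


@dataclass(frozen=True)
class FinalElement:
    """One final element action. remaining_inflow is the fraction of the feed
    that still enters the tank once the action is complete: 0.0 for a stopped
    pump or a tight shutoff (TSO) valve, e.g. 0.02 for a valve with 2% leakage."""
    name: str
    remaining_inflow: float
    response_min: float         # time from trip until the action is complete


def inflow_at(tank, elements, t_min):
    """Inflow at time t: each completed action scales the feed by its remaining fraction."""
    frac = 1.0
    for e in elements:
        if t_min >= e.response_min:
            frac *= e.remaining_inflow
    return tank.feed_m3_per_min * frac


def peak_level(tank, elements, horizon_min=60):
    """Integrate the tank level from the trip and return the highest volume reached.
    horizon_min is the assumed window before an operator can intervene."""
    level = peak = tank.level_at_trip_m3
    for step in range(horizon_min * STEPS_PER_MIN):
        t_min = step / STEPS_PER_MIN
        net = inflow_at(tank, elements, t_min) - tank.outflow_m3_per_min
        level = max(0.0, level + net / STEPS_PER_MIN)
        peak = max(peak, level)
    return peak


def reaches_safe_state(tank, elements, horizon_min=60):
    """The safe state is the process condition 'no overflow from the tank'."""
    return peak_level(tank, elements, horizon_min) < tank.overflow_m3


def architecture_adequate(tank, elements, must_act):
    """A KooN (must_act out of len(elements)) final element architecture is
    adequate for the safe state only if every subset of must_act elements
    reaches it on its own, the other elements being assumed to have failed."""
    return all(reaches_safe_state(tank, subset)
               for subset in combinations(elements, must_act))


# Constructed scenario: 10 m3 of freeboard, net fill of 8 m3/min if nothing acts.
TANK = Tank(overflow_m3=100.0, level_at_trip_m3=90.0,
            feed_m3_per_min=10.0, outflow_m3_per_min=2.0)
PUMP_STOP = FinalElement("stop feed pump", remaining_inflow=0.0, response_min=0.5)
VALVE_2PCT = FinalElement("close inlet valve (2% leak)", remaining_inflow=0.02, response_min=1.0)
SLOW_VALVE = FinalElement("close inlet valve (2% leak, slow actuator)", remaining_inflow=0.02, response_min=1.5)
TSO_VALVE = FinalElement("close inlet valve (tight shutoff)", remaining_inflow=0.0, response_min=1.0)
# Same tank with no draw-off: any leak past a closed valve keeps filling it.
DEAD_END_TANK = Tank(overflow_m3=100.0, level_at_trip_m3=85.0,
                     feed_m3_per_min=10.0, outflow_m3_per_min=0.0)


def main():
    print(f"{'design':40} {'peak m3':>8}  safe")
    for label, tank, elems in [
        ("no action", TANK, []),
        ("pump stop alone", TANK, [PUMP_STOP]),
        ("2% leak valve alone", TANK, [VALVE_2PCT]),
        ("slow 2% leak valve alone", TANK, [SLOW_VALVE]),
        ("pump stop + slow valve", TANK, [PUMP_STOP, SLOW_VALVE]),
        ("dead-end tank, 2% leak valve", DEAD_END_TANK, [VALVE_2PCT]),
        ("dead-end tank, tight shutoff valve", DEAD_END_TANK, [TSO_VALVE]),
    ]:
        print(f"{label:40} {peak_level(tank, elems):8.1f}  {reaches_safe_state(tank, elems)}")
    print("1oo2 pump / 2% valve adequate:  ", architecture_adequate(TANK, [PUMP_STOP, VALVE_2PCT], 1))
    print("1oo2 pump / slow valve adequate:", architecture_adequate(TANK, [PUMP_STOP, SLOW_VALVE], 1))
    print("2oo2 pump / slow valve adequate:", architecture_adequate(TANK, [PUMP_STOP, SLOW_VALVE], 2))


if __name__ == "__main__":
    main()
```

In the tank with draw-off, a 2% leak past the closed valve is below the outflow, so the level falls after the valve closes and a tight shutoff is not needed for the safe state; in the dead-end tank the same leak keeps filling the vessel and overflows it within the horizon, so the TSO becomes a requirement. Likewise the slow valve cannot reach the safe state on its own, so a pump/slow-valve pair is only adequate as 2oo2, while the pump/2%-valve pair is adequate as 1oo2. Note that "adequate" here is purely the process outcome when the stated elements act; how likely they are to act on demand is the separate PFD calculation, and the horizon is an assumption about operator response that must be justified for the real plant.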

Safe State vs. Normal Operation

For low-demand mode SIFs, ‘plant running normally’ is not considered a safe state. A safe state is only achieved after an initiating event has occurred and the unwanted outcome has been prevented.

However, for high-demand or continuous mode SIFs, normal operation can be considered a safe state. For example, in a fired heater system, the safe state could be: ‘burner starts only if a leak test was successful’. This ensures that a hazardous event cannot occur during normal operation.

References

Peter Clarke, Functional Safety from Scratch.
