Institute of Measurement and Control Functional Safety Conference 2016
Challenges in Achieving Safety Instrumented Function Response Time for a Fast-Acting Process
Page 5
and log the behaviour of the system between the time it reached the measured maximum safe operating
limit (specified as the trip setpoint) to the time it reached the design limit.
It is necessary to identify early the most conservative hazardous scenario that would result in the
hazardous event, together with the safeguards that may be required to mitigate that event. The PST for
the identified cause should then be established, after which the target response time of the SIF must be
determined in order to qualify it as an effective IPL.
Relationship between PST and SIFRT
As mentioned earlier, the PST is defined as the time period between a failure occurring in the process or
the basic process control system (with the potential to give rise to a hazardous event) and the occurrence
of the hazardous event if the SIF is not performed. (IEC 61511-1, 2016)
SIFRT is not formally defined in either the IEC or ISA functional safety standards. However, the SIFRT
can be described as the time taken for the SIF to detect the abnormal condition and respond to bring the
process to a safe state and prevent the hazard from occurring. It is the summation of the individual
response times of all elements which comprise the SIF, which includes the sensors, logic solver and final
elements.
The relationship between PST and SIFRT is not a precisely defined area. What is clearly understood is
that the SIFRT should be less than the PST to ensure that the SIF responds in time to prevent the
hazardous event occurring. However, the target SIFRT should also be selected such that there is a safe
margin to account for inaccuracies in any part of the SIF, from sensing the fault to actuating the end
device, and should also account for degradation in SIF performance throughout the lifetime of the SIF. A
SIF may be proven to satisfy the requirements of PFD, SC and HFT; however, if the safety function
cannot respond within the target SIF response time, then it is considered ineffective and inadequate in
mitigating the hazardous event.
In the IEC functional safety standards, the margin between PST and SIFRT is not defined. Under the
definition of Process Safety Time in IEC 61511-1 (2016), a note is included regarding the SIF Response
Time: "The SIF has to detect the failure and complete its action soon enough to prevent the hazardous
event taking into account any process lag." The new revisions of the IEC 61511-1 and 61511-2 standards
released in 2016 provide no additional discussion or clarity on this subject.
The ISA functional safety standards also provide general guidance regarding the relationship between
SIFRT and PST. ISA-TR84.00.04 (2015) Section 4.3.4 states that the "SIS should be capable of
completing its action within the allocated process safety time." Furthermore, within Annex Q under the
discussion of alarm set-points, it is implied that each SIF should respond to achieve or maintain the safe
state of the process within one-half of the process safety time with respect to a specific hazardous event.
Some operating companies may provide their own definition of the relationship between PST and SIFRT.
For example, one operator provides specific guidelines for the design margin between PST and SIFRT
based on the relationship:
$$\text{Design margin \%} = \frac{PST - SIFRT}{SIFRT}$$
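The following is an added worked example, not code from the paper or from the operator it cites: it sums the element response times into a SIFRT, applies the operator's design-margin relationship, and checks the two criteria discussed above (SIFRT below PST, and SIFRT within one-half of PST). The split into three elements, the uniform lifetime-degradation percentage and all numeric values are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class SifTiming:
    """Response-time budget (seconds) for the elements that make up one SIF.
    The three-element split and the field names are this example's own."""
    sensor_s: float          # time to detect the abnormal condition (incl. transmitter damping)
    logic_solver_s: float    # logic solver scan and processing time
    final_element_s: float   # e.g. valve stroke time to reach the safe position

    def sifrt(self, degradation_pct: float = 0.0) -> float:
        """SIFRT = sum of the element response times. degradation_pct is an assumed
        input that inflates every element uniformly to model slower performance
        late in the SIF lifetime (the paper only says degradation must be allowed for)."""
        factor = 1.0 + degradation_pct / 100.0
        return (self.sensor_s + self.logic_solver_s + self.final_element_s) * factor


def design_margin_pct(pst_s: float, sifrt_s: float) -> float:
    """Design margin % = (PST - SIFRT) / SIFRT, the operator relationship quoted above."""
    if sifrt_s <= 0:
        raise ValueError("SIFRT must be positive")
    return (pst_s - sifrt_s) / sifrt_s * 100.0


def assess_sif(pst_s: float, timing: SifTiming, degradation_pct: float = 0.0) -> dict:
    """Check one SIF against the criteria discussed in the text: SIFRT < PST
    (IEC 61511-1 note), SIFRT <= PST/2 (implied by ISA-TR84.00.04 Annex Q),
    and the operator's design margin, which is >= 100 % exactly when SIFRT <= PST/2."""
    sifrt = timing.sifrt(degradation_pct)
    return {
        "sifrt_s": sifrt,
        "responds_before_pst": sifrt < pst_s,
        "within_half_pst": sifrt <= pst_s / 2.0,
        "design_margin_pct": design_margin_pct(pst_s, sifrt),
    }


if __name__ == "__main__":
    # Constructed figures, not from the paper: PST 20 s, elements 2 s + 1 s + 5 s.
    fast_valve = SifTiming(sensor_s=2.0, logic_solver_s=1.0, final_element_s=5.0)
    print(assess_sif(20.0, fast_valve))                      # SIFRT 8 s, margin 150 %
    print(assess_sif(20.0, fast_valve, degradation_pct=30))  # SIFRT 10.4 s, margin ~92 %
```

The second call shows the point made in the text about lifetime degradation: a SIF that comfortably meets the half-PST guideline when new can fall outside it once its elements slow down, while still responding before the PST.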