The Protection Layers

Last edit: 07/08/2023

A Safety Instrumented System (SIS) may fail while in a passive (dormant) state, and the failure may remain hidden until a demand occurs from the process or until the system is tested.

Let’s suppose the pressure in a vessel is controlled by a pressure transmitter and the process control system has to keep the value around a certain set point.

In case the pressure increases above a certain threshold, an alarm is generated (PSH). In case the value goes “out of control”, a safety pressure switch, set at PSHH, shuts down the process (figure 7).

We see that there are two protection layers: a Control one and a Safety one. They normally do not share the same field components. In our example, the pressure transmitter belongs to the Control Layer, while the safety pressure switch belongs to the Safety Layer.

Normally, the process control system keeps the pressure around the set point. Only rarely does the pressure go out of control, and at that moment the Safety System must intervene: the issue is that it may have failed in the meantime. A safety instrumented system is therefore called an independent protection layer. It is installed to mitigate the risk associated with the operation of a process that is normally hazardous; that process (plant or equipment) is called the Equipment Under Control or EUC (figure 8).

A Safety Instrumented Function (SIF) is implemented with a SIS that is intended to achieve or maintain a safe state for the EUC with respect to a specific process demand (a high pressure for example). A SIS may consist of one or more SIFs.

Testing of the Safety Instrumented System

Safety Instrumented Systems are normally dormant and their failure may remain undetected, or hidden, until there is a demand upon them (a high temperature or pressure, for example) or until the system is tested to check whether it is still working properly.

There are two types of tests that can be done on such systems.

Diagnostic Testing. These tests are performed automatically by the component itself, by the logic solver, or by other elements of the safety system. The extent to which this automatic testing reveals failures is called Diagnostic Coverage (DC). The failures that can be detected in this way are defined as Detectable; the remaining failures are called Undetectable.

Function Testing. The objective of function testing is primarily to reveal the undetectable failures and to verify that the system is still able to perform its required function should a process demand occur. Function testing, defined in IEC 61508 as Proof Test, is normally done manually, or initiated manually. The time interval between two function tests is indicated as Ti; after a perfect Proof Test the item is considered “as new”. Please refer to chapter 3 for the definition of Proof Test and further details.

Do not get confused between Function Test and Functional Test. In the literature, you may find that the Proof Test is defined as a Function Test, as well as a Periodic Test, while the Diagnostic Coverage is also defined as a Functional Test.
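As an added example (not from the original text), the following Python model shows how the two test types above act on a dormant single-channel SIF: diagnostics split the dangerous failure rate into a detected part (exposed only while being repaired) and an undetected part (hidden until the next proof test), and a perfect proof test at interval Ti returns the item to "as new". It uses the simplified IEC 61508 low-demand approximation PFDavg ≈ λDU·Ti/2 + λDD·MTTR; the class name, the hypothetical diagnostic_benefit helper and all numeric values are constructed for illustration.

```python
# Added example, not part of the original text: a dormant 1oo1 safety channel
# whose hidden failures accumulate between proof tests. Simplified IEC 61508
# low-demand approximation; all rates and intervals below are constructed.
import math
from dataclasses import dataclass


@dataclass
class SifChannel:
    lambda_d: float    # dangerous failure rate, failures per hour (constructed)
    dc: float          # Diagnostic Coverage: fraction of dangerous failures found automatically
    ti_hours: float    # proof-test (function-test) interval Ti, in hours
    mttr_hours: float  # mean time to restore a failure revealed by diagnostics

    @property
    def lambda_dd(self) -> float:
        """Dangerous Detected rate: revealed by diagnostics, exposed only during repair."""
        return self.lambda_d * self.dc

    @property
    def lambda_du(self) -> float:
        """Dangerous Undetected rate: hidden until the next proof test (or a demand)."""
        return self.lambda_d * (1.0 - self.dc)

    def pfd_at(self, t_hours: float) -> float:
        """Instantaneous PFD at time t: the hidden-failure term grows since the
        last proof test; each perfect proof test resets it to zero ("as new")."""
        since_test = t_hours % self.ti_hours
        return 1.0 - math.exp(-self.lambda_du * since_test) + self.lambda_dd * self.mttr_hours

    def pfd_avg(self) -> float:
        """Average PFD over one proof-test interval (linear approximation)."""
        return self.lambda_du * self.ti_hours / 2.0 + self.lambda_dd * self.mttr_hours


def diagnostic_benefit(lambda_d: float, ti_hours: float, mttr_hours: float, dc: float) -> float:
    """Hypothetical helper: ratio of PFDavg with no diagnostics (DC = 0) to PFDavg with the given DC."""
    no_diag = SifChannel(lambda_d, 0.0, ti_hours, mttr_hours).pfd_avg()
    with_diag = SifChannel(lambda_d, dc, ti_hours, mttr_hours).pfd_avg()
    return no_diag / with_diag


if __name__ == "__main__":
    ch = SifChannel(lambda_d=1e-6, dc=0.6, ti_hours=8760.0, mttr_hours=8.0)
    print(f"PFDavg over one year = {ch.pfd_avg():.2e}")
    print(f"PFD just before proof test = {ch.pfd_at(8759.0):.2e}, just after = {ch.pfd_at(8760.0):.2e}")
    print(f"Diagnostics (DC=0.6) reduce PFDavg by a factor of {diagnostic_benefit(1e-6, 8760.0, 8.0, 0.6):.2f}")
```

Lengthening Ti or lowering DC raises the hidden-failure term directly, which is why the proof-test interval and diagnostic coverage are the two levers an engineer has against dormant failures.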