I am often asked the question, “Are permissives safety instrumented functions?” I always respond with a very firm, “maybe”.
From the perspective of risk analysis, a permissive can and should be treated just like any other SIF. The difference is that when you calculate the achieved SIL, there will be no final element (more on that later). A permissive is an instrumented function that prevents you from taking an action until preconditions have been met; once the conditions have been met and the process is started, violating those constraints no longer has any effect and will not cause a shutdown. Permissives virtually always work against an initiating event of a human taking an improper action. The seriousness of the consequences determines what SIL (if any) is required. Let me give you two example permissives to demonstrate.
First, the low risk situation. Many compressors have a low lube oil temperature permissive. The purpose of this permissive is to prevent you from starting the compressor while the temperature of the oil is low. If the oil temperature is too low, the oil will be too viscous and will essentially stay in the oil pan, providing no lubrication to the machine and ultimately causing damage to the machine (typically a relatively small financial consequence, usually with no safety ramifications). Since this is a permissive, once the machine is started changes in the temperature of the lube oil have no effect. If the measured temperature of the lube oil drops below the permissive point while in operation, the machine will not shut down. The rationale is that the machine is already running, so oil is already flowing, and a decrease in temperature is probably not an actual process problem but a faulty measurement. In this case, the permissive would either be assigned a low SIL based entirely on a small commercial loss or, more frequently, be categorized as “minor equipment protection” and not analyzed at all.
Next, the high risk situation. Consider a batch oxidation reaction. A reactor is charged with hydrocarbon liquid with a catalyst in solution. The reactor is then heated to a temperature that will ensure that the oxidation reaction will occur. After the safe temperature is achieved, the reaction can begin, and does begin with the introduction of oxygen or air sparged into the reactor. If the air were introduced to the reactor prior to the safe temperature being achieved, the likely result would be that the oxygen would bubble through the hydrocarbon liquid unreacted, leaving the reactor and creating a flammable mixture in the reactor overhead vapor line, which is often directed to a catalytic oxidation unit that provides the strong source of ignition that causes an explosion. Again, this is a permissive, so the only initiating event we’re acting against is an operator starting the reaction prematurely (i.e., prior to achieving the safe temperature). Once the safe temperature is achieved and the reaction is started, dropping below the safe temperature will no longer cause a trip. In this case, the continued safety of the reactor system and the health of the reaction would be monitored by other measurements, such as the oxygen concentration in the reactor off-gas, which works well during the normal operation phase of the reaction but is completely ineffective in preventing the startup incident.
With respect to risk analysis, the initiating event for a permissive is virtually always an operator taking an action at an inappropriate time. This is typically quantified using the site’s standard criteria for human error probability combined with the frequency at which the action is expected to be taken. The required RRF of the permissive SIF is then calculated as usual for any other SIF: the probability of failure of the permissive must be low enough that the frequency of the initiating event multiplied by the failure probability of the permissive SIF (and any other protection layers) is below the tolerable limit.
The curiosity of the permissive SIF is that it has no final element for purposes of the probability of failure on demand calculation. Consider the batch oxidation reaction safe temperature permissive. If this were a normal SIF, one would calculate the PFD of the loop considering the transmitter’s failure to measure the safe temperature, the logic solver’s failure to act properly, and the oxygen valve’s failure to move to the closed position. But this is not a normal SIF, in that the oxygen valve is already closed before you start. The valve does not need to move, thus the probability of failure of the valve to move must be ignored, as it is not relevant.
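To make the two preceding steps concrete, here is an added worked calculation for the batch oxidation safe temperature permissive. It is example code written for this page, not the author's method or any vendor's tool, and every number in it (startups per year, human error probability, tolerable frequency, dangerous undetected failure rates, proof test interval) is a constructed assumption chosen to illustrate the arithmetic, not a value from the article or from any site's criteria. It derives the required RRF from the initiating event frequency as described above, then computes the achieved PFDavg of the permissive loop with the final element excluded, and for comparison shows what the same loop would look like if the already-closed valve were (wrongly) counted. The SIL bands are the IEC 61511 low-demand PFDavg bands; architectural constraints and systematic capability, which also bound the achievable SIL, are deliberately outside this example.

```python
"""Worked permissive SIF calculation (added example; all inputs are constructed)."""

HOURS_PER_YEAR = 8760

# IEC 61511 low-demand SIL bands as (SIL, lower PFDavg bound, upper PFDavg bound).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd_avg):
    """Map a PFDavg to its SIL band; 0 means PFDavg >= 0.1, i.e. no SIL credit."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    return 0


def demand_rate(opportunities_per_year, human_error_probability):
    """Initiating event frequency for a permissive: how often the action is
    attempted times how often the operator gets it wrong (the site's HEP)."""
    return opportunities_per_year * human_error_probability


def required_rrf(demand_per_year, tolerable_per_year, other_ipl_pfds=()):
    """RRF the permissive must deliver so that demand x PFD(other IPLs) x PFD(SIF)
    falls below the tolerable frequency. Returns 1.0 when no SIF is needed."""
    mitigated = demand_per_year
    for pfd in other_ipl_pfds:
        mitigated *= pfd
    if mitigated <= tolerable_per_year:
        return 1.0
    return mitigated / tolerable_per_year


def pfd_avg(lambda_du_per_hour, proof_test_interval_years):
    """Simplified 1oo1 PFDavg = lambda_DU x TI / 2 (dangerous undetected rate only)."""
    return lambda_du_per_hour * proof_test_interval_years * HOURS_PER_YEAR / 2


def loop_pfd(sensor_pfd, logic_pfd, final_element_pfd=None):
    """Series sum of subsystem PFDavg values. A permissive's final element is
    already in the safe state and does not have to move, so it is left out;
    pass final_element_pfd only to see what counting it would do."""
    total = sensor_pfd + logic_pfd
    if final_element_pfd is not None:
        total += final_element_pfd
    return total


def batch_oxidation_permissive():
    """Constructed scenario for the safe temperature permissive."""
    # --- Required performance (all values assumed for illustration) ---
    demand = demand_rate(opportunities_per_year=50, human_error_probability=0.01)
    tolerable = 1e-3                      # tolerable explosion frequency, per year
    rrf_needed = required_rrf(demand, tolerable)          # no other IPLs credited
    required_sil = sil_for_pfd(1.0 / rrf_needed)

    # --- Achieved performance (assumed failure data, 1 year proof test) ---
    sensor = pfd_avg(lambda_du_per_hour=2e-7, proof_test_interval_years=1)
    logic = 1e-5                          # assumed safety PLC PFDavg
    valve = pfd_avg(lambda_du_per_hour=5e-7, proof_test_interval_years=1)

    permissive = loop_pfd(sensor, logic)               # valve correctly excluded
    as_normal_sif = loop_pfd(sensor, logic, valve)     # valve wrongly included

    return {
        "demand_per_year": demand,
        "required_rrf": rrf_needed,
        "required_sil": required_sil,
        "achieved_pfd_permissive": permissive,
        "achieved_sil_permissive": sil_for_pfd(permissive),
        "achieved_sil_if_valve_counted": sil_for_pfd(as_normal_sif),
        "meets_target": (1.0 / permissive) >= rrf_needed,
    }


if __name__ == "__main__":
    for key, value in batch_oxidation_permissive().items():
        print(f"{key}: {value}")
```

With these assumed inputs the permissive must provide an RRF of 500 (a SIL 2 target), and the transmitter plus logic solver alone achieve a PFDavg of about 8.9e-4, comfortably inside the target. Adding the valve's PFDavg, as one would for a normal trip, would push the loop to about 3.1e-3 and understate its performance; the article's point is that for a permissive that term simply does not belong in the sum.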
The bottom line is that a permissive should be treated like any other instrumented function. The analyst must review the INTENTION of the function. If the intention is to prevent a safety consequence, then it is effectively a SIF and needs to be analyzed and designed as such.