ISA S84.01 SIS


  • 8/12/2019 ISA S84.01 SIS

    1/110


Copyright 1996 by the Instrument Society of America. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the publisher.

ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709

ANSI/ISA-84.01-1996 Application of Safety Instrumented Systems for the Process Industries

ISBN: 1-55617-590-6

Preface

This preface as well as all footnotes, annexes, and draft technical report 84.02 (ISA-dTR84.02) are included for informational purposes and are not part of ANSI/ISA-84.01-1996. ISA-dTR84.02 was still in development at the time that ANSI/ISA-84.01-1996 was published; for information, contact ISA.

This standard has been prepared as part of the service of ISA, the international society for measurement and control, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: [email protected].

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards, recommended practices, and technical reports. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI and acceptable metric units in all new and revised standards to the greatest extent possible. The Metric Practice Guide, which has been published by the Institute of Electrical and Electronics Engineers as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

S84.01 has been developed with the intent that it will eventually become a part of a group of standards being developed by the International Electrotechnical Commission (IEC). This has resulted in a format and structure that may be somewhat different from previous ISA Standards. Some background information is, therefore, offered to assist the reader in better understanding the focus of S84.01.

IEC has commissioned the development of a set of international standards encompassing all aspects of safety systems for all industries. It is titled "Functional Safety: Safety-Related Systems." This effort is under the direction of IEC Technical Committee No. 65, Subcommittee 65A, Working Group 10. It is titled IEC draft Publication 1508 and is still in development but, as it exists today, there are seven parts:

Part 1 - General requirements
Part 2 - Requirements for Electrical/Electronic/Programmable Electronic Systems (E/E/PES)
Part 3 - Software requirements
Part 4 - Definitions and abbreviations of terms
Part 5 - Guidelines on the application of Part 1
Part 6 - Guidelines on the application of Parts 2 and 3
Part 7 - Bibliography of techniques and measures

This work is to define requirements common to all industries. It is IEC's intent that there will then be additional standards developed to reflect specific requirements for the various industry sectors, such as nuclear, pharmaceutical, aeronautical, process, etc.

IEC has commissioned a subcommittee, identified as IEC 1511, for the development of an industry-specific international standard that addresses the application of safety instrumented systems for the process industries. ISA-S84.01-1995 has been written with the intent that it will serve as the basis for that sector-specific standard. The structure, format, and content of S84.01 have been developed in this context. There are significant differences in S84.01 from IEC draft Publication 1508-1995, as described in Clause 12. However, IEC draft Publication 1508 was still being developed at the time that S84.01 was published. As a result, ISA SP84 will continue to support and monitor IEC draft Publication 1508 development and will modify S84.01 as needed when IEC draft Publication 1508 is published.

The IEC style guide has been used to facilitate the harmonization of this material with the general standards and other sector-specific standards being developed for IEC draft Publication 1508.

The following people served as active members of ISA Committee SP84:

NAME                                COMPANY
V. Maggioli, Chairman               Feltronics Corporation
R. Boyd, Jr., Vice Chairman         Aramco
W. Calder III, Managing Director    Calder Enterprises
*R. Adamski                         Triconex
R. Aldridge                         Consultant
R. Bailliet                         Shell Offshore, Inc.
N. Battikha                         ICI Canada, Inc.
L. Beckman                          HIMA Americas, Inc.
R. Bell                             Technology & Health Sciences Division
S. Bender                           S.K. Bender & Associates
P. Bennett                          Center for Software Engineering
K. Bingham                          Hinz Consulting, Ltd.
W. Black                            BP GRE
J. Blagg                            Eco Waste Technologies
R. Bloomfield                       Adelard
*K. Bond                            Shell Oil Company
K. Bosch                            G3 IQSE
S. Boyer                            Iliad Engineering, Inc.
*B. Bradley                         Mobil Research & Development Corporation
A. Brombacher                       Eindhoven University of Technology
D. Brown                            Fisher-Rosemount Systems
*L. Brown                           Arco Oil & Gas
M. Cannon                           Industrial Equipment Company
J. Carew                            Stone & Webster, Inc.
L. Cheung                           W.R. Grace & Company
R. Desrochers (deceased)            Sun Company
R. Dillman                          Conoco, Inc.
J. Duran                            Lagoven SA
P. Early                            ABB Industrial Systems, Inc.
*R. Ewbank                          Rhone-Poulenc, Inc.
T. Fisher                           Lubrizol Corporation
J. Forrest                          ABS Industrial Verification, Inc.
*T. Frederickson, Jr.               Triconex
R. Freeman                          Monsanto
D. Fritsch                          Phillips Petroleum Company
*K. Gandhi                          M. W. Kellogg Company
R. Gardner                          DuPont Engineering
*F. Gellner                         E. I. du Pont de Nemours & Company
J. Gilman                           Procter & Gamble Company
R. Glaser                           Dow Chemical Company
W. Goble                            Moore Products Company
*C. Goring                          August Systems, Ltd.
*J. Gray                            Chevron Research & Technology Company
D. Green                            Rohm & Haas
T. Green                            Stubbs Overbeck & Associates
J. Greenwald                        Fina Oil & Chemical Company
*R. Grehofsky                       E. I. du Pont de Nemours & Company
P. Gruhn                            Industrial Control Service, Inc.
*A. Habib                           Rhone-Poulenc, Inc.
*A. Hamers                          Honeywell SMS
A. Hammons                          Chevron USA
B. Hampton                          Consultant
C. Hardin                           Hoechst Celanese Corporation
D. Haysley                          Murphy Oil Company
*A. Heckman                         Bently Nevada
*K. Hill                            Mobil Research & Development Corporation
L. Hoffman                          BASF Corporation
B. Humes                            Bently Nevada
*D. Inverso                         E.I. du Pont de Nemours & Company
J. Jarvi                            Teknillinen Tarkastuskeskus
W. Jay                              Entergy Operations, Inc.
K. Jennings                         Square D Company
D. Jensen                           Price Engineering Company
R. Johnson                          Kingwood Technology Group
*W. Johnson                         E. I. du Pont de Nemours & Company
*D. Karydas                         Factory Mutual Research Corporation
K. Kassner                          CALTEK Pacific-Minas Corporation
R. Kier                             Kinetics Technology International
D. Leonard                          Consultant
*E. Lewis                           Union Carbide Corporation
J. Martel                           Exxon Chemical Company
*T. McAdams                         Allen-Bradley Company
S. McCormick                        3M Company
*M. McElroy                         Pepperl + Fuchs Systems
F. McKenna                          FMcK Associates, Ltd.
N. McLeod                           Elf Atochem
R. McNab                            Arco Chemical Company
*F. Mears                           Mobil Research & Development Corporation
*W. Mostia, Jr.                     Amoco Corporation
I. Nimmo                            Honeywell, Inc.
J. Nye                              Exxon Research and Engineering Company
*D. Ogwude                          Chevron Research & Technology Company
T. Ostrowski                        Occidental Chemical Corporation
*J. Palomar                         Chevron Research & Technology Company
J. Paques                           Institut de Recherche
B. Phelps                           Citgo Petroleum Corporation
*W. Purser                          Shell Oil Company
R. Raghaven                         Consultant
G. Ramachandran                     Cytec Industries, Inc.
*K. Rashida                         Allen-Bradley Company
C. Richard                          Mobil Oil Company
L. Richardson                       UOP
*C. Rischar                         Allen-Bradley Company
*W. Robinson                        Amoco Corporation
G. Russcher                         Westinghouse Electric Company
*D. Sanders                         August Systems, Ltd.
K. Schilowsky                       Marathon Oil Company
J. Schroeder                        Tosco Corporation
R. Shah                             Koch Industries
T. Shephard                         Caltex Services Corporation
*J. Simon                           M. W. Kellogg Company
I. Smith                            Campbell Love Associates
S. Smith                            Touch Technology, Inc.
J. Sottnik                          United Engineers & Constructors
R. Spiker                           GTI Industrial Automation
R. Spinks                           Petrocon Engineering, Inc.
*P. Stavrianidis                    Factory Mutual Research Corporation
R. Stevens                          U.S. Department of Energy
H. Storey                           Shell Development Company
L. Suttinger                        Westinghouse Savannah River Company
H. Thomas                           Air Products & Chemicals
*C. Thurston                        Union Carbide Corporation
M. Toffolo                          Elsag Bailey (Canada), Inc.
*W. Valerie                         Arco Oil & Gas
T. Walczak                          GE Fanuc
D. Watkins                          Dow Chemical Company
M. Weber                            TUV-IQSE
S. Weiner                           PC&E Consulting Engineers
W. Welz, Jr.                        BHP Engineers & Constructors, Inc.
*G. Wristen                         E. I. du Pont de Nemours & Company

*One vote per company

This published standard was approved for publication by the ISA Standards and Practices Board on February 15, 1996.

NAME                                COMPANY
M. Widmeyer, Vice President         Washington Public Power Supply System
H. Baumann                          H. D. Baumann, Inc.
D. Bishop                           Chevron USA Production Company
P. Brett                            Honeywell, Inc.
W. Calder III                       Calder Enterprises
H. Dammeyer                         Phoenix Industries, Inc.
R. Dieck                            Pratt & Whitney
W. Holland                          Southern Company Services, Inc.
A. Iverson                          Lyondell Petrochemical Company
K. Lindner                          Endress + Hauser GmbH + Company
T. McAvinew                         Metro Wastewater Reclamation District
A. McCauley, Jr.                    Chagrin Valley Controls, Inc.
G. McFarland                        Honeywell Industrial Automation & Control
J. Mock                             Consultant
E. Montgomery                       Fluor Daniel, Inc.
D. Rapley                           Rapley Engineering Services
R. Reimer                           Rockwell Automation A-B
R. Webb                             Pacific Gas & Electric Company
W. Weidman                          Consultant
J. Weiss                            Electric Power Research Institute
J. Whetstone                        National Institute of Standards & Technology
H. Wiegle                           Canus Corporation
C. Williams                         Eastman Kodak Company
G. Wood                             Graeme Wood Consulting
M. Zielinski                        Fisher-Rosemount

9 SIS operation and maintenance ..... 38
9.1 Objective ..... 38
9.2 Training ..... 38
9.3 Documentation ..... 38
9.4 SIS operating procedures ..... 38
9.5 Maintenance program ..... 38
9.6 Testing, inspection, and maintenance ..... 39
9.7 Functional testing ..... 39
9.8 Documentation of functional testing ..... 40

10 SIS Management Of Change (MOC) ..... 41
10.1 Objective ..... 41
10.2 MOC procedure ..... 41
10.3 MOC documentation ..... 42

11 Decommissioning ..... 42
11.1 Objective ..... 42
11.2 General ..... 43

12 Differences ..... 43
12.1 Terminology ..... 44
12.2 Organizational differences ..... 44
12.3 Technology differences ..... 46

Annexes

A (Informative) Information and examples illustrating methods for determining Safety Integrity Level (SIL) for a Safety Instrumented System (SIS) ..... 47
A.1 Introduction ..... 47
A.2 Safety Integrity Level (SIL) considerations and the process example ..... 48
A.3 Example methods for selecting SIL ..... 50

B (Informative) SIS design considerations ..... 55
B.1 Separation - identical or diverse ..... 55
B.2 Redundancy - identical or diverse ..... 58
B.3 Software design considerations ..... 59
B.4 Technology selection ..... 60
B.5 Failure rates and failure modes ..... 63
B.6 Architecture ..... 66
B.7 Power sources ..... 66
B.8 Common cause failures ..... 69
B.9 Diagnostics ..... 70
B.10 Field devices ..... 72
B.11 User interface ..... 75
B.12 Security ..... 77
B.13 Wiring practices ..... 78
B.14 Documentation ..... 79
B.15 Functional test interval ..... 79

C (Informative) Informative references ..... 81

D (Informative) Example ..... 85
D.1 Introduction to the example problem ..... 85
D.2 Safety Life Cycle (Figure 4.1) ..... 85
D.3 Safety requirement specification ..... 85
D.4 Safety integrity requirements (5.4) ..... 88
D.5 Conceptual design (6.0) ..... 89
D.6 Detail design (7.0) ..... 90

E (Informative) Index ..... 93

Figures

1.1 Definition of Safety Instrumented Systems (SIS) ..... 16
4.1 Safety Life Cycle ..... 24
A.1 Company ABC, Site XX, Specific SIL implementation techniques, example only ..... 50
A.2 Process example ..... 51
A.3 Company ABC, Site XX, Example of a qualitative matrix for determining SIL ..... 52
D.1 Basic process control scheme ..... 86
D.2 Tentative design solution ..... 91

Tables

3.1 Safety Integrity Level (SIL) ..... 21
4.1 Safety Integrity Level performance requirements ..... 25
A.1 Modified HAZOP documentation example ..... 53
B.5.1 Typical SIS failure modes ..... 64
B.5.2 Typical Programmable Electronic Failure Modes ..... 65
B.9.1 Fault types ..... 70
B.9.2 Diagnostic tests for programmable electronics ..... 72

Introduction

Purpose

This standard addresses the application of Safety Instrumented Systems (SIS) for the process industries. The SIS addressed includes Electrical (E), Electronic (E), and Programmable Electronic (PE) technology. This standard is process industry specific within the framework of the International Electrotechnical Commission (IEC) draft Publication 1508 (References C.8 and C.9). This standard follows the Safety Life Cycle presented later (see Figure 4.1).

This document is intended for those who are involved with SIS in the areas of

a) design and manufacture of SIS products, selection, and application;
b) installation, commissioning, and Pre-Startup Acceptance Test; and
c) operation, maintenance, documentation, and testing.

Objective

The objective is to define the requirements for Safety Instrumented Systems.

Organization

This standard is organized into three major parts. The main body of the standard (Clauses 1-11) presents mandatory specific requirements. Clause 12 provides key differences between ISA-S84.01 and IEC draft Publication 1508. Informative Annexes A through E present additional non-mandatory (informative) technical information that is useful in SIS applications.

Draft Technical Report 84.02 (ISA-dTR84.02), which is issued under separate cover, provides non-mandatory (informative) technical guidance in Safety Integrity Level analysis.

1 Scope

NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

This standard addresses Electrical/Electronic/Programmable Electronic System (E/E/PES), associated sensors, final elements, and interfaces used in automated Safety Instrumented Systems (SIS) for the process industries (Reference C.6). Examples of the E/E/PES technologies are:

a) Electromechanical relays;
b) Solid state logic;
c) PES;
d) Motor-driven timers;
e) Solid state relays and timers;
f) Hard-wired logic; and
g) Combinations of the above.

1.1 Boundaries of the Safety Instrumented System (SIS)

1.1.1 Figure 1.1 defines the boundaries of the SIS and identifies the devices that may be included in the system. The SIS described in this standard is that portion of the diagram enclosed within the double lined box.

1.1.2 The SIS includes all elements from the sensor to the final element, including inputs, outputs, power supply, and logic solvers. SIS user interface may be in the SIS.

1.1.3 Other interfaces to the SIS are considered a part of the SIS if they have potential impact on its safety function.

Figure 1.1 Definition of Safety Instrumented Systems (SIS)

1.2 Exclusions

1.2.1 This standard identifies all the steps of the Safety Life Cycle (see Figure 4.1) but does not define the method(s) that may be used in some of the steps.

1.2.2 This standard does not address management of the non-SIS portion of the design or the management of the startup process.

1.2.3 In jurisdictions where the governing authorities (Federal, State, Province, County, City, etc.) have established Process Safety Design, Process Safety Management, or other requirements, these laws shall in all cases take precedence over those requirements defined in this standard. These factors must be integrated into the Safety Life Cycle at the appropriate step.

1.2.4 This standard does not address the codes, regulations, and other requirements that apply only to the Nuclear Industry.

1.2.5 The activity of identifying process hazards by use of Process Hazards Analysis methods is not part of this standard.

1.2.6 Defining the need for a Safety Instrumented System is not included in this standard.

1.2.7 This standard is not intended to be used as a stand-alone system purchase specification. It will not eliminate the need for sound engineering judgment. It also does not mandate the use of any particular technology.

1.2.8 The standard is not intended to apply to Basic Process Control Systems (BPCS).

1.2.9 This standard is not intended for pneumatic or hydraulic logic solvers.

1.2.10 This standard does not consider the use of technology that is not currently utilized in Safety Instrumented Systems. As new technology evolves and becomes available (e.g., ISA SP50 Fieldbus) it will be addressed in scheduled (5 year) revisions to this standard. In the interim, if new system performance justifies its use, new technology shall be user approved before use in safety applications. In these cases, the new technology implementation may require exception to some standard requirements of S84.01. Exceptions shall be documented to demonstrate that the new approach satisfies the safety requirements.

1.2.11 Analysis of the capability of humans to act on human-machine interface information is part of the Process Hazards Analysis and is outside the scope of this standard.

1.2.12 Instrumentation installed for the purpose of monitoring conditions that may lead to chronic health effects is not covered by this standard.

1.2.13 This standard does not cover instrumentation installed principally for the purpose of property protection.

1.2.14 Systems where operator action is the sole means required to return the process to a safe state (e.g., alarm systems, fire and gas monitoring systems, etc.) are not covered by this standard.

2 Conformance to this standard

NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

To conform to the requirements of this standard, the following shall be adhered to:

2.1 Conformance guidance

2.1.1 To conform to this Standard, it must be shown that each of the requirements has been satisfied and therefore the Clause objectives have been met.

2.1.2 Where a requirement is qualified by reference to an informative annex, this indicates that a range of techniques and measures can be used to satisfy that requirement, including techniques and measures not listed in the informative annex.

2.1.3 The techniques and measures included in normative Clauses 1 through 11 are considered good engineering practices in the design and support of Safety Instrumented Systems.

2.2 Existing systems

2.2.1 For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard, the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.

3 Definition of terms and acronyms

NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

3.1 Definitions

For the purposes of this standard, the following definitions apply:

3.1.1 application program: See software (3.1.58.1).

3.1.2 application software: See software (3.1.58.1).

3.1.3 architecture: The arrangement and interconnection of the hardware components or modules that comprise the SIS.

3.1.4 availability: See safety availability (3.1.51).

3.1.5 Basic Process Control System (BPCS): A system that responds to input signals from the equipment under control and/or from an operator and generates output signals, causing the equipment under control to operate in the desired manner. Some examples include control of an exothermic reaction, anti-surge control of a compressor, and fuel/air controls in fired heaters. Also referred to as Process Control System.

3.1.6 bypassing: Act of temporarily defeating a safety function in a SIS.

3.1.7 common cause

3.1.7.1 common cause fault: A single source that will cause failure in multiple elements of a system. The single source may be either internal or external to the system.

3.1.7.2 common cause failure: The result of a common cause fault.

3.1.8 communication

3.1.8.1 external communication: Data exchange between the SIS and a variety of systems or devices that are outside the SIS. These include shared operator interfaces, maintenance/engineering interfaces, data acquisition systems, host computers, etc.

3.1.8.2 internal communication: Data exchange between the various devices within a given SIS. These include bus backplane connections, the local or remote I/O bus, etc.

3.1.9 coverage: See diagnostic coverage (3.1.14).

3.1.10 covert fault: Faults that can be classified as hidden, concealed, undetected, unrevealed, latent, etc.

3.1.11 decommissioning: The permanent removal of a complete SIS from active service.

3.1.29 input/output modules

3.1.29.1 input module: E/E/PES or subsystem that acts as an interface to external devices and converts input signals into signals that the E/E/PES can utilize.

3.1.29.2 output module: E/E/PES or subsystem that acts as an interface to external devices and converts output signals into signals that can actuate external devices.

3.1.30 interface: Shared boundary through which information is conveyed.

3.1.31 integration: Process of assembling multiple components or subsystems to form a system.

3.1.32 logic solver: E/E/PES components or subsystems that execute the application logic. Electronic and programmable electronics include input/output modules.

3.1.33 off-line: Process, to which the SIS is connected, is shut down.

3.1.34 on-line: Process, to which the SIS is connected, is operating.

3.1.35 overt faults: Faults that are classified as announced, detected, revealed, etc.

3.1.36 permissive: Condition within a logic sequence that must be satisfied before the sequence is allowed to proceed to the next phase.

3.1.37 Pre-Startup Acceptance Test (PSAT): Process of confirming performance of the total integrated SIS to assure its conformance to the Safety Requirement Specifications and design.

3.1.38 preventive maintenance: Maintenance practice in which equipment is maintained on the basis of a fixed schedule, dictated by manufacturer's recommendation or by accumulated data from operating experience.

3.1.39 Probability of Failure on Demand (PFD): A value that indicates the probability of a system failing to respond to a demand. The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDavg. PFD equals 1 minus Safety Availability [see safety availability (3.1.51)].

3.1.40 process industry sector: Refers to those processes involved in, but not limited to, the production, generation, manufacture, and/or treatment of oil, gas, wood, metals, food, plastics, petrochemicals, chemicals, steam, electric power, pharmaceuticals, and waste material(s).

3.1.41 Programmable Electronic System (PES): See E/E/PES (3.1.16).

3.1.42 protection layer: Engineered safety features or protective systems or layers that typically involve special process designs, process equipment, administrative procedures, the Basic Process Control System (BPCS), and/or planned responses to protect against an imminent hazard. These responses may be either automated or initiated by human actions (see Annex A for guidance).

3.1.43 qualitative methods: Methods of design and evaluation developed through experience and/or the application of good engineering judgement.

3.1.44 quantitative methods: Methods of design and evaluation based on numerical data and mathematical analysis.

3.1.45 redundancy: Use of multiple elements or systems to perform the same function. Redundancy can be implemented by identical elements (identical redundancy) or by diverse elements (diverse redundancy).

3.1.46 reliability: Probability that a system can perform a defined function under stated conditions for a given period of time.

3.1.47 replacement in kind: A replacement that satisfies the design specification.

3.1.48 reset: Action that restores the equipment under control to a predetermined normal enabled or operating state.

3.1.49 risk assessment: Process of making risk estimates and using the results to make decisions.

3.1.50 safe state: State that the equipment under control, or process, shall attain as defined by the Process Hazards Analysis (PHA).

3.1.51 safety availability: Fraction of time that a safety system is able to perform its designated safety service when the process is operating. In this standard, the average Probability of Failure on Demand (PFDavg) is the preferred term. (PFD equals 1 minus Safety Availability; see 3.1.39.)

3.1.52 Safety Integrity Level (SIL): One of three possible discrete integrity levels (SIL 1, SIL 2, SIL 3) of Safety Instrumented Systems. SILs are defined in terms of Probability of Failure on Demand (PFD) (see Table 3.1).

    Table 3.1 Safety Integrity Level (SIL)

    Safety Integrity Level (SIL)    Probability of Failure on Demand Average Range (PFDavg)
    1                               10^-1 to 10^-2
    2                               10^-2 to 10^-3
    3                               10^-3 to 10^-4

    3.1.53 Safety Instrumented Systems (SIS): System composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when predetermined conditions are violated (see Figure 1.1). Other terms commonly used include Emergency Shutdown System (ESD, ESS), Safety Shutdown System (SSD), and Safety Interlock System.

    3.1.54 Safety Life Cycle: Sequence of activities involved in the implementation of the Safety Instrumented Systems from conception through decommissioning (see Figure 4.1).

    3.1.55 separation: The use of multiple devices or systems to segregate control from safety functions. Separation can be implemented by identical elements (identical separation) or by diverse elements (diverse separation).

    3.1.56 shall: Indicates a mandatory requirement.

    3.1.57 SIS components: A constituent part of a SIS. Examples of SIS components are field devices, input modules, output modules, and logic solvers.


    3.1.58 software

    3.1.58.1 application software: Software specific to the user application in that it is the SIS functional description programmed in the PES to meet the overall Safety Requirement Specifications (see Clause 5). In general, it contains logic sequences, permissives, limits, expressions, etc., that control the appropriate input, output, calculations, and decisions necessary to meet the safety functional requirements.

    3.1.58.2 embedded software: Software that is part of the system supplied by the vendor and is not accessible for modification by the end user. Embedded software is also referred to as firmware or system software.

    3.1.58.3 utility software: Software tools for the creation, maintenance, and documentation of application programs. These software tools are not required for the operation of the SIS.

    3.1.59 spurious trip: Refers to the shutdown of the process for reasons not associated with a problem in the process that the SIS is designed to protect against (e.g., the trip resulted from a hardware fault, software fault, electrical fault, transient, ground plane interference, etc.). Other terms used include nuisance trip and false shutdown.

    3.1.60 systematic failures: Failures due to errors (including mistakes and acts of omission) in Safety Life Cycle activities that cause the SIS to fail under some particular combination of inputs or under a particular environmental condition. Systematic failures can arise in any Safety Life Cycle step.

    3.1.61 Test Interval (TI): Time between functional tests.

    3.1.62 user approved: Hardware, software, procedures, etc., that the user has evaluated and determined to be acceptable for the application.

    3.1.63 verification: Process of confirming for certain steps of the Safety Life Cycle that the objectives are met.

    3.1.64 voting system: Redundant system (e.g., "m" out of "n", one out of two [1oo2] to trip, two out of three [2oo3], etc.) that requires at least "m" of the "n" channels to be in agreement before the SIS can take an action.

    3.2 Acronyms

    BPCS: Basic Process Control System

    CFR: Code of Federal Regulations

    E/E/PES: Electrical/Electronic/Programmable Electronic System

    I/O: Input/Output

    MOC: Management of Change

    MTBF: Mean Time Between Failures

    MTTF: Mean Time To Failure

    MTTR: Mean Time To Repair

    OSHA: Occupational Safety and Health Administration


    PES: Programmable Electronic System

    PFD: Probability of Failure on Demand

    PHA: Process Hazards Analysis

    PSAT: Pre-Startup Acceptance Test

    PSSR: Pre-Startup Safety Review

    SIL: Safety Integrity Level

    SIS: Safety Instrumented Systems

    WDT: Watchdog Timer

    4 Safety life cycle

    NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

    4.1 Scope

    The clauses in this standard are organized based on the Safety Life Cycle (see Figure 4.1). The Safety Life Cycle covers the Safety Instrumented Systems (SIS) activities from initial conception through decommissioning. Note that this standard does not address the method for performing initial Safety Life Cycle activities, such as:

    a) Performing conceptual process design

    b) Performing Process Hazards Analysis & risk assessment

    c) Defining non-SIS protection layers

    d) Defining the need for an SIS

    e) Determining required Safety Integrity Level

    These activities are outside the scope of this standard.


    Figure 4.1 Safety Life Cycle


    During the Safety Life Cycle of a SIS, there may be points where iterations are necessary. A few of these are indicated in the Safety Life Cycle presented, but these should not be considered the only points where iteration may be necessary.

    4.2 Safety Life Cycle steps

    4.2.1 The first step in the Safety Life Cycle is concerned with the conceptual process design. The method for accomplishing this step is outside the scope of this standard.

    4.2.2 The second step is concerned with identifying the hazards and hazardous events for a process and assessing the level of risk involved. This standard does not address the methods for performing this analysis and evaluation but assumes it has taken place prior to applying the principles in this document. The method(s) for accomplishing this step is outside the scope of this standard.

    4.2.3 Once the hazards and risks have been identified, appropriate technology (including process and equipment modifications) is applied to eliminate the hazard, to mitigate its consequences, or to reduce the likelihood of the event. The third step involves the application of non-SIS protection layers to the process. The method(s) for accomplishing this step is outside the scope of this standard.

    4.2.4 Next an evaluation is made to determine if an adequate number of non-SIS protection layers have been provided.

    The desire is to provide an appropriate number of non-SIS protection layers, such that SIS protection layer(s) are not required. Therefore, consideration should be given to changing the process and/or its equipment utilizing various non-SIS protection techniques, before considering adding SIS protection layer(s). The method for accomplishing this step is outside the scope of this standard.

    4.2.5 If an SIS is appropriate, the next step is establishing the requirements for the SIS by defining a target Safety Integrity Level (SIL) (see Annex A for guidance). A SIL defines the level of performance needed to achieve the user's process safety objective. SILs are defined as 1, 2, and 3. SISs above SIL 3 are not addressed in this standard. The higher the SIL, the more available the safety function of the SIS. Performance is improved by the addition of redundancy, more frequent testing, use of diagnostic fault detection, use of diverse sensors and final control elements, etc. Performance is also improved through better control of design, operation, and maintenance procedures.

    Associated with each SIL is a range of average Probability of Failure on Demand (see Table 4.1).

    Table 4.1 Safety Integrity Level performance requirements

    SIS performance requirements      Safety Integrity Level
                                      1                2                 3
    Safety Availability Range         0.9 to 0.99      0.99 to 0.999     0.999 to 0.9999
    PFD Average Range                 10^-1 to 10^-2   10^-2 to 10^-3    10^-3 to 10^-4


    The SIL concept is utilized in several steps of the Safety Life Cycle. See Annex A for guidance on SIL determination. The method for accomplishing this step is outside the scope of this standard.

    4.2.6 The next step is developing Safety Requirement Specifications. The Safety Requirement Specifications document functional and integrity requirements for the SIS (see Clause 5).

    4.2.7 The next step involves developing the SIS Conceptual Designs that may meet the Safety Requirement Specifications. Annex B provides guidance on the selection of architectures to meet SIL requirements (see Clause 6).

    4.2.8 Once SIS Conceptual Design is complete, the detailed design can be performed (see Clause 7).

    4.2.9 Install the SIS (see Clause 8).

    4.2.10 After installation is complete, the Commissioning and Pre-Startup Acceptance Test (PSAT) of the SIS shall be performed (see Clause 8).

    4.2.11 SIS Operation and Maintenance Procedures may be developed at any step of the Safety Life Cycle and shall be completed prior to startup (see Clause 9).

    4.2.12 Prior to startup of the SIS, a Pre-Startup Safety Review (PSSR) shall take place. This PSSR shall include the following SIS activities:

    a) Verification that the SIS was constructed, installed, and tested in accordance with the Safety Requirement Specifications.

    b) Safety, operating, maintenance, Management of Change (MOC), and emergency procedures pertaining to the SIS are in place and are adequate.

    c) PHA recommendations that apply to the SIS have been resolved or implemented.

    d) Employee training has been completed and includes appropriate information about the SIS.

    The planning and execution of this activity is outside the scope of this standard.

    4.2.13 After PSSR, the SIS may be placed in operation. This step includes startup, normal operation, maintenance, and periodic Functional Testing (see Clause 9).

    4.2.14 If modifications are proposed, their implementation shall follow a Management of Change (MOC) procedure. The appropriate steps in the Safety Life Cycle shall be repeated to address the safety impact of the change (see Clause 10).

    4.2.15 At some time, the need for the SIS will cease. For example, this may be caused by plant closure, or the removal or change of the process. The decommissioning of the SIS shall be planned, and appropriate steps should be taken to ensure that this is accomplished in a manner that does not compromise safety (see Clause 11).


    5 Safety requirements specifications development

    NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

    5.1 Objective

    The objective is to develop specifications for Safety Instrumented Systems (SIS) design. These Safety Requirement Specifications consist of both safety functional requirements and safety integrity requirements. The Safety Requirement Specifications can be a collection of documents or information.

    5.2 Input requirements

    The information required from the Process Hazards Analysis (PHA) or process design team to develop the Safety Requirement Specifications includes the following.

    5.2.1 A list of the safety function(s) required and the SIL of each safety function.

    5.2.2 Process information (incident cause, dynamics, final elements, etc.) of each potential hazardous event that requires a SIS.

    5.2.3 Process common cause failure considerations such as corrosion, plugging, coating, etc.

    5.2.4 Regulatory requirements impacting the SIS.

    5.3 Safety functional requirements

    The safety functional requirements shall include the following.

    5.3.1 The definition of the safe state of the process, for each of the identified events.

    5.3.2 The process inputs to the SIS and their trip points.

    5.3.3 The normal operating range of the process variables and their operating limits.

    5.3.4 The process outputs from the SIS and their actions.

    5.3.5 The functional relationship between process inputs and outputs, including logic, math functions, and any required permissives.

    5.3.6 Selection of de-energized to trip or energized to trip.

    5.3.7 Consideration for manual shutdown.

    5.3.8 Action(s) to be taken on loss of energy source(s) to the SIS.


    5.3.9 Response time requirements for the SIS to bring the process to a safe state.

    5.3.10 Response action to any overt fault.

    5.3.11 Human-machine interfaces requirements.

    5.3.12 Reset function(s).

    5.4 Safety integrity requirements

    Safety integrity requirements shall include the following.

    5.4.1 The required SIL for each safety function.

    5.4.2 Requirements for diagnostics to achieve the required SIL (see B.9 for guidance).

    5.4.3 Requirements for maintenance and testing to achieve the required SIL.

    5.4.4 Reliability requirements if spurious trips may be hazardous.

    6 SIS conceptual design

    NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

    6.1 Objectives

    To define those requirements needed to develop and verify a SIS Conceptual Design that meets the Safety Requirements Specifications.

    6.2 Conceptual design requirements

    6.2.1 The Safety Instrumented Systems (SIS) architecture for each safety function shall be selected to meet its required Safety Integrity Level (SIL) (e.g., the selected architecture may be one out of one [1oo1], 1oo2 voting, 2oo3 voting, etc.).

    6.2.2 A SIS may have a single safety function or multiple safety functions that have a common logic solver and/or input and output devices. When multiple safety functions share common components, the common components shall satisfy the highest SIL of the shared safety functions. Components of the system that are not common must meet the SIL requirements for the safety function that they address. When multiple SISs are combined in a system where they share common logic or components, the potential for common cause faults is increased. Programming, accessibility, maintenance, power supplies, and security are typical common cause issues to consider.


    6.2.3 The desired SIL shall be met through a combination of the following design considerations:

    a) Separation - identical or diverse (see B.1 for guidance)

    b) Redundancy - identical or diverse (see B.2 for guidance)

    c) Software design considerations (see B.3 for guidance)

    d) Technology selection (see B.4 for guidance)

    e) Failure rates and failure modes (see B.5 for guidance)

    f) Architecture (see B.6 for guidance)

    g) Power sources (see B.7 for guidance)

    h) Common cause failures (see B.8 for guidance)

    i) Diagnostics (see B.9 for guidance)

    j) Field devices (see B.10 for guidance)

    k) User interface (see B.11 for guidance)

    l) Security (see B.12 for guidance)

    m) Wiring practices (see B.13 for guidance)

    n) Documentation (see B.14 for guidance)

    o) Functional test interval (see B.15 for guidance)

    7 SIS detailed design

    NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

    7.1 Objective

    To provide detailed requirements for the design of the Safety Instrumented Systems (SIS) to achieve the requirements of the Safety Requirement Specifications and conceptual design.

    7.2 General requirements

    7.2.1 The SIS design shall be capable of meeting the Safety Integrity Level (SIL).

    7.2.2 The SIS may include sequencing functions to take the process to or maintain it in a safestate.


    7.3.5 The logic solver shall be designed to ensure the process will not automatically restart when power is restored, unless Process Hazards Analysis indicates this is appropriate.

    7.4 Field devices

    7.4.1 General requirements

    7.4.1.1 Energize to trip discrete input/output circuits shall apply a method to assure circuit integrity (e.g., end-of-line monitoring, such as a pilot current continuously monitored to ensure circuit continuity; the pilot current shall not be of sufficient magnitude to affect proper I/O operation).

    7.4.1.2 When remote input/output is used, it shall be evaluated in conjunction with the logic solver (see B.6 for guidance).

    7.4.1.3 Each individual field device shall have its own dedicated wiring to the system Input/Output, except in the following cases:

    a) Multiple discrete sensors connected in series to a single input if the sensors monitor the same process condition (e.g., motor overloads)

    b) Multiple Final Control Elements (FCE) connected to a single output if each FCE services the same process condition

    c) User approved systems such as fire and gas detection systems

    d) See 1.2.10 for ISA SP50 Fieldbus.

    7.4.1.4 Field devices shall be selected and installed to minimize failures that could result in inaccurate information due to conditions arising from the process and environmental conditions. Conditions that shall be considered include corrosion, freezing of materials in pipes, suspended solids, polymerization, coking, and temperature and pressure extremes.

    7.4.2 Sensor requirements

    7.4.2.1 Smart sensors shall be write protected to prevent inadvertent modification from a remote location, unless appropriate safety review allows the use of read/write.

    7.4.2.2 Sensors for SIS shall be separated from the sensors for the Basic Process Control System (BPCS). Two exceptions are allowed provided the failure of the sensor does not create a condition that the SIS is intended to protect against:

    a) If redundant sensors are used, they may be connected to both the BPCS and the SIS provided that any failure in the BPCS will not affect the proper operation of the sensor or the ability of the SIS to read the sensor properly (see B.1.5).

    b) If the PHA determines that one or more protection layers other than the BPCS and the SIS offers protection redundant to that provided by the sensor (for further guidance, see Annex A).

    7.4.2.3 Sensor diagnostics, vendor or user supplied, shall be provided as required to meet the SIL (see B.9 for guidance).


    7.4.3 Final control element requirements

    7.4.3.1 A control valve from the BPCS shall not be used as the only final element for SIL 3. A safety review shall be required to use a single BPCS control valve as the only final element for SIL 1 and 2. For additional information, see B.1.6.

    7.4.3.2 Motor starters

    Motor starters are typically common to both the BPCS and the SIS unless the Process Hazards Analysis dictates otherwise (see B.10.4.3 for guidance).

    7.5 Interfaces

    This section addresses all human-machine and communication interfaces to the SIS. These can include, but are not limited to

    a) operator interface(s);

    b) maintenance/engineering interface(s); and

    c) communication interface(s).

    7.5.1 Operator interface requirements

    Operator interface refers to that media (e.g., CRTs, indicating lights, push-buttons, horns, alarms, etc.) used to communicate information between the operator and the SIS.

    7.5.1.1 The operator interface system design shall take into consideration the loss of the SIS operator interface and the resulting requirements as defined by appropriate safety review. The design shall ensure that, upon failure of the SIS operator interface, sufficient alternate means shall be provided for the operator to bring the process to a safe state and that the automatic functions of the SIS are not compromised.

    7.5.1.2 The SIS status information that is critical to maintaining the SIL shall be available as part of the operator interface. This information may include

    a) where the process is in its sequence;

    b) indication that SIS protective action has occurred;

    c) indication that a protective function is bypassed;

    d) indication that automatic action(s) such as degradation of voting and/or fault handling has occurred;

    e) status of sensors and final control elements;

    f) the loss of energy where that energy loss impacts safety;

    g) the results of comparison diagnostics; and

    h) failure of environmental conditioning equipment that is necessary to support the SIS.


    7.5.1.3 Changes to the SIS application software shall not be allowed from the SIS operator interface. Where the SIS maintenance/engineering interface is used as the operator interface to the SIS, changes to application software from this interface shall require appropriate safety review and access security. There may be some safety-related information that needs to be transmitted from the BPCS to the SIS. For example, in batch systems a SIS may have different setpoints or logic functions depending on the recipe being used. If so, the operator interface may be used to select the appropriate logic function in the SIS or may be used to select recipe-specific tables. For these types of applications, use only SIS systems that offer the ability to selectively allow writing to a SIS variable that is accessible to the BPCS (see B.1.8 for additional guidance), and a confirmation procedure to ensure the proper selection has been transmitted and received in the SIS.

    Enabling and disabling the read-write access shall be done only by a configuration or programming process using the Maintenance/Engineering Interface with appropriate documentation and security measures. An Operator Interface shall not be allowed to perform this function.
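    The access rules in 7.5.1.3 above (selective write enable, engineering-interface-only configuration, confirmation of what the SIS received) can be stated as a small gate in front of each BPCS-writable SIS variable. The Python below is an added example written for this edition, not code from ANSI/ISA-S84.01-1996 or from any SIS vendor; the tag name, the pre-shared credential check standing in for "security measures", and the write / read-back / confirm handshake standing in for the "confirmation procedure" are assumptions for illustration.

```python
"""Added example, not code from ANSI/ISA-S84.01-1996: a write gate for an
SIS variable that the BPCS may select (the recipe-dependent setpoint case
of 7.5.1.3), enforcing 7.5.1.3 and 7.5.2.2 a).  Names, the credential check
and the write/read-back/confirm handshake are ASSUMPTIONS for illustration."""
from enum import Enum


class Source(Enum):
    OPERATOR = "operator interface"
    BPCS = "BPCS"
    ENGINEERING = "maintenance/engineering interface"


class AccessDenied(Exception):
    pass


class SisWriteGate:
    def __init__(self, variables, engineering_credentials):
        self._values = dict(variables)                  # SIS variables, current values
        self._bpcs_writable = set()                     # variables opened to BPCS writes
        self._pending = {}                              # name -> value awaiting confirmation
        self._credentials = set(engineering_credentials)  # assumption: pre-shared secrets
        self.log = []                                   # audit trail for MOC / PSSR review

    def _check_engineering(self, source, credential):
        if source is not Source.ENGINEERING:
            raise AccessDenied("only the maintenance/engineering interface may do this")
        if credential not in self._credentials:
            raise AccessDenied("engineering interface: authentication failed")

    def set_bpcs_writable(self, name, enabled, source, credential):
        """7.5.1.3: enabling or disabling read-write access is a configuration
        step on the engineering interface, with security and documentation.
        An operator interface is refused regardless of credential."""
        self._check_engineering(source, credential)
        if name not in self._values:
            raise KeyError(name)
        if enabled:
            self._bpcs_writable.add(name)
        else:
            self._bpcs_writable.discard(name)
        self.log.append(("rw-access", name, enabled, source.value))

    def write(self, name, value, source, credential=None):
        """Stage a write.  The operator interface can never write; the BPCS
        may write only variables explicitly opened to it; the engineering
        interface must authenticate.  Nothing takes effect until confirm()."""
        if name not in self._values:
            raise KeyError(name)
        if source is Source.OPERATOR:
            raise AccessDenied("operator interface may not change SIS variables")
        if source is Source.BPCS and name not in self._bpcs_writable:
            raise AccessDenied(f"{name} is not enabled for BPCS writes")
        if source is Source.ENGINEERING:
            self._check_engineering(source, credential)
        self._pending[name] = value
        self.log.append(("write-pending", name, value, source.value))

    def read_back(self, name):
        """What the SIS actually received; the sender compares it with what
        it sent before confirming (the confirmation procedure of 7.5.1.3)."""
        return self._pending.get(name, self._values[name])

    def confirm(self, name, echoed_value, source):
        """Commit the pending write only if the sender's echo matches what the
        SIS holds; otherwise discard it (mis-addressed or corrupted write)."""
        if name not in self._pending:
            raise AccessDenied(f"no pending write for {name}")
        staged = self._pending.pop(name)
        if echoed_value != staged:
            self.log.append(("write-rejected", name, echoed_value, source.value))
            return False
        self._values[name] = staged
        self.log.append(("write-committed", name, staged, source.value))
        return True

    def value(self, name):
        return self._values[name]
```

    The gate keeps the two decisions the clause separates: which variables the BPCS may touch at all is fixed from the engineering interface and logged, while each individual selection is accepted only after the BPCS has read back and confirmed the value the SIS holds, so a write that lands on the wrong tag or arrives corrupted is discarded rather than applied.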

    7.5.2 Maintenance/Engineering interface requirements

    Maintenance/Engineering interface is that media provided to allow proper SIS maintenance. It can include instructions and diagnostics that may be found in software, programming terminals, diagnostic tools, indicators, bypass devices, test devices, and calibration devices.

    7.5.2.1 The design of the SIS maintenance/engineering interface shall ensure that any failure of this interface shall not adversely affect the ability of the SIS to bring the process to a safe state. This may require disconnecting of maintenance/engineering interfaces, such as programming panels, during normal SIS operation.

    7.5.2.2 The maintenance/engineering interface shall provide the following functions:

    a) Access security protection to the SIS operating mode, program, data, means of disabling alarm communication, test, bypass, maintenance, etc.

    b) Access to SIS diagnostic, voting and fault handling services

    c) Access to add, delete, or modify application software

    d) Access to data necessary to troubleshoot the SIS

    7.5.3 Communication interface requirements

    Communication interface refers to hardware and software communication between the SIS and other devices such as the operator interfaces, maintenance/engineering interfaces, BPCS, network or peripherals.

    7.5.3.1 The design of the communication interface of the SIS shall ensure that any failure of the communication interface shall not adversely affect the ability of the SIS to bring the process to a safe state.

    7.5.3.2 Communication signals shall be isolated from other energy sources through the use of good engineering practices, such as the use of shielded cable while maintaining a single ground plane with a single dedicated power source, or the use of fiber optics.


    7.6 Power sources

    The design shall ensure that each power source meets the needs of the SIS as specified in the Safety Requirement Specifications (see B.7 for guidance).

    7.7 System environment

    The system environment must be addressed to ensure proper SIS operation. This may require consideration of the following: temperature, humidity, contaminants, grounding, Electromagnetic Interference/Radio Frequency Interference (EMI/RFI), shock/vibration, electrostatic discharge, electrical area classification, flooding, etc.

    7.7.1 All environmental conditions to which the SIS will be exposed and the operating environmental specifications for all components of the SIS shall be considered in the system design.

    7.7.2 The system design shall take specific steps to resolve all differences between the environmental conditions and equipment specifications in a manner that will allow the SIS to perform in accordance with the Safety Requirement Specifications, such as installing heating, ventilation/air conditioning equipment, and/or air filtration.

    7.8 Application logic requirements

    7.8.1 Application logic for electrical systems

    7.8.1.1 Only application logic under the control of a formal revision and release control program shall be provided and considered for use on a SIS.

    7.8.1.2 The application logic formal revision and release control program shall be provided and maintained by the user.

    7.8.1.3 The user shall ensure the application logic is documented in a clear, precise, and complete way (see B.14 for guidance).

    7.8.2 Application logic for electronic system

    7.8.2.1 Only application logic under the control of a formal revision and release control program shall be provided and considered for use on a SIS.

    7.8.2.2 The application logic formal revision and release control program shall be provided and maintained by the user.

    7.8.2.3 The user shall ensure the application logic is documented in a clear, precise, and complete way (see B.14 for guidance).


    7.8.3 Application logic for PES

    Software discussed in this subclause addresses the SIS applications. Embedded and utility software is discussed as far as it impacts application software.

    7.8.3.1 Only software under the control of a formal revision and release control program shall be provided and considered for use on a SIS.

    7.8.3.2 The embedded software and utility software formal revision and release control programs shall be provided and maintained by the SIS manufacturer(s). The manufacturer(s) shall also provide and maintain a bug list and advise customers of any software faults which may lead to a failure to function on demand.

    7.8.3.3 The user shall not modify the SIS embedded or utility software.

    7.8.3.4 The user shall ensure the application software is documented in a clear, precise, andcomplete way (see B.3 and B.14 for guidance).

    7.8.3.5 The application software formal revision and release control programs shall be maintainedby the user.

    7.9 Maintenance or testing design requirements

    7.9.1 The design shall allow for testing of the overall system. It shall be possible to test final element actuation in response to sensor operation. Where the interval between scheduled process downtime is greater than the functional test interval, then on-line testing facilities are required.

    7.9.2 When on-line functional testing is required, test facilities shall be an integral part of the SIS design to test for covert failures.

    7.9.3 When test and/or bypass facilities are included in the SIS, they shall conform with the following:

    a) SIS shall be designed in accordance with the maintenance and testing requirements defined in the Safety Requirement Specifications.

    b) The operator shall be alerted to the bypass of any portion of the SIS via an alarm and/or operating procedure.

    c) Bypassing of any portion of the SIS shall not result in the loss of detection and/or annunciation of the condition(s) being monitored.

    7.9.4 Forcing of inputs and outputs shall not be used as a part of:

    a) application software;

    b) operating procedure(s); and

    c) maintenance, except as noted.

    Forcing of inputs and outputs without taking the SIS out of service shall not be allowed unless supplemented by procedures and access security. Any such forcing shall be annunciated or alarmed, as appropriate.
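    The m-out-of-n voting of 3.1.64 and 6.2.1, the degradation of voting that 7.5.1.2 d) requires to be indicated to the operator, and the bypass rules of 7.9.3 b) and c) all describe the behaviour of one piece of trip logic, so a single added example serves all three passages. The Python below is written for this edition and is not code from ANSI/ISA-S84.01-1996 or from any logic solver vendor. The degradation policy it implements (drop one from m for each channel removed from the vote, never below 1oo1; trip if only diagnosed-faulty channels remain; trip inhibited but detection kept if every channel is bypassed) and the tag names are assumptions; a real SIS follows whatever its Safety Requirement Specifications say.

```python
"""Added worked example, not part of ANSI/ISA-S84.01-1996: an m-out-of-n
trip voter (3.1.64, 6.2.1) with two behaviours the standard requires but
does not show in code:
  - degradation of voting when diagnostics flag a channel as faulty,
    which 7.5.1.2 d) says must be indicated to the operator;
  - maintenance bypass of a channel (7.9.3): the bypassed channel is left
    out of the trip decision, but its trip condition is still detected and
    annunciated, and the bypass itself raises an alarm.
The degradation policy (drop one from m per removed channel, never below
1oo1; trip if only faulty channels remain; trip inhibited, detection kept,
if every channel is bypassed) is an ASSUMED convention, not one the
standard mandates."""
from dataclasses import dataclass, field


@dataclass
class Channel:
    name: str
    tripped: bool           # sensor reports the trip condition
    fault: bool = False     # diagnostics have flagged the channel as failed
    bypassed: bool = False  # maintenance bypass in effect


@dataclass
class VoteResult:
    trip: bool
    effective_vote: str     # e.g. "2oo3", "1oo2", "none"
    annunciations: list = field(default_factory=list)


def moon_vote(m, channels):
    """Plain MooN: trip when at least m of the n channels demand a trip."""
    n = len(channels)
    if not 1 <= m <= n:
        raise ValueError("m must be between 1 and n")
    return sum(c.tripped for c in channels) >= m


def vote(m, channels):
    """MooN voting with degradation and bypass handling (see module docstring).
    Every channel removed from the vote, and every degradation step, is
    recorded so the operator interface can annunciate it (7.5.1.2 c, d)."""
    n = len(channels)
    if not 1 <= m <= n:
        raise ValueError("m must be between 1 and n")
    annunciations = []
    voting = []
    removed = 0
    for c in channels:
        if c.bypassed:
            annunciations.append(f"{c.name}: BYPASSED (alarm)")          # 7.9.3 b)
            if c.tripped:                                                # 7.9.3 c)
                annunciations.append(f"{c.name}: trip condition present while bypassed")
            removed += 1
        elif c.fault:
            annunciations.append(f"{c.name}: diagnosed fault, removed from vote")
            removed += 1
        else:
            voting.append(c)
    if not voting:
        if any(c.fault and not c.bypassed for c in channels):
            annunciations.append("no healthy channel left; tripping (fail-safe)")
            return VoteResult(True, "none", annunciations)
        annunciations.append("all channels bypassed: trip inhibited, detection only")
        return VoteResult(False, "none", annunciations)
    # Assumed policy: 2oo3 -> 1oo2 -> 1oo1 as channels drop out (safety-biased;
    # a 2oo2 fallback would favour availability instead, at the cost of PFD).
    m_eff = min(max(1, m - removed), len(voting))
    if removed:                                                          # 7.5.1.2 d)
        annunciations.append(f"voting degraded from {m}oo{n} to {m_eff}oo{len(voting)}")
    trip = sum(c.tripped for c in voting) >= m_eff
    return VoteResult(trip, f"{m_eff}oo{len(voting)}", annunciations)


if __name__ == "__main__":
    # Constructed input: three redundant pressure transmitters voted 2oo3.
    demo = [Channel("PT-101A", True), Channel("PT-101B", False, fault=True),
            Channel("PT-101C", False)]
    result = vote(2, demo)
    print(result.trip, result.effective_vote)
    for line in result.annunciations:
        print(" ", line)
```

    The safety-biased fallback is deliberate: it keeps the PFD of the degraded function low but raises the chance of a spurious trip, which is exactly the trade-off 5.4.4 asks the Safety Requirement Specifications to settle when spurious trips may themselves be hazardous.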


    8 Installation, commissioning, and pre-startup acceptance test

    NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

    8.1 Objective

    8.1.1 The objective of this clause is to ensure that the Safety Instrumented Systems (SIS) is installed per the detailed design and performs per the Safety Requirement Specifications.

    8.1.2 Any modification or change to SIS-specific equipment during installation, commissioning, or Pre-Startup Acceptance Test (PSAT) shall require a return to the appropriate phase (the one first affected by the change) of the Safety Life Cycle.

    8.2 Installation

    8.2.1 All equipment shall be installed per the design.

    8.3 Commissioning

    8.3.1 Commissioning ensures the SIS is installed per the detailed design and is ready for thePre-Startup Acceptance Test.

    8.3.2 The SIS commissioning activities shall include, but may not be limited to, confirmation that the following are installed per the detailed design documents and are performing as specified in the Safety Requirement Specifications:

    a) Equipment and wiring are properly installed.

    b) Energy sources are operational.

    c) All instruments have been properly calibrated.

    d) Field devices are operational.

    e) Logic solver and Input/Output are operational.

    8.4 Pre-Startup Acceptance Test (PSAT)

    8.4.1 A PSAT provides a full functional test of the SIS to show conformance with the Safety Requirement Specifications. The PSAT shall include, but may not be limited to, confirmation of the following:

    a) SIS communicates (where required) with the Basic Process Control System or any other system or network.


    b) Sensors, logic, computations, and final control elements perform in accordance with the Safety Requirement Specifications.

    c) Safety devices are tripped at the setpoints as defined in the Safety Requirement Specifications.

    d) The proper shutdown sequence is activated.

    e) The SIS provides the proper annunciation and proper operation display.

    f) The accuracy of any computations that are included in the SIS.

    g) That the system total and partial reset functions as planned.

    h) Bypass and bypass reset functions operate correctly.

    i) Manual shutdown systems operate correctly.

    j) Test interval is documented in maintenance procedures consistent with SIL requirements.

    k) SIS documentation is consistent with actual installation and operating procedures.

    8.4.2 A PSAT shall be satisfactorily completed prior to the introduction of hazards the SIS isdesigned to prevent or mitigate.

    8.4.3 Accuracy of calibration of test instruments used in the PSAT shall be consistent with the application. For example, the margin between the SIS setpoint and the hazardous process condition may be used to determine the required accuracy.

    8.4.4 Documentation to substantiate completion of the Commissioning and PSAT shall be completed prior to the introduction of hazards the SIS is designed to prevent or mitigate.

    As a minimum, this documentation shall include the following:

    a) Identification of the SIS that has been tested

    b) Confirmation that Commissioning is complete

    c) Date the PSAT was performed

    d) Reference to the procedures used in the PSAT

    e) Authorized signature that indicates PSAT has been satisfactorily completed

    9 SIS operation and maintenance

    NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

    9.1 Objective

    The objective of this clause is to ensure that the Safety Instrumented System (SIS) functions in accordance with the Safety Requirement Specifications throughout the SIS operational life.

    9.2 Training

    9.2.1 Employees involved in the operation and maintenance activities of the SIS shall be properly trained.

    9.2.2 Employee training shall adhere to requirements specified in applicable regulation(s) (e.g., OSHA 29CFR1910.119, Reference C.11).

    9.3 Documentation

    The user shall have appropriate documentation (as noted in each Clause 9 subsection) and shall keep the documentation current (see B.14 for guidance).

    9.4 SIS operating procedures

    Operating procedures shall be written to explain the safe and correct methods of operating the SIS. These procedures are typically part of the unit operating procedures. These procedures should include, but not be limited to, the following:

    a) Limits of safe operation (i.e., trip points) and the safety implications of exceeding them

    b) How the SIS takes the process to a safe state

    c) The correct use of operational bypasses, permissives, system reset, etc. (where required)

    d) The correct response to SIS alarms and trips

    9.5 Maintenance program

    9.5.1 A maintenance program shall be established, which includes written procedures for maintaining, testing, and repairing the SIS.

    9.5.2 SIS maintenance shall include, but not be limited to, the following:

    a) Regularly scheduled functional testing of the SIS

    b) Regularly scheduled preventative maintenance, as required (e.g., replacement of ventilation filters, lubrication, battery replacement, calibration, etc.)

    c) Repair of detected faults, with appropriate testing after repair

    9.6 Testing, inspection, and maintenance

    9.6.1 Vendor manuals that describe the SIS maintenance and testing requirements (e.g., battery maintenance, fuse replacement) may be included in the maintenance procedures.

    9.6.2 Bypassing may be necessary. If the process is hazardous while a SIS function is being bypassed, administrative controls and written procedures shall be provided to maintain the safety of the process.

    9.6.3 The user shall have a periodic inspection program for the SIS to detect equipment faults, defects, etc.

    9.7 Functional testing

    Not all system faults are self-revealing. Covert faults that may inhibit SIS action on demand can only be detected by testing the entire system.

    9.7.1 Periodic Functional Tests shall be conducted using a documented procedure (see 9.7.4.1) to detect covert faults that prevent the SIS from operating per the Safety Requirement Specifications.

    9.7.2 The entire SIS shall be tested including the sensor(s), the logic solver, and the final element(s) (e.g., shutdown valves, motors).

    9.7.3 Frequency of functional testing

    9.7.3.1 The SIS shall be tested at specific intervals based on the frequency specified in the Safety Requirement Specifications (see B.15 for guidance). Note that different portions of the SIS may require different periodic test intervals.

    9.7.3.2 At some periodic interval (determined by the user), the frequency(s) of testing for the SIS or portions of the SIS shall be re-evaluated based on historical data, plant experience, hardware degradation, software reliability, etc.

    9.7.3.3 Any change to the application logic requires full functional testing. Exceptions to this are allowed if appropriate review and partial testing of changes are done to ensure the SIL has not been compromised.

    9.7.4 Functional testing procedures

    9.7.4.1 A documented functional test procedure, describing each step to be performed, shall be provided for each SIS.

    9.7.4.2 Any deficiencies found during the functional testing shall be repaired in a safe and timely manner.

    9.7.4.3 The functional testing procedures shall include, but not be limited to, verifying the following:

    a) Operation of all input devices including primary sensors and SIS input modules

    b) Logic associated with each input device

    c) Logic associated with combined inputs

    d) Trip initiating values (setpoints) of all inputs

    e) Alarm functions

    f) Speed of response of the SIS when necessary

    g) Operating sequence of the logic program

    h) Function of all final control elements and SIS output modules

    i) Computational functions performed by the SIS

    j) Function of the manual trip to bring the system to its safe state

    k) Function of user diagnostics

    l) Complete system functionality

    m) The SIS is operational after testing.

    9.7.5 On-line functional testing

    9.7.5.1 Procedures shall be written to allow on-line functional testing (if required).

    9.7.5.2 For those applications where exercising the final trip element may not be practical, the procedure shall be written to include

    a) testing the final element during unit shut down; and

    b) exercising the output(s) as far as practical (e.g., output trip relay, shut down solenoid, partial valve movement) during on-line testing.

    9.8 Documentation of functional testing

    9.8.1 A description of all tests performed shall be documented. The user shall maintain records to certify that tests and inspections have been performed.

    9.8.2 Documentation shall include the following information as a minimum:

    a) Date of inspection

    b) Name of the person who performed the test or inspection

    c) Serial number or other unique identifier of equipment (loop number, tag number, equipment number, user approved number, etc.)

    d) Results of inspection/test ("as-found" and "as-left" condition)

    10 SIS Management Of Change (MOC)

    NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

    10.1 Objective

    The objective of this clause is to ensure that the management of change requirements are addressed in any changes made to an operating SIS.

    10.2 MOC procedure

    10.2.1 A written procedure shall be in place to initiate, document, review the change, and approve changes to the SIS other than "replacement in kind" (e.g., OSHA 29 CFR 1910.119, Section B) (see Reference C.11 for guidance).

    The MOC Procedure could be required as a result of

    a) modification to the operating procedure;

    b) modification necessary because of new or amended safety legislation;

    c) modifications to the process;

    d) modification to the Safety Requirement Specifications;

    e) modifications to fix software or firmware errors;

    f) modifications to correct systematic failures;

    g) modification as a result of a failure rate higher than desired;

    h) modifications resulting from increased demand rate on the SIS; and

    i) modifications to software (embedded, utility, application).

    10.2.2 The MOC procedure shall ensure that the following considerations are addressed prior to any change:

    a) The technical basis for the proposed change

    b) Impact of change on safety and health

    c) Modifications for operating procedures

    d) Necessary time period for the change

    e) Authorization requirements for the proposed change

    f) Availability of memory space

    g) Effect on response time

    h) On-line versus off-line change, and the risks involved

    10.2.3 The review of the change shall ensure

    a) that the required safety integrity has been maintained; and

    b) personnel from appropriate disciplines have been included in the review process.

    10.2.4 Personnel affected by the change shall be informed of the change and trained prior to implementation of the change or startup of the process, as appropriate.

    10.2.5 All changes to the SIS shall initiate a return to the appropriate phase (first phase affected by the modification) of the Safety Life Cycle. All subsequent Safety Life Cycle phases shall then be carried out, including appropriate verification that the change has been carried out correctly and documented. Implementation of all changes (including application software) shall adhere to the previously established SIS design procedures.

    10.3 MOC documentation

    10.3.1 All changes to operating procedures, process safety information, and SIS documentation (including software) shall be noted prior to startup and updated accordingly.

    10.3.2 The documentation shall be appropriately protected against unauthorized modification, destruction, or loss.

    10.3.3 All SIS documents shall be revised, amended, reviewed, approved, and be under the control of an appropriate document control procedure.

    11 Decommissioning

    NOTE THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

    11.1 Objective

    11.1.1 To ensure proper review prior to permanently retiring a Safety Instrumented System (SIS) from active service.

    11.2 General

    11.2.1 Management of Change procedures shall be implemented for all decommissioning activities (see Clause 10).

    11.2.2 The impact of decommissioning an SIS on adjacent operating units and facility services shall be evaluated prior to decommissioning.

    12 Differences

    NOTE THIS CLAUSE IS PART OF THIS STANDARD. IT ILLUSTRATES THE KEY DIFFERENCES BETWEEN ISA-S84.01 AND IEC DRAFT PUBLICATION 1508.

    Generally, ISA-S84.01 varies from IEC draft Publication 1508-1995, Parts 1 through 7. These differences are discussed in 12.1 Terminology, 12.2 Organizational, and 12.3 Technical, and are based on the comparison of published S84.01 to a 1995 version of IEC draft Publication 1508 that is undergoing much change. When IEC draft Publication 1508 is published, the SP84 committee will revisit Clause 12 then revise and reissue S84.01, if required.

    This clause only compares the normative portion (i.e., Parts 1, 2, 3, and 4) of IEC draft Publication 1508 to ISA-S84.01.

    The modes of operation in which a Safety Instrumented System is intended to be used are classified as follows:

    a) Demand Mode: SIS designed to attain appropriate probability of failure to perform its design function on demand

    b) Continuous Mode: SIS designed to attain appropriate probability of a dangerous failure per year (e.g., Avionics). This standard does not address this continuous mode of operation.

    12.1 Terminology

    IEC draft Publication 1508 (Part 4): E/E/PES Safety Related System
    ISA-S84.01: SIS
    Comment: IEC draft Publication 1508 refers to Safety Related Systems utilizing all technologies, while S84.01 refers only to technologies utilizing Safety Instrumented Systems.

    IEC draft Publication 1508 (Part 4): PES
    ISA-S84.01: PES
    Comment: IEC draft Publication 1508 "PES" includes sensors & final control elements, while S84.01 "PES" does not include sensors & final control elements.

    IEC draft Publication 1508 (Part 4): EUC
    ISA-S84.01: Process
    Comment: IEC draft Publication 1508 uses "equipment under control" as a generic term for the process S84.01 uses.

    IEC draft Publication 1508 (Part 4): Assessment
    ISA-S84.01: PSSR
    Comment: IEC draft Publication 1508 refers to assessment where S84.01 refers to verifications and pre-startup safety review (PSSR).

    IEC draft Publication 1508 (Part 4): Functional Requirements Specification
    ISA-S84.01: Safety Requirement Specifications
    Comment: IEC draft Publication 1508 refers to functional requirements specification, while S84.01 refers to Safety Requirement Specifications.

    12.2 Organizational differences

    ISA-S84.01 is prepared by instrumentation personnel for ISA, the international society for measurement and control, and American National Standards Institute (ANSI). As such, it does not detail information of process hazards reviews and those issues presently mandated by U.S.A. regulations such as OSHA 29 CFR 1910.119.

    The result is training, management of change, personnel certification, and process hazards reviews are only briefly discussed and references provided. IEC draft Publication 1508 discusses these issues in greater depth.

    IEC draft Publication 1508 (Part 1): Specifies the requirements for achieving functional safety of external risk reduction facilities
    ISA-S84.01: Does not specify external risk reduction facilities requirements for achieving functional safety

    IEC draft Publication 1508 (Part 1): Applies to the total combination of safety related systems and external risk reduction facilities
    ISA-S84.01: Applies only to E/E/PES safety related systems (e.g., SIS)

    IEC draft Publication 1508 (Part 1): Applies Safety Integrity Levels (SIL) to external risk reduction facilities
    ISA-S84.01: Does not apply Safety Integrity Levels (SIL) to external risk reduction facilities

    IEC draft Publication 1508 (Part 1): Mandates the use of ISO 9000 Series of Quality Systems or equivalent
    ISA-S84.01: Does not mandate the use of ISO 9000 Series of Quality Systems

    IEC draft Publication 1508 (Part 1): Mandates the use of Tables in IEC draft Publication 1508 that specify minimum level of independence of person, department, organization
    ISA-S84.01: Does not mandate the use of IEC draft Publication 1508 Tables

    IEC draft Publication 1508 (Part 1): Mandates the documentation of rationale for not implementing "Highly Recommended" measures or techniques in IEC draft Publication 1508
    ISA-S84.01: Does not mandate documentation of reasons for using a different implementation scheme

    IEC draft Publication 1508 (Part 1): Mandates the use of a Safety Plan (see details that follow)
    ISA-S84.01: Mandates documentation consistent with OSHA 1910.119, Reference C.11 - Safety Plan not required

    IEC draft Publication 1508 (Part 1): (4.6) Mandates adhering to respective Measures and Techniques
    ISA-S84.01: Does not mandate adhering to any specific measure or technique. Does mandate use of good engineering practice

    IEC draft Publication 1508 (Part 1): (4.6) Mandates witnessing tests to ensure compliance with this standard
    ISA-S84.01: Does not mandate witnessing tests to ensure compliance

    IEC draft Publication 1508 (Part 1): (5) Addresses "Competence of Persons" by providing detailed requirements in addition to ISO 9000
    ISA-S84.01: Refers "Competence of Persons" to OSHA 1910.119, Reference C.11

    IEC draft Publication 1508 (Part 1): (6.0) Defines "Safety Management" activities during the whole Safety Life Cycle
    ISA-S84.01: Does not address management issues, except management of change

    IEC draft Publication 1508 (Part 1): (7.1) Mandates that each phase of the overall Safety Life Cycle be followed by planned verification activity, documented with design review, testing, and analysis of results
    ISA-S84.01: Mandates commissioning and Pre-Startup Acceptance Test (PSAT) of the SIS with appropriate documentation (see 8.3 & 8.4)

    IEC draft Publication 1508 (Part 1): (7.1.3.2) Mandates ISO 9000 procedures plus IEC draft Publication 1508 requirements be implemented for all aspects of the Safety Life Cycle
    ISA-S84.01: Does not mandate the use of ISO 9000

    IEC draft Publication 1508 (Part 1): (7.1.3.1) Mandates adhering to each step in the Safety Life Cycle and providing a documented Safety Plan defining deviations
    ISA-S84.01: Does not address conceptual process design, process hazard and risk analysis, non-SIS protection layers, need for a SIS and determining required SIL. SP84 requires that these activities be completed prior to implementation of SP84

    IEC draft Publication 1508 (Part 1): (7.1.3.3) Mandates each phase of the overall Safety Life Cycle be divided into elementary tasks with well defined input, output activity for each, scope, and documented

    12.3 Technology differences

    IEC draft Publication 1508 (Part 1): (7.2) Requires process conceptional design information and overall process concept description
    S84.01: The method for accomplishing this is outside the scope of this standard

    IEC draft Publication 1508 (Part 1): (7.3) Requires EUC definition documented in this overall scope definition description

    IEC draft Publication 1508 (Part 1): (7.4) Defines Hazard and Risk Analysis and mandates implementation methodology and documentation

    IEC draft Publication 1508 (Part 1): (7.5) Mandates: Risk Reduction (Items 7.5.2.4, 7.5.2.6, 7.5.2.7); All Safety Functions (Item 7.5.2.2); Level of Safety (Item 7.5.2.3); Specifies Risk Reduction Method (Item 7.5.2.5)
    S84.01: The method for accomplishing this is outside the scope of this standard

    IEC draft Publication 1508 (Part 1): (7.6.1) Safety requirements allocation is PHA oriented and has external risk reduction facilities

    IEC draft Publication 1508 (Part 1): (7.7) and (7.15) Overall operator and maintenance planning includes external risk reduction systematic analysis

    IEC draft Publication 1508 (Part 1): (7.8) and (7.14) Validation includes external risk reduction

    IEC draft Publication 1508 (Part 1): (7.9) and (7.13) Provides installation mandates

    IEC draft Publication 1508 (Part 1): Mandates overall modification and retrofit issues
    S84.01: Refer to Management of Change in OSHA 1910.119, Reference C.11

    IEC draft Publication 1508 (Part 1): Mandates decommissioning log, verification plan, functional safety assessment plan and report, levels of independence
    S84.01: Does not mandate these requirements

    IEC draft Publication 1508 (Part 1): Addresses documentation for all phases
    S84.01: Only addresses SIS documentation

    IEC draft Publication 1508 (Part 1): Parts 2 and 3 are normative
    S84.01: Parts 2 and 3 type information is part normative and part informative -- to be defined

    IEC draft Publication 1508: SIL 1, 2, 3, 4
    ISA-S84.01: SIL 1, 2, 3
    Comment: S84.01 does not address Safety Integrity Level (SIL) 4 other than recognizes its existence. SIL 4 development is not normally found in the process industries.

    IEC draft Publication 1508: Equipment Under Control (EUC) control system excluding the safety controls
    ISA-S84.01: Basic Process Control System (BPCS)
    Comment: IEC draft Publication 1508 refers to the EUC control system, while S84.01 refers to the BPCS.

    Annex A (Informative) Information and examples illustrating methods for determining Safety Integrity Level (SIL) for a Safety Instrumented System (SIS)

    NOTE THIS ANNEX IS NOT A REQUIREMENT OF THIS STANDARD. IT IS PROVIDED FOR INFORMATION ONLY.

    A.1 Introduction

    This annex provides four examples of methods for determining SIL as part of process safety activities. These examples provide only general information on the range and types of approaches for determining SIL. These and additional methods are described in Reference C.1. Determining where a SIS is appropriate, what process variables actuate it, and what final process actions it takes, are beyond the scope of this annex. The four SIL determination methods are applied to an example in only enough detail to show conceptually how SIL can be determined. Details on how to use and understand these SIL determination methods, and others, are described in the references.

    Four example SIL determination methods were selected to illustrate the variety of approaches. A simple matrix method was chosen to briefly present the key factors, recognizing that many more comprehensive matrix methods are available. The consequences only method exemplifies a straight-forward SIL selection method that involves adoption of some very conservative safety premises. To illustrate a qualitative risk evaluation SIL determination method, a modified HAZOP method was chosen. Quantitative risk assessment methods are represented by describing how a fault tree analysis can be used to determine SIL.

    Regardless of the method used to select SIL, it is done as part of process safety activities. The team involved in making SIL decisions consists of participants with certain types of expertise. It is generally appropriate to include the following expertise and qualifications on the process safety team:

    a) Ownership - those who have direct responsibility for operating the equipment

    b) Process Knowledge - an understanding of the basic science and technology involved in the process and equipment operation

    c) Design Knowledge - how the equipment or process should work, particularly instrumentation for complex control systems

    d) Operating Experience - those with direct "hands on" operating and maintenance experience

    e) Others - skill in running process hazards reviews and other appropriate knowledge as needed

    This annex does not provide enough information to adequately understand the use of any method, and it does not indicate or imply any safety criteria, or recommend any particular approach.

    As described in Clause 4 of the standard, determination of Safety Integrity Level (SIL) for a Safety Instrumented System (SIS) is a part of process safety activities. As depicted in the Safety Life Cycle (see Figure 4.1), steps 2, 3, 4, 5, and 6 summarize the process safety concepts involved in determining SIL. These life cycle steps are as follows:

    f) Step 2 - Evaluate consequences and likelihood for hazardous events

    g) Step 3 - Evaluate preventive, protective and mitigating process safety features for these events, other than SIS

    h) Step 4 - Decide if a SIS is appropriate for this application

    i) Step 5 - Determine target SIL for the SIS

    j) Step 6 - Determine other process safety-related specifications and design criteria

    Process safety activities, which include consequence analysis and process hazards reviews (References C.14 and C.15), have the objective of helping to assure that the process will be safe to operate. Hazards, and hazardous events, are identified, and means to control the risk and potential consequences are decided upon, as part of these activities. Risk control and risk reduction decisions are made on many process safety features of the process. These include items such as procedures, basic process design, over-pressure protection, and SIS.

    A.2 Safety Integrity Level (SIL) considerations and the process example

    Safety Integrity Level (SIL) is a basic concept in this standard. SIL defines the level of safety performance for a SIS. SILs are defined as 1, 2, or 3. The higher the SIL, the better the safety performance of the SIS. Better SIS performance is achieved by higher availability of the safety function. SIS performance is improved by the addition of redundancy, more frequent testing, use of diagnostic fault detection, etc., as described in the standard and annexes.
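    The relationship just stated (more frequent proof testing and redundancy raise the availability of the safety function and therefore the SIL) and the re-evaluation of test intervals against in-service data that 9.7.3.2 requires can be put in numbers. The following is an added example written for this page; it is not code from ISA or from the standard. The PFDavg approximations, the hourly failure rate and the SIL-to-PFDavg bands are assumptions stated in the module header, because the text above gives the concept but not the formulas.

```python
"""Added illustration (not ISA's or S84.01's code) of how proof-test interval
and redundancy move the average probability of failure on demand (PFDavg)
of a SIS and, with it, the SIL the SIS can claim.

Assumptions (none of these formulas or numbers appear in the text above):
  * constant dangerous-undetected failure rate lambda_DU (per hour), perfect
    proof test, negligible repair time, no common-cause failure;
  * simplified PFDavg approximations of the kind used in ISA-dTR84.02 and
    IEC 61508: 1oo1 ~ lambda_DU*TI/2, 1oo2 ~ (lambda_DU*TI)^2/3;
  * SIL bands as PFDavg ranges: SIL 1 [1e-2, 1e-1), SIL 2 [1e-3, 1e-2),
    SIL 3 [1e-4, 1e-3); anything below 1e-4 would be SIL 4, which S84.01
    only recognises and does not address.
"""

from typing import Callable, Dict, Tuple

# (SIL, lower PFDavg bound inclusive, upper PFDavg bound exclusive)
SIL_BANDS = [(3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du: float, test_interval_h: float) -> float:
    """Single channel: on average the channel is failed for half of the interval."""
    return lambda_du * test_interval_h / 2.0


def pfd_avg_1oo2(lambda_du: float, test_interval_h: float) -> float:
    """Two independent channels, either one trips: both must be failed (no beta factor)."""
    return (lambda_du * test_interval_h) ** 2 / 3.0


ARCHITECTURES: Dict[str, Callable[[float, float], float]] = {
    "1oo1": pfd_avg_1oo1,
    "1oo2": pfd_avg_1oo2,
}


def sil_from_pfd(pfd: float) -> int:
    """Return the SIL band a PFDavg falls in: 0 = worse than SIL 1, 4 = beyond SIL 3."""
    if pfd >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 4  # pfd < 1e-4: outside the scope of S84.01


def sil_for(arch: str, lambda_du: float, test_interval_h: float) -> int:
    """SIL achieved by an architecture at a given failure rate and proof-test interval."""
    return sil_from_pfd(ARCHITECTURES[arch](lambda_du, test_interval_h))


def reevaluate_interval(arch: str, lambda_du_observed: float,
                        current_ti_h: float, required_sil: int) -> Tuple[bool, int]:
    """9.7.3.2-style check: with the failure rate observed in service, does the
    current test interval still deliver the SIL in the Safety Requirement
    Specifications?  Returns (meets_requirement, achieved_sil)."""
    achieved = sil_for(arch, lambda_du_observed, current_ti_h)
    return achieved >= required_sil, achieved


if __name__ == "__main__":
    # Constructed sample values: a dangerous-undetected rate of 5e-6 per hour
    # (roughly one dangerous failure per 23 years of service), annual testing.
    lam = 5e-6
    for arch, ti in (("1oo1", HOURS_PER_YEAR), ("1oo1", HOURS_PER_YEAR / 4),
                     ("1oo2", HOURS_PER_YEAR)):
        pfd = ARCHITECTURES[arch](lam, ti)
        print(f"{arch} tested every {ti:6.0f} h: PFDavg = {pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
    # Plant history shows a higher rate than the design assumed (constructed 1e-5 per hour):
    print(reevaluate_interval("1oo1", 1e-5, HOURS_PER_YEAR / 4, 2))
```

    With the constructed rate, a single channel tested annually sits in SIL 1, quarterly testing of the same channel reaches SIL 2, and a 1oo2 pair tested annually reaches SIL 3; the final call shows the 9.7.3.2 case where a higher observed failure rate drops the same quarterly-tested loop back to SIL 1. The 1oo2 formula ignores common-cause failure, diagnostics and repair time, so a real SIL verification per ISA-dTR84.02 will give less optimistic numbers than this illustration.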

    Some understanding of how the three SIL levels will be implemented is important for the process safety team making the SIL determinations. As the team learns the process, and how hazardous events can occur, they should understand how the SIS will perform its safety function. With an understanding of the important safety aspects of the SIS, including what is needed to achieve the different SIL, the team helps to ensure that the process design and operation do not compromise performance of the SIS.

    Figure A.1 conceptually shows how the three SIL will be implemented in the example application. The implementation depicted in Figure A.1 is specific to this example. As described in this standard and ISA-dTR84.02 (Reference C.2), there are many ways to implement SIS to achieve a specified SIL.

    Figure A.2 depicts a simplified piping and instrumentation diagram for the process example. A high pressure vapor is used to control pressure in a low pressure system. The low pressure system is protected from over-pressure by

    a) a pressure relief valve;

    b) a pressure control system; and

    c) an operator response to a high pressure alar