Application of Safety Instrumented Systems for the Process Industries

Transcription

Application of Safety Instrumented Systems for the Process Industries
AMERICAN NATIONAL STANDARD
ANSI/ISA–84.01–1996
Formerly ANSI/ISA–S84.01–1996
Application of Safety
Instrumented Systems for
the Process Industries
Approved 15 March 1997
ANSI/ISA-84.01-1996 — Application of Safety Instrumented Systems for the Process Industries
ISBN: 1-55617-590-6
Copyright  1996 by the Instrument Society of America. All rights reserved. Printed in the United
States of America. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), without the prior written permission of the publisher.
ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709
Preface
This preface as well as all footnotes, annexes, and draft technical report 84.02 (ISA-dTR84.02)
are included for informational purposes and are not part of ANSI/ISA-84.01-1996. ISA-dTR84.02
was still in development at the time that ANSI/ISA-84.01-1996 was published; for information, contact
ISA.
This standard has been prepared as part of the service of ISA, the international society for
measurement and control, toward a goal of uniformity in the field of instrumentation. To be of real
value, this document should not be static but should be subject to periodic review. Toward this
end, the Society welcomes all comments and criticisms and asks that they be addressed to the
Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research
Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail:
[email protected].
The ISA Standards and Practices Department is aware of the growing need for attention to the
metric system of units in general, and the International System of Units (SI) in particular, in the
preparation of instrumentation standards, recommended practices, and technical reports. The
Department is further aware of the benefits to USA users of ISA standards of incorporating
suitable references to the SI (and the metric system) in their business and professional dealings
with other countries. Toward this end, this Department will endeavor to introduce SI and
acceptable metric units in all new and revised standards to the greatest extent possible. The
Metric Practice Guide, which has been published by the Institute of Electrical and Electronics
Engineers as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for
definitions, symbols, abbreviations, and conversion factors.
It is the policy of ISA to encourage and welcome the participation of all concerned individuals and
interests in the development of ISA standards. Participation in the ISA standards-making
process by an individual in no way constitutes endorsement by the employer of that individual, of
ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.
S84.01 has been developed with the intent that it will eventually become a part of a group of
standards being developed by the International Electrotechnical Commission (IEC). This has
resulted in a format and structure that may be somewhat different from previous ISA Standards.
Some background information is, therefore, offered to assist the reader in better understanding
the focus of S84.01.
IEC has commissioned the development of a set of international standards encompassing all
aspects of safety systems for all industries. It is titled "Functional Safety: Safety-Related
Systems." This effort is under the direction of IEC Technical Committee No. 65, Subcommittee
65A, Working Group 10. It is titled IEC draft Publication 1508 and is still in development but, as it
exists today, there are seven parts:
• Part 1 - General requirements
• Part 2 - Requirements for Electrical/Electronic / Programmable Electronic Systems
(E/E/PES)
• Part 3 -Software requirements
• Part 4 - Definitions and abbreviations of terms
• Part 5 - Guidelines on the application of Part 1
• Part 6 - Guidelines on the application of Parts 2 and 3
ANSI/ISA-S84.01-1996
3
• Part 7 - Bibliography of techniques and measures
This work is to define requirements common to all industries. It is IEC's intent that there will then
be additional standards developed to reflect specific requirements for the various industry
sectors, such as nuclear, pharmaceutical, aeronautical, process, etc.
IEC has commissioned a subcommittee, identified as IEC 1511, for the development of an
industry-specific international standard that addresses the application of safety instrumented
systems for the process industries. ISA-S84.01-1995 has been written with the intent that it will
serve as the basis for that sector-specific standard. The structure, format, and content of S84.01
has been developed in this context. There are significant differences in S84.01 from IEC draft
Publication 1508-1995, as described in Clause 12. However, IEC draft Publication 1508 was still
being developed at the time that S84.01 was published. As a result, ISA SP84 will continue to
support and monitor IEC draft Publication 1508 development and will modify S84.01 as needed
when IEC draft Publication 1508 is published.
The IEC style guide has been used to facilitate the harmonization of this material with the general
standards and other sector-specific standards being developed for IEC draft Publication 1508.
The following people served as active members of ISA Committee SP84:
NAME
V. Maggioli, Chairman
R. Boyd, Jr., Vice Chairman
W. Calder III, Managing Director
*R. Adamski
R. Aldridge
R. Bailliet
N. Battikha
L. Beckman
R. Bell
S. Bender
P. Bennett
K. Bingham
W. Black
J. Blagg
R. Bloomfield
*K. Bond
K. Bosch
S. Boyer
*B. Bradley
A. Brombacher
D. Brown
*L. Brown
M. Cannon
J. Carew
L. Cheung
R. Desrochers (deceased)
COMPANY
Feltronics Corporation
Aramco
Calder Enterprises
Triconex
Consultant
Shell Offshore, Inc.
ICI Canada, Inc.
HIMA Americas, Inc.
Technology & Health Sciences Division
S.K. Bender & Associates
Center for Software Engineering
Hinz Consulting, Ltd.
BP GRE
Eco Waste Technologies
Adelard
Shell Oil Company
G3 IQSE
Iliad Engineering, Inc.
Mobil Research & Development Corporation
Eindhoven University of Technology
Fisher-Rosemount Systems
Arco Oil & Gas
Industrial Equipment Company
Stone & Webster, Inc.
W.R. Grace & Company
Sun Company
*One vote per company
4
ANSI/ISA-S84.01-1996
R. Dillman
Conoco, Inc.
NAME
COMPANY
J. Duran
P. Early
*R. Ewbank
T. Fisher
J. Forrest
*T. Frederickson, Jr.
R. Freeman
D. Fritsch
*K. Gandhi
R. Gardner
*F. Gellner
J. Gilman
R. Glaser
W. Goble
*C. Goring
*J. Gray
D. Green
T. Green
J. Greenwald
*R. Grehofsky
P. Gruhn
*A. Habib
*A. Hamers
A. Hammons
B. Hampton
C. Hardin
D. Haysley
*A. Heckman
*K. Hill
L. Hoffman
B. Humes
*D. Inverso
J. Jarvi
W. Jay
K. Jennings
D. Jensen
R. Johnson
*W. Johnson
*D. Karydas
K. Kassner
R. Kier
D. Leonard
*E. Lewis
J. Martel
*T. McAdams
Lagoven SA
ABB Industrial Systems, Inc.
Rhone-Poulenc, Inc.
Lubrizol Corporation
ABS Industrial Verification, Inc.
Triconex
Monsanto
Phillips Petroleum Company
M. W. Kellogg Company
DuPont Engineering
E. I. du Pont de Nemours & Company
Procter & Gamble Company
Dow Chemical Company
Moore Products Company
August Systems, Ltd.
Chevron Research & Technology Company
Rohm & Haas
Stubbs Overbeck & Associates
Fina Oil & Chemical Company
E. I. du Pont de Nemours & Company
Industrial Control Service, Inc.
Rhone-Poulenc, Inc.
Honeywell SMS
Chevron USA
Consultant
Hoechst Celanese Corporation
Murphy Oil Company
Bently Nevada
Mobil Research & Development Corporation
BASF Corporation
Bently Nevada
E.I. du Pont de Nemours & Company
Teknillinen Tarkastuskeskus
Entergy Operations, Inc.
Square D Company
Price Engineering Company
Kingwood Technology Group
E. I. du Pont de Nemours & Company
Factory Mutual Research Corporation
CALTEK Pacific-Minas Corporation
Kinetics Technology International
Consultant
Union Carbide Corporation
Exxon Chemical Company
Allen-Bradley Company
*One vote per company
ANSI/ISA-S84.01-1996
5
S. McCormick
3M Company
NAME
COMPANY
*M. McElroy
F. McKenna
N. McLeod
R. McNab
*F. Mears
*W. Mostia, Jr.
I. Nimmo
J. Nye
*D. Ogwude
T. Ostrowski
*J. Palomar
J. Paques
B. Phelps
*W. Purser
R. Raghaven
G. Ramachandran
*K. Rashida
C. Richard
L. Richardson
*C. Rischar
*W. Robinson
G. Russcher
*D. Sanders
K. Schilowsky
J. Schroeder
R. Shah
T. Shephard
*J. Simon
I. Smith
S. Smith
J. Sottnik
R. Spiker
R. Spinks
*P. Stavrianidis
R. Stevens
H. Storey
L. Suttinger
H. Thomas
*C. Thurston
M. Toffolo
*W. Valerie
T. Walczak
D. Watkins
M. Weber
S. Weiner
Pepperl + Fuchs Systems
FMcK Associates, Ltd.
Elf Atochem
Arco Chemical Company
Mobil Research & Development Corporation
Amoco Corporation
Honeywell, Inc.
Exxon Research and Engineering Company
Chevron Research & Technology Company
Occidental Chemical Corporation
Chevron Research & Technology Company
Institut de Recherche
Citgo Petroleum Corporation
Shell Oil Company
Consultant
Cytec Industries, Inc.
Allen-Bradley Company
Mobil Oil Company
UOP
Allen-Bradley Company
Amoco Corporation
Westinghouse Electric Company
August Systems, Ltd.
Marathon Oil Company
Tosco Corporation
Koch Industries
Caltex Services Corporation
M. W. Kellogg Company
Campbell Love Associates
Touch Technology, Inc.
United Engineers & Constructors
GTI Industrial Automation
Petrocon Engineering, Inc.
Factory Mutual Research Corporation
U.S. Department of Energy
Shell Development Company
Westinghouse Savannah River Company
Air Products & Chemicals
Union Carbide Corporation
Elsag Bailey (Canada), Inc.
Arco Oil & Gas
GE Fanuc
Dow Chemical Company
TUV-IQSE
PC&E Consulting Engineers
*One vote per company
6
ANSI/ISA-S84.01-1996
W. Welz, Jr.
*G. Wristen
BHP Engineers & Constructors, Inc.
E. I. du Pont de Nemours & Company
This published standard was approved for publication by the ISA Standards and Practices
Board on February 15, 1996.
NAME
COMPANY
M. Widmeyer, Vice President
H. Baumann
D. Bishop
P. Brett
W. Calder III
H. Dammeyer
R. Dieck
W. Holland
A. Iverson
K. Lindner
T. McAvinew
A. McCauley, Jr.
G. McFarland
J. Mock
E. Montgomery
D. Rapley
R. Reimer
R. Webb
W. Weidman
J. Weiss
J. Whetstone
H. Wiegle
C. Williams
G. Wood
M. Zielinski
Washington Public Power Supply System
H. D. Baumann, Inc.
Chevron USA Production Company
Honeywell, Inc.
Calder Enterprises
Phoenix Industries, Inc.
Pratt & Whitney
Southern Company Services, Inc.
Lyondell Petrochemical Company
Endress + Hauser GmbH + Company
Metro Wastewater Reclamation District
Chagrin Valley Controls, Inc.
Honeywell Industrial Automation & Control
Consultant
Fluor Daniel, Inc.
Rapley Engineering Services
Rockwell Automation A-B
Pacific Gas & Electric Company
Consultant
Electric Power Research Institute
National Institute of Standards & Technology
Canus Corporation
Eastman Kodak Company
Graeme Wood Consulting
Fisher-Rosemount
ANSI/ISA-S84.01-1996
7
Contents
Introduction ............................................................................................................................... 13
1 Scope ...................................................................................................................................... 15
1.1 Boundaries of the Safety Instrumented System (SIS) ................................................. 15
1.2 Exclusions ................................................................................................................... 16
2 Conformance to this standard............................................................................................. 17
2.1 Conformance guidance ................................................................................................ 17
2.2 Existing systems .......................................................................................................... 17
3 Definition of terms and acronyms....................................................................................... 18
3.1 Definitions .................................................................................................................... 18
3.2 Acronyms..................................................................................................................... 22
4 Safety life cycle ..................................................................................................................... 23
4.1 Scope .......................................................................................................................... 23
4.2 Safety Life Cycle steps ................................................................................................ 25
5 Safety requirements specifications development ............................................................. 27
5.1
5.2
5.3
5.4
Objective...................................................................................................................... 27
Input requirements....................................................................................................... 27
Safety functional requirements .................................................................................... 27
Safety integrity requirements ....................................................................................... 28
6 SIS conceptual design.......................................................................................................... 28
6.1 Objectives .................................................................................................................... 28
6.2 Conceptual design requirements ................................................................................. 28
7 SIS detailed design ............................................................................................................... 29
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
Objective...................................................................................................................... 29
General requirements .................................................................................................. 29
SIS logic solver ............................................................................................................ 30
Field devices................................................................................................................ 31
Interfaces ..................................................................................................................... 32
Power sources ............................................................................................................. 34
System environment .................................................................................................... 34
Application logic requirements..................................................................................... 34
Maintenance or testing design requirements............................................................... 35
8 Installation, commissioning and pre-startup acceptance test ......................................... 36
8.1
8.2
8.3
8.4
Objective...................................................................................................................... 36
Installation ................................................................................................................... 36
Commissioning ............................................................................................................ 36
Pre-Startup Acceptance Test (PSAT).......................................................................... 36
ANSI/ISA-S84.01-1996
9
9 SIS operation and maintenance .......................................................................................... 38
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.8
Objective...................................................................................................................... 38
Training........................................................................................................................ 38
Documentation ............................................................................................................ 38
SIS operating procedures ............................................................................................ 38
Maintenance program.................................................................................................. 38
Testing, inspection, and maintenance ......................................................................... 39
Functional testing ........................................................................................................ 39
Documentation of functional testing ............................................................................ 40
10 SIS Management Of Change (MOC) .................................................................................. 41
10.1 Objective.................................................................................................................... 41
10.2 MOC procedure ......................................................................................................... 41
10.3 MOC documentation.................................................................................................. 42
11 Decommissioning ............................................................................................................... 42
11.1 Objective.................................................................................................................... 42
11.2 General ...................................................................................................................... 43
12 Differences .......................................................................................................................... 43
12.1 Terminology ............................................................................................................... 44
12.2 Organizational differences ......................................................................................... 44
12.3 Technology differences ............................................................................................. 46
Annexes
A (Informative) — Information and examples illustrating methods for
determining Safety Integrity Level (SIL) for a Safety Instrumented System (SIS) ......... 47
A.1 Introduction ................................................................................................................. 47
A.2 Safety Integrity Level (SIL) considerations and the process example......................... 48
A.3 Example methods for selecting SIL............................................................................. 50
B (Informative) — SIS design considerations ....................................................................... 55
B.1 Separation - identical or diverse.................................................................................. 55
B.2 Redundancy - identical or diverse ............................................................................... 58
B.3 Software design considerations .................................................................................. 59
B.4 Technology selection .................................................................................................. 60
B.5 Failure rates and failure modes................................................................................... 63
B.6 Architecture ................................................................................................................. 66
B.7 Power sources ............................................................................................................ 66
B.8 Common cause failures .............................................................................................. 69
B.9 Diagnostics.................................................................................................................. 70
B.10 Field devices ............................................................................................................. 72
B.11 User interface ............................................................................................................ 75
B.12 Security ..................................................................................................................... 77
B.13 Wiring practices......................................................................................................... 78
B.14 Documentation .......................................................................................................... 79
B.15 Functional test interval .............................................................................................. 79
C (Informative) — Informative references ............................................................................. 81
10
ANSI/ISA-S84.01-1996
D (Informative) — Example ..................................................................................................... 85
D.1
D.2
D.3
D.4
D.5
D.6
Introduction to the example problem........................................................................... 85
Safety Life Cycle (Figure 4.1) ..................................................................................... 85
Safety requirement specification ................................................................................. 85
Safety integrity requirements (5.4) .............................................................................. 88
Conceptual design (6.0) .............................................................................................. 89
Detail design (7.0) ....................................................................................................... 90
E (Informative) — Index........................................................................................................... 93
Figures
1.1
4.1
A.1
A.2
A.3
D.1
D.2
— Definition of Safety Instrumented Systems (SIS) ............................................................ 16
— Safety Life Cycle ............................................................................................................. 24
— Company ABC, Site XX, Specific SIL implementation techniques, example only .......... 50
— Process example ............................................................................................................ 51
— Company ABC, Site XX, Example of a qualitative matrix for the determining SIL.......... 52
— Basic process control scheme ........................................................................................ 86
— Tentative design solution ................................................................................................ 91
Tables
3.1
4.1
A.1
B.5.1
B.5.2
B.9.1
B.9.2
— Safety Integrity Level (SIL)........................................................................................... 21
— Safety Integrity Level performance requirements ........................................................ 25
— Modified HAZOP documentation example ................................................................... 53
— Typical SIS failure modes ............................................................................................ 64
— Typical Programmable Electronic Failure Modes......................................................... 65
— Fault types.................................................................................................................... 70
— Diagnostic tests for programmable electronics ............................................................ 72
ANSI/ISA-S84.01-1996
11
Introduction
Purpose
This standard addresses the application of Safety Instrumented Systems (SIS) for the process
industries. The SIS addressed includes Electrical (E)/, Electronic (E)/ and Programmable
Electronic (PE) technology. This standard is process industry specific within the framework of the
International Electrotechnical Commission (IEC) draft Publication 1508 (References C.8 and
C.9). This standard follows the Safety Life Cycle presented later (see Figure 4.1).
This document is intended for those who are involved with SIS in the areas of
• design and manufacture of SIS products, selection, and application
• installation, commissioning, and Pre-Startup Acceptance Test
• operation, maintenance, documentation, and testing
Objective
The objective is to define the requirements for Safety Instrumented Systems.
Organization
This standard is organized into three major parts. The main body of the standard (Clauses 1-11)
present mandatory specific requirements. Clause 12 provides key differences between
ISA-S84.01 and IEC draft Publication 1508. Informative Annexes A through E present additional
non-mandatory (informative) technical information that is useful in SIS applications.
Draft Technical Report 84.02 (ISA-dTR84.02), which is issued under separate cover, provides
non-mandatory (informative) technical guidance in Safety Integrity Level analysis.
ANSI/ISA-S84.01-1996
13
1 Scope
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
This standard addresses Electrical/Electronic/Programmable Electronic System (E/E/PES),
associated sensors, final elements, and interfaces used in automated Safety Instrumented
Systems (SIS) for the process industries (Reference C.6). Examples of the E/E/PES
technologies are:
a) Electromechanical relays;
b) Solid state logic;
c) PES;
d) Motor-driven timers;
e) Solid state relays and timers;
f) Hard-wired logic; and
g) Combinations of the above.
1.1 Boundaries of the Safety Instrumented System (SIS)
1.1.1 Figure 1.1 defines the boundaries of the SIS and identifies the devices that may be included
in the system. The SIS described in this standard is that portion of the diagram enclosed within
the double lined box.
1.1.2 The SIS includes all elements from the sensor to the final element, including inputs, outputs,
power supply, and logic solvers. SIS user interface may be in the SIS.
1.1.3 Other interfaces to the SIS are considered a part of the SIS if they have potential impact
on its safety function.
ANSI/ISA-S84.01-1996
15
Figure 1.1 — Definition of Safety Instrumented Systems (SIS)
1.2 Exclusions
1.2.1 This standard identifies all the steps of the Safety Life Cycle (see Figure 4.1) but does not
define the method(s) that may be used in some of the steps.
1.2.2 This standard does not address management of the non-SIS portion of the design or the
management of the startup process.
1.2.3 In jurisdictions where the governing authorities (Federal, State, Province, County, City, etc.)
have established Process Safety Design, Process Safety Management, or other requirements,
these laws shall in all cases take precedence over those requirements defined in this standard.
These factors must be integrated into the Safety Life Cycle at the appropriate step.
1.2.4 This standard does not address the codes, regulations, and other requirements that apply
only to the Nuclear Industry.
1.2.5 The activity of identifying process hazards by use of Process Hazards Analysis methods
is not part of this standard.
1.2.6
Defining the need for a Safety Instrumented Systems is not included in this standard.
1.2.7 This standard is not intended to be used as a stand-alone system purchase specification.
It will not eliminate the need for sound engineering judgment. It also does not mandate the use of
any particular technology.
1.2.8
The standard is not intended to apply to Basic Process Control Systems (BPCS).
1.2.9
This standard is not intended for pneumatic or hydraulic logic solvers.
16
ANSI/ISA-S84.01-1996
1.2.10 This standard does not consider the use of technology that is not currently utilized in Safety
Instrumented Systems. As new technology evolves and becomes available (e.g., ISA SP50
Fieldbus) it will be addressed in scheduled (5 year) revisions to this standard. In the interim, if new
system performance justifies its use, new technology shall be user approved before use in safety
applications. In these cases, the new technology implementation may require exception to some
standard requirements of S84.01. Exceptions shall be documented to demonstrate that the new
approach satisfies the safety requirements.
1.2.11 Analysis of the capability of humans to act on human-machine interface information is part
of the Process Hazards Analysis and is outside the scope of this standard.
1.2.12 Instrumentation installed for the purpose of monitoring conditions that may lead to chronic
health effects is not covered by this standard.
1.2.13 This standard does not cover instrumentation installed principally for the purpose of property
protection.
1.2.14 Systems where operator action is the sole means required to return the process to a safe
state are not covered by this standard. (e.g., alarm systems, fire and gas monitoring systems, etc.)
2 Conformance to this standard
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
To conform to the requirements of this standard, the following shall be adhered to:
2.1 Conformance guidance
2.1.1 To conform to this Standard, it must be shown that each of the requirements have been
satisfied and therefore the Clause objectives have been met.
2.1.2 Where a requirement is qualified by reference to an informative annex, this indicates that
a range of techniques and measures can be used to satisfy that requirement including techniques
and measures not listed in the informative annex.
2.1.3 The techniques and measures included in normative Clauses 1 through 11 are considered
good engineering practices in the design and support of Safety Instrumented Systems.
2.2 Existing systems
2.2.1 For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard, the owner/operator shall determine that the equipment is
designed, maintained, inspected, tested, and operating in a safe manner.
ANSI/ISA-S84.01-1996
17
3 Definition of terms and acronyms
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
3.1 Definitions
For the purposes of this standard, the following definitions apply:
3.1.1
application program: See software (3.1.58.1).
3.1.2
application software: See software (3.1.58.1).
3.1.3 architecture: The arrangement and interconnection of the hardware components or modules that comprise the SIS.
3.1.4
availability: See safety availability (3.1.51).
3.1.5 Basic Process Control System (BPCS): A system that responds to input signals from
the equipment under control and/or from an operator and generates output signals, causing the
equipment under control to operate in the desired manner. Some examples include control of an
exothermic reaction, anti-surge control of a compressor, and fuel/air controls in fired heaters. Also
referred to as Process Control System.
3.1.6
bypassing: Act of temporarily defeating a safety function in a SIS.
3.1.7
common cause
3.1.7.1 common cause fault: A single source that will cause failure in multiple elements of a
system. The single source may be either internal or external to the system.
3.1.7.2 common cause failure: The result of a common cause fault.
3.1.8
communication
3.1.8.1 external communication: Data exchange between the SIS and a variety of systems or
devices that are outside the SIS. These include shared operator interfaces, maintenance/engineering interfaces, data acquisition systems, host computers, etc.
3.1.8.2 internal communication: Data exchange between the various devices within a given
SIS. These include bus backplane connections, the local or remote I/O bus, etc.
3.1.9
coverage: See diagnostic coverage (3.1.14).
3.1.10 covert fault: Faults that can be classified as hidden, concealed, undetected, unrevealed,
latent, etc.
3.1.11 decommissioning: The permanent removal of a complete SIS from active service.
18
ANSI/ISA-S84.01-1996
3.1.12 de-energize to trip: SIS circuits where the outputs and devices are energized under normal
operation. Removal of the source of power (e.g., electricity, air) causes a trip action.
3.1.13 demand: A condition or event that requires the SIS to take appropriate action to prevent
a hazardous event from occurring or mitigate the consequence of a hazardous event.
3.1.14 diagnostic coverage: For SIS with active fault-detection capabilities, the ratio of detectable faults to the total number of faults.
3.1.15 diverse: Use of different technologies, equipment or design methods to perform a common
function with the intent to minimize common cause faults (see 3.1.45, 3.1.55, and B.2).
3.1.16 Electrical (E)/ Electronic (E)/Programmable Electronic Systems (PES) (E/E/PES):
When used in this context, electrical refers to logic functions performed by electromechanical
techniques, (e.g., electromechanical relay, motor driven timers, etc.), electronic refers to logic
functions performed by electronic techniques, (e.g., solid state logic, solid state relay, etc.), and
Programmable Electronic System refers to logic performed by programmable or configurable devices [e.g., Programmable Logic Controller (PLC), Single Loop Digital Controller (SLDC), etc.]
Field devices are not included in E/E/PES.
3.1.17 electronic (/E): See E/E/PES (3.1.16).
3.1.18 embedded software: See software (3.1.58.2).
3.1.19 energize to trip: SIS circuits where the outputs and devices are de-energized under normal
operation. Application of power (e.g., electricity, air) causes a trip action.
3.1.20 fail-safe: The capability to go to a predetermined safe state in the event of a specific
malfunction.
3.1.21 fault tolerance: Built-in capability of a system to provide continued correct execution of
its assigned function in the presence of a limited number of hardware and software faults.
3.1.22 field devices: Equipment connected to the field side of the SIS I/O terminals. Such
equipment includes field wiring, sensors, final control elements, and those operator interface devices hard-wired to SIS I/O terminals.
3.1.23 firmware: Special purpose memory units containing software embedded in protected
memory required for the operation of programmable electronics.
3.1.24 forcing: A PES engineering station function that provides the capability to override the
application program and to change the states of inputs and outputs.
3.1.25 functional testing: Periodic activity to verify that the SIS is operating per the Safety
Requirement Specifications Testing.
3.1.26 hardware configuration: See architecture (3.1.3).
3.1.27 hard-wired: Electrical connections accomplished without the use of software or firmware.
3.1.28 hazard: Chemical or physical condition that has the potential for causing injury to people
or the environment (Reference C.12).
ANSI/ISA-S84.01-1996
19
3.1.29 input/output modules
3.1.29.1 input module: E/E/PES or subsystem that acts as an interface to external devices and
converts input signals into signals that the E/E/PES can utilize.
3.1.29.2 output module: E/E/PES or subsystem that acts as an interface to external devices
and converts output signals into signals that can actuate external devices.
3.1.30 interface: Shared boundary through which information is conveyed.
3.1.31 integration: Process of assembling multiple components or subsystems to form a system.
3.1.32 logic solver: E/E/PES components or subsystems that execute the application logic.
Electronic and programmable electronics include input/output modules.
3.1.33 off-line: Process, to which the SIS is connected, is shut down.
3.1.34 on-line: Process, to which the SIS is connected, is operating.
3.1.35 overt faults: Faults that are classified as announced, detected, revealed, etc.
3.1.36 permissive: Condition within a logic sequence that must be satisfied before the sequence
is allowed to proceed to the next phase.
3.1.37 Pre-Startup Acceptance Test (PSAT): Process of confirming performance of the total
integrated SIS to assure its conformance to the Safety Requirement Specifications and design.
3.1.38 preventive maintenance: Maintenance practice in which equipment is maintained on the
basis of a fixed schedule, dictated by manufacturer’s recommendation or by accumulated data
from operating experience.
3.1.39 Probability of Failure on Demand (PFD): A value that indicates the probability of a system
failing to respond to a demand. The average probability of a system failing to respond to a demand
in a specified time interval is referred to as PFDavg. PFD equals 1 minus Safety Availability [see
safety availability (3.1.51)].
3.1.40 process industry sector: Refers to those processes involved in, but not limited to, the
production, generation, manufacture, and/or treatment of oil, gas, wood, metals, food, plastics,
petrochemicals, chemicals, steam, electric power, pharmaceuticals, and waste material(s).
3.1.41 Programmable Electronic System (PES): See E/E/PES (3.1.16).
3.1.42 protection layer: Engineered safety features or protective systems or layers that typically
involve special process designs, process equipment, administrative procedures, the Basic Process
Control System (BPCS), and/or planned responses to protect against an imminent hazard. These
responses may be either automated or initiated by human actions (see Annex A for guidance).
3.1.43 qualitative methods: Methods of design and evaluation developed through experience
and/or the application of good engineering judgement.
3.1.44 quantitative methods: Methods of design and evaluation based on numerical data and
mathematical analysis.
20
ANSI/ISA-S84.01-1996
3.1.45 redundancy: Use of multiple elements or systems to perform the same function. Redundancy can be implemented by identical elements (identical redundancy) or by diverse elements
(diverse redundancy).
3.1.46 reliability: Probability that a system can perform a defined function under stated conditions
for a given period of time.
3.1.47 replacement in kind: A replacement that satisfies the design specification.
3.1.48 reset: Action that restores the equipment under control to a predetermined normal enabled
or operating state.
3.1.49 risk assessment: Process of making risk estimates and using the results to make decisions.
3.1.50 safe state: State that the equipment under control, or process, shall attain as defined by
the Process Hazards Analysis (PHA).
3.1.51 safety availability: Fraction of time that a safety system is able to perform its designated
safety service when the process is operating. In this standard, the average Probability of Failure
on Demand (PFDavg) is the preferred term. (PFD equals 1 minus Safety Availability; see 3.1.39.)
3.1.52 Safety Integrity Level (SIL): One of three possible discrete integrity levels (SIL 1, SIL 2,
SIL 3) of Safety Instrumented Systems. SILs are defined in terms of Probability of Failure on
Demand (PFD) (see Table 3.1).
Table 3.1 — Safety Integrity Level (SIL)
Safety Integrity Level (SIL)
Probability of Failure on
Demand Average Range
(PFD avg)
1
10-1 to 10-2
2
10-2 to 10-3
3
10-3 to 10-4
3.1.53 Safety Instrumented Systems (SIS): System composed of sensors, logic solvers, and
final control elements for the purpose of taking the process to a safe state when predetermined
conditions are violated (see Figure 1.1). Other terms commonly used include Emergency Shutdown
System (ESD, ESS), Safety Shutdown System (SSD), and Safety Interlock System.
3.1.54 Safety Life Cycle: Sequence of activities involved in the implementation of the Safety
Instrumented Systems from conception through decommissioning (see Figure 4.1).
3.1.55 separation: The use of multiple devices or systems to segregate control from safety
functions. Separation can be implemented by identical elements (identical separation) or by diverse
elements (diverse separation).
3.1.56 shall: Indicates a mandatory requirement.
3.1.57 SIS components: A constituent part of a SIS. Examples of SIS components are field
devices, input modules, output modules, and logic solvers.
ANSI/ISA-S84.01-1996
21
3.1.58 software
3.1.58.1 application software: Software specific to the user application in that it is the SIS
functional description programmed in the PES to meet the overall Safety Requirement Specifications (see Clause 5). In general, it contains logic sequences, permissives, limits, expressions, etc.,
that control the appropriate input, output, calculations, decisions necessary to meet the safety
functional requirements.
3.1.58.2 embedded software: Software that is part of the system supplied by the vendor and
is not accessible for modification by the end user. Embedded software is also referred to as
firmware or system software.
3.1.58.3 utility software: Software tools for the creation, maintenance, and documentation of
application programs. These software tools are not required for the operation of the SIS.
3.1.59 spurious trip: Refers to the shutdown of the process for reasons not associated with a
problem in the process that the SIS is designed to protect (e.g., the trip resulted due to a hardware
fault, software fault, electrical fault, transient, ground plane interference, etc.). Other terms used
include nuisance trip and false shut down.
3.1.60 systematic failures: Failures due to errors (including mistakes and acts of omissions) in
Safety Life Cycle activities that cause the SIS to fail under some particular combination of inputs
or under a particular environmental condition. Systematic failures can arise in any Safety Life
Cycle step.
3.1.61 Test Interval (TI): Time between functional tests.
3.1.62 user approved: Hardware, software, procedures, etc., that the user has evaluated and
determined to be acceptable for the application.
3.1.63 verification: Process of confirming for certain steps of the Safety Life Cycle that the
objectives are met.
3.1.64 voting system: Redundant system (e.g., "m" out of "n", one out of two [1oo2] to trip, two
out of three [2oo3], etc.) that requires at least "m" of the "n" channels to be in agreement before
the SIS can take an action.
3.2 Acronyms
22
BPCS:
Basic Process Control System
CFR:
Code of Federal Regulations
E/E/PES:
Electrical/Electronic/Programmable Electronic System
I/O:
Input/Output
MOC:
Management of Change
MTBF:
Mean Time Between Failures
MTTF:
Mean Time To Failure
MTTR:
Mean Time To Repair
OSHA:
Occupational Safety and Health Administration
ANSI/ISA-S84.01-1996
PES:
Programmable Electronic System
PFD:
Probability of Failure on Demand
PHA:
Process Hazards Analysis
PSAT:
Pre-Startup Acceptance Test
PSSR:
Pre-Startup Safety Review
SIL:
Safety Integrity Level
SIS:
Safety Instrumented Systems
WDT:
Watchdog Timer
4 Safety life cycle
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
4.1 Scope
The clauses in this standard are organized based on the Safety Life Cycle (see Figure 4.1). The
Safety Life Cycle covers the Safety Instrumented Systems (SIS) activities from initial conception
through decommissioning. Note that this standard does not address the method for performing
initial Safety Life Cycle activities, such as:
a) Performing conceptual process design
b) Performing Process Hazards Analysis & risk assessment
c) Defining non-SIS protection layers
d) Defining the need for an SIS
e) Determining required Safety Integrity Level
These activities are outside the scope of this standard.
ANSI/ISA-S84.01-1996
23
(4.2.15)
Figure 4.1 — Safety Life Cycle
24
ANSI/ISA-S84.01-1996
During the Safety Life Cycle of a SIS, there may be points where iterations are necessary. A few
of these are indicated in the Safety Life Cycle presented, but these should not be considered the
only points where iteration may be necessary.
4.2 Safety Life Cycle steps
4.2.1 The first step in the Safety Life Cycle is concerned with the conceptual process design.
The method for accomplishing this step is outside the scope of this standard.
4.2.2 The second step is concerned with identifying the hazards and hazardous events for a
process and assessing the level of risk involved. This standard does not address the methods for
performing this analysis and evaluation but assumes it has taken place prior to applying the principles in this document. The method(s) for accomplishing this step is outside the scope of this
standard.
4.2.3 Once the hazards and risks have been identified, appropriate technology (including process
and equipment modifications) is applied to eliminate the hazard, to mitigate their consequences
or reduce the likelihood of the event. The third step involves the application of non-SIS protection
layers to the process. The method(s) for accomplishing this step is outside the scope of this
standard.
4.2.4 Next an evaluation is made to determine if an adequate number of non-SIS protection
layers have been provided.
The desire is to provide appropriate number of non-SIS protection layers, such that SIS
protection layer(s) are not required. Therefore, consideration should be given to changing the
process and/or its equipment utilizing various non-SIS protection techniques, before considering
adding SIS protection layer(s). The method for accomplishing this step is outside the scope of
this standard.
4.2.5 If an SIS is appropriate, the next step is establishing the requirements for the SIS by defining
a target Safety Integrity Level (SIL) (See Annex A for guidance). A SIL defines the level of performance needed to achieve the user ’s process safety objective. SILs are defined as 1, 2, and 3.
SISs above SIL 3 are not addressed in this standard. The higher the SIL, the more available the
safety function of the SIS. Performance is improved by the addition of redundancy, more frequent
testing, use of diagnostic fault detection, and use of diverse sensors and final control elements,
etc. Performance is also improved through better control of design, operation, and maintenance
procedures.
Associated with the SIL are Probability of Failure on Demand average (see Table 4.1).
Table 4.1 — Safety Integrity Level performance requirements
SAFETY
INTEGRITY LEVEL
SIS
PERFORMANCE
REQUIREMENTS
1
2
3
Safety Availability Range
0.9 to 0.99
0.99 to 0.999
0.999 to 0.9999
PFD Average Range
10-1 to 10-2
ANSI/ISA-S84.01-1996
10-2 to 10-3
10-3 to 10-4
25
The SIL concept is utilized in several steps of the Safety Life Cycle. See Annex A for guidance
on SIL determination. The method for accomplishing this step is outside the scope of this
standard.
4.2.6 The next step is developing Safety Requirement Specifications. The Safety Requirement
Specifications document functional and integrity requirements for the SIS (see Clause 5).
4.2.7 The next step involves developing the SIS Conceptual Designs that may meet the Safety
Requirement Specifications. Annex B provides guidance on the selection of architectures to meet
SIL requirements (see Clause 6).
4.2.8 Once SIS Conceptual Design is complete, the detailed design can be performed (see
Clause 7).
4.2.9
Install the SIS (see Clause 8).
4.2.10 After installation is complete, the Commissioning and Pre-Startup Acceptance Test (PSAT)
of the SIS shall be performed (see Clause 8).
4.2.11 SIS Operation and Maintenance Procedures may be developed at any step of the Safety
Life Cycle and shall be completed prior to startup (see Clause 9).
4.2.12 Prior to startup of the SIS, a Pre-Startup Safety Review (PSSR) shall take place. This
PSSR shall include the following SIS activities:
a) Verification that the SIS was constructed, installed, and tested in accordance with the
Safety Requirement Specifications.
b) Safety, operating, maintenance, Management of Change (MOC), and emergency
procedures pertaining to the SIS are in place and are adequate.
c) PHA recommendations that apply to the SIS have been resolved or implemented.
d) Employee training has been completed and includes appropriate information about the
SIS.
The planning and execution of this activity is outside the scope of this standard.
4.2.13 After PSSR, the SIS may be placed in operation. This step includes startup, normal operation, maintenance, and periodic Functional Testing (see Clause 9).
4.2.14 If modifications are proposed, their implementation shall follow a Management of Change
(MOC) procedure. The appropriate steps in the Safety Life Cycle shall be repeated to address the
safety impact of the change (see Clause 10).
4.2.15 At some time, the need for the SIS will cease. For example, this may be caused by plant
closure, or the removal or change of the process. The decommissioning of the SIS shall be planned,
and appropriate steps should be taken to ensure that this is accomplished in a manner that does
not compromise safety (see Clause 11).
26
ANSI/ISA-S84.01-1996
5 Safety requirements specifications development
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
5.1 Objective
The objective is to develop specifications for Safety Instrumented Systems (SIS) design. These
Safety Requirement Specifications consist of both safety functional requirements and safety
integrity requirements. The Safety Requirement Specifications can be a collection of documents
or information.
5.2 Input requirements
The information required from the Process Hazards Analysis (PHA) or process design team to
develop the Safety Requirement Specifications, includes the following.
5.2.1
A list of the safety function(s) required and the SIL of each safety function.
5.2.2 Process information ( incident cause, dynamics, final elements, etc.) of each potential
hazardous event that requires a SIS.
5.2.3
Process common cause failure considerations such as corrosion, plugging, coating, etc.
5.2.4
Regulatory requirements impacting the SIS.
5.3 Safety functional requirements
The safety functional requirements shall include the following.
5.3.1
The definition of the safe state of the process, for each of the identified events.
5.3.2
The process inputs to the SIS and their trip points,
5.3.3
The normal operating range of the process variables and their operating limits,
5.3.4
The process outputs from the SIS and their actions,
5.3.5 The functional relationship between process inputs and outputs, including logic, math functions, and any required permissives.
5.3.6
Selection of de-energized to trip or energized to trip.
5.3.7
Consideration for manual shutdown.
5.3.8
Action(s) to be taken on loss of energy source(s) to the SIS.
ANSI/ISA-S84.01-1996
27
5.3.9
Response time requirements for the SIS to bring the process to a safe state.
5.3.10 Response action to any overt fault.
5.3.11 Human-machine interfaces requirements.
5.3.12 Reset function(s).
5.4 Safety integrity requirements
Safety integrity requirements shall include the following.
5.4.1
The required SIL for each safety function.
5.4.2
Requirements for diagnostics to achieve the required SIL (see B.9 for guidance).
5.4.3
Requirements for maintenance and testing to achieve the required SIL.
5.4.4
Reliability requirements if spurious trips may be hazardous.
6 SIS conceptual design
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
6.1 Objectives
To define those requirements needed to develop and verify a SIS Conceptual Design that meets
the Safety Requirements Specifications.
6.2 Conceptual design requirements
6.2.1 The Safety Instrumented Systems (SIS) architecture for each safety function shall be
selected to meet its required Safety Integrity Level (SIL). (e.g., The selected architecture may be
one out of one [1oo1], 1oo2 voting, 2oo3 voting, etc.)
6.2.2 A SIS may have a single safety function or multiple safety functions that have a common
logic solver and/or input and output devices. When multiple safety functions share common components, the common components shall satisfy the highest SIL of the shared safety function.
Components of the system that are not common must meet the SIL requirements for the safety
function that they address. When multiple SISs are combined in a system where they share
common logic or components, the potential for common cause faults is increased. Programming,
accessibility, maintenance, power supplies, and security are typical common cause issues to consider.
28
ANSI/ISA-S84.01-1996
6.2.3
The desired SIL shall be met through a combination of the following design considerations:
a) Separation - identical or diverse (see B.1 for guidance)
b) Redundancy - identical or diverse (see B.2 for guidance)
c) Software design considerations (see B.3 for guidance)
d) Technology selection (see B.4 for guidance)
e) Failure rates and failure modes (see B.5 for guidance)
f) Architecture (see B.6 for guidance)
g) Power sources (see B.7 for guidance)
h) Common cause failures (see B.8 for guidance)
i) Diagnostics (see B.9 for guidance)
j) Field devices (see B.10 for guidance)
k) User interface (see B.11 for guidance)
l) Security (see B.12 for guidance)
m) Wiring practices (see B.13 for guidance)
n) Documentation (see B.14 for guidance)
o) Functional test interval (see B.15 for guidance)
7 SIS detailed design
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
7.1 Objective
To provide detailed requirements for the design of the Safety Instrumented Systems (SIS) to
achieve the requirements of the Safety Requirement Specifications and conceptual design.
7.2 General requirements
7.2.1
The SIS design shall be capable of meeting the Safety Integrity Level (SIL).
7.2.2 The SIS may include sequencing functions to take the process to or maintain it in a safe
state.
ANSI/ISA-S84.01-1996
29
7.2.3
The SIS may contain one or more interlocks or safety functions.
7.2.4 The SIS design documents shall be under control of a formal revision and release control
program.
7.2.5 The manufacturer of equipment used in SIS service shall maintain a formal revision and
release control program for the equipment, including applicable software. The use of visible markings or user interfaces to identify this information is acceptable (e.g., part #, serial #, batch #, etc.).
7.2.6 The design shall ensure that the hardware and software used in an application are compatible.
7.2.7 The action of any non-safety function, if implemented by the SIS, shall not interrupt or
compromise any SIS safety functions.
7.2.8 The required safe states of each SIS component required for the safety function shall be
defined.
7.2.9 The SIS shall be designed such that once it has placed the process in a safe state, it shall
remain in the safe state until a reset has been initiated. The requirement for a manual or automatic
reset shall be as defined in the Safety Requirements Specifications.
7.2.10 Manual means, independent of the logic solver, shall be provided to actuate the SIS final
elements unless otherwise directed by the Safety Requirements Specifications.
7.2.11 Any detected single fault that causes a SIS failure shall result in an automatic, predetermined, safe failure action; and/or a safe process condition if the appropriate response action is
undertaken.
7.2.12 The design shall apply codes and standards for environmental and hazardous area
classifications (e.g., NFPA 70, National Electrical Code, Article 500)(see C.5 for guidance).
7.2.13 SIS Input/Output power circuits shall be separated from circuits used for any other purpose
except where the sensor or final control element is shared as allowed in 7.4.2.2 and 7.4.3.1.
7.3 SIS logic solver
7.3.1 The logic solver supplier shall provide an integrated design including, where applicable,
input module(s), output module(s), maintenance interface device(s), communication(s), and utility
software. The integrated design shall be documented.
7.3.2 The logic solver supplier shall provide Mean Time To Failure (MTTF) data, covert failure
mode listing, and frequency of occurrence of identified covert failures. The method and data
sources for the above shall be provided.
7.3.3 PES logic solvers shall have methods (internal and/or external) to protect against covert
faults (e.g., comparison of logic solver performance versus process action, embedded or application software testing the logic solver performance).
7.3.4 The logic solver shall be separated (see B.1 for guidance) from the Basic Process Control
System (BPCS) except where some applications have combined BPCS and SIS functions in one
"logic solver" (e.g., gas turbines). In these cases, the BPCS/SIS logic solver shall meet the SIL
(see C.1 for additional guidance).
30
ANSI/ISA-S84.01-1996
7.3.5 The logic solver shall be designed to ensure the process will not automatically restart when
power is restored, unless Process Hazards Analysis indicates this is appropriate.
7.4 Field devices
7.4.1
General requirements
7.4.1.1 Energize to trip discrete input/output circuits shall apply a method (e.g., end-of- line monitor,
such as pilot current continuously monitored to ensure circuit continuity; the pilot current shall not
be of sufficient magnitude to affect proper I/O operation) to assure circuit integrity.
7.4.1.2 When remote input/output is used, it shall be evaluated in conjunction with the logic solver
(see B.6 for guidance).
7.4.1.3 Each individual field device shall have its own dedicated wiring to the system Input/Output,
except in the following cases:
a) Multiple connected discrete sensors connected in series to a single input if the sensors
monitor the same process condition (e.g., motor overloads)
b) Multiple connected Final Control Elements (FCE) to a single output if each FCE services
the same process condition
c) User approved systems such as fire and gas detection systems
d) See 1.2.10 for ISA SP50 Fieldbus.
7.4.1.4 Field devices shall be selected and installed to minimize failures that could relate inaccurate
information due to conditions arising from the process and environmental conditions. Conditions
that shall be considered include corrosion, freezing of materials in pipes, suspended solids, polymerization, coking, and temperature and pressure extremes.
7.4.2
Sensor requirements
7.4.2.1 Smart sensors shall be write protected to prevent inadvertent modification from a remote
location, unless appropriate safety review allows the use of read/write.
7.4.2.2 Sensors for SIS shall be separated from the sensors for the Basic Process Control System
(BPCS). Two exceptions are allowed provided the failure of the sensor does not create a condition
that the SIS is intended to protect against:
a) If redundant sensors are used, they may be connected to both the BPCS and the SIS
provided that any failure in the BPCS will not affect the proper operation of the sensor
or the ability of the SIS to read the sensor properly (see B.1.5).
b) If the PHA determines that one or more protection layers other than the BPCS and the
SIS offers protection redundant to that provided by the sensor (for further guidance, see
Annex A).
7.4.2.3 Sensor diagnostics, vendor or user supplied , shall be provided as required to meet the
SIL (see B.9 for guidance).
ANSI/ISA-S84.01-1996
31
7.4.3
Final control element requirements
7.4.3.1 A control valve from the BPCS shall not be used as the only final element for SIL 3.
A safety review shall be required to use a single BPCS control valve as the only final element for
SIL 1 and 2. For additional information, see B.1.6.
7.4.3.2 Motor starters
Motor starters are typically common to both the BPCS and the SIS unless the Process Hazards
Analysis dictates otherwise (see B.10.4.3 for guidance).
7.5 Interfaces
This section addresses all human-machine and communication interfaces to the SIS. These can
include, but are not limited to
a) operator interface(s);
b) maintenance/engineering interface(s); and
c) communication interface(s).
7.5.1
Operator interface requirements
Operator interface refers to that media (e.g., CRTs, indicating lights, push-buttons, horns,
alarms, etc.) used to communicate information between the operator and the SIS.
7.5.1.1 The operator interface system design shall take into consideration the loss of the SIS
operator interface and the resulting requirements as defined by appropriate safety review. The
design shall ensure that, upon failure of the SIS operator interface, sufficient alternate means shall
be provided for the operator to bring the process to a safe state and that the automatic functions
of the SIS are not compromised.
7.5.1.2 The SIS status information that is critical to maintaining the SIL shall be available as part
of the operator interface. This information may include
a) where the process is in its sequence;
b) indication that SIS protective action has occurred;
c) indication that a protective function is bypassed;
d) indication that automatic action(s) such as degradation of voting and/or fault handling
has occurred;
e) status of sensors and final control elements;
f) the loss of energy where that energy loss impacts safety;
g) the results of comparison diagnostics; and
h) failure of environmental conditioning equipment that is necessary to support the SIS.
32
ANSI/ISA-S84.01-1996
7.5.1.3 Changes to the SIS application software shall not be allowed from the SIS operator
interface. Where the SIS maintenance/engineering interface is used as the operator interface to
the SIS, changes to application software from this interface shall require appropriate safety review
and access security. There may be some safety-related information that needs to be transmitted
from the BPCS to the SIS. For example, in batch systems a SIS may have different setpoints or
logic functions depending on the recipe being used. If so, the operator interface may be used to
select the appropriate logic function in the SIS or may be used to select recipe-specific tables. For
these types of applications, use only SIS systems that offer the ability to selectively allow writing
to a SIS variable that is accessible to the BPCS (see B.1.8 for additional guidance), and a confirmation procedure to ensure the proper selection has been transmitted and received in the SIS.
Enabling and disabling the read-write access shall be done only by a configuration or
programming process using the Maintenance/Engineering Interface with appropriate
documentation and security measures. An Operator Interface shall not be allowed to perform
this function.
7.5.2
Maintenance/Engineering interface requirements
Maintenance/Engineering interface is that media provided to allow proper SIS maintenance. It
can include instructions and diagnostics that may be found in software, programming terminals,
diagnostic tools, indicators, bypass devices, test devices, and calibration devices.
7.5.2.1 The design of SIS maintenance/engineering interface shall ensure that any failure of this
interface shall not adversely affect the ability of the SIS to bring the process to a safe state. This
may require disconnecting of maintenance/engineering interfaces, such as programming panels,
during normal SIS operation.
7.5.2.2 The maintenance/engineering interface shall provide the following functions:
a) Access security protection to the SIS operating mode, program, data, means of disabling
alarm communication, test, bypass, maintenance, etc.
b) Access to SIS diagnostic, voting and fault handling services
c) Access to add, delete, or modify application software
d) Access to data necessary to troubleshoot the SIS
7.5.3
Communication interface requirements
Communication interface refers to hardware and software communication between the SIS and
other devices such as the operator interfaces, maintenance/engineer interfaces, BPCS, network
or peripherals.
7.5.3.1 The design of the communication interface of the SIS shall ensure that any failure of the
communication interface shall not adversely affect the ability of the SIS to bring the process to a
safe state.
7.5.3.2 Communication signals shall be isolated from other energy sources through the use of
good engineering practices, such as the use of shielded cable while maintaining a single ground
plane with a single dedicated power source, or the use of fiber optics.
ANSI/ISA-S84.01-1996
33
7.6 Power sources
The design shall ensure that each power source meets the needs of the SIS as specified in the
Safety Requirement Specifications (see B.7 for guidance).
7.7 System environment
The system environment must be addressed to ensure proper SIS operation. This may require
consideration of the following: temperature, humidity, contaminants, grounding, Electro
Magnetic Interference/Radio Frequency Interference (EMI/RFI), shock/vibration, electrostatic
discharge, electrical area classification, flooding, etc.
7.7.1 All environmental conditions to which the SIS will be exposed and the operating environmental specifications for all components of the SIS shall be considered in the system design.
7.7.2 The system design shall take specific steps to resolve all differences between the environmental conditions and equipment specifications in a manner that will allow the SIS to perform in
accordance with the Safety Requirement Specifications, such as installing heating, ventilation/air
conditioning equipment, and/or air filtration.
7.8 Application logic requirements
7.8.1
Application logic for electrical systems
7.8.1.1 Only application logic under the control of a formal revision and release control program
shall be provided and considered for use on a SIS.
7.8.1.2 The application logic formal revision and release control program shall be provided and
maintained by the user.
7.8.1.3 The user shall ensure the application logic is documented in a clear, precise, and complete
way (see B.14 for guidance).
7.8.2
Application logic for electronic system
7.8.2.1 Only application logic under the control of a formal revision and release control program
shall be provided and considered for use on a SIS.
7.8.2.2 The application logic formal revision and release control program shall be provided and
maintained by the user.
7.8.2.3 The user shall ensure the application logic is documented in a clear, precise, and complete
way (See B.14 for guidance).
34
ANSI/ISA-S84.01-1996
7.8.3
Application logic for PES
Software discussed in this subclause addresses the SIS applications. Embedded and utility
software is discussed as far as it impacts application software.
7.8.3.1 Only software under the control of a formal revision and release control program shall be
provided and considered for use on a SIS.
7.8.3.2 The embedded software and utility software formal revision and release control programs
shall be provided and maintained by the SIS manufacturer(s). The manufacturer(s) shall also
provide and maintain a bug list and advise customers of any software faults which may lead to a
failure to function on demand.
7.8.3.3 The user shall not modify the SIS embedded or utility software.
7.8.3.4 The user shall ensure the application software is documented in a clear, precise, and
complete way (see B.3 and B.14 for guidance).
7.8.3.5 The application software formal revision and release control programs shall be maintained
by the user.
7.9 Maintenance or testing design requirements
7.9.1 The design shall allow for testing of the overall system. It shall be possible to test final
element actuation in response to sensor operation. Where the interval between scheduled process
downtime is greater than the functional test interval, then on-line testing facilities are required.
7.9.2 When on-line functional testing is required, test facilities shall be an integral part of the SIS
design to test for covert failures.
7.9.3 When test and/or bypass facilities are included in the SIS, they shall conform with the
following:
a) SIS shall be designed in accordance with the maintenance and testing requirements
defined in the Safety Requirement Specifications.
b) The operator shall be alerted to the bypass of any portion of the SIS via an alarm and/
or operating procedure.
c) Bypassing of any portion of the SIS shall not result in the loss of detection and/or
annunciation of the condition(s) being monitored.
7.9.4
Forcing of inputs and outputs shall not be used as a part of:
a) application software;
b) operating procedure(s); and
c) maintenance, except as noted.
Forcing of inputs and outputs without taking the SIS out of service shall not be allowed unless
supplemented by procedures and access security. Any such forcing shall be annunciated or
alarmed, as appropriate.
ANSI/ISA-S84.01-1996
35
8 Installation, commissioning, and pre-startup acceptance test
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
8.1 Objective
8.1.1 The objective of this clause is to ensure that the Safety Instrumented Systems (SIS) is
installed per the detail design and performs per the Safety Requirement Specifications.
8.1.2 Any modification or change to SIS-specific equipment during installation, commissioning,
or Pre-Startup Acceptance Test (PSAT) shall require a return to the appropriate phase (the one
first affected by the change) of the Safety Life Cycle.
8.2 Installation
8.2.1
All equipment shall be installed per the design.
8.3 Commissioning
8.3.1 Commissioning ensures the SIS is installed per the detailed design and is ready for the
Pre-Startup Acceptance Test.
8.3.2 The SIS commissioning activities shall include, but may not be limited to, confirmation that
the following are installed per the detailed design documents and are performing as specified in
the Safety Requirement Specifications:
a) Equipment and wiring are properly installed.
b) Energy sources are operational.
c) All instruments have been properly calibrated.
d) Field devices are operational.
e) Logic solver and Input/Output are operational.
8.4 Pre-Startup Acceptance Test (PSAT)
8.4.1 A PSAT provides a full functional test of the SIS to show conformance with the Safety
Requirement Specifications. The PSAT shall include, but may not be limited to, confirmation of
the following:
a) SIS communicates (where required) with the Basic Process Control System or any other
system or network.
36
ANSI/ISA-S84.01-1996
b) Sensors, logic, computations, and final control elements perform in accordance with
Safety Requirement Specifications.
c) Safety devices are tripped at the setpoints as defined in the Safety Requirement
Specifications.
d) The proper shutdown sequence is activated.
e) The SIS provides the proper annunciation and proper operation display.
f) The accuracy of any computations that are included in the SIS.
g) That the system total and partial reset functions as planned.
h) Bypass and bypass reset functions operate correctly.
i) Manual shutdown systems operate correctly.
j) Test interval is documented in maintenance procedures consistent with SIL
requirements.
k) SIS documentation is consistent with actual installation and operating procedures.
8.4.2 A PSAT shall be satisfactorily completed prior to the introduction of hazards the SIS is
designed to prevent or mitigate.
8.4.3 Accuracy of calibration of test instruments used in the PSAT shall be consistent with the
application. For example, the margin between the SIS setpoint and the hazardous process condition may be used to determine the required accuracy.
8.4.4 Documentation to substantiate completion of the Commissioning and PSAT shall be completed prior to the introduction of hazards the SIS is designed to prevent or mitigate.
As a minimum, this documentation shall include the following:
a) Identification of the SIS that has been tested
b) Confirmation that Commissioning is complete
c) Date the PSAT was performed
d) Reference to the procedures used in the PSAT
e) Authorized signature that indicates PSAT has been satisfactorily completed
ANSI/ISA-S84.01-1996
37
9 SIS operation and maintenance
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
9.1 Objective
The objective of this clause is to ensure that the Safety Instrumented Systems (SIS) functions in
accordance with the Safety Requirement Specifications throughout the SIS operational life.
9.2 Training
9.2.1 Employees involved in the operation and maintenance activities of the SIS shall be properly
trained.
9.2.2 Employee training shall adhere to requirements specified in applicable regulation(s) (e.g.,
OSHA 29CFR1910.119, Reference C.11).
9.3 Documentation
The user shall have appropriate documentation (as noted in each Clause 9 subsection) and shall
keep the documentation current (see B.14 for guidance).
9.4 SIS operating procedures
Operating procedures shall be written to explain the safe and correct methods of operating the
SIS. These procedures are typically part of the unit operating procedures. These procedures
should include, but not be limited to, the following:
a) Limits of safe operation (i.e., trip points) and the safety implications of exceeding them
b) How the SIS takes the process to a safe state
c) The correct use of operational bypasses, permissives, system reset, etc. (where
required)
d) The correct response to SIS alarms and trips
9.5 Maintenance program
9.5.1 A maintenance program shall be established, which includes written procedures for maintaining, testing, and repairing the SIS.
38
ANSI/ISA-S84.01-1996
9.5.2
SIS maintenance shall include, but not be limited to, the following:
a) Regularly scheduled functional testing of the SIS
b) Regularly scheduled preventative maintenance, as required (e.g., replacement of
ventilation filters, lubrication, battery replacement, calibration, etc.)
c) Repair of detected faults, with appropriate testing after repair
9.6 Testing, inspection, and maintenance
9.6.1 Vendor manuals that describe the SIS maintenance and testing requirements (e.g., battery
maintenance, fuse replacement) may be included in the maintenance procedures.
9.6.2 Bypassing may be necessary. If the process is hazardous while a SIS function is being
bypassed, administrative controls and written procedures shall be provided to maintain the safety
of the process.
9.6.3 The user shall have a periodic inspection program for the SIS to detect equipment faults,
defects, etc.
9.7 Functional testing
Not all system faults are self revealing. Covert faults that may inhibit SIS action on demand can
only be detected by testing the entire system.
9.7.1 Periodic Functional Tests shall be conducted using a documented procedure
(see 9.7.4.1) to detect covert faults that prevent the SIS from operating per the Safety
Requirement Specifications.
9.7.2 The entire SIS shall be tested including the sensor(s), the logic solver, and the final
element(s) (e.g., shutdown valves, motors).
9.7.3
Frequency of functional testing
9.7.3.1 The SIS shall be tested at specific intervals based on the frequency specified in the Safety
Requirement Specifications (see B.15 for guidance). Note that different portions of the SIS may
require different periodic test intervals.
9.7.3.2 At some periodic interval (determined by the user), the frequency(s) of testing for the SIS
or portions of the SIS shall be re-evaluated based on historical data plant experience, hardware
degradation, software reliability, etc.
9.7.3.3 Any change to the application logic requires full functional testing. Exceptions to this are
allowed if appropriate review and partial testing of changes are done to ensure the SIL has not
been compromised.
ANSI/ISA-S84.01-1996
39
9.7.4
Functional testing procedures
9.7.4.1 A documented functional test procedure, describing each step to be performed, shall be
provided for each SIS.
9.7.4.2 Any deficiencies found during the functional testing shall be repaired in a safe and timely
manner.
9.7.4.3 The functional testing procedures shall include, but not be limited to, verifying the following:
a) Operation of all input devices including primary sensors and SIS input modules
b) Logic associated with each input device
c) Logic associated with combined inputs
d) Trip initiating values (setpoints) of all inputs
e) Alarm functions
f) Speed of response of the SIS when necessary
g) Operating sequence of the logic program
h) Function of all final control elements and SIS output modules
i) Computational functions performed by the SIS
j) Function of the manual trip to bring the system to its safe state
k) Function of user diagnostics
l) Complete system functionality
m) The SIS is operational after testing.
9.7.5
On-line functional testing
9.7.5.1 Procedures shall be written to allow on-line functional testing (if required).
9.7.5.2 For those applications where exercising the final trip element may not be practical, the
procedure shall be written to include
a) testing the final element during unit shut down; and
b) exercising the output(s) as far as practical (e.g., output trip relay, shut down solenoid,
partial valve movement) during on-line testing.
9.8 Documentation of functional testing
9.8.1 A description of all tests performed shall be documented. The user shall maintain records
to certify that tests and inspections have been performed.
9.8.2
Documentation shall include the following information as a minimum:
a) Date of inspection
b) Name of the person who performed the test or inspection
40
ANSI/ISA-S84.01-1996
c) Serial number or other unique identifier of equipment (loop number, tag number,
equipment number, user approved number, etc.)
d) Results of inspection/test ("as-found" and "as-left" condition)
10 SIS Management Of Change (MOC)
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
10.1 Objective
The objective of this clause is to ensure that the management of change requirements are
addressed in any changes made to an operating SIS.
10.2 MOC procedure
10.2.1 A written procedure shall be in place to initiate, document, review the change, and approve
changes to the SIS other than "replacement in kind" (e.g., OSHA 29 CFR 1910.119, Section “B”)
(see Reference C.11 for guidance).
The MOC Procedure could be required as a result of
a) modification to the operating procedure;
b) modification necessary because of new or amended safety legislation;
c) modifications to the process;
d) modification to the Safety Requirement Specifications;
e) modifications to fix software or firmware errors;
f) modifications to correct systematic failures;
g) modification as a result of a failure rate higher than desired;
h) modifications resulting from increased demand rate on the SIS; and
i) modifications to software (embedded, utility, application).
10.2.2 The MOC procedure shall ensure that the following considerations are addressed prior to
any change:
a) The technical basis for the proposed change
b) Impact of change on safety and health
c) Modifications for operating procedures
ANSI/ISA-S84.01-1996
41
d) Necessary time period for the change
e) Authorization requirements for the proposed change
f) Availability of memory space
g) Effect on response time
h) On-line versus off-line change, and the risks involved
10.2.3 The review of the change shall ensure
a) that the required safety integrity has been maintained; and
b) personnel from appropriate disciplines have been included in the review process.
10.2.4 Personnel affected by the change shall be informed of the change and trained prior to
implementation of the change or startup of the process, as appropriate.
10.2.5 All changes to the SIS shall initiate a return to the appropriate phase (first phase affected
by the modification) of the Safety Life Cycle. All subsequent Safety Life Cycle phases shall then
be carried out, including appropriate verification that the change has been carried out correctly
and documented. Implementation of all changes (including application software) shall adhere to
the previously established SIS design procedures.
10.3 MOC documentation
10.3.1 All changes to operating procedures, process safety information, and SIS documentation
(including software) shall be noted prior to startup and updated accordingly.
10.3.2 The documentation shall be appropriately protected against unauthorized modification,
destruction, or loss.
10.3.3 All SIS documents shall be revised, amended, reviewed, approved, and be under the control
of an appropriate document control procedure.
11 Decommissioning
NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY
REQUIREMENTS.
11.1 Objective
11.1.1 To ensure proper review prior to permanently retiring a Safety Instrumented Systems (SIS)
from active service.
42
ANSI/ISA-S84.01-1996
11.2 General
11.2.1 Management of Change procedures shall be implemented for all decommissioning activities (see Clause 10).
11.2.2 The impact of decommissioning an SIS on adjacent operating units and facility services
shall be evaluated prior to decommissioning.
12 Differences
NOTE — THIS CLAUSE IS PART OF THIS STANDARD. IT ILLUSTRATES THE KEY
DIFFERENCES BETWEEN ISA-S84.01 AND IEC DRAFT PUBLICATION 1508.
Generally, ISA-S84.01 varies from IEC draft Publication 1508-1995, Parts 1 through 7. These
differences are discussed in 12.1 Terminology, 12.2 Organizational, and 12.3 Technical, and are
based on the comparison of published S84.01 to a 1995 version of IEC draft Publication 1508
that is undergoing much change. When IEC draft Publication 1508 is published, the SP84
committee will revisit Clause 12 then revise and reissue S84.01, if required.
This clause only compares the normative portion (i.e., Parts 1, 2, 3, and 4) of IEC draft
Publication 1508 to ISA-S84.01.
The modes of operation in which a Safety Instrumented Systems is intended to be used are
classified as follows:
a) Demand Mode: SIS designed to attain appropriate probability of failure to perform its
design function on demand
b) Continuous Mode: SIS designed to attain appropriate probability of a dangerous failure
per year (e.g., Avionics). This standard does not address this continuous mode of
operation.
ANSI/ISA-S84.01-1996
43
12.1 Terminology
IEC draft Publication
1508 (Part 4)
ISA-S84.01
Comment
E/E/PES Safety
Related System
SIS
IEC draft Publication 1508 refers to Safety Related Systems utilizing all technologies, while S84.01 refers only to
technologies utilizing Safety Instrumented Systems.
PES
PES
IEC draft Publication 1508 "PES" includes sensors & final
control elements, while S84.01 "PES" does not include sensors & final control elements.
EUC
Process
IEC draft Publication 1508 uses "equipment under control"
as a generic term for the process S84.01 uses.
Assessment
PSSR
IEC draft Publication 1508 refers to assessment where
S84.01 refers to verifications and pre-startup safety review
(PSSR).
Functional
Requirements
Specification
Safety
Requirement
Specifications
IEC draft Publication 1508 refers to functional requirements
specification, while S84.01 refers to Safety Requirement
Specifications
12.2 Organizational differences
ISA-S84.01 is prepared by instrumentation personnel for ISA, the international society for
measurement and control, and American National Standards Institute (ANSI). As such, it does
not detail information of process hazards reviews and those issues presently mandated by
U.S.A. regulations such as OSHA 29 CFR 1910.119.
The result is training, management of change, personnel certification, and process hazards
reviews are only briefly discussed and references provided. IEC draft Publication 1508
discusses these issues in greater depth.
44
ANSI/ISA-S84.01-1996
IEC draft Publication 1508
Part 1
ISA-S84.01
Specifies the requirements for achieving functional
safety of external risk reduction facilities
Does not specify external risk reduction facilities
requirements for achieving functional safety
Applies to the total combination of safety related
systems and external risk reduction facilities
Applies only to E/E/PES safety related systems
(e.g., SIS)
Applies Safety Integrity Levels (SIL) to external risk
reduction facilities
Does not apply Safety Integrity Levels (SIL) to
external risk reduction facilities
Mandates the use of ISO 9000 Series of Quality
Systems or equivalent
Does not mandate the use of ISO 9000 Series of
Quality Systems
Mandates the use of Tables in IEC draft Publication
1508 that specify “minimum level of independence
of person, department, organization”
Does not mandate the use of IEC draft Publication
1508 Tables
Mandates the documentation of rationale for not
implementing "Highly Recommended" measures or
techniques in IEC draft Publication 1508
Does not mandate documentation of reasons for
using a different implementation scheme
Mandates the use of a Safety Plan (see details that
follow)
Mandates documentation consistent with OSHA
1910.119, Reference C.11 - Safety Plan not
required
(4.6) Mandates adhering to respective Measures
and Techniques
Does not mandate adhering to any specific measure or technique
Does mandate use of good engineering practice
(4.6) Mandates witnessing tests to ensure
compliance with this standard
Does not mandate witnessing tests to ensure
compliance
(5)
Refers "Competence of Persons" to OSHA
1910.119, Reference C.11
Addresses "Competence of Persons" by
providing detailed requirements in addition to
ISO 9000
(6.0) Defines "Safety Management" activities
during the whole Safety Life Cycle
Does not address management issues, except
management of change
(7.1) Mandates that each phase of the overall
Safety Life Cycle be followed by planned
verification activity, documented with
design review, testing, and analysis of results
Mandates commissioning and Pre-Startup
Acceptance Test (PSAT) of the SIS with appropriate
documentation (see 8.3 & 8.4)
(7.1.3.2) Mandates ISO 9000 procedures plus IEC
draft Publication 1508 requirements be
implemented for all aspects of the Safety
Life Cycle
Does not mandate the use of ISO 9000
(7.1.3.1) Mandates adhering to each step in
the Safety Life Cycle and providing a
documented Safety Plan defining
deviations
Does not address conceptual process design,
process hazard and risk analysis, non-SIS
protection layers, need for a SIS and determining
required SIL
(7.1.3.3) Mandates each phase of the overall
Safety Life Cycle be divided into
elementary tasks with well defined input,
output activity for each, scope, and
documented
SP84 requires that these activities be completed
prior to implementation of SP84
ANSI/ISA-S84.01-1996
45
IEC draft Publication 1508
Part 1
S84.01
(7.2) Requires process conceptional design
information and overall process
concept description
The method for accomplishing this is outside the
scope of this standard
(7.3) Requires EUC definition documented
in this overall scope definition description
(7.4) Defines Hazard and Risk Analysis and
mandates implementation methodology
and documentation
(7.5) Mandates:
Risk Reduction
All Safety Functions
Level of Safety
Specifies Risk
Reduction Method
Items:
7.5.2.4
7.5.2.6
7.5.2.7
7.5.2.2
7.5.2.3
The method for accomplishing this is outside the
scope of this standard
7.5.2.5
(7.6.1) Safety requirements allocation is PHA
oriented and has external risk reduction
facilities
(7.7) Overall operator and
(7.15) maintenance planning includes external
risk reduction systematic analysis
(7.8) Validation includes external risk
(7.14) reduction
(7.9) Provides installation mandates
(7.13)
Mandates overall modification and retrofit issues
Refer to Management of Change in
OSHA1910.119, Reference C.11
Mandates decommissioning log, verification plan,
functional safety assessment plan and report, levels of independence
Does not mandate these requirements
Addresses documentation for all phases
Only addresses SIS documentation
Parts 2 and 3 are normative
Parts 2 and 3 type information is part normative
and part informative -- to be defined
12.3 Technology differences
IEC draft
Publication 1508
46
ISA-S84.01
Comment
SIL 1, 2, 3, 4
SIL 1, 2, 3
S84.01 does not address Safety Integrity Level (SIL) 4 other
than recognizes its existence. SIL 4 development is not
normally found in the process industries.
Equipment Under
Control (EUC) control
system excluding the
safety controls
Basic Process
Control
System
(BPCS)
IEC draft Publication 1508 refers to the EUC control system,
while S84.01 refers to the BPCS.
ANSI/ISA-S84.01-1996
Annex A (Informative) — Information and examples illustrating methods
for determining Safety Integrity Level (SIL) for a Safety
Instrumented System (SIS)
NOTE — THIS ANNEX IS NOT A REQUIREMENT OF THIS STANDARD. IT IS PROVIDED FOR
INFORMATION ONLY.
A.1 Introduction
This annex provides four examples of methods for determining SIL as part of process safety
activities. These examples provide only general information on the range and types of
approaches for determining SIL. These and additional methods are described in Reference C.1.
Determining where a SIS is appropriate, what process variables actuate it, and what final
process actions it takes, are beyond the scope of this annex. The four SIL determination
methods are applied to an example in only enough detail to show conceptually how SIL can be
determined. Details on how to use and understand these SIL determination methods, and
others, are described in the references.
Four example SIL determination methods were selected to illustrate the variety of approaches. A
simple matrix method was chosen to briefly present the key factors, recognizing that many more
comprehensive matrix methods are available. The consequences only method exemplifies a
straight-forward SIL selection method that involves adoption of some very conservative safety
premises. To illustrate a qualitative risk evaluation SIL determination method, a modified HAZOP
method was chosen. Quantitative risk assessment methods are represented by describing how
a fault tree analysis can be used to determine SIL.
Regardless of the method used to select SIL, it is done as part of process safety activities. The
team involved in making SIL decisions consists of participants with certain types of expertise. It
is generally appropriate to include the following expertise and qualifications on the process safety
team:
a) Ownership — those who have direct responsibility for operating the equipment
b) Process Knowledge — an understanding of the basic science and technology involved
in the process and equipment operation
c) Design Knowledge — how the equipment or process should work, particularly
instrumentation for complex control systems
d) Operating Experience — those with direct "hands on" operating and maintenance
experience
e) Others — skill in running process hazards reviews and other appropriate knowledge
as needed
This annex does not provide enough information to adequately understand the use of any
method, and it does not indicate or imply any safety criteria, or recommend any particular
approach.
ANSI/ISA-S84.01-1996
47
As described in Clause 4 of the standard, determination of Safety Integrity Level (SIL), for a
Safety Instrumented Systems (SIS) is a part of process safety activities. As depicted in the
Safety Life Cycle, (see Figure 4.1), steps 2, 3, 4, 5, and 6 summarize the process safety
concepts involved in determining SIL. These life cycle steps are as follows:
f) Step 2 - Evaluate consequences and likelihood for hazardous events
g) Step 3 - Evaluate preventive, protective and mitigating process safety features for these
events, other than SIS
h) Step 4 - Decide if a SIS is appropriate for this application
i) Step 5 - Determine target SIL for the SIS
j) Step 6 - Determine other process safety-related specifications and design criteria
Process safety activities, which include consequence analysis and process hazards reviews
(References C.14 and C.15), have the objective of helping to assure that the process will be safe
to operate. Hazards, and hazardous events, are identified, and means to control the risk and
potential consequences are decided upon, as part of these activities. Risk control and risk
reduction decisions are made on many process safety features of the process. These include
items, such as, procedures, basic process design, over-pressure protection, and SIS.
A.2 Safety Integrity Level (SIL) considerations and the process example
Safety Integrity Level (SIL) is a basic concept in this standard. SIL defines the level of safety
performance for a SIS. SILs are defined as 1, 2, or 3. The higher the SIL, the better the safety
performance of the SIS. Better SIS performance is achieved by higher availability of the safety
function. SIS performance is improved by the addition of redundancy, more frequent testing, use
of diagnostic fault detection, etc., as described in the standard and annexes.
Some understanding of how the three SIL levels will be implemented is important for the process
safety team making the SIL determinations. As the team learns the process, and how hazardous
events can occur, they should understand how the SIS will perform its safety function. With an
understanding of the important safety aspects of the SIS, including what is needed to achieve the
different SIL, the team helps to ensure that the process design and operation do not compromise
performance of the SIS.
Figure A.1 conceptually shows how the three SIL will be implemented in the example application.
The implementation depicted in Figure A.1 is specific to this example. As described in this
standard and ISA-dTR84.02 (Reference C.2), there are many ways to implement SIS to achieve
a specified SIL.
Figure A.2 depicts a simplified piping and instrumentation diagram for the process example. A
high pressure vapor is used to control pressure in a low pressure system. The low pressure
system is protected from over-pressure by
a) a pressure relief valve;
b) a pressure control system; and
c) an operator response to a high pressure alarm.
48
ANSI/ISA-S84.01-1996
Protection of the low pressure system is achieved by stopping flow from the high pressure
system, or by the pressure relief valve opening. The consequence of over-pressuring the low
pressure system is rupture of the low pressure vessel.
The process safety team has identified a potential SIS to prevent over-pressure from occurring in
the low pressure system. The SIS would be implemented by sensing pressure and closing
valves for the different SIL, with sensors, final elements, and logic solvers arranged as shown in
Figure A.1. Figure A.2 simply illustrates the process and is not intended to depict any specific
SIL requirements.
ANSI/ISA-S84.01-1996
49
A.3 Example methods for selecting SIL
In the following sections, four different methods will be described for selecting SIL for this high
pressure shutdown SIS.
Safety
Integrity Level
Sensor
Logic Solver
SIL 1
...T
XXXX
Logic
Solver
Actuator
Figure A.1a
...T
XXXX
Logic
Solver
SIL 2
...T
YYYY
Note 1
Logic
Solver
Note:
1) Sensors, logic solvers, and/or final elements may be redundant as safety availability requirements
dictate
Figure A.1b
Logic
Solver
...T
XXXX
SIL 3
Note 2
...T
YYYY
Logic
Solver
2) The performance of two identical SIL 1 SIS’s may not equal that of one SIL 3 SIS.
Figure A.1c
...T
XXXX
SIL 3
...T
YYYY
Logic
Solver(s)
*
Figure A.1d
* Logic Solver(s) as required to meet SIL
Figure A.1 — Company ABC, Site XX, Specific SIL implementation techniques,
example only
50
ANSI/ISA-S84.01-1996
Figure A.2 — Process example
A.3.1 Example method - the safety layer matrix (Reference C.1)
The method is based on a qualitative understanding of the process risk, and requires a
qualitative evaluation of potential consequences, or impact of harm, that could occur if the SIS
and other protection did not stop an initiating event from proceeding to completion. It requires a
qualitative evaluation; primarily identification of all the different initiating events and their potential
consequences.
The method uses a qualitative matrix, shown in Figure A.3, that requires an evaluation of all the
initiating events that could lead to the consequences, and the effectiveness of protection, other
than the SIS. Qualitative guidance for determining the range of low to high values for the matrix
inputs is specific to many considerations such as company guidance, local factors, the nature of
the process, etc. The matrix used here is strictly for illustrative purposes. Matrixes actually used
will be company dependent.
Use of the matrix requires qualitative evaluation of the severity of the consequences for
hazardous events the SIS is protecting against. The process safety team felt that the severity
was moderate for this example.
The matrix also requires an evaluation of the likelihood of occurrence for all the initiating events
that could lead to consequences. The process safety team felt the likelihood was moderate for
this example.
The third axis of the matrix requires a qualitative evaluation of the effectiveness of other
protection layers. Layers, other than the SIS under consideration, are evaluated for their
effectiveness in preventing the initiating events from leading to consequences. The process
safety team felt the effectiveness was between low and medium for this example. This
judgement was based on the need for extremely rapid operator response and the tendency for
the pressure relief valve to plug. Using these qualitative evaluations, the matrix indicates SIL 2
for the high pressure shutdown system.
A.3.2 Example method - the consequences only method
This method has fewer steps than many other methods and only requires evaluation of the
severity of consequences possible if the SIS and other protection fails. The process safety team
felt this method should be used because it could expedite SIL decisions by reducing the time
spent on evaluations. The possible trade-off was that the design selection of SIL could be higher
ANSI/ISA-S84.01-1996
51
than predicted by use of other SIL selection methods. Erring on the side of designing a higher
than necessary SIL level was felt to be conservative by this team. The team preferred to save
time that would be spent on risk evaluations and to incur the potential cost penalties imposed by
selecting a higher SIL than might otherwise result. Money spent on equal or better safety
performing SIS was felt to be a good investment in safety.
Figure A.3 — Company ABC, Site XX, Example of a qualitative matrix for the
determining SIL
The method only requires an evaluation of the severity of consequences, should the SIS and
other protective safety items fail. Since this is a conservative method, this particular plant
decided to simplify the SIL selection process from three SIL choices to two SIL choices. This
was done by selecting only SIL 1 or SIL 3 designs. If the consequences are above a base
threshold, then a SIL 1 is selected. If they are above a "major" severity criteria, then a SIL 3 is
selected.
These two severity levels were defined to include injuries, property damage, and environmental
impact specific to this process. Risk was addressed in setting these guidelines, by the
underlying assumption that the frequence of occurrence of initiating events for all SIS
applications was assumed to be frequent, or “likely.”
The team evaluated the severity of consequences for the high pressure shutdown SIS in the
example and felt they exceeded the "major" criteria. Based on that evaluation, a SIL 3 was
selected.
A.3.3 Example method - the modified HAZOP method
In order to determine the SIL, the modified HAZOP method includes the consideration of the
severity of the consequences, their probability of occurrence, along with other risk-related
52
ANSI/ISA-S84.01-1996
factors. Specific risk reduction recommendations can be evaluated in terms of their effectiveness
in reducing risk. The team decides on recommendations, or the adequacy of current risk controls,
based on this evaluation process.
Using an experienced leader in HAZOP methodology, the process segment is systematically
analyzed using a set of guide words to identify process deviations that could lead to hazardous
events. A spreadsheet format is used to associate the process deviation, with a specific upset
cause. The upset cause is followed by the potential consequences of the upset, factors that
prevent or protect against the consequences, and the action or judgement of the team on how to
control the associated risk. The team decides on recommendations or the adequacy of current
risk controls, based on this evaluation process.
Part of the modified HAZOP documentation for the example is summarized in Table A.1.
The modified HAZOP team also identified operator error when in manual mode during startup as
a cause of a high pressure upset.
Based on the severity of the consequences, the team’s feeling for the likelihood of these upsets,
and overall performance of the protective systems, the team agreed a SIS was needed. Initially,
a SIL 2 or 3 was considered by the team for further evaluation. The team considered safety,
equipment reliability, and operation and maintenance costs then determined that an SIL 2 SIS is
more appropriate for this application.
Table A.1 — Modified HAZOP documentation example
PROCESS DEVIATION
CAUSE
CONSEQUENCES
PROTECTION
More Flow
Pressure control valve
fails to open
Vessel rupture with
potential injuries,
property damage, and
environmental damage
– Relief Valve
– Operator response
to high pressure
alarms
– High pressure
shutdown SIS
More Pressure
Pressure sensor fails,
drifts to a false low
pressure output
Same as More Flow
– Same as More Flow,
except the operator
response is only
triggered by a single
high pressure signal
A.3.4 Example method - SIL determined from a fault tree
Based on the example vessel rupture hazard and several other major hazards in this process, a
fault tree analysis was done for a large part of the process, which included the example. The
fault tree quantitatively estimated the frequency of occurrence for explosive over-pressure
rupture of several process vessels.
Fault trees are logic diagrams that systematically display sequences of failures. Sequences of
failures that begin with basic events, such as a sensor failure, and lead to a defined "top" event
are diagramed. The top event in this case is explosive over-pressure rupture of process vessels.
The fault tree logic diagram can be analyzed to estimate the frequency of occurrence for the top
event. Failure rates and conditional failure probabilities are assigned to each basic event. Then
the top event frequency of occurrence can be calculated. Fault tree analysis is briefly described
ANSI/ISA-S84.01-1996
53
in Reference C.1, page 56, and extensively covered in Reference C.13. Details of the fault tree
covering the example are too complex to describe or depict in this annex.
The first step in using the fault tree to determine SIL for the example was to develop the fault tree
logic diagram. The initial fault tree was based on the assumption of a high pressure shutdown
SIS designed as shown in Figure A.2, a SIL 1 design. Appropriate failure information were
determined for all the failure events associated with the example. For example, failure
frequencies were estimated for initiating events, such as the pressure control valve failing to
open. A top event frequency for vessel rupture was then calculated.
After reviewing the fault tree results, the team decided that the fault tree should be changed for
evaluation of an SIL 2 and 3 design for this SIS. Subsequent results of this fault tree evaluation
indicated a substantial safety improvement for the SIL 2 design, versus the SIL 1 design. The
top event vessel rupture frequency of occurrence decreased by a substantial percentage. A
similar comparison of SIL 2 versus SIL 3 designs, indicated only a small safety improvement, i.e.,
the top event frequency decreased only slightly. Based on these comparisons, the team selected
SIL 2 for the high pressure shut down SIS.
54
ANSI/ISA-S84.01-1996
Annex B (Informative) — SIS design considerations
NOTE — THIS ANNEX IS NOT A REQUIREMENT OF THIS STANDARD.
IT IS PROVIDED FOR INFORMATION ONLY.
This informative annex addresses design methods to meet SIL requirements. The following SIS
design considerations are addressed:
B.1
Separation - identical or diverse
B.2
Redundancy - identical or diverse
B.3
Software design considerations
B.4
Technology selection
B.5
Failure rate and failure modes
B.6
Architecture
B.7
Power sources
B.8
Common cause failures
B.9
Diagnostics
B.10
Field devices
B.11
User interface
B.12
Security
B.13
Wiring practices
B.14
Documentation
B.15
Function test interval
B.1 Separation - identical or diverse
B.1.1 Separation between BPCS and SIS functions reduces the probability that both control and
safety functions become unavailable at the same time, or that inadvertent changes affect the safety
functionality of the SIS. Therefore, it is generally necessary to provide separation between the
BPCS and SIS functions.
B.1.2 Identical separation is generally acceptable for SIL 1 applications. Diverse separation offers
the additional benefit of reducing the probability of systematic faults (a factor especially important
in SIL 3 applications) and reducing common cause failures (see B.8).
B.1.3 There are four areas where separation may be needed to meet the safety functionality and
safety integrity requirements:
a) Application of field sensors
b) Application of final control elements
ANSI/ISA-S84.01-1996
55
c) The logic solver
d) Communication between SIS and BPCS or other equipment
B.1.4 Each of these four areas should be evaluated to ensure that the required SIL is met.
B.1.5 Sensors
A single sensor used for both BPCS and SIS requires further safety review and analysis as part
of the process safety activity (see Annex A). For example, a level sensor used for both BPCS
and high level trip SIS can create a demand if it fails below the setpoint of the level controller; as
a result, the controller may drive the valve open, and this protection will be lost.
B.1.5.1 For SIL 1, a single sensor may be used for both BPCS and SIS, provided the safety integrity
requirements are met.
B.1.5.2 For SIL 2, identical separation between BPCS and SIS is typically needed to meet the
required safety integrity.
B.1.5.3 For SIL 3, identical or diverse separation between BPCS and SIS is typically needed to
meet the required safety integrity.
B.1.5.4 When redundant SIS sensors are used, the sensors may be connected to both the SIS
and BPCS provided that a safety review and analysis shows the connection to the BPCS does not
compromise the safety integrity of the SIS.
B.1.6 Control and shutdown valves
B.1.6.1 For SIL 1, a single valve may be used for both BPCS and SIS, provided the valve’s unsafe
failure rate meets the safety integrity requirements. The design should ensure that the SIS action
overrides the BPCS action.
B.1.6.2 For SIL 2, identical separation between BPCS and SIS is typically needed to meet the
required safety integrity. A single valve used for both BPCS and SIS requires further safety review
and analysis, since it may not meet the required safety integrity. For example, a valve used for
both BPCS and SIS can create a demand if it fails in the open position. If this valve is also used
for an interlock, this protection will be lost, since the SIS could not close the valve.
B.1.6.3 For SIL 3, identical or diverse separation between BPCS and SIS is typically needed to
meet the required safety integrity.
B.1.6.4 When redundant SIS valves are used, the valves may be connected to both the SIS and
BPCS provided that a safety review and analysis shows the connection to the BPCS does not
compromise the safety integrity of the SIS.
B.1.6.5 Additional considerations for determining valve requirements are
a) shutoff requirements;
b) reliability experience with the valve;
c) unsafe failure modes of the valve; and
d) operating procedures that make the valve less effective (e.g., open bypass valves).
56
ANSI/ISA-S84.01-1996
B.1.7 Logic solver
B.1.7.1 For SIL 1, identical or diverse separation between BPCS and SIS is typically needed to
meet the required safety integrity.
B.1.7.2 For SIL 2, diverse separation between BPCS and SIS is typically needed to meet the
required safety integrity. Identical separation between BPCS and SIS may be used provided safety
review and analysis shows that it meets the safety integrity requirements.
B.1.7.3 For SIL 3, diverse separation between BPCS and SIS should be considered to meet the
required safety integrity.
B.1.7.4 There may be special cases where it is not possible to provide separation between BPCS
and SIS (e.g., a gas turbine control system includes both control and safety functions). Additional
considerations when combining control and safety functions in the same device are
a) evaluation of the failure of common components and software and their impact on SIS
performance;
b) life cycle support of the entire system as a SIS with respect to changes, maintenance,
testing, and documentation; and
c) limiting access to the programming or configuration functions of the system.
B.1.8 Communications between BPCS and SIS
B.1.8.1 Communications between BPCS and SIS can enhance the overall safety of the application.
However, external communications, particularly writes to the SIS, can compromise the safety
integrity of the SIS. Provision must be made to ensure all writes are valid and do not negatively
impact the system safety or operation. (See B.1.8.2 sections (c) and (d) for further guidance.)
B.1.8.2 There are five basic ways to approach external communication between BPCS and SIS:
a) No external communication between BPCS and SIS
This is acceptable for all SILs.
b) Hard-wired communication between BPCS and SIS
This is acceptable for SIL 1 and SIL 2, but use of this method for SIL 3 requires additional
safety review and analysis. For example, analog or discrete output from one device to
the input of another device.
c) Read only external communication from SIS to BPCS
This may be acceptable for all SILs if review and analysis is done to assure that the
safety function is not compromised. Measures to achieve write protection of the safety
function include, but are not limited to
1) hard-wired switch (or jumper) to limit write access; and
2) implementation of the safety function in SIS ROM.
d) Read/write external communications with write protection of the safety function
This is acceptable for SIL 1 and 2, but use of this method for SIL 3 requires additional
ANSI/ISA-S84.01-1996
57
safety review and analysis. Measures to achieve write protection of the safety function
include but are not limited to
1) limited time window for write access; and
2) software switch (e.g., password) to limit write access.
e) Read/write external communications with limited or no write protection of the safety
function
Use of this method may be acceptable for SIL 1. Use of this method for SIL 2 requires
additional safety review and analysis. Use of this method in SIL 3 is discouraged.
B.2 Redundancy - identical or diverse
B.2.1 Redundancy can be applied to provide enhanced safety integrity or improved fault tolerance.
The designer should determine the redundancy requirements that achieve the SIL and reliability
requirements for all components of the SIS including sensors, logic solver, and final control elements.
B.2.2 An example of this is where the SIS requires a 1oo2 architecture, but there is concern about
spurious trips. In such a situation, the designer may choose a 2oo3 architecture, which may
improve reliability without substantially reducing safety integrity.
B.2.3 Redundancy is applicable to both hardware and software (see B.10).
B.2.4 Redundancy should be analyzed for common cause faults. Elimination or reduction of the
fault source, or the use of diverse redundancy, are methods to mitigate common cause faults.
Some examples of common cause faults are
a) plugging of shared instrument lead lines;
b) corrosion;
c) hardware faults;
d) software errors; and
e) power supply/source.
B.2.5 Diverse redundancy uses different technology, design, manufacture, software, firmware,
etc., to reduce the influence of common cause faults. Diverse redundancy should be used if it is
required to meet the SIL. Diverse redundancy should not be used where its application can result
in the use of lower reliability components that will not meet system reliability requirements.
B.2.6 Measures that can be used to achieve diverse redundancy include, but are not limited to
a) the use of different measurements (e.g., pressure and temperature) when there is a
known relationship between them;
b) the use of different measurement technologies of the same variable (e.g., coriolis flow
and vortex flow);
c) the use of different types of PES for each channel of redundant architecture; and
58
ANSI/ISA-S84.01-1996
d) the use of geographic diversity (e.g., alternate routes for redundant communications
media).
B.2.7 Some typical concerns with PES technology that could warrant diverse redundancy in SIS
would be undetected faults in
a) hardware;
b) manufacturing;
c) components;
d) operating system;
e) communications;
f) firmware;
g) software;
h) application programming; and
i) environment.
B.3 Software design considerations
B.3.1 Embedded Software
B.3.1.1 Embedded software is provided by PES suppliers and is typically transparent to the
preparation of application software. Considerations that should be understood before proceeding
with the application software development include the following:
a) The supplier has a software quality plan.
b) The embedded software revision level is defined.
c) The embedded software revision level is the same as the revision level analyzed when
initially approving the PES for use as a SIS.
d) All enhancements to, or fixes of, embedded software functionality contained in new
software releases have been reviewed and analyzed.
B.3.2 Utility software
B.3.2.1 Use of utility software should adhere to the same criteria as embedded software (see
B.3.1). Utility software from third parties may be available and considered for use. Use of third
party utility software for applications program development, without testing and approval of the
PES manufacturer of the utility software package, is not recommended.
B.3.3 Application software
B.3.3.1 Modular design is highly desirable in application programs. Modular design tends to
enhance design simplicity and integrity.
B.3.3.2 Application software should include provision for diagnostic testing if required to meet the
system SIL. A typical diagnostic testing scheme using an external Watchdog Timer is illustrated
in Reference C.1.
ANSI/ISA-S84.01-1996
59
B.3.3.3 Programming languages that are mature and/or have been certified to accepted industry
standards are preferred.
B.3.3.4 Programming guidelines should be established to enforce consistent style among the
design team. Implementation of a software quality plan may facilitate development of a consistent
programming style.
B.3.3.5 To avoid unnecessary complexity and features that make the behavior of the system
difficult to predict, the following should be considered:
a) The software should have a definite order and structure so that it ensures understanding
of where you are in the application software at all times
b) If nested sequences are used, nesting should be limited to as few layers as possible
c) Peer reviews of application software
B.3.3.6 To verify that the software design meets each of the requirements established in the Safety
Requirement Specifications, consider the following:
a) An analysis to demonstrate that each of the requirements established in the Safety
Requirement Specifications is implemented in the design
b) Peer review of designs of safety critical functions
B.3.3.7 Confirm that the application software meets the requirements established in the Safety
Requirement Specifications under all expected operating conditions. Consider the following:
a) Tests should be developed to exercise the software beyond the normal bounds for data,
commands, keyboard inputs, and other actions.
b) A bug-reporting and resolution system should be implemented.
c) Application software should be tested to determine software behavior in the presence
of hardware faults.
B.4 Technology selection
B.4.1 Safety Instrumented Systems (SIS) can be developed using Electrical, Electronic or Programmable Electronic (E/E/PE) technologies.
B.4.2 A hybrid scheme combining technologies (e.g., PE, Electrical, etc.) may be used to develop
a SIS.
B.4.3 There are other technologies that can be used other than E/E/PE in the design of an SIS,
such as pneumatics, hydraulics, etc. These technologies are outside the scope of this standard
(see 1.2.9).
B.4.4 Electrical technology used in SISs
B.4.4.1 Direct-wired systems
B.4.4.1.1 Direct-wired systems have the discrete sensor directly connected to the final element.
This technology can only be used in the simplest applications. There is minimal diagnostic coverage, so proof testing frequency may have to be increased.
60
ANSI/ISA-S84.01-1996
B.4.4.2 Electromechanical devices
B.4.4.2.1 Electromechanical devices include relays and timers. Relays are often used where
simple logic functions are adequate to provide the necessary safety logic. Extensive operating
experience with relays and their mature technology make acceptance of this device in a SIS
widespread.
B.4.4.2.2 Standards and guidelines for implementing electromechanical relays in SIS applications
are available to users (see Reference C.4). Unsafe failure modes of relays can also be quantified.
B.4.4.2.3 Successful users of relays in safety applications have followed some simple guidelines.
They include using a relay that
a) has a good in-plant track record;
b) has the proper "fail-to-shelf" position (e.g., position when completely disconnected)
characteristics when installed;
c) is found reliable through life-cycle testing;
d) is user approved for safety applications; and
e) is suitable for the environment in which it is placed (e.g., hermetically sealed).
B.4.4.2.4 The relay SIS has other attributes that should be considered:
a) The on/off status can be readily obtained by checking contact position (e.g., open or
closed).
b) Its interconnected logic is very difficult to change (requires rewiring).
c) It is simple and understood by plant personnel and can be easily supported.
d) It is easily identified and secured as a critical control device.
e) It has failure modes that can be isolated to reduce common mode failures.
B.4.4.2.5 Relay logic should not be considered inherently fail-safe. Even if the relays are properly
selected and applied, the contacts may weld and the spring may not return the switching contacts
to the de-energized position.
B.4.4.2.6 Electromechanical relay logic systems should consider the following criteria:
a) Contacts open on coil de-energization or failure.
b) The coil has gravity dropout or dual springs.
c) Contacts are of proper material and rating.
d) Energy limiting load resistance is installed to prevent contacts from welding closed.
e) Proper arc suppression of the contacts is provided for inductive loads.
B.4.4.2.7 There are low energy loads (e.g., 50 volts or below and/or 10 mA or below) that require
special contact materials or designs (e.g., hermetically-sealed contacts) to eliminate oxidation
build-up on contacts resulting in unreliable operation (e.g., load dropout). This is referred to as
contact-wetting. When utilizing these special contacts, specific failure mode analysis is needed
for these contacts to ensure that a fail-safe electromechanical system is being designed.
ANSI/ISA-S84.01-1996
61
B.4.4.2.8 Electromechanical relays may not be suitable for SIS applications with
a) high duty-cycles resulting in frequent state changes;
b) timers or latching functions;
c) complex math functions;
d) analog measurements; and
e) large logic applications.
B.4.4.3 Motor driven timers
B.4.4.3.1 Motor driven timers provide acceptable performance for key safety applications such as
burner purge timing. Most motor driven timers require a locking device or appropriate modification
to eliminate tampering with critical settings. Motor driven timers are limited in timing resolution and
the ability to handle high duty cycles.
B.4.5 Electronic technology used in SISs
B.4.5.1 Solid state relays
B.4.5.1.1 Solid state relays are used in high duty-cycle application and have unsafe failure modes
that can be identified and quantified. Appropriate design features should be added to handle these
unsafe failure modes. Some additional applications of solid state relays are described in the
following paragraphs.
B.4.5.2 Solid state timers
B.4.5.2.1 Solid state timers are used where the application’s complexity does not warrant a PES.
Solid state timer technology can be categorized as either Resistor-Capacitor (RC) circuit or pulse
counting. RC timing devices may not be suitable for safety applications because of poor repeatability and unsafe failure modes. Note that RC circuitry is often used in the time setting portion of
pulse-counting timers; this does not preclude the use of these timers.
B.4.5.2.2 The pulse-counting timer, sometimes referred to as a digital timer, can use a number of
methods to achieve pulse counting. These include
a) a line frequency (50 or 60 Hz);
b) an electronic oscillator; and
c) a quartz crystal oscillator.
B.4.5.2.3 A user-approved safety crystal oscillator (e.g., quartz) timer is recommended because
of high repeatability and good reliability.
B.4.5.3 Solid state logic
B.4.5.3.1 Solid state logic refers to the transistor family of components like Complimentary Metal
Oxide Semiconductor (CMOS), Resistor-Transistor Logic (RTL), transistor-transistor logic (TTL),
and High Noise Immunity Logic (HNIL). These components are assembled in stand-alone modules,
plug-in board modules, or in highly integrated, high-density chips. They differ from typical computer-type equipment in that they have no Central Processing Unit (CPU). They perform according
to the logic obtained by the direct-wiring techniques of interconnecting the various logic components
such as ANDs, ORs, and NOTs. These systems have limitations in fail-safe requirements (e.g.,
indeterminate failure modes) that should be recognized.
62
ANSI/ISA-S84.01-1996
B.4.5.3.2 Solid state logic has generally been integrated with direct-wiring and relay schemes for
SIS. Solid state logic is not recommended for SISs unless provided with additional diagnostics to
test for unsafe failure modes. PESs are sometimes used as a diagnostic tool to make solid state
logic systems suitable for SIS.
B.4.5.4 Pulsed electronic logic
B.4.5.4.1 Pulsed electronic logic generates pulses with a specified amplitude and period. A pulse
train is recognized as a logic "true” or "one," while all other signals (e.g., grounds, non-specified
pulses, and continuous "on" or "off") are recognized as a logic "false" or "zero."
B.4.5.4.2 Pulsed electronic logic can be considered in a SIS if it meets the requirements noted in
this standard and is user approved.
B.4.5.4.3 Pulsed electronic logic can offer high safety integrity. However, PES designs offer some
functions that may not be available with pulsed solid state systems or electronic logic such as
calculation capability, improved communications, and networking.
B.4.6 PES technology used in SIS
B.4.6.1 The PES can be a programmable controller, a distributed control system controller, or an
application-specific stand alone microcomputer. Caution should be used when using personal
computers, since they generally do not have the safety integrity required for SIS applications.
B.4.6.2 The use of PES results in many difficult to recognize failure modes, many of which can
be unsafe.
B.4.6.3 Some techniques that can be used to minimize the unsafe failure modes of PES are
a) extensive diagnostics to detect covert faults (see B.9 for guidance);
b) use of redundancy, fault tolerance (e.g., 2oo3), and similar architectures;
c) use of Watchdog Timers, both internal and external; and
d) use of outputs with diagnostics to detect output module failures.
B.4.6.4 Select PES technology for SIS when
a) there are large numbers of Input/Output, or many analog signals;
b) logic requirements are complex, or the logic includes computational functions;
c) extensive data communications with the BPCS is required; and
d) different trip points are required for different operations (e.g., batch application recipe
selection).
B.5 Failure rates and failure modes
B.5.1 Failure rate is the average rate at which faults occur within the SIS components. The failure
rate for the overt failure mode of a component may be quite different than the failure rate for the
covert mode. The failure rates for both of these modes and their safety implication should be
considered in the design of the SIS. Failure rates are influenced by component design, manufacturing quality, installation practice, and environmental and process conditions. See ISA-dTR84.02
for additional information.
ANSI/ISA-S84.01-1996
63
B.5.2 Tables B.5.1 and B.5.2 list some of the possible faults which should be considered in the
design of SIS.
Table B.5.1 — Typical SIS failure modes
Device(s)
SENSOR
Failure Mode
Device(s)
Failure Mode
Isolation from process
Sensor/X-mitter stuck
Up/Downscale stuck;
Incorrect signal
WIRING/CONNECTORS
BARRIER/
TERMINATION
EXTERNAL
COMMUNICATION
Wiring faults; Coil burn
out; Relay race
Drift/Calibration Fault
Timing faults
Noise
Welded contacts
Conversion time fault;
Conversion fault
Stuck armature
Incorrect supply voltage
Contact fidelity
Open/short
SOLID STATE LOGIC
Wiring fault
Ground fault
Noise/dynamic faults/
x-talk
Noise
Stuck gates (on-off)/
back-plane faults
Open/short
Counter failure
Ground fault
FINAL ELEMENT
Pilot device fault
Isolation failure
Stuck open/closed/
intermediate
Wrong signal
Mechanism stuck
Corrupt data
Energy source
Incorrect data
Conversion time fault
Incorrect source/
destination
Incorrect handshaking
Conversion fault
Duplicate source/
destination
64
ELECTROMECHANICAL
RELAY/TIMER
COMMON MODE
Over-voltage, current,
pressure, etc.
Incorrect Input/Output addressing
Under-voltage, current,
etc.
Loss of connection
Total loss of energy
Loss of receiver/
transmitter
Backup-Energy failure
(UPS)
Response timeout
Temporary energy
fluctuations
Faulty error correction
Temperature too high or
too low
Shorts or open circuits
Corrosion
Loss of redundant
channel
Electromagnetic
interference
ANSI/ISA-S84.01-1996
Table B.5.2 — Typical programmable electronic failure modes
Device(s)
PES
Failure Mode
Stuck bit / multiple bits
PES
Failure Mode
x-talk (DMA)
Dynamic faults / x-talk
Bus request stuck
(DMA)
Instruction time / Wait
states / stall
Transfer time incorrect
(DMA)
uCode / macro code
Wrong sample time
Arithmetic Logic Unit
(ALU) faults
Timer register fault
Access time wait state
logic
Wrong timer
Access time
Timeout / overrun
Stuck Interrupt Request
(IRQ)
Timebase fault
Stuck / loss of timing
Set / reset fault
Device specific
(custom IC)
IRQ / poll fault (Timer)
Stuck Input/Output bit
Trigger pattern (WDT)
x-talk on Input /
Output lines
Trigger too early / late
(WDT)
Wrong Input /
Output line
INPUT
Stuck on/off
Data direction fault
(I/O Port)
Upscale / Downscale /
conversion fault
Signal too fast / slow
(I/O Port)
Drift calibration
Lost bit / byte / message (comm)
Unstable input
Wrong sender / receiver
/ message
Isolation fault
Timeout / multidrop
conflict
Linearization /
Compensation
Deadlock (comm)
ANSI/ISA-S84.01-1996
Device(s)
OUTPUT
Stuck on / off /
Conversion fault
Parity generator fault
Upscale / Downscale
Frame fault / buffer
overrun
Drift / Calibration
Stuck Direct Memory
Access (DMA)
Unstable output
x-talk (DMA)
Isolation fault
Loss of Input/Output
communication
Linearization/
Compensation
65
B.6 Architecture
B.6.1 Selection of the SIS architecture is an activity performed during the conceptual design step
of the Safety Life Cycle. The architecture has a major impact on the overall safety integrity of the
SIS. The architecture also influences SIS reliability (likelihood of spurious trips) (Reference C.3).
B.6.2 Some of the activities involved in determining the SIS architecture are
a) selection of energize to trip or de-energize to trip design;
b) selection of identical or diverse redundancy for the SIS sensors, logic solver, and final
control elements;
c) selection of redundancy for power sources and SIS power supplies;
d) selection of operator interface components (e.g., CRT, alarm annunciator, pushbuttons)
and their method of interconnection to the SIS; and
e) selection of data communications interfaces between SIS and other subsystems (e.g.,
BPCS) and their method of communication (e.g., read only or read/write).
B.6.3 A SIS may utilize architectures (e.g., 2oo3 sensor, 1oo1 logic solver, 1oo2 final element)
for reasons that may include different
a) SILs in the same SIS;
b) testing requirements;
c) equipment reliability and failure modes; and
d) user interfaces.
B.6.4 Architecture that may typically meet the SIL performance requirements includes:
SIL 1 - A 1oo1 architecture with a single sensor, single logic solver, and a single
final control element.
SIL 2 - Requires more diagnostics and typically includes redundancy of the logic
solver and sensors, with redundancy of final control elements as
necessary.
SIL 3 - Typically two separate and diverse 1oo1 arrangements, each with their
own sensor, logic solver, and final control element. The 1oo1
arrangements would be connected in a 1oo2 voting scheme. Diverse
separation, redundancy, and exhaustive diagnostic capabilities are
considered significant aspects of a SIL 3 system.
The user must determine the failure rates of the system components, diagnostic coverage, test
intervals, redundancy, etc., and evaluate each specific SIS to validate its performance (see
ISA-dTR84.02 for additional guidance).
B.7 Power sources
Power sources include, but are not limited to, electrical power, pneumatic power (e.g., instrument
air), and hydraulic power. Grounding is included in this subclause after electrical power.
66
ANSI/ISA-S84.01-1996
B.7.1 Electrical power source
B.7.1.1 The electrical power source should be designed to meet the safety integrity and reliability
requirements of the application.
B.7.1.2 Electrical power source redundancy is frequently provided to improve the reliability of the
SIS, although redundancy may not be necessary to meet the safety integrity requirements for deenergized to trip applications. For energize to trip applications, electrical power source redundancy
is typically provided to meet the safety integrity requirements.
B.7.1.3 Electrical power source redundancy can be provided using an alternate source with automatic transfer, an Uninterruptible Power Supply (UPS), or battery backup by an alternate source.
Design considerations when transferring to alternate sources include
a) detection of fault prior to impacting SIS operation;
b) transfer to back-up source without impacting SIS operation;
c) ability to maintain UPS or batteries without impacting SIS operation; and
d) minimize common cause failures.
B.7.1.4 Consider providing power source(s) diagnostics that will not allow SIS startup unless all
power sources are available.
B.7.1.5 Electronic and programmable electronic SIS frequently include internal power supplies
that convert electrical power source(s) to lower level voltages for internal use. Power supply
redundancy should be considered to meet the reliability requirements of the application.
B.7.1.6 Electronic and programmable electronic SIS typically are more sensitive to electrical noise
(e.g., radio frequency interference or electromagnetic interference) Utilize shielding, good wiring
practices (see B.13), and proper grounding (see B.7.2).
B.7.1.7 Electronic and programmable electronic SIS typically have a lower insulation breakover
voltage rating than an electrical SIS. Therefore, additional surge protection may be required.
B.7.1.8 Programmable electronic SIS may require electrical power with lower total harmonic
distortion than electrical or electronic SIS.
B.7.1.9 Input/Output (I/O) may have separate power distribution, fused to minimize common cause
in case of a wiring fault. These fuses should coordinate with upstream fuses to insure minimum
impact on system performance if a fuse blows.
B.7.1.10 A checklist of AC electrical power considerations includes
a) voltage and current range including inrush current;
b) frequency range;
c) harmonics;
d) non-linear loads;
e) ac transfer time;
f) overload and short circuit protection and coordination;
g) lightning protection;
ANSI/ISA-S84.01-1996
67
h) protection against transients such as spikes, surges, brown outs, and electrical noise;
i) protection against undervoltages;
j) protection against overvoltages; and
k) grounding.
B.7.1.11 A checklist of DC electrical power considerations includes
a) voltage range and current range including inrush current; and
b) non-linear loads.
B.7.2 Grounding
B.7.2.1 Grounding is critical in E/E/PE technology to ensure personnel safety (Reference C.5)
and proper equipment performance. This subclause deals only with the voltages found in SIS
applications (typically 240 volt AC or below, and 125 volts DC and below).
B.7.2.2 Note that the grounding becomes more restrictive when moving from electrical to electronic
and from electronic to programmable electronic. Therefore, electrical equipment grounding can
be easily achieved in a grounding system designed for electronic and/or Programmable Electronic
equipment, and electronic equipment grounding can be easily achieved in a grounding system
designed for programmable electronic equipment. Programmable Electronic equipment installed
in a grounding system designed for electrical technology may not be appropriate.
B.7.2.3 For ungrounded systems, consider using ground fault detection relays and alarms as
appropriate.
B.7.2.4 Note that electrical or electronic technologies may integrate Programmable Electronic into
their equipment to enhance performance through improved communication, diagnostics, humanmachine interfaces, etc. In those cases, treat the grounding as if it is Programmable Electronic
grounding, unless vendor installation guidelines dictate a different approach.
B.7.2.5 The grounding system should meet the manufacturer’s recommendations. Deviations
should have safety review and analysis.
B.7.2.6 A checklist of grounding considerations includes
a) corrosion protection;
b) cathodic protection;
c) lightning cone of protection;
d) ground planes (Reference C.16);
e) raised floor grounding;
f) static electricity protection;
g) shield ground;
h) single point ground;
i) test ground;
j) intrinsic safety barrier grounds; and
k) ground terminal(s) availability.
68
ANSI/ISA-S84.01-1996
B.7.3 Pneumatic power
B.7.3.1 Instrument air (or other gas) is typically used with final elements such as control valves.
The solenoid valve acts as an electrical to instrument gas relay. The instrument gas should be
filtered, dried, and continuously monitored to assure proper pressure is maintained, and the system
should be backed up to attain the uptime required to meet the reliability.
B.7.3.2 Instrument air checklist:
a) Pressure
b) Moisture
c) Contaminants
d) Lubrication where required
e) Volume
B.7.4 Hydraulic power
B.7.4.1 Hydraulic power is typically used where high motive force is required, such as very large
valves.
B.7.4.2 Hydraulic power checklist:
a) Pressure
b) Volume
c) Contaminants
d) Fluid properties
B.8 Common cause failures
B.8.1 Common cause faults can be caused by a single (non-redundant) component or by systematic errors in redundant components.
B.8.2 Some examples of common cause faults include
a) specification errors;
b) hardware design errors;
c) software design errors;
d) human-machine interface design;
e) environmental over-stress (HI/LO temperature - humidity - pressure, corrosion);
f) single elements (common process taps, Reference C.1, Figure 5.11, common conduit
single energy sources, single field devices, etc.);
g) process corrosion or fouling;
h) vibration;
i) maintenance (e.g., tools, procedures, calibration, training); and
j) susceptibility to mis-operation (e.g., training, procedures, activity under abnormal
stress).
ANSI/ISA-S84.01-1996
69
B.8.3 Common cause faults or systematic errors may be reduced during design using appropriate
fault avoidance measures. Consider using the following methods:
a) Provide supplier with application-specific information (e.g., codes, model number(s),
etc.)
b) Verification
c) Diverse separation
d) Diverse redundancy
e) Identical redundancy
f) Identical separation
B.8.4 A number of functionally separate SIS may share the same environment, cabinet, operator
interface, and maintenance/engineering interface. These separate systems may however require
physical separation of power and logic solver to accomplish testing maintenance or modification.
The impact of these activities should be considered during system layout.
B.9 Diagnostics
B.9.1 General considerations
B.9.1.1 Diagnostics are tests performed periodically and automatically to detect covert faults that
prevent the SIS from responding to a demand (see ISA-dTR84.02 for further guidance).
B.9.1.2 Various types of faults that can occur are included in Table B.9.1:
Table B.9.1 — Fault types
Fault Type
Example
Faults that immediately disable the capability of the SIS to
respond to a demand (critical faults)
Stuck-on or stuck off of a critical output
point
Faults that in combination with other faults disable the
capability of the SIS to respond to a demand (potential
critical faults)
Diagnostic of a critical output point not
performed
Faults initiating a safe response of the SIS without a demand
Spurious trip due to a component fault
Faults that have no impact on the capability of the SIS to
respond to a demand (benign faults)
Burned out, not critical LED
B.9.1.3 A covert fault in a system may prevent the SIS from responding to a demand. This can
be the first fault in a single channel system or a combination of faults in a multi-channel system.
Therefore it is important to not only discover critical faults but also potentially critical faults before
they accumulate.
70
ANSI/ISA-S84.01-1996
B.9.1.4 Faults can result in two types of failures:
a) Random failures, a spontaneous failure of a component
b) Systematic failures (or errors), a hidden fault in design or implementation
B.9.1.5 Hardware is prone to random failures, but can also have systematic failures (incorrect
timing, components used outside their specified range, etc.).
B.9.1.6 Software is generally free of random failures, but has a high probability of systematic
failures. Once a systematic failure becomes overt, it can be corrected and will cease to exist.
B.9.1.7 Random failures occur spontaneously. Depending on the persistence of the fault over
time two conditions are possible:
a) Permanent random faults persist until they are repaired.
b) Dynamic random faults (cross-talk, thermal faults, etc.) occur under certain
circumstances and disappear.
B.9.2 Diagnostic tests
B.9.2.1 Diagnostics may be accomplished using a variety or combination of methods, including:
a) hardware integrity monitoring (e.g., impedance monitoring in thermocouples);
b) automatic built-in tests provided within the purchased SIS equipment (e.g., Input/Output
module self-tests);
c) automatic test incorporated as part of the application specific design (e.g., readback of
output signals through input points);
d) Watchdog Timers, signal comparison, end-of-line detection, etc.; and
e) comparing redundant signals.
B.9.2.2 An inherently safe response to a fault may replace the requirement for a diagnostic for
that fault. However, a so called "safe" design of a component may not always result in a safe
response of the SIS, as this is application specific.
B.9.3 Diagnostic coverage
B.9.3.1 A particular diagnostic technique is usually less than 100% effective in detecting all possible
failures. An estimate of the "effectiveness" of the diagnostics used may be provided for the set of
failures being addressed.
B.9.3.2 Improved diagnostic coverage of the SIS may assist in satisfying the requirements of the
target Safety Integrity Level. Specific failure modes that may be covered by diagnostics are listed
in Table B.9.2. This or a similar list of failure modes may be needed to identify those areas where
diagnostic coverage is required.
B.9.3.3 Critical and potentially critical faults (like faults to CPU / RAM / ROM ...) will inhibit almost
the entire processing of data and are therefore more far reaching than a fault of a single output
point. The coverage requirements for these kind of faults are therefore stricter. Additionally, failure
modes that carry a high failure probability have to be detected with more confidence. Further, the
detectability of failure modes has to be taken into account - failure modes that are detectable using
simple means should be implemented whenever possible.
ANSI/ISA-S84.01-1996
71
B.9.3.4 For each diagnostic implemented, the following should be identified:
a) Testing interval
b) Resulting action on fault detection
c) Both criteria should meet the Safety Requirement Specifications
B.9.3.5 Where certain diagnostics are not "built-in" to the vendor-supplied equipment, appropriate
diagnostics may be implemented at the system or application level.
B.9.3.6 Diagnostics may not be capable of detecting systematic errors (like software bugs).
However, appropriate precautionary measures to detect possible systematic faults may be
implemented.
Table B.9.2 — Diagnostic tests for programmable electronics
Hardware
possible cause
Data
Chip error
Software
detection
Hardware fault testing
Address
Time
Processing
possible cause
detection
Wrong constants
Indexing
Hard limit checking
Wrong circuit
Event
Event verification
Component out of
specification
Scheduling
Scheduler monitor
Algorithm
Assertions
Plausibility check
Reverse
computation
diversity
Voter fault
Random voter test
B.10 Field devices
B.10.1 General considerations
B.10.1.1 Many common cause failures of field devices may be avoided by properly applied redundancy and/or diversity. One example is an application requiring redundant sensors using
different principles of operation and/or different manufacturers.
B.10.1.2 Two analog sensors, two discrete sensors (switches), or one of each could be selected.
If one analog device and one discrete device are selected to provide diversity, as opposed to two
analog devices, the advantage of continuous comparison of signals is lost. Proper operation of
the discrete device can only be verified by testing or the occurrence of a process demand. If two
analog devices are selected, they can be continuously compared. This comparison significantly
reduces Mean Time To Detection of failure thus providing more available protection.
B.10.1.3 The following SIS considerations related to field devices may enhance the application
of field devices:
a) Continuously compare redundant sensors while system operates (e.g., alarm or shut
down on unacceptable deviation)
72
ANSI/ISA-S84.01-1996
b) Compare flow or other related variables to modulating valve position
c) At each shutdown, compare sensor readings with known shutdown conditions and each
other (e.g., use these comparisons as permissives for the next startup. This reduces
Mean Time To Detection of field device failures. This applies also to valve positions
monitored by limit switches.)
d) If SIS has a built-in feature that displays the last good value on a bad value of the field
sensor, this feature should be defeated (For SIS applications the signal should be
permitted to go to its extreme value)
e) Feedback to alarm when a final element fails to go to its commanded state
f) Alarm if field devices change state without a command from the SIS
g) Vendors MTBF data
h) Predictability of failure modes
i) Performance following long periods in the same position
j) Avoid using measurements outside the accuracy limit of the sensors (e.g., accuracy/
turndown; for example, where zero flow is to be verified, a flow sensor should not be
used)
k) Identification (typing, color code, etc.)
l) With analytical measurements, try to design the system to provide a comparison
between analytical readings and related basic measurements such as pressure,
temperature, etc.
B.10.2 Field device failure modes and their detection
B.10.2.1 Essentially all field devices have three failure states - their extreme states or somewhere
in between.
Sensors:
upscale, downscale, on scale
Current/voltage alarm trips: current/voltage alarm trips convert current and voltage (e.g.,
4 - 20 mA or 0 - 10 V DC) analog inputs into discrete signal outputs. The trip value is field
adjustable. These switches have unsafe failure modes; appropriate analysis and design features
should be provided to ensure safe operation.
Valves:
open, closed, partially open
Relays:
coil inoperative, contacts held in their "normal" positions, contacts welded closed,
contacts worn resulting in high resistance/restricted current flow, and stuck
armature
B.10.2.2 Given these failure modes, consider selecting components with built in features that drive
the device to one of its detectable extremes in a high percentage of its failure modes.
B.10.3 Sensor selection criteria
B.10.3.1 Some considerations for the selection of sensors include
a) analog devices are preferred to discrete types;
b) where possible, try to obtain redundancy and/or diversity by measuring different
variables where each is indicative of the same abnormal condition;
ANSI/ISA-S84.01-1996
73
c) carefully review process/ambient conditions that could effect the filling/emptying of
impulse lines;
d) verify seal liquids in diaphragm seal applications for resistance to amalgamation,
freezing, polymerization, all of which can cause false readings;
e) devices that are selected to achieve diversity should have sufficient reliability to meet
system reliability requirements or alternate approaches to diversity should be
considered; and
f) carefully weigh the use of devices that are foreign to a plant’s maintenance organization.
B.10.3.2 A minimum number of shutoff valves should be employed between the process and a
sensor in SIS service. Each sensor requiring a process shutoff should have its own dedicated
connection and valve (see Reference C.1, Figure 5.11).
B.10.4 Final element application considerations
B.10.4.1 Some considerations in the application of valves used as final control elements include
a) opening/closing speeds;
b) shutoff differential pressure in both directions of flow;
c) leakage (degree of shutoff requirements);
d) fire resistance — body and actuator;
e) performance following long periods in the same position;
f) where it will meet the requirements, consider the use of a modulating control valve as
one of the final valve elements since the proper operation of the control loop verifies
the valve is not stuck in a single position;
g) do not compromise reliability to achieve diversity;
h) materials suitability/comparability;
i) carefully weigh the use of devices that are foreign to a plant's maintenance organization;
j) fail position considerations; and
k) valve position indication.
B.10.4.2 Solenoid valves
B.10.4.2.1 Some considerations in the application of solenoid valves include
a) consider temperature, voltage, area classification, loading, etc., when selecting solenoid
valves;
b) effects of air pressure, minimum or maximum, on the valve;
c) ensure the solenoid valve is sized properly;
d) adjustable flow paths provide an opportunity for defeating an SIS function if improperly
adjusted;
e) mounting the solenoid between the positioner and the valve;
74
ANSI/ISA-S84.01-1996
f) some solenoids are mounting position sensitive — consider installation detail
requirements; and
g) solenoid vents should have protection against plugging, dirt, insects, freezing, etc.
B.10.4.3 Motor starters
B.10.4.3.1 In general, redundant motor starters are not used. Redundancy is applied in the form
of contacts in the control circuit. Auxiliary contacts may be fed back to the SIS to verify starter
status (position).
B.10.5 Input signal conditioners and output amplifiers
Input/output interface devices are special purpose solid state relays. They have unsafe failure
modes that should be identified and quantified. Appropriate design features should be added to
handle these unsafe failure modes before they can be approved for use in a SIS.
Input/output interfaces are required as the signal conditioners for solid state logic systems or
PESs. Input signal conditioners receive sensor signals at the strength required for suitable
operation on the factory floor (e.g., 120 V, 48 V, 24 V, 4 - 20 mA). The purpose of the inputs and
outputs in a solid state SIS is to isolate the low energy logic system (typically low voltage DC)
from the high energy field system (typical signal levels are 120 volt AC and 24 volt DC).
Low energy signal levels are utilized in the logic system to achieve signal processing speed.
High energy signal levels are used in the field devices to ensure a high signal to noise ratio over
long transmission distances and to assure that contacts on discrete sensors used as input
devices have sufficient power (voltage and current) to provide appropriate contact-wetting.
Output amplifiers receive the low energy signal from the solid state or PES logic solver and
convert it to a signal suitable for driving the final element (e.g., solenoid valve).
B.11 User interface
User interfaces to a safety-related PES are operator interfaces and maintenance/engineering
interfaces.
B.11.1 Operator interfaces
The operator interface used to communicate information between the operator and the SIS may
include
a) video displays;
b) panels containing lamps, push buttons, indicators, and switches;
c) annunciators;
d) printers; and
e) any combination of these.
B.11.1.1 Video displays
B.11.1.1.1 Video displays may share safety and process control functions. A BPCS, or other
computer-based control system, through its normal operator displays, may provide the sole operator interface to a SIS.
ANSI/ISA-S84.01-1996
75
B.11.1.1.2 SIS data displayed to the operator should be updated and refreshed at the rate required
to communicate between the operator and the SIS during emergency conditions so safe
response(s) can be attained.
B.11.1.1.3 Displays relating to the SIS should be clearly identified as such, avoiding ambiguity or
potential for operator confusion in an emergency situation. Operators should have easy access
to safety-related displays, preferably by a single key-stroke or touch-screen stroke giving entry into
a display hierarchy.
B.11.1.1.4 Give the operator enough information on one display to rapidly convey critical
information. Display consistency is important. Provide the same access methods, alarm
conventions, and display components as are used in the non-safety-related displays.
B.11.1.1.5 Display layout is also important. Too much information on one display may lead to
operators misreading data and taking wrong actions. Use colors, flashing indicators, and judicious
data spacing to guide the operator to important information and to reduce the possibility of
confusion. Messages must be clear, concise, and unambiguous.
B.11.1.1.6 The operator interface and associated system (such as a Distributed Control System)
may be used to provide automatic safety-related event logging and alarming functions. Conditions
to be logged should include SIS events (such as trip and pre-trip occurrences), whenever the SIS
is accessed for program changes, and diagnostics.
B.11.1.2 Panel(s)
B.11.1.2.1 Panels should be located to give operators easy access.
B.11.1.2.2 Arrange panel to ensure that the layout of the push buttons, lamps, gauges, and other
information is not confusing to the operator. Shutdown switches for different process units or
equipment that look the same and are grouped together may result in the wrong equipment being
shut down by an operator under stress in an emergency situation. Physically separate the shutdown
switches and boldly label their function. Provide means to test all lamps.
B.11.1.3 Printer(s)
B.11.1.3.1 Printers connected to the SIS should not compromise the safety function if the printer
fails, is turned off, is disconnected, runs out of paper, or behaves abnormally.
B.11.1.3.2 A SIS connected to a BPCS may use BPCS facilities to perform its safety-related
logging and reporting functions.
B.11.1.3.3 Printers are useful to document Sequence Of Events (SOE) information, diagnostics,
and other safety-related events and alarms, with time and date stamping and identification by tag
number. Report formatting utilities should be provided.
B.11.1.3.4 If printing is a buffered function (information is stored, then printed on demand or on a
timed schedule), then the buffer should be sized so that information is not lost, and under no
circumstances should SIS functionality be compromised due to filled buffered memory space.
B.11.2 Maintenance/Engineering interface(s)
B.11.2.1 Maintenance/Engineering interfaces consist of means to program, test, and maintain the
SIS. Interfaces are devices used for functions such as:
a) System hardware configuration
76
ANSI/ISA-S84.01-1996
b) Application software development, documentation, and downloading to the SIS, logic
solver
c) Access to application software for changes, testing, and monitoring
d) Viewing SIS system resource and diagnostic information
e) Changing SIS security levels and access to application software variables
B.11.2.2 Maintenance/Engineering Interfaces should have capabilities to display the operating
and diagnostic status of all SIS components (such as Input/Output modules, processors, etc.)
including the communication among them.
B.11.2.3 Maintenance/Engineering Interfaces should provide means for copying application programs to storage media.
B.11.2.4 A user-approved personal computer may be used as a Maintenance/Engineering
Interface.
B.12 Security
B.12.1 General
B.12.1.1 Means should be provided to control access to SIS including the logic solver, SIS maintenance interfaces, test and bypass functions, SIS alarms, sensors, and final elements. The access
protection may be in the form of locked cabinets, "read only" communication, access codes, passwords, administrative procedures, etc.
B.12.1.2 For guidance in the application of these options see Reference C.1, Section 6.1.9.
B.12.2 Exceptions
Protection against the following are beyond the scope of this annex:
a) Malicious modification
b) Modification errors
B.12.3 Additional PES considerations
B.12.3.1 Access control and security may be provided by a combination of application logic and
host functions for any SIS user-interface device that could interfere with performance of the safety
function:
a) Parameters that are appropriate for operator interaction should be accessible.
b) Parameters that may be changed on-line with appropriate review should come under
access control.
c) Parameters or functions that require validation after change should be accessible only
off-line.
B.12.3.2 The ability to restrict access to the SIS operating mode, program, and data should be
an integral feature of the SIS.
ANSI/ISA-S84.01-1996
77
B.13 Wiring practices
B.13.1 Wiring practices should meet the manufacturers’ recommendations and NEC requirements.
Deviations should have safety review and analysis.
B.13.2 Consider enhancing wiring practices by:
a) Eliminating circuit commons for multiple circuits;
b) Adding circuits for better isolation;
c) Adding fuses to isolate faults in a way that reduces common cause;
d) Implementing test facilities;
e) Elimination of ground loop problems; and
f) Separating SIS terminations from all other terminations.
B.13.3 Additional considerations for electronic or programmable electronic SIS include:
a) Twisted pair signal wires for EMI protection (Reference C.7);
b) Shield and drain wire for RFI protection, usually grounded at the power source end;
c) Overall metallic covering (e.g., cable armor) or raceway (e.g., cable tray, duct, conduit)
for EMI and lightning protection should be grounded at both ends, and depending on
the distance, at intermediate points;
d) separation of energy levels to eliminate cross-talk and radiated noise pickup;
e) surge protection as appropriate;
f) provide isolation (e.g., fiber optic) between different ground planes;
g) data communication cable specification and shielding should meet manufacturer’s
recommendations; and
h) cabinet wiring should be arranged to minimize electrical noise interference and high
temperature.
B.13.4 Electronic and programmable electronic logic solvers use internal low level logic signals.
Use of low level logic outside the shielded controller cabinet may be inappropriate.
B.13.5 Electronic and programmable electronic logic solvers may require a more restrictive wiring
approach because inductive or capacitive coupling may falsely turn on inputs.
B.13.6 Use caution when using solid state inputs or outputs because leakage current may falsely
actuate final control elements.
78
ANSI/ISA-S84.01-1996
B.14 Documentation
B.14.1 A list of the documentation that may be used to implement a SIS, includes the following:
a) Safety Requirement Specifications
b) Application logic
c) Design documentation
d) Commissioning Pre-Startup Acceptance Test procedure(s)
e) SIS operating procedure(s)
f) SIS maintenance procedure(s)
g) Functional test procedure(s)
h) Management of Change documentation
i) Qualitative or quantitative verification that the SIS meets the SIL
NOTE — Not all this documentation needs to be maintained.
B.14.2 Applications program backup
B.14.2.1 A backup technique allows the entire system to be restored to operation as quickly as
possible. These techniques may include one or several of the following:
a) Copy to a removable medium such as magnetic tape or disk which can be copied back
b) Copy to a removable medium which can be used as a disk replacement for a corrupted
PES
c) Copy to an on-line device (e.g., disk) used to backup
d) A communications link with another digital system
B.14.2.2 Consider maintaining a separate backup for data that is accumulated by the application
software to generate reports, records, and trends.
B.15 Functional test interval
See 9.7 for mandates related to functional testing. The following is guidance, which may be used
to determine the functional test interval.
B.15.1 The frequency of functional tests should be consistent with applicable manufacturer’s
recommendations and good engineering practices, and more frequently if determined to be
necessary by prior operating experience.
B.15.2 The functional test interval should be selected to achieve the Safety Integrity Level (SIL).
B.15.3 ISA-dTR84.02 illustrates various methods to determine the functional test interval.
ANSI/ISA-S84.01-1996
79
Annex C (Informative) — Informative references
NOTES
1.
Utilize latest edition of the reference.
2.
In case of conflicting information, ISA-S84.01 takes precedence.
3.
Within the body of the text and the Index, references are cited by the reference numbers (in
italics and brackets) given below.
AMERICAN INSTITUTE OF CHEMICAL ENGINEERS (AIChE)
[Ref. C.13]
Guidelines for Chemical Process Quantitative Risk Analysis, New York, 1989
[Ref. C.14]
Guidelines for Hazard Evaluation Procedures, New York, 1985
[Ref. C.1]
Guidelines for Safe Automation of Chemical Processes, New York, 1993
Available from:
AIChE
345 East 47th Street
New York, NY 10017
Tel: (212) 705-7657
CHEMETICS INTERNATIONAL COMPANY
[Ref. C.15]
Knowlton, R. Ellis, An Introduction to Hazard and Operability Studies, 1988
Available from:
Chemetics International Company
Chemical Technology Division
1818 Corwall Avenue
Vancouver BC V6J 1C7
Canada
Tel: (604) 734-1200
CHEMICAL INDUSTRIES ASSOCIATION
[Ref. C.15]
A Guide to Hazard and Operability Studies, London, 1977
Available from:
ANSI/ISA-S84.01-1996
Chemical Industries Association
King’s Buildings
Smith Square
London SW1P 2JJ
England
Tel: 44 71 8343399
81
INTERNATIONAL ELECTROTECHNICAL COMMISSION (IEC)
[Ref. C.8 & C.9]
Parts 1-7 IEC draft Publication 1508-1995, Functional safety of
electrical/electronic/programmable electronic safety-related systems
NOTE — IEC draft Publication 1508 is in development; for more information, contact your
national committee.
Available from:
IEC
P.O. Box 131
3, rue de Varembe
1211 Geneva 20
Switzerland
Tel: 41 22 734 0150
INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE)
[Ref. C.7]
IEEE 518-1982, RA-1990
Available from:
Guide for the Installation of Electrical Equipment
to Minimize Electrical Noise Inputs to Controllers
from External Sources
IEEE
P.O. Box 1331
445 Hoes Lane
Piscataway, NJ 08855-1331
Tel: (800) 678-4333
ISA
[Ref. C.2]
ISA-dTR84.02-1996
Electrical (E) / Electronics (E) / Programmable
Electronic Systems (PES) for Use in Safety
Applications - Safety Integrity Evaluation
Techniques
NOTE — dTR84.02 is in development; for information, contact ISA.
[Ref. C.6]
ISA-S91.01-1995
[Ref. C.3]
Goble, W.M., Evaluating Control System Reliability Techniques and
Applications, 1992
Available from:
82
Identification of Emergency Shutdown Systems
and Controls That are Critical to Maintaining
Safety in Process Industries
ISA
P.O. Box 12277
67 Alexander Drive
Research Triangle Park, NC 27709
Tel: (919) 990-9200
ANSI/ISA-S84.01-1996
MCGRAW-HILL, INC.
[Ref. C.16]
Dictionary of Scientific and Technical Terms, fifth edition, 1993
Available from:
McGraw-Hill, Inc.
1221 Avenue of the Americas
New York, NY 10020
Tel: (800) 262-4729
NATIONAL FIRE PROTECTION ASSOCIATION (NFPA)
[Ref. C.5]
NFPA 70-1993
Available from:
National Electrical Code
NFPA
P.O. Box 9101
One Batterymarch Park
Quincy, MA 02269-9101
Tel: (617) 770-3000
UNDERWRITERS LABORATORIES, INC. (UL)
[Ref. C.4]
UL Standard 508-1989
(15th Edition)
Available from:
Standard for Safety, Industrial Control
Equipment
UL
333 Pfingsten Road
Northbrook, IL 60062
Tel: (708) 272-8800
UK ATOMIC ENERGY AUTHORITY (AEA TECHNOLOGY)
[Ref. C.10]
Risk Control and Instrument Protective Systems in the Process Industries,
Warrington, UK, 1980
Available from:
ANSI/ISA-S84.01-1996
UK Atomic Energy Authority
Safety and Reliability Directorate
Wigshaw Lane
Culcheth Warrington WA3 4NE
England
Tel: 44 71 925 254486
83
UNITED STATES CODE OF FEDERAL REGULATIONS (CFR)
[Ref. C.11]
29 CFR 1910.119-1992
(Final Rule:
February 24, 1992)
Process Safety Management of Highly
Hazardous Chemicals, Explosives, and
Blasting Agents
[Ref. C.12]
40 CFR Part 68
(Proposed rules:
October 23, 1993)
Risk Management Programs for Chemical
Accidental Release Prevention
Available from:
84
U. S. Government Printing Office
Superintendent of Documents
Washington, DC 20402
Tel: (202) 512-1800
ANSI/ISA-S84.01-1996
Annex D (Informative) — Example
NOTE — THIS CLAUSE IS NOT A REQUIREMENT OF THIS STANDARD. IT IS PROVIDED
FOR INFORMATION ONLY.
D.1 Introduction to the example problem
This example problem is provided as an aid to illustrate how a user company might apply this
standard to design a Safety Instrumented Systems (SIS). The example problem is maintaining a
level in a process surge tank in the KIS2 Corporation. The results of the KIS2 Process Hazards
Analysis (PHA) that was conducted on this vessel is an input to this example problem.
The information provided in Annex D is intended to illustrate the thought process in designing a
SIS and the relationship of each step to this standard. References to the standard and the
appropriate annexes are provided in parentheses ( ), and in addition, exact extractions from the
normative portion of this standard are shown in italics. It is necessary to read the complete
annex to understand how all design issues are addressed.
Because of the amount of detail that is required to achieve a high-integrity safety design, this
example includes a number of simplifications. The specific design choices made in this example
do not reflect practices associated with any particular company and are not intended to be the
only possible choices. This example does provide guidance to users on how to implement this
standard.
It is expected that each company will have guidelines that address the methodology that should
be used in arriving at their own particular solution. The final design, by whatever methodology
used, should meet the specified Safety Integrity Level (SIL).
The figures and guidance provided in Annex D are an overview of what is needed and do not
provide the detail necessary to specify, design, install, and maintain a SIS.
D.2 Safety Life Cycle (Figure 4.1)
This example reviews the development of the Safety Requirement Specifications (Clause 5),
addresses the issues in SIS Conceptual Design (Clause 6), and briefly touches on Detail Design
(Clause 7). Subsequent functions (Commissioning, Pre-Startup Acceptance Test, Maintenance,
etc.) are not addressed except as they pertain to the design of the SIS.
D.3 Safety requirement specification
D.3.1 Input requirements (5.2)
The information required from the Process Hazards Analysis (PHA) or process design team used
to develop the Safety Requirement Specifications, includes the following.
ANSI/ISA-S84.01-1996
85
D.3.1.1 Process information description (5.2.1)
Process information description (dynamics, sensors, final elements, etc.) of each potential
hazardous event that requires a SIS (Reference C.6).
The process as shown in Figure D.1 contains hot wash water with varying amounts of flammable
organics and other hazardous chemicals.
Figure D.1 — Basic process control scheme
The level inside the process surge tank must be maintained. The level is sensed and transmitted
by a level transmitter (LT-1) to a controller (LC-1) which in turn regulates the position of a control
valve (LV-1) by transmitting a 4 - 20 mA signal to a current-to-air transducer (I/P-1). The tank
(1-101) is provided with a relief valve to prevent over-pressure due to overfilling or fire. The relief
valve discharges directly to the atmosphere.
If the relief valve discharges, the resulting spray could cause serious personnel injury due to the
hazardous chemicals inside the tank. In addition, since the fluid is also flammable, the potential
for a fire or explosion exists, which could also result in serious injury to personnel.
The PHA team has identified two possible causes of an overfill event in the tank:
a) LV-1 fails in an open position due to foreign material in the pipeline.
b) LT-1 fails indicating a low level which causes the level controller to open LV-1.
Although the instruments in service (LT-1, LC-1, and LV-1) have been reliable in the past, the
PHA team believes that due to the number of safety issues involved, additional safeguards
should be added to reduce this risk.
86
ANSI/ISA-S84.01-1996
One possibility would be to eliminate the relief valve. However, this option is barred by the ASME
Code and could lead to a catastrophic failure of the tank in the event of over-pressure due to an
external fire. Another option is to install a catch tank on the line from the relief valve. An alarm
could be provided to indicate the presence of a liquid in the tank, which would in turn indicate that
Tank 1-101 has overflowed. In this particular case, the PHA team is very concerned about
contamination in the catch tank, pluggage of the overflow line, and also believes that the catch
tank could overflow. This option was rejected. Since an intrinsic safety fix is not easy and/or may
create additional safety problems, a SIS will be installed.
D.3.1.2 Safety Integrity Level of each safety function (5.2.2)
The PHA team agreed that the SIS for this application shall be designed and maintained to
provide SIL 2 performance.
D.3.1.3 Process common cause failure consideration (5.2.3)
The design team should be aware of the following process common cause failure possibilities:
a) There is a potential for chemical buildup on the level sensor. Consideration should be
given to selecting the best sensor that guards against this failure and installing it so that
the buildup does not take place or is reduced to a maintainable level.
b) Valves should also be selected that guard against this same concern (chemical buildup).
Therefore, full port-line size ball valves should be considered.
D.3.1.4 Regulatory requirements (5.2.4)
Because of the significant quantity of hazardous chemicals used in this process, the SIS shall be
required to adhere to OSHA 29 CFR 1910 (Reference C.11).
D.3.2 Safety functional requirements (5.3)
D.3.2.1 The process safe state is to shut off all raw material feeds into Tank 1-101.
D.3.2.2 Process inputs to the SIS and their trip points (5.3.2)
All feeds to the tank are to shut off when the level reaches ninety percent.
D.3.2.3 Normal operation range (5.3.3)
The normal operation is twenty to eighty percent of tank level.
D.3.2.4 Process outputs from the SIS and their action (5.3.4)
Redundant (1oo2) shutoff valves are required, one of which is shared with the BPCS (LV-1).
Both valves are to fail closed.
D.3.2.5 Functional relationships between process inputs and outputs, including logic, math
functions, and any required permissives (5.3.5)
For complex control system functional relationships, logic diagrams are provided and in some
cases may have to be supplemented with text to properly communicate the functional
requirements. In this example, the logic is so simple a P&ID with narrative is sufficient.
D.3.2.6 Selection of de-energized to trip or energized to trip (5.3.6)
This SIS shall be de-energized to trip.
ANSI/ISA-S84.01-1996
87
D.3.2.7 Considerations for manual shutdown (5.3.7)
Manual push buttons and a panel mounted alarm will be provided so that the operators can
shutdown the flow in the event that the SIS fails or the operator observes some other unusual
condition.
D.3.2.8 Action to be taken on loss of energy source to the SIS (5.3.8)
Loss of electricity or air supply will result in closure of block valves.
D.3.2.9 Response time requirements for the SIS to bring the process to a safe state (5.3.9)
Since the tank fills slowly, response time for this SIS to function upon detection of high level is
adequate.
D.3.2.10 Response action to any overt fault (5.3.10)
If the operator becomes aware of any failure in the SIS, the operator shall immediately shut off all
feeds into the tank by pressing the emergency shutdown switch.
D.3.2.11 Human-machine interface requirements (5.3.11)
a) Pre-high alarm from BPCS
b) Manual shutdown capability
c) SIS tripped alarm
d) SIS diagnostics alarm(s) (see D.4.2)
D.3.2.12 Reset function (5.3.12)
In the event that the SIS tripped, it is necessary for the operator to push a reset button to restart
the feed into the tank.
D.4 Safety integrity requirements (5.4)
D.4.1 Required SIL (5.4.1)
SIL 2 is required.
D.4.2 Diagnostic requirements (5.4.2)
Limit switches on the shutoff valve will be used to compare the position of the valve with the
signal from the logic solver. If they don’t agree, the operator will be notified (by an alarm and/or
printer) that there is an equipment failure.
D.4.3 Maintenance and testing (5.4.3)
This SIS shall be inspected and tested once per year. In addition, if any problems are detected
with the SIS, correction will be started immediately and work will continue round-the-clock until
repair is complete.
D.4.4 Spurious trips (5.4.4)
Spurious trips will not cause any safety-related problems.
88
ANSI/ISA-S84.01-1996
D.5 Conceptual design (6.0)
D.5.1 Objective (6.1)
The following requirements define the conceptual design requirements for this SIS.
D.5.1.1 Considerations (6.2.3)
a) Separation
The SIS shall be separate from the BPCS except for a shared valve.
b) Redundancy
Require redundant shutoff valves.
c) Software design considerations
The application program shall utilize function block-type software.
d) Technology selection
This SIS could be performed using any approved technology. PES is selected to allow
this example to be more useful to the reader.
e) Failure rates and failure modes
The failure rates and failure modes for the SIS equipment used in this design has been
developed from the data compiled within the KIS2 Corporation.
f) Architecture requirements
Using internal KIS2 Corporation guidelines, the architectural requirements for a SIL 2
is as follows:
Sensor
Logic Solvers
Valves
1oo1
1oo1
1oo2
g) Power sources
The electrical and pneumatic system power sources required for this batch process
shall be provided using good engineering practices. This shall include
1) dedicated power source from a separately derived system (Reference C.5,
Sections 250-5 and 250-26);
2) power sources capable of being individually maintained;
3) power sources with no common mode failure mechanisms due to failure of
non-related power sources (except the main power source header); and
4) grounding using good engineering practices.
An Uninterruptible Power Supply is not required because of the high system reliability
experienced with the plant electrical power system.
ANSI/ISA-S84.01-1996
89
h) Common cause
Sensors and valves selected to reduce chemical buildup problems.
i) Diagnostics
Limit switches on the shutoff valve will be used to compare the position of the valve with
the signal from the logic solver. If they don’t agree, the operator will be notified (by an
alarm and/or printer) that there is an equipment failure.
j) Field devices
Smart transmitters shall be utilized for all process measurements.
k) User interface
User interface shall be panel-mounted alarm panel, manual reset switch, and manual
shutdown switch.
l) Security
The KIS2 facility is secure. The SIS logic solver shall be located in the equipment
control room.
The SIS sensors and final control elements are red tagged (in addition to standard
identification) to note their safety functional status to plant personnel.
All smart transmitter communication to the SIS logic solver shall be write protected to
prevent changing the transmitter settings while on-line.
Any communication link between the SIS and the BPCS shall be write protected to
prevent inadvertent program changes to the SIS from the BPCS.
m) Wiring practices
The wiring shall be in accordance with the National Electrical Code (Reference C.5),
local codes and regulations, and SIS equipment supplier guidelines.
Two separate raceway systems, one for electrical power (e.g., 120/240V) and one for
instrument signal (e.g., 4 - 20 mA) shall be provided.
SIS wiring can use the same terminal box as BPCS wiring, but clearly identified
separate terminals shall be provided for all SIS wiring.
n) Documentation
Compliance with OSHA 29 CFR 1910 documentation requirement is mandatory.
o) Function test interval
The SIS shall be tested once a year.
D.6 Detail design (7.0)
D.6.1 Objective (7.1)
The following is an overview of how the information developed in the Safety Requirement
Specifications and the SIS Conceptual Design is used to develop the SIS Detail Design.
90
ANSI/ISA-S84.01-1996
D.6.2 General requirements (7.2)
KIS2 Corporation has developed corporate guidelines for the detail design of SISs. The
architecture is selected using KIS2 corporate guidelines and the information developed. The
conceptual design is shown in Figure 2.
Using the Safety Requirement Specifications, the SIS Conceptual Design requirement, and
internal KIS2 corporate guideline, the SIS can now be designed.
Using these documents, the final design is reflected in Figure D.2.
Figure D.2 — Tentative design solution
ANSI/ISA-S84.01-1996
91
Annex E (Informative) — Index
1
1oo1 28, 66, 89
1oo2 22, 28, 58, 66, 87, 89
2
2oo3 22, 28, 58, 63, 66
A
abnormal stress 69
AC transfer time 67
access 33, 35, 65, 76, 77
access method(s) 76
accuracy 37, 73
Accuracy of calibration 37
achitecture(s) 66
actuator 74
adequacy of current risk controls 53
adhere 38, 42, 59, 87
administrative controls 39
administrative procedure(s) 20, 77
aeronautical 4
air 19, 66, 69, 74, 86, 88
air conditioning 34
air filtration 34
alarm convention(s) 76
alarm systems 17
alarm(s) 32, 33, 35, 40, 48, 53, 66, 68, 72, 73, 76, 87, 88, 90
algorithm(s) 72
alternate 32, 59, 67, 74
ambient 74
ambiguity 76
American National Standards Institute (ANSI) 44
amplifier(s) 75
amplitude 63
analog 57, 62, 63, 66, 72, 73
analog devices 72, 73
analytical measurement(s) 73
annunciator(s) 66, 75
anti-surge control 18
application program(s) 18, 19, 22, 59, 79, 89
application software 18, 22, 30, 33, 35, 42, 59, 60, 77, 79
application specific 70, 71
appropriate technology 25
arc suppression 61
architecture(s) 18, 19, 26, 28, 29, 58, 63, 66, 89, 91
armature 64, 73
as-found 41
as-left 41
assessment 46
authorization requirements 42
ANSI/ISA-S84.01-1996
93
automated 15, 20
automatic 30, 32, 71, 76
automatic reset 30
automatic transfer 67
automatically restart 31
auxiliary contact(s) 75
availability 18, 42, 48, 68
avionics 43
B
backed up 69
backup 64, 67, 79
barrier 64
basic events 53
Basic Process Control System(s) (BPCS) 16, 18, 20, 22, 30, 31, 36, 46
batch # 30
battery(ies) 39, 67
benign faults(s) 70
boundaries 15
brown outs 68
buffer 65, 76
buffered 76
bug 35
bug-reporting 60
built-in test(s) 71
bypass 56
bypassed 32, 39
bypassing 18, 35, 39
C
C.1 30, 38, 47, 51, 54, 59, 69, 74, 77, 81, 87
C.2 48, 82
C.3 66, 82
C.4 61, 83
C.5 30, 68, 83, 89, 90
C.6 15, 82, 86
C.7 78, 82
C.8 13, 82
C.9 13, 82
C.10 83
C.11 41, 45, 46, 84
C.12 19, 84
C.13 54, 81
C.14 48, 81
C.15 48, 81
C.16 68, 83
cabinet wiring 78
cabinet(s) 70, 77, 78
calculation 22, 63
calibration 33, 39, 64, 65, 69
capacitive 78
cathodic protection 68
caution 63, 78
Central Processing Unit (CPU) 62
certified 60
certify 40
channel(s) 22, 58, 64, 70
checklist 67, 68, 69
chronic health effects 17
circuit common(s) 78
94
ANSI/ISA-S84.01-1996
closed 61, 64, 73, 87
coating 27
code(s) 16, 17, 30, 70, 77, 87, 90
coil 61, 64, 73
coking 31
color code 73
color(s) 76
commands 60
commissioning 13, 26, 36, 37, 45, 79, 85
common cause 18, 28, 67, 78, 90
common cause failure(s) 18, 27, 29, 55, 67, 72, 87
common cause fault(s) 18, 19, 28, 58, 69, 70
common components 57
common elements 28
common logic 28
common mode 64
common mode failure mechanisms 89
common mode failures 61
communication(s) 18, 30, 32, 33, 56, 57, 58, 59, 63, 64, 65, 66, 68, 77, 78, 79, 90
company guidance 51
competence of persons 45
complex 47, 54, 62, 63, 87
Complimentary Metal Oxide Semiconductor (CMOS) 62
compressor 18
computational 40, 63
conceptual design 29, 66, 89, 91
conceptual process design 23, 25, 45
conditioner(s) 75
cone of protection 68
configuration 19, 33, 57, 76
conformance 20, 36
confusion 76
consequence analysis 48
consequence(s) 19, 25, 48, 49, 51, 52, 53
consequences only method 47, 51
conservative 47, 52
contact 61, 64, 73, 75
contact-wetting 61, 75
contaminants 34, 69
continuous 63, 72
continuous mode 43
control and safety functions 55, 57
control valve(s) 32, 69, 86
coordination 67
coriolis flow 58
corrosion 27, 31, 58, 64, 68, 69
cost 52
coverage 18, 71
covert 35
covert failure mode 30
covert failure(s) 30
covert fault(s) 18, 30, 39, 63, 70
covert mode 63
criteria 47, 48, 59, 61, 72, 73
Critical 71
critical 32, 61, 62, 68, 70
critical faults 70, 71
critical information 76
cross-talk 71, 78
CRT 32
current 31, 38, 53, 64, 67, 68, 73, 75, 78, 86
customers 35
ANSI/ISA-S84.01-1996
95
D
decommissioning 18, 21, 23, 26, 43, 46
dedicated power source 33, 89
dedicated wiring 31
de-energize(d) to trip 19, 27, 66, 67, 87
de-energized 19, 61
defects 39
definitions 3, 18
degradation 32
demand 19, 20, 39, 43, 56, 70, 72, 76
demand mode 43
demand rate 41
design considerations 29, 55, 67
designer 58
detail design 36, 85, 90, 91
detectability 71
detectable 19, 71, 73
detected faults 39
detection 19, 35, 67, 72, 73, 88
diagnostic coverage 18, 19, 60, 66, 71
diagnostic fault detection 25, 48
diagnostic testing 59
diagnostic(s) 28, 29, 32, 33, 40, 63, 66, 67, 68, 70, 71, 72, 76, 77, 88, 90
diagram 15
differences 4, 13, 34, 43
digital 19, 79
digital timer 62
direct-wired 60
direct-wiring 62, 63
dirt 75
disabling 33
discrete 21, 57, 72, 73
discrete input/output 31
discrete sensor(s) 31, 60, 72, 75
disk(s) 79
display(s) 37, 53, 73, 75, 76, 77
distributed control system 63, 76
diverse 19, 21, 25, 29, 66
diverse redundancy 21, 58, 59, 66, 70
diverse separation 21, 55, 56, 57, 66, 70
diversity 72, 73, 74
document control procedure 42
document(s) 13, 25, 26, 27, 30, 36, 41, 42, 76, 91
documentation 13, 22, 29, 33, 37, 38, 40, 42, 45, 46, 53, 57, 77, 78, 79, 90
downscale 64, 65, 73
drain wire 78
dropout 61
dTR84.02 3, 13, 48, 63, 66, 70, 79, 82
duty cycles 62
dynamic random fault(s) 71
dynamics 27, 86
E
electrical area classification 34
electrical fault 22
electrical noise 67, 78
electrical technology 60, 68
Electrical/Electronic/Programmable Electronic System (E/E/PES) 15
Electro Magnetic Interference (EMI) 34, 67
electromechanical 19
96
ANSI/ISA-S84.01-1996
electromechanical devices 61
electromechanical relay 19
electromechanical relay(s) 15, 61, 62, 64
electronic technology 62
electrostatic discharge 34
embedded software 19, 22, 35, 59
emergency 26, 76, 88
Emergency Shutdown System 21
end-of-line detection 71
energize(d) to trip 19, 27, 31, 66, 67, 87
equipment reliability 53, 66
equipment under control 18, 21, 46
event logging 76
explosive 53
external risk reduction 45, 46
F
factory floor 75
fail position 74
fail-safe 19, 61, 62
failure mode(s) 29, 61, 63, 64, 65, 66, 71, 73, 89
failure rate(s) 29, 41, 53, 56, 63, 66, 89
failure state(s) 73
failure to function on demand 35
false 53, 63, 74
false shut down 22
falsely 78
fault avoidance 70
fault detection 72
fault source 58
fault tolerance 19, 58, 63
fault tree analysis 47, 53
fault tree logic diagram 53, 54
fault tree(s) 53, 54
fault type(s) 70
feedback 73
fiber optic(s) 33, 78
field control element(s) [See field device(s).]
field device(s) 19, 21, 29, 31, 36, 69, 72, 73, 75, 90
field element(s) [See field device(s).]
field sensor(s) 55, 73
field wiring 19
fieldbus 17, 31
fire and gas detection systems 31
fire and gas monitoring systems 17
fire resistance 74
firmware 19, 22, 41, 58, 59
fixes 59
flooding 34
flow 49, 53, 73, 74, 88
fluid 69, 86
forcing 19, 35
foreign 74, 86
formal revision and release control program(s) 30, 34, 35
formatting utilities 76
fouling 69
freezing 31, 74, 75
frequency 34, 39, 54, 62, 67, 79
frequency of occurrence 30, 53, 54
frequency(s) of testing 39
fuel/air controls 18
functional description 22
ANSI/ISA-S84.01-1996
97
functional test interval 29, 35, 79
functional test procedure(s) 40, 79
functional test(s) 22, 36, 39, 79
functional testing 19, 26, 35, 39, 40, 79
functional testing procedures 40
fuse(s) 39, 67, 78
G
gas turbine(s) 30, 57
geographic diversity 59
good engineering practices 17, 33, 79, 89
governing authorities 16
gravity 61
ground fault detection 68
ground loop(s) 78
ground plane(s) 22, 33, 68, 78
ground(s) 63, 64, 68
grounding 34, 66, 67, 68, 89
guide words 53
guideline(s) 3, 52, 61, 68, 85, 89, 90, 91
H
hands on 47
hardware 18, 19, 22, 30, 33, 58, 59, 69, 71, 72, 76
hardware degradation 39
hardware fault(s) 22, 58, 60
hard-wired 19, 57
hard-wired logic 15
harm 51
harmonics 67
hazard and risk analysis 45, 46
hazard(s) 16, 19, 20, 25, 37, 44, 48, 53
hazardous 28, 37, 39, 86, 87
hazardous area classifications 30
hazardous event(s) 19, 25, 27, 48, 51, 53, 86
HAZOP 53
heaters 18
hermetically sealed 61
hidden fault(s) 71
High Noise Immunity Logic (HNIL) 62
high pressure 48, 49, 50, 51, 52, 53, 54
highly recommended 45
historical data 39
horns 32
host 18
host functions 77
human actions 20
human machine interface(s) 17, 28, 69, 88
humidity 34, 69
hybrid 60
hydraulic power 66, 69
hydraulic(s) 16, 60
98
ANSI/ISA-S84.01-1996
I
identical 21
identical redundancy 21, 29, 66, 70
identical separation 21, 29, 55, 56, 57, 70
IEC 3, 4
IEC draft Publication 1508 3, 4, 13, 43, 44, 45, 46
impedance 71
incident cause 27
indeterminate failure modes 62
indicating lights 32
indicators 33, 75, 76
inductive 61, 78
industry 4
industry sectors 4
industry standards 60
inherently 61
inherently safe 71
inhibit 39, 71
initiating event(s) 51, 52, 54
injury 19, 86
input requirements 85
input/output devices 28, 75
input/output modules 20, 21, 30, 71, 77
inrush current 67, 68
insect(s) 75
inspection(s) 40, 41
installation 13, 26, 36, 37, 46, 63, 68, 75
instrument gas 69
insulation 67
integration 20
interface(s) 15, 20, 30, 32, 33, 66, 68, 75, 76, 77
interlock(s) 30, 56
internal 18, 30, 63, 67, 78, 89, 91
internal communication 18
intrinsic safety barrier 68
ISO 9000 45
isolation 64, 65, 78
K
keyboard 60
L
label(s) 76
lamp(s) 75, 76
latching 62
laws 16
layers 20, 51, 60
layout 70, 76
leakage 74, 78
legislation 41
level controller 56, 86
level of risk 25
level of safety 46, 48
level sensor 56, 87
life cycle 48, 57
ANSI/ISA-S84.01-1996
99
lightning 67, 68, 78
limited time window 58
limiting access 57
local factors 51
locking 62
log 46
logged 76
logic diagrams 53, 87
logic function(s) 19, 33, 61
logic solver(s) 15, 16, 20, 21, 30, 31, 39, 49, 56, 57, 58, 66, 70, 77, 78, 88, 89, 90
loop # 41
low energy 61, 75
low pressure 48, 49, 53
lubrication 39, 69
M
magnetic tape 79
maintenance 20, 22, 26, 28, 30, 33, 35, 38, 39, 46, 47, 57, 69, 70, 74, 77, 85, 88
maintenance costs 53
maintenance procedures 25, 26, 37, 39, 79
maintenance program 38
maintenance/engineering interface(s) 18, 32, 33, 70, 75, 76, 77
major criteria 52
major severity 52
malicious modification 77
management 16, 45
Management of Change (MOC) 22, 26, 41, 44, 45, 46
Management of Change (MOC) documentation 79
Management of Change (MOC) procedure(s) 26, 43
manual mode 53
manual reset 30, 90
manual shutdown 27, 37, 88, 90
manual trip 40
manufacture 13, 20, 58
manufacturer 20, 30, 35, 59, 68, 72, 78, 79
material(s) 4, 20, 31, 61, 74, 86, 87
math functions 27, 62, 87
mathematical analysis 20
matrix method(s) 47
mature 60
mature technology 61
Mean Time Between Failures (MTBF) 22
Mean Time To Detection (MTTD) 72, 73
Mean Time To Failure (MTTF) 22, 30
Mean Time To Repair (MTTR) 22
measure(s) 3, 17, 33, 45, 57, 58, 70, 72
measurement(s) 58, 62, 73, 90
medium 51, 79
memory 19, 42, 65, 76
metallic covering 78
microcomputer 63
minimum level of independence 45
mitigate 19, 25, 37, 58
mode(s) 33, 43, 63, 77
modification errors 77
modification(s) 22, 25, 26, 31, 36, 41, 42, 46, 62, 70
modified HAZOP method 47, 52
modular design 59
modulating 73, 74
moisture 69
monitoring 17, 71, 77
motor driven timer(s) 15, 19, 62
100
ANSI/ISA-S84.01-1996
motor overload(s) 31
motor starter(s) 32, 75
motor(s) 39
mounting 74, 75
N
name(s) 40
National Electrical Code (NEC) 30, 78, 90
nested 60
network 33, 36
networking 63
NFPA 70 30
noise 64, 68
non-linear 67, 68
non-safety function 30
non-safety related display(s) 76
non-SIS protection layers 23, 25, 45
normal operating range 27
normal operation 19, 26, 87
normal operation range 87
not recommended 59, 63
Nuclear Industry 16
nuisance trip 22
numerical data 20
O
objective(s) 13, 17, 22, 25, 27, 36, 38, 41, 48, 89, 90
off-line 20, 42, 77
on scale 73
on-line 20, 35, 40, 42, 77, 79, 90
on-line testing 35, 40
open 53, 54, 56, 61, 64, 73, 86
operating conditions 60
operating experience 20, 47, 61, 79
operating limits 27
operating procedure(s) 35, 37, 38, 41, 42, 56, 79
operating system(s) 59
operational bypasses 38
operator action 17
operator error 53
operator interface(s) 18, 19, 32, 33, 66, 70, 75, 76
operator response 48, 51, 53
operator(s) 18, 32, 35, 46, 75, 76, 77, 88, 90
organization(s) 13, 45, 74
oscillator 62
OSHA 22, 38, 41, 44, 45, 46, 87, 90
output(s) [See input/output devices and input/output modules.]
output trip relay 40
overload 67
over-pressure 48, 49, 53, 86, 87
override(s) 19, 56
overt 63, 71
overt fault(s) 20, 28, 88
overvoltage(s) 68
owner/operator 17
ownership 47
oxidation 61
ANSI/ISA-S84.01-1996
101
P
panel(s) 33, 75, 76, 88, 90
parameter(s) 77
part # 30
partially open 73
password(s) 58, 77
peer review(s) 60
period(s) 21, 42, 63, 73, 74
periodic inspection program 39
periodic test intervals 39
permanent random fault(s) 71
permissives 22, 27, 38, 73, 87
personal computer(s) 63, 77
personnel safety 68
PES logic solver(s) 30, 75
PFD Average Range 25
pharmaceutical(s) 4, 20
physical 19, 70
piping and instrumentation diagram (P&ID) 48
plant 26, 39, 52, 61, 74, 89, 90
plugging 27, 58, 75
pneumatic(s) 16, 60, 66, 69, 89
poll fault 65
polymerization 31, 74
possible cause(s) 72, 86
power 19, 20, 28, 30, 31, 66, 67, 68, 69, 70, 75, 89, 90
power distribution 67
power source(s) 29, 34, 66, 67, 78, 89
power supply (supplies) 15, 58, 67
predictability 73
pressure 31, 48, 49, 53, 58, 64, 69, 73, 74
pressure control valve 53, 54
pressure relief valve 48, 49, 51
pressure sensor 53
Pre-Startup Acceptance Test (PSAT) 13, 20, 23, 26, 36, 37, 45, 79, 85
Pre-Startup Safety Review (PSSR) 23, 26
pre-trip 76
preventive 48
preventive maintenance 20
printer(s) 75, 76, 88, 90
Probability of Failure on Demand (PFD) 20, 21, 23, 25
Process Control System 18
process deviation(s) 53
Process Hazards Analysis (PHA) 16, 17, 21, 23, 27, 31, 32, 85
process hazards review(s) 44, 47, 48
process industry sector 20
process industry(ies) 4, 13, 15, 46
process knowledge 47
process risk 51
Process Safety Design 16
Process Safety Management 16
process safety team 47, 48, 49, 51
process variable(s) 27, 47
program(s) 33, 40, 76, 77, 90
programmable controller 63
Programmable Electronic Failure Mode(s) 65
Programmable Electronic System(s) (PES) 3, 15, 19, 20, 22, 23
Programmable Logic Controller (PLC) 19
programming 28, 33, 57, 59, 60
programming guidelines 60
programming language(s) 60
programming terminal(s) 33
proof testing frequency 60
102
ANSI/ISA-S84.01-1996
property damage 52, 53
property protection 17
protect against the consequences 53
protection layer(s) 20, 25, 31, 51
pulse counting 62
pulsed 63
pulsed electronic logic 63
purchase specification 16
purge 62
purpose(s) 17, 18, 21, 30, 51, 75
pushbutton(s) 66
Q
qualitative 20, 51, 79
qualitative matrix 51, 52
qualitative risk evaluation SIL determination method 47
quality 59, 60, 63
quality system(s) 45
quantified 61, 62, 75
quantitative 20, 79
quantitative risk assessment 47
quartz 62
R
radiated noise 78
raised floor grounding 68
Random Access Memory (RAM) 71
random failure(s) 71
read 31, 85
read only 57, 66, 77
read/write 31, 57, 58, 66
reading(s) 73, 74
read-write access 33
recipe 33, 63
redundancy 21, 25, 48, 58, 63, 66, 67, 72, 73, 75, 89
Redundant 87
redundant 22, 31, 56, 58, 59, 64, 69, 71, 75, 89
redundant sensors 31, 72
references [See Annex C page 81 and C.1 - C.16.]
regulation(s) 16, 22, 38, 44, 90
regulatory requirement(s) 27, 87
relay(s) 61, 63, 64, 68, 69, 73
reliability 21, 28, 58, 62, 66, 67, 69, 74, 89
reliability experience 56
relief valve 53, 86, 87
remote I/O 18, 31
repair 39, 88
repeatability 62
replacement in kind 21, 41
reporting 76
reset 21, 30, 38, 65, 88
reset function(s) 28, 37, 88
resistor-capacitor (RC) 62
Resistor-Transistor Logic (RTL) 62
resolution 60, 62
response action 28, 30, 88
response time 42, 88
response time requirements 28, 88
ANSI/ISA-S84.01-1996
103
response(s) 20, 35, 38, 64, 71
revise 43
revision level 59
rewiring 61
risk assessment 21, 23
risk control(s) 53
risk estimates 21
risk evaluation(s) 52
risk reduction 46, 48, 53
risk related 52
risk(s) 25, 42, 48, 52, 53, 86
ROM 57, 71
S
safe process condition(s) 30
safe response(s) 70, 71, 76
safe state(s) 17, 19, 21, 27, 28, 29, 30, 32, 33, 38, 40, 87, 88
safety and health 22, 41
safety availability 18, 20, 21
safety availability range 25
safety critical function(s) 60
safety function(s) 15, 18, 21, 25, 27, 28, 30, 46, 48, 57, 58, 76, 77, 87
safety functional requirements 22, 27, 87
safety functionality 55
Safety Instrumented Systems (SIS) 4, 13, 15, 16, 17, 21, 23, 27, 28, 29, 36, 38, 42, 43, 48, 60, 85
safety integrity 42, 56, 57, 58, 63, 66, 67
Safety Integrity Level (SIL) 13, 21, 23, 25, 28, 29, 45, 46, 48, 79, 85, 87
safety integrity requirements 27, 28, 55, 56, 67
Safety Interlock System 21
safety layer matrix 51
Safety Life Cycle 13, 16, 21, 22, 23, 24, 25, 26, 36, 42, 45, 48, 66
safety logic 61
safety management 45
safety plan 45
safety related display(s) 76
safety related system(s) 45
Safety Requirement Specifications 19, 20, 22, 26, 27, 28, 29, 30, 34, 35, 36, 37, 38, 39, 41, 60, 72, 78, 85, 90, 91
safety review 31, 32, 33
safety review and analysis 56, 57, 58, 68, 78
Safety Shutdown System (SSD) 21
science 47
scope 17, 23, 25, 26, 45, 46, 47, 60, 77
security 28, 29, 33, 35, 77, 90
self revealing 39
self-tests 71
sensor diagnostics 31
separate(s) 13, 66, 67, 70, 76, 79, 89, 90
separated 30, 31
separating 78
separation 21, 55, 57, 70, 78, 89
Sequence Of Events (SOE) 76
sequence(s) of failure(s) 53
sequencing functions 29
serial # 30, 41
setpoint(s) 37, 40, 56
severity 51, 52
severity of (the) consequences 51, 52, 53
shield 68, 78
shielding 67, 78
shock 34
short circuit 67
shutdown 22, 37, 39, 50, 51, 52, 53, 54, 56, 73, 82, 88
104
ANSI/ISA-S84.01-1996
shutdown switches 76, 88
shutoff valves 74, 87, 88, 89, 90
signal comparison 71
signal processing speed 75
signal to noise ratio 75
SIL 1 21, 32, 46, 52, 54, 55, 56, 57, 58, 66
SIL 2 21, 46, 51, 53, 54, 56, 57, 58, 66, 87, 88, 89
SIL 3 21, 25, 32, 46, 52, 54, 55, 56, 57, 58, 66
SIL 4 46
SIL determination method(s) 47
SIL performance 66
SIL selection 47, 52
simple 47, 61, 71, 87
simplicity 59
single point 68
SIS alarm(s) 38, 77
SIS applications 52, 61, 62, 63, 68, 73
SIS architecture 28, 66
SIS Conceptual Design(s) 26, 28, 85, 90, 91
SIS failure mode(s) 64
SIS performance 48, 57
smart sensors 31
software 3, 18, 19, 22, 30, 33, 35, 41, 42, 57, 58, 59, 60, 71, 72, 89
software bugs 72
software design 60, 69
software design considerations 29, 89
software error(s) 58
software fault(s) 19, 22, 35
software release(s) 59
software reliability 39
software revision 59
software switch 58
solenoid valve(s) 69, 74, 75
solid state 75, 78
solid state logic 15, 19, 62, 63, 64
solid state logic system(s) 63, 75
solid state relay(s) 15, 19, 62, 75
solid state system(s) 63
solid state timer(s) 62
special purpose(s) 19, 75
speed of response 40
spring(s) 61
spurious trip(s) 22, 28, 58, 66, 70, 88
Standards and Practices (S&P) Board 3, 7
startup 16, 26, 42, 53, 67, 73
static electricity 68
storage media 77
supplier(s) 30, 59, 70, 90
surge(s) 67, 68, 78, 85, 86
suspended solid(s) 31
switch(es) 57, 72, 73, 75, 88, 90
system software 22
systematic error(s) 69, 70, 72
systematic failure(s) 22, 41, 71
systematic fault(s) 55, 72
T
tag # 41, 76
tampering 62
target SIL 25, 48, 71
team 27, 47, 48, 52, 53, 54, 60, 85, 86, 87
technology selection 29, 89
ANSI/ISA-S84.01-1996
105
temperature 31, 34, 58, 64, 69, 73, 74, 78
terminology 43
test and bypass functions 77
test facilities 35, 78
test interval(s) 22, 37, 72, 90
test(s) 33, 35, 37, 40, 41, 60, 63, 66, 68, 70, 71, 72, 76
testing 13, 19, 25, 28, 30, 35, 38, 39, 40, 45, 48, 57, 59, 61, 66, 70, 72, 77, 88
thermal fault(s) 71
thermocouple(s) 71
third party(ies) 59
time(s) 4, 20, 21, 22, 26, 42, 51, 52, 55, 60, 62, 64, 65, 71, 72, 76
timer(s) 15, 61, 62, 64, 65
top event 53, 54
TR84.02 [See ISA-dTR84.02.]
track record 61
training 26, 38, 44, 69
transfer time 65
transient(s) 22, 68
transistor(s) 62
transmission 75
trip point(s) 27, 38, 63, 87
trip(s) 19, 22, 38, 40, 56, 73, 76
turndown 73
twisted pair 78
U
undervoltage(s) 68
ungrounded 68
Uninterruptible Power Supply (UPS) 67, 89
unreliable 61
unsafe failure mode(s) 56, 61, 62, 63, 73, 75
upscale 64, 65, 73
upset 53
upset cause 53
uptime 69
user approved 17, 22, 31, 41, 61, 62, 63, 77
user interface(s) 15, 29, 30, 66, 75, 77, 90
utility software 22, 30, 35, 59
V
validate(s) 66
validation 46, 77
valve(s) 39, 40, 49, 56, 69, 73, 74, 87, 88, 89, 90
variable(s) 33, 58, 73, 77
vendor(s) 22, 31, 39, 68, 72, 73
vent(s) 75
ventilation 34, 39
verification(s) 22, 26, 42, 45, 46, 70, 72, 79
verify 19, 28, 60, 74, 75
vessel rupture 53, 54
vessel(s) 49, 53, 85
vibration 34, 69
video display(s) 75
visible markings 30
voltage(s) 64, 67, 68, 73, 74, 75
volume 69
vortex flow 58
voting 22, 28, 32, 33, 66
106
ANSI/ISA-S84.01-1996
W
Watchdog Timer(s) (WDT) 23, 59, 63, 71
wiring 36, 64, 67, 78, 90
wiring practice(s) 29, 67, 78, 90
witnessing test(s) 45
Working Group 10 (WG10) 3
write access 57, 58
write protected 31, 90
write protection 57, 58
write(s) 57
ANSI/ISA-S84.01-1996
107
Developing and promulgating technically sound consensus standards,
recommended practices, and technical reports is one of ISA’s primary
goals. To achieve this goal the Standards and Practices Department
relies on the technical expertise and efforts of volunteer committee
members, chairmen, and reviewers.
ISA is an American National Standards Institute (ANSI) accredited
organization. ISA administers United States Technical Advisory
Groups (USTAGs) and provides secretariat support for International
Electrotechnical Commission (IEC) and International Organization for
Standardization (ISO) committees that develop process measurement
and control standards. To obtain additional information on the
Society’s standards program, please write:
ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709
ISBN: 1-55617-590-6