
TECHNICAL REPORT

ISA-TR84.00.03-2012

Mechanical Integrity of Safety
Instrumented Systems (SIS)

Approved 28 August 2012

ISA-TR84.00.03-2012
Mechanical Integrity of Safety Instrumented Systems (SIS)

ISBN: 978-1-937560-57-7

Copyright 2012 by ISA. All rights reserved. Not for resale. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means (electronic mechanical, photocopying, recording, or
otherwise), without the prior written permission of the Publisher.

ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709
- 3 - ISA-TR84.00.03-2012
Preface
This preface, as well as all footnotes and annexes, is included for information purposes and is
not part of ISA-TR84.00.03-2012.
This document has been prepared as part of the service of ISA towards a goal of uniformity in
the field of instrumentation. To be of real value, this document should not be static but should be
subject to periodic review. Toward this end, the Society welcomes all comments and criticisms
and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67
Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-
8411; Fax (919) 549-8288; E-mail: standards@isa.org.
The ISA Standards and Practices Department is aware of the growing need for attention to the
metric system of units in general, and the International System of Units (SI) in particular, in the
preparation of instrumentation standards. The Department is further aware of the benefits to USA
users of ISA standards of incorporating suitable references to the SI (and the metric system) in
their business and professional dealings with other countries. Toward this end, this Department
will endeavor to introduce SI -acceptable metric units in all new and revised standards,
recommended practices, and technical reports to the greatest extent possible. Standard for Use
of the International System of Units (SI): The Modern Metric System, published by the American
Society for Testing & Materials as IEEE/ASTM SI 10-97, and future revisions, will be the
reference guide for definitions, symbols, abbreviations, and conversion factors.
It is the policy of ISA to encourage and welcome the participation of all concerned individuals
and interests in the development of ISA standards, recommended practices, and technical
reports. Participation in the ISA standards-making process by an individual in no way constitutes
endorsement by the employer of that individual, of ISA, or of any of the standards, recommended
practices, and technical reports that ISA develops.
CAUTION ISA ADHERES TO THE POLICY OF THE AMERICAN NATIONAL STANDARDS
INSTITUTE WITH REGARD TO PATENTS. IF ISA IS INFORMED OF AN EXISTING PATENT
THAT IS REQUIRED FOR USE OF THE DOCUMENT, IT WILL REQUIRE THE OWNER OF THE
PATENT TO EITHER GRANT A ROYALTY-FREE LICENSE FOR USE OF THE PATENT BY
USERS COMPLYING WITH THE DOCUMENT OR A LICENSE ON REASONABLE TERMS AND
CONDITIONS THAT ARE FREE FROM UNFAIR DISCRIMINATION.
EVEN IF ISA IS UNAWARE OF ANY PATENT COVERING THIS DOCUMENT, THE USER IS
CAUTIONED THAT IMPLEMENTATION OF THE DOCUMENT MAY REQUIRE USE OF
TECHNIQUES, PROCESSES, OR MATERIALS COVERED BY PATENT RIGHTS. ISA TAKES
NO POSITION ON THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS THAT MAY BE
INVOLVED IN IMPLEMENTING THE DOCUMENT. ISA IS NOT RESPONSIBLE FOR
IDENTIFYING ALL PATENTS THAT MAY REQUIRE A LICENSE BEFORE IMPLEMENTATION
OF THE DOCUMENT OR FOR INVESTIGATING THE VALIDITY OR SCOPE OF ANY PATENTS
BROUGHT TO ITS ATTENTION. THE USER SHOULD CAREFULLY INVESTIGATE RELEVANT
PATENTS BEFORE USING THE DOCUMENT FOR THE USERS INTENDED APPLICATION.
HOWEVER, ISA ASKS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF
ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE
ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.
ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS,
OPERATIONS OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE
APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN
HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND
PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE
USERS PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE
APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND
ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS
DOCUMENT.
THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE
IMPACTED BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET
ADDRESSED THE POTENTIAL ISSUES IN THIS VERSION.
The following served as members of ISA84 in developing this technical report:
NAME COMPANY
W. Johnson, Chair Consultant
V. Maggioli, Co-Managing Director Feltronics Corp
D. Zetterberg, Co-Managing Director Chevron Energy Technology Company
K. Gandhi, Working Group Chair KBR
A. Summers, Working Group Editor SIS-TECH Solutions LP
R. Adamski RA Safety Consulting LLC
T. Ando Yokogawa Electric Co
R. Avali Westinghouse Electric Corp
L. Beckman Safeplex Systems Inc
J. Campbell Consultant
I. Chen Aramco
R. Chittilapilly Oil & Natural Gas Corp
M. Coppler Det Norske Veritas Certification Inc
M. Corbo ExxonMobil
P. Early Langdon Coffman Services
C. Fialkowski Siemens Inc
I. Gibson Consultant
J. Gilman JFG Technology Transfer LLC
W. Goble Exida Com LLC
P. Gruhn ICS Triplex
B. Hampshire BP
J. Harris UOP A Honeywell Company
J. Jamison EnCana Corporation Ltd
R. Johnson Consultant
K. Klein Chevron
T. Layer Emerson Process Management
E. Marszal Kenexis Consulting Corp
N. McLeod ARKEMA
M. Mollicone SYM Consultoria
G. Ramachandran Systems Research Intl Inc
R. Roberts Suncor Energy Inc
M. Scott AE Solutions
D. Sniezek Lockheed Martin Federal Services
C. Sossman CLS Tech-Reg Consultants
R. Strube Universal Instruments Corporation
L. Suttinger Savannah River Nuclear Solutions
T. Walczak Conversions Inc
M. Weber System Safety Inc
A. Woltman Shell Projects and Technology-Engineering
P. Wright BHP Engineering & Construction Inc



This technical report was approved for publication by the ISA Standards and Practices Board on
28 August 2012.

NAME COMPANY
D. Dunn, Vice President Aramco Services Co.
D. Bartusiak ExxonMobil Chemical Co.
P. Brett Honeywell Inc.
J. Campbell Consultant
M. Coppler Det Norske Veritas Certification Inc.
E. Cosman The Dow Chemical Company
B. Dumortier Schneider Electric
J. Federlein Federlein & Assoc. Inc.
J. Gilsinn NIST/EL
E. Icayan ACES Inc.
J. Jamison EnCana Corporation Ltd.
K. P. Lindner Endress + Hauser Process Solutions AG
V. Maggioli Feltronics Corp.
T. McAvinew Instrumentation and Control Engineering, LLC
R. Reimer Rockwell Automation
S. Russell Valero Energy Corp.
N. Sands DuPont
H. Sasajima Azbil Corp.
T. Schnaare Rosemount Inc.
J. Tatera Tatera & Associates Inc.
I. Verhappen Yokogawa Canada Inc.
W. Weidman WCW Consulting
J. Weiss Applied Control Solutions LLC
M. Wilkins Yokogawa IA Global Marketing (USMK)
D. Zetterberg Chevron Energy Technology Co.
Contents

1 Scope and purpose ........................................................................................................ 13
2 Audience ........................................................................................................................ 14
3 Definitions ...................................................................................................................... 16
4 Abbreviations/Acronyms ................................................................................................. 20
5 MI planning considerations ............................................................................................. 22
5.1 Identification of the equipment and systems to be covered by SIS MI .................... 24
5.2 Determination of the maintenance strategy to be used for each type of
equipment ............................................................................................................. 26
5.3 Collection and retention of lifecycle documentation ............................................... 26
5.4 Defining personnel roles and responsibilities and ensuring competency ................ 27
5.5 Ensuring maintenance personnel skills and training .............................................. 27
5.6 Defining management system and performance metrics ........................................ 28
5.7 Implementing configuration management and management of change .................. 31
5.8 Performing audits to determine MI program compliance ........................................ 31
6 MI activity considerations ............................................................................................... 32
6.1 Planning and performing inspections ..................................................................... 33
6.2 Planning and performing repair ............................................................................. 34
6.3 Planning and performing preventive maintenance ................................................. 34
6.4 Planning and performing calibrations .................................................................... 35
6.5 Planning and performing proof tests ...................................................................... 37
6.6 Planning and performing bypasses........................................................................ 46
6.7 Defining pass/fail criteria ....................................................................................... 47
6.8 Developing validation plan and procedures ........................................................... 50
6.9 Developing Factory Acceptance Test (FAT), commissioning, and Site
Acceptance Test (SAT) procedures ....................................................................... 51
7 References .................................................................................................................... 60
Annex A Example training documentation ........................................................................ 61
Annex B Example demand logs ........................................................................................ 65
Annex C Example failure reports ...................................................................................... 69
Annex D Effective procedure writing, verification and implementation .............................. 71
D.1 Format .................................................................................................................. 73
D.2 Test scope ............................................................................................................ 74
D.3 Related reference data, drawings, documentation, procedures .............................. 74
D.4 Personnel safety considerations ............................................................................ 74
D.5 Planning ............................................................................................................... 75
D.6 Notification (Operations, Facility, etc.) .................................................................. 75
D.7 Operating procedure requirements ........................................................................ 75
D.8 Procedure verification ........................................................................................... 76
D.9 Procedure analysis ............................................................................................... 76
D.10 Continuous improvement....................................................................................... 77
D.11 Modification .......................................................................................................... 77
Annex E Example inspection items and forms .................................................................. 79
E.1 General field inspection items ............................................................................... 79
E.2 Sensors ................................................................................................................ 80
E.3 Final elements ...................................................................................................... 80
E.4 Logic solvers ......................................................................................................... 81
E.5 Wiring connections ................................................................................................ 81
E.6 Power and grounding/bonding ............................................................................... 82
Annex F Example calibration forms .................................................................................. 85
Annex G Preventive maintenance .................................................................................... 87
G.1 Identification of preventive maintenance tasks ...................................................... 87
G.2 Criticality ............................................................................................................... 88
G.3 Timing ................................................................................................................... 88
G.4 Documentation ...................................................................................................... 90
Annex H Example proof test template and procedures ..................................................... 91
Annex I Proof test examples for various SIF technologies ................................................ 95
I.1 General considerations ......................................................................................... 95
I.2 Sensor testing ....................................................................................................... 98
I.3 Temperature ....................................................................................................... 101
I.4 Flow .................................................................................................................... 105
I.5 Level ................................................................................................................... 108
I.6 Process analyzers ............................................................................................... 109
I.7 PES logic solver .................................................................................................. 110
I.8 HMI ..................................................................................................................... 113
I.9 Communications ................................................................................................. 114
I.10 Power supplies ................................................................................................... 115
I.11 Interposing relays ............................................................................................... 115
I.12 Final element testing ........................................................................................... 115
I.13 Testing of manual/automatic response to SIS failure ........................................... 126
I.14 Testing of bypasses ............................................................................................ 127
Annex J Deferral considerations and example procedures .............................................. 129
J.1 Example deferral approval procedure .................................................................. 129
J.2 Example test deferral process ............................................................................. 130
J.3 Test due date deferral approval form................................................................... 132
J.4 Example repair deferral procedure ...................................................................... 133
J.5 Example repair due date deferral form ................................................................ 135
Annex K Example bypass approval procedures .............................................................. 137
K.1 Example bypass approval procedure 1 ................................................................ 137
K.2 Example bypass approval procedure 2 ................................................................ 142
K.3 Example bypass log ............................................................................................ 145
Annex L Validation planning ........................................................................................... 147

Foreword
ANSI/ISA-84.00.01-2004 gives requirements for the specification, design, installation, operation
and maintenance of SIS, so that it can be confidently entrusted to place and/or maintain the
process in a safe state. These requirements are presented in the standard using the safety
lifecycle shown in ANSI/ISA-84.00.01-2004-1 Figure 8 and described in ANSI/ISA-84.00.01-
2004-1 Table 2.
The ISA84 committee has developed a series of complementary technical reports to provide
guidance, as well as practical examples of implementation, on various topics and applications.
Three of these technical reports, ISA-TR84.00.02, ISA-TR84.00.03, and ISA-TR84.00.04, provide
informative guidance related to specific phases of the Safety Instrumented System (SIS)
lifecycle. Figure 8 and Table 2 have been adapted for this foreword as shown in ISA-TR84.00.04
Figure 1 and Table 1, respectively. A brief overview of each technical report is given below,
including each report's relationship to the lifecycle requirements and the intended scope of its
guidance.
ISA-TR84.00.02, Safety Integrity Level (SIL) Verification of Safety Instrumented
Functions: Lifecycle phase 4 requires verification that the intended or installed SIS meets its
specified SIL. To support the calculation of the average probability of failure on demand as
required by ANSI/ISA-84.00.01 Clause 11.9, ISA-TR84.00.02 provides guidance on the following:
a) assessing random and systematic failures, failure modes and failure rates; b) understanding
the impact of diagnostics and mechanical integrity (MI) activities on the SIL and reliability; c)
identifying sources of common cause, common mode and systematic failures; and d) using
quantitative methodologies to verify the SIL and spurious trip rate. The approaches outlined in
this document are performance-based; consequently, the reader is cautioned to understand that
the examples provided do not represent prescriptive architectural configurations or MI
requirements for any given SIL. Once an SIS is designed and installed, the ability to maintain the
specified SIL requires the implementation of a structured MI program as described in ISA-
TR84.00.03.
ISA-TR84.00.03, Mechanical Integrity of Safety Instrumented Systems (SIS): Lifecycle
phases 5 and 6 involve the installation and testing of the SIS, the validation that the SIS meets
the safety requirements specification, and the assurance that functional safety is maintained
during long term operation and maintenance. An important aspect of achieving and maintaining
the SIS integrity and its specified SIL is the implementation of an MI program that provides
quality assurance of the installed SIS performance. This technical report is an informative
document providing guidance on establishing an effective MI program that demonstrates through
traceable and auditable documentation that the SIS and its equipment are maintained in the as
good as new condition. The technical report addresses the identification of personnel roles and
responsibilities when establishing an MI plan, important considerations in establishing an
effective MI program, and detailed examples to illustrate user work processes used to support
various activities of the MI program. Data and information collected as part of the MI program
can be used to validate the SIL Verification calculations as discussed in ISA-TR84.00.02 and the
selection and continued use of devices as discussed in ISA-TR84.00.04 Annex L.
ISA-TR84.00.04, Guidelines for the Implementation of ANSI/ISA-84.00.01: Lifecycle phases
2, 4, 9 and 10 address the management of functional safety, allocation of safety functions to
protection layers, SIS design and engineering, and SIS verification. This technical report is
divided into two parts. Part 1 provides an overview of the SIS lifecycle with references to
annexes containing more detailed guidance on various subjects. Part 2 provides an end-user
example of "how to" implement ANSI/ISA-84.00.01. This report covers many aspects of the
safety lifecycle including such topics as: "grandfathering" existing SISs (Clause 3 and Annex A);
operator initiated functions (Annex B), separation of the Basic Process Control System (BPCS)
and SIS (Annex F), field device and logic solver selection (Annex L), manual shutdown
considerations (Annex P), and design/installation considerations (e.g., wiring, power, relationship
to BPCS, common mode impacts, fault tolerance, etc.; Annex N). ISA-TR84.00.02 expands
Annex G, which only provides a brief introduction to the topic of failure calculations. ISA-
TR84.00.04 does not address the MI program, which is discussed in ISA-TR84.00.03.



Figure 1 SIS safety lifecycle phases (modified ANSI/ISA-84.00.01-1 Figure 8)
Table 1 SIS safety lifecycle overview (modified ANSI/ISA-84.00.01-1 Table 2)

Figure 1 box number | Safety lifecycle phase or activity (Title) | Objectives | ANSI/ISA-84.00.01 requirements clause | ISA-84 Technical Report reference
1 | Hazard and risk analysis | To determine the hazards and hazardous events of the process and associated equipment, the sequence of events leading to the hazardous event, the process risks associated with the hazardous event, the requirements for risk reduction and the safety functions required to achieve the necessary risk reduction. | 8 | None
2 | Allocation of safety functions to protection layers | Allocation of safety functions to protection layers and for each safety instrumented function, the associated safety integrity level. | 9 | ISA-TR84.00.04 Annexes B, F, and J
3 | SIS safety requirements specification | To specify the requirements for each SIS, in terms of the required safety instrumented functions and their associated safety integrity, in order to achieve the required functional safety. | 10 | No specific guidance on documenting the SRS. An example is shown in ISA-TR84.00.04 Part 2. All three technical reports (ISA-TR84.00.02, 03, and 04) provide fundamental considerations for SRS development
4 | SIS design and engineering | To design the SIS to meet the requirements for safety instrumented functions and safety integrity. | 11 & 12.4 | ISA-TR84.00.04 Annexes F, G, I, K, L, M, N, O, P, and Q; ISA-TR84.00.02
5 | SIS installation, commissioning and validation | To integrate and test the SIS. To validate that the SIS meets, in all respects, the requirements for safety in terms of the required safety instrumented functions and the required safety integrity. | 12.3, 14, 15 | ISA-TR84.00.03
6 | SIS operation and maintenance | To ensure that the functional safety of the SIS is maintained during operation and maintenance. | 16 | ISA-TR84.00.03
7 | SIS modification | To make corrections, enhancements or adaptations to the SIS, ensuring that the required safety integrity level is achieved and maintained. | 17 | Apply appropriate safety lifecycle phase during management of change activity
8 | Decommissioning | To ensure proper review, sector organization, and ensure SIF remain appropriate. | 18 | Apply appropriate safety lifecycle phase during project execution
9 | SIS verification | To test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase. | 7, 12.7 | ISA-TR84.00.04 Annex C, ISA-TR84.00.03, and ISA-TR84.00.02
10 | SIS functional safety assessment | To investigate and arrive at a judgement on the functional safety achieved by the SIS. | 5 | ISA-TR84.00.04 Clause 3 and Annexes A, C, D, E, and S
1 Scope and purpose
A process hazards analysis is used to identify the safety functions necessary to reduce the risk
of identified hazardous events. When a safety function is implemented in a safety instrumented
system (SIS), the risk reduction required from the safety instrumented function (SIF) is related to
one of four discrete safety integrity levels (SIL). The function and system are designed and
managed according to ANSI/ISA-84.00.01, which establishes requirements necessary to claim
the specified SIL for the SIS throughout its life.
A critical aspect of maintaining the SIL is the implementation of a mechanical integrity (MI)
program that monitors the installed performance of the SIS equipment and takes corrective
action when the performance does not meet the requirements. This technical report is an
informative document providing guidance on establishing an effective MI program that
demonstrates through traceable and auditable documentation that the SIS and its equipment are
maintained in the as good as new condition.
This edition of ISA-TR84.00.03 provides considerations for establishing an MI program for SIS; it
focuses on how to plan and implement a comprehensive MI program rather than including
specific test procedures as in the previous edition. This technical report does not provide
complete details on how to safely or fully execute all MI activities in an operating facility.
Individuals who are assigned responsibility for MI activities must determine what is necessary to
maintain the safety integrity of a specific SIS.
The MI program involves many activities that occur throughout the SIS lifecycle, but it
predominantly focuses on the timely detection and correction of incipient/degraded conditions
and complete failures to ensure that the SIS operates as specified when required. Rigorous
inspection and complete proof testing are required for all SIS equipment, whether existing or new.
While the frequency of these activities may vary with the required SIL, the purpose and goal of
inspection and proof testing are not affected by the SIL.
Inspection and proof testing are required to:
- meet regulatory requirements
- meet ANSI/ISA-84.00.01 requirements
- meet equipment manufacturer requirements (e.g., safety manual)
- demonstrate through witnessed test and preventive maintenance records that the equipment
is being maintained in the as good as new condition
- detect and correct unrevealed failures
- verify that the MI program and test interval are sufficient to ensure functional and integrity
requirements are met for the equipment life
- monitor equipment for degradation mechanisms (incipient and degraded) which may
compromise future performance
- identify when equipment has reached wear-out and requires replacement
- provide data and information to facilitate the evaluation of MI program success and to support
continuous improvement
The technical report addresses:
- the identification of personnel roles and responsibilities when developing an MI plan,
- important considerations in establishing an effective MI program, and
- detailed guidance and examples to support user-specific work processes as part of an overall
MI program.
2 Audience
The successful design and management of SIS is dependent on many departments within an
operating facility. Likewise, an effective MI program is a fundamental element of the SIS lifecycle
with many departments having responsibility. Consequently, the target audience of this technical
report is very broad and includes all personnel who impact program success. These personnel
perform certain roles and have responsibility for execution of many different tasks during various
lifecycle phases. Typical roles and responsibilities include:
Engineering Manager --- Ensures that engineering work processes are in place to determine
the required rigor of the MI program for all SIS, and subsequently to ensure that Operations
and Maintenance departments are engaged in determining how this testing can be
accommodated in a practical and effective manner.
Design Engineer --- Ensures maintenance provisions for safe and cost effective inspections
and testing are met as the SIS proceeds through the design phase.
Project Manufacturing/Operations Representative --- Ensures all roles communicate and fulfill
their responsibilities on projects, including development of validation, commissioning, proof
test procedures and documentation handoffs.
Process Automation/Control System Engineer --- Ensures all aspects of on-line testing,
demand tracking and bypassing are adequately addressed in the design phase to deliver the
necessary functionality across the operations lifecycle, including appropriate use of process
historians to track demands on the SIS.
Process Engineer --- Provides operation and technical information to ensure testing and
associated procedures are completed satisfactorily and no new hazards are introduced
during this process.
PSM Manager --- Ensures that recommendations related to the SIS are tracked to completion
and that an effective Management of Change (MOC) process is in place, which involves
review and approval of proposed changes to SIS by competent personnel.
Maintenance Manager --- Ensures that an effective management system is in place to
execute reliability and maintenance activities required to ensure SIS integrity including a
training program for maintenance personnel to maintain qualifications.
Operations Manager --- Ensures that Operating personnel are committed to providing the
opportunity for identified MI activities to take place in a planned manner including a training
program for Operations personnel to maintain qualifications. This role has the ultimate
responsibility to ensure the lifecycle management rigor and SIS integrity within the operating
facility.
Management Team --- Consists of the Project Manager, Maintenance Manager and
Operations Manager and ensures that competent and trained personnel with the appropriate
level of support are available to carry out the identified activities and that SIS
installations are maintained, inspected, tested and operated in accordance with
ANSI/ISA-84.00.01.
SIS Specialist/Engineer --- Works with both Engineering and Maintenance personnel to
develop and maintain the SIS equipment list and to define the MI requirements necessary to
ensure SIS integrity throughout the lifecycle of the facility. Ensures that SIS are
appropriately installed, inspected, tested and validated to demonstrate correct functionality
and performance prior to handover to Operations.
Reliability Specialist --- Advises the SIS Specialist/Engineer on appropriate testing and
reliability techniques. To apply the management system and ensure that testing activities are
performed effectively with appropriate supporting documentation including procedures and
results records. To address any non-compliance/failures in a timely and effective manner that
addresses the root cause of the failure to minimize repeat failures. To facilitate data capture
and analysis in support of on-going demonstration of SIS MI and continuous improvement.
Maintenance (and Construction) Supervision --- Understands the importance of SIS MI and
provides the necessary resources to ensure that all identified MI activities are completed in a
planned manner.
Maintenance (and Construction) Technician --- Understands purpose and function of the SIS,
the importance of inspection, preventive maintenance and testing plans, and how to complete
the required documentation to support data collection.
Testing Personnel --- Appreciate the concepts of SIS MI and the rigor required in the
identification and reporting of SIS failures.
Training Coordinators --- Ensure that training of all roles impacting or impacted by SIS across
the plant operating lifecycle occurs in a timely manner.
It is expected that those persons identified as the audience possess an understanding of the
requirements of ANSI/ISA-84.00.01 appropriate to their level of responsibility and technical
expectation.
3 Definitions
Definitions which are new and not previously documented in ANSI/ISA-84.00.01 are indicated
with (*).
3.1
allowable time to repair*
length of time that has been determined by hazard and risk analysis to be acceptable for
continued process operation with degraded or disabled equipment. The time is often constrained
by Operations' ability to maintain the necessary compensating measure.
3.1.1
application program
program specific to the user application. In general, it contains logic sequences, permissives,
limits and expressions that control the input, output, calculations, and decisions necessary to
meet the SIS functional requirements.
3.1.2
Application Program Factory Acceptance Test (APFAT)*
formal testing of the configuration. The advantage of this type of test is that it can be
independent of all or most of the physical hardware, thereby supporting the concept of an
HWFAT. See FAT.
3.1.3
as good as new*
equipment is maintained in a manner that sustains its useful life. As good as new often refers
to the initial condition after proof test and subsequent repair/overhaul (as needed) so that the
probability of failure at time 0 is zero and the failure rate expected during the useful life is
unchanged.
NOTE When a device is returned to its as good as new condition, the expectation is that the as-left condition will
support operation within specification until the next scheduled proof test.
3.1.4
compensating measure*
planned and documented means for managing risk that are implemented during any period of
maintenance or process operation with known faults or failures in the SIS, which result in
increased risk
3.1.5
complete failure*
failure that results in a 100% loss of a required function. The failure can be further classified as
safe or dangerous depending on the application and desired operation.
3.1.6
degraded condition*
failure that results in a partial loss of function, that is less than as good as new, but does not
result in a complete loss of the function. Degraded condition also includes any time a portion of
the SIF is bypassed, but is still able to perform its function automatically.
3.1.7
detected failure
in relation to hardware failures and software faults, detected by the diagnostic tests or through
normal operation. Synonyms include announced, revealed and overt.
NOTE* Software faults can include errors within the application program, embedded program (operating system),
embedded firmware, or utility software (programming panel).
3.1.8
failure
the termination of the ability of a functional unit to perform a required function
3.1.9
failure cause*
the circumstances during design, manufacture, or use which led to failure
3.1.10
failure mechanism*
the physical, chemical, or other process, or combination of processes, that has led to failure
3.1.11
failure mode*
the observed manner of failure. The failure modes describe the loss of required system
function(s) that result from failures.
3.1.12
failure to activate*
occurs when the SIS does not respond to the process deviation and an event occurs or the SIS
needs to be manually activated
3.1.13
fitness for service*
management system used to assess the current condition of equipment to determine whether it
is capable of continuing operation within equipment specification until the next opportunity to test
or perform maintenance
3.1.14
Hardware Factory Acceptance Test (HWFAT)*
testing of SIS equipment, panels, I/O, power supplies, panel grounding, and related equipment at
the manufacturer's fabrication facility to ensure that the SIS equipment has been installed and
wired properly
3.1.15
Integrated Factory Acceptance Test (IFAT)*
formal testing of SIS and BPCS simultaneously to ensure that the combined actions result in the
desired safe automation of the process
3.1.16
incipient condition*
the equipment operates within specification but in its current state is likely to result in a degraded
condition or complete failure if corrective action is not taken
3.1.17
integrity*
ability of the SIS to perform the required SIF as and when required
3.1.18
Mean Repair Time (MRT)*
expected overall repair time
NOTE MRT encompasses the times (b), (c) and (d) of the times for MTTR.
3.1.19
Mean Time between Failure (MTBF)*
for a repairable device, mean time to failure + the mean time to restoration
3.1.20
Mean Time to Failure (MTTF)*
the average time before equipment's first failure. May refer to all failures, specific failure
classifications, specific failure modes, or specific failure causes.
3.1.21
Mean Time to Repair*
term has been replaced by Mean Time to Restoration or Mean Repair Time
3.1.22
Mean Time to Restoration (MTTR)*
expected time to achieve restoration
NOTE MTTR encompasses:
a) the time to detect the failure; and
b) the time spent before starting the repair; and
c) the effective time to repair; and
d) the time before the device is put back into operation.
The start time for (b) is the end of (a); the start time for (c) is the end of (b); the start time for (d) is the end of (c).
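The four MTTR components above, together with MRT (3.1.18) and MTBF (3.1.19), worked through on constructed failure records as an added example. This is not code from the technical report; the FailureEvent record layout, the tag names and the timestamps are assumptions made for the illustration, and the ordering check rejects records whose (a) to (d) boundaries are out of sequence.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

HOUR = 3600.0


@dataclass(frozen=True)
class FailureEvent:
    """One repairable failure with the four MTTR boundary times (a) to (d).

    Hypothetical record layout constructed for this example; a maintenance
    management system would normally carry these as work-order fields.
    """
    tag: str
    failed_at: datetime           # onset of the failure (established after the fact)
    detected_at: datetime         # end of (a): revealed by diagnostics, proof test or operation
    repair_started_at: datetime   # end of (b): waiting for permit, parts, access
    repair_finished_at: datetime  # end of (c): effective hands-on repair
    returned_at: datetime         # end of (d): bypass removed, device back in service

    def __post_init__(self):
        order = (self.failed_at, self.detected_at, self.repair_started_at,
                 self.repair_finished_at, self.returned_at)
        if any(later < earlier for earlier, later in zip(order, order[1:])):
            raise ValueError(f"{self.tag}: timestamps (a) to (d) must be non-decreasing")


def mttr_components_hours(e: FailureEvent):
    """Return (a, b, c, d) in hours; each interval starts where the previous one ends."""
    a = (e.detected_at - e.failed_at).total_seconds() / HOUR
    b = (e.repair_started_at - e.detected_at).total_seconds() / HOUR
    c = (e.repair_finished_at - e.repair_started_at).total_seconds() / HOUR
    d = (e.returned_at - e.repair_finished_at).total_seconds() / HOUR
    return a, b, c, d


def mttr_hours(events):
    """3.1.22: MTTR = mean over events of (a) + (b) + (c) + (d)."""
    return mean(sum(mttr_components_hours(e)) for e in events)


def mrt_hours(events):
    """3.1.18: MRT = mean over events of (b) + (c) + (d); detection time (a) excluded."""
    return mean(sum(mttr_components_hours(e)[1:]) for e in events)


def mtbf_hours(mttf_hours: float, events) -> float:
    """3.1.19: for a repairable device, MTBF = MTTF + MTTR."""
    return mttf_hours + mttr_hours(events)


# Constructed sample records (not field data).
SAMPLE_EVENTS = [
    # Dangerous failure revealed at proof test: 12 h to detect, a day waiting
    # for a permit and parts, 4 h repair, 2 h to re-validate and return to service.
    FailureEvent("XV-10003",
                 datetime(2012, 3, 1, 0, 0), datetime(2012, 3, 1, 12, 0),
                 datetime(2012, 3, 2, 12, 0), datetime(2012, 3, 2, 16, 0),
                 datetime(2012, 3, 2, 18, 0)),
    # Diagnostic-announced transmitter fault: detected immediately, so (a) = 0.
    FailureEvent("FT-10001",
                 datetime(2012, 6, 10, 8, 0), datetime(2012, 6, 10, 8, 0),
                 datetime(2012, 6, 10, 10, 0), datetime(2012, 6, 10, 13, 0),
                 datetime(2012, 6, 10, 14, 0)),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.tag, "(a, b, c, d) h =", mttr_components_hours(e))
    print("MTTR h:", mttr_hours(SAMPLE_EVENTS))   # 24.0
    print("MRT  h:", mrt_hours(SAMPLE_EVENTS))    # 18.0
```

The split matters for the metrics that follow: a detection interval (a) of many months for an undetected dangerous failure dominates MTTR, while MRT shows only how quickly the site repairs what it knows about.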

3.1.23
mechanical integrity*
management system assuring equipment is inspected, maintained, tested and operated in a safe
manner consistent with its risk reduction allocation
3.1.24
out of service*
includes any time the SIF is unavailable during an operating mode where the hazard exists
3.1.25
partial testing*
method of proof testing that checks a portion of the failures of a device, e.g., partial stroke
testing of valves and simulation of input or output signals
3.1.26
pass/fail criteria*
pre-established criteria that define the acceptability of equipment operation relative to the SRS
and equipment specification
3.1.27
proof test
test performed to reveal undetected faults in a safety instrumented system so that, if necessary,
the system can be restored to its designed functionality
3.1.28
proof test coverage*
expressed as the percentage of failures that can be detected by the proof test. A complete proof
test should provide 100% coverage of the failures.
3.1.29
reliability*
ability of a system or device to perform its specified function under stated conditions for a
specified period of time
3.1.30
safety instrumented function (SIF)
safety function with a specified safety integrity level which is necessary to achieve functional
safety and which can be either a safety instrumented protection function or a safety instrumented
control function
3.1.31
safety instrumented system (SIS)
instrumented system used to implement one or more safety instrumented functions. An SIS is
composed of any combination of sensor(s), logic solver(s) and final element(s).
3.1.32
site integration test (SIT)
formal testing of the ability of the SIS and BPCS to be able to properly communicate with each
other once those systems have been installed in the field. It also can include any third party
systems that need to interface with the BPCS.
3.1.33
useful life*
the portion of equipment's life where the failure rate can be considered constant, where early life
failures have been corrected and end of life failures have not begun
3.1.34
wear-out*
the time when equipment's failure rate begins to increase due to various failure mechanisms
4 Abbreviations/Acronyms
Abbreviations which are new and not previously documented in ANSI/ISA-84.00.01 are indicated
with (*)
AC/DC Alternating Current/Direct Current
ANSI American National Standards Institute
APFAT* Application Program Factory Acceptance Test
BPCS Basic Process Control System
CCPS* Center for Chemical Process Safety
EH&S Environment Health and Safety
ESD Emergency Shutdown System
EWS Engineering Work Station
FAT Factory Acceptance Test
FMEA* Failure Mode and Effects Analysis
HMI Human Machine Interface
HSE Health and Safety Executive
HWFAT* Hardware Factory Acceptance Test
IEC International Electrotechnical Commission
IFAT* Integrated Factory Acceptance Test
I/O* Input/Output
ISA International Society of Automation
IT Information Technology
MI Mechanical Integrity
MOC Management of Change
MTBF* Mean Time between Failure
MTTF* Mean Time to Failure
MTTR* Mean Time to Restoration (formerly Mean Time to Repair)
NIST National Institute of Standards and Technology
OSHA* Occupational Safety and Health Administration
PERD* Process Equipment Reliability Database
PES Programmable Electronic Systems
PFDavg Average Probability of Failure on Demand
P&IDs* Piping and Instrumentation Diagrams
PHA* Process Hazard Analysis
PLC Programmable Logic Controller
PPE* Personal Protective Equipment
PSD Process Shutdown System
PSM* Process Safety Management
RTD Resistance Temperature Detector
SAT Site Acceptance Test
S/D Shutdown
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SIT* Site Integration Test
SOE Sequence of Events
SRS Safety Requirements Specification
TC Thermocouple
UPS* Uninterruptible Power Supply
1oo1 one-out-of-one
1oo2 one-out-of-two
2oo3 two-out-of-three
5 MI planning considerations
For SIS, planning is covered in ANSI/ISA-84.00.01 Clauses 5, 6, 7, 15, 16, and 17. MI planning
involves establishing the management system and the maintenance requirements (e.g.,
inspection, preventive maintenance, and proof testing) for the SIS equipment. With limited
resources, it is important to identify and classify instrumentation and controls, so that plant
personnel know what equipment must be managed as safety equipment. Fundamentally, all equipment is
covered by MI but only a portion of the equipment must be rigorously managed according to
ANSI/ISA-84.00.01. Classification is performed and documented during the process hazards
analysis as discussed in the standard ISA-84.91.01 and technical report ISA-TR91.00.02. The MI
program should cover all equipment required to support the SIF integrity and reliability, including
sensors, logic solvers, final elements, utilities, communications, and diagnostic equipment.
The facility safety and operating culture should be considered when designing the SIS, because
the culture affects the MI program, which must be capable of supporting the SIS functional and
integrity requirements defined in the safety requirements specification (SRS). Once an SIS is
designed and implemented, independence, integrity, functionality and reliability become inherent
attributes of the installation, which are proven through periodic MI activities, such as inspection
and testing, and supported through preventive maintenance and planned replacement/upgrade.
Auditability, access security, and management of change are attributes of the management
system, which are proven through periodic assessment and auditing activities. These core
attributes, namely independence, integrity, functionality, reliability, auditability, access security,
and management of change, must be managed throughout the SIS lifecycle with sufficient rigor
so that the SIS achieves and maintains the required safety integrity.
The planning phase of the ANSI/ISA-84.00.01 lifecycle includes development of MI procedures
and implementation of training programs for a variety of activities:
documentation transfer and lifecycle management from Design Engineering to Facility
Maintenance and Operations,
identification of the minimum data fields to be included in the facility maintenance
management system,
NOTE These data fields are intended to support scheduling of inspections and tests and the capture of data and
information for tracking failures impacting integrity and reliability
commissioning procedures and documentation of corrective actions,
identification and tagging of SIS equipment in the field,
managing failure conditions during plant operation, inspection, preventive maintenance, and
proof testing,
controlling and monitoring the use of bypasses,
investigation of process demands, spurious trips, and dangerous failures,
performing follow-up failure investigations and communicating findings for continuous
improvement,
minimum required inspection and preventive maintenance practices to maintain equipment
MI,
minimum required proof testing to ensure correct operation of equipment,
minimum requirements for proof testing following modification and repair,
change management, including specific provisions for access security, configuration
management, planned modification, temporary modification, and decommissioning, and
appropriate degree of training for impacted personnel within Operations and Maintenance.
Figure 2 provides an illustration of the safety lifecycle relative to MI activities. As the project
moves from concept through detailed design, a validation plan is developed to ensure the SIS
meets the desired functionality and integrity. Validation demonstrates that each SIF and its
supporting utilities/diagnostics fully achieve the SRS prior to being placed into service. Validation
is required for any new or modified SIS.
A Factory Acceptance Test (FAT) of the SIS logic solver and other packaged equipment is
generally conducted prior to site installation. An FAT allows rigorous testing of the equipment in
a controlled environment without the time pressure that often occurs during on-site testing.
ANSI/ISA-84.00.01 does not require an FAT to be performed, but many users consider the FAT a
cost effective means of ensuring that packaged equipment, such as logic solvers, work according
to specification.
During construction and commissioning, the SIF sensors, final elements and ancillary support
equipment (e.g., air supplies, power supplies, communications, and interfaces) are installed
according to design documents and installation details. Inspection and commissioning
procedures are used to ensure the SIS equipment is installed and operating properly. Following
equipment commissioning, validation is conducted. Validation includes evidence from an end-to-
end test that the installed SIS and its SIFs operate as required. Validation should be performed
after major process or SIS modifications.
Once operational and for as long as the plant continues to operate, the SIS equipment should be
periodically inspected to detect incipient and degraded conditions and to initiate corrective action
through equipment repair or replacement. Preventive maintenance whether on a fixed schedule
or based on condition is conducted to replace wearable or short-life parts to extend the useful
life of the equipment. Proof testing is required to demonstrate that the SIS equipment is
operating as specified and to identify deviations from acceptable operation so they can be
corrected. Test records provide documented proof that the SIS is achieving the required safety
integrity level (SIL). All SIS equipment should be tested, including field sensors, final control
elements, logic solvers, Human Machine Interfaces (HMI), communication links with other
systems, user application program, and any required support systems, such as power or
instrument air.
Many processes have operating cycles that are longer than the test interval necessary to
theoretically achieve the SIL. Therefore, the ability to perform testing while the process remains
in operation (e.g., on-line) is often desirable. The requirements of ANSI/ISA-84.00.01 can be met
using off-line testing with the process shutdown, on-line testing with the process in operation or a
combination of on-line and off-line testing. All means of testing can be supported by manual and
automated procedures and techniques.
This technical report provides guidance and examples for off-line and on-line testing
based on the experience of the working group members, but these examples should not be
considered the only means for achieving the objectives of ANSI/ISA-84.00.01.
There are several considerations that go into developing a holistic MI program. Each of these
considerations is discussed in more detail in later clauses:
identification of the equipment and systems to be covered by SIS MI
determination of the maintenance strategy to be used for each type of equipment
collection and retention of lifecycle documentation
defining personnel roles and responsibilities and ensuring competency
defining management system and performance metrics
implementing configuration management and management of change
performing audits to determine MI program compliance
5.1 Identification of the equipment and systems to be covered by SIS MI
The following information at a minimum should be transferred from the design information to the
organization responsible for facility maintenance and record system to ensure proper scheduling
and completion of inspections, preventive maintenance, proof tests and reliability improvement:
production unit or plant identification (e.g., hydrocarbon alpha 1)
process unit within the production unit (e.g., quench unit)
tag item number (e.g., FT-10001)
NOTE Any facility testing or calibration equipment used to validate or test SIS devices should also be identified in
the maintenance management system to ensure calibration certifications are performed as required.
location description (e.g., T-630 discharge)
manufacturer (e.g. XYZ Instruments, Inc.)
model number (e.g.,1234DP)
pipe spec or process description (e.g., river water)
equipment group or family (e.g., flow)
equipment type (e.g., vortex)
serial number
SIF identification number
date installed
calibration, tolerance, and configuration values (e.g., span, filtering, square root extraction,
fail-direction on detected fault, leak tightness)
inspection/proof test interval
NOTE The maintenance management system is used to generate notifications for inspections, preventive
maintenance, and proof tests based on last maintenance date and specified interval.
Figure 2 Mechanical integrity across the lifecycle
[Figure: project execution phases (hazard review, design, construction, commission plant, PSSR,
startup, operate plant) shown against the MI activities that run alongside them: develop
validation plan; staging (FAT); install; commission; validation (SAT); PSSR; then, during plant
operation, inspection, preventive maintenance and proof test, and data capture and assess
performance.]
The figure shows conceptually where the MI (mechanical integrity) program and its specific
activities fit into an overall project and subsequent plant operation.
5.2 Determination of the maintenance strategy to be used for each type of equipment
The MI plan ensures that the facility maintenance strategy is in agreement with the intent of the
SIS MI program, namely that the equipment is maintained in the as good as new condition through its
lifecycle. There are three basic maintenance strategies employed within the process industry,
depending on the type of equipment:
Preventive (planned) maintenance: Specifically defined maintenance is performed on a
periodic schedule, e.g., annual change out of air supply filters on automated valves.
Predictive (condition-based) maintenance: Applicable maintenance is initiated based on
monitoring equipment condition through inspection, diagnostics, and observation, e.g., valve
response to control signal is sluggish, indicating that a particular type of maintenance such
as an air filter change out is required.
Corrective (reactive) maintenance, also known as run to failure: Neither preventive nor
predictive maintenance is performed. Repair or replacement is initiated based on detecting
equipment failure. Though a viable maintenance strategy for some general equipment
population, it should not be used for SIS equipment where dangerous undetected
failures can occur.
Effective MI planning ensures that the maintenance strategy is consistent with maintaining the
SIS integrity. The SIS MI plan should be a component of the facility's overall MI plan. The plan
begins its development in the early stages of design to ensure the needs of the operating facility
are addressed and that test and maintenance facilities are implemented to meet procedure
requirements. MI planning includes the development of procedures on how to plan, perform and
document the following:
inspections
repairs
preventive maintenance
calibrations
proof tests
reliability data capture and analysis
loop check/commissioning procedures
validation procedures
feedback to ensure continuous improvement
5.3 Collection and retention of lifecycle documentation
Various disciplines are involved in developing lifecycle documentation, including Operations,
Maintenance, and Design Engineering. The owner/operator is the ultimate owner of
documentation generated by Engineering and Maintenance. Documentation should be treated as
a long-term asset similar to the equipment within the operating facility. Engineering and
Maintenance use and maintain the various documents described within this technical report.
The MI plan should define which documents will be transferred from Engineering to
Maintenance/Operations, where and in what form the master documents will be stored, who will
be the custodian, and which role(s) or person(s) will maintain the master documents as evergreen. The
MI plan sets the foundation on how procedures such as those for proof testing and reliability are
accessed and maintained to provide for continuous improvement and value delivery.
All operating facilities should comply with their respective corporate records retention guidelines
and policies. The records may be maintained electronically or hard copy in on-site or off-site
storage. MI records are needed for tracking and trending equipment failure. These records are
typically reviewed whenever a functional safety assessment (see ISA-TR84.00.04 Annex D),
prior use assessment (see ISA-TR84.00.04 Annex L User approval) or audit (see
ISA-TR84.00.04 Annex E) is performed. Regulatory authorities may establish the minimum retention
period for MI records. For example, OSHA PSM requires that records be maintained for the
facility life. Practically, records should be retained in a form and for a period of time sufficient to
support user approval and reliability assessment of equipment.
5.4 Defining personnel roles and responsibilities and ensuring competency
MI planning also ensures that personnel understand their roles and responsibilities in supporting
the maintenance strategy. Maintenance/Reliability personnel have a significant role in MI
planning and execution, but Operations and Engineering must support many specific tasks.
Maintenance/Reliability, including supervision, engineers, mechanics, and I&E technicians,
develop the SIS MI plan with dialogue and input from Operations and Design Engineering.
Successful completion of tasks defined in planning requires the active involvement of various
disciplines.
All personnel associated with the SIS, including Management, Operations, Maintenance, and
Engineering, should be competent in performing their assigned tasks. Management should
understand how the SIS operates to reduce risk and how their decisions affect its integrity.
Engineering choices influence the SIS design, test facilities, and proof test interval, so they
should understand how their choices affect long-term operation and maintenance. Maintenance
and Operations personnel need to have the knowledge, training and skills necessary to ensure
the SIS integrity is maintained throughout its installed life. Competency for all personnel extends
beyond simple knowledge of how to perform basic tasks; it also includes knowledge of how the
SIS equipment functions to achieve or maintain a safe state of the process.
Consequently, unlike other process safety programs, the training and skills for SIS MI cover a
significant range of subjects. It is generally not possible to provide a single training package for
everyone. Rather it requires the training program to be tailored to support the site culture and the
specific SIS equipment.
5.5 Ensuring maintenance personnel skills and training
This subclause specifically addresses the skills and training necessary for Maintenance
personnel who support SIS MI. Maintenance training includes maintenance management that
directs and funds the maintenance activities, the instrumentation technicians, the electricians,
and the mechanics. Maintenance personnel need to have an understanding of the importance of
the SIS, how they affect the performance of those systems, what skills they should have before
working on SIS, and how they should identify, correct and report failures of SIS equipment.
The goal of the training program is to give the maintenance personnel the skills and knowledge
needed to maintain the SIS equipment. The training program typically covers three subject areas
1) safe work practices and procedures, 2) basic skills required to be an instrumentation and
electrical technician, and 3) SIS specific training. In the performance of maintenance work,
consistency and quality of work execution is important in minimizing systematic failures. A
procedure for all aspects of the maintenance work helps ensure that consistency. This will be the
basis for the training program.
For basic skills, community colleges and private training centers offer varying training programs.
There are many resources available to a user who is developing a training program, for example:
ISA Certified Control Systems Technician Program, ISA-67.14.01-2000, Qualifications and
Certification of Instrumentation and Control Technicians in Nuclear Facilities, and
ISA-TR98.00.02-2006, Skill Standards for Control Systems Technicians.
SIS specific training focuses on the activities performed by maintenance personnel:
understanding pass-fail criteria
documenting as-found/as-left
recording and reporting failure
recognizing common cause failure
permitting
bypassing
use of safety approved equipment for repair or replacement
use of approved and standardized equipment, such as calibration equipment
inspection and testing
management of change, including configuration management
preventive maintenance techniques
troubleshooting skills
The training can be provided in many different forms, such as classroom, hands on, self-study,
and computer-based training. Training can be conducted internally or externally. Classroom or
computer-based training is generally not sufficient, because skill development requires exposure
to the equipment and hands-on practice. Basic skills training should incorporate actual
demonstration of the required tasks, such as transmitter calibration, to ensure comprehension.
Documentation of maintenance training can be a challenge, especially for large sites or sites
relying on contract personnel. Annex A Example training documentation shows an example of
how some users approach training documentation.
5.6 Defining management system and performance metrics
Throughout the process equipment life, numerous assumptions are made about the SIS
equipment used to achieve or maintain a safe state of the process with respect to identified
hazardous events. The process hazards analysis made assumptions about the initiating cause
frequency and SIF risk reduction. These expectations led to a SRS where SIF functional and MI
requirements were specified. The SIL verification calculations made assumptions about the
failure modes and failure rates of the SIS equipment.
A Health and Safety Executive (HSE) study found that 32% of loss-of-containment events were
caused by process and safety equipment failure due to inadequate design and maintenance
(HSE, 2005). Safety equipment performance is limited by the rigor, timeliness, and repeatability
of MI activities. Metrics, including leading and lagging indicators, are used as a means for
assessing work execution and SIS performance against requirements. When implementing
metrics, always ensure that the intent of the metric is understood: the SIS is to be demonstrated
to meet the functional and integrity requirements, rather than the metric itself simply being managed.
5.6.1 Management system metrics
Most management system metrics focus on schedules, which are not indicative of work quality. A
proof-test schedule can be developed with an unreasonably long interval or testing can be
performed inadequately, creating an illusion where the metrics indicate a well-maintained system
while equipment is failing in the field. A focus on the percentage of success or failure of various
activities can lead to normalization of some failures, which is unacceptable for SIS. Any piece of
failed SIS equipment represents a degradation of the risk reduction strategy. Consideration
should also be given to out-of-service periods where equipment has failed and is awaiting repair
or is bypassed for maintenance and testing.
5.6.2 Performance metrics
The success of the MI program is proven by its MI data, which demonstrates that the SIS can
achieve the performance assumed during the process hazards analysis. Inspection, preventive
maintenance and proof testing are activities used to identify deviation from acceptable operation,
so that maintenance can be performed to ensure the SIS integrity. Understanding what to test
and how to judge pass/fail criteria is critical to MI program success. The proper documentation
and analysis of equipment failure is necessary to ensure the assumptions in the SRS are
achieved and to drive continuous improvement long-term.
Periodically the actual equipment performance should be compared to the expected performance
to determine whether the SIS equipment is suitable for continued use as is or whether
improvement should be initiated. Repeated SIS failures indicate that the MI program is not
achieving its intent to maintain the SIS equipment in the as good as new condition. There are
five facets of SIF performance to monitor:
process demands,
detected faults,
dangerous failures,
spurious operation, and
personnel conformance to work practices.
When performance gaps are identified, root cause analysis should be conducted to (1) describe
what caused the identified failure, (2) determine the failure impact (3) identify the underlying
reasons for the failure, (4) implement corrective actions, and (5) verify that the corrective actions
addressed the cause. Consideration should then be given to changing the design, installation,
operation, and maintenance practices to reduce the likelihood of failure re-occurrence. Annex B
Example demand logs provides examples of demand logs and trip reports. Annex C Example
failure reports provides examples of device failure reports.
The data necessary to perform reliability analysis can come from any of the tasks, which are part
of the maintenance strategy. The most difficult part of instituting reliability improvement is the
culture change necessary for data capture and classification, which must be supported by
Maintenance, Testing, and Operations personnel. Training and positive reinforcement are
necessary to maintain this effort. Failure reports can be collected from across a facility or a
company and used to identify patterns of failure, indicating systematic or common cause
problems. One means of monitoring failures is provided by the CCPS/AIChE Process Equipment
Reliability Database (PERD) initiative. This program develops and distributes failure
classification taxonomies.
Table 2 Key performance indicators
(excerpted from ISA-TR84.00.04 Annex R)
The following metrics are recommended for the SIS MI program.

Key performance indicator | Formula - Deliverable
Inspections: Percent SIF overdue | % KPI = 100 X (No. overdue / No. scheduled)
Inspections: Days overdue | Pareto chart listing days behind schedule. This may be used to measure currently overdue inspections or completed inspections for comparison purposes.
Inspections: Percent failed | % KPI = 100 X (No. failed / No. performed)
Proof tests: Percent SIF overdue | % KPI = 100 X (No. overdue / No. scheduled)
Proof tests: Days SIF overdue | Pareto chart listing days behind schedule. This may be used to measure currently overdue proof tests or completed proof tests for comparison purposes.
Proof tests: Percent SIF failed | % KPI = 100 X (No. failed / No. performed)
Corrective maintenance: Percent SIF overdue | % KPI = 100 X (No. overdue / No. scheduled)
Corrective maintenance: Days SIF overdue | Pareto chart listing days corrective maintenance behind schedule. This may be used to measure currently overdue corrective maintenance or completed corrective maintenance for comparison purposes.
Corrective maintenance: Percent failed specification criteria | % KPI = 100 X (No. failed specification criteria / No. performed)
Failure to activate: Percent SIF failed | % KPI = 100 X (No. SIF failed to activate / Total no. of SIF)
Shutdowns: Percent SIF spurious | % KPI = 100 X (No. spurious SIF initiated shutdowns / Total no. of SIF systems)
SIF out of service: Total hours | Pareto chart listing hours out of service. This may be used to measure SIF currently out of service or restored out of service SIF for comparison purposes.
SIF out of service: Percent | % KPI = 100 X (No. out of service hours / Total no. process hours)
SIF degraded: Percent | % KPI = 100 X (No. hours SIF degraded / Total number of process hours)
SIF out of service: Hours beyond specified repair time | Pareto chart listing hours beyond specified repair time. This may be used to measure SIF currently beyond specified repair time or repaired SIF that had exceeded specified repair time for comparison purposes.
SIF out of service: Percent beyond specified repair time | % KPI = 100 X (No. SIF beyond specified repair time / Total no. of SIF out of service during measurement interval)
SIF out of service: Percent not approved by MOC | % KPI = 100 X (No. out of service & not approved by MOC / Total out of service SIF)
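An added example, not part of the report, that computes the inspection and proof test KPIs of Table 2 from constructed maintenance records. The record fields, the sample data and the "currently overdue" reading of the Days overdue chart are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not from the report): one row per scheduled
# MI task as a maintenance management system might export it. "completed"
# and "result" stay None until the task has been performed.
@dataclass(frozen=True)
class TaskRecord:
    sif: str                  # SIF tag
    kind: str                 # "inspection", "proof_test" or "corrective"
    due: date                 # scheduled date
    completed: Optional[date]
    result: Optional[str]     # "pass" or "fail" once performed

TODAY = date(2012, 8, 28)     # measurement date for the constructed sample

SAMPLE: List[TaskRecord] = [
    TaskRecord("SIF-101", "inspection", date(2012, 7, 1), date(2012, 7, 3), "pass"),
    TaskRecord("SIF-102", "inspection", date(2012, 8, 1), None, None),
    TaskRecord("SIF-103", "inspection", date(2012, 8, 15), date(2012, 8, 14), "fail"),
    TaskRecord("SIF-104", "inspection", date(2012, 9, 15), None, None),
    TaskRecord("SIF-105", "inspection", date(2012, 6, 1), None, None),
    TaskRecord("SIF-101", "proof_test", date(2012, 8, 20), None, None),
    TaskRecord("SIF-102", "proof_test", date(2012, 8, 10), date(2012, 8, 9), "pass"),
    TaskRecord("SIF-103", "proof_test", date(2012, 10, 1), None, None),
]

def _is_overdue(r: TaskRecord, today: date) -> bool:
    # Currently overdue: the due date has passed and the task is still open.
    return r.completed is None and r.due < today

def _ratio(numerator: int, denominator: int) -> float:
    # "% KPI = 100 X (a / b)", reported to one decimal. A KPI with nothing
    # scheduled or performed is reported as 0.0 instead of dividing by zero.
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def percent_overdue(records: List[TaskRecord], kind: str, today: date = TODAY) -> float:
    """% KPI = 100 X (No. overdue / No. scheduled) for one task kind."""
    scheduled = [r for r in records if r.kind == kind]
    overdue = [r for r in scheduled if _is_overdue(r, today)]
    return _ratio(len(overdue), len(scheduled))

def percent_failed(records: List[TaskRecord], kind: str) -> float:
    """% KPI = 100 X (No. failed / No. performed) for one task kind."""
    performed = [r for r in records if r.kind == kind and r.completed is not None]
    failed = [r for r in performed if r.result == "fail"]
    return _ratio(len(failed), len(performed))

def days_overdue_pareto(records: List[TaskRecord], kind: str,
                        today: date = TODAY) -> List[Tuple[str, int]]:
    """Pareto listing (worst first) of days behind schedule for open tasks."""
    rows = [(r.sif, (today - r.due).days) for r in records
            if r.kind == kind and _is_overdue(r, today)]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def kpi_report(records: List[TaskRecord] = SAMPLE, today: date = TODAY) -> Dict[str, object]:
    """The Table 2 inspection and proof test KPIs in one dictionary."""
    report: Dict[str, object] = {}
    for kind in ("inspection", "proof_test"):
        report[f"{kind}: percent overdue"] = percent_overdue(records, kind, today)
        report[f"{kind}: percent failed"] = percent_failed(records, kind)
        report[f"{kind}: days overdue"] = days_overdue_pareto(records, kind, today)
    return report

if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name:32s} {value}")
```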
5.7 Implementing configuration management and management of change
Change is inevitable and equipment occasionally needs to be replaced, repaired, or upgraded.
The process facility may be expanded, leading to additional hazardous events requiring new SIF
or placing new requirements on existing SIF. Process and operational changes should be
reviewed through management of change to determine how these changes affect the SIS design
and operating basis. The manufacturer may discontinue or obsolete SIS equipment so
replacement-in-kind is no longer feasible. Planning must be put in place to ensure that necessary
changes do not increase the risk of hazardous events.
No SIS equipment or program modification should be made without first carrying out a review to
ensure the change does not affect the functionality of the SIF or reduce the risk reduction
provided by the SIF. Validation testing should be done to ensure correct operation when the SIF
or SIS equipment is changed.
For SIS, management of change includes configuration management and replacement-in-kind to
ensure:
- appropriate analysis is conducted prior to change implementation,
- approval is obtained from affected parties,
- change is consistent with current practices,
- documentation is completed and consistent with field application, and
- risk is not adversely affected.
Effective management of change requires the use of administrative and physical means to
prevent unauthorized or inadvertent changes. Since the SRS involved input from many
disciplines, changes should be assessed and approved by similar disciplines. Such evaluation is
needed for any change, other than replacement in kind, such as:
- adding new SIS equipment,
- changing functional operation of the SIF,
- changing the integrity requirements for the SIF,
- changing the materials of construction,
- changing the required speed of response,
- removing or decommissioning SIS equipment,
- changing the SIS equipment specification,
- changing the brand or model of SIS equipment,
- modifying the SIS equipment installation details,
- changing the SIS alarm or trip setpoints,
- changing SIS equipment firmware,
- changing the SIS application program, and
- modifying SIS inspection, preventive maintenance, and proof test procedures.
5.8 Performing audits to determine MI program compliance
ISA-TR84.00.04 Annex E provides guidance on developing and implementing an auditing
program to ensure ANSI/ISA-84.00.01 compliance. Periodic auditing of the operating,
maintenance, and engineering procedures should be performed to ensure that procedures are
consistent with actual work practices, personnel are receiving training as required, training is up-
to-date with latest practices, and training is comprehensive and technically appropriate.
Furthermore, it is important to verify that the training is occurring at the designated time
intervals, and training records are being maintained.
Audits should follow a protocol that ensures procedures are up-to-date, personnel are familiar
with the procedures, and the instructions are being followed. Auditing is generally performed at a
3-5 year interval, typically corresponding with the process safety management audit schedule.
More frequent auditing may be required if there are numerous or repeated findings.
The audit should review records, information, and documentation to determine whether
procedures are being adhered to. Audit findings should be addressed in a timely manner and
tracked to completion. Shortcomings identified in the audit should be addressed with an action
plan that establishes a schedule and assigns responsibility for correcting deficiencies to specific
personnel or departments.
Audits should be performed to verify that the procedures related to SIF and, in particular, those
outlined in the MI plan remain in force throughout the life of the SIF. Records of audits and their
results should be documented and maintained in plant records.
6 MI activity considerations
The MI program is intended to ensure that SIS equipment is maintained in the as good as new
condition throughout its installed life. Inspection, preventive maintenance and proof testing are
activities used to identify deviation from acceptable operation, so that repair or replacement can
be performed to ensure safe and reliable operation. MI activities should be covered by written
procedures that specify the steps required to ensure that the activity is consistently performed
and documented (see Annex D "Effective procedure writing, verification, and implementation").
Procedures should include safe work practices, permitting, and notification requirements.
An effective mechanical integrity (MI) program is required to detect failure so that it can be
corrected in a timely manner. Incipient and degraded conditions can be identified through
inspection or diagnostics, while complete failures are often identified by proof test. The MI
program also includes preventive maintenance activities. When equipment is known to have
consumable components (e.g., batteries, catalytic bead sensor, etc.), preventive maintenance
activities ensure that these components are replaced on a periodic basis. Inspection and
automated diagnostics can identify degraded device conditions triggering maintenance.
Inspection, diagnostics and preventive maintenance complement periodic proof testing, which is
necessary to identify undetected failures prior to a demand being placed upon the SIF. Together,
MI activities increase the likelihood that the SIF functions correctly throughout its installed life.
Without a sound MI program incorporating periodic inspection, appropriate response to
diagnostics, preventive maintenance and proof testing, one runs the risk of running equipment to
dangerous failure. It is essential that equipment be maintained such that it meets the functional
and integrity requirements defined in the SRS. Inspection and preventive maintenance programs
are necessary for achieving the equipment's assumed performance criteria in the SIL verification
calculations. The lack of a good MI program for the SIS devices, the SIF and associated utilities
supporting the SIS will result in increased spurious and dangerous failure rates for the SIS.
The SIF design should consider the requirements for testing including on-line and off-line test
facilities, and the SRS should identify the required test intervals for the SIS equipment. The
required test time can be significantly reduced if test requirements are considered an integral
part of the SIS design. Test facilities should be designed to minimize the physical modifications
required for testing (e.g., jumpers or lifting wires) and the operation of test facilities should be
addressed during validation planning.
Personnel should know what to inspect, test, and document and the differences between how
these activities are executed for safety equipment versus non-safety equipment. Understanding
how to judge pass/fail criteria and the current condition of the equipment is critical to MI program
success. Before one can define pass/fail criteria, it is necessary to understand what failures and
failure modes are critical with respect to the required SIF performance. A significant activity
within the MI program is the documentation of the as-found and as-left condition during the
inspections and tests. This enables analysis of actual performance versus the required
performance over time so that the installed integrity is periodically verified.
MI consists of many activities involving multiple departments and roles, which must be planned
and coordinated throughout the facility life. This clause briefly describes those activities following
a chronological sequence as practically feasible. There are some tasks that need to be
performed concurrently. Management of the work process and tasks is important, as the MI
activities must be reconciled with the planned and scheduled outages. Good planning and
effective management of change procedures are needed to deal with the real-world needs of the
operating facility, including deferred turnarounds, unplanned forces of nature, random equipment
failures, etc. For the overall MI program to accomplish its mission, the personnel involved need
to be sufficiently competent to successfully execute the MI activities.
This clause provides guidance related to the following MI activities:
- planning and performing inspections
- planning and performing repair
- planning and performing preventive maintenance
- planning and performing calibrations
- planning and performing proof tests
- planning and performing reliability analysis
6.1 Planning and performing inspections
The physical condition of the SIS equipment should receive a thorough mechanical inspection on
a regular scheduled basis as determined by the historical performance of the installed equipment
in the operating environment. This is especially true for field equipment exposed to
environmental conditions and operating impact such as corrosion, process spills, leaks, etc.
Inspections should be documented and any corrective action needed should be initiated
immediately through site work order processes (as discussed in 6.2).
As a general practice, a thorough inspection should be performed each time a proof test is
performed, but this is generally not the only time an inspection is performed, since proof test
intervals may extend beyond the interval required to detect and correct incipient and degraded
conditions. The inspection interval should take into consideration ambient conditions such as
heat, cold, salt, dust, dirt, rain, wind, insect activity and plant painting programs.
An inspection program is intended to monitor the apparent condition of equipment and its
capability to operate as required to meet the SRS. An example of a condition that could limit the
performance capability of SIS equipment would be corrosion build-up around the stem of a rising
stem valve used to isolate a process stream. The build-up, if not identified and corrected, could
prevent the valve from stroking all the way or even at all. Consequently, visual inspection should
be performed periodically to verify installation quality and correctness, enhancing the integrity
and reliability of the SIF.
Annex E Example inspection items and forms provides additional examples of items to inspect
associated with sensors, logic solvers, final elements, and wiring, typical problems that might be
found with these items, and an inspection form. If a defect is found during the inspection it
should be corrected at the time of the finding if possible. If the defect cannot be corrected
immediately then a work order should be generated to repair the defect as soon as practical. The
nature of the defect should be described on the inspection form.
6.2 Planning and performing repair
Repair work is performed to correct revealed faults in a timely manner. In general, this means
that the repair should be done as soon as it can be scheduled and safely executed. As faults are
found and corrected, the repair information should be recorded for later review as part of
continuous improvement. A repair work order can be generated as a result of any of the
following:
- Shift operator identifies potential problem/failure during normal daily field rounds.
- Maintenance personnel identify potential problem/failure during scheduled inspection.
- Testing or maintenance personnel identify potential problem/failure during execution of proof
  test.
- On-line diagnostics identifies potential problem/failure.
- Problem/failure is identified due to spurious trip.
Testing after repair should include the following activities, depending on what repair work has
been completed.
1) Sensor: Exercise sensor input and verify alarm and trip setpoints are correct. Use the
applicable section of the SIF test procedure and complete the required documentation for
the equipment checked.
2) Final element: Exercise all outputs that actuate final control elements and observe output
actions. Verify any feedback (limit switches, position indication, etc.) associated with the
final control elements is functional. Use the applicable section of the SIF test procedure
and complete the required documentation for the equipment checked.
3) Logic solver: The test will vary depending on the extent of the repair and its potential
effect on the logic solver hardware or application program. Perform test of affected
hardware, application program, or configuration to ensure proper operation and complete
the required documentation.
Upon completion of the work and any required repairs, the work order and any test
documentation should be signed by the person performing the work. It should be
understood that the Reliability Engineer may need to dialogue with the person who signed
off the form. Repeat maintenance offenders, such as repeated work orders to address the
same performance issue, should be investigated so that action can be taken to minimize
failure. These actions may include recommendations to change the MI plan, such as
shortening the test interval and even re-evaluating the design, specification or installation.
6.3 Planning and performing preventive maintenance
Preventive maintenance may be required to extend the useful life of the overall equipment when
some part has a shorter life, such as soft goods in sealing service. The failure rate of a linkage
may be quite different in the case of periodic oiling (i.e., preventive or predictive maintenance)
versus no oiling (i.e., corrective maintenance). Today's SISs employ a great deal of diagnostics,
which support preventive maintenance based on the observed condition of the equipment.
Routine visual inspections may also initiate preventive maintenance, as those inspections can
uncover incipient/degraded conditions that need to be corrected. The periodic proof test is
intended to identify and to correct degradation and complete failures, but not all degradation and
failures can be identified through testing alone. Thus, proof test activities are often
supplemented with thorough physical inspection and preventive maintenance tasks. As the time
interval between periodic proof testing is increased, there is a need to improve the effectiveness
of preventive maintenance. Refer to Annex E for more guidance on inspection and Annex G for
more guidance on preventive maintenance.
Preventive maintenance is performed based on manufacturer recommendations and past
experience with the equipment in similar operating environments that indicates equipment
reliability is maintained when certain items are proactively repaired or overhauled. The
preventive maintenance schedule and procedure may be modified over the equipment life due to
information collected during inspections, proof tests and repair work. Activities must include
proper documentation and retention of preventive maintenance actions, e.g., what part needed
corrective action/repair and why.
6.4 Planning and performing calibrations
All SIS equipment should be calibrated prior to placing the SIF in service. Calibration can be
performed by the manufacturer or by the user in the workshop or field. Calibration test equipment
traceable to a recognized standards performance organization should be used to perform a
minimum three-point calibration (e.g., 5%, 50%, 95% to prevent scaling errors) over the full
signal range of the loop's sensor/transmitter to the final readout device. Valves should be
calibrated to proper stroke length for full open and full closed positions. Any valve that is not
required to close or open to full stroke position should be calibrated at the appropriate position
prior to placing in service.
Correct functionality between transmitters and the SIS logic solver is essential to effective SIF
operation. Failure to ensure that this has been installed and configured correctly can lead to SIF
failure in the event of a demand. The configuration of all analog transmitters should be tested to
ensure that they function in accordance with how the logic solver is configured. The following
items should be confirmed:
- Calibrated range of the transmitter should be the same as the range configured in the logic
  solver.
- Saturation HI/LO current value parameters in the transmitter should be configured to
  specified values.
- The BADPV HI/LO current value thresholds in the logic solver should be configured to
  specified values that are outside of the saturation HI/LO parameter range in the respective
  transmitter.
- The Fail HI/LO direction in the transmitter should be confirmed to be configured as specified.
- The Fail current value that the transmitter defaults to when a fault is detected should be
  configured to a value above/below the BADPV HI/LO thresholds in the logic solver.
Figure 3 depicts a suggested transmitter and logic solver analogue input configuration.
[Figure 3 not reproduced. It shows the 4 mA to 20 mA normal operating range with the
transmitter configuration (Lo saturation, High saturation, Lo failed state, High failed state)
and the logic solver configuration (BADPV Lo, BADPV High) marked at 3.6 mA, 3.7 mA, 3.8 mA,
20.5 mA, 21.5 mA and 22.5 mA.]
NOTE: Tx configuration parameters are NAMUR suggested values. Logic solver BADPV settings are
suggested to align with NAMUR Tx configuration.
Figure 3 Example of transmitter and logic solver analogue input configuration
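The five confirmation items above applied to the Figure 3 values, as an added example that is not part of the report: a configuration check, plus a model of how the logic solver interprets a given loop current. The class and field names, and the reading of Figure 3 as transmitter saturation 3.8/20.5 mA, fail states 3.6/22.5 mA and logic solver BADPV thresholds 3.7/21.5 mA, are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class TransmitterConfig:
    cal_range: Tuple[float, float]   # calibrated range, engineering units
    lo_saturation_ma: float          # output clamp when the PV is below range
    hi_saturation_ma: float          # output clamp when the PV is above range
    lo_fail_ma: float                # current driven on a detected fault, fail LO
    hi_fail_ma: float                # current driven on a detected fault, fail HI
    fail_direction: str              # "LO" or "HI"

@dataclass(frozen=True)
class LogicSolverAI:
    ai_range: Tuple[float, float]    # range configured for the analogue input
    badpv_lo_ma: float               # at or below this the PV is flagged bad
    badpv_hi_ma: float               # at or above this the PV is flagged bad

@dataclass(frozen=True)
class Spec:                          # values the SRS or datasheet specifies
    lo_saturation_ma: float
    hi_saturation_ma: float
    fail_direction: str

# Reading of Figure 3 (assumption): NAMUR saturation at 3.8/20.5 mA, fail
# states at 3.6/22.5 mA, logic solver BADPV thresholds at 3.7/21.5 mA.
FIGURE_TX = TransmitterConfig((0.0, 100.0), 3.8, 20.5, 3.6, 22.5, "HI")
FIGURE_LS = LogicSolverAI((0.0, 100.0), 3.7, 21.5)
FIGURE_SPEC = Spec(3.8, 20.5, "HI")

def check_ai_configuration(tx: TransmitterConfig, ls: LogicSolverAI,
                           spec: Spec) -> List[str]:
    """Apply the five confirmation items of 6.4; returns findings, empty if consistent."""
    if tx.fail_direction not in ("LO", "HI"):
        raise ValueError(f"unknown fail direction {tx.fail_direction!r}")
    findings: List[str] = []
    if tx.cal_range != ls.ai_range:
        findings.append(f"range mismatch: transmitter {tx.cal_range}, "
                        f"logic solver {ls.ai_range}")
    if ((tx.lo_saturation_ma, tx.hi_saturation_ma)
            != (spec.lo_saturation_ma, spec.hi_saturation_ma)):
        findings.append("saturation HI/LO not set to the specified values")
    # BADPV thresholds must lie outside the saturation band, otherwise a
    # legitimately saturated signal is flagged bad.
    if not ls.badpv_lo_ma < tx.lo_saturation_ma:
        findings.append("BADPV LO threshold is not below transmitter LO saturation")
    if not ls.badpv_hi_ma > tx.hi_saturation_ma:
        findings.append("BADPV HI threshold is not above transmitter HI saturation")
    if tx.fail_direction != spec.fail_direction:
        findings.append(f"fail direction {tx.fail_direction}, specified "
                        f"{spec.fail_direction}")
    # The fail current must land beyond the BADPV threshold in its direction,
    # otherwise the logic solver reads a detected fault as a valid PV.
    if tx.fail_direction == "LO" and not tx.lo_fail_ma < ls.badpv_lo_ma:
        findings.append("LO fail current would not be flagged BADPV by the logic solver")
    if tx.fail_direction == "HI" and not tx.hi_fail_ma > ls.badpv_hi_ma:
        findings.append("HI fail current would not be flagged BADPV by the logic solver")
    return findings

def logic_solver_view(loop_ma: float, ls: LogicSolverAI) -> Tuple[str, Optional[float]]:
    """How the logic solver interprets a loop current: a BADPV flag or a scaled PV."""
    if loop_ma <= ls.badpv_lo_ma:
        return ("BADPV_LO", None)
    if loop_ma >= ls.badpv_hi_ma:
        return ("BADPV_HI", None)
    lo, hi = ls.ai_range
    return ("GOOD", lo + (loop_ma - 4.0) / 16.0 * (hi - lo))   # linear 4-20 mA scaling

if __name__ == "__main__":
    print("Figure 3 findings:", check_ai_configuration(FIGURE_TX, FIGURE_LS, FIGURE_SPEC))
    for ma in (3.6, 4.0, 12.0, 20.5, 22.5):
        print(f"{ma:5.1f} mA ->", logic_solver_view(ma, FIGURE_LS))
```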
An instrument calibration record should contain the following data fields at a minimum:
- tag number/identification number
- manufacturer model number
- serial number
- process location
- calibration range and tolerance
- calibration date
- test standard
- as-found/as-left
- comments
- special consideration, e.g., signal filtering, dampening, failure detection hi/low, etc.
- technician name, signature and date
- supervisor/approver name, signature, and date
Calibration procedures should be available for each type of SIS equipment (See Annex F
Example calibration forms). In general, calibration procedures recommended by the
manufacturer should be followed. Where additional requirements (e.g., response time of
instruments or valves) are necessary to perform the specified function, these should be taken
into account in the calibration procedures.
A good practice is to include reasonableness checks as part of the calibration procedure. For
example, on-line calibration procedures may include a step in which Operations compares the
process variable readings from newly calibrated field sensors to other process measurements.
Similarly, a reasonableness check for off-line calibration can be performed after the unit has
been re-started. This additional step minimizes the likelihood of a systematic failure during
calibration.
NOTE Common cause failure can arise when redundant sensors are calibrated at the same time by the same person
using the same test equipment or standard. Where an instrument technician miscalibrates one sensor, he/she is very
likely to miscalibrate the others. Special concerns for these failures arise in calibration of redundant process analyzers
using a single mixed sample and in SIL 3 SISs with non-diverse process measurements.
6.5 Planning and performing proof tests
Personnel associated with the Maintenance, Operations, Design Engineering, and Process
Control organizations support the planning, development and execution of proof tests. Periodic
proof tests are executed to detect unrevealed failures - failures that may have existed since the
last periodic test. This activity is a quality control check that verifies that the facility is operating
with its intended safety integrity. Inspection and proof testing is not a substitute for preventive
maintenance and repair. Detailed recording of inspection and test observations are essential for
supporting failure tracking and investigation. Proof tests include checking not only the SIS
functionality, but also any SIS alarms and indications (e.g., diagnostic, pre-trip, and trip alarms).
Similar tests should be periodically performed on the overall system, including main processors,
input/output modules, communications links, power, relays, and SIS grounding. Each test serves
as an opportunity for personnel to see the SIS equipment in action and to validate the
procedures associated with its operation.
Procedures should be in place to assure that all test and calibration equipment used on the SIS
equipment is properly maintained, calibrated (certified per standard, if necessary), and fully
operational (see Annex H "Example proof test template and procedures" and Annex I "Proof
test examples for various SIF technologies"). Calibration cycles of test equipment should follow
manufacturer recommendations and methods to assure the accuracy of the equipment. It is
recommended that field test/calibration equipment be checked/calibrated against a National
Institute of Standards and Technology (NIST) traceable standard on an annual basis. Calibration
labs will normally provide a calibration stamp along with calibration documentation for the device
being calibrated. In general, field test/calibration equipment that is found to be out of calibration,
past established calibration dates, poorly maintained, or in poor physical condition should not be
used on SIS systems. If a facility owns test/calibration devices, the devices should be assigned a
tag name, which should be entered into the maintenance management system to ensure
calibrations are performed in the recommended time frame.
Proof test procedure development should begin in the design phase so that any considerations
or issues associated with the test interval or bypassing can be addressed properly. Good
communications with maintenance is necessary to provide the most effective and efficient proof
test procedure to guard against the need for unnecessary shutdowns or extended test deferrals.
In addition to providing a step-by-step procedure on how to test the SIF or SIS equipment
against the SRS, the proof test procedure should address:
- approvals and notifications required for test execution, e.g., notification of operators
- description of the expected SIF or SIS equipment operation, as appropriate
- work scope, e.g., what will be checked, such as flow rate, valve closure, etc.
- when applicable, how tests may affect other SIF or operating systems and how to address
  impact
- where applicable, how the SIF or SIS equipment is affected by bypasses
- required notifications during test, such as notifying the operator when alarms are activated
- once the test is complete, how the SIF or SIS equipment is brought back on line
To support any on-line tests, operating procedures should ensure that any loss of risk reduction
due to the SIF or SIS equipment being out of service is provided by compensating measures
(refer to ISA-TR84.00.04 Annex P). Prior to approving bypassing or performing the test,
operations should review any special precautions or compensating measures required during the
bypass or test period.
- Does Operations have an equivalent process variable to monitor when the SIF process
  sensor is in bypass?
- Does Operations have control of a final element that can be used to shut down the process
  independently during testing when the output is in bypass?
- Discuss what if a process demand occurs while in bypass. What should Operations do? What
  should Maintenance do?
- Is there sufficient time for the operator to take action?
- Is there communication with Maintenance on when to evacuate to a safe location?
- Discuss what if an operator-initiated trip is required while bypassed. What should Operations
  do? What should Maintenance do?
The test procedure should include return to service provisions to assure proper transfer of SIS
equipment responsibility from Maintenance to Operations. The operator should confirm by
process condition or equipment observation that the SIS equipment is on-line. Operations should
approve work completion closing the work permit. Additional supervisory sign off may be
appropriate in some cases.
6.5.1 Proof test planning
Performing proof tests can be costly if not appropriately planned. When the SIF is designed such
that off-line testing is required, additional costs are incurred due to loss of production and
environmental/safety impacts during the shutdown and subsequent start-up. It is therefore highly
recommended that proof testing be discussed and planned for during the project design phase
with input from Maintenance and Operations.
Proof testing is often accomplished through a number of discrete activities that test parts of the
SIF at different times with sufficient overlap of the tests that all parts are demonstrated to
function as intended. Fortunately, increased levels of automation, enhanced programming
techniques, and new test techniques can be used to execute safe and comprehensive testing of
individual devices or segments (e.g., input to logic solver) of the SIS while the process is
running.
A periodic end-to-end test should be considered to ensure proper functioning of the entire
system. Where the dynamics of the entire end-to-end SIF is crucial, the complete SIF should be
tested together to ensure specification compliance, e.g., the thermowell, the thermocouple, the
transmitter, the input cycle time, the logic cycle time, the output signal cycle time and all of the
components required for operation of the final elements, such as volume boosters, pneumatic
tubing size and length.
A key question concerns whether SIF testing must be done as an integrated test or whether
various parts of the SIF can be tested at different times as necessary to achieve the SIL. Testing
is performed to identify incipient/degraded conditions and equipment failure. Whether these
issues are found piecemeal or through an end-to-end test is not important. Their timely detection
and correction is. ANSI/ISA-84.00.01 does not specify that all proof testing must take place at
the same time. It does require full validation using an end-to-end test prior to placing a new or
modified SIF in service. However, after that, the user is free to structure proof testing to achieve
the SIL and reliability requirements for each SIF, e.g., individual SIS equipment or SIF segment
tests.
Personnel and resource requirements should consider whether workshop or calibration/test lab
facilities will be provided on-site, off-site, or at a manufacturer's premises, so the time required
for troubleshooting, repair, and proof testing can be estimated. Tool availability and personnel
competency in these tools affect how quickly MI activities can be conducted and the achievable
installation quality and equipment integrity. Therefore, planning is an important activity to
address both the safety requirements necessary to maintain the required SIL and to minimize the
cost. Once a plan has been documented, the various activities can be scheduled.
When performing segment testing rather than end-to-end testing, it is critical to ensure that the
discrete activities account for, or overlap, all interfaces. For example, SIF proof tests should
cover the sensor, input wiring, input systems, communications, logic solver operation, output
systems, relays (especially for voted relay outputs), output wiring, and final element, so that the
operation of the entire circuit is demonstrated. Figure 4 illustrates an SIF that has been divided
into 3 overlapping segments for testing. Any project or change impacting the SIS should address
test requirements and the provision for competent resources to analyze discrepancies or
changes.
Test plan documentation should include:
- procedures to test each SIF or SIS equipment
- descriptions of the common aspects of the SIS (e.g., PE logic solver and associated
  equipment) and its associated safety requirements or references to the SRS
- procedures that define testing following on-line repair or modification
- reporting requirements
  NOTE Current standards require documentation of as-found/as-left test results. This information is used to
  verify the assumptions used in the reliability calculations.
- who will review proof test results and records to ensure completeness and work quality
- competency requirements for persons performing the inspections, tests and repairs
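An added example, not from the report, of checking a segmented test plan against the coverage rule stated above: every element of the circuit must be tested, and every interface between adjacent elements must fall inside some one segment so that it is exercised. The element names, the signal-path order and the three constructed segments are assumptions.

```python
from typing import Dict, List, Set, Tuple

# Elements of the SIF circuit that 6.5.1 says the proof tests must cover, in
# signal-path order. The names are assumptions taken from the text.
SIF_PATH: Tuple[str, ...] = (
    "sensor", "input wiring", "input system", "communications",
    "logic solver", "output system", "relays", "output wiring", "final element",
)

# Constructed test plan with three overlapping segments (not the plan drawn in
# Figure 4). Each segment shares one element with its neighbour.
THREE_SEGMENTS: Dict[str, Set[str]] = {
    "sensor segment": {"sensor", "input wiring", "input system"},
    "logic solver segment": {"input system", "communications",
                             "logic solver", "output system"},
    "final element segment": {"output system", "relays",
                              "output wiring", "final element"},
}

def untested_elements(segments: Dict[str, Set[str]]) -> List[str]:
    """Circuit elements that no segment test touches at all."""
    covered = set().union(*segments.values())
    return [e for e in SIF_PATH if e not in covered]

def untested_interfaces(segments: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Adjacent element pairs that no single segment exercises end to end.

    An interface counts as tested only when one segment contains both sides
    of it; two segments that merely abut without overlapping leave it untested.
    """
    gaps: List[Tuple[str, str]] = []
    for a, b in zip(SIF_PATH, SIF_PATH[1:]):
        if not any(a in seg and b in seg for seg in segments.values()):
            gaps.append((a, b))
    return gaps

def validate_test_plan(segments: Dict[str, Set[str]]) -> List[str]:
    """All findings for a plan; an empty list means full overlapping coverage."""
    findings: List[str] = []
    for name, elems in segments.items():
        for e in sorted(elems - set(SIF_PATH)):
            findings.append(f"{name}: unknown element {e!r}")
    for e in untested_elements(segments):
        findings.append(f"element never tested: {e}")
    for a, b in untested_interfaces(segments):
        findings.append(f"interface not covered by any one segment: {a} -> {b}")
    return findings

if __name__ == "__main__":
    print("three overlapping segments:", validate_test_plan(THREE_SEGMENTS))
    gapped = dict(THREE_SEGMENTS)
    gapped["final element segment"] = {"relays", "output wiring", "final element"}
    print("segments that abut without overlap:", validate_test_plan(gapped))
```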
[Figure 4 not reproduced. It shows the SIF signal path as blocks labelled Sensing Elements,
I/O, Control Logic, I/O and Final Control Elements, with Common System Aspects, and the
three overlapping test segments spanning them.]
Figure 4 Example of SIF segment tests illustrating overlapping segments
6.5.2 Test interval basis
The SRS should specify the required proof test intervals for the SIS equipment, which are
necessary to support quality assurance of the MI plan. The proof test intervals for the sensors,
logic solvers, and final elements may be different due to the individual device technology
integrity and reliability. Some devices may be tested using manual or automated on-line testing.
Others may require a plant turnaround in order to fully test the device operation. During the
design phase, the planned turnaround interval should be considered to determine whether on-
line testing is needed to demonstrate the required SIF performance. Follow-up testing of SIS
equipment may be considered at intervals shorter than the complete proof test to improve the
SIF performance. Factors that impact the frequency of these tests include:
- process severity for sensors and final elements
- accuracy of measurements required for safety
- need for positive isolation of streams by valve action
- mechanical wear and tear on equipment
- desire for longer test interval between complete proof tests
Test intervals should be documented in the facility's maintenance management system. The
proof test interval can be determined using a combination of good engineering practice,
manufacturer recommendations, operating history, insurance requirements, industry standards,
operational constraints and the risk reduction requirements. It is always permissible to test more
frequently than what is specified in the SRS. Since operational issues can affect the test window,
meeting the exact test interval may be difficult at times. The MI plan should define the allowable
test interval variation, including management approvals for test deferral (refer to 6.5.4 for more
guidance on deferrals and approvals).
NOTE Test intervals may be impacted by unplanned repairs or replacement. If a proof test is performed and
documented, consideration may be given to resetting the next test date, recognizing that the proof test interval
documented in the SRS may not be exceeded.
When establishing a proof test interval basis, it is necessary to first consider how long unit
operations are expected to continue between outages required to conduct off-line testing.
Regulatory authorities may also require testing at intervals shorter than the planned outage
schedule. These situations can have a considerable impact on the SIS design, as it may be
necessary to include the ability to perform on-line testing or may require more complex
architectures to achieve the needed risk reduction with a long proof test interval. Once the
access and maintenance constraints are understood, the design must provide equipment in an
architecture that is sufficient to achieve the required risk reduction with the specified proof test
interval.
The MI plan should consider the useful life of the selected SIS equipment. The SIL verification
calculations (refer to ISA-TR84.00.02) are based on the estimated dangerous failure rate during
the equipment's useful life. When equipment is operated beyond its useful life, the dangerous
failure rate begins to increase over time, leading the SIL verification calculation to become
increasingly optimistic. Consequently, it is important to monitor the SIS at a frequency sufficient
to detect when the failure rate begins to increase over time, so that the actual performance is
maintained comparable to the design assumptions. Monitoring the SIS performance is required
by ANSI/ISA-84.00.01-2004, 5.2.5.3. User approval as discussed in ISA-TR84.00.04 Annex L
relies on prior use information to determine whether equipment is fit for service, whether in a
new installation or in an existing one. The approval process acknowledges that once the
equipment is installed the in-service performance may indicate the need to modify the design,
specification, installation, or mechanical integrity plan to bring the SIS performance into
alignment with expectations; it may also indicate the need to remove equipment from service.
With regard to useful life, there are two important considerations: 1) understanding what
components/parts limit the overall equipment useful life and establishing a mechanical integrity
plan to deal with those components/parts on a suitably timely basis and 2) monitoring the
equipment to identify when it has reached wear-out. In many cases, consumable parts or
individual parts with a known life dictate the useful life of SIS equipment. The user approval
process (see ISA-TR84.00.04 Annex L) should include identifying what limits the useful life of the
SIS equipment, so that consideration can be given as to whether it is feasible and cost effective
to replace the consumable parts to extend the useful life or to control the conditions that
accelerate degradation. Inspection or proof test intervals should not exceed the known useful life
and consideration should be given to decreasing the intervals as the end of useful life
approaches. To maintain the required risk reduction and to allow the desired proof test interval, it
may be necessary to design the system to allow on-line replacement of the weaker parts.
The user is cautioned however that there are some instruments that exhibit a clear break
between pass and fail. For instance, a capacitor in a transmitter has a specific life dependent on
its materials of construction and operating environment. When it is sufficiently degraded, the
instrument will not be able to perform its function(s). In the illustrated example, the user should
consider the capacitor and the remaining equipment components. In most cases, an MI program
designed around the equipment produces the most effective solution from both a performance
and cost perspective. In the case of equipment like transmitters and solenoid valves, repair is
generally not cost effective, so replacement is often performed.
6.5.3 Ensuring safe work practices
Incidents involving testing have been caused by many different factors including:
inadequate test coordination with Operations
inadequate return to service procedure
inadequate communication and coordination with adjacent Operations and Maintenance who
were unaware of test being conducted and the impact of testing on their situation
SIS equipment failure
improper bypassing
poor test facility design
misunderstood or incomplete test procedures
lack of personnel competency and training
Common incidents as a result of testing include:
beginning a test without satisfying the pre-test conditions
attempting to start-up when a test is still in progress
violations of lock-out/tag-out
leaving SIS equipment bypassed (trip point, relay, timer, or valve) long-term in error
working on the wrong device (e.g., a SIF relies on redundant sensors; the test was meant for
sensor A, but sensor B was tested instead)
leaving a transmitter with a simulated signal or point in manual source mode
leaving analyzers in zero or span
To prevent these incidents from occurring, MI planning should ensure that inspection/proof test
and bypass procedures are clearly documented and that personnel are adequately trained to
perform their required tasks. These incidents are further reduced through job safety analysis and
human reliability studies. Human factors should be considered during test facility design and
procedure documentation, such as requiring that test conditions be satisfied before a test facility
is enabled or that cross-checks be performed to ensure that SIS equipment is fully operational
after test.
Complete testing may require the process equipment to be on-line. Safe operation must be
ensured through work practices and procedure execution. Depending on site procedures, safe
work practices may be covered under permitting requirements or may be addressed in the test
procedures. Where permits are required, they should be listed in the procedure. Prior to any
testing, a review of the tests to be conducted and the procedures for performing these tests
should be carried out by persons from Instrument/Electrical Maintenance, Operations, and
Technical who are familiar with the process and the SIF. This review should reinforce validating
the SIF or SIS equipment against the pass-fail criteria, documenting as-found/as-left, recording
and reporting failure and recognizing common cause failure.
6.5.4 Deferrals and approvals
MI programs and the designs that support them should be developed so that the potential need
to extend inspection or proof testing is an exceptional event, not a matter of routine. Deferrals
need to be handled using the management of change process that includes a technical review to
ensure the company's risk criteria are not being violated. In the event that they are, then temporary
compensating measures should be put into place until the protection is returned to the as good
as new condition.
The most common MI deferrals are requests to delay inspections, proof tests, or repair. Common
reasons for deferral are as follows:
The equipment that the SIF is protecting is out of service. The SIF must be tested prior to the
equipment being returned to service.
A turnaround is scheduled shortly after the scheduled test of the SIF. The intent is to perform
the test during the turnaround.
Spare parts or other required resources are not currently available.
The equipment cannot be accessed or repaired on-line.
Deferrals can be addressed by implementing a deferral procedure or through plant MOC. Annex
J, Deferral considerations and example procedures, provides an example of a deferral
procedure. The purpose of the deferral procedure or approval process is to ensure that the risk
associated with the deferral is understood and that any additional risk caused by the deferral is
properly addressed. Management should be made aware of the risks involved with delay of SIS
inspection, test, and repair and approve deferments on a case-by-case basis.
Probability of failure of an SIF increases as a function of time. The longer the proof test interval,
the higher the average probability of failure on demand (PFDavg), potentially resulting in the SIS
not achieving the risk reduction defined in the SRS. Deferring on-line or off-line tests such that
the test interval is greater than the specified interval may degrade the SIF
performance. The approval process should examine the impact of the deferral on the SIF
integrity prior to approving the deferral. Justification should consider historical performance, such
as inspection, work order and proof test records, the integrity of planned compensating
measures, and the SRS. The SIL verification calculation should be reviewed to determine
whether the deferral will compromise the overall SIF performance.
Deferrals must be approved and authorized by competent personnel who are accountable for
safe operation, understand the equipment operation, the risk the SIF is designed to reduce, and
the equipment reliability history. Typically, Operations, Maintenance, and Technical
representatives are involved in the approval processes. In some cases, there may be different
levels of required review and approval dependent on the SIF complexity, the SIL, the potential
event consequence severity that the SIF is protecting against, and the planned deferral length.
An example of this is shown in Table 2.
Table 2 Example of temporary test or inspection deferral authorization
Approval authority | Status relative to the test or inspection due date
In compliance | (test or inspection performed by the due date)
Unit supervisor | Less than or equal to 30 days beyond test or inspection due date
manager | 31 to 60 days beyond test or inspection due date
Site manager | 61 to 90 days beyond test or inspection due date
Operating group V.P. and process safety | > 90 days beyond test or inspection due date
6.5.5 Proof test strategy
Each SIF in the SIS should be identified, including its inputs, outputs, and the required logic to
be performed using the inputs and outputs. A test procedure should define how each piece of
SIS equipment or segment is tested. All equipment necessary for performing testing should be
identified and verified suitable for tests to be performed. This includes calibration equipment with
traceable performance. If any equipment is shared by multiple SIF, the proof test strategy should
take this into account to guard against unnecessary testing, e.g., block valve shared among
several independent SIF.
6.5.5.1 Off-line testing
The most common test of an SIF is the off-line manual proof test. This test is performed while the
process being protected is not in operation thus allowing all features of the SIS equipment, SIF
segment, or SIF to be validated. The primary purpose of this testing is to detect dangerous
unrevealed faults that exist in the SIF. When the SIF is properly designed and maintained, this
testing should rarely find faults. There are, however, multiple ways that tests can be performed.
This subclause will describe techniques and procedures that are known to be effective in
carrying out the proof test.
Off-line end-to-end testing of the complete SIS should be performed prior to placing the SIS in
service. This is described as validation in ANSI/ISA-84.00.01-2004 and demonstrates that the
SIS operates according to the SRS.
NOTE After the initial validation has been performed, subsequent tests that demonstrate the operation of the SIS
equipment or SIF segments are referred to as a proof test.
SIF proof testing should be performed at intervals determined by one or more of the following
criteria:
the test interval specified in the SRS
the test interval recommended by the equipment manufacturer
when changes are made to logic, impacting the function of the SIF
when the process or equipment is taken out of service for scheduled maintenance activities
that require work involving SIS equipment
company policy requiring complete SIF testing on a predefined schedule
after extended down time of the SIS (see deferrals clause)
6.5.5.2 On-line testing
On-line testing may be necessary where the normal operating cycle of the process between
scheduled shutdowns is greater than the test interval defined in the SRS. Maintaining the
required SIF integrity requires that this test interval be maintained. Therefore, the testing of
some SIF will require executing on-line testing.
Before performing an on-line test, it is important to ensure the process has stable operating
conditions. Stable operating conditions include no major rate changes, emergency situations,
process upsets, etc. On-line testing may require bypassing of the equipment to be tested. In
some cases the risk of being in bypass may require presence of a field operator as the
compensating measure. This will introduce stress on those performing the testing as well as any
operators providing the protection. It is therefore imperative that on-line testing be performed
under closely controlled and monitored conditions using procedures that have been technically
reviewed and previously executed off-line. On-line testing should not be started unless it can be
worked step by step to completion with no anticipated interruptions. Once the inputs or outputs
are bypassed, a dedicated operator should monitor the process continuously in case there is a
process demand, requiring shutdown. Once the manual bypass valves are opened or closed, a
dedicated field operator should be available to close or open the block valves quickly if a process
demand occurs. During the on-line test, the operator should be capable of manually tripping the
SIF via a manual shutdown switch, which initiates the SIF final elements in the event a trip is
required. All personnel involved in on-line testing of SIS equipment should be aware of the
procedures to follow in case a process demand occurs while the testing is in progress.
6.5.5.3 Effect of incomplete testing
An effective test will detect all hidden dangerous failures and degraded conditions. The SIF can
then be restored to full operation. When effective testing occurs on schedule, the risk reduction
is maintained at the desired level. As shown in Figure 5, the SIF probability of failure increases
as a function of time. With complete testing at the required proof test interval, the PFDavg will
continue to provide a level of performance assumed in the SIL verification.

Figure 5 Change in PFD(t) as a function of time and test interval
If the testing is not done effectively, some hidden dangerous failures will not be detected.
Figure 6 illustrates how the PFDavg will increase over time during the life of the equipment.


Figure 6 Increase of PFD(t) over time due to partial testing
If testing is not completed effectively as scheduled, the SIS performance will inevitably
deteriorate. If tests are also ineffective and durations between tests are increased, the PFDavg
will increase as shown in Figure 7. It becomes more likely that the risk reduction needed to
maintain the tolerable risk will not be provided by the SIS.

Figure 7 Increase of PFD(t) over time due to incomplete testing
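The following is an added illustration of 6.5.4 and of Figures 5 to 7, not part of the report and not the report's own PFDavg method: a simple model that steps the probability of a hidden dangerous fault in one SIS element through a sequence of proof tests. It assumes a constant dangerous undetected failure rate within useful life, a "coverage" fraction per proof test, and constructed sample values for the rate, the SRS interval and the deferral length; all function names are the author's own.

```python
import math

HOURS_PER_YEAR = 8760.0


def pfd_trajectory(lambda_du, tests, horizon_h, step_h=1.0):
    """Return [(t_h, PFD(t))] sampled every step_h hours up to horizon_h.

    lambda_du : dangerous undetected failure rate per hour, taken as constant
                (equipment within its useful life, as 6.5.2 assumes)
    tests     : iterable of (time_h, coverage); coverage is the fraction of the
                hidden dangerous faults that the proof test finds and repairs
                (1.0 = complete test, below 1.0 = partial or incomplete test)
    """
    pending = sorted(tests)
    p = 0.0            # as good as new at t = 0
    t = 0.0
    samples = []
    while t < horizon_h - 1e-9:
        # proof tests due now: found faults are repaired, the rest stay hidden
        while pending and pending[0][0] <= t + 1e-9:
            coverage = pending.pop(0)[1]
            p *= 1.0 - coverage
        # random dangerous failures accumulate during the step
        p = 1.0 - (1.0 - p) * math.exp(-lambda_du * step_h)
        t += step_h
        samples.append((t, p))
    return samples


def pfd_avg(samples):
    """Time average of PFD(t) over the sampled period."""
    return sum(p for _, p in samples) / len(samples)


def pfd_avg_first_order(lambda_du, interval_h):
    """lambda_DU * T / 2: the usual SIL verification approximation for one
    completely tested element, valid while lambda_DU * T is much less than 1."""
    return lambda_du * interval_h / 2.0


def sil_band(pfdavg):
    """SIL achieved by a low-demand PFDavg (IEC 61511 / ANSI/ISA-84.00.01 bands)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfdavg < upper:
            return sil
    return 0  # PFDavg of 0.1 or worse: no SIL credit


def schedule(interval_h, coverage, horizon_h, complete_every_h=None):
    """Proof tests every interval_h hours; a test falling on a multiple of
    complete_every_h (e.g., a turnaround) is complete, the others have the
    given coverage."""
    tests = []
    k = 1
    while k * interval_h < horizon_h - 1e-9:
        t = k * interval_h
        complete = complete_every_h is not None and t % complete_every_h == 0
        tests.append((t, 1.0 if complete else coverage))
        k += 1
    return tests


if __name__ == "__main__":
    lam = 1.0e-6          # constructed: about 0.009 dangerous undetected failures/year
    T = HOURS_PER_YEAR    # constructed SRS proof test interval of one year
    life = 8 * T          # two four-year turnaround cycles
    cases = [
        ("Figure 5: complete test every year", schedule(T, 1.0, life)),
        ("Figure 6: 70 % coverage yearly, complete test at turnaround",
         schedule(T, 0.7, life, complete_every_h=4 * T)),
        ("Figure 7: 70 % coverage and interval stretched to 18 months",
         schedule(1.5 * T, 0.7, life)),
    ]
    for name, tests in cases:
        avg = pfd_avg(pfd_trajectory(lam, tests, life))
        print(f"{name}: PFDavg = {avg:.2e} (SIL {sil_band(avg)})")
    # 6.5.4: the complete test deferred 60 days beyond its one-year due date
    on_time = pfd_avg(pfd_trajectory(lam, [], T))
    deferred = pfd_avg(pfd_trajectory(lam, [], T + 60 * 24))
    print(f"first-order lambda_DU*T/2 = {pfd_avg_first_order(lam, T):.2e}")
    print(f"on time: {on_time:.2e}; deferred 60 days: {deferred:.2e} "
          f"(+{100 * (deferred / on_time - 1):.0f} %)")
```

With these sample values a 60-day deferral raises PFDavg by roughly the same fraction as it lengthens the interval, which is the quantity the deferral review in 6.5.4 has to compare against the SRS target.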
6.5.5.4 Relationship of diagnostics to proof testing
Diagnostics help to reduce the number of undetected failures that can occur by alerting the
operating and maintenance personnel that repairs need to be made. In SIF, these diagnostics
should vote to initiate the safety action unless redundancy is provided to ensure the required SIL
is maintained. Diagnostics are used to identify specific failure modes of equipment. Diagnostics
are not a replacement for proof testing. When diagnostics detect degraded or complete failure,
repair or replacement occurs such that the equipment is returned to the as good as new
condition. Unlike a proof test, the diagnostics do not inspect for incipient conditions. Although
diagnostics are never a full replacement for routine inspections or proof tests, their benefits may
allow greater time intervals between complete proof tests while ensuring the required risk
reduction is provided.
6.5.5.5 Proof testing by demand
Trips related to process demands or manually initiated shutdowns can be treated as proof tests if
adequate verification is performed and documentation similar to a proof test is created after the
trip. To be considered a proof test, the following should occur:
confirmation the demand was not caused due to failure of the component to be tested
proper documentation
visual inspection of equipment being tested
confirmation of expected action of the equipment being tested
confirmation of functional requirements of the equipment being tested
pre-demand and post-demand status
Since the test will be reactive and unexpected, a robust system designed to track the trip and
document the cause should be in place in order to take credit for the demand as a test. The
required data for proper documentation also needs to be created, stored and retained. If the data
is gathered manually, resources (electronic and/or personnel) will be necessary during the
process interruption and this should be taken into account during trip response and start-up
activity planning. Before start-up, the affected SIS equipment should be visually inspected, along
with any auxiliary systems, with the same rigor as a planned proof test. Automated methods of
gathering the data are generally preferable because personnel are usually focused on returning
the process to a normal/safe operating state after an SIF demand. Detailed analysis of the data
can be performed at a later time by qualified personnel once start-up is complete.
Implementation of a system to take credit for a demand may not be appropriate for all
applications based upon the test interval and testing strategy of SIF at a location. For example, if
an SIF proof test interval was every three years and coincided with the plant shutdown/
turnaround schedule, there would be little benefit for taking credit for a proof test of the final
element if the trip occurred one year into the cycle. It may be more beneficial to design the SIF's
test interval through diagnostics and a robust architecture to meet or exceed the available testing
duration opportunity rather than developing a comprehensive system that can take credit for
demand trips. On the other hand, if the testing strategy consisted of small segments that could
be tested independently of a larger system or were needed to operate during the planned
turnaround, the benefit could be greater. An example would be an individual oil well or a cooling
/ heating system for a vessel with inventory.
Typically, demand tests are focused on final elements, since sensor and logic solver tests can be
performed on-line. However, this does not limit the potential for demonstrating a complete proof
test of SIF after a demand. The most important aspect is that the demand test generates data
and documentation equivalent to a planned proof test for the demand to be considered a proof
test (i.e., functional requirements incorporated into the equipment proof test and associated
pass/fail criteria should be demonstrated and appropriate evidence gathered during the demand).
Using the data gathered, it can be documented whether the final element passed or failed the
functional requirements. It is important to note that a final control element may be a part of
multiple SIF and so the data should be compared to its most stringent functional requirements.
Failure to pass a functional requirement should be viewed as a failed test and the proper
procedures followed to restore the functionality of the device.
6.6 Planning and performing bypasses
An SIF is considered bypassed when the output is intentionally prevented from acting to achieve
or maintain a safe state of the process. A bypass can occur if the signal is forced, terminal wiring
is jumpered, trip settings are such that the trip will not occur, valve is clamped, or
physical/logical bypasses are initiated. Start-up bypasses are sometimes required during plant
start-up due to the required SIF functionality, e.g., low flow cut-off for a pump. They are
sometimes necessary to allow maintenance or testing to be performed while the process is still
operational, reducing downtime required for testing thus improving process reliability. However,
bypassing SIF often means that the process equipment is less protected and more vulnerable to
a hazardous event should a process demand occur.
Bypasses increase the potential for systematic errors. SIF in bypass are not available to operate
when a process demand occurs, so bypass periods should be tracked and minimized. The use of
bypasses should be reviewed and approved under an MOC process that involves procedures,
administrative control, and access security provisions. Bypasses are considered acceptable, as
long as their use is controlled and the risk is properly managed.
When bypasses are initiated, the bypass may result in impairment of the function or in its
disablement. If the SIF is not fault tolerant, the bypass of a single device results in complete
loss, or disablement, of the SIF. If the SIF is fault tolerant, a single device in bypass does not
impair the SIF, but it often reduces the SIL of the SIF. For this reason, an analysis of the
increased risk during bypassing should be performed so that compensating measures can be
identified to address any increased risk.
If the bypass is implemented while the process is on-line, there is generally increased risk. A
bypass permit system is generally used to satisfy MOC requirements and to provide traceable
and auditable MOC documentation (See Annex K - Example bypass approval procedures). An
assessment should be performed to identify the conditions under which the risk can be safely
managed and the compensating measures that provide risk reduction equivalent to the degree of
system impairment. The bypass period should be limited to what is necessary to test or repair
SIS equipment.
The operator should be informed, by alarm or by procedure, when any part of an SIS is
bypassed. Some companies choose to send notifications to Operations supervision as well.
Bypass alarms should have ring-back functionality, where alarms are periodically repeated after shift
change to ensure acknowledgement that the SIS equipment is in bypass. Compensating measures
necessary to maintain safe operation when bypasses are active should be clearly identified and
documented in operating procedures.
Proof tests usually require bypassing SIS equipment. Bypass safe work practice requires the
documentation of the installation and removal of each bypass. Test procedures often include the
bypass permit requirements. Test procedures should specify for each bypass the approval and
confirmation of:
the activation of each bypass, force or override
the use of each bypass, such as approval to install, tracking bypass period, maximum bypass
time
the removal of each bypass, force, or override
6.7 Defining pass/fail criteria
It is repeatedly stated in this technical report that the mechanical integrity plan seeks to maintain
equipment in the as good as new condition, but what does that mean? Essentially, the installed
equipment must function in the operating environment as intended and support the risk reduction
necessary to meet the process hazards analysis requirements. The equipment is not as good as
new when the mechanical integrity records show increasing failure or wear out. Each piece of
equipment has failure modes that can be detected by observation, diagnostics or tests. These
failure modes can result in degraded conditions or complete failure of the equipment. Pass/fail
criteria determine when the failure mode results in the equipment not being capable of operating
as needed.
MI records document the acceptability of equipment operation. The as-found condition provides
evidence of the equipment operation at the initiation of the MI activities. If the as-found condition
meets the pass/fail criteria, the equipment is operating as intended and the equipment is said to
pass the inspection or test. Well defined pass/fail criteria ensures that the as-left condition
supports equipment that can be considered as good as new when returned to service. As an
example, the specified as-left tolerance for an instrument may be tighter than the pass/fail
criteria applied to the as-found reading, to allow for expected drift during the operating cycle. The
expectation is that as-left condition will support operation within specification until the next
scheduled proof test.
6.7.1 Identifying failure modes
Failure mode is defined as the observed manner of failure. Generally this observation involves
determining that some function of the equipment has been lost or that a degraded condition
exists. It is most convenient to think of a failure mode as a loss of a particular function provided
by the equipment. Most equipment has multiple functions, therefore most equipment has
several failure modes. With respect to SIF, these failure modes may be considered safe, i.e.
causes the process to be placed in a safe state, or dangerous, i.e. fails to operate when there is
a process demand. Whether a specific failure mode is safe or dangerous is highly dependent
upon the process and the SIS design. For instance, a transmitter does not know whether high or
low flow represents a hazardous condition. If the failure results in a high output on a low trip or
low output on a high trip, the failure is dangerous. Conversely, if the failure results in a high
output on a high trip or low output on a low trip, the failure is safe. Even with a switch contact,
safe and dangerous take on different meanings for energize-to-trip and de-energize-to-trip.
Where increased ventilation or fire water pumps are required, the switch failing open is
dangerous.
Once the failure modes for a specific application have been determined, improvements to both
safety and reliability can be gained if diagnostics coupled with appropriate architectures are
properly employed. Diagnostics help to reduce the number of undetected failures that can occur
by alerting the operating and maintenance personnel that repairs need to be made. It should be
recognized that diagnostics are themselves acting as protection for the equipment and may also
be prone to undetected failures. This propensity is dependent upon the particular diagnostic. Any
time that diagnostics are being used to enhance the SIS performance, they need to be
addressed and considered in the overall MI program.
An example of a complete listing of failure modes for a remote actuated valve is included in
Table 3.
Table 3 Remote actuated valve failure modes
Description
Complete failures
Fail to closed position
Fail to open position
Fail to close on demand
Fail to open on demand
Frozen position
Valve rupture
Seal/Packing blowout

Partial failures
Reduced capacity
Seat leakage
External leak
External leak - Body/Bonnet
External leak - Packing/Seal
Fugitive emission
Controlled variable high
Controlled variable low
Fail to hold position
Unstable control (hunting)
Responds too quickly
Responds too slowly
Excessive noise

Incipient conditions
Body cracked
Body eroded
Body corroded
Body material wrong
Guide fouled
Guide galled
Guide corroded
Guide worn
Stem fouled
Stem galled
Stem corroded
Stem bent
Stem worn
Seat fouled
Seat cut
Seat eroded
Seat corroded
Seat excessive wear
Seat (soft) embedded debris
Seat (soft) overheat evidence
Seat loading mechanism dysfunctional
Spring cracked
Spring corroded
Spring fatigued
Spring rubbing
Improperly installed
Excessive vibration
(Excerpted from CCPS PERD Remote Actuated Valve Taxonomy)
6.7.2 Defining as good as new
Once facilities are commissioned and placed into operation, equipment and systems begin to
wear out due to a variety of mechanisms. Like other facility equipment, SIS equipment is
maintained under the MI program. For SIS, a rigorous MI program, with the subsequent reliability
data collection and analysis, is necessary to ensure that the equipment is maintained in the as
good as new condition and meets the design functionality defined in the SRS. MI procedures
define the inspection, preventive maintenance and proof test activities necessary to assure the
equipment integrity and to determine when equipment requires replacement or upgrade. As
reliability data is captured and analyzed, inspection, preventive maintenance and proof test
procedure intervals may be adjusted. Inspection and preventive maintenance should be sufficient
to ensure equipment is not run to failure and to identify potential failures and to prevent
dangerous failure.
6.7.3 Detecting wear out
When wear out occurs, the SIS may not provide the expected level of protection. The lifecycle
assumes that equipment will be maintained in a manner that assures it remains in its useful life
where the failures occur on a random basis. Wear out can be identified by monitoring equipment
at a frequency that is sufficient to detect an increase in failures over time. When the number of
reported equipment failures trends upward, wear-out is a likely cause. An increased failure rate
would indicate that action should be taken to repair or replace the ageing equipment; otherwise
other means of protection should be implemented to address potential risk gaps. The mean time
between work orders or the frequency of diagnostic alarms can also be examined. A short mean
time between work orders or high diagnostic alarm rate would indicate wear out or some other
failure mechanism that requires further investigation and resolution.
6.7.4 Defining as-found/as-left
Most MI personnel recognize the need to document the results of the proof tests as they move
through the testing process. What is sometimes overlooked is to document the as-found/as-left
conditions. The as-found condition is the initial state of the equipment prior to any corrective
action or preventive maintenance activity. The as-left condition is the final state of the SIS
equipment after MI activities have been completed.
As-found information is critical to understanding the actual degradation or failure rate of the
equipment. For a successful test, it documents that the SIS equipment successfully achieved
design intent. As a general rule, if hardware must be repaired or replaced, or
settings/configuration must be changed, record the original state or value before making the
change. When the as-found condition does not meet the design intent, corrective action should
be taken and previous MI history should be reviewed to see if the problem has occurred
previously. If so, a root cause analysis should be conducted so that changes to the design or MI
plan can be identified to reduce the likelihood of re-occurrence.
The as-left condition should indicate that the equipment is in its as good as new condition and
ready to return to service. Documenting the as-left information serves several purposes. It
formally records the state that the SIS equipment was left in after testing. When the SIS
equipment is being returned to service, this documentation provides a good crosscheck against
the as-found information to verify that SIS equipment is operating as required.
Examples of typical forms used to document as-found/as-left are included in Annexes E
through H.
6.7.5 MI documentation
As part of the MI program within process safety management, regulatory agencies require as-found/as-left
conditions to be documented as part of any inspection or test in accordance with
written procedures. The following information generally represents the minimum information
required for SIFs and systems:
date of inspection or test
name of the person who performed the inspection or test
serial number or other identifier of the equipment on which the inspection or test was
performed
description of the inspection or test performed
inspection / test results prior to any maintenance activity being performed whatsoever
documentation of work performed (if any)
test result following any maintenance activity
While required by regulatory agencies, the intent of this documentation from a lifecycle
perspective is as follows:
provide information for measuring and tracking performance (refer to ISA-TR84.00.03, 5.6)
support prior use analysis of installed equipment (refer to ISA-TR84.00.04-1 Annex L)
support estimation of the equipment failure rate and probability of failure on demand (refer to
ISA-TR84.00.02)
identify systematic/common cause problems that should be minimized through management
system activities or taken into account in the SIL verification calculation (refer to ISA-
TR84.00.02)
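The following is an added example, not a form or tool from ISA-TR84.00.03, showing how the minimum MI record fields of 6.7.5 can be screened for the as-found/as-left decision rule of 6.7.4 and the mean time between work orders check of 6.7.3. The records, tag names and the 180-day threshold are constructed for illustration.

```python
"""Added example (not part of ISA-TR84.00.03): screening MI records for the
as-found/as-left rule (6.7.4) and the work-order-frequency check (6.7.3).
All records, tags and thresholds below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MIRecord:
    """Minimum information for an inspection or test record (6.7.5)."""
    test_date: date
    technician: str            # person who performed the inspection or test
    equipment_id: str          # serial number or other identifier
    description: str           # inspection or test performed
    as_found_pass: bool        # result prior to any maintenance activity
    work_performed: str        # "" when no maintenance work was performed
    as_left_pass: bool         # result following any maintenance activity


def review_latest(records: List[MIRecord], equipment_id: str) -> Dict[str, object]:
    """Apply the 6.7.4 decision rule to the most recent record of one device:
    an as-found failure needs corrective action; an as-found failure that has
    occurred before needs a root cause analysis; the as-left result must pass
    before the device is returned to service."""
    history = sorted((r for r in records if r.equipment_id == equipment_id),
                     key=lambda r: r.test_date)
    if not history:
        raise ValueError(f"no MI history for {equipment_id}")
    latest, earlier = history[-1], history[:-1]
    prior_failures = [r.test_date for r in earlier if not r.as_found_pass]
    return {
        "equipment_id": equipment_id,
        "corrective_action_required": not latest.as_found_pass,
        "root_cause_analysis": (not latest.as_found_pass) and bool(prior_failures),
        "prior_as_found_failures": prior_failures,
        "ready_for_service": latest.as_left_pass,
    }


def mean_days_between_work_orders(records: List[MIRecord],
                                  equipment_id: str) -> Optional[float]:
    """Mean interval, in days, between records on which maintenance work was
    performed. None when fewer than two work orders exist."""
    dates = sorted(r.test_date for r in records
                   if r.equipment_id == equipment_id and r.work_performed)
    if len(dates) < 2:
        return None
    gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    return sum(gaps) / len(gaps)


def flag_wear_out(records: List[MIRecord], equipment_id: str,
                  min_mean_days: float = 180.0) -> bool:
    """Flag a device whose work orders recur faster than the assumed threshold
    (6.7.3: a short mean time between work orders indicates wear-out or
    another failure mechanism needing investigation)."""
    mtbwo = mean_days_between_work_orders(records, equipment_id)
    return mtbwo is not None and mtbwo < min_mean_days


# Constructed sample history for two hypothetical tags.
SAMPLE_RECORDS = [
    MIRecord(date(2010, 3, 1), "J. Smith", "PT-101", "proof test", True, "", True),
    MIRecord(date(2011, 3, 3), "J. Smith", "PT-101", "proof test", False,
             "replaced sensor module", True),
    MIRecord(date(2011, 7, 12), "A. Lee", "PT-101", "diagnostic alarm follow-up", False,
             "re-terminated wiring", True),
    MIRecord(date(2011, 10, 1), "A. Lee", "PT-101", "diagnostic alarm follow-up", False,
             "replaced sensor module", True),
    MIRecord(date(2011, 3, 3), "J. Smith", "XV-201", "valve stroke test", True, "", True),
    MIRecord(date(2012, 3, 2), "J. Smith", "XV-201", "valve stroke test", True, "", True),
]

if __name__ == "__main__":
    for tag in ("PT-101", "XV-201"):
        print(review_latest(SAMPLE_RECORDS, tag))
        print(tag, "mean days between work orders:",
              mean_days_between_work_orders(SAMPLE_RECORDS, tag),
              "wear-out flag:", flag_wear_out(SAMPLE_RECORDS, tag))
```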
6.8 Developing validation plan and procedures
Process Control, Operations, Design Engineering, and Maintenance personnel are involved in
developing the validation plan and procedures. SIF validation (sometimes referred to as a Site
Acceptance Test SAT) is intended to demonstrate through inspection and functional testing that
the SIF meets all aspects of the SRS as installed before starting any operation of the process
equipment for production purposes. Validation provides proof that the SIS, including those
utilities and diagnostics required for the system or function to perform as required, meets the
SRS intent, is installed in accordance with construction, installation and detailed engineering
requirements, and is ready for process equipment start-up. It is generally witnessed by process
control and production (or manufacturing) representatives. Although validation is often
considered an inherent part of the project implementation and construction phases, this activity
also provides an opportunity for facility personnel to become familiar with the operation of SIS
equipment and its actions prior to the facility commencing full operation.
SIF validation can only be performed after all mechanical, electrical, instrument, SIS and
supporting utilities have been installed. Validation or functional test of the SIF is performed by
simulating the process and watching for the proper response of the logic solver and field
equipment. The validation is a whole loop test using the actual field sensors, logic solvers and
final elements (e.g., pressure transmitters, block valves, pumps, air supplies, etc.). It is normally
performed once unless there is a fundamental change to the process design or significant
modification of the SIS.
Validation completion establishes the date from which individual SIS equipment or segment proof
tests are scheduled. Validation records provide the baseline for subsequent revalidations or
proof tests. As such, strict adherence to the testing protocols is required, with appropriate
supervision and signature approval to confirm that the system is complete and ready to operate.
Any deviations need to be managed according to a validation plan.
6.8.1 Validation plan development
A successful SIF validation is the culmination of many related steps throughout a project process.
A validation plan ensures these steps are completed as required. The validation plan should
identify the related steps and step execution timing, outlining the required resources, the
expected level of involvement of each participant, the protocol to be followed during the
inspection or test, the order in which the SIS or SIF segments are to be tested, and the scope of
each test. The plan should also define how and to whom failures should be reported, as well as
how they will be resolved. Annex L (Example validation plan) provides an example of a
validation plan.
To support any validation plan development, it is necessary to have the safety requirement
specification and detailed design information, including but not limited to:
instrument specification sheets,
logic flow diagrams or Boolean drawings for application program testing,
cause and effect matrices and loop drawings for maintenance troubleshooting, and
SIF I/O and set point list.
This information should be consistent and accurate, and one set of documentation should be
considered as master for validation execution.
It is also necessary to have inspection procedures, test procedures and pass/fail criteria
documented for each activity. Annexes E through I give specific examples for each activity.
When planning site validation, it is essential that the discrete activities do not undo previous
work. A test should not be negated by subsequent alterations due to construction, commissioning
or other activities that follow completion of the test. Deficiencies found during the
commissioning / loop check phase should be repaired prior to the start of validation. This
reduces the potential for unforeseen delays during the validation execution.
6.9 Developing Factory Acceptance Test (FAT), commissioning, and Site Acceptance Test
(SAT) procedures
Engineering, Construction, and Maintenance personnel have significant roles and responsibilities
in executing the FAT, commissioning the SIS, and conducting validation (SAT). These activities
should be conducted in a logical and organized manner to minimize the probability of human
error or equipment damage and to ensure rigorous testing and validation is completed.
6.9.1 Factory Acceptance Test
An FAT is not required by IEC 61511-1 Clause 13, which is the only informative clause in Part 1.
The FAT may be conducted for any portion of an SIF or on the entire SIS, and it may rely on
simulated inputs using switches and analog dials or simulation software. The user may elect to
only perform the Site Acceptance Test. In general, FATs are conducted on vendor-packaged
systems, hardwired panels, and PE logic solvers. An FAT is routinely performed for
programmable electronic (PE) systems, where it may involve an integrated test of the SIS logic
solver and the BPCS. The FAT verifies the ability of the BPCS to communicate with the SIS logic
solver, its communication security, and its ability to meet the SRS. Additionally, PE hardware,
firmware, and application program may be tested before installation and commissioning in the
field.
An FAT is a test performed in a controlled setting, usually at the manufacturer, integrator, or
engineering contractor location. The FAT is a series of tests performed by the system supplier,
as required by the customer, to ensure the system meets design specifications and was built with
the required integrity. The FAT verifies that the supplier is providing SIS equipment that functions
according to the SRS, the application program specification where applicable, and other
contracted documents. During the FAT, the owner/operator is generally an observer.
Some manufacturers and users may wish to break the FAT into phases or distinct tests
performed at different times. Some typical FAT phases are:
1) Hardware Factory Acceptance Test (HWFAT) is the test of SIS equipment, panels, I/O, power
supplies, panel grounding and related equipment at the supplier's facility to ensure that the
SIS equipment has been installed and wired according to specification and that there are no
faulty devices. Fault injection testing on the hardware can also be performed at this time to
ensure proper operation with respect to redundancy and safe failure modes. Depending on
system architecture and capabilities, the final software configuration may or may not need to
be configured in the logic solver. This type of test is advantageous for systems that are
capable of testing the hardware and software independently of each other: the hardware
can be tested earlier in the project lifecycle and delivered to the field earlier, potentially
shortening the construction schedule. This concept is not unique to SIS and can also pertain to
the BPCS.
2) Application Program Factory Acceptance Test (APFAT) is the formal testing of the
configuration in the SIS to ensure that it conforms to the SRS, cause and effect or logic
narrative. Trips, resets, alarms, bypasses as well as graphics and all modes of operation are
tested. Fault injection testing, voter degradation and other items described in the SRS are
tested. This may be done using physical devices to simulate field I/O or software simulation
techniques depending on the capabilities of the system. The advantage of this type of test is
that it allows the application program configuration to be independent of the project
hardware and can typically be performed later in the project lifecycle, allowing for more complete
definition. This concept is not unique to SIS and can also pertain to the BPCS.
3) Integrated Factory Acceptance Test (IFAT) is the formal testing of the SIS and BPCS
simultaneously so that combined actions result in the desired safe automation of the process
facility. This test may or may not require all or part of the SIS and BPCS hardware to be
present depending on system(s) capability. An SIS may have secondary non-safety actions or
trips performed in the BPCS to aid Operations in restarting the unit after a trip. For example, a
typical action may be placing a control loop in manual and moving the control valve to the safe
state upon the trip of an SIF. Another example would be ensuring the BPCS cannot move its
control valve when the SIS has final control of the device. This test is performed prior to the
configuration being installed in the field. The advantage of this type of testing is to expedite
field commissioning by minimizing configuration errors.
The above FAT phases are typically conducted wherever there are more resources available to
rigorously test and correct operational issues if needed. Performing the work at the factory
generally provides an economic benefit to the project in terms of scheduling and less rework in
the field, which is more costly. The four (4) main objectives of the FAT are stated in Table 4.
Each objective is further divided into specific goals that should be considered in developing the
FAT procedure.

Table 4 FAT objectives and associated goals

Objective / Goals (Goal-1 to Goal-4)

(1) Supplier site hardware and system checkout, sometimes referred to as the HWFAT
Goals:
Verify supplier tests were completed.
Test and verify all SIS equipment/components before field installation.
Establish a basis in case problems/defects show up in field.
Minimize product defects and manufacturing errors.
Reduce start-up and commissioning time.
Ensure system will perform its safety shutdown functions on demand.

(2) SIS configuration checkout, sometimes referred to as the SWFAT
Goals:
Test and verify all design and SIS configuration work before field start-up/commissioning.
Ensure that Engineering Support and Operations personnel agree that the SIS configuration meets
the application requirements.
Reduce start-up and commissioning time.

(3) "Open" SIS, sometimes referred to as the IFAT
Goals:
Prove that there are no compatibility issues with the integration of the SIS with non-SIS
supplier-specific hardware or application programs.
Test the performance of the SIS and all non-SIS supplier-specific hardware and application
programs in their control environment.
Test and verify all SIS equipment/components before field installation.
Establish a basis in case problems/defects show up in field.

(4) Training
Goals:
Train operating and support personnel before field installation.
Train key operating personnel before start-up and commissioning.
Reduce start-up and commissioning time.

The tests listed below can be a specific sub-set of the supplier's standard tests. These tests are
not intended to eliminate any of the supplier's standard tests, but to specifically highlight typical
tests conducted as part of an FAT.
inventory the hardware items in the system, point out any discrepancies at the start of
staging, and find out when these items will arrive. The FAT should only be conducted if a fully
functional system can be tested. Verify all the items purchased function properly including
each type of I/O card, HMI equipment, and other items such as printers. After the FAT is
successfully completed and accepted, the owner/operator periodically performs hardware and
application program testing.
physically inspect the hardware. Inventory and system layout must be checked based on the
specification. The I/O wiring and layout should be checked. The HMI and related system
hardware integration should also be inspected.
validate communications through the various levels of the SIS to the HMI. The following need
to be checked for integrity:
  internal logic solver communication
  I/O module to logic solver communication
  intra-module communication network
  logic solver network to HMI network server communications
HMI network communications (such as Ethernet)
printers
modems
when a historian is included in the scope, communication to historical data logger needs to
be confirmed, as well as proper communication with redundancy failure for any of the above
communication protocols that are implemented with redundancy.
proper operation of power supplies should be validated as well as the distribution wiring. The
following needs to be checked for integrity:
module power supply
I/O power supply
proper I/O card failure
proper control card failure
logic solver battery power backup
I/O module redundancy
SIS grounding integrity
for an instrumented system that has segregated safety layers, it is necessary to inspect, test
out, and verify that module power and I/O power are installed in accordance with the
requirements as documented in the equipment safety manual.
for I/O power supply that does not have a built-in system alarm on loss of power, confirm
external signal wiring (e.g., as 24 VDC discrete input or voltage input) into the control system
and verify the alarm.
perform an SIS hardware and operating system software check versus SRS to the extent
necessary to prove correct functionality. I/O channels need to be tested with proper
simulation panels and equipment. The I/O test needs to be conducted with signal generators
and original termination units in place.
special attention needs to be given to observing and recording events or discrepancies in the
area of system reliability and designed redundancy functions. If any system component
failure does not generate automatic failure reporting to the operator, it needs to be recorded
and resolved with the assistance from the supplier. If proper "fail-over" to the backup
component does not occur automatically within a designed redundancy, a discrepancy report
with proper punch listing needs to be documented for a root-cause analysis and final
resolution.
proper operation of the HMI and Engineering Work Station (EWS) needs to be confirmed. The
EWS is defined as the main configuration station that has application program & I/O
configuration capability. Occasionally, the EWS also has HMI console capability.
Site Integration Test (SIT) is the formal testing of the ability of the SIS and BPCS to properly
communicate with each other once those systems have been installed in the field. It can also
include any third party systems that need to interface with the BPCS.
6.9.2 Installation and commissioning
After the SIS equipment is delivered to the site and has been installed, it needs to undergo the
appropriate inspection and commissioning processes before validation (or Site Acceptance Test)
can be completed. Figure 8 provides an illustration of the conceptual work process.
Typically, physical inspection is the first task to be performed once an instrument is turned over
from construction. Physical inspections need to be documented to provide evidence of what was
checked and whether the device passed or failed. It is recommended that field inspection reports
be filled out for every piece of instrumentation. Failed equipment needs to be repaired or
replaced before proceeding to commissioning. Physical inspections need to be performed prior to
commissioning as improper physical installation may require removal or alteration of the
instrument and therefore would require re-commissioning the instrument. In some cases,
physical inspections may be performed on skidded equipment while still at the supplier's site if
appropriate. Physical inspections done at supplier sites should be spot checked once
permanently installed at site to ensure no damage was done during transportation.
Commissioning is intended to ensure the wiring is landed on the proper termination point and to
verify the overall integrity of the loop from field device, through I/O modules, logic solver, and to
the HMI operator console displays as well as the final elements. Commissioning activities
include:
all hardware properly installed according to manufacturer's requirements
check of all installed hardware according to system drawings
proper installation of computers/workstations
check of all diagnostic systems statistics
routing of cables and wires verified for proper AC/DC segregation
ensuring all cables and wires are properly supported
ensuring all cable connectors are secure and relieved of stress
ensure wiring is landed on the proper termination and verify overall wiring loop integrity for all
field instrumentation
verify proper crimping and perform a tightness check
verify proper instrument range by use of a calibration check (field check)
verify proper labeling and identification as SIS equipment
verify engineering units, tag name, and diagnostics, etc. of each instrument according to
specification
verify SIS input range is in agreement with field instrumentation and specification
verify and confirm proper operation of the instruments, sensors and final elements according
to supplier and specifications
verify proper installation of air supplies
verify proper grounding by visual inspection and perform grounding test
verify proper freeze protection
verification that HMI system network topology is installed according to design drawings
verification of security settings for field and SIS devices (e.g., password protection or
jumpers)
The emergency back-up power (e.g., uninterruptible power supply (UPS), battery banks, auxiliary
generation, transfer switch, etc.) should be fully tested to confirm that it will:
provide adequate bumpless power to all appropriate devices
prevent loss of critical data parameters
retain the SIS application program
provide adequate time for the operating personnel to place the facility in a safe mode in case
of extended power interruptions
UPS circuit labeling should be checked for correctness so as not to place any undue load on the UPS
from non-critical devices being plugged into UPS outlets.
Backup generator systems should be tested to work in conjunction with the UPS system to
provide adequate power coverage.
All backup power systems should be verified to provide appropriate alarms and diagnostics. The
interfaces between the SIS and the back-up power systems need to be functionally checked to
the greatest extent possible. Functionality tests should be initiated at the back-up power system
while observing proper operation of the SIS. It is not acceptable to lift interface wires. The goal is
to test the system as a whole to the greatest extent possible.
The piping and instrumentation diagrams (P&IDs) or cable/instrument schedules can be used as
a record of equipment checked. Proper documentation of commissioning should be stored on a
loop-by-loop basis and become a permanent record at the site.
6.9.3 Validation completion (Site Acceptance Test)
Validation can be completed once the SIS equipment installation, inspection and commissioning
is confirmed. Validation is sometimes referred to as the Site Acceptance Test (SAT). Validation
demonstrates that all installed SIS equipment fully meets the SRS. In executing validation,
emphasis should be on completing the functional testing of each SIF to demonstrate its operation
according to the SRS, not on correcting deficiencies. It is expected that most, if not all,
deficiencies have been identified during earlier verification activities, such as the FAT, field
equipment installation, inspection, commissioning and loop checks. If these earlier verification
activities are thoroughly performed, validation should progress smoothly and on schedule.
When the scope of functional testing of each SIF is determined for inclusion in the Validation,
consideration should be given to logical testing already performed during the FAT. Each SIF
should be proven to be functional regardless of the FAT; however, extensive testing of all
possible combinations of voting conditions that can activate a SIF may not be necessary as part
of the Validation if there is good documentation in place that records the testing results of the
relevant logical configurations during the FAT AND effective MOC of the logic solver
configuration can be demonstrated from the time that the FAT was completed.
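As an added illustration of the scoping rule above (not part of ISA-TR84.00.03 or any logic solver's test tooling), the following code enumerates the voting-combination test matrix for one SIF, including degraded voting states, and keeps the full matrix for validation unless FAT results are documented and MOC has been effective since the FAT. The 2oo3 voter, its degradation policy and the reduced validation scope are assumptions; the SRS defines the real ones.

```python
"""Added example, not part of ISA-TR84.00.03: enumerate the voting-condition
test matrix of one SIF (the "all possible combinations of voting conditions"
of 6.9.3) and decide how much of it must be repeated at validation.
The MooN voter, its degradation policy and the reduced scope are assumptions."""
from itertools import product
from typing import List, NamedTuple, Tuple


class VoteCase(NamedTuple):
    faulted_channels: int        # channels removed from the vote by a detected fault
    effective_vote: str          # voting in force for this case, e.g. "2oo3" or "1oo2"
    demands: Tuple[bool, ...]    # trip demand present on each remaining healthy channel
    expected_trip: bool          # pass/fail criterion: must the SIF trip?


def moon_trip(demands: Tuple[bool, ...], m: int) -> bool:
    """M-out-of-N voter: trip when at least m of the healthy channels demand it."""
    return sum(demands) >= m


def degraded_vote(m: int, n: int, faulted: int) -> Tuple[int, int]:
    """Assumed degradation policy: each detected channel fault removes that channel
    and lowers M by one (2oo3 -> 1oo2 -> 1oo1), never below 1ooN.
    Returns (effective_m, healthy_channels)."""
    if not 0 <= faulted < n:
        raise ValueError("faulted channels must leave at least one healthy channel")
    healthy = n - faulted
    return max(1, m - faulted), healthy


def voting_test_matrix(m: int, n: int) -> List[VoteCase]:
    """Full matrix: every demand pattern on the healthy channels, for every
    degradation state, each carrying its expected (pass/fail) outcome."""
    cases: List[VoteCase] = []
    for faulted in range(n):
        eff_m, healthy = degraded_vote(m, n, faulted)
        for demands in product((False, True), repeat=healthy):
            cases.append(VoteCase(faulted, f"{eff_m}oo{healthy}", demands,
                                  moon_trip(demands, eff_m)))
    return cases


def validation_scope(matrix: List[VoteCase], fat_results_documented: bool,
                     moc_effective_since_fat: bool) -> List[VoteCase]:
    """6.9.3 rule: the full matrix is repeated at validation unless FAT results
    are documented AND MOC of the logic solver configuration has been effective
    since the FAT. Each SIF must still be proven functional, so the reduced
    scope (an assumption) keeps, per degradation state, the no-demand case
    (must not trip) and the minimum-demand case (must trip)."""
    if not (fat_results_documented and moc_effective_since_fat):
        return list(matrix)
    reduced: List[VoteCase] = []
    for case in matrix:
        eff_m = int(case.effective_vote.split("oo")[0])
        healthy = len(case.demands)
        minimum_demand = tuple(i < eff_m for i in range(healthy))
        if not any(case.demands) or case.demands == minimum_demand:
            reduced.append(case)
    return reduced


if __name__ == "__main__":
    full = voting_test_matrix(2, 3)   # assumed 2oo3 sensor arrangement
    print(f"full matrix: {len(full)} cases, "
          f"{sum(c.expected_trip for c in full)} of which must trip")
    for case in validation_scope(full, True, True):
        print(case)
```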
The overall project plan should include the SIS design and construction activities impacting on-
site validation requirements. These activities include:
Factory Acceptance Test
SIS equipment installation and commissioning
Various aspects of the SIS should be tested and confirmed as a part of validation, including but
not limited to the following:
set points and ranges,
status of sensors and final elements,
operator interface,
diagnostic indications, such as out of bounds, deviation, or not in commanded state,
indication of any automated logic changes, such as voting degradation or fault handling,
indication of where the process is in its sequence, if applicable,
indication that an SIF has taken action,
indication of SIF bypass,
operation of manual shutdown facilities,
operation of resets,
indication of SIS support system loss,
failure of environmental conditioning equipment, which supports the SIS,
response time, and
criticality requirements, such as valve shutoff tightness and closure speed.
All auxiliary systems associated with the SIS need to be checked with the appropriate rigor and
thoroughness. Examples of auxiliary systems are:
controls or control systems external to the main SIS
Foreign Device Interfaces between the SIS and an external party
stand alone historian data collecting devices
billing systems either internal to the logic solver or external systems
callout systems for unmanned plants
remote access
remote control
The interfaces between the SIS and the auxiliary systems must be proof tested to the greatest
extent possible. Proof tests should be initiated at the auxiliary system while observing proper
operation of auxiliary system and the SIS inputs and responses. It is not acceptable to lift
interface wires. The goal is to test the system as a whole to the greatest extent possible.
Testing should be performed to confirm the design intent of the auxiliary system failure modes and
of the failure modes of the interface signals to the SIS. Normally these auxiliary systems and
interfaces are designed to fail safe. Testing for fail-safe functionality may include loss of power,
loss of instrument air, loss of communications, loss of interface wiring, etc.
The outcome of a successful validation provides an auditable documentation trail, which proves
that the designed and constructed SIS operates according to the SRS and equipment
specification. Discrepancies identified during validation should be corrected and tracked to
completion. Documentation should incorporate signoff sheets identifying the personnel who
conducted tests or served as verifiers for various work activities.
When the SIS is approved for service, site safety, permitting, and facility management of change
procedures for in-service systems will apply. Validation approval indicates that necessary parties
agree that the SIS operates as required in the operating environment and is ready for the
process unit startup. Documentation should include a formal notice of turnover to the site
management.
Note that completion of the SIS validation does not approve the SIS for handover to Operations
on its own. A Stage 3 Functional Safety Assessment and a Pre-Startup Safety Review are
required to be completed prior to handover.

The following roles and responsibilities relating to SIS validation are listed as a recommendation
for its completion.

Table 5 Validation roles and responsibilities

SIS Specialist/Engineer
Responsibility: Overall responsibility for planning and executing the SIS validation and ensuring
that it is completed with appropriate documented results.
Qualifications: Sufficient experience and training in working on SIS related projects/equipment.
Possesses a detailed understanding of ANSI/ISA-84.00.01-2004 (IEC 61511 MOD).

Construction or Maintenance Supervision/Technician
Responsibility: Represent the owner of the SIS in confirming that all validation activities are
effectively carried out.
Qualifications: Sufficient experience and training in working on SIS related projects/equipment.
Possesses a working understanding of ANSI/ISA-84.00.01-2004 (IEC 61511 MOD).

Independent Reviewer
Responsibility: Performing a peer review along with the SIS engineer to make a general judgment
that the validation plan is appropriate, and that the evidence of completion provided is sufficient.
Qualifications: Sufficient experience and training in working in a related job role
(Instrumentation, Process, and Process Safety Management). Possesses an awareness of
ANSI/ISA-84.00.01-2004 (IEC 61511 MOD). Independent of the project team and should have had no
involvement in its execution.

Management Team Representative
Responsibility: Approval of the individuals that will be performing the above three roles as they
relate to this specific project. This approval is to confirm that these individuals have sufficient
experience and professional standing in order to undertake these responsibilities.
Qualifications: Sufficient experience in the industry. Possesses a basic awareness of
ANSI/ISA-84.00.01-2004 (IEC 61511 MOD).
Figure 8 Validation flowchart
(Flowchart not reproduced in text. Its labels are: Utilities, BPCS / SIS, Instruments; Inspection,
Loop Check and Commissioning; Validation; Functional Safety Assessment Stage 3 Prior to Start Up.
Its boxes are: Visual Inspection of Devices; Control/Safety System Visual Inspection; Loop Checking;
Instrument Air; Normal Power Checkout; Checkout of Auxiliary Systems (FDI, Historian); Redundancy
and I/O Segregation checkout; Backup/Redundant Power Checkout (UPS, diesel generator); Functional
Checkout of Control Logic; Functional Checkout of Shutdown Logic; Functional Checkout of Auxiliary
Systems; Validation of: SIS, Each SIF, Essential diagnostic alarms, Non-safety critical interlocks,
Process alarms; Site Acceptance Test (SAT); System Ready For Start Up.)
7 References
Health and Safety Executive, Findings from Voluntary Reporting of Loss of Containment
Incidents 2004/2005, Hazardous Installations Directorate, Chemical Industries Division, St
Annes House, Bootle, UK, 2005.
ANSI/FCI 70-2-2006, Control Valve Seat Leakage.
ANSI/ISA-84.00.01-2004 (IEC 61511 Modified), Functional Safety: Safety Instrumented Systems
for the Process Industry Sector, www.isa.org.
API 598, Valve Inspection and Testing, Ninth Edition, American Petroleum Institute, 2009.
CCPS Process Equipment Reliability Database (PERD), American Institute of Chemical
Engineers, Center for Chemical Process Safety.
IEC 60534-4, Industrial Process Control Valves, Part 4: Inspection and Routine Testing.
ANSI/ISA-84.91.01-2012, Identification and Mechanical Integrity of Safety Controls, Alarms, and
Interlocks in the Process Industry, Research Triangle Park, NC, www.isa.org.
ISA-TR84.00.02-2002, Parts 1-5, Safety Instrumented Functions (SIF) Safety Integrity Level
(SIL) Evaluation Techniques Package, www.isa.org.
ISA-TR84.00.03-2002, Guidance for Testing of Process Sector Safety Instrumented Functions
(SIF) Implemented as or Within Safety Instrumented Systems (SIS), www.isa.org.
ISA-TR84.00.04-2011, Guidelines on the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511
Modified), Research Triangle Park, NC (2006), www.isa.org.
NAMUR NE 43, Standardization of the Signal Level for the Breakdown Information of Digital
Transmitters.
NFPA 86, Ovens and Furnaces, National Fire Protection Association, 2003 Edition.
NFPA 70E, Standard for Electrical Safety in the Workplace, National Fire Protection Association,
2012 Edition.
Annex A Example training documentation
SIS related training should be part of an individual's comprehensive training plan and should be
tracked through an operating facility's training documentation and management system as shown
in Figure A.1 below. The first document shows how one company documents the training in an
electronic database to track the training of each individual. The second example shows a
checklist used for performing and documenting the training. The checklist identifies the training
required, and as the trainee completes the training a trainer signs off that the tasks have been
completed.

Form A.1
Form A.2 Training documentation and process
The following NOTES apply to all tasks.
1. Circling perform or simulate [P, S] must indicate the method of accomplishment for each skills demonstration. Skill
demonstrations that are provided with a [P] only must be performed.
2. Initialing a task certifies the person for INDEPENDENT operation.
3. The person initialing the successful completion of the knowledge requirements must be a qualified craft technician,
supervisor or other knowledgeable personnel.

TASK #   TASK STATEMENT   REFERENCE   (P/S)   INIT

TASK 1   DRAW the following instrument symbols:
         a) Pneumatic signal lines
         b) Electrical/electronic signal lines
         c) Control room mounted instrument/field mounted instrument
         P/S
TASK 2   DRAW a closed loop flow control system naming the components and showing proper
         symbols for each component
         P/S
TASK 3   CALIBRATE a pneumatic controller that has proportional plus reset action
         P/S
TASK 4   CALIBRATE a magnetic flow transmitter
         P/S
TASK 5   CALIBRATE/ADJUST/REPAIR a Varec
         P/S
TASK 6   CALIBRATE/ADJUST/REPAIR an interface level
         P/S
TASK 7   CALIBRATE/ADJUST/REPAIR a level transmitter loop
         P/S
TASK 8   CALIBRATE a SMART transmitter
         P/S
TASK 9   PERFORM the following to the SIS PLC system:
         EXPLAIN the purpose
         STATE the inputs and outputs of the SIS PLC system
         Using the PLC operating instructions, ACCESS data in PLC to determine the source of a problem
         IDENTIFY and REPLACE failed board
         COPY error codes and fault details to diskette
         PERFORM functional checkout
         P/S
TASK 10  CALIBRATE the following transmitters:
         Differential pressure
         Pressure
         P/S
TASK 11  PERFORM an SIS bypass
         P/S
TASK 12  COMPLETE bypass authorization form
         EXPLAIN the different levels for bypass approvals
         STATE location of an active SIS bypass form
         STATE the location of a completed (inactive) bypass form
         Using corporate SIS document as a reference, STATE the acceptable reasons for bypassing an SIS
         P/S
TASK 13  PERFORM the following SIS valve performance tests
         TIMING TEST
         BUBBLE TEST
         FUNCTIONAL TEST (what is the content of this test?)
         EXPLAIN the purpose of each of the above tests
         STATE the location of the test sheets
         Using a test sheet, EXPLAIN the performance parameters for the respective test
         P/S


1st Attempt


2nd Attempt


3rd Attempt

______________________ / ________
Evaluator Date
Trainee has successfully completed all
performance evaluation requirements, and is
approved to perform this task INDEPENDENTLY.

______________________ / ________
Trainee Date
Annex B Example demand logs
A demand occurs when a process deviation results in the need for the SIS to take action to
achieve or maintain a safe state. Demands should be recorded and tracked so that their
frequency can be compared to the assumptions in the process hazards analysis. Repeated
demands often indicate a reliability problem with SIS or operating procedures. Repeated
demands should be investigated and actions taken to reduce the frequency where possible. This
annex provides examples of demand logs. Users may develop other log sheets or reports
incorporating similar information or use other forms of documentation to record and track
demands.
Form B.1 Demand log
Facility ______________________
Plant ______________________
SIF ID # (e.g., loop number or description) ____________________
Demand start date: _____________ Start time: _____________
Demand end date: ______________ End time: _____________
SIS type involved: (Circle applicable type)
Shutdown Go to (1)
Permissive Go to (2)
Auto-Start Go to (3)

1) Shutdown info
Did shutdown function? Yes No (Circle one)
Did process variable reach or exceed setpoint? Yes No (Circle one)
Comments:


2) Permissive info
Did permissive function correctly? Yes No (Circle one)
If no, circle one of the following:
Permissive failed to prevent unsafe state
Permissive spuriously initiated action
Comments:


3) Auto-start info
Was system supposed to start? Yes No (Circle one)
Did system start? Yes No (Circle one)
Did system start on first attempt? Yes No N/A (Circle one)
Did system start within defined time criteria? Yes No N/A (Circle one)
Comments:






Form B.2 Demand log
Distribution list:
SIS Specialist:
Operations Manager:

Operator | Date and Time of Event | Instrument Loop Number(s) | Service | Process Area | Sub-Area | Batch No | Initiating Event | Comments
(blank rows for entries)

Example

Operator | Date and Time of Event | Instrument Loop Number(s) | Service | Process Area | Sub-Area | Batch No | Initiating Event | Comments
John Doe | 8/21/2007 14:08 | 206LSLL and 207LSLL | Boiler #1 Steam Drum Low Level Switches | Power House | Boiler #1 | N/A | While swapping boiler #1 to boiler #2 operator lined up the wrong blowdown valve which dropped the level in boiler #1 causing trip | See Data Historian and SOE Log for 8/21/2007

Form B.3 Trip investigation report
Distribution list:
SIS Specialist:
Operations Manager:



SIF tag number or loop ID: Plant ID:
SIF description:
(If there is a documented SRS provide document reference)
Process demand Spurious trip
(Was there a process excursion or was it a spurious SIF failure?)
Date/Time:
Classification: ______Safety ______Environmental _____ Asset Protection
Trip caused by: Check all that apply
Process upset Wind
Control failure Ground movement
Operator error Loss of containment detection
Equipment failure Fire
Lightning Explosion
(What caused the process to shutdown or to be interrupted?)
Did all of the SIS equipment operate as designed? yes no
If no, fill out a failure report for any equipment that did not function properly.
Plant restart Date/Time
Estimate cost of the trip based on business interruption or lost production:

Estimate equipment damage costs:
If trip was due to failed equipment, has a failure report been completed? yes no
Considering the impact of the trip, are there any recommendations to prevent future occurrence?
Information used in analysis:
(Attach DCS trends, alarm journals, first out, sequence of events logs, manufacturer failure reports)
Comments:
Assessment led by: Date:
(Process Automation/Control System Engineer)
Form B.4 shows how the individual demand reports in B.1 through B.3 can be summarized for
reporting to the management team.
Form B.4 SIF demand report
This form is to be maintained by the Process Automation/Control System Engineer or SIS Specialist.
Report time period From: __________ To: __________
SIF ID# | Number of trips | Actual demands (process issue) | Spurious events (reliability issue) | Remarks
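The roll-up that Form B.4 asks for can be produced from the individual trip records, and the resulting demand count per SIF is what gets compared with the process hazards analysis, as the introduction to this annex requires. The following Python script is an added example and is not part of ISA-TR84.00.03 or any user's forms: it takes trip records carrying the Form B.3 fields (process demand versus spurious trip, and whether all SIS equipment operated as designed), builds the Form B.4 rows for a reporting period, and flags any SIF whose observed demand frequency exceeds the rate assumed in the PHA. The SIF identifiers, dates and assumed demand rates are constructed for illustration.

```python
"""Added example, not from ISA-TR84.00.03: rolls individual trip/demand records (the
information captured on Forms B.1 and B.3) into the Form B.4 summary and compares the
observed demand frequency of each SIF with the demand rate assumed in the PHA.
All records, SIF IDs and assumed rates are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TripRecord:
    sif_id: str
    event_date: date
    spurious: bool       # Form B.3: "Spurious trip" (True) or "Process demand" (False)
    equipment_ok: bool   # Form B.3: "Did all of the SIS equipment operate as designed?"


# Constructed trip records (not real plant data); the last one falls outside the window
RECORDS = (
    TripRecord("SIF-101", date(2011, 2, 3), spurious=False, equipment_ok=True),
    TripRecord("SIF-101", date(2011, 7, 19), spurious=False, equipment_ok=True),
    TripRecord("SIF-101", date(2011, 11, 2), spurious=True, equipment_ok=False),
    TripRecord("SIF-205", date(2011, 5, 8), spurious=True, equipment_ok=True),
    TripRecord("SIF-205", date(2010, 12, 30), spurious=False, equipment_ok=True),
)

# Demand rate assumed in the PHA, in demands per year (constructed values)
PHA_DEMAND_RATE = {"SIF-101": 0.1, "SIF-205": 0.5}


def form_b4_summary(records, start, end):
    """Return one Form B.4 row per SIF: trips, actual demands, spurious events, remarks."""
    rows = defaultdict(lambda: {"trips": 0, "demands": 0, "spurious": 0, "remarks": []})
    for r in records:
        if not start <= r.event_date <= end:
            continue
        row = rows[r.sif_id]
        row["trips"] += 1
        row["spurious" if r.spurious else "demands"] += 1
        if not r.equipment_ok:
            # Form B.3: a failure report is required for equipment that did not function
            row["remarks"].append(f"{r.event_date}: equipment failure report required")
    return dict(rows)


def demand_rate_review(summary, start, end, assumed):
    """Compare observed demands per year with the PHA assumption.
    Returns {sif_id: observed_rate} for each SIF whose observed rate exceeds the
    assumed rate; repeated demands are the signal to investigate the process or the
    operating procedures rather than to accept the trips as normal."""
    years = ((end - start).days + 1) / 365.25
    return {
        sif: row["demands"] / years
        for sif, row in summary.items()
        if row["demands"] / years > assumed.get(sif, float("inf"))
    }


if __name__ == "__main__":
    period = (date(2011, 1, 1), date(2011, 12, 31))
    summary = form_b4_summary(RECORDS, *period)
    for sif, row in summary.items():
        print(sif, row)
    print("exceeds PHA demand rate:", demand_rate_review(summary, *period, PHA_DEMAND_RATE))
```

With the constructed data SIF-101 shows two genuine demands in one year against an assumed 0.1 per year, so it is flagged for investigation, while SIF-205's single event is a spurious trip and counts toward the reliability column rather than the demand column.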
Annex C Example failure reports
A failure has occurred when equipment is not able to perform its required function. Failures
should be recorded and tracked so that their frequency can be compared to the assumptions in
the process hazards analysis and SIL Verification calculation. Repeated failure is a leading
indicator of inadequate mechanical integrity and should be investigated so that action can be
taken to reduce the frequency of reoccurrence where possible. This annex provides examples of
failure reporting forms. Users may develop other failure reports incorporating similar information
or use other forms of documentation to record and track failure.
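The comparison this annex calls for, between the failures actually recorded and the failure rate assumed in the SIL verification calculation, can be made with the information on a Form C.1 report plus the service hours of each device. The following Python script is an added example, not a form or method from ISA-TR84.00.03: it tallies dangerous failures ("failed to operate according to specification") per tag, lists tags with repeated reports, and uses the Poisson tail probability to ask whether the observed count is plausible under the assumed dangerous failure rate. The tags, service hours and assumed rates are constructed for illustration.

```python
"""Added example, not from ISA-TR84.00.03: tallies Form C.1-style failure reports per
tag, flags repeated failures (the leading indicator named above), and tests whether the
number of dangerous failures is consistent with the dangerous failure rate assumed in the
SIL verification calculation, using the Poisson tail probability. Tags, service hours and
assumed rates are constructed for illustration."""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureReport:
    tag: str
    how_failed: str   # Form C.1: "failed to operate" (dangerous) or "operated without cause"
    detected_by: str  # Form C.1: operator, diagnostic alarm, inspection, proof test, near miss


# Constructed failure reports covering a two-year review window
REPORTS = (
    FailureReport("FT-101", "failed to operate", "proof test"),
    FailureReport("FT-101", "failed to operate", "proof test"),
    FailureReport("FT-101", "operated without cause", "operator"),
    FailureReport("XV-101", "failed to operate", "inspection"),
)
# Dangerous failure rate per hour assumed in SIL verification, per tag (constructed)
ASSUMED_LAMBDA_D = {"FT-101": 2.0e-6, "XV-101": 5.0e-6}
# Service hours accumulated by each tag in the review window (constructed: two years)
SERVICE_HOURS = {"FT-101": 2 * 8760, "XV-101": 2 * 8760}


def dangerous_counts(reports):
    """Number of dangerous ("failed to operate") reports per tag."""
    return Counter(r.tag for r in reports if r.how_failed == "failed to operate")


def repeated_failures(reports):
    """Tags with more than one failure report of any kind in the window."""
    return sorted(tag for tag, n in Counter(r.tag for r in reports).items() if n > 1)


def poisson_tail(n, mu):
    """P(N >= n) for N ~ Poisson(mu): the chance of at least n failures if the assumed
    rate holds."""
    if n <= 0:
        return 1.0
    return 1.0 - sum(math.exp(-mu) * mu ** k / math.factorial(k) for k in range(n))


def rate_review(reports, assumed, hours, alpha=0.05):
    """For each tag compare observed dangerous failures with the expected number
    lambda_D * hours. flag is True when the observation is unlikely (tail probability
    below alpha) under the assumed rate, i.e. the SIL verification input needs review."""
    counts = dangerous_counts(reports)
    result = {}
    for tag, lam in assumed.items():
        n = counts.get(tag, 0)
        mu = lam * hours[tag]
        p = poisson_tail(n, mu)
        result[tag] = {"observed": n, "expected": mu, "p_value": p, "flag": p < alpha}
    return result


if __name__ == "__main__":
    print("repeated failures:", repeated_failures(REPORTS))
    for tag, row in rate_review(REPORTS, ASSUMED_LAMBDA_D, SERVICE_HOURS).items():
        print(tag, row)
```

With the constructed data FT-101 has two dangerous failures where the assumed rate predicts about 0.035 over two years, which is flagged; XV-101's single failure against an expectation of about 0.09 is unusual but not below the 5% threshold, so it is recorded without a flag. A small alpha deliberately avoids raising an alarm on every single failure of a device whose assumed rate is low.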
Form C.1 Failure investigation report form
SIF ID #: Plant ID:
SIF description:
(If there is a documented SRS provide document reference)
Manufacturer: Software Rev #
(Firmware/application program, where relevant)
Model number: When Installed?
Failure was detected by:
Operator Diagnostic alarm Inspection
Proof test Near miss / incident
(If detected by incident, this report may accompany the near miss/incident report)
Classification: ______Safety ______Environmental _____ Asset protection
How did the equipment fail?
Failed to operate according to specification
Operated without cause
Where was the failure? (check all that apply)
Part failure Installation Electrical connection
Process connection Program error Human error
Utility (e.g., power supply, communication) Design error
Other (describe) _______________________________________________________
Describe what failed:

(Examples: Plugged process connection, over-temperature, short, power supply went bad, electronics failed)
Was the failure corrected through: repair / replacement / modification / program fix
Was the repair/replacement like for like? yes no
Was the replaced equipment on the Approved Equipment List? yes no
Will the failed equipment be subjected to manufacturer/outside shop failure analysis?

(If so, forward report to Maintenance Manager and SIS Specialist)
Are there similar installations in this process unit, which should be examined for similar failure?

Comments:

(Detail any additional monitoring or precautions required)
Assessment led by: Date:
SIS Specialist/Engineer or equivalent

Form C.2 Transmitter failure report
Plant ID: Loop ID: Tag #:
Test date: Who tested: Test procedure #:
Previous test date: Previous failure report #:
What was the effect of the failure:
Failed to operate according to specification
Operated without cause
What caused the failure:
Sensor Process connection Electrical connection
Electrical contact Power supply
Impulse line plugged Root valve/manifold closed Configuration
Other (describe)
Comments:
Assessment led by: _____________________________Date:_______________________
SIS Specialist/Engineer or equivalent
Form C.3 Valve failure report
Plant ID: Loop ID: Tag #:
Failure date: Identified by: Test procedure #:
Previous test date: Previous failure report #:
What was the effect of the failure:
Failed to operate according to specification
Operated without cause
What parts contributed to the failure:
Actuator Seat Airset/Air supply
Solenoid valve Spring Pneumatic connection/tubing
Body/Bonnet Gasket Pneumatic accessory (e.g. booster, quick vent, etc.)
Guide Packing Power supply
Shaft Position switch Electrical connection
Comments:
Assessment led by: _____________________________Date:_______________________
SIS Specialist/Engineer or equivalent
Annex D Effective procedure writing, verification and implementation
A comprehensive MI program is only useful if personnel understand the intent of the program
and have the means and capability to execute its procedures as written. Procedure
documentation is more than just the act of putting words on paper; it involves the systematic
review of the steps required to execute a job task, including the examination of human factors
and ergonomics. Procedures should be in place prior to the start-up of the process equipment
and should be written with the intended audience in mind. Consideration should be given to the
level of technical knowledge expected of the reader.
Procedures should provide instructions, practices, and guidelines used for SIS equipment
inspection, preventive maintenance, and testing. Procedures should be in place before process
equipment is placed in service, updated before any change is implemented, and kept current
throughout the SIS life. An internal practice should provide overall requirements for procedure
scope and content. Each SIS should have a set of procedures covering the MI requirements
unique to that specific SIS and its SIF. Separate work processes are often used for on-line
versus off-line maintenance.
Inspection and test procedures should be available and should describe the work tasks in a step-
by-step manner with clear pass/fail criteria. As with other procedures, responsible personnel or
departments, the required permits and notifications, the required test equipment and tools, and
any appropriate hazard or safety warnings should be identified. Procedures should provide the
work process steps necessary to successfully complete equipment commissioning and validation.
Validation should be performed whether repair is done on-site or by the manufacturer.
Test procedures should describe any related functions, such as SIS alarms, bypass switches,
manual shutdown buttons, and resets. Procedures may be modularized as desired with
procedures written for individual pieces of SIS equipment, SIF subsystems, each SIF, a set of
SIF, or the entire SIS. Procedures should be comprehensive and clearly convey the work
expectations and requirements. Maintenance records should be signed and dated by the
person(s) conducting the work.
Those assigned responsibility for conducting work according to a test procedure should be
sufficiently competent to understand and implement the procedure as written. The procedures
should include an inspection of the physical installation to provide visual confirmation that
equipment is in satisfactory condition. Preventive maintenance activities should also be
described.
SIS equipment should be periodically proof tested to demonstrate and document that the
equipment is operating according to the SRS and equipment specification. Proof tests can be
performed on-line or off-line. On-line test procedures should be carefully planned, documented,
and validated, because minor mistakes during on-line testing can potentially lead to process
upsets or spurious trips. Off-line testing is inherently safer, but given the current trend of
increasing run time between process facility turnarounds, it is becoming increasingly difficult to
determine the as-good-as-new equipment status without some on-line testing.
When automated diagnostics detect a fault, the SIF is configured to initiate 1) an automatic
shutdown, 2) a safety alarm, or 3) a fault alarm. The required configuration is defined in the SRS
and is determined by the equipment choice, subsystem fault tolerance against dangerous failure,
the nature of the failure (e.g., dangerous failure versus safe), and the availability of
compensating measures. Continued operation requires compensating measures to ensure safe
operation during the allowable repair time (refer to ISA-TR84.00.04 Annex P). When applicable,
operating procedures should provide restrictions on the maintenance activities, e.g., prohibited
during certain operating modes.
Test procedures should cover in detail how maintenance is performed safely while the process
equipment is operating. A key parameter for on-line repair is the allowable repair time
established in the design and operating basis. The allowable repair time provides the maximum
time that the equipment can be out of service prior to initiating management of change activity.
The management of change review is performed to determine whether the compensating
measures are sufficient for the extended period, whether additional measures are required, or
whether a manual shutdown should be executed. The review should also address the priority
status for the repair activity.
A specific written test procedure should be available for each SIF. The procedures should be of
sufficient detail to allow personnel who are not intimately familiar with the SIF to perform the
appropriate testing. These should include where appropriate the following:
list of SIF included in the SIS
equipment description and location for each safety function
functional requirements for each safety function
inspection procedures to be followed
calibration and testing methods to be followed
frequency of calibration, testing, inspections, and maintenance activities
specify acceptable performance limits (±2% of full range if no limits specified)
specify sequence of testing if required
specify who should perform test
specify state of process when test is performed
if the SIF is mirrored in the BPCS, test should show that SIF actuated final control device
verification of operational state of SIF after test complete
test of internal and external diagnostics (WDT, etc.)
verify auxiliary service components are operational (fans, filters, batteries, UPS, etc.)
define a means of ensuring testing is performed and documented
All test procedures should identify the system being tested, page numbers, and revision date on
each page of the procedure. The responsible role/person for maintaining each procedure should
be identified in the procedure. The electronic file path or hard copy library location of the test
procedures corresponding to the device to be tested should be appropriately loaded in the
maintenance management system.
All drawings used to describe SIF should be referenced including P&IDs, loop drawings, logic
sheets, etc.
Procedures should focus on the ways in which the core attributes, namely independence,
integrity, functionality, reliability, auditability, access security, and management of change, are
maintained to the suitable level of rigor. Well written procedures help eliminate systematic
failures by providing instructions, improving communication, reducing training time, and
improving work consistency.
The test procedures are considered a controlled document just like the process operating
procedures. Any deviations from the documented test procedure should be reviewed to make
sure the change will not lead to a failure of the SIF.
A thorough understanding of the intended SIS functionality is critical to ensuring that the SIS is
operated and maintained to meet the required performance. Consideration should be given to
potential language barriers to effective learning. If multiple languages are spoken, safety and
emergency information should be communicated in other languages as necessary to ensure
personnel understand work process requirements and expectations. If personnel do not
understand how the SIS equipment is expected to operate, a procedure change, variance, or
deviation may seem acceptable, yet yield an undesirable outcome.
Personnel should be trained on facility procedures, such as safe work practices, evacuation and
response procedures, access permit requirements, and management of change. Personnel
should receive specific training related to their assigned responsibility. Personnel training should
be verified as complete during the pre-start-up safety review for any new or modified SIS. New
personnel should complete training on the SIS operation prior to taking responsibility for the
process equipment.
Once an SIS is operational, knowledge and skills should be maintained through an on-going
training program. For best results, facility training should emphasize the fundamental criticality of
SIS operation. Means for evaluating the training program effectiveness should be implemented.
Training should be revised to resolve deficiencies. Knowledge and skills based testing can be
used to validate training effectiveness, as necessary. When knowledge and skills do not match
expectations, consideration should be given to improving training content, depth, or frequency to
obtain the desired level of competence. Training records should be maintained.
Training should familiarize maintenance personnel with the hazardous events the SIS protects
against and the expected SIS operation. Personnel assigned responsibility to perform
maintenance and testing on the SIS equipment require the knowledge and experience necessary
to perform the procedures correctly. Training should ensure that maintenance personnel
understand what permits and notifications are required to work on or to bypass SIS equipment.
Training should cover task expectations, such as documentation, reporting, and failure
investigation.
D.1 Format
The procedure format is often determined by the equipment to be tested, the testing equipment
employed and the capabilities of the technician performing the test procedure. All procedures
should be written with their intended audience in mind and with an appreciation for the specific
technical knowledge of the reader. The procedures should be clear and concise, with minimum
complexity. Procedures should provide information in different formats, such as text, graphics,
and flowcharts, to accommodate different learning styles. Where multiple languages are spoken,
consideration should be given to developing procedures and training materials in each language
to ensure critical information is not lost in translation.
Task lists, checklists, hierarchical outlines, or task analysis can be used to create procedures,
which are easy to understand and use. Task analysis offers a more rigorous organization than
other methods. It often uses a three or four column format delineating major steps, providing
detailed work tasks, caution notes and comments.
The choice of technique is highly related to the complexity of the procedure. Task lists are
generally restricted to very simple work instructions, requiring few steps and decisions. Longer
instructions should be written in checklists or in hierarchical (i.e., outline) format to break the
work process into smaller logical steps that are generally executed in series to obtain the
specified result. For example, a series of maintenance steps for a transmitter would include
activities such as checking the transmitter range, verifying the deviation alarms, and validating
the trip set point. Each step has specified pass-fail criteria, which are evaluated and recorded.
When many decisions are required, graphical techniques for presenting the steps of the
procedure, such as flow charts, should be considered. Flow charts break down the procedures
into small logical steps and provide an effective means to illustrate decision blocks where the
answer choice, e.g., a yes or no, affects the action to be taken.
Regardless of the format chosen, the goal is to ensure that safe and reliable operation is
achieved through the detection and correction of failures. The SIS procedures should be written
with sufficient detail to achieve the performance specified in the SRS. Just as the core attributes
affect the SRS, they are also significant to effective procedure development.
D.2 Test scope
The test scope should identify for the technician what the procedure intends to test, the status of
the process during the test, and what is not tested using this procedure. In some cases there
may be several test procedures for a specific component or SIF.
the hazardous event(s) for which the SIF provides protection
the hazardous event(s) classification or SIL target
the testing and inspection interval
the identification of the equipment on which the inspection or test was performed (e.g., loop
number, equipment number, SIF identification, test procedure reference for a set of SIF)
the settings and tolerance or acceptable performance limits (e.g., pass/fail criteria) for the
SIS equipment
the pretest conditions required to safely run the test, including the state of the process
(normal operating conditions, shutdown, on-line, off-line, lock-out, etc.)
for on-line tests with a process hazard present, the procedure must give specific instructions
on what to do if the SIF fails and specify limits on when to abort the test
the proper step-by-step sequence in which to run the test
the procedure validates each channel of the SIF, including
each channel of the SIF independently trips each final element as designed
each SIF independently trips each final element as designed
each logic solver independently trips each final element as designed. If BPCS is used in
the SIF, it should be tested in the procedure.
the name(s) of the qualified individuals performing the test, and their responsibilities
reference drawings and documents
test equipment required
removal of equipment used for the test
verification that the equipment and final control element are returned to normal operation
verification that each sensor and final control element is returned to pre-test operation
permits required
manufacturing authorization of the procedure
D.3 Related reference data, drawings, documentation, procedures
The technician may need additional information not contained in the test procedure in order to
properly carry out the test such as calibration procedures, lock out procedures, line breaking
procedures, inspection procedures, schematic diagrams, and P&ID. Providing references to the
technician will ensure the test procedure will be properly carried out and reduce the time
required to perform the tests. This is especially important during turnarounds where many test
procedures may need to be completed in a short period of time.
D.4 Personnel safety considerations
Personnel may be exposed to the process while performing the test procedure or have to enter
an area which would put the operator at risk. In order for the technician to perform the work
safely, they need to be informed of the hazards they may incur, such as exposure to hazardous
substances, electrocution, flammables, radiation, gravity, and ergonomic considerations and the
potential consequences of failure to follow the procedure or of exposure.
D.5 Planning
Performing testing on a process can be costly and potentially result in a loss of production. It is
important to document in the planning section of the procedure the testing equipment, PPE, test
gases, scaffolding, and any other equipment needed to perform the test. In addition, the plan
should include information on what to do if the test fails. Remember that if the test is performed
on-line, you do not have an unlimited amount of time to complete the test. Locating the spare
parts for the SIF before the shutdown can save a lot of precious time when SIS equipment fails
the test and needs to be replaced. To aid the technician in planning it is recommended to have
notification of required test issued via the maintenance management system 30 to 60 days from
the actual required test date.
D.6 Notification (Operations, Facility, etc.)
What the technician does in the process can affect many others in the process and even
potentially the community if the work is not coordinated with the proper plant personnel. Before
the technician starts work, a permit to work should be obtained from the appropriate person in
order to make sure it is safe to perform the work. In addition the technician may need to get a
breaking into process permit or a lockout permit in order to perform the procedure safely. The
notification section of the procedure should identify the permits required to perform the work
safely.
D.7 Operating procedure requirements
Figure D.1 provides an example of a simplified work process, illustrating the typical
interrelationship between operational and maintenance activities. The content and depth of the
information communicated to various personnel should be based on the intended role of the
individual in managing risk and performing the MI activity.
Process Engineering and Operations are primarily responsible for defining the content of SIS
operating procedures. These procedures should cover SIS specific information and should
explain to the operator the correct use of bypasses and resets, the required response to SIS
alarms and trips, when to execute a manual shutdown, and provisions for operation with detected
faults. These procedures, along wi th analogous ones developed by Maintenance/Reliability
Engineering for maintenance activities, make up the backbone of the operating basis for the
process equipment.

Figure D.1 Simplified operation and maintenance work process
D.8 Procedure verification
Maintenance procedures should be analyzed using a suitable, standardized method to determine
the coverage comprehensiveness of the test procedure, ensure adequate test coverage for all
dangerous failure modes, and ensure the potential for systematic (human) errors has been
considered in the procedure. These methods may vary depending upon the complexity of the
task and may include failure mode and effects analysis (FMEA), job step analysis, task analysis,
or equivalent. While a test should be comprehensive, if it is too difficult or complex, there is a
greater likelihood the test will not be completed properly.
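Two of the checks described in D.2 and D.8, that each channel of the SIF independently trips each final element and that every dangerous failure mode is exercised by some test step, can be performed mechanically once the procedure is written down as data rather than free text. The following Python script is an added example and is not a method from ISA-TR84.00.03 or from any FMEA tool: it models a constructed 1oo2 level SIF with dangerous failure modes taken from an assumed FMEA, models the proof-test procedure as checklist steps, and reports the uncovered failure modes, the untested sensor-to-final-element trip paths, any measuring step without a pass/fail criterion, and, for an on-line test, the absence of an abort limit. Tags, failure modes and step wording are constructed.

```python
"""Added example, not from ISA-TR84.00.03: checks a proof-test procedure, written as data,
against the D.2 scope items (channel-by-channel trip of each final element, pass/fail
criteria, abort limits for on-line tests) and the D.8 coverage requirement (every dangerous
failure mode from the FMEA exercised by at least one step). The SIF, its failure modes and
the procedure are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    tag: str
    kind: str                   # "sensor", "logic_solver" or "final_element"
    dangerous_modes: frozenset  # dangerous failure modes from a (constructed) FMEA


@dataclass(frozen=True)
class Step:
    number: int
    text: str
    pass_criteria: str = ""          # explicit pass/fail criterion for this step
    covers: frozenset = frozenset()  # (tag, failure mode) pairs this step would reveal
    trips: frozenset = frozenset()   # (sensor tag, final element tag) trip paths exercised
    abort_limit: str = ""            # for on-line tests: when to stop and restore


# Constructed 1oo2 level SIF: two transmitters, one logic solver, one shutdown valve
SIF = (
    Component("LT-101A", "sensor", frozenset({"drift", "stuck reading", "plugged impulse line"})),
    Component("LT-101B", "sensor", frozenset({"drift", "stuck reading", "plugged impulse line"})),
    Component("SIS-PLC", "logic_solver", frozenset({"output fails energized"})),
    Component("XV-101", "final_element", frozenset({"fails to close", "closes too slowly", "seat leak"})),
)

# Constructed checklist procedure; it only simulates a trip from channel A and has no
# bubble test, so the review below is expected to flag both gaps
PROCEDURE = (
    Step(1, "Compare LT-101A and LT-101B as-found readings with the reference gauge",
         pass_criteria="within ±2% of full range",
         covers=frozenset({("LT-101A", "drift"), ("LT-101A", "stuck reading"),
                           ("LT-101B", "drift"), ("LT-101B", "stuck reading")})),
    Step(2, "Blow down both impulse lines and confirm each reading responds",
         pass_criteria="reading moves when line is vented",
         covers=frozenset({("LT-101A", "plugged impulse line"),
                           ("LT-101B", "plugged impulse line")})),
    Step(3, "Simulate low level on LT-101A; confirm XV-101 closes and record stroke time",
         pass_criteria="XV-101 closed limit switch made within 5 s",
         covers=frozenset({("SIS-PLC", "output fails energized"), ("XV-101", "fails to close"),
                           ("XV-101", "closes too slowly")}),
         trips=frozenset({("LT-101A", "XV-101")}),
         abort_limit="stop and restore if XV-101 has not started to move within 10 s"),
    Step(4, "Remove simulation, clear bypass, confirm loop healthy"),
)


def coverage_report(sif, procedure, online=True):
    """Return the gaps a D.8 review would raise for this procedure."""
    required_modes = {(c.tag, m) for c in sif for m in c.dangerous_modes}
    sensors = [c.tag for c in sif if c.kind == "sensor"]
    finals = [c.tag for c in sif if c.kind == "final_element"]
    required_paths = {(s, f) for s in sensors for f in finals}

    covered = set().union(*(s.covers for s in procedure))
    exercised = set().union(*(s.trips for s in procedure))
    # Only steps that claim to detect something need a measured pass/fail criterion;
    # a restoration step such as step 4 does not
    no_criteria = [s.number for s in procedure if s.covers and not s.pass_criteria]
    has_abort = any(s.abort_limit for s in procedure if s.trips)

    return {
        "uncovered_modes": sorted(required_modes - covered),
        "untested_trip_paths": sorted(required_paths - exercised),
        "steps_without_criteria": no_criteria,
        "missing_abort_limit": online and not has_abort,
    }


if __name__ == "__main__":
    for key, value in coverage_report(SIF, PROCEDURE).items():
        print(f"{key}: {value}")
```

Run against the constructed procedure, the report shows that the seat leak mode of XV-101 is never tested (a bubble test would cover it) and that a trip initiated from LT-101B is never exercised, which is exactly the kind of gap the D.2 requirement that each channel independently trip each final element is meant to close. Modelling the procedure this way also makes the "what is tested and what is not" statement required by D.2 a by-product of the data rather than a separate piece of text to keep in step.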
D.9 Procedure analysis
Each procedure should define the individuals, departments, or job functions responsible for the
development, approval, upkeep, distribution, and revision management of the procedures
themselves. Work procedures are most successful when they are broken down into steps or
tasks intended to achieve specific results.
If the intended audience does not understand them or feels that they are too complex, the
procedures will not be followed. In an operating and maintenance environment, people often tend
to follow the path of least resistance and, if they perceive a difficult path, they may find an
easier, though not necessarily correct, or safe, one.
Table D.1 provides a listing of people, situations, and system related errors. Slips, such as
omissions and lapses, are common, yet critical errors. Incorrect equipment assembly,
installation, and repair are common maintenance errors.

Table D.1 People, situations, and system related errors
People-oriented errors
Slips (lapses, omissions, execution errors)
Capture error
Identification error
Impossible tasks
Input or misperception errors
Lack of knowledge
Over-motivation or under-motivation
Reasoning error
Task mismatches
Situation-oriented errors
Environmental
Stress
Timing
System-oriented errors
Errors by others
Procedural
Violations
Human errors in system design
Mistakes
Specification errors
Communication breakdown
Lack of competency
Functional errors
Common errors in instrument design

D.10 Continuous improvement
Personnel should contribute their experience and knowledge to the continuous improvement of
procedures and practices. Cooperation of multiple parties is necessary to ensure that the SIS
requirements match the capability of personnel. Procedures used in combination with training
and regular performance feedback achieve predictable work results. The procedure should be
reviewed after completion by a planner and any deviations should be reviewed to determine
whether the procedure should be updated. Any modifications to the procedure should follow the
MOC procedures at the site.
D.11 Modification
SIS procedures should be under revision control. Procedures should be periodically reviewed to
ensure that the procedures are up-to-date and reflect current work tasks and expectations.
Changes to SIS procedures, whether technical or editorial, should be reviewed and approved.

Annex E Example inspection items and forms
The following are recommended inspection items that should be covered by an inspection
program as part of an overall mechanical integrity plan. The bullet lists are not exhaustive and do
not include everything that should be covered by the inspection program for particular equipment
or SIS.
Inspection is typically not a singular activity, but something that is done as part of other duties
and in some cases only under specific circumstances. Some items can be addressed by simple
visual inspection, where personnel perform a unit walkthrough and look for discrepancies, e.g.,
tagging or labeling. These inspections do not require tools and may be performed by plant
operators or maintenance technicians. Other items can be intrusive, requiring hands-on
inspection and would likely be performed only by maintenance personnel under controlled
conditions, e.g., pulling wire to determine whether it is loose. These latter items are often verified
during commissioning or proof testing when equipment is off-line or in bypass. Some inspections
require specialized resources, tools and equipment access. For example, examining the physical
condition, application program, and diagnostic status of a logic solver requires a skilled control
system technician and access to the engineering station and logic solver. Another example
requiring specialized tools would be the use of radiography to detect a plugged process
connection. Any person trained in the use of the radiography equipment could perform the
inspection, but it is likely that it would only be performed on connections where process pluggage
has been identified as a concern.
The recommended inspection items are not intended to be turned into a single checklist, since
these items may be performed at different frequencies depending on manufacturer
recommendations, the type of inspection being performed, the expected equipment degradation
rates, specific characteristics of the process, and SIS management of change history. Some of
these items may be inspected frequently as in the case of visual inspections, while others may
only be performed infrequently as in the case of hands-on inspections.
Generally, an inspection checklist or form is used to support thorough inspection. An example
checklist is provided in Table E.1. This checklist applies to multiple equipment types and is not
intended for use as is. Typically, a user will have a generic template with typical inspection items
and then modify the template to address the specific application and device technology, subject
to a particular inspection. Specific checklists are used to ensure consistency in the inspection
scope and record quality. Training should ensure that inspectors understand the importance of
verifying the overall fitness of the equipment in service and of reporting any discrepancies with
the equipment regardless of the checklist items.
E.1 General field inspection items
On the field side, the focus is on the physical aspects of the installation, such as wiring, status of
any punch list items remaining from the commissioning effort, and adherence to construction
specifications. Field inspections should verify:
tags and labeling
painting, where applicable
conduit seals
covers
wiring
grounding systems
support systems (e.g., communications, power supplies, and instrument air)
installation materials (e.g., gaskets, grounding rings)
installation (e.g., bolts, insulation, process connections, supports, tracing, purges, bug
screens)
installation quality (e.g., no signs of physical disturbances, such as absence of
moisture/debris/corrosion, excessive vibration or steam impingement)
barriers (e.g., bollards protecting equipment from physical impact or covers on emergency
push buttons)
warning signs (e.g., radiation or high voltage hazard)
Each component of an SIF should be in good condition with no visible physical defects that
could impact the performance or reliability of the system. All parts of the SIF should be inspected
for damage, deterioration, missing parts, or other physical damage and for incipient conditions
such as water ingress. The physical examination should include:
all input devices to the SIS such as transmitters, switches, thermocouples
all output devices such as solenoid valves, control valves, motor controllers
system wiring with particular attention to terminations, junction boxes, conduit
SIS logic solver - electromechanical relays, PLC, etc.
E.2 Sensors
In addition to the items covered in E.1, the following inspection criteria apply to field sensors:
instruments clearly identified as part of SIF
process connections in good condition with respect to leaks, insulation, corrosion, etc.
root valves in correct position
instruments installed per design standards and manufacturer guidelines
configuration per design
heat tracing functional and insulation in good condition
conduit connections and covers in good condition and properly supported
cabling in good condition and correct length for thermal expansion
cabling drip loops in place and functional with drainage to a proper location
drains and seals, if required, in place and functional
process tubing lines properly supported and sloped
E.3 Final elements
In addition to the items covered in E.1, the following inspection criteria apply to the final
elements:
final elements clearly identified as part of SIF
configuration per design (e.g., valve fails open or closed)
heat tracing functional and insulation in good condition
bug screens in place and functional
tubing for air supply and connections to positioner or top works in good condition
solenoids properly mounted with tubing and electrical connections in good condition
valve piping gaskets in good condition (e.g., no cracks or leaks)
valve stem in good condition
top works in good condition (e.g., no cracks or leaks at gaskets)
valve installation supports in good condition
no corrosion build-up around valve stem
motor control circuits in good condition
variable speed drive mounting is secure
electrical wiring terminals (at each end) are properly tightened
no sign of overheating has occurred at each terminal
no corrosion, burnt spots, overheating, de-formation, or discoloration on contacts
instrument pressure gauges in good condition
any auxiliary equipment, such as signal converters and positioners, in good condition
any other conditions which might hinder proper operation of the valve
E.4 Logic solvers
The following inspection items apply to logic solvers:
diagnostic checks
diagnostic alarms configured per specification and properly prioritized
proper operation of all communication buses
power to redundant power supplies and proper operation
proper logic solver scan order to ensure proper process safety time
operating records indicate that solid state outputs are not generating off-state leakage current
above the rated value
physical checks
components clearly identified as part of SIF
absence of moisture
status condition lights are functional and normal (e.g., fault, communication, power,
fusing)
ventilation or cooling is functional
absence of dust or other foreign material (e.g., filters)
closure hardware installed per design standards
check that access security (e.g., doors locked) is in place
logical checks
configuration per design (e.g., absence of forces and bypasses, scan rate)
manufacturer recommendations (e.g., bug fixes, recalls)
E.5 Wiring connections
The following inspection items apply to wiring connections:
wiring, terminals or junction boxes clearly identified as part of SIF
wiring connections in junction boxes, scramble boxes, or other terminations are tight
wiring and cable segregation, as required, is in place
fire proofing per design
seals where required should be checked
conduit covers should be in place
conduit drains should be in place and working properly
cabinet doors are closed, water tight, and properly labeled
E.6 Power and grounding/bonding
Proper grounding includes many separate grounding entities in a process facility. Some
examples include DCS, PLC, highway, static, substation, neutral, single point, motor, raceway,
control room, instrument transformer, building, faraday effect (framing), lightning cone of
protection, surge protection, safety, noise (e.g., shielding), ungrounded, ground tripod, lightning
rods, ground rods, ground noise, computer flooring, footing ground rods, isolated, ground plane,
UPS, isolation transformer, computer, ground resistance, etc. For this technical report,
discussion of grounding is focused on the SIS, but the reader is cautioned that improper
grounding and poor maintenance of the grounding systems are among the leading causes of
process unreliability.
Power and grounding connections and insulation should be verified to ensure no degradation.
Visual inspection is typically performed during on-line operation, while more rigorous physical
inspection is executed off-line. The following inspection criteria apply:
all power and grounding / bonding installed per documented design
all power and grounding / bonding connections securely fastened
no evidence of corrosion or fouling on any power or grounding / bonding connections
no evidence of sliced, cracked or otherwise degraded power and grounding / bonding
insulation
no evidence of charring or heat build-up
power operating within acceptance range
Form E.1 Generic field sensor checklist
Instrument number: ________________________________________________________
Test number: ______________________________________________________________

Materials of construction:
OK Not OK    No obvious signs of corrosion in area with the process
OK Not OK    Model number of installed instrument matches instrument calibration records

Protection from the environment:
OK Not OK NA Protection from mechanical damage (can instrument be used as a step, etc.)
OK Not OK NA Protection from weather (freezing, rain, snow, ice, etc.)
OK Not OK NA Protection from insects, birds, etc. (vents clear, etc.)
OK Not OK NA Protection from corrosive leaks of adjacent process (signs of external corrosion on instrument)

Proper installation of impulse lines:
OK Not OK NA Sloped correctly (down for liquids, up for gases)
OK Not OK NA Materials of construction correct (no obvious signs of corrosion)

Proper installation of instrument:
OK Not OK NA Orientation of instrument
OK Not OK NA Field zeroed after shop calibration (if required)
OK Not OK NA Primary elements not worn or eroded (orifice plates, vortex shedder bar, etc.)
OK Not OK NA Breather drain fitting installed
OK Not OK NA Low point conduit drain installed
OK Not OK NA Conduit in good shape
OK Not OK NA Proper static grounding applied

Process concerns:
OK Not OK NA Impulse lines not plugged
OK Not OK NA Purges working properly
OK Not OK NA No corrosion present
OK Not OK NA Thermowell fouling

Equipment identification:
OK Not OK NA Green "Safety Interlock" tag installed
OK Not OK NA Clearly labeled with instrument number
OK Not OK NA Up-to-date calibration sticker

Comments/Observations: _______________________________________________________

Inspected by: ______________________________________________________________________

Inspection date: ____________________________________________________________________
Annex F Example calibration forms
This Annex provides an example of a calibration record. Users may develop other calibration
records incorporating similar information or use other forms of documentation to record and track
calibration.

Form F.1 Instrument calibration record
TAG NUMBER: ______________________          DATE: ___/___/______
UNIT: ____________________________          SYSTEM: __________________
TRANS DAMPENING: ________ Seconds
VERIFIED AGAINST GOVERNING DOCUMENT: ________
TRANSMITTER AS-FOUND: Analog / Digital      SqRt. / Linear

Transmitter Calibration Data                SERIAL NUMBER: ______________
Zero and Span | Process Range Units | Transmitter Input Units | Transmitter Output Units
Lower Limit   |                     |                         |
Upper Limit   |                     |                         |

Transmitter Calibration Record
Transmitter Input: ______________          Transmitter Output: ______________
Percent of Span | Actual Input | Desired Output | Output As-found | % Error As-found | Output After Calibration | % Error After Cal. | Output As-left | % Error As-left
0%              |              |                |                 |                  |                          |                    |                |
25%             |              |                |                 |                  |                          |                    |                |
50%             |              |                |                 |                  |                          |                    |                |
75%             |              |                |                 |                  |                          |                    |                |
100%            |              |                |                 |                  |                          |                    |                |

Percent error = (Actual output - Desired output) / (Upper output limit - Lower output limit) x 100%
Maximum allowable % error: ________   (The maximum allowable % error is listed in the instrument maintenance SOP.)
Maximum % error as-found: ________
Calibration required: Yes / No   (Calibration is required if the maximum % error as-found is greater than the maximum allowable % error.)
Maximum % error after calibration: ________
Corrective action required: Yes / No   (Corrective action, i.e., repair or replacement, is required if the maximum % error after calibration is greater than the maximum allowable % error.)
Corrective action taken (if required): ________
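As an added example, not part of the ISA form, the following Python works the record's percent-error formula and its two decision rules across the five test points. The 0-100 inH2O / 4-20 mA range and the readings are constructed; the square-root option assumes a transmitter whose output follows the square root of the input fraction (the "SqRt." box on the form).

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

TEST_POINTS = (0, 25, 50, 75, 100)  # percent-of-span rows on the calibration record


@dataclass
class TransmitterRange:
    """Zero/span data from the Transmitter Calibration Data block of the record."""
    input_lower: float          # lower process range value (input units)
    input_upper: float          # upper process range value (input units)
    output_lower: float         # lower output limit (output units, e.g. 4 mA)
    output_upper: float         # upper output limit (output units, e.g. 20 mA)
    square_root: bool = False   # True: square-root output characterization, False: linear


@dataclass
class CalibrationRow:
    percent_of_span: int
    actual_input: float
    desired_output: float
    output_as_found: float
    error_as_found: float                 # signed % error as-found
    output_after_cal: Optional[float]     # None when no calibration was performed
    error_after_cal: Optional[float]


@dataclass
class CalibrationResult:
    rows: List[CalibrationRow]
    max_error_as_found: float             # largest |% error| as-found
    calibration_required: bool
    max_error_after_cal: Optional[float]  # largest |% error| after calibration
    corrective_action_required: bool


def actual_input(rng: TransmitterRange, percent_of_span: float) -> float:
    """Process input applied at a given percent of input span."""
    return rng.input_lower + percent_of_span / 100.0 * (rng.input_upper - rng.input_lower)


def desired_output(rng: TransmitterRange, percent_of_span: float) -> float:
    """Ideal output at a given percent of input span. A square-root transmitter
    outputs the square root of the input fraction (25 % input -> 50 % output)."""
    frac = percent_of_span / 100.0
    if rng.square_root:
        frac = math.sqrt(frac)
    return rng.output_lower + frac * (rng.output_upper - rng.output_lower)


def percent_error(rng: TransmitterRange, actual_output: float, desired: float) -> float:
    """Record definition: (actual - desired) / (upper limit - lower limit) x 100 %."""
    return (actual_output - desired) / (rng.output_upper - rng.output_lower) * 100.0


def evaluate_record(rng: TransmitterRange,
                    as_found: Dict[int, float],
                    max_allowable_percent: float,
                    after_cal: Optional[Dict[int, float]] = None) -> CalibrationResult:
    """Fill in the five-point record and apply the two decision rules: calibration
    is required when the largest as-found error exceeds the allowable error;
    corrective action (repair/replace) is required when the largest error after
    calibration still exceeds it. Error magnitudes are compared, so -0.8 % counts
    the same as +0.8 % (an assumption of this example; the record itself does not
    state a sign convention)."""
    rows = []
    for pct in TEST_POINTS:
        desired = desired_output(rng, pct)
        found = as_found[pct]
        err_found = percent_error(rng, found, desired)
        cal_out = after_cal[pct] if after_cal is not None else None
        err_cal = percent_error(rng, cal_out, desired) if cal_out is not None else None
        rows.append(CalibrationRow(pct, actual_input(rng, pct), desired,
                                   found, err_found, cal_out, err_cal))

    max_found = max(abs(r.error_as_found) for r in rows)
    cal_required = max_found > max_allowable_percent
    if not cal_required:
        # As-found is acceptable: as-left equals as-found, nothing further to decide.
        return CalibrationResult(rows, max_found, False, None, False)
    if after_cal is None:
        raise ValueError("calibration required but no after-calibration readings given")
    max_cal = max(abs(r.error_after_cal) for r in rows)
    return CalibrationResult(rows, max_found, True, max_cal, max_cal > max_allowable_percent)


# Constructed sample: a 0-100 inH2O DP transmitter with a 4-20 mA linear output.
SAMPLE_RANGE = TransmitterRange(0.0, 100.0, 4.0, 20.0)
SAMPLE_AS_FOUND = {0: 4.08, 25: 8.10, 50: 12.12, 75: 16.10, 100: 20.10}
SAMPLE_AFTER_CAL = {0: 4.00, 25: 8.01, 50: 12.00, 75: 15.99, 100: 20.00}

if __name__ == "__main__":
    result = evaluate_record(SAMPLE_RANGE, SAMPLE_AS_FOUND, 0.5, SAMPLE_AFTER_CAL)
    for r in result.rows:
        print(f"{r.percent_of_span:>4}%  desired {r.desired_output:6.2f}  "
              f"as-found {r.output_as_found:6.2f} ({r.error_as_found:+.3f} %)")
    print("calibration required:", result.calibration_required)
    print("corrective action required:", result.corrective_action_required)
```

With a 0.5 % allowable error the constructed as-found data (worst point 0.75 % at 50 % span) requires calibration, and the after-calibration data (worst 0.0625 %) needs no corrective action.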

Switch Settings                                     Serial Number: ______________
Tag Number | Switch Setting | Signal As-found | Signal As-left | Deadband | Comments
           |                |                 |                |          |
           |                |                 |                |          |

Switch Settings                                     Serial Number: ______________
Tag Number | Switch Setting | Signal As-found | Signal As-left | Deadband | Comments
           |                |                 |                |          |
           |                |                 |                |          |

Calibration Equipment Used
Instrument Shop I.D. Number | Calibration Due Date | Comments
IS________                  | ___/___/______       |
IS________                  | ___/___/______       |
IS________                  | ___/___/______       |
IS________                  | ___/___/______       |

REMARKS: ______________________________________________________________________

AS-LEFT: Digital / Analog      Downscale B/O / Upscale B/O      Square Root / Linear
         SS tag attached       Transmitter properly color coded      PMI performed

TECHNICIAN: ______________________          DATE: ___/___/______

Annex G Preventive maintenance
Preventive maintenance is a proactive activity that maintains the equipment in the as good as
new condition. When the equipment is in this condition, it is operating within its useful life
period. Preventive maintenance reduces the frequency of equipment failure through periodic
restoration of the equipment condition. It involves many different activities that occur based on
fixed schedules and based on predicted degradation. It includes performing maintenance to
extend the equipment life such as changing an air filter and replacing disposable parts such as
changing batteries. Common preventive maintenance tasks include timely:
battery replacement
process connection cleaning
periodic replacement of eroded components based on historical erosion rates (e.g., flow
tubes, thermowells, or orifice plates)
rebuilding valves
seat
actuator
packing
gasket replacement
instrument air filter / separator cleaning/change-out
lubrication
electrical contact replacement
Appropriate preventive maintenance tasks may be identified from sources such as
manufacturers' literature, brainstorming, operating experience, maintenance experience, and
best practices. Important considerations in establishing a rigorous MI program include:
integrating preventive maintenance efforts with other plant tasks resulting in a cost effective
efficient multi-tasking maintenance program.
availability of the competent and trained personnel to perform the desired maintenance.
availability of correct materials and tools to utilize in the desired maintenance.
availability of correct instructions and related planning to utilize in the desired maintenance.
availability of MI and reliability processes to identify chronic failure issues (e.g., possible
improper selection of equipment/materials).
G.1 Identification of preventive maintenance tasks
Understanding causes and mechanisms of equipment failures provides the insight as to how the
path to failure may be measured. It also helps to establish appropriate predetermined levels of
degradation that mandate action is taken within some prescribed time period.
An initial source of needed preventive maintenance tasks is the manufacturer's safety manual
and equipment maintenance manual. These will need to be supplemented with the tasks required
by the impact of the process and environmental conditions, which may accelerate degradation or
wear beyond manufacturer expectations. Failure Modes and Effects Analysis (FMEA) and
Reliability Centered Maintenance (RCM) are analytical methods that can be used to identify
preventive maintenance tasks that sustain the SIS equipment's integrity and reliability.
Failure investigation, such as Root Cause Analysis, can potentially identify weaknesses in the
maintenance program which should be corrected. This approach helps facilitate an overall
reliability centered maintenance program that additionally would measure and analyze equipment
performance, looking to maintain expected performance as well as to identify opportunities to
improve reliability.
G.2 Criticality
Some maintenance tasks are performed to extend the life of the equipment, such as replacing
the electrolyte in an analyzer's cell, or to improve the reliability of the equipment. Other tasks are
critical to ensuring the integrity and reliability of the SIF on a routine basis, such as replacing
instrument air filters to reduce the likelihood of failing or rebuilding shutoff valves on a periodic
basis. While all of these activities are important to the operation of the process, tasks associated
with maintaining the performance of the SIS need to be managed using the typical lifecycle
management systems such as MOC, action tracking, failure response, and documentation.
G.3 Timing
The frequency of maintenance tasks is affected by the following:
shutdown schedule
on-line vs. off-line tasks
unexpected as found condition during preventive maintenance
manufacturers recommendations
good engineering practices and expert judgment
system architecture (e.g., level of fault tolerance)
PFD targets
incident investigation results
testing interval constraints and requirements
number of operations
hours of operation experience
In some cases optimizing all of the factors to satisfy performance expectations can be a
challenge, especially the shutdown schedule. The SIS design may need to include provisions for
performing preventive maintenance on-line. During a turnaround, preventive maintenance tasks
may need to be performed in conjunction with inspection and testing tasks. The order of these
tasks and whether they can be performed at the same time should be discussed and scheduled.
When production units do not run continuously, the preventive maintenance tasks may be based
on how long the equipment is operating or may need to be scheduled just prior to startup of the
unit.
As part of the continuous improvement part of the lifecycle, the timing of the activities needs to be
reviewed to determine if the performance of the maintenance program meets the assumptions of
the SIL Verification. Maintenance records and incident investigations can provide insight into
whether the MI plan is achieving its goals. Where the equipment performance does not meet the
required performance, the task may need to be performed more frequently or modified to improve
performance. Where the performance of the equipment cannot be improved by modifying the
timing or task, other equipment may need to be selected.
Once a schedule basis is established, changes should be reviewed to ensure that the change
does not impact the SIS equipment integrity. When the task cannot be performed within a
defined acceptable grace period, the user has several options using management of change.
This may include permanent changes to the schedule if justified or implementing alternative
temporary means of risk reduction. Annex J provides additional guidance for dealing with
potential deferral situations.
G.3.1 Fixed schedule
Fixed schedules are often used to address parts that predictably wear out, gum up, foul, corrode,
etc. Inspection checklists, such as those listed in Annex E, can supplement scheduled preventive
maintenance by identifying corrosion and wear and determining what parts need to be replaced.
When a part is found to be out of tolerance, the part is repaired or replaced to bring the equipment
back to an as good as new condition.
Some of the advantages of conducting preventive maintenance on a fixed schedule include:
allows maintenance effort to serve as a training tool
improved process uptime and fewer process upsets
planned maintenance resulting in a safe plant floor environment
planned maintenance resulting in shorter downtime
sustain warranty protection
reduced spares inventory

G.3.2 Predictive maintenance schedule
Predictive, or condition-based, maintenance represents a means to detect equipment
degradation, allowing repair to occur prior to a complete failure. It is only appropriate when there
is a method in place that allows measurement of degraded performance so that a predetermined
intervention point can be defined. For example, inspection or proof testing checklists can be
used to identify when replaceable parts are wearing out, so that replacement can be scheduled
before the equipment fails.
For predictive maintenance, the timing is determined by an inspection, test, or diagnostic
result. The MI plan should define the response required once a deficiency has been
identified and when the task becomes overdue. The response to an overdue task will need to
consider how fast the equipment is degrading. The response is generally more critical than
scheduled maintenance since degradation has already been identified and documented either
through inspection activities or automated diagnostics that alert personnel when there is a need
for intervention.
For example, in a 2oo3 voting arrangement of level sensors where two sensors are DP level and
one is radar level, comparison diagnostics can be used to identify the onset of excessive drift or
impulse line pluggage. Instead of cleaning the impulse lines on a weekly basis, the lines could be
cleaned based on the diagnostic results.
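The comparison diagnostic just described, as an added example that is not from ISA-TR84.00.03: Python that runs over a constructed window of readings from a hypothetical 2oo3 level group (tags LT-101A and LT-101B are DP transmitters, LT-101C is radar) and flags the onset of drift and a frozen DP reading, the usual signature of a plugged impulse line. The alarm limits are assumed values chosen for the example, not figures from the report.

```python
from statistics import median
from typing import Dict, List

# Diagnostic limits, all in percent of level span. These are assumed values for
# this example, not figures from ISA-TR84.00.03; an MI plan sets them per SIF.
DEVIATION_LIMIT = 2.0    # |reading - group median| at any sample that raises a deviation alarm
DRIFT_LIMIT = 1.0        # change in (reading - median) across the window that flags drift onset
FROZEN_TOLERANCE = 0.05  # peak-to-peak movement at or below which a reading counts as frozen
LIVE_MOVEMENT = 0.3      # movement some other sensor must show for "frozen" to be meaningful

# Constructed sample data (hypothetical tags): eight consecutive readings, in
# percent of span, from a 2oo3 level group of two DP transmitters and one radar.
SENSOR_TECHNOLOGY = {"LT-101A": "DP", "LT-101B": "DP", "LT-101C": "radar"}
SAMPLE_READINGS = {
    "LT-101A": [52.0, 52.4, 51.8, 52.1, 52.6, 52.9, 53.3, 53.6],  # creeping upward
    "LT-101B": [52.0, 52.0, 52.0, 52.0, 52.0, 52.0, 52.0, 52.0],  # never moves
    "LT-101C": [52.1, 51.7, 51.6, 52.0, 51.9, 51.5, 51.7, 51.8],  # follows the vessel
}


def median_series(readings: Dict[str, List[float]]) -> List[float]:
    """Per-sample median of the voting group; the comparison reference."""
    n = len(next(iter(readings.values())))
    return [median([series[i] for series in readings.values()]) for i in range(n)]


def compare_diagnostics(readings: Dict[str, List[float]],
                        technology: Dict[str, str]) -> Dict[str, List[str]]:
    """Run comparison diagnostics over a window of readings and return, per tag,
    its findings: DEVIATION (far from the group right now), DRIFT (offset from
    the group growing across the window) and FROZEN (a DP reading that stays flat
    while the level is moving, the signature of a plugged impulse line)."""
    ref = median_series(readings)
    ranges = {tag: max(s) - min(s) for tag, s in readings.items()}
    findings: Dict[str, List[str]] = {tag: [] for tag in readings}
    for tag, series in readings.items():
        offsets = [r - m for r, m in zip(series, ref)]
        if max(abs(o) for o in offsets) > DEVIATION_LIMIT:
            findings[tag].append("DEVIATION")
        if abs(offsets[-1] - offsets[0]) > DRIFT_LIMIT:
            findings[tag].append("DRIFT")
        others_move = max(v for t, v in ranges.items() if t != tag)
        if (technology.get(tag) == "DP"
                and ranges[tag] <= FROZEN_TOLERANCE
                and others_move >= LIVE_MOVEMENT):
            findings[tag].append("FROZEN")
    return findings


def maintenance_actions(findings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Turn findings into condition-based tasks, replacing the fixed weekly
    impulse-line cleaning with cleaning only where pluggage is indicated."""
    actions: Dict[str, List[str]] = {}
    for tag, flags in findings.items():
        tasks = []
        if "FROZEN" in flags:
            tasks.append("clean impulse lines; confirm reading moves with process")
        if "DRIFT" in flags or "DEVIATION" in flags:
            tasks.append("verify zero/calibration; inspect impulse lines for partial pluggage")
        if tasks:
            actions[tag] = tasks
    return actions


if __name__ == "__main__":
    found = compare_diagnostics(SAMPLE_READINGS, SENSOR_TECHNOLOGY)
    for tag in SAMPLE_READINGS:
        print(tag, found[tag] or "no finding")
    for tag, tasks in maintenance_actions(found).items():
        print(tag, "->", "; ".join(tasks))
```

On the constructed window LT-101A is flagged for drift before its offset reaches the deviation alarm, LT-101B is flagged as frozen, and the radar unit gets no finding, so only the two DP units generate work.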
Advantages of predictive maintenance include:
improved process uptime and fewer spurious shutdowns, especially when used in conjunction
with fault tolerant systems
availability of information to support troubleshooting
providing an alert to the appropriate personnel, giving them some time to optimize the
performance of critical maintenance activities
integration with other mechanical integrity efforts resulting in a cost effective efficient multi-
tasking maintenance program
automated documentation of specifically defined degraded conditions to support proven in
use
extended life as degraded conditions are repaired prior to more complete failures
analysis of actual equipment wear-out versus estimated wear-out performance allowing MI
plan upgrade
controlled analysis of replaced equipment for evidence of unexpected application limitations
or potential unsafe failures
optimized spares inventory
G.4 Documentation
Preventive maintenance should be documented and include step-by-step instructions as needed
to ensure the task is being performed consistently and properly. The procedure should include:
procedure for performing the task
who is qualified to perform the task
pass / fail criteria
as-found condition
listing of parts replaced
other work performed in response to as-found condition
as-left condition
name of person(s) performing task

Where the as-found condition is outside the expected condition, the current condition should be
documented for that piece of equipment. The deviation from expected performance should be
investigated to determine if the frequency of the maintenance activity is adequate or if potential
changes should be considered. Options include development of additional scheduled
maintenance activities, redesign of the device in question or implementation of predictive
maintenance via diagnostics.

- 91 - ISA-TR84.00.03-2012
Annex H Example proof test template and procedures
The proof test template (Table H.1) and technology test procedures contained in this technical
report are examples illustrating how some user companies develop and implement proof test
procedures. It
should not be interpreted that these are recommendations or requirements for proof testing any
specific technology. Users should consider their application and SIF requirements, as well as
manufacturers recommendations, when writing proof test procedures. The user is cautioned to
clearly understand all facility design and operational constraints prior to developing and
executing proof test procedures.
Table H.1 Proof test procedure template
Generic Procedure
Scope
This generic procedure is meant to provide a basis to develop plant specific and
technology specific proof test procedures. It DOES NOT take into account specific
concerns regarding safety, process control disturbances, etc. that may be related to a
particular plant or process. While there are some points in the procedure where
notice is given that safety, control of the process, etc. should be considered, it is the
responsibility of the person using this document, and modifying it for a specific plant
and technology, to take these process concerns into account. Steps that lead the
user to check specific known hazards should be added to this procedure by plant
representatives who understand the process, and who thus know what kinds of items
should be addressed.
This document explains the basic rules of the test procedures and provides directions for
the development of plant specific procedures and/or new procedures.
(Define the task along with explaining when to apply and why it must be done a specific
way. Also, describe how it affects product or service quality)
General Plant and SIF Information
Facility code number: ___________________________________
Plant code number: _____________________________________
Safety Instrumented Function (SIF) identification number: ________________
Protective system type (circle applicable type)
Alarm
Shutdown interlock
Permissive interlock
Auto-Start interlock
Protective circuit description: (Reference applicable interlock table or master alarm
summary as appropriate)
___________________________________________

Basic Information for Test Procedures in SIS Loops
There are four topics that form the basis for test procedures for instruments used in SIS
loops:
1) Diagnostic coverage: All calculations of test intervals and reliability for each instrument
in a SIS loop assume a certain degree of diagnostic coverage. This might be limited
to the check of shorts or open circuits for an analog instrument or a certain amount of
diagnosis of the internal function of a smart instrument or even 100% diagnosis
coverage with an internal test unit. The scope of the test is to check all functions not
covered by the diagnosis of the instrument. Example: A smart pressure transmitter
does not check (today) the function of the process connection (plugging), the drift of
the sensor module and the accuracy of an A/D converter. Therefore these functions
have to be part of the test procedure: The process connection is checked by visual
inspection and the other functions are checked by a zero and calibration test. The
result of this part must be to ensure that the instrument is functioning as it would if
new.
2) Reliability: To meet the business requirements for Asset Mechanical Reliability
(AMR), additional testing is done to ensure that the instrument will function properly
during the coming period until the next test. Therefore some checks are added which
are not affecting the measurement now, but may become a failure in the future.
Example: Insulation test for thermocouples.
3) Verification: Some tests are included to ensure that the instrument has the same
function as designed. This should ensure that during a replacement the right
instrument and the proper settings have been done.
4) Experience of people: Only experienced people should perform tests on instruments in SIS
loops. The procedures are written for this level only. A note should be added to all
procedures:
Note: The person performing the work should have training on the ____ and ____
and handling of _____ or thoroughly familiarize themselves with the
instrument's manual.
Site specific requirements for training may be added here
Attributes and Categories
Categories: Safety / Environmental / Asset Protection / Other

Hazards and precautions
The table below lists job hazards and the precautions that should be taken for ergonomics,
safety, environmental, quality, and Good Manufacturing Practices before beginning this
procedure.
Specific hazards should also be addressed in the procedure steps.
Hazard | Precaution

Tools and equipment
The tools and equipment listed below are needed to do this job.
Include safety equipment here.
Tool/Equipment | Use (if explanation is needed)
Hand tools     |
Consumables    |

Before you begin
Before beginning this procedure ...
List things that have to be done before the procedure can be started.
List any resources and references to consult before beginning.
Examples
obtain a valid work permit for the planned maintenance task
check working conditions of test equipment or make arrangements with a test lab or
have needed calibration gases available
ensure the Operations/Operator communication link is open so that they are kept fully aware of
work activity as it progresses, e.g., place loop in manual prior to removing equipment from
service
confirm equipment tag corresponds with maintenance management system work order tag

Safe operating limits
List general operating limits here if they apply.
List specific limits in the procedure table.
Example: A root valve is leaking and the process cannot be isolated.

Consequences of Deviation
List consequences of deviation from the procedure steps
Steps necessary to correct or avoid the deviation must be listed in the procedure.
Type of deviation | Consequences and how to avoid
Procedure __________ follows these steps to ________________:
Limit each procedure table to a maximum of nine steps if possible. Procedures may
have more than one procedure table. Use of the Step/Action table or the checklist
format below may be useful. For examples of proof test steps, refer to specific
instrument device technology examples, which follow after this template.
Step | Action

Procedure Checklist
The checklist contains critical steps. The as-found and as-left results should be noted
to document the performance of a sensor or final element during the proof test. These
data must be evaluated periodically to determine the proper length of the proof test interval
or to make corrections (extension or shortening of the proof test interval).
In some geographic regions it is required to file a signed record. In this case the checklist
can be printed, the results listed, and the record signed by the person doing the job.
In other regions (e.g., the US) this is not required. In this case the checklist may be used
to note the as-found / as-left results for later input in the maintenance management
system.
NOTE Add Hazard/Precaution sub-label if applicable to a particular step.

Part | Step | Action | Pass/Fail Criteria | As-found | As-left | Checked by
Condition of process installation
Condition of wiring
Visual Inspection
Trip point check
Zero check
Out of range check
Failure detection values
Range of instrument and HMI
Final element check
Instrument back in operation
All corrective actions, damage codes and as-found results reported in maintenance management system and work order closed.
Instrument replaced with proper settings
Related Documents List related and supporting documents like manuals here:
Signature This procedure checklist was completed by (applies if a hardcopy of checklist must be
signed and filled):
____________________________________ ____________________
(Name) (Date)
Records control File this completed procedure checklist (applies if checklist format utilized) in:
____________________________.
Validation This procedure was validated as the best known way to do this job by:
____________________________________ ____________________
(Name/Job Title) (Date)
Approvals This procedure was approved by:
____________________________________ ____________________
(Name/Job Title) (Date)
Document history Below are at least the last three revisions of this document, including all revisions within
the last three months.
Date | By | Description
Annex I Proof test examples for various SIF technologies
The following information can be used to develop proof tests using the proof test template in
Table H.1. The user is reminded that the proof test template and the device tests contained in
this technical report are examples illustrating how some user companies develop and implement
proof test procedures. It should not be interpreted that these are recommendations or
requirements for proof testing any specific technology. The user is cautioned to clearly
understand manufacturer testing requirements, facility design and operational constraints prior to
developing and executing proof test procedures.
I.1 General considerations
Proof tests may be performed as partial device tests, full device tests, segment tests, or
end-to-end tests. The mechanical integrity plan must ensure that the complete SIS is demonstrated
to work according to specification and is being maintained in the as good as new condition
throughout the equipment life. The proof test procedure should describe the test scope and
clearly define the pass-fail criteria. The proof test procedure should clearly require that the test is
performed and the results recorded in the as-found condition. The proof test procedure should
also account for testing and inspection requirements that are identified in the equipment safety
manual.
I.1.1 Test facility design
In the design of your test facility you need to consider the types of equipment you will be testing
and what off-line testing you will be able to conduct. The typical testing facility will include
equipment for calibration of temperature elements and transmitters, pressure and level
transmitters and components, and electronic components such as trip amps. In some cases, the
test facilities will include flow testing equipment. For organic vapor monitors, the test facility will
need to have a source of test gases to test the monitors with.
I.1.2 Test equipment
It is important that the test equipment used is periodically calibrated to a recognized national
standard. Considerations need to be given to where the testing equipment will be used. Will the
test equipment be used in a hazardous area where explosion proof test equipment will be
required? The use of smart testing equipment provides many advantages, which will help
improve consistency in testing and reduce systematic errors. Some smart testing equipment
include features such as instructing the technician what steps to perform when, recording of as-
found and as-left values, identification of test failure, and upload capability to the maintenance
management system.
I.1.3 Ergonomics
It is important to assess aspects of the proof test steps, which could require awkward body
positions, heavy lifts and repetitive motion. Ensure that the necessary personnel, equipment, and
planning are available to expeditiously resolve any such issue.
I.1.4 Preventive maintenance
As part of the testing and inspection of the SIS equipment, consideration needs to be given to
ensuring that the recommended maintenance is performed on the equipment, so that the
component is returned to service in an as-new condition.
I.1.5 As-found/as-left
Ensure that when a proof test is about to be or is being performed, the as-found condition (the
initial state of the equipment) is documented prior to any corrective action or preventive
maintenance activity. The as-found information is critical to understanding the actual degradation
or failure rate of the equipment. Also, ensure that the as-left condition, or the final state of the SIS
equipment after MI activities, is documented prior to returning the equipment to service.
I.1.6 Proof testing pitfalls
Personnel participating in all aspects of SIS proof testing should be competent to carry out their
assigned tasks. The need for personnel to be competent in carrying out their assigned task is a
fundamental and obvious prerequisite for the avoidance of unsafe situations, particularly around
SIS maintenance. This subclause describes some common pitfalls that can occur (and have
been seen) during SIS proof testing.
I.1.6.1 Test philosophy
1) Living by a philosophy that anybody can do proof testing. Most SIS systems are not
trivial, and as such require a certain level of competency to understand their purpose and to
maintain so that they provide a high level of integrity. Simply put, specially trained people
should take responsibility and perform this function. A failure to recognize this fact can lead
to unexpected process trips during on-line testing, and in some cases more severe unsafe
situations.
2) Using an open work order as an excuse for equipment not working. If equipment is not
functional at the proof test, this condition should be documented and corrected. An open
work order is not justification to skip the test.
3) Not properly planning test execution during major projects resulting in test
invalidation. On major projects, there can be intense pressure to test SIS equipment as
soon as it is installed but prior to other work in the unit being completed. However, some late
stage construction work can impact SIS equipment. For example, SIS equipment may need to
be disconnected in order to conduct pipe or vessel pressure testing, which invalidates the
proof test. Painters and insulators could damage SIS equipment that has already been
tested.
4) Not performing a complete proof test to demonstrate required operation. For example,
incidents have occurred where it was later shown that the level switch was manually toggled
rather than proving that the level float could break the contact. It is important to demonstrate
the functionality documented in the SRS. This includes not only the basic functionality, but
also validating that diagnostic alarms are still annunciating as expected, pre-trip and trip
alarms are displayed at the correct priority, SIS valves are not leaking, and the application
program executes functions as specified.
I.1.6.2 Pre-test tasks
1) Failure to fully open or fully close a bypass valve associated with a SIS final element
valve at the beginning and end of proof testing. A failure to fully open a bypass valve
associated with a SIS final element valve could lead to an actual trip of the process - due to
insufficient flow for maintaining downstream operating conditions, when the SIS final element
valve is full stroke tested during proof testing.
2) Incorrectly inserting a hardwired jumper on an output while on-line and causing a trip.
In some PLC systems, the digital output card could generate a diagnostic fault when the
hardwired jumper is inserted. Depending on the architecture, this could lead to the PLC
generating a trip condition. Also, the hardwired jumper can cause a ground fault, leading to
de-energization of the digital output.
3) Not performing a walk-through prior to initiating proof testing. A walkthrough should be
conducted to locate the equipment to be tested, to ensure that blinds and bleeds are properly
lined up, to verify that no process fluid or materials are trapped in lines, and to identify where
equipment is missing. This walk-through is often skipped because it is assumed that it is not
necessary, but tests go much smoother and more efficiently when it occurs.
4) Failure to lock out all energy sources (e.g., electrical, pneumatic, hydraulic, steam,
gravity) and to bleed all latent energy sources (e.g., pneumatic, hydraulic) as part of
lockout. Failure to do this can cause a safety hazard during testing.
I.1.6.3 General testing mistakes
1) Testing the wrong transmitter, when individual bypass functions are provided for
individual field instruments in a redundant channel subsystem. For example in a 1oo2
voting subsystem, bypassing transmitter A during an on-line test, but accidentally working on
transmitter B results in a spurious trip. To prevent this some users implement a bypass of the
entire subsystem, which disables the SIF during the test. Compensating measures equivalent
to the loss of protection must then be provided, which for high SIL requirements can be
difficult. Individual bypasses allow the SIF to continue to provide some protection reducing
the required compensating measure. In some cases, the configuration of the bypass may
allow the SIF to provide sufficient protection negating the need for a compensating measure.
2) Calibrating a transmitter prior to recording the as-found condition. Technicians
routinely perform calibration on control transmitters to minimize process measure error. For
SIS transmitters, it is important for the as-found condition to be recorded prior to initiating
calibration, zero error adjustment, or ranging.
3) During level instrument proof testing, a failure to recognize and compensate for
specific gravity differences. For example, the level trip is based on fluid specific gravity A,
but the level test uses a fluid with specific gravity B. A common occurrence here is users
using water to conduct the level test, but the normal fluid is hydrocarbon. While the level
instrument may function and give the appropriate alarms/trip actions using specific gravity B
during testing, the result of this situation in the real world is the actual alarm/trip setting will
be different at specific gravity A.
4) Moving the valve repeatedly until it moves freely then recording the as-found. When
maintenance is conducted on control valves, technicians will open and close the valve
several times to get the valve to move freely across its range. For SIS final elements, it is
important for the as-found condition be recorded prior to working on the valve.
5) Testing both circuits of a shared final element at the same time. When the BPCS and SIS
share a final element, sometimes the procedure is incorrectly written so that both output
circuits are de-energized prior to checking the final element state. This does not support the
validation of each circuit and it is possible for the final element to achieve the correct state
with one failed circuit. Instead each circuit should be tested individually.
I.1.6.4 Post-test tasks
1) Failure to re-open root (or manifold) valves to an instrument following a proof test. This
situation leads to the instrument reading a constant value and failing to see actual process
changes because it is blocked in.
2) Not recognizing, or not remembering to remove, a forced value in a field instrument after
proof testing. When this occurs, the field instrument reads a constant value because the value
has been locked into its memory. This is a very dangerous situation, and can sometimes go
unrecognized for a period of time.
3) Leaving a smart transmitter in test mode after proof test. The field instrument reads a
constant value at last test state. This is a very dangerous situation and can go unrecognized
for a period of time.
4) Failure to fully open or fully close a bypass valve associated with a SIS final element
valve at the end of proof testing. A failure to fully close a bypass valve associated with a
SIS final element valve could lead to an unsafe condition - if there is a process demand
resulting in a need for the SIS final element valve to close, but its bypass valve is still open
following proof testing. This situation results in no isolation of the process stream, and feeds
the unsafe situation.
5) Failure to return a SIF function to a normal operating state, before the removal of its
bypass. Following simulated on-line proof testing, if one forgets to return the value of the SIF
trip function from the trip value back to a normal operating value and removes the SIF trip
bypass function - the SIS will initiate a process trip. So many times, people performing the
test get caught up in the moment or get distracted, and forget to recognize this fact. In the
end, they learn the hard way.
6) Failure to remove bypasses, forces, and jumpers when testing is complete. This
situation can result in the dangerous failure of the SIS, where it is disabled. For this reason,
it is recommended that any form of bypassing be covered by documented procedures that
ensure proper installation and that the removal of bypasses be independently verified.
7) Failure to turn the heat tracing on before returning the sensor to service after
maintenance on dP measurements. Turning on heat tracing once the process is operating
can cause one leg of the transmitter to heat up faster than the other, causing a false signal. If
the heat tracing is not turned on, the material could solidify or freeze in the impulse lines,
causing a failure of the measurement.
I.2 Sensor testing
For SIS sensors, testing, inspection and maintenance are performed to ensure that equipment is
not in a failed or degraded condition. The testing, inspection and maintenance procedures are
designed to ensure that the performance of the components of an SIS remains in the as good as
new condition. Testing of process sensors can be performed on-line while the process is
operating or off-line while the process is shut down. In either case, the process may be designed
such that the sensor can be removed for testing. Factors to consider include:
can the sensor be removed for testing and calibration,
will the sensor be calibrated on-line, and
will the process be down and cleaned out, or operating?
Process sensors that are going to require on-line testing should generally be installed with some
level of redundancy to allow testing of one sensor while another is still making the necessary
measurement. If on-stream reliability of the process is critical, a 2oo3 configuration of sensors
may be necessary. With this configuration, one sensor can be tested at a time without any
bypasses and without any sacrifice of SIF integrity or safety. Logic for the SIF should be
designed to reduce the 2oo3 voting to a 1oo2 while one sensor is being tested. If a 1oo2
configuration is used for sensors, a bypass will be necessary to allow on-line testing of each
sensor while maintaining measurement capability with the other sensor. Logic during such a test
will reduce to 1oo1, which is a lower SIF integrity than the 1oo2, and appropriate precautions
should be taken during the testing to ensure safety is not compromised. The key is to make sure
that with the 2oo3 voting the sensor defaults to the tripped direction whereas the 1oo2 would
default to the non trip direction. The technician will need to identify the trip direction of the
sensor and may need to implement a bypass or software force to achieve the appropriate
degraded state.
While having fault tolerant systems provides the capability to perform on-line testing, the user
needs to keep several things in mind.
1) Any time a bypass is implemented for on-line testing there is a risk for human error which can
leave the process vulnerable or result in a spurious trip. The user needs to make sure that
the labeling of equipment is accurate and clear. For instance, the control room may bypass
sensor 1 of a 1oo2 configuration, but the technician in the field may pull sensor 2 leading to a
trip of the process.
2) In many cases on-line testing does not cover all the potential covert failures which only can
be tested during off-line testing.
3) There is a limited amount of time to complete the testing and repairs if necessary. If a
component fails the test, there should be a procedure to ensure replacement or repair of the
equipment within the assumed mean time to restoration time or a process shutdown may be
required.
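The degraded voting described above (2oo3 reducing to 1oo2, 1oo2 reducing to 1oo1) and the wrong-sensor pitfall in item 1) are modelled in this added Python example, which is not part of the report. The sensor tags, the convention that a reading of True means "in the trip state", and the extension of the default-direction rule to m >= 2 groups in general are assumptions of the example.

```python
"""Added example, not from ISA-TR84.00.03: how a SIF input group's voting
degrades while one sensor is bypassed for on-line proof testing, and why a
bypass applied to the wrong sensor causes a spurious trip.

Conventions assumed here: a reading of True means the sensor is in its trip
state (beyond set point, or pulled/de-energised); False means healthy and not
tripped. A bypassed sensor's live reading is ignored and replaced by a
direction-dependent default, as the report describes for 2oo3 and 1oo2.
"""
from __future__ import annotations


class VotingGroup:
    """MooN voting: the SIF trips when at least m of the n sensors trip."""

    def __init__(self, m: int, n: int) -> None:
        if not 1 <= m <= n:
            raise ValueError("need 1 <= m <= n")
        self.m, self.n = m, n

    def bypass_default(self) -> bool:
        # Value substituted for a bypassed sensor. With m >= 2 (e.g. 2oo3) the
        # bypassed channel defaults to the tripped direction, so 2oo3 becomes
        # 1oo2 of the remaining sensors. With m == 1 (e.g. 1oo2) it defaults
        # to the non-trip direction, so 1oo2 becomes 1oo1. Applying the rule
        # beyond the report's two cases is an assumption of this example.
        return self.m >= 2

    def degraded_logic(self, bypassed: set[str]) -> str:
        """Name of the effective voting while the bypassed sensor is out."""
        k = len(bypassed)
        if k > 1:
            # The report tests one sensor at a time; a second bypass would leave
            # a 2oo3 group permanently tripped or a 1oo2 group unprotected.
            raise ValueError("bypass one sensor at a time")
        return f"{max(self.m - k, 1)}oo{self.n - k}"

    def vote(self, readings: dict[str, bool], bypassed: set[str] = frozenset()) -> bool:
        """True when the group demands a trip, given live readings and bypasses."""
        if len(readings) != self.n:
            raise ValueError(f"expected {self.n} readings")
        if not set(bypassed).issubset(readings):
            raise ValueError("bypass refers to a sensor not in this group")
        self.degraded_logic(set(bypassed))  # enforce the one-at-a-time limit
        default = self.bypass_default()
        votes = [default if tag in bypassed else state for tag, state in readings.items()]
        return sum(votes) >= self.m


def scenarios() -> dict[str, bool]:
    """Constructed cases from the report's discussion; True means the SIF trips."""
    two_oo_three = VotingGroup(2, 3)
    one_oo_two = VotingGroup(1, 2)
    healthy3 = {"A": False, "B": False, "C": False}
    healthy2 = {"A": False, "B": False}
    return {
        # 2oo3: sensor A can be driven through its trip point with no bypass.
        "2oo3_no_bypass_test_A": two_oo_three.vote({**healthy3, "A": True}),
        # 2oo3 with A bypassed: B and C vote 1oo2, so a real demand seen by B trips.
        "2oo3_A_bypassed_idle": two_oo_three.vote(healthy3, {"A"}),
        "2oo3_A_bypassed_demand_on_B": two_oo_three.vote({**healthy3, "B": True}, {"A"}),
        # 1oo2: driving A through its trip point with no bypass is a spurious trip.
        "1oo2_no_bypass_test_A": one_oo_two.vote({**healthy2, "A": True}),
        # 1oo2 with A bypassed: B alone protects (1oo1), so testing A is safe.
        "1oo2_A_bypassed_test_A": one_oo_two.vote({**healthy2, "A": True}, {"A"}),
        # Pitfall: control room bypasses A, technician pulls B. The logic solver
        # cannot tell a pulled sensor from a real demand, so the process trips.
        "1oo2_A_bypassed_B_pulled": one_oo_two.vote({**healthy2, "B": True}, {"A"}),
    }


if __name__ == "__main__":
    print(VotingGroup(2, 3).degraded_logic({"A"}), VotingGroup(1, 2).degraded_logic({"A"}))
    for name, tripped in scenarios().items():
        print(f"{name:32s} trip={tripped}")
```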
The testing frequency for sensors can be more or less frequent than that for other SIS equipment
depending on the MTTF of the SIS equipment used and the sensor contribution to the overall SIF
integrity. Where sensors are installed in redundant configurations such as 2oo3, the testing of
individual sensors can be extended by installing diagnostics such as having comparison
monitoring of the sensor signals and alarming when one or more signals depart from acceptable
ranges. Then if there is an alarm indicating a failure of the sensors, additional testing and
calibration can be performed at that time. While diagnostics can provide identification of many of
the covert failures of a sensor, full functional testing of a sensor still needs to be performed.
Testing sensors may involve any of the following techniques; the technique used to test the SIF
should be specified in the test procedure for the SIF. This could be:
1) use of process to drive transmitter (NOTE Using the process to drive the transmitter will
provide assurance the transmitter can measure the process conditions but this technique
may not always be available if the process is not in operation.)
2) simulating the sensor input via appropriate measurement source
3) simulating process conditions utilizing an external simulator such as using a hand pump to
pressure up a level transmitter
4) simulating the sensor output via a mA simulation tool
NOTE Using a current simulation on the output tests the wiring and the receiving device but does not test the
transmitter function.
Measure the sensor output conditions - If the output is linear, measure the output level with
respect to the current process condition such as temperature, pressure, product level etc.
Sensor testing will vary depending on the type of sensor used.
In cases where the transmitters or switches are in a voting configuration, the redundant
transmitter(s) will either need to be isolated or the trip signal disabled for the redundant
transmitters to ensure the trip signal is coming from the transmitter being tested. Each
transmitter in the voting configuration will need to be tested separately if the system has not
been set up to indicate the trip of each sensor separately.
Isolation valves on all sensors should be verified open at end of test.
Each sensor's off-line condition should be checked and verified against the expected value with
respect to the process off-line conditions. Also, verify that the sensor, when brought back on-line,
provides the expected process variable measurement based on the known process conditions.
I.2.1 Pressure
I.2.1.1 mA pressure transmitter
Using a 4-20 mA signal simulator or hand held communicator connected to the transmitter, verify
the transmitter fault logic, per NAMUR Ne43, by performing the following steps:
1) connect the simulator to the instrument loop being tested
2) drive the output current to 21.2 mA (or whatever the fault value is defined by the
manufacturer - a different value may be selected by the user with assurance that upscale
overdrive has taken place) and verify readout device indicates bad measurement
3) drive the output current to 3.5 mA (or whatever the fault value is defined by the manufacturer
- a different value may be selected by the user with assurance that downscale overdrive has
taken place) and verify readout device indicates bad measurement
4) disconnect the simulator from the loop being tested
Perform the following steps, as applicable, for verification of transmitter input processing and trip
check:
1) ensure root process isolation valves to transmitter are closed
2) relieve pressure and (if checking differential pressure device, equalize pressure on high and
low side of sensing diaphragm) check zero mA output to read 4 mA and trim mA output if
necessary. Record as-found/as-left.
3) connect the calibrated pressure source to the process side of the transmitter downstream of
the process isolation valve(s). If the process does not have a set up for testing the
transmitter in process then connecting to the impulse piping or disconnecting the process
seal installing a test flange is acceptable.
4) set the calibrated pressure source to allow simulation of the input pressure over the
calibrated range of the transmitter. Perform a calibration check rising at 0%, 50% and 100%
of calibrated range and verify readings at HMI concur, repeat process decreasing. Record all
as-found conditions prior to making any adjustments or repairs.
5) set the pressure source to the lower range (zero) of the transmitter
6) increase the simulated pressure until the low pressure trip and pre-alarm clears as indicated
by loop documentation (if applicable). Verify and document as-found condition that trip and
pre-alarm clear at correct set point. Record as-found conditions.
7) Increase the simulated pressure until a high pressure pre-alarm and trip occurs as indicated
by the loop documentation (if applicable). Verify and document as-found conditions that pre-
alarm and trip occur at correct set point. Record as-found conditions. Make sure to approach
the pre-alarm and trip point in such a manner to ensure accurate testing results. This is more
important when dealing with analog trip setting on trip amps where there is no digital readout
and set point.
8) increase the pressure to the high range limit for the transmitter and verify the upper limit is
accurate. Record as-found conditions.
9) decrease the simulated pressure until the high pressure trip and pre-alarm clears as
indicated by loop documentation (if applicable). Verify and document as-found conditions that
trip and pre-alarm clear at correct set point. Verify the dead band setting on the trip is
correct. Record as-found conditions.
10) decrease the simulated pressure until a low pressure pre-alarm and trip occurs as indicated
by loop documentation (if applicable). Verify and document as-found conditions that pre-
alarm and trip occurs at correct set point. Make sure to approach the pre-alarm and trip point
in such a manner to ensure accurate testing results. This is more important when dealing
with analog trip setting on trip amps where there is no digital readout and set point. Record
as-found conditions.
11) return the pressure to the lower range limit to check the repeatability of the transmitter
12) document as-found and as-left alarm and trip settings, and calibration check points on
appropriate place in test procedure report
13) make adjustments to transmitter if required then repeat test recordings as-left conditions
14) disconnect and close up the process connection for the pressure source
15) verify that process isolation valve(s) is open
NOTE:
If the root valve leaks, the procedure above may give false results.
The procedure above may not be applicable for high pressure applications.
Ensure the process can tolerate the SIF trip, or place the instrument into manual (bypass) prior to starting the
test.
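As an added example that is not part of the report, the following Python evaluates a constructed as-found record of the mA pressure transmitter procedure above: the NAMUR NE43 fault-signal step (21.2 mA and 3.5 mA), the 0/50/100 % rising and falling calibration check, and the high trip activation, clearing and dead band check. The calibrated range, tolerance, set point, dead band and every reading are constructed values; the current bands are those of NAMUR NE43.

```python
"""Added example, not from ISA-TR84.00.03: evaluating the as-found record of a
4-20 mA pressure transmitter proof test against the documented settings.

Assumptions (constructed for this example): a 0-1000 kPa calibrated range,
0.5 % of span acceptance tolerance, a high trip at 800 kPa with a 20 kPa
dead band, and no pre-alarm. The current bands follow NAMUR NE43
(3.8-20.5 mA measurement range, <= 3.6 mA / >= 21.0 mA failure signal).
"""
from __future__ import annotations
from dataclasses import dataclass

LRV, URV = 0.0, 1000.0          # calibrated range, kPa (constructed)
SPAN = URV - LRV
TOLERANCE_PCT = 0.5             # acceptance, % of span (assumed)
HIGH_TRIP_SP = 800.0            # documented high trip set point, kPa (constructed)
HIGH_TRIP_DEADBAND = 20.0       # documented dead band, kPa (constructed)


def classify_ne43(loop_ma: float) -> str:
    """Classify a loop current into its NAMUR NE43 band."""
    if loop_ma <= 3.6:
        return "fail_low"
    if loop_ma < 3.8:
        return "under_range"
    if loop_ma <= 20.5:
        return "valid"
    if loop_ma < 21.0:
        return "over_range"
    return "fail_high"


def fault_signal_check(driven_ma: float) -> bool:
    """Fault-logic step: True when the readout device must indicate bad measurement."""
    return classify_ne43(driven_ma) in ("fail_low", "fail_high")


def ma_to_pressure(loop_ma: float) -> float:
    """Linear 4-20 mA scaling onto the calibrated range."""
    return LRV + (loop_ma - 4.0) / 16.0 * SPAN


@dataclass(frozen=True)
class Point:
    applied: float    # pressure from the calibrated source, kPa
    loop_ma: float    # loop current measured at the transmitter, mA
    trip: bool        # high trip status observed at the logic solver


def calibration_errors(record: list[Point]) -> list[tuple[float, float, bool]]:
    """(applied, error as % of span, within tolerance) for every ramp point."""
    out = []
    for p in record:
        err_pct = (ma_to_pressure(p.loop_ma) - p.applied) / SPAN * 100.0
        out.append((p.applied, err_pct, abs(err_pct) <= TOLERANCE_PCT))
    return out


def trip_points(record: list[Point]) -> tuple[float | None, float | None]:
    """Applied pressure at which the high trip first activated (rising ramp) and
    then cleared (falling ramp). Resolution is limited by the ramp step size."""
    activate = clear = None
    for prev, cur in zip(record, record[1:]):
        if cur.trip and not prev.trip and activate is None:
            activate = cur.applied
        elif prev.trip and not cur.trip and activate is not None and clear is None:
            clear = cur.applied
    return activate, clear


def evaluate(record: list[Point]) -> dict:
    """Compare the as-found record with the documented calibration and trip settings."""
    tol_kpa = TOLERANCE_PCT / 100.0 * SPAN
    findings = [f"calibration error {err:+.2f} % of span at {applied:g} kPa"
                for applied, err, ok in calibration_errors(record) if not ok]
    activate, clear = trip_points(record)
    if activate is None:
        findings.append("high trip never activated on rising ramp")
    elif abs(activate - HIGH_TRIP_SP) > tol_kpa:
        findings.append(f"high trip activated at {activate:g} kPa, set point {HIGH_TRIP_SP:g}")
    if activate is not None and clear is None:
        findings.append("high trip did not clear on falling ramp")
    elif clear is not None and abs((activate - clear) - HIGH_TRIP_DEADBAND) > tol_kpa:
        findings.append(f"dead band {activate - clear:g} kPa, documented {HIGH_TRIP_DEADBAND:g}")
    return {"activated_at": activate, "cleared_at": clear,
            "findings": findings, "as_found_pass": not findings}


# Constructed as-found record: rising 0..100 % then falling back, as in steps 4-11.
AS_FOUND: list[Point] = [
    Point(0.0, 4.00, False), Point(250.0, 8.00, False), Point(500.0, 12.02, False),
    Point(750.0, 16.01, False), Point(795.0, 16.72, False), Point(800.0, 16.80, True),
    Point(1000.0, 20.00, True),                                    # upper range limit
    Point(800.0, 16.80, True), Point(790.0, 16.64, True), Point(780.0, 16.48, False),
    Point(750.0, 16.01, False), Point(500.0, 12.02, False), Point(250.0, 8.00, False),
    Point(0.0, 4.00, False),
]

if __name__ == "__main__":
    print("21.2 mA -> bad measurement:", fault_signal_check(21.2))
    print("3.5 mA -> bad measurement:", fault_signal_check(3.5))
    print(evaluate(AS_FOUND))
```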
I.2.1.2 Pressure switches
Perform the following steps for verification of switch input processing validation and trip check.
When a pressure switch is implemented, it is common to provide a pre-trip alarm using the
process transmitter. If a pre-trip alarm is provided, the technician will also need to perform the
tasks listed in B1.1 for a mA pressure transmitter in addition to testing the pressure switch.
1) close off the isolation valve(s) for the process
2) connect the calibrated pressure source to the input of the pressure switch downstream of
process isolation valve. If the process does not have a set up for testing the transmitter in
process then connecting to the impulse piping or disconnecting the process seal installing a
test flange is acceptable.
3) set the calibrated pressure source to allow simulation of the input pressure over the
calibrated range of the pressure switch
4) increase the simulated pressure until the low pressure trip clears as indicated by loop
documentation (if applicable). Verify and document the as-found condition that the trip
cleared at the correct set point.
5) increase the simulated pressure until a high pressure trip occurs as indicated by the loop
documentation (if applicable). Verify and document the as-found condition that the trip occurs
at the correct set point. Make sure to approach the trip point in such a manner to ensure
accurate testing results. This is more important when dealing with analog trip setting on trip
amps where there is no digital readout and set point.
6) decrease the simulated pressure until the high-pressure trip clears as indicated by loop
documentation (if applicable). Verify and document the as-found condition that trip clears at
correct set point. Verify the dead band is correct.
7) decrease the simulated pressure until a low-pressure trip occurs as indicated by loop
documentation (if applicable). Verify and document the as-found condition that trip occurs at
correct set point. Make sure to approach the trip point in such a manner to ensure accurate
testing results. This is more important when dealing with analog trip setting on trip amps
where there is no digital readout and set point.
8) make adjustments if required, then repeat the tests above recording the as-left conditions
9) disconnect pressure source and reconnect switch to process tap and open process root valve
I.3 Temperature
I.3.1 mA temperature transmitters
Verify the thermocouple (TC) fault protection by disconnecting the thermocouple and verifying
that the Open TC tag alarms in control center. The user should be aware that this might be
alarmed high, low or last depending on the safety requirements specification (SRS) and the application.
Using a 4-20 mA signal simulator, or hand held communicator connected to the transmitter, verify
the transmitter fault logic, per NAMUR Ne43, by performing the following steps:
1) connect the simulator/calibrator to the instrument signal loop being tested
2) drive the output to the device's high fault value (for example to 21.2 mA. A different value
may be selected by the user with assurance that upscale overdrive has taken place) and
verify readout device indicates bad measurement.
3) drive the output to the device's low fault value (for example to 3.5 mA. A different value may
be selected by the user with assurance that downscale overdrive has taken place) and verify
readout device indicates bad measurement.
Perform the following steps as applicable for verification of transmitter input processing and trip
check:
1) verify the thermocouple (TC) type by physical examination of tag or color code on
thermocouple and confirm that the transmitter is set for the correct thermocouple type
2) verify the TC open circuit detection by disconnecting the TC and verifying the appropriate
transmitter response
3) connect the mV simulator to the TC wiring to the transmitter to simulate the TC input
4) perform a calibration check by entering mV or temperature signals corresponding to 0%, 50%
and 100% of calibrated range and verify readings at HMI and simulator concur. Repeat
process decreasing. Record all as-found conditions prior to making any adjustments or
repairs.
5) starting from the low scale mV or temperature signal, increase the simulated temperature
until the low temperature trip and low temperature pre-alarm clear. Record as-found
mV/temperature readings for these two points. Verify and document that pre-alarm and trip
clear at correct values.
6) continue increasing the mV or temperature signal until the high temperature pre-alarm and
high temperature trip activate. Record the as-found mV/temperature readings for these two
points. Verify and document that pre-alarm and trip activate at correct values.
7) decrease the mV or temperature signal until the high temperature trip and high temperature
pre-alarm clear. Record as-found mV/temperature readings for these two points. Verify and
document that pre-alarm and trip clear at correct values and that the dead band setting on
the trip is correct.
8) decrease the mV or temperature signal until the low temperature pre-alarm and low
temperature trip activate. Record as-found mV/temperature readings for these two points.
Verify and document that pre-alarm and trip activate at correct values and that the dead band
setting on the trip is correct.
9) if any readings are out of specification and require adjustment or repairs, make adjustments
and repairs then repeat steps 1 through 5 recording readings for as-left condition
10) disconnect the mV/temperature simulator and simulator/calibrator then reconnect the
thermocouple. Verify that the thermocouple polarity is correctly connected.
Since TC assemblies are relatively inexpensive, consider keeping a calibrated spare for SIS
applications in the plant instrument shop or warehouse for change out at designated proof test
intervals. Then checking the calibration of the removed TC in the instrument shop or lab, to
determine if it can be placed in the spare inventory for use at the next proof test interval, is
recommended. Thermocouple assemblies are subject to aging and accelerated calibration drift,
which varies with TC assembly type and the process streams to which they are exposed. These
considerations will set the proof test or change-out interval. (For safety applications, during the
design phase, the use of a thermowell should be considered along with process temperature
reading lag time due to thermowell thickness.) If the temperature sensor is a bare sensor (not in
a thermowell) ensure the process is cleaned out so it is safe to remove the sensor.
Using a calibrated temperature simulator and a portable ice bath, measure the thermocouple
voltage output or temperature with the thermocouple inserted into the ice bath. Verify correct
reading for type of thermocouple used. Record as-found reading.
Repeat above for ambient temperature measurement and verify that thermocouple output
indicated correct ambient temperature. Record as-found reading.
I.3.2 Thermocouples
Verify the thermocouple (TC) type by physical examination of tag or color code on thermocouple.
Keep in mind that different countries have different color codes.
Using an installed reference TC or comparison of installed TC assembly outputs will allow a
high level of diagnostic coverage of TC failures due to aging or drift. At some point though, the
TC assemblies will have to be replaced or have individual calibration checks because these
techniques will not achieve 100% coverage of faults.
TC input validation and trip check
Perform the following steps as applicable for verification of TC input processing validation and
trip check.
1) verify the TC open circuit detection by disconnecting the TC and verifying the open TC tag
alarms in control center
2) connect the mV simulator to the TC wiring to the sensor end and simulate the TC input over
the operating range indicated in the table
3) perform a calibration check by entering mV or temperature signals corresponding to 0%, 50%
and 100% of calibrated range and verify readings at HMI concur. Repeat process decreasing.
Record all as-found conditions prior to making any adjustments or repairs.
4) starting from the low scale mV or temperature signal, increase the simulated temperature
until the low temperature trip and low temperature pre-alarm clear. Record as-found
mV/temperature readings for these two points. Verify and document that pre-alarm and trip
clear at correct values.
5) continue increasing the mV or temperature signal until the high temperature pre-alarm and
high temperature trip activate. Record the as-found mV/temperature readings for these two
points. Verify and document that pre-alarm and trip activate at correct values.
6) decrease the mV or temperature signal until the high temperature trip and high temperature
pre-alarm clear. Record as-found mV/temperature readings for these two points. Verify and
document that pre-alarm and trip clear at correct values and that the dead band setting on
the trip is correct.
7) decrease the mV or temperature signal until the low temperature pre-alarm and low
temperature trip activate. Record as-found mV/temperature readings for these two points.
Verify and document that pre-alarm and trip activate at correct values and that the dead band
setting on the trip is correct.
8) if any readings are out of specification and require adjustment or repairs, make adjustments
and repairs then repeat steps 1 through 5 recording readings for as-left condition
9) disconnect the mV/temperature simulator and reconnect the thermocouple. Verify that the
thermocouple polarity is correctly connected
Since TC assemblies are relatively inexpensive, consider keeping a calibrated spare for SIS
applications in the plant instrument shop or warehouse for change out at the designated proof
test interval. Then checking the calibration of the removed TC in the instrument shop or lab, to
determine if it can be placed in the spare inventory for use at the next proof test interval, is
recommended. Thermocouple assemblies are subject to aging and accelerated calibration drift,
which varies with TC assembly type and the process streams to which they are exposed. These
considerations will set the proof test or change-out interval. (For safety applications, during the
design phase, the use of a thermowell should be considered along with process temperature
reading lag time due to thermowell thickness.) If the temperature sensor is a bare sensor (not in a
thermowell) ensure the process is cleaned out so it is safe to remove the sensor.
Using a calibrated temperature simulator and a portable ice bath, measure the thermocouple
voltage output or temperature with the thermocouple inserted into the ice bath. Verify correct
reading for type of thermocouple used. Record as-found reading.
Repeat above for ambient temperature measurement and verify that thermocouple output
indicated correct ambient temperature. Record as-found reading.
I.3.3 Resistance temperature detectors
Verify the resistance temperature detector (RTD) type by physical examination of tag or color
code on sensor.
Perform the following steps as applicable for verification of RTD input processing validation and
trip check.
1) connect the simulator to the RTD wiring to the sensor end and simulate the RTD input
2) perform a calibration check by entering resistance or temperature signals corresponding to
0%, 50% and 100% of calibrated range and verify readings at HMI concur. Repeat process
decreasing. Record all as-found conditions prior to making any adjustments or repairs.
3) starting from the low scale resistance or temperature signal, increase the simulated
temperature until the low temperature trip and low temperature pre-alarm clear. Record as-
found resistance/temperature readings for these two points. Verify and document that pre-
alarm and trip clear at correct values.
4) continue increasing the resistance or temperature signal until the high temperature pre-alarm
and high temperature trip activate. Record the as-found resistance/temperature readings for
these two points. Verify and document that pre-alarm and trip activate at correct values.
5) decrease the resistance or temperature signal until the high temperature trip and high
temperature pre-alarm clear. Record as-found resistance/temperature readings for these two
points. Verify and document that pre-alarm and trip clear at correct values and that the dead
band setting on the trip is correct.
6) decrease the resistance or temperature signal until the low temperature pre-alarm and low
temperature trip activate. Record as-found resistance/temperature readings for these two
points. Verify and document that pre-alarm and trip activate at correct values and that the
dead band setting on the trip is correct.
7) if any readings are out of specification and require adjustment or repairs, make adjustments
and repairs then repeat steps 1 through 5 recording readings for as-left condition
8) disconnect the temperature simulator and reconnect the RTD. Verify that the thermocouple
polarity is correctly connected.
For the RTD:
1) using a calibrated temperature simulator and a portable ice bath, measure the RTD output or
temperature with the RTD inserted into the ice bath. Verify correct reading for type of RTD
used. Record as-found reading.
2) repeat above for ambient temperature measurement and verify that the RTD output indicates
the correct ambient temperature. Record as-found reading.
If the values above are out of specification, replace the RTD and repeat the test, recording
as-left.
I.3.4 Temperature switches
Perform the following steps as applicable for verification of switch input processing validation
and trip check. It may not be possible to perform the following tests in the field depending on
specific area classifications.
1) set a calibrated temperature bath to allow simulation of the input temperature over the
calibrated range of the temperature switch
2) place temperature switch in temperature bath
3) increase the simulated temperature until the low temperature trip and pre-alarm clears as
indicated by loop documentation. Verify and document that pre-alarm and trip clear at correct
set point. Record all as-found conditions prior to making any adjustments or repairs.
4) increase the simulated temperature until a high temperature pre-alarm and trip occurs as
indicated by the loop documentation. Verify and record these two values as-found.
Confirm that pre-alarm and trip occur at correct set point.
5) decrease the simulated temperature until the high temperature trip and pre-alarm clears as
indicated by loop documentation. Verify and record these two values as-found. Confirm that
trip and pre-alarm clear at correct set point.
6) decrease the simulated temperature until a low temperature pre-alarm and trip occurs as
indicated by loop documentation (if applicable). Verify and record these two values as-found.
Confirm that pre-alarm and trip occur at correct set point.
7) if any readings are out of specification and require adjustment or repairs, make adjustments
and repairs then repeat steps 1 through 5 recording readings for as-left condition
I.4 Flow
I.4.1 Flow transmitters - Differential pressure
Using a 4-20 mA signal simulator, verify the transmitter fault logic, per NAMUR Ne43, by
performing the following steps:
1) connect the simulator to the instrument loop being tested
2) drive the output current to 21.2 mA (a different value may be selected by the user with
assurance that upscale overdrive has taken place) and verify readout device indicates bad
measurement
3) drive the output current to 3.5 mA (a different value may be selected by the user with
assurance that downscale overdrive has taken place) and verify readout device indicates bad
measurement
4) disconnect the simulator from the loop being tested
Perform the following steps for verification of transmitter input processing and trip check:
1) ensure root process isolation valves to transmitter are closed
2) relieve pressure and equalize pressure on high and low side of sensing diaphragm. Check
zero mA output to read 4 mA and trim mA output if necessary; record as-found and as-left
3) if process service is dirty or plugging, it may be necessary to check for plugged taps and
deformation of orifice plate including wear/sharpness of bore
4) connect the calibrated pressure source to the process side of the transmitter downstream of
the process isolation valve(s). If the process does not have a set up for testing the
transmitter in process then connecting to the impulse piping or disconnecting the process
seal installing a test flange is acceptable
5) set the calibrated pressure source to allow simulation of the input pressure over the
calibrated range of the transmitter. Perform a calibration check rising at 0%, 50% and 100%
of calibrated range and verify readings at HMI concur, repeat process decreasing.
6) set the pressure source to the lower range (zero) of the transmitter
7) increase the simulated pressure until the low pressure trip and pre-alarm clears as indicated
by loop documentation (if applicable). Verify and document that pre-alarm and trip clear at
correct set point. Verify the dead band setting on the trip is correct.
8) increase the simulated pressure until a high pressure pre-alarm and trip occurs as indicated
by the loop documentation (if applicable). Verify and document that pre-alarm and trip occur
at correct set point. Make sure to approach the pre-alarm and trip point in such a manner to
ensure accurate testing results. This is more important when dealing with analog trip setting
on trip amps where there is no digital readout and set point.
9) increase the pressure to the high range limit for the transmitter and verify the upper limit is
accurate
10) decrease the simulated pressure until the high pressure trip and pre-alarm clears as
indicated by loop documentation (if applicable). Verify and document that trip and pre-alarm
clear at correct set point. Verify the dead band setting on the trip is correct.
11) decrease the simulated pressure until a low pressure pre-alarm and trip occurs as indicated
by loop documentation (if applicable). Verify and document that pre-alarm and trip occurs at
correct set point. Make sure to approach the pre-alarm and trip point in such a manner to
ensure accurate testing results. This is more important when dealing with analog trip setting
on trip amps where there is no digital readout and set point.
12) return the pressure to the lower range limit to check the repeatability of the transmitter
13) document as-found and as-left alarm and trip settings, and calibration check points on
appropriate place in test procedure along with any adjustments which were made
14) disconnect and close up the process connection for the pressure source
15) verify that process isolation valve(s) is open
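The NE43 fault-band check and the rising and falling trip sweep in the procedure above, modeled as an added Python example rather than anything from the technical report; the NE43 fault thresholds (3.6 mA and 21.0 mA), the loop range, the set points and the dead band are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Quality(Enum):
    GOOD = "good"
    BAD_DOWNSCALE = "bad measurement (downscale)"
    BAD_UPSCALE = "bad measurement (upscale)"


# Assumed NAMUR NE43 fault bands: at or below 3.6 mA and at or above 21.0 mA are
# failure signals. The report only gives the test values 3.5 mA and 21.2 mA,
# which lie inside these bands.
NE43_LOW_FAULT_MA = 3.6
NE43_HIGH_FAULT_MA = 21.0


def ne43_quality(ma: float) -> Quality:
    """Classify a loop current the way the readout device should show it."""
    if ma <= NE43_LOW_FAULT_MA:
        return Quality.BAD_DOWNSCALE
    if ma >= NE43_HIGH_FAULT_MA:
        return Quality.BAD_UPSCALE
    return Quality.GOOD


def ma_to_pv(ma: float, lrv: float, urv: float):
    """Scale 4-20 mA to engineering units; None when the current is in a fault band."""
    if ne43_quality(ma) is not Quality.GOOD:
        return None
    return lrv + (ma - 4.0) / 16.0 * (urv - lrv)


@dataclass
class TripPoint:
    """High or low trip/pre-alarm comparator with a dead band applied on clearing."""
    name: str
    setpoint: float
    deadband: float
    high: bool          # True: active when PV >= setpoint; False: active when PV <= setpoint
    active: bool = False

    def update(self, pv: float) -> bool:
        if self.high:
            if not self.active and pv >= self.setpoint:
                self.active = True
            elif self.active and pv <= self.setpoint - self.deadband:
                self.active = False
        else:
            if not self.active and pv <= self.setpoint:
                self.active = True
            elif self.active and pv >= self.setpoint + self.deadband:
                self.active = False
        return self.active


def record_transitions(trips, pv_sequence):
    """Drive a PV sequence through every trip point; return the as-found
    (name, event, pv) at which each comparator activated or cleared."""
    events = []
    for pv in pv_sequence:
        for t in trips:
            before = t.active
            if t.update(pv) != before:
                events.append((t.name, "activate" if t.active else "clear", pv))
    return events


def proof_sweep(trips, lrv: float, urv: float, step: float = 1.0):
    """Rising sweep from LRV to URV, then falling back to LRV (steps 6 to 12 above)."""
    n = int(round((urv - lrv) / step))
    rising = [lrv + i * step for i in range(n + 1)]
    falling = rising[-2::-1]
    return record_transitions(trips, rising + falling)


def check_as_found(events, expected, tolerance: float):
    """Compare recorded transition PVs with the loop documentation values;
    return [(key, found_pv, documented_pv)] for every point out of tolerance."""
    found = {(name, event): pv for name, event, pv in events}
    return [
        (key, found.get(key), want)
        for key, want in expected.items()
        if found.get(key) is None or abs(found[key] - want) > tolerance
    ]


def example_loop():
    """Constructed 0-100 inH2O DP loop; set points and 2-unit dead band are assumptions."""
    return [
        TripPoint("low trip", 10.0, 2.0, high=False),
        TripPoint("low pre-alarm", 15.0, 2.0, high=False),
        TripPoint("high pre-alarm", 85.0, 2.0, high=True),
        TripPoint("high trip", 90.0, 2.0, high=True),
    ]


if __name__ == "__main__":
    for ma in (3.5, 4.0, 12.0, 21.2):
        print(f"{ma:5.1f} mA -> {ne43_quality(ma).value}, PV = {ma_to_pv(ma, 0.0, 100.0)}")
    for event in proof_sweep(example_loop(), 0.0, 100.0):
        print(event)
```

The sweep records where each comparator clears on the rising leg and activates again on the falling leg, so the difference between the two readings is the as-found dead band that step 7 and step 10 ask you to verify.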
I.4.2 Flow transmitter - In line
Using a 4-20 mA signal simulator, verify the transmitter fault logic, per NAMUR Ne43, by
performing the following steps:
1) connect the simulator to the instrument loop being tested
2) drive the output current to 21.2 mA (a different value may be selected by the user with
assurance that upscale overdrive has taken place) and verify readout device indicates bad
measurement
3) drive the output current to 3.5 mA (a different value may be selected by the user with
assurance that downscale overdrive has taken place) and verify readout device indicates bad
measurement
4) disconnect the simulator from the loop being tested
NOTE 1 The full proof test of in-line meters such as vortex, coriolis and magnetic presents some challenges in that the
only way to fully check process measurement input into the electronics is through the use of a master comparison
meter or a prover connection, with installation provisions provided for during design and construction, or by removal of
the meter for calibration check in a flow lab (removal of the meter for testing in a lab can probably only be done or
planned for during a scheduled shutdown).
NOTE 2 Another possible consideration for proof testing the operation or calibrated flow range of orifice plates and
in line meters is the use of clamp on ultrasonic flow meters in order to somewhat prove in specification performance
between shutdown intervals.
5) shortly after start-up, temporarily install clamp-on ultrasonic flow meters, either upstream or
downstream of in line flow meter to best fit operation of clamp-on
6) with plant operational constraints, open and close selected control valve or block valve to
vary flow and document readings from both flow devices
7) at some selected interval recheck/prove in-line meter reading against temporary clamp-on
meter
I.4.3 Flow transmitter - Using master meter or prover loop
1) install the master meter (or prover) and transmitter using the plant operations operating
procedure
2) install the necessary data collection components to collect and compare data points from
both the meter under test and the master meter
3) follow the plant operating procedure to have the same process fluid flow through both the
master meter and the meter under test
4) close the downstream block and check the zero value and zero stability of both meters and
document results
5) open downstream block valve and check reading of both meters at normal flow rate and
document results
6) if the trip flow rate for the meter under test is lower than the normal operating range, the
second test point should be flow rate at which trip is designed to occur. This may need to be
achieved by closing the downstream block valve. Document results from both meters.
7) if the trip flow rate for the meter under test is higher than the normal operating range the
second test point should be the closest rate to the value which can be achieved. This may
require extraordinary operating provisions approved by plant operations. Document results
from both.
I.4.4 Flow transmitter - Testing/Checking in flow lab
1) follow plant operating procedure for removing meter from line
2) inspect meter internal component for any extraordinary damage or wear which may
necessitate a complete replacement
3) send meter to flow test lab. Lab will need flow performance specification requirements. If
tests show re-calibration is necessary, lab must show results that the re-calibrated meter
performance is repeatable; otherwise a replacement meter should be purchased.
4) upon receiving tested meter from flow lab, inspect and re-install ensuring proper alignment of
body with piping and gaskets
5) using appropriate hand held electronic communicator, set transmitter output to 4 mA and
verify reading on HMI. Perform a 4 mA trim on transmitter if required.
6) follow plant operations procedure to fill line with process fluid. Close downstream block valve
and verify zero reading of meter. Re-zero if required then open downstream block valve.
I.4.5 Flow switches
1) obtain work permit from Operations to ensure the flow switch can be checked safely without
impacting Operations and prepare to open flow switch electronics enclosure following
manufacturer instructions
2) open flow switch electronics enclosure and connect one digital voltmeter (DVM) across load
side of switch contacts and second DVM to measure voltage signal output
3) start feed pump, open flow block valve and ensure that flow switch alarm contact is closed
(measuring 24 VDC on load side) and the critical interlock is not engaged on the DCS.
Record voltage signal output.
4) instruct the operator to close flow block valve. Ensure that the flow switch contacts open and
critical interlock engages. Measure the flow switch voltage signal and record. If the interlock
fails to trip, investigate to find out the failure and report/document findings.
5) open flow block valve and ensure that the flow switch contacts close and the interlock resets
(operators must reset the interlock)
6) turn equipment back over to Operations with instructions to reinstall the car seal on the
manual valve
I.5 Level
I.5.1 Level transmitter - Differential pressure
Using a 4-20 mA signal simulator, verify the transmitter fault logic, per NAMUR Ne43, by
performing the following steps:
1) connect the simulator to the instrument loop being tested
2) drive the output current to 21.2 mA (a different value may be selected by the user with
assurance that upscale overdrive has taken place) and verify readout device indicates bad
measurement
3) drive the output current to 3.5 mA (a different value may be selected by the user with
assurance that downscale overdrive has taken place) and verify readout device indicates bad
measurement
4) disconnect the simulator from the loop being tested
5) perform the following steps for verification of transmitter input processing and trip check:
1) ensure root process isolation valves to transmitter are closed
2) relieve pressure and equalize pressure on high and low side of sensing diaphragm.
Check zero mA output to read 4 mA and trim mA output if necessary; record as-found
and as-left
3) if process service is dirty or plugging, it may be necessary to check for plugged taps, i.e.
remove diaphragm seals, check and re-install with new gaskets
4) connect the calibrated pressure source to the process side of the transmitter
downstream of the process isolation valve(s). If the process does not have a set up for
testing the transmitter in process then connecting to the impulse piping or
disconnecting the process seal installing a test flange is acceptable
5) set the calibrated pressure source to allow simulation of the input pressure over the
calibrated range of the transmitter. Perform a calibration check rising at 0%, 50% and
100% of calibrated range and verify readings at HMI concur, repeat process
decreasing.
6) set the pressure source to the lower range (zero) of the transmitter
7) increase the simulated pressure until the low pressure trip and pre-alarm clears as
indicated by loop documentation (if applicable). Verify and document that pre-alarm and
trip clear at correct set point. Verify the dead band setting on the trip is correct.
8) increase the simulated pressure until a high pressure pre-alarm and trip occurs as
indicated by the loop documentation (if applicable). Verify and document that pre-alarm
and trip occur at correct set point. Make sure to approach the pre-alarm and trip point in
such a manner to ensure accurate testing results. This is more important when dealing
with analog trip setting on trip amps where there is no digital readout and set point.
9) increase the pressure to the high range limit for the transmitter and verify the upper
limit is accurate
10) decrease the simulated pressure until the high pressure trip and pre-alarm clears as
indicated by loop documentation (if applicable). Verify and document that trip and pre-
alarm clear at correct set point. Verify the dead band setting on the trip is correct.
11) decrease the simulated pressure until a low pressure pre-alarm and trip occurs as
indicated by loop documentation (if applicable). Verify and document that pre-alarm and
trip occurs at correct set point. Make sure to approach the pre-alarm and trip point in
such a manner to ensure accurate testing results. This is more important when dealing
with analog trip setting on trip amps where there is no digital readout and set point.
12) return the pressure to the lower range limit to check the repeatability of the transmitter
13) document as-found and as-left alarm and trip settings, and calibration check points on
appropriate place in test procedure along with any adjustments which were made
14) disconnect and close up the process connection for the pressure source
15) verify that process isolation valve(s) is open
I.5.2 Level switches - Tuning fork
Development of proof test procedures for this type of device must take into consideration
process potential for plugging, corrosion and density effects. Some devices of this configuration
have high levels of on-board diagnostics, which can proof-test operation with the press of a
button or turning of a key. Even with this type of configuration, the tuning fork needs to be removed,
visually inspected and tested operationally on some periodic basis. Typical steps:
1) notify plant operations that the device to be taken out of service
2) press or turn the test key on the electronic unit and confirm operation on the HMI/logic solver
in the control room
3) visually inspect the condition of level switch housing for corrosion, damaged conduit/wire
entry and other issues, which could impact MI
4) test/verify settings such as density
5) per plant operations procedures/constraints raise the tank level to actuation point and check
for positive confirmation in control room
6) if raising level in tank is not safely possible, remove the switch from service and place in
container of liquid with similar density and check for positive confirmation in control room.
7) check tuning fork and tank nozzle for signs of corrosion and process coating, take corrective
actions necessary
8) re-install switch assembly and place back into service per plant operations guidelines
This procedure is intended for use in on-line testing but is applicable for off-line testing as well.
I.6 Process analyzers
Process analyzers should be calibrated in accordance with the manufacturer's specific instructions.
Signals from process analyzers to SIF are typically current signals representing values and
ranges of SIS equipment being measured. Verification of correct setpoints for pre-alarm and trip
values should be done using current sources in like manner to that for other current transmitters.
(See mA pressure transmitter above.) Document as-found and as-left values.
I.7 PES logic solver
Before the advent of programmable devices using multiple I/O, proof testing was conceptually
relatively straight forward, giving rise to the concept of an end-to-end test of the complete SIF. In
today's world, the logic solver is most often a system unto itself and is involved in multiple SIF.
This significant increase in complexity designed to provide greater flexibility while lowering cost
and balancing reliability makes it necessary to thoughtfully consider how to perform effective
proof testing. There are two major aspect s that must be considered. The first is that the logic
solver health, independent of any individual SIF needs to be adequately validated. Checking the
utilities needed by the logic solver to function correctly would also fall into this category. The
second is the individual SIF needed to be tested as they always have. However, even here, there
has been an increase in complexity at times with voted sensors and sensors/final elements being
shared by multiple SIF, making a segmented approach more appropriate than a seemingly
infinite number of end-to-end tests.
There are several methods to test the logic solver, each with different purposes and
effectiveness, depending upon the design stage, whether in operation, and whether following a
change during the operational time of the facility. The following subclauses provide some
guidance as to when a particular method is useful and what type of validation is performed.
I.7.1 Logic solver stand alone test procedure
This part of the overall SIS validation is not part of the specific SIF proof tests. The MI program
should address the inspection and testing of logic solver hardware, diagnostics, (e.g., watch dog
timer and stuck-on/stuck-off input/output diagnostics), and application program that are not
tested as part of individual SIF tests. Testing of logic solvers for SIF is not practical while the
process is operating to perform its designated function. Therefore the full functionality of the
logic solver should be tested and validated prior to placing the SIF in operation as a layer of
protection for the process. Further testing of the logic solver should be performed at the
scheduled down time for the process and any time the SIF is taken out of service for application
program changes.
By testing the individual SIF, the application program should be adequately tested. However,
there are other aspects of the logic solver that merit further testing to ensure continued reliability
of performance. These include, but are not necessarily limited to:
- validate preprogrammed function blocks within the PES that are not part of the equipment
  supplier's standard library of function blocks, typically at the Factory Acceptance Test (FAT),
  rather than the Site Acceptance Test (SAT). For those function blocks that fall into this
  category, the following is recommended:
  - identify those function blocks that are used within the SIS. For this purpose, different
    versions of a preprogrammed function block that accomplish the same result are
    considered to be different function blocks.
  - for each different preprogrammed function block that is used, at least one instance of this
    block should be validated by testing all combinations of initiators
  - when testing combinations of trip signals, the effects of transmitter bypasses, operator
    bypasses, and "transmitter bad quality" should be considered and tested. For a typical
    two-out-of-three function block, this will result in substantially more than three tests.
  - for a preprogrammed function block, features that can be tuned individually for each
    instance of the block should be thoroughly validated for each block
  - if SIS operation can be affected by an individually tuned parameter, each instance of the
    block should be thoroughly validated
- verify that the system is fully functional and is not operating in a degraded state. It is possible
  in many cases for an SIS to be in a degraded state, with major failed components, and still be
  capable of providing appropriate responses due to system redundancy and other safeguards.
- validate that the system diagnostics are fully functional
  - during the FAT this includes more rigorous fault insertion type testing
  - during an SAT/initial validation or subsequent revalidations, the level of rigor that can be
    achieved at an FAT is not practical. Nevertheless, checks should be made that include:
    - check of all diagnostic systems statistics
    - check that system diagnostics are active in accordance with manufacturer
      recommendations
    - function check status alarms for each device in the system. Pull each module and
      watch for status alarm on alarm summary. Disconnect cabling and check for status
      alarms. Also pull each power supply and fail each I/O card.
    - if redundant power feeds are used, confirm that the loss of one power feed will
      generate status alarm while leaving system healthy
    - verify that no significant PES or hardwired system diagnostic alarms are generated
      during the course of validation. If so, the cause should be determined immediately,
      and the situation rectified and noted in the SAT/FAT document.
    - check status of power supplies (including backup power supplies) in the system, and
      ensure that there are no power supply system alarms
    - check status of communication buses in the system (such as: I/O Bus, Module Bus,
      Data Highway, etc), and that there are no communication system alarms
    - check status of I/O modules (specifically any redundant I/O cards), and that there are
      no I/O modules system alarms
    - check status of logic solvers (specifically any redundant pair), and that there are no
      system alarms
    - verify that all firmware and application program revisions are consistent and are in
      accordance with manufacturer recommendations
    - the PES is configured per manufacturer specific certification requirements and user
      standards or approved documented modifications to those requirements
    - verify proper fail-to-safe modes are set properly in each I/O channel
    - check of all communications networks including visual inspection of wiring for proper
      supports
- check that the logic solver scan time and statistics are properly tuned to ensure optimum
  performance. Make sure adequate free memory exists for future on-line/off-line configuration
  changes.
- verify that all module power-up initialization logic works properly. Ensure that all shutdown
  set points are retained through power down and power up initialization of the logic solver.
- perform redundancy checks on all redundant modules and racks. Remove or generate an
  error on the primary module/rack and verify that the backup module/rack takes control.
  Restart the primary module/rack and verify that it returns to a healthy state as a backup unit.
- confirm that both the primary and redundant have identical configurations at the completion
  of staging
- make backup copies of all logic solver and operator interface configurations at the completion
  of staging. At subsequent revalidations, run a compare of the master copy versus the as-found
  copy.
- check that the PES is locked, secure, and cannot be changed (manually or via electronic
  means) unless appropriate management of change procedures are used
I.7.2 SIF logic solver test procedure when connected to field equipment
This procedure builds upon the test procedure documented in paragraph H.7.1 and applies to
logic solvers that have been installed in the field. It encompasses the initial validation proof test
when first installed as well as to subsequent proof tests as part of the mechanical integrity
program for the life of the installation.
The following is a generalized version of specific tests that should be conducted using a 2oo3
sensor architecture example connected to the logic solver:
Typical special tools for use in testing the logic solver may include but not necessarily be limited
to:
- digital volt meter (DVM)
- stopwatch
- HART smart communicator
- reference documentation for SIF logic (e.g., wiring diagrams or application program
  specification)
Specific checks:
- for new installations, all alarm inhibits on listed tags should be removed prior to testing. For
  existing facilities, any alarm inhibit found represents a failure that should be documented.
- confirm pre-alarm set point in logic solver
- confirm initiation set point in SIS logic solver
- confirm time delays in SIS logic solver
- transmitter "A" value trip level (verify vote to trip and deviation)
- transmitter "A" value bad quality (verify vote to trip)
- transmitter "B" value trip level (verify vote to trip and deviation)
- transmitter "B" value bad quality (verify vote to trip)
- transmitter "C" value trip level (verify vote to trip and deviation)
- transmitter "C" value bad quality (verify vote to trip)
- "A" high high and "B" bypass and trip level (verify no trip)
- "A" high high and "C" bypass and trip level (verify no trip)
- "B" high high and "C" bypass and trip level (verify no trip)
- "B" high high and "A" bypass and trip level IF only one transmitter bypass then trip level
  (verify no trip)
- "C" high high and "A" bypass and trip level (verify no trip)
- "C" high high and "B" bypass and trip level (verify no trip)
- bring one pair (or single) to pre-alarm (verify alarm)
- bring same initial set (or 1) to trip value (record pair tested) (verify trip actions)
- bring different set of initiators to trip value (record pair tested) (verify trip signal in PES)
- bring different set of initiators to trip value (record pair tested) (verify trip signal in PES)
- run a comparison check of the master reference copy of application program versus the
  current application program
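The 2oo3 voting with bypassed and bad-quality transmitters behind the checklist above (and the "substantially more than three tests" point in I.7.1), as an added Python model that is not the report's own; the voting rules are assumptions: a bad-quality channel votes to trip, three active channels vote 2oo3, two active channels vote 2oo2 and a single active channel votes 1oo1.

```python
from enum import Enum
from itertools import product


class Ch(Enum):
    NORMAL = "normal"        # healthy and below trip level
    TRIP = "trip level"      # healthy and at or beyond trip level (high high)
    BAD = "bad quality"      # NE43 fault band or transmitter diagnostic failure
    BYPASSED = "bypassed"    # maintenance bypass applied


def votes_to_trip(state: Ch) -> bool:
    """Assumed rule taken from the checklist: a trip-level or bad-quality channel votes to trip."""
    return state in (Ch.TRIP, Ch.BAD)


def required_votes(active: int) -> int:
    """Assumed degradation: 3 active channels -> 2oo3, 2 -> 2oo2, 1 -> 1oo1."""
    if active == 0:
        raise ValueError("all channels bypassed: voter cannot be evaluated")
    return 2 if active >= 2 else 1


def vote_2oo3(states: dict) -> bool:
    """True when the non-bypassed channels carry enough votes to trip."""
    active = [s for s in states.values() if s is not Ch.BYPASSED]
    return sum(votes_to_trip(s) for s in active) >= required_votes(len(active))


def deviation_alarm(values: dict, limit: float) -> bool:
    """Deviation alarm: two healthy channels (None = bad quality) differ by more than limit."""
    good = [v for v in values.values() if v is not None]
    return len(good) >= 2 and max(good) - min(good) > limit


def test_matrix():
    """Every combination of channel states with the expected voter result: this is the
    'substantially more than three tests' a 2oo3 block needs once bypass and bad
    quality are included (63 cases; the all-bypassed case is not testable)."""
    rows = []
    for combo in product(Ch, repeat=3):
        if all(s is Ch.BYPASSED for s in combo):
            continue
        states = dict(zip("ABC", combo))
        rows.append((states, vote_2oo3(states)))
    return rows


def checklist_cases():
    """The named cases from the I.7.2 checklist as (description, states, expected trip)."""
    base = {ch: Ch.NORMAL for ch in "ABC"}
    cases = []
    for ch in "ABC":
        cases.append((f'transmitter "{ch}" trip level (vote only, no trip)',
                      {**base, ch: Ch.TRIP}, False))
        cases.append((f'transmitter "{ch}" bad quality (vote only, no trip)',
                      {**base, ch: Ch.BAD}, False))
        for other in "ABC".replace(ch, ""):
            cases.append((f'"{ch}" high high and "{other}" bypass (verify no trip)',
                          {**base, ch: Ch.TRIP, other: Ch.BYPASSED}, False))
    cases.append(('pair "A" and "B" at trip value (verify trip)',
                  {**base, "A": Ch.TRIP, "B": Ch.TRIP}, True))
    return cases


def verify_checklist():
    """Run the checklist cases against the voter model; return the descriptions that disagree."""
    return [desc for desc, states, want in checklist_cases() if vote_2oo3(states) is not want]


if __name__ == "__main__":
    for desc, states, want in checklist_cases():
        print(f"{desc:55s} -> trip={vote_2oo3(states)} (expected {want})")
    trips = sum(1 for _, t in test_matrix() if t)
    print(f"{len(test_matrix())} state combinations, {trips} of which should trip")
```

Replacing `vote_2oo3` with the logic solver's actual function block output turns `test_matrix` into the expected-result column for the full combination test that I.7.1 calls for.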
For each action above, the as-found condition or state should be documented.
Some of the checks above may be able to be performed while the plant is running. With respect
to proof testing the final element under the most realistic conditions, maximizing its proof test
coverage, incorporating that check as part of a scheduled shutdown can be useful. Any checks
or tests that cannot be performed while running or via transition from running to off-line must be
performed off-line while the plant is not running.
Following the tests and prior to restoring the SIS to operation:
- remove any overrides applied for testing
- return sensors to their normal operating state and remove test equipment
- ensure all are left in a safe state and passed back to Operations
- ensure that the work area is safe, and left in a clean and tidy manner
- sign-off relevant work permit and return to the area authority for close out
- record any maintenance history in the maintenance management IT system preventive
  maintenance work order
- raise a malfunction report for any failure that would have prevented the protection from
  performing its function
I.7.3 Logic solver simulation test procedure
Prior to field installation or prior to implementing application program changes to an installed
logic solver in the field, it can be useful to test the application program off line. One means to
accomplish this is with a simulator. In this instance, the test program is developed in a simulation
program using another PE logic solver. Connection to the logic solver for testing is similar to
above. However, the use of such a simulation requires complete validation of the simulation
program in the simulator prior to testing the SIS logic solver. The simulation might also be used
in training operators in the functionality of the SIF and confirming that the application program
meets the SRS. In some instances this simulator might operate in an automated mode in
performing the test. The actual test procedure as outlined in 7.1 should also be accomplished to
the greatest extent possible.
This approach supports both factory acceptance training and on-going training. Maximizing the
opportunity to test at the factory prior to shipment and field installation decreases the potential
for issues to occur in the field, where diagnostic trouble shooting tools are more limited in
comparison to what can be done at the manufacturer's site.
I.7.4 PE logic solvers not connected to field or simulators
Testing PE logic solvers that are not yet connected to field devices or a simulator is limited to
manual testing of the application program using the PE logic solver configuration device. This is
an action that primarily takes place during initial programming and configuration of the PE logic
solver for the SIF application. Since changes are numerous during this activity, formal
documentation of this testing should not be necessary. The final application program
documentation should reflect the results of this testing.
I.8 HMI
The testing guidance below assumes that the HMI does not write to the SIS. The only write to the
SIS is a manual emergency stop that is a hardwired input to the SIS. Emergency trips initiated
within the BPCS are assumed to be in series with the SIS outputs.
The Human Machine Interface (HMI) displays related to safety should be tested at the same
frequency as the full SIF. When changes are made to information displayed in the HMI, the
changes should be tested to confirm appropriate status is displayed. If the HMI is used to provide
a manual initiation of the SIF, this function should be tested during each revalidation of the SIF.
All indications of SIF variables that are displayed on a human machine interface whether they be
within the BPCS operator workstation, a separate operator display station, or lights on a panel
should be verified as each variable is tested. The correct range of process variable, the pre-
alarm and trip set points, and any other variable information that is provided should be verified
and documented during the testing. Both as-found and as-left values should be documented.
Where multiple pages (video, CRT, etc.,) of SIF information are provided, all displayed pages
should be verified for appropriate labeling and access control.
Testing of the HMI during normal operation of the process should be done any time that there is
an indication of a malfunction of the HMI display itself. This could result from a fault in an input
to the display or a fault in the display component itself. When repairs are made or a HMI is
replaced, all features of the original HMI specified for the SIF should be tested.
On-line testing of the HMI is not required unless changes have been made in the information
presented to the operator. Any changes that modify information to the operator about the status
of the SIF should be tested when they are made and verified as being appropriate.
I.9 Communications
Communications between the SIF and other control equipment such as the Basic Process
Control System (BPCS) should be tested at the same frequency as the SIF. When performing the
initial SAT and completing full proof tests of the SIF, the testing should include all communication
to auxiliary equipment such as the DCS. When changes are made to the communications links
between the SIF and any other equipment, testing should confirm that appropriate information is
being communicated.
Where provided, all communications with other systems such as the BPCS should be tested to
verify correct transfer of information and data between the SIF and other system(s). All
information transferred should be verified by comparing the sent information with the received
and displayed information on the system(s) other than the SIF.
Techniques used for blocking communications from the BPCS operator workstation to the SIF
that could lead to application program changes in the SIS should be validated. Attempts at
changing the SIF application program should be made from the BPCS operator workstation to
verify that this action cannot take place. The security technique used to protect against changes
to the firmware or application program from the configuration station should also be tested. If this
technique involves connecting the configuration station only when changes are to be made,
verify that another PES station cannot perform this function. If password protection is the
technique used, verify that the password meets the company's requirements for password
strength. This is especially important if the SIF display station is also used as the configuration
station with key lock or password protection.
Where a separate operator display station is provided for the SIF, tests should confirm that
changes to the application program in the SIF cannot be made from this station.
Communications between other systems and the SIF should be tested on the same schedule as
the logic solver and at any time there is an indication of a malfunction of the communication link.
If communication with another system has an impact on the safety integrity of the SIF, the test
interval included in the integrity evaluation should be used. Any on-line testing of a
communication link should not reduce the capability of the SIF to perform its function.
Any changes made to communications between the SIF and any other system should be tested
when the changes are made. It is not recommended that changes be made while the SIF is
providing protection to the process as these change activities could result in nuisance trips of the
SIF or result in program errors, which could render the SIF incapable of performing its function.
I.10 Power supplies
Perform the following inspections and tests under typical load and use points. For revalidations,
most of these can be performed while the plant is running:
• measure and record voltage
• measure and record current
• measure and record ohms to ground (anything less than or equal to 2.0 ohms is
considered an incipient failure and must be corrected)
• inspect to ensure that the isolated ground system has not been compromised
• measure power quality and ensure the absence of AC ripple. AC ripple is considered a
dangerous failure and must be corrected.
• test that both over and under voltage diagnostics function and take appropriate action
• test that over current diagnostics function and take appropriate action
• test any other external power supply and interrupts triggered by the SIS application program
Any measurements outside of the defined acceptable range need to be noted in the as-found
documentation and then repaired.
I.11 Interposing relays
An interposing relay is either an electromechanical or a solid state relay whose function is to
accept as input a low level (e.g., current, voltage) signal and provide as output a higher level
signal. In process control the input source is typically the output card of an i ndustrial control
system (e.g., SIS, BPCS, PLC, DCS) and the output is connected to plant floor loads (e.g., final
elements such as motor control circuits, or electromagnetic valves).
• refer to the segment testing guidance (e.g., from sensor through logic solver to final
element) and verify that the interposing relay is functioning properly (e.g., output power
off when input power is off and vice versa)
• perform test on each segment connected to the interposing relay
• perform test for each unused interposing relay output using terminal block wiring locations
where applicable
• confirm interposing relay mounting is secure (e.g., tighten mounting screws)
• confirm wiring to terminals is secure (e.g., tighten terminals)
• for an electromechanical relay, inspect each contact for degradation (e.g., oxidation due
to low-energy output current, poor colorization due to overheating or excessive duty
cycle)
• for a solid state relay, confirm output leakage current is not exceeding nameplate level
• compare test plan to manufacturer requirements and perform tests not listed above
I.12 Final element testing
Final elements are in general the most likely component to fail when a demand is placed on the
SIF. The most common failures involve seat leakage rates, solenoid coil failures, and fouling of
the valve preventing closure. These devices fall into two categories of operation: those that
typically remain in one position for long periods of time without moving and those that operate
frequently as part of normal operation. The test program needs to examine the specific
application and determine what testing and preventive maintenance is required for a particular
final element. The process operating conditions can be severe thus contributing to potential
failures. Unlike transmitters and logic solvers, the final control elements contain many moving
parts, which must function together to accomplish the desired action they are specified to
perform. This means that the performance of the valve not only depends on a good test program,
but also on an effective preventive maintenance program. For instance some companies perform
a rebuild of SIS valves and actuators every six years to replace packing, check corrosion on
springs, replace o-rings, and lubricate moving parts.
Many installed final elements utilize common process utilities, such as compressed air,
electricity, and hydraulics, which, should they fail, could render multiple devices unavailable. An
example of this would be an air supply that was required to close two valves in a redundant
configuration. If the air supply fails to provide the necessary pressure or volume to move either
of the valves, the SIF will fail to accomplish its function.
The test interval may need to be modified based on the severity of the service the valve
encounters. Temperature (high or low), erosion, and corrosion are a few of the factors that may
warrant a change in the testing frequency.
A visual inspection according to an approved procedure should be carried out regularly. See
Annex E for a sample procedure or checklist for this visual inspection.
Some final element testing includes testing the speed of closure of the valve. There are several
things to be aware of when performing this test. Valves with soft seats will deform when the
valve is stroked. It will take about 24 hours for the seat to re-form after the valve is stroked. This
can lead to error in the speed at which the valve will perform during an actual demand. Where you
have soft seats, make sure you leave the valve in the operational position long enough to ensure
you will get an effective test of the valve speed during an actual demand.
Other devices used as final control elements such as motors should be tested at the frequency
used in the performance calculations for the SIF.
When the final element is part of more than one scenario, the final element has to be tested
according to the highest SIL-level requirements.
I.12.1 Valves
Before developing the testing procedures for valves, you should identify the critical requirements
for successful operation, such as speed of operation, the leakage requirements, and the
fail-to-open or fail-to-close position.
The appropriate test interval for valves used as final control elements depends on a number of
factors:
• type of valve used as the final control element
• service in which the valve is applied
• whether the valve is used during normal operation or as a standby valve for use only
when the SIF takes action
• whether the valve must provide minimal leakage isolation or some leakage can be
tolerated
• whether the valve actuator has a spring to drive it to the safe state or it depends on
motive power to drive it in both directions
A proof test of an SIF valve should include full stroking of the valve, inspection, and leak
tightness as required. During the test the stroke time, feedback signals, leak test and inspection
should be recorded on the testing documentation. Stroking time is from output signal change to
valve position change, not just from start to finish of valve stroke. Pre-stroke dead time as the
actuators fill or exhaust and achieve break away force on the valve is generally the longest time
component of the total stroke time.
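As an added illustration of the stroke time definition above (example code, not part of the technical report), the following Python snippet splits a recorded valve stroke into pre-stroke dead time, travel time and total stroke time from a position feedback trace, and judges the total against the SRS limit so that the dead time is counted. The feedback trace, the 2 % movement threshold, the 98 % end-of-travel threshold and the function names stroke_times and stroke_passes are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Position feedback trace: (seconds since test start, fraction of travel toward the
# safe state, 0.0 = normal position, 1.0 = fully stroked). Constructed sample data for
# this example; a real trace would come from the logged position transmitter.
SAMPLE_TRACE: List[Tuple[float, float]] = [
    (0.0, 0.00), (0.5, 0.00), (1.0, 0.00), (1.5, 0.00), (2.0, 0.01),  # actuator exhausting
    (2.5, 0.05), (3.0, 0.30), (3.5, 0.60), (4.0, 0.85), (4.5, 0.98), (5.0, 1.00),
]

# A stuck valve (constructed): the output changed but the feedback never moved.
STUCK_TRACE: List[Tuple[float, float]] = [(i * 0.5, 0.0) for i in range(12)]


@dataclass
class StrokeResult:
    dead_time_s: float     # output signal change -> first detectable valve movement
    travel_time_s: float   # first movement -> end of travel
    total_stroke_s: float  # output signal change -> end of travel (what the SRS limits)


def stroke_times(trace: List[Tuple[float, float]], command_time_s: float,
                 move_threshold: float = 0.02,
                 end_threshold: float = 0.98) -> Optional[StrokeResult]:
    """Measure stroke timing from a position trace whose first sample is at or before
    the output signal change. Returns None if the valve never starts moving or never
    reaches end of travel, i.e. a failed test."""
    start_pos = trace[0][1]
    move_t: Optional[float] = None
    end_t: Optional[float] = None
    for t, pos in trace:
        if t < command_time_s:
            continue
        if move_t is None and abs(pos - start_pos) > move_threshold:
            move_t = t  # first sample showing real movement ends the dead time
        if move_t is not None and pos >= end_threshold:
            end_t = t   # first sample at end of travel ends the stroke
            break
    if move_t is None or end_t is None:
        return None
    return StrokeResult(move_t - command_time_s, end_t - move_t, end_t - command_time_s)


def stroke_passes(trace: List[Tuple[float, float]], command_time_s: float,
                  max_total_stroke_s: float) -> bool:
    """Pass/fail against the SRS stroke time requirement, measured from the output
    signal change so the pre-stroke dead time counts. A stuck valve is a fail."""
    result = stroke_times(trace, command_time_s)
    return result is not None and result.total_stroke_s <= max_total_stroke_s


if __name__ == "__main__":
    print(stroke_times(SAMPLE_TRACE, command_time_s=0.0))
    print("pass (6 s limit):", stroke_passes(SAMPLE_TRACE, 0.0, max_total_stroke_s=6.0))
    print("stuck valve pass:", stroke_passes(STUCK_TRACE, 0.0, max_total_stroke_s=6.0))
```

For the constructed trace the dead time (2.5 s) exceeds the travel time (2.0 s), which is the pattern the text describes; recording the two components separately makes a slowly growing dead time visible across successive proof tests even while the total still passes.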
I.12.1.1 Solenoid operated valves
Verify solenoid valve normal and trip condition status. If solenoid is normally energized during
process operation, verify that coil is energized and no air is venting through vent port. If solenoid
is normally de-energized during process operation, verify that coil is de-energized and vent port
is open to vent. De-energize or energize coil as required and verify that air is either vented from
valve actuator or applied to valve actuator as required by the SRS. Verify that solenoid installed
position allows gravity assist in taking valve to de-energized position. For examples of testing
solenoid valves see example procedures for testing of final control elements.
Solid state outputs have leakage current when they are off. Pilot operated solenoid valves
generally have very low hold-in current requirements when in the on position. The result may
be that the solenoids may not move to off position when the solid state output commands off
since the leakage current holds the solenoid on. Periodically check a few of the solid state
outputs to ensure their off leakage current has not increased above rated value.
I.12.1.2 Leakage testing
For many SIS valves the leakage test is the most important and most often the reason for valve
failure. Selection of the appropriate leakage rate can be difficult and often results in conservative
leakage requirements. In most cases, the seat leakage for control valves is defined by a leakage
class as defined by ANSI/FCI 70-2 and IEC 60534-4. The classes range from Class I where no
testing is required to Class VI, which is bubble tight for gas service. For block valves API 598
provides a listing of maximum allowable leakage rates for closure tests.
When there is not a RAGAGEP identifying the proper leakage rate for the valve, what do you
need to consider when determining whether the valve passes or fails the leakage requirements?
In many cases the valve is designed to the requirements of the process, but not the process
safety requirements. For example you have a double block and wedge design where nitrogen is
used as a wedge in-between the valves to ensure that if there is a leak the nitrogen leaks into
the process and prevents the process from leaking through both valves. In this case you want a
tight shut off, but if the valves leak it is just an economic problem. Would the leakage rate be
critical to the operation of the SIS? It may not be.
Where the leakage of a valve could prevent the SIS from achieving or maintaining a safe state of
the process, the leakage rate will need to be included as part of the pass/fail criteria. Involve the
process engineers. This decision will be very process and SIF specific. Include in your
determination:
• the design of the final element configuration (single valve, double block, double block and
bleed, double block and wedge)
• the pressures on each side of the valve
• how much of a leak will prevent the SIS from achieving or maintaining a safe state of the
process
There are several sources for information on how to perform a leakage test. For gas-fired
systems the NFPA 86 standard in section A.7.5.9 and FM 6-0 in section 2.12.6 provide testing
methods for gas shut off valves. When you use the FM test procedure you could have a valve
downstream that leaks causing an error in the test.
In-line testing of the block valve avoids the cost of removal of the valve, which can be very
expensive. This procedure means that the user may need to provide the manual block valves and
testing ports needed to perform the test.
The typical method for testing the valve closure requirements falls into two categories; gas and
liquid. The method for gas used in fired equipment involves blocking in the downstream side of
the valve, applying a specific pressure to the upstream side and measuring the number of
bubbles leaking through the valve. NFPA specifies the use of a tube inserted between to
below the surface of the water. It is important to minimize the volume in the piping between
the test valve and the downstream block valve. The user will need to time the test to identify the
number of bubbles per minute for the leakage test. Generally it is a good practice to wait 2-3
minutes after applying pressure to start the test. This method can be applied to non-fired
equipment as well.
For liquid services, the line is filled with liquid including the valve cavity before performing the
test. The leakage from the valve is captured in a container over a specified time and measured to
determine the leakage rate. As with the gas leakage test the user will need to provide time for
the leakage to stabilize before starting the test.
Other leak test methods for non-fired equipment valves depend on the allowable leak rate for the
SIF. If large leak rates are acceptable for the SIF, a highly accurate existing (or temporary such
as clamp on) flow meter can be used. For lower leak rates the ideal gas law concept can be
used. This involves blocking in the upstream side of the SIF valve and introducing and
monitoring the pressure between the valves. Using the ideal gas law PV=nRT the amount of
pressure drop can be converted into a leak rate. For an accurate calculation, ensure enough time
is taken to perform this test (10-15 minute pressure test), and to be cautious of external
influences (such as ambient temperature changes).
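The ideal gas law conversion described above, carried through as an added worked example (not from the technical report): the blocked-in cavity volume, the two pressure and temperature readings and the test duration are constructed inputs, the gas is assumed to behave ideally, pressures are absolute, and the function names are hypothetical. Taking a temperature reading with each pressure reading is what lets the calculation separate a real leak from the ambient temperature drift the text cautions about.

```python
# Ideal gas law leak-rate estimate for a blocked-in valve cavity (added example;
# assumptions: ideal gas, absolute pressures, known test volume).

R_J_PER_MOL_K = 8.314462618
P_STD_PA = 101325.0   # standard conditions used to express the leak as a gas volume
T_STD_K = 273.15


def leaked_moles(volume_m3: float, p1_pa: float, t1_k: float,
                 p2_pa: float, t2_k: float) -> float:
    """Moles of gas lost from a fixed volume between two (P, T) readings, from n = PV/RT.
    Using the temperature at both readings corrects for ambient temperature change;
    pass t1_k == t2_k when the temperature is constant."""
    return volume_m3 / R_J_PER_MOL_K * (p1_pa / t1_k - p2_pa / t2_k)


def leak_rate_std_l_per_min(volume_m3: float, p1_pa: float, t1_k: float,
                            p2_pa: float, t2_k: float, duration_s: float) -> float:
    """Leak rate over the test duration, expressed in standard litres per minute."""
    n = leaked_moles(volume_m3, p1_pa, t1_k, p2_pa, t2_k)
    std_volume_m3 = n * R_J_PER_MOL_K * T_STD_K / P_STD_PA
    return std_volume_m3 * 1000.0 / (duration_s / 60.0)


def pressure_change_from_temperature_only(p1_pa: float, t1_k: float, t2_k: float) -> float:
    """Pressure change a sealed, leak-free volume shows purely from a temperature
    change (P2 = P1 * T2 / T1). Compare it with the measured drop to decide whether
    the test can distinguish a leak from ambient drift at all."""
    return p1_pa * t2_k / t1_k - p1_pa


def leak_test_verdict(volume_m3: float, p1_pa: float, t1_k: float, p2_pa: float,
                      t2_k: float, duration_s: float, max_std_l_per_min: float):
    """Pass/fail against the allowable leak rate from the SIF pass/fail criteria,
    with the temperature correction applied. Returns (passed, measured_rate)."""
    rate = leak_rate_std_l_per_min(volume_m3, p1_pa, t1_k, p2_pa, t2_k, duration_s)
    return rate <= max_std_l_per_min, rate


if __name__ == "__main__":
    # Constructed test: 10 L cavity, 3.000 bar abs falling to 2.990 bar abs in 10 min at 20 C.
    v, p1, p2, t, dur = 0.010, 300000.0, 299000.0, 293.15, 600.0
    passed, rate = leak_test_verdict(v, p1, t, p2, t, dur, max_std_l_per_min=0.05)
    print(f"leak rate {rate:.5f} std L/min, pass={passed}")
    # A 1 K ambient rise alone would change the pressure by about as much as the
    # whole measured drop, so the test is inconclusive unless temperature is logged.
    print(f"1 K rise alone: {pressure_change_from_temperature_only(p1, t, t + 1.0):.0f} Pa")
```

For the constructed inputs the 1000 Pa drop corresponds to roughly 0.009 standard L/min, while a 1 K ambient change would by itself shift the pressure by about 1023 Pa; that is the quantitative reason behind the 10-15 minute duration and the caution about external influences.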
I.12.1.3 On-line testing
Since the test interval to achieve the required safety integrity is often shorter than the desired
operating cycle for the process, on-line testing thus becomes a desirable procedure. The test
interval determination is based on required SIF integrity.
Operation of valves while on-line may result in tripping the SIF even if the valve is only operated
for a portion of its full stroke capability. Redundancy of final control elements may or may not
provide for on-line testing of these devices. If the redundancy is to ensure stopping a flowing
stream, two final control elements, i.e., valves, will be installed in series and closing or opening
either one as the case may be is not desirable while the process is in operation. On-line testing
of final control elements is the most difficult portion of the testing required for SIF.
Techniques have been devised to allow some measure of testing of final elements, particularly
valves. These include use of manual block valves around the SIF valve for use while the testing
is being performed. A drawback of this approach is high capital cost and the chance of leaving
the manual block valves in the wrong position after a test has been performed. Using this
technique requires special attention to operation of the manual valves before and during the test.
See 6.5.17 on bypass cautions.
Some companies take credit for on-line valve tests when an unplanned trip of the system takes
place. They verify that all valves went to their correct position as required by the trip condition
and that all indications of valve position have confirmed this to be true. They then document what
has occurred and take credit for this as a functional test of the valves affected. When taking such
credit, consideration should be given to the performance requirement of the operation of the
valve (i.e. speed of response and shutoff performance). The documentation should include the
rationale for acceptance of the performance based on additional in-line testing while the
opportunity is available or noting that prior testing could lead one to believe the performance is
adequate until the next scheduled test.
I.12.1.4 Partial stroke
One method of testing a valve is to perform a partial stroke test. ANSI/ISA-TR96.05.01-2008
provides guidance on performing partial stroke testing of automatic block valves. The user needs
to be aware that partially stroking a valve does not ensure it will function to its full open or closed
position or satisfy the required shutoff of the valve when called upon to do so. The test only
covers part of the failure modes of the valve. The coverage factor of a partial stroking of a valve
should be limited to a certain maximum, e.g., 70%.
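To show why the coverage cap matters, here is an added worked example (not from the technical report or from ANSI/ISA-TR96.05.01) using the simplified single-channel approximation PFDavg ≈ λDU × [C × τPST/2 + (1 − C) × τfull/2], where C is the fraction of dangerous undetected failures the partial stroke reveals, τPST is the partial stroke interval and τfull the full proof test interval. The use of this approximation, the 70 % cap as a parameter, and the failure rate and intervals in the sample run are the example's own assumptions; the function names are hypothetical.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass
class PfdResult:
    pfd_avg: float
    coverage_used: float  # coverage after the cap has been applied
    cap_applied: bool


def pfd_avg_with_pst(lambda_du_per_h: float, full_test_interval_h: float,
                     pst_interval_h: float, claimed_pst_coverage: float,
                     max_pst_coverage: float = 0.70) -> PfdResult:
    """Single-channel PFDavg with partial stroke testing (simplified approximation,
    an assumption of this example). The fraction C of dangerous undetected failures
    revealed by the partial stroke is credited at the partial stroke interval; the
    remainder is only revealed at the full proof test. Claimed coverage above the
    cap is not credited."""
    if not 0.0 <= claimed_pst_coverage <= 1.0:
        raise ValueError("coverage must be a fraction between 0 and 1")
    c = min(claimed_pst_coverage, max_pst_coverage)
    pfd = lambda_du_per_h * (c * pst_interval_h / 2.0
                             + (1.0 - c) * full_test_interval_h / 2.0)
    return PfdResult(pfd, c, c < claimed_pst_coverage)


def pfd_avg_without_pst(lambda_du_per_h: float, full_test_interval_h: float) -> float:
    """Same approximation with full proof tests only: lambda_DU * tau / 2."""
    return lambda_du_per_h * full_test_interval_h / 2.0


if __name__ == "__main__":
    lam = 1.0e-6                    # constructed dangerous undetected failure rate, per hour
    tau_full = 3 * HOURS_PER_YEAR   # full proof test every 3 years
    tau_pst = 730.0                 # roughly monthly partial stroke
    base = pfd_avg_without_pst(lam, tau_full)
    uncapped = pfd_avg_with_pst(lam, tau_full, tau_pst, 0.90, max_pst_coverage=1.0)
    capped = pfd_avg_with_pst(lam, tau_full, tau_pst, 0.90)
    print(f"no PST:            {base:.2e}")
    print(f"90% claimed, no cap: {uncapped.pfd_avg:.2e}")
    print(f"90% claimed, 70% cap: {capped.pfd_avg:.2e} (cap applied={capped.cap_applied})")
```

In the sample run the uncapped 90 % claim would cut the PFDavg roughly eight-fold, whereas the 70 % cap limits the credit to about a three-fold reduction; the difference is exactly the share of valve failure modes (full travel, shutoff) that a partial stroke cannot reveal and that only the full proof test covers.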
I.12.1.5 Hydraulic slide valve
Due to their physical size, hydraulic slide valves (HSV) are usually not provided with bypass
lines around them. HSVs are also rarely fully stroked on-line due to the fact that even the
slightest uncontrolled change in valve position can result in a major unit upset. Therefore, on-line
proof testing of HSVs is usually limited to testing up to the trip solenoid, in addition to performing
periodic preventive maintenance checks. Full stroke testing of HSVs is left as a turnaround
maintenance activity.
1) prior to performing any work or testing on a HSV, the following steps should be taken:
a) obtain console operator permission to perform work on the HSV
b) if HSV to be tested is associated with a SIS, obtain and complete the necessary bypass
approval process including all signatures
NOTE The below information is generic in nature. For recommendations on a specific type valve, hydraulic
actuator and hydraulic power unit, the manufacturer SHOULD BE CONSULTED.
Inspection and maintenance while HSV is in-service
1) perform a visual field inspection of the hydraulic slide valve installation:
a) check HSV identification signage is intact, and clearly visible - including all operational
and warning signs
b) check visual integrity of all instrument and control cabling around the hydraulic slide valve
and its hydraulic power unit (HPU) source
c) if HSV actuator is insulated or fireproofed, check the integrity of the insulation and
fireproofing
d) check the integrity of all hydraulic lines or hoses between the HSV actuator and its HPU,
especially for leaks
e) check line flanges, bonnet flange, and stem packing gland for evidence of leakage
f) on HSVs where steam purge is used, check the integrity of steam supply, and ensure
steam traps are working properly
g) at the hydraulic power unit (HPU) for the HSV check and verify:
1) oil reservoir level and temperature
2) differential pressure across hydraulic pump filters for dirty filters
3) catch oil sample to prove quality of hydraulic oil, and signs of wear
4) ensure reservoir nitrogen purge pressure is positive to eliminate pulling air into the
system
5) ensure all HPU process and system alarms are clear
6) ensure the standby hydraulic pump (i.e. non-running) is in auto
7) check motor vibration and amperage of the running pump
2) hydraulic slide valve operational checks:
a) partially move the HSV at least once a day to the degree feasible (without creating a unit
upset) to verify the valve is not stuck in place and will move
b) verify HSV position feedback signal is working correctly
c) HSV emergency trip solenoid verification:
1) place the HSV into the locked-in place (manual) test position - which renders the
hydraulic actuator to be inoperable during this test
2) by either using an actual SIF trip initiator or by forcing the SIS logic solver output,
simulate the trip output signal to the HSV trip solenoid. Depending on the HSV
design, this output signal will either be an "energized" or "de-energized" signal.
3) confirm the HSV trip solenoid operated correctly by observing a change in pressure
via a pressure gauge that now reads the trip accumulator pressure
There should also be no change observed in the physical HSV position
4) when HSV trip solenoid testing is complete, re-establish normal function (by either
restoring the SIF trip initiator or placing the SIS logic solver output back to normal
state). Confirm that the command signal is equal to the position feedback signal.
5) once complete, restore the hydraulic actuator back in service by removing the
locked-in place (manual) function, and return to "auto"
3) once testing is complete, restore everything back to pre-test conditions, ensure all HPU
alarms are clear, one HPU pump is running/other pump is in auto-start, the HSV is in the
correct process position, and notify console operator that testing is complete
Inspection and maintenance during a turnaround - while HSV is not in-service
1) perform a visual field inspection of the hydraulic slide valve installation, and replace as
needed:
a) check the integrity of all hydraulic lines or hoses between the HSV actuator and its HPU,
especially at threaded junctions for leaks
b) remove external insulation and examine welds for cracks
c) inspect refractory lining for erosion, spalling or excessive cracking
d) if stem packing has a history of leaking though this seal, replace the packing on the stem
packing gland
e) thoroughly clean HPU reservoir and replace hydraulic fluid
f) HPU filter replacement
g) inspect and replace accumulator seals and charging valve
h) inspect and clean lock-in place solenoid valve
i) inspect and clean emergency trip solenoid valve
j) check status and calibration of all gauges and transmitters
2) hydraulic slide valve operational checks:
a) at the hydraulic power unit (HPU) for the HSV simulate and test all of the following
alarms:
1) oil reservoir high and low level alarms
2) oil temperature high and low level alarms
3) high differential pressure alarm across hydraulic pump filters
b) test and verify the correct operation of the hydraulic oil pump auto-start function on low
low oil pressure
1) perform auto-start test with pump A in hand, and pump B in auto
2) repeat auto-start test with pump A in auto, and pump B in hand
c) check the following data for each hydraulic oil pump:
1) pump efficiency and vibration, in comparison to previous collected data
2) motor vibration and amperage draw on pump cycling per previous data
3) motor couplings for wear and replace as necessary
d) check and verify local hand wheel operation
e) perform lock-in place test to verify that hydraulic actuator does not respond to an input
command signal
f) perform trip solenoid test and verify the following:
1) HSV strokes from fully open to fully close
2) confirm stroke time in comparison to previous collected data
3) check calibration and linearity of feedback position transducer and control (for
modulating valves)
g) check the number of full strokes possible with the pumps switched off and using only the
accumulator pressure. Record pressure at each step, and compare results with previously
collected data.
h) perform testing for each of the following scenarios, and confirm the HSV fail action:
1) loss of electrical power
2) loss of input command signal
3) loss of feedback signal
4) deviation error between feedback signal and input command signal catch
i) once turnaround testing is complete, restore everything back to pre-test conditions, and
notify the console operator that testing is complete
I.12.1.6 Motor operated valve
1) prior to performing test, the following steps should be taken:
a) obtain console operator permission to perform the MOV proof test
b) obtain and complete the necessary control of defeat form including all signatures
2) perform a visual field inspection of the MOV installation:
a) check visual integrity of all control and power cabling around the MOV
b) check that MOV identification signage is intact, and clearly visible
c) if MOV is fireproofed, check the integrity of the fireproofing
d) check the integrity of the grease lubricant between the actuator and the valve stem.
Replenish as needed.
e) check the MOV actuator to ensure all cover bolts, and spare conduit entries are intact
f) if the MOV actuator is fitted with integral pushbuttons, ensure the pushbutton waterproof
seals or membranes are intact
g) if MOV has a remote field mounted pushbutton station, check integrity of the pushbutton
station and its associated cabling
h) at the substation (or switch rack) that the MOV power is fed from, check the integrity of
the circuit breaker
3) depending on whether the MOV valve installation has a bypass line around it or not, proof
testing is conducted in one of two ways:
Partial stroke test (without a bypass line)
a) position person #1 at the MOV, person #2 at the remote pushbutton station, and the
electrician at the MOV circuit breaker
b) person #1 alerts the console operator, and places the MOV in hand wheel manual. Hand
crank the valve 25% of travel towards the closed position from the fully open position,
verifying that the hand wheel is functional. Then reverse the operation of the hand-wheel
to allow the valve to move back to its full open position. Release the manual override
setting/clutch.
c) person #1 operates the MOV with the MOV local OPEN pushbutton. Person #1 verifies
that the valve is opening and then uses the local STOP pushbutton to stop the valve.
Repeat the procedure, this time allowing the valve to go to the full open position. Verify
that all local and remote MOV status indicators are working correctly.
NOTE If however, the valve started to go closed, person #1 radios to the electrician to open the breaker to
abort the test.
d) notify console operator of the problem, and have the electrician troubleshoot the problem
- before continuing the test from the beginning
e) person #1 operates the local CLOSE pushbutton. Person #1 allows the MOV to go 25% of
travel towards the closed position from the full open position (or as far as the Process will
allow without causing a serious unit upset). Person #1 uses the local STOP pushbutton to
stop the valve. (If however, the valve doesn't stop, person #1 radios to the electrician to
open the breaker to abort the test.)
f) person #1 radios to person #2 to operate the MOV with the MOV remote OPEN
pushbutton. Person #1 verifies that the valve is opening and radios to person #2 to stop
the valve. Repeat the procedure, this time allowing the valve to go full open. Verify that all
local and remote MOV status indicators are working correctly.
NOTE If however, the valve started to go closed, person #1 radios to the electrician to open the breaker to
abort the test.
g) notify console operator of the problem, and have the electrician troubleshoot the problem
- before continuing the test from the beginning
h) person #1 radios to person #2 to operate the MOV with the MOV remote CLOSE
pushbutton. Person #1 allows the MOV to go 25% closed (or as far as the process will
allow without causing a serious unit upset). Person #1 radios to person #2 to stop the valve
using the STOP pushbutton. Verify that all local and remote MOV status indicators are
working correctly.
NOTE If however, the valve doesn't stop, person #1 radios to the electrician to open the breaker to abort the
test.
i) person #1 radios to person #2 to operate the MOV with the MOV remote OPEN
pushbutton. Person #1 verifies that the valve is opening and allows the valve to go fully
open.
j) if the MOV has pushbuttons in the manned control center, repeat steps e through f except
using the control center pushbuttons
k) once testing is complete, restore everything back to pre-test conditions, ensure breaker is
energized (i.e. closed), MOV valve is in the correct position, and notify the console
operator that testing is complete

Full stroke test (with a bypass line)
a) position person #1 at the MOV, person #2 at the remote pushbutton station, and the
electrician at the MOV circuit breaker
b) open the bypass valve around the MOV valve to be tested. If the bypass valve is fitted with a
position status indication, verify the bypass valve status changed from closed to open.
c) person #1 alerts the console operator, and places the MOV in hand wheel manual. Hand
crank the valve 25% closed, verifying that the hand wheel is functional.
d) person #1 operates the MOV with the MOV local OPEN pushbutton. Person #1 verifies that
the valve is opening and then uses the local STOP pushbutton to stop the valve. Repeat the
procedure, this time allowing the valve to go full open. Verify that all local and remote MOV
status indicators are working correctly.
NOTE If however, the valve started to go closed, person #1 radios to the electrician to open the breaker to abort
the test.
e) notify console operator of the problem, and have the electrician troubleshoot the problem -
before continuing the test from the beginning
f) person #1 operates the local CLOSE pushbutton. Person #1 allows the MOV to go fully
closed. Verify that all local and remote MOV status indicators are working correctly.
At this point - if it is desired, and facilities permit, leak testing of the valve may be performed.
g) person #1 radios to person #2 to operate the MOV with the MOV remote OPEN pushbutton.
Person #1 verifies that the valve is opening and radios to person #2 to stop the valve. Repeat
the procedure, this time allowing the valve to go full open. Verify that all local and remote
MOV status indicators are working correctly.
NOTE If however, the valve started to go closed, person #1 radios to the electrician to open the breaker to abort
the test.
h) notify console operator of the problem, and have the electrician troubleshoot the problem -
before continuing the test from the beginning
i) person #1 radios to person #2 to operate the MOV with the MOV remote CLOSE pushbutton.
Person #1 allows the MOV to go fully closed. Person #1 radios to person #2 to fully OPEN
the valve with the remote OPEN pushbutton. Verify that all local and remote MOV status
indicators are working correctly.
j) if the MOV has pushbuttons in the manned control center, repeat step i for the control center
pushbuttons
k) once testing is complete, restore everything back to pre-test conditions, ensure breaker is
energized (i.e. closed), MOV valve is in the correct position, MOV bypass line is closed, and
notify the console operator that testing is complete
I.12.2 Motor starters (low to medium voltage)
Another final element that needs to be tested is a motor starter for an electrical motor. Electrical
motors are typically implemented to drive pumps on process facilities. There are a number of
types of motor starters found on process facilities, with the most common being a manual starter
and a combination FVNR (full voltage non-reversing) starter.
The manual starter is typically used for single-phase motors that do not require remote start/stop
functionality. A manual starter includes make/break electrical contacts operated by an operator
accessible manual switch, overload protection, and is mounted in a single NEMA rated enclosure
near the motor.
A combination FVNR motor starter is typically used for three phase motors or motors that require
remote start stop functionality. A combination FVNR starter includes a fused disconnect switch,
an electrical contactor, overloads, and is mounted in either a single NEMA rated enclosure or a
motor control center (MCC). With the advent of remote operator control of processes came the
ISA-TR84.00.03-2012 - 124 -
need for central control rooms (CCR) and electrical control rooms (ECR) in the process sector;
as a result most combination FVNR motor starters are now mounted in MCCs located in the
ECR.
An MCC is a free-standing row of vertical and horizontal buses mounted in sections with plug-in
type motor starters. The size of the MCC is based on the number and size of the motor starters
and the supplemental requirements (e.g., main disconnect, section disconnects, safety switches,
power panels).
I.12.2.1 Test requirements
This brief review of testing requirements is based on applications using combination FVNR motor
starters mounted in a MCC with each motor starter directly connected to its motor. It is assumed
that the SIS is de-energized to trip and the motor-operated pump is considered in a safe state
when the motor is stopped.
Safety concerns with motor starters in MCCs include:
short-circuit induced arc when inserting a motor starter onto the MCC bus
short-circuit induced arc when extracting a motor starter from the MCC bus
bus shorts and voltages
improper power lockout
alternate power feeds into the MCC that require multiple lockouts
alternate power feeds into the motor starter, so that opening the motor starter disconnect
switch does not remove all power within the motor starter
I.12.2.2 General requirements
The facility should have an approved procedure and training in place before testing MCC motor
starters. The procedure should ensure electrical safety equivalent to NFPA 70E, which includes
activities such as:
try, lock, tag, and try procedure
stand-aside/left-hand rule in any MCC disconnect switch operation
eye protection
hand and body protection
as-built drawings
MCC is ECOd (i.e., engineering change ordered) up-to-date
plant maintenance, operations, and production safety procedures
MCC manufacturer testing and safety procedures
MCC is properly grounded
ability to lock out all power sources to the MCC
When testing an MCC motor starter, implement and complete all the procedures noted above, and
inspect the bus and the plug-in clamps on the motor starter for wear. This inspection should
reveal any signs of excessive heat, improper contact, or wear. In addition to visual inspection, full
functional cycling of the contactor should be performed.
If further inspection is needed, the motor starter can be removed and taken to the maintenance
shop to be inspected, tested, and upgraded as needed. Note that a duplicate motor starter may
have been previously approved and designed to replace the removed unit, greatly reducing the
mean time to restoration. In any event, the insertion of the tested starter should follow the
manufacturer's approved installation method, and the power and control leads should be tested
as noted elsewhere in this TR before energizing the motor starter.
I.12.3 Variable speed drives (VSD)
Following are some basic testing considerations for E/E/PE smart (i.e., microprocessor-based)
VSDs (e.g., DC, AC, variable frequency) that are final elements within SIF.
This discussion centers on the premise that the SIF application is a de-energized to trip
application where removal of electrical power to the VSD provides a safe state.
CAUTION: Removal of power refers to the power necessary to operate the drive. It does
NOT refer to the removal of all electrical power within a VSD drive system. As such, a
SIF/VSD interface should NEVER be considered an electrical lock-out device.
Typical shutdown interfaces between a SIF and a VSD in an industrial environment include
electro-mechanical contactors, discrete outputs, communication networks, analog signals, and
wireless technologies.
The shutdown technology implemented depends on the process safety-related application and
the VSD design.
Today's VSD design is influenced by the mature EN 954-1 standard (since superseded by
ISO 13849-1) and the more recent IEC 62061 standard. While this may not affect testing
measures directly, it is mentioned here because it does affect SIF design considerations. The
SIF interface design to the VSD should be completely understood prior to proceeding with testing.
It is assumed that the design has three basic design characteristics:
1) The VSD design has a TRY-LOCK-TAG-CLEAR-TRY feature. The initial TRY pushbutton
feature allows the VSD to be momentarily jogged (this ensures the proper drive is being
locked out), then the SIF shutdown is implemented; the system is LOCKED out and
TAGGED; the total physical area impacted by the VSD is CLEARED and the TRY button is
activated again to ensure the VSD has been properly locked out.
2) The VSD has an internal electrical distribution that isolates the VSD drive power and VSD
load output power from the VSD microprocessor power, the VSD input power, the VSD
diagnostic output power, and the VSD HMI power.
3) The plant has a lockout procedure for the VSD microprocessor power, the VSD input power,
the VSD diagnostic output power, and the VSD HMI power circuits.
It is assumed that the plant has a turnover tagging system. The purpose of placing tags is to
provide a visible indication of the status of each piece of equipment to eliminate exposure to
energized systems by unauthorized personnel. Placement or removal of tags must be done
jointly by the organizations involved. Only one color of tag may be on a piece of equipment at
any time.
NOTE This test description is not intended to determine if the VSD is operating properly, but is intended to determine
if the SIF interface to the VSD is operating properly.
I.12.3.1 SIF/VSD testing - general
Given the multiple energy sources typically found in a VSD, the plant should have the ability to
safely de-energize, lock-out, and tag any and all parts of the VSD system.
The SIF/VSD testing procedure will vary depending on which circuit is being tested. For
purposes of brevity it will be assumed the VSD power circuit is to be tested.
I.12.3.2 Discrete outputs
The VSD may need to be locked out in order to test the discrete logic solver output to ensure it is
functioning properly. This can be done using the SIF logic solver forcing capability or when
testing the logic solver application program. If there is no separate motor starter supplying
power to the VSD, and the output is a solid-state device, then for complete test coverage its
off-state leakage current (i.e., the current drawn when the output is commanded off) should be
measured and documented. This value should be checked against the hold-in current of the VSD
control circuit to ensure there is sufficient margin for the drive to shut down when the output
commands it. These current values should be recorded and retained, since the off-state leakage
current of solid-state devices tends to increase over time.
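The margin check and trending that I.12.3.2 calls for, as an added example that is not part of this technical report or of any drive vendor's documentation. The hold-in current, the acceptance margin factor and the dated readings are constructed assumptions; the margin factor in particular stands in for whatever acceptance criterion the site's test procedure specifies. Beyond the single comparison the paragraph describes, the function fits the recorded readings to project roughly when a rising leakage would consume the margin, which is the reason the TR asks for the values to be recorded rather than just checked.

```python
"""Off-state leakage check for a solid-state SIF output driving a VSD run-enable circuit.

Added example, not from ISA-TR84.00.03-2012 or any drive vendor.  The hold-in
current, the margin factor and the dated readings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class LeakageReading:
    when: date
    leakage_ma: float  # current drawn by the output while commanded OFF


@dataclass(frozen=True)
class LeakageAssessment:
    latest_ma: float
    limit_ma: float
    passes: bool
    trend_ma_per_year: Optional[float]  # None if fewer than two distinct dates
    years_to_limit: Optional[float]     # None if no rising trend or already failed


def leakage_limit_ma(hold_in_ma: float, margin_factor: float = 0.5) -> float:
    """Largest off-state leakage accepted for this circuit.

    hold_in_ma is the smallest current that keeps the VSD run-enable input
    energised; leakage at or above it means the drive never sees the trip.
    margin_factor (assumed here; the site procedure decides the real value)
    keeps the accepted leakage well below that point.
    """
    if hold_in_ma <= 0:
        raise ValueError("hold_in_ma must be positive")
    if not 0 < margin_factor < 1:
        raise ValueError("margin_factor must lie strictly between 0 and 1")
    return hold_in_ma * margin_factor


def leakage_trend_ma_per_year(readings: List[LeakageReading]) -> Optional[float]:
    """Least-squares slope of leakage versus time, in mA per year."""
    if len(readings) < 2:
        return None
    t0 = readings[0].when
    xs = [(r.when - t0).days / 365.25 for r in readings]
    ys = [r.leakage_ma for r in readings]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:  # all readings on the same day: no time base for a trend
        return None
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx


def assess_leakage(hold_in_ma: float, readings: List[LeakageReading],
                   margin_factor: float = 0.5) -> LeakageAssessment:
    """Compare the latest reading against the limit and project margin consumption."""
    if not readings:
        raise ValueError("at least one reading is required")
    ordered = sorted(readings, key=lambda r: r.when)
    limit = leakage_limit_ma(hold_in_ma, margin_factor)
    latest = ordered[-1].leakage_ma
    slope = leakage_trend_ma_per_year(ordered)
    years = None
    if slope is not None and slope > 0 and latest < limit:
        years = (limit - latest) / slope  # years until the rising leakage reaches the limit
    return LeakageAssessment(latest, limit, latest <= limit, slope, years)


# Constructed sample: a 10 mA hold-in circuit and three annual proof-test readings.
SAMPLE_HOLD_IN_MA = 10.0
SAMPLE_READINGS = [
    LeakageReading(date(2019, 1, 1), 1.0),
    LeakageReading(date(2020, 1, 1), 2.0),
    LeakageReading(date(2021, 1, 1), 3.0),
]

if __name__ == "__main__":
    result = assess_leakage(SAMPLE_HOLD_IN_MA, SAMPLE_READINGS)
    verdict = "PASS" if result.passes else "FAIL"
    print(f"{verdict}: latest {result.latest_ma:.2f} mA vs limit {result.limit_ma:.2f} mA")
    if result.years_to_limit is not None:
        print(f"rising {result.trend_ma_per_year:.2f} mA/yr; "
              f"limit reached in about {result.years_to_limit:.1f} years")
```

The projection is deliberately a plain linear fit: it is enough to flag an output that will fail before the next proof test, which is the decision the recorded history is meant to support, and it is easy to redo by hand on the test record.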
The VSD should be uncoupled from its load if practicable. This will facilitate safely testing the
SIF interface to the VSD. If this is not possible an analysis of the impact of drive rotation on the
process load is required to determine when and how to proceed. Often a pre-planned jog or try
pushbutton function coordinated with the SIF command can be used to test the validity of the SIF
interface to the VSD while not impacting the process.
I.12.3.3 Communication networks
Today's VSDs often offer the ability to interface the SIF and VSD via a safety-certified
communications network. Testing of this approach requires the following additional
considerations:
1) Testing requires a complete understanding of the testing recommendations provided by the
communications network and VSD manufacturers.
2) A test of the communications network watchdog system should be included in the test.
3) The corporate IT/cyber-security function should be consulted on past, present, and anticipated
cyber-security threats to determine the extent of cyber-security testing needed.
I.12.3.4 Analog
While today's VSDs often offer the ability to interface the SIF and VSD via a safety-certified
communications network, most VSD manufacturers still provide an analog interface option (e.g.,
4-20 mA). This is done in part to allow an alternate SIF interface between a SIF logic solver
and a VSD from different manufacturers, where the network interface may have interoperability
defects. The analog communications watchdog system should be included in the test.
I.12.4 Wireless
Today's VSDs are often implemented in robotic-type applications (e.g., material handling,
material storage and retrieval) that utilize wireless SIF-to-VSD interfaces. Testing of the wireless
communication may utilize any of the other approaches discussed in I.12. However, testing of
wireless does introduce additional considerations including:
1) Testing requires a complete understanding of the testing recommendations provided by the
wireless manufacturer.
2) Wireless implementation typically brings into play other layers of protection that have to be
considered (e.g., barriers, photo eyes, pressure mats, light curtains).
3) Test of the wireless communications network watchdog system should be included in the
test.
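The behaviour a watchdog test has to provoke, as an added example that is not part of this technical report and is not any vendor's safety-certified protocol: a receive-side heartbeat monitor of the kind I.12.3.3, I.12.3.4 and I.12.4 say must be exercised. It holds run-enable only while heartbeats arrive within the timeout with a strictly advancing sequence counter, so a test that only unplugs the cable covers one of the three fault cases below; a frozen counter (a stuck or looped-back sender) and a replayed old frame (one of the cyber-security threats the same section asks to be assessed) are the other two, and a wrap of the counter must not trip. Timeout, counter width and the event lists are constructed assumptions.

```python
"""Heartbeat watchdog model for a SIF-to-VSD communication link.

Added example, not from ISA-TR84.00.03-2012 and not any vendor's certified
safety protocol.  Timeout, counter width and scenarios are constructed.
"""
from typing import List, Optional, Tuple


class HeartbeatWatchdog:
    """Drops run-enable on silence, a frozen counter or a replayed/skipped counter."""

    def __init__(self, timeout_ms: int, seq_bits: int = 16) -> None:
        self.timeout_ms = timeout_ms
        self.seq_mod = 1 << seq_bits          # counter wraps modulo 2**seq_bits
        self.last_seq: Optional[int] = None
        self.last_rx_ms: Optional[int] = None
        self.trip_reason: Optional[str] = None
        self.trip_time_ms: Optional[int] = None

    @property
    def run_enable(self) -> bool:
        return self.trip_reason is None

    def _trip(self, now_ms: int, reason: str) -> None:
        if self.trip_reason is None:          # latch the first cause; never self-reset
            self.trip_reason, self.trip_time_ms = reason, now_ms

    def poll(self, now_ms: int) -> bool:
        """Scan-cycle call with no frame received; trips once the link has gone quiet."""
        if self.last_rx_ms is not None and now_ms - self.last_rx_ms > self.timeout_ms:
            self._trip(now_ms, "timeout")
        return self.run_enable

    def receive(self, now_ms: int, seq: int) -> bool:
        """Process one heartbeat frame carrying sequence counter `seq`."""
        self.poll(now_ms)                     # a late frame is still a timeout
        if self.last_seq is not None:
            expected = (self.last_seq + 1) % self.seq_mod
            if seq == self.last_seq:
                self._trip(now_ms, "frozen counter")
            elif seq != expected:
                self._trip(now_ms, "sequence error")   # replayed old frame or skipped frame
        self.last_seq, self.last_rx_ms = seq, now_ms
        return self.run_enable


Event = Tuple[int, Optional[int]]   # (time_ms, seq); seq None = scan with no frame


def run_scenario(events: List[Event], timeout_ms: int = 100
                 ) -> Tuple[bool, Optional[str], Optional[int]]:
    """Replay a timeline into a fresh watchdog; returns (run_enable, reason, trip time)."""
    wd = HeartbeatWatchdog(timeout_ms)
    for now_ms, seq in events:
        if seq is None:
            wd.poll(now_ms)
        else:
            wd.receive(now_ms, seq)
    return wd.run_enable, wd.trip_reason, wd.trip_time_ms


# Constructed timelines (not captured traffic): heartbeat every 50 ms, 100 ms timeout.
NOMINAL = [(t, t // 50) for t in range(0, 500, 50)]
SILENCE = NOMINAL[:4] + [(t, None) for t in range(200, 400, 50)]   # sender stops at seq 3
FROZEN = NOMINAL[:4] + [(t, 3) for t in range(200, 400, 50)]       # frames keep coming, counter stuck
REPLAY = NOMINAL[:4] + [(200, 1)]                                   # an old frame re-injected
WRAP = [(0, 65535), (50, 0), (100, 1)]                              # legitimate counter wrap

if __name__ == "__main__":
    for name, events in [("nominal", NOMINAL), ("silence", SILENCE),
                         ("frozen", FROZEN), ("replay", REPLAY), ("wrap", WRAP)]:
        print(name, run_scenario(events))
```

A proof test of the watchdog should therefore provoke each of the three trip causes and confirm the latched safe state each time; a link test that shows only that unplugging the cable stops the drive leaves the counter checks unexercised.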
I.13 Testing of manual/automatic response to SIS failure
The design of SIS should consider what could happen if the SIS fails and identify means to
respond to those failures. Based on the requirements of ANSI/ISA-84.00.01-1 Clause 11.3.2,
there needs to be a way to achieve or maintain a safe state of the process when there is a failure
of the SIS to operate as required. For example, the failure of the final elements could be
disastrous. Having a plan, or response procedure, for how to manage this situation minimizes
the impact of such a failure.
In many applications, an operator is provided with a manual shutdown as a means to
manually initiate shutdown of the process. For example, when a sensor fails to activate the SIS,
the operator can activate a manual trip of the SIS through the SIS or through an independent trip
switch. In the case of a final control element failure, a unit boundary shutoff valve may be
needed. In all cases these backup systems should be tested to ensure their functionality should an
event occur. This includes the equipment, the alarms and the operators.
The manual shutdown or the independent trip systems may operate one or multiple valves. Each
component of the manual shutdown should be tested and maintained as necessary to keep the
equipment in good working order. An end-to-end test should be performed to make sure the
entire system is functional. The most logical time to test the manual shutdown equipment is
during the proof test, since some of the equipment is associated with the SIS. The equipment
that is not part of the SIS could be tested at a different interval as appropriate to demonstrate the
required integrity.
Manually operated valves or other manual devices will need to be periodically operated for
functionality, inspected, and preventive maintenance performed on the equipment as needed.
The sensors and alarms, which identify the failure of the SIS, should be tested, calibrated and
maintained.
I.14 Testing of bypasses
I.14.1 Testing of manual bypass switches
The proper operation of manually operated bypass switches should be verified during SIS
commissioning and verified after modifications that could affect the operation of the bypass.
Verification should be performed prior to commencing operations and should demonstrate proper
application and removal of the bypass condition. A failure to enter the bypass state could result
in spurious alarms or spurious activation of the SIS during maintenance. A failure to return to
normal from the bypass state could block SIS action during a valid process demand.
I.14.2 Testing of automated bypasses
The proper operation of automatically initiated bypasses should be verified during SIS
commissioning and verified after modifications that could affect the operation of the bypass.
Automated bypasses include timed functions (for instance a timed low flow bypass for pump
start) and manually initiated conditions through an HMI. Verification should be performed prior
to commencing operations and should demonstrate proper application and removal of the bypass
condition. A failure to enter the bypass state could result in spurious alarms or spurious
activation of the SIS during maintenance. A failure to return to normal from the bypass state
could block SIS action during a valid process demand.
Annex J Deferral considerations and example procedures
This Annex provides examples of deferral procedures. Users may develop other deferral
procedures incorporating similar information or use other forms of documentation to approve,
record and track deferral.
J.1 Example deferral approval procedure
Below are the requirements for deferring tests and repairs of SIS and BPCS IPL equipment. All
due dates mentioned below are based on the last day of the month in which the test was
due.
Statement of intent:
This process provides flexibility in instrument testing requirements to accommodate production
planning and turnaround timing issues. However, deferral of a required test or repair of a SIS or
of a required test of a BPCS Independent Protection Layer (IPL) should be a non-routine event,
based upon unusual circumstances.
Each SIS and BPCS IPL should be designed and maintained such that deferrals are not routinely
required.
Alternative practices for test deferrals:
Design practices to consider include:
partial stroke testing
automatic testing
testing while bypassing the SIS or BPCS IPL
use of an alternate SIS or BPCS IPL
Test deferral identification:
If a test is not completed by the end of the month in which it was due and an approved deferral
is not obtained, the test will be considered overdue. The overdue report should be presented to
the responsible leader and a compliance plan should be developed for all overdue tests.
The Maintenance organization at each site must determine which role(s) are responsible for
tracking and reporting overdue tests.
Test deferral requirements:
A test of an individual SIS or BPCS IPL component may be deferred up to 50% of the prescribed
test interval beyond the scheduled test date, but less than one year, with the approval of the
Production Leader, the EH&S Delivery Leader and either the Geographic or the Business Process
Safety Technology Leader.
A test of an individual SIS or BPCS IPL component may be deferred between 50% and 100% of
the prescribed test interval, but not more than one year, with the additional approval of the Tech
Center Director, the Site Leader (or small site equivalent) and the Manufacturing Business
Operations Leader.
Repair deferral identification:
At the time a failure or malfunction is noted, an assessment of the repair time is made by the
owner, the SIS Specialist and other expertise as appropriate.
The timing for the repair / monitoring plan is established by designated tables or an approved
calculation method for the MTTR, with a maximum of 14 days.
A repair time exceeding the MTTR is considered a repair time issue.
Repair deferral requirements:
Repair deferral applies only to those SIS instruments and final elements which are redundant.
Single instruments cannot be repaired online.
Repair timing deferrals up to a maximum of 5 times the MTTR require approval by the Production
Leader and the SIS Instrument Coach or global SIS Specialist. Repair deferrals beyond the
maximum of 5 times the MTTR must meet specific hazard assessment requirements.
If the repair is not completed within the time it was due and an approved deferral is not obtained,
the SIS loop is considered impaired and appropriate actions must be taken (e.g., shutdown).
If the repair is not completed within the time approved in the deferral, the SIS loop is considered
impaired and appropriate actions must be taken (e.g., shutdown or alternative protection
arrangement).

J.2 Example test deferral process
Applicability:
The process applies to all SIS and IPL scheduled tests that cannot be completed during the month
of the originally scheduled due date.
Deviation from specific governmentally mandated test intervals must be reviewed by the
Legal Department and approved in writing by the appropriate government agency.
Purpose:
The purpose of this document is to provide a defined process for a SIS or BPCS owner to
determine whether a one-time deferral of a scheduled due date for a test of equipment is
warranted or whether the equipment should be taken out of service. This is done by
documenting an evaluation and reviewing the evaluation with a SIS Specialist and other
key stakeholders. A deferral evaluation should be performed whenever there will be a
deviation from a test interval requirement.
For a deferral to be approved the equipment owner must demonstrate that the deferral will
not add inappropriate risk for the period of time of the requested deferral. This process is
not to be used to routinely defer proof tests. Each loop must be designed to allow an
appropriate proof test interval.
Timing / approval requirement for 50% deferral:
A test deferral of up to 50% of the prescribed test frequency beyond the scheduled test date
for an individual SIS or BPCS component (flexibility to accommodate production planning
and turnaround timing issues) requires approval of the Production Leader, the
Environmental Health and Safety (EH&S) Leader and the Geographic or Business Process
Safety Leader. For example, equipment requiring a test frequency of 6 months can be
extended 3 months past the scheduled test date with the appropriate approvals. The maximum
duration of the deferral should not exceed 1 year nor extend past the next shutdown or
turnaround date, whichever comes earlier.
Timing / approval requirement for 100% deferral:
A test deferral beyond 50% but not exceeding 100% of the prescribed test frequency for an
individual SIS or BPCS component requires additional approval by the Tech Center Director,
the Site Leader (or small site equivalent) and the Manufacturing Business Operations Leader.
The maximum duration of the deferral should not exceed 1 year nor extend past the next
shutdown or turnaround date, whichever comes earlier.
Deferral process timing considerations:
It is recommended that the test due date deferral process and required documentation be
completed 30 days prior to the originally scheduled due date. This timing allows the
entity to plan and schedule a shutdown to meet the originally scheduled date if the deferral
request is not approved.
Management system / documentation:
These deferred tests should be documented in the computerized maintenance management
system such that completion of these activities will be identified as a priority item during
any unscheduled opportunity prior to the deferred date.
Overdue definition:
If a test is not completed by the end of the month in which it was due and an approved
deferral is not obtained, the test will be considered overdue. A compliance plan should be
developed for all overdue tests.
Process:
Steps in the process:
1) Initiate the test due date deferral form and identify all the key stakeholders.
Stakeholders may include owners, the owner's representative and the SIS Specialist.
2) Review demand rate and SIS/BPCS performance history.
3) Identify what will be done for the evaluation and document it. This might be a formal
risk assessment or a meeting of SIS Specialists. Part of this should be a visual
inspection of the equipment by the owner's representative and the SIS Specialist.
Where visual inspection is not feasible, digital photographs of the equipment may be
used.
4) After review and concurrence of the SIS Specialist, obtain signatures of the Production
Leader and the EH&S Leader. Deferrals in excess of 50% additionally
require the signature of the Tech Center Director, the Manufacturing Business
Operations Leader and the Site Leader (or small site equivalent).
5) Complete documentation of the test due date deferral form and file it either
electronically or in hard copy in the equipment history file.
6) Update required information in the maintenance management system.
7) Upon completion of the test, the test due date deferral form should become part of
the permanent equipment history file.
Form:
Documentation of this process should be done using the test due date deferral form
supplied below or a suitable alternate that must include, as a minimum, the following:
equipment identification
original due date for test
deferred due date
listing of the SMEs
approval signatures
explanation of why the deferral is requested
documentation of the global SIS Specialist evaluation
J.3 Test due date deferral approval form
IPL
description:
SIS or BPCS tag
numbers:


Originator:
Plant/Department requesting deferral:

Scheduled due date
Proposed deferral due date

Reason for deferral request (attach additional sheets if needed)





Describe or document SIS Specialist evaluation (attach additional sheets if needed)





Communication plan (attach additional sheets if needed)





Identify stakeholders:

SIS Specialist/Engineer
Management Team

Approval signatures (electronic or manual):


Operations Manager Date

SIS Specialist/Engineer Date

PSM Manager Date
J.4 Example repair deferral procedure
Applicability:
Redundant instruments. The process applies to all deficiencies identified as a result of a Safety
Instrumented System (SIS) test that cannot be corrected within the average MTTR after
the time the deficiency is found.
Single instruments. SIS without redundant sensors/final elements cannot be handled with this
process.
Instruments required by government regulation. This process does not apply to deficiencies
identified during government or other regulatory tests. Deviation for repairs resulting from
regulatory required tests can only be approved using the process identified by the appropriate
government agency and reviewed by the Legal Department.
Purpose:
The purpose of this process is to provide a defined process for an entity to seek a one-time
deferral of a scheduled due date for repair of equipment by documenting an engineering
evaluation, reviewing it with the SIS Specialist and other key stakeholders, and
documenting approval of the Operations, Maintenance and Process Safety Leadership
Team.
For deferrals of this type, the requestor must demonstrate that the deferral will not add
inappropriate risk for the period of time of the requested deferral.
Timing / approval requirements:
The Production Leader/Department Head and the SIS Specialist must approve all
deferrals within their block/area. Additionally, the Site/Regional Process Safety Technology
Leader (or small site equivalent) must approve all deferrals to ensure compliance with
applicable government regulations.
Management system documentation:
These deferred repairs should be documented in the maintenance management system
such that completion of these activities will be identified as a priority item during any
unscheduled opportunity prior to the deferred date. The maximum duration of the deferral
should be the next scheduled shutdown or turnaround date, not to exceed one year.
Overdue definition:
If the repair is not completed by the time defined by tables or another approved calculation
method as the average Mean Time to Repair, and an approved deferral is not obtained or a
SIS Impairment Standard process hazard assessment was not completed and approved,
the repair will be considered overdue. The operation of the plant section protected by the
SIF must be discontinued or an alternative arrangement must be put in place that provides
an equivalent level of safety. The relevant LOPA line should be modified to show the
existence and adequacy of this alternative arrangement, and approval of the business Process
Safety Leader must be obtained.
Process:
Steps in the process:
1) Initiate the repair due date deferral form and identify all the key stakeholders.
Stakeholders may include owners, the owner's representative and the SIS Specialist.
2) Review the documentation that was prepared for the repair and other equipment
history.
3) Identify what will be done for an engineering evaluation to ensure no additional risk
will result from deferring this repair for the additional time period, and document it. This
might be a meeting of Specialists. Part of this should be a visual inspection and a
review of the impact on the PFD calculation of the SIS loop by the owner's
representative and the global SIS Specialist. Where visual inspection is not feasible,
digital photographs of the equipment may be used.
4) Obtain signatures of the Production Leader/Department Head, SIS Specialist, Tech
Center Director, Business Operations Leader, Site Leader and Site/Regional Process
Safety Technology Leader (or small site equivalent) as required.
5) Complete documentation of the repair due date deferral form and file it either
electronically or in hard copy in the equipment history file.
6) Update required information in the maintenance management system.
7) Upon completion of the inspection or repair, the repair due date deferral form should
become part of the permanent equipment history file.
Form:
Documentation of this process should be done using the repair due date deferral form
supplied below or a suitable alternate that must include, as a minimum, the following:
equipment identification
original due date for repair
deferred due date
listing of the SMEs
approval signatures
explanation of why the deferral is requested
documentation of the SIS Specialist evaluation
J.5 Example repair due date deferral form
SIF
description:
SIS tag numbers

Originator:
Plant/Department requesting deferral:

Scheduled due date
Proposed deferral due date

Reason for deferral request (attach additional sheets if needed)





Describe or document SIS Specialist evaluation (attach additional sheets if needed)





Attach repair deficiency documentation

Communication plan (attach additional sheets if needed)





Identify stakeholders:

SIS Specialist/Engineer
Management Team

Approval signatures (electronic or manual):

Operations Manager Date

SIS Specialist/Engineer Date

PSM Manager Date
Annex K Example bypass approval procedures
This Annex provides examples of bypass approval procedures. Users may develop other bypass
approval procedures incorporating similar information or use other forms of documentation to
approve, record, and track bypassing.
K.1 Example bypass approval procedure 1
K.1.1 Bypassing policy when process hazards are present
Process hazards are normally considered present when the process is running, has process
materials still contained in the vessels or piping, or has energy sources available.
All SIF(s), which are found to be bypassed without authorization, are to become the subject of an
incident investigation.
The following is required to bypass SIS equipment.
The authorization to bypass will be on a completely filled out SIS equipment bypass
permit.
Authorization levels for all SIS equipment bypasses depend on the length of the bypass
permit as shown below.
up to 72 hours: Second Line Manager or designate
more than 72 hours but less than 168 hours (7 days): Production Manager or
designate
more than 168 hours (7 days): Plant Manager or designate
It is forbidden to circumvent the time limit by having bypasses re-authorized, e.g. if a
bypass is originally authorized for 72 hours and the work is not completed then
another bypass must be issued with the permit starting at the original time.
When authorization is required at times other than days, Monday through Friday, or
holidays telephone contact to the authorizer or designate is adequate.
The time that the bypass is in effect should be limited to the minimum time.
Continuity of the repair should be maintained during the bypassing of SIF(s).
A qualified instrument or electrical technician must bypass the SIF(s).
The bypass should only bypass the part of the SIF(s) required for the purpose of the
bypass.
Production must post the white copy of the authorized bypass permit in the CCR, one
copy with the Production Supervisors and one copy with the E&I Supervisor when the
bypass is installed. The white copy is to be filed when the permit is removed.
Bypassing is to be done in such a way that it is obvious that the SIF(s) is bypassed.
Bypass the minimum part of the circuit. For example, if the transmitter is bad or
questionable then bypass only the input to the relay or PES. This will leave the other
SIF(s) in the circuit functional.
Do not bypass SIF(s) by forcing transmitters to give false measurements. Examples are to
raise the zero on transmitters, bypassing transmitters impulse lines and changing purge
gas flows to cause measurement errors. Entering process values in PES is not
recommended.
K.1.2 Bypassing policy when process hazards are not present
Process hazards are normally not present when equipment is not in operation and is properly
cleared and tagged. Other policies such as lock-tag-try, MOC policy, and the other requirements
of this standard must be met to ensure the SIF are returned to service before the hazards are
introduced.
The following exceptions to bypassing policy apply when process hazards are not present.
bypassing permit is not required
the time that the bypass is in effect is not limited to minimum repair time
continuity of repair is not required
bypassing authorization is not required
the following must be done when bypassing (performing maintenance work on) an SIF(s)
when process hazards are not present:
a qualified instrument or electrical technician must bypass the SIF(s)
the bypass should only bypass the part of the SIF(s) requiring repair or maintenance
K.1.3 Records
The SIF(s) bypass permit authorizing the bypass will be under the control of production. After the
bypass has been removed, production is required to keep the bypass permits on file for five
years. This is to allow review by the cyclic PHA team.
A unit report no later than the third working day of each month, documenting each SIF(s) which
was bypassed via a bypass permit must be prepared and submitted to the Production Manager.
This report should include the date the bypass was installed, the date the bypass was removed
and if it was past due.
K.1.4 Responsibilities
K.1.4.1 Approvers of the bypass permit
The function of approvers is to complete the bypass permit. They must be knowledgeable of the
process, process hazards, and the SIF(s) system. This will usually consist of a production
supervisor, operating technician, E&I supervisor, E&I technician, process technical, and E&I
engineer, as needed.
All participants filling in the bypass permit sections 1 through 4 must initial the permit, indicating
their approval. Technical approval can be complete by the Technical Supervisor or designate or
senior technical person familiar with the process hazards.
K.1.4.2 Authorizer of the bypass permit
The function of the authorizer is to insure that the permit has been completed correctly and the
risk to bypass the SIF(s) is acceptable. Typically this requires the authorizer to ask questions of
the approvers to insure due consideration has been given to each entry of the permit. A second
line supervisor or designate fills this function.
OPERATIONS:
Determine if process hazards are present.
Insure the equipment is returned to service.
Assist Maintenance as required.
For keyed SIF(s) bypasses, the operating supervisor must retain responsibility for control of the
key. Keys must not be left in the switch when the SIF(s) is not bypassed.
Produce the monthly unit report for the Production Manager.
MAINTENANCE:
Perform all mechanical work involving bypassing and restoring of SIF to service.
TECHNICAL:
Assist production and maintenance as required especially in hazard analysis and SIF(s)
bypassing method.
Approve the bypass permit.
K.1.5 Safety analysis and authorization
The operating group requesting the work will normally fill in the first and second sections of the
permit. These sections document the purpose and objectives for the bypass and lead you
through simple hazards screening. These sections focus on the EHS hazards that the safety
action addresses. Much of the hazard information will be documented in the operating guides,
SIF(s) test procedure and in the process hazard classification documentation for the area. If
additional information is needed to complete this section, consult the technical and maintenance
groups. The hazards screening section of the permit details which action will be bypassed, the
reason for the bypass, limits for the change (expected bypass duration), and safety steps to be
taken that ensure safe operation while the bypass is in effect. When filling in this permit, it is
important to be as thorough as possible, attach temporary operating procedures and other
documentation as needed.
The third section of the permit will normally be filled in by the Maintenance group performing the
bypass work. This section documents the technical basis and description of how the bypass will
be accomplished. All affected devices and actions are to be listed. List all other documentation
related to the bypass action, such as marked prints or special maintenance procedures.
Section four of the permit is a summary statement to say why the unit is safe to operate with the
bypass in service.
Section five of the bypass permit is for approval and authorization of the action. All participants
filling in the bypass permit sections 1 through 4 must initial the permit, indicating their approval.
Technical approval can be completed by the Technical Supervisor or designate or senior technical
person familiar with the process hazards. After section 5 is completed, the action can be taken.
All devices bypassed must be properly tagged. The white signed copy of the bypass permit
should be posted in the CCR for communication purposes and will be filed for closure after the
bypass action is removed. The yellow and pink copies are to be sent to the production and E&I
supervisor when the SIF is bypassed.
Finally sections six and seven of the permit document when the bypass is installed and removed.
It also documents that the CCR operator has reviewed the bypass permits at the beginning of the
shift.


K.1.6 Example SIF bypass permit
Section 1:
Requested by: _________________________________ Date: ______________
Area: _____________________________
Service description: _____________________________________________________
Trip setting: _____________________________________________(with Eng. Units)
Effective date/time: From ______________________ To ______________________
Section 2:
Hazardous event classification (S, E, A) and SIL of the SIF: ______________________

Describe the EHS hazard the instrument action is designed to prevent:
________________________________________________________________________
List other protection for this hazard (R/V, SIF(s), and alarms):
________________________________________________________________________
Purpose for bypass:
________________________________________________________________________
Backup variable to be monitored and responsibility:
________________________________________________________________________
Backup variable mandatory shutdown limits:
High: Low: Other_____________
Shutdown method and responsibility:
________________________________________________________________________
Operating procedure modifications complete, appended and communicated?
Yes No N/A
Section 3:
Loop no.: _________ Instrument setting:__________ I. D. no.:__________
Describe how the instrument action will be bypassed:
________________________________________________________________________
List all sensors (initiating events) and hand switches that will be bypassed:
________________________________________________________________________
List actions (valves, motors, etc.) that will be bypassed:
________________________________________________________________________
Section 4:
Why is the unit safe to operate with this SIF(s) bypassed?
_________________________________________________________________________
Section 5:
PARTICIPANTS APPROVAL :(print names and initial):
________________________________________________________________________
DATE:__________________
TECHNICAL APPROVAL:_____________________________________________________
DATE:__________________
AUTHORIZED BY:___________________________________________________________
DATE:___________________
Up to 72 hours First Line Supervisor or designate
72 hours to 168 hours: Production Manager or designate
Over 168 hours: Plant Manager or designate
NOTE The yellow COPY to the Operating Supervisor when the bypass is installed; the pink copy to the E&I Supervisor
when the bypass is installed. The white signed copy will be posted in the CCR when the bypass is installed. The white
copy will be filed when the bypass is removed.
Section 6:
BYPASS INSTALLED:__________________________ DATE:___________
(OPERATING TECHNICIAN) TIME:____________
________________________ DATE:___________
(E&I TECHNICIAN) TIME:____________
Section 7:
BYPASS REMOVED:___________________________ DATE:__________
(OPERATING TECHNICIAN) TIME:___________
____________________________ DATE:__________
(E&I TECHNICIAN) TIME:___________
Until the bypass is removed the CCR operator is required to initial and date this permit at the
beginning of each shift.
_________________________________ DATE:____________ TIME:________
(OPERATING TECHNICIAN)

K.1.7 Glossary of bypass permit terms
SIF bypass permit: A work sheet that documents and authorizes a bypass, hazards screening
leading up to the bypass, and exactly what bypass work was done.
Requested by and date: Name of person requesting the bypass to be done, usually the shift
supervisor for the group that operates the equipment and the date that the bypass permit is
started.
Area: Operating area or system requesting the bypass.
Service description: Device name in common terms such as the operating manual description
or control system descriptor.
Trip setting: The process trip setting from the operating guide procedure with engineering units
such as degrees C. or PSI.
Effective date/time: Estimated date that the bypass will be in service, such as from the permit
date until the earliest planned repair window.
Hazardous event classification and SIL: The classification of the hazard that the action being
bypassed is used to mitigate, such as safety, environmental, asset and the SIF Safety Integrity
Level.
EHS hazard the action is designed to prevent: The specific hazard that the action is used to
prevent.
List other protection for this hazard: List other hazard controls or devices such as R/V's,
instrument actions, special procedures or alarms. This information may be documented in the
Hazard classification files or can be reconstructed by the bypass permit requestor.
Purpose for bypass: State the purpose of the bypass, why it is needed.
Backup variable to be monitored and responsibility: Describe any other process variables or
special operating procedures that will be monitored or used while this action is bypassed and
define who is responsible to monitor this information.
Backup variable mandatory shutdown limits: If a backup variable is to be used, detail the
mandatory shutdown limits with engineering units of the backup process variables being
monitored.
Shutdown method and responsibility: Document how the system will be shutdown with the SIF
bypassed and who is responsible for this action.
Operating procedure modifications complete, appended and communicated: Document
whether or not operating procedures have been changed and were issued based on the bypass
work.
Loop no.: The instrument loop number.
Instrument Setting: The SIF trip setting in engineering units or other instrument specific units,
as are appropriate for this device.
I.D. no.: The SAP equipment number for the trip device being bypassed.
Describe how the action will be bypassed: Document the physical instrument action bypass
method. Refer to marked prints or sketches if necessary. This information will be used to remove
the bypass after repairs have been made.
Sensors (initiating events) and hand switches that will be bypassed: List all sensors that will
be bypassed by this work, such as when multiple sensors trip a common device that is being
bypassed.
Actions (valves, motors, etc.) that will be bypassed: List all instrumented actions that will be
bypassed by this work, such as when multiple final acting devices are bypassed by single relay.
Why is the unit safe to operate? This affirming question is to be answered after steps 1, 2, & 3
have been completed. It documents the reasons the bypass requestor believes that the unit IS
safe to operate with the bypass in effect.
Participant's approval: The names and initials of the principal participants of the bypass safety
and work analysis. The signature initials of the participants approve the bypass action.
Authorized by and date: First Line Supervisor, Production Manager or Plant Manager or
designate responsible for the operating equipment and the date of authorization.
Bypass INSTALLED / REMOVED: The names, date, and time of the actual bypass installation
and removal team, so that complete tracking of the bypass removal can be ensured.
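A small bypass register, added here as a worked example and not part of the report, that applies the K.1.3 monthly unit report rule (install date, removal date, past due) and the section 5 authorization tiers (72 h / 168 h) to constructed sample permits, and lists the outstanding bypasses that K.3 sheet 2 asks each shift to accept. Permit ids, loop numbers and dates are constructed placeholders.

```python
"""Added example, not part of ISA-TR84.00.03: a small bypass register that
applies the record-keeping rules of K.1.3 and the authorization tiers printed
in section 5 of the K.1.6 permit to constructed sample permits.
Permit ids, loop numbers and dates below are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class BypassPermit:
    permit_id: str
    loop_no: str                            # Section 3 "Loop no."
    effective_from: datetime                # Section 1 "Effective date/time: From"
    effective_to: datetime                  # Section 1 "Effective date/time: To"
    installed: Optional[datetime] = None    # Section 6 "BYPASS INSTALLED"
    removed: Optional[datetime] = None      # Section 7 "BYPASS REMOVED"

    def expected_hours(self) -> float:
        return (self.effective_to - self.effective_from).total_seconds() / 3600.0

def required_authorizer(expected_hours: float) -> str:
    """Authorization tier from permit section 5, keyed on the planned duration."""
    if expected_hours <= 72:
        return "First Line Supervisor or designate"
    if expected_hours <= 168:
        return "Production Manager or designate"
    return "Plant Manager or designate"

def is_past_due(permit: BypassPermit, as_of: datetime) -> bool:
    """True when the bypass stayed in (or is still in) past the approved 'To' time."""
    if permit.installed is None:
        return False
    end = permit.removed if permit.removed is not None else as_of
    return end > permit.effective_to

def outstanding(permits: List[BypassPermit]) -> List[BypassPermit]:
    """Bypasses installed and not yet removed: what K.3 sheet 2 asks each shift to accept."""
    return [p for p in permits if p.installed is not None and p.removed is None]

def monthly_report(permits: List[BypassPermit], year: int, month: int,
                   as_of: datetime) -> List[Dict[str, object]]:
    """K.1.3 unit report: every permit under which a SIF was bypassed at any time in
    the month, with install date, removal date (or OUTSTANDING) and past-due status."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    rows = []
    for p in permits:
        if p.installed is None or p.installed >= end:
            continue                      # never installed, or installed after the month
        if p.removed is not None and p.removed < start:
            continue                      # removed before the month started
        rows.append({
            "permit_id": p.permit_id,
            "loop_no": p.loop_no,
            "authorizer": required_authorizer(p.expected_hours()),
            "installed": p.installed.strftime("%Y-%m-%d %H:%M"),
            "removed": p.removed.strftime("%Y-%m-%d %H:%M") if p.removed else "OUTSTANDING",
            "past_due": is_past_due(p, as_of),
        })
    return rows

# Constructed sample permits (placeholders, not real plant data)
SAMPLE_PERMITS = [
    BypassPermit("BP-0001", "FT-101", datetime(2012, 3, 1, 8), datetime(2012, 3, 2, 8),
                 installed=datetime(2012, 3, 1, 9), removed=datetime(2012, 3, 1, 17)),
    BypassPermit("BP-0002", "TT-205", datetime(2012, 3, 5, 8), datetime(2012, 3, 10, 8),
                 installed=datetime(2012, 3, 5, 10), removed=datetime(2012, 3, 12, 12)),
    BypassPermit("BP-0003", "PT-310", datetime(2012, 3, 20, 8), datetime(2012, 4, 1, 8),
                 installed=datetime(2012, 3, 20, 9)),
    BypassPermit("BP-0004", "LT-400", datetime(2012, 2, 10, 8), datetime(2012, 2, 11, 8),
                 installed=datetime(2012, 2, 10, 9), removed=datetime(2012, 2, 10, 15)),
]
AS_OF = datetime(2012, 4, 3, 9)   # constructed report date (third working day of April)
```

Running `monthly_report(SAMPLE_PERMITS, 2012, 3, AS_OF)` lists the three March bypasses and flags BP-0002 (removed late) and BP-0003 (still outstanding past its approved end) as past due.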
K.2 Example bypass approval procedure 2
A Bypass Assessment is carried out before the application of a bypass. The assessment is led
by a Process Specialist with support from the IPS Specialist and Operations. A Bypass
Assessment issued within 24 hours of bypass initiation is deemed an emergency bypass.
Emergency Bypass Assessments should be periodically reviewed by the Process Specialist.
Consideration should be given to developing a permanent file Bypass Assessment. The Bypass
Assessment is executed by a Process Specialist who facilitates a meeting involving an
Operations Supervisor and an SIS Specialist. The assessment is performed to:
understand the hazardous event being prevented by the SIS,
understand how the IPS detects and responds to the hazardous event,
determine whether or not it is permissible to apply the bypass,
determine the allowable repair time,
understand the process impact if the bypass is not used correctly and the process trips,
determine how the bypass is implemented,
evaluate how the bypass impairs or disables the IPS,
identify how the operator would know when bypass is in place,
identify measures to be implemented during bypass to compensate for IPS impairment or
disablement, and
identify whether any further precautions are to be implemented.
K.2.1 Example bypass assessment form
Planned Emergency (<24 hours)
SIS Equipment or Loop ID: Plant ID:
Hazardous event being prevented:
(Provide hazard analysis report references)
SIF Description:
(If there is a documented SRS, provide document reference)
Classification: ______Safety ______Environmental _____ Asset Protection
Risk Reduction: ______Safety ______Environmental _____ Asset
Protection
Process impact if spurious trip occurs during bypass:

How is the bypass implemented?

Is bypass covered by procedure? Yes No
If yes, give procedure ID:
How does the bypass affect the SIS ability to function?

Can operator independently verify that the bypass is in place or not?

What compensating measures will be taken to address the hazardous event?

(If these are documented in start-up or other operating procedures, provide
procedure reference)
Considering the risk and the compensating measures, the bypass is:
Acceptable Unacceptable
Bypass is conditionally permitted for:
Start-up only Maintenance only Start-up and Maintenance
Allowable Repair Time (approved bypass period):
Start-up only Maintenance - 48 hours
Additional Requirements:

(Provide requirements for additional operator or supervisory personnel or for unit
access restrictions, signage, notifications, precautions, etc.)
Assessment led by: Date:
(Process Specialist or equivalent)

Approval
SIS Specialist/Engineer: Date:
Operations Manager: Date:



K.3 Example bypass log
K.3.1 Sheet 1
Facility / Plant / Unit ID ____________________________________________
Tag Number Description Reason for Bypass Applied by Date Time Restored by Date Time











K.3.2 Sheet 2
Facility / Plant / Unit ID ____________________________________________
By signing below all signatories confirm acceptance of the outstanding bypasses listed on sheet
1
Date Day shift OPERATOR technician Night shift OPERATOR technician
(All techs to sign in this box) (All techs to sign in this box)

Annex L Validation planning
The following table identifies items that should be included as part of the validation plan of the
SIS. Refer to ANSI/ISA-84.00.01-1 Clause 15.2 for more details.
1 Safety requirement specification
Identification of the version of the SRS and any other documentation to which the site acceptance
testing and validation is to be based upon.
2 Relevant modes of operation
Testing of all relevant modes of operation of the process where required including:
preparation for use including setting and adjustment
start-up, automatic, manual, semi-automatic, steady state
re-setting, shutdown, maintenance
reasonable foreseeable abnormal conditions
3 Validation testing
Confirmation that the SIS and the individual SIFs perform as specified in the SRS. Also confirm
that the document:
records the results of each test
details of special test equipment including calibration info
details any special pass fail criteria
4 Reference documentation
All documentation that will be referred to during the execution of the validation / testing activities
is specifically identified including version number.
5 Logic solver program version tracking
Review the version control of the embedded firmware and application program of the SIS from
completion of the Factory Acceptance Test through the Site Acceptance Test / Validation up until
final handover to Operations. Effective Management Of Change (MOC) should be demonstrated.
6 Engineering modifications
Validation testing should account for any approved design changes that have taken place during
the installation of the SIS.
7 Validation strategy
Justification of any testing activity used as part of the validation process that is not based upon
end-to-end testing with process simulation in the field. Consider the following areas:
electrical signal injectors used in place of transmitters
reliance upon simulators to test application program
reliance upon FAT results in place of on-site function tests
any automated testing techniques
8 Validation Environment
Consideration of representative environmental conditions that the equipment is to be tested
under. Things to consider:
ensure that normal air conditioning systems are running when the tests are performed
making the test realistic
ensure that the conditions and test equipment used is as realistic as possible
9 Pass/Fail Criteria
Detail any special Pass/Fail criteria which should be considered and confirm that these
requirements have been incorporated into the SAT document including a requirement to record
the actual values (see ISA-TR84.00.03, 6.7 for details).
10 Measurement Accuracy
Specific testing of any device that has any measurement accuracy specification that is above
normal.
11 Calibration
Calibration details and related documentation are up-to-date and that the testing is based upon
the correct and up-to-date values.
12 Adverse Reaction
Review the overall system configuration in which the SIS is located and ensure that no equipment
connected to the SIS can have an adverse effect on the SIS, e.g., communication links, power
supplies, peripherals, HMI, etc. This might be due to regular or irregular operation of that
equipment. Ensure that any required tests are included in the SAT document.
13 SIF Functionality
Detailed testing activities associated with SIF functionality including redundant channels and
where shutdown sequences are in place.
14 SIS Documentation
SIS documentation is consistent with the installed SIS. If mark-ups have been made during the
testing/validation process, confirm that these details will be incorporated onto the master
documents in a timely manner and are made available to anyone who might need to refer to them
in the meantime (e.g., start -up team, Operations, or Maintenance).
15 Analogue Input Configuration
Invalid analogue input signal testing (see ISA-TR84.00.03, 6.4 for details).
Things to consider:
calibrated ranges smaller than the process range
transmitter process saturation current settings
transmitter fault current settings
logic solver compatibility with transmitter settings
logic solver response to above conditions
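To make the item 15 checks concrete, the following added example (not code from the report) models a single 4-20 mA high-trip channel the way a logic solver would classify it, and shows why a calibrated range smaller than the process range matters: the scaled value can never reach the trip setting, so the solver must treat a saturated-high signal as a demand. The current thresholds are assumptions following common NAMUR NE43 practice, and the tags and ranges are constructed placeholders.

```python
"""Added example, not part of ISA-TR84.00.03: a 4-20 mA input classifier of the
kind a logic solver applies, used to exercise the Annex L item 15 cases on
constructed values: calibrated range smaller than the process range, transmitter
saturation and fault currents, and the logic solver's response to each.
Current thresholds are assumptions following common NAMUR NE43 practice; use the
transmitter and logic solver settings from the SRS for a real channel."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class AnalogueInput:
    tag: str
    lrv: float                   # calibrated lower range value, engineering units (4 mA)
    urv: float                   # calibrated upper range value, engineering units (20 mA)
    trip_high: float             # SIF high trip setting, engineering units
    sat_low_ma: float = 3.8      # assumed transmitter saturation clamps
    sat_high_ma: float = 20.5
    fault_low_ma: float = 3.6    # assumed transmitter fault-current signalling limits
    fault_high_ma: float = 21.0
    fault_trips: bool = True     # assumed SRS choice: a bad PV is treated as a demand

def to_engineering(ai: AnalogueInput, ma: float) -> float:
    """Linear scaling of loop current to engineering units over the calibrated range."""
    return ai.lrv + (ma - 4.0) * (ai.urv - ai.lrv) / 16.0

def classify(ai: AnalogueInput, ma: float) -> str:
    """Fault outside the fault limits, saturation just outside 4-20 mA, else normal."""
    if ma <= ai.fault_low_ma:
        return "FAULT_LOW"
    if ma >= ai.fault_high_ma:
        return "FAULT_HIGH"
    if ma < 4.0:
        return "SAT_LOW"
    if ma > 20.0:
        return "SAT_HIGH"
    return "NORMAL"

def evaluate(ai: AnalogueInput, ma: float) -> Tuple[str, float, bool]:
    """Return (state, engineering value, trip) for one high-trip channel. A
    saturated-high signal trips even when the scaled value is below the trip
    setting: the process is beyond the calibrated range, so the value is only a floor."""
    state = classify(ai, ma)
    value = to_engineering(ai, ma)
    if state in ("FAULT_LOW", "FAULT_HIGH"):
        return state, value, ai.fault_trips
    if state == "SAT_HIGH":
        return state, value, True
    return state, value, value >= ai.trip_high

def check_configuration(ai: AnalogueInput) -> List[str]:
    """Configuration findings validation should surface before any field test."""
    findings = []
    if ai.trip_high > ai.urv:
        findings.append(f"{ai.tag}: trip {ai.trip_high} is above calibrated URV {ai.urv}; "
                        "unreachable on value, trip depends on saturation detection")
    ordered = ai.fault_low_ma < ai.sat_low_ma < 4.0 < 20.0 < ai.sat_high_ma < ai.fault_high_ma
    if not ordered:
        findings.append(f"{ai.tag}: saturation and fault current limits overlap or are misordered")
    return findings

# Constructed sample channels (placeholders, not real plant data)
PT_NARROW = AnalogueInput("PT-310", lrv=0.0, urv=100.0, trip_high=120.0)  # range < process
PT_OK = AnalogueInput("PT-311", lrv=0.0, urv=150.0, trip_high=120.0)
```

With PT_NARROW, 20.0 mA scales to exactly 100.0 and does not trip even though the process may be well above 120; only the saturation state at 20.3 mA produces the trip, which is the condition the validation test has to provoke and observe.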
16 Human Machine Interface
Functionality of the HMI.
17 Special computations
Testing of any special computations performed with the SIS.
18 Reset functionality
Individual SIF and overall SIS reset functionality.
19 Bypass functionality
Testing of bypass facilities.
Consider both electrical (hand-switches/buttons) and mechanical (valve) bypasses and any
alarms that annunciate their use/application.
Consider partial bypass facilities and include testing to ensure that they only bypass what they
are thought to bypass (see ISA-TR84.00.03, 6.6 for details).
20 Manual shutdown functionality
Testing of manual shutdown functionality.
Consider individual SIF and overall plant shutdown requirements and the locations for these
facilities.
21 Maintenance proof test procedures

Maintenance proof test procedures have been produced and integrated into the Computer
Maintenance Management System.
Proof test interval and proof test coverage assumptions in the related SIL Calculations have
been implemented effectively.
22 Maintenance testing facilities

Online and offline testing facilities that form part of the design of the SIS/SIF are tested.
Special tools required to perform the test/s are identified in the documentation and made
available for the test.
23 Diagnostic alarm functionality
Test diagnostic alarms. These include both SIS system alarms such as power supply failure,
processor failure, etc. and also SIF specific alarms such as voting channel deviation, bad PV etc.
24 Power/Utility interruption
Test for specified response to loss of utilities (i.e. electric, air, hydraulic power) and also
reintroduction of power/utilities.
25 EMC immunity
Test EMC immunity of the logic solver. Some common examples of sources of interference are:
site radio communication, mobile phones etc.
wireless laptops, Bluetooth enabled PDAs, etc.
air conditioning systems starting/stopping/under full load, etc.
26 Voting arrangements
Test input / output voting arrangements.
(see ISA-TR84.00.03, 6.9.3 for credit that can be taken on FAT testing).
27 Special conditions of use
Test special conditions documented in the SRS, such as power quality, environmental conditions,
heat tracing, minimum motive force on valve actuators, etc.
28 Field process installation
Check the field installation of each function against the relevant hook-up drawing by performing a
walk-through with an Operations representative to verify that all installations are connected to the
appropriate process connections with the correct orientation.
29 Discrepancy control/closure
Track all discrepancies uncovered during validation, and provide information on what action is
taken to rectify. For each discrepancy, detail what course of re-testing is performed to ensure the
correct result is observed and also that no other erroneous faults are introduced to the system
during the change. Detail also the approval of these re-testing activities including the basis for
the decision to approve. Approval of discrepancy closure should be carried out jointly between
the appointed field and SIS engineers.
30 Documentation
Provide the fully completed copy of the validation documentation ensuring that the results of all
tests are recorded. The validation documentation should be signed to confirm completeness of all
testing activities identified.
31 Pre-startup safety review (PSSR)
Confirm that a PSSR is included in the scope of the handover activities to Operations.

Developing and promulgating sound consensus standards, recommended practices, and
technical reports is one of ISA's primary goals. To achieve this goal the Standards and Practices
Department relies on the technical expertise and efforts of volunteer committee members,
chairmen and reviewers.

ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers
United States Technical Advisory Groups (USTAGs) and provides secretariat support for
International Electrotechnical Commission (IEC) and International Organization for
Standardization (ISO) committees that develop process measurement and control standards. To
obtain additional information on the Society's standards program, please write:



ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709

ISBN: 978-1-937560-57-7