Professional Documents
Culture Documents
ANSI/ISA–84.01–1996
Formerly ANSI/ISA–S84.01–1996
Application of Safety
Instrumented Systems for
the Process Industries
ISA–The Instrumentation,
Systems, and
Automation Society
ANSI/ISA-84.01-1996 — Application of Safety Instrumented Systems for the Process Industries
ISBN: 1-55617-590-6
Copyright 1996 by the Instrument Society of America. All rights reserved. Printed in the United
States of America. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), without the prior written permission of the publisher.
ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709
Preface
This preface as well as all footnotes, annexes, and draft technical report 84.02 (ISA-dTR84.02)
are included for informational purposes and are not part of ANSI/ISA-84.01-1996. ISA-dTR84.02
was still in development at the time that ANSI/ISA-84.01-1996 was published; for information, contact
ISA.
This standard has been prepared as part of the service of ISA, the international society for
measurement and control, toward a goal of uniformity in the field of instrumentation. To be of real
value, this document should not be static but should be subject to periodic review. Toward this
end, the Society welcomes all comments and criticisms and asks that they be addressed to the
Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research
Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail:
standards@isa.org.
The ISA Standards and Practices Department is aware of the growing need for attention to the
metric system of units in general, and the International System of Units (SI) in particular, in the
preparation of instrumentation standards, recommended practices, and technical reports. The
Department is further aware of the benefits to USA users of ISA standards of incorporating
suitable references to the SI (and the metric system) in their business and professional dealings
with other countries. Toward this end, this Department will endeavor to introduce SI and
acceptable metric units in all new and revised standards to the greatest extent possible. The
Metric Practice Guide, which has been published by the Institute of Electrical and Electronics
Engineers as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for
definitions, symbols, abbreviations, and conversion factors.
It is the policy of ISA to encourage and welcome the participation of all concerned individuals and
interests in the development of ISA standards. Participation in the ISA standards-making
process by an individual in no way constitutes endorsement by the employer of that individual, of
ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.
S84.01 has been developed with the intent that it will eventually become a part of a group of
standards being developed by the International Electrotechnical Commission (IEC). This has
resulted in a format and structure that may be somewhat different from previous ISA Standards.
Some background information is, therefore, offered to assist the reader in better understanding
the focus of S84.01.
IEC has commissioned the development of a set of international standards encompassing all
aspects of safety systems for all industries. It is titled "Functional Safety: Safety-Related
Systems." This effort is under the direction of IEC Technical Committee No. 65, Subcommittee
65A, Working Group 10. It is titled IEC draft Publication 1508 and is still in development but, as it
exists today, there are seven parts:
• Part 1 - General requirements
• Part 2 - Requirements for Electrical/Electronic / Programmable Electronic Systems
(E/E/PES)
• Part 3 -Software requirements
• Part 4 - Definitions and abbreviations of terms
• Part 5 - Guidelines on the application of Part 1
• Part 6 - Guidelines on the application of Parts 2 and 3
ANSI/ISA-S84.01-1996 3
• Part 7 - Bibliography of techniques and measures
This work is to define requirements common to all industries. It is IEC's intent that there will then
be additional standards developed to reflect specific requirements for the various industry
sectors, such as nuclear, pharmaceutical, aeronautical, process, etc.
IEC has commissioned a subcommittee, identified as IEC 1511, for the development of an
industry-specific international standard that addresses the application of safety instrumented
systems for the process industries. ISA-S84.01-1995 has been written with the intent that it will
serve as the basis for that sector-specific standard. The structure, format, and content of S84.01
has been developed in this context. There are significant differences in S84.01 from IEC draft
Publication 1508-1995, as described in Clause 12. However, IEC draft Publication 1508 was still
being developed at the time that S84.01 was published. As a result, ISA SP84 will continue to
support and monitor IEC draft Publication 1508 development and will modify S84.01 as needed
when IEC draft Publication 1508 is published.
The IEC style guide has been used to facilitate the harmonization of this material with the general
standards and other sector-specific standards being developed for IEC draft Publication 1508.
NAME COMPANY
4 ANSI/ISA-S84.01-1996
R. Dillman Conoco, Inc.
NAME COMPANY
J. Duran Lagoven SA
P. Early ABB Industrial Systems, Inc.
*R. Ewbank Rhone-Poulenc, Inc.
T. Fisher Lubrizol Corporation
J. Forrest ABS Industrial Verification, Inc.
*T. Frederickson, Jr. Triconex
R. Freeman Monsanto
D. Fritsch Phillips Petroleum Company
*K. Gandhi M. W. Kellogg Company
R. Gardner DuPont Engineering
*F. Gellner E. I. du Pont de Nemours & Company
J. Gilman Procter & Gamble Company
R. Glaser Dow Chemical Company
W. Goble Moore Products Company
*C. Goring August Systems, Ltd.
*J. Gray Chevron Research & Technology Company
D. Green Rohm & Haas
T. Green Stubbs Overbeck & Associates
J. Greenwald Fina Oil & Chemical Company
*R. Grehofsky E. I. du Pont de Nemours & Company
P. Gruhn Industrial Control Service, Inc.
*A. Habib Rhone-Poulenc, Inc.
*A. Hamers Honeywell SMS
A. Hammons Chevron USA
B. Hampton Consultant
C. Hardin Hoechst Celanese Corporation
D. Haysley Murphy Oil Company
*A. Heckman Bently Nevada
*K. Hill Mobil Research & Development Corporation
L. Hoffman BASF Corporation
B. Humes Bently Nevada
*D. Inverso E.I. du Pont de Nemours & Company
J. Jarvi Teknillinen Tarkastuskeskus
W. Jay Entergy Operations, Inc.
K. Jennings Square D Company
D. Jensen Price Engineering Company
R. Johnson Kingwood Technology Group
*W. Johnson E. I. du Pont de Nemours & Company
*D. Karydas Factory Mutual Research Corporation
K. Kassner CALTEK Pacific-Minas Corporation
R. Kier Kinetics Technology International
D. Leonard Consultant
*E. Lewis Union Carbide Corporation
J. Martel Exxon Chemical Company
*T. McAdams Allen-Bradley Company
ANSI/ISA-S84.01-1996 5
S. McCormick 3M Company
NAME COMPANY
6 ANSI/ISA-S84.01-1996
W. Welz, Jr. BHP Engineers & Constructors, Inc.
*G. Wristen E. I. du Pont de Nemours & Company
This published standard was approved for publication by the ISA Standards and Practices
Board on February 15, 1996.
NAME COMPANY
ANSI/ISA-S84.01-1996 7
Contents
Introduction ............................................................................................................................... 13
1 Scope ...................................................................................................................................... 15
1.1 Boundaries of the Safety Instrumented System (SIS) ................................................. 15
1.2 Exclusions ................................................................................................................... 16
ANSI/ISA-S84.01-1996 9
9 SIS operation and maintenance .......................................................................................... 38
9.1 Objective...................................................................................................................... 38
9.2 Training........................................................................................................................ 38
9.3 Documentation ............................................................................................................ 38
9.4 SIS operating procedures ............................................................................................ 38
9.5 Maintenance program.................................................................................................. 38
9.6 Testing, inspection, and maintenance ......................................................................... 39
9.7 Functional testing ........................................................................................................ 39
9.8 Documentation of functional testing ............................................................................ 40
11 Decommissioning ............................................................................................................... 42
11.1 Objective.................................................................................................................... 42
11.2 General ...................................................................................................................... 43
12 Differences .......................................................................................................................... 43
12.1 Terminology ............................................................................................................... 44
12.2 Organizational differences ......................................................................................... 44
12.3 Technology differences ............................................................................................. 46
Annexes
10 ANSI/ISA-S84.01-1996
D (Informative) — Example ..................................................................................................... 85
D.1 Introduction to the example problem........................................................................... 85
D.2 Safety Life Cycle (Figure 4.1) ..................................................................................... 85
D.3 Safety requirement specification ................................................................................. 85
D.4 Safety integrity requirements (5.4) .............................................................................. 88
D.5 Conceptual design (6.0) .............................................................................................. 89
D.6 Detail design (7.0) ....................................................................................................... 90
E (Informative) — Index........................................................................................................... 93
Figures
1.1 — Definition of Safety Instrumented Systems (SIS) ............................................................ 16
4.1 — Safety Life Cycle ............................................................................................................. 24
A.1 — Company ABC, Site XX, Specific SIL implementation techniques, example only .......... 50
A.2 — Process example ............................................................................................................ 51
A.3 — Company ABC, Site XX, Example of a qualitative matrix for the determining SIL.......... 52
D.1 — Basic process control scheme ........................................................................................ 86
D.2 — Tentative design solution ................................................................................................ 91
Tables
3.1 — Safety Integrity Level (SIL)........................................................................................... 21
4.1 — Safety Integrity Level performance requirements ........................................................ 25
A.1 — Modified HAZOP documentation example ................................................................... 53
B.5.1 — Typical SIS failure modes ............................................................................................ 64
B.5.2 — Typical Programmable Electronic Failure Modes......................................................... 65
B.9.1 — Fault types.................................................................................................................... 70
B.9.2 — Diagnostic tests for programmable electronics ............................................................ 72
ANSI/ISA-S84.01-1996 11
Introduction
Purpose
This standard addresses the application of Safety Instrumented Systems (SIS) for the process
industries. The SIS addressed includes Electrical (E)/, Electronic (E)/ and Programmable
Electronic (PE) technology. This standard is process industry specific within the framework of the
International Electrotechnical Commission (IEC) draft Publication 1508 (References C.8 and
C.9). This standard follows the Safety Life Cycle presented later (see Figure 4.1).
This document is intended for those who are involved with SIS in the areas of
• design and manufacture of SIS products, selection, and application
• installation, commissioning, and Pre-Startup Acceptance Test
• operation, maintenance, documentation, and testing
Objective
Organization
This standard is organized into three major parts. The main body of the standard (Clauses 1-11)
present mandatory specific requirements. Clause 12 provides key differences between
ISA-S84.01 and IEC draft Publication 1508. Informative Annexes A through E present additional
non-mandatory (informative) technical information that is useful in SIS applications.
Draft Technical Report 84.02 (ISA-dTR84.02), which is issued under separate cover, provides
non-mandatory (informative) technical guidance in Safety Integrity Level analysis.
ANSI/ISA-S84.01-1996 13
1 Scope
1.1.1 Figure 1.1 defines the boundaries of the SIS and identifies the devices that may be included
in the system. The SIS described in this standard is that portion of the diagram enclosed within
the double lined box.
1.1.2 The SIS includes all elements from the sensor to the final element, including inputs, outputs,
power supply, and logic solvers. SIS user interface may be in the SIS.
1.1.3 Other interfaces to the SIS are considered a part of the SIS if they have potential impact
on its safety function.
ANSI/ISA-S84.01-1996 15
Figure 1.1 — Definition of Safety Instrumented Systems (SIS)
1.2 Exclusions
1.2.1 This standard identifies all the steps of the Safety Life Cycle (see Figure 4.1) but does not
define the method(s) that may be used in some of the steps.
1.2.2 This standard does not address management of the non-SIS portion of the design or the
management of the startup process.
1.2.3 In jurisdictions where the governing authorities (Federal, State, Province, County, City, etc.)
have established Process Safety Design, Process Safety Management, or other requirements,
these laws shall in all cases take precedence over those requirements defined in this standard.
These factors must be integrated into the Safety Life Cycle at the appropriate step.
1.2.4 This standard does not address the codes, regulations, and other requirements that apply
only to the Nuclear Industry.
1.2.5 The activity of identifying process hazards by use of Process Hazards Analysis methods
is not part of this standard.
1.2.6 Defining the need for a Safety Instrumented Systems is not included in this standard.
1.2.7 This standard is not intended to be used as a stand-alone system purchase specification.
It will not eliminate the need for sound engineering judgment. It also does not mandate the use of
any particular technology.
1.2.8 The standard is not intended to apply to Basic Process Control Systems (BPCS).
1.2.9 This standard is not intended for pneumatic or hydraulic logic solvers.
16 ANSI/ISA-S84.01-1996
1.2.10 This standard does not consider the use of technology that is not currently utilized in Safety
Instrumented Systems. As new technology evolves and becomes available (e.g., ISA SP50
Fieldbus) it will be addressed in scheduled (5 year) revisions to this standard. In the interim, if new
system performance justifies its use, new technology shall be user approved before use in safety
applications. In these cases, the new technology implementation may require exception to some
standard requirements of S84.01. Exceptions shall be documented to demonstrate that the new
approach satisfies the safety requirements.
1.2.11 Analysis of the capability of humans to act on human-machine interface information is part
of the Process Hazards Analysis and is outside the scope of this standard.
1.2.12 Instrumentation installed for the purpose of monitoring conditions that may lead to chronic
health effects is not covered by this standard.
1.2.13 This standard does not cover instrumentation installed principally for the purpose of property
protection.
1.2.14 Systems where operator action is the sole means required to return the process to a safe
state are not covered by this standard. (e.g., alarm systems, fire and gas monitoring systems, etc.)
2.1.1 To conform to this Standard, it must be shown that each of the requirements have been
satisfied and therefore the Clause objectives have been met.
2.1.2 Where a requirement is qualified by reference to an informative annex, this indicates that
a range of techniques and measures can be used to satisfy that requirement including techniques
and measures not listed in the informative annex.
2.1.3 The techniques and measures included in normative Clauses 1 through 11 are considered
good engineering practices in the design and support of Safety Instrumented Systems.
2.2.1 For existing SIS designed and constructed in accordance with codes, standards, or prac-
tices prior to the issue of this standard, the owner/operator shall determine that the equipment is
designed, maintained, inspected, tested, and operating in a safe manner.
ANSI/ISA-S84.01-1996 17
3 Definition of terms and acronyms
3.1 Definitions
3.1.3 architecture: The arrangement and interconnection of the hardware components or mod-
ules that comprise the SIS.
3.1.5 Basic Process Control System (BPCS): A system that responds to input signals from
the equipment under control and/or from an operator and generates output signals, causing the
equipment under control to operate in the desired manner. Some examples include control of an
exothermic reaction, anti-surge control of a compressor, and fuel/air controls in fired heaters. Also
referred to as Process Control System.
3.1.7.1 common cause fault: A single source that will cause failure in multiple elements of a
system. The single source may be either internal or external to the system.
3.1.8 communication
3.1.8.1 external communication: Data exchange between the SIS and a variety of systems or
devices that are outside the SIS. These include shared operator interfaces, maintenance/engi-
neering interfaces, data acquisition systems, host computers, etc.
3.1.8.2 internal communication: Data exchange between the various devices within a given
SIS. These include bus backplane connections, the local or remote I/O bus, etc.
3.1.10 covert fault: Faults that can be classified as hidden, concealed, undetected, unrevealed,
latent, etc.
3.1.11 decommissioning: The permanent removal of a complete SIS from active service.
18 ANSI/ISA-S84.01-1996
3.1.12 de-energize to trip: SIS circuits where the outputs and devices are energized under normal
operation. Removal of the source of power (e.g., electricity, air) causes a trip action.
3.1.13 demand: A condition or event that requires the SIS to take appropriate action to prevent
a hazardous event from occurring or mitigate the consequence of a hazardous event.
3.1.14 diagnostic coverage: For SIS with active fault-detection capabilities, the ratio of detect-
able faults to the total number of faults.
3.1.15 diverse: Use of different technologies, equipment or design methods to perform a common
function with the intent to minimize common cause faults (see 3.1.45, 3.1.55, and B.2).
3.1.19 energize to trip: SIS circuits where the outputs and devices are de-energized under normal
operation. Application of power (e.g., electricity, air) causes a trip action.
3.1.20 fail-safe: The capability to go to a predetermined safe state in the event of a specific
malfunction.
3.1.21 fault tolerance: Built-in capability of a system to provide continued correct execution of
its assigned function in the presence of a limited number of hardware and software faults.
3.1.22 field devices: Equipment connected to the field side of the SIS I/O terminals. Such
equipment includes field wiring, sensors, final control elements, and those operator interface de-
vices hard-wired to SIS I/O terminals.
3.1.23 firmware: Special purpose memory units containing software embedded in protected
memory required for the operation of programmable electronics.
3.1.24 forcing: A PES engineering station function that provides the capability to override the
application program and to change the states of inputs and outputs.
3.1.25 functional testing: Periodic activity to verify that the SIS is operating per the Safety
Requirement Specifications Testing.
3.1.27 hard-wired: Electrical connections accomplished without the use of software or firmware.
3.1.28 hazard: Chemical or physical condition that has the potential for causing injury to people
or the environment (Reference C.12).
ANSI/ISA-S84.01-1996 19
3.1.29 input/output modules
3.1.29.1 input module: E/E/PES or subsystem that acts as an interface to external devices and
converts input signals into signals that the E/E/PES can utilize.
3.1.29.2 output module: E/E/PES or subsystem that acts as an interface to external devices
and converts output signals into signals that can actuate external devices.
3.1.32 logic solver: E/E/PES components or subsystems that execute the application logic.
Electronic and programmable electronics include input/output modules.
3.1.35 overt faults: Faults that are classified as announced, detected, revealed, etc.
3.1.36 permissive: Condition within a logic sequence that must be satisfied before the sequence
is allowed to proceed to the next phase.
3.1.37 Pre-Startup Acceptance Test (PSAT): Process of confirming performance of the total
integrated SIS to assure its conformance to the Safety Requirement Specifications and design.
3.1.39 Probability of Failure on Demand (PFD): A value that indicates the probability of a system
failing to respond to a demand. The average probability of a system failing to respond to a demand
in a specified time interval is referred to as PFDavg. PFD equals 1 minus Safety Availability [see
safety availability (3.1.51)].
3.1.40 process industry sector: Refers to those processes involved in, but not limited to, the
production, generation, manufacture, and/or treatment of oil, gas, wood, metals, food, plastics,
petrochemicals, chemicals, steam, electric power, pharmaceuticals, and waste material(s).
3.1.42 protection layer: Engineered safety features or protective systems or layers that typically
involve special process designs, process equipment, administrative procedures, the Basic Process
Control System (BPCS), and/or planned responses to protect against an imminent hazard. These
responses may be either automated or initiated by human actions (see Annex A for guidance).
3.1.43 qualitative methods: Methods of design and evaluation developed through experience
and/or the application of good engineering judgement.
3.1.44 quantitative methods: Methods of design and evaluation based on numerical data and
mathematical analysis.
20 ANSI/ISA-S84.01-1996
3.1.45 redundancy: Use of multiple elements or systems to perform the same function. Redun-
dancy can be implemented by identical elements (identical redundancy) or by diverse elements
(diverse redundancy).
3.1.46 reliability: Probability that a system can perform a defined function under stated conditions
for a given period of time.
3.1.48 reset: Action that restores the equipment under control to a predetermined normal enabled
or operating state.
3.1.49 risk assessment: Process of making risk estimates and using the results to make deci-
sions.
3.1.50 safe state: State that the equipment under control, or process, shall attain as defined by
the Process Hazards Analysis (PHA).
3.1.51 safety availability: Fraction of time that a safety system is able to perform its designated
safety service when the process is operating. In this standard, the average Probability of Failure
on Demand (PFDavg) is the preferred term. (PFD equals 1 minus Safety Availability; see 3.1.39.)
3.1.52 Safety Integrity Level (SIL): One of three possible discrete integrity levels (SIL 1, SIL 2,
SIL 3) of Safety Instrumented Systems. SILs are defined in terms of Probability of Failure on
Demand (PFD) (see Table 3.1).
3.1.53 Safety Instrumented Systems (SIS): System composed of sensors, logic solvers, and
final control elements for the purpose of taking the process to a safe state when predetermined
conditions are violated (see Figure 1.1). Other terms commonly used include Emergency Shutdown
System (ESD, ESS), Safety Shutdown System (SSD), and Safety Interlock System.
3.1.54 Safety Life Cycle: Sequence of activities involved in the implementation of the Safety
Instrumented Systems from conception through decommissioning (see Figure 4.1).
3.1.55 separation: The use of multiple devices or systems to segregate control from safety
functions. Separation can be implemented by identical elements (identical separation) or by diverse
elements (diverse separation).
3.1.57 SIS components: A constituent part of a SIS. Examples of SIS components are field
devices, input modules, output modules, and logic solvers.
ANSI/ISA-S84.01-1996 21
3.1.58 software
3.1.58.1 application software: Software specific to the user application in that it is the SIS
functional description programmed in the PES to meet the overall Safety Requirement Specifica-
tions (see Clause 5). In general, it contains logic sequences, permissives, limits, expressions, etc.,
that control the appropriate input, output, calculations, decisions necessary to meet the safety
functional requirements.
3.1.58.2 embedded software: Software that is part of the system supplied by the vendor and
is not accessible for modification by the end user. Embedded software is also referred to as
firmware or system software.
3.1.58.3 utility software: Software tools for the creation, maintenance, and documentation of
application programs. These software tools are not required for the operation of the SIS.
3.1.59 spurious trip: Refers to the shutdown of the process for reasons not associated with a
problem in the process that the SIS is designed to protect (e.g., the trip resulted due to a hardware
fault, software fault, electrical fault, transient, ground plane interference, etc.). Other terms used
include nuisance trip and false shut down.
3.1.60 systematic failures: Failures due to errors (including mistakes and acts of omissions) in
Safety Life Cycle activities that cause the SIS to fail under some particular combination of inputs
or under a particular environmental condition. Systematic failures can arise in any Safety Life
Cycle step.
3.1.62 user approved: Hardware, software, procedures, etc., that the user has evaluated and
determined to be acceptable for the application.
3.1.63 verification: Process of confirming for certain steps of the Safety Life Cycle that the
objectives are met.
3.1.64 voting system: Redundant system (e.g., "m" out of "n", one out of two [1oo2] to trip, two
out of three [2oo3], etc.) that requires at least "m" of the "n" channels to be in agreement before
the SIS can take an action.
3.2 Acronyms
22 ANSI/ISA-S84.01-1996
PES: Programmable Electronic System
PFD: Probability of Failure on Demand
PHA: Process Hazards Analysis
PSAT: Pre-Startup Acceptance Test
PSSR: Pre-Startup Safety Review
SIL: Safety Integrity Level
SIS: Safety Instrumented Systems
WDT: Watchdog Timer
4.1 Scope
The clauses in this standard are organized based on the Safety Life Cycle (see Figure 4.1). The
Safety Life Cycle covers the Safety Instrumented Systems (SIS) activities from initial conception
through decommissioning. Note that this standard does not address the method for performing
initial Safety Life Cycle activities, such as:
a) Performing conceptual process design
b) Performing Process Hazards Analysis & risk assessment
c) Defining non-SIS protection layers
d) Defining the need for an SIS
e) Determining required Safety Integrity Level
These activities are outside the scope of this standard.
ANSI/ISA-S84.01-1996 23
(4.2.15)
24 ANSI/ISA-S84.01-1996
During the Safety Life Cycle of a SIS, there may be points where iterations are necessary. A few
of these are indicated in the Safety Life Cycle presented, but these should not be considered the
only points where iteration may be necessary.
4.2.1 The first step in the Safety Life Cycle is concerned with the conceptual process design.
The method for accomplishing this step is outside the scope of this standard.
4.2.2 The second step is concerned with identifying the hazards and hazardous events for a
process and assessing the level of risk involved. This standard does not address the methods for
performing this analysis and evaluation but assumes it has taken place prior to applying the prin-
ciples in this document. The method(s) for accomplishing this step is outside the scope of this
standard.
4.2.3 Once the hazards and risks have been identified, appropriate technology (including process
and equipment modifications) is applied to eliminate the hazard, to mitigate their consequences
or reduce the likelihood of the event. The third step involves the application of non-SIS protection
layers to the process. The method(s) for accomplishing this step is outside the scope of this
standard.
4.2.5 If an SIS is appropriate, the next step is establishing the requirements for the SIS by defining
a target Safety Integrity Level (SIL) (See Annex A for guidance). A SIL defines the level of perfor-
mance needed to achieve the user ’s process safety objective. SILs are defined as 1, 2, and 3.
SISs above SIL 3 are not addressed in this standard. The higher the SIL, the more available the
safety function of the SIS. Performance is improved by the addition of redundancy, more frequent
testing, use of diagnostic fault detection, and use of diverse sensors and final control elements,
etc. Performance is also improved through better control of design, operation, and maintenance
procedures.
Associated with the SIL are Probability of Failure on Demand average (see Table 4.1).
SAFETY 1 2 3
INTEGRITY LEVEL
ANSI/ISA-S84.01-1996 25
The SIL concept is utilized in several steps of the Safety Life Cycle. See Annex A for guidance
on SIL determination. The method for accomplishing this step is outside the scope of this
standard.
4.2.6 The next step is developing Safety Requirement Specifications. The Safety Requirement
Specifications document functional and integrity requirements for the SIS (see Clause 5).
4.2.7 The next step involves developing the SIS Conceptual Designs that may meet the Safety
Requirement Specifications. Annex B provides guidance on the selection of architectures to meet
SIL requirements (see Clause 6).
4.2.8 Once SIS Conceptual Design is complete, the detailed design can be performed (see
Clause 7).
4.2.10 After installation is complete, the Commissioning and Pre-Startup Acceptance Test (PSAT)
of the SIS shall be performed (see Clause 8).
4.2.11 SIS Operation and Maintenance Procedures may be developed at any step of the Safety
Life Cycle and shall be completed prior to startup (see Clause 9).
4.2.12 Prior to startup of the SIS, a Pre-Startup Safety Review (PSSR) shall take place. This
PSSR shall include the following SIS activities:
a) Verification that the SIS was constructed, installed, and tested in accordance with the
Safety Requirement Specifications.
b) Safety, operating, maintenance, Management of Change (MOC), and emergency
procedures pertaining to the SIS are in place and are adequate.
c) PHA recommendations that apply to the SIS have been resolved or implemented.
d) Employee training has been completed and includes appropriate information about the
SIS.
The planning and execution of this activity is outside the scope of this standard.
4.2.13 After PSSR, the SIS may be placed in operation. This step includes startup, normal oper-
ation, maintenance, and periodic Functional Testing (see Clause 9).
4.2.14 If modifications are proposed, their implementation shall follow a Management of Change
(MOC) procedure. The appropriate steps in the Safety Life Cycle shall be repeated to address the
safety impact of the change (see Clause 10).
4.2.15 At some time, the need for the SIS will cease. For example, this may be caused by plant
closure, or the removal or change of the process. The decommissioning of the SIS shall be planned,
and appropriate steps should be taken to ensure that this is accomplished in a manner that does
not compromise safety (see Clause 11).
26 ANSI/ISA-S84.01-1996
5 Safety requirements specifications development
5.1 Objective
The objective is to develop specifications for Safety Instrumented Systems (SIS) design. These
Safety Requirement Specifications consist of both safety functional requirements and safety
integrity requirements. The Safety Requirement Specifications can be a collection of documents
or information.
The information required from the Process Hazards Analysis (PHA) or process design team to
develop the Safety Requirement Specifications, includes the following.
5.2.1 A list of the safety function(s) required and the SIL of each safety function.
5.2.2 Process information ( incident cause, dynamics, final elements, etc.) of each potential
hazardous event that requires a SIS.
5.2.3 Process common cause failure considerations such as corrosion, plugging, coating, etc.
5.3.1 The definition of the safe state of the process, for each of the identified events.
5.3.2 The process inputs to the SIS and their trip points,
5.3.3 The normal operating range of the process variables and their operating limits,
5.3.4 The process outputs from the SIS and their actions,
5.3.5 The functional relationship between process inputs and outputs, including logic, math func-
tions, and any required permissives.
ANSI/ISA-S84.01-1996 27
5.3.9 Response time requirements for the SIS to bring the process to a safe state.
5.4.2 Requirements for diagnostics to achieve the required SIL (see B.9 for guidance).
5.4.3 Requirements for maintenance and testing to achieve the required SIL.
6.1 Objectives
To define those requirements needed to develop and verify a SIS Conceptual Design that meets
the Safety Requirements Specifications.
6.2.1 The Safety Instrumented Systems (SIS) architecture for each safety function shall be
selected to meet its required Safety Integrity Level (SIL). (e.g., The selected architecture may be
one out of one [1oo1], 1oo2 voting, 2oo3 voting, etc.)
6.2.2 A SIS may have a single safety function or multiple safety functions that have a common
logic solver and/or input and output devices. When multiple safety functions share common com-
ponents, the common components shall satisfy the highest SIL of the shared safety function.
Components of the system that are not common must meet the SIL requirements for the safety
function that they address. When multiple SISs are combined in a system where they share
common logic or components, the potential for common cause faults is increased. Programming,
accessibility, maintenance, power supplies, and security are typical common cause issues to con-
sider.
28 ANSI/ISA-S84.01-1996
6.2.3 The desired SIL shall be met through a combination of the following design considerations:
a) Separation - identical or diverse (see B.1 for guidance)
b) Redundancy - identical or diverse (see B.2 for guidance)
c) Software design considerations (see B.3 for guidance)
d) Technology selection (see B.4 for guidance)
e) Failure rates and failure modes (see B.5 for guidance)
f) Architecture (see B.6 for guidance)
g) Power sources (see B.7 for guidance)
h) Common cause failures (see B.8 for guidance)
i) Diagnostics (see B.9 for guidance)
j) Field devices (see B.10 for guidance)
k) User interface (see B.11 for guidance)
l) Security (see B.12 for guidance)
m) Wiring practices (see B.13 for guidance)
n) Documentation (see B.14 for guidance)
o) Functional test interval (see B.15 for guidance)
7.1 Objective
To provide detailed requirements for the design of the Safety Instrumented Systems (SIS) to
achieve the requirements of the Safety Requirement Specifications and conceptual design.
7.2.1 The SIS design shall be capable of meeting the Safety Integrity Level (SIL).
7.2.2 The SIS may include sequencing functions to take the process to or maintain it in a safe
state.
ANSI/ISA-S84.01-1996 29
7.2.3 The SIS may contain one or more interlocks or safety functions.
7.2.4 The SIS design documents shall be under control of a formal revision and release control
program.
7.2.5 The manufacturer of equipment used in SIS service shall maintain a formal revision and
release control program for the equipment, including applicable software. The use of visible mark-
ings or user interfaces to identify this information is acceptable (e.g., part #, serial #, batch #, etc.).
7.2.6 The design shall ensure that the hardware and software used in an application are com-
patible.
7.2.7 The action of any non-safety function, if implemented by the SIS, shall not interrupt or
compromise any SIS safety functions.
7.2.8 The required safe states of each SIS component required for the safety function shall be
defined.
7.2.9 The SIS shall be designed such that once it has placed the process in a safe state, it shall
remain in the safe state until a reset has been initiated. The requirement for a manual or automatic
reset shall be as defined in the Safety Requirements Specifications.
7.2.10 Manual means, independent of the logic solver, shall be provided to actuate the SIS final
elements unless otherwise directed by the Safety Requirements Specifications.
7.2.11 Any detected single fault that causes a SIS failure shall result in an automatic, predeter-
mined, safe failure action; and/or a safe process condition if the appropriate response action is
undertaken.
7.2.12 The design shall apply codes and standards for environmental and hazardous area
classifications (e.g., NFPA 70, National Electrical Code, Article 500)(see C.5 for guidance).
7.2.13 SIS Input/Output power circuits shall be separated from circuits used for any other purpose
except where the sensor or final control element is shared as allowed in 7.4.2.2 and 7.4.3.1.
7.3.1 The logic solver supplier shall provide an integrated design including, where applicable,
input module(s), output module(s), maintenance interface device(s), communication(s), and utility
software. The integrated design shall be documented.
7.3.2 The logic solver supplier shall provide Mean Time To Failure (MTTF) data, covert failure
mode listing, and frequency of occurrence of identified covert failures. The method and data
sources for the above shall be provided.
7.3.3 PES logic solvers shall have methods (internal and/or external) to protect against covert
faults (e.g., comparison of logic solver performance versus process action, embedded or applica-
tion software testing the logic solver performance).
7.3.4 The logic solver shall be separated (see B.1 for guidance) from the Basic Process Control
System (BPCS) except where some applications have combined BPCS and SIS functions in one
"logic solver" (e.g., gas turbines). In these cases, the BPCS/SIS logic solver shall meet the SIL
(see C.1 for additional guidance).
30 ANSI/ISA-S84.01-1996
7.3.5 The logic solver shall be designed to ensure the process will not automatically restart when
power is restored, unless Process Hazards Analysis indicates this is appropriate.
7.4.1.1 Energize to trip discrete input/output circuits shall apply a method (e.g., end-of- line monitor,
such as pilot current continuously monitored to ensure circuit continuity; the pilot current shall not
be of sufficient magnitude to affect proper I/O operation) to assure circuit integrity.
7.4.1.2 When remote input/output is used, it shall be evaluated in conjunction with the logic solver
(see B.6 for guidance).
7.4.1.3 Each individual field device shall have its own dedicated wiring to the system Input/Output,
except in the following cases:
a) Multiple connected discrete sensors connected in series to a single input if the sensors
monitor the same process condition (e.g., motor overloads)
b) Multiple connected Final Control Elements (FCE) to a single output if each FCE services
the same process condition
c) User approved systems such as fire and gas detection systems
d) See 1.2.10 for ISA SP50 Fieldbus.
7.4.1.4 Field devices shall be selected and installed to minimize failures that could relate inaccurate
information due to conditions arising from the process and environmental conditions. Conditions
that shall be considered include corrosion, freezing of materials in pipes, suspended solids, poly-
merization, coking, and temperature and pressure extremes.
7.4.2.1 Smart sensors shall be write protected to prevent inadvertent modification from a remote
location, unless appropriate safety review allows the use of read/write.
7.4.2.2 Sensors for SIS shall be separated from the sensors for the Basic Process Control System
(BPCS). Two exceptions are allowed provided the failure of the sensor does not create a condition
that the SIS is intended to protect against:
a) If redundant sensors are used, they may be connected to both the BPCS and the SIS
provided that any failure in the BPCS will not affect the proper operation of the sensor
or the ability of the SIS to read the sensor properly (see B.1.5).
b) If the PHA determines that one or more protection layers other than the BPCS and the
SIS offers protection redundant to that provided by the sensor (for further guidance, see
Annex A).
7.4.2.3 Sensor diagnostics, vendor or user supplied , shall be provided as required to meet the
SIL (see B.9 for guidance).
ANSI/ISA-S84.01-1996 31
7.4.3 Final control element requirements
7.4.3.1 A control valve from the BPCS shall not be used as the only final element for SIL 3.
A safety review shall be required to use a single BPCS control valve as the only final element for
SIL 1 and 2. For additional information, see B.1.6.
7.5 Interfaces
This section addresses all human-machine and communication interfaces to the SIS. These can
include, but are not limited to
a) operator interface(s);
b) maintenance/engineering interface(s); and
c) communication interface(s).
7.5.1.1 The operator interface system design shall take into consideration the loss of the SIS
operator interface and the resulting requirements as defined by appropriate safety review. The
design shall ensure that, upon failure of the SIS operator interface, sufficient alternate means shall
be provided for the operator to bring the process to a safe state and that the automatic functions
of the SIS are not compromised.
7.5.1.2 The SIS status information that is critical to maintaining the SIL shall be available as part
of the operator interface. This information may include
a) where the process is in its sequence;
b) indication that SIS protective action has occurred;
c) indication that a protective function is bypassed;
d) indication that automatic action(s) such as degradation of voting and/or fault handling
has occurred;
e) status of sensors and final control elements;
f) the loss of energy where that energy loss impacts safety;
g) the results of comparison diagnostics; and
h) failure of environmental conditioning equipment that is necessary to support the SIS.
32 ANSI/ISA-S84.01-1996
7.5.1.3 Changes to the SIS application software shall not be allowed from the SIS operator
interface. Where the SIS maintenance/engineering interface is used as the operator interface to
the SIS, changes to application software from this interface shall require appropriate safety review
and access security. There may be some safety-related information that needs to be transmitted
from the BPCS to the SIS. For example, in batch systems a SIS may have different setpoints or
logic functions depending on the recipe being used. If so, the operator interface may be used to
select the appropriate logic function in the SIS or may be used to select recipe-specific tables. For
these types of applications, use only SIS systems that offer the ability to selectively allow writing
to a SIS variable that is accessible to the BPCS (see B.1.8 for additional guidance), and a confir-
mation procedure to ensure the proper selection has been transmitted and received in the SIS.
Enabling and disabling the read-write access shall be done only by a configuration or
programming process using the Maintenance/Engineering Interface with appropriate
documentation and security measures. An Operator Interface shall not be allowed to perform
this function.
7.5.2.1 The design of SIS maintenance/engineering interface shall ensure that any failure of this
interface shall not adversely affect the ability of the SIS to bring the process to a safe state. This
may require disconnecting of maintenance/engineering interfaces, such as programming panels,
during normal SIS operation.
7.5.3.1 The design of the communication interface of the SIS shall ensure that any failure of the
communication interface shall not adversely affect the ability of the SIS to bring the process to a
safe state.
7.5.3.2 Communication signals shall be isolated from other energy sources through the use of
good engineering practices, such as the use of shielded cable while maintaining a single ground
plane with a single dedicated power source, or the use of fiber optics.
ANSI/ISA-S84.01-1996 33
7.6 Power sources
The design shall ensure that each power source meets the needs of the SIS as specified in the
Safety Requirement Specifications (see B.7 for guidance).
The system environment must be addressed to ensure proper SIS operation. This may require
consideration of the following: temperature, humidity, contaminants, grounding, Electro
Magnetic Interference/Radio Frequency Interference (EMI/RFI), shock/vibration, electrostatic
discharge, electrical area classification, flooding, etc.
7.7.1 All environmental conditions to which the SIS will be exposed and the operating environ-
mental specifications for all components of the SIS shall be considered in the system design.
7.7.2 The system design shall take specific steps to resolve all differences between the environ-
mental conditions and equipment specifications in a manner that will allow the SIS to perform in
accordance with the Safety Requirement Specifications, such as installing heating, ventilation/air
conditioning equipment, and/or air filtration.
7.8.1.1 Only application logic under the control of a formal revision and release control program
shall be provided and considered for use on a SIS.
7.8.1.2 The application logic formal revision and release control program shall be provided and
maintained by the user.
7.8.1.3 The user shall ensure the application logic is documented in a clear, precise, and complete
way (see B.14 for guidance).
7.8.2.1 Only application logic under the control of a formal revision and release control program
shall be provided and considered for use on a SIS.
7.8.2.2 The application logic formal revision and release control program shall be provided and
maintained by the user.
7.8.2.3 The user shall ensure the application logic is documented in a clear, precise, and complete
way (See B.14 for guidance).
34 ANSI/ISA-S84.01-1996
7.8.3 Application logic for PES
Software discussed in this subclause addresses the SIS applications. Embedded and utility
software is discussed as far as it impacts application software.
7.8.3.1 Only software under the control of a formal revision and release control program shall be
provided and considered for use on a SIS.
7.8.3.2 The embedded software and utility software formal revision and release control programs
shall be provided and maintained by the SIS manufacturer(s). The manufacturer(s) shall also
provide and maintain a bug list and advise customers of any software faults which may lead to a
failure to function on demand.
7.8.3.3 The user shall not modify the SIS embedded or utility software.
7.8.3.4 The user shall ensure the application software is documented in a clear, precise, and
complete way (see B.3 and B.14 for guidance).
7.8.3.5 The application software formal revision and release control programs shall be maintained
by the user.
7.9.1 The design shall allow for testing of the overall system. It shall be possible to test final
element actuation in response to sensor operation. Where the interval between scheduled process
downtime is greater than the functional test interval, then on-line testing facilities are required.
7.9.2 When on-line functional testing is required, test facilities shall be an integral part of the SIS
design to test for covert failures.
7.9.3 When test and/or bypass facilities are included in the SIS, they shall conform with the
following:
a) SIS shall be designed in accordance with the maintenance and testing requirements
defined in the Safety Requirement Specifications.
b) The operator shall be alerted to the bypass of any portion of the SIS via an alarm and/
or operating procedure.
c) Bypassing of any portion of the SIS shall not result in the loss of detection and/or
annunciation of the condition(s) being monitored.
7.9.4 Forcing of inputs and outputs shall not be used as a part of:
a) application software;
b) operating procedure(s); and
c) maintenance, except as noted.
Forcing of inputs and outputs without taking the SIS out of service shall not be allowed unless
supplemented by procedures and access security. Any such forcing shall be annunciated or
alarmed, as appropriate.
ANSI/ISA-S84.01-1996 35
8 Installation, commissioning, and pre-startup acceptance test
8.1 Objective
8.1.1 The objective of this clause is to ensure that the Safety Instrumented Systems (SIS) is
installed per the detail design and performs per the Safety Requirement Specifications.
8.2 Installation
8.3 Commissioning
8.3.1 Commissioning ensures the SIS is installed per the detailed design and is ready for the
Pre-Startup Acceptance Test.
8.3.2 The SIS commissioning activities shall include, but may not be limited to, confirmation that
the following are installed per the detailed design documents and are performing as specified in
the Safety Requirement Specifications:
a) Equipment and wiring are properly installed.
b) Energy sources are operational.
c) All instruments have been properly calibrated.
d) Field devices are operational.
e) Logic solver and Input/Output are operational.
8.4.1 A PSAT provides a full functional test of the SIS to show conformance with the Safety
Requirement Specifications. The PSAT shall include, but may not be limited to, confirmation of
the following:
a) SIS communicates (where required) with the Basic Process Control System or any other
system or network.
36 ANSI/ISA-S84.01-1996
b) Sensors, logic, computations, and final control elements perform in accordance with
Safety Requirement Specifications.
c) Safety devices are tripped at the setpoints as defined in the Safety Requirement
Specifications.
d) The proper shutdown sequence is activated.
e) The SIS provides the proper annunciation and proper operation display.
f) The accuracy of any computations that are included in the SIS.
g) That the system total and partial reset functions as planned.
h) Bypass and bypass reset functions operate correctly.
i) Manual shutdown systems operate correctly.
j) Test interval is documented in maintenance procedures consistent with SIL
requirements.
k) SIS documentation is consistent with actual installation and operating procedures.
8.4.2 A PSAT shall be satisfactorily completed prior to the introduction of hazards the SIS is
designed to prevent or mitigate.
8.4.3 Accuracy of calibration of test instruments used in the PSAT shall be consistent with the
application. For example, the margin between the SIS setpoint and the hazardous process con-
dition may be used to determine the required accuracy.
8.4.4 Documentation to substantiate completion of the Commissioning and PSAT shall be com-
pleted prior to the introduction of hazards the SIS is designed to prevent or mitigate.
As a minimum, this documentation shall include the following:
a) Identification of the SIS that has been tested
b) Confirmation that Commissioning is complete
c) Date the PSAT was performed
d) Reference to the procedures used in the PSAT
e) Authorized signature that indicates PSAT has been satisfactorily completed
ANSI/ISA-S84.01-1996 37
9 SIS operation and maintenance
9.1 Objective
The objective of this clause is to ensure that the Safety Instrumented Systems (SIS) functions in
accordance with the Safety Requirement Specifications throughout the SIS operational life.
9.2 Training
9.2.1 Employees involved in the operation and maintenance activities of the SIS shall be properly
trained.
9.2.2 Employee training shall adhere to requirements specified in applicable regulation(s) (e.g.,
OSHA 29CFR1910.119, Reference C.11).
9.3 Documentation
The user shall have appropriate documentation (as noted in each Clause 9 subsection) and shall
keep the documentation current (see B.14 for guidance).
Operating procedures shall be written to explain the safe and correct methods of operating the
SIS. These procedures are typically part of the unit operating procedures. These procedures
should include, but not be limited to, the following:
a) Limits of safe operation (i.e., trip points) and the safety implications of exceeding them
b) How the SIS takes the process to a safe state
c) The correct use of operational bypasses, permissives, system reset, etc. (where
required)
d) The correct response to SIS alarms and trips
9.5.1 A maintenance program shall be established, which includes written procedures for main-
taining, testing, and repairing the SIS.
38 ANSI/ISA-S84.01-1996
9.5.2 SIS maintenance shall include, but not be limited to, the following:
a) Regularly scheduled functional testing of the SIS
b) Regularly scheduled preventative maintenance, as required (e.g., replacement of
ventilation filters, lubrication, battery replacement, calibration, etc.)
c) Repair of detected faults, with appropriate testing after repair
9.6.1 Vendor manuals that describe the SIS maintenance and testing requirements (e.g., battery
maintenance, fuse replacement) may be included in the maintenance procedures.
9.6.2 Bypassing may be necessary. If the process is hazardous while a SIS function is being
bypassed, administrative controls and written procedures shall be provided to maintain the safety
of the process.
9.6.3 The user shall have a periodic inspection program for the SIS to detect equipment faults,
defects, etc.
Not all system faults are self revealing. Covert faults that may inhibit SIS action on demand can
only be detected by testing the entire system.
9.7.2 The entire SIS shall be tested including the sensor(s), the logic solver, and the final
element(s) (e.g., shutdown valves, motors).
9.7.3.1 The SIS shall be tested at specific intervals based on the frequency specified in the Safety
Requirement Specifications (see B.15 for guidance). Note that different portions of the SIS may
require different periodic test intervals.
9.7.3.2 At some periodic interval (determined by the user), the frequency(s) of testing for the SIS
or portions of the SIS shall be re-evaluated based on historical data plant experience, hardware
degradation, software reliability, etc.
9.7.3.3 Any change to the application logic requires full functional testing. Exceptions to this are
allowed if appropriate review and partial testing of changes are done to ensure the SIL has not
been compromised.
ANSI/ISA-S84.01-1996 39
9.7.4 Functional testing procedures
9.7.4.1 A documented functional test procedure, describing each step to be performed, shall be
provided for each SIS.
9.7.4.2 Any deficiencies found during the functional testing shall be repaired in a safe and timely
manner.
9.7.4.3 The functional testing procedures shall include, but not be limited to, verifying the following:
a) Operation of all input devices including primary sensors and SIS input modules
b) Logic associated with each input device
c) Logic associated with combined inputs
d) Trip initiating values (setpoints) of all inputs
e) Alarm functions
f) Speed of response of the SIS when necessary
g) Operating sequence of the logic program
h) Function of all final control elements and SIS output modules
i) Computational functions performed by the SIS
j) Function of the manual trip to bring the system to its safe state
k) Function of user diagnostics
l) Complete system functionality
m) The SIS is operational after testing.
9.7.5.1 Procedures shall be written to allow on-line functional testing (if required).
9.7.5.2 For those applications where exercising the final trip element may not be practical, the
procedure shall be written to include
a) testing the final element during unit shut down; and
b) exercising the output(s) as far as practical (e.g., output trip relay, shut down solenoid,
partial valve movement) during on-line testing.
9.8.1 A description of all tests performed shall be documented. The user shall maintain records
to certify that tests and inspections have been performed.
40 ANSI/ISA-S84.01-1996
c) Serial number or other unique identifier of equipment (loop number, tag number,
equipment number, user approved number, etc.)
d) Results of inspection/test ("as-found" and "as-left" condition)
10.1 Objective
The objective of this clause is to ensure that the management of change requirements are
addressed in any changes made to an operating SIS.
10.2.1 A written procedure shall be in place to initiate, document, review the change, and approve
changes to the SIS other than "replacement in kind" (e.g., OSHA 29 CFR 1910.119, Section “B”)
(see Reference C.11 for guidance).
The MOC Procedure could be required as a result of
a) modification to the operating procedure;
b) modification necessary because of new or amended safety legislation;
c) modifications to the process;
d) modification to the Safety Requirement Specifications;
e) modifications to fix software or firmware errors;
f) modifications to correct systematic failures;
g) modification as a result of a failure rate higher than desired;
h) modifications resulting from increased demand rate on the SIS; and
i) modifications to software (embedded, utility, application).
10.2.2 The MOC procedure shall ensure that the following considerations are addressed prior to
any change:
a) The technical basis for the proposed change
b) Impact of change on safety and health
c) Modifications for operating procedures
ANSI/ISA-S84.01-1996 41
d) Necessary time period for the change
e) Authorization requirements for the proposed change
f) Availability of memory space
g) Effect on response time
h) On-line versus off-line change, and the risks involved
10.2.4 Personnel affected by the change shall be informed of the change and trained prior to
implementation of the change or startup of the process, as appropriate.
10.2.5 All changes to the SIS shall initiate a return to the appropriate phase (first phase affected
by the modification) of the Safety Life Cycle. All subsequent Safety Life Cycle phases shall then
be carried out, including appropriate verification that the change has been carried out correctly
and documented. Implementation of all changes (including application software) shall adhere to
the previously established SIS design procedures.
10.3.1 All changes to operating procedures, process safety information, and SIS documentation
(including software) shall be noted prior to startup and updated accordingly.
10.3.3 All SIS documents shall be revised, amended, reviewed, approved, and be under the control
of an appropriate document control procedure.
11 Decommissioning
11.1 Objective
11.1.1 To ensure proper review prior to permanently retiring a Safety Instrumented Systems (SIS)
from active service.
42 ANSI/ISA-S84.01-1996
11.2 General
11.2.1 Management of Change procedures shall be implemented for all decommissioning activi-
ties (see Clause 10).
11.2.2 The impact of decommissioning an SIS on adjacent operating units and facility services
shall be evaluated prior to decommissioning.
12 Differences
ANSI/ISA-S84.01-1996 43
12.1 Terminology
E/E/PES Safety SIS IEC draft Publication 1508 refers to Safety Related Sys-
Related System tems utilizing all technologies, while S84.01 refers only to
technologies utilizing Safety Instrumented Systems.
PES PES IEC draft Publication 1508 "PES" includes sensors & final
control elements, while S84.01 "PES" does not include sen-
sors & final control elements.
EUC Process IEC draft Publication 1508 uses "equipment under control"
as a generic term for the process S84.01 uses.
ISA-S84.01 is prepared by instrumentation personnel for ISA, the international society for
measurement and control, and American National Standards Institute (ANSI). As such, it does
not detail information of process hazards reviews and those issues presently mandated by
U.S.A. regulations such as OSHA 29 CFR 1910.119.
The result is training, management of change, personnel certification, and process hazards
reviews are only briefly discussed and references provided. IEC draft Publication 1508
discusses these issues in greater depth.
44 ANSI/ISA-S84.01-1996
IEC draft Publication 1508 ISA-S84.01
Part 1
Specifies the requirements for achieving functional Does not specify external risk reduction facilities
safety of external risk reduction facilities requirements for achieving functional safety
Applies to the total combination of safety related Applies only to E/E/PES safety related systems
systems and external risk reduction facilities (e.g., SIS)
Applies Safety Integrity Levels (SIL) to external risk Does not apply Safety Integrity Levels (SIL) to
reduction facilities external risk reduction facilities
Mandates the use of ISO 9000 Series of Quality Does not mandate the use of ISO 9000 Series of
Systems or equivalent Quality Systems
Mandates the use of Tables in IEC draft Publication Does not mandate the use of IEC draft Publication
1508 that specify “minimum level of independence 1508 Tables
of person, department, organization”
Mandates the documentation of rationale for not Does not mandate documentation of reasons for
implementing "Highly Recommended" measures or using a different implementation scheme
techniques in IEC draft Publication 1508
Mandates the use of a Safety Plan (see details that Mandates documentation consistent with OSHA
follow) 1910.119, Reference C.11 - Safety Plan not
required
(4.6) Mandates adhering to respective Measures Does not mandate adhering to any specific mea-
and Techniques sure or technique
(4.6) Mandates witnessing tests to ensure Does not mandate witnessing tests to ensure
compliance with this standard compliance
(6.0) Defines "Safety Management" activities Does not address management issues, except
during the whole Safety Life Cycle management of change
(7.1) Mandates that each phase of the overall Mandates commissioning and Pre-Startup
Safety Life Cycle be followed by planned Acceptance Test (PSAT) of the SIS with appropriate
verification activity, documented with documentation (see 8.3 & 8.4)
design review, testing, and analysis of results
(7.1.3.2) Mandates ISO 9000 procedures plus IEC Does not mandate the use of ISO 9000
draft Publication 1508 requirements be
implemented for all aspects of the Safety
Life Cycle
(7.1.3.1) Mandates adhering to each step in Does not address conceptual process design,
the Safety Life Cycle and providing a process hazard and risk analysis, non-SIS
documented Safety Plan defining protection layers, need for a SIS and determining
deviations required SIL
(7.1.3.3) Mandates each phase of the overall SP84 requires that these activities be completed
Safety Life Cycle be divided into prior to implementation of SP84
elementary tasks with well defined input,
output activity for each, scope, and
documented
ANSI/ISA-S84.01-1996 45
IEC draft Publication 1508 S84.01
Part 1
(7.2) Requires process conceptional design The method for accomplishing this is outside the
information and overall process scope of this standard
concept description
(7.5) Mandates: Items: The method for accomplishing this is outside the
Risk Reduction 7.5.2.4 scope of this standard
7.5.2.6
7.5.2.7
All Safety Functions 7.5.2.2
Level of Safety 7.5.2.3
Specifies Risk
Reduction Method 7.5.2.5
Mandates decommissioning log, verification plan, Does not mandate these requirements
functional safety assessment plan and report, lev-
els of independence
Parts 2 and 3 are normative Parts 2 and 3 type information is part normative
and part informative -- to be defined
SIL 1, 2, 3, 4 SIL 1, 2, 3 S84.01 does not address Safety Integrity Level (SIL) 4 other
than recognizes its existence. SIL 4 development is not
normally found in the process industries.
Equipment Under Basic Process IEC draft Publication 1508 refers to the EUC control system,
Control (EUC) control Control while S84.01 refers to the BPCS.
system excluding the System
safety controls (BPCS)
46 ANSI/ISA-S84.01-1996
Annex A (Informative) — Information and examples illustrating methods
for determining Safety Integrity Level (SIL) for a Safety
Instrumented System (SIS)
A.1 Introduction
This annex provides four examples of methods for determining SIL as part of process safety
activities. These examples provide only general information on the range and types of
approaches for determining SIL. These and additional methods are described in Reference C.1.
Determining where a SIS is appropriate, what process variables actuate it, and what final
process actions it takes, are beyond the scope of this annex. The four SIL determination
methods are applied to an example in only enough detail to show conceptually how SIL can be
determined. Details on how to use and understand these SIL determination methods, and
others, are described in the references.
Four example SIL determination methods were selected to illustrate the variety of approaches. A
simple matrix method was chosen to briefly present the key factors, recognizing that many more
comprehensive matrix methods are available. The consequences only method exemplifies a
straight-forward SIL selection method that involves adoption of some very conservative safety
premises. To illustrate a qualitative risk evaluation SIL determination method, a modified HAZOP
method was chosen. Quantitative risk assessment methods are represented by describing how
a fault tree analysis can be used to determine SIL.
Regardless of the method used to select SIL, it is done as part of process safety activities. The
team involved in making SIL decisions consists of participants with certain types of expertise. It
is generally appropriate to include the following expertise and qualifications on the process safety
team:
a) Ownership — those who have direct responsibility for operating the equipment
b) Process Knowledge — an understanding of the basic science and technology involved
in the process and equipment operation
c) Design Knowledge — how the equipment or process should work, particularly
instrumentation for complex control systems
d) Operating Experience — those with direct "hands on" operating and maintenance
experience
e) Others — skill in running process hazards reviews and other appropriate knowledge
as needed
This annex does not provide enough information to adequately understand the use of any
method, and it does not indicate or imply any safety criteria, or recommend any particular
approach.
ANSI/ISA-S84.01-1996 47
As described in Clause 4 of the standard, determination of Safety Integrity Level (SIL), for a
Safety Instrumented Systems (SIS) is a part of process safety activities. As depicted in the
Safety Life Cycle, (see Figure 4.1), steps 2, 3, 4, 5, and 6 summarize the process safety
concepts involved in determining SIL. These life cycle steps are as follows:
f) Step 2 - Evaluate consequences and likelihood for hazardous events
g) Step 3 - Evaluate preventive, protective and mitigating process safety features for these
events, other than SIS
h) Step 4 - Decide if a SIS is appropriate for this application
i) Step 5 - Determine target SIL for the SIS
j) Step 6 - Determine other process safety-related specifications and design criteria
Process safety activities, which include consequence analysis and process hazards reviews
(References C.14 and C.15), have the objective of helping to assure that the process will be safe
to operate. Hazards, and hazardous events, are identified, and means to control the risk and
potential consequences are decided upon, as part of these activities. Risk control and risk
reduction decisions are made on many process safety features of the process. These include
items, such as, procedures, basic process design, over-pressure protection, and SIS.
A.2 Safety Integrity Level (SIL) considerations and the process example
Safety Integrity Level (SIL) is a basic concept in this standard. SIL defines the level of safety
performance for a SIS. SILs are defined as 1, 2, or 3. The higher the SIL, the better the safety
performance of the SIS. Better SIS performance is achieved by higher availability of the safety
function. SIS performance is improved by the addition of redundancy, more frequent testing, use
of diagnostic fault detection, etc., as described in the standard and annexes.
Some understanding of how the three SIL levels will be implemented is important for the process
safety team making the SIL determinations. As the team learns the process, and how hazardous
events can occur, they should understand how the SIS will perform its safety function. With an
understanding of the important safety aspects of the SIS, including what is needed to achieve the
different SIL, the team helps to ensure that the process design and operation do not compromise
performance of the SIS.
Figure A.1 conceptually shows how the three SIL will be implemented in the example application.
The implementation depicted in Figure A.1 is specific to this example. As described in this
standard and ISA-dTR84.02 (Reference C.2), there are many ways to implement SIS to achieve
a specified SIL.
Figure A.2 depicts a simplified piping and instrumentation diagram for the process example. A
high pressure vapor is used to control pressure in a low pressure system. The low pressure
system is protected from over-pressure by
a) a pressure relief valve;
b) a pressure control system; and
c) an operator response to a high pressure alarm.
48 ANSI/ISA-S84.01-1996
Protection of the low pressure system is achieved by stopping flow from the high pressure
system, or by the pressure relief valve opening. The consequence of over-pressuring the low
pressure system is rupture of the low pressure vessel.
The process safety team has identified a potential SIS to prevent over-pressure from occurring in
the low pressure system. The SIS would be implemented by sensing pressure and closing
valves for the different SIL, with sensors, final elements, and logic solvers arranged as shown in
Figure A.1. Figure A.2 simply illustrates the process and is not intended to depict any specific
SIL requirements.
ANSI/ISA-S84.01-1996 49
A.3 Example methods for selecting SIL
In the following sections, four different methods will be described for selecting SIL for this high
pressure shutdown SIS.
Safety
Integrity Level Sensor Logic Solver Actuator
...T Logic
SIL 1 XXXX Solver
Figure A.1a
...T Logic
XXXX Solver
SIL 2
Note:
1) Sensors, logic solvers, and/or final elements may be redundant as safety availability requirements
dictate
Figure A.1b
...T Logic
XXXX Solver
SIL 3 Note 2
...T Logic
YYYY Solver
2) The performance of two identical SIL 1 SIS’s may not equal that of one SIL 3 SIS.
Figure A.1c
...T
XXXX
SIL 3 Logic
Solver(s)
...T *
YYYY
Figure A.1 — Company ABC, Site XX, Specific SIL implementation techniques,
example only
50 ANSI/ISA-S84.01-1996
Figure A.2 — Process example
ANSI/ISA-S84.01-1996 51
than predicted by use of other SIL selection methods. Erring on the side of designing a higher
than necessary SIL level was felt to be conservative by this team. The team preferred to save
time that would be spent on risk evaluations and to incur the potential cost penalties imposed by
selecting a higher SIL than might otherwise result. Money spent on equal or better safety
performing SIS was felt to be a good investment in safety.
Figure A.3 — Company ABC, Site XX, Example of a qualitative matrix for the
determining SIL
The method only requires an evaluation of the severity of consequences, should the SIS and
other protective safety items fail. Since this is a conservative method, this particular plant
decided to simplify the SIL selection process from three SIL choices to two SIL choices. This
was done by selecting only SIL 1 or SIL 3 designs. If the consequences are above a base
threshold, then a SIL 1 is selected. If they are above a "major" severity criteria, then a SIL 3 is
selected.
These two severity levels were defined to include injuries, property damage, and environmental
impact specific to this process. Risk was addressed in setting these guidelines, by the
underlying assumption that the frequence of occurrence of initiating events for all SIS
applications was assumed to be frequent, or “likely.”
The team evaluated the severity of consequences for the high pressure shutdown SIS in the
example and felt they exceeded the "major" criteria. Based on that evaluation, a SIL 3 was
selected.
52 ANSI/ISA-S84.01-1996
factors. Specific risk reduction recommendations can be evaluated in terms of their effectiveness
in reducing risk. The team decides on recommendations, or the adequacy of current risk controls,
based on this evaluation process.
Using an experienced leader in HAZOP methodology, the process segment is systematically
analyzed using a set of guide words to identify process deviations that could lead to hazardous
events. A spreadsheet format is used to associate the process deviation, with a specific upset
cause. The upset cause is followed by the potential consequences of the upset, factors that
prevent or protect against the consequences, and the action or judgement of the team on how to
control the associated risk. The team decides on recommendations or the adequacy of current
risk controls, based on this evaluation process.
Part of the modified HAZOP documentation for the example is summarized in Table A.1.
The modified HAZOP team also identified operator error when in manual mode during startup as
a cause of a high pressure upset.
Based on the severity of the consequences, the team’s feeling for the likelihood of these upsets,
and overall performance of the protective systems, the team agreed a SIS was needed. Initially,
a SIL 2 or 3 was considered by the team for further evaluation. The team considered safety,
equipment reliability, and operation and maintenance costs then determined that an SIL 2 SIS is
more appropriate for this application.
More Flow Pressure control valve Vessel rupture with – Relief Valve
fails to open potential injuries, – Operator response
property damage, and to high pressure
environmental damage alarms
– High pressure
shutdown SIS
More Pressure Pressure sensor fails, Same as More Flow – Same as More Flow,
drifts to a false low except the operator
pressure output response is only
triggered by a single
high pressure signal
ANSI/ISA-S84.01-1996 53
in Reference C.1, page 56, and extensively covered in Reference C.13. Details of the fault tree
covering the example are too complex to describe or depict in this annex.
The first step in using the fault tree to determine SIL for the example was to develop the fault tree
logic diagram. The initial fault tree was based on the assumption of a high pressure shutdown
SIS designed as shown in Figure A.2, a SIL 1 design. Appropriate failure information were
determined for all the failure events associated with the example. For example, failure
frequencies were estimated for initiating events, such as the pressure control valve failing to
open. A top event frequency for vessel rupture was then calculated.
After reviewing the fault tree results, the team decided that the fault tree should be changed for
evaluation of an SIL 2 and 3 design for this SIS. Subsequent results of this fault tree evaluation
indicated a substantial safety improvement for the SIL 2 design, versus the SIL 1 design. The
top event vessel rupture frequency of occurrence decreased by a substantial percentage. A
similar comparison of SIL 2 versus SIL 3 designs, indicated only a small safety improvement, i.e.,
the top event frequency decreased only slightly. Based on these comparisons, the team selected
SIL 2 for the high pressure shut down SIS.
54 ANSI/ISA-S84.01-1996
Annex B (Informative) — SIS design considerations
B.1.1 Separation between BPCS and SIS functions reduces the probability that both control and
safety functions become unavailable at the same time, or that inadvertent changes affect the safety
functionality of the SIS. Therefore, it is generally necessary to provide separation between the
BPCS and SIS functions.
B.1.2 Identical separation is generally acceptable for SIL 1 applications. Diverse separation offers
the additional benefit of reducing the probability of systematic faults (a factor especially important
in SIL 3 applications) and reducing common cause failures (see B.8).
B.1.3 There are four areas where separation may be needed to meet the safety functionality and
safety integrity requirements:
a) Application of field sensors
b) Application of final control elements
ANSI/ISA-S84.01-1996 55
c) The logic solver
d) Communication between SIS and BPCS or other equipment
B.1.4 Each of these four areas should be evaluated to ensure that the required SIL is met.
B.1.5 Sensors
A single sensor used for both BPCS and SIS requires further safety review and analysis as part
of the process safety activity (see Annex A). For example, a level sensor used for both BPCS
and high level trip SIS can create a demand if it fails below the setpoint of the level controller; as
a result, the controller may drive the valve open, and this protection will be lost.
B.1.5.1 For SIL 1, a single sensor may be used for both BPCS and SIS, provided the safety integrity
requirements are met.
B.1.5.2 For SIL 2, identical separation between BPCS and SIS is typically needed to meet the
required safety integrity.
B.1.5.3 For SIL 3, identical or diverse separation between BPCS and SIS is typically needed to
meet the required safety integrity.
B.1.5.4 When redundant SIS sensors are used, the sensors may be connected to both the SIS
and BPCS provided that a safety review and analysis shows the connection to the BPCS does not
compromise the safety integrity of the SIS.
B.1.6.1 For SIL 1, a single valve may be used for both BPCS and SIS, provided the valve’s unsafe
failure rate meets the safety integrity requirements. The design should ensure that the SIS action
overrides the BPCS action.
B.1.6.2 For SIL 2, identical separation between BPCS and SIS is typically needed to meet the
required safety integrity. A single valve used for both BPCS and SIS requires further safety review
and analysis, since it may not meet the required safety integrity. For example, a valve used for
both BPCS and SIS can create a demand if it fails in the open position. If this valve is also used
for an interlock, this protection will be lost, since the SIS could not close the valve.
B.1.6.3 For SIL 3, identical or diverse separation between BPCS and SIS is typically needed to
meet the required safety integrity.
B.1.6.4 When redundant SIS valves are used, the valves may be connected to both the SIS and
BPCS provided that a safety review and analysis shows the connection to the BPCS does not
compromise the safety integrity of the SIS.
56 ANSI/ISA-S84.01-1996
B.1.7 Logic solver
B.1.7.1 For SIL 1, identical or diverse separation between BPCS and SIS is typically needed to
meet the required safety integrity.
B.1.7.2 For SIL 2, diverse separation between BPCS and SIS is typically needed to meet the
required safety integrity. Identical separation between BPCS and SIS may be used provided safety
review and analysis shows that it meets the safety integrity requirements.
B.1.7.3 For SIL 3, diverse separation between BPCS and SIS should be considered to meet the
required safety integrity.
B.1.7.4 There may be special cases where it is not possible to provide separation between BPCS
and SIS (e.g., a gas turbine control system includes both control and safety functions). Additional
considerations when combining control and safety functions in the same device are
a) evaluation of the failure of common components and software and their impact on SIS
performance;
b) life cycle support of the entire system as a SIS with respect to changes, maintenance,
testing, and documentation; and
c) limiting access to the programming or configuration functions of the system.
B.1.8.1 Communications between BPCS and SIS can enhance the overall safety of the application.
However, external communications, particularly writes to the SIS, can compromise the safety
integrity of the SIS. Provision must be made to ensure all writes are valid and do not negatively
impact the system safety or operation. (See B.1.8.2 sections (c) and (d) for further guidance.)
B.1.8.2 There are five basic ways to approach external communication between BPCS and SIS:
a) No external communication between BPCS and SIS
This is acceptable for SIL 1 and SIL 2, but use of this method for SIL 3 requires additional
safety review and analysis. For example, analog or discrete output from one device to
the input of another device.
c) Read only external communication from SIS to BPCS
This may be acceptable for all SILs if review and analysis is done to assure that the
safety function is not compromised. Measures to achieve write protection of the safety
function include, but are not limited to
1) hard-wired switch (or jumper) to limit write access; and
2) implementation of the safety function in SIS ROM.
d) Read/write external communications with write protection of the safety function
This is acceptable for SIL 1 and 2, but use of this method for SIL 3 requires additional
ANSI/ISA-S84.01-1996 57
safety review and analysis. Measures to achieve write protection of the safety function
include but are not limited to
1) limited time window for write access; and
2) software switch (e.g., password) to limit write access.
e) Read/write external communications with limited or no write protection of the safety
function
Use of this method may be acceptable for SIL 1. Use of this method for SIL 2 requires
additional safety review and analysis. Use of this method in SIL 3 is discouraged.
B.2.1 Redundancy can be applied to provide enhanced safety integrity or improved fault tolerance.
The designer should determine the redundancy requirements that achieve the SIL and reliability
requirements for all components of the SIS including sensors, logic solver, and final control ele-
ments.
B.2.2 An example of this is where the SIS requires a 1oo2 architecture, but there is concern about
spurious trips. In such a situation, the designer may choose a 2oo3 architecture, which may
improve reliability without substantially reducing safety integrity.
B.2.4 Redundancy should be analyzed for common cause faults. Elimination or reduction of the
fault source, or the use of diverse redundancy, are methods to mitigate common cause faults.
Some examples of common cause faults are
a) plugging of shared instrument lead lines;
b) corrosion;
c) hardware faults;
d) software errors; and
e) power supply/source.
B.2.5 Diverse redundancy uses different technology, design, manufacture, software, firmware,
etc., to reduce the influence of common cause faults. Diverse redundancy should be used if it is
required to meet the SIL. Diverse redundancy should not be used where its application can result
in the use of lower reliability components that will not meet system reliability requirements.
B.2.6 Measures that can be used to achieve diverse redundancy include, but are not limited to
a) the use of different measurements (e.g., pressure and temperature) when there is a
known relationship between them;
b) the use of different measurement technologies of the same variable (e.g., coriolis flow
and vortex flow);
c) the use of different types of PES for each channel of redundant architecture; and
58 ANSI/ISA-S84.01-1996
d) the use of geographic diversity (e.g., alternate routes for redundant communications
media).
B.2.7 Some typical concerns with PES technology that could warrant diverse redundancy in SIS
would be undetected faults in
a) hardware;
b) manufacturing;
c) components;
d) operating system;
e) communications;
f) firmware;
g) software;
h) application programming; and
i) environment.
B.3.1.1 Embedded software is provided by PES suppliers and is typically transparent to the
preparation of application software. Considerations that should be understood before proceeding
with the application software development include the following:
a) The supplier has a software quality plan.
b) The embedded software revision level is defined.
c) The embedded software revision level is the same as the revision level analyzed when
initially approving the PES for use as a SIS.
d) All enhancements to, or fixes of, embedded software functionality contained in new
software releases have been reviewed and analyzed.
B.3.2.1 Use of utility software should adhere to the same criteria as embedded software (see
B.3.1). Utility software from third parties may be available and considered for use. Use of third
party utility software for applications program development, without testing and approval of the
PES manufacturer of the utility software package, is not recommended.
B.3.3.1 Modular design is highly desirable in application programs. Modular design tends to
enhance design simplicity and integrity.
B.3.3.2 Application software should include provision for diagnostic testing if required to meet the
system SIL. A typical diagnostic testing scheme using an external Watchdog Timer is illustrated
in Reference C.1.
ANSI/ISA-S84.01-1996 59
B.3.3.3 Programming languages that are mature and/or have been certified to accepted industry
standards are preferred.
B.3.3.4 Programming guidelines should be established to enforce consistent style among the
design team. Implementation of a software quality plan may facilitate development of a consistent
programming style.
B.3.3.5 To avoid unnecessary complexity and features that make the behavior of the system
difficult to predict, the following should be considered:
a) The software should have a definite order and structure so that it ensures understanding
of where you are in the application software at all times
b) If nested sequences are used, nesting should be limited to as few layers as possible
c) Peer reviews of application software
B.3.3.6 To verify that the software design meets each of the requirements established in the Safety
Requirement Specifications, consider the following:
a) An analysis to demonstrate that each of the requirements established in the Safety
Requirement Specifications is implemented in the design
b) Peer review of designs of safety critical functions
B.3.3.7 Confirm that the application software meets the requirements established in the Safety
Requirement Specifications under all expected operating conditions. Consider the following:
a) Tests should be developed to exercise the software beyond the normal bounds for data,
commands, keyboard inputs, and other actions.
b) A bug-reporting and resolution system should be implemented.
c) Application software should be tested to determine software behavior in the presence
of hardware faults.
B.4.1 Safety Instrumented Systems (SIS) can be developed using Electrical, Electronic or Pro-
grammable Electronic (E/E/PE) technologies.
B.4.2 A hybrid scheme combining technologies (e.g., PE, Electrical, etc.) may be used to develop
a SIS.
B.4.3 There are other technologies that can be used other than E/E/PE in the design of an SIS,
such as pneumatics, hydraulics, etc. These technologies are outside the scope of this standard
(see 1.2.9).
B.4.4.1.1 Direct-wired systems have the discrete sensor directly connected to the final element.
This technology can only be used in the simplest applications. There is minimal diagnostic cov-
erage, so proof testing frequency may have to be increased.
60 ANSI/ISA-S84.01-1996
B.4.4.2 Electromechanical devices
B.4.4.2.1 Electromechanical devices include relays and timers. Relays are often used where
simple logic functions are adequate to provide the necessary safety logic. Extensive operating
experience with relays and their mature technology make acceptance of this device in a SIS
widespread.
B.4.4.2.2 Standards and guidelines for implementing electromechanical relays in SIS applications
are available to users (see Reference C.4). Unsafe failure modes of relays can also be quantified.
B.4.4.2.3 Successful users of relays in safety applications have followed some simple guidelines.
They include using a relay that
a) has a good in-plant track record;
b) has the proper "fail-to-shelf" position (e.g., position when completely disconnected)
characteristics when installed;
c) is found reliable through life-cycle testing;
d) is user approved for safety applications; and
e) is suitable for the environment in which it is placed (e.g., hermetically sealed).
B.4.4.2.4 The relay SIS has other attributes that should be considered:
a) The on/off status can be readily obtained by checking contact position (e.g., open or
closed).
b) Its interconnected logic is very difficult to change (requires rewiring).
c) It is simple and understood by plant personnel and can be easily supported.
d) It is easily identified and secured as a critical control device.
e) It has failure modes that can be isolated to reduce common mode failures.
B.4.4.2.5 Relay logic should not be considered inherently fail-safe. Even if the relays are properly
selected and applied, the contacts may weld and the spring may not return the switching contacts
to the de-energized position.
B.4.4.2.6 Electromechanical relay logic systems should consider the following criteria:
a) Contacts open on coil de-energization or failure.
b) The coil has gravity dropout or dual springs.
c) Contacts are of proper material and rating.
d) Energy limiting load resistance is installed to prevent contacts from welding closed.
e) Proper arc suppression of the contacts is provided for inductive loads.
B.4.4.2.7 There are low energy loads (e.g., 50 volts or below and/or 10 mA or below) that require
special contact materials or designs (e.g., hermetically-sealed contacts) to eliminate oxidation
build-up on contacts resulting in unreliable operation (e.g., load dropout). This is referred to as
contact-wetting. When utilizing these special contacts, specific failure mode analysis is needed
for these contacts to ensure that a fail-safe electromechanical system is being designed.
ANSI/ISA-S84.01-1996 61
B.4.4.2.8 Electromechanical relays may not be suitable for SIS applications with
a) high duty-cycles resulting in frequent state changes;
b) timers or latching functions;
c) complex math functions;
d) analog measurements; and
e) large logic applications.
B.4.4.3.1 Motor driven timers provide acceptable performance for key safety applications such as
burner purge timing. Most motor driven timers require a locking device or appropriate modification
to eliminate tampering with critical settings. Motor driven timers are limited in timing resolution and
the ability to handle high duty cycles.
B.4.5.1.1 Solid state relays are used in high duty-cycle application and have unsafe failure modes
that can be identified and quantified. Appropriate design features should be added to handle these
unsafe failure modes. Some additional applications of solid state relays are described in the
following paragraphs.
B.4.5.2.1 Solid state timers are used where the application’s complexity does not warrant a PES.
Solid state timer technology can be categorized as either Resistor-Capacitor (RC) circuit or pulse
counting. RC timing devices may not be suitable for safety applications because of poor repeat-
ability and unsafe failure modes. Note that RC circuitry is often used in the time setting portion of
pulse-counting timers; this does not preclude the use of these timers.
B.4.5.2.2 The pulse-counting timer, sometimes referred to as a digital timer, can use a number of
methods to achieve pulse counting. These include
a) a line frequency (50 or 60 Hz);
b) an electronic oscillator; and
c) a quartz crystal oscillator.
B.4.5.2.3 A user-approved safety crystal oscillator (e.g., quartz) timer is recommended because
of high repeatability and good reliability.
B.4.5.3.1 Solid state logic refers to the transistor family of components like Complimentary Metal
Oxide Semiconductor (CMOS), Resistor-Transistor Logic (RTL), transistor-transistor logic (TTL),
and High Noise Immunity Logic (HNIL). These components are assembled in stand-alone modules,
plug-in board modules, or in highly integrated, high-density chips. They differ from typical com-
puter-type equipment in that they have no Central Processing Unit (CPU). They perform according
to the logic obtained by the direct-wiring techniques of interconnecting the various logic components
such as ANDs, ORs, and NOTs. These systems have limitations in fail-safe requirements (e.g.,
indeterminate failure modes) that should be recognized.
62 ANSI/ISA-S84.01-1996
B.4.5.3.2 Solid state logic has generally been integrated with direct-wiring and relay schemes for
SIS. Solid state logic is not recommended for SISs unless provided with additional diagnostics to
test for unsafe failure modes. PESs are sometimes used as a diagnostic tool to make solid state
logic systems suitable for SIS.
B.4.5.4.1 Pulsed electronic logic generates pulses with a specified amplitude and period. A pulse
train is recognized as a logic "true” or "one," while all other signals (e.g., grounds, non-specified
pulses, and continuous "on" or "off") are recognized as a logic "false" or "zero."
B.4.5.4.2 Pulsed electronic logic can be considered in a SIS if it meets the requirements noted in
this standard and is user approved.
B.4.5.4.3 Pulsed electronic logic can offer high safety integrity. However, PES designs offer some
functions that may not be available with pulsed solid state systems or electronic logic such as
calculation capability, improved communications, and networking.
B.4.6.1 The PES can be a programmable controller, a distributed control system controller, or an
application-specific stand alone microcomputer. Caution should be used when using personal
computers, since they generally do not have the safety integrity required for SIS applications.
B.4.6.2 The use of PES results in many difficult to recognize failure modes, many of which can
be unsafe.
B.4.6.3 Some techniques that can be used to minimize the unsafe failure modes of PES are
a) extensive diagnostics to detect covert faults (see B.9 for guidance);
b) use of redundancy, fault tolerance (e.g., 2oo3), and similar architectures;
c) use of Watchdog Timers, both internal and external; and
d) use of outputs with diagnostics to detect output module failures.
B.5.1 Failure rate is the average rate at which faults occur within the SIS components. The failure
rate for the overt failure mode of a component may be quite different than the failure rate for the
covert mode. The failure rates for both of these modes and their safety implication should be
considered in the design of the SIS. Failure rates are influenced by component design, manufac-
turing quality, installation practice, and environmental and process conditions. See ISA-dTR84.02
for additional information.
ANSI/ISA-S84.01-1996 63
B.5.2 Tables B.5.1 and B.5.2 list some of the possible faults which should be considered in the
design of SIS.
64 ANSI/ISA-S84.01-1996
Table B.5.2 — Typical programmable electronic failure modes
Device(s) Failure Mode Device(s) Failure Mode
ANSI/ISA-S84.01-1996 65
B.6 Architecture
B.6.1 Selection of the SIS architecture is an activity performed during the conceptual design step
of the Safety Life Cycle. The architecture has a major impact on the overall safety integrity of the
SIS. The architecture also influences SIS reliability (likelihood of spurious trips) (Reference C.3).
B.6.2 Some of the activities involved in determining the SIS architecture are
a) selection of energize to trip or de-energize to trip design;
b) selection of identical or diverse redundancy for the SIS sensors, logic solver, and final
control elements;
c) selection of redundancy for power sources and SIS power supplies;
d) selection of operator interface components (e.g., CRT, alarm annunciator, pushbuttons)
and their method of interconnection to the SIS; and
e) selection of data communications interfaces between SIS and other subsystems (e.g.,
BPCS) and their method of communication (e.g., read only or read/write).
B.6.3 A SIS may utilize architectures (e.g., 2oo3 sensor, 1oo1 logic solver, 1oo2 final element)
for reasons that may include different
a) SILs in the same SIS;
b) testing requirements;
c) equipment reliability and failure modes; and
d) user interfaces.
B.6.4 Architecture that may typically meet the SIL performance requirements includes:
SIL 1 - A 1oo1 architecture with a single sensor, single logic solver, and a single
final control element.
SIL 2 - Requires more diagnostics and typically includes redundancy of the logic
solver and sensors, with redundancy of final control elements as
necessary.
SIL 3 - Typically two separate and diverse 1oo1 arrangements, each with their
own sensor, logic solver, and final control element. The 1oo1
arrangements would be connected in a 1oo2 voting scheme. Diverse
separation, redundancy, and exhaustive diagnostic capabilities are
considered significant aspects of a SIL 3 system.
The user must determine the failure rates of the system components, diagnostic coverage, test
intervals, redundancy, etc., and evaluate each specific SIS to validate its performance (see
ISA-dTR84.02 for additional guidance).
Power sources include, but are not limited to, electrical power, pneumatic power (e.g., instrument
air), and hydraulic power. Grounding is included in this subclause after electrical power.
66 ANSI/ISA-S84.01-1996
B.7.1 Electrical power source
B.7.1.1 The electrical power source should be designed to meet the safety integrity and reliability
requirements of the application.
B.7.1.2 Electrical power source redundancy is frequently provided to improve the reliability of the
SIS, although redundancy may not be necessary to meet the safety integrity requirements for de-
energized to trip applications. For energize to trip applications, electrical power source redundancy
is typically provided to meet the safety integrity requirements.
B.7.1.3 Electrical power source redundancy can be provided using an alternate source with au-
tomatic transfer, an Uninterruptible Power Supply (UPS), or battery backup by an alternate source.
Design considerations when transferring to alternate sources include
a) detection of fault prior to impacting SIS operation;
b) transfer to back-up source without impacting SIS operation;
c) ability to maintain UPS or batteries without impacting SIS operation; and
d) minimize common cause failures.
B.7.1.4 Consider providing power source(s) diagnostics that will not allow SIS startup unless all
power sources are available.
B.7.1.5 Electronic and programmable electronic SIS frequently include internal power supplies
that convert electrical power source(s) to lower level voltages for internal use. Power supply
redundancy should be considered to meet the reliability requirements of the application.
B.7.1.6 Electronic and programmable electronic SIS typically are more sensitive to electrical noise
(e.g., radio frequency interference or electromagnetic interference) Utilize shielding, good wiring
practices (see B.13), and proper grounding (see B.7.2).
B.7.1.7 Electronic and programmable electronic SIS typically have a lower insulation breakover
voltage rating than an electrical SIS. Therefore, additional surge protection may be required.
B.7.1.8 Programmable electronic SIS may require electrical power with lower total harmonic
distortion than electrical or electronic SIS.
B.7.1.9 Input/Output (I/O) may have separate power distribution, fused to minimize common cause
in case of a wiring fault. These fuses should coordinate with upstream fuses to insure minimum
impact on system performance if a fuse blows.
ANSI/ISA-S84.01-1996 67
h) protection against transients such as spikes, surges, brown outs, and electrical noise;
i) protection against undervoltages;
j) protection against overvoltages; and
k) grounding.
B.7.2 Grounding
B.7.2.1 Grounding is critical in E/E/PE technology to ensure personnel safety (Reference C.5)
and proper equipment performance. This subclause deals only with the voltages found in SIS
applications (typically 240 volt AC or below, and 125 volts DC and below).
B.7.2.2 Note that the grounding becomes more restrictive when moving from electrical to electronic
and from electronic to programmable electronic. Therefore, electrical equipment grounding can
be easily achieved in a grounding system designed for electronic and/or Programmable Electronic
equipment, and electronic equipment grounding can be easily achieved in a grounding system
designed for programmable electronic equipment. Programmable Electronic equipment installed
in a grounding system designed for electrical technology may not be appropriate.
B.7.2.3 For ungrounded systems, consider using ground fault detection relays and alarms as
appropriate.
B.7.2.4 Note that electrical or electronic technologies may integrate Programmable Electronic into
their equipment to enhance performance through improved communication, diagnostics, human-
machine interfaces, etc. In those cases, treat the grounding as if it is Programmable Electronic
grounding, unless vendor installation guidelines dictate a different approach.
B.7.2.5 The grounding system should meet the manufacturer’s recommendations. Deviations
should have safety review and analysis.
68 ANSI/ISA-S84.01-1996
B.7.3 Pneumatic power
B.7.3.1 Instrument air (or other gas) is typically used with final elements such as control valves.
The solenoid valve acts as an electrical to instrument gas relay. The instrument gas should be
filtered, dried, and continuously monitored to assure proper pressure is maintained, and the system
should be backed up to attain the uptime required to meet the reliability.
B.7.4.1 Hydraulic power is typically used where high motive force is required, such as very large
valves.
B.8.1 Common cause faults can be caused by a single (non-redundant) component or by system-
atic errors in redundant components.
ANSI/ISA-S84.01-1996 69
B.8.3 Common cause faults or systematic errors may be reduced during design using appropriate
fault avoidance measures. Consider using the following methods:
a) Provide supplier with application-specific information (e.g., codes, model number(s),
etc.)
b) Verification
c) Diverse separation
d) Diverse redundancy
e) Identical redundancy
f) Identical separation
B.8.4 A number of functionally separate SIS may share the same environment, cabinet, operator
interface, and maintenance/engineering interface. These separate systems may however require
physical separation of power and logic solver to accomplish testing maintenance or modification.
The impact of these activities should be considered during system layout.
B.9 Diagnostics
B.9.1.1 Diagnostics are tests performed periodically and automatically to detect covert faults that
prevent the SIS from responding to a demand (see ISA-dTR84.02 for further guidance).
B.9.1.2 Various types of faults that can occur are included in Table B.9.1:
Faults that immediately disable the capability of the SIS to Stuck-on or stuck off of a critical output
respond to a demand (critical faults) point
Faults that in combination with other faults disable the Diagnostic of a critical output point not
capability of the SIS to respond to a demand (potential performed
critical faults)
Faults initiating a safe response of the SIS without a demand Spurious trip due to a component fault
Faults that have no impact on the capability of the SIS to Burned out, not critical LED
respond to a demand (benign faults)
B.9.1.3 A covert fault in a system may prevent the SIS from responding to a demand. This can
be the first fault in a single channel system or a combination of faults in a multi-channel system.
Therefore it is important to not only discover critical faults but also potentially critical faults before
they accumulate.
70 ANSI/ISA-S84.01-1996
B.9.1.4 Faults can result in two types of failures:
a) Random failures, a spontaneous failure of a component
b) Systematic failures (or errors), a hidden fault in design or implementation
B.9.1.5 Hardware is prone to random failures, but can also have systematic failures (incorrect
timing, components used outside their specified range, etc.).
B.9.1.6 Software is generally free of random failures, but has a high probability of systematic
failures. Once a systematic failure becomes overt, it can be corrected and will cease to exist.
B.9.1.7 Random failures occur spontaneously. Depending on the persistence of the fault over
time two conditions are possible:
a) Permanent random faults persist until they are repaired.
b) Dynamic random faults (cross-talk, thermal faults, etc.) occur under certain
circumstances and disappear.
B.9.2.2 An inherently safe response to a fault may replace the requirement for a diagnostic for
that fault. However, a so called "safe" design of a component may not always result in a safe
response of the SIS, as this is application specific.
B.9.3.1 A particular diagnostic technique is usually less than 100% effective in detecting all possible
failures. An estimate of the "effectiveness" of the diagnostics used may be provided for the set of
failures being addressed.
B.9.3.2 Improved diagnostic coverage of the SIS may assist in satisfying the requirements of the
target Safety Integrity Level. Specific failure modes that may be covered by diagnostics are listed
in Table B.9.2. This or a similar list of failure modes may be needed to identify those areas where
diagnostic coverage is required.
B.9.3.3 Critical and potentially critical faults (like faults to CPU / RAM / ROM ...) will inhibit almost
the entire processing of data and are therefore more far reaching than a fault of a single output
point. The coverage requirements for these kind of faults are therefore stricter. Additionally, failure
modes that carry a high failure probability have to be detected with more confidence. Further, the
detectability of failure modes has to be taken into account - failure modes that are detectable using
simple means should be implemented whenever possible.
ANSI/ISA-S84.01-1996 71
B.9.3.4 For each diagnostic implemented, the following should be identified:
a) Testing interval
b) Resulting action on fault detection
c) Both criteria should meet the Safety Requirement Specifications
B.9.3.5 Where certain diagnostics are not "built-in" to the vendor-supplied equipment, appropriate
diagnostics may be implemented at the system or application level.
B.9.3.6 Diagnostics may not be capable of detecting systematic errors (like software bugs).
However, appropriate precautionary measures to detect possible systematic faults may be
implemented.
B.10.1.1 Many common cause failures of field devices may be avoided by properly applied re-
dundancy and/or diversity. One example is an application requiring redundant sensors using
different principles of operation and/or different manufacturers.
B.10.1.2 Two analog sensors, two discrete sensors (switches), or one of each could be selected.
If one analog device and one discrete device are selected to provide diversity, as opposed to two
analog devices, the advantage of continuous comparison of signals is lost. Proper operation of
the discrete device can only be verified by testing or the occurrence of a process demand. If two
analog devices are selected, they can be continuously compared. This comparison significantly
reduces Mean Time To Detection of failure thus providing more available protection.
B.10.1.3 The following SIS considerations related to field devices may enhance the application
of field devices:
a) Continuously compare redundant sensors while system operates (e.g., alarm or shut
down on unacceptable deviation)
72 ANSI/ISA-S84.01-1996
b) Compare flow or other related variables to modulating valve position
c) At each shutdown, compare sensor readings with known shutdown conditions and each
other (e.g., use these comparisons as permissives for the next startup. This reduces
Mean Time To Detection of field device failures. This applies also to valve positions
monitored by limit switches.)
d) If SIS has a built-in feature that displays the last good value on a bad value of the field
sensor, this feature should be defeated (For SIS applications the signal should be
permitted to go to its extreme value)
e) Feedback to alarm when a final element fails to go to its commanded state
f) Alarm if field devices change state without a command from the SIS
g) Vendors MTBF data
h) Predictability of failure modes
i) Performance following long periods in the same position
j) Avoid using measurements outside the accuracy limit of the sensors (e.g., accuracy/
turndown; for example, where zero flow is to be verified, a flow sensor should not be
used)
k) Identification (typing, color code, etc.)
l) With analytical measurements, try to design the system to provide a comparison
between analytical readings and related basic measurements such as pressure,
temperature, etc.
B.10.2.1 Essentially all field devices have three failure states - their extreme states or somewhere
in between.
Sensors: upscale, downscale, on scale
Current/voltage alarm trips: current/voltage alarm trips convert current and voltage (e.g.,
4 - 20 mA or 0 - 10 V DC) analog inputs into discrete signal outputs. The trip value is field
adjustable. These switches have unsafe failure modes; appropriate analysis and design features
should be provided to ensure safe operation.
Valves: open, closed, partially open
Relays: coil inoperative, contacts held in their "normal" positions, contacts welded closed,
contacts worn resulting in high resistance/restricted current flow, and stuck
armature
B.10.2.2 Given these failure modes, consider selecting components with built in features that drive
the device to one of its detectable extremes in a high percentage of its failure modes.
ANSI/ISA-S84.01-1996 73
c) carefully review process/ambient conditions that could effect the filling/emptying of
impulse lines;
d) verify seal liquids in diaphragm seal applications for resistance to amalgamation,
freezing, polymerization, all of which can cause false readings;
e) devices that are selected to achieve diversity should have sufficient reliability to meet
system reliability requirements or alternate approaches to diversity should be
considered; and
f) carefully weigh the use of devices that are foreign to a plant’s maintenance organization.
B.10.3.2 A minimum number of shutoff valves should be employed between the process and a
sensor in SIS service. Each sensor requiring a process shutoff should have its own dedicated
connection and valve (see Reference C.1, Figure 5.11).
B.10.4.1 Some considerations in the application of valves used as final control elements include
a) opening/closing speeds;
b) shutoff differential pressure in both directions of flow;
c) leakage (degree of shutoff requirements);
d) fire resistance — body and actuator;
e) performance following long periods in the same position;
f) where it will meet the requirements, consider the use of a modulating control valve as
one of the final valve elements since the proper operation of the control loop verifies
the valve is not stuck in a single position;
g) do not compromise reliability to achieve diversity;
h) materials suitability/comparability;
i) carefully weigh the use of devices that are foreign to a plant's maintenance organization;
j) fail position considerations; and
k) valve position indication.
74 ANSI/ISA-S84.01-1996
f) some solenoids are mounting position sensitive — consider installation detail
requirements; and
g) solenoid vents should have protection against plugging, dirt, insects, freezing, etc.
B.10.4.3.1 In general, redundant motor starters are not used. Redundancy is applied in the form
of contacts in the control circuit. Auxiliary contacts may be fed back to the SIS to verify starter
status (position).
B.11.1.1.1 Video displays may share safety and process control functions. A BPCS, or other
computer-based control system, through its normal operator displays, may provide the sole oper-
ator interface to a SIS.
ANSI/ISA-S84.01-1996 75
B.11.1.1.2 SIS data displayed to the operator should be updated and refreshed at the rate required
to communicate between the operator and the SIS during emergency conditions so safe
response(s) can be attained.
B.11.1.1.3 Displays relating to the SIS should be clearly identified as such, avoiding ambiguity or
potential for operator confusion in an emergency situation. Operators should have easy access
to safety-related displays, preferably by a single key-stroke or touch-screen stroke giving entry into
a display hierarchy.
B.11.1.1.4 Give the operator enough information on one display to rapidly convey critical
information. Display consistency is important. Provide the same access methods, alarm
conventions, and display components as are used in the non-safety-related displays.
B.11.1.1.5 Display layout is also important. Too much information on one display may lead to
operators misreading data and taking wrong actions. Use colors, flashing indicators, and judicious
data spacing to guide the operator to important information and to reduce the possibility of
confusion. Messages must be clear, concise, and unambiguous.
B.11.1.1.6 The operator interface and associated system (such as a Distributed Control System)
may be used to provide automatic safety-related event logging and alarming functions. Conditions
to be logged should include SIS events (such as trip and pre-trip occurrences), whenever the SIS
is accessed for program changes, and diagnostics.
B.11.1.2 Panel(s)
B.11.1.2.2 Arrange panel to ensure that the layout of the push buttons, lamps, gauges, and other
information is not confusing to the operator. Shutdown switches for different process units or
equipment that look the same and are grouped together may result in the wrong equipment being
shut down by an operator under stress in an emergency situation. Physically separate the shutdown
switches and boldly label their function. Provide means to test all lamps.
B.11.1.3 Printer(s)
B.11.1.3.1 Printers connected to the SIS should not compromise the safety function if the printer
fails, is turned off, is disconnected, runs out of paper, or behaves abnormally.
B.11.1.3.2 A SIS connected to a BPCS may use BPCS facilities to perform its safety-related
logging and reporting functions.
B.11.1.3.3 Printers are useful to document Sequence Of Events (SOE) information, diagnostics,
and other safety-related events and alarms, with time and date stamping and identification by tag
number. Report formatting utilities should be provided.
B.11.2.1 Maintenance/Engineering interfaces consist of means to program, test, and maintain the
SIS. Interfaces are devices used for functions such as:
a) System hardware configuration
76 ANSI/ISA-S84.01-1996
b) Application software development, documentation, and downloading to the SIS, logic
solver
c) Access to application software for changes, testing, and monitoring
d) Viewing SIS system resource and diagnostic information
e) Changing SIS security levels and access to application software variables
B.11.2.3 Maintenance/Engineering Interfaces should provide means for copying application pro-
grams to storage media.
B.12 Security
B.12.1 General
B.12.1.1 Means should be provided to control access to SIS including the logic solver, SIS main-
tenance interfaces, test and bypass functions, SIS alarms, sensors, and final elements. The access
protection may be in the form of locked cabinets, "read only" communication, access codes, pass-
words, administrative procedures, etc.
B.12.1.2 For guidance in the application of these options see Reference C.1, Section 6.1.9.
B.12.2 Exceptions
Protection against the following are beyond the scope of this annex:
a) Malicious modification
b) Modification errors
B.12.3.1 Access control and security may be provided by a combination of application logic and
host functions for any SIS user-interface device that could interfere with performance of the safety
function:
a) Parameters that are appropriate for operator interaction should be accessible.
b) Parameters that may be changed on-line with appropriate review should come under
access control.
c) Parameters or functions that require validation after change should be accessible only
off-line.
B.12.3.2 The ability to restrict access to the SIS operating mode, program, and data should be
an integral feature of the SIS.
ANSI/ISA-S84.01-1996 77
B.13 Wiring practices
B.13.1 Wiring practices should meet the manufacturers’ recommendations and NEC requirements.
Deviations should have safety review and analysis.
B.13.4 Electronic and programmable electronic logic solvers use internal low level logic signals.
Use of low level logic outside the shielded controller cabinet may be inappropriate.
B.13.5 Electronic and programmable electronic logic solvers may require a more restrictive wiring
approach because inductive or capacitive coupling may falsely turn on inputs.
B.13.6 Use caution when using solid state inputs or outputs because leakage current may falsely
actuate final control elements.
78 ANSI/ISA-S84.01-1996
B.14 Documentation
B.14.1 A list of the documentation that may be used to implement a SIS, includes the following:
a) Safety Requirement Specifications
b) Application logic
c) Design documentation
d) Commissioning Pre-Startup Acceptance Test procedure(s)
e) SIS operating procedure(s)
f) SIS maintenance procedure(s)
g) Functional test procedure(s)
h) Management of Change documentation
i) Qualitative or quantitative verification that the SIS meets the SIL
B.14.2.1 A backup technique allows the entire system to be restored to operation as quickly as
possible. These techniques may include one or several of the following:
a) Copy to a removable medium such as magnetic tape or disk which can be copied back
b) Copy to a removable medium which can be used as a disk replacement for a corrupted
PES
c) Copy to an on-line device (e.g., disk) used to backup
d) A communications link with another digital system
B.14.2.2 Consider maintaining a separate backup for data that is accumulated by the application
software to generate reports, records, and trends.
See 9.7 for mandates related to functional testing. The following is guidance, which may be used
to determine the functional test interval.
B.15.1 The frequency of functional tests should be consistent with applicable manufacturer’s
recommendations and good engineering practices, and more frequently if determined to be
necessary by prior operating experience.
B.15.2 The functional test interval should be selected to achieve the Safety Integrity Level (SIL).
B.15.3 ISA-dTR84.02 illustrates various methods to determine the functional test interval.
ANSI/ISA-S84.01-1996 79
Annex C (Informative) — Informative references
NOTES
1. Utilize latest edition of the reference.
2. In case of conflicting information, ISA-S84.01 takes precedence.
3. Within the body of the text and the Index, references are cited by the reference numbers (in
italics and brackets) given below.
[Ref. C.13] Guidelines for Chemical Process Quantitative Risk Analysis, New York, 1989
[Ref. C.14] Guidelines for Hazard Evaluation Procedures, New York, 1985
[Ref. C.1] Guidelines for Safe Automation of Chemical Processes, New York, 1993
[Ref. C.15] Knowlton, R. Ellis, An Introduction to Hazard and Operability Studies, 1988
ANSI/ISA-S84.01-1996 81
INTERNATIONAL ELECTROTECHNICAL COMMISSION (IEC)
[Ref. C.8 & C.9] Parts 1-7 IEC draft Publication 1508-1995, Functional safety of
electrical/electronic/programmable electronic safety-related systems
NOTE — IEC draft Publication 1508 is in development; for more information, contact your
national committee.
[Ref. C.7] IEEE 518-1982, RA-1990 Guide for the Installation of Electrical Equipment
to Minimize Electrical Noise Inputs to Controllers
from External Sources
ISA
82 ANSI/ISA-S84.01-1996
MCGRAW-HILL, INC.
[Ref. C.16] Dictionary of Scientific and Technical Terms, fifth edition, 1993
Available from: UL
333 Pfingsten Road
Northbrook, IL 60062 Tel: (708) 272-8800
[Ref. C.10] Risk Control and Instrument Protective Systems in the Process Industries,
Warrington, UK, 1980
ANSI/ISA-S84.01-1996 83
UNITED STATES CODE OF FEDERAL REGULATIONS (CFR)
84 ANSI/ISA-S84.01-1996
Annex D (Informative) — Example
This example problem is provided as an aid to illustrate how a user company might apply this
standard to design a Safety Instrumented Systems (SIS). The example problem is maintaining a
level in a process surge tank in the KIS2 Corporation. The results of the KIS2 Process Hazards
Analysis (PHA) that was conducted on this vessel is an input to this example problem.
The information provided in Annex D is intended to illustrate the thought process in designing a
SIS and the relationship of each step to this standard. References to the standard and the
appropriate annexes are provided in parentheses ( ), and in addition, exact extractions from the
normative portion of this standard are shown in italics. It is necessary to read the complete
annex to understand how all design issues are addressed.
Because of the amount of detail that is required to achieve a high-integrity safety design, this
example includes a number of simplifications. The specific design choices made in this example
do not reflect practices associated with any particular company and are not intended to be the
only possible choices. This example does provide guidance to users on how to implement this
standard.
It is expected that each company will have guidelines that address the methodology that should
be used in arriving at their own particular solution. The final design, by whatever methodology
used, should meet the specified Safety Integrity Level (SIL).
The figures and guidance provided in Annex D are an overview of what is needed and do not
provide the detail necessary to specify, design, install, and maintain a SIS.
This example reviews the development of the Safety Requirement Specifications (Clause 5),
addresses the issues in SIS Conceptual Design (Clause 6), and briefly touches on Detail Design
(Clause 7). Subsequent functions (Commissioning, Pre-Startup Acceptance Test, Maintenance,
etc.) are not addressed except as they pertain to the design of the SIS.
ANSI/ISA-S84.01-1996 85
D.3.1.1 Process information description (5.2.1)
Process information description (dynamics, sensors, final elements, etc.) of each potential
hazardous event that requires a SIS (Reference C.6).
The process as shown in Figure D.1 contains hot wash water with varying amounts of flammable
organics and other hazardous chemicals.
The level inside the process surge tank must be maintained. The level is sensed and transmitted
by a level transmitter (LT-1) to a controller (LC-1) which in turn regulates the position of a control
valve (LV-1) by transmitting a 4 - 20 mA signal to a current-to-air transducer (I/P-1). The tank
(1-101) is provided with a relief valve to prevent over-pressure due to overfilling or fire. The relief
valve discharges directly to the atmosphere.
If the relief valve discharges, the resulting spray could cause serious personnel injury due to the
hazardous chemicals inside the tank. In addition, since the fluid is also flammable, the potential
for a fire or explosion exists, which could also result in serious injury to personnel.
The PHA team has identified two possible causes of an overfill event in the tank:
a) LV-1 fails in an open position due to foreign material in the pipeline.
b) LT-1 fails indicating a low level which causes the level controller to open LV-1.
Although the instruments in service (LT-1, LC-1, and LV-1) have been reliable in the past, the
PHA team believes that due to the number of safety issues involved, additional safeguards
should be added to reduce this risk.
86 ANSI/ISA-S84.01-1996
One possibility would be to eliminate the relief valve. However, this option is barred by the ASME
Code and could lead to a catastrophic failure of the tank in the event of over-pressure due to an
external fire. Another option is to install a catch tank on the line from the relief valve. An alarm
could be provided to indicate the presence of a liquid in the tank, which would in turn indicate that
Tank 1-101 has overflowed. In this particular case, the PHA team is very concerned about
contamination in the catch tank, pluggage of the overflow line, and also believes that the catch
tank could overflow. This option was rejected. Since an intrinsic safety fix is not easy and/or may
create additional safety problems, a SIS will be installed.
D.3.2.1 The process safe state is to shut off all raw material feeds into Tank 1-101.
D.3.2.2 Process inputs to the SIS and their trip points (5.3.2)
All feeds to the tank are to shut off when the level reaches ninety percent.
D.3.2.4 Process outputs from the SIS and their action (5.3.4)
Redundant (1oo2) shutoff valves are required, one of which is shared with the BPCS (LV-1).
Both valves are to fail closed.
D.3.2.5 Functional relationships between process inputs and outputs, including logic, math
functions, and any required permissives (5.3.5)
For complex control system functional relationships, logic diagrams are provided and in some
cases may have to be supplemented with text to properly communicate the functional
requirements. In this example, the logic is so simple a P&ID with narrative is sufficient.
ANSI/ISA-S84.01-1996 87
D.3.2.7 Considerations for manual shutdown (5.3.7)
Manual push buttons and a panel mounted alarm will be provided so that the operators can
shutdown the flow in the event that the SIS fails or the operator observes some other unusual
condition.
D.3.2.9 Response time requirements for the SIS to bring the process to a safe state (5.3.9)
Since the tank fills slowly, response time for this SIS to function upon detection of high level is
adequate.
88 ANSI/ISA-S84.01-1996
D.5 Conceptual design (6.0)
g) Power sources
The electrical and pneumatic system power sources required for this batch process
shall be provided using good engineering practices. This shall include
1) dedicated power source from a separately derived system (Reference C.5,
Sections 250-5 and 250-26);
2) power sources capable of being individually maintained;
3) power sources with no common mode failure mechanisms due to failure of
non-related power sources (except the main power source header); and
4) grounding using good engineering practices.
An Uninterruptible Power Supply is not required because of the high system reliability
experienced with the plant electrical power system.
ANSI/ISA-S84.01-1996 89
h) Common cause
Sensors and valves selected to reduce chemical buildup problems.
i) Diagnostics
Limit switches on the shutoff valve will be used to compare the position of the valve with
the signal from the logic solver. If they don’t agree, the operator will be notified (by an
alarm and/or printer) that there is an equipment failure.
j) Field devices
Smart transmitters shall be utilized for all process measurements.
k) User interface
User interface shall be panel-mounted alarm panel, manual reset switch, and manual
shutdown switch.
l) Security
The KIS2 facility is secure. The SIS logic solver shall be located in the equipment
control room.
The SIS sensors and final control elements are red tagged (in addition to standard
identification) to note their safety functional status to plant personnel.
All smart transmitter communication to the SIS logic solver shall be write protected to
prevent changing the transmitter settings while on-line.
Any communication link between the SIS and the BPCS shall be write protected to
prevent inadvertent program changes to the SIS from the BPCS.
m) Wiring practices
The wiring shall be in accordance with the National Electrical Code (Reference C.5),
local codes and regulations, and SIS equipment supplier guidelines.
Two separate raceway systems, one for electrical power (e.g., 120/240V) and one for
instrument signal (e.g., 4 - 20 mA) shall be provided.
SIS wiring can use the same terminal box as BPCS wiring, but clearly identified
separate terminals shall be provided for all SIS wiring.
n) Documentation
Compliance with OSHA 29 CFR 1910 documentation requirement is mandatory.
o) Function test interval
The SIS shall be tested once a year.
90 ANSI/ISA-S84.01-1996
D.6.2 General requirements (7.2)
KIS2 Corporation has developed corporate guidelines for the detail design of SISs. The
architecture is selected using KIS2 corporate guidelines and the information developed. The
conceptual design is shown in Figure 2.
Using the Safety Requirement Specifications, the SIS Conceptual Design requirement, and
internal KIS2 corporate guideline, the SIS can now be designed.
Using these documents, the final design is reflected in Figure D.2.
ANSI/ISA-S84.01-1996 91
Annex E (Informative) — Index
1
1oo1 28, 66, 89
1oo2 22, 28, 58, 66, 87, 89
2
2oo3 22, 28, 58, 63, 66
A
abnormal stress 69
AC transfer time 67
access 33, 35, 65, 76, 77
access method(s) 76
accuracy 37, 73
Accuracy of calibration 37
achitecture(s) 66
actuator 74
adequacy of current risk controls 53
adhere 38, 42, 59, 87
administrative controls 39
administrative procedure(s) 20, 77
aeronautical 4
air 19, 66, 69, 74, 86, 88
air conditioning 34
air filtration 34
alarm convention(s) 76
alarm systems 17
alarm(s) 32, 33, 35, 40, 48, 53, 66, 68, 72, 73, 76, 87, 88, 90
algorithm(s) 72
alternate 32, 59, 67, 74
ambient 74
ambiguity 76
American National Standards Institute (ANSI) 44
amplifier(s) 75
amplitude 63
analog 57, 62, 63, 66, 72, 73
analog devices 72, 73
analytical measurement(s) 73
annunciator(s) 66, 75
anti-surge control 18
application program(s) 18, 19, 22, 59, 79, 89
application software 18, 22, 30, 33, 35, 42, 59, 60, 77, 79
application specific 70, 71
appropriate technology 25
arc suppression 61
architecture(s) 18, 19, 26, 28, 29, 58, 63, 66, 89, 91
armature 64, 73
as-found 41
as-left 41
assessment 46
authorization requirements 42
ANSI/ISA-S84.01-1996 93
automated 15, 20
automatic 30, 32, 71, 76
automatic reset 30
automatic transfer 67
automatically restart 31
auxiliary contact(s) 75
availability 18, 42, 48, 68
avionics 43
B
backed up 69
backup 64, 67, 79
barrier 64
basic events 53
Basic Process Control System(s) (BPCS) 16, 18, 20, 22, 30, 31, 36, 46
batch # 30
battery(ies) 39, 67
benign faults(s) 70
boundaries 15
brown outs 68
buffer 65, 76
buffered 76
bug 35
bug-reporting 60
built-in test(s) 71
bypass 56
bypassed 32, 39
bypassing 18, 35, 39
C
C.1 30, 38, 47, 51, 54, 59, 69, 74, 77, 81, 87
C.2 48, 82
C.3 66, 82
C.4 61, 83
C.5 30, 68, 83, 89, 90
C.6 15, 82, 86
C.7 78, 82
C.8 13, 82
C.9 13, 82
C.10 83
C.11 41, 45, 46, 84
C.12 19, 84
C.13 54, 81
C.14 48, 81
C.15 48, 81
C.16 68, 83
cabinet wiring 78
cabinet(s) 70, 77, 78
calculation 22, 63
calibration 33, 39, 64, 65, 69
capacitive 78
cathodic protection 68
caution 63, 78
Central Processing Unit (CPU) 62
certified 60
certify 40
channel(s) 22, 58, 64, 70
checklist 67, 68, 69
chronic health effects 17
circuit common(s) 78
94 ANSI/ISA-S84.01-1996
closed 61, 64, 73, 87
coating 27
code(s) 16, 17, 30, 70, 77, 87, 90
coil 61, 64, 73
coking 31
color code 73
color(s) 76
commands 60
commissioning 13, 26, 36, 37, 45, 79, 85
common cause 18, 28, 67, 78, 90
common cause failure(s) 18, 27, 29, 55, 67, 72, 87
common cause fault(s) 18, 19, 28, 58, 69, 70
common components 57
common elements 28
common logic 28
common mode 64
common mode failure mechanisms 89
common mode failures 61
communication(s) 18, 30, 32, 33, 56, 57, 58, 59, 63, 64, 65, 66, 68, 77, 78, 79, 90
company guidance 51
competence of persons 45
complex 47, 54, 62, 63, 87
Complimentary Metal Oxide Semiconductor (CMOS) 62
compressor 18
computational 40, 63
conceptual design 29, 66, 89, 91
conceptual process design 23, 25, 45
conditioner(s) 75
cone of protection 68
configuration 19, 33, 57, 76
conformance 20, 36
confusion 76
consequence analysis 48
consequence(s) 19, 25, 48, 49, 51, 52, 53
consequences only method 47, 51
conservative 47, 52
contact 61, 64, 73, 75
contact-wetting 61, 75
contaminants 34, 69
continuous 63, 72
continuous mode 43
control and safety functions 55, 57
control valve(s) 32, 69, 86
coordination 67
coriolis flow 58
corrosion 27, 31, 58, 64, 68, 69
cost 52
coverage 18, 71
covert 35
covert failure mode 30
covert failure(s) 30
covert fault(s) 18, 30, 39, 63, 70
covert mode 63
criteria 47, 48, 59, 61, 72, 73
Critical 71
critical 32, 61, 62, 68, 70
critical faults 70, 71
critical information 76
cross-talk 71, 78
CRT 32
current 31, 38, 53, 64, 67, 68, 73, 75, 78, 86
customers 35
ANSI/ISA-S84.01-1996 95
D
decommissioning 18, 21, 23, 26, 43, 46
dedicated power source 33, 89
dedicated wiring 31
de-energize(d) to trip 19, 27, 66, 67, 87
de-energized 19, 61
defects 39
definitions 3, 18
degradation 32
demand 19, 20, 39, 43, 56, 70, 72, 76
demand mode 43
demand rate 41
design considerations 29, 55, 67
designer 58
detail design 36, 85, 90, 91
detectability 71
detectable 19, 71, 73
detected faults 39
detection 19, 35, 67, 72, 73, 88
diagnostic coverage 18, 19, 60, 66, 71
diagnostic fault detection 25, 48
diagnostic testing 59
diagnostic(s) 28, 29, 32, 33, 40, 63, 66, 67, 68, 70, 71, 72, 76, 77, 88, 90
diagram 15
differences 4, 13, 34, 43
digital 19, 79
digital timer 62
direct-wired 60
direct-wiring 62, 63
dirt 75
disabling 33
discrete 21, 57, 72, 73
discrete input/output 31
discrete sensor(s) 31, 60, 72, 75
disk(s) 79
display(s) 37, 53, 73, 75, 76, 77
distributed control system 63, 76
diverse 19, 21, 25, 29, 66
diverse redundancy 21, 58, 59, 66, 70
diverse separation 21, 55, 56, 57, 66, 70
diversity 72, 73, 74
document control procedure 42
document(s) 13, 25, 26, 27, 30, 36, 41, 42, 76, 91
documentation 13, 22, 29, 33, 37, 38, 40, 42, 45, 46, 53, 57, 77, 78, 79, 90
downscale 64, 65, 73
drain wire 78
dropout 61
dTR84.02 3, 13, 48, 63, 66, 70, 79, 82
duty cycles 62
dynamic random fault(s) 71
dynamics 27, 86
E
electrical area classification 34
electrical fault 22
electrical noise 67, 78
electrical technology 60, 68
Electrical/Electronic/Programmable Electronic System (E/E/PES) 15
Electro Magnetic Interference (EMI) 34, 67
electromechanical 19
96 ANSI/ISA-S84.01-1996
electromechanical devices 61
electromechanical relay 19
electromechanical relay(s) 15, 61, 62, 64
electronic technology 62
electrostatic discharge 34
embedded software 19, 22, 35, 59
emergency 26, 76, 88
Emergency Shutdown System 21
end-of-line detection 71
energize(d) to trip 19, 27, 31, 66, 67, 87
equipment reliability 53, 66
equipment under control 18, 21, 46
event logging 76
explosive 53
external risk reduction 45, 46
factory floor 75
fail position 74
fail-safe 19, 61, 62
failure mode(s) 29, 61, 63, 64, 65, 66, 71, 73, 89
failure rate(s) 29, 41, 53, 56, 63, 66, 89
failure state(s) 73
failure to function on demand 35
false 53, 63, 74
false shut down 22
falsely 78
fault avoidance 70
fault detection 72
fault source 58
fault tolerance 19, 58, 63
fault tree analysis 47, 53
fault tree logic diagram 53, 54
fault tree(s) 53, 54
fault type(s) 70
feedback 73
fiber optic(s) 33, 78
field control element(s) [See field device(s).]
field device(s) 19, 21, 29, 31, 36, 69, 72, 73, 75, 90
field element(s) [See field device(s).]
field sensor(s) 55, 73
field wiring 19
fieldbus 17, 31
fire and gas detection systems 31
fire and gas monitoring systems 17
fire resistance 74
firmware 19, 22, 41, 58, 59
fixes 59
flooding 34
flow 49, 53, 73, 74, 88
fluid 69, 86
forcing 19, 35
foreign 74, 86
formal revision and release control program(s) 30, 34, 35
formatting utilities 76
fouling 69
freezing 31, 74, 75
frequency 34, 39, 54, 62, 67, 79
frequency of occurrence 30, 53, 54
frequency(s) of testing 39
fuel/air controls 18
functional description 22
ANSI/ISA-S84.01-1996 97
functional test interval 29, 35, 79
functional test procedure(s) 40, 79
functional test(s) 22, 36, 39, 79
functional testing 19, 26, 35, 39, 40, 79
functional testing procedures 40
fuse(s) 39, 67, 78
hands on 47
hardware 18, 19, 22, 30, 33, 58, 59, 69, 71, 72, 76
hardware degradation 39
hardware fault(s) 22, 58, 60
hard-wired 19, 57
hard-wired logic 15
harm 51
harmonics 67
hazard and risk analysis 45, 46
hazard(s) 16, 19, 20, 25, 37, 44, 48, 53
hazardous 28, 37, 39, 86, 87
hazardous area classifications 30
hazardous event(s) 19, 25, 27, 48, 51, 53, 86
HAZOP 53
heaters 18
hermetically sealed 61
hidden fault(s) 71
High Noise Immunity Logic (HNIL) 62
high pressure 48, 49, 50, 51, 52, 53, 54
highly recommended 45
historical data 39
horns 32
host 18
host functions 77
human actions 20
human machine interface(s) 17, 28, 69, 88
humidity 34, 69
hybrid 60
hydraulic power 66, 69
hydraulic(s) 16, 60
98 ANSI/ISA-S84.01-1996
I
identical 21
identical redundancy 21, 29, 66, 70
identical separation 21, 29, 55, 56, 57, 70
IEC 3, 4
IEC draft Publication 1508 3, 4, 13, 43, 44, 45, 46
impedance 71
incident cause 27
indeterminate failure modes 62
indicating lights 32
indicators 33, 75, 76
inductive 61, 78
industry 4
industry sectors 4
industry standards 60
inherently 61
inherently safe 71
inhibit 39, 71
initiating event(s) 51, 52, 54
injury 19, 86
input requirements 85
input/output devices 28, 75
input/output modules 20, 21, 30, 71, 77
inrush current 67, 68
insect(s) 75
inspection(s) 40, 41
installation 13, 26, 36, 37, 46, 63, 68, 75
instrument gas 69
insulation 67
integration 20
interface(s) 15, 20, 30, 32, 33, 66, 68, 75, 76, 77
interlock(s) 30, 56
internal 18, 30, 63, 67, 78, 89, 91
internal communication 18
intrinsic safety barrier 68
ISO 9000 45
isolation 64, 65, 78
keyboard 60
label(s) 76
lamp(s) 75, 76
latching 62
laws 16
layers 20, 51, 60
layout 70, 76
leakage 74, 78
legislation 41
level controller 56, 86
level of risk 25
level of safety 46, 48
level sensor 56, 87
life cycle 48, 57
ANSI/ISA-S84.01-1996 99
lightning 67, 68, 78
limited time window 58
limiting access 57
local factors 51
locking 62
log 46
logged 76
logic diagrams 53, 87
logic function(s) 19, 33, 61
logic solver(s) 15, 16, 20, 21, 30, 31, 39, 49, 56, 57, 58, 66, 70, 77, 78, 88, 89, 90
loop # 41
low energy 61, 75
low pressure 48, 49, 53
lubrication 39, 69
magnetic tape 79
maintenance 20, 22, 26, 28, 30, 33, 35, 38, 39, 46, 47, 57, 69, 70, 74, 77, 85, 88
maintenance costs 53
maintenance procedures 25, 26, 37, 39, 79
maintenance program 38
maintenance/engineering interface(s) 18, 32, 33, 70, 75, 76, 77
major criteria 52
major severity 52
malicious modification 77
management 16, 45
Management of Change (MOC) 22, 26, 41, 44, 45, 46
Management of Change (MOC) documentation 79
Management of Change (MOC) procedure(s) 26, 43
manual mode 53
manual reset 30, 90
manual shutdown 27, 37, 88, 90
manual trip 40
manufacture 13, 20, 58
manufacturer 20, 30, 35, 59, 68, 72, 78, 79
material(s) 4, 20, 31, 61, 74, 86, 87
math functions 27, 62, 87
mathematical analysis 20
matrix method(s) 47
mature 60
mature technology 61
Mean Time Between Failures (MTBF) 22
Mean Time To Detection (MTTD) 72, 73
Mean Time To Failure (MTTF) 22, 30
Mean Time To Repair (MTTR) 22
measure(s) 3, 17, 33, 45, 57, 58, 70, 72
measurement(s) 58, 62, 73, 90
medium 51, 79
memory 19, 42, 65, 76
metallic covering 78
microcomputer 63
minimum level of independence 45
mitigate 19, 25, 37, 58
mode(s) 33, 43, 63, 77
modification errors 77
modification(s) 22, 25, 26, 31, 36, 41, 42, 46, 62, 70
modified HAZOP method 47, 52
modular design 59
modulating 73, 74
moisture 69
monitoring 17, 71, 77
motor driven timer(s) 15, 19, 62
100 ANSI/ISA-S84.01-1996
motor overload(s) 31
motor starter(s) 32, 75
motor(s) 39
mounting 74, 75
name(s) 40
National Electrical Code (NEC) 30, 78, 90
nested 60
network 33, 36
networking 63
NFPA 70 30
noise 64, 68
non-linear 67, 68
non-safety function 30
non-safety related display(s) 76
non-SIS protection layers 23, 25, 45
normal operating range 27
normal operation 19, 26, 87
normal operation range 87
not recommended 59, 63
Nuclear Industry 16
nuisance trip 22
numerical data 20
objective(s) 13, 17, 22, 25, 27, 36, 38, 41, 48, 89, 90
off-line 20, 42, 77
on scale 73
on-line 20, 35, 40, 42, 77, 79, 90
on-line testing 35, 40
open 53, 54, 56, 61, 64, 73, 86
operating conditions 60
operating experience 20, 47, 61, 79
operating limits 27
operating procedure(s) 35, 37, 38, 41, 42, 56, 79
operating system(s) 59
operational bypasses 38
operator action 17
operator error 53
operator interface(s) 18, 19, 32, 33, 66, 70, 75, 76
operator response 48, 51, 53
operator(s) 18, 32, 35, 46, 75, 76, 77, 88, 90
organization(s) 13, 45, 74
oscillator 62
OSHA 22, 38, 41, 44, 45, 46, 87, 90
output(s) [See input/output devices and input/output modules.]
output trip relay 40
overload 67
over-pressure 48, 49, 53, 86, 87
override(s) 19, 56
overt 63, 71
overt fault(s) 20, 28, 88
overvoltage(s) 68
owner/operator 17
ownership 47
oxidation 61
ANSI/ISA-S84.01-1996 101
P
102 ANSI/ISA-S84.01-1996
property damage 52, 53
property protection 17
protect against the consequences 53
protection layer(s) 20, 25, 31, 51
pulse counting 62
pulsed 63
pulsed electronic logic 63
purchase specification 16
purge 62
purpose(s) 17, 18, 21, 30, 51, 75
pushbutton(s) 66
radiated noise 78
raised floor grounding 68
Random Access Memory (RAM) 71
random failure(s) 71
read 31, 85
read only 57, 66, 77
read/write 31, 57, 58, 66
reading(s) 73, 74
read-write access 33
recipe 33, 63
redundancy 21, 25, 48, 58, 63, 66, 67, 72, 73, 75, 89
Redundant 87
redundant 22, 31, 56, 58, 59, 64, 69, 71, 75, 89
redundant sensors 31, 72
references [See Annex C page 81 and C.1 - C.16.]
regulation(s) 16, 22, 38, 44, 90
regulatory requirement(s) 27, 87
relay(s) 61, 63, 64, 68, 69, 73
reliability 21, 28, 58, 62, 66, 67, 69, 74, 89
reliability experience 56
relief valve 53, 86, 87
remote I/O 18, 31
repair 39, 88
repeatability 62
replacement in kind 21, 41
reporting 76
reset 21, 30, 38, 65, 88
reset function(s) 28, 37, 88
resistor-capacitor (RC) 62
Resistor-Transistor Logic (RTL) 62
resolution 60, 62
response action 28, 30, 88
response time 42, 88
response time requirements 28, 88
ANSI/ISA-S84.01-1996 103
response(s) 20, 35, 38, 64, 71
revise 43
revision level 59
rewiring 61
risk assessment 21, 23
risk control(s) 53
risk estimates 21
risk evaluation(s) 52
risk reduction 46, 48, 53
risk related 52
risk(s) 25, 42, 48, 52, 53, 86
ROM 57, 71
104 ANSI/ISA-S84.01-1996
shutdown switches 76, 88
shutoff valves 74, 87, 88, 89, 90
signal comparison 71
signal processing speed 75
signal to noise ratio 75
SIL 1 21, 32, 46, 52, 54, 55, 56, 57, 58, 66
SIL 2 21, 46, 51, 53, 54, 56, 57, 58, 66, 87, 88, 89
SIL 3 21, 25, 32, 46, 52, 54, 55, 56, 57, 58, 66
SIL 4 46
SIL determination method(s) 47
SIL performance 66
SIL selection 47, 52
simple 47, 61, 71, 87
simplicity 59
single point 68
SIS alarm(s) 38, 77
SIS applications 52, 61, 62, 63, 68, 73
SIS architecture 28, 66
SIS Conceptual Design(s) 26, 28, 85, 90, 91
SIS failure mode(s) 64
SIS performance 48, 57
smart sensors 31
software 3, 18, 19, 22, 30, 33, 35, 41, 42, 57, 58, 59, 60, 71, 72, 89
software bugs 72
software design 60, 69
software design considerations 29, 89
software error(s) 58
software fault(s) 19, 22, 35
software release(s) 59
software reliability 39
software revision 59
software switch 58
solenoid valve(s) 69, 74, 75
solid state 75, 78
solid state logic 15, 19, 62, 63, 64
solid state logic system(s) 63, 75
solid state relay(s) 15, 19, 62, 75
solid state system(s) 63
solid state timer(s) 62
special purpose(s) 19, 75
speed of response 40
spring(s) 61
spurious trip(s) 22, 28, 58, 66, 70, 88
Standards and Practices (S&P) Board 3, 7
startup 16, 26, 42, 53, 67, 73
static electricity 68
storage media 77
supplier(s) 30, 59, 70, 90
surge(s) 67, 68, 78, 85, 86
suspended solid(s) 31
switch(es) 57, 72, 73, 75, 88, 90
system software 22
systematic error(s) 69, 70, 72
systematic failure(s) 22, 41, 71
systematic fault(s) 55, 72
tag # 41, 76
tampering 62
target SIL 25, 48, 71
team 27, 47, 48, 52, 53, 54, 60, 85, 86, 87
technology selection 29, 89
ANSI/ISA-S84.01-1996 105
temperature 31, 34, 58, 64, 69, 73, 74, 78
terminology 43
test and bypass functions 77
test facilities 35, 78
test interval(s) 22, 37, 72, 90
test(s) 33, 35, 37, 40, 41, 60, 63, 66, 68, 70, 71, 72, 76
testing 13, 19, 25, 28, 30, 35, 38, 39, 40, 45, 48, 57, 59, 61, 66, 70, 72, 77, 88
thermal fault(s) 71
thermocouple(s) 71
third party(ies) 59
time(s) 4, 20, 21, 22, 26, 42, 51, 52, 55, 60, 62, 64, 65, 71, 72, 76
timer(s) 15, 61, 62, 64, 65
top event 53, 54
TR84.02 [See ISA-dTR84.02.]
track record 61
training 26, 38, 44, 69
transfer time 65
transient(s) 22, 68
transistor(s) 62
transmission 75
trip point(s) 27, 38, 63, 87
trip(s) 19, 22, 38, 40, 56, 73, 76
turndown 73
twisted pair 78
undervoltage(s) 68
ungrounded 68
Uninterruptible Power Supply (UPS) 67, 89
unreliable 61
unsafe failure mode(s) 56, 61, 62, 63, 73, 75
upscale 64, 65, 73
upset 53
upset cause 53
uptime 69
user approved 17, 22, 31, 41, 61, 62, 63, 77
user interface(s) 15, 29, 30, 66, 75, 77, 90
utility software 22, 30, 35, 59
validate(s) 66
validation 46, 77
valve(s) 39, 40, 49, 56, 69, 73, 74, 87, 88, 89, 90
variable(s) 33, 58, 73, 77
vendor(s) 22, 31, 39, 68, 72, 73
vent(s) 75
ventilation 34, 39
verification(s) 22, 26, 42, 45, 46, 70, 72, 79
verify 19, 28, 60, 74, 75
vessel rupture 53, 54
vessel(s) 49, 53, 85
vibration 34, 69
video display(s) 75
visible markings 30
voltage(s) 64, 67, 68, 73, 74, 75
volume 69
vortex flow 58
voting 22, 28, 32, 33, 66
106 ANSI/ISA-S84.01-1996
W
ANSI/ISA-S84.01-1996 107
Developing and promulgating technically sound consensus standards,
recommended practices, and technical reports is one of ISA’s primary
goals. To achieve this goal the Standards and Practices Department
relies on the technical expertise and efforts of volunteer committee
members, chairmen, and reviewers.
ISA is an American National Standards Institute (ANSI) accredited
organization. ISA administers United States Technical Advisory
Groups (USTAGs) and provides secretariat support for International
Electrotechnical Commission (IEC) and International Organization for
Standardization (ISO) committees that develop process measurement
and control standards. To obtain additional information on the
Society’s standards program, please write:
ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709
ISBN: 1-55617-590-6