AMERICAN NATIONAL STANDARD

ANSI/ISA–S84.01–1996

Application of Safety Instrumented Systems for the Process Industries

Approved 15 March 1997

COPYRIGHT 2003; The Instrumentation, Systems, and Automation Society

Document provided by IHS Licensee=Technip Abu Dabhi/5931917101, User=, 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584.


ANSI/ISA-S84.01 — Application of Safety Instrumented Systems for the Process Industries

ISBN: 1-55617-590-6 Copyright © 1996 by the Instrument Society of America. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the publisher. ISA 67 Alexander Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709


Preface

This preface as well as all footnotes, annexes, and draft technical report 84.02 (ISA-dTR84.02) are included for informational purposes and are not part of ANSI/ISA-S84.01. ISA-dTR84.02 was still in development at the time that ANSI/ISA-S84.01 was published; for information, contact ISA.

This standard has been prepared as part of the service of ISA, the international society for measurement and control, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards, recommended practices, and technical reports. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI and acceptable metric units in all new and revised standards to the greatest extent possible. The Metric Practice Guide, which has been published by the Institute of Electrical and Electronics Engineers as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

S84.01 has been developed with the intent that it will eventually become a part of a group of standards being developed by the International Electrotechnical Commission (IEC). This has resulted in a format and structure that may be somewhat different from previous ISA Standards. Some background information is, therefore, offered to assist the reader in better understanding the focus of S84.01.

IEC has commissioned the development of a set of international standards encompassing all aspects of safety systems for all industries. It is titled "Functional Safety: Safety-Related Systems." This effort is under the direction of IEC Technical Committee No. 65, Subcommittee 65A, Working Group 10. It is titled IEC draft Publication 1508 and is still in development but, as it exists today, there are seven parts:
• Part 1 - General requirements
• Part 2 - Requirements for Electrical/Electronic/Programmable Electronic Systems (E/E/PES)
• Part 3 - Software requirements
• Part 4 - Definitions and abbreviations of terms
• Part 5 - Guidelines on the application of Part 1
• Part 6 - Guidelines on the application of Parts 2 and 3


• Part 7 - Bibliography of techniques and measures

This work is to define requirements common to all industries. It is IEC's intent that there will then be additional standards developed to reflect specific requirements for the various industry sectors, such as nuclear, pharmaceutical, aeronautical, process, etc. IEC has commissioned a subcommittee, identified as IEC 1511, for the development of an industry-specific international standard that addresses the application of safety instrumented systems for the process industries. ISA-S84.01-1995 has been written with the intent that it will serve as the basis for that sector-specific standard. The structure, format, and content of S84.01 have been developed in this context.

There are significant differences in S84.01 from IEC draft Publication 1508-1995, as described in Clause 12. However, IEC draft Publication 1508 was still being developed at the time that S84.01 was published. As a result, ISA SP84 will continue to support and monitor IEC draft Publication 1508 development and will modify S84.01 as needed when IEC draft Publication 1508 is published. The IEC style guide has been used to facilitate the harmonization of this material with the general standards and other sector-specific standards being developed for IEC draft Publication 1508.

The following people served as active members of ISA Committee SP84: NAME V. Maggioli, Chairman R. Boyd, Jr., Vice Chairman W. Calder III, Managing Director *R. Adamski R. Aldridge R. Bailliet N. Battikha L. Beckman R. Bell S. Bender P. Bennett K. Bingham W. Black J. Blagg R. Bloomfield *K. Bond K. Bosch S. Boyer *B. Bradley A. Brombacher D. Brown *L. Brown M. Cannon J. Carew L. Cheung R. Desrochers (deceased)
*One vote per company

COMPANY Feltronics Corporation Aramco Calder Enterprises Triconex Consultant Shell Offshore, Inc. ICI Canada, Inc. HIMA Americas, Inc. Technology & Health Sciences Division S.K. Bender & Associates Center for Software Engineering Hinz Consulting, Ltd. BP GRE Eco Waste Technologies Adelard Shell Oil Company G3 IQSE Iliad Engineering, Inc. Mobil Research & Development Corporation Eindhoven University of Technology Fisher-Rosemount Systems Arco Oil & Gas Industrial Equipment Company Stone & Webster, Inc. W.R. Grace & Company Sun Company


NAME: R. Dillman J. Duran P. Early *R. Ewbank T. Fisher J. Forrest *T. Frederickson, Jr. R. Freeman D. Fritsch *K. Gandhi R. Gardner *F. Gellner J. Gilman R. Glaser W. Goble *C. Goring *J. Gray D. Green T. Green J. Greenwald *R. Grehofsky P. Gruhn *A. Habib *A. Hamers A. Hammons B. Hampton C. Hardin D. Haysley *A. Heckman *K. Hill L. Hoffman B. Humes *D. Inverso J. Jarvi W. Jay K. Jennings D. Jensen R. Johnson *W. Johnson *D. Karydas K. Kassner R. Kier D. Leonard *E. Lewis J. Martel *T. McAdams
*One vote per company

COMPANY: Conoco, Inc. Lagoven SA ABB Industrial Systems, Inc. Rhone-Poulenc, Inc. Lubrizol Corporation ABS Industrial Verification, Inc. Triconex Monsanto Phillips Petroleum Company M. W. Kellogg Company DuPont Engineering E. I. du Pont de Nemours & Company Procter & Gamble Company Dow Chemical Company Moore Products Company August Systems, Ltd. Chevron Research & Technology Company Rohm & Haas Stubbs Overbeck & Associates Fina Oil & Chemical Company E. I. du Pont de Nemours & Company Industrial Control Service, Inc. Rhone-Poulenc, Inc. Honeywell SMS Chevron USA Consultant Hoechst Celanese Corporation Murphy Oil Company Bently Nevada Mobil Research & Development Corporation BASF Corporation Bently Nevada E.I. du Pont de Nemours & Company Teknillinen Tarkastuskeskus Entergy Operations, Inc. Square D Company Price Engineering Company Kingwood Technology Group E. I. du Pont de Nemours & Company Factory Mutual Research Corporation CALTEK Pacific-Minas Corporation Kinetics Technology International Consultant Union Carbide Corporation Exxon Chemical Company Allen-Bradley Company


NAME: S. McCormick *M. McElroy F. McKenna N. McLeod R. McNab *F. Mears *W. Mostia, Jr. I. Nimmo J. Nye *D. Ogwude T. Ostrowski *J. Palomar J. Paques B. Phelps *W. Purser R. Raghaven G. Ramachandran *K. Rashida C. Richard L. Richardson *C. Rischar *W. Robinson G. Russcher *D. Sanders K. Schilowsky J. Schroeder R. Shah T. Shephard *J. Simon I. Smith S. Smith J. Sottnik R. Spiker R. Spinks *P. Stavrianidis R. Stevens H. Storey L. Suttinger H. Thomas *C. Thurston M. Toffolo *W. Valerie T. Walczak D. Watkins M. Weber S. Weiner
*One vote per company

COMPANY: 3M Company Pepperl + Fuchs Systems FMcK Associates, Ltd. Elf Atochem Arco Chemical Company Mobil Research & Development Corporation Amoco Corporation Honeywell, Inc. Exxon Research and Engineering Company Chevron Research & Technology Company Occidental Chemical Corporation Chevron Research & Technology Company Institut de Recherche Citgo Petroleum Corporation Shell Oil Company Consultant Cytec Industries, Inc. Allen-Bradley Company Mobil Oil Company UOP Allen-Bradley Company Amoco Corporation Westinghouse Electric Company August Systems, Ltd. Marathon Oil Company Tosco Corporation Koch Industries Caltex Services Corporation M. W. Kellogg Company Campbell Love Associates Touch Technology, Inc. United Engineers & Constructors GTI Industrial Automation Petrocon Engineering, Inc. Factory Mutual Research Corporation U.S. Department of Energy Shell Development Company Westinghouse Savannah River Company Air Products & Chemicals Union Carbide Corporation Elsag Bailey (Canada), Inc. Arco Oil & Gas GE Fanuc Dow Chemical Company TUV-IQSE PC&E Consulting Engineers


NAME / COMPANY (column order lost in the scan): Honeywell Industrial Automation & Control Consultant Fluor Daniel McAvinew A. Brett W. Holland A. Weidman J. Inc. Wiegle C. Jr. Inc. Welz G. McFarland J. Calder III H. Dieck W. Webb W. M. Baumann D. Calder Enterprises Phoenix Industries McCauley E. Lyondell Petrochemical Company Endress + Hauser GmbH + Company Metro Wastewater Reclamation District Chagrin Valley Controls Dammeyer R. Rapley R. Widmeyer Inc. Bishop P. Chevron USA Production Company Honeywell Lindner T. Mock E. Pratt & Whitney Southern Company Services *G. Inc. D. Whetstone H. I. Iverson K. Rapley Engineering Services Rockwell Automation A-B Pacific Gas & Electric Company Consultant Electric Power Research Institute National Institute of Standards & Technology Canus Corporation Eastman Kodak Company Graeme Wood Consulting Fisher-Rosemount Baumann Williams G. Jr. Reimer R. W. Montgomery D. Inc. Inc. Vice President H. Weiss J. Zielinski Washington Public Power Supply System H. Inc. Wristen BHP Engineers & Constructors Wood M. du Pont de Nemours & Company

This published standard was approved for publication by the ISA Standards and Practices Board on February 15, 1996.

Contents

Introduction
1 Scope
• Boundaries of the Safety Instrumented System (SIS)
• Exclusions
2 Conformance to this standard
• Conformance guidance
• Existing systems
3 Definition of terms and acronyms
• Definitions
• Acronyms
4 Safety life cycle
• Objectives
• Safety Life Cycle steps
5 Safety requirements specifications development
• Objective
• Input requirements
• Safety functional requirements
• Safety integrity requirements
6 SIS conceptual design
• Objective
• Conceptual design requirements
7 SIS detailed design
• Objective
• General requirements
• SIS logic solver
• Field devices
• Interfaces
• Power sources
• System environment
• Application logic requirements
• Maintenance or testing design requirements
8 Installation, commissioning and pre-startup acceptance test
• Objective
• Installation
• Commissioning
• Pre-Startup Acceptance Test (PSAT)
9 SIS operation and maintenance
• Objective
• Training
• SIS operating procedures
• Maintenance program
• Testing
• Documentation
• Functional testing
• Documentation of functional testing
10 SIS Management Of Change (MOC)
• Objective
• MOC procedure
• MOC documentation
11 Decommissioning
• Objective
• General
12 Differences
• Terminology
• Organizational differences
• Technology differences

Annexes
A (Informative) — Information and examples illustrating methods for determining Safety Integrity Level (SIL) for a Safety Instrumented System (SIS)
• Introduction
• Safety Integrity Level (SIL) considerations and the process example
• Example methods for selecting SIL
B (Informative) — SIS design considerations
• Separation
• Redundancy — identical or diverse
• Software design considerations
• Technology selection
• Failure rates and failure modes
• Architecture — identical or diverse
• Power sources
• Common cause failures
• Diagnostics
• Field devices
• User interface
• Security
• Wiring practices
• Documentation
• Functional test interval
C (Informative) — Informative references
D (Informative) — Example
• Introduction to the example problem
• Safety Life Cycle (Figure 4.1)
• Safety requirement specification
• Safety integrity requirements (5.0)
• Conceptual design (6.0)
• Detail design (7.0)
E (Informative) — Index

Tables
• Safety Integrity Level (SIL) performance requirements
• Company ABC, Site XX, Modified HAZOP documentation example
• Example of a qualitative matrix for determining SIL, example only
• Typical SIS failure modes
• Typical Programmable Electronic Failure Modes
• Fault types
• Diagnostic tests for programmable electronics
• Specific SIL implementation techniques

Figures
• 1.1 — Definition of Safety Instrumented Systems (SIS)
• 4.1 — Safety Life Cycle
• Company ABC, Site XX
• Process example
• Basic process control scheme
• Tentative design solution


Introduction

Purpose

This standard addresses the application of Safety Instrumented Systems (SIS) for the process industries. The SIS addressed includes Electrical (E)/Electronic (E)/Programmable Electronic (PE) technology. This standard is process industry specific within the framework of the International Electrotechnical Commission (IEC) draft Publication 1508 (References C.8 and C.9). This standard follows the Safety Life Cycle presented later (see Figure 4.1).

This document is intended for those who are involved with SIS in the areas of
• design and manufacture of SIS products, selection, and application
• installation, commissioning, and Pre-Startup Acceptance Test
• operation, maintenance, documentation, and testing

Objective

The objective is to define the requirements for Safety Instrumented Systems.

Organization

This standard is organized into three major parts. The main body of the standard (Clauses 1-11) presents mandatory specific requirements. Clause 12 provides key differences between ISA-S84.01 and IEC draft Publication 1508. Informative Annexes A through E present additional non-mandatory (informative) technical information that is useful in SIS applications. Draft Technical Report 84.02 (ISA-dTR84.02), which is issued under separate cover, provides non-mandatory (informative) technical guidance in Safety Integrity Level analysis.


1 Scope

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

1.1 Boundaries of the Safety Instrumented System (SIS)

1.1.1 This standard addresses Electrical/Electronic/Programmable Electronic System (E/E/PES), including inputs, outputs, power supply, and logic solvers, associated sensors, final elements, and interfaces used in automated Safety Instrumented Systems (SIS) for the process industries (Reference C.6). Examples of the E/E/PES technologies are:
a) Electromechanical relays,
b) Solid state logic,
c) PES,
d) Motor-driven timers,
e) Solid state relays and timers,
f) Hard-wired logic, and
g) Combinations of the above.

1.1.2 The SIS includes all elements from the sensor to the final element. SIS user interface may be in the SIS. Figure 1.1 defines the boundaries of the SIS and identifies the devices that may be included in the system. The SIS described in this standard is that portion of the diagram enclosed within the double lined box.

1.1.3 Other interfaces to the SIS are considered a part of the SIS if they have potential impact on its safety function.

Figure 1.1 — Definition of Safety Instrumented Systems (SIS)

1.2 Exclusions

1.2.1 This standard identifies all the steps of the Safety Life Cycle (see Figure 4.1) but does not define the method(s) that may be used in some of the steps. It also does not mandate the use of any particular technology.

1.2.2 This standard does not address management of the non-SIS portion of the design or the management of the startup process.

1.2.3 In jurisdictions where the governing authorities (Federal, State, Province, County, City, etc.) have established Process Safety Design, Process Safety Management, or other requirements, these laws shall in all cases take precedence over those requirements defined in this standard.

1.2.4 This standard does not address the codes, regulations, and other requirements that apply only to the Nuclear Industry.

1.2.5 The activity of identifying process hazards by use of Process Hazards Analysis methods is not part of this standard.

1.2.6 Defining the need for a Safety Instrumented System is not included in this standard. These factors must be integrated into the Safety Life Cycle at the appropriate step.

1.2.7 This standard is not intended to be used as a stand-alone system purchase specification. It will not eliminate the need for sound engineering judgment.

1.2.8 This standard is not intended for pneumatic or hydraulic logic solvers.

1.2.9 The standard is not intended to apply to Basic Process Control Systems (BPCS).

1.2.10 This standard does not consider the use of technology that is not currently utilized in Safety Instrumented Systems. As new technology evolves and becomes available (e.g., ISA SP50 Fieldbus) it will be addressed in scheduled (5 year) revisions to this standard. In the interim, new technology shall be user approved before use in safety applications, if new system performance justifies its use. In these cases, the new technology implementation may require exception to some standard requirements of S84.01. Exceptions shall be documented to demonstrate that the new approach satisfies the safety requirements.

1.2.11 Analysis of the capability of humans to act on human-machine interface information is part of the Process Hazards Analysis and is outside the scope of this standard.

1.2.12 Instrumentation installed for the purpose of monitoring conditions that may lead to chronic health effects is not covered by this standard.

1.2.13 This standard does not cover instrumentation installed principally for the purpose of property protection (e.g., fire and gas monitoring systems, alarm systems, etc.).

1.2.14 Systems where operator action is the sole means required to return the process to a safe state are not covered by this standard.

2 Conformance to this standard

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

2.1 Conformance guidance

To conform to the requirements of this standard, the following shall be adhered to:

2.1.1 To conform to this Standard, it must be shown that each of the requirements has been satisfied and therefore the Clause objectives have been met.

2.1.2 Where a requirement is qualified by reference to an informative annex, this indicates that a range of techniques and measures can be used to satisfy that requirement, including techniques and measures not listed in the informative annex.

2.1.3 The techniques and measures included in normative Clauses 1 through 11 are considered good engineering practices in the design and support of Safety Instrumented Systems.

2.2 Existing systems

2.2.1 For existing SIS designed and constructed in accordance with codes, standards, or practices prior to the issue of this standard, the owner/operator shall determine that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.

3 Definition of terms and acronyms

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

3.1 Definitions

For the purposes of this standard, the following definitions apply:

3.1.1 application program: See software (3.1.58.1).

3.1.2 application software: See software (3.1.58.1).

3.1.3 architecture: The arrangement and interconnection of the hardware components or modules that comprise the SIS.

3.1.4 availability: See safety availability (3.1.51).

3.1.5 Basic Process Control System (BPCS): A system that responds to input signals from the equipment under control and/or from an operator and generates output signals, causing the equipment under control to operate in the desired manner. Some examples include control of an exothermic reaction, anti-surge control of a compressor, and fuel/air controls in fired heaters. Also referred to as Process Control System.

3.1.6 bypassing: Act of temporarily defeating a safety function in a SIS.

3.1.7 common cause

3.1.7.1 common cause fault: A single source that will cause failure in multiple elements of a system. The single source may be either internal or external to the system.

3.1.7.2 common cause failure: The result of a common cause fault.

3.1.8 communication

3.1.8.1 external communication: Data exchange between the SIS and a variety of systems or devices that are outside the SIS. These include shared operator interfaces, maintenance/engineering interfaces, data acquisition systems, host computers, etc.

3.1.8.2 internal communication: Data exchange between the various devices within a given SIS. These include bus backplane connections, the local or remote I/O bus, etc.

3.1.9 coverage: See diagnostic coverage (3.1.14).

3.1.10 covert fault: Faults that can be classified as hidden, concealed, undetected, unrevealed, latent, etc.

3.1.11 decommissioning: The permanent removal of a complete SIS from active service.

3.1.12 de-energize to trip: SIS circuits where the outputs and devices are energized under normal operation. Removal of the source of power (e.g., electricity, air) causes a trip action.

3.1.13 demand: A condition or event that requires the SIS to take appropriate action to prevent a hazardous event from occurring or mitigate the consequence of a hazardous event.

3.1.14 diagnostic coverage: For SIS with active fault-detection capabilities, the ratio of detectable faults to the total number of faults.

3.1.15 diverse: Use of different technologies, equipment or design methods to perform a common function with the intent to minimize common cause faults (see 3.1.7).

3.1.16 Electrical (E)/Electronic (E)/Programmable Electronic Systems (PES) (E/E/PES): When used in this context, electrical refers to logic functions performed by electromechanical techniques (e.g., electromechanical relay, motor driven timers, etc.), electronic refers to logic functions performed by electronic techniques (e.g., solid state logic, solid state relay, etc.), and Programmable Electronic System refers to logic performed by programmable or configurable devices [e.g., Programmable Logic Controller (PLC), Single Loop Digital Controller (SLDC), etc.]. Field devices are not included in E/E/PES.

3.1.17 electronic (/E): See E/E/PES (3.1.16).

3.1.18 embedded software: See software (3.1.58.2).

3.1.19 energize to trip: SIS circuits where the outputs and devices are de-energized under normal operation. Application of power (e.g., electricity, air) causes a trip action.

3.1.20 fail-safe: The capability to go to a predetermined safe state in the event of a specific malfunction.

3.1.21 fault tolerance: Built-in capability of a system to provide continued correct execution of its assigned function in the presence of a limited number of hardware and software faults.

3.1.22 field devices: Equipment connected to the field side of the SIS I/O terminals. Such equipment includes field wiring, sensors, final control elements, and those operator interface devices hard-wired to SIS I/O terminals.

3.1.23 firmware: Special purpose memory units containing software embedded in protected memory required for the operation of programmable electronics.

3.1.24 forcing: A PES engineering station function that provides the capability to override the application program and to change the states of inputs and outputs.

3.1.25 functional testing: Periodic activity to verify that the SIS is operating per the Safety Requirement Specifications.

3.1.26 hardware configuration: See architecture (3.1.3).

3.1.27 hard-wired: Electrical connections accomplished without the use of software or firmware.

3.1.28 hazard: Chemical or physical condition that has the potential for causing injury to people or the environment (Reference C.45 and B.12).

3.1.29 input/output modules

3.1.29.1 input module: E/E/PES or subsystem that acts as an interface to external devices and converts input signals into signals that the E/E/PES can utilize.

3.1.29.2 output module: E/E/PES or subsystem that acts as an interface to external devices and converts output signals into signals that can actuate external devices.

3.1.30 interface: Shared boundary through which information is conveyed.

3.1.31 integration: Process of assembling multiple components or subsystems to form a system.

3.1.32 logic solver: E/E/PES components or subsystems that execute the application logic. Electronic and programmable electronics include input/output modules.

3.1.33 off-line: The process to which the SIS is connected is shut down.

3.1.34 on-line: The process to which the SIS is connected is operating.

3.1.35 overt faults: Faults that are classified as announced, detected, revealed, etc.

3.1.36 permissive: Condition within a logic sequence that must be satisfied before the sequence is allowed to proceed to the next phase.

3.1.37 Pre-Startup Acceptance Test (PSAT): Process of confirming performance of the total integrated SIS to assure its conformance to the Safety Requirement Specifications and design.

3.1.38 preventive maintenance: Maintenance practice in which equipment is maintained on the basis of a fixed schedule, dictated by manufacturer's recommendation or by accumulated data from operating experience.

3.1.39 Probability of Failure on Demand (PFD): A value that indicates the probability of a system failing to respond to a demand. The average probability of a system failing to respond to a demand in a specified time interval is referred to as PFDavg. PFD equals 1 minus Safety Availability [see safety availability (3.1.51)].

3.1.40 process industry sector: Refers to those processes involved in, but not limited to, the production, generation, manufacture, and/or treatment of oil, gas, wood, metals, food, plastics, petrochemicals, chemicals, steam, electric power, pharmaceuticals, and waste material(s).

3.1.41 Programmable Electronic System (PES): See E/E/PES (3.1.16).

3.1.42 protection layer: Engineered safety features or protective systems or layers that typically involve special process designs, process equipment, administrative procedures, the Basic Process Control System (BPCS), and/or planned responses to protect against an imminent hazard. These responses may be either automated or initiated by human actions (see Annex A for guidance).

3.1.43 qualitative methods: Methods of design and evaluation developed through experience and/or the application of good engineering judgement.

3.1.44 quantitative methods: Methods of design and evaluation based on numerical data and mathematical analysis.

3.1.45 redundancy: Use of multiple elements or systems to perform the same function. Redundancy can be implemented by identical elements (identical redundancy) or by diverse elements (diverse redundancy).

3.1.46 reliability: Probability that a system can perform a defined function under stated conditions for a given period of time.

3.1.47 replacement in kind: A replacement that satisfies the design specification.

3.1.48 reset: Action that restores the equipment under control to a predetermined normal enabled or operating state.

3.1.49 risk assessment: Process of making risk estimates and using the results to make decisions.

3.1.50 safe state: State that the equipment under control, or process, shall attain as defined by the Process Hazards Analysis (PHA).

3.1.51 safety availability: Fraction of time that a safety system is able to perform its designated safety service when the process is operating. (PFD equals 1 minus Safety Availability, see 3.1.39.) In this standard, the average Probability of Failure on Demand (PFDavg) is the preferred term.

3.1.52 Safety Integrity Level (SIL): One of three possible discrete integrity levels (SIL 1, SIL 2, SIL 3) of Safety Instrumented Systems. SILs are defined in terms of Probability of Failure on Demand (PFD) (see Table 3.1).

Table 3.1 — Safety Integrity Level (SIL)

  Safety Integrity Level (SIL)    Probability of Failure on Demand Average Range (PFDavg)
  1                               10^-1 to 10^-2
  2                               10^-2 to 10^-3
  3                               10^-3 to 10^-4

3.1.53 Safety Instrumented Systems (SIS): System composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when predetermined conditions are violated (see Figure 1.1). Other terms commonly used include Emergency Shutdown System (ESD, ESS), Safety Shutdown System (SSD), and Safety Interlock System.

3.1.54 Safety Life Cycle: Sequence of activities involved in the implementation of the Safety Instrumented Systems from conception through decommissioning (see Figure 4.1).

3.1.55 separation: The use of multiple devices or systems to segregate control from safety functions. Separation can be implemented by identical elements (identical separation) or by diverse elements (diverse separation).

3.1.56 shall: Indicates a mandatory requirement.

3.1.57 SIS components: A constituent part of a SIS. Examples of SIS components are field devices, input modules, output modules, and logic solvers.

3.1.58 software

3.1.58.1 application software: Software specific to the user application in that it is the SIS functional description programmed in the PES to meet the overall Safety Requirement Specifications (see Clause 5). In general, it contains logic sequences, permissives, limits, expressions, calculations, procedures, decisions, etc., that control the appropriate input, output, etc., necessary to meet the safety functional requirements.

3.1.58.2 embedded software: Software that is part of the system supplied by the vendor and is not accessible for modification by the end user. Embedded software is also referred to as firmware or system software.

3.1.58.3 utility software: Software tools for the creation, maintenance, and documentation of application programs. These software tools are not required for the operation of the SIS.

3.1.59 spurious trip: Refers to the shutdown of the process for reasons not associated with a problem in the process that the SIS is designed to protect against (e.g., the trip resulted from a hardware fault, software fault, transient, ground plane interference, electrical fault, etc.). Other terms used include nuisance trip and false shutdown.

3.1.60 systematic failures: Failures due to errors (including mistakes and acts of omission) in Safety Life Cycle activities that cause the SIS to fail under some particular combination of inputs or under a particular environmental condition. Systematic failures can arise in any Safety Life Cycle step.

3.1.61 Test Interval (TI): Time between functional tests.

3.1.62 user approved: Hardware, software, procedures, etc., that the user has evaluated and determined to be acceptable for the application.

3.1.63 verification: Process of confirming for certain steps of the Safety Life Cycle that the objectives are met.

3.1.64 voting system: Redundant system (e.g., "m" out of "n", two out of three [2oo3], one out of two [1oo2] to trip, etc.) that requires at least "m" of the "n" channels to be in agreement before the SIS can take an action.

3.2 Acronyms

BPCS: Basic Process Control System
CFR: Code of Federal Regulations
E/E/PES: Electrical/Electronic/Programmable Electronic System
I/O: Input/Output
MOC: Management of Change
MTBF: Mean Time Between Failures
MTTF: Mean Time To Failure
MTTR: Mean Time To Repair
OSHA: Occupational Safety and Health Administration

PES: Programmable Electronic System
PFD: Probability of Failure on Demand
PHA: Process Hazards Analysis
PSAT: Pre-Startup Acceptance Test
PSSR: Pre-Startup Safety Review
SIL: Safety Integrity Level
SIS: Safety Instrumented Systems
WDT: Watchdog Timer

4 Safety life cycle

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

4.1 Scope

The clauses in this standard are organized based on the Safety Life Cycle (see Figure 4.1). The Safety Life Cycle covers the Safety Instrumented Systems (SIS) activities from initial conception through decommissioning. Note that this standard does not address the method for performing initial Safety Life Cycle activities, such as:
a) Performing conceptual process design
b) Performing Process Hazards Analysis & risk assessment
c) Defining non-SIS protection layers
d) Defining the need for an SIS
e) Determining required Safety Integrity Level
These activities are outside the scope of this standard.

Figure 4.1 — Safety Life Cycle

4.2 Safety Life Cycle steps

During the Safety Life Cycle of a SIS, there may be points where iterations are necessary. A few of these are indicated in the Safety Life Cycle presented, but these should not be considered the only points where iteration may be necessary.

4.2.1 The first step in the Safety Life Cycle is concerned with the conceptual process design. The method for accomplishing this step is outside the scope of this standard.

4.2.2 The second step is concerned with identifying the hazards and hazardous events for a process and assessing the level of risk involved. This standard does not address the methods for performing this analysis and evaluation but assumes it has taken place prior to applying the principles in this document.

4.2.3 The third step involves the application of non-SIS protection layers to the process. Once the hazards and risks have been identified, appropriate technology (including process and equipment modifications) is applied to eliminate the hazard, to mitigate its consequences, or to reduce the likelihood of the event. The method(s) for accomplishing this step are outside the scope of this standard.

4.2.4 Next an evaluation is made to determine if an adequate number of non-SIS protection layers have been provided. The desire is to provide an appropriate number of non-SIS protection layers such that SIS protection layer(s) are not required. Therefore, before considering adding SIS protection layer(s), consideration should be given to changing the process and/or its equipment utilizing various non-SIS protection techniques. The method for accomplishing this step is outside the scope of this standard.

4.2.5 If an SIS is appropriate, the next step is establishing the requirements for the SIS by defining a target Safety Integrity Level (SIL) (see Annex A for guidance). The method(s) for accomplishing this step are outside the scope of this standard. A SIL defines the level of performance needed to achieve the user's process safety objective. SILs are defined as 1, 2, and 3. SISs above SIL 3 are not addressed in this standard. Associated with each SIL is a Probability of Failure on Demand average range (see Table 4.1). The higher the SIL, the more available the safety function of the SIS. Performance is improved by the addition of redundancy, use of diagnostic fault detection, more frequent testing, use of diverse sensors and final control elements, etc. Performance is also improved through better control of design, operation, and maintenance procedures.

Table 4.1 — Safety Integrity Level performance requirements

  SAFETY INTEGRITY LEVEL   SIS PERFORMANCE REQUIREMENTS
                           Safety Availability Range   PFD Average Range
  1                        0.9 to 0.99                 10^-1 to 10^-2
  2                        0.99 to 0.999               10^-2 to 10^-3
  3                        0.999 to 0.9999             10^-3 to 10^-4
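An added worked example, not from the standard itself: a classifier that maps a PFDavg or Safety Availability value onto the SIL bands of Table 4.1 and checks a design against a target SIL. It assumes the table's shared boundary values are read conservatively (a PFDavg exactly at 10^-2 is credited with SIL 1, not SIL 2) and rounds away floating-point noise so that 1 - 0.999 lands on the band edge rather than just below it.

```python
"""SIL classification from PFDavg / Safety Availability, per Table 4.1.

Added example; not part of ANSI/ISA-S84.01.  Assumption: a PFDavg that
lands exactly on a band boundary (e.g. 10^-2) is credited with the lower
SIL, which is the conservative reading of the table.
"""
from typing import Optional

# (SIL, upper PFDavg bound exclusive, lower PFDavg bound inclusive) from Table 4.1.
SIL_BANDS = [
    (1, 1e-1, 1e-2),
    (2, 1e-2, 1e-3),
    (3, 1e-3, 1e-4),
]


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """Return the SIL whose PFDavg band contains pfd_avg, or None.

    None means the value lies outside Table 4.1: either worse than SIL 1
    (PFDavg >= 10^-1) or better than SIL 3 (PFDavg < 10^-4), which this
    standard does not address (4.2.5).
    """
    if not 0.0 < pfd_avg <= 1.0:
        raise ValueError("PFDavg must be a probability in (0, 1]")
    # Round away float noise such as 1 - 0.999 == 0.00099999999999988...,
    # which would otherwise slip into the next (better) band.
    pfd_avg = round(pfd_avg, 12)
    for sil, upper, lower in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    return None


def sil_from_availability(availability: float) -> Optional[int]:
    """Same classification from Safety Availability (PFD = 1 - availability, 3.1.39)."""
    if not 0.0 <= availability < 1.0:
        raise ValueError("safety availability must be in [0, 1)")
    return sil_from_pfd(1.0 - availability)


def meets_target(pfd_avg: float, target_sil: int) -> bool:
    """True if a SIS with this PFDavg satisfies target_sil (1, 2 or 3).

    A PFDavg better than SIL 3 still satisfies any SIL 1..3 target, so the
    check is against the target band's upper bound, not band membership.
    """
    if target_sil not in (1, 2, 3):
        raise ValueError("this standard defines SIL 1, 2 and 3 only")
    upper = SIL_BANDS[target_sil - 1][1]
    return round(pfd_avg, 12) < upper
```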

The SIL concept is utilized in several steps of the Safety Life Cycle. See Annex A for guidance on SIL determination.

4.2.6 The next step is developing Safety Requirement Specifications. The Safety Requirement Specifications document functional and integrity requirements for the SIS (see Clause 5).

4.2.7 The next step involves developing the SIS Conceptual Designs that may meet the Safety Requirement Specifications. Annex B provides guidance on the selection of architectures to meet SIL requirements (see Clause 6).

4.2.8 Once SIS Conceptual Design is complete, the detailed design can be performed (see Clause 7).

4.2.9 Install the SIS (see Clause 8).

4.2.10 After installation is complete, the Commissioning and Pre-Startup Acceptance Test (PSAT) of the SIS shall be performed (see Clause 8).

4.2.11 SIS Operation and Maintenance Procedures may be developed at any step of the Safety Life Cycle and shall be completed prior to startup (see Clause 9).

4.2.12 Prior to startup of the SIS, a Pre-Startup Safety Review (PSSR) shall take place. This PSSR shall include the following SIS activities:
a) Verification that the SIS was constructed, installed, and tested in accordance with the Safety Requirement Specifications.
b) Safety, operating, maintenance, and emergency procedures pertaining to the SIS are in place and are adequate.
c) PHA recommendations that apply to the SIS have been resolved or implemented.
d) Employee training has been completed and includes appropriate information about the SIS.
The method for accomplishing this step is outside the scope of this standard.

4.2.13 After PSSR, the SIS may be placed in operation. This step includes startup, normal operation, maintenance, Management of Change (MOC), and periodic Functional Testing (see Clause 9).

4.2.14 If modifications are proposed, their implementation shall follow a Management of Change (MOC) procedure. The appropriate steps in the Safety Life Cycle shall be repeated to address the safety impact of the change (see Clause 10).

4.2.15 At some time, the need for the SIS will cease. For example, this may be caused by plant closure, or the removal or change of the process. The decommissioning of the SIS shall be planned, and appropriate steps should be taken to ensure that this is accomplished in a manner that does not compromise safety (see Clause 11). The planning and execution of this activity is outside the scope of this standard.

5 Safety requirements specifications development

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

5.1 Objective

The objective is to develop specifications for Safety Instrumented Systems (SIS) design. These Safety Requirement Specifications consist of both safety functional requirements and safety integrity requirements. The Safety Requirement Specifications can be a collection of documents or information.

5.2 Input requirements

The information required from the Process Hazards Analysis (PHA) or process design team to develop the Safety Requirement Specifications includes the following.

5.2.1 The definition of the safe state of the process, for each of the identified events.

5.2.2 Process information (incident cause, dynamics, final elements, etc.) of each potential hazardous event that requires a SIS.

5.2.3 Regulatory requirements impacting the SIS.

5.2.4 Process common cause failure considerations such as corrosion, plugging, coating, etc.

5.3 Safety functional requirements

The safety functional requirements shall include the following.

5.3.1 A list of the safety function(s) required and the SIL of each safety function.

5.3.2 The normal operating range of the process variables and their operating limits.

5.3.3 The process inputs to the SIS and their trip points.

5.3.4 The process outputs from the SIS and their actions.

5.3.5 The functional relationship between process inputs and outputs, including logic, math functions, and any required permissives.

5.3.6 Consideration for manual shutdown.

5.3.7 Action(s) to be taken on loss of energy source(s) to the SIS.

5.3.8 Selection of de-energized to trip or energized to trip.

5.3.9 Response time requirements for the SIS to bring the process to a safe state.

5.3.10 Response action to any overt fault.

5.3.11 Human-machine interface requirements.

5.3.12 Reset function(s).

5.4 Safety integrity requirements

Safety integrity requirements shall include the following.

5.4.1 The required SIL for each safety function.

5.4.2 Requirements for diagnostics to achieve the required SIL (see B.9 for guidance).

5.4.3 Requirements for maintenance and testing to achieve the required SIL.

5.4.4 Reliability requirements if spurious trips may be hazardous.

6 SIS conceptual design

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

6.1 Objectives

To define those requirements needed to develop and verify a SIS Conceptual Design that meets the Safety Requirements Specifications.

6.2 Conceptual design requirements

6.2.1 The Safety Instrumented Systems (SIS) architecture for each safety function shall be selected to meet its required Safety Integrity Level (SIL). The selected architecture may be one out of one [1oo1], a voting arrangement (e.g., 1oo2 voting, 2oo3 voting), etc.

6.2.2 A SIS may have a single safety function or multiple safety functions that have a common logic solver and/or input and output devices. When multiple SISs are combined in a system where they share common logic or components, the potential for common cause faults is increased. Programming, maintenance, accessibility, power supplies, and security are typical common cause issues to consider. When multiple safety functions share common components, the common components shall satisfy the highest SIL of the shared safety functions. Components of the system that are not common must meet the SIL requirements for the safety function that they address.
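An added example, not part of the standard: the "m out of n" voting rule of 3.1.64 and the shared-component SIL rule of 6.2.2 expressed in Python, so a conceptual design can be checked mechanically for components rated below what the functions using them require. The safety-function names, tag numbers and SIL ratings are constructed for illustration.

```python
"""MooN voting (3.1.64) and shared-component SIL requirements (6.2.2).

Added example; not part of ANSI/ISA-S84.01.  All function names, tag
numbers and ratings below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Set, Tuple


def moon_trips(m: int, n: int, channel_trip_votes: Iterable[bool]) -> bool:
    """'m out of n' to trip: the SIS acts when at least m of the n channels
    agree that a trip condition exists (3.1.64).  A mismatch between n and
    the number of votes supplied is treated as a configuration error rather
    than silently voted on."""
    votes = list(channel_trip_votes)
    if not 1 <= m <= n:
        raise ValueError(f"invalid voting arrangement {m}oo{n}")
    if len(votes) != n:
        raise ValueError(f"{m}oo{n} expects {n} channel votes, got {len(votes)}")
    return sum(1 for v in votes if v) >= m


# Safety function name -> (required SIL, set of SIS components it relies on).
SafetyFunctions = Dict[str, Tuple[int, Set[str]]]


def component_sil_requirements(functions: SafetyFunctions) -> Dict[str, int]:
    """Per 6.2.2: a component shared by several safety functions must satisfy
    the highest SIL among them; a component used by one function meets that
    function's SIL.  Both cases reduce to the max over the functions using it."""
    required: Dict[str, int] = {}
    for _name, (sil, components) in functions.items():
        if sil not in (1, 2, 3):
            raise ValueError("this standard defines SIL 1, 2 and 3 only")
        for comp in components:
            required[comp] = max(required.get(comp, 0), sil)
    return required


def shared_components(functions: SafetyFunctions) -> Set[str]:
    """Components that more than one safety function depends on: the common
    elements whose common-cause exposure 6.2.2 calls out."""
    seen: Dict[str, int] = {}
    for _name, (_sil, components) in functions.items():
        for comp in components:
            seen[comp] = seen.get(comp, 0) + 1
    return {comp for comp, count in seen.items() if count > 1}


def sil_shortfalls(functions: SafetyFunctions,
                   rated_sil: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Return (component, required SIL, rated SIL) for every component whose
    rated capability is below what component_sil_requirements demands.
    A component with no rating at all is reported with rated SIL 0."""
    required = component_sil_requirements(functions)
    return sorted(
        (comp, need, rated_sil.get(comp, 0))
        for comp, need in required.items()
        if rated_sil.get(comp, 0) < need
    )


# Constructed design: two functions sharing one logic solver (LS-1).
EXAMPLE_FUNCTIONS: SafetyFunctions = {
    "high-pressure trip": (2, {"PT-101A", "PT-101B", "LS-1", "XV-101"}),
    "low-level trip": (1, {"LT-201", "LS-1", "XV-201"}),
}
# Constructed ratings: the shared logic solver was only specified to SIL 1.
EXAMPLE_RATINGS = {"PT-101A": 2, "PT-101B": 2, "LS-1": 1, "XV-101": 2,
                   "LT-201": 1, "XV-201": 1}
```

Running `sil_shortfalls(EXAMPLE_FUNCTIONS, EXAMPLE_RATINGS)` flags LS-1 as needing SIL 2 while rated SIL 1, which is exactly the shared-component case 6.2.2 requires the conceptual design to resolve.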

7 SIS detailed design

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

7.1 Objective

To provide detailed requirements for the design of the Safety Instrumented Systems (SIS) to achieve the requirements of the Safety Requirement Specifications and conceptual design.

7.2 General requirements

7.2.1 The SIS design shall be capable of meeting the Safety Integrity Level (SIL).

7.2.2 The SIS may include sequencing functions to take the process to or maintain it in a safe state.

7.2.3 The desired SIL shall be met through a combination of the following design considerations:
a) Separation - identical or diverse (see B.1 for guidance)
b) Redundancy - identical or diverse (see B.2 for guidance)
c) Software design considerations (see B.3 for guidance)
d) Technology selection (see B.4 for guidance)
e) Failure rates and failure modes (see B.5 for guidance)
f) Architecture (see B.6 for guidance)
g) Power sources (see B.7 for guidance)
h) Common cause failures (see B.8 for guidance)
i) Diagnostics (see B.9 for guidance)
j) Field devices (see B.10 for guidance)
k) User interface (see B.11 for guidance)
l) Security (see B.12 for guidance)
m) Wiring practices (see B.13 for guidance)
n) Documentation (see B.14 for guidance)
o) Functional test interval (see B.15 for guidance)

7.2.4 The SIS design documents shall be under control of a formal revision and release control program.

7.2.5 The manufacturer of equipment used in SIS service shall maintain a formal revision and release control program for the equipment, including applicable software. The use of visible markings or user interfaces to identify this information is acceptable (e.g., part #, serial #, batch #, etc.).

7.2.6 The design shall ensure that the hardware and software used in an application are compatible.

7.2.7 The action of any non-safety function, if implemented by the SIS, shall not interrupt or compromise any SIS safety functions.

7.2.8 The required safe states of each SIS component required for the safety function shall be defined.

7.2.9 The SIS shall be designed such that once it has placed the process in a safe state, it shall remain in the safe state until a reset has been initiated. The requirement for a manual or automatic reset shall be as defined in the Safety Requirements Specifications.

7.2.10 Manual means, independent of the logic solver, shall be provided to actuate the SIS final elements unless otherwise directed by the Safety Requirements Specifications.

7.2.11 Any detected single fault that causes a SIS failure shall result in an automatic, predetermined, safe failure action, and/or a safe process condition if the appropriate response action is undertaken.

7.2.12 The design shall apply codes and standards for environmental and hazardous area classifications (e.g., NFPA 70, National Electrical Code, Article 500) (see Annex C for guidance).

7.2.13 SIS Input/Output power circuits shall be separated from circuits used for any other purpose except where the sensor or final control element is shared as allowed in 7.4.2 and 7.4.3.

7.3 SIS logic solver

7.3.1 The logic solver supplier shall provide an integrated design including, where applicable, input module(s), output module(s), maintenance interface device(s), communication(s), and utility software. The integrated design shall be documented.

7.3.2 The logic solver supplier shall provide Mean Time To Failure (MTTF) data, a covert failure mode listing, and the frequency of occurrence of identified covert failures. The method and data sources for the above shall be provided.

7.3.3 PES logic solvers shall have methods (internal and/or external) to protect against covert faults (e.g., comparison of logic solver performance versus process action, embedded or application software testing the logic solver performance).

7.3.4 The logic solver shall be separated (see B.1 for guidance) from the Basic Process Control System (BPCS) except where some applications have combined BPCS and SIS functions in one "logic solver" (e.g., gas turbines). In these cases, the BPCS/SIS logic solver shall meet the SIL (see C.1 for additional guidance).

4..4.`.. coking.1 Energize to trip discrete input/output circuits shall apply a method (e.1 Smart sensors shall be write protected to prevent inadvertent modification from a remote location..`.4 Field devices 7.1. 31 .1 General requirements 7.4.10 for ISA SP50 Fieldbus. Two exceptions are allowed provided the failure of the sensor does not create a condition that the SIS is intended to protect against: a) If redundant sensors are used.`-`-`.`.. 7. freezing of materials in pipes.6 for guidance).1.3 Sensor diagnostics. The Instrumentation. 7. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. see Annex A). b) If the PHA determines that one or more protection layers other than the BPCS and the SIS offers protection redundant to that provided by the sensor (for further guidance.4. shall be provided as required to meet the SIL (see B.2 When remote input/output is used.2.g.1.5).``.`... unless appropriate safety review allows the use of read/write. Systems. 7. motor overloads) b) Multiple connected Final Control Elements (FCE) to a single output if each FCE services the same process condition c) User approved systems such as fire and gas detection systems d) See 1. User=. they may be connected to both the BPCS and the SIS provided that any failure in the BPCS will not affect the proper operation of the sensor or the ability of the SIS to read the sensor properly (see B. 7..1.line monitor. 7.4.. 7.. unless Process Hazards Analysis indicates this is appropriate. suspended solids.3 Each individual field device shall have its own dedicated wiring to the system Input/Output.2. Conditions that shall be considered include corrosion.4.``.1.COPYRIGHT 2003. polymerization...2 Sensors for SIS shall be separated from the sensors for the Basic Process Control System (BPCS).g.. such as pilot current continuously monitored to ensure circuit continuity.2.`--- 7. 
the pilot current shall not be of sufficient magnitude to affect proper I/O operation) to assure circuit integrity.3.`. and temperature and pressure extremes.01-1996 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101.4. 7.````. and Automation Society --``.2 Sensor requirements 7...2. end-of.4.4.4 Field devices shall be selected and installed to minimize failures that could relate inaccurate information due to conditions arising from the process and environmental conditions. ANSI/ISA-S84.5 The logic solver shall be designed to ensure the process will not automatically restart when power is restored. except in the following cases: a) Multiple connected discrete sensors connected in series to a single input if the sensors monitor the same process condition (e. vendor or user supplied .9 for guidance). it shall be evaluated in conjunction with the logic solver (see B.
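The latching behaviour required by 7.2.9, the safe failure action of 7.2.11 and the no-restart-on-power-restore requirement of 7.3.5 are easiest to see as a small state machine. The following Python model is an added illustration, not code from ANSI/ISA-S84.01 or from any logic solver vendor; the level transmitter, the trip setpoint of 90.0, the reset-mode enumeration and the event sequence are constructed for the example.

```python
"""Latched-trip behaviour of an SIS logic solver (added illustration).

This is not code from ANSI/ISA-S84.01 or from any vendor; it models three
requirements of Clause 7 so they can be exercised: once tripped, the SIS stays
in the safe state until a reset (7.2.9); a detected single fault causes an
automatic, predetermined safe failure action (7.2.11); and the process does not
restart automatically when power is restored (7.3.5). The level transmitter,
the setpoint of 90.0 and the event sequence are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RUNNING = "running"  # final elements in their normal, energized position
    SAFE = "safe"        # final elements driven to their defined safe state


class ResetMode(Enum):
    MANUAL = "manual"        # reset only on an explicit operator action
    AUTOMATIC = "automatic"  # reset as soon as the demand clears (if the SRS allows it)


@dataclass
class LogicSolver:
    trip_setpoint: float                # constructed: trip when level >= setpoint
    reset_mode: ResetMode               # manual or automatic, as defined in the SRS
    state: State = State.SAFE           # safe (de-energized) until the first reset
    detected_fault: bool = False        # a detected single fault is latched here
    last_level: float = 0.0
    event_log: list = field(default_factory=list)

    def _trip(self, reason):
        self.state = State.SAFE
        self.event_log.append(f"TRIP: {reason}")

    def scan(self, level, fault_detected=False):
        """One logic-solver scan; returns the resulting state."""
        self.last_level = level
        if fault_detected:
            # 7.2.11: a detected single fault results in an automatic,
            # predetermined safe failure action, whatever the process value.
            self.detected_fault = True
            self._trip("detected fault, safe failure action taken")
            return self.state
        if level >= self.trip_setpoint:
            if self.state is State.RUNNING:
                self._trip(f"level {level} >= setpoint {self.trip_setpoint}")
            return self.state
        # Demand has cleared. 7.2.9: remain in the safe state until reset;
        # an automatic reset is only taken when the SRS defines it.
        if (self.state is State.SAFE and self.reset_mode is ResetMode.AUTOMATIC
                and not self.detected_fault):
            self.reset()
        return self.state

    def reset(self):
        """Reset request. Refused while a demand is present or a fault is unresolved."""
        if self.detected_fault:
            self.event_log.append("RESET refused: detected fault not cleared")
            return False
        if self.last_level >= self.trip_setpoint:
            self.event_log.append("RESET refused: demand still present")
            return False
        self.state = State.RUNNING
        self.event_log.append("RESET: process released")
        return True

    def clear_fault(self):
        """Maintenance has repaired the fault; the trip itself still needs a reset."""
        self.detected_fault = False
        self.event_log.append("FAULT cleared by maintenance")

    def power_restored(self):
        """7.3.5: after a power cycle the solver comes up in the safe state; no auto-restart."""
        self.state = State.SAFE
        self.event_log.append("POWER RESTORED: holding safe state pending reset")
        return self.state


def run_trip_sequence():
    """Constructed sequence; returns the state after each step plus two reset outcomes."""
    ls = LogicSolver(trip_setpoint=90.0, reset_mode=ResetMode.MANUAL)
    ls.reset()                                    # initial reset puts the unit in service
    seq = [ls.scan(50.0),                         # normal operation: RUNNING
           ls.scan(95.0),                         # demand: trips to SAFE
           ls.scan(40.0),                         # demand cleared, still SAFE (7.2.9)
           ls.power_restored()]                   # power cycle, still SAFE (7.3.5)
    ls.reset()                                    # operator reset releases the process
    seq.append(ls.state)                          # RUNNING
    seq.append(ls.scan(40.0, fault_detected=True))  # fault: SAFE regardless of level (7.2.11)
    reset_before_repair = ls.reset()              # refused while the fault stands
    ls.clear_fault()
    reset_after_repair = ls.reset()               # accepted once repaired
    seq.append(ls.state)                          # RUNNING
    return seq, reset_before_repair, reset_after_repair


if __name__ == "__main__":
    states, before, after = run_trip_sequence()
    print([s.value for s in states], before, after)
```

The point of the model is that nothing in `scan()` returns the solver to RUNNING on its own: the only paths out of the safe state are an explicit `reset()` that checks both the demand and the fault latch, or an automatic reset that the Safety Requirements Specifications must have authorized. Power restoration deliberately lands in SAFE rather than in whatever state preceded the outage.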

7.4.3 Final control element requirements

7.4.3.1 A control valve from the BPCS shall not be used as the only final element for SIL 3. A safety review shall be required to use a single BPCS control valve as the only final element for SIL 1 and 2.

7.4.3.2 Motor starters
Motor starters are typically common to both the BPCS and the SIS unless the Process Hazards Analysis dictates otherwise (see B.3 for guidance).

7.5 Interfaces

This section addresses all human-machine and communication interfaces to the SIS. These can include, but are not limited to
a) operator interface(s),
b) maintenance/engineering interface(s), and
c) communication interface(s).

7.5.1 Operator interface requirements

Operator interface refers to that media (e.g., CRTs, indicating lights, push-buttons, horns, alarms, etc.) used to communicate information between the operator and the SIS.

7.5.1.1 The operator interface system design shall take into consideration the loss of the SIS operator interface and the resulting requirements as defined by appropriate safety review. The design shall ensure that, upon failure of the SIS operator interface, sufficient alternate means shall be provided for the operator to bring the process to a safe state and that the automatic functions of the SIS are not compromised.

7.5.1.2 The SIS status information that is critical to maintaining the SIL shall be available as part of the operator interface. This information may include
a) where the process is in its sequence,
b) indication that SIS protective action has occurred,
c) indication that a protective function is bypassed,
d) indication that automatic action(s) such as degradation of voting and/or fault handling has occurred,
e) status of sensors and final control elements,
f) the loss of energy where that energy loss impacts safety,
g) the results of comparison diagnostics, and
h) failure of environmental conditioning equipment that is necessary to support the SIS.
For additional information, see B.10.

7.5.1.3 Changes to the SIS application software shall not be allowed from the SIS operator interface. Where the SIS maintenance/engineering interface is used as the operator interface to the SIS, changes to application software from this interface shall require appropriate safety review and access security. For example, in batch systems a SIS may have different setpoints or logic functions depending on the recipe being used. For these types of applications, the operator interface may be used to select the appropriate logic function in the SIS or may be used to select recipe-specific tables. If so, the design shall provide a confirmation procedure to ensure the proper selection has been transmitted and received in the SIS.

7.5.2 Maintenance/Engineering interface requirements

Maintenance/Engineering interface is that media provided to allow proper SIS maintenance, such as programming panels, programming terminals, test devices, bypass devices, and calibration devices. It can include instructions and diagnostics that may be found in software.

7.5.2.1 The design of SIS maintenance/engineering interface shall ensure that any failure of this interface shall not adversely affect the ability of the SIS to bring the process to a safe state. This may require disconnecting of maintenance/engineering interfaces during normal SIS operation.

7.5.2.2 The maintenance/engineering interface shall provide the following functions:
a) Access security protection to the SIS operating mode (e.g., program, test, bypass, data)
b) Access to SIS diagnostic, voting and fault handling services
c) Access to add, delete, or modify application software
d) Access to data necessary to troubleshoot the SIS

7.5.3 Communication interface requirements

Communication interface refers to hardware and software communication between the SIS and other devices such as the operator interfaces, maintenance/engineer interfaces, BPCS, diagnostic tools, network or peripherals.

7.5.3.1 The design of the communication interface of the SIS shall ensure that any failure of the communication interface shall not adversely affect the ability of the SIS to bring the process to a safe state. There may be some safety-related information that needs to be transmitted from the BPCS to the SIS. For such applications, use only SIS systems that offer the ability to selectively allow writing to a SIS variable that is accessible to the BPCS (see B.8 for additional guidance). Enabling and disabling the read-write access shall be done only by a configuration or programming process using the Maintenance/Engineering Interface with appropriate documentation and security measures. An Operator Interface shall not be allowed to perform this function.

7.5.3.2 Communication signals shall be isolated from other energy sources through the use of good engineering practices, such as the use of shielded cable while maintaining a single ground plane with a single dedicated power source, or the use of fiber optics.
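The access rules of 7.5.2.2 a) and 7.5.3.1 (BPCS writes only to explicitly enabled SIS variables; the enable itself only through a configuration process on the maintenance/engineering interface, never from the operator interface) can be checked with a small gate model. The following Python is an added illustration, not code from ANSI/ISA-S84.01 or from any SIS product; the interface and mode enumerations, the tags LSH_101_SP and RECIPE_ID, the audit-line format and the change reference "MOC-0001" are all constructed for the example.

```python
"""Selective BPCS write access to SIS variables (added illustration).

Not code from ANSI/ISA-S84.01 or any product. It models 7.5.3.1: only SIS
variables that have been explicitly enabled may be written from the BPCS, and
the enable/disable itself is done only by a configuration process through the
maintenance/engineering interface, never from the operator interface, with the
reason recorded. Access security on the operating mode follows 7.5.2.2 a).
Interface names, the tags LSH_101_SP and RECIPE_ID, the audit format and the
change reference "MOC-0001" are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Interface(Enum):
    OPERATOR = "operator"
    MAINTENANCE = "maintenance/engineering"
    BPCS = "bpcs"


class Mode(Enum):
    RUN = "run"
    CONFIG = "config"  # configuration/programming process (7.5.3.1)


class AccessDenied(Exception):
    pass


@dataclass
class SisVariable:
    value: float
    bpcs_writable: bool = False  # default: readable by the BPCS, never writable


@dataclass
class SisCommsGate:
    variables: dict
    mode: Mode = Mode.RUN
    audit: list = field(default_factory=list)

    def enter_config(self, via, credential_ok):
        """7.5.2.2 a): the operating mode is access-protected and changed only
        from the maintenance/engineering interface."""
        if via is not Interface.MAINTENANCE or not credential_ok:
            self.audit.append(f"DENY mode change via {via.value}")
            raise AccessDenied("configuration mode needs the maintenance/engineering interface")
        self.mode = Mode.CONFIG
        self.audit.append("mode -> CONFIG")

    def leave_config(self):
        self.mode = Mode.RUN
        self.audit.append("mode -> RUN")

    def set_bpcs_write_enable(self, tag, enabled, via, reason):
        """7.5.3.1: enabling or disabling read-write access is a configuration
        step on the maintenance/engineering interface, documented by a reason."""
        if via is not Interface.MAINTENANCE or self.mode is not Mode.CONFIG:
            self.audit.append(f"DENY write-enable {tag} via {via.value} in mode {self.mode.value}")
            raise AccessDenied("write enable only via maintenance/engineering interface in CONFIG")
        self.variables[tag].bpcs_writable = enabled
        self.audit.append(f"write-enable {tag}={enabled} reason={reason!r}")

    def write(self, tag, value, via):
        """A write arriving over the communication interface."""
        var = self.variables[tag]
        if via is Interface.OPERATOR:
            # 7.5.1.3 / 7.5.3.1: the operator interface neither changes
            # application data here nor performs the enable function.
            self.audit.append(f"DENY operator write {tag}")
            raise AccessDenied("operator interface cannot write SIS variables")
        if via is Interface.BPCS and not var.bpcs_writable:
            self.audit.append(f"DENY BPCS write {tag} (not enabled)")
            raise AccessDenied(f"{tag} is read-only for the BPCS")
        var.value = value
        self.audit.append(f"write {tag}={value} via {via.value}")


def _attempt(action):
    """Run an action; True if accepted, False if the gate refused it."""
    try:
        action()
        return True
    except AccessDenied:
        return False


def run_write_scenario():
    """Constructed scenario; returns the outcome of each attempt and the gate."""
    gate = SisCommsGate({"LSH_101_SP": SisVariable(90.0),  # trip setpoint: stays read-only
                         "RECIPE_ID": SisVariable(0)})    # recipe selector the BPCS may set
    results = {
        "bpcs_write_before_enable": _attempt(lambda: gate.write("RECIPE_ID", 3, Interface.BPCS)),
        "operator_enable": _attempt(lambda: gate.set_bpcs_write_enable(
            "RECIPE_ID", True, Interface.OPERATOR, "attempt from operator screen")),
        "maint_enable_in_run": _attempt(lambda: gate.set_bpcs_write_enable(
            "RECIPE_ID", True, Interface.MAINTENANCE, "not in a configuration process")),
    }
    gate.enter_config(Interface.MAINTENANCE, credential_ok=True)
    gate.set_bpcs_write_enable("RECIPE_ID", True, Interface.MAINTENANCE, "MOC-0001 (constructed)")
    gate.leave_config()
    results["bpcs_write_after_enable"] = _attempt(lambda: gate.write("RECIPE_ID", 3, Interface.BPCS))
    results["bpcs_write_setpoint"] = _attempt(lambda: gate.write("LSH_101_SP", 50.0, Interface.BPCS))
    return results, gate


if __name__ == "__main__":
    outcome, g = run_write_scenario()
    print(outcome)
    print("\n".join(g.audit))
```

Two design choices carry the requirement: the writable flag lives on the variable, so the default for every SIS variable is read-only toward the BPCS, and the flag can only be flipped inside CONFIG mode, which the operator interface has no way to enter. The audit list is where the "appropriate documentation" of 7.5.3.1 would be recorded; the refused attempts are logged as well so that they can be reviewed.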

7.6 Power sources

The design shall ensure that each power source meets the needs of the SIS as specified in the Safety Requirement Specifications (see B.7 for guidance).

7.7 System environment

The system environment must be addressed to ensure proper SIS operation.

7.7.1 All environmental conditions to which the SIS will be exposed and the operating environmental specifications for all components of the SIS shall be considered in the system design. This may require consideration of the following: temperature, humidity, contaminants, grounding, Electro Magnetic Interference/Radio Frequency Interference (EMI/RFI), electrical area classification, electrostatic discharge, shock/vibration, flooding, etc.

7.7.2 The system design shall take specific steps to resolve all differences between the environmental conditions and equipment specifications in a manner that will allow the SIS to perform in accordance with the Safety Requirement Specifications, such as installing heating, ventilation/air conditioning equipment, and/or air filtration.

7.8 Application logic requirements

7.8.1 Application logic for electrical systems

7.8.1.1 Only application logic under the control of a formal revision and release control program shall be provided and considered for use on a SIS.

7.8.1.2 The application logic formal revision and release control program shall be provided and maintained by the user.

7.8.1.3 The user shall ensure the application logic is documented in a clear, precise, and complete way (see B.14 for guidance).

7.8.2 Application logic for electronic system

7.8.2.1 Only application logic under the control of a formal revision and release control program shall be provided and considered for use on a SIS.

7.8.2.2 The application logic formal revision and release control program shall be prov
ided and maintained by the user.

7.8.2.3 The user shall ensure the application logic is documented in a clear, precise, and complete way (see B.14 for guidance).

7.8.3 Application logic for PES

Software discussed in this subclause addresses the SIS applications. Embedded and utility software is discussed as far as it impacts application software.

7.8.3.1 Only software under the control of a formal revision and release control program shall be provided and considered for use on a SIS.

7.8.3.2 The embedded software and utility software formal revision and release control programs shall be provided and maintained by the SIS manufacturer(s). The manufacturer(s) shall also provide and maintain a bug list and advise customers of any software faults which may lead to a failure to function on demand.

7.8.3.3 The user shall not modify the SIS embedded or utility software, except as noted.

7.8.3.4 The user shall ensure the application software is documented in a clear, precise, and complete way (see B.14 for guidance).

7.8.3.5 The application software formal revision and release control programs shall be maintained by the user.

7.8.3.6 Forcing of inputs and outputs shall not be used as a part of:
a) application software,
b) operating procedure(s), and
c) maintenance.
Forcing of inputs and outputs without taking the SIS out of service shall not be allowed unless supplemented by procedures and access security. Any such forcing shall be annunciated or alarmed.

7.9 Maintenance or testing design requirements

7.9.1 The design shall allow for testing of the overall system. Where the interval between scheduled process downtime is greater than the functional test interval, then on-line testing facilities are required. It shall be possible to test final element actuation in response to sensor operation.

7.9.2 When on-line functional testing is required, test facilities shall be an integral part of the SIS design to test for covert failures.

7.9.3 When test and/or bypass facilities are included in the SIS, they shall conform with the following:
a) SIS shall be designed in accordance with the maintenance and testing requirements defined in the Safety Requirement Specifications.
b) The operator shall be alerted to the bypass of any portion of the SIS via an alarm and/or operating procedure.
c) Bypassing of any portion of the SIS shall not result in the loss of detection and/or annunciation of the condition(s) being monitored.

8 Installation, commissioning, and pre-startup acceptance test

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

8.1 Objective

8.1.1 The objective of this clause is to ensure that the Safety Instrumented Systems (SIS) is installed per the detail design and performs per the Safety Requirement Specifications.

8.1.2 Any modification or change to SIS-specific equipment during installation, commissioning, or Pre-Startup Acceptance Test (PSAT) shall require a return to the appropriate phase (the one first affected by the change) of the Safety Life Cycle.

8.2 Installation

8.2.1 All equipment shall be installed per the design.

8.3 Commissioning

8.3.1 Commissioning ensures the SIS is installed per the detailed design and is ready for the Pre-Startup Acceptance Test.

8.3.2 The SIS commissioning activities shall include, but may not be limited to, confirmation that the following are installed per the detailed design documents and are performing as specified in the Safety Requirement Specifications:
a) Equipment and wiring are properly installed.
b) Energy sources are operational.
c) All instruments have been properly calibrated.
d) Field devices are operational.
e) Logic solver and Input/Output are operational.

8.4 Pre-Startup Acceptance Test (PSAT)

8.4.1 A PSAT provides a full functional test of the SIS to show conformance with the Safety Requirement Specifications. The PSAT shall include, but may not be limited to, confirmation of the following:
a) SIS communicates (where required) with the Basic Process Control System or any other system or network.

b) Sensors, logic, computations, and final control elements perform in accordance with Safety Requirement Specifications.
c) Safety devices are tripped at the setpoints as defined in the Safety Requirement Specifications.
d) The proper shutdown sequence is activated.
e) The SIS provides the proper annunciation and proper operation display.
f) The accuracy of any computations that are included in the SIS.
g) That the system total and partial reset functions as planned.
h) Bypass and bypass reset functions operate correctly.
i) Manual shutdown systems operate correctly.
j) Test interval is documented in maintenance procedures consistent with SIL requirements.
k) SIS documentation is consistent with actual installation and operating procedures.

8.4.2 A PSAT shall be satisfactorily completed prior to the introduction of hazards the SIS is designed to prevent or mitigate.

8.4.3 Accuracy of calibration of test instruments used in the PSAT shall be consistent with the application. For example, the margin between the SIS setpoint and the hazardous process condition may be used to determine the required accuracy.

8.4.4 Documentation to substantiate completion of the Commissioning and PSAT shall be completed prior to the introduction of hazards the SIS is designed to prevent or mitigate. As a minimum, this documentation shall include the following:
a) Identification of the SIS that has been tested
b) Confirmation that Commissioning is complete
c) Date the PSAT was performed
d) Reference to the procedures used in the PSAT
e) Authorized signature that indicates PSAT has been satisfactorily completed

9 SIS operation and maintenance

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

9.1 Objective

The objective of this clause is to ensure that the Safety Instrumented Systems (SIS) functions in accordance with the Safety Requirement Specifications throughout the SIS operational life.

9.2 Training

9.2.1 Employees involved in the operation and maintenance activities of the SIS shall be properly trained.

9.2.2 Employee training shall adhere to requirements specified in applicable regulation(s) (e.g., OSHA 29CFR1910.119, Reference C.11).

9.3 Documentation

The user shall have appropriate documentation (as noted in each Clause 9 subsection) and shall keep the documentation current (see B.14 for guidance).

9.4 SIS operating procedures

Operating procedures shall be written to explain the safe and correct methods of operating the SIS. These procedures are typically part of the unit operating procedures. These procedures should include, but not be limited to, the following:
a) Limits of safe operation (i.e., trip points) and the safety implications of exceeding them
b) How the SIS takes the process to a safe state
c) The correct use of operational bypasses, permissives, system reset, etc. (where required)
d) The correct response to SIS alarms and trips

9.5 Maintenance program

9.5.1 A maintenance program shall be established, which includes written procedures for maintaining, testing, and repairing the SIS.

9.5.2 SIS maintenance shall include, but not be limited to, the following:
a) Regularly scheduled functional testing of the SIS
b) Regularly scheduled preventative maintenance, as required (e.g., battery replacement, replacement of ventilation filters, lubrication, etc.)
c) Repair of detected faults, with appropriate testing after repair

9.5.3 The user shall have a periodic inspection program for the SIS to detect equipment faults, hardware degradation, software reliability, defects, etc.

9.6 Testing, inspection, and maintenance

9.6.1 Vendor manuals that describe the SIS maintenance and testing requirements (e.g., calibration, battery maintenance, fuse replacement) may be included in the maintenance procedures.

9.6.2 Bypassing may be necessary. If the process is hazardous while a SIS function is being bypassed, administrative controls and written procedures shall be provided to maintain the safety of the process.

9.6.3 Any change to the application logic requires full functional testing. Exceptions to this are allowed if appropriate review and partial testing of changes are done to ensure the SIL has not been compromised.

9.7 Functional testing

Not all system faults are self revealing. Covert faults that may inhibit SIS action on demand can only be detected by testing the entire system.

9.7.1 Periodic Functional Tests shall be conducted using a documented procedure (see 9.7.4.1) to detect covert faults that prevent the SIS from operating per the Safety Requirement Specifications.

9.7.2 The entire SIS shall be tested including the sensor(s), the logic solver, and the final element(s) (e.g., shutdown valves, motors). Note that different portions of the SIS may require different periodic test intervals.

9.7.3 Frequency of functional testing

9.7.3.1 The SIS shall be tested at specific intervals based on the frequency specified in the Safety Requirement Specifications (see B.15 for guidance).

9.7.3.2 At some periodic interval (determined by the user), the frequency(s) of testing for the SIS or portions of the SIS shall be re-evaluated based on historical data, plant experience, etc.

9.7.4 Functional testing procedures

9.7.4.1 A documented functional test procedure, describing each step to be performed, shall be provided for each SIS.

9.7.4.2 Any deficiencies found during the functional testing shall be repaired in a safe and timely manner.

9.7.4.3 The functional testing procedures shall include, but not be limited to, verifying the following:
a) Operation of all input devices including primary sensors and SIS input modules
b) Logic associated with each input device
c) Logic associated with combined inputs
d) Trip initiating values (setpoints) of all inputs
e) Alarm functions
f) Speed of response of the SIS when necessary
g) Operating sequence of the logic program
h) Function of all final control elements and SIS output modules
i) Computational functions performed by the SIS
j) Function of the manual trip to bring the system to its safe state
k) Function of user diagnostics
l) Complete system functionality
m) The SIS is operational after testing.

9.7.5 On-line functional testing

9.7.5.1 Procedures shall be written to allow on-line functional testing (if required).

9.7.5.2 For those applications where exercising the final trip element may not be practical, the procedure shall be written to include
a) testing the final element during unit shut down, and
b) exercising the output(s) as far as practical (e.g., output trip relay, shut down solenoid, partial valve movement) during on-line testing.

9.8 Documentation of functional testing

9.8.1 A description of all tests performed shall be documented. The user shall maintain records to certify that tests and inspections have been performed.

9.8.2 Documentation shall include the following information as a minimum:
a) Date of inspection
b) Name of the person who performed the test or inspection

c) Serial number or other unique identifier of equipment (loop number, tag number, equipment number, user approved number, etc.)
d) Results of inspection/test ("as-found" and "as-left" condition)

10 SIS Management Of Change (MOC)

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

10.1 Objective

The objective of this clause is to ensure that the management of change requirements are addressed in any changes made to an operating SIS. The MOC Procedure could be required as a result of
a) modification to the operating procedure,
b) modification necessary because of new or amended safety legislation,
c) modifications to the process,
d) modification to the Safety Requirement Specifications,
e) modifications to fix software or firmware errors,
f) modifications to correct systematic failures,
g) modification as a result of a failure rate higher than desired,
h) modifications resulting from increased demand rate on the SIS, and
i) modifications to software (embedded, utility, application).

10.2 MOC procedure

10.2.1 A written procedure shall be in place to initiate, document, review the change, and approve changes to the SIS other than "replacement in kind" (e.g., OSHA 29 CFR 1910.119, Section "B") (see Reference C.11 for guidance).

10.2.2 The MOC procedure shall ensure that the following considerations are addressed prior to any change:
a) The technical basis for the proposed change
b) Impact of change on safety and health
c) Modifications for operating procedures

d) Necessary time period for the change
e) Authorization requirements for the proposed change
f) Availability of memory space
g) Effect on response time
h) On-line versus off-line change, and the risks involved

10.2.3 The review of the change shall ensure
a) that the required safety integrity has been maintained, and
b) personnel from appropriate disciplines have been included in the review process.

10.2.4 Personnel affected by the change shall be informed of the change and trained prior to implementation of the change or startup of the process, as appropriate.

10.2.5 All changes to the SIS shall initiate a return to the appropriate phase (first phase affected by the modification) of the Safety Life Cycle. All subsequent Safety Life Cycle phases shall then be carried out, including appropriate verification that the change has been carried out correctly and documented. Implementation of all changes (including application software) shall adhere to the previously established SIS design procedures.

10.3 MOC documentation

10.3.1 All changes to operating procedures, process safety information, and SIS documentation (including software) shall be noted prior to startup and updated accordingly.

10.3.2 The documentation shall be appropriately protected against unauthorized modification, destruction, or loss.

10.3.3 All SIS documents shall be revised, amended, reviewed, approved, and be under the control of an appropriate document control procedure.

11 Decommissioning

NOTE — THIS CLAUSE IS PART OF THIS STANDARD AND CONTAINS MANDATORY REQUIREMENTS.

11.1 Objective

11.1.1 To ensure proper review prior to permanently retiring a Safety Instrumented Systems (SIS) from active service.

11.2 General

11.2.1 Management of Change procedures shall be implemented for all decommissioning activities (see Clause 10).

11.2.2 The impact of decommissioning an SIS on adjacent operating units and facility services shall be evaluated prior to decommissioning.

12 Differences

NOTE — THIS CLAUSE IS PART OF THIS STANDARD. IT ILLUSTRATES THE KEY DIFFERENCES BETWEEN ISA-S84.01 AND IEC DRAFT PUBLICATION 1508.

Generally, ISA-S84.01 varies from IEC draft Publication 1508-1995. These differences are discussed in 12.1 Terminology, 12.2 Organizational, and 12.3 Technical, and are based on the comparison of published S84.01 to a 1995 version of IEC draft Publication 1508 that is undergoing much change. This clause only compares the normative portion (i.e., Parts 1, 2, 3, and 4) of IEC draft Publication 1508 to ISA-S84.01. When IEC draft Publication 1508, Parts 1 through 7, is published, the SP84 committee will revisit Clause 12 then revise and reissue S84.01, if required.

The modes of operation in which a Safety Instrumented Systems is intended to be used are classified as follows:
a) Demand Mode: SIS designed to attain appropriate probability of failure to perform its design function on demand
b) Continuous Mode: SIS designed to attain appropriate probability of a dangerous failure per year (e.g., Avionics). This standard does not address this continuous mode of operation.

12.1 Terminology

IEC draft Publication 1508 (Part 4): E/E/PES Safety Related System
ISA-S84.01: SIS
Comment: IEC draft Publication 1508 refers to Safety Related Systems utilizing all technologies, while S84.01 refers only to technologies utilizing Safety Instrumented Systems.

IEC draft Publication 1508 (Part 4): PES
ISA-S84.01: PES
Comment: IEC draft Publication 1508 "PES" includes sensors & final control elements, while S84.01 "PES" does not include sensors & final control elements.

IEC draft Publication 1508 (Part 4): EUC
ISA-S84.01: Process
Comment: IEC draft Publication 1508 uses "equipment under control" as a generic term for the process S84.01 uses.

IEC draft Publication 1508 (Part 4): Assessment
ISA-S84.01: PSSR
Comment: IEC draft Publication 1508 refers to assessment where S84.01 refers to verifications and pre-startup safety review (PSSR).

IEC draft Publication 1508 (Part 4): Functional Requirements Specification
ISA-S84.01: Safety Requirement Specifications
Comment: IEC draft Publication 1508 refers to functional requirements specification, while S84.01 refers to Safety Requirement Specifications.

12.2 Organizational differences

ISA-S84.01 is prepared by instrumentation personnel for ISA, the international society for measurement and control, and American National Standards Institute (ANSI). As such, it does not detail information of process hazards reviews and those issues presently mandated by U.S.A. regulations such as OSHA 29 CFR 1910.119. The result is training, personnel certification, management of change, and process hazards reviews are only briefly discussed and references provided. IEC draft Publication 1508 discusses these issues in greater depth.

IEC draft Publication 1508 Part 1: Specifies the requirements for achieving functional safety of external risk reduction facilities
ISA-S84.01: Does not specify external risk reduction facilities requirements for achieving functional safety

IEC draft Publication 1508 Part 1: Applies to the total combination of safety related systems and external risk reduction facilities
ISA-S84.01: Applies only to E/E/PES safety related systems (e.g., SIS)

IEC draft Publication 1508 Part 1: Applies Safety Integrity Levels (SIL) to external risk reduction facilities
ISA-S84.01: Does not apply Safety Integrity Levels (SIL) to external risk reduction facilities

IEC draft Publication 1508 Part 1: Mandates the use of ISO 9000 Series of Quality Systems or equivalent
ISA-S84.01: Does not mandate the use of ISO 9000 Series of Quality Systems

IEC draft Publication 1508 Part 1: Mandates the use of Tables in IEC draft Publication 1508 that specify "minimum level of independence of person, department, organization"
ISA-S84.01: Does not mandate the use of IEC draft Publication 1508 Tables

IEC draft Publication 1508 Part 1: Mandates the documentation of rationale for not implementing "Highly Recommended" measures or techniques in IEC draft Publication 1508
ISA-S84.01: Does not mandate documentation of reasons for using a different implementation scheme

IEC draft Publication 1508 Part 1: Mandates the use of a Safety Plan (see details that follow) (4.1)
ISA-S84.01: Mandates documentation consistent with OSHA 1910.119, Reference C.11. Safety Plan not required

IEC draft Publication 1508 Part 1: Mandates adhering to respective Measures and Techniques
ISA-S84.01: Does not mandate adhering to any specific measure or technique. Does mandate use of good engineering practice (4.2)

IEC draft Publication 1508 Part 1: Mandates ISO 9000 procedures plus IEC draft Publication 1508 requirements be implemented for all aspects of the Safety Life Cycle
ISA-S84.01: Does not mandate the use of ISO 9000

IEC draft Publication 1508 Part 1: Defines "Safety Management" activities during the whole Safety Life Cycle
ISA-S84.01: Does not address management issues, except management of change

IEC draft Publication 1508 Part 1: Mandates adhering to each step in the Safety Life Cycle and providing a documented Safety Plan defining deviations. Mandates each phase of the overall Safety Life Cycle be divided into elementary tasks with well defined input, scope, output activity for each, and documented. Mandates that each phase of the overall Safety Life Cycle be followed by planned verification activity, documented with design review, testing, and analysis of results
ISA-S84.01: Mandates commissioning and Pre-Startup Acceptance Test (PSAT) of the SIS with appropriate documentation (see 8.3 & 8.4)

IEC draft Publication 1508 Part 1: Mandates witnessing tests to ensure compliance with this standard (5)
ISA-S84.01: Does not mandate witnessing tests to ensure compliance

IEC draft Publication 1508 Part 1: Addresses "Competence of Persons" by providing detailed requirements in addition to ISO 9000
ISA-S84.01: Refers "Competence of Persons" to OSHA 1910.119, Reference C.11

ISA-S84.01: Does not address conceptual process design, process hazard and risk analysis, non-SIS protection layers, need for a SIS and determining required SIL. SP84 requires that these activities be completed prior to implementation of SP84

verification plan.5....13) Mandates overall modification and retrofit issues Mandates decommissioning log.2. functional safety assessment plan and report.4 7. SIL 4 development is not normally found in the process industries.to be defined 12.5.9) Provides installation mandates (7.4) Defines Hazard and Risk Analysis and mandates implementation methodology and documentation (7. IEC draft Publication 1508 refers to the EUC control system. 2.`.2. The Instrumentation.2.`.2..2) Requires process conceptional design information and overall process concept description (7.8) Validation includes external risk (7.3 7.2 7.01-1996 . levels of independence Addresses documentation for all phases Parts 2 and 3 are normative Refer to Management of Change in OSHA1910....`--- All Safety Functions Level of Safety Specifies Risk Reduction Method (7.01 does not address Safety Integrity Level (SIL) 4 other than recognizes its existence...`-`-`.01 The method for accomplishing this is outside the scope of this standard The method for accomplishing this is outside the scope of this standard --``.3 Technology differences IEC draft Publication 1508 SIL 1. while S84. and Automation Society 46 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 3 Comment S84.7 7.1) Safety requirements allocation is PHA oriented and has external risk reduction facilities (7. User=.5. Equipment Under Control (EUC) control system excluding the safety controls Basic Process Control System (BPCS) COPYRIGHT 2003.`.6. 3.``.2. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584.. ANSI/ISA-S84.5..6 7.5 S84.5) Mandates: Risk Reduction Items: 7.5.14) reduction (7.`. Reference C.119.2.3) Requires EUC definition documented in this overall scope definition description (7.`.IEC draft Publication 1508 Part 1 (7.01 refers to the BPCS.01 SIL 1. 
4 ISA-S84..11 Does not mandate these requirements Only addresses SIS documentation Parts 2 and 3 type information is part normative and part informative -.``.15) maintenance planning includes external risk reduction systematic analysis (7.````.5. Systems. 2.7) Overall operator and (7.

Annex A (Informative) — Information and examples illustrating methods for determining Safety Integrity Level (SIL) for a Safety Instrumented System (SIS)

NOTE — THIS ANNEX IS NOT A REQUIREMENT OF THIS STANDARD. IT IS PROVIDED FOR INFORMATION ONLY.

A.1 Introduction

This annex provides four examples of methods for determining SIL as part of process safety activities. Regardless of the method used to select SIL, it is done as part of process safety activities. The team involved in making SIL decisions consists of participants with certain types of expertise. It is generally appropriate to include the following expertise and qualifications on the process safety team:

a) Ownership — those who have direct responsibility for operating the equipment
b) Process Knowledge — an understanding of the basic science and technology involved in the process and equipment operation
c) Design Knowledge — how the equipment or process should work, what process variables actuate it, and what final process actions it takes, particularly instrumentation for complex control systems
d) Operating Experience — those with direct "hands on" operating and maintenance experience
e) Others — skill in running process hazards reviews and other appropriate knowledge as needed

Four example SIL determination methods were selected to illustrate the variety of approaches. These and additional methods are described in the references. The consequences only method exemplifies a straight-forward SIL selection method that involves adoption of some very conservative safety premises. To illustrate a qualitative risk evaluation SIL determination method, a modified HAZOP method was chosen. A simple matrix method was chosen to briefly present the key factors, recognizing that many more comprehensive matrix methods are available. Quantitative risk assessment methods are represented by describing how a fault tree analysis can be used to determine SIL. The four SIL determination methods are applied to an example in only enough detail to show conceptually how SIL can be determined. These examples provide only general information on the range and types of approaches for determining SIL. This annex does not provide enough information to adequately understand the use of any method, and it does not indicate or imply any safety criteria, or recommend any particular approach. Determining where a SIS is appropriate, and details on how to use and understand these SIL determination methods, and others, are beyond the scope of this annex.

As described in Clause 4 of the standard, determination of Safety Integrity Level (SIL) for a Safety Instrumented System (SIS) is a part of process safety activities. Process safety activities, which include consequence analysis and process hazards reviews (References C.14 and C.15), have the objective of helping to assure that the process will be safe to operate. Hazards, as part of these activities, are identified. As the team learns the process and how hazardous events can occur, means to control the risk and potential consequences are decided upon. Risk control and risk reduction decisions are made on many process safety features of the process. These include items such as basic process design, over-pressure protection, procedures, etc., and SIS.

As depicted in the Safety Life Cycle (see Figure 4.1), steps 2, 3, 4, 5, and 6 summarize the process safety concepts involved in determining SIL. These life cycle steps are as follows:

f) Step 2 - Evaluate consequences and likelihood for hazardous events
g) Step 3 - Evaluate preventive, protective and mitigating process safety features for these events, other than SIS
h) Step 4 - Decide if a SIS is appropriate for this application
i) Step 5 - Determine target SIL for the SIS
j) Step 6 - Determine other process safety-related specifications and design criteria

A.2 Safety Integrity Level (SIL) considerations and the process example

Safety Integrity Level (SIL) is a basic concept in this standard. SIL defines the level of safety performance for a SIS. SILs are defined as 1, 2, or 3. The higher the SIL, the better the safety performance of the SIS. Better SIS performance is achieved by higher availability of the safety function. SIS performance is improved by the addition of redundancy, more frequent testing, use of diagnostic fault detection, etc. As described in this standard and ISA-dTR84.02 (Reference C.2), there are many ways to implement SIS to achieve a specified SIL. Some understanding of how the three SIL levels will be implemented, including what is needed to achieve the different SIL, is important for the process safety team making the SIL determinations. With an understanding of the important safety aspects of the SIS, the team helps to ensure that the process design and operation do not compromise performance of the SIS; the team should understand how the SIS will perform its safety function. Figure A.1 conceptually shows how the three SIL will be implemented in the example application. The implementation depicted in Figure A.1 is specific to this example.

Figure A.2 depicts a simplified piping and instrumentation diagram for the process example. A high pressure vapor is used to control pressure in a low pressure system. The low pressure system is protected from over-pressure by a) a pressure relief valve, b) a pressure control system, and c) an operator response to a high pressure alarm.

Protection of the low pressure system is achieved by stopping flow from the high pressure system, or by the pressure relief valve opening. The consequence of over-pressuring the low pressure system is rupture of the low pressure vessel. The process safety team has identified a potential SIS to prevent over-pressure from occurring in the low pressure system. The SIS would be implemented by sensing pressure and closing valves for the different SIL, with sensors, final elements, and logic solvers arranged as shown in Figure A.1. Figure A.2 simply illustrates the process and is not intended to depict any specific SIL requirements.

Figure A.1 — Company ABC, Site XX, specific SIL implementation techniques (example only)

[Figure A.1, panels A.1a to A.1d, is not reproduced here. Each panel shows the Sensor, Logic Solver and Actuator arrangement for one Safety Integrity Level: the SIL 1 and SIL 2 panels show a single sensor tag with a logic solver, the two SIL 3 panels show two sensor tags (Notes 1 and 2), and Figure A.1d shows logic solver(s) as required to meet SIL.]

Notes:
1) Sensors, logic solvers, and/or final elements may be redundant as safety availability requirements dictate.
2) The performance of two identical SIL 1 SIS's may not equal that of one SIL 3 SIS.

A.3 Example methods for selecting SIL

In the following sections, four different methods will be described for selecting SIL for this high pressure shutdown SIS.

Figure A.2 — Process example

A.3.1 Example method - the safety layer matrix (Reference C.1)

The method is based on a qualitative understanding of the process risk. The method uses a qualitative matrix, shown in Figure A.3, that requires an evaluation of all the initiating events that could lead to the consequences. Use of the matrix requires qualitative evaluation of the severity of the consequences, or impact of harm, for hazardous events the SIS is protecting against, that could occur if the SIS and other protection did not stop an initiating event from proceeding to completion. The matrix also requires an evaluation of the likelihood of occurrence for all the initiating events that could lead to consequences. The third axis of the matrix requires a qualitative evaluation of the effectiveness of other protection layers, other than the SIS under consideration. Layers, other than the SIS, are evaluated for their effectiveness in preventing the initiating events from leading to consequences. Qualitative guidance for determining the range of low to high values for the matrix inputs is specific to many considerations such as company guidance, the nature of the process, local factors, etc. The matrix used here is strictly for illustrative purposes. Matrixes actually used will be company dependent.

The process safety team felt that the severity was moderate for this example. The process safety team felt the likelihood was moderate for this example. The process safety team felt the effectiveness was between low and medium for this example. This judgement was based on the need for extremely rapid operator response and the tendency for the pressure relief valve to plug. Using these qualitative evaluations, the matrix indicates SIL 2 for the high pressure shutdown system.

Figure A.3 — Company ABC, Site XX, example of a qualitative matrix for determining SIL

[Figure A.3, the matrix itself, is not reproduced here.]

A.3.2 Example method - the consequences only method

This method has fewer steps than many other methods and only requires evaluation of the severity of consequences possible if the SIS and other protection fails. It requires a qualitative evaluation, primarily identification of all the different initiating events and their potential consequences, and requires a qualitative evaluation of potential consequences. The process safety team felt this method should be used because it could expedite SIL decisions by reducing the time spent on evaluations. The possible trade-off was that the design selection of SIL could be higher than predicted by use of other SIL selection methods. The team preferred to save time that would be spent on risk evaluations and to incur the potential cost penalties imposed by selecting a higher SIL than might otherwise result. Erring on the side of designing a higher than necessary SIL level was felt to be conservative by this team. Money spent on equal or better safety performing SIS was felt to be a good investment in safety.

The method only requires an evaluation of the severity of consequences, should the SIS and other protective safety items fail. Since this is a conservative method, this particular plant decided to simplify the SIL selection process from three SIL choices to two SIL choices. This was done by selecting only SIL 1 or SIL 3 designs. If the consequences are above a base threshold, then a SIL 1 is selected. If they are above a "major" severity criteria, then a SIL 3 is selected. These two severity levels were defined to include injuries, property damage, and environmental impact specific to this process. Risk was addressed in setting these guidelines by the underlying assumption that the frequency of occurrence of initiating events for all SIS applications was assumed to be frequent, or "likely." The team evaluated the severity of consequences for the high pressure shutdown SIS in the example and felt they exceeded the "major" criteria. Based on that evaluation, a SIL 3 was selected.

A.3.3 Example method - the modified HAZOP method

In order to determine the SIL, the modified HAZOP method includes the consideration of the severity of the consequences, their probability of occurrence, along with other risk-related factors, equipment reliability, and overall performance of the protective systems. Using an experienced leader in HAZOP methodology, the process segment is systematically analyzed using a set of guide words to identify process deviations that could lead to hazardous events. A spreadsheet format is used to associate the process deviation with a specific upset cause, such as a sensor failure. The upset cause is followed by the potential consequences of the upset, factors that prevent or protect against the consequences, the team's feeling for the likelihood of these upsets, and the action or judgement of the team on how to control the associated risk. The team decides on recommendations, or the adequacy of current risk controls, based on this evaluation process. Part of the modified HAZOP documentation for the example is summarized in Table A.1. The modified HAZOP team also identified operator error when in manual mode during startup as a cause of a high pressure upset. Based on the severity of the consequences, the team agreed a SIS was needed. Initially, a SIL 2 or 3 was considered by the team for further evaluation. The team considered safety and operation and maintenance costs, then determined that an SIL 2 SIS is more appropriate for this application.

Table A.1 — Modified HAZOP documentation example

PROCESS DEVIATION | CAUSE | CONSEQUENCES | PROTECTION
More Flow | Pressure control valve fails to open | Vessel rupture with potential injuries, property damage, and environmental damage | Relief Valve; Operator response to high pressure alarms; High pressure shutdown SIS
More Pressure | Pressure sensor fails, drifts to a false low pressure output | Same as More Flow | Same as More Flow, except the operator response is only triggered by a single high pressure signal

A.3.4 Example method - SIL determined from a fault tree

Based on the example vessel rupture hazard and several other major hazards in this process, a fault tree analysis was done for a large part of the process, which included the example. The fault tree quantitatively estimated the frequency of occurrence for explosive over-pressure rupture of several process vessels. Fault trees are logic diagrams that systematically display sequences of failures. Sequences of failures that begin with basic events, and lead to a defined "top" event, are diagramed. Failure rates and conditional failure probabilities are assigned to each basic event. Then the top event frequency of occurrence can be calculated. Specific risk reduction recommendations can be evaluated in terms of their effectiveness in reducing risk. The top event in this case is explosive over-pressure rupture of process vessels. The fault tree logic diagram can be analyzed to estimate the frequency of occurrence for the top event. Fault tree analysis is briefly described in Reference C.2, page 56, and extensively covered in Reference C.13.

The first step in using the fault tree to determine SIL for the example was to develop the fault tree logic diagram. The initial fault tree was based on the assumption of a high pressure shutdown SIS designed as shown in Figure A.1, i.e., a SIL 1 design. Then failure frequencies were estimated for initiating events, such as the pressure control valve failing to open. Appropriate failure information was determined for all the failure events associated with the example. A top event frequency for vessel rupture was then calculated. After reviewing the fault tree results, the team decided that the fault tree should be changed for evaluation of an SIL 2 and 3 design for this SIS. Subsequent results of this fault tree evaluation indicated a substantial safety improvement for the SIL 2 design versus the SIL 1 design. The top event vessel rupture frequency of occurrence decreased by a substantial percentage. A similar comparison of SIL 2 versus SIL 3 designs indicated only a small safety improvement; the top event frequency decreased only slightly. Based on these comparisons, the team selected SIL 2 for the high pressure shut down SIS. Details of the fault tree covering the example are too complex to describe or depict in this annex.
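The fault tree logic of A.3.4 applied to the over-pressure example, as an added worked example that is not part of the standard or its references: the tree is built from the Table A.1 initiating events and protection layers and evaluated for the SIL 1, SIL 2 and SIL 3 designs. Every failure rate and PFD, the SIL-to-PFD mapping, and the "unguarded paths" leaf are constructed assumptions for illustration.

```python
"""Fault tree evaluation for the Annex A over-pressure example.

Added worked example, not part of ANSI/ISA-S84.01. All numeric inputs are
constructed assumptions for illustration, not data from the standard.
"""
import math
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Basic:
    """Leaf node: an initiating-event frequency (per year) or the probability
    of failure on demand (PFD) of one protection layer."""
    name: str
    value: float


@dataclass(frozen=True)
class Gate:
    """Logic gate. AND: every input must occur; OR: any input suffices."""
    kind: str
    inputs: List["Node"]


Node = Union[Basic, Gate]


def evaluate(node: Node) -> float:
    """Return the frequency (or probability) of the event the node represents.

    AND multiplies its inputs: one demand frequency times the PFDs of the
    layers that must all fail gives the frequency of the outcome.
    OR sums its inputs (rare-event approximation, valid for small values).
    """
    if isinstance(node, Basic):
        return node.value
    values = [evaluate(child) for child in node.inputs]
    if node.kind == "AND":
        return math.prod(values)
    if node.kind == "OR":
        return sum(values)
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Assumed SIS PFD at each SIL (constructed: one decade apart, so that a
# higher SIL means a ten times smaller chance of failing on demand).
SIS_PFD_BY_SIL = {1: 1e-1, 2: 1e-2, 3: 1e-3}


def build_tree(sis_pfd: float) -> Gate:
    """Top event: explosive over-pressure rupture of the low pressure vessel.

    Initiating events and protection layers follow Table A.1; the numbers are
    constructed. The relief valve PFD reflects its tendency to plug and the
    operator PFDs the need for extremely rapid response, both noted in A.3.1.
    """
    relief_valve = Basic("pressure relief valve fails to open", 0.1)
    operator = Basic("operator fails to act on high pressure alarms", 0.3)
    operator_single = Basic("operator fails to act on a single high pressure signal", 0.6)
    sis = Basic("high pressure shutdown SIS fails on demand", sis_pfd)

    more_flow = Gate("AND", [
        Basic("pressure control valve fails to open (demands per year)", 0.5),
        relief_valve, operator, sis])
    more_pressure = Gate("AND", [
        Basic("pressure sensor drifts to a false low output (demands per year)", 0.2),
        relief_valve, operator_single, sis])
    startup_error = Gate("AND", [
        Basic("operator error in manual mode during startup (demands per year)", 0.1),
        relief_valve, operator_single, sis])
    # The annex's tree covered several vessels and hazards; this leaf stands
    # in for rupture paths that this SIS does not guard (constructed value).
    unguarded = Basic("other rupture paths not guarded by this SIS (per year)", 8e-4)
    return Gate("OR", [more_flow, more_pressure, startup_error, unguarded])


def top_event_frequency(sil: int) -> float:
    """Vessel rupture frequency per year with the SIS designed to the given SIL."""
    return evaluate(build_tree(SIS_PFD_BY_SIL[sil]))


def compare_sils() -> dict:
    """Frequency per SIL and the fractional reduction each SIL step buys."""
    freq = {sil: top_event_frequency(sil) for sil in (1, 2, 3)}
    reduction = {sil: 1.0 - freq[sil] / freq[sil - 1] for sil in (2, 3)}
    return {"frequency": freq, "reduction": reduction}


def lowest_sil_meeting(target_per_year: float):
    """Lowest SIL whose top event frequency is at or below the target, else None."""
    for sil in (1, 2, 3):
        if top_event_frequency(sil) <= target_per_year:
            return sil
    return None


if __name__ == "__main__":
    result = compare_sils()
    for sil in (1, 2, 3):
        f = result["frequency"][sil]
        note = f"  ({result['reduction'][sil]:.0%} lower than SIL {sil - 1})" if sil > 1 else ""
        print(f"SIL {sil}: vessel rupture {f:.2e} per year{note}")
```

With these inputs the SIL 1 to SIL 2 step removes about 72 % of the rupture frequency while SIL 2 to SIL 3 removes about 26 %, because the paths the SIS does not guard start to dominate; the same diminishing return is what led the annex's team to SIL 2.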

Annex B (Informative) — SIS design considerations

NOTE — THIS ANNEX IS NOT A REQUIREMENT OF THIS STANDARD. IT IS PROVIDED FOR INFORMATION ONLY.

This informative annex addresses design methods to meet SIL requirements. The following SIS design considerations are addressed:

B.1 Separation - identical or diverse
B.2 Redundancy - identical or diverse
B.3 Software design considerations
B.4 Technology selection
B.5 Failure rate and failure modes
B.6 Architecture
B.7 Power sources
B.8 Common cause failures
B.9 Diagnostics
B.10 Field devices
B.11 User interface
B.12 Security
B.13 Wiring practices
B.14 Documentation
B.15 Function test interval

B.1 Separation - identical or diverse

B.1.1 Separation between BPCS and SIS functions reduces the probability that both control and safety functions become unavailable at the same time, or that inadvertent changes affect the safety functionality of the SIS. Therefore, it is generally necessary to provide separation between the BPCS and SIS functions.

B.1.2 Identical separation is generally acceptable for SIL 1 applications. Diverse separation offers the additional benefit of reducing the probability of systematic faults (a factor especially important in SIL 3 applications) and reducing common cause failures (see B.8).

B.1.3 There are four areas where separation may be needed to meet the safety functionality and safety integrity requirements:

a) Application of field sensors
b) Application of final control elements

c) The logic solver
d) Communication between SIS and BPCS or other equipment

B.1.4 Each of these four areas should be evaluated to ensure that the required SIL is met.

B.1.5 Sensors

B.1.5.1 For SIL 1, a single sensor may be used for both BPCS and SIS, provided the safety integrity requirements are met. A single sensor used for both BPCS and SIS requires further safety review and analysis as part of the process safety activity (see Annex A). For example, a level sensor used for both BPCS and high level trip SIS can create a demand if it fails below the setpoint of the level controller, and this protection will be lost.

B.1.5.2 For SIL 2, identical separation between BPCS and SIS is typically needed to meet the required safety integrity.

B.1.5.3 For SIL 3, identical or diverse separation between BPCS and SIS is typically needed to meet the required safety integrity.

B.1.5.4 When redundant SIS sensors are used, the sensors may be connected to both the SIS and BPCS provided that a safety review and analysis shows the connection to the BPCS does not compromise the safety integrity of the SIS.

B.1.6 Control and shutdown valves

B.1.6.1 For SIL 1, a single valve may be used for both BPCS and SIS, provided the valve's unsafe failure rate meets the safety integrity requirements. A single valve used for both BPCS and SIS requires further safety review and analysis, since it may not meet the required safety integrity. For example, a valve used for both BPCS and SIS can create a demand if it fails in the open position; since the SIS could not close the valve, this protection will be lost. If this valve is also used for an interlock, the controller may drive the valve open. The design should ensure that the SIS action overrides the BPCS action.

B.1.6.2 For SIL 2, identical separation between BPCS and SIS is typically needed to meet the required safety integrity.

B.1.6.3 For SIL 3, identical or diverse separation between BPCS and SIS is typically needed to meet the required safety integrity.

B.1.6.4 When redundant SIS valves are used, the valves may be connected to both the SIS and BPCS provided that a safety review and analysis shows the connection to the BPCS does not compromise the safety integrity of the SIS.

B.1.6.5 Additional considerations for determining valve requirements are a) shutoff requirements, b) reliability experience with the valve, c) unsafe failure modes of the valve, and d) operating procedures that make the valve less effective (e.g., open bypass valves).

B.1.7 Logic solver

B.1.7.1 For SIL 1, identical or diverse separation between BPCS and SIS is typically needed to meet the required safety integrity.

B.1.7.2 For SIL 2, diverse separation between BPCS and SIS should be considered to meet the required safety integrity. Identical separation between BPCS and SIS may be used provided safety review and analysis shows that it meets the safety integrity requirements.

B.1.7.3 For SIL 3, diverse separation between BPCS and SIS is typically needed to meet the required safety integrity.

B.1.7.4 There may be special cases where it is not possible to provide separation between BPCS and SIS (e.g., a gas turbine control system includes both control and safety functions). Additional considerations when combining control and safety functions in the same device are a) evaluation of the failure of common components and software and their impact on SIS performance, b) life cycle support of the entire system as a SIS with respect to changes, maintenance, testing, and documentation, and c) limiting access to the programming or configuration functions of the system. (See B.1.8.2 sections (c) and (d) for further guidance.)

B.1.8 Communications between BPCS and SIS

B.1.8.1 Communications between BPCS and SIS can enhance the overall safety of the application. However, external communications, particularly writes to the SIS, can compromise the safety integrity of the SIS.

B.1.8.2 There are five basic ways to approach external communication between BPCS and SIS:

a) No external communication between BPCS and SIS. This is acceptable for all SILs.

b) Hard-wired communication between BPCS and SIS, analog or discrete output from one device to the input of another device. This is acceptable for SIL 1 and SIL 2, but use of this method for SIL 3 requires additional safety review and analysis.

c) Read only external communication from SIS to BPCS. This may be acceptable for all SILs if review and analysis is done to assure that the safety function is not compromised.

d) Read/write external communications with write protection of the safety function. This is acceptable for SIL 1 and 2, but use of this method for SIL 3 requires additional safety review and analysis. Measures to achieve write protection of the safety function include, but are not limited to, 1) hard-wired switch (or jumper) to limit write access, and 2) implementation of the safety function in SIS ROM. Provision must be made to ensure all writes are valid and do not negatively impact the system safety or operation.

e) Read/write external communications with limited or no write protection of the safety function. Use of this method may be acceptable for SIL 1. Use of this method for SIL 2 requires additional safety review and analysis. Use of this method in SIL 3 is discouraged. Measures to achieve limited write protection of the safety function include, but are not limited to, 1) limited time window for write access, and 2) software switch (e.g., password) to limit write access.

B.2 Redundancy - identical or diverse

B.2.1 Redundancy can be applied to provide enhanced safety integrity or improved fault tolerance. The designer should determine the redundancy requirements that achieve the SIL and reliability requirements for all components of the SIS including sensors, logic solver, and final control elements.

B.2.2 An example of this is where the SIS requires a 1oo2 architecture, but there is concern about spurious trips. In such a situation, the designer may choose a 2oo3 architecture, which may improve reliability without substantially reducing safety integrity.

B.2.3 Redundancy is applicable to both hardware and software (see B.10). Diverse redundancy should be used if it is required to meet the SIL. Diverse redundancy should not be used where its application can result in the use of lower reliability components that will not meet system reliability requirements.

B.2.4 Redundancy should be analyzed for common cause faults. Some examples of common cause faults are a) plugging of shared instrument lead lines, b) corrosion, c) hardware faults, d) software errors, and e) power supply/source. Elimination or reduction of the fault source, or the use of diverse redundancy, are methods to mitigate common cause faults.

B.2.5 Diverse redundancy uses different technology, design, manufacture, software, firmware, etc., to reduce the influence of common cause faults.

B.2.6 Measures that can be used to achieve diverse redundancy include, but are not limited to, a) the use of different measurements (e.g., pressure and temperature) when there is a known relationship between them, b) the use of different measurement technologies of the same variable (e.g., coriolis flow and vortex flow), c) the use of different types of PES for each channel of redundant architecture, and d) the use of geographic diversity (e.g., alternate routes for redundant communications media).

B.2.7 Some typical concerns with PES technology that could warrant diverse redundancy in SIS would be undetected faults in a) hardware, b) manufacturing, c) components, d) operating system, e) communications, f) firmware, g) software, h) application programming, and i) environment.

B.3 Software design considerations

B.3.1 Embedded software

B.3.1.1 Embedded software is provided by PES suppliers and is typically transparent to the preparation of application software. Considerations that should be understood before proceeding with the application software development include the following:

a) The supplier has a software quality plan.
b) The embedded software revision level is defined.
c) The embedded software revision level is the same as the revision level analyzed when initially approving the PES for use as a SIS.
d) All enhancements to, or fixes of, embedded software functionality contained in new software releases have been reviewed and analyzed.

B.3.2 Utility software

B.3.2.1 Use of utility software should adhere to the same criteria as embedded software (see B.3.1). Utility software from third parties may be available and considered for use. Use of third party utility software for applications program development, without testing and approval of the PES manufacturer of the utility software package, is not recommended.

B.3.3 Application software

B.3.3.1 Modular design is highly desirable in application programs. Modular design tends to enhance design simplicity and integrity.

Application software should include provision for diagnostic testing if required to meet the system SIL. A typical diagnostic testing scheme using an external Watchdog Timer is illustrated in Reference C.

B.3.3.3 Programming languages that are mature and/or have been certified to accepted industry standards are preferred.

B.3.3.4 Programming guidelines should be established to enforce consistent style among the design team. Implementation of a software quality plan may facilitate development of a consistent programming style.

B.3.3.5 To avoid unnecessary complexity and features that make the behavior of the system difficult to predict, the following should be considered:
a) The software should have a definite order and structure so that it ensures understanding of where you are in the application software at all times.
b) If nested sequences are used, nesting should be limited to as few layers as possible.
c) Peer reviews of application software.

B.3.3.6 To verify that the software design meets each of the requirements established in the Safety Requirement Specifications, consider the following:
a) An analysis to demonstrate that each of the requirements established in the Safety Requirement Specifications is implemented in the design.
b) Peer review of designs of safety critical functions.

B.3.3.7 Confirm that the application software meets the requirements established in the Safety Requirement Specifications under all expected operating conditions. Consider the following:
a) Tests should be developed to exercise the software beyond the normal bounds for data, commands, keyboard inputs, and other actions.
b) A bug-reporting and resolution system should be implemented.
c) Application software should be tested to determine software behavior in the presence of hardware faults.

B.4 Technology selection

B.4.1 Safety Instrumented Systems (SIS) can be developed using Electrical, Electronic or Programmable Electronic (E/E/PE) technologies.

B.4.2 A hybrid scheme combining technologies (e.g., Electrical, PE, etc.) may be used to develop a SIS.

B.4.3 There are other technologies that can be used other than E/E/PE in the design of an SIS, such as pneumatics, hydraulics, etc. These technologies are outside the scope of this standard (see Clause 1).

B.4.4 Electrical technology used in SISs

B.4.4.1 Direct-wired systems

B.4.4.1.1 Direct-wired systems have the discrete sensor directly connected to the final element. There is minimal diagnostic coverage, so proof testing frequency may have to be increased. This technology can only be used in the simplest applications.

B.4.4.2 Electromechanical devices

B.4.4.2.1 Electromechanical devices include relays and timers. Relays are often used where simple logic functions are adequate to provide the necessary safety logic. Extensive operating experience with relays and their mature technology make acceptance of this device in a SIS widespread. Unsafe failure modes of relays can also be quantified.

B.4.4.2.2 Standards and guidelines for implementing electromechanical relays in SIS applications are available to users (see Reference C.4).

B.4.4.2.3 Successful users of relays in safety applications have followed some simple guidelines. They include using a relay that
a) has a good in-plant track record,
b) has the proper "fail-to-shelf" position (e.g., position when completely disconnected) characteristics when installed,
c) is found reliable through life-cycle testing,
d) is user approved for safety applications, and
e) is suitable for the environment in which it is placed (e.g., hermetically sealed).

B.4.4.2.4 The relay SIS has other attributes that should be considered:
a) The on/off status can be readily obtained by checking contact position (e.g., open or closed).
b) Its interconnected logic is very difficult to change (requires rewiring).
c) It is simple and understood by plant personnel and can be easily supported.
d) It is easily identified and secured as a critical control device.
e) It has failure modes that can be isolated to reduce common mode failures.

B.4.4.2.5 Relay logic should not be considered inherently fail-safe. Even if the relays are properly selected and applied, the contacts may weld and the spring may not return the switching contacts to the de-energized position.

B.4.4.2.6 Electromechanical relay logic systems should consider the following criteria:
a) Contacts open on coil de-energization or failure.
b) The coil has gravity dropout or dual springs.
c) Contacts are of proper material and rating.
d) Energy limiting load resistance is installed to prevent contacts from welding closed.
e) Proper arc suppression of the contacts is provided for inductive loads.

B.4.4.2.7 There are low energy loads (e.g., 50 volts or below and/or 10 mA or below) that require special contact materials or designs (e.g., hermetically-sealed contacts) to eliminate oxidation build-up on contacts resulting in unreliable operation (e.g., load dropout). This is referred to as contact-wetting. When utilizing these special contacts, specific failure mode analysis is needed for these contacts to ensure that a fail-safe electromechanical system is being designed.

B.4.4.2.8 Electromechanical relays may not be suitable for SIS applications with
a) high duty-cycles resulting in frequent state changes,
b) timers or latching functions,
c) complex math functions,
d) analog measurements, and
e) large logic applications.

B.4.4.3 Solid state logic

B.4.4.3.1 Solid state logic refers to the transistor family of components like Complementary Metal Oxide Semiconductor (CMOS), Resistor-Transistor Logic (RTL), transistor-transistor logic (TTL), and High Noise Immunity Logic (HNIL). These components are assembled in stand-alone modules, plug-in board modules, or in highly integrated, high-density chips. They differ from typical computer-type equipment in that they have no Central Processing Unit (CPU). They perform according to the logic obtained by the direct-wiring techniques of interconnecting the various logic components such as ANDs, ORs, and NOTs. These systems have limitations in fail-safe requirements (e.g., indeterminate failure modes) that should be recognized. Appropriate design features should be added to handle these unsafe failure modes.

B.4.5 Electronic technology used in SISs

B.4.5.1 Solid state relays

B.4.5.1.1 Solid state relays are used in high duty-cycle application and have unsafe failure modes that can be identified and quantified. Some additional applications of solid state relays are described in the following paragraphs.

B.4.5.2 Solid state timers

B.4.5.2.1 Solid state timers are used where the application's complexity does not warrant a PES. Solid state timer technology can be categorized as either Resistor-Capacitor (RC) circuit or pulse counting. RC timing devices may not be suitable for safety applications because of poor repeatability and unsafe failure modes.

B.4.5.2.2 The pulse-counting timer, sometimes referred to as a digital timer, can use a number of methods to achieve pulse counting. These include
a) a line frequency (50 or 60 Hz),
b) an electronic oscillator, and
c) a quartz crystal oscillator.
Note that RC circuitry is often used in the time setting portion of pulse-counting timers; this does not preclude the use of these timers.

B.4.5.2.3 A user-approved safety crystal oscillator (e.g., quartz) timer is recommended because of high repeatability and good reliability.

B.4.5.3 Motor driven timers

B.4.5.3.1 Motor driven timers provide acceptable performance for key safety applications such as burner purge timing. Motor driven timers are limited in timing resolution and the ability to handle high duty cycles. Most motor driven timers require a locking device or appropriate modification to eliminate tampering with critical settings.

B.4.4.3.2 Solid state logic has generally been integrated with direct-wiring and relay schemes for SIS. Solid state logic is not recommended for SISs unless provided with additional diagnostics to test for unsafe failure modes. PESs are sometimes used as a diagnostic tool to make solid state logic systems suitable for SIS.

B.4.5.4 Pulsed electronic logic

B.4.5.4.1 Pulsed electronic logic generates pulses with a specified amplitude and period. A pulse train is recognized as a logic "true" or "one," while all other signals (e.g., non-specified pulses, grounds, and continuous "on" or "off") are recognized as a logic "false" or "zero."

B.4.5.4.2 Pulsed electronic logic can be considered in a SIS if it meets the requirements noted in this standard and is user approved.

B.4.5.4.3 Pulsed electronic logic can offer high safety integrity, fault tolerance (e.g., 2oo3), and similar architectures. PES designs offer some functions that may not be available with pulsed solid state systems or electronic logic such as calculation capability, improved communications, and networking.

B.4.6 PES technology used in SIS

B.4.6.1 The PES can be a programmable controller, a distributed control system controller, or an application-specific stand alone microcomputer. Caution should be used when using personal computers, since they generally do not have the safety integrity required for SIS applications.

B.4.6.2 The use of PES results in many difficult to recognize failure modes, many of which can be unsafe. See ISA-dTR84.02 for additional information.

B.4.6.3 Some techniques that can be used to minimize the unsafe failure modes of PES are
a) extensive diagnostics to detect covert faults (see B.9 for guidance),
b) use of redundancy,
c) use of Watchdog Timers, and
d) use of outputs with diagnostics to detect output module failures.

B.4.6.4 Select PES technology for SIS when
a) there are large numbers of Input/Output, or many analog signals,
b) logic requirements are complex, or the logic includes computational functions,
c) extensive data communications with the BPCS is required, and
d) different trip points are required for different operations (e.g., batch application recipe selection).

B.5 Failure rates and failure modes

B.5.1 Failure rate is the average rate at which faults occur within the SIS components. Failure rates are influenced by component design, manufacturing quality, installation practice, and environmental and process conditions, both internal and external. The failure rate for the overt failure mode of a component may be quite different than the failure rate for the covert mode. The failure rates for both of these modes and their safety implication should be considered in the design of the SIS.

B.5.2 Tables B.5.1 and B.5.2 list some of the possible faults which should be considered in the design of SIS.

Table B.5.1 — Typical SIS failure modes

SENSOR: Isolation from process; Sensor/X-mitter stuck; Up/Downscale stuck; Incorrect signal; Drift/Calibration fault; Noise; Conversion time fault; Conversion fault; Incorrect supply voltage.

WIRING/CONNECTORS: Open/short; Ground fault; Noise.

BARRIER/TERMINATION: Open/short; Ground fault; Isolation failure; Wrong signal.

EXTERNAL COMMUNICATION: Corrupt data; Incorrect data; Incorrect source/destination; Incorrect handshaking; Duplicate source/destination; Incorrect Input/Output addressing; Loss of connection; Loss of receiver/transmitter; Response timeout; Faulty error correction; Shorts or open circuits; Loss of redundant channel.

ELECTROMECHANICAL RELAY/TIMER: Wiring faults; Coil burn out; Relay race; Timing faults; Welded contacts; Stuck armature; Contact fidelity.

SOLID STATE LOGIC: Wiring fault; Noise/dynamic faults/x-talk; Stuck gates (on-off)/back-plane faults; Counter failure.

FINAL ELEMENT: Pilot device fault; Stuck open/closed/intermediate; Mechanism stuck; Energy source; Conversion time fault; Conversion fault.

COMMON MODE: Over-voltage, current, pressure, etc.; Under-voltage, current, etc.; Total loss of energy; Backup-energy failure (UPS); Temporary energy fluctuations; Temperature too high or too low; Corrosion; Electromagnetic interference.

Table B.5.2 — Typical programmable electronic failure modes

PES: Stuck bit / multiple bits; Dynamic faults / x-talk; Instruction time / Wait states / stall; uCode / macro code; Arithmetic Logic Unit (ALU) faults; Access time wait state logic; Access time; Stuck Interrupt Request (IRQ); Stuck / loss of timing; Device specific (custom IC); Stuck Input/Output bit; x-talk on Input/Output lines; Wrong Input/Output line; Data direction fault (I/O Port); Signal too fast / slow (I/O Port); Lost bit / byte / message (comm); Wrong sender / receiver / message; Timeout / multidrop conflict; Deadlock (comm); Parity generator fault; Frame fault / buffer overrun; Stuck Direct Memory Access (DMA); x-talk (DMA); Bus request stuck (DMA); Transfer time incorrect (DMA); Wrong sample time; Timer register fault; Wrong timer; Timeout / overrun; Timebase fault; Set / reset fault; IRQ / poll fault (Timer); Trigger pattern (WDT); Trigger too early / late (WDT); Loss of Input/Output communication.

INPUT: Stuck on/off; Upscale / Downscale / conversion fault; Drift calibration; Unstable input; Isolation fault; Linearization / Compensation.

OUTPUT: Stuck on / off / Conversion fault; Upscale / Downscale; Drift / Calibration; Unstable output; Isolation fault; Linearization / Compensation.

B.6 Architecture

B.6.1 Selection of the SIS architecture is an activity performed during the conceptual design step of the Safety Life Cycle. The architecture has a major impact on the overall safety integrity of the SIS. The architecture also influences SIS reliability (likelihood of spurious trips) (Reference C.3).

B.6.2 Some of the activities involved in determining the SIS architecture are
a) selection of energize to trip or de-energize to trip design,
b) selection of identical or diverse redundancy for the SIS sensors, logic solver, and final control elements,
c) selection of redundancy for power sources and SIS power supplies,
d) selection of operator interface components (e.g., CRT, alarm annunciator, pushbuttons) and their method of interconnection to the SIS, and
e) selection of data communications interfaces between SIS and other subsystems (e.g., BPCS) and their method of communication (e.g., read only or read/write).

B.6.3 A SIS may utilize architectures (e.g., 2oo3 sensor, 1oo1 logic solver, 1oo2 final element) for reasons that may include different
a) SILs in the same SIS,
b) testing requirements,
c) equipment reliability and failure modes, and
d) user interfaces.

B.6.4 Architecture that may typically meet the SIL performance requirements includes:

SIL 1 - A 1oo1 architecture with a single sensor, single logic solver, and a single final control element.

SIL 2 - Requires more diagnostics and typically includes redundancy of the logic solver and sensors, with redundancy of final control elements as necessary.

SIL 3 - Typically two separate and diverse 1oo1 arrangements, each with their own sensor, logic solver, and final control element. The 1oo1 arrangements would be connected in a 1oo2 voting scheme. Diverse separation, redundancy, diagnostic coverage, test intervals, and exhaustive diagnostic capabilities are considered significant aspects of a SIL 3 system. The user must determine the failure rates of the system components, and evaluate each specific SIS to validate its performance (see ISA-dTR84.02 for additional guidance).

B.7 Power sources

Power sources include, but are not limited to, electrical power, pneumatic power (e.g., instrument air), and hydraulic power. Grounding is included in this subclause after electrical power.
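B.6.4 ties the achievable SIL to the voting arrangement, the covert and overt failure rates of B.5.1, diagnostic coverage and the test interval. The following is an added worked example, not an equation set from this standard or from ISA-dTR84.02: it compares 1oo1, 1oo2 and 2oo3 with the usual first-order closed-form approximations (common cause between channels is neglected, detected faults are assumed repaired within MTTR) and maps the result onto the S84.01 PFDavg bands. The failure rates, coverage, test interval and repair time are constructed inputs, not vendor data; the function names are this example's own.

```python
"""Simplified PFDavg and spurious-trip comparison of the 1oo1, 1oo2 and
2oo3 arrangements discussed in B.6.  Added worked example, not an equation
set from S84.01: the closed forms are first-order approximations (common
cause neglected, detected faults repaired within MTTR); the input rates
are constructed, not vendor data."""

# PFDavg bands of ANSI/ISA-S84.01: SIL 1 = 1E-1 to 1E-2, SIL 2 = 1E-2 to 1E-3,
# SIL 3 = 1E-3 to 1E-4.  Values outside these bands get no SIL here.
SIL_BANDS = ((3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_from_pfd(pfd):
    """Return the SIL whose PFDavg band contains pfd, or None if outside."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def split_dangerous_rate(lambda_d, coverage):
    """Split the dangerous failure rate into the covert part (undetected,
    found only by proof test) and the overt part (found by diagnostics),
    as B.5.1 and B.9.3 ask the designer to do."""
    return lambda_d * (1.0 - coverage), lambda_d * coverage


def pfd_avg(arch, lambda_d, coverage, ti, mttr):
    """Average probability of failure on demand.  lambda_d in failures per
    hour, ti = proof test interval in hours, mttr = repair time in hours."""
    lambda_du, lambda_dd = split_dangerous_rate(lambda_d, coverage)
    covert = lambda_du * ti      # a covert fault can persist up to one test interval
    overt = lambda_dd * mttr     # a detected fault is repaired within MTTR
    if arch == "1oo1":
        return covert / 2.0 + overt
    if arch == "1oo2":           # both channels must be down
        return covert ** 2 / 3.0 + overt ** 2
    if arch == "2oo3":           # any two of three channels down (three pairs)
        return covert ** 2 + 3.0 * overt ** 2
    raise ValueError("unknown architecture: %s" % arch)


def spurious_trip_rate(arch, lambda_s, mttr):
    """Rate of trips without a demand, the reliability side of B.6.1.
    lambda_s = safe (spurious) failure rate per channel, per hour."""
    if arch == "1oo1":
        return lambda_s
    if arch == "1oo2":           # either channel tripping trips the loop
        return 2.0 * lambda_s
    if arch == "2oo3":           # a second safe failure must occur while the first is under repair
        return 6.0 * lambda_s ** 2 * mttr
    raise ValueError("unknown architecture: %s" % arch)


def compare_architectures(lambda_d, lambda_s, coverage, ti, mttr):
    """Tabulate PFDavg, achievable SIL and spurious trip rate per architecture."""
    out = {}
    for arch in ("1oo1", "1oo2", "2oo3"):
        pfd = pfd_avg(arch, lambda_d, coverage, ti, mttr)
        out[arch] = {
            "pfd_avg": pfd,
            "sil": sil_from_pfd(pfd),
            "spurious_per_hour": spurious_trip_rate(arch, lambda_s, mttr),
        }
    return out


if __name__ == "__main__":
    # Constructed inputs: 2E-5/h dangerous, 5E-5/h safe, 85 % diagnostic
    # coverage, yearly proof test (8760 h), 8 h repair.
    for arch, r in compare_architectures(2e-5, 5e-5, 0.85, 8760.0, 8.0).items():
        print("%s  PFDavg=%.2e  SIL=%s  spurious/h=%.2e"
              % (arch, r["pfd_avg"], r["sil"], r["spurious_per_hour"]))
```

With the constructed inputs the single channel lands in the SIL 1 band, while 1oo2 and 2oo3 both reach the SIL 3 band; 2oo3 pays for its much lower spurious trip rate with a PFDavg about three times that of 1oo2. Running the same 1oo2 loop with zero diagnostic coverage drops it back to SIL 1, which is the point B.6.4 makes about diagnostic coverage and test intervals being significant aspects of a SIL 3 design.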

B.7.1 Electrical power source

B.7.1.1 The electrical power source should be designed to meet the safety integrity and reliability requirements of the application.

B.7.1.2 Electrical power source redundancy is frequently provided to improve the reliability of the SIS, although redundancy may not be necessary to meet the safety integrity requirements for deenergized to trip applications. For energize to trip applications, electrical power source redundancy is typically provided to meet the safety integrity requirements.

B.7.1.3 Electrical power source redundancy can be provided using an alternate source with automatic transfer, an Uninterruptible Power Supply (UPS), or battery backup by an alternate source. Design considerations when transferring to alternate sources include
a) detection of fault prior to impacting SIS operation,
b) transfer to back-up source without impacting SIS operation,
c) ability to maintain UPS or batteries without impacting SIS operation, and
d) minimize common cause failures.

B.7.1.4 Consider providing power source(s) diagnostics that will not allow SIS startup unless all power sources are available.

B.7.1.5 Electronic and programmable electronic SIS frequently include internal power supplies that convert electrical power source(s) to lower level voltages for internal use. Power supply redundancy should be considered to meet the reliability requirements of the application.

B.7.1.6 Electronic and programmable electronic SIS typically are more sensitive to electrical noise (e.g., radio frequency interference or electromagnetic interference). Utilize shielding, good wiring practices (see B.13), and proper grounding (see B.7.2).

B.7.1.7 Electronic and programmable electronic SIS typically have a lower insulation breakover voltage rating than an electrical SIS. Therefore, additional surge protection may be required.

B.7.1.8 Programmable electronic SIS may require electrical power with lower total harmonic distortion than electrical or electronic SIS.

B.7.1.9 Input/Output (I/O) may have separate power distribution, fused to minimize common cause in case of a wiring fault. These fuses should coordinate with upstream fuses to insure minimum impact on system performance if a fuse blows.

B.7.1.10 A checklist of AC electrical power considerations includes
a) voltage and current range including inrush current,
b) frequency range,
c) harmonics,
d) non-linear loads,
e) ac transfer time,
f) overload and short circuit protection and coordination,
g) lightning protection,

h) protection against transients such as spikes, surges, brown outs, etc.,
i) protection against undervoltages,
j) protection against overvoltages, and
k) grounding.

B.7.1.11 A checklist of DC electrical power considerations includes
a) voltage range and current range including inrush current, and
b) non-linear loads.

B.7.2 Grounding

B.7.2.1 Grounding is critical in E/E/PE technology to ensure personnel safety (Reference C.5) and proper equipment performance. This subclause deals only with the voltages found in SIS applications (typically 240 volt AC or below, and 125 volts DC and below).

B.7.2.2 Note that the grounding becomes more restrictive when moving from electrical to electronic and from electronic to programmable electronic. Therefore, electrical equipment grounding can be easily achieved in a grounding system designed for electronic and/or Programmable Electronic equipment, and electronic equipment grounding can be easily achieved in a grounding system designed for programmable electronic equipment. Programmable Electronic equipment installed in a grounding system designed for electrical technology may not be appropriate.

B.7.2.3 For ungrounded systems, consider using ground fault detection relays and alarms as appropriate.

B.7.2.4 Note that electrical or electronic technologies may integrate Programmable Electronic into their equipment to enhance performance through improved communication, diagnostics, human-machine interfaces, etc. In those cases, treat the grounding as if it is Programmable Electronic grounding, unless vendor installation guidelines dictate a different approach.

B.7.2.5 The grounding system should meet the manufacturer's recommendations. Deviations should have safety review and analysis.

B.7.2.6 A checklist of grounding considerations includes
a) corrosion protection,
b) cathodic protection,
c) lightning cone of protection,
d) ground planes (Reference C.16),
e) raised floor grounding,
f) static electricity protection,
g) shield ground,
h) single point ground,
i) test ground,
j) intrinsic safety barrier grounds,
k) ground terminal(s) availability, and electrical noise.

B.7.3 Pneumatic power

B.7.3.1 Instrument air (or other gas) is typically used with final elements such as control valves. The solenoid valve acts as an electrical to instrument gas relay. The instrument gas should be filtered, dried, and continuously monitored to assure proper pressure is maintained, and the system should be backed up to attain the uptime required to meet the reliability requirements.

B.7.3.2 Instrument air checklist:
a) Pressure
b) Moisture
c) Contaminants
d) Lubrication where required
e) Volume

B.7.4 Hydraulic power

B.7.4.1 Hydraulic power is typically used where high motive force is required, such as very large valves.

B.7.4.2 Hydraulic power checklist:
a) Pressure
b) Volume
c) Contaminants
d) Fluid properties

B.8 Common cause failures

B.8.1 Common cause faults can be caused by a single (non-redundant) component or by systematic errors in redundant components (Reference C.11; Figure 5).

B.8.2 Some examples of common cause faults include
a) specification errors,
b) hardware design errors,
c) software design errors,
d) human-machine interface design,
e) environmental over-stress (HI/LO temperature, humidity, pressure, corrosion),
f) single elements (common process taps, single field devices, common conduit, single energy sources, etc.),
g) process corrosion or fouling,
h) vibration,
i) maintenance (e.g., calibration, procedures, tools, training), and
j) susceptibility to mis-operation (e.g., procedures, training, activity under abnormal stress).

B.8.3 Common cause faults or systematic errors may be reduced during design using appropriate fault avoidance measures. Consider using the following methods:
a) Provide supplier with application-specific information (e.g., model number(s), codes, etc.)
b) Verification
c) Diverse separation
d) Diverse redundancy
e) Identical redundancy
f) Identical separation

B.8.4 A number of functionally separate SIS may share the same environment, cabinet, operator interface, and maintenance/engineering interface. These separate systems may however require physical separation of power and logic solver to accomplish testing, maintenance or modification. The impact of these activities should be considered during system layout.

B.9 Diagnostics

B.9.1 General considerations

B.9.1.1 Diagnostics are tests performed periodically and automatically to detect covert faults that prevent the SIS from responding to a demand (see ISA-dTR84.02 for further guidance).

B.9.1.2 Various types of faults that can occur are included in Table B.9.1:

Table B.9.1 — Fault types

Fault type: Faults that immediately disable the capability of the SIS to respond to a demand (critical faults). Example: Stuck-on or stuck-off of a critical output point.

Fault type: Faults that in combination with other faults disable the capability of the SIS to respond to a demand (potential critical faults). Example: Diagnostic of a critical output point not performed.

Fault type: Faults initiating a safe response of the SIS without a demand. Example: Spurious trip due to a component fault.

Fault type: Faults that have no impact on the capability of the SIS to respond to a demand (benign faults). Example: Burned out, not critical LED.

B.9.1.3 A covert fault in a system may prevent the SIS from responding to a demand. This can be the first fault in a single channel system or a combination of faults in a multi-channel system. Therefore it is important to not only discover critical faults but also potentially critical faults before they accumulate.

B.9.1.4 Faults can result in two types of failures:
a) Random failures, a spontaneous failure of a component
b) Systematic failures (or errors), a hidden fault in design or implementation

B.9.1.5 Hardware is prone to random failures, but can also have systematic failures (incorrect timing, components used outside their specified range, etc.).

B.9.1.6 Software is generally free of random failures, but has a high probability of systematic failures. Once a systematic failure becomes overt, it can be corrected and will cease to exist.

B.9.1.7 Random failures occur spontaneously. Depending on the persistence of the fault over time two conditions are possible:
a) Permanent random faults persist until they are repaired.
b) Dynamic random faults (cross-talk, thermal faults, etc.) occur under certain circumstances and disappear.

B.9.2 Diagnostic tests

B.9.2.1 Diagnostics may be accomplished using a variety or combination of methods, including:
a) hardware integrity monitoring (e.g., end-of-line detection, impedance monitoring in thermocouples),
b) automatic built-in tests provided within the purchased SIS equipment (e.g., Input/Output module self-tests),
c) automatic test incorporated as part of the application specific design (e.g., readback of output signals through input points, signal comparison),
d) Watchdog Timers, and
e) comparing redundant signals.

B.9.2.2 An inherently safe response to a fault may replace the requirement for a diagnostic for that fault. However, a so called "safe" design of a component may not always result in a safe response of the SIS.

B.9.3 Diagnostic coverage

B.9.3.1 A particular diagnostic technique is usually less than 100% effective in detecting all possible failures. An estimate of the "effectiveness" of the diagnostics used may be provided for the set of failures being addressed. Specific failure modes that may be covered by diagnostics are listed in Table B.9.2. This or a similar list of failure modes may be needed to identify those areas where diagnostic coverage is required, as this is application specific. Additionally, the detectability of failure modes has to be taken into account: failure modes that are detectable using simple means should be implemented whenever possible. Further, failure modes that carry a high failure probability have to be detected with more confidence.

B.9.3.2 Improved diagnostic coverage of the SIS may assist in satisfying the requirements of the target Safety Integrity Level.

B.9.3.3 Critical and potentially critical faults (like faults to CPU / RAM / ROM, etc.) will inhibit almost the entire processing of data and are therefore more far reaching than a fault of a single output point. The coverage requirements for these kind of faults are therefore stricter.
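B.9.2.1 c) and d) describe diagnostics that live in the application logic rather than in the vendor's firmware: reading a commanded output back through an input point, and a watchdog that confirms the logic solver is still completing scans. The following is an added example of both tests run over a scan log, not code from this standard or from any logic solver vendor. The scan records, the readback grace period and the watchdog timeout are constructed assumptions; a real implementation would take them from the Safety Requirement Specifications, which per B.9.3.4 must also define the resulting action on detection.

```python
"""Two application-level diagnostics of the kinds listed in B.9.2.1:
c) readback of a commanded output through an input point and
d) a watchdog that confirms the application is still completing scans.
Added worked example, not from the standard.  The scan records are
constructed sample data; the grace and timeout values are assumptions."""
from dataclasses import dataclass

READBACK_GRACE_MS = 500   # assumed time allowed for the final element to follow the command
WDT_TIMEOUT_MS = 1000     # assumed external watchdog timeout


@dataclass(frozen=True)
class Scan:
    t_ms: int           # scan timestamp in ms
    cmd_closed: bool    # commanded state of a critical output (True = valve commanded closed)
    fb_closed: bool     # readback of that output via a digital input (limit switch)
    wdt_kick: bool      # True if the application toggled the watchdog output this scan


def check_readback(scans):
    """Report the first scan of each episode in which the readback has
    disagreed with the command for at least READBACK_GRACE_MS.  On a
    critical output this is a critical fault (Table B.9.1), so the
    resulting action (B.9.3.4 b) should be a trip, not only an alarm."""
    faults = []
    mismatch_since = None
    reported = False
    for s in scans:
        if s.cmd_closed == s.fb_closed:
            mismatch_since, reported = None, False
            continue
        if mismatch_since is None:
            mismatch_since = s.t_ms
        if not reported and s.t_ms - mismatch_since >= READBACK_GRACE_MS:
            faults.append((s.t_ms, "output readback mismatch: commanded closed=%s, readback closed=%s"
                           % (s.cmd_closed, s.fb_closed)))
            reported = True
    return faults


def check_watchdog(scans):
    """Report the scan at which the watchdog would have timed out, i.e.
    more than WDT_TIMEOUT_MS since the application last kicked it."""
    faults = []
    last_kick = scans[0].t_ms     # assume the watchdog is armed at the first scan
    reported = False
    for s in scans:
        if s.wdt_kick:
            last_kick, reported = s.t_ms, False
        elif not reported and s.t_ms - last_kick > WDT_TIMEOUT_MS:
            faults.append((s.t_ms, "watchdog timeout: no kick for %d ms" % (s.t_ms - last_kick)))
            reported = True
    return faults


def run_diagnostics(scans):
    """Combine both tests; any detected critical fault demands a trip."""
    readback = check_readback(scans)
    wdt = check_watchdog(scans)
    return {"readback": readback, "watchdog": wdt, "trip": bool(readback or wdt)}


def build_sample_scans():
    """Constructed scan log, 100 ms scans over 2.5 s, with two injected faults."""
    scans = []
    for t in range(0, 2600, 100):
        cmd_closed = t >= 500              # trip commanded at 500 ms
        if t < 700:
            fb_closed = False              # valve still travelling (inside the grace period)
        elif t < 1200:
            fb_closed = True               # valve confirmed closed
        else:
            fb_closed = False              # constructed fault: valve drifts open / readback lost
        wdt_kick = t < 1300                # constructed fault: application stops kicking the watchdog
        scans.append(Scan(t, cmd_closed, fb_closed, wdt_kick))
    return scans


if __name__ == "__main__":
    for name, result in run_diagnostics(build_sample_scans()).items():
        print(name, result)
```

The readback test deliberately tolerates the valve's travel time so that a healthy trip (command at 500 ms, limit switch at 700 ms) raises nothing, while a valve that later leaves its commanded position is caught one grace period after the mismatch starts; the watchdog is reported once per lapse rather than on every scan, which keeps the fault record readable when the action taken is a trip.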

B.9.3.4 For each diagnostic implemented, the following should be identified:
a) Testing interval
b) Resulting action on fault detection
c) Both criteria should meet the Safety Requirement Specifications

B.9.3.5 Where certain diagnostics are not "built-in" to the vendor-supplied equipment, appropriate diagnostics may be implemented at the system or application level.

B.9.3.6 Diagnostics may not be capable of detecting systematic errors (like software bugs). However, appropriate precautionary measures to detect possible systematic faults may be implemented.

Table B.9.2 — Diagnostic tests for programmable electronics

Hardware, possible cause: Data; Address; Time; Wrong circuit; Component out of specification; Processing; Voter fault.
Hardware, detection: Random voter test; Chip error detection; Hardware fault testing.

Software, possible cause: Wrong constants; Indexing; Event; Scheduling; Algorithm.
Software, detection: Hard limit checking; Event verification; Scheduler monitor; Assertions; Plausibility check; Reverse computation diversity.

B.10 Field devices

B.10.1 General considerations

B.10.1.1 Many common cause failures of field devices may be avoided by properly applied redundancy and/or diversity. One example is an application requiring redundant sensors using different principles of operation and/or different manufacturers.

B.10.1.2 Two analog sensors, two discrete sensors (switches), or one of each could be selected. If two analog devices are selected, they can be continuously compared. This comparison significantly reduces Mean Time To Detection of failure thus providing more available protection. If one analog device and one discrete device are selected to provide diversity, as opposed to two analog devices, the advantage of continuous comparison of signals is lost. Proper operation of the discrete device can only be verified by testing or the occurrence of a process demand.

B.10.1.3 The following SIS considerations related to field devices may enhance the application of field devices:
a) Continuously compare redundant sensors while system operates (e.g., alarm or shut down on unacceptable deviation).

b) Compare flow or other related variables to modulating valve position
c) At each shutdown, compare sensor readings with known shutdown conditions and each other, and use these comparisons as permissives for the next startup. This reduces Mean Time To Detection of field device failures.
d) If the SIS has a built-in feature that displays the last good value on a bad value of the field sensor, this feature should be defeated (for SIS applications the signal should be permitted to go to its extreme value)
e) Feedback to alarm when a final element fails to go to its commanded state
f) Alarm if field devices change state without a command from the SIS
g) Vendor's MTBF data
h) Predictability of failure modes
i) Performance following long periods in the same position
j) Avoid using measurements outside the accuracy limit of the sensors (accuracy/turndown, etc.); for example, where zero flow is to be verified, a flow sensor should not be used
k) Identification (typing, color code, etc.)
l) With analytical measurements, try to design the system to provide a comparison between analytical readings and related basic measurements such as pressure, temperature, etc.

B.10.2 Field device failure modes and their detection

B.10.2.1 Essentially all field devices have three failure states: their extreme states or somewhere in between.
Sensors: upscale, downscale, on scale.
Valves: open, closed, partially open.
Relays: coil inoperative, contacts welded closed, contacts worn resulting in high resistance/restricted current flow, contacts held in their "normal" positions, and stuck armature.
Current/voltage alarm trips: current/voltage alarm trips convert current and voltage (e.g., 4-20 mA or 0-10 V DC) analog inputs into discrete signal outputs. The trip value is field adjustable. These switches have unsafe failure modes. This applies also to valve positions monitored by limit switches.

B.10.2.2 Given these failure modes, appropriate analysis and design features should be provided to ensure safe operation.

B.10.3 Sensor selection criteria

B.10.3.1 Some considerations for the selection of sensors include
a) analog devices are preferred to discrete types,
b) where possible, try to obtain redundancy and/or diversity by measuring different variables where each is indicative of the same abnormal condition,
c) consider selecting components with built-in features that drive the device to one of its detectable extremes in a high percentage of its failure modes,
d) carefully review process/ambient conditions that could affect the filling/emptying of impulse lines,
e) verify seal liquids in diaphragm seal applications for resistance to amalgamation, freezing, polymerization, etc., all of which can cause false readings,
f) devices that are selected to achieve diversity should have sufficient reliability to meet system reliability requirements, or alternate approaches to diversity should be considered, and
g) carefully weigh the use of devices that are foreign to a plant's maintenance organization.
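The continuous comparison of two analog sensors described in B.10.1.2 and B.10.1.3 a) and d), written out as an added example (not part of the standard). The readings are constructed, and the deviation limit, the number of confirming scans and the high-side selection rule are hypothetical engineering choices.

```python
"""Continuous comparison of two redundant analog sensors.

Added example; not part of ANSI/ISA-S84.01. All readings are constructed,
and DEVIATION_LIMIT / DEVIATION_SCANS are hypothetical engineering choices.
"""
from dataclasses import dataclass
from typing import List, Tuple

DEVIATION_LIMIT = 5.0   # hypothetical: largest acceptable A-B difference, % of span
DEVIATION_SCANS = 3     # hypothetical: consecutive scans over limit before alarming


@dataclass(frozen=True)
class Reading:
    value: float   # engineering value, here % of span
    good: bool     # input-card quality flag; False = open loop / out of range


@dataclass
class RedundantComparator:
    """Compares two analog sensors every scan (B.10.1.3 a)."""
    limit: float = DEVIATION_LIMIT
    scans: int = DEVIATION_SCANS
    over_limit: int = 0   # consecutive scans with deviation above the limit

    def evaluate(self, a: Reading, b: Reading) -> str:
        # A bad signal is reported as a failure at once. The value is NOT
        # replaced with the last good value (B.10.1.3 d): the input is left
        # at its extreme so the fault stays visible to the logic.
        if not (a.good and b.good):
            self.over_limit = self.scans
            return "SENSOR_FAIL"
        if abs(a.value - b.value) > self.limit:
            self.over_limit += 1
        else:
            self.over_limit = 0
        return "DEVIATION_ALARM" if self.over_limit >= self.scans else "OK"

    def select_for_high_trip(self, a: Reading, b: Reading) -> float:
        # Design choice in this example: for a high trip, act on the higher
        # of the good readings so a sensor reading low cannot mask a demand;
        # with no good reading at all the value forces a trip.
        candidates = [r.value for r in (a, b) if r.good]
        return max(candidates) if candidates else float("inf")


def expected_detection_delay(scan_s: float, proof_test_interval_s: float,
                             scans: int = DEVIATION_SCANS) -> Tuple[float, float]:
    """Rough Mean Time To Detection of a sensor fault (B.10.1.2).

    Continuous comparison: the fault is seen after `scans` scans.
    No comparison (e.g., a discrete switch): it is seen at the next functional
    test, on average half the test interval away if faults occur uniformly in time.
    """
    return scans * scan_s, proof_test_interval_s / 2.0


def run(pairs: List[Tuple[Reading, Reading]]) -> List[str]:
    """Evaluate a sequence of scan pairs with a fresh comparator."""
    cmp = RedundantComparator()
    return [cmp.evaluate(a, b) for a, b in pairs]


if __name__ == "__main__":
    # Constructed scan sequence: sensor B drifts upward, then its signal fails.
    seq = [(Reading(50, True), Reading(v, True)) for v in (50, 52, 57, 58, 60)]
    seq.append((Reading(50, True), Reading(0, False)))
    print(run(seq))
    print(expected_detection_delay(1.0, 365 * 24 * 3600))
```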

B.10.3.2 A minimum number of shutoff valves should be employed between the process and a sensor in SIS service. Each sensor requiring a process shutoff should have its own dedicated connection and valve (see Reference C.11).

B.10.4 Final element application considerations

B.10.4.1 Some considerations in the application of valves used as final control elements include
a) opening/closing speeds, minimum or maximum,
b) shutoff differential pressure in both directions of flow,
c) leakage (degree of shutoff requirements),
d) fire resistance — body and actuator,
e) performance following long periods in the same position,
f) where it will meet the requirements, consider the use of a modulating control valve as one of the final valve elements, since the proper operation of the control loop verifies the valve is not stuck in a single position,
g) do not compromise reliability to achieve diversity,
h) materials suitability/compatibility,
i) carefully weigh the use of devices that are foreign to a plant's maintenance organization,
j) fail position considerations, and
k) valve position indication.

B.10.4.2 Solenoid valves

B.10.4.2.1 Some considerations in the application of solenoid valves include
a) consider temperature, area classification, voltage, loading, etc., when selecting solenoid valves,
b) effects of air pressure,
c) ensure the solenoid valve is sized properly,
d) adjustable flow paths provide an opportunity for defeating an SIS function if improperly adjusted,
e) mounting the solenoid between the positioner and the valve, on the valve,

f) some solenoids are mounting position sensitive — consider installation detail requirements, and
g) solenoid vents should have protection against plugging, insects, dirt, freezing, etc.

B.10.4.3 Motor starters

B.10.4.3.1 In general, redundant motor starters are not used. Redundancy is applied in the form of contacts in the control circuit. Auxiliary contacts may be fed back to the SIS to verify starter status (position).

B.10.5 Input signal conditioners and output amplifiers

Input/output interface devices are special purpose solid state relays. They have unsafe failure modes that should be identified and quantified. Appropriate design features should be added to handle these unsafe failure modes before they can be approved for use in a SIS.

Input/output interfaces are required as the signal conditioners for solid state logic systems or PESs. The purpose of the inputs and outputs in a solid state SIS is to isolate the low energy logic system (typically low voltage DC) from the high energy field system (typical signal levels are 120 volt AC and 24 volt DC). High energy signal levels are used in the field devices to ensure a high signal to noise ratio over long transmission distances and to assure that contacts on discrete sensors used as input devices have sufficient power (voltage and current) to provide appropriate contact-wetting. Low energy signal levels are utilized in the logic system to achieve signal processing speed.

Input signal conditioners receive sensor signals at the strength required for suitable operation on the factory floor (e.g., 24 V, 48 V, 120 V, 4-20 mA). Output amplifiers receive the low energy signal from the solid state or PES logic solver and convert it to a signal suitable for driving the final element (e.g., solenoid valve).

B.11 User interface

User interfaces to a safety-related PES are operator interfaces and maintenance/engineering interfaces.

B.11.1 Operator interfaces

The operator interface used to communicate information between the operator and the SIS may include
a) video displays,
b) panels containing lamps, push buttons, indicators, and switches,
c) annunciators,
d) printers, and
e) any combination of these.

B.11.1.1 Video displays

B.11.1.1.1 Video displays may share safety and process control functions. A BPCS, or other computer-based control system, through its normal operator displays, may provide the sole operator interface to a SIS.

B.11.1.1.2 SIS data displayed to the operator should be updated and refreshed at the rate required to communicate between the operator and the SIS during emergency conditions so safe response(s) can be attained.

B.11.1.1.3 Displays relating to the SIS should be clearly identified as such. Operators should have easy access to safety-related displays, preferably by a single key-stroke or touch-screen stroke giving entry into a display hierarchy.

B.11.1.1.4 Give the operator enough information on one display to rapidly convey critical information. Too much information on one display may lead to operators misreading data and taking wrong actions.

B.11.1.1.5 Display layout is also important. Display consistency is important. Provide the same access methods, alarm conventions, and display components as are used in the non-safety-related displays. Use colors, flashing indicators, and judicious data spacing to guide the operator to important information and to reduce the possibility of confusion. Messages must be clear, concise, and unambiguous.

B.11.1.1.6 The operator interface and associated system (such as a Distributed Control System) may be used to provide automatic safety-related event logging and alarming functions, with time and date stamping and identification by tag number. Conditions to be logged should include SIS events (such as trip and pre-trip occurrences), diagnostics, and other safety-related events and alarms. Report formatting utilities should be provided.

B.11.1.2 Panel(s)

B.11.1.2.1 Panels should be located to give operators easy access.

B.11.1.2.2 Arrange the panel to ensure that the layout of the push buttons, lamps, gauges, and other information is not confusing to the operator, avoiding ambiguity or potential for operator confusion in an emergency situation. Shutdown switches for different process units or equipment that look the same and are grouped together may result in the wrong equipment being shut down by an operator under stress in an emergency situation. Physically separate the shutdown switches and boldly label their function. Provide means to test all lamps.

B.11.1.3 Printer(s)

B.11.1.3.1 Printers connected to the SIS should not compromise the safety function if the printer fails, is turned off, runs out of paper, is disconnected, or behaves abnormally.

B.11.1.3.2 A SIS connected to a BPCS may use BPCS facilities to perform its safety-related logging and reporting functions.

B.11.1.3.3 Printers are useful to document Sequence Of Events (SOE) information.

B.11.1.3.4 If printing is a buffered function (information is stored, then printed on demand or on a timed schedule), then the buffer should be sized so that information is not lost, and under no circumstances should SIS functionality be compromised due to filled buffered memory space.

B.11.2 Maintenance/Engineering interface(s)

B.11.2.1 Maintenance/Engineering interfaces consist of means to program, test, and maintain the SIS. Interfaces are devices used for functions such as:
a) System hardware configuration

b) Application software development, testing, documentation, and monitoring
c) Access to application software for changes, diagnostics, etc. (whenever the SIS is accessed for program changes)
d) Viewing SIS system resource and diagnostic information
e) Changing SIS security levels and access to application software variables

B.11.2.2 Maintenance/Engineering Interfaces should have capabilities to display the operating and diagnostic status of all SIS components (such as Input/Output modules, processors, sensors, and final elements), including the communication among them.

B.11.2.3 Maintenance/Engineering Interfaces should provide means for copying application programs to storage media, and downloading to the SIS.

B.11.2.4 A user-approved personal computer may be used as a Maintenance/Engineering Interface.

B.12 Security

B.12.1 General

B.12.1.1 Means should be provided to control access to the SIS, including the logic solver, SIS maintenance interfaces, SIS alarms, test and bypass functions, etc. The access protection may be in the form of locked cabinets, access codes, passwords, "read only" communication, administrative procedures, etc.

B.12.1.2 The ability to restrict access to the SIS operating mode, program, and data should be an integral feature of the SIS.

B.12.2 Exceptions

Protection against the following is beyond the scope of this annex:
a) Malicious modification
b) Modification errors

B.12.3 Additional PES considerations

B.12.3.1 Access control and security may be provided by a combination of application logic and host functions for any SIS user-interface device that could interfere with performance of the safety function:
a) Parameters that are appropriate for operator interaction should be accessible.
b) Parameters that may be changed on-line with appropriate review should come under access control.
c) Parameters or functions that require validation after change should be accessible only off-line.

B.12.3.2 For guidance in the application of these options see Reference C.9, Section 6.
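The three access classes of the Security clause (B.12.3.1 a, b and c) expressed as an authorization check in application logic, as an added example that is not part of the standard. The parameter catalogue, the roles, the "access asserted" signal (a key switch or password) and the review reference are hypothetical.

```python
"""Change-authorization check for SIS parameters (B.12.3.1 a, b, c).

Added example; not part of ANSI/ISA-S84.01. The parameter catalogue, roles,
and the access-asserted and review-reference signals are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class AccessClass(Enum):
    OPERATOR = "a"          # appropriate for operator interaction: accessible
    REVIEWED_ONLINE = "b"   # on-line change with review: under access control
    OFFLINE_ONLY = "c"      # needs validation after change: only off-line


# Hypothetical catalogue for a level SIS; parameters not listed are denied.
CATALOGUE: Dict[str, AccessClass] = {
    "trip_reset": AccessClass.OPERATOR,
    "pre_high_alarm_setpoint": AccessClass.REVIEWED_ONLINE,
    "high_level_trip_setpoint": AccessClass.OFFLINE_ONLY,
    "valve_feedback_timeout": AccessClass.OFFLINE_ONLY,
    "application_program": AccessClass.OFFLINE_ONLY,
}


@dataclass(frozen=True)
class ChangeRequest:
    parameter: str
    role: str                  # "operator" or "engineer"
    access_asserted: bool      # locked cabinet / key switch / password satisfied
    review_ref: Optional[str]  # review or management-of-change reference
    sis_online: bool           # True while the SIS is performing its safety function


def authorize(req: ChangeRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Any path not explicitly allowed is denied."""
    cls = CATALOGUE.get(req.parameter)
    if cls is None:
        return False, "unknown parameter; default deny"
    if cls is AccessClass.OPERATOR:
        return True, "operator parameter (B.12.3.1 a)"
    if req.role != "engineer":
        return False, "not an operator parameter; engineering role required"
    if not req.access_asserted:
        return False, "access control not satisfied (key switch/password)"
    if cls is AccessClass.REVIEWED_ONLINE:
        if not req.review_ref:
            return False, "on-line change needs a review reference (B.12.3.1 b)"
        return True, f"on-line change under review {req.review_ref}"
    # OFFLINE_ONLY: the change must be validated before the SIS is back in service
    if req.sis_online:
        return False, "requires validation after change; take SIS off-line (B.12.3.1 c)"
    return True, "off-line change; validate before returning SIS to service"


AUDIT: List[str] = []


def request_change(req: ChangeRequest) -> bool:
    """Apply the check and record every attempt, allowed or denied."""
    allowed, reason = authorize(req)
    AUDIT.append(f"{'ALLOW' if allowed else 'DENY'} {req.parameter} by {req.role}: {reason}")
    return allowed


if __name__ == "__main__":
    request_change(ChangeRequest("high_level_trip_setpoint", "engineer", True, "MOC-1", True))
    request_change(ChangeRequest("high_level_trip_setpoint", "engineer", True, "MOC-1", False))
    print("\n".join(AUDIT))
```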

B.13 Wiring practices

B.13.1 Wiring practices should meet the manufacturers' recommendations and NEC requirements. Deviations should have safety review and analysis.

B.13.2 Consider enhancing wiring practices by:
a) Eliminating circuit commons for multiple circuits,
b) Adding circuits for better isolation,
c) Adding fuses to isolate faults in a way that reduces common cause,
d) Implementing test facilities,
e) Elimination of ground loop problems, and
f) Separating SIS terminations from all other terminations.

B.13.3 Additional considerations for electronic or programmable electronic SIS include:
a) Twisted pair signal wires for EMI protection (Reference C.7),
b) Shield and drain wire for RFI protection, usually grounded at the power source end,
c) Overall metallic covering (e.g., cable armor) or raceway (e.g., cable tray, duct, conduit) for EMI and lightning protection should be grounded at both ends, and depending on the distance, at intermediate points,
d) separation of energy levels to eliminate cross-talk and radiated noise pickup,
e) surge protection as appropriate,
f) provide isolation (e.g., fiber optic) between different ground planes,
g) data communication cable specification and shielding should meet manufacturer's recommendations, and
h) cabinet wiring should be arranged to minimize electrical noise interference and high temperature.

B.13.4 Electronic and programmable electronic logic solvers use internal low level logic signals. Use of low level logic outside the shielded controller cabinet may be inappropriate.

B.13.5 Electronic and programmable electronic logic solvers may require a more restrictive wiring approach because inductive or capacitive coupling may falsely turn on inputs.

B.13.6 Use caution when using solid state inputs or outputs because leakage current may falsely actuate final control elements.

B.14 Documentation

B.14.1 A list of the documentation that may be used to implement a SIS includes the following:
a) Safety Requirement Specifications
b) Application logic
c) Design documentation
d) Commissioning Pre-Startup Acceptance Test procedure(s)
e) SIS operating procedure(s)
f) SIS maintenance procedure(s)
g) Functional test procedure(s)
h) Management of Change documentation
i) Qualitative or quantitative verification that the SIS meets the SIL

NOTE — Not all this documentation needs to be maintained.

B.14.2 Applications program backup

B.14.2.1 A backup technique allows the entire system to be restored to operation as quickly as possible. These techniques may include one or several of the following:
a) Copy to a removable medium such as magnetic tape or disk which can be copied back
b) Copy to a removable medium which can be used as a disk replacement for a corrupted PES
c) Copy to an on-line device (e.g., disk) used to backup
d) A communications link with another digital system

B.14.2.2 Consider maintaining a separate backup for data that is accumulated by the application software to generate reports, records, and trends.

B.15 Functional test interval

See 9.7 for mandates related to functional testing. The following is guidance, which may be used to determine the functional test interval.

B.15.1 The frequency of functional tests should be consistent with applicable manufacturer's recommendations and good engineering practices, and more frequent if determined to be necessary by prior operating experience.

B.15.2 The functional test interval should be selected to achieve the Safety Integrity Level (SIL).

B.15.3 ISA-dTR84.02 illustrates various methods to determine the functional test interval.


Annex C (Informative) — Informative references

NOTES
1. Within the body of the text and the Index, references are cited by the reference numbers (in italics and brackets) given below.
2. Utilize latest edition of the reference.
3. In case of conflicting information, ISA-S84.01 takes precedence.

AMERICAN INSTITUTE OF CHEMICAL ENGINEERS (AIChE)
[Ref. C.1] Guidelines for Chemical Process Quantitative Risk Analysis, New York, 1989
[Ref. C.13] Guidelines for Hazard Evaluation Procedures, New York, 1985
[Ref. C.14] Guidelines for Safe Automation of Chemical Processes, New York, 1993
Available from: AIChE, 345 East 47th Street, New York, NY 10017, Tel: (212) 705-7657

CHEMETICS INTERNATIONAL COMPANY
[Ref. C.15] Knowlton, R. Ellis, An Introduction to Hazard and Operability Studies, 1988
Available from: Chemetics International Company, Chemical Technology Division, 1818 Cornwall Avenue, Vancouver BC V6J 1C7, Canada, Tel: (604) 734-1200

CHEMICAL INDUSTRIES ASSOCIATION
[Ref. C.15] A Guide to Hazard and Operability Studies, London, 1977
Available from: Chemical Industries Association, King's Buildings, Smith Square, London SW1P 2JJ, England, Tel: 44 71 8343399

INTERNATIONAL ELECTROTECHNICAL COMMISSION (IEC)
[Ref. C.8 & C.9] IEC draft Publication 1508-1995, Parts 1-7, Functional safety of electrical/electronic/programmable electronic safety-related systems
NOTE — IEC draft Publication 1508 is in development; for information, contact your national committee.
Available from: IEC, P.O. Box 131, 3 rue de Varembe, 1211 Geneva 20, Switzerland, Tel: 41 22 734 0150

INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE)
[Ref. C.7] IEEE 518-1982, RA-1990, Guide for the Installation of Electrical Equipment to Minimize Electrical Noise Inputs to Controllers from External Sources
Available from: IEEE, P.O. Box 1331, 445 Hoes Lane, Piscataway, NJ 08855-1331, Tel: (800) 678-4333

ISA
[Ref. C.2] ISA-dTR84.02-1996, Electrical (E) / Electronics (E) / Programmable Electronic Systems (PES) for Use in Safety Applications - Safety Integrity Evaluation Techniques
NOTE — dTR84.02 is in development; for more information, contact ISA.
[Ref. C.3] Goble, W.M., Evaluating Control System Reliability Techniques and Applications, 1992
[Ref. C.6] ISA-S91.01-1995, Identification of Emergency Shutdown Systems and Controls That are Critical to Maintaining Safety in Process Industries
Available from: ISA, P.O. Box 12277, 67 Alexander Drive, Research Triangle Park, NC 27709, Tel: (919) 990-9200

MCGRAW-HILL, INC.
[Ref. C.16] Dictionary of Scientific and Technical Terms, fifth edition, 1993
Available from: McGraw-Hill, Inc., 1221 Avenue of the Americas, New York, NY 10020, Tel: (800) 262-4729

NATIONAL FIRE PROTECTION ASSOCIATION (NFPA)
[Ref. C.5] NFPA 70-1993, National Electrical Code
Available from: NFPA, P.O. Box 9101, One Batterymarch Park, Quincy, MA 02269-9101, Tel: (617) 770-3000

UNDERWRITERS LABORATORIES, INC. (UL)
[Ref. C.4] UL Standard 508-1989 (15th Edition), Standard for Safety, Industrial Control Equipment
Available from: UL, 333 Pfingsten Road, Northbrook, IL 60062, Tel: (708) 272-8800

UK ATOMIC ENERGY AUTHORITY (AEA TECHNOLOGY)
[Ref. C.10] Risk Control and Instrument Protective Systems in the Process Industries, Warrington, UK, 1980
Available from: UK Atomic Energy Authority, Safety and Reliability Directorate, Wigshaw Lane, Culcheth, Warrington WA3 4NE, England, Tel: 44 71 925 254486

UNITED STATES CODE OF FEDERAL REGULATIONS (CFR)
[Ref. C.11] 29 CFR 1910.119-1992 (Final Rule: February 24, 1992), Process Safety Management of Highly Hazardous Chemicals, Explosives, and Blasting Agents
[Ref. C.12] 40 CFR Part 68 (Proposed rules: October 23, 1993), Risk Management Programs for Chemical Accidental Release Prevention
Available from: U.S. Government Printing Office, Superintendent of Documents, Washington, DC 20402, Tel: (202) 512-1800

Annex D (Informative) — Example

NOTE — THIS CLAUSE IS NOT A REQUIREMENT OF THIS STANDARD. IT IS PROVIDED FOR INFORMATION ONLY.

D.1 Introduction to the example problem

This example problem is provided as an aid to illustrate how a user company might apply this standard to design a Safety Instrumented System (SIS). The example problem is maintaining a level in a process surge tank in the KIS2 Corporation. The results of the KIS2 Process Hazards Analysis (PHA) that was conducted on this vessel are an input to this example problem.

This example reviews the development of the Safety Requirement Specifications (Clause 5), addresses the issues in SIS Conceptual Design (Clause 6), and briefly touches on Detail Design (Clause 7). Subsequent functions (Commissioning, Pre-Startup Acceptance Test, Maintenance, etc.) are not addressed except as they pertain to the design of the SIS.

The information provided in Annex D is intended to illustrate the thought process in designing a SIS and the relationship of each step to this standard. References to the standard and the appropriate annexes are provided in parentheses ( ), and in addition, exact extractions from the normative portion of this standard are shown in italics.

Because of the amount of detail that is required to achieve a high-integrity safety design, this example includes a number of simplifications. It is necessary to read the complete annex to understand how all design issues are addressed. The figures and guidance provided in Annex D are an overview of what is needed and do not provide the detail necessary to specify, design, install, and maintain a SIS. This example does provide guidance to users on how to implement this standard.

The specific design choices made in this example do not reflect practices associated with any particular company and are not intended to be the only possible choices. It is expected that each company will have guidelines that address the methodology that should be used in arriving at their own particular solution. The final design, by whatever methodology used, should meet the specified Safety Integrity Level (SIL).

D.2 Safety Life Cycle (Figure 4.1)

D.3 Safety requirement specification

D.3.1 Input requirements (5.2)

The information required from the Process Hazards Analysis (PHA) or process design team used to develop the Safety Requirement Specifications includes the following.

D.3.1.1 Process information description (5.2.1)

Process information description (dynamics, sensors, final elements, etc.) of each potential hazardous event that requires a SIS (Reference C.6).

The level inside the process surge tank must be maintained. The process as shown in Figure D.1 contains hot wash water with varying amounts of flammable organics and other hazardous chemicals. The level is sensed and transmitted by a level transmitter (LT-1) to a controller (LC-1), which in turn regulates the position of a control valve (LV-1) by transmitting a 4-20 mA signal to a current-to-air transducer (I/P-1). The tank (1-101) is provided with a relief valve to prevent over-pressure due to overfilling or fire. The relief valve discharges directly to the atmosphere.

If the relief valve discharges, the resulting spray could cause serious personnel injury due to the hazardous chemicals inside the tank. In addition, since the fluid is also flammable, the potential for a fire or explosion exists, which could also result in serious injury to personnel.

The PHA team has identified two possible causes of an overfill event in the tank:
a) LV-1 fails in an open position due to foreign material in the pipeline.
b) LT-1 fails indicating a low level, which causes the level controller to open LV-1.

Although the instruments in service (LT-1, LC-1, and LV-1) have been reliable in the past, the PHA team believes that, due to the number of safety issues involved, additional safeguards should be added to reduce this risk.

Figure D.1 — Basic process control scheme

One possibility would be to eliminate the relief valve. However, this option is barred by the ASME Code and could lead to a catastrophic failure of the tank in the event of over-pressure due to an external fire. This option was rejected.

Another option is to install a catch tank on the line from the relief valve. An alarm could be provided to indicate the presence of a liquid in the tank, which would in turn indicate that Tank 1-101 has overflowed. However, the PHA team is very concerned about contamination in the catch tank, pluggage of the overflow line, and also believes that the catch tank could overflow.

Since an intrinsic safety fix is not easy and/or may create additional safety problems, a SIS will be installed.

D.3.1.2 Safety Integrity Level of each safety function (5.2.2)

The PHA team agreed that the SIS for this application shall be designed and maintained to provide SIL 2 performance.

D.3.1.3 Process common cause failure consideration (5.2.3)

The design team should be aware of the following process common cause failure possibilities:
a) There is a potential for chemical buildup on the level sensor. Consideration should be given to selecting the best sensor that guards against this failure and installing it so that the buildup does not take place or is reduced to a maintainable level.
b) Valves should also be selected that guard against this same concern (chemical buildup). In this particular case, full port-line size ball valves should be considered.

D.3.1.4 Regulatory requirements (5.2.4)

Because of the significant quantity of hazardous chemicals used in this process, the SIS shall be required to adhere to OSHA 29 CFR 1910 (Reference C.11).

D.3.2 Safety functional requirements (5.3)

D.3.2.1 Process safe state (5.3.1)

The process safe state is to shut off all raw material feeds into Tank 1-101.

D.3.2.2 Process inputs to the SIS and their trip points (5.3.2)

All feeds to the tank are to shut off when the level reaches ninety percent.

D.3.2.3 Normal operation range (5.3.3)

The normal operation is twenty to eighty percent of tank level.

D.3.2.4 Process outputs from the SIS and their action (5.3.4)

Redundant (1oo2) shutoff valves are required, one of which is shared with the BPCS (LV-1). Both valves are to fail closed.

D.3.2.5 Functional relationships between process inputs and outputs, including logic, math functions, and any required permissives (5.3.5)

For complex control system functional relationships, logic diagrams are provided and in some cases may have to be supplemented with text to properly communicate the functional requirements. In this example, the logic is so simple that a P&ID with narrative is sufficient.

D.3.2.6 Selection of de-energized to trip or energized to trip (5.3.6)

This SIS shall be de-energized to trip.

D.3.2.7 Considerations for manual shutdown (5.3.7)

Manual push buttons and a panel mounted alarm will be provided so that the operators can shut down the flow in the event that the SIS fails or the operator observes some other unusual condition.

D.3.2.8 Action to be taken on loss of energy source to the SIS (5.3.8)

Loss of electricity or air supply will result in closure of block valves.

D.3.2.9 Response time requirements for the SIS to bring the process to a safe state (5.3.9)

Since the tank fills slowly, ... response time for this SIS to function upon detection of high level is adequate.

D.3.2.10 Response action to any overt fault (5.3.10)

If the operator becomes aware of any failure in the SIS, the operator shall immediately shut off all feeds into the tank by pressing the emergency shutdown switch. In addition, if any problems are detected with the SIS, correction will be started immediately and work will continue round-the-clock until repair is complete.

D.3.2.11 Human-machine interface requirements (5.3.11)
a) Pre-high alarm from BPCS
b) Manual shutdown capability
c) SIS tripped alarm
d) SIS diagnostics alarm(s) (see D.4.2)

D.3.2.12 Reset function (5.3.12)

In the event that the SIS tripped, it is necessary for the operator to push a reset button to restart the feed into the tank.

D.4 Safety integrity requirements (5.4)

D.4.1 Required SIL (5.4.1)

SIL 2 is required.

D.4.2 Diagnostic requirements (5.4.2)

Limit switches on the shutoff valve will be used to compare the position of the valve with the signal from the logic solver. If they don't agree, the operator will be notified (by an alarm and/or printer) that there is an equipment failure.

D.4.3 Maintenance and testing (5.4.3)

This SIS shall be inspected and tested once per year.

D.4.4 Spurious trips (5.4.4)

Spurious trips will not cause any safety-related problems.

D.5 Conceptual design (6.0)

D.5.1 Objective (6.1)

The following requirements define the conceptual design requirements for this SIS.

D.5.2.1 Considerations (6.2.3)

a) Separation: The SIS shall be separate from the BPCS except for a shared valve.

b) Redundancy: Require redundant shutoff valves.

c) Software design considerations: The application program shall utilize function block-type software.

d) Technology selection: This SIS could be performed using any approved technology. PES is selected to allow this example to be more useful to the reader.

e) Failure rates and failure modes: The failure rates and failure modes for the SIS equipment used in this design has been developed from the data compiled within the KIS2 Corporation and SIS equipment supplier guidelines.

f) Architecture requirements: Using internal KIS2 Corporation guidelines, the architectural requirements for a SIL 2 is as follows: Sensor 1oo1, Logic Solvers 1oo1, Valves 1oo2.

g) Power sources: The electrical and pneumatic system power sources required for this batch process shall be provided using good engineering practices. This shall include 1) dedicated power source from a separately derived system (Reference C.5, Sections 250-5 and 250-26), 2) power sources capable of being individually maintained, 3) power sources with no common mode failure mechanisms due to failure of non-related power sources (except the main power source header), and 4) grounding using good engineering practices. An Uninterruptible Power Supply is not required because of the high system reliability experienced with the plant electrical power system.

h) Common cause: Sensors and valves selected to reduce chemical buildup problems.

i) Diagnostics: Limit switches on the shutoff valve will be used to compare the position of the valve with the signal from the logic solver. If they don’t agree, the operator will be notified (by an alarm and/or printer) that there is an equipment failure.

j) Field devices: Smart transmitters shall be utilized for all process measurements. All smart transmitter communication to the SIS logic solver shall be write protected to prevent changing the transmitter settings while on-line. The SIS sensors and final control elements are red tagged (in addition to standard identification) to note their safety functional status to plant personnel.

k) User interface: User interface shall be panel-mounted alarm panel, manual reset switch, and manual shutdown switch.

l) Security: The KIS2 facility is secure. The SIS logic solver shall be located in the equipment control room. Any communication link between the SIS and the BPCS shall be write protected to prevent inadvertent program changes to the SIS from the BPCS.

m) Wiring practices: The wiring shall be in accordance with the National Electrical Code (Reference C.5), local codes and regulations. Two separate raceway systems, one for electrical power (e.g. 120/240V) and one for instrument signal (e.g. 4-20 mA), shall be provided. SIS wiring can use the same terminal box as BPCS wiring, but clearly identified separate terminals shall be provided for all SIS wiring.

n) Documentation: Compliance with OSHA 29 CFR 1910 documentation requirement is mandatory.

o) Function test interval: The SIS shall be tested once a year.

D.6 Detail design (7.0)

D.6.1 Objective (7.1)

The following is an overview of how the information developed in the Safety Requirement Specifications and the SIS Conceptual Design is used to develop the SIS Detail Design.

D.6.2 General requirements (7.2)

KIS2 Corporation has developed corporate guidelines for the detail design of SISs. Using these documents, the SIS can now be designed. The architecture is selected using KIS2 corporate guidelines and the information developed. The conceptual design is shown in Figure 2. Using the Safety Requirement Specifications, the SIS Conceptual Design requirement, and internal KIS2 corporate guideline, the final design is reflected in Figure D.2.

Figure D.2 — Tentative design solution


66. 22.`. 66. 89 application software 18. 33. 60. 88 air conditioning 34 air filtration 34 alarm convention(s) 76 alarm systems 17 alarm(s) 32. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584.. 58. 74. 63.. 91 armature 64.. 28.. 73 analog devices 72. 87. 28. 71 appropriate technology 25 arc suppression 61 architecture(s) 18. 88. 30. 86. 66. 73 Accuracy of calibration 37 achitecture(s) 66 actuator 74 adequacy of current risk controls 53 adhere 38. Systems. 58. 63. 89 1oo2 22. 59. 69. 89 2 2oo3 22. 66.`--- 1 1oo1 28. 42. 29. 79 application specific 70.``. 65. 77. 77 access method(s) 76 accuracy 37. 76. 74 ambient 74 ambiguity 76 American National Standards Institute (ANSI) 44 amplifier(s) 75 amplitude 63 analog 57.`. 89.``. 59.. 93 . 19. 72. 66.. 72. 59. The Instrumentation. 66.````.. 28.. 22. 87 administrative controls 39 administrative procedure(s) 20. 75 anti-surge control 18 application program(s) 18. 19. 73..`.`-`-`. 42. and Automation Society ANSI/ISA-S84. 77 aeronautical 4 air 19. 73 as-found 41 as-left 41 assessment 46 authorization requirements 42 COPYRIGHT 2003. 33.`..Annex E (Informative) — Index --``. 59.`. 40.01-1996 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 48. User=.. 90 algorithm(s) 72 alternate 32. 66 A abnormal stress 69 AC transfer time 67 access 33.. 79. 67. 35. 87. 26. 76. 35. 53. 73 analytical measurement(s) 73 annunciator(s) 66. 68. 63. 62. 58. 35.

. 83. 42. 84 C.2 48. The Instrumentation. 38. 65. 18.6 15. 79 barrier 64 basic events 53 Basic Process Control System(s) (BPCS) 16. 20.8 13. 76 buffered 76 bug 35 bug-reporting 60 built-in test(s) 71 bypass 56 bypassed 32..4 61.7 78. 82 C.11 41.. 69 chronic health effects 17 circuit common(s) 78 --``.`. 81 C.. 89. 78 Central Processing Unit (CPU) 62 certified 60 certify 40 channel(s) 22. 74. 64. 59. 86 C.. 90 C. 83 cabinet wiring 78 cabinet(s) 70. 82.3 66.````.`. 82 C.`.. 45..9 13. 54.automated 15. 31.`--- COPYRIGHT 2003.. 39. 63 calibration 33.`. 76 automatic reset 30 automatic transfer 67 automatically restart 31 auxiliary contact(s) 75 availability 18. 81. 68. 20 automatic 30.. 82 C.5 30. 48.``. 82 C. 77. 70 checklist 67. 83 C. 67 benign faults(s) 70 boundaries 15 brown outs 68 buffer 65.`-`-`.14 48. 51. User=. 39 C C. 68. 47. 67. 35.10 83 C. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. 81 C.1 30. 81 C.01-1996 . 78 calculation 22. 69 capacitive 78 cathodic protection 68 caution 63.13 54.`. 68 avionics 43 B backed up 69 backup 64. 71.. 39 bypassing 18... 58. and Automation Society 94 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 84 C. 32.12 19. 30. 46 batch # 30 battery(ies) 39. 36.15 48. 22. 46. 77. 69.``. 87 C. ANSI/ISA-S84. Systems. 64.16 68. 82 C.

64. 70. 66.. 52 contact 61. 30. 51 conservative 47.`. 49..````. 66. 89. 58. 62.. 61. 69 continuous 63. 86 coordination 67 coriolis flow 58 corrosion 27.closed 61. 68. 64. 67. 73. 73 coking 31 color code 73 color(s) 76 commands 60 commissioning 13. 69. 63. 39. 64. 87 Complimentary Metal Oxide Semiconductor (CMOS) 62 compressor 18 computational 40. 58. 36. 27. 63. 75 contaminants 34. 76 conformance 20. 72. 48. 72 continuous mode 43 control and safety functions 55. Systems. 73 Critical 71 critical 32. 73. 28. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. 17. 38. 78. 77.`. 79. 90 common cause failure(s) 18.`. 67. 62. 65. and Automation Society --``. 33. 75 contact-wetting 61. 26. 77. 29. 53. 67. 85 common cause 18. 87 coating 27 code(s) 16. 68. 59. 25. 95 . 33.`.. 51. 57. 70 covert mode 63 criteria 47. 61. 87. 37. The Instrumentation. 28. 78 CRT 32 current 31. User=.``. 75. 31.. 56. 90 company guidance 51 competence of persons 45 complex 47. 64. 78.. 59.. 72.. 64.. 73. 32. 78. 48. 69. 52.`. 19. 87 common cause fault(s) 18. 86 customers 35 COPYRIGHT 2003.`-`-`. 63 conceptual design 29. 30.. 68. 25. 63. 45 conditioner(s) 75 cone of protection 68 configuration 19.``. 71 covert 35 covert failure mode 30 covert failure(s) 30 covert fault(s) 18. 57 control valve(s) 32. 68. 64. 91 conceptual process design 23. 45.01-1996 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 79. 53 consequences only method 47. 90 coil 61. 58.. 54.. 69 cost 52 coverage 18. 55. 57. 71 critical information 76 cross-talk 71. 70 common components 57 common elements 28 common logic 28 common mode 64 common mode failure mechanisms 89 common mode failures 61 communication(s) 18. 70 critical faults 70.`--- ANSI/ISA-S84. 36 confusion 76 consequence analysis 48 consequence(s) 19. 30.

57. 27. 90 downscale 64. 13. 21. 72.. and Automation Society 96 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 40. 46.`.``. 89 dedicated wiring 31 de-energize(d) to trip 19. 73 detected faults 39 detection 19. 34. 79 digital timer 62 direct-wired 60 direct-wiring 62. 66. 27. 23. 61 defects 39 definitions 3. 71. 25.D decommissioning 18. 75. 56. 75 disk(s) 79 display(s) 37. 71 diagnostic fault detection 25. 53. 65. 32. 76... 45. 37. 72. 90. 76. 82 duty cycles 62 dynamic random fault(s) 71 dynamics 27. 20.. 26. 72. 43. ANSI/ISA-S84. 39.`. 73. 85.. 36. 33. 67.. 26. 74 document control procedure 42 document(s) 13. 18 degradation 32 demand 19. 66. 41..01-1996 --``.. 70. 30. 57. 55. 66 diverse redundancy 21.`. 67 designer 58 detail design 36. 63. 67. 68. 40. 57.`. 13. 71. 21. 72. 76 diverse 19. 48 diagnostic testing 59 diagnostic(s) 28. 42. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. 79. 76. 43.``. 68 Electrical/Electronic/Programmable Electronic System (E/E/PES) 15 Electro Magnetic Interference (EMI) 34. 66. 42. 87 de-energized 19. 73 discrete input/output 31 discrete sensor(s) 31. 19. 43 digital 19. 63.````.`-`-`. 77. 67 electromechanical 19 COPYRIGHT 2003. User=. 67. 88 diagnostic coverage 18. 60.02 3. 72. 25. 78 electrical technology 60. 29. 70 diversity 72.. 86 E electrical area classification 34 electrical fault 22 electrical noise 67. 29. 73. 73 drain wire 78 dropout 61 dTR84.`. 77 distributed control system 63. 59. 70 diverse separation 21.. 58. 76 demand mode 43 demand rate 41 design considerations 29.. 55. Systems.. 77. 60. 22. 53. 70. 48. 78. 91 detectability 71 detectable 19.`--- . 66. 66. 38. 66. 29. 79. The Instrumentation. 56. 90 diagram 15 differences 4. 91 documentation 13. 88. 70. 46 dedicated power source 33. 63 dirt 75 disabling 33 discrete 21. 73. 33. 35.

Systems. 66. 75. 69. 41. 29.`.`. 46 F factory floor 75 fail position 74 fail-safe 19. 31. 34. 73. 62. 87 equipment reliability 53. 88 Emergency Shutdown System 21 end-of-line detection 71 energize(d) to trip 19. 64. 74. 73. 58. 76.`. 72. and Automation Society ANSI/ISA-S84. 64 electronic technology 62 electrostatic discharge 34 embedded software 19. 54 fault tree(s) 53... 53. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584.. 56. 90 field element(s) [See field device(s). 74 false shut down 22 falsely 78 fault avoidance 70 fault detection 72 fault source 58 fault tolerance 19. 86 forcing 19.``.. 63. 31. 63.electromechanical devices 61 electromechanical relay 19 electromechanical relay(s) 15. 66 equipment under control 18. The Instrumentation. 54 fault type(s) 70 feedback 73 fiber optic(s) 33.`--- COPYRIGHT 2003.``. 59 emergency 26. 61. 89 failure rate(s) 29. 71. User=. 22. 61. 63 fault tree analysis 47. 66. 62. 53 fault tree logic diagram 53. 61.. 31 fire and gas detection systems 31 fire and gas monitoring systems 17 fire resistance 74 firmware 19. 54. 21. 41.. 35 formatting utilities 76 fouling 69 freezing 31. 79 frequency of occurrence 30. 21. 66. 27. 88 fluid 69. 65.`. 67. 86 formal revision and release control program(s) 30.`-`-`.````.] field device(s) 19.] field sensor(s) 55. 75 frequency 34. 46 event logging 76 explosive 53 external risk reduction 45.01-1996 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 78 field control element(s) [See field device(s). 67. 73. 74. 89 failure state(s) 73 failure to function on demand 35 false 53. 59 fixes 59 flooding 34 flow 49. 39.. 62 failure mode(s) 29.. 53..... 53. 73 field wiring 19 fieldbus 17. 36. 22.`. 54 frequency(s) of testing 39 fuel/air controls 18 functional description 22 --``. 63. 58. 97 . 35. 35 foreign 74.

67..01-1996 .````. 88 humidity 34. 53.. 68. 26. 37. 33. 57 geographic diversity 59 good engineering practices 17. 67. ANSI/ISA-S84. 69. 52.`..``. and Automation Society 98 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 69 hydraulic(s) 16. 54 highly recommended 45 historical data 39 horns 32 host 18 host functions 77 human actions 20 human machine interface(s) 17. 60 hard-wired 19. 79 functional testing 19.. The Instrumentation. 68 grounding 34.``. 35. 86 HAZOP 53 heaters 18 hermetically sealed 61 hidden fault(s) 71 High Noise Immunity Logic (HNIL) 62 high pressure 48. 69 hybrid 60 hydraulic power 66. 64.. 39. 33. 19. 30. 58.functional test interval 29. 53.. 89. 50. 39.`.. 61. 71. 20. 52. 19. 51. 78 G gas turbine(s) 30. 87 hazardous area classifications 30 hazardous event(s) 19. 89 governing authorities 16 gravity 61 ground fault detection 68 ground loop(s) 78 ground plane(s) 22. 79 functional testing procedures 40 fuse(s) 39.. 44. 68.`..`-`-`. 49. 90. 86. 85.. 25. 58. 22. 53 hazardous 28. 27. 51.. 40. 59. 46 hazard(s) 16. 79 functional test(s) 22. 91 H hands on 47 hardware 18. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. 66. 68. 69. 79. 28.`--- COPYRIGHT 2003. 39. 33. 76 hardware degradation 39 hardware fault(s) 22. 57 hard-wired logic 15 harm 51 harmonics 67 hazard and risk analysis 45.`. 48.`. 37.. 78 ground(s) 63. 48. User=. 60 --``. Systems. 35. 79 functional test procedure(s) 40. 89 guide words 53 guideline(s) 3. 72. 36. 25.

89. 87 life cycle 48.`. 77 interlock(s) 30. 68. 41 installation 13. 76 latching 62 laws 16 layers 20.. 57 COPYRIGHT 2003. 86 level of risk 25 level of safety 46. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584.`. 91 internal communication 18 intrinsic safety barrier 68 ISO 9000 45 isolation 64. 54 injury 19. 60 layout 70.``. 78. 44.`-`-`.. 4 IEC draft Publication 1508 3. 66.`.`.I identical 21 identical redundancy 21. 76. 78 K keyboard 60 L label(s) 76 lamp(s) 75. 68 insect(s) 75 inspection(s) 40. 30. 71. and Automation Society ANSI/ISA-S84. 29. 63.. 43. 75. 63. 76 inductive 61. 78 industry 4 industry sectors 4 industry standards 60 inherently 61 inherently safe 71 inhibit 39.. 33. 56 internal 18.. 36. 68. 56. 29. User=. 46.. 30. 66. 70 IEC 3. The Instrumentation. 4.`--- . 75.``. 51. 67.`. 37. 20. 99 --``. 52. 55. 46 impedance 71 incident cause 27 indeterminate failure modes 62 indicating lights 32 indicators 33. 75 input/output modules 20.. Systems. 30.. 13. 86 input requirements 85 input/output devices 28. 77 inrush current 67.. 71 initiating event(s) 51. 76 leakage 74..````. 26. 45. 57. 48 level sensor 56.01-1996 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 78 legislation 41 level controller 56. 75 instrument gas 69 insulation 67 integration 20 interface(s) 15.. 65. 21. 70 identical separation 21. 32..

70 modified HAZOP method 47. 90 manual trip 40 manufacture 13. 42. 87 logic function(s) 19. 62 COPYRIGHT 2003. 90 loop # 41 low energy 61. 62. 46 Management of Change (MOC) documentation 79 Management of Change (MOC) procedure(s) 26. 41. 26. 39. 63. 22. 68.. The Instrumentation. 39.. 90 manual shutdown 27. 38. 26. 87 mathematical analysis 20 matrix method(s) 47 mature 60 mature technology 61 Mean Time Between Failures (MTBF) 22 Mean Time To Detection (MTTD) 72. 49. 77 modification errors 77 modification(s) 22. 44.. 70. 58. 20. 89. 79 memory 19.. 33. 65. User=. 46. 49. 33. 20.`.`-`-`. 69.`.````. 35.`--- 100 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 52 modular design 59 modulating 73. 53 lubrication 39. 30 Mean Time To Repair (MTTR) 22 measure(s) 3. 36. 87 math functions 27. 72. 76 metallic covering 78 microcomputer 63 minimum level of independence 45 mitigate 19. 31. 42.`. 59. 31. 43 manual mode 53 manual reset 30. and Automation Society --``. 41. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. 19. 77 major criteria 52 major severity 52 malicious modification 77 management 16. 28. Systems. 61.``. ANSI/ISA-S84. 79 material(s) 4. 61 logic solver(s) 15. 76. 46.lightning 67. 30. 33. 37. 74. 17. 69 M magnetic tape 79 maintenance 20.01-1996 . 77. 70. 73 Mean Time To Failure (MTTF) 22. 47. 35. 57.. 45 Management of Change (MOC) 22. 58 mode(s) 33. 25. 30. 75 low pressure 48.... 16. 39. 57. 62. 78. 77 motor driven timer(s) 15. 66. 26. 58 manufacturer 20. 26. 86. 31. 25. 21..`. 78. 74. 45. 37. 71. 57. 62. 77. 45. 88. 74 moisture 69 monitoring 17.. 75. 58. 20. 72 measurement(s) 58. 70.`. 79 maintenance program 38 maintenance/engineering interface(s) 18. 32. 90 medium 51. 88. 33.. 88 maintenance costs 53 maintenance procedures 25. 78 limited time window 58 limiting access 57 local factors 51 locking 62 log 46 logged 76 logic diagrams 53. 37. 73. 70. 30.``. 68. 43. 85.. 56.

56 overt 63. 74 oscillator 62 OSHA 22. 44. 19.`. 75. Systems. 41. 38. 86. 51.. 41. 73. 56. 42. 101 --``. 78. 64. 28. 36. 77 on scale 73 on-line 20. 79 operating limits 27 operating procedure(s) 35. 32. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. 87 normal operation range 87 not recommended 59. 42.01-1996 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 41. 90 organization(s) 13. 33.. 86 operating conditions 60 operating experience 20. 26. 61. 53. 47. 22.````. 56. 70. 75. 90 off-line 20. 66. 54. 35.. 87 override(s) 19. 53 operator(s) 18. 90 nested 60 network 33. 77.``.``. 90 on-line testing 35. 17. The Instrumentation.] output trip relay 40 overload 67 over-pressure 48. 38. 38. 46. 71 overt fault(s) 20..`. 49. 45...motor overload(s) 31 motor starter(s) 32.. 76. 77.. 75 N name(s) 40 National Electrical Code (NEC) 30. 45. 46.`. and Automation Society ANSI/ISA-S84.. 25. 88. 37. 76 operator response 48. 61. 36 networking 63 NFPA 70 30 noise 64. 88 overvoltage(s) 68 owner/operator 17 ownership 47 oxidation 61 COPYRIGHT 2003. User=. 42.`. 45 normal operating range 27 normal operation 19. 87. 48.`. 63 Nuclear Industry 16 nuisance trip 22 numerical data 20 O objective(s) 13. 25..`-`-`.. 68 non-safety function 30 non-safety related display(s) 76 non-SIS protection layers 23.`--- . 35. 27. 90 output(s) [See input/output devices and input/output modules. 68 non-linear 67. 40 open 53.. 89. 40. 79 operating system(s) 59 operational bypasses 38 operator action 17 operator error 53 operator interface(s) 18. 75 motor(s) 39 mounting 74. 32. 79.

73. 69. 49. 20 physical 19. 67. 58. 67 predictability 73 pressure 31.. 38. 23. 31.01-1996 . 42.. 40. 85 process hazards review(s) 44.. 25 Process Control System 18 process deviation(s) 53 Process Hazards Analysis (PHA) 16. 74 possible cause(s) 72.. 77 personnel safety 68 PES logic solver(s) 30. Systems. 87 personal computer(s) 63. 53. 90 plugging 27. 70. 47. 63.`-`-`. 19. 59. 31. 61.. 68. 57. 89.``. 39. 60.`. 37. 48. 21. 76. 26. 90 power distribution 67 power source(s) 29. 20. 70 piping and instrumentation diagram (P&ID) 48 plant 26. 23 Programmable Logic Controller (PLC) 19 programming 28. 64.`--- COPYRIGHT 2003. 22. 66.``. 69. 86 power 19. 75. 51 process variable(s) 27. and Automation Society 102 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 20. 32. 85 Pre-Startup Safety Review (PSSR) 23. 36. 88. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. 78. 58. 76. 67. 34. 75. 73. 77 peer review(s) 60 period(s) 21. 75 pneumatic(s) 16.. 48 process industry sector 20 process industry(ies) 4. 46 process knowledge 47 process risk 51 Process Safety Design 16 Process Safety Management 16 process safety team 47. 79. 54 pressure relief valve 48. 21. 73. 89 poll fault 65 polymerization 31. 74 pressure control valve 53. 17. 74 periodic inspection program 39 periodic test intervals 39 permanent random fault(s) 71 permissives 22.````. 48.. 88. 52. 75 PFD Average Range 25 pharmaceutical(s) 4. 27.P panel(s) 33.`. 47 program(s) 33. 15... 28.`. 89. 49. 90 programmable controller 63 Programmable Electronic Failure Mode(s) 65 Programmable Electronic System(s) (PES) 3. 77. 89 power supply (supplies) 15.`. 76. The Instrumentation. User=. 74. 58. 15. 49. 30. 90 parameter(s) 77 part # 30 partially open 73 password(s) 58. 60 programming guidelines 60 programming language(s) 60 programming terminal(s) 33 proof testing frequency 60 --``. 51 pressure sensor 53 Pre-Startup Acceptance Test (PSAT) 13. 
26 pre-trip 76 preventive 48 preventive maintenance 20 printer(s) 75. 27. ANSI/ISA-S84. 66.`. 23. 45.. 13. 90 Probability of Failure on Demand (PFD) 20. 33. 69.. 23. 66. 20..

property damage 52, 53 property protection 17 protect against the consequences 53 protection layer(s) 20, 25, 31, 51 pulse counting 62 pulsed 63 pulsed electronic logic 63 purchase specification 16 purge 62 purpose(s) 17, 18, 21, 30, 51, 75 pushbutton(s) 66

Q
qualitative 20, 51, 79 qualitative matrix 51, 52 qualitative risk evaluation SIL determination method 47 quality 59, 60, 63 quality system(s) 45 quantified 61, 62, 75 quantitative 20, 79 quantitative risk assessment 47 quartz 62

R
radiated noise 78 raised floor grounding 68 Random Access Memory (RAM) 71 random failure(s) 71 read 31, 85 read only 57, 66, 77 read/write 31, 57, 58, 66 reading(s) 73, 74 read-write access 33 recipe 33, 63 redundancy 21, 25, 48, 58, 63, 66, 67, 72, 73, 75, 89 Redundant 87 redundant 22, 31, 56, 58, 59, 64, 69, 71, 75, 89 redundant sensors 31, 72 references [See Annex C page 81 and C.1 - C.16.] regulation(s) 16, 22, 38, 44, 90 regulatory requirement(s) 27, 87 relay(s) 61, 63, 64, 68, 69, 73 reliability 21, 28, 58, 62, 66, 67, 69, 74, 89 reliability experience 56 relief valve 53, 86, 87 remote I/O 18, 31 repair 39, 88 repeatability 62 replacement in kind 21, 41 reporting 76 reset 21, 30, 38, 65, 88 reset function(s) 28, 37, 88 resistor-capacitor (RC) 62 Resistor-Transistor Logic (RTL) 62 resolution 60, 62 response action 28, 30, 88 response time 42, 88 response time requirements 28, 88


response(s) 20, 35, 38, 64, 71 revise 43 revision level 59 rewiring 61 risk assessment 21, 23 risk control(s) 53 risk estimates 21 risk evaluation(s) 52 risk reduction 46, 48, 53 risk related 52 risk(s) 25, 42, 48, 52, 53, 86 ROM 57, 71

S
safe process condition(s) 30 safe response(s) 70, 71, 76 safe state(s) 17, 19, 21, 27, 28, 29, 30, 32, 33, 38, 40, 87, 88 safety and health 22, 41 safety availability 18, 20, 21 safety availability range 25 safety critical function(s) 60 safety function(s) 15, 18, 21, 25, 27, 28, 30, 46, 48, 57, 58, 76, 77, 87 safety functional requirements 22, 27, 87 safety functionality 55 Safety Instrumented Systems (SIS) 4, 13, 15, 16, 17, 21, 23, 27, 28, 29, 36, 38, 42, 43, 48, 60, 85 safety integrity 42, 56, 57, 58, 63, 66, 67 Safety Integrity Level (SIL) 13, 21, 23, 25, 28, 29, 45, 46, 48, 79, 85, 87 safety integrity requirements 27, 28, 55, 56, 67 Safety Interlock System 21 safety layer matrix 51 Safety Life Cycle 13, 16, 21, 22, 23, 24, 25, 26, 36, 42, 45, 48, 66 safety logic 61 safety management 45 safety plan 45 safety related display(s) 76 safety related system(s) 45 Safety Requirement Specifications 19, 20, 22, 26, 27, 28, 29, 30, 34, 35, 36, 37, 38, 39, 41, 60, 72, 78, 85, 90, 91 safety review 31, 32, 33 safety review and analysis 56, 57, 58, 68, 78 Safety Shutdown System (SSD) 21 science 47 scope 17, 23, 25, 26, 45, 46, 47, 60, 77 security 28, 29, 33, 35, 77, 90 self revealing 39 self-tests 71 sensor diagnostics 31 separate(s) 13, 66, 67, 70, 76, 79, 89, 90 separated 30, 31 separating 78 separation 21, 55, 57, 70, 78, 89 Sequence Of Events (SOE) 76 sequence(s) of failure(s) 53 sequencing functions 29 serial # 30, 41 setpoint(s) 37, 40, 56 severity 51, 52 severity of (the) consequences 51, 52, 53 shield 68, 78 shielding 67, 78 shock 34 short circuit 67 shutdown 22, 37, 39, 50, 51, 52, 53, 54, 56, 73, 82, 88


shutdown switches 76, 88 shutoff valves 74, 87, 88, 89, 90 signal comparison 71 signal processing speed 75 signal to noise ratio 75 SIL 1 21, 32, 46, 52, 54, 55, 56, 57, 58, 66 SIL 2 21, 46, 51, 53, 54, 56, 57, 58, 66, 87, 88, 89 SIL 3 21, 25, 32, 46, 52, 54, 55, 56, 57, 58, 66 SIL 4 46 SIL determination method(s) 47 SIL performance 66 SIL selection 47, 52 simple 47, 61, 71, 87 simplicity 59 single point 68 SIS alarm(s) 38, 77 SIS applications 52, 61, 62, 63, 68, 73 SIS architecture 28, 66 SIS Conceptual Design(s) 26, 28, 85, 90, 91 SIS failure mode(s) 64 SIS performance 48, 57 smart sensors 31 software 3, 18, 19, 22, 30, 33, 35, 41, 42, 57, 58, 59, 60, 71, 72, 89 software bugs 72 software design 60, 69 software design considerations 29, 89 software error(s) 58 software fault(s) 19, 22, 35 software release(s) 59 software reliability 39 software revision 59 software switch 58 solenoid valve(s) 69, 74, 75 solid state 75, 78 solid state logic 15, 19, 62, 63, 64 solid state logic system(s) 63, 75 solid state relay(s) 15, 19, 62, 75 solid state system(s) 63 solid state timer(s) 62 special purpose(s) 19, 75 speed of response 40 spring(s) 61 spurious trip(s) 22, 28, 58, 66, 70, 88 Standards and Practices (S&P) Board 3, 7 startup 16, 26, 42, 53, 67, 73 static electricity 68 storage media 77 supplier(s) 30, 59, 70, 90 surge(s) 67, 68, 78, 85, 86 suspended solid(s) 31 switch(es) 57, 72, 73, 75, 88, 90 system software 22 systematic error(s) 69, 70, 72 systematic failure(s) 22, 41, 71 systematic fault(s) 55, 72

T
tag # 41, 76 tampering 62 target SIL 25, 48, 71 team 27, 47, 48, 52, 53, 54, 60, 85, 86, 87 technology selection 29, 89


63. 35. 49. 62. User=. 73 upset 53 upset cause 53 uptime 69 user approved 17. 61. 70. 54 vessel(s) 49. 28. 87 trip(s) 19. 28. 73.02 [See ISA-dTR84.. 68 transistor(s) 62 transmission 75 trip point(s) 27. 63.`. 90 utility software 22. The Instrumentation. 38.. 60. 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584. 77. 88. 40. 22. 63.``.. 75 volume 69 vortex flow 58 voting 22. 33. 72.````. 39. 76 testing 13. 39. 41. 74. 31. 73. 44. 89 unreliable 61 unsafe failure mode(s) 56. 40. 69. 89.`--- U undervoltage(s) 68 ungrounded 68 Uninterruptible Power Supply (UPS) 67. 76 turndown 73 twisted pair 78 COPYRIGHT 2003..02. 68. 38. 38. 88 thermal fault(s) 71 thermocouple(s) 71 third party(ies) 59 time(s) 4. 35.] track record 61 training 26. 22. ANSI/ISA-S84. 35. 61. 72. 66.`. 68.. 74. 62. 66. 75. 61.. 60. 64. 54 TR84. 37. 74.``. 90 test(s) 33.. 55.`.temperature 31.`. 72. 71. 75 upscale 64. 39 verification(s) 22.. 59 V validate(s) 66 validation 46.. 73. 41. 71. 22.. 28. 65. 58. 65. 51. 45. 34. 69 video display(s) 75 visible markings 30 voltage(s) 64. 48.. 61. 66 106 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101. 67. 76 timer(s) 15. 26. 30. 57. 77 vendor(s) 22. 70. 77 valve(s) 39. 72. 30. 56. 20. 66.01-1996 .`. 53. 77. 62. 45. 26. 72. 40. 37. 62. 75 vessel rupture 53. 85 vibration 34. 31. 90 variable(s) 33. 38. 56. 79 verify 19. 58. 73. 59.`-`-`. 72. 63. 32. 42. 73. 69 transfer time 65 transient(s) 22. 19. 25. 52. 30. 73. 69. 77 user interface(s) 15. 64. 64. 73 vent(s) 75 ventilation 34. 87. and Automation Society --``.. 46. 21. 78 terminology 43 test and bypass functions 77 test facilities 35. Systems. 60. 40. 68. 74. 70. 65 top event 53. 29. 42. 78 test interval(s) 22.

. Systems..````. 78. 58 write(s) 57 COPYRIGHT 2003. 90 witnessing test(s) 45 Working Group 10 (WG10) 3 write access 57. 64. User=.. 67..01-1996 Document provided by IHS Licensee=Technip Abu Dabhi/5931917101.`--- . 11/19/2003 03:35:21 MST Questions or comments about this message: please call the Document Policy Group at 1-800-451-1584.`.`..`.. 78.. 107 --``. 90 wiring practice(s) 29.``. 90 write protection 57. 67. 71 wiring 36.`-`-`.... 59. The Instrumentation. 63.`..`. and Automation Society ANSI/ISA-S84.``.W Watchdog Timer(s) (WDT) 23. 58 write protected 31..



Developing and promulgating technically sound consensus standards, recommended practices, and technical reports is one of ISA’s primary goals. To achieve this goal the Standards and Practices Department relies on the technical expertise and efforts of volunteer committee members, chairmen, and reviewers.

ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United States Technical Advisory Groups (USTAGs) and provides secretariat support for International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees that develop process measurement and control standards. To obtain additional information on the Society’s standards program, please write:

ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709

ISBN: 1-55617-590-6
