How This Standard Will Affect Your Business
Bob Adamski, Director
PCE, Triconex Corporation
15091 Bake Parkway Irvine, CA 92618
(949) 699-2100 (949) 768-6601 Fax
Published or Presented: Instrument and Controls Systems, September 1997, Vol. 70, No. 9.
Introduction:
Page 6404 Para. (3)(H)(ii) Safety Systems (e.g. interlocks, detection or suppression
systems). (ii) The employer shall document that the equipment complies with
recognized and generally accepted good engineering practices.
Furthermore, EPA 40 CFR Part 68 has at least ten (10) references to . . . accepted
engineering standards and practices for mitigation or protective systems designed to
prevent an EPA incident. Both OSHA and EPA make references to national standards,
including the American National Standards Institute (ANSI). ISA is an American
National Standards Institute (ANSI) accredited organization.
With over 100 user companies represented on the S84 Committee, the standard that was
produced represents a consensus of users and vendors. A unanimous vote of the
Committee and of the ISA membership endorsed the document as an accepted industry
standard. Most companies found little or no conflict with their own internal engineering
practices for safety systems, but others with no formal engineering guidelines will have
to modify their practices. This standard joins the other industry accepted standards, e.g.
the ASME vessel codes, NFPA for burner management, IEEE for electrical systems, and the
civil and building codes/standards. User companies have strict compliance policies for
these standards and would rarely if ever violate their requirements. The new S84.01
standard is no different: its requirements ensure a design that will meet the required
process safety integrity level. In addition, US companies should be aware of the increasing threat of
What is also new to users is the assignment and verification of the SIS safety integrity
level (SIL). Assigning and qualifying safety integrity levels is undoubtedly the one
requirement of S84.01 that companies are having the most difficulty with; SIL is
discussed below. Even major companies are soliciting the assistance of consultants
specializing in safety and critical control systems to help in determining SIL and
evaluating their SISs. Unfortunately, few consultants and ESD vendors provide these
services.
Discussion:
The S84.01 standard is organized into three major parts: 1) The main body of the
standard (Clauses 1-12) presents mandatory requirements. 2) Informative
Annexes A-J present additional non-mandatory (informative) technical information that
may be useful in SIS applications. 3) Technical report S84.02 (to be released later in
1997) provides non-mandatory (informative) technical information that is useful in
Safety Integrity Level analysis.
The standard is intended for those involved with SIS in the areas of:
Does this standard cover installed, existing safety instrumented systems (is there a
grandfather clause)? Yes and no. The requirement is stated as follows: for existing
equipment designed and constructed to codes, standards, or practices that are no longer
in use, the company shall determine and document that the equipment is designed,
maintained, inspected, tested, and operating in a safe manner.
Safety Lifecycle Model: The clauses in this standard are organized based on the Safety
Life Cycle. The Safety Life Cycle covers the Safety Instrumented System (SIS) activities
from initial conception through decommissioning. There are 16 major steps in the Safety
Life Cycle but only 10 are covered by this Standard. The other 6 are outside the Scope of
SP-84.
Figure: Safety Life Cycle Model. The diagram runs from Start through Conceptual Process
Design, Define target SIL, Develop Safety Requirements Specification, Establish Operation
& Maintenance Procedures and SIS Decommissioning to Decommission; the bold areas are
S84.01 concerns.
1. The process hazard analysis (e.g. HAZOP) must have been completed
2. A safety instrumented system (SIS) is required
3. The target safety integrity level (SIL) has been determined
These are key decisions that the standard does not give guidance on. However, the
availability requirements of the SIS are clearly defined in the document, as seen below.
It should be understood that SIL and availability are simply statistical representations of the
integrity of the SIS when a process demand occurs. Accepting a SIL 1 SIS means
that the level of hazard or economic risk is sufficiently low that a SIS with a 10%
probability of failure on demand (90% availability) is acceptable. For example, consider
the installation of a SIL 1 SIS for a high level trip in a liquid tank. An availability of
90% would mean that out of every 10 times that the level reached the high level trip
point there would be one predicted failure of the SIS and a subsequent overflow of the
tank. Is this an acceptable risk?
A qualitative view of SIL has slowly developed over the last few years as the concept of SIL
has been adopted at many chemical and petrochemical plants. This qualitative view can
be expressed in terms of the impact of the SIS failure on plant personnel and the public or
community.
One of the most common techniques, among U.S. chemical and petrochemical companies,
uses a risk matrix that is developed based on a corporate risk management philosophy.
The risk matrix is a correlation that presents the required risk reduction that is necessary
to decrease the perceived process risk to an acceptable level. The risk likelihood and risk
severity determined during the HAZOP is plotted on the risk matrix to determine the
required risk reduction or safety integrity level (SIL) for that specific hazard event. An
example of a risk matrix is shown below:
Figure: example risk matrix. Event likelihood (LOW, MODERATE, HIGH) is on the horizontal
axis and event severity (MINOR, SERIOUS, HIGH) on the vertical axis; the numbers in the
cells (1 to 3) correspond to SIL levels from ISA SP-84 and rise from low event risk
toward high event risk.
1. The first step is to develop a Safety Requirements Specification (SRS). The objective
of this Clause is to develop specifications for Safety Instrumented System (SIS) design.
The SRS consists of both safety functional requirements and safety integrity
requirements, and can be a collection of documents or information. The safety
functional requirements document the logic and actions to be performed by the SIS
and the process conditions under which actions are initiated. These requirements
include such items as, consideration for
2. The second step is conceptual design. Some requirements the engineer will need to
define are: the SIS architecture, e.g. voting 1oo1, 1oo2, 2oo2 or 2oo3, to ensure the
SIL is met. When functions with different SILs share a single logic solver, the logic
solver must meet the highest of those SILs. A functional test interval must be selected
to achieve the SIL, and the conceptual design must be verified against the SRS.
3. Detail design covers the following areas: General Requirements, SIS Logic Solver,
Field Devices, Interfaces, Energy Sources, System Environment, Application Logic
Requirements, Maintenance or Testing Requirements. Some key requirements worth
noting are:
   - The logic solver shall be separated from the basic process control system (BPCS);
   - Sensors for the SIS shall be separated from the sensors for the basic process
     control system (BPCS);
   - The logic system vendor shall provide MTTF data, a covert failure listing, and the
     frequency of occurrence of the identified covert failures;
   - Each individual field device shall have its own dedicated wiring to the system I/O.
     Field Bus not allowed!;
   - A control valve from the BPCS shall not be used as the only final element for SIL 3;
   - The operator interface shall not be allowed to change the SIS application software;
   - Forcing shall not be used as a part of the application software or of operating
     procedure(s);
   - When on-line testing is required, test facilities shall be an integral part of the
     SIS design.
4. The fourth step is to develop a Pre-Startup Acceptance Test (PSAT) procedure that
provides a full functional test of the SIS to show conformance with the SRS. It is
recommended that the reader review the entire requirements of this Clause.
5. The Operation and Maintenance section is to ensure that the Safety Instrumented
System (SIS) functions in accordance with the Safety Requirements Specification
(SRS) throughout the SIS operational life. You will notice that this section follows the
requirements of OSHA 1910.119. This Clause has 7 Sections that state specific
requirements for all user companies.
8. Decommissioning is the last step in the life cycle model to ensure proper review prior
to permanently retiring a Safety Instrumented System (SIS) from active service.
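As an added example, not from the article and not ISA's or Triconex's code, the following Python script carries two of the steps above through to numbers: the target SIL for a hazard event from a risk matrix (the qualitative SIL determination discussed under the risk matrix), and the conceptual-design check from step 2, i.e. whether a given voting architecture (1oo1, 1oo2, 2oo2, 2oo3) and functional test interval achieve that SIL. The SIL/PFD bands, the simplified average probability-of-failure-on-demand formulas, the failure-rate and test-interval inputs, and the risk matrix cell values are all assumptions stated in the code; the matrix is one reading of the article's figure, and a real one comes from the company's own risk management philosophy.

```python
"""Added example (not from the article): target SIL from a risk matrix, then
verification of a conceptual SIS design (voting architecture plus functional
test interval) against it using average probability of failure on demand.

Assumptions, none of which come from the page:
  - SIL bands follow the S84.01-1996 availability ranges (SIL 1: 90-99 %,
    SIL 2: 99-99.9 %, SIL 3: 99.9-99.99 %), i.e. PFDavg limits 1e-1, 1e-2, 1e-3.
  - PFDavg uses the simplified low-demand formulas for identical channels with
    constant dangerous (covert) failure rate lambda_d per hour and proof-test
    interval TI in hours: no diagnostics, no common-cause failures.
  - RISK_MATRIX is one reading of the article's figure, not a company policy.
"""

LIKELIHOODS = ("LOW", "MODERATE", "HIGH")

# Rows: event severity; columns: event likelihood (LOW, MODERATE, HIGH).
# Cell values are the required SIL. Assumed reading of the article's figure.
RISK_MATRIX = {
    "MINOR":   (1, 2, 2),
    "SERIOUS": (2, 2, 3),
    "HIGH":    (2, 3, 3),
}

# Upper PFDavg limit for each SIL (assumed S84.01-1996 bands, inclusive).
SIL_PFD_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3}


def required_sil(severity: str, likelihood: str) -> int:
    """Target SIL for one hazard event from its HAZOP severity and likelihood."""
    return RISK_MATRIX[severity.upper()][LIKELIHOODS.index(likelihood.upper())]


def pfd_avg(arch: str, lambda_d: float, ti_hours: float) -> float:
    """PFDavg of a voting group over one proof-test interval.

    x = lambda_d * TI is the expected number of dangerous failures of one
    channel per interval; the formulas below assume x is well below 1.
    """
    x = lambda_d * ti_hours
    if x >= 0.1:
        raise ValueError("lambda_d * TI too large for the simplified formulas")
    formulas = {
        "1oo1": x / 2,      # single channel, fails on average half-way through TI
        "1oo2": x * x / 3,  # both channels must fail dangerously to lose the trip
        "2oo2": x,          # either channel failing dangerously blocks the trip
        "2oo3": x * x,      # any two of three failing dangerously blocks the trip
    }
    return formulas[arch]


def sil_achieved(pfd: float) -> int:
    """Highest SIL whose PFDavg limit the value meets; 0 means below SIL 1.
    S84.01 stops at SIL 3, so anything at or below 1e-3 is reported as 3."""
    achieved = 0
    for sil, limit in SIL_PFD_LIMIT.items():
        if pfd <= limit:
            achieved = sil
    return achieved


def max_test_interval_hours(arch: str, lambda_d: float, target_sil: int) -> float:
    """Longest functional test interval (hours) that still meets target_sil."""
    limit = SIL_PFD_LIMIT[target_sil]
    x_max = {  # inverse of each formula in pfd_avg at the band limit
        "1oo1": 2 * limit,
        "1oo2": (3 * limit) ** 0.5,
        "2oo2": limit,
        "2oo3": limit ** 0.5,
    }[arch]
    return x_max / lambda_d


def verify_design(arch: str, lambda_d: float, ti_hours: float, target_sil: int) -> dict:
    """Conceptual-design check: does this architecture and test interval meet
    the SIL written in the SRS?"""
    pfd = pfd_avg(arch, lambda_d, ti_hours)
    achieved = sil_achieved(pfd)
    return {
        "arch": arch,
        "pfd_avg": pfd,
        "availability": 1.0 - pfd,
        "sil_achieved": achieved,
        "meets_target": achieved >= target_sil,
    }


if __name__ == "__main__":
    # Constructed inputs: a tank high-level trip whose HAZOP rated the overflow
    # SERIOUS with MODERATE likelihood; level switches with an assumed
    # lambda_d of 5e-6 per hour (about 23 years MTTF for dangerous failures),
    # functionally tested once a year (8760 h).
    target = required_sil("SERIOUS", "MODERATE")
    print(f"target SIL from risk matrix: {target}")
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        r = verify_design(arch, 5e-6, 8760, target)
        print(f"{arch}: PFDavg={r['pfd_avg']:.2e} availability={r['availability']:.4%} "
              f"SIL {r['sil_achieved']} -> {'meets' if r['meets_target'] else 'FAILS'}")
    print(f"1oo1 would need a test interval of at most "
          f"{max_test_interval_hours('1oo1', 5e-6, target):.0f} h to reach SIL {target}")
```

With the constructed inputs, a single annually tested switch (1oo1) gives a PFDavg of about 0.022, i.e. SIL 1 only, while 2oo3 voting of the same switches reaches SIL 2 and 1oo2 reaches SIL 3; alternatively the 1oo1 design meets SIL 2 if the test interval is shortened to 4000 hours. That is the trade-off between architecture and functional test interval that the conceptual design step asks the engineer to settle before the design is verified against the SRS.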
Conclusion:
As seen above, this new standard for the first time in the US contains design, availability,
installation, operation, maintenance, decommissioning, and documentation requirements
for safety instrumented systems. For many companies, it will be business as usual, but
for some it will require a paradigm shift in their policies. It has also been noted that most
companies are struggling with safety integrity level determination and quantitative
assessment. Those companies that have historically been industry leaders and
community friendly are seeking help from consultants. There is no question, however,
that the insight and vision of the S84 Committee members to finally link risk assessment
and management with good engineering practices will make our process industries safer
and help protect our fragile environment.