ANSI/ISA S84.01: How This Standard Will Affect Your Business
Bob Adamski, Director
PCE, Triconex Corporation
15091 Bake Parkway Irvine, CA 92618
(949) 699-2100 (949) 768-6601 Fax

Published or Presented: Instrument and Controls Systems, September, 1997, Vol. 70,
No. 9.

Introduction:

If your company is planning an expansion, retrofit, grass-roots facility, or simply a
modification of a process unit, and the process hazard analysis (PHA) indicates that you
need a safety instrumented system (SIS) as a protective layer, you need to comply with
ANSI/ISA S84.01. Why? Because in February 1996, "Application of Safety Instrumented
Systems for the Process Industries" was approved and will be enforceable under OSHA
29 CFR Part 1910. There are at least five (5) references in this Federal Register that
state ". . . accepted engineering standards and practices." For example:

Page 6404 Para. (3)(H)(ii) Safety Systems (e.g. interlocks, detection or suppression
systems). (ii) The employer shall document that the equipment complies with
recognized and generally accepted good engineering practices.

Furthermore, EPA 40 CFR Part 68 has at least ten (10) references to . . . accepted
engineering standards and practices for mitigation or protective systems designed to
prevent an EPA incident. Both OSHA and EPA make references to national standards,
including the American National Standards Institute (ANSI). ISA is an American
National Standards Institute (ANSI) accredited organization.

With over 100 user companies represented on the S84 Committee, a standard was
produced that represents a consensus of users and vendors. A unanimous vote from the
Committee and the ISA membership endorsed the document as an accepted industry
standard. Most companies found little or no conflict with their own internal engineering
practices for safety systems, but others with no formal engineering guidelines will have
to modify their practices. This standard joins the other industry-accepted standards, e.g.
ASME vessel codes, NFPA for burner management, IEEE for electrical systems, and other
civil and building codes/standards. User companies have strict compliance policies for
these standards and would rarely, if ever, violate their requirements. The new S84.01
standard is no different: its requirements ensure a design that will meet the process safety
integrity level. In addition, US companies should be aware of the increasing threat of
litigation by overzealous attorneys and juries that have no sympathy for companies who
do not follow standards in their designs. The punitive sanctions of OSHA or the EPA are
insignificant compared to the class action awards plaintiffs are receiving.

How S84 affects your.doc, Rev. 1, 1997 PCE

What is also new to users is the assignment, and verification of the SIS safety integrity
level (SIL). Assigning and qualifying safety integrity levels is undoubtedly the one
requirement of S84.01 that companies are having the most difficulty with. SIL will be
discussed below. Even major companies are soliciting the assistance of consultants
specializing in safety and critical control systems to help in determining SIL and
evaluating their SISs. Unfortunately, there are few consultants and ESD vendors that
provide these services.

Discussion:

The S84.01 standard is organized into three major parts:

1. The main body of the standard (Clauses 1-12) presents mandatory specific requirements.
2. Informative Annexes A-J present additional non-mandatory (informative) technical
information that may be useful in SIS applications.
3. Technical report S84.02 (to be released later in 1997) provides non-mandatory
(informative) technical information that is useful in Safety Integrity Level analysis.

The objective of the standard is straightforward: "The objective is to define
requirements for Safety Instrumented Systems (SIS)."

The standard is intended for those involved with SIS in the areas of:

1. Design and manufacture of SIS products, selection and application.
2. Installation, commissioning and pre-startup acceptance testing.
3. Operation, maintenance and documentation.

The standard does not apply to the following:

Non-SIS portion of the design.
Governing authorities take precedence over this Standard.
Nuclear industry.
Basic Process Control System (BPCS).
Pneumatic or hydraulic logic solvers.

The scope of the standard is: "This standard addresses Electrical/Electronic/Programmable
Electronic Systems (E/E/PES). These include electro-mechanical relays, solid state logic
types, PES, motor driven timers, hard-wired logic, or combinations of these."

Boundaries of the SIS: The Safety Instrumented System (SIS) includes all elements
from the sensor to final element connected to the process, including inputs, outputs, SIS
user interfaces, power supply and logic solver.

Does this standard cover installed existing safety instrumented systems (is there a
grandfather clause)? Yes and no. The requirement is stated accordingly: For existing
equipment designed and constructed with codes, standards, or practices that are no longer
in use, the company shall determine and document that the equipment is designed,
maintained, inspected, tested, and operating in a safe manner.

Safety Lifecycle Model: The clauses in this standard are organized based on the Safety
Life Cycle. The Safety Life Cycle covers the Safety Instrumented System (SIS) activities
from initial conception through decommissioning. There are 16 major steps in the Safety
Life Cycle but only 10 are covered by this Standard. The other 6 are outside the Scope of
SP-84.

[Figure: Safety Life Cycle Model (lsm.ppt). Boxes in the diagram: Start; Conceptual
Process Design; Perform Process Hazard Analysis & Risk Assessment; Apply non-SIS
protection layers to prevent identified hazards or reduce risk; SIS required? (NO / YES);
Define target SIL; Develop Safety Requirements Specification; Perform SIS Conceptual
Design & Verify it meets the SRS; Perform SIS Detail Design; SIS installation,
commissioning and pre-startup acceptance test; Establish Operation & Maintenance
Procedures; Pre-Start-up Safety Review Assessment; SIS start-up, operation, maintenance,
periodic functional testing; Modify or Decommission SIS?; Modify; Decommission; SIS
Decommissioning. Bold areas in the figure are S84.01 concerns.]

You will notice that before the S84.01 requirements become relevant, the following
conditions must be met:

1. The process hazard analysis (e.g. HAZOP) must have been completed
2. A safety instrumented system (SIS) is required
3. The target safety integrity level (SIL) has been determined

These are key decisions that the standard does not give guidance on. However, the
availability requirements of the SIS are clearly defined in the document, as seen below.

What is safety integrity level (SIL)?

It should be understood that SIL and availability are simply statistical representations of the
integrity of the SIS when a process demand occurs. The acceptance of a SIL 1 SIS means
that the level of hazard or economic risk is sufficiently low that a SIS with a 10% chance
of failure (90% availability) is acceptable. For example, consider the installation of a SIL
1 SIS for a high level trip in a liquid tank. The availability of 90% would mean that out of
every 10 times that the level reached the high level trip point there would be one
predicted failure of the SIS and subsequent overflow of the tank. Is this an acceptable
risk?

Standard     Safety Integrity   Availability       Probability to        Mean Time
             Level              Required           Fail on Demand        Between Failures
IEC 61508    4                  >99.99%            E-005 to < E-004      100,000 to 10,000
ISA S84      3                  99.90%             E-004 to < E-003      10,000 to 1,000
             2                  99.00 - 99.90%     E-003 to < E-002      1,000 to 100
             1                  90.00 - 99.00%     E-002 to < E-001      100 to 10

(IEC 61508 defines SIL 1 through 4; ISA S84 defines SIL 1 through 3.)

A qualitative view of SIL has slowly developed over the last few years as the concept of SIL
has been adopted at many chemical and petrochemical plants. This qualitative view can
be expressed in terms of the impact of the SIS failure on plant personnel and the public or
community.

4 - Catastrophic Community Impact.
3 - Employee and Community Protection.
2 - Major Property and Production Protection. Possible injury to employee.
1 - Minor Property and Production Protection.

The assignment of SIL is a corporate or company decision based on risk management
philosophy and risk tolerance. The caveat is that ANSI/ISA S84.01 mandates that
companies design their safety instrumented systems (SIS) to be consistent with similar
operating process units within their own companies and at other companies. Likewise, in
the U.S., OSHA PSM and EPA RMP require that industry standards and good
engineering practice be used in the design and operation of process facilities. This means
that the assignment of safety integrity levels must be carefully performed and thoroughly
documented.

One of the most common techniques, among U.S. chemical and petrochemical companies,
uses a risk matrix that is developed based on a corporate risk management philosophy.
The risk matrix is a correlation that presents the required risk reduction that is necessary
to decrease the perceived process risk to an acceptable level. The risk likelihood and risk
severity determined during the HAZOP is plotted on the risk matrix to determine the
required risk reduction or safety integrity level (SIL) for that specific hazard event. An
example of a risk matrix is shown below:

[Figure: Qualitative Ranking of Risks. A matrix of Event Severity (Minor, Serious,
Extensive) against Event Likelihood (Low, Moderate, High); the lower-left region is
labelled Low Risk and the upper-right region High Risk. The numbers in the cells
(1 through 3) correspond to SIL levels from ISA SP-84.]

Steps in Safety Life Cycle:

1. The first step is to develop a Safety Requirements Specification. The objective of this
Clause is to develop specifications for Safety Instrumented System (SIS) design.
These safety requirements specifications (SRS) consist of both safety functional
requirements and safety integrity requirements. The SRS can be a collection of
documents or information. The Safety Functional Requirements document the logic
and actions to be performed by the SIS and the process conditions under which
actions are initiated. These requirements include such items as consideration for
manual shutdown, loss of energy source(s), etc. The Safety Integrity Requirements
document the SIL and performance required for executing SIS functions. Safety
Integrity Requirements include: the required SIL for each safety function,
requirements for diagnostics, requirements for maintenance and testing, and reliability
requirements if spurious trips are hazardous.

2. The second step is conceptual design. Some requirements the engineer will need to
define are: the SIS architecture, e.g. voting 1oo1, 1oo2, 2oo2, or 2oo3, to ensure the
SIL is met. If safety functions with different SILs share a single logic solver, the logic
solver must meet the highest of those SILs. A functional test interval must be selected
to achieve the SIL, and the conceptual design must be verified against the SRS.
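The following is an added worked example, not code from the article, from ISA or from the author, showing how the SIL table above and the conceptual-design check of step 2 fit together: a proposed voting architecture and proof-test interval are turned into an average probability of failure on demand, mapped to the SIL band of the table, and compared with the target SIL in the SRS. The PFD formulas are the simplified low-demand approximations commonly used for 1oo1, 1oo2, 2oo2 and 2oo3 (ignoring common-cause failure, diagnostics and repair time); they are an assumption of this example and are not stated in the article. The failure rate and test intervals are constructed sample values.

```python
"""Added example (not code from the article or from ISA): check a proposed
SIS conceptual design against the SRS target SIL.

SIL bands come from the article's table (PFD on demand, availability, risk
reduction).  The PFDavg formulas are the simplified low-demand approximations
for the voting architectures the article names (1oo1, 1oo2, 2oo2, 2oo3),
ignoring common-cause failure, diagnostics and repair time; that simplification
is an assumption of this example.  Failure rates and proof-test intervals
below are constructed sample values.
"""

# SIL bands from the article's table: (SIL, lower PFD bound, upper PFD bound)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Upper PFD bound a design must stay strictly below to claim each SIL
PFD_UPPER = {sil: hi for sil, _lo, hi in SIL_BANDS}


def sil_from_pfd(pfd):
    """Map an average PFD to its SIL band.  0 means worse than SIL 1
    (PFD >= 0.1); a PFD below the SIL 4 band is reported as 4."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4


def pfd_avg(architecture, lambda_du, test_interval_h):
    """Simplified average PFD for one voting architecture.
    lambda_du: dangerous undetected failure rate of one channel (per hour).
    test_interval_h: proof-test interval in hours."""
    lt = lambda_du * test_interval_h   # expected dangerous failures per test interval
    formulas = {
        "1oo1": lt / 2,
        "1oo2": lt ** 2 / 3,
        "2oo2": lt,
        "2oo3": lt ** 2,
    }
    return formulas[architecture]


def verify_against_srs(architecture, lambda_du, test_interval_h, target_sil):
    """The conceptual-design check of step 2: does this architecture and
    test interval reach the SIL written in the SRS?"""
    pfd = pfd_avg(architecture, lambda_du, test_interval_h)
    achieved = sil_from_pfd(pfd)
    return {
        "architecture": architecture,
        "pfd_avg": pfd,
        "availability": 1.0 - pfd,      # the table's "Availability Required" column
        "risk_reduction": 1.0 / pfd,    # the table's right-hand column
        "achieved_sil": achieved,
        "meets_srs": achieved >= target_sil,
    }


def max_test_interval_1oo1(lambda_du, target_sil):
    """Longest proof-test interval (hours) at which a 1oo1 channel still stays
    strictly inside the target SIL band: lambda * T / 2 < upper bound."""
    return 2.0 * PFD_UPPER[target_sil] / lambda_du


if __name__ == "__main__":
    LAMBDA_DU = 5e-6      # constructed: one dangerous undetected failure per ~23 years
    ANNUAL_TEST = 8760.0  # constructed: proof test once a year
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        r = verify_against_srs(arch, LAMBDA_DU, ANNUAL_TEST, target_sil=2)
        print(f"{arch}: PFDavg={r['pfd_avg']:.2e} SIL {r['achieved_sil']} "
              f"{'meets' if r['meets_srs'] else 'fails'} SRS target SIL 2")
    print(f"1oo1 needs a test interval under "
          f"{max_test_interval_1oo1(LAMBDA_DU, 2):.0f} h to hold SIL 2")
```

With the constructed rate and an annual test, a 1oo1 or 2oo2 loop lands in SIL 1, 2oo3 in SIL 2 and 1oo2 in SIL 3, which is the point of step 2: the same hardware reaches a different SIL depending on voting and test interval, so the interval is a design decision to be written into the SRS, not a maintenance afterthought.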

3. Detail design covers the following areas: General Requirements, SIS Logic Solver,
Field Devices, Interfaces, Energy Sources, System Environment, Application Logic
Requirements, Maintenance or Testing Requirements. Some key requirements worth
noting are:

The logic solver shall be separated from the basic process control system (BPCS);
Sensors for SIS shall be separated from the sensors for the basic process control
system (BPCS);
The logic system vendor shall provide MTTF data, covert failure listing, and
frequency of occurrence of identified covert failures;
Each individual field device shall have its own dedicated wiring to the system I/O.
Field Bus not allowed!;
A control valve from the BPCS shall not be used as the only final element for SIL
3;
Operator Interface may not be allowed to change the SIS application software;
Forcing shall not be used as a part of application software or operating
procedure(s);
When on-line testing is required, test facilities shall be an integral part of the SIS
design.

4. The fourth step is to develop a Pre-Start-up Acceptance Test procedure that
provides a full functional test of the SIS to show conformance with the SRS. It is
recommended that the reader review the entire requirements of this Clause.

5. The Operation and Maintenance section is to ensure that the Safety Instrumented
System (SIS) functions in accordance with the Safety Requirements Specification
(SRS) throughout the SIS operational life. You will notice this section follows the
requirements of OSHA 1910.119. This Clause has 7 Sections that state specific
requirements for all user companies.

Training;
Documentation;
Operating Procedures;
Maintenance Program;
Testing and Preventive Maintenance;
Functional Testing;
Documentation of Functional Testing.

6. Some key points of these requirements are as follows:

Employee training shall adhere to requirements specified in national regulation(s)
(e.g. OSHA 29 CFR 1910.119);
Bypassing may be necessary for maintenance. If the process is hazardous while a
SIS function is being bypassed, administrative controls and written procedures
shall be provided to maintain the safety of the process;
Periodic Functional Tests shall be conducted to detect covert faults that prevent
the SIS from operating per the SRS;
The entire SIS shall be tested including the sensor(s), the logic solver, and the final
element(s) connected to the process (e.g. shutdown valves, motors).

7. To ensure no unauthorized changes are made to the application program of a
programmable system, S84.01 requires that management of change (MOC)
procedures be followed. The objective of this clause is to ensure that the management
of change requirements mandated in OSHA 29 CFR 1910.119 are addressed in any
changes made to the SIS.
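An added example of how the MOC requirement can be made checkable rather than purely procedural (not code from the article or from any logic solver vendor): the application program image approved under an MOC record is fingerprinted, and the running image is compared against that baseline, so any edit that did not go through a new MOC record shows up as an unauthorized change. The program images, solver names and MOC identifiers are constructed toy values, not a real logic solver format.

```python
"""Added example (not code from the article or from any logic solver vendor):
detect an unauthorized change to a programmable logic solver's application
program by comparing its fingerprint against the image approved under a
management-of-change (MOC) record.  Program images, solver names and MOC
identifiers below are constructed toy values, not a real logic solver format."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ApprovedBaseline:
    sha256: str      # fingerprint of the approved application program image
    moc_id: str      # the MOC record that authorized this image


def fingerprint(program: bytes) -> str:
    return hashlib.sha256(program).hexdigest()


def approve(program: bytes, moc_id: str) -> ApprovedBaseline:
    """Record the program image an MOC review approved; only this path
    creates a new baseline."""
    return ApprovedBaseline(fingerprint(program), moc_id)


def verify(program: bytes, baseline: ApprovedBaseline) -> str:
    """Return "unchanged" when the running program matches the MOC-approved
    baseline, otherwise "unauthorized change".  compare_digest avoids a
    timing difference between matching and non-matching digests."""
    if hmac.compare_digest(fingerprint(program), baseline.sha256):
        return "unchanged"
    return "unauthorized change"


def verify_fleet(running: Dict[str, bytes],
                 baselines: Dict[str, ApprovedBaseline]) -> Dict[str, str]:
    """Check every logic solver against its own baseline; a solver with no
    baseline at all is reported as such rather than silently passed."""
    return {
        solver: verify(image, baselines[solver]) if solver in baselines else "no approved baseline"
        for solver, image in running.items()
    }


# Constructed toy application program images
APPROVED_IMAGE = b"TRIP IF LT-101 > 90 PCT THEN CLOSE XV-101\n"
MODIFIED_IMAGE = b"TRIP IF LT-101 > 98 PCT THEN CLOSE XV-101\n"   # trip point changed


def demo() -> Dict[str, str]:
    baselines = {"LS-A": approve(APPROVED_IMAGE, "MOC-0001")}   # constructed MOC id
    running = {
        "LS-A": MODIFIED_IMAGE,   # edited without a new MOC record
        "LS-B": APPROVED_IMAGE,   # never baselined
    }
    result = verify_fleet(running, baselines)
    # Once the change has been reviewed and approved, a new MOC record re-baselines it
    baselines["LS-A"] = approve(MODIFIED_IMAGE, "MOC-0002")
    result["LS-A after MOC-0002"] = verify(running["LS-A"], baselines["LS-A"])
    return result


if __name__ == "__main__":
    for solver, status in demo().items():
        print(f"{solver}: {status}")
```

The baseline store and the running images would in practice be read from the MOC system and from the logic solver's program download, but the comparison itself does not change; the useful property is that a baseline can only be created through an MOC identifier, so "unchanged" is a statement about the MOC record as much as about the bytes.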

8. Decommissioning is the last step in the life cycle model to ensure proper review prior
to permanently retiring a Safety Instrumented System (SIS) from active service.

Conclusion:

As seen above, this new standard for the first time in the US contains design, availability,
installation, operation, maintenance, decommissioning, and documentation requirements
for safety instrumented systems. For many companies, it will be business as usual, but
for some it will require a paradigm shift in their policies. It has also been noted that most
companies are struggling with safety integrity level determination and quantitative
assessment. Those companies, who have historically been industry leaders and
community friendly, are seeking help from Consultants. There is no question however,
that the insight and vision of the S84 Committee members to finally link risk assessment
and management with good engineering practices will make our process industries safer
and help protect our fragile environment.

STANDARDS/REGULATIONS:

1. Programmable Electronic Systems in Safety Related Applications, Health and Safety
Executive, U.K., 1987.
2. ANSI/ ISA-SP-84.01, Application of Safety Instrumented Systems for the Process
Industries, Instrument Society of America Standards and Practices, 1996.
3. 29 CFR Part 1910, Process Safety Management of Highly Hazardous Chemicals;
Explosives and Blasting Agents, Occupational Safety and Health Administration,
1992.
4. IEC-61508, Functional Safety: Safety Related Systems, International
Electrotechnical Commission, Technical Committee No. 65, Draft/June 1995.
