
ISATR84.00.06
Safety Fieldbus Design Considerations for Process Industry Sector Applications
Approved 2 October 2009


Copyright International Society of Automation


Provided by IHS under license with ISA
No reproduction or networking permitted without license from IHS

Licensee=BP International/5928366101
Not for Resale, 10/04/2012 08:03:00 MDT


ISATR84.00.06
Safety Fieldbus Design Considerations for Process Industry Sector Applications
ISBN: 978-1-936007-33-2
Copyright 2009 by the International Society of Automation. All rights reserved. Printed
in the United States of America. No part of this publication may be reproduced, stored in
a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), without the prior written permission of the
publisher.
ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709
E-mail: standards@isa.org


Preface

This preface is included for information purposes only and is not part of ISATR84.00.06.

This technical report has been prepared as part of the service of ISA, the International Society of Automation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA, 67 Alexander Drive; P.O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards, recommended practices, and technical reports. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, the Department will endeavor to introduce SI and acceptable metric units in all new and revised standards to the greatest extent possible. The Metric Practice Guide, which has been published by the Institute of Electrical and Electronics Engineers (IEEE) as ANSI/IEEE Std. 268-1992, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

Copyright 2009 ISA. All rights reserved.



The following served as voting members of ISA84 and approved this technical report:

NAME                            COMPANY
W. Johnson, Chair               E I du Pont
V. Maggioli, Managing Director  Feltronics Corp
R. Adamski                      RA Safety Consulting LLC
T. Ando                         Yokogawa Electric Co
R. Avali                        Westinghouse Electric Corp
L. Beckman                      Safeplex Systems Inc
J. Campbell                     ConocoPhillips
I. Chen                         Aramco
M. Coppler                      Ametek Inc
M. Corbo                        ExxonMobil
K. Dejmek                       Baker Engineering & Risk Consultants
P. Early                        Langdon Coffman Services
K. Gandhi                       KBR
J. Gilman                       JFG Technology Transfer LLC
W. Goble                        Exida
P. Gruhn                        ICS Triplex
B. Hampshire                    BP
J. Harris                       UOP A Honeywell Company
J. Jamison                      EnCana Corporation Ltd
R. Johnson                      Dow Process Automation SIS SME
K. Klein                        Celanese Corp
T. Layer                        Emerson Process Management
E. Marszal                      Kenexis Consulting Corp
N. McLeod                       ARKEMA
R. Peterson                     Lyondell Chemical Company
G. Ramachandran                 Shell Global Solutions US
M. Scott                        AE Solutions
D. Sniezek                      Lockheed Martin Federal Services
C. Sossman                      CLS Tech-Reg Consultants
R. Strube                       Strube Industries
A. Summers                      SIS-TECH Solutions LP
L. Suttinger                    Savannah River Nuclear Solutions
R. Taubert                      Consultant
H. Thomas                       Air Products & Chemicals Inc
T. Walczak                      Conversions Inc
M. Weber                        System Safety Inc
A. Woltman                      Shell Global Solutions
P. Wright                       BHP Engineering & Construction Inc
D. Zetterberg                   Chevron Energy Technology Company

The following served as members of the ISA Standards and Practices Board and approved this technical report:

NAME                COMPANY
J. Tatera, VP       Consultant
D. Dunn, VP Elect   Aramco Services Co
P. Brett            Honeywell, Inc
M. Coppler          Ametek, Inc
E. Cosman           The Dow Chemical Co
B. Dumortier        Schneider Electric
R. Dunn             DuPont Engineering
J. Gilsinn          NIST/MEL
E. Icayan           ACES Inc
J. Jamison          EnCana Corporation Ltd
D. Kaufman          Honeywell International Inc
K. Lindner          Endress+Hauser Process Solutions AG
V. Maggioli         Feltronics Corp
T. McAvinew         I&C Engineering LLC
G. McFarland        Emerson Process Mgmt Power & Water Sol
R. Reimer           Rockwell Automation
N. Sands            DuPont
H. Sasajima         Yamatake Corp
T. Schnare          Rosemount Inc
I. Verhappen        Industrial Automation Networks Inc.
R. Webb             ICS Secure LLC
W. Weidman          WorleyParsons
J. Weiss            Applied Control Solutions LLC
M. Widmeyer         Kahler Engineering Inc
M. Zielinski        Emerson Process Management


Contents

Introduction ............................................... 9
1 Scope .................................................... 11
2 Criteria ................................................. 11
2.1 Safety Requirements .................................... 11
2.2 Speed of Response ...................................... 11
2.3 Interoperability & Integration ......................... 12
2.4 Fault Tolerance ........................................ 12
2.5 Security ............................................... 13
2.6 Operation .............................................. 13
2.7 Diagnostics ............................................ 13
2.8 Documentation .......................................... 13
2.9 Testability ............................................ 14
3 Safety Lifecycle Approach ................................ 14
References ................................................. 19
Definitions ................................................ 19


Introduction

Safety Fieldbuses are currently being used in various industrial sectors, such as automotive and machinery, but they have only recently been introduced within the process sector for safety instrumented systems (SISs). ISA84 committee members are concerned that generic Fieldbuses may be incorrectly implemented in SIS applications. Consequently, the ISA84 committee formed Working Group 1 (ISA84 WG1) to develop guidance on the implementation of Safety Fieldbuses as part of an SIS for communicating between a safety logic solver and field devices.

A generic Fieldbus is a multi-drop digital network consisting of digital communication cable, terminators, hubs, links/couplers, power supplies, hosts and protocols, along with Fieldbus-compatible devices (Figure 1). It is used to communicate process information to and from multiple field devices within a segment. Fieldbus is a network structure that allows daisy-chain, star, ring, branch, and tree topologies.

Figure 1 Generic Safety Fieldbus (adapted from ANSI/ISA-84.01-1996)

ANSI/ISA-84.01-1996, Application of Safety Instrumented Systems for the Process Industries, was developed under the assumption that each field device would be wired to the logic solver using dedicated field wiring. That standard did not address the use of digital bus communications, such as a Fieldbus, for field device communications.

ANSI/ISA-84.01-1996 stated in clause 7.4.1.3, "Each individual field device shall have its own dedicated wiring to the system." Clause 1.2.10 stated that the standard does not address technologies not currently utilized in safety systems (e.g., Fieldbuses), but that revisions to the standard will address new technologies as they become available.

ANSI/ISA-84.00.01-2004, Clause 11.6.3 reflects ANSI/ISA-84.01-1996, Clause 7.4.1.3 above, with an added statement that addresses the alternative of a digital bus communication with overall safety performance that meets the integrity requirements of the SIF (safety instrumented function) it services. Therefore, a Safety Fieldbus adds to the generic Fieldbus the additional hardware and software features necessary to be compliant with ANSI/ISA-84.00.01-2004.

This technical report addresses the use of Fieldbus for multi-drop digital network communication for implementation of a Safety Instrumented Function (SIF) within a safety logic solver designed and managed in compliance with ANSI/ISA-84.00.01-2004. If the reader chooses to implement the safety logic in the Fieldbus segment only, the Fieldbus and any instruments executing the safety logic should be evaluated as a logic solver under the requirements of ANSI/ISA-84.00.01-2004. This technical report does not address implementation of the SIF logic within the Fieldbus segment.


1 Scope

1.1 This technical report:
- provides guidance on implementing Safety Fieldbus protocols and devices in safety instrumented systems in the process industries
- recommends additional considerations and practices for the implementation of Safety Fieldbus that are not currently included in ANSI/ISA-84.00.01-2004.

1.2 This technical report addresses Safety Fieldbus design and management. It does not provide detailed implementation guidance, which would be different for each Fieldbus technology.

1.3 This technical report is limited to the application of Safety Fieldbus to communicate between the safety logic solver (i.e., compliant with ANSI/ISA-84.00.01-2004) and multiple field devices. It does not address implementation of the logic within the Fieldbus segment.

2 Criteria

2.1 Safety Requirements

2.1.1 The Safety Fieldbus should meet the requirements of the highest safety integrity level (SIL) of any safety instrumented function (SIF) it supports, as measured by the:
a. hardware integrity
b. hardware fault tolerance
c. systematic integrity
d. data communications integrity

2.1.2 The software/firmware used to carry out the Safety Fieldbus diagnostics should meet the requirements of the highest SIL it supports.

2.1.3 The likelihood of random hardware undetected failures for the Safety Fieldbus should be sufficiently low in comparison to the overall safety integrity requirements. As a rule of thumb, for a demand mode SIS, the Safety Fieldbus should have a PFDavg less than 1% of the target PFDavg for the SIF.

2.1.4 The Safety Fieldbus protocol should be compliant with IEC 61508 requirements to the applicable SIL claim limit.

2.1.5 Open (non-proprietary) protocols should be used to enhance interoperability and integration.

2.2 Speed of Response

2.2.1 The response time of the Safety Fieldbus should be incorporated in the calculation of the overall response time of the SIF (e.g., the time from process deviation detection through the process response to final element action). It is good engineering practice that overall response time should be no more than one-half the process safety time allocated to the SIF.


2.2.2 The response time should be sufficient to meet the shortest process safety time requirement of any SIF on the Safety Fieldbus.
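As an added illustration (not part of the technical report), the screening rules of 2.1.3, 2.2.1 and 2.2.2 applied in Python to a constructed two-SIF segment; the PFDavg bands, device delays, bus figures and SIF tags are assumed values, not data from the report.

```python
"""Added worked example, not part of ISA-TR84.00.06: screening a Safety Fieldbus
segment against the rules of thumb in 2.1.3 (bus PFDavg below 1 % of the SIF
target), 2.2.1 (overall SIF response time, bus included, no more than half the
process safety time) and 2.2.2 (bus fast enough for the shortest PST it serves).
All device and timing figures are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Upper bound of the demand-mode PFDavg band for each SIL (IEC 61508 / ANSI/ISA-84.00.01-2004),
# used as the SIF target when the SRS does not state a tighter one.
SIL_PFDAVG_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


@dataclass
class SIF:
    tag: str
    sil: int
    pst_s: float                  # process safety time allocated to the SIF (from the SRS)
    sensor_s: float               # sensor detection delay, including its update period
    logic_solver_s: float         # logic solver scan time
    final_element_s: float        # final element stroke time
    target_pfdavg: Optional[float] = None   # explicit target from the SRS, if any

    def target(self) -> float:
        return self.target_pfdavg if self.target_pfdavg is not None else SIL_PFDAVG_UPPER[self.sil]


@dataclass
class SafetyFieldbus:
    pfdavg: float          # PFDavg claimed for the bus in its safety manual (2.8.4)
    response_s: float      # worst-case bus response time from the safety manual (2.8.9)
    crossings: int = 2     # a SIF path crosses the bus twice: sensor->solver and solver->final element


def overall_response_s(sif: SIF, bus: SafetyFieldbus) -> float:
    """SIF response time from process deviation detection to final element action (2.2.1)."""
    return sif.sensor_s + bus.crossings * bus.response_s + sif.logic_solver_s + sif.final_element_s


def check_sif(sif: SIF, bus: SafetyFieldbus) -> List[str]:
    """Findings for one SIF; an empty list means both screening rules are satisfied."""
    findings = []
    budget = 0.01 * sif.target()                         # 2.1.3 rule of thumb
    if bus.pfdavg >= budget:
        findings.append(f"{sif.tag}: bus PFDavg {bus.pfdavg:.1e} is not below 1% of target ({budget:.1e})")
    total = overall_response_s(sif, bus)                 # 2.2.1
    if total > 0.5 * sif.pst_s:
        findings.append(f"{sif.tag}: overall response {total:.2f} s exceeds half the PST ({0.5 * sif.pst_s:.2f} s)")
    return findings


def check_segment(sifs: List[SIF], bus: SafetyFieldbus) -> List[str]:
    """Findings for every SIF on the segment plus the segment-level rule of 2.2.2."""
    findings = []
    for sif in sifs:
        findings.extend(check_sif(sif, bus))
    shortest_pst = min(s.pst_s for s in sifs)            # 2.2.2: the bus must serve the fastest SIF
    bus_share = bus.crossings * bus.response_s
    if bus_share > 0.5 * shortest_pst:
        findings.append(f"segment: bus alone needs {bus_share:.2f} s, more than half the shortest PST ({shortest_pst:.1f} s)")
    return findings


# Constructed segment: one SIL 2 and one SIL 3 function sharing a bus whose (assumed)
# safety manual claims PFDavg 2e-5 and a 100 ms worst-case response time.
BUS = SafetyFieldbus(pfdavg=2e-5, response_s=0.1)
SIFS = [
    SIF("SIF-101 high level trip", sil=2, pst_s=10.0, sensor_s=0.5, logic_solver_s=0.05, final_element_s=2.0),
    SIF("SIF-202 high pressure trip", sil=3, pst_s=3.0, sensor_s=0.3, logic_solver_s=0.05, final_element_s=1.0),
]

if __name__ == "__main__":
    for line in check_segment(SIFS, BUS) or ["segment passes all screening rules"]:
        print(line)
```

The SIL 3 function fails both rules on this bus, which is the kind of result that has to be resolved in the SRS before the segment design proceeds.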

2.3 Interoperability & Integration

2.3.1 The Safety Fieldbus selection should consider its ability to communicate with the field devices and safety logic solver. It should support interoperability of devices without degrading the safety integrity, the Risk Reduction Factor (RRF), the reliability (spurious trip rate), or the communication speed of the Safety Fieldbus. When a manufacturer claims interoperability of sensors, logic solvers, final elements, and the like, that claim should be supported by analysis and testing.

2.3.2 The Safety Fieldbus should not be shared by non-safety devices. If non-safety devices are used on the Safety Fieldbus, the non-safety devices should not impact the functionality or integrity of the SIS. If the non-safety devices could affect the functionality or integrity of the SIS, the non-safety devices should be designed and managed per ANSI/ISA-84.00.01-2004 and Clause 2.4 of this technical report.

2.3.3 The Safety Fieldbus should ensure separation and independence of the Basic Process Control System (BPCS) and the SIS. This will include independent security for configuration and maintenance tools.

2.3.4 All devices that perform a safety function on a Safety Fieldbus should communicate using a protocol that is designed in compliance with IEC 61508 and has been demonstrated to work in the operating environment.

2.3.5 The integrity and reliability of the Safety Fieldbus devices should be considered in the SIL verification calculations in accordance with ISA-TR84.00.02-2002.

2.4 Fault Tolerance

2.4.1 Fault tolerance may be achieved either through redundant Safety Fieldbuses or through redundant subsystems/components on independent Safety Fieldbuses.

2.4.2 The nuisance trip rate of the Safety Fieldbus should support the assumptions in the safety requirements specification (SRS). The impact of safe failures should be assessed during the hazards and risk analysis.

2.4.3 A failure of any field device(s) connected to the Safety Fieldbus should not degrade the Fieldbus operation nor degrade the integrity or reliability of any safety devices connected to the Fieldbus.

2.4.4 A failure of any single Safety Fieldbus in a multiple Fieldbus SIS should not degrade the performance of the other Fieldbuses nor degrade the performance of any devices connected to other Fieldbuses. The design of the Fieldbus should be assessed to ensure that the likelihood of common cause, common mode and dependent failures between protection layers and between protection layers and the BPCS are sufficiently low in comparison to the overall safety integrity requirements of the SIS.

2.4.5 The Fault Tolerance Tables 5 and 6 in ANSI/ISA-84.00.01-2004, Clause 11.4, should be followed.


2.5 Security

2.5.1 The Safety Fieldbus should have sufficient security to prevent inadvertent changes to the SIS configuration.

2.5.2 Safety Fieldbus devices should have a means to ensure configuration parameters are protected. For example, inadvertent changes can be prevented through write-protection.

2.5.3 Access to Safety Fieldbus device configuration and programming should be restricted to authorized personnel. Any changes to the configuration or programming should be reviewed and approved under management of change.

2.5.4 Industrial cyber security practices should be implemented (e.g., see the ISA-99 series of standards, www.isa.org).

2.6 Operation

2.6.1 On-line replacement of field devices should be possible without affecting the SIF operation (i.e., the absence of a device should not impact the bus integrity). Field device replacement should be completed within the MTTR (mean time to repair) assumed in the SRS unless otherwise approved by management of change.

2.6.2 The Safety Fieldbus should be capable of performing its SIFs irrespective of the communication media.

2.6.3 The Safety Fieldbus should be designed to take a specified safe state on loss of support systems (e.g., off state for de-energize to trip applications).

2.6.4 Fieldbus communication interruption, lasting longer than the shortest process safety time (see 2.2.2), should cause the SIF final elements to take the specified safe state, unless a hazards analysis team approves otherwise.

2.6.5 When communication faults are detected, the Safety Fieldbus should be configured to take the SIF final elements to the specified safe state.

2.7 Diagnostics

2.7.1 Timely notification of operational status of the Fieldbus and attached devices should be readily available to the user via the Fieldbus interface. Diagnostics is typically implemented in a manner transparent to the user.

2.7.2 The Safety Fieldbus should capture and communicate diagnostic information from the sensors and final elements as specified in the SRS.

2.7.3 Diagnostics should consider known failure modes which include, but are not limited to, complete failure of the transmission channel, transmission errors, repetitions, deletions, insertions, re-sequencing, delay and masquerade.
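Added example, in Python, of how a logic-solver-side safety layer detects the failure modes listed in 2.7.3 and reacts as 2.6.4 and 2.6.5 require; this is illustrative code written for this page, not code from the technical report or from any Safety Fieldbus protocol, and the frame layout, connection ids and timings are assumptions.

```python
"""Added worked example, not code from ISA-TR84.00.06 nor from any real safety
protocol: a receiver that detects the 2.7.3 failure modes (transmission errors,
repetition, deletion, insertion, re-sequencing, delay, masquerade) and latches the
SIF safe state on a detected fault (2.6.5) or on an interruption longer than the
process safety time (2.6.4). Frame layout, ids and timings are constructed."""
import struct
import zlib
from enum import Enum

class Fault(Enum):
    NONE = "ok"
    CORRUPTION = "transmission error (CRC or length mismatch)"
    MASQUERADE = "masquerade / insertion (frame is not from the expected connection)"
    REPETITION = "repetition (same sequence number received twice)"
    DELETION = "deletion (gap in sequence numbers)"
    RESEQUENCING = "re-sequencing (older frame arriving after a newer one)"
    DELAY = "delay (frame older than the permitted transit time)"
    TIMEOUT = "interruption longer than the process safety time"

# Constructed layout: connection id, 16-bit sequence, sender time (ms), payload length, payload, CRC-32.
HEADER = ">HHIB"
HEADER_LEN = struct.calcsize(HEADER)

def build_frame(conn_id: int, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Sender side: wrap a safety PDU in the protection fields above."""
    body = struct.pack(HEADER, conn_id, seq & 0xFFFF, ts_ms, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

class SafetyReceiver:
    """One safety connection as seen by the logic solver; a fault latches the safe state."""

    def __init__(self, conn_id: int, max_age_ms: int, pst_ms: int) -> None:
        self.conn_id = conn_id          # the only source this connection accepts
        self.max_age_ms = max_age_ms    # permitted transit delay for one frame
        self.pst_ms = pst_ms            # shortest process safety time on the bus (2.2.2)
        self.expected_seq = 0
        self.last_seq = None
        self.last_good_rx_ms = 0
        self.safe_state = False
        self.faults = []

    def _trip(self, fault: Fault) -> Fault:
        # 2.6.5: a detected communication fault takes the final elements to the safe state.
        self.safe_state = True
        self.faults.append(fault)
        return fault

    def receive(self, frame: bytes, now_ms: int) -> Fault:
        """Validate one received frame; returns the fault found, or Fault.NONE."""
        if len(frame) < HEADER_LEN + 4:
            return self._trip(Fault.CORRUPTION)
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return self._trip(Fault.CORRUPTION)           # corrupted bits on the wire
        conn_id, seq, ts_ms, plen = struct.unpack(HEADER, body[:HEADER_LEN])
        if plen != len(body) - HEADER_LEN:
            return self._trip(Fault.CORRUPTION)           # truncated or padded frame
        if conn_id != self.conn_id:
            return self._trip(Fault.MASQUERADE)           # foreign or inserted frame
        if seq == self.last_seq:
            return self._trip(Fault.REPETITION)           # the previous frame again
        gap = (seq - self.expected_seq) & 0xFFFF
        if gap:
            # Ahead of the expected number: skipped frames count as deleted, since the
            # receiver cannot wait for them within the PST. Behind it: delivered out of order.
            return self._trip(Fault.DELETION if gap < 0x8000 else Fault.RESEQUENCING)
        if now_ms - ts_ms > self.max_age_ms:
            return self._trip(Fault.DELAY)                # correct but stale data
        self.last_seq, self.expected_seq = seq, (seq + 1) & 0xFFFF
        self.last_good_rx_ms = now_ms
        return Fault.NONE

    def tick(self, now_ms: int) -> Fault:
        """Watchdog (2.6.4): no valid frame for longer than the PST is an interruption."""
        if now_ms - self.last_good_rx_ms > self.pst_ms:
            return self._trip(Fault.TIMEOUT)
        return Fault.NONE

def demo() -> dict:
    """Constructed scenarios, one per failure mode; returns the fault each one produced."""
    conn, pst = 0x0A01, 1000
    frames = [build_frame(conn, n, n * 100, b"\x01") for n in range(3)]  # seq 0..2, one per 100 ms
    out = {}
    def fresh(*deliveries):            # receiver that has already accepted the given frames
        rx = SafetyReceiver(conn, max_age_ms=150, pst_ms=pst)
        for idx, at in deliveries:
            assert rx.receive(frames[idx], at) is Fault.NONE
        return rx
    out["healthy"] = fresh((0, 20), (1, 120)).tick(900)
    out["repetition"] = fresh((0, 20), (1, 120)).receive(frames[1], 220)
    out["deletion"] = fresh((0, 20)).receive(frames[2], 220)           # frame 1 never arrived
    out["resequencing"] = fresh((0, 20), (1, 120)).receive(frames[0], 220)
    corrupted = bytearray(frames[0]); corrupted[-5] ^= 0x01             # flip one payload bit
    out["corruption"] = fresh().receive(bytes(corrupted), 20)
    out["masquerade"] = fresh().receive(build_frame(0x0B02, 0, 0, b"\x01"), 20)
    out["delay"] = fresh().receive(frames[0], 500)                      # sent at 0 ms, seen at 500 ms
    out["timeout"] = fresh((0, 20)).tick(20 + pst + 1)
    return out
```

Every branch in `receive` and `tick` ends in `_trip`, so the reaction the report asks for in 2.6.4 and 2.6.5 is the only possible outcome of a detected fault; a real protocol also covers the complete channel failure of 2.7.3 with the same watchdog.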

2.7.4 The software and firmware used by the communication or diagnostic processes of the Safety Fieldbus should be designed and managed per IEC 61508.

2.8 Documentation

2.8.1 The safety manual should define the industry sector(s) (e.g., process, machinery, rail, avionics) that the Safety Fieldbus was designed to support.


2.8.2 The safety manual should include sector-specific guidance where relevant, since one Fieldbus may not be suitable for all sectors.

2.8.3 If the operation of the Safety Fieldbus requires special configuration or external hardware/software installation, the user requirements should be clearly stated in the safety manual.

2.8.4 The safety manual should include analysis boundary and assumptions supporting the claimed SIL and nuisance trip rate.

2.8.5 The safety manual should describe any limitations on the use of the Safety Fieldbus, such as the inability to support SIFs across segments or to diagnose faults across segments.

2.8.6 The failure modes that are detected by automatic diagnostics should be documented in the safety manual along with the related diagnostic intervals.

2.8.7 The failure modes that are not detected by automatic diagnostics should be documented in the safety manual along with associated failure rates due to both random hardware failures and communications errors in the operating environment.

2.8.8 The hardware fault tolerance should be documented in the safety manual and should meet the requirements of ANSI/ISA-84.00.01 Part 1, Clause 11.4.

2.8.9 The response time of the Safety Fieldbus should be documented in the safety manual, together with hardware and/or configuration requirements necessary to achieve the response time.

2.9 Testability

2.9.1 The operation of any new or modified Safety Fieldbus should be validated against the SRS. Determination that proper communication occurs is not sufficient for validation or periodic testing. Individual elements of the system should be periodically tested to demonstrate that the element operates according to the SRS.

2.9.2 Tests of individual elements should demonstrate that the Safety Fieldbus has been properly integrated with other system elements. The integration tests should proceed according to documented specifications. Integration tests should include devices on the Safety Fieldbus and host systems including engineering, maintenance, and operational interfaces.

2.9.3 Fieldbus applications should be restricted to functions that have been validated through formal documented proof test procedures supported by written specifications.

2.9.4 The individual elements, integration, and application should be covered in validation planning according to ANSI/ISA-84.00.01-2004.

2.9.5 Specifications and tests should have clearly defined boundaries with sufficient overlap to assure complete test coverage.

3 Safety Lifecycle Approach

3.1 This section provides reasonable and practical guidance on the design considerations applicable with respect to the various phases of the ANSI/ISA-84.00.01-2004 lifecycle. Without guidance, it would be possible to draw conclusions that changes to a Safety Fieldbus segment require anywhere from no functional testing to full recursive testing of each criterion for each device on that bus (i.e., infinite testing permutations).

3.2 Every Safety Fieldbus should be designed and managed to achieve the safety requirements throughout all ten lifecycle phases shown in Table 3.1. The phases include initial design and implementation, as well as long-term operation and maintenance (which includes modifications such as changes, additions and deletions).

3.3 Any Safety Fieldbus should adhere to the nine basic criteria outlined in Section 2 above.

3.4 Any Safety Fieldbus that has already been commissioned and is in the operation and maintenance phase of its Safety Lifecycle is most vulnerable to problems whenever modifications are performed. Table 3.1 provides guidance to Safety Fieldbus users regarding which lifecycle phases should be addressed due to these modifications, additions or deletions. The lifecycle phases addressed are dependent on the nature of the modification, addition or deletion. Ultimately, the modified Safety Fieldbus should conform to the nine basic criteria.

3.5 Guidance for the modification of Safety Fieldbuses in existing SISs

3.6 The first lifecycle phase involves the use of hazard and risk analysis to identify the safety functions needed to achieve or maintain a safe state of the process equipment in response to an unacceptable hazardous condition. The phase is independent of SIS technology. Therefore, the application of a Safety Fieldbus within the SIS does not generate additional requirements outside those already specified in ANSI/ISA-84.00.01-2004.

3.7 The second lifecycle phase involves allocating the safety functions to protection layers (also known as classifying).

3.8 The third through seventh lifecycle phases (i.e., SIS SRS, SIS Design & Engineering, SIS Installation, Commissioning and Validation, SIS Operation and Maintenance and Management of Change) should consider adherence to the nine basic criteria outlined in this technical report. Modifications to the Safety Fieldbus should be carefully analyzed to ensure that Safety Fieldbus functionality is not compromised.

3.9 The considerations taken to achieve compliance to the eighth lifecycle phase (decommissioning) do change somewhat with the use of Safety Fieldbus technology. There may be additional requirements for documentation and testing.

3.10 The ninth lifecycle phase (SIS verification) is primarily a lifecycle process check. Consequently, there are no specific requirements that need to be addressed as part of this phase.

3.11 The tenth and last lifecycle phase is primarily an auditing step to determine whether or not the desired functional safety has been achieved by a SIS. This phase evaluates the SIS to determine whether it is achieving the desired functional safety with regard to the Safety Requirements, Speed of Response, Interoperability, Operation and Testability.
Table 3.1 Lifecycle phases

Columns: ANSI/ISA-84.00.01 Lifecycle Phase | Lifecycle Phase Description | Applicable Safety Fieldbus Criterion | Considerations During Initial SIS Safety Fieldbus Design & Implementation | Considerations During SIS Safety Fieldbus Modification (Additions, Deletions or Changes)

Phase 1: Hazard and Risk Assessment
  Applicable criterion: None apply.
  Initial design & implementation: None apply. Hazard and risk assessment are process related and are independent of SIS technology.
  Modification: None apply.

Phase 2: Allocation of safety functions to protective layers.
  Applicable criterion: Safety Requirements (Clause 2.1)
  Initial design & implementation: Safety Requirements (Clause 2.1)
  Modification: Applies only if the changes to the allocation of safety functions require hardware / software additions, deletions or changes. Refer to Lifecycle phase 3 below for guidance.

Phase 3: SIS Safety Requirements Specification (SRS).
  Applicable criterion: All apply: Safety Requirements (Clause 2.1); Speed of Response (Clause 2.2); Interoperability (Clause 2.3); Fault Tolerance (Clause 2.4); Security (Clause 2.5); Operation (Clause 2.6); Diagnostics (Clause 2.7); Documentation (Clause 2.8); Testability (Clause 2.9)
  Initial design & implementation: Interoperability (Clause 2.3). All Safety Fieldbus criterion requirements need to be met during initial design of the SIS Safety Fieldbus.
  Modification:
    Additions (for the purposes of this table, additions include adding a device or replacing an existing device with a different make / model / software revision). Does the new device added to an existing segment affect the following on the Safety Fieldbus?
    - Clause 2.1, but only for the new device being installed on the segment.
    - Segment communication speed / throughput (cycle time), Clause 2.2, for all devices on the segment.
    - Clause 2.3 for all devices on the segment.
    - Clause 2.4, but only for the new device being installed on the segment.
    - Clause 2.5, but only for the new device being installed on the segment.
    - Clause 2.6 for all devices on the segment.
    - Clause 2.7, but only for the new device being installed on the segment.
    - Clause 2.8, but only for the new device being installed on the segment.
    - Clause 2.9 for all devices that are part of the SIF.
    Deletions: Does decommissioning of the device from an existing segment affect the following on the Safety Fieldbus? Same as for additions.
    Parameter changes (for example, a set point change):
    - Clause 2.6, but only for the SIF being modified.
    - Clause 2.8, but only for the SIF being modified.
    - Clause 2.9, but only for the SIF being modified.

Phase 4: SIS Design and Engineering (includes Factory Acceptance Test (FAT))
  Applicable criterion: All apply: Safety Requirements (Clause 2.1); Speed of Response (Clause 2.2); Interoperability (Clause 2.3); Fault Tolerance (Clause 2.4); Security (Clause 2.5); Operation (Clause 2.6); Diagnostics (Clause 2.7); Documentation (Clause 2.8); Testability (Clause 2.9)
  Initial design & implementation: All apply.
  Modification: Additions: Same as for Phase 3 above. Deletions: Same as for Phase 3 above. Modifications in segments: Same as for Phase 3 above.

Phase 5: SIS Installation, Commissioning and Validation (Site Acceptance Test (SAT))
  Applicable criterion: Speed of Response (Clause 2.2); Interoperability (Clause 2.3); Security (Clause 2.5); Operation (Clause 2.6); Diagnostics (Clause 2.7); Documentation (Clause 2.8); Testability (Clause 2.9)
  Initial design & implementation: What is the best SIS Safety Fieldbus installation for the application? Has the SIS Safety Fieldbus been installed per installation guidelines? Was the SIS Safety Fieldbus installed by qualified personnel?
  Modification: Additions: Same as for Phase 3 above. Deletions: Same as for Phase 3 above. Modifications: Same as for Phase 3 above.

Phase 6: SIS Operation and Maintenance
  Applicable criterion: Security (Clause 2.5); Operation (Clause 2.6); Diagnostics (Clause 2.7); Documentation (Clause 2.8); Testability (Clause 2.9)
  Initial design & implementation: Were operations personnel properly trained on the SIS Safety Fieldbus? Were maintenance personnel properly trained on the SIS Safety Fieldbus?
  Modification: Additions: Same as for Phase 3 above. Deletions: Same as for Phase 3 above. Modifications: Same as for Phase 3 above.

Phase 7: Modification
  Applicable criterion: Safety Requirements (Clause 2.1); Speed of Response (Clause 2.2); Interoperability (Clause 2.3); Fault Tolerance (Clause 2.4); Security (Clause 2.5); Operation (Clause 2.6); Diagnostics (Clause 2.7); Documentation (Clause 2.8); Testability (Clause 2.9)
  Initial design & implementation: None apply as this Phase only addresses SIS modifications.
  Modification: Refer to Considerations under all the phases covered. Additions: Same as for Phase 3 above. Deletions: Same as for Phase 3 above. Modifications: Same as for Phase 3 above.

Phase 8: Decommissioning
  Applicable criterion: Safety Requirements (Clause 2.1); Speed of Response (Clause 2.2); Interoperability (Clause 2.3); Fault Tolerance (Clause 2.4); Operation (Clause 2.6); Diagnostics
  Initial design & implementation: This phase is important from an overall SIS standpoint but is independent of SIS technology selection.
  Modification: This phase would have the same effect on Safety Fieldbus
as modification.

Deletions:
Same as for Phase 3 above.

Copyright 2009 ISA. All rights reserved.


--``,,`,`,`,````,``,`,``,``,``,,-`-`,,`,,`,`,,`---

Copyright International Society of Automation


Provided by IHS under license with ISA
No reproduction or networking permitted without license from IHS

Licensee=BP International/5928366101
Not for Resale, 10/04/2012 08:03:00 MDT

19

ANSI/ISA
84.00.01

Lifecycle
Phase

Lifecycle
Phase
Description

SIS
Verification

10

SIS Functional
Safety
Assessment

Applicable
Safety
Fieldbus
Criterion

(Clause 2.7)
Documentati
on (Clause
2.8)
Testability
(Clause 2.9)
None apply

All apply:
Safety
Requirement
s (Clause
2.1)
Speed of
Response
(Clause 2.2)
Interoperabilit
y (Clause
2.3)
Fault
Tolerance
(Clause 2.4)
Security
(Clause 2.5)
Operation
(Clause 2.6)
Diagnostics
(Clause 2.7)
Documentati
on (Clause
2.8)
Testability
(Clause 2.9)

Considerations
During Initial
SIS Safety
Fieldbus Design
&
Implementation

ISATR84.00.06

Considerations During SIS Safety


Fieldbus Modification
(Additions, Deletions or Changes)

None apply

Does the SIS


Safety Fieldbus
genuinely meet
the desired
functional
safety?
Are the key SIS
Safety Fieldbus
criteria with
respect to
functional
safety
satisfied?

Refer to Considerations under all the


phases covered.
Additions:
Same as for Phase 3 above.
Deletions:
Same as for Phase 3 above.
Parameter changes:
Same as for Phase 3 above.

4 Definitions

4.1 Fieldbus - a digital, two-way, multi-drop communication link among controllers and their remote I/Os, sensors, actuators and inter-networking components.

4.2 Safety Fieldbus - a Fieldbus whose purpose is to implement safety functions that achieve or maintain a safe state of the process when abnormal process conditions are detected, in order to reduce the risk of an identified hazardous event.

4.3 Protocol - a standard means to control or enable the connection, communication, and data transfer between two computing endpoints. A protocol is generally defined by a set of rules that govern the semantics, syntax and synchronization of communication. The protocol determines the functionality of the hardware connection.

5 References

5.1 ANSI/ISA-84.01-1996, Application of Safety Instrumented Systems (SIS) for the Process Industry, ISA.

5.2 ANSI/ISA-84.00.01-2004 (IEC 61511 modified), Functional Safety: Safety Instrumented Systems for the Process Industry Sector, ISA.

5.3 The Foundation Fieldbus PRIMER, Fieldbus Inc., 24 June 2001.

5.4 ISA-TR84.00.02-2002, Safety Instrumented Functions (SIF) Safety Integrity Level (SIL) Evaluation Techniques, ISA.

5.5 IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, Parts 1-7 (1999-2001).

Developing and promulgating technically sound consensus standards and recommended practices is one of ISA's primary goals. To achieve this goal the Standards and Practices Department relies on the technical expertise and efforts of volunteer committee members, chairmen and reviewers.

ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United States Technical Advisory Groups (USTAGs) and provides secretariat support for International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees that develop process measurement and control standards. To obtain information on the Society's standards program, please write:

ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709

ISBN: 978-1-936007-33-2
