
ANSI/ISA S84.01
How This Standard Will Affect Your Business
Bob Adamski, Director
Premier Consulting Services
15345 Barranca Parkway • Irvine, CA 92618
PCS@invensys.com

Introduction:

If your company is planning an expansion, retrofit, or grass-roots facility, or is simply modifying a
process unit, and the process hazard analysis (PHA) indicates you need a safety instrumented
system (SIS) as a protective layer, you need to comply with ANSI/ISA S84.01. Why? Because
in February 1996 the “Application of Safety Instrumented Systems for the Process
Industries” was approved, and it will be enforceable under OSHA 29 CFR Part 1910. There
are at least five (5) references in this Federal Register that state “. . . accepted engineering
standards and practices”. For example:

Page 6404 Para. (3)(H)(ii) Safety Systems (e.g. interlocks, detection or suppression systems).
(ii) “The employer shall document that the equipment complies with recognized and
generally accepted good engineering practices.”

Furthermore, EPA 40 CFR Part 68 has at least ten (10) references to “. . . accepted
engineering standards and practices” for mitigation or protective systems designed to prevent an
EPA incident. Both OSHA and EPA make references to national standards, including the
American National Standards Institute (ANSI). ISA is an American National Standards
Institute (ANSI) accredited organization.

With over 100 user companies represented on the S84 Committee, a standard was produced
that represents a consensus of users and vendors. A unanimous vote from the Committee and
the ISA membership endorsed the document as an “accepted industry standard”. Most
companies found little or no conflict with their own internal engineering practices for safety
systems, but others with no formal engineering guidelines will have to modify their practices.
This standard joins the other industry-accepted standards, e.g. ASME vessel codes, NFPA for
burner management, IEEE for electrical systems, and other civil and building codes/standards.
User companies have strict compliance policies for these standards and would rarely, if ever,
violate their requirements. The new S84.01 standard is no different: its requirements ensure a
design that will meet the process safety integrity level. In addition, US companies should be
aware of the increasing threat of litigation by overzealous attorneys and juries that have no
sympathy for companies who do not follow standards in their designs. The punitive sanctions of
OSHA or the EPA are insignificant as compared to the class action awards plaintiffs are
receiving.

PCS Technical Paper - ANSI ISA S84.01 - How This Standard Will Affect Your Business.doc, Rev. 1, ©1997 PC+E

What is also new to users is the assignment and verification of the SIS safety integrity level
(SIL). Assigning and qualifying safety integrity levels is undoubtedly the one requirement of
S84.01 that companies are having the most difficulty with; SIL is discussed below. Even
major companies are soliciting the assistance of consultants specializing in safety and critical
control systems to help determine SIL and evaluate their SISs. Unfortunately, there are
few consultants and ESD vendors that provide these services.

Discussion:

The S84.01 standard is organized into three major parts: 1) the main body of the standard
(Clauses 1-12) presents mandatory specific requirements; 2) Informative Annexes A-J
present additional non-mandatory (informative) technical information that may be useful in SIS
applications; 3) Technical Report S84.02 (to be released later in 1997) provides non-
mandatory (informative) technical information that is useful in Safety Integrity Level analysis.

The objective of the standard is straightforward: “The objective is to define requirements
for Safety Instrumented Systems (SIS).”

The standard is intended for those involved with SIS in the areas of:

1. Design and manufacture of SIS products, selection and application.
2. Installation, commissioning and pre-startup acceptance testing.
3. Operation, maintenance and documentation.

The standard does not apply to the following:

• Non-SIS portion of the design.
• Governing authorities take precedence over this Standard.
• Nuclear industry.
• Basic Process Control System (BPCS).
• Pneumatic or hydraulic logic solvers.

The scope of the standard is: “This standard addresses Electrical/Electronic/Programmable
Electronic Systems (E/E/PES).” These include electro-mechanical relays, solid state logic types,
PES, motor driven timers, hard-wired logic, or combinations of these.

Boundaries of the SIS: The Safety Instrumented System (SIS) includes all elements from the
sensor to final element connected to the process, including inputs, outputs, SIS user interfaces,
power supply and logic solver.

Does this standard cover installed existing safety instrumented systems (is there a
grandfather clause)? Yes and no. The requirement is stated accordingly: “For existing
equipment designed and constructed with codes, standards, or practices that are no longer in
use, the company shall determine and document that the equipment is designed, maintained,
inspected, tested, and operating in a safe manner”.

Safety Lifecycle Model: The clauses in this standard are organized based on the Safety Life
Cycle. The Safety Life Cycle covers the Safety Instrumented System (SIS) activities from initial
conception through decommissioning. There are 16 major steps in the Safety Life Cycle, but
only 10 are covered by this Standard. The other 6 are outside the scope of SP-84.

[Figure: Safety Life Cycle Model flowchart. Boxes: Start; Conceptual Process Design; Perform
Process Hazard Analysis & Risk Assessment; Apply non-SIS protection layers to prevent identified
hazards or reduce risk; SIS required? (NO/YES); Define target SIL; Develop Safety Requirements
Specification; Perform SIS Conceptual Design & Verify it meets the SRS; Perform SIS Detail Design;
SIS installation, commissioning, and pre-startup acceptance test; Establish Operation & Maintenance
Procedures; Pre-Start-up Safety Review Assessment; SIS start-up, operation, maintenance, periodic
functional testing; Modify or Decommission; Modify SIS?; SIS Decommissioning. Bold areas are
S84.01 concerns.]

You will notice that before the S84.01 requirements become relevant, the following conditions
must be met:

1. The process hazard analysis (e.g. HAZOP) must have been completed
2. A safety instrumented system (SIS) is required
3. The target safety integrity level (SIL) has been determined

These are key decisions that the standard does not give guidance on. However, the availability
requirements of the SIS are clearly defined in the document, as seen below.

What is safety integrity level (SIL)?

It should be understood that SIL and availability are simply statistical representations of the integrity
of the SIS when a process demand occurs. The acceptance of a SIL 1 SIS means that the level
of hazard or economic risk is sufficiently low that a SIS with a 10% chance of failure (90%
availability) is acceptable. For example, consider the installation of a SIL 1 SIS for a high level
trip in a liquid tank. The availability of 90% would mean that out of every 10 times that the level
reached the high level trip point there would be one predicted failure of the SIS and subsequent
overflow of the tank. Is this an acceptable risk?

Safety Integrity   Availability      Probability to        Mean Time
Level              Required          Fail on Demand        Between Failures
4                  >99.99%           E-005 to < E-004      100,000 to 10,000
3                  99.90%            E-004 to < E-003      10,000 to 1,000
2                  99.00 - 99.90%    E-003 to < E-002      1,000 to 100
1                  90.00 - 99.00%    E-002 to < E-001      100 to 10

(IEC 61508 defines SIL 1 through 4; ISA S84 defines SIL 1 through 3.)

A qualitative view of SIL has slowly developed over the last few years as the concept of SIL has
been adopted at many chemical and petrochemical plants. This qualitative view can be
expressed in terms of the impact of the SIS failure on plant personnel and the public or
community.

• “4” - Catastrophic Community Impact.
• “3” - Employee and Community Protection.
• “2” - Major Property and Production Protection. Possible injury to employee.
• “1” - Minor Property and Production Protection.

The assignment of SIL is a corporate or company decision based on risk management
philosophy and risk tolerance. The caveat is that ANSI/ISA S84.01 mandates that companies
design their safety instrumented systems (SIS) to be consistent with similar operating process
units within their own companies and at other companies. Likewise, in the U.S., OSHA PSM
and EPA RMP require that industry standards and good engineering practice be used in the
design and operation of process facilities. This means that the assignment of safety integrity
levels must be carefully performed and thoroughly documented.

One of the most common techniques among U.S. chemical and petrochemical companies uses
a risk matrix that is developed based on a corporate risk management philosophy. The risk
matrix is a correlation that presents the risk reduction necessary to decrease the
perceived process risk to an acceptable level. The risk likelihood and risk severity determined
during the HAZOP are plotted on the risk matrix to determine the required risk reduction or
safety integrity level (SIL) for that specific hazard event. An example of a risk matrix is shown
below:

Qualitative Ranking of Risks
(numbers correspond to SIL levels from ISA SP-84; risk runs from LOW at the
bottom left of the matrix to HIGH at the top right)

EVENT SEVERITY      EVENT LIKELIHOOD
                    LOW     MODERATE    HIGH
EXTENSIVE            2         3          3
SERIOUS              2         2          3
MINOR                1         2          2

Steps in Safety Life Cycle:

1. The first step is to develop a Safety Requirements Specification. The objective of this Clause
is to develop specifications for Safety Instrumented System (SIS) design. These safety
requirements specifications (SRS) consist of both safety functional requirements and safety
integrity requirements. The SRS can be a collection of documents or information. The
Safety Functional Requirements document the logic and actions to be performed by the
SIS and the process conditions under which actions are initiated. These requirements
include such items as consideration for manual shutdown, loss of energy source(s), etc.
The Safety Integrity Requirements document the SIL and performance required for
executing SIS functions. Safety Integrity Requirements include: the required SIL for each
safety function, requirements for diagnostics, requirements for maintenance and testing,
and reliability requirements if spurious trips are hazardous.

2. The second step is conceptual design. Some requirements the engineer will need to define
are: the SIS architecture (e.g. voting 1oo1, 1oo2, 2oo2, 2oo3) needed to ensure the SIL is met.
The logic solver must meet the highest SIL if functions with different SILs share a single
logic solver. A functional test interval must be selected to achieve the SIL, and the
conceptual design must be verified against the SRS.

3. Detail design covers the following areas: General Requirements, SIS Logic Solver, Field
Devices, Interfaces, Energy Sources, System Environment, Application Logic
Requirements, Maintenance or Testing Requirements.

Some key requirements worth noting are:

• The logic solver shall be separated from the basic process control system (BPCS);
• Sensors for SIS shall be separated from the sensors for the basic process control
system (BPCS);
• The logic system vendor shall provide MTTF data, covert failure listing, and frequency
of occurrence of identified covert failures;
• Each individual field device shall have its own dedicated wiring to the system I/O. Field
Bus not allowed!;
• A control valve from the BPCS shall not be used as the only final element for SIL 3;
• Operator Interface may not be allowed to change the SIS application software;
• Forcing shall not be used as a part of application software or operating procedure(s);
• When on-line testing is required, test facilities shall be an integral part of the SIS design.

4. The fourth step is to develop a Pre Start-up Acceptance Test procedure that provides a full
functional test of the SIS to show conformance with the SRS. It is recommended that the
reader review the entire requirements of this Clause.

5. The Operation and Maintenance section is to ensure that the Safety Instrumented System
(SIS) functions in accordance with the Safety Requirements Specification (SRS) throughout
the SIS operational life. You will notice this section follows the requirements of OSHA
1910.119. This Clause has 7 Sections that state specific requirements for all user
companies.

• Training;
• Documentation;
• Operating Procedures;
• Maintenance Program;
• Testing and Preventive Maintenance;
• Functional Testing;
• Documentation of Functional Testing.

6. Some key points of these requirements are as follows:

• Employee training shall adhere to requirements specified in national regulation(s) (e.g.
OSHA 29 CFR 1910.119);
• Bypassing may be necessary for maintenance. If the process is hazardous while a SIS
function is being bypassed, administrative controls and written procedures shall be
provided to maintain the safety of the process;
• Periodic Functional Tests shall be conducted to detect covert faults that prevent the SIS
from operating per the SRS;
• The entire SIS shall be tested, including the sensor(s), the logic solver, and the final
element(s) connected to the process (e.g. shutdown valves, motors).

7. To ensure no unauthorized changes are made to the application program of a programmable
system, S84.01 requires that management of change (MOC) procedures be followed. The
objective of this clause is to ensure that the management of change requirements mandated
in OSHA 29 CFR 1910.119 are addressed in any changes made to the SIS.

8. Decommissioning is the last step in the life cycle model, to ensure proper review prior to
permanently retiring a Safety Instrumented System (SIS) from active service.
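As an added illustration (not from the paper or the standard), the following Python ties the example risk matrix above to the conceptual design step: it looks up the target SIL for a HAZOP-ranked hazard event, then checks whether a voting architecture (1oo1, 1oo2, 2oo2, 2oo3) and functional test interval achieve that SIL against the paper's SIL/PFD bands. The PFDavg formulas, the failure rate and the yearly test interval are assumptions of this example.

```python
from math import floor

# Example risk matrix from the paper (rows: event severity, columns: event
# likelihood); each cell is the required SIL for that hazard event.
RISK_MATRIX = {
    "extensive": {"low": 2, "moderate": 3, "high": 3},
    "serious":   {"low": 2, "moderate": 2, "high": 3},
    "minor":     {"low": 1, "moderate": 2, "high": 2},
}
# SIL bands from the paper's table: (SIL, PFD lower bound, PFD upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def required_sil(severity, likelihood):
    """Target SIL for a hazard event ranked (severity, likelihood) in the HAZOP."""
    return RISK_MATRIX[severity.lower()][likelihood.lower()]

def pfd_avg(arch, lam_d, test_interval_h):
    """Average probability of failure on demand for a voting architecture.
    lam_d: dangerous undetected failure rate per hour of one channel;
    test_interval_h: functional (proof) test interval in hours.
    Assumption: textbook approximations without common-cause or repair terms."""
    x = lam_d * test_interval_h
    return {"1oo1": x / 2, "1oo2": x * x / 3, "2oo2": x, "2oo3": x * x}[arch]

def sil_from_pfd(pfd):
    """SIL achieved by a PFDavg per the paper's bands; None if below SIL 1."""
    if pfd < 1e-5:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None

def max_test_interval(arch, lam_d, target_sil):
    """Largest whole-hour test interval whose PFDavg still meets target_sil."""
    limit = {s: hi for s, _, hi in SIL_BANDS}[target_sil]
    x_max = {"1oo1": 2 * limit, "1oo2": (3 * limit) ** 0.5,
             "2oo2": limit, "2oo3": limit ** 0.5}[arch]
    hours = floor(x_max / lam_d)
    while hours > 0 and pfd_avg(arch, lam_d, hours) >= limit:
        hours -= 1
    return hours

if __name__ == "__main__":
    # Constructed case: a high-level trip ranked extensive/moderate in the HAZOP,
    # channels with lam_d = 2e-6 /h, functionally tested once a year (8760 h).
    target = required_sil("extensive", "moderate")
    lam_d, one_year = 2e-6, 8760
    for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
        achieved = sil_from_pfd(pfd_avg(arch, lam_d, one_year))
        verdict = ("meets SIL %d" % target if (achieved or 0) >= target
                   else "test at least every %d h" % max_test_interval(arch, lam_d, target))
        print(f"{arch}: yearly test gives SIL {achieved}; {verdict}")
```

With the constructed numbers, a single 1oo1 channel tested yearly only reaches SIL 2 and would need a test interval of roughly 1,000 hours to reach SIL 3, whereas 1oo2 and 2oo3 voting reach SIL 3 with the yearly test.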

Conclusion:

As seen above, this new standard, for the first time in the US, contains design, availability,
installation, operation, maintenance, decommissioning, and documentation requirements for
safety instrumented systems. For many companies it will be business as usual, but for some it
will require a paradigm shift in their policies. It has also been noted that most companies are
struggling with safety integrity level determination and quantitative assessment. Those
companies, who have historically been industry leaders and community friendly, are seeking help
from consultants. There is no question, however, that the insight and vision of the S84
Committee members in finally linking risk assessment and management with good engineering
practices will make our process industries safer and help protect our fragile environment.

STANDARDS/REGULATIONS:

1. “Programmable Electronic Systems in Safety Related Applications”, Health and Safety
Executive, U.K., 1987.
2. ANSI/ISA-SP-84.01, “Application of Safety Instrumented Systems for the Process
Industries”, Instrument Society of America Standards and Practices, 1996.
3. 29 CFR Part 1910, “Process Safety Management of Highly Hazardous Chemicals;
Explosives and Blasting Agents”, Occupational Safety and Health Administration, 1992.
4. IEC-61508, “Functional Safety: Safety Related Systems”, International Electrotechnical
Commission, Technical Committee No. 65, Draft/June 1995.
