The purpose of this work instruction is to provide engineering guidance towards implementing ANSI/ISA-84.01, Application of Safety Instrumented Systems for the Process Industries, which is the current U.S. industry standard. (In Europe, the International Electrotechnical Commission standard IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, is applied. It is almost identical to the ANSI/ISA standard.) This document is not intended as a reference manual but rather as a general guide to the implementation of the standards.
The objective of implementing ANSI/ISA-84.01 on a project is to provide the client with a safety instrumented system (SIS) whose design, functionality and reliability are the result of a rigorously defined method having been followed and documented.
SAFETY INSTRUMENTED SYSTEM
A safety instrumented system, or SIS, is a combination of field sensing devices, a logic solver (such as a programmable logic controller (PLC), a triple modular redundant PLC or a relay system) and field control devices that are installed to execute safety instrumented functions. These functions are the last line of defense in preventing an occurrence that could have safety, health or environmental (SHE) consequences.
The SIS protects against those possible occurrences that get past all other non-SIS protection layers. A non-SIS protection layer can be any number of items, including special process designs, design limits of equipment or vessels, operating procedures, configuration of the basic process control system and pre-planned operator responses to an abnormal occurrence.
DEFINITIONS
Covert Fault: A system fault not detected by the system
DTT: De-energize To Trip
ETT: Energize To Trip
HAZOP: Hazardous Operations Review
IPL: Independent Protection Layer
LOPA: Layer of Protection Analysis
MOC: Management of Change
Overt Fault: A system fault detected by the system
PES: Programmable Electronic System
PFD: Probability of Failure on Demand
SAR: Safety Availability Range
SHE: Safety-Health-Environmental
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
SRS: Safety Requirements Specification.
SIS CONCEPTS
Implementation of this standard is to be operating-company driven. Contractors and consultants can be utilized to facilitate and assist in the implementation, but the bottom-line responsibility lies with the operating company. This is a life cycle standard: the process starts during process design and continues with system design, installation and testing, maintenance, periodic functionality verification and even decommissioning of the system at the end of its lifetime.
This is not an individual discipline subject. It involves Control Systems, Process, Operations, Safety,
Reliability, Maintenance, Mechanical, etc. A “committee” that includes adequate representation from
all relevant disciplines must execute this standard.
The committee is responsible for setting a number of the rules to be followed during the performance of this task. In other words, the committee will, for example, determine the method to be used to evaluate safety integrity levels and the values used within that method. Once a rule is set, it must be followed consistently.
While it is not the primary focus of ANSI/ISA-84.01, economic issues and considerations (such as the
cost of a spurious trip) can be made a part of this process.
For the process industries, a safety integrity level or SIL is either 1, 2 or 3, with 1 being the lowest level of criticality and 3 the highest. A SIL of 3 should be avoided by design if at all possible. First, a SIL 3 indicates protection against a very severe SHE occurrence. Second, meeting SIL 3 requirements would likely require a complex SIS along with all of its baggage. Therefore SILs should be kept to 2 or 1, or not required at all, even if additional non-SIS protection layers have to be added.
This is not a clear black and white subject but at best a subjective one with significant variations
present in how one operating company handles it procedurally versus another.
SAFETY INSTRUMENTED SYSTEM BASIC STEPS:
The following are the basic steps in the process of implementing ANSI/ISA-84.01 on a project. These steps are predicated on conceptual process design being complete and, at a minimum, review-level P&IDs being available. As previously stated, this is a life cycle process. While the entire system implementation should be subject to the review and approval of the committee, the party noted after each task indicates who would be foreseen to have primary responsibility for executing it.
- Step 1: Identify individual SIFs during preliminary HAZOP.
- Step 2: Confirm identification of SIFs during HAZOP.
- Step 3: Determine required SILs of each SIF during LOPA.
- Step 4: Develop SRS (Control Systems, 3).
- Step 5: Develop SIS conceptual design (Control Systems, 3).
- Step 6: Perform SIS to SIL verification (Third Party, 4).
- Step 7: Execute SIS detail design (Control Systems, 4).
- Step 8: Develop test procedures (Control Systems, 4).
- Step 9: Install and commission SIS (Construction/Reliability, 5).
- Step 10: Establish operations and maintenance procedures.
- Step 11: Initiate SIS management of change (Operations Management).
- Step 12: Perform SIS modifications (when and if required).
- Step 13: Decommissioning of system (Maintenance).
LIFECYCLE FLOWCHART
![Safety Instrumented System SIS Full Technical Easy Guide](https://i0.wp.com/srecontracting.com/wp-content/uploads/2023/05/image-17-689x1024.png?resize=689%2C1024&ssl=1)
IDENTIFICATION OF SAFETY INSTRUMENTED FUNCTIONS
This step needs to be performed early in the design, preferably during the preliminary HAZOP, with a subsequent confirmation during the actual formal HAZOP. A SIF is a control or interlock function whose failure to function can result in an occurrence with SHE consequences. Safety instrumented functions can be avoided in some cases when other protection layers are present.
SIL DETERMINATION
A definite method, either qualitative or quantitative, must be established and used to evaluate safety instrumented function SILs. The following are offered as examples, not as recommendations, of methods that can be utilized for SIL determination. Once a method is chosen, it must be applied consistently. During a LOPA, credit should reasonably be taken for viable IPLs towards the determination of the actual required SILs. Once a SIL has been determined as the result of a LOPA, the SIS must be designed to meet the corresponding PFD requirements.
SAFETY INSTRUMENTED SYSTEM METHODS
Qualitative Method 1 (Example)
This method can be visualized as a 3-dimensional cube (Fig. 1), with the 1st axis being
Frequency of Initiating Events, with 5 units:
1) Improbable
2) Remote
3) Occasional
4) Probable
5) Frequent
the 2nd axis being
Consequence Severity, with 5 units:
1) Negligible
2) Minor
3) Serious
4) Severe
5) Catastrophic
and the 3rd axis being
Effectiveness of Protection Layers, with 3 units:
1) Additional Layers Preclude Occurrence
2) Additional Layers Not Totally Effective
3) No Additional Layers
Each of the resulting 75 sub-cubes would either not require a SIL, have a designated SIL, or require redesign of the process.
![Safety Instrumented System SIS Full Technical Easy Guide](https://i0.wp.com/srecontracting.com/wp-content/uploads/2023/05/image-18-979x1024.png?resize=979%2C1024&ssl=1)
Qualitative Method 2 (Example)
Consequence (C)
Ca Minor Injury
Cb Serious Injury, Single Fatality
Cc Several Fatalities
Cd Many Fatalities
Frequency & Exposure (F)
Fa Rare to Frequent
Fb Frequent to Continuous
Possibility of Avoidance (P)
Pa Sometimes Possible
Pb Almost Impossible
Probability of Occurrence (W)
W1 Very Slight
W2 Slight
W3 Relatively High
a = No special safety requirements
b = Single SIS not sufficient
![Safety Instrumented System SIS Full Technical Easy Guide](https://i0.wp.com/srecontracting.com/wp-content/uploads/2023/05/image-19.png?w=1200&ssl=1)
SAFETY REQUIREMENTS SPECIFICATION
The SRS defines the requirements for the Safety Instrumented System. The following is an outline of the
requirements for the SRS:
10.1 System Function List
10.2 Process Common Cause Failure Considerations
10.3 Regulatory Requirements
10.4 Safe Process State Definition
10.5 Process Inputs
10.6 Process Outputs
10.7 Functional I/O Relationships (Logic)
10.8 Final Element Trip State (ETT/DTT)
10.9 Manual Shutdown Requirements
10.10 Loss of Energy Source Actions
10.11 Response Time Requirements
10.12 Overt Fault Response
10.13 Man-Machine Interface (MMI) Requirements
10.14 Activation Reset Function Requirements
10.15 Safety Instrumented Function SIL Requirements
10.16 System Diagnostic Requirements (to achieve req’d SIL)
10.17 Maintenance Requirements (to achieve req’d SIL)
10.18 Reliability Requirements for Hazardous Spurious Trips.
SIS CONCEPTUAL DESIGN
Conceptual design includes the layout of the overall system plus the selection of field sensors, final control elements and the logic solver. Power and grounding philosophies are to be established. Considerations are given to such items as what technology will be used, diversity in design to preclude common cause failures from occurring, fault tolerant needs, element reliability, bypasses, requirements for maintenance and online testing, etc.
SIS DESIGN TO SIL VERIFICATION
Documentation must be prepared confirming that the combination of field sensors, the logic solver and the final control elements meets the SIL requirements for a given safety instrumented function. This is typically done by one of the following analysis techniques:
- Simplified Equations
- Fault Tree Analysis
- Markov Analysis
It is highly recommended that a consultant be contracted to perform this part of the overall implementation.
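The simplified-equations technique, as an added worked example that is not part of this work instruction: each subsystem's average PFD is computed from its dangerous undetected failure rate, voting architecture and proof-test interval using the ISA-TR84.00.02 simplified equations, the subsystem PFDs are summed for the SIF, and the result is compared against the IEC 61511 low-demand SIL bands. Common-cause failures and proof-test coverage are ignored, and the failure rates and test interval are constructed sample values.

```python
"""Simplified-equation SIL verification for one SIF. Added example, not part of the
work instruction: ISA-TR84.00.02 simplified PFDavg equations (common cause and
proof-test coverage ignored) and IEC 61511 low-demand SIL bands; sample data constructed."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

VOTING = {  # PFDavg as a function of x = lambda_DU * TI, per voting architecture
    "1oo1": lambda x: x / 2,
    "1oo2": lambda x: x ** 2 / 3,
    "2oo2": lambda x: x,
    "2oo3": lambda x: x ** 2,
}

@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float        # dangerous undetected failure rate, per hour
    voting: str             # key into VOTING
    test_interval_h: float  # proof-test interval TI, in hours

    def pfd_avg(self) -> float:
        return VOTING[self.voting](self.lambda_du * self.test_interval_h)

def sil_from_pfd(pfd: float) -> int:
    """Achieved SIL of a low-demand SIF (0 = below SIL 1). Bands: SIL 1 [1e-2, 1e-1),
    SIL 2 [1e-3, 1e-2), SIL 3 [1e-4, 1e-3), SIL 4 [1e-5, 1e-4)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def verify_sif(subsystems, required_sil):
    """Subsystems are in series (any one failing fails the SIF), so their PFDavg values
    add. Returns (total PFDavg, achieved SIL, whether the LOPA requirement is met)."""
    total = sum(s.pfd_avg() for s in subsystems)
    achieved = sil_from_pfd(total)
    return total, achieved, achieved >= required_sil

# Constructed sample SIF: 1oo2 transmitters, 1oo1 logic solver, one valve, yearly tests.
SAMPLE_SIF = [
    Subsystem("pressure transmitters", 2e-6, "1oo2", HOURS_PER_YEAR),
    Subsystem("logic solver", 1e-7, "1oo1", HOURS_PER_YEAR),
    Subsystem("shutdown valve", 5e-6, "1oo1", HOURS_PER_YEAR),
]

if __name__ == "__main__":
    total, achieved, ok = verify_sif(SAMPLE_SIF, 2)
    print(f"SIF PFDavg = {total:.2e}: achieved SIL {achieved}, meets SIL 2: {ok}")
```

In the sample the single shutdown valve contributes almost all of the SIF's PFD, so the SIF only achieves SIL 1 against a LOPA requirement of SIL 2; redundant final elements or a shorter valve proof-test interval are the levers the verification points to.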
DETAIL DESIGN
This part of the implementation involves the development of all required design documents and drawings necessary to meet the SIS conceptual design and to install and commission the SIS. Also involved is the specification and procurement of hardware, including field sensors, final control elements, the logic solver and any other necessary devices such as power supplies. All system needs are to be considered at this time.
TESTING PROCEDURES
Online and offline test procedures should be developed once the detail design is complete. The online procedures cover only the sensors and final elements and contain detailed steps to ensure safe online testing of each element.
The offline test covers the logic solver, sensors and final elements.
SIS INSTALLATION-COMMISSIONING-TESTING
This part of the implementation would include such tasks as:
- Field Device Installation
- Logic Solver Installation
- All System Wiring
- System Installation Review
- System Power-Up
- Program Loading
- Logic Testing
- SIS Loop Check-out
- SIS Loop Commissioning
OPERATION AND MAINTENANCE PROCEDURES
This part of the implementation is development of operational procedures such as required operator responses upon alarm and/or activation occurrences. Maintenance procedures must also be developed.
MANAGEMENT OF CHANGE
SIS management of change is to be put into effect for any part of the system that has been commissioned. A very structured procedure needs to be prepared and followed for any change to the system. Examples of changes could be:
- Logic Revisions (including voting)
- Number of Field Sensors
- Number of Final Control Elements
- Type of Field Devices
- Modifications to the Logic Solver