ICEweb has nearly 100 Control, Instrumentation, Fire & Gas, Safety Instrumented Systems core pages and a total of more than 300 pages - It Really is Cool Engineering - By Engineers for Engineers it must be just about the World's first choice for Technical Information.
Whilst every effort is made to ensure technical accuracy of the information supplied on iceweb.com.au, Keyfleet Pty Ltd and its employees accept no liability for any loss or damage caused by error or omission from the data supplied. Users should make and rely on their own independent inquiries. By accessing the site users accept this condition. Should you note any error/omission or an article offends please do not ignore it, contact the webmaster and we will review, rectify and remove as necessary.
Get seen by the people who use
can be yours
A new ANSI/ISA standard sets specific mandates for the integrity of
This paper was published in Chemical Engineering Progress, November 1998
Engineers involved with a process unit that utilizes an instrumented system to prevent or mitigate potentially unsafe conditions need to be aware of the new requirements within ANSI/ISA S84.01-1996. In February 1996, the "Application of Safety Instrumented Systems for the Process Industries" (1) was approved by the Instrument Society of America (ISA) and, in 1997, it was adopted by the American National Standards Institute (ANSI). This standard, which is considered by the U.S. Environmental Protection Agency (EPA) and Occupational Safety and Health Administration (OSHA) as an accepted industry practice, has placed many new requirements on the design, selection, installation, operation, and maintenance of instrumented safety systems.
Although neither the EPA nor OSHA rules explicitly state that compliance with this standard is required, both frequently refer to adhering to "accepted engineering standards and practices" (2,3). OSHA specifically states in 29 CFR 1910.119, Paragraph (d)(3)(ii): "The employer shall document that the equipment complies with recognized and generally accepted good engineering practices." Both OSHA and EPA define good engineering practice as following recognized industrial standards, including those of ANSI.
With over 100 user companies represented on the ANSI/ISA S84.01-1996 Committee, the standard produced clearly represents a consensus of both users and vendors, and the committee membership unanimously endorsed the document as an "accepted industry standard." Its requirements ensure that safety instrumented systems (SISs), including field instrumentation, logic solvers, and final elements, are designed, operated, and maintained to ensure safe operation of the process unit.
This standard now joins the other industry accepted standards, such as the American Society of Mechanical Engineers (ASME) codes for vessels, the National Fire Protection Association (NFPA) codes for burner management, and the Institute of Electrical and Electronic Engineers (IEEE) codes for electrical systems.
Most operating companies have strict compliance policies for these standards and would rarely, if ever, violate their requirements. Certainly, the new ANSI/ISA S84.01-1996 standard should be treated similarly.
What does the standard address?
The interpretation and implementation of the requirements contained in ANSI/ISA-S84.01- 1996 provide a new challenge for the chemical process industries (CPI). The objective of the standard is "to define [the] requirements for safety instrumented systems." The SIS boundaries include all elements of the system, from the field sensor to the final element connected to the process, including inputs, outputs, SIS user interfaces, power supply, and the logic solver. The standard addresses a number of logic-solver technologies, including electromechanical relays, solid-state logic, programmable electronic systems, motor-driven timers, hard-wired logic, and combinations of these technologies.
The standard is based upon a 14-step safety life cycle. The safety life cycle addresses activities associated with the SIS, beginning in conceptual design and continuing to decommissioning. (See Figure 1.) The requirements of ANSI/ISA S84.01-1996 actually begin in the sixth step of this life cycle, leaving the initial steps to the discretion of the operating companies.
What impact will it have?
The ANSI/ISA S84.01-1996 standard will prompt changes in many aspects of the design, operation, and maintenance of SISs. While it has been accepted practice for many years to mitigate potential incidents with instrumented systems, this generally has not included an assessment of what type of SIS provides the appropriate risk reduction. The requirement that the SIS be evaluated for its integrity is perhaps the most significant effect of ANSI/ISA S84.01-1996, because this evaluation typically leads to modifications of the design and increased testing of the SIS. The standard requires that the SIS meet a chosen safety integrity -- a numerical target known as the safety integrity level (SIL).
During a process hazards analysis (PHA), the assessment team identifies potentially hazardous events, their causes, potential consequences, and the safeguards that are in place to prevent or mitigate them. The PHA team then determines whether the existing safeguards are adequate or whether additional risk reduction is required. If the existing situation is found to be unacceptable, action items are developed to guide the engineering team to the solution.
The standard now requires that the user determine whether a SIS is necessary for adequate risk reduction for a particular event. The need for a SIS generally is quite evident from the list of existing safeguards and recommended actions. If an instrumented protection system either is provided as an existing safeguard or has been recommended, the team should indicate that a SIS is required.
Once the decision has been made to utilize a SIS for risk reduction, the SIS must be assigned a SIL, which is a relatively new concept for process engineers. ANSI/ISA S84.01- 1996 defines three discrete integrity levels, SIL 1, SIL 2, and SIL 3 -- based on SIS availability and the probability of failure on demand (PFD), as presented in Table 1. SIL assignment is based upon the PHA findings and on the expected likelihood and consequence of the potential incident. This assignment can be accomplished either as an additional step in the PHA process or in a separate, focused meeting. The assignment of SIL demands the development of a corporate approach that is aligned with management philosophy and risk-acceptance criteria (4).
A number of methods are available for assigning an SIL. Most are qualitative, such as consequence-only, risk matrices, and risk graphs; however, quantitative risk assessment (QRA) techniques can also be employed. Whatever method is selected, the assignment of a SIL must be carefully performed and thoroughly documented.
The conceptual design for the SIS then is developed, based on the assigned target SIL and in accordance with corporate standards, in order to meet the functional and integrity requirements. In developing the SIS architecture to meet these requirements, a number of design aspects may be improved, including:
The assigned SIL leads to the selection of architectures and to the commitment to a specific testing frequency. Table 2 presents a sample of typical SIS architectures that may meet the SIL performance requirements, depending upon the choice of testing frequency. A relative ranking of the SIS reliability is also provided. The reliability of a SIS is inversely related to its nuisance or spurious trip rate. When the reliability of the SIS is improved, the expected nuisance trip rate is lowered. Nuisance tripping can have a significant economic impact to the operating unit; therefore the relationship of SIS availability and reliability cannot be ignored.
Whichever architecture is chosen, the commitment to the functional testing frequency should not be taken lightly, because it is as important to long-term system performance as any of the other design choices, including those shown in Table 2. For example, if during the conceptual design stage, annual testing is chosen, this frequency must be maintained throughout the life of the plant. If, later on, a change in the testing frequency is desired, the SIS architecture will likely have to be modified to maintain the SIL. All changes to the SIS will need to be addressed through a formal management of change (MOC) procedure that verifies that the SIL has not been compromised and the SIS revision has been properly documented.
Before detailed design can begin, the system performance must be verified against the SIL requirements. Quantitative techniques are utilized to model the system architecture and calculate the expected availability in terms of PFD. Three QRA techniques are applicable to this type of analysis: fault tree analysis, reliability block diagrams, and Markov modeling. If the original design cannot meet the SIL performance requirements, risk-reduction techniques must be employed to improve the design to meet the SIL.
The risk-reduction methods included in the SIL-verification calculations must be clearly documented so that, as the process design is optimized and expanded, these elements are maintained. They also must be maintained throughout the remainder of the SIS life cycle, unless formal MOC procedures are applied.
An important step
The new ANSI/ISA S84.01-1996 standard is the first in the U.S. to establish specific requirements for the design, availability, installation, operation, maintenance, decommissioning, and documentation of SISs. For some firms, this will require a paradigm shift in their policies. Many companies now seem to be struggling with SIL assignments and quantitative assessments. There is no question, however, that the insight and vision of the S84 Committee members to finally link risk assessment and management with good engineering practices will make the CPI safer and will help protect workers, the community and the environment.