TECHNICAL REPORT

ISA-TR84.00.04-2015, Part 1
Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod)

Approved 6 April 2015

Copyright 2015 ISA. All rights reserved.

ISA-TR84.00.04-2015, Part 1
Guidelines for the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511)
ISBN: 978-1-941546-51-2

Copyright 2015 by the International Society of Automation (ISA). All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher.

ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709

Preface

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-TR84.00.04-2015, Part 1.

This document has been prepared as part of the service of the International Society of Automation (ISA) toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices, and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

CAUTION

ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR OWN RESPONSIBILITY.

PURSUANT TO ISA'S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS DOCUMENT AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A LICENSE ON A WORLDWIDE, NON-DISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT WWW.ISA.ORG/STANDARDSPATENTS.

OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR DETERMINING WHETHER ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR NON-DISCRIMINATORY.

ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.

ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER'S PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT.

THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE POTENTIAL ISSUES IN THIS VERSION.

The following served as voting members of ISA84 during the development of this technical report:

NAME / COMPANY
W. Johnson, Chair / Consultant
V. Maggioli, Co-Managing Director / Feltronics Corp
D. Zetterberg, Co-Managing Director / Chevron Energy Technology Company
A. Summers, TR Working Group Leader / SIS-TECH Solutions LP
R. Adamski / RA Safety Consulting LLC
T. Ando / Yokogawa Electric Co
R. Avali / Westinghouse Electric Corp
L. Beckman / Safeplex Systems Inc
M. Balsubramanian / ExxonMobil
D. Bennett / Phillips 66
I. Chen / Aramco
R. Chittilapilly / Oil

b) understanding the impact of diagnostics and mechanical integrity (MI) activities on the SIL and reliability;
c) identifying sources of common cause, common mode and systematic failures; and
d) using quantitative methodologies to verify the SIL and spurious trip rate.

The approaches outlined in this document are performance-based; consequently, the reader is cautioned to understand that the examples provided do not represent prescriptive architectural configurations or MI requirements for any given SIL.

Once an SIS is designed and installed, the ability to maintain the specified SIL requires the implementation of a structured MI program as described in ISA-TR84.00.03.

ISA-TR84.00.03, Mechanical Integrity of Safety Instrumented Systems (SIS)

Lifecycle phases 5 and 6 involve the installation
and testing of the SIS, the validation that the SIS meets the safety requirements specification, and the assurance that functional safety is maintained during long term operation and maintenance. An important aspect of achieving and maintaining the SIS integrity and its specified SIL is the implementation of an MI program that provides quality assurance of the installed SIS performance.

This technical report is an informative document providing guidance on establishing an effective MI program that demonstrates through traceable and auditable documentation that the SIS and its equipment are maintained in the "as good as new" condition. The technical report addresses the identification of personnel roles and responsibilities when establishing an MI plan, important considerations in establishing an effective MI program, and detailed examples to illustrate user work processes used to support various activities of the MI program. Data and information collected as part of the MI program can be used to validate the SIL Verification calculations as discussed in ISA-TR84.00.02 and the selection and continued use of devices as discussed in ISA-TR84.00.04 Annex L.

ISA-TR84.00.04, Guidelines for the Implementation of ANSI/ISA-84.00.01

Lifecycle phases 2, 4, 9 and 10 address the management of functional safety, allocation of safety functions to protection layers, SIS design and engineering, and SIS verification. This technical report is divided into two parts. Part 1 provides an overview of the SIS lifecycle with references to annexes containing more detailed guidance on various subjects. Part 2 provides an end-user example of "how to" implement ANSI/ISA-84.00.01. This report covers many aspects of the safety lifecycle including such topics as: "grandfathering" existing SISs (Clause 3 and Annex A); operator initiated functions (Annex B); separation of the Basic Process Control System (BPCS) and SIS (Annex F); field device and logic solver selection (Annex L); manual shutdown considerations (Annex P); and design/installation considerations (e.g., wiring, power, relationship to BPCS, common mode impacts, fault tolerance, etc.; Annex N). ISA-TR84.00.02 expands Annex G, which only provides a brief introduction to the topic of failure calculations. ISA-TR84.00.04 does not address the MI program, which is discussed in ISA-TR84.00.03.

Figure 1 SIS Safety Lifecycle (modified ANSI/ISA-84.00.01-2004-1 Figure 8)
[Figure: lifecycle diagram. Labels recovered from the image: Verification; Management of Functional Safety and Functional Safety Assessment and Auditing; Safety Lifecycle Structure and Planning; 1 Hazard]

there is an effect on the process. Determine the cost of the spurious operation of IPLs to establish the maximum acceptable spurious activation rate. The final risk-reduction strategy should ensure that the side effects are acceptable or properly managed.

4.3 Implement the strategy

The SIS functionality should be documented in a design basis that is maintained under revision control as process safety information for the life of the system. The SIS design basis should address the following:

- Detection of and response to potential hazardous events
- Selection of equipment based on user approval process (see ISA-TR84.00.04 Annex L)
- Fault detection, such as diagnostics and proof testing
- Fault tolerance against dangerous failures
- Procedures for maintenance and test, including the use of bypasses (refer to ISA-TR84.00.03 for additional guidance)
- Operation and maintenance procedures required when SIS equipment is out of service
- Emergency shutdown capability if the SIS fails to take action as expected
- Start-up and shutdown of the process equipment

The SIS design basis is covered by ANSI/ISA-84.00.01-2004 (Clauses 10 through 12). ISA-TR84.00.04-1 gives guidance on design requirements for the hardware in Annex N and software in Annex O. Uniform facility practices should be considered to promote consistency in SIS implementation, as well as to reduce training costs and the potential for human error.

4.3.1 Independence

If it is intended not to qualify the BPCS to this standard, then the SIS should be designed to be separate and independent from the BPCS to the extent that the safety integrity of the SIS is not compromised (IEC 61511-1 Clause 11.2.4). The potential for common cause, common mode and systematic errors, which could result in a process demand and failure of the SIS, should be considered in any assessments of the BPCS and SIS, including but not limited to equipment technology, equipment design, operations, installation, maintenance, testing, security, and management of change. ISA-TR84.00.04-1 Annex F provides guidance with respect to the role of the Basic Process Control System (BPCS) in process safety.

4.3.2 PLCs

PLCs are complex integrated systems with the potential for large numbers of random and systematic failures. Because of the failure potential, ANSI/ISA-84.00.01-2004 (Clause 11.5) requires safety-configuration of PLCs for SISs. Safety configuration addresses the widely known failure modes of the inputs, main processors, communications, utilities (e.g., power, instrument air) and outputs. This requires diagnostics and fault-tolerance capabilities that are generally not provided in process control but needed to identify and manage PLC failures in safety applications. ISA-TR84.00.04-1 Annex M provides further discussion of general purpose, safety configured and IEC 61508 compliant Programmable Electronic (PE) logic solvers.

4.3.3 User approved devices

A user approval process should assure that field equipment has an established history of performance in a similar operating environment and that its failure mechanisms are understood and accounted for in the design, operation and mechanical integrity practices. ISA-TR84.00.04-1 Annex L provides guidance on the selection of SIF devices. An SIS must be sufficiently robust to meet the required SIL under operating environment conditions. For each installation, define the environmental conditions that impact SIS equipment selection, such as:

- process composition, e.g., solids, salts, or corrosives
- process operating conditions, e.g., extremes in temperature, pressure, or vibration
- external conditions, e.g., winterization needs, hazardous area classification, or electromagnetic interference.

4.3.4 Response time

The SIS is designed to detect the unacceptable process condition and to respond in time to prevent the hazardous event. How much time the SIS has to respond depends on the process dynamics and the conditions initiating its actions. When multiple engineered safeguards are implemented to address an event, they are often designed to operate in a preferred sequence. The available process safety time for any given safeguard starts when it is required to take action and ends at the point where the event can no longer be prevented. In many applications, it is desirable that each safeguard be capable of completing its action prior to the initiation of the next in the sequence; the goal being to achieve or maintain a safe state with the safeguard that causes the least impact to process operation. Regardless, the need to allocate a limited process safety time to multiple safeguards leads to less time being available for safeguards operating later in
the sequence. The SIS begins protective action at a defined process condition or setpoint. ISA-TR84.00.04-1 Annex Q provides guidance on the selection of SIF setpoints. The SIS's speed of response is limited by the sensor dynamics and overall instrument loop response time, which can be significantly affected by the process design itself. The shutdown lag can be long (seconds to minutes), particularly in applications where there is significant retained mass or energy that must be removed. It can also be short (milliseconds), such as stopping a motor. The SIS should be capable of completing its action within its allocated process safety time.

4.3.5 Support system considerations

Assess potential common causes in the process support systems, such as power, communications, instrument air, cooling water and hydraulic power. ISA-TR84.00.04-1 Annex K.3.3 provides additional guidance on support system requirements. Ensure that SIS support systems are designed to take the affected equipment to a specified safe state as necessary to achieve the required integrity. Approval of non-fail-safe design should consider the impact on the risk-reduction strategy assumptions, the type of SIS, the support system integrity, and alternative means to achieve a safe state. Human and cyber access to any SIS should be sufficiently restricted using administrative procedures and physical means to ensure that changes to the SIS are approved through a management of change process.

4.3.6 Verification

ANSI/ISA-84.00.01-2004 Clause 11.9 also requires that the SIS PFDavg be verified quantitatively (refer to ISA-TR84.00.02 for additional guidance on SIL Verification). Ensure that the selected
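The process safety time allocation described in 4.3.4, worked through as an added example. This is illustrative code written for this edit, not code from ISA or ISA-TR84.00.04. The safeguard names, trip times, loop response components and the end-of-safety-time value are constructed, and the rule that a safeguard should use at most half of its available process safety time is an assumed design margin, not a figure from the standard.

```python
"""Process safety time (PST) allocation across a sequence of safeguards.

Added illustration, not from ISA-TR84.00.04. Time is seconds after the process
deviation starts; every number below is constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Safeguard:
    name: str
    trip_time: float           # s: setpoint is reached and the safeguard is required to act
    sensor_lag: float          # s: sensor/transmitter dynamics
    logic_time: float          # s: logic solver scan and processing
    final_element: float       # s: valve stroke, motor stop, etc.
    shutdown_lag: float = 0.0  # s: time to remove retained mass or energy

    @property
    def response_time(self) -> float:
        return self.sensor_lag + self.logic_time + self.final_element + self.shutdown_lag


@dataclass(frozen=True)
class Allocation:
    name: str
    available_pst: float   # from trip_time until the event can no longer be prevented
    response_time: float
    completes_at: float
    margin: float          # available_pst - response_time
    within_pst: bool       # response fits, keeping the assumed design margin
    before_next: bool      # completes before the next safeguard in sequence is required


def allocate_pst(safeguards, t_unpreventable, max_pst_fraction=0.5):
    """Allocate PST to each safeguard in trip order and check its response time.

    `max_pst_fraction` is an assumed design rule (use at most half the available
    PST), not a figure from the standard; adjust it to the facility's practice.
    """
    ordered = sorted(safeguards, key=lambda s: s.trip_time)
    results = []
    for i, sg in enumerate(ordered):
        available = t_unpreventable - sg.trip_time
        completes = sg.trip_time + sg.response_time
        next_required = ordered[i + 1].trip_time if i + 1 < len(ordered) else t_unpreventable
        results.append(Allocation(
            name=sg.name,
            available_pst=available,
            response_time=sg.response_time,
            completes_at=completes,
            margin=available - sg.response_time,
            within_pst=sg.response_time <= max_pst_fraction * available,
            before_next=completes <= next_required,
        ))
    return results


def sequence_ok(allocations) -> bool:
    """True when every safeguard completes inside its allocated PST."""
    return all(a.within_pst for a in allocations)


# Constructed high-pressure scenario; T_UNPREVENTABLE is when the vessel reaches
# the pressure beyond which a loss of containment can no longer be prevented.
BASE_CASE = [
    Safeguard("BPCS high-pressure interlock", trip_time=20.0, sensor_lag=2.0, logic_time=1.0, final_element=5.0),
    Safeguard("SIS high-high pressure trip", trip_time=40.0, sensor_lag=2.0, logic_time=0.5, final_element=6.0, shutdown_lag=10.0),
    Safeguard("Relief valve", trip_time=70.0, sensor_lag=0.0, logic_time=0.0, final_element=1.0),
]
T_UNPREVENTABLE = 100.0

# The same SIS after a process change that leaves far more retained energy to remove
SLOW_CASE = [replace(sg, shutdown_lag=45.0) if sg.name.startswith("SIS") else sg for sg in BASE_CASE]

if __name__ == "__main__":
    for label, case in (("base", BASE_CASE), ("slow shutdown", SLOW_CASE)):
        allocations = allocate_pst(case, T_UNPREVENTABLE)
        print(f"--- {label}: sequence ok = {sequence_ok(allocations)}")
        for a in allocations:
            print(f"{a.name:32s} PST={a.available_pst:5.1f}s resp={a.response_time:5.1f}s "
                  f"margin={a.margin:5.1f}s within={a.within_pst} before_next={a.before_next}")
```

The second scenario shows the failure mode the text warns about: a longer shutdown lag does not change the setpoint or the end of the safety time, so the SIS, sitting later in the sequence than the BPCS interlock, runs out of its allocated window and also overlaps the relief valve's initiation. The check belongs in the design basis review whenever process changes alter retained mass or energy.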
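The quantitative PFDavg verification required by 4.3.6, and the effect of diagnostics and proof-test interval on the achieved SIL noted in item b) above, as an added example. This is illustrative code written for this edit, not code from ISA, ISA-TR84.00.04 or ISA-TR84.00.02. It uses the widely used simplified 1oo1 equation PFDavg = lambda_DU * TI / 2 for each subsystem and sums the subsystems; the failure rates, diagnostic coverages and target SIL are constructed, and the simplification omits common cause, repair time and proof-test coverage.

```python
"""Quantitative SIL verification of one SIF with the simplified 1oo1 equation.

Added illustration, not part of ISA-TR84.00.04 (which defers the method to
ISA-TR84.00.02). Uses PFDavg ~= lambda_DU * TI / 2 per subsystem and sums the
subsystems; it ignores common cause, repair time and proof-test coverage, so it
is a first screen, not a complete verification. All rates are constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_d: float   # dangerous failure rate, per hour (constructed, not vendor data)
    dc: float = 0.0   # diagnostic coverage: fraction of lambda_d detected online

    @property
    def lambda_du(self) -> float:
        """Dangerous undetected rate; only online diagnostics reduce it."""
        return self.lambda_d * (1.0 - self.dc)


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified 1oo1 average probability of failure on demand."""
    return lambda_du * proof_test_interval_h / 2.0


def sil_from_pfd(pfd: float) -> int:
    """Map PFDavg to the IEC 61511 low-demand SIL band (0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # 1e-5 <= pfd < 1e-4 is SIL 4; anything lower is beyond the table


def verify_sif(subsystems, proof_test_interval_h, target_sil):
    """Per-subsystem PFD, total PFDavg, achieved SIL, and whether the target is met."""
    contributions = {s.name: pfd_avg_1oo1(s.lambda_du, proof_test_interval_h) for s in subsystems}
    total = sum(contributions.values())
    achieved = sil_from_pfd(total)
    return {
        "contributions": contributions,
        "pfd_avg": total,
        "achieved_sil": achieved,
        "target_sil": target_sil,
        "meets_target": achieved >= target_sil,
        # the subsystem to spend diagnostic or MI effort on first
        "dominant_subsystem": max(contributions, key=contributions.get),
    }


# Constructed SIF: pressure transmitter -> safety PLC -> shutdown valve
EXAMPLE_SIF = [
    Subsystem("pressure transmitter", lambda_d=1.5e-6),
    Subsystem("safety PLC", lambda_d=5.0e-7, dc=0.99),
    Subsystem("shutdown valve", lambda_d=3.0e-6),
]

if __name__ == "__main__":
    for ti_years in (1.0, 0.5):
        r = verify_sif(EXAMPLE_SIF, ti_years * HOURS_PER_YEAR, target_sil=2)
        print(f"TI={ti_years} yr  PFDavg={r['pfd_avg']:.2e}  SIL {r['achieved_sil']}  "
              f"meets target: {r['meets_target']}  dominant: {r['dominant_subsystem']}")
```

With an annual proof test the constructed SIF lands in SIL 1 and the shutdown valve dominates the PFDavg; halving the proof-test interval, an MI decision rather than a hardware change, brings it into SIL 2. This is the kind of sensitivity the MI data described earlier is meant to feed back into the SIL Verification calculation.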