
TECHNICAL REPORT

ISA-TR91.00.02-2003

Criticality Classification Guideline for Instrumentation

NOTICE OF COPYRIGHT
This is a copyrighted document and may not be copied or distributed in any form or manner without the permission of ISA. This copy of the document was made for the sole use of the person to whom ISA provided it and is subject to the restrictions stated in ISA's license to that person. It may not be provided to any other person in print, electronic, or any other form. Violations of ISA's copyright will be prosecuted to the fullest extent of the law and may result in substantial civil and criminal penalties.

Approved 2 January 2003



ISA - The Instrumentation, Systems, and Automation Society

ISA-TR91.00.02-2003
Criticality Classification Guideline for Instrumentation
ISBN: 1-55617-841-7

Copyright 2003 by ISA - The Instrumentation, Systems, and Automation Society. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher.

ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, North Carolina 27709


Preface
This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-TR91.00.02-2003.

This document has been prepared as part of the service of ISA - The Instrumentation, Systems, and Automation Society - toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices, and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing & Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices, and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

CAUTION - ISA ADHERES TO THE POLICY OF THE AMERICAN NATIONAL STANDARDS INSTITUTE WITH REGARD TO PATENTS. IF ISA IS INFORMED OF AN EXISTING PATENT THAT IS REQUIRED FOR USE OF THE DOCUMENT, IT WILL REQUIRE THE OWNER OF THE PATENT TO EITHER GRANT A ROYALTY-FREE LICENSE FOR USE OF THE PATENT BY USERS COMPLYING WITH THE DOCUMENT OR A LICENSE ON REASONABLE TERMS AND CONDITIONS THAT ARE FREE FROM UNFAIR DISCRIMINATION.

EVEN IF ISA IS UNAWARE OF ANY PATENT COVERING THIS DOCUMENT, THE USER IS CAUTIONED THAT IMPLEMENTATION OF THE DOCUMENT MAY REQUIRE USE OF TECHNIQUES, PROCESSES, OR MATERIALS COVERED BY PATENT RIGHTS. ISA TAKES NO POSITION ON THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS THAT MAY BE INVOLVED IN IMPLEMENTING THE DOCUMENT. ISA IS NOT RESPONSIBLE FOR IDENTIFYING ALL PATENTS THAT MAY REQUIRE A LICENSE BEFORE IMPLEMENTATION OF THE DOCUMENT OR FOR INVESTIGATING THE VALIDITY OR SCOPE OF ANY PATENTS BROUGHT TO ITS ATTENTION. THE USER SHOULD CAREFULLY INVESTIGATE RELEVANT PATENTS BEFORE USING THE DOCUMENT FOR THE USER'S INTENDED APPLICATION.

HOWEVER, ISA ASKS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.

ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER'S PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT.

THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE POTENTIAL ISSUES IN THIS VERSION.

The following served as members of ISA SP91.

NAME                             COMPANY
G. Ramachandran, Chair           Systems Research International Inc.
R. Dunn, Vice Chair              DuPont Engineering
V. Maggioli, Managing Director   Feltronics Corporation
C. Ackerman                      Air Products & Chemicals Inc.
R. Adamski                       Invensys / Premier Consulting Services
L. Baruwa                        Titan Systems Corporation
N. Battikha                      BergoTech Inc.
K. Bond                          Consultant
R. Boyd                          RVB Management & Engineering Inc.
L. Brown                         TFE Inc.
S. Brown                         UK Health & Safety Executive
J. Carew                         Consultant
W. Cohen                         Kellogg Brown & Root
A. De Souza                      Tandem Tech Group
A. Dowell                        Rohm & Haas Company
A. Engels                        Praxair Inc.
D. Fritsch                       Fritsch Consulting Service
J. Gilman                        Consultant
W. Goble                         Exida Com LLC
D. Green                         Rohm & Haas Company
C. Hardin                        CDH Consulting Inc.
J. Harris                        UOP LLC
D. Haysley                       Albert Garaody & Associates
T. Hurst                         Hurst Technologies Corporation
A. Iverson                       Ivy Optiks
W. Johnson                       E.I. du Pont
T. Layer                         Emerson Process Management
D. Leonard                       D J Leonard Consultants
G. McFarland                     Westinghouse Process Control Inc.
N. McLeod                        Atofina
W. Mostia                        WLM Engineering Company
I. Nimmo                         User Centered Design Services LLC
D. Novak                         BASF Corp.
R. Raghavan                      Raytheon Systems Inc.
M. Schmidt                       Michael E. G. Schmidt, PE
J. Shaw                          Process Control Solutions
C. Sossman                       WG-W Safety Management Solutions
H. Storey                        Equilon Enterprises LLC
R. Szanyi                        ExxonMobil Research Engineering
E. Vodopest                      Bechtel National Inc.
T. Walczak                       GE Fanuc Automation


This technical report was approved for publication by the ISA Standards and Practices Board on 2 January 2003.

NAME                   COMPANY
M. Zielinski, Chair    Emerson Process Management
D. Bishop              David N Bishop, Consultant
D. Bouchard            Paprican
M. Cohen               Consultant
M. Coppler             Ametek, Inc.
B. Dumortier           Schneider Electric
W. Holland             Southern Company
E. Icayan              ACES Inc
A. Iverson             Ivy Optiks
R. Jones               Dow Chemical Company
V. Maggioli            Feltronics Corporation
T. McAvinew            I&C Engineering, LLC
A. McCauley, Jr.       Chagrin Valley Controls, Inc.
G. McFarland           Westinghouse Process Control Inc.
R. Reimer              Rockwell Automation
J. Rennie              Factory Mutual Research Corporation
H. Sasajima            Yamatake Corporation
I. Verhappen           Syncrude Canada Ltd.
R. Webb                POWER Engineers
W. Weidman             Parsons Energy & Chemicals Group
J. Weiss               KEMA Consulting
M. Widmeyer            Stanford Linear Accelerator Center
C. Williams            Eastman Kodak Company
G. Wood                Graeme Wood Consulting


Contents

1 Introduction
2 Guidelines for defining instrument classifications
3 Guidelines for ranking instruments within criticality classifications
4 Additional considerations
5 Abbreviations
6 References
Annex A - Guidance
Annex B - Today's criticality classification (see Clause 3.3)
Annex C - Criticality rankings example


1 Introduction

1.1 Process operating facilities utilize instrumentation to monitor and control processes. The performance of this instrumentation ties directly into product quality and product throughput. In addition, the process may become hazardous to operating facility personnel, the community, and the environment if control is lost. Some instruments perform essential functions during emergency response activities and a high degree of confidence is required to ensure that instrumentation will function correctly during an emergency.

1.2 This guideline is developed to assist engineering, operations, and maintenance personnel with establishing the classification of their instrumentation, thus facilitating all aspects of designing and maintaining reliable operating facility instrumentation. Global instrumentation manufacturers classify their equipment according to various country classification standards (see clauses 6.3, 6.7, 6.8). Some process sector facilities utilize criticality classification methods to:

- Facilitate understanding of how these classifications can be used in the design process.
- Reduce design costs by using a prescriptive design approach for each classification to ensure consistency, understanding, and cost-effective design.
- Relate instrumentation requirements to corporate, local, national, and international standards.
- Facilitate communication to those responsible for instrumentation, electrical, mechanical, chemical, measurement, and operating technologies.
- Allow clear communication with integrators, auditors and other third parties.
- Identify training and maintenance needs compatible to the needs of the application.

1.3 This guideline does not mandate what the classification of each instrument should be. It does provide information to assist each operating facility in determining the classification of its process instrumentation. It is the responsibility of an operating facility's management to determine whether criticality classification is needed.

1.4 This guidance will deal primarily with instrumentation used in the process industries. The operating facility may have instrumentation associated with the machinery sector, the medical/drug sector, the railway sector, etc. For example, this guidance will address the machinery and combustion sectors only where equipment associated with these sectors is utilized in the process (e.g., product heating, range drives, product conveying). This guideline addresses asset and safety critical issues as well as other issues. Requirements exist for each of the noted sectors (e.g., process, machinery) and are addressed in the following clauses for their relationship to the process sector and its requirements.

1.5 Note that all applications, regardless of classification, should adhere to good engineering practices.

2 Guidelines for defining instrument classifications

2.1 Many operating facilities have a classification system (generic scheme) that includes categories such as critical and noncritical. Figure 1 illustrates such a classification scheme.

Figure 1 - Generic classification scheme (chart areas: Critical; Non-critical)


2.2 More mandates apply to safety & environmental instrumentation than to asset protection and nonclassified instrumentation. As a result, understanding of these mandates is required before design can begin. Figure 2 provides a further example of classification category subdivision common to process operating facilities.

Figure 2 - Process operating facility criticality classification chart (chart areas: Safety & Environmental; Asset Protection; Non-Classified)

2.3 While the process sector recognizes the need for classifying safety critical instrumentation, the need for any formal classification for other critical instrumentation varies greatly among operating facilities. Safety and environmental operating facility requirements that do not fall under U.S. OSHA 29 CFR Part 1910.119-1992 or U.S. EPA 40 CFR Part 68 may allow alternate design solutions from those listed as OSHA/EPA good engineering practices (e.g., ANSI/ISA-84.01-1996). As a result, operating facilities may choose to classify all areas of their instrumentation. The operating facility may classify the safety and environmental area so that it is subdivided between those falling under specific OSHA/EPA regulations and all other categories. Figure 3 shows an example classification chart for this approach.

Figure 3 - Process operating facility criticality classification chart with safety/environmental subdivisions (chart areas: Safety & environmental per OSHA/EPA regulation; Safety & environmental (all others); Asset Protection; Non-Classified)

2.4 Operating facilities encounter a range of asset issues. To handle this situation, an operating facility may choose to break asset issues into minor and major classifications. The example shown in Figure 4 is similar to that of Figure 2 except the asset protection classification has been subdivided into major asset protection and minor asset protection.

Figure 4 - Example process operating facility criticality classification chart with asset protection subdivided (chart areas: Safety & environmental per OSHA PSM/EPA RMP regulation; Safety & environmental per OSHA/EPA general duty clause; Major asset protection; Minor asset protection; Non-classified)

2.5 Some operating facilities may wish to subdivide safety and environmental as well as asset protection. The Figure 5 example illustrates such a breakdown.

Figure 5 - Example process operating facility criticality classification chart with safety, environmental, and asset protection subdivided (chart areas: Safety per OSHA PSM rule; Environmental per EPA RMP rule; Safety per OSHA general duty clause; Environmental per EPA general duty clause; Major asset; Minor asset; Non Classified)

2.6 There are additional subdivision choices in criticality classification that can be made. To date, the most common classifications relate to safety, environmental, and asset protection instrumentation. Further detail is provided in Annex B.

3 Guidelines for ranking instruments within criticality classifications

3.1 Annex A is provided to assist in developing an operating facility criticality classification; see flow chart A1. Flow chart A1 provides an overview of key considerations when developing an operating facility classification scheme. The flow chart should be modified for specific applications. The flow chart stresses the development of an overall plan (e.g., Figure 5) prior to addressing the details of a specific classification category (e.g., Table A1). The order shown for the classification categories may be modified to meet application needs. Note that some categories may not exist depending on the application.

3.2 Annex A, Table A1 reflects an asset-related classification breakdown example.

3.3 Annex A, Table A2 reflects a criticality classification example developed in response to U.S. OSHA regulation 29 CFR 1910.119. Further detail is provided in Annex B.

3.4 Annex A, Figure A1 combines Tables A1 and A2 into a typical operating facility process instrumentation criticality classification example.

NOTE SIL is an acronym for Safety Integrity Level. SIL is defined as one of three possible integrity levels (SIL 1, SIL 2, SIL 3) of safety instrumented functions. SILs are defined in terms of probability of failure on demand (PFD) (see Annex B, Table B1). It should be noted that presently the international community (see clauses 6.3 and 6.4) recognizes four SILs (SIL 1, SIL 2, SIL 3, SIL 4), while ANSI/ISA-84.01-1996 recognizes only three SILs.

3.5 Annex C provides an example of criticality ranking.

4 Additional considerations

4.1 Good engineering practices are required regardless of the criticality classification.

4.2 Often a system that belongs in one classification is utilized in another classification. One example is that of a single burner boiler installed in a process line. A single burner boiler falls under NFPA 85. However, when installed in a process that falls under U.S. OSHA 29 CFR Part 1910.119, a boiler's instrumentation should be designed, operated, and maintained per ANSI/ISA-84.01-1996 as well as NFPA 85. Therefore, an instrument engineer may rank the furnace instrumentation against both NFPA 85 and ANSI/ISA-84.01-1996.

4.3 It is common for instrumentation associated with machinery located in a process to be designed according to EN 954 (see Annex A, Table A3) and ANSI/ISA-84.01-1996 (see Annex A, Table A2).

4.4 Annex A, Table A3 lists various process and machinery functional safety standards and some of their associated criticality classifications.

5 Abbreviations

ACR    Asset Criticality Ranking
AK     Application Klass (class)
BPCS   Basic Process Control System
RC     Risk Klass (class)
SECR   Safety & Environmental Criticality Ranking
SIL    Safety Integrity Level

6 References

6.1 ANSI/ISA-84.01-1996, Application of Safety Instrumented Systems for the Process Industries.

6.2 U.S. Environmental Protection Agency (EPA), Federal Regulation 40 CFR Part 68, Risk Management Programs for Chemical Accidental Release Prevention.

6.3 International Electrotechnical Commission, IEC 61508, Parts 1-7, Functional safety of electrical/electronic/programmable electronic safety-related systems.

6.4 International Electrotechnical Commission, d-IEC 61511 (drafts), Parts 1-3, Functional safety: Safety instrumented systems for the process industry sector.

6.5 ANSI/ISA-91.00.01-2001, Identification of Emergency Shutdown Systems and Controls That Are Critical to Maintaining Safety in Process Industries.

6.6 U.S. Department of Labor, Occupational Safety and Health Administration (OSHA), Federal Regulation 29 CFR Part 1910; Process Safety Management of Highly Hazardous Chemicals; Explosives and Blasting Agents; Final Rule, 1992.

6.7 European Committee for Standardization (CEN), EN 954-1, Safety of Machinery - Safety-Related Parts of Control Systems - Part 1: General Principles for Design.

6.8 Deutsches Institut für Normung (DIN), DIN V 19250, Control technology; fundamental safety aspects to be considered for measurement and control equipment.

6.9 Deutsches Institut für Normung (DIN), VDI/VDE 2180 Blatt 2, Safeguarding of industrial process plants by means of process control engineering - Classification of process control systems - Realisation, operation and testing of safety instrumented systems.

6.10 American Institute of Chemical Engineers (AIChE), Guidelines for Safe Automation of Chemical Processes, 1993; AIChE, 345 East 47th Street, New York, NY 10017, Tel: (212) 705-7657, www.aiche.org.

6.11 CEN/TC 114/WG 6 - N 860 - prEN ISO 13849-1 (EN 954-1 Rev. 12): Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design. Descriptors: safety of machines, control devices, design, interfaces, hazards, generalities, defects, verification.

6.12 STSARCES, Standards for Safety-Related Complex Electronic Systems, Annex 11, Applicability of IEC 61508 & EN 954, Task 1: A study of the links & divergences between draft IEC 61508 and EN 954, Final Report of WP4, S. J. Brown & S. Frost, Health & Safety Executive, European Project STSARCES, Contract SMT 4CT97-2191; the STSARCES report, including the annex, is available for download at: http://www.safetynet.de/EC-Projects/stsarces/STSARCESMain.htm.


Annex A - Guidance

Example criticality classification flow chart A1 (see Clause 3.1)

[Flow chart A1. Decision and action boxes shown in the chart:]

- Is the facility a process sector operating facility? (Yes / No)
- Is it an existing or new facility? (New / Existing)
- Does the operating facility have an existing criticality classification chart (see Table A3)? (Yes / No)
- Develop or modify an operating facility criticality classification chart (see Fig. 1, 2, 3, 4, & 5 for examples). Plant review complete? (Yes / No)
- Verify that the existing criticality classification chart covers the necessary issues (see Table A3): Safety critical; Asset critical; All others.
- Existing criticality classification acceptable? (Yes / No)
- Modify chart as needed.
- Utilize for new/modified facility.
- Develop or modify an operating facility asset criticality classification (see Table A1 for example). Operating facility review complete? (Yes / No)
- Develop or modify an operating facility safety criticality classification (see Table A2 for example). Operating facility review complete? (Yes / No)
- Develop or modify all other criticality classification (see Table A3).
- Develop or modify an operating facility asset/safety criticality classification (see Figure A1 for example). Plant review complete? (Yes / No)
- Obtain operating facility approval to sustain the classification.

Note: This flow chart could be used for nonprocess sector facilities.

Table A1 - Example operating facility process sector asset classification (see Clause 3.2)

Class     Description
Class A   Hazardous event that results in significant damage to equipment and/or significant loss of production. Does not result in serious injury to personnel and does not have significant environmental impact.
Class B   Same as class A except its probability of occurring is reduced by an existing function.
Class C   Hazardous event that can be controlled safely to a low-risk business loss.

Grouping labels shown in the table: Asset Protection; Low Risk (e.g., other).

Table A2 - Example operating facility process sector safety classification (see Clause 3.3)

Safety & Environmental
SIL 1
SIL 2
SIL 3
See ANSI/ISA-84.01-1996 & Annex B, Table B1.

NOTE SIL is defined in Clause 3.4. Note that when SIL is used to refer to a specific device (e.g., sensor, logic solver, final element) it should be referred to as SIL claim limit or SIL capability. SIL claim limit or SIL capability requires you to contact the device manufacturer to determine the actual PFD of that device. The device cannot claim any functional safety value associated with the term SIL since an integration of devices (e.g., sensor, logic solver, final element) is needed to achieve functional safety.

Figure A1 - Example operating facility process sector classification (see Clause 3.4) (chart areas: Safety & Environmental with SIL 3, SIL 2, SIL 1; Asset Protection; Low Risk (e.g., other); classes Class A, Class B, Class C)

Table A3 - Safety classifications shown in relation to their associated functional safety standards (see Clause 4.4)

Sector      Standard               Classification
Process     DIN 19250              AK 1, AK 2, AK 3, AK 4, AK 5, AK 6, AK 7, AK 8
Process     IEC 61508              SIL 1, SIL 2, SIL 3, SIL 4
Process     Draft IEC 61511        SIL 1, SIL 2, SIL 3, SIL 4
Process     ANSI/ISA-84.01-1996    SIL 1, SIL 2, SIL 3
Process     VDI/VDE 2180           Risk area 1 (low risk w/ SIS only); Risk area 2 (high risk w/ SIS only); Cannot be covered by SIS only
Machinery   EN 954-1               Category B, Category 1, Category 2, Category 3, Category 4
Machinery   Draft IEC 62061        To be determined


Annex B - Today's criticality classification (see Clause 3.3)

B.1 There are many globally accepted criticality classifications. With the continued globalization of the process sector, it is important that the instrument engineer understands these classifications. Note that this guideline does not discuss area hazard classifications (e.g., 1999 NEC 500).

B.2 Table B1 represents the USA process sector safety instrumentation functional criticality rankings (SIL 1, 2, 3) that apply to processes falling under U.S. OSHA 29 CFR 1910.119 - 1992 and U.S. EPA 40 CFR Part 68.

Table B1 - Safety Integrity Level (SIL) per ANSI/ISA-84.01-1996 * (see Clause B.2)

Safety Integrity Level (SIL)   Probability of Failure on Demand Average Range (PFDavg)
1                              10^-1 to 10^-2
2                              10^-2 to 10^-3
3                              10^-3 to 10^-4

* These are for demand mode processes only (demand mode - safety instrumented function: where a specified action (e.g., closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the safety instrumented function, a potential hazard only occurs in the event of a failure in the process or the BPCS).

B.3 Figure B1 represents the machinery sector (refer to EN 954-1) criticality ranking (e.g., category B, 1, 2, 3, 4). Categories are typically machine sector requirements utilized by manufacturers in the design of their machinery. When the machinery is integrated into a process, a pragmatic assumption is that an end-to-end (i.e., sensor-to-actuator) system that meets SIL 1 requirements will provide an equivalent level of safety performance as an end-to-end system that fully meets the requirements of EN 954-1 at categories 1 and 2. Similarly, a pragmatic assumption is that a SIL 2 system will provide safety performance equivalent to a system meeting category 3, and that a SIL 3 system will provide safety performance equivalent to a system meeting category 4. However, the reverse (e.g., category 3 providing safety performance equivalent to SIL 2) should not be implied since SIL classification requires conformance to all parts of the safety life cycle while category classification does not. More information regarding the application of EN 954-1 can be found in CEN report, CR 954-100, Guide on the use and application of EN 954-1.

Figure B1 - EN 954-1 Criticality classification (see Clause B.3)

[Risk graph: reference points built from S1, S2, F1, F2, P1, P2, plotted against categories B, 1, 2, 3, 4.]

Legend (marker types used in the graph):
- Preferred categories for reference points
- Possible categories that can require additional measures
- Measures that can be over-dimensioned for the relevant risk

S = Severity of injury
  S1 Slight injury (normally reversible), i.e., slight cut or bruise.
  S2 Serious (normally irreversible) injury including death.
F = Frequency and/or exposure time to the hazard
  F1 Seldom to quite often and/or the exposure time is short.
  F2 Frequent to continuous and/or the exposure time is long.
P = Possibility of avoiding the hazard
  P1 Possible under specific conditions.
  P2 Scarcely possible.

B.4 NFPA 85, NFPA 86, and API 556 provide guidance for the implementation of combustion systems safeguards.

B.5 IEC 61508 and proposed IEC 61511 criticality classifications are illustrated in Table B2.

NOTE Table B2 is similar to Table B1 except SIL 4 is added.

Table B2 - Safety Integrity Levels: probability of failure on demand (source IEC 61508 and draft IEC 61511) (see Clause B.5)

DEMAND MODE OF OPERATION

Safety Integrity Level (SIL)   Average Probability of Failure on Demand   Risk Reduction
1                              10^-2 to <10^-1                            >10 to 100
2                              10^-3 to <10^-2                            >100 to 1000
3                              10^-4 to <10^-3                            >1000 to 10,000
4                              10^-5 to <10^-4                            >10,000 to 100,000
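The banding in Tables B1 and B2 and the one-way SIL to EN 954-1 assumption of clause B.3 can be checked mechanically. The following Python sketch is an added example, not part of the ISA report; the function names are hypothetical, each band's lower bound is treated as inclusive, a PFDavg better than the lowest band is capped at the highest SIL of the chosen scheme, and a higher SIL is assumed to also cover the categories of lower SILs (all three are assumptions).

```python
# Added example (not part of ISA-TR91.00.02-2003). Demand mode only.
# Table B2 bands: (SIL, inclusive lower PFDavg bound, exclusive upper bound).
SIL_BANDS = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]

# Clause B.3, one direction only: EN 954-1 categories that an end-to-end
# system meeting SIL n is pragmatically assumed to match.
SIL_TO_EN954 = {1: ("1", "2"), 2: ("3",), 3: ("4",)}


def sil_from_pfd(pfd_avg, max_sil=4):
    """Return the SIL band for an average PFD, or None if no SIL applies.

    max_sil=4 follows IEC 61508 / draft IEC 61511 (Table B2);
    max_sil=3 follows ANSI/ISA-84.01-1996 (Table B1).
    """
    if not 0.0 < pfd_avg <= 1.0:
        raise ValueError("PFDavg is a probability and must lie in (0, 1]")
    if pfd_avg >= 1e-1:
        return None  # worse than the SIL 1 band
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return min(sil, max_sil)
    return max_sil  # better than 10^-5: capped at the top level (assumption)


def risk_reduction_factor(pfd_avg):
    """Risk reduction is the reciprocal of PFDavg (Table B2, third column)."""
    return 1.0 / pfd_avg


def categories_covered_by_sil(sil):
    """Categories covered by a SIL, including those of lower SILs (assumption)."""
    covered = set()
    for level, categories in SIL_TO_EN954.items():
        if level <= sil:
            covered.update(categories)
    return covered


def satisfies(requirement, evidence):
    """Check evidence such as ("SIL", 2) against a requirement such as ("CAT", "3")."""
    req_kind, req_level = requirement
    ev_kind, ev_level = evidence
    if req_kind == "SIL" and ev_kind == "SIL":
        return ev_level >= req_level
    if req_kind == "CAT" and ev_kind == "SIL":
        return req_level in categories_covered_by_sil(ev_level)
    if req_kind == "SIL" and ev_kind == "CAT":
        # B.3: a category never implies a SIL, because the category scheme
        # does not require conformance to the whole safety life cycle.
        return False
    if req_kind == "CAT" and ev_kind == "CAT":
        return ev_level == req_level  # no ordering between categories assumed
    raise ValueError("kinds must be 'SIL' or 'CAT'")


if __name__ == "__main__":
    # Constructed sample functions: (tag, PFDavg).
    for tag, pfd in [("SIF-A", 5e-3), ("SIF-B", 1e-2), ("SIF-C", 0.2), ("SIF-D", 5e-5)]:
        print(tag, "IEC:", sil_from_pfd(pfd), "ISA-84:", sil_from_pfd(pfd, max_sil=3),
              "RRF: %.0f" % risk_reduction_factor(pfd))
    print("SIL 2 meets category 3:", satisfies(("CAT", "3"), ("SIL", 2)))
    print("Category 3 meets SIL 2:", satisfies(("SIL", 2), ("CAT", "3")))
```
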

B.6 German standard VDE-DIN-V-19250 utilized a different criticality classification as shown in Figure B2. These AK categories are significant since they can be found on many safety-related control products.

Figure B2 - Classification according to DIN V 19250 (see Clause B.6)

[Risk graph: branches S1, S2 (A1/A2, G1/G2), S3 (A1/A2), S4, read against columns W3, W2, W1 to give the typical AK category, 1 through 8.]

Legend:
Degree of consequence
  S1: Light injury
  S2: Death of 1 person
  S3: More than 1
  S4: Catastrophic result
Presence in hazardous area
  A1: Rarely to frequently
  A2: Frequently to continuously
Possibility of failure prevention
  G1: Limited possibility
  G2: Hardly possible
Likelihood of hazard occurrence
  W1: Very low
  W2: Low
  W3: Relatively high
1 thru 8 inclusive: AK categories


The AK ratings are somewhat compatible with SIL levels and Figure B3 provides such a comparison; however, components of the IEC 61508 development life cycle requirements and the quantitative evaluation of hardware may not exist in the AK rating.

Figure B3 - Risk graph DIN V 19250/NE31/IEC 61511 (see Clause B.6)

[Risk graph: the DIN V 19250 graph of Figure B2 (S1 to S4, A1/A2, G1/G2, columns W3, W2, W1, AK 1 through 8) set beside IEC 61511 and VDI/VDE 2180 columns. IEC 61511 column labels: no safety system requirements; no special safety requirements; SIL 1; SIL 2; SIL 3; SIL 4; A SIF is not sufficient. VDI/VDE 2180 column labels: Risk Area (low Risk); Risk Area (high Risk); Cannot be covered by SIF only.]

Note: See Figure B2 for legend.

Annex C - Criticality rankings example


This annex provides an example procedure a facility may use to develop criticality rankings for its instrumentation.

C.1 After defining the Instrumentation Categories for the operating facility, one can now determine the Criticality Rankings for each instrumentation system and establish any facility-specific requirements for each ranking group.

C.2 It is the responsibility of each operating facility to determine the number of Critical Ranking groups. It is recommended that a minimum of three critical ranking groups be defined. One may define additional critical ranking categories as appropriate.

C.3 Each Instrument System is then categorized under one of the critical ranking groups established. All instrumentation systems that fall into one of the defined instrumentation categories should be assigned to one of the criticality ranking groups (which may include a nonclassified category).

C.4 Once all the instrumentation systems are assigned to a Critical Ranking group, one may establish specific requirements for the Critical Ranking, or for specific instrumentation systems within a critical ranking. Requirements may include one or more of the following:

C.4.1 Purchasing/Procurement requirements
C.4.2 Supplier requirements
C.4.3 Special inspection or acceptance test requirements
C.4.4 Other

The above requirements are examples only. Many other requirements may be specified depending on the application.

C.5 Example

C.5.1 Assume the process facility establishes Instrumentation System Categories as shown in Clause 2, Figure 5.

C.5.2 Figure C1 shows a possible criticality ranking scheme. For this example, we identified four Critical Ranking Categories.

NOTE The operating facility chose to alter the ranking provided in the guidelines to suit its application.

C.5.2.1 Critical Ranking Category #4 consisted of the OSHA PSM/EPA RMP regulated Safety Instrumented Systems and systems identified as Major Asset.

C.5.2.2 Critical Ranking Category #3 consisted of all other Safety Instrumented Systems (OSHA & EPA gen. duty clauses).

C.5.2.3 Critical Ranking Category #2 consisted of the remainder of the Asset Systems.

C.5.2.4 Critical Ranking #1 consisted of all other instrumented systems in the process facility.

Figure C1 - Developing criticality rankings from guidance demo

Criticality Ranking #4
- Safety & Environmental per OSHA PSM/EPA RMP regulations
- Major Assets

Criticality Ranking #3
- Other Safety (OSHA & EPA gen. duty clauses)

Criticality Ranking #2
- Non Critical Assets

Criticality Ranking #1
- Non Classified

Now that a Criticality Ranking represents each instrument system, specific requirements can now be established. References are available to assist you in determining any facility-specific requirements (see Table C1).
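The assignment in C.5.2.1 through C.5.2.4, together with the C.3 expectation that every instrument system ends up in a ranking group, can be run over an instrument inventory. This Python sketch is an added example, not part of the ISA report; the category identifiers, tag names and inventory are constructed, and giving a system that carries several categories the highest applicable ranking is an assumption (the report only notes, in clause 4.2, that a system can fall under more than one classification).

```python
# Added example (not part of ISA-TR91.00.02-2003).
# Keys are constructed identifiers for the Figure 5 categories; values are the
# criticality rankings chosen by the example facility in C.5.2.1 to C.5.2.4.
RANKING_BY_CATEGORY = {
    "safety_osha_psm": 4,             # C.5.2.1
    "environmental_epa_rmp": 4,       # C.5.2.1
    "major_asset": 4,                 # C.5.2.1
    "safety_general_duty": 3,         # C.5.2.2
    "environmental_general_duty": 3,  # C.5.2.2
    "minor_asset": 2,                 # C.5.2.3 (remainder of the asset systems)
    "non_classified": 1,              # C.5.2.4
}


def rank_system(categories):
    """Return (ranking, unknown_categories) for one instrument system.

    ranking is the highest ranking among recognised categories (assumption),
    or None when no recognised category is present.
    """
    known = [RANKING_BY_CATEGORY[c] for c in categories if c in RANKING_BY_CATEGORY]
    unknown = sorted(c for c in categories if c not in RANKING_BY_CATEGORY)
    return (max(known) if known else None), unknown


def rank_inventory(inventory):
    """Group tags by criticality ranking and list findings that need review."""
    groups = {4: [], 3: [], 2: [], 1: []}
    findings = []
    for tag, categories in inventory:
        ranking, unknown = rank_system(categories)
        for category in unknown:
            findings.append((tag, "unknown category %r" % category))
        if ranking is None:
            # C.3: every instrumentation system should be assigned to a group.
            findings.append((tag, "not assigned to any criticality ranking"))
        else:
            groups[ranking].append(tag)
    return groups, findings


# Constructed sample inventory: (tag, categories assigned by the facility).
SAMPLE_INVENTORY = [
    ("PT-101", ["safety_osha_psm"]),
    ("BMS-201", ["safety_general_duty", "major_asset"]),  # multi-classification system
    ("PSV-150", ["environmental_general_duty"]),
    ("LT-305", ["minor_asset"]),
    ("TI-410", ["non_classified"]),
    ("AT-512", []),           # never categorised
    ("FT-620", ["quality"]),  # category not on the facility chart
]

if __name__ == "__main__":
    groups, findings = rank_inventory(SAMPLE_INVENTORY)
    for ranking in sorted(groups, reverse=True):
        print("Criticality Ranking #%d: %s" % (ranking, ", ".join(groups[ranking]) or "-"))
    for tag, problem in findings:
        print("REVIEW %s: %s" % (tag, problem))
```
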


Table C.1 - Example of facility-specific requirements

CR #4
  Description: OSHA PSM/EPA RMP; Asset Critical
  Process facility requirements: Safety & Environmental - Prior Use - Designed per IEC 61508 Sect 2/3; Asset Critical - See Note C.1
  References: Safety/Environ: IEC 61511, ANSI/ISA-84.01; Asset: See Annex A

CR #3
  Description: Safety Instrumented Systems for OSHA & EPA gen. duty cl.
  Process facility requirements: Safety & Environmental - Prior Use - Designed per IEC 61508 Sect 2/3
  References: Safety/Environ: IEC 61511, ANSI/ISA 84.01

CR #2
  Description: Minor Assets
  Process facility requirements: Asset Critical - See standard operating facility
  References: Asset: See Annex B; Operating facility standard

CR #1
  Description: Nonclassified
  Process facility requirements: No Specific Requirements. Follow standard operating facility procurement processes.

NOTE C.1: Asset Critical Requirements

It is the responsibility of the operating facility to determine the requirements for instrumentation systems deemed Asset Critical. These requirements may include the following:

- Prior use in similar environments
- A specific number of years of experience using the instrument
- Designed per IEC 61508 Sections 2 and 3
- Special tests or documentation to be supplied by the supplier
- Other
- Supplier is on qualified supplier list
- Supplier has approved quality system/program (e.g., ISO 9001:2000)


Developing and promulgating sound consensus standards, recommended practices, and technical reports is one of ISA's primary goals. To achieve this goal the Standards and Practices Department relies on the technical expertise and efforts of volunteer committee members, chairmen and reviewers. ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United States Technical Advisory Groups (USTAGs) and provides secretariat support for International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees that develop process measurement and control standards. To obtain additional information on the Society's standards program, please write:

ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709

ISBN: 1-55617-841-7
