ISA TR84.00.02 PART 3
Safety Instrumented Functions (SIF) - Safety Integrity Level (SIL) Evaluation Techniques Part 3: Determining the SIL of a SIF via Fault Tree Analysis
Publication Date: 17 June 2002
ISA-TR84.00.02-2002 - Part 3 is intended to be used only after achieving a thorough understanding of ISA-TR84.00.02-2002 - Part 1, which defines the overall scope. This technical report addresses:
a) technical guidance in Safety Integrity Level (SIL) Analysis;
b) ways to implement Safety Instrumented Functions (SIF) to achieve a specified SIL;
c) failure rates and failure modes of SIF components;
d) diagnostics, diagnostic coverage, covert faults, test intervals, redundancy of SIF components; and
e) tool(s) for SIL verification of SIF.
ISA-TR84.00.02-2002 - Part 3 is considered informative and does not contain any mandatory requirements. The User should refer to ISA-TR84.00.02-2002 - Part 1, which defines the general requirements for the verification of SIL for SIF.
ISA-TR84.00.02-2002 - Part 3 is intended to provide guidance on the application of Fault Tree Analysis (FTA) to SIF. FTA is one possible technique for calculating SIL for a SIF installed per ANSI/ISA-84.01-1996.
ISA-TR84.00.02-2002 - Part 3 covers the analysis of a SIF application from the field sensors through the logic solver to the final elements.
Common cause failure and systematic failure are examples of important factors readily modeled in FTA.
Part 3 assumes that the complex analysis of the failure rate for a programmable logic solver is done by another method (see Part 5) or is provided by a vendor as an input PFDL or MTTFspurious into this analysis (per Clause 7.3.2 of
This part does not cover modeling of external communications or operator interfaces. The SIL analysis includes the SIF envelope as defined by ANSI/ISA-84.01-1996 (see Figure I.2).
The ultimate goal for the FTA is to determine the following:
• The PFDavg, Safety Integrity Level (SIL), and
• The MTTFspurious of the SIF
This analysis aids in the design of an effective SIF by allowing the User to determine where weaknesses exist within the SIF. This technique is applicable when the failure of the SIF can be caused by more than one pathway, when strong interactions exist between multiple SIF, or when several support systems (instrument air, cooling water, power, etc.) are involved.