instrumentation and control


Upload: salih-musa

Post on 25-May-2015


Page 1: Instrumentation and control

Hazardous Classes and Zones - Standard Definitions . . . . . . . . . . 213

Class, Division and Zone Definitions . . . . . . . . . . . . . . . . . . . . . . . . 213

Area (location) Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

North American methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Table Showing Area Classification . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Table Showing Apparatus Grouping . . . . . . . . . . . . . . . . . . . . . . . . 219

Table Summarizing NEC Class I, II, III Hazardous Locations . . . . . 220

Safety Integrity Level Verification. . . . . . . . . . . . . . . . . . . . . . . . . . . 221

• Equation Calculations Extracted from ISA-TR84.00.02-2002 Part 2, Safety Instrumentation Functions (SIF) – Safety Integrity Level (SIL) Evaluation Techniques Part 2: Determining the SIL of a SIF via Simplified Equations.

7 Safety

HB safety chap7.qxd 3/2/2006 9:05 AM Page 211


Hazardous Classes and Zones - Standard Definitions

A standard titled ANSI/ISA-12.01.01-1999, Definitions and Information Pertaining to Electrical Apparatus in Hazardous (Classified) Locations, defines terminology to help those involved with the design, manufacture, installation, and maintenance of apparatus used in hazardous (classified) locations. It is also intended to promote uniformity. The standard uses definitions and explanations as published by several accepted standards organizations.

For hazardous location apparatus, atmospheric conditions are generally considered to be:

(a) an ambient temperature range of -20°C (-4°F) to 40°C (104°F);
(b) an oxygen concentration of not greater than 21% by volume;
(c) a pressure of 86 kPa (12.5 psia) to 108 kPa (15.7 psia); and
(d) a relative humidity of 5% to 95%.

Class, Division and Zone Definitions

Class I location: a location in which flammable gases or vapors are or may be present in the air in quantities sufficient to produce explosive or ignitable mixtures.

Class I, Division 1 location: a location (1) in which ignitable concentrations of flammable gases or vapors can exist under normal operating conditions; (2) in which ignitable concentrations of such gases or vapors may exist frequently because of repair or maintenance operations or because of leakage; or (3) in which breakdown or faulty operation of equipment or processes might release ignitable concentrations of flammable gases or vapors and might also cause simultaneous failure of electrical equipment that could act as a source of ignition.

Class I, Division 2 location: a location (1) in which volatile flammable liquids or flammable gases are handled, processed, or used, but in which the liquids, vapors, or gases will normally be confined within closed containers or closed systems from which they can escape only in case of accidental rupture or breakdown of such containers or systems, or in case of abnormal operation of equipment; or (2) in which ignitable concentrations of gases or vapors are normally prevented by positive mechanical ventilation and might become hazardous through failure or abnormal operation of the ventilating equipment; or (3) that is adjacent to a Class I, Division 1 location and to which ignitable concentrations of gases or vapors might occasionally be communicated unless such communication is prevented by adequate positive-pressure ventilation from a source of clean air and effective safeguards against ventilation failure are provided.

Chapter 7/Safety 213


Class II location: a location that is hazardous because of the presence of combustible dust.

Class II, Division 1 location: a location (1) in which combustible dust is in the air under normal operating conditions in quantities sufficient to produce explosive or ignitable mixtures; or (2) in which mechanical failure or abnormal operation of machinery or equipment might cause such explosive or ignitable mixtures to be produced and might also provide a source of ignition through simultaneous failure of electrical equipment, operation of protection devices, or from other causes; or (3) in which combustible dusts of an electrically conductive nature may be present in hazardous quantities.

Class II, Division 2 location: a location in which combustible dust is not normally in the air in quantities sufficient to produce explosive or ignitable mixtures and dust accumulations are normally insufficient to interfere with the normal operation of electrical equipment or other apparatus, but combustible dust may be in suspension in the air as a result of infrequent malfunctioning of handling or processing equipment and where combustible dust accumulations on, in, or in the vicinity of the electrical equipment may be sufficient to interfere with the safe dissipation of heat from electrical equipment or may be ignitable by abnormal operation or failure of electrical equipment.

Class III location: a location that is hazardous because of the presence of easily ignitable fibers or flyings but in which such fibers or flyings are not likely to be in suspension in the air in quantities sufficient to produce ignitable mixtures.

Class III, Division 1 location: a location in which easily ignitable fibers or materials producing combustible flyings are handled, manufactured, or used.

Class III, Division 2 location: a location in which easily ignitable fibers are stored or handled (except in the process of manufacture).

Zone 0 (IEC): an area in which an explosive gas atmosphere is present continuously or for long periods.

Zone 0, Class I (NEC): a Class I, Zone 0 location is a location (1) in which ignitable concentrations of flammable gases or vapors are present continuously; or (2) in which ignitable concentrations of flammable gases or vapors are present for long periods of time.

214 ISA Handbook of Measurement Equations and Tables


Zone 1 (IEC): an area in which an explosive gas atmosphere is likely to occur in normal operation.

Zone 1, Class I (NEC): a Class I, Zone 1 location is a location (1) in which ignitable concentrations of flammable gases or vapors are likely to exist under normal operating conditions; or (2) in which ignitable concentrations of flammable gases or vapors may exist frequently because of repair or maintenance operations or because of leakage; or (3) in which equipment is operated or processes are carried on, of such a nature that equipment breakdown or faulty operations could result in the release of ignitable concentrations of flammable gases or vapors and also cause simultaneous failure of electrical equipment in a mode to cause the electrical equipment to become a source of ignition; or (4) that is adjacent to a Class I, Zone 0 location from which ignitable concentrations of vapors could be communicated, unless communication is prevented by adequate positive-pressure ventilation from a source of clean air and effective safeguards against ventilation failure are provided.

Zone 2 (IEC): an area in which an explosive gas atmosphere is not likely to occur in normal operation and, if it does occur, is likely to do so only infrequently and will exist for a short period only.

Zone 2, Class I (NEC): a Class I, Zone 2 location is a location (1) in which ignitable concentrations of flammable gases or vapors are not likely to occur in normal operation, and if they do occur, will exist only for a short period; or (2) in which volatile flammable liquids, flammable gases, or flammable vapors are handled, processed, or used, but in which the liquids, gases, or vapors normally are confined within closed containers or closed systems from which they can escape only as a result of accidental rupture or breakdown of the containers or system, or as the result of the abnormal operation of the equipment with which the liquids or gases are handled, processed, or used; or (3) in which ignitable concentrations of flammable gases or vapors normally are prevented by positive mechanical ventilation, but which may become hazardous as the result of failure or abnormal operation of the ventilation equipment; or (4) that is adjacent to a Class I, Zone 1 location from which ignitable concentrations of flammable gases or vapors could be communicated, unless such communication is prevented by adequate positive-pressure ventilation from a source of clean air, and effective safeguards against ventilation failure are provided.

Zone 20 (IEC): an area in which combustible dust, as a cloud, is present continuously or frequently, during normal operation, in sufficient quantity to be capable of producing an explosible concentration of combustible dust in mixture with air and/or where layers of dust of uncontrollable and excessive thickness can be formed. This can be the case inside dust containment where dust can form explosible mixtures frequently or for long periods of time. This occurs typically inside equipment.

Zone 21 (IEC): an area not classified as Zone 20 in which combustible dust, as a cloud, is likely to occur during normal operation, in sufficient quantity to be capable of producing an explosible concentration of combustible dust in mixture with air. This zone can include, among others, areas in the immediate vicinity of powder filling or emptying points and areas where dust layers occur and are likely in normal operation to give rise to an explosible concentration of combustible dust in mixture with air.

Zone 22 (IEC): an area not classified as Zone 21 in which combustible dust, as a cloud, can occur infrequently, and persist only for a short period, or in which accumulations or layers of combustible dust can give rise to an explosive concentration of combustible dust in mixture with air. This zone can include, among others, areas in the vicinity of equipment containing dust, and in which dust can escape from leaks and form deposits (e.g., milling rooms in which dust can escape from the mills and then settle).

Area (location) classification

Area classification schemes should specify the kind of flammable material that may be present and the probability that it will be present in ignitable concentrations. Area classification schemes and systems of material classification have been developed to provide a succinct description of the hazard so that appropriate safeguards may be selected. The type of protection technique selected and the level of protection it must provide depend upon the potential hazard caused by using electrical apparatus in a location in which a combustible, flammable, or ignitable substance may be present.

North American methods

In the United States, the area classification definitions are stated in Articles 500 and 505 of the National Electrical Code (NEC), NFPA 70. In Canada, similar definitions are given in the Canadian Electrical Code (CEC), Part 1, Section 18 and Annex J18 (CSA C22.1). Area classification definitions used in the United States and Canada include the following:


a) CLASS – the generic form of the flammable materials in the atmosphere, which may include gas or vapor, dusts, or easily ignitable fibers or flyings;

b) DIVISION (or ZONE) – an indication of the probability of the presence of the flammable material in ignitable concentration; and

c) GROUP – the exact nature of the flammable material.

Groups (NEC Article 500 / CEC Annex J18)

The United States and Canadian Electrical Codes recognize seven groups: Groups A, B, C, D, E, F, and G. Groups A, B, C, and D apply to Class I locations; Groups E, F, and G apply to Class II locations. In NEC these groups are defined as:

Group A - Acetylene

Group B - Flammable gas, flammable liquid-produced vapor, or combustible liquid-produced vapor mixed with air that may burn or explode, having either a maximum experimental safe gap (MESG) less than or equal to 0.45 mm or a minimum igniting current ratio (MIC RATIO) less than 0.4. A typical Class I, Group B material is hydrogen.

Group C - Flammable gas, flammable liquid-produced vapor, or combustible liquid-produced vapor mixed with air that may burn or explode, having either MESG values greater than 0.45 mm and less than or equal to 0.75 mm or a MIC RATIO greater than or equal to 0.4 and less than or equal to 0.80. A typical Class I, Group C material is ethylene.

Group D - Flammable gas, flammable liquid-produced vapor, or combustible liquid-produced vapor mixed with air that may burn or explode, having a MESG greater than 0.75 mm or a MIC RATIO greater than 0.80, or gases or vapors of equivalent hazard. A typical Class I, Group D material is propane.

Group E - Atmospheres containing combustible metal dusts, including aluminum, magnesium, and their commercial alloys, or other combustible dusts whose particle size, abrasiveness, and conductivity present similar hazards in the use of electrical equipment.

Group F - Atmospheres containing combustible carbonaceous dusts that have more than 8% total entrapped volatiles or that have been sensitized by other materials so that they present an explosion hazard. Coal, carbon black, charcoal, and coke dusts are examples of carbonaceous dusts.

Group G - Atmospheres containing other combustible dusts, including flour, grain, wood flour, plastic, and chemicals.

Groups (NEC Article 505/CSA C22.1 Section 18/IEC 60079-12/per EN 60079-12) are defined as:

Group IIC - Flammable gas, flammable liquid-produced vapor, or combustible liquid-produced vapor mixed with air that may burn or explode, having either MESG less than or equal to 0.5 mm or MIC RATIO less than 0.45, or gases or vapors of equivalent hazard.

NOTE: This group is similar to a combination of Groups A & B, described previously, although the MESG and MIC RATIO numbers are slightly different. Typical gases include acetylene, carbon disulfide, hydrogen, and gases or vapors of equivalent hazard.

Group IIB - Flammable gas, flammable liquid-produced vapor, or combustible liquid-produced vapor mixed with air that may burn or explode, having either MESG values greater than 0.5 mm and less than or equal to 0.9 mm or MIC RATIO greater than or equal to 0.45 and less than or equal to 0.80, or gases or vapors of equivalent hazard.

NOTE: This group is similar to Group C, described previously, although the MESG and MIC RATIO numbers are slightly different. Typical gases include ethylene and gases or vapors of equivalent hazard.

Group IIA - Flammable gas, flammable liquid-produced vapor, or combustible liquid-produced vapor mixed with air that may burn or explode, having MESG greater than 0.9 mm or MIC RATIO greater than 0.80, or gases or vapors of equivalent hazard.

NOTE: This group is similar to Group D, described previously, although the MESG number is slightly different. Typical gases include propane and gases or vapors of equivalent hazard.


Area Classification

                     Flammable Material        Flammable Material        Flammable Material
                     Present Continuously      Present Intermittently    Present Abnormally
IEC/CENELEC          Zone 0 (Zone 20 – dust)   Zone 1 (Zone 21 – dust)   Zone 2 (Zone 22 – dust)
U.S. NEC® 505        Zone 0                    Zone 1                    Zone 2
U.S. NEC® 500        Division 1                Division 1                Division 2

IEC classification per IEC 60079-10
CENELEC classification per EN 60079-10
U.S. classification per ANSI/NFPA 70 National Electric Codes (NECs) Article 500 or Article 505

Table courtesy of FM Approvals, an FM Global enterprise. Reprinted with permission.

Apparatus Grouping

Typical Gas/Dust/Fiber   U.S. (NEC® 505) / IEC / CENELEC   U.S. (NEC® 500)
Acetylene                Group IIC                         Class I/Group A
Hydrogen                 (Group IIB + H2)                  Class I/Group B
Ethylene                 Group IIB                         Class I/Group C
Propane                  Group IIA                         Class I/Group D
Methane                  Group I*                          Mining*
Metal Dust               None                              Class II/Group E
Coal Dust                None                              Class II/Group F
Grain Dust               None                              Class II/Group G
Fibers                   None                              Class III

*Not within scope of NEC®. Under jurisdiction of Mine Safety and Health Administration (MSHA).

Table courtesy of FM Approvals, an FM Global enterprise. Reprinted with permission.
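The group thresholds (MESG and MIC RATIO) and the Area Classification table above are easy to misapply at the boundaries, where the NEC 500 and NEC 505/IEC limits differ "slightly" as the notes say. The following is an added worked example, not code from the ISA Handbook or from FM Approvals: it encodes the thresholds quoted above, picks the more severe group when MESG and MIC RATIO disagree (a conservative choice of this example, not stated in the text), and maps a material kind and presence probability to the NEC 500 Class/Division and the IEC/NEC 505 Zone. The gas property values in DEMO_GASES are constructed illustrations.

```python
"""Hazardous-area helper built from the NEC 500 / NEC 505 / IEC group
thresholds and the Area Classification table. Added example; the
MESG / MIC-ratio figures in DEMO_GASES are constructed, not measured."""

# Ordered rows of (group, upper bound, bound inclusive); the last group is
# the default when no row matches. Values are the ones quoted in the text.
NEC500_MESG = (("B", 0.45, True), ("C", 0.75, True))      # Group D above 0.75 mm
NEC500_MIC = (("B", 0.4, False), ("C", 0.80, True))       # Group D above 0.80
IEC_MESG = (("IIC", 0.5, True), ("IIB", 0.9, True))       # IIA above 0.9 mm
IEC_MIC = (("IIC", 0.45, False), ("IIB", 0.80, True))     # IIA above 0.80

TABLES = {
    "NEC500": (NEC500_MESG, "D", NEC500_MIC, "D"),
    "IEC": (IEC_MESG, "IIA", IEC_MIC, "IIA"),
}
# Lower rank = more severe (wider range of apparatus must be rated for it).
SEVERITY = {"A": 0, "B": 1, "C": 2, "D": 3, "IIC": 0, "IIB": 1, "IIA": 2}


def _bucket(value, table, default):
    """Return the first group whose upper bound holds for value."""
    for group, bound, inclusive in table:
        if value < bound or (inclusive and value == bound):
            return group
    return default


def gas_group(scheme, mesg_mm=None, mic_ratio=None, acetylene=False):
    """Apparatus group for a gas under 'NEC500' or 'IEC' (NEC 505 / CENELEC).

    The definitions say "either MESG ... or MIC RATIO"; when both are given
    and disagree, this example keeps the more severe group (assumption).
    Acetylene is Group A by name in NEC 500 and listed under IIC in IEC."""
    if scheme not in TABLES:
        raise ValueError(f"unknown scheme {scheme!r}")
    if acetylene:
        return "A" if scheme == "NEC500" else "IIC"
    mesg_tbl, mesg_default, mic_tbl, mic_default = TABLES[scheme]
    found = []
    if mesg_mm is not None:
        found.append(_bucket(mesg_mm, mesg_tbl, mesg_default))
    if mic_ratio is not None:
        found.append(_bucket(mic_ratio, mic_tbl, mic_default))
    if not found:
        raise ValueError("need MESG and/or MIC ratio")
    return min(found, key=SEVERITY.__getitem__)


# Area Classification table: columns left to right, Division 1 spans the
# first two columns, Division 2 the third.
PRESENCE = {"continuous": 0, "intermittent": 1, "abnormal": 2}
CLASS_BY_MATERIAL = {"gas": "I", "dust": "II", "fiber": "III"}


def classify_location(material, presence):
    """Return (NEC 500 'Class X, Division N', IEC/NEC 505 zone or None)."""
    col = PRESENCE[presence]
    cls = CLASS_BY_MATERIAL[material]
    division = 1 if col < 2 else 2
    nec500 = f"Class {cls}, Division {division}"
    if material == "gas":
        zone = f"Zone {col}"            # Zone 0 / 1 / 2
    elif material == "dust":
        zone = f"Zone {20 + col}"       # Zone 20 / 21 / 22
    else:
        zone = None                     # fibers: Class III only in the tables
    return nec500, zone


# Constructed demo inputs (illustrative numbers, not reference data).
DEMO_GASES = {"hydrogen-like": 0.29, "ethylene-like": 0.65,
              "propane-like": 0.92, "boundary case": 0.47}

if __name__ == "__main__":
    for name, mesg in DEMO_GASES.items():
        print(f"{name:14s} MESG {mesg} mm -> NEC 500 Group "
              f"{gas_group('NEC500', mesg_mm=mesg)}, IEC Group "
              f"{gas_group('IEC', mesg_mm=mesg)}")
    print(classify_location("gas", "continuous"))
    print(classify_location("dust", "abnormal"))
```

The "boundary case" row shows why the two schemes cannot be treated as interchangeable: 0.47 mm is Group C under NEC 500 (above 0.45 mm) but still IIC under IEC (at or below 0.5 mm), so equipment certified for IIB only would not be acceptable for that atmosphere.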


Table Summarizing NEC Class I, II, III Hazardous Locations

Class I. Gases, vapors, and liquids (Art. 501)
  Groups: A: Acetylene; B: Hydrogen, etc.; C: Ether, etc.; D: Hydrocarbons, fuels, solvents, etc.
  Division 1: Normally explosive and hazardous
  Division 2: Not normally present in an explosive concentration (but may accidentally exist)

Class II. Dusts (Art. 502)
  Groups: E: Metal dusts (conductive,* and explosive); F: Carbon dusts (some are conductive,* and all are explosive); G: Flour, starch, grain, combustible plastic or chemical dust (explosive)
  Division 1: Ignitable quantities of dust normally are or may be in suspension, or conductive dust may be present
  Division 2: Dust not normally suspended in an ignitable concentration (but may accidentally exist). Dust layers are present.

Class III. Fibers and flyings (Art. 503)
  Groups: Textiles, wood-working, etc. (easily ignitable, but not likely to be explosive)
  Division 1: Handled or used in manufacturing
  Division 2: Stored or handled in storage (exclusive of manufacturing)

*NOTE: Electrically conductive dusts are dusts with a resistivity less than 10^5 ohm-centimeter.

Safety Integrity Level Verification

[Note: The following is extracted from ISA-TR84.00.02-2002 – Part 2, Safety Instrumented Functions (SIF) – Safety Integrity Level (SIL) Evaluation Techniques Part 2: Determining the SIL of a SIF via Simplified Equations. For those determining the SIL of a SIF via Fault Tree Analysis, it is highly recommended they refer to ISA-TR84.00.02-2002 – Part 3. Readers are also advised an updated ISA Technical Report (TR) is planned on this subject, but was not available at the time of this ISA Handbook's publication.]

Assumptions Used in the Calculations

The following assumptions were used in Part 2 for Simplified Equation calculations:

• The SIF being evaluated will be designed, installed, and maintained in accordance with ANSI/ISA-84.01-1996.

• Component failure and repair rates are assumed to be constant over the life of the SIF.

• Once a component has failed in one of the possible failure modes it cannot fail again in one of the remaining failure modes. It can only fail again after it has first been repaired. This assumption has been made to simplify the modeling effort.

• The equations assume similar failure rates for redundant components.

• The sensor failure rate includes everything from the sensor to the input module of the logic solver including the process effects (e.g., plugged impulse line to transmitter).

• The logic solver failure rate includes the input modules, logic solver, output modules and power supplies. These failure rates typically are supplied by the logic solver vendor.

Note: ISA-TR84.00.02-2002 – Part 5 illustrates a suggested method to use in developing failure rate data for the logic solver.

• The final element failure rate includes everything from the output module of the logic solver to the final element including the process effects.

• The failure rates shown in the formulas for redundant architectures are for a single 'leg' or 'slice' of a system (e.g., if 2oo3 transmitters, the failure rate used is for a single transmitter, not three (3) times the single transmitter value.)


• The Test Interval (TI) is assumed to be much shorter than the Mean Time To Failure (MTTF).

• Testing and repair of components in the system are assumed to be perfect.

• All SIF components have been properly specified based on the process application. For example, final elements (valves) have been selected to fail in the safe direction depending on their specific application.

• All equations used in the calculations based on this part are based on Reference 3, Reliability, Maintainability and Risk, by David J. Smith, 4th Edition, 1993, Butterworth-Heinemann, ISBN 82-515-0188-1.

• All power supply failures are assumed to be due to the de-energized state.

• It is assumed that when a dangerous detected failure occurs, the SIS will take the process to a safe state or plant personnel will take necessary action to ensure the process is safe (operator response is assumed to be before a demand occurs, i.e., instantaneous, and PFD of operator response is assumed to be 0).

Note: If the action depends on plant personnel to provide safety, the user is cautioned to account for the probability of failure of personnel to perform the required function in a timely manner.

• The target PFDavg and MTTFspurious is defined for each SIF implemented in the SIS.

• The Beta model is used to treat possible common cause failures.

Note: A detailed explanation of the Beta model is given in Annex A of Part 1.

• The equations developed in this part assume a graceful degradation path, i.e., 2oo4 system is assumed to degrade as 4-3-2-0.

• ISA-TR84.00.02-2002 - Part 2 assumes that the User is familiar with the SIF verification techniques and has a general understanding of the principles behind data collection, failure modes, and effects and analysis, and common cause and diagnostic coverage assessment.


Calculation Procedures

Evaluation of a SIS or a portion of a SIS involves estimating both the PFDavg and the anticipated mean time to spurious trip or Mean Time to Failure - Spurious (MTTFspurious) of a single SIF. Both factors may be important in the final system selection and design.

The following steps are carried out in this evaluation:

1. Identify the hazardous event for which the SIS is providing a layer of protection and the specific individual components that protect against the event.

2. Identify the Safety Integrity Level (SIL) of each SIF required for each hazardous event.

3. List the components that have an impact on each SIF. This will typically be those sensors and final elements identified in the process hazard analysis (PHA) process. The associated SIFs are assigned a SIL by the PHA team.

4. Using the SIS architecture being considered, calculate the PFDavg for each SIF by combining the contributions from the sensors, logic solver, final elements, power supply, and any other components that impact that SIF.

5. Determine if the PFDavg meets the Safety Requirements Specification for each SIF.

6. If required, modify SIS (hardware configuration, test interval, hardware selection, etc.) and recalculate to meet the requirements specified in the Safety Requirements Specifications (See ANSI/ISA-84.01-1996, Clause 5 and Clause 6.2.2) for each SIF.

7. If SIS reliability impacts the consequence of concern, determine the expected Spurious Trip Rate (STR) for system components and combine to obtain MTTFspurious for the SIS.

8. If the calculated MTTFspurious is unacceptable, modify configuration (add redundancy, use components with better reliability, etc.) and re-calculate to meet requirements in the Safety Requirements Specifications. This will require re-calculation of the PFDavg value for each SIF as well.

9. When the PFDavg and MTTFspurious values meet or exceed those specified in the Safety Requirements Specifications, the calculation procedure is complete.


5.1 PFDavg Calculations

The PFDavg is determined by calculating the PFD for all the components in each SIF which provide protection against a process hazardous event and combining these individual values to obtain the SIF PFD value. This is expressed by the following:

$$\mathrm{PFD}_{SIS} = \sum \mathrm{PFD}_{Si} + \sum \mathrm{PFD}_{Ai} + \sum \mathrm{PFD}_{Li} + \sum \mathrm{PFD}_{PSi} \qquad \text{(Eq. No. 1)}$$

where
PFD_A is the final element PFDavg for a specific SIF
PFD_S is the sensor PFDavg for a specific SIF
PFD_L is the logic solver PFDavg
PFD_PS is the power supply PFDavg, and
PFD_SIS is the PFDavg for the specific SIF in the SIS.
i represents the number of each type of component that is a part of the specific SIF

Each element of the calculation is discussed in the following sections:

5.1.1 Determining the PFDavg for sensors:

The procedure for determining the PFDavg for sensors is as follows:

1. Identify each sensor that detects the out-of-limits condition that could lead to the event the SIF is protecting against. Only those sensors that prevent or mitigate the designated event are included in PFD calculations.

2. List the MTTFDU for each sensor.

3. Calculate the PFD for each sensor configuration using the MTTFDU and the equations in 5.1.5 with appropriate consideration for redundancy.

4. Sum the PFD values for the sensors to obtain the PFDS component for the SIF being evaluated. This step is only required if multiple sensor inputs are required in the SIF being evaluated.


Combined sensor PFDavg component for SIF:

$$\mathrm{PFD}_S = \sum \mathrm{PFD}_{Si}$$

(values for individual sets of sensors)

5.1.2 Determining the PFDavg for Final Elements

The procedure for determining the PFDavg for final elements is as follows:

1. Identify each final element that protects against the out-of-limits condition that could lead to the event the SIS is protecting against. Only those final elements that prevent or mitigate the designated event are included in PFD calculations.

2. List the MTTFDU for each final element.

3. Calculate the PFDavg for each final element configuration using the MTTFDU and the equations in 5.1.5 with appropriate consideration for redundancy.

4. Sum the PFD values for the final elements to obtain the PFDA component for the SIF being evaluated. This step is only required if multiple final elements are required in the SIF being evaluated.

Combined final element PFDavg component for SIF:

$$\mathrm{PFD}_A = \sum \mathrm{PFD}_{Ai}$$

(values for individual sets of final elements)

5.1.3 Determining the PFD for the logic solver

Note: A common logic solver may provide the logic for several SIFs.

The procedure for determining the PFDavg for the logic solver is as follows:

1. Identify the type of logic solver hardware used.

2. Select the MTTFDU for the logic solver (typically obtained from logic solver manufacturer).

Note: Since the PFDavg for the logic solver is a non-linear function, the user should request the MTTFDU for a number of functional test intervals of interest and use the one that matches the system requirements.


3. Calculate the PFDavg for the logic solver portion of SIF using equations in 5.1.5 with appropriate consideration for redundancy. (Note that this step is only required when the manufacturer does not supply the PFDavg for the fully integrated logic solver system.)

4. If the user must determine the PFD for a PES logic solver, refer to Part 5 of ISA-TR84.00.02-2002 for an approach that can be used.

5.1.4 Determining PFDavg for power supply

If the SIS is designed for de-energize to trip, the power supply does not impact the SIF PFDavg because a power supply failure will result in action taking the process to a safe state. If the SIS is energize to trip, the power supply PFDavg is determined by the following:

1. List the MTTFDU for each power supply to the SIS.

2. Calculate the PFDavg for the power supplies using the appropriate redundancy and the equations in 5.1.5.

5.1.5 System equations

The following equations cover the typical configurations used in SIS configurations. To see the derivation of the equations listed, refer to Reference 3 or ISA-TR84.00.02 – Part 5.

Converting MTTF to failure rate, λ:

$$\lambda_{DU} = \frac{1}{\mathrm{MTTF}_{DU}} \qquad \text{(Eq. No. 2)}$$

Equations for typical configurations:

1oo1

Note: "1oo1" (above) is ISA Standards speak for "one out of one," meaning only one device so identified is responsible for taking action. "1oo2" (see Eq. No. 4A) means there are two devices making the decision, and they both must be in a "go" mode before an output can be achieved. The electrical equivalent of 1oo2 is two switches wired in series and connected to a load.


$$\mathrm{PFD}_{avg} = \lambda_{DU} \times \frac{TI}{2} + \lambda_{FD} \times \frac{TI}{2} \qquad \text{(Eq. No. 3)}$$

where λDU is the undetected dangerous failure rate,
λFD is the dangerous systematic failure rate, and
TI is the time interval between manual functional tests of the component.

Note: The equations in ISA-TR84.00.02-2002 - Part 1 model the systematic failure as an error that occurred during the specification, design, implementation, commissioning, or maintenance that resulted in the SIF component being susceptible to a random failure. Some systematic failures do not manifest themselves randomly, but exist at time 0 and remain failed throughout the mission time of the SIF. For example, if the valve actuator is specified improperly, leading to the inability to close the valve under the process pressure that occurs during the hazardous event, then the average value as shown in the above equation is not applicable. In this event, the systematic failure would be modeled using λ × TI. When modeling systematic failures, the reader must determine which model is more appropriate for the type of failure being assessed.

1oo2

$$\mathrm{PFD}_{avg} = \left((1-\beta) \times \lambda_{DU}\right)^2 \times \frac{TI^2}{3} + (1-\beta) \times \lambda_{DU} \times \lambda_{DD} \times MTTR \times TI + \beta \times \lambda_{DU} \times \frac{TI}{2} + \lambda_{FD} \times \frac{TI}{2} \qquad \text{(Eq. No. 4A)}$$

For simplification, 1 – β is generally assumed to be one, which yields conservative results. Consequently, the equation reduces to:

$$\mathrm{PFD}_{avg} = (\lambda_{DU})^2 \times \frac{TI^2}{3} + \lambda_{DU} \times \lambda_{DD} \times MTTR \times TI + \beta \times \lambda_{DU} \times \frac{TI}{2} + \lambda_{FD} \times \frac{TI}{2} \qquad \text{(Eq. No. 4B)}$$

where MTTR is the mean time to repair,
λDD is the dangerous detected failure rate, and
β is the fraction of failures that impact more than one channel of a redundant system (common cause).


The second term represents multiple failures during repair. This factoris typically negligible for short repair times (typically less than 8 hours).The third term is the common cause term. The fourth term is the sys-tematic error term.

1oo3

(Eq. No. 5)

The second term accounts for multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term and the fourth term is the systematic error term.

2oo2

(Eq. No. 6)

The second term is the common cause term and the third term is the systematic error term.

2oo3

(Eq. No. 7)

The second term in the equation represents multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term. The fourth term is the systematic error term.

2oo4

(Eq. No. 8)

The second term in the equation represents multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term. The fourth term is the systematic error term.

For equipment configurations other than those indicated above, see ISA-TR84.00.02-2002 - Part 5.

(Eq. No. 5, 1oo3)

$$\mathrm{PFD}_{avg} = \frac{(\lambda^{DU})^{3} \times TI^{3}}{4} + (\lambda^{DU})^{2} \times \lambda^{DD} \times MTTR \times TI^{2} + \beta \times \lambda^{DU} \times \frac{TI}{2} + \lambda_{F}^{D} \times \frac{TI}{2}$$

(Eq. No. 6, 2oo2)

$$\mathrm{PFD}_{avg} = \lambda^{DU} \times TI + \beta \times \lambda^{DU} \times \frac{TI}{2} + \lambda_{F}^{D} \times \frac{TI}{2}$$

(Eq. No. 7, 2oo3)

$$\mathrm{PFD}_{avg} = (\lambda^{DU})^{2} \times TI^{2} + 3 \times \lambda^{DU} \times \lambda^{DD} \times MTTR \times TI + \beta \times \lambda^{DU} \times \frac{TI}{2} + \lambda_{F}^{D} \times \frac{TI}{2}$$

(Eq. No. 8, 2oo4)

$$\mathrm{PFD}_{avg} = (\lambda^{DU})^{3} \times TI^{3} + 4 \times (\lambda^{DU})^{2} \times \lambda^{DD} \times MTTR \times TI^{2} + \beta \times \lambda^{DU} \times \frac{TI}{2} + \lambda_{F}^{D} \times \frac{TI}{2}$$

228 ISA Handbook of Measurement Equations and Tables


The terms in the equations representing common cause (Beta factor term) and systematic failures are typically not included in calculations performed in the process industries. These factors are usually accounted for during the design by using components based on plant experience.

Common cause includes environmental factors, e.g., temperature, humidity, vibration, external events such as lightning strikes, etc. Systematic failures include calibration errors, design errors, programming errors, etc. If there is concern related to these factors, refer to ISA-TR84.00.02-2002 - Part 1 for a discussion of their impact on the PFDavg calculations.

If systematic errors (functional failures) are to be included in the calculations, separate values for each sub-system, if available, may be used in the previous equations. An alternate approach is to use a single value for functional failure for the entire SIF and add this term as shown in Equation 1a in 5.1.6.

Note: Systematic failures are rarely modeled for SIF Verification calculations due to the difficulty in assessing the failure modes and effects and the lack of failure rate data for various types of systematic failure. However, these failures are extremely important and can result in significant impact to the SIF performance. For this reason, ANSI/ISA-84.01-1996, IEC 61508, and IEC 61511 provide a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of change. This lifecycle process is intended to support the reduction in the systematic failures. SIL Verification is therefore predominantly concerned with assessing the SIS performance related to random failures.

The simplified equations without the terms for multiple failures during repair, common cause and systematic errors reduce to the following for use in the procedures outlined in 5.1.1 through 5.1.4.

1oo1

(Eq. No. 3a)

(Eq. No. 3a, 1oo1)

$$\mathrm{PFD}_{avg} = \lambda^{DU} \times \frac{TI}{2}$$


1oo2

(Eq. No. 4a)

1oo3

(Eq. No. 5a)

2oo2

(Eq. No. 6a)

2oo3

(Eq. No. 7a)

2oo4

(Eq. No. 8a)

(Eq. No. 4a, 1oo2)

$$\mathrm{PFD}_{avg} = \frac{(\lambda^{DU})^{2} \times TI^{2}}{3}$$

(Eq. No. 5a, 1oo3)

$$\mathrm{PFD}_{avg} = \frac{(\lambda^{DU})^{3} \times TI^{3}}{4}$$

(Eq. No. 6a, 2oo2)

$$\mathrm{PFD}_{avg} = \lambda^{DU} \times TI$$

(Eq. No. 7a, 2oo3)

$$\mathrm{PFD}_{avg} = (\lambda^{DU})^{2} \times TI^{2}$$

(Eq. No. 8a, 2oo4)

$$\mathrm{PFD}_{avg} = (\lambda^{DU})^{3} \times TI^{3}$$


5.1.6 Combining components’ PFDs to obtain SIF PFDavg

Once the sensor, final element, logic solver, and power supply (if applicable) portions are evaluated, the overall PFDavg for the SIF being evaluated is obtained by summing the individual components. The result is the PFDavg for the SIF for the event being protected against.

(Eq. No. 1a)

Note: The last term in the equation, the systematic failure term, is only used when systematic error has not been accounted for in individual component PFD and the user desires to include an overall value for the entire SIF.

5.1.7 PFD improvement techniques

Where adjustments are required to decrease PFDavg, additional redundancy may be used on components, the functional test interval may be decreased, the SIS configuration may be changed, or components with lower failure rates may be considered.

5.2 Mean time to failure spurious (MTTFspurious) calculations

A safe failure of a component may cause a spurious trip of the system. Mean time to a safe failure is referred to as Mean Time to Failure Spurious (MTTFspurious), which is the estimated time between safe failures of a component or system.

If trips of the SIS caused by failures of system components are a concern, the anticipated spurious trip rate may be calculated to determine if additional steps are justified to improve SIS reliability. The procedures for making these calculations are presented in the sections that follow.

In ISA-TR84.00.02-2002, the term Spurious Trip Rate (STR) refers to the rate at which a nuisance or spurious trip might occur in the SIS.

Note: All components that can cause a SIS trip even though not directly related to a specific hazardous event must be considered in this evaluation.

(Eq. No. 1a)

$$\mathrm{PFD}_{SIS} = \sum \mathrm{PFD}_{Si} + \sum \mathrm{PFD}_{Ai} + \sum \mathrm{PFD}_{Li} + \sum \mathrm{PFD}_{PSi} + \lambda_{F}^{D} \times \frac{TI}{2}$$
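The voting equations of the preceding pages (Eq. 3 to 8 and their reduced forms 3a to 8a), the summation of Eq. 1a and the test-interval lever of 5.1.7, carried through in Python as an added example. This is not code from the handbook or from ISA-TR84.00.02; the names pfd_avg, sif_pfd, Channel, sil_from_pfd and example_sif are the example's own, every failure rate, β, MTTR and TI in example_sif is a constructed illustration value, and the SIL bands in sil_from_pfd are the IEC 61508 low-demand PFDavg ranges, which this page does not itself list.

```python
"""PFDavg for the voted architectures of ISA-TR84.00.02-2002 Part 2
(Eq. 3-8, their reduced forms 3a-8a) and the SIF combination of Eq. 1a.

Added example, not code from the ISA handbook or the technical report.
All failure rates, test intervals and repair times below are constructed
illustration values.  Rates are per hour; TI and MTTR are hours.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    lam_du: float         # undetected dangerous failure rate, lambda DU (1/h)
    lam_dd: float = 0.0   # detected dangerous failure rate, lambda DD (1/h)
    lam_fd: float = 0.0   # dangerous systematic failure rate, lambda FD (1/h)
    beta: float = 0.0     # common-cause fraction (beta factor)
    mttr: float = 0.0     # mean time to repair (h)


def pfd_avg(arch: str, ch: Channel, ti: float, full: bool = True) -> float:
    """PFDavg of one voted subsystem proof-tested every `ti` hours.

    full=True  -> Eq. 3-8: random undetected term + multiple failures during
                  repair + common cause + systematic (1oo2 uses Eq. 4B, 1-beta = 1).
    full=False -> Eq. 3a-8a: random undetected failures only.
    """
    du, dd, mttr = ch.lam_du, ch.lam_dd, ch.mttr
    first = {                      # average over the test interval
        "1oo1": du * ti / 2,
        "1oo2": du**2 * ti**2 / 3,
        "1oo3": du**3 * ti**3 / 4,
        "2oo2": du * ti,
        "2oo3": du**2 * ti**2,
        "2oo4": du**3 * ti**3,
    }
    if arch not in first:
        raise ValueError(f"unsupported voting architecture {arch!r}")
    if not full:
        return first[arch]
    repair = {                     # a detected failure leaves fewer channels for MTTR hours
        "1oo1": 0.0,
        "1oo2": du * dd * mttr * ti,
        "1oo3": du**2 * dd * mttr * ti**2,
        "2oo2": 0.0,
        "2oo3": 3 * du * dd * mttr * ti,
        "2oo4": 4 * du**2 * dd * mttr * ti**2,
    }[arch]
    common_cause = 0.0 if arch == "1oo1" else ch.beta * du * ti / 2
    systematic = ch.lam_fd * ti / 2
    return first[arch] + repair + common_cause + systematic


def sif_pfd(sensors, final_elements, logic_solvers, power_supplies,
            lam_fd_sif: float = 0.0, ti: float = 0.0) -> float:
    """Eq. 1a: sum the subsystem PFDavg values; the last term is the optional
    SIF-wide systematic term, used only when it was not put into the components."""
    return (sum(sensors) + sum(final_elements) + sum(logic_solvers)
            + sum(power_supplies) + lam_fd_sif * ti / 2)


def sil_from_pfd(pfd: float) -> int:
    """Low-demand PFDavg bands of IEC 61508 (a fact from that standard, not
    from this page); 0 means the value does not reach SIL 1."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


def example_sif(ti: float = 8760.0) -> dict:
    """Constructed SIF: 1oo2 transmitters, 1oo1 logic solver, 1oo2 valves, one UPS."""
    transmitter = Channel(lam_du=2e-7, lam_dd=8e-7, beta=0.05, mttr=8.0)
    logic_solver = Channel(lam_du=5e-8, lam_dd=1e-6, mttr=8.0)
    valve = Channel(lam_du=1e-6, beta=0.10, mttr=24.0)
    ups = Channel(lam_du=1e-7)
    parts = {
        "sensors": pfd_avg("1oo2", transmitter, ti),
        "logic": pfd_avg("1oo1", logic_solver, ti),
        "final": pfd_avg("1oo2", valve, ti),
        "power": pfd_avg("1oo1", ups, ti),
    }
    total = sif_pfd([parts["sensors"]], [parts["final"]], [parts["logic"]], [parts["power"]])
    return {**parts, "sif": total, "sil": sil_from_pfd(total)}


if __name__ == "__main__":
    # 5.1.7: decreasing the functional test interval is one way to lower PFDavg
    for ti in (8760.0, 4380.0):
        r = example_sif(ti)
        print(f"TI={ti:.0f} h  PFDavg(SIF)={r['sif']:.2e}  ->  SIL {r['sil']}")
```

With the constructed numbers, a yearly test interval leaves the SIF in the SIL 2 band and halving TI to 4380 h moves it into the SIL 3 band, with the 1oo2 valves and the single UPS contributing most of the total. The page's equations are first-order approximations that assume λDU × TI is small, so the function deliberately does not clamp its result: a PFDavg approaching 1 means the inputs are outside the range of the simplified equations, not that the SIF has a meaningful PFD of 1.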


5.2.1 Determining the STR for sensors

The procedure for determining the spurious trip rate caused by sensors is as follows:

1. Identify each sensor that is an initiator in the SIS.

2. List the MTTFspurious for each sensor.

3. List the MTTR for each sensor.

4. Calculate the spurious trip rate for each sensor using the equations in 5.2.5 with appropriate consideration for redundancy.

5. Sum the individual trip rates to determine the SIS trip rate based on sensors.

Combined sensor (values for individual sensor configurations):

5.2.2 Determining the STR for final elements

The procedure for determining the spurious trip rate for final elements used in the SIS is as follows:

1. Identify each final element controlled or driven by the SIS.

2. List the MTTFspurious for each final element.

3. List the MTTR for each final element.

4. Calculate the spurious trip rate for each final element using the equations in 5.2.5 with appropriate consideration for redundancy.

5. Sum the individual trip rates to determine the SIS trip rate based on final elements.

Combined final element (values for individual final element configurations):

5.2.3 Determining the STR for logic solver(s)

The procedure for determining the spurious trip rate for logic solver(s) is as follows:

1. Identify each logic solver in the SIS.

2. List the MTTFspurious for each logic solver (typically obtained from manufacturer).

$$\mathrm{STR}_{S} = \sum \mathrm{STR}_{Si}$$

$$\mathrm{STR}_{A} = \sum \mathrm{STR}_{Ai}$$


Note: Since the MTTFspurious for the logic solver is a non-linear function, the user should request the MTTFspurious as a function of MTTR. The user should specify the range of MTTR that is acceptable.

3. List the MTTR for each logic solver.

4. Calculate the spurious trip rate for each logic solver using the equations in 5.2.5 with appropriate consideration for redundancy.

Note: This step is only required for a PES logic solver when the manufacturer does not supply the spurious trip rate value for the fully integrated logic solver system.

5. Sum the individual trip rates to determine the SIS spurious trip rate based on logic solver.

Combined logic solver (values for individual logic solver configurations):

5.2.4 Determining the STR for power supplies

Note: The power supplies referred to here are those power sources external to the SIS. These typically are UPS, diesel generators, or alternate power sources. The power supplies internal to the logic solver must also be considered if their failure rate is not taken into account in the logic solver failure rate itself. Unless otherwise noted, the internal power supplies are assumed to be included in the logic solver failure rate for the calculations which follow.

The procedure for determining the spurious trip rate for power supplies is as follows:

1. Identify each power supply that impacts the SIS.

2. List the MTTFspurious for each power supply.

3. List the MTTR for each power supply.

4. Calculate the spurious trip rate for the power supply using the equations in 5.2.5 with appropriate consideration for redundancy.

Combined power supply (values for multiple individual power supplies):

$$\mathrm{STR}_{L} = \sum \mathrm{STR}_{Li}$$

$$\mathrm{STR}_{PS} = \sum \mathrm{STR}_{PSi}$$


5.2.5 System equations for evaluating MTTFspurious

The following equations cover the typical configurations used in SIS configurations. To see the derivation of the equations listed, refer to ISA-TR84.00.02-2002 - Part 5.

The MTTFspurious for the individual SIS elements is converted to a failure rate by:

(Eq. No. 9)

1oo1

(Eq. No. 10)

where λS is the safe or spurious failure rate for the component, λDD is the dangerous detected failure rate for the component, and λFS is the safe systematic failure rate for the component.

The second term in the equation is the dangerous detected failure rate term and the third term is the systematic error rate term. The dangerous detected failure term is included in the spurious trip calculation when the detected dangerous failure puts that channel (of a redundant system) or system (if it is nonredundant) in a safe (de-energized) state. This can be done either automatically or by human intervention. If dangerous detected failure does not place the channel or system into a safe state, this term is not included in Equations 10 through 15.

1oo2

(Eq. No. 11)

The second term is the common cause term and the third term is the systematic error rate term.

(Eq. No. 9)

$$\lambda^{S} = \frac{1}{MTTF_{spurious}}$$

(Eq. No. 10, 1oo1)

$$\mathrm{STR} = \lambda^{S} + \lambda^{DD} + \lambda_{F}^{S}$$

(Eq. No. 11, 1oo2)

$$\mathrm{STR} = 2 \times (\lambda^{S} + \lambda^{DD}) + \beta \times (\lambda^{S} + \lambda^{DD}) + \lambda_{F}^{S}$$


1oo3

(Eq. No. 12)

The second term is the common cause term and the third term is the systematic error rate term.

2oo2

(Eq. No. 13)

The second term is the common cause term and the third term is the systematic error rate term. This equation, as well as Equations 14 and 15, assumes that safe failures can be detected on-line. If safe failures can only be detected through testing or inspection, the testing (or inspection) interval TI should be substituted for MTTR.

2oo3

(Eq. No. 14)

The second term is the common cause term, and the third term is the systematic error rate term.

2oo4

(Eq. No. 15)

The second term is the common cause term, and the third term is the systematic error rate term.

Note: The above equations apply to elements with the same failure rates. If elements with different failure rates are used, appropriate adjustments must be made (see ISA-TR84.00.02-2002, Part 5 for method).

SIS in the process industry typically must be taken out of service to make repairs when failures are detected unless redundancy of components is provided. Accounting for additional failures while repairs are

(Eq. No. 12, 1oo3)

$$\mathrm{STR} = 3 \times (\lambda^{S} + \lambda^{DD}) + \beta \times (\lambda^{S} + \lambda^{DD}) + \lambda_{F}^{S}$$

(Eq. No. 13, 2oo2)

$$\mathrm{STR} = 2 \times \lambda^{S} \times (\lambda^{S} + \lambda^{DD}) \times MTTR + \beta \times (\lambda^{S} + \lambda^{DD}) + \lambda_{F}^{S}$$

(Eq. No. 14, 2oo3)

$$\mathrm{STR} = 6 \times \lambda^{S} \times (\lambda^{S} + \lambda^{DD}) \times MTTR + \beta \times (\lambda^{S} + \lambda^{DD}) + \lambda_{F}^{S}$$

(Eq. No. 15, 2oo4)

$$\mathrm{STR} = 12 \times (\lambda^{S} + \lambda^{DD})^{3} \times MTTR^{2} + \beta \times (\lambda^{S} + \lambda^{DD}) + \lambda_{F}^{S}$$


being made is typically not considered due to the relatively short repair time. Common cause and systematic error are handled as described in 5.1.5. Therefore, the equations above can be reduced to the following:

1oo1

(Eq. No. 10a)

1oo2

(Eq. No. 11a)

1oo3

(Eq. No. 12a)

2oo2

(Eq. No. 13a)

2oo3

(Eq. No. 14a)

2oo4

(Eq. No. 15a)

(Eq. No. 10a, 1oo1)

$$\mathrm{STR} = \lambda^{S}$$

(Eq. No. 11a, 1oo2)

$$\mathrm{STR} = 2 \times \lambda^{S}$$

(Eq. No. 12a, 1oo3)

$$\mathrm{STR} = 3 \times \lambda^{S}$$

(Eq. No. 13a, 2oo2)

$$\mathrm{STR} = 2 \times (\lambda^{S})^{2} \times MTTR$$

(Eq. No. 14a, 2oo3)

$$\mathrm{STR} = 6 \times (\lambda^{S})^{2} \times MTTR$$

(Eq. No. 15a, 2oo4)

$$\mathrm{STR} = 12 \times (\lambda^{S})^{3} \times MTTR^{2}$$


5.2.6 Combining spurious trip rates for components to obtain SIS MTTFspurious

Once the sensor, final element, logic solver, and power supply portions are evaluated, the overall MTTFspurious for the SIS being evaluated is obtained as follows:

(Eq. No. 16)

Note: The last term in the equation, the systematic failure term, is only used when systematic error has not been accounted for in individual component STR and the user desires to include an overall value for the entire system.

(Eq. No. 17)

The result is the MTTFspurious for the SIS.

(Eq. No. 16)

$$\mathrm{STR}_{SIS} = \sum \mathrm{STR}_{Si} + \sum \mathrm{STR}_{Ai} + \sum \mathrm{STR}_{Li} + \sum \mathrm{STR}_{PSi} + \lambda_{F}^{S}$$

(Eq. No. 17)

$$MTTF_{spurious,\,SIS} = \frac{1}{\mathrm{STR}_{SIS}}$$
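The 5.2 procedure (the steps in 5.2.1 through 5.2.4 and Equations 9 to 17) carried through in Python as an added example; this is not code from the handbook or from ISA-TR84.00.02. The names safe_failure_rate, spurious_trip_rate, sis_spurious and example_sis are the example's own, and every MTTFspurious, λDD, β and MTTR value is a constructed illustration; the logic solver STR is taken as a manufacturer-supplied figure, as step 2 of 5.2.3 describes. The dd_trips_to_safe switch implements the page's condition that λDD enters Equations 10 through 15 only when a detected dangerous failure puts the channel in the safe state, and passing TI in place of MTTR implements the note on Equation 13.

```python
"""Spurious trip rate (STR) and MTTFspurious for a SIS, following the
ISA-TR84.00.02-2002 Part 2 procedure of 5.2 (Eq. 9-17).

Added example, not code from the ISA handbook or the technical report.
All MTTFspurious, failure-rate and repair-time values below are constructed
illustration values.  Rates are per hour; MTTR and TI are hours.
"""


def safe_failure_rate(mttf_spurious: float) -> float:
    """Eq. 9: convert a component MTTFspurious to its safe failure rate, lambda S."""
    if mttf_spurious <= 0:
        raise ValueError("MTTFspurious must be positive")
    return 1.0 / mttf_spurious


def spurious_trip_rate(arch: str, lam_s: float, lam_dd: float = 0.0,
                       lam_fs: float = 0.0, beta: float = 0.0,
                       mttr: float = 0.0, dd_trips_to_safe: bool = True,
                       full: bool = True) -> float:
    """STR of one voted element group.

    full=True  -> Eq. 10-15 (common-cause and systematic terms included).
    full=False -> Eq. 10a-15a (safe random failures only).

    lambda DD is counted only when a detected dangerous failure drives the
    channel to the safe (de-energized) state, as the text on Eq. 10 requires.
    For 2oo2, 2oo3 and 2oo4 pass the test interval TI as `mttr` when safe
    failures are found only by testing or inspection (note on Eq. 13).
    """
    if not full:
        lam_dd, lam_fs, beta = 0.0, 0.0, 0.0
    dd = lam_dd if dd_trips_to_safe else 0.0
    to_safe = lam_s + dd      # rate at which one channel goes to the safe state
    first_term = {
        "1oo1": to_safe,
        "1oo2": 2 * to_safe,
        "1oo3": 3 * to_safe,
        "2oo2": 2 * lam_s * to_safe * mttr,
        "2oo3": 6 * lam_s * to_safe * mttr,
        "2oo4": 12 * to_safe ** 3 * mttr ** 2,
    }
    if arch not in first_term:
        raise ValueError(f"unsupported voting architecture {arch!r}")
    common_cause = 0.0 if arch == "1oo1" else beta * to_safe
    return first_term[arch] + common_cause + lam_fs


def sis_spurious(str_sensors, str_final_elements, str_logic_solvers,
                 str_power_supplies, lam_fs_sis: float = 0.0):
    """Eq. 16 and 17: sum the group STRs into STR_SIS and invert it to MTTFspurious."""
    str_sis = (sum(str_sensors) + sum(str_final_elements)
               + sum(str_logic_solvers) + sum(str_power_supplies) + lam_fs_sis)
    return str_sis, 1.0 / str_sis


def example_sis(sensor_arch: str = "1oo2") -> dict:
    """Constructed SIS: voted transmitters, one valve, one logic solver, one UPS."""
    lam_s_tx = safe_failure_rate(100_000.0)                       # 1e-5 per hour
    sensors = spurious_trip_rate(sensor_arch, lam_s_tx, lam_dd=5e-6, beta=0.05, mttr=8.0)
    # valve: a detected dangerous failure is alarmed but does not de-energize it
    valve = spurious_trip_rate("1oo1", safe_failure_rate(50_000.0),
                               lam_dd=1e-5, dd_trips_to_safe=False)
    logic = 1e-6            # manufacturer-supplied STR for the integrated logic solver
    ups = spurious_trip_rate("1oo1", safe_failure_rate(1_000_000.0))
    str_sis, mttf = sis_spurious([sensors], [valve], [logic], [ups])
    return {"sensors": sensors, "final": valve, "logic": logic, "power": ups,
            "str_sis": str_sis, "mttf_spurious_h": mttf,
            "mttf_spurious_years": mttf / 8760.0}


if __name__ == "__main__":
    for arch in ("1oo2", "2oo3"):
        r = example_sis(arch)
        print(f"sensors {arch}: STR_SIS={r['str_sis']:.3e} /h, "
              f"MTTFspurious={r['mttf_spurious_years']:.2f} years")
```

Comparing example_sis("1oo2") with example_sis("2oo3") shows why the redundancy that lowers PFDavg is not automatically free of nuisance trips: with the constructed numbers the 1oo2 transmitter pair dominates STR_SIS, while 2oo3 voting cuts the sensor contribution by more than an order of magnitude and roughly doubles the SIS MTTFspurious.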
