ISA-84.91.03: New Framework for Low-Integrity Protection Layers

Defining life cycle expectations for instrumented protection layers outside traditional SIS requirements

Greg Rankin

Rankin PR

Wed, 04/08/2026 - 12:01

For decades, the process industries have relied on layers of protection to prevent hazardous events. When risk reduction requirements were high, safety instrumented systems (SIS), governed by standards such as IEC/ISA 61511, provided a clear framework for design, operation, and life cycle management.

ADVERTISEMENT

However, below that threshold sat a large class of instrumented protection layers that reduced risk, were credited in process hazard analyses, and were vital in day-to-day operations. But they weren’t designed or managed as safety instrumented systems and weren’t governed by a dedicated consensus standard. These functions were often treated as part of normal control or operations, with expectations that varied widely from one organization to another.

That inconsistency created practical problems. Functions that were relied on for risk reduction weren’t always subject to formal management of change, bypass control, testing, or documentation requirements. In many organizations, engineers and operations personnel understood what should be done but had no standard requiring that those practices be applied consistently.

That gap is what ANSI/ISA-84.91.03 was written to close.

Published in late 2025, ANSI/ISA-84.91.03 establishes a life cycle framework for managing low-integrity protection layers (LI-PLs): instrumented protective functions that provide risk reduction of 10 or less and aren’t designed as safety instrumented systems. Rather than introducing new concepts, the standard formalizes expectations around how these functions should be identified, managed, and maintained over time.

“This isn’t about inventing something new,” says Kevin Klein, P.E., co-chair of the ISA-84.91.03 committee and senior instrumented protective systems engineer at Chevron. “It’s about closing a recognized gap. For high-integrity systems, we’ve had clear standards for years. For lower-integrity instrumented functions, there were guidelines and books, but no consensus standard that said, ‘This is the minimum we all agree needs to be done.’”

Why now?

Although the gap around low-integrity protection layers has existed for years, the ISA 84 committee intentionally focused first on higher-risk safety instrumented systems. That sequencing was deliberate. As explained by Rahul Bhojani, VP of safety and operational risk assurance/technical functions at BP, and co-chair of ISA-84 committee, the industry needed time to mature its SIS practices before expanding life cycle expectations to other protection layers.

“The committee spent years focusing on getting SIS implementation right,” Bhojani says. “Not just design, but operation, maintenance, testing, and management of change. Once there was real maturity in that space, it became clear there was another category of protection layers that were still critical, still relied upon, but not governed by any consistent framework.”

Low-integrity protection layers often reside in distributed control systems, local interlocks, or independent instrumented functions that are credited during hazard reviews but fall below the SIS threshold. For example, a high-level interlock might stop a feed pump to prevent overfilling, or a control loop might respond to abnormal conditions by reducing flow or shutting down equipment, providing risk reduction even though these functions aren’t designed as safety instrumented systems.

Many organizations managed these functions responsibly, but practices varied widely across the industry.

Many organizations managed these functions responsibly, but practices varied widely across the industry.

“The issue wasn’t that companies weren’t doing anything,” Klein says. “It was that everyone was doing something different. That made it hard to communicate expectations, hard to align contractors and engineering firms, and hard to demonstrate that these layers were actually being managed in a disciplined way.”

From guidelines to standard

ANSI/ISA-84.91.03 doesn’t redefine risk analysis methods or replace existing SIS standards. Nor does it turn low-integrity protection layers into SIS by another name.

Instead, it introduces a structured life cycle approach, aligned with established process safety management principles, for a class of instrumented functions that had previously existed in a gray area.

“The framework should feel familiar,” Klein says. “It aligns with general functional safety and PSM practices. What’s new is the clarity around how those practices apply specifically to low-integrity protection layers.”

In practical terms, life cycle discipline means identifying which functions are relied on for risk reduction, controlling changes to those functions, managing bypasses, testing performance, and maintaining documentation that demonstrates the function will work when demanded.

Angela Summers, president of SIS-TECH and a licensed professional engineer with more than 30 years of experience in process safety, served as co-chair of the ISA-84.91.03 committee. She emphasizes that the intent was never to burden organizations with unnecessary bureaucracy.

“We were very deliberate about not turning this into another 61511,” Summers says. “The goal was to capture what risk-aware organizations were already doing and make it clear that these practices matter for low-integrity protection layers, too.”

Who is affected and how

The standard applies broadly across process industries, including oil and gas, refining, chemicals, pharmaceuticals, food and beverage, pulp and paper, and nonnuclear power generation. Any facility that credits instrumented protection layers outside of SIS during process hazard analysis will need to understand how those functions fit within the new framework.

Facilities that historically pushed most protective functions into SIS may see little change. Others that relied heavily on control system-based interlocks or loosely managed safeguards may uncover gaps.

“The first place companies feel this is in how they move from hazard analysis into layer of protection analysis,” Summers says. “Many organizations only ran scenarios through LOPA if they believed a SIS would be required. That left other credited functions outside a formal life cycle.”

ANSI/ISA-84.91.03 effectively expands the scope of discipline by applying life cycle expectations to a broader set of functions. More scenarios are likely to require structured evaluation, and more functions must be managed intentionally, not because they are high integrity but because the organization depends on them to reduce risk.

The timing question: Act now or later?

ANSI/ISA-84.91.03 is now published. While adoption timing remains up to individual companies, the expectations it reflects are now formally articulated.

“This is now the consensus view of what good practice looks like,” Bhojani says. “You don’t have to implement everything overnight, but you do need to understand how what you’re doing compares to this standard.”

Klein echoes that view, noting that the risk isn’t in the existence of gaps but in ignoring them. “If you’re depending on low-integrity protection layers and don’t have a clear program to manage them, it’s worth asking what are my gaps, and when should I close them?”

What happens if you don’t act

Regulators typically don’t audit facilities proactively for compliance with standards such as ANSI/ISA-84.91.03. The real consequences come after an incident.

“When something goes wrong, investigators look for benchmarks,” Klein says. “They ask what standards existed, what others in the industry were doing, and whether the company followed an equivalent approach.”

As adoption grows, ANSI/ISA-84.91.03 is likely to become a recognized reference point for good engineering practice.

As adoption grows, ANSI/ISA-84.91.03 is likely to become a recognized reference point for good engineering practice. At that point, companies may be expected either to follow the standard or demonstrate how their internal programs achieve equivalent outcomes.

Summers points to incident history as a reminder that low integrity doesn’t mean low consequence.

“I’ve worked cases where the function that failed wasn’t SIS,” she says. “It was an interlock or instrumented function that had been bypassed or poorly managed. The failure wasn’t dramatic until it was, and by then the consequences were very real.”

A new framework for low-integrity protection layers

One concern often raised with new standards is overcorrection.

“That’s not the intent,” Klein says. “This standard is about right-sizing. A consensus standard helps normalize expectations.”

For many organizations, assessing alignment with ANSI/ISA-84.91.03 will require a mix of internal review and external expertise. Engineering firms with deep process-safety experience can help identify which functions truly serve a safety role and where life cycle gaps exist.

Summers notes that one of the most valuable first steps is simply making an honest inventory.

“You can’t manage what you haven’t clearly identified,” she says. “Once you understand what you’re relying on, the path forward becomes much clearer.”

For more information, contact SIS-TECH: phone (713) 909–2100, email info@sis-tech.com, or visit https://sis-tech.com/.

Add new comment

The content of this field is kept private and will not be shown publicly.
About text formats
Image CAPTCHA
Enter the characters shown in the image.