Low Integrity Protection Layers: ANSI/ISA-84.91.03-2025 Explained

Posted on 08 Apr 2026

Your LOPA Says It Works. Your Maintenance Program Doesn't Know It Exists.

Introducing ISA-84.91.03-2025: The New Standard for Functional Safety Low Integrity Protection Layers

Every LOPA workshop team has done it. You credit a BPCS trip as a protection layer, assign it a risk reduction factor, and move on. But what happens to that function after the workshop closes? Usually nothing. It gets forgotten. Permanently.

ANSI/ISA-84.91.03-2025, Functional Safety: Low Integrity Protection Layers, closes the gap between IEC 61511 and doing nothing. It puts guardrails around instrumented protection layers that carry a risk reduction credit but fall below the SIL threshold: the functions most likely to be designed once and never revisited.

The standard was published in November 2025. This article covers what the standard addresses and what it excludes, how it sits within the IEC 61511 framework, the case for adoption, and what operators should do now.

What the Standard Covers

A Low Integrity Protection Layer (LI-PL) is an instrumented protection layer with a risk reduction claim between 1 and 10 that is not intended to meet IEC 61511. In practical terms, these are the functions credited in a LOPA workshop that were assigned a risk reduction factor (RRF) below 10 but above 1: not SIL-rated, but not nothing either.

There are three types of instrumented protection layers in functional safety:

  • Safety Instrumented Functions (SIFs) with a RRF greater than 10 are governed by IEC 61511.
  • Low Integrity Protection Layers with a RRF between 1 and 10 fall under ISA-84.91.03-2025.
  • Safeguards carry no risk reduction claim and fall outside any functional safety standard.

The scope mirrors IEC 61511: oil and gas, energy, geothermal, pulp and paper, chemical and broader process industries.

ISA-84.91.03 is a lifecycle standard. Key requirements span functional safety management, identification and classification, functional requirements specification (FRS), detailed design, implementation and commissioning, bypass management, inspection testing and preventive maintenance, performance monitoring, and management of change.

It follows the IEC 61511 lifecycle structure but with meaningfully reduced rigour. There is no SIL verification requirement, no hardware fault tolerance or architecture constraint, no systematic capability requirement, and no proven-in-use evidence requirement. Alarm-only and monitoring functions are also excluded.

The diagram below shows Equinox Automation's interpretation of the LI-PL lifecycle. The panel on the right is equally important: it shows what ISA-84.91.03 explicitly does not require.

How It Ties into IEC 61511

LI-PLs are identified and classified through the IEC 61511 risk assessment and SIL determination process. ISA-84.91.03 picks up from that point. The lifecycle structure mirrors IEC 61511 but without the same rigour: no SIL verification, no hardware fault tolerance or architecture constraints, no systematic capability requirement, no proven-in-use evidence, and no equipment SIL certificates.

Facilities with a mature IEC 61511 functional safety management system already have the backbone in place. Extending it to cover LI-PLs is an adjustment, not a rebuild, triggered at the point where functions are classified during the risk assessment. Some operators are already managing LI-PLs informally within their own processes. It's worth checking those against the standard and deciding whether the gaps warrant closing.

The core point: LI-PLs don't need to meet IEC 61511 SIF design criteria, but they do require a formal functional safety management plan with defined proof testing intervals, performance monitoring, and change management. That's the overlap.

Why This Gap Has Always Mattered

For most operators and projects, non-SIL functions have historically been handed off to the maintenance program as soon as they leave the LOPA workshop. No functional requirements specification, setpoint management, turnaround-aligned test frequencies, limited records, reactive maintenance, and minimal MOC process. The credited risk reduction exists on paper. Whether it exists in the field is another question.

That matters more than it appears. LI-PLs are independent protection layers within a full risk reduction stack. In many cases they sit inside the SIL calculation, reducing the demand rate on an associated SIF by an order of magnitude. If the LI-PL isn't performing as designed, the SIF's assumed risk reduction is wrong. Across a large facility, that accumulates into real risk that nobody is formally carrying.

The FRS requirement forces sites to define what each credited protection layer does: setpoints, cause-and-effect logic, response times, HMI identification, bypass design, success criteria, and test coverage. Not as a LOPA placeholder. As a documented engineering commitment.

Function testing records and performance monitoring close the loop between what's claimed in the risk assessment and what's happening operationally. Managing LI-PLs within the facility's Functional Safety Management Plan strengthens governance, improves demonstrable risk reduction, and reduces personnel exposure.

It also improves the conversation with regulators, insurers, and the community. Licence to operate is harder to defend when your credited protection layers have no lifecycle documentation behind them.

Real World Examples

Most facilities that have completed a LOPA or risk graph assessment have LI-PLs whether they've called them that or not. Any BPCS function assigned a risk reduction credit below SIL 1 sits in this space. Shell, for example, historically classified these as SIL-a Instrumented Protective Functions (IPFs), a recognised category sitting below their SIL-rated functions. The standard doesn't create new obligations out of thin air. It formalises what good operators were already doing inconsistently and gives everyone else a baseline to work from.

The following examples are illustrative; actual classification depends on the facility risk matrix, severity and likelihood allocation, assumed scenario, and initiating event frequency.

Oil & Gas - Pressure Protection

An oil and gas production facility has multiple layers of high-pressure protection across a process train: two relief devices and a SIL-rated high-pressure SIF at the outlet. A second pressure protection function sits mid-stream. Because sufficient independent protection layers already exist, the mid-stream function is assessed as non-SIL during the LOPA. It carries a RRF below 10 and becomes a LI-PL. Under ISA-84.91.03 it now requires an FRS, defined test intervals, and formal lifecycle management, rather than disappearing into the maintenance backlog.

Geothermal Power Plant - SIS Improvements

A geothermal operator completes a LOPA on a heat exchanger at a legacy power plant. A recent functional safety improvement project implemented a new SIS and installed SIL-rated pressure protection but retained the existing BPCS high-pressure trip, along with a pressure transmitter feeding an operator alarm. The BPCS trip is credited as a LI-PL with a RRF of 5. The workshop documents it, the assessment closes, and the project moves on. Five years later, a plugged impulse line is discovered during an unrelated inspection. The function hasn't been tested since commissioning. The original cause-and-effect documentation doesn't exist. The risk reduction is still in the design. The protection isn't.

Fire & Gas System - Detection Coverage Credit

A facility LOPA credits the fire and gas detection system with 90% detection coverage, validated through a performance-based fire and gas mapping study. Consistent with CCPS guidance, the F&G system contributes to risk reduction across multiple scenarios, influencing the overall risk picture and SIF demand rates. The detectors are implemented in the SIS for high availability but carry no SIL assignment; they are mitigative functions, not preventive ones. Under ISA-84.91.03, these functions can now be formally categorised as LI-PLs. The mapping study, detection coverage claim, test intervals, and performance monitoring all fall under a defined lifecycle process rather than sitting as an undocumented LOPA credit.

What Operators Should Do Now

The starting point is knowing what you have. Most facilities will find a population of credited instrumented functions that fall into the LI-PL category with no formal lifecycle documentation behind them.

From there it's a gap assessment against ISA-84.91.03 across design, testing, bypass management, and change control. The size of that gap will vary, but for most operators it won't be small.

Yes, implementing FRS documentation and formal test plans for LI-PLs is more work than the current approach. But the current approach is already carrying the cost, in unplanned failures, reactive maintenance, and risk reduction claims that don't hold up under scrutiny. A managed LI-PL lifecycle replaces that with a predictable, auditable system. Facilities with a mature IEC 61511 functional safety management system are best placed to extend it. Those without one have more ground to cover. Either way, the standard is published and the gap is real. The question is whether you close it on your own terms or wait until someone else raises it for you.

The standard is available for purchase directly from ISA. It's a short document, worth the investment to understand how it applies to your facilities and risk assessment methodology.

How Equinox Can Help

Equinox Automation has direct experience with both the standard and the industries it applies to: oil and gas, geothermal, and process facilities.

Our work spans Functional Safety Management Plan development, LOPA workshop facilitation, SIL verification, functional safety implementation on operating oil and gas facilities, independent IEC 61511 audits and performance-based fire and gas mapping and detection coverage assessments.

We have been applying lifecycle rigour to non-SIL instrumented protection layers ahead of the standard, recommending formal classification, engineered test frequencies, and proof-testing procedures where operators had previously treated these functions as set-and-forget. ISA-84.91.03 now gives that approach a formal basis.

We work with operators to identify their LI-PL population, assess gaps against ISA-84.91.03, and integrate the lifecycle requirements into existing functional safety management programmes.

We've been doing this work before the standard had a name. If you want to understand what it means for your site, get in touch.

Questions we're regularly asked

Q: If a LI-PL sits inside our SIL calculation, what's the actual exposure if it isn't performing?
The SIF's assumed demand rate is wrong. If a LI-PL is reducing demand on an associated SIF by an order of magnitude and that function has never been tested, the SIL target the SIF was designed to may no longer hold. The LOPA looks closed. The risk isn't.

Q: At what point in a project should LI-PLs be formally identified and managed?
At classification, during the risk assessment, not after detailed design. The most common failure mode is non-SIL functions being handed to the maintenance programme without an FRS and never revisited. By the time the facility is operational the context from the LOPA workshop is gone.

Q: We follow IEC 61511. Why would we implement an ISA standard on top of that?
You're not implementing it on top. ISA-84.91.03-2025 fills the gap IEC 61511 deliberately leaves. IEC 61511 explicitly excludes instrumented functions below the SIL threshold from its requirements. Those functions still carry risk reduction credit in your LOPA. Without this standard there is no formal governance framework for them.

Q: We already have an IEC 61511 Functional Safety Management Plan (FSMP). Do we really need a separate process for LI-PLs?
Not a separate process; it's an extension. The lifecycle structure is the same, the rigour is lower, and the trigger is the risk assessment where functions are classified as non-SIL. If your FSMP stops at the SIL boundary, it isn't covering your full risk reduction stack.

Written by Hardie McLaren, Principal Engineer, Equinox Automation