SRS guide for Safety Instrumented Functions Tutorials | SIS System


#1

SRS guide for safety instrumented functions Tutorials | SIS System

1 General SRS guide for safety instrumented functions

According to the requirements stated in the standard IEC 61511 all safety instrumented functions shall be described.

For each safety instrumented function the following guide provides information that can be used. In order to fulfil the requirements listed in the standard IEC 61511, the standard has to be used.

This appendix is a support to the Safety Requirement Specification (SRS), SIF specification form. The following chapters use the same index as the SIF specification form e.g. chapter 1 “Functional description” use the number 1 in the SIF specification form.

Page 1 in the SIF specification form deals with identification, organization and revision history.

1 Functional description

Each identified SIF shall be expressed in a general way since the description shall be easy to understand by other persons involved during the safety life-cycle. Below is a list of important issues to be taken in account during the creation of the SRS:

Functional description

A functional description shall describe why the SIF is needed [IEC 61511-1]. The functional description of the SIF includes words such as “prevent”, “protect” or “mitigate”

Example:

“The SIF protects the tank from overpressure by opening the release valve on high pressure”.

Defined safe process state

Define the safe state for each SIF [IEC 61511-1]. The description of the safe state for the SIF describes the process action needed to prevent an accident and additional actions needed to maintain the safe state.

The description shall explain safe state details regarding needed process actions e.g.:

• if sequential shutdown is needed
• the process valve(s) needed to perform a specific action (open or close)
• which flows should be started or stopped
• stop, start or continue operation of rotating elements (motors, pumps etc)

Example: When an abnormal situation occurs (hazardous event), which measure should be taken e.g. “On low level alarm the valve V10 shall be closed”

Which measures must be taken when:

• power supply is missing
• air supply is missing
• fault/ faults occur (hardware or software)

Example: If the air supply is missing the valve has a mechanical return spring that close the valve and prevents overflow.

2 Primary actions/ sequence (for bringing the process to the defined safe state)

The actions that are needed to prevent the hazardous event shall be described [ IEC 615111 ]. The primary actions describes the measures that are necessary to bring the process to the defined safe state. A primary action could be “open the relief valve in order to reduce too high pressure”.

Some more examples:

• “reduce the pressure within a specific time”
• “reduce the flow by 10%”
• “open or close the valve”
• “measures to prevent additional hazardous conditions”

The threshold value of the parameter at which an action should be taken is also needed. This value will need to be outside the normal operating range and less than the value that will result in an hazardous condition. The response time of the system must also be taken into account, allowance will need to be made for the response of the system and the accuracy of measurement.

3 Secondary actions (for operational reasons)

In some cases actions for operational reasons are needed. These actions may involve other measures e.g. “stop the inlet flow to the tank in order to eliminate overflow and give an operator alarm”.

Some more examples;

• actions that enables faster start up
• shut down of upstream or downstream units to reduce demands on other protection systems
• operator alarm

4 Demand rate and Safety integrity

Specify the estimated demand rate and the target safety integrity level, SIL, for the SIF. The assumed sources of demand and demand rate on the safety instrumented function shall be specified [IEC 61511-1].

Estimated demand sources

Sources of demand are the source of events leading to the hazardous event.

Some examples:

• “malfunction of the inlet valve V6, valve jammed in open position, leading to over pressure”
• “malfunction of the temperature transmitter T2 e.g. too low indication, leading to over temperature”

Estimated SIF demand rate:

Specify the SIF demand rate.

Low Demand, High Demand or Continuous mode of operation.

Specify if the SIF uses demand or continuous mode of operation

Demand mode:

The “need” of safety appears when a certain level is reached. In demand mode, the safety is not always dependent on the SIF

Example: “A SIF is used to protect a tank for over- pressure “when the pressure is above 5 bar the relief valve is opened”

Continuous mode:

In continuous mode of operation the safety entirely depends on the SIF. If the SIF gets some kind of failure it will result in a hazardous event.

In the process industry the SIFs are generally of demand mode type.

Established target SIL (Safety Integrity Level)

Specify the target SIL for the SIF. Describe the used SIL- selection method:

5 Trigging/Tripping

The trigging modes (automatic, manual) for the SIF and trigging detection need to be explained. The goal of this activity is to describe the conditions that affect the trigging of the SIF.

Automatic mode of trigging and trigging detection:

Explain briefly, what shall be detected? Describe the level for detection and accuracy.

Example: “High pressure in the extractor tank shall automatically open the relief valve V14. The set point for maximum pressure is 5 bar and the accuracy must be within +/- 0.2 bar”

Manual mode of trigging:

The manual trig mode of the SIF needs to be described. Are there any restrictions to activate the manual trigging? Describe the use of manual trigging during different modes.

Example: “Manual trigging, pushbuttons mounted near the control panel, shall open the relief valve. The relief valve shall automatically close when the pressure is below 1 bar. During process shutdown the manual trigging shall be disabled. In all other modes the manual trigging is needed.”

Trigging response and delay time requirements

Specify the requirements regarding response and time delay.

6 Reset/ restart

Describe the reset functions (automatic mode, manual mode)[IEC 61511-1]. Explain the conditions that affect the reset.

Automatic reset:

Example: “The relief valve shall automatically close when the pressure is below 1 bar”
“The emergency draining shall stop when low level switch L2 is affected”

Manual reset:

Explain the conditions that affect the manual reset.

Reset response and delay time requirements

Specify response time requirements. The response time shall not affect the reset or restart.

Example: The relief valve V23 shall close within 5 seconds when the pressure in tank T22 is below 1 bar.

7 Overriding, Inhibiting and Bypassing

In some process applications the need of overrides/inhibits and bypass may appear. Describe the requirements regarding overrides, inhibits and bypasses including how they will be cleared [IEC 61511-1].

Important issues regarding overrides, inhibits and bypass functions:

• how should the SIF be tested during normal operation
• are there any requirements regarding key lock or password
• the need of instructions

8 Spurious trips and reset failures

The SRS shall include the maximum allowable spurious trip rate [IEC 61511-1].

Estimated conscience of nuisance trips

The maximum allowable spurious trips is an economical issue. Describe the losses. Specify the estimated consequence and the effort to restore the process to normal conditions.

Maximum allowable reset failure rate

Specify maximum allowable reset failure rate if the SIF uses automatic reset function. The reset function is important in case of preventing hazards during trip conditions e.g. avoid complete draining of the vessel.

9 Final elements description

Provide a final elements description.

Description of output actions

Give a brief explanation of the output action.

Defined fail safe position of final elements

Describe the final element and its fail-safe position (open or close)

Justification of the defined fail-safe positions

Explain why the final element has to be in the defined fail safe position.

Final elements specification

Specify the final element:

• TAG name
• type
• required number
• actuator action.

Requirements for successful operation of final elements

Specify if there are any specific requirements regarding environmental quality (e.g. temperature, humidity) of the final element.

10 Fail-safe process output description

Describe each fail- safe output.

• number of outputs
• I/O name, the name of output
• device, the connected device to the output
• trip action (energize, de-energize)

Output circuit requirements Specify requirements regarding the output circuit safety measures:

• periodic tests
• alarm actions
• feedback

11 Fail-safe process input and trip limit description

Describe each fail-safe inputs:

• type (digital, analogue)
• number of inputs
• name
• voting
• open or closed work circuit (digital input)
• trip limit (analogue input)

Input circuit requirements Specify requirements regarding the input circuit safety features:

• the need of wire break detection
• the need of failure detection

12 BPCS and other systems interface

Give an explanation of the BPCS and other system interface (non fail safe). Describe the digital
outputs, digital inputs, analogous inputs and other output/ input signals.

13 Requirements for proof test intervals

Specify the desired proof test interval (months).

Is it possible to execute a fully proof test during operation (Yes/No). If no, is it possible to execute a
partial proof test (Yes/No).

Special proof test design requirements

Specify the requirements for the proof test.
Describe the test sequence.

14 Relationship between process inputs and outputs

Give a logical description of the SIF. The description shall be easy to understand.

Trigging and reset:

• describe the architecture (1oo1, 1oo2, 2oo3 etc)
• describe the conditions that trig the SIF (inputs or other communication signals that trig the SIF)
• describe the conditions that reset the SIF (inputs or other communication signals that reset the SIF)
• provide time and delay requirements

Actuating:

• describe the actuating of the output
• provide time ad delay requirements
• forced energized or de-energized
• describe bypass modes

15 Operator interfaces (HMI)

Panels/ buttons:

Describe the use of pushbuttons, key switches, indicators etc included in the SIF.

Graphics

Provide a description of the graphics representation (picture) of the SIF. The graphic representation shall indicate:

• included components (switches, transmitters etc)
• the position of the included components
• abnormal modes
• alarms/ warnings

Generation of alarms

Describe the different failure modes that activate alarms (high temperature, low level, high pressure, abnormal conditions, detected errors, valve in a abnormal position, hardware or software errors etc.)

Generation of events

Important events shall be displayed for the operator e.g automatic or manual trig of the SIF, affected switches, bypasses, valve position.

Alarm and event logging

Provide a description of alarm and event logging.

16 Requirements for protecting the SIF from special environmental conditions

Describe the requirements regarding environmental aspects that affect the SIF (temperature, humidity etc.).

17 Requirements for protecting the SIF from major accidents

Specify the requirements that protect the SIF in case of major accidents (fire, explosion etc.):

• resisting fire in XX minutes
• the need of instrumentation air
• the need of redundancy (air supply, power supply etc.)
• safety devices (relief valves etc.)
• manual safety devices

18 Consequential hazards (due to implementation of the SIF)

Discovered consequential hazards
Describe consequential hazards that could occur e.g.:
• mechanical faults (e.g. valve jam)
• human behaviour (e.g. operation by accident, lack of knowledge)

Hazards due to concurrently occurring events:
Describe possible hazards due to concurrently occurring events e.g.:
• fire (pool fire, flash fire, jet fire)
• explosion (fireball, physical explosion, vapour cloud explosion)

Possible risk reducing measures:
Describe possible risk reducing measures e.g.

• indicators (level, pressure, temperature etc)
• monitoring of manual bypasses