Safety Requirement Specification (SRS)
The Safety Requirement Specification (SRS), as described by IEC 61511-1:2016, Clause 3.2.72, is the specification that includes the functional requirements for the SIFs and the corresponding safety integrity levels. The SRS is part of the safety lifecycle of a Safety Instrumented System (SIS) (refer to Figure 1, Clause 10) and is the crucial step of recording each SIF's safety requirements before the SIS is designed, installed, validated, verified, and operated.
A 2003 study by the UK's Health and Safety Executive (HSE) of the causes of accidents involving control systems found that about 44% were attributable to issues with specifications. A poorly defined, ambiguous, or inadequate specification significantly increases risk, because the SIS design may then fail to achieve its intended safety objectives. Clear and precise specifications are therefore essential to avoid misinterpretation or misunderstanding in SIS design. The SRS may be a single document or a collection of several documents developed by the hazard and risk analysis team or the project team. As per IEC 61511-1:2016, Clause 10.3.2(2), the SIS safety requirements shall adequately address the considerations below. Note: this is not a complete list; refer to IEC 61511-1:2016, Clause 10.3.2 for further reading.
- SIF Specifications and Functional Details: Define all Safety Instrumented Functions (SIFs) with supporting documentation such as cause and effect diagrams or logic narratives, including clear identification of associated plant input/output devices and equipment tags.
- Process Safety and Operational Requirements: Specify the safe state for each SIF, the response time to achieve it, assumed demand sources and rates, the required SIL and operational mode (demand or continuous), the proof test interval and how it is implemented, and spurious trip limits.
- Application Program Safety Requirements: Specify the application program safety requirements of each SIF, including sensor voting, together with the requirements arising from the safety handbook and the SIS architecture, including embedded software and hardware limits.
- Failure and Shutdown Protocols: Address common cause failure considerations, manual shutdown requirements, energize or de-energize to trip conditions, and operational requirements for each plant mode.
- Bypass Management: Define requirements for bypassing SIFs, including administrative control procedures and protocols for clearing bypass states.
- Survivability in Major Events: Specify SIF requirements to endure major accident scenarios, such as the time a valve must remain operational during a fire.
SIL Verification
IEC 61511-1:2016, Clause 11 provides the Safety Instrumented System design requirements to meet the SRS in terms of SIL, the associated risk reduction, PFD or PFH, etc.
The primary objective of SIL verification is to demonstrate the capability of a SIF, in accordance with IEC 61508 and IEC 61511, with respect to Probability of Failure under Demand (PFD), architectural constraints and systematic capability. SIL verification is carried out for all SIFs with a target SIL greater than or equal to SIL 1.
Probability of Failure under Demand (PFD):
Quantification of PFD can be carried out using various modelling techniques such as Markov analysis, fault tree analysis, reliability block diagrams, cause-consequence analysis, etc.
The table below shows the target PFD for each SIL for SIFs in low demand mode and continuous demand mode.
The following inputs are required to calculate the PFDavg of a SIF:
- Safety Requirement Specification
- SIL Assessment Report
- Failure rates of the elements considered in the SIF (sensors, logic solver and final elements) and their common cause failure rates
- SIL certificates for the elements considered in the SIF (sensors, logic solver and final elements)
- Piping and Instrumentation Diagram (P&ID)
- Cause & Effect Diagram and control narratives, etc.
Architectural constraints
The SIL of a SIF is taken as the lowest of the three (PFD, architectural constraints and systematic capability). For example, as per the IEC 61511-1:2016 table for Hardware Fault Tolerance (HFT), i.e. the architectural constraints, the minimum HFT for SIL 3 is 1; thus a SIF cannot be credited with SIL 3 on the basis of PFDavg or systematic capability unless it also meets the HFT of 1 required for SIL 3. This is often the case for a HIPPS system.
Systematic Capability: This is a measure (on a scale from SC 1 to SC 4) of the degree of confidence that, when a device is used in compliance with the guidelines in its safety manual, its systematic safety integrity satisfies the requirements of the specified SIL with regard to the specified safety function. Systematic capability is evaluated against the requirements of IEC 61508-2:2010 and IEC 61508-3:2010 for the prevention and management of systematic faults.
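As an added example (not from this page or from the standard itself), the following Python applies the "lowest of the three" rule to a constructed low demand SIF: it sums simplified PFDavg approximations (no MTTR or diagnostic coverage, beta-factor common cause) for each subsystem, reads the SIL from the low demand PFDavg bands, then limits it by the hardware fault tolerance of each subsystem using the minimum-HFT values of IEC 61511-1:2016 Table 6 for low demand mode and by the lowest systematic capability. The tag names, failure rates and beta factor are constructed values, not from any certified dataset.

```python
from dataclasses import dataclass

# Low demand mode PFDavg bands (IEC 61508-1 / IEC 61511-1); lower bound inclusive
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# Minimum HFT per SIL for low demand mode, taken from IEC 61511-1:2016 Table 6
MIN_HFT = {1: 0, 2: 0, 3: 1, 4: 2}

@dataclass
class Subsystem:
    name: str
    m: int             # M in MooN voting: channels that must trip
    n: int             # N channels installed, so HFT = N - M
    lambda_du: float   # dangerous undetected failure rate, per hour (constructed)
    sc: int            # systematic capability of the device (SC 1..4)
    ti_hours: float    # proof test interval, hours
    beta: float = 0.0  # common cause (beta factor) share of lambda_du

    def pfd_avg(self) -> float:
        """Simplified PFDavg (no MTTR or diagnostics) for 1oo1, 1oo2 and 2oo3."""
        x = self.lambda_du * self.ti_hours
        if (self.m, self.n) == (1, 1):
            return x / 2
        ccf = self.beta * x / 2            # common cause term defeats redundancy
        ind = ((1 - self.beta) * x) ** 2   # independent dual-failure term
        if (self.m, self.n) == (1, 2):
            return ind / 3 + ccf
        if (self.m, self.n) == (2, 3):
            return ind + ccf
        raise ValueError(f"unsupported voting {self.m}oo{self.n}")

def sil_from_pfd(pfd: float) -> int:
    # SIL band the SIF's PFDavg falls into; 0 if outside SIL 1..4
    return next((s for s, (lo, hi) in PFD_BANDS.items() if lo <= pfd < hi), 0)

def sil_from_hft(hft: int) -> int:
    # Highest SIL whose architectural constraint this HFT satisfies
    return max(s for s, h in MIN_HFT.items() if h <= hft)

def verify_sif(subsystems):
    """Achieved SIL is the lowest of the PFDavg SIL, the HFT-limited SIL and SC."""
    pfd = sum(s.pfd_avg() for s in subsystems)
    by_pfd = sil_from_pfd(pfd)
    by_hft = min(sil_from_hft(s.n - s.m) for s in subsystems)
    by_sc = min(s.sc for s in subsystems)
    return {"pfd_avg": pfd, "sil_pfd": by_pfd, "sil_hft": by_hft,
            "sil_sc": by_sc, "achieved_sil": min(by_pfd, by_hft, by_sc)}

# Constructed SIF: 2oo3 transmitters, 1oo1 logic solver, 1oo2 valves, yearly proof test
YEAR = 8760.0
EXAMPLE_SIF = [Subsystem("PT-101A/B/C", 2, 3, 1e-6, 3, YEAR, beta=0.05),
               Subsystem("Logic solver", 1, 1, 5e-8, 3, YEAR),
               Subsystem("XV-101A/B", 1, 2, 1.5e-6, 3, YEAR, beta=0.05)]
```

For the constructed SIF the summed PFDavg lands in the SIL 3 band, but the 1oo1 logic solver (HFT 0) limits the achieved SIL to 2; adding a second logic solver channel (1oo2) lifts the cap and the SIF is credited with SIL 3.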