
Best Practice

SABP-Z-076 21 February 2016


Guideline for Development of Safety Requirement Specification (SRS)
Document Responsibility: Process Control Standards Committee

Contents
1 Introduction............................................................................................... 2
2 Scope........................................................................................................ 3
3 Conflicts with Mandatory Standards.......................................................... 4
4 References................................................................................................ 4
5 Abbreviations............................................................................................ 5
6 Definitions................................................................................................. 6
7 Roles and Responsibilities........................................................................ 8
8 Preparation of Safety Requirements Specification (SRS)......................... 8
8.1 SRS Objective................................................................................. 8
8.2 SRS Template................................................................................. 9
8.3 SRS Development......................................................................... 21

Appendix A - SRS Template.......................................................... 22
Appendix B - SIF Summary Table................................................. 29

Previous Issue: New
Next Planned Update: TBD


Page 1 of 29
Contacts: David Northup at +966-013-8809487, and Limneo Capellan at +966-013-8801573

Copyright©Saudi Aramco 2016. All rights reserved.


Document Responsibility: Process Control Standards Committee
SABP-Z-076
Issue Date: 21 February 2016
Next Planned Update: TBD
Guideline for Development of Safety Requirement Specification (SRS)

1 Introduction

Saudi Aramco Emergency Shutdown System (ESD) standards have adopted, by
reference, the international standard ANSI/ISA-84.00.01-2004 (IEC61511-1 Mod).
This international standard addresses all Safety Instrumented System (SIS) safety
life-cycle management requirements from initial concept through specification, design,
implementation, operation and maintenance.

Development of the Safety Requirement Specification (SRS), see Figure 1, is a critical
step in SIS life-cycle management. The SRS is developed immediately after the
identification of Safety Instrumented Functions (SIF) and determination of the required
Safety Integrity Level (SIL) for each function. The SRS is the basis of design for SIS
hardware and software, Factory Acceptance Testing (FAT), installation, commissioning,
validation, operation, maintenance and decommissioning. The minimum
requirements for the SRS are defined in ANSI/ISA-84.00.01-2004 (IEC61511-1 Mod)
Clause 10.

The SRS is a specification that contains all safety integrity requirements for each SIF
which the SIS must meet in order to achieve the required functional safety as
determined during the SIL study. The SRS consists of general design requirements of the
SIS as well as specific integrity requirements for each individual SIF. Per SAES-B-058,
SAES-J-601 and SAEP-250, a single SRS is to be provided for each ESD system, and the
SRS is required to identify each ESD function and its assigned SIL, even if the function is
assigned an integrity level of SIL 0.

The SIS requirements must be stated and structured in a clear, precise, verifiable,
maintainable and feasible manner. The SRS should be written to aid comprehension of
all individuals who will utilize the information at the various lifecycle phases.

This best practice has been developed to assure that a quality SRS is developed in a
timely manner and used as the basis for SIS design, FAT, installation, commissioning,
validation, operation and maintenance as required by the applicable international
standards.


Figure 1 - ANSI/ISA-84.00.01-2004 (IEC61511-1 Mod) Lifecycle Model

2 Scope

This document provides guidance on SRS development to assure that the content and style
of the SRS are consistent across all Saudi Aramco facilities.

This document provides an SRS template (Appendix A) to be used as a model for
SRS development. Section 8 provides instructions for preparation of the SRS.


The intent of the SRS template is to define a format that assures all process information,
SIS system requirements and SIF-specific requirements are documented, directly or by
reference, in a single requirements document.

This document also defines the roles and responsibilities of the various Saudi Aramco
organizations in the development, approval and implementation of the SRS.

This document is intended to comply with the requirements for development of the SRS as
defined by ANSI/ISA-84.00.01-2004 (IEC61511-1 Mod), Functional Safety: Safety
Instrumented Systems for the Process Industry Sector - Part 1: Framework, Definitions,
System, Hardware and Software Requirements, Clause 10; Saudi Aramco Engineering
Standard SAES-B-058; Saudi Aramco Engineering Standard SAES-J-601; and Saudi
Aramco Engineering Procedure SAEP-250.

Individual projects may add additional sections to the SRS to address vendor
requirements or specific project requirements. The SRS template should not be
modified in a manner that removes any requirements of ANSI/ISA-84.00.01-2004
(IEC61511-1 Mod).

This document does not define how the technical content of the SRS is developed.

3 Conflicts with Mandatory Standards

In the event of a conflict between this Best Practice and Mandatory Saudi Aramco
Engineering Requirements (MSAERs), the Mandatory Saudi Aramco Engineering
Requirements shall govern.

4 References

Specific sections of the documents listed below are referenced within the body of this
Best Practice. Where specific sections are not referenced, the entire referenced document
shall apply.

4.1 Saudi Aramco References

Saudi Aramco Engineering Procedure
SAEP-250 Safety Integrity Level Assignment and Verification

Saudi Aramco Engineering Standards
SAES-B-058 Emergency Shutdown, Isolation and Depressurization
SAES-J-601 Emergency Shutdown and Isolation Systems


4.2 International Standard

American National Standards Institute
ANSI/ISA-84.00.01-2004 (IEC61511-1 Mod) Functional Safety: Safety Instrumented
Systems for the Process Industry Sector - Part 1: Framework, Definitions, System,
Hardware and Software Requirements

5 Abbreviations
BPCS Basic Process Control System
C&E Cause and Effect Diagram
CIL Commercial Integrity Level
DCS Distributed Control System
EIL Environmental Integrity Level
ESD Emergency Shutdown System
EUC Equipment under Control
E&PM Engineering and Project Management
FAT Factory Acceptance Test
HAZOP Hazard and Operability Study
HIPS High Integrity Protection System
IL Integrity Level
IO Input/Output
IPL Independent Protection Layer
LOPA Layer of Protection Analysis
LPD Loss Prevention Department
MOC Management of Change
MSAER Mandatory Saudi Aramco Engineering Requirements
OO Operations Organization
P&CSD Process and Control System Department
PAN Process Automation Network
PAS Process Automation System
PCN Process Control Network
PCS Process Control System
PFDAvg Average Probability of Failure on Demand
PMT Project Management Team
P&ID Piping and Instrumentation Diagram
RRF Risk Reduction Factor
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SME Subject Matter Expert
SRS Safety Requirement Specification

6 Definitions

Basic Process Control System (BPCS): System which responds to input signals from
the process, its associated equipment, other programmable systems and/or operator and
generates output signals causing the process and its associated equipment to operate in
the desired manner but which does not perform any safety instrumented functions with
a claimed SIL ≥ 1. [ANSI/ISA 84.00.01-2004 Part 1 (IEC61511-1 Mod) 3.2.3].

Commercial Integrity Level (CIL): Discrete level (one to four) for specifying the
commercial integrity requirements of instrumented functions to be allocated to the
safety instrumented systems for the purpose of reducing commercial risk.

Common Cause Failure: Failure which is the result of one or more events, causing
failures of two or more separate channels in a multiple channel system, leading to
system failure. [ANSI/ISA 84.00.01-2004 Part 1 (IEC61511-1 Mod) 3.2.6.1].

Distributed Control System (DCS): A process control system that is composed of
distinct modules. These modules may be physically and functionally distributed over
the plant area. The distributed control system responds to input signals from the
process, its associated equipment, other programmable systems and/or operator and
generates output signals causing the process and its associated equipment to operate in
the desired manner but which does not perform any safety instrumented functions with
a claimed SIL greater than or equal to 1. Also referred to as BPCS.

Environmental Integrity Level (EIL): Discrete level (one to four) for specifying the
environmental integrity requirements of instrumented functions to be allocated to the
safety instrumented systems for the purpose of reducing environmental risk.

Emergency Shutdown System (ESD): A system of valves, piping, sensors, actuating
devices, and logic solvers that takes the process, or specific equipment in the process, to
a safe state, i.e., to shutdown, to isolate, de-energize, and depressurize the plant, train,
or process unit. Also referred to as SIS.

Functional Safety: Part of the overall safety relating to the process and the BPCS
which depends on the correct functioning of the SIS and other protection layers.
[ANSI/ISA 84.00.01-2004 Part 1 (IEC61511-1 Mod) 3.2.25].


Independent Protection Layer (IPL): A device, system or action that is capable of
preventing a scenario from proceeding to its undesired consequence independent of the
initiating event or action of any other layer of protection.

Layer of Protection Analysis (LOPA): Simplified risk assessment method used to
assign safety integrity levels.

Project Management Team (PMT): The team assigned the responsibility of
managing the project. An Engineering and Project Management (E&PM) organization
or the operating organization (OO) may serve as the PMT.

Operating Organization (OO): The organization responsible for operating the
facility.

Process Control System (PCS): The integrated system which is used to automate,
monitor and/or control an operating facility (e.g., plant process units). The PCS
consists of operating area Distributed Control Systems and their related auxiliary
systems which are connected together at the Process Control Network (PCN) and
Process Automation Network (PAN) level to form a single integrated system.

Probability of Failure on Demand Average (PFDAvg): Probability that, when
demanded, an IPL will not perform the required task.

Safety Instrumented System (SIS): Instrumented system used to implement one or
more safety instrumented functions. An SIS is composed of any combination of
sensor(s), logic solver(s) and final element(s). [ANSI/ISA 84.00.01-2004 Part 1
(IEC61511-1 Mod) 3.2.72].

Safety Instrumented Function (SIF): Safety function with a specified safety integrity
level which is necessary to achieve functional safety and which can be either a safety
instrumented protection function or a safety instrumented control function.
[ANSI/ISA 84.00.01-2004 Part 1 (IEC61511-1 Mod) 3.2.71].

Safety Integrity Level (SIL): Discrete level (one to four) for specifying the safety
integrity requirements of the safety instrumented functions to be allocated to the safety
instrumented systems. Safety integrity level 4 has the highest level of safety integrity;
safety integrity level 1 has the lowest. [ANSI/ISA 84.00.01-2004 Part 1 (IEC61511-1
Mod) 3.2.74].

Risk Reduction Factor (RRF): Inverse of the average Probability of Failure on Demand
(RRF = 1/PFDAvg).


7 Roles and Responsibilities

Roles and responsibilities for development of the SRS are defined in Table 1.

TABLE 1

Role/Responsibility                                                  PMT   P&CSD   LPD   OO
SIL Assignment                                                       RA    I       I     C
Specify required minimum test interval (unit turnaround frequency)
  and acceptable spurious trip rate                                  C     I       I     RA
SRS Development                                                      RA    I       C
SIS Verification (Functional Safety Assessment)                      RA    I       I     C
Design and Fabrication of SIS                                        RA    I       I     I
Conduct FAT of SIS against SRS                                       RA    I       I     C
SIS Validation (of installed system)                                 RA    I       I     C
Operate and maintain SIS in compliance with SRS                      -     -       -     RA
SRS Management of Change                                             -     -       -     RA
Decommissioning                                                      -     -       -     RA

R – Responsible
A – Accountable
C – Consulted
I – Informed

8 Preparation of Safety Requirements Specification (SRS)

8.1 SRS Objective

The objective of the SRS is to provide a single document which defines the
integrity requirements of the SIS and to communicate these requirements to the
individuals who will utilize the information throughout the SIS lifecycle.
These requirements should be sufficient to specify, design, test, install,
commission, validate, operate and maintain the SIS. The SRS should address
requirements of the logic solver, the individual SIFs, the process, plant operating
mode, plant maintenance activities, and any interfaces with the operator and
other systems.

The document should be concise, clear and easily understood by all users.
Depending on the process, there may be a single SRS for the entire SIS
or a separate SRS for each logic solver.


The SRS should be developed immediately following the allocation of safety
requirements to the safety instrumented functions (i.e., following the HAZOP
and LOPA). The major steps of the SRS development should be reflected in the
project schedule.

The completed and approved SRS is the basis for design, test, installation,
commissioning, validation and maintenance of the SIS.

The SRS is a living document and should be updated to reflect modifications to
the SIS during commissioning or operation. The SRS should be controlled
under the facility Management of Change (MOC) process.

8.2 SRS Template

To facilitate standardization, an SRS template is provided in Appendix A.
This template should be used to generate the SRS for each SIS.

This section summarizes the information required and provides instructions for
completing the SRS template.
Note: SAES-B-058, SAES-J-601 and SAEP-250 require the SRS to document each
function in the ESD whether it is a SIF or not. For this reason the SIF details
section needs to contain a sheet for each function implemented in the SIS,
whether it is providing risk reduction or is located in the ESD for other
reasons.

8.2.1 Approval and Revision Summary (SRS Section 1)

Section 1 of the SRS documents the Approval and Revision History of
the SRS.
Note: The SRS needs to be kept current throughout the SIS lifecycle.

8.2.2 Executive Summary (SRS Section 2)

Section 2 provides a high level summary of the SRS. This section
should provide the following information.
- Identify the Project responsible for development of the initial SRS.
- State whether this was a grassroots project, expansion, migration or upgrade
  project.
- State that the SRS has been developed to comply with ANSI/ISA 84.00.01-
  2004 Part 1 (IEC61511-1 Mod) Clause 10 requirements.
- State the facility/plant/unit the SRS is developed for.
- State that the LOPA method was utilized to identify SIFs and assign the
  SIL.

8.2.3 Acronyms (SRS Section 3)

Section 3 should list all acronyms used in the SRS.

8.2.4 SIS Summary Table (SRS Section 4)

Section 4, the SIS Summary Table, provides a high level overview of the
functions implemented in the SIS associated with this particular SRS.
The summary table lists, for each function:
- SIF Number – sequential number, e.g., SIF-001
- SIF Name – name used in the Cause and Effect Diagram (C&E) and on the
  P&ID, e.g., ZC-001
- The target Integrity Level [i.e., SIL, Environmental Integrity Level
  (EIL) and Commercial Integrity Level (CIL)]
- Target RRF (list for each type of IL)
- Achieved SIL (list for each type of IL)
- Achieved RRF (list for each type of IL)
- Residual Risk (if any) (list for each type of IL)
- Systems/functions in other automation systems affected by the SIS in
  this SRS (such as SIS peer-to-peer communications or initiation of
  SIFs located in another SIS)
- Status of each SIF (active or decommissioned)
Note: The summary table should include all functions implemented in the
SIS, even those with "no special IL requirements", i.e., SIL 0.

The SRS should contain a SIF Summary Table based on the recommended
format shown in Appendix B.
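As an added worked example (not part of this Best Practice and not a Saudi Aramco tool), the following Python script applies the checks implied by the summary table: it derives the achieved IL and RRF from the achieved PFDavg using the low-demand-mode SIL bands of IEC 61511-1, compares them with the LOPA targets, reports any residual shortfall, and flags any function implemented in the SIS that is absent from the table (the SIL 0 functions the Note above requires). The SIF rows and the function list are constructed for illustration; applying the same bands to EIL and CIL, and expressing residual risk as target RRF divided by achieved RRF, are assumptions of the example.

```python
"""Consistency checks for the SIF Summary Table (SRS Section 4 / Appendix B).

Added example, not part of SABP-Z-076 and not a Saudi Aramco tool. It assumes the
low-demand-mode SIL bands of IEC 61511-1 (PFDavg ranges) apply to the SIL, EIL and
CIL columns alike, and expresses residual risk as the unmet fraction of the target
RRF; the table rows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Low-demand mode bands from IEC 61511-1: (IL, PFDavg lower bound, PFDavg upper bound)
IL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def il_from_pfd(pfd_avg: float) -> int:
    """Integrity level whose band contains PFDavg; 0 when PFDavg >= 0.1 (no IL credit)."""
    if not 0.0 < pfd_avg <= 1.0:
        raise ValueError(f"PFDavg must be in (0, 1], got {pfd_avg}")
    for il, low, high in IL_BANDS:
        if low <= pfd_avg < high:
            return il
    return 0


def rrf_from_pfd(pfd_avg: float) -> float:
    """Risk Reduction Factor is the inverse of PFDavg (SABP-Z-076 Section 6)."""
    return 1.0 / pfd_avg


@dataclass(frozen=True)
class IlRequirement:
    target_il: int        # from LOPA; 0 means "no special IL requirement"
    target_rrf: float     # from LOPA; 1.0 when no risk reduction is claimed
    achieved_pfd: float   # from the SIL verification report


@dataclass(frozen=True)
class SifRow:
    number: str                             # e.g. SIF-001
    name: str                               # tag used on the C&E and P&ID, e.g. ZC-001
    status: str                             # "active" or "decommissioned"
    requirements: Dict[str, IlRequirement]  # keyed by "SIL", "EIL", "CIL"


def evaluate(req: IlRequirement) -> Tuple[int, float, Optional[float]]:
    """Return (achieved IL, achieved RRF, residual shortfall factor or None when met)."""
    achieved_il = il_from_pfd(req.achieved_pfd)
    achieved_rrf = rrf_from_pfd(req.achieved_pfd)
    if achieved_il < req.target_il or achieved_rrf < req.target_rrf:
        return achieved_il, achieved_rrf, req.target_rrf / achieved_rrf  # assumption
    return achieved_il, achieved_rrf, None


def check_table(rows: List[SifRow], sis_functions: Set[str]) -> List[str]:
    """Findings for a whole summary table; an empty list means it is consistent.

    sis_functions is every function implemented in the SIS (from the C&E), so that a
    SIL 0 function left out of the table is reported, as every ESD function must be listed.
    """
    findings: List[str] = []
    numbers = [r.number for r in rows]
    if len(set(numbers)) != len(numbers):
        findings.append("duplicate SIF numbers in table")
    for name in sorted(sis_functions - {r.name for r in rows}):
        findings.append(f"{name}: implemented in SIS but missing from summary table")
    for row in rows:
        if row.status not in ("active", "decommissioned"):
            findings.append(f"{row.number}: status must be active or decommissioned")
        for il_type, req in row.requirements.items():
            achieved_il, achieved_rrf, residual = evaluate(req)
            if residual is not None:
                findings.append(
                    f"{row.number} {il_type}: target {il_type} {req.target_il} / RRF "
                    f"{req.target_rrf:g} not met; achieved {il_type} {achieved_il} / RRF "
                    f"{achieved_rrf:.0f}; residual factor {residual:.2f}")
    return findings


# Constructed rows: one SIF meets its target, one falls short, one is a SIL 0 function
SAMPLE_ROWS = [
    SifRow("SIF-001", "ZC-001", "active", {"SIL": IlRequirement(2, 100.0, 4.2e-3)}),
    SifRow("SIF-002", "ZC-002", "active", {"SIL": IlRequirement(2, 150.0, 8.0e-3)}),
    SifRow("SIF-003", "ZC-003", "active", {"SIL": IlRequirement(0, 1.0, 0.5),
                                           "EIL": IlRequirement(1, 10.0, 5.0e-2)}),
]
SAMPLE_SIS_FUNCTIONS = {"ZC-001", "ZC-002", "ZC-003", "ZC-004"}  # ZC-004 is not listed


def run_sample() -> List[str]:
    return check_table(SAMPLE_ROWS, SAMPLE_SIS_FUNCTIONS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed rows the script reports two findings: ZC-004 is implemented but missing from the table, and SIF-002 achieves SIL 2 but only RRF 125 against a target RRF of 150 (residual factor 1.2), which is exactly the case the Residual Risk column exists to expose.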

8.2.5 Process Overview Description (SRS Section 5)

Section 5 contains a brief description of the process with an emphasis on
the equipment associated with SIS outputs. It should describe each
process unit and identify process units that are "trained", highlight
common equipment shared by trains and describe equipment level
redundancy.

The process description should state the planned turnaround for each unit
or train and identify any operational or licensor limits on the acceptable
spurious trip rate.

A brief high-level summary of the hazards present should be provided,
including identification of any normal and abnormal operating modes
(e.g., startup) and operating procedures (e.g., equipment maintenance,
calibration and repair) which may create the need for additional SIFs.

Identify and define requirements for any SIFs that must survive a major
incident, e.g., the length of time an isolation valve needs to remain
operable during a major fire.

8.2.6 SIS Block Diagram (SRS Section 6)

Generally an SRS is prepared for each SIS (e.g., logic solver, relay panel,
etc.).

Section 6 of the SRS should contain an ESD System block diagram showing
the scope of the ESD and its association with other ESD systems.

In some cases the plant may have multiple ESDs. This section should
also provide a block diagram of the SISs for the entire facility and
highlight how the various ESD systems or logic solvers are grouped by
SRS.

8.2.7 SIS Design Basis (SRS Section 7)

Section 7 of the SRS provides details of the basis of SIS design.
This section is a combination of general SIS requirements and design
philosophies. It should provide the SIS philosophy and requirements,
including typical drawings, for the following design considerations.

8.2.7.1 General SIS Requirements (SRS Section 7.1)

Section 7.1 of the SRS should define the General SIS Design
Requirements. Table 3 lists the General SIS Design
Requirements which need to be defined in Section 7.1 of the
SRS.


Table 3 - General SIS Design Requirements

Selected technology e.g., TMR PES, DMR PES, Relay, Solid State
SIF Reset Method e.g., software, CR pushbutton, field
Unit Maintenance Turnaround Interval X years
Use of hardwired or software resets Hardwired/software
BPCS Hardware Product e.g., Honeywell C300
BPCS Software Revision e.g., R14x
SIS Hardware e.g., Honeywell Safety Manager
SIS Software Revision e.g., R15x
Asset Management Hardware Product name
Asset Management Software Revision Rxxx
Design MTTR (entire SIS) Hours
SIS Mission Life Years
Overall Availability Target %
UPS backup time Hrs
SIF Reset Philosophy Hardwired/software
Programming method State programming method to be utilized

8.2.7.2 SIS Design Philosophy (SRS Section 7.2)

Section 7.2 of the SRS should provide an explanation of the
design philosophies which will affect the specification of SIF
architecture, SIS hardware selection and SIS software
development. Table 4 lists potential SIS design decisions which
need to be defined by philosophy statements in Section 7.2 of the
SRS.

Table 4 - SIS Design Philosophy Requirements

Item / Topic: Design Considerations to be Documented in Philosophy

1. Use of HIPS: State if the facility utilizes HIPS. Define the philosophy for
   segregation of HIPS and ESD.
2. Use of Fail-in-Place: Develop the philosophy for use of fail-in-place devices.
   State requirements for inclusion of motive force availability in the final
   device PFD calculation.
3. Common Mode Failures: State the common mode failures considered in the SIS
   design and any required design guidelines, e.g., diverse technology for
   level measurement.
4. SIF Design for Testing: State the expected plant maintenance interval
   (turnaround) to assure any annual or quarterly testing can be performed
   without interrupting plant throughput. Define operation's expectation on
   spurious trip rate.
5. Fired Equipment: State the expectation for implementation of fired equipment
   shutdowns (BMS) into the overall SIS, e.g., for Claus units the thermal
   reactor, tail gas heater and incinerator should each have their own BMS and
   a separate SIS should be designed for the process shutdowns.
6. Bypass Annunciation: State the philosophy for automatic re-annunciation of
   any SIS bypass, either by shift or every 24 hours.
7. Fail to Shutdown: State the philosophy for confirming devices went to the
   safe state when a shutdown is initiated. Define the alarms to be generated if
   devices do not go to the safe position and the requirements to confirm
   devices are in the safe state before the SIF can be reset.
8. Partial Stroke Testing: State the philosophy for any partial stroke testing:
   how partial stroke testing is performed and how many partial strokes are
   allowed before a full stroke test is required.
9. SIF Name: State the philosophy for naming and numbering SIFs, as well as
   reset and bypass tags. This should include sketches as well as a narrative.
10. BPCS Action on SIF Activation: Identify the expected BPCS action on
    activation of a SIF, e.g., backup devices should go to manual, 0% output.
11. Use of SIL-Capable Instrumentation: State the design basis regarding use of
    SIL-capable instrumentation and the required SIF response to instrument
    fault identification.
12. Loss of Power: State the expected response to loss of system power and loss
    of device power.
13. Dangerous Output States: Identify combinations of outputs that need to be
    avoided because they could create additional hazards.
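The confirmation and reset interlock of item 7 is illustrated below by an added Python example; it is not part of this Best Practice and does not represent any logic solver product. The SIF trips, each final element must report its safe state within its travel time, a "failed to shutdown" alarm is raised on the scan that finds an element overdue, and a reset request is refused until the trip condition has cleared and every element has confirmed. Tag names, travel times and the scan-based alarm are assumptions chosen for the illustration; the scenario is constructed.

```python
"""Fail-to-shutdown confirmation and reset interlock for one SIF
(SABP-Z-076 Table 4, item 7).

Added illustration, not part of the Best Practice and not any logic solver's
product logic. Tag names, travel times and the scan-based alarm are assumptions;
the scenario in run_scenario() is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FinalElement:
    tag: str
    safe_state: str                      # feedback state that proves the safe position
    travel_time_s: float                 # maximum allowed time to reach the safe state
    confirmed_at: Optional[float] = None
    failed_alarm_raised: bool = False


@dataclass
class SifTripMonitor:
    sif: str
    elements: Dict[str, FinalElement]
    tripped_at: Optional[float] = None
    alarms: List[str] = field(default_factory=list)

    def trip(self, t: float) -> None:
        """SIF trip: outputs are driven to the safe state and confirmation timing starts."""
        self.tripped_at = t
        for e in self.elements.values():
            e.confirmed_at = None
            e.failed_alarm_raised = False
        self.alarms.append(f"{t:5.1f}s {self.sif} TRIPPED")

    def feedback(self, t: float, tag: str, state: str) -> None:
        """Field feedback (limit switch, run status) for one final element."""
        e = self.elements[tag]
        if self.tripped_at is None or state != e.safe_state or e.confirmed_at is not None:
            return
        e.confirmed_at = t
        elapsed = t - self.tripped_at
        if elapsed > e.travel_time_s:
            self.alarms.append(f"{t:5.1f}s {tag} reached {state} late "
                               f"({elapsed:.1f}s > {e.travel_time_s:.1f}s)")

    def scan(self, t: float) -> None:
        """Logic-solver scan: alarm each element still unconfirmed after its travel time."""
        if self.tripped_at is None:
            return
        for e in self.elements.values():
            overdue = e.confirmed_at is None and t - self.tripped_at >= e.travel_time_s
            if overdue and not e.failed_alarm_raised:
                e.failed_alarm_raised = True
                self.alarms.append(f"{t:5.1f}s {e.tag} FAILED TO SHUTDOWN "
                                   f"(expected {e.safe_state})")

    def all_confirmed(self) -> bool:
        return all(e.confirmed_at is not None for e in self.elements.values())

    def request_reset(self, t: float, trip_condition_clear: bool) -> bool:
        """Honour a reset only when the initiating condition has cleared AND every final
        element has confirmed its safe state; otherwise the SIF stays tripped."""
        if self.tripped_at is None:
            return False                      # nothing to reset
        if not trip_condition_clear:
            self.alarms.append(f"{t:5.1f}s {self.sif} reset refused: trip condition present")
            return False
        if not self.all_confirmed():
            pending = sorted(e.tag for e in self.elements.values() if e.confirmed_at is None)
            self.alarms.append(f"{t:5.1f}s {self.sif} reset refused: unconfirmed {pending}")
            return False
        self.alarms.append(f"{t:5.1f}s {self.sif} RESET")
        self.tripped_at = None
        return True


def run_scenario() -> SifTripMonitor:
    """Constructed scenario: the pump stops and one valve closes in time, the other
    valve sticks, a reset is refused, the valve is freed, and the reset is accepted."""
    mon = SifTripMonitor("SIF-001", {
        "ZV-101": FinalElement("ZV-101", "closed", travel_time_s=5.0),
        "ZV-102": FinalElement("ZV-102", "closed", travel_time_s=5.0),
        "GM-101": FinalElement("GM-101", "stopped", travel_time_s=2.0),
    })
    mon.trip(0.0)
    mon.feedback(1.0, "GM-101", "stopped")
    mon.scan(2.0)
    mon.feedback(3.2, "ZV-101", "closed")
    mon.scan(4.0)
    mon.scan(6.0)                                          # ZV-102 failed to shutdown
    mon.request_reset(7.0, trip_condition_clear=True)      # refused: ZV-102 unconfirmed
    mon.feedback(9.0, "ZV-102", "closed")                  # late confirmation
    mon.request_reset(10.0, trip_condition_clear=True)     # accepted
    return mon


if __name__ == "__main__":
    for line in run_scenario().alarms:
        print(line)
```

The point of the interlock is that a reset pushbutton or software reset can never clear a trip while a final element is still in an unknown position; the late-confirmation alarm also records the delay for the SIL verification of that element's travel time.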

8.2.7.3 SIS IO Functionality (SRS Section 7.3)

Section 7.3 should provide an explanation of the SIS IO
functionality requirements which may affect the SIS hardware
selection and SIS software development. Table 5 lists potential
SIS IO functionality considerations which need to be defined in
Section 7.3 of the SRS.


Table 5 - SIS IO Functionality Requirements

Item / Topic: Design Considerations to be Documented in Philosophy

1. SIS Assignment: State how plant areas are assigned to the various SIS
   systems and describe risk area segregation requirements.
2. Connection of Device IO to SIS: State the philosophy for wiring device IO to
   the SIS, i.e., whether only SIS IO will be connected to the SIS or all IO for
   any device with a SIS function will be wired to the SIS.
3. Segregation of DCS and ESD Outputs: State whether end devices with both an
   ESD stop/close and a DCS stop/close will be implemented with separate DCS and
   ESD digital outputs, or whether the DCS digital output will be data-linked to
   the ESD and a common ESD output used.
Note: Sketches should be provided.

8.2.7.4 SIS Communications (SRS Section 7.4)

Section 7.4 should provide an explanation of the SIS
communication requirements which may affect the SIS
hardware selection and SIS software development. Table 6
lists potential SIS communication considerations which need to
be defined in Section 7.4 of the SRS.

Table 6 - SIS Communications Requirements

Item / Topic: Design Considerations to be Documented in Philosophy

1. DCS/SIS Communications: State requirements regarding which DCS/SIS
   communications need to be via dedicated and separate communication channels
   and which DCS/SIS communications can be via database server points
   (non-peer-to-peer) or common communication channels.
2. Loss of Communications: State the behavior of the SIS on loss of
   communications with the DCS and auxiliary systems.
3. Watchdog Timers: State requirements for use of watchdog timers between ESD,
   DCS and auxiliary systems.
4. Communication Alarms: State requirements for alarms and operator action on
   loss of DCS and SIS communications.
5. Peer-to-Peer Communications: State requirements regarding which SIS/SIS
   communications need to be peer-to-peer, what parameters are to be
   transferred and for what purpose.
6. Communications Protocol: State the communications method and protocol.
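Items 2 to 4 are illustrated by the following added Python example (not part of this Best Practice and not any vendor's implementation): a watchdog held in the SIS that treats a frozen heartbeat counter as lost communications even when the link itself still reports healthy, raises the communication alarm, refuses further writes from the peer, and reverts DCS-sourced parameters such as bypass requests and startup overrides to their fail-safe values. The heartbeat-counter scheme, the 5 s timeout and the parameter names are assumptions; the message sequence is constructed.

```python
"""DCS/SIS heartbeat watchdog and loss-of-communications behaviour
(SABP-Z-076 Table 6, items 2 to 4).

Added illustration, not part of the Best Practice and not any vendor's
implementation. Assumptions: the peer increments a heartbeat counter in a shared
server point about once per second, a counter stale for more than 5 s declares
communications lost, and DCS-sourced parameters revert to their fail-safe values
on loss. The event log in run_constructed_log() is constructed.
"""
from typing import Dict, List, Optional, Tuple


class SisCommsWatchdog:
    """Watchdog held in the SIS for one communication peer (DCS or auxiliary system)."""

    def __init__(self, peer: str, timeout_s: float, fail_safe: Dict[str, float]) -> None:
        self.peer = peer
        self.timeout_s = timeout_s
        self.fail_safe = dict(fail_safe)      # value each DCS-sourced parameter takes on loss
        self.params = dict(fail_safe)         # values currently used by the SIF logic
        self.comms_ok = False                 # unknown until the first heartbeat change
        self.last_counter: Optional[int] = None
        self.last_change_at: Optional[float] = None
        self.alarms: List[str] = []

    def on_heartbeat(self, t: float, counter: int) -> None:
        """Read of the peer's heartbeat counter. Only a change proves the peer is alive:
        a frozen counter on a link that reports 'up' is treated as no message at all."""
        if counter == self.last_counter:
            return
        self.last_counter = counter
        self.last_change_at = t
        if not self.comms_ok:
            self.comms_ok = True
            self.alarms.append(f"{t:5.1f}s {self.peer} communications OK")

    def on_write(self, t: float, name: str, value: float) -> bool:
        """Write from the peer to a DCS-sourced parameter; refused while comms are lost."""
        if name not in self.fail_safe:
            self.alarms.append(f"{t:5.1f}s {self.peer} write to unknown parameter {name} REJECTED")
            return False
        if not self.comms_ok:
            self.alarms.append(f"{t:5.1f}s {self.peer} write {name}={value} REJECTED (comms lost)")
            return False
        self.params[name] = value
        return True

    def scan(self, t: float) -> None:
        """Logic-solver scan: declare loss once the counter has been stale longer than timeout."""
        if not self.comms_ok or self.last_change_at is None:
            return
        stale = t - self.last_change_at
        if stale > self.timeout_s:
            self.comms_ok = False
            self.alarms.append(f"{t:5.1f}s {self.peer} communications LOST (heartbeat stale {stale:.0f}s)")
            # Configured loss-of-comms action: every DCS-sourced parameter reverts to its
            # fail-safe value, so a bypass or override cannot stay in force through a dead link.
            reverted = sorted(k for k, v in self.params.items() if v != self.fail_safe[k])
            self.params = dict(self.fail_safe)
            if reverted:
                self.alarms.append(f"{t:5.1f}s {reverted} reverted to fail-safe; operator action required")


def run_constructed_log() -> Tuple[SisCommsWatchdog, List[bool]]:
    """Constructed sequence: healthy heartbeats, an accepted bypass request, a stalled
    peer whose counter freezes at 3, loss declared, a rejected write, then recovery."""
    wd = SisCommsWatchdog("DCS", timeout_s=5.0,
                          fail_safe={"bypass_request_PT101": 0, "startup_override_U100": 0})
    events = [
        ("hb", 0.0, 0), ("hb", 1.0, 1), ("hb", 2.0, 2),
        ("write", 2.5, "bypass_request_PT101", 1),
        ("hb", 3.0, 3), ("hb", 4.0, 3), ("hb", 5.0, 3), ("hb", 6.0, 3),
        ("hb", 7.0, 3), ("hb", 8.0, 3), ("hb", 9.0, 3),
        ("write", 10.0, "bypass_request_PT101", 1),
        ("hb", 12.0, 4),
        ("write", 13.0, "bypass_request_PT101", 1),
    ]
    write_results: List[bool] = []
    for event in events:
        kind, t = event[0], event[1]
        if kind == "hb":
            wd.on_heartbeat(t, event[2])
        else:
            write_results.append(wd.on_write(t, event[2], event[3]))
        wd.scan(t)                      # one scan per event keeps the example short
    return wd, write_results


if __name__ == "__main__":
    watchdog, results = run_constructed_log()
    print(results, watchdog.params)
    for line in watchdog.alarms:
        print(line)
```

In the constructed log the bypass request written at 2.5 s is accepted, the counter freezes at 3 from 3 s onwards, loss is declared on the 9 s scan (stale for 6 s) and the bypass is cleared, the write at 10 s is rejected, and the write at 13 s is accepted again once the counter moves. A watchdog keyed to the counter rather than to link status is what makes a stalled server or a replayed, unchanging value look like the loss it effectively is.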


8.2.7.5 SIS Faults (SRS Section 7.5)

Section 7.5 should provide an explanation of the SIS fault
considerations which may affect the SIS hardware selection
and SIS software development. Table 7 lists potential SIS fault
considerations which need to be defined in Section 7.5 of the
SRS.

Table 7 - SIS Fault Requirements

Item / Topic: Design Considerations to be Documented in Philosophy

1. SIS Degradation: State the degradation mode for potential SIS faults, the
   limit on how long the system can remain in the degraded state, and the
   action if the time is exceeded, e.g., 3/2/1 or 3/2/0.
2. Download: State the conditions under which a download can be performed,
   i.e., what faults must not exist to perform a download and what types of
   download are only permitted off-line.
3. SIS Fault Alarms: Identify detectable SIS faults, define the alarms that will
   be generated, and describe the system or expected operator action and the
   time limits for correcting each fault.
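Item 1 is illustrated by the following added Python example (not part of this Best Practice and not a vendor's fault manager) for a triplicated logic solver: the policy string gives the healthy-channel counts at which operation may continue ("3/2/0" shuts down on the second channel fault, "3/2/1" continues on one channel), a trailing 0 means shut down to the safe state, and a time limit measured from the first fault forces a trip if the degraded state persists. The 72 h limit and the fault timelines are assumptions constructed for the illustration.

```python
"""Degraded-mode policy for a triplicated (TMR) logic solver (SABP-Z-076 Table 7, item 1).

Added illustration, not part of the Best Practice and not any vendor's fault manager.
Assumptions: the policy string lists the healthy-channel counts at which operation may
continue ("3/2/0" trips on the second channel fault, "3/2/1" continues on one channel),
a trailing 0 means shut down to the safe state, and the allowed time in a degraded state
is measured from the first fault. The fault timelines below are constructed.
"""
from typing import List, Optional, Set

CHANNELS = ("A", "B", "C")


class TmrDegradationMonitor:
    def __init__(self, policy: str, max_degraded_h: float) -> None:
        levels = [int(x) for x in policy.split("/")]
        if levels[0] != len(CHANNELS) or any(a <= b for a, b in zip(levels, levels[1:])):
            raise ValueError(f"policy must descend from 3, e.g. 3/2/0 or 3/2/1, got {policy!r}")
        self.policy = policy
        self.continue_at: Set[int] = {n for n in levels if n > 0}  # healthy counts that keep running
        self.max_degraded_h = max_degraded_h
        self.healthy: Set[str] = set(CHANNELS)
        self.state = "RUN"                                     # RUN, DEGRADED or TRIPPED
        self.degraded_since: Optional[float] = None
        self.log: List[str] = []

    def channel_fault(self, t_h: float, channel: str) -> str:
        """Diagnostics have taken a channel out of the vote."""
        self.healthy.discard(channel)
        self.log.append(f"{t_h:6.1f}h fault on channel {channel}: {len(self.healthy)} healthy")
        return self._evaluate(t_h)

    def channel_repaired(self, t_h: float, channel: str) -> str:
        """A replaced module has re-synchronised and rejoined the vote."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        self.healthy.add(channel)
        self.log.append(f"{t_h:6.1f}h channel {channel} repaired: {len(self.healthy)} healthy")
        return self._evaluate(t_h)

    def scan(self, t_h: float) -> str:
        """Periodic check of the time limit while degraded."""
        if self.state == "DEGRADED" and self.degraded_since is not None:
            elapsed = t_h - self.degraded_since
            if elapsed > self.max_degraded_h:
                return self._trip(t_h, f"degraded for {elapsed:.0f}h > {self.max_degraded_h:.0f}h limit")
        return self.state

    def _trip(self, t_h: float, reason: str) -> str:
        self.state = "TRIPPED"
        self.log.append(f"{t_h:6.1f}h TRIP to safe state: {reason}")
        return self.state

    def _evaluate(self, t_h: float) -> str:
        if self.state == "TRIPPED":
            return self.state        # latched; restoring the SIS is outside this model
        n = len(self.healthy)
        if n == len(CHANNELS):
            self.state, self.degraded_since = "RUN", None
        elif n in self.continue_at:
            if self.degraded_since is None:
                self.degraded_since = t_h           # clock runs from the first fault
            self.state = "DEGRADED"
            self.log.append(f"{t_h:6.1f}h continuing on {n} channel(s) under policy {self.policy}")
        else:
            return self._trip(t_h, f"{n} healthy channel(s) not permitted by policy {self.policy}")
        return self.state


def run_3_2_0() -> TmrDegradationMonitor:
    """3/2/0: first fault tolerated, second fault shuts down."""
    m = TmrDegradationMonitor("3/2/0", max_degraded_h=72.0)
    m.channel_fault(10.0, "A")
    m.scan(50.0)
    m.channel_fault(60.0, "B")
    return m


def run_3_2_1() -> TmrDegradationMonitor:
    """3/2/1: runs on one channel, but the 72 h limit from the FIRST fault still applies."""
    m = TmrDegradationMonitor("3/2/1", max_degraded_h=72.0)
    m.channel_fault(10.0, "A")
    m.channel_fault(60.0, "B")
    m.scan(80.0)                     # 70 h degraded, within limit
    m.scan(83.0)                     # 73 h degraded, trips
    return m


def run_repair() -> TmrDegradationMonitor:
    """Repair within the limit clears the degraded clock."""
    m = TmrDegradationMonitor("3/2/1", max_degraded_h=72.0)
    m.channel_fault(10.0, "A")
    m.channel_repaired(30.0, "A")
    m.scan(200.0)
    return m


if __name__ == "__main__":
    for run in (run_3_2_0, run_3_2_1, run_repair):
        print("\n".join(run().log), end="\n\n")
```

The SRS statement this models is the pair "which fault sequences may the solver ride through" and "for how long"; whether the clock restarts on the second fault or, as assumed here, keeps running from the first is exactly the kind of detail the philosophy statement has to settle, because the two readings give different trip times.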

8.2.7.6 Device Faults (SRS Section 7.6)

Section 7.6 should provide an explanation of the SIS device
fault considerations which will affect the SIS hardware
selection and SIS software development. Table 8 lists potential
SIS device fault considerations which need to be defined in
Section 7.6 of the SRS.

Table 8 - Device Fault Requirements

Item / Topic: Design Considerations to be Documented in Philosophy

1. Transmitter Failure Direction: State the philosophy for failure direction
   for each type of process transmitter.
2. Device Faults: Identify detectable device faults, define the alarms that
   will be generated, and describe the system or expected operator action for
   each detected fault.

8.2.7.7 Operations Interface (SRS Section 7.7)

Section 7.7 should provide an explanation of the SIS Operator
Interface requirements which may affect the SIS hardware
selection and SIS software development. Table 9 lists potential
SIS Operator Interface considerations which need to be defined
in Section 7.7 of the SRS.

Table 9 - SIS Operator Interface Requirements

Item / Topic: Design Considerations to be Documented in Philosophy

1. Pre-Trip Alarms: State requirements for pre-trip alarms.
2. SIS System Alarms: State requirements for SIS status and diagnostic displays.
3. SIF Status Displays: State requirements for SIF status display, e.g.,
   first-outs, startup sequences, permissive displays, isolation confirmation
   display, blowdown permissive display, SIS alarm counters, SIF reset displays,
   operator and maintenance bypass, and SIF failed-to-shutdown alarms.
4. Graphic Display: State process graphic display requirements to indicate
   bypassed and tripped SIFs.

8.2.8 SIF Detail (SRS Section 8)

Section 8 provides the details of each SIF. The following
information is to be provided for each SIF in the SIS. The SRS
should have a SIF detail sheet for each function in the ESD.
The number in parentheses indicates the applicable row and
column in the SIF detail sheet, Table 10.
Note: For non-SIL rated functions some information can be marked
N/A for Not Applicable.
1. SIF Number/SIF Name (1A/1B)
2. Facility/Plant/Unit (2A/B/C)
3. SIF Description (3A) – state the primary action in the form
   "protect the reactor from overpressure by shutting down
   the inlet valves on high pressure". State the secondary action,
   if any, in the same form, e.g., "stop feed pump".
4. Description of hazard being mitigated (4A) – description
   of the hazard, such as fire resulting in injury.
5. Consequence Severity Rating (SIL/EIL/CIL) (5A/B/C) –
   from the LOPA study.
6. Process Safe State (6A) – describe the safe state, such as
   ZV-xx closed and pump GM-xx stopped.
7. Process Safety Time (7A) –The period of time between a
failure occurring in the equipment under control and the

Page 16 of 29
Document Responsibility: Process Control Standards Committee SABP-Z-076
Issue Date: 21 February 2016
Next Planned Update: TBD Guideline for Development of Safety Requirement Specification (SRS)

occurrence of the hazardous event, if the safety function is


not performed
8. Safety Response Time (8A) – time within which the SIF should take the necessary action
9. Demand Rate/Demand Mode (9A/B) – from LOPA initiating event frequencies
10. Initiating Demand (10A) – tag or description of the initiating event which created the demand on the SIS. Note: add additional lines (11A/B/C, 12A/B/C, etc.) for each identified initiating event
11. Risk Measure – from SIL Verification Report
12. Target SIL (21A/B/C) – from SIL Verification Report
13. Achieved SIL (22A/B/C) – from SIL Verification Report
14. Residual Risk PFDavg/RRF (23B/C) – remaining risk after consideration of the SIF
15. Spurious Trip Rate Acceptable/Calculated (23A/B) – calculated rate from SIL Verification
16. SIF Architecture Description (24A) – description of the SIF including voting, diagnostics, etc.
17. SIF Inputs, including tag name, trip point and pre-alarm tag (30A/B/C) – add additional lines as required so each initiator is identified (31A/B/C, 32A/B/C, etc.)
18. SIF Outputs, including tag name, safe state and any special criteria such as tight shutoff (40A/B/C) – add additional lines as required so each initiator is identified (41A/B/C, 42A/B/C, etc.)
19. Action on loss of power to the equipment under control (EUC) (41A)
20. Proof Test Requirements
 • Online Proof Test Interval Sensors (51A/B/C)
 • Offline Proof Test Interval Sensors (52A/B/C)
 • Online Proof Test Interval Logic Solver (53A/B/C)
 • Offline Proof Test Interval Logic Solver (54A/B/C)
 • Online Proof Test Interval Final Element (55A/B/C)
 • Offline Proof Test Interval Final Element (56A/B/C)


21. Activation Method (60A) – de-energize to trip or energize to trip
22. Manual Shutdown Tag and Requirements (61A/B) – identify manual shutdown and indicate associated tags
23. Reset Tag and Requirements (62A/B) – identify reset requirements and indicate associated tag
24. Maintenance Bypass Tag and Requirements (63A/B) – state bypass requirements and indicate associated tags
25. Operation Bypass Tag and Requirements (64A/B) – identify any operational bypass requirements for startup and indicate associated tag
26. Common Cause/Mode Failures (65A/B) – list any common cause/common mode failures unique to this SIF
27. Operator Actions which are considered part of SIF (66A) – list operator actions which are acting as a layer of protection
28. System response to detected (overt) faults (67A) – state response to detected faults
29. Dangerous Output States (68A) – list any output states which may be dangerous
30. High-speed SOER Requirements (69A) – list requirements for high speed SOER
31. First Out Requirements (70A) – list requirements for first outs
32. Specific Software Requirements (71A) – list any special software considerations
33. Modes of operation where SIF is required to function (72A) – identify any special modes where the SIF is required to operate; otherwise the SIF is assumed to be required for all operating modes
34. Reference Documents – add reference document number, revision and sheet
 • HAZOP Report (81A)
 • LOPA Report (82A)
 • P&ID (83A)
 • Cause & Effect (84A)
 • Sequence Logic (85A)


 • Logic Narrative (86A)
 • SIS Logic Printout (87A)
 • Operating Procedures (88A)
 • Maintenance/Test Procedures (89A)
 • IPL List (90A)
 • SIL Verification Report (91A)
 • DCS/ESD Communications Mapping Document (92A)
 • Instrument Specification Sheet (93A)
 • Instrument Calculation Sheet (94A)
 • Instrument Piping Details (95A)
35. Notes (34A) – any unique notes for this SIF, e.g., special software requirements, fireproofing requirements.
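The rows above are filled from several sources (LOPA, the SIL verification report, the design basis in SRS Section 7.1), so a reviewer checks them against each other before sign-off. The following Python script is an added example, not part of SABP-Z-076 or any Saudi Aramco tool: it models one SIF detail sheet and applies the cross-row checks between items 7 and 8 (response time inside the process safety time), 12 and 13 (achieved SIL not below target), 14 (residual risk), 20 (offline proof test intervals against the unit turnaround interval) and 21 (activation method). The SIL bands are the IEC 61508 low-demand PFDavg bands; the strict response-time rule, the requirement that offline proof test intervals be whole multiples of the turnaround interval, and the expression of residual risk as demand rate multiplied by PFDavg are assumptions of this example, as are the SIF tags and values, which are constructed.

```python
"""Consistency checks for one SIF detail sheet (SRS Section 8).

Added example; not part of SABP-Z-076. Field names follow the rows of the SIF
detail sheet. SIL bands are the IEC 61508 low-demand PFDavg bands; the other
rules (response time strictly inside the process safety time, offline proof
tests aligned to the turnaround interval, residual risk = demand rate x PFDavg)
are assumptions of this example.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List

# IEC 61508 low-demand mode: SIL -> (PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_from_pfd(pfd_avg: float) -> int:
    """Map a PFDavg to the SIL band it achieves (0 = does not reach SIL 1)."""
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    if pfd_avg < 1e-5:
        return 4  # no band above SIL 4; anything better than 1e-5 is reported as SIL 4
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd_avg < hi:
            return sil
    return 0


def rrf_from_pfd(pfd_avg: float) -> float:
    """Risk reduction factor is the reciprocal of PFDavg."""
    return 1.0 / pfd_avg


@dataclass
class SifDetail:
    """One SIF detail sheet; comments give the Table 10 row each field fills."""
    sif_number: str                  # row 1A
    sif_name: str                    # row 1B
    process_safety_time_min: float   # row 7, minutes
    safety_response_time_s: float    # row 8, seconds
    demand_rate_per_yr: float        # row 9A, from LOPA
    target_sil: int                  # row 12, from SIL verification
    achieved_pfd_avg: float          # row 13, from SIL verification
    activation_method: str           # row 21: "de-energize" or "energize" to trip
    offline_proof_test_yr: Dict[str, float] = field(default_factory=dict)  # row 20, offline rows


def residual_event_frequency(sif: SifDetail) -> float:
    """Assumed LOPA form of row 14: demand frequency the SIF fails to stop, per year."""
    return sif.demand_rate_per_yr * sif.achieved_pfd_avg


def check_sif(sif: SifDetail, turnaround_interval_yr: float) -> List[str]:
    """Return review findings for the sheet; an empty list means it is consistent."""
    findings: List[str] = []
    pst_s = sif.process_safety_time_min * 60.0
    if sif.safety_response_time_s >= pst_s:
        findings.append(f"{sif.sif_number}: safety response time {sif.safety_response_time_s:g} s "
                        f"is not within the process safety time {pst_s:g} s")
    achieved_sil = sil_from_pfd(sif.achieved_pfd_avg)
    if achieved_sil < sif.target_sil:
        findings.append(f"{sif.sif_number}: achieved SIL {achieved_sil} (PFDavg {sif.achieved_pfd_avg:g}) "
                        f"is below target SIL {sif.target_sil}")
    if sif.activation_method not in ("de-energize", "energize"):
        findings.append(f"{sif.sif_number}: activation method must be de-energize or energize to trip")
    # Offline proof tests need the unit down, so (assumption) each interval must be a
    # whole multiple of the turnaround interval stated in SRS Section 7.1.
    for element, interval in sif.offline_proof_test_yr.items():
        ratio = interval / turnaround_interval_yr
        if interval <= 0 or not math.isclose(ratio, round(ratio)):
            findings.append(f"{sif.sif_number}: offline proof test interval for {element} "
                            f"({interval:g} yr) does not align with the {turnaround_interval_yr:g} yr turnaround")
    return findings


# Constructed sample sheets (illustrative values, not from any real plant).
GOOD_SIF = SifDetail("SIF-101", "Inlet high pressure trip", 10.0, 5.0, 0.1, 2, 5e-3,
                     "de-energize", {"sensors": 4.0, "final elements": 2.0})
BAD_SIF = SifDetail("SIF-102", "Drum low level trip", 0.5, 40.0, 0.1, 3, 5e-3,
                    "energize", {"sensors": 3.0})

if __name__ == "__main__":
    for sif in (GOOD_SIF, BAD_SIF):
        print(sif.sif_number, "residual event frequency %.2e /yr" % residual_event_frequency(sif))
        for finding in check_sif(sif, turnaround_interval_yr=2.0) or ["no findings"]:
            print("  ", finding)
```

Running the script reports no findings for SIF-101 and three for SIF-102: a 40 s response against a 30 s process safety time, an achieved SIL 2 against a target of SIL 3, and a 3 year offline sensor proof test interval that cannot be met with a 2 year turnaround. The same banding function can be reused to fill the Achieved SIL columns of the SIS Summary Table from verified PFDavg values.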

Table 10 - SIF Details

Item | Description | A | B | C
1 | SIF Number/SIF Name | | | -----Not Used-------
2 | Facility/Plant/Unit
3 | SIF Description
4 | Hazard Description
5 | Consequence Severity Rating (SIL/EIL/CIL)
6 | Process Safe State
7 | Process Safety Time (minutes)
8 | Safety Response Time (seconds)
9 | Demand Rate (yr-1)/Demand Mode | | | -----Not Used-------
10 | Demand Initiating Event | Initiating Event Tag | Description | -----Not Used-------
 | | | | -----Not Used-------
 | | | | -----Not Used-------
11 | Risk Targets | SIL | PFDavg | RRF
12 | Required (Target) SIL
13 | Achieved SIL
14 | Residual Risk | EIL | | -----Not Used-------
15 | Spurious Trip Rate (acceptable/calculated) (yr-1) | | | -----Not Used-------
16 | SIF Architecture Description
17 | SIF Inputs (including trip points and pre-alarms) | Input Tag | Trip Point | Pre-Alarm
18 | SIF Outputs (including safe state per output, criteria for successful operation, e.g. any requirements for tight shutoff) | Output Tag | Safe State | Special Criteria
19 | Action on loss of power to equipment under control (EUC)
20 | Proof Test Requirements | Years
 | Online Proof Test Interval – Sensors
 | Offline Proof Test Interval – Sensors
 | Online Proof Test Interval – Logic Solver
 | Offline Proof Test Interval – Logic Solver
 | Online Proof Test Interval – Final Elements
 | Offline Proof Test Interval – Final Elements
21 | Activation Method (Energized vs. De-Energized)
22 | Manual Shutdown Tag and Requirements
23 | Reset Requirements Tag and Requirements
24 | Maintenance Bypass Requirements
25 | Operational Bypass Requirements
26 | Common Cause/Mode Failures
27 | Operator Actions considered as part of SIF
28 | System Response to detected (overt) faults
29 | Dangerous output states of the SIS
30 | Sequence of Events Recording Requirements
31 | First Out Requirements
32 | Specific software requirements
33 | Special Modes of Operation in which the SIF is required to function
34 | Documentation References | Document No./Dwg No./Reference No.
 | HAZOP
 | LOPA
 | P&ID
 | Cause & Effect
 | Sequence Logic
 | Logic Narrative
 | Logic Printout
 | Operating Procedures
 | Maintenance Proof Test Procedures
 | IPL List
 | SIL Verification Report
 | DCS/ESD Communications Mapping
 | Instrument Specification Sheets (ISS)
 | Instrument Calculation Sheets
 | Instrument Piping Details
35 | Notes:

8.3 SRS Development

The details of the SRS will be defined, developed and further refined over the
SIS lifecycle. The SRS should be developed immediately following the Risk
Allocation (SIL Assignment) effort. For this reason the major steps of SRS
development and validation should be included in the project schedule.

Revision Summary
21 February 2016 New Saudi Aramco Best Practice was created for the implementation of Virtual Servers
and Thin Clients for Process Automation Systems.
This best practice has been developed to assure that quality SRS are developed in a
timely manner and used as the basis for SIS design, FAT, installation, commissioning,
validation, operation and maintenance as required by Saudi Aramco and applicable
international standards.


Appendix A - SRS Template

Facility: (facility name)

Plant Number: (plant number)

Plant Description: (plant description)

SIS: (ESD ID)

Safety Requirements Specification Template


1. Approvals and Revision History

This section is used to document sign-off of the final SRS and to track the revisions during
SRS development.

Approvals

Name Organization Signature Date

PMT

Operations

Loss Prevention

P&CSD

Revision History

Revision Description Date

2. Executive Summary

This section contains the SRS Executive Summary; refer to the requirements in SABP-XXX Section 8.2.2.

3. Acronyms

This section defines all acronyms used in the SRS.


4. SIS Summary Table

This section is a summary of all SIFs in the ESD system. The details should be per SABP-XXX Section 8.2.4.

Columns of the SIS Summary Table (left to right):
 SIF Number
 SIF Name
 Safety Integrity Level – Target: SIL, PFD, RRF; Achieved: SIL, PFD, RRF; Residual Risk
 Environmental Integrity Level – Target: EIL, PFD, RRF; Achieved: EIL, PFD, RRF; Residual Risk
 Commercial Integrity Level – Target: CIL, PFD, RRF; Achieved: CIL, PFD, RRF; Residual Risk
 Other SIS
 Status


5. Process Overview

Brief process description addressing requirements of SABP-XXX Section 8.2.5

6. SIS Block Diagram

Block diagram showing the relationship between this ESD and other plant ESD systems,
see SABP-XXX Section 8.2.6.

7. SIS Design Basis

This section documents the SIS general design requirements and design philosophies.
The details of this section are defined in SABP-XXX Section 8.

7.1 General SIS Requirements

SIS General Design Requirements

Selected technology i.e., TMR PES, DMR PES, Relay
SIF Reset Method i.e., software, CR pushbutton, field
Unit Maintenance Turnaround Interval X years
Target Proof Test Interval (off-line) x year
Target Proof Test Interval (on-line) x year
Use of hardwired or software resets x year
BPCS Hardware Product e.g., Honeywell C300
BPCS Software Revision e.g., R14x
SIS Hardware e.g., Honeywell Safety Manager
SIS Software Revision e.g., R15x
Asset Management Hardware AM Product
Asset Management Software Revision Rxxx
Design MTTR Hours
SIS Mission Life Years
Overall Availability Target %
UPS backup time Hrs
SIF Reset Philosophy Hardwired/software
Programming method State programming method to be utilized


7.2 SIS Design Philosophy

Explanation of design philosophies which affect design of SIS. See SABP-XXX Section
8.2.2 Table 4 for topics to be addressed.

7.3 SIS IO Functionality

Explanation of IO functionality that affect SIS hardware design. See SABP-XXX Section
8.2.3 Table 5 for topics to be addressed.

7.4 SIS Communications

Explanation of SIS communications requirements that will affect SIS hardware and
software design. See SABP-XXX Section 8.2.4 Table 6 for topics to be addressed.

7.5 SIS Faults

Explanation of SIS faults which may affect the SIS hardware and software design.
See SABP-XXX Section 8.2.5 Table 7 for topics to be addressed.

7.6 Device Faults

Explanation of SIS device faults which may affect the SIS hardware and software design.
See SABP-XXX Section 8.2.6 Table 8 for topics to be addressed.

7.7 Operator Interface

Explanation of Operator Interface requirements which may affect the SIS hardware and
software design. See SABP-XXX Section 8.2.7 Table 9 for topics to be addressed.


8. SIF Details

Provide details of each SIF per SABP-Z-076, Section 8.2.7.

SIF Detail Template

Item | Description | A | B | C
1 | SIF Number/SIF Name | | | -----Not Used-------
2 | Facility/Plant/Unit
3 | SIF Description
4 | Hazard Description
5 | Consequence Severity Rating (SIL/EIL/CIL)
6 | Process Safe State
7 | Process Safety Time (minutes)
8 | Safety Response Time (seconds)
9 | Demand Rate (yr-1)/Demand Mode | | | -----Not Used-------
10 | Demand Initiating Event | Initiating Event Tag | Description | -----Not Used-------
 | | | | -----Not Used-------
 | | | | -----Not Used-------
11 | Required (Target) SIL/PFDavg/RRF
12 | Achieved SIL/PFDavg/RRF
13 | Residual Risk PFDavg/RRF
14 | Spurious Trip Rate (acceptable/calculated) (yr-1) | | | -----Not Used-------
15 | SIF Architecture Description
16 | SIF Inputs (including trip points and pre-alarms) | Input Tag | Trip Point | Pre-Alarm
17 | SIF Outputs (including safe state per output, criteria for successful operation, e.g. any requirements for tight shutoff) | Output Tag | Safe State | Special Criteria
18 | Action on loss of power to equipment under control (EUC)
19 | Special Modes of Operation in which the SIF is required to function
20 | Documentation References
 | HAZOP
 | LOPA
 | P&ID
 | Cause & Effect
 | Sequence Logic
 | Logic Narrative
 | Logic Printout
 | Operating Procedures
 | Maintenance/Proof Test Procedures
21 | IPL List
22 | SIL Verification Report
23 | DCS/ESD Communications Mapping
24 | Instrument Specification Sheet (ISS)
25 | Notes:

End of SRS


Appendix B - SIF Summary Table

Table 2 - SIS Summary Table

Columns (left to right):
 SIF Number
 SIF Name
 Safety Integrity Level – Target: SIL, PFD, RRF; Achieved: SIL, PFD, RRF; Residual Risk
 Environmental Integrity Level – Target: EIL, PFD, RRF; Achieved: EIL, PFD, RRF; Residual Risk
 Commercial Integrity Level – Target: CIL, PFD, RRF; Achieved: CIL, PFD, RRF; Residual Risk
 Other SIS
 Status

