3/4/16
Copyright © exida.com LLC 2000-2013
Webinar: The Importance of Having a Good Safety Requirements Specification (SRS)
Steve Gandy
Copyright © exida.com LLC 2000-2016
We help our clients improve the safety, security and availability of their automation systems
exida Industry Focus
• Automotive
• Nuclear
• Automation
• Process Industry
Reference Materials
• exida authored most industry references for automation safety and reliability
• exida authored the industry data handbook on equipment failure data
• exida authored the most comprehensive book on functional safety in the market
exida Certification
Products, Personnel, Processes & Procedures
• exida has an independent certification company
• Certifications are completed for cyber-security and functional safety
• exida is accredited by the American National Standards Institute (ANSI)
Steve Gandy CFSP, MBA, DipM, MIET, AMBA
• VP Global Business Development for exida with 38 years industrial experience in safety and controls
• Responsible for exida's end user business
• Certifications
  – CFSP, Certified Functional Safety Professional
• Industry Associations
  – Association of MBAs
  – IET Member
• Publications
  – Author of Managing Risky Projects
  – Author of Conforming to IEC 61511: Operation and Maintenance Requirements
  – Author of Concurrent Engineering: Reducing Time to Market
• Training
  – FSE Trainer
  – Functional Safety for Sales Engineers
  – Management training
SAFETY REQUIREMENTS SPECIFICATION
Industrial Accident Primary Causes
• Specification: 44%
• Design & Implementation: 15%
• Installation & Commissioning: 6%
• Operation & Maintenance: 15%
• Changes after Commissioning: 20%
HSE study of accident causes involving control systems: "Out of Control: Why Control Systems Go Wrong and How to Prevent Failure," U.K.: Sheffield, Health and Safety Executive, 1995 (Ed 2, 2003)
IEC 61511 Safety Lifecycle
Analysis phase (Concept, FEED):
• Process Hazard & Risk Analysis [Clause 8]
• Allocate Safety Function to Protection Layers [Clause 9]
• SIS Safety Requirements Specification [Clauses 10 & 12]
Design & Implement phase (Design & Build, Test, Install, Validate):
• SIS Design and Engineering [Clauses 11 & 12]
• SIS FAT [Clause 13]
• SIS Installation & Commissioning [Clause 14]
• SIS Safety Validation [Clause 15]
Operation phase (Proof Test, Manage):
• SIS Operation & Maintenance [Clause 16]
• SIS Modification [Clause 17]
• SIS Decommissioning [Clause 18]
Spanning all phases:
• Management of Functional Safety and Functional Safety Assessment [Clause 5]
• Safety Lifecycle Structure and Planning [Clause 6.2]
• Verification [Clause 7 & Clause 12.7]
Safety Lifecycle (SLC) Objectives
• Build safer systems that do not experience as many of the problems of the past
• Build more cost effective systems that match design with risk
• Eliminate “weak link” designs that cost much but provide little
• Provide a global framework for consistent designs
Avoid Systematic Faults!
Reduce the potential for Random Faults!
Safety Lifecycle Successes
Source: Refinery, Hydrogen Manufacturing Unit
• 49%: Safety Functions were over-engineered
• 4%: Safety Functions were under-engineered (unsafe)
• 47%: No change
Safety Requirements Specification Definition and Objective
• Definition
  – Specification that contains ALL the requirements of the safety instrumented functions in a safety instrumented system (IEC 61511)
• Objective
  – Specify all SIF/SIS requirements needed for detailed engineering and process safety information purposes
  – Functional Requirements
    • Description of the SIF's functions/actions
    • How it should work
  – Integrity Requirements
    • Specification of the risk reduction and reliability requirements
    • How well it should work
    • How quickly it should work
  – Often a contractual document prepared by one company and executed by another
SLC - Requirements Specification
Inputs to the flow: Process Design – Scope Definition; Event History; Hazard Characteristics; Consequence Database; Application Standards; Failure Probabilities; Tolerable Risk Guidelines
1. Identify Potential Hazards
2. Consequence Analysis
3. Identify Protection Layers
4. Likelihood Analysis (LOPA)
5. SIF Required? (NO: Design of other risk reduction facilities; YES: continue)
6. Select RRF, Target SIL for each SIF
7. Develop Process Safety Specification
Outputs of the flow: Potential Hazards; Hazard Consequences; Layers of Protection; Hazard Frequencies; RRF, Target SILs; Process Safety Information; Safety Requirements Specification
IEC 61511 Stage 1 FSA follows once the Safety Requirements Specification has been developed
SRS – The Source of Knowledge
What the Safety Requirements Specification carries, by lifecycle phase:
• Analysis: Process Information; Hazard Information (Hazard Frequencies, Hazard Consequences); Target SIL; Regulatory Requirements
• Implementation: Functionality; Integrity; System (Hardware & Software; Conceptual & Detailed Design & Validation)
• Operation: Procedures (Operations, Maintenance & Modifications; Information & Revision)
Specification = Communication
• How the Customer explained it
• How it was Sold
• How it was Designed
• How it was Built
• How it was Tested
• How it was Installed
• How it was Maintained
• How it was Documented
• How it was Billed
• What the Customer really needed
The SRS as a Living Document
• The SRS is the 'backbone' not just of the project Implementation & Testing but also a key point of reference during the Operation phase
• The SRS should be constructed in a way that is:
  – Clear: jargon-free so everybody can read it
  – Concise: to-the-point with minimal repetition
  – Complete: all functional, integrity and non-functional requirements covered
  – Consistent: avoid contradicting statements or requirements
• All modifications should be evaluated against the SRS; the better the background information provided, the better informed the change impact assessment
SRS Functional Requirements (I)
• Definition of the safe state
• Process inputs and their trip points
• Process parameter normal operating range
• Process outputs and their actions
• Relationship between inputs and outputs
• Selection of energize-to-trip or de-energize-to-trip
SRS Functional Requirements (II)
• Consideration for manual shutdown
• Consideration for bypass
• Actions on loss of power to the SIS
• Response time requirements for the SIS to bring the process to a safe state
• Response actions for overt fault
• Operator interface requirements
• Reset functions
SRS Integrity Requirements
• The required SIL for each SIF
• Requirements for diagnostics to achieve the required SIL
• Requirements for maintenance and testing to achieve and maintain the required SIL
• Reliability requirements if spurious trips may be hazardous (or costly)
SRS Structure
• General Requirements
  – Requirements common to all SIF
• SIF Requirements
  – Functional Requirements
  – Integrity Requirements
SRS Structure General Requirements Section (I)
• General Requirements
1. All safety instrumented functions (except fire and gas and special cases) shall be designed such that movement of the final element to the safe position will be performed by removing power from the element (i.e., de-energize-to-trip).
2. SIFs that are not de-energize-to-trip will be clearly described as such in that individual SIF's specification. For safety instrumented functions where energize-to-trip is selected, positive means for continuously monitoring circuit integrity shall be employed.
SRS Structure General Requirements Section (II)
3. All safety instrumented functions shall be designed in accordance with the requirements set forth in the following statutes, regulations, and standards. If individual safety functions are to be designed in accordance with other standards than the ones listed below, they shall be clearly described in that safety instrumented function's individual safety requirements specification.
Statutes, Regulations, and Standards:
• IEC 61511 Application of Safety Instrumented Systems for the Process Industries
• 29 CFR 1910.119 Process Safety Management
• 40 CFR 68 Risk Management Planning
SRS Structure General Requirements Section (III)
4. Unless specified otherwise in an individual SIF's logic diagram, the MTTFS (mean time to fail spurious) of a SIF shall not be less than 25 years.
5. Unless specified otherwise for an individual SIF, the response time of a SIF shall not exceed 3 seconds. The maximum response time for each sub-system, operating asynchronously, shall be as shown below.
System | Response Time
Sensor Sub-system | 100 milliseconds
Logic Solver Sub-system | 900 milliseconds
Final Element Sub-system | 2 seconds
SRS Structure SIF Requirements Section
ID: SIF-001
Service: Low Recycle Gas Flow Closes Fuel Gas to Reforming Heaters Dropout Valve
Reference: PID-012
Required SIL: 1
Test Interval: 3 years
Response Time: See General Requirement 5
Activation Method: De-energize-to-Trip (See G.R. 1)
Manual Reset: Required (See G.R. 7)
Safe State:
Nuisance Trip Req's: See General Requirement 4
Diagnostics: None Additional (See G.R. 2)
Manual Shutdown: HS-001 (See G.R. 8)
Regulatory Req's: See General Requirement 3
Notes:
1. Fuel Gas to Reforming Heaters RH-01 and RH-02 is stopped by closing the fuel gas shutoff valve.
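The General Requirements are only useful if every SIF record is actually checked against them, and the "Consistent" property of a good SRS is exactly that check. The following is an added example, not exida's code and not the exSILentia tool: it encodes General Requirements 1, 2, 4 and 5 from the section above as a checker for SIF records. The dataclass field names, the sub-system timings and process safety time given to SIF-001, and the hypothetical bad record SIF-099 are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# General Requirements 4 and 5 as written in the SRS structure example.
MAX_RESPONSE_S = 3.0                        # G.R. 5: SIF response time shall not exceed 3 s
SUBSYSTEM_BUDGET_S: Dict[str, float] = {    # G.R. 5: per-sub-system maxima; they sum to 3.0 s
    "sensor": 0.100,
    "logic_solver": 0.900,
    "final_element": 2.000,
}
MIN_MTTFS_YEARS = 25.0                      # G.R. 4: MTTFS shall not be less than 25 years


@dataclass
class SIF:
    """One SIF requirements record. Field names are this example's, not the page's."""
    sif_id: str
    service: str
    required_sil: int
    safe_state: str
    energize_to_trip: bool = False          # G.R. 1: de-energize-to-trip is the default
    circuit_monitoring: bool = False        # G.R. 2: mandatory when energize-to-trip is selected
    response_time_s: Optional[Dict[str, float]] = None   # estimated time per sub-system
    max_response_s: float = MAX_RESPONSE_S  # "unless specified otherwise for an individual SIF"
    process_safety_time_s: Optional[float] = None
    mttfs_years: Optional[float] = None     # None: the G.R. 4 default applies


def check_sif(sif: SIF) -> List[str]:
    """Return the findings for one record; an empty list means it is consistent."""
    findings: List[str] = []
    tag = sif.sif_id

    if not sif.safe_state.strip():
        findings.append(f"{tag}: safe state is not defined")
    if sif.required_sil not in (1, 2, 3, 4):
        findings.append(f"{tag}: required SIL {sif.required_sil} is not a valid SIL")

    # G.R. 1/2: energize-to-trip is allowed only with continuous circuit-integrity monitoring.
    if sif.energize_to_trip and not sif.circuit_monitoring:
        findings.append(f"{tag}: energize-to-trip selected without continuous "
                        "circuit integrity monitoring (G.R. 2)")

    # G.R. 4: spurious trip performance.
    if sif.mttfs_years is not None and sif.mttfs_years < MIN_MTTFS_YEARS:
        findings.append(f"{tag}: MTTFS {sif.mttfs_years:g} y is below the "
                        f"{MIN_MTTFS_YEARS:g} y minimum (G.R. 4)")

    # G.R. 5: each sub-system within its budget, and the sum within the SIF limit.
    # The sub-systems run asynchronously, so the worst case is the plain sum.
    if sif.response_time_s is not None:
        for name, budget in SUBSYSTEM_BUDGET_S.items():
            t = sif.response_time_s.get(name)
            if t is None:
                findings.append(f"{tag}: no response time given for the {name} sub-system")
            elif t > budget:
                findings.append(f"{tag}: {name} response {t:.3f} s exceeds the "
                                f"{budget:.3f} s budget (G.R. 5)")
        total = sum(sif.response_time_s.values())
        if total > sif.max_response_s:
            findings.append(f"{tag}: total response {total:.3f} s exceeds "
                            f"{sif.max_response_s:g} s (G.R. 5)")
        if sif.process_safety_time_s is not None and total >= sif.process_safety_time_s:
            findings.append(f"{tag}: total response {total:.3f} s is not below the "
                            f"process safety time of {sif.process_safety_time_s:g} s")
    return findings


def check_srs(sifs: List[SIF]) -> List[str]:
    """Check every record plus the one cross-record rule here: SIF identifiers are unique."""
    findings: List[str] = []
    seen = set()
    for s in sifs:
        if s.sif_id in seen:
            findings.append(f"{s.sif_id}: duplicate SIF identifier")
        seen.add(s.sif_id)
        findings.extend(check_sif(s))
    return findings


# Constructed records. SIF-001 follows the card above; its timings and the
# process safety time are assumed. SIF-099 is a hypothetical bad record.
SIF_001 = SIF(
    "SIF-001", "Low Recycle Gas Flow Closes Fuel Gas to Reforming Heaters Dropout Valve",
    required_sil=1,
    safe_state="Fuel gas to RH-01 and RH-02 stopped by closing the fuel gas shutoff valve",
    response_time_s={"sensor": 0.080, "logic_solver": 0.400, "final_element": 1.500},
    process_safety_time_s=10.0,
)
SIF_099 = SIF(
    "SIF-099", "Hypothetical energize-to-trip function",
    required_sil=2, safe_state="", energize_to_trip=True,
    response_time_s={"sensor": 0.050, "logic_solver": 0.300, "final_element": 2.800},
    mttfs_years=12.0,
)

if __name__ == "__main__":
    for finding in check_srs([SIF_001, SIF_099]):
        print(finding)
```

Run as a script it prints five findings for SIF-099 (no safe state, energize-to-trip without monitoring, MTTFS below 25 years, final element over its 2 s budget, and a 3.15 s total over the 3 s limit) and nothing for SIF-001. Each finding cites the General Requirement it comes from, which is what a reviewer of a contractual SRS needs in order to trace a rejection back to the document.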
Logic Description Methods
• Plain Text
  – Strengths – Extremely flexible, no special knowledge required
  – Weaknesses – Time-consuming; transposition to program code difficult and error prone
• Cause-and-Effect Diagrams
  – Strengths – Low level of effort, clear visual representation
  – Weaknesses – Rigid format (some functions cannot be represented with C-E diagrams), can oversimplify
• Binary Logic Diagrams (ISA 5.2)
  – Strengths – More flexible than C-E diagrams, direct transposition to a function block diagram program
  – Weaknesses – Time consuming, knowledge of standard logic representation required
Logic Description Plain Text
• If one of the following conditions occurs
  – Switch BS-01 is de-energized, indicating loss of flame
  – Switch PSL-02 is de-energized, indicating low fuel gas pressure
• Then the main fuel gas flow to the heater is stopped by performing all of the following
  – Closing valves XV-03A and XV-03B
  – Opening valve XV-03C
• The respective valves will be opened and closed by de-energizing the solenoid valve XY-03
Logic Description Cause-and-Effect Diagram
Tag# | Description | SIL | Instrument Range | Trip Point | Units | Close Valve UV-03A | Close Valve UV-03B | Open Valve UV-03C
BS-01 | Burner Loss of Flame | 1 | ~ | 0 | ~ | X | X | X
PSL-02 | Fuel Gas Pressure Low | 1 | ~ | 7 | PSIG | X | X | X
C&E Auto-Generated from exSILentia®
Cause & Effect Matrix generated by exSILentia SRS CE plug-in
Project Identification: Project Name: Example project; Company: exida Client; Project Leader: Iwan van Beurden, CFSE; Project Initiated On: 24-May-13; Project Q13/05-024
Effects (columns 1 to 4): XV-101, XV-102, XV-103, XV-104 – Action: Close; Effect: Off; Engineering Units: N/A
Causes:
Tag Name | Cause Type | EU Low | EU High | Action Limit Value | Engineering Units | Num | Notes
PT-101 | High Trip | 50 | 150 | 125 | PSIG | 1 | 2oo3 majority vote (group voting)
PT-102 | High Trip | 50 | 150 | 125 | PSIG | 2 |
PT-103 | High Trip | 50 | 150 | 125 | PSIG | 3 |
FS-101 | Open Contact | 0 | 1 | 0 | - | 4 |
TT-101 | High Trip | 0 | 100 | 85 | C | 5 |
Legend: V: Voting; GV: Group Voting. The Safety Logic Solver row (AND / VOTE blocks), the V and GV entries and the cause-to-effect marks (●) of the matrix did not survive extraction.
Logic Description Binary Logic Diagram
Field Input → Logic Solver → Field Output
• Field inputs: BS-01 (Energized = 1), PSL-02 (Energized = 1)
• Logic solver: AND (the output stays energized only while both inputs are energized)
• Field outputs (1 = Energized): XV-03A (FC), XV-03B (FC), XV-03C (FO, vent)
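The three descriptions of the same burner trip above (plain text, cause-and-effect table, binary logic diagram) all encode one thing: a matrix of causes, optionally grouped for voting, against effects, evaluated with de-energize-to-trip semantics. The following is an added example, not code from exida or from exSILentia, that evaluates such a matrix and also rejects a matrix that references an effect column or voting group it never defines (the kind of inconsistency the "Consistent" rule is about). Tags follow the plain-text description (XV-03A/B/C; the cause-and-effect table labels the same valves UV-03A/B/C). The second matrix is modelled on the exSILentia table (PT-101/102/103 as a 2oo3 group, FS-101, TT-101); which causes mark which effect columns did not survive extraction, so that mapping, the "deenergized"/"high"/"low" trip-type names and the fail-safe treatment of a missing reading are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cause:
    tag: str
    description: str
    trip_type: str                          # "high", "low" or "deenergized" (assumed names)
    trip_point: Optional[float] = None      # engineering units; unused for "deenergized"
    effects: List[str] = field(default_factory=list)   # effect columns marked X for this cause
    group: Optional[str] = None             # voting group; None means the cause votes 1oo1


@dataclass
class CauseEffectMatrix:
    effects: List[str]                      # effect column headers, e.g. "Close XV-03A"
    causes: List[Cause]
    voting: Dict[str, int] = field(default_factory=dict)   # group name -> M of MooN

    def validate(self) -> None:
        """Reject a matrix that references effects or voting groups it never defines."""
        members: Dict[str, int] = {}
        for c in self.causes:
            for e in c.effects:
                if e not in self.effects:
                    raise ValueError(f"{c.tag}: unknown effect column '{e}'")
            if c.group is not None:
                members[c.group] = members.get(c.group, 0) + 1
        for g, n in members.items():
            m = self.voting.get(g)
            if m is None or not 1 <= m <= n:
                raise ValueError(f"voting group {g}: need 1 <= M <= {n}, got {m}")


def cause_tripped(cause: Cause, reading: Optional[float]) -> bool:
    """True when the cause demands a trip. A missing reading counts as a trip (fail-safe)."""
    if reading is None:
        return True
    if cause.trip_type == "deenergized":    # discrete input: 1 = energized (healthy), 0 = trip
        return not reading
    if cause.trip_type == "high":
        return reading >= cause.trip_point
    if cause.trip_type == "low":
        return reading <= cause.trip_point
    raise ValueError(f"{cause.tag}: unknown trip type {cause.trip_type}")


def evaluate(matrix: CauseEffectMatrix, readings: Dict[str, float]) -> Dict[str, List[str]]:
    """Map every effect to the demands on it; an empty list means 'stay energized'."""
    matrix.validate()
    demands: Dict[str, List[str]] = {e: [] for e in matrix.effects}
    groups: Dict[str, List[Cause]] = {}
    votes: Dict[str, int] = {}
    for c in matrix.causes:
        tripped = cause_tripped(c, readings.get(c.tag))
        if c.group is None:                 # 1oo1: the cause alone drives its effects
            if tripped:
                for e in c.effects:
                    demands[e].append(c.tag)
        else:                               # MooN: count the group's votes first
            groups.setdefault(c.group, []).append(c)
            votes[c.group] = votes.get(c.group, 0) + int(tripped)
    for g, members in groups.items():
        m, n = matrix.voting[g], len(members)
        if votes[g] >= m:
            label = f"{g} ({m}oo{n})"
            for e in matrix.effects:
                if any(e in c.effects for c in members):
                    demands[e].append(label)
    return demands


# Burner trip from the slides: either cause closes XV-03A/B and opens vent XV-03C.
ALL_03 = ["Close XV-03A", "Close XV-03B", "Open XV-03C"]
BURNER_CE = CauseEffectMatrix(effects=ALL_03, causes=[
    Cause("BS-01", "Burner loss of flame", "deenergized", effects=ALL_03),
    Cause("PSL-02", "Fuel gas pressure low", "low", 7.0, effects=ALL_03),
])

# Modelled on the exSILentia matrix; the cause-to-effect marks below are assumed.
PRESSURE_CE = CauseEffectMatrix(
    effects=["Close XV-101", "Close XV-102", "Close XV-103", "Close XV-104"],
    causes=[
        Cause("PT-101", "High pressure", "high", 125.0, ["Close XV-101"], group="GV1"),
        Cause("PT-102", "High pressure", "high", 125.0, ["Close XV-101"], group="GV1"),
        Cause("PT-103", "High pressure", "high", 125.0, ["Close XV-101"], group="GV1"),
        Cause("FS-101", "Flow switch open contact", "deenergized",
              effects=["Close XV-101", "Close XV-102", "Close XV-103"]),
        Cause("TT-101", "High temperature", "high", 85.0, ["Close XV-104"]),
    ],
    voting={"GV1": 2},                      # 2oo3 majority vote
)

if __name__ == "__main__":
    print(evaluate(BURNER_CE, {"BS-01": 1, "PSL-02": 6.5}))
    print(evaluate(PRESSURE_CE, {"PT-101": 130, "PT-102": 128, "PT-103": 100,
                                 "FS-101": 1, "TT-101": 40}))
```

Two behaviours are worth noticing. A single transmitter above 125 PSIG does not trip a 2oo3 group, which is the point of majority voting for spurious-trip performance (General Requirement 4); and a reading that is absent altogether is treated as a demand, which is what de-energize-to-trip gives you for free on a broken wire or a dead transmitter. The tag-name mismatch between the plain-text and tabular descriptions on the page (XV-03x versus UV-03x) is exactly the kind of thing `validate()` would catch if the effect columns were built from one description and the cause rows from the other.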
SRS Summary
• SIS General
  – Non-Functional
  – Regulations & Standards
  – Failure, Start & Restart
  – Interfaces
  – Environmental conditions
• SIF General
  – Maintenance Overrides
  – Manual Shutdown
  – Operating Modes
  – Failure Modes
  – Reset
  – Diagnostics
• SIF Specific
  – Identification
  – Description/Duty/P&ID
  – Safe State
  – Required SIL
  – Proof Test Interval
  – Response Time
  – Architecture Summary
    • Sensor(s)
    • Logic Solver
    • Final Element(s)
  – Mode of Operation
    • Energize or De-energize
    • Demand or Continuous
  – Trip Setting & Logic
  – Spurious Trip Requirements
  – Startup Overrides
  – Special Requirements
exSILentia® – Design SRS
Potential SRS Problems
• Hazard and Risk Analysis was done poorly, providing bad input for the SRS
  – Mis-identification of SIF
  – Incorrect selection of SIL
• Not defining all failure modes and protection requirements
  – Actions of function do not actually achieve safe state
  – Measurement too slow to pick up and prevent accident
• Not defining all operating regimes, start-up, shut-down
• Not defining all environmental conditions
• SRS not maintained (poor revision control)
• Conflicting or missing requirements
  – Safety & Non-Safety actions
Avoiding SRS Problems
• Recommendations to avoid mistakes during specification of system requirements: IEC 61508-2 (Table B.1), IEC 61508-7
  – Project Management – establish organizational model and project specific guidelines/procedures
  – Documentation – clear, concise, complete lifecycle
  – Separation of safety and non-safety functions
  – Structured specification
  – Checklists
  – Semi-formal methods – logic diagrams, sequence diagrams etc. for software
SRS Quality
• The measure of quality for any document, including a SRS, is not the number of pages or the document weight but rather how precisely, quickly, and clearly all required information is passed to the reader
Summary
• Having a clear set of requirements is essential to ensuring an accurate and safe design – reducing systematic issues and reducing random failures
• Avoiding jargon and keeping requirements succinct is key
• Ensuring that all key maintenance personnel understand what each SIF of the SIS is protecting against is highly important
• Defining the target SIL levels with specific RRF (demand mode) will ensure no over or under design
• Understanding the SIF response time is essential for ensuring the process safety time is not exceeded
• Running proof tests according to the SRS is essential to maintain integrity
• Maintaining and updating the SRS as part of MOC is essential
Thank You
QUESTIONS ?