Webinar The Importance of having a good SRS - exida · Hazard Characteristics ... The SRS as a Living Document • The SRS is the ‘backbone’ not just of the project ... Webinar

3/4/16

Copyright©exida.comLLC2000-2013 1

Webinar : The Importance Of Having A Good Safety

Requirements Specification (SRS)

Steve Gandy

Copyright © exida.com LLC 2000-2016

We help our clients improve the safety, security and availability of their automation systems

2 Copyright © exida.com LLC 2000-2016

3/4/16


exida Industry Focus

Automotive Nuclear

Automation Process Industry

Copyright © exida.com LLC 2000-2016 3

  exidaauthoredmostindustryreferencesforautoma=onsafetyandreliability

  exidaauthoredindustrydatahandbookonequipmentfailuredata

  exidaauthoredthemostcomprehensivebookonfunc=onalsafetyinthemarket

Reference Materials


3/4/16


exida Certification

Products,Personnel,Processes&Procedures§  exidahasanindependentcer=fica=oncompany§  Cer=fica=onsarecompletedforcyber-securityandfunc=onalsafety§  exidaisaccreditedbyAmericanNa=onalStandardsIns=tute(ANSI)


6

Steve Gandy CFSP, MBA, DipM, MIET, AMBA

•  VP Global Business Development for exida with 38 years industrial experience in safety and controls

•  Responsible for exida’s end user business •  Certifications

–  CFSP, Certified Functional Safety Professional •  Industry Associations

–  Association of MBAs –  IET Member

•  Publications –  Author of Managing Risky Projects –  Author of Conforming to IEC 61511: Operation and Maintenance Requirements –  Author of Concurrent Engineering: Reducing Time to Market

•  Training –  FSE Trainer –  Functional Safety for Sales Engineers –  Management training


3/4/16


SAFETY REQUIREMENTS SPECIFICATION



Industrial Accident Primary Causes

Specifica)on 44%

Design&Implementa)on

15%Installa)on&Commissioning

6%Opera)on&Maintenance

15%

Changesa>erCommissioning

20%

HSEstudyofaccidentcausesinvolvingcontrolsystems:

“OutofControl:WhyControlSystemsgoWrongandHowtoPreventFailure,”U.K.:Sheffield,HealthandSafetyExecu=ve,1995(Ed2,2003)

3/4/16


Test

Install

Validate

Feed

Concept

IEC 61511 Safety Lifecycle


Management of Functional

Safety and

Functional Safety

Assessment

Clause 5

Safety Lifecycle Structure

and Planning

Clause 6.2

Allocate Safety Function to Protection Layers [Clause 9]

Verification

Clause 7 &

Clause 12.7

SIS Safety Requirements Specification [Clauses 10 & 12]

Process Hazard & Risk Analysis [Clause 8]

SIS Design and Engineering [Clauses 11 & 12]

SIS Installation & Commissioning [Clause 14]

SIS Operation & Maintenance [Clause 16]

SIS Safety Validation [Clause 15]

SIS Modification [Clause 17]

SIS Decommissioning [Clause 18]

SIS FAT [Clause 13]

Manage

Proof Test

Design & Build

Anal

ysis

De

sign

& Im

plem

ent

Ope

ratio

n

Safety Lifecycle (SLC) Objectives

•  Build safer systems that do not experience as many of the problems of the past

•  Build more cost effective systems that match design with risk

•  Eliminate “weak link” designs that cost much but provide little

•  Provide a global framework for consistent designs


Avoid Systematic Faults!

Reduce the potential for Random Faults!

3/4/16


Safety Lifecycle Successes

•  49%: Safety Functions were over-engineered •  4%: Safety Functions were under-engineered (unsafe) •  47%: No change


47%

49%

4%

Refinery: Hydrogen Manufacturing Unit Source

Safety Requirements Specification Definition and Objective

•  Definition –  Specification that contains ALL the requirements of the safety instrumented

functions in a safety instrumented system (IEC 61511)

•  Objective –  Specify all SIF/SIS requirements needed for detailed engineering and

process safety information purposes –  Functional Requirements

•  Description of the SIF’s functions/actions •  How it should work

–  Integrity Requirements •  Specification of the risk reduction and reliability requirements •  How well it should work •  How quickly it should work

–  Often a contractual document prepared by one company and executed by another


3/4/16


SLC - Requirements Specification


Process Design – Scope Definition

Event History

SIF Required?

Application Standards

Hazard Characteristics

Consequence Database

Failure Probabilities

Identify Potential Hazards

Consequence Analysis

Identify Protection Layers

Likelihood Analysis (LOPA)

Select RRF, Target SIL for each SIF

Develop Process Safety Specification

Tolerable Risk Guidelines

Potential Hazards

Process Safety Information

Hazard Consequences

Layers of Protection

Hazard Frequencies

RRF, Target SILs

Safety Requirements Specification

Design of other risk reduction facilities

NO

YES

IEC 61511 Stage 1 FSA

1.

2.

3.

4.

5.

6.

7.

SRS – The Source of Knowledge


Safety Requirements Specification

Process Information

Functionality

Integrity

System

Procedures

Hazard Information

Hazard Frequencies

Hazard Consequences

Target SIL

Regulatory Requirements

Information & Revision

Operations, Maintenance,

& Modifications

Hardware & Software

Conceptual & Detailed Design

& Validation

Analysis Implementation Operation

3/4/16


Specification = Communication


How the Customer

explained it

How it was Sold

How it was Designed

How it was Built

How it was Tested

What the Customer

really needed

How it was Maintained

How it was Billed

How it was Installed

How it was Documented

The SRS as a Living Document •  The SRS is the ‘backbone’ not just of the project Implementation

& Testing but also a key point of reference during the Operation phase

•  The SRS should be constructed in a way that is: –  Clear

•  Jargon-free so everybody can read it –  Concise

•  To-the-point with minimal repetition –  Complete

•  All functional, integrity and non-functional requirements covered –  Consistent

•  Avoid contradicting statements or requirements •  All modifications should be evaluated against the SRS, the better

the background information provided, the better informed the change impact assessment


3/4/16


SRS Functional Requirements (I)

•  Definition of the safe state •  Process Inputs and their trip points •  Process parameter normal operating range •  Process outputs and their actions •  Relationship between inputs and outputs •  Selection of energize-to-trip or de-energize-

to-trip


SRS Functional Requirements (II)

•  Consideration for manual shutdown •  Consideration for bypass •  Actions on loss of power to the SIS •  Response time requirements for the SIS to

bring the process to a safe state •  Response actions for overt fault •  Operator Interface requirements •  Reset functions


3/4/16


SRS Integrity Requirements

•  The required SIL for each SIF •  Requirements for diagnostics to achieve the

required SIL •  Requirements for maintenance and testing

to achieve and maintain the required SIL •  Reliability requirements if spurious trips may

be hazardous (or costly)


SRS Structure

•  General Requirements – Requirements common to all SIF

•  SIF Requirements – Functional Requirements –  Integrity Requirements


3/4/16


SRS Structure General Requirements Section (I)

•  General Requirements 1.  All safety instrumented functions (except fire and gas

and special cases) shall be designed such that movement of the final element to the safe position will be performed by removing power from the element (i.e., de-energize-to-trip).

2.  SIFs that are not de-energize-to-trip will be clearly described as such in that individual SIF’s specification. For safety instrumented functions where energize-to-trip is selected, positive means for continuously monitoring circuit integrity shall be employed.


SRS Structure General Requirements Section (II)

3.  All safety instrumented functions shall be designed in accordance with the requirements set forth in the following statutes, regulations, and standards. If individual safety functions are to be designed in accordance with other standards than the ones listed below, they shall be clearly described in that safety instrumented function’s individual safety requirements specifications. Statutes, Regulations, and Standards •  IEC 61511 Application of Safety Instrumented

Systems for the Process Industries

•  29 CFR 1910.119 Process Safety Management •  40 CFR 68 Risk Management Planning


3/4/16


SRS Structure General Requirements Section (III)

4.  Unless specified otherwise in an individual SIF’s logic diagram, the MTTFS of a SIF shall not be less than 25 years.

5.  Unless specified otherwise for an individual SIF, the response time of a SIF shall not exceed 3 seconds. The maximum response time for each sub-system, operating asynchronously, shall be as shown below. System Response Time •  Sensor Sub-system 100 milliseconds •  Logic Solver Sub-system 900 milliseconds •  Final Element Sub-system 2 second


SRS Structure SIF Requirements Section


ID: SIF-001 Service: Reference: PID-012

Required SIL: 1

Test Interval: 3 years

Response Time: See General Requirement 5

Activation Method: Deenergize-to-Trip (See G.R. 1)

Low Recycle Gas Flow Closes Fuel Gas to Reforming Heaters Dropout Valve

Manual Reset: Required (See G. R. 7) Safe State: Nuisance Trip Req’s: See General Requirement 4

Diagnostics: None Additional (See G.R. 2)

Manual Shutdown: HS-001 (See G. R. 8)

Regulatory Req’s: See General Requirement 3

Notes: 1

Fuel Gas to Reforming Heaters RH-01 and RH-02 is stopped by closing the fuel gas shutoff valve.

3/4/16


Logic Description Methods •  Plain Text

–  Strengths – Extremely flexible, No special knowledge req’d –  Weaknesses – Time-consuming, transposition to program

code difficult and error prone •  Cause-and-Effect Diagrams

–  Strengths – Low level of effort, clear visual representation –  Weaknesses – Rigid format (some functions can not be

represented w/ C-E diagrams), can oversimplify •  Binary Logic Diagrams (ISA 5.2)

–  Strengths – More flexible than C-E diagrams, direct transposition to a function block diagram program

–  Weaknesses – Time consuming, knowledge of standard logic representation required


Logic Description Plain Text

•  If one of the following conditions occurs –  Switch BS-01 is de-energized, indicating loss of flame –  Switch PSL-02 is de-energized, indicating low fuel gas

pressure •  Then the main fuel gas flow to the heater is stopped

by performing all of the following –  Closing valves XV-03A and XV-03B –  Opening valve XV-03C

•  The respective valves will be opened and closed by de-energizing the solenoid valve XY-03


3/4/16


Logic Description Cause-and-Effect Diagram


Tag# Description SIL

InstrumentR

ange

TripPoint

Units

CLOSEVALVEUV-03

A

CLOSEVALVEUV-03

B

OPENS

VALVEUV-03

C

BS-01 BurnerLossofFlame ~ 0 ~ X X XPSL-02 FuelGasPressureLow ~ 7 PSIG X X X

1

C&E Auto-Generated from exSILentia®


Cause&EffectMatrixgeneratedbyexSILentiaSRSCEplug-in

Engine

eringUnits

N/A

N/A

Actio

n

Close

Close

Close

Close

Effect

Off

Off

TagNam

e

XV-101

XV-102

XV-103

XV-104

VGV

LS TagName Cause Type EULow EUHigh Action LimitValue EngineeringUnits V GV Num 1 2 3 4 NotesPT-101 HighTrip 50 150 125 PSIG 1 ● 32oo3majorityvote

PT-102 HighTrip 50 150 125 PSIG 2 ●PT-103 HighTrip 50 150 125 PSIG 3 ●FS-101 OpenContact 0 1 0 - 4 ● ● ●TT-101 HighTrip 0 100 85 C 5 ●

AND

-

-

-

- -SafetyLo

gic

Solver VO

TE 3

-

-

-

- -

GV:GroupVoting

ProjectDescription:

ProjectIdentification:ProjectName:Company:ProjectLeader:ProjectInitiatedOn: 24-May-13

Q13/05-024Project

IwanvanBeurden,CFSE-exidaClient

V:Voting

Exampleproject

3/4/16


Field Input

Logic Description Binary Logic Diagram


BS 01

PSL 01

AND

Energized=1

Energized=1

1=Energized s FC

FC

FO

XV 03C

XV 03B

XV 03A

Vent PSL 02

Field Output Logic Solver

SRS Summary •  SIS General

–  Non-Functional –  Regulations & Standards –  Failure, Start & Restart –  Interfaces –  Environmental conditions

•  SIF General –  Maintenance Overrides –  Manual Shutdown –  Operating Modes –  Failure Modes –  Reset –  Diagnostics

•  SIF Specific –  Identification –  Description/Duty/P&ID –  Safe State –  Required SIL –  Proof Test Interval –  Response Time –  Architecture Summary

•  Sensor(s) •  Logic Solver •  Final Element(s)

–  Mode of Operation •  Energize or Deenergize •  Demand or Continuous

–  Trip Setting & Logic –  Spurious Trip Requirements –  Startup Overrides –  Special Requirements


3/4/16


exSILentia® – Design SRS


Potential SRS Problems •  Hazard and Risk Analysis was done poorly, providing bad input for

the SRS –  Mis-identification of SIF –  Incorrect selection of SIL

•  Not defining all failure modes and protection requirements –  Actions of function do not actually achieve safe state. –  Measurement too slow to pick-up and prevent accident

•  Not defining all operating regimes, start-up, shut-down •  Not defining all environmental conditions •  SRS not maintained (poor revision control) •  Conflicting or missing requirements

–  Safety & Non-Safety actions


3/4/16


Avoiding SRS Problems •  Recommendations to avoid mistakes during

specification of system requirements IEC61508-2 (Table B.1), IEC61508-7 – Project Management – establish organizational

model and project specific guidelines/procedures – Documentation – clear, concise, complete lifecycle –  Separation of safety and non-safety functions –  Structured specification – Checklists –  Semi-formal methods – logic diagrams, sequence

diagrams etc. for software


SRS Quality

•  The measure of quality for any document, including a SRS, is not the number of pages or the document weight but rather how precisely, quickly, and clearly all required information is passed to the reader


3/4/16


Summary •  Having a clear set of requirements is essential to ensuring an

accurate and safe design – reducing systematic issues and reducing random failures

•  Avoiding jargon and keeping requirements succinct is key •  Ensuring that all key maintenance personnel understand what

each SIF of the SIS is protecting against is highly important •  Defining the target SIL levels with specific RRF (demand mode)

will ensure no over or under design •  Understanding the SIF response time is essential for ensuring the

process safety time is not exceeded •  Running proof tests according to the SRS is essential to maintain

integrity •  Maintaining and updating the SRS as part of MOC is essential



Thank You

QUESTIONS ?

[email protected]

Documents

Webinar The Importance of having a good SRS - exida · Hazard Characteristics ... The SRS as a Living Document • The SRS is the ‘backbone’ not just of the project ... Webinar