
Paper 2: Why embrace the concept of the Safety Requirements Specification?

Institute of Measurement and Control – Functional Safety 2016

5

required to manage risk and why, because the future will cause many occasions to ask “why?” and expect the SRS to provide the answers. If specifications (the solution) are not linked to requirements (the process) then how can their importance be judged by others?

Case studies.

To illustrate the above analysis and substantiate the opinions put forward in this paper, the following examples are included.

Case study 1.

Off gas from a scrubber with a vacuum unit is extracted and sent via a network of pipes to a heater or incinerator. The specification required shut-off valves in the gas line to both the heater and incinerator. An over-temperature hazard had been identified whereby hot gas could be drawn back into the scrubber. Therefore, the valves were specified as tight shut-off, and both valves must successfully close to eliminate the hazard. During the device review the requirement for tight shut-off was questioned. Minor leakage of the valves was considered along with the length of pipe, lack of lagging and consequent temperature drop. It was determined that although tight shut-off was an appropriate design feature, it was not a requirement for achieving the safe state for this hazard. Tight shut-off is a significant decision to make: the failure rate is increased, testing almost certainly requires removal, and meeting the SIL target might impose further redundancy requirements. On its own, tight shut-off was a simple requirement, but when considered as a whole safety function the full impact is realised.

Case study 2.

Although the application of IEC 61511 to fire and gas systems is the subject of much debate, this example illustrates a point. The FPSO had a complex system of fire protection systems and associated firewater pumps. The cause-and-effect matrix was the reference for logic solver configuration. Three of the effects were associated with starting the firewater pumps, and an associated note said "pumps will start on demand". On questioning what this note meant, it was clear that a significant layer of complexity was not addressed by the cause-and-effect matrix. After significant discussion a four-page description was agreed regarding overall firewater pump operation and logic solver configuration.

Case study 3.

Tank overfill prevention has gained significant focus since the Buncefield disaster of December 2005. This application involved unloading methanol from a ship to bulk storage tanks onshore, movement of methanol between storage tanks, and movement of methanol to a smaller tank which fed the process units. The specification received stated "on detection of high-level close the inlet valve" for each of the four tanks involved. It is important to only include the minimum measurements and actions required to detect and protect against a