Paper 2: Why embrace the concept of the Safety Requirements Specification?
Institute of Measurement and Control – Functional Safety 2016
6
hazard as over complexity is the enemy of good SIF design. Emerson were
engaged to assist with defining the safety requirements specification and
therefore a discussion on hazard scenarios was conducted in order to fully
understand and document the safety requirements. From these discussions it
was obvious that under certain circumstances tank outlets could become inlets
and therefore primary actions included in the safety function. This requirement
was in the risk assessment, but the significance of what was written there had
not been appreciated until the definition of each safety function was considered
during the SRS activity.
Case study 4.
This example illustrates how a vital piece of information could get forgotten in
the early phases of the project resulting in a high likelihood of failure on
demand of a shutdown valve. The valve in question was identified as a primary
action closing off the gas stream that during operation could reach
temperatures of -40° C. As part of the SRS process, we discuss each primary
measurement and action and specific safety requirements including affects
which might result in a higher probability of failure. Whilst discussing this valve
with the process engineer he suddenly remembered and said
"I must
remember to check they have lagged the valve. If they do, it will never move".
Such a requirement would not be in the valve specification and is a good
example of where the SRS collects crucial safety related requirements.
The problem.
Our experiences regarding SRS content and the above examples could lead to
many observations. To summarise the problem is difficult. However, I conclude
that the main issue here is:
Nobody NEEDS an SRS!
The dilemma is that you can design, build, install, maintain and modify an SIS
without an SRS. We did for many years, which makes the process of
appreciating what an SRS can do for you more difficult.
From supply driven to requirements driven
The mere presence of a dedicated standard for safety instrumented systems
should be enough for us to conclude that functional safety and safety
instrumented systems deserve a unique identity. From an outsider's point of
view there is little difference between a control system and a safety system.
They measure, they make decisions, they take action and they communicate to
operators via a graphical interface. The supply model is equally similar. We
break down the total scope into individual elements based on technology and
supplier. Each one gets a set of documentation sufficient to complete their
supply obligations. The components may be different but the scene is set for
SIS being treated as an extension of the BPCS rather than unique, distinct and
secure.