PAGE 1 OF 7

Specification of Safety Requirements

(general section)

Description Created Checked Approved

Date
Project: Workshop for specialists

D:\03_Projekte\0905_BMS_Schweden\SRS_general_e, 080813.doc
 Specification of Safety Requirements Page 2 of 7
(general section) Rev.date : XXXXX

1 Aim and scope of document ..................................................................................3

2 Abbreviations / definitions ......................................................................................3

3 Functional safety requirements ..............................................................................4

3.1 Description of the SIFs...........................................................................................4
3.2 Safe state for each SIF ..........................................................................................4
3.3 Response times needed for each SIF....................................................................4
3.4 Alarm and switching points ....................................................................................4
3.5 Criteria for satisfying the SIFs ................................................................................4
3.6 Operational requirements ......................................................................................5
3.7 Interfaces to other operating equipment ................................................................5
3.8 Combination of hazardous initial states .................................................................5
3.9 Ambient conditions.................................................................................................6

4 Requirements of safety integrity.............................................................................7

4.1 SIL to be observed per SIF ....................................................................................7
4.2 Estimated quota of requirements per SIF ..............................................................7
4.3 Requirements of Proof Test Interval T1 .................................................................7
4.4 Mean Time To Repair ............................................................................................7

D:\03_Projekte\0905_BMS_Schweden\SRS_general_e, 080813.doc
 Specification of Safety Requirements Page 3 of 7
(general section) Rev.date : XXXXX

1 Aim and scope of document

This specification describes the safety requirements which are to apply to all safety-
related functions (SIF) within a safety-related system (SIS). Requirements are made of
both the function and the integrity of the safety-related functions. Requirements which are
made specifically of every individual SIF are specified in the document SIL classification.

2 Abbreviations / definitions

T1 Proof Test Interval

MTTR Mean Time To Repair

HFT Hardware Fault Tolerance

SRS Safety Requirement Specification

SIF Safety Instrumented Function

SIS Safety Instrumented System

SIL Safety Integrity Level

ESD Emergency Shutdown System

D:\03_Projekte\0905_BMS_Schweden\SRS_general_e, 080813.doc
 Specification of Safety Requirements Page 4 of 7
(general section) Rev.date : XXXXX

3 Functional safety requirements

3.1 Description of the SIFs

The functional relationships between causes and effects are specified in the document
Cause & Effect Diagram for each SIF.

The functional relationships between the individual SIFs and the process engineering
procedures are depicted in the R&I diagrams.

3.2 Safe state for each SIF

Always note that the de-energized state is also the safe state (de-energized to trip).
Deviations must be specified in the document SIL classification

The safe state of process valves is shown in the R&I diagram (open, closed, blocked).

The relevant safe process state to be achieved by the individual SIFs is described in the
document SIL classification.

3.3 Response times needed for each SIF

The response time is defined as the time between the measurement being recorded and
the actuators achieving safe state.

Unless specified in more detail for the individual SIF, the response time for the individual
sub-systems should not exceed the following values:

Sub-system Response time

Sensor 500 ms (pressure, stationary, flow)

10 s (temperature, analyses)

Logic system 500 ms

Actuator 1s per inch of nominal diameter for valves

1s for electrical deactivation elements (e.g. MCC)

Damping effects or delays are only permitted if specified as safety requirements.

3.4 Alarm and switching points

The relevant alarm and switching points are specified in the document SIL classification

3.5 Criteria for satisfying the SIFs

The requirements for satisfying the safety function which go beyond simply functioning
(e.g. seal integrity requirement, material requirements etc.) are described per SIF in the
document SIL classification.

D:\03_Projekte\0905_BMS_Schweden\SRS_general_e, 080813.doc
 Specification of Safety Requirements Page 5 of 7
(general section) Rev.date : XXXXX

3.6 Operational requirements

Manual shutdown:
Manual shutdown functions should not be provided unless especially noted and classified
as ESD functions

SIF bypass
Bypass functions may only be provided for the following applications:

During a process start or restart

During process states in which the corresponding SIF is not needed (e.g. monitoring
the pilot flame in hot process furnaces)

For test purposes as part of recurrent testing

Only authorized staff may use bypass switches.

The SIS should be configured such that bypasses can be activated in 2 stages. The first
stage is activation of a unit-specific approval switch. The corresponding bypass (override)
can then be set in the second stage. Activation of a bypass must be indicated and logged.
Depending on the process, timing elements should be implemented. These deactivate the
corresponding bypass function after an adjustable time (also refer to the Bypass concept
document).

Reset after shutdown (SIF tripping)

Once an SIF has tripped, the corresponding SIF must be manually acknowledged and
reset for starting up again

3.7 Interfaces to other operating equipment

Logging
Each SIF trip must be logged with a time stamp

Alarming
Each SIF trip must be alarmed with high priority in the process control system

SIS status display

Fault statuses detected must be reported to the operating staff

3.8 Combination of hazardous initial states

The simultaneous tripping of several SIFs must not result in dangerous process states.

The prioritization of individual SIFs can be found in the document SIL classification and
should be noted during software realization.

D:\03_Projekte\0905_BMS_Schweden\SRS_general_e, 080813.doc
 Specification of Safety Requirements Page 6 of 7
(general section) Rev.date : XXXXX

3.9 Ambient conditions

The design of the protective housing and the choice of devices and controls should be
specified for all extreme ambient condition values. If not defined for each specific SIF, the
following parameters should be observed:

Temperature min - 20.0C

max + 40.0C
Humidity Mean relative humidity: 68 %
Max relative humidity: 100 %
Min relative humidity: 7 %
Electro Magnetic EN 61000
Interference/Radio Frequency
Interference (Emi/RFI)
Shock/vibration refer to earthquake classification US-UBC
Electrostatic discharge
Ex- zone classification
Type of protection for housing For outdoor installation min. IP54
For indoor installation min. IP20

D:\03_Projekte\0905_BMS_Schweden\SRS_general_e, 080813.doc
 Specification of Safety Requirements Page 7 of 7
(general section) Rev.date : XXXXX

4 Requirements of safety integrity

4.1 SIL to be observed per SIF

The safety integrity (SIL) to be observed per SIF is specified in the document SIL
classification.

4.2 Estimated quota of requirements per SIF

Unless otherwise noted in the document SIL classification, it is assumed that all safety-
related functions (SIF) are operated in low demand mode, i.e. that the requirement of the
relevant SIF occurs less often than once a year. Since we do not have any precise
statistical values, we must assume the worst case limit value and therefore the
requirement quota of once a year for reliability considerations.

4.3 Requirements of Proof Test Interval T1

The test interval requirement can be optimized as part of the design verification. The
following assumptions serve as initial values:

Test T1

Function test of entire SIF 3 years (facilitys inspection interval)

Test of sensor sub-system 1 year

Test of logic sub-system (validation ) 20 years (system service life)

Test of actuator sub-system 1 year (Partial Stroke Test for valves)

4.4 Mean Time To Repair

In principle, in low demand mode IEC 61508/1511 permits the definition of a MTTR even
for SIFs where HFT=0. However, in such cases an equivalent safety action would then
have to be taken during the repair period and in most cases this would prove difficult. The
following MTTR times therefore apply. Compliance with them should be ensured by
means of organizational measures.

HFT MTTR

HFT = 0 0

(1001, 2002, 3003

architectures)
72 hours
HFT > 0

(1002, 1003, 2003

architectures)

D:\03_Projekte\0905_BMS_Schweden\SRS_general_e, 080813.doc