D:\03_Projekte\0905_BMS_Schweden\SRS_general_e, 080813.doc
Specification of Safety Requirements Page 2 of 7
(general section) Rev.date : XXXXX
This specification describes the safety requirements that apply to all safety-related
functions (SIF) within a safety-related system (SIS). Requirements are placed on both the
function and the integrity of the safety-related functions. Requirements that apply
specifically to each individual SIF are specified in the document SIL classification.
2 Abbreviations / definitions
The functional relationships between causes and effects are specified in the document
Cause & Effect Diagram for each SIF.
The functional relationships between the individual SIFs and the process engineering
procedures are depicted in the R&I diagrams.
Note that the de-energized state is always the safe state (de-energized to trip).
Deviations must be specified in the document SIL classification.
The safe state of process valves is shown in the R&I diagram (open, closed, blocked).
The relevant safe process state to be achieved by the individual SIFs is described in the
document SIL classification.
The response time is defined as the time between the measurement being recorded and
the actuators achieving the safe state.
Unless specified in more detail for the individual SIF, the response time for the individual
sub-systems should not exceed the following values:
10 s (temperature, analyses)
The relevant alarm and switching points are specified in the document SIL classification.
The requirements for satisfying the safety function which go beyond simply functioning
(e.g. seal integrity requirement, material requirements etc.) are described per SIF in the
document SIL classification.
Manual shutdown:
Manual shutdown functions should not be provided unless specifically noted and classified
as ESD functions.
SIF bypass
Bypass functions may only be provided for the following applications:
During process states in which the corresponding SIF is not needed (e.g. monitoring
the pilot flame in hot process furnaces)
The SIS should be configured such that bypasses can be activated in 2 stages. The first
stage is activation of a unit-specific approval switch. The corresponding bypass (override)
can then be set in the second stage. Activation of a bypass must be indicated and logged.
Depending on the process, timing elements should be implemented. These deactivate the
corresponding bypass function after an adjustable time (also refer to the Bypass concept
document).
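The two-stage bypass scheme described above (unit-specific approval switch first, then the individual override, with mandatory indication, logging and a timing element that clears the bypass after an adjustable time) can be modelled as a small state machine. The following is an added example written for this page, not code from the specification or the project; the class and method names, the deterministic clock and the SIF tag "SIF-01" are assumptions or constructed values.

```python
"""Model of a two-stage SIF bypass (override) with logging and auto-deactivation.
Added example; names, clock interface and tags are assumptions, not the project's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List


class FakeClock:
    """Deterministic time source for the example (a real SIS would use its own clock)."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass(frozen=True)
class BypassEvent:
    """One log record: every approval change and bypass action is time-stamped."""
    time: float
    sif: str      # SIF tag, or "*" for unit-wide events (approval switch)
    action: str   # approval_on / approval_off / bypass_set / bypass_cleared /
                  # bypass_timeout / bypass_rejected


class BypassController:
    """Stage 1: unit-specific approval switch.  Stage 2: per-SIF bypass, accepted only
    while the approval switch is on.  A timing element clears each bypass after its
    adjustable time.  Every action is written to a time-stamped log."""

    def __init__(self, unit: str, bypass_times: Dict[str, float], clock: Callable[[], float]):
        self.unit = unit
        self.bypass_times = dict(bypass_times)   # SIF tag -> adjustable bypass time (s)
        self.clock = clock
        self.approval = False
        self.active: Dict[str, float] = {}       # SIF tag -> time the bypass was set
        self.log: List[BypassEvent] = []

    def _log(self, sif: str, action: str) -> None:
        self.log.append(BypassEvent(self.clock(), sif, action))

    def set_approval(self, on: bool) -> None:
        """Stage 1.  Withdrawing approval does not clear running bypasses here; the
        timing element or an explicit clear does (design assumption of this example)."""
        self.approval = on
        self._log("*", "approval_on" if on else "approval_off")

    def request_bypass(self, sif: str) -> bool:
        """Stage 2.  Rejected (and the rejection logged) unless approval is active."""
        if sif not in self.bypass_times:
            raise KeyError(f"unknown SIF {sif!r} for unit {self.unit}")
        if not self.approval:
            self._log(sif, "bypass_rejected")
            return False
        self.active[sif] = self.clock()
        self._log(sif, "bypass_set")
        return True

    def clear_bypass(self, sif: str) -> None:
        if self.active.pop(sif, None) is not None:
            self._log(sif, "bypass_cleared")

    def tick(self) -> None:
        """Timing element: deactivate bypasses whose adjustable time has expired."""
        now = self.clock()
        for sif, t0 in list(self.active.items()):
            if now - t0 >= self.bypass_times[sif]:
                del self.active[sif]
                self._log(sif, "bypass_timeout")

    def is_bypassed(self, sif: str) -> bool:
        self.tick()
        return sif in self.active

    def indication(self) -> List[str]:
        """What the operator display must show: every currently active bypass."""
        self.tick()
        return sorted(self.active)


def demo() -> List[str]:
    """Walk through the scheme with a constructed SIF tag and a 600 s bypass time."""
    clock = FakeClock()
    ctl = BypassController("UNIT-A", {"SIF-01": 600.0}, clock.now)
    ctl.request_bypass("SIF-01")      # rejected: approval switch not yet activated
    ctl.set_approval(True)            # stage 1
    ctl.request_bypass("SIF-01")      # stage 2: accepted, indicated and logged
    clock.advance(601.0)
    ctl.tick()                        # timing element clears the bypass
    return [e.action for e in ctl.log]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The rejected first request is logged as well as the accepted one, so an attempt to set an override without the approval stage is visible in the record, not silently dropped.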
Logging
Each SIF trip must be logged with a time stamp.
Alarming
Each SIF trip must be alarmed with high priority in the process control system.
The simultaneous tripping of several SIFs must not result in dangerous process states.
The prioritization of individual SIFs can be found in the document SIL classification and
should be noted during software realization.
The design of the protective housing and the choice of devices and controls should be
specified for all extreme ambient condition values. If not defined for each specific SIF, the
following parameters should be observed:
The safety integrity (SIL) to be observed per SIF is specified in the document SIL
classification.
Unless otherwise noted in the document SIL classification, it is assumed that all safety-
related functions (SIF) operate in low demand mode, i.e. that a demand on the relevant
SIF occurs less often than once a year. Since no precise statistical values are available,
the worst-case limit value, a demand rate of once a year, must be assumed for reliability
considerations.
The test interval requirement can be optimized as part of the design verification. The
following assumptions serve as initial values:
Test T1
In principle, in low demand mode IEC 61508/61511 permits an MTTR to be defined even
for SIFs with HFT = 0. However, in such cases an equivalent safety action would have to
be taken during the repair period, and in most cases this would prove difficult. The
following MTTR values therefore apply; compliance with them should be ensured by
means of organizational measures.
HFT        MTTR
HFT = 0    0
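How the low demand mode assumption, the proof test interval T1 and the MTTR enter the reliability consideration for a single-channel (HFT = 0) SIF, as an added worked example that is not part of the specification. The formula used, the simplified IEC 61508-6 approximation for a 1oo1 architecture, PFDavg ≈ λDU · (T1/2 + MTTR), is an assumption of this example; the specification itself states no formula. The SIL bands are those of IEC 61508 for low demand mode. All numeric inputs are constructed sample values.

```python
"""Low demand mode reliability check for a 1oo1 (HFT = 0) SIF.
Added example; the PFDavg approximation and all sample numbers are assumptions."""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low demand mode SIL bands: PFDavg lower bound inclusive, upper bound exclusive.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def check_low_demand(demands_per_year: float) -> None:
    """Low demand mode requires a demand rate of at most once per year; above that the
    PFDavg measure (and this whole calculation) does not apply and PFH is used instead."""
    if demands_per_year > 1.0:
        raise ValueError("demand rate exceeds 1/year: not low demand mode, PFDavg does not apply")


def pfd_avg_1oo1(lambda_du_per_hour: float, t1_hours: float, mttr_hours: float = 0.0) -> float:
    """Simplified IEC 61508-6 approximation for a single channel (assumption):
    PFDavg ~= lambda_DU * (T1/2 + MTTR)."""
    if lambda_du_per_hour < 0 or t1_hours <= 0 or mttr_hours < 0:
        raise ValueError("lambda_DU and MTTR must be >= 0, T1 must be > 0")
    return lambda_du_per_hour * (t1_hours / 2.0 + mttr_hours)


def sil_for_pfd(pfd: float) -> int:
    """SIL band achieved by a PFDavg value; 0 if the value does not reach SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_BANDS[sil][1]:
            return sil
    return 0


def max_test_interval_hours(lambda_du_per_hour: float, target_sil: int, mttr_hours: float = 0.0) -> float:
    """T1 at which PFDavg reaches the upper limit of the target SIL band.  Because the
    upper limit is exclusive, the test interval chosen in design verification must lie
    below this value."""
    _, limit = SIL_BANDS[target_sil]
    t1 = 2.0 * (limit / lambda_du_per_hour - mttr_hours)
    if t1 <= 0:
        raise ValueError("target SIL not reachable with this MTTR even with continuous testing")
    return t1


def design_verification(lambda_du_per_hour: float, t1_hours: float,
                        mttr_hours: float, demands_per_year: float) -> dict:
    """Combine the checks: confirm low demand mode, then compute PFDavg and the SIL met."""
    check_low_demand(demands_per_year)
    pfd = pfd_avg_1oo1(lambda_du_per_hour, t1_hours, mttr_hours)
    return {"pfd_avg": pfd, "sil": sil_for_pfd(pfd)}


if __name__ == "__main__":
    # Constructed sample: lambda_DU = 1e-6 /h, annual proof test, MTTR = 0 (HFT = 0 row
    # of the table above), worst-case demand rate of once a year.
    result = design_verification(1e-6, HOURS_PER_YEAR, 0.0, 1.0)
    print("PFDavg with annual test:", result["pfd_avg"], "-> SIL", result["sil"])
    print("T1 limit for SIL 3 at MTTR 0 h:", max_test_interval_hours(1e-6, 3, 0.0), "h")
    print("T1 limit for SIL 3 at MTTR 8 h:", max_test_interval_hours(1e-6, 3, 8.0), "h")
```

With the constructed λDU an annual proof test lands in the SIL 2 band, and reaching SIL 3 requires T1 below about 2000 h; allowing an MTTR of 8 h instead of 0 h shortens that limit by 16 h, which shows why the table above sets MTTR to 0 for HFT = 0 unless an equivalent safety action covers the repair period.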