SAFETY MANUAL - Tuv-fs.com
SAFETY MANUAL - Tuv-fs.com
SAFETY MANUAL - Tuv-fs.com
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>SAFETY</strong> <strong>MANUAL</strong><br />
3.11.4 Application Development<br />
The application program development shall follow a structured approach and follow<br />
the principles defined in para. 2.2.1.5. The stages defined in the following subsections<br />
shall additionally be applied for safety related applications.<br />
3.11.4.1 Partitioning the Application<br />
It is impractical and unnecessary to apply the same degree of rigorous<br />
development and testing to all functions within the Application where some of those<br />
functions are not safety related.<br />
The identification of safety functions is, in part, dependent on the specific safety<br />
philosophy. Examples of non-safety may include status indication, data reporting<br />
and sequence of events. It is important to establish that these elements are not<br />
safety related. For example, some safety cases rely on human intervention and<br />
therefore the correct operation of status indication.<br />
The safety related elements shall be implemented within separate programs<br />
to those of non-safety related elements. Where information passes between<br />
these elements, it shall be arranged that the direction of flow is from safety<br />
relevant to non-safety relevant only.<br />
3.11.4.2 Defensive Measures<br />
In defining the Application the programmer must consider the potential sources of<br />
error and apply reasonable defensive programming techniques. Where values are<br />
received from other programs or external <strong>com</strong>munications interfaces, the validity of<br />
the values should be checked where possible. Similarly, values received from input<br />
interfaces should be checked where possible. In many cases, it will also be<br />
possible to monitor permutations of data, inputs and plant operating modes to<br />
establish the plausibility of the information and program measures to ensure safe<br />
responses in case of implausible conditions.<br />
Safety related functions shall be latched when in their tripped state to<br />
prevent intermittent field faults from removing the trip condition. The<br />
application software shall be written to ensure that safety related functions<br />
are in their safe state during system startup.<br />
3.11.4.3 Testable Blocks<br />
Each safety-related software block shall be 100% testable. A 100% testable block<br />
is the application logic that belongs to one safety function. Such functions could be:<br />
• Burner flame supervision including temperature, air/gas pressure<br />
monitoring, etc.<br />
• Burner gas-to-air ration control/supervision<br />
• Parts or whole of the start-up sequence of a batch reactor<br />
The fewer the number of inputs, outputs and signal paths, the fewer the number of<br />
permutations that require testing. However, a single safety function should not be<br />
split into separate blocks; such a division is likely to lead to the introduction of<br />
errors during maintenance activities.<br />
Doc No P8094 Page 62 of 67<br />
Issue 14 September 2003