SAFETY MANUAL - Tuv-fs.com
SAFETY MANUAL

The interaction between the individual software blocks shall be minimised. Where interaction is necessary, it should be kept as simple as possible, for example a single shutdown initiation signal.

Each safety function shall be responsible for the control of the corresponding outputs. Sharing of outputs between functions shall not be permitted.
3.11.4.4 Individual Safety Related Functions

The TMR system IEC1131 TOOLSET allows the definition of up to 250 individual programs within a single project. This facility should be exploited to enable the allocation of individual safety related functions to separate programs. Where such programs contain independent logic paths, these should be investigated to determine if they are separate safety functions. Where they are separate, it is recommended that each be further allocated to its own program, subject to conforming to the recommendation to minimise the coupling between programs.

Cases should be sought that allow the creation of individual logic paths by repeating small sections of logic rather than fanning out the resultant signal(s).
3.11.4.5 Minimise Logic Depth

Where possible, the logic depth should be minimised. This helps reduce visual complexity, simplifies testing, minimises the number of interconnects required and improves program efficiency.

Where there is nested logic, it shall be possible to establish the correct operation of all intermediate logic connections.

The use of memory components, i.e. latches, within the safety function shall be minimised. Similarly, the permutation of conditions that lead to their activation shall be minimised.
3.11.5 Communications Interaction

The TMR system provides a range of communications options to allow interaction with external systems. Where this communication is used for reporting (or outgoing) communications, there are no specific safety requirements.

Data received from external equipment that either controls safety-related functions or affects their operation must be handled with caution. The Application Program shall handle the received data.

The received data should be such that it is limited to interaction which:
• Initiates safety operations, i.e. initiates shutdown sequences
• Resets signals, with the reset action only possible once the initiating conditions have been removed
• Initiates timed start-up override signals which are removed automatically either on expiration of the start period or once the associated signal has stabilised in the normal operating condition
• Adjusts control parameters within defined safe operational limits, i.e. lowering of trip thresholds
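The four permitted interactions listed above, modelled as an added example that is not code from the manual or from the TMR toolset: it is written in Python rather than IEC 61131 Structured Text, and the `SafetyFunction` state, the command dictionaries, the safe-limit bounds and the fixed override period are constructed assumptions. Any command outside the four kinds is rejected, a reset is refused while the initiating condition persists, a threshold change must stay within the defined limits, and the override clears itself on expiry or once the signal has stabilised.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SafetyFunction:
    """Constructed state of one safety function (illustration, not the TMR toolset)."""
    tripped: bool = False                   # shutdown sequence has been initiated
    initiating_condition: bool = False      # condition that caused the trip is still present
    trip_threshold: float = 100.0           # current trip setting, engineering units
    min_threshold: float = 50.0             # lower bound of the defined safe operational limits
    max_threshold: float = 100.0            # commissioned value: remote adjustment may only lower
    override_until: Optional[float] = None  # expiry time (s) of a timed start-up override
    override_period: float = 30.0           # assumed fixed start period in seconds

def handle_received(sf: SafetyFunction, cmd: dict, now: float) -> bool:
    """Apply one command received from external equipment.
    Returns True if accepted, False if rejected; only the four permitted kinds exist."""
    kind = cmd.get("type")
    if kind == "shutdown":                    # initiating a safety operation is always allowed
        sf.tripped = True
        return True
    if kind == "reset":                       # reset only once the initiating condition is gone
        if sf.initiating_condition:
            return False
        sf.tripped = False
        return True
    if kind == "override":                    # timed start-up override, cleared by override_active()
        sf.override_until = now + sf.override_period
        return True
    if kind == "set_threshold":               # parameter change only within the safe limits
        value = cmd.get("value")
        if not isinstance(value, (int, float)) or isinstance(value, bool):
            return False
        if not (sf.min_threshold <= value <= sf.max_threshold):
            return False
        sf.trip_threshold = float(value)
        return True
    return False                              # anything else may not interact with the function

def override_active(sf: SafetyFunction, now: float, signal_stable: bool) -> bool:
    """Evaluate the override each scan; it is removed automatically on expiry
    or once the associated signal has stabilised in the normal operating condition."""
    if sf.override_until is None:
        return False
    if now >= sf.override_until or signal_stable:
        sf.override_until = None
        return False
    return True
```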
Doc Number P8094<br />
Issue 14 September 2003 Page 63 of 67