SAFETY MANUAL - Tuv-fs.com
SAFETY MANUAL - Tuv-fs.com
SAFETY MANUAL - Tuv-fs.com
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>SAFETY</strong> <strong>MANUAL</strong><br />
Where the interaction does not fall within these categories, the affects of incorrect<br />
values and sequences of values shall be considered and measures taken to ensure<br />
that the system will respond safely in the event of erroneous data. Alternatively,<br />
measures may be implemented within the application to ensure the integrity and<br />
validity of the data.<br />
3.11.6 Program Testing<br />
Even with a small number of inputs, it is possible to reach a point where the number<br />
of tests be<strong>com</strong>es unreasonable. Eliminating impossible or unlikely scenarios<br />
should be used to reduce the number of logic path tests that need to be performed.<br />
The selection of what constitutes a scenario that does not require testing can be<br />
performed only after a suitable hazard analysis.<br />
The scenarios should include possible plant conditions, sequences of plant<br />
conditions, system conditions (including partial power conditions, module removal<br />
and fault conditions).<br />
Where it is not possible to define a representative suite of test cases, all<br />
permutations of input conditions, i.e. all possible states on all possible inputs, shall<br />
be exercised. Where the logic includes memory or timing elements, additional<br />
tests shall be defined to exercise all the possible sequences of input permutations<br />
leading to their operation.<br />
All safety-related functions shall be tested and the results of the tests<br />
recorded. The tests shall include the system scan time, fault detection time,<br />
fault reaction time and throughput delay for shutdown logic. The system<br />
scan time, including Peer-to-Peer Communications where appropriate, shall<br />
be less than ½ PST E .<br />
Functional testing of all safety related programs is considered to be 100% if:<br />
• All inputs are exercised through their entire allowable range<br />
• All outputs are exercised through their entire program determined range<br />
• All logic paths are exercised<br />
• All timers have been tested regarding their timing characteristics without<br />
changing timing parameters<br />
• All <strong>com</strong>binatorial permutations of digital signals, with the exception of<br />
100% tested function blocks, are tested, including fault states.<br />
• All <strong>com</strong>binatorial permutations of analogue signals, with the exception of<br />
100% tested function blocks, are tested within the safety accuracy<br />
granularity.<br />
• All timing properties of each safety loop have been verified<br />
3.11.6.1 Cross Reference Checking<br />
While the aim shall be to minimise the coupling and dependencies between<br />
individual programs, there will inevitably be occasions where, for example, a<br />
variable is used within two or more programs. It is important to ensure that any<br />
application program changes that affect these interactions do not jeopardise the<br />
functional safety.<br />
The TMR system Toolset includes two cross-reference check tools. One of these<br />
verifies the source cross-references, the other the <strong>com</strong>piled code cross-references.<br />
Once the application program baseline has been established, these tools<br />
shall be used following application modification. The identified<br />
Doc No P8094 Page 64 of 67<br />
Issue 14 September 2003