AADvance Safety Manual - Tuv-fs.com

More documents

Recommendations

Info

AADvance Safety ManualTest MethodEach function to be tested shall be placed within an application test harness using theAADvance tool set that exercises its capabilities. The implementation of this harnessshall be such that the function block is exercised automatically, so that the test isrepeatable.As a minimum each test harness shall include all of the following: The function block under test An alternative implementation of the function block A function generator, to generate the stimuli for the function under test Main and alternative comparison Pass/Fail Flag A test results register, that records the functionality of the function blockWhere practical, and with the exception of time, results of the test shall beautomatically recorded and should not require a human to count or record dynamicdata.The alternative implementation of the function being tested shall be performed usingfeatures of the tool set that are as diverse as possible from the actual function block.For example an Or gate can be simulated by counting the number of inputs set to alogical 1 and determining that the count is greater than or equal to 1.The function generator shall be as simple as possible and shall not contain the functionunder test.The results of the alternative implementation shall be compared with the results of thefunction under test; discrepancies shall cause a 'main and alternative comparison failflag' to be set.The registration of test results should be as detailed as possible and use as manypredictable features as possible.ExampleA two-input logical Or gate stimulated by the two lower bits of a 16-bit counter willrecord 32768 logical high states if the counter is allowed to make one complete upcount from 0 to 65536. The results register would count these states and present anumber to the human operator. In this case the results register should also record thatno two consecutive states of the counter caused a logical 1 at the output of the gate.5-28 Document number 553630 Issue 7: February 2010
Chapter 5 AADvance Functional Safety SystemImplementationPartitioning the ApplicationIt is impractical and unnecessary to apply the same degree of rigorous developmentand testing to all functions within the Application where some of those functions arenot safety related.The identification of safety functions is, in part, dependent on the specific safetyphilosophy. Examples of non-safety may include status indication, data reporting andsequence of events. It is important to establish that these elements are not safetyrelated. For example, some safety cases rely on human intervention and therefore thecorrect operation of status indication.Defensive MeasuresThe safety related elements shall be implemented within separate programs tothose of non-safety related elements. Where information passes between theseelements, it shall be arranged that the direction of flow is from safety relevant to nonsafetyrelevant only.In defining the Application the programmer must consider the potential sources oferror and apply reasonable defensive programming techniques. Where values arereceived from other programs or external communications interfaces, the validity ofthe values should be checked where possible. Similarly, values received from inputinterfaces should be checked where possible. In many cases, it will also be possible tomonitor permutations of data, inputs and plant operating modes to establish theplausibility of the information and program measures to ensure safe responses in caseof implausible conditions.Testable BlocksSafety related functions shall be latched when in their tripped state to preventintermittent field faults from removing the trip condition. The application softwareshall be written to ensure that safety related functions are in their safe state duringsystem startup.Each safety-related software block shall be 100% testable, such functions could be: Burner flame supervision including temperature and air/gas pressure monitoring Burner gas-to-air ratio control/supervision Parts or whole of the start-up sequence of a batch reactorThe fewer the number of inputs, outputs and signal paths, the fewer the number ofpermutations that require testing. However, a single safety function should not be splitinto separate blocks; such a division is likely to lead to the introduction of errorsduring maintenance activities.The interaction between the individual software blocks shall be minimized. Whereinteraction is necessary, it should be kept as simple as possible, for example a singleshutdown initiation signal.Document number 553630 Issue 7: February 2010 5-29
Page 1 and 2:
ICS TriplexAADvance Safety ManualIS
Page 3 and 4:
Issue RecordIssueNumberDateRevisedb
Page 5 and 6:
ForewordThis technical manual defin
Page 7 and 8:
ContentsChapter 1 Introduction ....
Page 11 and 12:
IntroductionChapter 1This chapter p
Page 13 and 14:
Chapter 1 IntroductionAssociated Do
Page 15 and 16:
The AADvance SystemChapter 2.An AAD
Page 17 and 18:
Chapter 2 The AADvance SystemThe AA
Page 19 and 20:
Functional Safety ManagementChapter
Page 21 and 22: Chapter 3 Functional Safety Managem
Page 31 and 32: AADvance System ArchitecturesChapte
Page 33 and 34: Chapter 4 AADvance System Architect
Page 45 and 46: Chapter 5AADvance Functional Safety
Page 47 and 48: Chapter 5 AADvance Functional Safet
Page 71: Chapter 5 AADvance Functional Safet
Page 83 and 84: ChecklistsChapter 6This chapter con
Page 85 and 86: Chapter 6 ChecklistsEngineering Che
Page 87 and 88: Chapter 6 ChecklistsInput/Output Mo
Page 89 and 90: Chapter 6 Glossary of TermsGlossary
Page 91 and 92: Chapter 6 Glossary of Termscoverage
Page 93 and 94: Chapter 6 Glossary of TermsIEC 6150
Page 95 and 96: Chapter 6 Glossary of Termsprogram
Page 97: Chapter 6 Glossary of Termsvoting s
show all

AADvance Safety Manual - Tuv-fs.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?