On-Line Modification - Allen-Bradley AADvance T9110 Safety Manual

Chapter 4
AADvance Functional Safety System Implementation

On-line Modification

The scenarios should include possible plant conditions, sequences of plant
conditions, and system conditions including partial power conditions, module
removal and fault conditions.
Where it is not possible to define a representative suite of test cases, all
permutations of input conditions, i.e. all possible states on all possible inputs,
shall be exercised. Where the logic includes memory or timing elements,
additional tests shall be defined to exercise all the possible sequences of input
permutations leading to their operation.
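
An added example (not from the Rockwell Automation manual): a Python harness that exercises all permutations of digital inputs, and all sequences of those permutations up to a fixed depth, for logic containing a memory element. The latched 2oo3 trip function, its seeded defect and all names are constructed for illustration.

```python
from itertools import product

def make_trip_logic(reset_priority=False):
    """Sample logic under test (constructed): 2oo3 vote driving a latched trip.
    reset_priority=True seeds a defect where reset overrides an active vote."""
    tripped = False  # the memory element
    def scan(a, b, c, reset):
        nonlocal tripped
        vote = (a and b) or (a and c) or (b and c)
        if reset_priority and reset:
            tripped = False
        elif vote:
            tripped = True
        elif reset:
            tripped = False
        return tripped
    return scan

def required_output(prev, a, b, c, reset):
    """Requirement stated independently of the implementation above."""
    return True if (a + b + c) >= 2 else (prev and not reset)

# All possible states on all possible inputs: 2**4 = 16 permutations.
PERMUTATIONS = list(product((False, True), repeat=4))

def exercise_sequences(depth, **logic_kwargs):
    """Run every sequence of input permutations up to `depth` scans from power-up.
    Returns (sequences_run, failures); a failure is the sequence prefix that diverged."""
    run, failures = 0, []
    for n in range(1, depth + 1):
        for seq in product(PERMUTATIONS, repeat=n):
            scan, prev = make_trip_logic(**logic_kwargs), False
            run += 1
            for i, inputs in enumerate(seq):
                want = required_output(prev, *inputs)
                if scan(*inputs) != want:
                    failures.append(seq[: i + 1])
                    break
                prev = want
    return run, failures

if __name__ == "__main__":
    run, failures = exercise_sequences(depth=3)
    print(f"{run} sequences exercised, {len(failures)} failures")
```

Because the latch has only two states, a depth of 2 already reaches every combination of latch state and input permutation; logic with timers or more state needs a correspondingly deeper sequence search.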
ATTENTION: All safety-related functions shall be tested and the results of
the tests recorded. The tests shall include the system scan time, fault
detection time, fault reaction time and throughput delay for shutdown logic.
The system scan time, including Peer-to-Peer and bindings communications
where appropriate, shall be less than ½ PST.
ATTENTION: Functional testing of all safety-related programs is considered
to be 100% if:
• All inputs are exercised through their entire allowable range
• All outputs are exercised through their entire program-determined range
• All logic paths are exercised
• All timers have been tested regarding their timing characteristics
without changing timing parameters
• All combinatorial permutations of digital signals, with the exception of
100% tested function blocks, are tested, including fault states.
• All combinatorial permutations of analogue signals, with the exception
of 100% tested function blocks, are tested within the safety accuracy
granularity.
• All timing properties of each safety loop have been verified
Cross Reference Checking
While the aim shall be to minimize the coupling and dependencies between
individual programs, there will inevitably be occasions where, for example, a
variable is used within two or more programs. It is important to ensure that any
application program changes that affect these interactions do not jeopardize
the functional safety.
It is highly recommended that on-line changes are not performed unless
absolutely necessary, as they could reduce the safety integrity of the system
while the changes are being made. Where changes have to be carried out on-line,
alternative safety measures must be implemented for the duration of the change
procedure.
Certain modifications can be performed without directly affecting the system's
safety function, for example the physical installation of additional modules.
Rockwell Automation Publication ICSTT-RM446N-EN-P - April 2018
