Rockwell Automation AADvance Controller Safety Manual User Manual
Document: 553630
ICSTT-RM446K-EN-P Issue: 10
Partitioning the Application
It is impractical and unnecessary to apply the same degree of rigorous
development and testing to all functions within the Application where some of
those functions are not safety related.
The identification of safety functions is, in part, dependent on the specific
safety philosophy. Examples of non-safety functions may include status indication, data
reporting and sequence of events. It is important to establish that these
elements are not safety related. For example, some safety cases rely on human
intervention and therefore the correct operation of status indication.
The safety related elements shall be implemented in separate
programs from those of non-safety related elements. Where information passes
between these elements, it shall be arranged that the direction of flow is from
safety relevant to non-safety relevant only.
Defensive Measures
In defining the Application the programmer must consider the potential
sources of error and apply reasonable defensive programming techniques.
Where values are received from other programs or external communications
interfaces, the validity of the values should be checked where possible.
Similarly, values received from input interfaces should be checked where
possible. In many cases, it will also be possible to monitor permutations of
data, inputs and plant operating modes to establish the plausibility of the
information and program measures to ensure safe responses in case of
implausible conditions.
Safety related functions shall be latched when in their tripped state to
prevent intermittent field faults from removing the trip condition. This can be
achieved with the application logic or with measures external to the logic
solver. The application software shall be written to ensure that safety related
functions are in their safe state during system startup.
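The defensive measures above (validity checks on received values, plausibility checks across redundant inputs and plant mode, a trip that latches until a deliberate reset, and a safe state on startup) are easier to reason about as one scan of a single safety function. The following Python model is an added example, not code from this manual or from the AADvance Workbench; the real function would be written in an IEC 61131-3 language on the controller. The transmitter names, setpoints and limits are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed engineering limits for a hypothetical high-pressure trip fed by
# two redundant transmitters PT_A / PT_B (scaled to 0..100 bar). Hypothetical values.
PT_MIN, PT_MAX = 0.0, 100.0   # valid range of a scaled transmitter value
PT_TRIP = 80.0                # high-pressure trip setpoint
PT_DISCREPANCY = 5.0          # maximum allowed disagreement between PT_A and PT_B
PT_STANDING_MAX = 10.0        # pressure above this is not plausible while the pump is stopped


@dataclass
class HighPressureTrip:
    """One safety related function, latched when tripped.

    `tripped` starts True so the function is in its safe state on startup;
    only an explicit reset with every check healthy clears it.
    """
    tripped: bool = True
    reason: str = "startup"

    def scan(self, pt_a, pt_b, quality_a, quality_b, pump_running, reset_request):
        """One logic-solver scan. Returns True when the process is permitted to run."""
        demands = []

        # Validity: quality bit plus range check on each received value.
        for name, value, ok in (("PT_A", pt_a, quality_a), ("PT_B", pt_b, quality_b)):
            if not ok or not (PT_MIN <= value <= PT_MAX):
                demands.append(f"{name} invalid")

        # Plausibility: redundant inputs must agree, and the reading must fit
        # the plant operating mode.
        if abs(pt_a - pt_b) > PT_DISCREPANCY:
            demands.append("PT_A/PT_B discrepancy")
        if not pump_running and max(pt_a, pt_b) > PT_STANDING_MAX:
            demands.append("pressure implausible with pump stopped")

        # The safety demand itself, acting on the more conservative value.
        if max(pt_a, pt_b) >= PT_TRIP:
            demands.append("high pressure")

        if demands:
            # Latch: any demand sets the trip; the first cause is recorded.
            if not self.tripped:
                self.reason = "; ".join(demands)
            self.tripped = True
        elif self.tripped and reset_request:
            # Only a deliberate reset with all checks healthy clears the latch.
            # A field fault that merely goes away does not.
            self.tripped = False
            self.reason = ""

        return not self.tripped


def demo():
    """Walk the function through startup, reset, an intermittent field fault and its clearing."""
    f = HighPressureTrip()
    permits = []
    permits.append(f.scan(50.0, 51.0, True, True, True, False))  # startup: healthy but no reset -> still tripped
    permits.append(f.scan(50.0, 51.0, True, True, True, True))   # operator reset with healthy inputs -> permitted
    permits.append(f.scan(-3.0, 51.0, True, True, True, False))  # PT_A out of range (e.g. broken wire) -> trip
    permits.append(f.scan(50.0, 51.0, True, True, True, False))  # fault clears on its own, no reset -> stays tripped
    return permits


if __name__ == "__main__":
    print(demo())  # [False, True, False, False]
```

The fourth scan is the point of the latch: the field fault has disappeared, yet the trip remains until an operator resets it with all checks healthy. A reset requested while any demand is still present is ignored, and on the very first scan the function is already in its safe state before any input has been evaluated.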
Individual Safety Related Functions
The AADvance Workbench allows the definition of up to 250 individual
programs within a single project. This facility should be exploited to enable the
allocation of individual safety related functions to separate programs. Where
such programs contain independent logic paths, these should be investigated to
determine if they are separate safety functions. Where they are separate, it is
recommended that these be further allocated to their own program, subject to
conforming to the recommendation to minimize the coupling between
programs.
Look for cases where individual logic paths can be created by repeating small
sections of logic rather than fanning out the resultant signal(s).
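Two of the recommendations on this page, that data flows only from safety related to non-safety related programs (Partitioning the Application) and that coupling between the individual programs is kept to a minimum (this section), can be checked mechanically from a list of the project's programs and inter-program variables. The Python below is an added example, not part of this manual or of the AADvance Workbench; the program names, their safety classification and the signals are constructed to show a project with one flow violation.

```python
from collections import defaultdict

# Constructed project: program name -> classification. Not a real AADvance project.
PROGRAMS = {
    "HIPPS_Trip": "safety",
    "ESD_Level1": "safety",
    "Status_Indication": "non-safety",
    "SOE_Reporting": "non-safety",
}

# Constructed inter-program signals as (variable, writer program, reader program).
SIGNALS = [
    ("HIPPS_Tripped", "HIPPS_Trip", "Status_Indication"),
    ("HIPPS_Tripped", "HIPPS_Trip", "SOE_Reporting"),
    ("ESD_Active", "ESD_Level1", "Status_Indication"),
    ("ESD_Active", "ESD_Level1", "HIPPS_Trip"),
    ("Operator_Ack", "Status_Indication", "HIPPS_Trip"),  # non-safety writes into a safety program
]


def flow_violations(programs, signals):
    """Return every signal that carries data from a non-safety program into a safety program.

    The manual allows flow from safety relevant to non-safety relevant only, so any
    such signal is a partitioning error that needs a design change.
    """
    return [
        (var, writer, reader)
        for var, writer, reader in signals
        if programs[writer] == "non-safety" and programs[reader] == "safety"
    ]


def coupling(programs, signals):
    """Count, per program, how many distinct other programs it exchanges data with.

    A high count is a hint that the program bundles several safety functions or
    that signals are fanned out instead of logic being kept local.
    """
    partners = defaultdict(set)
    for _, writer, reader in signals:
        if writer != reader:
            partners[writer].add(reader)
            partners[reader].add(writer)
    return {name: len(partners[name]) for name in programs}


if __name__ == "__main__":
    for var, writer, reader in flow_violations(PROGRAMS, SIGNALS):
        print(f"VIOLATION: {writer} (non-safety) -> {reader} (safety) via {var}")
    for name, count in sorted(coupling(PROGRAMS, SIGNALS).items(), key=lambda kv: -kv[1]):
        print(f"{name}: coupled to {count} program(s)")
```

The violation reported here (an operator acknowledgement produced by the status display and consumed by the trip program) is the typical way the direction rule is broken in practice; the fix is to bring the acknowledgement in as a supervised input to the safety program rather than through the non-safety program. The coupling counts only order the programs for review; the manual gives no numeric threshold.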