Rockwell Automation AADvance Controller Safety Manual User Manual
Page 97
Document: 553630
ICSTT-RM446K-EN-P Issue: 10
4-41
Communications Interaction
The AADvance system provides a range of communications options to allow
interaction with external systems. Where this communication is used for
reporting (or out-going) communications, there are no specific safety
requirements.
Data received from external equipment that either controls safety-related
functions or affects their operation must be handled with caution. The
Application Program shall handle the received data.
The received data should be limited to interactions which:
Initiate safety operations, i.e. initiate shutdown sequences
Reset signals, with the reset action only possible once the initiating conditions have been removed
Initiate timed start-up override signals which are removed automatically either on expiration of the start period or once the associated signal has stabilized in the normal operating condition
Adjust control parameters within defined safe operational limits, i.e. lowering of trip thresholds.
Where the interaction does not fall within these categories, the effects of
incorrect values and sequences of values shall be considered and measures
taken to ensure that the system will respond safely in the event of erroneous
data. Alternatively, measures may be implemented within the application to
ensure the integrity and validity of the data.
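The following is an added example, not code from the manual or from Rockwell Automation, showing how an Application Program might confine commands received from a non-safety external system to the four interaction categories above and reject everything else. The command names, the trip threshold, its safe operational limits and the maximum override duration are constructed assumptions.

```python
"""Gatekeeper for commands received from a non-safety external system.

Constructed example: the rules follow the four interaction categories in the
manual; the command names, limits and timings below are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SafetyGate:
    # Process state (constructed): a latched trip and its initiating condition
    tripped: bool = False
    trip_cause_present: bool = False
    # Trip threshold and its defined safe operational limits (assumed values)
    trip_threshold: float = 80.0
    threshold_min: float = 50.0
    threshold_max: float = 80.0
    # Timed start-up override: active until this time, never longer than override_max_s
    override_until: Optional[float] = None
    override_max_s: float = 30.0
    # Record of rejected commands for diagnostics (what was sent, why it was refused)
    rejected: List[Tuple[str, float, str]] = field(default_factory=list)

    def handle(self, cmd: str, value: float, now: float) -> bool:
        """Apply one received command; return True if accepted, False if rejected."""
        if cmd == "shutdown":                  # initiates a safety operation: always honoured
            self.tripped = True
            return True
        if cmd == "reset":                     # only once the initiating condition has gone
            if self.trip_cause_present:
                return self._reject(cmd, value, "initiating condition still present")
            self.tripped = False
            return True
        if cmd == "start_override":            # timed and bounded; removed automatically in tick()
            if value <= 0:
                return self._reject(cmd, value, "duration must be positive")
            self.override_until = now + min(value, self.override_max_s)
            return True
        if cmd == "set_trip":                  # only within the defined safe operational limits
            if not (self.threshold_min <= value <= self.threshold_max):
                return self._reject(cmd, value, "outside safe operational limits")
            self.trip_threshold = value
            return True
        # Anything outside the four categories is not acted on at all
        return self._reject(cmd, value, "unknown command")

    def tick(self, now: float, signal_stable: bool) -> None:
        """Called every scan: drop the override on expiry or once the signal has stabilized."""
        if self.override_until is not None and (now >= self.override_until or signal_stable):
            self.override_until = None

    @property
    def override_active(self) -> bool:
        return self.override_until is not None

    def _reject(self, cmd: str, value: float, reason: str) -> bool:
        self.rejected.append((cmd, value, reason))
        return False


if __name__ == "__main__":
    gate = SafetyGate(trip_cause_present=True)
    print("reset while cause present:", gate.handle("reset", 0.0, 0.0))   # False
    print("set_trip 90 (above limit):", gate.handle("set_trip", 90.0, 1.0))  # False
    print("rejected:", gate.rejected)
```

Note that the gate never lets received data raise the threshold above its defined limit or clear a trip whose cause is still present; the received value can only move the system towards, or within, its safe envelope, which is what the manual's categories require.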
Program Testing
Even with a small number of inputs, it is possible to reach a point where the
number of tests becomes unreasonable. Eliminating impossible or unlikely
scenarios reduces the number of logic path tests that need to be performed;
deciding which scenarios do not require testing can be done only after a
suitable hazard analysis.
The scenarios should include possible plant conditions, sequences of plant
conditions, and system conditions including partial power conditions, module
removal and fault conditions.
Where it is not possible to define a representative suite of test cases, all
permutations of input conditions, i.e. all possible states on all possible inputs,
shall be exercised. Where the logic includes memory or timing elements,
additional tests shall be defined to exercise all the possible sequences of input
permutations leading to their operation.
All safety-related functions shall be tested and the results of the tests
recorded. The tests shall include the system scan time, fault detection time,
fault reaction time and throughput delay for shutdown logic. The system scan
time, including Peer-to-Peer and bindings communications where appropriate,
shall be less than ½ PST (half the process safety time).