Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 43 of 103

3.11.3.5 Test Results Register

Each harness shall include registers that record the functionality of the function block.
This registration should be as comprehensive as possible and should utilise as many
predictable features as possible.

For example, a 2-input logical “Or Gate” stimulated by the two lower bits of a 16-bit
counter will record 32768 logical high states if the counter is allowed to make one
complete up count from 0 to 65536. The results register would count these states and
present a number to the human operator. In this case the results register should also
record that no two consecutive states of the counter caused a logical “1” at the output
of the Gate.

3.11.3.6 Test Coverage

Where possible, all combinations of input shall be simulated.

For certain functions, such as adders and comparators, this is not practical. In these
cases, the test harness shall utilise a significant number of test cases to prove the
function's operation. Equivalence classes, boundary cases and random numbers shall
be used as the preferred method of generating these cases.

Functions containing complex algorithms, or with extensive retained state or value
dependence, require an extensive number of test cases; achieving a sufficient level of
test coverage for them is therefore considered impractical, and such functions shall be
used in non-safety programs only.

3.11.3.7 Recording and Filing of Results

The tests shall utilise formally approved test procedures and the test results shall be
formally recorded. The test harness, details of the test environment and test result
shall be retained.

Any deviation between the results and expected results shall be examined; where this
results from deficiencies in the test harness these shall be corrected and the test
repeated. Should any function fail it shall be:

• Not used within safety related applications, or

• The conditions that result in erroneous operation shall be explicitly recorded
and published. If the function is used, other function(s) shall be added to the
application to specifically detect the conditions leading to erroneous
operation and take a fail-safe action.

To maintain system certification, any test harness used to prove a function block
should be archived as part of the test record so that the tests can be repeated at a
later date and, if required, reviewed by TÜV.
