3.11.5 Communications Interaction – Rockwell Automation T8094 8000 Series TMR System Safety Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 45 of 103

Each safety function shall be responsible for the control of the corresponding outputs.
Sharing of outputs between functions shall not be permitted.

3.11.4.4 Individual Safety Related Functions

The TMR system IEC1131 TOOLSET allows the definition of up to 250 individual
programs within a single project. This facility should be exploited to enable the
allocation of individual safety related functions to separate programs. Where such
programs contain independent logic paths, these should be investigated to determine if
they are separate safety functions. Where they are separate, it is recommended that
these be further allocated to their own program, subject to conforming to the
recommendation to minimise the coupling between programs.

Cases should be looked for that allow the creation of individual logic paths by
repeating small sections of logic rather than fanning out the resultant signal(s).

3.11.4.5 Minimise Logic Depth

Where possible, the logic depth should be minimised. This helps reduce visual
complexity, simplifies testing, minimises the number of interconnects required and
improves program efficiency.

Where there is nested logic, it shall be possible to establish the correct operation of all
intermediate logic connections.

The use of memory components, i.e. latches, within the safety function shall be
minimised. Similarly, the permutation of conditions that lead to their activation shall be
minimised.

3.11.5 Communications Interaction

The TMR system provides a range of communications options to allow interaction with
external systems. Where this communication is used for reporting (or out-going)
communications, there are no specific safety requirements.

Data received from external equipment that either controls safety-related functions or
affects their operation must be handled with caution. The Application Program shall
handle the received data.

The received data should be such that it is limited to interaction which:

• Initiates safety operations, i.e. initiates shutdown sequences

• Resets signals, with the reset action only possible once the initiating
conditions have been removed

• Initiates timed start-up override signals which are removed automatically
either on expiration of the start period or once the associated signal has
stabilised in the normal operating condition

• Adjusts control parameters within defined safe operational limits, i.e. lowering
of trip thresholds.

Where the interaction does not fall within these categories, the effects of incorrect
values and sequences of values shall be considered and measures taken to ensure
that the system will respond safely in the event of erroneous data. Alternatively,
measures may be implemented within the application to ensure the integrity and
validity of the data.
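The four permitted interaction categories above, modelled as a command filter in Python. This is an added illustration, not code from the manual or from the IEC1131 TOOLSET; the command names, the scan-cycle override timer and the threshold values are constructed for the example.

```python
"""Model of the received-data handling rules in section 3.11.5 (added example).

Commands arriving from an external, non-safety system are accepted only if they
fall into one of the four listed categories; everything else is rejected so the
safety function never acts on unexpected data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SafetyState:
    trip_threshold: float            # current trip threshold (constructed units)
    threshold_floor: float           # lowest threshold permitted by the safe limits
    shutdown_active: bool = False
    initiating_condition: bool = False   # process condition that caused the trip
    override_remaining: int = 0          # start-up override, counted in scan cycles
    override_max: int = 10               # constructed start period length


def handle_received(state: SafetyState, cmd: str, value: Optional[float] = None) -> bool:
    """Apply one received command; return True if accepted, False if rejected."""
    if cmd == "SHUTDOWN":                       # category 1: initiate safety operation
        state.shutdown_active = True
        return True
    if cmd == "RESET":                          # category 2: reset, only after the
        if state.initiating_condition:          # initiating condition has cleared
            return False
        state.shutdown_active = False
        return True
    if cmd == "STARTUP_OVERRIDE":               # category 3: timed override
        state.override_remaining = state.override_max
        return True
    if cmd == "SET_TRIP_THRESHOLD":             # category 4: only lowering, and only
        if value is None or value > state.trip_threshold or value < state.threshold_floor:
            return False                        # within the defined safe limits
        state.trip_threshold = value
        return True
    return False                                # outside the four categories: reject


def scan(state: SafetyState, signal_normal: bool) -> bool:
    """One application scan; removes the override automatically and reports if it is active."""
    if state.override_remaining > 0:
        state.override_remaining -= 1           # expiry of the start period
        if signal_normal:                       # or signal stabilised in normal condition
            state.override_remaining = 0
    return state.override_remaining > 0
```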
