List of Type Approvals > List of Type Approved Programmable Electronic Systems (PES) (PLC's)
Product-independent Conditions and Restrictions
- Specification based on the hazard analysis
  Safety functions, immediate safety states, process safety time (PST)
  Structure of each safety instrumented loop
  Independent control and protective structure of the plant automation
  Interaction of plant subsystems
  Consider a safety shutdown while the process is in start-up or in a controlled shutdown.
  Specification of organisational measures (operation, inspection)
  Hazards to be covered by full / major responsibility of the plant operator.
- Suitable Ex-protection
  Overvoltage, surge and other EMC protection
- Observe the conditions of use specified by the manufacturer
  Example: monitored threshold limits and leakage current of the digital I/O modules
  Electrical insulation provided by the I/O modules
  Specified environmental stress conditions
- Current loop principle (de-energized to trip, 4-20 mA)
  Signals should be dynamic, to the extent possible
- Follow the system documentation incl. safety manual
  Follow the conditions and restrictions stated in the TÜV report to the certificate
- Configuration based on the specification of the safety functions
  Check by a competent and independent person (four-eye principle)
- Separate safety-related and non-safety-related programs and data
  Highlight the safety-related paths and data in the logic diagrams and parameter lists
- Configuration with the delivered safety engineering tools only
- Specify the safety-related configuration
  I/O configuration, process safety time (PST), SIL, max. cycle time, system reaction to internal failures and failures of the periphery
  Application-specific processing of the discrepancy of inputs
- Select a system structure suitable for the required availability, SIL and PST
  (Certified systems provide increased availability, but rare software and hardware failures can lead to a complete shutdown)
  Time limitation of degraded operation
- Only certified safety-related modules for safety functions
  Interference-free modules ("rückwirkungsfrei") for non-safety-related functions
- Safety-related communication is currently only supported between systems of the same family; vendor-independent safety bus specifications are currently under certification
  Communication with other non-safety-related systems can be made safe only by additional measures in the application program
  Access control for external communication partners (examples: engineering workstation and DCS)
- Communication adds to the safety-related reaction time
  Specify and configure a time limit for the monitoring of the communication
  Unfavourable communication structures and parameters may reduce the plant availability
- Program based on logic diagrams or cause + effect matrices only
- Program with the delivered safety engineering tools only
  (If no safety engineering tools exist, each path must be fully tested)
- Avoid instruction lists / mnemonics
  Use function block diagrams, cause + effect matrices or sequential function charts
- Use proven-in-use or pre-tested function blocks
  Maintain a library of such blocks
- Keep the reaction time of the application program constant
  Test the maximum system reaction time to all external events
- Test the restart after power failure in all operating modes
- Always check modifications with the certified revision comparator
- Check during commissioning that the compiled configuration loaded in the safety instrumented system and the configuration theoretically checked previously are equal
- Safety-relevant fault reactions which only lead to signalling are only permitted under supervised operation (the operator must have enough information and time to react)
- Maintenance override requires (operator-specified) guidelines
  The plant operator must nevertheless receive sufficient information about the safety status of the plant; see the document "Maintenance Override"
- Hazards associated with on-line modifications
  On-line modifications reduce safety by their nature. Full functional testing should be done on simulators or at a similar plant.
- The generic standards (IEC 61508 and DIN 19250 in conjunction with DIN 0801) don't give exact figures or guidelines for a system when a fault has been detected in the system and the system structure has been degraded as a result of that fault.
- For ESD applications where the AK system according to DIN 19250 is used, only supervised operation should be possible after reaching single-channel mode of operation. Online repair is possible. If not repaired, single-channel operation is possible with the following maximum timing:
  - in AK 5: shutdown after a maximum of 72 hours of supervised operation in single-channel mode
  - in AK 6: shutdown after a maximum of 1 hour of supervised operation in single-channel mode
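The current-loop (de-energized to trip), input-discrepancy and time-limited single-channel operation conditions above, combined in one added Python model. This is example code written for this page, not part of the TÜV conditions and not the application program of any certified system: it shows how a two-channel 4-20 mA analogue trip degrades to supervised single-channel mode on a channel fault, returns to dual-channel mode after an online repair, and latches a shutdown when the AK 5 (72 h) or AK 6 (1 h) limit is exceeded. The live-zero band limits, the decision to trip on an input discrepancy, the choice of the more conservative healthy reading and the linear 4-20 mA scaling are assumptions made for the example; a real loop takes these from the hazard analysis and the module's safety manual. Only the AK 5 and AK 6 limits come from the list above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Live-zero band of the 4-20 mA loop. A reading outside it means wire break,
# short circuit or transmitter fault. Constructed thresholds for this example.
MA_MIN_VALID = 3.8
MA_MAX_VALID = 20.5

# Maximum supervised single-channel operation per requirement class, in hours
# (the AK 5 / AK 6 figures stated in the conditions above).
AK_SINGLE_CHANNEL_LIMIT_H = {5: 72.0, 6: 1.0}


class Mode(Enum):
    DUAL = "dual-channel"
    SINGLE = "single-channel (supervised, repair pending)"
    SHUTDOWN = "shutdown (degraded-operation time limit exceeded)"


def ma_to_engineering(ma: float, lo: float, hi: float) -> Optional[float]:
    """Scale a 4-20 mA reading linearly to engineering units.

    Returns None when the reading is outside the live-zero band, i.e. the
    channel itself is faulty and must not be used for the trip decision.
    """
    if not (MA_MIN_VALID <= ma <= MA_MAX_VALID):
        return None
    return lo + (hi - lo) * (ma - 4.0) / 16.0


@dataclass
class TripLoop:
    """One two-channel high trip with de-energize-to-trip output (hypothetical model)."""
    ak: int                      # requirement class, 5 or 6
    trip_limit: float            # high trip point in engineering units
    lo: float                    # engineering value at 4 mA
    hi: float                    # engineering value at 20 mA
    discrepancy_tol: float       # allowed difference between the two channels
    mode: Mode = Mode.DUAL
    single_since_h: Optional[float] = None

    def evaluate(self, t_h: float, ch_a_ma: float, ch_b_ma: float) -> Tuple[bool, str]:
        """One scan at plant time t_h (hours). Returns (output_energized, reason).

        False means the output is de-energized, i.e. the loop has tripped.
        """
        if self.mode is Mode.SHUTDOWN:
            return False, "latched shutdown: degraded-operation limit exceeded"

        a = ma_to_engineering(ch_a_ma, self.lo, self.hi)
        b = ma_to_engineering(ch_b_ma, self.lo, self.hi)
        healthy = [v for v in (a, b) if v is not None]

        if not healthy:
            # Both channels faulty: nothing to decide on, de-energize.
            return False, "both channels faulty"

        if len(healthy) == 1:
            # Degraded operation: start the supervised single-channel timer
            # on entry and keep it running until repair or shutdown.
            if self.mode is Mode.DUAL:
                self.mode, self.single_since_h = Mode.SINGLE, t_h
            limit = AK_SINGLE_CHANNEL_LIMIT_H[self.ak]
            if t_h - self.single_since_h > limit:
                self.mode = Mode.SHUTDOWN
                return False, f"AK {self.ak}: single-channel limit of {limit} h exceeded"
            value, source = healthy[0], "single-channel"
        else:
            # Both channels healthy: an online repair restores dual-channel mode
            # and resets the degraded-operation timer.
            self.mode, self.single_since_h = Mode.DUAL, None
            if abs(a - b) > self.discrepancy_tol:
                # Assumption for this example: treat a discrepancy as a trip.
                return False, "input discrepancy exceeds tolerance"
            value, source = max(a, b), "dual-channel"   # conservative reading (assumption)

        if value >= self.trip_limit:
            return False, f"{source}: trip limit reached ({value:.1f})"
        return True, f"{source}: normal ({value:.1f})"


if __name__ == "__main__":
    # Constructed scan sequence for an AK 6 loop: channel B fails at 0.5 h,
    # is not repaired, and the loop shuts down once more than 1 h has passed.
    loop = TripLoop(ak=6, trip_limit=90.0, lo=0.0, hi=100.0, discrepancy_tol=2.0)
    for t, a_ma, b_ma in [(0.0, 12.0, 12.1), (0.5, 12.0, 2.0), (1.2, 12.0, 2.0), (1.6, 12.0, 2.0)]:
        print(t, loop.evaluate(t, a_ma, b_ma), loop.mode.name)
```

Running the module walks an AK 6 loop through a channel-B wire break: the output stays energized during the supervised hour, then de-energizes and latches when 1 h of single-channel operation is exceeded. Swapping `ak=5` gives the 72 h allowance, and feeding two healthy readings again before the limit shows the repair path back to dual-channel mode.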