TÜV Rheinland Industrie Service GmbH
Automation - Software - Information Technology
Conditions and Restrictions

General

  • When planning a safety instrumented function with a safety-related programmable controller, the safety section of the manufacturer's handbook is to be used.
  • The tested and certified components are listed in the test reports of the TÜV test institutes. Requirements related to other components of the installation will be specified by the application and have to be determined and assessed during the local inspection.

Planning / Protecting

  • The configuration and the operation of the safety-related programmable controller should be based on a hazard analysis.
  • The protective targets of the realised application shall be defined.
  • Care is to be given to the possibility of a safety shutdown whilst the control process is starting up or closing down. The behaviour of the programmable controller in all different operating conditions, error conditions and on restarting should be defined.
  • The conditions for use specified by the manufacturer are to be observed. Particular attention is to be paid to:
    • Protection from excessive voltage and EMC;
    • Environmental conditions;
    • Ex-protection - if required.
  • Care is to be taken that system parameters which may have an effect upon safety are set correctly in safety-critical applications, particularly:
    • Requirement class / Safety integrity level
    • Maximum cycle time
    • System configuration
    • Process safety time, interval for foreground tests and background tests
    • Time limit for monitoring of the communication
    • Access limitations for external communicators (e.g. programming equipment and process control systems)
    • I/O configuration and connections
    • Reaction to I/O errors
    • Reaction to system errors
  • Equipment and components which are used must be certified. Only safety-related components may be used in safety-critical operation.
  • Either the equipment in the shutdown path must be made of type-approved fail-safe components, or the application must have two separate, independent shutdown paths.
  • The safe state of an ESD must be the de-energised state or low (0) state.
  • In general, the closed loop principle is to be maintained for all external safety circuits which are connected to the system. Signals should be dynamic where possible.
  • Care must be taken during planning and engineering that non-safety-related functions can never interfere with safety-related functions / components in any operating situation.
  • The conditions and restrictions for operation in degraded mode shall be observed. Typically a timing restriction should be planned for the degraded mode of operation.
  • The low state of the output components (current and voltage) is to be considered for the appropriate application.
  • In systems with components which are to be serviced cyclically (e.g. backup batteries) administrative measures shall ensure that the required work is carried out.
  • Regarding cabling, the local or national installation and equipment requirements are to be adhered to.

Programming

  • Application programming is to be carried out in accordance with the information in the safety section of the manufacturer's handbook.
  • Safety-oriented configuration and application programming must be carried out with safety tools and checked by a competent person who is independent of the application developer.
  • Care is to be taken that the details of the planning and engineering (system parameters which may have an effect upon safety) are set correctly in safety-critical applications.
  • Programs and data which are relevant to safety must be separated from programs and data which are not relevant to safety. Safety paths are to be marked in logic plans and parameter lists. Proof of freedom of interaction (interference-free) of non-safety-related program parts must be shown for every modification.
  • System reaction times to external requirements are to be tested. System reaction times to internal errors are to be taken into account.
  • Discrepancy times are to be specified for the specific application, as far as is necessary.
  • Conformity of the programs that are loaded in the safety-related programmable controller with the programs theoretically checked previously must be proved. This especially includes proof that the compiled version of the programs, which are to be jointly used, provide the specified safety functions.
  • The correct operation of the safety-related program should be shown by means of a complete functional test. The use of a certified revision comparator during the test of modifications is strongly recommended.

Operation

  • Safety relevant error reactions which only lead to signalling alarms are only permitted under supervised operation.
  • On-line modifications reduce safety by their nature and are not supported by TÜV. On-line modifications are under the sole responsibility of the operator.
  • Modifications of the system software (operating system, I/O drivers, diagnostics, libraries, etc.) are subject to the type certification.
  • In addition to the printed documentation of the application program, copies of the program must be stored on write-protected data carriers.
  • PID and other control algorithms must not be used for safety relevant functions.
  • If it is intended to take safety-related functions temporarily out of operation for maintenance (so-called "maintenance override"), then:
    • This factor is to be taken into account at the planning stage.
    • It is to be ensured that the plant operator is clearly informed about this operating condition.
    • It is to be ensured that the plant operator still receives sufficient information about the safety status of the plant.
    • A detailed instruction is to be produced for switching this special condition on or off.

It is recommended to consider the current version of the document "Maintenance Override" of TÜV Süddeutschland (TÜV Product Service) and TÜV Rheinland.
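The maintenance override conditions above (planned in advance, explicitly switched on, operator kept informed of the real safety status, time limit for the degraded mode, and the de-energised / 0 state as the safe state) can be modelled as a small state machine. The following Python model is an added illustration, not code from TÜV Rheinland or from any certified controller; the output names, the key-switch authorisation and the 60 s limit are constructed assumptions, and a real implementation belongs in the certified safety tools of the controller, not in a script.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAFE_STATE = 0  # de-energised / low (0) state is the safe state
ENERGISED = 1   # the protected process is permitted to run


@dataclass
class SafetyOutput:
    """One safety-related output with a planned, time-limited maintenance override."""
    name: str
    override_allowed: bool   # decided at the planning stage; False = no override possible
    max_override_s: float    # timing restriction for the degraded mode of operation
    override_since: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)  # operator log

    def request_override(self, now: float, key_switch_on: bool) -> bool:
        """Switch the override on; refused unless it was planned and is explicitly authorised."""
        if not self.override_allowed:
            self.events.append((now, f"{self.name}: override refused, not planned"))
            return False
        if not key_switch_on:
            self.events.append((now, f"{self.name}: override refused, key switch off"))
            return False
        self.override_since = now
        self.events.append((now, f"{self.name}: OVERRIDE ON, operator informed"))
        return True

    def release_override(self, now: float, reason: str = "switched off") -> None:
        """Switch the override off and record why."""
        self.override_since = None
        self.events.append((now, f"{self.name}: OVERRIDE OFF ({reason})"))

    def evaluate(self, now: float, demand: bool) -> Tuple[int, str]:
        """One cycle: return (output state, status text shown to the operator)."""
        if self.override_since is not None and now - self.override_since > self.max_override_s:
            self.release_override(now, "time limit exceeded")  # degraded mode expired
        if self.override_since is not None:
            # Shutdown suppressed, but the real safety status is still reported.
            return ENERGISED, ("OVERRIDE, demand PRESENT" if demand else "OVERRIDE, no demand")
        return (SAFE_STATE, "SHUTDOWN") if demand else (ENERGISED, "NORMAL")


if __name__ == "__main__":
    esd = SafetyOutput("ESD-1", override_allowed=True, max_override_s=60.0)  # constructed
    esd.request_override(5.0, key_switch_on=True)
    for t, demand in ((10.0, True), (70.0, True), (80.0, False)):
        print(t, esd.evaluate(t, demand))
```

When the time limit expires while a demand is present, the output drops to the safe state 0 in the same cycle; an output planned without an override refuses every request and behaves as a plain shutdown path.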
