Changes from an external source (e.g., HMI) can be accepted in a safety-related system only if the following sequence of events occurs:
a. The new parameter value must be sent twice to two different tags; that is, both values must not be written to with one command.
b. The two standard tags that receive the parameter value from the HMI must be mapped into two safety tags.
c. Safety-related code that executes in the controller, must check both safety tags for equivalency and make sure that they are within range (boundary checks).
d. Both new variables must be read back and displayed on the HMI device. The HMI display reads the safety tags that received the mapped tag values from the standard tags.
e. Trained operators must visually check that both variables are the same and are the correct value.
f. Trained operators must manually acknowledge that the values are correct on the HMI display that sends a command to the safety logic, which allows the new values to be used in the safety function.
In every case, the operator must confirm the validity of the change before they are accepted and applied in the safety loop.
The use of standard data in a safety tag does not make it safety data.
RE: 1756-RM012
Leave a Reply