Pt C, Ch 3, Sec 3

SECTION 3 COMPUTER BASED SYSTEMS

1 General requirements 1.5.3 The failure and restarting of computer based systems
should not cause processes to enter undefined or critical
states.
1.1 General
1.1.1 The characteristics of the system are to be compatible 1.6 System redundancy
with the intended applications, under normal and abnormal
process conditions. The response time for alarm function is 1.6.1 If it is demonstrated that the failure of the system,
to be less than 5 seconds. which includes the computer based system, leads to a dis-
ruption of the essential services, a secondary independent
1.1.2 When systems under control are required to be dupli- means, of appropriate diversity, is to be available to restore
cated and in separate compartments, this is also to apply to the adequate functionality of the service.
control elements within computer based systems.
2 Hardware
1.1.3 As a rule, computer based systems intended for
essential services are to be type approved.
2.1 General
1.2 System type approval 2.1.1 The construction of systems is to comply with the
requirements of Ch 3, Sec 4.
1.2.1 The type approval is to cover the hardware and basic
software of the system. The type approval requirements are
detailed in Ch 3, Sec 6. A list of the documents to be sub- 2.2 Housing
mitted is provided in Ch 3, Sec 1.
2.2.1 The housing of the system is to be designed to face
the environmental conditions, as defined in Ch 2, Sec 2,
1.3 System operation [1], in which it will be installed. The design will be such as
to protect the printed circuit board and associated compo-
1.3.1 The system is to be protected so that authorised per- nents from external aggression. When required, the cooling
sonnel only can modify any setting which could alter the system is to be monitored, and an alarm activated when the
system. normal temperature is exceeded.
1.3.2 Modification of the configuration, set points or 2.2.2 The mechanical construction is to be designed to
parameters is to be possible without complex operations withstand the vibration levels defined in Ch 2, Sec 2,
such as compilation or coded data insertion. depending on the applicable environmental condition.
1.3.3 Program and data storage of the system is to be
designed so as not to be altered by environmental condi- 3 Software
tions, as defined in Ch 2, Sec 2, [1], or loss of the power
supply. 3.1 General

1.4 System reliability 3.1.1 The basic software is to be developed in consistent

and independent modules.
1.4.1 System reliability is to be documented as required in A self-checking function is to be provided to identify failure
Ch 3, Sec 1, [2.3.4]. of software module.
When hardware (e.g. input /output devices, communication
1.4.2 When used for alarm, safety or control functions, the
links, memory, etc.) is arranged to limit the consequences of
hardware system design is to be on the fail safe principle.
failures, the corresponding software is also to be separated
in different software modules ensuring the same degree of
1.5 System failure independence.
1.5.1 In the event of failure of part of the system, the 3.1.2 Computer based systems are to be configured with
remaining system is to be brought to a downgraded opera- type approved software according to Ch 3, Sec 6, [2.3].
ble condition.
3.1.3 Application software is to be tested in accordance
1.5.2 A self-monitoring device is to be implemented so as with Ch 3, Sec 6, [3.3].
to check the proper function of hardware and software in
the system. This is to include a self-check facility of input 3.1.4 Loading of software, when necessary, is to be per-
/output cards, as far as possible. formed in the aided conversational mode.

April 2009 Bureau Veritas 111

Pt C, Ch 3, Sec 3

3.1.5 Software versions are to be solely identified by num- 4.3 Transmission software
ber, date or other appropriate means. Modifications are not
to be made without also changing the version identifier. A 4.3.1 The transmission software is to be so designed that
record of changes is to be maintained and made available alarm or control data have priority over any other data. For
upon request of the Society. control data, the transmission time is not to jeopardise effi-
ciency of the functions.
3.2 Software development quality
4.3.2 The transmission protocol is preferably to be chosen
3.2.1 Software development is to be carried out according among international standards.
to a quality plan defined by the builder and records are to
be kept. The standard ISO 9000-1, or equivalent interna- 4.3.3 A means of transmission control is to be provided
tional standard, is to be taken as guidance for the quality and designed so as to verify the completion of the data
procedure. The quality plan is to include the test procedure transmitted (CRC or equivalent acceptable method). When
for software and the results of tests are to be documented. corrupted data is detected, the number of retries is to be
limited so as to keep an acceptable global response time.
The duration of the message is to be such that it does not
4 Data transmission link block the transmission of other stations.

4.1 General 4.4 Transmission operation

4.1.1 The performance of the network transmission 4.4.1 When a hardware or software transmission failure
medium (transfer rate and time delay) is to be compatible occurs, an alarm is to be activated. A means is to be pro-
with the intended application. vided to verify the activity of transmission and its proper
function (positive information).
4.1.2 When the master /slave configuration is installed, the
master terminal is to be indicated on the other terminals.
4.5 Redundant network
4.2 Hardware support 4.5.1 Where two or more essential functions are using the
same network, redundant networks are required according
4.2.1 The data transmission is to be self-checked, regarding to the conditions mentioned in [1.6.1].
both the network transmission medium and the inter-
faces/connections. 4.5.2 Switching of redundant networks from one to the
The data communication link is to be automatically started other is to be achieved without alteration of the perfor-
when power is turned on, or restarted after loss of power. mance.

4.2.2 The choice of transmission cable is to be made 4.5.3 When not in operation, the redundant network is to
according to the environmental conditions. Particular atten- be permanently monitored, so that any failure of either net-
tion is to be given to the level characteristics required for work may be readily detected. When a failure occurs in one
electromagnetic interferences. network, an alarm is to be activated.

4.2.3 The installation of transmission cables is to comply 4.5.4 In redundant networks, the two networks are to be
with the requirements stated in Ch 2, Sec 11. In addition, mutually independent. Failure of any common components
the routing of transmission cables is to be chosen so as to be is not to result in any degradation in performance.
in less exposed zones regarding mechanical, chemical or
EMI damage. As far as possible, the routing of each cable is 4.5.5 When redundant data communication links are
to be independent of any other cable. These cables are not required, they are to be routed separately, as far as practica-
normally allowed to be routed in bunches with other cables ble.
on the cable tray.
5 Man-machine interface
4.2.4 The coupling devices are to be designed, as far as
practicable, so that in the event of a single fault, they do not
alter the network function. When a failure occurs, an alarm 5.1 General
is to be activated.
5.1.1 The design of the operator interface is to follow ergo-
Addition of coupling devices is not to alter the network
nomic principles. The standard IEC 60447 Man-machine
function.
interface or equivalent recognised standard may be used.
Hardware connecting devices are to be chosen, when pos-
sible, in accordance with international standards.
5.2 System functional indication
When a computer based system is used with a non-essential
system and connected to a network used for essential sys- 5.2.1 A means is to be provided to verify the activity of the
tems, the coupling device is to be of an approved type. system, or subsystem, and its proper function.

112 Bureau Veritas April 2009

 Pt C, Ch 3, Sec 3

5.2.2 A visual and audible alarm is to be activated in the 5.5 Workstations

event of malfunction of the system, or subsystem. This
alarm is to be such that identification of the failure is simpli- 5.5.1 The number of workstations at control stations is to
fied. be sufficient to ensure that all functions may be provided
with any one unit out of operation, taking into account any
5.3 Input devices functions which are required to be continuously available.

5.5.2 Multifunction workstations for control and display

5.3.1 Input devices are to be positioned such that the oper-
are to be redundant and interchangeable.
ator has a clear view of the related display.
The operation of input devices, when installed, is to be log- 5.5.3 The choice of colour, graphic symbols, etc. is to be
ical and correspond to the direction of action of the con- consistent in all systems on board.
trolled equipment.
The user is to be provided with positive confirmation of 5.6 Computer dialogue
action.
5.6.1 The computer dialogue is to be as simple and self-
Control of essential functions is only to be available at one
explanatory as possible.
control station at any time. Failing this, conflicting control
commands are to be prevented by means of interlocks and The screen content is to be logically structured and show
/or warnings. only what is relevant to the user.
Menus are to be organised so as to have rapid access to the
5.3.2 When keys are used for common/important controls, most frequently used functions.
and several functions are assigned to such keys, the active
function is to be recognisable. 5.6.2 A means to go back to a safe state is always to be
If use of a key may have unwanted consequences, provision accessible.
is to be made to prevent an instruction from being executed
by a single action (e.g. simultaneous use of 2 keys, repeated 5.6.3 A clear warning is to be displayed when using func-
use of a key, etc.). tions such as alteration of control condition, or change of
data or programs in the memory of the system.
Means are to be provided to check validity of the manual
input data into the system (e.g. checking the number of 5.6.4 A ‘wait’ indication is to warn the operator when the
characters, range value, etc.). system is executing an operation.

5.3.3 If use of a push button may have unwanted conse-

quences, provision is to be made to prevent an instruction
6 Integrated systems
from being executed by a single action (e.g. simultaneous
use of 2 push buttons, repeated use of push buttons, etc.). 6.1 General
Alternatively, this push button is to be protected against
accidental activation by a suitable cover, or use of a pull 6.1.1 Operation with an integrated system is to be at least
button, if applicable. as effective as it would be with individual, stand alone
equipment.
5.4 Output devices 6.1.2 Failure of one part (individual module, equipment or
subsystem) of the integrated system is not to affect the func-
5.4.1 VDU’s (video display units) and other output devices
tionality of other parts, except for those functions directly
are to be suitably lighted and dimmable when installed in dependant on information from the defective part.
the wheelhouse. The adjustment of brightness and colour of
VDU’s is to be limited to a minimum discernable level. 6.1.3 A failure in connection between parts, cards connec-
When VDU’s are used for alarm purposes, the alarm signal, tions or cable connections is not to affect the independent
required by the Rules, is to be displayed whatever the other functionality of each connected part.
information on the screen. The alarms are to be displayed
according to the sequence of occurrence. 6.1.4 Alarm messages for essential functions are to have
priority over any other information presented on the display.
When alarms are displayed on a colour VDU, it is to be
possible to distinguish alarm in the event of failure of a pri-
mary colour. 7 Expert system
The position of the VDU is to be such as to be easily read-
able from the normal position of the personnel on watch. 7.1
The size of the screen and characters is to be chosen
7.1.1 The expert system software is not to be implemented
accordingly.
on a computer linked with essential functions.
When several control stations are provided in different
spaces, an indication of the station in control is to be dis- 7.1.2 Expert system software is not to be used for direct
played at each control station. Transfer of control is to be control or operation, and needs human validation by per-
effected smoothly and without interruption to the service. sonnel on watch.

April 2009 Bureau Veritas 113

Pt C, Ch 3, Sec 3

8 System testing 9 System maintenance

8.1 9.1 Maintenance

8.1.1 The system tests are to be carried out according to Ch 9.1.1 System maintenance is to be planned and docu-
3, Sec 6. mented.

8.1.2 All alterations of a system (hardware and software) 9.1.2 Remote software maintenance amy be considered on
are to be tested and the results of tests documented. case by case basis.

114 Bureau Veritas April 2009