Guidance for Addressing Software Common Cause Failure in High Safety-Significant Safety-Related Digital I&C Systems
Date: 17.12.2021
ML20245E561
6.3.2 An I&C system can be designed to force a preferred state in the event of a software CCF
Software diagnostic features not subject to the software CCF can provide a means to detect a software CCF and respond by forcing the I&C system to a preferred state. A preferred state may be fail-as-is, fail-off, shutdown, etc., with an attendant notification or alarm.
6.3.3 Detection of an event or condition due to a software CCF provides an opportunity for response and recovery
Detection of a software CCF provides an opportunity to respond and recover from the event. If the software CCF occurs in a system that can initiate a plant event, or it occurs in a mitigating system that is required to respond to an initiating event, then independent means for detection and response via automation and/or manual action can terminate the sequence of events within acceptable limits.
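The two points above (an independent diagnostic feature forcing a preferred state, and detection giving an opportunity to respond before the event sequence exceeds limits) are illustrated by the following added example. It is not code from the NRC guidance or from any plant system; it is a constructed model of a diagnostic monitor that is assumed to run on separate hardware or a diverse software base, to sample the process variable through its own tap, and to force a fail-off state with an alarm once a fault has persisted for a few cycles. All names, setpoints and sample sequences are hypothetical.

```c
/*
 * Added example, not taken from the NRC guidance: an independent diagnostic
 * monitor that detects a failed primary controller and forces a preferred
 * state (here fail-off) with an alarm.
 * Assumptions (hypothetical): the monitor runs on separate hardware or a
 * diverse software base; it reads the process variable through its own tap;
 * a fault must persist FAULT_PERSISTENCE cycles before it acts; all values
 * below (setpoint, ranges, sequences) are constructed for illustration.
 */
#include <stdbool.h>
#include <stdint.h>

#define TRIP_SETPOINT     1200  /* process variable at which a trip is required */
#define SENSOR_MAX        4000  /* upper bound of the plausible sensor range */
#define FAULT_PERSISTENCE 3     /* consecutive faulty cycles before forcing */
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

typedef enum { OUT_ENERGISED = 0, OUT_DEENERGISED = 1 } output_t;
typedef enum { ACTION_NORMAL = 0, ACTION_FORCE_FAIL_OFF = 1 } action_t;
typedef enum { FAULT_NONE = 0, FAULT_HEARTBEAT_STALLED, FAULT_SENSOR_IMPLAUSIBLE,
               FAULT_TRIP_NOT_COMMANDED } fault_t;

/* What the monitor observes each cycle. */
typedef struct {
    uint32_t heartbeat;  /* counter the primary increments every cycle */
    int32_t  sensor;     /* process variable, read by the monitor's own tap */
    output_t commanded;  /* output the primary commanded */
} snapshot_t;

typedef struct {
    uint32_t last_heartbeat;
    bool     have_last;
    int      faulty_cycles;
    fault_t  last_fault;
    bool     alarm_raised;  /* attendant notification to the operator */
    bool     latched;       /* once forced, stay in the preferred state */
} monitor_t;

void monitor_init(monitor_t *m) {
    m->last_heartbeat = 0; m->have_last = false; m->faulty_cycles = 0;
    m->last_fault = FAULT_NONE; m->alarm_raised = false; m->latched = false;
}

/* Three checks that do not depend on the primary's software being correct:
 * liveness (heartbeat advances), input plausibility, and an independent
 * re-derivation of the trip decision from the same input. */
static fault_t check_snapshot(const monitor_t *m, const snapshot_t *s) {
    if (m->have_last && s->heartbeat == m->last_heartbeat) return FAULT_HEARTBEAT_STALLED;
    if (s->sensor < 0 || s->sensor > SENSOR_MAX)           return FAULT_SENSOR_IMPLAUSIBLE;
    if (s->sensor >= TRIP_SETPOINT && s->commanded != OUT_DEENERGISED)
        return FAULT_TRIP_NOT_COMMANDED;
    return FAULT_NONE;
}

/* One monitor cycle; returns the action imposed on the channel's output. */
action_t monitor_step(monitor_t *m, const snapshot_t *s) {
    if (m->latched) return ACTION_FORCE_FAIL_OFF;
    fault_t f = check_snapshot(m, s);
    m->last_heartbeat = s->heartbeat;
    m->have_last = true;
    if (f == FAULT_NONE) { m->faulty_cycles = 0; m->last_fault = FAULT_NONE; return ACTION_NORMAL; }
    m->last_fault = f;
    if (++m->faulty_cycles >= FAULT_PERSISTENCE) {  /* ride out transients first */
        m->latched = true;
        m->alarm_raised = true;
        return ACTION_FORCE_FAIL_OFF;
    }
    return ACTION_NORMAL;
}

/* Runs the monitor over a snapshot sequence; returns the first cycle
 * (1-based) at which fail-off was forced, or 0 if it never was. */
int first_forced_cycle(monitor_t *m, const snapshot_t *seq, int n) {
    monitor_init(m);
    for (int i = 0; i < n; i++)
        if (monitor_step(m, &seq[i]) == ACTION_FORCE_FAIL_OFF) return i + 1;
    return 0;
}

/* Constructed sequences. Healthy: the primary trips when the setpoint is exceeded. */
static const snapshot_t SEQ_HEALTHY[] = {
    {1, 800, OUT_ENERGISED}, {2, 800, OUT_ENERGISED}, {3, 900, OUT_ENERGISED},
    {4, 1500, OUT_DEENERGISED}, {5, 1500, OUT_DEENERGISED}, {6, 1500, OUT_DEENERGISED} };
/* Software CCF stalls the primary after cycle 3 (heartbeat and output freeze)
 * while the process variable, seen through the monitor's own tap, rises. */
static const snapshot_t SEQ_STALLED[] = {
    {1, 800, OUT_ENERGISED}, {2, 800, OUT_ENERGISED}, {3, 800, OUT_ENERGISED},
    {3, 900, OUT_ENERGISED}, {3, 1300, OUT_ENERGISED}, {3, 1500, OUT_ENERGISED},
    {3, 1500, OUT_ENERGISED} };
/* Primary stays alive but a common logic defect never de-energises the output. */
static const snapshot_t SEQ_TRIP_BUG[] = {
    {1, 800, OUT_ENERGISED}, {2, 1500, OUT_ENERGISED}, {3, 1500, OUT_ENERGISED},
    {4, 1500, OUT_ENERGISED}, {5, 1500, OUT_ENERGISED} };

static monitor_t g_mon;  /* state left by the most recent scenario run */
int scenario_healthy(void)  { return first_forced_cycle(&g_mon, SEQ_HEALTHY, LEN(SEQ_HEALTHY)); }
int scenario_stalled(void)  { return first_forced_cycle(&g_mon, SEQ_STALLED, LEN(SEQ_STALLED)); }
int scenario_trip_bug(void) { return first_forced_cycle(&g_mon, SEQ_TRIP_BUG, LEN(SEQ_TRIP_BUG)); }
fault_t last_fault(void)    { return g_mon.last_fault; }
bool alarm_raised(void)     { return g_mon.alarm_raised; }
```

The design point is that the monitor never trusts the primary's computed result: it checks that the primary is alive, that the input is plausible, and that the required trip decision follows from the input it reads itself, so a defect shared by every copy of the primary's software is still caught. Latching the forced state and raising the alarm together give operators the detection and response opportunity described in 6.3.3; the persistence count is the trade-off between spurious actuation and response time and would be set from the plant's timing analysis.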
6.4 Operating history can provide evidence of software quality
Operating history can provide evidence of adequate software quality. The depth and rigor of acceptable operating history (e.g., relevant, successful, substantial, available errata, etc.) from all safety industries can also be scaled and matched to the risk of a software CCF in the various system elements.