Issue 5 - September 2006 Page 12 of 653 Configuration Application Design3.1 IntroductionThis section provides the guidelines that must be followed if certification to DIN VDE 0801 AK 6 /IEC 61508 SIL 3 is to be maintained. The guideline deals only with the Triguard SC300E SafetyPLC and its implementation into a Safety System. It does not remove the responsibility of theSystems Designer to ensure that all other analysis and design processes have been completedcorrectly.This section covers the design and configuration of a Safety System based on the TriguardSC300E Product up to and including the factory acceptance stage.3.2 AssumptionsThe following assumptions have been made in this section.The system design/integration company is operating accredited quality procedures for thedesign and manufacture of Software based Safety Systems to the standard of ISO 9001, TOPSor equivalent or higher standard and has received training on Triguard SC300E systemintegration.That all earlier life cycle parts of the design phase have been completed correctly includingHazops and Safety Loop Systems Integrity Level (Safety Classification) RequirementsThat the specified plant input and output configuration fully meets the required SafetyClassification (Safety Integrity Level) Selections (eg for Safety Classification AK6 (SafetyIntegrity Level 3) Loops at least 2 independent final element paths are established).That the Cause and Effect, Fault Schedule, Function Block Diagrams or other primary designinformation is correct.That the process safety times have been defined.That the process safety time constraint has been defined.3.3 Safety Related Inputs and OutputsThe Safety Loops, Cause and Effect Charts or other design data will define which loops are tobe considered as Safety Loops. All inputs and outputs associated with Safety Loops mustfollow the design guidelines laid out in this section.All Modules must be configured for 320 fail safe operation.All output modules associated with Safety Loops must be configured with adjacent hot repairpartner slots. The hot repair partners for output modules must not be fitted during normaloperation.Output hot repair (HR) partners can be left installed if using RTTS 8.30-009 (or later versions)and TriBuild 1.44 (or later versions). This combination supports an auto hot repair feature. Thesystem will swap the control duty of one HR partnership every 1 to 255 hours, set using aTriBuild low level system parameter.