Pt C, Ch 3, Sec 3
SECTION 3 COMPUTER BASED SYSTEMS
1 General requirements
1.1 General
1.1.1 The characteristics of the system are to be compatible
with the intended applications, under normal and abnormal
process conditions. The response time for alarm function is
to be less than 5 seconds.
1.1.2 When systems under control are required to be dupli-
cated and in separate compartments, this is also to apply to
control elements within computer based systems.
1.1.3 As a rule, computer based systems intended for
essential services are to be type approved.
1.2 System type approval
1.2.1 The type approval is to cover the hardware and basic
software of the system. The type approval requirements are
detailed in Ch 3, Sec 6. A list of the documents to be sub-
mitted is provided in Ch 3, Sec 1.
1.3 System operation
1.3.1 The system is to be protected so that authorised per-
sonnel only can modify any setting which could alter the
system.
1.3.2 Modification of the configuration, set points or
parameters is to be possible without complex operations
such as compilation or coded data insertion.
1.3.3 Program and data storage of the system is to be
designed so as not to be altered by environmental condi-
tions, as defined in Ch 2, Sec 2, [1], or loss of the power
supply.
1.4 System reliability
1.4.1 System reliability is to be documented as required in
Ch 3, Sec 1, [2.3.4].
1.4.2 When used for alarm, safety or control functions, the
hardware system design is to be on the fail safe principle.
1.5 System failure
1.5.1 In the event of failure of part of the system, the
remaining system is to be brought to a downgraded opera-
ble condition.
1.5.2 A self-monitoring device is to be implemented so as
to check the proper function of hardware and software in
the system. This is to include a self-check facility of input
/output cards, as far as possible.
April 2009 Bureau Veritas
1.5.3 The failure and restarting of computer based systems
should not cause processes to enter undefined or critical
states.
1.6 System redundancy
1.6.1 If it is demonstrated that the failure of the system,
which includes the computer based system, leads to a dis-
ruption of the essential services, a secondary independent
means, of appropriate diversity, is to be available to restore
the adequate functionality of the service.
2 Hardware
2.1 General
2.1.1 The construction of systems is to comply with the
requirements of Ch 3, Sec 4.
2.2 Housing
2.2.1 The housing of the system is to be designed to face
the environmental conditions, as defined in Ch 2, Sec 2,
[1], in which it will be installed. The design will be such as
to protect the printed circuit board and associated compo-
nents from external aggression. When required, the cooling
system is to be monitored, and an alarm activated when the
normal temperature is exceeded.
2.2.2 The mechanical construction is to be designed to
withstand the vibration levels defined in Ch 2, Sec 2,
depending on the applicable environmental condition.
3 Software
3.1 General
3.1.1 The basic software is to be developed in consistent
and independent modules.
A self-checking function is to be provided to identify failure
of software module.
When hardware (e.g. input /output devices, communication
links, memory, etc.) is arranged to limit the consequences of
failures, the corresponding software is also to be separated
in different software modules ensuring the same degree of
independence.
3.1.2 Computer based systems are to be configured with
type approved software according to Ch 3, Sec 6, [2.3].
3.1.3 Application software is to be tested in accordance
with Ch 3, Sec 6, [3.3].
3.1.4 Loading of software, when necessary, is to be per-
formed in the aided conversational mode.
111
Pt C, Ch 3, Sec 3
3.1.5 Software versions are to be solely identified by num-
ber, date or other appropriate means. Modifications are not
to be made without also changing the version identifier. A
record of changes is to be maintained and made available
upon request of the Society.
3.2 Software development quality
3.2.1 Software development is to be carried out according
to a quality plan defined by the builder and records are to
be kept. The standard ISO 9000-1, or equivalent interna-
tional standard, is to be taken as guidance for the quality
procedure. The quality plan is to include the test procedure
for software and the results of tests are to be documented.
4 Data transmission link
4.1 General
4.1.1 The performance of the network transmission
medium (transfer rate and time delay) is to be compatible
with the intended application.
4.1.2 When the master /slave configuration is installed, the
master terminal is to be indicated on the other terminals.
4.2 Hardware support
4.2.1 The data transmission is to be self-checked, regarding
both the network transmission medium and the inter-
faces/connections.
The data communication link is to be automatically started
when power is turned on, or restarted after loss of power.
4.2.2 The choice of transmission cable is to be made
according to the environmental conditions. Particular atten-
tion is to be given to the level characteristics required for
electromagnetic interferences.
4.2.3 The installation of transmission cables is to comply
with the requirements stated in Ch 2, Sec 11. In addition,
the routing of transmission cables is to be chosen so as to be
in less exposed zones regarding mechanical, chemical or
EMI damage. As far as possible, the routing of each cable is
to be independent of any other cable. These cables are not
normally allowed to be routed in bunches with other cables
on the cable tray.
4.2.4 The coupling devices are to be designed, as far as
practicable, so that in the event of a single fault, they do not
alter the network function. When a failure occurs, an alarm
is to be activated.
Addition of coupling devices is not to alter the network
function.
Hardware connecting devices are to be chosen, when pos-
sible, in accordance with international standards.
When a computer based system is used with a non-essential
system and connected to a network used for essential sys-
tems, the coupling device is to be of an approved type.
112
4.3 Transmission software
4.3.1 The transmission software is to be so designed that
alarm or control data have priority over any other data. For
control data, the transmission time is not to jeopardise effi-
ciency of the functions.
4.3.2 The transmission protocol is preferably to be chosen
among international standards.
4.3.3 A means of transmission control is to be provided
and designed so as to verify the completion of the data
transmitted (CRC or equivalent acceptable method). When
corrupted data is detected, the number of retries is to be
limited so as to keep an acceptable global response time.
The duration of the message is to be such that it does not
block the transmission of other stations.
4.4 Transmission operation
4.4.1 When a hardware or software transmission failure
occurs, an alarm is to be activated. A means is to be pro-
vided to verify the activity of transmission and its proper
function (positive information).
4.5 Redundant network
4.5.1 Where two or more essential functions are using the
same network, redundant networks are required according
to the conditions mentioned in [1.6.1].
4.5.2 Switching of redundant networks from one to the
other is to be achieved without alteration of the perfor-
mance.
4.5.3 When not in operation, the redundant network is to
be permanently monitored, so that any failure of either net-
work may be readily detected. When a failure occurs in one
network, an alarm is to be activated.
4.5.4 In redundant networks, the two networks are to be
mutually independent. Failure of any common components
is not to result in any degradation in performance.
4.5.5 When redundant data communication links are
required, they are to be routed separately, as far as practica-
ble.
5 Man-machine interface
5.1 General
5.1.1 The design of the operator interface is to follow ergo-
nomic principles. The standard IEC 60447 Man-machine
interface or equivalent recognised standard may be used.
5.2 System functional indication
5.2.1 A means is to be provided to verify the activity of the
system, or subsystem, and its proper function.
Bureau Veritas April 2009

5.2.2 A visual and audible alarm is to be activated in the
event of malfunction of the system, or subsystem. This
alarm is to be such that identification of the failure is simpli-
fied.
5.3 Input devices
5.3.1 Input devices are to be positioned such that the oper-
ator has a clear view of the related display.
The operation of input devices, when installed, is to be log-
ical and correspond to the direction of action of the con-
trolled equipment.
The user is to be provided with positive confirmation of
action.
Control of essential functions is only to be available at one
control station at any time. Failing this, conflicting control
commands are to be prevented by means of interlocks and
/or warnings.
5.3.2 When keys are used for common/important controls,
and several functions are assigned to such keys, the active
function is to be recognisable.
If use of a key may have unwanted consequences, provision
is to be made to prevent an instruction from being executed
by a single action (e.g. simultaneous use of 2 keys, repeated
use of a key, etc.).
Means are to be provided to check validity of the manual
input data into the system (e.g. checking the number of
characters, range value, etc.).
5.3.3 If use of a push button may have unwanted conse-
quences, provision is to be made to prevent an instruction
from being executed by a single action (e.g. simultaneous
use of 2 push buttons, repeated use of push buttons, etc.).
Alternatively, this push button is to be protected against
accidental activation by a suitable cover, or use of a pull
button, if applicable.
5.4 Output devices
5.4.1 VDU’s (video display units) and other output devices
are to be suitably lighted and dimmable when installed in
the wheelhouse. The adjustment of brightness and colour of
VDU’s is to be limited to a minimum discernable level.
When VDU’s are used for alarm purposes, the alarm signal,
required by the Rules, is to be displayed whatever the other
information on the screen. The alarms are to be displayed
according to the sequence of occurrence.
When alarms are displayed on a colour VDU, it is to be
possible to distinguish alarm in the event of failure of a pri-
mary colour.
The position of the VDU is to be such as to be easily read-
able from the normal position of the personnel on watch.
The size of the screen and characters is to be chosen
accordingly.
When several control stations are provided in different
spaces, an indication of the station in control is to be dis-
played at each control station. Transfer of control is to be
effected smoothly and without interruption to the service.
April 2009
Pt C, Ch 3, Sec 3
5.5 Workstations
5.5.1 The number of workstations at control stations is to
be sufficient to ensure that all functions may be provided
with any one unit out of operation, taking into account any
functions which are required to be continuously available.
5.5.2 Multifunction workstations for control and display
are to be redundant and interchangeable.
5.5.3 The choice of colour, graphic symbols, etc. is to be
consistent in all systems on board.
5.6 Computer dialogue
5.6.1 The computer dialogue is to be as simple and self-
explanatory as possible.
The screen content is to be logically structured and show
only what is relevant to the user.
Menus are to be organised so as to have rapid access to the
most frequently used functions.
5.6.2 A means to go back to a safe state is always to be
accessible.
5.6.3 A clear warning is to be displayed when using func-
tions such as alteration of control condition, or change of
data or programs in the memory of the system.
5.6.4 A ‘wait’ indication is to warn the operator when the
system is executing an operation.
6 Integrated systems
6.1 General
6.1.1 Operation with an integrated system is to be at least
as effective as it would be with individual, stand alone
equipment.
6.1.2 Failure of one part (individual module, equipment or
subsystem) of the integrated system is not to affect the func-
tionality of other parts, except for those functions directly
dependant on information from the defective part.
6.1.3 A failure in connection between parts, cards connec-
tions or cable connections is not to affect the independent
functionality of each connected part.
6.1.4 Alarm messages for essential functions are to have
priority over any other information presented on the display.
7 Expert system
7.1
7.1.1 The expert system software is not to be implemented
on a computer linked with essential functions.
7.1.2 Expert system software is not to be used for direct
control or operation, and needs human validation by per-
sonnel on watch.
Bureau Veritas 113
Pt C, Ch 3, Sec 3

8 System testing 9 System maintenance

8.1 9.1 Maintenance

8.1.1 The system tests are to be carried out according to Ch 9.1.1 System maintenance is to be planned and docu-
3, Sec 6. mented.

8.1.2 All alterations of a system (hardware and software) 9.1.2 Remote software maintenance amy be considered on
are to be tested and the results of tests documented. case by case basis.

114 Bureau Veritas April 2009