Collapse to view only § 62.30-10 - Testing.

§ 62.30-1 - Failsafe.

(a) The failsafe state must be evaluated for each subsystem, system, or vessel to determine the least critical consequence.

(b) All automatic control, remote control, safety control, and alarm systems must be failsafe.

§ 62.30-5 - Independence.

(a) Single non-concurrent failures in control, alarm, or instrumentation systems, and their logical consequences, must not prevent sustained or restored operation of any vital system or systems.

(b)(1) Except as provided in paragraphs (b)(2) and (b)(3) of this section, primary control, alternate control, safety control, and alarm and instrumentation systems for any vital system must be independent of each other.

(2) Independent sensors are not required except that sensors for primary speed, pitch, or direction of rotation control in closed loop propulsion control systems must be independent and physically separate from required safety control, alarm, or instrumentation sensors.

(3) The safety trip control of § 62.35-5(b)(2) must be independent and physically separate from all other systems.

(c) Two independent sources of power must be provided for all primary control, safety control, instrumentation and alarm systems. Failure of the normal source of power must actuate an alarm in the machinery spaces. One source must be from the emergency power source (see part 112 of this chapter, Emergency Lighting and Power Systems) unless one of the sources is—

(1) Derived from the power supply of the system being controlled or monitored;

(2) A power take-off of that system; of

(3) An independent power source equivalent to the emergency power source.

§ 62.30-10 - Testing.

(a) Automated vital systems must be tested in accordance with subpart 61.40 of this chapter.

(b) On-line built-in test equipment must not lock out or override safety trip control systems. This equipment must indicate when it is active.