3.1.1 In so far as is practicable, all components in a DP-system should be designed, constructed and tested in accordance with international standards recognized by the Administration.
3.1.2 In order to meet the single failure criteria given in 2.2, redundancy of components will normally be necessary as follows:

.1 for equipment class 2, redundancy of all active components;

.2 for equipment class 3, redundancy of all components and physical separation of the components.
3.1.3 For equipment class 3, full redundancy may not always be possible (e.g., there may be a need for a single change-over system from the main computer system to the back-up computer system). Non-redundant connections between otherwise redundant and separated systems may be accepted provided that it is documented to give clear safety advantages, and that their reliability can be demonstrated and documented to the satisfaction of the Administration. Such connections should be kept to the absolute minimum and made to fail to the safest condition. Failure in one system should in no case be transferred to the other redundant system.
3.1.4 Redundant components and systems should be immediately available and of such capacity that the DP-operation can be continued for such a period that the work in progress can be terminated safely. The transfer to a redundant component or system should be automatic as far as possible, and operator intervention should be kept to a minimum. The transfer should be smooth and within the acceptable limitations of the operation.