AADvance Safety Manual - Tuv-fs.com
AADvance Safety Manual

Decommissioning

The procedure for decommissioning the system shall be defined. This procedure should include specific requirements for the safe decommissioning of the system and, where applicable, the safe disposal or return of materials.

As with commissioning, it is likely that decommissioning will be performed in a phased manner. The decommissioning procedure shall ensure that a plan is developed that maintains functional safety whilst the corresponding hazards are present. Similarly, the physical environment of the control equipment shall be maintained whilst the equipment is required to function.

The procedure for decommissioning shall address the following items:

- The sequence in which the hazards are to be removed.
- Methods which permit the removal of interactions between safety functions whilst maintaining functional safety for the remaining potential hazards and without initiating safety responses. This shall include the interaction between systems.
- A definition of the modules and materials which are to be returned to ICS Triplex for safe disposal following decommissioning.

Functional Safety Assessment

The functional safety assessment shall confirm the effectiveness of the functional safety performance of the system. The assessment, in this context, is limited to the safety-related system and should confirm that the system is designed, constructed and installed in accordance with the specified safety requirements.

The assessment shall consider each required safety function and its associated safety properties. The effects of faults and errors within the system and application programs, failures external to the system and procedural deficiencies in these safety functions are to be considered.

The assessment is to be carried out by an audit team that shall include independent assessors from outside of the project. At least one functional safety assessment shall be performed before the start-up of the system and the introduction of any potential hazards.

Safety Integrity Design

Safety Integrity

The architecture of the AADvance system has been designed to allow a scalable system to be configured using standard components. The configurations available range from simplex fail-safe to TMR (triple modular redundant) fault tolerance.

3-10 Document number 553630 Issue 7: February 2010

Chapter 3 Functional Safety Management

The processor module has been designed to meet the requirements for SIL2 with one, two or three processor modules, and SIL3 when two or three modules are fitted. Input and output modules have been designed to meet SIL3 requirements with a single module in a fail-safe mode.

The processor module and the individual I/O modules have built-in redundancy and have been designed to withstand multiple faults and to support a fixed on-line repair-by-replacement configuration in dual and triple modular redundant configurations. The input and output modules support a number of architecture options; the effects of the chosen architecture should be evaluated against the system and application-specific requirements.