Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com
34 Guidelines for Tricon Controllers

Design Requirements

Design requirement: During an override, proper operating measures should be implemented. The time span for overriding should be limited to one shift (typically no longer than 8 hours). A maintenance override switch (MOS) light on the operator console should be provided (one per controller or process unit).
Responsible Person (DCS, TriStation): Project Engineer, Commissioner, DCS, TriStation

Operating Requirements

The following table describes operating requirements for handling maintenance overrides when using serial communication.

| Operating Requirements | Responsible Person: DCS | Responsible Person: TriStation |
|---|---|---|
| Maintenance overrides are enabled for an entire controller or for a subsystem (process unit). | Operator, Maintenance Engineer | Maintenance Engineer, Type Approval |
| Controller activates an override. The operator should confirm the override condition. | Operator, Maintenance Engineer | Maintenance Engineer, Type Approval |
| Controller removes an override. | Operator, Maintenance Engineer | Maintenance Engineer |

Tricon Safety Considerations Guide
Guidelines for Tricon Controllers 35

Additional Recommendations

The following procedures are recommended in addition to the recommendations described in the tables on page 33 and page 34:

• A DCS program should regularly verify that no discrepancies exist between the override command signals issued by a DCS and override-activated signals received by a DCS from a PES. The following diagram depicts this procedure:

[Figure: PES Block Diagram. Labels: Safety-Instrumented System, Controller, Sensors, Safeguarding Application Program, Actuators, Hard-Wired Switch, Maintenance Override Handling (Application Program), Operator Warning, Distributed Control System, Inputs, Engineering Workstation]

• Use of the maintenance override capability should be documented in a DCS or TriStation log. The documentation should include:
  – Begin- and end-time stamps of the maintenance override.
  – Identification of the maintenance engineer or operator who activates a maintenance override. If the information cannot be printed, it should be entered in a work-permit or maintenance log.
  – Tag Name of the signal being overridden.
  – Communication packages that are different from a type-approved Modbus should include CRC, address check, and check of the communication time frame.
  – Loss of communication should lead to a warning to the operator and maintenance engineer. After loss of communication, a time-delayed removal of the override should occur after a warning to the operator.

Chapter 2 Application Guidelines
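The DCS-side checks recommended above, as an added example that is not part of the Triconex guide: it compares override commands issued by the DCS with override-activated signals reported by the PES, checks each active override against the log fields and the one-shift limit, and decides the action after loss of communication. Tag names, function names and the two communication timers are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_OVERRIDE = timedelta(hours=8)  # "one shift" limit from the design requirements

def check_overrides(commanded, active, log, now):
    """Return sorted (tag, finding) pairs for one verification cycle.

    commanded: tag names the DCS has issued override commands for
    active:    tag names the PES reports as override-activated
    log:       tag -> {"begin": datetime, "end": datetime or None, "by": str}
    """
    findings = []
    for tag in commanded - active:
        findings.append((tag, "commanded by DCS but not active in PES"))
    for tag in active - commanded:
        findings.append((tag, "active in PES without DCS command"))
    for tag in active:
        entry = log.get(tag)
        # The log must carry a begin time stamp and the person who activated it.
        if entry is None or entry.get("begin") is None or not entry.get("by"):
            findings.append((tag, "no complete log entry"))
        elif entry.get("end") is None and now - entry["begin"] > MAX_OVERRIDE:
            findings.append((tag, "override exceeds one shift"))
    return sorted(findings)

def comm_loss_action(last_rx, now,
                     warn_after=timedelta(seconds=5),     # assumed timer
                     remove_delay=timedelta(minutes=10)):  # assumed timer
    """Warn first, then remove the override after a delay, as recommended."""
    silent = now - last_rx
    if silent < warn_after:
        return "ok"
    if silent < warn_after + remove_delay:
        return "warn"
    return "remove_override"

# Constructed sample state (not taken from any real plant).
NOW = datetime(2024, 1, 1, 18, 0)
COMMANDED = {"PT-101", "LT-202"}
ACTIVE = {"PT-101", "FT-303"}
LOG = {"PT-101": {"begin": datetime(2024, 1, 1, 8, 0), "end": None, "by": "eng-01"}}

if __name__ == "__main__":
    for tag, finding in check_overrides(COMMANDED, ACTIVE, LOG, NOW):
        print(f"{tag}: {finding}")
    print(comm_loss_action(NOW - timedelta(minutes=1), NOW))
```
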