Safety Considerations Guide for Trident v2 Systems - TUV ...
28 Chapter 2 Application Guidelines

Table 3 describes the design requirements for handling maintenance overrides when using Triconex communication capabilities.

Table 3 Design Requirements for Maintenance Override Handling

Design Requirements:
• Control program logic and the controller configuration determine whether the desired signal can be overridden.
• Control program logic and/or system configuration specify whether simultaneous overriding in independent parts of the application is acceptable.
• Controller activates the override. The operator should confirm the override condition.
• Direct overrides on inputs and outputs are not allowed, but should be checked and implemented in relation to the application.
• Multiple overrides in a controller are allowed as long as only one override applies to each safety-critical group.
• The controller alarm should not be overridden.
• DCS warns the operator about an override condition.
• The operator continues to receive warnings until the override is removed.
• A second way to remove the maintenance override condition should be available.
• If urgent, a maintenance engineer may remove the override using a hard-wired switch.
• During an override, proper operating measures should be implemented.
• The time span for overriding should be limited to one shift (typically no longer than eight hours).
• A maintenance override switch (MOS) light on the operator console should be provided (one per controller or process unit).

Responsible Person (column entries, in table order): TriStation 1131 DCS Software; Project Engineer, Commissioner; Project Engineer, Commissioner; Project Engineer; Project Engineer, Type Approval; Operator, Maintenance Engineer; Maintenance Engineer, Type Approval; Project Engineer; Project Engineer, Type Approval; Project Engineer, Commissioner; Project Engineer; Project Engineer, Commissioner, DCS, TriStation 1131 software; N/A; Maintenance Engineer, Type Approval
Guidelines for Triconex Controllers 29

Table 4 describes the operating requirements for handling maintenance overrides when using Triconex communication capabilities.

Table 4 Operating Requirements for Maintenance Override Handling

Operating Requirements (Responsible Person for each row: Operator, Maintenance Engineer):
• Maintenance overrides are enabled for an entire controller or for a subsystem (process unit).
• Controller activates an override. The operator should confirm the override condition.
• Controller removes an override.

Responsible Person (further column entries, in table order): TriStation 1131 Software; Maintenance Engineer, Type Approval; Maintenance Engineer, Type Approval; Maintenance Engineer

Additional Recommendations

These procedures are recommended in addition to the recommendations described in the tables on page 28 and page 29:
• A DCS program should regularly verify that no discrepancies exist between the override command signals issued by a DCS and override-activated signals received by a DCS from a PES. This figure shows the procedure:

Figure 6 PES Block Diagram [figure not reproduced; blocks shown: Sensors; Inputs; Safeguarding Application Program; Actuators; Hard-Wired Switch; Safety-Instrumented System Controller; Maintenance Override Handling (Application Program); Distributed Control System (DCS); Engineering Workstation; Operator Warning]
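The rules in Tables 3 and 4 and the DCS discrepancy check recommended above, modelled as an added Python example. This is illustration code written for this page, not Triconex, TriStation 1131 or any DCS vendor's code: the tag names (PT-101, PT-102, TT-201, XV-301, ESD-ALARM), process units (U1, U2), safety-group names and the sample timestamps are constructed, and the eight-hour limit is taken from Table 3. The controller-side class enforces one override per safety-critical group, refuses the controller alarm and non-overridable signals, tracks operator confirmation, flags overrides older than one shift, keeps warning until removal, offers the hard-wired switch as a second removal path and drives one MOS light per process unit; the DCS-side function compares issued override commands with the override-active feedback received from the PES.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# "one shift (typically no longer than eight hours)" from Table 3
MAX_OVERRIDE_DURATION = timedelta(hours=8)


@dataclass(frozen=True)
class Tag:
    name: str
    process_unit: str        # unit whose MOS light on the operator console is lit
    safety_group: str        # safety-critical group: at most one override per group
    overridable: bool = True  # decided by program logic / controller configuration
    is_alarm: bool = False    # the controller alarm is never overridable


@dataclass
class Override:
    tag: Tag
    activated_at: datetime
    confirmed: bool = False   # operator has confirmed the override condition


# Constructed sample tag database (hypothetical names, not from the guide).
SAMPLE_TAGS: Dict[str, Tag] = {t.name: t for t in [
    Tag("PT-101", "U1", "reactor-pressure"),
    Tag("PT-102", "U1", "reactor-pressure"),
    Tag("TT-201", "U2", "reactor-temperature"),
    Tag("XV-301", "U2", "isolation-valve", overridable=False),   # direct output override not allowed
    Tag("ESD-ALARM", "U1", "controller-alarm", is_alarm=True),
]}


class OverrideManager:
    """Controller-side maintenance override handling (application-program logic)."""

    def __init__(self, tags: Dict[str, Tag]):
        self.tags = tags
        self.active: Dict[str, Override] = {}

    def request(self, tag_name: str, now: datetime) -> Override:
        tag = self.tags[tag_name]
        if tag.is_alarm:
            raise PermissionError(f"{tag_name}: the controller alarm must not be overridden")
        if not tag.overridable:
            raise PermissionError(f"{tag_name}: program logic/configuration forbids overriding")
        for other in self.active.values():
            if other.tag.safety_group == tag.safety_group:
                raise PermissionError(
                    f"{tag_name}: group {tag.safety_group!r} already overridden by {other.tag.name}")
        ov = Override(tag, now)
        self.active[tag_name] = ov
        return ov

    def confirm(self, tag_name: str) -> None:
        self.active[tag_name].confirmed = True

    def remove(self, tag_name: str, via_hardwired_switch: bool = False) -> bool:
        """Normal removal by the operator, or the second independent path: the
        maintenance engineer's hard-wired switch. Returns True if an override was cleared."""
        return self.active.pop(tag_name, None) is not None

    def expired(self, now: datetime) -> List[str]:
        """Overrides older than one shift; these must be removed or re-justified."""
        return sorted(n for n, ov in self.active.items()
                      if now - ov.activated_at > MAX_OVERRIDE_DURATION)

    def operator_warnings(self, now: datetime) -> List[str]:
        """Warnings the DCS keeps repeating until each override is removed."""
        msgs = []
        for name in sorted(self.active):
            ov = self.active[name]
            age_h = (now - ov.activated_at) / timedelta(hours=1)
            state = "confirmed" if ov.confirmed else "UNCONFIRMED"
            flag = " EXPIRED" if now - ov.activated_at > MAX_OVERRIDE_DURATION else ""
            msgs.append(f"OVERRIDE {name} ({ov.tag.process_unit}) {state} {age_h:.1f} h{flag}")
        return msgs

    def mos_lights(self) -> Dict[str, bool]:
        """One maintenance override switch (MOS) light per process unit."""
        units = {t.process_unit for t in self.tags.values()}
        lit = {ov.tag.process_unit for ov in self.active.values()}
        return {u: u in lit for u in sorted(units)}


def override_discrepancies(commanded: Set[str], pes_active: Set[str]) -> Dict[str, List[str]]:
    """DCS-side cross-check: override commands the DCS issued versus the
    override-activated signals received back from the PES. Any difference
    is raised to the operator."""
    return {
        "commanded_not_active": sorted(commanded - pes_active),
        "active_not_commanded": sorted(pes_active - commanded),
    }


if __name__ == "__main__":
    mgr = OverrideManager(SAMPLE_TAGS)
    t0 = datetime(2024, 1, 1, 8, 0)
    mgr.request("PT-101", t0)
    mgr.confirm("PT-101")
    mgr.request("TT-201", t0 + timedelta(minutes=30))
    for w in mgr.operator_warnings(t0 + timedelta(hours=9)):
        print(w)
    print(mgr.mos_lights())
    print(override_discrepancies({"PT-101", "TT-201"}, {"PT-101"}))
```

The discrepancy check is deliberately a pure set comparison so it can run on every DCS scan against the feedback words read from the PES; in a real deployment the two sets come from the DCS command image and the PES status image respectively.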