System Time Constraints; Life Cycle Proof Test; Modifications; Maintenance Overrides - ABB Triguard SC300E Safety Manual

Triple modular redundant safety controller

6.2.5 System Time Constraints

When the configuration of the Triguard SC300E includes the requirement of a system time
constraint, the process must be shut down if a repair has not been successfully completed after
the system time constraint has elapsed.
6.2.6 Life Cycle Proof Test

The safety integrity level requirements and field device configuration will determine a Life Cycle
Proof Test for each safety loop.
The Life Cycle Proof Test ensures that all devices in the safety loop, from sensor to final
element, operate correctly.
The application of a certified Triguard SC300E System as the logic solver does not remove the
requirements for full safety loop proof testing.
6.2.6.1 Watchdog Maintenance
The external watchdog should be checked during the normal proof test maintenance cycle. The
watchdog configuration links must also be inspected during commissioning and maintenance.
6.2.7 Maintenance Overrides

The user must maintain strict control of maintenance overrides. It is recommended that the user
follows TUV maintenance override procedure version 2.2 0.8 September 1994.
When the TriBuild Maintenance Override facility is used to apply maintenance overrides directly,
the number of maintenance overrides in place at any one time will be limited to the maximum
number configured by the system administrator. Overrides applied by the use of the TriBuild
workstation will have limited time duration related to the shift operating time (typically 8 hours).
A warning is provided by the system that the maintenance overrides will be automatically
removed unless reinstated.
5.3 Modifications

Wherever possible, on-line modifications to a safety system should be avoided. If on-line
modifications are required, the complete safety case must be documented and approved by the
plant safety committee.
If the proposed modifications are not extensive, then providing the precautions documented in
the lifecycle models of IEC61508 and IEC61511 (Draft) are followed and providing the following
additional verification measures are taken, it will not be necessary to validate the complete
safety system.
If in the process of a modification of a ladder network an energised coil (output) is deleted and
the coil(s) are not used elsewhere on other networks, then the Output State will be maintained in
the last valid state (energised).
6.2.8 Minor Modifications

The following verification measures should be followed on all minor modifications to avoid the
necessity to complete a full system validation.
Verification should be completed and documented that the configuration changes required, and
only those required, have been implemented. These are recorded in the Build report log in the
Build directory.
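The following added example (not part of the manual, and not TriBuild code) shows one way to automate the "required and only those required" check, together with the deleted-coil warning in section 5.3. It assumes the before and after configurations have been exported into a simple `{network: {rung: coil}}` structure; that layout and every name in the sample data are constructed for illustration.

```python
# Added example. The snapshot layout {network: {rung: coil}} is a constructed
# model for illustration, not TriBuild's file or Build report format.

def flatten(config):
    """Return {(network, rung): coil} for every rung in a snapshot."""
    return {(net, rung): coil
            for net, rungs in config.items()
            for rung, coil in rungs.items()}

def review_modification(before, after, approved, energised):
    """Check a minor modification against its approved change list.

    approved  -- set of (network, rung) items the change request covers
    energised -- coils that were energised when the change was loaded
    """
    old, new = flatten(before), flatten(after)
    changed = {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}
    # Coils that no longer appear on any network after the change.
    removed_coils = set(old.values()) - set(new.values())
    return {
        # Implemented but never approved: "only those required" is violated.
        "unapproved": sorted(changed - approved),
        # Approved but not found in the new build: "required" is violated.
        "not_implemented": sorted(approved - changed),
        # Deleted while energised and unused elsewhere: per section 5.3 the
        # output is held in its last valid (energised) state.
        "held_energised": sorted(removed_coils & energised),
    }

# Constructed sample snapshots (hypothetical network, rung and coil names).
BEFORE = {
    "NET01": {"R1": "XV101_OPEN", "R2": "HORN"},
    "NET02": {"R1": "HORN", "R2": "P2_RUN"},
    "NET03": {"R1": "LAMP_7"},
}
AFTER = {
    "NET01": {"R1": "XV101_OPEN"},   # R2 deleted, HORN still driven by NET02
    "NET02": {"R1": "HORN"},         # R2 deleted, P2_RUN now unused
    "NET03": {"R1": "LAMP_8"},       # edited without approval
}
APPROVED = {("NET01", "R2"), ("NET02", "R2"), ("NET02", "R3")}
ENERGISED = {"HORN", "P2_RUN"}

if __name__ == "__main__":
    report = review_modification(BEFORE, AFTER, APPROVED, ENERGISED)
    for finding, items in report.items():
        print(finding, items)
```

Any non-empty list in the result is a reason to stop and document the discrepancy before the modification is accepted.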
Issue 5 - September 2006