Trusted – Rockwell Automation T80016 Application Note Maintenance Override Programming User Manual

Trusted™ AN-T80016 Maintenance Override Programming
Issue 1 June 08

have a part in ESD or F&G actions, but which may cause a significant nuisance if accidentally tripped
(e.g. control room alerts).

4. Maintenance overrides are enabled for the whole PLC or a subsystem (process unit) by the DCS or other applicable authorized procedures (e.g. key switch, or password authorization). Note: "enabling" the overrides permits, but does not necessarily turn on, the overrides.

The Maintenance Override Enable is a secure way of ensuring that overrides can only be applied
under the site authorization procedures. Since it is only one or a limited number of points, it is usually
implemented with a panel keyswitch; this is secure and easily accessible. The statement above also
allows for a DCS-based Enable. This application note advises that this should be considered only if
there cannot be a keyswitch (e.g. for remote servicing); note the comments on override removal in
clause 10 below.

Beyond requiring an Enable, the statement above is quite open. The Enable must be active to allow
overrides to be set, but it can be implemented equally as a pre-requisite (must be set before overrides
may be set) or as a final authorisation. There is no indication whether removing the Enable will also
remove all maintenance overrides; however this is the common interpretation when the Enable is a
pre-requisite (see clause 10 below).

5. Because of organizational measures the operator should confirm the override condition.

This prevents accidental application of overrides, providing a measure of security. This application note
recommends that this is tied in with the suggested method for security in clause 1 above, where the
command and acknowledgement must agree before the override can be applied.

This command/acknowledgement security has one disadvantage. If a command is sent, acknowledged and not confirmed, then the transaction remains permanently waiting and may be inadvertently completed in the future. This application note recommends that if an override is not acknowledged within a time window, the transaction is reset. The window is typically 30 seconds, which allows for decision-making time and communications/graphics delays.

6. Direct overrides on inputs and outputs are not allowed (e.g., using clamps). Overrides have to be checked and implemented in relation to the application.

This also does not allow variable locking. Overrides must be applied in a planned controlled manner.

7. Multiple overrides in a PLC are allowed as long as only one override is used in a given safety related group.

A safety related group is a set of I/O that has the same safety function. For example, do not allow the
override of more than one of a set of three gas detectors in a group of three, or allow all high pressure
safety alarms to be overridden for a vessel. Ensure that the process is still protected. The definition of
‘safety related group’ should be limited to all devices supplying the same or similar detection/protection
to the same or associated safety parameter (level, pressure, fire, gas) in the same or in linked areas.

8. The alarm shall not be overridden. It should always be clear that signals are in a maintenance condition.

This statement is referring to the alarm raised at the DCS to indicate an active maintenance override and would make more sense if it followed clause 9. However, clauses 10 and 11 imply a similar requirement on the safety system: the operator must still be aware of the alarm state during the override of an input.

Keep the DCS alarm separate from the overridden safety point (do not use the safety point as the DCS
alarm). The DCS alarm should still indicate when the input is in alarm. This will create nuisance alarms
during maintenance, but the operators will be aware of the maintenance through the site permit system
and can check if the alarm is genuine.
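As an added illustration (not code from this application note or from the Trusted product), the following Python model shows the override handshake discussed in clauses 4, 5, 7 and 8 working together: the Enable as a prerequisite, command and acknowledgement agreeing within the 30-second window, one override per safety-related group, and the DCS alarm kept separate from the overridden safety point. Point names, group names and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field

ACK_WINDOW_S = 30.0  # acknowledgement window; the note gives 30 s as typical


@dataclass
class OverrideManager:
    """Model of the override handshake in clauses 4, 5, 7 and 8 of the note."""
    groups: dict                                  # point -> safety-related group
    enable: bool = False                          # Maintenance Override Enable
    pending: dict = field(default_factory=dict)   # point -> command timestamp
    active: set = field(default_factory=set)      # points currently overridden

    def command(self, point, now):
        """Accept only while Enable is active (cl. 4) and the group is free (cl. 7)."""
        if point not in self.groups:
            return "rejected: unknown point"
        if not self.enable:
            return "rejected: enable not active"
        if any(self.groups[p] == self.groups[point] for p in self.active):
            return "rejected: group already has an override"
        self.pending[point] = now
        return "pending acknowledgement"

    def acknowledge(self, point, now):
        """Command and acknowledgement must agree; a late one resets the transaction (cl. 5)."""
        started = self.pending.pop(point, None)
        if started is None:
            return "rejected: no matching command"
        if now - started > ACK_WINDOW_S:
            return "rejected: window expired, transaction reset"
        if not self.enable:
            return "rejected: enable not active"
        self.active.add(point)
        return "override applied"

    def remove_enable(self):
        """Enable as prerequisite: removing it clears pending and active overrides."""
        self.enable = False
        self.pending.clear()
        self.active.clear()

    def trip_demand(self, point, raw_in_alarm):
        """Safety logic sees the input only while it is not overridden."""
        return raw_in_alarm and point not in self.active

    def dcs_alarms(self, raw_inputs):
        """DCS alarm stays separate from the safety point and shows the override too (cl. 8, 9)."""
        alarms = [f"{p}: input in alarm" for p, a in raw_inputs.items() if a]
        return alarms + [f"{p}: maintenance override active" for p in sorted(self.active)]
```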

9. The PLC alerts the operator (e.g. via the DCS) indicating the override condition. The operator will be warned until the override is removed.

See clause 8. The presence of an override should be clear to the operator, e.g. by an alarm and an
entry in the event log. The second clause is sometimes implemented as a returning alarm alerting the
operator every new shift, so that new personnel do not have to hunt through hundreds of historical
alarms to be aware of override status. Some sites demand that permits are suspended and overrides
