Trusted – Rockwell Automation T80016 Application Note Maintenance Override Programming User Manual

Page 4


Trusted™ AN-T80016 Maintenance Override Programming, Issue 1 June 08

are removed at the end of a shift; in this case the fresh re-application of an override will automatically
generate a new alarm.

10. During the period of override proper operational measures have to be implemented to assure that the intervention can be removed again.

Removing the override should be guaranteed. A suggested solution is to ensure there is more than one
way to remove overrides. In addition to individual override removal procedures, removing the
Maintenance Override Enable could remove all overrides that it enables (see clause 4 above). This is a
typical solution.

However, if the Maintenance Override Enable is based in the DCS, and the DCS fails with overrides
still set, there is no remaining secure way to remove overrides. This is a good reason to make the
Maintenance Override Enable a hardwired keyswitch instead of a DCS operation.

11. During the period of override proper operational measures have to be implemented to assure that the intervention into the process does not lead to unacceptable conditions.

This is linked to clause 7 above. If it is not possible to assure supervised safe operation within the
safety system using multiple monitoring points for the same safety function, then manual monitoring
(e.g. a firewatch) or a partial shutdown is needed; these ‘operational measures’ are outside of the
system’s scope.

12. A program in the DCS checks regularly that no discrepancies exist between the override command signals from the DCS and the override activated signals received by the DCS from the PLC.

This is often overlooked. It is possible to cancel overrides using the Toolset online debugger; the DCS
alarm and override indication will quietly disappear. Application changes could also cause the system
to ‘forget’ applied overrides. In addition to the override control in the system, there must also be
functions running in the DCS that highlight dropped or unauthorized overrides. This could either be via
scripts that generate alarms or by graphical indications that make the discrepancy obvious, e.g. a partly
coloured icon on an override summary page. A script is better because it doesn’t require the override
summary page to be permanently visible.

13. The use of the maintenance override function should be documented on the DCS and on the programming environment if connected. The print-out should include:

o the time stamp of start and end of maintenance override
o the ID of the person who activated the maintenance override - maintenance engineer or operator
o If the override information cannot be printed online (preferred), it should be entered in the work-permit
o the tag name of the signal being overridden

This requires an event log; on newer systems this is more likely to be on disk than on paper. The DCS
will record the currently logged-in username as the ‘ID’.
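The discrepancy check of clause 12 and the event record of clause 13 can be illustrated together. The following is an added example, not code from the application note or from the Trusted toolset; the class and method names, the tag names and the user IDs are all constructed for the illustration, and the PLC feedback is modelled as a plain set of tag names.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class OverrideEvent:
    """One clause-13 log entry: tag, who applied it, start and end time."""
    tag: str
    user: str
    start: datetime
    end: Optional[datetime] = None


class OverrideMonitor:
    """DCS-side override bookkeeping (hypothetical names, added example)."""

    def __init__(self) -> None:
        self.commanded: Dict[str, str] = {}  # tag -> user who commanded the override
        self.log: List[OverrideEvent] = []

    def command(self, tag: str, user: str, now: datetime) -> None:
        """Operator/engineer applies an override from the DCS; logged as clause 13 requires."""
        self.commanded[tag] = user
        self.log.append(OverrideEvent(tag, user, now))

    def remove(self, tag: str, now: datetime) -> None:
        """Override removed from the DCS; close the open log entry for that tag."""
        self.commanded.pop(tag, None)
        for ev in reversed(self.log):
            if ev.tag == tag and ev.end is None:
                ev.end = now
                break

    def check(self, active_from_plc: Set[str]) -> List[str]:
        """Clause 12 periodic check: compare DCS commands with PLC feedback.
        Commanded but not active  -> the override was dropped (e.g. cleared via the debugger).
        Active but not commanded  -> an override the DCS did not authorise."""
        alarms = []
        for tag in sorted(set(self.commanded) - active_from_plc):
            alarms.append(f"DROPPED override on {tag}: commanded by DCS but not active in PLC")
        for tag in sorted(active_from_plc - set(self.commanded)):
            alarms.append(f"UNAUTHORIZED override on {tag}: active in PLC but not commanded by DCS")
        return alarms

    def report(self) -> List[str]:
        """Clause 13 print-out lines: start/end time stamp, user ID, tag name."""
        return [f"{ev.start.isoformat()} .. {ev.end.isoformat() if ev.end else 'OPEN'} "
                f"user={ev.user} tag={ev.tag}" for ev in self.log]
```

Run `check()` from a cyclic task, not only when an override summary page is open, so a dropped or unauthorised override raises an alarm even when nobody is looking at the page.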
