Summary of system programming recommendations, Trusted – Rockwell Automation T80016 Application Note Maintenance Override Programming User Manual


AN-T80016 Maintenance Override Programming

Issue 1 June 08


Summary of System Programming Recommendations

Do not use the Debugger ‘Locking’ facility as an override.

All safety related I/O should have a maintenance override. Maintenance overrides should also be
considered for I/O that does not have a part in ESD or F&G actions, but will cause a nuisance if
tripped.

The Maintenance Override Enable should be an easily accessible keyswitch. There may be more than
one (for separate process units etc.). Overrides cannot be set if the Maintenance Override Enable is
not set to Enable. Setting the Maintenance Override Enable to Disable will remove all associated
overrides.

To set an override from the DCS:

- A command is sent from the DCS to the system by one tag,

- and a specific acknowledgement is sent back to the DCS by another tag.

- The operator must confirm that the acknowledgement matches the command, within a time window (30 seconds is recommended).

- The confirmation will set the override and clear the acknowledgement. It is reset after all override logic has run.

- The override is reported to the DCS on a separate point from the overridden safety point.

The confirmation may be one common point or individual points.

The above transaction and points are reset if a confirmation is not received within the time window.

Multiple overrides are allowed as long as only one override is used in a given safety related group.

Re-generate the DCS alarm if shift procedures do not remove and reinstate overrides on shift changes.

Override removal is effected by turning off the Maintenance Override Enable keyswitch or by clearing
the command.
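The command, acknowledgement and confirmation sequence above, modelled as a scan-based state machine in Python. This is an added example, not code from the application note or the Trusted toolset. It assumes constructed point and group names, one open transaction at a time, a common confirmation point, command tags that the logic can reset, and that "It is reset" refers to the confirmation.

```python
WINDOW_S = 30.0  # confirmation window recommended by the note

class OverrideLogic:
    """Scan-based model of one Maintenance Override Enable domain (illustrative)."""

    def __init__(self, groups):
        self.groups = groups    # point -> safety related group (constructed names)
        self.command = set()    # command tags: written by the DCS, reset by the logic
        self.confirm = False    # common confirmation tag written by the DCS
        self.ack = None         # acknowledgement tag echoed back to the DCS
        self.ack_at = 0.0       # time at which the acknowledgement was raised
        self.active = set()     # override status points, separate from safety points

    def scan(self, now, enable):
        """Run one logic scan; returns (acknowledgement, active overrides)."""
        if not enable:
            # Keyswitch at Disable removes all overrides and pending requests.
            self.command.clear()
            self.active.clear()
            self.ack = None
        else:
            self.active &= self.command  # clearing a command removes its override
            if self.ack is not None:
                expired = now - self.ack_at > WINDOW_S
                if expired or self.ack not in self.command:
                    self.command.discard(self.ack)  # reset transaction and points
                    self.ack = None
                elif self.confirm:
                    self.active.add(self.ack)  # confirmation sets the override
                    self.ack = None            # and clears the acknowledgement
            else:
                busy = {self.groups[p] for p in self.active}
                for point in sorted(self.command - self.active):
                    group = self.groups.get(point)
                    if group is None or group in busy:
                        self.command.discard(point)  # unknown point or group in use
                    else:
                        self.ack, self.ack_at = point, now  # open one transaction
                        break
        self.confirm = False  # confirmation is reset after all override logic has run
        return self.ack, frozenset(self.active)

if __name__ == "__main__":
    plc = OverrideLogic({"PT101": "G1", "PT102": "G1", "LT201": "G2"})  # constructed
    plc.command.add("PT101")
    print(plc.scan(0.0, True))   # acknowledgement raised, no override yet
    plc.confirm = True
    print(plc.scan(10.0, True))  # confirmed inside the window, override set
```

A timed-out request takes priority over a confirmation arriving on the same scan, so a late confirmation can never set an override.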
