Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 13 of 103

2.2.1.9 Safety System Validation

Safety system validation shall test the integrated system to ensure compliance with the
requirements specification at the intended safety requirements class. The validation
activities should include those necessary to establish that the required safety functions
have been implemented under normal start-up, shutdown and abnormal fault modes.

The validation shall ensure that each functional safety requirement has been
implemented at the required safety integrity level, and that the realisation of the
function achieves its performance criteria, specifically that the process safety time
requirements have been met. The validation shall also consider the potential external
common cause failures, i.e. power sources, environmental conditions, and ensure that
the system will provide fail-safe operation in the event of conditions exceeding its
capabilities.

2.2.1.10 Operation and Maintenance Plan

This Operation and Maintenance requirement ensures that functional safety continues
beyond the design, production, installation and commissioning of the system. In-service
operation and maintenance is normally beyond the system integrator's responsibility.
However, guidance and procedures shall be provided to ensure that the persons or
organisations responsible for Operation and Maintenance maintain the intended safety
levels.

The Operating and Maintenance Plan shall include the following:

• Although the TMR product requires no specific power-up and power-down
requirements, it is possible that the project specific implementation will
dictate specific action sequences. These sequences shall be clearly defined,
ensuring that the sequences cannot result in periods of the system’s inability
to respond safely whilst a hazard may be present.

• The Maintenance Plan shall detail the procedures to be adopted when
re-calibrating sensors, actuators and I/O modules. The recommended
calibration periods shall also be included.

• The Maintenance Plan shall include the procedure to be adopted for testing
the system, and the maximum intervals between manual testing.

• Sensor and actuator maintenance will require the application of overrides in
certain circumstances. Where these are required, they shall be implemented
in accordance with the guidance provided within this document.

2.2.1.10.1 Planned Maintenance

In most system configurations there will be some elements that are not tested by the
system’s internal test facilities. These may be the final passive elements in some I/O
module types, the sensors and actuators themselves, and the field wiring. A regime of
Planned Maintenance testing shall be adopted to ensure that faults do not accumulate
within those elements, since accumulated faults could ultimately lead to the system’s
inability to perform its required safety functions. The maximum interval between these
tests shall be defined during the system design, i.e. before installation. It is highly
recommended that the test interval be less than 12 months.
