Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 14 of 103

2.2.1.10.2 Field Device Maintenance

During the lifetime of the system it will be necessary to undertake a number of field
maintenance activities, including re-calibration, testing and replacement of
devices. Facilities should be included within the system design to allow these
maintenance activities to be undertaken. Similarly, the operating and maintenance
plan needs to include these maintenance activities and their effect on the system
operation and design. In general, adequate provision for these measures will be
defined by the client; provided the facilities, i.e. maintenance overrides, are
implemented within the requirements specified in this document, no further safety
requirements apply.

It is highly recommended that the I/O forcing capability NOT be used to support field
device maintenance; this facility is provided to support application testing only. Should
this facility be used, the requirements defined in para. 3.8 shall be applied.

2.2.1.10.3 Module Fault Handling

When properly configured and installed, the TMR system is designed to operate
continuously and correctly even if one of its modules has a fault. When a module does
have a fault it should be replaced promptly to ensure that faults do not accumulate,
thereby causing multiple failure conditions that could cause a plant shutdown. All
modules permit live removal and replacement, and modules within a fault-tolerant
configuration can be removed with no further action. Modules that do not have a
partner slot or smart slot configured and have a fail-safe configuration will require the
application of override or bypass signals for the period of the module removal to
ensure that unwanted safety responses are not generated inadvertently.

On-site repair of modules is not supported; all failed modules should be returned for
repair and/or fault diagnosis. The return procedure for modules should include
procedures to identify the nature and circumstances of the failure and the system
response. Records of module failures and repair actions shall be maintained.

2.2.1.10.4 Monitoring

In order to establish that the safety objectives have been met through the lifetime of
the system it is important to maintain records of the faults, failures and anomalies.
This requires the maintenance of records by both the end-user and the system
integrator. The records maintained by the end-user are outside the scope of this
document; however, it is highly recommended that the following information be
included:

• Description of the fault, failure or anomaly

• Details of the equipment involved, including module types and serial numbers where appropriate

• When the fault was experienced and any circumstances leading to its occurrence

• Any temporary measures implemented to correct or work around the problem

• Description of the resolution of the problem and reference to remedial action plans and impact analysis
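The pre-removal rule of 2.2.1.10.3 and the fault-record content of 2.2.1.10.4 can be enforced together in the maintenance tooling, so that an override applied to cover a module removal is automatically captured as a temporary measure and a record cannot be closed without its resolution and remedial-action reference. The following is an added example written for this page, not code from Rockwell Automation or from the T8094 manual. The class and field names, the reading of "partner slot or smart slot configured" as the fault-tolerant case, the handling of a module that is neither fault tolerant nor fail-safe (which the manual does not address), and the module types, serial numbers and reference identifiers in the scenario are all assumptions or constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ModuleConfig:
    """Configuration facts the pre-removal check needs (field names are assumed)."""
    slot: str
    module_type: str
    serial_number: str
    partner_slot: Optional[str] = None  # set when a fault-tolerant partner slot is configured
    smart_slot: bool = False            # True when a smart slot is configured
    fail_safe: bool = True              # module's configured failure response


def removal_action(m: ModuleConfig) -> str:
    """Action required before the module is removed live (rule of 2.2.1.10.3).

    A module with a partner slot or smart slot configured is treated as being in a
    fault-tolerant configuration (assumption) and can be removed with no further
    action. One with neither, and a fail-safe configuration, needs override or
    bypass signals for the period of removal so that no unwanted safety response
    is generated.
    """
    if m.partner_slot is not None or m.smart_slot:
        return "no further action"
    if m.fail_safe:
        return "apply override/bypass signals for the removal period"
    # Not covered by the manual's rule; flagged for the maintenance plan (assumption).
    return "not covered: assess per operating and maintenance plan"


@dataclass
class FaultRecord:
    """Fault, failure or anomaly record carrying the information 2.2.1.10.4 recommends."""
    description: str
    equipment: list[ModuleConfig]
    occurred_at: datetime
    circumstances: str = ""
    temporary_measures: list[str] = field(default_factory=list)
    resolution: Optional[str] = None
    remedial_action_ref: Optional[str] = None  # reference to remedial action plan / impact analysis
    system_response: str = ""                  # asked for by the return procedure of 2.2.1.10.3

    def missing_for_closure(self) -> list[str]:
        """Recommended fields that are still empty, so the record must stay open."""
        missing = []
        if not self.description.strip():
            missing.append("description")
        if not self.equipment:
            missing.append("equipment")
        if not self.resolution:
            missing.append("resolution")
        if not self.remedial_action_ref:
            missing.append("remedial_action_ref")
        return missing


def plan_removal(record: FaultRecord, m: ModuleConfig) -> str:
    """Decide the removal action and log any override as a temporary measure."""
    action = removal_action(m)
    if action.startswith("apply override"):
        record.temporary_measures.append(
            f"{action} on slot {m.slot} ({m.module_type} s/n {m.serial_number})"
        )
    return action


def close_record(record: FaultRecord, resolution: str, remedial_ref: str) -> FaultRecord:
    """Close the record; refuse while recommended information is still missing."""
    record.resolution = resolution
    record.remedial_action_ref = remedial_ref
    missing = record.missing_for_closure()
    if missing:
        raise ValueError("record incomplete: " + ", ".join(missing))
    return record


def example() -> tuple[str, str, list[str]]:
    """Constructed scenario: two faulted modules, only one of them in a fault-tolerant pair."""
    paired = ModuleConfig("A3", "input module", "SN-0001", partner_slot="A4")
    lone = ModuleConfig("B7", "output module", "SN-0002")
    rec = FaultRecord(
        description="Fault LED on slot B7; channel discrepancy reported",
        equipment=[paired, lone],
        occurred_at=datetime(2013, 6, 1, 9, 30, tzinfo=timezone.utc),
        circumstances="Observed during routine proof test",
        system_response="Continued operation on remaining channels",
    )
    first = plan_removal(rec, paired)   # "no further action"
    second = plan_removal(rec, lone)    # override/bypass required and logged
    close_record(rec, "Module replaced; failed unit returned for repair", "RAP-0001")
    return first, second, rec.temporary_measures


if __name__ == "__main__":
    print(example())
```

The removal decision is deliberately kept in one function so that the maintenance plan can be audited against the manual's rule, and the override is written into the record at the moment it is planned rather than left to be reconstructed afterwards; the closure check is what turns the "highly recommended" record content into something the end-user's process actually enforces.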

Each system integrator should define the field returns, repair and defect handling
procedure. The information requirements placed on the end user because of this
procedure should be clearly documented and provided to the end user. The defect
handling procedure shall include:

• Method of detecting product related defects and the reporting of these to the

original designers.
