Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 15 of 103

• Methods for detecting systematic failure that may affect other elements of the
system or other systems, and links to the satisfactory resolution of the
issues.

• Procedures for tracking all reported anomalies, their workaround and/or
resultant corrective action where applicable.

2.2.1.11 System Modification

Design changes will inevitably occur during the system lifecycle; to ensure that the
system safety is maintained, such changes shall be carefully managed. Procedures
defining the measures to be adopted when updating the plant or system shall be
documented. These procedures shall be the responsibility of the end-user. The
system integrator shall provide sufficient guidance to ensure that these procedures
maintain the required level of functional safety. Special consideration shall be given to
the procedures to be adopted in case of product level updates and enhancement, i.e.
module and firmware updates. Updates to the system shall include considerations of
the requirements for application changes and firmware changes. These procedural
measures shall include:

• A requirement to undertake an impact analysis of any such changes.

• The measures to be implemented during the modification to the system and
its programming. These measures shall be in line with the requirements
within this document. Specifically, the requirements defined in sections 2.2
to 2.2.1.8 shall be applied, as well as the additional requirements defined in
this paragraph (2.2.1.11).

• The definition of these procedures shall include the review and authorisation
process to be adopted for system changes.

2.2.1.11.1 Baselines

Baselines shall be declared beyond which any change shall follow the formal change
management procedure. The point within the lifecycle at which these baselines are
declared depends on the detail of the processes involved, the complexity of the
system, how amenable to change these processes are, and the required safety
requirements class. It is recommended that the baseline for the formal change process
be the completion of each step in the lifecycle. However, as a minimum, the baseline
shall be declared before the potential hazards are present, i.e. before start-up.

2.2.1.11.2 Modification Records

Records of each requested or required change shall be maintained. The change
management procedure shall include consideration of the impact of each of the
required/requested changes before authorising the implementation of the change. The
implementation of the change should repeat those elements of the lifecycle
appropriate to the change. The testing of the resultant changes should include
non-regression testing in addition to testing of the change itself.
