TÜV Cooperation Functional Safety
Maintenance Override / Wartungseingriffe
Draft Version 3.0
20 October 2000
Preface to Draft Version 3.0
This version specifically addresses:
Not all aspects are yet addressed in this draft. Comments and suggestions that can improve this maintenance override paper in terms of safety are very welcome.
The purpose of this document is to describe the procedures for the use of maintenance override of safety-related programmable electronic systems, such as sensors, controllers, and actuators. The document also shows how to overcome the safety problems and the inconvenience of hardwired solutions.
There are basically two methods in use to check safety-relevant peripherals connected to PLCs:
In some cases, for example, where space is limited, there is the desire to integrate the maintenance console to the operator display, or to have the maintenance condition covered by other strategies. This introduces a third alternative:
The available maintenance options and communication protocols must be part of the TÜV Type Approval of the safety system in order to be applied safely. If communication takes place over open networks, then, in addition to the functional safety requirements, security requirements must also be in place. The end user needs to take into account the advice given in the safety manual.
This option is to be handled with care and further explained in this document.
We strongly recommend keeping the tools for programming and debugging separate from the tools used for maintenance override. The engineering workstation that is used for programming should not be used for maintenance.
Procedure for Maintenance Override
The use of non-approved maintenance tools demands a complete test of the requirements after any change has been made. The thoroughness of this test must equal that of the initial acceptance test. The tests should not only focus on the changed parts of the program but also on the unchanged parts, as it cannot be guaranteed that the changes have no impact on the unchanged parts. Because of the cost associated with this, it is often not feasible to use non-approved tools.
When using approved tools it is possible to make changes to the program while taking into account the appropriate measures to maintain the required safety integrity level. After changes have been made to the program, it is possible to carry out limited verification activities if this is confirmed by an analysis of the required regression tests.
The procedures required for override or online changes must be described in the safety manual.
Approved tools generally meet the following requirements:
Communication is established using approved protocols. It is possible to use protocols that are universally valid for the current safety level (e.g., Modbus RTU) or vendor-specific, proprietary protocols that have been taken into account during the type approval process of the PLC. In general, only tools that have been approved for their intended use may be used.
Guidelines to carry out Maintenance Override
These guidelines apply mainly to application engineering and operation of a plant.
TÜV Rheinland Group
TÜV Rheinland Industrie Service GmbH
Automation - Software - Information Technology (ASI)
TÜV SÜD Group
TÜV Automotive / TÜV Product Service
Automation, Software and Electronics