Issue 5 - September 2006 Page 33 of 656

Maintenance And Modifications

6.1 Introduction

This section of the Safety Manual covers the safety aspects of two life cycle functions of a Triguard SC300E System, Maintenance and Modifications. The Operations and Maintenance Manual supplied by the Systems Integrator will cover all standard operational and maintenance procedures and be written specifically for the system configuration supplied.

With a fault tolerant system such as the Triguard SC300E, one of the primary tasks of maintenance is to keep the system in a 100% healthy state, so that the full power of the fault tolerance provided can be delivered to the safeguarding of the plant. Although the Triguard SC300E is inherently fail-safe on a second major fault, it should be noted that an operating plant is inherently safer when operating than during a start-up or shutdown phase. Therefore, unnecessary trips due to poor maintenance should be avoided.

6.2 Routine Maintenance

As with all safety-related systems, there will be a number of routine maintenance tasks required for any Triguard SC300E supplied. The routine maintenance tasks are documented in the Operations and Maintenance Manual supplied with the System by the System Integrator and in the relevant Product User Manuals. This section deals only with specific safety aspects related to routine maintenance.

6.2.1 System Verification

When first connecting the TriBuild workstation to the Triguard System, the on-line system is checked against the off-line system stored on the workstation. If the systems are different, a warning is given; the off-line system must then be closed down and the correct system selected prior to connecting to the Triguard system.

6.2.1.1 Application Logic Verification

The application logic can be verified by using the TriBuild Ladder compare facility. This compares the on-line ladder logic with the off-line ladder logic held on the TriBuild workstation.

6.2.2 Diagnostic Alarms and Messages

The structure of the diagnostics in a Triguard SC300E System is both hierarchical and fail-safe. In principle, whenever the first hardware fault is found, the fault call indicates this error by changing the status of the relevant fault call bit.

Certain fault call bits are specific and effectively resolve down to module level (e.g. CPU health). The majority of the input and output faults, however, appear as monitor errors, LFD errors, data/vote errors or initialisation errors.

As stated in the application section, the initialisation error will, by correct use of application logic, cause a shutdown to occur, as this error may indicate the removal of a vital input or output module.

These initial diagnostic alarms are readily reported to the operator by LEDs, lamps, alarm sounders, printer messages or alarm messages on the operator display console, and should initiate action by Operations to inform Maintenance that a problem exists.

With the exception of catastrophic failures, which in general would need to be personnel instigated (e.g. incorrectly removing an on-line module), all first failures are tolerated without the need to shut down the process.