Issue 5 - September 2006 Page 36 of 656.2.5 System Time ConstraintsWhen the configuration of the Triguard SC300E includes the requirement of a system timeconstraint the process must be shut down if a repair has not been successfully completed afterthe system time constraint has elapsed.6.2.6 Life Cycle Proof TestThe safety integrity level requirements and field device configuration will determine a Life CycleProof Test for each safety loop.The Life Cycle Proof Test ensures that all devices in the safety loop, from sensor to finalelement, operate correctly.The application of a certified Triguard SC300E System as the logic solver does not remove therequirements for full safety loop proof testing.6.2.6.1 Watchdog MaintenanceThe external watchdog should be checked during the normal proof test maintenance cycle. Thewatchdog configuration links must also be inspected during commissioning and maintenance.6.2.7 Maintenance OverridesThe user must maintain strict control of maintenance overrides. It is recommended that the userfollows TUV maintenance override procedure version 2.2 0.8 September 1994.When the TriBuild Maintenance Override facility is used to apply maintenance overrides directly,the number of maintenance overrides in place at any one time will be limited to the maximumnumber configured by the system administrator. Overrides applied by the use of the TriBuildworkstation will have limited time duration related to the shift operating time (typically 8 hours).A warning is provided by the system that the maintenance overrides will be automaticallyremoved unless reinstated.5.3 ModificationsWherever possible on-line modifications to a safety system should be avoided. If on-linemodifications are required, the complete safety case must be documented and approved by theplant safety committee.If the proposed modifications are not extensive, then providing the precautions documented inthe lifecycle models of IEC61508 and IEC61511 (Draft) are followed and providing the followingadditional verification measures are taken, it will not be necessary to validate the completesafety system.WARNINGIf in the process of a modification of a ladder network an energised coil (output) is deleted andthe coil(s) are not used elsewhere on other networks, then the Output State will be maintained inthe last valid state (energised).6.2.8 Minor ModificationsThe following verification measures should be followed on all minor modifications to avoid thenecessity to complete a full system validation.Verification should be completed and documented that the configuration changes required andonly those required has been implemented. These are recorded in the Build report log in theBuild directory