
GENERAL SPECIFICATION FOR SAFETY INSTRUMENTED SYSTEM (SIS)

Page1/21

1. INTRODUCTION ..... 3
  1.1 SCOPE OF WORK ..... 3
  1.2 SYSTEM STRUCTURE ..... 3
2. ABBREVIATIONS ..... 4
3. CODES AND STANDARDS ..... 4
4. GENERAL REQUIREMENTS ..... 5
  4.1 SYSTEM ENVIRONMENT ..... 5
  4.2 ELECTRICAL REQUIREMENTS ..... 5
  4.3 ELECTRICAL HAZARDOUS REQUIREMENTS ..... 6
  4.4 SIZING AND CAPACITY ..... 6
  4.5 COMPONENT IDENTIFICATION SYSTEM ..... 9
  4.6 SYSTEM AVAILABILITY ..... 9
  4.7 TIME SYNCHRONIZATION ..... 9
5. HARDWARE DESIGN REQUIREMENTS ..... 9
  5.1 SYSTEM ARCHITECTURE ..... 9
  5.2 CERTIFICATION ..... 9
  5.3 HARDWARE DESIGN PRINCIPLES ..... 10
  5.4 INPUT/OUTPUT MODULES ..... 11
  5.5 SAFETY/CONTROL BUS ..... 12
  5.6 DCS COMMUNICATION ..... 13
  5.7 COMMUNICATION WITH OTHER SYSTEMS ..... 14
  5.8 REDUNDANCY ..... 14
  5.9 CABINET DESIGN ..... 15
  5.10 CYCLE TIMES ..... 16
  5.11 MAINTENANCE OVERRIDES ..... 16
  5.12 ENGINEERING STATION ..... 16
  5.13 AUXILIARY CONSOLE ..... 17
6. SOFTWARE DESIGN REQUIREMENTS ..... 17
  6.1 CERTIFICATION ..... 17
  6.2 SEQUENCE OF EVENT RECORD FUNCTION ..... 18
  6.3 CONFIGURATION SOFTWARE ..... 19
  6.4 ONLINE FUNCTION ..... 20
  6.5 APPLICATION SOFTWARE ..... 20
  6.6 SELF-DIAGNOSTIC FUNCTIONS ..... 21
  6.7 SECURITY ..... 21


1. INTRODUCTION

This Specification covers design features, construction features, materials of construction and performance for a system based on the Safety Instrumented System (SIS).

1.1 SCOPE OF WORK

1.1.1 The vendor of the system will be responsible for the complete design, manufacturing, programming and configuration of the system. The system offered shall be completely assembled, wired and tested.

1.1.2 It will be the vendor's responsibility to ensure that the design and construction of the equipment is suitable for the service conditions stated in this specification and in accordance with the specifications, codes and standards referred to.

1.1.3 The selection of all materials, accessories and methods of fabrication shall be the responsibility of the Vendor and shall be carried out in accordance with good engineering practice. This shall also include materials not specifically covered by this specification, but which are necessary to complete the scope of supply of the equipment.

1.2 SYSTEM STRUCTURE

1.2.1 The SIS shall be integrated tightly with the DCS. SIS and DCS controllers shall be from the same manufacturer. The SIS controllers shall be directly connected to the DCS data highway without any external gateway station.

1.2.2 An engineering station is required in the specific areas shown on the system configuration diagram.

1.2.3 Fiber optic cables shall be used as part of the SIS interconnection for outdoor use.

1.2.4 The SIS shall also communicate with other systems as follows:
- Distributed Control System (DCS), by means of a redundant network
- Fire and Gas System (FGS), by means of hardwired I/O
- Machine Monitoring System (MMS), where applicable, by means of hardwired I/O
- Compressor Control System (CCS), where applicable, by means of hardwired I/O
- Turbine Control System (TCS), where applicable, by means of hardwired I/O

2. ABBREVIATIONS

Abbreviation   Description
DCS            Distributed Control System
ESD            Emergency Shutdown
HMI            Human Machine Interface
MOS            Maintenance Override Switch
SIL            Safety Integrity Level
SIS            Safety Instrumented System
SOE            Sequence of Event
TÜV            Technischer Überwachungs-Verein
UPS            Uninterruptible Power Supply

3. CODES AND STANDARDS

The system and components shall comply with the applicable sections of the following standards and regulations:

IEC61511               Functional Safety - Safety Instrumented Systems for the Process Industry Sector
IEC61131               Programmable Controllers
IEC61508               Functional Safety of Electrical/Electronic/Programmable Safety Related Systems
IEEE802.3              Information Processing Systems - Local Area Networks
CSA C22.2 No. 1010.1   (100-120 V AC power supply specification)
EN61010-1              220-240 V AC, 24 V DC power supply specification

Electromagnetic Compatibility (EMC) shall be in accordance with EN61000-6-2/4 and EN61000-3-2/3.

The vendor shall prove and guarantee quality assurance procedures for the complete hardware equipment and software programs according to the international standards ISO 9001 and ISO 9000-3.

The latest edition of standards and codes, including addenda, supplements and revisions thereto, shall always apply.

4. GENERAL REQUIREMENTS

4.1 SYSTEM ENVIRONMENT

The SIS equipment located in cabinet rooms, which will allow for the installation of system cabinets, marshalling cabinets etc., shall be installed in an air-conditioned, non-hazardous environment. The system environment shall comply with the following conditions as a minimum:
- Altitude: up to 2,000 m above sea level
- Temperature at normal operation: -20 °C to +50 °C
- Humidity at normal operation: 5 to 95% RH (non-condensing)

4.2 ELECTRICAL REQUIREMENTS

4.2.1 Power Supply

System cabinets will be powered by two parallel UPS feeders into each system (V %, Hz %).

All other supply voltages required by the system shall be generated internally by the system. System-internal distribution of power will be within the scope of the SIS. Power for the operation of solenoid valves (preferably EEx d solenoid valves) is 24 V DC and shall be fed from the SIS. Ex i signal separation shall be fed by the SIS. The UPS will NOT be within the scope of the SIS.

4.2.2 Grounding

All enclosures shall be provided with 2 insulated and isolated earth bars. Each shall have a minimum of 30 termination points. Screens of signal cables will be grounded on one side only, in the marshalling cabinet. Screens inside the SIS shall be connected to the insulated earth bars.

The Vendor shall describe his grounding principle.

4.3 ELECTRICAL HAZARDOUS REQUIREMENTS

4.3.1 In general, process areas of the plant are classified as hazardous areas Class 1 Division 2 Groups B/C/D or Zone 2. Explosion protection will be required where specified in the I/O summary.

4.3.2 In classified hazardous areas, analogue inputs/outputs from/to the field shall be intrinsically safe signals or classified for use in hazardous areas Class 1 Div 2/Zone 2.

4.3.3 The explosion protection for intrinsically safe equipment is achieved by the use of certified signal isolators and transmitter power supplies, and these components shall be within the scope of supply of the SIS.

4.3.4 The wiring between components for explosion protection and input/output modules is an integral part of the SIS.

4.4 SIZING AND CAPACITY

4.4.1 The system shall be sized according to the given I/O summary.

4.4.2 The following table shows the required installed spares and expansion capability of the proposed system:

Item                             Additional installed spare                    Additional spare capacity
I/O modules                      10% but not less than one card of each type   10%
Nodes of communication network   As required                                   30% space to install any node


4.5 COMPONENT IDENTIFICATION SYSTEM

The Safety Instrumented System is to be provided with a designation system. This system shall:
- provide all system components with clear, unique and unambiguous designations
- reflect the functional and local subdivision of the process control system
- allow all system components to be found easily in the plant as well as in the documentation
- establish the relationship between the system components and the circuit documents.

4.6 SYSTEM AVAILABILITY

The system shall be reliable enough to have an availability of at least 99.999% in the fault tolerant configuration.

4.7 TIME SYNCHRONIZATION

4.7.1 All the necessary components to synchronize to GPS time shall be provided.

4.7.2 The time difference between components shall be up to 1 ms within a domain and up to 5 ms across domains.

5. HARDWARE DESIGN REQUIREMENTS

5.1 SYSTEM ARCHITECTURE

The system architecture shall comply with the system configuration diagram.

5.2 CERTIFICATION

5.2.1 The system shall be designed by trained engineers working within an auditable Functional Safety Management system in the vendor's organization, certified by reputable bodies such as TÜV to be in compliance with IEC 61511.

5.2.2 At the FAT it shall be demonstrated that the system complies with the Safety Requirement Specifications supplied together with this specification.

5.2.3 The following components, as a minimum, of a PLC used as the SIS shall be certified for use in a SIL 3 application by TÜV according to IEC61508 Parts 1 to 7:
- central processor unit
- I/O modules
- internal communication components
- system software (firmware)
- type and use of programming equipment

5.3 HARDWARE DESIGN PRINCIPLES

5.3.1 The hardware used for this purpose shall be designed with proven components and internal test circuits and test routines to assure recognition of any malfunction and to set outputs to their predefined safe state.

5.3.2 The system in simplex mode, i.e. single input, single CPU, single output modules, shall be sufficient to provide the required SIL 3 safety protection.

5.3.3 The system architecture shall be such that upon any I/O or CPU module failure occurring at one of the redundant modules, the SIL 3 rating of the system is not affected and the system continues to run at the same safety level.

5.3.4 The system shall not be in a one-leg fault condition even when there is a failure of a redundant CPU or I/O module. Redundancy of each pair shall be independent from the other pairs.

5.3.5 The system shall not degrade to a crippled mode even when there are multiple system failures in the CPU and I/O modules, where these failures occur in different areas of the system and not on one pair of redundant modules.

5.3.6 There is no safety restriction on the system in terms of a time limit for the system to shut down when such faults occur. However, the system needs to be repaired as soon as possible in order to restore the system's availability level.

5.3.7 Empty hot standby slots are not acceptable, as these slots are not continuously tested and could have contact problems when there is a requirement to use them.

5.3.8 The SIS functions shall comply with the following criteria:
- closed contact circuits for all input signals in healthy condition, or active signals in the case of proximity or analogue signals
- fail-safe input and output modules for SIS functions, self-testing, i.e. cyclically tested by an internal device integrated into each module.

5.3.9 Due care and attention in design shall facilitate interchangeability of equipment and ease of maintenance.

5.4 INPUT/OUTPUT MODULES

5.4.1 I/O modules shall have a density of no more than 16 channels per module, to minimize the effect of a card failure.

5.4.2 All SIS field I/O modules shall have galvanic isolation of the field from the system. This prevents a field I/O fault from damaging more than one I/O module.

5.4.3 Each I/O module shall have a healthy or ready LED display to indicate any fault on the module.

5.4.4 Inputs and outputs shall be configured on separate generic cards and not mixed.

5.4.5 I/O modules shall be powered in such a way that damage to one module does not have any influence on other modules. Signal inputs/outputs shall be short circuit proof.

5.4.6 Intrinsically safe signals which are not powered by the system but have a separate external power supply (e.g. magnetic flow meters, analyzers, solenoid valves) shall be provided with certified signal isolators. The standard I/O cable termination boards should accommodate these signal isolators, and there should not be a need for separate boards for the isolators.

5.4.7 Analogue inputs from classified areas, as well as outputs to classified areas, shall be designed intrinsically safe. Certified signal isolators or isolating power supplies shall be used to obtain electrical isolation of inputs and outputs. Where connected to fail-safe input and output modules, they shall be of fail-safe design.

5.4.8 All analogue inputs shall be standard 4 to 20 mA or 1-5 V (1-10 V) signals from the field. Analogue input modules allow 0-25 mA or 0-30 V input. Most of them shall be powered by the analogue input module of the SIS. All transmitters and field contacts shall be connected to the SIS by 2-conductor circuits.

5.4.9 All analogue input and output modules shall indicate failure of the module in case of open circuit or loss of transmitter.

5.4.10 Analogue inputs shall be applicable for 1-23 mA or 0.1-11 V to detect abnormality of the transmitter.

5.4.11 For signal conditioning, preferably modules of the same make as for the DCS shall be employed. The final choice of manufacturer and type shall depend on the selected supplier of the DCS.

5.4.12 All digital inputs shall be signals from proximity switches or potential-free contacts.

5.4.13 For both energize-to-trip and de-energize-to-trip, line monitoring for all digital inputs shall be provided to monitor for stuck-on problems, configurable for each input. It shall be possible to differentiate between short-circuit and open-circuit in the details of line-fault messages.

5.4.14 For both energize-to-trip and de-energize-to-trip, line monitoring for all digital outputs shall be provided to monitor for stuck-on problems, configurable for each output. It shall be possible to differentiate between short-circuit and open-circuit in the details of line-fault messages.

5.4.15 Digital input signals shall not be wired into analogue input modules for line monitoring.

5.4.16 Digital output modules shall be of 24 V DC / 48 V DC / 120 V AC type, capable of driving up to 2 A / 0.6 A / 0.5 A respectively. If solenoid valves or other actuators of higher voltage or amperage are used, the respective digital outputs shall be potential-free contacts via a fail-safe, TÜV certified relay.
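As an added illustration of clauses 5.4.8 to 5.4.10 and the threshold derivation of 6.5.3 (example code, not part of this specification or of any vendor's firmware): a Python model that classifies a 4-20 mA loop reading against the 1-23 mA detection band and converts an engineering trip value into a loop-current threshold. The meaning assigned to the bands below 4 mA and above 20 mA, and the rule that any non-healthy loop raises a trip demand, are assumptions.

```python
"""Analogue input diagnostics for a 4-20 mA SIS loop, modelled on clauses 5.4.8,
5.4.9, 5.4.10 and 6.5.3 of the specification. Added illustration only: the
meaning of the bands outside 4-20 mA and the trip-on-fault rule are assumptions."""
from enum import Enum


class LoopState(Enum):
    HEALTHY = "healthy"                            # 4-20 mA live-zero signal present
    TRANSMITTER_ABNORMAL = "transmitter abnormal"  # measurable, but outside 4-20 mA
    LOOP_FAULT = "loop fault"                      # open circuit / loss of transmitter (5.4.9)


SIGNAL_MIN_MA, SIGNAL_MAX_MA = 4.0, 20.0   # standard field signal (5.4.8)
DETECT_MIN_MA, DETECT_MAX_MA = 1.0, 23.0   # abnormality detection band (5.4.10)
MODULE_MAX_MA = 25.0                       # module input limit (5.4.8)


def classify_loop(current_ma: float) -> LoopState:
    """Classify a raw loop current. Values the module cannot measure are rejected."""
    if current_ma < 0.0 or current_ma > MODULE_MAX_MA:
        raise ValueError(f"{current_ma} mA is outside the 0-{MODULE_MAX_MA} mA module range")
    if current_ma < DETECT_MIN_MA:
        # Assumption: near-zero current means an open circuit or a lost transmitter.
        return LoopState.LOOP_FAULT
    if current_ma > DETECT_MAX_MA:
        # Assumption: above the detection band the reading is treated as a loop fault.
        return LoopState.LOOP_FAULT
    if SIGNAL_MIN_MA <= current_ma <= SIGNAL_MAX_MA:
        return LoopState.HEALTHY
    # 1-4 mA or 20-23 mA: the transmitter is signalling an abnormal condition.
    return LoopState.TRANSMITTER_ABNORMAL


def to_engineering(current_ma: float, lo: float, hi: float) -> float:
    """Linear scaling of 4-20 mA onto the engineering range [lo, hi]."""
    return lo + (current_ma - SIGNAL_MIN_MA) * (hi - lo) / (SIGNAL_MAX_MA - SIGNAL_MIN_MA)


def threshold_ma(trip_value: float, lo: float, hi: float) -> float:
    """Inverse scaling: the loop current that corresponds to an engineering trip value (6.5.3)."""
    return SIGNAL_MIN_MA + (trip_value - lo) * (SIGNAL_MAX_MA - SIGNAL_MIN_MA) / (hi - lo)


def evaluate(current_ma: float, lo: float, hi: float, trip_value: float,
             trip_high: bool = True) -> tuple:
    """Return (loop state, trip demand) for one analogue input.

    Fail-safe assumption: anything other than a healthy loop raises a trip demand,
    in line with the de-energize-to-trip design of clause 6.1.3."""
    state = classify_loop(current_ma)
    if state is not LoopState.HEALTHY:
        return state, True
    value = to_engineering(current_ma, lo, hi)
    tripped = value > trip_value if trip_high else value < trip_value
    return state, tripped
```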

5.5 SAFETY/CONTROL BUS

5.5.1 The safety bus refers to the communication link between multiple SIS safety controllers and shall fulfil the following tasks under system-specific requirements:
- safety communication for transmission of safety critical data between safety controllers
- communication between safety controllers and the engineering station, for maintenance and monitoring, downloading of the application, and testing
- safety communication by peer to peer and multicast.

5.5.2 The SIS shall be a dedicated system integrated with the DCS via a common Safety/Control bus of minimum speed 10 Mbps.

5.6 DCS COMMUNICATION

5.6.1 It shall be possible for the safety bus to be used for control, such that it is also used for communication to the DCS. This link shall be redundant, and failure of one link shall have no effect on the ability of the safety system to perform its intended protective function.

5.6.2 The SIS shall be integrated with the DCS communication bus, which shall make it possible to have all important data from the SIS available at the operator interface or HMI of the DCS, so that the operation of the SIS can be observed by the DCS operator without the use of any dedicated SIS operator console.

5.6.3 It shall be possible to transmit the following information to the standard HMI of the DCS:
- all analogue values, if applicable
- threshold values set for analogue signals, if applicable
- trip conditions
- status of binary input signals
- status of binary output signals to solenoid valves
- events in the order of their occurrence, with time stamp with a resolution of 1 ms
- all process alarms to the HMI of the integrated DCS
- all System Diagnostic Alarms to the HMI of the integrated DCS
- all events
- system status, to the extent that the operator in the control room is able to see which card is failing and the type of failure, and system information such as security level, number of forced I/Os, cycle time, program version etc.

5.6.4 Operational interventions shall be carried out from the HMI via password-secured override blocks certified by TÜV, or by separate switches on the operator's console.

5.6.5 The HMI of the DCS sitting on the safety bus shall be certified by TÜV to be interference-free.

5.6.6 It is not allowed to have the DCS write into the SIS, even though SIS data can be read by the DCS.

5.6.7 The DCS shall be able to extract SIS data by calling common tag names, without the need for logical implementation of tags on both sides. It shall be possible to configure tag plates, trending, graphics etc. at the HMI using safety data, by tag name access to the SIS.

5.6.8 Under no circumstances should a failure of the communication link defeat the functions of the SIS and/or cause a nuisance trip.

5.6.6

5.6.7

5.6.8

5.7 COMMUNICATION WITH OTHER SYSTEMS

5.7.1 Modbus communication between the safety controller and other systems shall be available in both master and slave modes.

5.7.2 An OPC client shall be able to access diagnostic information, event, process and alarm data of the safety controller.

5.7.3 The SIS shall have a HART communication bridge function between the asset management system and field devices.

5.8 REDUNDANCY

5.8.1 Sensing devices and I/Os shall be non-redundant, dual redundant or triple redundant according to the safety integrity requirements as defined by the safety requirement specifications.

5.8.2 To increase the availability of the plant, the SIS hardware modules, including CPU and input and output modules, shall be of a dual redundant type.

5.8.3 Internal bus modules and power supply units shall be dual redundant. Module redundancy for CPU and I/O shall be provided for fault tolerance. Redundant modules shall be powered up in a standby mode, where the standby modules are continuously tested.

5.8.4 The integrated safety/control bus to the DCS shall be of redundant design, to increase the availability of status information of the SIS input/output signals for the operator.

5.8.5 The bus connecting input/output modules shall be of redundant design.

5.8.6 The switch-over time from the active side to the standby side shall be at most 100 ms for the CPU and at most 500 ms for I/O.

5.8.7 When exchanging a CPU or I/O module, the configuration shall be copied automatically between the redundant modules.

5.9 CABINET DESIGN

5.9.1 Cabinets shall be of stable construction, totally enclosed with side walls, roof, front and rear doors. The inside shall be suitably divided into compartments for system components and cables. Cable clamps, supports and adequate cable connection stress relief shall be provided. Cable entry shall be from the bottom. Cabinets for installation within the air-conditioned control or switching room building shall have protection IP 20 as a minimum. Cabinets shall have inside lights, which are switched on/off by door switches. The Vendor shall provide failure alarms for all cabinet fans and power units.

5.9.2 Cabinets shall have one power socket each per power level (circuit breaker / banana socket).

5.9.3 Input and output signals will be connected either to instruments/sensors in cabinets (Electronic Room) or to field junction boxes via multicore cables. Marshalling cabinets will be provided for the signal assortment.

5.9.4 Component mounting in cabinets shall be such that signal cables can easily be disconnected for testing purposes.

5.9.5 Doors shall open fully (180°) and be equipped with key-lockable door handles (common key for all cabinets).

5.9.6 Cabinets shall be provided with suitable lifting rings and pallets to allow for transportation by crane or forklift. Cabling between system components which needs to be dismantled after final factory inspection and reassembled on site shall have plugs on both sides.

5.9.7 All terminals, sockets and wiring shall be clearly identified in strict accordance with the system documentation.

5.9.8 Dimensions and weight of all system components shall be submitted.

5.10 CYCLE TIMES

Processing of the system functions is cyclic. Cycle times shall not exceed 300 milliseconds for the SIS, in order to be able to meet the fault reaction time.

5.11 MAINTENANCE OVERRIDES

5.11.1 It shall be possible to initiate an override on SIS inputs (hereinafter called MOS-OVR) from the HMI via the safety/control bus. This function must be TÜV certified and have adequate password security protection.

5.11.2 In addition, a hardwired MOS-ENABLE keyswitch shall be provided on the panel. Only when the MOS-ENABLE switch is in the enable position shall the MOS-OVR be accepted in the protection logic of the SIS. Because the MOS-ENABLE switch is hardwired, the operator has the possibility to deactivate any override when the communication link fails.

5.11.3 In case the communication bus fails, the overrides shall remain as they were before the failure, and when the link is re-established there shall be no change in status.

5.11.4 MOS shall not be applied to:
- Manual ESD
- RESET pushbutton, keyswitches
- All outputs
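The override behaviour of clause 5.11, as an added Python model (example code, not part of this specification or of any vendor's logic solver): an HMI request to set or clear MOS-OVR is accepted only through the password-protected override block and only while the bus is up, the override takes effect in the protection logic only while the hardwired MOS-ENABLE keyswitch is in the enable position, override states freeze during a bus failure, and manual ESD, reset and keyswitch inputs can never be overridden. The tag names and the voting group are constructed for the example.

```python
"""Maintenance override (MOS-OVR) handling for de-energize-to-trip SIS inputs,
modelled on clause 5.11. Added illustration only; not vendor logic."""
from __future__ import annotations

from dataclasses import dataclass, field

# Inputs that may never be overridden (clause 5.11.4). Tag names are constructed.
NON_OVERRIDABLE = {"MANUAL_ESD", "RESET_PB", "MOS_ENABLE_KEYSWITCH"}


@dataclass
class SisInput:
    tag: str
    healthy: bool = True       # closed contact / active signal = healthy (5.3.8)
    overridden: bool = False   # MOS-OVR currently requested for this input


@dataclass
class LogicSolver:
    inputs: dict[str, SisInput] = field(default_factory=dict)
    mos_enable: bool = False          # hardwired MOS-ENABLE keyswitch position (5.11.2)
    link_ok: bool = True              # safety/control bus to the HMI (5.11.3)
    hmi_authenticated: bool = False   # password-secured override block (5.11.1)

    def request_override(self, tag: str, apply: bool) -> bool:
        """HMI request to set (apply=True) or clear MOS-OVR. Returns True if accepted."""
        if not self.link_ok:
            return False                  # no changes while the bus is down (5.11.3)
        if not self.hmi_authenticated:
            return False                  # override block requires authentication (5.11.1)
        if tag in NON_OVERRIDABLE or tag not in self.inputs:
            return False                  # 5.11.4: never on manual ESD, reset or keyswitches;
                                          # outputs are not in `inputs`, so they cannot be overridden
        self.inputs[tag].overridden = apply
        return True

    def effective_override(self, tag: str) -> bool:
        """MOS-OVR is honoured only while MOS-ENABLE is in the enable position (5.11.2).
        MOS-ENABLE is hardwired, so it works even when the bus has failed."""
        return self.mos_enable and self.inputs[tag].overridden

    def set_link(self, ok: bool) -> None:
        """Bus failure or restoration: stored override states are left unchanged (5.11.3)."""
        self.link_ok = ok

    def output_energized(self, voting_tags: list[str]) -> bool:
        """De-energize-to-trip evaluation of a 1oo1-style voting group: the output stays
        energized only while every input that is not effectively overridden is healthy."""
        for tag in voting_tags:
            inp = self.inputs[tag]
            if not inp.healthy and not self.effective_override(tag):
                return False              # trip: unhealthy input without an effective override
        return True


def build_demo_solver() -> LogicSolver:
    """Constructed example: one transmitter input and the manual ESD pushbutton."""
    return LogicSolver(inputs={
        "PT_101": SisInput("PT_101"),
        "MANUAL_ESD": SisInput("MANUAL_ESD"),
    })
```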

5.12 ENGINEERING STATION

5.12.1 The engineering station serves for the configuration and maintenance of the PLC used for the SIS and as an indication of the functions of the system self-diagnostics.

5.12.2 The following PC specification shall be complied with as a minimum:

CPU                : Core2 Duo 2.13 GHz
Main memory        : 2 GB
Hard disk          : 20 GB available user disk space
Display resolution : 1280 × 1024
Video memory       : 128 MB
Monitor            : 17 inches
Serial port        : One RS-232C port (when using a UPS)
Parallel port      : One port (when using a printer)
Ethernet port      : One port
Extension slot     : One PCI slot
CD-ROM drive       : One
FDD                : One 3.5-inch drive
OS                 : Windows Vista Business Edition SP1

5.12.3 It shall also be used as a monitoring station for maintenance purposes. Furthermore, it shall be possible to read live SIS failure diagnostics on the programming unit, to the extent that system failures will have detailed error messages annunciated on the engineering station. The engineering station shall also indicate the current status of the SIS in the areas of cycle time, database version, number of I/Os being forced, security level, percentage CPU idle time etc.

5.13 AUXILIARY CONSOLE

5.13.1 The Vendor shall supply an auxiliary console including ESD button, switch with lockout, manual reset switch, selection switch etc.

5.13.2 The ESD button, switch with lockout, manual reset switch, selection switch etc. shall be connected by means of hardwired I/Os to the SIS cabinet.

6. SOFTWARE DESIGN REQUIREMENTS

6.1 CERTIFICATION

6.1.1 The system shall be designed according to Cause & Effect Matrices.

6.1.2 The system for the logic solver shall be certified by TÜV for IEC 61508 SIL3 applications. The function of such a system is to reduce avoidable identified risks which could result in:
- serious injury to people
- damage to the environment
- major loss or damage to assets.

6.1.3 All safety relevant interlocking shall be carried out by the SIS, which shall be designed as Programmable Logic Controllers of fail-safe design, i.e. de-energize-to-trip.

6.1.4 The HMI of the DCS shall be able to extract alarms, events and system maintenance information from the SIS via the common bus. Communication between different SIS systems (hereinafter referred to as safety communication) shall be certified for safety critical application by TÜV. Both the HMI and the DCS shall be certified by TÜV to have no effect on the SIS or on the safety communication, which is carried out on the same bus.

6.1.5 All signals to be handled in the SIS are identified in a HAZOP study and classified and listed in separate Safety Requirement Specifications.

6.1.6 The system shall perform the following tasks under real time conditions:
- read in transmitted measuring signals from the field
- generate threshold values from incoming analogue values
- perform binary logic control and sequence control functions
- execute permanent self-diagnostic functions
- list events in the order of their occurrence, with time stamp with a resolution of 1 millisecond or better
- send all process alarms to the HMI of the integrated DCS
- send all System Diagnostic Alarms to the HMI of the integrated DCS
- send all events to the HMI of the DCS
- allow the HMI to read the SIS system status to the extent that the operator in the control room is able to identify which module is failing and the type of failure, and system information such as security level, number of forced I/Os, cycle time, program version etc.

6.2 SEQUENCE OF EVENT RECORD FUNCTION

6.2.1 Alarm and sequence of event lists with a time stamp resolution of 1 millisecond for digital signals shall be generated and printed. The resolution shall be independent of the scan time of the CPU.

6.2.2 Time stamping of alarms and events shall be performed within the host system and transferred to the DCS.

6.2.3 The SER alarms and/or events shall be incorporated into the common alarm summaries on the operator console.

6.2.4 Display of DCS alarms and/or events shall be merged with SER alarms and/or events in one window.

6.2.5 SER data shall be battery backed up for 6 months.

6.3 CONFIGURATION SOFTWARE

6.3.1 The engineering station shall be provided with all tools that are necessary for the configuration and programming of the system.

6.3.2 The configuration/programming function is clearly differentiated from the function of normal operation and may be entered only with special authorization. Specified threshold values formed within the system may only be changed in the configuration function.

6.3.3 In the configuration/programming function, it shall be possible to force inputs or outputs for test purposes.

6.3.4 It shall be possible to do offline testing of a configuration on the engineering station without the SIS controllers.

6.3.5 It shall be possible to report implicit errors in the programming.

6.3.6 It shall be possible to report the differences between the modified program and the former one.

6.3.7 The self-documentation feature shall allow comprehensive printouts of the actually installed database, including a table of contents, logic diagrams with detailed service descriptions (up to 36 characters), constants, I/O parameters, Modbus addresses (if any), alarm priority, and a list of program sheets.

6.3.8 It shall be possible to execute the unit test for the SIS, including safety communication, and the integration test with the DCS on a PC only.

6.3.9 It shall be possible to run a plant operation training system for the integrated SIS and DCS in a PC environment only.


6.4 ONLINE FUNCTION

6.4.1 It shall be possible to make minor logic changes online to the SIS in operating mode, along guidelines set by TÜV.

6.4.2 It shall be possible to add an I/O node or I/O module online.

6.4.3 It shall be possible to avoid false trips caused by mis-programming.

6.4.4 The SIS shall continue to operate its safety function normally during an online download.

6.5 APPLICATION SOFTWARE

6.5.1 The software supplied with the SIS shall comprise the system and application software necessary to operate the SIS and to perform the required tasks to control and monitor the process plant.

6.5.2 Standard function blocks or ladder logic, or a combination of both, shall be used for the development of the application software.

6.5.3 It shall be possible to derive adjustable threshold values from all analogue input signals.

6.5.4 Tasks specified by the Owner which have to be performed with the aid of special functions or non-standard programs etc. have to be indicated.

6.5.5 Program sections processing interlocking functions that are not safety relevant shall be clearly separated from program sections employed for safety relevant interlocks. Modifications in one program section may not affect the other section.

6.5.6 The programming language shall be as per IEC 61131-3. Project specific software to be prepared by the vendor shall include:
- configuration of the system functions
- configuration of the inputs/outputs
- implementation of the functional diagrams into project specific programs.

The preparation of the user software for the functions described above is an integral part of the SIS.

6.5.7 Application software, once loaded to the SIS, shall be stored and held indefinitely in flash memory in the SIS CPU module.


6.6 SELF-DIAGNOSTIC FUNCTIONS

6.6.1 The firmware must offer self-diagnostics of all components. It has to guarantee that a failure/breakdown of one system component shall be limited to this component only.

6.6.2 On system failure, all output signals must adopt a definite, pre-selected state.

6.6.3 A system failure of one component must not create subsequent system failures of other components or of the common bus system.

6.6.4 In the case of redundant components, the backup component shall take over all functions of the failing component without restrictions on the process. Take-over of functions by redundant components has to be recorded as a system failure, with the exception of, for example, regularly recurring changeover of bus components.

6.6.5 All system failures and/or activities have to be announced on the HMI and recorded on the alarm printer.

6.7 SECURITY

6.7.1 Software configuration shall be secured by password protection to prevent unauthorized access/changes.

6.7.2 Separate password security shall be available for Application Programs to avoid unauthorized access/changes.

6.7.3 Separate password security shall be available for the SIS controllers to segregate normal operation, maintenance and offline download modes of operation.
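The separation of privileges required by clauses 6.7.1 to 6.7.3, together with the configuration-only threshold rule of 6.3.2 and the read-only DCS access of 5.6.6, as an added Python model (example code, not part of this specification or of any vendor's engineering software): each protected domain has its own independently verified password, a privileged action is authorized only while its own domain is unlocked, controller mode changes are gated by the controller password, and the DCS side of the bus can read tags by name but every write is refused. The action-to-domain mapping, the PBKDF2 parameters and the tag names are assumptions.

```python
"""Privilege separation for SIS engineering access, modelled on clauses 6.7.1-6.7.3,
6.3.2 and 5.6.6. Added illustration only; not vendor software."""
from __future__ import annotations

import hashlib
import hmac
import os
from enum import Enum


class Domain(Enum):
    CONFIGURATION = "configuration"   # 6.7.1: software configuration
    APPLICATION = "application"       # 6.7.2: application programs
    CONTROLLER = "controller"         # 6.7.3: controller modes of operation


class ControllerMode(Enum):
    OPERATION = "normal operation"
    MAINTENANCE = "maintenance"
    OFFLINE_DOWNLOAD = "offline download"


# Constructed mapping of privileged actions to the domain whose password unlocks them.
ACTION_DOMAIN = {
    "change_threshold": Domain.CONFIGURATION,      # 6.3.2: thresholds change only in configuration
    "force_io": Domain.CONFIGURATION,              # 6.3.3: forcing is a configuration function
    "modify_application": Domain.APPLICATION,
    "set_controller_mode": Domain.CONTROLLER,
}


def _derive(password: str, salt: bytes) -> bytes:
    # Assumed parameters: PBKDF2-HMAC-SHA256 with 100k iterations; never store plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class SisAccessController:
    def __init__(self) -> None:
        self._creds: dict[Domain, tuple[bytes, bytes]] = {}   # domain -> (salt, digest)
        self._unlocked: set[Domain] = set()
        self.mode = ControllerMode.OPERATION

    def set_password(self, domain: Domain, password: str) -> None:
        """Each domain keeps its own credential; one password never unlocks another domain."""
        salt = os.urandom(16)
        self._creds[domain] = (salt, _derive(password, salt))

    def authenticate(self, domain: Domain, password: str) -> bool:
        """Verify the domain password in constant time and unlock that domain only."""
        if domain not in self._creds:
            return False                      # no credential configured: deny, never default-open
        salt, digest = self._creds[domain]
        if hmac.compare_digest(digest, _derive(password, salt)):
            self._unlocked.add(domain)
            return True
        return False

    def lock_all(self) -> None:
        """Return to normal operation: every privileged domain is locked again."""
        self._unlocked.clear()

    def authorize(self, action: str) -> bool:
        """A privileged action is allowed only while its own domain is unlocked;
        unknown actions are denied by default."""
        domain = ACTION_DOMAIN.get(action)
        return domain is not None and domain in self._unlocked

    def set_mode(self, mode: ControllerMode) -> bool:
        """Switching between operation, maintenance and offline download needs the
        controller password (6.7.3)."""
        if not self.authorize("set_controller_mode"):
            return False
        self.mode = mode
        return True


class DcsLink:
    """DCS side of the safety/control bus: reads by tag name are served (5.6.7),
    every write into the SIS is refused (5.6.6)."""

    def __init__(self, sis_tags: dict[str, float]) -> None:
        self._tags = dict(sis_tags)   # copy, so the caller cannot alias SIS data

    def read(self, tag: str) -> float:
        return self._tags[tag]

    def write(self, tag: str, value: float) -> bool:
        return False                  # the DCS may never write into the SIS
```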
