It is possible and quite easy to define operational rules about the desired vs. forbidden relationships between the primary operational mode and those of sub-systems. For example, such a rule may be that maintenance activities regarding the safety add-ons (such as secondary and auxiliary pumps) are allowed only when the system is in any primary mode other than production.
These rules can be implemented in the Scenario analyzer and stored in a scenario database. In the recommended architecture, compliance with the rules can be checked by the scenario center.
Guidelines for scenario-situation compatibility assurance
The system may generate warnings about changing the operational modes of a sub-system when the primary mode is production.
These warnings should stay on until the operators resume normal operation of the safety add-ons. They should not raise an alert as long as the risk is not acute, and they must not interfere with high-priority alarms.
Guidelines for alarm generation
Escalation may occur when the operators disregard the warning for a while, and other hazards introduce additional risks. If this happens, the system may remind the operators about the original risks.
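The rule-checking, persistent-warning and escalation behaviour described in the three guidelines above (mode-compatibility rules, warnings that stay on until the add-ons are back in service, and reminders only when the warning has been ignored for a while and other hazards are present) can be sketched as a small scenario-center model. The following Python is an added illustration, not code from the case study or from any real scenario-center product; the mode names, the two pump rules, the "tick" notion of a supervision period and the `escalate_after` threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class PrimaryMode(Enum):
    IDLE = "idle"
    PRODUCTION = "production"


class SubMode(Enum):
    NORMAL = "normal"
    MAINTENANCE = "maintenance"


class Level(Enum):
    # Warnings must never outrank real alarms: ADVISORY < REMINDER < ALARM.
    ADVISORY = 1
    REMINDER = 2
    ALARM = 3


@dataclass(frozen=True)
class Rule:
    """Forbidden combination: `subsystem` is in `sub_mode` while primary is in `when_primary`."""
    name: str
    subsystem: str
    sub_mode: SubMode
    when_primary: frozenset


# Constructed rule set (hypothetical names): maintenance on the safety add-ons
# is forbidden only while the primary mode is production.
RULES = [
    Rule("secondary-pump-maintenance", "secondary_pump", SubMode.MAINTENANCE,
         frozenset({PrimaryMode.PRODUCTION})),
    Rule("auxiliary-pump-maintenance", "auxiliary_pump", SubMode.MAINTENANCE,
         frozenset({PrimaryMode.PRODUCTION})),
]


@dataclass
class ModeWarning:
    rule: str
    ticks_ignored: int = 0
    level: Level = Level.ADVISORY


class ScenarioCenter:
    """Checks every mode change against the rules and manages the resulting warnings."""

    def __init__(self, rules: List[Rule], escalate_after: int = 3):
        self.rules = rules
        self.escalate_after = escalate_after  # periods a warning may be ignored before escalating
        self.primary = PrimaryMode.IDLE
        self.sub_modes: Dict[str, SubMode] = {}
        self.hazards: Set[str] = set()        # other hazards present in the current situation
        self.warnings: Dict[str, ModeWarning] = {}
        self.log: List[Tuple] = []

    def set_primary(self, mode: PrimaryMode) -> None:
        self.primary = mode
        self._check()

    def set_sub_mode(self, subsystem: str, mode: SubMode) -> None:
        self.sub_modes[subsystem] = mode
        self._check()

    def add_hazard(self, hazard: str) -> None:
        self.hazards.add(hazard)
        self._check()

    def tick(self) -> None:
        """One supervision period passes with the operators not acting on the warnings."""
        for w in self.warnings.values():
            w.ticks_ignored += 1
        self._check()

    def active_warnings(self) -> List[Tuple[str, Level]]:
        return sorted((w.rule, w.level) for w in self.warnings.values())

    def _violated(self, rule: Rule) -> bool:
        return (self.sub_modes.get(rule.subsystem) == rule.sub_mode
                and self.primary in rule.when_primary)

    def _check(self) -> None:
        for rule in self.rules:
            if self._violated(rule):
                w = self.warnings.get(rule.name)
                if w is None:
                    w = self.warnings[rule.name] = ModeWarning(rule.name)
                    self.log.append(("warn", rule.name))
                # Escalate only if the warning was disregarded for a while AND other
                # hazards add risk; the reminder still stays below ALARM priority.
                if (w.level is Level.ADVISORY and w.ticks_ignored >= self.escalate_after
                        and self.hazards):
                    w.level = Level.REMINDER
                    self.log.append(("remind", rule.name, tuple(sorted(self.hazards))))
            elif rule.name in self.warnings:
                # The warning clears only once the forbidden combination no longer holds.
                del self.warnings[rule.name]
                self.log.append(("clear", rule.name))


def demo() -> List[Tuple]:
    """Walk through the situation sketched in the guidelines and return the event log."""
    sc = ScenarioCenter(RULES, escalate_after=2)
    sc.set_sub_mode("auxiliary_pump", SubMode.MAINTENANCE)  # allowed while primary is idle
    sc.set_primary(PrimaryMode.PRODUCTION)                  # now forbidden -> warning
    sc.tick(); sc.tick()                                    # ignored, but no extra hazard yet
    sc.add_hazard("high-temperature")                       # additional risk -> reminder
    sc.set_sub_mode("auxiliary_pump", SubMode.NORMAL)       # add-on back in service -> clear
    return sc.log
```

Calling `demo()` returns the three events `warn`, `remind` and `clear` for the auxiliary pump. The design keeps the rule table separate from the checker, so the rules could be loaded from a scenario database as the text suggests, and it encodes the priority constraint as an explicit `Level` ordering rather than leaving it to the user-interface layer.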
The guide recommends intervention by the supervision unit, which may transfer control from the primary station to the recovery station. This is not demonstrated in this case study.
This case study does not demonstrate any method or guidelines for Recovery facilitation.
The guide recommends intervention by the supervision unit, which may transfer control from the recovery station to the rescue station. This is not demonstrated in this case study.
Updated on 10 May 2016.