outside the remit of IEC61511, but it should still be evaluated whether the mechanical solution provides acceptable risk reduction.

4 Design of an Inhibit SIF

Finally, we arrive at what might be considered the last resort – the design of an Inhibit SIF.

An inhibit SIF prevents the operator from issuing a command from the control system HMI. The terminology here is important – referring to such functions as permissives turns them upside down and is confusing when considering failure states. This paper recommends not using the term “permissive” in the SRS; the SIF is an inhibit.

4.1 SRS

Some specific issues apply to the specification of Inhibit SIFs; the requirements are slightly different from those for reactive trip functions.

In the event of sensor failure, the logic should ensure that the inhibit function is active. However, in some cases the safe (no inhibit) condition is indicated by a high pressure (PSHH), see the example below. This logic is the reverse of what might be programmed for a reactive high pressure trip function, where the fail-safe state would be to treat a failed sensor as generating the high-high trip.

Figure 3: two sensors used to prevent the opening of the riser shutdown valve. In addition to the choke limit switch (ZSC), a high pressure (PSHH) confirms that the choke (HCV) must be closed, because procedure requires the section of line to be pressurised with methanol before start-up.

Similarly, the software latching of a condition used in inhibit functions must be carefully considered. Using the above example, the PSHH should not be latching in the high-high state (as might be normal for a reactive high-high trip function), since the high-high state is the no-inhibit state. Until reset, the inhibit function would be latched in the no-inhibit state, regardless of the current process measurement. In this case, the SRS must specify that the software latch is disabled for this sensor.

The two above points should be verified as part of application program code reviews to ensure that the logic solver is programmed correctly.
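The Figure 3 logic and the latching pitfall, as an added example in Python that is not part of the paper or any logic solver vendor's code. The sensor sequence, the `Reading` type and the `latch_pshh` switch are constructed for illustration; a real application program would carry the same decisions in the logic solver's own language.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Reading:
    """One sensor sample (constructed type, not from the paper)."""
    active: bool    # ZSC: choke proven closed; PSHH: pressure at high-high
    healthy: bool   # False when the device or its loop reports a fault

def inhibit_open(zsc: Reading, pshh: Reading) -> bool:
    """Figure 3 inhibit: True means the HMI open command on the riser SDV is blocked.
    The inhibit is lifted only when the choke is proven closed AND the line is proven
    pressurised. A faulted sensor proves nothing, so a fault keeps the inhibit active;
    this is the reverse of a reactive trip, where a faulted PSHH is treated as high-high."""
    choke_closed = zsc.healthy and zsc.active
    pressurised = pshh.healthy and pshh.active
    return not (choke_closed and pressurised)

def run_sequence(samples: List[Tuple[Reading, Reading]], latch_pshh: bool) -> List[bool]:
    """Replay (ZSC, PSHH) samples and return the inhibit state after each one.
    latch_pshh=True reproduces the SRS mistake described above: the PSHH high-high
    state is latched as for a reactive trip, so once seen it persists until reset and
    the inhibit stays lifted even after the pressure has gone."""
    latched_high = False
    states = []
    for zsc, pshh in samples:
        if latch_pshh:
            latched_high = latched_high or (pshh.healthy and pshh.active)
            pshh = Reading(active=latched_high, healthy=pshh.healthy)
        states.append(inhibit_open(zsc, pshh))
    return states

# Constructed start-up sequence: choke closed throughout, methanol pressure confirmed,
# then pressure lost, then the PSHH loop goes into fault.
SEQUENCE = [
    (Reading(True, True), Reading(False, True)),   # not yet pressurised -> inhibit
    (Reading(True, True), Reading(True, True)),    # pressurised -> inhibit lifted
    (Reading(True, True), Reading(False, True)),   # pressure lost -> inhibit must return
    (Reading(True, True), Reading(False, False)),  # PSHH fault -> inhibit
]

if __name__ == "__main__":
    print("non-latching PSHH:", run_sequence(SEQUENCE, latch_pshh=False))
    print("latched PSHH:     ", run_sequence(SEQUENCE, latch_pshh=True))
```

The third sample is the one a code review should check: with the latch disabled the inhibit returns when pressure is lost, with the latch left enabled it does not.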

Other factors which the SRS must consider include: