• Specify that it must not be possible to accomplish the inhibited valve action locally at the valve
• Ideally maintenance bypasses/overrides should not normally be allowed
• How the inhibit action shall be realised - Section 4.2 addresses options for the final element of the Inhibit function.

To avoid errors, and to ensure best practices are followed, a generic template should be developed for the SRS, with appropriate fields to be completed.

4.2 Final element of an inhibit

When designing an inhibit function, it is important to consider what the final element is. If a hardware inhibit is applied, such as a safety relay breaking the output circuit to prevent the operator command being transmitted, Hardware Fault Tolerance (HFT) must be considered. However, software solutions where the operator action is prevented in the logic solver must also be approached with care. If the inhibit is accomplished in software, HFT requirements only apply in terms of the required logic solver architecture. But if the inhibit is visible to the operator in the HMI system, there could be an issue of dependency.

In terms of risk reduction, we assume that the operator error rate is independent of the Inhibit SIF. However, if the operator can see the status of the Inhibit function, his reliability may no longer be independent of the Inhibit reliability. In short – does the operator faithfully follow his operating procedure when he is able to see the inhibit status, or to some extent does he rely on waiting for a green light?

One solution to address the issue of dependency is to apply a hardware function where the state of the Inhibit SIF is not visible to the operator. Hardware inhibits may also present advantages in terms of proof testing – in the example of a safety relay, the SIF can be tested up to the successful operation of the safety relay.
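As an added illustration (not from the paper), the dependency argument above can be put into numbers. The model below is an assumption made for this example: the operator substitutes the visible inhibit status for the procedural check on a fraction of occasions, so that when the Inhibit SIF is failed dangerous and shows no inhibit, those occasions become erroneous OPEN commands. All input values are constructed.

```python
"""Worked model of operator/inhibit dependency (Section 4.2 argument).

Assumed model and constructed numbers, not the paper's own method.
  n_demands : valve operations attempted per year while the hazard is present
  p_err     : probability that an operator following the procedure issues an
              erroneous OPEN command on such an occasion
  pfd       : average probability that the Inhibit SIF fails to block it
  reliance  : fraction of occasions on which the operator substitutes the
              visible inhibit status for the procedural check
"""


def hazard_rate_independent(n_demands: float, p_err: float, pfd: float) -> float:
    """Hazard rate (per year) when operator error is independent of the SIF."""
    return n_demands * p_err * pfd


def hazard_rate_dependent(n_demands: float, p_err: float, pfd: float,
                          reliance: float) -> float:
    """Hazard rate when the operator can see, and leans on, the inhibit status.

    When the SIF is failed dangerous (probability pfd) the HMI shows no
    inhibit, so on the fraction `reliance` of occasions the operator proceeds
    as if the line were safe; only the remainder is still protected by the
    procedural check with error probability p_err.
    """
    p_err_given_failed = reliance + (1.0 - reliance) * p_err
    return n_demands * pfd * p_err_given_failed


def effective_rrf(n_demands: float, p_err: float, pfd: float,
                  reliance: float = 0.0) -> float:
    """Risk reduction actually achieved, relative to having no inhibit at all."""
    unmitigated = n_demands * p_err
    mitigated = hazard_rate_dependent(n_demands, p_err, pfd, reliance)
    return unmitigated / mitigated


if __name__ == "__main__":
    N, P_ERR, PFD = 50.0, 1e-2, 1e-2  # constructed values
    print(f"independent operator: RRF = {effective_rrf(N, P_ERR, PFD):.0f}")
    for r in (0.1, 0.5):
        print(f"reliance = {r}: RRF = {effective_rrf(N, P_ERR, PFD, r):.1f}")
```

With these inputs the independent case achieves the full 1/PFD (100), while an operator who leans on the display half the time gets an effective risk reduction of only about 2, which is why the paper recommends keeping the inhibit state invisible to the operator.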

4.3 Proof test challenges

The Inhibit SIF is designed to prevent a hazard being triggered by an operator error; the proof test strategy must ensure that a mistake during proof testing cannot initiate the same hazard.

Ideally, proof testing should be performed during a shutdown when the hazard is not present. This is not possible when the pressure source is the oil reservoir permanently connected to the riser, and may not be practical where short test intervals are required.

Detailed Proof Test Procedures should at all times ensure there are at least two barriers preventing the hazard from occurring by mistake. An inhibit function must not be tested by pressing the OPEN button to check that the valve doesn't open!

Validation test procedures are considered by some to be the same as Operations Proof Test Procedures. In fact these test procedures have slightly different objectives, and may require different strategies, because during Validation testing the hazard may not be present, whereas during an Operations proof test it often is. This needs to be carefully addressed in the Operations Proof Test Procedure.