outside the remit of IEC61511, but it should still be evaluated whether the mechanical
solution provides acceptable risk reduction.
4 Design of an Inhibit SIF
Finally, we arrive at what might be considered the last resort – the design of an Inhibit SIF.
An inhibit SIF prevents the operator from making a command from the control system HMI. The
terminology here is important – referring to such functions as permissives turns them upside
down and is confusing when considering failure states. This paper recommends not using
the term “permissive” in the SRS; the SIF is an inhibit.
4.1 SRS
Some specific issues apply to the specification of Inhibit SIFs; requirements are slightly
different from those for reactive trip functions.
In the event of sensor failure, the logic should ensure that the inhibit function is active.
However, in some cases, the safe (no inhibit) condition is indicated by a high pressure
(PSHH); see the example below. This logic is the reverse of what might be programmed for a
reactive high pressure trip function, where the fail-safe state would be to treat a failed sensor
as generating the high-high trip.
Figure 3: two sensors used to prevent the opening of the riser shutdown valve. In addition to
the choke limit switch (ZSC), a high pressure (PSHH) confirms that the choke (HCV) must
be closed, because the procedure requires the section of line to be pressurised with methanol
before start-up.
Similarly, the software latching of a condition used in inhibit functions must be carefully
considered. Using the above example, the PSHH should not be latching in the high-high
state (as might be normal for a reactive high-high trip function), since the high-high state is
the no-inhibit state. Until reset, the inhibit function would be latched in the no-inhibit state,
regardless of the current process measurement. In this case, the SRS must specify that the
software latch is disabled for this sensor.
The two above points should be verified as part of application program code reviews to
ensure that the logic solver is programmed correctly.
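As an added illustration (not code from this paper or from any logic solver vendor), the following Python model of the Figure 3 inhibit compares the logic the SRS should specify with a PSHH block reused from a reactive trip, which fails to high-high and latches. The setpoint value, the transmitter health flag, the scan sequence and all names are assumptions made for the example.

```python
from dataclasses import dataclass

PSHH_BARG = 50.0  # constructed setpoint for illustration, not from the paper

@dataclass
class Scan:
    zsc_closed: bool      # choke closed limit switch (ZSC) made
    pressure_barg: float  # line pressure reading
    pt_healthy: bool      # False when the transmitter reports a fault

class ReactiveTripPSHH:
    """PSHH as commonly built for a reactive trip: a failed sensor counts as
    high-high, and the high-high state latches until reset."""
    def __init__(self):
        self.latched = False

    def high_high(self, s: Scan) -> bool:
        if not s.pt_healthy or s.pressure_barg >= PSHH_BARG:
            self.latched = True
        return self.latched

def inhibit_pshh(s: Scan) -> bool:
    """PSHH for the inhibit: high-high is the no-inhibit state, so it must be
    a healthy, current measurement. No fail-to-high, no latch."""
    return s.pt_healthy and s.pressure_barg >= PSHH_BARG

def open_inhibited(zsc_closed: bool, pshh: bool) -> bool:
    """Opening the riser shutdown valve is inhibited unless both sensors
    confirm the choke is closed and the line is pressurised."""
    return not (zsc_closed and pshh)

def compare(scans):
    """Return (inhibit per SRS, inhibit with reused trip block) per scan."""
    trip = ReactiveTripPSHH()
    return [(open_inhibited(s.zsc_closed, inhibit_pshh(s)),
             open_inhibited(s.zsc_closed, trip.high_high(s))) for s in scans]

# Constructed scan sequence for the example
SCANS = [
    Scan(True, 20.0, True),   # line not yet pressurised
    Scan(True, 55.0, True),   # pressurised with methanol, choke closed
    Scan(True, 20.0, True),   # pressure lost again
    Scan(True, 0.0, False),   # transmitter failed
]

if __name__ == "__main__":
    for s, (ok, bad) in zip(SCANS, compare(SCANS)):
        print(s, "| inhibit per SRS:", ok, "| reused trip logic:", bad)
```

In the third and fourth scans the reused trip block leaves the inhibit removed although the line is no longer confirmed as pressurised, which is the condition a code review of the application program should look for.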
Other factors which the SRS must consider include: