• Specify that it must not be possible to accomplish the inhibited valve action locally at the valve
• Ideally, maintenance bypasses/overrides should not normally be allowed
• How the inhibit action shall be realised (Section 4.2 addresses options for the final element of the Inhibit function)
To avoid errors, and to ensure best practices are followed, a generic template should be
developed for the SRS, with appropriate fields to be completed.
4.2 Final element of an inhibit
When designing an inhibit function, it’s important to consider what the final element is. If a
hardware inhibit is applied, such as a safety relay breaking the output circuit to prevent the
operator command being transmitted, Hardware Fault Tolerance (HFT) must be considered.
However, software solutions where the operator action is prevented in the logic solver must
also be approached with care. If the inhibit is accomplished in software, HFT requirements
only apply in terms of the required logic solver architecture. But if the inhibit is visible to the
operator in the HMI system, there could be an issue of dependency.
In terms of risk reduction, we assume that the operator error rate is independent of the
Inhibit SIF. However, if the operator can see the status of the Inhibit function, his reliability
may no longer be independent of the Inhibit reliability. In short – does the operator faithfully
follow his operating procedure when he is able to see the inhibit status, or to some extent
does he rely on waiting for a green light?
One solution to address the issue of dependency is to apply a hardware function where the
state of the Inhibit SIF is not visible to the operator. Hardware inhibits may also present
advantages in terms of proof testing – in the example of a safety relay, the SIF can be tested
to the successful operation of the safety relay.
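The dependency argument above can be made concrete with a small risk-reduction calculation. The following is an added illustration, not part of the paper: every figure in it (demand rate, operator error probability, inhibit PFD, and the conditional error probability when the operator "waits for a green light") is an assumed value chosen only to show the effect. The hazard needs both a wrong operator command and a failed inhibit, so the operator error term that matters is the one conditional on the inhibit having failed; the independence assumption is exactly the claim that this conditional probability equals the baseline.

```python
# Constructed illustration of the dependency issue: an Inhibit SIF delivers its
# nominal risk reduction only if the operator error rate is independent of the
# SIF state. All numbers are assumed for illustration, not taken from any plant.

DEMAND_RATE = 10.0        # operator commands per year that could open the valve (assumed)
P_OPERATOR_ERROR = 0.01   # baseline probability that a command is issued wrongly (assumed)
PFD_INHIBIT = 0.01        # average PFD of the Inhibit SIF, roughly SIL 2 territory (assumed)


def mitigated_frequency(demand_rate, pfd_inhibit, p_error_given_inhibit_failed):
    """Hazard frequency per year.

    The hazard occurs only when the inhibit has failed dangerously AND the
    operator issues the wrong command, so the operator error probability that
    applies is the one conditional on the inhibit having failed.
    """
    return demand_rate * pfd_inhibit * p_error_given_inhibit_failed


def effective_rrf(demand_rate, p_error_baseline, pfd_inhibit, p_error_given_inhibit_failed):
    """Risk reduction factor actually achieved by the inhibit: the hazard
    frequency with the operator alone divided by the mitigated frequency."""
    unmitigated = demand_rate * p_error_baseline
    return unmitigated / mitigated_frequency(demand_rate, pfd_inhibit, p_error_given_inhibit_failed)


def independent_case():
    """Hardware inhibit whose state the operator cannot see: the operator
    follows the procedure regardless, so the conditional error probability
    is the baseline. The achieved RRF equals 1 / PFD."""
    return effective_rrf(DEMAND_RATE, P_OPERATOR_ERROR, PFD_INHIBIT, P_OPERATOR_ERROR)


def dependent_case(p_error_when_light_is_green=0.5):
    """Software inhibit shown on the HMI: when the inhibit has failed the HMI
    shows 'not inhibited', and an operator who relies on that indication is
    far more likely to press OPEN. The conditional probability (assumed 0.5)
    replaces the baseline, and most of the claimed risk reduction disappears."""
    return effective_rrf(DEMAND_RATE, P_OPERATOR_ERROR, PFD_INHIBIT, p_error_when_light_is_green)


def rrf_lost_to_dependency(p_error_when_light_is_green=0.5):
    """Ratio of the nominal RRF to the RRF achieved once dependency is modelled."""
    return independent_case() / dependent_case(p_error_when_light_is_green)


if __name__ == "__main__":
    print(f"Mitigated frequency, independent: {mitigated_frequency(DEMAND_RATE, PFD_INHIBIT, P_OPERATOR_ERROR):.2e} /yr")
    print(f"Achieved RRF, independent operator: {independent_case():.0f}")
    print(f"Achieved RRF, operator relies on HMI: {dependent_case():.0f}")
    print(f"Factor lost to dependency: {rrf_lost_to_dependency():.0f}")
```

With the assumed numbers the inhibit nominally provides a risk reduction factor of 100, but once the operator's behaviour is conditioned on a visible inhibit status the achieved factor drops to 2. The point is not the specific values but that the SIL claimed for the Inhibit SIF cannot simply be multiplied with the operator's baseline error rate unless the two are genuinely independent, which is what a hardware inhibit with no HMI indication is intended to preserve.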
4.3 Proof test challenges
The Inhibit SIF is designed to prevent a hazard being triggered by an operator error; the
proof test strategy must ensure that a mistake during proof testing cannot initiate the same
hazard.
Ideally, proof testing should be performed during a shutdown when the hazard is not present.
This is not possible when the pressure source is the oil reservoir permanently connected to
the riser, and may not be practical where short test intervals are required.
Detailed Proof Test Procedures should at all times ensure there are at least two barriers
preventing the hazard from occurring by mistake. An inhibit function must not be tested by
pressing the OPEN button to check that the valve doesn’t open!
Validation test procedures are considered by some to be the same as Operations Proof
Test Procedures. In fact these test procedures have slightly different objectives, and may
require different strategies, because during Validation testing the hazard may not be present
whereas during an Operations proof test it usually is. This needs to be carefully addressed in
the Operations Proof Test Procedure.