Application software integrity: is your logic solver as reliable as you think?
Neil Wakeling BA MA CEng FInstMC MIET (CFSE),
Group Technical Authority for Functional Safety and ICSS, SBM Offshore, Monaco
Abstract
The logic solver is generally by far the most reliable part of a Safety Instrumented Function in terms of random
hardware failures. However, the largest source of failures is likely to be systematic factors, often dormant errors,
discrepancies or forces in the application software not detected during the safety system validation, or introduced
during the start-up or operations phases. Whilst IEC61511 addresses application software in some detail,
including via the implementation of a code review performed prior to plant start-up, it’s certainly not correct to say
that once validated, the logic solver needs no further attention. The challenge of maintaining the integrity of
safety application software is a point not lost on some national regulators and major oil companies, who prohibit
software-based systems for certain high integrity protection systems.
This paper draws on the experience of safety logic code reviews conducted across the world’s largest fleet of
FPSOs, covering Process Safety, but also Fire and Gas and Emergency Shutdown systems where particular
considerations apply. It focuses on methods for eliminating errors before plant start-up, and how to maintain the
integrity of application software during the longest phase of the safety lifecycle: operation. A comprehensive set
of procedures throughout the project execution, operation and indeed brownfield modification stages of the
lifecycle is needed to reduce the chances of safety reliability being impacted. Without such measures, your logic
solver might not be as reliable as you first thought.
1. Introduction
Over the past five years, SBM Offshore has undertaken a comprehensive code review and
offline test of all safety application software across the world’s largest fleet of leased
hydrocarbon production facilities. This exercise has been conducted for over 15000 Process
Shutdown I/O, and for more than 18000 Fire and Gas and Emergency Shutdown I/O. The
review process spans brand new to 10 year old production facilities, and has been
embedded in the company’s Group Technical Standards as a requirement for all new
facilities. This paper presents some of the key conclusions, challenges and lessons to be
learnt from this process, which has enabled residual errors to be rectified, making oil and
gas production facilities safer.
Process Shutdown systems on many hydrocarbon facilities are designed to the American
Petroleum Institute’s Recommended Practice 14C, essentially a prescriptive rather than a
risk-based approach to safety, which results in large shutdown systems. Maintaining the
integrity of such systems, which may consist of over 1000 I/O, poses significant challenges.
Fire and Gas and Emergency Shutdown systems are yet larger, with 1500 or more inputs
and outputs, and are subject to their own unique issues.
The extension of IEC61511 code reviews to large safety systems not designed to IEC61511
is a useful means of eliminating residual application software errors. By analysing the
recurring errors found in such code reviews, weaknesses in design, commissioning and
operations processes and systems can be identified and countermeasures put in place.
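As an added illustration of what an offline review against the design basis can catch (this is not the paper's or SBM Offshore's own tooling), the following Python script compares a constructed Cause & Effect matrix with a constructed extract of the implemented logic and a snapshot of force states, reporting missing effects, extra effects, unmapped causes and active forces. The tag names and data formats are assumptions.

```python
"""Offline consistency check of safety application logic against its
Cause & Effect (C&E) matrix. Added example; all data below is constructed."""
from dataclasses import dataclass

# Constructed design intent: each cause (initiator tag) and the final
# elements it must trip. Tag names are hypothetical.
DESIGN_CE = {
    "PSHH-101": {"XV-101", "XV-102"},
    "LSHH-201": {"XV-201"},
    "TSHH-301": {"XV-301"},
}

# Constructed extract of the implemented logic (e.g. parsed from an
# exported program listing): cause -> effects actually wired in code.
IMPLEMENTED_CE = {
    "PSHH-101": {"XV-101"},            # XV-102 missing: dormant error
    "LSHH-201": {"XV-201", "XV-202"},  # XV-202 extra: discrepancy
    "TSHH-301": {"XV-301"},
}

# Constructed snapshot of force/override states read from the logic solver.
FORCES = {"PSHH-101": False, "LSHH-201": True, "TSHH-301": False}


@dataclass
class Finding:
    cause: str
    kind: str    # missing_effect, extra_effect, unmapped_cause, undocumented_cause, forced
    detail: str


def review(design, implemented, forces):
    """Return every discrepancy between design intent, code and live forces."""
    findings = []
    for cause, effects in design.items():
        impl = implemented.get(cause)
        if impl is None:
            findings.append(Finding(cause, "unmapped_cause", "cause not found in logic"))
            continue
        for e in sorted(effects - impl):      # designed trip never implemented
            findings.append(Finding(cause, "missing_effect", e))
        for e in sorted(impl - effects):      # implemented trip with no design basis
            findings.append(Finding(cause, "extra_effect", e))
    for cause in sorted(set(implemented) - set(design)):
        findings.append(Finding(cause, "undocumented_cause", "logic has no C&E basis"))
    for tag, forced in sorted(forces.items()):
        if forced:                            # force left active bypasses the trip
            findings.append(Finding(tag, "forced", "active force bypasses trip"))
    return findings


if __name__ == "__main__":
    for f in review(DESIGN_CE, IMPLEMENTED_CE, FORCES):
        print(f"{f.kind:18} {f.cause:10} {f.detail}")
```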
For facilities designed to IEC61511, the mandatory independent code review (IEC61511-1
section 12.7.2.3) should ensure that errors are removed before plant start-up, while