Application software integrity: is your logic solver as reliable as you think?

Neil Wakeling BA MA CEng FInstMC MIET (CFSE),
Group Technical Authority for Functional Safety and ICSS, SBM Offshore, Monaco

Abstract

The logic solver is generally by far the most reliable part of a Safety Instrumented Function in terms of random hardware failures. However, the largest source of failures is likely to be systematic factors, often dormant errors, discrepancies or forces in the application software not detected during the safety system validation, or introduced during the start-up or operations phases. Whilst IEC61511 addresses application software in some detail, including via the implementation of a code review performed prior to plant start-up, it is certainly not correct to say that once validated, the logic solver needs no further attention. The challenge of maintaining the integrity of safety application software is a point not lost on some national regulators and major oil companies, who prohibit software-based systems for certain high integrity protection systems.

This paper draws on the experience of safety logic code reviews conducted across the world's largest fleet of FPSOs, covering Process Safety, but also Fire and Gas and Emergency Shutdown systems where particular considerations apply. It focuses on methods for eliminating errors before plant start-up, and on how to maintain the integrity of application software during the longest phase of the safety lifecycle: operation. A comprehensive set of procedures throughout the project execution, operation and indeed brownfield modification stages of the lifecycle is needed to reduce the chances of safety reliability being impacted. Without such measures, your logic solver might not be as reliable as you first thought.

1. Introduction

Over the past five years, SBM Offshore has undertaken a comprehensive code review and offline test of all safety application software across the world's largest fleet of leased hydrocarbon production facilities. This exercise has been conducted for over 15000 Process Shutdown I/O, and for more than 18000 Fire and Gas and Emergency Shutdown I/O. The review process spans brand new to 10 year old production facilities, and has been embedded in the company's Group Technical Standards as a requirement for all new facilities. This paper presents some of the key conclusions, challenges and lessons to be learnt from this process, which has enabled residual errors to be rectified, making oil and gas production facilities safer.

Process Shutdown systems on many hydrocarbon facilities are designed to the American Petroleum Institute's Recommended Practice 14C, essentially a prescriptive rather than a risk-based approach to safety, which results in large shutdown systems. Maintaining the integrity of such systems, which may consist of over 1000 I/O, poses significant challenges. Fire and Gas and Emergency Shutdown systems are larger still, with 1500 or more inputs and outputs, and are subject to their own unique issues.

The extension of IEC61511 code reviews to large safety systems not designed to IEC61511 is a useful means of eliminating residual application software errors. By analysing the recurring errors found in such code reviews, weaknesses in design, commissioning and operations processes and systems can be identified and countermeasures put in place.

For facilities designed to IEC61511, the mandatory independent code review (IEC61511-1 section 12.7.2.3) should ensure that errors are removed before plant start-up, while