functional safety management processes are relied upon to protect against errors being
introduced during perhaps 20 years of operation. Proof testing during operation should
reveal software errors that have been introduced, but as we will see later, most of the errors
found in code reviews would not be revealed by proof testing.
This paper discusses some of the countermeasures that can be put in place to reduce the
likelihood of application software errors being introduced or remaining undetected, and
contrasts these measures with those required by IEC 61511. In many cases, the software
anomalies found simply serve to highlight the benefits of applying the Functional Safety
Management principles described in IEC 61511 to all safety systems.
1.1 What is an FPSO?
A Floating Production, Storage and Offloading (FPSO) vessel is usually a ship, either
purpose-built or converted from an oil tanker. FPSOs are typically around 300 m long and are
moored in offshore locations where they perform the same functions as offshore production
platforms. These include the separation and treatment of produced hydrocarbons and the
injection of treated seawater and gas into the reservoir. Unlike fixed platforms, which
generally pump produced oil into a pipeline or to a remote loading terminal, an FPSO can
store crude oil on board, periodically offloading it directly to a shuttle tanker.
FPSOs are well suited to deep-water applications, while their large storage capacity makes
them particularly effective as early production systems, where there is no oil pipeline.
Currently there are over 200 FPSOs operating worldwide.
Figure 1: SBM Offshore’s FPSO Cidade de Paraty, sailing away from the shipyard
1.2 Terminology
On an FPSO there are typically three main safety instrumented systems. The following
terminology is used throughout this paper:
• Process Shutdown System (PSS) – the hazard prevention system which detects
potentially dangerous conditions and executes process shutdowns, also known as
the Safety Instrumented System.