Fire and Gas System (FGS) – a hazard mitigation system which detects gas release, fire, heat or smoke, and executes fire fighting and other mitigation actions such as water deluge.

Emergency Shutdown System (ESD) – a hazard mitigation system, generally triggered by Fire or Gas detection, which executes process depressurisation, electrical isolations and other global shutdown functions including those associated with platform abandonment.

The following terms are used in this paper:

Override or bypass refers to facilities designed into the logic solver to enable operators to defeat shutdown functions for maintenance or operational reasons, usually in a controlled and self-revealing way.

Software forces refer to changes to the logic solver application software made by a control system technician to defeat a shutdown function.
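The two definitions above differ in whether the defeat of a trip is visible. As an added illustration (not from the paper, and not Function Block code), the following Python model evaluates one gas trip function twice: once with a designed, time-limited override whose state is itself an output, and once with a hard-coded software force replacing the live detector signal. The input names and the override time limit are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed limit for the illustration; a real project takes it from its SRS.
OVERRIDE_MAX_S = 8 * 3600


@dataclass
class TripInputs:
    gas_detected: bool        # voted gas detection (constructed sample input)
    override_requested: bool  # operator override facility (key switch / HMI)
    override_elapsed_s: int   # seconds since the override was applied


@dataclass
class TripOutputs:
    esd_trip: bool          # True = depressurise / isolate
    override_active: bool   # announced to the operator (alarm + HMI)
    override_expired: bool  # override timed out; trip re-armed


def sif_with_override(inp: TripInputs) -> TripOutputs:
    """Controlled override: a designed input, time-limited, and revealed
    by dedicated outputs while the trip is defeated."""
    expired = inp.override_requested and inp.override_elapsed_s > OVERRIDE_MAX_S
    active = inp.override_requested and not expired
    trip = inp.gas_detected and not active
    return TripOutputs(esd_trip=trip, override_active=active,
                       override_expired=expired)


def sif_with_software_force(inp: TripInputs) -> TripOutputs:
    """Software force: the detector input is replaced by a constant in the
    application code, so the trip never fires and nothing indicates it."""
    forced_gas_detected = False  # hard-coded in place of the live signal
    return TripOutputs(esd_trip=forced_gas_detected,
                       override_active=False, override_expired=False)


def defeat_is_revealed(sif: Callable[[TripInputs], TripOutputs],
                       inp: TripInputs) -> Tuple[bool, bool]:
    """Return (trip_defeated, defeat_revealed) for a demand on the function.
    A defeat is revealed when some output announces it to the operator."""
    out = sif(inp)
    defeated = inp.gas_detected and not out.esd_trip
    revealed = out.override_active or out.override_expired
    return defeated, revealed
```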

2 Code Reviews

2.1 Methodology and timing

IEC61511-1 section 12.7.2.3 describes the requirement for application software code reviews. SBM Offshore have taken these principles and supplemented them with a full offline test of safety application software on a safety logic solver platform, running on the same hardware as the target project. A scope of work has been developed, including specific checks to be made to ensure that the persons executing such code reviews perform consistent checks. Furthermore, known recurring errors are highlighted as specific points to check. As required by IEC61511 for SIL3 functions, an independent company has been used for such reviews.

The timing of code reviews can be particularly tricky – they should be performed on the final version of the safety application software having undergone validation testing. The code review also requires final as-built design documents to which the software is programmed. But the code review also needs to be complete early enough to allow errors found to be corrected before the plant is started up. For this reason, and especially when applied to large safety systems, it’s recommended to ensure that code reviews are conducted in phases – within a hydrocarbon facility this could mean that the fire and gas system code review is conducted separately to the Process Shutdown System. Critical errors identified must be rectified before plant start-up by a competent engineer, with shutdown functions re-tested.

2.2 Basic software structure of a safety instrumented function

Let’s first examine what a basic safety instrumented function looks like, programmed using a Function Block language.