The anomalies found however also indicate common techniques used, when parts of the

plant are running during late commissioning stages, to modify software avoiding spurious

trips. That is, a trip function is disabled to prevent an unwanted trip, modified on-line, but not

fully restored. Particular vigilance is needed for changes made once parts of the plant are

running.

Techniques can be applied to standard library function blocks to ensure that some forces are

self-revealing, via alarms. Other forces applied to fail-safe signals communicated between

logic solvers can be more difficult to make self-revealing, and specific test procedures may

be required to ensure such forces are removed.

ii)

Safety function seriously flawed: will only partly work or work too late

This group of anomalies in particular highlights the challenges in managing changes post

logic-solver FAT. Whether due to revisions in design documentation, or due to

commissioning changes, each phase of change brings with it an increased risk of introducing

errors. Examples of this group of serious anomalies include:

•

Part of logic missing – particularly a risk for complex logic with multiple inputs or

outputs.

•

Trip settings incorrect.

•

Timer periods incorrect.

•

Incorrect instrument range – usually introduced due to changes.

Strong management of change and verification procedures can prevent such errors being

introduced. Furthermore, the management of safety logic solver vendor competence

becomes a further challenge through multiple revisions of design documents where different

software engineers modify the original logic. It’s recommended to test each change made

post-FAT, rather than relying solely on the final validation testing to reveal errors.

iii)

Wrong signal connected / tag number discrepancy

Using the wrong signal in a safety function could have serious consequences. However,

experience has shown that tag number discrepancies revealed by code reviews are rarely

due to the wrong signal being connected. Rather, this highlights errors in the design

documents not corrected in as-built documentation. Such discrepancies go to the heart of

management of change procedures. Changing any tag number at any time during a project

can lead to this problem, and the importance of keeping design documents updated in line

with commissioning red-line mark-ups is evident. Global time differences between the

design authority and the commissioning team, along with 7 day working on site, can slow the

speed of response to site queries, leading to changes being made without master

documents being corrected, or worse, the wrong signal being connected.

iv)

Safety function will not work in certain circumstances

This rather general group of anomalies highlights the importance of considering wider logic

issues:

•

A maintenance override has been configured, when not permitted. Connecting the

override enable software parameter to an “override prohibited” tag is a technique to

explicitly prohibit overrides and avoid accidental re-enabling of overrides.

•

The precedence of two sets of competing logic incorrect.