
- Spurious setting of overrides or modes on logic solver start-up.
- The second pulsed output to generate a general plant alarm will not work; a common problem that can be easily solved with a standard software function block.
- Fire zone inhibits defeating the wrong signals. Fire zone inhibits are a particular challenge in fire and gas systems and should wherever possible be programmed in a self-revealing way.

v) Safety function will not work in a specific error state

Techniques are used in safety systems to ensure that the fail-safe state is defined, and that shutdowns are executed using fail-safe techniques. When these techniques are not fully applied, the overall reliability of the function will be reduced. Specific anomalies in this group include:

- Normally open field contacts used instead of normally closed.
- Use of energise to trip circuits when fail-safe circuits are required.
- Communications between logic solvers not set to fail-safe on loss of communications.
- Wrong voting logic used, affecting the logic degrading on sensor failure.
- Revealed sensor error not programmed as required to automatically generate a trip.
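The following is an added worked example, not code from the document or from any logic solver vendor. It models the fail-safe conventions the list above asks for in a small Python function: de-energise-to-trip inputs (a healthy contact reads energised, a broken wire reads as a trip), MooN voting that degrades when a sensor reports a revealed fault (2oo3 to 1oo2, and a function whose sensors are all faulty trips rather than doing nothing), and loss of communications with a remote logic solver treated as a trip. The degradation policy and the `SensorInput` structure are assumptions made for the example; real safety manuals specify their own.

```python
"""Fail-safe sensor voting for a safety instrumented function.

Constructed illustration (not vendor function-block code). Conventions
assumed here:
- Field contacts are normally closed and de-energise to trip: a healthy,
  non-demanding input reads True (energised); a trip demand or a broken
  wire reads False.
- A revealed sensor fault (diagnostic flag) removes that sensor from the
  vote and lowers the required count by one, never below one, so a single
  fault never silently disables the function.
- Loss of communications with a remote logic solver is itself a trip.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class SensorInput:
    name: str
    energised: bool       # True = healthy and not demanding a trip
    fault: bool = False   # revealed sensor error from diagnostics


def vote_trip(inputs: List[SensorInput], m: int) -> bool:
    """Return True when an MooN vote demands a trip.

    m is the number of tripped sensors required among the healthy ones.
    Faulty sensors are excluded and the requirement is reduced by the same
    amount (2oo3 -> 1oo2 -> 1oo1). If no healthy sensor remains the
    function trips: the fail-safe state, not a silent "no demand".
    """
    healthy = [s for s in inputs if not s.fault]
    if not healthy:
        return True
    faults = len(inputs) - len(healthy)
    required = max(1, m - faults)
    tripped = sum(1 for s in healthy if not s.energised)
    return tripped >= required


def safety_function(inputs: List[SensorInput], m: int,
                    comms_healthy: bool) -> bool:
    """Overall trip demand: sensor vote OR loss of communications."""
    if not comms_healthy:
        return True
    return vote_trip(inputs, m)


def trip_output_energised(trip_demand: bool) -> bool:
    """De-energise-to-trip output: the final element coil is energised
    only while there is no trip demand, so a lost supply also trips."""
    return not trip_demand


if __name__ == "__main__":
    # Constructed sample: one transmitter faulty, one of the other two tripped.
    sample = [SensorInput("PT-1", energised=True, fault=True),
              SensorInput("PT-2", energised=False),
              SensorInput("PT-3", energised=True)]
    demand = safety_function(sample, m=2, comms_healthy=True)
    print("trip demand:", demand, "output energised:",
          trip_output_energised(demand))
```

Note that with the degradation policy shown, a 2oo3 group with one faulty sensor trips on a single remaining demand; a plant that prefers 2oo3 to degrade to 2oo2 would change only the `required` calculation, and that choice should come from the safety requirements specification rather than from the programmer's preference.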

vi) Possible dangerous implications

Incorrect software techniques, especially the selection of the wrong standard software function block, or incorrect implementation, can lead to inconsistencies that could have dangerous implications. Examples include:

- High-high trip programmed using the high alarm output. This error can mean that there is no latch and no override facility.
- Incorrect programming of energise to trip circuits, leading to spurious operation on logic solver power-up or loss of communications.
- Tripping of equipment not required to be tripped; typically resulting from changes not fully implemented.
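As an added illustration (not the document's own code, and not any vendor's function block), the Python below contrasts the first anomaly in the list: a plain high-alarm comparison, whose output simply follows the process value, against a high-high trip block that latches on demand, stays tripped until an explicit reset with the demand gone, and honours an override only when one has been deliberately applied. The override defaults to off on start-up so that power-up cannot spuriously set it. The setpoints and the class interface are assumptions for the example.

```python
"""High alarm output versus a latched high-high trip block.

Constructed illustration of the difference between an alarm comparison
and a trip function block. Setpoints are made-up example values.
"""

HIGH_ALARM = 80.0   # assumed alarm setpoint (constructed)
HIGH_HIGH = 90.0    # assumed high-high trip setpoint (constructed)


def high_alarm(value: float) -> bool:
    """Alarm output: true only while the value is above the setpoint.

    If this output is wired as the trip, the trip clears by itself as
    soon as the value falls, with no latch and no override facility.
    """
    return value >= HIGH_ALARM


class HighHighTrip:
    """Latched trip block with explicit reset and maintenance override."""

    def __init__(self, setpoint: float = HIGH_HIGH):
        self.setpoint = setpoint
        self.latched = False
        self.override = False   # always off after logic solver start-up
        self._last = 0.0        # last evaluated process value

    def apply_override(self, enable: bool) -> None:
        """Override must be set deliberately; it is never a power-up state."""
        self.override = enable

    def evaluate(self, value: float) -> bool:
        """Return the trip demand for this scan.

        A demand above the setpoint latches unless an override is active.
        Once latched the demand is held regardless of the process value.
        """
        self._last = value
        if value >= self.setpoint and not self.override:
            self.latched = True
        return self.latched

    def reset(self) -> bool:
        """Clear the latch only if the demand has gone; return True if clear."""
        if self.latched and self._last < self.setpoint:
            self.latched = False
        return not self.latched


if __name__ == "__main__":
    trip = HighHighTrip()
    for v in (70.0, 95.0, 70.0):   # constructed sequence of scans
        print(f"value={v:5.1f} alarm={high_alarm(v)} trip={trip.evaluate(v)}")
    print("reset accepted:", trip.reset())
```

Running the scan sequence shows the alarm output dropping back to false on the third scan while the trip block remains demanded until `reset()` is called with the value below the setpoint.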

vii) Works but too often, too quickly or too early, causing spurious trips

Aside from the loss of production, spurious trips increase risk since the most dangerous plant states often occur during plant shutdown and start-up. This category of anomalies, though less significant than those described earlier, is caused by the same breakdowns in procedures already described. Errors include incorrect timers, trip settings, function block implementation or software techniques.

viii) Degraded integrity

The final category of anomalies is one that also reveals poor practices, particularly by the logic solver vendor. Not fully following the requirements of the safety manual for logic solver integrity may not normally prevent an instrumented function from working, but will reduce the integrity and reliability of such functions, especially when considering failure states. An example is the use of a non-safe signal, or non-safe software blocks, as part of a safety function.