the development of standard software solutions (e.g. a new function block) for logic requirements prone to error in implementation.

Application software design must take into account the required testing regimes and the plant operating modes that will occur during operation. Otherwise, the operating company may need to apply software forces (direct manipulation of logic solver variables from the engineering tool) rather than use a more controlled, engineered method of bypassing shutdowns during certain operations. Prohibiting overrides in the design may make software forces necessary during commissioning phases, and even to restart the plant after a shutdown during operation.

3.3 The benefits of simplicity

A fundamental principle of IEC61511 is the limiting of size and complexity in safety systems, concentrating effort on hazards where risk reduction is actually needed. As described earlier, small, manageable safety systems designed to IEC61511 are often made larger and more complex through the addition of asset/financial protection functions. It is common in many oil and gas facilities to retain prescriptive API RP 14C shutdown functions, even when IEC61511 is applied in full.

A typical hydrocarbon production facility designed to IEC61511 may have between 30 and 50 safety and environmental SIL functions, which will be subject to the rigours of functional safety management. By comparison, Process Shutdown Systems designed to API RP 14C may consist of 300 to 400 shutdown functions.

Most shutdown functions are relatively simple, but many are made more complex via the inclusion of multiple “convenience shutdown” actions, whereby the plant is aligned ready for re-start. More complex shutdown functions require a very clear design description to ensure correct implementation and testing.

The larger and more complex the overall safety system, and the more it is subjected to change, the more opportunities exist for errors to be introduced. Small, well-defined safety systems can be more easily locked down, with software signatures taken to ensure no change is made post-validation. Where safety systems are not designed to IEC61511, or where SIL functions are mixed with other shutdown functions, there are benefits in identifying and segregating critical functions for additional rigour. This can include the segregation of the highest SIL functions into a dedicated logic solver, subject to yet more rigorous controls.
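As an added example (not from the original document), the following Python shows the kind of post-validation software signature the paragraph above describes: a signed baseline of per-file hashes over an exported logic application, and a check that reports modified, added and removed files, or a baseline whose own signature no longer verifies. The file names, file contents and key are constructed for the illustration; a real logic solver's engineering tool produces its own application signature, and this only demonstrates the principle.

```python
"""Post-validation integrity baseline for an exported safety logic application.

Added example, not part of the original document. It assumes the logic
solver application can be exported as a set of files (constructed sample
content below); vendor tools compute their own signatures, and this shows
the principle with SHA-256 file digests and an HMAC over the manifest.
"""
import hashlib
import hmac
import json
from pathlib import Path

# Constructed sample export: one file per safety function plus a project
# configuration. Names, logic and values are hypothetical.
SAMPLE_EXPORT = {
    "SIF-001_riser_overpressure.st": b"IF PT_101 > 85.0 THEN ESDV_101 := CLOSE; END_IF\n",
    "SIF-002_separator_high_level.st": b"IF LT_201 > 90.0 THEN SDV_201 := CLOSE; END_IF\n",
    "project.cfg": b"logic_solver=SIL3\nscan_ms=100\n",
}


def file_digests(files):
    """Map each file name to the SHA-256 of its content, sorted by name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def _canonical(digests):
    # Stable encoding so the HMAC does not depend on dict ordering.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(files, key):
    """Take the post-validation baseline: per-file digests plus an HMAC over them.

    The key must be held off the engineering workstation, otherwise anyone
    who can change the logic can also re-sign the baseline.
    """
    digests = file_digests(files)
    signature = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "signature": signature}


def verify_baseline(files, baseline, key):
    """Compare a current export against the signed baseline.

    Returns a report with the changed file lists; if the baseline itself
    fails its signature check nothing else is trusted and that is reported.
    """
    expected = hmac.new(key, _canonical(baseline["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["signature"]):
        return {"baseline_tampered": True, "modified": [], "added": [], "removed": []}
    current = file_digests(files)
    known = baseline["files"]
    modified = sorted(n for n in current if n in known and current[n] != known[n])
    added = sorted(set(current) - set(known))
    removed = sorted(set(known) - set(current))
    return {"baseline_tampered": False, "modified": modified, "added": added, "removed": removed}


def is_unchanged(report):
    """True only when the baseline verified and no file differs from it."""
    if report["baseline_tampered"]:
        return False
    return not (report["modified"] or report["added"] or report["removed"])


def load_export(directory):
    """Read a real export directory into the same {relative_name: bytes} shape."""
    root = Path(directory)
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*") if p.is_file()}


if __name__ == "__main__":
    key = b"constructed-example-key"  # hypothetical; keep the real key off the workstation
    baseline = sign_baseline(SAMPLE_EXPORT, key)
    print("clean export unchanged:", is_unchanged(verify_baseline(SAMPLE_EXPORT, baseline, key)))
    edited = dict(SAMPLE_EXPORT)
    edited["SIF-001_riser_overpressure.st"] = b"IF PT_101 > 95.0 THEN ESDV_101 := CLOSE; END_IF\n"
    print("after trip-point edit:", verify_baseline(edited, baseline, key))
```

The baseline and key should be stored away from the logic solver and its engineering workstation (for example with the validation records), and the check re-run at a fixed interval and before every proof test; a report that is not unchanged is a change-control event, whether the cause was a software force, an edit to a trip point or an added function.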

3.4 Non-software based solutions

One way to eliminate software errors is to use non-programmable systems for the highest integrity functions. This approach is encouraged by the UK HSE (see reference [4]) for the protection of pipelines and risers from oil well pressure. Many international oil companies do employ solid state logic solvers for such functions, where the safety instrumented function may be the only layer of protection. Whilst the riser overpressure safety function is the most high profile, other high SIL hazards may exist where the instrumented function is either the only or the last layer of protection, and these may merit similar precautions.