the development of standard software solutions (e.g. a new function block) for logic
requirements prone to error in implementation.
Application software design must take into account the required testing regimes and the
plant modes that can arise during operation. Otherwise, the operating company may need to
apply software forces, rather than use a more controlled method of bypassing shutdowns
during certain operations. Prohibiting overrides may make software forces necessary during
commissioning, and even to re-start the plant after a shutdown during operation.
3.3 The benefits of simplicity
A fundamental principle of IEC61511 is the limiting of size and complexity in safety systems,
concentrating effort on hazards where risk reduction is actually needed. As described
earlier, small, manageable safety systems designed to IEC61511 are often made larger and
more complex through the addition of asset/financial protection functions. It’s common in
many oil and gas facilities to retain prescriptive API RP 14C shutdown functions, even when
IEC61511 is applied in full.
A typical hydrocarbon production facility designed to IEC61511 may have between 30 and 50
safety and environmental SIL functions, which will be subject to the rigours of functional safety
management. By comparison, process shutdown systems designed to API RP 14C may
consist of 300 to 400 shutdown functions.
Most shutdown functions are relatively simple, but many are made more complex via the
inclusion of multiple “convenience shutdown” actions, whereby the plant is aligned ready for
re-start. More complex shutdown functions require a very clear design description to ensure
correct implementation and testing.
The larger and more complex the overall safety system, and the more it is subjected to
change, the more opportunities exist for errors to be introduced. Small, well-defined safety
systems can be more easily locked down, with software signatures (for example a checksum
or hash of the application program) taken after validation so that any subsequent change is
detectable. Where safety systems are not designed to IEC61511, or where SIL functions are
mixed with other shutdown functions, there are benefits in identifying and segregating the
critical functions for additional rigour. This can include the segregation of the highest SIL
functions into a dedicated logic solver, subject to yet more rigorous controls.
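The "software signature taken post-validation" idea above is easy to operate in practice if the validated application program can be exported as a set of program units (one file per function block or SIF). The following is an added illustration, not code from the paper or from any logic solver vendor: it hashes each unit, records a manifest, and on a later audit reports exactly which units were modified, added or removed. The unit names, logic text and setpoints are constructed sample data.

```python
"""Post-validation change detection for a safety logic solver application.

Added example (not from the original page). Assumes the validated
application can be exported as a mapping of unit name -> unit content.
All unit names and logic below are constructed sample data.
"""
import hashlib
import json
from typing import Dict, List, Mapping

# Constructed sample: a validated export of three shutdown function units.
VALIDATED_EXPORT: Dict[str, bytes] = {
    "SIF-101_riser_overpressure.st": b"IF PT_101 > 150.0 THEN XV_101 := FALSE; END_IF;\n",
    "SIF-102_hp_separator.st": b"IF LT_102 > 90.0 THEN XV_102 := FALSE; END_IF;\n",
    "PSD-210_compressor_trip.st": b"IF VIB_210 > 7.1 THEN K_210 := FALSE; END_IF;\n",
}


def sign_export(export: Mapping[str, bytes]) -> Dict[str, str]:
    """Return a manifest mapping each unit name to the SHA-256 of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(export.items())}


def manifest_signature(manifest: Mapping[str, str]) -> str:
    """One overall signature for the whole application: hash of the canonical manifest.

    This is the single value that goes into the validation dossier; it changes if
    any unit changes, is added, or is removed.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def compare(baseline: Mapping[str, str], current: Mapping[str, str]) -> Dict[str, List[str]]:
    """Classify every unit as unchanged, modified, added or removed.

    `baseline` is the manifest recorded at validation; `current` is a manifest
    computed from a fresh export of the running application.
    """
    base_names, cur_names = set(baseline), set(current)
    return {
        "unchanged": sorted(n for n in base_names & cur_names if baseline[n] == current[n]),
        "modified": sorted(n for n in base_names & cur_names if baseline[n] != current[n]),
        "added": sorted(cur_names - base_names),
        "removed": sorted(base_names - cur_names),
    }


def verify(baseline: Mapping[str, str], export: Mapping[str, bytes]) -> bool:
    """True only if the exported application is byte-for-byte the validated one."""
    return manifest_signature(sign_export(export)) == manifest_signature(baseline)


if __name__ == "__main__":
    baseline = sign_export(VALIDATED_EXPORT)
    print("validated signature:", manifest_signature(baseline))

    # Constructed post-validation audit: a setpoint was raised, one unit was
    # deleted and a new convenience shutdown was added.
    audited = dict(VALIDATED_EXPORT)
    audited["SIF-101_riser_overpressure.st"] = b"IF PT_101 > 175.0 THEN XV_101 := FALSE; END_IF;\n"
    del audited["PSD-210_compressor_trip.st"]
    audited["PSD-211_export_pump_trip.st"] = b"IF PT_211 < 2.0 THEN P_211 := FALSE; END_IF;\n"

    print("still validated:", verify(baseline, audited))
    for category, names in compare(baseline, sign_export(audited)).items():
        print(f"{category:9s} {names}")
```

Two caveats a practitioner should keep in mind. A hash only detects change; it does not say whether the change was authorised, so the comparison result has to feed the management-of-change process, not replace it. And whoever can modify the application can also recompute the hashes, so the baseline manifest (or at least its overall signature) must be held outside the engineering workstation, for example in the validation dossier, rather than on the same system that is being checked.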
3.4 Non-software based solutions
One way to eliminate application software errors from the highest integrity functions is to
implement them in non-programmable systems. This approach is encouraged by the UK HSE
(see reference [4]) for the protection of pipelines and risers from oil well pressure. Many
international oil companies employ solid state logic solvers for such functions, where the
safety instrumented function may be the only layer of protection. Whilst the riser overpressure
safety function is the most high profile, other high SIL hazards may exist where the
instrumented function is either the only or the last layer of protection, and these may merit
similar precautions.