An industrial process such as an installation for extraction or production of oil and gas products has a physical implementation comprising components such as devices and apparatuses for operation, control, regulation and protection of the process. The industrial process also comprises systems for functionality, control and supervision. This results in a complex combination of systems and components. In process industry contexts it is necessary to protect humans, the surrounding environment, process systems, subsystems and/or components. As part of the functions of the elements in the system, measurements of parameters such as currents, voltages, phases, temperatures and so on are made substantially continuously and may result in different safety scenarios, up to and even including a plant shut-down.
The safety-related functions of the industrial system are performed by a dedicated safety system with input from safety devices and safeguarding outputs. Safety systems have been developed for the purpose of enabling safeguarding actions in reaction to the safety events. Safety systems in the process industry have a general criterion of engineering with strong emphasis on quality and verification. Such systems are typically not fully standard but are often purpose-built and usually include various and different devices and/or subsystems, software and communication protocols.
A safety system must perform very reliably, even more reliably than the process systems it protects; this means that a different standard of engineering must be used, with stronger emphasis on quality and verification. This approach is especially important if a customer is seeking Safety Integrity Level (SIL) classification of their safety system according to the standards relevant for that industry or branch, e.g. IEC-61508 Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC/TR3 61510 RMBK nuclear reactors-Proposals for instrumentation and control, IEC-61511 Functional safety-Safety instrumented systems for the process industry sector.
U.S. Pat. No. 5,361,198 entitled Compact work station control room and assigned to Combustion Engineering describes a concept including a safety system, comprising software, displays for input, a general safety system and hand-coded functions. The patent application US2007/276514 entitled “Method In A Safety System For Controlling A Process Or Equipment”, and assigned to ABB, describes an industrial safety system (ISS) and methods for controlling a process or equipment. The industrial safety system includes components with safety devices and enables signals to be generated as a result of an event or alarm. An automated link is created between the event or alarm and an action to be taken upon receipt of the event or alarm signal due to the event. This is done using in part a display or HMI associated with selection means for input etc. The structure of the system is to create a grid/matrix of related objects. The grid/matrix is a system of rows and columns, an interface and type of application often referred to as a Cause and Effect matrix or diagram. The matrix is often populated by manually entering information, or by importing one or more signal lists and/or cause and effect information in a worksheet or calculation sheet format, into a tool for editing a Cause and Effect matrix. FIG. 3 (Prior Art) shows a cause and effect matrix. The graphic user interface of the cause and effect matrix editor shows Causes 22 arranged in horizontal rows and Effects 26 arranged in vertical columns. A sensor device 10 such as a level sensor provides an input signal, which is handled as a Cause. This is represented in the cause and effect matrix by a program logic component, which is a portion of control code, usually a standardized logic component held e.g. in a library, commonly in the form of a function block, control module or similar.
This form of control code is often referred to as an intermediate code, as it is computer program code which is not yet in a compiled form.
During an engineering phase, configuration is carried out with the Cause and Effect matrix editor to make a software connection 19 between a Cause and an Effect. The result is that an input signal, such as from level sensor 10, is “software connected” to an output signal to an effect actuator 14 for the planned event and safeguarding action. This may be thought of as the software connection of a signal path S1 from an input device to a signal path S2 to an output device (actuator, motor) providing the action or event. When the matrix has been configured, the Cause and Effect matrix editor converts the software connections between the program logic components of each cause and the program logic components of each effect and generates IEC61311-3 control code from the matrix, usually in intermediate code. This IEC61311-3 control code may then be compiled into executable computer code and downloaded into the memory of a safety controller of a safety system.
For the emergency and process shutdown logic, shutdown levels are used. A shutdown level is a group of causes and effects, grouped together either by process sections or by site areas. Process section means a specific part of the process and site area means a specific location of a site, e.g. a Hazardous area or a Non-hazardous area. A typical shutdown level will have a number of causes connected to it and will trip the effects connected to it. Ideally, all causes and effects are connected to exactly one shutdown level; at a minimum, every cause and effect should be connected to a shutdown level. For the Fire & Gas IEC61311-3 logic, fire areas are used. For the fire and gas logic, a fire area is the equivalent of a shutdown level in the emergency and process shutdown logic.
These shutdown levels and Fire and Gas areas are normally implemented manually within the control code. They are often part of known Cause and Effect diagram systems; however, although the control code is often generated automatically from the Cause and Effect diagram, the shutdown levels are normally not included, so that the shutdown levels have to be added to the control code manually.
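The two ideas above, a Cause and Effect matrix that is turned into intermediate IEC 61131-3 control code and shutdown levels/fire areas that group causes and effects, can be shown together in a small model. The following is an added example, not code from the patent or from any vendor's Cause and Effect editor. It assumes a simplified matrix in which each cause and each effect carries at most one shutdown level, a direct link trips the effect, and any active cause in a level trips every effect in that level; the tag names (LT_101_HH, SD_LEVEL_2 and so on) are constructed sample values. The generator emits Structured Text with the level variables included, so the levels do not have to be added by hand, and the validation reports the engineering problems the text describes (elements without a level, causes that trigger nothing).

```python
"""Cause and Effect matrix with shutdown levels, generating IEC 61131-3 Structured Text.
Added example with constructed tags; not the patent's or any product's code."""
from dataclasses import dataclass, field


@dataclass
class CEMatrix:
    """Causes are rows, effects are columns, links are the marked cells.
    Each cause/effect tag maps to its shutdown level (or fire area), or None."""
    causes: dict = field(default_factory=dict)   # cause tag -> level name or None
    effects: dict = field(default_factory=dict)  # effect tag -> level name or None
    links: set = field(default_factory=set)      # (cause tag, effect tag) software connections

    def add_cause(self, tag, level=None):
        self.causes[tag] = level

    def add_effect(self, tag, level=None):
        self.effects[tag] = level

    def connect(self, cause, effect):
        """Make the 'software connection' between a cause row and an effect column."""
        if cause not in self.causes or effect not in self.effects:
            raise KeyError(f"unknown cause/effect: {cause} -> {effect}")
        self.links.add((cause, effect))

    def levels(self):
        names = set(self.causes.values()) | set(self.effects.values())
        return sorted(n for n in names if n is not None)

    def validate(self):
        """Engineering checks; an empty list means the matrix is consistent."""
        problems = []
        for tag, level in self.causes.items():
            if level is None:
                problems.append(f"cause {tag} has no shutdown level")
            if not any(c == tag for c, _ in self.links):
                problems.append(f"cause {tag} triggers no effect")
        for tag, level in self.effects.items():
            if level is None:
                problems.append(f"effect {tag} has no shutdown level")
        return problems

    def evaluate(self, active_causes):
        """Simulate the generated logic: an effect trips if a directly linked cause is
        active or if any cause in the effect's shutdown level is active."""
        active = set(active_causes)
        tripped_levels = {self.causes[c] for c in active if self.causes.get(c)}
        tripped = set()
        for e, level in self.effects.items():
            direct = any(c in active for c, eff in self.links if eff == e)
            if direct or level in tripped_levels:
                tripped.add(e)
        return tripped

    def to_structured_text(self):
        """Emit the intermediate control code, with one BOOL per shutdown level."""
        lines = ["PROGRAM CauseEffect", "VAR_INPUT"]
        lines += [f"  {c} : BOOL;" for c in sorted(self.causes)]
        lines += ["END_VAR", "VAR_OUTPUT"]
        lines += [f"  {e} : BOOL;" for e in sorted(self.effects)]
        lines += ["END_VAR", "VAR"]
        lines += [f"  {lv} : BOOL;" for lv in self.levels()]
        lines += ["END_VAR"]
        for lv in self.levels():  # level is the OR of the causes grouped into it
            members = sorted(c for c, l in self.causes.items() if l == lv)
            lines.append(f"{lv} := {' OR '.join(members) if members else 'FALSE'};")
        for e in sorted(self.effects):  # effect is the OR of its links and its level
            terms = sorted(c for c, eff in self.links if eff == e)
            if self.effects[e] is not None:
                terms.append(self.effects[e])
            lines.append(f"{e} := {' OR '.join(terms) if terms else 'FALSE'};")
        lines.append("END_PROGRAM")
        return "\n".join(lines)


def build_example():
    """Constructed sample matrix: one process shutdown level and one fire area."""
    m = CEMatrix()
    m.add_cause("LT_101_HH", level="SD_LEVEL_2")   # level transmitter high-high
    m.add_cause("PT_102_HH", level="SD_LEVEL_2")   # pressure transmitter high-high
    m.add_cause("GD_301_H", level="FIRE_AREA_1")   # gas detector high
    m.add_effect("XV_201_CLOSE", level="SD_LEVEL_2")
    m.add_effect("P_202_STOP", level="SD_LEVEL_2")
    m.add_effect("DELUGE_301_OPEN", level="FIRE_AREA_1")
    m.connect("LT_101_HH", "XV_201_CLOSE")
    m.connect("PT_102_HH", "P_202_STOP")
    m.connect("GD_301_H", "DELUGE_301_OPEN")
    return m


if __name__ == "__main__":
    matrix = build_example()
    print("problems:", matrix.validate())
    print("tripped by LT_101_HH:", sorted(matrix.evaluate({"LT_101_HH"})))
    print(matrix.to_structured_text())
```

Running the module prints the generated program; with LT_101_HH active, the direct link trips XV_201_CLOSE and the shared level SD_LEVEL_2 also trips P_202_STOP, while the fire area is untouched. Adding a cause without a level or without any link makes `validate()` report it, which is the check an engineer would want before the intermediate code is compiled and downloaded to the safety controller.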
When the control code has been designed or generated by a cause and effect editor or builder tool and the compiled code is running in a controller, the cause and effect matrix may be examined by operators or other users to examine the system and the relationships between the inputs (causes) and the alarms and outputs (effects). In some systems, the operator can see or otherwise get access to the values of the causes or effects in an online mode or online view of the cause and effect matrix. This assists the operator in investigating an event or alarm. However, to operate or configure a device, i.e. an output device such as the actuator or motor of an effect in the cause and effect matrix, operators and other users have to navigate through the safety system or industrial control system to select the device, which can be a lengthy and time-consuming process. In cases when time is limited, the time taken to investigate whether a device has tripped may be critical, and if the time is excessive it could lead to a partial or full process shutdown.