An industrial process, such as an installation for the extraction or production of oil and gas products, has a physical implementation comprising components such as devices and apparatuses for the operation, control, regulation and protection of the process. The industrial process also comprises systems for functionality, control and supervision. The result is a complex combination of systems and components. In the oil and gas industry, and in other process-industry contexts, it is necessary to protect people, the environment, process systems, subsystems and/or components. As part of the functions of the elements in the system, measurements of parameters such as currents, voltages, phases, temperatures and so on are made substantially continuously and may result in different safety scenarios, up to and including a plant shutdown.
The safety-related functions of the industrial system are performed by a dedicated safety system with inputs from safety devices and safeguarding outputs. Safety systems have been developed for the purpose of enabling safeguarding actions in reaction to safety events. Safety systems in industry are engineered to a general criterion that places strong emphasis on quality and verification. Such systems are typically not fully standard but are often purpose-built, and usually include various different devices and/or subsystems, software and communication protocols.
A safety system must perform very reliably, even more reliably than the process systems it protects; this means that a different standard of engineering must be used, with stronger emphasis on quality and verification. This approach is especially important if a customer is seeking Safety Integrity Level (SIL) classification of their safety system according to the standards relevant for that industry or branch, e.g. IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC/TR3 61510 RBMK nuclear reactors - Proposals for instrumentation and control, and IEC 61511 Functional safety - Safety instrumented systems for the process industry sector.
U.S. Pat. No. 5,361,198, entitled Compact work station control room and assigned to Combustion Engineering, describes a concept including a safety system comprising software, displays for input, a general safety system and hand-coded functions. US2007276514, entitled Method In A Safety System For Controlling A Process Or Equipment and assigned to ABB, describes an industrial safety system (ISS) and methods for controlling a process or equipment. The industrial safety system includes components with safety devices and enables signals to be generated as a result of an event or alarm. An automated link is created between the event or alarm and an action to be taken upon receipt of the signal generated by that event or alarm. This is done in part using a display or HMI associated with selection means for input. The structure of the system is a grid/matrix of related objects. The grid/matrix is a system of rows and columns, an interface and type of application often referred to as a Cause and Effect matrix or diagram. It is often built by manually entering information, or by importing one or more signal lists and/or cause and effect information in a worksheet or spreadsheet format, into a tool for editing a Cause and Effect matrix. The graphical user interface of the Cause and Effect matrix editor contains Causes arranged in horizontal rows and Effects arranged in vertical columns. A sensor device such as a level sensor provides an input signal, which is handled as a Cause. The Cause is represented in the matrix by a program logic component, which is a portion of control code, usually a standardized logic component held e.g. in a library, commonly in the form of a function block, control module or similar. This form of control code is often referred to as intermediate code, as it is computer program code which is not yet in a compiled form.
During an engineering phase, configuration is carried out with the Cause and Effect matrix editor to make a software connection between a Cause and an Effect. This has the effect of "software connecting" an input signal from, e.g., a level sensor to an output signal to an effect actuator for the planned event and safeguarding action. This may be thought of as the software connection of a signal path from an input device to a signal path to an output device (actuator, motor) providing the action or event. When the matrix has been configured, the Cause and Effect matrix editor converts the software connections between the program logic components of each cause and the program logic components of each effect into IEC 61131-3 control code generated from the matrix, usually in intermediate code. This IEC 61131-3 control code may then be compiled into executable computer code and downloaded into the memory of a safety controller of a safety system.
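The matrix-to-code step described above, as an added illustration that is not part of either cited patent or of any vendor's matrix editor: a constructed Cause and Effect matrix (the tag names LSHH_101, XV_201 and so on are invented for the example) is checked for rows and columns that connect to nothing and then turned into IEC 61131-3 Structured Text. The example assumes de-energize-to-trip polarity, i.e. a cause input reads TRUE while healthy and an effect output stays TRUE only while every connected cause is healthy, so that a broken wire or a missing signal reads as a trip demand; that polarity is an engineering assumption of the example, not something the text above prescribes.

```python
"""Added example: generate IEC 61131-3 Structured Text from a Cause and Effect matrix."""
from typing import Dict, List

Matrix = Dict[str, Dict[str, str]]  # cause tag -> {effect tag -> mark}

# Constructed sample matrix (invented tags, not from any real plant).
# Rows are causes, columns are effects, an "X" marks a software connection.
CAUSES = ["LSHH_101", "PSHH_102", "TSHH_103"]
EFFECTS = ["XV_201", "XV_202", "P_301"]
MATRIX: Matrix = {
    "LSHH_101": {"XV_201": "X", "XV_202": "X"},
    "PSHH_102": {"XV_201": "X", "P_301": "X"},
    "TSHH_103": {"P_301": "X"},
}


def _marked(mark: str) -> bool:
    return mark.strip().upper() == "X"


def check_matrix(matrix: Matrix, causes: List[str], effects: List[str]) -> List[str]:
    """Return a list of engineering problems found in the matrix (empty list = OK)."""
    problems: List[str] = []
    for cause, row in matrix.items():
        if cause not in causes:
            problems.append(f"unknown cause {cause}")
        for effect in row:
            if effect not in effects:
                problems.append(f"unknown effect {effect} in row {cause}")
    connected = {c for c, row in matrix.items() if any(_marked(m) for m in row.values())}
    for cause in causes:
        if cause not in connected:
            problems.append(f"cause {cause} is connected to no effect")
    used = {e for row in matrix.values() for e, m in row.items() if _marked(m)}
    for effect in effects:
        if effect not in used:
            problems.append(f"effect {effect} is connected to no cause")
    return problems


def effect_causes(matrix: Matrix, effects: List[str]) -> Dict[str, List[str]]:
    """Invert the matrix: for each effect column, the causes whose rows connect to it."""
    out: Dict[str, List[str]] = {e: [] for e in effects}
    for cause, row in matrix.items():
        for effect, mark in row.items():
            if _marked(mark):
                out[effect].append(cause)
    return out


def generate_st(matrix: Matrix, causes: List[str], effects: List[str],
                program: str = "ESD_LOGIC") -> str:
    """Emit an IEC 61131-3 ST program: one de-energize-to-trip assignment per effect."""
    problems = check_matrix(matrix, causes, effects)
    if problems:
        raise ValueError("; ".join(problems))
    by_effect = effect_causes(matrix, effects)
    lines = [f"PROGRAM {program}", "VAR_INPUT"]
    lines += [f"  {c} : BOOL; (* TRUE = healthy, FALSE = trip demand *)" for c in causes]
    lines += ["END_VAR", "VAR_OUTPUT"]
    lines += [f"  {e} : BOOL; (* TRUE = energized, FALSE = safe state *)" for e in effects]
    lines += ["END_VAR"]
    for effect in effects:
        lines.append(f"(* {effect} de-energizes when any of {', '.join(by_effect[effect])} trips *)")
        lines.append(f"{effect} := {' AND '.join(by_effect[effect])};")
    lines.append("END_PROGRAM")
    return "\n".join(lines) + "\n"


def evaluate(matrix: Matrix, effects: List[str], healthy: Dict[str, bool]) -> Dict[str, bool]:
    """Mirror the generated logic in Python so the polarity can be exercised offline.
    A cause absent from `healthy` (e.g. a lost signal) is treated as a trip demand."""
    by_effect = effect_causes(matrix, effects)
    return {e: all(healthy.get(c, False) for c in by_effect[e]) for e in effects}


if __name__ == "__main__":
    print(generate_st(MATRIX, CAUSES, EFFECTS))
```

Running the file prints the generated program; `evaluate` is there only so the fail-safe polarity can be checked without a controller: with all causes healthy every effect stays energized, and a single FALSE (or missing) cause de-energizes exactly the effects in its row.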
However, when generating IEC 61131-3 control code from a Cause and Effect matrix, the load per controller is often calculated manually, using an estimate or approximation based on the number of I/O signals multiplied by a factor related in some way to the complexity of the application. It may also be calculated from lists of the IEC 61131-3 function blocks used in the control code, or other measures for entities in other types of control code, by adding up their memory values and cycle times. Once the predicted loads have been calculated, the user can decide whether the load can be handled by the selected safety controller (or other device), or whether some control code can be added or should be relocated to another safety controller. The distribution of control code over several controllers is done manually today. This process takes time, it may produce results that were not predicted, and it presents opportunities for mistakes in manual inputs and manual calculations. In addition, distributing control code over several controllers creates a requirement for cross-communication between safety controllers running parts of the same control code. This safety controller cross-communication is also generally created manually.
For the emergency and process shutdown logic, shutdown levels are used. A shutdown level is a group of causes and effects, grouped together either by process section or by site area. A process section is a specific part of the process, and a site area is a specific location of a site, e.g. a hazardous area or a non-hazardous area. A typical shutdown level has a number of causes connected to it and trips the effects connected to it. Every cause and every effect should be connected to a shutdown level, and ideally to exactly one. For the Fire & Gas IEC 61131-3 logic, fire areas are used. A fire area is, for the fire and gas logic, the equivalent of a shutdown level in the emergency and process shutdown logic.
These shutdown levels and Fire and Gas areas are normally implemented manually within the control code. They are often part of known Cause and Effect diagram systems; however, although the control code is often generated automatically from the Cause and Effect diagram, the shutdown levels are normally not included in that generation, so that they have to be added to the control code by hand.
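The load estimation, controller distribution, cross-communication and shutdown-level bookkeeping described in the preceding paragraphs, as an added example that is not the method of either cited patent: it takes the "sum of function-block memory values and cycle times" approach from the text, places whole shutdown levels onto controllers first-fit, and then derives the cross-controller signals that the placement forces and charges their cost back to both ends. The per-block costs, controller capacities, tag names, shutdown levels and the cross-level link are all constructed (hypothetical) values chosen so that two levels do not fit on one controller.

```python
"""Added example: per-controller load estimate, shutdown-level placement and cross-comm signals."""
from typing import Dict, List, Tuple

Cost = Tuple[int, int]  # (memory in bytes, cycle time in microseconds) - constructed units

# Hypothetical cost per IEC 61131-3 function block type; real values come from the vendor.
FB_COST: Dict[str, Cost] = {
    "CauseIn": (64, 5),        # one per cause: input handling, voting, bypass
    "EffectOut": (96, 8),      # one per effect: output handling, latch/reset
    "ShutdownLevel": (48, 4),  # one per shutdown level
    "CrossComm": (128, 12),    # one at each end of a signal crossing a controller boundary
}

# Hypothetical controller capacities: (memory bytes, cycle-time budget per scan in us).
CONTROLLERS: Dict[str, Cost] = {"SC1": (512, 100), "SC2": (512, 100)}

# Constructed shutdown levels (invented tags). Each cause/effect should be in exactly one.
CAUSES = ["LSHH_101", "PSHH_102", "TSHH_103", "FSLL_104"]
EFFECTS = ["XV_201", "XV_202", "P_301", "P_302"]
LEVELS = {
    "SL_A": {"causes": ["LSHH_101", "PSHH_102"], "effects": ["XV_201", "XV_202"]},
    "SL_B": {"causes": ["TSHH_103", "FSLL_104"], "effects": ["P_301", "P_302"]},
}
# A cause in one level that also trips an effect in another level (constructed).
LINKS = [("PSHH_102", "P_301")]


def check_levels(levels, causes: List[str], effects: List[str]) -> List[str]:
    """Every cause and effect must belong to exactly one shutdown level."""
    problems = []
    for kind, names in (("causes", causes), ("effects", effects)):
        for name in names:
            owners = [lv for lv, members in levels.items() if name in members[kind]]
            if len(owners) != 1:
                problems.append(f"{name} is in {len(owners)} shutdown levels {owners}, expected 1")
    return problems


def level_load(level, fb_cost: Dict[str, Cost] = FB_COST) -> Cost:
    """Sum memory and cycle time of the blocks a level needs, as the text describes."""
    counts = {"CauseIn": len(level["causes"]), "EffectOut": len(level["effects"]), "ShutdownLevel": 1}
    mem = sum(n * fb_cost[fb][0] for fb, n in counts.items())
    cyc = sum(n * fb_cost[fb][1] for fb, n in counts.items())
    return mem, cyc


def owner_level(levels, name: str) -> str:
    for lv, members in levels.items():
        if name in members["causes"] or name in members["effects"]:
            return lv
    raise KeyError(f"{name} belongs to no shutdown level")


def place_levels(levels, controllers: Dict[str, Cost], links, fb_cost: Dict[str, Cost] = FB_COST):
    """First-fit-decreasing placement of whole shutdown levels onto controllers.
    Returns (placement, loads, cross_signals, overloaded_controllers)."""
    loads = {c: [0, 0] for c in controllers}
    placement: Dict[str, str] = {}
    for lv in sorted(levels, key=lambda l: level_load(levels[l], fb_cost)[0], reverse=True):
        mem, cyc = level_load(levels[lv], fb_cost)
        for ctrl, (cap_mem, cap_cyc) in controllers.items():
            if loads[ctrl][0] + mem <= cap_mem and loads[ctrl][1] + cyc <= cap_cyc:
                placement[lv] = ctrl
                loads[ctrl][0] += mem
                loads[ctrl][1] += cyc
                break
        else:
            raise ValueError(f"no controller can hold {lv} ({mem} B, {cyc} us)")
    # A cause->effect link whose ends landed on different controllers needs cross-communication;
    # the CrossComm block costs memory and cycle time on BOTH controllers, so re-check afterwards.
    signals: List[Tuple[str, str, str]] = []
    for cause, effect in links:
        src = placement[owner_level(levels, cause)]
        dst = placement[owner_level(levels, effect)]
        if src != dst:
            signals.append((cause, src, dst))
            for ctrl in (src, dst):
                loads[ctrl][0] += fb_cost["CrossComm"][0]
                loads[ctrl][1] += fb_cost["CrossComm"][1]
    overloaded = [c for c, (m, cy) in loads.items() if m > controllers[c][0] or cy > controllers[c][1]]
    return placement, {c: (m, cy) for c, (m, cy) in loads.items()}, signals, overloaded


if __name__ == "__main__":
    print("level problems:", check_levels(LEVELS, CAUSES, EFFECTS))
    print(place_levels(LEVELS, CONTROLLERS, LINKS))
```

The point the example makes is the one the text raises: the cross-communication a placement creates is itself a load that was not in the first estimate, so a controller that "fits" before the links are resolved can be overloaded afterwards, and the placement must be re-checked (here it is reported in the last element of the result) rather than assumed.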