increase risk is also retained. None of the later stage benefits related to software and systematic issues, formal validation, FSA etc., are considered. However, the impact on schedule is minimised. Maybe this is why this hybrid compromise is the most popular!

SCHEME 3 - API DESIGN BUT WITH PRE-DEFINED INTEGRITY LEVEL REQUIREMENTS PLUS VALIDATION

As an example of this approach, I have seen specifications that state that all safety functions must meet SIL2 and then also often identify one or two additional named functions for SIL3 (e.g. flare drums, HIPPS). This really is the least beneficial type of hybrid, since it rejects the risk-based concept of IEC61511 completely as well as missing out the critically important later stages related to software and systematic faults. Further, these specifications rarely go on to define what is meant by safety functions. A typical SIS will contain a large number of functions (maybe 50% of the SIS functionality) that are not safety related at all. They are "housekeeping" trips consequential to a safety trip, which are placed in the SIS for convenience. This must be clarified at an early stage to avoid confusion and dispute over the SIS design.

This approach will at least have the benefit of specifying performance standards for the equipment via the SIL.

What will result from this type of hybrid is a SIS that is even larger and more complex than the base regulatory design, and this approach should be avoided whenever possible. If it is required to implement any content of IEC61511, it should, as a minimum, include the hazard identification and risk assessment phases.

POTENTIAL BENEFITS FROM HYBRID SCHEMES 1 & 2

Although the design that results from a hybrid is not the optimum that should result from a regulatory IEC61511 approach, schemes 1 and 2 do bring benefits, some of which have already been discussed. These include:

- Understanding of high risk plant areas and maybe even reconsideration of process/mechanical design to reduce risk (inherently safer design)
- Performance standards specified for equipment
- Fault tolerance in design for high risk SIFs
- Attention to systematic faults (scheme 1)
- Competency is considered (certainly for scheme 1 and to a lesser degree for scheme 2)

Further, it may be possible to open dialogue with the regulatory authority with regard to testing frequency. This is certainly feasible for scheme 1 (full lifecycle), although the argument diminishes as the extent of the applied lifecycle is reduced. For instance, it is hard to argue for reduced testing if software and systematic faults have not been addressed.