
POTENTIAL BENEFITS FROM HYBRID SCHEME 3

The only benefit is the specification of performance requirements for the equipment via the SIL, but this is probably outweighed by the significantly increased complexity of the overall SIS and its associated testing load.

For all of these approaches it is important to realise that, because the functions required by API RP14C are implemented, the SIS is much larger and more complex than it would be if based on IEC61511 for safety SIFs at SIL1 or above; this may well be by a factor of 3 or more. It is also fundamental to remember that, since IEC61511 is not a regulatory requirement, deviations from the standard can be agreed between the operator and the designer. These can include a reduction in achieved SIL compared to assessed SIL, less rigorously enforced validation, special consideration for packages, etc.

ASSET PROTECTION AND ITS EFFECT ON SIS SIZE FOR IEC61511 PROJECTS

The implementation of asset protection in the SIS is also a form of hybrid design when the regulatory design basis is IEC61511 (most asset protection is inherently provided in an API RP14C design, so asset protection does not have a significant impact if the design basis is API). Asset protection is not generally part of the regulatory basis for a plant, since it is a user cost/benefit exercise. However, its implementation is often a contract requirement on IEC61511 projects, and the implementation methodology is usually addressed via a reference to IEC61511. Understanding the implementation basis in relation to IEC61511 is important in order to fully define the asset protection scope and responsibilities. Its implementation can significantly affect the design and size of the SIS and result in uncertainty about the SIS implementation. Two main issues are addressed here: the basis of asset integrity level assessment, and the separation of safety and asset functions into different systems.
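The first of these issues, the assessment basis, is discussed in the following paragraphs: the yearly cost of owning a protection loop (CAPEX discounted over the project life plus testing and maintenance OPEX) sets the floor for the tolerable financial loss per hazard per year, and the risk graph or LOPA is then calibrated so that only hazards whose expected annual loss exceeds that floor earn a SIL-rated function. The Python below is an added worked example of that calibration; it is not code or data from the paper. The loop cost, hazard frequencies, consequence costs and IPL credits are constructed figures, the CAPEX annuity uses a standard capital recovery factor, and the SIL bands are the IEC 61511 low-demand risk reduction bands (10-100, 100-1000, 1000-10000).

```python
"""Calibrating an asset-protection LOPA to a tolerable financial loss.

Added worked example; not code or data from the original paper.
All costs, frequencies and IPL credits below are constructed figures.
"""
from dataclasses import dataclass, field


def annualised_cost(capex, opex_per_year, project_life_years, discount_rate):
    """Typical yearly cost of owning one protection loop.

    CAPEX is spread over the project life as an annuity at the given discount
    rate (capital recovery factor); a zero rate degenerates to straight-line
    capex/life. Yearly OPEX (proof testing, maintenance) is added on top.
    The result is the floor for the tolerable financial loss per hazard per
    year: a loop that costs more per year than the loss it prevents is not
    worth fitting.
    """
    if project_life_years <= 0:
        raise ValueError("project life must be positive")
    if discount_rate == 0:
        capital = capex / project_life_years
    else:
        r = discount_rate
        capital = capex * r / (1 - (1 + r) ** -project_life_years)
    return capital + opex_per_year


@dataclass
class Scenario:
    """One hazard scenario as it would appear on a LOPA sheet."""
    name: str
    initiating_freq: float      # initiating events per year
    loss_if_realised: float     # consequence cost in $ (asset damage, lost production)
    ipl_pfds: list = field(default_factory=list)  # PFD of each credited non-SIS IPL


def unmitigated_annual_loss(s: Scenario) -> float:
    """Expected $/year with only the credited non-SIS layers in place."""
    pfd_product = 1.0
    for pfd in s.ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"bad IPL PFD {pfd} in {s.name}")
        pfd_product *= pfd
    return s.initiating_freq * pfd_product * s.loss_if_realised


def required_rrf(s: Scenario, tolerable_loss: float) -> float:
    """Risk reduction factor the SIF must deliver to bring the expected loss
    down to the tolerable figure. Below 1.0 the hazard is already tolerable."""
    return unmitigated_annual_loss(s) / tolerable_loss


def sil_band(rrf: float) -> int:
    """Map a required RRF to the IEC 61511 low-demand SIL bands
    (SIL1: RRF 10-100, SIL2: 100-1000, SIL3: 1000-10000, SIL4: above).
    Returns 0 when RRF < 10, i.e. no SIL-rated function is justified and
    cheaper non-SIS measures (or nothing) should be considered instead."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    if rrf < 10_000:
        return 3
    return 4


def assess(scenarios, tolerable_loss):
    """Return {name: (expected_loss_per_year, required_rrf, sil_band)}."""
    result = {}
    for s in scenarios:
        rrf = required_rrf(s, tolerable_loss)
        result[s.name] = (unmitigated_annual_loss(s), rrf, sil_band(rrf))
    return result


# Generic loop cost (constructed): $50k CAPEX over a 20-year life at 8%,
# plus $5k/year testing and maintenance. Comes out close to $10k pa.
TOLERABLE_LOSS = annualised_cost(50_000, 5_000, 20, 0.08)

# Constructed scenarios, not taken from any real plant.
SAMPLE_SCENARIOS = [
    Scenario("compressor seal failure", 1.0, 5_000_000, [0.1]),   # BPCS alarm + operator credited
    Scenario("turbine overspeed damage", 0.5, 20_000_000, []),
    Scenario("pump cavitation wear", 0.05, 100_000, [0.1]),
]

if __name__ == "__main__":
    print(f"tolerable financial loss: ${TOLERABLE_LOSS:,.0f} per hazard per year")
    for name, (loss, rrf, sil) in assess(SAMPLE_SCENARIOS, TOLERABLE_LOSS).items():
        verdict = f"SIL{sil}" if sil else "no SIL-rated SIF justified"
        print(f"{name:28s} expected loss ${loss:>12,.0f}/yr  RRF {rrf:8.1f}  -> {verdict}")
```

Running it shows the three outcomes the calibration is meant to separate: the seal-failure case needs roughly a 50x reduction and lands in SIL1, the overspeed case needs roughly 1000x and lands in SIL2, and the cavitation case has an expected loss below the $10k floor, so fitting a SIL-rated loop would cost more than it saves. Changing the discount rate or project life moves the floor and can shift a marginal scenario across a band boundary, which is exactly why the basis has to be defined and agreed before any risk graph is used.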

The first stage is to define and understand the assessment basis for asset protection. As with personnel safety, the assessment basis must reflect a defined and demonstrated level of tolerable risk. Too often this is ignored when deciding the basis for asset integrity level assessment, and an almost arbitrary risk graph is used without true understanding of its implications. If we are to keep a link to the principles of IEC61511 (an approach based on orders of magnitude of risk reduction rather than a true cost/benefit analysis), then we need to start by defining the equivalent of tolerable safety risk: the tolerable financial loss per hazard per year. One way to start is to look at the typical cost per year of the protection function (CAPEX and OPEX) if it were to be implemented. Clearly, the annual loss one is protecting against must be greater than this. Since at the assessment phase we do not know what integrity level is required, and given that the cost of the protection function is quite variable, this number needs to be some average generic cost. We could, for instance, start with something like $10k pa, covering the CAPEX of the protection loop equipment discounted over the project life plus the annual costs of testing, maintenance, etc. The risk graph or LOPA can then be calibrated to deliver this tolerable financial risk. If this more analytical approach is taken to defining and