Safety and environmental standards for fuel storage sites
Final report
continue to perform at the right level, but also that the overall performance of the management
system remains at the right level. Whatever the details, the auditing needs to address the following
questions:
■ How can the performance of this protection layer be degraded?
■ What needs to be checked to make sure that the performance has not degraded?
■ How often do the checks need to be carried out?
■ How can it be confirmed that all the required audits are being carried out with sufficient rigour?
87 For example, routine inspection, testing and maintenance of a level sensor may provide
assurance that the sensor will continue to operate, and likewise for the final element. Where
people are involved in the protection layer, an ongoing means of demonstrating their performance
against defined criteria will need to be developed. This may involve a combination of management
system checks (eg by verifying training records and confirming that key documents are available
and up-to-date) and observed practical tests (eg carrying out emergency exercises, testing
communications arrangements and reviewing the presentation of information by instrumentation
systems). Additionally, some form of testing that is analogous to the functional test required for
hardware systems should be developed. Regardless of the details for a specific protection layer, it
is essential that records of the various ‘audits’ are retained for future examination and reference.
Prevention layers
General process design
88 An underlying assumption is that the storage tanks being studied by the LOPA are capable
of producing the hazard in question by complying with the scope requirements. This does
not mean that tanks outside the scope present no risk, but these other risks have not been
specifically considered in developing this guidance. For example, if the tank is equipped with an
overflow arrangement which precludes the formation of a vapour cloud, this would take the tank
outside the scope of this guidance. However, even if the tank has an overflow arrangement which
prevents the formation of a large vapour cloud from a liquid cascade, significant safety hazards
may still arise from the evaporation and ignition of a liquid pool in the bund, and significant
environmental hazards may arise if the liquid leaks through the walls or floor of the bund. The
guidance in this report may assist in the assessment of these scenarios.
89 Issues to do with the mode of operation of the tank (eg typical parcel sizes for filling, normal
operating levels) are accounted for as enabling events and conditions forming part of the initiating
event (see paragraphs 54–76).
The basic process control system as a protection layer
90 It may be possible to take credit for the BPCS as a protection layer if sufficient independence
can be demonstrated between the required functionality of the BPCS in the protection layer
and any other protection layer and the initiating event. Clauses 9.4 and 9.5 of BS EN 61511-1
and BS EN 61511-2 present the requirements on the BPCS when used as a protection layer. In
particular, BS EN 61511-1 9.5.1 states:
‘The design of the protection layers shall be assessed to ensure that the likelihood of
common cause, common mode and dependent failures between protection layers and
between protection layers and the BPCS are sufficiently low in comparison to the overall
safety integrity requirement of the protection layers. This assessment may be qualitative or
quantitative.’
91 The demonstration of independence is most straightforward if the initiating event does not
involve a failure of the BPCS, eg if the initiating event involves misrouting flow to the storage tank
and there is sufficient independence between the person making the routing error and the person
controlling the filling of the tank.
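The independence argument in paragraphs 90 and 91 can be screened qualitatively by listing what the initiating event and each protection layer depend on and looking for shared elements. The following is an added example, not part of the report or of BS EN 61511; the shared-element rule is a conservative assumption, and all layer names, tag numbers and roles are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    """An initiating event or a protection layer in one LOPA scenario."""
    name: str
    depends_on: frozenset  # sensors, logic solvers, final elements, people (constructed names)

def screen_independence(initiating_event, layers):
    """Return {layer name: (creditable, reasons)} under a conservative rule.

    A layer is not credited if it shares any dependency with the initiating
    event, or with a layer already credited earlier in the list.
    """
    results = {}
    credited = []
    for layer in layers:
        reasons = []
        shared = layer.depends_on & initiating_event.depends_on
        if shared:
            reasons.append(f"shares {sorted(shared)} with initiating event '{initiating_event.name}'")
        for other in credited:
            shared = layer.depends_on & other.depends_on
            if shared:
                reasons.append(f"shares {sorted(shared)} with layer '{other.name}'")
        if not reasons:
            credited.append(layer)
        results[layer.name] = (not reasons, reasons)
    return results

# Constructed scenarios following paragraph 91 (tags and roles are illustrative only)
BPCS_LAYER = Element("BPCS high level alarm and operator response",
                     frozenset({"level gauge LT-1", "BPCS controller", "filling operator"}))
TRIP_SEPARATE = Element("high-high level trip",
                        frozenset({"level switch LS-2", "trip logic solver", "inlet valve"}))
TRIP_SHARED = Element("high-high level trip (shared gauge)",
                      frozenset({"level gauge LT-1", "trip logic solver", "inlet valve"}))
MISROUTE_OTHER_PERSON = Element("flow misrouted to tank", frozenset({"routing operator"}))
MISROUTE_SAME_PERSON = Element("flow misrouted to tank", frozenset({"filling operator"}))
GAUGE_FAILURE = Element("level gauge fails", frozenset({"level gauge LT-1"}))

if __name__ == "__main__":
    for ie, layers in [(MISROUTE_OTHER_PERSON, [BPCS_LAYER, TRIP_SEPARATE]),
                       (MISROUTE_SAME_PERSON, [BPCS_LAYER, TRIP_SEPARATE]),
                       (GAUGE_FAILURE, [BPCS_LAYER, TRIP_SHARED])]:
        print(ie.name, sorted(ie.depends_on))
        for name, (ok, why) in screen_independence(ie, layers).items():
            print("  ", "CREDIT" if ok else "NO CREDIT", name, "; ".join(why))
```

A layer flagged here is a prompt for the fuller qualitative or quantitative assessment the standard asks for, not a final verdict.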




