
Safety and environmental standards for fuel storage sites

Final report


92 If the initiating event involves a failure of part of the BPCS, the simplest approach under a LOPA would be to discount any further protection layer operating through the BPCS. Some analysts may consider this approach excessively conservative for their situation. However, other analysts and some operating companies are known to apply this approach because of the difficulties associated with making the required demonstrations. Annex 5 gives further guidance on the level of independence required where more than one function is delivered through the BPCS.

93 Claims for risk reduction achieved by the BPCS should meet the requirements of BS EN 61511-1 and 61511-2 (eg clauses 9.4, 9.5 and 11.2).

Response to alarms

94 Dutyholders should review and where necessary revise the settings of the level alarms on their tanks in accordance with Appendix 3. Where the alarm settings meet the requirements, it is considered legitimate to consider operator response as a protection layer under suitable conditions.

95 Where process alarms are delivered through the BPCS, consult Annex 5 for further guidance on independence when credit is being claimed for more than one function implemented through the BPCS. The analysis should meet the requirements of BS EN 61511-1 (for example clauses 9.4, 9.5 and 11.2).

96 The wider considerations of operator response to alarms are discussed in Annex 8. Where the alarm is delivered through the BPCS, the risk reduction factor of the alarm layer should be limited to at best 10 in accordance with BS EN 61511-1 clause 9.4.2.

97 As with other protection layers, the alarm itself is only part of the protection layer. The full protection layer needs to include the alarm, the operator, the machine-operator interface, any communications systems (if communications between operators is required to deliver the required alarm function) and a final element. For the response to the alarm to be included as a protection layer, the following requirements should be met:

- The alarm protection layer should not include any failed component of it which is part of an initiating event. Therefore:
  – if the initiating event is due to a failure of the tank gauge, it would not be legitimate to rely on an alarm generated by the same tank gauge;
  – if the initiating event involves the failure of a valve or pump to stop on demand, the alarm protection layer cannot rely on the same valve or pump to bring the transfer to a stop.
- There must be sufficient time for the transfer to be brought safely to a halt.
- Where the initiating event is a failure within the BPCS and the alarm system uses the same BPCS, credit for the alarm may only be taken if sufficient independence can be shown between the alarm function and the failed BPCS elements (see Annex 5).

Safety instrumented systems

98 In LOPA studies, the normal convention is that the need for SIS is determined when all other protection layers have been considered. If an existing SIS complies with BS EN 61511 then a reliability performance consistent with the SIL-rating of the SIS and its design and operation can be claimed. If any ‘instrumented protection’ does not comply with BS EN 61511 then a risk reduction factor of no greater than 10 can be claimed for it. However, experience has shown that it is unlikely that an instrumented protection system that does not comply with BS EN 61511 would have a reliability assessment associated with it, and therefore an assessment would have to be made to determine the performance level that could be claimed.
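
As an added illustration (not part of the report), the following Python sketch applies the crediting rules of paragraphs 92 and 96 to 98 to a constructed overfill scenario and returns the risk reduction factor (RRF) each layer may claim. The class and field names, component names, times and claimed RRF values are assumptions made for the example; an RRF of 1 means no credit.

```python
import math
from dataclasses import dataclass

RRF_CAP = 10  # ceiling stated in paragraphs 96 and 98

@dataclass(frozen=True)
class Event:  # initiating event; field names are assumptions
    failed: frozenset             # components whose failure starts the scenario
    bpcs_failure: bool = False    # initiating event is a failure within the BPCS
    minutes_available: float = 0  # time left before overfill once the alarm sounds

@dataclass(frozen=True)
class Layer:  # candidate protection layer; field names are assumptions
    name: str
    kind: str                     # "alarm" or "instrumented"
    claimed_rrf: float
    components: frozenset         # everything the layer needs, incl. final element
    via_bpcs: bool = False
    en61511_compliant: bool = False
    independence_shown: bool = False  # Annex 5 demonstration has been made
    minutes_to_stop: float = 0        # alarms: time needed to halt the transfer

def credit(layer, event):
    """Return (allowed RRF, reason); an RRF of 1 means no credit."""
    shared = layer.components & event.failed
    if shared:
        return 1, "relies on failed component: " + ", ".join(sorted(shared))
    if event.bpcs_failure and layer.via_bpcs and not layer.independence_shown:
        return 1, "runs through the failed BPCS, independence not shown"
    if layer.kind == "alarm" and layer.minutes_to_stop > event.minutes_available:
        return 1, "not enough time to halt the transfer"
    capped = (layer.kind == "alarm" and layer.via_bpcs) or (
        layer.kind == "instrumented" and not layer.en61511_compliant)
    if capped and layer.claimed_rrf > RRF_CAP:
        return RRF_CAP, "claim capped at 10"
    return layer.claimed_rrf, "claim accepted"

def total_rrf(layers, event):
    return math.prod(credit(layer, event)[0] for layer in layers)

# Constructed scenario: the inlet valve fails to close on demand.
EVENT = Event(failed=frozenset({"inlet_valve"}), minutes_available=20)
LAYERS = [
    Layer("high alarm, operator closes inlet valve", "alarm", 10,
          frozenset({"gauge", "operator", "inlet_valve"}), via_bpcs=True, minutes_to_stop=10),
    Layer("high-high alarm, operator stops pump", "alarm", 50,
          frozenset({"level_switch", "operator", "pump"}), via_bpcs=True, minutes_to_stop=10),
    Layer("legacy overfill trip", "instrumented", 100,
          frozenset({"trip_switch", "esd_valve"})),
]
```

In this scenario the first alarm earns no credit because it depends on the failed valve, and the other two claims are each cut to 10, so the defensible total is 100 rather than the 50,000 the raw claims would suggest.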

Other safety-related protection systems

99 It is possible to argue that some other protection layers can be considered so long as they meet the requirement for a protection layer set out in paragraphs 77–87 of this appendix. Such protection layers are referred to as ‘other technology’ in BS EN 61511 and are not subject to the performance limits required by BS EN 61511, eg pressure relief valves.