Safety and environmental standards for fuel storage sites

Final report

Figure 27

Human action

177 The human task of controlling the filling operation so that it stops at the intended level is represented in Figure 27 by the letter 'H'. By definition this task only occurs while the tank is being filled, so the opportunity for the error of allowing the tank to overflow can only arise during filling. Because the task is tied directly to the period in which the filling operation takes place, the concept of time at risk does not apply: the occurrence of the filling operation and the possibility of error are not independent but linked.

178 Note that an important distinction between human failure in carrying out a task and the equipment failures described above is that human failure is characterised by a probability per event (per demand), which is dimensionless, whereas equipment failure is characterised by a failure rate, typically with dimensions of per year.

Conclusion

179 The generalisation is therefore that 'time at risk' (the proportion of the year for which the filling operation is in progress) is relevant to equipment failures that can occur at any time during the year, subject to the caveat that a failure occurring before the filling operation may be detected before it causes overfilling. Conversely, for any failure such as human error that is directly related to a task which only occurs as part of the tank filling operation, the 'time at risk' factor should not be used.
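The following is an added worked example, not part of the report, that puts paragraphs 177 to 179 into numbers. It models a level-control equipment failure, which can occur at any time and so is scaled by the time-at-risk fraction (with a detection term for the caveat in paragraph 179), against an operator error that can only occur on a fill and is therefore demands per year times a dimensionless probability per demand. The parameter values (50 fills per year of 8 hours, a failure rate of 0.1 per year, a 0.9 probability that a dormant failure is found before the next fill, an error probability of 0.01 per fill) are constructed assumptions for illustration, and the evenly spaced fills and immediate repair in the Monte Carlo check are also assumptions.

```python
import random

HOURS_PER_YEAR = 8760.0


def time_at_risk(fills_per_year, fill_duration_hours):
    """Fraction of the year during which the tank is being filled."""
    return fills_per_year * fill_duration_hours / HOURS_PER_YEAR


def equipment_initiating_frequency(failure_rate_per_year, time_at_risk_fraction,
                                   p_detected_before_fill):
    """Overfill initiating-event frequency (per year) from an equipment failure.

    The failure can occur at any time. A failure during a fill (fraction
    time_at_risk_fraction of the year) leads straight to an overfill. A failure
    outside filling only matters if it is NOT found before the next fill; this is
    the detection caveat, and p_detected_before_fill is an assumed probability
    that such a dormant failure is revealed and repaired first.
    With p_detected_before_fill = 1 this reduces to rate x time at risk;
    with 0 every failure eventually causes an overfill and time at risk drops out.
    """
    f = time_at_risk_fraction
    return failure_rate_per_year * (f + (1.0 - f) * (1.0 - p_detected_before_fill))


def human_error_initiating_frequency(fills_per_year, p_error_per_fill):
    """Overfill initiating-event frequency (per year) from the operator failing
    to stop the fill. The error can only happen on a fill, so the frequency is
    demands per year times a dimensionless probability per demand. No
    time-at-risk factor is applied."""
    return fills_per_year * p_error_per_fill


def simulate(fills_per_year, fill_duration_hours, failure_rate_per_year,
             p_detected_before_fill, p_error_per_fill, years=20000, seed=1):
    """Monte Carlo check of the two formulas over the given number of years.
    Assumptions: fills are evenly spaced through the year and failed equipment
    is restored immediately after each failure. Returns (equipment_rate,
    human_rate) in overfill initiating events per year."""
    rng = random.Random(seed)
    interval = 1.0 / fills_per_year                 # years between fill starts
    duration = fill_duration_hours / HOURS_PER_YEAR  # fill length in years
    equipment_overfills = 0
    human_overfills = 0
    for _ in range(years):
        # Equipment failures arrive as a Poisson process at any time of year.
        t = rng.expovariate(failure_rate_per_year)
        while t < 1.0:
            if t % interval < duration:             # failed while filling
                equipment_overfills += 1
            elif rng.random() > p_detected_before_fill:  # dormant until next fill
                equipment_overfills += 1
            t += rng.expovariate(failure_rate_per_year)
        # Human error is only possible on each fill (a demand), never between.
        for _ in range(fills_per_year):
            if rng.random() < p_error_per_fill:
                human_overfills += 1
    return equipment_overfills / years, human_overfills / years


if __name__ == "__main__":
    f = time_at_risk(50, 8)
    print("time at risk fraction:", round(f, 4))
    print("equipment, formula:", equipment_initiating_frequency(0.1, f, 0.9))
    print("human error, formula:", human_error_initiating_frequency(50, 0.01))
    print("simulated (equipment, human):", simulate(50, 8, 0.1, 0.9, 0.01))
```

The dimensional point in paragraph 178 is visible in the two functions: the equipment formula multiplies a rate (per year) by dimensionless fractions and returns a rate, while the human-error formula multiplies a count of demands per year by a dimensionless probability. Setting the detection probability to 1 recovers the plain time-at-risk form; setting it to 0 shows why the caveat matters, since every dormant failure then waits for the next fill.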

Annex 5 The BPCS as an initiating event and as a protection layer

180 The authoritative requirements and guidance on initiating events and the independence of BPCS-based layers of protection are given in BS EN 61511. The CCPS guidance on LOPA presents two approaches for the application of LOPA. Approach 'A' generally meets the requirements of BS EN 61511. The following guidance emphasises that the normative requirements for assessing independence are those described in BS EN 61511 and that this guidance is intended to indicate the issues involved in making such an assessment.

181 In a simple LOPA using a conservative approach, unless there is complete independence in how the basic process control functions are implemented through the BPCS, no credit can be taken for any risk reduction provided by a control or alarm function implemented through the BPCS as a protection layer if a BPCS failure also forms part of the initiating event. This conservative approach may be relaxed if it can be demonstrated that there is sufficient independence to allow credit to be taken for both. The issue is discussed in Sections 9.4 and 9.5 of BS EN 61511-1 and BS EN 61511-2, and the reader is referred to these sources for a more detailed discussion. Systematic factors such as security, software, design errors and human factors should also be considered.

Programmable electronic systems

182 Credit can be given to more than one control function implemented through the BPCS where there is sufficient, rather than complete, independence between each function. With regard to any programmable electronic systems that are part of the BPCS, the following requirements, which may not be exhaustive, should be met.

There should be formal access control and security procedures for modifying the BPCS. The access control procedures should ensure that programming changes are only made by trained and competent personnel. The security procedures should prevent unauthorised changes and should also ensure software security, in particular by minimising the potential for a virus to be introduced into and infect the BPCS.
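The following is an added example, not taken from the report or from BS EN 61511, showing how the crediting rule of paragraphs 181 and 182 can be applied mechanically in a LOPA calculation: a BPCS-implemented control or alarm layer is dropped from the credit whenever a BPCS failure forms part of the initiating event, unless sufficient independence has been demonstrated, which is an input to the calculation rather than something the code judges. The two scenarios, their frequencies and the PFD values are constructed for illustration; the independent high-high trip is assumed to be a separate safety instrumented function.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float              # probability of failure on demand, dimensionless
    in_bpcs: bool = False   # implemented through the BPCS


@dataclass(frozen=True)
class Scenario:
    initiating_event: str
    frequency_per_year: float
    initiated_by_bpcs: bool  # a BPCS failure forms part of the initiating event
    layers: tuple


def creditable_layers(scenario, bpcs_independence_demonstrated=False):
    """Split the scenario's layers into (credited, excluded).

    Conservative rule: if a BPCS failure is part of the initiating event, no
    BPCS-implemented layer is credited. The rule is relaxed only when the caller
    states that sufficient independence has been demonstrated; whether it has
    is an engineering assessment outside this function."""
    credited, excluded = [], []
    for layer in scenario.layers:
        if (layer.in_bpcs and scenario.initiated_by_bpcs
                and not bpcs_independence_demonstrated):
            excluded.append(layer)
        else:
            credited.append(layer)
    return credited, excluded


def mitigated_frequency(scenario, bpcs_independence_demonstrated=False):
    """Initiating-event frequency multiplied by the PFD of each credited layer."""
    credited, _ = creditable_layers(scenario, bpcs_independence_demonstrated)
    freq = scenario.frequency_per_year
    for layer in credited:
        freq *= layer.pfd
    return freq


# Constructed layers (assumed values, not from the report).
BPCS_ALARM = ProtectionLayer("BPCS high level alarm with operator response", 0.1, in_bpcs=True)
SIS_TRIP = ProtectionLayer("independent high-high level trip", 0.01)

# Scenario 1: the BPCS level control loop itself fails to stop the transfer.
BPCS_INITIATED = Scenario("BPCS level control fails to stop transfer", 0.1, True,
                          (BPCS_ALARM, SIS_TRIP))
# Scenario 2: the operator sets the wrong stop level; the BPCS is not at fault.
HUMAN_INITIATED = Scenario("operator enters wrong stop level", 0.5, False,
                           (BPCS_ALARM, SIS_TRIP))


if __name__ == "__main__":
    for scenario in (BPCS_INITIATED, HUMAN_INITIATED):
        credited, excluded = creditable_layers(scenario)
        print(scenario.initiating_event)
        print("  credited:", [l.name for l in credited])
        print("  excluded:", [l.name for l in excluded])
        print("  conservative:", mitigated_frequency(scenario))
        print("  with demonstrated independence:",
              mitigated_frequency(scenario, bpcs_independence_demonstrated=True))
```

For the BPCS-initiated scenario the conservative result credits only the independent trip (0.1 x 0.01 = 1e-3 per year); the relaxed result, available only once independence has been demonstrated per BS EN 61511, also credits the alarm (1e-4 per year). For the human-initiated scenario the BPCS alarm is credited in both cases because the BPCS is not part of the initiating event.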

[Figure 27: timeline from January to December showing the periods when the plant is operational and the periods of tank filling, with the human filling-control action 'H' occurring only during tank filling]