Safety and environmental standards for fuel storage sites

Final report

117

There should be an operating procedure which clearly defines the action to be taken if the control screen goes blank, a workstation ‘freezes’, or there are other signs that the programmable device has stopped working correctly during a filling operation.

A back-up power supply should be available in case the main power supply is lost. The back-up system should give a clear indication when it is being used. The capacity of the back-up supply should be sufficient to allow emergency actions to be taken and these actions should be specified in a written procedure. The back-up power supply must be regularly maintained in accordance with a written procedure to demonstrate its continuing effectiveness.

The sensors and final elements should be independent for credit to be given to more than one control function. This is because operating experience shows that sensors and final elements typically make the biggest contribution to the failure rate of a BPCS.

BPCS I/O cards should be independent for credit to be given to more than one control function unless sufficient reliability can be demonstrated by analysis.

The credit taken for control and protection functions implemented through the BPCS should be limited to no more than two such functions. The following options could be permitted:

– If the initiating event involves a BPCS failure, the BPCS may only then appear once as a protection layer – either as a control function or as an alarm function, and only if there is sufficient independence between the relevant failed BPCS control or protection functions.

– If the initiating event does not involve a BPCS failure, the BPCS may perform up to two functions as protection layers (eg a control function and an alarm function) so long as other requirements on independence are met.

Claims for risk reduction achieved by the BPCS should meet the requirements of BS EN 61511-1 and 61511-2 (eg clauses 9.4, 9.5 and 11.2).

183 Figure 28 illustrates what the application of these principles could require in practice.

Figure 28 Possible structure of sufficient independent control functions within the BPCS

184 Where credit is taken for more than one function being implemented through the BPCS, this should be supported by a detailed analysis and the analysis should form part of the LOPA records. Determination of the degree of independence between two functions that share a common logic solver, as depicted in Figure 28, is not a trivial task and great care should be taken not to underestimate the level of common cause, common mode and dependent failures. Where an operating company considers that they cannot support the level of analysis required, the BPCS should be limited to a single function in the LOPA. It should be noted that some operating companies preclude taking credit for more than one function from the same logic solver as a matter of policy.

185 Where the implementation of two functions involves a human operator there is evident potential for a common cause failure due to human error affecting the performance of both functions. This may have an impact on whether any credit can be taken for any protection layer involving the operator if an error by the same operator is the initiating event.

186 The simplest and most conservative approach is to assume that if an error made by an individual is the initiating event, the same individual cannot be assumed to function correctly in responding to a subsequent alarm. Therefore, if human error is the cause of failure of a BPCS, credit cannot then be taken for the same individual responding correctly to an alarm. This approach is equivalent to taking no credit for error recovery even if suitable means of error recovery can be identified.
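The credit rules set out above (independent sensors and final elements; I/O cards independent unless reliability is demonstrated; at most two BPCS functions, or one where the initiating event is itself a BPCS failure and then only if independent of the failed parts; and the conservative treatment of operator error in paragraph 186) can be written down as a mechanical screening check over candidate protection layers. The following is an added illustration, not part of the report or of any operating company's LOPA procedure; the equipment tags (LT-1, LCV-1 and so on), operator names and scenarios are constructed. Such a screen can order the LOPA record but does not replace the common cause analysis that paragraph 184 calls for.

```python
"""LOPA credit screen for protection functions implemented in a BPCS.

Added example, not from the report. Tags, operators and scenarios are
constructed. Encodes: independent sensors/final elements, I/O cards
independent unless reliability is shown, at most two BPCS functions
(one if the initiating event is a BPCS failure, and only if independent
of the failed parts), and no error-recovery credit for the operator
whose error is the initiating event (para 186, conservative approach).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    kind: str                       # "control" (automatic) or "alarm" (operator acts)
    logic_solver: str               # "BPCS", "SIS", ...; only BPCS layers are screened
    sensor: str
    final_element: str
    io_cards: FrozenSet[str]        # I/O cards the function passes through
    operator: Optional[str] = None  # responding operator for alarm functions


@dataclass(frozen=True)
class InitiatingEvent:
    description: str
    bpcs_failure: bool                    # does the event involve a BPCS failure?
    failed_components: FrozenSet[str]     # sensors/cards/final elements lost in it
    human_error_by: Optional[str] = None  # operator whose error is the event


def components(layer: Layer) -> FrozenSet[str]:
    return frozenset({layer.sensor, layer.final_element}) | layer.io_cards


def reject_reason(layer, event, bpcs_credited, cap, io_reliability_shown) -> Optional[str]:
    """Return why a BPCS layer cannot be credited, or None if it can."""
    # Para 186: the operator who caused the event gets no error-recovery credit.
    if layer.kind == "alarm" and layer.operator and layer.operator == event.human_error_by:
        return "same operator caused the initiating event"
    # A BPCS-failure event: the layer must not depend on anything that failed.
    if event.bpcs_failure:
        shared = components(layer) & event.failed_components
        if shared:
            return f"depends on failed components {sorted(shared)}"
    # Independence from BPCS functions already credited for this event.
    for other in bpcs_credited:
        if layer.sensor == other.sensor or layer.final_element == other.final_element:
            return f"shares sensor or final element with '{other.name}'"
        if layer.io_cards & other.io_cards and not io_reliability_shown:
            return f"shares I/O cards with '{other.name}' without reliability analysis"
    if len(bpcs_credited) >= cap:
        return f"BPCS credit limited to {cap} function(s) for this initiating event"
    return None


def credit_layers(event, layers, io_reliability_shown=False):
    """Greedy screen in list order; returns (credited, [(layer, reason)]).

    Non-BPCS layers pass through: their independence argument (eg a SIS
    assessed under BS EN 61511) is outside this rule set.
    """
    cap = 1 if event.bpcs_failure else 2
    credited: List[Layer] = []
    rejected: List[Tuple[Layer, str]] = []
    for layer in layers:
        if layer.logic_solver != "BPCS":
            credited.append(layer)
            continue
        bpcs_credited = [l for l in credited if l.logic_solver == "BPCS"]
        reason = reject_reason(layer, event, bpcs_credited, cap, io_reliability_shown)
        if reason:
            rejected.append((layer, reason))
        else:
            credited.append(layer)
    return credited, rejected


# Constructed candidate layers (hypothetical tags, not from the report).
LEVEL_CONTROL = Layer("tank level control loop", "control", "BPCS", "LT-1", "LCV-1", frozenset({"AI-1", "AO-1"}))
FLOW_CONTROL = Layer("inlet flow control loop", "control", "BPCS", "FT-4", "FCV-4", frozenset({"AI-4", "AO-4"}))
ALARM_OP_A = Layer("high-level alarm, operator A closes inlet valve", "alarm", "BPCS", "LT-2", "XV-2", frozenset({"AI-2", "DO-2"}), operator="operator_A")
ALARM_OP_B = Layer("high-level alarm, operator B stops transfer pump", "alarm", "BPCS", "LT-2", "P-1", frozenset({"AI-2", "DO-2"}), operator="operator_B")
ALARM_ON_LT1 = Layer("high-level alarm on the control transmitter", "alarm", "BPCS", "LT-1", "XV-2", frozenset({"AI-1", "DO-2"}), operator="operator_B")
SIS_TRIP = Layer("independent high-high level trip", "control", "SIS", "LSHH-3", "XV-3", frozenset({"SIS-AI-1", "SIS-DO-1"}))


def summarise(result):
    credited, rejected = result
    return [l.name for l in credited], {l.name: r for l, r in rejected}


def scenario_operator_error():
    """Operator A routes product to the wrong tank; the BPCS itself is healthy."""
    event = InitiatingEvent("wrong tank selected by operator A", False, frozenset(), human_error_by="operator_A")
    return summarise(credit_layers(event, [LEVEL_CONTROL, ALARM_OP_A, ALARM_OP_B, SIS_TRIP]))


def scenario_bpcs_failure():
    """LT-1 reads low and its input card is suspect: a BPCS-failure initiating event."""
    event = InitiatingEvent("LT-1 fails low", True, frozenset({"LT-1", "AI-1"}))
    return summarise(credit_layers(event, [ALARM_ON_LT1, ALARM_OP_B, ALARM_OP_A, FLOW_CONTROL, SIS_TRIP]))


if __name__ == "__main__":
    for run in (scenario_operator_error, scenario_bpcs_failure):
        credited, rejected = run()
        print(run.__doc__, "\n  credited:", credited, "\n  rejected:", rejected)
```

In the operator-error scenario the level control loop and operator B's alarm are both credited (two BPCS functions on separate sensors, cards and final elements), while operator A's alarm is refused because A caused the event. In the BPCS-failure scenario the cap drops to one: the alarm on the failed transmitter is refused for sharing LT-1 and its input card, operator B's alarm takes the single BPCS credit, operator A's alarm falls for sharing LT-2 with it, and the otherwise independent flow loop hits the one-function limit. The SIS trip passes through untouched in both cases.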

187 A more complex approach would attempt to identify and quantify the possibility of error recovery. This approach would need to consider the type of error causing the initiating event, the information and systems available to warn of the error, the effectiveness of the warning systems in

[Figure 28 diagram: two channels, each running Sensor 1 / Sensor 2 into Input card 1 / Input card 2, through a single BPCS logic solver (common), out via Output card 1 / Output card 2 to a separate Final element; only the logic solver is shared between the two control functions.]