Table of Contents Table of Contents
Previous Page  120 / 648 Next Page
Information
Show Menu
Previous Page 120 / 648 Next Page
Page Background

Safety and environmental standards for fuel storage sites

Final report

118

helping the diagnosis of the error and the time available for diagnosis and recovery before effective

recovery is impossible. Where credit is taken for error recovery, this should be supported by detailed

analysis by a person competent in appropriate human reliability assessment techniques.

Annex 6 Cross-checking

Discussion

188 Many tank-filling operations include a number of cross-checking activities as part of the

operation. These may include checks before the transfer starts (eg routing valve line-up, tank dips,

available ullage) and periodic checks during the filling operation (filling rate, tank dips, unusual

behaviour of instruments).

189 The risk reduction that can be claimed for checking activities varies greatly with the kind of

check being carried out. Experience shows that the risk reduction due to checking is frequently

not as great as might be expected. Operators asked to ‘check’ each other may be reluctant to

do so, or the checker may be inclined to believe that the first operator has done the task correctly

because they are known to be experienced. Therefore the intended independence of the checking

process may not in fact be achieved.

190 This report distinguishes between self-checking activities and those carried out by a third party.

Self-checking activities, such as those carried out by the operator responsible for monitoring the

filling operation, should be considered as part of the basic reliability of the operator in carrying out

the filling operation and hence included in the risk reduction claimed for that activity. The extent

and nature of the self-checks may legitimately be considered a factor in the reliability claimed, but

they would not warrant separate identification, and hence a claim for risk reduction, within the study

unless an error recovery assessment is performed and fully supports any claims made.

191 Third party checks, which may offer risk reduction include: third party verification of tank dips

prior to transfer; verification of tank dips for customs purposes. Supervisor verification of valve

line-ups prior to transfer may suffer from similar dependencies to that of a second operator as

described above. The following guidance applies under these circumstances.

General requirements

192 It can be claimed that an ‘independent’ cross check will affect the frequency of the initiating

event and the demand on any layer of protection if the cross check can be shown to be a formal

requirement of a standard operating procedure and the cross-check is:

independent;

effective; and

proper auditable records kept.

193 Note that management system and standard operating procedures cannot be claimed as

a protection layer in their own right. On their own, procedures do not meet the requirement of

effectiveness for a protection layer because they cannot identify a hazard or perform an action.

Instead, procedures are incorporated in the performance claimed for a protection layer because

they define requirements for the conduct of activities and therefore are included implicitly rather

than explicitly within the analysis.

194 An important task for a LOPA team is to distinguish between those checks that are formally

required and those that are carried out as a matter of custom and practice. Checks which are not part

of a formal procedure cannot be considered to offer significant risk reduction. For example, where field

operators carry out informal checks on tank levels from time to time, the check cannot be considered

a valid cross-check because there is no formal requirement to carry it out even though it may offer

some risk reduction. Additionally, they may vary over time without requiring any change control.

1 115 116 117 118 119 120 121 122 123 124 125 126 648 P & I Design Ltd