121 / 648
Safety and environmental standards for fuel storage sites
Final report
119
195 It will also be necessary for the LOPA team to review the checking activities in detail to confirm
exactly what is done and how, compared with the requirements of the procedure. Where the
procedure requires something to be confirmed visually, the team should verify that this actually
happens, as opposed to the checker relying on what they are told by the person carrying out the task.
196 The LOPA team need to be alert to hidden dependencies between the person carrying out
the task and the person checking. For example, the visual confirmation that a specific valve has
been closed may correctly verify that a valve has been closed, but not necessarily that the correct
valve has been closed. The checker may implicitly have relied on the person carrying out the task
to select the correct valve.
Quantifying the benefit from checking
197 The key to appropriate checking is the identification of what error is to be highlighted by the
check and the action that is taken following identification of the error. The analyst must ask the
question ‘If the person who has carried out the original action has not spotted the error, what is
the justification that the person checking will be able to spot the error?’
198 For example, when considering a check on opening a manual valve, there is a need to
consider each of the types of error separately; this is because the validity or benefit of checking is
likely to be different for each type of error.
199 The error may be:
omission of valve opening;
■
■
opening the wrong valve;
■
■
only partially opening the correct valve;
■
■
200 For the error of omission, the LOPA team need to ask the question as to whether the checker
will even be requested to check that the valve has been opened. Review of the procedure may
reveal that the checking part may be triggered by the completion of the original action. Hence with
an omission checking may not occur and so a claim for checking would not be appropriate.
201 For the error of opening the wrong valve, the LOPA team need to ask the question as to
how the checker knows which valve is to be checked. If the actual procedure involves the person
carrying out the original action telling the checker which valve is to be checked, then again a claim
for checking would not be appropriate. Equally if the checker uses the same information source
as the person carrying out the original action and an error in that information is the cause of the
original error, then the checker can be expected to make the same error as the person carrying
out the original action; the check has no benefit.
202 For the failure to open fully the valve, then the question arises ‘what is it that will alert the
checker to the error and yet it was not able to alert the person carrying out the original action?’
Again the LOPA team needs to question whether the checker can see anything different from
the person carrying out the original action. If there is nothing that the checker will be able to see
differently, it is difficult to justify that there is any risk reduction benefit from the checker.
203 There is another aspect in which checking needs careful thought. If the person carrying out
the original action knows that there will be checking, then there is a possibility that there may be
a level of reliance on the checker: the person carrying out the original action may take less care,
secure in the belief that any errors will be detected and corrected by the checker.
204 Making risk reduction claims for checking requires clear written discussion to say what is being
checked and how the checker will be successful when the person carrying out the original action has
not been successful.
205 Table 12 suggests some levels of checking to consider. The first level of checking would give
a low level confidence in the effectiveness of the cross check and the last level of checking in