Table of Contents Table of Contents
Previous Page  124 / 648 Next Page
Information
Show Menu
Previous Page 124 / 648 Next Page
Page Background

Safety and environmental standards for fuel storage sites

Final report

122

Initiating event frequency calculation

214 The frequency for each human initiating event is based on two parameters:

Task frequency (/yr).

HEP – as assessed using an appropriate method or selected from a table of generic task error

probabilities, with suitable account taken for any conditions that could impact on the operator’s

ability to consistently and reliably perform their task, eg error producing conditions used in the

HEART method.

215 For each human initiating event, the initiating event frequency would be calculated by:

Initiating event frequency (/yr) = Task frequency (/yr) x HEP

For example, a task carried out once a week, with an assessed human error probability for a

specific error of 0.01; the initiating event frequency can be calculated:

Initiating event frequency (/yr) = Task frequency (/yr) x HEP

= 52 x 0.01

= 0.52 per year

Note that enabling events or conditions can be included in the task frequency (the number of

times the activity is carried out under operational conditions which could lead to the undesired

consequence) and do not require separate identification.

216 For initiating events, the error probability should be conservative.

Annex 8 Response to alarms

217 When considering the alarm function as a protection layer it is helpful to have a mental model

along the lines of that shown in Figure 30.

Figure 30

Alarm function

218 This shows four elements: the sensor, the annunciator, the operator and the final element.

For complete independence, each of these four elements must be different from those used by

other protection layers and from the initiating event for the hazardous scenario in question. Should

any of these elements not be independent for the situation being considered then the alarm

function should not be included in a simple LOPA analysis.

219 Where there is some commonality of elements between the alarm function and the initiating

event or other protection layers, inclusion of the alarm function should be supported by a more

detailed analysis. Typically this will require that an initiating event caused by the BPCF is broken down

into individual failures of the constituent elements. Credit for the alarm function could only be claimed

if there is a means of carrying out the function which is independent of the failed component, and if

the person carrying out the function has sufficient knowledge, time and training to carry out any tasks

correctly. The factors outlined below for operator response need to be considered.

Definition of the required performance of the alarm function

220 Before proceeding with the analysis of the performance of the alarm function, the required

function should be carefully defined. It is not enough simply to identify an instrument and consider

that as a protection layer. The protection layer will need to make up a complete loop and should

therefore include:

Task type

Alarm function

Sensor

Annunciator

Operator

Final element

1 119 120 121 122 123 124 125 126 127 128 129 130 648 P & I Design Ltd