Safety and environmental standards for fuel storage sites
Final report
Appendix 4 Guidance on automatic overfill protection systems for bulk gasoline storage tanks
Introduction
1 This appendix provides guidance on good practice in overfill protection for new and existing in-scope tanks. It covers the design, implementation, lifecycle management, maintenance and proof testing of an automatic tank overfill protection system, so that the required SIL is achieved in compliance with BS EN 61511 so far as is reasonably practicable. Annexes cover PFD calculations, hardware reliability, and configuration requirements for fault tolerance and redundancy.
2 The following items are not covered:
■ mechanical integrity of pipelines and delivery systems;
■ the effects of automatic shutdown on continuous processes;
■ the integrity of manual response to alarms where automatic shutdown is not provided.
3 This guidance is not intended to replace BS EN 61511 but to supplement it specifically in relation to a tank overfill protection SIS (safety instrumented system). It does not cover all the requirements of BS EN 61511. Where no guidance is given on a requirement, such as protection against systematic failures, reference should be made to the standard.
Standards of overfill protection
4 Paragraphs 70–77 of the main report set out the overall requirement for overfill protection. Tanks meeting the criteria in paragraph 24 of the main report should be provided with a high integrity overfill prevention system that, as a minimum, achieves SIL 1 as defined in BS EN 61511-1. To reduce risk as low as reasonably practicable, the overfill prevention system should preferably be automatic and should be physically and electrically separate from the tank gauging system, so that a single gauging failure cannot defeat both the level measurement and the protection.
Detailed design requirements
5 The following specific requirements from BS EN 61511 should all be complied with:
■ the design must meet the safety requirement specification;
■ the system architecture must meet the hardware fault tolerance requirements for the specified SIL (see Annexes 1 and 2);
■ the overall PFD of the safety instrumented function design must meet the PFD determined by the risk assessment (see Annex 3);
■ subsystems should meet the general requirements of BS EN 61511 section 11.5.2 and section 12 for programmable subsystems.
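The PFD and hardware fault tolerance requirements in paragraph 5 are easiest to see with numbers. The following is an added worked example, not part of the report or of its annexes: it uses the simplified low-demand PFDavg formulas from IEC 61508-6 (single proof-test interval, repair time neglected, beta-factor common-cause term for the redundant case) and places the result in the SIL band defined in BS EN 61511-1. The dangerous undetected failure rate, proof-test interval and beta factor are constructed values chosen to illustrate the method; the Annex 3 calculation for a real tank must use the site's own assessed rates.

```python
"""Added worked example (not from the report): PFDavg and SIL band for a
single overfill safety instrumented function, 1oo1 versus 1oo2.

Formulas are the simplified low-demand approximations of IEC 61508-6:
  1oo1: PFDavg ~= lambda_DU * T / 2
  1oo2: PFDavg ~= (lambda_DU * T)^2 / 3  +  beta * lambda_DU * T / 2
where lambda_DU is the dangerous undetected failure rate per hour, T the
proof-test interval in hours and beta the common-cause fraction.
All numeric inputs below are constructed for illustration.
"""

# Low-demand PFDavg bands from BS EN 61511-1: (SIL, lower incl., upper excl.)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Hardware fault tolerance is structural: how many dangerous channel
# failures the voting arrangement survives while still able to trip.
ARCHITECTURE_HFT = {"1oo1": 0, "1oo2": 1, "2oo3": 1}

HOURS_PER_YEAR = 8760


def sil_from_pfd(pfd_avg):
    """Return the SIL (1-4) whose PFDavg band contains pfd_avg.

    Returns 0 when PFDavg >= 0.1 (no SIL claim is possible); values below
    1e-5 are outside the SIL 1-4 scale and raise.
    """
    if pfd_avg >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd_avg < hi:
            return sil
    raise ValueError("PFDavg below 1e-5 is outside the SIL 1-4 scale")


def pfd_1oo1(lambda_du, t_proof):
    """Single channel: PFDavg ~= lambda_DU * T / 2."""
    return lambda_du * t_proof / 2.0


def pfd_1oo2(lambda_du, t_proof, beta):
    """Two channels, either one trips: independent term plus common cause."""
    independent = (lambda_du * t_proof) ** 2 / 3.0
    common_cause = beta * lambda_du * t_proof / 2.0
    return independent + common_cause


def assess(architecture, lambda_du, t_proof, beta=0.1, target_sil=1):
    """Compute PFDavg, achieved SIL and HFT, and compare against the target.

    target_sil defaults to 1, the minimum the report asks for (paragraph 4).
    The HFT needed for the target SIL is taken from the standard's tables
    and is not encoded here; only the architecture's own HFT is reported.
    """
    if architecture == "1oo1":
        pfd = pfd_1oo1(lambda_du, t_proof)
    elif architecture == "1oo2":
        pfd = pfd_1oo2(lambda_du, t_proof, beta)
    else:
        raise ValueError("unsupported architecture: %s" % architecture)
    achieved = sil_from_pfd(pfd)
    return {
        "architecture": architecture,
        "pfd_avg": pfd,
        "sil": achieved,
        "hft": ARCHITECTURE_HFT[architecture],
        "meets_target": achieved >= target_sil,
    }


if __name__ == "__main__":
    # Constructed inputs: 5e-6 dangerous undetected failures per hour
    # (about one in 23 years), annual proof test, 10 % common cause.
    lam, beta = 5e-6, 0.1
    for arch in ("1oo1", "1oo2"):
        for years in (1, 2, 5):
            r = assess(arch, lam, years * HOURS_PER_YEAR, beta)
            print("%s  T=%dy  PFDavg=%.4f  SIL %d  HFT %d  meets SIL 1: %s"
                  % (arch, years, r["pfd_avg"], r["sil"], r["hft"],
                     r["meets_target"]))
```

Running it shows the two levers the report's annexes are about: with the constructed rate, a single-channel switch proof-tested yearly lands in the SIL 1 band (PFDavg 0.0219), stretching the interval to five years pushes it past 0.1 and the SIL 1 claim is lost, while the 1oo2 arrangement adds a hardware fault tolerance of 1 and, even with a 10 % common-cause allowance, sits in the SIL 2 band. The common-cause term dominates the 1oo2 result, which is why the report insists the protection be physically and electrically separate from the tank gauging.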