Safety and environmental standards for fuel storage sites

Final report

130

6 General good practice: The following should be considered during the design, development and maintenance of an automatic overfill protection system:

- The dominant failure modes of any device should be to the safe state or to a detected dangerous failure, unless the architecture allows for fault tolerance.
- Diagnostics for all subsystems are recommended where necessary to detect dangerous unrevealed failures. Procedures should be in place to respond to diagnostic alarms.
- Diagnostics should be tested during proof testing.
- The SIS should be capable of carrying out its designed function on loss of power (pneumatic, electric, hydraulic) (BS EN 61511 section 11.2.11).
- Operation of the SIF should generate an alert to the operator.
- Sufficient independence and separation should be demonstrated between the SIS and the BPCS (BS EN 61511 section 9.5).
- The user's own valid failure rate data should be used within PFD calculations. Where this is not available, use of appropriate recognised external data sources is acceptable.
- The SIS design should provide facilities for ease of proof testing.
- All equipment should be suitably designed for the process and operating conditions, the environment and the hazardous area requirements.
- Input overrides should only be provided where justified (as described in paragraph 24). Output overrides should not be used.
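The PFD calculation referred to above is not shown in the report. The following is an added worked example, written for this page and not taken from the report or from BS EN 61511, of how per-subsystem dangerous failure rates, diagnostic coverage and the proof test interval combine into an average probability of failure on demand for a low-demand overfill SIF. It uses the usual simplified formulas (repair time ignored, detected dangerous failures assumed to be alarmed and repaired, as the diagnostics guidance above requires) and the low-demand SIL bands from IEC 61508/61511. Every failure rate and coverage figure in it is constructed for illustration, not data for any real device.

```python
"""Added example (not from the report): PFDavg of a low-demand overfill
protection SIF from per-subsystem dangerous failure rates, using the
simplified IEC 61508/61511 formulas.  All failure rates below are
constructed for illustration, not data for any real device."""
from dataclasses import dataclass

# Low-demand SIL bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_d: float        # dangerous failure rate, per hour
    dc: float              # diagnostic coverage of dangerous failures, 0..1
    voting: str = "1oo1"   # hardware architecture: "1oo1" or "1oo2"


def pfd_avg(sub: Subsystem, proof_test_interval_h: float, beta: float = 0.0) -> float:
    """Simplified PFDavg, ignoring repair time:
         1oo1: lambda_DU * T / 2
         1oo2: (lambda_DU * T)^2 / 3 + beta * lambda_DU * T / 2
    where lambda_DU = lambda_D * (1 - DC) is the dangerous *undetected* rate
    (detected dangerous failures are assumed to be alarmed and put right) and
    beta is the common-cause fraction shared by the redundant channels."""
    l_du_t = sub.lambda_d * (1.0 - sub.dc) * proof_test_interval_h
    if sub.voting == "1oo1":
        return l_du_t / 2.0
    if sub.voting == "1oo2":
        return l_du_t ** 2 / 3.0 + beta * l_du_t / 2.0
    raise ValueError(f"unsupported voting arrangement {sub.voting!r}")


def sif_pfd(subsystems, proof_test_interval_h: float, beta: float = 0.0) -> float:
    """PFDavg of the whole loop: sensor, logic solver and final element in series."""
    return sum(pfd_avg(s, proof_test_interval_h, beta) for s in subsystems)


def sil_achieved(pfd: float) -> int:
    """SIL band the PFDavg falls in (0 = worse than SIL 1)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def worked_example() -> dict:
    """Constructed 1oo1 loop: level transmitter, safety PLC, shut-off valve.
    Shows that the final element dominates the loop PFD and that halving the
    proof test interval moves the loop from SIL 1 to SIL 2."""
    loop = [
        Subsystem("level transmitter", lambda_d=5e-7, dc=0.6),
        Subsystem("safety PLC", lambda_d=1e-7, dc=0.99),
        Subsystem("shut-off valve + actuator", lambda_d=3e-6, dc=0.0),
    ]
    annual_h = 8760.0
    pfd_annual = sif_pfd(loop, annual_h)
    pfd_six_monthly = sif_pfd(loop, annual_h / 2)
    return {
        "pfd_annual": pfd_annual,
        "sil_annual": sil_achieved(pfd_annual),
        "pfd_six_monthly": pfd_six_monthly,
        "sil_six_monthly": sil_achieved(pfd_six_monthly),
        "valve_share_annual": pfd_avg(loop[2], annual_h) / pfd_annual,
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k}: {v:.3g}" if isinstance(v, float) else f"{k}: {v}")
```

The valve and actuator, with no diagnostics, account for over 90% of the loop PFD in this constructed case, which is why the final-element guidance below (torque margins, shut-off classification, facilities for proof testing) matters more to the achieved SIL than the logic solver does. A real assessment would also carry the SFF and hardware fault tolerance checks of the 61511 tables and any partial-stroke testing credit.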

7 Level sensors:

- Analogue level sensors are preferred to digital (switched) sensors. An analogue signal can be checked continuously against the tank gauging reading, whereas a level switch reveals nothing about its own health until it is called upon.
- A discrepancy alarm between the tank level indication system and an analogue trip system can be used to alert that there is a problem with the level measurement.
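The discrepancy alarm is the one place on this page where a specific detection rule can be written down. The following is an added example, not code from the report, of a logic-solver comparison between the tank gauging (BPCS) level and the independent analogue trip transmitter (SIS), with a persistence filter so that short transients during a fast level change do not raise spurious alarms. The level samples are constructed: the tank is being filled and the SIS transmitter freezes part way through, a dangerous undetected failure that a switched sensor could not expose before a demand.

```python
"""Added example (not from the report): discrepancy alarm between the tank
gauging (BPCS) level and the independent analogue trip transmitter (SIS).
The level samples are constructed: the tank is being filled and the SIS
transmitter freezes part way through."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LevelSample:
    t_s: int              # time, seconds
    bpcs_level_m: float   # tank gauging system (BPCS) level
    sis_level_m: float    # analogue level transmitter feeding the trip logic


def discrepancy_alarms(samples, tolerance_m: float = 0.05, persistence: int = 3):
    """Timestamps at which the two readings have disagreed by more than
    tolerance_m for `persistence` consecutive samples.  The persistence
    filter suppresses spurious alarms from short transients (for example
    different damping in the two instruments during a fast level change);
    the alarm must then be handled by the diagnostic-alarm procedure."""
    alarms = []
    run = 0
    for s in samples:
        if abs(s.bpcs_level_m - s.sis_level_m) > tolerance_m:
            run += 1
            if run >= persistence:
                alarms.append(s.t_s)
        else:
            run = 0
    return alarms


def constructed_samples():
    """Constructed data: tank filling at 0.1 m per minute from 10.0 m; the SIS
    transmitter stops updating after the 360 s sample and keeps reporting its
    last value, so the BPCS and SIS readings drift apart."""
    samples = []
    for i in range(11):
        t = 60 * i
        true_level = 10.0 + 0.1 * i          # BPCS tracks the real level
        sis = true_level if t <= 360 else samples[6].sis_level_m  # frozen
        samples.append(LevelSample(t, true_level, sis))
    return samples


if __name__ == "__main__":
    print(discrepancy_alarms(constructed_samples()))
```

With the default 0.05 m tolerance and three-sample persistence the frozen transmitter is alarmed two minutes after the drift starts, well before the tank reaches a high-high level; with a level switch there is no second reading to compare against, which is the reason for the preference for analogue sensors above. The tolerance should be set from the documented accuracy of both instruments, not tuned to silence the alarm.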

8 Logic solver fault tolerance (minimum hardware fault tolerance requirements):

- Non-programmable logic solvers should comply with Table 6 of BS EN 61511.
- Programmable logic solvers should comply with Table 5 of BS EN 61511.

9 Final elements:

- Electrically operated valves that do not fail safe on loss of power should have a backup power supply. Loss of the power supply should be alerted to the operator.
- Auto reset of the final element should not be possible.
- An adequate safety factor should be provided for actuator torque on shut-off valves. A minimum safety factor of 1.5 on the break-off (from open position) force/torque is recommended.
- Manual operating facilities on valves which inhibit the SIF operation (eg hand wheels) are not recommended.
- Performance of the shut-off valve should meet the requirements of the safety requirement specification (eg shut-off classification).
- Closure of shut-off valves should be designed to prevent pressure surges on the system pipework and couplings (particularly to flexible pipes on ship to shore).

Note: To prevent damage to pipelines and flexible hoses due to pressure surges or over-pressure in the event of a shutdown for any reason, including inadvertent export valve closure, the supplying source (eg ships) should already be fitted with the necessary protection against over-pressure or no flow in the event of dead head or other effects of shutdown. This is the responsibility of the shipping company and ship owner, but the terminal owner has the responsibility of informing the shipping company that an automatic shutdown system is in operation and may operate at any time.
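Three of the final-element points above (the SIF alerting the operator when it operates, loss of actuator power being alerted, and no automatic reset) are behaviours of the trip logic rather than of the valve hardware. The following is an added example written for this page, not logic from the report or from any real logic solver, of a latched overfill trip for an electrically operated import valve that does not fail safe on loss of power and therefore has a backup supply. The setpoint, reset margin and scan sequence are constructed for illustration.

```python
"""Added example (not from the report): latching overfill trip for an
electrically operated shut-off valve with a backup supply.  The SIF
operating raises an operator alert, loss of power raises an alert, and the
trip stays latched until an operator resets it with the level safely below
the setpoint.  Setpoints and the scan sequence are constructed."""
from dataclasses import dataclass, field

CLOSED_ALERT = "ALERT: overfill SIF operated, import valve closed"
MAIN_LOST_ALERT = "ALERT: main power to valve actuator lost, on backup supply"
NO_POWER_ALERT = "ALERT: no power to valve actuator, SIF cannot close valve"


@dataclass
class OverfillTrip:
    high_high_m: float          # trip setpoint
    reset_margin_m: float       # level must be this far below setpoint before reset
    valve_open: bool = True
    tripped: bool = False       # latched demand; cleared only by manual_reset()
    main_power_ok: bool = True
    alerts: list = field(default_factory=list)

    def scan(self, level_m: float, main_power_ok: bool = True,
             backup_power_ok: bool = True) -> list:
        """One logic-solver scan.  Returns the alerts raised during this scan."""
        new = []
        if self.main_power_ok and not main_power_ok:
            new.append(MAIN_LOST_ALERT)       # alert once, on the transition
        self.main_power_ok = main_power_ok
        actuator_powered = main_power_ok or backup_power_ok
        if not actuator_powered:
            new.append(NO_POWER_ALERT)        # dangerous condition, every scan
        if level_m >= self.high_high_m:
            self.tripped = True               # latch: a falling level never clears it
        if self.tripped and self.valve_open and actuator_powered:
            self.valve_open = False           # act on the latched demand
            new.append(CLOSED_ALERT)
        self.alerts.extend(new)
        return new

    def manual_reset(self, level_m: float) -> bool:
        """Operator reset after the cause is dealt with.  Refused unless the
        level is below the setpoint by the reset margin; there is no auto reset."""
        if not self.tripped or level_m >= self.high_high_m - self.reset_margin_m:
            return False
        self.tripped = False
        self.valve_open = True
        self.alerts.append("operator reset accepted, import valve re-opened")
        return True


def demo() -> list:
    """Constructed scan sequence: trip, level falls (valve stays shut), reset
    refused then accepted, main power lost, all power lost during a demand."""
    trip = OverfillTrip(high_high_m=11.0, reset_margin_m=0.5)
    trip.scan(10.0)
    trip.scan(11.1)
    trip.scan(10.0)
    trip.manual_reset(10.8)
    trip.manual_reset(10.0)
    trip.scan(10.0, main_power_ok=False)
    trip.scan(11.2, main_power_ok=False, backup_power_ok=False)
    trip.scan(11.2, main_power_ok=False, backup_power_ok=True)
    return trip.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The demand is latched separately from the valve position so that a trip reached while the actuator is unpowered is still carried out as soon as power returns, and the no-power alert repeats on every scan because it is a condition that needs a response, not an event. A hand wheel that could reopen the valve outside this logic would bypass both the latch and the reset check, which is the reason such facilities are not recommended above.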