Safety and environmental standards for fuel storage sites

Final report

141

Figure 39

Effect of architecture and proof test interval on system PFD

(avg)

Annex 4 Points for consideration in meeting the requirements of BS EN 61511 so

far as is reasonably practicable

52 Where an existing tank meets the requirements set out in paragraphs 73–77 of the main

report in all respects other than fully complying with BS EN 61511, then the following issues may

be considered:

Sensors: Whether the high-high level device is independent of the high level alarm, the ATG

■

■

system or any other high level alarm.

Logic solvers: Whether there is sufficient independence between the overfill protection system

■

■

and the tank gauging system.

System: Whether the configuration of the automated overfill protection system is restricted

■

■

and controlled as a SIS to prevent inadvertent modification.

Final elements: Whether fail safe motorised valves (MOVs/EOVs) or the stopping of supply

■

■

pumps may be an alternative to installing a new valve or modifying an existing manual valve.

Whether the power supplies for an automated overfill system are independent from the BPCS

■

■

used for tank level indication and provides redundancy for protection against common mode

failure (Note that if the Final Element fails safe on loss of power, a new independent power

supply may not be reasonably practicable).

Whether the hardware fault tolerance and PFD

■

■

(avg)

of the overfill protection system meets the

SIL requirement and can be demonstrated by the end user.

1.0E+00

1.0E-01

1.0E-02

1.0E-03

1.0E-04

0

1

2

3

4

5

6

7

8

9

10

Proof test interval (years)

SIL1 Region

SIL2 Region

SIL3 Region

PFD(avg)

1oo1

1oo2

Architecture influence on PFD

(avg)