Safety and environmental standards for fuel storage sites
Final report
Automatic overfill protection systems for bulk gasoline storage tanks
70 Appendix 4 provides guidance on good practice on overfill protection for new and existing
in-scope tanks. It covers the design, implementation, lifecycle management, maintenance and
proof testing for an automatic system on tank overfill protection to achieve the required SIL
in compliance with BS EN 61511 so far as is reasonably practicable. It includes annexes on
probability of failure on demand (PFD) calculations, hardware reliability, configuration requirements
for fault tolerance and redundancy.
71 The following items are not covered:
■ mechanical integrity of pipelines and delivery systems;
■ the effects of automatic shutdown on continuous processes;
■ the integrity of manual response to alarms where automatic shutdown is not provided.
72 This guidance is not intended to replace BS EN 61511 but to supplement it specifically in
relation to tank overfill protection SIS. It does not cover all the requirements of BS EN 61511.
Where guidance is not given on any requirement, such as protection against systematic failures,
then reference should be made to the standard.
Overfill protection standards
73 All in-scope tanks should be fitted with a high integrity overfill prevention system that complies with
BS EN 61511-1 (Appendix 4 provides further guidance for new and existing installations). Dutyholders
should conduct a risk assessment to determine the appropriate SIL to meet the requirements of BS
EN 61511-1. The outcome of that risk assessment should demonstrate that the risk arising from
a tank overfilling in a way that may give rise to a major accident is ALARP. Appendix 2 provides
guidance on the use of LOPA as a means of undertaking a suitable risk assessment.
MIIB Recommendation 3
Operators of Buncefield-type sites should protect against loss of containment of petrol and other
highly flammable liquids by fitting a high integrity, automatic operating overfill prevention system
(or a number of such systems, as appropriate) that is physically and electrically separate and
independent from the tank gauging system.
Such systems should meet the requirements of Part 1 of BS EN 61511 for the required safety
integrity level, as determined by the agreed methodology (see Recommendation 1). Where
independent automatic overfill prevention systems are already provided, their efficacy and reliability
should be reappraised in line with the principles of Part 1 of BS EN 61511 and for the required
safety integrity level, as determined by the agreed methodology (see Recommendation 1).
MIIB Recommendation 4
The overfill prevention system (comprising means of level detection, logic/control equipment and
independent means of flow control) should be engineered, operated and maintained to achieve
and maintain an appropriate level of safety integrity in accordance with the requirements of the
recognised industry standard for ‘SIS’, Part 1 of BS EN 61511.
MIIB Recommendation 5
All elements of an overfill prevention system should be proof tested in accordance with the validated
arrangements and procedures sufficiently frequently to ensure the specified safety integrity level is
maintained in practice in accordance with the requirements of Part 1 of BS EN 61511.




