Safety and environmental standards for fuel storage sites

Final report

96

63 Refer to Annex 5 for a more detailed discussion about the treatment of the BPCS in the LOPA for the overflow of an atmospheric storage tank.

64 BS EN 61511 sets a limit on the dangerous failure rate that may be claimed for a BPCS which does not itself conform to IEC 61511: the claimed rate can be no lower than 1E-5 dangerous failures per hour. This limit is set to distinguish systems designed and managed in accordance with BS EN 61511 from those that are not. For example, minor modifications to hardware and software elements in a BPCS may not routinely be subject to the same rigour of change control and re-evaluation required for a SIS that complies with BS EN 61511. The 1E-5 dangerous failures per hour performance limit should be applied to the system(s) that implement the BPCF taken as a whole, whether operating as a continuous closed-loop system or relying on the intervention of a process operator in response to an alarm.

65 The performance claimed for the BPCS should be justified, if possible by reference to actual performance data. For the purposes of analysis, the performance of a given BPCS may be taken as worse than the 1E-5 dangerous failures per hour performance limit, but it cannot be assumed to be better (even if historical performance data appears to show a better standard of performance) unless the system as a whole is designed and operated in accordance with BS EN 61511.

66 The elements comprising the BPCS may be different for different filling scenarios. In particular, while the tank level sensor may be the same, the human part of the BPCS may change (if multiple people and/or organisations are involved) and the final element may also change (eg filling from a ship may involve a different final element from filling from another tank). In each case, the elements of the BPCS should be defined for each mode of operation of the tank and should be consistent with what is required by operating procedures.

67 There are two main approaches when dealing with initiating events arising from failures in the BPCF within the LOPA:

In the first and most conservative approach, no credit is taken for any component of the BPCS as a protection layer if the initiating event also involves the BPCS. The failures involving the BPCS may be lumped into a single initiating event or may be separately identified. This approach is consistent with simple applications of LOPA. See Annex 5 for further discussion. This approach fully meets the requirements of BS EN 61511.

The second approach is to allow a single layer of protection to be credited where there is sharing of components between the BPCS as an initiator and the BPCS as a layer of protection. Where credit for such a layer is claimed, the risk reduction factor is limited to ten and the analysis must demonstrate that there is sufficient independence between the initiating event and the protection layer (see Annex 5 for further details). For example, a failure of an automatic tank gauge would not necessarily prevent consideration of the same operator who normally controls the filling operation responding to an independent high level alarm as a protection layer, whereas a failure of the operator to stop the filling operation at the required fill level may preclude consideration of their response to a subsequent alarm. This approach meets the requirements of BS EN 61511 provided all the associated caveats are applied and adequate demonstrations are made.
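The following is an added worked example, not part of the report and not HSE or BS EN 61511 material: a small LOPA calculator that encodes the BPCS rules of paragraphs 64, 65 and 67 (the 1E-5/hr floor on the claimed dangerous failure rate of a non-61511 BPCS, no credit for shared BPCS components under the first approach, and a single shared layer capped at a risk reduction factor of ten under the second) and runs them on a constructed ship-to-tank filling scenario. The element names, failure rates and risk reduction factors are illustrative assumptions, not site data. Two modelling choices are also assumptions: the initiating event frequency is obtained by treating the loop as continuously at risk (rate per hour times 8760), whereas the report's time-at-risk treatment is in Annex 5 and not on this page; and the operator case the report says "may preclude" credit is treated as always precluding it, which is the conservative reading.

```python
"""
Added example (not from the HSE report): LOPA treatment of a BPCS that is
both the initiating event and a candidate protection layer, per the rules
in paragraphs 64, 65 and 67.  All scenario data below is constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760
BPCS_FLOOR_PER_HR = 1e-5        # para 64: a non-61511 BPCS may not claim better than this
SHARED_LAYER_MAX_RRF = 10.0     # para 67, second approach: shared layer capped at ten


@dataclass(frozen=True)
class BpcsInitiator:
    name: str
    failed_element: str          # the BPCS element whose failure is the initiating event
    bpcs_elements: frozenset     # every element implementing the BPCF (para 64: "as a whole")
    claimed_rate_per_hr: float
    designed_to_61511: bool      # whole system designed AND operated to BS EN 61511


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    elements: frozenset
    claimed_rrf: float
    independence_demonstrated: bool = True   # para 67: must be shown when components are shared


def effective_rate_per_hr(ie):
    """Para 65: a non-61511 BPCS may be assumed worse than 1E-5/hr, never better."""
    if ie.designed_to_61511:
        return ie.claimed_rate_per_hr
    return max(ie.claimed_rate_per_hr, BPCS_FLOOR_PER_HR)


def credited_rrf(layer, ie, approach, shared_credit_used):
    """Return (rrf, uses_shared_credit) for one layer under approach 1 or 2."""
    shared = layer.elements & ie.bpcs_elements
    if not shared:
        return layer.claimed_rrf, False          # fully independent: normal LOPA credit
    if approach == 1:
        return 1.0, False                        # most conservative: no credit at all
    if approach != 2:
        raise ValueError("approach must be 1 or 2")
    # Second approach: only ONE shared layer, RRF capped at ten, and only if the
    # element that failed in the initiating event is not relied on again here.
    # (Para 67: a failed gauge does not rule out the operator answering an
    # independent alarm; an operator who failed to stop the fill is not credited
    # with answering the later alarm - treated here as always precluded.)
    blocked = (shared_credit_used
               or ie.failed_element in layer.elements
               or not layer.independence_demonstrated)
    if blocked:
        return 1.0, False
    return min(layer.claimed_rrf, SHARED_LAYER_MAX_RRF), True


def lopa(ie, layers, approach):
    """Mitigated event frequency per year.  Assumption: loop continuously at
    risk, so IEF = rate/hr * 8760 (time-at-risk treatment is in Annex 5)."""
    f_ie = effective_rate_per_hr(ie) * HOURS_PER_YEAR
    credits, shared_used, total_rrf = {}, False, 1.0
    for layer in layers:
        rrf, used = credited_rrf(layer, ie, approach, shared_used)
        shared_used = shared_used or used
        credits[layer.name] = rrf
        total_rrf *= rrf
    return {"f_ie_per_year": f_ie,
            "credits": credits,
            "f_mitigated_per_year": f_ie / total_rrf}


# --- constructed scenario: ship discharging into an atmospheric tank --------
BPCS = frozenset({"tank_gauge", "operator", "ship_manifold_valve"})

GAUGE_FAILS = BpcsInitiator("ATG reads low while ship discharge continues",
                            "tank_gauge", BPCS, claimed_rate_per_hr=2e-6,
                            designed_to_61511=False)
OPERATOR_FAILS = BpcsInitiator("operator fails to stop fill at target level",
                               "operator", BPCS, claimed_rate_per_hr=1e-5,
                               designed_to_61511=False)

LAYERS = [
    # Shares the operator with the BPCS: credit depends on approach and on what failed.
    ProtectionLayer("independent high level alarm + operator response",
                    frozenset({"high_level_switch", "operator"}), claimed_rrf=10.0),
    # Own sensor and own valve: independent of the BPCS, credited under both approaches.
    ProtectionLayer("SIS high-high trip (own sensor, own valve)",
                    frozenset({"hh_level_sensor", "esd_valve"}), claimed_rrf=100.0),
]

if __name__ == "__main__":
    for ie in (GAUGE_FAILS, OPERATOR_FAILS):
        for approach in (1, 2):
            r = lopa(ie, LAYERS, approach)
            print(f"{ie.name} / approach {approach}: IEF {r['f_ie_per_year']:.4f}/yr, "
                  f"credits {r['credits']}, mitigated {r['f_mitigated_per_year']:.2e}/yr")
```

Running it shows the two rules doing their work: the gauge initiator's claimed 2E-6/hr is raised to the 1E-5/hr floor (about 0.0876 demands per year), the alarm-plus-operator layer is worth nothing under the first approach and at most a factor of ten under the second, and it is worth nothing under either approach when the operator's own failure is the initiating event.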

68 It is always preferable to base performance data on the actual operation under review, or at least one similar to it. Care needs to be taken in using manufacturers' performance data for components, as these may have been obtained in an idealised environment. The performance in the actual operating environment may be considerably worse due to site- and tank-specific factors.

Additional aids to tank filling operations

69 Operators may be able to configure their own alarms to advise when a tank filling operation is nearing its programmed stop time ('stop gauges'). Software systems may also help with scheduling tasks by keeping track of all the tank movement operations being carried out and ordering the required tasks.