
Safety and environmental standards for fuel storage sites

Final report


70 Some tank monitoring systems include alarms and systems which monitor for ‘stuck’ tank gauges and ‘unscheduled movement’.

71 While these are useful aids to operation, neither the systems themselves nor the human interface with them are designed or managed in accordance with BS EN 61511. Therefore the credit to be taken for them should be limited. As they also typically rely on the same operator who has to bring the transfer to a stop, it is not appropriate for them to be considered as a protection layer. Instead they may be considered as a contributing factor to the reliability claimed for the operator, for example in relation to error recovery, in carrying out the basic process control function, and are therefore part of the basic process control system.

72 Care needs to be taken to identify situations where the operator has come to rely on the ‘assist’ function to determine when to take action. It is important to identify this type of situation to avoid making unrealistic reliability claims.

The role of cross-checking

73 Many tank-filling operations include a number of cross-checking activities as part of the operation. These may include checks before the transfer starts (eg routing valve line-up, tank dips, available ullage) and periodic checks during the filling operation (eg to confirm the filling rate, carry out tank dips or check for unusual instrument behaviour).

74 Depending on the circumstances, cross-checks may be represented in the LOPA as modifiers to the initiating event frequency or as part of a protection layer. If the initiating events include a contribution for misrouting, then the frequency of misrouting may be adjusted if a suitably rigorous cross-check is carried out. If the tank filling operation requires an initial tank dip to be carried out, the frequency of the dip being incorrectly carried out or recorded may be affected by a suitable cross-check. If the tank filling operation requires periodic checks of the level to be carried out, this may provide an opportunity to identify that a level gauge has stuck or that the wrong tank is being filled.

75 Cross-checks can provide an opportunity to detect and respond to an error condition, whether the condition has been caused by a human error or an equipment failure. The amount of credit that can be taken for the cross-check will depend on the specifics of what is being checked and the degree of independence of the check. This is discussed in more detail in Annex 6.

76 Various human reliability assessment techniques may be used to evaluate the effectiveness of cross-checking activities – eg THERP (Technique for Human Error Rate Prediction) and HEART (Human Error Assessment and Reduction Technique). It is important that any assessment is made by a competent human reliability specialist and that it is based on information provided by the operators who actually carry out the filling operation.

Protection layers

General principles

77 The LOPA methodology relies on the identification of protection layers, and in specifying protection layers it is important that all the rules for a protection layer are met. A valid protection layer needs to be:

effective in preventing the consequence; and

independent of any other protection layer or initiating event; and

auditable, which may include a requirement for a realistic functional test.

78 Note that the requirement for all three criteria to be met for each protection layer is a stronger requirement than in the Informative Annex D to BS EN 61511-3, where these requirements are only applied to so-called ‘independent layers of protection’. The approach adopted in this guidance is consistent with the approach in the CCPS book Layer of Protection Analysis.
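The screening rule in paragraphs 71 and 77, as an added example that is not part of the report: a candidate layer is credited only if it is effective, auditable and shares no person or equipment with the initiating event or an already credited layer. The layer names, dependency labels, frequency and PFD values are constructed for illustration, and layers are screened in the order listed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float             # claimed probability of failure on demand (constructed)
    relies_on: frozenset   # people and equipment the layer depends on
    effective: bool = True
    auditable: bool = True

def screen_layers(initiator_relies_on, candidates):
    """Apply the three rules; return (credited layers, [(name, reason)] rejected)."""
    used = set(initiator_relies_on)
    credited, rejected = [], []
    for layer in candidates:
        shared = used & layer.relies_on
        if not layer.effective:
            rejected.append((layer.name, "not effective"))
        elif not layer.auditable:
            rejected.append((layer.name, "not auditable"))
        elif shared:
            rejected.append((layer.name, "shares " + ", ".join(sorted(shared))))
        else:
            credited.append(layer)
            used |= layer.relies_on   # later layers must be independent of this one too
    return credited, rejected

def mitigated_frequency(initiating_freq, layers):
    """Initiating event frequency (per year) multiplied by each credited PFD."""
    freq = initiating_freq
    for layer in layers:
        freq *= layer.pfd
    return freq

# Constructed scenario: operator fails to stop a transfer, 0.1 per year.
INITIATOR = frozenset({"control room operator", "tank level gauge"})
CANDIDATES = [
    Layer("stuck-gauge / unscheduled-movement alarm", 0.1,
          frozenset({"control room operator", "tank monitoring system"})),
    Layer("independent high-level trip (hypothetical)", 0.01,
          frozenset({"independent level switch", "shutdown valve"})),
    Layer("overfill detector with no functional test (hypothetical)", 0.1,
          frozenset({"overfill detector"}), auditable=False),
]

if __name__ == "__main__":
    credited, rejected = screen_layers(INITIATOR, CANDIDATES)
    for name, reason in rejected:
        print(f"rejected: {name} ({reason})")
    print("credited:", [l.name for l in credited])
    print("mitigated frequency /yr:", mitigated_frequency(0.1, credited))
    print("if every claim were credited:", mitigated_frequency(0.1, CANDIDATES))
```

With these constructed values, crediting every claimed layer would understate the mitigated frequency by a factor of 100 compared with the screened result.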