Safety and environmental standards for fuel storage sites
Final report
98
Effectiveness
79 Care needs to be taken to ensure that each of these requirements for a protection layer is
met and that the types of error described in Annex 1 are avoided.
80 A protection layer must be effective. This requires that the layer has a minimum functionality
that includes at least:
■ a means of detection of the impending hazardous condition;
■ a means of determining what needs to be done; and finally
■ a means of taking effective and timely action which brings the hazardous condition under
control.
81 If any of these elements are missing from the protection layer, the layer is incomplete or
partial and the elements should be considered an enhancement to another protection layer. For
example, the presence of a level detection instrument with a high level alarm which is independent
of the normal level instrument used for filling control is not a complete protection layer in its own
right. A full protection layer would also require consideration of the arrangements for determining
what action is required and the means of making the process safe, for example an independent
valve/pump shut-off.
82 For the layer to be effective, it must be capable of bringing the hazardous condition under
control and of preventing the consequence from developing without the involvement of any other
protection layer or conditional modifier. The requirement for timeliness may require careful
consideration of the dynamics of the scenario and when any response from a protection layer
may be too late to be effective. Where people are involved, care needs to be taken over the
human factors of the response.
Independence
83 A protection layer needs to be independent of other protection layers and of the initiating
event. This is a requirement of clause 9.5 in BS EN 61511-1 and is a key simplifying feature of
LOPA. To ensure that protection layers are independent, it is vital that they are clearly identified.
(See Annex 5 for further details.)
84 The simplest application of LOPA requires absolute independence between protection layers,
as well as between protection layers and initiating events. Therefore, if a proposed protection layer
shares a common component with another protection layer or initiating event (eg a sensor, human
operator, or valve), the proposed protection layer could not be claimed as a separate protection
layer. Instead, the proposed protection layer would have to be included as part of the initiating
event or other protection layer.
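The completeness test of paragraphs 80 and 81 and the absolute-independence test of paragraph 84 can be applied mechanically to a candidate set of layers. The following screening script is an added example, not part of the report; the overfill scenario, tag names (LT-1, LSH-2, LSHH-3, XV-1, MV-2) and layer names are constructed for illustration.

```python
"""LOPA protection-layer screening (added example, not from the report).

Rule 1 (paragraph 80): a layer is complete only if it provides detection,
decision and action; otherwise it is at most an enhancement of another layer.
Rule 2 (paragraph 84, simplest application of LOPA): a layer that shares any
component (sensor, operator, valve) with the initiating event or with another
layer cannot be claimed as a separate protection layer.
"""
from dataclasses import dataclass

REQUIRED_ELEMENTS = {"detect", "decide", "act"}


@dataclass
class Layer:
    name: str
    elements: set      # subset of REQUIRED_ELEMENTS that the layer provides
    components: set    # equipment items or people the layer relies on


def missing_elements(layer):
    """Required elements the layer lacks; an empty set means it is complete."""
    return REQUIRED_ELEMENTS - layer.elements


def shared_components(layer, others):
    """Name -> shared components, for every other layer or initiating event it overlaps."""
    return {o.name: layer.components & o.components
            for o in others if layer.components & o.components}


def screen(initiating_event, layers):
    """Classify each candidate as claimable, incomplete and/or not independent."""
    verdicts = {}
    for layer in layers:
        reasons = []
        missing = missing_elements(layer)
        if missing:
            reasons.append("incomplete: lacks " + ", ".join(sorted(missing)))
        others = [initiating_event] + [l for l in layers if l is not layer]
        for name, shared in shared_components(layer, others).items():
            reasons.append(f"not independent of {name}: shares {', '.join(sorted(shared))}")
        verdicts[layer.name] = reasons or ["claimable"]
    return verdicts


# Constructed tank-overfill scenario. Initiating event: the filling-control level transmitter fails.
INITIATING = Layer("filling control failure", set(), {"LT-1 level transmitter"})
CANDIDATES = [
    Layer("independent high-level alarm", {"detect", "decide"}, {"LSH-2 level switch", "operator"}),
    Layer("automatic shut-off", {"detect", "decide", "act"}, {"LSHH-3 level switch", "XV-1 inlet valve"}),
    Layer("operator shut-off on alarm", {"detect", "decide", "act"}, {"LSH-2 level switch", "operator", "MV-2 manual valve"}),
]

if __name__ == "__main__":
    for name, reasons in screen(INITIATING, CANDIDATES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Only the automatic shut-off survives both tests; the alarm lacks an action element, and the operator response shares its level switch and operator with the alarm, so the two must be treated as one layer.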
85 A more detailed application of LOPA requires ‘sufficient’ rather than absolute independence
between protection layers or between a protection layer and an initiating event. The principles
within BS EN 61511-1 and 61511-2 (eg clauses 9.4, 9.5 and 11.2) present the requirements on
the BPCS when used as a protection layer. For example, a detailed evaluation would need to be
performed of the possible failure modes of each element of the protection layer – typically involving
techniques such as Failure Modes and Effects Analysis, Human Reliability Assessment and Fault
Tree Analysis. Great care needs to be taken in using this approach to ensure that consistent
assumptions about the condition of equipment or people are made throughout the analysis.
Auditability
86 Protection layers need to be auditable. In this context, audit means far more than simply a
management system audit. In broad terms, auditing refers to the continued assessment of system
performance, including all the necessary supporting arrangements. The process of testing is
required to ensure that a layer of protection will continue to function as originally intended and that
the performance has not degraded. The details of this will vary with the details of the protection
layer, and may require programmed functional tests. Formal auditing of management systems
will also be required to ensure that not only do technical components of the protection layer