Protecting against overfill
20 September 2010
It is a fact of life that accidents in safety-critical industries do happen, despite the designing-in of seemingly suitable safety systems and procedures.
Most of the time these accidents tend to be the result of conspiring circumstances rather than any single event, and the explosion at the Buncefield fuel storage depot almost five years ago is a prime example.
The explosion occurred in the early hours of Sunday 11 December 2005, when a storage tank overflowed. Fuel cascading down from vents at the top of the tank mixed with air to form a petroleum-vapour cloud which subsequently ignited. As for how the overflow occurred, two significant factors are believed to be that: a) a servo-level gauge had stuck, indicating that the tank was only at 85% capacity and therefore allowed for the addition of further fuel, and b) an independent high-level alarm failed to operate and shut down the feed to the tank.
The reasons for the failure of the gauge, which had apparently failed before, and the high-level alarm (which it is reported can be placed into an inoperable position after testing, and on which a safety alert had been issued by the HSE) are still unclear, and are not for us to comment on within the scope of this article. Suffice it to say that the explosion led to an investigation, conducted by the Buncefield Major Incident Investigation Board (MIIB).
As a direct result of the incident, and subsequent investigation, the UK Petroleum Industry Association (UKPIA) and Tank Storage Association (TSA) announced, in September 2008, that their members had committed to the standards of BS EN 61508 Safety Integrity Levels (SILs) and the installation of automatic shutdown systems to prevent the overfilling of storage tanks (that receive fuels via pipeline transfer).
In response to the above initiative many companies began developing, from scratch, ways of affording greater levels of safety for fuel storage tanks. Others though had been implementing overfill protection, as part of broader Emergency Shutdown (ESD) systems, long before the Buncefield incident. Hima-Sella, for example, first provided overfill protection as part of a safety upgrade at a tank farm in Grangemouth in the 1990s.
However, in the wake of the Buncefield incident - and with many petrochemical facilities wishing to add or enhance tank overfill protection without embarking on a site-wide upgrade - there was perceived within Hima-Sella the need for an easy means of ‘layering on’ tank overfill protection. Accordingly, and channelling almost two decades’ worth of relevant experience into the task, the company soon developed a tank overfill protection solution (TOPS) around its HIMatrix family of programmable logic controllers (PLCs).
Many oil and gas industry safety-related functions had already been, and continue to be, successfully implemented using HIMatrix; and these functions include fire & gas detection, burner management systems, High Integrity Pressure Protection Systems (HIPPS) and ESD.
When used with suitable valves and transmitters, HIMatrix can be included in BS EN 61508 safety loops up to and including SIL 3. In addition, the platform is suitable for use in Zone 2 ATEX areas so, for TOPS, it can be sited close to the tanks it protects, thus simplifying cabling and reducing associated costs.
Also of great appeal to facilities seeking overfill protection was the fact that the HIMatrix hardware building blocks (the PLCs and I/O modules) plus suitable sensors can be configured to serve a range of safety requirements - from protecting a single tank through to a depot-wide network (using safeethernet) if need be. But hardware is only part of the story. System behaviour is set in software – with the programs compiled using ‘certified functional blocks’.
Indeed, it is the combined hardware and software architecture, plus ‘how’ functions like TOPS can be implemented, that made HIMatrix – which is IEC 61508 certified by the TÜV – such a suitable platform.
For example, consider what TOPS sets out to do. A basic control loop for filling a tank might use a level gauge as a trigger to shut off a pump, and to a large degree this is just "hard-wired logic". The tank is either full or it isn’t. Clearly though, such black-or-white logic fails if the gauge sticks below its trigger level, as the tank will continue to fill. Such a system could not be built using BS EN 61508 certified equipment and engineering methodologies, in that, within the system development tools, the architecture would not compile (without errors anyway).
The safest approach is to be aware of changing levels; to go analogue if you wish. And an intelligent safety system would question why, when telling the pump to work, the level in the tank is not changing. Whether it is the pump or level sensor at fault is almost irrelevant. Something is amiss, so stop.
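The contrast between the two approaches can be shown with a short simulation. This is an added illustration, not Hima-Sella's TOPS logic or HIMatrix code; the trip point, window length, minimum rise and both traces are assumed values constructed for the example.

```python
from collections import deque

HIGH_TRIP_PCT = 95.0  # assumed high-level trip point
WINDOW = 5            # assumed number of scans over which a rise must be seen
MIN_RISE_PCT = 0.2    # assumed minimum rise expected over WINDOW scans


def threshold_only(trace):
    """Hard-wired logic: trip only when the gauge reads at or above the trip point."""
    for scan, (_filling, level) in enumerate(trace):
        if level >= HIGH_TRIP_PCT:
            return scan, "high level"
    return None, "no trip"


def with_plausibility(trace):
    """Same high-level trip, plus a check that the level rises while filling."""
    history = deque(maxlen=WINDOW + 1)
    for scan, (filling, level) in enumerate(trace):
        if level >= HIGH_TRIP_PCT:
            return scan, "high level"
        if not filling:
            history.clear()  # no rise is expected while the feed is closed
            continue
        history.append(level)
        # Feed commanded open for a full window but the reading has not moved:
        # pump or gauge is at fault, so stop either way.
        if len(history) == WINDOW + 1 and history[-1] - history[0] < MIN_RISE_PCT:
            return scan, "level not rising while filling"
    return None, "no trip"


# Constructed traces: (feed_commanded_open, gauge_reading_pct), one tuple per scan.
# STUCK: the gauge rises to 85% and then sticks while the feed stays open.
STUCK = [(True, 80.0 + i) for i in range(6)] + [(True, 85.0)] * 20
# HEALTHY: the gauge tracks a steadily filling tank.
HEALTHY = [(True, 80.0 + i) for i in range(20)]

if __name__ == "__main__":
    for name, trace in (("stuck", STUCK), ("healthy", HEALTHY)):
        print(name, threshold_only(trace), with_plausibility(trace))
```

With the stuck trace the threshold-only logic never trips, while the plausibility check stops the fill once a full window of flat readings has accumulated.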
Also of great appeal to those seeking to layer on tank overfill protection is of course the speed with which it can be introduced to a site. On that point, it is worth noting that one of the first sites in the UK to adopt Hima-Sella’s TOPS was (in the summer of 2008) the Mayflower fuel storage depot at Plymouth.
There, the initial requirement was to protect a single tank. This was achieved using a HIMatrix F20 PLC mounted in an enclosure on the side of the tank. It monitors a fuel level gauge and can trip an inlet valve if necessary; whilst transmitting data back to a DCS on the site. In addition, there is an ESD pushbutton. This is line-monitored to provide extra safety should a failure of the pushbutton or its associated wiring occur.
In 2009, additional tanks on the Mayflower and Cattedown sites were fitted with TOPS, bringing the total (between the sites) to around 20.
With important, automated decisions being made based on the outputs of sensors, much then hinges on the transducers. In this respect, Hima-Sella is working closely with a number of sensor manufacturers – including Vega, Krohne and Endress & Hauser – and evaluating a variety of technologies including radar, differential pressure and ultrasonic level measurement.