Tank Overfill Protection - API 2350 and IEC 61511 Safety Considerations
Authors: Don Newell, Shamrock Gulf
Gene Cammack, Siemens Industry Inc.
Praveen Muniyappi, Siemens Industry Inc.
Keywords: Tank Overfill; Safety; Process Safety; Level Control
ABSTRACT
For overfill protection on tanks holding volatile petroleum fluids, the industry best practice has been documented in API 2350. Recent events have caused the industry to rethink overfill protection requirements and to move toward a functional safety approach. For the process industry, the standard for designing a Safety Instrumented System (SIS) is IEC 61511, which has been widely adopted to evaluate the risk associated with safety-related systems. Many companies want to apply the IEC standard in addition to the API standard. This creates consistency in their approach to safety and helps verify the specific risks associated with their facilities.
This paper examines trends in the industry, particularly related to the Buncefield incident and the report of the Major Incident Investigation Board, and the issues and possible solutions in designing Tank Overfill Protection Systems that can meet both the API Recommended Practice and the IEC standard.
INTRODUCTION
The American Petroleum Institute (API) has a Recommended Practice (API 2350) [1], published in January 2005, that details the recommended practice for overfill protection on petroleum fluid storage tanks. Since that standard was released, a number of incidents, most noticeably the Buncefield explosion in 2005, and the significant consequences of those events have heightened interest in safety issues around petroleum storage tanks. The final report of the Major Incident Investigation Board on the Buncefield incident [2] made significant recommendations that begin to marry the previously prescriptive standard API RP 2350 to the functional safety standard IEC 61511, Functional safety: Safety Instrumented Systems for the process industry sector [3]. API is preparing a revision of API 2350 that will reflect these changes.
Figure 1: The Buncefield Explosion (from the Buncefield Investigation homepage, www.buncefieldinvestigation.gov.uk; courtesy of Royal Chiltern Air Support Unit)
The Buncefield Final Report: Recommendation 1
The Competent Authority and operators of Buncefield-type sites should develop and agree a common methodology to determine safety integrity level (SIL) requirements for overfill prevention systems in line with the principles set out in Part 3 of BS EN 61511 (ref 3). This methodology should take account of:
- the existence of nearby sensitive resources or populations;
- the nature and intensity of depot operations;
- realistic reliability expectations for tank gauging systems; and
- the extent/rigour of operator monitoring.
Application of the methodology should be clearly demonstrated in the COMAH [Control of Major Accident Hazards] safety report submitted to the Competent Authority for each applicable site. Existing safety reports will need to be reviewed to ensure this methodology is adopted.
Figure 2: Recommendation 1 of the Final Report of the Major Incident Investigation Board on the Buncefield Incident [2]
This paper examines the current API 2350 standard and the IEC standards in process safety, and how they might work together. In addition, it looks at some of the issues in applying IEC 61511 to tank overfill and how they can be addressed.
PRESCRIPTIVE AND FUNCTIONAL STANDARDS
In the process industries, there are two approaches to safety. A prescriptive approach defines a precise solution for an application. A functional approach defines a methodology and performance standards in lieu of a specific remedy. For specific applications like tank overfill protection, which are consistent and definable, a prescriptive standard can be written that works very well. However, when a consistent, unified approach is needed for a variety of processes and variables, a functional standard is the more usable approach.
API 2350, as currently written, draws a very narrow box around the application. It is industry specific and deals with only certain classes of petroleum fluids. When handling and storing Class I and Class II fluids, the current API 2350 Recommended Practice on Overfill Protection for Storage Tanks in Petroleum Facilities [1] provides a straightforward, prescriptive solution. As a recommended practice in the industry, it sets a minimum standard for a company to follow. However, a prescriptive standard cannot foresee the individual issues in a specific location and application, as pointed out in Buncefield Recommendation 1.
That is where functional standards can be useful. The IEC 61511 standard for Safety Instrumented Systems (SIS) has been widely adopted to evaluate risk associated with safety-related systems in a variety of applications across the process industry. Companies see two major benefits to applying the functional IEC standard even when a less restrictive prescriptive standard exists. First, the functional standard will uncover other risk factors that may warrant additional safeguards, i.e. it addresses the specific risks associated with their facilities. Second, IEC 61511 provides consistency in their approach to safety across facilities and across areas within a facility.
APPLICATION OF THE STANDARDS
API 2350 REQUIREMENTS
It must be noted that API is in the process of revising API 2350 and that one of the major areas being addressed is correlation with safety standards [4]. We address only the current (2005) version.
API 2350 requires a formal approach to training and procedures that is consistent with safety standards and regulations, and with IEC 61511 specifically. While it is not as detailed as the IEC safety lifecycle, it is clear that operators and procedures are critical and must be part of the overall approach to safety.
In terms of an overfill protection system, it separates attended operation from unattended operation.
Petroleum Liquids Classification System, as used by the National Fire Protection Association (NFPA), the U.S. Department of Transportation (DOT), the U.S. Environmental Protection Agency (EPA), the U.S. Occupational Safety and Health Administration (OSHA) and others:
Class 1: Liquids with flashpoints below 100 F
Class 2: Liquids with flashpoints between 100 and 139 F
Class 3: Liquids with flashpoints equal to or greater than 140 F
Table 1: Petroleum Liquids Classification System
For attended tanks, the basic monitoring system, with the backup layer of qualified personnel on site, is deemed adequate. For unattended tanks, the additional layer of protection of an independent safety detection (level sensor) and shutdown system is required.
IEC 61511 REQUIREMENTS
IEC 61511 does not require a specific remedy but rather a performance level based on a Process Hazard Analysis (PHA) and a determination of the acceptable risk for the application. The benefit of a functional standard is that it can take into account a wide variety of location- and application-specific issues. After the risks are determined, an analysis of the available methods to mitigate those risks identifies what safety systems might be needed. Layer of Protection Analysis (LOPA) is the most popular method for determining the required systems and the resulting Safety Integrity Level (SIL).
For attended tanks, the qualified personnel constitute an independent protection layer, but, as operators, they are credited with no more than one order of magnitude of risk reduction. For a SIL 1 requirement on the tank overfill safety function, no additional SIS would then be required, which is consistent with the API standard. For unattended tanks, timely operator intervention cannot be assumed, and a SIL 1 requirement on the tank process would require an additional Independent Protection Layer. A separate instrumented safety monitoring system, as detailed in API 2350, could be designed to meet that requirement. If additional risks are identified that call for more than SIL 1, then additional or higher-SIL systems would need to be employed.
The IEC 61511 methodology is a way to validate the requirements and to account for additional risk factors such as high volatility or proximity to other processes and personnel. This makes the systems consistent with the analysis and documentation in other process facilities using IEC 61511.
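A worked LOPA for the attended and unattended cases described above, as an added example that is not part of the paper: every frequency, PFD and target in it is a constructed assumption (the 0.1/yr initiating event, the 0.1 operator credit, the 1e-2/yr and 1e-3/yr targets), standing in for values a real study takes from the site PHA and the operating company's risk criteria. The third case uses a tighter target to show how a site near a population, per Buncefield Recommendation 1, pushes the same tank to SIL 2.

```python
"""Worked LOPA for a tank overfill scenario.

Added illustration, not taken from the paper or from API 2350 / IEC 61511.  Every number
below is a constructed assumption standing in for values a real study would take from the
site's PHA and the operating company's risk criteria.
"""

# Required risk reduction factor -> SIL band (IEC 61511 Table 4 orders of magnitude)
SIL_RRF_THRESHOLDS = [(4, 10_000.0), (3, 1_000.0), (2, 100.0), (1, 10.0)]


def sil_for_rrf(rrf):
    """Map a required risk reduction factor to a SIL band.

    Values sitting exactly on a boundary are rounded up into the next band (the
    conservative reading).  Returns None when RRF < 10, i.e. no SIL-rated SIF is needed.
    """
    for sil, threshold in SIL_RRF_THRESHOLDS:
        if rrf >= threshold * (1.0 - 1e-9):
            return sil
    return None


def lopa(initiating_frequency, ipl_pfds, target_frequency):
    """Single-scenario LOPA.

    mitigated = f_IE * PFD_1 * PFD_2 * ...   (each IPL independent of the others)
    Returns (mitigated frequency per year, RRF still required, SIL for a new SIF or None).
    """
    mitigated = initiating_frequency
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD must be in (0, 1], got {pfd}")
        mitigated *= pfd
    rrf = mitigated / target_frequency
    if rrf <= 1.0 + 1e-9:
        return mitigated, 1.0, None        # existing layers already meet the target
    return mitigated, rrf, sil_for_rrf(rrf)


# Constructed scenario: the BPCS/ATG level control fails during a receipt and the tank
# fills past its safe level.  0.1/yr is the usual LOPA credit for one BPCS loop.
F_IE = 0.1
# Operator response to an independent high-level alarm.  Capped at one order of
# magnitude of risk reduction, as the paper notes.
OPERATOR_IPL = 0.1


def attended_tank(target=1e-2):
    """Attended operation: the on-site operator is an IPL."""
    return lopa(F_IE, [OPERATOR_IPL], target)


def unattended_tank(target=1e-2):
    """Unattended operation: no operator credit, so a SIF has to close the gap."""
    return lopa(F_IE, [], target)


if __name__ == "__main__":
    cases = [("attended", attended_tank()),
             ("unattended", unattended_tank()),
             ("unattended, populated area", unattended_tank(target=1e-3))]
    for name, (mitigated, rrf, sil) in cases:
        need = f"SIL {sil} SIF" if sil else "no SIL-rated SIF"
        print(f"{name:28s} mitigated={mitigated:.1e}/yr  RRF still needed={rrf:6.1f}  -> {need}")
```

With the assumed numbers the attended tank meets the 1e-2/yr target on operator credit alone, the same tank unattended needs one order of magnitude from an SIS (SIL 1), and tightening the target to 1e-3/yr for a populated neighbourhood makes it SIL 2. The one-order-of-magnitude operator cap is what makes the attended and unattended results differ by exactly one SIL band.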
SAFETY SYSTEM ISSUES IN TANK OVERFILL PROTECTION
There are several SIS related issues that should be addressed with tank overfill protection.
SAFETY RESPONSE TIME
The safety response time for tank level is typically slow relative to other process safety applications. API 2350 gives a good description of response time and its effect on tank level alarm settings. The other consideration is that tanks are often in more remote locations, so the human response time to emergencies may be delayed. This may increase the risk factors in the SIS analysis.
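The arithmetic behind setting the high-level alarm from the available response time, as an added example that is not from the paper and is not the API 2350 procedure itself (which defines its own levels and terms): the tank geometry, receipt rate and response time are constructed values, and the `None` return flags the case a practitioner has to catch, where the required setpoint would fall below the normal fill height.

```python
"""Where to set the high-level alarm so the response time fits before the critical level.

Added illustration, not from the paper and not the API 2350 procedure: this only shows the
volume / flow arithmetic underneath.  Tank geometry, receipt rate and response time below
are constructed values.
"""
import math


def tank_area_m2(diameter_m):
    """Cross-section of a vertical cylindrical tank."""
    return math.pi * (diameter_m / 2.0) ** 2


def time_to_critical_min(diameter_m, start_height_m, critical_height_m, flow_m3_h):
    """Minutes from start_height until the critical (overfill) level at a steady receipt rate."""
    if flow_m3_h <= 0:
        raise ValueError("receipt rate must be positive")
    volume_m3 = (critical_height_m - start_height_m) * tank_area_m2(diameter_m)
    return volume_m3 / flow_m3_h * 60.0


def high_level_alarm_setpoint_m(diameter_m, critical_height_m, max_flow_m3_h,
                                response_time_min, normal_fill_height_m):
    """Highest alarm level that still leaves response_time_min before the critical level.

    response_time_min must cover everything between the alarm and the flow actually
    stopping: detection and alarm latency, operator (or SIS) decision time, and valve
    closure or pump run-down.  Returns None when the required setpoint would sit at or
    below the normal fill height, i.e. the tank cannot be received into at that rate with
    that response time and something else (rate, response time) has to change.
    """
    margin_m = max_flow_m3_h * response_time_min / 60.0 / tank_area_m2(diameter_m)
    setpoint = critical_height_m - margin_m
    if setpoint <= normal_fill_height_m:
        return None
    return setpoint


if __name__ == "__main__":
    # constructed tank: 30 m diameter, critical height 15.0 m, normal fill 13.5 m,
    # receipt at up to 1200 m3/h, 30 min total response time
    sp = high_level_alarm_setpoint_m(30.0, 15.0, 1200.0, 30.0, 13.5)
    print(f"high-level alarm at {sp:.2f} m")
    print(f"{time_to_critical_min(30.0, sp, 15.0, 1200.0):.1f} min from alarm to critical level")
    # with a 60 min response the setpoint would have to be below normal fill -> None
    print(high_level_alarm_setpoint_m(30.0, 15.0, 1200.0, 60.0, 13.5))
```

The slow response time the paper mentions is what eats into the usable tank height: doubling the response time in the constructed case pushes the setpoint below the normal fill level, which is the point at which the alarm setting alone can no longer carry the protection.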
REDUNDANCY
Redundancy in process safety systems is used for one of three reasons: 1) the safety system requires it to meet certification to a specific SIL (e.g. 2oo3 architectures); 2) the user wants higher system reliability, because there is an economic or safety penalty for going to the fail-safe condition; or 3) at higher SILs, IEC 61511 specifies a minimum hardware fault tolerance. In tank overfill applications the SILs are typically low and, more importantly, the penalty for a shutdown is generally low as well. Therefore redundancy may be required only if the selected system needs it for certification or to meet higher SILs under IEC 61511.
PROBABILITY OF FAILURE ON DEMAND (PFD)
One area not currently addressed by API 2350 but recommended by the Buncefield report is the possibility of undetected failures in the safety monitoring system. In IEC 61511, the PFD depends on the dangerous undetected failure rate, which the diagnostic coverage (how well the device monitors itself for failures) reduces, and on how long such a failure can stay hidden before the next proof test. By using devices that are either independently certified (TÜV) or proven in use, with published failure data, the Probability of Failure on Demand for the system can be determined.
TESTING
API 2350 requires a formal testing schedule. In IEC 61511, the time between proof tests (the test interval) is the ultimate watchdog against undetected failures in the safety system. If the API testing intervals are used, then the test interval assumed in the IEC 61511 PFD calculation must match them, and proof testing must actually be carried out on that schedule.
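The PFD and test-interval points above, carried through as an added example rather than anything from the paper: it uses the simplified IEC 61508-6 low-demand formulas (repair-time terms dropped) for 1oo1, 1oo2 and 2oo3 subsystems, and the dangerous failure rate, diagnostic coverage and common-cause factor are constructed assumptions rather than data for any real level switch. The last line gives the longest test interval the assumed device can tolerate for SIL 2, which is the number that has to be checked against the schedule the site actually runs.

```python
"""PFDavg as a function of proof-test interval, diagnostic coverage and architecture.

Added illustration, not from the paper.  The formulas are the simplified low-demand
expressions from IEC 61508-6 with the repair-time terms dropped (acceptable when repairs
are quick compared with the test interval).  The failure rate, diagnostic coverage and
common-cause factor used below are constructed assumptions, not data for a real device.
"""

HOURS_PER_YEAR = 8760.0
# IEC 61511 low-demand bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd):
    """SIL band achieved by a PFDavg, or None if it is worse than SIL 1."""
    for sil, lo, hi in SIL_PFD_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else None


def lambda_du(lambda_d, diagnostic_coverage):
    """Dangerous undetected rate: the share of dangerous failures the diagnostics miss.

    Only these failures sit hidden until the next proof test; detected ones are
    annunciated and dealt with as they occur.
    """
    return lambda_d * (1.0 - diagnostic_coverage)


def pfd_avg(lambda_du_per_h, test_interval_years, architecture="1oo1", beta=0.1):
    """Average PFD over one proof-test interval for a subsystem of identical channels.

    beta is the common-cause fraction for the redundant architectures; it, rather than
    the second channel, usually ends up dominating the result.
    """
    x = lambda_du_per_h * test_interval_years * HOURS_PER_YEAR  # DU failures expected per interval
    if architecture == "1oo1":
        return x / 2.0
    if architecture == "1oo2":
        return ((1.0 - beta) * x) ** 2 / 3.0 + beta * x / 2.0
    if architecture == "2oo3":
        return ((1.0 - beta) * x) ** 2 + beta * x / 2.0
    raise ValueError(f"unknown architecture {architecture!r}")


def max_test_interval_years(lambda_du_per_h, pfd_target):
    """Longest 1oo1 proof-test interval that keeps PFDavg at or below pfd_target."""
    return 2.0 * pfd_target / lambda_du_per_h / HOURS_PER_YEAR


if __name__ == "__main__":
    # constructed level switch: 2e-6 dangerous failures per hour, 50 % diagnostic coverage
    ldu = lambda_du(2e-6, 0.5)                      # 1e-6 per hour undetected
    for years in (1, 3, 10):
        for arch in ("1oo1", "1oo2", "2oo3"):
            pfd = pfd_avg(ldu, years, arch)
            print(f"TI={years:2d} yr  {arch}  PFDavg={pfd:.2e}  SIL {sil_from_pfd(pfd)}")
    # the figure that has to match the site's actual proof-test schedule:
    print(f"longest 1oo1 interval for SIL 2: {max_test_interval_years(ldu, 1e-2):.2f} yr")
```

For the assumed device a 1oo1 switch tested yearly sits in SIL 2, but the same hardware tested every three years only achieves SIL 1; a calculation that assumed one year while the site tests on a three-year API schedule would overstate the protection by a whole SIL band. The 1oo2 and 2oo3 rows show the other point the paper makes about redundancy: once common cause is included, the second channel buys far less than the test interval does.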
APPROACHES TO A COMBINED SOLUTION
OVERFILL PROTECTION CHALLENGES
While monitoring and protecting an individual tank is not very complex, the tank location and use can present challenges in system design.
I/O COUNT
Tank overfill safety systems present unique challenges for implementation. The safety system needs to be separate from the basic tank monitoring system, so the number of inputs and outputs (I/O) at each tank is very low, typically 2 to 5 signals. Small relay-type or stand-alone systems can be used; however, the advantages of electronic systems for communications and diagnostics make them attractive. Traditional process safety systems have been designed for large, highly reliable emergency shutdown systems and may not adapt well to small, geographically separated systems that need high integrity but not high reliability.
Additional challenges are presented by existing facilities, where the existing communication infrastructure may not have been designed for a parallel safety system.
GEOGRAPHY
In addition to the small I/O count at each drop, many tank farms are spread over a large area or located a sizable distance from the main monitoring site. This means a long, but separate, communication path must be established.
These two issues combine to make a traditional approach to tank level monitoring and safety system implementation very expensive. However, by examining the needs of the system, alternatives exist that achieve the protection intent while keeping the cost structure more reasonable.
ARCHITECTURE
SYSTEM ARCHITECTURE
Traditional process safety systems for emergency shutdown functions are designed as large central systems with large I/O counts and high reliability. Architectures are generally 2oo3 or 1oo2D and minimize spurious trips. These systems do not lend themselves to the spread-out geography of a typical tank application. The lesson to be learned from Buncefield is that the answer should not be a lack of safety. On a tank farm, the economic cost of a spurious trip is often low, i.e. a delay in loading or unloading. Therefore in the system design we have to separate safety, which is the availability of the system to act when needed (on demand), from reliability, which is how often the system goes to its fail-safe condition when the process did not demand it (spurious trips). The tank application needs the safety part but not necessarily extremely high reliability.
While each installation is unique, at the system level two basic options exist for implementing a Tank Overfill Protection System in compliance with both API 2350 and IEC 61511. One approach places a small, non-redundant, SIL-rated safety system at each tank or tank cluster, with safety-rated communications back to a central reporting and alarm system.
Figure 3: Independent SIL System at Tank (a safety PLC at each tank, safety communication to the central monitoring system)
Figure 4: Remote I/O with Central SIL System (remote I/O at each tank, safety communication to a central safety CPU and monitoring system)
A second approach uses remote I/O located at each tank or cluster of tanks, communicating back to a central safety CPU over safe communications. For either option, the system can be SIL rated and equipped with HART or fieldbus options for remote diagnostics and parameterization.
The use of smaller, modular, non-redundant, SIL-rated systems provides the high integrity needed for safety while substantially lowering capital costs. In addition, the communication options in electronic Safety Instrumented Systems should allow non-interfering connections to the monitoring SCADA or DCS systems through proven interfaces.
SAFETY COMMUNICATIONS
The cost of the safety system hardware can be overwhelmed by the cost of the communication network. If the monitoring is considered safety critical, as detailed in API 2350, the safety portion of the system must extend to the safety monitoring package as well. This means that the data from the tank is transmitted in a fail-safe manner to a central monitoring site. In order to maintain the overall Safety Integrity Level of the system, a safety-rated communication channel must be implemented. Several safety-rated communication networks are emerging; for example, TÜV certifies PROFIBUS and PROFINET (Ethernet) with the PROFIsafe protocol for SIL 3 applications, and Foundation Fieldbus is following with its certification. These safety protocols are usually independent of the media and instead rely on diagnostics at either end of the link to verify that the communication system is working properly.
Figure 5: PROFIsafe Protocol implementation
Figure 6: PROFIsafe Diagnostics: the failure types repetition, deletion, insertion, resequencing, data corruption, delay, masquerade (a standard message mimicking a fail-safe one) and FIFO failure within a router, set against the remedies sequence number, time-out with receipt, codename for sender and receiver, and cyclic redundancy check
As mentioned, retrofit installations present particular challenges. While wireless has not been generally accepted for safety applications, the low penalty for spurious trips and the relatively slow response time requirements of tank applications allow longer communication cycles, which makes a wireless implementation more workable.
If an existing communication link is available on the monitoring system, it may be possible to use the same infrastructure for the safety communication in a non-interfering mode. This maintains safety while lowering installation costs.
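A toy black-channel safety layer built from the four measures named above (sequence number, time-out, sender/receiver codename, CRC), added here as an illustration; it is not PROFIsafe, not code from the paper or any vendor, and its 9-byte frame layout, 1-byte counter, zlib CRC-32 and fault names are simplifications chosen for readability. The channel faults are injected directly into a constructed list of deliveries so each one can be seen to land on the fail-safe substitute value, which is what lets the safety layer ignore what the underlying network (wired, shared with the SCADA link, or wireless) actually does.

```python
"""Black-channel safety layer: sequence number, time-out, codename and CRC at both ends.

Added illustration, not PROFIsafe and not code from the paper or any vendor.  The frame
layout, the 1-byte counter, zlib's CRC-32 and the fault names are simplifications.  The
transport is modelled as a list of (arrival_time, frame) pairs so faults can be injected.
"""
import struct
import zlib

FRAME = struct.Struct("!HBH")   # codename, consecutive number, level in 0.1 % units
CRC = struct.Struct("!I")
SAFE_LEVEL = 0xFFFF             # fail-safe substitute: treat the tank as full (trip)


def build_frame(codename, seq, level):
    body = FRAME.pack(codename, seq & 0xFF, level)
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


class SafetySender:
    def __init__(self, codename):
        self.codename, self.seq = codename, 0

    def send(self, level):
        self.seq = (self.seq + 1) & 0xFF or 1   # 0 is reserved, never a valid counter
        return build_frame(self.codename, self.seq, level)


class SafetyReceiver:
    """Accepts frames from one sender; any failed check yields the fail-safe level."""

    def __init__(self, codename, watchdog_s):
        self.codename, self.watchdog_s = codename, watchdog_s
        self.expected_seq, self.last_ok_time, self.faults = 1, None, []

    def receive(self, frame, now):
        fault = self._check(frame, now)
        if fault:
            self.faults.append(fault)       # stays latched: no resync without a reset
            return fault, SAFE_LEVEL
        _, seq, level = FRAME.unpack(frame[:FRAME.size])
        self.expected_seq = (seq + 1) & 0xFF or 1
        self.last_ok_time = now
        return "ok", level

    def _check(self, frame, now):
        if len(frame) != FRAME.size + CRC.size:
            return "length"
        body, (crc,) = frame[:FRAME.size], CRC.unpack(frame[FRAME.size:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return "crc"                    # data corruption
        codename, seq, _ = FRAME.unpack(body)
        if codename != self.codename:
            return "codename"               # masquerade / frame from the wrong sender
        if self.last_ok_time is not None and now - self.last_ok_time > self.watchdog_s:
            return "timeout"                # delay, or a long run of deletions
        if seq != self.expected_seq:
            return "sequence"               # repetition, deletion, insertion, resequencing
        return None


def scenario(kind, watchdog_s=2.0):
    """Deliver three level frames with one injected fault; return the receiver's verdicts."""
    tx, rx = SafetySender(0x1234), SafetyReceiver(0x1234, watchdog_s)
    frames = [tx.send(level) for level in (500, 650, 800)]     # 50.0 %, 65.0 %, 80.0 %
    deliveries = [(0.0, frames[0]), (1.0, frames[1]), (2.0, frames[2])]   # constructed
    if kind == "repetition":
        deliveries.insert(2, (1.5, frames[1]))
    elif kind == "deletion":
        del deliveries[1]
    elif kind == "corruption":
        bad = bytearray(frames[1])
        bad[4] ^= 0x10                                          # flip a bit in the level field
        deliveries[1] = (1.0, bytes(bad))
    elif kind == "delay":
        deliveries[2] = (5.0, frames[2])
    elif kind == "masquerade":
        deliveries[1] = (1.0, build_frame(0x4321, 2, 650))     # valid CRC, wrong sender
    return [rx.receive(frame, t) for t, frame in deliveries]


if __name__ == "__main__":
    for kind in ("normal", "repetition", "deletion", "corruption", "delay", "masquerade"):
        print(f"{kind:11s} {scenario(kind)}")
```

Each injected fault is caught by exactly the measure the figure pairs it with, and the receiver answers with the substitute level rather than the last good one, so the central system trips instead of trusting stale data. The checks never look at the transport, which is the property that lets the same layer run over a shared SCADA link or a slow wireless cycle; only the watchdog value changes.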
INSTRUMENTATION AND FINAL CONTROL ELEMENTS
The traditional tank monitoring system can consist of a variety of inputs including level, pressure, temperature and flows. Depending on the requirements of the system for inventory, custody transfer or difficult fluids, the tank monitoring system can become quite complex. When looking at process safety issues, simple is typically better. API 2350 only requires a level indication. After the SIL verification phase under IEC 61511, a simple level transmitter or point level switch may be adequate, and many are available with a TÜV SIL rating. In addition, other sensors could be included in the SIS if they are deemed safety critical, either to the basic level SIF or to other defined SIFs.
Figure 7: Tank Safety Instrumentation and Final Control Elements
Finally, the mitigation method, should the tank overfill protection be triggered, will need to be considered. Particularly at unmanned locations, an Emergency Shutdown Valve may need to be included in the safety system.
CONCLUSION
In examining petroleum tank overfill protection, API Recommended Practice 2350: Overfill Protection for Storage Tanks in Petroleum Facilities and IEC 61511: Safety Instrumented Systems for the Process Industry Sector can both be used to address the issues. API 2350 takes a prescriptive approach and IEC 61511 uses a functional safety approach. In light of some recent major accidents, the industry is moving to a more functional approach that addresses a wider range of issues. While API 2350 is being revised to reflect this trend, companies want to be consistent with both the API document and the more general IEC 61511. This gives them the ability to address more complex issues specific to the facility and also provides a consistent methodology across the safety landscape, for other applications on the facility and across the enterprise. For companies wanting to meet API RPs and still provide consistent safety implementation and validation through the IEC 61511 methodologies, the standards can be combined to yield a solution that meets both. By careful examination of the core issues around tank automation, the restrictions around safety, and emerging technologies, systems can be designed to accommodate both standards while still staying within operational and budget constraints.
REFERENCES
1) API Recommended Practice 2350: Overfill Protection for Storage Tanks in Petroleum Facilities, Third Edition. American Petroleum Institute, January 2005.
2) Buncefield Major Incident Investigation Board. The Buncefield Incident 11 December 2005: The final report of the Major Incident Investigation Board, Volumes 1, 2a, 2b. 2008. http://www.buncefieldinvestigation.gov.uk/reports/index.htm#final
3) IEC 61511 Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1-3. Geneva: International Electrotechnical Commission, 2003.
4) Crochet, Earl J. Update On API 2350 (The Future of Tank Overfill Protection: Potential Fallout from Buncefield). API Storage Tank Conference, 9 October 2008.
5) Welander, Peter. Safety on Fieldbus: Hanging by a Wire? Control Engineering, June 2009: 26+.
6) O'Brien, Chris. High-integrity Overflow Protection. Intech, June 2009: 20-24.