Emergency Shutdown of LPG Tank Farms

Is It Allowed from the Standard Point of View to Use the Existing Level Transmitters to Control the Inlet and Outlet Shutdown Valves?

By Béla Lipták


I do not know what type of level transmitters you have now, but if they are the differential pressure (d/p) type, they do not correct for swelling variations or density changes. They measure weight, not volume. Therefore, if in addition to EDS, you also want to provide weight-based inventory management, weighing is recommended because the radar readings can't be directly used for that purpose.

Béla Lipták
liptakbela@aol.com

A: If your goal is to separate the existing S/D systems to comply with IEC 61511/ISA 84-2005 with all these additions of proposed components, keep in mind your risk tolerance levels and company policy. I expect it is in line with industry practices to meet the highest level of safety integrity levels.

Points to keep in mind:

  • It is not a good idea to use existing analog transmitters, signals or share them due to common-mode failures, handicapped testing and nuisance trips.
  • Using switches in place of independent digital transmitters with self-diagnostic features will limit the availability numbers if you plan to use quantitative methods to validate your design, test frequency and completeness of testing to meet the SIL levels selected. Safety instrumented functions (SIFs), as you well know, depend on calculations based on mean time between failures of components. Published data tables indicate switches at 15 years; digital transmitters at 50 years; smart valves at 100 years; and digital logic solvers at 10,000 years.
  • In general, SIF failures are rated at transmitters <40%; logic solvers <10%; and the big contributors, final control elements at <50%. There is no published data regarding human error and wiring mistakes.
  • In general, tank farm areas located far from operating areas are considered to be SIL 1 or SIL 0 or SIL-a, depending on the product stored.
  • You can eliminate all switches by installing two independent, reliable transmitters with deviation alarms inputting to the DCS and SIS. That kind of system can share to meet SIL 0 requirements, including trip designs.
  • The trend nowadays is to avoid islands of PLC operations dedicated to hydraulic systems, alarms and S/Ds. PLCs per se contribute to common-mode failures if they are not triple-redundant systems. It is easier to integrate the systems in DCS, and the standard gives you that flexibility—if you use the right transmitters, test procedures and completeness of testing to meet availability numbers.
  • Keep in mind that simple systems with minimum components that are tested frequently are better than complex systems that are not tested, leading owners to face covert failures unforeseen at the time of design.

Many of us here join Béla in complimenting your youth revolution to bring the country to the digital age.

Ram.G.Ramachandran
ram@micromix-usa.com
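
The quantitative check mentioned in the answer above can be sketched with the common simplified 1oo1 formula PFDavg ≈ λ·TI/2. This is an added example, not part of the original column or any contributor's own calculation. It assumes, conservatively, that every failure is dangerous and undetected (λ = 1/MTBF), uses the MTBF figures quoted above, and applies the low-demand SIL bands of IEC 61508/61511; the function and variable names are illustrative.

```python
# Added example: simplified PFDavg estimate for a single-channel (1oo1) SIF.
# Assumption: all failures are dangerous and undetected, so lambda = 1 / MTBF.
# MTBF values are the "published data table" figures quoted in the answer above.
MTBF_YEARS = {
    "switch": 15.0,
    "digital_transmitter": 50.0,
    "smart_valve": 100.0,
    "logic_solver": 10_000.0,
}

# Low-demand-mode SIL bands: (lower bound inclusive, upper bound exclusive, SIL).
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def pfd_avg(mtbf_years, test_interval_years):
    """PFDavg ~= lambda * TI / 2 for one component proof-tested every TI years."""
    if mtbf_years <= 0 or test_interval_years <= 0:
        raise ValueError("MTBF and test interval must be positive")
    return test_interval_years / (2.0 * mtbf_years)


def sif_pfd(components, test_interval_years):
    """Series loop (sensor -> logic solver -> final element): PFDs add up.
    The sum is only a valid approximation while each term is small."""
    breakdown = {c: pfd_avg(MTBF_YEARS[c], test_interval_years) for c in components}
    return sum(breakdown.values()), breakdown


def sil_for(pfd):
    """Map a PFDavg to its SIL band; 0 means the loop does not reach SIL 1."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0 if pfd >= 1e-1 else 4  # better than the SIL 4 band is capped at 4


if __name__ == "__main__":
    loops = {
        "switch loop": ["switch", "logic_solver", "smart_valve"],
        "transmitter loop": ["digital_transmitter", "logic_solver", "smart_valve"],
    }
    for ti in (0.5, 1.0, 3.0):  # proof-test intervals in years
        for name, parts in loops.items():
            total, _ = sif_pfd(parts, ti)
            print(f"TI={ti:>3} y  {name:<17} PFDavg={total:.5f}  SIL {sil_for(total)}")
```

Under these assumptions the proof-test interval moves a loop across a SIL band boundary as readily as the choice of sensor does, which is why test frequency and completeness enter the validation.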

A: The answer to your question, based on the fact that the transmitters are being used as a part of a safety system is, "maybe." You need to do a probability-of-failure analysis and determine what, if any, SIL rating the transmitters can have, and whether they should be used in a safety system at all.

There's no real reason, other than conformance to standards, that you can't do what you want to do—but you're opening yourself to point failures in your control system and safety system simultaneously. I'm a cautious person, and I prefer the "belt and suspenders" approach. I'd put in new transmitters just for the redundancy that provides. The cost of doing so is minuscule in comparison to the cost of the current project, or God forbid, the cost of the damage an overfilled LPG storage vessel could cause.

Walt Boyes
wboyes@putman.net

A: I understand the narrative description to indicate that Mr. Fattah has two limited-range transmitters, one for low-level safety and one for high-level. With a limited range, there is little value or need for correction for change in density.

The general tone of the discussion seems to be that they intend to improve the safety of the system. Adding new limited range transmitters for high and low levels would further reduce the dangers. It all depends on the "value of the measurements." A safety analysis should indicate if the required SIL is satisfied and possibly indicate the need for additional measurements.

There may also be a need for inventory management. For this, a wide-range transmitter based on weight and thus, value, is usually desired.

I believe that inventory control and physical level interlock are measurements that are best separated. Use all the measurements in managing the system, but do not compromise measurement robustness in order to save a few parts.

Cullen Langford
CullenL@aol.com


Comments

  • The solution recommended is the best to improve the safety system in place.

    However, I want to know, in such a system, could it be that the hydraulic Whessoe valve usually at the liquid inlet/outlet has been eliminated since automatic control shutdown valves are now installed?
