Safety Instrumented Systems

Prevent Tank Farm Overfill Hazards

Catastrophic Incidents Have Led to Useful Rules for Systems That Help Avoid Them

By William L. Mostia

Driving around petrochemical plants, oil fields or fuel distribution terminals or facilities, it's common to see large tank farms with vessels of various forms and shapes—cylinders, spheres, bullets and spheroids. These tanks can store feedstocks, intermediates and final products. For refineries, many of these tanks are used for what are called oil movements, which blend various products together to provide the many grades of gasoline, diesel and other refinery products required by the market and government regulations.

Process unit tank farms are typically a bit separate from the process units, located in bunds or diked areas, and spread over a large acreage. Fuel distribution terminals, which commonly straddle pipelines, are physically similar and may butt up against residential and light industrial areas, as can some plant tank farms. Many of these tank farms started out as remote sites, but plant expansions have sometimes met external industrial and residential sprawl to increase the potential consequences of a disastrous event.

It's safe to say that thousands of filing, emptying and transferring operations go on each month in these tank farms—maybe even every day. The overwhelming majority are done safely, but some result in overfills, which have led in a few cases to major incidents. Data compiled by a reputable operator in the United States estimated that an overfill occurred once in every 3,300 filling operations ("Atmospheric Storage Tanks," Risk Engineering Position Paper 01, Marsh Ltd.).

Also read "Emergency Shutdown of LPG Tank Farms"

Looking over the past couple of decades, we have had some notable tank overfill incidents: Laem Chabang, Thailand, in 1999 (seven dead); Buncefield, UK, in 2005 (43 injured), and the Cataño oil refinery in Bayamón, Puerto Rico, (three injured). All these involved spectacular explosions and fires with extensive damage to the facility.

As it turns out, tank farm overfills that lead to a fire and explosion may not be considered common, but they're certainly not rare. A study of storage tank accidents for the period of 1960-2003 covered 242 tank farm accidents. Fifteen overfill incidents were reported, of which 13 resulted in a fire and explosion ("A Study of Storage Tank Accidents," James Changa and Cheng-Chung Lin, Journal of Loss Prevention in the Process Industries, 19 [2006], p.51–59). The numbers of tank farm overfill incidents were probably under reported in this study, but still, tank farm overfill incidents in the study occurred on average every three years. One interesting fact that arose while looking at overfill incidents is that they mostly occurred off day shift, which is very advantageous in regard to people occupancy/exposure, but where supervision is typically more relaxed, and there is less general oversight.

What really brought tank farm overfills to the forefront was an industry-changing incident that occurred on Dec. 11, 2005, at the Buncefield oil storage and transfer depot, Hemel Hempstead, UK. A gasoline tank overflowed, leading to an unconfined vapor cloud explosion that was deemed to be unprecedented—the largest ever explosion in peacetime Europe. It was fortunate that the explosion occurred in the early morning hours on the weekend, for while the damage was extensive, no fatalities occurred. However, 43 people were injured. Had the 6:01 a.m. blast happened during working hours on a weekday, it could have been far, far worse.

On Oct. 23, 2009, another large overfill event led to a fire and explosion at the Cataño oil refinery in Bayamón, Puerto Rico, injuring three and resulting in the Caribbean Petroleum Corp. having to file for bankruptcy. Another tank farm overfill also occurred in Kuwait, resulting in a fire and explosion ("Overfill + Ignition = Tank Farm Fire," Presentation for HSE Moments/Alerts, bit.ly/1rHCPrB).

While not due to an overfill event, but showing the potential consequences, a 2009 tank farm fire and explosion in Jaipur, India, killed 12 people, injured more than 200 and completely destroyed the tank farm.

Poor Instrumentation, Bad Practices

The Buncefield tank that overflowed had both a level gauge and an independent high-level shutdown, neither of which worked. Kuwait also had a level gauge and independent high-level alarm—neither functioned. In Puerto Rico, the liquid level in the tank could not be determined because the facility's computerized level monitoring system was not fully operational. It seems there is a potential pattern: poor instrument maintenance, poor testing practices, lack of operational discipline—take your pick. Since tank farms do not "make money," many times they can suffer when maintenance budgets are constrained.

Another interesting thing to come out of the Buncefield U.K. Control of Major Accident Hazards (COMAH) report, "Buncefield: Why Did It Happen?" (COMAH, 02/11), was the practice of Buncefield operators "working to alarms." Both API 2350-January 1996 and 2005 state that, "High-level detectors and/or automatic shutdown/diversion systems on tanks containing Class I and Class II liquids (2005 only) shall not be used for control of routine tank fining operations." The 2012 version specifically prohibits this practice, but poor operational discipline always seems to trump standards and procedures.

The practice is not new in the process industries, but may deserve more looking into, as it may be more common than one might think, particularly where there are automatic shutdowns protecting transfers into a tank or other process operations. Trust in the protection systems is a form of faith-based risk-taking founded on prior experience, and generally represents normalization of non-conformance to procedures resulting from poor or slack operating discipline. How do your operators really operate your tank farm transfers?

The U.K. issued a number of comprehensive reports and recommendations regarding Buncefield that are worthwhile reading. From a standards perspective, after Buncefield, the U.K. Health and Safety Executive (HSE) required the competent authority and operators of Buncefield-type sites to develop and agree on a common methodology to determine safety integrity level (SIL) requirements for overfill prevention systems in line with the risk assessment principles in BS EN 61511, Part 3. They should then apply the BS EN 61511, Part 1 for SIL-related systems that come out of the risk assessment. In 2009, the HSE issued the reports, "A Review of Layers of Protection Analysis (LOPA) Analyses of Overfill of Fuel Storage Tanks" and "Safety and Environmental Standards for Fuel Storage Sites."

Meanwhile, on the west side of the Atlantic, API RP 2350 3rd Edition, "Overfill Protection for Storage Tanks in Petroleum Facilities," which covers atmospheric tanks storing Class I (flammable) and Class II (combustible) petroleum liquids, was issued in January 2005, the same year as Buncefield.

The third edition of API 2350 was prescriptive in nature and a compilation of best practices that had over the years expanded its reach to these categories.
From an instrumentation perspective, API 2350 had minimal requirements for safety instrumentation and no requirement for evaluation of the safety risk, even though ANSI/ISA S84 (1996, 2003) and IEC 61511 (2004) were in place at that time. This standard divided facilities into attended and unattended operations. For attended facilities, there were no requirements for level detectors on the tanks, while unattended facilities required continuous monitoring, alarms and an automatic shutdown if the operator response time was not adequate, or the operation was fully automatic. This highlights a cautionary note that one should always remember: All standards provide minimum requirements, not maximum. Following good engineering practice and in most cases common sense (an old friend who some say has passed on, bit.ly/1oRKeQZ ) should not be hijacked by "minimum" safety requirements in a standard, particularly for cost reasons.

Because of the Buncefield explosion, the API 2350, 4th Ed., (2012) committee took the lessons learned to heart and introduced a number of new risk- and performance-based requirements, which brought it closer conformance to the SIS standards. (See sidebar, "Buncefield's Legacy: API 2350's New Requirements.")

Technology Can Help

Placing instrumentation on widely geographically distributed tanks, particularly on existing tanks, can be a challenge both technically and in cost, but technology has advanced significantly in the past 10 years. We can easily digitally transmit multiple sensor inputs across a pair of wires, reducing wiring costs, using any one of the more than 50 fieldbuses available, a number which are third party-approved safety protocols (for example, Profisafe, Foundation fieldbus, ASIsafe).

Tank farm remoteness and geographical distribution often make them suitable for wireless monitoring applications, which can be easily added to existing tanks. These can also be solar-powered. There are wireless applications for tank monitoring systems available using IEEE 802.15.4 (ISA 100.11a and WirelessHART), wireless cellular networks and global satellite networks. Another developing technology is mobile wireless applications, which allow tank farm field operators, in addition to the control room operator, to monitor tank levels.

Available automated safety shutdown systems geared to the tank farm environment range from local, high-reliability shutdown systems connected by Modbus to centralized systems to using safety PLCs. Tank level and inventory management system technologies also have advanced.

Improvements have been made in guided-wave radar (GWR), through-the-air radar and traditional level measurement technologies. One of the main issues remains, which is how to proof-test these to meet API 2350 and ANSI/ISA 84.00.01 (IEC 61511 modified).

On June 10, the FAA authorized BP to use a commercial drone, supplied by Aerovironment Inc., at its Prudhoe Bay, Alaska, site to fly aerial surveys over Alaska's North Slope. The same type of drone has been used in test flights by ConocoPhillips. It seems like a reasonable prediction that in the not-too-distant future, drones could be used to fly continuous circuits above a refinery or chemical plant, use visual and IR sensors, pattern recognition and analytical technology to detect abnormal conditions in the facility, and report them to the control room and field operators. This technology could easily be applied to tank farms.

Heed API 2350

API 2350 has been updated to be better in line with the industry standard ANSI/ISA 84.00.01-2004 (IEC 61511 modified), which is virtually identical to IEC 61511. To make our tank farms safe, we should apply the same safety rigor of assessment that we apply to our process units to our tank farms to ensure that a significant safety, environmental and/or financial incident does not occur in the future.

This API 2350 standard is listed as a "recommended practice," but do not be fooled. In the United States and in other countries that recognize API standards as recommended and generally accepted good engineering practice (RAGAGEP), if you have an incident in your refinery or fuel distribution tank farm, you will be held to this standard or the burden of proof otherwise. Chemical plants should meet NFPA 30, but may also be held to API 2350 overfill requirements as RAGAGEP.

One area that API 2350 does not address in tank farms is the use of combustible gas detectors and fire detectors. Open-path gas detectors could be particularly effective, as they can have a path length up to 200 meters, and point-source gas detectors can be effective inside bunds, since many of the gases involved are heavier than air.

Fire detectors are not as effective for overfill situations, but can help prevent pool fires from spreading to other tanks by detecting rim fires and jet fires. While this seems to be a case of reaction rather than prevention, the sooner you can act to bring an developing incident to heel, even if you can't prevent it, the less the consequences will be.

It would seem important to minimize the potential of an electrical ignition source by properly, electrically classifying tank farm areas and ensuring that electrical equipment and instrumentation meet (and maintain) the classification.

This discussion only covered atmospheric tanks in tank farms, which obviously can create a hazard. One of the biggest hazards in a refinery tank farm typically comes from butane or other compressed gas spheres, which by some estimation can range up there with a hydrofluoric acid leak hazard in a refinery. But that is a discussion for another day.