Increased plant safety puts focus on tank gauging
The demand for safety technology in bulk liquid storage plants is increasing worldwide. This market trend can clearly be seen in tank gauging projects where Safety Integrity Level (SIL) requirements are now being incorporated.
Discussions in recent years on safety and environmental protection in tank farms for refineries and terminals have very much focused on the Buncefield incident.
On 11 December 2005, tank 912 at the Buncefield oil storage and transfer depot in the UK was overfilled.1 The escaping fuel generated vapour clouds that soon after exploded and started a large fire, injuring over 40 people. The investigation showed, among other things, that although the tank was being filled with gasoline, the mechanical servo level gauge indicated a static level. A mechanical high level switch was also installed, but failed to generate any alarm.
Lessons learned
Shortly after the incident, the Buncefield Standards Task Group (BSTG) was formed. The aim of BSTG was to translate the lessons from Buncefield into effective and practical guidance for the industry. In parallel with this work, the Buncefield Major Incident Investigation Board (MIIB) also performed an investigation into what happened at Buncefield. Information on this work is being published on an ongoing basis at the Buncefield Investigation website at http://www. buncefieldinvestigation.gov.uk/index.htm.
Several reports have been published by the MIIB. In the report ‘Recommendations on the design and operation of fuel storage sites’1, part of Recommendation 1 states:
“The Competent Authority and operators of Buncefield-type sites should develop and agree a common methodology to determine safety integrity level (SIL) requirements for overfill prevention systems in line with the principles set out in part 3 of BS EN 61511.”
Need of common methodology
In the report, sites that store and transfer petroleum products on a large scale are referred to as Buncefield-type sites. However, the recommendations could to some extent be considered for a wider range of facilities exposed to the risks of fire and explosion.
One of the overall conclusions of the work of MIIB seems to be the need for a common methodology for safety management within the industry. Although many methodologies exist today, of which some may even today address the IEC 615112 or API RP 23503, a systematic approach should be implemented for the determination of appropriate SIL to be met by the protective systems. There are 25 recommendations in total in the report, several of which refer to the BS EN 61511 standard.
Safety standards
In 2003, IEC 615112 concerning safety instrumented systems for the process industry sector was published. The purpose of this standard was to develop a single set of requirements addressing the complete safety instrumented system (SIS) life cycle for the process industry. It provides this industry with a common methodology in the area of functional safety, including guidance for the determination of the required SILs.
In the late 1990s, the IEC 615084 was published. This standard sets out a generic approach for all safety life cycle activities for systems comprising electrical, electronic or programmable electronic components that are used to perform safety functions. A major objective for this standard was to facilitate the development of application sector standards such as IEC 61511.
Using automatic tank gauges as overfill protection
An automatic tank gauge (ATG) can be used in many different ways depending on the application requirements. By measuring level, temperature, pressure and other quantities, it is often used for operational control, inventory control or custody transfer when connected to a tank gauging system.
In many cases, radar-based ATGs are also part of the safety architecture of the tank farm as an overfill protection. This is realised by having the ATG connected as the High (H) or High-High (HH) alarm switch or sometimes as a supplement to other existing alarms.
Tough design requirements
When used as an overfill protection, it is normally required that the ATG has outputs both for the regular bus communication and outputs that can be included in a safety loop separate from the tank gauging system. However, tough design requirements must be met by ATGs having this feature where the ATG is considered solely as an overfill protection device focusing on the safety function only.
|
One of the steps taken to achieve functional safety assessment in accordance with IEC 61508 is to perform a failure modes, effect and diagnostics analysis (FMEDA). Failure rates, safe failure fraction (SFF) and other characteristics are then calculated for the safety function of the overfill protection for use in the SIS design calculations.
An SFF of 80% or higher is a reasonable requirement when selecting sensors in accordance with section 11.5.3 in IEC 61511.
Proven-in-use equipment
Concerning the SIS design and engineering, section 11.5.3 of IEC 61511 gives the end user the possibility of selecting sensors based on prior use if appropriate evidence is available. In tank gauging projects where the overfill protection has to meet SIL 2 safety function requirements, one option is to use a state-of-the-art ATG proven to meet the standards.
Continuous verification
Unless a real emergency situation occurs, the High-High (HH) alarm is never used between the proof test intervals, so one can only be sure a conventional HH alarm switch works at the actual moment when it is being tested.
Compared to mechanical HH switches which are only tested and used on certain occasions, the status of a radar-based ATG is continuously monitored between the proof test intervals when connected to a tank gauging system. The advantage of an ATG is that it gives the operator continuous information about status and performance, since it is being used in the everyday operation of the tank farm.
Mechanical ATGs do not seem to share the same advantage in terms of diagnostics. The very fact they are mechanical and rely on moving parts means they are more vulnerable to a number of potential failure modes, as was highlighted in one of the MIIB reports.
Why radar dominates the market In the past, mechanical ATGs were the dominating technology in tank gauging applications. The float technology that dominated the market in the 1950s was replaced by servo technology in the 1970s. However, from 1985, radar technology has gained market share every year and is now the most common measuring method. Nowadays, refineries and bulk liquid storage plants have realised the benefits of choosing radar over mechanical servo gauges. Also, whereas the working principle of servo gauges requires moving parts in contact with the product inside the tank, radar technology has no contact with the product and no moving parts, which means more reliable operation. This fact has been highlighted in the MIIB report3, page 29: “... Tank gauging systems often employ mechanical servo gauges to sense the liquid level. However, such gauges appear to be vulnerable to a number of potential failure modes ...” |
|
Moreover:
“... A further contribution to enhanced dependability may result from the use of modern electronic gauge sensors, for example based on radar technology. Electromechanical servo gauges are intricate devices vulnerable to many failure modes. Electronic sensors eliminate the failure modes associated with mechanical components and may offer a higher reliability alternative ...”
Although radar dominates the market today, there are numerous mechanical gauges around the world still in operation. The conclusions from the Buncefield incident can be added to the list of reasons to invest in state-of-the-art tank gauging equipment based on radar technology.
Gauge emulation for cost-efficient retrofit
Most old tank gauging equipment currently in service consists of mechanical level gauges based on float or servo technology. It is not uncommon that users accept the very high maintenance costs, poor performance and unreliable measurements associated with these, instead of exchanging them for modern radar-based ATGs. There are several reasons for this. One reason is the high cost of replacing the entire system, which is considered a major project requiring a large budget.
|
However, it is possible to upgrade mechanical gauges to electronic gauges within the same bus system. Emulation means that an existing mechanical ATG installed on a tank can be replaced with another entirely different type of ATG based on radar technology. After this replacement, the existing tank gauging system will not perceive any difference between the emulating ATG and the old ATGs in the system. Although there are a few aspects to consider with this changeover, emulation has been used for many years and some modern ATGs are ready for this.
Emulation therefore offers step-by-step upgrading of old mechanical ATGs in a tank farm, making the latest features of modern ATGs available in a very cost-efficient way.
Conclusions
Recent discussions concerning safety and environmental protection in tank gauging applications have very much focused on the Buncefield incident. It seems very likely that the safety and environmental management within the tank gauging industry worldwide will develop in the direction of a common methodology as given per IEC 61511.
Available data indicate that radar-based ATGs seem to offer a higher reliability alternative than ATGs based on other technologies. Additional advantages of selecting a state-of-the-art radar-based ATG for use as an overfill protection device include:
- an option to meet safety integrity requirements in accordance with IEC 61511;
- gauge emulation, to offer a cost-efficient solution;
- the status and performance of a radar-based ATG being continuously monitored in between the proof test intervals, since it is normally being used in everyday operations.
*Christian Skaug is technical product manager, Rosemount TankRadar Rex, Emerson Process Management, Gothenburg, Sweden.
Emerson Process Management
www.ap.emersonprocess.com
References:
- Recommendations on the design and operation of fuel storage tanks (MIIB), http://www.buncefieldinvestigation. gov.uk/index.htm.
- IEC 61511 Functional safety — Safety instrumented systems for the process industry sector.
- API RP 2350 Overfill Protection for Storage Tanks in Petroleum Facilities.
- IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems.
Integrating standard signals into functional safety
Non‑binary signals such as analog inputs and encoder readings are very common and should be...
Light curtain or safety laser scanner?
Safety light curtains and safety laser scanners are the two most common machine protection...
SIS logic solvers: more choices are needed
Most safety applications can be handled by safety PLCs; however, they are frequently overkill...