Vw0802 Actuation Emerson


SAFETY SYSTEMS

Safety systems for tank overfill protection


Crude oil, chemical and liquid refined product spills at processing, transportation and handling facilities, as well as large oil lightering tankers, are not isolated incidents for the industry. A number of recent events have brought a new awareness to the cost and risk involved in an overfill event. In many of the incidents, the equipment on the tank or vessel designated to help prevent such occurrences is overridden, gets ignored or is in non-working order. In many filling operations and tank terminals, no automated emergency shutoff receipt valves, high level alarms or other preventive instruments and sensors are even installed. Terminal operations personnel have often played a role by being 'over-alarmed', undertrained or relying on instruments that should have been operable, but were not. The consequences of these spills have been, in many cases, disastrous to corporate assets and fatal to civilian and facility personnel. This article looks at how most of these overfill events could have been averted or at least significantly mitigated with a Safety Instrumented System (SIS).
Tom Jeansonne, Emerson Process Management, Waller, Texas, USA
Valve World, JANUARY / FEBRUARY 2008, www.valve-world.net

Standards and basic concept

Major energy corporations have developed internal standards in compliance with safety standards, such as ANSI/ISA S84.01, IEC 61508, IEC 61511 & OSHA CFR 1910.119. As these standards have gained acceptance and developed, the outcome is that the most modern facilities utilize a Basic Process Control System (BPCS) in conjunction with but independent of a Safety Instrumented System (SIS). The BPCS controls the process (such as a tank filling operation) while the purpose of the SIS is to take the BPCS to a safe state when pre-determined unacceptable conditions are violated. In the case of the process industry, including refineries and storage facilities, a current primary international standard for addressing such hazards is IEC 61511. The standard focuses on SIS and encompasses a scope for the plant's SIS lifecycle - includes concept, design, operation, maintenance and ultimate facility deactivation.

A SIS is a set of many components, including sensors, logic solvers and final control elements (FCE - automated shutdown valves) arranged for the purpose of taking the process to a safe state. With a SIS, the concern is more with how the system fails rather than how the system operates. Should the SIS determine that a shutdown is required (a safe state) it will initiate one or more Safety Instrument Functions (SIF). These SIFs are the final action items of a SIS, such as closing a valve or diverting flow. A well designed SIS would very likely prevent a tank overfill event - a safe state. A bulk liquid tank farm SIS might minimally consist of a sensor (such as a high-high or sensor at the tank) to monitor the critical safe tank level, a relay logic solver that constantly monitors the high-high tank level sensor signal and a final control element (FCE) that shuts down the tank filling operation when conditions warrant. Alternatively, it could be configured to divert to a relief tank which would also be similarly equipped.

An ever growing number of corporations have turned to leading technology firms who can not only provide an integrated, final control element (FCE) but also a complete final control solution (SIS) in addition to performing a safety analysis to help determine and define the needed Safety Integrity Levels (SIL). SILs translate risk reduction factors to predefined required safety levels or - a means of quantifying risk based on its frequency and consequences. Here we describe summary points for consideration as developed by Emerson Process Management, Valve Automation, in partnership with a major energy corporation, to assist that company in standardizing procedures for overfill prevention at its global tank farm terminals.

Summary conditions

The final control element (FCE) is essentially one third of a Safety Instrument Function (SIF). The SIS may contain several Safety Instrumented Functions (SIF) and Final Control Elements (FCE), each with a likely different Safety Integrity Level (SIL) requirement. Other components of the SIS are the various sensors and the logic solver. The SIS creates a demand for a SIF - which addresses a specific hazardous event under the SIS, and the FCE's job is to perform that final critical control function or safety action item. FCEs are critical to the SIS and SIF because the FCE is what physically stops or diverts the flow. Of significant concern is every component of the FCE as they are subjected to environmental and operating conditions which can impact its performance.

One of the primary issues that must be addressed is stagnation or long, stand-still time. The automated valve package (FCE) typically remains energized in a fixed position for long periods of time. The valve is subjected to the variable nature of the media in the line which it controls. As such, the ability to provide its primary function (SIF shut off or flow diversion) is subject to degradation and increased probability of failure on demand. The actuator and other components can also be impacted by environmental conditions, which could affect its ultimate performance. Despite these less than ideal conditions, the FCE has to perform as designed when a SIF is required. If the FCE fails to perform, the SIS may not be able to take the terminal to a safe state. It has been reported that one-half of all industrial malfunctions in the SIS have been attributed to the FCE.

In order to meet specific reliability criteria, the FCE should be designed for certain defined levels, or Safety Integrity Levels (SIL). SILs are an established means of quantifying risk based on its frequency and consequences. The FCE(s) need to be designed to meet a required SIL for an application (often SIL 2 for tank farm receipt block valves and SIL 3 for diversion applications). The primary objective is to: Reduce the Probability of Failure on Demand (PFD) by meeting a pre-determined SIL requirement.

| Safety Integrity Level - SIL (ISA/IEC) | Risk Reduction Factor - 1/PFD | Probability of Failure On Demand Per Year (PFD) (Demand Mode Of Operation) |
|---|---|---|
| SIL 4 | 100000 To 10000 | >=10^-5 To <10^-4 |
| SIL 3 | 10000 To 1000 | >=10^-4 To <10^-3 |
| SIL 2 | 1000 To 100 | >=10^-3 To <10^-2 |
| SIL 1 | 100 To 10 | >=10^-2 To <10^-1 |

What should the integrated FCE include?

Based on the joint work of Emerson and the owner/operator the recommended FCE should be designed with the following summary of typical components and concerns in mind:

• The valve used as part of the FCE should be as minimum ANSI rated, full ported, quarter-turn ball valve, either trunnion-mounted or floating. It shall be fire rated per API-607 and meet ASME B16.34.
• Existing valves, sensors and other equipment shall not be used as component part of the FCE. Only new equipment purchased and validated for the SIL and FCE shall be used.
• The supplier of the actuator component of the FCE should offer as standard, published guaranteed minimum torque outputs which are critical to operate the valve to a safe state for the SIF.
• The actuator shall be sized with a minimum torque output of 125% against the torque recommended by the valve manufacturer at all positions and both directions of travel at full operating or process system design pressure. The actuator maximum torque output shall not exceed the maximum allowable valve input torque (MAVIT).
• The valve actuator should be of a symmetric, scotch-yoke design and control system shall contain a fusible plug with a minimum of 195°F and maximum 250°F melting point in the event of a fire (which may not necessarily be related to tank overfill).
• The FCE should normally remain in the open position. The actuator should be pneumatically powered with air, nitrogen or a special self-contained local hydraulic system.
• The weatherproof actuator and actuator to valve mounting adaptation must be totally enclosed with over-pressurization pressure venting and shall have Xylan cylinder coating or a minimum of 25 micron, electroless nickel plating.
• No mechanical manual overrides, lockout devices or by-passes are permitted.
• If hydraulic actuators are used the vendor shall certify that actuator's hydraulic pressure containing components are designed to ASME Section VIII.
• Electric actuators (part turn or multi turn) shall not be used in this application.
• A digital valve controller (DVC) should be included in the FCE for valve position determination, record retention, automated partial stroke and diagnostic capabilities and alerts.

Additional design concern requirements include:

• DVC should be designed to typically accept a 24 VDC signal and have self-diagnostics using HART communication protocol.
• SIF may be based on relay logic when appropriate.
• DVC should be used to increase the Diagnostic Coverage (DC factor) on a SIS loop FCE and enhance the Safe Failure Fraction (SFF).
• System may utilize limit switches for redundancy only and shall not be included in SIL calculations.
• DVC will abort any test, before the actuator supply pressure can drop to a level to cause a false trip if the FCE is physically immobile and shall alert the operator (Fail Dangerous Detected) in this event.
• DVC can be used to test external solenoid valves in order to reduce the proportion of the dangerous undetectable failures.
• DVC should be used as redundant to a solenoid valve to ensure the SIF. Such redundancy could be required to either meet the project specification or because a single shut down element may not provide an acceptable PFDavg to meet the safety function SIL suitability requirement. In common with any other components of the SIS loop the solenoid valve will contribute and impact the total PFD of the final element.
• Any SIS or BPCS (safety) demand shall override any partial stroke test.
• DVC shall be able to automatically configure, initiate and record partial stroke travel and retain records of such events.
• FCE shall also restrict stroking speed as required to avoid hydraulic shock to the pumping system.
Why use an integrated system?

The oil and gas industry, with its storage and handling of hazardous liquids, recognizes the need for a formal SIS and a FCE comprised of components applied to specific SIL levels. It is prudent and advantageous for the entire FCE to be provided in a fully integrated, factory-tested and certified package that can be installed easily at the terminal. This integrated systems approach allows the end user to specify functionality and SIL required rather than attempting to select individual components to be merged together in a SIS. This integrated control solution system should contain the actuator, valve, DVC, relief valves, regulators, air relays, fusible devices, solenoids and all tubing and hardware needed. The SIL (safety/lambda) data utilized for these integrated solutions shall have been provided by or certified by a recognized third party independent entity and certified by the SIL packaging or integrating vendor. The certification process provides functional safety assessments of the components intended for FCE. A vendor certification shall be issued minimally describing the product analysis methodology, components and the application criteria needed to continually meet the SIL level requirement and certification.

Impact of SIS in preventing tank overfill

In addition to reducing risk and exposure to the facility personnel, civilians and assets, the following SIS overfill implications should be considered:

• Preserving and protecting the environment - Operating responsibility
• Mitigation of the effects of any overfill - Risk, event cost and life cycle cost reduction
• Legal actions and resultant regulations - Lower cost & regulatory compliance
• Lower operating costs, reduction of downtime - Increased availability and efficiency gains by extended health diagnosis
• Fines, penalties and property damage claims - Lower risk and reduced operating cost
• Lost revenue, goods and production - Revenue efficiency by extended health diagnosis
• Alarm overload, inexperience and physical reaction time - Event mitigation and prevention
• Transportation, outside business disruption and emergency support dilution - Lower risk, event mitigation and operating cost savings
• Damaged reputation, corporate citizenship, socio-economic issues - Corporate operating value
• A deterrent to product theft and better inventory control - Product loss prevention and efficiency gains
• Effect on future expansion, permits, locations or scope plans - Hidden operating value increased and reduced regulatory compliance cost
• Your very own disaster marker on an internet map!
What you typically get with PST

• PFD values will be lowered by partial stroke testing (PST)
• Partial Stroke Testing (PST) can safely extend time between plant shutdowns
• Partial Stroke Testing (PST) equals lower proof test intervals
• PST allows SIL rating to be maintained for longer continuous operating periods
• Have a higher overall reliability level because of better Safe Failure Fraction (SFF)

Achieving target PFD values with Partial Stroke Testing
Conclusion

Achieving target PFD values via Partial Stroke Testing

The application of a qualitative risk assessment and/or hazard operability (HAZOP) study followed by the institution of a proactive SIS, integrated by a true solution provider, will benefit all. It has been illustrated that with a realistic full close/open Proof Test Time Interval, significant improvements can be made with the introduction of a Partial Stroke Testing regime at a rate of ten times the demand rate. This allows a quantifiably higher level of operating confidence with very minimal disruption to the facility's operation or investment. The best Safety Instrumented System in the world is not effective if the SIF is not carried out because of an inoperable or poorly designed or deficient FCE. How do you know your FCE will function when required?
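The PFD arithmetic behind the SIL table and the PST claims above can be worked through numerically; the following is an added example, not part of the original article or any Emerson tool. It uses the common simplified 1oo1 approximation PFDavg = λDU × TI / 2, split into a PST-covered and an uncovered share. The failure rates, PST coverages and test intervals are constructed values chosen only for illustration.

```python
# Added example: PFDavg of a 1oo1 final control element (FCE), with and without
# partial stroke testing (PST). All failure rates and coverages are constructed.

HOURS_PER_YEAR = 8760
# SIL bands from the article's table (demand mode): SIL -> (PFD >= low, PFD < high)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# (name, dangerous-undetected failure rate per hour, fraction of it a PST reveals)
FCE = [("ball valve", 1.5e-6, 0.7), ("actuator", 1.0e-6, 0.7), ("solenoid", 0.5e-6, 0.9)]


def pfd_avg(components, proof_h, pst_h=None):
    """Simplified 1oo1 series model: PFDavg = sum(lambda_DU * test_interval / 2).

    With PST, the covered share of each failure rate is tested every pst_h
    hours; the remainder is only found at the full-stroke proof test.
    """
    total = 0.0
    for _name, lam_du, coverage in components:
        c = coverage if pst_h is not None else 0.0
        total += c * lam_du * (pst_h or 0) / 2 + (1 - c) * lam_du * proof_h / 2
    return total


def sil_for_pfd(pfd):
    """Map a PFDavg to the SIL band of the article's table (0 = no SIL met)."""
    if pfd < 1e-5:
        return 4  # better than the SIL 4 band; capped at the highest level
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0


def max_proof_interval_h(components, target_sil, pst_h=None):
    """Proof-test interval (hours) at which PFDavg reaches the band's upper limit."""
    limit = SIL_BANDS[target_sil][1]
    fixed = pfd_avg(components, 0, pst_h)          # PST-tested share, independent of proof_h
    slope = pfd_avg(components, 1, pst_h) - fixed  # PFD added per hour of proof interval
    return (limit - fixed) / slope


if __name__ == "__main__":
    proof, pst = 2 * HOURS_PER_YEAR, 730  # 2-year proof test, monthly PST
    for label, interval in (("no PST", None), ("monthly PST", pst)):
        pfd = pfd_avg(FCE, proof, interval)
        years = max_proof_interval_h(FCE, 2, interval) / HOURS_PER_YEAR
        print(f"{label:12s} PFDavg={pfd:.2e} RRF={1/pfd:.0f} SIL {sil_for_pfd(pfd)} "
              f"max proof interval for SIL 2: {years:.2f} y")
```

With these constructed inputs the same hardware moves from the SIL 1 band to the SIL 2 band once monthly PST is credited, and the proof-test interval that still holds SIL 2 grows from under one year to more than two and a half.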
About Tom Jeansonne

Tom Jeansonne is technical product manager at Emerson Process Management Valve Automation, Waller, TX. He has more than 30 years of experience in the valve and valve automation industry with both distributors and manufacturers. He can be reached at tom.jeansonne@emersonprocess.com