API2350 Overview

API 2350: Tank Overfill Protection – An Overview Monday, April 23 2012 Dallas, Texas By PEMY Consulting Philip E. Myers


Petroleum Storage Tank Overfill Prevention


Disclaimer

Views and opinions are strictly those of the presenter and do not represent those of the American Petroleum Institute (API) or those of the API 2350 Overfill Revision Taskgroup.

At the time of this presentation the editorial process for API 2350 may still be in progress. While every effort is made to present the final outcome, no guarantee can be made that the editorial process will not result in changes to what is presented here.

All diagrams and drawings are conceptual in nature and cannot be directly used for design and construction of actual facilities. Such facilities must be individually engineered and designed for each tank and site by qualified personnel.

Side Note about API/ANSI Process

Standards Development Processes are set by the American National Standards Institute (ANSI). Not all codes use this process (e.g. International Building Code)

Consensus

Openness

Due Process

Committee balance (manufacturers, contractors, consultants, owner/operators, etc)

Public review

All comments must be considered

Standards are updated or reaffirmed by the same process at intervals not exceeding 5 years. The 2nd edition was already late and we issued the 3rd edition with a change that expanded the scope to include Class II liquids

Regularly audited to ensure compliance with the Rules for Standards Committees and consistency with the American National Standards Institute (ANSI)

Why API 2350 Is Needed

Overfill Prevention in a Nutshell

The Overfill Prevention Process (OPP) is simple in concept. When receiving product into a tank the flow is terminated prior to the tank level reaching the critical high (CH) level. Use of the word terminate in this standard means any of the following:

Terminating the source of pressure (e.g. shutting down a pump), or

Diverting the incoming flow, or

Shutting down the flow (closing a receipt valve), or

Using an alternative appropriate way of bringing the receipt process to a safe state without overfilling the tank

While this desired end-result termination seems simple, experience suggests the need for a systematic Overfill Prevention Process (OPP) to ensure success over time

Drivers for Current Changes

API Revision Cycle past due

Update API 2350 with current applicable standards such as S84 and IEC 61511 for automated safety instrumented systems

Make it more enforceable and prescriptive

The Buncefield incident occurred on Sunday, December 11th, 2005, at the Buncefield Oil Storage Depot, Hemel Hempstead, Hertfordshire in the UK

Questions You May Be Asking

Is the new edition really that different than previous editions?

Do I need to upgrade to the latest edition of API 2350?

What are the benefits of upgrading?

What is the rest of industry going to do about it?

Historical Background

API 2350 was first issued in March 1987. Scope restricted to terminals receiving transfer of Class I materials (e.g. gasoline) from mainline pipelines or marine vessels.

The second edition in January 1996 maintained that narrow scope and clarified that it covered ONLY gasoline, mainline pipelines and marine, and not other internal or external transfers. Minor non-substantive revisions.

The third edition in January 2005 built on the second edition with the Scope significantly expanded to include both Class I and Class II hydrocarbon liquids as well as tankage in broader usage. Receipts of petroleum products from wheeled vehicles are specifically excluded from the Scope of API 2350, referring to PEI 600 for guidance.

Scope

The scope of this Standard is specifically limited to storage tanks associated with marketing, refining, pipeline, terminals and similar facilities containing Class I or Class II petroleum liquids. (Note: API 2350 is recommended for Class III liquids)

This standard does not apply to:

Underground storage tanks

Aboveground tanks of 1320 US gallons (5000 liters) or less

Aboveground tanks which comply with PEI 600

Tanks (process tanks or similar flow through tanks) that are integral to a process.

Tanks containing non-petroleum liquids

Tanks storing LPG and LNG

Tanks at Service Stations

Loading or delivery from wheeled vehicles (such as tank trucks or railroad tank cars)

New: Key Components of API 2350

Management System

Risk Assessment System

Defining Operational Parameters and Categorization

Procedures

Equipment Systems (addition of AOPS)

Management System


Formal written operating procedures (including emergency response)

Trained and qualified personnel

Equipment systems testing and maintenance

Normal and abnormal operating conditions addressed

MOC (management of change)

Investigation process for near misses and incidents

Lessons learned

Communications protocols, especially between transporter and owner/operator

API 2350 does NOT specify how to develop/deploy a management system (we will do this in the workshop)

Important Note: On request PEMY will send you a 25 page detailed write up on how to develop and deploy not only a safety management system but an overfill management system as well.

Risk Assessment System

Example of verbal risk assessment: "I am willing to take the risk"

API 2350 and Risk Assessment

Risk Assessment system shall be used to categorize risks associated with potential overfilling operations as acceptable or unacceptable

Risks are site and owner specific

API 2350 does NOT specify how risk assessments should be conducted

IEC 31010, "Risk management - Risk assessment techniques", lists many such methods. LOPA has been used extensively in the UK for tanks where risks are considered significant.

API 2350 Annex E Conceptual Tank Overfill Risk Evaluation

Risk

From the Italian word risicare:

to dare

Risk defines the difference between

a choice and a fate

Risk assessment:

The foundation for rational decision making.

Insights.

Actions.

Why do risk assessment?

[Figure: Event / Scenario, Pathway, Dose, Response, Consequences, Impact]

Values and Consequences

Values for a Pipeline Company: Be the preferred provider of liquid pipeline transportation

Environmental Impacts

Health & Safety: Public; Workers; Customers / Consumers

Regulatory Relations

Strategic Alignment

Employee Commitment / Alignment

Corporate Public / Community Reputation: Community relations; Corp reputation

Financial Performance

Customer Satisfaction

Why do risk assessment?

Because the consequences matter to us; values are adversely affected

Risk assessment

Risk assessment is a means to an end

It aids us in protecting something of value from potential adverse consequences

It is the foundation for decision making

[Figure: Event / Scenario, Pathway, Dose, Response, Consequences, Impact, with the risk management options: eliminate the root cause; sever the pathway; protect the target; change the response curve; eliminate the consequences]

Assessment Management

[Figure: assessment methods ranging from Qualitative to Quantitative: Verbal; SWOT; Risk Matrix; Index models; Optimization; Simulation; Regression; Decision-analytic; Full economic model with uncertainty. Data scales: Nominal, Categorical, Ordinal, Cardinal, Interval (name only; by category; rank order; differences have meaning; zero has meaning). Also labelled: Data; Risk model; Multi-attribute decision analysis.]

Tank Overfill Protection Basic Concept of Risk


Incident

Product Receipt P

Product receipt plan was not completed

Tank flow was not verified

Tank rise was not monitored

Alarms did not work

Behaviors

Procedures/Training

Equipment:

Gauges

Alarms

Auto shutdown

No automatic shutdown


Instructor Notes:

These were actual root causes of a recent tank overfill incident

Point out the individual layers of protection and remind class that no one layer is perfect (i.e. not a complete circle of protection)

The first layer in this example is a product receipt plan which was not followed, resulting in a gap.

If the second layer (verification of tank flow) was performed, then the incident would not occur; however, this was not done and it resulted in another gap.

If all safeguard gaps line-up then an incident occurs; if only a few gaps line-up, this results in a near loss.

(Instructor: press enter to illustrate point #5)

Instructor: explain to class that the number of layers required will be based on a risk analysis as determined by Engineering's Tank Gauging & Alarm Equipment Standard. So in some cases you may have three layers of protection, some five layers and others may be less. Point is, there must be some level of redundancy in protection.

Methods of Risk Assessment

Many methods ranging from qualitative to semi-quantitative to quantitative:

Checklists

Risk matrices

HAZOP approach

Risk Graph

Quantitative Methods

Layers of Protection Analysis (LOPA)

Consider These Likelihood Factors:

Frequency, rate and duration of filling

Systems used to properly measure and size receipts to tanks

Accurate tank calibration (both strapping and verified Critical High)

Systems used to monitor receipts

Extent of monitoring / supervision of manual and automatic tank gauging

Impact of complexity and operating environment on the ability of Operating Personnel to execute overfill prevention tasks

Filling multiple tanks simultaneously

Switching tanks during receipt

Large elevation changes between tanks and backflow

Consider these Consequence Factors

Hazard characteristics of material (product) in tank

Volatility, flammability, dispersion, VCE potential

Number of people onsite who might be affected by a tank overflowing

Number of people offsite who might be affected by a tank overflowing

Possibility of a tank overflowing resulting in (escalation) of hazardous events onsite or offsite

Possibility of impact to nearby sensitive environmental receptors

Physical and chemical properties of product released during overflowing

Maximum potential overfill flow rates and duration

Secondary containment

Initializing Operating Parameters

Level: Critical High (CH)

Overfill or Damage occurs

Activate Emergency Response

Level: High-High (HH)

Alarm or AOPS

Level: High (Optional)

Alerts NOT Alarm

Normal Fill Level (NFL)

Highest working level

Initializing Operating Parameters - LOCs

Review/revise LOCs when

New tank

Change in floating roof tank seals

Installation of geodesic domes or other kinds of fixed roofs (e.g. when external floating roof tanks receive retrofit covers).

New internal or external floating roof

Side vent changes

Shell extensions

New tank bottom

Addition of ancillary equipment such as foam chambers

Recalibration or re-strapping of the tank

Change of tank gauging equipment

Addition of a gauge tube with datum or change in datum/strike plate

Change in product

Change in incoming or outgoing lines

Change in flow rates

Change in service if it impacts structural integrity [corrosion, temporary repairs, etc]

Change in operations, such as: parallel tank, floating or high suction, continuous mixer operation

Change in response time resulting from staffing, operation or equipment changes

Initializing Operating Parameters - Categories

Operators shall categorize each tank

A way to classify tank overfill systems

Category I: manual system

Category II: ATG with transmittable data to control center

Category III: ATG and independent level alarm transmittable to control center

AOPS: independent addition to Categories I, II, or III

Given all things equal, the higher the category of overfill protection system, the more robust and reliable it is.

When a manual system (MOPS) does not have sufficiently low probability of failure on demand, then AOPS should be considered as a means of increasing the OPS reliability (availability)

Category I

Configuration


Does not have transmitted alarms

Tank Level is determined by HAND gauging or local Automatic Tank Gauging (ATG) system.

Requires Local manual shutdown or diversion or transporter shutdown after receiving manual communications from facility

Use only at fully-attended facilities

Monitor continuously first and last and every in-between hour of receipt

Do not use for high frequency or complex receipt operations


Instructor Notes:

Now that we have covered the first bullet on slide 7 understanding LOCs, we will talk about Tank Gauging & Alarm system categories.

There are 4 categories and as you go up in category, the systems provide increasing levels of protection.

Category 1 can be a completely manual operation, with or without an ATG.

If a tank does not have an automatic tank gauge, operations would have to use a manual tape gauge to gauge the tank for product level.

Hand gauging requires personnel to access the top of the tank, open the tank to atmosphere, and lower a manual tape to verify the tank level.

Product paste is required to verify the cut between product and water.

Category 2

Configuration


Tank level (ATG required) and alarm is transmitted to remote location (control room)

ATG Alarm set at LOC: HH

Alarms are not independent of ATG system (same sensor for ATG and alarm)

May use Cat 2 at fully or semi-attended facility if receipts are monitored at the control room

On-site monitoring required for 30 minutes at start and at end of receipt; for semi-attended facilities, the transporter must participate in monitoring

Alerts recommended at LOC: H


Instructor Notes

The next category requires an ATG on the tank that has the capability to transmit tank level and alarm information to a remote location.

A float and tape device is not acceptable for this category because of the level of reliability a newer automatic tank gauge provides

The required alarm is set at the High LOC.

Some gauges come with 2 contacts so that multiple alarms can be set. In such cases, an optional alarm may be set at the High-High LOC.

For new installations, the remote monitoring system shall have the capability of monitoring gauge status and level alarms.

Category 3

Configuration


Tank level and alarm is transmitted to remote location (control room).

Alarm is independent of ATG system and set at High-High LOC.

Requires Local manual shutdown or diversion

For unattended operation, alarm shall automatically notify transporter or automatically terminate receipt (AOPS) and receipt termination shall commence in event of power outage


Instructor Notes:

Category 3 requires an additional level of protection: an independent alarm. As the figure illustrates, the alarm set at the High-High level is triggered by a sensor separate from the ATG.

In this case, you will have a High level alarm triggered by the ATG, and a second independent alarm set at the High-High level.

Automatic Overfill Protection System (AOPS)

Configuration


Basic Process Control system can be Category I, II or III

AOPS is independent of operation

AOPS added as another layer of protection on top of Category I, II or III if risk assessment shows acceptable risk cannot be attained otherwise

Two Options:

1. Existing Facilities: Annex A

2. New Facilities: ISA S84.01 or IEC 61511


Instructor Notes:

Category 4 is the highest level specified in the standard. In this case, a shutdown/diversion system is required when liquid reaches the High-High level.

As mentioned previously, there is a separate equipment standard that covers the details of the requirement of this automatic shutdown/diversion system. That standard is 10.10.3.6.2 to be published later this year. When you find that a category 4 system is required, make sure you consult this standard so that the system can be properly designed.

Just like a category 3 system, a category 4 system uses the same gauging and alarm equipment as a category 2 system. The added layer of protection involves installing equipment to handle shutting down or diverting the receipt.

Explain importance of communication plan between the terminal and the shipper, regarding shutdown procedures if communication is disrupted beyond an agreed upon time.

Response Times

Save time: Do the calculation

Table 1: Minimum High-High Tank (HH) Response Time (if not calculated)

Category    Time in Minutes
1           45
2           30
3           15

Beware The Response Time

Recommendation: never less than 5 minutes no matter the calculation
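The response-time rule above, worked through as an added example (not from the presentation or from API 2350): it converts a response time into the CH-to-HH level gap and applies the Table 1 defaults, the 5-minute floor and the 75 mm minimum. The vertical cylindrical tank geometry, the function names and the sample tank figures are assumptions made for illustration.

```python
import math

MIN_GAP_MM = 75.0        # 75 mm (3 in) minimum between levels, from the slides
MIN_RESPONSE_MIN = 5.0   # slides: never less than 5 minutes, whatever the calculation
TABLE_1_MIN = {1: 45.0, 2: 30.0, 3: 15.0}  # Table 1 defaults when not calculated


def rise_rate_mm_per_min(fill_rate_m3_h, diameter_m):
    """Level rise rate for a vertical cylindrical tank (assumed geometry)."""
    if fill_rate_m3_h <= 0 or diameter_m <= 0:
        raise ValueError("fill rate and diameter must be positive")
    area_m2 = math.pi * (diameter_m / 2.0) ** 2
    return fill_rate_m3_h / 60.0 / area_m2 * 1000.0


def hh_response_time_min(category, calculated_min=None):
    """Response time to use for HH: Table 1 default, or a calculated value
    that is never allowed to drop below the 5-minute floor."""
    if calculated_min is None:
        return TABLE_1_MIN[category]  # KeyError for an unknown category
    return max(calculated_min, MIN_RESPONSE_MIN)


def hh_setpoint(ch_mm, fill_rate_m3_h, diameter_m, category, calculated_min=None):
    """Return the HH level in mm and the rule that set the CH-to-HH gap."""
    rise = rise_rate_mm_per_min(fill_rate_m3_h, diameter_m)
    minutes = hh_response_time_min(category, calculated_min)
    time_gap = rise * minutes               # level gained during the response time
    gap = max(time_gap, MIN_GAP_MM)         # whichever is the greater
    if gap >= ch_mm:
        raise ValueError("required gap leaves no working level below CH")
    rule = "response time" if time_gap > MIN_GAP_MM else "75 mm minimum"
    return {"hh_mm": round(ch_mm - gap, 1), "gap_mm": round(gap, 1),
            "response_min": minutes, "rule": rule}


if __name__ == "__main__":
    # Constructed tank: 30 m diameter, Critical High at 14 000 mm.
    cases = [
        ("Cat 3, Table 1 default, 1500 m3/h", dict(fill_rate_m3_h=1500, category=3)),
        ("Cat 1, Table 1 default, 1500 m3/h", dict(fill_rate_m3_h=1500, category=1)),
        ("Cat 3, calculated 3 min (floored)",
         dict(fill_rate_m3_h=1500, category=3, calculated_min=3)),
        ("Cat 3, slow receipt at 50 m3/h", dict(fill_rate_m3_h=50, category=3)),
    ]
    for label, kw in cases:
        print(label, hh_setpoint(ch_mm=14000, diameter_m=30, **kw))
```

At the same fill rate, a Category 1 tank gives up about three times as much working height below CH as a Category 3 tank, and on a slow receipt the 75 mm minimum governs rather than the response time.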

Putting It Together (partial list)

Management System

Risk assessment system

Top management support

Mission vision values

Define Operational Parameters

People and resources

Tank data base, tank standards, field verification, upgrading policy, prioritization for upgrading, policy/consultants for AOPS, etc. etc. etc.

Procedures

Training, competency

Questions

Is the new edition really that different than previous editions?

Do I need to upgrade to the latest edition of API 2350?

What are the benefits of upgrading?

What is the rest of industry going to do about it?

Conclusions and Recommendations

The new API 2350 will represent a significant change from past practices but it is consistent with today's best practices in areas of safety and environmental protection as well as state-of-the-art technology

Authorities will consider it minimum requirements

OMS must be a corporate way of life created by a vision, a mission and a philosophy

A high level of top level commitment and resources is required - But the alternatives can be costly too

Must be embedded into the corporate value system so that it is a long term process and can outlast the managers and executives who often get promoted out of their positions and who never really truly understood what a safety management system is

Do your part to educate top management that this is really the best way to go if you are going to be in the petroleum business. Do it through knowledge, education and expertise and hopefully not because of a serious incident

[Figure: tank Levels of Concern: Critical High (CH); High-High Level (HH) (alarm); High Level (optional; alert); Max Working Level (MW); 75 mm (3") min between adjacent levels]

A response time of no less than 5 minutes and 75 mm (3 inches) between levels (whichever is the greater) shall be used to determine LOCs

[Figures: category configuration diagrams; instrument tags shown: ATG, LT, LSH, LAH, LSHH, LAHH]

Chart: Probability of Error versus Time Available for Diagnosis (Minutes)

Minutes     Probability
5           1
12          0.1
35          0.01
60          0.001
1500        0.0001
10000       0.00001