Safety systems for tank overfill protection - Valve World

SAFETY SYSTEMS

26 Valve World JANUARY / FEBRUARY 2008 www.valve-world.net

Safety systems for tank overfill protection

Crude oil, chemical and liquid refined product spills at processing, transportation and handling facilities, as well as large oil lightering tankers, are not isolated incidents for the industry. A number of recent events have brought a new awareness to the cost and risk involved in an overfill event. In many of the incidents, the equipment on the tank or vessel designated to help prevent such occurrences is overridden, gets ignored or is in non-working order. In many filling operations and tank terminals, no automated emergency shutoff receipt valves, high level alarms or other preventive instruments and sensors are even installed. Terminal operations personnel have often played a role by being “over-alarmed”, undertrained or relying on instruments that should have been operable, but were not. The consequences of these spills have been, in many cases, disastrous to corporate assets and fatal to civilian and facility personnel. This article looks at how most of these overfill events could have been averted or at least significantly mitigated with a Safety Instrumented System (SIS).

Tom Jeansonne, Emerson Process Management, Waller, Texas, USA

Standards and basic concept

Major energy corporations have developed internal standards in compliance with safety standards, such as ANSI/ISA S84.01, IEC 61508, IEC 61511 & OSHA CFR 1910.119. As these standards have gained acceptance and developed, the outcome is that the most modern facilities utilize a Basic Process Control System (BPCS) in conjunction with, but independent of, a Safety Instrumented System (SIS). The BPCS controls the process (such as a tank filling operation) while the purpose of the SIS is to take the BPCS to a safe state when pre-determined “unacceptable” conditions are violated.

In the case of the process industry, including refineries and storage facilities, a current primary international standard for addressing such hazards is IEC 61511. The standard focuses on SIS and encompasses a scope for the plant's SIS lifecycle - this includes concept, design, operation, maintenance and ultimate facility deactivation.

A SIS is a set of many components, including sensors, logic solvers and final control elements (FCE - automated shutdown valves), arranged for the purpose of taking the process to a safe state. With a SIS, the concern is more with how the system fails rather than how the system operates. Should the SIS determine that a shutdown is required (a safe state), it will initiate one or more Safety Instrumented Functions (SIF). These SIFs are the final action items of a SIS, such as closing a valve or diverting flow. A well designed SIS would very likely prevent a tank overfill event - a safe state.

A bulk liquid tank farm SIS might minimally consist of a sensor (such as a high-high level sensor at the tank) to monitor the critical safe tank level, a relay logic solver that constantly monitors the high-high tank level sensor signal, and a final control element (FCE) that shuts down the tank filling operation when conditions warrant. Alternatively, it could be configured to divert to a relief tank, which would also be similarly equipped.

An ever growing number of corporations have turned to leading technology firms who can not only provide an integrated final control element (FCE) but also a complete final control solution (SIS), in addition to performing a safety analysis to help determine and define the needed Safety Integrity Levels (SIL). SILs translate risk reduction factors to predefined required safety levels - a means of quantifying risk based on its frequency and consequences. Here we describe summary points for consideration as developed by Emerson Process Management, Valve Automation, in partnership with a major energy corporation, to assist that company in standardizing procedures for overfill prevention at its global tank farm terminals.

Summary conditions

The final control element (FCE) is essentially one third of a Safety Instrumented Function (SIF). The SIS may contain several Safety Instrumented Functions (SIF) and Final Control Elements (FCE), each with a likely different Safety Integrity Level (SIL) requirement. Other components of the SIS are the various sensors and the logic solver. The SIS creates a demand for a SIF - which addresses a specific hazardous event under the SIS - and the FCE's job is to perform that final critical control function or safety action item. FCEs are critical to the SIS and SIF because the FCE is what physically stops or diverts the flow.

Of significant concern is every component of the FCE, as they are subjected to environmental and operating conditions which can impact performance. One of the primary issues that must be addressed is stagnation or “long, stand-still time”. The automated valve package (FCE) typically remains energized in a fixed position for long periods of time. The valve is subjected to the variable nature of the media in the line which it controls. As such, the ability to provide its primary function (SIF - shut off or flow diversion) is subject to degradation and increased probability of failure on demand. The actuator and other components can also be impacted by environmental conditions, which could affect its ultimate performance. Despite these less than ideal conditions, the FCE has to perform as designed when a SIF is required. If the FCE fails to perform, the SIS may not be able to take the terminal to a safe state.

• It has been reported that one-half of all industrial malfunctions in the SIS have been attributed to the FCE. In order to meet specific reliability criteria, the FCE should be designed for certain defined levels, or Safety Integrity Levels (SIL). SILs are an established means of quantifying risk based on its frequency and consequences. The FCE(s) need to be designed to meet a required SIL for an application (often SIL 2 for tank farm receipt block valves and SIL 3 for diversion applications).

• The primary objective is to reduce the Probability of Failure on Demand (PFD) by meeting a pre-determined SIL requirement.

Safety Integrity Level - SIL (ISA/IEC), Probability of Failure On Demand per year (PFD) in demand mode of operation, and Risk Reduction Factor (1/PFD):

SIL      PFD per year (demand mode)    Risk Reduction Factor (1/PFD)
SIL 4    >=10^-5 to <10^-4             100000 to 10000
SIL 3    >=10^-4 to <10^-3             10000 to 1000
SIL 2    >=10^-3 to <10^-2             1000 to 100
SIL 1    >=10^-2 to <10^-1             100 to 10

What should the integrated FCE include?

Based on the joint work of Emerson and the owner/operator, the recommended FCE should be designed with the following summary of typical components and concerns in mind:

• The valve used as part of the FCE should be, as a minimum, an ANSI rated, full ported, quarter-turn ball valve, either trunnion-mounted or floating. It shall be fire rated per API-607 and meet ASME B16.34.

• Existing valves, sensors and other equipment shall not be used as component parts of the FCE. Only new equipment purchased and validated for the SIL and FCE shall be used.

• The supplier of the actuator component of the FCE should offer, as standard, published guaranteed minimum torque outputs, which are critical to operate the valve to “a safe state” for the SIF.

• The actuator shall be sized with a minimum torque output of 125% against the torque recommended by the valve manufacturer at all positions and both directions of travel at full operating or process system design pressure. The actuator maximum torque output shall not exceed the maximum allowable valve input torque (MAVIT).

• The valve actuator should be of a symmetric, scotch-yoke design, and the control system shall contain a fusible plug with a minimum 195°F and maximum 250°F melting point in the event of a fire (which may not necessarily be related to tank overfill). The FCE should normally remain in the open position. The actuator should be pneumatically powered with air, nitrogen or a special self-contained local hydraulic system.

• The weatherproof actuator and actuator-to-valve mounting adaptation must be totally enclosed with over-pressurization pressure venting and shall have Xylan™ cylinder coating or a minimum of 25 micron electroless nickel plating.

• No mechanical manual overrides, lock-out devices or by-passes are permitted.

• If hydraulic actuators are used, the vendor shall certify that the actuator's hydraulic pressure containing components are designed to ASME Section VIII.

• Electric actuators (part turn or multi turn) shall not be used in this application.

• A digital valve controller (DVC) should be included in the FCE for valve position determination, record retention, automated partial stroke and diagnostic capabilities and alerts.

Additional design concern requirements include:

• DVC should be designed to typically accept a 24 VDC signal and have self-diagnostics using the HART communication protocol.

• SIF may be based on relay logic when appropriate.

• DVC should be used to increase the Diagnostic Coverage (DC factor) on a SIS loop FCE and enhance the Safe Failure Fraction (SFF).

• System may utilize limit switches for redundancy only, and they shall not be included in SIL calculations.

• DVC will abort any test before the actuator supply pressure can drop to a level that would cause a false trip if the FCE is physically immobile, and shall alert the operator (Fail Dangerous Detected) in this event.

• DVC can be used to test external solenoid valves in order to reduce the proportion of dangerous undetectable failures.

• DVC should be used as redundant to a solenoid valve to ensure the SIF. Such redundancy could be required either to meet the project specification or because a single shut down element may not provide an acceptable PFDavg to meet the safety function SIL suitability requirement.

• In common with any other components of the SIS loop, the solenoid valve will contribute to and impact the total PFD of the final element.

• Any SIS or BPCS (safety) demand shall override any partial stroke test.

• DVC shall be able to automatically configure, initiate and record partial stroke travel and retain records of such events.

• FCE shall also restrict stroking speed as required to avoid hydraulic shock to the pumping system.
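The minimal tank farm loop described earlier (high-high level sensor, relay logic solver, FCE) and the DVC partial stroke test rules in the list above, modelled together as an added Python example. This is illustration code written for this page, not Emerson's or the article's own software; the high-high setpoint, actuator supply pressures, step sizes, the false-trip pressure and the "stuck actuator" fault are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed thresholds for the model; none of these values come from the article.
HIGH_HIGH_LEVEL_PCT = 95.0      # critical safe tank level the SIS monitors
PST_TARGET_PCT = 80.0           # partial stroke: 100% open down to 80% open and back
FALSE_TRIP_PRESSURE = 3.0       # bar; below this the spring would drive the valve fully closed
PRESSURE_DROP_PER_STEP = 0.5    # bar bled from the actuator per test step (constructed)
STEP_PCT = 5.0                  # valve travel per test step when the actuator is healthy


@dataclass
class Fce:
    """Final control element: normally open, spring-to-close shutdown valve with a
    digital valve controller (DVC) that tracks position, alerts and test records."""
    position: float = 100.0           # percent open; 0.0 is the safe state
    nominal_pressure: float = 6.0     # bar of actuator supply when idle, constructed
    supply_pressure: float = 6.0
    stuck: bool = False               # constructed fault: actuator cannot move the valve
    pst_active: bool = False
    alerts: list = field(default_factory=list)
    records: list = field(default_factory=list)

    def trip(self) -> bool:
        """Safety action item of the SIF: drive the valve to the safe (closed) state.
        A SIS or BPCS demand overrides any partial stroke test in progress."""
        if self.pst_active:
            self.pst_active = False
            self.records.append("PST aborted by safety demand")
        if self.stuck:
            self.alerts.append("Fail Dangerous: valve did not reach safe state on demand")
            return False
        self.position = 0.0
        self.records.append("tripped to safe state")
        return True

    def begin_pst(self) -> str:
        """DVC-driven partial stroke toward PST_TARGET_PCT.  If the valve has not moved
        and the next step would take supply pressure to the false-trip level, the DVC
        aborts, restores pressure and raises a Fail Dangerous Detected alert."""
        self.pst_active = True
        start_pressure = self.supply_pressure
        moved = False
        while self.position > PST_TARGET_PCT:
            next_pressure = self.supply_pressure - PRESSURE_DROP_PER_STEP
            if not moved and next_pressure <= FALSE_TRIP_PRESSURE:
                self.supply_pressure = start_pressure   # no spurious trip
                self.pst_active = False
                self.alerts.append("Fail Dangerous Detected: FCE immobile during PST")
                self.records.append("PST aborted: valve immobile")
                return "fail dangerous detected"
            self.supply_pressure = next_pressure
            if not self.stuck:
                self.position -= STEP_PCT
                moved = True
        self.records.append(f"PST reached {self.position:.0f}% open")
        return "in test"

    def end_pst(self) -> str:
        """Return the valve to fully open and close out the test record."""
        if not self.pst_active:
            return "no test active"
        self.position = 100.0
        self.supply_pressure = self.nominal_pressure
        self.pst_active = False
        self.records.append("PST pass: valve returned to 100% open")
        return "pass"


@dataclass
class LogicSolver:
    """Relay-style logic solver for one SIF: when the high-high level signal reaches the
    setpoint it demands the FCE trip.  No bypass or override method exists, in line
    with the article's rule that no lock-out devices or by-passes are permitted."""
    fce: Fce
    demands: list = field(default_factory=list)

    def scan(self, level_pct: float) -> bool:
        """One scan of the high-high level signal; returns True when a demand was raised."""
        if level_pct >= HIGH_HIGH_LEVEL_PCT:
            self.demands.append(level_pct)
            self.fce.trip()
            return True
        return False


def run_scenarios() -> dict:
    """Three constructed scenarios: a healthy PST, a stuck valve caught by PST, and a
    high-high demand arriving while a PST holds the valve partly open."""
    out = {}
    healthy = Fce()
    out["healthy_pst"] = (healthy.begin_pst(), healthy.end_pst())
    out["healthy_position"] = healthy.position

    stuck = Fce(stuck=True)
    out["stuck_pst"] = stuck.begin_pst()
    out["stuck_pressure"] = stuck.supply_pressure   # restored: the PST caused no false trip
    out["stuck_alerts"] = list(stuck.alerts)

    in_test = Fce()
    solver = LogicSolver(in_test)
    in_test.begin_pst()                    # valve now held at 80% open
    out["no_demand"] = solver.scan(60.0)   # normal filling, below high-high
    out["demand"] = solver.scan(96.0)      # high-high reached: trip overrides the PST
    out["demand_position"] = in_test.position
    out["demand_records"] = list(in_test.records)
    out["post_demand_end_pst"] = in_test.end_pst()
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running it shows the two behaviours the list calls for: on the stuck valve the DVC gives up before supply pressure reaches the false-trip level, restores pressure and records a Fail Dangerous Detected alert instead of a spurious closure; and a high-high demand arriving mid-test closes the valve regardless of the test, with the interrupted PST noted in the record retention log.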

Why use an integrated system?

The oil and gas industry, with its storage and handling of hazardous liquids, recognizes the need for a formal SIS and an FCE comprised of components applied to specific SIL levels. It is prudent and advantageous for the entire FCE to be provided in a fully integrated, factory-tested and certified package that can be installed easily at the terminal. This integrated systems approach allows the end user to specify the functionality and SIL required rather than attempting to select individual components to be merged together in a SIS. This integrated control solution system should contain the actuator, valve, DVC, relief valves, regulators, air relays, fusible devices, solenoids and all tubing and hardware needed.

The SIL (safety/lambda) data utilized for these integrated solutions shall have been provided by or certified by a recognized third party independent entity and certified by the SIL packaging or integrating vendor. The certification process provides functional safety assessments of the components intended for the FCE. A vendor certification shall be issued minimally describing the product analysis methodology, components and the application criteria needed to continually meet the SIL level requirement and certification.

Impact of SIS in preventing tank overfill

In addition to reducing risk and exposure to the facility personnel, civilians and assets, the following SIS overfill implications should be considered:

• Preserving and protecting the environment - Operating responsibility

• Mitigation of the effects of any overfill - Risk, event cost and life cycle cost reduction

• Legal actions and resultant regulations - Lower cost & regulatory compliance

• Lower operating costs, reduction of downtime - Increased availability and efficiency gains by extended health diagnosis

• Fines, penalties and property damage claims - Lower risk and reduced operating cost

• Lost revenue, goods and production - Revenue efficiency by extended health diagnosis

• “Alarm overload”, inexperience and physical reaction time - Event mitigation and prevention

• Transportation, outside business disruption and emergency support dilution - Lower risk, event mitigation and operating cost savings

• Damaged reputation, corporate citizenship, socio-economic issues - Corporate operating value

• A deterrent to product theft and better inventory control - Product loss prevention and efficiency gains

• Effect on future expansion, permits, locations or scope plans - Hidden operating value increased and reduced regulatory compliance cost

• Your very own disaster marker on an internet map!

What you typically get with PST

• PFD values will be lowered by partial stroke testing (PST)

• Partial Stroke Testing (PST) can safely extend time between plant shutdowns

• Partial Stroke Testing (PST) equals lower proof test intervals

• PST allows the SIL rating to be maintained for longer continuous operating periods

• A higher overall reliability level because of a better Safe Failure Fraction (SFF)
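To make the PST claims above and the SIL table concrete, here is an added Python example (not from the article or Emerson) that computes PFDavg for a single final element with and without a partial stroke regime and maps the result to the table's SIL bands and risk reduction factors. It assumes the standard simplified low-demand approximation PFDavg ≈ λDU × TI / 2 for a 1oo1 element, and the commonly used split of λDU into a share revealed by each partial stroke and a remainder found only at the full proof test; the failure rate, the intervals and the 70% PST coverage are constructed values, not data from the page.

```python
# SIL bands from the article's table: (SIL, PFD lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
HOURS_PER_YEAR = 8760


def sil_for_pfd(pfd: float):
    """SIL band for a PFDavg per the table, or None when outside it (>= 0.1 or < 1e-5)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def risk_reduction_factor(pfd: float) -> float:
    """Third column of the table: RRF = 1 / PFD."""
    return 1.0 / pfd


def pfd_avg_no_pst(lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified 1oo1 low-demand approximation (assumed here): PFDavg ~ lambda_DU * TI / 2,
    lambda_du being the dangerous undetected failure rate per hour and TI the full-stroke
    proof test interval in hours."""
    return lambda_du * proof_test_interval_h / 2


def pfd_avg_with_pst(lambda_du: float, proof_test_interval_h: float,
                     pst_interval_h: float, pst_coverage: float) -> float:
    """The fraction pst_coverage of dangerous failure modes is revealed by each partial
    stroke (every pst_interval_h); the remainder waits for the full proof test."""
    detected_by_pst = pst_coverage * pst_interval_h / 2
    proof_test_only = (1 - pst_coverage) * proof_test_interval_h / 2
    return lambda_du * (detected_by_pst + proof_test_only)


def proof_test_interval_for_target(target_pfd: float, lambda_du: float,
                                   pst_interval_h: float, pst_coverage: float) -> float:
    """Invert pfd_avg_with_pst for the proof test interval: how far the full-stroke
    shutdown test can be stretched while holding target_pfd under a given PST regime."""
    if not 0 <= pst_coverage < 1:
        raise ValueError("PST coverage must be in [0, 1); full coverage needs no proof test")
    return (2 * target_pfd / lambda_du - pst_coverage * pst_interval_h) / (1 - pst_coverage)


def compare(lambda_du: float = 5e-7, proof_test_interval_h: float = HOURS_PER_YEAR,
            pst_interval_h: float = HOURS_PER_YEAR / 12, pst_coverage: float = 0.7) -> dict:
    """Constructed case: lambda_DU = 5e-7 per hour, yearly full proof test, monthly PST
    covering 70% of dangerous failure modes (an assumed figure, not one from the article)."""
    base = pfd_avg_no_pst(lambda_du, proof_test_interval_h)
    with_pst = pfd_avg_with_pst(lambda_du, proof_test_interval_h, pst_interval_h, pst_coverage)
    stretched_h = proof_test_interval_for_target(base, lambda_du, pst_interval_h, pst_coverage)
    return {
        "pfd_no_pst": base,
        "sil_no_pst": sil_for_pfd(base),
        "rrf_no_pst": risk_reduction_factor(base),
        "pfd_with_pst": with_pst,
        "sil_with_pst": sil_for_pfd(with_pst),
        "rrf_with_pst": risk_reduction_factor(with_pst),
        # Proof test interval that keeps the no-PST PFD once PST is in place.
        "proof_test_interval_years_at_same_pfd": stretched_h / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the constructed inputs the element alone lands in the SIL 2 band; adding the monthly partial stroke pulls PFDavg down into the SIL 3 band and roughly triples the risk reduction factor, while the alternative reading of the same arithmetic is that the full-stroke proof test can be stretched from one year to about three at the original PFD. Both are the "lower PFD" and "longer time between plant shutdowns" effects the list above claims, and the approximation also shows the caveat: only the share of failure modes the partial stroke can actually exercise benefits, which is why the diagnostic coverage figure matters as much as the test frequency.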

Figure: Achieving target PFD values with Partial Stroke Testing

Conclusion

The application of a qualitative risk assessment and/or hazard and operability (HAZOP) study, followed by the institution of a proactive SIS integrated by a true solution provider, will benefit all. It has been illustrated that with a realistic full close/open Proof Test Time Interval, significant improvements can be made with the introduction of a Partial Stroke Testing regime at a rate of ten times the demand rate. This allows a quantifiably higher level of operating confidence with very minimal disruption to the facility's operation or investment. The best Safety Instrumented System in the world is not effective if the SIF is not carried out because of an inoperable, poorly designed or deficient FCE. How do you know your FCE will function when required?

About Tom Jeansonne

Tom Jeansonne is technical product manager at Emerson Process Management Valve Automation, Waller, TX. He has more than 30 years of experience in the valve and valve automation industry with both distributors and manufacturers. He can be reached at [email protected]
