Safety and environmental standards for fuel storage sites

Final report

32

Figure 2

Overfilling protection: Tank levels (based on API 2350

13

)

Response time 3: LAHH to overfill/damage level (maximum capacity)

96 This is the response time between the LAHH and the overfill level (or maximum capacity –

at which loss of containment or damage results). It should be assumed that the action taken

to respond to the LAH has not been successful, eg the valve did not close or the wrong valve

closed, and so corrective or alternative contingency action is now urgently required.

97 The response time to do this is identified as the worst combination* of filling rate and time

taken to travel from the control room to the tank and positively stop the flow. This may be an

alternative valve and may need additional time to identify and close it if not regularly used.

98 This could be done per tank or, more conservatively, standardised at the longest margin time

for a group of or all tanks. In all cases, however, it should be recorded in writing.

Response time 2: LAH to LAHH

99 The response time between the LAH and the independent LAHH should again be defined

based on the worst combination of filling rate and time taken to activate and close a remotely

operated valve (ROV) if installed, or to get from the control room to the tank manual valve if not.

†

* The tank with the highest fill rate might have a remotely operated valve operated conveniently from the control

room, allowing for very rapid shutdown, whreas a slower filled (and/or smaller diameter) tank that required a

long journey to get to a local manuyal valve may in fact result in a lengthy time before the fill is stopped.

† It is essential to take into account all of the organisational and human factors relevant to the site, eg failure

of remote operation, loss of communications etc.

Response

Time 2

Response

Time 3

Response

Time 1

Overfill level (maximum capacity)

Tank rated capacity

The tank rated capacity is a theoretical tank level, far enough below the overfill level to allow time to

respond to the final warning (eg the LAHH) and still prevent loss of containment/damage.

It may also include an allowance for thermal expansion of the contents after filling is complete.

Any increase in level beyond the overfill level will result in loss of containment and/or damage

to the tank. (All other levels and alarm set points are determined relative to the overfill level.)

The LAHH is an independant alarm driven by a separate level sensor etc. It will warn of a failure

of some element of a primary (process) control system. It should be set at or below the

tank rated capacity to allow adequate time to terminate the transfer by alternative means

before loss of containment/damage occurs.

Ideally, and where necessary to achieve the required safety integrity, it should have a trip action to

automatically terminate the filling operation.

The LAH is an alarm derived from the ATG (part of the process control system). This alarm is the first

stage overfilling protection, and should be set to warn when the normal fill level has been exceeded;

it should NOT be used to control filling.

Factors influencing the alarm set point are: providing a prompt warning of overfilling and maximising

the time available for corrective action while minimising spurious alarms -

eg due to transient level fluctuations or thermal expansion.

Normal fill level (normal capacity)

Defined as the maximum level to which the tank will be intentionally filled under routine

process control.

Provision of an operator configurable ‘notification’ also driven from the ATG may assist

with transfers though it offers minimal if any increase in safety integrity.

Alarm

LAH

LAHH

Notification

(optional)

Trip

(where necessary)