Products Solutions Services

High Level Alarms

Industrial Safety

Erwin Post

Only a safe plant is economical

• Product Manager Level• Tankgauging• Praxis mit Gamma.

Endress+Hauser B.V. | Nikkelstraat 6 | 1411 AJ Naarden | The NetherlandsPhone: +31 35 6958 710 | Mobile: +31 6 51836 366 | Fax: +31 35 6954 921Erwin.Post@nl.endress.com | www.nl.endress.com

Topics

Only a safe plant is economical

Overfill prevention

• Bunchfield lessons learned• PGS29 translation• Tank types and level detection• State of the art SIL level technology

The Buncefield facility

Buncefield overspill incident

Even visible from space

Buncefield days after.

And no casualties…(thank God it’s was Sunday)

The Buncefield incident

• Fuel depot in Buncefield near London• Sunday morning, December 11th, 2005• Failure of level measurement, no change in level indication• High level alarm in override.• Overspill of 300m3 of gasoline.• Heavy explosion• 40 people injured• No fatal casualties• Depot and surroundings have been heavily damaged• Took several days before the fire was under control• Environmental emissions and damage.

Products Solutions Services

High Level Alarms

Lessons learned

Recommendation 3: Operators of Buncefield-type sites should protect against loss of containment of petrol and other highly flammable liquids by fitting a high integrity, automatic operating overfill prevention system (or a number of such systems, as appropriate) that is physically and electrically separate and independent from the tank gauging system.

Lessons learned

Recommendation 5: All elements of an overfill prevention system should be proof tested in accordance with the validated arrangements and procedures sufficiently frequent to ensure the specified safety integrity level is maintained in practice in accordance with the requirements of Part 1 of BS EN 61511.

Post Buncefield effect

• Oops, can that happen to us too?• Are the risk assessments OK? • Are the HAZOP studies done? • Did we cover all scenarios?• Authorities start to interfere• Regulations are improved or re-written (PGS 29)• Proof testing becomes mandatory! • What about SIL?

SIL – Legal status

• Legal framework• Seveso Directive [„Seveso II“ - Directive 96/84/EC]• Workers protection regulations (social) • Environmental regulations• Associated permits or license system, local, regional or even national

• Regulations require “state of the art” equipment for safety assurance

• „State of the art” is defined in standards. i.e. for functional safety

• EN/IEC 61508 [EN August 2002] (generic standard)• EN/IEC 61511 [EN August 2004] (process industry

standard)

PGS29:2008, 84 pages.

PGS29:2008, 84 pages.

6.3.6 Hoogniveau-alarmering en overvulbeveiliging

87. Tanks moeten zijn uitgevoerd met:

a. een hoogniveau-alarmering die ter plaatse en / of in de controlekamer, alarm geeft, voordat het hoogst toelaatbare vloeistofniveau in de tank wordt bereikt, zodat maatregelen genomen kunnen worden om de pompcapaciteit te verminderen of het verpompen te stoppen, en;

b. een fysiek onafhankelijke instrumentele overvulbeveiliging die bij het bereiken van het hoogst toelaatbare vloeistofniveau in de tank de toevoer naar de tank doet stoppen.

PGS29:2008, 84 pages.

De betrouwbaarheid van de instrumentatie en beveiligingen moet in relatie staan tot het veiligheidsrisico. Erdient een methodiek gehanteerd te worden die de samenhangtussen de risico’s, vastgesteld middels veiligheidsstudies, en (de betrouwbaarheid van de) maatregelen (instrumentatie en beveiligingen) aantoont en documenteert.

Voorbeelden van methodieken:− SIL-systematiek waarin, afhankelijk van de gewensterisicoreductie, eisen worden gesteld aan dekeuze en onderhoudsfrequentie/type van de benodigderegelingen en beveiligingen; (NEN-EN 61511/61508)− safety-layerssystematiek, bijv. LOPA;− bedrijfsbeleid waarmee het risico gekoppeld wordt aan de maatregel; b.v. bij een scenario met risicowaardering X moeten minimaal twee onafhankelijke LOD’s (Lines Of Defense) worden ingezet om het risico te beheersen.

PGS29:2008, 84 pages.

Toelichting:Indien bij scheepslossingen de tweede beveiliging technisch niet mogelijk is, kan in overleg met het bevoegd gezag hiervanafgezien worden of een alternatieve oplossing worden overeengekomen met een aanvaardbaar beschermingsniveau.

Onder fysiek onafhankelijk wordt verstaan:− Los van niveaumeting− Apart stuursignaal

Onder overvulbeveiliging wordt verstaan:− Elk systeem dat de toevoer tot de tank automatischdoet stoppen zonder tussenkomst van een operator.

Simple instrument safety rules still apply

• A good High Level Alarm typically:• is based on a different physical phenomenon (avoid systematic

failures)• is “Fail to Safe” classified for SIL services• is active (needs power to operate)• is proven technology • has all appropriate certificates (IEC 61508/61511)• is provided with internal diagnostics• is preferably provided with a separate failure alarm• can be checked easily…………. Proof testing• has a long, predictable lifetime• can be repaired immediately without process interference

Typical bulk liquid storage tanks

Fig. a. storage tank with conical roof Fig. b. storage tank with external floating roof

Possibilities are determined by tank constructions

Fixed Roof – SAFE HHLA Solutions

Tuning Fork Measurement of aggregation phase by density, Gas versus Liquid

Radar and Guided Wave Radar.Measurement of true level using di-electric impedance jump at phase change

Liquid Bulk Storage, Independent High Level Alarms

State of the art.• Liquiphant is always the first solution.

• SIL2/3 Compliant - IEC61508/IEC61511 – Loop approach!• Suitable for all Cone Roof Tanks using existing tank fittings.• Very simple and cost effective proof testing by push button only!

Liquiphant summary

• Liquiphant is an active in-situ density measurement rather than a switch!

• Density change of liquids is huge and the absolute density of liquid phase is irrelevant thus providing a robust physical deviation.

• Easy test methodology using push button activated test generator• Simplicity of the concept offers extremely low failure rates. Availability

joined to the highest safety level!• Proven as robust. Reliable lifetime is typically long!

Function Principle

filter / amplifier

phaseshift amplifier

evaluation electronic

Self-Monitoring

sensoralarm

0,4 s delayed

400fa-15%

fafa+ 6,5%

1500 f [Hz]

25 mm

0

0

Immersion depth

corrosionalarm

60 s delayed

sensorAlarm

0,4 s delayed

normal operation

fa-15% switch point approx. 850 Hz

ALARM

ALARM

Safe alarm function

fa oscillation frequency in air approx. 1 kHz

Recurring Proof Test of Overspill Protections

switc

hing

elec

tron

ic

receiver

switch

test generator

switch

pulse

switch relay

fault relay

Push button proof test coverage (1)

Driv

e cu

rren

t

Reso

nanc

e fr

eque

ncy

Only the resonance

controller is not covered

λdu controller: 10 FIT [FIT = 10-9 · 1-h)

Frequency

λdu 40 FIT

Push button proof test coverage (2)

0,000E+00

3,500E-04

7,000E-04

1,050E-03

1,400E-03

1,750E-03

2,100E-03

0 1 2 3 4 5 6 7 8 9 10

PFD

yr

Failure rate FTL5* and 7* series connected to FTL325P

PTC 75%

Overview of measures“ for SIS according to IEC61511Component Level

Redundancy1oo1 • 1oo2 • 2oo2 • 2oo3

• Certified IEC61508 + „Prove in application“

or• Proven-in use [supplier]

or •Prior-use demonstration [user]

Systematic Failures

RandomFailures

&

FailureTolerance

&

∑PFDavg

• Certified IEC61508

Fixed Roof – SAFE HHLA Solutions

Tuning Fork Measurement of aggregation phase by density, Gas versus Liquid

Radar and Guided Wave RadarMeasurement of true level using di-electric impedance jump at phase change

Liquid Bulk Storage - Fixed Roof TanksGuided radar

• Suitable for all Cone Roof Tanks using existing tank fittings on tank.• Continuous level Measurement.• Flexible set points via 4-20mA Signal

• Deviation alarms possible (comparing with ATG)• Provided with internal redundancy using End Of Probe algorithm• SIL 2/3 Compliant - IEC61508• Safety parameters are state of the art.• Proof testing by generating test signals.

Developed according IEC61508

Continuous automatic internal check in the device

• Logic program run control

• Reference pulse HF

• Quartz synchronization

• Measuring cycle time

• Supply voltage

• Temperature

• Check sum RAM

• Cable breakage

Check

• Continuous self-monitoring to check the correct functionality of the device • More than 80 diagnostic measures and techniques permanently running in the

background

Proof test from control room

Proof procedure via manual started self check (proof test)

Send

Check

Developed acc. to IEC61508, also the data communication between Device-DTM and device is secured (send – check).

HistoROM

Electronic change during night shift

The HistoROM isfixed in the housing(can not be lost or“forgotten”)

Example HistoROM functionality

Floating Roof – Safe HHLA Solutions

(Tuning fork – Stilling well mounted is always preferred)

Free Field Radar, Time of FlightMeasurement of roof level using dielectric reflection at phase change

Capacitance type contact switchingMeasurement of dielectric impedance change by roof contact

Floating Roof TanksFree Space Radar • Free Space Radar

• Suitable for all tank types (Excluding Spheres).• Continuous level Measurement.• Flexible set points via 2-wire 4-20mA Signal• SIL2/3 Compliant - IEC61508• Proof testing by test generator

Floating Roof TanksFree Space Radar – Proof Testing external

External Swivel plate for

functional proof testing

Floating Roof TanksRadar – Proof Testing integral design

• Complete with checker mechanism to enable safe alarm checks can be performed and ensuring Zone segregation.

Developed according IEC61508

Continuous automatic internal check in the device

• Logic program run control

• Reference pulse HF

• Quartz synchronization

• Measuring cycle time

• Supply voltage

• Temperature

• Check sum RAM

• Cable breakage

Check

• Continuous self-monitoring to check the correct functionality of the device • More than 80 diagnostic measures and techniques permanently running in the

background

Floating Roof – Safe HHLA Solutions

(Tuning fork – Stilling well mounted is always preferred)

Free Field Radar, Time of FlightMeasurement of roof level using dielectric reflection at phase change

Capacitance type contact switchingMeasurement of dielectric impedance change by roof contact

Floating Roof Tanks (alternatively)Capacitance

• Capacitance Probe• Suitable for all Cone Roof Tanks using existing tank fittings on tank.• Suitable for Floating Decks.• Flexible set points via 4-20mA Signal, or via switch point.• SIL2 Compliant - IEC61508/IEC61511• Snow tolerant solution• Hard to test (mechanical

contact required)

Secure Switch Settings using Contact Plate

Floating roof failure scenariosDamaged deck

• May lead to lost and deflected echo depending on deck position• Fails Safe

• Switch level may raise depending on deck position• May fail when deck gets over flooded

Lost deck

• May lead to some switch point deviation (up to 100 mm)• No failure

• May lead to severe switch point deviation• Fails dangerous

• May become safe when weight is modified

Snow cover

• May lead to lost echo• Fails SafeAvailability increased

using new Advanced Dynamics design

• Top of snow detected as raised level

• No Failure

Free space Radar

Capacitancetype

Summary

Only a safe plant is economical

Overfill prevention

• Bunchfield lessons learned• PGS29 translation• Tank types and level detection• State of the art SIL level technology

Products Solutions Services

Thank you very much for your attention