API 2350: Tank Overfill Protection –
An Overview
Monday, April 23 2012
Dallas, Texas
By PEMY Consulting
Philip E. Myers
Disclaimer
• View and opinions are strictly those of the presenter and
do not represent those of the American Petroleum Institute
(API) or those of the API 2350 Overfill Revision Taskgroup
• At the time of this presentation the editorial process for API
2350 may still be in progress. While every effort is made to
present the final outcome, no guarantee that the editorial
process may result in changes to what is presented here
can be made.
• All diagrams and drawings are conceptual in nature and
cannot be directly used for design and construction of
actual facilities. Such facilities must be individually
engineered and designed for each tank and site by qualified
personnel
Side Note about API/ANSI Process
• Standards Development Processes set by American Nations Standards
Institute (ANSI). Not all codes use this process (e.g. International Building
Code)
• Consensus
• Openness
• Due Process
• Committee balance (manufacturers, contractors, consultants,
owner/operators, etc)
• public review
• All comments must be considered
• standards are updated or reaffirmed by the same process at intervals not
exceeding 5 years. The 2nd edition was already late and we issued the 3rd
edition with a change that expanded the scope to include Class II liquids
• regularly audited to ensure compliance with the Rules for Standards
Committees and that are consistent with the American National Standards
Institute (ANSI)
Why API 2350 Is Needed
Overfill Prevention in Nutshell
• The Overfill Prevention Process (OPP) is simple in concept.
When receiving product into a tank the flow is terminated
prior to the tank level reaching the critical high (CH) level.
Use of the word “terminate” in this standard means any of
the following:
– Terminating the source of pressure (e.g. shutting down a pump),
or
– Diverting the incoming flow, or
– Shutting down the flow (closing a receipt valve), or
– Using an alternative way appropriate way of bringing the receipt
process to a safe state without overfilling the tank
• While this desired end-result termination seems simple,
experience suggests the need for a systematic Overfill
Prevention Process (OPP) to ensure success over time
Drivers for Current Changes
• API Revision Cycle past due
• Update API 2350 with current applicable
standards such as S84 and IEC 61511 for
automated safety instrumented systems
• Make it more enforceable and prescriptive
• Buncefield incident occurred at Sunday
December 11th 2005 at the Buncefield Oil
Storage Depot, Hemel Hempstead,
Hertfordshire in the UK
Questions You May Be Asking
• Is the new edition really that different than
previous editions?
• Do I need to upgrade to the latest edition of
API 2350?
• What are the benefits of upgrading?
• What is the rest of industry going to do about
it?
Historical Background
• 2350 first issued in March 1987. Scope restricted to
“Terminals receiving transfer of Class I materials (e.g.
gasoline) from mainline pipelines or marine vessels.”
• The second edition in January 1996 maintained that narrow
scope and clarified that it covered ONLY gasoline, mainline
pipelines and marine, and not other internal or external
transfers. Minor non substantive revisions
• The third edition in January 2005 built on the second
edition with the Scope significantly expanded to include
both Class I and Class II hydrocarbon liquids as well as
tankage in broader usage. Receipts of petroleum products
from wheeled vehicles are specifically excluded from the
Scope of API 2350, referring to PEI 600 for guidance.
Scope
• The scope of this Standard is specifically limited to storage tanks
associated with marketing, refining, pipeline, terminals and similar
facilities containing Class I or Class II petroleum liquids. (Note: API
2350 is recommended for Class III liquids)
• This standard does not apply to:
–
–
–
–
–
–
–
–
Underground storage tanks
Aboveground tanks of 1320 US gallons (5000 liters) or less
Aboveground tanks which comply with PEI 600
Tanks (process tanks or similar flow through tanks) that are integral to
a process.
Tanks containing non-petroleum liquids
Tanks storing LPG and LNG
Tanks at Service Stations
Loading or delivery from wheeled vehicles (such as tank trucks or
railroad tank cars)
New -Key Components of API 2350
• Management System
• Risk Assessment System
• Defining Operational Parameters and
Categorization
• Procedures
• Equipment Systems (addition of AOPS)
Management System
• Management System
–
–
–
–
–
–
–
–
Formal written operating procedures (including emergency response)
Trained and qualified personnel
Equipment systems testing and maintenance
Normal and abnormal operating conditions addressed
Moc (management of change)
Investigation process for near misses and incidents
Lessons learned
Communications protocols esp between transporter and
owner/operator
• API 2350 does NOT specify how to develop/deploy a management
system (we will do this in the workshop)
• Important Note: On request PEMY will send you a 25 page detailed
write up on how to develop and deploy not only a safety
management system but an overfill management system as well.
Risk Assessment System
example of verbal risk assessment
“I am willing to take the risk”
API 2350 and Risk Assessment
• Risk Assessment system shall be used to categorize
risks associated with potential overfilling operations as
acceptable or unacceptable
• Risks are site and owner specific
• API 2350 does NOT specify how risk assessments
should be conducted
• IEC 31010 “Risk management – Risk assessment
techniques” lists many such methods. LOPA has been
used extensively in the UK for tanks where risks
considered significant.
• API 2350 Annex E Conceptual Tank Overfill Risk
Evaluation
Risk
• From the Italian word “risicare:”
– “to dare”
• Risk defines the difference between
– a choice and a fate
• Risk assessment:
– The foundation for rational decision making.
Insights.
Actions.
Why do risk assessment?
Consequences
Pathway
Response
Event /
Scenario
Dose
Impact
Values and Consequences
Values for a Pipeline Company
“Be the preferred provider of
liquid pipeline transportation”
Customer
Satisfaction
Environmental
Impacts
Health
&
Safety
Public
Workers
Customers /
Consumers
Regulatory
Relations
Strategic
Alignment
Employee
Commitment/
Alignment
Corporate
Public/
Community
Reputation
Community
relations
Corp
reputation
Financial
Performan
ce
Why do risk assessment?
Because the consequences
matter to us; values are
adversely affected
Consequences
Pathway
Response
Event /
Scenario
Dose
Impact
Assessment
Management
Change the response
curve
Eliminate the
consequences
Event /
Scenario
Response
Consequences
Pathway
Dose
Impact
Protect the
Eliminate the
root cause
Sever the
pathway
target
Tank Overfill Protection –
Basic Concept of Risk
•Behaviors
•Procedures/Training
•Equipment:
Gauges
Alarms
Incident
Auto shutdown
Product receipt plan was not
No automatic
completed
Product
shutdown
Tank flow
was P
not
Receipt
Alarms did not
Tank rise was not
work
monitored
verified
21
Methods of Risk Assessment
• Many methods ranging from qualitative to
semi-quantitative to quantitative:
– Checklists
– Risk matrices
– HAZOP approach
– Risk Graph
– Quantitative Methods
– Layers of Protection Analysis (LOPA)
Consider These Likelihood Factors:
•
•
•
•
•
Frequency, rate and duration of filling
Systems used to properly measure and size receipts to tanks
Accurate tank calibration (both strapping and verified Critical High)
Systems used to monitor receipts
Extent of monitoring / supervision of manual and automatic tank
gauging
• Impact of complexity and operating environment on the ability of
Operating Personnel to execute overfill prevention tasks
– Filling multiple tanks simultaneously
– Switching tanks during receipt
– Large elevation changes between tanks and backflow
Consider these Consequence
Factors
• Hazard characteristics of material (product) in tank
• Volatility, flammability, dispersion, VCE potential
• Number of people onsite who might be affected by a tank
overflowing
• Number of people offsite who might be affected by a tank
overflowing
• Possibility of a tank overflowing resulting in (escalation) of
hazardous events onsite or offsite
• Possibility of impact to nearby sensitive environmental receptors
• Physical and chemical properties of product released during
overflowing
• Maximum potential overfill flow rates and duration
• Secondary containment
Initializing Operating Parameters
Initializing Operating Parameters LOCs
–
Level: Critical High (CH)
• Overfill or Damage occurs
• Activate Emergency Response
–
Level: High-High (HH)
• Alarm or AOPS
–
Level: High (Optional)
• Alerts NOT Alarm
–
Normal Fill Level (NFL)
• Highest working level
CRITICAL HIGH (CH)
75 mm (3") min
HIGH HIGH LEVEL(HH)
(ALARM)
75 mm (3") min
HIGH LEVEL
(OPTIONAL; ALERT)
75 mm (3") min
MAX WORKING LEVEL(MW)
A Response time of no
less than 5 minutes and
75 mm (3 inches)
between levels (which
ever is the greater) shall
be used to determine
LOCs
Review/revise LOCs when
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
New tank
Change in floating roof tank seals
Installation of geodesic domes or other kinds of fixed roofs (e.g. when external floating roof
tanks receive retrofit covers).
New internal or external floating roof
Side vent changes
Shell extensions
New tank bottom
Addition of ancillary equipment such as foam chambers
Recalibration or re-strapping of the tank
Change of tank gauging equipment
Addition of a gauge tube with datum or change in datum/strike plate
Change in product
Change in incoming or outgoing lines
Change in flow rates,
Change in service if it impacts structural integrity [corrosion, temporary repairs, etc]
Change in operations, such as: parallel tank, floating or high suction, continuous mixer
operation
Change in response time resulting from staffing, operation or equipment changes
Initializing Operating Operating
Parameters - Categories
•
•
•
•
Operators shall categorize each tank
A way to classify tank overfill systems
Category I: manual system
Category II: ATG with transmittable data to
control center
• Category III: ATG and independent level alarm
transmittable to control center
• AOPS: independent addition to Categories I, II, or
III
• Given all things equal, the higher the category
of overfill protection system, the more robust
and reliable it is.
• When a manual system (MOPS) does not have
sufficiently low probability of failure on
demand, then AOPS should be considered as a
means of increasing the OPS reliability
(availability)
Category I
– Configuration
 Does not have transmitted alarms
 Tank Level is determined by HAND
gauging or local Automatic Tank
Gauging (ATG) system.
 Requires Local “manual” shutdown or
diversion or transporter shutdown
after receiving “manual”
communications from facility
ATG
 Use only at fully-attended facilities
 Monitor continuously first and last
and every in-between hour of receipt
 Do not use for high frequency or
complex receipt operations
30
Category 2
– Configuration
 Tank level (ATG required) and alarm is
transmitted to remote location (control
room)
 ATG Alarm set at LOC: HH
 Alarm are not independent of ATG
system (same sensor for ATG and alarm)
LAH
LSH
ATG
LT
 May use Cat 2 at fully or semi attended
facility if receipts monitored at the
control room
 On site monitoring required 30 minutes
at start, at end of receipt; for semi
attended transporter must participate in
monitoring
 Alerts recommended at LOC: H
31
Category 3
– Configuration
 Tank level and alarm is transmitted
to remote location (control room).
 Alarm is independent of ATG
system and set at High-High LOC.
LAH
 Requires Local “manual” shutdown
or diversion
ATG
LAHH
 For unattended operation, alarm
shall automatically notify
transporter or automatically
terminate receipt (AOPS) and
receipt termination shall commence
in event of power outage
32
Automatic Overfill Protection
System (AOPS)
– Configuration
 Basic Process Control system can be
Category I, 2 or 3
LSHH
 AOPS in independent of operation
ATG
LAH
 AOPS added as another layer of
protection on top of Category I, 2 or
3 if risk assessment shows
acceptable risk cannot be attained
otherwise
 Two Options:
 1 Existing Facilities Annex A
 2 New Facilities ISA S84.01 or
IEC 61511
33
Response Times
• Save time: Do the calculation
Table 1: Minimum High-High Tank (HH) Response Time
(if not calculated)
Category
Time in Minutes
1
45
2
30
3
15
Beware The Response Time
Recommenation: never less than 5 minutes no matter
the calculation
5
12
35
60
1500
Probability of Error
1
0.1
0.01
0.001
0.0001
0.00001
Time Available for Diagnosis (Minutes)
10000
Putting It Together (partial list)
Top
management
support
Management
System
procedures
Mission vision
values
People and
resources
Define
Operational
Parameters
Risk
assessment
system
Training,
competancy
Tank data base, tank standards, field verification, upgrading policy, prioritization for
upgrading, policy/consultants for AOPS, etc. etc. etc.
Questions
• Is the new edition really that different than
previous editions?
• Do I need to upgrade to the latest edition of
API 2350?
• What are the benefits of upgrading?
• What is the rest of industry going to do about
it?
Conclusions and
Recommendations
• The New API 2350 will represent a significant change from past practices
but it is consistent with today’s best practices in areas of safety and
environmental protection as well as state-of-the-art technology
• Authorities will consider it minimum requirements
• OMS must be a corporate way of life – created by a vision, a mission and a
philosophy
• A high level of top level commitment and resources is required - But the
alternatives can be costly too
• Must be embedded into the corporate value system so that it is a long
term process and can outlast the managers and executives who often get
promoted out of their positions and who never really truly understood
what a safety management system is
• Do your part to educate top management that this is really the best way to
go if you are going to be in the petroleum business. Do it thru knowledge,
education and expertise and hopefully not because of a serious incident