Products Solutions Services. High Level Alarms. Industrial Safety

Products Solutions Services High Level Alarms Industrial Safety

Erwin Post Product Manager Level Tankgauging Praxis mit Gamma. Only a safe plant is economical Endress+Hauser B.V. Nikkelstraat 6 1411 AJ Naarden The Netherlands Phone: +31 35 6958 710 Mobile: +31 6 51836 366 Fax: +31 35 6954 921 Erwin.Post@nl.endress.com www.nl.endress.com

Topics Overfill prevention Bunchfield lessons learned PGS29 translation Tank types and level detection State of the art SIL level technology Only a safe plant is economical

The Buncefield facility

Buncefield overspill incident

Even visible from space

Buncefield days after.

And no casualties (thank God it s was Sunday)

The Buncefield incident Fuel depot in Buncefield near London Sunday morning, December 11th, 2005 Failure of level measurement, no change in level indication High level alarm in override. Overspill of 300m 3 of gasoline. Heavy explosion 40 people injured No fatal casualties Depot and surroundings have been heavily damaged Took several days before the fire was under control Environmental emissions and damage.

Products Solutions Services High Level Alarms

Lessons learned Recommendation 3: Operators of Buncefield-type sites should protect against loss of containment of petrol and other highly flammable liquids by fitting a high integrity, automatic operating overfill prevention system (or a number of such systems, as appropriate) that is physically and electrically separate and independent from the tank gauging system.

Lessons learned Recommendation 5: All elements of an overfill prevention system should be proof tested in accordance with the validated arrangements and procedures sufficiently frequent to ensure the specified safety integrity level is maintained in practice in accordance with the requirements of Part 1 of BS EN 61511.

Post Buncefield effect Oops, can that happen to us too? Are the risk assessments OK? Are the HAZOP studies done? Did we cover all scenarios? Authorities start to interfere Regulations are improved or re-written (PGS 29) Proof testing becomes mandatory! What about SIL?

SIL Legal status Legal framework Seveso Directive [ Seveso II - Directive 96/84/EC] Workers protection regulations (social) Environmental regulations Associated permits or license system, local, regional or even national Regulations require state of the art equipment for safety assurance State of the art is defined in standards. i.e. for functional safety EN/IEC 61508 [EN August 2002] (generic standard) EN/IEC 61511 [EN August 2004] (process industry standard)

PGS29:2008, 84 pages.

PGS29:2008, 84 pages. 6.3.6 Hoogniveau-alarmering en overvulbeveiliging 87. Tanks moeten zijn uitgevoerd met: a. een hoogniveau-alarmering die ter plaatse en / of in de controlekamer, alarm geeft, voordat het hoogst toelaatbare vloeistofniveau in de tank wordt bereikt, zodat maatregelen genomen kunnen worden om de pompcapaciteit te verminderen of het verpompen te stoppen, en; b. een fysiek onafhankelijke instrumentele overvulbeveiliging die bij het bereiken van het hoogst toelaatbare vloeistofniveau in de tank de toevoer naar de tank doet stoppen.

PGS29:2008, 84 pages. De betrouwbaarheid van de instrumentatie en beveiligingen moet in relatie staan tot het veiligheidsrisico. Er dient een methodiek gehanteerd te worden die de samenhang tussen de risico s, vastgesteld middels veiligheidsstudies, en (de betrouwbaarheid van de) maatregelen (instrumentatie en beveiligingen) aantoont en documenteert. Voorbeelden van methodieken: SIL-systematiek waarin, afhankelijk van de gewenste risicoreductie, eisen worden gesteld aan de keuze en onderhoudsfrequentie/type van de benodigde regelingen en beveiligingen; (NEN-EN 61511/61508) safety-layerssystematiek, bijv. LOPA; bedrijfsbeleid waarmee het risico gekoppeld wordt aan de maatregel; b.v. bij een scenario met risicowaardering X moeten minimaal twee onafhankelijke LOD s (Lines Of Defense) worden ingezet om het risico te beheersen.

PGS29:2008, 84 pages. Toelichting: Indien bij scheepslossingen de tweede beveiliging technisch niet mogelijk is, kan in overleg met het bevoegd gezag hiervan afgezien worden of een alternatieve oplossing worden overeengekomen met een aanvaardbaar beschermingsniveau. Onder fysiek onafhankelijk wordt verstaan: Los van niveaumeting Apart stuursignaal Onder overvulbeveiliging wordt verstaan: Elk systeem dat de toevoer tot de tank automatisch doet stoppen zonder tussenkomst van een operator.

Simple instrument safety rules still apply A good High Level Alarm typically: is based on a different physical phenomenon (avoid systematic failures) is Fail to Safe classified for SIL services is active (needs power to operate) is proven technology has all appropriate certificates (IEC 61508/61511) is provided with internal diagnostics is preferably provided with a separate failure alarm can be checked easily. Proof testing has a long, predictable lifetime can be repaired immediately without process interference

Typical bulk liquid storage tanks Possibilities are determined by tank constructions Fig. a. storage tank with conical roof Fig. b. storage tank with external floating roof

Fixed Roof SAFE HHLA Solutions Tuning Fork Measurement of aggregation phase by density, Gas versus Liquid Radar and Guided Wave Radar. Measurement of true level using di-electric impedance jump at phase change

Liquid Bulk Storage, Independent High Level Alarms State of the art. Liquiphant is always the first solution. SIL2/3 Compliant - IEC61508/IEC61511 Loop approach! Suitable for all Cone Roof Tanks using existing tank fittings. Very simple and cost effective proof testing by push button only!

Liquiphant summary Liquiphant is an active in-situ density measurement rather than a switch! Density change of liquids is huge and the absolute density of liquid phase is irrelevant thus providing a robust physical deviation. Easy test methodology using push button activated test generator Simplicity of the concept offers extremely low failure rates. Availability joined to the highest safety level! Proven as robust. Reliable lifetime is typically long!

Function Principle evaluation electronic filter / amplifier phase shift amplifier

Self-Monitoring Safe alarm function Immersion depth fa -15% switch point approx. 850 Hz fa oscillation frequency in air approx. 1 khz 25 mm 0 A L A R M A L A R M 0 400 fa -15% fa fa + 6,5% 1500 f [Hz] sensor alarm 0,4 s delayed normal operation corrosion alarm 60 s delayed sensor Alarm 0,4 s delayed

Recurring Proof Test of Overspill Protections switch relay test generator switch switching electronic pulse switch receiver fault relay

Push button proof test coverage (1) λ du 40 FIT Drive current Resonance frequency Only the resonance controller is not covered Frequency λ du controller: 10 FIT [FIT = 10-9 1 -h )

Push button proof test coverage (2) Failure rate FTL5* and 7* series connected to FTL325P 2,100E-03 1,750E-03 1,400E-03 PFD 1,050E-03 7,000E-04 PTC 75% 3,500E-04 0,000E+00 0 1 2 3 4 5 6 7 8 9 10 yr

Overview of measures for SIS according to IEC61511 Component Level Systematic Failures & Random Failures & Certified IEC61508 + Prove in application or Proven-in use [supplier] or Prior-use demonstration [user] PFD avg Certified IEC61508 Failure Tolerance Redundancy 1oo1 1oo2 2oo2 2oo3

Fixed Roof SAFE HHLA Solutions Tuning Fork Measurement of aggregation phase by density, Gas versus Liquid Radar and Guided Wave Radar Measurement of true level using di-electric impedance jump at phase change

Liquid Bulk Storage - Fixed Roof Tanks Guided radar Suitable for all Cone Roof Tanks using existing tank fittings on tank. Continuous level Measurement. Flexible set points via 4-20mA Signal Deviation alarms possible (comparing with ATG) Provided with internal redundancy using End Of Probe algorithm SIL 2/3 Compliant - IEC61508 Safety parameters are state of the art. Proof testing by generating test signals.

Developed according IEC61508 Continuous automatic internal check in the device Logic program run control Check Reference pulse HF Quartz synchronization Measuring cycle time Supply voltage Temperature Check sum RAM Cable breakage Continuous self-monitoring to check the correct functionality of the device More than 80 diagnostic measures and techniques permanently running in the background

Proof test from control room Proof procedure via manual started self check (proof test) Check Send Developed acc. to IEC61508, also the data communication between Device-DTM and device is secured (send check).

HistoROM Example HistoROM functionality Electronic change during night shift The HistoROM is fixed in the housing (can not be lost or forgotten )

Floating Roof Safe HHLA Solutions (Tuning fork Stilling well mounted is always preferred) Free Field Radar, Time of Flight Measurement of roof level using dielectric reflection at phase change Capacitance type contact switching Measurement of dielectric impedance change by roof contact

Floating Roof Tanks Free Space Radar Free Space Radar Suitable for all tank types (Excluding Spheres). Continuous level Measurement. Flexible set points via 2-wire 4-20mA Signal SIL2/3 Compliant - IEC61508 Proof testing by test generator

Floating Roof Tanks Free Space Radar Proof Testing external External Swivel plate for functional proof testing

Floating Roof Tanks Radar Proof Testing integral design Complete with checker mechanism to enable safe alarm checks can be performed and ensuring Zone segregation.

Developed according IEC61508 Continuous automatic internal check in the device Logic program run control Check Reference pulse HF Quartz synchronization Measuring cycle time Supply voltage Temperature Check sum RAM Cable breakage Continuous self-monitoring to check the correct functionality of the device More than 80 diagnostic measures and techniques permanently running in the background

Floating Roof Safe HHLA Solutions (Tuning fork Stilling well mounted is always preferred) Free Field Radar, Time of Flight Measurement of roof level using dielectric reflection at phase change Capacitance type contact switching Measurement of dielectric impedance change by roof contact

Floating Roof Tanks (alternatively) Capacitance Capacitance Probe Suitable for all Cone Roof Tanks using existing tank fittings on tank. Suitable for Floating Decks. Flexible set points via 4-20mA Signal, or via switch point. SIL2 Compliant - IEC61508/IEC61511 Snow tolerant solution Hard to test (mechanical contact required)

Secure Switch Settings using Contact Plate

Floating roof failure scenarios Snow cover Damaged deck Lost deck Free space Radar May lead to lost echo Fails Safe Availability increased using new Advanced May lead to lost and deflected echo depending on deck position Fails Safe May lead to some switch point deviation (up to 100 mm) No failure Dynamics design Capacitance type Top of snow detected as raised level No Failure Switch level may raise depending on deck position May fail when deck gets over flooded May lead to severe switch point deviation Fails dangerous May become safe when weight is modified

Summary Overfill prevention Bunchfield lessons learned PGS29 translation Tank types and level detection State of the art SIL level technology Only a safe plant is economical

Products Solutions Services Thank you very much for your attention