Estimating the likelihood of overfill is complicated by the combination of manual and automated control that's necessary as equipment is started up and operated. Figure 1 shows the range of automation commonly found in tank farms and terminals. The degree of automation generally relates to the expected rate of level rise and operator workload. Automated control and safety systems typically are added when control changes must be made too often to be continuously managed by the operator or when work complexity has increased to where the expected human error rate is no longer acceptable.
It's important to specify the safe fill limit and explain in operating procedures the consequence of exceeding it. Without clearly stated limits and consequences, the operator may not adequately monitor level, especially during intense work periods. Overfill is a credible event; it takes good operating procedures to reduce its likelihood.
Excessive reliance on the operator. The length of time required to reach overfill encourages a tendency to "blame the operator." In many applications an operator does have adequate time to control level within acceptable tolerance — but human error always is possible. Workload and piping network complexity decrease the operator's ability to reliably control level and maintain process safety. Debottlenecking and expansions to increase production often raise operator workload and erode time available to respond to abnormal events. In some cases available time has been reduced to where manual response is no longer effective and automated overfill protection must be implemented.
Don't neglect hazards to operators posed by manual actions such as draining knockout drums. Local response generally moves the operator into the hazard zone, increasing risk to that individual. Consequently, the design must provide sufficient time for the operator to take action and means to verify the intended process response. Further, there should be time to evacuate the area if the action doesn't work as expected. When fast response is required, consider drills to allow the operator to practice the response and to verify the time required to detect and respond. These drills can identify issues with the design, installation and labeling, as well as with procedures and training.
Automated controls are often added to increase operating efficiency and reliability. They also should be provided to reduce reliance on operator response near a hazardous event. For significant hazardous events, automated trips ensure continuous protection even when an operator is focused on other duties. A safety instrumented system (SIS) detects high level and prevents filling beyond the safe fill limit. The SIS can be a simple hardwired system using an independent level sensor (e.g., switch or transmitter) to spot high level and an independent final element (e.g., motor control circuit or block valve) to terminate or divert feed. The SIS is automatically initiated at a setpoint that allows sufficient time for the action to be completed safely. Risk analysis determines the safety integrity level (SIL) required to provide adequate protection — usually SIL 1 or SIL 2.
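The setpoint reasoning above, as an added worked example that is not part of the article: it checks whether a high-level alarm leaves the operator more time than the response needs, derives the highest SIS trip setpoint that still isolates feed before the safe fill limit (rejecting one that would sit inside the normal operating range), and simulates a worst-case fill with the trip armed. All levels, rates and delays are constructed values, not figures from the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tank:
    safe_fill_limit_m: float      # level that must never be exceeded (constructed value)
    normal_high_m: float          # top of the displayed normal operating range
    max_fill_rate_m_per_h: float  # worst-case rate of level rise

def time_to_overfill_h(tank: Tank, level_m: float) -> float:
    """Time left before the safe fill limit is reached at the worst-case fill rate."""
    return max(0.0, (tank.safe_fill_limit_m - level_m) / tank.max_fill_rate_m_per_h)

def manual_response_adequate(tank: Tank, alarm_m: float, operator_h: float) -> bool:
    """Does an alarm at alarm_m leave more time than the operator needs to respond?"""
    return time_to_overfill_h(tank, alarm_m) > operator_h

def sis_trip_setpoint_m(tank: Tank, sensor_h: float, logic_h: float,
                        valve_h: float, margin_h: float) -> float:
    """Highest trip setpoint at which feed is isolated before the safe fill limit.
    Raises if that setpoint falls inside the normal range (trips would be spurious)."""
    response_h = sensor_h + logic_h + valve_h + margin_h
    setpoint = tank.safe_fill_limit_m - tank.max_fill_rate_m_per_h * response_h
    if setpoint <= tank.normal_high_m:
        raise ValueError("trip setpoint inside normal range: need a faster final element "
                         "or a lower fill rate")
    return setpoint

def simulate_trip(tank: Tank, start_m: float, setpoint_m: float,
                  response_h: float, dt_h: float = 0.01) -> dict:
    """Worst-case fill with the SIS armed: when the trip fires, when feed is isolated
    (sensor + logic + final element delay), and the peak level actually reached."""
    trip_t = None
    step = 0
    while True:
        t = step * dt_h
        level = start_m + tank.max_fill_rate_m_per_h * t
        if trip_t is None and level >= setpoint_m:
            trip_t = t                                  # independent sensor detects high level
        if trip_t is not None and t - trip_t >= response_h:
            return {"trip_h": trip_t, "isolated_h": t, "peak_m": level}
        step += 1

if __name__ == "__main__":
    tank = Tank(safe_fill_limit_m=12.0, normal_high_m=10.0, max_fill_rate_m_per_h=2.0)
    print(manual_response_adequate(tank, alarm_m=10.5, operator_h=0.5))    # True
    faster = Tank(12.0, 10.0, 4.0)                  # same tank after debottlenecking
    print(manual_response_adequate(faster, alarm_m=10.5, operator_h=0.5))  # False
    sp = sis_trip_setpoint_m(tank, sensor_h=0.02, logic_h=0.01, valve_h=0.20, margin_h=0.05)
    print(sp, simulate_trip(tank, 9.0, sp, response_h=0.23))
```

Doubling the fill rate turns an adequate manual response into an inadequate one without any change to the alarm or the operator, which is the case the article describes for automated protection.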
No defined safe fill limit. In many applications the entire level range from empty to postulated failure point isn't displayed. Instead, the measurement device only covers the expected operating range. While this provides the most accurate measurement across the operating range, it unfortunately leaves the operator with no indication of level when it rises above that range.