The design basis should clearly establish the safe fill limit, based on an understanding of postulated failure level, analytical capability of instrumentation used for measurement, fill rate, and time required to achieve a safe state. The safe fill limit should ensure that action can be completed prior to reaching the postulated failure level. It should account for expected measurement drift in the process and environmental conditions.
Figure 2 shows the transition of level from normal operating range to postulated failure point. Providing an alert can support level control; its setpoint should allow enough time for the operator to respond to prevent the level from reaching the safety alarm or trip setpoints. The safety alarm should give the operator enough time to bring level back under control or to take equipment to a safe state.
The offset between the trip setpoint and the safe fill limit is the design safety margin. When an alarm is also implemented, its setpoint should be far enough below the trip setpoint to allow the operator sufficient time to take the process to a safe state prior to trip initiation. Otherwise the alarm loses its merit as a protection layer and simply serves as a pre-trip notification.
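The setpoint hierarchy described above, as an added worked example that is not from the original article: it derives the safe fill limit, trip setpoint and alarm setpoint from the design-basis inputs the text names and checks that each leaves the required time or margin. All numbers are constructed (level in percent of span), and the class, field and function names are assumptions, not an industry convention.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OverfillBasis:
    """Design basis inputs; level in % of span, rates in %/min, times in min."""
    failure_level: float       # postulated failure level (e.g. overflow point)
    measurement_error: float   # instrument accuracy plus expected drift
    max_fill_rate: float       # worst-case inflow with all feed sources open
    time_to_safe_state: float  # trip initiation until feed is actually stopped
    design_margin: float       # offset between trip setpoint and safe fill limit
    operator_response: float   # time the operator needs to act after the alarm
    normal_high: float         # top of the normal operating level range


def safe_fill_limit(b: OverfillBasis) -> float:
    # Level keeps rising while the shutdown action completes, and the
    # instrument may read low by its error band, so both are subtracted.
    return b.failure_level - b.measurement_error - b.max_fill_rate * b.time_to_safe_state


def trip_setpoint(b: OverfillBasis) -> float:
    return safe_fill_limit(b) - b.design_margin


def alarm_setpoint(b: OverfillBasis) -> float:
    # Alarm sits far enough below the trip that the operator can act before it.
    return trip_setpoint(b) - b.max_fill_rate * b.operator_response


def check_basis(b: OverfillBasis) -> list[str]:
    """Return the design-basis violations found (empty list means consistent)."""
    sfl, trip, alarm = safe_fill_limit(b), trip_setpoint(b), alarm_setpoint(b)
    problems = []
    if sfl >= b.failure_level:
        problems.append("safe fill limit at or above failure level")
    if trip >= sfl:
        problems.append("trip setpoint leaves no design safety margin")
    if alarm >= trip:
        problems.append("alarm gives the operator no time before trip")
    if alarm <= b.normal_high:
        problems.append("alarm setpoint inside normal operating range")
    return problems


# Constructed example: vessel overflows at 100 % of span.
EXAMPLE = OverfillBasis(failure_level=100.0, measurement_error=2.0, max_fill_rate=1.5,
                        time_to_safe_state=4.0, design_margin=3.0,
                        operator_response=10.0, normal_high=70.0)

if __name__ == "__main__":
    for name, fn in (("safe fill limit", safe_fill_limit), ("trip", trip_setpoint), ("alarm", alarm_setpoint)):
        print(f"{name:16s} {fn(EXAMPLE):6.1f} %")
    print("violations:", check_basis(EXAMPLE) or "none")
```

With the constructed numbers the alarm lands at 74 %, 10 minutes of filling below the 89 % trip; doubling the operator response time pushes it into the normal operating range and `check_basis` flags it.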
Inadequate mechanical integrity. Many technologies are available for level measurement and detection, from simple float-type discrete switches to complex guided-wave radar transmitters. Each technology has characteristics that make it the right choice for a particular application. There are no bad level devices, only technology misapplications, improper installations and inadequate mechanical integrity programs. A properly maintained level switch can provide years of cost-effective, satisfactory service. On the other hand, neglect can cause the most expensive device to fail.
For most safety applications the main considerations for equipment selection are required accuracy, process operating mode, operating environment, historical equipment performance, and ease of maintenance and testing.
No matter the technology selected, it's crucial to maintain mechanical integrity of equipment over its life. Functionality is demonstrated by forcing the sensor to "see the process variable" and to generate the correct signal at the specified setpoint. Testing must prove that equipment can operate as required to prevent overfill. Although diagnostics can detect many types of failures, a proof test is necessary to demonstrate operation at the required setpoint.
Some companies allow only transmitters in safety services, banning direct-mounted switches because they lack a continuous signal. For columns and storage tanks, the safe fill limit usually is significantly outside the normal operating level, so high level alarm or trip sensors sit at a very low output for long periods of time. In such a circumstance, a discrete sensor such as a switch may be the better choice. Consequently, it's an acceptable practice to implement an automated control system that uses an analog measurement covering the expected normal operating range and a level switch to initiate feed shutdown.
You can implement a high level alarm and trip with separate level switches at appropriate points on the vessel or with a transmitter that covers both setpoints. Although transmitters may not improve diagnostics in services that don't normally have level, they do provide the ability to monitor over a chosen range and to alarm at various points in the range.
You can easily prevent catastrophic overfills. When overfill can lead to a fatality, follow these seven simple steps to provide proper protection:
1. Acknowledge that overfill of any vessel is credible regardless of the time required to overfill.
2. Identify each high level hazard and address the risk in the unit where it's caused rather than allowing it to propagate to downstream equipment.
3. Determine safe fill limit based on mechanical limits of the process or vessel, measurement error, maximum fill rate and time required to complete action that stops filling.