Loss of level control has contributed to three significant industrial incidents:
- In Australia, the Esso Longford explosion in September 1998 resulted in two fatalities, eight injuries, and A$1.3 billion (more than U.S. $1 billion) in losses;
- In the U.S., the BP Texas City explosion in March 2005 caused 15 fatalities and more than 170 injuries, profoundly affected facility production for months afterwards, and cost BP losses exceeding $1.6 billion; and
- In the U.K., the Buncefield explosion in December 2005 injured 43 people, devastated the Hertfordshire Oil Storage Terminal, and led to total losses of as much as £1 billion (about $1.5 billion) [3, 4].
These incidents involved different industries located in different countries. Each propagated in its own way, arriving at its final outcome through different mechanisms. Yet all suffered the same process deviation of high level, and all resulted in devastating consequences. This article discusses significant factors contributing to these incidents and provides a simple seven-step solution for overfill protection.
Five factors contribute to overfill events:
Lack of hazard recognition. Level usually has little significance to plant output or product quality. "Normal" operating level often isn't well defined or tightly controlled. Absolute level frequently varies over a large range but doesn't come close to threatening equipment integrity. In tank farms, operating level is simply inventory to be managed.
High level often isn't a hazard itself. Instead, the danger comes from too much mass or volume. Some overfills challenge the tank or vessel where the level is accumulating, causing overpressure or collapse when retained mass exceeds equipment structural-design limits. Many overfills result in loss of containment when liquid passes to downstream equipment that isn't designed to receive it.
Overfill hazards vary depending on the type of vessel and associated upstream and downstream equipment. It's rarely effective to allow a high level event to propagate and to depend on downstream process variables being fast enough to prevent equipment damage. For example, high level in a knockout drum requires immediate response to avoid compressor damage; you can't wait until high compressor vibration is detected.
Underestimating the likelihood of overfill. Level seems so simple to detect that anyone should be able to recognize overfilling and respond in a timely manner. Unfortunately, operators rarely can directly see high level. It's just one of many process variables on the display. Worse yet, level often doesn't affect unit operation or cause any other significant process-variable disturbance — until safe fill level is exceeded and, suddenly, mechanical integrity of the vessel or interconnected equipment is threatened.
High level may have different causes in each mode of operation, e.g., start-up, normal or upset conditions. Start-up may require accumulation of level, so the outlet control valve initially is in manual operation and closed until normal operating level is reached. Level may vary over a large range during normal operation. During upsets, operators may run vessels at higher-than-normal levels, using available capacity to dampen impacts on upstream or downstream equipment.
Some hazard-analysis teams erroneously believe that overfill isn't a credible event because it generally takes minutes or hours rather than seconds to fill a vessel. Some events propagate slowly, such as rise of level in a product storage tank, while others occur quickly through a random event, such as a process upset sending excess liquid to a knockout drum for a compressor. The slower the event, the greater the tendency to believe the operator can adequately address it; likewise, the more sporadic the event, the greater the tendency to believe it won't last long enough to cause overfill. Believing high level isn't credible is especially attractive when the existing design doesn't provide for a high level alarm or trip.