Overfilling tanks: Disasters and prevention
The recent 3-part article by Shelley and Tarantino said “Overfill ground, dike, or bund fires result from piping or tank leakage. This may be caused by operator error, equipment or instrument failure.” Filling the tank to the point of overflow, without the piping or tank actually leaking, can lead to the same result.
While this may appear at first glance to be due to operator error, equipment or instrument failure, deeper investigation will lead to root causes such as inadequate design, failure to conduct proper safety studies, failure to set up and maintain proper testing and inspection of protective systems, or an organisational culture that places production and cost well ahead of safety.
One of the most significant such incidents was the overfilling of a petroleum terminal tank receiving petrol from a tanker ship in Puerto Rico in 2009. There was an overflow of 200,000 US gallons (760,000 litres) until it was detected and the transfer stopped. As the bund drain valve had been left open, petrol flowed from the bund and reached the waste treatment plant where it was ignited by un-rated electrical equipment. This caused a flame front to run back to the bund causing an explosion of the vapour cloud there which rated 2.9 on the Richter scale. Fortunately, nobody was killed, but 17 tanks were destroyed and 300 nearby buildings were damaged.
The shipment, of more than 11.5 million gallons (43.5 million litres) of unleaded petrol, was expected to take 24 hours. No single tank was available for the full load, so it was planned to pump to 4 small tanks and the remainder would top up another. Operators adjusted flow rates by tank valves and manually calculated fill times based on an hourly level check of float and tape gauges. This was normal practice as the data transmission to a central PC frequently suffered from transmitter problems. The tanks were not fitted with any high level alarms or automatic overfill protection system (AOPS).
After transfer had begun, the valve to one tank was closed as the gauge was seen to be stuck. At the 11 p.m. hourly walk-around, the tank farm operator observed the gauge on Tank 409. The operator radioed the level to the supervisor who calculated once again that the tank should be full at 1 am. At the midnight check, before reaching the tank, the operator observed a vapour cloud and a strong smell of petrol and contacted the dock operator to stop the flow of petrol to the tank. He then notified the other operator and the supervisor to meet at the edge of the terminal.
They observed a white fog approximately 1 metre above ground, but could not hear or see petrol overflowing from the vents on Tank 409 due to lack of lighting and the topography. Approaching the fog, they noticed the air cool as the fog condensed on their hands, despite the 26°C temperature. Noting the potential danger, the supervisor sent one operator to the security gate, while the supervisor and another operator drove to a high vantage point, attempting to find the source of the leak and developing vapour cloud. Meanwhile, petrol flowed through an open bund drain valve to the waste treatment plant where it was ignited by electrical equipment. A flash fire raced back to the tanks.
Security cameras recorded the ignition of the vapour cloud in the waste water treatment area. Seven seconds after ignition, the cloud exploded, creating a pressure wave damaging hundreds of homes and businesses up to 2 km from the site and registering 2.9 on the Richter scale. The fire propagated through the cloud and ignited multiple subsequent tank explosions. The fire burned for two days. Investigation revealed that a total of 194,000 US gallons (735,000 litres) overflowed during a period of 26 minutes.
The US Chemical Safety Board investigation found (among other findings):
An unreliable level control and monitoring system did not provide accurate and timely information for the operator to prevent overfilling Tank 409.
- The failure-prone float and tape gauges and the unreliable level transmitters proved ineffectual. The level transmitters were frequently out of service due to lightning damage.
- Insufficient independent and separate safeguards to prevent overfill, such as a high-level alarm and an automatic overfill prevention system (AOPS), compromised facility safety.
Safety Management Systems
- Inadequate formal tank filling procedures
- Tanks were not equipped with an independent high-level alarm system.
- Tanks were not equipped with an independent Automatic Overfill Prevention System (AOPS)
- It was difficult to distinguish between the open and closed positions of the bund drain valves
- Insufficient lighting in the tank farm areas.
Sadly, the lessons from the Buncefield incident in the United Kingdom in 2005 had not been taken into consideration by the Puerto Rican operators. While Buncefield had better instrumentation installed, it was not functional at the time, leading to much the same result. The comparisons are highlighted in the CSB report on Puerto Rico.
On a smaller scale, the same sorts of incident have occurred many times and quite often the flammable liquid has luckily not found a source of ignition. However, it is better to rely on good management rather than good luck.
Good management includes going on site and looking at the actual equipment, piping, instrumentation etc. For example, during a hazard and operability (HAZOP) review of an existing tank, the process engineer explained how the tank had both an independent high level alarm sounding locally and an independent high-high level shutdown system that stopped the feed pump via a hardwired interlock. Since the depiction on the drawing was not particularly clear, it was checked on site, where it was found that both the alarm and the shutdown system relied on the basic level gauge, i.e. they were not independent.
In another example, a tank had a high level switch based on the process control system, set up to close the inlet actuated valve via software in the event of failure of the level transmitter (which was to close the valve when the tank was full). The level transmitter had been giving trouble for months and during one fill erroneous readings caused the inlet valve to shut. Operators visually checked the tank and found adequate space for the road tanker’s contents. The actuated inlet valve was put in manual mode from the control room and opened. Filling was completed without any overfill.
The actuated valve was not returned to automatic mode. The next time the vessel was filled, the level transmitter again gave trouble and overfilling occurred. The high level switch did alarm at the control room but did not close the valve. The control room operator, believing that the valve would close automatically, did not initially take action. Approximately 2,000 L of flammable solvent spilled but did not ignite. To be independent, the high level switch should have been hardwired or controlled by an independent logic device such as a separate programmable logic controller (PLC). However, it is also vital that change control procedures cover temporary software / control system changes in addition to equipment and process changes.
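The two independence failures described above can be checked mechanically once each protection layer is written down as sensor, logic and final element. The following is an added example, not part of the original article; the tag names (LG-1, LT-2, LSH-2, XV-2) and the component labels are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str           # protection layer as claimed in the review
    sensor: str         # device that measures the level
    logic: str          # where the decision is made
    final_element: str  # what stops the flow or alerts someone


def audit(layers, modes=None):
    """List components shared between layers, and final elements left out of auto."""
    modes = modes or {}
    findings = []
    for kind in ("sensor", "logic", "final_element"):
        users = defaultdict(list)
        for layer in layers:
            users[getattr(layer, kind)].append(layer.name)
        for component, names in sorted(users.items()):
            if len(names) > 1:
                findings.append(f"shared {kind} {component}: " + ", ".join(names))
    for element, mode in sorted(modes.items()):
        if mode != "auto":
            hit = [l.name for l in layers if l.final_element == element]
            findings.append(f"{element} in {mode}: defeats " + ", ".join(hit))
    return findings


# Constructed tag names; the article gives none.
HAZOP_TANK = [  # alarm and shutdown both read the basic level gauge
    Layer("level indication", "LG-1", "operator", "manual valve"),
    Layer("high alarm", "LG-1", "alarm unit", "local horn"),
    Layer("high-high shutdown", "LG-1", "hardwired interlock", "feed pump"),
]
SOLVENT_TANK = [  # high level switch runs in the same control system
    Layer("level control", "LT-2", "process control system", "XV-2"),
    Layer("high level switch", "LSH-2", "process control system", "XV-2"),
]

if __name__ == "__main__":
    for line in audit(HAZOP_TANK) + audit(SOLVENT_TANK, {"XV-2": "manual"}):
        print(line)
```

The mode table passed to `audit` stands in for the temporary control system change that was never reversed; a change control register would supply it in practice.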
Material was pumped to a tank in a manual operation for many years without incident. Then, one day, there was a small overflow which the operator quickly stopped. A recommendation of the incident investigation was to add a high level alarm which would shut off the feed to the tank if the operator failed to stop flow, and this was installed. Supervisors decided that the operator could be given other work while the tank was filling, since there was a high level shutdown. No management of change review was done. A device that was intended to be a second layer of protection became the primary control. When the high level trip failed, there was nobody in the area and the spill was actually larger than before. The trip had the normal failure rate for such equipment, about once in two years, so another spillage after about two years was inevitable. A reliable operator had been replaced by a less reliable trip.
We all need to remember Murphy’s Law: what can go wrong will go wrong, and usually at a bad time. It is important to review design of equipment, actual equipment in the field and what operators and supervisors do to have the best chance of safe operation.
- US CSB Final Investigation Report – CAPECO
- US CSB video “Filling Blind”
- CCPS Process Safety Beacon; Sep 2004, Sep 2006, Sep 2009, Oct 2009, Feb 2016
- Loss Prevention Bulletin No 247, Feb 2016
- Kletz, Trevor, “What Went Wrong”, 5th ed, Elsevier
- Mostia, W.L. “Prevent Tank Farm Overfill Hazards”