Column May 2010

The risk of overfilling

The explosion and fire at the Buncefield fuel depot in Hemel Hempstead, UK in 2005 caused an international review of guidelines for overfill prevention of storage tanks. What happened in Buncefield: a gasoline storage tank was overfilled from a pipeline. The pumping continued even after the tank was completely full. The tank overflowed and a kind of fuel droplet mist developed (see the drawing of the event below). After ignition, a huge explosion occurred. Its strength was unusually high. But that is not the topic of this column; I will discuss it in one of my following columns.

Now I want to talk about the classic scenario of overfilling a tank. There have been many disasters due to that (compare also BP Texas 2005). The risk of overfilling is underestimated and has not been well controlled so far. After Buncefield, the regulators and industry woke up. The Buncefield investigation reports were studied and the key recommendation about automatic overfill protection systems was generally adopted. The incident investigation reports rightly state that an overfill protection system must be tailored to the risk of overfilling. The higher the risk, the more reliable it should be. Reference is made to the risk-based approach (the SIL concept) from the IEC 61511 standard. This is the worldwide standard and ‘best practice’ for designing Safety Instrumented Systems (SIS) like an overfill protection system.

The IEC 61511 standard is not obligatory. An equivalent approach may be followed. Regulators allow companies not to use the IEC 61511, e.g. by using an internal company policy. However, the strength of the IEC 61511 approach is that it is transparent and verifiable. Consider the horror scenario that you, as a responsible manager, have to appear in court after a ‘Buncefield type’ of overfill incident. The judge asks you why the overfill protection system was only tested once every four years. With the IEC/SIL concept the answer is easy: a risk analysis was performed (SIL Classification), the SIS was designed according to the SIL requirements, and with a test once every four years the Probability of Failure on Demand (PFD) fulfills the requirements of the SIL level. Problem solved.
The answer with your ‘internal company policy’ will most likely not be so easy! My message is: either follow the IEC 61511 or face the possibility of spending some time in jail thinking about why you did not. Or otherwise you may be facing giant financial penalties. See the example of BP in Texas here. This is also a risk of overfilling!
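
The link between proof-test interval, PFD and SIL level described above can be checked numerically. The following is an added example, not part of the original column: it uses the common simplified formula PFDavg ≈ λ_DU · TI / 2 for a single-channel (1oo1) loop and the low-demand SIL bands. The failure rates are constructed sample values, and the formula assumes a perfect proof test, no diagnostics and no common-cause failures.

```python
# Added example: simplified low-demand PFDavg check for a 1oo1 overfill
# protection loop. All failure rates below are constructed sample values.
HOURS_PER_YEAR = 8760

# Dangerous undetected failure rates (per hour) for each loop element (assumed).
RATES = {
    "level_sensor": 2e-7,
    "logic_solver": 5e-8,
    "shutoff_valve": 5e-7,
}


def loop_pfd_avg(lambda_du, test_interval_years):
    """PFDavg of a 1oo1 loop: sum over elements of lambda_DU * TI / 2."""
    ti_hours = test_interval_years * HOURS_PER_YEAR
    return sum(rate * ti_hours / 2 for rate in lambda_du.values())


def sil_band(pfd_avg):
    """Low-demand SIL band: SIL n requires 10^-(n+1) <= PFDavg < 10^-n."""
    if pfd_avg >= 1e-1:
        return 0  # does not reach SIL 1
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


def max_test_interval_years(lambda_du, target_sil):
    """Longest proof-test interval that keeps PFDavg below the band's upper limit."""
    upper_limit = 10 ** -target_sil
    return 2 * upper_limit / (sum(lambda_du.values()) * HOURS_PER_YEAR)


if __name__ == "__main__":
    for years in (1, 2, 4):
        pfd = loop_pfd_avg(RATES, years)
        print(f"test every {years} y: PFDavg = {pfd:.5f} -> SIL {sil_band(pfd)}")
    limit = max_test_interval_years(RATES, 2)
    print(f"SIL 2 needs a proof test at least every {limit:.2f} years")
```

With these sample rates a four-year test interval supports a SIL 1 claim but not SIL 2, which is exactly the kind of documented answer the SIL verification provides.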

