The PetrolPlaza audio version is presented to you by UNITI expo, the leading retail petroleum and car wash trade fair in Europe.

Aboveground Tank Overfill Protection Part 1 - General Discussion and Assessment of API Recommendations

In July we announced a three-part feature concerning overfills of aboveground tanks by Chevron tank and environmental expert Phil Myers. Following is Part 1, a general discussion of AST overfill prevention and API bulletin 2350 related to the subject.



Last update:
Author: Myers Philip E.

Introduction
Overfills of aboveground storage tanks are and should be a concern to anyone interested in safety and the environment. Tank overfills have the potential to negatively impact both. More important, overfills can cause injury or death to people.

In Part 1, we will review current industry practices and rely heavily on the most comprehensive approach to overfill prevention that is currently in the public domain-API 23501. In spite of the criticisms of API 2350 that will be apparent in this article, it must be remembered that the document was created using "consensus". This means that it is the lowest common denominator of those who worked the document. However, it becomes apparent on close reading and study that API 2350 was a marvel of excellence when developed and credit belongs to those who worked on the last editions.2

Overfills typically occur because a transfer of petroleum liquid exceeds the capacity of the tank. Tanks generally receive transfers in 3 basic ways:

• From pipeline

• From marine (barge or ship)

• Transfers from other tanks at the same facility or from a process which is manufacturing the stored product

Thus, there are at least three ways that overfills can occur.

However, overfills can occur from unexpected scenarios. For example, if there is a tall tank and a short tank, that are connected by piping, gravity can cause the taller tank to flow through open or failed valves to the shorter tank causing and overflow. The same applies to tanks that are at different elevations. This is commonly called "gravitating", a movement that occurs without operator intervention. A stuck check valve has been the cause of this scenario more times than I care to count.

In fact, overfills in tanks can occur in so many ways, that there is no single method that will prevent overfills. A comprehensive approach including at least the following must be taken and this includes at least the following factors:

• Operating practices

• Written procedures

• Training

• Equipment systems, selection, testing, inspection and maintenance

• Management of change

While it should be understood that the impact of an overfill can vary from minimal to serious, there are two impacts of concern to the industry. A single, serious overfill can result in negative and substantial results to a company. The impact of one such serious overfill is documented in the NFPA 30 Handbook3. On January 6, 1983 a calamitous gasoline tank overfill in Newark, New Jersey at a marketing terminal resulted in one fatality and 24 injuries. Blast effects flattened freight cars and destroyed other tanks. This incident cost nearly 50 million dollars. This incident resulted in the first major step in the evolution of industry practices to mitigate tank overfills - NFPA 30 Chapter 2-10. In 1996, the second edition of API Recommended Practice API 2350 was published, that incorporates the NFPA 30 rules, but goes further and covers the basic principles that a petroleum owner/operator must know in order to reduce the chances of a tank overfill.

The other consequence of concern is frequent overfills that result in environmental damage. These collectively lead to the conclusion by the regulatory community that the industry is not sufficiently concerned with protecting the people and the environment. There is some truth to this as more can be done. I urge you to benchmark your current practice with those described in this paper to "grade yourself" in an effort to see if my assertion about being sufficiently concerned is valid or not.

We will first look at both the NFPA requirements, then the recommendations of API 2350. It should be remembered that the NFPA rules derived largely from the expertise of the same committee members who worked on the API 2350 revisions so that are essentially compatible and non conflicting requirements.

NFPA 30 Rules
Incidents such as the one above cause permanent changes in the industry to occur, usually in the form of a modification to an existing standard. NFPA has the most basic minimum requirements associated with tank overfill prevention. The NFPA requirements shown below are options, which include:

• Use secondary containment that would contain a spill equal to the contents of the largest tank on the facility.

• Gage tanks at frequent intervals during transfers with frequent communications between transporter and operator, allowing shutdown/diversion if an overfill may occur

• Equip tanks with high level alarms to signal on-duty persons about an impending overfill; make the high level alarm independent of the tank gauging equipment

• Equip tanks with automatic shutdown systems to automatically shutdown/divert flow.

• Other alternatives acceptable to the authority having jurisdiction

Notice that NFPA 30 allows an overfill prevention system that uses no alarms or equipment, but instead relies entirely on personnel and operations. The same is true of the rules included in API 2350. There have been cases where the use of an alarm actually lulled the operator by a false sense of security and actually causes an overfill to occur, it has been argued. While this may be true under unique circumstances, it cannot be argued credibly that a tank filling system, which relies on operations alone, is the most reliable system possible when considering the millions of tank filling operations annually. It just does not stand up to the facts. In other wolds, proper use of alarms and automated shutdown systems combined with good operating practices is better than tank filling operations that rely on operations and procedures only.

Risk Analysis
Just how serious is an overfill? To determine this we must understand what risk is. Figure 1 shows that risk is a product of two simple factors.

Figure 1 – A "working" definition of risk

The first factor is the consequence of an event. This factor is the severity of the event. For example, if an overfill results in a fire and explosion, this will be a more severe event or a consequence, than if the same tank only overflows. In formal risk management terms, the severity can be measured in a generic scale, such as dollars lost.

The second factor is the likelihood or frequency of the event occurring. This is the probability of it occurring. An example of likelihood is the occurrence of a large overfill or a small overfill. An internal study shows that small volume ovefills are more likely than very large overfills.

The risk then includes both the severity and the probability of an event. Risk managers often make a simple mapping of risk such as the map shown in Figure 2. It shows the risk of an overfill in order to rank the importance of the event relative to the many other potential events that can occur in the facility. It puts this specific risk in perspective for the many risks that might exist at a terminal facility. Obviously, this kind of mapping would have to be done for all considered risks for the facility.

Figure 2
Qualitative Risk Ranking Matrix
Mapping Tank Overfills
This is an example only!

1 - Minor risk, no action required
2 - Complete prevention after 3,4, 5 completed
3 - Must address risks
4 - High risk, mitigate risk
5 - Unacceptabl risk; mitigate immediately

Figure 2 shows my personal opinion about the risk of a generic tank overfills. Is it right? The answer, of course, is that it depends. API 2350 states "Because the level of risk and potential loss varies from location to location, a flexible approach should be used in providing alternatives for meeting the objectives of the facility overfill protection program." Some of the risk factors are:

• Flammability of the stored liquid

• Toxicity of the stored liquid

• Proximity of storage to sensitive receptors

• Proximity of storage to population, infrastructure or other facilities

• Rate of receipt

• Types of overfill prevention procedures, hardware, operating practices, etc.

It should be clear that the risk of each site and even each tank could be widely different based upon many factors. This should also provide some insight as to why the one of the key tasks to protect against overfills is a careful risk assessment. It also shows that no single system or program is appropriate for all tanks. What can be said, however, is that as the risks are deemed to be higher and higher, the amount and degree of controls and preventive measures must be increased to keep the risks at the acceptable levels. Because a recommended practice such as API 2350 must cover ALL situations, it must necessarily be written with minimal prescriptive requirements as in doing so would create unwarranted costs with little benefit in many circumstances. We will discuss this more in detail later.

Fundamentals of Overfill Prevention
API 2350 is organized as follows:

• General - covers scope, definitions, and general provisions for all facilities

• Attended facilities

• Unattended facilities

• Procedures

• Appendix A - How to install overfill protection systems

• Appendix B - How to determine tank capacity and product levels

• Appendix C - Overfill protection equipment

Each of these topics is discussed in detail below: The appendices are covered in Part 1.2.

Scope of API 2350
In this section we will discuss the basic principles of API 2350. API 2350 is an outstanding document in that it provides all of the basic and essential principles that will really reduce overfills to an acceptable level. However, it does have some weakness and we will also cover these.

NFPA 30 relies heavily on liquid classifications to control risks. These same classifications are used in API 2350 as well as most other documents dealing with fire prevention.

There are three NFPA classes of liquids is:

NFPA Classification

Flashpoint

Liquid Name

Fire Danger

Class I

Flashpoint < 100F

Flammable liquids

Most dangerous

Class II

100F < Flashpoint < 140F

Combustible liquids

Medium danger

Class III

Flashpoint > 140F

Combustible liquids

Least dangerous

The greatest hazard is represented by the lowest flashpoint. Class I liquids for example, include gasoline and crude oils. Class III liquids; on the other hand, include lube oils and other heavy non-volatile stocks. An easy way to remember hazard is the expression "low flash, high hazard"5

The first thing that should be understood regarding overfill prevention is the extremely narrow focus of API 2350. It applies only to Class 1 liquids where the receipt is strictly from a pipeline or marine delivery. This excludes Class II liquids and it excludes all tank-to-tank transfers. It is clear this publication is minimal in scope and emphasizes the prevention of spills for very volatile liquids, which are delivered at high rate (i.e. via pipeline or ship).

API 2350 thus addresses the highest risks for petroleum storage tanks, yet does not address at all, the risks of any other kind of transfer. This has several important implications:

• An owner/operator cannot "adopt" API 2350 and expect that it the facility is protected against overfill.

• A regulatory agency cannot prescribe API 2350 and expect any significant reduction of overfills.

• There may be a highly varied level of risk at a given facility since applying API 2350 may cause the Owner/Operator only to apply it as per the document scope, neglecting to consider applying it to all tank receipts or transfers, especially if they are hazardous ones. For example, after applying API 2350 the marine receipt risk may be low because the rules of API 2350 are applied, but a tank transfer risk may be very high because these same rules were not considered or were even possibly waived.

When the goal is uniform and appropriate reduction of overfill risk, then the owner, stakeholder, regulator or agency interested in using API 2350 must supplement API 2350 to broaden its scope. While API 2350 has a narrow scope, it should be noted that there are many comprehensive principles that may be applied to all tank fillings and all classes of liquids in all industries that store flammable, toxic or dangerous liquids, however. Applying these principles universally and appropriately is a relatively simple task, once the principles of API 2350 are understood, since it is a matter of making the scope more generalized and implementing the alarms and shutdown systems that are fully and properly described in the document. However, it is a task, not completed by API 2350 and an exercise left to the owner, operator or regulator.

API 2350 Definitions Section
Understanding the definitions of API 2350 is somewhat confusing and subject to varied interpretation. However, the basic understanding of Figure 3 as well as the following should clear up any confusion.

Figure 3
Example of API 2350 Levels
Based on API 2350 Definitions
(Courtesty of the API)

Normal Fill Level or Normal Capacity
This is the level beyond which operations should never go. It should be recognized that this is usually far lower than the "shell capacity" of the tank. A good quick way to determine if there is sufficient capacity in a tank for good overfill protection is to note that if the Normal Fill Level is above about 80 percent of the shell capacity then there could be a problem with insufficient reaction time to close down valves or improper setting of alarms.

High Level Detector
This is the level at which an alarm is typically set. It should be set so that under worst case conditions operations can safely shutdown the receipt or transfer it to another tank.

Safe Fill Level
This is the "last chance" level prior to an overfill occurring. It should be set so that an orderly shutdown can really be accomplished considering reaction time, site-specific conditions and worst-case conditions such as high flow rate. If there is an automated shutdown system or a high-high level alarm, these should be set at this level.

Overfill Level
is really the lower of overflow or when damage occurs such as an internal floating roof bumping into the rafters of a fixed roof or a seal popping out of the tank shell on an external floating roof tank. An overflow may or may not occur at this level.

API 2350 General Section
This section provides the requirements that apply to all kinds of terminals. These are summarized:

• Establish the normal fill level and the safe fill level and the overfill level for all tanks, enter this information on the strapping tables and stencil it near the hatch on the tank or at grade where it is easily visible.

• Use tank product transfer or receipt forms, noting the various levels on the form and communicating this information with the supplier or transporter (pipeline or marine company), prior to starting the receipt.

• Manually or with an automatic tank gauge, establish that there is sufficient ullage prior to a receipt.

• Document the forms above as well as any testing, inspection or maintenance activity related to overfill protection and maintain in files

API 2350 Sections on Attended and Unattended Facilities
Facilities can be classified as attended if operations is on site during the entire receipt, whereas unattended facilities are monitored remotely from another location and operations is not required to be at the facility during the entire transfer. The key difference for the purpose of API 2350 is that unattended facilities are not required to have any instrumentation to operate. If instrumentation for alarms and shutdowns is applied to attended facilities then the rules applicable to unattended facilities are also applicable. API 2350 further includes provisions for "fully automated operation" that requires that an independent detector system be used to automatically shutdown the receipt. Shutdown means either turning off the supply pump(s), closing the tank inlet valve automatically, or automatically diverting flow to another tank or pipeline.

Fundamentals of Overfill Prevention
API 2350 is organized as follows:

• General - covers scope, definitions, and general provisions for all facilities

• Attended facilities

• Unattended facilities

• Procedures

• Appendix A - How to install overfill protection systems

• Appendix B - How to determine tank capacity and product levels

• Appendix C - Overfill protection equipment

Each of these topics is discussed in detail below: The appendices are covered in Part 1.2.

Scope of API 2350
In this section we will discuss the basic principles of API 2350. API 2350 is an outstanding document in that it provides all of the basic and essential principles that will really reduce overfills to an acceptable level. However, it does have some weakness and we will also cover these.

NFPA 30 relies heavily on liquid classifications to control risks. These same classifications are used in API 2350 as well as most other documents dealing with fire prevention.

There are three NFPA classes of liquids is:

NFPA Classification

Flashpoint

Liquid Name

Fire Danger

Class I

Flashpoint < 100F

Flammable liquids

Most dangerous

Class II

100F < Flashpoint < 140F

Combustible liquids

Medium danger

Class III

Flashpoint > 140F

Combustible liquids

Least dangerous

The greatest hazard is represented by the lowest flashpoint. Class I liquids for example, include gasoline and crude oils. Class III liquids; on the other hand, include lube oils and other heavy non-volatile stocks. An easy way to remember hazard is the expression "low flash, high hazard"5

The first thing that should be understood regarding overfill prevention is the extremely narrow focus of API 2350. It applies only to Class 1 liquids where the receipt is strictly from a pipeline or marine delivery. This excludes Class II liquids and it excludes all tank-to-tank transfers. It is clear this publication is minimal in scope and emphasizes the prevention of spills for very volatile liquids, which are delivered at high rate (i.e. via pipeline or ship).

API 2350 thus addresses the highest risks for petroleum storage tanks, yet does not address at all, the risks of any other kind of transfer. This has several important implications:

• An owner/operator cannot "adopt" API 2350 and expect that it the facility is protected against overfill.

• A regulatory agency cannot prescribe API 2350 and expect any significant reduction of overfills.

• There may be a highly varied level of risk at a given facility since applying API 2350 may cause the Owner/Operator only to apply it as per the document scope, neglecting to consider applying it to all tank receipts or transfers, especially if they are hazardous ones. For example, after applying API 2350 the marine receipt risk may be low because the rules of API 2350 are applied, but a tank transfer risk may be very high because these same rules were not considered or were even possibly waived.

When the goal is uniform and appropriate reduction of overfill risk, then the owner, stakeholder, regulator or agency interested in using API 2350 must supplement API 2350 to broaden its scope. While API 2350 has a narrow scope, it should be noted that there are many comprehensive principles that may be applied to all tank fillings and all classes of liquids in all industries that store flammable, toxic or dangerous liquids, however. Applying these principles universally and appropriately is a relatively simple task, once the principles of API 2350 are understood, since it is a matter of making the scope more generalized and implementing the alarms and shutdown systems that are fully and properly described in the document. However, it is a task, not completed by API 2350 and an exercise left to the owner, operator or regulator.

API 2350 Definitions Section
Understanding the definitions of API 2350 is somewhat confusing and subject to varied interpretation. However, the basic understanding of Figure 3 as well as the following should clear up any confusion.

Figure 3
Example of API 2350 Levels
Based on API 2350 Definitions
(Courtesty of the API)

Normal Fill Level or Normal Capacity
This is the level beyond which operations should never go. It should be recognized that this is usually far lower than the "shell capacity" of the tank. A good quick way to determine if there is sufficient capacity in a tank for good overfill protection is to note that if the Normal Fill Level is above about 80 percent of the shell capacity then there could be a problem with insufficient reaction time to close down valves or improper setting of alarms.

High Level Detector
This is the level at which an alarm is typically set. It should be set so that under worst case conditions operations can safely shutdown the receipt or transfer it to another tank.

Safe Fill Level
This is the "last chance" level prior to an overfill occurring. It should be set so that an orderly shutdown can really be accomplished considering reaction time, site-specific conditions and worst-case conditions such as high flow rate. If there is an automated shutdown system or a high-high level alarm, these should be set at this level.

Overfill Level
is really the lower of overflow or when damage occurs such as an internal floating roof bumping into the rafters of a fixed roof or a seal popping out of the tank shell on an external floating roof tank. An overflow may or may not occur at this level.

API 2350 General Section
This section provides the requirements that apply to all kinds of terminals. These are summarized:

• Establish the normal fill level and the safe fill level and the overfill level for all tanks, enter this information on the strapping tables and stencil it near the hatch on the tank or at grade where it is easily visible.

• Use tank product transfer or receipt forms, noting the various levels on the form and communicating this information with the supplier or transporter (pipeline or marine company), prior to starting the receipt.

• Manually or with an automatic tank gauge, establish that there is sufficient ullage prior to a receipt.

• Document the forms above as well as any testing, inspection or maintenance activity related to overfill protection and maintain in files

API 2350 Sections on Attended and Unattended Facilities
Facilities can be classified as attended if operations is on site during the entire receipt, whereas unattended facilities are monitored remotely from another location and operations is not required to be at the facility during the entire transfer. The key difference for the purpose of API 2350 is that unattended facilities are not required to have any instrumentation to operate. If instrumentation for alarms and shutdowns is applied to attended facilities then the rules applicable to unattended facilities are also applicable. API 2350 further includes provisions for "fully automated operation" that requires that an independent detector system be used to automatically shutdown the receipt. Shutdown means either turning off the supply pump(s), closing the tank inlet valve automatically, or automatically diverting flow to another tank or pipeline.

API 2350
Reference
Paragraph

Provisions

Attended
No detectors
No ATG

Unattended
Or Attended
with Detectors

Unattended
Fully Automated

 

General Requirements Applicable to All Facilities

1.4.2,1.4.2.1

Establish normal, safe, and overfill level Enter into strap tablesDisplay near gage hatch, ground level at gages or where visible to operations

Y

Y

Y

1.4.2.3

Prepare product transfer or receipt documents which have the normal, safe and overfills documented and communicate to shipper, transporter or supplier of receipt prior to receipt

Y

Y

Y

1.4.3

Prior to receipt manually gage or use ATG to confirm adequate ullage for receipt

Y

Y

Y

1.4.4

All product receipts, records relating to inspection, testing or maintenance of the overfill prevention system shall be retained for a suitable period as determined by the Owner / Operator policy

Y

Y

Y

 

Detector and ATG Requirements

3.1.1

Detectors required

N

Y

Y

3.1.6

If ATG used with detector, it shall be independent

NA

Y

Y

3.2.1

Independent automated shutdown / diversion system required2

N

N

Y

R3

Verify accuracy of ATG (handgage)

NA

Y

Y

 

Pre Receipt Activities

1.3.1

Operator on premises at all times during receipt

Y

N

N

2.1.1, 4.2.6

Established acknowledged communications which continue throughout receipt

Y

N

N

1.4.3

Hand gage tank before receipt begins

Y

N

N

1.4.3

Automatically gage tank before receipt using ATG

N

Y

Y

2.1.1,4.2.4

Visual verification of valve line up with open valve to tank to be filled4

Y

Y

Y

2.1.1,4.2.4

Visual verification of valve line up set with valves closed to other tanks

Y

Y

Y

 

During Receipt

2.1.2

Maintain frequent and acknowledged communication with supplier

Y

N

N

3.1.2

Continuous monitoring of receipt

N

Y

Y

2.1.3

Immediately after start, verify flow to correct tank

Y

N

N

2.1.3

Verify ATG operation confirms receipt

Y

Y

Y

2.1.4

Check tanks periodically, record gage readings

Y

N

N

2.1.5

Walk the tank field inspecting pumps, piping, sec containment drainage valves, etc

Y

N

N

2.1.6.1

Operator monitoring completion of receipt continuously near completion of receipt and until complete


Y
30 min.


Y
30 min.

Y

 

Post Receipt

R

Close receipt valve immediately afterAlso, after extended interuption of receipt

Y

Y

Y

R

File paperwork in system

Y

Y

Y

1 The setting of alarm or shutdown levels should provide sufficient time for an orderly shutdown or diversion based upon the highest expected flow rates.

2 Shutdown/diversion may be accomplished by shutting down a pump, closing the inlet valve on the tank or diverting flow to another tank or pipeline

3 Designation of "R" indicates that this requirement is not in API 2350 but is recommended by the author

4 Valve line up means that only the valve open to the receipt tank is open and the valves to all other tanks are closed.

Table 1 shows the basic operating requirements for unattended and attended facilities in a more concise and clearer format than as presented in API 2350. Three columns are provided for attended, unattended and unattended fully automated systems. The table clarifies the requirements by sequencing them into general-purpose requirements, pre-receipt requirements, during receipt requirements and post receipt requirements. A few requirements, which are not in API 2350, are included as good practice and are indicated in the paragraph reference column by "R".

One of the most confusing aspects of API 2350 is the distinction of single stage and two stage systems. It becomes clear that the authors of 2350 wanted to account for the various systems in existence but made no attempt to clarify when or how these systems are used. Typically, tanks may use a "high" or a "high-high" alarm. The second level may be an alarm, and or an automated shutdown or both. The issues related to the rationale and use of single versus two stage systems is beyond the scope of this paper. However, a few comments are in order. More stages mean more complexity. If 2 stages of alarm are used, then the response should typically be a "graded response", meaning that some kind of response is required for the first alarm, and a new response, presumably more intense response, is required for the second alarm stage. If this is not done, then the first alarm may be considered an operating alarm as opposed to an alarm that requires action. This tends to lull the operator into a false sense of security.

API 2350 Procedures Section
Much of the essential information regarding this section is captured in Table 1. A key provision for effective procedures is that they be updated according to management of change practices. An example of a change, that could create significant problems, is an increase of receipt flow rate. The operator reaction time would be increased to the point where there is no longer adequate time to enact an orderly shutdown in the event that the normal fill level is unexpectedly exceeded. There are many other examples of unique and site-specific circumstances that all argue that site specific procedures should be used that can take into account the individual equipment, site conditions and risk. Procedures should be written.

One of the implicit assumptions that API 2350 makes is that a receipt is a simple batch process wherein the receipt is a given size, which is smaller than the ullage in the tank. In reality, a receipt may not fit into a tank, without other activities such as loading out to trucks simultaneously, all without having an overfill. This simple scenario of filling tanks is not always the case. In some cases the tank is being filled and emptied at the same time. These kinds of problems must be worked out individually and with the involvement of the stakeholders, including local operations, management, and the transporter.

If a company uses a behavior-based system that tracks near misses and incidents, then procedures can be implemented that identify which stage corresponds to a near miss or to an incident. For example, a near miss might be assigned to tripping a high level alarm, and an incident attributed to tripping the second stage alarm or the automated shutdown system. There are other ways to assign near misses and incidents. What is important about this is that a consistent approach that provides lessons learned be implemented that helps those responsible for the future of these operations to avoid or eliminate overfills.

The written procedures must also address the requirements for testing and maintaining the overfill system. The actual requirements are covered separately.

1 American Petroleum Institute, "Overfill Protection for Storage Tanks in Petroleum Facilities", API Recommended Practice 2350, 2nd edition, January 1996

2 I would particularly like to acknowledge Frank Berto, retired from Chevron, whose efforts and activities provided outstanding guidance in the development of the document.

3 I would like to acknowledge Dick Krause, Petrosafe Inc., who provided expertise as well as the primary document writing effort, which resulted in a document that has effectively stood the test of time.

4 NFPA 30 paragraph 2-3.4.3).

5 NFPA 30 Handbook, 1996 Edition.

Philip E. Myers, retired from Chevron Products Co., where he specialized in tank and pressure-vessel technology. He is currently consulting.

Discuss