Document no: GEN 49 Type: Site Technical Practice

Overfill Prevention for Fixed Storage Tanks

GEN 49

Document owner:

A J Mitchell 30 April 2008 1

Document approver: S J Ritchie Date issued: Issue number:

Overfill prevention for fixed storage tanks

Copyright Air BP Limited All rights reserved. This document and the information it contains, or may be extracted from it, is subject to the terms and conditions of the agreement or contract under which the document was supplied to the recipient's organisation. None of the information contained in this document shall be disclosed outside of the recipient's own organisation without prior written permission of Air BP Limited, unless the terms of such agreement.

Date Issued: 22 Apr 08 30 Apr 08

Revision No: 0 1

Reason for issue: Initial issue, clarification of Air BP Regulations requirements and incorporating GEN 50 requirements. Section 5.8 rewritten entirely, Appendix 2 added no other changes

Registered Address: Air BP Limited Chertsey Road Sunbury-on-Thames Middlesex TW16 7LN UNITED KINGDOM

Air BP Limited

GEN 49_1 Page 2 of 18

30 April 2008

Overfill prevention for fixed storage tanks

TABLE OF CONTENTS
1 2 3 4 5 5.1 5.2 5.3 5.3.1 5.3.2 5.3.3 5.3.4 5.3.5 5.3.6 5.3.7 5.4 5.4.1 5.5 5.6 5.6.1 5.6.2 5.6.3 5.6.4 5.6.5 5.6.6 5.6.7 5.7 5.7.1 5.7.2 5.7.3 5.8 5.8.1 5.8.2 5.8.3 5.8.4 5.8.5 INTRODUCTION ....................................................................................................................... 5 SCOPE ...................................................................................................................................... 5 OVERFILL PREVENTION PRINCIPLE .................................................................................... 5 TERMINOLOGY ........................................................................................................................ 5 FIXED STORAGE TANKS ........................................................................................................ 5 Common Requirements .......................................................................................................... 6 Tanks <1000 litres.................................................................................................................... 6 Storage Tanks (>1000 litres) ................................................................................................... 7 Buried Tank Vent Height............................................................................................................ 7 High Level Function ................................................................................................................... 7 High High Level Function........................................................................................................... 7 Infrequent Bridger Deliveries ..................................................................................................... 9 Test Rig Returns........................................................................................................................ 9 Intermediate Bulk Containers (IBCs) ......................................................................................... 9 Other Requirements .................................................................................................................. 9 Deadman for Bridger Offloading ............................................................................................ 9 Typical Deadman Arrangement ................................................................................................. 9 De-aeration Tanks.................................................................................................................. 10 Setting of Fill Levels.............................................................................................................. 10 Overfill/Damage Level ............................................................................................................. 10 LSHH Maximum Setting .......................................................................................................... 11 Response Time 3: LSHH to Overfill/Damage Level (Maximum Capacity).............................. 11 Response Time 2: LSH to LSHH ............................................................................................ 11 Response Time 1: Normal Fill Level to LSH ........................................................................... 11 Normal Fill Level to LSHH ....................................................................................................... 11 Single High Level Shut-off Device ........................................................................................... 12 Alarm Operation..................................................................................................................... 12 Alarm Location and Tone......................................................................................................... 12 Accepting Alarms..................................................................................................................... 12 Alarm Over-ride ....................................................................................................................... 12 Overfill Protection System Testing & Maintenance............................................................ 12 Test Frequency........................................................................................................................ 13 General Common to most Methods...................................................................................... 13 Controlled Filling to High.......................................................................................................... 14 Controlled Filling to High High ................................................................................................. 15 Software Simulation................................................................................................................. 15 GEN 49_1 Page 3 of 18 30 April 2008

Air BP Limited

Overfill prevention for fixed storage tanks 5.8.6 5.8.7 5.8.8 5.9 Built-In Testing......................................................................................................................... 15 Mechanical Simulation............................................................................................................. 15 Records ................................................................................................................................... 16 Reporting................................................................................................................................ 16

APPENDIX 1: TANK LEVEL DEFINITIONS (BASED ON API 2350)................................................ 17 APPENDIX 2: TYPICAL LEVEL ALARM TEST RECORD CONTENTS........................................... 18 ATTACHMENT 1: GEN 49.Vertical Tank Fill Levels.xls

Air BP Limited

GEN 49_1 Page 4 of 18

30 April 2008

Overfill prevention for fixed storage tanks

INTRODUCTION This document is intended to set out the minimum requirements to ensure that product transfers into new and existing fixed storage tanks are carried out safely and that the risk of tank overfills is reduced. HAZOPs and Layers of Protection Analysis (LOPA) may require further protection layers to be installed, but shall not be used to reduce the minimum requirements detailed herein. This technical practice re-affirms some long-standing requirements of the Air BP Regulations Fuelling & Quality Control and sets some new requirements. It is also aligned with the BP Process Safety Booklet: Safe Tank Farms and (Un)loading Operations 3rd Edition.

SCOPE The document sets out common requirements that shall be applied to all types of fixed storage tank facilities and specific requirements for certain transfer processes and configurations. Tanks filled using a bucket/sample jar or using a hose with a gravity nozzle that cannot be latched open (i.e. the operator is positioned at the fill point) do not require overfill protection (e.g. drums (except automated drum filling), some trailers, some diesel/gas oil storage tanks, Flo-bins).

OVERFILL PREVENTION PRINCIPLE The basic principle is that there shall be two systems to prevent overfills: People & Process: Provided by a suitably trained operator continuously monitoring and controlling the transfer into storage and ensuring that there is sufficient space in the tank (ullage) to contain the product being transferred. Plant: Provided by an automatic system that warns of an unsafe condition or stops the transfer of product if the level in the tank or vessel exceeds predetermined levels.

TERMINOLOGY The following terms are used in control terminology used on Piping and Instrumentation Diagrams (P&IDs) and the abbreviations are used throughout this document: LSH LSHH LAH LAHH Level Switch High an instrument/sensor or output from sensor, e.g. a high level alarm signal derived from a tank gauging system Level Switch High High an instrument/sensor independent from LSH Level Alarm High an automatic alarm that is generated by the output from the LSH Level Alarm High High an automatic alarm that is generated by the output from the LSHH

The LAL (Level Alarm Low) and LALL terms are not relevant to overfill protection. 5 FIXED STORAGE TANKS A fixed storage tank is defined as a tank either permanently or temporarily sited to receive, hold and dispense aviation fuel. It excludes all forms of mobile tanks used to transport fuel.

Air BP Limited

GEN 49_1 Page 5 of 18

30 April 2008

Overfill prevention for fixed storage tanks 5.1 Common Requirements The common requirements are: a. Site Specific Task Breakdowns (SSTBs) shall be in place for all routine product transfers into fixed storage tanks, e.g. pipeline, rail tank car, ship/barge, road tanker (bridger) and test rig receipts and tank-to-tank transfers. b. Operators shall be trained and approved against the SSTBs. c. All storage tank filling shall be monitored at all times. Monitoring is defined as being able to react to all alarms at all times: A competent person should be present around the tank area, although some highly automated and instrumented systems may allow remote or control room based monitoring (typically for pipeline or ship receipt). d. The operator (the driver for Driver Controlled Deliveries) shall verify that there is sufficient ullage in the receiving vessel to complete the transfer without exceeding the Normal Fill Level (NFL). Where the transfer is intended for multiple tanks (e.g. pipeline receipts into a succession of tanks) then the operator shall verify that there is sufficient total ullage in the receiving vessels (within their NFLs) and SSTBs shall be created to manage the receiving tank change, either with an interruption to flow or with a flying switch flying switches shall only be carried out where there are non-return valves on the inlet valves (to stop tank levelling). e. For pipeline and ship/barge receipts the estimated transfer time shall be calculated prior to the start of each transfer. The transfer shall be stopped and ullage checks shall be carried out if the transfer time is exceeded. Ideally the transfer time should be monitored and updated as necessary, e.g. if there is a supply disruption or if the flow rate changes. f. Vessels receiving product from relief systems shall be sized to accommodate the maximum expected discharge volume. Flow from safety-related pressure relief systems shall not be stopped automatically even if the NFL in the tank/vessel is exceeded manual interventions on the pressure relief system are permitted (e.g. if a relief valve malfunctions), however pressure relief shall be maintained or the requirement for relief removed (e.g. by draining down). Where Pipeline Service Tanks are used for a common duty, e.g. pig cloud receipts and pressure relief, sufficient ullage shall be maintained to fulfil all the duties. g. A SSTB shall be in place for level alarm system testing. h. There should be a SSTB which requires the level of fuel in a tank to be monitored regularly or lowered if the LSHH or the high level shut-off device is activated. If the high level is not monitored regularly, for aboveground tanks the fuel level shall be lowered sufficiently to allow ullage for the maximum thermal expansion of the tank contents envisaged under extreme climatic or operating conditions (a 10C temperature rise is assumed equating to 1% volume increase for Jet and 1.7% for Avgas from product coefficient of expansion). 5.2 Tanks <1000 litres If a fixed tank/vessel is used for flushing or sampling: an automatic shutoff system, which may be mechanical, shall be fitted to stop flow when the NFL is reached if the level is not monitored visually at all times during filling.

Air BP Limited

GEN 49_1 Page 6 of 18

30 April 2008

Overfill prevention for fixed storage tanks if the level of product is monitored visually at all times during filling a spring loaded valve may be used to control filling without an automatic shut-off system. 5.3 5.3.1 Storage Tanks (>1000 litres) Buried Tank Vent Height Buried tanks used for receipts shall have vents at least 4m above the ground level and in all circumstances shall be higher than the top of the bridger/rail tank car (to prevent gravity or column surge flow out of the vent pipe in the event of an overfill). For existing sites that meet national height regulations no retrospective modification action is required Note that there are many national regulations for minimum vent height. The height of any potential liquid column in the vent shall not exceed the design pressure of the tank. There is no minimum vent height requirement for buried or semi-buried tanks used for sample returns however the vent shall be above the height of the sampling station if there is no automatic shut-off. 5.3.2 High Level Function A LSH shall be installed and its associated LAH shall: Warn the operator, by means of an audible and visual alarm, that the NFL has been exceeded (the SSTB shall require the receipt to be halted or to be directed into another tank), or; Warn the operator, by means of an audible and visual alarm, that the NFL has been exceeded and initiate the automatic operation of tank inlet valves so that fuel is directed into another tank; this operation does not require LOPA assessment, which will be limited to the final overfill protection, or; Stop the flow, similar to LAHH (see below), and warn the operator with an audible and visual alarm even if the pump has stopped or an air operated pump has stalled) to indicate why the pump has stopped: This alarm requirement is for new systems but is not retrospective (i.e. existing systems may stop the flow without any alarm). 5.3.3 High High Level Function In addition to the LSH (detailed above) a LSHH shall be installed, although some exceptions are listed below. When the LSHH is activated (i.e. there is a High High level condition) it shall initiate an audible and visual alarm as well as activate automatic shutdown of product transfer into the tank by: a. Closing pipeline receipt block valves for cross-country pipelines: These valves should be of a fail-safe type which will close automatically should the control signal be lost or if there is a power failure. Activation of this system must not give rise to system overpressure or potential loss of containment elsewhere in the supplying system therefore receipt from a pipeline shall have a surge analysis for all conceivable flow scenarios. b. Stopping all offloading pumps (vehicle, railcar and ship/barge) that are part of the receiving facility. c. Stopping any pumps in a connected depot which could be used to transfer fuel from a tank there into the tank with the LSHH signal. If the tops of the tanks in the connected depot are higher than the tops of the tanks in the receiving depot, there should also be automatic closure of a valve in the transfer line.

Air BP Limited

GEN 49_1 Page 7 of 18

30 April 2008

Overfill prevention for fixed storage tanks In some circumstances it may not be necessary to automatically stop the transfer pumps if there is a fail-safe valve in the transfer line which automatically closes in the event of a LSHH condition. d. Closure of a fail-safe emergency shutdown valve in the test rig return line (not required if all tankside valves close but the valve closure time may be longer). e. Stopping any tank-to-tank transfer pumps (sample return pumps may be excepted if the maximum volume they could transfer could not cause an overflow). If the top of the receiving tank is lower than the top of the delivering tank, the LSHH should also cause automatic closure of a valve in the transfer line. f. Closing the tank inlet valve when fitted with an electric actuator; this may not be desirable if fuel is to be received from a ship or barge which pumps into the tank (see below). g. Where practicable, closing a fail-safe emergency shutdown valve in each pipeline (or manifold) used for the receipt of fuel from a ship or barge which uses its own pumps for offloading fuel. Activation of this system must not give rise to system overpressure or potential loss of containment elsewhere in the supplying system, therefore receipt from a ship/barge shall have: A surge analysis for all conceivable flow scenarios, and; Ship to shore communications on an open channel (either telephone line to ship control room or permanently manned position, or radio tuned to and turned on to a defined frequency) at all times during the transfer, and; [Note that the International Safety Guide for Oil Tankers and Terminals (ISGOTT) requires a back-up system of communication as well.] LAHH with automatic shutdown, except where surge considerations dictate that shutdown shall be activated by the ship using radio command or other communication method.

Where closure of a fail-safe emergency shutdown valve is not practicable, reliance shall be placed on the ship's or barge's crew stopping the pumps when they hear or see an alarm. Appropriate alarms on the jetty, procedures, training and supervision shall be provided to ensure that this happens. The precise requirements for what is to be shut down by a LSHH condition shall be examined for each individual depot as there may also be a need to stop other systems, e.g. hydrant pumps: This will form part of the HAZOP review of the Emergency Shutdown (ESD) Cause and Effect chart, 5.3.3.1 It shall not be possible under normal operations to restart the fuel transfer into a tank with the High High level until the level in the tank has been lowered. It is permissible to restart the transfer into a different tank, provided that the tank at High-High is confirmed fully isolated and is also monitored. It should be possible to lower the tank fill level to NFL, although special considerations need to be made for operations recertifying product or where the control system has a time delay (e.g. for settling). The LSHH shall be completely independent of the LSH and should (shall for new systems) be fail-safe, i.e. in the event of loss of power, open circuit (broken wire) or short circuit it will activate a system shutdown. Wherever practicable, the LAHH shutdown system should be 'hard-wired' and not rely on standard programmable systems for its correct operation (this should also be the case for

5.3.3.2

5.3.3.3

Air BP Limited

GEN 49_1 Page 8 of 18

30 April 2008

Overfill prevention for fixed storage tanks other emergency shutdown systems), unless the programmable system has a formal safety rating (see ELEC 100 Safety Instrumented Systems). However, programmable systems may be used to repeat status information and to use it in other non-critical ways. 5.3.4 Infrequent Bridger Deliveries Sites with bridger deliveries only and which average less than one delivery per day shall have at least a single tank overfill protection device that stops flow, which need not incorporate an alarm (i.e. may be fitted with a single float operated mechanical device, but with no LAH or LAHH). 5.3.5 Test Rig Returns Tanks shall have an activated shutdown system (e.g. solenoid operated valve, float valve, automated tankside valve) to prevent overfilling from test rig returns. See also 4.3.3 d. 5.3.6 Intermediate Bulk Containers (IBCs) IBCs (e.g. Flo-Bins) that are filled using an unlatched overwing nozzle (and therefore operator attendance at the fill point) do not require overfill prevention equipment. The filling of Isotanks used for road or sea transportation shall be evaluated on a caseby-case basis by the Asset Operations Manager and Asset Engineering Authority. Isotanks used for static storage shall be considered as a normal tank. 5.3.7 Other Requirements Tanks shall be fitted with a measuring device or system that will allow tank ullage to be determined, e.g. automatic tank gauging, contents gauge, dip hatch (for dipstick or dip tape). Where there are interconnected storage tanks (i.e. with common fill or outlet manifolds) of differing heights then non-return valves shall be fitted to both the inlet and outlet lines. Slow bleed valve devices may be installed to allow draining of offloading hoses into the tank with the High High level after an overfill protection device has activated, provided the volume of the drained hose/pipework does not cause the tank maximum capacity to be exceeded; this only applies to gravity fill tanks. 5.4 Deadman for Bridger Offloading For new systems using a fixed pump to offload the bridger a timer deadman shall be used to stop the flow of fuel. For existing pumped bridger offloading systems a deadman system should be fitted LOPA analysis may show that there is adequate protection in place without a deadman system. If LOPA analysis shows that a deadman is required and none is fitted, then a timer deadman system shall be installed a simple deadman, which requires the operator to release the deadman to stop the operation, is a lower standard and shall not be used for new or modified installations. 5.4.1 Typical Deadman Arrangement The typical timer deadman arrangement consists of a hand switch with a 10m suzi cable, which forms part of an intrinsically safe circuit and an indicator lamp. The deadman logic operates as follows: Before starting the pump, the operator holds the deadman switch closed. The indicator lamp will come on steadily; The operator may the start the pump using the start button; After 2 minutes, the indicator shall start to flash once per second; Air BP Limited GEN 49_1 Page 9 of 18 30 April 2008

Overfill prevention for fixed storage tanks The operator must then release the deadman switch within 10 seconds of the start of the flashing and re-close it within 2 seconds; If the operator fails to do this, the pump shall be stopped and the starting process must be initiated from the beginning; When the operator releases the deadman and re-closes it, the indicator shall change from flashing and shall remain on steadily. If the operator releases the deadman for more than 2 seconds, the indicator shall go off and the pump shall stop. 5.5 De-aeration Tanks Where tanks are used for de-aerating bridger or rail tank car receipts, they may be filled completely and the vent systems may be wet provided that: no spillage will flow from the vent, and; the tank design pressures are not exceeded, and; all other tank openings are designed to be wet and are sealed to prevent a spillage. For such systems a tank overfill prevention device or level alarm and shutdown system may prevent the design intent and therefore may not be required. 5.6 Setting of Fill Levels This section should be read in conjunction with the diagram at Appendix 1. The setting of tank fill levels is determined by both the tank design and the operational constraints detailed below. All settings and assumptions shall be recorded a companion spreadsheet GEN 49.Vertical Tank Fill Levels.xls has been created for use with vertical tanks. 5.6.1 Overfill/Damage Level This is the level limited by design or reduced structural capacity and will be the lowest of the following: a. Structural. This is the maximum level (hydrostatic pressure) that the tank has been structurally designed for and is usually at the top of the shell (i.e. top of the curb angle). This level may have been modified (lowered) during the life of the tank, e.g. due to plate thinning as a result of corrosion or due to a change in duty. b. Damage. This is the maximum level where an internal floating deck will suffer damage by contacting the fixed roof or an external floating roof will suffer damage by the seals overtopping the shell of the tank to the extent that they will de damaged when the level is lowered. c. Foam pourer effectiveness. This is the maximum level for the foam pourer to be effective, i.e. there is sufficient height below the pouring aperture for the foam pourer to be able to apply foam effectively to the top of the product it shall be as per the manufacturers recommendations and shall be below the invert of the pourer (one supplier recommends 300mm for their pourers). d. Spillage. This is the level where spillage from the tank will occur and caters for those tanks that are fitted with overflows. e. Seismic considerations. This is a level to give adequate ullage to accommodate slosh and/or to limit compressive (overturning) loads in the shell. Air BP Limited GEN 49_1 Page 10 of 18 30 April 2008

Overfill prevention for fixed storage tanks 5.6.2 LSHH Maximum Setting LSHH shall be set below the curb angle for vertical tanks and below the top of the cylindrical shell for horizontal tanks. It shall be equal to or less than the Overfill/Damage level. 5.6.3 Response Time 3: LSHH to Overfill/Damage Level (Maximum Capacity) The response time is the worst combination of filling rate and time taken to travel from the control room to either close the valve (after the LAHH has warned the operator but automatic valve closure has not occurred) or to confirm that the transfer pump(s) has stopped operating (assuming no flow into tank due to gravity): This assumption shall be documented in the Operating Envelope document, and the Design Basis (where it exists). In considering filling rates careful consideration shall be taken where there: is more than one inlet / outlet on the tanks; are multiple pipeline feeds, bridger or other offloading activities; or, where the tanks can receive flow from a fuel hydrant (e.g. during flushing, depressurisation or pressure relief). For vertical tanks an additional curb angle margin (normally 50mm / 2) should be considered to allow for any possible unevenness of the curb angle. If the tank is filled to LSHH typical thermal expansion shall not cause overtopping and shall not exceed the shell height (minus the curb angle allowance). 5.6.4 Response Time 2: LSH to LSHH The response time is based on the worst combination of filling rate and time taken to: activate and close a remotely operated valve (this includes redirecting flow to another tank), or to shut down the pump (and stop the flow), or get from the control room to the tank manual valve. This assumption shall be documented in the Operating Envelope document, and the Design Basis (where it exists). 5.6.5 Response Time 1: Normal Fill Level to LSH The NFL shall be set with an adequate margin below the LSH to prevent spurious operation of the alarm, e.g. due to stopping of the inflow, but should be close enough to the LSH to enable overfilling to be detected rapidly and to utilise the maximum capacity of the tank. The LSH level may be passed by typical thermal expansion. Separation between NFL and LSH may also help to discourage inappropriate use of the LSH to control the filling operation. 5.6.6 Normal Fill Level to LSHH To prevent spurious LSHH operation due to maximum thermal expansion a minimum 10C product temperature increase shall be assumed, therefore NFL to LSHH separation shall be at least 1% by volume for Jet and 1.7% for Avgas (coefficients of expansion 0.001 and 0.0017 /C respectively). [Note that in API 2350 terminology Safe Fill Level is similar to tank rated capacity and is not the NFL therefore where different terminology is used the definition shall be recorded.]

Air BP Limited

GEN 49_1 Page 11 of 18

30 April 2008

Overfill prevention for fixed storage tanks 5.6.7 Single High Level Shut-off Device Where there is only a single shut-off device then it should be set to operate at the same level as the LSHH would otherwise be set it may be set lower but not higher. 5.7 5.7.1 Alarm Operation Alarm Location and Tone The level alarms, both LAH and LAHH, should be given by an audible alarm which can be heard everywhere in the yard and in the depot office, and visually by a light on an annunciator panel in the depot office (or appropriate manned area). If there are remote bridger, railcar, ship or barge offloading facilities, the LAHH should be repeated there, as, in most cases, should the LAH. The audible alarms for the LAH and LAHH should be easily distinguishable from each other and from the fire alarms. Consideration may be given to adopting three distinct audible alarms for the fuel system in addition to the fire alarms: Level 1 to sound in the office and yard areas: This would correspond to a shutdown condition typically caused by a tank LAHH or LALL (Level Alarm Low Low) or the operation of an emergency stop button. Level 2 to sound in the office and yard areas: This would correspond to a normal operating condition which requires prompt attention by the operator. Typically a tank LAH or LAL level alarm would fall into this category. Level 3 to sound in the office only: This alarm would normally only be appropriate for depots with a high degree of automation. It would be used to draw the operator's attention to an important but less urgent condition. 5.7.2 Accepting Alarms Normally each 'accept' alarm' button should only be located where the action is to be taken, but consideration may be given to accepting alarms for remote locations from the main depot, if this is both convenient and would not give rise to a hazard. 'Accepting' an alarm means silencing the audible alarm and changing the corresponding annunciator lamp from a flashing to a steady 'ON' state. 5.7.3 Alarm Over-ride Where there are LAHH or LAH over-ride facilities these should be simple, consistent and as few as possible to minimise disruption to the running of the operation. No over-ride shall be used unless properly sanctioned by an authorised person using an agreed process, e.g. Task Breakdown or Management of Change, and appropriate additional precautions have been identified and taken. Over-rides shall have key-switches with controlled keys. In the event that the LAH and/or LAHH systems are overridden there shall be a clear indication in the operations room, with regular reminders if necessary. 5.8 Overfill Protection System Testing & Maintenance There are too many permutations of overfill prevention systems to write an effective or safe generic Task Breakdown for the Training Manual therefore the following should be taken into consideration when creating SSTBs the list is by no means exhaustive. Some of the wording is such that it can be copied and pasted directly into a SSTB. SSTBs for testing overfill prevention equipment shall be approved by the Engineering Authority (EA) for the site.

Air BP Limited

GEN 49_1 Page 12 of 18

30 April 2008

Overfill prevention for fixed storage tanks Electrical, electronic or programmable overfill systems shall be tested in accordance with the requirements of ELEC 100 Safety Instrumented Systems, which refers to ELEC 101 Layers of Protection Analysis (LOPA). System testing falls into the following main categories, which are detailed further below (note that different methods may be appropriate for the High and High High level alarm testing): Controlled Filling Software Simulation Mechanical Simulation Built-In Testing There is little difference between High and High High level alarm system testing within the same category, but there may be different safeguards. Guidance for some methods may be applicable for others, but these are not repeated under each heading as there are too many permutations. 5.8.1 Test Frequency The test frequencies are: High level alarm minimum annually, typically monthly. High High level alarm minimum annually (as determined by LOPA). All mechanical overfill protection devices shall be tested at least annually where practicable this should be 6-monthly. If the test does not verify the floats integrity (e.g. overfill may be simulated by activating the float level mechanism by test wire/hand, but if the float itself is holed then the float may not activate the mechanism) then the integrity of the float shall be verified at least every 3 years. 5.8.2 General Common to most Methods All SSTBs shall include a thorough and accurate system description with reference, where appropriate, to manufacturers manuals: It should include where all the sirens are located, what the alarm sound should be, what lights should flash and their location, and reset requirements. Reference should be made to the Cause and Effect Chart associated with the Piping and Instrumentation Diagram (P&ID): For simple sites a P&ID is sufficient where the shutdown linkages are shown. Note that the NFL is a nominal value that can be affected by product temperature and time taken to shut down the transfer, therefore current fill level may not equal NFL. Do not stand next to the tank vent when tank filling as there will be a vapour rich atmosphere. Cabling damage is a common failure mode, whether obvious at instrument connections and bends, or hidden inside cable runs due to insulation breakdown or rat damage. Some instruments will have a built-in test capability that will analyse cable connectivity. Known failure modes for float type level switches are a holed float and dirt in the float contact. Many checkable types of mechanical float switch, e.g. TAV, have known failure modes and require accurate re-setting after testing, hence it is essential to read the manufacturers documentation.

Air BP Limited

GEN 49_1 Page 13 of 18

30 April 2008

Overfill prevention for fixed storage tanks If the activity involves opening a manway then appropriate precautions shall be taken to prevent objects and personnel from falling into the tank similar to annual tank inspection. Confined space entry procedures may be required. When a level alarm function is activated all audible and visual alarms and indications shall be checked for correct operation at each test. Where equipment is shut down (e.g. valves close, pumps stop operating) the test regime shall ensure that all equipment is tested within the minimum calendar frequency (e.g. if there are 2 bridger offloading pumps that shut down on High High then both shall be checked for shutting down within the year this may mean that the test is done 6-monthly and the pumps are tested in rotation, or that the test is done annually and the test is repeated for the other pump). It is a common error to forget about a test rig solenoid operated valve. Even though alarms from NFL may occur on a daily basis the correct operation of NFL alarms shall be recorded as part of the test procedure. Ensure that tank flying changes, which usually occur at NFL, are deactivated for the test. In order to prevent confusion of alarms and creating unnecessary shutdown events stop all product transfers into other storage tanks prior to commencing test. Carry out a visual check of the instrument and cabling prior to carrying out the test (this does not require electrical competency). Check that the accept alarm function works (description must be clear). In many cases it may be necessary to use over-rides to lower tank levels therefore correct description of the method is essential. 5.8.3 Controlled Filling to High Filling of tanks to High and High High level should be avoided if other methods can be used and may be prohibited by legislation (especially for High High). Tests of this sort are usually carried out using a Permit to Work (even where there is a SSTB). Fill tank to NFL (using normal procedure). Check NFL alarms for correct operation. Check or calculate fill volume required to set off High level alarm from the current fill level. Ensure sufficient product for the test is available, either from another tank (check settled/quarantine status) or from a vehicle (bridger/fueller). Transfer product to the tank under test at the typical fill rate and stop either when the High level alarm sounds or when the expected volume (difference between current fill level and High level alarm level) has been exceeded (typically 100 litres for a horizontal tank or by 5mm for a vertical tank the parameter shall be determined by the EA). Monitor the fill meter or tank gauging system where possible. If the alarm does not initiate check tank levels if the tank level is above the High alarm level check that the instrument is wet (see if the instrument sensor is in the product). If there is no apparent fault with the High level system but it still has not operated carry out the High High level test procedure (which may not be a controlled filling method). Note that typical fill rate may not be the normal receipt rate as tank-to-tank transfers or hydrant flushing/recirculation may be a regular occurrence. Reduce tank fill level to at least the High level; if continuing with controlled filling for the High High level test then reduce level after that test. If the level is reduced to below the High level check that the alarm functions cancel.

Air BP Limited

GEN 49_1 Page 14 of 18

30 April 2008

Overfill prevention for fixed storage tanks 5.8.4 Controlled Filling to High High If carrying out a controlled filling High High level alarm test, check the current fill level (after the High level test), re-calculate the fill volume required to reach the High High level alarm and estimate the filling time to reach this level. Consider isolating thermal relief valves that fill the tank under test, especially where there is a duplicate system. Transfer product to the tank under test at the typical fill rate and stop either when the High High level alarm sounds and activates a shutdown or when the expected volume (difference between current fill level and High level alarm level) has been exceeded (the parameter shall be determined by the EA). Monitor the fill meter or tank gauging system where possible. If the High High alarm does not initiate check tank levels if the tank level is above the High High alarm level check of the instrument is wet (see if the instrument sensor is in the product). If the product level is not above the High High level check the current fill level (as before) before continuing with the test. If the product level is above the High High level and there is no apparent fault with the system but it still has not operated seek expert help (ensure that the tank fill line is isolated and the level is reduced to below High level if this help is not immediately available) while this condition exists the tank may only be filled again for normal operations where a Management of Change (MoC) process is authorised by both the Operations Manager and Engineering Authority further testing and emptying would normally be permitted without the MoC. 5.8.5 Software Simulation Where the alarm signal is derived from the tank gauging system check the documented operating levels against the set operating levels. Investigate any discrepancy. Configure the tank for product receipt (some systems are deactivated if there is no fill pathway). Using the software maintenance function lower the alarm level to below NFL; this may be to below the current fill level in which case the level alarm should operate immediately or require filling to this level using the normal tank fill procedure. Reset the alarm level to the documented operating levels (note that a lower operating level may be in force for another reason). Note that the correct units must be used (do not confuse cm with mm etc.). A trained independent person should verify that the operating level has been reset correctly. 5.8.6 Built-In Testing This is similar to software simulation but has a lower level of risk in that it is difficult to interfere with the set levels for normal operation. Many modern types of instrumentation have a built-in test function that simulates a high level and the manufacturers guidance must be followed. Note that many manufacturers advise a wet test at a long frequency (e.g. every 5 years) to complement the simulation test. 5.8.7 Mechanical Simulation Simulate a High level using the manufacturers test method. Note that hollow floats shall be checked for integrity. It is permissible to remove the instrument mechanically from the tank (all cabling shall be left connected) and dip it into a bucket/sealed jar of product to simulate a high level however there are risks of damaging cables and/or the instrument, along with risks of taking product to the top of aboveground tanks.

Air BP Limited

GEN 49_1 Page 15 of 18

30 April 2008

Overfill prevention for fixed storage tanks Reset the instrument using the manufacturers method (this includes re-setting valves to the correct operating position for float switch side chambers). A trained independent person should verify that the instrument has been reset correctly. 5.8.8 Records The SSTB or maintenance software shall have a specific test record. Example content of a test record is shown at Appendix 2. Any faults shall be recorded in the site defect record system. Complete a Near Miss Report form for all High level alarm equipment that is found to be faulty or an Integrity Management High Potential (HiPo) Report form for all High High level equipment that is found to be faulty state the manufacturer and model number, year of installation (this enables global trend analysis of particular types of equipment). This is a critical record and should be retained for at least 3 years. 5.9 Reporting A Near Miss report (IM related) shall be completed when an automatic overfill prevention system on a fixed storage tank activates; this is both for false alarms and overfill events, but not during maintenance or testing (when routine records are kept). Any tank overfills shall be reported and recorded irrespective of volume.

Air BP Limited

GEN 49_1 Page 16 of 18

30 April 2008

Overfill prevention for fixed storage tanks

APPENDIX 1: TANK LEVEL DEFINITIONS (BASED ON API 2350)

The figure below illustrates the spacing between action levels in a storage tank.

Overfill/Damage Level (Maximum Capacity) The tank rated capacity is a theoretical level, far enough below the overfill level to allow time to respond to the final warning (e.g. LAHH) and still prevent loss of containment/damage (consider internal floating blankets fouling on roof trusses, product levels reaching top foam pourer inlets or overflow slots, reduced capacity as a result of corrosion or tank damage). It may also include an allowance for thermal expansion of the contents after filling is complete. Response Time 3

Tank Rated Capacity The LSHH should be set at or below the tank rated capacity to allow adequate time to terminate the fuel transfer before loss of containment/damage occurs. The LAH is an alarm derived either from the tank gauging system or a separate instrument; this alarm is the first stage overfill protection and should be set to warn when the Normal Fill Level has been exceeded it shall not be used to control filling. Normal Fill Level (Normal Capacity) The Normal Fill Level is defined as the maximum level to which the tank will be intentionally filled under routine process control.

LSHHLAHH Response Time 2 LSHLAH Response Time 1

Air BP Limited

GEN 49_1 Page 17 of 18

30 April 2008

Overfill prevention for fixed storage tanks

APPENDIX 2: EXAMPLE LEVEL ALARM TEST RECORD CONTENTS

Level Test (High / High High): Operator Name: Fill Rate: Fill Level Start Of High Test: High Level Alarm (Theoretical/Set): High Level Alarm (Actual/Simulated): High Level Alarm (Reset): Fill Level Start Of High High Test: High High Level Alarm (Theoretical/Set): High High Level Alarm (Actual/ Simulated): High High Level Alarm (Reset): Tank No: Independent Checker Name: Date:

Alarms and Functions: Outdoor siren No1: Outdoor siren No2: Pump 121 stopped: Pump 122 stopped: Alarm Panel Light: Alarm Panel Accept Alarm: MOV211 closed MOV221 closed SOV231 closed Confirmation that all level alarm functions operated correctly and that all instruments have been reset Signature (Operator): correctly: Independent confirmation that all instruments have Signature (Independent been reset correctly: Checker): Remarks:

Air BP Limited

GEN 49_1 Page 18 of 18

30 April 2008