A tank overfill protection system is a Safety Instrumented System (SIS) application that provides an additional layer of protection over the basic tank gauging (control) system. As with all SISs, the actual Safety Integrity Level (SIL) needs to be established for the particular tank at the storage facility, taking into account all the operational risk factors, but typically these functions are SIL 1 or SIL 2.
It is important that the instrumentation used in the SIS is totally independent from that which is used in the tank gauging system so that it does not suffer interference from the latter or be subjected to common points of failure. It is expected that the overfill protection function automatically shuts off the input feed to the tank by isolating the pump and closing the input valve (ensuring that any resulting pipeline pressure surges are suitably dealt with).
SIS is a good fit for tank overfill applications because tank level sensors can be degraded over time due to their exposed position both inside and outside the tank. As such, it is beneficial to use devices that have different characteristics from the tank gauging sensors for the SIS overfill protection system.
Why Logic Solvers Are a Logical Choice
People often assume a logic solver has to be a safety PLC (Programmable Logic Controller) to be employed in, for example, a tank overfill SIS. But in many cases a discrete logic device for each loop, which avoids the complications and expense of a complex programmable solution, is a sensible option. One of the objectives of functional safety is to engineer the protection layers so the complexity of safety-related functionality is minimized. This includes designing the overall concept for the minimum number of safety instrumented loops, avoiding the unnecessary use of more complex technology and reducing interdependency between loops and keeping safety and non-safety functionality separate.
Apart from the obvious savings in cost from a simpler architecture, perhaps the biggest gains with this approach are unseen. Consider that this straightforward approach avoids the development cost of application programming (plus associated costs such as of software maintenance, upgrades, configuration management, and back-ups) and the need for specialist competence in operation and maintenance of the programmable platform. Installation, validation and commissioning of complex programmable systems also require specific competence and procedures, which can make the functional safety management (FSM) system more onerous to set up and maintain.
READ ALSO: Level Measurement Reliability—Displacer Level Transmitters vs. Torque Tubes
Many safety-related applications in the process industry, such as tank overfill, are ideally suited to one or more single loop logic solvers because they are small scale, isolated, or located in remote locations. As mentioned, the simplified architecture of this approach can reduce the cost of hardware, software and procedural overheads.
Choosing sensors, logic solvers and final elements for any Safety Instrumented Function (SIF) requires a step by step analysis of the equipment’s failure data and applicability to the safety related function. As you see in the Table 1 below, each piece of equipment that will assist in the SIF has to be evaluated to ensure that it’s applicability meets the necessary requirements spelled out by the IEC 61508/61511 functional safety standards. The full white paper has detailed examples that help guide a safety practitioner through the process of implementing a SIL 1 and SIL 2 tank overfill protection system.
This blog post is based on a larger white paper published by Moore Industries-International, Inc.. You can download the full paper here.
