What if a Safety Instrumented System (SIS) Fails in Operation?
As we know, a Safety Instrumented System (SIS) is a system designed to respond to plant conditions that are hazardous in themselves or that, if no action is taken, could give rise to a hazardous condition. So what happens if the SIS does not operate properly when it is needed (when there is a demand)? What are the consequences? How do we properly manage the SIS in our plant? We will look at the answers to these questions in turn in this SafetyBuzz, using an SIS failure during tank filling operations with flammable and combustible products.
On Wednesday, October 21st, 2009, a cargo ship arrived at the CAPECO dock in San Juan Bay to unload 11.5 million gallons of gasoline. CAPECO planned to pump the shipment through approximately 4 km of pipeline to four tanks: Tank 405, 504, 411 and 409, with capacities of 4,410 bbl, 62,984 bbl, 74,197 bbl and 115,666 bbl respectively. The filling operation takes more than 24 hours to complete.
On October 22, 2009 (at about 10 p.m.) Tanks 405, 504 and 411 reached their maximum capacity, so the operator fully opened the inlet valve on Tank 409. Because the side level gauge on Tank 409 was out of service, the operator calculated the fill time manually and concluded that Tank 409 would be full at 1 a.m. What actually happened? At about 11 p.m. the tank farm operator observed that Tank 409 had begun to overflow into the secondary containment dike. Tank 409 overflowed for 26 minutes and spilled about 200,000 gallons of gasoline. The spilled gasoline evaporated, forming a vapor cloud that ignited when it reached an ignition source. About seven (7) seconds after ignition the vapor cloud exploded, creating a pressure wave that damaged hundreds of homes and businesses up to 2 km from the site. The explosions registered 2.9 on the Richter scale. Fortunately, there were no fatalities.
The investigators found that multiple layers of protection failed, above all an unreliable level control and monitoring system. With the level gauge out of service, Tank 409 had no independent safeguard left: there was no independent high-level alarm and no automatic overfill prevention system that could initiate an automatic shutdown. The operator's manual fill-time calculation, a single non-instrumented layer, was the only thing standing between normal filling and an overflow. The investigators therefore recommend that operators:
- Regularly inspect and test automatic overfill prevention systems to ensure their proper operation, in accordance with good engineering practices,
- Engineer, operate and maintain automatic overfill prevention systems to achieve the appropriate safety integrity level (SIL), in accordance with good engineering practices (IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector).
The sad fact is that the CAPECO incident occurred in 2009, after a very similar incident with a very similar cause at the Buncefield fuel depot in the UK. The Buncefield fire and explosions occurred on 11-Dec-2005. This tells us that the industry is not learning well from itself.
I have some thoughts that I want to discuss with you on how to design, operate and maintain the safety instrumented system in your plant. Are you alert to the possibility that defects in your SIS might introduce an unacceptable level of risk? I am interested in the health of your SIS. Let's discuss!
You can see the video on youtube:
Kind Regards and wassalam,
Ir. Beny Destiawan, SFS
Process Safety Engineer