Tank level monitoring should include a level gauge (L), a high-level alarm (LAH), and an automatic overfill protection system (LAHH), in addition to operator and facility procedures. Adapted from U.S. Chemical Safety and Hazard Investigation (CSB) Report No. 2010-02-I-PR.

A company was performing a hazard and risk assessment on their flammable liquid tank farm. While reviewing the safety systems, the team questioned the setpoint of the high-high level alarm (LAHH). The engineer (meekly) replied that this point was at 99% of the tank height. If true, during filling, the tank could overflow before the LAHH could warn the operator and action could be taken to stop the flow. The team recognized this as a very serious gap and stopped the process hazard analysis (PHA).

A small team of maintenance employees checked the high-high position on several tanks and found that they were indeed positioned to activate at 99%. A temporary procedure was implemented to safely fill the tanks until new level devices could be installed at the proper level.

The only reason the plant had not experienced overfilling of tanks was a single administrative control. The person who ordered bulk solvents carefully monitored tank levels and solvent consumption and would only order the quantity to fill the tank to the 85% level. This single layer of protection was entirely based on the performance of an individual, but the ordering criteria was not documented in a procedure.

Did You Know?

  • In the hierarchy of controls, a properly designed engineering safeguard (e.g., high-level shutoff system) is more reliable than an administrative safeguard (e.g., an operator manually closing valves in response to the high-level alarm).
  • Engineering controls need to be properly designed, installed, and maintained (i.e., inspected, calibrated, and tested).
  • Several attributes must be in place for safeguards that are based on administrative control: a procedure must document proper actions and sequence, the operators must be trained on how to safely follow the procedure, and the operators must be able to demonstrate that they can perform the task as documented.
  • All safeguards — engineering or administrative — must be able to respond quickly enough to avoid the undesirable event that they are intended to prevent or minimize the impacts of.

What Can You Do?

  • When working on a process, you need to understand the safety systems and their function so you can properly respond when an upset occurs.
  • If you discover a safeguard that is not working properly during rounds or operation, report it immediately. You never know when it will be needed.
  • When participating in hazard reviews such as a PHA, do not hesitate to point out deficiencies in safety systems.

Safeguards must be properly designed.

