Overfill of vapour recovery units
Health and Safety Executive - Safety notice
Department name: Chemicals, Explosives and Microbiological Hazards Division (CEMHD)
Bulletin number: CEMHD02-2023
Issue date: 12/23
Target audience: Operators of vapour recovery units (VRUs) including fuel terminals, and COMAH site operators.
A Health and Safety Executive (HSE) investigation into a gasoline overfill of a carbon adsorption vapour recovery unit (VRU) revealed concerns with the design of the VRU. The overfill prevention system was not independent of the basic process control system (BPCS).
When the BPCS failed the overfill prevention system also failed. This resulted in loss of containment, and risked a significant fire and explosion, as well as extensive environmental damage.
Outline of the problem
VRUs are used to recover hydrocarbon vapour that is displaced during transfer operations such as filling road and rail tankers and ships at a fuel storage and distribution terminals.
HSE’s investigation identified that the unit’s overfill prevention system was not independent of the BPCS, so when the BPCS failed the overfill prevention system also failed.
There were no independent remotely operated shut-off valves in the absorbent supply and return lines. There were no safety functions independent of the BPCS to prevent overfill. So, failure of the BPCS held the absorbent inlet and outlet valves in the open position. The head pressure from the absorbent storage tank caused the absorbent to flow through the VRU via the carbon adsorption vessel before being ejected through the air outlet stack. Other safety functions including over-temperature (hot spot) protection and emergency shutdown (ESD) also relied on the BPCS.
Duty holders should follow a safe system of work to assess the risk of overfill, check equipment and, where appropriate modify VRU control systems and/or implement independent control measures.
You should consult with the VRU manufacturer and specialist support contractors as required.
Carry out a suitable and sufficient assessment of the risk of overfilling the absorber column and any other risks associated with the VRU.
As part of the assessment process, the VRU control system architecture must be examined to determine which safety functions, if any, are implemented within or are dependent upon the BPCS.
Compare physical examinations against any electrical schematic drawings, cause and effects matrices, Hazard and Operability (HAZOP) studies, Layer of Protection Analyses (LOPAs) or equivalent.
Safety functions include (but are not necessarily limited to):
- overfill prevention
- over-temperature protection
- emergency shutdown (ESD)
- high priority alarms
It may be sufficient to review existing risk assessments if these are available.
Inspect, maintain and test
Duty holders must physically verify that all identified safety functions and equipment are in place on the VRU. Ensure that they are suitably inspected, maintained and tested in accordance with relevant good practice.
Modify control measures if required
Following your risk assessment, and the identification and verification of safety functions, you may need to modify the VRU control system architecture and/or implement independent control measures to achieve the required risk reduction. Ensure that you follow a suitable Management of Change (MoC) process.
'BS EN 61511, Functional safety - Safety instrumented systems for the process industry sector,' provides relevant good practice:
- "11.2.4 – If it is intended not to qualify the BPCS to the IEC 61511 series, then the SIS shall be designed to be separate and independent from the BPCS to the extent that the safety integrity of the SIS is not compromised."
- "11.2.9 – The design of the SIS shall take into consideration all aspects of independence and dependency between the SIS and BPCS, and the SIS and other protection layers."
- "11.2.10 – A device used by the BPCS shall not be used by the SIS where a failure of that device may result in both a demand on the Safety Instrumented Function (SIF) and a dangerous failure of the SIF, unless an analysis has been carried out to confirm that the overall risk is acceptable."
Energy Institute guidelines
The Energy Institute guidelines for the design and operation of petrol vapour emission controls at distribution terminals provides specific guidance on VRUs:
- "22.214.171.124 - … A potential hazard can arise from petrol over-filling the VRU if a shut-off valve in the lines to-from the supply tank fails. Consideration, therefore, should be given to fitting two valves in series in the petrol supply and return lines."
- "126.96.36.199 – Where alarms and shutdowns are high risk, consideration should be given to making them high-integrity, hard-wired and fail-safe items and not simply derived from the VRU programmable logic control system."
- "7.4.1 – A formal Hazard and Operability (HazOp) study should be carried out on each vapour recovery system installed. This exercise should take account of all abnormal circumstances that could occur either in the unit or in associated and adjacent facilities on the installation… The findings of the HazOp study should be assessed following the principles for high integrity systems."