Guideline Loading Arm Overfill Prevention

CDOIF
Chemical and Downstream Oil Industry Forum
Guideline
Automatic Overfill Prevention Systems for

Terminal Loading Racks
Guideline – Automatic Overfill Prevention Systems for Terminal Loading Racks v2 Page 1 of 23
CDOIF CDOIF is a collaborative venture formed to agree strategic areas for
joint industry / trade union / regulator action aimed at delivering
health, safety and environmental improvements with cross-sector
Chemical and Downstream Oil benefits.
Industry Forum
Foreword
In promoting and leading on key sector process safety initiatives, CDOIF has developed through its
members a guideline on automatic overfill prevention systems for terminal loading racks.
It is not the intention of this document to specify the detailed design of overfill prevention systems,
nor replace any existing corporate policies or design standards. The intent is to provide a reference
for those organisations developing or wishing to review their existing terminal loading rack overfill
prevention architectures.
There are no limitations on further distribution of this guideline to other organisations outside of
CDOIF membership, provided that:
1. It is understood that this report represents CDOIF’s view of common guidelines as applied
to overfill prevention systems at terminal loading racks.
2. CDOIF accepts no responsibility in terms of the use or misuse of this document.
3. The report is distributed in a read only format, such that the name and content is not
changed and that it is consistently referred to as "CDOIF Guideline – Automatic Overfill
Prevention Systems for Terminal Loading Racks".
4. It is understood that no warranty is given in relation to the accuracy or completeness of
information contained in the report except that it is believed to be substantially correct at the
time of publication.
This guidance is not intended to be an authoritative interpretation of the law, however Competent
Authority (CA) inspectors may refer to it in making judgements about a duty holders compliance
with the law. This will be done in accordance with the CA’s published enforcement policies (refer to
www.hse.gov.uk/pubns/hse41.pdf) and it is anticipated that this document will facilitate a consistent
national approach.
It should be understood however that this document does not explore all possible options for overfill
prevention, not does it consider individual site requirements – Following the guidance is not
compulsory and duty holders are free to take other action. If the duty holder does follow the
guidance they will normally be doing enough to comply with the law. Health and Safety inspectors
seek to secure compliance with the law and may refer to this guidance as illustrating good practice.
Industry Forum
Contents
FOREWORD ..................................................................................................................................... 2
CONTENTS ....................................................................................................................................... 3
1. EXECUTIVE SUMMARY........................................................................................................ 4
2. SCOPE .................................................................................................................................. 5
3. OVERVIEW............................................................................................................................ 6
3.1 Causes of Overfills ................................................................................................................. 6
3.2 Overfill Prevention System Goal............................................................................................. 7
4. RISK ASSESSMENT ............................................................................................................. 8
4.1 Assessing the Suitability of Road Tanker Loading System Architectures ............................... 8
4.1.1 Specification of Valves ........................................................................................................... 8
4.1.2 Automated Shutdown Valves ................................................................................................. 9
4.1.3 Initiation of Automated Shutdown Valves ............................................................................... 9
4.1.4 Effectiveness of Emergency Shutdown Valves ..................................................................... 11
4.1.5 Testing of Valves ................................................................................................................. 11
4.1.6 Maintenance of Valves ......................................................................................................... 12
4.1.7 Management of Risk ............................................................................................................ 12
5. SYSTEM DESIGN AND OPERATION ................................................................................. 13
5.1 Overfill Prevention System Equipment ................................................................................. 13
5.2 Overfill Prevention System Control Philosophy .................................................................... 15
ABBREVIATIONS ............................................................................................................................ 17
GLOSSARY OF TERMS ................................................................................................................. 17
OTHER RELEVANT PUBLICATIONS ............................................................................................. 18
ACKNOWLEDGEMENTS ................................................................................................................ 19
REVISION HISTORY....................................................................................................................... 20
APPENDIX 1 – EXAMPLES OF FACTORS THAT MAY INFLUENCE RESPONSE TIMES............. 21
Industry Forum
1. Executive Summary
A number of overfilling incidents have occurred during the loading of gasoline into road
tankers. Overfilling has occurred due to the failure of people and equipment, resulting in
an uncontrolled flow and significant quantities of gasoline being lost from containment1.
In each case there were unrecognised deficiencies in the architecture of the loading
system which were exposed by a single failure. The deficiencies in the loading system
have included the inability of the emergency shutdown system to stop gasoline flow. The
majority of these occurrences were due to failure of the flow control valve.
Personnel have been exposed to risks of serious injury during overfilling incidents due to
their presence in the spill area. In some cases personnel have purposely entered the
spill area during attempts to diagnose faults and to stop the flow of gasoline.
The target Audience for this document is primarily operators of fuel distribution terminals,
including terminal managers, engineering managers, HSE/SHE managers, C&I and risk
control engineers. Suppliers of equipment/packages and system integrators may also
find the guidance provided in this document informative.
A working group was commissioned under CDOIF to develop a guideline for overfill
prevention systems at terminal loading racks. This guideline is not intended to be
prescriptive in defining the detailed design criteria for these systems, but aims to raise
awareness within industry of existing good design practice, and highlight where
appropriate key areas against which duty holders may review their existing systems.
A second working group was commissioned to look into hazard awareness of tanker
drivers and terminal personnel during filling operations, the guidance for which can be
found in the CDOIF publication entitled ‘CDOIF Guideline – Terminal Loading Operations
Hazard Awareness’.
Note 1
Each tank compartment’s overfill prevention sensor is set to provide ullage of not
less than 150 litres between the point of it being tripped and overfilling. This is to
ensure that all the product passed by the gantry flow control valve from the
triggering of the overfill prevention sensor until flow is ceased will be contained
within the compartment (even if the event is triggered at the maximum flow rate)
Note that the overfill prevention system plays no part in ensuring that the tanker is
not overloaded nor in ensuring that the maximum degree of filling (ADR 4.3.2.2)
has not been exceeded
Industry Forum
2. Scope
This document provides guidance on the architecture of loading systems for delivering
gasoline into bottom loaded road tankers.
This guideline does not cover toxic hazards, fuels that are below their flash point at
normal loading temperatures and atmospheric pressures, non ignition risks. This
document does not comment on the safety integrity level (SIL) of any measure or system
used to prevent the overfilling of road tankers, or the measures necessary to control risk
during any recovery operation following an overfill. The need for, and definition of, any
additional layers of protection should be completed as part of an operator’s standard
design processes for hazard identification, risk assessment and SIL determination,
where necessary.
For the purposes of this guidance overfilling means filling a compartment to the point that
gasoline flows out of that compartment, for example into a vapour recovery system or
through a pressure relief valve.
Industry Forum
3. Overview
Overfilling can occur for a variety of reasons, including:
• filling a compartment that already contains gasoline that the driver is unaware of
or does not take account of,
• filling the wrong compartment,
• failure of equipment intended to automatically stop gasoline flow.
Where a flow control (or metering) valve fails there is often very little time from the onset
of the failure before the compartment overflows. This is because compartments have a
limited ullage of about 5% (for transport), and because high flow rates can continue even
if the pump has been turned off. The high flow may continue under flow control valve
failure conditions because of the momentum of the flow in the pipe work, and the large
liquid head arising from the tall supply tanks at many installations.
An example of an automated road tanker loading system can be seen in figure 1 below.
Vapour Recovery Emergency Earth/Overfill

Knock-Out Pot Shutdown System Monitor
Preset/Batch Loading Permissive

Controller
Preset/Batch
Controller
Alarm 6 0 0 0
Storage Tank
ROSOV Pump Pump Automated Flow Control

Valve Shutdown Valve Valve
Tank Farm Loading Bay
Figure 1 – Example road tanker loading system
3.1 Causes of Overfills
Flow control valves are generally considered to be reliable. However, flow control valves
have failed to close when expected either because the flow control valve itself has failed,
or because a pilot valve has failed. Valves have failed due to damage to elastomer
materials as a result of changes in gasoline blends, due to the ingress of foreign material
preventing closure, or due to physical wear. In each case the failure has been sudden;
there were few clear signs of performance deterioration.
Industry Forum
Many incidents have occurred because there is no automated shutdown valve. In these
cases, a failure of the flow control valve has led to an uncontrolled flow of gasoline that
can only be stopped by the closure of a manual isolation valve. This requires a fast
response. Experience has showed that it is not realistic to expect overfilling to be
prevented by a person closing a manual valve (see table 2 on the response times
required).
A number of incidents have occurred even where there is an automated emergency

shutdown valve that can close in the event of the failure of the flow control valve. This
has been because the emergency shutdown valve was not triggered to close by the
overfill event, the automated emergency shutdown valve closed too slowly, or the
emergency shutdown valve was triggered too late to prevent an overfill.
Failure to trigger the emergency shutdown valve has been caused by a reliance on an
overfill signal that may not occur in certain circumstances, such as a high liquid level in
the vapour recovery line knock out pot.
A rule of thumb applied to valve closure speeds is that it takes approximately one second
per inch diameter for a valve to close, but some valves may close more slowly than this.
A limitation of the speed of closure is the ‘hammer’ effect caused by the momentum of
the fuel which can increase pipe pressure to dangerous levels if the flow rate is slowed
too quickly.
The emergency shutdown valve may be triggered too late for a number of reasons
including where human action is relied on to quickly identify the developing overfill and
respond.
3.2 Overfill Prevention System Goal
The goal of an overfill prevention system is self-evidently to prevent the overfilling of a

road tanker or any of its compartments. In this context overfilling means exceeding the
capacity of a compartment to the point that gasoline flows out of that compartment
(including into the vapour recovery system). The extent to which overfill prevention
measures are implemented is subject to formal risk assessment as described in section
4.
Industry Forum
4. Risk Assessment
It is essential that the risks arising from all road tanker loading operations are assessed,
and measures put in place to ensure these risks are, ‘as low as reasonably practicable’.
This includes any risks that may arise from potential component failures or design
inadequacies in the engineering architecture. Risks may include risks to people, risks to
installations, and risks to the environment.
4.1 Assessing the Suitability of Road Tanker Loading System Architectures
The adequacy of the measures used to control risks during filling operations should be
assessed. This can be achieved by asking a number of questions regarding the
architecture of a loading system.
1. Is the flow control valve, and any associated pilot valves, correctly specified for
the function it is expected to perform? (refer to 4.1.1)
2. In the event of a failure of the flow control valve, is there an automated shutdown
valve to stop gasoline flow? (refer to 4.1.2)
3. Is an automated shutdown valve triggered in response to identified faults or

failures(refer to 4.1.3)
4. Is an emergency shutdown automated valve able to prevent or mitigate against

overfilling of a road tanker, taking into account realistic scenarios? (refer to 4.1.4)
5. Are automated shutdown valves tested at a suitable frequency, according to

specific criteria? (refer to 4.1.5)?
6. Are automated shutdown valves maintained according to appropriate

instructions? (refer to 4.1.6)?
7. Are indications of failures recorded and assessed, and actions to address these
taken? (refer to 4.1.7)
Any dependencies between risk control measures should be identified, and eliminated if
possible. It is good practice to be able to detect the failure of a measure as soon as
possible after it occurs, preferably by automated means, so that adequate risk control is
maintained.
4.1.1 Specification of Valves
Site operators should document the design requirements for the different valves in the
loading system, and should ensure suitable valves are installed. Design requirements
should include compatibility with the gasoline being loaded and number of operations.
Valve failures have occurred due to;
• Excessive number of operations. Manufacturers produce specifications regarding

the maximum number of cycles a valve should be expected to perform,
depending upon the conditions the valve is operating under. For example, it is
common for pilot valves to operate many times during each loading operation,
Industry Forum
and, if rate adjustment valves are not correctly set, for excessive pilot valve
cycling to occur. Consideration should be given to the use of any extended
diagnostic functionality that may be available.
• Product incompatibility. Valve failures have occurred because of incompatibility

between gasoline and seal elastomers, so it is important that valves are suitable
for the gasoline to which they are exposed (especially gasoline/ethanol blends
with ethanol content, even as low as 5%). Further investigation on compatibility of
materials used in handling ethanol and gasoline/ethanol blends has been
undertaken by the Energy Institute, reference to the latest manufacturer’s
guidance on material compatibility should also be sought. Any significant change
in gasoline formulation should trigger an assessment to verify valves continue to
be suitable, and any remedial action required. This should be part of a suitable
Management of Change process.
• Incorrect selection. Valves have failed because they have been incorrectly
selected for use based on sales literature that was incomplete, not more detailed
technical specifications. Personnel responsible for device selection should have a
design requirement specification for each device, and the competence to assess
the potential impact of any deviation.
• Incorrect pressure specifications. Whilst working pressures in many loading

systems are relatively low, large pressure spikes may be experienced as a result
of fast changing flow rates, such as those experienced towards the end of a filling
operation.
Valve specifications should be archived so that they can be used by competent staff to
select a new valve in the event of a replacement being required at some time in the
future.
Spare valves in stock should be clearly labelled to ensure the correct replacement valve
can be selected.
4.1.2 Automated Shutdown Valves
Correct specification, operation, and maintenance will reduce the risk of a flow control
valve failure. However, the range of challenges to a particular flow control valve means
this risk cannot be eliminated. An automated shutdown valve when triggered prevents
uncontrolled flow of gasoline in the event of a failure of the flow control valve. Use of an
automated shutdown valve has been shown to be a reasonably practicable way of
managing this risk. A manually operated secondary valve has been shown to be
ineffective in preventing overfill and loss of containment.
A means of regularly testing the required functions of the automated shutdown valve
should be incorporated into the design, including the ability of the valve to actually stop
liquid flow. Information on this is given in section 4.1.3.
4.1.3 Initiation of Automated Shutdown Valves
Automated shutdown valve closure should be initiated as soon as possible after a loss of
control. Detection may be via a number of means, and a combination of means may be
Industry Forum
necessary to adequately control risk. Closure of automated shutdown valves may be

initiated by several, or all, of the following;
• An alarm resulting from the preset/batch controller detecting a flow rate outside
that programmed for the phase of loading
• An alarm resulting from the preset/batch controller detecting an overrun beyond

the programmed amount
• A detection of high level in the road tanker
• An emergency shut-down button being pressed
• Gasoline detection in the vapour recovery system
• Action being taken from a remote location such as a control room
Other initiators may be available from a variety of engineered systems and human
sources.
The initiator at the top of the list above is likely to provide the fastest response to a loss
of flow control, and the initiator at the bottom of the list is likely to provide the slowest
response. The overfill prevention system should be designed so the automated
shutdown valve closure is initiated as soon as possible after the loss of flow control. This
reduces the chance that gasoline will be lost from containment.
The initiators listed above depend upon a range of mechanical, electrical, electronic and
programmable electronic systems. These should be effective for a range of different
failure scenarios such as failure of the preset/batch controller electronics (that may have
caused the loss of control in the first place), and variations in the mechanical
arrangement of the vapour recovery system. Some measures, such as human
responses, and desktop computers should not be expected to provide significant
amounts of risk control.
The effectiveness of each initiator for automated shutdown valves should be tested on a
regular basis using tests that confirm the correct operation of as much of the system as
possible. More frequent partial checks may be appropriate where more complete tests
are intrusive.
Effective management processes should be in place to ensure the operability and

continued maintenance of the high level probe in each road tanker compartment which is
connected to the earth/overfill monitor. Management processes may include
participation in a scheme which aims to control the hazards associated with road tankers
when they are loaded at distribution terminals such as the Safe Loading Pass Scheme,
or other similar initiatives.
Industry Forum
4.1.4 Effectiveness of Emergency Shutdown Valves
Emergency shutdown valves should be effective in preventing a loss of containment

when triggered by an engineered system such as the high level detection system in the
road tanker. This should take into account the time between the loss of flow control, to
the flow reaching zero. An example of timings is shown in figure 2.
Pump
into tanker stopped
Flow rate
A B C D
Normal Loss of Loss of Secondary Secondary Flow
loading control of control of valve valve ceases
flow flow starts to closed
detected close
Time
Figure 2 – Time to stop flow on loss of flow control
Definition of times:
A. Time between loss of control and detection of the loss of control.
B. Time between the detection of the loss of control and closure initiation of the
automated shutdown valve. This includes any delays caused by logic.
C. Time that the automated shutdown valve takes to close. A rule of thumb is one
second per inch diameter of the valve, but certain automated valve types may
take longer.
D. Time between the emergency shutdown valve becoming fully closed, and
cessation of all flow.
The total time to stop flow using the automated shutdown valve after a loss of flow
control is A+B+C+D. The exact timing of each of the components A, B, C, and D will
depend upon the configuration of the loading system, and what has led to the loss of flow
control. Refer to appendix 1 for examples of factors that may influence response times.
4.1.5 Testing of Valves
Valves should be tested at a frequency that is appropriate, according to the extent that
the valve is being relied upon for risk control. Test frequencies should be set so that
there is little chance of valves failing between two tests.
Industry Forum
Valve tests should cover as much of the functionality of the valves as possible. This may
include speed of response and the actual ability of the valve to shut against an upstream
pressure.
Some valve functions may be automatically tested during their cycling in normal
operation through a control system. This may significantly improve confidence that the
valve will continue to perform correctly, and a failure may trigger a very early response
that may minimise risk.
Where there are indications of deterioration of a valve, action to correct the fault should
be taken. The frequency of tests should be managed, and may need to be changed in
response to a significant number of test failures.
Valve test records should be kept as part of the maintenance process providing evidence
of the tests conducted, results of the test and any remedial actions carried out.
4.1.6 Maintenance of Valves
Valves should be maintained according to the specification from the manufacturer. In

addition, certain aspects of maintenance may be specified locally, in order to manage
risks. Locally originated maintenance should be specified by a person who is competent,
who may need to liaise with the valve manufacturer regarding the particular valve usage.
Valves have failed because:
• Maintenance has not been carried out
• Maintenance has as not been carried out correctly
• Faults have been identified but not remedied
Personnel who maintain valves should be competent to do so, and should know when to
refer difficulties to other personnel with the appropriate knowledge and skills for
correction. Senior staff should be competent to direct others such that the risk is
adequately managed.
4.1.7 Management of Risk
Risks must be managed using appropriate means, and should be regularly re-assessed.
It may be necessary for indications of failures to be recorded and assessed, so changes
can be made to prevent failures that could lead to overfills.
Industry Forum
5. System Design and Operation
The following sections provide a high level overview of the equipment that may form part
of an overfill prevention system for a terminal loading rack, and the interactions between
those components as part of an overall control philosophy.
Note that this represents one design philosophy; it should not be considered as the only
or the preferred solution. This will be dependent on the individual site requirements, and
in consideration of the risks and appropriate measures discussed in section 4.
5.1 Overfill Prevention System Equipment
Typical equipment that may be incorporated into a loading rack control and overfill
prevention system is provided below. Reference should be made to figure 1, Example
road tanker loading system contained in section 3.
1. Loading Rack Control System – the loading rack control system is the
PLC/SCADA system which provides control operation for the terminal or the
loading rack, or both. In some instances, interlocks and permissives may be
hardwired via relays, and not via the loading rack control system. Where risk
assessment has determined that the overfill prevention system requires a further
layer of protection, this functionality may be provided by an independent safety
related logic solver.
2. Electronic preset/batch controller – the system which controls loading

operations. The electronic preset/batch controller accepts earth and overfill
interlocks (hardwired from relays or via the loading rack control system), which
provides a permissive for pump demands, flow control and controls flow rates.
The electronic preset/batch controller should prevent or stop loading on loss of
interlocks or on detection of abnormal conditions (such as high or low flow, batch
quantity overrun)
3. Earth/overfill monitor – the system monitors tanker earth integrity and tanker
overfill detectors. Outputs from the monitor should be hardwired via relays or via
the loading rack control system, providing the interlock signal to the electronic
preset/batch controller, and allowing automatic closure of the automated
shutdown valve(s). Faults detected on the monitor should allow unit to fail safe.
4. Flowmeter – connected to the electronic preset/batch controller to provide flow

signal. Typically the flowmeter type will be positive displacement or turbine.
5. Flow control valve – connected to the electronic preset/batch controller, controls

flow rates and stops/starts the batch flow.
6. Vapour knockout pot high level detector – monitors fluid level at lowest point
in vapour system as close as possible to the tanker vapour hose/arm. The signal
should be hardwired from relays or via the loading rack control system providing
the interlock signal to the electronic preset/batch controller, and allowing
automatic closure of the automated shutdown valve(s).
7. Emergency shutdown pushbutton - hardwired via relays or via the loading rack
control system, providing the interlock signal to the electronic preset/batch
Industry Forum
controller, and allowing automatic closure of the automated shutdown valve(s).

Faults detected on the pushbutton, or loss of power should allow unit to fail safe.
8. Automated shutdown valve(s) – the automated shutdown valve should

automatically close on detection of fault conditions, either through hard wired
relays or from the loading rack control system. The automated shutdown valve
should ideally be located at ground level on loading bay. There may be one valve
per arm, or one valve per grade depending upon the individual site requirements.
The automated shutdown valve may be either motor, hydraulic or gas operated
and should be fail safe closed under fault/loss of power condition.
Industry Forum
5.2 Overfill Prevention System Control Philosophy
Reference should be made to the simplified cause and effect diagram provided in figure
3 as an example control philosophy for overfill prevention.
Note: automated shutdown valve may

be per bay or per grade
Close S/D Valve - Bay A
Close S/D Valve - Bay B
Close S/D Valve - Bay C

Close FCV - Bay A
Close FCV - Bay B
Close FCV - Bay C

Meter Overrun - Bay A X
Meter Overrun - Bay B X
Meter Overrun - Bay C X
Earth/Overfill Monitor - Bay A

Loss of Earth Signal X
High Level Detected X X
Earth/Overfill Monitor - Bay B
Earth/Overfill Monitor - Bay C
Vapour K-O Pot High Level - Bay A X X

Vapour K-O Pot High Level - Bay B X X
Vapour K-O Pot High Level - Bay C X X
Site ESD Initiated X X X X X X
Figure 3 - Simplified cause and effect diagram
Note that pumps have been excluded from the cause and effect diagram in figure 3.
Determining what action to take for pumps should form part of the risk assessment and
design process.
1. Electronic Preset/Batch controller – a healthy earth/overspill interlock from the

earth/overfill monitor provides a healthy permissive signal allowing pump demand
Industry Forum
and flow control valve outputs. Loss of the interlock removes the permissive and
stops flow by closing the flow control valve. Depending on the preset/batch
controller type, various internal parameters (for example high/low flow, additive
high/low flow, loss of flowmeter pulses) can be configured to operate an internal
alarm relay, which may be used to indicate “preset/batch controller overrun” and
remove the permissive stopping flow by closing the flow control valve and/or
closing the automated shutdown valve.
2. Earth/overfill monitor –
a) Loss of the earth signal should remove the earth/overspill input from the
preset/batch controller, hence removing the permissive signal and stopping
flow by closing the flow control valve.
b) Loss or activation of overfill signal should remove the earth/overspill input

from the preset/batch controller, hence removing the permissive signal and
stopping flow by closing the flow control valve. Additionally the overspill signal
should close the automated shutdown valve(s) on the loading bay the overfill
signal was generated on; all other loading bays can remain operational.
3. Flow control valve – the preset/batch controller will close the flow control valve
on loss of earth/overspill signal, activation of preset/batch controller alarm relay
(where available to indicate preset/batch controller overrun) or end of batch.
4. Vapour knockout pot high level detector – the vapour knockout pot high level
should be part of the electronic preset/batch controller permissive. Activation of
the high level detector should remove the permissive, thereby closing the flow
control valve on that loading bay. Additionally the automated shutdown valve(s)
on the loading bay that the knockout pot high level signal was detected on should
close. All other loading bays can remain operational.
5. Emergency shutdown pushbutton – activation of any of the tanker loading bay

emergency shutdown pushbuttons should remove the permissive for all electronic
preset/batch controllers thereby closing the flow control valves and automated
shutdown valves.
6. Automated shutdown valve(s) – automated shutdown valve(s) should close on

activation of the road tanker overfill signal via the earth/overfill monitor, vapour
knockout pot high level signal associated with that loading bay or activation of
any terminal ESD pushbutton.
Industry Forum
Abbreviations
Abbreviation Description
CA Competent Authority
C&I Control and Instrumentation
CDOIF Chemical and Downstream Oil Industry Forum
ESD Emergency Shut Down
FCV Flow Control Valve
HSE Health, Safety and Environment; Health and Safety Executive
K-O Knock Out
PLC Programmable Logic Controller
ROSOV Remotely Operated Solenoid Valve
S/D Shutdown (Automated Shutdown Valve)
SCADA Supervisory Control and Data Acquisition
SIL Safety Integrity Level
SHE Safety, Health and Environment
Glossary of Terms
Loading Loading is synonymous with the ADR related term ‘filling’

Flow control valve The valve used to accurately meter gasoline into road tankers, sometimes
referred to as a metering valve.
Automated
Shutdown valve The valve used to shutdown the flow of gasoline on detection of fault or overfill
conditions
Gasoline low flashpoint liquid fuel, also known as petroleum spirit or petrol, including
where blended with ethanol, where there is a significant probability of flammable
vapour present at normal loading temperatures and pressures.
Metering valve See flow control valve.
Overfilling For the purposes of this guidance overfilling is considered to be filling a
compartment to the point that gasoline flows out of that compartment, for
example into a vapour recovery line or through a pressure relief valve .
Overflow The point at which a compartment is overfilled to the extent that the addition of
more liquid will result in liquid beginning to flow out of the compartment.
Industry Forum
Other Relevant Publications
Further information relating to road tanker installations can be found in the following publications.
1) HSG 176 [1998]

2) EI Model Code of Safe Practice - Marketing safety code [1978 – revised in 1998, and again
in 2005.
3) EI Model Code of Safe Practice – Design, construction and operation of petroleum
distribution installations [September 2005]
4) API RP 1004 [Eighth Edition, January 2003].
Industry Forum
Acknowledgements
This document was created as part of the Chemical and Downstream Oil Industry Forum Process
Safety work stream.
CDOIF wish to record their appreciation to the working group members who were responsible for
creating this guideline:
Name Organisation
Mark Jolliffe (Chair) Total

Darren Peck Nustar Energy
Andrew Dodd Nustar Energy
Clive Dennis Health and Safety Executive
Andrew White Health and Safety Executive
Eddie Watts Chevron
Ian Goldsworthy Chevron
Kevin Shepherd Vopak
Peter Lloyd Vopak
Rex May BP
Robert Harris Amber Engineering Consulting Ltd.
Peter Davidson UK Petroleum Industry Association
Industry Forum
Revision History
Rev. Section Description Date Changed By

0 All First Issue 05-Jan-2011 PSD
1 All Update following working group comments 04-Feb-2011 PSD
2 4.1.1 Update following CDOIF comments 06-May- PSD
2011
Industry Forum
Appendix 1 – Examples of factors that may influence response times
Examples of factors that may influence the times;
A.
• Where the loss of flow control has been caused by a failure of the flow control
valve and is detected in the preset/batch controller, and this detection feature
has been correctly configured, time A may be short.
• Where the loss of control is detected by a high level detection in the road
tanker, time A will be longer.
B.
• The time between the detection of the loss of control of flow and the initiation
of the closure of the automated shutdown valve will normally be short. This
time could be longer or may vary where there is significant electronic
processing prior to the close signal being given, or where the initiation is
delayed by, for example, the dumping of pneumatic pressure.
• The rate of flow will generally reduce after the pump is stopped. However,
where a centrifugal pump (or other non positive displacement pump) is used,
then any upstream pressure, such as that caused by fluid head in the storage
tank, will continue to drive the gasoline at a constant flow rate. The flow rate
will depend upon the upstream pressure and the diameter and configuration
of pipe work and any orifices.
• Some preset/batch controller systems are designed to delay the stopping of
the pump until the flow control valve has closed. Depending upon the exact
arrangement, this may delay the stopping of the pump so this occurs later
than shown on the diagram.
C.
• The speed of closure of the automated shutdown valve will depend upon its
design and configuration. Larger valves generally take longer to close than
smaller valves. Closing a valve too quickly can cause high pressures to be
developed upstream of the valve, with the subsequent risk of damage that
could lead to leakage.
• The momentum of the gasoline will tend to continue driving the gasoline out
of the pipe work due to the initially high linear speeds of the gasoline at
maximum loading rates.
D.
• This time between the complete closure of the emergency shutdown valve
and the cessation of all flow will depend on the physical arrangement of the
loading system and the road tanker. For example, fuel may enter the vapour
recovery pipe work from the tanker vapour recovery manifold. A table of
example pipe work capacities for pipe diameters and lengths is given in table
1.
The amount of gasoline stored in pipe work can be estimated using the following
formula:
Volume (litres) = (Pipe diameter (inches) / 2 * 2.54)^2 * 3.14 * pipe length (metres) /10
Example volumes of pipe work are given in table 1
Industry Forum
Pipe diameter (inches)

Pipe length 3 4 6 8 10 12 14
(metres) Volume (litres)
10 45.604 81.073 182.41 324.29 506.71 729.66 993.15
20 91.207 162.15 364.83 648.59 1013.4 1459.3 1986.3
30 136.81 243.22 547.24 972.88 1520.1 2189 2979.4
50 228.02 405.37 912.07 1621.5 2533.5 3648.3 4965.7
Table 1 – Liquid volume of pipe work (litres)
The total amount of gasoline that will flow into the road tanker, for the various detection
routes, will be the area under the graph in figure 2, which will be unique for each loading
arrangement. Whether the road tanker becomes overfilled, or gasoline is lost from
containment depends on how much empty volume there is in the tanker compartment
when the control of flow is lost, and whether gasoline flows into other unfilled
compartments and the vapour recovery system. Experience has shown that whilst
gasoline from an overfilled compartment does flow into other unfilled compartments, and
into the vapour recovery line, it preferentially flows out of containment. Consequently,
when estimating whether a configuration will be able to prevent a loss of containment, no
claim should be made that gasoline can flow into other compartments or the vapour
recovery system.
The time between the high level detection in a tanker

compartment and overflow occurring depends on the size of the compartment, and the
flow rate. Table 2 shows example times based on a range of flow rates and compartment
sizes.
Compartment size (litres)

7600 7000 6000 5000 4000 3000 2500
Approximate remaining volume in compartment at
high level detection point (litres) @ 95% full
Flow rate 380 350 300 250 200 150 150*
after failure Time to loss of containment after high level detection
(litres/min) (seconds)
2500 9.1 8.4 7.2 6.0 4.8 3.6 3.6
2200 10.4 9.5 8.2 6.8 5.5 4.1 4.1
1900 12.0 11.1 9.5 7.9 6.3 4.7 4.7
1700 13.4 12.4 10.6 8.8 7.1 5.3 5.3
1500 15.2 14.0 12.0 10.0 8.0 6.0 6.0
1200 19.0 17.5 15.0 12.5 10.0 7.5 7.5
1000 22.8 21.0 18.0 15.0 12.0 9.0 9.0
800 28.5 26.3 22.5 18.8 15.0 11.3 11.3
500 45.6 42.0 36.0 30.0 24.0 18.0 18.0
300 76.0 70.0 60.0 50.0 40.0 30.0 30.0
Table 2 – Time before overflow of a tanker compartment
Industry Forum
* The minimum remaining ullage volume at the high level detection point is normally 150
litres.
Additional measures may have to be taken to prevent risks arising from gasoline entering
the vapour recovery system. This document does not comment on these

Guideline Loading Arm Overfill Prevention

Uploaded by

Copyright:

Available Formats

Guideline Loading Arm Overfill Prevention

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Guideline Loading Arm Overfill Prevention

Uploaded by

Copyright:

Available Formats

CDOIF

Chemical and Downstream Oil Industry Forum

Automatic Overfill Prevention Systems for

Overfilling can occur for a variety of reasons, including:

• filling the wrong compartment,

• failure of equipment intended to automatically stop gasoline flow.

Vapour Recovery Emergency Earth/Overfill

Preset/Batch Loading Permissive

ROSOV Pump Pump Automated Flow Control

Tank Farm Loading Bay

Figure 1 – Example road tanker loading system

3.1 Causes of Overfills

A number of incidents have occurred even where there is an automated emergency

3.2 Overfill Prevention System Goal

The goal of an overfill prevention system is self-evidently to prevent the overfilling of a

4.1 Assessing the Suitability of Road Tanker Loading System Architectures

3. Is an automated shutdown valve triggered in response to identified faults or

4. Is an emergency shutdown automated valve able to prevent or mitigate against

5. Are automated shutdown valves tested at a suitable frequency, according to

6. Are automated shutdown valves maintained according to appropriate

4.1.1 Specification of Valves

Valve failures have occurred due to;

• Excessive number of operations. Manufacturers produce specifications regarding

• Product incompatibility. Valve failures have occurred because of incompatibility

• Incorrect pressure specifications. Whilst working pressures in many loading

4.1.2 Automated Shutdown Valves

4.1.3 Initiation of Automated Shutdown Valves

necessary to adequately control risk. Closure of automated shutdown valves may be

• An alarm resulting from the preset/batch controller detecting an overrun beyond

• A detection of high level in the road tanker

• An emergency shut-down button being pressed

• Gasoline detection in the vapour recovery system

• Action being taken from a remote location such as a control room

Effective management processes should be in place to ensure the operability and

4.1.4 Effectiveness of Emergency Shutdown Valves

Emergency shutdown valves should be effective in preventing a loss of containment

Figure 2 – Time to stop flow on loss of flow control

A. Time between loss of control and detection of the loss of control.

4.1.5 Testing of Valves

4.1.6 Maintenance of Valves

Valves should be maintained according to the specification from the manufacturer. In

Valves have failed because:

• Maintenance has not been carried out

• Maintenance has as not been carried out correctly

• Faults have been identified but not remedied

4.1.7 Management of Risk

5. System Design and Operation

5.1 Overfill Prevention System Equipment

2. Electronic preset/batch controller – the system which controls loading

4. Flowmeter – connected to the electronic preset/batch controller to provide flow

5. Flow control valve – connected to the electronic preset/batch controller, controls

controller, and allowing automatic closure of the automated shutdown valve(s).

8. Automated shutdown valve(s) – the automated shutdown valve should

5.2 Overfill Prevention System Control Philosophy

Note: automated shutdown valve may

Close S/D Valve - Bay A

Close S/D Valve - Bay B

Close S/D Valve - Bay C

Close FCV - Bay B