API Standard 521 allows credit to be taken for operator response to avert relief. It says that a commonly accepted time range for the response is between 10 min and 30 min, depending on the complexity of the plant. In practice this criterion is often used to rule out liquid overfill as a relief contingency for large vessels such as distillation columns. A ‘nice’ fringe benefit of this is that we do not have to account for liquid discharges to the flare system (at least not on paper, that is!).

Is Operator Intervention Safe?

An ‘interesting’ situation occurs if the shut-off pressure of a charge pump significantly exceeds the design pressure of the downstream vessel while the installed relief valve is not sized for the pump capacity (taking credit for operator intervention). Catastrophic failure would then occur if the operator “fails on demand” to stop the overfill.

SIL classification

For this reason (and in response to the Texas City disaster), the May 2008 addendum to API 521 requires that the “risk of failure of the operator to properly intervene” shall be addressed in case credit for his actions is taken.

A proper way to do so is to perform a SIL classification on the overfill scenario, which would normally be done during or after the HAZOP session, but is also easily conducted by the engineer prior to these sessions.

If we performed such a classification (in accordance with IEC 61511-3: Guidance for the determination of safety integrity levels, Annex D, IEC:2003), we would get:

Demand Rate W2: Once per 3 – 30 years
Health and Safety Consequence C3 (=Cc): Death to one person, long term disability
Occupancy F1: Rare to occasional exposure in hazardous zone (< 10%)
Possibility of Avoiding the Hazard P2 (=Pb): as less than 1 hour is available for necessary actions
Loss Consequence (optional) L3: Major operational upset and/or equipment damage 100k-1M$/EURO
Environmental Consequence E3 (=Cc): Vapour or aerosol release with or without liquid fallout that causes temporary damage to plants or fauna
Possibility to avoid L/E consequence P2 (=Pb): as less than 1 hour is available for necessary actions

This evaluation would not even be conservative: more than one person could die if a vessel fails catastrophically, and losses and environmental consequences could be worse depending on what is in the vessel. Only in the case of systems filled with “harmless” liquids, or in situations where the operator can definitely react within 30 minutes, would we get less severe outcomes.

The resulting SIL level would be 3, meaning that high integrity instrumented protection would be required to avoid the hazard that we chose not to protect against by not sizing our relief valve for it. It should also be noted that according to the IEC we would still need SIL 2 protection if the operator has more than one hour (!) to respond (Possibility to avoid conseq. = P1).


The clear message here is that we should be careful about ruling out liquid overfill as a relief contingency solely on the basis of 30 minutes holdup for operator intervention. The IEC demands at least one hour unless we can be sure less is required (and when can we?). If a liquid overfill situation can lead to overpressure, we should either design for it or size the relief valve for it. In that case the SIL classification will only take into account the nuisance of liquid discharge into the flare system, which will lead to a mild classification at worst. The system will be intrinsically safe, while the instrumented protection will merely reduce the likelihood (frequency) of demand.

As a last remark, it must be stated that the flare system will need to be capable of handling the liquid. If it is not, the SIL classification will need to take into account the consequences of liquid discharge into the flare, which may lead to a high classification again. In such situations it could be defensible not to design the relief valve for overfill, if that does not increase the SIL classification to the next level.


