Assessing Safety Risks in Terminal Operations - Emerson Automation Experts

Safety risk assessments require a methodical look at all the areas of a manufacturing process where hazardous conditions may exist. I caught up with certified functional safety expert (CFSE) Mike Schmidt, who recently worked with a terminal operator to take a fresh look at the safety risks at the terminal. Mike is a consultant in Emerson’s Refining and Chemical industry center.

Mike worked with the risk assessment team, which included members from HSE (health, safety and environmental), engineering, and operations, as well as the terminal manager.

The team looked at the layers of protection and the safety instrumented functions (SIFs) currently in place to reduce the risks of various hazards. For a terminal that takes in and sends out refined hydrocarbon products like gasoline and diesel, these possible hazards include ruptured pipelines, loss of pipeline containment, storage tank overfill, tank truck overfill, and barge overfill, to name a few.

Following the total safety lifecycle as prescribed by the global IEC 61511 safety standard (ISA S84.01 2004 in the U.S.), the team methodically considered every risk, its likelihood, and the consequence of the hazard occurring. The team identified areas where additions to the existing layers of protection and safety instrumented functions were needed.

An example Mike shared was the hazard posed by a storage tank overfill. These tanks are filled either by an incoming pipeline or from a marine vessel. The team determined that the likely cause of a storage tank overfill with the worst consequences is an error or failure condition during receipt of product from a pipeline, because a pipeline represents an essentially infinite source of spilled material. To mitigate this risk, redundant level sensors are placed on each tank. The operating level is monitored and controlled with a separate level transmitter. Should a possible overfill condition begin to occur, the safety instrumented system initiates closure of the pipeline isolation valve. Given the consequences and impact of this potential hazard, this safety instrumented function was rated SIL 2.
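The overfill function described above can be sketched in a few lines. This is an added illustration, not code from the article or from Emerson. The article gives no setpoints or voting scheme, so the trip point, the signal fault thresholds, the 1oo2 voting and every name used here are assumptions.

```python
# Added illustration. The article gives no setpoints or voting scheme, so the
# trip point, signal thresholds and 1oo2 voting are assumptions.
HIGH_HIGH_TRIP_PCT = 95.0   # hypothetical overfill trip point, % of tank span
FAULT_LOW_MA = 3.6          # assumed: at or below this the signal is failed
FAULT_HIGH_MA = 21.0        # assumed: at or above this the signal is failed


def level_pct(signal_ma: float) -> float:
    """Scale a 4-20 mA level signal to 0-100 % of span."""
    return (signal_ma - 4.0) / 16.0 * 100.0


def votes_trip(signal_ma: float) -> bool:
    """A sensor votes to trip on high-high level or on a failed signal.

    Counting a failed signal as a trip vote is the fail-safe choice: a broken
    wire closes the valve instead of silently removing a layer of protection.
    """
    if signal_ma <= FAULT_LOW_MA or signal_ma >= FAULT_HIGH_MA:
        return True
    return level_pct(signal_ma) >= HIGH_HIGH_TRIP_PCT


class OverfillSIF:
    """1oo2 vote on the two safety level sensors; latches once tripped.

    The level transmitter used for normal control is deliberately not an
    input, so a control-loop failure cannot also defeat the safety function.
    """

    def __init__(self) -> None:
        self.tripped = False

    def scan(self, sensor_a_ma: float, sensor_b_ma: float) -> bool:
        """Return True while the pipeline isolation valve is commanded closed."""
        if votes_trip(sensor_a_ma) or votes_trip(sensor_b_ma):
            self.tripped = True
        return self.tripped

    def reset(self, sensor_a_ma: float, sensor_b_ma: float) -> bool:
        """Manual reset; refused unless both sensors are healthy and below trip."""
        if not (votes_trip(sensor_a_ma) or votes_trip(sensor_b_ma)):
            self.tripped = False
        return not self.tripped
```

Because the trip latches, the valve stays closed after the level falls back, and the reset is refused while either sensor still reads high or failed.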

Out of this assessment, the next step was to develop a detailed safety requirements specification, again consistent with the IEC 61511 standard.

The performance-based requirements in the IEC 61511 standard increasingly call for this close working relationship between the process manufacturer and the safety instrumented system provider to carefully examine the hazards and to develop and execute a plan to mitigate the risks identified.

Posted Thursday, January 18th, 2007 under Safety.


  1. In the assessment, was exposure to carbon monoxide taken into account? With all the hydrocarbon material not to mention the trucks and machines themselves in the terminal, I would think carbon monoxide poisoning would be an issue.

  2. Mike Schmidt says:

    Carbon monoxide was not one of the acute hazards addressed in the risk assessment. Risk is the product of both likelihood and consequence. While there is some remote possibility of carbon monoxide accumulating to lethal concentrations in this thinly staffed, outdoor storage tank facility, it is determined to be so slight as to not warrant further attention. The risk of a major spill and resulting catastrophic fire, while still very low, is much, much higher. This is both as a result of increased likelihood and worse consequences. The upshot is that carbon monoxide poisoning, along with a number of other hazards, was categorized as low risk very early in the analysis.
    One of the great advantages of formal risk assessments is that they allow facilities to focus their attention on the hazards that have the greatest impact. In a world of finite resources, allocating those resources appropriately gives the greatest achievable risk reduction.
