Last summer a facility in Texas spilled 3,500 gallons of diesel fuel intended for one of their emergency generators. The fuel was pushed up through a day tank vent, ran across their parking lot, and into a pond adjacent to their property. The clean-up team recovered about 2,100 gallons of fuel out of the pond, but at a cost of about $300,000.
I was called to the site two weeks after the spill and took these pictures of the pond. It’s amazing how resilient nature can be in Texas. The only damage I could see to the pond was browned grass below the waterline. Now, ten months later, the pond appears to have fully recovered.
The generator fueling system for this facility was installed in 2013. From an inspection of the day tanks, all the instrumentation and safety devices met the required NFPA and local fire codes. However, I did not recognize the systems integrator who did the PLC controls. I suspected there was an error in the PLC program exacerbated by a system design that didn’t anticipate something going wrong.
The facility owner brought in a couple of sharp corporate engineers to autopsy the existing controls. They found errors in the PLC programming logic. A level sensor failed, showing a low fuel level in the day tank, so the PLC controls energized supply pumps to re-fill the day tank from the main storage tank. With the level sensor stuck, the PLC controls ignored all the other instrumentation indicating the tank was full, continued pumping fuel, and quickly overfilled the tank. The facility engineers thought the system started pumping fuel at about midnight. Facility staff coming on duty at 7 a.m. smelled diesel fuel, noticed the fuel on the ground, and shut off the pumps.
At first glance, the control sequences for diesel generator fueling systems are not terribly complicated, so local systems integrators are often hired to provide controls for fueling systems. However, to ensure that fuel is always available to mission-critical emergency generators and that fuel spills are prevented, the Preferred engineers—who specialize in the design of generator fueling systems—try to anticipate every likely failure mode:
– What happens if a level sensor gets stuck?
– What happens if an analog transmitter fails and produces 0 milliamps?
– What should the controls do if a pump fails to prove flow?
– What happens if there is a break in a fuel line, or a tank starts to leak?
– What happens if an operator manually energizes a fuel transfer pump and then goes home?
After supplying so many fueling systems over the years, we know that all of these failures will happen. Regardless of a component failure or operator error, fuel spills are still unacceptable, and the generators still need fuel.
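One way to make a day tank fill sequence fail safe against the failure modes listed above, written in Python as an added example (it is not the facility's PLC program or Preferred's control logic). Every setpoint, timer, fault name and signal name is an assumption chosen for illustration; the point is that no single reading, including the level transmitter, can keep the pump running on its own.

```python
from dataclasses import dataclass

# Every setpoint and timer below is an assumed value for illustration.
MA_MIN, MA_MAX = 3.8, 20.5         # plausible range of a 4-20 mA loop
START_PCT, STOP_PCT = 40.0, 85.0   # normal refill band
FLOW_PROOF_S, STUCK_S, MAX_RUN_S = 15, 120, 600
MIN_RISE_PCT = 1.0                 # level must rise this much every STUCK_S

@dataclass
class Inputs:
    level_ma: float     # analog level transmitter
    high_switch: bool   # independent high-level switch
    leak_switch: bool   # leak detector
    flow_proven: bool   # flow switch on the pump discharge

@dataclass
class State:
    pumping: bool = False
    run_s: int = 0
    ref_pct: float = 0.0
    ref_s: int = 0
    fault: str = ""     # latched until an operator resets it

def check(st, inp, pct):
    """Return a fault name if any device contradicts a safe fill, else ''."""
    if inp.leak_switch: return "LEAK"
    if not MA_MIN <= inp.level_ma <= MA_MAX: return "TRANSMITTER"
    if inp.high_switch: return "HIGH_LEVEL"   # overrides the analog reading
    if st.pumping:
        if st.run_s >= FLOW_PROOF_S and not inp.flow_proven: return "NO_FLOW"
        if st.run_s >= MAX_RUN_S: return "MAX_RUN"
        if st.run_s - st.ref_s >= STUCK_S:    # is the level responding?
            if pct - st.ref_pct < MIN_RISE_PCT: return "LEVEL_STUCK"
            st.ref_pct, st.ref_s = pct, st.run_s
    return ""

def scan(st, inp):
    """One 1-second scan; returns the pump command."""
    pct = (inp.level_ma - 4.0) / 16.0 * 100.0
    st.run_s += st.pumping
    st.fault = st.fault or check(st, inp, pct)
    if st.fault or pct >= STOP_PCT:
        st.pumping = False
    elif not st.pumping and pct <= START_PCT:
        st.pumping, st.run_s, st.ref_pct, st.ref_s = True, 0, pct, 0
    return st.pumping

def simulate(inputs_at, seconds):
    """Run the logic against inputs_at(t); return (fault, seconds pumped)."""
    st = State()
    pumped = sum(scan(st, inputs_at(t)) for t in range(seconds))
    return st.fault, pumped
```

Feeding `simulate` a transmitter frozen at a low reading for seven hours shows the pump stopping after the first stuck-level window instead of running until someone smells fuel.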
I did boiler controls for twenty years before learning how to design and commission fuel handling systems. NFPA boiler code dictates all the safety devices and sequences required to operate boilers. As a result, at least three separate devices must fail to run the water out of a boiler, or overpressure a boiler. NFPA code for fueling systems is much less specific. In fact, the fuel system that caused the spill at this facility didn’t violate any NFPA fuel handling codes.
In the end, this facility’s Preferred installer and consulting engineer commissioned the new Preferred fuel handling system controls. Commissioning is the process of simulating all the “What happens if…” scenarios described above and verifying the fuel system responds correctly to all imaginable upset conditions.
It’s the last thing we do on every fuel handling project.
David Eoff, BSME, MBA
Preferred Utilities, National Sales Manager