Most fleet operators and terminal managers interact with overfill protection systems at the interface level: a green light means go, a red light means stop, and if something triggers, the transfer shuts down. But between the moment a level sensor detects a critical fill state and the moment a control valve actually closes, a precisely engineered chain of events must execute correctly, every time, in sequence, within a very narrow time window.

Understanding this chain is not academic. It is the difference between knowing your system is installed and knowing your system will work when it matters.

The trigger: what the sensor sees

Overfill protection begins with a level-sensing element inside the tank compartment. In the most common configuration for road tankers, this is a float-type sensor conforming to EN 13616. The float sits at a predetermined height inside the compartment, corresponding to the maximum safe fill level. As the liquid surface rises during loading, the float lifts. When it reaches the trigger point, it changes the state of an electrical circuit.

There are several sensing principles in use. Mechanical float switches physically break or make a contact. Optical sensors detect the presence of liquid at the sensor tip by measuring changes in light refraction. Capacitive sensors measure changes in the dielectric constant as liquid surrounds the probe. Each principle has different characteristics in terms of response speed, susceptibility to fouling, and behaviour across different product densities.

Ground truth: The critical parameter at this stage is response time. The sensor must detect the fill level and change its output state fast enough that the downstream system has time to act before the liquid reaches the actual overflow point. The distance between the sensor's trigger level and the physical overflow point is the safety margin, and it is measured in centimetres and seconds.

The signal path: getting from sensor to controller

In a cable-based system, the sensor's state change travels through a hardwired connection to the control unit. The signal is straightforward: a change in impedance, a contact closure, or an analogue current shift. The control unit monitors this signal continuously and responds when it crosses a threshold.

In a wireless system, the signal path is more complex and introduces additional engineering challenges. The sensor's state change must be converted into a radio signal, transmitted across the air gap between the tank and the control unit, received, decoded, and validated, all within milliseconds and all within an environment that may be classified as an EX zone (explosive atmosphere).

Wireless transmission in EX zones requires intrinsically safe (IS) design. This means the radio transmitter on the tank side must be engineered so that even under fault conditions (short circuit, component failure), the energy it can release is insufficient to ignite a flammable gas or vapour mixture. This constraint limits the available transmission power, which in turn affects range and reliability. Modern systems operating in the 433 MHz band achieve reliable transmission over the distances required for tanker operations (typically 10 to 50 metres) while remaining within IS energy limits.

The radio link also introduces the question of signal integrity. In a wired system, if the cable is intact, the signal arrives. In a wireless system, the control unit must distinguish between three states: sensor OK (normal fill level), sensor triggered (overfill condition), and signal lost (communication failure). The third state is critical. If the radio link drops, the system must fail safe, meaning it must treat loss of signal as an alarm condition, not as "everything is fine."

Ground truth: This fail-safe behaviour is what separates a safety-rated wireless system from a convenience wireless system. A wireless garage door opener can tolerate a missed signal. A wireless overfill protection system cannot.
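The three-state logic described above can be made concrete. The following is an added illustration, not code from this article or from SECU-TECH: the frame layout, the checksum, the status encoding, the sequence-number handling and the 500 ms heartbeat timeout are all constructed assumptions. What it shows is the behaviour that matters: corrupt or stale frames never refresh the link, and silence beyond the timeout is classified as an alarm rather than as "everything is fine".

```python
"""Fail-safe supervision of a wireless overfill-sensor link (added example).

Frame format, checksum, status encoding and timeout are constructed assumptions,
not the protocol of any real product.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class LinkState(Enum):
    SENSOR_OK = "sensor ok"                # fresh, valid frame reporting normal level
    SENSOR_TRIGGERED = "sensor triggered"  # fresh, valid frame reporting float lifted
    SIGNAL_LOST = "signal lost"            # no fresh valid frame: treated as an alarm


@dataclass(frozen=True)
class Frame:
    t_ms: int     # time the control unit received the frame (ms)
    seq: int      # rolling sequence number assigned by the transmitter
    status: int   # 0 = normal level, 1 = float lifted (assumed encoding)
    check: int    # checksum byte carried in the frame


def checksum(seq: int, status: int) -> int:
    """Assumed 8-bit check over seq and status (a real link would use a CRC)."""
    return (seq ^ (status * 0x5A) ^ 0xA3) & 0xFF


def make_frame(t_ms: int, seq: int, status: int) -> Frame:
    """Build a well-formed frame, as the tank-side transmitter would."""
    return Frame(t_ms, seq, status, checksum(seq, status))


def frame_valid(frame: Frame) -> bool:
    return frame.status in (0, 1) and frame.check == checksum(frame.seq, frame.status)


def latest_valid_frame(frames: Iterable[Frame]) -> Optional[Frame]:
    """Walk frames in receive order; discard corrupt, duplicate or stale ones."""
    last = None
    for f in frames:
        if not frame_valid(f):
            continue                                   # corrupt: never trusted
        if last is not None and f.seq <= last.seq:
            continue                                   # repeated or stale sequence number
        last = f
    return last


HEARTBEAT_TIMEOUT_MS = 500  # assumed: roughly three missed 150 ms heartbeats


def link_state(frames: Iterable[Frame], now_ms: int,
               timeout_ms: int = HEARTBEAT_TIMEOUT_MS) -> LinkState:
    """Classify the link from the newest valid frame; silence beyond the timeout is SIGNAL_LOST."""
    last = latest_valid_frame(frames)
    if last is None or now_ms - last.t_ms > timeout_ms:
        return LinkState.SIGNAL_LOST
    return LinkState.SENSOR_TRIGGERED if last.status == 1 else LinkState.SENSOR_OK


def transfer_permitted(state: LinkState) -> bool:
    """Only an explicit, fresh 'sensor ok' permits flow; both other states stop it."""
    return state is LinkState.SENSOR_OK


# Constructed traces (times in ms from the start of loading).
HEALTHY = [make_frame(0, 1, 0), make_frame(150, 2, 0), make_frame(300, 3, 0)]
TRIGGERED = HEALTHY + [make_frame(450, 4, 1)]
SILENT = HEALTHY                                                 # transmitter stops at 300 ms
CORRUPTED = HEALTHY + [Frame(450, 4, 0, 0x00), Frame(600, 5, 0, 0xFF)]  # bad checksums


def demo() -> dict:
    return {
        "healthy": link_state(HEALTHY, now_ms=400),
        "triggered": link_state(TRIGGERED, now_ms=500),
        "silent": link_state(SILENT, now_ms=900),
        "corrupted": link_state(CORRUPTED, now_ms=850),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:10s} -> {state.value:17s} transfer permitted: {transfer_permitted(state)}")
```

Note the "corrupted" trace: the control unit keeps receiving frames, but because none of them validate, the last trusted frame is still the one from 300 ms and the link times out exactly as if the transmitter had gone quiet. That is the property to verify on a real installation: a jammed or noisy link must end in a stop, not in a stale "OK".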

The decision: what the controller does

The control unit receives the sensor signal (wired or wireless) and makes a binary decision: continue or stop. But the decision logic is more nuanced than a simple on/off threshold.

First, the controller validates the signal. Is this a genuine sensor trigger, or is it noise? Debounce logic filters out transient spikes that could cause false shutdowns. The debounce window must be short enough not to delay a genuine alarm, yet long enough to reject electrical noise. Typical debounce times are in the range of 10 to 50 milliseconds.

Second, the controller checks the system state. Is the transfer actually in progress? Are all other safety conditions still met (earthing connected, vapour recovery confirmed, dead-man active)? In integrated systems that combine overfill protection with product identification and earthing monitoring, the shutdown decision considers multiple inputs simultaneously.

Third, the controller issues the shutdown command. This is an output signal sent to the actuator (typically a solenoid-operated valve or a pump control relay) that physically stops the flow of product.
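The three steps above, validate, check system state, issue the command, are shown together in the following added example. It is not code from this article or from SECU-TECH; the 5 ms sample period, the 30 ms debounce window, the latching behaviour, the interlock names and the sensor trace are constructed assumptions. The run permit is modelled as an output that must be re-asserted every cycle, so that anything which stops asserting it (including a controller fault) stops the flow.

```python
"""Controller decision chain: debounce, interlock check, shutdown command (added example).

Sample period, debounce window, interlock names and the trace are constructed
assumptions, not the logic of any real control unit.
"""
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_PERIOD_MS = 5
DEBOUNCE_MS = 30      # assumed value inside the 10-50 ms band discussed in the text


class Debouncer:
    """Accept a trigger only after it has been present for DEBOUNCE_MS of consecutive samples."""

    def __init__(self, debounce_ms: int = DEBOUNCE_MS, period_ms: int = SAMPLE_PERIOD_MS):
        self.required = max(1, debounce_ms // period_ms)   # consecutive samples needed
        self.count = 0
        self.latched = False

    def update(self, raw_triggered: bool) -> bool:
        self.count = min(self.count + 1, self.required) if raw_triggered else 0
        if self.count >= self.required:
            self.latched = True   # assumed: a confirmed overfill latches until reset
        return self.latched

    def reset(self) -> None:
        self.count = 0
        self.latched = False


@dataclass(frozen=True)
class PlantState:
    """Other safety conditions the controller considers alongside the level sensor."""
    transfer_in_progress: bool
    earth_connected: bool
    vapour_recovery_ok: bool
    dead_man_active: bool


def shutdown_reasons(overfill_confirmed: bool, plant: PlantState) -> List[str]:
    """Every condition that independently demands a stop; an empty list means 'continue'."""
    reasons = []
    if overfill_confirmed:
        reasons.append("overfill sensor triggered")
    if not plant.earth_connected:
        reasons.append("earthing not connected")
    if not plant.vapour_recovery_ok:
        reasons.append("vapour recovery not confirmed")
    if not plant.dead_man_active:
        reasons.append("dead-man released")
    return reasons


def controller_step(debouncer: Debouncer, raw_sensor: bool,
                    plant: PlantState) -> Tuple[bool, List[str]]:
    """One control cycle. Returns (run_permit, reasons).

    run_permit is the signal to the actuator; it is only True while a transfer is in
    progress and no shutdown reason exists, and it must be re-asserted every cycle.
    """
    overfill = debouncer.update(raw_sensor)
    reasons = shutdown_reasons(overfill, plant)
    run_permit = plant.transfer_in_progress and not reasons
    return run_permit, reasons


def first_stop_index(samples: List[bool], plant: PlantState) -> Tuple[int, List[str]]:
    """Feed a raw sensor trace sample by sample; return the index of the first cycle
    that drops the run permit (or -1 if it never drops) and the reasons at that cycle."""
    deb = Debouncer()
    for i, raw in enumerate(samples):
        run_permit, reasons = controller_step(deb, raw, plant)
        if not run_permit:
            return i, reasons
    return -1, []


HEALTHY_PLANT = PlantState(True, True, True, True)
NO_EARTH = PlantState(True, False, True, True)

# Constructed trace at 5 ms per sample: a 15 ms noise spike (samples 2-4) that the
# debouncer must reject, then a genuine trigger sustained from sample 8 onward.
TRACE = [False, False, True, True, True, False, False, False] + [True] * 8


if __name__ == "__main__":
    idx, why = first_stop_index(TRACE, HEALTHY_PLANT)
    print(f"stop at sample {idx} ({idx * SAMPLE_PERIOD_MS} ms): {why}")
    print(first_stop_index(TRACE, NO_EARTH))
```

With the healthy plant, the spike is ignored and the stop is commanded at sample 13, the sixth consecutive triggered sample after the genuine trigger began at sample 8; with earthing disconnected, the run permit is refused on the very first cycle regardless of the sensor.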

The action: stopping the flow

The shutdown command must translate into physical action: a valve closing, a pump stopping, or both. The actuator's response time adds to the total chain delay. A solenoid valve closing under spring return typically achieves full closure in 50 to 150 milliseconds depending on valve size and the pressure differential across it. A pump shutdown initiated via relay may take longer if the pump has significant rotational inertia.

During the actuator response time, product continues to flow. This is the overrun volume: the quantity of liquid that enters the tank between the moment the sensor triggers and the moment flow actually stops. Overrun volume depends on the flow rate at the time of trigger, the total system response time (sensor + signal path + controller + actuator), and any hydraulic effects in the pipeline (water hammer, pressure decay).

Ground truth: For a typical bottom-loading operation at 2,400 litres per minute, a total system response time of 200 milliseconds results in an overrun of approximately 8 litres. At 3,600 litres per minute (high-flow loading), the same response time produces approximately 12 litres of overrun. This is why the safety margin between the sensor trigger point and the physical overflow point must account for the worst-case overrun at the maximum expected flow rate.
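The overrun arithmetic above, extended to a per-stage time budget and to the height margin it implies, as an added example that is not code from this article or from SECU-TECH. Only the 2,400 and 3,600 litres per minute flow rates and the 200 ms total come from the text; the split of that 200 ms across the four stages, the 2 m² free liquid surface and the hydraulic allowance are constructed assumptions.

```python
"""Overrun volume and safety margin for an overfill shutdown chain (added example).

Per-stage timings, compartment surface area and hydraulic allowance are
constructed assumptions; the flow rates and the 200 ms total come from the text.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ChainTiming:
    """Worst-case response time of each stage, in milliseconds."""
    sensor_ms: float        # float lift to output state change
    signal_path_ms: float   # cable, or radio transmit/receive/decode/validate
    controller_ms: float    # includes the debounce window
    actuator_ms: float      # valve closure or pump run-down

    def total_ms(self) -> float:
        return self.sensor_ms + self.signal_path_ms + self.controller_ms + self.actuator_ms


def overrun_litres(flow_lpm: float, response_ms: float) -> float:
    """Volume entering the tank between sensor trigger and flow stop."""
    return flow_lpm * response_ms / 60000.0   # (l/min) * ms / (60 s/min * 1000 ms/s)


def required_margin_cm(overrun_l: float, free_surface_area_m2: float) -> float:
    """Liquid rise for the overrun volume: 1 l = 0.001 m^3, height = V / A, metres to cm."""
    return overrun_l * 0.001 / free_surface_area_m2 * 100.0


def worst_case_margin_cm(timing: ChainTiming, flow_rates_lpm: Iterable[float],
                         free_surface_area_m2: float,
                         hydraulic_allowance_l: float = 0.0) -> float:
    """Margin needed at the highest expected flow rate, plus an allowance (assumed,
    in litres) for pipeline effects such as water hammer and pressure decay that the
    simple flow x time product does not capture."""
    worst_l = overrun_litres(max(flow_rates_lpm), timing.total_ms()) + hydraulic_allowance_l
    return required_margin_cm(worst_l, free_surface_area_m2)


def margin_sufficient(installed_margin_cm: float, timing: ChainTiming,
                      flow_rates_lpm: Iterable[float], free_surface_area_m2: float,
                      hydraulic_allowance_l: float = 0.0) -> bool:
    """True if the distance between trigger level and overflow point covers the worst case."""
    return installed_margin_cm >= worst_case_margin_cm(
        timing, flow_rates_lpm, free_surface_area_m2, hydraulic_allowance_l)


# Constructed chain summing to the 200 ms used in the text.
EXAMPLE_TIMING = ChainTiming(sensor_ms=20, signal_path_ms=30, controller_ms=50, actuator_ms=100)
EXAMPLE_AREA_M2 = 2.0          # assumed free liquid surface of one compartment
EXAMPLE_FLOWS_LPM = (2400, 3600)


if __name__ == "__main__":
    t = EXAMPLE_TIMING.total_ms()
    for flow in EXAMPLE_FLOWS_LPM:
        print(f"{flow} l/min, {t:.0f} ms -> overrun {overrun_litres(flow, t):.1f} l")
    print(f"worst-case margin: {worst_case_margin_cm(EXAMPLE_TIMING, EXAMPLE_FLOWS_LPM, EXAMPLE_AREA_M2, 2.0):.2f} cm")
```

The useful habit this encodes is to size the margin from the slowest credible chain at the fastest credible flow, not from typical values: a 50 ms debounce window and a sluggish valve belong in the budget even if they rarely occur together.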

Why this matters operationally

The entire chain, from sensor trigger to flow stop, must execute correctly every single time. Not most of the time. Every time. A 99.9% reliability rate sounds impressive until you consider that a fleet making 500 deliveries per month will experience a failure approximately every two months at that rate.

This is why overfill protection systems are designed with redundancy, fail-safe defaults, and testable architectures. And it is why periodic verification of the complete chain (not just the sensor, not just the valve, but the complete path from trigger to shutdown) is essential. Testing the sensor in isolation tells you the sensor works. It does not tell you the system works.

Ing. Manfred Schwarz is the Technical Director at SECU-TECH. Christian Stranzinger is the series editor of Ground Truth.