Abstract
This knol describes the development and analysis of layers of safeguards for hazardous processes.
Introduction
Most process systems are protected by layers of safeguards, sometimes referred to as Levels or Layers of Protection, as shown in Figure 1. They are an integral part of any Process Safety Management program [1]. The lowest layer consists of normal operational controls, which are not safeguards even though they control the great majority of deviations. The upper four layers, which are implemented in ascending order once the Safe Limit Value has been breached, represent increasing levels of safeguards.
Figure 1
Levels of Protection
The types of safeguard are illustrated in this knol using the sketch in Figure 2.
Standard Example
Safeguards reduce the magnitude of either the consequence or the predicted frequency term (they do not remove the hazard). For example, a berm/bund wall around the Tank, T-100, reduces the consequences of a spill from that tank. The pressure relief valve on V-101 reduces the likelihood that the vessel will rupture due to high pressure.
Safeguards can themselves create a hazard, although such hazards usually have much lower consequence than those that they are protecting against. For example, a relief valve that discharges directly to atmosphere protects against vessel rupture, but, when it opens, an employee may be affected by the discharged vapors. Another example of safeguards creating hazards occurs when unreliable safety instruments cause spurious shutdowns that in themselves create hazardous transient operations.
Some would add Emergency Response as being a sixth level of safeguard. However, if the event has reached the point where fire teams and other emergency responders are needed, the process is out of control — the incident has occurred.
Table 1 illustrates the types of safeguard for high level in T-101 and for high pressure in V-101. A Table such as this can be prepared for any significant hazard. The first row — Normal Operations — has been shaded to indicate that responses at this level are not really safeguards; they are simply the normal operating response. Similarly the sixth row — Emergency Response — has been shaded because, as discussed above, once the emergency situation is underway the actions taken are not really safeguards. If the situation has reached this point the safeguards have demonstrably failed.
Table 1
Levels of Safeguard
| Level of Safeguard | T-101 Overflow | V-101 Pressure |
| --- | --- | --- |
| 1. Normal Operations | Operator responds to rising level by adjusting flow rates into and out of T-100 using normal control systems and equipment. | Operator responds to rising pressure by adjusting flow rates out of V-101 using normal control systems and equipment. |
| 2. Procedural Safeguards | Operator responds to a high level alarm. | Operator responds to a high pressure alarm. |
| 3. Safety Instrumented Systems | Safety instrumentation takes the corrective actions needed to keep the level under control. The operator and normal control systems no longer play a role. | Safety instrumented systems respond to bring the pressure back below the safe upper limit. The operator and normal control systems no longer play a role. |
| 4. Mechanical Safeguards | An overflow pipe near the top of the tank directs spill to a safe location. | The pressure safety relief valve opens. |
| 5. Passive Safeguards | The berm shown in Figure 10 can contain 110% of the tank’s volume. | None. |
| 6. Emergency Response | The Emergency Response Team works to contain the spill and to prevent further environmental or safety losses. | Evacuation of the area followed by fire and spill control by the Emergency Response Team. |
Safeguard Level 1: Normal Operations
The first response to a hazard is for the system’s normal operational and control systems to bring the situation under control. In the case of T-101, a high level alarm will sound when the liquid approaches the top of the tank. Either the operator will cancel the alarm and take the appropriate corrective action or the level control instrumentation will adjust the incoming or outgoing flow rates.
Although normal operational responses such as these will handle the vast majority of hazardous situations, it could be argued that they are not true safeguards because they are not dedicated to safety. Hence the following are not true safeguards:
- Normal operating procedures and training;
- Normal instrumentation and control systems;
- Alarm devices that are used in the course of normal operations; and
- Inspection (although risk-based inspection may be an exception).
A normal operating response usually takes place before a safe limit has been breached. If the safe high level for T-101 is designated as 95% then normal operations will be conducted as the level rises toward the 95% value. Once the level goes above that point, the system is, by definition, in an unsafe condition and the safeguards proper take over.
Safeguard Level 2: Procedural Safeguards
Procedural safeguards rely upon people either to trigger an automated safety system or to carry out the response to an on-going situation. For example, if an operator is expected to respond to an instrument alarm, say high level in T-100, then his or her response constitutes a procedural safeguard.
Procedural safeguards are the least reliable due to the relatively high chance of human error, particularly during a true emergency. It has been estimated that, during an emergency, an untrained responder has an error rate of 50%, i.e., the chance of that person taking the right action (such as closing the correct valve) is only one in two. Therefore, if a person is asked to carry out ‘n’ tasks during an emergency, the probability that he will succeed is 0.5^n. If an operator is expected to perform six tasks during an emergency, then the chance of his getting them all right is 0.5^6, which is only 3%. In other words, the person involved is virtually certain not to respond correctly. For this reason, it is best not to expect the operator to take action during an emergency. He or she should initiate an automatic shutdown (instruments do not panic), then leave the area of the incident. If the incident continues to be out of control it should be handled by a trained emergency response team.
Figure 1 shows that procedural safeguards are applied when the variable in question has gone beyond its safe limit value. In practice, alarms will often be initiated before that value has actually been reached. In other words, the alarm will sound to indicate that an unsafe condition is being approached.
Safeguard Level 3: Safety Instrumented Systems
Safety instrumented systems, with their associated Safety Integrity Levels (SILs), play an increasingly important part in assuring the safety of process plants. Referring to the standard example once more, a high-level interlock can be installed on LRC-101 such that when the level drops below, say, 5% of the tank height, a dedicated safety valve on the line from Pumps P-101 A/B will be closed.
Emphasis must be placed on the problems associated with common cause effects. In the case of safety instruments it is important to identify any problems that could simultaneously disable all the instruments. For example, solid material in a liquid stream could plug both instruments, thus canceling out the perceived redundancy. In order to minimize the problem of common cause events, good practice calls for different types of instrument and transmitter to be used when redundancy is called for.
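As an added illustration of the arithmetic behind the 0.5^n operator estimate in the procedural section and the common-cause warning above (example code, not part of the knol), the following treats the ladder of Table 1 as independent layers, each with a probability of failure on demand (PFD). The initiating-event frequency, the per-layer PFDs and the common-cause fraction are constructed sample values; only the 50% error rate comes from the knol.

```python
# Frequency arithmetic for the knol's safeguard ladder (added example).
# Constructed/assumed: initiating-event frequency, per-layer PFDs, beta.
# The 50% untrained-responder error rate is the knol's own figure.
from dataclasses import dataclass

# Only Table 1 levels 2-5 earn credit; levels 1 and 6 are not safeguards.
SAFEGUARD_LEVELS = {2: "Procedural", 3: "Safety Instrumented", 4: "Mechanical", 5: "Passive"}

@dataclass(frozen=True)
class Safeguard:
    name: str
    level: int   # 1..6 as numbered in Table 1
    pfd: float   # probability of failure on demand

def operator_success_probability(n_tasks: int, error_rate: float = 0.5) -> float:
    """P(all n emergency tasks done right) = (1 - error_rate) ** n; 1/64 for six."""
    return (1.0 - error_rate) ** n_tasks

def procedural_pfd(n_tasks: int, error_rate: float = 0.5) -> float:
    """A procedural safeguard fails if any one of its tasks goes wrong."""
    return 1.0 - operator_success_probability(n_tasks, error_rate)

def redundant_pfd(pfd: float, beta: float = 0.0) -> float:
    """Two identical instruments, one-out-of-two.  Assumed simple model: a
    fraction beta of each instrument's failures is common cause (plugging, say)
    and takes both out at once; the rest fail independently.  beta = 0 gives
    the naive pfd ** 2 credit."""
    common = beta * pfd
    independent = (1.0 - beta) * pfd
    return common + (1.0 - common) * independent * independent

def mitigated_frequency(initiating_freq: float, layers: list) -> float:
    """Event frequency with independent layers: all must fail on one demand."""
    freq = initiating_freq
    for s in layers:
        if s.level not in SAFEGUARD_LEVELS:
            raise ValueError(f"{s.name}: level {s.level} earns no safeguard credit")
        freq *= s.pfd
    return freq

def t101_overflow_example() -> float:
    """Constructed T-101 high-level scenario; returns events per year."""
    layers = [
        Safeguard("operator answers high level alarm, 2 tasks", 2, procedural_pfd(2)),
        Safeguard("high-level interlock, 1oo2 transmitters", 3, redundant_pfd(0.05, 0.1)),
        Safeguard("overflow pipe to a safe location", 4, 0.01),
    ]
    return mitigated_frequency(0.1, layers)  # 0.1 demands per year, assumed
```

With a 10% common-cause fraction the paired transmitters' PFD rises from 0.0025 to about 0.007, which is the numerical form of the warning that plugging can cancel the credit taken for redundancy.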
Safeguard Level 4: Mechanical Safeguards
A mechanical safeguard is one that operates regardless of either instrument or human response. Two common examples of mechanical safeguards are check valves and pressure safety relief valves.
Check Valves
A check (non-return) valve is a commonly used safeguard to prevent fluid backflow. It is, however, liable to failures such as the following:
- Solid deposits wedge themselves into the check valve’s mechanism such that it does not close on demand;
- Corrosion products prevent the flapper from closing; and
- The flapper fails to seat properly, thus allowing some leakage.
For reasons such as the above check valves are normally regarded as being only a weak safeguard, and should not be relied upon in critical service. As one hazards analysis leader has said, “If you rely on a check valve to be safe, then you’re not safe”. Another leader uses a figure of 49 in 50 for check valve reliability in clean service, i.e., he anticipates that a check valve will not work on demand 2% of the time.
Pressure Safety Relief Valves
Pressure safety relief valves (PSRVs) are required on all pressure vessels (with some rare exceptions). They are critical to the safety of virtually all process facilities.
Pressure relief systems usually represent the last line of defense. If they fail to respond then a serious incident could well occur. This means that pressure relief systems should never actually be needed; high pressure events should be handled by other safeguards in the lead-up to the event. But, if the pressure relief system is needed, then it must work. Hence the quotation, ‘Relief valves must always work; relief valves should never work’.
Many facilities require that, if a pressure relief valve opens during a high pressure excursion, then a full Incident Investigation must be carried out.
Some process operations use relief valves as part of their normal operation; when the internal pressure rises above a certain point the relief valve opens and the system pressure is reduced. In such situations, the relief valve is not a safeguard because it is not a pressure safety relief valve.
Safeguard Level 5: Passive Safeguards
A passive safeguard controls a hazard simply through its presence; such a safeguard does not have to do anything or to respond to unsafe conditions.
For example, many chemical storage tanks are surrounded by an earthen berm, as shown in Figure 3 for the Tank, T-100. The volume of the berm should be at least 110% of the volume of the largest tank in the contained area. The berm wall is totally passive, requiring neither equipment nor human intervention in order to be effective. The wall will always be there, regardless of what else is going on.
Figure 3
Storage Tank Berm
Another common example of a passive safeguard is a flare system. Any flammable vapors that are released from the process will be burned in the flame of the flare.
Safeguard Level 6: Emergency Response
Emergency response measures come into play after the incident has occurred. Therefore such measures are not truly safeguards. They are only used when the various levels of safeguards have failed to control the event. Emergency response safeguards do not prevent an incident from occurring; they merely limit the consequences.
The following are typical safeguards at the emergency response level:
- Fire-fighting equipment;
- The fire brigade;
- Personal protective equipment (PPE) used to allow affected personnel to evacuate.