Buddy Creef, vice president of sales at RTP Corp., adds that it’s vital for users to first do a hazardous operability (hazop) study and a risk assessment (RA), so the results can be plotted against the risk levels the user’s organization is or is not willing to accept. Next, a layer of protection analysis (LOPA) can help users decide what protection they need or indicate that they might need a dedicated safety system. “Users have a lot more safety options these days, but they still need to resolve the traditional tradeoff between availability and safety,” says Creef.
Overspill incidents due to loss of level control are one of the main causes of process safety accidents. Summers reports in her whitepaper, “Overfill Protective Systems—Complex Problem, Simple Solution,” that these incidents caused the Esso Longford explosion that killed two people and injured eight in Australia in September 1998, the BP Texas City explosion that killed 15 people and injured 170 in March 2005 and the Buncefield explosion that injured 45 people in the U.K. in December 2005. Each tragedy was attributed to a combined lack of hazard recognition, underestimated likelihood of overfill, excessive reliance on operators, no defined safe-fill limits and inadequate mechanical integrity. Summers adds that catastrophic overfills are easily prevented by:
- Acknowledging that overfill of any vessel is credible regardless of time required to overfill;
- Identifying each high-level hazard and addressing risk in the unit where it’s caused rather than allowing it to propagate downstream;
- Determining a safe-fill limit based on the mechanical limits of the process or vessel, measurement error, maximum fill rate and time required to complete the action that stops filling;
- Providing, when operator response can be effective, an independent, high-level alarm at a setpoint that allows enough time for the operator to bring the level back into the normal operating range prior to reaching a trip setpoint;
- Designing and implementing, when the overfill leads to the release of highly hazardous chemicals or to significant equipment damage, an overfill protection system that provides an automated trip at a setpoint that allows sufficient time for the action to be completed safely. Risk analysis, such as layers of protection analysis (LOPA), should be used to determine the safety integrity level (SIL) required to ensure that overfill risk is adequately addressed. While there are exceptions, most overfill protection systems are designed and managed to achieve SIL 1 or SIL 2.
- Determining the technology most appropriate for detecting level during abnormal operation. The most appropriate technology may be different from the one applied for level control and custody transfer.
- Providing a means to fully proof test any manual or automated overfill protective systems to demonstrate the ability to detect level at the high setpoint and to take action on the process in a timely manner.
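The setpoint and SIL steps in the list above can be worked through numerically. The following is an added example, not taken from the whitepaper or the article: the tank dimensions, response times and event frequencies are constructed, the margin formula (measurement error plus level rise during the response time) is an assumed simplification, and the SIL bands are the IEC 61511 low-demand risk-reduction ranges.

```python
from dataclasses import dataclass

@dataclass
class Tank:
    mech_limit_m: float      # level at which overflow or damage occurs
    area_m2: float           # cross-section (vertical cylinder assumed)
    max_fill_m3_h: float     # maximum credible fill rate
    meas_error_m: float      # worst-case level measurement error

def rise_m_per_min(t: Tank) -> float:
    """Level rise per minute at the maximum fill rate."""
    return t.max_fill_m3_h / t.area_m2 / 60.0

def level_with_margin(t: Tank, ceiling_m: float, action_min: float) -> float:
    """Highest level that still leaves action_min of filling at the maximum
    rate, plus measurement error, below ceiling_m."""
    return ceiling_m - t.meas_error_m - rise_m_per_min(t) * action_min

def required_sil(initiating_per_yr, ipl_pfds, tolerable_per_yr):
    """LOPA gap: frequency left after existing independent protection layers,
    divided by the tolerable frequency, mapped to low-demand SIL bands."""
    freq = initiating_per_yr
    for pfd in ipl_pfds:
        freq *= pfd
    rrf = freq / tolerable_per_yr          # risk reduction still required
    if rrf <= 1:
        return 0, rrf                      # existing layers are sufficient
    for sil, max_rrf in ((1, 100), (2, 1_000), (3, 10_000), (4, 100_000)):
        if rrf <= max_rrf:                 # a gap under 10 is rounded up to SIL 1
            return sil, rrf
    raise ValueError("risk gap exceeds SIL 4; redesign the process")

# Constructed sample tank and frequencies (not data from the article).
TANK = Tank(mech_limit_m=20.0, area_m2=500.0, max_fill_m3_h=1500.0,
            meas_error_m=0.05)
# Safe-fill limit, used here as the automated trip setpoint (2 min to stop filling).
SAFE_FILL_M = level_with_margin(TANK, TANK.mech_limit_m, action_min=2.0)
# Independent alarm leaving the operator 10 min before the trip setpoint.
ALARM_M = level_with_margin(TANK, SAFE_FILL_M, action_min=10.0)

if __name__ == "__main__":
    print(f"trip {SAFE_FILL_M:.2f} m, alarm {ALARM_M:.2f} m")
    print(required_sil(0.1, [0.1], 2e-5))   # operator alarm credited as a layer
    print(required_sil(0.1, [], 2e-5))      # no credit for operator response
```

Removing the credit for operator response raises the requirement on the automated trip by one SIL band, which is the "excessive reliance on operators" tradeoff expressed in numbers.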
To address some similar issues, BP Oil recently contracted with Emerson Process Management to add its DeltaV SIS to BP’s tank overspill protection systems at fuel storage and distribution sites across the U.K. (Figure 1). These updated protection systems will monitor tank levels and automatically shut off feeds if levels reach a high cut-off limit. DeltaV’s SIS uses predictive diagnostics to monitor each tank’s whole safety loop, and its logic solver communicates via HART protocol with smart devices to diagnose faults before they cause spurious trips.
Performance, Tasks and Life Cycles
While process safety and risk assessment begin with qualitative judgment, they don’t stay there. The quest to improve RAs and safety inevitably leads to evaluating and measuring process performance, operator tasks and interactions with the process, and indeed the entire time span in which that process and its equipment function.
Figure 1: BP Oil is using Emerson Process Management’s DeltaV SIS for tank overspill protection systems at its U.K.-based storage facilities.
Kevin Klein, Center of Reliability Excellence (CORE) for instrumentation at Celanese Chemicals in Houston, says his firm’s RAs start with a traditional, qualitative, judgment-based process hazard analysis (PHA), but then move to include a data-driven, semi-quantitative method. “We do a hazop to identify the hazard, conduct a qualitative assessment of it, and do the semi-quantitative RA to make sure we have the right protection in place or learn what we need to add,” says Klein. “We perform these assessments routinely and continuously to check new equipment, or when we change equipment, or to reexamine existing applications every couple of years. For instance, if we have a storage tank with a flammable liquid that could auto-polymerize, we do a semi-quantitative RA to decide if it needs SIL 1, 2 or 3. A semi-quantitative study is based on numbers, and so it takes the emotion out of our decisions.”
Also, because Celanese makes regular acquisitions, Klein adds, it uses its continuous RA method to evaluate its new companies and bring them up to speed on Celanese’s safety policies. “A Yugo or a Cadillac will get you where you want to go, but we don’t want either. We just want to get in line with what everybody else in our industry is doing, and that means IEC 61511,” says Klein. “The best way to improve your own process safety is to get involved and join one of the many organizations that can answer your questions and help you get the knowledge you need. You don’t have to go it alone. I found that when I joined a process safety committee, its members were struggling with the same problems that I was. So, I was able to quiz them about their solutions, and we could compare experiences and come up with a better solution together. Sharing information and benchmarking is a very effective way to judge where you are.”