Layers of Protection in

Process Plant
NAZIR @2010
 Layers of Protection for High Reliability

Strength in Reserve
EMERGENCY RESPONSE
• BPCS - Basic process
A control
CONTAINMENT
U • Alarms - draw attention
RELIEF T • SIS - Safety interlock
O system to stop/start
SIS M equipment
ALARMS
A • Relief - Prevent excessive
T pressure
BPCS I • Containment - Prevent
O materials from reaching,
N workers, community or
environment
• Emergency Response -
evacuation, fire fighting,
health care, etc.

2
Key Concept in process Safety: REDUNDANCY

SAFETY STRENGTH IN DEPTH !

Seriousness
of event
Divert material safely
RELIEF SYSTEM

Stop the operation of part of process

SAFETY INTERLOCK
SYSTEM Four
independent
Bring unusual situation to attention protection
ALARM SYSTEM of a person in the plant layers (IPL)
In automation
BASIC PROCESS Closed-loop control to maintain process
CONTROL SYSTEM within acceptable operating region

PROCESS
3
Objectives of Process Control
1. Safety We are emphasizing
2. Environmental Protection these topics

3. Equipment Protection
4. Smooth Operation &
Production Rate
5. Product Quality
6. Profit
7. Monitoring & Diagnosis

4
 Basic Process Control System (BPCS)
• First line of defense
• Process control maintains variables at set points, which are
fixed at some desired values
• Technology - Multiple PIDs, cascade, feedforward, etc.
• Guidelines
• Always control unstable variables (Examples in flash?)
• Always control “quick” safety related variables
Stable variables that tend to change quickly (Examples?)
• Monitor variables that change very slowly
Corrosion, erosion, build up of materials
• Provide safe response to critical instrumentation failures
- But, we use instrumentation in the BPCS?
5
Where could we use BPCS in the flash process?

F1

6
 The pressure will
change quickly and
affect safety; it must
be controlled.

The level is
unstable; it must
be controlled.

F1

7
 2. Alarm System
• Alarm has an anunciator and visual indication
- No action is automated!
- require analysis by a person - A plant operator
must decide.
• Digital computer stores a record of recent alarms
• Alarms should catch sensor failures
- But, sensors are used to measure variables for
alarm checking?

8
 2. Alarm System
• Common error is to design too many alarms
- Easy to include; simple (perhaps, incorrect) fix to prevent
repeat of safety incident
- One plant had 17 alarms/h - operator acted on only 8%
• Establish and observe clear priority ranking
- HIGH = Hazard to people or equip., action required
- MEDIUM = Loss of RM, close monitoring required
- LOW = investigate when time available

9
Where could we use alarm in the Flash Process ?

F1

10
 The pressure affects
PAH
safety, add a high
alarm

A low level could

damage the pump;
a high level could
allow liquid in the
vapor line.

F1

LAH
LAL

Too much light key

could result in a large AAH
economic loss

11
 3. Safety Interlock System
• Automatic action usually stops part of plant
operation to achieve safe conditions
- Can divert flow to containment or disposal
- Can stop potentially hazardous process, e.g.,
combustion
• Capacity of the alternative process must be for
“worst case”
• SIS prevents “unusual” situations
- We must be able to start up and shut down
- Very fast “blips” might not be significant

12
 3. Safety Interlock System
• Also called emergency shutdown system (ESS)
• SIS should respond properly to instrumentation
failures
- But, instrumentation is required for SIS?
• Extreme corrective action is required and
automated
- More aggressive than process control (BPCS)
• Alarm to operator when an SIS takes action

13
 3. Safety Interlock System
• The automation strategy is usually simple, for example,

If L123 < L123min; then, reduce fuel to zero

How do we
steam automate this SIS
PC when PC is adjusting
the valve?
LC

water

fuel
14
 If L123 < L123min; then, reduce fuel to zero

LS = level switch, note that separate sensor is used

s
= solenoid valve (open/closed) fc = fail closed

steam 15 psig
PC

LC LS s s

water

fuel

fc fc

Extra valve with tight shutoff

15
 3. Interlock System
• The automation strategy may involve several variables, any one of
which could activate the SIS

If L123 < L123min; or

If T105 > T105max Shown as “box”
……. in drawing with
then, reduce fuel to zero details elsewhere

L123
T105 SIS s

….. 100

16
 3. Safety Interlock System
• The SIS saves us from hazards, but can shutdown the plant
for false reasons, e.g., instrument failure.

False Failure on
shutdown demand
T100 1 out of 1
s
must indicate
failure
Better 5 x 10-3 5 x 10-3
performance,
more expensive

T100 2 out of 3
s
T101 must indicate
T102 failure 2.5 x 10-6 2.5 x 10-6
Same variable,
multiple sensors!

17
 3. Safety Interlock System
• We desire independent protection layers, without common-
cause failures - Separate systems

SIS and Alarms associated

BPCS and Alarms with SIS

Digital control system SIS system

i/o …………. i/o i/o …………. i/o

sensors sensors

18
 KEY CONCEPT IN PROCESS SAFETY -
REDUNDANCY!
What do we do if a major incident occurs that causes
• loss of power or communication
• a computer failure (hardware or software)

SAFETY STRENGTH IN DEPTH !

Divert material safely

RELIEF SYSTEM

SAFETY INTERLOCK
Stop the operation of part of process These layers require
SYSTEM electrical power, computing,
Bring unusual situation to attention communication, etc.
ALARM SYSTEM of a person in the plant

BASIC PROCESS Could these all fail due to a

Closed-loop control to maintain process
CONTROL SYSTEM within acceptable operating region common fault?

PROCESS
19
 4. Safety Relief System
• Entirely self-contained, no external power required
• The action is automatic - does not require a person
• Usually, goal is to achieve reasonable pressure
- Prevent high (over-) pressure
- Prevent low (under-) pressure
• The capacity should be for the “worst case”
scenario

20
 RELIEF SYSTEMS IN PROCESS PLANTS

• Increase in pressure can lead to rupture of vessel or pipe

and release of toxic or flammable material
•
• - Also, we must protect against unexpected vacuum!

• Naturally, best to prevent the pressure increase

• - large disturbances, equipment failure, human error, power

failure, ...

• Relief systems provide an exit path for fluid

• Benefits: safety, environmental protection, equipment

protection, reduced insurance, compliance with governmental
code

21
Location of Relief System
Identify potential for damage due to high (or low) pressure
(HAZOP Study)

In general, closed volume with ANY potential for pressure

increase

- may have exit path that should not be closed but could be
- hand valve, control valve (even fail open), blockage of line

Remember, this is the last resort, when all other safety

systems have not been adequate and a fast response is
required!

22
 Standard Relief Method: Valves
BASIC PRINCIPLE: No external power required -
self actuating - pressure of process provides needed force!

VALVES - close when pressure returns to acceptable value

- Relief Valve - liquid systems
- Safety Valve - gas and vapor systems including steam
- Safety Relief Valve - liquid and/or vapor systems

Pressure of protected
system can exceed
the set pressure.

23
 Standard Relief Method: Rupture Disk

BASIC PRINCIPLE: No external power required -

self acting

RUPTURE DISKS OR BURST DIAPHRAGMS -

must be replaced after opening
.

24
 Relief Valves
Two types of designs determine influence of pressure immediately
after the valve
- Conventional Valve -pressure after the valve affects the valve lift
and opening
- Balanced Valve - pressure after the valve does not affect the valve
lift and opening

Conventional Balanced

25
 Some Information about Relief Valves
ADVANTAGES

- simple, low cost and many commercial designs

available
- regain normal process operation rapidly because
the valve closes when pressure decreases below set
value

DISADVANTAGES

- can leak after once being open (O-ring reduces)

- not for very high pressures (20,000 psi)
- if oversized, can lead to damage and failure (do
not be too conservative; the very large valve is not
the safest!) 26
Rupture Disk/Burst Diaphragm
ADVANTAGES
- no leakage until the burst
- rapid release of potentially large volumes
- high pressure applications
- corrosion leads to failure, which is safe
- materials can be slurries, viscous, and
sticky

DISADVANTAGES
- must shutdown the process to replace
- greater loss of material through relief
- poorer accuracy of relief pressure the
valve

27
 Symbols used in P&I D

• Spring-loaded safety relief valve

To effluent handling

Process

• Rupture disc

Process To effluent handling

28
Add Relief to the Following System

F1

29
Add Relief to the Following System
The drum can be isolated
with the control valves;
pressure relief is required.
We would like to recover
without shutdown; we
select a relief valve.

F1

30
Add Relief to the Following System

Positive
displacement
pump

31
Add Relief to the Following System

The positive displacement pump

will be damaged if the flow is
Positive stopped; we need to provide
displacement relief.
pump We would like to recover without
shutdown; we select a relief
valve.

32
Add Relief to the Following System

Why are all

those valves
in the process?

33
Add Relief to the Following System

The extra “hand”`valves

enable us to isolate and
remove the heat
exchanger without
stopping the process.
The shell side of the heat
exchanger can be isolated;
we need to provide relief.
We would like to recover
without shutdown; we
select a relief valve.

34
In some cases, relief and diaphragm are used in series –
WHY?
• What is the advantage
of two in series?
• Why not have two relief
valves (diaphragms) in
series?

Why is the pressure

indicator provided?
Is it local or remotely
displayed? Why?

35
In some cases, relief and diaphragm are used
in series – WHY?
Why is the pressure
indicator provided?
If the pressure increases,
the disk has a leak and
should be replaced.
Is it local or remotely
displayed? Why?
The display is local to
reduce cost, because we
do not have to respond
• What is the advantage immediately to a failed
of two in series? disk - the situation is not
hazardous.
The disc protects the
valve from corrosive or
sticky material. The
valve closes when the
pressure returns below
the set value.

36
Vents required to control or direct
vapour/dust explosion effect

Structure vent closed

Structure

explosion

37
 Materials from relief must be process or dispose safely

To environment Vent steam, air

Holding for later processing Waste water treating

From
relief

Recycle to process Fuel gas, fuel oil,

solvent

Recover part to process

Immediate neutralization Flare, toxic materials

38
 5. Containment
• Use to moderate the impact of spill or an
escape
• Example
– Bund containment for storage tanks
– Location of relief valves and vents
– diversion to temporary storage /drain system
(following breakage of rupture disk)
– Safety management in containment areas.
– Containment building (if applicable)
 6. Emergency Response Management

• Also used to moderate impact on incidents

• All plants should ERP (emergency
response plan)
– Assembly, head-counts, evacuation etc…
 Summary
EMERGENCY RESPONSE 1. Inherent design starts at project
conceptualization
CONTAINMENT 2. Three main strategy
• Substitution
RELIEF • Intensification
• Attenuation
SIS
3. Six Layers of Protection
ALARMS

BPCS