Pilot Plant and Laboratory Unit Safety Systems Part I

Safety systems, also called safety shut down systems, safety interlock systems, protective systems or alarm systems, are an integral part of the overall safety of a pilot plant or laboratory unit. They represent the instrumentation and wiring intended to respond in a predetermined manner to a given event or failure. This area covers a broad range and shares many similarities with traditional plant concerns; indeed, many of the issues, problems and solutions are directly transferable between laboratory, pilot plant and plant scale except for the number of interlocks, trips or units involved. Nevertheless, unlike a plant, a pilot plant and laboratory research unit may receive a significantly less thorough and/or rigorous analysis of its safety systems. This can lead to an unsafe condition or at least the potential for a serious fault later.


This paper does not attempt to make the reader an expert in this complex area. Rather it will try to identify some of the most common and some of the more overlooked concerns of interest to pilot plant and laboratory research operations. It will try to explain some of these concerns to those with less experience in the area and identify the more frequently implemented solutions.

General Considerations

The safety system design is directly related to the hazard analysis performed on the unit or equipment and the failure prevention philosophy of the organization. A failure is only addressed if identified. Hence, if the hazard analysis misses the potential problem or draws the wrong conclusion about what will happen or what preventive measure is required, then the safety system will not correct the problem. Similarly, the safety system will respond in a way that mirrors the failure prevention philosophy of the organization which performed the hazard analysis. If a small fire is considered acceptable, the safety system may not take any action in the event of a small spill or leak. If no fire is considered acceptable, the safety system may act to shut down all operations immediately. These two facts are important when evaluating a safety system's performance. No two systems will ever look exactly the same or be constructed the same unless the two organizations share a common philosophy and hazard analysis methodology.

Typical safety systems are a mixture of several elements. The first element is not a part of the physical system but is nevertheless an integral part of the overall system. It is the operational and/or procedural safeguards the organization implements to protect its personnel. Ideally almost all hazards can be prevented by some combination of these safeguards; practically speaking these are the weakest element in most systems as they rely on personnel following the procedures and operational restrictions faithfully. In addition to the element of human fallibility and unreliability, many such safeguards are difficult to implement effectively. A procedure that calls for an operator to constantly monitor, for extended periods, a reactor temperature that can change rapidly invites the operator's attention to wander. Continuous operator monitoring of a mixture of flammable gases and air at high temperature to keep the concentration below the lower explosive limit may not allow the operator sufficient time to recognize the problem and react before an accident occurs. The need to confirm that multiple conditions are established before starting a piece of equipment leads to errors. For these reasons, most organizations prefer to limit the types of safeguards implemented purely by procedural and/or operational restrictions, typically keeping them to the least dangerous and slowest developing hazards with the least hazardous potential consequences.

The second part of any safety system is the process design safeguards included as part of the operation. These range from feedstock limitations, such as using mixtures below the lower explosive limit, through fail safe process design, such as selecting a process route in which the reaction slows as the mixture heats itself and so inherently limits the potential for thermal runaways, to numerous other approaches. This element, while usually the safest and most effective safeguard, is often not a viable option for process reasons. Hence, while desirable, it is usually the least often available.

Passive secondary safety measures are another integral part of the safety system. These may include such measures as barricades (to protect personnel from fires or explosions), high area ventilation (to minimize the buildup of potentially dangerous concentrations of toxic or flammable gases) and higher area electrical classification (to minimize the chance of an ignition source), among many others. Passive secondary safety measures are usually not a major part of most safety systems as they are somewhat riskier to rely upon exclusively. When intended as the primary part of a safety system, a primary failure, such as a leak or explosion, would have to be allowed to occur, and all the protective ability of the safety system would rest on the ability of the passive system to respond quickly and effectively enough to prevent operator injury or major facility damage. The uncertainties inherent in any failure always raise the potential that the passive secondary measures will not prove adequate. Hence passive measures are usually used as part of, but rarely as the primary part of, an overall safety system.

The next component of the safety system is the control system design and operation. The control system is intended to keep the process within predetermined and - presumably - safe limits. When it is working effectively, no process hazard should be able to develop. The control system may be simple, an operator monitoring a flow meter and adjusting a valve, or complex, a distributed control system involving several levels of computers and numerous loops and sequences. No matter how simple or complex the system, however, there are usually numerous conditions which can arise in which the control system will be unable to keep the process within the predetermined safe limits. Typical examples include inappropriate tuning, equipment failures, poor control action, a response required which was not envisioned as part of the control system, an unexpected demand on the capacity of part of the control system and numerous other conditions. Hence relying solely on the control system to maintain the process within safe limits is dangerous. Indeed, paradoxically, the more complex and sophisticated the control system, the higher the potential that part of it will fail when required.

Finally, the last part of a safety system is the safety shut down or interlock system design and operation. This is a combination of alarms and devices intended to operate independently of the control system. Typically, these systems function in one of three modes.


o As an over watch system, monitoring the process independent of the control system and actuating when a predetermined limit is reached. This limit is usually outside the desired control range indicating the control system is unable to compensate.

o As a passive system, preventing a device from operating unless a series of conditions are satisfied indicating it is safe to proceed.

o As an active system, intervening in the operation if a given combination of conditions indicating a potential hazard has arisen.

Most safety shut down systems operate in a combination of all three modes.
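The three modes above, and the fail-safe (de-energize-to-trip) behaviour discussed later in the paper, can be expressed as a small interlock model. This is an added illustration, not code from the article; the tag names (TI-101, AI-201), limits and conditions are constructed, and the controller's setpoint is deliberately not an input so the trip logic stays independent of the control system.

```python
"""Toy interlock model: permissive (passive), over watch and active trips.
Constructed example; tag names and limits are made up for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Reading:
    value: Optional[float]   # None = signal lost (open circuit, dead sensor)
    powered: bool = True     # False = the device has lost its supply


# Trip limits sit outside the normal control range, so a trip means the
# controller has failed to hold the process, not that it is doing its job.
CONTROL_RANGE_C = (150.0, 170.0)   # what the controller is expected to hold
TEMP_TRIP_C = 185.0                # over watch trip, above the control band
LEL_TRIP_PCT = 50.0                # active trip: % of lower explosive limit


def permissive_to_start(cooling_flow_ok: Reading, vent_open: Reading,
                        barricade_closed: Reading) -> bool:
    """Passive mode: the device may only start when every condition is proven.
    A lost or unpowered signal counts as 'not proven', never as 'OK'."""
    for r in (cooling_flow_ok, vent_open, barricade_closed):
        if not r.powered or r.value is None or r.value < 0.5:
            return False
    return True


def safety_output(temp: Reading, lel: Reading, heater_on: bool,
                  safety_supply_ok: bool) -> dict:
    """State of the trip output. energized=True means 'permit run'; every
    abnormal condition de-energizes it, so the failure direction is safe.
    `reason` is an empty string when no trip is active."""
    if not safety_supply_ok:
        # Loss of the whole safety system supply shuts the entire unit down.
        return {"energized": False, "reason": "safety system power lost"}
    for name, r in (("TI-101", temp), ("AI-201", lel)):
        if not r.powered or r.value is None:
            # A partially working safety system is not trusted: trip on any
            # lost signal rather than continue with unknown coverage.
            return {"energized": False, "reason": f"{name} signal lost"}
    if temp.value >= TEMP_TRIP_C:
        # Over watch mode: independent high-temperature trip.
        return {"energized": False, "reason": "high temperature"}
    if heater_on and lel.value >= LEL_TRIP_PCT:
        # Active mode: a combination of conditions that indicates a hazard.
        return {"energized": False, "reason": "flammables high with heater on"}
    return {"energized": True, "reason": ""}
```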

Safety systems try to protect against safety related accidents such as personnel injury; they may also try to prevent damage to equipment and/or facilities, environmental releases and undesirable process occurrences. Other purposes may be integrated into the safety system, such as attempts to maximize operational efficiency by minimizing downtime, maximizing productivity or improving overall operating effectiveness. It is important to recognize the wide range of potential concerns which can - and usually will - be included. The level of uncertainty acceptable in the safety system's performance may differ depending on the purpose. The safety system must be as close to perfect as possible to protect personnel, but a significantly less effective system may be acceptable if its only purpose is to limit unit down time.

Control Systems Versus Safety Systems

Control systems are designed to correct a process variable when it deviates from set point and keep it within a predetermined limit. A properly designed control system is also designed to prevent the process from going out of control due to a single component failure.

A safety system is designed to prevent - or at least minimize - safety, environmental and operational incidents. It is usually called upon to function when the control system fails to keep the process within the predetermined limits, but may also be designed to ensure a safe condition exists before allowing an action - such as running a pump - to start or continue. A safety system should initiate a predictable set of operations when certain process limits are exceeded, certain predetermined conditions exist or arise, power is lost or components fail individually or in series. The safety system must be able to override the process control system in an emergency; it also usually is designed to override many or all of the operators' actions. Most pilot plant and laboratory safety systems are relatively simple, single level systems which take action when a given set of conditions arises independent of the operating personnel. Many plant safety systems are multiple level systems which first alert the operating personnel to a developing problem and take action only when their response has proven to be ineffective in containing or correcting the problem. Some systems for both applications alert the operating personnel but can be routinely overridden if desired by the operators. In this case the safety system takes action only by default, when the operating personnel choose to let it. These safety systems are rare and significantly less effective than the other approaches because of the potential for human error.

All safety systems should be independent of the process control system, as they are most likely to be needed when the control system is in trouble. (Trouble may involve a control system failure or problem, or a process upset beyond the ability of the control system to handle.) Hence shared components or functions would be the least likely to be available. The safety system should be fail-safe, i.e. it should fail in a safe or de-energized condition; this may not always be possible to include in a control system.

Control and safety systems were easily separated for many years when they were each based on separate devices. The only real concern was usually to evaluate the sensing devices, typically thermocouples, RTDs and transmitters, to confirm they were separate for each function or, if shared, did not pose an unacceptable risk. With the advent of computer and microprocessor based controllers, the separation has become less straightforward. It has also become more expensive, as a separate device may now be required when the function could be provided by the primary controller at little or no extra cost. Hence a large impetus has arisen to ignore or at least compromise the independence of the two systems. This can lead to very hazardous conditions as discussed above.

Fail-Safe Design

Fail safe design starts with a good hazard analysis which identifies all the potential failure modes involved in the process and also looks at the failure modes of the control and safety systems. In general, fail safe design requires that all systems fail to their lowest energy state. While the principle is straightforward, some analysis is required. A cooling loop, intended to lower a large reactor's bulk temperature to prevent the chance of a thermal runaway, should fail to a seemingly higher energy state (full cooling flow) to ensure the primary device, the reactor, fails to its lowest energy state. Similarly, while a flow loop of a flammable feedstock should fail closed, to shut off the flow of the hazardous feed, the pressure control loop should typically fail open to vent the system.

Whenever possible, the control system should assist the overall fail safe design by driving the final actuator in the fail-safe direction in the event of a power loss. This prevents unsafe conditions from developing due to a loss of power caused by external events or by another failure, such as fire or explosion, on the unit.

All components that comprise the safety system should have the same power supply. This is designed to prevent a power failure in part of the unit from disabling part of the safety system. Contrary to what might seem obvious, a partially powered safety system is usually more dangerous than no safety system at all. Loss of part of the safety system may do any number of things, many of which will prove difficult to predict reliably. Loss of the entire safety system should shut down the entire unit. All instrumentation not part of the safety system should be powered separately but remain energized in an emergency to provide the operating personnel with information as to the system's condition.

System Reliability

A safety system's reliability is a key issue in evaluating its effectiveness. In most pilot plant and laboratory research operations, the safety system will operate for extended periods without being called upon to function. This can breed a false sense of security. Safety systems are only as reliable as their weakest link. Figure [7.1] shows a very simple system and its associated safety system. Typical figures for the reliability of each element are also given. As can be seen, the overall reliability of the system is considerably less than that of the individual elements. We inherently understand this concept when we know that more complex systems are more likely to fail than simple systems. They literally have more things which can break and hence more chances to fail.
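The weakest-link point can be made concrete for a simple series loop (sensor, wiring, trip relay, final element), where every element must work for the trip to occur, so the element reliabilities multiply. This is an added calculation, not the article's Figure 7.1; the reliability figures below are constructed, not the figure's values.

```python
"""Series reliability of a simple safety loop and where its weakness lies.
Reliability here means the probability the element works when called upon.
Constructed figures for illustration only."""
from math import prod

ELEMENTS = {
    "pressure switch (field)": 0.97,
    "wiring / terminations": 0.99,
    "trip relay": 0.995,
    "solenoid valve (field)": 0.96,
}


def loop_reliability(elements: dict) -> float:
    """Every element must function for the loop to trip, so the loop
    reliability is the product of the element reliabilities and is
    always lower than the least reliable element."""
    return prod(elements.values())


def weakest_link(elements: dict) -> str:
    """Name of the least reliable element in the loop."""
    return min(elements, key=elements.get)


def gain_if_perfect(elements: dict) -> dict:
    """Improvement in loop reliability if each element, one at a time,
    were made perfectly reliable. Tells you where inspection and
    selection effort buys the most, which for the figures above is the
    field devices, matching the paper's observation about field components."""
    base = loop_reliability(elements)
    return {
        name: prod(r for n, r in elements.items() if n != name) - base
        for name in elements
    }


def field_share_of_unreliability(elements: dict) -> float:
    """Fraction of the loop's unreliability (1 - reliability) that disappears
    when only the field-tagged elements are assumed perfect."""
    base = 1.0 - loop_reliability(elements)
    non_field = {n: r for n, r in elements.items() if "(field)" not in n}
    return (base - (1.0 - loop_reliability(non_field))) / base
```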

 More than 80% of all failures in safety systems are in the field components. This suggests that these components are an area that must be most carefully evaluated when trying to ensure a safety system will perform satisfactorily. To ensure they function effectively three key elements should be evaluated.

 First, the field device should be carefully matched to the intended service. Not only must the temperature and pressure ratings be adequate but the device must be able to function effectively in the ambient operating conditions of temperature and humidity; these may have a wide latitude if the installation is in an exterior location. Other external influences must be evaluated such as the potential for exposure to rain, snow, hail, etc., the likelihood of wash-down, the probability for physical abuse, the potential for internal condensation and numerous other adverse effects on the device. The effectiveness of the device with respect to the process must also be evaluated. Is it likely to clog? Is a diaphragm likely to be pierced? Are the electronics likely to be overheated? Is corrosion a concern?

 Second, the device should be the simplest one which can do the job envisioned. As with systems, simple field devices are inherently more reliable than complex ones. A device with a single moving part such as a spring or diaphragm is generally inherently more reliable than one with a dozen.

Finally, regular checks of all field sensors are a key to the reliability of the entire safety system. These checks must be appropriate to the device. They must include all the devices in the safety system, not just those viewed as most likely to fail. The checks must be performed on a routine basis, with the interval dependent on the devices and the process. Weekly to annual checks are common, with quarterly checks the norm for most pilot plant and laboratory research operations.

Field devices are generally classified as either electro-mechanical, involving a combination of electrical components and mechanical systems, or solid state, involving electronic systems only. Solid state systems are widely touted as being more reliable as they have no moving parts. Electro-mechanical systems are, however, usually considered fail-safe as the mechanical component, typically a spring, can be counted on to force the device to a given - usually de-energized - state upon failure. Hence the failure modes are well known and understood. A standard relay or snap action pressure switch is a good example of an electro-mechanical device. A solid state device, while less likely to fail, can fail in any state: open, closed or somewhere in between. Despite some vendor claims, these failure modes are essentially unpredictable. Hence the overall reliability of a solid state device usually is less than for an electro-mechanical one. This is aggravated by the increased reliance on programmable systems for part or all of a safety system. These systems commonly use solid state devices, typically solid state relays, exclusively. They are also software driven, and the combination renders their failure modes inherently unpredictable. The solid state device can fail unpredictably, other components of the device may fail, the software is also liable to failure in a variety of ways and the combination, even if it works flawlessly, can be programmed incorrectly. While the overall reliability of solid state programmable devices such as programmable logic controllers is excellent, their use as the final line of defense in a safety system carries significant inherent risk. Hence, for the highest level of safety, field devices should be electro-mechanical whenever possible. If not, the consequences of a failure of a solid state component or a programmable element must be carefully evaluated. This will be discussed further later in this chapter.

Another part of a safety system's reliability is the potential for any part of the safety system being bypassed. Bypassing or overriding a safety system is the same as taking it out of service. Bypass of safety systems should be carefully controlled and limited to only the most mandatory requirements. Automatic bypass/automatic re-engage circuits are safer than manual bypass circuits as they do not rely on the operating personnel to re-engage the safety system; rather these systems do so automatically when a predetermined set of conditions is established or a given time interval has passed. It is important to carefully evaluate any potential bypasses - both deliberate and inadvertent - when evaluating overall system reliability.

I will discuss other issues in Part II.

Michael Felzien

Consulting Engineer | Chemical Engineering


Richard, I believe I agree in that safety systems need to be considered earlier on in the project development phase. But many of these details aren't started until the P&IDs are issued for design, and the safety analysis has been completed (by another company), LOPA and nodes are chosen, safety envelopes are determined and then SIF items or ESDs are added to the P&IDs. How would you propose discussing details in a preliminary manner, when those details are not clear? Pilot plant design isn't usually concerned with this detail. However, gross items like unit op sequencing could aid in the safety features. Just wondering what you think on this. I enjoy your writing also. Respectfully Yours, Michael Felzien
