H - Protection & Controls

Upload: nguyentruong

Post on 07-Aug-2018


  • 8/20/2019 H - Protection & Controls


    Designing in Engineering Risk Controls?

    H - Engineering Controls

    HAZARD ELIMINATION is better than

    PREVENTION is better than

    CONTROL is better than

    MITIGATION is better than

    EMERGENCY RESPONSE

    Inherently Safer Design Philosophy

    PASSIVE controls are more reliable than

    ACTIVE controls are more reliable than

    OPERATIONAL or PROCEDURAL controls.

    AND

    Prevent/Control/Mitigation Systems

    • Keep equipment within safe operating limits

    – Operational controls

    – Alarms

    – Trips

    • Minimize escalation by Containment > Isolation > Survival > Relieving

    [Figure: barrier diagram. Labels: HAZARD, PREVENTION BARRIERS, TOP EVENT, CONTROL - MITIGATION / ESCALATION BARRIERS, CONSEQUENCE]


    • Overpressure protection

    • Protective instrumentation to alert/alarm/control

    • Devices to maintain Safe Operating Limits

    • Ignition prevention measures

    • Fire/gas detection, alarms

    • Emergency shutdown, isolation, and flare

    • Fire protection

    • Evacuation/survival equipment

    Class 1 Div. 1

    Prevent/Control/Mitigation Systems

    TO FLARE

    Emergency Isolation Valves

    1. Provide isolation between different hazards within a system.

    2. Quickly interrupt flow through a system or prevent gross movement of hazardous material into an exposed location.

    3. Block in specific pieces of hardware that may be involved in an incident.

    4. Cause an orderly shutdown of equipment.

    EIVs are typically actuated into the closed position.

    Process Control

    • Measure all significant variables.

    • Control those variables which have the greatest influence on the process.

    Control Hazards

    • Determine independent and dependent variables.

    • Evaluate relative sensitivities.

    • Alarm flood.

    • Consider prevalent failure modes in system design, instrumentation, hardware including human error.

    Instrumentation & Control


    • Incorrect sensing

    • Contamination of process stream

    • Inaccurate readings

    • Wrong response

    • Delayed response

    • Wrong sensor location

    • Defective actuator

    • Plugged or restricted impulse line

    • Process upset outside range of specified control loop.

    • Control valve failure


    Common Control Problems

    PSVs: Last overpressure barrier

    Process alarms/trips: The first barriers


    [Figure labels: Plant Area; Well Fluids; Separator; Gas; Oil; Water; ESD Valve; High Pressure Sensor; Mechanical Relief Valve to Flare; Shutdown System Logic Solver; Control Room; Operator Interface]

    Safety Instrumented System

    • IEC 61508 (ISA S84.01) requires all critical instruments to demonstrate level of integrity required in design.

    • Analyze the reliability of the safety instrumented function as an overall system

    • Each instrument loop must be individually analyzed to determine how and when failures might occur.

    • Required reliability may be achieved through redundancy, increased testing, use of PLCs

    Safety Instrumented Systems

    SAFETY INTEGRITY LEVEL *    PROBABILITY OF THE SYSTEM FAILING ON DEMAND (PFD)
    SIL-1                       10^-1 to 10^-2
    SIL-2                       10^-2 to 10^-3
    SIL-3                       10^-3 to 10^-4

    * SIL performance can be improved by the addition of redundancy, more frequent testing, use of diagnostic fault detection, diverse sensors and control element selection.

    Safety Integrity Level - SIL
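
The footnote's claim that redundancy and more frequent testing improve SIL performance, worked through as an added example that is not part of the original slides. It assumes the widely used simplified low-demand approximations PFDavg = lambda_DU x TI / 2 for a single channel and ((1 - beta) x lambda_DU x TI)^2 / 3 + beta x lambda_DU x TI / 2 for a 1oo2 pair; the failure rate, test intervals and beta are constructed values.

```python
"""Added example: PFDavg against the SIL bands in the table above (low-demand mode)."""

# SIL bands exactly as given in the slide's table: (name, upper PFD, lower PFD).
SIL_BANDS = [("SIL-1", 1e-1, 1e-2), ("SIL-2", 1e-2, 1e-3), ("SIL-3", 1e-3, 1e-4)]
HOURS_PER_YEAR = 8760


def sil_band(pfd):
    """Return the SIL band a PFD falls in, or None if it is outside the table."""
    for name, upper, lower in SIL_BANDS:
        if lower <= pfd < upper:
            return name
    return None


def pfd_1oo1(lambda_du, test_interval_h):
    """Single channel: average PFD over one proof-test interval (assumed formula)."""
    return lambda_du * test_interval_h / 2


def pfd_1oo2(lambda_du, test_interval_h, beta=0.0):
    """Two redundant channels, either one can trip (1oo2), assumed formula.

    beta is the fraction of dangerous failures with a common cause that
    defeats both channels at once; that part behaves like a single channel.
    """
    independent = ((1 - beta) * lambda_du * test_interval_h) ** 2 / 3
    common_cause = beta * lambda_du * test_interval_h / 2
    return independent + common_cause


def compare(lambda_du):
    """PFDavg and SIL band for the improvement options named in the footnote."""
    options = {
        "1oo1, test every 2 years": pfd_1oo1(lambda_du, 2 * HOURS_PER_YEAR),
        "1oo1, test every year": pfd_1oo1(lambda_du, HOURS_PER_YEAR),
        "1oo2, yearly, beta=0": pfd_1oo2(lambda_du, HOURS_PER_YEAR),
        "1oo2, yearly, beta=0.1": pfd_1oo2(lambda_du, HOURS_PER_YEAR, beta=0.1),
    }
    return {name: (pfd, sil_band(pfd)) for name, pfd in options.items()}


if __name__ == "__main__":
    # Constructed sample value: 2e-6 dangerous undetected failures per hour.
    for name, (pfd, band) in compare(2e-6).items():
        print(f"{name:26s} PFDavg={pfd:.2e}  {band}")
```

With these constructed numbers the common-cause term alone is about nine times the independent term, which is why the footnote lists diverse sensors alongside redundancy.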


    • Gas detection is used to determine the presence of undesired vapors and gases at some specified concentration.

    • Used to support some action or decision.

    • Sensor needs to be located where gas is most likely to accumulate.

    Gas Detection

    WHAT WE KNOW

    Concentration of test gas at point of measurement at specific time.

    WHAT WE DON’T KNOW

    1. How much gas is present.

    2. How far the gas cloud extends.

    3. Concentration profile within the cloud.

    4. What other gases are present.

    5. How fast the gas is moving.

    Gas Detection – interpretation of results

    • Conduct a Fire Hazard Analysis to understand residual risk that warrants fire protection

    – Type of fire, size, duration

    Fire Protection

    • Fireproofing on structural and process equipment (2-4 hr) and 30 minutes on critical E&I systems.


    • Fire water pump, supply, and delivery systems

    – Fire hydrants and monitors

    – Deluge protection in critical areas such as pump bays.

    – Sprinkler systems

    – Foam Systems

    – Carbon dioxide systems

    Fire Protection

    Safety Critical Equipment

    • Define what equipment is “Safety Critical”

    – What % of all equipment?

    • Define what maintenance and testing regime is required for “Safety Critical Equipment”

    – SCE needs to work when you want it to

    Safety critical equipment (SCE)

    • Equipment that has the greatest influence on the safety of:

    – People

    – Environment

    – Integrity of equipment

    • Identifies equipment that is most critical to the management of major accident hazards

    • Allows management to optimise maintenance and inspection of equipment to manage MARs

    • Recorded in registers that include performance standards


    Critical equipment assessments

    In general, static equipment, e.g. hydrocarbon duty piping, is not considered SCE unless there is a reasonable expectation that the equipment might fail in service, e.g. due to corrosion

    “80-20” Rule Equipment-Risk Distribution

    Safety-Related Devices (pressure)

    • Maintain Equipment in Design Envelope

    – Relief valves

    – Bursting discs

    – Vacuum breakers

    – Restriction orifices

    – Flame arrestors

    – High integrity protective systems

    – Check valves

    – Flow-limiting control valves

    – Fire resistant insulation

    [Figure labels: Full Equipment Inventory; Safety Critical Equipment List]


    Evacuation / Survival equipment is SCE

    How do you ensure you get what you want?

    Safe Plant?

    Codes, Standards, ETPs

    Design reviews

    Eng and Tech Authorities

    Approved contractors/vendors

    Certification / Handover

    BP Capital Value Process

    Design and Construction Assurance

    How do you ensure you get what you want?


    Capital Value Process

    [Figure: Capital Value Process stages separated by DSP Gates: APPRAISE, SELECT, DEFINE, EXECUTE, OPERATE. Other labels: Front End Loading; Main Project CVP Staged deliverables]

    Staged deliverables:

    • Determine project feasibility and alignment with business strategy

    • Select the preferred project option(s)

    • Finalize project scope, cost and schedule and get project funded

    • Produce an operating asset consistent with scope, cost and schedule

    • Evaluate asset to ensure performance to specifications and maximum return to the shareholders

    [Figure: timeline across YEAR 1, YEAR 2, YEAR 3. Labels: CONCEPTUAL WHAT IF; TECHNOLOGY SAFETY REVIEWS; TECHNOLOGY SCREENING STUDIES; PFD DEVELOPMENT; PLOT PLAN REVIEW; CONSEQUENCE MODELING; INHERENT SAFETY REVIEWS; FIRE CODES; FIRE PROTECTION REVIEWS; ENGINEERING QUALITY REVIEWS; H&M BALANCES; PRODUCTION MODELING; WHAT IF ANALYSIS; HAZOPS; PRE-STARTUP SAFETY REVIEWS; REVIEW OF PROCESS SAFETY CONCEPTS; REVIEW OF SPEC DEVIATIONS; SCENARIO PLANNING; LOPA; RE-VISIT FACILITY SITING]

    Safety Reviews in Projects

    What is a PHSSER?

    Project Health, Safety, Security and Environment Review

    • Seven reviews matching key gates of Project development

    • Face-to-face discussion with project/contractor/operations personnel

    • Focuses only on HSSE issues not schedule and cost

    • Team of independent, experienced specialists

    • Reports findings and recommendations to client and project

    ETP GP 48-01 HSSE Review of Projects


    PHSSER Alignment with CVP

    [Figure: the Capital Value Process stage diagram (APPRAISE, SELECT, DEFINE, EXECUTE, OPERATE, separated by DSP Gates) with HSSE Review Requirements overlaid: Appraise PHSSER; Select PHSSER; Pre-Sanction PHSSER; Detailed Engineering PHSSER; Construction PHSSER; Pre-Startup PHSSER; Operate PHSSER]

    BP Grangemouth - UK

    Case History – CH9

    Case History 9-Grangemouth Power

    1999 – BP Grangemouth Refinery, UK

    • New 33kV Sub Station in main power feed

    • Sub Station commissioning in stages

    • Full power tripped new Sub Station

    • Site not able to recover and almost the entire site experienced an electrical shutdown.


    The Incident

    What Happened

    • Two wires in the protection circuit were interchanged.

    • Full Over-current protection testing not completed.

    • Protection coped when first half board commissioned

    • Protection tripped after second half board was switched in and took full power.

    • Site not able to recover and almost the entire site experienced an electrical shutdown.

    Major Lessons Learned

    • Be sure you have tested all functionality before commissioning

    • Reviews may not catch everything.

    Pre-startup Safety Reviews

    Process Safety Audit


    All Trip Checks have been tested???

    Grangemouth July 1999

    Incomplete 33kV Breaker Tests

    Complex Shutdown