Safety in Process Plant Design

C:\My Documents\Article for Hydrocarbon Engineering.doc

Article for Hydrocarbon Engineering - July 2000

SAFER SAFETY

HUGH WAKELING OF FOSTER WHEELER ENERGY LIMITED, UK, EXPLAINS HOW SAFETY IN DESIGN CAN IMPROVE SAFETY IN FOUR NEW AREAS.

A Brief Look Back:

For a number of years Safety in Design has included the following now traditional features:

• The invention of the HAZOP Study was a clear milestone in the establishment of a strategy for safety in design. It was rapidly discovered that the thorough and systematic application of this technique could make a substantial improvement to the safety of plant operation. It has also become an invaluable tool for assessing the safety and operability of new designs. It is still an excellent way to analyse the safety of plant design if carried out in a proper manner. To make a HAZOP effective the Chairman needs training, experience and a particular set of skills.

• ‘Inherent Safety’ is a second key to safety in design. This is different from intrinsic safety, which relates to special electrical equipment provided to work in potentially hazardous areas. Inherent safety involves, for instance, the provision of equipment that cannot be overpressured, because it has such a high design pressure, or using water as a cooling medium instead of a flammable oil, as water cannot be set alight. There are in fact a large number of techniques that can be used, including using smaller inventories of toxic or flammable materials, and using a catalyst to reduce operating temperatures, but the reader needs to refer to the references at the end of this article for a full explanation of this topic.

• A time-related set of design reviews is the third key to safety in design. The HAZOP Study is an excellent review, but it only looks for certain kinds of hazards, at a particular stage of the design. One or two reviews should take place well before the HAZOP Study, and other reviews are required later in the design process. These include constructability reviews and plot plan reviews, which focus on layout problems, and the model review, which looks at how everything fits together when they are all shown on the same projection. For a comprehensive set of hazard identification reviews see the references at the end of this article.

• Finally, it has been recognised for a long time that the carrying out of the HAZOP Studies and the other reviews is only half the story. It is one thing to carry out the reviews; it is another thing to ensure that the actions raised are faithfully implemented into the design.

All the above items, which could be explained in much more detail, are well known, and form the tradition of Safety in Design, as expounded for instance in the Energy Industries Council’s book, Guide to Engineering Safety Reviews and Audits for Process Plant Contractors.

[Figure: Typical Pump Skid (four Motor / Pump / Filter sets mounted in a row) compared with a Better Pump Skid Layout (one set along each edge of the skid)]

Traditional Safety in Design          New Safety in Design
• HAZOP Studies                       • Ergonomics (or Human Factors)
• Inherent Safety                     • Emergency Shutdown Systems
• Other Safety Reviews                • Better Construction Safety
• Implementing the Actions            • Safer Plant Startup

New developments in Safety in Design:

Now there is a new generation of techniques which widen the scope of Safety in Design and are able to bring improved operational safety to four new areas:

1. Ergonomics or Human Factors

The way we design facilities has now to take into account the size of the men and women who will operate and maintain the plant. In Singapore a significant part of the work force may be women who are small in stature. One project thought they were doing a good thing when they designed a Singapore plant for the ‘typical European man’. These days international contractors need to have the ability to recognise the height and the horizontal reach of the intended workforce.

Designing for safer maintenance means that we must not allow compressor manufacturers to provide the skid with the seal oil and lube oil pumps mounted all in a row. One possible improvement is to have the skid with the four pumps mounted along the four edges of the skid. The hazard we are trying to avoid is to require the person maintaining the spare lube oil, or spare seal oil pump, to have to lean across an operating pump to reach the spare pump.

[Figure: Two possible layouts for a skid containing four sets of filters, pumps and motors]

Another aspect of ergonomics is to recognise very early on in the design process the number of the operators and the level of their education. In some parts of the world labour is cheap and there are likely to be a significant number of operators. In other parts minimum manning levels are the key to profitable operation, and the design must be honed to reduce the number of activities that need to be carried out inside and outside the control room. Under these circumstances it can help to design the plant layout so that the few items of equipment that need to be visited regularly by an operator are located so as to minimise the distance travelled by the operator, or at least to ensure that the number of stairs, or ladders, that he has to climb are kept to a minimum.

[Figure: SIL pyramid. SIL 4: High Integrity Protective System (HIPS). SIL 3, SIL 2, SIL 1: these three SILs require different designs of instrument and control systems to provide the SIL required. No SIL required: Distributed Control System (DCS)]

Ergonomics really comes into its own in the design of the Control Room, where everything from the content and layout of the VDU screens to the lighting of the room (for 24 hour operation) and the layout of the Control Room, and the colour scheme for the floor and walls and ceiling, all need to be taken into account.

It is important that the operators are not overloaded with information, as happened in the nuclear meltdown at Three Mile Island in the USA, when far too many alarms went off at the same time, and nobody could work out what had gone wrong. A different sort of information overload occurs when we try to provide operators with, for instance, temperatures to two places of decimals, just because we have the technology to do so! Temperatures accurate to 1°C are generally quite accurate enough. It may be a better use of our technology to show temperatures in one colour when they are healthy, and in another colour when they are moving out of their optimum range.

VDU displays must be easy to read, easy to understand, and easy to use for the diagnosis of hazards or faults. If there are two or three similar plants, then the layouts and colour schemes for the VDU screens need to be identical, as the operators are likely to be transferred from one unit to another, or to cover for someone who is off sick. The real test comes when there is a sudden emergency at 0300 hours, when the operator has come to work feeling off colour, and is not at his or her best. Are the alarms and the information provided on the VDU screen going to provide the clearest possible picture of what has gone wrong? It should not be necessary to have an MSc in Computer Science to successfully control plant operation!

Ergonomics needs to be tackled with vigour in the design office, but part of the strategy needs to be implemented by those who erect the equipment and instrumentation in the field. Construction workers need to be instructed in what we are aiming to do, or else they may unwittingly defeat the design strategy by failing to follow it through in the final installation stage.

2. Emergency Shutdown Systems

There is no doubt that IEC 61508 Functional Safety Related Systems has brought a lot more science into the design of emergency shutdown systems. In the bad old days there were just three types of instrument and control systems:

• Distributed Control System (DCS) for normal control.

• Emergency Shutdown System (ESD) for when the DCS failed.

• High Integrity Protective Systems (HIPS) for final protection.

But IEC 61508 helps us to understand that we need to consider five levels of Safety Integrity Level (or SILs).

The requirements for a particular SIL may be established by looking at three different considerations:

• Potential risk to personnel, and the number of personnel who would be affected, if the protective instrument system were to fail.

• Potential financial loss which might be suffered if the system were to fail. This includes actual damage to the plant, but is very likely to also include consequential loss of production due to a shutdown.

• Potential environmental damage, which needs to be taken very seriously, particularly if it extends outside the refinery fence.

If all these three are to be considered then the calculations for all three are carried out, and the SIL level required for the instrument protective system is based on the worst, or most severe, requirement.

One of the most helpful aspects of carrying out this process is that in some cases the ESD system will be found to be unnecessary. This result comes from the requirement for a less than SIL 1 rating in all three cases. In this case an ESD control and instrument system is not required, and money can be saved from the capital cost of the facility. On the other hand some serious risks may be identified where a SIL 2 or SIL 3 instrument and control system will be required. These systems will be more expensive than the more standard SIL 1 system, but at least one knows that the additional expenditure is targeted on the area where the risk is greatest.

Implementing the different SIL levels in hardware is a major topic that cannot be fully covered here, but a general impression can be gained by looking at the two possible configurations below. For instance a SIL 3 instrument protective system might look something like this:

[Figure: SIL 3 ESD System, with 1oo2 voting on the two input devices and 1oo2 on the two ESD valves]

Here there are two input devices, either of which will initiate the system. There is a high integrity electronic system which will try to shut the two ESD valves if the system is initiated. Note that this is not the only configuration for SIL 3 ESD Systems, and in fact this would be unsuitable for an application where a high plant availability is also a consideration.

On the other hand a SIL 1 protective device is likely to require only one input and one output, as follows:

[Figure: SIL 1 ESD System, with a single input device and a single ESD valve]
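As an added example that is not from the article, the following Python sketch compares the 1oo2 input voting of the SIL 3 diagram with 1oo1 and 2oo2 alternatives, and applies the worst-of-three rule for the required SIL. The per-channel failure probabilities and the SIL assessment values are constructed assumptions, not figures from IEC 61508, and channels are assumed independent.

```python
"""Added example, not part of the article: ESD voting and SIL selection.

Each input channel is modelled with an assumed per-demand probability of
failing dangerously (pd: never demands a trip) and of tripping spuriously
(ps: always demands a trip). Channels are assumed independent, so common
cause failures, which dominate real designs, are ignored here.
"""
from itertools import product


def required_sil(personnel: int, financial: int, environmental: int) -> int:
    """Worst of the three assessments sets the SIL (0 = no ESD system needed)."""
    sils = (personnel, financial, environmental)
    if any(s not in range(0, 5) for s in sils):
        raise ValueError("each assessment must be 0 (none) to 4")
    return max(sils)


def vote(architecture: str, demands: list) -> bool:
    """True if a 'MooN' logic solver trips: at least M of N channels demand."""
    m, n = (int(x) for x in architecture.split("oo"))
    if len(demands) != n:
        raise ValueError(f"{architecture} expects {n} channels")
    return sum(demands) >= m


def failure_rates(architecture: str, pd: float, ps: float):
    """Return (probability of failure on demand, probability of spurious trip)
    by enumerating every combination of channel states."""
    n = int(architecture.split("oo")[1])
    weight = {"ok": 1.0 - pd - ps, "dangerous": pd, "spurious": ps}
    pfd = spurious = 0.0
    for states in product(weight, repeat=n):
        prob = 1.0
        for s in states:
            prob *= weight[s]
        # Real demand: every channel except a dangerously failed one demands.
        if not vote(architecture, [s != "dangerous" for s in states]):
            pfd += prob
        # No demand: only spuriously failed channels demand.
        if vote(architecture, [s == "spurious" for s in states]):
            spurious += prob
    return pfd, spurious


if __name__ == "__main__":
    print("required SIL:", required_sil(1, 3, 2))
    for arch in ("1oo1", "1oo2", "2oo2"):
        pfd, sp = failure_rates(arch, pd=0.01, ps=0.02)  # constructed values
        print(f"{arch}: PFD={pfd:.4f} spurious trip={sp:.4f}")
```

The 1oo2 row shows the trade-off the article points to: the lowest probability of failure on demand but the highest spurious trip rate, which is why that configuration is unsuitable where plant availability also matters.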

3. Better Construction Safety

Here we will look at how safety on the construction site can be significantly improved by activities that take place in the Design Office. The key to this activity is to get members of the construction team to come into the design office to take part in appropriate engineering safety reviews. HAZCON (Hazards in Construction) Reviews need to be attended by Design Engineers as well as the Construction Engineers. It is not just a matter of Construction Engineers commenting on the designs prepared by others; there needs to be a partnership so that the designs take into account the need to reduce the level of hazard on the construction site.

To some extent this is a process of iteration. There needs to be an outline design and a preliminary layout, based on process and maintenance requirements. But then the construction team need to visit the site and investigate various options and the routes for transporting major items of equipment, etc. They need to decide the location of the laydown areas, the temporary site offices, and the locations where large cranes can be located for the main lifts.

Once the construction team have prepared a preliminary construction plan they can come back to the design team and make suggestions which would possibly change the design strategy for the facility. They might suggest bringing in some sections of the plant as pre-assembled units. There might be a useful discussion between design and construction Engineers about the virtues of dressing distillation columns (adding all the platforms and ladders) while in the horizontal position, and about shop assembly, as opposed to site assembly, for some items of equipment.

Site safety can be significantly improved by reducing risks in the following ways:

• Ensuring that all work which can be done at grade is done at grade. We have already mentioned dressing distillation columns in the horizontal position, but the same principle can be applied to other applications. For a high level platform, the whole unit can be pre-assembled at grade and lifted into position as one unit.

• Avoiding hot work close to operating plant. When a revamp is being carried out, then sometimes it is necessary to install new equipment within an operating area. With some careful design it may be possible to avoid all hot work, such as welding, until the plant is shut down for the final link-up to the new equipment.

• Preparing a very detailed electronic model as part of the design process, showing all steelwork, all pipework with valves and instrumentation, as well as the details of all items of equipment, electrical cables, lighting and field switches and junction boxes.

The result of preparing this very detailed model is that all clashes (and other mismatches) can be identified and resolved at the model stage, so that when the real plant is actually constructed, the problems and hazards are greatly reduced. If potential difficulties or hazards are identified by studying the model then these can be anticipated and suitable mitigation steps can be planned well ahead of the erection activities.

It is of course vital for the construction team to have access to the electronic model on site as well as in the design office, so that they can refer to it at all stages and can, for instance, check clearances for lifting operations if any last minute changes have to be made.

The key to all this is to include construction engineers in the project team at the early stages of design so that appropriate design decisions can be made, and so that they have time to plan their construction activities in detail well ahead of the work being carried out.

4. Safer Plant Startup

In the past Commissioning Engineers started to work on a project when they arrived on site to begin commissioning activities. I do recall a project some years ago, when I worked for a different Contractor, when the Construction team completed the process units ahead of utilities, and the startup was much delayed.

We have now discovered that detailed planning and preparation of commissioning activities needs to be carried out before personnel are mobilized to site. More than actually planning their work, our Commissioning Engineers now attend our HAZOP Studies and Model Reviews so that they can provide vital feedback into the design of the facilities.

One key area for input by Commissioning Engineers is into the overall construction schedule, to ensure that facilities will be completed in the correct order and that there will be time to safely precommission, and then commission, the facilities. For instance it is usually essential to complete the utilities ahead of the process units and to have a commissioning sequence such as the following:

• Startup and operation of all utilities while the process units are still in the final stages of construction.

• Startup of Units 1 and 2, using the utilities, while other units are still being finished off.

• Startup of Units 3 and 4, which will bring the whole facility into production.

Once we have a commissioning plan like this it needs to be reflected in the layout and isolation philosophy of the design. The above plan would require, for instance, that:

• The utilities need to be located in a distinctive area which is far enough away from the process units to permit operation of the utilities while construction is still taking place in other areas.

• Units 1 and 2 need to be separated from Units 3 and 4, so that Units 1 and 2 can be operated while Units 3 and 4 are still being finished off.

• The distribution of steam, electricity, instrument air, nitrogen, cooling water, etc. must be such that it can be provided to Units 1 and 2 without affecting construction work on Units 3 and 4.

[Figure: Separation and Isolation to permit a three stage start-up. Stage 1: Utilities only. Stage 2: Utilities plus Units 1 and 2. Stage 3: Utilities plus all four Units. Blocks shown: Utilities; Unit 1 and Unit 2; Unit 3 and Unit 4]

Clearly it would be unsatisfactory if the utilities had to be provided to Units 1 and 2 across Units 3 and 4. The problem is that the distribution headers and the basic layout of the facility will be fixed very early in the design process, and are not easily changed when the commissioning team arrive at site, say six months before the facility should be in full operation.

So it is a matter of getting Commissioning Engineers involved with the basic design of the facility, so that there can be an agreed strategy for startup, the appropriate safety factors can be built into the design of the facilities, and sufficient time allowed for a safe startup.

CONCLUSION

Safety in Design, like many other things, needs to be subject to continuous improvement. There is a traditional methodology which is well known and widely used, but there is now a new generation of techniques which will improve safety in four areas, as indicated above. However, do not assume that this is the ultimate solution; other developments will follow in this vibrant field, and we hope in due course to get safer plants and better value from our intelligent drawings and more intelligent electronic models. The use of ‘intelligence’ in this context refers to the electronic storage of process and hardware information on the drawings and models concerned.

References:

1. Kletz, T. Plant Design for Safety. Hemisphere Publishing Corporation.

2. Guide to Engineering Safety Reviews and Audits for Process Plant Contractors. Energy Industries Council (1991).

3. IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.

H M Wakeling 2 June 2000