evaluate plant-wide safety of your interlock system

7/29/2019 Evaluate Plant-wide safety of your Interlock system

1/14

GCPS 2013

__________________________________________________________________________

Evaluate Plant-Wide Safety Of Your Interlock SystemPrincipal Author: Mohammed Naved Khan

Ingenero Technologies India Pvt Ltd.

Mumbai, [email protected]

Presenter: Swapnil Pathak



Co-author: Jim Brigman

Ingenero Technologies Inc.

Houston, Texas, [email protected]

Prepared for Presentation at

American Institute of Chemical Engineers

2013 Spring Meeting

9th Global Congress on Process Safety

San Antonio, Texas

April 28 May 2, 2013


2/14

GCPS 2013

__________________________________________________________________________

UNPUBLISHED


3/14

GCPS 2013

__________________________________________________________________________

AIChE shall not be responsible for statements or opinions contained

in papers or printed in its publications


4/14

GCPS 2013

__________________________________________________________________________

Evaluate Plant-Wide Safety Of Your Interlock System

Principal Author: Mohammed Naved Khan



Presenter: Swapnil Pathak



Co-author: Jim Brigman

Ingenero Technologies Inc.

Houston, Texas, [email protected]

Keywords: IRM, interlock relationship, interlock-process interference, holistic, isolated

information, PHA, mitigation

Abstract

Interlocks serve as important safety systems in industrial settings, where they protect

equipment from damage and employees from toxic and harmful releases from that

equipment arising out of unsafe conditions. The same safety systems can lead to damage

of process systems, if not analyzed properly. In some of the cases we encountered,initiation of interlocks in equipment caused severe damage to other equipment (due to

change in composition) or initiation of interlock caused damage to the same equipment it

was intended to protect (due to incorrect sequencing of interlocks).

The information available with the interlock design documents (like cause and effect

diagrams) is limited to the vicinity of that particular interlock. It does not give any

information about the relationship of the interlock, under study, with other processequipment or even with other interlocks (except for initiation). The relationship betweensafety interlocks and process system arises out of the behavior of the process system (e.g.

change in composition) to the actions taken by the interlock. This paper proposes how a

holistic view for these behavioral responses can be obtained by developing the IRM(Interlock Relationship Matrix). IRM is a single process document (excluding

instrumentation and logic details) that provides information on the effects of all interlocks

on each element of process system. Developing IRM is crucial in evaluating the

interlock-process interference (behavioral responses) and is beneficial in managerial

decision making to assess the likely damage to equipment and provide mitigation thereof.


5/14

GCPS 2013

__________________________________________________________________________

1. IntroductionInterlocks form the most critical and independent layer of safety in industrial settings.They are primarily designed for:

Equipment - protect the equipment from damage due to unsafe conditions (eg.over speed) and the resulting economic loss arising out of replacement and

downtime.

Personnel - protect the personnel from exposure to harmful and toxic materialsthat may get released from equipment damage (e.g. Seal leaks from rotating

equipment).

Plant - maintain the integrity of the plant (e.g. flare mitigation methods employedto limit the flaring during global utility failures and avoid exposure of un-burnt

hydrocarbons to the general public).

The design intention of the approaches employed for interlock systems are two-fold; first

is the isolated view to protect the equipment at hand and second is the global view tomaintain integrity of the plant. Although the approach seems to be looking fair, they

(even the global interlock system) lack in considering the interlock-process systems

relationships in designing interlock systems.

The very definition of an independent protection layer provided by interlock systems

(whether a single or global interlock) has an inherent element of relationship between

interlock actions and the behavior of process systems i.e. the actions of the interlock

system are taken independent of the responses of process system. This relationship mayor may not be relevant as far as the functions of that particular interlock is concerned, butin no case it should cause upset in other process units that could jeopardize their integrity

and cause irreparable damage. In the following sections, we will look into some of the

incidences that lead to irrevocable equipment damage as a direct result of the interlock-

process interference and we will suggest an approach as to how a holistic view for these

behavioral responses of the process systems to interlock actions can be obtained for

effective mitigation. Also the major points of differences between global interlock

systems and holistic view of individual interlock systems will be highlighted.

2. Interlock Design InformationThe design of interlock systems starts with the development of interlock diagrams or

narratives. They provide key information as to the analysis and identification of scenarios

that can cause damage to particular equipment (initiating causes) and the actions that are

required to be taken for the protection of that equipment. They are of the following three

types:


6/14

GCPS 2013

__________________________________________________________________________

2.1 NarrativesNarratives provide descriptive statements for the various elements of the interlock

system. Narratives are a short description stating the primary function of the interlock,events that can lead to unsafe conditions (initiating causes) and finally actions required

by the interlock to mitigate these events. They are written in a simple but precise mannerwithout making use of detail identification tags.

2.2 Cause and Effect (C&E) DiagramC&E diagrams are the next level of detail information about the interlock. C&E diagrams

are presented in a tabular format, detailing the initiating causes and the actions taken in

the form of individual tag numbers, usually initiating causes are activation of suitable

switches due to unsafe conditions and corresponding actions taken (opening or closing a

valve). Actions taken are segregated for each initiating cause. They also provideinformation about time delays. C&E diagrams provide detail accounting of each element

of the interlock.

2.3 Logic and Ladder DiagramThe information provided in logic and ladder diagrams is specific to the instrumentationpart of interlock system. They provide the circuit diagrams of the relay logic hardware

used for the interlock system under consideration.

3. Limitations of Design InformationInterlock design information is limited to the vicinity of the particular interlock under

consideration. The actions taken (or required) are bound by the isolated view of the

equipment to be protected. They are limited in their ability to evaluate and analyze the

effect of actions taken by the interlock systems on other process systems.

The structure of the C&E and ladder-logic diagrams is incompatible with identifying and

analyzing such kind of relationships. Interlock narratives can incorporate this informationin a piece-meal fashion (similar to the way information is presented in a narrative - oneinterlock at a time), however the utility of such disintegrated information is questionable

due to the following facts

Language - The information presented in narratives is written in easy tounderstand language and hence lacks a structured and objective approach.

Lack of specific information - They are prepared usually at a stage where systemspecific detail information is not available and lot of re-work might be required to

make them consistent and compatible to receiving detail information.


7/14

GCPS 2013

__________________________________________________________________________

4. Need for Holistic ViewWe will discuss two incidences where interlock activation in an equipment led to severe

damage in the same or other equipment.

4.1 Incident one Activation of Interlock in Acetylene Hydrogenation Reactor ofEthylene Unit

Ethylene cracker unit was operating with an acetylene hydrogenation reactor locatedbetween fourth and fifth stages of cracked gas compressor after Deethanizer and before

the chilling train that produces tail gas (front end configuration). Tail gas, usually, is a

methane-rich stream that is used as fuel in cracking furnaces. Fuel gas system for

crackers also has backup from imported LPG to handle contingencies.

For this case, interlock was designed for shutting down, boxing up and depressurizingacetylene reactor to purge out reactive hydrocarbons from the catalyst bed and preventrunaway reactions that might cause a meltdown of the reactor. However, shutting down

the reactor also meant stopping of tail gas flow to furnaces. Thus LPG from backupsystem was lined up, which changed the calorific value of fuel to the furnaces. The

cracking furnace temperature controller was working without duty correction to account

for change in composition and, therefore, was sluggish in taking appropriate corrective

actions and closing the valves. This time gap led to increased heat input to the furnaces

which resulted in a spike in the tube metal temperatures of the coils and subsequent coil

damage. Thus to protect acetylene reactor, interlock actions lead to damage of cracking

furnace coils due to inappropriate handling of fuel gas composition change.

In this case, the behavioral response of process system to the actions of interlock was

change in fuel gas composition to the cracking furnaces. This information was not

apparently or directly visible from interlock design information.

4.2 Incident two - Activation of Total Shutdown interlock of Cracking furnace ofEthylene Unit

Cracking furnaces in Ethylene units usually have two levels of interlock shutdown in case

of upset, first is steam standby with isolation of hydrocarbon feed and operating the

firebox in hot condition and second is the total shutdown where firebox is cooled.

Usually, first interlock is designed for faster restart after a partial shutdown by sustaining

close to operating conditions inside the firebox and maintaining minimum inventory of

BFW in the steam drum. The second interlock is designed to maintain integrity of the

furnace and cool the firebox, which might be operating close to 1100 deg C, to a safe

condition. Both interlocks have different functional requirements and are designed in a

way so as to be independent of each other. However, from process point of view,

initiation of first interlock also provides the necessary time lag for controlled rate heatrelease from the firebox, by maintaining minimum firing, before the cooling down of the

firebox is initiated by total shutdown interlock.


8/14

GCPS 2013

__________________________________________________________________________

For the case under consideration, in order to maintain minimum BFW inventory for first

shutdown, the trigger was set at significantly low-level point. This resulted in activationof both interlocks with minimum time delay resulting in rapid cooling of firebox. The

coke layer deposited inside the coils has very different coefficient of expansion than coilmetallurgy leading to unequal contraction and subsequent mechanical failure of coils.

The incident gives the interlock interference or dependence that may be sometimes

necessary due to process behavior. Design information of both interlocks, when observed

in isolation, was sufficient to perform their designated tasks. However without a holistic

view of looking at them, integrity of the equipment was jeopardized.

With the above-discussed instances, it is evident that sole reliance on interlock design

information to provide the hindsight necessary to avoid damage to other equipment is

insufficient. It requires a holistic view, encompassing all individual interlock systems, tostudy the interlock-process relationship for each element of the process system to better

understand these relationships rather than piece-meal and isolated interlock designinformation.

One can argue that global interlock systems responsible for maintaining the integrity of

the entire plant can take care of these relationships. We think that such a system ispractically infeasible. The reasoning starts with the very definition of an interlock which

states that it is the actuation of the initiating causes that triggers the interlock responses

irrespective of the process. For global interlock systems to take care of interlock-process

relationships, all the elements of the process system must be allowed to trigger them

(along with the upsets in global utility networks).

Another approach could be to trigger specific interlock systems put in place to protect

these relationships. The practicality of such an interlock system is bound to fail becauseof two reasons. First the investment required in putting up these extra interlock systems

or triggers is huge as the permutations and combinations of initiating causes from all

process elements is gigantic. Second it can lead to loss of earnings and operationalprudence due to the higher cost of production for increased number of instances of

unsteady plant operation due to spurious activations.

5. IRMWe propose to develop IRM as a tool to give the necessary holistic view forunderstanding the interlock-process relationship. IRM is an acronym for InterlockRelationship Matrix. It is the final outcome of the study for evaluation of interlock

actions and is a single document that shows the effect of actions of each interlock

systems on all elements of the process system.


9/14

GCPS 2013

__________________________________________________________________________

It is prepared in a tabular format with interlock systems arranged in rows and process

system elements arranged in columns. A typical IRM is shown in Table 1 for referencelayout.

Table 1. Typical IRM Layout

Elements of Process

System

Element 1 Element 2 Element 3 Element 4 ...

Interlock Systems

Interlock 1

Interlock 2

Interlock 3

...

The effect of each interlock action is documented in the corresponding column for

process elements. For example, if the actions of Interlock 2 change the feed compositionof Element 3, then change in feed composition is typed in cell corresponding to

Interlock 2 and Element 3.

IRM should include only those effects of interlock actions that have the potential to causesignificant damage to process elements. This will avoid ambiguity and redundancy of

information. Populating IRM with all effects of interlock actions reduces the utility of thetool. Existing safeguards should also be considered for evaluating the potential damage to

the equipment. If damage is possible after considering existing safeguards, only then IRM

should be updated with the relevant effect. For earlier example, it can be analyzed

whether change in feed composition can cause damage to the equipment if it is not

corrected (by the absence of density or composition meter) for changed composition.

However, reference of existing safeguards, for effects that have potential for damage, can

be made in IRM to ensure and document that the analysis of the interlock actions has

been conducted.

6. Why IRMThere are generic approaches available for evaluating hazards for process system. They

can be studied under two categories: Software Evaluation and PHA.

6.1 Software evaluation techniquesThese techniques include Software Systems Hazards Analysis like Fault/Event TreeAnalysis, Failure Mode and Effects Analysis, Software Failure Mode, Effects, and

Criticality Analysis, etc. They are deemed to analyze and identify whether software

system components' operation or failure (functioning or lack of functionality) could result

in hazards for process systems. It begins when the components are designed sufficiently,

and is updated as their design matures to take care of the potential hazards.


10/14

GCPS 2013

__________________________________________________________________________

Functional difference between these analyses and IRM is that they are more concerned

with the effects of software (interlock) systems on process elements in case the softwaregoes rogue and malfunctions (lack of functionality). Moreover, the analysis of

components' operation (functionality) on process systems is unable to understandinterlock-process relationship as it is concerned only for segregating and avoiding

intermixing interlock (safety actions) and process (control actions) systems.

Whereas, in the case of IRM, it analyzes the effects of interlock actions on process

element considering that software (interlock) system has fulfilled its functionality and

there is no sharing of functions from either side. It is not intended to find any design fault

in software (interlock) systems but to evaluate and understand the probable responses of

process system to software (interlock) system actions.

6.2 PHA

PHA techniques include operational and process hazards analysis like HAZOP, LOPA,

HAZAN, etc. These techniques use guidewords in combination with process parametersto evaluate deviation scenarios from normal operation and verify the utility of existing

safeguards. If the existing safeguards are not sufficient, new safeguards are suggested.

Safeguards can include interlocks, process control, alarms, relief valves, operating

procedures, etc.

Key difference between PHA and IRM is that PHA considers only the process parameters

as the potential causes for deviation and subsequent consequences. To mitigate such

consequences, PHA provides the scope for defining actions required by a safety system.

However, it does not evaluate the actions of a safety system like an interlock as probablecauses of deviation.

IRM fills this gap of analyses of actions of an interlock as potential causes of deviationfor the process elements and gives insight to unearth latent harmful events of interlock

actions.

7. Developing IRMIRM can be developed in a structured way such that the aftereffects of interlock actions

can be analyzed under the considerations of core parameters critical to the industrial

setting. This approach will avoid ambiguity and subjectivity.

Simple IRM layout discussed in Table 1 can be modified to include critical parameters as

shown in Table 2.


11/14

GCPS 2013

__________________________________________________________________________

Table 2. Typical IRM Layout with critical parameters (cp)

Elements of Process

System

Element 1 Element 2 Element 3 Element 4 ...

Interlock Systems

Interlock 1

cp1: cp1: cp1: cp1: ...

cp2: cp2: cp2: cp2: ...

cp3: cp3: cp3: cp3: ...

... ... ... ... ...

Interlock 2

cp1: cp1: cp1: cp1: ...

cp2: cp2: cp2: cp2: ...

cp3: cp3: cp3: cp3: ...

... ... ... ... ...

Interlock 3

cp1: cp1: cp1: cp1: ...

cp2: cp2: cp2: cp2: ...

cp3: cp3: cp3: cp3: ...

... ... ... ... ...... ... ... ... ... ...

For the refining and petrochemical industry, critical parameters are pressure, temperature,

flow and composition. Other parameters like chemical reaction, liquid level, etc. can be

evaluated from these four parameters. Each action of an interlock system should be

evaluated with respect to above four parameters for understanding the relationship with

each process element.

We will prepare IRM for the two incidents discussed in Section 4 as case study (Table 3

and 4). These tables will form a subset of the overall IRM for the plant.

Table 3. IRM for interlocks and equipment involved in Incident 1

Elements of Process

System

Cold box Cracking Furnace

Interlock Systems

Front End Acetylene

Reactor shutdown

interlock

Pressure: no change, cold box is

boxed up

Pressure: no change, OSBL

pressure controller is designed for

backup

Temperature: no effect, temperature

will rise gradually due to ambient

heating

Temperature: no effect

Flow: no flow to cold box resulting

in loss of tail gas and H2

Flow: flow of tail gas will be

replaced by LPG


12/14

GCPS 2013

__________________________________________________________________________

Elements of Process

System

Cold box Cracking Furnace

Interlock Systems

Composition: no effect on cold boxstreams composition

Composition: methane-rich tail gaswill be replaced by propane-butane

rich LPG increasingly thevolumetric calorific value, no heat

value correction available. Likely

to increase firing duty due to

sluggish temperature control of

furnace coils.

Table 4. IRM for interlocks and equipment involved in Incident 2

Elements of Process

System

Cracking Furnace

Interlock Systems

First shutdown

interlock of Cracking

Furnace

Pressure: no change in firebox and furnace coil pressure

Temperature: firebox temperature is maintained at lower level by

minimum firing.

Flow: less flue gas flow due to low firing

Composition: NA

Second shutdown

interlock of Cracking

Furnace

Pressure: firebox pressure will rise to ambient due to unavailability of ID

fan

Temperature: firebox temperature will reduce rapidly to ambient due to

fuel gas shutdown. Controlled rate heat release is required to avoid rapid

cooling by maintaining minimum firing conditions (first shutdown

interlock) for some duration or stopping flue gas instantly by closing the

damper. However, neither the duration of firebox operation under first

shutdown is sufficient, nor the damper will close to allow controlled rate

heat release and avoid thermal shock. Likely damage to coils.

Flow: no flue gas flow

Composition: NA

8. Integration of IRM with PHAA structured IRM described in Section 7 provides compatibility to integration with PHA

techniques such as HAZOP, LOPA, etc. PHA technique like HAZOP analyzes each andevery parametric deviation on process system that is applicable for an industrial setting.

For refining and petrochemical industry, the parameters include pressure, temperature,

level, flow, composition, chemical reaction, mixing, contaminants, special procedures,

etc.


13/14

GCPS 2013

__________________________________________________________________________

Development of IRM along with PHA study starts by identification of a subset of critical

or primary parameters out of the PHA parametric set on which other parameters depend(like pressure, temperature, flow and composition). It then incorporates and analyzes

actions of a safety system (interlock) as potential sources of deviation (in addition to theparametric deviations) for each process element (equipment or node) where the

deviations of interlock actions are evaluated under the guidance of critical parameter

subset.

9. ConclusionInterlock design information, in the form of narratives, cause and effect diagrams or

ladder/logic diagrams, is limited to the vicinity of the interlock system. It is unable to

evaluate and analyze the effect of actions taken by the interlock systems on other process

systems. This inability might result in irrevocable damage of equipment or potentialpersonnel exposure to toxic materials as evident from the two case studies presented in

Section 4. These damages can be avoided by understanding the interlock-process

relationship to gauge probable process responses to interlock actions.

The interlock-process relationship is not visible explicitly in evaluation techniques like

Software Systems Hazards Analysis (Fault/Event Tree Analysis, Failure Mode and

Effects Analysis) and PHA (HAZOP, LOPA, HAZAN). These techniques intend to

eliminate operational hazards caused by either malfunctioning of the software (interlock)

system or deviations in process parameters. However, they do not take into consideration

the probable causes that can occur in process elements after the actions of a software

(interlock) system have successfully executed.

IRM (Interlock Relationship Matrix) can overcome the isolated nature of interlock design

information by providing a holistic view of all interlock systems and process elements in

the plant (in the form of a matrix) and evaluate critical interlock-process relationship

under the guidance of critical parameters applicable for the industrial setting. It can also

fill the gap in other evaluation techniques by analyzing actions of a safety system

(interlock) as potential causes of deviation for the process elements. It provides efficientincorporation of new interlock systems or functions for existing process systems and

vice-a-versa by giving a ready platform for analyzing the interlock actions on the processsystem. IRM is a managerial decision making instrument that provides valuable

information to assess the likely damage to equipment and provide mitigation thereof.

Understanding interlock-process relationship is crucial to avoid jeopardizing mechanical

integrity of the process system by the very interlock system installed to protect them and

IRM makes it happen.


14/14

GCPS 2013

__________________________________________________________________________

10. References

1. Guidelines for Hazard Evaluation Procedures, 3rd edition, Center for ChemicalProcess Safety (CCPS), John Wiley & Sons, 2008.

2. Lees Loss Prevention in the Process Industries, Hazard Identification, Assessmentand Control, Volume 1, 3rd edition, Sam Mannan, Elsevier Butterworth-Heinemann,

2005.

Additional references not cited:

1. Instrumentation and Control systems, Princeton Plasma Physics Laboratory,ES&HD 5008 Section 2, Chapter 10, Revision 6, 2005.

2. Code Walk-Through, 1984, Dunn, Robert, Software Defect Removal, McGraw-Hill, Inc.

3. "Event Trees and their Treatment on PC Computers", Limnious, N. and J.P.Jeannette, Reliability Engineering, Vol. 18, No. 3, 1987.

4. "A Guide to Hazard and Operability Studies", Chemical Industry Safety and HealthCouncil of the Chemical Industries Association, Alembic House, London, UK.

5. "HAZOP and HAZAN", Klutz, T.V., Institution of Chemical Engineers, UK, 1986.6. "Nuclear Surety Design Certification for Nuclear Weapon System Software and

Firmware", Air Force Regulation 122-4, Department of the Air Force, 24 August

1987.

7. Petri Net Theory and Modeling of Systems, Peterson, J.L., Prentice Hall, 1981.8. "Procedures for Performing A Failure Mode and Effect Analysis", MIL-STD-1629A,

Department of Defense, 24 Nov 1980.

9. "Generic Techniques in Reliability Assessment, Fussel, J., Noordhoff PublishingCo., Leyden, Holland, 1976.

evaluate plant-wide safety of your interlock system

Documents