Explore how each protection layer performs in a real-world hazardous environment.
A safety risk can arise at anytime, anywhere, due to any combination of factors. What happens if an abnormal situation occurs? Is your first line of defense solid or does it have a few potential pitfalls?
For hazardous environments, several specifications and requirements must be met through safety standards, such as the Occupational Safety and Health Administration (OSHA) 29 CFR 40 Part 1910.119 “Process Safety Management” and ISA84 / IEC 61511. Process control systems have automated safety layers that are designed to prevent accidents, but if equipment fails and alarms go unnoticed or warning signs aren’t heeded, the potential for risk can be huge.
A basic process control system (BPCS) is typically designed to run the process, providing operator alarms and basic interlocking. Safety instrumented systems (SISs) are independent of the BPCS and have layers of safety functions and built-in safeguards to eliminate or reduce risk. The BPCS runs the process, but also functions as one of the first lines of defense for the operators. The SIS intervenes if the process moves outside safe control limits.
Many facilities are still using legacy control equipment that operates based on designs developed and built in the 1960s. Are those facilities up to code or using compatible materials with the current process? Is the equipment still operating within maximum allowable working temperature (MAWT) and maximum allowable working pressure (MAWP)? Are their processes meeting recognized and generally accepted good engineering practices (RAGAGEP)?
Let’s look at a real-world example that highlights an equipment failure.
A chemical facility is pumping nitric acid through appropriately designed 304 stainless steel pipes and one of the fittings starts to leak. An operator puts a bucket under the drip and writes a work order, but it doesn’t say “urgent” on it. Meanwhile, the nitric acid drip turns into a spray and covers the pump and all its stainless-steel wetted parts, which are put together with carbon steel bolts. The acid eats away the carbon steel, and the pump falls apart, spraying acid all over the place and shutting everything down. Unfortunately, the spray also covered a chain link fence external to the facility, causing a potential environmental impact to the local community.
In this situation, let’s use the “Swiss cheese” analogy to review how this safety hazard made it through all the Independent Protection Layers (IPLs) (Figure 1). First, we’ll dive into the “block and tackle,” or process, layer.
Layer 1: Process – Compatible Materials
In the scenario above, some of the materials weren’t made of 304L SS, but rather an easily confused 316 stainless-steel alloy (Figure 2). Thus, those materials eventually failed.
Use of compatible materials is critical, regardless of whether you are specifying valves, pumps, tubing, instruments or any other material in any of the disciplines involved. Thinking broadly about the process and its arrangements, and asking “what if” when determining specifications, can go a long way toward ensuring a safe and reliable system.
For instance, think about the exterior non-wetted parts that hold the assemblies together. What if the process not only flowed through the pumps and valves, but a small leak developed from the piping above? Or what if wisps of fugitive emissions from other nearby fittings contacted and corroded the exterior over time? The equipment is in that environment 24/7 (Figure 3).
Don’t just specify the wetted parts of the pump casing and valve body to be compatible with, say, an acid; also look at the exterior fasteners holding the casing together, or the yoke nut locking down the top-works of a valve. These items are often made of standard materials.
An undetected leak could wreak havoc quickly. Facility personnel might miss the effects of slow, continuous corrosion from other sources. There is no substitute for asking that additional question, “What if…,” then looking at cross-section views of the equipment, including those normally non-wetted parts.
Layer 2: Basic Process Control Systems
The process flowmeter and area sensors didn’t register the small nitric acid drip as a problem, so there was no specific alarm. Therefore, this layer of protection was of no help in this situation.
Layer 3: Prevention – Operator responses to alarms, time to respond, operations and maintenance procedures
In a continuously manned process operation, operators routinely tour the process checking for issues. However, issues can pop up between rounds, or, as in the scenario above, a small drip can come to be seen as routine. Getting used to issues like this leads to complacency. It dulls the “sense of urgency” and the recognition that the issue could grow in severity.
Layer 4: Mitigation – Automation Control Action
Once the pump came apart, two SISs shut down the pump via one of two independent trips: a low motor load sensor or a temperature sensor (ironically, one whose wires were either sliced through during the event or melted through by the acid). This mitigation layer is present to keep the situation from getting worse; however, some damage can occur during the safety function trip.
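As an added illustration of the Layer 4 trip logic (example code, not from the article or any vendor), the following models two independent channels voting one-out-of-two, and treats a sensor fault such as the sliced or melted wiring as a trip demand so the pump fails safe rather than running blind. All thresholds, sensor ranges and readings are constructed values.

```python
# Added example (not from the article): minimal 1oo2 safety trip for a pump.
# A channel fault (open circuit / out-of-range reading, like wires sliced or
# melted by acid) is treated as a trip demand: the pump fails safe.
from dataclasses import dataclass
from typing import Optional

# Constructed thresholds: a real SIS takes these from the safety requirements spec.
MOTOR_LOAD_LOW_TRIP_PCT = 20.0   # pump running dry / coupling gone -> load collapses
TEMP_HIGH_TRIP_C = 85.0          # casing overheating
TEMP_SENSOR_MIN_C, TEMP_SENSOR_MAX_C = -40.0, 200.0  # valid range of the RTD

@dataclass
class Reading:
    value: Optional[float]   # None models an open circuit / loss of signal
    def faulted(self, lo: float, hi: float) -> bool:
        return self.value is None or not (lo <= self.value <= hi)

def motor_load_trip(load: Reading) -> tuple[bool, str]:
    if load.faulted(0.0, 120.0):
        return True, "motor load sensor fault"
    if load.value < MOTOR_LOAD_LOW_TRIP_PCT:
        return True, f"low motor load {load.value:.0f}%"
    return False, ""

def temperature_trip(temp: Reading) -> tuple[bool, str]:
    if temp.faulted(TEMP_SENSOR_MIN_C, TEMP_SENSOR_MAX_C):
        return True, "temperature sensor fault"
    if temp.value > TEMP_HIGH_TRIP_C:
        return True, f"high temperature {temp.value:.0f} C"
    return False, ""

def sis_1oo2(load: Reading, temp: Reading) -> tuple[bool, list[str]]:
    """1oo2 vote: either channel alone is sufficient to stop the pump."""
    results = [motor_load_trip(load), temperature_trip(temp)]
    reasons = [why for tripped, why in results if tripped]
    return bool(reasons), reasons

if __name__ == "__main__":
    # Constructed scenarios: normal running, pump coming apart, and the
    # temperature channel's wiring destroyed by acid (signal lost).
    for label, load, temp in [
        ("normal", Reading(78.0), Reading(42.0)),
        ("pump apart", Reading(9.0), Reading(44.0)),
        ("wires melted", Reading(80.0), Reading(None)),
    ]:
        stop, why = sis_1oo2(load, temp)
        print(f"{label:13s} -> {'TRIP' if stop else 'run '} {why}")
```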
Layer 5: Emergency Response – Plant and Surrounding Community
During the incident, acid sprayed on the fence, causing damage and raising the possibility that the chemical had reached just beyond the fence line, which required agency notifications and environmental cleanup.
Being trained on the emergency response plan and what you should do during an incident, such as knowing which direction the wind is blowing, what chemicals can spread to where and many other safety procedures and communication requirements, is critical to your personal safety. Always keep safety top of mind and work with facility personnel to ensure an effective, planned and safe response.
Each IPL adds its own brand of protection to help prevent a safety risk from occurring. Complacency is the enemy of process operations. With a mix of process control safeguards and safety policies, strategies and initiatives in place, an effective corporate safety culture can be built to keep automation systems and people safe.
For additional examples, research any of the following well-documented incidents: Piper Alpha, Deepwater Horizon or BP Texas City. Compare the events with the IPL chart (Figure 1) and see if you can identify which layers of protection should have mitigated these events.