
GCPS 2013 __________________________________________________________________________

Evaluate Plant-Wide Safety Of Your Interlock System

Principal Author: Mohammed Naved Khan, Ingenero Technologies India Pvt Ltd., Mumbai, India, nkhan@ingenero.com
Presenter: Swapnil Pathak, Ingenero Technologies India Pvt Ltd., Mumbai, India, spathak@ingenero.com
Co-author: Jim Brigman, Ingenero Technologies Inc., Houston, Texas, USA, jbrigman@ingenero.com

Prepared for Presentation at the American Institute of Chemical Engineers 2013 Spring Meeting, 9th Global Congress on Process Safety, San Antonio, Texas, April 28 - May 2, 2013


UNPUBLISHED


AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications



Keywords: IRM, interlock relationship, interlock-process interference, holistic, isolated information, PHA, mitigation

Abstract
Interlocks serve as important safety systems in industrial settings, where they protect equipment from damage and employees from toxic and harmful releases from that equipment arising out of unsafe conditions. The same safety systems can lead to damage of process systems if they are not analyzed properly. In some of the cases we encountered, initiation of an interlock in one piece of equipment caused severe damage to other equipment (due to a change in composition), or initiation of an interlock caused damage to the very equipment it was intended to protect (due to incorrect sequencing of interlocks). The information available in interlock design documents (such as cause and effect diagrams) is limited to the vicinity of that particular interlock. It gives no information about the relationship of the interlock under study with other process equipment, or even with other interlocks (except for initiation). The relationship between safety interlocks and the process system arises out of the behavior of the process system (e.g. a change in composition) in response to the actions taken by the interlock. This paper proposes how a holistic view of these behavioral responses can be obtained by developing the IRM (Interlock Relationship Matrix). The IRM is a single process document (excluding instrumentation and logic details) that provides information on the effects of all interlocks on each element of the process system. Developing the IRM is crucial in evaluating interlock-process interference (behavioral responses) and is beneficial in managerial decision making to assess the likely damage to equipment and provide mitigation thereof.


1. Introduction
Interlocks form the most critical and independent layer of safety in industrial settings. They are primarily designed for:

Equipment - protect the equipment from damage due to unsafe conditions (e.g. overspeed) and the resulting economic loss arising out of replacement and downtime.

Personnel - protect personnel from exposure to harmful and toxic materials that may be released following equipment damage (e.g. seal leaks from rotating equipment).

Plant - maintain the integrity of the plant (e.g. flare mitigation methods employed to limit flaring during global utility failures and avoid exposing the general public to unburnt hydrocarbons).

The design intention behind the approaches employed for interlock systems is two-fold: first, the isolated view, which protects the equipment at hand, and second, the global view, which maintains the integrity of the plant. Although this approach appears sound, both (even global interlock systems) fail to consider the interlock-process relationship when designing interlock systems. The very definition of an independent protection layer provided by an interlock system (whether a single or a global interlock) has an inherent element of relationship between interlock actions and the behavior of process systems, i.e. the actions of the interlock system are taken independently of the responses of the process system. This relationship may or may not be relevant as far as the function of that particular interlock is concerned, but in no case should it cause an upset in other process units that could jeopardize their integrity and cause irreparable damage. In the following sections, we will look into some incidents that led to irrevocable equipment damage as a direct result of interlock-process interference, and we will suggest an approach for obtaining a holistic view of these behavioral responses of process systems to interlock actions for effective mitigation. The major points of difference between global interlock systems and the holistic view of individual interlock systems will also be highlighted.

2. Interlock Design Information


The design of interlock systems starts with the development of interlock diagrams or narratives. They provide key information as to the analysis and identification of scenarios that can cause damage to particular equipment (initiating causes) and the actions that are required to be taken for the protection of that equipment. They are of the following three types:


2.1 Narratives

Narratives provide descriptive statements for the various elements of the interlock system. A narrative is a short description stating the primary function of the interlock, the events that can lead to unsafe conditions (initiating causes) and finally the actions required by the interlock to mitigate these events. Narratives are written in a simple but precise manner without making use of detailed identification tags.

2.2 Cause and Effect (C&E) Diagram

C&E diagrams are the next level of detailed information about the interlock. C&E diagrams are presented in a tabular format, detailing the initiating causes and the actions taken in the form of individual tag numbers; usually the initiating causes are the activation of suitable switches due to unsafe conditions, and the corresponding actions taken are the opening or closing of valves. Actions taken are segregated for each initiating cause. C&E diagrams also provide information about time delays and give a detailed accounting of each element of the interlock.

2.3 Logic and Ladder Diagram

The information provided in logic and ladder diagrams is specific to the instrumentation part of interlock system. They provide the circuit diagrams of the relay logic hardware used for the interlock system under consideration.

3. Limitations of Design Information


Interlock design information is limited to the vicinity of the particular interlock under consideration. The actions taken (or required) are bound by the isolated view of the equipment to be protected. They are limited in their ability to evaluate and analyze the effect of actions taken by the interlock systems on other process systems. The structure of C&E and ladder-logic diagrams is incompatible with identifying and analyzing such relationships. Interlock narratives can incorporate this information in a piece-meal fashion (similar to the way information is presented in a narrative, one interlock at a time); however, the utility of such disintegrated information is questionable for the following reasons:

Language - The information in narratives is written in easy-to-understand language and hence lacks a structured and objective approach.

Lack of specific information - Narratives are usually prepared at a stage where system-specific detailed information is not available, and a lot of re-work might be required to make them consistent and compatible with the detailed information received later.


4. Need for Holistic View


We will discuss two incidents where interlock activation in one piece of equipment led to severe damage in the same or other equipment.

4.1 Incident one - Activation of Interlock in Acetylene Hydrogenation Reactor of Ethylene Unit

The ethylene cracker unit was operating with an acetylene hydrogenation reactor located between the fourth and fifth stages of the cracked gas compressor, after the deethanizer and before the chilling train that produces tail gas (front end configuration). Tail gas is usually a methane-rich stream that is used as fuel in the cracking furnaces. The fuel gas system for crackers also has a backup from imported LPG to handle contingencies. For this case, the interlock was designed to shut down, box up and depressurize the acetylene reactor to purge reactive hydrocarbons from the catalyst bed and prevent runaway reactions that might cause a meltdown of the reactor. However, shutting down the reactor also meant stopping the tail gas flow to the furnaces. Thus LPG from the backup system was lined up, which changed the calorific value of the fuel to the furnaces. The cracking furnace temperature controller was working without duty correction to account for the change in composition and was therefore sluggish in taking appropriate corrective action and closing the valves. This time gap led to increased heat input to the furnaces, which resulted in a spike in the tube metal temperatures of the coils and subsequent coil damage. Thus, in protecting the acetylene reactor, the interlock actions led to damage of the cracking furnace coils due to inappropriate handling of the fuel gas composition change. In this case, the behavioral response of the process system to the actions of the interlock was the change in fuel gas composition to the cracking furnaces. This information was not apparently or directly visible from the interlock design information.

4.2 Incident two - Activation of Total Shutdown interlock of Cracking furnace of Ethylene Unit

Cracking furnaces in ethylene units usually have two levels of interlock shutdown in case of upset: the first is steam standby, with isolation of the hydrocarbon feed and operation of the firebox in hot condition, and the second is total shutdown, where the firebox is cooled. Usually, the first interlock is designed for faster restart after a partial shutdown by sustaining conditions inside the firebox close to operating conditions and maintaining a minimum inventory of BFW in the steam drum. The second interlock is designed to maintain the integrity of the furnace and cool the firebox, which might be operating close to 1100 deg C, to a safe condition. The two interlocks have different functional requirements and are designed to be independent of each other. However, from the process point of view, initiation of the first interlock also provides the time lag necessary for controlled-rate heat release from the firebox, by maintaining minimum firing, before cooling of the firebox is initiated by the total shutdown interlock.


For the case under consideration, in order to maintain the minimum BFW inventory for the first shutdown, the trigger was set at a significantly low level point. This resulted in activation of both interlocks with minimal time delay, resulting in rapid cooling of the firebox. The coke layer deposited inside the coils has a very different coefficient of expansion from the coil metallurgy, leading to unequal contraction and subsequent mechanical failure of the coils. The incident illustrates the interlock interference or dependence that may sometimes be necessary because of process behavior. The design information for both interlocks, when observed in isolation, was sufficient for them to perform their designated tasks. However, without a holistic view of the two together, the integrity of the equipment was jeopardized.

From the instances discussed above, it is evident that sole reliance on interlock design information to provide the foresight necessary to avoid damage to other equipment is insufficient. A holistic view, encompassing all individual interlock systems, is required to study the interlock-process relationship for each element of the process system, rather than piece-meal and isolated interlock design information. One can argue that global interlock systems responsible for maintaining the integrity of the entire plant can take care of these relationships. We think that such a system is practically infeasible. The reasoning starts with the very definition of an interlock, which states that it is the actuation of the initiating causes that triggers the interlock responses, irrespective of the process. For global interlock systems to take care of interlock-process relationships, all the elements of the process system would have to be allowed to trigger them (along with upsets in global utility networks). Another approach could be to add specific interlock systems to protect these relationships. The practicality of such an interlock system is bound to fail for two reasons. First, the investment required to put up these extra interlock systems or triggers is huge, as the permutations and combinations of initiating causes from all process elements are gigantic. Second, it can lead to loss of earnings and operational prudence through the higher cost of production caused by an increased number of instances of unsteady plant operation due to spurious activations.

5. IRM
We propose to develop IRM as a tool to give the necessary holistic view for understanding the interlock-process relationship. IRM is an acronym for Interlock Relationship Matrix. It is the final outcome of the study for evaluation of interlock actions and is a single document that shows the effect of actions of each interlock systems on all elements of the process system.


It is prepared in a tabular format with interlock systems arranged in rows and process system elements arranged in columns. A typical IRM layout is shown in Table 1 for reference.

Table 1. Typical IRM Layout

Interlock Systems | Elements of Process System
                  | Element 1 | Element 2 | Element 3 | Element 4 | ...
Interlock 1       |           |           |           |           |
Interlock 2       |           |           |           |           |
Interlock 3       |           |           |           |           |
...               |           |           |           |           |

The effect of each interlock action is documented in the corresponding column for the process element. For example, if the actions of Interlock 2 change the feed composition of Element 3, then "change in feed composition" is entered in the cell corresponding to Interlock 2 and Element 3. The IRM should include only those effects of interlock actions that have the potential to cause significant damage to process elements. This avoids ambiguity and redundancy of information; populating the IRM with all effects of interlock actions reduces the utility of the tool. Existing safeguards should also be considered when evaluating the potential damage to the equipment: only if damage is still possible after considering existing safeguards should the IRM be updated with the relevant effect. For the earlier example, it can be analyzed whether the change in feed composition can cause damage to the equipment if it is not corrected (in the absence of a density or composition meter) for the changed composition. However, for effects that have the potential for damage, a reference to the existing safeguards can be made in the IRM to ensure and document that the analysis of the interlock actions has been conducted.

6. Why IRM
There are generic approaches available for evaluating hazards in a process system. They can be studied under two categories: Software Evaluation and PHA.

6.1 Software evaluation techniques

These techniques include Software Systems Hazards Analysis methods such as Fault/Event Tree Analysis, Failure Mode and Effects Analysis, Software Failure Mode, Effects, and Criticality Analysis, etc. They are intended to analyze and identify whether the operation or failure of software system components (functioning or lack of functionality) could result in hazards for process systems. The analysis begins once the components are sufficiently designed and is updated as their design matures to take care of the potential hazards.


The functional difference between these analyses and the IRM is that they are concerned with the effects of software (interlock) systems on process elements in case the software goes rogue and malfunctions (lack of functionality). Moreover, the analysis of components' operation (functionality) on process systems is unable to capture the interlock-process relationship, as it is concerned only with segregating the interlock (safety actions) and process (control actions) systems and avoiding intermixing between them. The IRM, by contrast, analyzes the effects of interlock actions on process elements under the assumption that the software (interlock) system has fulfilled its functionality and that there is no sharing of functions from either side. It is not intended to find any design fault in software (interlock) systems but to evaluate and understand the probable responses of the process system to software (interlock) system actions.

6.2 PHA

PHA techniques include operational and process hazards analysis like HAZOP, LOPA, HAZAN, etc. These techniques use guidewords in combination with process parameters to evaluate deviation scenarios from normal operation and verify the utility of existing safeguards. If the existing safeguards are not sufficient, new safeguards are suggested. Safeguards can include interlocks, process control, alarms, relief valves, operating procedures, etc. Key difference between PHA and IRM is that PHA considers only the process parameters as the potential causes for deviation and subsequent consequences. To mitigate such consequences, PHA provides the scope for defining actions required by a safety system. However, it does not evaluate the actions of a safety system like an interlock as probable causes of deviation. IRM fills this gap of analyses of actions of an interlock as potential causes of deviation for the process elements and gives insight to unearth latent harmful events of interlock actions.

7. Developing IRM
The IRM can be developed in a structured way such that the aftereffects of interlock actions are analyzed in terms of core parameters critical to the industrial setting. This approach avoids ambiguity and subjectivity. The simple IRM layout discussed in Table 1 can be modified to include critical parameters as shown in Table 2.


Table 2. Typical IRM Layout with critical parameters (cp)

Interlock Systems | Elements of Process System
                  | Element 1          | Element 2          | Element 3          | Element 4 | ...
Interlock 1       | cp1: cp2: cp3: ... | cp1: cp2: cp3: ... | cp1: cp2: cp3: ... | ...       | ...
Interlock 2       | cp1: cp2: cp3: ... | cp1: cp2: cp3: ... | cp1: cp2: cp3: ... | ...       | ...
Interlock 3       | cp1: cp2: cp3: ... | cp1: cp2: cp3: ... | cp1: cp2: cp3: ... | ...       | ...
...               | ...                | ...                | ...                | ...       | ...

For the refining and petrochemical industry, the critical parameters are pressure, temperature, flow and composition. Other parameters such as chemical reaction, liquid level, etc. can be evaluated from these four. Each action of an interlock system should be evaluated with respect to the above four parameters to understand its relationship with each process element. As a case study, we prepare the IRM for the two incidents discussed in Section 4 (Tables 3 and 4). These tables would form a subset of the overall IRM for the plant.

Table 3. IRM for interlocks and equipment involved in Incident 1

Interlock system: Front End Acetylene Reactor shutdown interlock

  Element: Cold box
    Pressure: no change, cold box is boxed up
    Temperature: no effect, temperature will rise gradually due to ambient heating
    Flow: no flow to cold box, resulting in loss of tail gas and H2
    Composition: no effect on cold box stream composition

  Element: Cracking Furnace
    Pressure: no change, OSBL pressure controller is designed for backup
    Temperature: no effect
    Flow: flow of tail gas will be replaced by LPG
    Composition: methane-rich tail gas will be replaced by propane-butane rich LPG, increasing the volumetric calorific value; no heat value correction is available. Likely to increase firing duty due to sluggish temperature control of furnace coils.

Table 4. IRM for interlocks and equipment involved in Incident 2

Interlock system: First shutdown interlock of Cracking Furnace

  Element: Cracking Furnace
    Pressure: no change in firebox and furnace coil pressure
    Temperature: firebox temperature is maintained at a lower level by minimum firing
    Flow: less flue gas flow due to low firing
    Composition: NA

Interlock system: Second shutdown interlock of Cracking Furnace

  Element: Cracking Furnace
    Pressure: firebox pressure will rise to ambient due to unavailability of the ID fan
    Temperature: firebox temperature will reduce rapidly to ambient due to fuel gas shutdown. Controlled-rate heat release is required to avoid rapid cooling, either by maintaining minimum firing conditions (first shutdown interlock) for some duration or by stopping flue gas instantly by closing the damper. However, neither is the duration of firebox operation under the first shutdown sufficient, nor will the damper close, to allow controlled-rate heat release and avoid thermal shock. Likely damage to coils.
    Flow: no flue gas flow
    Composition: NA

8. Integration of IRM with PHA
The structured IRM described in Section 7 is compatible with integration into PHA techniques such as HAZOP, LOPA, etc. A PHA technique like HAZOP analyzes each and every parametric deviation on the process system that is applicable to an industrial setting. For the refining and petrochemical industry, the parameters include pressure, temperature, level, flow, composition, chemical reaction, mixing, contaminants, special procedures, etc.


Development of IRM along with PHA study starts by identification of a subset of critical or primary parameters out of the PHA parametric set on which other parameters depend (like pressure, temperature, flow and composition). It then incorporates and analyzes actions of a safety system (interlock) as potential sources of deviation (in addition to the parametric deviations) for each process element (equipment or node) where the deviations of interlock actions are evaluated under the guidance of critical parameter subset.
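The matrix of Section 5, the critical-parameter structure of Section 7 and the PHA view of Section 8 can be captured in a small data model. The following Python block is an added worked example, not code from the paper or its authors: the Effect and IRM classes, the method names and the shortened wording of the entries are assumptions made for this illustration, while the entries themselves are transcribed from Tables 3 and 4 above. It applies the Section 5 rule that only effects still capable of causing damage after existing safeguards are considered appear in the matrix, and it restates each such entry as a HAZOP-style deviation whose cause is an interlock action.

```python
"""Added example (not from the paper): a minimal Interlock Relationship Matrix
(IRM) builder. Classes and helper names are this example's own assumptions;
the entries are transcribed from Tables 3 and 4 of the paper."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Critical parameters for the refining/petrochemical setting (Section 7).
CRITICAL_PARAMETERS = ("Pressure", "Temperature", "Flow", "Composition")
Key = Tuple[str, str, str]  # (interlock, process element, critical parameter)


@dataclass
class Effect:
    """One evaluated response of a process element to an interlock action."""
    description: str
    damage_possible: bool            # judged AFTER existing safeguards are considered
    safeguard: Optional[str] = None  # safeguard relied upon when damage is screened out


@dataclass
class IRM:
    """Interlocks in rows, process elements in columns, one entry per critical parameter."""
    interlocks: List[str] = field(default_factory=list)
    elements: List[str] = field(default_factory=list)
    evaluated: Dict[Key, Effect] = field(default_factory=dict)

    def record(self, interlock: str, element: str, parameter: str, description: str,
               damage_possible: bool, safeguard: Optional[str] = None) -> None:
        """Keep every evaluation (proof the analysis was done); matrix() applies the screen."""
        if parameter not in CRITICAL_PARAMETERS:
            raise ValueError(f"{parameter!r} is not a critical parameter")
        if interlock not in self.interlocks:
            self.interlocks.append(interlock)
        if element not in self.elements:
            self.elements.append(element)
        self.evaluated[(interlock, element, parameter)] = Effect(description, damage_possible, safeguard)

    def matrix(self) -> Dict[Key, Effect]:
        """Section 5 rule: the IRM proper carries only effects that can still cause damage."""
        return {k: e for k, e in self.evaluated.items() if e.damage_possible}

    def threats_to(self, element: str) -> List[Tuple[str, str, Effect]]:
        """Column view: which interlocks, via which parameter, can damage this element."""
        return [(il, cp, e) for (il, el, cp), e in self.matrix().items() if el == element]

    def pha_deviations(self, element: str) -> List[str]:
        """Section 8: each damaging entry as a HAZOP-style deviation caused by an interlock action."""
        return [f"Node: {element}; Cause: action of {il}; Deviation: {cp}; Consequence: {e.description}"
                for il, cp, e in self.threats_to(element)]

    def render(self) -> str:
        """Text rendering in the Table 2 layout; screened-out entries show as '-'."""
        damaging = self.matrix()
        lines = ["Interlock Systems | " + " | ".join(self.elements)]
        for il in self.interlocks:
            cells = ["; ".join(f"{cp}: {damaging[(il, el, cp)].description}"
                               if (il, el, cp) in damaging else f"{cp}: -"
                               for cp in CRITICAL_PARAMETERS)
                     for el in self.elements]
            lines.append(f"{il} | " + " | ".join(cells))
        return "\n".join(lines)


def build_case_study_irm() -> IRM:
    """Entries constructed from Tables 3 and 4; damage judgements follow the paper's conclusions."""
    irm = IRM()
    acr = "Front End Acetylene Reactor shutdown interlock"
    # Incident 1: cold box effects are evaluated but screened out (no damage potential).
    irm.record(acr, "Cold box", "Pressure", "no change, cold box is boxed up", False)
    irm.record(acr, "Cold box", "Flow", "no flow, loss of tail gas and H2", False)
    irm.record(acr, "Cracking Furnace", "Pressure", "no change", False,
               safeguard="OSBL pressure controller designed for backup")
    irm.record(acr, "Cracking Furnace", "Flow", "tail gas replaced by LPG", False)
    irm.record(acr, "Cracking Furnace", "Composition",
               "methane-rich tail gas replaced by propane-butane rich LPG; higher calorific "
               "value with no heat value correction, firing duty rises", True)
    # Incident 2: the first shutdown alone is benign; the second gives thermal shock.
    first = "First shutdown interlock of Cracking Furnace"
    second = "Second shutdown interlock of Cracking Furnace"
    irm.record(first, "Cracking Furnace", "Temperature",
               "firebox held at a lower level by minimum firing", False)
    irm.record(second, "Cracking Furnace", "Pressure", "rises to ambient, ID fan unavailable", False)
    irm.record(second, "Cracking Furnace", "Temperature",
               "rapid cooling to ambient on fuel gas shutdown; thermal shock, likely coil damage", True)
    return irm


if __name__ == "__main__":
    case = build_case_study_irm()
    print(case.render())
    print("\n".join(case.pha_deviations("Cracking Furnace")))
```

Every evaluated effect is retained in `evaluated`, so the document still shows that each cell was analyzed and which safeguard was relied upon, while `matrix()` returns only the two cells that survive the screen: the composition change to the cracking furnace from the acetylene reactor interlock, and the rapid temperature drop from the second furnace shutdown interlock. `threats_to()` is the column view a reviewer of a single process element would consult, and `pha_deviations()` produces the cause lines that Section 8 proposes adding to a HAZOP node.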

9. Conclusion
Interlock design information, in the form of narratives, cause and effect diagrams or ladder/logic diagrams, is limited to the vicinity of the interlock system. It is unable to evaluate and analyze the effect of actions taken by the interlock system on other process systems. This inability might result in irrevocable damage to equipment or potential personnel exposure to toxic materials, as is evident from the two case studies presented in Section 4. Such damage can be avoided by understanding the interlock-process relationship in order to gauge the probable process responses to interlock actions. The interlock-process relationship is not explicitly visible in evaluation techniques like Software Systems Hazards Analysis (Fault/Event Tree Analysis, Failure Mode and Effects Analysis) and PHA (HAZOP, LOPA, HAZAN). These techniques aim to eliminate operational hazards caused either by malfunctioning of the software (interlock) system or by deviations in process parameters. However, they do not take into consideration the probable causes that can occur in process elements after the actions of a software (interlock) system have executed successfully. The IRM (Interlock Relationship Matrix) can overcome the isolated nature of interlock design information by providing a holistic view of all interlock systems and process elements in the plant (in the form of a matrix) and by evaluating critical interlock-process relationships under the guidance of the critical parameters applicable to the industrial setting. It can also fill the gap in other evaluation techniques by analyzing the actions of a safety system (interlock) as potential causes of deviation for the process elements. It allows efficient incorporation of new interlock systems or functions into existing process systems, and vice versa, by providing a ready platform for analyzing the effect of interlock actions on the process system.
The IRM is a managerial decision-making instrument that provides valuable information to assess the likely damage to equipment and provide mitigation thereof. Understanding the interlock-process relationship is crucial to avoid jeopardizing the mechanical integrity of the process system by the very interlock system installed to protect it, and the IRM makes that possible.


