Recently Kenexis was asked to develop an SIS design for an NGL processing facility. The hazards were associated with operation of equipment beyond design temperature and pressure ratings of equipment including pressure vessels, distillation towers, condensers, reboilers, and pressurized liquid storage tanks. A third party conducted a hazard and risk analysis to establish target Safety Integrity Levels (SIL) for various Safety Instrumented Functions (SIF). Our challenge was to identify requirements for both field instrumentation and the SIS Logic Solver. During our review of the risk analysis, which was conducted using Layer of Protection Analysis (LOPA), we discovered several requirements for SIL 3 shutdown of equipment. Most SIL 3 requirements arose from postulated risk scenarios in which equipment could be subject to temperature beyond the Maximum Allowable Working Temperature (MAWT), which was specified by the mechanical designers of pressure vessels in accordance with the ASME Boiler and Pressure Vessel Code, Section VIII.
The LOPA team contemplated that failure of temperature control in a distillation column reboiler could subject equipment to temperatures as high as 500 F, when the design limit is approximately 300 F. The LOPA identified concerns associated with “loss of vessel tensile strength” and a significant release of flammable hydrocarbons to the atmosphere. However, the scenario also involved no elevated pressure of equipment, which would be well within the allowances of Maximum Allowable Working Pressure (MAWP). Instead of implementing a SIL 3 shutdown on high temperature, Kenexis recommended the end user consult with the mechanical designers of the equipment. Operating a carbon steel pressure vessel above the MAWT is undesirable, and can result in damage to the equipment over time. At worst, some flange leakage might be expected in the long term. However, often there is no potential for acute degradation of the mechanical performance to contain the process pressure, because the vessel is operating well below its MAWP, and within the allowable working stress. It requires a competent mechanical engineer to address this concern, and in this case, the existing vessels were re-rated to limits that were within the bounds of the scenario the LOPA team contemplated. This eliminated the need to install several SIL 3 loops, which would have required significant field instrumentation upgrades as well as a SIL 3 capable logic solver. The SIS was then designed for hazards that resulted in a maximum SIL of SIL 2, and saved significant resources in terms of implementation.
The key learning is to ensure that any SIL 3 finding from a LOPA is subjected to proper scrutiny before accepting that high target as the basis of design. Spending a bit more time and effort in the risk analysis phase can pay big dividends in terms of simplicity of the SIS, lower maintenance and testing requirements, and more effective use of scarce resources to be applied to other, more critical safety issues.