Mary Kay O’Connor Process Safety Center
Beyond Regulatory Compliance, Making Safety Second Nature
October 23-25, 2012
College Station, Texas
15th Annual International Symposium
Standardizing Safe Operating Limit Information
Mike Richardson
Health & Safety Assurance
ConocoPhillips Company
Houston, Texas 77079-1175
Email: [email protected]
Abstract
Many company, national and international standards require that safe operating limit
information be documented for each process system; however, is just stating Safe Operating
Limit values in the operating manual or procedures really the best that can be done? This paper
demonstrates one approach that can be used to standardize the way that Safe Operating Limit
information is not just documented, but is also used as an analysis tool, as a means to link
and consolidate other important safety study results, and as an operator reference and
training aid.
Introduction
Typically, most operating companies list the safe operating limit values for their processes
and facilities somewhere in their operating manuals or procedures, usually as a list of
parameters with their relevant maximum and minimum values for the operators (and the
control systems) to apply during day-to-day operations. The intent is to ensure that the process
does not stray into an unsafe operating area outside the safe operating envelope relevant to the
particular equipment and systems being described.
The question is whether there is a better way of providing and documenting safe operating
limit information in order to increase operations personnel participation during its preparation
and increase operator and supervisor understanding, awareness and ownership during facility
operation. This paper provides one approach and process around safe operating limits that is
focused on satisfying the regulatory requirements in a way that is designed to gain the most
benefit from the exercise.
Background
Worldwide, there are a number of regulatory bodies that require the documentation or use of
safe operating limits to varying levels of detail. The following are just a few examples of these:
US Regulation – OSHA
1910.119(d)(2)(i) Information concerning the technology of the process shall include at least
the following:
• 1910.119(d)(2)(i)(D) Safe upper and lower limits for such items as temperatures,
pressures, flows or compositions; and,
• 1910.119(d)(2)(i)(E) An evaluation of the consequences of deviations, including
those affecting the safety and health of employees.
1910.119(f) Operating procedures.
1910.119(f)(1) The employer shall develop and implement written operating procedures that
provide clear instructions for safely conducting activities involved in each covered process
consistent with the process safety information and shall address at least the following
elements.
• 1910.119(f)(1)(ii) Operating limits:
– 1910.119(f)(1)(ii)(A) Consequences of deviation; and
– 1910.119(f)(1)(ii)(B) Steps required to correct or avoid deviation.
Norwegian Regulation
The Norwegian Regulations (the activities, facilities and management regulations) require
offshore operations to be conducted according to the design. The Norsok Standard S-001 for
Technical Safety establishes that the facilities shall have the appropriate levels of protection as
specified in ISO 10418: “The Process Shutdown System shall automatically detect abnormal
operating conditions or deviations from the operating limits, within systems or equipment and
initiate actions so that uncontrolled release of hydrocarbons is prevented”.
UK Regulation
Protection systems are 'operate on demand' systems, and their main purpose is to bring plant or
equipment to a safe state when an operating parameter exceeds safety limits (COMAH
Regulations, Health and Safety Executive, UK).
Safe Operating Limits and the Operating Envelope
Figure 1 presents a pictorial view of the relationships between safe operating limits,
operating zones, alarms and the required response to ensure the process remains safe. There are
many variations in the industry on this diagram; however the basic concept and relationships
should be both similar and familiar. This diagram depicts a process parameter (e.g. flow,
pressure, temperature, level et cetera) for a section of a facility that has both upper and lower
safe operating limits, but often a parameter may only have upper or lower safe operating limits,
or indeed none at all in some cases.
Within the Safe Operating Envelope (up to the Safe Operating Limit), the operator and/or
process control system will attempt to recover from an upset and continue with normal
operations. When the Safe Operating Limit is reached, the operator’s main focus is not on
returning to normal operation, but instead making the process safe often by shutting down the
process.
[Figure 1, reconstructed from the diagram text. The columns of the figure are: Operating Zones; Safe Operating Limits; Typical Alarms; Typical Automated Response; Typical Operator Response. High side, from the outermost zone inward:]
• UNSAFE OPERATION / POTENTIALLY CATASTROPHIC INCIDENT: Process is UNSAFE and immediate action is required to establish SAFE conditions.
• MI BUFFER ZONE: bounded below by the Mechanical Design Limit (MDL) (e.g. Design Max Pressure).
• EMERGENCY RESPONSE ZONE: Setting of 2nd Layer of Protection (e.g. PSV, PAHHH - HIPPS) (Protection Activated); Operations needs to take steps to correct deviation above SOL.
• Safe Operating Limit (SOL) High Limit: Emergency Priority (HH) SOL Alarm; Setting of 1st Layer of Protection, Process Shutdown.
• TROUBLESHOOTING ZONE: Operations needs to take steps to avoid SOL.
• Normal Operating Limit (NOL) High Limit: High Priority (H) Pre-SOL Alarm.
• POTENTIAL UPSET CONDITIONS: Low Priority (Advisory) Alarm (if configured); Increased awareness for Operations.
• SAFE OPERATING ENVELOPE / NORMAL OPERATING ZONE: Range of normal automated process control; Normal process control by Operations.
[The low side mirrors the high side: POTENTIAL UPSET CONDITIONS with a Low Priority (Advisory) Alarm (if configured); NOL Low Limit with a High Priority (L) Pre-SOL Alarm; TROUBLESHOOTING ZONE; SOL Low Limit with an Emergency Priority (LL) SOL Alarm and Setting of 1st Layer of Protection, Process Shutdown; EMERGENCY RESPONSE ZONE with Setting of 2nd Layer of Protection (e.g. LALLL - HILPS) (Protection Activated) and Operations taking steps to correct deviation below SOL; MDL (e.g. Design Min Temperature); MI BUFFER ZONE; UNSAFE OPERATION / POTENTIALLY CATASTROPHIC INCIDENT.]
Figure 1: Safe Operating Limits and the Safe Operating Envelope
At this point pre-defined actions must take place either manually using abnormal operation
procedures or automatically using the layers of protection designed into a safety instrumented
system. The process variable may continue to rise into the Emergency Response Zone while the
corrective actions take time to have an effect before reaching the Mechanical Design Limit. An
example of this could be the continued rise in pressure in a vessel while the inlet shutdown valve
is closing, but it is expected that the engineering design function will have selected a maximum
closure time of the shutdown valve such that the mechanical design limit is not breached and
preferably the next layer of protection, such as a pressure relief device, is not activated. Of
course, it is not expected that a catastrophic failure will occur exactly on breaching the
Mechanical Design Limit, but the size of the Mechanical Integrity Buffer Zone, provided by
safety factors and over design, is usually largely undefined and as such should be treated as a
‘no-go’ zone.
Review of Definitions and Concepts
In order to be able to document the critical information relating to safe operating limits, a
number of key definitions have to be made as follows:
Process Parameter
A Process Parameter is any process variable with characteristics that can be measured, such
as temperature, pressure, flow, level, concentration, et cetera, and that is controlled within a
required range. Digital signals, such as valve status (open/closed) and the on/off status of bypass
switches, are not process parameters. It is important to re-emphasize that a process parameter
can be both ‘measured’ and ‘controlled’.
Process steps may be defined in a similar way to HAZOP nodes in that they do not need to be for
individual equipment items; however, the node boundaries need not be the same for all process
parameters. For example, a single pressure process parameter step or ‘node’ could be defined for
a separator and its downstream filter coalescer as long as there were no control valves in
between, but the liquid level process parameters in each of these vessels would need to be
separate process parameter ‘nodes’ as they are independently measured and controlled.
Critical Process Parameter
A critical process parameter is a process parameter that, if exceeded at some measurable
value, represents an unacceptable risk to safety, the environment, or to the business in terms of
equipment damage, and that can be controlled either directly or indirectly in normal operation by
operator action.
Normal Operating Limit (NOL)
A normal operating limit is the high or low value of a process parameter at the limit of the
normal operating range. If the process parameter is also a critical process parameter, it is
demarcated by a high priority alarm (or a pre-SOL alarm), so that the operator takes action (such
as troubleshooting, set point changes, etc.) to restore normal operation.
A normal operating limit is also applied to other process parameters that are not critical
process parameters, such as those associated with feed/product quality, asset integrity, process
stability and/or equipment reliability, where there is no immediate unacceptable risk to safety,
the environment, or to the business in terms of equipment damage. It is important to note that
continued operation outside the normal operating limits in these cases could pose a long term
unacceptable risk; however, it is expected that other processes within the organization will
identify these risks and resolve the issues, so a safe operating limit is not assigned to these cases.
It is not the intention that continued operation outside these normal operating limits be ignored, but
rather that the immediacy of reaction is not required. An example of these cases would be a
normal operating limit low-flow alarm on a corrosion inhibitor injection system (to a
hydrocarbon process): continued operation in this state would eventually pose an unacceptable
safety risk; however, other measures, such as the asset integrity monitoring programme, would flag
these for resolution.
In most cases any change to a normal operating limit will require a management of change
procedure to be followed in order to:
• Assure that the operator is still capable of responding to the alarm to avoid an upset
condition when having deviations or excursions outside the normal operating limits
for a critical process parameter.
• Assure that non-immediate equipment / facility integrity and reliability risks are not
overlooked.
• Assure that off-specification product or effluent streams are identified in a timely
manner.
Safe Operating Limit (SOL)
A safe operating limit is the high or low value of a critical process parameter at the limit of
the safe operating envelope. It is also the point at which operational and mechanical
troubleshooting ends and immediate, predetermined protection action is taken (either manually
or automatically). Typically for the pressure process parameter in automated facilities, this is
when the safety instrumented systems trip, and thereafter the pressure relief devices activate.
Operation beyond the safe operating limits should be considered unsafe.
Any change to a safe operating limit or the predetermined protection action to be taken
(either manually or automatically) requires a management of change procedure to be followed to
assure that the risk of an unsafe event (undesirable consequence) occurring is assessed by an
engineering review.
As discussed above, not all process parameters have safe operating limits; these are the cases
where continued excursion or deviation does not pose an immediate risk, such as:
• Degradation of equipment / facility over a long period, reduced operating reliability /
efficiency or off-specification product or effluent streams.
• Variables that are used for equipment condition monitoring or for safety critical
equipment functionality monitoring.
Mechanical Design Limit (MDL)
The mechanical design limit is the ultimate design condition or “not to exceed” limit of a
Critical Process Parameter, which if exceeded may lead to a catastrophic failure with release of
energy or a toxic, reactive, flammable or explosive material: it is the point beyond which the process
is not to be operated for any reason and at which “all” the safety critical protection systems (manual
and automatic) have activated to protect the people, the environment and the facility integrity. The
mechanical design limits are defined during the design of the facility; however, they need to be
periodically reviewed and revised based on current facility condition and status. For instance, the
asset integrity programme may have identified reduced pressure vessel wall thickness that
requires the mechanical design limit to be reduced accordingly: in this case the safe and normal
operating limits will also require review to ensure that the magnitudes of the zones in
Figure 1 are still adequate.
Safety Instrumented System (SIS), Safety Instrumented Function (SIF) and Safety Integrity
Level (SIL)
For an accurate definition of these, refer to references 1 & 2.
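As an added illustration (not the paper's spreadsheet or the author's tooling), the following Python models one SOL Table row using the NOL, SOL and MDL definitions above, classifies a measurement into the Figure 1 zones, and checks that the limits nest correctly so that a reduced MDL collapsing a zone is flagged for review. The NOL of 1350 psig and SOL of 1380 psig are the values of the paper's spreadsheet example; the MDL of 1500 psig and the reduced MDL of 1375 psig are assumed values.

```python
"""One Safe Operating Limits (SOL) Table row: Figure 1 zone classification and
consistency checks on the NOL / SOL / MDL limits. Added example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SolRow:
    """Limits for one critical process parameter 'node'. A side is None when
    the parameter has no limit in that direction (the paper's example only
    completes the maximum condition)."""
    parameter: str
    units: str
    nol_high: Optional[float] = None  # Normal Operating Limit, H pre-SOL alarm
    sol_high: Optional[float] = None  # Safe Operating Limit, HH SOL alarm / 1st layer
    mdl_high: Optional[float] = None  # Mechanical Design Limit, beyond is 'no-go'
    nol_low: Optional[float] = None   # L pre-SOL alarm
    sol_low: Optional[float] = None   # LL SOL alarm / 1st layer of protection
    mdl_low: Optional[float] = None   # design minimum


def validate(row: SolRow) -> list[str]:
    """Return ordering problems; [] means the row is consistent. On each side
    the limits must nest NOL inside SOL inside MDL so that the Troubleshooting
    and Emergency Response zones both have positive width. A reduced MDL
    (e.g. after wall-thickness loss found by asset integrity) that collapses a
    zone is reported here, which is the trigger for reviewing SOL and NOL."""
    problems: list[str] = []
    high = [("NOL high", row.nol_high), ("SOL high", row.sol_high), ("MDL high", row.mdl_high)]
    low = [("NOL low", row.nol_low), ("SOL low", row.sol_low), ("MDL low", row.mdl_low)]
    for (inner, a), (outer, b) in zip(high, high[1:]):
        if a is not None and b is not None and not a < b:
            problems.append(f"{inner} {a} must be below {outer} {b}")
    for (inner, a), (outer, b) in zip(low, low[1:]):
        if a is not None and b is not None and not a > b:
            problems.append(f"{inner} {a} must be above {outer} {b}")
    if row.nol_low is not None and row.nol_high is not None and not row.nol_low < row.nol_high:
        problems.append("NOL low must be below NOL high")
    return problems


def zone_widths(row: SolRow) -> dict[str, Optional[float]]:
    """Widths of the Figure 1 zones, for judging whether they are adequate."""
    def width(outer, inner):
        return None if outer is None or inner is None else abs(outer - inner)
    return {
        "troubleshooting_high": width(row.sol_high, row.nol_high),
        "emergency_high": width(row.mdl_high, row.sol_high),
        "troubleshooting_low": width(row.sol_low, row.nol_low),
        "emergency_low": width(row.mdl_low, row.sol_low),
    }


def classify(row: SolRow, value: float) -> tuple[str, str]:
    """Map a measured value to its Figure 1 zone and the expected response.
    Reaching a limit counts as being at the alarm setpoint for that limit."""
    def reached_high(limit): return limit is not None and value >= limit
    def reached_low(limit): return limit is not None and value <= limit
    if reached_high(row.mdl_high) or reached_low(row.mdl_low):
        return ("MI BUFFER ZONE / UNSAFE OPERATION",
                "Process is UNSAFE; immediate action to establish SAFE conditions")
    if reached_high(row.sol_high) or reached_low(row.sol_low):
        return ("EMERGENCY RESPONSE ZONE",
                "SOL alarm (HH/LL), 1st layer of protection trips; correct deviation beyond SOL")
    if reached_high(row.nol_high) or reached_low(row.nol_low):
        return ("TROUBLESHOOTING ZONE", "Pre-SOL alarm (H/L); take steps to avoid reaching SOL")
    return ("NORMAL OPERATING ZONE", "Normal process control")


def sample_row(mdl_high: float = 1500.0) -> SolRow:
    """Constructed row: NOL 1350 psig and SOL 1380 psig are the paper's spreadsheet
    values; the MDL of 1500 psig (default) is an assumed value."""
    return SolRow("Separator pressure", "psig", nol_high=1350.0, sol_high=1380.0, mdl_high=mdl_high)
```

Calling `validate(sample_row(mdl_high=1375.0))` reproduces the wall-thickness case: the assumed reduced MDL now sits below the SOL, and the row is reported as needing review.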
Design of the Safe Operating Limits Table Spreadsheet
Figures 2A and 2B are presented below as printouts from a simple spreadsheet to
demonstrate how safe operating and related information can be presented concisely in a quick
reference style format. For clarity, the spreadsheet has been printed as two sections, Figures 2A
and 2B, but in the spreadsheet (or in a larger page format) they would be positioned as left and
right sides respectively of the same spreadsheet rows.
The following are explanatory notes regarding the spreadsheet and the data to be input:
• For each process step, minimum and maximum conditions are tabulated, but in many
cases one of these conditions may not be fully completed in the table if there are no
adverse consequences identified for either the maximum or minimum condition. In
this example the minimum condition is not fully completed.
• The column labeled “Immediate safety consequences of deviation outside SOL /
severity” should be completed with reference to current HAZOP report data
concerning immediate safety consequences identified.
• The column labeled “Any additional consequences of deviation outside NOL / NOL
basis” should also be completed with reference to current HAZOP report data, but
with information concerning non-immediate safety consequences and operability
consequences identified. This could include, for example, off-specification product
consequences or long term degradation / reliability consequences. The lower cell,
‘NOL Basis’, should include the reasoning for requiring the NOL.
• The normal means of controlling the process parameter should be entered into the
column ‘Control/Monitoring’; this could be either automatically by the basic
process control system (as shown in the spreadsheet example) or manually by the
operator.
• In the presented maximum condition example, the NOL value of 1350 psig is a SOL
pre-alarm to give the operator sufficient time to avoid reaching the SOL value of
1380 psig by taking the actions listed in the ‘Steps to avoid deviation’ column. The
description of the ‘Steps to avoid deviation’ would probably be more detailed in a
real-life example and may include reference to a more detailed step-by-step
operating procedure, if appropriate, although the ‘essence’ of the procedure should
still be included in the spreadsheet.
• The data entered into ‘Steps to correct deviation or to make safe’ reflects an
example where there are two automatic layers of protection to bring the process to a
safe condition. The 2nd layer of protection is shown as a HIPPS (high integrity
pressure protection system) shutdown device, although more commonly a pressure
relieving device would be seen as the last layer of protection for the
pressure critical process parameter. The layers of protection could also be manual
interventions, where the risk evaluation has considered it appropriate. The
description of the ‘Steps to correct deviation or to make safe’ could be more detailed
in a real-life example and may include reference to a more detailed step-by-step
operating procedure, if appropriate, although the ‘essence’ of the procedure should
still be included in the spreadsheet. If there are more than two layers of protection
then additional rows can be inserted to reflect that.
• Figure 2B is the area of the spreadsheet that describes the layers of protection (either
automatic or manual) in place to ‘correct the deviation or to make safe’. Details of
any automatic safety devices (including tag numbers and required actions) associated
with each layer of protection are entered here, including their Target SIL value for SIFs.
Mechanical Protection Devices, such as pressure relief devices, would also be included here.
The example here describes automated layers of protection, as the column ‘Control
System (as installed)’ shows the action being carried out by the Emergency Shutdown
System; however, if the action to close the ESDV were manual (the operator has to
push a button to close 23ESDV-0002 based on an annunciated alarm 23PAHH-0002)
then the ‘Control System’ column would have ‘Operator’ entered. Table 1 shows a
list of suggested possible look-up values for entering into the ‘Control System’
column.
Figures 2A and 2B: Safe Operating Limits Table Example (data in the spreadsheet is fictitious and is provided by way of hypothetical example only)
Control System (value: meaning)
• SIS - ESD: Emergency Shutdown System
• SIS - EDP: Emergency Depressurization System
• SIS - F&G: Fire & Gas System
• SIS - PSD: Process Shutdown System
• SIS - HIPS: High Integrity Protection System
• USD: Unit Shutdown
• BMS: Burner Management System
• BPCS: Basic Process Control System (e.g. DCS)
• SELF-ACTING: Contained within the single field device
• OPERATOR: Requires operations staff to manually execute
Table 1: Possible Control System field look-up values for SOL Table
The final two columns ‘Target SIL, MPD or MAN’ and ‘Installed SIL, MPD or
MAN’ are derived utilizing data and results from the SIL Classification (Risk Graph,
Layers of Protection Analysis (LOPA) and other methodologies) and SIL
Verification exercises respectively. Further information (including definitions) on
Safety Instrumented Systems, SIL Classification and SIL Verification can be found
in references 1 & 2 and information on LOPA in reference 3.
PFD Required (value: meaning)
• -: Not applicable, or BPCS for the Installed case
• SIL (a): SIS, but no defined SIL Rating
• SIL 1: SIS SIL Rating = 1
• SIL 2: SIS SIL Rating = 2
• SIL 3: SIS SIL Rating = 3
• MPD: Mechanical Protection Device
• MAN: Manually Executed by Operator
Note: Unit and equipment shutdowns that are not specifically SIL Rated should be indicated as 'MPD'.
Table 2: Possible Target / Installed SIL, MPD or MAN field look-up values for SOL Table
Suggested Process for Preparing and Maintaining the SOL Table
The first draft issue of the SOL Table for a new or modification project should be prepared at
the point in the project when the Piping & Instrumentation Diagrams are nearing finalization and
initial HAZOP and SIL Classification (for example, by the LOPA process) studies have been
carried out because at this point the hazard consequences and appropriate protection layers have
been developed. It is recommended that the first draft be initiated by the process engineering
group in order that the intended protection strategies, their basis and reasoning for setting
Normal Operating Limits and Safe Operating Limits relative to Mechanical Design Limits are
documented. The SOL Table then becomes a valuable precursor to the preparation of Operating
Procedures that may not be even started until later in the project, often when many of the original
design team members have been demobilized.
The next step in the suggested process is to hold SOL Table Workshops with a multi-
discipline team similar to a HAZOP with the operations function well represented. At the SOL
Workshop the following method should be used:
• Work through each process step methodically using the process parameter
guidewords, such as flow, pressure, temperature, level, et cetera.
• Review HAZOP and LOPA study reports and findings for each process step.
• Review operating procedures, if available.
• Discuss the values of the Mechanical Design Limits of all components in the process
step utilizing process and mechanical data sheets for equipment items.
• Determine (or review) the actions required to avoid and correct SOL deviations.
• Determine (or review) whether operator intervention is actually feasible within the
expected time with the current alarm and protection layer set points (NOL and SOL).
At this point a form of Human Reliability Assessment should be considered to
determine the reliability of the operator to correctly carry out any manual actions
required to avoid and/or correct SOL deviations together with the potential
consequences of human failure. The output of this step is to recommend revisions to
alarm values / protection layer set-points, as well as to recommend changes to layers of
protection, including whether they should be manual or automatic.
• Document findings where further work / action is required to resolve issues and
assign personnel to track and follow up.
Also similar to HAZOP studies, it is expected that SOL Workshops are repeated periodically
to confirm that the data and actions are still valid and acceptable.
The Benefits
The benefits of the suggested SOL Table and associated process are:
• Promotion of understanding and awareness, particularly with operations personnel,
of the facility safe operating envelope, the expected operator interventions and the
layers of protection provided to prevent the consequences stated, including loss of
primary containment. The objective is to achieve familiarization, ‘buy-in’ and
ownership by the operations personnel of the hazards and avoidance/corrective
actions required.
• Improved focus on operability issues with the design team and stimulation of
operator involvement long before operating procedures are even started.
• Provision of a ‘quick’ reference guide for operations personnel training and for use
during process upsets, containing the required actions and layers of protection. It is
intended that the SOL Table be kept as a controlled document alongside the master
P&IDs in the operations control room.
• Presentation, in a simple format, of key HAZOP and LOPA study results and data that
would otherwise be ‘buried’ in the design documentation package and never used as
reference by operations personnel.
• Presentation of the protection strategies with their bases in an easily understood
format.
• Discovery of potential issues where HAZOP and LOPA studies have not identified
them due to their different focus. The author’s recent experience indicates that this
could be a significant benefit.
• Assistance with the evaluation of increased risks when Safety Instrumented
Functions (SIF) are bypassed or inhibited, since the SIL information shows the
number of orders of magnitude in likelihood that are potentially added due to the
impairment of a SIF corresponding to an automated layer of protection, with
reference to the potential consequences already identified in the SOL Table.
Conclusions
The use of the suggested SOL Table gives operations personnel an important, easy to use
reference tool with a succinct presentation of key engineering and operational data that may
otherwise not be immediately and concisely available.
Just as importantly, the process of preparing the SOL Table, particularly the SOL Table
Workshop, is invaluable in transferring the safe operating envelope and layers of protection
details to operations personnel. The depth of conversation and discussion that this process
stimulates is of tremendous benefit and is a two-way transfer of knowledge between design
engineers and operations personnel. Some have said that “the ‘journey’ is often more important
than the destination”, and this is definitely an appropriate statement regarding this approach.
References
1. IEC 61511-1: “Functional safety – Safety instrumented systems for the process
industry sector – Part 1: Framework, definitions, system, hardware and software
requirements”
2. IEC 61511-2: “Functional safety – Safety instrumented systems for the process
industry sector – Part 2: Guidelines in the application of IEC 61511-1”
3. “Layer of Protection Analysis: Simplified Process Risk Assessment”, Center for
Chemical Process Safety (CCPS), 2001, ISBN 0-8169-0811-7