
Paper Ref: S1710_P0585 3rd International Conference on Integrity, Reliability and Failure, Porto/Portugal, 20-24 July 2009

HAZOP BASED ALARM AND CRITICAL ALARM SYSTEM DESIGN


Tetsuo Fuchino 1) and Yukiyasu Shimada 2)
1) Chemical Engineering Department, Tokyo Institute of Technology, Tokyo, Japan, Email: fuchino@chemeng.titech.ac.hp
2) Chemical Safety Research Gr., National Institute of Occupational Safety and Health, Tokyo, Japan, Email: shimada@s.jniosh.go.jp

SYNOPSIS
Process alarms and critical alarms correspond to the second and third layers of the Independent Protection Layers (IPLs) of a chemical process, and the logic of their design affects the consistency of the overall IPL design. The purpose of a process alarm is to inform an operator of an abnormal process condition and to require the operator to identify and cancel the cause of the deviation from the normal condition. A critical alarm alerts an operator to a critical process condition and requires the operator to prevent or mitigate the expected process upset. However, in current engineering practice, process alarms and critical alarms are designed for each individual hazard scenario captured in a Process Hazard Analysis (PHA) such as a Hazard and Operability Study (HAZOP) during the detailed engineering phase, and the number of alarm points grows inconsistently. This prevents operators from identifying the causes of abnormal deviations from the process alarms, and from recognizing the expected process upsets from the critical alarms, during operation. It is one of the major reasons for the alarm flooding problem and for the inconsistency of IPL design. In this study, we propose a design method for process alarms and critical alarms based on HAZOP. To overcome the engineering problem described above, we dissociate the mitigation information from the HAZOP log, and we develop a method to choose a consistent set of alarm points from the alternatives by considering all hazard scenarios simultaneously.

1. Introduction
The safety of chemical process plants is designed through Independent Protection Layers (IPLs) (Center for Chemical Process Safety, 1993). Chemical process plants handle flammable materials and therefore have inherent hazard potential. An initiating event leads to an abnormal process deviation, the process deviation leads to a hazardous event, and the hazardous event may finally lead to an impact and/or a disaster.

On the basis of this anatomy of an incident, the IPLs are designed so that the initiating event does not propagate to the impact, and they consist of the following eight layers.

IPL1: Process Design
IPL2: Basic Controls, Process Alarms, and Operator Supervision
IPL3: Critical Alarms, Operator Supervision, and Manual Intervention
IPL4: Automatic Action SIS (Safety Instrumented System) or ESD (Emergency Shutdown)
IPL5: Physical Protection (Relief Devices)
IPL6: Physical Protection (Containment Dikes)
IPL7: Plant Emergency Response
IPL8: Community Emergency Response

The first layer designs inherent safety into the process concept, and the second to fifth layers are proactive protection layers. A released impact is kept within the process area by the sixth layer, and emergency response inside and outside the plant is designed at the seventh and eighth layers. From the viewpoint of engineering design, safety design is carried out by the proactive protection layers, so the logic and exhaustiveness of the second to fifth layers are very important. Other than the Guidelines for Safety Automation of Chemical Processes from the Center for Chemical Process Safety (CCPS), several descriptive papers and standards focused on the design of the fourth IPL have been released. Drake (Drake, 1994) reviewed IPLs and introduced a framework for risk-based Safety Instrumented System (SIS) integrity evaluation. ANSI/ISA-S84.01-1996 (Instrument Society of America, 1996) standardizes the steps to determine the necessary SIS and their Safety Integrity Levels (SIL). Dowell (Dowell, 1998) proposed determining the SIL from Layer of Protection Analysis (LOPA). These standards and papers aim to decide the SIL of the SIS based on the hazard scenarios, from initiating events to impact events, identified by a Process Hazard Analysis (PHA) such as HAZOP (HAZard and OPerability study) (Chemical Industry Safety and Health Council of the Chemical Industries Association, 1981). The required reliability of the SIS is calculated from the frequency of the initiating event, the failure probabilities of the recovery operations and operator intervention operations designed in the second and third IPLs, and the failure probability of the relief devices of the fifth IPL. The SIL of the SIS and/or the necessity of modifying the design of the other IPLs are decided from the required reliability of the respective hazard scenario. However, to account for operational failure in the design of the SIS, process alarms and critical alarms consistent with the recovery operations and operator intervention operations should be designed beforehand on the basis of the PHA. The second and third IPLs are the layers that prevent the occurrence of impact events through operator response.
In these layers, process alarms inform an operator of an abnormal process condition, and the operator is required to cancel the deviation from the normal condition by recovery operations. If the abnormal process deviation is not canceled, the critical alarms alert the operator to the critical process condition and require the operator to intervene and to prevent or mitigate the expected process upset, i.e. to partially or totally shut down the plant manually. To perform the proper recovery operation for an abnormal process condition, the operator must know the cause of the deviation, so the process alarms should be designed so that the cause of the deviation can be identified from among all the hazard scenarios captured by the PHA. Likewise, to perform the proper operator intervention for a critical process condition, the operator must predict the hazardous event caused by that condition, so the critical alarms should be designed so that the hazardous event caused by the critical process condition can be specified from among all the expected hazardous events in the hazard scenarios captured by the PHA. However, in current engineering practice, process alarms and critical alarms are designed for each individual hazard scenario at the detailed engineering phase, and the relations between hazard scenarios are not considered. As a result, the number of alarm points increases, and only the abnormality is reported to the operator, without identifying the cause of the deviation. This makes the IPLs inconsistent and also makes an effective operator response impossible. Recently, alarm flooding has become a serious problem in operating plants, and the Instrumentation, Systems and Automation Society (ISA) published a handbook (Hollifield and Habibi, 2007) on this issue. The handbook points out that alarm rationalization is the solution, and that PHA teams tend to recommend an excessive number of alarm points inconsistently.
The function of a PHA falls into three categories, i.e. hazard identification, hazard evaluation and mitigation. In performing HAZOP, a mitigation plan, including alarm installation recommendations, is provided for each hazard scenario separately. That is why the relations between hazard scenarios have not been considered in alarm design, and why the operator response could not be designed. In this study, to overcome the process and critical alarm design problem described above, we dissociate the function of recommending a mitigation plan from HAZOP. All hazard scenarios are identified prior to designing the process alarms and critical alarms, and the initiating events, deviations, propagated deviations and hazardous events of these scenarios are recorded in a HAZOP log. On the basis of this modified HAZOP log, a method is developed to design the process alarm configuration and the critical alarm configuration that enable operators to identify the causes of deviations and to predict the hazardous events caused by critical process conditions. The developed method is explained through a case study of an HDS (Hydro Desulfurization) process. In the next section, the HDS process and the modified HAZOP log defined here are briefly explained. The design method for process alarms and critical alarms is then explained while performing the alarm design for the HDS process.

2. Problem Definition
[Figure 1: process flow diagram, not reproduced in text. Equipment shown: D-201 Feed Surge Drum; P-201A Feed Pump; E-201 Low Temperature Combined Feed Exchanger; E-203 High Temperature Combined Feed Exchanger; H-201 Reactor Charge Furnace; R-201 Reactor; E-202 Reactor Effluent-Stripper Feed Exchanger. Control loops: FIC-5201, FIC-5202, FIC-5203, PIC-5201, PIC-5203, LIC-5223, TIC-5227, TIC-5228, with valves FCV-5201A/B, FCV-5202A/B, FCV-5203, PCV-5054, PCV-5156, PCV-5203 and TCV-5227. Streams: Diesel, H2 Make-Up, From Recycle Gas Compressor, Fuel Gas, To Flare, To Stripper, To Sewer, To High Pressure Separator, From Stripper Feed-Bottom Exchanger.]

Figure 1 Process Flow Diagram of Hydro Desulfurization Process

In this study, the locations of all process alarms and critical alarms are to be decided on the basis of the HAZOP results, so it is assumed that no alarms have been designed yet. This means that the HAZOP study is performed on the PFD (Process Flow Diagram). Figure 1 shows the PFD of the HDS process around the reactor. The purpose of this process is to convert the organic sulfur in diesel oil to hydrogen sulfide and to remove it. Diesel oil is received in the Feed Surge Drum and, after gaseous and aqueous components are removed, is pumped up by the Feed Pump. The pressurized diesel oil is mixed with make-up and recycled hydrogen, and is heated by two heat exchangers and the Reactor Charge Furnace. The Reactor converts organic sulfur to hydrogen sulfide over a fixed-bed catalyst. The heat of the reactor effluent is recovered by three heat exchangers, and the effluent is fed to the High Pressure Separator. The HAZOP study is assumed to be performed on this PFD. To carry out a HAZOP study, the process is divided into several areas, called study nodes. The study node from the Feed Surge Drum to the Reactor feed oil line is taken as the scope of the alarm design here. A part of the modified HAZOP log sheet, as shown in Table 1, is applied.
Table 1 Modified HAZOP Log Sheet (study node: Feed Surge Drum to Reactor feed oil line; first potential cause only)

Potential cause No. 1: Mechanical failure of Feed Pump (P-201)
Deviation: No Flow

No. | Consequence | Intermediate deviation | Possible impact | Severity | M.A.R.T. 1)
1 | Level of Feed Surge Drum (D-201) rises and overflows. If inflow from upstream continues, there can be inflow to the flare line. Process malfunction occurs. | (1) Level of D-201 is high; (2) Overflow in D-201 and inflow to flare line | Process malfunction | Minor | Long
2 | Reverse flow to D-201 through the pump minimum-flow line. Hydrogen can also flow back to D-201. | Reverse flow through pump minimum-flow line | None | None | -
3 | Furnace tube is overheated because feed oil to the Reactor Charge Furnace tube (H-201) is lost and only hydrogen flows inside. If this continues for a long time, the tube ruptures and a fire breaks out inside H-201. | High temperature at H-201 tube | Tube rupture and fire inside H-201 | Severe | Short
4 | Desulfurization in the Reactor (R-201) stops because of lack of feed oil. | None | Desulfurization stopped | Minor | Insufficient
5 | Insufficient heat exchange in the Reactor Effluent-Stripper Feed Exchanger (E-202) causes a malfunction in the Stripper (outside this node). | Low temperature of feed flow to stripper | Process malfunction | Minor | Insufficient
6 | Level of High Pressure Separator lowers and process malfunction occurs. | Level of High Pressure Separator is low | Process malfunction | Minor | Immediate

1) M.A.R.T.: Maximum Available Response Time

A conventional HAZOP sheet records the description of potential causes and consequences, and the mitigation. In the modified HAZOP log sheet, the record of the recommended mitigation is eliminated, and the intermediate deviations and possible impacts are recorded explicitly so that the propagation of the abnormality can be considered in the design of process and critical alarms. Moreover, the severity of the possible impact and the Maximum Available Response Time (MART) for each consequence are recorded to take the operator response into account. The severity is categorized into four ranks, i.e. None, Minor, Major and Severe, and MART is also categorized into four ranks, i.e. Insufficient, Immediate, Short and Long. Table 1 lists only the consequences of the first potential cause; in total, eighteen potential causes are identified for the study node concerned, as shown in Table 2. The same HAZOP log format is applied to the remaining seventeen potential causes, but their sheets are omitted here. Based on the modified HAZOP log sheets for the PFD design, the process and critical alarms are to be designed.


Table 2 Possible Causes for Node from Feed Surge Drum to Reactor

No. | Description
1 | Mechanical failure of Feed Pump (P-201)
2 | Feed Surge Drum (D-201) level controller (LIC-5223) stops because of D-201 feed flow controller failure
3 | P-201 outlet flow control valve (FCV-5201A) failure
4 | P-201 outlet flow control valve (FCV-5201B) failure
5 | Bypass valve for start-up operation closed by mistake
6 | Air fin cooler partially plugged because of water injection failure stop
7 | Reactor (R-201) head plugged
8 | LIC-5223 controller failure and FCV-5201A/B close
9 | LIC-5223 controller failure or FCV-5201A bypass valve opened by mistake
10 | LIC-5223 controller failure or FCV-5201B bypass valve opened by mistake
11 | P-201A/B run simultaneously
12 | D-201 pressure regulation controller (PIC-5201) failure and pressure increased
13 | D-201 pressure regulation controller (PIC-5201) failure and pressure decreased
14 | R-201 feed temperature controller (TIC-5228) failure and fuel pressure regulation valve (PCV-5203) fully open
15 | High Temperature Combined Feed Exchanger (E-203) bypass three-way valve (TCV-5227) opened by mistake
16 | Air fin cooler (C-204) failure stop
17 | Reactor Charge Furnace (H-201) heat duty shortage
18 | Water incorporation into oil because of D-201 aqueous surface rise at boot

3. Alarm Design

3.1 Process Alarm Design
An initiating event creates an abnormal process condition, which propagates through the process. One initiating event would activate several process alarms, and one process alarm would be activated by several initiating events. Therefore, it is impossible to design each process alarm to identify the occurrence of one particular initiating event. However, in an operating plant, when an initiating event occurs, some process alarms are activated according to the propagation of the abnormal condition while others are not. A well-experienced operator identifies the cause of the abnormal process condition from this pattern of activated alarms. Consequently, designing consistent process alarms means configuring the alarms as a whole so that a different alarm set is activated for each initiating event. In this study, the following three steps are applied to design the process alarms.

(1) Enumerate the deviation and the intermediate deviations of process parameters for each potential cause. These deviations and intermediate deviations are analyzed in the HAZOP and recorded in the modified HAZOP log sheet, as shown in Table 1. These process parameters become the candidate process alarms.

(2) Assign priorities to the process parameters for each potential cause according to the propagation of the abnormal process condition. The process parameter closest to the initiating event has the highest priority. The priority of a given process parameter differs from one initiating event to another.

(3) Optimize the configuration of all process alarms so that a different alarm set is activated for each initiating event.
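The following Python example is added here as an illustration of step (3); it is not code from the paper. It works on a constructed fragment of a modified HAZOP log: the candidate alarm codes borrow the naming of Table 3, but the causes, the alarms each cause activates (directly or by propagation) and the extra candidate X are assumptions made for the example. It shows an exhaustive search for the smallest alarm subset under which every cause produces a different, non-empty activation pattern, a greedy alternative for larger nodes, and a collision check that lists the causes an operator could not tell apart under a given configuration.

```python
"""Step (3) of the process alarm design: pick alarm points so that every
potential cause activates a distinct alarm set.

Added illustration, not the paper's code.  All data below is constructed
for the example (codes follow Table 3 loosely; X is a hypothetical extra).
"""
from itertools import combinations

# Candidate alarm points from steps (1)-(2): code -> (location, variable).
CANDIDATES = {
    "A": ("Exit of P-201", "Low pressure"),
    "B": ("FCV-5201A line", "No flow"),
    "C": ("FCV-5201B line", "No flow"),
    "J": ("D-201", "High pressure"),
    "K": ("D-201", "Low pressure"),
    "L": ("Furnace exit line", "High temperature"),
    "X": ("Reactor feed line", "Low flow"),   # hypothetical candidate
}

# Modified HAZOP log fragment: potential cause -> candidate alarms it would
# activate, directly or through propagation (constructed data).
HAZOP_LOG = {
    "1 Pump P-201 failure":           {"A", "B", "C", "X"},
    "3 FCV-5201A failure":            {"B", "X"},
    "4 FCV-5201B failure":            {"C", "X"},
    "12 PIC-5201 pressure increased": {"J"},
    "13 PIC-5201 pressure decreased": {"K", "X"},
    "14 TIC-5228 failure":            {"L"},
}


def activation_pattern(alarm_set, log):
    """Map each cause to the frozenset of chosen alarms it activates."""
    return {cause: frozenset(set(alarm_set) & hits) for cause, hits in log.items()}


def collisions(alarm_set, log):
    """Groups of causes that look identical to the operator under alarm_set
    (causes that trigger no chosen alarm at all form one such group)."""
    by_pattern = {}
    for cause, pattern in activation_pattern(alarm_set, log).items():
        by_pattern.setdefault(pattern, []).append(cause)
    return [sorted(group) for group in by_pattern.values() if len(group) > 1]


def is_distinguishing(alarm_set, log):
    """True if every cause yields a different, non-empty activation pattern."""
    patterns = activation_pattern(alarm_set, log)
    if any(not p for p in patterns.values()):
        return False
    return len(set(patterns.values())) == len(patterns)


def minimal_distinguishing_set(candidates, log):
    """Exhaustive search, adequate for a node-sized problem: the smallest
    candidate subset that separates all causes, or None if none does."""
    codes = sorted(candidates)
    for k in range(1, len(codes) + 1):
        for subset in combinations(codes, k):
            chosen = frozenset(subset)
            if is_distinguishing(chosen, log):
                return chosen
    return None


def greedy_distinguishing_set(candidates, log):
    """Greedy alternative: repeatedly add the alarm that leaves the fewest
    confused cause pairs plus silent causes.  Cheap, but not always minimal."""
    chosen, remaining = set(), set(candidates)

    def residual(code):
        trial = chosen | {code}
        confused = sum(len(g) * (len(g) - 1) // 2 for g in collisions(trial, log))
        silent = sum(1 for p in activation_pattern(trial, log).values() if not p)
        return confused + silent

    while not is_distinguishing(chosen, log):
        if not remaining:
            return None   # the candidate set cannot separate all causes
        best = min(sorted(remaining), key=residual)
        chosen.add(best)
        remaining.remove(best)
    return frozenset(chosen)


if __name__ == "__main__":
    exact = minimal_distinguishing_set(CANDIDATES, HAZOP_LOG)
    greedy = greedy_distinguishing_set(CANDIDATES, HAZOP_LOG)
    print("exact  :", sorted(exact))
    print("greedy :", sorted(greedy))
    for cause, pattern in activation_pattern(exact, HAZOP_LOG).items():
        print(f"  {cause:32s} -> {sorted(pattern)}")
    # A configuration that leaves the operator unable to separate causes:
    print("collisions under A,J,L,X:", collisions({"A", "J", "L", "X"}, HAZOP_LOG))
```

On this toy log both searches return five alarms, but different ones (the exact search finds B, C, J, K, L; the greedy pass settles on B, C, J, L, X), which is the practical reason the paper lists MILP, evolutionary methods and trial and error as alternatives: the answer is rarely unique, and the final choice still has to respect the priorities assigned in step (2). The collision check is the piece worth keeping in any alarm rationalization workflow, since it turns "the operator will recognize the pattern" into a testable property of the configuration.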
Table 3 Result of Process Alarm Configuration

Code | Alarm location | Variable
A | Exit of P-201 | Low pressure
B | FCV-5201A line | No flow
C | FCV-5201B line | No flow
D | Start-up bypass | Flow detection
E | C-204 | Stop of water injection
F | Reactor (R-201) | Pressure difference high
G | FCV-5201A line | More flow
H | FCV-5201B line | More flow
I | Exit of P-201A | Flow detection
J | D-201 | High pressure
K | D-201 | Low pressure
L | Furnace exit line | High temperature
M | Bypass line exit at E-203 | High temperature
N | C-204 | High temperature
O | Furnace exit line | Low temperature
P | Boot interface at D-201 | Level high

The optimization problem of the third step is a so-called knapsack problem, and several approaches can be considered, i.e. mixed integer linear programming (MILP), evolutionary methods, and trial and error. In the HDS process case, we adopted the trial and error approach.

Table 4 Process Alarm Activation Pattern
[Matrix of potential causes 1 to 18 (rows) against alarms A to P (columns); the circle marks of the original table are not reproduced in text.]

The result of the process alarm design for the HDS process case is shown in Table 3. Sixteen alarms (A to P) are configured. These alarms are designed so that a different alarm set is activated for each initiating event, as shown in Table 4. Table 4 shows the activated alarms for each potential cause (1 to 18) by circles: open circles mark the alarms activated directly by the initiating event, and filled circles mark the alarms activated through the propagation of the abnormal process condition. The activation patterns of the potential causes are all different from one another. Therefore, it becomes possible to design the operator response that cancels the abnormal process condition.

3.2 Critical Alarm Design
The purpose of a critical alarm is to require an operator response even if the operator cannot identify the cause of the abnormal condition. To determine the critical alarm configuration, the necessity and feasibility of the operator response should be evaluated from the seriousness of the hazardous situation and the time margin for operator action. In this study, the priority of a critical alarm is defined as shown in Table 5 from the Severity and M.A.R.T. recorded in the modified HAZOP log sheet (Table 1). The priority is categorized into three levels, i.e. Emergency, High and Low.
Table 5 Critical Alarm Priority

Severity \ MART | Long | Short | Immediate | Insufficient
None | No Alarm | No Alarm | No Alarm | No Alarm
Minor | Low | Low | High | High
Major | Low | High | High | No Alarm, but SIS is necessary
Severe | High | Emergency | Emergency | No Alarm, but SIS is necessary

Table 6 Result of Critical Alarm Configuration

Code | Place | Parameter | Priority
a | D-201 | Level high | Low
b | D-201 | Level low | High
c | D-201 | Pressure high | Low
d | D-201 boot | Level high | Low
e | Feed Pump line | Pressure high | Low
f | Reactor Charge Furnace tube | Temperature high | Emergency
g | FCV-5201A line | More flow | High
h | FCV-5201B line | More flow | High
i | FCV-5201A line | Less flow | Low
j | FCV-5201B line | Less flow | Low
k | Reactor (R-201) | Pressure difference | Low
l | R-201 exit | Temperature high | Low
m | Reactor Charge Furnace tube | Temperature low | Low
n | D-202 | Level low | Low
o | Feed line to T-202 from E-202 | Temperature low | Low
p | Both lines of FCV-5201A/B | More flow | Low
q | Start-up bypass | Flow detection | Low
r | Exit of C-204 | Temperature high | Low


The priority of every consequence in the modified HAZOP log sheet is decided first, and then the location and the deviation of the process variable to be detected are designed. Basically, the intermediate deviation that directly leads to the possible impact is the preferred variable to detect; when there is no intermediate deviation, the process variable that would deviate from the normal process condition because of the initiating event should be selected instead. The resulting critical alarms for the HDS process case are shown in Table 6.

Conclusion
The safety of chemical process plants is provided through the design of Independent Protection Layers (IPLs). Process alarms and critical alarms correspond to the second and third layers of the IPLs, and the logic of their design affects the consistency of the overall IPL design. This study proposed a method to design the configuration of process and critical alarms on the basis of HAZOP results. In current engineering practice, process and critical alarms are designed for each individual hazard scenario captured in the HAZOP during the detailed engineering phase, and the number of alarm points grows inconsistently. To overcome this problem, we dissociate the mitigation information from the HAZOP log, and we develop a method to optimize a consistent set of alarm points from the alternatives by considering all hazard scenarios simultaneously. The proposed design method and its performance are illustrated through the case study of the HDS process around the reactor. It becomes possible to relate the process and critical alarms to the operator response, and to design the IPLs consistently.
REFERENCES
Center for Chemical Process Safety (CCPS), "Guidelines for Safety Automation of Chemical Processes," American Institute of Chemical Engineers, New York (1993).
Drake, Elisabeth M., "Determining Integrity Levels for Safety Interlock Systems," Center for Chemical Process Safety (CCPS) Proceedings of the International Symposium & Workshop on Process Safety Automation, American Institute of Chemical Engineers, Houston (1994).
Instrument Society of America (ISA), "Application of Safety Instrumented Systems to the Process Industries, ANSI/ISA-S84.01-1996," Instrument Society of America, North Carolina (1996).
Dowell, Arthur M., "Layer of Protection Analysis for Determining Safety Integrity Level," ISA Transactions, 37, pp. 155-165 (1998).
Chemical Industry Safety and Health Council of the Chemical Industries Association, "A Guide to Hazard and Operability Studies" (1981).
Hollifield, B. R. and E. Habibi, "Alarm Management: Seven Effective Methods for Optimum Performance," Instrument Society of America (2007).
