demand. 9 In HAZOPs, PSVs are sometimes credited as two or three layers of protection. When instrumented systems are used as the last line of defence, it is not uncommon to assign a SIL-3 requirement. Alternatively, a risk assessment based on client risk tolerances or other local jurisdiction requirements can be completed. For example, refer to the discussion in API-521 Section 4.2.6, and Annex E. 4 API-521 requires a risk review to be completed that considers failure of operator intervention. Therefore, a risk assessment via a HAZOP/LOPA would be appropriate to ensure the plan meets the required reliability.
A PSV is self-actuating and does not rely on external transmitters to act. However, in the case of an operator stationed at the PSV bypass, failure of several items would result in failure to identify or prevent the overpressure. For example:
• If a single DCS pressure transmitter were to be used to provide an alarm for the operator to act, it would typically be assigned a failure rate of one in 10 years in a HAZOP. Failure of that single transmitter would mean the operator was never alerted to act and would miss the opportunity to prevent the overpressure.
• Operator procedures, in the author’s experience, are sometimes assigned a one in 10-year failure rate. Failure to follow the procedure would itself result in failure of the mitigation.
• Failure of the bypass valve to fully open could result in failure of the mitigation. The bypass valve is not normally exercised/operated. It may only be operated once or twice every few years. Failure of the globe valve would not be immediately obvious to operations. This is considered a potential latent failure and it would not be considered double jeopardy to have a failed bypass valve at the same time as an unrelated overpressure upset.
When overpressure protection is provided by other means than a pressure safety valve, it is good design practice to ensure it is as reliable as a PSV.
If failures of the indicator, procedures, or the bypass valve are assumed independent, the probability of failure of operator intervention would be the sum of each probability and therefore would not be better than one in 10 years, which is not equivalent to a PSV. When viewing the likelihood of failure on demand, it is not appropriate to credit enabling conditions for the overpressure in a LOPA; it is assumed the upset has occurred, and the reliability of the operator to successfully prevent the overpressure is assessed. It is the author’s experience that operator intervention alone will not be sufficient to meet the same reliability as a PSV, and additional SIS systems would be required (which are designed to be full layers of protection against overpressure) as additional safeguards.
Figure 4 Example of columns
Consequences of operator failure
The consequences of the operator failing to mitigate the overpressure must also be considered as part of a risk assessment. In cases where the upset pressure is self-limiting, then little to no damage is typically presumed when the unmitigated maximum upset pressure does not exceed the corrected hydrotest pressure. However, not all jurisdictions allow such temporary pressure excursions. 9 Nor would a minor leakage at a flange of innocuous materials (such as tepid potable water) be considered a likely cause of fatality in a risk review. However, in cases of hazardous materials (such as H₂S, LPG, and other flammable/explosive materials), a minor release may lead to severe consequences. In cases where the maximum upset pressure without intervention is significantly higher than design pressures, vessel rupture can lead to multiple fatalities.
PSVs and bypasses are frequently located at the top of the vessel. Also, some owners will credit limited occupancy in the area during an upset when determining the required reliability of safeguards. There is no question that the operator is expected to be present during an upset and would typically be stationed at the top of the vessel. In this case, occupancy credit would not be appropriate.
Frequently, vessel PSVs are required to prevent overpressure during a pool fire at the base of the vessel. Having an operator trapped on top of a vessel during a pool fire would be a very serious situation, and the risk exists in day-to-day operations. As such, it is prudent to minimise the time an operator must spend atop a vessel. There is no viable escape route for an operator located on top of the vessel after opening the PSV bypass, particularly on tall towers (see Figure 4) with a pool fire below. This fact can sometimes be overlooked when sweeping plans of using operators at the bypass of all PSVs are established. It should be clear that this practice is not suitable for fire cases.
API-521 provides some alternatives for fire protection when a PSV cannot provide practical protection. These cases are sometimes considered when the vessel contents have high boiling points or are vapour filled, which results in excessively high relief temperatures. These alternative methods consist of fire monitors, deluges, automatic depressurisation, and so on. 4 If the risks are carefully measured, these might provide some reasonable protection
PTQ Q3 2022
www.digitalrefining.com