
11th International TÜV Rheinland Symposium

Functional Safety in Industrial Applications


May 13-14, 2014, Cologne, Germany

Sujith Panikkar
Yokogawa Electric International Pte Ltd, Singapore

Preventing Spurious Trips in the Chemical Process Plant:
The Role of Functional Safety Management
(German title: Avoiding Unwanted Shutdowns in Chemical Plants: The Role of Functional Safety Management)

Introduction: Spurious trips

Spurious trips are the consequential outcome of spurious operation of the safety function,
which puts the EUC (or part thereof) into a safe state.
Spurious trips may result in partial or total shutdown of plant and equipment.
While spurious trips are deemed safe, they are undesirable from a plant operations
perspective because of the business interruption and the consequent losses.
Chemical industry plant owners and operators are increasingly concerned about
spurious trips or safe failures and their impact on safety.

Necessity to address spurious trips: Safety impact

Global trend: larger plants and integrated petrochemical complexes involving:
- a chain of process plants, driven by economies of scale
- increased interconnections between process units, which create additional safety
dependencies
- emphasis on smooth and optimized safe operation
- e.g. a spurious trip of common facilities causing a total plant shutdown
A spurious trip in a process plant involves downtime and a re-start-up phase to bring
the plant back into normal operation.
- The shutdown and start-up phases involve non-routine plant operations, which
represent an elevated hazard level and contribute largely to safety incidents.
Recent incidents include:
- BP Texas refinery (March 2005)
- Tesoro Anacortes, Washington refinery (April 2010)
A process trip and re-start of operations involves thermal and mechanical stress on
piping and equipment, which affects safety in the longer term.

Factors affecting: Stress, corrosion, fatigue

From the HSE Ageing Plant Study Phase 1 report:
Across Europe, between 1980 and 2006, there have been 96 major accident potential
loss of containment incidents reported in the EU Major Accident Database (MARS)
which are estimated to have been primarily caused by ageing plant mechanisms.
This represents 30% of all reported major accident loss of containment events in the
MARS database, and 50% of the technical integrity and control and instrumentation
related events.
These ageing events equate to an overall loss of 11 lives, 183 injuries and over
€170 million of economic loss, demonstrating the significant extent and impact of
ageing plant related failures on safety and business performance.

Case example: Stress, corrosion, fatigue

Case example: Tesoro Anacortes, Washington refinery incident of 2010
- Start-up of a Naphtha Hydrotreater unit heat exchanger after maintenance
- Operating conditions: 630-710 °F, 590 psig
Incident:
- Catastrophic rupture of the heat exchanger
- Release of hydrogen and naphtha, fire and explosion, 7 fatalities
Findings (excerpts from the US CSB investigation report):
- Inadequate attention to corrosion hazards in PHAs
- The heat exchangers were severely weakened by a long-term damage mechanism
known as HTHA (high temperature hydrogen attack), which causes fissures and
cracking
- Process data indicated that the exchanger tube outlet temperature increased 75 °F in a
span of 3 minutes prior to the rupture
- In addition to the increased mechanical stress from the start-up of the heat
exchangers, this momentary temperature increase appears to have been
sufficient to cause the actual material strength of one critically weakened heat
exchanger to be exceeded, rupturing the heat exchanger at its weakest point

Case example: Stress, corrosion, fatigue

Case example: Delayed coker plant incident in 2009
- Fractionator column bottom pump discharge line
- Operating conditions: 370 °C, 60 kg/cm²
- 4 inch pipeline, including bends, made of alloy steel (5 Cr-Mo)
Incident:
- Rupture of a bend resulting in release of hot liquid
- Fire and explosion
- 2 fatalities
Investigation and root cause analysis, from inspection and measurement records:
- The thickness of the bend had eroded by over 50% in about 5 years (8.9 mm in 2001 to
4.3 mm in 2006) and a replacement had been recommended.

Degradation mechanisms and equipment life assessment

J. Moubray proposed the potential failure (P-F) diagram as a basis for Reliability
Centered Maintenance.

[Figure: P-F diagram, annotated "Increasing impact of spurious trips"]

Spurious trips occurring as piping and equipment approach end of life increase
the likelihood of triggering failure and consequential hazards and incidents.

Degradation mechanisms and equipment life assessment

Spurious trips have a longer term safety impact due to:
- Aging, corrosion
- Erosion in pipelines
- Thermo-mechanical stress, fatigue
In most processing plants, a large percentage (80-90%) of the total unit risk is
concentrated in a relatively small percentage (10-20%) of the equipment.
Industry is increasingly adopting risk based integrity management programs for plant
and assets, which include:
- Systematic study and equipment lifetime assessment for corrosion, erosion, aging and
fatigue in the specific plant environment and processes
- Guidance available from international standards and recommended practices
such as API RP 571 (Damage Mechanisms Affecting Fixed Equipment in the
Refining Industry), API RP 939C (Guidelines for Avoiding Sulfidation (Sulfidic)
Corrosion Failures in Oil Refineries), etc.
- API 581 Appendix G: tables providing notional corrosion rates for the assessment
of corrosion risk and risk-based inspection

Spurious trips: Causal factors

Causal factors leading to spurious trips of the SIS include:
- Safe failures in the SIS hardware (element, subsystem or system): initiators,
logic solver and interfaces, final elements, and associated equipment such as power
supplies
- Failure of safety communications (e.g. inter-system trips)
- Failure of time synchronization in the safety communication network
- Systematic failures from design and modifications
- Errors introduced during maintenance
- False demands (not real process demands)
- Human error in operations

Efforts in quantitative treatment

Spurious or safe failure of safety related elements, SFF: the standards emphasise
a high SFF, which implies that a large fraction of the failures of a safety related element
are safe failures.
IEC 61508-4 cl. 3.6.8 defines a safe failure as: failure of an element and/or subsystem and/or system that plays a part in
implementing the safety function that:
a) results in the spurious operation of the safety function to put the EUC (or part thereof) into a safe state or
maintain a safe state; or
b) increases the probability of the spurious operation of the safety function to put the EUC (or part thereof) into a
safe state or maintain a safe state.

Mary Ann Lundteigen and Marvin Rausand (Reliability Engineering and System Safety,
Volume 94, 2009) have described why safe failures are not always positive for safety.
Illustration based on a SIF architecture with type B components, HFT=0 (low demand):


Efforts in quantitative treatment

In this context, SIF designs may tolerate a high safe failure rate regardless of the SIL
design target.

IEC 61511 cl. 10.3.1, SIS safety requirements: these shall be sufficient to design the SIS and shall
include the following: the maximum allowable spurious trip rate.


Qualitative approach: Importance

Measures are required to assess and control the factors affecting spurious trips in each phase
of the safety lifecycle.
Systematic failures: design with the objective of spurious trip avoidance.
Human failures:
- Training and competence
- Establish and continuously improve procedures for start-up, shutdown, operation
and maintenance
- Independent verification and reviews
- A system to compile lessons learnt and share knowledge systematically
Evaluate spurious trips and identify spurious trip rate design targets at the
analysis phase.
IEC 61508-4 cl. 3.4.6 / IEC 61511, NOTE 1: Redundancy is used primarily to improve reliability
(probability of functioning properly over a given period of time) or availability (probability
of functioning at a given instant). It may also be used in order to minimize spurious actions
through architectures such as 2oo3.
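As an added illustration of the quantitative treatment above and of the 2oo3 redundancy note (this code is not from the original presentation), the Python below compares SFF, PFD_avg and spurious trip rate across 1oo1, 1oo2, 2oo2 and 2oo3 voting using simplified koon formulas for identical, independent channels. The failure rates, proof test interval and MTTR are constructed values, and the formulas neglect common-cause failures, so the output is for relative comparison of architectures only.

```python
# Added example (not from the paper): compare the safe failure fraction,
# PFD_avg and spurious trip rate (STR) of common koon voting groups.
# Simplified formulas for identical, independent channels (assumption):
# common-cause failures and partial proof tests are ignored, so the
# numbers are for relative comparison of architectures only.
from math import factorial

HOURS_PER_YEAR = 8760.0

def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF: share of all element failures that are safe or dangerous-detected."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total

def pfd_avg_koon(k, n, lam_du, proof_test_h):
    """Average PFD of a koon group; n-k+1 DU failures defeat the function."""
    coeff = factorial(n) / (factorial(n - k + 2) * factorial(k - 1))
    return coeff * (lam_du * proof_test_h) ** (n - k + 1)

def str_koon(k, n, lam_s, mttr_h):
    """Spurious trip rate (1/h): k channels must fail safe within one MTTR."""
    coeff = factorial(n) / factorial(n - k)       # orderings of the k failures
    return coeff * lam_s ** k * mttr_h ** (k - 1)

def compare_architectures(lam_sd, lam_su, lam_dd, lam_du, proof_test_h, mttr_h):
    """Return {voting: (PFD_avg, spurious trips per year)}."""
    lam_s = lam_sd + lam_su
    result = {}
    for name, k, n in (("1oo1", 1, 1), ("1oo2", 1, 2), ("2oo2", 2, 2), ("2oo3", 2, 3)):
        pfd = pfd_avg_koon(k, n, lam_du, proof_test_h)
        trips = str_koon(k, n, lam_s, mttr_h) * HOURS_PER_YEAR
        result[name] = (pfd, trips)
    return result

if __name__ == "__main__":
    # Constructed channel data (failures per hour) for a "high SFF" element.
    rates = dict(lam_sd=4e-6, lam_su=1e-6, lam_dd=3e-6, lam_du=0.5e-6)
    print(f"SFF = {safe_failure_fraction(**rates):.2f}")
    table = compare_architectures(**rates, proof_test_h=8760.0, mttr_h=8.0)
    for arch, (pfd, trips) in table.items():
        print(f"{arch}: PFD_avg={pfd:.2e}  spurious trips/year={trips:.2e}")
```

With these inputs the element has an SFF of about 0.94, yet 1oo2 doubles the spurious trip rate of a single channel, while 2oo3 keeps a PFD of the same order as 1oo2 and cuts the spurious trip rate by several orders of magnitude.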


Avoidance

A rigorous approach based on Functional Safety Management for the avoidance of
spurious trips is necessary to ensure safety in the longer term.
Controlling the factors affecting spurious trip rates in the various safety lifecycle phases:
- Risk analysis: include the study of spurious trips and their consequences.
IEC 61511-1 cl. 10.3 SIS safety requirements, 10.3.1: These requirements shall be sufficient
to design the SIS and shall include the following:
- a definition of any individually safe process states which, when occurring
concurrently, create a separate hazard (for example, overload of emergency
storage, multiple relief to flare system);


[Figure: safety lifecycle phases: Concept; Overall scope definition; Hazard and risk analysis; Overall safety requirements; Safety requirements allocation]

SIS response to safe failures

SIS actions can be calibrated for detected faults, depending on the consequences
analysed and the current operating state of the plant:
- Safe shutdown: a shutdown action can be initiated directly, or
- Delayed shutdown actions making use of time delays and filters, subject to process
safety time constraints
- Alarm and operator action, with the plant placed in a state of heightened
operational safety alert, followed by a time-delayed shutdown by the SIS
upon expiry of the MTTR if the failures are not repaired in time
- Safe ramp-down: a diagnostic annunciation along with a time delay based on the
MTTR, during which the system can be restored or the process can be ramped
down by external means (e.g. manually or via the BPCS) to a safe
state. After expiry of the time delay, if the fault still exists, a shutdown action can be
initiated.
The actions required on detected safe faults must be planned from the analysis phase.
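As an added example, not from the original presentation, the Python below implements the timed response described above as a small state machine: an alarm on a detected safe fault, a repair window capped by both the MTTR and a process safety time margin, and a shutdown only if the fault persists when the window expires. The two consequence classes ("high" trips immediately, "low" gets the timed response) and the PST cap are assumptions; the diagnostic samples are constructed.

```python
# Added example (not from the paper): a degraded-mode timer for a detected
# safe fault, following the response options on this slide: annunciate, grant
# a repair window bounded by the MTTR and by a process safety time (PST) margin,
# and trip only if the fault persists. Consequence classes and PST cap assumed.
from dataclasses import dataclass

@dataclass
class FaultPolicy:
    consequence: str   # "high": trip at once; "low": alarm, then timed trip
    mttr_h: float      # repair allowance for the faulted element (hours)
    pst_h: float       # process safety time margin that caps the delay (hours)

class SafeFaultResponder:
    def __init__(self, policy):
        self.policy = policy
        self.state = "NORMAL"          # NORMAL -> ALERT -> SHUTDOWN
        self.deadline_h = None
        self.log = []

    def tick(self, now_h, fault_present):
        """Advance to time now_h with the current diagnostic status; return state."""
        if self.state == "SHUTDOWN":
            return self.state           # latched until a deliberate reset
        if not fault_present:
            if self.state == "ALERT":
                self.log.append((now_h, "fault repaired, alert withdrawn"))
            self.state, self.deadline_h = "NORMAL", None
        elif self.state == "NORMAL":
            if self.policy.consequence == "high":
                self.state = "SHUTDOWN"
                self.log.append((now_h, "detected fault, immediate safe shutdown"))
            else:
                # Delay granted before tripping is never longer than the PST margin.
                self.deadline_h = now_h + min(self.policy.mttr_h, self.policy.pst_h)
                self.state = "ALERT"
                self.log.append((now_h, f"alarm, repair before t={self.deadline_h:.1f} h"))
        elif now_h >= self.deadline_h:
            self.state = "SHUTDOWN"
            self.log.append((now_h, "repair window expired, timed shutdown"))
        return self.state

def run_scenario(policy, samples):
    """samples: constructed (time_h, fault_present) diagnostic readings."""
    responder = SafeFaultResponder(policy)
    for t, fault in samples:
        responder.tick(t, fault)
    return responder.state, responder.log
```

A fault that is cleared before the deadline returns the responder to NORMAL with the alert withdrawn, so only an unrepaired fault ever produces the trip.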


Conclusions

Holistic design approach: view safety beyond the sum of the SIFs. Design the
overall control and safety system architecture with the specific intent of spurious trip
avoidance and optimized operations to meet longer term safety objectives.
- Evaluate spurious trips and their consequences during the hazard and risk
analysis.
- Plan SIS actions on detected faults based on the ultimate consequences.
- An approach based on a combination of quantitative and qualitative factors is called
for in order to assess and control spurious trip rates.
- Apart from economic considerations, estimation of erosion, corrosion and aging, and life
assessment of piping and equipment, can be used to evolve spurious trip rate
targets.


Quis custodiet ipsos custodes? (Who will guard the guards themselves?)
