Originally issued: May 6, 2024
Author
Shaun Williamson, P.L.(Eng.), CFSE, FS Eng (TÜV Rheinland)
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
PHA Complete? Why not Put A Bowtie On It!
Upon completing a thorough Process Hazard Assessment (PHA), the question arises: how can we gain the most value from the rich information detailed in our risk assessment and communicate the risk effectively to our organization? Enter the bowtie diagram, a powerful tool that transforms abstract hazards into tangible insights. By capturing potential threats, their causes, and the preventive and mitigative measures in a single, elegant diagram, the bowtie lets management navigate the risk landscape with clarity and precision. Effective risk management entails more than identifying risks; it means painting a vivid picture of them, enabling informed decision-making and proactive risk management strategies. So, why settle for ambiguity when you can adorn your PHA with the clarity of a bowtie diagram?
Benefits of Bowtie Diagrams
Bowtie analysis can be conducted independently or following a PHA study, offering several key benefits:
Application in Risk Management
Bowtie diagrams are a highly effective means of visualizing risk, even for stakeholders with limited technical background. They support the identification and management of safety critical elements (SCEs), which is crucial for preventing major accidents. Having this information readily available in an easily understood format improves decision-making in risk management strategies. The bowtie risk analysis approach excels at considering multiple initiators and potential outcomes in a single graphic, focusing not only on preventive barriers but also on mitigative barriers or safeguards.
Application in Safety Critical Element Management
Once the bowtie diagram has been developed and represents the major barriers used to prevent or mitigate safety related hazards, these can be consolidated into a Safety Critical Element list. A smart bowtie will do more than just paint a pretty picture. It can be kept current to track the health of each barrier using different colours. For example, alarms used as barriers may not be considered effective until alarms have been rationalized, prioritized and an alarm management program is in place. Fire and gas detection may not be considered effective until detector and annunciator coverage has been verified. Other barriers may not be considered effective until open PHA recommendations affecting them are closed.
The bowtie can also be used to analyze the effects of unavailability of barrier(s) due to failure or maintenance. This risk analysis can support decision making for contingency planning and maintenance scheduling.
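The "smart bowtie" described above can be modelled as a small data structure: barriers on the threat side and the consequence side carry the conditions that decide whether they are creditable yet (alarms rationalized and an alarm management program in place, fire and gas coverage verified, no open PHA recommendations against them), and the same model answers the unavailability question by removing barriers that are failed or under maintenance. The following is an added illustration written for this page, not code from the article or from Watchmen; the barrier names, tag numbers and status rules are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, FrozenSet

# Assumed status rules, following the article: an alarm counts only once alarms are
# rationalized and an alarm management program exists; fire and gas detection counts
# only once coverage is verified; a barrier with an open PHA recommendation against
# it is not yet creditable; other barriers count once proof tested.


@dataclass
class Barrier:
    name: str
    kind: str                                      # "alarm", "fgs", "sis", "relief", "esd"
    conditions: Dict[str, object] = field(default_factory=dict)

    def is_effective(self) -> bool:
        c = self.conditions
        if c.get("open_pha_recommendations", 0) > 0:
            return False
        if self.kind == "alarm":
            return bool(c.get("rationalized")) and bool(c.get("alarm_management_program"))
        if self.kind == "fgs":
            return bool(c.get("coverage_verified"))
        return bool(c.get("proof_tested"))         # instrumented or mechanical barriers


@dataclass
class Bowtie:
    top_event: str
    threats: Dict[str, List[Barrier]]              # left side: preventive barriers per threat
    consequences: Dict[str, List[Barrier]]         # right side: mitigative barriers per consequence

    def barrier_health(self) -> Dict[str, str]:
        """Colour code for the diagram: green = creditable now, red = not yet."""
        colours = {}
        for barriers in list(self.threats.values()) + list(self.consequences.values()):
            for b in barriers:
                colours[b.name] = "green" if b.is_effective() else "red"
        return colours

    def unprotected(self, unavailable: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
        """Threat and consequence paths with no effective barrier left, treating the
        named barriers as out of service (failed or under maintenance)."""
        def covered(barriers: List[Barrier]) -> bool:
            return any(b.is_effective() and b.name not in unavailable for b in barriers)

        return {
            "threats": [t for t, bs in self.threats.items() if not covered(bs)],
            "consequences": [c for c, bs in self.consequences.items() if not covered(bs)],
        }


def example_bowtie() -> Bowtie:
    """Constructed bowtie for a hypothetical separator V-101; all tags are invented."""
    lah = Barrier("LAH-101 high level alarm", "alarm",
                  {"rationalized": True, "alarm_management_program": True})
    lshh = Barrier("LSHH-101 high level trip", "sis", {"proof_tested": True})
    psv = Barrier("PSV-101 relief valve", "relief", {"proof_tested": True})
    bdv = Barrier("BDV-101 emergency blowdown", "esd",
                  {"proof_tested": True, "open_pha_recommendations": 1})
    fgs = Barrier("F&G detection with ESD", "fgs", {"coverage_verified": False})
    return Bowtie(
        top_event="Loss of containment from V-101",
        threats={"Level control failure": [lah, lshh],
                 "Blocked outlet": [psv]},
        consequences={"Jet fire": [fgs, bdv],
                      "Toxic exposure": [fgs]},
    )


if __name__ == "__main__":
    bt = example_bowtie()
    print(bt.barrier_health())
    print(bt.unprotected())
    # Maintenance planning: what is exposed if both level barriers are out together?
    print(bt.unprotected(frozenset({"LAH-101 high level alarm", "LSHH-101 high level trip"})))
```

In the constructed case the threat side is fully covered, but both mitigative barriers for the jet fire consequence are red (unverified detector coverage, an open recommendation on the blowdown), which is exactly the kind of gap a coloured bowtie makes visible to management. Taking the high level trip out for maintenance alone leaves the alarm covering the threat; taking both out exposes the "Level control failure" path.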
Summary
In summary, incorporating a bowtie diagram after completing a PHA enhances risk visualization and supports effective risk management strategies. The clarity and simplicity of bowtie diagrams empower organizations to identify and manage safety critical elements, ensuring proactive risk mitigation. So, why settle for ambiguity? Go ahead and put a bowtie on your PHA for enhanced clarity and informed decision-making.
Originally issued: May 24, 2024
Authors
Richard Carter, P.Eng., F.S. Eng. (TÜV Rheinland)
Senior Functional Safety Engineer
Carsten Acker, P.L.(Eng.), F.S. Eng (TÜV Rheinland), CFSE, CSP
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
This Article is part 1 of an 8 Part Series.
Process Hazards Analysis (PHA) studies, such as HAZOP, What-If or LOPA, are an essential part of an effective Process Safety Management system, but it is easy to end up with an inadequate analysis and a false sense of security. Identifying potentially hazardous events, and ensuring that there are adequate safeguards in place to prevent the unthinkable from happening, is a critical step in keeping people safe and preventing costly downtime and repairs. Unfortunately, however, these same safeguards contain traps that are easy to fall into in a PHA session, resulting in ineffective safeguards, lack of redundancy, and a much greater risk gap than intended. This can ultimately lead to catastrophic consequences.
This article series will discuss the characteristics and requirements of a safeguard in the context of PHA, and will address detailed considerations for the following common categories of safeguards that are relied upon in PHAs to keep people, the environment and equipment safe:
· Alarms and interlocks
· High-integrity interlocks (SIS and HIPPS)
· Pressure relief devices (PSVs, PVSVs, rupture discs)
· Operator rounds
· Fire and gas detection
· Occupancy factor modifiers (not considered a safeguard, but often utilized as such by PHA teams).
This series will provide practical guidelines for each of these types of safeguards, and for safeguards as a whole, that can be used for any process or system to improve the quality of a PHA to better identify the true risk of the system. This will assist in making improved risk decisions that can reduce economic impacts, prevent harm to environment, and save lives.
To ensure that the safeguards being relied upon in a PHA are effective and dependable, it is first important to discuss the required attributes of any safeguard. This article will discuss the requirements that every risk mitigation method must meet in order to be considered as a sufficiently reliable safeguard in a PHA.
The first distinction to draw is the difference between “safeguards” and “normal controls”. These are often conflated in PHA, which can cause confusion in a PHA and lead to a compromised safeguarding strategy.
Normal controls are those functions that are required to keep the system running in its normal operating state. These controls usually make frequent adjustments to keep the process parameters within their intended operating limits. In many cases, they can be modified with little oversight, such as when an operator changes the setpoint of a control loop or alarm. If one of these controls fails, it normally causes a process upset or puts the system in a potentially hazardous situation, such as a level control valve malfunctioning closed and causing high level in a vessel.
An example of a normal control is an electronically-controlled pressure control valve, or the accelerator and brake pedals of a car. Note that, as in the case of the car’s pedals, it is not necessary for the control to be operating at all times to count as a normal control. If it is used frequently and is required to keep the system operating within its intended operating limit, it is considered a normal control.
Safeguards, on the other hand, do not normally act during normal operation. They are only required to act when a process parameter deviates outside the intended operating limits. Because of this, a failure of a safeguard is only identified either during a proof test, or when the safeguard is required to act in a potentially unsafe situation.
An example of a safeguard is a pressure safety valve, or a car airbag. The pressure safety valve is held closed by a spring, and is intended to open if the pressure in the system is dangerously high, but the rest of the time there is no indication of whether the PSV will work as intended unless it is tested. A car airbag system is not intended to be in use except in the event of a collision, and in fact may cause a hazardous event if it activates during normal operation.
There are a number of factors which are not normally considered safeguards by themselves, but which support the normal controls and safeguard items. These factors may affect the likelihood of a cause or the reliability of a safeguard, but by themselves they do not take action to prevent hazardous situations from occurring. They are normally assumed to be in place when describing a failure and a consequence; however, any deficiency in these categories may adversely affect the likelihood of a hazardous event, or the efficacy of a safeguard, and therefore must be considered as part of the analysis of causes, consequences and safeguards.
Training and certification – a certain level of training, certification and competency must be assumed for every individual that interacts with the process during design, construction, operation and decommissioning.
Design to codes and standards – in most cases a baseline assumption can be made that the system is designed to applicable codes and standards. If any deficiencies or deviations are found, they must be addressed, but designing to codes and standards is not a safeguard by itself.
Operating and maintenance procedures – As part of the difference between normal controls and safeguards, normal operating and maintenance procedures are assumed to be followed, unless it is known otherwise. A robust program for ensuring that these procedures are followed as intended can adjust the likelihood of a scenario caused by human factors, but is not a safeguard.
Normal testing and inspection – Similar to operating and maintenance procedures, normal testing and inspection can influence the frequency or likelihood of a scenario, or the reliability of a safeguard.
Preventive maintenance – these are activities required to keep the equipment functioning as it is intended, and therefore will affect the likelihood that such equipment malfunctions. This may affect the likelihood of a scenario or the reliability of a safeguard.
Signage – Signs are not considered safeguards, as they can easily be obscured, ignored, or misinterpreted. Furthermore, individuals will become familiar with signs they see often and will stop noticing them.
PPE (Personal Protective Equipment) – The baseline set of PPE to be worn for a task should be considered in the potential hazard to personnel in a hazardous event. However, as the last line of defense against harm to a person, PPE is not intended to be relied upon to prevent injury. Furthermore, it is rarely highly reliable; for example, hazardous materials can enter the eyes around the edges of safety glasses, and serious injuries and fatalities from fires have been inflicted on workers wearing fire-retardant clothing.
Emergency response – An emergency response plan (ERP) is required for safe operations in most scenarios; however, as the last line of defense, it is implemented once a significantly hazardous event is already underway, and therefore it is not appropriate to consider it a safeguard. By the time an ERP is enacted, significant damage or injury has usually already occurred, and the ERP is designed to limit the extent of this damage or injury, not to prevent it outright.
Time – The duration of the window between the inciting incident and the hazardous consequence may provide an opportunity for an automatic or manual response, but it does not prevent the event by itself and is therefore not a safeguard.
In order to be relied upon, each safeguard must meet certain criteria that are intended to confirm that the safeguard will be available and effective when required to act. The following four criteria are commonly used:
· Independent of the cause and other safeguards.
· Specific to the hazardous scenario.
· Dependable to provide the risk reduction required and to take the system to a safe state.
· Auditable to verify that it is ready to act.
These categories are explored further below.
One of the most commonly overlooked requirements of a safeguard is that it is independent of whatever may cause the scenario in which the safeguard is required to act, and independent of other safeguards that are intended to protect against the same scenario. In other words, there must be no common-cause event that would result in the scenario occurring and also prevent the safeguard acting, and no common-cause failure that would prevent the safeguard in question from acting correctly and also prevent any other safeguards acting correctly if they are intended to prevent the same hazardous scenario occurring.
Independence between cause and safeguard
If the event that causes the demand on the safeguard also prevents the safeguard from acting correctly, the safeguard is not adequately independent and therefore cannot be relied upon. For example, if a control function and an automated shutdown both take their input from the same sensing element then a malfunction of the sensing element, or error in the signal from the element, may cause an incorrect control action and, at the same time, prevent the safeguard from acting.
There are many industry incident examples of insufficient independence of a safeguard allowing a hazardous scenario to occur. As one example, the fatal liquid nitrogen release at the Foundation Food Group facility in Gainesville, GA was, in part, caused by insufficient independence between the control system measurement and the safeguard. In this incident, a liquid-nitrogen bath freezer had a level control system that measured the level in the bath with a bubbler tube instrument. The high nitrogen level automatic shutdown also took its input reading from this instrument. At some point, the tube became bent such that the end of the tube (normally immersed in the liquid) was protruding above the maximum liquid nitrogen level height in the bath. This resulted in the control system detecting no level in the bath, which caused an overflow into the surrounding room and ultimately resulted in six fatalities. The high level shutdown, which took its input from the same instrument, also did not activate, because the instrument did not detect any level in the bath. The bent bubbler tube therefore caused an incorrect control action and, at the same time, prevented the safeguard from acting correctly.
Independence between safeguards
If there is a potential failure or event which could cause multiple safeguards to fail to act correctly for a scenario, only one of the safeguards can be considered to be adequately independent. For example, if there are two independent automated shutdown commands that are intended to prevent the same hazardous scenario, but they both take the same action such as closing the same emergency shutdown valve, there is likely to be insufficient independence because both actions rely on closing the same valve.[1] If the emergency shutdown valve fails to act as required, neither shutdown command will succeed. The same approach is used for alarms with human response; if a trained operator receives one alarm they may be able to adequately respond and prevent the hazardous scenario. If the same operator receives multiple alarms for the same event, however, they will not be able to respond to multiple alarms at the same time, and many alarms may even obscure the real process condition resulting in a higher likelihood of incorrect response from the operator.
A safeguard must be intended to prevent the hazardous scenario that is under review. This may seem obvious, however there are many cases where operators of a process must rely on indirect information to identify a potential hazardous scenario, or a safeguard is relied upon for a different reason than it was intended.
For example, in a distillation system the temperature and pressure of the process are closely interlinked, and therefore if there is a known issue with measurement of one of these variables the operators may rely on the other and infer the value they cannot measure. There are potential scenarios, however, in which the process does not behave as expected and this inference is wrong, so a high temperature action cannot be relied upon on its own to identify a high pressure situation, and vice versa. When identifying safeguards in a PHA, it is important to ensure that each safeguard is intended to identify and protect against the specific scenario in question.
The safeguard must be dependable to perform its action and take the system to a safe state. This includes consideration that the safeguard will indeed take the system to a safe state when it functions correctly, and that it is sufficiently reliable that it can be reasonably expected to perform correctly.
If the safeguard is later found to be less reliable or effective than it was previously expected to be, the relevant portion(s) of the PHA must be revalidated to ensure that adequate safeguarding is provided, given the reduced efficacy of the safeguard in question.
The Dependable criterion may be defeated in the event that either the safeguard will not take the system to a safe state, or the safeguard is not reliable enough for the demands of the scenario in question.
It is also important to consider whether the safeguard, performing its function as intended, will introduce any new hazards that would not otherwise be present. If a safeguard activating may cause another hazardous scenario, it is necessary to either ensure there is adequate protection against that scenario or, preferably, alter or replace the safeguard such that the system is taken to a safe state by the safeguard and no new hazards are created.
An example of a safeguard that introduces a new hazard is a pressure/vacuum relief valve (PVRV), also known as a pressure/vacuum safety valve, on an atmospheric-pressure storage tank that contains flammable gas. If the pressure in the tank falls below the ambient air pressure there is the potential for the tank to implode due to the vacuum created, and the PVRV prevents this vacuum by allowing atmospheric air to enter the tank. However, this causes a new hazard by introducing oxygen to a flammable hydrocarbon gas environment, with the resultant potential for fire or explosion in the system. This new hazard must be also controlled for.
Finally, the potential for personnel working with the system to bypass or disable the safeguard must be considered. For example, an operator might disable an alarm because it activates often when not required to, creating an unnecessary distraction. While this may be a good decision for safe operation of the facility, it means that the alarm cannot be considered a dependable safeguard in a PHA. Where a safeguard is considered necessary to control the risk, controls must be put in place to prevent it being bypassed or disabled; at the same time, care must be taken to avoid introducing alarms and shutdowns that create nuisance interruptions for operators.
In qualitative assessments such as Hazard and Operability (HAZOP) studies, it is generally considered that a minimum threshold of dependability of 90% must be reached in order to consider the safeguard dependable. This means that the safeguard will take the system to a safe state at least nine out of ten times that it is required to act.
All safeguards, whether equipment or administrative processes, degrade over time and require maintenance and investment to maintain adequate reliability and functionality. A key part of this maintenance is auditing the safeguard to verify that, if it is required to act, it will perform its function effectively and with adequate reliability. This may include proof testing, calibration, verification, periodic replacement, and other checks or activities that provide assurance that the safeguard's reliability and function are maintained to an adequate level. The auditing process proves that the other safeguard criteria are being maintained. This process must be documented and verified to ensure it is meeting the requirements of the process in question.
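The four criteria (independent, specific, dependable, auditable) can be applied mechanically to a safeguard register, which is useful for catching the shared-component pattern described in the Foundation Food Group discussion above and the shared-final-element case from the independence-between-safeguards section. The code below is an added illustration for this page, not from the article or Watchmen: the tags, PFD figures and test intervals are constructed, the 0.10 PFD ceiling is the 90% dependability threshold the article quotes for qualitative studies, and "first creditable safeguard keeps the shared component" is an assumed tie-breaking rule rather than anything the article prescribes.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# 90% dependability threshold from the article: probability of failure on demand <= 0.10
MAX_PFD = 0.10


@dataclass
class Scenario:
    name: str
    cause_components: Set[str]      # items whose failure initiates the scenario


@dataclass
class Safeguard:
    name: str
    protects: Set[str]              # scenarios it is designed to detect and act on
    components: Set[str]            # sensors, logic, final elements, people it relies on
    pfd: float                      # probability of failure on demand
    proof_test_interval_days: int
    days_since_proof_test: int
    reaches_safe_state: bool = True


def evaluate(scenario: Scenario, safeguards: List[Safeguard]) -> Dict[str, List[str]]:
    """Return, per safeguard, the criteria it fails for this scenario (empty = creditable).
    Safeguards are taken in list order: when two share a component, the first creditable
    one keeps the credit and the later one fails independence (assumed rule)."""
    credited: Set[str] = set()
    report: Dict[str, List[str]] = {}
    for sg in safeguards:
        failed = []
        if sg.components & scenario.cause_components:
            failed.append("independent (shares component with cause)")
        if sg.components & credited:
            failed.append("independent (shares component with credited safeguard)")
        if scenario.name not in sg.protects:
            failed.append("specific")
        if not sg.reaches_safe_state or sg.pfd > MAX_PFD:
            failed.append("dependable")
        if sg.days_since_proof_test > sg.proof_test_interval_days:
            failed.append("auditable")
        report[sg.name] = failed
        if not failed:
            credited |= sg.components
    return report


def example() -> Dict[str, List[str]]:
    """Constructed register modelled on the shared-instrument pattern in the article.
    All tags and numbers are invented; the level control loop reads LT-1."""
    scenario = "Liquid nitrogen overflow from bath"
    overflow = Scenario(scenario, cause_components={"LT-1 bubbler tube"})
    safeguards = [
        Safeguard("High level trip on LT-1", {scenario},
                  {"LT-1 bubbler tube", "PLC-1", "XV-1 nitrogen supply valve"}, 0.05, 365, 100),
        Safeguard("High level trip on LSH-2", {scenario},
                  {"LSH-2 float switch", "SIS-1", "XV-1 nitrogen supply valve"}, 0.05, 365, 100),
        Safeguard("Low room temperature trip", {scenario},
                  {"TSL-3", "SIS-1", "XV-1 nitrogen supply valve"}, 0.05, 365, 100),
        Safeguard("Oxygen depletion alarm, operator closes HV-4", {scenario},
                  {"AT-5 oxygen monitor", "operator", "HV-4 manual valve"}, 0.10, 365, 400),
        Safeguard("High bath pressure alarm", {"Bath overpressure"},
                  {"PT-6", "operator"}, 0.10, 365, 30),
    ]
    return evaluate(overflow, safeguards)


if __name__ == "__main__":
    for name, failed in example().items():
        print(f"{name}: {'creditable' if not failed else ', '.join(failed)}")
```

Running the constructed case credits only the float-switch trip: the trip on LT-1 shares the bubbler tube with the cause, the room temperature trip shares the logic solver and supply valve with the already-credited trip, the oxygen alarm is overdue for proof test, and the bath pressure alarm addresses a different scenario.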
References
Center for Chemical Process Safety. Layer of Protection Analysis: Simplified Process Risk Assessment. American Institute of Chemical Engineers, 2001.
Center for Chemical Process Safety. Guidelines for Initiating Events and Independent Protection Layers in Layers of Protection Analysis. John Wiley & Sons, 2015.
US Chemical Safety and Hazard Investigation Board. Fatal Liquid Nitrogen Release at Foundation Food Group: Investigation Report. https://www.csb.gov/file.aspx?DocumentId=6268. December 2023. Accessed December 2023.
International Electrotechnical Commission. IEC 61511-1 Functional Safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements. Edition 2.1, August 2017.
[1] There are some cases where an analysis of the reliability of each component of a safeguard, and the overall reliability of the safeguard, is warranted to identify requirements for adequate independence to reach the desired risk reduction. However, for many processes it is sufficient for the operating company to set standard minimum requirements for independence of safeguards instead of analyzing each on a case-by-case basis.
Originally issued: Feb. 21, 2025
Author
Richard Carter, P.Eng., F.S. Eng. (TÜV Rheinland)
Senior Functional Safety Engineer
This Article is part 2 of an 8 Part Series.
Many PHAs rely heavily on alarms and interlocks as safeguards. Alarms notify operators when a process variable exceeds safe limits, allowing them to take corrective action, while interlocks automatically intervene to prevent harm or damage.
To align with the key safeguard criteria discussed in this series, these safeguards must incorporate the following considerations.
Detection and Action
Every alarm and interlock must include both a detection and an action component. If a hazardous event is not detected, the safeguard cannot bring the system to a safe state. Likewise, if no action is taken—or if the action fails to prevent the scenario—the alarm or interlock is ineffective.
Independence
Like all safeguards, alarms and interlocks must be sufficiently independent from both the initiating cause and other safeguards. However, ensuring adequate independence can be challenging. As highlighted in the previous article on the Foundation Food Group incident—which resulted in multiple fatalities due to exposure—the bubbler tube instrument served as a single point of failure for both the liquid nitrogen bath level control and the overflow shutoff interlock.
The level of independence required depends on the specific scenario, control system architecture, and the operating company’s standards and philosophy. However, common-cause failures should generally be avoided. For two interlocks to qualify as independent safeguards for the same scenario, they must not share components with each other or with the initiating cause—unless the probability of failure is low enough to maintain the safeguard’s reliability.
Access Control
The ability to modify equipment, programming, and setpoints for alarms and interlocks must be appropriately controlled to prevent changes—whether intentional or unintentional—that compromise their reliability and effectiveness.
For example, operators may need the flexibility to adjust alarm setpoints based on operational needs. However, if an alarm is set too high or too low, it may fail to provide adequate warning, reducing the time available for a proper response to a hazardous event. Additionally, alarms that activate frequently—even when the system is operating normally—can become distractions. These "spurious alarms" may lead operators to bypass or disable them, undermining their intended function.
If a safety-critical alarm becomes a nuisance, a Management of Change (MOC) process must be followed to either resolve the issue or reassess the safeguarding strategy. This ensures that any hazardous events linked to the alarm remain adequately mitigated, even if the alarm is modified or removed.
Correct Setpoint
The setpoint of an alarm or interlock must be determined based on both the design and operation of the process. For example, a high-temperature interlock should be set below the equipment’s design temperature to ensure adequate protection. Other influencing factors—such as material interactions, upstream and downstream system dynamics, and connected utilities—must also be considered to ensure the safeguard effectively prevents hazards.
In an overpressure protection system, a common approach is to implement a high-pressure shutdown, with a pressure relief device serving as a backup if the shutdown fails. In such cases, the shutdown setpoint must be low enough to activate before the relief device is needed. If the shutdown cannot prevent overpressure without the relief device intervening, then the relief device becomes the sole safeguard.
Many organizations adopt standardized high-pressure shutdown setpoints, such as 90% of the PSV (Pressure Safety Valve) setpoint. However, this generic approach may not account for the system’s specific dynamics. Instead, each case should be evaluated based on process safety time and system response to ensure the shutdown effectively halts pressure escalation before reaching the PSV setpoint.
Adequate Process Safety Time
The setpoint of an alarm or interlock must allow sufficient process safety time for the operator or system to take action and prevent a hazardous event. If there is not enough time for a human or automated response, the incident will occur before mitigation can take effect, meaning the action does not qualify as a safeguard.
For interlocks, response time requirements can often be defined, but quick activation may introduce additional risks. For example, rapidly closing an emergency shutdown valve on a liquid pipeline could create a transient overpressure hazard.
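The point about generic "90% of PSV setpoint" shutdown setpoints and process safety time can be checked numerically once the pressure rise rate and the end-to-end response time of the shutdown (or, for an alarm, the operator's detection, diagnosis and action time) are known. What follows is an added worked example for this page, not code from the article or Watchmen; it assumes a linear pressure rise after the initiating event, and the PSV setpoint, rise rates and 25 s response time are constructed figures.

```python
from dataclasses import dataclass


@dataclass
class PressureRiseCase:
    """Simplified linear pressure rise after the initiating event (an assumption for
    illustration; real transients are usually non-linear and need process modelling)."""
    rise_rate_kpa_s: float      # how fast pressure climbs once the cause occurs
    response_time_s: float      # detection + logic + final element travel for an interlock,
                                # or detection + operator diagnosis + action for an alarm


def process_safety_time(setpoint: float, limit: float, rise_rate_kpa_s: float) -> float:
    """Seconds between the trip or alarm point being reached and the limit being reached."""
    return (limit - setpoint) / rise_rate_kpa_s


def pressure_when_action_takes_effect(setpoint: float, case: PressureRiseCase) -> float:
    return setpoint + case.rise_rate_kpa_s * case.response_time_s


def shutdown_prevents_relief(setpoint: float, psv_set: float, case: PressureRiseCase) -> bool:
    """True if the shutdown completes before the relief device setpoint is reached, so the
    PSV remains a backup rather than becoming the sole safeguard."""
    return pressure_when_action_takes_effect(setpoint, case) < psv_set


def highest_adequate_setpoint(psv_set: float, case: PressureRiseCase) -> float:
    """Setpoint at which the action would complete exactly at the PSV setpoint; the real
    setpoint must sit below this and above the normal operating pressure."""
    return psv_set - case.rise_rate_kpa_s * case.response_time_s


GENERIC_RULE = 0.90     # the "90% of PSV setpoint" rule of thumb quoted in the article


def assess(psv_set: float, case: PressureRiseCase) -> dict:
    """Compare the generic rule against the dynamics of a specific case."""
    sp = GENERIC_RULE * psv_set
    return {
        "generic_setpoint_kpag": sp,
        "process_safety_time_s": process_safety_time(sp, psv_set, case.rise_rate_kpa_s),
        "pressure_at_action_kpag": pressure_when_action_takes_effect(sp, case),
        "generic_rule_adequate": shutdown_prevents_relief(sp, psv_set, case),
        "highest_adequate_setpoint_kpag": highest_adequate_setpoint(psv_set, case),
    }


if __name__ == "__main__":
    # Constructed cases: PSV set at 1000 kPag; shutdown loop takes 25 s end to end.
    fast = PressureRiseCase(rise_rate_kpa_s=5.0, response_time_s=25.0)   # high inflow, blocked outlet
    slow = PressureRiseCase(rise_rate_kpa_s=0.5, response_time_s=25.0)
    print("fast case:", assess(1000.0, fast))
    print("slow case:", assess(1000.0, slow))
```

For the slow case the generic 900 kPag setpoint leaves 200 s of process safety time and the action completes at 912.5 kPag. For the fast case the same setpoint gives only 20 s against a 25 s response, pressure reaches 1025 kPag before the valve is closed, the PSV lifts, and the shutdown cannot be credited as a separate safeguard; the setpoint would have to be below 875 kPag. The rapid-closure transient mentioned above for liquid lines is not modelled here and would need a separate surge analysis.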
For alarms, determining adequate process safety time must account for:
Alarm Specific Considerations
In addition to the considerations above, the following factors must be addressed for each alarm safeguard.
Operator Identification of Issue and Response
Operators must be reasonably expected to correctly identify the issue and determine the appropriate action to prevent an incident. This consideration directly impacts process safety time—the shorter the response window, the greater the stress on the operator, increasing the likelihood of errors.
Additionally, for an alarm to function as a safeguard rather than just a notification, the operator must have a viable action to take. This action must not introduce additional risks to personnel, as seen in the 2019 KMCO Chemical Facility incident in Crosby, Texas. In that case, a flammable isobutane vapor release could not be remotely isolated, forcing operators to enter the hazardous area wearing SCBA (self-contained breathing apparatus) to attempt manual intervention. The resulting ignition led to one fatality and two severe burn injuries.
To be effective, safeguards must provide clear, actionable responses that do not expose personnel to unnecessary danger.
Avoid Alarm Flooding
Alarm flooding is a common issue in large facilities where operators receive an excessive number of alarms, making it difficult to identify and respond to critical ones. When alarms frequently activate without requiring action, important alarms requiring operator intervention can become lost in the noise. The extent of alarm flooding in a system directly impacts the reliability of any alarm safeguard within that system.
To address this, an alarm rationalization study should be conducted to filter out non-essential alarms, ensuring only critical information is relayed to operators. Each alarm should also be assigned an appropriate level of criticality to prioritize responses effectively.
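An alarm rationalization study usually starts from the alarm journal: how often the system floods, which tags generate most of the noise, and whether any safety-critical alarms arrived inside a flood where they could have been missed. The following is an added example for this page, not code from the article or Watchmen. The journal lines are constructed, and the "10 alarms in 10 minutes" flood threshold is an assumption (a widely used industry figure; the article itself gives no number).

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed alarm journal extract (not from any real plant): timestamp, tag, priority.
SAMPLE_JOURNAL = """\
2025-03-01 09:15:02 TAH-120 LOW
2025-03-01 09:42:10 LAL-230 LOW
2025-03-01 10:00:03 FAL-205 LOW
2025-03-01 10:00:09 FAL-205 LOW
2025-03-01 10:00:14 FAL-205 LOW
2025-03-01 10:00:20 FAL-205 LOW
2025-03-01 10:00:31 PAH-101 HIGH
2025-03-01 10:00:45 TAH-120 LOW
2025-03-01 10:01:02 FAL-205 LOW
2025-03-01 10:01:15 LAH-101 HIGH
2025-03-01 10:01:40 PAHH-101 CRITICAL
2025-03-01 10:02:05 FAL-205 LOW
2025-03-01 10:02:33 TAH-120 LOW
2025-03-01 10:03:10 XA-300 LOW
2025-03-01 11:20:00 LAL-230 LOW
"""

Event = Tuple[datetime, str, str]          # (time, tag, priority)

FLOOD_WINDOW = timedelta(minutes=10)
FLOOD_THRESHOLD = 10                       # assumed "10 alarms in 10 minutes" flood figure


def parse_alarm_journal(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, tag, priority = line.split()
        events.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), tag, priority))
    return sorted(events)


def flood_periods(events: List[Event], window=FLOOD_WINDOW, threshold=FLOOD_THRESHOLD):
    """Every window starting at an alarm that holds >= threshold alarms is a flood;
    overlapping windows are merged. Returns (start, end, alarm count) per period."""
    periods = []
    n = len(events)
    for i in range(n):
        start = events[i][0]
        j = i
        while j + 1 < n and events[j + 1][0] - start < window:
            j += 1
        if j - i + 1 >= threshold:
            end = events[j][0]
            if periods and start <= periods[-1][1]:
                periods[-1] = (periods[-1][0], max(periods[-1][1], end))
            else:
                periods.append((start, end))
    return [(s, e, sum(1 for t, _, _ in events if s <= t <= e)) for s, e in periods]


def bad_actors(events: List[Event], top: int = 3):
    """Tags producing the most alarms: the first candidates for rationalization."""
    return Counter(tag for _, tag, _ in events).most_common(top)


def critical_alarms_in_floods(events: List[Event], periods) -> List[str]:
    """Safety-critical alarms that arrived inside a flood and may have been lost in the noise."""
    return [tag for t, tag, pr in events
            if pr == "CRITICAL" and any(s <= t <= e for s, e, _ in periods)]


if __name__ == "__main__":
    ev = parse_alarm_journal(SAMPLE_JOURNAL)
    floods = flood_periods(ev)
    print("flood periods:", floods)
    print("bad actors:", bad_actors(ev))
    print("critical alarms during floods:", critical_alarms_in_floods(ev, floods))
```

On the constructed journal one flood of 12 alarms is found, a single chattering low-flow tag accounts for half of it, and a critical high-high pressure alarm arrived in the middle of that flood; that combination is the case the article warns about, where the alarm that actually requires operator intervention cannot be relied on as a safeguard until the nuisance alarms are dealt with.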
Response May Exacerbate the Problem
When relying on human analysis and response, it is essential to acknowledge that human error is inevitable. Even highly trained and experienced individuals can make mistakes, act on incomplete information, make incorrect assumptions, or draw faulty conclusions. The likelihood of error increases under stress, with insufficient training or experience, or when operators lack access to necessary information. In some cases, human intervention may even worsen a situation.
A notable example is the ethylene fire at Kuraray America’s ethylene and vinyl alcohol facility in Pasadena, Texas, in May 2018. An ethylene release led to a large fire, injuring 23 workers, some severely. The U.S. Chemical Safety Board (CSB) investigation identified inadequate operator training as a contributing factor. Operators lacked the knowledge needed to respond effectively to process alarms, and the CSB concluded that proper training and procedures could have helped prevent the incident.
To mitigate this risk, facilities should implement comprehensive operator training programs, including scenario-based drills, clear alarm response procedures, and regular competency assessments. Additionally, human factors engineering should be considered in alarm and safeguard design to minimize reliance on human decision-making under pressure.
References
Center for Chemical Process Safety. Layer of Protection Analysis: Simplified Process Risk Assessment. American Institute of Chemical Engineers, 2001.
Center for Chemical Process Safety. Guidelines for Initiating Events and Independent Protection Layers in Layers of Protection Analysis. John Wiley & Sons, 2015.
US Chemical Safety and Hazard Investigation Board. Fatal Equipment Rupture, Explosion, and Fire at the KMCO Chemical Facility: Investigation Report. https://www.csb.gov/file.aspx?DocumentId=6265. December 2023. Accessed December 2023.
US Chemical Safety and Hazard Investigation Board. Ethylene Release and Fire at Kuraray America, Inc. EVAL Plant: Investigation Report. https://www.csb.gov/file.aspx?DocumentId=6204. December 2022. Accessed February 2023.
International Electrotechnical Commission. IEC 61511-1 Functional Safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements. Edition 2.1, August 2017.
Originally issued: March 7, 2025
Author
Richard Carter, P.Eng., F.S. Eng. (TÜV Rheinland)
Senior Functional Safety Engineer
This Article is part 3 of an 8 Part Series.
Pressure relief devices such as Pressure Safety Valves (PSVs), Pressure/Vacuum Safety Valves (PVSVs) and Rupture Discs (RDs) are all types of mechanical devices that are designed to prevent excessive pressure, or in some cases vacuum, from causing damage to equipment and loss of containment.
To support the main safeguard criteria previously discussed in this series, these safeguards must include the following considerations.
Sizing Basis
Each instance of potential overpressure or vacuum will result in a maximum required capacity of the relief device, based on how much gas or liquid must be allowed into or out of the system in order to prevent damage. In order to be considered a safeguard for a given scenario, the pressure relief device must have sufficient capacity for that specific scenario. For example, a vessel with a PSV installed that is designed for fire case may not be protected against excessive flow from an upstream source, unless the PSV sizing calculations specifically include this scenario as a consideration.
Correct Setpoint
The setpoint of the relief device must consider the design pressure of all equipment and piping that the device protects, and any surplus pressure that the equipment will be exposed to at full relief. For example, most PSVs are designed such that they begin to open at the setpoint pressure, and are fully open when the pressure is 10% above the setpoint. This means that the connected system will be exposed to 110% of the setpoint pressure, which may exceed the safe limits of the system.
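The sizing basis and setpoint checks above lend themselves to a simple register review: for each scenario the PHA wants to credit the device for, confirm the scenario is in the device's sizing basis and within its rated capacity, and for each protected item confirm that neither the set pressure nor the pressure at full lift exceeds its design pressure. This is an added example for this page, not code from the article or Watchmen; the tags, pressures and capacities are constructed, and the 10% full-lift overpressure is taken from the article's description of most PSVs.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProtectedItem:
    tag: str
    design_pressure_kpag: float


@dataclass
class ReliefDevice:
    tag: str
    set_pressure_kpag: float
    rated_capacity_kg_h: float
    overpressure_fraction: float = 0.10     # fully open at 10% above set pressure
    # Required relief rate per scenario actually covered by the sizing calculation.
    sizing_basis_kg_h: Dict[str, float] = field(default_factory=dict)

    def max_relieving_pressure(self) -> float:
        """Pressure the connected system sees at full relief (rounded to avoid float noise)."""
        return round(self.set_pressure_kpag * (1.0 + self.overpressure_fraction), 3)


def review(device: ReliefDevice, protected: List[ProtectedItem],
           credited: Dict[str, float]) -> dict:
    """credited: every scenario the PHA takes credit for -> required relief rate in kg/h.
    Returns the findings a PHA team needs before relying on the device."""
    mrp = device.max_relieving_pressure()
    return {
        "max_relieving_pressure_kpag": mrp,
        "set_above_design": [p.tag for p in protected
                             if device.set_pressure_kpag > p.design_pressure_kpag],
        "overpressured_at_full_lift": [p.tag for p in protected
                                       if mrp > p.design_pressure_kpag],
        "not_in_sizing_basis": [s for s in credited if s not in device.sizing_basis_kg_h],
        "capacity_short": [s for s, rate in credited.items()
                           if rate > device.rated_capacity_kg_h],
    }


def example() -> dict:
    """Constructed case: PSV-101 protects a vessel and a downstream exchanger."""
    psv = ReliefDevice("PSV-101", set_pressure_kpag=1000.0, rated_capacity_kg_h=7000.0,
                       sizing_basis_kg_h={"External fire": 4000.0, "Blocked outlet": 6500.0})
    protected = [ProtectedItem("V-101", 1100.0), ProtectedItem("E-102", 1050.0)]
    # Scenarios the PHA team wants to credit the PSV for, with required rates.
    credited = {"External fire": 4000.0, "Blocked outlet": 6500.0,
                "Control valve fails open": 9000.0}
    return review(psv, protected, credited)


if __name__ == "__main__":
    for finding, value in example().items():
        print(f"{finding}: {value}")
```

In the constructed case the set pressure itself is acceptable for both items, but at full lift the system reaches 1100 kPag, above the exchanger's design pressure, and the control-valve-fails-open scenario is neither in the sizing basis nor within the rated capacity, so the PSV cannot be credited for it without a revised sizing calculation.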
Testing and Maintenance
As with all safeguards, pressure relief devices must be tested and maintained to ensure that they can be relied upon to provide the required reliability when called upon to act. In addition, any components that are considered in the sizing basis calculations for the device must also be maintained adequately. For example, if a restriction orifice or check valve is considered in the sizing basis calculations for the relief device, then that component is a critical part of ensuring that the relief device has adequate capacity to protect the system, and it must therefore be maintained to a standard that reflects that criticality.
Potential Failure Mechanisms
Depending on the process characteristics, a pressure relief device may be susceptible to plugging, fouling, corrosion, freezing, or other mechanisms that can prevent the safeguard from performing its function correctly. This may reduce the amount of reliability that can be placed on the safeguard, and in some cases may prevent it from being considered a safeguard at all. Many organizations do not have specific criteria for what is considered “clean service” for a pressure relief device. The operating company must therefore confirm that the device is, or will be, clean and free of these failure mechanisms, or else take less or no credit for the device as a safeguard.
If a pressure relief device that was previously expected not to be affected by these mechanisms is later found to have been compromised by them, the relevant hazardous scenarios must be reviewed to ensure that adequate safeguarding is provided given the reduced reliability of the relief device.
Safe Relief Location
Each pressure relief device must direct gas or liquid away from the system that is experiencing overpressure, towards an alternate location. In some cases this destination location is a flare or vent system, in which case the system must be designed to accept the maximum flowrate that it can be expected to receive in order to be considered a safe location. If a vent is directed towards the atmosphere, it must be directed such that it does not pose a hazard to personnel, equipment or the environment from kinetic energy or toxic effects, and there are no credible concerns of ignition of flammable materials.
In the case of the 2018 Kuraray America fire previously discussed in this series, an overpressure scenario was relieved by an emergency pressure-relief system. This system directed the ethylene through vent piping that was horizontally directed toward an area where personnel were performing welding and other maintenance. The CSB concluded that, if the outlet piping had been directed to a safe location such as vertically upward, the impact of the scenario would likely have been limited.
References
Center for Chemical Process Safety. Layer of Protection Analysis: Simplified Process Risk Assessment. American Institute of Chemical Engineers, 2001.
Center for Chemical Process Safety. Guidelines for Initiating Events and Independent Protection Layers in Layers of Protection Analysis. John Wiley & Sons, 2015.
US Chemical Safety and Hazard Investigation Board. Ethylene Release and Fire at Kuraray America, Inc. EVAL Plant: Investigation Report. https://www.csb.gov/file.aspx?DocumentId=6204. December 2022. Accessed February 2023.
International Electrotechnical Commission. IEC 61511-1 Functional Safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements. Edition 2.1, August 2017.