Is your staff prepared to handle a process interruption? Would their quick and correct action save the day or miss the mark? Your plant is equipped with the tools you need to keep your process in control. Understanding what they are telling you is important.

Apply your knowledge of your process and its instrumentation to avoid predictable hazards.
On July 24, 1994, around 8 a.m., an electrical storm affected the power system at the Milford Haven oil refinery in the United Kingdom. In the hours following, operators tried to keep the cracker running, aided by signals from the plant instrumentation system and VDU displays.

At 1:23 p.m, some 20 metric tons of liquid hydrocarbon burst through a pipe leading to the flare stack, forming a vapor cloud and exploding. Twenty-six people suffered minor injuries, and a van just missed entering an area that became enveloped in the fireball. Had it not been Sunday, multiple deaths would have occurred in the plant, and injuries would have occurred in an area two miles away where shop windows were blown in.

Repairs were estimated in excess of $80 million and loss of production at several times that amount. An inquiry by the U.K. Health and Safety Executive revealed that the incident could have been prevented - had the operators diagnosed that the debutaniser outlet valve was stuck closed. However, signal outputs in the control room wrongly indicated it had opened. Other flow signals implied it was closed, but the operators failed to identify the inconsistency. This was due, in part, to the fact that while a number of detailed graphics for individual sections of the plant were provided, there were no overviews of the complete process. Alarms were coming in every two or three seconds, being cancelled by operators and adding to their information overload. During the investigation, out of 39 instrument loops, 24 were found faulty - a significant contributor to the causes of the incident.

As disasters go, this was a small one, but its lessons prompt us to look at practices and specific techniques applicable to the process cooling workplace.

"I could have told you something like that was going to happen." This could be you talking, whether from management, engineering, procurement, plant design and manufacture, process technology, maintenance, production or plant operations. Any one of you could be in the line of fire when the coroner asks, "Do you talk to each other? Did you report your concern?"

Transparency is vital at all levels of the operation - including cooperation of all of the above-mentioned personnel during specification, design, documentation, construction and startup. The Milford Haven plant now has an $800,000 process simulator to train operators and give them hands-on experience about how the plant feels and responds in normal - and abnormal - situations.

Your part in plant safety:

  • Make sure that your instrumentation provides both an overview and detailed information about the plant's operating condition.

  • Carry out regular checks and maintenance on all control loops and safety-critical instrumentation.

  • Have access to layout and schematic drawings and descriptions of wiring, equipment and piping with identification of plant items. Use them to evaluate the control and safety implications.

  • Place identification labels on indicators, controls, internal cabinet wiring, terminals, piping and components. Labeling should include such simple matters as which switch position is "off" and which way is "increase" on manual controls.

  • Put in place procedures and priority rankings to be observed when responding to plant alarms and off-normal events.

  • Post stickers on cabinets and plant items showing manufacturer's or outside supplier's service phone numbers.
I'll try to be specific by referring to some well-used techniques and examples. This involves applying your knowledge of your process, its instrumentation and monitoring to the challenge of heading off predictable hazards. While the examples below concentrate on temperature, the principles apply equally to other variables such as pressure, flow or level. I'll start with sensors.

Temperature Sensor Location

Ensure that your thermocouples or RTDs are located where they can "see" the required temperature, e.g., in the product or medium, not on a vessel or pipe surface. Ensure that the wiring is sound. A misplaced or pulled-out-of-place sensor, or one whose wiring is shorted, can lead to overheating or overcooling of the process.

Broken Temperature Sensor

In a heating process, you want a broken (open-circuit) sensor to make your controller default to a high reading or "broken sensor" message and turn the heat off. This is sometimes called "upscale burnout." Controllers normally comes configured this way.

But, cooling processes may require a broken sensor to default to an extreme low reading and some predefined percentage of full cool action. This is called "downscale burnout." It also is used to heat trace an outdoor pipe or a vessel that must not be allowed to cool off. If a downscale burnout controller is used, be sure that the controller is properly configured, labeled and not mixed with upscale burnout controllers.

Reversed Thermocouple

Thermocouple wires often are crossed when a process is being rewired or commissioned. This would give the controller indication a severe downscale error on a heated process and a severe upscale error on a chilled process. Some controllers are designed to recognize this as an unrealistic temperature and default to power off or to the level you specify.

Replacing Thermocouples

Some plants have a mixture of different sensors. It is easy to take a Type J thermocouple off the spares shelf and install it where a Type T came out. This would make the controller drive the temperature up or down past your setpoint while indicating falsely that the process is at the required temperature. Identify and label spare thermocouples and controllers by sensor type to prevent improper replacement.

You must analyze the failure modes in any alarm, interlock or shutdown chain for loss of protection.

Control and Alarm Options

Be-sides the control output, a controller can have extra relay or logic outputs that can be configured as high, low, deviation high, deviation low or deviation band alarms (deviation, that is, from the working setpoint). The usual convention is to have the relay or logic signal drop out in the alarm condition. This often is defined as "fail-safe" because bad relay contacts and broken wires will give a false alarm - reckoned to be preferable to an unrevealed alarm which the opposite logic would suffer. However, before you rely too much on the term "fail safe," you must thoroughly analyze the failure modes in any alarm, interlock or shutdown chain for loss of protection. For vital under- or overtemperature protection, remember that a defective controller could lie, so do not depend on the alarm circuit in the controller. Instead, provide an independent second opinion in the form of a separate alarm instrument or module on its own dedicated thermocouple or RTD.

If you are to trust your picture of the plant, you must pick up indications of plant condition directly from the parameter you want to monitor - not by inference from other outputs such as the percentage output display on a controller or from a 4 to 20 mA output signal.