HOW TO ASSESS SAFETY AND PROTECTION LAYERS

March 19, 2020
Amin Almasi

Amin Almasi is a senior rotating equipment consultant in Australia. He is a chartered professional engineer with Engineers Australia and IMechE and a registered professional engineer in Australia and Queensland (M.Sc. and B.Sc. in mechanical engineering). He specializes in rotating equipment, condition monitoring and reliability.

There are various ways to assess safety as well as a variety of layers of protection available for turbomachinery. A safety issue with a 100 kW centrifugal water pump may have limited consequences. However, a safety incident with a 25 MW turbocompressor operated at 100 Barg for gas could lead to extensive damage.

In most situations, safety is best achieved by developing an inherently safe design. If necessary, this may be combined with a protective system to address residual risks.

Protective systems rely on different technologies including mechanical, hydraulic, pneumatic, electrical, electronic and programmable electronic. Nowadays, it is possible to achieve excellent safety and reliability levels for all types of turbomachinery.

Therefore, more protective systems and safety devices in the form of trips and alarms, emergency isolation valves, fire protection systems and gas detectors should be considered for critical turbomachinery.

Various levels of safety should be considered. The first layer depends on the materials and chemicals being used. It is best to stick to low-risk material where possible.

The second layer of safety is related to operating conditions. Take the case of a heater for a turbomachinery package where there may be a risk of fire or explosion. If a steam heater would raise the temperature above 150°C, an inherently safer configuration is an electrical heater operated at a temperature below 100°C.

The third layer of safety addresses structural and mechanical details. It is the engineer’s job to specify the parts, components and properties, such as strength, corrosion allowance, materials of construction and pressure ratings.

The fourth layer of safety is control. In the absence of good control, high pressures, high temperatures or other deviations may be experienced. With effective control in place, the control system will normally be able to cope with all transients, malfunctions and emergencies. It is rare that pressure, temperature or other parameters reach the alarm stage.


The fifth layer of safety concerns passive safety devices. These are devices that do not rely on an actuation system, electronics or motor. They include relief valves and bursting discs, for example.

The sixth layer of safety includes powered or active safety devices, such as suppression systems and safety shutdown systems. These instrumented systems should be carefully assessed as they contain many parts.

A failure of any one component means the whole system has failed. Such systems should be used only when needed. In other words, the sixth layer of safety should be resorted to only when the lower layers cannot offer sufficient protection.

Engineers should also be aware of the safety integrity level (SIL) system. It expresses the relative level of risk reduction provided by a safety function. In simple terms, SIL is a measure of the performance required of a safety instrumented function.

If the preceding layers offer a good degree of safety when compared to the targeted degree of risk reduction, the safety trip or safety action does not usually need to have a high SIL rating. A SIL assessment looks at the design as a whole to decide if there is a residual risk to be covered by the safety instrumented system.

Layer of protection analysis

A layer of protection analysis (LOPA) is a study of residual risk used to set the requirements for safety-critical instrument loops. LOPA studies estimate how often the initiating event occurs and the probability that every layer acting against it fails on the same demand, leading to the unwanted event.

There has been a tendency to rely on published data and calculations for such studies rather than knowledge derived directly from operators and experts. The knowledge and experience of those who know the specifics of the turbomachinery package under study are important. It is better to combine published data with expert data to avoid LOPA becoming a complex academic calculation.

Surge protection for a turbocompressor, for example, should be assured by an anti-surge system. This is a safety instrumented system that includes sensors and specially actuated (fast-acting) anti-surge valve(s). If one element fails, the entire anti-surge system fails. High integrity and reliability are needed for each element and for the entire system. A high SIL rating is required.
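The LOPA arithmetic described above, and the series-chain behaviour of the anti-surge loop, can be made concrete in a few lines. This is an added illustration, not calculation from the article or from any real unit: the initiating-event frequency, the PFDs credited to the existing layers, the tolerable frequency and the element PFDs of the loop are all constructed values, and the SIL bands are the standard low-demand bands from IEC 61508/61511.

```python
from math import prod

# Low-demand SIL bands (IEC 61508 / IEC 61511): (SIL, PFDavg lower bound, upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def mitigated_frequency(initiating_freq, ipl_pfds):
    """Event frequency (per year) once every existing independent protection
    layer (IPL) is credited: the unwanted event needs all of them to fail on
    the same demand, so their PFDs multiply."""
    return initiating_freq * prod(ipl_pfds)


def required_pfd(initiating_freq, ipl_pfds, tolerable_freq):
    """PFDavg the safety instrumented function (SIF) must reach so that the
    mitigated frequency comes down to the tolerable target."""
    return tolerable_freq / mitigated_frequency(initiating_freq, ipl_pfds)


def sil_for_pfd(pfd):
    """Map a required PFDavg to a SIL; 0 means the lower layers already
    cover the risk and no SIL-rated trip is needed."""
    if pfd >= 0.1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    raise ValueError("target below the SIL 4 range: change the design, do not rely on a SIF")


def loop_pfd(element_pfds):
    """PFDavg of a single-channel loop (sensor, logic solver, final element in
    series): the loop has failed as soon as any one element has failed."""
    return 1 - prod(1 - p for p in element_pfds)


# Constructed anti-surge scenario (illustrative numbers only).
INITIATING_FREQ = 0.5        # upsets that drive the compressor toward surge, per year
EXISTING_IPLS = [0.1, 0.1]   # basic recycle control; alarm plus operator action
TOLERABLE_FREQ = 1e-6        # tolerable frequency of a damaging surge, per year
LOOP_ELEMENTS = [5e-4, 1e-5, 2e-4]  # transmitter, logic solver, fast-acting valve

if __name__ == "__main__":
    target = required_pfd(INITIATING_FREQ, EXISTING_IPLS, TOLERABLE_FREQ)
    achieved = loop_pfd(LOOP_ELEMENTS)
    print(f"required PFDavg {target:.1e} -> SIL {sil_for_pfd(target)}")
    print(f"single-channel loop PFDavg {achieved:.1e}, "
          f"{'meets' if achieved <= target else 'misses'} the target")
```

With these constructed numbers the LOPA calls for SIL 3, yet the single-channel loop lands at roughly 7e-4 and misses the 2e-4 target: sitting inside the SIL 3 band is not the same as delivering the risk reduction the LOPA demands, and the transmitter and valve dominate the loop's failure probability.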