
• Consider reducing the trip setpoint

• Relax allowed pressure rise (e.g. design pressure + 15%)

• Optimise process modelling of pressure rise (e.g. including hold-up time of full inventory of piping instead of just vessel)

• Model shutdown valve movement (when the SIF operates, as the valve closes, it will start to restrict the flow)

3.3 Redesign the process to make the hazard development slower

There are numerous possible ways in which the speed of hazard development could be slowed. This could include installing a “surge dampening vessel” or, in the case of the riser de-packing hazard, this could be a speed limitation on the choke valve (the too-quick opening of which was the initiating event). This could be the gearing on the handle for a manual valve, or the speed of operation possible for an actuated choke. The maximum opening speed needs to be reduced to such a level that the calculated Process Safety Time can be achieved by the reactive SIF designed.

3.4 Redesign the process to eliminate the hazard

A process re-design could be to implement an inherently safe design by removing the HP/LP interface by fully rating downstream equipment. Less expensive options could include the provision of additional Independent Protection Layers which are able to reduce risk down to the tolerable target level. These could include:

• Fit a restriction orifice to limit flow to within relief system capacity (and thus take credit for the relief system as an IPL)

• Fit check valves to prevent backflow (e.g. 2 dissimilar check valves)

• Change valve mechanical locking philosophy to prevent hazard

3.5 Prevent the hazard (reduce the risk) by mechanical locking of valves

If the operation of a manual on/off valve is the initiating event, prevention may only be possible via a mechanical means such as locking of valves in open/closed positions or key interlocking solutions. An inhibit SIF cannot be designed to prevent the operation of a manually operated valve.

In other cases, even when the Initiating Event is a remote operation through the control system, and therefore an Inhibit SIF is under consideration, a change to the locking procedures for manual valves could prevent the hazard. This solution was applied to one of the Cargo Pump scenarios (see 1.3.2), via the lock open of cross-over valves on the suction side to remove the overpressure scenario.

HAZOPs may consider the mal-operation of locked valves as not being credible. Even IEC61511 refers to only considering hazards “under all reasonably foreseeable circumstances…and reasonably foreseeable misuse”. But no protection layer is either 100% reliable or completely resistant to abuse; a LO/LC valve is not a fool-proof solution. CCPS [7] and other sources suggest finite values for risk reduction possible from LO/LC valves plus procedure. Key interlocking systems are often seen as having a higher reliability.

Applying a mechanical solution to eliminate the need for an Instrumented Function takes us