The vessel you are viewing is part of a PSM Covered process. I have blacked out pipe and vessel labeling, as it does not matter what the HHC/EHS is or the type of process. Pay close attention to the sight glass column in the center of the picture. The process vessel shown has a safe upper level of 80%. Exceed the safe upper level and liquid is sent to a compressor, which will result in a catastrophic failure of the compressor and a catastrophic release of the HHC. So why is ISA-84 needed?
Below is the same photo at a larger scale so you can see the design of the level control system. Explanation below the photo...
You will notice legs off of the sight glass column at the 25% and 55% levels, each with a float switch wired to a set of transfer pumps. This system is the "Level Control System" and it maintains the level within the safe upper and lower limits for the vessel. As we move up the sight glass to the very top we will see another float switch; this switch is the "Hi-Level Interlock" which shuts down the compressor(s) if it is tripped. This is a very common arrangement on this type of process.
Imagine you are part of a PHA Team using the Hazard and Operability (HAZOP) methodology and the team is analyzing TOO MUCH LEVEL in this vessel. Keep in mind that the PHA team MUST consider the consequences of failure of engineering and administrative controls in the PHA. So what could be a CAUSE of TOO MUCH LEVEL? The picture above shows two valves that I have circled in yellow. These valves are used to isolate the sight glass column if necessary for maintenance. What would happen if an operator either:
- inadvertently CLOSED this valve? or
- this valve was NOT opened as the vessel was returned to service?
Both scenarios are very plausible and both are a SINGLE FAILURE MODE, meaning only one error has to be made to initiate an event! With just the single bottom valve to the sight glass CLOSED, we have essentially eliminated BOTH the level control system AND the hi-level interlock. As the vessel fills with the liquid HHC there is NO LEVEL INDICATION provided because of that CLOSED valve. I will accept the fact that a "well trained operator" who is stationed at the vessel should realize that something is wrong when he/she sees no level indication in the sight glass; but in this type of process there is NO CONTROL ROOM Operator monitoring a computer screen for these types of deviations. In this process, it is usually a one person show and maybe 2-3 if it is a start-up after a major shutdown; but by no means is that an industry staffing trend! 9 out of 10 times it will be one operator bringing this process up; which in the pictured process contains two other vessels with sight glasses, 5 pumps, and a very large number of smaller components spread throughout the facility. So this operator (or operators) is covering a lot of ground and is not stationed at the 3 vessels ensuring levels are increasing as expected. So giving credit to this in a PHA would be just plain wrong.
The process, as it is designed, has relied on the Level Control System and the Hi-Level Interlock for decades to be the engineered safeguards for "overfilling the vessel" and sending liquid to a compressor. But this design, which permits BOTH systems to be taken out of service by only one valve being either inadvertently closed or left closed during start-up, appears to be misleading some businesses into thinking they have "layers of protection", and this is being translated into "we have adequate safeguards in place".
So what would ISA-84 do for a business with this type of set up on a critical parameter?
1) The PHA team would list the sight glass, the level control, and the hi-level interlock as a SINGLE safeguard and NOT three independent safeguards. With only one engineered safeguard designed to PREVENT the event from initiating, rather than the three previously assumed layers, the risk for this scenario increases dramatically.
2) ISA-84 establishes the framework for how "safety instrumented systems" (SIS) should be designed and the guidelines to establish some reliability of the Safety Instrumented Function. ISA-84 states the SIS will include three types of components: 1) sensor components, 2) a logic solver component, and 3) final control elements. Together these components detect out-of-control process conditions and automatically return the process to a safe condition, regardless of the functioning of the Basic Process Control System (BPCS). Notice the last part of that sentence... regardless of the functioning of the Basic Process Control System. The INDEPENDENCE of the safety system (e.g. the sight glass, the level controller, and the hi-level interlock) is greatly compromised in the shown set up, and this does not meet a FUNDAMENTAL design feature of any safety system. The intent is to have the hi-level interlock as the last line of defense should the level controller fail for some reason; however, in our set up the closing of a single valve disables all three (3) safeguards for a very critical deviation!
3) ISA-84 establishes a methodology for our safety systems called the "Safety Life Cycle". This methodology consists of several phases of establishing what a safety system should look like, how it should function, its reliability, and how it will be maintained, all based on the level of risk it is intended to manage. The steps in this life cycle include:
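To make the independence argument concrete, here is a small fault-tree model of the arrangement described above, evaluated for minimal cut sets. It is an added example, not part of the original post: the basic-event names are constructed, and the level control is simplified to one float switch and one pump. The "as built" tree puts the shared sight-glass isolation valve under both protective functions; the "independent" tree gives the hi-level interlock its own process tap.

```python
from itertools import product

# Gate constructors: a node is ("OR", children), ("AND", children) or ("EV", name).
def ev(name): return ("EV", name)
def or_(*children): return ("OR", children)
def and_(*children): return ("AND", children)

# Basic events (constructed names, not from the post).
VALVE = ev("sight_glass_isolation_valve_closed")   # shared by every safeguard on the column
LC_FLOAT = ev("level_control_float_switch_fails")
PUMP = ev("transfer_pump_fails_to_start")
HI_FLOAT = ev("hi_level_float_switch_fails")
TRIP = ev("compressor_trip_circuit_fails")

# Top event: liquid carried over to the compressor. It needs the level control
# function to fail (vessel overfills) AND the hi-level interlock to fail to trip.
tree_as_built = and_(or_(VALVE, LC_FLOAT, PUMP), or_(VALVE, HI_FLOAT, TRIP))
# Same top event, but the interlock senses level through its own tap.
tree_independent = and_(or_(VALVE, LC_FLOAT, PUMP), or_(HI_FLOAT, TRIP))

def minimize(sets):
    """Keep only cut sets that have no proper subset in the collection."""
    out = []
    for s in sorted(set(sets), key=len):
        if not any(m <= s for m in out):
            out.append(s)
    return out

def cut_sets(node):
    """Minimal cut sets: each is a set of basic events that together cause the top event."""
    kind, payload = node
    if kind == "EV":
        return [frozenset([payload])]
    child_sets = [cut_sets(c) for c in payload]
    if kind == "OR":                       # any child's cut set suffices
        sets = [s for cs in child_sets for s in cs]
    else:                                  # AND: one cut set from each child, unioned
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    return minimize(sets)

def single_point_failures(node):
    """Basic events that defeat every layer on their own (cut sets of size one)."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)

if __name__ == "__main__":
    print("as built, single-point failures:", single_point_failures(tree_as_built))
    print("independent tap, single-point failures:", single_point_failures(tree_independent))
```

The as-built tree yields the closed valve as a one-event cut set, which is exactly why the PHA team should count the column, the level control, and the interlock as a single safeguard.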
- Hazard and Risk Assessment
- Allocation of Safety Functions
- Safety Requirement Specifications
- Detail Design and Engineering
- Design and Development
- Installation, Commissioning, and Validation
- Operation and Maintenance
There are also three other steps of the Safety Life Cycle that occur over the entire length of an SIS lifetime and in no particular order or time within the cycle. These steps are:
- Management of Functional Safety and Functional Safety Assessment and Auditing
- Safety Life Cycle Structure and Planning
4) ISA-84 establishes a "Safety Integrity Level" (SIL) for each SIS that is based on the simple question of "how critical is this SIS?". The higher the risk, the higher the SIL will need to be to ensure that the SIS performs, with a high probability, when called upon to function.
Businesses need to become educated on SIS and embrace this methodology, rather than fear it. ISA-84 is a RAGAGEP, so it is NOT a requirement for complying with PSM or RMP and is only one way for a business to manage its safety systems. But in the scenario above, I think we can say that had ISA-84 been embraced by the process designers we would not have three safeguards capable of being eliminated by a single valve being closed!
OSHA's PSM standard was the start of the process safety lifestyle for many businesses in the USA; then came EPA's RMP, which threw in a new element called "Hazard Assessment", where businesses were forced to look at the real impact potential their process(es) contained. The time will come when the majority of businesses will recognize that ISA-84 brings structure to their safety systems (e.g. alarms and interlocks), which in turn will improve process safety with a MUCH HIGHER DEGREE OF CERTAINTY. So ISA-84 is the next logical step for process safety; even before "Inherently Safer Design" takes hold!