
Process Safety Management: Standardizing Safe Operating Limit Information

15th Annual International Symposium


Mary Kay O’Connor Process Safety Center
College Station
October 23-25, 2012

Mike Richardson
Principal Engineer, Process Safety
HSE Department
ConocoPhillips Company, Houston

Agenda

▪ Introduction
▪ The Operating Envelope
▪ Review of Definitions and Concepts
▪ Advantages of Standardized SOL Documentation
▪ SOL Table Information
▪ Example SOL Table
▪ Importance of the ‘Journey’
▪ Summary and Conclusions

Introduction
▪ In 2010, ConocoPhillips Upstream A&OI produced a ‘Safe Operating Limits Guideline’ to address the following:
  • Clear definition of what a Safe Operating Limit is and is not
  • A standardized way of documenting Safe Operating Limits (SOL)
  • A method of meeting the requirements of various international standards (OSHA example):
    – 1910.119(d)(2)(i) Information concerning the technology of the process shall include at least the following:
      ▪ 1910.119(d)(2)(i)(D) Safe upper and lower limits for such items as temperatures, pressures, flows or compositions; and,
      ▪ 1910.119(d)(2)(i)(E) An evaluation of the consequences of deviations, including those affecting the safety and health of employees.
    – 1910.119(f) Operating procedures.
    – 1910.119(f)(1) The employer shall develop and implement written operating procedures that provide clear instructions for safely conducting activities involved in each covered process consistent with the process safety information and shall address at least the following elements.
      ▪ 1910.119(f)(1)(ii) Operating limits:
      ▪ 1910.119(f)(1)(ii)(A) Consequences of deviation; and
      ▪ 1910.119(f)(1)(ii)(B) Steps required to correct or avoid deviation.

The Operating Envelope

[Figure: the operating envelope drawn as stacked zones between the high-side and low-side Mechanical Design Limits. Columns: Safe Operating Limits; Operating Zones; Typical Alarms; Typical Automated Response; Typical Operator Response. Labels recovered from the figure, listed from the high side to the low side:]

▪ UNSAFE OPERATION (POTENTIALLY CATASTROPHIC INCIDENT): Process is UNSAFE and immediate action is required to establish SAFE conditions
▪ Mechanical Design Limit (MDL) (e.g. Design Max Pressure)
▪ MI BUFFER ZONE
▪ Setting of 2nd Layer of Protection (e.g. PSV, PAHHH - HIPPS)
▪ EMERGENCY RESPONSE ZONE (Protection Activated): Operations needs to take steps to correct deviation above SOL
▪ Safe Operating Limit (SOL) High Limit: Emergency Priority (HH) SOL Alarm; Setting of 1st Layer of Protection, Process Shutdown
▪ TROUBLESHOOTING ZONE: Operations needs to take steps to avoid SOL
▪ Normal Operating Limit (NOL) High Limit: High Priority (H) Pre-SOL Alarm
▪ POTENTIAL UPSET CONDITIONS: Increased awareness for Operations
▪ Low Priority (Advisory) Alarm (if configured)
▪ SAFE OPERATING ENVELOPE, NORMAL CONTROL ZONE: Range of normal automated process control; Normal process control by Operations
▪ Low Priority (Advisory) Alarm (if configured)
▪ POTENTIAL UPSET CONDITIONS: Increased awareness for Operations
▪ Normal Operating Limit (NOL) Low Limit: High Priority (L) Pre-SOL Alarm
▪ TROUBLESHOOTING ZONE: Operations needs to take steps to avoid SOL
▪ Safe Operating Limit (SOL) Low Limit: Emergency Priority (LL) SOL Alarm; Setting of 1st Layer of Protection, Process Shutdown
▪ EMERGENCY RESPONSE ZONE (Protection Activated): Operations needs to take steps to correct deviation below SOL
▪ Setting of 2nd Layer of Protection (e.g. LALLL - HILPS)
▪ MI BUFFER ZONE
▪ Mechanical Design Limit (MDL) (e.g. Design Min Temperature)
▪ UNSAFE OPERATION (POTENTIALLY CATASTROPHIC INCIDENT): Process is UNSAFE and immediate action is required to establish SAFE conditions

Review of Definitions and Concepts
▪ Process Parameter
  • A Process Parameter is any process variable with characteristics that can be measured, such as temperature, pressure, flow, level, concentration, etc., that are controlled in a required range.
  • Digital signals such as valve status (open/closed) and on/off status of bypass switches are not process parameters.
▪ Critical Process Parameter
  • If exceeded, at some measurable value, represents an unacceptable risk to safety, the environment, or to the business in terms of equipment damage.
  • Can be controlled either directly or indirectly in normal operation by operator action.
  • Not all Process Parameters have Safe Operating Limits
    – If a deviation only causes degradation of equipment / facility over a long period, reduced operating reliability / efficiency or off-specification product or effluent streams
    – Assigned a Normal Operating Limit.
  • A Safe Operating Limit is not normally assigned to parameters that are used for equipment condition monitoring or for SCE condition targets

Review of Definitions and Concepts
▪ Normal Operating Limit (NOL)
  • High or low value of a Process Parameter at the limit of the normal operating range
  • Demarcated by a high priority alarm (Pre-SOL Alarm).
  • Operator must take action (such as troubleshooting, set point changes, etc.) to restore normal operation.
  • Can be applied to all types of variables, including those associated with feed/product quality, process stability and/or equipment reliability.
  • Any change to the Normal Operating Limit requires MOC:
    – To assure the capacity of the operator to respond and avoid an upset condition when having deviations or excursions outside the Normal Operating Limit.
    – To assure that non-immediate equipment / facility integrity and reliability risks are not overlooked.
    – To assure that off-specification product or effluent streams are quickly identified

Review of Definitions and Concepts
▪ Safe Operating Limit (SOL)
  • The point at which operational and mechanical troubleshooting ends and immediate, predetermined protection action is taken (either manual or automatic).
  • The point at which the safety instrumented systems trip and, in many situations, the pressure relief systems (PSV’s or rupture disks) activate.
  • The point at which the Protection Systems are activated
  • Critical Process Parameter limits beyond which the process is unsafe to operate.
  • Any change to the Safe Operating Limit (or the Layers of Protection) requires MOC to assure that the risk of an unsafe event (undesirable consequence) occurring is assessed by an engineering review.
▪ Mechanical Design Limit (MDL)
  • The ultimate design condition or “not to exceed” limit of a Critical Process Parameter, which if exceeded may lead to a catastrophic failure with release of energy or a toxic, reactive, flammable or explosive material.
  • The point at which the process is not to be operated for any reason and “all” the appropriate safety critical protection systems have activated to protect the people, environment and the facility integrity.

Advantages of Standardized SOL Documentation
▪ Shows the basis and logic for determining SOL values relative to NOL and MDL values
▪ Links SOL’s to the HAZOP study – makes the key HAZOP results ‘visible’ to operators
▪ Links SOL’s to the LOPA study (for Safety Instrumented Systems) – makes the key LOPA results ‘visible’ to operators including the key Layers of Protection provided (either manual or automatic)
▪ Assists with the risk analysis when a SIF is bypassed, inhibited, etc.
▪ Provides a quick reference guide for operator training and during process upsets
▪ SOL values are not ‘buried’ within a large text document operating manual
▪ As a reference during Alarm Management (alarm minimization and rationalization) processes to avoid inadvertently removing SOL critical alarms

Project Process Engineers need to prepare preliminary SOL Tables during basic design
engineering to document their layers of protection strategy

SOL Table Information
▪ For Critical Process Parameters, the identification of measurement devices (sensors) by tag numbers together with the alarm set point values and the various priority levels, which would include the SOL and NOL values
▪ Values for the associated Mechanical Design Limits
▪ The NOL Basis if required for other non-SOL related reasons (e.g. corrosion inhibitor injection rate affecting medium term piping integrity)
▪ Any ‘non-safety’ consequences of deviation outside NOL
▪ Steps to avoid the deviation in summary (the operating procedures would have a more detailed description).
▪ The SOL Basis
▪ Immediate safety consequences of deviation outside SOL and the associated severity level.
▪ Steps to correct the deviation in summary (the operating procedures would have a more detailed description).
  • Details of any manual operator actions required in lieu of automated safety devices associated with each Layer of Protection.
  • Details of any automatic safety devices (including tag numbers and required actions) associated with each Layer of Protection including their Target SIL Rating for SIF’s. Mechanical Protection Devices, such as PSV’s would be included here.
  • The corrective action statement should be short, direct and to the point to resolve the issue.
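
The limit ordering shown in the operating envelope and the limit values listed above for an SOL table row can be checked mechanically. The following is an added example, not part of the original presentation: the tag, the values and the field names are constructed, and the 2nd layer of protection setting, MI buffer zone and advisory alarms are left out to keep one core case.

```python
from dataclasses import dataclass, replace

LIMITS = ["mdl_low", "sol_low", "nol_low", "nol_high", "sol_high", "mdl_high"]

@dataclass(frozen=True)
class SolRow:
    """One Critical Process Parameter row of an SOL table."""
    tag: str         # sensor tag number (hypothetical here)
    mdl_low: float   # Mechanical Design Limit, low side
    sol_low: float   # SOL low limit: LL alarm, 1st layer of protection
    nol_low: float   # NOL low limit: L pre-SOL alarm
    nol_high: float  # NOL high limit: H pre-SOL alarm
    sol_high: float  # SOL high limit: HH alarm, 1st layer of protection
    mdl_high: float  # Mechanical Design Limit, high side

    def ordering_errors(self):
        """List every adjacent pair of limits that is out of order."""
        vals = [getattr(self, name) for name in LIMITS]
        pairs = zip(LIMITS, vals, LIMITS[1:], vals[1:])
        return [f"{self.tag}: {a} ({x}) must be below {b} ({y})"
                for a, x, b, y in pairs if not x < y]

    def zone(self, value):
        """Name the operating zone for a measured value.
        Assumption: a value sitting exactly on a limit has reached it."""
        if value > self.mdl_high or value < self.mdl_low:
            return "UNSAFE OPERATION"
        if value >= self.sol_high or value <= self.sol_low:
            return "EMERGENCY RESPONSE ZONE"
        if value >= self.nol_high or value <= self.nol_low:
            return "TROUBLESHOOTING ZONE"
        return "SAFE OPERATING ENVELOPE"

# Constructed sample row: a pressure in barg on a hypothetical tag.
GOOD = SolRow("PT-1001", mdl_low=0.0, sol_low=2.0, nol_low=4.0,
              nol_high=10.0, sol_high=12.0, mdl_high=15.0)
# Same row after a constructed alarm change that puts the pre-SOL
# alarm above the SOL trip, so the operator gets no warning first.
BAD = replace(GOOD, nol_high=12.5)

if __name__ == "__main__":
    print(GOOD.ordering_errors(), BAD.ordering_errors())
    for reading in (7.0, 10.5, 12.0, 15.1):
        print(reading, GOOD.zone(reading))
```

Running the ordering check whenever an alarm set point changes catches a pre-SOL alarm that has drifted past the trip value it is meant to precede.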

Example SOL Table

Data in the spreadsheet is fictitious and is provided by way of hypothetical example only

Importance of the ‘Journey’
▪ SOL Workshops
  • Multi-discipline team similar to a HAZOP with operators present
  • Work through each process step methodically
  • Review HAZOP and LOPA study reports and findings
  • Review Operating Manuals / Procedures
  • Discuss the values of the Mechanical Design Limits of all components in the process step
  • Determine the actions required to avoid and correct SOL deviations
  • Determine whether operator intervention is actually feasible within the expected time with the current alarm set points
  • Propose revisions to alarm values and protections
  • Document findings where further work / action is required
  • Familiarization, ‘buy-in’ and ownership by the operators of the hazards and corrective actions required

Found a significant number of potential issues that HAZOP and LOPA Studies had not identified due to their different focus

Summary and Conclusions

▪ One-stop standard reference document to be used rather than filed.
▪ Documents protection rationales - Layers of Protection are ‘visible’
▪ Operators own the information and have assisted with the preparation
▪ Defines operations’ expectations from Projects and Contractor organizations
▪ Often surfaces issues not found by formal HAZOP and LOPA Studies

The ‘journey’ is often more important than the destination
