Introduction: Process safety audits frequently uncover confusion regarding PSM program requirements and implementation. This is Part 1 in a five-part series highlighting common audit findings. This section includes selected audit findings related to Operating/Safe Limits Tables. Since audit findings are very common for this topic, more discussion is provided compared to the other parts of this series. Please see the reference for the complete discussion.
Selected Audit Findings (see reference for complete list)
Operating/Safe Limits Tables
Introduction
Operating limits and safe limits tables are typically part of the process safety information (PSI) and operating procedures (OPs). They are important because they define the ranges of safe operation for a process, both as operating limits in the OPs and as the ultimate safe (or design) limits in the PSI. Exceeding operating limits can cause process upsets, quality issues, and other problems. Exceeding safe limits will likely cause significant process incidents and result in possible equipment damage, personnel injuries, and environmental harm. Failure to properly document these limits can therefore lead to misoperation and significant operability and safety issues. The consequences of the deviations from these limits must also be documented, including the safety and health effects on personnel. The OPs must document correct operator responses to regain desired control of the process. Many companies choose to combine these sets of limits tables as part of the OPs for ease of reference and use. This practice is common, but it sometimes becomes a source of confusion if the information is not clearly presented.
Based on our experience, having a complete, accurate, and thorough set of operating limits and safe limits tables available to process operators (particularly board operators) as well as engineers, maintenance, etc. is invaluable in (1) focusing them on the really important process parameters, (2) reminding them of the worst-case consequences associated with exceeding these parameters, and (3) providing a ready reference for actions to take when parameters are exceeded. Limits tables are therefore important training tools. Exceeding one flow rate may have minor consequences, but exceeding a different flow rate could lead to destruction of the plant. Knowing these differences and how to respond to these deviations is fundamental to safe design, operation, and maintenance of the plant.
We have also noted that many companies refer to “safe operating limits” (SOLs), which can also lead to confusion since the OSHA regulation refers only to safe limits and operating limits, as discussed. SOL likely means that the operating limits have been set based on safety (rather than other) considerations, but SOLs should not necessarily be equated to safe limits. Auditors should understand company intent and practice relative to the OSHA PSM regulation to determine if requirements are met.
Requirements
There are two basic approaches for meeting these requirements:
- The PSI and OP requirements are implemented separately, with the PSI safe limits tables providing the basic process variables to be addressed in the operating limits tables implemented in the OPs (see Figure 1).
- The PSI and OP requirements are combined into limits tables in the OPs (see Figure 2).
Both approaches are valid for meeting the regulatory requirements, but there are pluses and minuses to each approach if not implemented and maintained appropriately. For example, combined tables help reduce discrepancies that could develop over time in separate tables as process equipment changes occur. Combined tables are also periodically reviewed as part of OP reviews to confirm that they are current and accurate and therefore are also frequently part of refresher training activities. Improper design and implementation of combined tables, though, can lead to confusion around whether limits are safe limits, operating limits, or something else (e.g., control system alarm points).


Figure 3 provides a typical way of thinking of limits. Most processes will have a normal operating zone, such as a temperature range from 100-120°C, based on safety, quality, and other operability considerations. This range is used to define the desired upper and lower operating limits. Deviations above or below the operating limits will result in troubleshooting activities by operators and/or automatic response by the control system to return to normal. Usually a response zone is defined before safe limits are exceeded, although the available response time may be very short. In some cases, there may be a buffer zone above the safe limits before worst case consequences can occur, but in many cases, the safe limit defines the point where undesirable safety consequences are possible without a buffer. Figure 4 shows these limits and the activation points for possible process safeguards for pressure in a reactor due to a runaway reaction, based on layers of protection as evaluated in a PHA. An example operating limits table is shown in Table 1.
Figure 3: Typical limits diagram showing normal operating zone, operating limits, safe limits, and response zones.

Figure 4: Example of limits and safeguard activation points for pressure in a reactor due to runaway reaction.

Table 1: An example operating limits table.

Common Audit Findings
Separate operating and safe upper/lower limits are not provided: As noted in the “Requirements/Background” section, the OSHA regulation and good industry practice clearly require/expect that each covered process will have two separate sets of limits:
- operating limits, defining the boundaries outside of which a system upset or abnormal operating condition could occur.
- safe limits, representing the design safe upper and lower limits of the equipment or process, above or below which it is considered unsafe to operate.
However, we still observe that facilities:
- establish only one set of documented “limits,” rather than two sets, and it is often not clear whether they are operating or safe limits.
- establish operating limits in tables in the OPs, but have not included safe limits in these OP tables or in separate tables as part of the PSI. The reverse of this (i.e., establishing safe limits in tables in the PSI, but not operating limits in tables in the OPs) is less common.
- reference the alarm/interlock settings in the distributed control system (DCS) and the pressure safety valve (PSV) settings as providing their operating/safe limits.
In the first and second cases, there is clear non-compliance with the regulations, since both sets of required limits are not provided. In the third case, many DCS alarm settings are not established for safety reasons but are for quality or operability purposes. Therefore, defaulting to the DCS parameters may indicate the requirements of operating limits are not well understood. In some cases, listed safe limits may also be part of the tables but may be difficult to distinguish from quality limits, environmental limits, etc.
Guidance: Ensure that (1) both operating and safe limits are provided in the PSI, OPs, or combined tables and (2) the limits documentation addresses the different zones of operation shown in Figure 3, as applicable. Also, avoid imprecise terminology when possible.
All pertinent operating/safe limits are not addressed: In some cases, inspection of the limits tables may suggest that some critical variables are missing (e.g., temperature in a reactor), leading to additional discussion with site personnel to understand (1) how the limits tables were developed and (2) why, in the case of high temperature in a reactor, the particular limits have not been established. Operating/safe limit tables for all the pertinent process parameters can be effectively evaluated (as time permits) by comparing the limits tables data to the current PHA for the process and other PSI documentation. This can be done by:
- reviewing the PHA report worksheets for parameter deviations leading to potential hazardous events (e.g., loss of containment) that are not addressed in the operating/safe limits. If high flow or high level in a HAZOP table, for example, is shown to lead to hazardous events in the PHA, then it would be reasonable that limits for these variables should be provided in the limits tables. Note: PHAs typically do not provide the actual limits. Use the PSI to find this information.
- reviewing listed safeguards in the PHA (e.g., alarms, interlocks, pressure safety valves) or a separate safeguards table (if available) to determine if the associated process parameters are included in the operating/safe limits table. If a high flow alarm or PSV is included as a safeguard, then it would be reasonable that limits for flow or pressure would be provided in the limits tables.
- reviewing PSI documentation for specific equipment to see if design limits have been correctly listed in the limits table.
Based on review of PHAs and other PSI documentation, we often find that a significant number of pertinent process parameters are not included in the operating/safe limits tables. From our experience, this situation often develops because the operations and engineering personnel developing/updating the limits tables perform this work independently, without ever looking at the operating/safe limits through the “lens” of the PHA reports or PSI documentation. Audits also provide an opportunity to review the “reasonableness” of the limits. If the limits table shows a high pressure safe limit of 100 psig but the PSI and/or PHA shows the related PSV setpoint as 150 psig, further discussion to understand the difference is warranted.
Guidance: Review PHAs and other PSI documents to ensure that appropriate process variables are addressed in the limits table and that values appear correct. Clearly address both upper and lower limits and note as “not applicable” where there is no low/high limit. Also review relevant management of change documentation to see if limits tables have been updated as needed.
Consequences of Deviation are not clearly documented: The consequences of deviation beyond both operating and safe limits must be documented. For operating limits, simple descriptions such as “process upset” or something similar are often listed, which does not adequately describe the possible consequences. It is frequently observed that the regulatory requirement to document the consequences of deviation from safe limits, including those “affecting the safety and health of employees,” is not addressed. Fundamentally, all of these consequences should match, or at least be similar to, those described in the PHA worksheets and should describe potential safety and health impacts on personnel, as well as impacts on processes and equipment. For example, the PHA and safe limits table for high pressure in a reactor might indicate overpressure leading to loss of containment and potential toxic exposure to a specific chemical(s) or fire/explosion hazards.
When auditing consequences of deviation, we often see:
- worst-case consequences are not adequately addressed (no column provided or left blank)
- the consequences say something like “leading to a high pressure interlock” or “lifting the PSV” rather than the potential worst-case consequence of over-pressuring a vessel and loss of containment. Note that activation of a PSV may also result in a hazardous release at the discharge point.
- safety and health effects on personnel are not documented, such as a toxic exposure hazard resulting from the release of a hazardous chemical
- safety consequences are mixed with operability/quality/environmental consequences.
Guidance: Review PHAs to ensure that consequences of deviation outside the safe limits are properly documented, including possible worst cases and potential safety and health effects on personnel. Clearly distinguish between operating/safe limits and quality, environmental, and other limits.
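The first three findings above lend themselves to a mechanical cross-check of the limits table against the PHA and PSI. The following is an added example, not part of the original article: the row layout, sample values, and keyword heuristic are assumptions, and only the upper-limit side is checked.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LimitRow:
    parameter: str
    op_high: Optional[float]    # upper operating limit (OP)
    safe_high: Optional[float]  # upper safe limit (PSI)
    consequence: str            # documented consequence of exceeding the safe limit

# Constructed sample data, not taken from any real facility.
LIMITS = [
    LimitRow("reactor pressure", 80.0, 100.0, "lifting the PSV"),
    LimitRow("reactor temperature", 120.0, None, "process upset"),
    LimitRow("reactor level", 70.0, 90.0,
             "overfill, loss of containment, toxic exposure to personnel"),
]
PHA_PARAMETERS = {"reactor pressure", "reactor temperature",
                  "reactor level", "feed flow"}   # deviations with hazardous events
PSV_SETPOINTS = {"reactor pressure": 150.0}       # from PSI relief documentation

# Assumed keyword heuristic; a real audit reads the PHA worksheet text.
WORST_CASE_TERMS = ("loss of containment", "exposure", "fire", "explosion")

def audit_limits(limits, pha_parameters, psv_setpoints):
    """Return sorted (parameter, finding) pairs for the upper-limit side."""
    findings = []
    listed = {row.parameter for row in limits}
    for name in pha_parameters - listed:
        findings.append((name, "PHA deviation missing from limits table"))
    for row in limits:
        if row.op_high is None or row.safe_high is None:
            findings.append((row.parameter, "operating and safe limits not both given"))
        elif row.op_high >= row.safe_high:
            findings.append((row.parameter, "operating limit not below safe limit"))
        psv = psv_setpoints.get(row.parameter)
        if psv is not None and row.safe_high is not None and psv != row.safe_high:
            findings.append((row.parameter, "safe limit differs from PSV setpoint"))
        text = row.consequence.lower()
        if not any(term in text for term in WORST_CASE_TERMS):
            findings.append((row.parameter, "worst-case consequence not documented"))
    return sorted(findings)

if __name__ == "__main__":
    for parameter, finding in audit_limits(LIMITS, PHA_PARAMETERS, PSV_SETPOINTS):
        print(f"{parameter}: {finding}")
```

Each finding is a prompt for discussion with site personnel rather than a verdict; a safe limit that differs from the PSV setpoint may have a documented basis.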
Corrective actions are not clearly provided: The steps required to avoid or correct deviation must be addressed in OPs, but this information is not always provided or corrective actions are provided for only some operating limits with varying degrees of clarity. Although the regulation does not specifically require the documentation of corrective actions for deviations from safe upper/lower limits, OSHA’s guidance (see Tables 3 and 4) indicates that “emergency shutdown” should be a final corrective action. Obviously, the steps to correct a deviation outside operating limits will help prevent upset situations or safe limits from being exceeded, but the required actions are likely to be different as a potential deviation approaches and/or exceeds documented safe limits. For example, operators are typically encouraged to safely shut down a process when in doubt about continued safe operation, even before reaching an interlock/trip point or safe limit.
Guidance: Review PHAs, OPs, emergency procedures, and other documents as needed to ensure that clear guidance is provided on corrective actions for deviations outside of both operating and safe limits.
Process safeguard setpoints are not included: As a best practice, it is valuable for operators to know at what point various process safeguards will activate as they potentially deal with process deviations. What alarms and interlocks are provided and when will they activate? What are the setpoints for pressure relief? This information may be included in the DCS, in the OPs, in training materials, and/or PSI documents. It is therefore desirable to consider adding this information to the limits tables to provide for immediate operator access relative to the defined limits listed in the table. For example, as shown in Figure 4, several safeguards for high pressure in a reactor are provided to activate as the upper safe limit is approached. Knowledge of these setpoints as operators respond to process deviations is important, both so the operators can anticipate safeguard action and so they can respond appropriately if the safeguard fails to activate as expected.
Guidance: Consider including process safeguard setpoints in the limits tables as appropriate.
References
The published version of this complete article can be found on Chemical Processing’s website where you can also access more tools and resources to help you run safe, efficient facilities.
- Process Safety Management Audits Find Confusion
co-authored with James R. Thompson, Chemical Processing, pp. 18-24, October 2021