
Interlocked isolation valves - less is more

  1. Interlocked isolation valves – less is more
     Andy Brazier
     Tel: (+44) 01492 879813 Mob: (+44) 07984 284642 andy@abrisk.co.uk www.abrisk.co.uk
  2. “Those bloody interlocks”
     “They are fine if you are starting in exactly the right place, doing exactly the right task and everything is working perfectly. Most of the time they are a complete nightmare.”
     Process operator talking about a pig launcher.
  3. Paper overview
     Use of interlocks to reduce human error risk
     Trend to more interlocks
     Additional complexity
     Purchase and maintenance costs
     Over reliance
     Could they increase risks?
  4. What are interlocks?
     Means of making the state of components dependent on each other
     One item cannot be operated unless another item is in its required state
     Can be electrical, electronic or mechanical
     Primarily concerned with ‘trapped key’ interlocks
     Not computer controlled sequences such as ‘start-up permissives’
  5. Use of trapped key interlocks
     Ensure a spared item remains (relief valves, filters)
     Ensure an item is in its correct status before carrying out a task (pig launcher is fully isolated before opening; filter)
     Ensuring an item is fully isolated before carrying out a task
     Steps performed in correct sequence
  6. Simple example – spared relief valves
     [Diagram: vessel and emergency vent header with relief valves RV-A and RV-B, shown with and without interlocked valves]
  7. Human factors of interlocking
     Appears to provide a ‘fail safe’ control
     “Remove the ‘human factor’ by ensuring dangerous processes happen only in a designated sequence” (vendor of proprietary interlock system)
     “Enforce and guarantee a pre-defined sequence of operation and so eliminate human error.” (vendor of proprietary interlock system)
  8. Is this true?
     An interlock is only as good as the person maintaining it (Edmonds 2016)
     When an interlock fails the operator is usually the only line of defence (Marsden et al 2003)
     Interlocks do fail
     They can be defeated
  9. A critical look at the human factors
     Assuming it is safe to operate a valve because the key fits
     Prone to design and maintenance failures
     Being forced to continue with a sequence of steps that may not be the most effective or safe
     Proving isolation integrity
     Using ‘master’ keys to override interlocks due to equipment problems or non-routine activities
     Paying less attention because the perception is that a task cannot be done incorrectly
  10. Increased use of interlocks
     Advances in technology and software to design: more interlocked steps, more complex interactions, key exchange units, integrated with PLC, DCS and SIS
     Risk aversion: can’t be criticised for interlocking, may be criticised for not
  11. Current guidance
     “Interlock arrangements may be provided as safety systems, particularly where they prevent inadvertent operation.” The guideline to the Pipelines Safety Regulations 1996 (HSE 1996)
     “Pig launcher and pig receiver shall be equipped with an interlock system to prevent opening of isolation valves around the launcher when the launcher door is open.” The NORSOK Standard P-100 for Process Systems (NORSOK 2001)
  12. Simple example
     Goal is to open door ‘D’
     To do this safely: close inlet valve ‘I’; close outlet valve ‘O’; open vent valve ‘V’; monitor the vent to confirm successful isolation
     [Diagram: vessel with inlet valve I, vent valve V, outlet valve O and door D; the same diagram appears on slides 13 to 17]
  13. Potential errors
     I left open – vessel not isolated – process release when D is opened
     O left open – vessel not isolated – process release when D is opened
     V is left closed – vessel remains pressurised – release of trapped material when D is opened
     V is not monitored – integrity of isolation is not confirmed – possible release if I or O pass
  14. Error likelihood – no interlocks
     Any of the potential errors is possible
     Operator needs to think what they are doing
     Will be very focussed on opening the vent before opening the door
     May feel that monitoring the vent is not necessary
  15. Error likelihood – I and O interlocked
     Cannot open the door until the vessel is isolated
     Once both isolation valves are closed the operator will have the key to open the door
     May be more inclined to overlook the requirement to open and monitor the vent
  16. Error likelihood – I, O and V interlocked
     Cannot open the door until the vessel is isolated and vented
     Task requires very little thought – can’t be done incorrectly
     Will the operator even think about monitoring the vent?
  17. Error likelihood – V interlocked
     Isolation valves may be left open
     Errors will be discovered when vent is opened
     May feel that monitoring the vent is not necessary
  18. Quantifying human error likelihood
     Do not believe any of these numbers!!!
  19. Suggested rates (per operation)
     Operator fully engaged in task and fully understands the need for the step – 0.001
     Operator engaged in task but may not appreciate step significance – 0.01
     Operator not engaged in task – 0.1
  20. Error likelihood calculations
                            None    I+O     I+O+V   V
     Vent not opened        0.001   0.01    0       0
     Vent not monitored     0.01    0.01    0.1     0.01
     Error likelihood       0.011   0.02    0.1     0.01
     Key: 0.001 – fully engaged; 0.01 – may not appreciate significance; 0.1 – not engaged
  21. Interlock failure
     Very likely that if an operator obtains Key D they will assume valves are in the correct state
     Mechanical failures do occur
     Someone may have used a Master Key
                            None    I+O     I+O+V   V
     Vent not opened        0.001   0.01    0.1     0.1
     Vent not monitored     0.01    0.01    0.1     0.01
     Error likelihood       0.011   0.02    0.2     0.11
     Previous result        0.011   0.02    0.1     0.01
  22. Conclusion
     Simple example illustrates interlocks do not “remove the human factor” or “eliminate human error”
     Quantification illustrates how human error likelihood may increase due to interlocks
     Especially when interlock failure is taken into account
     Don’t believe the numbers
  23. That was a very simple example
     [Diagram: pig receiver with pipeline, kicker line, closed drain, process vent header, relief valve, emergency vent header, purge medium and local vent]
  24. What is the solution?
     We need to define strategies for interlocking: fully, partial, minimal
     We need to be very careful about managing interlock failures and overrides
     What do you think? Increased use of interlocks has improved safety? Less is more?

Editor's Notes

  • Good morning.
  • This has been a bit of a hobby horse of mine for a couple of years. My concern has been that people assume interlocks make plant and equipment safe, and hence more interlocks must make things safer.
    Late last year I was in a control room talking about safety critical tasks. Pipeline pigging was mentioned. This was how the operator responded. This was with no prompting from me – I hadn’t had a chance to mention interlocks at this stage.
    We had a short discussion and established that there were a lot of interlocked steps, and this was causing a problem. If everything was done exactly to plan, the interlocks worked fine. But the real life experience was that this rarely happened and there were always problems they had to deal with.
    These photos show multiple interlocks had been fitted and at least one key exchange unit was in use. I have blanked out the vendor’s logo to protect the guilty.
  • My main aim with this paper is to discuss the impact interlocks can have on human error risks.
    I particularly wanted to explore the potential downside of the current trend to include more interlocks in our systems. This inevitably increases complexity and has immediate and longer term cost implications. But does it result in an over reliance, and could this actually result in risks being increased?
  • An interlock is a means of making the state of components dependent on each other. Typically this means one item cannot be operated unless another is in a required state. A simple example would be your washing machine, which will not operate unless its door is closed.
    Interlocks can be achieved in a number of different ways. This paper is primarily concerned with ‘trapped key’ interlocks. This is where a key has to be inserted to operate an item, usually a valve, and once that item has been operated a different key is released that can be used to perform the next step. I am not talking about computer controlled sequences such as on a fired heater or compressor, which are sometimes called interlocks, but which I would call ‘start-up permissives.’
  • The types of areas where trapped key interlocks are typically used include spared items. The purpose in this case is to make sure that at least one of the spared items is in its operational state at any time. Examples include spared relief valves, where interlocks may be used to make sure the spare is lined up before the online valve is isolated. And spared filters, making sure at least one is online at all times.
    Another use of trapped key interlocks is to make sure an item is in the correct status before a task is performed. A good example of this is opening a pig launcher or receiver. Interlocks can be used to make sure isolation valves are closed before the door is opened. Opening a filter body for cleaning is another example.
    Another use of interlocks, which is subtly different, is to make sure steps are performed in a required sequence. It can be applied to similar items such as pig launchers and filters, but is quite a lot more complex. In this case it is not good enough to simply know that an isolation valve is closed, because some valves may be opened and closed a number of times in performing the isolation.
  • Spared relief valves are a fairly simple example of where interlocks can be used, with some clear justification. The usual purpose of sparing the valve is to allow a standby to be available if the online valve starts to pass. It allows production to continue quite safely until an opportunity arises to shut down and remove the relief valve for calibration.
    In this case each relief valve has a single isolation valve. We can manage with a single key that will only allow one valve to be closed at any time.
    Unfortunately life is not always that simple. We may need to have the relief valves isolated on their outlet as well as their inlet. This doubles the number of valves, but will probably mean we need three keys instead of one. Immediately we see an increase in cost and complexity. And this is with single valve isolation. If we ever want to remove an isolation valve whilst the plant is online, we may need double-block-and-bleed isolation, which takes things to a whole new level.
  • The problem is, in my opinion, that interlocks appear to provide a fail safe solution. They create a physical barrier that prevents people making mistakes.
    This is something perpetuated by vendors of proprietary systems. A quick look at their websites shows one claiming their interlocks “remove the human factor” and another claiming they can “eliminate human error.”
  • I don’t think interlocks eliminate risk, and they may even increase it.
    As Janette Edmonds points out, an interlock is only as good as the person maintaining it. Hence they do not remove the human factor.
    And Sara Marsden and colleagues pointed out that when interlocks do fail we are entirely reliant on the operator to deal with the problem.
    And the reality is that interlocks do fail and they can certainly be defeated; these facts need to be considered when we are evaluating risks.
  • I believe there are a number of human factors issues associated with interlocks.
    They certainly change the interaction the operator has with his or her plant and can affect their perception of risks. I think there is a very strong belief that if you have a key and it fits in a valve it must be safe to operate that valve. This can override other information that may be available indicating that there may be something wrong, and highlights that if we are going to use interlocks we need to be very precise with our design and keep them fully operational at all times.
    One problem is that once we have interlocked steps we have taken away the operator’s ability to work flexibly to deal with real life situations. A good example of this is if the integrity of an isolation valve cannot be confirmed. Without interlocks the operator may repeat a step or consider using a different combination of valves. Interlocks will often prevent them doing this and they have to continue, even though they know there is a problem.
    Master keys are generally available, to allow operators to deal with unforeseen situations. My view is that once a master key is in use the whole interlocking system has been defeated, but I don’t think this is necessarily how an operator would see it when working at the sharp end.
    Ultimately I think one of the human factors issues is that operators start to pay less attention to what they are doing, feeling that the interlocks are making everything safe. In fact, when there are a lot of interlocked steps it becomes almost impossible to understand what is happening. Ironically, there can be a greater use of procedures, which appears to be a good thing, but often it is a necessity to know which key to use when, rather than what is being achieved by following the defined set of steps.
  • It appears to me that more interlocks are being used. This is partly due to vendors having clever software that allows them to offer a ‘full solution,’ which means they can interlock more steps and create more complex interactions. Of course this is good for their sales figures as they are able to sell more expensive systems.
    Use of key exchange units certainly allows for more complex systems, and modern technology allows trapped key interlocks to be integrated with computer based systems such as PLC, DCS and SIS.
    And for purchasers of these systems, whether they are the operating company or a designer, risk aversion is driving decisions. People feel they are unlikely to be criticised for specifying interlocks, but may be criticised if they don’t. Also, there may be a view that ‘brownie points’ will be gained with regulators etc., as they can prove that investment has been made to improve safety.
  • The problem is that there is very little relevant guidance. In fact this is all I could find.
    The HSE pipelines guidance is very vague, saying interlocks may be provided.
    The NORSOK guidance is more prescriptive, but does not say how many items or steps need to be isolated.
    As is often the case, a void leaves things wide open for people to interpret this as they see fit. As vendors are fairly vocal on the subject, it is not a surprise that the trend is for more interlocks.
  • The remainder of my paper explores the human factors issues associated with interlocks using this very simple example.
    In this case the goal is to open Door D on the vessel.
    To do this we need to close the Inlet and Outlet isolation valves I and O. We then open vent V to depressurise the vessel. Also, we need to monitor the vent for some time to confirm that the isolation valves are holding OK.
  • Even with this simple system there are four potential errors:
    Leaving I or O open will mean the vessel remains live to the process
    Leaving V closed means the vessel will remain pressurised
    Failing to monitor V means that if I or O pass then the door may be opened with a flow from the process continuing.
    But it is important to note that there are different types of error possible. In fact, as long as V is opened and monitored, any error resulting in I or O being left open will be discovered. Hence, it can be argued that these are the most critical steps.
  • I would first like to look at what will influence error likelihood if we do not have any interlocks.
    It is true that any of the identified errors can occur, but I think it is reasonable to assume that the operator will be thinking quite carefully about what they are doing. In particular, I think they would be very unlikely to open the door without first opening the vent. And if they do that they are very likely to identify if one of the isolation valves has been left open.
    However, the requirement to monitor the vent may not be so clear. It seems quite likely that if they open the vent and there is no obvious problem they will assume it is OK to open the door. Hence there is a risk of a process release.
  • If we decide that interlocks should be used, we then need to decide what to interlock.
    We may decide that isolating the vessel is the most important thing, as if we don’t do this we will get a significant process release.
    One problem I can see here is that once I and O are closed the operator will have the key to open the door. This could be quite a strong signal that they can proceed without opening the vent. This will result in a release of the material contained in the vessel. This is likely to be less than a process release that would occur if an isolation valve had been left open. But it is still a very undesirable outcome.
    Another factor is that if the operator has failed to open the vent they will almost certainly fail to monitor the vent. Hence, if a valve does pass a process release will occur.
    This illustrates that this partial interlocking increases the likelihood of some of the potential errors.
  • Based on the previous slide, we may conclude that a full interlock solution is required. In this case the isolation valves will have to be closed and the vent open before the key to open the door is released. This is clearly the status we want, but I think it is reasonable to assume that the operator will be thinking even less about the task they are performing and will be even more susceptible to the signal that having the key to the door must mean it is safe to open. In this case, I think it is very unlikely that they would consider monitoring the vent to be important or even understand why it may be required.
  • An alternative option is to only interlock the vent. This creates a simpler (and cheaper) system, and as pointed out previously, opening the vent is very likely to allow isolation errors to be discovered. We still have this strong signal that having the key to the door must mean it is safe to open, and again monitoring the vent may be overlooked.
  • My qualitative assessment has highlighted how different uses of interlock may influence human error likelihood. It would be useful if we could quantify this to decide which is the best.
    The first thing to say is that this is not possible. Definitely do not believe any of the numbers I use on the next couple of slides. In fact, please do not believe any human error likelihood numbers you see anywhere, they are all wrong.
    However, using numbers can help us to understand the issues. So here goes.
  • I have decided to use these human error rates, depending on the operator’s engagement in the task.
    So if they are fully engaged and thinking carefully about what they are doing they may get it wrong once in every 1000 operations.
    If they are partially engaged this may increase to one in every 100 and if not engaged at all this may be one in 10.
    As I said, don’t believe these numbers, but we could at least discuss whether they are in the right ballpark if you ever wanted to examine the results more carefully. And they would allow some sensitivity analysis to be carried out, which I think should always be done whenever you try to quantify human error rates but is something that seems to be overlooked most of the time.
  • So I am only looking at the two key errors of not opening the vent and not monitoring the vent. This is because, if you do these steps you will discover errors in isolation.
    So this is what I have come up with.
    With no interlocks it seems reasonable that the operator will be fully engaged and be very keen to open the vent. Hence this is given the lowest likelihood on the scale. However, they may be less focussed on monitoring the vent and so that is given the next likelihood.
    If we interlock the isolation valves the operator is less engaged in the task. This means they are more likely to overlook opening the vent. If they do open the vent, the likelihood of them not monitoring it is probably the same as the non-interlocked scenario.
    We can see straight away that the human error likelihood has increased.
    The next one is to interlock all the valves. In this case I have concluded this will mean the operator will have very little engagement in the task so the likelihood of them monitoring the vent is reduced. There is only one potential error, but it becomes likely.
    The final scenario is where the vent is interlocked. I have concluded that because fewer steps are interlocked the likelihood of not monitoring the vent is the same as for the first two scenarios. Based on these numbers the error likelihood for this arrangement is the least.
    Now I fully appreciate that this is far from the full picture. It only gives human error likelihood and not risk, and each error type is associated with different potential consequences and so the risks will be different. However, the key selling message for interlocks is that they prevent human errors, which I think these calculations show is not the case.
  • The previous calculations assume that the interlocks are 100% reliable. But we know that is not the case. The problem is that once the operator has key D they are very likely to assume it is safe to open the door. But it is possible that the key became available due to a mechanical failure or someone using a master key.
    In this case I decided that the error rates will only change if the fault affects an interlock on the vent. This is because, once again this is a key step in its own right and allows other errors to be discovered.
    As you can see this significantly changes the results for the 3rd and 4th scenarios. In particular, if we only interlock the vent, a failure of that interlock is going to have a much bigger impact on operator behaviour, although the likelihood is still less than the total interlock scenario.
    Again, I do recognise that this is not the full picture as it does not include the likelihood of an interlock failure, just the error likelihood if there is a failure. But it does at least highlight the importance of maintaining interlocks, not allowing tasks to continue if there is a fault with an interlock, and keeping very strict control of master keys and any other override mechanism.
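    The calculation on slides 19 to 21 can be carried through in code so that the rates can be varied, which is the sensitivity analysis the paper says is usually overlooked. The following is an added example written for this page, not code from the presentation or its author. The scenario names (None, I+O, I+O+V, V), the three engagement rates and the interlock-failure assumption (a failed vent interlock means "vent not opened" is scored at the not-engaged rate) are taken from the slides and notes; the function names and the structure of the model are the editor's own choices.

```python
"""Recomputes the error-likelihood tables on slides 20 and 21 (added example,
not part of the presentation) and sweeps one rate to show how sensitive the
ranking of interlock strategies is to the assumed numbers."""
from typing import Dict, List, Optional, Tuple

# Suggested rates per operation (slide 19). The presentation stresses these are
# illustrative only; they are parameters here so they can be changed.
DEFAULT_RATES: Dict[str, float] = {
    "engaged": 0.001,      # fully engaged, understands the need for the step
    "partial": 0.01,       # engaged, but may not appreciate the step's significance
    "not_engaged": 0.1,    # not engaged in the task
}

# Engagement level assumed for each of the two key errors in each scenario
# (slide 20 and its notes). None means the step is interlocked, so it cannot
# be skipped while the interlock is working.
SCENARIOS: Dict[str, Dict[str, Optional[str]]] = {
    "None":  {"vent_not_opened": "engaged", "vent_not_monitored": "partial"},
    "I+O":   {"vent_not_opened": "partial", "vent_not_monitored": "partial"},
    "I+O+V": {"vent_not_opened": None,      "vent_not_monitored": "not_engaged"},
    "V":     {"vent_not_opened": None,      "vent_not_monitored": "partial"},
}

# Slide 21 assumption: if the vent interlock has failed (mechanical fault or a
# master key), the operator holding key D assumes the vent step is done, so
# "vent not opened" is scored at the not-engaged rate. Scenarios whose vent is
# not interlocked are unaffected.
FAILED_VENT_LEVEL = "not_engaged"


def error_contributions(scenario: str, rates: Optional[Dict[str, float]] = None,
                        vent_interlock_failed: bool = False) -> Dict[str, float]:
    """Per-error likelihood for one scenario (the two table rows)."""
    rates = rates or DEFAULT_RATES
    out: Dict[str, float] = {}
    for err, level in SCENARIOS[scenario].items():
        if level is None and err == "vent_not_opened" and vent_interlock_failed:
            level = FAILED_VENT_LEVEL   # interlock no longer forces the step
        out[err] = rates[level] if level is not None else 0.0
    return out


def error_likelihood(scenario: str, rates: Optional[Dict[str, float]] = None,
                     vent_interlock_failed: bool = False) -> float:
    """Slide 20 simply adds the two rows; rounded to avoid float noise."""
    return round(sum(error_contributions(scenario, rates, vent_interlock_failed).values()), 6)


def likelihood_table(rates: Optional[Dict[str, float]] = None,
                     vent_interlock_failed: bool = False) -> Dict[str, float]:
    """The 'Error likelihood' row of slide 20 (or slide 21 when failed=True)."""
    return {s: error_likelihood(s, rates, vent_interlock_failed) for s in SCENARIOS}


def rank_scenarios(rates: Optional[Dict[str, float]] = None,
                   vent_interlock_failed: bool = False) -> List[Tuple[str, float]]:
    """Scenarios ordered from lowest to highest error likelihood."""
    return sorted(likelihood_table(rates, vent_interlock_failed).items(), key=lambda kv: kv[1])


def sensitivity_sweep(not_engaged_values, vent_interlock_failed: bool = False) -> Dict[float, str]:
    """Vary only the not-engaged rate (the one that drives the fully interlocked
    case) and report which strategy comes out best at each value."""
    best: Dict[float, str] = {}
    for v in not_engaged_values:
        rates = dict(DEFAULT_RATES, not_engaged=v)
        best[v] = rank_scenarios(rates, vent_interlock_failed)[0][0]
    return best


if __name__ == "__main__":
    for failed in (False, True):
        print(f"vent interlock failed: {failed}")
        for name, total in rank_scenarios(vent_interlock_failed=failed):
            print(f"  {name:6s} {total:.3f}")
    # Constructed sweep values: at 0.005 full interlocking wins, at 0.1 (the
    # slide's value) the vent-only arrangement wins.
    print(sensitivity_sweep([0.005, 0.02, 0.1]))
```

    With the slide's rates the model reproduces both tables (0.011, 0.02, 0.1, 0.01 and, with a failed vent interlock, 0.011, 0.02, 0.2, 0.11), and the sweep shows the ranking flips once the not-engaged rate drops below the no-interlock total of 0.011, which is the kind of sensitivity check the notes call for before drawing conclusions from numbers like these.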
  • My aim has been to use this very simple example to highlight that interlocks do not, despite the marketing hype, either remove the human factor or eliminate human error. In fact, the quantified results illustrate that interlocks may well increase the likelihood of errors, especially when interlock failure is taken into account.
    Once again I want to emphasise that you should not believe the numbers.
  • But I also want you to remember that this was a very simple example. Real life systems have many more steps that may be interlocked. And I think this can amplify the influences on operator behaviour, especially as complexity means they are less able to understand what they are doing and are less likely to engage.
  • I want you to think about what interlocking strategy you use, and whether you have any guiding principles that you follow.
    If nothing else, this paper has shown that failures of interlocks do occur and can have a very large impact on human error likelihood.
    So what do you think? Is the current trend to more interlocks a good thing, or am I right to say less is more? If I am right, what do we need to do?