Process upsets at many chemical plants can quickly turn dangerous. Dynamic simulation can give engineers and operators the power to reduce potential process upsets or non-routine situations.
Long accepted for its strength in training, dynamic simulation can provide additional far-reaching value for enhancing safety. By using a digital twin as a double for the existing process (Figure 1), dynamic simulation offers a protected environment in which to practice safe deployment of process strategies and justify further safety improvements. Unfortunately, myths about such simulation (see Don't Fall For Common Myths below) frequently thwart its application.
Figure 1. An identical replica in the virtual world allows testing process changes and providing hands-on training and real-world results without affecting the actual plant.
As facilities attempt to achieve their safety risk tolerance by performing a layers of protection analysis (LOPA), simulation can help determine how to improve the individual risk factors involved in reaching the defined tolerance. (For details on how to avoid coincident failures in layers of protection, see “Prevent the Illusion of Protection.”)
A wide variety of chemical plants can benefit from dynamic simulation. Here, we’ll use examples from ammonia production. Ammonia facilities often choose to perform shutdowns during process upsets because there’s so little time, minutes at best, to react to potentially hazardous situations. While many process plants don’t require as aggressive a response to conditions, an ammonia facility provides an ideal environment to illustrate the value of dynamic simulation.
Improved Response To Non-Routine Situations
Research shows that in stressful environments, such as during non-routine and emergency situations, operators make more errors than under routine circumstances. The goals of simulation include improving safety by reducing stress and preparing operators to perform non-routine tasks often enough so they feel more routine. Carrying out simulated tasks at an operator station, as if in real life, improves response time by invoking muscle memory in ways that learning via pen and paper or classroom instruction can’t.
Operator response time is a factor in a LOPA. If performed often and well enough, a task can be considered routine rather than non-routine; this, in turn, could lower the risk factor of a process area.
At an ammonia plant, a loss of feed water can create a low level within the steam drum, which may lead to water being reintroduced to a hot drum, causing catastrophic vessel failure. In this case, during simulation, operators might find a low level inside the steam drum and practice implementing a course of action to fix the cause, loss of feed water.
After using dynamic simulation during training, the response of personnel becomes more accurate and faster, thus enhancing the independent layer of protection (IPL). Because the team acts safely and quickly, the safety instrumented system (SIS) activates less.
Actually, a dynamic simulator opens up a number of opportunities related to operator performance.
Train on a digital twin instead of the real plant. Training on a live, working control system is less than ideal because of risks to the process and the associated stress in the learning environment. By training on a digital replica of the process — including devices, control system, and higher networks and systems — operators know how to work with the system interfaces. The simulation doesn’t affect the live process in any way.
Create a solid baseline of performance. Using dynamic simulation, a facility can establish a minimum acceptable performance for operators in given situations. Ammonia plants, which often are located in remote locations, usually face a shortage of experienced operators. Simulation enables training all operators to the same baseline level as well as evaluating how quickly they detect a situation, how much time they need to respond, and how long it takes for the action to produce results. After baselines are set, trainers can benchmark operators over time until tasks are performed to achieve desired safe outcomes.
Design structured training. In an emergency, each person plays a role in de-escalating the situation. A dynamic simulator enables the trainer at the facility to educate every operator in standard plant procedures to execute that person’s emergency role — and then to evaluate the operator’s skills over time. The skillsets themselves can be evaluated to ensure they’re effective in emergencies.
Save time during refresher training. Simulation can expedite operator review of updated safety situations. Ammonia plant startups have many hazardous simultaneous activities and can benefit from, for example, compressing tank-fill time so operators learn skills without waiting for the fill.
Provide proof to safety evaluators. Under many circumstances, safety evaluators that go into a facility must weigh the soundness of performance reviews provided to them. A simulator can document how operators performed during training, giving the evaluators more confidence they have an accurate report of abilities.
Safe Deployment Of Process Strategies
Plant staff must be sure of the changes they make to improve process safety. By combining LOPA and simulation, personnel can detect weaknesses in design and refine process areas.
For example, while performing a LOPA on a section of the simulated facility, engineers might find conditions that either are unsafe or non-optimized. Digging further into the simulation and experimenting with designs, they might identify ways to improve that area of the plant.
An ammonia process can be vulnerable to many deviations, such as low level on jacket water or turbine over-speeds. While these conditions themselves don’t pose a danger to the work site, if not reacted to properly, their consequences can injure or kill employees who operate the process. Personnel can safely test, via simulation, proposed responses to ensure they do what they should. Key in all these activities: the live process remains unaffected until the updates are polished and safe.
When considering dynamic simulation to help ensure design and deployment of safe processes, keep in mind a variety of opportunities.
Perform alarm evaluation. A team can affect safety meaningfully by designing an alarm strategy that reduces, for example, nuisance alarms so that an operator only sees significant alarms, i.e., ones that demand action. For instance, during an ammonia plant startup, alarms frequently are set to align with nameplate as recommended by the manufacturer. However, the nameplate often eventually gets exceeded as a facility continues to improve operations and systems through debottlenecking. Dynamic simulation enables re-evaluation of potential events in the plant environment so they cause fewer alarms. Without simulation, that re-evaluation requires a great deal of time and can fall to the bottom of the to-do list.
Match the fidelity of the simulation to the need. The area of the plant that most needs improvements in safety may not require a high-fidelity simulation. Indeed, in safety analysis, setting the fidelity at a low level sometimes may suffice, thus saving some costs and time.
Conduct regression testing. With a valid simulation of the existing process, an engineering team can set up tests to compare proposed and existing conditions to ensure that changes won’t create unsafe conditions. Using simulation, this testing can be largely automated and easily documented for record and compliance purposes.
Test the SIS. By simulating the SIS together with the distributed control system, a site can confirm that, if the SIS were called upon, the systems would act together as they should. Or it can see where changes are necessary to improve response and safety.
Justification Of Safety Improvements
Simulation can give the safety team tools to prove how process or equipment changes can enhance safety, quality and production time. Simulation also provides an opportunity to test the effectiveness of safety system IPLs.
For instance, the design team might notice that a process change can offer a provable four hours of better production or save several hours in a startup. Further investigation might show how to improve an area’s safety integrity level (SIL) rating.
An ammonia plant’s SIS often is programmed aggressively to shut down the process for a variety of situations that could, but don’t always, pose dangers. Although an SIS responding unnecessarily can result in a substantial expense, the SIS must act just in case. Many facilities would benefit if their teams could realistically evaluate potentially hazardous situations before programming the SIS to activate.
To improve safety and avoid situations where the SIS must activate, many teams perform a LOPA. Combined with dynamic simulation, a LOPA worksheet (Figure 2) helps them determine the most effective deployment of layers of protection. After using simulation to analyze the potential problems, teams can add layers of protection or adjust the process to avoid the potential problems. Then they can re-simulate the revised process to evaluate the solutions.
Figure 2. In this project, a non-routine task contributes ten times more than a routine one to the ultimate risk results.
Dynamic simulation can play a valuable role in several ways.
Avoid over-engineering. A LOPA that indicates a facility needs double redundant block valves may lead to significant over-engineering. In general, over-engineered safety systems aren’t necessarily safer; they’re just over-engineered. Simulation could check, for example, whether loss of lube oil pressure requires a SIS response at an ammonia plant before a facility incurs the added expense of extra engineering and maintenance. Facilities need the least complex systems that implement the process safely. Simulation can show where alternative technologies or people, rather than systems, can handle unique and complex tasks.
Set the IPL accurately. Simulation allows a team to test the automation IPL and reduce system errors. In fact, the testing might indicate the facility has more IPLs than required, enabling elimination of those that aren’t needed — thus maintaining safety while avoiding unnecessary costs. Of course, the opposite also might occur — testing might show the need for more IPLs, thus saving the facility from potentially dangerous conditions.
Verify human factors. A well-designed simulator can confirm that human factors in a process and system are proper and need no additional capital expense. For example, does the operators’ human/machine interface (HMI) enable them to respond more quickly and efficiently by giving them easy navigation and information at their fingertips, or is it bulky and obstructive to the point of actually reducing their effectiveness? Simulation allows testing new systems well in advance of their implementation and reviewing by all interested parties rather than just their designer.
Achieve A Safer Reality
As the ammonia applications highlight, use of dynamic simulation in many process situations can save time and money toward creating a safer facility. In addition, dynamic simulation prepares a team to go online with fewer errors by helping them understand and reduce the risks and training them for the hazards that could happen.
As teams design the process and before they implement the physical design, dynamic simulation can tell them if they are improving the LOPA results. If other design options are on the table, the team can try those ideas before moving ahead.
Don’t Fall For Common Myths
Five myths too often impede the wider use of dynamic simulation:
1. Low-fidelity simulation is useless. Low-fidelity simulations aren’t exact replicas of the real system. However, in creating a LOPA, a near replica could provide enough proof that a person would know what to do in certain situations.
2. Simulation is just for startup. When kept current, simulations are valuable during skill re-evaluation. For example, alarms change over time and responding to them is critical, so keeping those current in the simulation is important.
3. Testing individual sensors and assets is enough. Facilities that don’t test assets together in the system put themselves at risk. Simulation brings all devices together to verify, for example, that voting works as designed.
4. Use experienced operators to train new ones. As operators perform tasks, they inadvertently might modify procedures. If included in training, such shortcuts can compromise approved safe procedures. Training through simulation preserves the approved procedures.
5. Alarm hitting and tripping are the same. High-level alarms don’t necessarily need to stop the process. With enough practice, personnel can recognize situations and be ready to respond before a higher alarm trips and stops the process.
TIMOTHY HERBIG is a safety consultant for Bluefield Process Safety, St. Louis, Mo. Email him at [email protected].
ACKNOWLEDGMENT
The process simulation team at Emerson Automation Solutions provided support and technical information for this article.
