The safety margin is not spare capacity

A plant runs well below the pressure where its trips and relief valves act. The space in between is a safety margin, and using it up to get more output is the same as making the plant less safe.

Sooner or later, every operations meeting comes round to the same question. Can we push a bit harder and get more out of the same kit? It’s a fair thing to ask, because that is the business. The catch is where the extra output sometimes comes from. A plant normally runs at a pressure well below the point where its alarms, trips and relief valves start to act, and that space in between is a safety margin. When a unit gets pushed for more rate, the operating pressure often creeps up into that margin. The margin then starts to look like spare capacity that nobody is using, but it isn’t spare at all. It’s the room the plant needs to cope when something goes wrong.

What the margin is for

Picture the pressure in a vessel as a reading on a dial. Normal operation sits at one point. Higher up there’s a point where a high alarm comes in, higher still where a trip shuts the unit down, and higher again where the relief valve opens to protect the vessel. The distance between normal operation and those higher points is there for a reason. It gives the operator, and the automatic systems, time and room to catch a problem before it turns into damage.

Two things set those higher points. The first is the operating limits the plant is run to. Under the US process safety management rule, the operating procedures have to state those limits, and for each one they have to say what happens if you cross it and what the operator should do (OSHA 29 CFR 1910.119(f)(1)(ii)). The point is that you work this out in advance, not in the middle of an upset. The second is the integrity operating window, which is simply the range of pressure and temperature a piece of equipment can sit in without slowly damaging itself (API Recommended Practice 584). Run a vessel hotter, or with a more corrosive stream, than that window allows, and you’re wearing the metal out faster, even if nothing trips that day.

So there are really two kinds of protection at work. One stops a sudden over-pressure, and that’s the job of the relief valve and the flare system, designed to the rules in API Standard 521. The other protects the equipment itself over time, and that’s the job of the integrity operating window. When a plant is pushed for rate, both of them come under strain at once, and that’s the part people tend to forget when they talk about keeping production within protection.

The space between normal operation and the safeguards is there to absorb problems. Use it up to win extra output and you’ve taken away the plant’s room to cope.

A worked example

Take a unit with a trip that shuts it down at a set pressure, and a relief valve set a little above that. Normally it runs well below both. Now suppose a debottlenecking exercise raises the normal operating pressure, moving it up closer to the trip, to win a few percent more output. (The numbers here are just for illustration; the real ones depend on the plant.) At the new operating point nothing looks wrong. But there’s now much less room between normal operation and the trip. A disturbance the unit used to ride out, a swing in the feed or a problem with cooling, now pushes the pressure all the way to the trip, and the unit shuts down. The trip did its job, but a shutdown and the restart that follows are themselves risky and costly, so what you’ve really done is swap steady production for a hard stop.

Push the operating pressure higher still and you start reaching the relief valve more often. That valve was sized for one particular emergency, and running close to it doesn’t change how big it needs to be; it just means you call on it more often than anyone intended. What you’ve actually done is lean on the plant’s last line of defence to get output the process couldn’t give you any other way. The extra capacity was never really there. You borrowed it from the plant’s ability to cope.

How the margin gets used up without anyone deciding to

  • The most common mistake is treating the gap between the alarm and the trip as free headroom. It isn’t headroom. It’s the time the operator has to react.
  • Another is running the process harder without going back to check the protection basis. Change the duty and you might have changed one of the relief cases or an integrity window, and none of that updates itself on paper.
  • Then there’s slow creep. Each small change to a limit looks reasonable on its own, and a long series of them eats away the margin without any single step ever looking like the wrong call.
  • And it’s easy to mix up two different limits. The limit that keeps the product on-spec is not the same as the limit that protects the metal, and API 584 is clear that they’re separate things.
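The worked example and the slow-creep point above can be put into a small model. This is an added example, not part of the original article; the setpoints, operating points and disturbance sizes are constructed illustrative values in barg, just as the article's own numbers are.

```python
# Added example: a margin model for the worked example above. Pressures are
# constructed illustrative values in barg; real setpoints depend on the plant.
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguards:
    """Setpoints of the layers above normal operation, lowest to highest."""
    high_alarm: float
    trip: float
    relief: float


def margins(operating: float, g: Safeguards) -> dict:
    """Room left between the operating point and each safeguard."""
    return {"alarm": g.high_alarm - operating,
            "trip": g.trip - operating,
            "relief": g.relief - operating}


def outcome(operating: float, swing: float, g: Safeguards) -> str:
    """Which layer a pressure swing of the given size reaches first."""
    peak = operating + swing
    if peak >= g.relief:
        return "relief"
    if peak >= g.trip:
        return "trip"
    if peak >= g.high_alarm:
        return "alarm"
    return "ride-out"


def count_outcomes(operating: float, swings: list, g: Safeguards) -> dict:
    """Tally how a run of disturbances ends at a given operating point."""
    counts = {"ride-out": 0, "alarm": 0, "trip": 0, "relief": 0}
    for s in swings:
        counts[outcome(operating, s, g)] += 1
    return counts


def creep(operating: float, steps: list, g: Safeguards) -> list:
    """Margin to trip after each small, individually reasonable increase."""
    out = []
    for step in steps:
        operating += step
        out.append(round(g.trip - operating, 2))
    return out


GUARDS = Safeguards(high_alarm=10.0, trip=11.0, relief=12.0)
# Constructed record of disturbance sizes the unit sees over a period.
SWINGS = [0.3, 0.8, 1.3, 0.5, 1.5, 0.1, 0.9, 1.1]

if __name__ == "__main__":
    for op in (8.0, 10.3, 10.8):   # before, after debottlenecking, pushed further
        print(op, margins(op, GUARDS), count_outcomes(op, SWINGS, GUARDS))
    print(creep(8.0, [0.5] * 5, GUARDS))   # five "small" changes to the limit
```

The same set of disturbances that the unit rides out at 8.0 barg produces five trips at 10.3 barg and two relief-valve lifts at 10.8 barg, which is the swap of steady production for hard stops the article describes.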

The takeaway

My advice is always the same. Work out where the real limit is first, whether that’s the equipment, the over-pressure protection or an environmental consent, and then run the plant as hard as you sensibly can inside that limit rather than against it. Keeping production within protection isn’t about running slowly. It’s about being honest with yourself about where the extra output is coming from. If it’s genuinely there inside the safe envelope, take it. If the only way to get it is to run closer to the safeguards, then you haven’t really debottlenecked the plant. You’ve made its protection thinner and not told anyone.

The best-run units I’ve worked on aren’t the ones operating closest to the trip. More often they’re the ones that know exactly where every limit is, keep a sensible distance from it, and so almost never have to find out whether that last line of defence still works.
References

  • OSHA 29 CFR 1910.119, Process safety management of highly hazardous chemicals, operating procedures and operating limits at (f)(1)(ii).
  • API Recommended Practice 584, Integrity Operating Windows, 2nd edition (American Petroleum Institute).
  • API Standard 521, Pressure-relieving and Depressuring Systems, the recognised basis for relief and flare system design (American Petroleum Institute).