Safe Operating Limits – Part 1
A systematic evaluation and identification of safe operating limits is useful in maintaining efficient and effective operations, meeting environmental restrictions, and ensuring process safety, yet efforts to implement compliance with this PSM element1 suffer from many factors, including semantics and definitions as well as varying degrees of usefulness across the equipment in a facility.
The most typical procedure we’ve encountered for definition of safe operating limits during design looks something like this: a ‘margin’ (oftentimes arbitrary) is used to determine upper and lower operating bounds around a target operating value. These upper and lower design values are then used in the design of the processing equipment. The actual equipment material selection and fabrication set upper and lower mechanical integrity values, and the safe operating limits are then set at these mechanical integrity values.
As an example, take temperature limits for a pressure vessel constructed out of carbon steel. The lowest operating temperature specified during design was +20°F, based on “the lowest operating temperature, operational upsets, autorefrigeration, atmospheric temperature, and any other sources of cooling” (per ASME Section VIII §UG-20(b)). These design values then guided selection of metallurgy, and the minimum design metal temperature (MDMT) was set to -20°F based on that metallurgy. Despite the lower design temperature specification of +20°F, there is a tendency to set the lower safe operating temperature equal to the MDMT of -20°F to “not limit ourselves in the future”.
The highest operating temperature specified during design was 120°F and a maximum design temperature of 200°F (per ASME Section VIII §UG-20(a)) was specified, with a healthy ‘margin’ above what is expected for the operating temperature. One may note the vessel can often handle the stresses at higher temperatures; however, the Maximum Allowable Working Pressure for the vessel is directly dependent on this maximum design temperature (demonstrating dependence of one process parameter’s limits on another parameter), and so the maximum design temperature becomes the upper safe mechanical integrity temperature. Again, there is a tendency to set the upper safe operating temperature equal to this design temperature.
This typical procedure can sometimes fail to take into account other key limiting values for the process parameter, and does not reflect good engineering practice to drive the safe operating limits as far from the mechanical integrity limits as reasonably practical (or conversely, as close to the operating envelopes as practical)2. We suggest the following heuristic be used when setting safe operating limits:
Obtain the planned (or historically acceptable) operating envelopes for all modes of operation. This becomes a minimum for the safe operating limits; in other words, the normal operating envelope must be within the safe operating envelope.
Identify key limit values for the process parameter. These values may include design limits, mechanical integrity limits, equipment and instrumentation dependencies, and other parameter dependencies. These values become maxima within which the safe operating limits are placed.
Add limit values commensurate with the process / system complexity and risk. These values may include process upsets, alarms, high-integrity protection systems, and safety instrumented systems. In some cases, these values may need to be derived from response times. In other cases, these values may be derived from environmental considerations, as there are some systems where environmental restrictions are in place, with specific consequences when limits are exceeded. Although we could certainly understand arguments for partially decoupling environmental restrictions from process and occupational safety, we have found cases where it is convenient to consider the environmental restriction envelope when defining the safe operating limits.
Drive the Safe Operating Limits as close to the operating envelope as reasonably practical. The safe operating envelope is placed within the limit values identified, and outside of the operating envelope; then the safe operating envelope is ratcheted as tight to the operating envelope as practical. Often, this effort requires input and agreement from all stakeholders in the process, including operations, engineering, and safety. We recognize this is the most controversial part of the heuristic given the many competing priorities – for example, operational flexibility, project opportunity, and safety conservatism.
Evaluate consequences of deviations. With the definition of a safe operating limit comes the requirement to evaluate and document the consequences of the deviations beyond that limit (for US facilities covered by PSM3).
Using this heuristic for our very simplistic example discussed initially, we would come up with something as shown in the graphic below, where the stakeholders agreed that a buffer of ±20°F around the planned operating envelope is sufficient for operational flexibility, and there were no adverse consequences identified with operation at these temperatures.
Example temperature envelopes
We recognize that the evaluation of the consequences of deviation and management of change are the primary motivations for setting safe operating limits at the mechanical integrity limits. It is much easier to define the consequences of deviation from the mechanical integrity limits in quantifiable terms. In addition, if the operating envelopes are adjusted while the safe operating limits are defined at the mechanical integrity limits, there is less paperwork and processing without the need for formal management of change.
With respect to consequences of deviation, there is no reason that the evaluation cannot say something to the effect of the following: “There is no anticipated consequence to process safety when exceeding the upper safe operating limit of 140°F, up to a temperature of 200°F. The upper safe operating limit of 140°F was selected in an effort to reduce the likelihood of unanticipated consequences. Above 200°F, weakening of the pressure vessel may occur.”
With respect to management of change, we would suggest this is more of a framing perspective. In our experience, better outcomes result when one has to justify a change to a vested, experienced team. Initially setting safe operating limits well within the mechanical integrity limits incorporates an admission that perhaps we have not looked at all of the consequences of deviations, particularly for other dependencies outside of the particular piece of equipment being focused upon at a given time. As stated above, a more restrictive safe operating limit should be selected to reduce the likelihood of unanticipated consequences. Enforcing management of change on more restrictive safe operating limits at least provides another opportunity for investigating potential consequences before that change is made.
Up next in Part II, we will look at defining upper pressure limits for simple processes.
 For example, see US 29 CFR 1910.119, Process safety management of highly hazardous chemicals, §1910.119(d)(2)(i)(D) and UK 2000 No. 128, Pressure Systems Safety Regulations 2000, §7.
 “Establishing Safe Upper and Lower Limits”, Safety Info Posts – Chemical Process Safety (PSM/RMP), Written by Bryan Haywood; Friday 30 December 2011. Source: SAFTENG.net. Retrieved From: http://www.safteng.net/index.php?option=com_content&view=article&id=1553&Itemid=4. Accessed date: 3/21/2013.
 29 CFR 1910.119, Process safety management of highly hazardous chemicals. §1910.119(d)(2)(i)(E).