
What Are Safe Operating Limits

A systematic evaluation and identification of safe
operating limits is useful in maintaining efficient and effective operations,
meeting environmental restrictions, and ensuring process safety, yet efforts
to implement compliance with this PSM element suffer from many factors,
including semantics and definitions as well as varying degrees of usefulness
across the equipment in a facility.

The most typical procedure encountered for definition of safe operating
limits during design looks something like this: a ‘margin’ (oftentimes
arbitrary) is used to determine upper and lower operating bounds around a
target operating value. These upper and lower design values are then used in
the design of the processing equipment. The actual equipment material
selection and fabrication set upper and lower mechanical integrity values,
and the safe operating limits are then set at these mechanical integrity
values.

As an example, take temperature limits for a pressure vessel constructed out
of carbon steel. The lowest operating temperature specified during design
was +20°F, based on “the lowest operating temperature, operational upsets,
auto refrigeration, atmospheric temperature, and any other sources of
cooling” (per ASME Section VIII §UG-20(b)). These design values then
guided selection of metallurgy, and the minimum design metal temperature
(MDMT) was set to -20°F based on that metallurgy. Despite the lower design
temperature specification of +20°F, there is a tendency to set the lower safe
operating temperature equal to the MDMT of -20°F to “not limit ourselves
in the future”.

The highest operating temperature specified during design was 120°F and a
maximum design temperature of 200°F (per ASME Section VIII §UG-20(a))
was specified, with a healthy ‘margin’ above what is expected for the
operating temperature. One may note the vessel can often handle the stresses
at higher temperatures; however, the Maximum Allowable Working Pressure
for the vessel is directly dependent on this maximum design temperature
(demonstrating dependence of one process parameter’s limits on another
parameter), and so the maximum design temperature becomes the upper
safe mechanical integrity temperature. Again, there is a tendency to set the
upper safe operating temperature equal to this design temperature.

This typical procedure can sometimes fail to take into account other key
limiting values for the process parameter, and does not reflect good
engineering practice to drive the safe operating limits as far from the
mechanical integrity limits as reasonably practical (or conversely, as close to
the operating envelopes as practical). We suggest the following heuristic be
used when setting safe operating limits:

Obtain the planned (or historically acceptable) operating envelopes for all modes of operation.
This becomes a minimum for the safe operating limits; in other words, the
normal operating envelope must be within the safe operating envelope.

Identify key limit values for the process parameter.
These values may include design limits, mechanical integrity limits,
equipment and instrumentation dependencies, and other parameter
dependencies. These values become maxima within which the safe operating
limits are placed.

Add limit values commensurate with the process / system complexity and risk.
These values may include process upsets, alarms, high-integrity protection
systems, and safety instrumented systems. In some cases, these values may
need to be derived from response times. In other cases, these values may be
derived from environmental considerations, as there are some systems
where environmental restrictions are in place, with specific consequences
when limits are exceeded. Although we could certainly understand
arguments for partially decoupling environmental restrictions from process
and occupational safety, we have found cases where it is convenient to
consider the environmental restriction envelope when defining the safe
operating limits.

Drive the Safe Operating Limits as close to the operating envelope as reasonably practical.
The safe operating envelope is placed within the limit values identified, and
outside of the operating envelope; then the safe operating envelope is
ratcheted as tight to the operating envelope as practical. Often, this effort
requires input and agreement from all stakeholders in the process, including
operations, engineering, and safety. We recognize this is the most
controversial part of the heuristic given the many competing priorities – for
example, operational flexibility, project opportunity, and safety
conservatism.

Evaluate consequences of deviations.
With the definition of a safe operating limit comes the requirement to
evaluate and document the consequences of the deviations beyond that limit
(for US facilities covered by PSM).

Using this heuristic for our very simplistic example discussed initially, we
would come up with something as shown in the graphic below, where the
stakeholders agreed that a buffer of ±20°F around the planned operating
envelope is sufficient for operational flexibility, and there were no adverse
consequences identified with operation at these temperatures.

[Figure: Example temperature envelopes]

The evaluation of the consequences of deviation and management of change
are the primary motivations for setting safe operating limits at the
mechanical integrity limits. It is much easier to define the consequences of
deviation from the mechanical integrity limits in quantifiable terms. In
addition, if the operating envelopes are adjusted while the safe operating
limits are defined at the mechanical integrity limits, there is less paperwork
and processing without the need for formal management of change.

With respect to consequences of deviation, there is no reason that the
evaluation cannot say something to the effect of the following: “There is no
anticipated consequence to process safety when exceeding the upper safe
operating limit of 140°F, up to a temperature of 200°F. The upper safe
operating limit of 140°F was selected in an effort to reduce the likelihood of
unanticipated consequences. Above 200°F, weakening of the pressure vessel
may occur.”

With respect to management of change, we would suggest this is more of a
framing perspective. In our experience, better outcomes result when one has
to justify a change to a vested, experienced team. Initially setting safe
operating limits well within the mechanical integrity limits incorporates an
admission that perhaps we have not looked at all of the consequences of
deviations, particularly for other dependencies outside of the particular piece
of equipment being focused upon at a given time. As stated above, a more
restrictive safe operating limit should be selected to reduce the likelihood of
unanticipated consequences. Enforcing management of change on more
restrictive safe operating limits at least provides another opportunity for
investigating potential consequences before that change is made.

we find pressures to be much more interesting and pertinent. During design,
the maximum design pressure is specified using a ‘margin’ above the
maximum expected operating pressure. After the vessel is constructed, the
fabrication and testing process establishes the Maximum Allowable Working
Pressure (MAWP) at a value greater than or equal to the design
pressure. Again, the typical approach then says to set the upper safe
operating pressure as the MAWP; after all, the ‘working’ pressure is the
‘operating’ pressure… Note that this assumes the most common situation
where a pressure relief device is set to open at the MAWP, so it may be more
appropriate to say that the upper safe operating pressure is taken to be the
relief device set pressure.

For the case of the upper pressure limit, there is also something happening
implicitly that most of us do not give much thought to unless performing a
detailed risk analysis. For most equipment, a specific passive mechanical
system is required by the code of construction to ensure the upper limit of a
safe mechanical integrity pressure is not exceeded – namely, a pressure relief
device. For a pressure vessel, the code of construction establishes a
corresponding Maximum Allowable Accumulation Pressure(s) (MAAP) for
pressure excursions. The pressure relief device is sized (based on potential
overpressure scenarios selected) to ensure the relief pressure does not exceed
the MAAP. We would therefore suggest that the MAAP (not the MAWP as is
conventionally assumed) is then implicitly taken as the safe upper
mechanical integrity pressure. If the MAWP was established as the safe
upper mechanical integrity pressure, then every time a pressure relief device
opened, one would initiate procedures to shut down and inspect the
equipment since the pressure excursion exceeded the safe mechanical
integrity pressure. In our experience, this usually doesn’t happen,
particularly for reclosing pressure relief valves. In fact, we often find that the
relief device opening is not even recorded and acted upon later, for example
as input to relief device inspection or PSM improvement efforts.

Even for low risk systems where the pressure relief device may be the only
line of defense against exceeding the maximum safe design pressure, one
should recognize the ‘operating ratio’ for the installed pressure relief
device. An operating ratio for a pressure relief device is defined in API
Standard 520 Part 1 as the ratio of the maximum system operating pressure
to the set pressure of the relief device (or some adjusted pressure, as for the
marked burst pressures of rupture disks), and a limit is commonly specified
by the relief device manufacturer. Operation at pressures above this
operating ratio limit can affect the operation and reliability of that relief
device – for pressure relief valves, simmering, spring weakening, seat
damage, and internal fouling may occur. As a result, the relief device’s
maximum allowable operating pressure becomes one of those key limiting
values for pressure: the upper safe operating pressure should be less than or
equal to the relief device’s maximum allowable operating pressure.

In the case of the simple, low risk system outlined above, the consequences
of exceeding the upper safe operating limit can be stated as “continued
operation above the safe operating pressure may affect the operability and
reliability of the relief device and if the pressure continues to rise to the set
pressure, the relief device is expected to activate”. The relief device should
be on a regular inspection (or replacement) plan, and so the effects of these
deviations can be identified and mitigated.

[Figure: Example simple upper pressure limits]

The figure above simply illustrates the impact of the relief device operation
on the safe operating envelope, and does not reflect any further efforts to
drive the safe operating limit closer to the operating envelope.
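
The five-step heuristic, applied to the temperature example and to a relief device operating ratio limit, as an added example that is not part of the original article. The temperature figures come from the text; the pressure figures (150 psig set pressure, 0.90 operating ratio limit, 165 psig MAAP, 0-100 psig operating) are constructed, and all class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Envelope:
    low: float
    high: float

def safe_operating_envelope(modes, lower_limits, upper_limits, buffer):
    """Return (operating envelope, safe operating envelope, limit envelope)."""
    # Step 1: the operating envelope over all modes is the minimum for the SOLs.
    op = Envelope(min(m.low for m in modes), max(m.high for m in modes))
    # Steps 2-3: the most restrictive key limit values are the maxima.
    limits = Envelope(max(lower_limits.values()), min(upper_limits.values()))
    if op.low < limits.low or op.high > limits.high:
        raise ValueError("operating envelope is outside the key limit values")
    # Step 4: sit as close to the operating envelope as the agreed buffer
    # allows, never beyond a key limit value.
    sol = Envelope(max(op.low - buffer, limits.low),
                   min(op.high + buffer, limits.high))
    return op, sol, limits

def classify(value, op, sol, limits):
    """Step 5: place a reading so the documented consequence can be looked up."""
    if op.low <= value <= op.high:
        return "normal operation"
    if sol.low <= value <= sol.high:
        return "inside safe operating limits"
    if limits.low <= value <= limits.high:
        return "SOL deviation, inside key limit values"
    return "beyond a key limit value"

def temperature_example():
    # Figures from the article (degF): 20-120 operating, MDMT -20, design 200.
    return safe_operating_envelope(
        [Envelope(20, 120)], {"MDMT": -20},
        {"maximum design temperature": 200}, buffer=20)

def pressure_example():
    # Constructed figures (psig): 150 set pressure, 0.90 operating ratio limit
    # giving 135 for the relief device, 165 MAAP, two modes up to 100.
    return safe_operating_envelope(
        [Envelope(0, 80), Envelope(0, 100)], {"atmospheric": 0},
        {"MAAP": 165, "relief set pressure": 150,
         "relief device max allowable operating pressure": 135}, buffer=50)

if __name__ == "__main__":
    for name, example in (("temperature", temperature_example()),
                          ("pressure", pressure_example())):
        print(name, *example)
```

In the pressure case the requested 50 psig buffer is clamped to 135 psig, so the relief device's maximum allowable operating pressure, not the set pressure or the MAAP, is the binding upper limit.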
