Managing Critical Conditions

Critical Condition Management (CCM) is a market that is growing both in size and importance. Major critical events usually fall into a category referred to as “incidents leading to losses.” These critical events can lead to the largest category of performance downgrading, otherwise known as unscheduled downtime, as well as the loss itself.

In the process industries, unscheduled downtime averages between 2 percent and 5 percent of production. In the chemical industry alone, the average loss per incident is almost $90 million.

A critical condition is defined as a state in a manufacturing process that is beyond normal but has not quite reached an emergency situation. Critical Condition Management functions should always be active in the background to reduce the possibility of transition from a normal to a critical state and, in the event of an emergency, to minimize its effect.

A process plant may have multiple protective layers. The first is the process control system. Its primary function is to ensure safe, predictable operation of the process. The second layer may be a safety system, whose primary function is to drive an orderly shutdown when the control system is unable to control the process in a predictable fashion. In some cases, a third layer is provided by a fire and gas protection system. These systems operate reactively and provide little guidance to the operator. The CCM function works in a predictive mode over these protection layers, providing guidance and actions for mitigation in the case of a critical situation.

While CCM systems can be direct acting in nature, the majority of CCM implementations are advisory. In most cases, the operator is advised how to return the process to a safe state and, in the case of an emergency, provided alternatives for mitigating the incident.

An effective alarm strategy plays a critical role in CCM. The EEMUA 191 standard published by the Engineering Equipment and Materials Users Association can provide a good basis for compliance in any alarm rationalization, while the Occupational Safety and Health Administration (OSHA) 1910 process safety management standard and Responsible Care initiatives must also play a role. A best practice for developing an alarm strategy is to commit your best operator and your best control engineer to the project. Defining each alarm will require five to ten minutes. Bringing in a hired gun and letting him or her work in a vacuum usually fails.

Intelligent alarming can be defined as the next level above simple alarming, in which a single variable triggers an alarm. Intelligent alarms, triggered by multiple inputs, are usually context sensitive, and their value is also in their dynamic nature and the fact they can be state based. Intelligent alarming should be based on in-depth engineering, because in many cases, the alarm can be counter-intuitive. In most cases, the CCM implementation should do self-validation. This is a place for first principle correlations and interlocks to eliminate false positives to insure suggested action is accurate and does not worsen the situation.

It is usually more of a challenge to justify a CCM expenditure than a control system expenditure. The latter can be justified based on a predictable monetary gain, whereas the former must be justified on avoiding an unpredictable possible loss. Usually, the criteria for justification are improved reliability, fewer incidents, and ultimately, less unscheduled downtime. A relevant point to make in any CCM justification is that a single critical incident can erase the annual benefits for an advanced process control application on the same unit.

Following are some points to remember about CCMs: • CCM should be considered in heavy process industry plants where there is an exposure to extraordinary human health or monetary loss.

• CCM is normally an advisory function and not a substitute for a set of well-engineered and implemented protective layers, including a well-rationalized alarm strategy.

• When implementing a CCM application, always integrate a self-validation strategy to eliminate false positive trips, which can cause an incident rather than avoid or mitigate one.

• When justifying a CCM project, use incident history and the associated trend line to establish future unscheduled downtime and loss exposure.

Asish Ghosh,, and Dave Woll, dwoll@, are both vice presidents at ARC Advisory Group.

More in Control