Hydrocracker Safeguarding with SIS

White Paper

Kenexis
 Hydrocracker Safeguarding with SIS

>> INTRODUCTION

Emergency depressuring of Hydrocracking process units in refineries

received a large amount of attention after the 1997 accident that
occurred at Martinez, California. Many refiners decided that automatic
depressuring of the unit when excess temperature was detected should
be a safety instrumented function and replace the traditional manual
depressuring. When attempting to implement the ISA 84.01 safety
lifecycle, Refiners found that applying this safety instrumented function
is quite difficult in terms of risk analysis to determine the required safety
integrity level (SIL). This difficulty is due to the large number of
measurements that can detect out of control conditions and variety of
means for returning the process to a safe state, which all depend on the
Many refiners initial failure mode.
decided that
automatic This white paper discusses the selection of a safety integrity level for the
depressuring of depressuring function. The Hydrocracking process is of great interest in
the unit when terms of SIL selection because of the advanced methods that are
excess required to provide reasonable results. Although simple methods are
temperature was available and are even promoted in SIS standards, those methods
detected should typically provide results that are unacceptable when applied to the
be a safety Hydrocracking runaway reaction problem. This white paper not only
instrumented provides typical results of this type of study, but also provides an
function and overview of some of the more advanced techniques that can be applied
replace the to the SIL selection methods along with guidelines for when more
traditional manual advanced techniques should be used.
depressuring
Quantitative Risk Analysis (QRA) is rarely performed for selecting SIL.
QRA requires highly trained analysts and increased effort when
compared to qualitative methods. In addition, using the numerical
results that are generated by the method requires that decision criteria
that are also numerical, which many organizations do not desire to
employ due to the perception of liability that is created. Even though
QRA is not widely practiced for SIL selection, there are some situations
where all of the other SIL selection methods, which are essentially
various degrees of shortcutting QRA, are inadequate and will lead to
artificially inflated requirements (i.e., a higher SIL, more equipment,
frequent testing, and overall higher costs). An excellent example of this
situation is the emergency depressuring of a Hydrocracker reactor
section upon detection of a thermal runaway reaction. In order to
improve SIL selection, a limited amount of QRA should be incorporated
into the SIL selection procedures and to support decisions about the
need for risk reduction alternatives. The key to effective implementation
is only use small amount of QRA calculations to support your existing
processes instead of trying to use QRA for every scenario.

2
 Hydrocracker Safeguarding with SIS

2.0 HYDROCRACKING PROCESS AND HAZARDS

Many refineries employ Hydrocracking technology to convert heavy

hydrocarbon oils into lighter and more valuable products. Figure 1
presents a typical flow sheet for a single stage Hydrocracking process 1 .

Figure 1 – Typical Hydrocracker Flow Sheet

Recycle Com pressor
Fractionation
Reactors Section

Flash Gas
HP Separator

Charge Heater

Hot Separator

HC Charge

H2 Charge

HC Recycle

The Hydrocracker unit is fed with hydrocarbon liquid and hydrogen.

Hydrocrackers are capable of processing a wide range of liquid
hydrocarbon feed stocks, but typically process heavy oils such as
vacuum gas oils and atmospheric residuals. The hydrogen /
hydrocarbon feed blend is typically heated in a fired heater and sent to
the reactors where the cracking reaction occurs. After heat exchange,
the hydrocarbon products are separated from hydrogen and light gases
in a series of separators and flash drums. Hydrocarbon products are
further processed in a fractionation section. Both heavy hydrocarbon
Excessive liquids and hydrogen may be recycled.
cracking reactions
can spiral out of The reactions taking place in the Hydrocracker process include cracking,
control and result whereby long chain hydrocarbons are broken into smaller chains, and
in a potential loss hydrogenation, where any free radicals or double bonds are saturated.
of integrity of the The end result is a hydrocarbon product whose average molecular
reactor vessel or weight is much smaller than the molecular weight of the feed. The
piping due to overall reaction is significantly exothermic. Under some circumstances,
excessive there is a possibility that the heat generated in the reaction will increase
temperature. the temperature of the catalyst bed, leading to increased reaction rates
and more heat generation. This effect can spiral out of control and
result in a potential loss of integrity of the reactor vessel or piping due to
excessive temperature.

1
Meyers, Robert A., “UOP UNICRACKING PROCESS FOR HYDROCRACKING”, Handbook of
Petroleum Refining Processes, Second Edition, McGraw-Hill, New York, NY, 1997, 7.41-7.49
3
 Hydrocracker Safeguarding with SIS

The reaction occurs as liquid hydrocarbon contacts a fixed bed of

catalyst with excess hydrogen at a high pressure. During normal
operation, adding a cold hydrogen quench to sweep away the heat of
reaction to the downstream heat exchangers controls temperature. In
an emergency situation depressuring the reactor can stop the reaction.
When a depressuring occurs, the reactor pressure and thus the partial
pressure of hydrogen decreases. The decrease in hydrogen partial
pressure essentially decreases the concentration of reactant available,
and in accordance with traditional chemical reaction kinetics, the reaction
rate quickly falls off. The speed at which the reaction rate falls is a
function of how fast the reactor pressure drops. Many Hydrocrackers
High rate are equipped with two different means of depressuring: a slow system,
depressuring is and a fast system. Obviously, the fast system is capable of bringing the
capable of process to a safe state more rapidly, but causes unwanted side effects
bringing the such as intense flaring and equipment degradation due to hydrogen
process to a safe embrittlement. In an emergency scenario, an operator will first attempt
state rapidly, but to bring the process under control using the slow depressuring and only
causes unwanted use the fast depressuring system if the other is not capable of stopping
side effects such the runaway reaction from continuing.
as intense flaring
and equipment The analysis in this white paper focuses on a Safety Instrumented
degradation due Function (SIF) that will initiate a fast depressuring upon detection of a
to hydrogen high temperature condition in the hydrocracking reactors. This analysis
embrittlement. is complicated by the fact that there is an additional SIF specified which
causes a slow depressuring upon detection of low of recycle hydrogen
flow. These two SIF prevent the same hazard from occurring, but do
not completely overlap because the low recycle gas flow SIF does not
protect against all of the possible initiators of runaway reaction.

3.0 BASIC SIL SELECTION METHODS

The white paper scenario employs a typical method for selecting SIL.
The methodology is based on a hazard matrix to contain the tolerable
risk decision criteria and use of layer of protection analysis to account for
the impact of existing and proposed non-SIS engineered safeguards.
The process includes the steps shown below.

1. Select the consequence severity category for this hazard

2. Select the category representing likelihood of the initiating event

3. Determine the required degrees of risk reduction based on the

hazard matrix shown in Figure 2

4. Determine the number of independent protection layers

5. Calculate the required SIL by subtracting the number of

independent protection layers from the required degrees of risk
reduction.

4
 Hydrocracker Safeguarding with SIS

The hazard matrix shown in Figure 2 is a typical example of a matrix that

is used in industry. In addition to qualitative descriptions of categories,
such as “Severe” and “Rare”, the categories are also associated with
quantitative ranges. This paper will demonstrate that inclusion of
quantitative ranges in qualitative tools, such as risk graph, will allow
decision support through quantitative risk analysis (QRA) calculations.
The example shown below was calibrated 2 using tolerable risk guidelines
suggested by the UK Health and Safety Executive 3 .

Figure 2 – Typical Hazard Matrix

Frequency
Range
(per year)
Frequent 10 - 1 3 4 5 6

Moderate 1 – 0.1 2 3 4 5
Likelihood

Infrequent 0.1 – 0.01 1 2 3 4

Rare 0.01 – 10-3 --- 1 2 3
Remote 10-3 – 10-4 --- --- 1 2
-4 -5
* Calculated 10 – 10 --- --- --- 1
0.001 – 0.01

0.01 – 0.1

1.0 – 10.0
0.1 – 1.0
Consequence
Range (PLL)
Severe
Serious

Catastrophic
Minor

Consequence
* This category should only be used when supported by quantitative frequency calculations

4.0 SIL SELECTION PROBLEMS

Short-cut risk While the procedure shown above is typically very successful, a small
analysis methods, percentage of scenarios that are analyzed (usually < 5%) do not yield
yields poor results satisfactory results (e.g., the selected SIL was higher than expected and
when the yields an unacceptably costly / complex design compared to industry
assumptions upon benchmarks). The method shown above as well as other short-cut risk
which the process analysis methods yields poor results when the assumptions upon which
is built are not the method is built are not valid. For the white paper scenario, the
valid. following considerations make the simple hazard matrix protocol invalid.

2
Marszal, E.M., and Scharpf, E.W., Safety Integrity Level Section – Systematic Methods including Layer
of Protection Analysis, First Edition, Instrumentation, Systems, and Automation Society, Research Triangle
Park, NC, 2002.
3
United Kingdom Health and Safety Executive, The Setting of Safety Standards – A Report by an
Interdepartmental Group of Advisors, Her Majesty’s Stationery Office, London, 1996..
5
 Hydrocracker Safeguarding with SIS

1. There are a large number of events that can result in a runaway

reaction (initiating events).

2. None of the initiating events has a significantly larger frequency

than the rest that it can be treated as representative of the
overall risk.

3. The safeguards that are employed in the process are not

effective against all initiating events.

4. There is a large number of SIF that are intended to prevent

essentially the same hazardous event.

5. Multiple SIF share common equipment

6. BPCS protection functions share final elements with SIF.

7. Many of the SIF are not 100% effective in preventing all of the
initiating events from propagating into an accident.

8. There are mitigating events that decrease the probability of the

occurrence of an accident that do not fit the description of an
independent protection layer as given in the SIL Selection
Guidelines.

5.0 SUPPORTING SIL SELECTION WITH FAULT TREE ANALYSIS

Based on the reasons stated above, a SIL selection team should consider
a detailed Fault Tree Analysis (FTA) to determine the estimated
frequency of occurrence of this event. Although detailed analysis is
typically required to estimate the frequency of the unwanted event, the
consequence category selection can typically be done qualitatively with a
reasonable degree of accuracy. The result of the FTA can then used to
select a likelihood category, and subsequently the required SIL.

In general, a FTA is performed by identifying all of the basic events that

can either be the root cause of the accident (i.e., initiating event), or can
prevent the initiating event from propagating into the unwanted
accident. It is important to note that the term “DCS Protective Function”
is used throughout the discussion as a description of a layer of
protection. When this term is used, the system that is being described is
a basic process control system (BPCS) function that is separate from the
SIS that is under study. The basic events are then logically related to
each other using a graphical representation. The result of the fault tree
analysis is the frequency, or probability, of the “top event” or unwanted
accident, which is calculated using the probabilities and frequencies of
the basic events and a graphical description of how they are logically
related. A typical Hydrocracker application has at least nine (potentially
more depending on configuration) initiating events that can cause a

6
Hydrocracker Safeguarding with SIS

runaway reaction if no mitigating actions were taken after those events

occurred. The events are shown below.

1. Recycle compressor failure

When a recycle compressor failure occurs, the flow rate of hydrogen

through the reactor decreases. The decrease in hydrogen flow rate
effects both the hydrogen-to-hydrocarbon ratio of the feed and also will
stop the flow of quench gas. When this occurs, the heat removal with
excess hydrogen stops, but the reaction continues to occur because
there is still ample hydrogen available at a high pressure. Since the rate
of heat removal loss is so great it is virtually impossible for an operator
to prevent a runaway reaction from starting. Therefore, this scenario
requires depressuring. Depressuring will either occur due to the low
recycle gas flow SIF, which activates the slow depressuring upon loss of
recycle flow, or manual activation of the slow depressuring.

2. Reactor internals failure

The failure of reactor internals, such as catalyst support screens and

distribution boxes, can result in a temperature runaway. Failure of
equipment located above a Hydrocracking catalyst bed will result in
debris resting on top of the bed. The debris will cause flow
misdistribution and channeling. As a result, the areas of the bed where
flow has decreased will suffer a decrease in heat removal and increased
temperature. The increased temperature may propagate into a runaway
reaction. The thermal runaway in this scenario is much slower to
develop than for the recycle compressor failure scenario. As a result,
automatic control and operator intervention have a good chance of being
able to prevent a runaway reaction by adjusting quench rates to the
effected bed. While recovery from internals failure is possible, in some
cases the damage is so severe that recovery is impossible and a
depressuring must occur to bring process to a safe state.

3. Quench failure

Failure of quench control resulting in low or no quench flow could occur

as the result of either controller failure or quench control valve failure.
In either case, reactor temperatures would rise at a moderate rate as a
result of loss of heat removal. Recovery from the failure is possible
either through manual operation of the control valve from the control
room, or hand-jacking the control valve in the field if control room
operation is not possible.

4. Plugging and channeling due to coking and

contamination

During the normal course of operation of the Hydrocracker, coking and

plugging will occur in all of the catalyst beds. Coking and plugging can
result in misdistribution of flow and channeling through the catalyst bed.
As channeling occurs, heat removal from the catalyst bed will lose its
uniformity, allowing hot spots to occur in areas where flow has
decreased. The increased reaction in hot spots can result in a
temperature runaway. The development of temperature runaway in this
scenario is quite slow compared to other initiating events, allowing
7
Hydrocracker Safeguarding with SIS

automatic control and operator intervention to prevent the runaway in

most cases.

5. Improper catalyst loading results in channeling

Plugging and channeling can also occur as the result of poor catalyst
loading. The mechanism for runaway reaction is identical to the
mechanism described in the paragraph above. In this scenario, it is
expected that the operator will not have enough information or time to
detect the cause of the problem and the channeling could be quite
severe. As a result, no credit is typically given for the operator being
able to regain control of the process.

6. Bed temperature measurement failure leads to runaway

Failure of a bed temperature measurement can lead to a temperature

runaway if the result of the failure is decreasing or stopping quench flow.
An erroneous low bed temperature measurement will result in the
automatic quench controller decreasing quench flow rate. The
decreased, or stopped, quench flow will result in a moderately rapid
temperature rise as the heat removal from the bed decreases. If failure
of the temperature measurement can be detected, the reactor can be
returned to normal operation by switching the temperature
measurement used for control. In addition, manual operation of the
quench valve from the control room will also prevent a runaway from
occurring.

7. Failure of a recycle gas flow controller

Failure of the recycle gas flow controller in a position where flow is

stopped or significantly reduced will result in a temperature runaway.
This scenario will result in the same outcome as loss of the recycle
compressor. In this scenario, there is an opportunity for recovery by
operator intervention. Depending on the control loop’s failure mode, the
operator can take manual control of the loop either from the control
room or the field.

8. Change in feed flow rate and/or hydrogen-to-

hydrocarbon ratio

A significant change in feed flow rate can result in a temperature

runaway due to rapid change of the hydrogen-to-hydrocarbon ratio.
Significant changes in feed flow rate are the result of failures in feed
flow controllers and feed pumps. The temperature rise that will occur in
this scenario is moderately fast, but recovery is possible through
automatic and manual adjustment of quench rates and readjustment of
feed flow rates. In addition to manual and automatic attempts to
recover control of the process, a DCS function can be employed to loss
of hydrocarbon feed and subsequently perform a slow depressuring.

9. Failure of fired heater outlet temperature control causes

high heater outlet temperature

Excessive temperature of the reactor feed can also result in temperature

runaway, under certain circumstances. Excessive temperature of the

8
Hydrocracker Safeguarding with SIS

reactor feed is possible as the result of a failure of temperature control

of the charge heater such that maximum firing occurs. This failure may
result in reactor inlet temperatures that are so high that maximum
quench rates cannot bring the reactant temperature back down to the
stable range. If this failure occurs, the operator has the capability of
bringing the process back under control by manually operating the failed
temperature control loop. If manual temperature control fails, the
operator also has the option of manually stopping the heater, which will
bring the process to a safe state.

All of the initiating events described above can result in a runaway

reaction none of the listed corrective actions are taken. Once a runaway
reaction reaches the point where normal control cannot be re-
established, the process can be brought back to a safe state by either
manual or automatic depressuring. As described above, there are two
different depressuring systems, one for slow depressuring and another
for fast depressuring. In order to minimize the negative impact of a
depressuring on the process equipment, the slow depressuring is always
attempted first.

A slow depressuring can be activated by a manual switch in the control

room or in the white paper scenario by exceeding the high-high
temperature, as determined by a DCS protective function. In either
case, the slow depressuring valve is opened by de-energizing its
associated solenoid valve. Even if the slow depressuring system is
activated, there is a possibility that it will not decrease the reaction rate
quickly enough to prevent the runaway from propagating. In this case,
a fast depressuring will also be required to bring the process to a safe
state. Although failure of the slow depressuring to stop a runaway
reaction has been postulated, no instances where this has occurred are
known to the authors of this paper.

A fast depressuring can also be activated by a manual switch in the

control room or by exceeding the high-high-high temperature (in the
white paper scenario), as determined by a DCS protective function. In
either case, the fast depressuring valve is opened by de-energizing its
associated solenoid valve. If a fast depressuring is attempted from the
control room and fails, the depressuring can then be accomplished by
opening a manual depressuring valve in the field.

A fault tree was developed that represents the information presented

above. This fault tree was quantified based on a variety of information
sources. Control system and instrumentation failure rates were derived
from public and private databases of industrial equipment failure rates.
Failure rates of large piece of process equipment can be categorized
using expert judgment failure statistics. Other mitigating events
probabilities can also be quantified using industry data but in some cases
conservative expert judgment is required.

Based on the failure characteristics determined by the team, the

frequency of the top event can be calculated. Kenexis recommends the
use of fault tree analysis software that is capable of performing minimal
cut set analysis to perform this task, as gate-by-gate hand calculations
will deliver poor results. It is important to note that the calculated event
frequency makes assumptions about the integrity of SIF that are used to
9
 Hydrocracker Safeguarding with SIS

prevent the runaway reaction in various ways. The scenario under study
contains two SIF that can mitigate a runaway reaction, depending on the
initiating event that causes the runaway. Specifically, there is a SIF
which will cause a fast depressuring upon detection of high temperature
at the reactor outlet (this is the SIF for which this SIL selection analysis
is being performed), and there is also a SIF that will perform a slow
When two functions depressuring upon detection of loss of recycle gas flow.
are available to
prevent a single When two or more SIF are used to perform to mitigate the same hazard;
hazard, one SIF theoretically, there are an infinite number of combinations of allocation
should be arbitrarily of risk reduction between the two SIF that will yield a valid result. Since
assigned a the SIL selection process can only yield the required SIL for a single
proposed SIL, function, other means are required to allocate required risk reduction to
typically SIL 1, and one of the SIF. When this occurs one of the SIF should have a SIL
the balance of the arbitrarily assigned, such as assigning a SIL of 1 to the loss of recycle
required risk gas depressuring SIF, and then the SIL required of the high temperature
reduction should be depressuring SIF was calculated based on the residual risk. When more
allocated to the than one SIF is available to prevent a single hazard, all of the SIF except
remaining SIF to one should be arbitrarily assigned a SIL, and the balance should be
determine its “made up” with the remaining SIF. The “arbitrary” assignment should
required SIL level. start out by assigning a SIL of 1 (i.e., lowest cost) to the SIF that is most
expensive to install and maintain.

6.0 INCORPORATION OF FAULT TREE ANALYSIS RESULTS

A fault tree built and quantified for this scenario represents the
frequency at which the runaway reaction will occur without considering
the benefit of the SIF that is under consideration. The SIF under
consideration is “high reactor temperature causes fast depressuring”.
The FTA, in this scenario will result in a quantitative frequency at which
this event is expected to occur. While some organizations have
quantitative risk acceptance criteria that use this frequency result
directly, those criteria are not required. As an option to directly using
the frequency results, the FTA outcome can simply be used as support in
selection of a likelihood category from the matrix tables. This approach
is facilitated if the risk matrix category tables are set up to explicitly
show numerical ranges. It is important to note that the FTA result will
already incorporate the layers of protection that are available to prevent
the initiating events from propagating into the unwanted accident. As a
result, they should not be applied again. The required level of risk
reduction can then be obtained from a hazard matrix in, such as the one
in Figure 2. This required risk reduction value is the required SIL for this
scenario. For example, if the FTA calculated a value that fell into the
“remote” category for likelihood and the consequence was determine to
fall into the “severe” category, a SIL requirement of SIL 1 is obtained for
this SIF, based on the hazard matrix in Figure 2. The numbers in the
hazard matrix represent the orders of magnitude of risk reduction that
are required to make a given situation tolerable. Note that in some
cases the required risk reduction can be 5 or 6. According to the SIS
standards, SIS are only capable or performing up to 3 (ISA) or 4(IEC)

10
 Hydrocracker Safeguarding with SIS

orders of magnitude of risk reduction. If the analysis process yields a

need for risk reduction of 5 or 6, this cannot be accomplished with a
single SIF alone. Practically speaking, SIL 4 is not obtainable with
existing technology, and even SIL 3 is extremely costly over the lifecycle
of a process.

It is also important to note that the approach where the SIF can be
considered outside of the fault tree may not be appropriate. This
situation will occur when the SIF under study utilizes some of the same
equipment as other SIF or BPCS and operator intervention protection
layers. In this case, the SIF under study would also need to be included
in the fault tree. Using this approach, the design of all of the SIF would
need to be iteratively altered until the FTA result yields a likelihood
category, that for a given consequence does not require any further risk
reduction, in accordance with the tolerable risk matrix.

7.0 CONCLUSION

Short-cut methods that are commonly used for SIL selection such as
hazard matrices, risk graph, and even LOPA are effective in most
situations. However, there are some scenarios where selecting SIL using
these tools provides unsatisfactory results, usually because the selected
SIL was significantly higher than original expectations and good
engineering judgment dictates. In these scenarios supporting these
qualitative tools with quantitative risk analysis (QRA) calculations will
provide more reasonable and accurate results. The results of the
additional quantitative analysis can easily be incorporated into a risk
analysis tool’s format if inclusion of this type of analysis is planned
during the construction of the tool.

The high temperature emergency depressuring of a Hydrocracker reactor

is an example of a situation where the short-cut methods cannot provide
a realistic result due to the complexity and interrelationship of the
multiple safeguards and multiple initiating events. Use of additional QRA
will allow SIL to be effectively assigned for the multiple SIF involved in
mitigating this hazard.

11
 Hydrocracker Safeguarding with SIS

KENEXIS’ CAPABILITY AND EXPERIENCE

FOR HYDROCRACKER SIS TECHNOLOGY

Implementing the ISA and IEC consensus standards is not a trivial

activity because they require understanding of the risks of a
hydrocracker process and how to effectively manage risk using an
integrated system comprised of instrumentation, logic solvers, and final
control elements. Furthermore, these new standards come at a time
when business face ever-increasing pressures to reduce costs and
increase profits. In the face of these challenges, Kenexis is an
engineering consulting company that can help you implement standards
for Safety Instrumented Systems and cost-effectively manage your risks.

Kenexis’ innovative strategy for Safety Life Cycle services is built on the
foundations of:

• Risk Analysis Expertise

• Substantial Experience in the Process Industries

• Excellence in Control System Engineering

Kenexis provides consulting and engineering services, training, and tools

to make implementing safety instrumented systems cost effective.
Whether designing new safety systems, making major upgrades, or even
managing existing installations, Kenexis can help.

Safety Integrity Level Selection

The amount of risk reduction required of the SIS is specified by the

Safety Integrity Level (SIL). Kenexis provides procedures, tools, and
expert advice to help you select your SIL requirements. It’s important to
know that your equipment costs could multiply unnecessarily if you
select a stringent SIL rating when it’s not needed.

Safety Requirements Specification

This document specifies what actions the SIS should take, and how
effective it needs to be. Kenexis offers coaching and templates to help
you prepare the specification that most effectively meets your SIL
requirements.

Safety Integrity Level Verification

You are required to verify that the as-designed system meets the
required SIL rating. This can be a complex exercise in reliability analysis.
Kenexis can help by providing essential tools for your use, or by having
our staff perform an independent verification.

Operation and Maintenance / Function Testing

A key step is having procedures to operate, maintain and regularly test

the SIS. We help develop and execute procedures needed to effectively
test your equipment and demonstrate it meets the SIL target. We also

12
Hydrocracker Safeguarding with SIS

assist in meeting the requirements of Pre-Startup Acceptance Testing

and validation.

Kenexis has ample experience in the analysis, design, and

implementation of Hydrocracking technologies from a variety of
licensors. Kenexis’ experts have developed SIS design basis packages
for the following projects.

Unicracker SIS Upgrade – 2001 – Northern California US

Isocracker SIS Upgrade – 2002 – Gulf Coast US

Unicracker Addition – 2003 – Mid-Continent US

Unicracker Addition – 2004 – North-Midwest US

Unicracker Addition – 2005/6 – Gulf Coast US

13
 Hydrocracker Safeguarding with SIS

About the Authors

Ed Marszal, PE, CFSE

Kenexis
[email protected]
2929 Kenny Road, Suite 225
Columbus, OH 43221
+1 (614) 451-7031

Ed Marszal has over ten years of experience in instrumentation, safety systems design and risk analysis. Mr. Marszal
has worked with UOP, a developer and supplier of process units to the petroleum and petrochemical industries,
where he performed field verification of control and safety instrumented systems at customer sites world-wide. At
UOP, he also designed and managed development of custom control and safety system projects. After leaving UOP,
he joined a risk management consulting firm specializing in financial risk analysis and process safety management. In
this position he performed and managed risk assessment projects that included quantitative consequence and
likelihood analysis, including development of EPA Risk Management Programs with off site consequence analysis. He
has solid experience in numerous projects involving evaluation of the integrity of safety systems, financial risk
analysis and system design. Mr. Marszal has a BSChE from Ohio State University. He is a registered professional
engineer in the States of Ohio and Illinois, USA, and the certified functional safety expert (CFSE). Mr. Marszal is a
senior member of the Instrumentation, Systems, and Automation Society (ISA) and has held numerous positions of
responsibility in that organization, and also a member of the National Fire Protection Association (NFPA), and the
American Institute of Chemical Engineers (AIChE).

Kevin Mitchell, PE, CFSE

Kenexis
[email protected]
2929 Kenny Road, Suite 225
Columbus, OH 43221
+1 (614) 451-7031

Kevin Mitchell has over ten years of experience in chemical process safety and risk management. During much of this
time he worked as a consulting engineer for DNV and ERM-Risk, helping companies in the petroleum and chemical
industries implement process safety technology and management systems. Mr. Mitchell specializes in state-of-the-art
assessment of the risk of toxic, flammable, and explosive materials on people, property, the environment, and,
ultimately, the business. He uses risk assessment and cost-benefit analysis to assist in making engineering and
business decisions. Mr. Mitchell has defined safety integrity requirements for clients using the principals of risk
assessment in over 100 project assignments covering such diverse operations as oil & gas production, refining,
petrochemical, specialty chemical, plastic resin, transportation, and general manufacturing. He also has extensive
experience in investigating major chemical accidents to identify causes and develop lessons-learned. Mr. Mitchell has
a BS in Chemical Engineering from The University of Minnesota and is a Registered Professional Engineer in the state
of Ohio. He is also a member of the American Institute of Chemical Engineers and the Instrumentation, Systems, and
Automation Society. He has numerous technical publications and is a Certified Functional Safety Expert (CFSE).

This document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for
incidental or consequential damages in connection with the application of the document.
This report is copyright © 2005, Kenexis Consulting Corporation, all rights reserved. No part of this document may be
circulated, quoted, or reproduced for distribution other than the above named client without prior written approval from
Kenexis Consulting Corporation.