GUIDELINES FOR
DESIGN SOLUTIONS FOR PROCESS EQUIPMENT FAILURES
CENTER FOR CHEMICAL PROCESS SAFETY of the AMERICAN INSTITUTE OF CHEMICAL ENGINEERS 345 East 47th Street • New York, New York 10017
Copyright © 1998 American Institute of Chemical Engineers, 345 East 47th Street, New York, New York 10017. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior permission of the copyright owner.

Library of Congress Cataloging-in-Publication Data
Guidelines for design solutions for process equipment failures. p. cm. Includes bibliography and index. ISBN 0-8169-0684-X
1. Chemical plants—Safety measures. 2. Petroleum refineries—Safety measures. 3. Hazardous materials—Safety measures. I. American Institute of Chemical Engineers. Center for Chemical Process Safety. II. Title: Design solutions for process equipment failures.
TP155.5.G784 1997 660'.2804 dc21 97-20538 CIP
This book is available at a special discount when ordered in bulk quantities. For information, contact the Center for Chemical Process Safety at the address shown above.
It is sincerely hoped that the information presented in this volume will lead to an even more impressive safety record for the entire industry; however, the American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers' officers and directors and Arthur D. Little Corporation disclaim making or giving any warranties or representations, express or implied, including with respect to fitness, intended purpose, use or merchantability and/or correctness or accuracy of the content of the information presented in this document. As between (1) American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers, their employers' officers and directors, and Arthur D. Little Corporation and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the consequences of its use or misuse.
FOREWORD
Engineers like to think of their discipline as a rigorous application of scientific and mathematical principles to the problem of creating a useful object. To a certain extent, this is an appropriate description of the tools of engineering—those techniques that we use to translate a concept in the mind of the designer into a physical object. But where does that mental image of the object to be built come from? At its heart, engineering is intuitive, and an art form. The engineer/designer's accumulated experience, and that of others, is applied to a defined problem. By intuitive and creative problem-solving processes the engineer develops and refines a conceptual design, and uses the mathematical and scientific tools of engineering to translate a mental concept into reality.

The selection of the design basis for a process safety system is a problem like any other engineering problem. There is no equation or formula, no scientific principle, which will define the "best" design. Yes, there are scientific and mathematical tools which will help convert a design concept into something which can actually be constructed. But there is no general answer to the question "What is the best design?" Each system must be considered on its own, with a thorough evaluation of all of the details of its environment and required functions, to determine what the optimal design will be.

The number of potential solutions to any engineering problem is large. For each specific problem, there will be some solutions which meet the overall objectives better than others. How can we best find the optimal solution? I believe that the critical first step is to consider a large number of potential solutions, thereby increasing the likelihood that the best solution will be among those identified. Where do we get those potential solutions? One important source is accumulated experience—our own, and that of others who have faced similar problems in the past.

This book collects much of that accumulated experience from a large number of experts in the chemical process industry for equipment in common use. Use of the tables which make up the heart of this book will allow the reader to take advantage of many years of practical experience. By considering a large number of potential solutions to the problem of specifying the design basis for safety systems, the design engineer is more likely to be able to identify the solution which best meets his needs.

This book emphasizes a risk-based approach to the evaluation of safety system design. Potential safety systems suggested are categorized as inherently safer/passive, active, and procedural, in decreasing order of robustness and reliability. Inherently safer approaches are often preferred, but there can be no general answer to the question of which approach or specific solution is best for a particular situation. Instead, the design engineer must take a very broad and holistic approach to the complete design, accounting for the many different, and often competing, objectives which the design must accomplish. Safety, health effects, environmental impact, loss prevention, economic and business factors, product quality, technical feasibility, and many other factors must be considered. This book challenges the engineer to adopt a risk-based approach to evaluating many competing goals when deciding among a number of potential design alternatives.

This book can be extremely useful in conducting process hazard analysis studies. The failure mode tables in Chapters 3-12 can be the basis for hazard identification checklists, and also offer a variety of potential solutions for identified concerns. However, the book will be even more beneficial if used by the individual engineer at the earliest stages of the design process, before any formal hazard reviews. The message of this book can be summarized very briefly:
• Consider a large number of design options
• Identify opportunities for inherent and passive safety features early
• Use a risk-based approach to process safety systems specification

I hope that this book will find a home on the desk (not gathering dust on the bookshelf!) of every chemical process designer, particularly those involved in the earliest phases of conceptual design where the basic chemistry and unit operations are defined. It should be consulted frequently in the course of the designer's day-to-day work in specifying and designing process facilities. If you are a process safety professional, make sure that all of the process design engineers in your organization read and use this book. It will make your job a lot easier!

Dennis C. Hendershot
PREFACE
The Center for Chemical Process Safety (CCPS) was established in 1985 by the American Institute of Chemical Engineers (AIChE) for the express purpose of assisting the Chemical and Hydrocarbon Process Industries in avoiding or mitigating catastrophic chemical accidents. To achieve this goal, CCPS has focused its work on four areas:
• establishing and publishing the latest scientific and engineering practices (not standards) for prevention and mitigation of incidents involving toxic and/or reactive materials,
• encouraging the use of such information by dissemination through publications, seminars, symposia and continuing education programs for engineers,
• advancing the state of the art in engineering practices and technical management through research in prevention and mitigation of catastrophic events, and
• developing and encouraging the use of undergraduate education curricula which will improve the safety knowledge and consciousness of engineers.

This book, Guidelines for Design Solutions for Process Equipment Failures, is the result of a project begun in 1994 in which a group of volunteer professionals representing major chemical, pharmaceutical and hydrocarbon processing companies worked with Arthur D. Little Inc., the contractor, to produce a book that attempts to describe the ways that major processing equipment can fail and be the cause of a catastrophic accident. The book then identifies the available design solutions that might avoid or mitigate the failure in a series of options ranging from inherently safer/passive solutions to active and procedural solutions.

The book is concerned with engineering design that reduces risk due to process hazards only. It does not focus on operations, maintenance, transportation or personnel safety issues, although improved process safety can benefit each area. Detailed engineering designs are outside the scope of the work, but the authors have provided an extensive guide to the literature to assist the designer who wishes to go beyond safety design philosophy to the specifics of a particular safety system design.

By capturing industry experience in how major processing equipment can fail, the book provides a very useful tool for the selection of process safety systems which should be of service to process design engineers as well as members of process hazards analysis teams. The inherently safer solutions that are suggested may, in some cases, come as a surprise to the process and design engineer in that they may in fact be the most cost-effective solution as well, if a true life-cycle analysis is made of the cost of maintaining add-on safety systems, or if the resulting cost of operator failure to carry out procedural controls is considered. In other cases the procedural solution may be the best choice because it involves operators, so that they may better understand and therefore better control the process, as opposed to the replacement of operator intelligence with process interlocks. The book offers engineers inherently safer/passive, active and procedural design solutions but, ultimately, engineers must make the case for the solutions that best satisfy their company's requirements for a balance between risk reduction and cost.

This book has been organized into three major sections:
• First, a technique is provided for making risk-based design decisions.
• Second, a description of potential failure scenarios is presented for ten major processing equipment categories along with the potential design solutions that are available to the engineer.
• Third, the book contains two worked examples that illustrate how the risk-based decision technique can be applied to two process plant systems.

The major equipment categories that are covered are: Vessels, Reactors, Mass Transfer Equipment, Heat Transfer Equipment, Dryers, Fluid Transfer Equipment, Solid-Fluid Separators, Solids Handling and Processing Equipment, Fired Equipment, and Piping and Piping Components. The potential equipment failure scenarios and design solutions for each equipment category are provided in tabular form in each equipment chapter. To facilitate use of this information, particularly in hazard identification studies such as HAZOPs, these tables have been provided in electronic format on a 3.5" diskette as Microsoft Word files. It is hoped that this will encourage the expansion of these tables based on the users' experience.
ACKNOWLEDGMENTS
The Center for Chemical Process Safety (CCPS) and those involved in its operation wish to thank its many sponsors whose funding made this project possible, the members of its Technical Steering Committee who conceived of and supported this Guidelines project, and the members of its Engineering Practices Subcommittee for their dedicated efforts, technical contributions, and enthusiasm. The subcommittee played a major role in the writing of the book by suggesting examples, by offering failure scenarios for the major equipment covered in the book and by suggesting possible design solutions. It is their collective industrial experience captured in this book that makes the book especially valuable to the process and design engineer. The members of the subcommittee wish to thank their employers for providing time and support to participate in this project.

The members of the Engineering Practices Subcommittee were:
Robert H. Walz (Chairman), ABB Lummus Global Inc.
Laurence G. Britton, Union Carbide Corp.
Stephen E. Cloutier, UOP
Glenn R. Davis, DuPont
Kenneth W. Linder, Industrial Risk Insurers
Peter N. Lodal, Eastman Chemical Co.
Joseph B. Mettalia, Jr., CCPS Staff
John A. Noronha, Eastman Kodak Co.
Carl A. Schiappa, Dow Chemical USA

Technical contributors and reviewers were:
Steven R. Bruce, EQE International
Myron Casada, JBF Associates Inc.
William F. Early, Early Consulting, L.C.
Rudolph C. Frey, The M. W. Kellogg Company
John A. Hoffmeister, Lockheed Martin Energy Systems
T. Janicik, Mallinckrodt Inc.
Robert W. Johnson, Battelle
Joseph Keel, The Bechtel Corporation
D. Harper Meek, ARCO Chemical Company
Mark A. Moderski, Stone & Webster Engineering Corporation
Harvey Rosenhouse, FMC Corporation
Stanley J. Schecter, Consultant
Adrian L. Sepeda, Occidental Chemical Corporation
Anthony A. Thompson, Monsanto Company
Lester H. Wittenberg, CCPS

The Engineering Practices Subcommittee is particularly indebted to its chairman, Bob Walz, for his leadership, and to Peter Lodal of Eastman Chemical Company and Joe Keel of The Bechtel Corporation for their dedicated efforts in preparing the VCM/HCl fractionation worked example in the book. Dennis C. Hendershot of the Rohm and Haas Company wrote the foreword to the book and is appreciated for his ongoing interest in this project and his able assistance and review of the work as it was being produced. Sanjeev Mohindra, P. J. Bellomo and R. Peter Stickles directed the project at Arthur D. Little, Inc. and were the authors of the risk-based design technique described in Chapter 2. Stanley S. Grossel, consultant and former chairman of the Engineering Practices Subcommittee, was the author of Chapter 4 (Reactors), Chapter 7 (Dryers), Chapter 9 (Solid-Fluid Separators), Chapter 10 (Solids Handling and Processing Equipment) and the Batch Reactor worked example.
Contents
Foreword ...............................................................................
xiii
Preface ..................................................................................
xv
Acknowledgments .................................................................
xvii
1. Introduction ...................................................................
1
1.1 Objectives ..........................................................................
1
1.2 Scope .................................................................................
2
1.3 Background ........................................................................
2
1.4 Applicability and Audience .................................................
3
1.5 Organization of This Book .................................................
3
1.6 References ........................................................................
4
Suggested Additional Reading .......................................
4
2. Technique for Selecting the Design Bases for Process Safety Systems ...............................................
5
2.1 Risk-Based Design Decisions ............................................
5
2.2 The Concept of Risk ..........................................................
7
2.3 Selection of Design Bases for Safety Systems ..................
9
2.3.1 Step 1: Identify Failure Scenarios .......................
9
2.3.2 Step 2: Estimate the Consequences ...................
9
2.3.3 Step 3: Determine Tolerability of Consequences ...................................................
11
2.3.4 Step 4: Estimate Likelihood and Risk ..................
11
2.3.5 Step 5: Determine Tolerability of Risk .................
12
This page has been reformatted by Knovel to provide easier navigation.
v
vi
Contents 2.3.6 Step 6: Consider Enhanced and/or Alternative Designs ............................................
12
2.3.7 Step 7: Evaluate Enhancements and/or Alternatives ........................................................
13
2.3.8 Step 8: Determine Tolerability of Risk and Cost ...................................................................
13
2.3.9 Step 9: Document Results ..................................
13
2.4 Guidelines for Risk Tolerability ..........................................
14
2.5 Potential Process Safety Systems Design Solutions .........
20
2.5.1 Four Categories of Design Solutions ...................
20
2.5.2 Characteristics of Design Solution Categories .........................................................
24
2.6 Applying the Risk-Based Design Bases Selection Technique ..........................................................................
27
2.6.1 Locking Open a Valve (a Simple Design Case) .................................................................
27
2.6.2 Selecting the Relief System Basis for a Reactor (a Complex Design Case) .....................
30
2.7 References ........................................................................
34
Suggested Additional Reading .......................................
35
3. Vessels ...........................................................................
37
3.1 Introduction ........................................................................
37
3.2 Past Incidents ....................................................................
37
3.2.1 Storage Tank Autopolymerization Incident ..........
37
3.2.2 Storage Tank Stratification Incident ....................
38
3.2.3 Batch Pharmaceutical Reactor Accident .............
39
3.3 Failure Scenarios and Design Solutions ............................
40
3.4 Discussion .........................................................................
40
3.4.1 Use of Potential Design Solutions Table .............
40
3.4.2 Special Considerations .......................................
41
This page has been reformatted by Knovel to provide easier navigation.
Contents
vii
3.5 References ........................................................................
43
Suggested Additional Reading .......................................
44
Table 3. Failure Scenarios for Vessels ......................................
45
4. Reactors .........................................................................
61
4.1 Introduction ........................................................................
61
4.2 Past Incidents ....................................................................
61
4.2.1 Seveso Runaway Reaction .................................
62
4.2.2 3,4-Dichloroaniline Autoclave Incident ................
62
4.2.3 Continuous Sulfonation Reaction Explosion ........
63
4.3 Failure Scenarios and Design Solutions ............................
63
4.4 Discussion .........................................................................
64
4.4.1 Use of Potential Design Solutions Table .............
64
4.4.2 General Discussion ............................................
64
4.4.3 Special Considerations .......................................
66
4.5 References ........................................................................
67
Suggested Additional Reading .......................................
68
Table 4. Failure Scenarios for Reactors ....................................
69
5. Mass Transfer Equipment ............................................
79
5.1 Introduction ........................................................................
79
5.2 Past Incidents ....................................................................
79
5.2.1 Distillation Column Critical Concentration ...........
80
5.2.2 Ethylene Purifier Vessel Rupture ........................
80
5.2.3 Ignition of Pyrophoric Materials in Gasoline Fractionator ........................................................
81
5.3 Failure Scenarios and Design Solutions ............................
82
5.4 Discussion .........................................................................
82
5.4.1 Use of Potential Design Solutions Table .............
82
5.4.2 Special Considerations .......................................
82
This page has been reformatted by Knovel to provide easier navigation.
viii
Contents 5.5 References ........................................................................
83
Suggested Additional Reading .......................................
83
Table 5. Failure Scenarios for Mass Transfer Equipment .........
84
6. Heat Transfer Equipment .............................................
89
6.1 Introduction ........................................................................
89
6.2 Past Incidents ....................................................................
89
6.2.1 Ethylene Oxide Redistillation Column Explosion ...........................................................
89
6.2.2 Brittle Fracture of a Heat Exchanger ...................
90
6.2.3 Cold Box Explosion ............................................
91
6.3 Failure Scenarios and Design Solutions ............................
92
6.4 Discussion .........................................................................
92
6.4.1 Use of Potential Design Solutions Table .............
92
6.4.2 Special Considerations .......................................
92
6.5 References ........................................................................
93
Suggested Additional Reading .......................................
94
Table 6. Failure Scenarios for Heat Transfer Equipment ..........
95
7. Dryers ............................................................................. 101 7.1 Introduction ........................................................................
101
7.2 Past Incidents ....................................................................
101
7.2.1 Drying of Compound Fertilizers .......................... 102 7.2.2 Fires in Cellulose Acetate Dryer ......................... 102 7.2.3 Pharmaceutical Powder Dryer Fire and Explosion ........................................................... 102 7.3 Failure Scenarios and Design Solutions ............................
103
7.4 Discussion .........................................................................
103
7.4.1 Use of Potential Design Solutions Table ............. 103 7.4.2 Special Considerations ....................................... 103
This page has been reformatted by Knovel to provide easier navigation.
Contents 7.5 References ........................................................................
ix 104
Suggested Additional Reading ....................................... 104 Table 7. Failure Scenarios for Dryers ........................................
106
8. Fluid Transfer Equipment ............................................. 117 8.1 Introduction ........................................................................
117
8.2 Past Incidents ....................................................................
117
8.2.1 Reciprocating Pump Leak ................................... 117 8.2.2 Pump Leak Fire .................................................. 118 8.2.3 Compressor Fire and Explosion .......................... 118 8.2.4 Start-up of Parallel Centrifugal Pumps ................ 119 8.3 Failure Scenarios and Design Solutions ............................
119
8.4 Discussion .........................................................................
119
8.4.1 Use of Potential Design Solutions Table ............. 119 8.4.2 Special Considerations ....................................... 120 8.5 References ........................................................................
121
Suggested Additional Reading ....................................... 121 Table 8. Failure Scenarios for Fluid Transfer Equipment ..........
122
9. Solid-Fluid Separators .................................................. 127 9.1 Introduction ........................................................................
127
9.2 Past Incidents ....................................................................
127
9.2.1 Batch Centrifuge Explosion ................................ 128 9.2.2 Filter Explosion .................................................. 128 9.2.3 Dust Collector Explosion .................................... 129 9.3 Failure Scenarios and Design Solutions ............................
129
9.4 Discussion .........................................................................
130
9.4.1 Use of Potential Design Solutions Table ............. 130 9.4.2 Special Considerations ....................................... 130 9.5 References ........................................................................ This page has been reformatted by Knovel to provide easier navigation.
131
x
Contents Suggested Additional Reading ....................................... 131 Table 9. Failure Scenarios for Solid-Fluid Separators ...............
132
10. Solids Handling and Processing Equipment .............. 137 10.1 Introduction ........................................................................
137
10.2 Past Incidents ....................................................................
138
10.2.1 Silicon Grinder Fire and Explosion ...................... 138 10.2.2 Blowing Agent Blender Operation Explosion Incident .............................................................. 138 10.2.3 Screw Conveyor Explosion ................................. 139 10.2.4 Bucket Elevator Explosion .................................. 139 10.3 Failure Scenarios and Design Solutions ............................
139
10.4 Discussion .........................................................................
140
10.4.1 Use of Potential Design Solutions Table ............. 140 10.4.2 General Discussion ............................................ 140 10.4.3 Special Considerations ....................................... 140 10.5 References ........................................................................
142
Suggested Additional Reading ....................................... 143 Table 10. Failure Scenarios for Solids Handling and Processing Equipment .......................................................
144
11. Fired Equipment ............................................................ 149 11.1 Introduction ........................................................................
149
11.2 Past Incidents ....................................................................
149
11.2.1 Light-off Error ..................................................... 149 11.2.2 Ethylene Cracking Furnace Overfiring ................ 150 11.2.3 Furnace Tube Failure ......................................... 150 11.3 Failure Scenarios and Design Solutions ............................
151
11.4 Discussion .........................................................................
151
11.4.1 Use of Potential Design Solutions Table ............. 151
This page has been reformatted by Knovel to provide easier navigation.
Contents
xi
11.4.2 Special Considerations ....................................... 151 11.5 References ........................................................................
152
Suggested Additional Reading ....................................... 153 Table 11. Failure Scenarios for Fired Equipment ......................
154
12. Piping and Piping Components ................................... 161 12.1 Introduction ........................................................................
161
12.2 Past Incidents ....................................................................
161
12.2.1 Flixborough Expansion Joint Failure ................... 161 12.2.2 Chemical Storage Terminal Fire ......................... 162 12.2.3 Line Pluggage .................................................... 163 12.2.4 External Corrosion ............................................. 163 12.3 Failure Scenarios and Design Solutions ............................
163
12.4 Discussion .........................................................................
164
12.4.1 Use of Potential Design Solutions Table ............. 164 12.4.2 Special Considerations ....................................... 164 12.5 References ........................................................................
166
Suggested Additional Reading ....................................... 166 Table 12. Failure Scenario for Piping and Piping Components ......................................................................
168
Appendix A Example Problem: Batch Chemical Reactor ........................................................................... 179 A.1 System Description ............................................................
179
A.2 General Information Requirements ....................................
181
A.3 PSS Discussion for Batch Reactors ..................................
182
A.3.1 Vessel Design and Primary Containment ............ 182 A.3.2 Control Systems and Safe Automation ............... 183 A.3.3 Pressure and Vacuum Relief .............................. 186 A.3.4 Fixed Fire Protection and Passive Mitigation ....... 187
This page has been reformatted by Knovel to provide easier navigation.
xii
Contents A.4 Selection of Design Bases for Safety Systems ..................
187
A.5 Ignition of Flammable Atmosphere in the Reactor Vapor Space Caused by Static Discharge Spark (Failure Scenario A) ...........................................................
193
A.6 Cooling System Control Failure (Failure Scenario B) ........
194
A.7 External Fire (Failure Scenario C) .....................................
196
A.8 Loss of Sealing Fluid to Reactor Agitator Mechanical Seal (Failure Scenario D) ...................................................
197
A.9 Ignition of Flammable Atmosphere in Reactor Vapor Space Caused by Hot Mechanical Seal (Failure Scenario E) ........................................................................
199
A.10 Documentation ...................................................................
200
References ................................................................................
201
Suggested Additional Reading ....................................... 201
Appendix B Example Problem: Distillation System ........ 203 B.1 System Description ............................................................
204
B.2 General Information Requirements ....................................
204
B.3 PSS Discussion for Distillation Operations ........................
206
B.3.1 Vessel Design and Primary Containment ............ 206 B.3.2 Control Systems and Safe Automation ............... 207 B.3.3 Pressure and Vacuum Relief .............................. 209 B.3.4 Fixed Fire Protection, Passive Mitigation and System-Wide Concerns ...................................... 210 B.4 Design Basis Selection Process ........................................
210
B.5 Uncontrolled Energy Input (Failure Scenario A) ................
215
B.6 External Fire (Failure Scenario B) ......................................
220
B.7 Internal Deflagration (Failure Scenario C) .........................
225
B.8 Vacuum Collapse of the Column (Failure Scenario D) ........................................................................
226
This page has been reformatted by Knovel to provide easier navigation.
Contents
xiii
B.9 Blocked-in Liquids in Heat Transfer Equipment (Failure Scenario E) ........ 230
B.10 Documentation ........ 230
References ........ 233
Suggested Additional Reading ........ 234
Glossary ........ 235
Acronyms and Abbreviations ........ 245
Index ........ 249
1 INTRODUCTION
The Center for Chemical Process Safety (CCPS) publication Guidelines for Engineering Design for Process Safety (CCPS 1993) emphasized the importance of focusing on process safety at the earliest stages of design. The 1993 Guidelines presented process safety design philosophies and approaches to avoid catastrophes through:
• Making good initial design choices
• Understanding and controlling chemical processing hazards
The purpose of this book is to provide a companion book to the 1993 Guidelines. This book narrows the design focus further, concentrating on known process safety problems and associated design solutions for specific types of process equipment.
1.1 OBJECTIVES
A broad objective of this book is to help in the design and evaluation of specific types of process equipment, from a process safety standpoint. The overall goal is to help reduce process safety related incidents and resulting downtime. More specific objectives include:
• Providing a risk-based and cost-based technique for selecting the design bases for process safety systems
• Listing known process safety failure scenarios associated with different categories/types of process equipment
• Identifying known design solutions that prevent or mitigate risks associated with the various failure scenarios
• Illustrating application of the risk-based technique with worked examples
This book compiles successful safety system design approaches, so that design engineers can benefit from the prior experiences of the industry at large, and thus avoid known design traps. Having all this equipment-specific failure scenario information—and associated design solution discussions—in one reference should facilitate design and risk analysis in the process industries.
1.2 SCOPE
The focus of this work is the avoidance of acute, catastrophic incidents that can result in:
• Fires
• Explosions
• Releases of toxic chemicals
• Major equipment damage
The scope of this volume specifically excludes:
• Transportation safety
• Routine environmental control
• Personnel safety and industrial hygiene practices
Although detailed engineering design and process safety management are not emphasized in this book, engineers who are involved in those activities will benefit greatly from the concepts and information discussed.
1.3 BACKGROUND
Since its inception in 1985, CCPS has advocated deliberate process safety approaches in all aspects of facility design, operation, and maintenance. Yet unlike other technical endeavors of the engineer, the day-to-day practice of process safety has often lacked a deliberate, systematic approach. How often have engineers installed process safety systems simply because it "felt" like the right thing to do or because it "seemed" to make the overall process safer? In the evolution of its process safety thinking, CCPS has sensed the need to state and discuss what some might find obvious:
• Analogous to the sizing and specification of process equipment, process safety systems have specific design bases.
• Process safety system design decisions deserve systematic technical approaches similar to those associated with other process design decisions.
• The designs of process facilities should, from the outset, accommodate known or potential failure scenarios associated with the types of equipment employed.
Thus, the reason for producing this book is to capture the hard-won experience of industry experts in understanding how process equipment can fail and how these failures could be avoided through proper design. No attempt is made to provide detailed design suggestions, but the reader is supplied with a guide to the available literature that should enable him or her to investigate potential designs in some depth.
1.4 APPLICABILITY AND AUDIENCE
The history of process safety related incidents suggests that engineers have lessons to learn about the most "standard" process equipment and components, such as storage tanks, pumps, and piping systems. Accordingly, these guidelines apply to standard process equipment and components and their known, related failure scenarios—for both new and existing process facilities. Given the broad range of standard process equipment covered, this book should apply to a wide variety of system designs. While it is expected that this book will have general appeal to anyone involved in process design or process safety evaluation, the book is intended for a particular audience. This audience is comprised of (1) process design engineers, (2) plant operations and maintenance engineers, and (3) process hazard analysis (PHA) leaders and teams. Readers can benefit from the wealth of knowledge derived from others' experiences, informed judgment, and proven design solutions. PHA leaders and teams should find the book useful as a reference for possible failure mechanisms to consider during PHAs.
1.5 ORGANIZATION OF THIS BOOK
This book begins with this brief introductory chapter, followed by Chapter 2, which presents a practical and systematic technique for selecting the design bases for process safety systems. A series of "equipment chapters" follows, presenting known failure scenarios for the specific equipment in question alongside associated design solutions. Finally, the book concludes with an appendix comprised of two worked examples. In summary, this book has four parts:
Chapter 1. Introduction
Chapter 2. Technique for Selecting Process Safety System Design Bases
Chapters 3-12. Equipment Chapters
Appendix. Worked Examples
The equipment chapters comprise the bulk of this book. The content of these chapters is standardized and includes: (1) equipment descriptions, (2) past incidents, (3) discussions of potential design solutions, and (4) failure scenario tables. The heart of an equipment chapter is the failure scenario table. This table presents failure scenarios in a format similar to a PHA log sheet. Alongside each failure scenario, process safety system design solutions are presented and divided into categories as described in 2.5.1:
• Inherently Safer/Passive systems
• Active systems
• Procedural systems
Since the first two categories of Inherently Safer and Passive can overlap, they are presented in a single column as Inherently Safer/Passive. In addition to addressing the risk reduction of associated failure scenarios, discussions of process safety system design solutions touch on issues impacting system operability and maintainability. Chapter 2 provides a deeper discussion of the design solution categories and their scope of coverage within this book. Chapter 2 should be studied before using the information in Chapters 3-12.
1.6 REFERENCES
CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
Suggested Additional Reading
Lees, F. P. 1996. Loss Prevention in the Process Industries. 2nd Edition. Oxford, UK: Butterworth-Heinemann.
Bollinger, R. E., Clark, D. G., Dowell, A. M., Ewbank, R. M., Hendershot, D. C., Lutz, W. K., Meszaros, S. L., Park, D. E., and Wixom, E. D. 1996. Inherently Safer Chemical Processes: A Life Cycle Approach, ed. D. A. Crowl. New York: American Institute of Chemical Engineers.
Englund, S. M. 1991. Design and Operate Plants for Inherent Safety, Part 1, Chemical Engineering Progress, 85-91, March, 1991; Part 2, Chemical Engineering Progress, 79-86, May, 1991.
Lin, D., Mittelman, A., Halpin, V. and Cannon, D. 1994. Inherently Safer Chemistry: A Guide to Current Industrial Processes to Address High Risk Chemicals. Office of Pollution Prevention and Toxics, September 21, 1994. Washington, DC: US Environmental Protection Agency.
Lutz, W. K. 1995. Putting Safety into Chemical Plant Design. Chemical Health and Safety, November/December, 1995.
2 TECHNIQUE FOR SELECTING THE DESIGN BASES FOR PROCESS SAFETY SYSTEMS
2.1 RISK-BASED DESIGN DECISIONS Anyone involved with process or equipment design sooner or later faces the problem of choosing among alternative designs with differing process efficiency, safety, environmental control, cost, and schedule implications. To accomplish this, the formation of a multidisciplinary design team is required at the beginning of a project in order to obtain total integration of process safety with process design and environmental protection considerations (Windhorst 1995). Sometimes the safety considerations clearly dominate and the decisions are already made in the form of special design approaches (e.g., design of nitromethane and ethylene oxide facilities). In some instances codes and standards exist that either mandate or suggest design approaches to known high risks. In a majority of situations, however, no one factor dominates, except perhaps cost. When there are recognized safety implications, optimizing on cost alone is not an acceptable strategy. In the process of arriving at a design basis decision, the risks of each option are typically dealt with judgmentally or qualitatively (CCPS 1995a). In some instances, one component of risk is quantified (i.e., either consequence or probability) to justify the design selection. For large projects, full risk quantification is sometimes used to assess the combined impacts of multiple hazards. To take a generic case, imagine a core process design at the stage of an initial process flow diagram, whereby designers have specified the general configuration of all major system equipment (i.e., for all primary unit operations). At this point, the design is defined in terms of heat and material balances, and basic process controls.
With the core system established, an engineering team proceeds to detail and enhance the process design. Questions of quality, safety, health, and environmental impact arise. Designers begin imagining things that can go wrong with the system (i.e., failure scenarios). Focusing here on process safety systems, we suggest that designers begin thinking like risk analysts, asking:
• What can go wrong? What failure scenarios can we realistically expect with this process?
• What impact can those failure scenarios have? Can we live with such consequences?
• Do we need to worry about these potential failure scenarios actually happening? How likely are they to occur?
• What is the risk? Can we tolerate the potential consequences at the estimated likelihood?
Historically, design engineers have typically answered these questions according to their own best judgment. This is how process safety systems came to be: designers made risk-based decisions when considering the need for, and when selecting design bases for, process safety systems. If posed at the conceptual stage of a process design, these questions offer great opportunity for the application of inherently safer design solutions. While inherently safer solutions should emerge as recurring themes throughout the design cycle (i.e., laboratory stage, pilot plant scale, production design, operations), the earlier the application of inherently safer solutions, the more cost-effective these solutions will be. It is important to recognize that, irrespective of the specific approaches and the level of effort, engineers and technical managers are already directly or indirectly factoring risk into the selection of design options. Unfortunately, the process used to assess risk is often neither systematic nor comprehensive. This chapter presents a decision process for design bases selection that explicitly incorporates the elements of risk into process safety system design selection.
The purpose of this technique is not to require designers to conduct rigorous risk assessments, but rather to provide a logical approach and framework for considering risk factors, even when the situation only warrants qualitative analysis. This decision process can be applied at any stage of the design. A systematic technique can provide a consistent risk management framework for process safety system design basis decisions. Inconsistencies in approach can develop not only between different processes and facilities, but also in the case of large, complex design projects, different design engineers may follow different risk management philosophies. Consistency with respect to risk tolerability decisions is necessary to assure all stakeholders (e.g., owners, employees, customers, and the general
public) that risks are being properly managed. In some countries, governments are also explicit stakeholders in the effort to reduce the risk of chemical industry accidents, providing such regulations as OSHA 1992, EPA 1996, and HSE 1989. Consequently, having a consistent, documented technique for the selection and design of process safety systems is not only prudent management, it is evolving into a regulatory requirement. However, systematic does not necessarily imply quantitative. Quantitative risk assessment is similar to strong medication—you don't want to overdose! In many simple design situations, qualitative approaches will satisfy the requirements of the technique for selecting process safety system design bases. More complex design cases may occasionally require rigorous quantitative risk analysis approaches. But even in these complex cases, quantitative approaches should only be employed to the degree required to make a decision. This concept of the selective use of quantitative risk analysis has been incorporated into the technique presented later in the chapter. For example, consider a company that has toxic impact criteria limiting potential off-site vapor concentrations to a specific, quantified level of concern. By performing vapor dispersion calculations (i.e., by quantitatively characterizing the consequences of potential releases), the company can determine whether particular loss of containment scenarios associated with specific failures exceed the toxic impact criteria. If the consequences of a scenario satisfy the off-site toxic impact tolerability criteria, then the quantification of the risk stops right there. No analysis of event likelihood is needed to reach a decision.
2.2 THE CONCEPT OF RISK
As mentioned earlier, the design basis selection technique for process safety systems set forth later in this chapter is a risk-based technique. An overview of the concept of risk is therefore useful before presentation of the technique. In prior CCPS books, discussions of risk evolved from the definition of hazard. These earlier works defined a hazard as a chemical or physical condition or characteristic that has the potential for causing damage to people, the environment, or property (CCPS 1989; CCPS 1993). A hazard represents a potential source of harm. Based on this concept of hazard, we can define an incident as an unplanned event or series of events with the potential for undesirable consequences (CCPS 1992a). An incident has the potential to expose people, the environment, or property to the harmful effects of a hazard. Risk is defined as a measure of loss in terms of both "the incident likelihood and the magnitude of the loss" (CCPS 1989). This concept of risk couples an undesirable outcome, i.e., a consequence such as safety impact or financial loss, with the likelihood of that outcome. The likelihood is expressed in terms of frequency or probability of occurrence. The outcome is expressed in terms of impacts such as loss of life, environmental damage, or business interruption. In summary, inherent in the assessment of risk are the dimensions of consequences (outcomes/impacts) and likelihood (frequency/probability). Various techniques, both qualitative and quantitative, have evolved for assessment of risk. It is not the intent of this book to cover these techniques. A thorough discussion of this subject can be found in Guidelines for Chemical Process Quantitative Risk Assessment (CCPS 1989) and Guidelines for Chemical Transportation Risk Analysis (CCPS 1995b). For the purpose of this book, the description of four key risk assessment steps in Exhibit 2.1 suffices.
EXHIBIT 2.1 Four Key Integrated Activities in Risk Analysis
Activity 1. Hazard Identification
Description:
• Systematic identification of hazards and related failure scenarios that can lead to incidents
• Frequently involves application of standard techniques such as HAZOP, FMEA, and What-If
Activity 2. Consequence Estimation
Description:
• Process used to estimate the consequence of failure scenarios
• Typically involves a range of activities from simple application of qualitative damage criteria to complex computer models for characterizing impacts of hazardous materials releases that result in fires, explosions, and toxic vapor clouds
• Characterization of the release conditions (i.e., source term) is a critical step in quantitative consequence analysis, having great influence on the validity of the results
Activity 3. Likelihood Estimation
Description:
• Process used to estimate the likelihood (probability or frequency) of a particular incident or outcome
• Where available, historical data are used to quantify the likelihood
• When historical data are unavailable, incomplete, or inappropriate, analytical approaches such as fault tree and event trees are employed to determine the likelihood of incident/outcomes based on more fundamental failure data
Activity 4. Risk Estimation
Description:
• Process of combining consequence and likelihood estimations of all selected scenarios into a measure of overall risk
• Includes various ways of displaying risk such as individual risk contours or overall likelihood of various levels of consequence
• Prioritization of risks
2.3 SELECTION OF DESIGN BASES FOR SAFETY SYSTEMS
This section describes a systematic risk-based technique for selecting the design bases for process safety systems. Use of the technique imposes discipline on the thought process, yet allows for flexibility in application. The design bases selection technique is comprised of a number of analysis and testing steps detailed graphically in a decision tree (See Exhibit 2.2).
2.3.1 Step 1: Identify Failure Scenarios
Step 1 assumes the existence of a core process design. Whether a new process or a modification of an existing process, designers have specified the major equipment, including heat and material balances. With this core system established, address things that can go wrong, i.e., failure scenarios. For example, refer to the equipment chapters of this book, consult design checklists, or perform hazard evaluations by employing the standard techniques described in Guidelines for Hazard Evaluation Procedures (CCPS 1992b).
2.3.2 Step 2: Estimate the Consequences
In this step, estimate the consequences of the failure scenarios identified in step 1. In general terms, these can relate to quality, safety, health, and environmental impacts. For these Guidelines, consequences of interest include fires, explosions, toxic material releases, and major equipment damage. Engineers may, in some cases, uncover potential consequences by direct observation, engineering judgment or use of qualitative consequence criteria. In other cases the use of quantitative consequence estimation techniques may be necessary. Consequence estimation requires information on the physical, chemical and toxic nature of the materials involved in the process, the quantity of material which could be involved in a scenario, the impact of each scenario on the surroundings (facility siting) and an economic evaluation of the impact of equipment damage and lost production. This information can be obtained from the MSDS or other sources of product safety information. This, combined with the quantity of material in the process, can be used to assess fire, explosion and toxic effects using appropriate source terms, dispersion calculations and effect models for scenarios with the potential for materials release to the environment. Facility siting issues may also be brought in at this point. Economic consequences must also be evaluated. These are highly dependent on such factors as alternative sources of supply, availability of alternative production facilities, and replacement units.
EXHIBIT 2.2 Technique for Selecting the Design Bases for Process Safety Systems
Step 1: Identify failure scenarios
    |
Step 2: Estimate the consequences
    |
Step 3: Are consequences tolerable?  --YES-->  Step 9
    | NO
Step 4: Estimate likelihood and risk
    |
Step 5: Is the risk tolerable?  --YES-->  Step 9
    | NO
Step 6: Consider enhanced and/or alternative designs  <--NO-- (from Step 8)
    |
Step 7: Evaluate enhancements and/or alternatives
    |
Step 8: Are the risk and costs tolerable?  --NO-->  back to Step 6
    | YES
Step 9: Document results
2.3.3 Step 3: Determine Tolerability of Consequences
In this step, for each failure scenario ask: "Can we tolerate the consequences?" Answering this question requires guidance from established tolerability criteria. Established criteria might take the form of (1) company-specific criteria (such as not exceeding a specified hazardous material concentration at the fence line), (2) known engineering codes and standards, (3) industry initiatives, or (4) government regulations. If application of the criteria yields tolerable consequences, then no additional process safety system is needed, and no further risk assessment is required. Proceed to step 9 and document the results. For intolerable consequences, continue the risk assessment in step 4.
2.3.4 Step 4: Estimate Likelihood and Risk
First, estimate the likelihood of the failure scenarios identified in step 1. Frequency estimates may derive from comparisons to past experience or written qualitative criteria, such as the simple differentiation between scenarios involving single failures and scenarios involving multiple failures. Other cases may require quantified estimates, such as the estimates resulting from fault tree analysis. Next, to estimate the risk, couple the consequence and likelihood. Methods for combining likelihood and consequence estimates to obtain risk measures are presented in Guidelines for Chemical Process Quantitative Risk Analysis (CCPS 1989a). Again, some cases may reveal themselves by comparison to other systems or past analyses, or by employing qualitative tools such as risk matrices. Other cases may require quantified approaches, such as determining risk profiles or risk contours (see Chapter 7 of CCPS 1992b for a description of various approaches). Risk estimation can be the single most difficult step in this process. While consequence estimation is objective, likelihood evaluation often involves a direct and specific performance assessment of the ability of both individuals and organizations to manage risk, or the adequacy of a specific design or equipment item given its age and operating history. Because of this, great care must be taken to ensure its accuracy and lack of bias. At some point, quantification of likelihood may be necessary, but often it is superseded by standardization into policies, engineering standards and standard practices. For example, failures with no or low consequences may be considered adequately controlled by normal process controls, whereas severe hazards (such as those with off-site ramifications) may require two or more independent levels of control or mitigation in addition to normal process controls to bring the risk into an acceptable range.
Assessment of likelihood often requires evaluation of both plant systems and procedures. Equipment failure data are available from a number of sources, and while there are uncertainties and gaps in the data, these can be objectively and consistently evaluated through the use of plant data collection and component failure testing. Also, a comprehensive risk management plan based on the results of studies such as these can provide typical component failure rates to be used for a wide range of evaluations. The CCPS book Guidelines for Process Equipment Reliability Data, (CCPS 1989b) is a source of both data and references for additional information. Reliability of procedural safeguards, on the other hand, is tied to the effectiveness of training and the strength of managerial implementation and documentation. Not only are these hard to measure, they can change significantly, in either a positive or negative manner, due to a wide variety of factors, such as personnel turnover or change in management.
2.3.5 Step 5: Determine Tolerability of Risk In this step, ask: "Can we tolerate the estimated risk?" Like step 3, answering this question requires guidance in the form of established tolerability criteria. The topic of risk tolerability is discussed in more detail in Section 2.4 of this text. If application of the criteria yields tolerable risk, then no additional process safety system is needed; proceed to step 9 to document the results. For intolerable risk, continue with risk reduction efforts in step 6.
2.3.6 Step 6: Consider Enhanced and/or Alternative Designs If steps 1-5 established the need for a process safety system, i.e., a risk reduction measure, now consider how to reduce risk, mitigate consequences, lower the likelihood of realizing the failure scenario, or prevent the consequences altogether via design alternatives. Employ general loss prevention concepts, such as those in the Guidelines for Engineering Design for Process Safety (CCPS 1993), or consider the risk reduction design solutions discussed in the equipment chapters of this book. The tables in Chapters 3-12, along with other specific references, such as general industry practices, internal company standards, external consensus codes and standards, and regulations are intended to suggest potential alternatives to enhance the risk tolerability of the design. Not all solutions presented in the tables will be applicable to every situation.
2.3.7 Step 7: Evaluate Enhancements and/or Alternatives
Review the design enhancements and/or alternatives. Ensure that these proposed design changes would sufficiently reduce the risk estimated in step 4. Also, evaluate the degree to which the design enhancements and/or alternatives introduce new failure scenarios, and therefore new risks; re-estimate the risk by repeating steps 1-4, considering the changes as an integral part of the process. Each potential enhancement must be evaluated for:
• Technical Feasibility—Will it work at all?
• Applicability to a specific situation—Will it work here?
• Cost/Benefit—Is it the best use of resources, or can greater risk reductions be achieved by spending the same money elsewhere?
• Synergistic/Mutual Exclusivity effects—Will this solution work in conjunction with other potential enhancements, or will its implementation eliminate other potential beneficial solutions from being considered?
• Additional New Hazards—Will this solution create new hazards that must be evaluated?
2.3.8 Step 8: Determine Tolerability of Risk and Cost
Based on the risk estimated with the design enhancements and/or alternatives in step 7, ask: "Can we tolerate the risk and cost?" As in steps 3 and 5, answering this question requires guidance in the form of established tolerability criteria. In this instance the tolerability determination must address both risk and cost because, like all design decisions, process safety system designs must satisfy the process economics. Cost information can be coupled with the risk reduction benefit of each alternative, so that the cost-benefit trade-off can be assessed. In most cases, the cost-benefit analysis is likely to be qualitative in nature (CCPS 1995a). However, when this methodology is applied to a large number of competing process safety systems, such as those resulting from process hazard analysis (PHA) reports, quantitative cost-benefit techniques can be applied (Stevens and Stickles 1992). If application of the criteria yields tolerable risk and cost, then continue to step 9 to document the results and then implement the design enhancements and/or alternatives. For intolerable risks or costs, go back to step 6 to consider additional or alternative risk reduction strategies.
2.3.9 Step 9: Document Results
Document the results derived from applying this technique. The failure scenarios and the associated consequences, likelihood, and risks comprise the
conceptual design basis for the process safety system. Documentation of the design basis captures and preserves vital information, and will prove especially important during hazard evaluations, management of change situations, and other related risk management activities, including future design efforts. Without proper design documentation (CCPS 1995c), important information may not be available for consideration in future situations involving safety decisions. Even in situations where the tolerability criteria applied in steps 3 or 5 determine that no process safety system is needed, it is important to document this decision so that the design basis is not contradicted by future operating or design changes. If for no other reason, document the rationale to avoid the need to repeat the exercise in the future.
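The nine steps of Exhibit 2.2, coded as a small decision routine for a single failure scenario. This is an added illustration, not code from the Guidelines: the severity and likelihood categories, the risk matrix used for step 5, the candidate safeguards, their estimated effect on likelihood and their costs are all constructed, and a company would substitute its own criteria (Section 2.4). What the routine shows that the prose does not is the loop structure: a candidate is rejected at step 8 not only when it is too costly, but also when the re-estimated risk (step 7) remains intolerable or when a new scenario the safeguard introduces is itself intolerable, and every exit writes the step 9 record.

```python
"""Steps 3 through 9 of the design basis selection technique (Exhibit 2.2)
walked for one failure scenario. Added example: the category scales, risk
matrix, candidate safeguards and costs below are constructed, not the book's."""
from dataclasses import dataclass, field

# Constructed qualitative scales; a higher index is worse or more frequent.
SEVERITY = ["negligible", "minor", "serious", "severe", "catastrophic"]
LIKELIHOOD = ["remote", "unlikely", "occasional", "probable", "frequent"]

# Constructed risk matrix (step 5 criterion): RISK_MATRIX[severity][likelihood]
# is True where the company would tolerate that combination.
RISK_MATRIX = [
    [True, True, True, True, True],       # negligible
    [True, True, True, True, False],      # minor
    [True, True, False, False, False],    # serious
    [True, False, False, False, False],   # severe
    [False, False, False, False, False],  # catastrophic
]


@dataclass
class Scenario:
    name: str
    severity: str
    likelihood: str


@dataclass
class Enhancement:
    """A candidate design solution (step 6) with its estimated effect."""
    name: str
    likelihood_reduction: int   # categories the safeguard lowers likelihood by
    cost: float                 # constructed cost units
    new_scenarios: list = field(default_factory=list)  # hazards it introduces


def consequences_tolerable(s: Scenario) -> bool:
    """Step 3: constructed company criterion, tolerate up to 'minor' outcomes."""
    return SEVERITY.index(s.severity) <= SEVERITY.index("minor")


def risk_tolerable(s: Scenario) -> bool:
    """Step 5: look the scenario up in the risk matrix."""
    return RISK_MATRIX[SEVERITY.index(s.severity)][LIKELIHOOD.index(s.likelihood)]


def with_enhancement(s: Scenario, e: Enhancement) -> Scenario:
    """Step 7: re-estimate likelihood with the safeguard treated as part of the process."""
    idx = max(0, LIKELIHOOD.index(s.likelihood) - e.likelihood_reduction)
    return Scenario(s.name, s.severity, LIKELIHOOD[idx])


def select_design_basis(scenario: Scenario, candidates: list, cost_limit: float) -> dict:
    """Return the step 9 record: the path taken and the resulting design basis."""
    record = {"scenario": scenario.name, "path": [], "decision": None}
    if consequences_tolerable(scenario):
        record["path"].append("step 3: consequences tolerable")
        record["decision"] = "no process safety system needed"
        return record
    record["path"].append("step 3: consequences intolerable")
    if risk_tolerable(scenario):
        record["path"].append("step 5: risk tolerable")
        record["decision"] = "no process safety system needed"
        return record
    record["path"].append("step 5: risk intolerable")
    # Steps 6-8: try candidates cheapest first. Step 8 rejects an option that
    # leaves the risk intolerable, costs too much, or adds an intolerable scenario.
    for e in sorted(candidates, key=lambda c: c.cost):
        enhanced = with_enhancement(scenario, e)
        new_risk = [n.name for n in e.new_scenarios if not risk_tolerable(n)]
        ok = risk_tolerable(enhanced) and not new_risk and e.cost <= cost_limit
        record["path"].append(f"step 8: {e.name}: {'accepted' if ok else 'rejected'}")
        if ok:
            record["decision"] = f"implement {e.name}"
            record["residual_likelihood"] = enhanced.likelihood
            return record
    record["decision"] = "no tolerable option; return to step 6 with new alternatives"
    return record


if __name__ == "__main__":
    # Constructed scenario and candidates for a stand-alone run.
    overfill = Scenario("tank overfill", "severe", "occasional")
    options = [
        Enhancement("high-level alarm", likelihood_reduction=1, cost=5),
        Enhancement("independent high-high trip", likelihood_reduction=2, cost=20),
    ]
    print(select_design_basis(overfill, options, cost_limit=50))
```

The record returned is the documentation step 9 asks for: it preserves why the cheaper alarm was rejected (the residual risk was still outside the matrix) as well as what was finally selected, so a later management-of-change review can see the original reasoning.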
2.4 GUIDELINES FOR RISK TOLERABILITY
Application of a systematic risk-based technique for selecting safety system design bases depends on the availability and use of risk tolerability guidelines. In steps 3, 5, and 8 of the technique, the designer must ask: "Can we tolerate the risk posed by the process, or do we need to add a process safety system to reduce the risk to a tolerable level?" Answering this question requires practical and robust guidelines on risk tolerability. Attitudes about the tolerability of risks vary widely, depending on the individual, the nature of the risk (Is it voluntary or involuntary? Will it impact one person or many people or the environment?), the presence of other risks, the degree to which the risk can be controlled or reduced, past experience, etc. This helps to explain why there are no universal norms for risk tolerability. Even within a particular community, attitudes change over time. So how does a company go about establishing a set of criteria to guide it in making decisions about the tolerability of certain consequences, likelihoods, or risks— both qualitatively and quantitatively? It helps to start with the purpose of risk criteria or guidelines. Companies establish risk criteria to provide consistency in decision-making about risk, with the end purpose of protecting the community, the environment, employees, and equipment and operations as well as controlling the cost of doing business. The level of concern is not necessarily equal across all these groups, but decisions that protect people will often reduce the risk of property damage or environmental impact as well. Thus risk criteria or guidelines do not represent levels of risk that are tolerable to the public or some other group, but instead represent levels of risk that an organization believes will minimize impacts to continued operations.
Typically, people think risk criteria are used to compare the final results of a risk assessment against some internal or external standards. However, steps 3, 5, and 8 of Exhibit 2.2 all require "risk" criteria or guidelines of some form for a company to make consistent, effective decisions. Exhibit 2.3 presents examples of both qualitative and quantitative criteria that address consequences, likelihoods, risk, and risk and cost together. A description of each of the examples appears below. Throughout the descriptions that follow, the references to "steps" refer to the steps of the design basis selection technique presented in Exhibit 2.2.
Release Limits
As a means of addressing the tolerability of the potential consequences of a release, simply consider the amount of material that could be released. The "tolerable" quantity might vary by material to reflect different hazards and physical states—such as 200 pounds for chlorine and 5000 pounds for gasoline. The tolerable quantity might also vary as a function of the receptor(s) of concern—such as workers, the public, or the environment. If a potential maximum release does not exceed the established threshold, then application of release limit criteria in step 3 of the technique would yield tolerable consequences.
Threshold Impact Criteria for Fence or Property Line
Use typical impact criteria, such as those given in Exhibit 2.4, along with coarse or sophisticated consequence modeling to see if property or fence line values exceed the chosen thresholds. If values do not exceed the thresholds, then application of threshold impact criteria in step 3 of the technique would yield tolerable consequences.

EXHIBIT 2.3 Examples of Tolerability Criteria and Application to Design Basis Selection Technique

Applicability | Qualitative Criteria Examples | Quantitative Criteria Examples
Step 3: Tolerability of Consequences | Release limits | Threshold concentration levels for fence or property line
Step 5: Tolerability of Likelihood | Single versus multiple component failures | Critical event frequency
Step 5: Tolerability of Risk | Risk matrix | Individual and/or societal risk criteria
Step 8: Tolerability of Risk and Cost | Risk matrix and cost threshold | Cost-benefit criteria

EXHIBIT 2.4 Representative Threshold Impact Criteria

Toxic (impact criteria):
• IDLH (Immediately Dangerous to Life or Health): 30 minutes without irreversible effects
• ERPG-1 (Emergency Response Planning Guideline): 1 hour without any significant effects
• ERPG-2: 1 hour without irreversible effects
• ERPG-3: 1 hour without life threatening effects

Thermal Radiation (Fireball):
Heat Flux | Duration | Direct Effect
9.5 kW/m² (3010 Btu/h-ft²) | 8 sec | Pain threshold reached
9.5 kW/m² (3010 Btu/h-ft²) | 20 sec | Second degree burns
4 kW/m² (1270 Btu/h-ft²) | 20 sec | Pain threshold reached
1.6 kW/m² (510 Btu/h-ft²) | Long exposure | No discomfort

Blast Overpressure:
Pressure (psig) | Direct Effects | Indirect Effects
0.5-1 | Windows usually shattered | Injury from flying glass
2-3 | Concrete or cinder walls (not reinforced) shattered | Injury/fatality from falling debris
10 | Probable total destruction of buildings | Injury/fatality from building collapse
>15 | Likely fatality |

Single versus Multiple Component Failures

As a qualitative measure of likelihood, companies might choose to tolerate event scenarios that require three independent failures before the event can occur, and not tolerate events arising from single component failures. For events arising from two component failures, companies might conduct further analysis.
Critical Event Frequency

A critical event is an event with a specified, high consequence, such as an event involving an offsite community impact, critical system damage, a severe injury, or a fatality. In general, a continuum of threshold frequencies might be selected, e.g., 1 × 10⁻⁴ per year to 1 × 10⁻⁷ per year, depending on the extent and nature of worst-case consequences (e.g., property or environmental impact, on-site or off-site fatalities, etc.). As noted previously, companies must consider numerous factors in setting such risk tolerability thresholds. One event frequency limiting value that is sometimes used is 1 × 10⁻⁴ critical events per year, based on the design-basis event concept used for North Sea platforms and other major installations (Advisory Committee on Major Hazards 1976; Conway 1981; Tompkins and Riffee 1983; Chicken 1986).

Risk Matrix
Use qualitative or semi-quantitative frequency and severity categories to estimate the risk of an event, as illustrated in Exhibit 2.5. If an event has low risk (i.e., a risk rank of "C" or "D" per Exhibit 2.5), then it is considered tolerable in step 5. Exhibit 2.5 is illustrative of an application involving human injury. The criteria can be expanded to include environmental impacts and/or property loss potential (CCPS 1992b).

Individual Risk Criteria
In step 5, one can use numerical criteria for the maximum and average levels of risk posed to employees and the public. Such criteria consider the frequency of the event or events to which an individual might be exposed, the severity of that exposure, and the amount of time for which the individual is at risk. There is no consensus on appropriate values, but an individual mortality value of 1 × 10⁻⁵ per year at the fence line to represent the maximum risk level for the public is not unusual among those using such criteria (Royal Society 1983; Chicken 1986; Bendixen 1988; Gibson 1976; CCPS 1989).

Societal Risk Criteria
Instead of, or in addition to, individual risk criteria, one can use societal risk criteria such as those shown in Exhibit 2.6. These are criteria that provide a more detailed evaluation of the distribution of risk. That is, both high frequency/low consequence and low frequency/high consequence events can be addressed explicitly. This can be of particular concern if a company has recently experienced an undesired event and cannot tolerate another one no matter how small the consequences, or if there is a potential for an event involving large numbers of people or that would release large quantities of a hazardous material into the environment.
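The point made above, that two risk pictures with the same aggregate can differ sharply in how the risk is distributed, is exactly what an F-N curve makes visible. The following is an added example, not code from the CCPS text: it builds F(N), the cumulative frequency per year of events causing N or more fatalities, from a constructed scenario list and tests it against an assumed criterion line of the form F_max(N) = anchor / N^slope. The anchor and slope values and both scenario sets are assumptions made here for illustration; they are not the HSC (1991) criteria of Exhibit 2.6.

```python
"""Societal risk: build an F-N curve and test it against a criterion line.

Added example, not part of the CCPS text. Scenario lists, the anchor
frequency and the slope of the criterion line are constructed here for
illustration; they are not the HSC (1991) criteria shown in Exhibit 2.6.
"""
from typing import Dict, List, Tuple

# A scenario is (frequency per year, number of fatalities if it occurs).
Scenario = Tuple[float, int]

# Two constructed scenario sets with the SAME expected fatalities per year
# (0.0012/yr), distributed very differently.
MANY_SMALL: List[Scenario] = [(8e-4, 1), (2e-4, 2)]
FEW_LARGE: List[Scenario] = [(2e-5, 50), (2e-5, 10)]


def fn_curve(scenarios: List[Scenario]) -> Dict[int, float]:
    """F(N): cumulative frequency per year of events with N or more fatalities,
    evaluated at each distinct fatality count present in the scenario list."""
    levels = sorted({n for _, n in scenarios if n > 0})
    return {n: sum(f for f, k in scenarios if k >= n) for n in levels}


def potential_loss_of_life(scenarios: List[Scenario]) -> float:
    """Expected fatalities per year, i.e. the area under the F-N curve. Two very
    different risk distributions can share the same value, which is why the
    text recommends societal (F-N) criteria in addition to aggregate measures."""
    return sum(f * n for f, n in scenarios)


def criterion_line(n: int, anchor: float, slope: float) -> float:
    """Assumed maximum tolerable F(N) = anchor / N**slope.
    anchor is the tolerable frequency of single-fatality events; slope = 1
    treats a 10-fatality event as 10 times worse than a single fatality,
    slope > 1 expresses additional aversion to large events."""
    return anchor / (n ** slope)


def exceedances(scenarios: List[Scenario], anchor: float,
                slope: float) -> List[Tuple[int, float, float]]:
    """Points (N, F(N), F_max(N)) where the computed curve lies above the line."""
    out = []
    for n, f in fn_curve(scenarios).items():
        limit = criterion_line(n, anchor, slope)
        if f > limit:
            out.append((n, f, limit))
    return out


def tolerable(scenarios: List[Scenario], anchor: float, slope: float) -> bool:
    """Step 5 decision against the societal risk criterion."""
    return not exceedances(scenarios, anchor, slope)


if __name__ == "__main__":
    for name, s in (("many small", MANY_SMALL), ("few large", FEW_LARGE)):
        print(f"{name}: PLL={potential_loss_of_life(s):.2e}/yr  F-N={fn_curve(s)}")
        for slope in (1.0, 2.0):
            print(f"  slope {slope}: tolerable={tolerable(s, 2e-3, slope)}",
                  exceedances(s, 2e-3, slope))
```

With a slope of 1 both constructed sets pass the assumed line; with a slope of 2, expressing aversion to large events, the few-large set fails at N = 10 and N = 50 while the many-small set still passes, even though both have the same expected fatalities per year. The choice of slope is therefore a risk tolerability decision in its own right, to be fixed in advance like the other criteria in this section.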
EXHIBIT 2.5 Illustrative Risk Matrix

Consequence Range | Qualitative Consequence Criteria
C4 | One or more fatalities; injuries or fatalities within community
C3 | Permanent disabilities within localized section of process or building; lost time injuries or hospitalizations outside of local area
C2 | One lost time injury; multiple recordable injuries
C1 | One recordable injury; emergency response call-out without injury

Likelihood Range | Qualitative Frequency Criteria
L4 | Once in 10 years
L3 | Once in 100 years
L2 | Once in 1000 years
L1 | Less than once in 1000 years

Risk Rank | Qualitative Description of Risk
A | Intolerable risk. Risk reduction required.
B | Intolerable risk. Risk reduction or more rigorous risk estimation required.
C | Tolerable risk. Consider need for risk reduction.
D | Tolerable risk. No risk reduction required.

[The matrix grid assigning a risk rank to each consequence/likelihood combination is not reproduced.]
EXHIBIT 2.6 Societal Risk Criteria [F-N curve: F, the frequency of N or more fatalities per year, plotted against N, the number of fatalities. Adapted from Health and Safety Commission, U.K. 1991.]

Risk Matrix and Cost Threshold
Qualitative assessments in step 8 must account for both the risk reduction and the associated costs of an enhancement. While this may appear straightforward if the risk reduction benefit is obviously large and the cost is small, the tradeoffs are usually more complex than this. A risk matrix can help in such assessments. For example, an enhancement or alternative that reduces a high risk to a medium risk and costs less than X dollars might be considered feasible and effective, as might an alternative costing 30X dollars and reducing a high risk to a low risk. Specify such "rules" or thresholds in advance.

Cost-Benefit Criteria
If one employs quantitative estimates of risk, then it is possible to set specific criteria for the amount of risk reduction expected for each dollar expended. Consider anything less than this ratio ineffective. In some instances, one might have two thresholds—one for the dollars necessary to achieve a tolerable risk level, and another for any further risk reduction beyond this point. Select or develop criteria that are representative of your company's philosophy and culture, and which match the type of analysis (qualitative or quantitative) you commonly conduct in the design stage. This is a corporate responsibility and requires the involvement and support of senior management, as it determines the levels and types of risk that the company will tolerate.
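The decision rules of this section (a risk rank from the Exhibit 2.5 categories for step 5, the "high to medium for less than X, high to low for less than 30X" cost rule for step 8, and the two-threshold cost-benefit ratio) are easiest to keep consistent when written down as code. The following is an added example, not code from the CCPS text. The rule that assigns ranks A-D to matrix cells, the grouping of ranks into high/medium/low, the dollar figures and the risk units are assumptions made here, since the book deliberately leaves those choices to each company.

```python
"""Risk matrix ranking (step 5) and pre-specified cost rules (step 8).

Added example, not part of the CCPS text. The C1-C4 and L1-L4 categories
are those of Exhibit 2.5; the rule that turns a cell into a rank A-D, the
high/medium/low grouping of ranks, and every dollar or risk value below
are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional

CONSEQUENCE = {"C1": 1, "C2": 2, "C3": 3, "C4": 4}  # Exhibit 2.5 severity categories
LIKELIHOOD = {"L1": 1, "L2": 2, "L3": 3, "L4": 4}   # Exhibit 2.5 frequency categories


def risk_rank(consequence: str, likelihood: str) -> str:
    """Assumed cell-to-rank rule: add the two category indices and band the sum.
    C4/L4 -> 8 -> A; C4/L2 or C3/L3 -> 6 -> B; C2/L3 -> 5 -> C; C1/L1 -> 2 -> D."""
    score = CONSEQUENCE[consequence] + LIKELIHOOD[likelihood]
    if score >= 7:
        return "A"
    if score == 6:
        return "B"
    if score == 5:
        return "C"
    return "D"


def step5_tolerable(rank: str) -> bool:
    """Exhibit 2.5: ranks C and D are tolerable, A and B are not."""
    return rank in ("C", "D")


# Assumed grouping of ranks into the high/medium/low language of the step 8 rule.
LEVEL = {"A": "high", "B": "high", "C": "medium", "D": "low"}

# Step 8 rule from the text, fixed in advance: (before, after) -> cost limit as a
# multiple of X. Transitions not listed are not justified by this rule.
COST_RULE = {("high", "medium"): 1.0, ("high", "low"): 30.0}


@dataclass(frozen=True)
class Enhancement:
    name: str
    cost: float
    consequence_before: str
    likelihood_before: str
    consequence_after: str
    likelihood_after: str


def step8_accept(enh: Enhancement, x_dollars: float) -> Optional[bool]:
    """True/False when the pre-specified rule decides; None when it does not
    cover the transition (e.g. medium->low), which is left to separate judgment."""
    before = risk_rank(enh.consequence_before, enh.likelihood_before)
    after = risk_rank(enh.consequence_after, enh.likelihood_after)
    if not step5_tolerable(after):
        return False  # still intolerable: cost is irrelevant, more reduction is needed
    multiple = COST_RULE.get((LEVEL[before], LEVEL[after]))
    if multiple is None:
        return None
    return enh.cost < multiple * x_dollars


def cost_benefit_accept(risk_before: float, risk_after: float, cost: float,
                        tolerable: float, ratio_to_tolerable: float,
                        ratio_beyond: float) -> bool:
    """Quantitative criterion: risk reduction bought per dollar (risk in assumed
    units of expected fatalities per year) must meet a threshold. Two thresholds:
    a lenient one while the starting risk is still above the tolerable level,
    a stricter one for reduction pursued beyond that point."""
    reduction = risk_before - risk_after
    if cost <= 0 or reduction <= 0:
        return False
    required = ratio_to_tolerable if risk_before > tolerable else ratio_beyond
    return reduction / cost >= required


if __name__ == "__main__":
    # Constructed case: an overfill scenario ranked C4/L3 (rank A); a high-level
    # interlock is judged to move it to C4/L1 (rank C) for $8,000, with X = $10,000.
    interlock = Enhancement("high-level interlock", 8_000, "C4", "L3", "C4", "L1")
    print(risk_rank("C4", "L3"), "->", risk_rank("C4", "L1"), step8_accept(interlock, 10_000))
    print(cost_benefit_accept(1e-4, 1e-5, 45_000, 1e-5, 1e-9, 1e-8))
```

Note that step8_accept rejects on cost only after it has checked that the enhancement actually reaches a tolerable rank; an inexpensive change that leaves the scenario at rank B is not made acceptable by its price. The None return marks the gap the text points to: rules must be specified in advance, and a transition the rules do not cover is a decision still to be made, not an approval.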
2.5 POTENTIAL PROCESS SAFETY SYSTEMS DESIGN SOLUTIONS

2.5.1 Four Categories of Design Solutions
Before proceeding with examples illustrating the application of the technique for selection of safety system design bases, a review of generic design solutions for minimizing risk is appropriate. Safety system designs fall into one of four categories.

INHERENTLY SAFER design solutions eliminate or mitigate the hazard by using materials and process conditions that are less hazardous. For an extensive discussion of the concept of inherently safer chemical processes, see CCPS 1996. Examples of inherently safer solutions include:
• Substituting water for a flammable solvent
• Reducing or eliminating inventories of hazardous intermediates

Approaches to the design of inherently safer processes and plants have been grouped into four major strategies by IChemE and IPSG (1995) and Kletz (1991):
• Minimize. Use smaller quantities of hazardous substances (also called Intensification).
• Substitute. Replace a material with a less hazardous substance.
• Moderate. Use less hazardous conditions, a less hazardous form of a material, or facilities which minimize the impact of a release of hazardous material or energy (also called Attenuation and Limitation of Effects).
• Simplify. Design facilities which eliminate unnecessary complexity and make operating errors less likely, and which are forgiving of errors which are made (also called Error Tolerance).

PASSIVE design solutions do not require any device to sense and/or actively respond to a process variable, and have very reliable mechanical design. Examples of passive design solutions include:
• Using incompatible hose couplings, nonsplash filling using permanently installed dip-pipes, and permanent grounding and bonding via continuous metal equipment and pipe rather than with removable cables
• Designing high pressure equipment to contain overpressure hazards such as internal deflagration
• Containing hazardous inventories with a dike that has a bottom sloped to a remote impounding area, which is designed to minimize surface area
ACTIVE design solutions require devices to monitor a process variable and function to mitigate a hazard. Frequently, active solutions involve a considerable maintenance and procedural component and are therefore typically less reliable than inherently safer or passive solutions. To achieve the necessary reliability, redundancy is often used; redundancy also removes the conflict between production and safety requirements (such as having to shut down a unit to maintain a relief valve). Active solutions are sometimes referred to as engineering controls. Examples of active solutions include:
• Using a pressure safety valve or rupture disk to prevent vessel overpressure
• Interlocking a high level sensing device to a vessel inlet valve and pump motor to prevent liquid overfill of the vessel
• Installing check valves

PROCEDURAL design solutions require a person to perform an action to avoid a hazard. This includes following a standard operating procedure or responding to an indication of a problem such as an alarm, an instrument reading, a noise, a leak, or a sampling result. Since an individual is involved in performing the corrective action, consideration needs to be given to human factors issues (CCPS 1994a), e.g., over-alarming, improper allocation of tasks between machine and person, and inadequate support culture. Because of the human factors involved, procedural solutions are generally the least reliable of the four categories. Procedural solutions are sometimes referred to as administrative controls.
Examples of procedural solutions include:
• Following standard operating procedures to keep process operations within established equipment mechanical design limits
• Manually closing a feed isolation valve in response to a high level alarm to avoid tank overfilling
• Executing preventive maintenance procedures to prevent equipment failures
• Manually attaching bonding and grounding systems

Throughout the equipment chapters in this volume, design solutions will appear for each failure scenario, divided into three categories: (1) inherently safer/passive, (2) active, and (3) procedural. Inherently safer and passive design solutions often overlap. For this reason, the inherently safer and passive solution categories have been combined in the tables presented in the equipment chapters of this book.
An important aspect in the classification of design solutions is the distinction between inherently safer/passive and active systems. It is generally accepted that a containment dike is a passive solution (EPA 1995). What about safety devices such as a rupture disk or end-of-line flame arresters? In the case of the rupture disk, it can be argued that it must sense pressure in order to function and therefore would be an active solution. This analogy does not apply so well to end-of-line flame arresters. However, there are many instances of flame arresters that have failed to function or otherwise contributed to hazardous incidents, due to neglect or lack of preventive maintenance. While the authors of this book recognize these distinctions are legitimately debatable, it was decided that both relief devices (pressure safety valve, rupture disks, etc.) and flame arresters would be classified as active solutions. This convention is followed throughout the equipment chapters, unless otherwise noted. Other examples of design solutions that illustrate the classification categories are presented below.
INHERENTLY SAFER/PASSIVE

Continuous metal equipment such as a steel pipe is inherently bonded and, once it is grounded permanently at any point (such as via multiple steel pilings anchoring the equipment), requires minimal maintenance of ground connections. This is an inherently safer design than one incorporating rubber boots, swivel joints, or other potential breaks in electrical continuity that would require external bond connections and associated maintenance. A vessel designed to contain the maximum pressure predicted due to any credible upset, such as an internal explosion, is inherently safer than one designed to mitigate the event via pressure relief or suppression systems, etc.

In both the above examples, the systems described are "inherently safer" via the "simplify" strategy shown in 2.5.1. However, they would be better described as "passive systems." As discussed, true "inherently safer" designs reduce the hazard by using materials or process conditions that are less hazardous. In the examples, higher levels of inherent safety might be provided by designing the process to eliminate flammable atmospheres that would require bonding or equipment reinforcement.

Passive designs may be complemented by procedural or active systems, especially where transient conditions are routinely experienced. As an example, a passive system might comprise a permanent dip pipe going to the bottom of a flammable liquid storage tank to avoid splash filling. However, until this dip pipe is covered by a substantial depth of liquid, splashing may still occur. Various standards (API RP 2003, 1991; BS 5958, 1991) provide that a slow start (limited flow velocity) be used until the pipe outlet is covered to the recommended depth. Since this normally requires operator action to control the flow, operation may not be entirely splash-free during the initial stages of filling, and the solution contains a procedural element. In principle, the procedural element could be replaced by an active system controlling flow rate by monitoring liquid depth in the tank. A completely passive system for avoiding splash filling might involve maintaining a minimum liquid level in the tank via appropriate elevation of the product outlet pipe. However, even if a tank is dedicated to one product and a minimum liquid level can be maintained, the presence of a stagnant layer in the tank base may make this solution impractical for product quality reasons.
ACTIVE An end-of-line flame arrester would be a passive design solution without the need for maintenance to achieve the desired reliability. In practice it is an "active" solution since the arrester may be subject to corrosion and plugging of the element. End-of-line flame arresters require maintenance to ensure there is no blockage which, for example, might cause an atmospheric storage tank to experience vacuum while being emptied. In-line detonation arresters should be additionally monitored for stationary flames on the arrester face (U.S. Coast Guard 1990) and are usually equipped with pressure taps to monitor increased pressure drop due to element blockage or corrosion. Other active solutions include pressure relief valves, deflagration vents, explosion suppression systems, fast acting valves, check valves and regulators. All these devices require maintenance, operate by responding to a process variable, or both.
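The dependence of active devices on maintenance and proof testing noted above, and the redundancy and common mode failure points made later in this section, can be put in numbers. The following is an added example, not code from the CCPS text. It uses two modelling assumptions introduced here rather than taken from the book: the average probability of failure on demand of a proof-tested component, PFD ≈ λT/2, and the beta-factor model of common cause failure, in which a fraction β of failures disables every channel of a redundant group at once. All numerical values are constructed.

```python
"""Proof-test interval, redundancy and common-cause failure.

Added example, not part of the CCPS text. Two modelling assumptions are
introduced here: PFD ~ lambda*T/2 for a component with dangerous
undetected failure rate lambda proof tested every T hours, and the
beta-factor model for common-cause failure. All numbers are constructed.
"""
from typing import Optional

HOURS_PER_YEAR = 8760.0


def pfd_single(failure_rate_per_hr: float, proof_test_interval_hr: float) -> float:
    """Average probability of failure on demand of one proof-tested component
    (valid when failure_rate * interval << 1). Halving the test interval
    halves the PFD, which is why a PSV may need testing between turnarounds."""
    return failure_rate_per_hr * proof_test_interval_hr / 2.0


def pfd_1oon(p: float, n: int, beta: float = 0.0) -> float:
    """1-out-of-n group of identical channels, each with PFD p: the demand is
    met if any one channel works. Independent failures must take out all n
    channels, ((1-beta)*p)**n; a common-cause failure takes them all out at
    once with probability beta*p, a floor that more identical channels
    cannot lower."""
    if n < 1:
        raise ValueError("need at least one channel")
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta is a fraction")
    return beta * p + ((1.0 - beta) * p) ** n


def risk_reduction_factor(pfd: float) -> float:
    """Factor by which the protection layer divides the unprotected demand frequency."""
    return 1.0 / pfd


def channels_needed(p: float, target_pfd: float, beta: float = 0.0,
                    max_n: int = 8) -> Optional[int]:
    """Smallest n for which a 1oon group of identical channels meets target_pfd,
    or None if none up to max_n does. This is the 'how much redundancy is
    enough' question; a None answer says identical redundancy cannot get there
    and diversity (a smaller beta) or a better single channel is needed."""
    for n in range(1, max_n + 1):
        if pfd_1oon(p, n, beta) <= target_pfd:
            return n
    return None


if __name__ == "__main__":
    # Constructed sensor: 1e-5 dangerous undetected failures per hour.
    annual = pfd_single(1e-5, HOURS_PER_YEAR)
    print(f"single sensor, annual test: PFD={annual:.4f} RRF={risk_reduction_factor(annual):.0f}")
    print(f"single sensor, semiannual test: PFD={pfd_single(1e-5, HOURS_PER_YEAR / 2):.4f}")
    p = 0.05
    for beta in (0.0, 0.01, 0.1):
        print(f"beta={beta}: 1oo2 PFD={pfd_1oon(p, 2, beta):.5f}, "
              f"channels for target 1e-3: {channels_needed(p, 1e-3, beta)}")
```

With p = 0.05 per channel, two independent channels give a PFD of 0.0025 (a risk reduction factor of 400), but a 10% common cause fraction raises that to about 0.007 and no number of identical channels can reach a 1e-3 target; reducing beta to 1% (sensors on different principles, independent power) makes the target reachable with three channels. That is the quantitative content of the statement that true redundancy requires independence and functional diversity, not just duplication.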
PROCEDURAL

Procedural reliability tends to be more dependent on human factors, and consideration should be given to issues such as over-alarming, improper allocation of tasks between machine and person, inadequate support culture, etc. (CCPS 1994a). Frequently, active and procedural design solutions are used to complement each other. For example, in a tank truck bonding procedure, an "active" ground indicating device could be installed to show the presence of a positive ground connection. In such a case, it would still be necessary to ensure that the system is not defeated by simple neglect of an alarm or even bypassing of the indicating device. A ground indicating device might additionally be interlocked with a pump to prevent operator error. For an "active" flame arrester, a complementing "procedural" system might be monitoring the pressure drop periodically and performing maintenance when a specific differential has been reached.

The design solutions presented in the tables are established and often well proven approaches for mitigating the failure scenarios. However, a potential design solution is false protection if it is not reliably engineered and maintained. Active systems in particular may need redundancy (i.e., dual sensors, separation of control and interlock functions) to provide the required level of reliability and risk reduction. True redundancy requires the absence of common mode failures, achieved by providing independence and functional diversity (e.g., independent power supplies, sensors operating on different principles). Additional discussion on redundancy for process safety systems can be found in CCPS 1989 and CCPS 1994b. The advantage of a risk-based approach to design selection is that it provides the means for determining how much redundancy is enough.

The design should also take into account the need for periodic inspection and proof testing of systems. For example, pressure safety valves (PSVs) may need testing at intervals that are shorter than scheduled plant turnarounds. A good solution is the installation of dual PSVs with a three-way valve to allow testing at prescribed intervals without interfering with production. Safety design solutions can contribute to hazards if not properly maintained. While system maintenance is not specifically addressed, the book assumes the safety equipment will be subjected to a systematic maintenance and inspection program once installed. It should also be recognized that the failure scenarios presented focus on process-related hazards rather than maintenance-initiated incidents. Therefore, it is further assumed that the facility into which the equipment is placed has adequate safe work practices, which encompass hot work permits, confined space entry, ignition control, lock-out/tag-out, etc.

2.5.2 Characteristics of Design Solution Categories
An illustrative comparison of the four categories of design solutions with respect to several cost and functional attributes appears in Exhibit 2.7. While procedural solutions can be less complex, they are usually the least reliable. For active solutions, as compared to inherently safer/passive solutions, reliability is typically lower and complexity is greater. Inherently safer/passive solutions tend to have higher associated initial capital outlays; however, operating costs are usually lower than those for the other design solutions. Operating costs are likely to be the greatest for active solutions. Exhibit 2.8 offers an example of the four types of safety system design solutions applied to the same design basis situation. The example concerns a heat exchanger with an incompatible process stream and heat transfer fluid. A design engineer might choose one of the design solutions offered or choose to utilize solutions from more than one category. Ultimately, design engineers should make decisions based on the prevailing risk tolerability and cost criteria, and their understanding of the operations and maintenance requirements for the design.
EXHIBIT 2.7 Comparison of Cost and Functional Attributes for Design Categories (typical trends)

[Charts plotting Attribute Value (Lower to Higher) against Category of Design Solution (Inherently Safer, Passive, Active, Procedural) for four attributes: Initial Capital, Complexity, Operating Costs, and Reliability.]
As in the case of the heat exchanger example in Exhibit 2.8, engineers should not consider the four types of design as mutually exclusive. Many opportunities arise for utilizing solutions from different design categories in tandem. In equipment design, this often happens inadvertently, because the design usually has to address multiple safety concerns and failure modes. The goal is to be more proactive in the consideration of multiple levels of protection.

EXHIBIT 2.8 Process Safety System Design Solutions for a Heat Exchanger Failure Scenario

Design Basis Failure Scenario: Tube to tube-sheet joint failure results in mixing of incompatible fluids, resulting in a system over-pressure and/or the formation and release of a toxic material.

Design Solution Type | Description
1. Inherently Safer | A heat transfer fluid compatible with the process fluid
2. Passive | Double tube-sheet construction
3. Active | Pressure relief system with discharge to safe location
4. Procedural | Periodic manual sampling of the lower pressure fluid
Returning to the heat exchanger example in Exhibit 2.8, the overall risk of toxic vapor release might be further reduced by decreasing the inventory of hazardous material contained within associated process equipment. A combination of reduced inventory (inherently safer) and double tubesheet construction (passive) might produce the optimal risk reduction alternative.

Historically, designers have underutilized inherently safer solutions. This stems in part from an overemphasis on minimizing initial capital investment, and on time constraints which often favor active or procedural systems. But with the increased application of risk management practices has come more dependency on multiple layers of alarms (procedural) and interlocks (active) to obtain tolerable risk levels. The economic analysis in the initial design stages often fails to account for the cost of maintaining and proof-testing these systems, which can be significant for large process facilities. When comparing inherently safer design solutions to other solutions, designers should include the total life-cycle cost of each alternative before reaching a decision. For example, Noronha et al. (1982) describe the use of deflagration pressure containment design in preference to inerting, deflagration suppression, or other means of explosion prevention, based on life-cycle cost and reliability considerations.

Inherently safer strategies should be considered especially for new facility designs. In general, such projects allow more flexibility in the selection of design solutions as compared to an alteration or upgrade of an existing facility. For example, tradeoffs between the level of process integration and safety design are easier to accommodate in new facilities. Also, designers have more freedom in the choice of utility services that may have an impact on inherent safety.
When altering or upgrading existing facilities, designers should not simply overlook inherently safer design solutions because they are harder to implement. The following provides a good example of an inherently safer design solution that was ultimately selected for an existing facility. At this facility, the design problem was to avoid a significant leak in several water-cooled heat exchangers. These exchangers had material on the process-side that reacted violently with water, producing corrosive and toxic by-products. Alternative solutions considered included combinations of passive (double tubesheet or falling film exchangers), active (multiple sensor leak detection with interlocks), and procedural (a variety of nondestructive testing/inspection techniques, periodic leak testing with inert gas, improved cleaning procedures). While all of these design alternatives resulted in a lower risk level than the original design, none was totally acceptable. When management realized how much effort and commitment of resources were required to maintain a less than satisfactory risk level, they chose a design that used a compatible heat transfer fluid, an inherently safer design.
2.6 APPLYING THE RISK-BASED DESIGN BASES SELECTION TECHNIQUE From the outset, the practical nature of this process safety system design bases technique has been emphasized. This technique applies to all design cases, from the simplest to the most complex. Again, this follows quite naturally from the fact that the technique is derived from the problem-solving approaches commonly employed by process design engineers. To fully illustrate application of the technique, worked examples have been prepared and included in the Appendix. To reinforce understanding of this risk-based technique, however, two short examples of significantly different complexity are discussed here.
2.6.1 Locking Open a Valve (A Simple Design Case)
Locking open a valve is a commonly used procedural design solution, applied to a wide range of potential operational and safety problems. At first glance, locking open a valve may not even seem like a design decision. Such a decision seems more an act of common sense: (1) someone identifies a safety problem arising from the inadvertent closing of a valve; (2) the valve does not get used that often; so the "obvious" solution is to (3) lock open the valve.

For process facilities operating under a strict management of change system, the situation is not so clear-cut. Locking open a valve is not merely a common sense decision; rather, at an operating facility it is a design change. It is a procedural design solution that requires a documented design basis and a subsequent safety review. Similarly, locking open a valve in the original design must represent a design decision. However simple it may seem, the selection of this procedural process safety system must have a documented design basis.

An incident at an oil and gas production facility involving a locked-open valve illustrates how safety system design logic typically follows the risk-based design basis technique outlined in this chapter. In addition, it emphasizes the importance of completely following the technique, including the final step of documenting the process safety system design bases. This incident involved an uncontrolled release of natural gas into a confined process area. An analysis reveals that designers followed the first eight steps of the process safety system design basis selection technique. When it came time to execute the ninth step, however, the designers failed to document the design basis for the locked-open valve.
Background Information
The oil and gas production facility handled a stream referred to as "mixed fluids": crude oil, natural gas, and water. Throughout the process, the facility had its pressure safety valves (PSVs) vented to a flare system. The facility's design configuration included (1) a locked-open block valve downstream of the PSV to allow isolation from the flare header during periodic inspection and testing of the PSV, and (2) a piping specification break at the PSV discharge flange. A simple diagram of the relief valve configuration is shown in Exhibit 2.9. The designers foresaw high risk from failure scenarios, recognized that a process safety system was required, and provided a risk reduction solution by applying the risk-based design technique, as described in Exhibit 2.10. Nevertheless, this facility experienced the failure scenario and related consequences foreseen by the designers. Many factors contributed to the incident, including failure to clearly document the process safety system design bases (step 9).

Incident Description
In a process upset situation that developed over a number of hours, a PSV started to "chatter," alternately lifting and reseating. Operations personnel misdiagnosed the situation, thinking that the chattering involved a malfunction of the PSV rather than an upstream pressure excursion.

EXHIBIT 2.9 Schematic of Pressure Safety Valve (PSV) Detail

[Schematic: mixed fluids flow from the 1st stage separator to the 2nd stage separator through high pressure equipment. The PSV on this line discharges to the flare system through a block valve (locked open). The piping specification break is at the PSV discharge, so the PSV outlet piping and block valve are low pressure equipment. The line rupture occurred in the low pressure piping between the PSV and the block valve (see text for description of incident).]
EXHIBIT 2.10 Selecting the Design Basis for a "Locked Open" Valve (an example, based on Exhibit 2.9, of a failure during design basis selection)

Step in Design Basis Selection Technique | Result from Executing Step
1. Identify Failure Scenario | Closing of block valve during system operation
2. Estimate the Consequences | (a) Overpressure of system upstream of PSV; or (b) overpressure of PSV body and outlet piping upstream of the block valve and downstream of the PSV. Both (a) and (b) potentially result in an uncontrolled release of natural gas.
3. Determine Tolerability of Consequences | Intolerable (based on judgment)
4. Estimate the Frequency and the Risk | High likelihood of human error (based on judgment)
5. Determine Tolerability of Risk | Intolerable (based on judgment)
6. Consider Enhanced and/or Alternative Designs | Lock open (LO) the block valve
7. Evaluate Enhancement and/or Alternatives | No new operational deviations identified from LO valve; frequency, and thus risk, of inadvertent closing estimated as low (based on judgment)
8. Determine Tolerability of Risk | Tolerable (based on judgment)
9. Document Results | Design bases not documented; P&ID merely marked as "LO" for locked open

Note: Failure to properly document the design basis (Step 9) is the point of failure.
Concerned about uncontrolled venting to the flare system in the event of a PSV failure, operations personnel considered unlocking and closing the block valve. Both the operators and the responsible supervisor intuitively thought the locked-open block valve (clearly marked as "LO" on the piping and instrumentation diagram) served solely to ensure an unobstructed PSV relief path. Facility operations personnel were unaware of the specification break in the piping and were unaware that an additional design basis of the locked-open valve was to ensure that the low pressure specification piping downstream of the PSV did not ever "see" the high system pressure (see step 2 results in Exhibit 2.10). When operations closed the block valve to stop the chattering, the low pressure line downstream of the PSV and upstream of the block valve failed from the over-pressure, resulting in an uncontrolled release of natural gas (see point of release depicted in Exhibit 2.9). As a result of the first failure, adjacent natural gas lines were damaged. Fortunately, operations managed to isolate and shut down the system, and the flammable natural gas cloud dissipated without ignition. Consequences were limited to equipment damage and production downtime.

A Lesson Learned
As alluded to in the background information, many factors contributed to the incident. Factors relating to operations staffing as well as recent maintenance work aggravated the situation. Since the design basis was not documented or communicated to the operations staff or plant supervision, other important elements of process safety management (PSM), such as training programs and administrative procedures to regulate valve locking/unlocking, could not be successfully implemented. Here, however, the focus is on the absence of design basis documentation for the locked-open valve, as it was a primary contributor to the incident.

Among the most compelling features of this incident is the universal nature of the design solution: a locked-open valve. How many locked-open valves are in use in process plants, and how many have a well understood and documented design basis? Engineers can easily overlook the importance of clearly documenting design bases. Documenting and communicating design bases can prove critical for operations personnel and those who may alter the design at some time after startup. Unfortunately, this last step in the technique can appear merely bureaucratic, and it sometimes takes an incident to fully appreciate the importance of documenting and communicating process safety system design bases.

2.6.2 Selecting the Relief System Basis for a Reactor (A Complex Design Case)
This example has its origins in a past engineering design problem where engineers faced the task of upgrading a series of existing emergency relief systems. The problem involved selecting the emergency relief system (ERS) sizing basis for a reactor vessel that processed a potentially reactive chemical system (Bellomo and Stickles 1995). The hazardous chemical was a liquid aliphatic acid chloride (AC). The intended liquid-phase chemical reaction can be summarized as:
Intended Reaction: R-C(=O)-Cl + Reactant X → (in solvent) Product Y

In this instance, the risk-based design basis selection technique was deliberately applied to the problem, as described below.

Step 1: Engineers used a What-If technique to identify the failure scenarios that might control the ERS design basis. Included in this effort was the development of a reactivity/compatibility matrix to assess all possible reactive design bases for the chemistry at hand. A possible unintended reaction, whereby AC reacts vigorously and exothermically with water to produce hydrogen chloride (HCl) gas, coupled with the presence of water at facilities undergoing ERS upgrades, strongly influenced the direction of the engineers' problem-solving efforts.

Possible Unintended Reaction: R-C(=O)-Cl + H2O → R-C(=O)-OH + HCl (vapor) + heat
In addition, the engineers had to address the typical ERS case of a fire beneath the reactor vessel. As a result, the engineers ultimately focused their evaluation on three separate scenarios, briefly described below.

• Immediate Unintended Reaction (process-induced case of water contamination). Several plausible scenarios were identified (e.g., a residual water heel from a reactor vessel clean-out) whereby water would come into contact with unreacted AC, resulting immediately in the unintended side reaction, which generated HCl gas.

• Delayed Unintended Reaction (process-induced case of layering and water contamination). In the absence of strong solvents and mixing, AC and water will form two liquid layers. In such scenarios, the AC-water reaction initially takes place at the interface of the two layers and is diffusion limited. As the interface heats up from the reaction, a critical temperature is reached where the vapor pressure of the interface material exceeds the system pressure plus the liquid head of the top layer. This results in rapid turnover of the liquid and mixing, causing rapid HCl vapor generation.

• External Fire. The third case involved a reactor full of AC exposed to external fire. Since neither the AC, the solvent, nor the product were self-reactive, and all-vapor venting occurs, conventional ERS sizing applied.
Step 2: In order to properly characterize the delayed unintended reaction, several experiments were conducted in small-scale and large-scale reactors. Because the actual chemistry takes place in the presence of a strong solvent, small-scale experiments were also carried out to investigate the behavior in the presence of solvents. With a solvent present, layering was not observed, and the reaction with water was essentially instantaneous. Another factor that needed to be considered in the characterization of this system was the solubility of HCl in water and in AC. An enthalpy-concentration diagram for HCl-water solutions was generated using equations of state and published binary interaction parameters. Because HCl is far more soluble in water than in AC, the vessel pressure-temperature behavior was much worse (i.e., a higher peak pressure) if water was added to a batch of AC than if AC was added to a batch of water (Melhem et al. 1995). Using detailed mathematical models, engineers analyzed the consequences of the study scenarios on reactor vessel temperature-pressure history and venting flow. An evaluation of the model simulation results indicated that protecting the vessel from the delayed reaction required an impracticable vent size.

Step 3: Inadequately mitigated pressure rise caused by any of the three scenarios could have ruptured the reactor vessel. Such consequences were considered intolerable. Therefore, an assessment of the risk was necessary.

Step 4: An evaluation of the specific pathways and likelihood for mixing AC and water was performed using fault tree analysis. A fault tree for an extended external fire was also developed. A risk analyst, working in conjunction with design and process engineers, assigned frequencies to the basic events in the fault tree. This exercise provided a quantification of the risk.
Step 5: The designers had adopted "working" tolerability guidelines for selecting ERS design bases. These working guidelines specified that the ERS design had to accommodate the relief requirements of any scenario estimated at a frequency greater than or equal to 1 × 10⁻⁴/year. In contrast, designers would tolerate scenarios estimated at less than 1 × 10⁻⁴/year; that is, they would proceed with an ERS design that did not necessarily accommodate the relief requirements of scenarios estimated at frequencies below that threshold. Comparison of the consequences and likelihood of the scenarios with the tolerability guidelines revealed that the risk was intolerable for the two process-induced scenarios involving the unintended reaction with water. Incidentally, the threshold frequency used by the designers related strongly to a worst-case consequence estimation, which considered the system energy and hazardous materials as well as the geographic distribution and total number of possible receptors.

Step 6: At this point, it is instructive to review the situation faced by the engineers tackling specification of the ERS design. The external fire was the lowest consequence scenario (step 2, consequence estimation) and did not control vent size. Accordingly, the external fire scenario was dropped from further consideration and the rationale for doing so was documented. The delayed unintended reaction scenario represented the worst case: it required the largest ERS. As indicated in step 2, however, the designers considered such vent sizing requirements impracticable for the existing facility. Nonetheless, the estimated frequency for this scenario exceeded the threshold tolerability frequency (i.e., 1 × 10⁻⁴/year). The immediate unintended reaction scenario represented the second highest consequence case. Like the delayed reaction scenario, the estimated frequency for this scenario exceeded the threshold tolerability frequency. Since no inherently safer design approaches were readily available, engineers turned their attention to passive, active, and procedural design enhancements that would reduce the estimated frequencies of the immediate and delayed unintended reaction scenarios. A number of solutions were identified to reduce the likelihood of contacting water and AC, such as incompatible water/steam hose connectors (passive), interlocks (active), and a water use permit (procedural).

Step 7: Fault trees developed in step 4 were updated and requantified to reflect the proposed risk mitigation. Through the application of design enhancements, the estimated frequency for both immediate and delayed unintended reactions decreased. The focus of the design enhancements was on engineering and procedural controls that would reduce the likelihood of getting water and AC into the reactor vessel in such a way that they would layer. Since the proposed modifications were not considered high-cost items, a detailed quantitative cost estimate was not prepared.

Step 8: With the addition of the design enhancements, the delayed unintended reaction satisfied the threshold frequency (i.e., less than 1 × 10⁻⁴/year). Since the estimate for the immediate unintended reaction scenario remained above the threshold frequency, the decision was made to select this scenario as the design basis for ERS sizing.

Step 9: The documentation covered the experimental work, risk evaluation results, vent sizing calculations, and qualitative cost estimates. This documentation became part of the facility's permanent design information file.
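As an added worked example (not from the CCPS text or from the Bellomo and Stickles paper), the following Python script runs Steps 4 through 8 above on a constructed fault tree: it quantifies each scenario's frequency from basic-event values, compares it against the 1 × 10⁻⁴/year working threshold, requantifies after the passive, active and procedural enhancements, and selects as the ERS design basis the scenario that is still at or above the threshold and needs the largest vent. The tree structure, event names, every frequency and probability, and the relative vent areas are assumptions chosen only to reproduce the outcome described in the text; the gate convention (an OR gate sums its inputs, an AND gate multiplies an initiating frequency by conditional probabilities) is the usual rare-event approximation and is likewise an assumption here.

```python
"""Risk-based ERS design-basis selection (Steps 4 to 8), constructed example.

Assumptions: the 1e-4/year threshold is the page's working guideline; the
fault trees, event names, numeric values and relative vent areas below are
made up for illustration and are not data from the CCPS text.
Gate convention (assumption): OR sums its inputs (rare-event approximation);
AND multiplies one initiating-event frequency by the conditional
probabilities of the remaining inputs, so every top event is in events/year.
"""

THRESHOLD_PER_YEAR = 1e-4


def evaluate(node, events):
    """Evaluate a nested-tuple fault tree: ("OR", ...), ("AND", ...) or an event name."""
    if isinstance(node, str):
        return events[node]
    gate, *children = node
    values = [evaluate(child, events) for child in children]
    if gate == "OR":
        return sum(values)
    if gate == "AND":
        product = 1.0
        for value in values:
            product *= value
        return product
    raise ValueError(f"unknown gate {gate!r}")


# Constructed pathways by which water reaches unreacted AC in the reactor.
WATER_CONTACTS_AC = (
    "OR",
    ("AND", "cleanouts_per_year", "p_residual_water_heel", "p_heel_not_detected"),
    ("AND", "utility_hookups_per_year", "p_wrong_hose_connected", "p_no_water_permit_check"),
)

# scenario name -> (fault tree, relative vent area it would require; constructed)
SCENARIOS = {
    "immediate unintended reaction": (WATER_CONTACTS_AC, 0.35),
    "delayed unintended reaction": (
        ("AND", WATER_CONTACTS_AC, "p_no_solvent_present", "p_agitator_off"), 1.0),
    "external fire": ("pool_fire_per_year", 0.10),
}

# Step 4: basic-event values before any enhancement (constructed).
BASE_EVENTS = {
    "cleanouts_per_year": 4.0,
    "p_residual_water_heel": 0.05,
    "p_heel_not_detected": 0.10,
    "utility_hookups_per_year": 20.0,
    "p_wrong_hose_connected": 2e-3,
    "p_no_water_permit_check": 1.0,   # no permit system exists yet
    "p_no_solvent_present": 0.05,
    "p_agitator_off": 0.20,
    "pool_fire_per_year": 2e-4,
}

# Steps 6/7: enhancements mapped to the page's three categories (values constructed).
ENHANCEMENTS = {
    "p_wrong_hose_connected": 2e-5,   # passive: incompatible water/steam hose couplings
    "p_agitator_off": 0.01,           # active: agitator-running interlock on charging
    "p_no_water_permit_check": 0.10,  # procedural: water-use permit
}


def quantify(events):
    """Top-event frequency (per year) for every scenario."""
    return {name: evaluate(tree, events) for name, (tree, _) in SCENARIOS.items()}


def apply_enhancements(events, enhancements=ENHANCEMENTS):
    """Step 7: requantify with the mitigated basic-event values."""
    updated = dict(events)
    updated.update(enhancements)
    return updated


def select_design_basis(events, threshold=THRESHOLD_PER_YEAR):
    """Step 8: of the scenarios at or above the threshold, the one needing the largest vent controls.

    Returns (scenario name or None, {scenario: frequency}).
    """
    freqs = quantify(events)
    candidates = [name for name, freq in freqs.items() if freq >= threshold]
    if not candidates:
        return None, freqs
    basis = max(candidates, key=lambda name: SCENARIOS[name][1])
    return basis, freqs


if __name__ == "__main__":
    before, f_before = select_design_basis(BASE_EVENTS)
    after, f_after = select_design_basis(apply_enhancements(BASE_EVENTS))
    for name in SCENARIOS:
        print(f"{name:32s} {f_before[name]:.2e} -> {f_after[name]:.2e} /yr")
    print("design basis before enhancements:", before)
    print("design basis after enhancements: ", after)
```

With these inputs the delayed reaction controls before the enhancements and the immediate reaction controls after them, which is the Step 8 outcome in the text. The evaluator is deliberately minimal: it does not handle common-cause failures, repeated basic events under different gates, or OR gates whose inputs are all probabilities rather than frequencies, and a real study would use a proper fault-tree tool for those.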
2.7 REFERENCES

Advisory Committee on Major Hazards. 1976. First Report. London: Her Majesty's Stationery Office.
API RP 2003. 1991. Protection Against Ignitions Arising Out of Static, Lightning, and Stray Currents. Washington, DC: American Petroleum Institute.
Bellomo, P. J., and R. P. Stickles. 1995. Select Design Bases for Emergency Relief and Other Process Safety Systems Based on Risk. Paper presented at the International Symposium on Runaway Reactions and Pressure Relief Design, August 1995, Boston, Massachusetts.
Bendixen, L. M. 1988. Risk Acceptability in the Chemical Process Industry: Working Toward Sound Risk Management. Spectrum: Arthur D. Little Decision Resources.
British Standards Institution. BS 5958. Code of Practice for Control of Undesirable Static Electricity: Part 1, General Considerations, and Part 2, Recommendations for Particular Industrial Situations. London: British Standards Institution.
Chicken, J. 1986. Risk Assessment for Hazardous Installations. Commission of the European Communities. Oxford: Pergamon Press.
Conway, A., ed. 1981. Engineering Hazards: Assessment, Frequency, and Control. London: Oyez Publishing Ltd.
CCPS 1989. Guidelines for Chemical Process Quantitative Risk Analysis. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1992a. Guidelines for Investigating Chemical Process Incidents. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1992b. Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1994a. Guidelines for Preventing Human Error in Process Safety. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1994b. Guidelines for Safe Automation of Chemical Processes. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1995a. Tools for Making Acute Risk Decisions. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1995b. Guidelines for Chemical Transportation Risk Analysis. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1995c. Guidelines for Process Safety Documentation. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1996. Bollinger, R. E., Clark, D. G., Dowell, A. M., Ewbank, R. M., Hendershot, D. C., Lutz, W. K., Meszaros, S. L., Park, D. E., and Wixom, E. D. Inherently Safer Chemical Processes: A Life Cycle Approach. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
EPA 1996. Risk Management Program for Chemical Accident Prevention. 40 CFR Part 68. Environmental Protection Agency.
Gibson, S. B. 1976. Risk Criteria in Hazard Analysis. Chemical Engineering Progress 72(2), 59.
Health and Safety Executive 1989. Risk Criteria for Land Use Planning in the Vicinity of Major Industrial Hazards. London: HMSO.
Health and Safety Commission 1991. Major Hazard Aspects of the Transport of Dangerous Substances. London: HMSO.
IChemE and IPSG 1995. Inherently Safer Process Design. Rugby, England: Institution of Chemical Engineers.
Kletz, T. A. 1984. Cheaper, Safer Plants or Wealth and Safety at Work. Rugby, Warwickshire, UK: Institution of Chemical Engineers.
Kletz, T. A. 1991. Plant Design for Safety. New York: Hemisphere.
Melhem, G. A., et al. 1995. An Advanced Method for the Estimation of Reaction Kinetics, Scaleup, and Pressure Relief Design. Process Safety Progress 14(1), 15-36.
Noronha, J., Merry, J., Reid, W., and Schiffhauser, E. 1982. Deflagration Pressure Containment for Vessel Safety Design. Plant/Operations Progress 1(1), 1-6.
NFPA 69. 1982. Explosion Prevention Systems, Chapter 5 on Deflagration Pressure Containment. Quincy, MA: National Fire Protection Association.
OSHA 1992. Process Safety Management of Highly Hazardous Chemicals. 29 CFR 1910.119. Washington, DC: Occupational Safety and Health Administration.
Royal Society 1983. Risk Assessment: Report of a Royal Society Study Group. London: Royal Society.
Stevens, G., and R. P. Stickles. 1992. Prioritization of Safety Related Plant Modifications Using Cost-Risk Analysis. Paper presented at the International Conference on Hazard Identification and Risk Analysis, January 1992, Orlando, Florida.
Tompkins, B., and Riffee, D. 1983. Careful Safety Evaluation Identifies Fire Hazards on Offshore Facilities. Oil & Gas Journal (October 3): 98-101.
US Coast Guard 1990. A Guideline for Detonation Flame Arresters. 33 CFR Part 154, Appendix A. United States Coast Guard: US Department of Transportation.
Windhorst, J. C. A. 1995. Application of Inherently Safe Design Concepts, Fitness for Use and Risk Driven Design Process Safety Standards to an LPG Project. In Loss Prevention and Safety Promotion in the Process Industries, Volume II, ed. J. J. Mewis, H. J. Pasman and E. E. De Rademaeker. Elsevier Science B.V.
Suggested Additional Reading

Arendt, J. S., Lorenzo, D. K., and Lusby, A. F. 1989. Evaluating Process Safety in the Chemical Industry: A Manager's Guide to Quantitative Risk Assessment. Washington, DC: Chemical Manufacturers Association.
Covello, V. T., Sandman, P. M., and Slovic, P. 1988. Risk Communication, Risk Statistics and Risk Comparisons: A Manual for Plant Managers. Washington, DC: Chemical Manufacturers Association.
DIERS 1994. Risk Considerations for Runaway Reactions. Design Institute for Emergency Relief Systems. New York: American Institute of Chemical Engineers.
Greenberg, H. R., and Cramer, J. J., eds. 1991. Risk Assessment and Risk Management for the Chemical Process Industry. New York: Van Nostrand Reinhold.
Hendershot, D. C. 1996. Risk Guidelines As a Risk Management Tool. Process Safety Progress 15(4), 213-218.
Kathren, R. L., Selby, J. M., and Vallario, E. J. 1980. A Guide to Reducing Radiation Exposure to as Low as Reasonably Achievable (ALARA). WCRP 108.0656. US Department of Energy, April.
Lewis, H. W. 1990. Technological Risk. New York: W. W. Norton and Co.
NFPA 30. 1993. Flammable and Combustible Liquids Code. Quincy, MA: National Fire Protection Association.
NUREG/CR-2300. 1982. A Guide to the Performance of Probabilistic Risk Assessment for Nuclear Power Plants. US NRC.
Noronha, J., and Torres, A. 1990. Runaway Risk Approach Addressing Many Issues: Matching the Potential Consequences with Risk Reduction Methods. Proceedings of the 24th Loss Prevention Symposium, AIChE National Meeting, San Diego, CA.
Philley, J. O. 1992. Acceptable Risk: An Overview. Halliburton NUS Environmental Corporation, Houston, TX, October.
Sawery et al. 1991. Risk Assessment and Risk Management for the Chemical Process Industry. New York: Van Nostrand Reinhold.
The Institution of Engineers, Australia. 1993. Dealing With Risk. Canberra, Australia.
Wang, O. S., and Field, J. G. 1992. Risk Management of Onsite Transportation of Hazardous Materials. Westinghouse Hanford Company, Richland, Washington.
Wells, G. 1996. Hazard Identification and Risk Assessment. Rugby, Warwickshire, UK: Institution of Chemical Engineers.
3 VESSELS
3.1 INTRODUCTION

This chapter presents potential failure mechanisms for vessels and suggests design alternatives for reducing the risks associated with such failures. The types of vessels covered in this chapter include:

• In-process vessels (surge drums, accumulators, separators, etc.)
• Pressurized tanks (spheres, bullets)
• Atmospheric, fixed roof storage tanks (cone/dome roof)
• Atmospheric, floating roof storage tanks
Reactors are a unique subset of vessels, in that they are specifically designed to contain chemical reactions. Because reactors have unique failure scenarios specifically attributable to the reaction (e.g., reactant accumulation), a complete chapter (Chapter 4) is devoted to this important class of equipment. However, many of the generic vessel failure modes discussed in this chapter, such as corrosion related failures or autopolymerization, may also apply to reactors.

3.2 PAST INCIDENTS

"Those who cannot remember the past are condemned to repeat it" (Santayana 1905). Important lessons can be learned from prior mistakes. Several case histories of incidents involving vessel failures are provided to reinforce the need for the safe design and operating practices presented in this chapter.

3.2.1 Storage Tank Autopolymerization Incident
Plant operating problems had resulted in the production of a tank (approximately 32,000 lb) of glacial acrylic acid (GAA) which did not meet specifications due to high water content. The material was held in storage until it was loaded into a tank wagon, where it was to be kept until the GAA could be reworked. The operator's logbook specified that warm water (25°C maximum) was to be used to keep the GAA from freezing (freezing point = 13°C). The outside temperature was 5-10°C at the time. A standard steam-water mixing station was used to supply the warm water to the tank wagon coils. Water flow was maintained to the tank wagon, but no measuring devices were available for observing actual temperature or flow rate. The steam-water mixing station operation was monitored and adjusted by observing that warm water was running out of the coil outlet (noting vapor evolving from water in the cold weather). It was not clear after the incident whether the tank wagon dome lid was open, or just loosened to allow "breathing" during the hold period. Approximately 15½ hours after the tank wagon was filled, vapors started blowing out the loosened tank wagon lid and accumulating in the vicinity of the tank wagon. The steam-water mixer was shut off and approximately six minutes later the tank wagon exploded. The blast effect from the explosion destroyed an adjacent loading rack/pipe rack, and damaged other plant structures. A combination of local overheating (hot surface) and local inhibitor deficiency was considered the most probable mechanism for initiation of polymerization. Contamination may have contributed to the violence of the polymerization once it was initiated. Water and iron were the two main candidates in contamination considerations. Screening experiments showed that water can reduce GAA stability at temperatures above 100°C, and that soluble iron in the 1-100 ppm range can also reduce stability. See item 10 in Table 3 for potential design solutions.

Ed. Note: This example illustrates the hazard of using temporary facilities for the storage of hazardous materials. Such facilities are often not subject to the same scrutiny as permanent facilities.
3.2.2 Storage Tank Stratification Incident

Acetic anhydride is used as an acetylating agent for many compounds. When it reacts with a hydroxyl group, acetic acid is formed as a byproduct. Pure acetic anhydride will react energetically with water to form acetic acid. In typical acetylation reactions, an excess of anhydride is used to drive the reaction to completion. This excess is then reacted in the receiver tank with water to convert the excess anhydride to acid. The acid is then refined and remanufactured into anhydride. This operation can be performed safely, since the presence of acetic acid makes water and acetic anhydride miscible, and therefore the rate of reaction can be controlled by the rate of water addition.

In this case, the acetylation reaction did not proceed as designed, due to an inadvertent omission of the strong mineral acid catalyst needed to initiate the reaction at low temperatures (-10°F). Thus, the receiver tank did not contain a mixture of acetic anhydride and acetic acid, but only very cold, pure anhydride. The operator in charge of the water addition did not realize the change in composition, and additionally failed to turn the tank agitator on prior to beginning the water addition. After several minutes of water addition, he realized his mistake with the agitator, and hit the start button. Immediately, the water, which had layered out on top of the cold anhydride, mixed and reacted violently. This caused a partial vaporization in the tank, and eruption through an open manway, resulting in fatal burning of the operator. Had the agitator been turned on prior to beginning the water addition, the reaction rate would have again been controlled by the water addition rate. In this case, a near-stoichiometric quantity of water was brought into contact with the anhydride virtually instantaneously, resulting in an uncontrolled exotherm.
3.2.3 Batch Pharmaceutical Reactor Accident

While two operators were charging fiber drums containing a penicillin powder into a reactor containing a mixture of acetone and methanol, an explosion occurred at the reactor manhole. The two operators were blown back by the force of the explosion, and were covered with solvent-wet powder. The incident was initiated by the ignition of solvent vapors, which resulted in a dust explosion of the dry powder. The solvent liquid mixture in the reactor did not ignite. Tests on the polyethylene liners inside the fiber drums, which had been grounded at the time of the incident, showed that they were of the non-conducting type. The most probable cause of the ignition was an electrostatic discharge from the polyethylene liner during reactor charging. After this accident, the company instituted the following procedures (Drogaris 1993):

• Requiring nitrogen inerting when pouring dry solids into flammable solvents
• Adding dry powder to the reactor by means of grounded metal scoops, where possible, rather than by pouring in directly from drums with polyethylene liners
• Using only conductive polyethylene liners
• Using a closed charging system rather than pouring dry powders into flammable solvents directly via an open manhole
• Performing an electrostatic hazard review of the whole plant and all the processes whenever powders and flammable solvents are used
Ed. Note: Even though this incident involved a reactor, it applies as well to any vessel, open-manhole, charging operation. Most likely the liners were loose and the operators not grounded. If fixed liners were in place and the operators grounded, the accident might not have occurred.
3.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

The information on equipment failure scenarios and associated design solutions is introduced in table format in this chapter and followed in each subsequent equipment chapter. The organization of the tables is the same in each chapter. The table headings used are described below.

• Operational Deviation—generic operational parameter deviation such as overpressure. Analogous to HAZOP parameter deviation.
• Failure Scenario—specific failure mechanism/cause for specified generic parameter deviation (e.g., overpressure due to upstream control system failure).
• Potential Design Solution—potential design solutions that could be considered to reduce the risk of the failure scenario. For the reasons given in Chapter 2, the design solutions are grouped into the following three categories: inherently safer/passive, active and procedural.

Vessel failure scenarios, along with associated design solutions, are presented in Table 3. Design solutions are provided for each scenario, although some scenarios do not have practical design solutions for all categories. Operational deviations marked with (T) are discussed in further detail in the chapter text.
3.4 DISCUSSION

3.4.1 Use of Potential Design Solutions Table
It should be recognized that the design solutions presented are possible approaches for reducing the risk of the associated failure scenario. The authors of this book could not anticipate all the possible applications nor conditions that may pertain to a specific design situation. Also, the design solutions are not necessarily equivalent in terms of benefit in reducing the risk of the stated hazard scenario. Therefore, it is intended that the table be used in conjunction with the design basis selection methodology presented in Chapter 2 to arrive at the optimal design solution for a given application. Furthermore, some solutions are not applicable to all classes of vessels. (For example, designing for maximum expected deflagration pressure is not practical for tanks designed to API Std 650 (1988) but should be considered for some pressure vessels.)

Use of the design solutions presented in Table 3 should be combined with sound engineering judgment and consideration of all relevant factors. For example, let us assume that it is decided that a nitrogen blanketing system will be installed on an atmospheric storage tank to reduce the risk of internal explosion. Typically nitrogen supply pressures are significantly higher than the design pressure of a storage tank designed to API Std 650 (1988). Consequently the total system design also needs to address the hazard of overpressure due to uncontrolled opening of a high pressure utility system. This example illustrates an important aspect of the intended use of the equipment failure tables. The design and installation of safety systems, especially active systems, can also introduce potential hazards that were not originally present. Therefore, it is necessary to use the table in the context of the total design concept to ensure that all hazards have been considered. As shown in the example, this may involve combining several scenario design solutions to arrive at a final acceptable design. Consequently, the table should be consulted at various stages of the design to reaffirm that all failure mechanisms are considered.

Utilizing several design solutions for the same scenario is also possible and often desirable. Again referring to the design of a flammable liquid storage tank, employing ignition source controls (e.g., non-splash filling, grounding) as well as vapor space inerting may be desirable based on the consequences of catastrophic tank failure. In addition to providing the required degree of reliability for any one failure scenario, multiple safeguards may be the optimum approach to process deviations caused by very different failure scenarios.
For example, suppose a vessel can be overpressured by deflagration in the vapor space in one scenario and by runaway reaction in another scenario. The deflagration event may be characterized by a high pressure rise rate but a modest pressure rise ratio. The reaction runaway may be characterized by a very high pressure rise ratio but a modest reaction rate early in the runaway. With this disparity in the scenarios, the optimum safeguard design might be pressure containment for the deflagration and emergency pressure relief for the runaway reaction. In this situation, these safeguards are not redundant.
3.4.2 Special Considerations
The tables contain numerous design solutions derived from a variety of sources and actual situations. Many of the solutions are readily understood. In some instances, additional explanation is warranted to fully appreciate the approach. This section contains additional information on selected design solutions. The information is organized and cross referenced by the Operational Deviation Number in the table.

Ignition of Flammable Atmosphere (3, 19)
When applying vapor space inerting, there are some special circumstances that need to be recognized; namely, the presence of oxygen is needed for some hazard mitigation measures. For example, the corrosion inhibiting mechanism of certain metals (e.g., stainless steel) depends on the presence of some oxygen. Likewise, some polymer formation inhibitors that are added to reactive materials need oxygen to stay active. In such situations, a reduced oxygen atmosphere may achieve the desired balance between inhibitor activity and flammability protection.

The use of flame arresters deserves additional consideration. Flame arresters are often implicated in vessel incidents, not because they are ineffective, but because they are misapplied or improperly maintained. Flame arresters that are not routinely inspected can become plugged (e.g., condensation/corrosion by stored fluids, foreign debris). Eventually, the protected vessel can be subjected to overpressure or vacuum conditions if the vessel is not protected by a relief device. Flame arresters do not necessarily provide protection against detonation unless specifically designed for that purpose. When using in-line flame arresters, it is necessary to evaluate the potential for deflagration to detonation transition (DDT) in the piping systems being considered. Information on analysis of DDT can be found in CCPS 1993, Chapter 13.

Chemical Reaction Increases Pressure (10)
In the case of cold storage tanks, emergency cooling needs to be independent, since loss of primary cooling may be a cause of high reaction rate. When a polymerization inhibitor is used, the solubility of the inhibitor in the reactive monomer over the range of potential operating conditions needs to be considered. For example, as acrylic acid melts, the inhibitor tends to stay in the solid, producing a potential runaway hazard in the molten liquid. See Section 3.2.1.

Pressure Generated by Rollover (12)
The earliest recognized incident of rollover occurred in a Liquefied Natural Gas (LNG) tank due to density stratification. In this incident LNG was transferred from a tanker to a partially filled LNG tank. The LNG transferred was more dense than the LNG in the tank and was added to the bottom of the tank. As a result, two discrete layers of LNG existed in the tank. With heat transfer from the surroundings, energy accumulated in the lower layer since the hydrostatic head of the upper layer suppressed vaporization. As the lower layer temperature increased, its specific gravity decreased. Heat transfer to the upper layer resulted in boil-off of methane and an increase in the specific gravity as the concentration of heavier components increased. In time the difference in specific gravity between the two layers disappeared, and the resulting rapid equilibration released the stored energy in the lower layer as a high rate of liquid vaporization. Fortunately, in this situation tank safety relief devices were able to provide adequate protection, and tank failure was averted (Drake et al. 1973).

Rollover can also occur with two immiscible, reactive materials, such as acetic anhydride and water. As the materials react at the interface, acetic acid is formed as a reaction product. Once a sufficient amount of acid is generated, the two phases become miscible, collapsing together and generating a large, nearly instantaneous exotherm. With this energy release, the resulting reaction mixture can be partially vaporized, with an accompanying rapid rise in vessel pressure.
Tank Failure under Vacuum (20 to 25)
In flammable service, it is generally not desirable to allow air into a vessel to prevent vacuum conditions. Bleeding in an inert gas under pressure control is a design solution that is often utilized. Depending on the consequences of inert gas failure, an emergency supply of inert gas may be needed. In some instances, an air vacuum breaker is provided as a last line of defense. This design approach is based on accepting the lower likelihood of ignition in preference to the much more likely prospect of damaging the tank, which could result in loss of containment.

Tank Failure from Frost Heave (47)
This is a serious problem for design of cryogenic fluid storage tanks. However, it can be managed through proper foundation design. Design solutions that have been used include elevated foundation pedestals to minimize heat transfer from the soil and foundation heating elements.
3.5 REFERENCES

API Std 650. 1988. Welded Steel Tanks for Oil Storage. Washington, DC: American Petroleum Institute.
CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
Drake, E. M., Geist, J. M., and Smith, K. A. 1973. Preventing LNG "Rollover." Hydrocarbon Processing.
Drogaris, G. 1993. Major Accident Reporting System: Lessons Learned from Accidents Notified. Amsterdam: Elsevier Science Publishers, B.V.
Santayana, G. 1905. The Life of Reason, Vol. I, Reason in Common Sense.

Suggested Additional Reading

API Publ 2210. 1982. Flame Arresters for Vents of Tanks Storing Petroleum Products, 2nd ed. Washington, DC: American Petroleum Institute.
US Coast Guard 1990. Specifications for Tank Vent Flame Arresters. 33 CFR Part 154, Appendix B. United States Coast Guard: US Department of Transportation.
UL 525. 1984. Flame Arresters for Use on Vents of Storage Tanks for Petroleum Oil and Gasoline, 5th ed. Underwriters Laboratories.
TABLE 3. FAILURE SCENARIOS FOR VESSELS
Each entry gives: No. | Operational Deviation: Failure Scenario, followed by the Potential Design Solutions in three groups: Inherently Safer/Passive, Active, Procedural.
1 | Overpressure: Liquid overfill resulting in back pressure or excessive static head
Inherently Safer/Passive: • Vessel design accommodating maximum supply pressure • Use open vent or overflow line
Active: • Emergency relief device • Level device interlocked to prevent overfill
Procedural: • Instructions to monitor level during transfer • Verify tank has sufficient free board prior to transfer • High level alarm with instructions to intervene to prevent overfilling
2 | Overpressure: Inadvertent or uncontrolled opening of high pressure utility system
Inherently Safer/Passive: • No utility connections above pressure rating of vessel • Incompatible utility couplings to prevent connections of high pressure utilities • Mechanical flow restriction (e.g., restriction orifice) of utility with open vent on vessel • Vessel design accommodating maximum utility pressure
Active: • Emergency relief device on vessel or utility line • Pressure sensor interlocked to isolate utility pressure
Procedural: • Labeling of utility connections
3 (T) | Overpressure (see items 18, 19): Ignition of flammable atmosphere in vessel vapor space
Inherently Safer/Passive: • Floating roof tank instead of fixed roof (see procedural) • Ignition source controls (e.g., lightning protection, permanent grounding/bonding, non-splash filling including dip pipe, fill line flow restriction, or bottom inlet) • Vessel design accommodating deflagration pressure • Store below flash point (if not heating) • Use non-intrusive instrumentation (e.g., radar level detection)
Active: • Explosion venting (e.g., frangible roof for fixed roof tank) • Store material at temperature below its flash point (cooling) • Vapor space combustible concentration control • Vapor space inerting • Flame arrester in vent path • Emergency purge and/or isolation activated by detection of flammable atmosphere
Procedural: • Oxygen analyzer with alarm • Instructions to feed empty tanks at low rate until fill line submerged, avoiding splash filling • No transfers during electrical storms • Low feed rate until floating roof is afloat
4 | Overpressure: Excessive fill rate resulting in back pressure from venting vapor
Inherently Safer/Passive: • Use open vent (e.g., vent diameter larger than fill line for short vent lines) • Flow restriction orifice in fill line • Vessel design accommodating maximum supply pressure
Active: • Flow shutdown interlock activated by high pressure or high flow • Automated flow control loop on fill line with high flow alarm • Emergency relief device
Procedural: • Operating instructions to limit flow to a maximum safe value • Operating instructions to monitor filling rate and intervene to prevent excessive fill rate
5 | Overpressure: External fire
Inherently Safer/Passive: • Buried (underground or bermed) tank (consider environmental issues) • Fireproof insulation (limits heat input) • Slope-away diking with remote impounding of spills • Locate outside fire affected zone • Provide recommended tank-to-tank separation
Active: • Fixed fire protection water spray (deluge) and/or foam systems activated by flammable gas, flame, and/or smoke detection devices • Emergency relief device
Procedural: • Emergency response plan • Manual activation of fixed fire protection water spray (deluge) and/or foam systems
6 | Overpressure: Inadequate or obstructed vent path, resulting in high vapor space pressure during filling
Inherently Safer/Passive: • Use open vent • Vessel design accommodating maximum supply pressure • Vent screen to avoid entrance of foreign objects
Active: • Emergency relief device • Heat tracing of vent to avoid condensation and solidification
Procedural: • Operating instructions to verify open vent path before initiating fill operation • Operating instructions to periodically examine vent opening for obstructions
7 | Overpressure (see item 54): Internal heating/cooling coil leak or rupture
Inherently Safer/Passive: • Use of external heater/cooler (panel coil) • Use of heating/cooling medium which is not reactive with vessel contents • Vessel design accommodating maximum heating/cooling medium pressure • Use electrical heating • Use lower pressure/temperature heating or cooling medium • Vessel design accommodating maximum stored material vapor pressure at maximum heating medium temperature
Active: • Emergency relief device • High pressure interlock that activates utility closure • Back pressure control with external heating/cooling circulation to avoid leak into vessel
Procedural: • Periodic sampling/analysis of contents for leakage • Emergency action plan to transfer contents to safe location if adverse reaction can occur
8 | Overpressure: Vessel contamination with high vapor pressure material (introduction of volatiles)
Inherently Safer/Passive: • Vessel design accommodating maximum expected pressure • Weak seam roof for tanks • Use of incompatible couplings
Active: • Emergency relief device
Procedural: • Isolation of volatile materials by blinding, removable spool, disconnection, etc.
9 | Overpressure: Excessive heat input resulting in high vapor pressure
Inherently Safer/Passive: • Vessel design accommodating maximum expected pressure • Limit the temperature or flow of the heating medium (e.g., use hot water instead of steam)
Active: • Emergency relief device • High temperature or pressure alarm and interlock which isolates the heating medium
Procedural: • High temperature or pressure alarm with operator activation of heating medium isolation
10 (T) | Overpressure: Chemical reaction resulting in increased pressure
Inherently Safer/Passive: • Vessel design accommodating maximum expected pressure • Limit or avoid the storage or unintended accumulation of reactive materials • Consume reactive intermediate process materials as soon as they are produced
Active: • Emergency relief device • High temperature and/or pressure alarm and automatic addition of quench/diluent fluid or inhibitor • Automatic activation of emergency cooling system
Procedural: • Operating instructions to periodically test for inhibitor concentration or activity • High temperature and/or pressure alarm and manual addition of quench, diluent or inhibitor • Manual activation of quench or cooling system • Periodic draining of accumulation points (i.e., knock-out pots)
11 | Overpressure: Control or equipment failure in vapor recovery system on refrigerated/chilled storage
Inherently Safer/Passive: • Vessel design accommodating maximum expected pressure • Additional insulation to prolong acceptable refrigeration outage
Active: • Emergency relief device • High pressure interlock to automatically start spare compressor
Procedural: • Operator startup of spare compressor on high pressure indication
12 (T) | Overpressure: Roll-over of stratified layers, resulting in high vapor pressure
Inherently Safer/Passive: • Vessel design accommodating maximum expected pressure • Use of in-line mixer external to vessel to premix feeds • Provide tank filling system design that avoids tank stratification (e.g., top splash filling)
Active: • Mechanically agitate or recirculate tank contents • Emergency relief device
Procedural: • Operating instructions on filling procedure to avoid stratification
13 | Overpressure: Failure of upstream process controls, resulting in vapor or flashing liquid feed
Inherently Safer/Passive: • Vessel design accommodating maximum expected or upstream pressure • Ensure control valves are not oversized
Active: • Emergency relief device • High pressure alarm and interlock which isolates the inlet flow(s)
Procedural: • Operator activation of flow isolation on high pressure indication
14 | Overpressure: Ambient temperature change, resulting in higher vapor space pressure
Inherently Safer/Passive: • Vessel design accommodating maximum expected pressure • Use of buried (underground or aboveground) tank • Insulate tank • Open vent on fixed roof tanks • Place tank under a roof • Use reflective coating on vessel
Active: • Emergency relief device or breather vent valve • Automatic external cooling water spray
Procedural: • Operator activation of water spray on indication of high temperature in vessel
15 | Overpressure: Blocked outlet flow path
Inherently Safer/Passive: • Vessel design accommodating maximum upstream pressure • Eliminate unnecessary outlet block valves • Outlet sized to eliminate or reduce likelihood of plugging
Active: • Emergency relief device • Interlock to isolate vessel inlet or trip feed pump on high pressure
Procedural: • Procedures for securing valves open via seals or locks
16 | Overpressure: Ignition/reaction due to high temperature at unwetted internal heating element surface
Inherently Safer/Passive: • Vessel design to accommodate maximum expected temperature and pressure • Use of external recirculation heating system • Maintain submergence of heating surface at all times by locating liquid withdrawal connection above the heating element • Limit temperature of heating medium • Selection of materials to avoid rust (i.e., eliminate potential catalytic effects)
Active: • Automatic level control with low level alarm and shutdown of liquid withdrawal system to ensure liquid is above heating surface • Vapor space inerting
Procedural: • Operating instructions to maintain liquid level above heating surface at all times • Manual response to low level indication
17 | Overpressure: Heating and thermal expansion of liquid
Inherently Safer/Passive: • Install open overflow nozzle to containment system • Elimination of all unnecessary heating connections • Eliminate capability to "block in" system • Provide vapor space in vessel
Active: • Temperature controls on heating medium to prevent overheating • High level shutoff preventing liquid from rising above level where expansion would cause overfill • Thermal expansion relief valve
Procedural: • Operating instructions on control of temperature below a certain limit, or restrictions on the length of time that heat can be applied • Instructions on limiting the maximum liquid level • Manual shutoff on detection of high level • Instructions on draining vessel or isolating source of heat input before blocking in
18 | Overpressure (batch or semibatch): Electrostatic spark discharge and ignition of vapors during charging of solids through an open manhole or charging chute resulting in deflagration or flash fire
Inherently Safer/Passive: • Eliminate addition of materials as solids (e.g., use slurry) • Charging of solids through a nozzle by means of a closed system (e.g., hopper and rotary airlock, screw feeder, double-dump valve system, etc.)
Active: • Automatic inerting of vessel prior to solids addition • Ground indicator with interlock to prevent manhole opening if ground connection to solids container is faulty
Procedural: • Manual inerting of vessel prior to solids addition • Procedures for manual grounding and bonding of solids container and funnel to vessel • Ground operator • Avoid use of nonconductive plastic containers • Verify acceptable oxygen concentration before charging
19 (T) | Overpressure (Floating Roof Tank): Ignition of flammable atmosphere in tank vapor space following seal failure on internal floating roof
Inherently Safer/Passive: • Provide double roof seal • Provide adequate natural ventilation between fixed roof and floating deck • Eliminate fixed roof provided over the floating deck • Ignition source controls (e.g., lightning protection, permanent grounding/bonding) • Use of fixed roof tank with inerting
Active: • Provide inerting between fixed roof and floating deck • End-of-line flame arrester
Procedural: • Periodic inspection of roof seals • Periodic testing for combustibles in tank vapor space
20 (T) | Underpressure or Vacuum: Failure of vacuum system control
Inherently Safer/Passive: • Vessel design to accommodate maximum vacuum (full vacuum rating)
Active: • Vacuum relief device • Automatic isolation of vacuum system on high vacuum
Procedural: • Manual vacuum breaking on indication of high vacuum
21 (T) | Underpressure or Vacuum: Obstructed vent path
Inherently Safer/Passive: • Vessel design to accommodate maximum vacuum (full vacuum rating) • Vent screen to avoid entrance of foreign objects
Active: • Use of blanketing gas pressure control system to minimize vacuum • Vacuum relief device • Heat tracing of vent to avoid condensation and solidification • Low pressure interlock to isolate outlet path
Procedural: • Operating instructions to verify open vent path before initiating withdrawal operation • Operating instructions to periodically examine vent opening for obstructions
22 (T) | Underpressure or Vacuum: Uncontrolled condensation/absorption of vapor phase component
Inherently Safer/Passive: • Vessel design to accommodate maximum vacuum (full vacuum rating) • Insulation • Open vent
Active: • Use of blanketing gas pressure control system to minimize vacuum • Vacuum relief system • Feed heater
Procedural: • Operating procedure for monitoring temperature and addition rate of materials
23 (T) | Underpressure or Vacuum: Excessive liquid withdrawal rate
Inherently Safer/Passive: • Vessel design to accommodate maximum vacuum (full vacuum rating) • Open vent
Active: • Use of blanket gas pressure control system to minimize vacuum • Vacuum relief system • Restrict withdrawal rate
Procedural: • Procedural limitations on the maximum rate of liquid withdrawal
24 (T) | Underpressure or Vacuum: Ambient temperature change, resulting in vapor space vacuum
Inherently Safer/Passive: • Vessel design to accommodate maximum vacuum (full vacuum rating) • Open vent on fixed roof tanks • Insulation • Locate tank under roof
Active: • Use of blanket gas pressure control system to minimize vacuum • Vacuum relief device
Procedural: • Manual vacuum breaking on low pressure alarm
25 (T) | Underpressure or Vacuum: Control or equipment failure in vapor recovery system on refrigerated/chilled storage
Inherently Safer/Passive: • Vessel design to accommodate maximum vacuum (full vacuum rating)
Active: • Use of blanket gas pressure control system to minimize vacuum • Air vacuum breaker device • Interlock to shutdown compressor/blower on low pressure
Procedural: • Manual shutdown of compressor/blower on low pressure alarm
26 | High external liquid level: High external pressure on vessel walls from water level in dike or vault resulting in dislodging tank or external collapse of tank wall
Inherently Safer/Passive: • Vessel design to accommodate maximum external pressure • Use of remote impounding instead of dike • Anchor tanks • Elevate tank • Dike height limits liquid level
Active: • Dike level measurement with automatic drain or pump-out • Storm water drain system
Procedural: • Operating instructions to inspect dike periodically and drain as necessary • Operating instructions to drain storm water collected in the dike after heavy rainfall • Keep tanks filled to a minimum liquid level
27 | High Temperature: High temperature material fed to vessel
Inherently Safer/Passive: • Vessel design to accommodate maximum expected temperature and pressure of feed material(s)
Active: • High temperature interlock to activate cooling or shut off feeds at desired temperature
Procedural: • Instructions to cool or shut off feed when temperature rises above a certain level
28 | High Temperature: Control failure of heating/cooling system
Inherently Safer/Passive: • Vessel design to accommodate maximum expected temperature and pressure experienced due to loss of heat transfer • Use of heating medium whose maximum temperature is limited to vessel design temperature
Active: • High temperature alarm and shutdown interlock • Auxiliary cooling/quench or heat transfer system • Emergency relief device
Procedural: • Manual shutdown on high temperature indication
29 | High Temperature: Chemical reaction (also see Chapter 4)
Inherently Safer/Passive: • Vessel design to accommodate maximum expected temperature and pressure of a possible exothermic reaction • Substitute less-reactive material
Active: • Emergency relief device • High temperature alarm and interlock shutdown • Automatic addition of reaction inhibitor and/or quench fluid • Automatic activation of emergency cooling system
Procedural: • Manual initiation of high temperature shutdown and/or quench/cooling addition
30 | High Temperature: External fire or failure of internal refractory liner
Inherently Safer/Passive: • Use of buried (underground or aboveground) tank (consider environmental issues) • Insulate with fireproof insulation • Provide remote impounding of flammable liquid spills • Locate vessel to minimize exposure • Provide recommended tank-to-tank spacing
Active: • Fixed fire protection water spray (deluge) and/or foam systems activated by flammable gas, flame, and/or smoke detection devices • Emergency relief device • Fire detectors
Procedural: • Emergency response procedures • Manual activation of fixed fire protection water spray (deluge) and/or foam systems • Monitoring of vessel wall temperature with thermocouples or optical devices
31 | High Temperature: Excessive mechanical agitation
Inherently Safer/Passive: • Vessel design to accommodate maximum expected temperature and pressure • Limit agitator motor power • Leave vessel uninsulated to allow heat loss
Active: • Agitator shutdown on high temperature detection
Procedural: • Instructions to turn off agitator on high temperature indication
32 | Low Temperature: Low ambient temperature
Inherently Safer/Passive: • Vessel design to accommodate minimum expected (ambient) temperature • Use of buried (underground or aboveground) tank • Insulate tank • Locate equipment indoors
Active: • Automatic activation of heating system
Procedural: • Manually activate heating system or drain materials which could freeze
33 | Low Temperature: Low temperature material fed to vessel
Inherently Safer/Passive: • Vessel design to accommodate minimum expected feed temperature
Active: • Low temperature alarm and feed isolation interlock
Procedural: • Instructions to isolate feed on low temperature indication
34 | Low Temperature: Control failure of heating/cooling system
Inherently Safer/Passive: • Vessel design to accommodate minimum expected temperature
Active: • Low temperature alarm and shutdown interlock • Auxiliary heating system • Low temperature alarm activates external heating
Procedural: • Operate system manually or activate back-up heating/cooling system
35 | Low Temperature: Refrigerant leak into vessel
Inherently Safer/Passive: • Vessel design to accommodate minimum expected refrigerant temperature • Use refrigerant with vapor pressure below process pressure
Active: • Low temperature alarm and refrigerant system shutdown and/or isolation interlock
Procedural: • Manual system shutdown on low temperature indication
36 | Low Temperature: Depressuring of vessel containing liquefied gases
Inherently Safer/Passive: • Provide metallurgy suitable for low temperature
Active: • Interlock to close depressuring valve at specific pressure • Provide external heating
Procedural: • Instructions to deinventory liquid before depressuring • Instructions to warm up vessel before repressuring
37 | Over-fill: Level control failure causing spill
Inherently Safer/Passive: • Install open overflow nozzle to containment system • Closed loop filling • Diking or drainage to remote impounding
Active: • High level alarm and automatic feed cutoff/isolation
Procedural: • Instructions to stop feed when level reaches a certain point
38 | Over-fill: Incorrect or unanticipated cross-connection
Inherently Safer/Passive: • Install open overflow nozzle to containment system • Use of dedicated connections • Use of incompatible connections
Active: • High level alarm and automatic feed cutoff/isolation
Procedural: • Operating instructions on correct or permitted cross-connections between tanks and vessels • Operating/maintenance instructions to isolate tanks via blinding and disconnection • Manual isolation on high level
39 | Over-fill: Leak from heating/cooling system
Inherently Safer/Passive: • Install open overflow nozzle to containment system • External heating/cooling system • Operation of heating/cooling system at pressures below process pressure • Double tubesheet heat exchanger • Intermediate heat transfer fluid at a pressure below process pressure
Active: • High level alarm and automatic heating/cooling medium cutoff/isolation
Procedural: • Leak detection devices (e.g., pH, conductivity, capacitance) and manual isolation
40 | Over-fill: Leak or excessive fill from liquid utility system (e.g., utility water)
Inherently Safer/Passive: • Install open overflow nozzle to containment system • Orifice restriction in utility connection
Active: • High level alarm with utility isolation interlock
Procedural: • Operator isolation (e.g., disconnection, blinding, double block and vent) of utilities • Leak detection devices (e.g., pH, conductivity, capacitance) and manual isolation
41 | Low Level: Level control failure
Inherently Safer/Passive: • Locate underflow nozzle to maintain a minimum liquid level in the vessel
Active: • Low level alarm with shutoff preventing further liquid withdrawal from vessel via either pump shutdown or closure of block valve
Procedural: • Manual shutoff on low level indication
42 | Low Level: Incorrect or unanticipated cross-connection causing uncontrolled outflow
Inherently Safer/Passive: • Locate underflow nozzle to maintain a minimum liquid level in the vessel • Eliminate all unnecessary cross-connections • Use incompatible couplings to avoid improper cross-connections where hoses are used
Active: • Low level alarm with shutoff preventing further liquid withdrawal from vessel via either pump shutdown or closure of block valve
Procedural: • Operating instructions on the correct or permitted cross-connections between tanks and vessels • Operating/maintenance instructions to isolate tanks via blinding and disconnection • Manual outflow isolation on low level indication
43 | Low Level (Floating Roof Tank): Ignition of flammable atmosphere in tank vapor space following low level that results in floating roof sitting on its internal legs
Inherently Safer/Passive: • Locate underflow nozzle to maintain a minimum liquid level in the tank
Active: • Low level alarm with interlock to automatically shutdown the transfer pump • Electrical bonding of floating roof to tank
Procedural: • Operating instructions to monitor tank level periodically
44 | Loss of Containment: Incompletely submerged agitator impeller causes excessive forces on vessel wall and heads
Inherently Safer/Passive: • Locate underflow nozzle to maintain a minimum liquid level in the vessel • Agitator designed to run stably during filling and emptying (e.g., stiffer shaft, foot bearing)
Active: • Low level shutoff preventing further liquid withdrawal from vessel • Low level alarm with interlock to automatically shutdown the agitator
Procedural: • Instructions to stop agitation at predetermined level
45 | Loss of Containment: Corrosion from process fluid
Inherently Safer/Passive: • Use corrosion resistant materials of construction • Protective coatings and paints • Double walled tank design
Active: • Automatic addition of corrosion inhibitor
Procedural: • Corrosion coupons with periodic withdrawal and analysis • Regular thickness measurements (i.e., nondestructive testing) at key points • On-line corrosion analysis with alarm
46 | Loss of Containment: Subsidence of soil below vessel
Inherently Safer/Passive: • Design and construction of tank foundation (piling and soil compaction)
Procedural: • Respond to indication of tank subsidence
47 (T) | Loss of Containment: Frost heave (on cryogenic tanks)
Inherently Safer/Passive: • Design and construction of tank foundation (elevated pedestal) • Insulation between tank and foundation
Active: • Foundation heating system
48 | Loss of Containment: Open drain connections
Inherently Safer/Passive: • Eliminate bottom connections • Limit size of drain connections
Active: • Self-closing drain valves • Excess flow check valves
Procedural: • Operating/maintenance instructions to blind drains when not in use
49 | Loss of Containment: Loss of sealing fluid to vessel agitator resulting in seal failure and emission of flammable or toxic vapors
Inherently Safer/Passive: • Circulate vessel contents via external, seal-less pump • Use of double or tandem mechanical seal • Alternative design which does not use a sealed agitator (i.e., continuous reactor with static mixer)
Active: • Flammable and/or toxic vapor sensors interlocked with agitators
Procedural: • Operators to visually check reservoir levels on regular basis • Seal liquid reservoir to have low level sensor and alarm • Flammable and/or toxic vapor sensors • Operator emergency response to indications of a seal leak
50 | Loss of Containment (Floating Roof Tank): Floating roof sinks from snow or water on top of roof or corrosion of roof/pontoons
Inherently Safer/Passive: • Provide fixed roof to protect the floating roof • Double deck or pontoon floating roof • Corrosion-resistant material selection for floating roof
Procedural: • Operating procedures for periodic draining of roof • Periodic inspection and repair of pontoons • Emergency response procedures
51 | Loss of Containment (Floating Roof Tank): Fire following seal failure on external floating roof
Inherently Safer/Passive: • Use fixed roof tank • Double roof seal • Electrical bonding/grounding of roof and shell
Active: • Fire fighting foam system
52 | Loss of Containment (Underground Storage Tanks and Insulated Vessels): Corrosion from contaminated earth, moisture trapped between insulation and vessel walls, chemical contamination, or aggressive environment
Inherently Safer/Passive: • Protective coatings and paints • Cathodic protection • Use above-ground construction • Do not insulate tank • Locate below-ground vessel in secondary containment • Install weatherproof jackets to protect insulation from moisture, especially where chlorides may also be present
Procedural: • Corrosion coupons with periodic withdrawal and analysis • Regular thickness measurements at key points • Periodic leak detection
53 | Wrong Composition: Incorrect or unanticipated cross-connection
Inherently Safer/Passive: • Use of dedicated connections • Use of incompatible couplings • Physically separate points of connection of incompatible materials
Active: • Use of interlocks which prevent certain addition combinations
Procedural: • Operating instructions on the correct or permitted cross-connections between tanks and vessels • Isolate tanks and vessels via blinding and disconnection • Sample/analyze prior to transfer • Color coding and labeling of lines
54 | Wrong Composition: Leaking tank roofs or coils
Inherently Safer/Passive: • Indoor location (shielded from rain) • External heating/cooling with leak protection • Electrical heating instead of steam
Procedural: • Periodic analysis to detect the presence of water or other coil fluid in the stored material • Periodic draining of floating roof
55 | Wrong Composition: Change in feed composition
Inherently Safer/Passive: • Design for all possible feed variations
Active: • On-line analyzer with alarms and interlock
Procedural: • Intermittent sampling and analysis with instructions to cut off feed
56 | Wrong Composition: Incorrect inhibitor composition or concentration
Active: • Automatic control of inhibitor addition rate
Procedural: • Operating instructions to verify inhibition effectiveness periodically
57 | Less Agitation: Failure of agitator causing stratification of immiscible layers
Inherently Safer/Passive: • External, inline mixing of feeds before entering tank • Use of compatible/mutually soluble materials
Active: • Agitator monitor interlocked to stop feed stream • Automatic backup pump-around system
Procedural: • Manual activation of back-up pump-around system • Manual shut off of feed on detection of loss of agitation
4 REACTORS
4.1 INTRODUCTION
This chapter presents potential failure mechanisms for reactors and suggests design alternatives for reducing the risks associated with such failures. The types of reactors covered in this chapter include:
• Batch reactors
• Semi-batch reactors
• Continuous-flow stirred tank reactors (CSTR)
• Plug flow tubular reactors (PFR)
• Packed-bed reactors (continuous)
• Packed-tube reactors (continuous)
• Fluid-bed reactors
This chapter presents only those failure modes that are unique to reaction systems. Some of the generic failure scenarios pertaining to vessels and heat exchangers may also be applicable to reactors. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels, and Chapter 6, Heat Transfer Equipment. Unless specifically noted, the failure scenarios apply to more than one type of reactor.
4.2 PAST INCIDENTS
Reactors are a major source of serious process safety incidents. Several case histories are presented to reinforce the need for safe design and operating practices for reactors.
4.2.1 Seveso Runaway Reaction
On July 10, 1976 an incident occurred at a chemical plant in Seveso, Italy, which had far-reaching effects on the process safety regulations of many countries, especially in Europe. An atmospheric reactor containing an uncompleted batch of 2,4,5-trichlorophenol (TCP) was left for the weekend. Its temperature was 158°C, well below the temperature at which a runaway reaction could start (believed at the time to be 230°C, but possibly as low as 185°C). The reaction was carried out under vacuum, and the reactor was heated by steam in an external jacket, supplied by exhaust steam from a turbine at 190°C and a pressure of 12 bar gauge. The turbine was on reduced load, as various other plants were also shutting down for the weekend (as required by Italian law), and the temperature of the steam rose to about 300°C. There was a temperature gradient through the walls of the reactor (300°C on the outside and 160°C on the inside) below the liquid level because the temperature of the liquid in the reactor could not exceed its boiling point. Above the liquid level, the walls were at a temperature of 300°C throughout. When the steam was shut off and, 15 minutes later, the agitator was switched off, heat transferred from the hot wall above the liquid level to the top part of the liquid, which became hot enough for a runaway reaction to start. This resulted in a release of TCDD (dioxin), which killed a number of nearby animals, caused dermatitis (chloracne) in about 250 people, damaged vegetation near the site, and required the evacuation of about 600 people (Kletz 1994). Ed. Note: The lesson learned from this incident is that provision should have been made to limit the vessel wall temperature from reaching the known onset temperature at which a runaway could occur.
4.2.2 3,4-Dichloroaniline Autoclave Incident
In January 1976, a destructive runaway reaction occurred during the operation of a large batch hydrogenation reactor used in the production of 3,4-dichloroaniline. The process involved the hydrogenation of 3,4-dichloronitrobenzene (DCNB) under pressure in an agitated autoclave. The autoclave was first charged with DCNB and a catalyst and then purged with nitrogen to remove air. A hydrogen purge followed the nitrogen purge, after which steam was applied to the reactor jacket and the temperature raised to within 20°C of the reaction temperature before additional hydrogen was admitted through a sparger. The heat of reaction carried the temperature to the desired operating level. During the early stages, the rate of reaction was limited by the heat removal capacity of the autoclave cooling coil. This resulted in a relatively low autoclave pressure. Later, when the hydrogenation rate fell off, the autoclave pressure was allowed to increase. Based on field evidence and subsequent laboratory work the following conclusions were reached as to the cause of the incident (Tong 1977):
• The primary cause was a sudden pressure increase due to runaway reaction at about 260°C.
• The reaction mass reached runaway temperature due to the buildup and rapid exothermic disproportionation of an intermediate (3,4-diphenyhydroxylamine). The most likely trigger for this reaction was a 10°C increase in the reactor temperature set point (operator error).
Ed. Note: The lesson learned from this incident is that a study should have been made of exotherm potential and provision should have been made to limit the temperature set point, or an interlock provided to address this hazard. If possible, a larger operating temperature margin should have been employed.
4.2.3 Continuous Sulfonation Reaction Explosion
During the startup phase of a continuous system (3 CSTRs in series) for the sulfonation of an aromatic compound, a thermal explosion occurred in a pump and recirculation line. Although the incident damaged the plant and interrupted production, no personnel were injured. Investigation revealed that, while recirculation of the reaction mass was starting up, the pump and the line became plugged. This problem was corrected and line recirculation was restarted. Four hours later the explosion occurred, resulting in the blow-out of the pump seal, which was immediately followed by rupture of the recirculation line. Investigation further revealed that during pipe cleanout some insulation had been removed, leaving a portion of the line exposed and untraced. This condition apparently led to slow solidification of the reaction mass and a deadheaded pump. Calculations based on pump data indicated that a temperature of 6O0C above the processing temperature could be reached within 5 minutes after dead-heading occurred. Previous studies had determined that the rate of decomposition is considerable at this temperature and that the total heat of decomposition (500 kcal/kg) is large (Quinn 1984). 4.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS Table 4 presents information on equipment failure scenarios and associated design solutions specific to reactors. The table heading definitions are provided in Chapter 3, section 3.3.
4.4 DISCUSSION
4.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 4 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.
4.4.2 General Discussion
Reactors may be grouped into three main types: batch, semi-batch, and continuous. In a batch reactor, all the reactants and catalyst (if one is used) are charged to the reactor first and agitated, and the reaction is initiated, with heat being added or removed as needed. In a semi-batch reactor, one of the reactants is first charged to the reactor, catalyst is also charged and the reactor contents are agitated, after which the other reactants and possibly additional catalyst are added at a controlled feed rate, with heat being added or removed as needed. In a continuous reactor all the reactants and catalyst (if one is used) are fed simultaneously to the reactor, and the products, side products, unconverted reactants, and catalyst leave the reactor simultaneously. In some continuous reactors, the catalyst is held stationary, either in tubes or occupying the entire cross-section of the vessel. Batch and semi-batch reactors are used primarily where reaction rates are slow and require long residence times to achieve a reasonable conversion and yield. This often means large inventories and, if the contents are flammable, there is a potential for serious fires should a leak develop. Many of these reactors have agitators, and if there is an agitator failure (stoppage or loss of the impeller), some reactions can run away (Ventrone 1969; Lees 1996). Heat removal is also a concern for batch or semi-batch reactors conducting exothermic reactions. Since the external jacket may not be adequate to remove the heat of reaction, it may be necessary to install an internal cooling coil as well, or an external heat exchanger with recirculation of the reactor contents. These additional items of heat transfer equipment increase the potential for leakage problems and may lead to a runaway if the coolant leaks into the reactants. 
Continuous reactors are considered to be inherently safer than batch or semi-batch reactors as they usually have smaller inventories of flammable and/or toxic materials. Tubular reactors are generally used for gaseous reactions, but are also suitable for some liquid-phase reactions. Gas phase reactors generally have lower inventories than liquid-phase continuous reactors of equal volumes, and thus are usually inherently safer. Long, thin tubular reactors are safer than large batch reactors as the leak rate (should a leak occur) is limited by the cross-section area of the tube, and can be stopped by closing a remotely operated emergency isolation valve in the line (Kletz 1990). Continuous-flow stirred tank reactors (CSTR) are also considered to be inherently safer than batch reactors as they contain smaller amounts of flammable or toxic liquids. Since they are agitated, however, they have the same agitator failure hazard as batch reactors, and can experience runaways if this occurs. Exhibit 4.1 is a comparison of different types of reactors from the safety perspective (CCPS 1995).
EXHIBIT 4.1 Comparison of Different Reactor Types from the Safety Perspective
Plug Flow Reactor (PFR)
ADVANTAGES: • Low inventory • Stationary condition (steady state operation)
DISADVANTAGES: • Process dependency • Potential for hot spots • Agitation present only if in-line mixers are available • Difficult to design
Continuous-Flow Stirred Tank Reactor (CSTR)
ADVANTAGES: • Stationary condition (steady state operation) • Agitation provides safety tool
DISADVANTAGES: • Large inventory • Difficult to cool large mass • Difficult start-up and shutdown aspects • Precipitation problems • Low throughput rate
Batch
ADVANTAGES: • Agitation provides safety tool • Streams may be diluted to slow reaction
DISADVANTAGES: • Large exotherm difficult to control • Large inventory • All materials present
Semi-Batch
ADVANTAGES: • Controllable addition rate • Agitation provides safety tool • Large exotherm controllable
DISADVANTAGES: • Starting temperature is critical (if too low, reactants will accumulate) • Precipitation problems
4.4.3 Special Considerations
Table 4 contains numerous design solutions derived from a variety of sources and actual situations. This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.
Overpressure due to Loss of Agitation (3)
Runaway reactions are often caused by loss of agitation in stirred reactors (batch, semi-batch, and CSTR) due to motor failure, coupling failure, or loss of the impeller. Agitation can be monitored by measuring the amperage or power drawn by the agitator drive. Nevertheless, this has its drawbacks as the "measurement" of agitation takes place outside of the reactor, and sometimes, if the reactor contents are not viscous enough, the amperage or power draw will not detect that the agitator impeller has fallen off or corroded away. Wilmot and Leong (1976) present a method of detecting agitation inside a reactor, which will detect the loss of the impeller by using an internal flow switch. The flow switch, or a similar in-vessel detection device, can be interlocked to cut off feed or catalyst being added to a semi-batch reactor or CSTR. If agitation is critical to the operation of a batch, semi-batch, or CSTR reactor then an independent, uninterrupted power supply backup for the agitator motor should be provided. Alternatively, some degree of mixing can be provided by sparging the reactor liquid with inert gas. Failure of mechanical seals can act as a potential high-temperature source initiating vapor phase ignition. Agitator mechanical seal failure is often caused by a lack of seal fluid, and results in release of flammable or toxic vapors from the reactor. A dry mechanical seal is now available which can sometimes be used to replace the older type of mechanical seals which required a liquid seal fluid. Dry mechanical seals use a gas such as air or nitrogen to provide the sealing barrier. If a liquid seal fluid is used, monitoring of the agitator mechanical seal fluid supply reservoir should be implemented. 
Monitoring can be done automatically, by installing a low-level switch and alarm in the seal fluid reservoir to alert the operator, or by administrative means such as requiring the operator to check the reservoir level on a regular schedule (e.g., once per shift) and recording the level on a log sheet.
Overpressure due to Addition of Incorrect Reactant (5)
The addition of a wrong reactant can result in a runaway reaction. To minimize this error, the following measures can be taken:
• Provide dedicated feed tanks (for liquids) or feed hoppers (for solids) for batch reactors.
• Have two operators check the drums or bags of reactants before they are added, and then sign off on a log sheet.
• Properly color-code and label all process lines so the operators know what is in them.
If the risk of adding an incorrect reactant is still present, further protective measures can be implemented, such as providing a temperature sensor to monitor the reaction and shut off a valve in the feed line upon detection of an abnormal temperature rise or rate of temperature rise.
Overpressure due to Inactive/Semi-Active or Wrong Catalyst Addition (8)
The addition of a semi-active or wrong catalyst to a reactor may result in a runaway either in the reactor or in downstream equipment. If the catalyst is fed continuously or at a controlled rate to a semi-batch reactor, protection can be provided by installing a temperature sensor in the reactor, interlocked with an isolation valve in the reactant feed line, which will shut the valve when the sensor detects an abnormal temperature rise. The temperature sensor could also be interlocked with a valve to stop the catalyst feed. Administrative controls, such as procedures for verifying catalyst identity and activity, can also be applied.
Overpressure due to Monomer Emulsion Feed Breaking during Feed Leading to a Runaway Reaction (12)
In some semi-batch emulsion polymerization processes, a mixture of monomers emulsified in water is fed from an agitated storage tank to the reactor. If the monomer emulsion feed breaks into separate oil and water phases, the potential exists for a runaway reaction in the oil (bulk monomer) phase without the heat sink provided by the water. To guard against this, the monomer emulsion feed can be sampled to determine that it remains stable to separation for a predetermined period of time without agitation before the feed is begun.
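As an added illustration of the temperature and heat-balance interlocks described under items 5 and 8 above (and the "abnormal heat balance" entries in Table 4), the following example, which is not from the CCPS guidelines, infers the heat actually being released in a semi-batch reactor from measured temperatures, compares it with the heat the feed rate should be producing, and trips the feed both when reactant is accumulating unreacted (inactive or wrong catalyst, too cold a start) and when the release runs ahead of the feed or the temperature rises too fast (wrong or overactive reactant or catalyst). All reactor parameters, thresholds and readings are constructed values.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ReactorParams:
    mass_kg: float          # reaction mass, assumed constant over a window
    cp_kj_per_kg_k: float   # heat capacity of the reaction mass
    ua_kw_per_k: float      # jacket U*A, kW per K of driving force
    dh_kj_per_kg: float     # exotherm per kg of limiting reactant fed


@dataclass(frozen=True)
class Reading:
    t_s: float              # timestamp, seconds
    t_reactor_c: float      # measured reactor temperature, deg C
    t_jacket_c: float       # measured jacket (coolant) temperature, deg C
    feed_kg_per_s: float    # measured limiting-reactant feed rate


def released_heat_kw(p: ReactorParams, prev: Reading, cur: Reading) -> float:
    """Heat actually released in the vessel, inferred from the energy balance
    Q_rxn = m*cp*dT/dt + U*A*(T - T_jacket). kJ/s == kW."""
    dt = cur.t_s - prev.t_s
    if dt <= 0:
        raise ValueError("readings must be strictly increasing in time")
    dT_dt = (cur.t_reactor_c - prev.t_reactor_c) / dt
    sensible = p.mass_kg * p.cp_kj_per_kg_k * dT_dt
    to_jacket = p.ua_kw_per_k * (cur.t_reactor_c - cur.t_jacket_c)
    return sensible + to_jacket


def expected_heat_kw(p: ReactorParams, cur: Reading) -> float:
    """Heat the feed should release if it reacts as fast as it is fed."""
    return cur.feed_kg_per_s * p.dh_kj_per_kg


def classify(p: ReactorParams, prev: Reading, cur: Reading,
             low_ratio: float = 0.5, high_ratio: float = 1.5,
             max_rise_c_per_min: float = 2.0) -> Tuple[str, bool]:
    """Return (status, trip_feed).
    'accumulation': far less heat than the feed should give, so unreacted
        reactant is piling up; trip the feed before the backlog takes off.
    'runaway': more heat than the feed can explain, or the temperature is
        rising faster than the limit; trip the feed.
    'normal': heat release tracks the feed."""
    released = released_heat_kw(p, prev, cur)
    expected = expected_heat_kw(p, cur)
    rise_c_per_min = 60.0 * (cur.t_reactor_c - prev.t_reactor_c) / (cur.t_s - prev.t_s)
    if expected <= 0:
        # nothing being fed: only the rate-of-rise check is meaningful
        if rise_c_per_min > max_rise_c_per_min:
            return "runaway", True
        return "normal", False
    ratio = released / expected
    if rise_c_per_min > max_rise_c_per_min or ratio > high_ratio:
        return "runaway", True
    if ratio < low_ratio:
        return "accumulation", True
    return "normal", False


def evaluate(p: ReactorParams, readings: List[Reading]) -> List[Tuple[float, str, bool]]:
    """Classify each consecutive pair of readings; returns (time, status, trip)."""
    return [(cur.t_s, *classify(p, prev, cur))
            for prev, cur in zip(readings, readings[1:])]


# Constructed reactor: 5 t of mass, cp 2 kJ/kg/K, UA 10 kW/K, 1500 kJ/kg exotherm.
PARAMS = ReactorParams(mass_kg=5000.0, cp_kj_per_kg_k=2.0,
                       ua_kw_per_k=10.0, dh_kj_per_kg=1500.0)

# Constructed trend: feed started with the batch 20 degC too cold, so the
# 0.1 kg/s feed (150 kW expected) only shows 10 kW of release; the backlog
# then reacts all at once and the temperature climbs 6 degC in a minute.
ACCUMULATION_THEN_RUNAWAY = [
    Reading(0.0, 60.0, 59.0, 0.1),
    Reading(60.0, 60.0, 59.0, 0.1),
    Reading(120.0, 66.0, 59.0, 0.1),
]

if __name__ == "__main__":
    for t, status, trip in evaluate(PARAMS, ACCUMULATION_THEN_RUNAWAY):
        print(f"t={t:5.0f}s  {status:12s}  trip feed: {trip}")
```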
4.5 REFERENCES
CCPS 1995. Guidelines for Chemical Reactivity Evaluation and Application to Process Design. New York: American Institute of Chemical Engineers.
Kletz, T. A. 1990. Critical Aspects of Safety and Loss Prevention, p. 265. London: Butterworth & Co. Ltd.
Kletz, T. A. 1994. What Went Wrong: Case Histories of Process Plant Disasters. 3d ed., pp. 309-310. Houston, TX: Gulf Publishing Co.
Lees, F. P. 1996. Loss Prevention in the Process Industries. 2d ed. Woburn, MA: Butterworth Inc.
Quinn, M. E., Weir, E. D., and Hoppe, T. F. 1984. IChemE Symposium Series, no. 85: 31-39.
Tong, W. R., Seagrave, R. L., and Wiederhorn, R. 1977. Loss Prevention Manual. 11: 71-75. New York: American Institute of Chemical Engineers.
Ventrone, T. A. 1969. Loss Prevention Manual. Vol. 3, pp. 41-44. New York: American Institute of Chemical Engineers.
Wilmot, D. A. and Leong, A. P. 1976. Another Way to Detect Agitation. Loss Prevention Manual. Vol. 10, pp. 19-22. New York: American Institute of Chemical Engineers.
Suggested Additional Reading
CCPS 1993. Problem Set for Kinetics, Problem 16, Prepared for SACHE. New York: American Institute of Chemical Engineers.
CCPS 1995. Guidelines for Process Safety Fundamentals in General Plant Operations. New York: American Institute of Chemical Engineers.
Benuzzi, A., and Zaldivar, J. M. (eds.). 1991. Safety of Chemical Batch Reactors and Storage Tanks. Norwell, MA: Kluwer Academic Publishers.
Burton, J. and Rogers, R. 1996. Chemical Reaction Hazards, 2d ed. London, UK: Institution of Chemical Engineers.
DIERS 1994. Risk Considerations for Runaway Reactions. Design Institute of Emergency Relief Systems, New York: American Institute of Chemical Engineers.
Gygax, R. W. 1988. Chemical Reaction Engineering for Safety. Chemical Engineering Science. 43(8), 1759-1771.
Gygax, R. W. 1990. Scaleup Principles for Assessing Thermal Runaway Risks. Chemical Engineering Progress, February 1990, 53-60.
International Symposium on Runaway Reactions. 1989. Cooling Capacities of Stirred Vessel, Unstirred Container, Insulated Storage Tank, Uninsulated 1 cu meter Silo, Uninsulated 25 cu meter Silo: 65. Sponsored by CCPS, IChemE and AIChE, Cambridge, MA.
Maddison, N., and Rogers, R. L. 1994. Chemical Runaways: Incidents and Their Causes. Chemical Technology Europe, November/December, 28-31.
Noronha, J., Merry, J., Reid, W., and Schiffhauser, E. 1982. Deflagration Pressure Containment for Vessel Safety Design. Plant/Operations Progress, 1(1), 1-6.
Noronha, J., and Torres, A. 1990. Runaway Risk Approach Addressing Many Issues: Matching the Potential Consequences with Risk Reduction Methods. Proceedings of the 24th Loss Prevention Symposium, AIChE National Meeting, San Diego, CA.
Wier, E., Gravenstine, G. and Hoppe, T. 1986. Thermal Runaways: Problems with Agitation. Loss Prevention Symposium. Paper 830: 142.
TABLE 4. FAILURE SCENARIOS FOR REACTORS
Columns: No. | Operational Deviations | Failure Scenarios | Potential Design Solutions: Inherently Safer/Passive | Active | Procedural
Each item below is listed in that order: number, operational deviation, failure scenario, then one bulleted line each for the inherently safer/passive, active, and procedural design solutions.
1
Overpressure (Batch, Semibatch, and Plug Flow Reactors)
Overcharge of catalyst resulting in runaway reaction
• Use dedicated catalyst charge tank sized to hold only the amount of catalyst needed • Vessel design accommodating maximum expected pressure • Use different type of reactor
• Emergency relief device • Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison or shortstopping agent, or to an emergency containment area • Automatic addition of diluent, poison, or short-stopping agent directly to reactor • Limit quantity of catalyst added by flow totalizer
• Procedural controls on the amount or concentration of catalyst to be added • Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area • Manual addition of diluent, poison, or short-stopping agent directly to reactor • Intermediate location for preweighed catalyst charges
2
Overpressure (Batch and Semi-batch Reactors)
Addition of a reactant too rapidly resulting in runaway reaction
• Limit delivery capacity of feed system to within safe feed rate limitations (e.g., screw feeder for solids or flow orifice for liquids) • Vessel design accommodating maximum expected pressure • Select feed system pressure characteristic so that feed cannot continue at reactor overpressure • Use different type of reactor
• Temperature or pressure sensor interlocked to a shutoff valve in the feed line • Emergency relief device • Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison or shortstopping agent, or to an emergency containment area • Automatic addition of diluent, poison, or short-stopping agent directly to reactor • High flow shutdown alarm and interlock
• Manual addition of diluent, poison, or short-stopping agent directly to reactor • Manual shutdown on high flow alarm • Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area • Procedural controls on concentration of reactants
3
Overpressure (Batch, Semibatch and CSTR Reactors)
Loss of agitation resulting in runaway reaction or hot bearing/seals causing ignition of flammables in vapor space
• Vessel design accommodating maximum expected pressure • Use different type of reactor (plug flow) • Alternative agitation methods (e.g., external circulation eliminates shaft seal as a source of ignition in vapor space) • Provide nitrogen buffer zone around seal using enclosure around seal
• Agitator power consumption or rotation indication interlocked to cut off feed of reactants or catalyst or activate emergency cooling • In-vessel agitation (velocity) sensor with alarm • Uninterrupted power supply backup to motor • Mechanical seal fluid reservoir low level sensor with alarm • Emergency relief device • Speed or vibration sensor with alarm • Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison, or shortstopping agent, or to an emergency containment area • Inerting of vapor space • Automatic agitator trip on low agitation (velocity) sensor, low seal fluid, or low shaft speed
• Operators to visually check mechanical seal fluid on regular basis • Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area • Manual activation of inert gas sparging of reactor liquid to effect mixing
4
Overpressure (Batch and Semi-batch Reactors)
Overcharge or overfeed of reactant resulting in runaway reaction
• Use of dedicated reactant charge tank sized only to hold amount of reactant needed • Vessel design accommodating maximum expected pressure • Use of continuous reactor
• Emergency relief device • Reactant feed charge interlocked via feed totalizer or weight comparison in charge tank • Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison, or shortstopping agent, or to an emergency containment area • Automatic addition of diluent, poison, or short-stopping agent directly to reactor
• Manual feed charge shutdown via indication from feed totalizer or weight comparison in charge tank • Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
5 (T)
Overpressure
Addition of incorrect reactant resulting in runaway reaction
• Use of dedicated feed tank and reactor for production of one product • Vessel design accommodating maximum expected pressure • Elimination of cross-connections • Use of dedicated hoses and incompatible couplings for reactants where hose connections are used
• Emergency relief device • Automatic feed shutdown based on detection of unexpected reaction progress (i.e., abnormal heat balance)
• Procedures to shutdown feed based on indication of unexpected reaction progress • Procedure for double checking reactant identification and quality • Dedicated storage areas/ unloading facilities for reactants
6
Overpressure
Loss of cooling resulting in runaway reaction
• Vessel design accommodating maximum expected pressure • Use of large inventory of naturally circulating, boiling coolant to accommodate exotherm
• Low coolant flow or pressure or high reactor temperature to actuate secondary cooling medium via separate supply line (e.g., city water or fire water) • Automatic isolation of feed on detection of loss of cooling • Emergency relief device • Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison, or shortstopping agent, or to an emergency containment area (This approach may not be effective for systems such as polymerization reactions where there is a significant increase in viscosity.) • Automatic addition of diluent, poison, or short-stopping agent directly to reactor
• Manual activation of secondary cooling system • Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area • Manual addition of diluent, poison, or short-stopping agent directly to reactor
7
Overpressure
Overactive and/or wrong catalyst results in runaway reaction
• Vessel design accommodating maximum expected pressure • Use prediluted catalyst
• Emergency relief device • Automatic isolation of catalyst and/or feed based on detection of unexpected reaction rate (i.e., abnormal heat balance) • Pressure or temperature sensors actuating bottom discharge valve to drop batch into dump tank with diluent, poison, or shortstopping agent, or to an emergency containment area
• Passivate fresh catalyst prior to use • Procedures for testing and verification of catalyst activity and identification • Manual isolation of catalyst and/or feed based on detection of unexpected reaction rate • Manual addition of diluent, poison, or short-stopping agent directly to reactor
8 (T)
Overpressure
Inactive and/or wrong catalyst leading to delayed runaway reaction in reactor or downstream vessel
• Reactor or downstream vessel design accommodating maximum expected pressure
• Emergency relief device • Automatic isolation of catalyst and/or feed based on detection of unexpected reaction rate (i.e., abnormal heat balance)
• Procedures for testing and verification of catalyst activity and identification • Manual isolation of catalyst and/or feed based on detection of unexpected reaction rate
9
Overpressure
Underfeed of diluent resulting in insufficient heat sink
• Vessel design accommodating maximum expected pressure
• Automatic feed isolation on detection of low diluent addition • Automatic isolation of feed based on detection of unexpected reaction rate (i.e., abnormal heat balance)
• Manual feed isolation on detection of low diluent addition • Manual isolation of feed based on detection of unexpected heat balance
10
Overpressure (Batch & Semibatch)
Reactants added in incorrect order
• Vessel design accommodating maximum expected pressure
• Sequence control via programmable logic controller • Interlock shutdown of reactant addition based on detection of mis-sequencing • Automatic isolation of feed based on detection of unexpected reaction progress (i.e., abnormal heat balance)
• Manual isolation of feed based on detection of unexpected reaction progress • Manual isolation of feed based on indication of mis-sequencing
11
Overpressure
External fire initiates runaway reaction
• Fireproof insulation (reduced heat input) • Slope-away grading under reactor to remote spill collection • Locate reactor outside of fire affected zone
• Automatically activated fixed fire protection - water spray (deluge) and/or foam systems • Emergency relief device • Automatic reactor dump to dump tank with diluent, poison, or short stopping agent • Automatic injection of diluent poison or short-stopping agent into reactor
• Manual activation of fixed fire protection • Manual reactor dump to dump tank with diluent, poison or short-stopping agent • Manual injection of diluent, poison or short-stopping agent into reactor
12 (T)
Overpressure
Feed of monomer emulsion breaks into a separate oil phase on top of a water phase while being fed to the reactor leading to runaway reaction
• Vessel design accommodating the maximum pressure arising from run-away reaction of bulk (non-emulsified) monomer phase • Static mixer ahead of reactor
• Emergency relief device • Automatic feed shut-off or dumping on change of heat balance
• Operator samples the monomer emulsion feed and observes that sample is stable without agitation for a predetermined length of time before feed is begun • Manual feed shut-off or dumping on change of heat balance
13
Overpressure
High reactor temperature due to failure of heating system initiates runaway reaction
• Limit temperature of heating media • Vessel design accommodating maximum expected pressure
• Emergency relief device • Automatic depressuring • Automatic injection of inhibitor • Automatic isolation of heating media or feed • Emergency cooling
• Manual dumping of reactor contents • Manual injection of inhibitor • Manual isolation of heating media or feed
14
High Temperature (Continuous Packed Bed or Packed Tube Reactors)
Hot spot develops in catalyst exposing vessel wall to high temperature and potential mechanical failure or initiation of runaway reaction
• Use alternative reactor design (e.g., fluid bed) • Use multiple small diameter beds to reduce maldistribution • Minimize reactor head space volume to reduce residence time (partial oxidation reactors) and mitigate autoignition
• High temperature sensors interlocked to shut down reactor • Automatic depressuring based on detection of high bed temperatures or low flow • Automatic introduction of quench fluid into packed bed or tubes based on detection of high local temperature
• Manual shutdown of reactor upon detection of high temperature in bed • Monitoring of exterior wall temperature with infrared optical detection system • Manual depressuring based on detection of high bed temperature • Manual introduction of quench fluid into packed bed or tubes on detection of high local temperature • Procedures for packing tubes to ensure uniformity of catalyst filling
15
Reverse Flow
Reactor contents inadvertently admitted to upstream feed vessel resulting in runaway reaction
• Vessel design accommodating maximum expected pressure • Provide positive displacement feed pump instead of centrifugal pump • Elevate feed vessel above reactor with emergency relief device on reactor set below feed vessel minimum operating pressure
• Provide check valve(s) in feed line • Automatic closure of isolation valve(s) in feed line on detection of low or no flow, or reverse pressure differential in feed line • Emergency relief device on feed vessel or feed line
• Manual closure of isolation valve(s) in feed line on detection of low or no flow in feed line
16
Wrong Composition
Contamination from leakage of heating/cooling media or introduction of other foreign substances (e.g., corrosion)
• Use heat transfer fluid that does not react with process fluid • Vessel design accommodating maximum expected pressure • Use jacket rather than internal coil for heat transfer • Upgrade metallurgy or use resistant liner • Heat transfer loop pressure lower than process pressure
• Emergency relief device
• Periodic testing of process fluid for contamination • Procedures for leak/pressure testing of jacket, coil or heat exchanger prior to operation • Procedure for testing liner with continuity meter
17
Wrong Composition
Incomplete reaction due to insufficient residence time, low temperature, etc. leading to unexpected reaction in subsequent processing steps (in reactor or downstream vessel)
• Reactor or downstream vessel design accommodating maximum expected pressure
• Automatic feed isolation based on detection of low reactor temperature • Automatic feed isolation based on continuous on-line reactor composition monitoring
• Manual feed isolation based on detection of low reactor temperature • Manual feed isolation based on continuous on-line reactor composition monitoring or "grab" sampling
5 MASS TRANSFER EQUIPMENT
5.1 INTRODUCTION
This chapter presents potential failure mechanisms for mass transfer equipment and suggests design alternatives for reducing the risks associated with such failures. The types of mass transfer operations covered in this chapter include:
• Absorption
• Adsorption
• Extraction
• Distillation
• Scrubbing
• Stripping
• Washing
This chapter presents only those failure modes that are unique to mass transfer equipment. Many of the generic failure modes presented in Chapter 3 may also apply to vessels used for mass transfer. Mass transfer equipment failure may also result from disturbances in heat transfer processes in associated ancillary equipment. Refer to Chapter 6, Heat Transfer Equipment, for failures associated with heat transfer equipment. Unless specifically noted, the failure scenarios apply to more than one class of mass transfer equipment.
5.2 PAST INCIDENTS
This section describes past incidents that illustrate hazard scenarios involving mass transfer equipment.
5.2.1 Distillation Column Critical Concentration
In 1969 an explosion occurred in a butadiene recovery unit at Texas City. The location of the center of the explosion was found to be the lower tray section of the butadiene refining (final purification) column. The butadiene unit recovered byproduct butadiene from a crude C4 stream. The overhead of the refining column was a high-purity butadiene product. The heavy components of the feed stream, including vinylacetylene (VA), were removed as a bottoms product. The bottoms vinylacetylene concentration was normally maintained at about 35%. Explosibility tests had indicated that VA concentrations as high as 50% were stable at operating conditions. Highly concentrated VA decomposes rapidly on exposure to high temperature. When the butadiene unit was shut down to undertake necessary repairs, the refining column was placed on total reflux. The refining column explosion occurred approximately 9 hours after it was placed on total reflux. This operation had been performed many times in the past without incident. The operators did not observe anything unusual about this particular switch over to total reflux. Subsequent examination of the records indicated that the column had been slowly losing material through a closed but leaking valve in the column overhead line. As a result, reflux and reboiler steam flow continued to fall slowly throughout the shutdown period. Loss of butadiene through the leaking valve resulted in substantial changes in tray composition in the lower section of the column. The concentration of vinylacetylene in the tray liquid in the vicinity of the tenth tray apparently doubled to an estimated 60%. The loss of liquid level in the base of the column uncovered the reboiler tubes, allowing the tube wall temperature to approach the temperature of the steam supply. 
The combination of increased vinylacetylene concentration and high tube wall temperature led to the decomposition of VA and set the stage for the explosion that followed (Jarvis 1971; Freeman 1971; Keister 1971). See item 16 in Table 5 for potential design solutions.
5.2.2 Ethylene Purifier Vessel Rupture
Ethylene was purified in a bed containing 13X molecular sieve. The bed was regenerated using hydrogen-methane gas at 260°C, then flow purged with nitrogen. The temperature was allowed to drop to 170°C, then the bed was pressurized with nitrogen. Ethylene was then introduced into the bed, and nitrogen displaced. The temperature in the bed was not being measured, but a temperature sensor was located 20 inches above the bed. After 7 hours of operation (preloading) with the bed open to a line pressure of 280-295 psig, the bed temperature had dropped to 130°C. A small flow was then started off the top with ethylene going in at the bottom. The bed temperature rose to 180°C in 31^ hours and over the next 4 hours the flow was adjusted to maintain this temperature. Shortly afterwards the shell ruptured, creating a longitudinal % inch by 32 inch hole. The gas caught fire immediately and burned for 25 to 30 minutes. The fire was not controlled because high temperature prevented the inlet valves from being closed; all the gas up to the closed feed valve at the gas plant was burned. The principal cause of this incident was the failure to measure temperatures in the bed during regeneration and preloading with ethylene. Sieve 13X is a polymerization catalyst. Due to its large pore size, 13X also adsorbs ethylene and releases heat. The temperature measured above the bed gave no indication of the temperature anywhere within the bed, where these exothermic processes would occur. Even though the pressure of ethylene involved in this incident was unusually low (280 psig), evidently there was enough potential (via adsorption and polymerization) to generate the temperature required to cause thermal failure of the vessel. Had the bed temperature been comprehensively measured, any shortcomings in the purging and preloading procedures would have become apparent in time to take action. Such temperature measurement should be done via fast-acting thermocouples distributed throughout the bed and not via thermocouples mounted in heavy thermowells located near the walls, since the sieves are effective thermal insulators (Britton 1994). See items 8, 12 and 15 in Table 5 for potential design solutions.
5.2.3 Ignition of Pyrophoric Materials in Gasoline Fractionator
During a shutdown for maintenance, a gasoline fractionator in an olefins unit was readied for internal entry. After purging, the tower manways were removed and air ventilation begun. Shortly thereafter an exothermic process started in the packed section of the tower, resulting in severe overheating of the tower. The heat release rate grew so quickly that corrective action, such as applying cooling, was not effective in avoiding excessive temperature. The tower, which glowed a dull red during the incident, sustained extensive damage. Tower damage included buckled packing supports, fused packing, and visible distortion of the tower shell. The cause of the incident was determined to be the ignition of a pyrophoric material that accumulated during the fractionation process. This material was distributed over the large surface area of the tower packing, which promoted a high combustion rate upon contact with air. Such incidents have since been avoided by the performance of proper purging and washout procedures prior to opening the vessel. Note that spontaneous combustion can also occur with non-pyrophoric materials.
5.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS
Table 5 presents information on equipment failure scenarios and associated design solutions specific to mass transfer equipment. The table heading definitions are provided in Chapter 3, section 3.3.
5.4 DISCUSSION
5.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 5 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.
5.4.2 Special Considerations
This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.
Line Blockage by Internals (1)
During process upsets, the internals in mass transfer vessels may dislodge and be displaced into process lines where they create blockages. Such blockages can cause vessel pressure to increase, possibly to the relief device set pressure. Of particular concern is the possibility of internals lodging in the inlet piping of the relief device, thus impairing overpressure protection. This may result in a pressure condition that exceeds acceptable limits. The first level of protection is to design supports and hold down grids to withstand fluctuations in differential pressure. Screens can be installed to prevent large pieces of internals from entering lines. For packings that are susceptible to abrasion, duplex filters supplied with differential pressure indication can be employed. Pressure relief devices should be located upstream of potential blockage points. For example, the inlet to a pressure safety valve (PSV) should be placed below the mist eliminator in the top of a column if severe fouling of the mist eliminator is possible.
Packing/Tray Blockage (2)
Mass transfer equipment internals are susceptible to blockage due to process pressure and flow fluctuations of fouling material. When fouling conditions are encountered, a possible solution is to place chevron-type baffles or large-hole sieve trays where the most severe fouling is expected.
Hazards with Adsorbers (5, 7, 9, 11, 12, 13, 15)
Adsorption systems, such as dehydrators and purifiers, often require periodic regeneration with high temperature steam or gas. Should the process stream be reintroduced before the system is sufficiently cold, a hazardous situation could result. For example, an ignition hazard would exist if air containing organic vapor was prematurely introduced to a hot activated carbon bed. Another possibility is that an exothermic reaction will be initiated. The use of programmable logic controllers (PLC) for automatically switching adsorption beds into and out of regeneration can reduce the risk of human error, at the expense of control system complexity. When exothermic reaction potential exists, it is possible to generate high localized vessel wall temperatures. This can result in an effective maximum allowable working pressure (MAWP) for the vessel being lower than the set pressure of the pressure safety valve, with potential for vessel rupture. In such cases, some means to reduce vessel wall stress or quench the reaction is needed. Options include automatic emergency depressurization, injecting inert gas, or flooding with a compatible liquid.
5.5 REFERENCES
Britton, L.G. 1994. Loss Case Histories in Pressurized Ethylene Systems. Process Safety Progress, Vol. 13, No. 3.
Freeman, R.H. and McCready, M.P. 1971. Butadiene Explosion at Texas City-2, Plant Safety & Loss Prevention, Vol. 5.
Jarvis, H.C. 1971. Butadiene Explosion at Texas City-1, Plant Safety & Loss Prevention, Vol. 5.
Keister, R.G., et al. 1971. Butadiene Explosion at Texas City-3, Plant Safety & Loss Prevention, Vol. 5.
Suggested Additional Reading
Akell, R. B. 1981. Safety Aspects of Activated Carbon Technology, Chap. 10 in Activated Carbon for Wastewater Treatment, ed. J.R. Perrich. Boca Raton, FL: CRC Press, Inc.
TABLE 5. FAILURE SCENARIOS FOR MASS TRANSFER EQUIPMENT
Columns: No. | Operational Deviation | Failure Scenario, followed by the Potential Design Solutions (Inherently Safer/Passive; Active; Procedural). "(T)" follows the numbers of the scenarios discussed further in section 5.4.2.

1 (T) | Overpressure | Migration of internals into lines resulting in blockages
  Inherently Safer/Passive:
  • Design support grids and hold down grids to minimize internal migration
  • Vessel design accommodating maximum supply pressure
  • Large surface area screens to avoid entrance of internals into lines
  Active:
  • Emergency relief device (e.g., upstream of potential blockage point)
  • Differential pressure indication and automatic shutdown
  Procedural:
  • Differential pressure indication and manual shutdown with instructions to inspect vessel

2 (T) | Overpressure | Blockage of packing/trays leading to excessive pressure in column
  Inherently Safer/Passive:
  • Select and design internals to minimize blockage and fouling
  • Use of vessel without internals (e.g., spray tower)
  • Vessel design accommodating maximum supply pressure
  Active:
  • Emergency relief device upstream of potential blockage point
  • Automatic shutdown on high pressure
  Procedural:
  • Differential pressure indication and instructions to shut down and inspect vessel
  • On-line wash to eliminate fouling material

3 | Overpressure | Liquid/vapor decomposition initiated by high temperature resulting from loss of vacuum
  Inherently Safer/Passive:
  • Vessel design accommodating maximum expected pressure
  • Limit inventory of reactive materials
  • Limit heating medium temperature
  Active:
  • Emergency relief device near expected point of reaction
  • Automatic high temperature and/or pressure shutdown of heat input
  • Continuous injection of reaction inhibitor
  • Automatic isolation and purge of equipment with inert gas on loss of vacuum
  Procedural:
  • Operating instructions to periodically test for inhibitor concentration
  • Operating instructions to shut down on high temperature or high pressure

4 | Overpressure | Autoignition/deflagration of vapor caused by air leakage into equipment operating under vacuum
  Inherently Safer/Passive:
  • Vessel design accommodating maximum expected pressure
  Active:
  • Emergency relief device
  • Oxygen analyzer with automatic activation of inert gas addition on detection of high oxygen concentration
  Procedural:
  • Pressure check for leaks before start-up
  • Oxygen analyzer with alarm and manual activation of inert gas addition on detection of high oxygen concentration

5 (T) | Overpressure (adsorbers) | Process liquid reintroduced into improperly cooled adsorber and subsequent vaporization
  Inherently Safer/Passive:
  • Vessel design accommodating maximum expected pressure
  Active:
  • Emergency relief device
  • Interlock to isolate feed on detection of high bed temperature or pressure
  Procedural:
  • Proper procedures for reinstating process flow after regeneration and cooling
  • Manual isolation procedure on high temperature/pressure alarm

6 | Underpressure or Vacuum | Uncontrolled condensation/absorption of vapor phase component
  Inherently Safer/Passive:
  • Vessel design to accommodate maximum vacuum
  Active:
  • Use of blanketing gas pressure control system to minimize vacuum
  • Vacuum relief system
  Procedural:
  • Operating procedure for manual addition of vacuum breaking gas

7 (T) | High Temperature (adsorber) | Premature introduction of process stream containing air to hot adsorbent bed
  Inherently Safer/Passive:
  • Select adsorbent to minimize combustion potential
  Active:
  • Interlock to isolate feed on detection of high bed temperature
  • Automatic emergency depressuring and/or flooding/inerting on detection of high temperature
  Procedural:
  • Procedures for reinstituting process flow after regeneration
  • Manually isolate feed on detection of high bed temperature
  • Manual emergency depressuring and/or flooding/inerting on detection of high temperature

8 | High Temperature | Fire when exposing packing internals with flammable material to air during maintenance or by air leakage into equipment operating under vacuum
  Inherently Safer/Passive:
  • Use of nonstick internals (e.g., plastic packing)
  • Use vessel without internals (e.g., spray tower)
  Procedural:
  • Instructions for proper vessel wash-out/cooldown prior to opening
  • Procedures for maintenance under inert atmosphere if necessary

9 (T) | High Temperature (adsorbers) | Poor vapor flow distribution through adsorbers leads to hot spots and fire
  Inherently Safer/Passive:
  • Proper design of vessel distributors to avoid regions of flow maldistribution in the bed
  • Minimize adsorber cross sectional area
  Active:
  • Continuous monitoring of bed temperatures or CO at certain locations and interlock shutdown and/or inerting/flooding on high temperature
  Procedural:
  • Instructions to monitor bed temperature/CO and take appropriate action (e.g., inerting/flooding)

10 | High or Low Level (extractor) | Interfacial level control failure in liquid-liquid extractor resulting in carryover of unwanted material to downstream equipment
  Inherently Safer/Passive:
  • Control interface level via overflow leg or weir
  Active:
  • High/low interfacial level alarm with shutoff preventing further liquid withdrawal from vessel
  Procedural:
  • Manual vessel interfacial level control

11 (T) | Wrong Composition (carbon bed adsorber) | High concentration of flammables in the inlet stream to a carbon bed adsorber leading to deflagration
  Inherently Safer/Passive:
  • Vessel design to accommodate maximum expected pressure
  Active:
  • Automatic control of inlet stream outside flammable limits
  • Deflagration venting
  • Inerting of process stream
  • Automatic isolation of feed on detection of high flammable concentration
  Procedural:
  • Manual isolation on detection of high flammable concentration

12 (T) | Wrong Composition (adsorber) | Impurities in adsorbents catalyze decomposition/reaction of adsorbate
  Procedural:
  • Verification of adsorbent compatibility with process materials
  • Testing of adsorbents prior to loading into vessel
  • Bed high temperature alarms and instructions for operator response

13 (T) | Wrong Composition (carbon bed adsorber) | Low moisture content in activated carbon bed adsorber leads to fire
  Active:
  • Automatic steam injection to rehydrate bed prior to feed start
  • Automatic water deluge on detection of fire
  Procedural:
  • Verification of adsorbent moisture content prior to placing in service
  • Manual steam injection to rehydrate bed prior to feed startup
  • Manual water deluge on detection of fire

14 | Wrong Composition/Phase | Excessive vapor flow resulting in carryover of liquid to undesired location
  Inherently Safer/Passive:
  • Vessel design with proper vapor-liquid disengagement (e.g., low superficial vapor velocity)
  • Liquid removal via demister, cyclone or other device with open liquid discharge
  Active:
  • Removal of liquid from the vapor stream using, for example, knock out pots with automatic level control
  • Differential pressure indication and automatic reduction of vapor flow
  Procedural:
  • Differential pressure indication and instructions to reduce vapor flow

15 (T) | Wrong Composition (adsorber) | Failure to precondition adsorber bed before readmission of process stream resulting in high temperature
  Inherently Safer/Passive:
  • Select adsorbents to adsorb only trace contaminants and not carrier gas (e.g., olefin purification)
  Active:
  • Automatic preconditioning sequence prior to feed startup
  • Multi-point temperature monitoring with automatic shutdown of feed (for high pressure adsorbers)
  • CO monitoring with automatic shutdown (for carbon bed adsorbers)
  Procedural:
  • Procedures for preconditioning adsorber bed

16 | Wrong Composition (distillation columns) | Accumulation of reactive material in section of fractionator leads to rapid decomposition
  Inherently Safer/Passive:
  • Vessel design accommodating maximum expected pressure
  • Change in feedstock to avoid reactive material
  Active:
  • On-line measurement (e.g., level, temperature, composition) and automatic side draw-off of reactive material
  Procedural:
  • On-line measurement (e.g., level, temperature, composition) and manual removal of reactive material

17 | Wrong Composition | Insufficient or excessive fractionation leading to compositions outside of metallurgical limits (e.g., corrosion)
  Inherently Safer/Passive:
  • Select metallurgy suitable for worst case composition
  Active:
  • On-line measurement (e.g., corrosion probes, stream analysis, temperature) and automatic operating adjustment
  Procedural:
  • On-line measurement (e.g., corrosion probes, stream analysis, temperature) and manual operating adjustment
6 HEAT TRANSFER EQUIPMENT
6.1 INTRODUCTION
This chapter presents potential failure mechanisms for heat transfer equipment and suggests design alternatives for reducing the risks associated with such failures. The types of heat exchangers covered in this chapter include:
• Shell and tube exchangers
• Air cooled exchangers
• Direct contact exchangers
• Other types including helical, spiral, plate and frame, and carbon block exchangers
This chapter presents only those failure modes that are unique to heat transfer equipment. Some of the generic failure scenarios pertaining to vessels may also be applicable to heat transfer equipment. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels. Unless specifically noted, the failure scenarios apply to more than one class of heat transfer equipment.
6.2 PAST INCIDENTS
This section provides several case histories of incidents involving failure of heat transfer equipment to reinforce the need for the safe design practices presented in this chapter.
6.2.1 Ethylene Oxide Redistillation Column Explosion
In March 1991, an Ethylene Oxide (EO) redistillation column exploded at a Seadrift, Texas chemical facility. The explosion was caused by energetic decomposition of essentially pure EO vapor and liquid mist inside the column.
A set of extraordinary circumstances was found to have coincided, resulting in the catalytic initiation of decomposition in a localized region of a reboiler tube. Extensive investigation (Viera et al., 1993) showed that:
1. A low liquid level in the column, plus a coinciding temporary condensate backup and accumulation of inert gas in the reboiler shell, significantly diminished the EO liquid fraction leaving the reboiler. Nevertheless, sufficient heat transfer capacity remained to satisfy the vaporization rate required by the column controls, so operation appeared normal.
2. A localized imbalance resulted in some reboiler tubes losing thermosyphon action, so that the existing EO was essentially all vapor. Due to ongoing reaction with traces of water, high boiling glycols accumulated in the stalled tubes, increasing the boiling point while reducing the heat flux and resulting mass flow rate. This self-reinforcing process continued, leading to minimal EO vapor velocity through the stalled tubes. Since the vapor was no longer in equilibrium with boiling EO it could momentarily attain the 150°C temperature of the reboiler steam supply.
3. The insides of the reboiler tubes had collected a thin film of EO polymer containing percent-level amounts of catalytic iron oxides. This film had in numerous places peeled away from the tube wall, producing a catalytic surface of low heat capacity and negligible effect on mass flow rate. EO vapor heating was aided by the absence of liquid plus the small vapor velocity through the stalled tubes. These conditions led to a rapid rate of film heating which encouraged a fast disproportionation reaction of EO to predominate over slower polymerization reactions. The previously unknown fast reaction between EO vapor and supported high surface area iron oxide led to a hotspot and initiation of vapor decomposition. Once ignited, the EO decomposition flame spread rapidly through the column causing overpressurization.
6.2.2 Brittle Fracture of a Heat Exchanger
An olefin plant was being restarted after repair work had been completed. A leak developed on the inlet flange of one of the heat exchangers in the acetylene conversion preheat system. To eliminate the leak, the control valve supplying feed to the conversion system was shut off and the acetylene conversion preheat system was depressured. Despite the fact that the feed control valve was given a signal to close, the valve allowed a small flow. High liquid level in an upstream drum may have allowed liquid carryover which resulted in extremely low temperature upon depressurization to atmospheric pressure.
The heat exchanger that developed the leak was equipped with bypass and block valves to isolate the exchanger. After the leaking heat exchanger was bypassed, the acetylene conversion system was repressured and placed back in service. Shortly thereafter, the first exchanger in the feed stream to the acetylene converter system failed in a brittle manner, releasing a large volume of flammable gas. The subsequent fire and explosion resulted in two fatalities, seven serious burn cases, and major damage to the olefins unit. The acetylene converter pre-heater failed as a result of inadequate low-temperature resistance during the low temperature excursion caused by depressuring the acetylene converter system. The heat exchanger that failed was fabricated from ASTM A515 grade 70 carbon steel. After the accident, all process equipment in the plant which could potentially operate at less than 20°F was reviewed for suitable low-temperature toughness (Price 1989).
Ed. Note: It should have been recognized that upstream cryogenic conditions may have a deleterious effect on downstream equipment during normal and abnormal operations.
6.2.3 Cold Box Explosion
Ethylene plants utilize a series of heat exchangers to transfer heat between a number of low temperature plant streams and the plant refrigeration systems. This collection of heat exchangers is known collectively as the "cold box." In one operating ethylene plant, a heat exchanger in the cold box that handled a stream fed to the demethanizer column required periodic heating and backflushing with methane to prevent excessive pressure drop due to the accumulation of nitrogen-containing compounds. During a plant upset which resulted in the shutdown of the plant refrigeration compressors, the temperature of the cold box began to increase. During this temperature transient an explosion occurred which destroyed the cold box and disabled the ethylene plant for about 5 months. An estimated 20 tons of hydrocarbon escaped. Fortunately, the hydrocarbon did not ignite. An investigation revealed that the explosion was caused by the accumulation and subsequent violent decomposition of unstable organic compounds that formed at the low temperatures inside the cold box. The unstable "gums" were found to contain nitro and nitroso components on short hydrocarbon chains. The source of the nitrogen was identified as nitrogen oxides (NOx) present in a feed stream from a catalytic cracking unit. Operating upsets could have promoted unstable gums by permitting higher than normal concentrations of 1,3-butadiene and 1,3-cyclopentadiene to enter the cold box. To prevent NOx from entering the cold box, the feed stream from the catalytic cracking unit was isolated from the ethylene plant (Kohler 1991).
6.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS
Table 6 presents information on equipment failure scenarios and associated design solutions specific to heat transfer equipment. The table heading definitions are provided in Chapter 3, section 3.3.
6.4 DISCUSSION
6.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 6 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.
6.4.2 Special Considerations
This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.
Leak/Rupture of the Heat Transfer Surface (1-3)
This common failure scenario may result from corrosion, thermal stresses, or mechanical stresses of heat exchanger internals. The leak/rupture of tubes leads to contamination or overpressure of the low-pressure side. Failure to maintain separation between heat transfer and process fluids may lead to violent reaction in the heat transfer equipment or in the downstream processing equipment. To make the heat transfer process inherently safer, designers must look at possible interactions between heating/cooling fluids and process fluids. For relatively low-pressure equipment (<1000 psig), a complete failure of tubes may not be a credible overpressure scenario if the design pressure of the low-pressure side and associated equipment is greater than two-thirds of the design pressure of the high-pressure side (API RP 521 1993), or if the geometry of the tube layout is such that a complete break is not physically possible. For high-pressure equipment (>1000 psig), however, a complete failure should be considered credible, regardless of pressure differential. Double tube sheets or seal welding may be used for heat exchangers handling toxic chemicals. For heat transfer problems involving highly reactive/hazardous materials, a triple-wall heat exchanger may be used. This type of heat exchanger consists of three chambers and uses a neutral material to transfer heat between two highly reactive fluids. Alternatively two heat exchangers can be used with circulation of the neutral fluid between them.
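The two screening criteria in the paragraph above (the 1000 psig line, the two-thirds rule applied to the weakest item on the low-pressure side, and the geometry exception) can be written as a repeatable check. The following Python is an added illustration of the rule as this chapter summarizes it from API RP 521; it is not code from CCPS or API, and the exchanger tags, pressures and function names in it are constructed for this example.

```python
"""Screen exchangers for whether a complete tube rupture must be treated as a
credible overpressure scenario for the low-pressure side.

Added illustration of the screening rule as summarized in section 6.4.2
(citing API RP 521 1993); not code from CCPS or API. All exchanger records
below are constructed sample data, not from any real plant.
"""
from dataclasses import dataclass

HIGH_PRESSURE_SERVICE_PSIG = 1000.0  # above this, full tube failure is always credible
LOW_SIDE_FRACTION = 2.0 / 3.0         # LP design must exceed 2/3 of HP design to screen out


@dataclass(frozen=True)
class Exchanger:
    tag: str
    hp_design_psig: float             # design pressure of the high-pressure side
    lp_design_psig: tuple             # design pressures of the LP side and its associated equipment
    full_break_possible: bool = True  # False only if tube layout geometry precludes a complete break


def tube_rupture_credible(x: Exchanger) -> tuple:
    """Return (credible, reason) for a complete tube failure on exchanger x."""
    if x.hp_design_psig <= 0 or not x.lp_design_psig or min(x.lp_design_psig) <= 0:
        raise ValueError(f"{x.tag}: design pressures must be positive")
    if x.hp_design_psig > HIGH_PRESSURE_SERVICE_PSIG:
        # High-pressure service: credible regardless of the pressure differential.
        return True, "high-pressure side above 1000 psig; credible regardless of differential"
    if not x.full_break_possible:
        return False, "tube layout geometry makes a complete break physically impossible"
    # The weakest item on the low-pressure side (shell, piping, downstream drum),
    # not only the exchanger shell, sets the limit.
    weakest_lp = min(x.lp_design_psig)
    threshold = LOW_SIDE_FRACTION * x.hp_design_psig
    if weakest_lp > threshold:
        return False, (f"weakest LP design pressure {weakest_lp:.0f} psig exceeds two-thirds "
                       f"of HP design pressure ({threshold:.0f} psig)")
    # Equal to two-thirds is not "greater than", so it stays credible.
    return True, (f"weakest LP design pressure {weakest_lp:.0f} psig is not above two-thirds "
                  f"of HP design pressure ({threshold:.0f} psig); size relief for tube rupture")


def screen(exchangers) -> dict:
    """Map exchanger tag -> (credible, reason) for a collection of exchangers."""
    return {x.tag: tube_rupture_credible(x) for x in exchangers}


# Constructed sample data.
SAMPLE_EXCHANGERS = (
    Exchanger("E-101", hp_design_psig=600.0, lp_design_psig=(450.0, 420.0)),  # 420 > 400: screened out
    Exchanger("E-102", hp_design_psig=600.0, lp_design_psig=(450.0, 380.0)),  # downstream item at 380: credible
    Exchanger("E-103", hp_design_psig=1500.0, lp_design_psig=(1200.0,)),      # > 1000 psig: credible anyway
    Exchanger("E-104", hp_design_psig=900.0, lp_design_psig=(500.0,), full_break_possible=False),
)

if __name__ == "__main__":
    for tag, (credible, reason) in screen(SAMPLE_EXCHANGERS).items():
        print(f"{tag}: {'CREDIBLE' if credible else 'not credible'} - {reason}")
```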
There are known cases of cooling tower fires that have resulted from contamination of cooling water with hydrocarbons attributable to tube leakage. Gas detectors and separators may be installed on the cooling water return lines, or in the cooling tower exhaust (air) stream. Thermal stresses can be reduced by limiting the temperature differences between the inlet and outlet streams. In addition, alternate flow arrangements may be used to avoid high thermal stresses. Thermal cycling of heat transfer equipment should be kept to a minimum to reduce the likelihood of leaks and ruptures.
Fouling, or Accumulation of Noncondensable Gases (5)
It is desirable to design heat exchangers to resist fouling. Sufficient tube side velocity may reduce fouling. However, higher tube side velocities may also lead to erosion problems. In some cases fouling will cause higher tube wall temperatures, leading to overheating of reactive materials, loss of tube strength, or excessive differential thermal expansion. Accumulation of noncondensable gases can result in loss of heat transfer capability. Heat exchangers in condensing service may need a vent nozzle, or other means of removing noncondensable gases from the system.
External Fire (9)
Emergency relief devices are often sized for external fire. Heat transfer equipment, such as air coolers, present a unique challenge when it comes to sizing relief devices. These exchangers are designed with large heat transfer areas. This large surface area may result in very large heat input in case of external fire. Indeed, it may not be practical to install a relief device sized for external fire case due to large relief area requirements. Other mitigation measures, such as siting outside the potential fire zone or diking with sloped drainage, may be used to reduce the likelihood and magnitude of external fire impinging on the heat exchanger. Alternative heat exchanger designs may also be used to reduce the surface area presented to an external fire.
6.5 REFERENCES
API RP 521 1993. Guide for Pressure Relieving and Depressuring Systems. Washington D.C.: American Petroleum Institute.
Kohler, J. 1991. Cold Box Explosion at Shell Steam Cracker in Berre, France. Paper presented at AIChE Spring National Meeting, Houston, Texas.
Price, J. H. 1989. Personal communication to T.W. Carmody, Director CCPS.
Viera, G. A., L. L. Simpson and B. C. Ream 1993. Lessons Learned from the Ethylene Oxide Explosion at Seadrift, Texas, Chemical Engineering Progress, August 1993.
Suggested Additional Reading
CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
Kletz, T. A. 1994. Learning from Accidents, Oxford: Butterworth-Heinemann Ltd.
McCarthy, A. J., and Smith, B. R. 1994. Reboiler System Design—The Tricks of the Trade. Process Plant Safety Symposium, February 28-March 2, 1994, Houston, TX, ed. M. C. Cousins, Volume 1, 537-561. Houston, TX: South Texas Section of the American Institute of Chemical Engineers.
TABLE 6. FAILURE SCENARIOS FOR HEAT TRANSFER EQUIPMENT
Columns: No. | Operational Deviation | Failure Scenario, followed by the Potential Design Solutions (Inherently Safer/Passive; Active; Procedural). "(T)" follows the numbers of the scenarios discussed further in section 6.4.2.

1 (T) | Overpressure | Corrosion/erosion of exchanger internals resulting in a heat transfer surface leak or rupture and possible overpressure of the low pressure side
  Inherently Safer/Passive:
  • Double tube sheets
  • Seal welding of tubes to tubesheets
  • Open low pressure side return
  • Design changes to reduce erosion (e.g., lower velocities, inlet baffle)
  • Secondary heat transfer fluid
  • Design pressure of low pressure side equal to design pressure of high pressure side
  • Use of more corrosion resistant alloys
  • Use of less corrosive heat transfer media
  Active:
  • Emergency relief device on low pressure side
  Procedural:
  • Corrosion detection device (e.g., coupons)
  • Periodic inspection/analysis of low pressure fluid for high pressure fluid leakage

2 (T) | Overpressure (Shell and Tube Exchanger) | Differential thermal expansion/contraction between tubes and shell resulting in tube leak/rupture (Fixed Tubesheet)
  Inherently Safer/Passive:
  • U-tube exchanger design
  • Shell expansion joint or internal floating head
  • Design pressure of low pressure side equal to design pressure of high pressure side
  • Use of designs other than shell and tube (e.g., spiral, plate and frame)
  Active:
  • Emergency relief device on low pressure side
  • Automatic control of introduction of process fluids on start-up and shutdown
  Procedural:
  • Procedural control of introduction of process fluids on start-up and shutdown
  • Periodic inspection/analysis of low pressure fluid for high pressure fluid leakage

3 (T) | Overpressure (Shell and Tube Exchanger) | Excessive tube vibration resulting in tube leak/rupture and possible overpressure of the low pressure side
  Inherently Safer/Passive:
  • Mechanical design (e.g., proper baffle spacing) accommodating maximum anticipated inlet feed pressure/velocity
  • Design pressure of low pressure side equal to design pressure of high pressure side
  • Use of designs other than shell and tube (e.g., spiral, plate and frame)
  Active:
  • Emergency relief device on low pressure side
  Procedural:
  • Periodic inspection/analysis of low pressure fluid for high pressure fluid leakage

4 | Overpressure | Excessive heat input resulting in vaporization of the cold-side fluid (e.g., control system failure, cold-side blocked in)
  Inherently Safer/Passive:
  • Limit the temperature of the heating medium
  • Design pressure of cold-side fluid equal to maximum expected pressure
  Active:
  • Emergency relief device
  • High temperature indication with alarm and interlock which isolates the heating medium
  Procedural:
  • Manual control of heating medium based on temperature indication

5 (T) | Overpressure (Condensing Side) | Loss of heat transfer due to fouling, accumulation of noncondensables, or loss of cooling medium
  Inherently Safer/Passive:
  • Design exchanger for suitable velocity to minimize fouling
  • Heat exchanger design less prone to fouling (e.g., direct contact)
  • Provide additional surface area in air cooler to transfer heat via natural convection
  • Continuous open venting of noncondensables
  • Design for maximum expected pressure
  Active:
  • Emergency relief device
  • Back-up cooling medium supply with automatic switch-over
  • Automatic tempering of cooling medium temperature to avoid low tube wall temperature resulting in solids deposition
  • Automatic venting of noncondensables
  • Automatic isolation of input flow on detection of high vent temperature
  Procedural:
  • Manual adjustment of cooling medium tempering
  • Periodic exchanger cleaning
  • Manual venting on high pressure indication
  • Manual activation of backup cooling
  • Manual isolation of input flow on detection of high vent temperature

6 | Overpressure (air heated exchanger) | Ambient temperature increase resulting in higher vaporization rate in air heated exchanger
  Inherently Safer/Passive:
  • Mechanical design accommodating maximum pressure/temperature
  • Use heating medium other than air
  Active:
  • Emergency relief device
  • Automatic adjustment of vaporization pressure to control vaporization rate
  Procedural:
  • Manual adjustment of vaporization pressure

7 | Overpressure | Cold-side fluid blocked in while heating medium continues to flow
  Inherently Safer/Passive:
  • Open cold side return
  Active:
  • Thermal relief device
  • Interlock to isolate heating medium upon detection of no flow on cold-side
  Procedural:
  • Procedural controls on block valve closing
  • Manual isolation of heating medium on indication of no flow on cold side

8 | Underpressure (air cooled exchanger) | Excessive heat transfer rate due to ambient temperature drop or rain
  Inherently Safer/Passive:
  • Mechanical design to accommodate minimum expected temperature and pressure
  • Use of alternative heat exchanger designs
  Active:
  • Automatic vacuum breaking system
  • Automatic air inlet temperature control via air preheating with steam or air recirculation
  Procedural:
  • Manual vacuum breaking
  • Manual adjustment of air inlet temperature

9 (T) | High Temperature | External fire
  Inherently Safer/Passive:
  • Use alternate heat exchanger design to minimize impact of external fire
  • Fireproof insulation (limits heat input)
  • Slope-away drainage with remote impounding of spills
  • Locate outside fire affected zone
  • Use cellular glass insulation to avoid insulation fires
  Active:
  • Fixed fire protection water spray (deluge) and/or foam systems activated by flammable gas, flame, and/or smoke detection devices
  • Emergency relief device
  Procedural:
  • Emergency response plan
  • Manual activation of fixed fire protection water spray (deluge) and/or foam systems

10 | High Temperature (on tube surface) | Loss of mechanical integrity of tube
  Inherently Safer/Passive:
  • Mechanical design to accommodate maximum expected temperature and pressure
  • Design exchanger for suitable velocity to minimize fouling
  • Use of heating medium with a maximum temperature that is limited to exchanger design temperature
  Active:
  • Use of exchanger design less sensitive to fouling (e.g., scraped surface exchanger)
  • Automatic control of heating medium temperature
  Procedural:
  • High temperature indication with alarm
  • Manual control of heating medium temperature
  • Periodic inspection

11 | Low Temperature (air cooled exchanger) | Low ambient temperature causes fluid freezing and tube rupture
  Inherently Safer/Passive:
  • Select different type of exchanger to minimize or eliminate consequences of freezing
  Active:
  • Provide air inlet temperature control via air preheating with steam or air recirculation
  • Provide air flow control (e.g., variable pitch fans)
  Procedural:
  • Manual adjustment of air temperature or flow

12 | Wrong Composition | Mixing of fluids resulting in exothermic reactions, phase changes, and/or fluid system contamination due to corrosion/erosion, vibration or differential thermal expansion
  Inherently Safer/Passive:
  • Select heat transfer media which are chemically compatible with process materials
  • Mechanical design to accommodate maximum expected temperature and pressure of a possible exothermic reaction
  • Intermediate heat transfer fluid system
  • Double tubesheet design
  • Seal weld tubes to tubesheets
  Active:
  • Emergency relief device
  • Downstream fluid analyzers with concentration alarms interlocked with automatic shutdown
  Procedural:
  • Downstream fluid analyzers with concentration alarms
  • Periodic sampling and analysis of fluids

13 | Loss of Containment (air cooled exchanger) | Vibration/fan failure and tube rupture due to impact with fan blade
  Inherently Safer/Passive:
  • Use of alternative heat exchanger designs
  Active:
  • Vibration monitoring with automatic fan shutdown
  Procedural:
  • Manual fan shutdown on indication of excessive vibration

14 | Loss of Containment (Scraped Surface) | Scraper punctures heat transfer surface due to misalignment or entrance of foreign objects
  Inherently Safer/Passive:
  • Screens at entrance of heat exchanger to remove foreign objects
  • Use of alternative exchanger designs
  Active:
  • Automatic shutdown of motor on high amperage or power
  Procedural:
  • Manual shutdown of motor on high amperage or power

15 | Loss of Containment (Plate and Frame) | Fire exposure causes gasket failure
  Inherently Safer/Passive:
  • Use of alternative exchanger design
  • Locate exchanger outside fire affected zone
  • Use fire resistant (metal jacketed) gaskets
  • Use of welded plate design
  • Provide splash shields around exchanger
  Active:
  • Automatic fire extinguishing system
  Procedural:
  • Emergency response procedures
  • Manual activation of fire extinguishing system

16 | Loss of Containment (Carbon Block) | Fire exposure causes combustion and failure of exchanger
  Inherently Safer/Passive:
  • Use of alternative exchanger design
  • Locate exchanger outside fire affected zone
  Active:
  • Automatic fire extinguishing system
  Procedural:
  • Emergency response procedures
  • Manual activation of fire extinguishing system
7 DRYERS
7.1 INTRODUCTION
This chapter presents potential failure mechanisms for dryers and drying systems, and suggests design alternatives for reducing the risks associated with such failures. The types of equipment covered in this chapter include:
• Spray dryers
• Tray dryers
• Fluid bed dryers
• Conveying (flash, mechanical, and pneumatic) dryers
• Rotary dryers
This chapter presents only those failure modes that are unique to dryers. Some of the generic failure scenarios pertaining to vessels and heat transfer equipment may also be applicable to dryers. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels and Chapter 6, Heat Transfer Equipment. Also, since drying equipment is often associated with solid-fluid separators and solids handling and processing equipment, refer to Chapters 9 and 10 for additional information. Unless specifically noted, the failure scenarios apply to more than one class of dryers.
7.2 PAST INCIDENTS
This section presents three case histories involving fires and explosions (deflagrations) to reinforce the need for safe design and operating practices for dryers and drying systems.
7.2.1 Drying of Compound Fertilizers
A fire and explosion occurred in a dryer handling a blended fertilizer that contained single and triple superphosphates and a mixture of nitrogen-phosphorus-potassium fertilizers. The blend was prone to self-sustained decomposition, and began decomposing while passing through the dryer. When the temperature of the blend rose to about 130°C, the operator intervened and shut down the dryer. Subsequently, a rapid exothermic reaction occurred within the dryer which resulted in a fire and explosion. One person was killed and 18 were injured (Drogaris 1993). See item 1 in Table 7 for potential design solutions.
Ed. Note: A prior study of exotherm potential might have led to safer operating limits.
7.2.2 Fires in Cellulose Acetate Dryer
A continuous belt dryer used to dry cellulose acetate powder had experienced repeated small internal fires over a two-year period. After performing a basket (self-heating) test to determine if exothermic behavior was present under various solids depths, investigators discovered that an exotherm was initiated at 223°C under process conditions. Because the dryer was heated with 100 psig steam (saturation temperature of 172°C), it was initially thought that this exothermic behavior was not the cause of the fires. Further examination revealed that the 100 psig steam at this particular location was superheated to 235°C, well above the exotherm initiation temperature. After a steam desuperheater was installed immediately upstream of the dryer, the fire problem disappeared. See item 19 in Table 7 for potential design solutions.
7.2.3 Pharmaceutical Powder Dryer Fire and Explosion
An operator had tested dryer samples on a number of occasions. After the last sampling, he closed the manhole cover, put the dryer under vacuum, and started rotation of the dryer. A few minutes later an explosion and flash fire occurred, which self-extinguished. No one was injured. Investigations revealed that after the last sampling, the dryer manhole cover had not been securely fastened. This allowed the vacuum within the dryer to draw air into the rotating dryer and create a flammable mixture. The ignition source was probably an electrostatic discharge (the Teflon coating on the internal lining of the dryer could have built up a charge). No nitrogen inerting had been used (Drogaris 1993). After this incident, the following precautions were instituted to prevent similar incidents from occurring in the future:
• Nitrogen purging is carried out before charging or sampling of the dryer.
• If the absolute pressure rises to about 4 psia, the rotation stops, an alarm sounds, and a nitrogen purge starts automatically.
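The two precautions above, written out as an added worked example (not code from the CCPS guidelines or from the plant involved): a loss-of-vacuum interlock and a charging/sampling permissive for a rotating vacuum dryer. The 4 psia trip is the setpoint quoted in the text; the oxygen threshold used to confirm a purge, the pressure trend fed through the logic, and all function names are assumptions made for this example.

```python
"""Loss-of-vacuum interlock for a rotating vacuum dryer.

Added example, not code from the CCPS guidelines. It encodes the two
precautions listed after the pharmaceutical dryer incident (section 7.2.3):
nitrogen purge before any charging/sampling, and, if absolute pressure rises
to about 4 psia during operation, stop rotation, alarm and start a nitrogen
purge. The 4 psia setpoint is the one stated in the text; the oxygen level
used to verify a purge is an assumed example value.
"""
from dataclasses import dataclass, field

VACUUM_LOSS_TRIP_PSIA = 4.0   # from the incident write-up
PURGE_OK_MAX_O2_PCT = 5.0     # assumed example value for "purge complete"


@dataclass
class DryerState:
    rotating: bool = False
    purging: bool = False
    purge_verified: bool = False          # set once O2 measured below threshold
    alarms: list = field(default_factory=list)


def verify_purge(state, o2_pct):
    """Record whether an inert purge has brought O2 down to a safe level."""
    state.purge_verified = o2_pct <= PURGE_OK_MAX_O2_PCT
    return state.purge_verified


def permit_manway_open(state):
    """Charging/sampling permissive (precaution 1): the manhole may be opened
    only with rotation stopped and a verified nitrogen purge."""
    return (not state.rotating) and state.purge_verified


def start_rotation(state, pressure_psia):
    """Start permissive: the dryer must actually be under vacuum before the
    powder is tumbled."""
    if pressure_psia >= VACUUM_LOSS_TRIP_PSIA:
        state.alarms.append("start refused: dryer not under vacuum")
        return False
    state.rotating = True
    return True


def on_pressure_reading(state, pressure_psia):
    """Run once per pressure sample; returns the actions taken (precaution 2).

    A rise to the trip point while rotating means air is leaking in, as it
    did through the unfastened manhole in the incident: stop rotation so the
    tumbling powder cannot keep charging electrostatically, alarm, and inert.
    """
    actions = []
    if state.rotating and pressure_psia >= VACUUM_LOSS_TRIP_PSIA:
        state.rotating = False
        actions.append("stop rotation")
        state.alarms.append(f"loss of vacuum: {pressure_psia:.1f} psia")
        actions.append("alarm")
        if not state.purging:
            state.purging = True
            actions.append("start nitrogen purge")
        state.purge_verified = False   # atmosphere no longer known to be inert
    return actions


def run_trend(readings):
    """Feed a sequence of pressure samples (psia) through the interlock and
    return the final state plus a log of (pressure, actions) events."""
    state = DryerState()
    verify_purge(state, 2.0)           # purge verified before manway work
    start_rotation(state, readings[0])
    log = []
    for p in readings:
        acts = on_pressure_reading(state, p)
        if acts:
            log.append((p, acts))
    return state, log


if __name__ == "__main__":
    # Constructed pressure trend: normal vacuum, then a leak lets the
    # absolute pressure climb past the trip point.
    trend = [1.0, 1.1, 1.2, 2.5, 3.9, 4.2, 5.0]
    state, log = run_trend(trend)
    for p, acts in log:
        print(f"{p:4.1f} psia -> {', '.join(acts)}")
    print("rotating:", state.rotating, "purging:", state.purging)
```

Only the first sample at or above the trip point generates actions; later samples find the dryer already stopped and purging, so the interlock does not re-trigger. The purge-verified flag is cleared on a trip so that a manway permissive cannot be granted on the strength of a purge performed before the air ingress.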
7.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS
Table 7 presents information on equipment failure scenarios and associated design solutions specific to dryers. The table heading definitions are provided in Chapter 3, section 3.3.
7.4 DISCUSSION
7.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 7 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.
7.4.2 Special Considerations
Table 7 contains numerous design solutions derived from a variety of sources and actual situations. This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.
Buildup and Autoignition of Deposits in Dryers/Ductwork (1)
Some dryers and drying systems (including ductwork and associated equipment such as cyclones, dust collectors, etc.) are prone to accumulation of deposits on dryer walls and ductwork. Solids often accumulate on spray devices at the top of dryers, where the highest dryer temperature is often experienced. Frequent cleaning and monitoring may be required to ensure that these deposits do not overheat and autoignite. Tests should be conducted to evaluate the hazards of dust deposit ignitability. The characteristics of materials deposited on walls or other surfaces may change over time when the materials are exposed to high temperatures or other process conditions.
Electrostatic Hazards (3, 14, 15)
Electrostatic sparks are a common cause of dust and flammable vapor deflagrations. Dryers and drying systems that can generate electrostatic charges must be properly bonded and grounded to drain off these charges and minimize the possibility of deflagrations. Inerting is often needed to prevent the occurrence of a deflagration.
Hybrid Mixtures (11)
Many drying operations involve the evaporation of a flammable solvent from a combustible powder. This combination of a flammable vapor and combustible powder fines (dust) is called a hybrid mixture. Hybrid mixtures represent a greater explosion hazard than that presented by the combustible dust alone. This increased hazard is characterized by the following:
1. The hybrid mixture may explode more severely than a dust-air mixture alone, i.e., the maximum pressure and maximum rate of pressure rise may be greater, even if the vapor concentration is below its lower explosive limit (LEL).
2. The minimum ignition energy of hybrid mixtures is usually lower than that of the dust-air mixture alone.
3. The minimum explosible concentration (MEC) of a dust is reduced by the presence of a flammable vapor even if the latter is below its LEL. Measurable effects are observed as low as 20% of the vapor LEL.
Decomposition of Process Materials (19, 20, 22)
Many powders are thermally sensitive and may decompose at high temperature, resulting in an overpressure or fire. Some dried materials, such as sodium hydrosulfite, may also exothermically decompose when exposed to water. It is very important to determine whether organic powders are thermally unstable and, if so, to test them for thermal stability to establish a safe operating temperature for the drying operation. The potential for decomposition will depend on the characteristics of the solid, including depth, composition, temperature, duration of exposure, and dryness.
7.5 REFERENCES
Drogaris, G. 1993. Major Accident Reporting System: Lessons Learned from Accidents Notified. Amsterdam: Elsevier Science Publishers B.V.
Suggested Additional Reading
Abbot, J. 1990. Prevention of Fires and Explosions in Dryers—A User Guide. 2d ed. London: The Institution of Chemical Engineers.
Bartknecht, W. 1989. Dust Explosions: Course, Prevention, Protection. New York: Springer-Verlag.
Chatrathi, K. 1991. How to Safely Handle Explosible Dust—Part I. Powder and Bulk Engineering, January 1991: 22-28.
Chatrathi, K. 1991. How to Safely Handle Explosible Dust—Part II. Powder and Bulk Engineering, February 1991: 12-18.
Ebadat, V. 1994. Testing to Assess Your Powder's Fire and Explosion Hazards. Powder and Bulk Engineering, January 1994: 19-26.
Garcia, H., and Guarici, D. 1995. How to Protect Your Drying Process from Explosions. Powder and Bulk Engineering, April 1995: 53-64.
Gibson, N., Harper, D. J., and Rogers, R. L. 1985. Evaluation of the Fire and Explosion Risk in Drying Powders. Plant/Operations Progress 4: 181-189.
Narayan, S. B., and Majumdar, A. A. 1987. Fire and Explosion Hazards in Drying Plants. Ch. 28 in Handbook of Industrial Drying. New York: Marcel Dekker, Inc.
Palmer, K. N. 1973. Dust Explosions and Fires. London: Chapman and Hall Ltd.
Palmer, K. N. 1990. Dust Explosions: Initiations, Characteristics, and Protection. Chemical Engineering Progress, March 1990: 24-32.
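The two screening rules from section 7.4.2 above, hybrid mixtures (item 11) and thermal decomposition (items 19, 20, 22), as an added worked example that is not code from the CCPS guidelines or from any vendor. It applies the 20%-of-LEL figure stated in the hybrid mixture discussion and the heating-medium-versus-exotherm-onset comparison that the cellulose acetate case (section 7.2.2) turned on. The 50°C design margin, the dust and vapor data, and the function names are assumptions made for the example; the temperatures in the demonstration are those quoted in section 7.2.2.

```python
"""Dryer hazard screening for hybrid mixtures (item 11) and thermal
decomposition (items 19, 20, 22).

Added example; not code from the CCPS guidelines. Two rules from section
7.4.2 are applied: (a) a flammable vapor at or above 20% of its LEL measurably
lowers the dust's minimum explosible concentration (MEC) and ignition energy,
so the dust is treated as explosible even below its air-only MEC; (b) the
heating medium must stay below the powder's exotherm onset temperature found
by thermal stability testing. The 50 degC design margin and the material
data used in main() are assumed example values.
"""
HYBRID_VAPOR_FRACTION_OF_LEL = 0.20   # section 7.4.2: effects seen at 20% of vapor LEL
ONSET_MARGIN_C = 50.0                 # assumed design margin below exotherm onset


def classify_atmosphere(dust_g_m3, dust_mec_g_m3, vapor_pct, vapor_lel_pct):
    """Classify the dryer atmosphere as 'lean', 'dust-explosible', 'hybrid'
    or 'vapor-flammable'.

    'hybrid' means the vapor is below its own LEL but at or above the 20%
    level at which it enhances the dust hazard; the dust is then treated as
    explosible whatever its concentration relative to the air-only MEC.
    """
    if vapor_pct >= vapor_lel_pct:
        return "vapor-flammable"
    if vapor_pct >= HYBRID_VAPOR_FRACTION_OF_LEL * vapor_lel_pct:
        return "hybrid"
    if dust_g_m3 >= dust_mec_g_m3:
        return "dust-explosible"
    return "lean"


def heating_medium_ok(medium_temp_c, exotherm_onset_c, margin_c=ONSET_MARGIN_C):
    """True when the hottest surface the powder can contact stays the design
    margin below the exotherm onset found by basket (self-heating) testing.
    An unknown onset (None) fails: the powder has not been tested."""
    if exotherm_onset_c is None:
        return False
    return medium_temp_c <= exotherm_onset_c - margin_c


def screen_dryer(spec):
    """Return a list of findings for one dryer service (a dict with the keys
    used below); an empty list means no finding."""
    findings = []
    atm = classify_atmosphere(spec["dust_g_m3"], spec["dust_mec_g_m3"],
                              spec["vapor_pct"], spec["vapor_lel_pct"])
    if atm == "hybrid":
        findings.append("hybrid mixture: treat dust as explosible below its MEC; "
                        "inert or keep vapor below 20% LEL")
    elif atm != "lean":
        findings.append(f"{atm} atmosphere: inerting or explosion protection required")
    if spec["exotherm_onset_c"] is None:
        findings.append("thermal stability not tested: establish exotherm onset before drying")
    elif not heating_medium_ok(spec["medium_temp_c"], spec["exotherm_onset_c"]):
        findings.append(f"heating medium {spec['medium_temp_c']:.0f} degC exceeds "
                        f"onset {spec['exotherm_onset_c']:.0f} degC minus margin")
    return findings


if __name__ == "__main__":
    # Constructed cases. The temperatures mirror the cellulose acetate belt
    # dryer of section 7.2.2: 223 degC onset, 235 degC superheated steam
    # before the desuperheater, 172 degC saturated steam after it.
    superheated = dict(dust_g_m3=30.0, dust_mec_g_m3=60.0, vapor_pct=0.0,
                       vapor_lel_pct=2.0, medium_temp_c=235.0, exotherm_onset_c=223.0)
    desuperheated = dict(superheated, medium_temp_c=172.0)
    solvent_wet = dict(desuperheated, vapor_pct=0.5)   # 25% of a 2.0% LEL
    for name, spec in [("superheated", superheated), ("desuperheated", desuperheated),
                       ("solvent-wet", solvent_wet)]:
        print(name, "->", screen_dryer(spec) or ["no findings"])
```

The third case is the one the hybrid mixture rule exists for: dust below its air-only MEC and solvent vapor at only a quarter of its LEL would each pass a single-component check, yet together they are flagged.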
TABLE 7. FAILURE SCENARIOS FOR DRYERS
Columns: No. | Operational Deviations | Failure Scenarios | Potential Design Solutions (Inherently Safer/Passive, Active, Procedural). Items marked (T) are those cross-referenced in the discussion of section 7.4.2.
1 (T). Overpressure
Failure Scenario: Buildup and autoignition of deposits in dryers and ductwork resulting in fire/explosion
Inherently Safer/Passive:
• Dryer design which minimizes buildup of deposits (smooth surfaces, elimination of potential points of solids accumulation)
• Use dryer with short residence time (e.g., flash dryer)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
• Deflagration venting
• Deflagration suppression system
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• Periodic inspection and cleaning
• Emergency response procedures
• Procedure to process most stable materials first when campaigning multiple products to avoid ignition of unstable materials
• Procedure for determining maximum tolerable material accumulation
• Manual activation of fire fighting/inerting system
2. Overpressure
Failure Scenario: Ignition of condensing flammable vapor in ductwork resulting in fire/explosion
Inherently Safer/Passive:
• Dryer design to prevent condensation in ductwork
• Provision for drainage of ducts (e.g., sloped, low point drains)
• Eliminate ignition sources within the ductwork
• Eliminate flammables
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Ventilation system to keep flammable concentration below lower flammable limit
• Deflagration vents
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• On-line flammable gas detection and manual activation of CO2 total flooding system
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
3 (T). Overpressure
Failure Scenario: Ignition of deposits in ductwork due to static discharge resulting in fire/explosion
Inherently Safer/Passive:
• Dryer design which minimizes buildup of deposits (smooth surfaces, elimination of potential points of solids accumulation)
• Grounding/bonding
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
• Deflagration vents
• Deflagration suppression system
• Automatic isolation of associated equipment via quick closing valves
• Automatic activation of fire fighting/inerting system
Procedural:
• Good housekeeping
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
4. Overpressure
Failure Scenario: Ignition of deposits in ductwork due to sparks from electrical equipment or mechanical sources such as motors, switches, wiring, fans, bearings, conveyor chains resulting in fire/explosion
Inherently Safer/Passive:
• Dryer design which minimizes buildup of deposits (smooth surfaces, elimination of potential points of solids accumulation)
• Use of electrical equipment with the correct classification to reduce the probability of ignition
• Selection of appropriate electrical area equipment
• Use of non-sparking equipment
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
• Deflagration vents
• Deflagration suppression system
• Automatic isolation of associated equipment via quick closing valves
• Automatic shutdown on vibration alarm
Procedural:
• Good housekeeping
• Vibration monitoring of rotating equipment
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
5. Overpressure
Failure Scenario: Inadequate ventilation due to obstructions or closed dampers leading to creation of flammable atmosphere and subsequent ignition resulting in fire/explosion
Inherently Safer/Passive:
• Eliminate flammables
• Design dampers so that system will handle the minimum safe ventilation rate at maximum damper throttling
• Provide damper mechanical position stop to prevent complete closure of damper
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Ventilation system to keep flammable concentration below lower flammable limit
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
• Automatic feed trip on loss of ventilation or high concentration of flammable vapor
Procedural:
• Manual feed trip on loss of ventilation
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
6. Overpressure (conveyor dryer)
Failure Scenario: Increase in conveyor speed causing excessive generation of solvent vapors from the feed and subsequent ignition resulting in fire/explosion
Inherently Safer/Passive:
• Ventilation system designed to handle the maximum solvent evaporation rate
• Eliminate flammable solvent (e.g., water based)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Ventilation system flow rate interlocked with the conveyor speed
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Use of inert atmosphere
• Deflagration suppression system
• Automatic isolation of associated equipment via quick closing valves
• Conveyor speed control with high alarm and shutdown
Procedural:
• Operator response to indication of higher conveyor speed
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
7. Overpressure
Failure Scenario: Excessive solvent load on ventilation system due to feed supply variations causing buildup of flammables with subsequent ignition resulting in fire/explosion
Inherently Safer/Passive:
• Ventilation system designed to handle the maximum solvent load
• Eliminate flammable solvent (e.g., use water based solvents)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Ventilation system flow rate interlocked with the feed flow rate
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Provide upstream surge capacity to equalize composition
• Automatic isolation of associated equipment via quick closing valves
• Automatic control of feed rate
Procedural:
• Operator response to indication of higher feed rate
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
8. Overpressure
Failure Scenario: Batch operation resulting in a high peak evaporation rate of flammable solvent causing buildup of flammables with subsequent ignition leading to fire or explosion
Inherently Safer/Passive:
• Ventilation system designed to handle the peak solvent evaporation rate
• Dryer designs where natural circulation is sufficient to keep solvent concentration at a safe level
• Use continuous or semicontinuous dryer design
• Eliminate flammable solvent (e.g., water based)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• Startup and normal operating procedures which allow for the unsteady evaporation rates during batch operations
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
9. Overpressure
Failure Scenario: Inadequate circulation in dryers causing accumulation of flammable pockets with subsequent ignition leading to fire or explosion
Inherently Safer/Passive:
• Dryer designs where natural circulation is sufficient to prevent accumulation of flammables
• Eliminate flammable solvent (e.g., water based)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
• Automatic shutdown on detection of low circulating flow
Procedural:
• Manual dryer shutdown on low circulation
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
10. Overpressure
Failure Scenario: Shutdown of fans/ventilation system immediately following shutdown of heat input resulting in hot spots and flammable pockets with subsequent ignition resulting in fire or explosion
Inherently Safer/Passive:
• Dryer designs where natural circulation is sufficient to prevent accumulation of flammables and/or creation of hot spots
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Postventilation interlocks keep fans running for a sufficient time after shutdown of heating
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• Shutdown procedures to maintain fans running for a sufficient time after shutdown of heating
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
11 (T). Overpressure (Spray Dryer)
Failure Scenario: Excessive atomization in nozzle leading to production of fine powder, and possibility of a dust/hybrid explosion
Inherently Safer/Passive:
• Use alternate type of dryer
• Design dryer to contain overpressure where practical
• Inlet temperature of heating medium should be sufficiently below the minimum ignition temperature
• Eliminate flammable solvent
• Permanent bonding and grounding
Active:
• Pressure control to regulate the nozzle pressure
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
• Automatic sprinkler system/CO2 total flooding system
Procedural:
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
12. Overpressure
Failure Scenario: Manifolding of ventilation exhaust ducts of several dryers leading to spread of fire or deflagration from one location to the next
Inherently Safer/Passive:
• Use dedicated exhaust ducts
• Design dryer and ductwork to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic isolation via quick closing valves of manifold duct system on detection of fire/flammable atmosphere in duct system
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Vent individual dryers through conservation vents to prevent back flow
• Install flame arresters in dryer vents
Procedural:
• Operator action to isolate various ducts on detection of fire/flammable atmosphere
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding
13. Overpressure
Failure Scenario: Attrition of solids resulting in particle size reduction and subsequent dust explosion
Inherently Safer/Passive:
• Select alternate dryer design which reduces attrition rate
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Use inert atmosphere
• Automatic sprinkler system/CO2 total flooding system
• Deflagration venting
• Deflagration suppression system
Procedural:
• Operating conditions to keep particle size out of explosive range
• Manual bonding and grounding
14 (T). Overpressure (Double-Cone Tumbling Dryer, Glass-Lined)
Failure Scenario: Deflagration due to ignition of flammable dust/vapor caused by an electrostatic spark (vessel is nonconductive due to glass lining)
Inherently Safer/Passive:
• Use alternative dryer design
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Use of inert atmosphere
• Automatic shutdown on high outlet temperature
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• Manual bonding and grounding
15 (T). Overpressure (Fluid Bed Dryer)
Failure Scenario: Deflagration due to ignition of flammable dust/vapors above the bed caused by an electrostatic spark
Inherently Safer/Passive:
• Permanent grounding and bonding
• Design dryer to contain overpressure where practical
Active:
• Deflagration vents
• Deflagration suppression
• Use nitrogen as fluidizing gas in a closed loop system
• Automatic isolation of associated equipment via quick closing valves
• Use of inert atmosphere
Procedural:
• Manual grounding and bonding for portable units
16. Underpressure
Failure Scenario: Sudden loss of heating medium with vapor condensation resulting in partial vacuum
Inherently Safer/Passive:
• Dryer design for minimum expected pressure
Active:
• Automatic vacuum relief system on detection of low pressure
• Inert gas injection
Procedural:
• Procedure to limit rate of temperature decrease in dryer
17. High Temperature
Failure Scenario: Ignition of surrounding combustibles (including fugitive emissions from the dryer) caused by high surface temperature in dryers and ductwork resulting in fire
Inherently Safer/Passive:
• Limit temperature of the dryer to below the safe temperature limit of surrounding materials
• Insulation of external dryer surfaces to reduce surface temperature to a safe limit
• Maintain proper clearances between hot surfaces and combustible materials
Active:
• Automatic fixed fire protection systems
• Fines removal from exit gas (bag filters)
Procedural:
• Operator action in response to observing high surface temperatures
• Good housekeeping
• Emergency response procedures
• Manual activation of fire fighting/inerting system
18. High Temperature
Failure Scenario: Ignition of combustible material used in the construction of dryer in the event of a high temperature excursion resulting in fire
Inherently Safer/Passive:
• Dryer design which does not use combustible materials of construction
• Use of heating medium which automatically limits the temperature exposure of dryer internals
Active:
• Automatic control of dryer temperature
• High temperature alarms and shutdown systems
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
Procedural:
• Operator action in response to observing high dryer temperature and/or high temperature alarm
• Emergency response procedures
• Manual activation of fire fighting/inerting system
19 (T). High Temperature
Failure Scenario: Decomposition of process material caused by exposure to high temperature resulting in a fire/explosion
Inherently Safer/Passive:
• Use of heating medium which automatically limits the temperature to which the feed is exposed
• Alternative dryer design limiting feed inventory
• Design dryer to minimize internal accumulation of product
Active:
• Automatic control of dryer temperature
• High temperature alarms and shutdown systems
• Use of inert atmosphere
• Automatic heating medium temperature control (e.g., steam desuperheating)
• Automatic sprinkler system/CO2 total flooding system
Procedural:
• Operator action in response to observing high dryer temperature and/or high temperature alarm
• Emergency response procedures
• Manual activation of fire fighting/inerting system
20 (T). High Temperature
Failure Scenario: Decomposition of process material caused by low feed rate to dryer resulting in a fire/explosion
Inherently Safer/Passive:
• Use of heating medium which automatically limits the temperature to which the feed is exposed
• Alternative dryer design
Active:
• Automatic control of heat input to dryer based on feed flow rate
• High temperature alarms and shutdown systems
• Use of inert atmosphere
• Automatic sprinkler system/CO2 total flooding system
• Automatic control of feed rate
Procedural:
• Operator action in response to observing high temperature and low feed rate
• Emergency response procedures
• Manual activation of fire fighting/inerting system
21. High Temperature
Failure Scenario: Introduction of flammable liquid into dryer via lube oil leakage from damaged bearing/seal and subsequent ignition resulting in a fire/explosion
Inherently Safer/Passive:
• Double mechanical seals
• Use dryer with no mechanical seals
Active:
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
Procedural:
• Periodic bearing and seal inspection
• Manual activation of fire fighting/inerting system
22 (T). High Temperature
Failure Scenario: Decomposition of heat sensitive process material due to heat generated from mechanical input (i.e., plugging of rotary feeders, paddle dryers, screw conveyors)
Inherently Safer/Passive:
• Use dryer component types which minimize mechanical heat input
• Alternative dryer design
• Use nonflammable/high flash point lubricants
Active:
• Provide torque limiting devices (i.e., shear pins) for mechanical components
• Deflagration venting
• Deflagration suppression system
Procedural:
• Provide high and low torque alarms for mechanical devices
• Manual response to lube oil reservoir low level alarm
8 FLUID TRANSFER EQUIPMENT
8.1 INTRODUCTION
This chapter presents potential failure mechanisms for fluid transfer systems and suggests design alternatives for reducing the risks associated with such failures. The types of fluid transfer equipment covered in this chapter include:
• Blowers
• Pumps
• Compressors
This chapter presents only those failure modes that are unique to fluid transfer systems. Some of the generic failure scenarios pertaining to vessels may also be applicable to fluid transfer systems. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels. Unless specifically noted, the failure scenarios apply to more than one class of fluid transfer systems.
8.2 PAST INCIDENTS
This section provides several case histories of incidents involving failure of fluid transfer systems to reinforce the need for the safe design practices presented in this chapter.
8.2.1 Reciprocating Pump Leak
A high-pressure reciprocating pump, originally used for pumping heavy hydrocarbons, was put into service to pump propylene in an unventilated building. A leak occurred from the gland due to failure by fatigue of the studs holding the gland in position. The escaping liquid vaporized and was ignited by a furnace 76 meters away. Four men were badly burned and the glass windows on the buildings were broken. The failure was attributed to the fact that plant management had not implemented effective management of change procedures. As a result of the deflagration, gas detectors and remote isolation capability were provided. Also, the pump was moved to an open building where small leaks would be dispersed by natural ventilation.
8.2.2 Pump Leak Fire
In November 1990 a fire occurred at a flammable liquid tank farm supporting Denver's Stapleton International Airport. Eight of the farm's twelve storage tanks contained jet fuel, totaling almost 4.2 million gallons. The fire burned for 55 hours, destroying seven tanks. Investigators concluded that a damaged pump in a valve pit near the storage tanks may have caused the initial leak and also may have ignited the fuel. In addition, the investigators concluded that a pipe simultaneously cracked, thus releasing fuel into the fire area. The subsequent fire fed on the fuel collecting in the pit and spewing from the two leaks, and impinged on piping and related equipment in the valve pit. As this fire continued to burn, flange gaskets deteriorated, causing more leaks and allowing more fuel to flow out of the storage tanks. The growing fire encroached on two storage tanks adjacent to the valve pit. Approximately 12 hours into the incident, a friction coupling parted, allowing fuel from one storage tank to suddenly increase the fire size. The fire spread to an impounding area and involved two more fuel tanks. The following changes to the tank farm site would have mitigated the outcome of this incident:
• Increased distance between the tanks and the pumping/valve area
• Increased tank-to-tank separation
• Installation of internal excess flow or fail-safe remotely operated valves for tanks at locations where piping connects
• Provisions for the removal of fuel in the event the storage tanks' primary discharge means becomes inoperable
• Simple and recognizable means for fire fighters to shut off fuel flow into the facility
• Increased structural support for piping
8.2.3 Compressor Fire and Explosion
An ethylene leak occurred in a high-pressure pipe joint in an enclosed, unventilated ground floor area underneath a compressor house. The escaping ethylene ignited and four men were killed. The source of ignition was never established with certainty, but may have been faulty or misapplied electrical equipment. The welding on the joint that leaked was also faulty. After the incident, the following recommendations were made:
• Surround the compressors and associated equipment with a steam curtain to hinder leaks from reaching a source of ignition
• Install flammable gas detectors to detect leaks promptly
• Install remotely operated valves so that leaking compressors can be isolated and depressured from a safe distance
• Locate the compressors in an open-sided building so that small leaks can be dispersed by natural ventilation
8.2.4 Start-up of Parallel Centrifugal Pumps
Parallel high-head centrifugal pumps were used to transfer an organic acid stream approximately 1.5 miles from a distillation facility to another manufacturing unit in the same complex. Because both the distillation unit and the destination manufacturing unit had significant inventory capacity, switching from primary to spare pump was not automated, since timing was not critical and short breaks in service were tolerable. After one such changeover, the pump taken off-line was not properly isolated and drained. Consequently, when the spare pump was started, the off-line pump immediately saw full discharge pressure on its seal, which caused the off-line pump seal to fail, spilling about 500 gallons of material into a contained area until the pump could be shut off.
Ed. Note: (1) Adding a check valve in the discharge line of each pump might have prevented the problem from occurring. (2) The seal should have been suitable for pump maximum discharge pressure.
8.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS
Table 8 presents information on equipment failure scenarios and associated design solutions specific to fluid transfer equipment. The table heading definitions are provided in Chapter 3, section 3.3.
8.4 DISCUSSION
8.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 8 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.
8.4.2 Special Considerations
This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.
Deadheading (1)
Pump and compressor systems should be designed to minimize the probability of deadheading. Deadheading a pump may result in high temperature, high pressure, or both. This situation is especially dangerous if the fluid being transferred is shock sensitive or prone to exothermic decomposition. Because deadheading of a positive displacement pump or compressor can lead to a buildup of very high pressures, a means must be provided to protect against overpressure.
Cavitation/Surging (8, 9)
Cavitation in pumps can cause severe damage to the pump impeller and seals, resulting in loss of containment. Cavitation problems usually can be avoided by designing the pump so that the net positive suction head (NPSH) requirement is met. Compressor surge may lead to excessive vibration, high bearing temperatures, and extensive mechanical damage. This risk can be managed by providing automatic anti-surge systems and vibration monitoring systems. Reverse Flow through Pumps/Compressors (10, 11)
There are various pump/compressor configurations that may result in the backflow of fluid through the machine. In a parallel configuration, where two or more machines discharge fluid to a common line, the fluid may backflow through the machine that is not in operation. Procedures for isolating standby machines help to prevent this problem. In addition, check valves placed on the discharge will reduce the probability of backflow through idle or tripped machines. Additional backflow protection via automatic isolation valves may be warranted in fouling service or where the consequence of backflow is severe (API RP 521 1990). Loss of Containment—Seal Leaks (13)
Seal leaks are a major source of concern, especially when handling toxic or flammable materials. Centrifugal pumps with double mechanical seals, dia-
phragm pumps, and various types of sealless pumps may be used for highly hazardous duty. For a review of the advantages and disadvantages of various types of sealless pumps, refer to Newby and Forth 1991. Consideration should be given to eliminating pumps and compressors, and transferring fluid via gravity flow or differential pressure, where possible. See Grossel 1990 for more details.
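The active-layer protections discussed above and listed in Table 8 (high pressure, low flow and high temperature shutdown interlocks against deadheading and cavitation, and the idle parallel machine that sees header pressure through a missing check valve, as in the incident in Section 8.2) can be written out as one scan of interlock logic. The following Python is an added illustration prepared for this edition; it is not CCPS code and not any vendor's control system. The `PumpReading`/`PumpLimits` names, the setpoints, the fail-safe treatment of a lost transmitter signal, and the rule of thumb in `diagnose` (deadheading drives discharge pressure toward shutoff head, suction starvation lets it fall) are assumptions made for the example.

```python
"""Pump protection interlock evaluator.

Added illustration (not CCPS code): one scan of the active-layer trips
from Table 8 items 1, 8 and 10.  All setpoints, sensor names and the
fail-safe handling of a lost signal are assumed values for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PumpReading:
    running: bool
    discharge_pressure: Optional[float]  # psig;  None = transmitter signal lost
    flow: Optional[float]                # gpm;   None = transmitter signal lost
    bearing_temp: Optional[float]        # deg C; None = transmitter signal lost


@dataclass
class PumpLimits:
    max_discharge_pressure: float  # shutdown setpoint, below seal/casing rating
    min_flow: float                # below this the pump is deadheaded or starved
    max_bearing_temp: float
    idle_seal_rating: float        # pressure an idle, un-isolated pump seal can hold
    low_pressure_fraction: float = 0.5  # fraction of max pressure treated as "low"


# Assumed setpoints for a hypothetical high-head transfer pump.
LIMITS = PumpLimits(max_discharge_pressure=175.0, min_flow=40.0,
                    max_bearing_temp=90.0, idle_seal_rating=100.0)


@dataclass
class Decision:
    trip: bool = False
    reasons: List[str] = field(default_factory=list)  # shutdown causes
    alarms: List[str] = field(default_factory=list)   # operator attention only


def evaluate_pump(r: PumpReading, lim: PumpLimits = LIMITS) -> Decision:
    """Evaluate one scan of readings; returns trip decision and alarms."""
    d = Decision()
    if r.running:
        # Fail-safe: a lost signal on a running machine counts as a trip,
        # because the interlock can no longer show the pump is within limits.
        signals = (("discharge pressure", r.discharge_pressure),
                   ("flow", r.flow),
                   ("bearing temperature", r.bearing_temp))
        for name, val in signals:
            if val is None:
                d.reasons.append(f"{name} signal lost")
        if r.discharge_pressure is not None and r.discharge_pressure > lim.max_discharge_pressure:
            d.reasons.append("high discharge pressure")
        if r.flow is not None and r.flow < lim.min_flow:
            d.reasons.append("low flow")
        if r.bearing_temp is not None and r.bearing_temp > lim.max_bearing_temp:
            d.reasons.append("high bearing temperature")
        d.trip = bool(d.reasons)
    elif r.discharge_pressure is not None and r.discharge_pressure > lim.idle_seal_rating:
        # Idle parallel machine exposed to header pressure (the Section 8.2
        # seal failure).  Nothing to stop, so it is an isolation alarm.
        d.alarms.append("idle pump exposed to header pressure above seal rating; "
                        "verify discharge check valve / isolation")
    return d


def diagnose(r: PumpReading, lim: PumpLimits = LIMITS) -> str:
    """Assumed rule of thumb separating the two low-flow causes in Table 8:
    deadheading raises discharge pressure toward shutoff head, while
    cavitation / suction starvation lets it fall."""
    if not r.running or r.flow is None or r.discharge_pressure is None:
        return "unknown"
    if r.flow >= lim.min_flow:
        return "normal"
    if r.discharge_pressure >= lim.max_discharge_pressure * lim.low_pressure_fraction:
        return "deadhead"
    return "suction starvation"
```

The evaluator separates trips (which stop the machine) from alarms (which call for operator action), mirroring the Active and Procedural columns of Table 8; the `diagnose` helper is only an aid for the operator, since the trip itself acts on the measured values without waiting for a cause to be identified.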
8.5 REFERENCES
API RP 521 1990. Guide for Pressure Relieving and Depressuring Systems. Washington, DC: American Petroleum Institute.
Grossel, S. S. 1990. Highly Toxic Liquids—Moving Them Around the Plant. Part 1. Chemical Engineering, 97(4).
Newby, T. and Forth, D. 1991. Glandless Pumps and Valves—A Technical Update. The Institution of Chemical Engineers Symposium Series, 124. Institution of Chemical Engineers.
Suggested Additional Reading
Bloch, H. P., Cameron, J. A., James, Jr., R., Swearinger, J. S., and Weightman, M. E. 1982. Compressors and Expanders. New York: Marcel Dekker, Inc.
CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
Eierman, R. B. 1995. Improving Inherent Safety with Sealless Pumps. Proceedings of the 29th Annual Loss Prevention Symposium, July 31–August 2, 1995, Boston, MA, ed. E. D. Wixom and R. P. Benedetti, Paper Ie. New York: American Institute of Chemical Engineers.
Kletz, T. A. 1993. Lessons from Disaster. Houston, TX: Gulf Publishing Company.
Kletz, T. A. 1994. Learning from Accidents. Oxford: Butterworth-Heinemann Ltd.
Reynolds, J. A. 1989. Canned Motor and Magnetic Drive Pumps. Chemical Processing, no. 12.
TABLE 8. FAILURE SCENARIOS FOR FLUID TRANSFER EQUIPMENT
Columns: No. | Operational Deviations | Failure Scenarios | Potential Design Solutions (Inherently Safer/Passive; Active; Procedural)

Item 1 (T). Operational Deviation: Overpressure
Failure Scenario: Failure of control or closure of downstream block valve, or failure to remove blind, or plugged outlet which deadheads pump/compressor resulting in possible overpressure and/or excessive temperature
Inherently Safer/Passive:
• Minimum flow recirculation line to ensure a minimum flow through the machine (flow controlled by orifice)
• Downstream piping specified to withstand deadhead pressure
Active:
• High temperature shutdown interlock
• High pressure shutdown interlock
• Low flow or power shutdown interlock
• Emergency relief device
• Minimum flow recirculation line (flow automatically controlled)
Procedural:
• Operator action in response to high temperature, pressure and/or low flow indication
• Procedural controls to avoid deadheading pump/compressor

Item 2. Operational Deviation: Overpressure
Failure Scenario: Pump/compressor used for higher than design density fluid service, especially during startup and upset conditions
Inherently Safer/Passive:
• Design for maximum expected pressure
Active:
• Emergency relief device
• Automatic pump/compressor shutdown on high discharge pressure detection
Procedural:
• Operator action in response to high pressure indication

Item 3. Operational Deviation: Overpressure (blower or compressor)
Failure Scenario: Leakage on suction side of blower/compressor pulls air into system creating a flammable atmosphere
Inherently Safer/Passive:
• Positive pressure throughout system
Active:
• Automatic oxygen monitoring interlocked to blower and/or isolation valves on high oxygen measurement
• Inerting or gas enrichment system
• Automatic pressure control which limits rate of oxygen infiltration or negative pressure
• Flame arresters
• Explosion suppression systems
Procedural:
• Leak test suction system prior to start-up

Item 4. Operational Deviation: Overpressure
Failure Scenario: Exothermic decomposition of pumped/compressed fluid (e.g., acetylene) leading to overpressure
Inherently Safer/Passive:
• Design casing to contain decomposition overpressure
• Limit individual stage compression ratio to avoid high temperature
• Eliminate dead legs and other stagnant regions
Active:
• High temperature/pressure shutdown interlock
• Emergency relief device
Procedural:
• Operator action in response to high temperature indication

Item 5. Operational Deviation: High Temperature (bearing)
Failure Scenario: Failure of lubrication system resulting in bearing failure due to overheating
Active:
• High bearing temperature shutdown interlock
• Low lubrication pressure/level shutdown interlock
Procedural:
• Operator action in response to high temperature indication/alarm on lube oil reservoir
• Operator action in response to low pressure alarm on the discharge of lube-oil pump

Item 6. Operational Deviation: High Temperature (compressor)
Failure Scenario: Loss of upstream/interstage cooling resulting in high enough inlet temperature in subsequent stages of the compressor to cause compressor damage
Inherently Safer/Passive:
• Choice of materials and design to maximum temperature conditions
Active:
• High temperature shutdown interlock
• Low coolant flow shutdown interlock
Procedural:
• Operator action in response to high inlet temperature and/or low coolant flow indication/alarm

Item 7. Operational Deviation: High Temperature
Failure Scenario: Operation on total recycle without adequate cooling
Inherently Safer/Passive:
• Choice of materials and design to maximum temperature conditions
Active:
• High temperature shutdown interlock
• Cooler in recycle loop
Procedural:
• Operator action in response to high temperature indication

Item 8 (T). Operational Deviation: Low Flow (centrifugal pump)
Failure Scenario: Reduced flow to the inlet of a centrifugal pump causing cavitation, excessive vibration and damage to pump seal
Inherently Safer/Passive:
• Eliminate suction system restrictions
Active:
• Low flow shutdown interlock
• High vibration shutdown interlock
• Automatic recirculation from discharge to suction side on low flow alarm
Procedural:
• Operator action in response to low flow indication and/or high vibration

Item 9 (T). Operational Deviation: Low Flow (centrifugal compressor)
Failure Scenario: Reduced flow through a centrifugal compressor causing surge leading to high vibrations and compressor damage
Inherently Safer/Passive:
• Use compressor design other than centrifugal
Active:
• Automatic anti-surge system
• Low flow shutdown interlock
• High vibration shutdown interlock
Procedural:
• Operator action in response to low flow indication and/or high vibration (as for item 8)

Item 10 (T). Operational Deviation: Reverse Flow
Failure Scenario: High pressure on discharge side of pump/compressor causes backflow leading to seal failure and loss of containment
Inherently Safer/Passive:
• Use seal-less pumps
• Eliminate parallel machine
Active:
• Check valve placed at the discharge side
• Automatic isolation valve on discharge activated on machine trip or high pressure
• Emergency relief device
Procedural:
• Procedure for isolation of nonoperating parallel machine

Item 11 (T). Operational Deviation: Reverse Flow (centrifugal compressor)
Failure Scenario: Backflow via recycle loop due to control system failure resulting in overpressure of low pressure stages and loss of containment
Inherently Safer/Passive:
• Design low pressure stages for higher pressure
Active:
• Check valve or automatic isolation valve to protect against backflow from downstream side
• Restriction to limit back flow
• Emergency relief valve for protection of low pressure stages sized for maximum backflow

Item 12. Operational Deviation: Overspeed (Compressor)
Failure Scenario: Compressor overspeed leading to equipment damage due to speed control system failure and loss of containment
Inherently Safer/Passive:
• Use solid versus built-up rotor
Active:
• High speed alarm and compressor overspeed shutdown system

Item 13 (T). Operational Deviation: Loss of Containment
Failure Scenario: Particulate matter in pump feed leading to seal damage and loss of containment
Inherently Safer/Passive:
• Double or tandem seals
• Use pump design that can accommodate solids (e.g., diaphragm)
Active:
• Automatic pump trip on detection of loss of seal fluid
• Automatic back-flushing strainer
Procedural:
• Provide a strainer or filter in pump or compressor inlet with manual cleaning
• Provide seal leak detection system with alarm
• Provide remotely operated isolation valves at inlet and outlet with manual activation
• Periodic inspection of shaft seals

Item 14. Operational Deviation: Loss of Containment
Failure Scenario: Pump operated at a fraction of capacity resulting in excessive internal recirculation, frequent seal and bearing failure
Inherently Safer/Passive:
• Use a pump size matched to the service
• Minimum flow recirculation line to ensure a minimum flow through the pump (flow controlled by orifice)
Active:
• Minimum flow recirculation line (flow automatically controlled)
• Pump trip on minimum flow
Procedural:
• Procedural controls to avoid operating at too low a flow

Item 15. Operational Deviation: Loss of Containment
Failure Scenario: Improper shaft alignment causing bearing and/or mechanical seal problems leading to seal leakage or hot-spot, resulting in ignition
Inherently Safer/Passive:
• Alternative pump or compressor design without shaft alignment needs (e.g., diaphragm/piston)
Active:
• On-line vibration monitoring with automatic shutdown
Procedural:
• Operator action on alarm from axial displacement sensors
• Periodic audible/visual inspection of machine

Item 16. Operational Deviation: Wrong Composition/Phase (compressor)
Failure Scenario: Liquid in compressor suction leading to damage of compressor rotor
Inherently Safer/Passive:
• Use liquid-tolerant design (e.g., liquid ring compressor)
Active:
• Provide a Knock Out (KO) drum with automatic liquid removal and high level switch to trip the compressor
• Heat trace the line between the KO drum and the compressor
• On-line vibration monitoring with automatic shutdown
Procedural:
• Operator action in response to high level alarm in the KO drum
9 SOLID-FLUID SEPARATORS
9.1 INTRODUCTION
This chapter presents potential failure mechanisms for solid-fluid separators, and suggests design alternatives for reducing the risks associated with such failures. The types of equipment covered in this chapter include:
• Centrifuges
• Filters
• Dust collectors
• Cyclones
• Electrostatic precipitators
This chapter presents only those failure modes that are unique to solid-fluid separators. Some of the generic failure scenarios pertaining to vessels may also be applicable to solid-fluid separators. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels. Solid-fluid separation equipment is also often associated with dryers, and solids handling and processing equipment. Refer to Chapters 7 and 10 for information on these types of equipment. Unless specifically noted, the failure scenarios apply to more than one type of solid-fluid separator.
9.2 PAST INCIDENTS
This section presents several case histories involving fires and explosions (deflagrations) to reinforce the need for safe design and operating practices for solid-fluid separators.
9.2.1 Batch Centrifuge Explosion
A crystalline finished product was spinning in a batch centrifuge when an explosion occurred. The product had been cooled to -70°C before it was separated from a methanol/isopropanol mixture in the centrifuge. It was subsequently washed with isopropanol precooled to -90°C. The mixture was spinning for about 5 minutes when the explosion occurred in the centrifuge. The lid of the centrifuge was blown off by the force of the explosion. The overpressure shattered nearby glass pipelines and windows inside the process area (up to 20 meters away), but nearby plants were not damaged. As no operator was in the vicinity at the time of the explosion, no one was injured. No nitrogen inerting was used and enough time had elapsed to allow sufficient air to be drawn into the centrifuge to create a flammable atmosphere. Sufficient heat could also have been generated by friction to raise the temperature of the precooled solvent medium above its flash point. Because the Teflon® coating on the centrifuge basket had been worn away, ignition of the flammable mixture could also have been due to metal-to-metal contact between the basket and the bottom outlet chute of the centrifuge, leading to a friction spark. A static discharge might also have been responsible for the ignition. Since the incident, the company has required use of nitrogen inerting when centrifuging flammable liquids at all temperatures (Drogaris 1993).
Ed. Note: (1) Additional safety could be achieved by monitoring the oxygen concentration in conjunction with inerting. (2) The bottom outlet can also be sealed to minimize air entry.
9.2.2 Filter Explosion In 1987 an industrial filter used in the purification of an electrolytic plating solution exploded at a printing wire board manufacturing plant, rupturing the filter vessel. The process was shut down, and a team was formed to investigate the cause of the explosion. A failure modes and effects analysis (FMEA) identified five possible mechanisms which might have caused the explosion. Based on the available physical evidence and limited analytical results, the team felt that the most likely reason that the filter ruptured was due to overpressure resulting from hydrogen peroxide decomposition. Hydrogen peroxide is used in the process to treat the spent plating solution. The team concluded that the probable causes of the incident were: (1) a valving error (by the operator) that allowed the inadvertent pumping of the peroxide-laden treating solution to flow through the filter, (2) isolating (blocking in) the filter, and (3) having no means to purge hydrogen peroxide from the filter (Arendt and Lorenzo 1991).
9.2.3 Dust Collector Explosion
An explosion occurred in a dust collector used to collect a pharmaceutical product from a hammer mill/flash drying operation. The impact hammer mill had been operating for approximately 10 minutes when the operator heard unusual grinding sounds coming from inside the mill. He immediately shut down the mill just as an explosion occurred within the dust collector, located inside the building on the second floor. The pressure wave caused the explosion vent (a hinged panel) of the dust collector to open, and the explosion products and unburned powder were directed outside the building via a vent duct. However, a screen had been securely fastened at the end of the duct to prevent birds from entering, and as the vent panel swung upward and outward, it struck the screen and opened no farther. It is estimated that the screen prevented the explosion vent panel from opening to more than 50 percent of capacity. With the vent partially obstructed, the access door to the collector failed under pressure and released a dust cloud into the building. The flame front followed the dust cloud through the vent and through the access door, resulting in a fireball at both locations. Also, on the first floor, a fireball was seen exiting the vicinity of the rotary valve outlet at the bottom of the dust collector, which feeds a sifter. There was no secondary explosion on the first or second floors. However, windows were blown out on both floors. The ensuing fire in the dust collector engulfed the wool filter bags (which were burned up) and the remaining powder in the collector hopper, but the fire was quickly extinguished by the automatic sprinkler system inside the dust collector. A subsequent investigation of the incident revealed that a carbon steel bolt from the inside of the feeder (which feeds wet powder to the hammer mill/flash dryer) fell into the hammer mill. The bolt became trapped inside the 3600 RPM mill, where it heated to above the ignition temperature of the powder.
The hot metal ignited some of the powder in the mill, which was pneumatically conveyed into the dust collector. In the collector, a dust cloud created by the blow ring (pulse jet) was ignited by the hot powder conveyed in from the hammer mill. An inspection of the feeder revealed that six 3/8-inch carbon steel bolts and nuts were missing.
Ed. Note: All nuts and bolts in rotating equipment should be tack-welded to prevent them from entering equipment and causing sparks.
9.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS
Table 9 presents information on equipment failure scenarios and associated design solutions specific to solid-fluid separators. The table heading definitions are provided in Chapter 3, section 3.3.
9.4 DISCUSSION
9.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 9 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.
9.4.2 Special Considerations
Table 9 contains numerous design solutions derived from a variety of sources and actual situations. This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.
Dust Deflagrations due to Electrostatic Spark Discharge or Glowing Particles from Upstream Equipment (4)
Dust deflagrations can occur in cyclones and dust collectors because explosive dust clouds are readily formed inside these types of separators due to turbulence. Dust clouds are created continuously when dust collector bags are shaken or pulsed. Use of nitrogen, rather than air, as the pulsing gas when a combustible dust is being collected may be considered and is used by some companies. Because electrostatic charges are usually associated with powders that are pneumatically conveyed to solid-fluid separators, the separators must be adequately grounded and bonded. Glowing particles from a previous operation can act as an ignition source when they are transferred into a separator (see Section 9.2.3). Because of the great propensity for dust cloud formation in cyclones and dust collectors, they are usually protected either by deflagration venting or suppression systems (NFPA 68 1994; NFPA 69 1997). If flammable dust clouds can also be formed in the electrostatic precipitators by the rapping of the plates and electrodes, deflagration vents should be provided. Factory Mutual Engineering Corporation (FMEC) does not recommend the use of electrostatic precipitators when dry combustible dust concentrations in air may exceed the lower explosive limit due to the possibility of ignition by arcing in the precipitator (FMEC 1991). Industrial Risk Insurers (IRI) recommends an automatic fixed water spray system be provided for precipitators handling combustible materials. The system should provide a spray density of 0.25 gpm/ft² over the plates, oil baths (if any), and hoppers. Also, an automatic sprinkler system designed for a minimum density of 0.2 gpm/ft² should be installed in the ductwork to the precipitator, and collectors or hoppers ahead of the precipitator (IRI 1990).
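Table 9 items 1 and 4 pair an on-line oxygen analyzer with automatic inerting, a low-pressure or low-flow sensor on the nitrogen supply interlocked to shut the separator down, and a procedure for re-inerting before restart. The following Python is an added illustration prepared for this edition, not CCPS code and not any vendor's system. It shows one way to make that combination behave as a latched trip: the separator cannot be restarted until oxygen has been brought back below a lower restart setpoint, and a faulted analyzer or supply transmitter is treated as loss of inerting. The class and action names and the numeric setpoints are assumptions; the limiting oxygen concentration for a real dust has to come from test data for that dust, and the 8 percent and 5 percent figures here are placeholders only.

```python
"""Inerting interlock with latched trip and restart permissive.

Added illustration (not CCPS code).  Setpoints are placeholders: the
trip and restart oxygen limits for a real separator must be derived from
the limiting oxygen concentration measured for the specific dust.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class State(Enum):
    RUNNING = "running"
    TRIPPED = "tripped"   # latched shutdown; clears only after re-inerting
    INERTED = "inerted"   # re-inerted and ready for a permitted restart


@dataclass
class Reading:
    oxygen_pct: Optional[float]      # on-line analyzer, % O2; None = analyzer fault
    n2_supply_psig: Optional[float]  # nitrogen supply pressure; None = transmitter fault


class InertingInterlock:
    def __init__(self, o2_trip_pct: float = 8.0, o2_restart_pct: float = 5.0,
                 n2_min_psig: float = 20.0) -> None:
        self.o2_trip_pct = o2_trip_pct
        self.o2_restart_pct = o2_restart_pct  # below trip: hysteresis for restart
        self.n2_min_psig = n2_min_psig
        self.state = State.INERTED

    def _supply_ok(self, r: Reading) -> bool:
        # A faulted transmitter cannot prove the supply is healthy: fail-safe.
        return r.n2_supply_psig is not None and r.n2_supply_psig >= self.n2_min_psig

    def _o2_ok(self, r: Reading, limit: float) -> bool:
        # A faulted analyzer cannot prove the atmosphere is inert: fail-safe.
        return r.oxygen_pct is not None and r.oxygen_pct <= limit

    def step(self, r: Reading) -> List[str]:
        """Process one scan of readings; returns the actions to take."""
        actions: List[str] = []
        if self.state == State.RUNNING:
            if not self._o2_ok(r, self.o2_trip_pct) or not self._supply_ok(r):
                self.state = State.TRIPPED
                actions += ["shut down separator", "open inert gas valve"]
        elif self.state == State.TRIPPED:
            # Re-inerting before restart: O2 must fall below the lower setpoint
            # and the nitrogen supply must be healthy before the latch clears.
            if self._o2_ok(r, self.o2_restart_pct) and self._supply_ok(r):
                self.state = State.INERTED
                actions.append("re-inerting complete; restart permitted")
        elif self.state == State.INERTED:
            # Inerting lost while idle (e.g., air drawn in through an open
            # outlet): re-latch so a start cannot be requested.
            if not self._o2_ok(r, self.o2_restart_pct) or not self._supply_ok(r):
                self.state = State.TRIPPED
                actions.append("open inert gas valve")
        return actions

    def request_start(self) -> bool:
        """Start permissive: only an inerted, untripped separator may run."""
        if self.state == State.INERTED:
            self.state = State.RUNNING
            return True
        return False
```

The two separate setpoints matter: tripping at one value and permitting restart at the same value would let the machine cycle on and off around the limit, and it would also let an operator restart into an atmosphere that is only marginally below the trip point, which is exactly what the re-inerting procedure in Table 9 item 1 is meant to prevent.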
9.5 REFERENCES
Arendt, J. S. and Lorenzo, D. K. 1991. Journal of Loss Prevention in the Process Industries, 4: 338–43, October 1991.
Drogaris, G. 1993. Major Accident Reporting System: Lessons Learned from Accidents Notified. Amsterdam: Elsevier Science Publishers, B.V.
FMEC (Factory Mutual Engineering Corporation) 1991. Dust Collectors. Loss Prevention Data Sheet 7-73. Norwood, MA: Factory Mutual Engineering Corporation.
IRI 1990. Electrostatic Precipitators. IRInformation Manual 9.3.2.1. Hartford, CT: Industrial Risk Insurers.
NFPA 68 1994. Guide for Venting of Deflagrations. Quincy, MA: National Fire Protection Association.
NFPA 69 1997. Explosion Prevention Systems. Quincy, MA: National Fire Protection Association.
Suggested Additional Reading
ASTM 1986. Industrial Dust Explosions. Symposium on Industrial Dust Explosions, June 10–13, 1986, Pittsburgh, PA.
IChemE 1992. Dust and Fume Control: A User Guide, 2d ed. London: Institution of Chemical Engineers.
TABLE 9. FAILURE SCENARIOS FOR SOLID-FLUID SEPARATORS
Columns: No. | Operational Deviations | Failure Scenarios | Potential Design Solutions (Inherently Safer/Passive; Active; Procedural)

Item 1. Operational Deviation: Overpressure (Centrifuges)
Failure Scenario: Ignition of flammable vapors in centrifuge by static electricity
Inherently Safer/Passive:
• Permanent grounding and bonding
• Use more electrically conductive wash liquid
• Use less volatile/flammable wash liquid
• Avoid use of nonconductive lined centrifuge
• Centrifuge design accommodating maximum expected pressure
• Use nonflammable or high flash point solvent
Active:
• Provide automatic inerting
• Provide low pressure or low flow sensor on nitrogen supply line with interlocks to shut down filter or centrifuge
• Deflagration venting
• Deflagration suppression
Procedural:
• Procedures for re-inerting prior to restart of a batch centrifuge
• Manual bonding and grounding for portable units
• Manual shutdown of batch centrifuge on detection of low inert gas pressure or flow

Item 2. Operational Deviation: Overpressure (Pressure filters)
Failure Scenario: Relief device plugged by filter cake particles negating adequate overpressure protection
Inherently Safer/Passive:
• Provide flow sweep fitting at inlet to relief device
• Filter design accommodating maximum expected pressure in place of relief device
Active:
• Provide rupture disk upstream of relief valve with appropriate rupture disk leak detection
• Automatic sweep of inlet to relief device with purge fluid
Procedural:
• Manual periodic flush of inlet to relief device with purge fluid

Item 3. Operational Deviation: Overpressure (Centrifuges)
Failure Scenario: Ignition of flammable vapors in centrifuge or major mechanical damage caused by mechanical friction, e.g., out-of-balance basket rubbing against housing or bottom chute
Inherently Safer/Passive:
• Elimination of flammable solvent
Active:
• Provide proximity/vibration sensor interlocked to shut down centrifuge
• Provide automatic inerting
• Provide low pressure or low flow sensor on inert gas supply with interlock to shut down centrifuge
• Deflagration venting
• Deflagration suppression
Procedural:
• Operator shut down of centrifuge on detection of excessive vibration

Item 4 (T). Operational Deviation: Overpressure (Cyclones, dust collectors, and electrostatic precipitators)
Failure Scenario: Dust deflagration due to electrostatic spark discharge or glowing particles from upstream equipment
Inherently Safer/Passive:
• Permanent bonding and grounding
• Equipment design accommodating maximum expected pressure
• Use other type of separator (e.g., wet-type precipitator or scrubber)
• Use nitrogen as conveying gas
Active:
• Deflagration venting
• Deflagration suppression
• Automatic isolation of associated equipment via quick closing valves or chemical barrier (flame suppression)
• Automatic introduction of inert gas via on-line oxygen analyzer
Procedural:
• Manual introduction of inert gas on detection of high oxygen via on-line oxygen analyzer

Item 5. Operational Deviation: High Temperature (Cyclones, dust collectors, and electrostatic precipitators)
Failure Scenario: Fire caused by ignition of dust deposits on walls (tarry or sticky dust) or bags (fire may initiate deflagration; see item 4)
Inherently Safer/Passive:
• Use fire-retardant filter bags or ceramic cartridges
• Use of other type of separator (e.g., wet-type precipitator or scrubber)
Active:
• Automatic fire suppression system activated by high temperature sensor
• Automatic inerting system
Procedural:
• Operator activation of fire suppression system in response to high temperature indication
• Periodic cleaning of accumulated flammable dust deposits

Item 6. Operational Deviation: High Temperature (Batch Filters)
Failure Scenario: Fire from pyrophoric filter cake exposed to air when filter is opened to remove cake
Inherently Safer/Passive:
• Use filter with cake removal by spinning plates and/or sluicing with liquid (filter does not have to be opened up)
Active:
• Automatic fixed water spray
Procedural:
• Procedures to ensure that filter cake is sufficiently flushed with water before filter is opened up
• Manual activation of fixed water spray

Item 7. Operational Deviation: Loss of Containment (Vacuum belt filter, vacuum pan filter, rotary vacuum filter)
Failure Scenario: Loss of vacuum on discharge resulting in excessive emission of toxic or flammable vapors
Inherently Safer/Passive:
• Use totally enclosed, vapor-tight filter
Active:
• Local exhaust ventilation connected to a control system (vent condenser, adsorber, scrubber or incinerator)
Procedural:
• Operator shuts down operation in response to vapor detection alarm

Item 8. Operational Deviation: Loss of Containment (Centrifuges)
Failure Scenario: Catastrophic bearing failure results in major equipment damage and possible process fluid leak/fire
Active:
• Interlock bearing temperature sensor to shut down the centrifuge at high temperature
• Automatic centrifuge shutdown on detection of lubricating oil low flow or pressure
• Automatic centrifuge shut down on detection of excessive vibration
• External automatic fire suppression system
Procedural:
• Operator shut down of centrifuge on detection of high bearing temperature, or lubricating oil low flow or pressure
• Manual activation of external fire suppression system

Item 9. Operational Deviation: Loss of Containment (Batch Centrifuges)
Failure Scenario: Mechanical failure caused by basket imbalance and vibration due to improper loading
Inherently Safer/Passive:
• Use continuous centrifuge design
• Consider alternate solid-fluid separator designs
Active:
• Provide vibration sensor interlocked to shut down centrifuge
• Provide control system to admit feed at proper flow rate and appropriate time in acceleration period
Procedural:
• Operator control of feed rate to avoid imbalance of basket and vibration
• Operator shut down of centrifuge on detection of excessive vibration

Item 10. Operational Deviation: Loss of Containment (Centrifuges)
Failure Scenario: Mechanical failure due to centrifuge operating above the maximum design speed
Inherently Safer/Passive:
• Consider alternate solid-fluid separator designs
Active:
• Provide speed detector interlocked to shut down the centrifuge at overspeed point
Procedural:
• Operator shut down of centrifuge on detection of high speed

Item 11. Operational Deviation: Loss of Containment (Filter presses)
Failure Scenario: Spills or leaks of flammable or toxic liquids due to gasket failure
Inherently Safer/Passive:
• Use different type of filter or centrifuge with fewer gaskets
• Enclose filter in splash shield housing
• Locate filter in leak containment trough
• House filter in containment vessel
• Use higher integrity gaskets
Active:
• External automatic fire suppression system
Procedural:
• Pretest filter for leaks with water before feeding process slurry
• Procedures for testing compatibility of gasket material with process fluid
• Manual activation of external fire suppression system

Item 13. Operational Deviation: Loss of Containment (Clarifier and separator centrifuges, i.e., disc bowl, nozzle bowl, chamber bowl, desludger, opening bowl)
Failure Scenario: Mechanical failure due to loss of feed (running dry)
Inherently Safer/Passive:
• Use a design that is more tolerant to loss of feed (e.g., pusher type centrifuge)
Active:
• Provide adequate supply of wash liquid or water automatically as feed is reduced under emergency shutdown conditions
• External automatic fire suppression system
Procedural:
• Provide adequate supply of wash liquid or water manually as feed is reduced under emergency shutdown conditions
• Manual activation of external fire suppression system
10 SOLIDS HANDLING AND PROCESSING EQUIPMENT
10.1 INTRODUCTION
This chapter presents potential failure mechanisms for solids handling and processing equipment, and suggests design alternatives for reducing the risks associated with such failures. The types of equipment covered in this chapter include:
• Mechanical conveyors
• Pneumatic conveying systems
• Comminution equipment (mills, grinders, crushers)
• Sieving (screening) equipment
• Powder blenders (mixers)
• Solids feeders (rotary valves, screw feeders, etc.)
• Solids enlargement equipment (extruders, briquetters, etc.)
• Spray granulators and coaters
This chapter presents only those failure modes that are unique to solids handling and processing equipment. Some of the generic failure scenarios pertaining to vessels and solid-fluid separators may also be applicable to solids handling and processing equipment. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels, and Chapter 9, Solid-Fluid Separators. Unless specifically noted, the failure scenarios apply to more than one type of solids handling and processing equipment.
10.2 PAST INCIDENTS
Several case histories involving failures in solids handling and processing equipment are presented to reinforce the need for the safe design and operating practices presented in this chapter.
10.2.1 Silicon Grinder Fire and Explosion
A chemical plant which processed silicon-based chemicals experienced a fire and explosion in a grinder. Raw silicon was received in 1- or 2-inch lumps which had to be ground to a 200-mesh powder before being used in chemical processes. The air-conveyed silicon powder discharged from the grinder passed through a cyclone and then through a bag filter. An explosion and subsequent fire occurred in the system. The fire was extinguished within 15 minutes by a water hose stream. The system had explosion relief, but no sprinklers. Investigation showed that this incident was caused by hot spot ignition resulting from grinder parts scraping against the inside of the unit. This mechanism was supported by observation of high current draw on the grinder motor before the incident. See item 2 in Table 10 for potential design solutions.
Ed. Note: This hazard could have been mitigated by monitoring current-draw and possibly interlocking current-draw with the motor or a deluge system.
10.2.2 Blowing Agent Blender Operation Explosion Incident
An explosion occurred in a 3.7 m³ Nautamixer (conical orbiting screw mixer) during the blending of azodicarbonamide (AC) with an aqueous solution of salts to produce an AC formulation. During the batch blending cycle, hot water (80°C) is circulated through the blender jacket for several hours, and the vacuum in the blender is released by purging with nitrogen. The explosion caused the mixer vessel to rupture and two large sections of the top were torn out completely and struck the floor above. The cone section was thrust downwards into the hopper below. There was extensive damage to the building, windows were broken up to 90 meters away by the pressure wave, and missiles were projected up to 120 meters away. The four people in the plant at the time of the explosion were shaken up, but uninjured, while there were a few cuts to people in the nearby buildings due to flying glass. The TNT-equivalence of the blast was estimated at 3.3 kg. Subsequent experimental testing indicated that the explosion was caused by a decomposition which reached high rates due to a critical degree of confinement. The initiating source of the decomposition was not positively identified, but it was assumed that the heat was generated by mechanical friction due, for example, to the screw rubbing on the vessel wall. Another possibility
is that a small metal item found its way into the vessel and became trapped between the screw and the wall (Whitmore et al. 1993). See item 5 in Table 10 for potential design solutions. Ed. Note: A deflagration suppression system might have prevented the explosion.
10.2.3 Screw Conveyor Explosion
Three employees were killed, two were seriously injured, and a factory building was completely destroyed in an explosion involving skimmed milk powder. The milk powder was fed into a screw conveyor from a feed hopper and was then carried to a blender. A deformation occurred in the screw conveyor housing, causing parts of the screw flights to grind against the housing. The grinding produced sufficient frictional heat and sparks to ignite the dust-air cloud in the free space of the conveyor. The primary explosion burst the screw conveyor housing, dispersing a significant amount of additional dust into the air from the freshly filled feed hopper. A secondary explosion was then ignited by the flames of the primary explosion (Field 1982). See items 5, 8, and 12 in Table 10 for potential design solutions.
10.2.4 Bucket Elevator Explosion
A dust explosion in a sugar refinery caused two injuries and severely damaged the plant. A number of factors led to the explosion. The factory had been shut down for a 9-day period and the explosion occurred within two minutes of restarting the plant. Before the shutdown, all sugar dust had been removed from the pit of the elevator shaft, but during the shutdown sugar had accumulated in the pit via a leaking flap valve. The bucket elevator ran through all 13 stories of the building, collecting sugar from ground level and transferring it to the appropriate processing equipment. On startup, the bucket elevator was under a load for which it was not designed. The strain caused a tensioning device to fail, the bucket chain slackened, and the elevator buckets ran out of alignment. The frictional heat produced by the rubbing metal surfaces was sufficient to ignite the sugar dust suspension in the elevator shaft (Field 1982). See item 4 in Table 10 for potential design solutions.
10.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS
Table 10 presents information on equipment failure scenarios and associated design solutions specific to solids handling and processing equipment. The table heading definitions are provided in Chapter 3, section 3.3.
10.4 DISCUSSION

10.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 10 in conjunction with the design basis methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

10.4.2 General Discussion
Fires and explosions (deflagrations) have the potential to occur in equipment that handles and processes combustible powders and bulk solids. These hazards can be minimized by the use of appropriate preventive measures, such as the following:
• Increasing the particle size of the powder, which raises the minimum ignition energy (MIE) and reduces the rate of pressure rise of a dust explosion.
• Using solid additives with large particle size and/or high MIEs.
• Using dense-phase pneumatic conveying in lieu of dilute-phase conveying, which reduces the attrition of the solids conveyed, reduces the static generation per unit mass, and may result in nonflammable mixtures in the transfer line.
• Using low-speed mills rather than higher-speed ones, which minimizes dust cloud formation and reduces the potential for high-energy metal-to-metal contact.
• Using fluid energy mills in lieu of high-impact mills (e.g., hammer mills); nitrogen can be used as the milling gas rather than air, which in most cases will make the operation inherently safer.
• Using an ionizing spray to dissipate electrostatic charges where possible.

10.4.3 Special Considerations
Table 10 contains numerous design solutions derived from a variety of sources and actual situations. This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Dust Deflagration in Pneumatic Conveying Systems (1)
Dust deflagrations often occur in end-of-line equipment (e.g., silos, dust collectors, cyclones) of pneumatic conveying systems due to electrostatic sparks. The rubbing of particles against particles and against the walls of the pneumatic conveying line generates electrostatic charges on the powder, which are then discharged in the end-of-line equipment, where a dust cloud is often formed, and a dust explosion occurs. A number of preventive and protective measures are commonly used, such as using nitrogen in lieu of air as the conveying gas, using dense-phase conveying in lieu of dilute-phase conveying to minimize attrition of the powder, providing deflagration venting or suppression systems for the end-of-line equipment, and good grounding and bonding of the pipeline and equipment. Other measures that can be taken involve modification of the solids being conveyed, such as increasing the particle size (making pellets) or formulating the solids so that they are less friable. Also, it is important to isolate the pneumatic conveying line from end-of-line equipment by a quick-closing valve or suppressant barrier so that the flame front developed in the end-of-line equipment does not propagate backwards into the equipment upstream of the conveying system. Static ignition mechanisms in recovery bins, silos and related equipment are discussed by Eckhoff (1996). Recommended preventive and protective practices are described in BS 5958 (1991).

Dust Deflagration in Mills, Grinders, and Other Size Reduction Equipment (2)

Size reduction equipment, such as mills, grinders, and the like, creates turbulent dust clouds due to its operation, which can result in a dust explosion (deflagration) caused by mechanical energy (impact). This hazard can be minimized by using fluid energy mills in place of high-impact mills such as hammer mills. Fluid energy mills use a gas, such as air or nitrogen (an inherently safer fluid), to reduce the size of solids. Some types of mills are designed to contain a deflagration; these should be used whenever possible. Care must be taken to prevent the entry of tramp metal and other foreign materials into size reduction equipment. This can be accomplished by installing screens or magnetic separators upstream of size reduction equipment.
Dust Deflagration and Loss of Containment in Gyratory Screeners (3)

Dust explosions (deflagrations) have occurred in gyratory screeners (sieves) because dust clouds are readily formed due to the nature of the operation. Because of their vibratory motion, gyratory screeners are connected to process equipment by flexible sleeves (e.g., rubber socks or boots). If a deflagration occurs, the flexible sleeves could rupture, ejecting a burning dust cloud into the room or building, which can then cause a secondary explosion. To minimize this hazard, several things can be done:
• Install the gyratory screener in a room with an outside wall equipped with blow-out vent panels.
• Use a rotary screener, which does not vibrate, in lieu of a gyratory screener.
• Use nitrogen inerting where feasible.
All metal components, including the screening surfaces, should be bonded and grounded because of the vigorous motion of the powder in the screeners and the possible generation of static electricity. Consideration should be given to the use of conductive or anti-static flexible sleeves. Also, for dusts of low MIE, provision of anti-static footwear for operators is recommended (Palmer 1973; BS 5958 1991). Leaky flexible sleeves can result in fugitive emissions from gyratory screeners. Leaks can be minimized, or even eliminated, by operating under a slight vacuum, with the screener connected to a dust collector (Palmer 1973).

Overpressure in Bucket Elevators and En-masse Conveyors (4)
Bucket elevators and en-masse conveyors contain belts or chains which can loosen and rub against the housing and cause impact sparks or frictional heating, which in turn may cause a dust explosion. Tramp metal that gets into en-masse conveyors can also cause frictional heating which can act as an energy source for an explosion. Sensors for hot material can be installed and interlocked with a water quench system to extinguish the hot solids. Also, it is very important to prevent the propagation of a dust explosion flame into the upstream and downstream equipment connected to conveying equipment. This can be accomplished by installing material "chokes" such as rotary valves or screw feeders at the inlet and outlet sides of conveyors. It has been found that material "chokes" (plugs of powder) quench the flame (Field 1982; Eckhoff 1996). Quick-closing valves and suppressant barriers can also be used to isolate upstream and downstream equipment from conveyors.

Fire Caused by Electrostatic Sparks Igniting Powder on a Belt Conveyor (10)

Powders being conveyed on a belt conveyor can be ignited by an electrostatic spark if the powder has a low MIE. The electrostatic spark can often be generated by the belt itself, and the use of belts of anti-static (conductive) materials can minimize this problem. Electrostatic charges can also be reduced by use of ionized air or inductive neutralizers, such as static combs and tinsel bars (NFPA 77 1993).
10.5 REFERENCES

British Standards Institute 1991. BS 5958, Code of Practice for Control of Undesirable Static Electricity: Part 1, General Considerations, and Part 2, Recommendations for Particular Industrial Situations. London: British Standards Institute.
Eckhoff, R. K. 1996. Dust Explosions in the Process Industries, 2nd ed. Boston: Butterworth-Heinemann.
Field, P. 1982. Dust Explosions. New York: Elsevier Scientific Publishing Company.
NFPA 77 1993. Recommended Practice on Static Electricity. National Fire Protection Association, Quincy, MA.
Palmer, K. N. 1973. Dust Explosions and Fires. London: Chapman and Hall.
Whitmore, M. W., Gladwell, J. P., and Rutledge, P. V. 1993. Journal of Loss Prevention in the Process Industries 6:169-175.

Suggested Additional Reading

Grossel, S. S. 1988. Safety Considerations in Conveying Bulk Solids and Powders. Journal of Loss Prevention in the Process Industries 6:62-74.
TABLE 10. FAILURE SCENARIOS FOR SOLIDS HANDLING AND PROCESSING EQUIPMENT

Columns: No.; Operational Deviation; Failure Scenario; Potential Design Solutions, grouped as Inherently Safer/Passive, Active, and Procedural. Heading definitions are given in Chapter 3, section 3.3. "(T)" marks items as shown in the original table.

No. 1 (T)
Operational Deviation: Overpressure (pneumatic conveying system)
Failure Scenario: Dust deflagration in end-of-line equipment (silo, cyclone, dust collector) due to electrostatic spark discharge generated by pneumatic conveying
Inherently Safer/Passive:
• Permanent grounding and bonding via continuous metal piping
• Use of heavy wall piping and flanges in lieu of tubing and couplings so that the system can withstand the maximum expected deflagration pressure
• Use of nitrogen in lieu of air as conveying gas (closed loop system)
• Use dense-phase conveying instead of dilute-phase
• Convey solids as pellets instead of granules or powder; however, avoid transport of pellets containing an easily ignitable fines fraction
• Increase particle size
• Use a nonfriable solids formulation (avoid fines)
• Use additives with high ignition energy
• Use of conductive rubber sleeves (boots and socks) when flexible connections are required
Active:
• Deflagration venting of end-of-line equipment
• Deflagration suppression in end-of-line equipment
• Quick-closing isolation valve at inlet to end-of-line equipment
• Deflagration suppression barrier in piping at inlet to end-of-line equipment
Procedural:
• Manual bonding across potential breaks in continuity such as nonconductive rubber socks

No. 2
Operational Deviation: Overpressure (mills, grinders and other size reduction equipment)
Failure Scenario: Dust deflagration due to mechanical energy or electrostatic spark
Inherently Safer/Passive:
• Permanent grounding of housing
• Equipment design accommodating maximum expected pressure
• Use of fluid energy mill with inert gas instead of air
• Use screens to remove tramp metals and other foreign materials
Active:
• Provide inerting
• Deflagration venting
• Water deluge system in mill
• Deflagration suppression in the mill
• Deflagration suppression/barrier in inlet/outlet piping
• Use magnets to remove tramp metals and other foreign materials
Procedural:
• Manual removal of tramp metals and other foreign materials
• Manual bonding and grounding

No. 3 (T)
Operational Deviation: Overpressure and loss of containment (gyratory screener)
Failure Scenario: Dust deflagration causing rupture of flexible sleeves and subsequent secondary deflagration in building
Inherently Safer/Passive:
• Use of nongyratory (rotary) type of screener
• Permanent bonding and grounding
• Use of outboard bearings to avoid potential source of ignition
Active:
• Install gyratory screener in a separate room with blow-out walls (deflagration vents)
• Operate under vacuum to avoid escape of dusts into building
Procedural:
• Good housekeeping to reduce dust
• Frequent routine inspection and scheduled replacement of sleeves
• Manual bonding and grounding

No. 4 (T)
Operational Deviation: Overpressure (bucket elevators and en-masse conveyors)
Failure Scenario: Dust deflagration due to impact or frictional heating from slipping belts or chains, with possible secondary deflagration in building
Inherently Safer/Passive:
• Equipment design accommodating maximum expected pressure for tubular en-masse conveyors
• Permanent grounding and bonding
• Convey solids as pellets instead of granules or powder
• Increase particle size
Active:
• Deflagration venting
• Deflagration suppression
• Provide chokes
• Provide negative pressure for bucket elevators installed inside buildings to minimize dust leakage
• Provide deflagration suppression/barrier at feed and discharge points
• Provide hot material detection and automatic quench system
• Provide inerting for small en-masse conveyors
Procedural:
• Good housekeeping to reduce dust in building
• Manual grounding and bonding

No. 5
Operational Deviation: Overpressure (orbiting screw powder blender, fluid bed blender, or ribbon blender)
Failure Scenario: Dust deflagration due to electrostatic spark discharge or frictional heating (orbiting screw or ribbon rubbing against vessel wall)
Inherently Safer/Passive:
• Equipment design accommodating maximum expected pressure
• Permanent grounding and bonding
• Increase particle size
Active:
• Provide inerting
• Deflagration venting
• Deflagration suppression
• Provide an overload trip on the motor driving the orbiting screw
Procedural:
• Procedures to verify adequate purging of bottom bearing
• Manual grounding and bonding

No. 6
Operational Deviation: Overpressure (spray granulators and coaters)
Failure Scenario: Deflagration and/or fires caused by use of flammable or combustible solvents
Inherently Safer/Passive:
• Permanent grounding and bonding
• Equipment design accommodating maximum expected pressure
• Eliminate use of flammable solvents (e.g., use aqueous systems)
• Use high flash point solvents
Active:
• Provide inerting
• Deflagration venting
• Deflagration suppression
• Deflagration barriers (quick-closing isolation valve or suppressant) in the path from granulator or coater to downstream equipment (dust collector, scrubber)
Procedural:
• Procedures for periodic inspection and cleaning of combustible materials on walls
• Procedures to process the most stable materials first when campaigning multiple products, to avoid ignition of unstable materials
• Manual grounding and bonding

No. 7
Operational Deviation: Overpressure (extruder)
Failure Scenario: Blockage of die
Active:
• Provide emergency relief device
• Provide overload trip on motor
• Provide pressure measurement at die with interlock shutdown on high pressure
Procedural:
• Manual shutdown on motor overload
• Manual shutdown on detection of high pressure

No. 8
Operational Deviation: High temperature (screw conveyors or extruders)
Failure Scenario: Fire caused by jamming of conveyed material and frictional heating
Inherently Safer/Passive:
• Use other type of conveyor (e.g., vibratory conveyor)
• Use screens to remove tramp materials
Active:
• Provide an overload trip on the motor driving the screw
• Provide a temperature sensor in the conveyor trough/barrel automatically tripping the motor and/or activating a water deluge system or snuffing steam
• Use magnets to remove tramp ferrous metals
Procedural:
• Provide a temperature sensor in the conveyor trough/barrel with an alarm alerting the operator to activate the deluge system or snuffing steam
• Manual removal of tramp ferrous metals

No. 9
Operational Deviation: High temperature (belt conveyors)
Failure Scenario: Fire caused by overheating due to a jammed idler roller, or, if the belt jams, as a result of drive rollers continuing to run
Inherently Safer/Passive:
• Provide "fire retardant" belts
• Use other type of conveyor (e.g., vibratory type)
• Use sealed roller bearings to minimize ingress of solids
Active:
• Provide belt velocity detection interlocked to shut down on low speed
• Provide automatic sprinklers or water spray protection interlocked to shut down the belt drive on sprinkler water flow initiation
Procedural:
• Operator activation of sprinklers or water spray
• Manual shutdown on detection of low speed

No. 10 (T)
Operational Deviation: High temperature (belt conveyors)
Failure Scenario: Fire caused by electrostatic sparks igniting powder on the belt
Inherently Safer/Passive:
• Provide belts of anti-static material
• Increase minimum ignition energy
• Provide passive static elimination device (e.g., tinsel bar)
Active:
• Provide automatic sprinklers or water spray protection interlocked to shut down the belt drive on sprinkler water flow initiation
• Provide ionizing blower to eliminate static charge
Procedural:
• Operator activation of sprinklers or water spray

No. 11
Operational Deviation: High temperature (rotary valves)
Failure Scenario: Fire caused by jamming and frictional heating
Inherently Safer/Passive:
• Design dust collector bag cages and filters to be properly secured to avoid falling into rotary valve
• Provide robust bar screen at rotary valve inlet
• Provide outboard bearings to prevent failure due to solids contamination
Active:
• Provide an overload trip on the motor driving the rotary valve
• Provide a temperature sensor in the valve body automatically tripping the motor and/or admitting quench water into the valve
Procedural:
• Provide a temperature sensor in the valve body with an alarm alerting the operator to trip the motor and activate quench
• Ensure dust collector bags and cages are properly secured

No. 12
Operational Deviation: High temperature (screw conveyors)
Failure Scenario: Fire caused by shaft misalignment resulting in frictional heating due to the shaft rubbing against the trough
Inherently Safer/Passive:
• Use different type of conveyor (e.g., vibratory conveyor)
Active:
• Provide an overload trip on the motor driving the screw
• Provide temperature sensors (multipoint or line type) in the trough automatically tripping the motor and/or admitting quench water to the conveyor trough
Procedural:
• Provide temperature sensors in the trough with an alarm alerting the operator to trip the motor and activate quench

No. 13
Operational Deviation: High temperature (extruders)
Failure Scenario: Fire caused by jamming and frictional heating
Active:
• Provide an overload trip on the motor driving the extruder screw
• Provide a temperature sensor in the extruder barrel (body) automatically tripping the motor
Procedural:
• Provide a temperature sensor in the extruder barrel (body) with an alarm to alert the operator to take action

No. 14
Operational Deviation: Loss of containment (bucket elevators, screw conveyors)
Failure Scenario: Emission of combustible and/or toxic dusts to the atmosphere or building
Inherently Safer/Passive:
• Provide "dust-tight" design
• Use other type of conveyor (e.g., en-masse conveyor)
Active:
• Provide negative pressure ventilation to contain and capture any emissions
Procedural:
• Periodic contamination testing of area
11 FIRED EQUIPMENT

11.1 INTRODUCTION

This chapter presents potential failure mechanisms for fired equipment and suggests design alternatives for reducing the risks associated with such failures. The types of fired equipment covered in this chapter include:
• Process furnaces
• Boilers
• Thermal incinerators
• Catalytic incinerators

This chapter presents only those failure modes that are unique to fired equipment. Some of the generic failure scenarios pertaining to vessels and heat transfer equipment may also be applicable to fired equipment. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels, and Chapter 6, Heat Transfer Equipment. Unless specifically noted, the failure scenarios apply to more than one class of fired equipment.

11.2 PAST INCIDENTS

This section describes several case histories of incidents involving failure of fired equipment to reinforce the need for the safe design practices presented in this chapter.

11.2.1 Light-Off Error
A safety shut-off valve on the gas supply to a burner remained open after the unit was shut down. There was no indicator to show whether the valve was open or closed. On start-up, the operator opened the main valve on the gas supply to the burner before lighting the pilot burner. When he tried to light the burner, an explosion occurred (MCA 1966).
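The incident above is the case that Table 11, items 1 and 2, and the Delayed Ignition discussion in section 11.4.2 address with proven-closed fuel valves, a timed purge, a time-limited pilot trial for ignition and flame proving before main fuel. The following is an added example, not code from the CCPS text or from any burner management system vendor, that encodes those permissives as a fail-safe state machine. The state names, the Inputs signal set and the timings are assumptions for illustration; actual purge and trial times come from NFPA 8501/8502/86 and the burner design.

```python
"""Fail-safe burner light-off sequencer (added example, not CCPS text).

Purge credit accumulates only while every fuel valve is proven closed and
purge air is flowing; each pilot trial for ignition is time-limited; a failed
trial returns to purge rather than retrying hot; main fuel is admitted only
with pilot flame proven; flame-out or loss of air trips all fuel to LOCKOUT.
State names, timings and the Inputs fields are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    PURGING = auto()
    PILOT_TRIAL = auto()   # pilot fuel + igniter on, waiting for flame
    PILOT_ON = auto()      # pilot proven; main fuel may be requested
    FIRING = auto()
    LOCKOUT = auto()       # tripped; manual reset, then a fresh purge


@dataclass
class Inputs:
    """Field signals sampled once per scan (assumed sensor set)."""
    main_valves_closed: bool   # limit switches on every main fuel block valve
    pilot_valves_closed: bool
    air_flow_ok: bool          # purge/combustion air above minimum
    pilot_flame: bool          # flame scanner on the pilot
    main_flame: bool


class BurnerSequencer:
    def __init__(self, purge_time=300.0, trial_time=10.0, max_trials=3):
        self.purge_time, self.trial_time, self.max_trials = purge_time, trial_time, max_trials
        self.state, self.timer, self.trials = State.IDLE, 0.0, 0
        self.pilot_fuel = self.main_fuel = self.igniter = False   # commanded outputs

    def _goto(self, state, pilot=False, main=False, igniter=False):
        self.state, self.timer = state, 0.0
        self.pilot_fuel, self.main_fuel, self.igniter = pilot, main, igniter

    def request_start(self):
        if self.state is State.IDLE:
            self.trials = 0
            self._goto(State.PURGING)

    def request_main(self):
        # Main fuel is never opened from any state other than a proven pilot.
        if self.state is State.PILOT_ON:
            self._goto(State.FIRING, pilot=True, main=True)

    def reset(self):
        if self.state is State.LOCKOUT:
            self._goto(State.IDLE)

    def scan(self, inp: Inputs, dt: float) -> State:
        self.timer += dt
        if self.state is State.PURGING:
            if not (inp.main_valves_closed and inp.pilot_valves_closed and inp.air_flow_ok):
                self.timer = 0.0            # no purge credit while a valve is unproven
            elif self.timer >= self.purge_time:
                self.trials += 1
                self._goto(State.PILOT_TRIAL, pilot=True, igniter=True)
        elif self.state is State.PILOT_TRIAL:
            if not inp.air_flow_ok:
                self._goto(State.LOCKOUT)   # never attempt ignition without air
            elif inp.pilot_flame:
                self._goto(State.PILOT_ON, pilot=True)
            elif self.timer >= self.trial_time:
                # Failed trial: pilot fuel off; re-purge, or lock out once the budget is spent.
                if self.trials >= self.max_trials:
                    self._goto(State.LOCKOUT)
                else:
                    self._goto(State.PURGING)
        elif self.state in (State.PILOT_ON, State.FIRING):
            flame = inp.pilot_flame or (self.state is State.FIRING and inp.main_flame)
            if not flame or not inp.air_flow_ok:
                self._goto(State.LOCKOUT)   # flame-out or loss of air trips all fuel
        return self.state


def run(seq: BurnerSequencer, inp: Inputs, seconds: float, dt: float = 1.0) -> State:
    """Advance the sequencer with constant inputs for a number of seconds."""
    for _ in range(int(round(seconds / dt))):
        seq.scan(inp, dt)
    return seq.state


if __name__ == "__main__":
    # The MCA case: a main fuel valve left open. Purge credit never accumulates,
    # so no ignition trial is ever started.
    seq = BurnerSequencer()
    seq.request_start()
    stuck_open = Inputs(main_valves_closed=False, pilot_valves_closed=True,
                        air_flow_ok=True, pilot_flame=False, main_flame=False)
    print(run(seq, stuck_open, 1000), seq.pilot_fuel, seq.main_fuel)
```

With the stuck-open valve of the incident the sequencer stays in PURGING indefinitely and no fuel is ever commanded, which is the design intent of the "interlocks to ensure that all fuel supply valves are closed" item in Table 11. The same structure gives the limited-duration trial and re-purge the Procedural column asks for, with the procedure enforced by the logic rather than by the operator.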
11.2.2 Ethylene Cracking Furnace Overfiring
During operation of an ethylene unit, various light byproduct off-gases were being collected and recycled to the fuel system. For start-up and any other condition during which plant-produced fuel gases could not meet the fuel demand of the cracking furnaces, C3 LPG was available for admission to the fuel system to satisfy demand. Normally, the firing control system on the cracking furnaces used a Wobbe Index analyzer to adjust fuel rate based on heating value. However, for reasons unknown, the plant operators had disabled the Wobbe Index analyzer and had also disabled the coil outlet temperature cascade to the fuel gas firing valve pressure controller. While the cracking heaters were operating on light byproduct off-gases with a low calorific value, a plant upset resulted in the trip of the cracked gas compressor. The heaters were kept on-line with cracked gas routed to a flare. Subsequently, without forward flow of cracked gas to the downstream separation facilities, production of plant off-gas diminished and LPG was automatically added to the fuel gas system. With the addition of LPG the heating value of the fuel gas increased significantly; with neither the analyzer nor the temperature cascade in service, this resulted in overfiring of the heaters and major damage to the coil and associated supports.

Ed. Note: There appear to be both procedural and design flaws which contributed to this incident. First, disabling process controls which have an important bearing on process safety should not have been permitted. Operators should not have been able to disable the temperature cascade. If this capability were needed, this change should have been managed with appropriate permit procedures. Second, the provision of a heater emergency shutdown based on a measurement of coil outlet temperature independent from process controls would have been advantageous.
11.2.3 Furnace Tube Failure
A furnace was protected by a relief valve on the inlet line. The low flow alarm and trip were based on a flow measurement upstream of the relief valve. A blockage in the line exiting the furnace caused the relief valve to lift, which in turn caused the flow through the furnace tubes to drop sharply; because the flow measurement was upstream of the relief valve, it continued to read normal flow and the low flow trip did not act. As a result, the furnace tubes overheated and burst (Kletz 1994).
11.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS Table 11 presents information on equipment failure scenarios and associated design solutions specific to fired equipment. The table heading definitions are provided in Chapter 3, section 3.3.
11.4 DISCUSSION

11.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 11 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

11.4.2 Special Considerations
This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Delayed Ignition (1)
The most common cause of explosions in furnaces and fired boilers is error during light-off. Repeated unsuccessful attempts to light the pilot or the burner can result in accumulation of a large amount of fuel in the furnace. When the attempt is finally successful, the accumulated flammable inventory ignites, resulting in an explosion. A leaky fuel valve may also result in fuel buildup in the furnace which, when ignited, can result in an explosion. Fuel may also build up in the furnace due to "flame-out." If proper purge procedures are not followed during the relighting step, the accumulated fuel may explode. For more information on prevention of explosions in furnaces and fired equipment, refer to these National Fire Protection Association standards: NFPA 8501 1992, NFPA 8502 1995, and NFPA 86 1995.

Rapid Readmission of Air (3)
Adequate delivery of combustion air to fired heaters at all heat load conditions is essential for safe furnace operation. Firing without sufficient air will result in unburned fuel in the firebox with the potential for subsequent uncontrolled combustion. Firing controls should be configured so that air "leads" fuel on a firing demand increase and "lags" fuel on a firing demand decrease. However, even with a "lead-lag" system, a rapid reduction in air availability, due to the trip of a fan for example, may result in insufficient air delivery. To avoid the accumulation of unburned fuel and a possible positive pressure pulse in the firebox during rapid readmission of air, interlock shutdown on detection of a low air-to-fuel ratio may be warranted. If an automatic air restoration response strategy is used, such as auto-start of a spare fan, a suitable system dynamic response analysis should be employed to ensure that sudden loss of air can be effectively managed. For additional information on fired equipment combustion controls, see Liptak (1985).

Tube Rupture (5)
Tube rupture is the second most common failure mode in fired equipment. Overheating tubes drastically reduces their useful life. A pressure vessel may be able to withstand several times its design pressure, but a furnace tube may only withstand a few percent increase in its absolute temperature (Kletz 1993).
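The air-leads/lags-fuel rule described under Rapid Readmission of Air (3) above is usually implemented as a cross-limited firing control: the fuel setpoint is bounded by measured air and the air setpoint is held up by measured fuel, so whichever direction demand moves, air is never the quantity that lags into a deficit. The following is an added example, not code from the CCPS text or from any combustion control vendor, showing that scheme together with the delayed low air-to-fuel ratio trip the text recommends, run against a constructed first-order plant so that a demand step and a fan trip can be compared. The excess-air target, trip threshold and delay, ramp rate and plant lag constants are assumptions; quantities are in % of design firing, normalised so that stoichiometric air equals fuel.

```python
"""Cross-limited ("lead-lag") air/fuel control with a low air/fuel ratio trip.

Added example, not CCPS text. On a demand increase the air setpoint moves
first and fuel is limited by *measured* air; on a demand decrease fuel moves
first and the air setpoint is held up by *measured* fuel. A sustained low
air-to-fuel ratio trips fuel. Units: % of design firing, normalised so that
stoichiometric air equals fuel. Tuning values and the plant in simulate()
are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuning:
    excess_air: float = 1.15   # air setpoint = fuel x 1.15 (15 % excess air, assumed)
    trip_ratio: float = 0.95   # trip below 95 % of stoichiometric air (assumed)
    trip_delay: float = 3.0    # seconds the ratio must stay low before tripping
    air_ramp_up: float = 10.0  # max rise of air setpoint, %/s, to control readmission


class CrossLimiter:
    def __init__(self, tuning: Tuning = Tuning()):
        self.t = tuning
        self.fuel_sp = self.air_sp = 0.0
        self.low_ratio_time = 0.0
        self.tripped = False

    @staticmethod
    def ratio(air: float, fuel: float) -> float:
        """Measured air over stoichiometric air for the measured fuel (inf at no fuel)."""
        return float("inf") if fuel <= 0.0 else air / fuel

    def step(self, demand: float, air_meas: float, fuel_meas: float, dt: float):
        """One control scan; returns (fuel_setpoint, air_setpoint)."""
        # Trip logic first: it overrides any firing demand and latches.
        if self.ratio(air_meas, fuel_meas) < self.t.trip_ratio:
            self.low_ratio_time += dt
            if self.low_ratio_time >= self.t.trip_delay:
                self.tripped = True
        else:
            self.low_ratio_time = 0.0
        if self.tripped:
            self.fuel_sp = 0.0            # fuel isolated; air setpoint left where it is
            return self.fuel_sp, self.air_sp

        # Fuel can never exceed what the measured air will burn (air leads on a rise).
        self.fuel_sp = max(0.0, min(demand, air_meas / self.t.excess_air))

        # Air can never drop below what the measured fuel needs (air lags on a fall);
        # rises are ramp-limited so readmission after an air deficit is controlled.
        target = max(demand, fuel_meas) * self.t.excess_air
        if target > self.air_sp:
            self.air_sp += min(target - self.air_sp, self.t.air_ramp_up * dt)
        else:
            self.air_sp = target
        return self.fuel_sp, self.air_sp


def simulate(demand, fan_capacity, steps: int, dt: float = 1.0,
             tuning: Tuning = Tuning(), start_fuel: float = 50.0) -> dict:
    """Run the controller against a toy plant (constructed for this example).

    demand(i) and fan_capacity(i) give firing demand and the fan's air ceiling
    at scan i, in %. Air follows its setpoint with a slow first-order lag and
    fuel with a fast one, so a fan trip starves the firebox faster than fuel
    valves close unless the cross-limit pulls fuel down.
    """
    ctl = CrossLimiter(tuning)
    fuel = start_fuel
    air = ctl.air_sp = start_fuel * tuning.excess_air   # start at steady state
    k_air, k_fuel = 0.3, 0.8                            # assumed plant lags per second
    min_ratio, worst_fuel_excess = float("inf"), float("-inf")
    for i in range(steps):
        fuel_sp, air_sp = ctl.step(demand(i), air, fuel, dt)
        # Invariant of the scheme: commanded fuel never exceeds what measured air supports.
        worst_fuel_excess = max(worst_fuel_excess, fuel_sp - air / tuning.excess_air)
        air += k_air * dt * (min(air_sp, fan_capacity(i)) - air)
        fuel += k_fuel * dt * (fuel_sp - fuel)
        min_ratio = min(min_ratio, ctl.ratio(air, fuel))
    return {"tripped": ctl.tripped, "min_ratio": min_ratio,
            "worst_fuel_excess": worst_fuel_excess, "air": air, "fuel": fuel}


if __name__ == "__main__":
    # Demand step 50 -> 80 -> 40 with a healthy fan: ratio never falls below target.
    print(simulate(lambda i: 80.0 if i < 30 else 40.0, lambda i: 100.0, 60))
    # Fan trip at scan 10: fuel follows air down, then the ratio trip isolates fuel.
    print(simulate(lambda i: 80.0, lambda i: 100.0 if i < 10 else 0.0, 30))
```

In the first scenario the air-to-fuel ratio never falls below the 15 % excess-air target in either direction of the demand step, because fuel is always bounded by measured air and air by measured fuel. In the second, a total fan trip drives the ratio below 0.95 for three consecutive scans and the controller latches fuel to zero, which is the low air-to-fuel ratio interlock the text says may be warranted even with lead-lag control. The ramp limit is applied only to increases of the air setpoint, so recovery from an air deficit is controlled while the lag side of the scheme can act immediately.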
Closure of Stack Damper (6)
Closure of the stack damper, or the loss of the induced draft fan can lead to buildup of pressure inside the firebox. This may result in fire/gases coming out of the furnace and risk of personnel exposure and equipment damage. To prevent such a situation it is desirable to maintain an open flue-gas path by putting a minimum position stop on the damper. It may also be necessary to provide a spare induced draft fan or design the furnace to transfer to natural draft operation. If these alternatives are not available, the system should be shut down on detection of high firebox pressure.
11.5 REFERENCES

Kletz, T. A. 1993. Lessons from Disaster. Houston, TX: Gulf Publishing Company.
Kletz, T. A. 1994. Learning from Accidents. Oxford: Butterworth-Heinemann Ltd.
Liptak, B. G. 1985. Instrument Engineers' Handbook: Process Control. Radnor, PA: Chilton Books.
MCA 1966. Case Histories of Accidents in the Chemical Industry, Vol. 2, Case History 1068. Manufacturing Chemists Association.
NFPA 8501 1992. Standard for Single Burner Boiler Operation. National Fire Protection Association, Quincy, MA.
NFPA 8502 1995. Standard for the Prevention of Furnace Explosions/Implosions in Multiple Burner Boilers. National Fire Protection Association, Quincy, MA.
NFPA 86 1995. Standard for Ovens and Furnaces. National Fire Protection Association, Quincy, MA.

Suggested Additional Reading

Anderson, S. E., Dowell, A. M., and Mynaugh, J. B. 1992. Flashback from Waste Gas Incinerator into Air Supply Piping. Plant/Operations Progress 11(2):85-88.
Desai, V. M. 1996. A Flare Deflagration Incident at Rohm and Haas. Process Safety Progress 15(3):166-167.
CCPS 1993. Guidelines for Engineering Design for Process Safety. New York: Center for Chemical Process Safety, American Institute of Chemical Engineers.
Ghosh, H. 1992. Improve Your Fired Heaters. Chemical Engineering 99(3):116-122.
IRI 1990. Boilers, Pressure Vessels and Piping. Information Manual 7. Hartford, CT: Industrial Risk Insurers.
Vervalin, C. H., ed. 1985. Fire Protection Manual for Hydrocarbon Processing Plants, Volume I. Houston, TX: Gulf Publishing Company.
Vervalin, C. H., ed. 1981. Fire Protection Manual for Hydrocarbon Processing Plants, Volume II. Houston, TX: Gulf Publishing Company.
TABLE 11. FAILURE SCENARIOS FOR FIRED EQUIPMENT

Columns: No.; Operational Deviation; Failure Scenario; Potential Design Solutions, grouped as Inherently Safer/Passive, Active, and Procedural. Heading definitions are given in Chapter 3, section 3.3. "(T)" marks items as shown in the original table.

No. 1 (T)
Operational Deviation: Overpressure (firebox)
Failure Scenario: Deflagration in firebox due to delayed ignition on light-off, fuel leakage into the firebox, or insufficient firebox purging
Inherently Safer/Passive:
• Provide continuous pilots for all burners
Active:
• Timed purge prior to light-off, with interlocks to ensure that all fuel supply valves are closed
• Reliable fuel gas isolation (e.g., double block and vent)
• Provide flame surveillance system to prevent fuel admission until an ignition source is present
• Provide interlocks to ensure that fuel and combustion air controls are in proper light-off positions before the ignition sequence can proceed
Procedural:
• Lighting procedures which ensure that each ignition trial is of limited duration and is followed by a purge if unsuccessful
• Ensure that all individual gas cocks to burners are closed until light-off
• Procedures/valving to ensure that only one burner is ignited at a time
• Provide individual burner cocks so that only one burner may be lighted at a time, to minimize potential accumulation of fuel prior to light-off

No. 2
Operational Deviation: Overpressure (firebox)
Failure Scenario: Failure to establish reliable pilot flames before opening main fuel supply, leading to explosion
Inherently Safer/Passive:
• Provide pilot burners with a separate fuel line
• Take pilot gas supply from the upstream side of the main shutoff valve for all burners
Active:
• Provide flame surveillance system to prevent fuel admission until an ignition source is present
Procedural:
• Lighting procedures to ensure pilots are lit and stable before admission of burner fuel

No. 3 (T)
Operational Deviation: Overpressure (firebox)
Failure Scenario: Rapid readmission of air to correct an insufficient air situation, leading to positive firebox pressure
Active:
• Interlock fuel supply and air supply so that loss of, or significant reduction in, air will isolate the fuel supply
• Provide "lead-lag" firing control system to avoid firing without sufficient air
Procedural:
• Procedures to limit fuel firing to air availability
• Procedures to control rate of air readmission in response to insufficient air flow

No. 4
Operational Deviation: Overpressure
Failure Scenario: Flashback into waste gas supply manifold to incinerator
Inherently Safer/Passive:
• Use alternative waste gas disposal method (e.g., adsorption)
• Provide deflagration or detonation arresters as appropriate
Active:
• Provide automatic fire suppression system
• Deflagration venting
• Automatic control of waste gas concentration
• Automatic temporary diversion of waste gas to alternative disposal
Procedural:
• Manual control of waste gas concentration
• Manual temporary diversion of waste gas to alternative disposal

No. 5 (T)
Operational Deviation: Overpressure (firebox)
Failure Scenario: Tube rupture due to thermal shock, overfiring, corrosion/erosion, or high temperature due to flame impingement or internal tube fouling
Inherently Safer/Passive:
• Enhanced tube metallurgy
• Heavier wall thickness
• Indirect firing
• Elimination of liquid to burner by using noncondensing gas
• Use sulfur-free fuel
Active:
• Automatic heater shutdown on high tube outlet temperature
• Automatic heater shutdown on low process flow
• Addition of inhibitors to reduce process coking rate
Procedural:
• Burner adjustment to eliminate flame impingement
• Procedures to prevent excessive firing rates
• Operator remote isolation of coil inlet/outlet in response to detecting tube rupture on indication of stack temperature increase, loss of tube pressure, or high firebox pressure/temperature
• Periodic decoking
• Procedures to prevent acid dewpoint corrosion
• Visual observation of coils for hot spots
• Tube wall temperature indication and high alarm
• Manual activation of steam purge of firebox to extinguish burning heavy oils

No. 6 (T)
Operational Deviation: Overpressure (firebox)
Failure Scenario: Closure of flue gas damper or trip of induced draft fan
Inherently Safer/Passive:
• Provide mechanical position stop to prevent complete closure of damper
• Design firebox for shutoff pressure of forced draft fan
• Use natural draft design to eliminate induced draft fan and/or damper
Active:
• Automatic heater shutdown on closure of damper
• Automatic heater shutdown on trip of induced draft fan
• Automatic heater shutdown on high firebox pressure

No. 7
Operational Deviation: Underpressure (firebox)
Failure Scenario: Trip of forced draft fan in balanced draft system
Inherently Safer/Passive:
• Design firebox for minimum pressure produced by induced draft fan
• Select alternative design without induced draft fan
Active:
• Automatic heater shutdown on loss of forced draft fan
• Automatic transfer to natural draft operation

No. 8
Operational Deviation: High temperature (process side)
Failure Scenario: Process side fouling (e.g., coking of tubes) resulting in localized hot spots and tube rupture
Inherently Safer/Passive:
• Enhanced tube metallurgy
• Heavier wall thickness
• Design heater for reduced heat fluxes
• Indirect firing
Active:
• Continuous injection of additive to retard fouling
Procedural:
• Visual observation of tube surface for hot spots
• Periodic decoking

No. 9
Operational Deviation: High temperature (firebox)
Failure Scenario: Firing with insufficient air, resulting in afterburning in convection section and flue gas system
Active:
• Provide "lead-lag" firing control system to avoid firing without sufficient air
• Automatic heater shutdown on low air flow and/or low air/fuel ratio
Procedural:
• Procedures to limit fuel firing to air availability
• Procedures to take corrective action or shut down heater on indication of high flue gas temperature or low stack oxygen concentration
• Manual heater shutdown on indication of high firebox pressure

No. 10
Operational Deviation: High temperature (firebox)
Failure Scenario: High or low burner fuel gas pressure resulting in incomplete combustion and possible afterburning and flame impingement on tubes
Inherently Safer/Passive:
• Use burners with wider turndown ratio
Active:
• Automatic heater shutdown on low or high burner fuel pressure
Procedural:
• Manual shutdown on low or high burner fuel pressure
• Manual shutdown on high flue gas temperature

No. 11
Operational Deviation: High temperature (firebox)
Failure Scenario: High or low burner liquid fuel pressure or low atomizing fluid differential pressure, resulting in fuel burning on the heater hearth
Inherently Safer/Passive:
• Use gaseous fuel
Active:
• Automatic heater shutdown on low or high burner fuel pressure
• Automatic heater shutdown on low atomizing fluid differential pressure
Procedural:
• Manual heater shutdown on low or high burner fuel pressure
• Manual heater shutdown on low atomizing fluid differential pressure
• Extinguishment with snuffing steam
• Visual inspection of firebox and manual adjustment of pressure

No. 12
Operational Deviation: Low temperature (incinerator)
Failure Scenario: Low flow of fuel gas, high excess air, or insufficient oxygen results in incomplete destruction of hazardous materials
Inherently Safer/Passive:
• Alternate means of disposal of hazardous material
• Increased stack height to reduce ground level concentration of hazardous materials
• Selection of catalyst with a wider temperature range of activity
Active:
• Automatic shutdown of incinerator on low fuel gas flow
• Automatic shutdown of incinerator on low combustion temperature
Procedural:
• Manual shutdown of incinerator on low fuel gas flow
• Manual shutdown of incinerator on low combustion temperature
• Manual sampling of incinerator offgas for concentration of hazardous materials

No. 13
Operational Deviation: Low flow (process side)
Failure Scenario: Cessation of flow or flow maldistribution through individual heater passes results in high tube temperature and tube rupture
Inherently Safer/Passive:
• Enhanced tube metallurgy
• Heavier wall thickness
• Orifices or Venturis to balance parallel tube passes
Active:
• Automatic shutdown of heater on low process flow
• Automatic control of flow to individual heater passes
• Automatic shutdown of heater on high coil outlet temperature
• Automatic addition of cooling fluid to heater tubes
• Automatic shutdown on high flue gas temperature

No. 14
Operational Deviation: Low level (boiler drum)
Failure Scenario: Loss of boiler water level leading to tube overheating and rupture
Inherently Safer/Passive:
• Design tubes in the convection section to operate "dry"
Active:
• Automatic boiler water level control
• Interlock to shut down firing on low drum level
• Interlock to shut down firing on low boiler feed water flow

No. 15
Operational Deviation: Wrong composition (fuel gas)
Failure Scenario: Rapid increase in fuel gas heating value leading to overfiring and tube rupture
Inherently Safer/Passive:
• Use of dedicated constant heating value fuel gas
Active:
• Automatic adjustment of firing on process outlet temperature and fuel heating value (on-line Btu analyzer)
• Automatic heater shutdown on high process outlet temperature or high firebox temperature
• Manual shutdown of heater on low processflowor high tube outlet temperature • Manual addition of cooling fluid to heater tubes • Manual shutdown on high flue temperature
• Manual shutdown of heater on high firebox temperature or high process outlet temperature
Potential Design Solutions No.
Operational Deviations
Failure Scenarios
Inherently Safer/Passive
16
Wrong Composition (Fuel)
High sulfur/ vanadium/sodium in fuel
• Enhanced metallurgy at points of possible acid dew point corrosion • Use of sulfur, vanadium or sodium-free fuel source
17
Wrong Composition (Catalytic Incinerator)
Introduction of liquid onto hot catalyst bed resulting in high temperature or fire
• Alternative incinerator design
18
Wrong Composition
Introduction of liquid (flammable or nonflammable) into firebox via fuel system resulting in loss of flame and possible explosion on reignition
Wrong Composition (Process side)
Introduction of liquid to gas heater resulting in thermal shock and tube failure
19
• Eliminate piping crossconnections upstream of heater which could inadvertently admit liquid
Active
Procedural . • Periodic analysis of fuel for sulfur, vanadium and/or sodium
• Liquid knock-out drum with automatic liquid removal • Heat tracing of feed system • Feed preheating to vaporize any entrained liquid • Automatic shutdown of incinerator on high offgas temperature
• Liquid knock-out (KO) drum with manual liquid removal • Manual shutdown of incinerator on high offgas temperature
• Liquid knock-out drum with automatic liquid removal • Heat tracing of fuel gas system
• Liquid knock-out (KO) drum with manual liquid removal
• Liquid knock-out drum with automatic liquid removal
• Liquid knock-out (KO) drum with manual liquid removal
12 PIPING AND PIPING COMPONENTS
12.1 INTRODUCTION
This chapter presents potential failure mechanisms for piping and piping components and suggests design alternatives for reducing the risks associated with such failures. The types of piping and piping components covered in this chapter include:
• Piping (metallic, nonmetallic, lined, jacketed, double walled)
• Components (flanges, expansion joints, gaskets, bolts, etc.)
This chapter presents only those failure modes that are unique to piping and piping components. Some of the generic failure scenarios pertaining to vessels may also be applicable to piping and piping components. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels. Unless specifically noted, the failure scenarios apply to more than one class of piping and piping components.

12.2 PAST INCIDENTS
This section describes several case histories of incidents involving failure of piping and piping components to reinforce the need for the safe design practices presented in this chapter.

12.2.1 Flixborough Expansion Joint Failure
The explosion in the Nypro Ltd. factory in Flixborough, U.K., which killed 28 people and destroyed the plant, resulted from catastrophic failure of bellows expansion joints. The plant had six reactors in series. The liquid flowed by gravity from one reactor to the next through short 28-inch diameter connecting pipes. To accommodate expansion, each connecting pipe contained a bellows expansion joint. When one of the reactors (Reactor 5) developed a crack and had to be removed, it was replaced by a temporary 20-inch diameter pipe with two bends in it to account for the difference in height between Reactor 4 and Reactor 6. The existing 28-inch bellows were left in position at each end of the pipe. The temporary connection performed satisfactorily until pressure rose above the normal level, causing the temporary pipe, which was not properly supported, to twist. The bending moment was enough to shear the bellows. A large quantity of cyclohexane from the reactors was released to the atmosphere. Ignition, about one minute after the release, produced a large vapor cloud explosion (Kletz 1994).
12.2.2 Chemical Storage Terminal Fire
In the Coode Island accident (State Coroner 1994), a series of explosions was initiated by flame transmission through a complex tank vent collection header system. The first explosion, in Tank 80 containing acrylonitrile, was blamed on a PV (pressure-vacuum or conservation) vent whose pressure pallet had been removed during maintenance and not replaced. Whatever the actual cause, ignition was attributed to "St. Elmo's Fire" (corona-type static discharge) caused by atmospheric electricity, which was supposed to have ignited acrylonitrile vapor emanating from the PV vent body, which was not gas tight. According to the State Coroner's official 1994 report, all the tanks that exploded belonged to the same zone as Tank 80 and communicated with each other via the vapor recovery ductwork. Forensic examination found evidence of light charring or sooting consistent with a fast flame passing through the ductwork. The coroner believed that flammable vapors were present in the ductwork because plant power was cut off at an early stage and the vapor extraction fan ceased operating; heat from the fire then caused tanks to exhale into the ductwork, which at the same time provided a flame path back into the tanks. The interconnected ducts caused the rapid spread of the fire.

A significant feature of the PV vent on this acrylonitrile tank was that its outbreathing was connected to the vapor collection header, which had a downstream blower. The principle of PV vent operation is that flashback into the tank is prevented by maintaining some minimum gas velocity through a narrow gap controlled by the pressure pallet. The design gas velocity through these narrow gaps comes from testing (Johnson 1983) and long experience with petroleum gases; it is far from clear what work, if any, has been done with faster burning gases. For example, a PV vent on a waste tank that can generate hydrogen is unlikely to prevent flashback to the tank. If the vent outlet is connected to any significant length of pipe and ignition occurs at the end of that pipe, the flame running back to the PV vent will accelerate to high speed and may even detonate; the gas velocity in the PV vent's narrow gap will then not prevent passage of the flame into the tank. In 1983 Mancini (Johnson 1983) cautioned that this phenomenon might occur, and recent unpublished work appears to confirm it. These conditions existed at Coode Island and might also apply where spill pipes are used in conjunction with PV vents to direct liquid overflow to a diked area.

Where it is required to reduce atmospheric emissions via PV vents while retaining their in-breathing capability, additional vents opening at a slightly lower positive tank pressure can be connected to a collection system. These vent lines can safely be equipped with detonation arresters, since if an arrester becomes blocked the tank will not be sucked in while the PV vent remains in service. See item 53 in Table 3 for potential design solutions.
12.2.3 Line Pluggage
A line that had been used to blow down wet hydrocarbon formed an ice/hydrate plug, blocking the 18-inch blowdown line. As a result of external steaming the plug loosened, and the pressure above it moved it with such force that it ruptured the line at a tee (Kletz 1994).

12.2.4 External Corrosion
A valve in a 10-inch liquefied butane line was located in a pit. The pit accumulated rainwater contaminated by sulfuric acid from a leaking line nearby. The bolts on the valve bonnet corroded and gave way, resulting in a massive butane release. The ensuing explosion killed seven people and caused extensive damage (Kletz 1994).

12.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS
Table 12 presents information on equipment failure scenarios and associated design solutions specific to piping and piping components. The table heading definitions are provided in Chapter 3, section 3.3.
12.4 DISCUSSION

12.4.1 Use of Potential Design Solutions Table
To arrive at the optimal design solution for a given application, use Table 12 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

12.4.2 Special Considerations
This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Blockage of the Relief Path (5, 6)
Process systems that can be overpressured must never be isolated from adequate overpressure protection. The inherently safer alternative to individual isolation valves at the inlet and outlet of safety relief devices is a parallel relief path: redundant safety relief devices and a three-way valve, so that one relief path is always open. Note that flame arresters located in the relief path may also be a source of blockage, particularly if the process fluid is fouling or can solidify or polymerize.

Deflagration to Detonation Transition in Pipelines (7)
Pipelines containing flammable mixtures, either normally or under upset conditions, may need to be equipped with devices to limit the consequences of an ignition. Where pipelines connect large items of process or storage equipment together it is most important to prevent flame spread via the connecting pipe. The deflagration flame initially produced by an ignition source generally increases in speed as it travels through a pipeline; flame acceleration is enhanced by turbulence promoters such as tees, elbows, and other flow restrictions. After some distance of travel, deflagration-to-detonation transition (DDT) may occur. This is marked by a sudden increase in flame speed and pressure. As flame speed increases it becomes more difficult to arrest flames; for fast flames and detonations, special flame arresting devices are required. The overall mitigation strategy is highly dependent on the circumstances and should be considered at the earliest possible design stage.

Avoidance of flammable mixtures by design and control is an inherently safer option, often used in conjunction with flame arresting devices. Flammable mixture control is usually achieved by operating below the limiting oxygen concentration (LOC) or the lower flammability limit (LFL) as described in NFPA 69. Operation above the upper flammability limit (UFL) using an enrichment gas such as methane can offer advantages in some situations such as vapor control systems. Operation below the LFL might be the safest of these strategies where air could leak into a system (for example, at a blower intake), increasing the oxygen concentration. It is important to consider the effects of start-up, shut-down and credible upset conditions during which flammable mixtures are produced. If flammable operation cannot be discounted, flame arresting devices should be incorporated (Britton 1996).

Devices for gas systems include liquid seals, deflagration arresters, detonation arresters, suppression systems and fast-acting valves. The first three are the most common. Deflagration flame arresters can only be used under specific circumstances, such as at the end of an atmospheric vent line, where DDT on the unprotected side cannot occur. Flame arresters situated in-line must generally be detonation arrester types certified for the actual conditions of use. These devices have pros and cons in terms of installation cost, effectiveness (e.g., risk of failure under upset conditions) and operability (e.g., back pressure, instrumentation and maintenance needs) which should be considered before the process design is finalized.

Powder (dust) systems cannot be equipped with liquid seals or deflagration/detonation flame arresters. Options include inert operation (typically closed loop nitrogen conveying) and active devices such as suppression systems and fast-acting valves. The response speed of these devices must be designed in accordance with the deflagration index (Kst) of the powder (an experimental quantity depending on powder composition and particle size) and the size and geometry of the equipment. There must be sufficient time for a flame to be detected and the arresting device to function before the flame arrives at vulnerable "protected" equipment such as a bin. Large items of equipment containing powders (e.g., bins) are often equipped with deflagration vents and rotary valves as additional protective measures (NFPA 68 and 69). Active devices for powders are described in the Guidelines for Engineering Design for Process Safety (CCPS 1993) and Howard 1991. Depending upon peak deflagration pressure, an equipment design for pressure containment might be a preferable alternative.
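The three flammable-mixture control strategies in the deflagration-to-detonation discussion above (below the LOC, below the LFL, above the UFL with an enrichment gas) are easy to state and easy to get wrong at the margins. The screening routine below is an added illustration, not code from the CCPS guideline or from NFPA 69. The LFL, UFL and LOC values are handbook figures for methane and hydrogen in air with nitrogen as diluent and are treated as assumptions; the safety margins are the NFPA 69 figures as the editor recalls them and must be confirmed against the edition in force; the mixture LOC is taken as the lowest LOC of the fuels present, which is conservative. Le Chatelier's rule for the mixture LFL and UFL is standard practice and not specific to this page.

```python
"""Flammable-mixture screening for a gas stream: an added example of the LOC, LFL
and UFL control strategies discussed above, not code from the CCPS guideline.

Assumptions: handbook LFL/UFL/LOC values for methane and hydrogen in air at
ambient conditions (nitrogen diluent); NFPA 69 margins as recalled, to be
confirmed against the edition in force; mixture LOC = lowest LOC of the fuels.
"""

# vol% in air (assumed handbook values)
FUEL_DATA = {
    "methane":  {"lfl": 5.0, "ufl": 15.0, "loc": 12.0},
    "hydrogen": {"lfl": 4.0, "ufl": 75.0, "loc": 5.0},
}


def le_chatelier(fuels, key):
    """Mixture LFL or UFL by Le Chatelier's rule, 1 / sum(y_i / L_i), where y_i is
    each fuel's share of the combustible part of the stream (air-free basis).
    `fuels` maps fuel name to its vol% in the stream."""
    combustible = sum(fuels.values())
    return 1.0 / sum((pct / combustible) / FUEL_DATA[name][key]
                     for name, pct in fuels.items())


def classify(o2_pct, fuels, continuous_monitoring):
    """Return (verdict, governing limit in vol%) for a stream containing `o2_pct`
    oxygen and the given fuel concentrations.

    Strategies are tried in the order the text lists them: below LOC, then
    below LFL, then above UFL. Margins (assumed NFPA 69 practice): with
    continuous monitoring and automatic control, O2 at least 2 vol% below the
    LOC and fuel at most 60% of the LFL; without, O2 at most 60% of the LOC and
    fuel at most 25% of the LFL. A rich stream gets its own verdict because it
    becomes flammable as soon as air leaks in (e.g. at a blower intake) or the
    stream is diluted.
    """
    fuel_total = sum(fuels.values())
    loc = min(FUEL_DATA[name]["loc"] for name in fuels)
    lfl = le_chatelier(fuels, "lfl")
    ufl = le_chatelier(fuels, "ufl")
    if continuous_monitoring:
        o2_limit, lean_limit = loc - 2.0, 0.60 * lfl
    else:
        o2_limit, lean_limit = 0.60 * loc, 0.25 * lfl
    if o2_pct <= o2_limit:
        return "safe: below LOC", o2_limit
    if fuel_total <= lean_limit:
        return "safe: below LFL", lean_limit
    if fuel_total >= ufl:
        return "rich: above UFL, flammable on air ingress or dilution", ufl
    return "FLAMMABLE", lfl


# Constructed sample streams: (vol% O2, fuels as vol%, continuous monitoring?).
SAMPLES = {
    "vent header, methane in air":          (19.6, {"methane": 6.0}, True),
    "same header after nitrogen purge":     (8.0, {"methane": 6.0}, True),
    "H2/CH4 leak into air, no analyzer":    (20.0, {"methane": 0.6, "hydrogen": 0.6}, False),
    "H2/CH4 leak into air, with analyzer":  (20.0, {"methane": 0.6, "hydrogen": 0.6}, True),
    "methane-enriched header, air ingress": (11.0, {"methane": 80.0}, True),
}


def screen_all():
    """Verdict for every sample stream, keyed by its name."""
    return {name: classify(*args)[0] for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in screen_all().items():
        print(f"{name}: {verdict}")
```

Two of the constructed streams are the same 1.2 vol% hydrogen/methane leak; it screens as acceptable only with a continuous analyzer, because the allowed fraction of the LFL depends on monitoring, not on the gas. The enriched-header case shows why the text prefers below-LFL operation where air can leak in: at 11 vol% oxygen the stream is no longer below the LOC margin and is held out of the flammable range only by being rich.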
Loss of Containment (15)
Piping and piping components are the most common single sources of flammable and toxic material releases. The Institution of Chemical Engineers reports that 40% of losses are due to pipework failure (IChemE 1987). Several codes have been established for the design of piping and piping components (CCPS 1993). To reduce the probability of releases, minimize the use of fittings and glass rotameters on lines, and eliminate gauges when practical. For hazardous service, minimize flanges by welding pipes together and do not use threaded fittings. Where flanges are required for maintenance and inspection, proper selection of flanges and gaskets can reduce the risk of leaks.

Thermal Stresses (18)
Careful attention must be paid to pipe support and flexibility to account for thermal expansion. Designs must address expansion or contraction due to thermal stresses, and also take into account requirements for steam purging, hydrotesting, startup, shutdown, cyclic conditions, etc. Piping flexibility must be provided by the proper design of anchors, supports, and expansion bends. Keep in mind that expansion bends themselves are prone to erosion and cracking.

12.5 REFERENCES
Britton, L. G. 1996. Operating Atmospheric Vent Collection Headers Using Methane Gas Enrichment. Process Safety Progress 15(4).
CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
Howard, W. B. 1991. Use Precaution in Selection, Installation and Operation of Flame Arresters. Chemical Engineering Progress, April.
IChemE 1987. Hazard Workshop Module 012, Safer Piping, Volume I. Rugby, Warwickshire, U.K.: The Institution of Chemical Engineers.
Johnson, O. W. 1983. An Oil Industry Viewpoint on Flame Arresters in Pipe Lines. Plant/Operations Progress 2(2).
Kletz, T. A. 1994. Learning from Accidents. Oxford: Butterworth-Heinemann Ltd.
NFPA 68 1994. Guide for Venting of Deflagrations. Quincy, MA: National Fire Protection Association.
NFPA 69 1997. Explosion Prevention Systems. Quincy, MA: National Fire Protection Association.
State Coroner 1994. Inquest into Fire at Coode Island on August 21 and 22, 1991, Finding, Case No. 2755/91, June 17, 1994. Victoria, Australia: State Coroner.
Suggested Additional Reading
API Publ 2028 1991. Flame Arresters in Piping Systems, 2nd Ed. Washington, DC: American Petroleum Institute.
API Publ 2210 1982. Flame Arresters for Vents of Tanks Storing Petroleum Products, 2nd Ed. Washington, DC: American Petroleum Institute.
BS 7244 1990. Flame Arresters for General Use. London: British Standards Institution.
Blything, K. W., and Parry, S. T. 1988. Pipework Failures: A Review of Historical Incidents. Warrington, U.K.: United Kingdom Atomic Energy Authority Safety and Reliability Directorate.
Bjorklund, R. A., Kushida, R. O., and Flessner, M. F. 1982. Experimental Evaluation of Flashback Flame Arresters. Plant/Operations Progress 1(4).
Broschka, G. L., Ginsburgh, I., Mancini, R. A., and Will, R. G. 1983. A Study of Flame Arresters in Piping Systems. Plant/Operations Progress 2(1).
Bush, S. H. 1988. Statistics of Pressure Vessel and Piping Failures. Journal of Pressure Vessel Technology 110, 225-233, August 1988.
CSA-Z343 1991. Test Methods for In-Line and Firebox Flame Arresters, Draft Standards Revision Number 9. Canadian Standards Association.
Coast Guard 1990. A Guideline for Detonation Flame Arresters, 33 CFR Part 154, Appendix A. United States Coast Guard, US Department of Transportation.
Coast Guard 1990. Specifications for Tank Vent Flame Arresters, 33 CFR Part 154, Appendix A. United States Coast Guard, US Department of Transportation.
FMRC Class 6061. Flame Arresters for Vent Pipes of Storage Tanks. Norwood, MA: Factory Mutual Research Corporation.
FMRC Class 7371 1992. Test Procedures for Detonation Flame Arresters. Norwood, MA: Factory Mutual Research Corporation.
Flessner, M. F., and Bjorklund, R. A. 1981. Control of Gas Detonations in Pipes. Loss Prevention Manual, Vol. 14. New York: American Institute of Chemical Engineers.
Geyer, T. A. W., Bellamy, L. J., Astley, J. A., and Hurst, N. W. 1990. Prevent Pipe Failures Due to Human Errors. Chemical Engineering Progress, November, 66-70.
Hurst, N. W., Bellamy, L. J., Geyer, T. A. W., and Astley, J. A. 1991. A Classification Scheme for Pipework Failures to Include Human and Socio-technical Errors and Their Contribution to Pipework Failure Frequencies. Journal of Hazardous Materials 26, 159-186.
IMO. Revised Standards for the Design, Testing and Locating of Devices to Prevent the Passage of Flame into Cargo Tanks in Tankers, MSC Circ. 373 Rev. 1. International Maritime Organization.
Kletz, T. A. 1993. Lessons from Disaster. Houston, TX: Gulf Publishing Company.
Roussakis, N., and Lapp, K. 1991. A Comprehensive Test Method for Inline Flame Arresters. Plant/Operations Progress 10(2).
UL 525 1991. Standard for Flame Arresters, Draft Proposal for Sixth Edition. Underwriters Laboratories.
TABLE 12. FAILURE SCENARIOS FOR PIPING AND PIPING COMPONENTS
(Columns in the original: No., Operational Deviation, Failure Scenario, and Potential Design Solutions: Inherently Safer/Passive, Active, Procedural. Items marked (T) have additional discussion in Section 12.4.2.)

1  Overpressure
   Failure scenario: Blockage of piping, valves or flame arresters due to solid deposition
   Inherently safer/passive: • Size piping system to maintain minimum required velocity to avoid deposition • Piping designed for maximum expected pressure • Eliminate flame arrester
   Active: • Emergency relief device • Removal of solids from process stream (KO pot, filter, etc.) with automatic blowdown of solids • Tracing of piping to minimize solid deposition
   Procedural: • Removal of solids from process stream (KO pot, filter, etc.) with manual blowdown of solids • Periodic manual system cleaning • Operator response to high pressure alarm • Periodic cleaning via flushing, blowdown, internal line cleaning devices (e.g., "pigs") • Use parallel switchable flame arresters

2  Overpressure
   Failure scenario: Valve in line rapidly closed resulting in liquid hammer and pipe rupture
   Inherently safer/passive: • Limit closing rate for motor operated valves via appropriate gear ratio • Limit closing rate for pneumatic actuator via restriction orifice in air line • Use slow closing manual valves (i.e., gate instead of quarter turn)
   Active: • Provide surge arrester
   Procedural: • Operating procedures to close valves slowly

3  Overpressure
   Failure scenario: Thermal expansion of liquid in blocked-in line leading to line rupture
   Inherently safer/passive: • Elimination of potential for blocking in by removing valves and other closures (e.g., blinds) • Drill small hole in valve gate to allow pressure equalization
   Active: • Pressure relief device • Expansion tank
   Procedural: • Procedures for draining of all blocked-in lines during shutdown

4  Overpressure
   Failure scenario: Automatic control valve opens inadvertently leading to high pressure downstream of the valve
   Inherently safer/passive: • Design all downstream piping and equipment to handle full upstream pressure • Provide limit stop to prevent control valve from opening fully, or a restriction orifice
   Active: • Pressure relief device to protect downstream piping

5 (T)  Overpressure
   Failure scenario: Block valve upstream or downstream of relief device accidentally closed resulting in loss of relief capability
   Inherently safer/passive: • Eliminate all block valves in relief path • Provide trans-flow three-way block valve at inlet of dual relief device installation
   Procedural: • Car-seal open or lock open all block valves upstream and downstream of relief valves per applicable codes and provide administrative procedures to regulate opening and closing of such valves

6 (T)  Overpressure
   Failure scenario: Blockage of relief device by solids deposition (polymerization, solidification)
   Inherently safer/passive: • Provide flow sweep fitting at inlet of relief device • Use rupture disks alone or in combination with safety valves with appropriate rupture disk leak detection
   Active: • Automatic flush of relief device inlet with purge fluid
   Procedural: • Manual periodic or continuous flush of relief device inlet with purge fluid

7 (T)  Overpressure
   Failure scenario: Deflagration and detonation in pipelines causing loss of containment
   Inherently safer/passive: • Limit temperature, pressure or pipe diameter to prevent DDT from occurring (e.g., acetylene) • Multiple rupture disks/explosion vents located at appropriate points on piping • Avoid/minimize use of elbows and fittings which can cause turbulence and flame acceleration
   Active: • Detonation or suitable deflagration arresters between protected equipment and potential ignition sources • Liquid seal drum isolating ignition source (e.g., flare) • Operate outside flammable range, e.g., O2 analyzer or hydrocarbon analyzer controlling inert purge or enrichment gas addition • Detect gas flame and actuate fast closing valve or suppression system
   Procedural: • Inert purging prior to start-up

8  High Temperature
   Failure scenario: Faulty tracing or jacketing of line leading to hot spots resulting in exothermic reaction
   Inherently safer/passive: • Use of insulating material between tracer and pipe (sandwich tracer) • Use of heat transfer media with maximum temperature limited to a safe level (jacketed pipe)
   Active: • Electrical tracing with temperature limitation controls
   Procedural: • Operator action in response to high temperature indication and alarm

9  High Temperature
   Failure scenario: External fire leading to undesired process reaction (e.g., acetylene decomposition)
   Inherently safer/passive: • Fireproof insulation with stainless steel sheathing and banding
   Active: • Fire detection system with automatic water spray
   Procedural: • Fire detection system with manual water spray

10  Low Temperature
   Failure scenario: Cold weather conditions causing freezing of accumulated water or solidification of product in line or deadends
   Inherently safer/passive: • Insulation of process lines • Elimination of collection points or deadends • Deadends should be sloped to avoid accumulation • Blowdown lines should be sloped to avoid accumulation
   Active: • Heat tracing of lines • Automatic drainage of potential collection points
   Procedural: • Procedures to maintain a minimum flow through line • Manual draining of potential collection points

11  Low Temperature
   Failure scenario: Condensation in steam lines due to cold ambient conditions resulting in steam hammer
   Inherently safer/passive: • Securely anchor piping • Continuous welded pipe
   Active: • Heat tracing of lines
   Procedural: • Procedures to slowly warm up downstream piping

12  High Flow
   Failure scenario: High fluid velocity in pipe which causes erosion, especially if two phase flow or abrasive solids are present, leading to loss of containment
   Inherently safer/passive: • Sizing of pipe to limit velocities • Material selection to resist erosion • Heavier walls at tees, elbows, and other high abrasion points • Minimize use of fittings where erosion can occur • Use tees instead of elbows in abrasive solid service
   Procedural: • Instructions to limit flow velocity • Periodic inspection of high wear points

13  High Flow
   Failure scenario: High pressure drop across control valve causing flashing/vibration leading to loss of containment
   Inherently safer/passive: • Locate valve as close to the vessel inlet as possible • Provide multiple intermediate pressure letdown devices (valve or orifices) • Use valve type suitable for high pressure drop and flashing service • Securely anchor piping

14  Reverse Flow
   Failure scenario: Differential pressure on joining lines, drains or temporary connections causing back flow of product resulting in undesirable reaction, overfilling, etc.
   Inherently safer/passive: • Use incompatible fittings to prevent unwanted connections • Use separate lines to final destination
   Active: • Check valve on lower pressure line to prevent reverse flow • Automatic isolation on detection of low differential pressure
   Procedural: • Procedures for proper isolation of interconnected lines • Manual isolation on detection of low differential pressure

15 (T)  Loss of Containment
   Failure scenario: Failure to isolate flow from sample connection, drain and other fittings resulting in discharge to environment
   Inherently safer/passive: • Provide "deadman" (self-closing) valve
   Active: • Automatic closed loop sampling system
   Procedural: • Provide double block and bleed valves, valve plugs, caps, blinds, etc.

16  Loss of Containment
   Failure scenario: Breakage of sight glasses and glass rotameters due to overpressure, thermal stress, or physical impact
   Inherently safer/passive: • Eliminate the use of sight glasses and rotameters • Provide flow restriction orifice in glass connection • Provide physical protection against damage (i.e., armored sight glass) • Provide glasses with pressure design rating exceeding maximum expected pressure
   Active: • Provide excess flow check valves to limit discharge due to sight glass or rotameter failure
   Procedural: • Procedure to normally isolate sight glass when not in use

17  Loss of Containment
   Failure scenario: Loss of containment from piping due to leak, flange leak, valve leak, pipe rupture, collision, or improper support
   Inherently safer/passive: • Maximize use of all-welded pipe • Avoid use of underground piping • Use double walled pipe • Minimize use of unnecessary fittings • Use of higher integrity closures (e.g., clamped connectors) • Shielding at flanges to prevent operator exposure • Use of minimum diameter pipe for physical strength • Proper design and location of piping supports • Physical collision barriers
   Active: • Provide automatic isolation on detection of high flow, low pressure, or external leak • Use fusible link valves for automatic closure under fire conditions
   Procedural: • Provide manual isolation via remotely located valve • Procedural restrictions to avoid damage (crane restrictions, climbing restrictions) • Periodic inspection for leaks

18 (T)  Loss of Containment
   Failure scenario: Pipe failure due to excessive thermal stress
   Inherently safer/passive: • Expansion loops and joints • Insulation of pipe expansion joints • Additional support to prevent sagging

19  Loss of Containment
   Failure scenario: Degradation of transfer hose between uses results in hose leak
   Inherently safer/passive: • Eliminate hose connections (hard piped) • Use higher integrity hose (e.g., metallic braided) • Use higher pressure hose
   Active: • Provide excess flow check valve upstream and check valve downstream of hose • Automatic isolation based on detection of high flow, low pressure or external leak • Use fusible link valves for automatic closure under fire conditions
   Procedural: • Pressure test transfer hose before use • Manual isolation based on detection of high flow, low pressure or external leak • Periodic replacement of hoses • Provide hose protection (e.g., ramp) when laying hoses across roadway • Avoid sharp angle changes in direction

20  Loss of Containment (lined pipe/hose)
   Failure scenario: Breakdown of pipe/hose lining
   Inherently safer/passive: • Use pipe metallurgy which does not require lining • Use semi-conductive liner to reduce degradation due to static build-up • Use thicker liner material • Limit liquid velocity to minimize static build-up
   Procedural: • Periodic thickness testing of metal pipe wall • Periodic process stream analysis for metals content

21  Wrong Composition
   Failure scenario: Operator connects quick connect coupling to wrong conn�ection
   Inherently safer/passive: • Specify incompatible ends to prevent misconnection • Avoid use of quick connects for hazardous service
   Procedural: • Procedures to prevent inadvertent cross-connections • Labeling and color coding of lines
Appendix
Worked Examples This appendix contains two example problems which are intended to illustrate the use of the techniques and thought processes given in Chapters 2-12 of this book. Each example will use specific process situations to show how to use Chapter 2 to determine the process safety system (PSS) design basis, identify the design parameters which have the strongest impact on that basis, and assist in the selection of alternative inherently safer, passive, active and procedural design solutions. These examples are not intended to serve as a "standard" PSS design basis for any industrial system. Each process and each design require specific process information (such as equipment pressure and temperature ratings, materials inventories, pipeline sizes, types of utility streams available, etc.) which differ from manufacturer to manufacturer, and process to process. Also, individual company policy and risk management procedures must provide direction concerning safety systems design, especially concerning the applicability of mitigation techniques. Any attempt to define an industry-wide "standard" is counterproductive, in that it may prevent the thoughtful analysis required to define a safe, economical PSS system in favor of a "cookbook" approach which would likely miss some significant potential hazards.
A EXAMPLE PROBLEM: BATCH CHEMICAL REACTOR
This example problem is based on an existing industrial batch reaction system. It illustrates a batch reactor where a quinone-type organic compound is hydrogenated to a hydroquinone. The reaction product is an intermediate for a pharmaceutical. Reactors require a detailed hazard analysis before the proper Process Safety System (PSS) can be determined due to the complexity of the operation (heat and mass transfer and chemical reaction), as well as the different kinds and severity of events that can be caused by the reactants, products, catalysts, and impurities. For this example, two process drawings are presented: • Exhibit Al: Process Flow Diagram (PFD) with a material balance and equipment data. • Exhibit A2: Piping & Instrumentation Diagram (PSdD). Physical and hazardous properties were obtained from open technical literature and company files. The heat of reaction and runaway potential data were obtained from adiabatic calorimeter tests.
A.1 SYSTEM DESCRIPTION
The batch reactor and associated equipment are shown in Exhibit A1, along with the material balance, and equipment data (sizes, dimensions, materials of construction, etc.).
[Exhibit A1 figure, not reproduced: Process Flow Diagram of reactor R-1 with its utility connections (brine supply and return, nitrogen, cooling tower water supply and return, low-pressure steam, condensate) and the transfer line to the batch surge tank. The stream table lists, for streams 1 to 5 (quinone/solvent A solution; solvents azeotropic mixture; catalyst slurry; solvents azeotropic mixture wash from catalyst head tank; hydrogen), the components quinone, solvent A, solvent B, Pd/C, water, impurities and hydrogen, together with total, temperature (°C), pressure (psig), specific gravity, volume (gal) and volume (SCF). The numerical values did not survive extraction.]
EXHIBIT A1 Process Flow Diagram (PFD) with a material balance and equipment data.
[Exhibit A2 figure, not reproduced: Piping and Instrumentation Diagram of reactor R-1 (four baffles, agitator mechanical seal with seal fluid reservoir M-1), showing the 100 psig nitrogen header, hydrogen supply, catalyst slurry from head tank, quinone feed, solvents azeo mixture from surge tank, solvents azeo mixture wash from catalyst head tank, the brine-cooled vent condenser, chiller fluid reservoir, cooling tower water, low-pressure steam and condensate return header, the roof vent line to the vent header with a protective pipe cover (weather cap), and local panel and field instrument symbols. Notes: 1. Burst disk detector to isolation valve in H2 line. 2. Locate H2 detector head as close as possible to and immediately above the agitator seal.]
EXHIBIT A2 PIPING AND INSTRUMENTATION DIAGRAM
The operational sequence is as follows:
1. The reactor is charged with a solution of the quinone in solvent A.
2. The reactor is charged with an azeotropic mixture of solvent A and solvent B.
3. The reactor mixture is heated to 50-55°C.
4. The reactor is pressure purged three times with 15 psig nitrogen to displace the air.
5. The reactor is charged with the palladium on carbon catalyst slurried in the solvent A / solvent B azeotropic mixture.
6. The catalyst slurry head tank is washed with azeotropic mixture of solvent A and solvent B into the reactor.
7. The reactor is pressure purged three times with 10 psig hydrogen to displace the nitrogen.
8. The reactor jacket is switched from heating to cooling service.
9. The reactor hydrogen pressure is raised to 15 psig and the hydrogenation is continued until the hydrogen uptake stops (about 2½ hours).
10. The reactor hydrogen pressure is raised to 20 psig, the hydrogen is isolated, and the reactor pressure is held for 20 minutes.
11. The reactor is vented down to about 1 psig.
12. The reactor is pressure purged three times with 15 psig nitrogen to displace the hydrogen.
13. The reactor jacket is switched from cooling to heating service.
14. The reactor mixture is heated to 60-70°C.
15. The reaction mass is transferred with 5 psig nitrogen pressure to a surge tank. This leaves the reactor inerted for the next batch.
Selection of the design basis for this example will follow the nine-step process explained in Chapter 2. In order to adequately perform Step 1—Identify Failure Scenarios, some discussion of information requirements in general, and batch reactor systems in particular, is warranted, along with specific information pertaining to this process.
A.2 GENERAL INFORMATION REQUIREMENTS
The following information will be required to properly evaluate potential failure scenarios:
• Heat and material balance (HMB) data
• Material Safety Data Sheets (MSDSs) for all chemicals
• Pure component and mixture physical property data (e.g., electrical conductivity, viscosity, etc.)
• Chemical reactivity data (primary and side/secondary reactions and runaway reaction kinetic data)
• Accurate piping and instrumentation diagrams (P&IDs)
• Equipment arrangements and plant layouts
• Pressure vessel drawings that include maximum allowable working pressure (MAWP), maximum vacuum rating, and minimum and maximum operating temperature information
• Other process equipment maximum pressure and minimum/maximum temperature ratings
• Control valve, pressure reducing valve, and other instrument data sheets
• Relief device (safety valve, rupture disk, rupture pin), conservation vent, and flame arrester (deflagration and detonation) data sheets
• Unsteady-state (startup, shutdown, upset) conditions
• Cleanout and steamout procedures, including all nonprocess chemicals used
• Equipment computer models for evaluation of deviations from steady-state conditions, or for evaluation of worst-case startup and shutdown conditions
• Utility supply information (composition, pressure, temperature, voltage, etc.)
• Materials of construction
Some of this information will be routinely available. Less commonly used data (such as piping isometrics) may need to be prepared (for new installations) or generated from field reviews (for existing installations) before a complete evaluation can be made. Quite often some of the above information is not available for existing older plants. However, under the OSHA Process Safety Management regulation this information must be obtained or developed for the chemicals covered by this regulation.
A.3 PSS DISCUSSION FOR BATCH REACTORS
A.3.1 Vessel Design and Primary Containment
Batch chemical reactors can be expensive because of their materials of construction requirements: many are fabricated of stainless steel, glass-lined carbon steel, or materials such as Hastelloy, titanium, etc. due to service involving corrosive reactants, catalysts, or solvents. In addition, in current practice batch reactors are highly instrumented and automated (run by programmable logic controllers (PLCs) or minicomputers), and often have associated head (charging) tanks, condensers, and heat transfer fluid systems which add to the cost of the installation. Because of the hazardous potential of many batch chemical processes it is of prime importance to minimize the occurrence of fires, deflagrations, and release of flammable and/or toxic vapors and gases. It is the practice at many companies to specify a reactor design pressure (MAWP) of at least 50 psig, even though the reaction may be carried out essentially at atmospheric pressure. This vessel pressure rating should be sufficient to contain a deflagration (Noronha 1982). Reactor vessels should be designed in conformance with Section VIII of the ASME Boiler and Pressure Vessel Code. The ASME Code, or its equivalent, is law in most states and in some foreign countries. All reactors should be provided with adequate pressure relief devices. Vacuum relief will not normally be required if the vessel is designed for at least 50 psig since this pressure rating should also be adequate for full vacuum in most cases. However, vessels with design pressures near atmospheric pressure usually require vacuum relief, and this should be evaluated. Relief requirements will be discussed in more detail in Section A.3.3. Most batch chemical reactors have agitators, equipped with mechanical seals, and means must be provided to ensure that mechanical seals do not leak or fail, which could result in a release of a flammable and/or toxic vapor or gas into the surroundings. Agitator seals will be discussed in more detail in Section 5.4. CCPS 1993 (with emphasis on Chapters 4, 5, 6, 8, 11, and 14) also provides useful information, and will be used as a reference for portions of this example. Other references which are applicable to batch reactor design for hazard minimization are given at the end of this example.
A.3.2 Control Systems and Safe Automation
Many chemical reactions are exothermic and require heat removal, while others are endothermic and require heat addition. In many batch chemical reactors, the batch is heated up to the boiling point and refluxed for a long period of time to complete the reaction. In other reactors, the solvent is boiled off after the reaction has been completed, and then a further processing step is performed in the reactor. The heating or cooling steps often must be controlled in order to prevent product deterioration, production of undesired side products, or a runaway reaction which could result in a catastrophic event. In most older batch reactors the heating and cooling control systems are of the standard type (i.e., non-computer controlled, pneumatic PID), whereas in newer plants the control operations are often performed by a computer system that programs the sequence of operations and initiates interlock shutdowns.
There are no regulatory requirements in the U.S. governing the use of automatic control in PSS applications. The CCPS publications Guidelines for Safe Automation of Chemical Processes (with emphasis on Chapters 4 and 5) and Guidelines for Engineering Design for Process Safety (with emphasis on Chapter 9) provide a useful summary of current industry practices. Keep in mind that computer-controlled processes do not provide fool-proof control and that catastrophic events can occur if the computer control system is not properly analyzed for integrity. The U.K. Health and Safety Executive report titled Programmable Electronic Systems in Safety Related Applications provides guidance on what can go wrong with computer-controlled processes and how to analyze them. The Instrument Society of America (ISA) has published a standard titled Programmable Electronic Systems for Use in Safety Applications (ISA S84.01-1996). In this example problem, the main control loops for this reaction system are:
• Pressure control of the hydrogen feed to the reactor
• Temperature control of the cooling tower water to the reactor jacket
Because this is an existing reactor that has been operating for a number of years, the instrumentation is primarily pneumatic, with some more recently installed electronic components.
A.3.2.1 Alarm Strategy
For all alarms, it should be noted that with electronic instrumentation and a distributed control system (DCS), two high and two low alarm points are usually included with the control point. Thus, alarm strategies which make use of these "free" points can serve as a very cost-effective way of increasing the number of alarm points without increasing the cost of the system. These additional alarm points do not provide the redundancy necessary for some interlock initiators. If using older, pneumatic instrumentation, alarm points of any kind are an increased cost. Of course, one thing which must be avoided is the casual use of alarm points simply because they exist. Excessive nuisance alarming can cause the operator to become indifferent to alarms (since they go off so frequently) or deactivate them, or become confused in a true emergency (because so many alarms are actuated simultaneously). As mentioned above, this is an existing reactor, with primarily pneumatic instruments. The reactor has a high temperature alarm to alert the operator that there may be a problem with the cooling tower water supply to the jacket. High-high temperature and pressure alarms, independent from their "high" counterparts, are also provided.
A.3.2.2 Interlock Strategy
Once alarm parameters have been determined, this same information can be used to develop a general philosophy and execution strategy for interlocks.
Process and safety interlocks differ from one another in that, whenever the process condition which caused the process interlock to activate is corrected, the control function usually returns to normal. Safety interlocks often must be manually reset before control can return to normal. An analysis of the allocation of supervisory roles between the operator and automatic control systems should be made before a decision to interlock is reached. Another issue concerning safety interlocks is the use of automatic controls to mitigate potential overpressure in place of relief systems. Neither ASME nor API provide explicit guidance on the use of safety instrumentation to mitigate relief requirements, and risk management policies vary widely concerning the use of instrumentation or any active system to protect against overpressure. Issues such as the reliability and cost of safety interlock systems and their related field devices (sensors, isolation valves, etc.) as compared to the reliability of relief systems must be considered in weighing the tradeoffs. The interlock strategy selected for this existing reactor is as follows: two high-high switches are interlocked to shut an isolation valve in the hydrogen feed line. The high-high temperature switch takes a signal from the thermocouple in the reactor, and the high-high pressure switch takes its signal from the reactor rupture disk burst detector.
A.3.2.3 Valve Failure Position
Closely related to this strategy is the decision on how automatic control and block valves should fail under loss of motive energy or control signal. In general, energy sources (such as steam, hot oil, or high pressure gas) are designed to fail closed (FC) to isolate the process from excessive energy input. Energy-removing streams (coolants, vents, etc.) are usually fail open (FO) to bring the system to a lower potential energy state under emergency conditions. While not always true, these guidelines should apply to most cases considered. Another issue which must be addressed is the difference in failure position upon instrument air (IA) failure as compared to the failure position on electronic signal failure. Often, a valve can be set to fail in one direction when IA is lost; however, the controller manipulating this valve may have an entirely different failure position which may take the system to an unsafe condition. Both types of failure positions must be addressed independently. There is a third category of valve failure position, that of fail-last-position (FL) which is not as frequently used in process systems. However, there may be occasions where FL valves are needed for production reasons and also have safety implications. These situations should be carefully analyzed before the valve failure position is finalized. All the control valves for this reactor were designed to fail in the fail-safe position on loss of instrument air, as follows:
• The control valve in the cooling tower water line to the reactor jacket fails open.
• The control valve in the hydrogen feed line fails closed.
• The control valve in the brine line to the reactor vent condenser fails open.
• The isolation valve in the quinone/solvent feed line to the reactor fails closed.
• The isolation valve in the hydrogen feed line to the reactor fails closed.
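The valve failure positions above and the two-initiator hydrogen interlock of Section A.3.2.2 can be expressed as a small state model. The following Python is an added illustration, not code from the book; the valve tags, the latching and reset behaviour, and the 65°C high-high setpoint are constructed assumptions.

```python
"""Fail-safe valve positions (A.3.2.3) and the high-high hydrogen interlock
(A.3.2.2) for the example batch hydrogenation reactor. Added illustration, not
code from the book; valve tags, the latching model and the high-high setpoint
are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum


class FailPos(Enum):
    FC = "fail closed"  # energy sources: isolate the process from energy input
    FO = "fail open"    # energy-removing streams: go to a lower energy state
    FL = "fail last"    # keeps last position; needs case-by-case analysis


@dataclass
class Valve:
    tag: str            # constructed tag, not taken from Exhibit A2
    service: str
    fail_pos: FailPos
    is_open: bool


def reactor_valves():
    """The five valves and failure positions listed in A.3.2.3 for this reactor."""
    return {
        "ctw_jacket_cv": Valve("CV-CTW", "cooling tower water to jacket", FailPos.FO, True),
        "h2_feed_cv": Valve("CV-H2", "hydrogen feed control", FailPos.FC, True),
        "brine_condenser_cv": Valve("CV-BRINE", "brine to vent condenser", FailPos.FO, True),
        "quinone_feed_xv": Valve("XV-QUIN", "quinone/solvent feed isolation", FailPos.FC, False),
        "h2_feed_xv": Valve("XV-H2", "hydrogen feed isolation", FailPos.FC, True),
    }


def positions_on_ia_loss(valves):
    """Open/closed state of every valve after loss of instrument air: FC valves
    close, FO valves open, FL valves hold whatever position they were in."""
    result = {}
    for key, v in valves.items():
        if v.fail_pos is FailPos.FC:
            result[key] = False
        elif v.fail_pos is FailPos.FO:
            result[key] = True
        else:
            result[key] = v.is_open
    return result


@dataclass
class HydrogenInterlock:
    """Two independent high-high initiators, temperature from the reactor
    thermocouple and pressure from the rupture disk burst detector, each close
    the hydrogen isolation valve (1-out-of-2 trip logic). As a safety interlock
    it latches and needs a manual reset, unlike a process interlock."""
    temp_hh_setpoint_c: float   # constructed value; the book gives no setpoint
    tripped: bool = False
    trip_reasons: list = field(default_factory=list)

    def evaluate(self, reactor_temp_c, burst_disk_detected, valves):
        """Scan once against a reactor state; returns True while tripped."""
        reasons = []
        if reactor_temp_c >= self.temp_hh_setpoint_c:
            reasons.append("TSHH: reactor temperature high-high")
        if burst_disk_detected:
            reasons.append("PSHH: rupture disk burst detected")
        if reasons:
            self.tripped = True
            self.trip_reasons = reasons
        if self.tripped:
            valves["h2_feed_xv"].is_open = False  # hydrogen stays isolated
        return self.tripped

    def reset(self, reactor_temp_c, burst_disk_detected):
        """Manual reset, accepted only once both initiators have cleared. The
        isolation valve is not reopened here; that is a separate operator action."""
        if reactor_temp_c < self.temp_hh_setpoint_c and not burst_disk_detected:
            self.tripped = False
            self.trip_reasons = []
        return not self.tripped


if __name__ == "__main__":
    valves = reactor_valves()
    print(positions_on_ia_loss(valves))
    ilk = HydrogenInterlock(temp_hh_setpoint_c=65.0)
    ilk.evaluate(70.0, False, valves)
    print(ilk.trip_reasons, valves["h2_feed_xv"].is_open)
```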
A.3.3 Pressure and Vacuum Relief
A significant safety-related design problem for equipment in general is the appropriate selection of the sizing basis for emergency pressure and vacuum relief devices. Relief devices are required for vessels covered by ASME Code, but the basis for sizing and selecting these devices is left up to the system designer. Relief device sizing methodology is particularly critical if two-phase flow occurs due to reactive, foaming, or viscous effects. For these systems, methodologies such as those developed by the Design Institute for Emergency Relief Systems (DIERS) should be used. In the absence of two-phase flow, more conventional techniques can be applied. The need for and location of relief devices should be identified as early in the design as possible, as an integral part of PSS strategy formulation. The disposition of relief effluents (flaring, secondary containment, quenching, or relief to atmosphere) may influence the type and position of relief devices needed. The forthcoming CCPS publication "Guidelines for Pressure Relief and Effluent Handling Systems" provides guidance on the selection and design of disposal systems. Relief system design bases may also be altered by the presence of other passive or active safety systems, such as fireproof insulation or instrumentation, back pressure influences, or the need for downstream effluent disposal systems such as flares. Once the proper design basis has been determined, sizing of the appropriate devices can proceed using requirements and information listed in the reference section at the end of this example. Since most reactors are designed for pressures greater than 15 psig they are considered pressure vessels and are subject to the requirements of Section VIII of the ASME Boiler and Pressure Vessel Code. This means that they must be provided with pressure relief and, if necessary, vacuum relief. Relief devices can be either safety valves or rupture disks, or a combination of the two. 
Rupture disk/safety valve combinations are quite common where the reactants, catalyst, or solvents are corrosive and the rupture disk is provided to protect the safety valve from corrosion. Rupture disk/safety valve combinations are also used on polymerization reactors to prevent the safety valve from becoming plugged. The most common bases for sizing relief devices for batch chemical reactors are fire loading and runaway reactions. In this example the potential for a runaway reaction was determined to be very low based on adiabatic calorimeter experiments. Therefore, the relief device was sized for fire loading. A rupture disk was selected to meet the relief requirements for the following reasons: (1) a rupture disk is considerably cheaper than a safety valve, and (2) there was a possibility that the catalyst used could plug the safety valve.
A.3.4 Fixed Fire Protection and Passive Mitigation
Once key interlock and relief requirements have been set, post-release mitigation systems must be evaluated. These include fixed fire protection systems as described in NFPA 15 1990, life safety code requirements per NFPA 101 1997, and other site-related issues. Little or no regulatory guidance exists for these issues; API RP 752 1995 and the Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires (CCPS 1996) address the siting issues. Selection of the PSS design basis also involves a system-wide analysis for synergistic hazards not revealed by consideration of the failure scenarios of individual unit operations only. This analysis should address the relationship between the operation in question and the other unit operations in the process, the utility and outside battery limits operations that might be adversely affected by upsets in the operation in question, and interrelationship of utilities which might result in a common-mode failure (such as steam and electricity cogeneration failure). In the plant where the reactor is situated, it is company policy to provide water deluge system protection above and below all vessels larger than 4 feet in diameter, which includes the reactor with a diameter of 6½ feet. To minimize the accumulation of flammable liquid if a spill occurs, the floor under and surrounding the reactor is sloped toward a process sewer drain. Also, the reactor is insulated with jacketed insulation held in place with stainless steel straps.
A.4 SELECTION OF DESIGN BASES FOR SAFETY SYSTEMS
This section uses the systematic risk-based technique for selecting the design bases for process safety systems discussed in Chapter 2. Use of the technique imposes discipline on the thought process, yet allows for flexibility in application. The design bases selection technique is comprised of a number of analysis and testing steps, detailed graphically in a decision tree (see Exhibit 2.2 in Chapter 2).
Step 1: Identify Failure Scenarios
In this example, each of the selection steps (1-9) will be discussed generally, then, steps 2-8 will be repeated in detail for each of the five potential failures listed below. In this batch reaction a number of hazards must be considered:
• Hydrogen is highly flammable.
• Both of the solvents are flammable.
• The catalyst may ignite spontaneously if contaminated with organics.
• The reactant quinone has a high flash point (96°C), but violent decomposition and toxic emissions can occur when it is heated or in a fire.
The reaction is moderately exothermic. Calorimetric studies indicate that the heat of reaction is about 482.7 Btu/lb of the quinone, and there is very little likelihood of a runaway reaction. Corrosion will not be considered as a potential failure scenario because years of operation in a stainless steel reactor have shown no evidence of corrosion problems. The failure scenario tables in Chapter 3 (Vessels), Chapter 4 (Reactors), and Chapter 6 (Heat Transfer Equipment) were reviewed for relevance, and a first pass through these tables yielded 16 potential failure scenarios, as shown in Exhibit A3. Some of the scenarios do not have as severe a consequence as others, and only the most hazardous ones will be considered. This example will focus on the following five specific potential failure scenarios:
A. Ignition of flammable atmosphere in reactor vapor space caused by static discharge spark (Overpressure per Table 3, no. 3)
B. Cooling system control failure (High Temperature per Table 3, no. 28)
C. External fire (Overpressure and High Temperature per Table 3, no. 5 and Table 3, no. 30)
D. Loss of sealing fluid to reactor agitator mechanical seal resulting in emission of flammable vapors (Loss of Containment per Table 3, no. 49)
E. Ignition of flammable atmosphere in reactor vapor space caused by hot mechanical seal (Overpressure per Table 4, no. 3)
The tables in this book are generic, in that they are intended to apply to a wide variety of equipment configurations and installations. They are not intended for use as a "one-stop" reference. Other references may contain more detailed information on specific subjects, such as the checklist published by the American Petroleum Institute (See Section 3.2, Table 1 in API RP 520, 1993),
EXHIBIT A3 Potential Failure Scenarios
Failure Scenario Number   Failure Scenario Description
3-1    Liquid overfill resulting in back pressure or excessive static head
3-2    Inadvertent or uncontrolled opening of high pressure utility system
3-3    Ignition of flammable atmosphere in vessel vapor space
3-5    External fire
3-15   Blocked outlet flow path
3-17   Heating and thermal expansion of liquid
3-28   Control failure of heating/cooling system
3-30   External fire
3-49   Loss of sealing fluid to vessel agitator resulting in emission of flammable or toxic vapors
4-1    Overcharge of catalyst resulting in runaway reaction
4-2    Addition of a reactant too rapidly resulting in runaway reaction
4-3    Loss of agitation resulting in runaway reaction or hot bearing/seals causing ignition of flammables in vapor space
4-7    Overactive and/or wrong catalyst results in runaway reaction
4-8    Inactive and/or wrong catalyst leading to delayed runaway reaction in reactor or downstream vessel
6-5    Loss of heat transfer due to fouling, accumulation of noncondensables, or loss of cooling medium
6-7    Cold-side fluid blocked in while heating medium continues to flow
for specific overpressure relief systems design cases. As with any engineering tool, its applicability to a specific problem must be established each time it is used.
Step 2: Estimate the Consequences
Step 3: Determine Tolerability of Consequences
Consequence estimation requires information on the physical, chemical, and toxic properties of the materials involved in the process, the quantity of material which could be involved in a scenario, the impact of each scenario on the surroundings (facility siting), and an economic evaluation of the impact of equipment damage and lost production. Information on the physical and chemical properties of chemicals in this process can be obtained from the MSDSs, other sources of product information, or technical books and brochures, or can be developed. This information, combined with the quantity of material in the process, can be used to assess fire, explosion, and toxic effects using appropriate source terms, dispersion calculations, and effect models for scenarios with potential for materials release to the atmosphere. Facility siting issues should also be considered at this point based on the results of the scenario assessments. Economic consequences must also be evaluated. These will be highly dependent on such factors as alternative sources of materials supply, availability of alternative production facilities, and replacement units. For this example, the following NFPA 704 (scale of 0-4) ratings and properties of the materials were obtained from the MSDSs (Exhibit A4).
EXHIBIT A4
Property or Rating               Hydrogen   Quinone Compound   Solvent A   Solvent B
NFPA 704 Fire                    4          0                  3           3
NFPA 704 Health                  0          2                  2           1
NFPA 704 Reactivity              0          1                  0           0
Flash point, °C                  gas        96                 4.4         12
LEL, vol. %                      4.0        n.d.               1.0         6.0
UEL, vol. %                      75.0       n.d.               7.0         36.0
AIT, °C                          520        450                535         463
LOC, vol. %                      5.0        n.d.               9.5         10.0
MIE, mJ                          0.016      n.d.               0.24        0.14
Electrical conductivity, pS/m    none       n.d.               <1          4.4 x 10^7
LEL is the lower explosive limit; UEL is the upper explosive limit; AIT is the autoignition temperature; LOC is the limiting oxygen concentration; MIE is the minimum ignition energy; pS/m equals picosiemens per meter; mJ equals millijoules; n.d. indicates no data available.
Electrical conductivity data for solvent mixtures were not determined since the worst electrostatic hazard case is handling of pure solvent A. Static electricity precautions were determined for this situation. From the above NFPA hazard ratings and the other hazardous properties shown, it is obvious that fires and explosions (deflagrations) are very likely should there be an ignition source and sufficient oxygen. Since the reactor is located inside a building, surrounded by other equipment containing flammable liquids and gases, a significant amount of equipment damage and injury or fatalities, as well as business interruption, could result. In addition, the release of hydrogen and flammable vapors outside the building could result in secondary fires, explosions, and personnel injuries or fatalities in the surrounding areas of the building. The consequences of unmitigated operational deviations resulting in medium-level and high-level hazards have been determined to be unacceptable risks by the organization represented in this example. Therefore, the designer must provide alternatives which mitigate these consequences.
Step 4: Estimate Likelihood and Risk
Step 5: Determine Tolerability of Risk
Risk estimation is often the most difficult step in the process. Consequence estimation is usually objective, but evaluation of likelihood involves human factor considerations (effectiveness of individuals and group performance), and the adequacy of a specific design or equipment item. Because of these factors, great care must be taken to ensure accuracy and lack of bias. At some point in this analysis quantification of likelihood may be necessary, but often is superseded by standard company policies, engineering standards and standard design practices.
For example, failures with no or low consequences may be adequately controlled by normal process controls or operating procedures, whereas severe hazards (such as those with major onsite or off-site ramifications) may require two or more independent levels of safeguards or mitigation, in addition to the normal ones, to reduce the risk to an acceptable level. Assessment of likelihood often requires evaluation of both plant systems (equipment, controls, etc.) and operating procedures. Equipment failure rate data are available from a number of sources (e.g., CCPS 1989), and while there are uncertainties and gaps in these data, they can be objectively and consistently evaluated through the use of plant data collection and component failure testing. Keep in mind that generic failure rate data may not necessarily apply to every plant, as these failure rates are affected by the chemicals handled and maintenance practices, and that actual plant data from one's plant may be
the best source of failure rates. Generic data may be used to prepare comparative estimates of several alternates, however. Reliability of procedural safeguards (standard operating procedures), on the other hand, is dependent on the effectiveness of training and the strength of managerial implementation and documentation. Not only are these hard to measure, but they can change significantly due to a wide variety of factors, such as personnel turnover or change in management. For this example, company management has established the hazard levels shown in Exhibit A5, which are comparable to those shown in Chapter 2 in Exhibit 2.5. For simplicity, levels C1 and C2 have been combined into the low hazard category. For low-level or medium-level hazards, two levels of independent procedural safeguards may be substituted for a single automatic safeguard. For high-level hazards, no procedural safeguard may be credited for mitigation. Note that criteria similar to these are commonly found in industry; however, each company must make its own determination of risk acceptability levels. Risk tolerability is often based on what is known as an F-N (Frequency-Number) curve. An F-N curve is a plot of cumulative frequency versus consequences (expressed as number of fatalities). For more details on F-N curves, see Guidelines for Chemical Process Quantitative Risk Analysis (CCPS 1993).
Step 6: Consider Enhanced and/or Alternative Designs
Step 7: Evaluate Enhancements and/or Alternatives
Step 8: Determine Tolerability of Risk and Cost
Steps 6-8 are analogous to steps 3-5, but this time one is evaluating the modified system instead of the original, unacceptable design. The tables in Chapters 3-12, along with other specific references, are intended to suggest potential
EXHIBIT A5
Hazard Level      Consequence Definition                        Safeguards Required for Acceptable Risk Level
Low (C1 and C2)   Minor Injury Potential                        Normal Controls
Medium (C3)       Major On-site Consequence (See Exhibit 2.5)   One layer of independent nonprocedural safeguards above normal controls
High (C4)         Major Off-site Consequence (See Exhibit 2.5)  Two layers of independent nonprocedural safeguards above normal controls
alternatives to enhance the risk acceptability of the design. Not all solutions presented in the tables will be applicable to each situation. Each potential enhancement must be evaluated for:
• Technical Feasibility—Will it work at all?
• Applicability to a specific situation—Will it work here?
• Cost/Benefit—Is it the best use of resources, or can greater risk reductions be achieved by spending the same money elsewhere?
• Synergistic/Mutual Exclusivity effects—Will this solution work in conjunction with other potential enhancements, or will its implementation eliminate other potential beneficial solutions from being considered?
• Additional New Hazards—Will this solution create new hazards that must be evaluated?
Once a course of action is decided upon, it again must be evaluated for risk and cost acceptability. Steps 6-8 must be repeated until an acceptable reduction in risk has been achieved. Note that, if all technical options are exhausted with the risk level remaining unacceptably high, the only alternative may be to find a replacement process step. The following sections provide a detailed discussion of steps 2-8 for this example problem's five scenarios of interest, listed in section A.4.
A.5 IGNITION OF FLAMMABLE ATMOSPHERE IN THE REACTOR VAPOR SPACE CAUSED BY STATIC DISCHARGE SPARK (FAILURE SCENARIO A) Since the solvents are flammable liquids, if there is an electrostatic spark discharge and the oxygen in the vapor space of the reactor is above the LOC of the solvents, there could be a deflagration. Step 2: Estimate the Consequences Solvent A is known to be a very poor conductor that becomes electrostatically charged during flow through pipes, which could lead to an ignition of the flammable vapors in the reactor head space if the solvent is allowed to free-fall during charging. This hazard is minimized by having the streams containing Solvent A enter the reactor by means of a diverter elbow, which allows the stream to flow down the reactor wall in a gentle manner so as to avoid splashing and mist formation. Prior to charging of any mixtures containing solvent, the reactor is already inerted with nitrogen from a prior processing step. The reactor is also bonded and grounded to bleed off any electrostatic charges that might accumulate on the wall of the vessel. In addition, the reactor is purged
of hydrogen with nitrogen after the reaction is completed, and then the batch is transferred out using nitrogen, so that there is always a nitrogen atmosphere in the reactor when flammable streams are charged into it. Step 3: Determine Tolerability of Consequences If a deflagration occurred, it would be a medium-level or high-level hazard, and company management has determined that these are unacceptable consequences. Step 4: Estimate Likelihood and Risk Because the consequences of an unmitigated medium-level or high-level hazard are unacceptable, determination of likelihood is not required. Step 5: Determine Tolerability of Risk As determined in Step 3, the risks presented are not acceptable. Normally, a minimum of two nonprocedural safeguards would be required. The reactor already has two passive safeguards (diverter elbow, and bonding and grounding) and one active safeguard (purging and inerting), which should be adequate to minimize or eliminate the potential for an electrostatic spark discharge ignition of flammable vapors. Step 6: Consider Enhanced and/or Alternative Designs As indicated above, three of the most common safeguards for preventing electrostatic spark discharge ignition of flammable vapors have been provided already, and no enhanced alternatives are required. Step 9: Documentation As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.
A.6 COOLING SYSTEM CONTROL FAILURE (FAILURE SCENARIO B) For batch reactors, the most commonly installed control system is temperature control for heating and cooling. Temperature control is necessary to achieve proper reaction conditions for good conversions to minimize side
product formation, and in many cases, to prevent the occurrence of product deterioration and runaway reactions. In this reaction, the potential for runaway reactions has been determined to be low, but it is known that product deterioration ("tarring") can occur if the reaction temperature is allowed to exceed its normal limits. For this reason, controlled cooling of the batch to remove the heat of reaction during hydrogenation is very important. The batch must be heated up twice during the batch cycle, but only to a moderate increase above ambient temperature. Therefore, this heating is not automatically controlled but is manually adjusted by the operator. The operating instructions require the operator to log the temperature (a procedural safeguard). Step 2: Estimate the Consequences If the supply of cooling tower water to the reactor jacket stopped, either due to temperature controller failure or malfunction, or because of problems with the cooling tower itself, then the batch might be heated up to the boiling point of the solvent mixture by the heat of reaction. The result would be a possible overpressure, requiring pressure relief. Step 3: Determine Tolerability of Consequences If overtemperature or overpressure should occur, this would be considered a medium-level hazard, and would be considered an unacceptable consequence. Step 4: Estimate Likelihood and Risk Because the consequences of unmitigated medium-level hazards are unacceptable, determination of likelihood is not required. Step 5: Determine Tolerability of Risk As discussed in Step 3, the risks presented are not acceptable. For a medium-level hazard, a minimum of one nonprocedural safeguard is required in addition to the normal controls required to operate the process. To monitor the temperature and alert the operator if the temperature is not being controlled, the reactor has a temperature controller with a high temperature switch and audible alarm.
In addition, the reactor is equipped with an independent temperature sensor (capillary type) and high-high temperature switch interlocked with an isolation valve in the hydrogen feed line. This interlock will shut off the hydrogen feed to the reactor in the event of a high-high temperature, and the heat of reaction will drop quickly. The reactor is also equipped with a high-high pressure switch, taking its signal from the rupture disk burst detector, which is likewise interlocked with the isolation valve in the hydrogen feed line. The cooling tower water supply line to the reactor jacket is backed up by an interconnection to the city water system, which can be manually turned on by the operator should the cooling tower water system fail. Step 6: Consider Enhanced and/or Alternative Designs Since the reactor is provided with two nonprocedural safeguards in addition to the normal control, as well as one procedural safeguard (ability to supply city water to the reactor jacket), no enhanced alternatives are required. Step 9: Documentation As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.
A.7 EXTERNAL FIRE (FAILURE SCENARIO C) External fire is always a possibility when flammable liquids are being handled. A pool fire under the reactor will impinge on wetted and unwetted vessel surfaces, boiling the liquid contained in the reactor and, eventually, resulting in overpressurization of the vessel. If the overpressure is not relieved in time, rupture of the reactor may occur due to both thermal and pressure overstress. Step 2: Estimate the Consequences To provide overpressure protection for the external fire failure scenario, the reactor was provided with a rupture disk sized by the conventional single-phase vapor relief procedure (e.g., API RP 520 1993), since experience had shown the system not to be foamy. Appropriate environment factors (API RP 520 1993, Appendix D) were taken into account in determining fire heat input. Although a runaway reaction was determined to have a very low likelihood of occurring, the discharge piping from the rupture disk is routed to a catch tank. Step 3: Determine Tolerability of Consequences Unmitigated overpressure resulting from an external fire could result in a medium-level hazard, and possibly a high-level hazard. Therefore, pressure relief has been provided and the effluent stream routed to a catch tank. Step 4: Estimate Likelihood and Risk Because unmitigated medium-level and high-level hazards are not considered acceptable, determination of likelihood is not required. Step 5: Determine Tolerability of Risk Since the risks presented are not tolerable, a minimum of two nonprocedural safeguards are required in addition to the normal controls required to operate the process. The reactor is provided with the following active safeguards:
• Rupture disk set at 30 psig (below the MAWP of 35 psig)
• Automatic fixed water spray fire protection system
The rupture disk is provided with a burst disk detector (with an audible alarm), which is also connected to a high-high pressure switch interlocked with an isolation valve in the hydrogen feed line to stop hydrogen flow. Step 6: Consider Enhanced and/or Alternative Designs Since the reactor is provided with two automatic safeguards for this failure scenario, no enhanced alternatives are required. Step 9: Documentation As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.
A.8 LOSS OF SEALING FLUID TO REACTOR AGITATOR MECHANICAL SEAL (FAILURE SCENARIO D) The loss of sealing fluid to the reactor agitator mechanical seal can result in large emissions of flammable hydrogen and solvents into the building, and possibly outside, which could deflagrate if the vapor cloud encountered an energy source of sufficient strength. Since hydrogen has a very low MIE (0.016 mJ), it can very easily be ignited. Appreciable equipment damage and injury or fatality could result if a deflagration occurred inside the building.
Step 2: Estimate the Consequences The agitator mechanical seal fluid is provided by means of a seal fluid reservoir connected by piping to the seal, pressurized by 50 psig nitrogen. The seal fluid reservoir is provided with a level glass, and the nitrogen line to the reservoir is provided with two pressure gauges. The operator is supposed to check the seal fluid level in the reservoir and the nitrogen line pressure gauges every shift. These administrative procedures are the only safeguards for the seal fluid reservoir. If the operator forgets to do this checking and the reservoir level or pressure drops below the required level or pressure, then a seal failure can occur, resulting in a large release of flammable hydrogen and solvent vapors. Step 3: Determine Tolerability of Consequences Release of flammable hydrogen and solvent vapors into the building, and possibly outside of it, can result in a catastrophic event which constitutes a high-level hazard. The present monitoring procedure can result in consequences which are not tolerable. Therefore, more positive monitoring of the seal fluid reservoir level and pressure is required. Step 4: Estimate Likelihood and Risk Because an unmitigated high-level hazard is unacceptable, determination of likelihood is not required. Step 5: Determine Tolerability of Risk As discussed in Step 3, the risks presented are not acceptable, and a minimum of two nonprocedural safeguards are required in addition to the normal controls required to operate the process.
Step 6: Consider Enhanced and/or Alternative Designs To enhance the reliability of providing seal fluid to the reactor agitator mechanical seal, the following additional safeguards will be provided:
• A low level switch and audible alarm on the seal fluid reservoir
• A low pressure switch and audible alarm on the seal fluid reservoir
Both of the above switches will be interlocked with an isolation valve in the hydrogen feed line to stop hydrogen flow to the reactor should a problem occur with the seal fluid reservoir level or pressure. To provide the required second safeguard level, a hydrogen gas sensor with a high concentration alarm will be provided at the seal to warn of a seal leak. High concentration will be interlocked to close another isolation valve in the hydrogen line. Step 7: Evaluate Enhancements and/or Alternatives Providing the enhanced safeguard alternatives outlined in Step 6 will add two active safeguards above normal control (operator monitoring of the seal fluid reservoir level and nitrogen pressure), which are required for a high-level consequence. The risk of agitator mechanical seal failure has been significantly reduced by these enhancements, which are shown on Detail "A" of the P&ID. Step 8: Determine Tolerability of Risk and Cost The enhanced PSS recommended in Step 6 will satisfy the requirements of the management guidelines. The capital project evaluation team determined that the cost required for these modifications is acceptable. Step 9: Documentation As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.
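The trip logic described in Step 6 (two reservoir switches closing one hydrogen isolation valve, a hydrogen sensor at the seal closing a second, independent valve) is shown below as an added example; it is not code from this guideline or from the example plant. The tag names (XV-101, XV-102, LSL-101, PSL-101, AAH-102), the trip setpoints, the de-energize-to-trip convention and the treatment of a failed transmitter as a trip demand are assumptions made for the illustration. The trips latch and need a manual reset, which is the behavior Section B.3.2.2 expects of a safety interlock, as opposed to a process interlock that clears itself.

```python
"""Latching safety-interlock logic for Failure Scenario D (seal fluid reservoir).

Added illustration, not from the CCPS text. Assumed (not on the page): tag names,
trip setpoints, and the de-energize-to-trip convention.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Hypothetical trip setpoints (assumption). The reservoir is pressurized with
# 50 psig nitrogen, so the low-pressure trip sits somewhat below that.
LEVEL_LOW_TRIP_PCT = 20.0     # reservoir level, % of level glass
N2_LOW_TRIP_PSIG = 40.0       # nitrogen supply pressure to reservoir
H2_HIGH_TRIP_PCT_LEL = 25.0   # hydrogen at the seal, % of LEL


@dataclass
class IsolationValve:
    """Hydrogen isolation valve: energized = open, de-energize to trip."""
    tag: str
    energized: bool = True

    @property
    def is_open(self) -> bool:
        return self.energized

    def trip(self) -> None:
        self.energized = False

    def reopen(self) -> None:
        self.energized = True


@dataclass
class SealFluidInterlock:
    """Two independent safeguards above the normal operator checks:
    LSL-101 or PSL-101 trips XV-101; hydrogen at the seal (AAH-102) trips XV-102."""
    xv_reservoir: IsolationValve = field(default_factory=lambda: IsolationValve("XV-101"))
    xv_leak: IsolationValve = field(default_factory=lambda: IsolationValve("XV-102"))
    latched: Set[str] = field(default_factory=set)
    alarm_log: list = field(default_factory=list)

    @staticmethod
    def demands(level_pct: Optional[float], n2_psig: Optional[float],
                h2_pct_lel: Optional[float]) -> Set[str]:
        """Trip demands for one scan. A None reading models a failed or
        out-of-range transmitter and is treated as a demand (fail safe)."""
        d = set()
        if level_pct is None or level_pct < LEVEL_LOW_TRIP_PCT:
            d.add("LSL-101")
        if n2_psig is None or n2_psig < N2_LOW_TRIP_PSIG:
            d.add("PSL-101")
        if h2_pct_lel is None or h2_pct_lel > H2_HIGH_TRIP_PCT_LEL:
            d.add("AAH-102")
        return d

    def scan(self, level_pct, n2_psig, h2_pct_lel) -> Set[str]:
        """One logic-solver scan: annunciate new trips, latch them, act on the valves."""
        new = self.demands(level_pct, n2_psig, h2_pct_lel) - self.latched
        for tag in sorted(new):
            self.alarm_log.append(f"{tag} TRIP")
        self.latched |= new
        if self.latched & {"LSL-101", "PSL-101"}:
            self.xv_reservoir.trip()
        if "AAH-102" in self.latched:
            self.xv_leak.trip()
        return set(self.latched)

    def hydrogen_flow_possible(self) -> bool:
        """Hydrogen can reach the reactor only with both valves open."""
        return self.xv_reservoir.is_open and self.xv_leak.is_open

    def reset(self, level_pct, n2_psig, h2_pct_lel) -> bool:
        """Manual reset by the operator. Refused while any trip condition persists;
        a safety interlock does not self-clear the way a process interlock does."""
        if self.demands(level_pct, n2_psig, h2_pct_lel):
            return False
        self.latched.clear()
        self.xv_reservoir.reopen()
        self.xv_leak.reopen()
        return True


if __name__ == "__main__":
    ilk = SealFluidInterlock()
    ilk.scan(80.0, 50.0, 0.0)     # normal operation: no trips
    ilk.scan(10.0, 50.0, 0.0)     # reservoir level lost: XV-101 closes
    ilk.scan(80.0, 50.0, 0.0)     # level restored, but the trip stays latched
    print(ilk.alarm_log, "hydrogen flow possible:", ilk.hydrogen_flow_possible())
    print("reset accepted:", ilk.reset(80.0, 50.0, 0.0))
```

The two valves are deliberately driven by disjoint sets of initiators, so a single failed reservoir switch cannot defeat the hydrogen-sensor trip and vice versa; the reset refusing while a demand persists is what keeps an operator from reopening hydrogen into a seal that is still dry.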
A.9 IGNITION OF FLAMMABLE ATMOSPHERE IN REACTOR VAPOR SPACE CAUSED BY HOT MECHANICAL SEAL (FAILURE SCENARIO E) If the reactor agitator mechanical seal becomes hot, due to loss of seal fluid, then it can become an ignition source and cause a fire or deflagration in the reactor vapor space. The reasons that this seal can fail are discussed in Section A.8 (Failure Scenario D). All the steps given in Section A.5 apply to this scenario and should be referred to for the recommended enhanced alternative/design. Step 9: Documentation As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.
A.10 DOCUMENTATION It is critical to provide accurate, detailed, and readily available documentation of all PSS design bases, so that assumptions can be easily verified and critical safety components identified. In the case of existing plants, such as the one in this example, these documents may not be readily available, and it may be necessary to contact equipment vendors or make new calculations (e.g., for sizing of relief devices). This documentation is particularly important when one element of the analysis (e.g., instrumentation) eliminates or mitigates the size and/or scope of protection of another element (e.g., relief devices). There may also be regulatory record keeping requirements, such as those concerning processes covered by the OSHA Process Safety Management regulation (29 CFR 1910.119). In addition, there may be documentation requirements for the new EPA Risk Management Program (40 CFR 68). Complete mechanical design information on vessels and other process equipment, interlock strategies and alarm points, relief and venting system sizing bases (including cases that were eliminated through other active or passive means), and siting and fire protection design bases all may need to be recorded permanently as part of the Process Safety Information file. Without this information, potential future modifications to a PSS cannot be made until a complete re-evaluation of the PSS basis is complete. This re-evaluation will be difficult and time-consuming without the detailed information on the original basis. Similarly, items used to mitigate or eliminate potential hazards may not be intuitively obvious, as example 2.6.1 in Chapter 2 illustrates so graphically. Procedural controls are perhaps the most critical of all controls to document well, since identification of safe upper and lower operating limits and training requirements are critical to gaining and retaining safety management effectiveness.
In many processes, the only place that procedural controls are documented is in the operating procedures. A separate listing of these procedural controls would make the safety documentation more inclusive and complete. Above all, documentation must tell the why as well as the what, so that future evaluators will have the full benefit of the knowledge and rationale originally used to specify the safeguards. The P&ID shown in Exhibit A2 illustrates the PSS additions to the Basic Control System on Detail "A". Note that the mechanical seal fluid reservoir low level and nitrogen low pressure switches and the interlocks to the isolation valve in the hydrogen feed line to the reactor are now included on the P&ID. A number of PSS features shown on the P&ID were added after a HAZOP was performed, but the new PSS features for the seal fluid reservoir were not considered at that time.
REFERENCES
API RP 520 1993. Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries. Part I, Sizing and Selection. Washington, DC: American Petroleum Institute.
API RP 752 1995. Management of Hazards Associated with Location of Process Plant Buildings. 1st Edition. Washington, DC: American Petroleum Institute.
ASME 1995. Boiler and Pressure Vessel Code. Section VIII, Division 1. New York: American Society of Mechanical Engineers.
CCPS 1989. Guidelines for Process Equipment Reliability Data. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
CCPS 1993a. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
CCPS 1993b. Guidelines for Safe Automation of Chemical Processes. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
CCPS 1993c. Guidelines for Chemical Process Quantitative Risk Analysis. 2d ed. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
CCPS 1996. Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
EPA 1996. Risk Prevention Program for Chemical Accident Prevention. U.S. Environmental Protection Agency, 40 CFR Part 68.
ISA S84.01 1996. Programmable Electronic Systems for Use in Safety Applications. Research Triangle Park, NC: Instrument Society of America.
NFPA 101 1997. Code for Safety to Life from Fire in Buildings and Structures. Quincy, MA: National Fire Protection Association.
NFPA 15 1990. Water Spray Fixed Systems for Fire Protection. Quincy, MA: National Fire Protection Association.
NFPA 704 1996. Standard System for the Identification of the Fire Hazards of Materials. Quincy, MA: National Fire Protection Association.
Noronha, J., Merry, J., Reid, W., and Schiffhauser, E. 1982. Deflagration Pressure Containment for Vessel Safety Design. Plant/Operations Progress 1(1): 1-6.
OSHA 1992. Process Safety Management of Highly Hazardous Chemicals. 29 CFR 1910.119. Washington, DC: Occupational Safety and Health Administration.
Suggested Additional Reading
API RP 2003 1991. Protection Against Ignitions Arising out of Static, Lightning, and Stray Currents. Washington, DC: American Petroleum Institute.
Barton, J. and Rogers, R. 1996. Chemical Reaction Hazards. 2d ed. Rugby, Warwickshire, UK: Institution of Chemical Engineers.
Benuzzi, A. and Zaldivar, J. M., eds. 1991. Safety of Chemical Batch Reactors and Storage Tanks. Dordrecht and Boston: Kluwer Academic Publishers.
Britton, L. 1992. Using Material Data in Static Hazard Assessment. Plant/Operations Progress 11(2) (April): 56-70.
British Standards Institute BS 5958 1991. Code of Practice for Control of Undesirable Static Electricity: Part 1, General Considerations, and Part 2, Recommendations for Particular Industrial Situations. London: British Standards Institute.
CCPS 1995. Guidelines for Chemical Reactivity Evaluation and Application to Process Design. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
CCPS 1997. Guidelines for Pressure Relief and Effluent Handling Systems. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.
DIERS (Design Institute for Emergency Relief Systems) 1992. Emergency Relief System Design Using DIERS Technology. DIERS Project Manual. New York: AIChE.
UK HSE 1987. Programmable Electronic Systems in Safety Related Applications. UK Health and Safety Executive. London: Her Majesty's Stationery Office.
B EXAMPLE PROBLEM: DISTILLATION SYSTEM
This example problem is taken from the CCPS publication Guidelines for Hazard Evaluation Procedures, Second Edition (CCPS 1992), Figure 19.1. It illustrates a distillation separation between vinyl chloride monomer (VCM) and hydrogen chloride (HCl), a byproduct of the VCM formation reaction. HCl is a potentially valuable by-product, but its presence in the VCM stream in even small quantities will inhibit the polymerization of VCM to polyvinyl chloride (PVC), the desired final product. Distillation operations require a detailed hazard analysis before the proper Process Safety Systems (PSS) design basis can be determined, due to the complexity of the operation (both heat and mass transfer), as well as the different kinds and severity of events that impurities can introduce. The information in CCPS (1992) illustrates the types and results of several hazard evaluation procedures for the VCM/HCl separation, and will not be repeated here. Note that, for the purposes of this example, the flow sheet shown in CCPS (1992) has been somewhat simplified. This example is intended to illustrate a proposed new design, with preliminary equipment sizes and ratings based upon similar existing installations. Also, while the VCM/HCl separation is an industrially important process, the feed composition and purity requirements chosen for this example are for illustration only, and do not necessarily reflect current industrial practice. The physical properties for VCM and HCl were obtained from standard open-literature references (Gallant 1968; Yaws 1977). For the purposes of this example problem, vapor-liquid equilibrium data were estimated, since experimental data were not readily available in the open literature.
B.1 SYSTEM DESCRIPTION The system in question is illustrated in Exhibit B1 with the steady state material balance and basic process control information. Exhibit B2 provides an equipment list for this portion of the process. This system is intended to purify a 90 mole % VCM stream contaminated with HCl to a purity of greater than 99.8% via distillation. The overhead product is a 75%/25% VCM/HCl mixture to be recycled back into the process. This example follows the nine-step process laid out in Chapter 2 for selection of the design basis for this installation's process safety systems. In order to adequately perform Step 1, "Identify Failure Scenarios," some discussion of information requirements in general, and distillation systems in particular, is warranted, along with specific information pertaining to this process.
B.2 GENERAL INFORMATION REQUIREMENTS The following information will be required to properly evaluate potential failure scenarios. Some of this information will routinely exist; other, less commonly used data (such as piping isometrics) may need to be estimated (for new installations) or generated from field reviews (for existing installations) before a proper evaluation can be completed.
• Heat and material balance (HMB) data (steady state)
• Material safety data sheets (MSDSs) for all chemicals
• Chemical reactivity data (primary and side/secondary reactions, if applicable)
• Accurate piping and instrumentation diagrams (P&IDs)
• Equipment arrangements and plant layouts
• Pressure vessel drawings (with maximum allowable working pressure, or MAWP, maximum vacuum, and maximum and minimum operating temperature information)
• Control valve and relief valve instrument data sheets
• Unsteady state (startup, shutdown, upset) conditions
• Cleanout procedures, including all non-process chemicals used
• Equipment computer models for evaluation of deviations from steady state conditions, or for evaluation of worst-case startup and shutdown conditions
• Utility supply information (composition, pressure, temperature, voltage, etc.)
EXHIBIT B1 Material Balance and Basic Process Control System
[Flow sheet with stream table; only fragments of the table survive extraction. Streams tabulated: 1 Feed; 2 through 6 (column overhead, condenser and reflux streams); 7 MC #1 liquid out; 8 MC #2 liquid out; Reflux; Underflow Product; Overhead Product; Vent (normally no flow); 100# steam; EG/H2O coolant to Main Condenser #1 (MC #1) and Main Condenser #2 (MC #2). Rows: lb/hr, mole fraction HCl/VCM, temperature (°F), pressure (psia). Legible entries: Feed 239,600 lb/hr, 0.1/0.9 HCl/VCM, 32°F, 125.7 psia; overhead and reflux streams 0.364/0.636 HCl/VCM at 112.2 psia; underflow product 0/1.0 HCl/VCM; coolant 40/60 by weight EG/H2O; 100# steam at 338°F.]
EXHIBIT B2 Equipment List

Equipment Item | Item No. | Description and Tentative Size | Material of Construction | Preliminary Design Pressure | Preliminary Design Temperature
VCM Column | C-201 | 8 ft dia x 62 ft, 52 sieve trays | Zirconium-clad steel | 200 psig and -2 psig (vac) | 350°F
Main Overhead Condenser #1 | E-201A | 46 in dia x 16 ft tube length, 5655 ft2 | Zirconium tubes, steel shell | 200 psig and full vacuum | 350°F
Main Overhead Condenser #2 | E-201B | 40 in dia x 16 ft tube length, 3927 ft2 | Zirconium tubes, steel shell | 200 psig and full vacuum | 350°F
Reflux Accumulator | V-208 | 6 ft dia x 6 ft straight side | Zirconium-clad steel | 200 psig and full vacuum | 350°F
Reboiler | E-207 | 40 in dia x 10 ft tube length, 3927 ft2 | Zirconium tubes, steel shell | 200 psig and full vacuum | 350°F
B.3 PSS DISCUSSION FOR DISTILLATION OPERATIONS
B.3.1 Vessel Design and Primary Containment
A common feature of many distillation systems is their initial expense, or capital cost. Particularly for large volume products, the physical size and cost of the equipment can be large. This leads to a great deal of effort in optimizing the equipment sizes, relative to one another and to the rest of the production facility. If this optimization is not done with a systems approach with due consideration of process safety, savings in vessel cost can be more than offset by the relatively greater expense of additional active or procedural PSSs required. Although not always recognized as such, the proper design, construction and maintenance of primary containment systems (process pressure vessels and storage tanks) is the first and best line of defense against catastrophic events. As such, the ASME Boiler and Pressure Vessel Code (1995), API Standard 650 1993 and API Standard 620 1990 are key PSS-related resources. In most states and some countries, the ASME code is followed by law. ASME Code Section VIII contains specific requirements for design, testing and relief of vessels whose operating pressure is greater than 15 psig.
The CCPS Publication Guidelines for Engineering Design for Process Safety (CCPS 1993) also provides useful information, and will be used as a reference for this portion of the example. Other specific references, such as NFPA 77 1993, and API RP 2003 1991 may also have applicability.
B.3.2 Control Systems and Safe Automation
Distillation operations typically involve large quantities of potential energy, either in the form of utility energy (steam, hot oil, refrigeration, etc.) or associated in the process (heated feed streams, elevated operating pressure, large inventories of volatiles and flammables, etc.). Most control strategies focus initially on keeping these processes at steady state, as the purity from distillation operations is extremely sensitive to small changes in process variables. Without giving due consideration to the startup, shutdown, upset, and other potential unsteady state conditions that the system may encounter, a good control strategy for operation at steady state may prove wholly inadequate in dealing with unusual or infrequent deviations. Thus, the control strategy, examined as a part of the overall safe automation plan, must be put together in order to have a reliable, cost-effective system capable of optimal production under normal circumstances, and must respond adequately in the event of abnormal or upset conditions. Unlike vessel design and construction, there are very few regulatory requirements surrounding the use of automatic controls for PSS applications. The CCPS Publications "Guidelines for Safe Automation of Chemical Processes" (1994) Chapters 4 and 5, and "Guidelines for Engineering Design for Process Safety" (1993), Chapter 9 provide a useful compilation of current industry practices. For this example, Exhibit Bl shows only six primary control loops needed to maintain this process at steady state. This is what CCPS (1994), Chapter 4 refers to as the Basic Process Control System (BPCS). Like vessel design, proper attention to this fundamental design is the first, and best defense against an uncontrolled release of process material to the environment. 
However, given the potential hazards involved, it is reasonable to expect that additional measurement and control points will be needed to provide adequate early warning of potentially dangerous deviations from normal conditions. It is important to develop, at an early stage of process development, a clear strategy of safe operating limits, alarms, interlocks and emergency shutdown devices (ESDs), which together constitute the Safety Instrumented Systems (SIS). Doing this early allows costs to be estimated, equipment to be designed to accommodate the necessary additional measurement points, and the appropriate level of reliability to be evaluated. The effect of instrument location and the reliability of components, as well as other process requirements, must also be determined. To do this, some information on the possible upset conditions and unsteady state operating conditions will be needed to evaluate the effectiveness and determine the location of SIS sensors and devices. Some additional process and unit operations simulation may be necessary to generate the required design information. CCPS (1994), Chapter 5 gives additional information on this subject.
B.3.2.1 Alarm Strategy
For all alarms, it should be noted that with electronic instrumentation and a distributed control system (DCS), two high and two low alarm points are usually included with the control point. Thus, alarm strategies which make use of these "free" points can serve as a very cost-effective way of increasing the number of alarm points without increasing the cost of the system. These additional alarm points do not, however, provide the redundancy necessary for some interlock initiators, since they share the transmitter and the controller with the control loop. If using older, pneumatic instrumentation, alarm points of any kind are an increased cost. Of course, one thing which must be avoided is the casual use of alarm points simply because they exist. Excessive nuisance alarming can cause the operator to become indifferent to alarms (since they go off so frequently), to deactivate them, or to become confused in a true emergency (because so many alarms are actuated simultaneously).
B.3.2.2 Interlock Strategy
Once alarm parameters have been determined, this same information can be used to develop a general philosophy and execution strategy for interlocks. Process and safety interlocks differ from one another in that, whenever the process condition which caused a process interlock to activate is corrected, the control function usually returns to normal. Safety interlocks often must be manually reset before control can return to normal. An analysis of the allocation of supervisory roles between the operator and automatic control systems should be made before a decision to interlock is reached. Another issue concerning safety interlocks is the use of automatic controls to mitigate potential overpressure in place of relief systems. Neither ASME nor API provides explicit guidance on the use of safety instrumentation to mitigate relief requirements, and risk management policies vary widely concerning the use of instrumentation or any active system to protect against overpressure. Issues such as the reliability and cost of safety interlock systems and their related field devices (sensors, isolation valves, etc.), as compared to the reliability of relief systems, must be considered in weighing the tradeoffs.
B.3.2.3 Valve Failure Position
Closely related to this strategy is the decision on how automatic control and block valves should fail under loss of motive energy or control signal. In general, energy sources (such as steam, hot oil, or high pressure gas) are designed to fail closed (FC) to isolate the process from excessive energy input. Energy-removing streams (coolants, vents, etc.) are usually fail open (FO) to bring the system to a lower potential energy state under emergency conditions. While not always true, these guidelines should apply to most cases considered. Another issue which must be addressed is the difference between the failure position upon instrument air (IA) failure and the failure position on electronic signal failure. Often, a valve can be set to fail in one direction when IA is lost; however, the controller manipulating this valve may have an entirely different failure position, which may take the system to an unsafe condition. Both types of failure position must be addressed independently. There is a third category of valve failure position, fail-last-position (FL), which is not as frequently used in process systems. However, there may be occasions where FL valves are needed for production reasons and also have safety implications. These situations should be carefully analyzed before the valve failure position is finalized.
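The two independent checks called for above (what the valve does mechanically on loss of instrument air, and where the controller drives it on loss of signal) can be run over a valve list as a simple audit. The example below is added here and is not from this guideline; the valve tags, the service classification and the sample valve list are constructed for the illustration. A documented exception field is included because the text says the FC/FO rules should apply to most, not all, cases.

```python
"""Valve failure-position audit: IA loss and signal loss checked independently.

Added illustration, not from the CCPS text. Tag names and the sample valve
list are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

ENERGY_IN = "energy-in"    # steam, hot oil, high-pressure gas, hydrogen feed
ENERGY_OUT = "energy-out"  # coolant, vent, quench

# Default safe position per service, as stated in the text.
SAFE_POSITION = {ENERGY_IN: "FC", ENERGY_OUT: "FO"}


@dataclass(frozen=True)
class Valve:
    tag: str
    service: str
    on_ia_loss: str          # FC / FO / FL: actuator action when instrument air is lost
    on_signal_loss: str      # FC / FO / FL: position the controller drives on bad signal
    exception_reason: str = ""  # non-empty when a non-default position is justified


def audit(valves: List[Valve]) -> List[Tuple[str, str, str]]:
    """Return (tag, failure mode, finding) for every position that is not the
    safe default. The two modes are evaluated separately because a valve can be
    safe on air failure and unsafe on signal failure, or the reverse."""
    findings = []
    for v in valves:
        expected = SAFE_POSITION[v.service]
        for mode, actual in (("IA loss", v.on_ia_loss),
                             ("signal loss", v.on_signal_loss)):
            if actual == expected:
                continue
            if actual == "FL":
                findings.append((v.tag, mode,
                                 "fail-last: weigh production need against safety "
                                 "and analyze before finalizing"))
            elif v.exception_reason:
                findings.append((v.tag, mode,
                                 f"{actual} by documented exception: {v.exception_reason}"))
            else:
                findings.append((v.tag, mode,
                                 f"{actual}, but {expected} expected for {v.service} service"))
    return findings


# Constructed sample data (assumption): one valve per situation of interest.
SAMPLE_VALVES = [
    Valve("TV-201", ENERGY_IN, "FC", "FC"),    # steam to reboiler: safe both ways
    Valve("TV-202", ENERGY_OUT, "FO", "FL"),   # coolant: air failure OK, controller holds last
    Valve("XV-101", ENERGY_IN, "FC", "FO"),    # hydrogen feed: DCS output goes to 100% on bad signal
    Valve("PV-203", ENERGY_OUT, "FC", "FC",
          "vent to flare must stay closed during the startup nitrogen purge"),
]

if __name__ == "__main__":
    for tag, mode, finding in audit(SAMPLE_VALVES):
        print(f"{tag:8} {mode:12} {finding}")
```

XV-101 is the case the text warns about: the actuator spring is right, but the controller's bad-signal behavior drives the energy source open, and only a check that looks at both modes separately catches it.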
B.3.3 Pressure and Vacuum Relief
A significant safety-related design problem for equipment in general is the appropriate selection of the sizing basis for emergency pressure and vacuum relief devices. Relief devices are required for vessels covered by ASME Code, but the basis for sizing and selecting these devices is left up to the system designer. Relief device sizing methodology is particularly critical if two-phase flow occurs due to reactive, foaming or viscous effects. For these systems, methodologies such as those developed by the Design Institute for Emergency Relief Systems (DIERS) should be used. In the absence of two-phase flow, more conventional techniques can be applied. The need for and location of relief devices should be identified as early in the design as possible, as an integral part of PSS strategy formulation. The disposition of relief effluents (flaring, secondary containment, quenching, or relief to atmosphere) may influence the type and position of relief devices needed. The CCPS publication "Guidelines for Pressure Relief and Effluent Handling Systems" (CCPS 1997a) provides guidance on the selection and design of disposal systems. Relief system design bases may also be altered by the presence of other passive or active safety systems, such as fireproof insulation or instrumentation, back pressure influences, or the need for downstream effluent disposal systems such as flares. Once the proper design basis has been determined, sizing of the appropriate devices can proceed using requirements and information listed in the reference section at the end of this example.
B.3.4 Fixed Fire Protection, Passive Mitigation and System-Wide Concerns
Once key interlock and relief requirements have been set, post-release mitigation systems must be evaluated. These include fixed fire protection systems as described in NFPA 15 1990, life safety code requirements per NFPA 101 1997, and other mitigation techniques such as plant layout, equipment arrangement, diking and berming, and other site-related issues. Little or no regulatory guidance exists for these issues; API RP 752 1995 and the CCPS book "Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires" (CCPS 1996) address the siting issues. Selection of the PSS design basis also involves a system-wide analysis for synergistic hazards not revealed by consideration of the failure scenarios of individual unit operations only. This analysis should address the relationship between the operation in question and other unit operations in the process, the utility and outside battery limits operations that might be adversely affected by upsets in the operation in question, and the interrelationship of utilities which might result in a common-mode failure (such as steam and electricity cogeneration failure).

B.4 DESIGN BASIS SELECTION PROCESS

This section uses the systematic risk-based technique for selecting the design bases for process safety systems discussed in Chapter 2. Use of the technique imposes discipline on the thought process, yet allows for flexibility in application. The design bases selection technique is comprised of a number of analysis and testing steps, detailed graphically in a decision tree (See Exhibit 2.2 in Chapter 2).

Step 1: Identify Failure Scenarios

In this example, each of the selection steps (1-9) will be discussed generally. Then, steps 2-8 will be repeated in detail for each of the five potential failures listed below. The primary hazards of interest for VCM and HCl are flammability and toxicity; therefore, efforts for this example will be focused in these areas.
Reactivity hazards will not be considered in this example, although in a real VCM process, this area would need considerable attention, since unsteady state or upset conditions in other portions of the plant could lead to reactive hazards in the VCM/HCl separation area as well. Corrosion will be considered as a potential failure scenario (leading to loss of containment) rather than a hazard in and of itself. Some equipment, such as pumps, filters and other auxiliary equipment, has not been considered in this example in order to focus on identification of potential failure scenarios using the tables in Chapters 3 (Vessels), 5 (Mass Transfer Equipment) and 6 (Heat Transfer Equipment).
A first pass through these tables yields 33 potential failure scenarios as shown in Exhibit B3. Several of these scenarios are duplicates, and many fall into similar areas of concern (e.g., overpressure) and could be evaluated together. This example will focus on five specific potential failure scenarios:
A. Uncontrolled energy (steam) input (Overpressure, Overtemperature per Table 3-9)
B. External fire (Overpressure, Overtemperature per Table 3-5, 3-29, 6-9)
C. Internal deflagration (Loss of Containment per Table 3-3)
D. Vacuum collapse of column (Underpressure, Loss of Containment per Table 3-21, 4-4)
E. Blocked-in liquids in heat transfer equipment (Overpressure per Table 3-17, 6-7)
The tables in this book are generic, in that they are intended to apply to a wide variety of equipment configurations and installations, and are not intended as a "one-stop" reference. Other references may contain more detailed information on specific subjects, such as the checklist published in API RP 520, Section 3.2, Table 1 (1993) for specific overpressure relief system design cases. As with any engineering tool, its applicability to a specific problem must be established each time it is used.

Step 2: Estimate the Consequences
Step 3: Determine Tolerability of Consequences

Consequence estimation requires information on the physical, chemical and toxic nature of the materials involved in the process, the quantity of material which could be involved in a scenario, the impact of each scenario on the surroundings (facility siting) and an economic evaluation of the impact of equipment damage and lost production. This information can be obtained from the MSDS or other sources of product safety information. This, combined with the quantity of material in the process, can be used to assess fire, explosion and toxic effects using appropriate source terms, dispersion calculations and effect models for scenarios with the potential for materials release to the environment.
Facility siting issues may also be brought in at this point. Economic consequences must also be evaluated. These will be highly dependent on such factors as alternative sources of supply, availability of alternative production facilities, and replacement units.
EXHIBIT B3

Failure Scenario Number    Failure Scenario Description
3-1     Liquid overfill resulting in backpressure or excessive static head
3-2     Inadvertent or uncontrolled opening of high pressure utility system
3-3     Ignition of flammable atmosphere in vessel vapor space
3-5     External fire
3-6     Inadequate or obstructed vent path, resulting in high vapor space pressure during filling
3-7     Internal heating/cooling coil leak or rupture
3-9     Excessive heat input resulting in high vapor pressure
3-15    Blocked outlet flow path
3-17    Heating and thermal expansion of liquid
3-19    Failure of vacuum control system
3-20    Inadequate or obstructed vent path
3-21    Uncontrolled condensation/absorption of vapor phase component
3-22    Excessive liquid withdrawal rate
3-27    Control failure of heating/cooling system
3-29    External fire
3-36    Level control failure causing spill
3-38    Leak from heating/cooling system
3-39    Leak or excessive fill from liquid utility system (e.g., utility water)
3-40    Level control failure
3-41    Incorrect or unanticipated cross-connection causing uncontrolled outflow
3-44    Corrosion from process fluid
3-47    Open drain connections
4-1     Migration of internals into lines resulting in blockages
4-2     Blockage of packing/trays leading to excessive pressure drop in column
4-4     Uncontrolled condensation/absorption of vapor phase component
4-6     Fire when exposing packing internals with flammable material during maintenance
6-1     Corrosion/erosion of exchanger internals resulting in a heat transfer surface leak or rupture and possible overpressure of the low pressure side
6-2     Differential thermal expansion/contraction between tubes and shell resulting in tube leak/rupture (fixed tubesheet)
6-3     Excessive tube vibration resulting in tube leak/rupture and possible overpressure of the low pressure side
6-5     Loss of heat transfer due to fouling, accumulation of noncondensables, or loss of cooling medium
6-7     Cold side fluid blocked in while heating medium continues to flow
6-9     External fire
6-10    Loss of mechanical integrity of tube
EXHIBIT B4

NFPA 704 Rating    VCM    HCl
Fire               4      0
Health             2      3
Reactivity         2      1
For this example, from the MSDS, the NFPA 704 (scale of 0-4) ratings are shown in Exhibit B4. With a fire rating of 4, VCM represents a significant fire and explosion potential. Also, with a reactivity rating of 2, there may be a significant hazard inside the equipment as well. Given the relatively high preliminary design pressure of the equipment in this process (200 psig), shrapnel generation due to catastrophic vessel failure would also present a serious hazard to personnel or other process equipment in the vicinity of the installation. Finally, given the size, throughput and materials of construction of this equipment, a significant incident that causes damage to the equipment would have severe economic property damage and business interruption potential. Unmitigated operational deviations resulting in medium-level and high-level hazards have been determined to be unacceptable by the organization represented in this example. Therefore, the designer must provide alternatives which mitigate these consequences.
Step 4: Estimate Likelihood and Risk
Step 5: Determine Tolerability of Risk

Risk estimation can be the single most difficult step in this process. While consequence estimation is objective, likelihood evaluation often involves a direct and specific performance assessment of the ability of both individuals and organizations to manage risk, or the adequacy of a specific design or equipment item given its age and operating history. Because of this, great care must be taken to ensure its accuracy and lack of bias. At some point, quantification of likelihood may be necessary, but often it is superseded by standardization into policies, engineering standards and standard practices. For example, failures with no or low consequences may be considered adequately controlled by normal process controls, whereas severe hazards (such as those with off-site ramifications) may require two or more independent levels of control or mitigation in addition to normal controls to bring the risk into an acceptable range.
Assessment of likelihood often requires evaluation of both plant systems and procedures. Equipment failure data are available from a number of sources, and while there are uncertainties and gaps in the data, these can be objectively and consistently evaluated through the use of plant data collection and component failure testing. Also, a comprehensive risk management plan based on the results of studies such as these can provide typical component failure rates to be used for a wide range of evaluations. CCPS (1989) is a source of both data and references for additional information. Reliability of procedural safeguards, on the other hand, is tied to the effectiveness of training and the strength of managerial implementation and documentation. Not only are these hard to measure, they can change significantly, in either a positive or negative manner, due to a wide variety of factors, such as personnel turnover or change in management. For this example, management has determined that the criteria shown in Exhibit B5 apply. The hazard levels described here are comparable to those shown in Exhibit 2.5. For simplicity, levels C1 and C2 have been combined into the low hazard category. For low or medium-level hazards, two levels of independent procedural safeguards may be substituted for a single automatic safeguard. For high-level hazards, no procedural safeguards may be credited for mitigation. Note that criteria similar to these are commonly found in industry; however, each company must make its own determination of risk acceptability levels.
EXHIBIT B5

Hazard Level       Consequence Definition                          Safeguards Required for Acceptable Risk Level
Low (C1 and C2)    Minor Injury Potential                          Normal Controls
Medium (C3)        Major On-site Consequence (See Exhibit 2.5)     One layer of independent nonprocedural safeguard above normal controls
High (C4)          Major Off-site Consequence (See Exhibit 2.5)    Two layers of independent nonprocedural safeguards above normal controls
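The Exhibit B5 criteria, together with the substitution rules stated above (two independent procedural safeguards may replace one automatic layer for low or medium hazards; no procedural credit for high hazards), applied as a check on a proposed set of safeguards. This is an added example, not material from the guideline; the hazard classes follow Exhibit B5, while the class and function names and the sample safeguard list for Scenario A are constructed.

```python
"""Safeguard-adequacy check modelled on the Exhibit B5 criteria.

Added example, not code from the CCPS guideline. The hazard classes and the
layer-counting rules follow Exhibit B5 and the surrounding text; the class and
function names and the sample safeguard lists are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Hazard(Enum):
    LOW = "low"        # C1 and C2: minor injury potential
    MEDIUM = "medium"  # C3: major on-site consequence
    HIGH = "high"      # C4: major off-site consequence


# Layers of independent nonprocedural safeguards required above normal controls.
REQUIRED_LAYERS = {Hazard.LOW: 0, Hazard.MEDIUM: 1, Hazard.HIGH: 2}


@dataclass(frozen=True)
class Safeguard:
    name: str
    procedural: bool          # relies on operator action (vs. automatic/passive)
    independent: bool = True  # independent of normal controls and of other layers


def credited_layers(hazard: Hazard, safeguards) -> int:
    """Count creditable layers under the Exhibit B5 rules.

    Each independent nonprocedural safeguard counts as one layer. For low and
    medium hazards, two independent procedural safeguards may substitute for
    one automatic layer. For high hazards no procedural credit is taken.
    Safeguards that are not independent of normal controls are never credited.
    """
    nonprocedural = sum(1 for s in safeguards if s.independent and not s.procedural)
    procedural = sum(1 for s in safeguards if s.independent and s.procedural)
    if hazard is Hazard.HIGH:
        return nonprocedural
    return nonprocedural + procedural // 2


def assess(hazard: Hazard, safeguards):
    """Return (acceptable, credited, required, shortfall) for one scenario."""
    credited = credited_layers(hazard, safeguards)
    required = REQUIRED_LAYERS[hazard]
    return credited >= required, credited, required, max(0, required - credited)


# Constructed input: the design the worked example selects for Failure
# Scenario A. The steam control valve also used for normal process control is
# not independent of normal controls, so its closure on trip is not credited;
# operator action is listed but earns no credit against a high-level hazard.
SCENARIO_A = (
    Safeguard("Emergency block valve in steam supply, tripped on high column "
              "pressure or temperature", procedural=False),
    Safeguard("Restricted steam control valve trim limiting heat input "
              "(on critical equipment list)", procedural=False),
    Safeguard("Steam control valve closure on trip", procedural=False,
              independent=False),
    Safeguard("Operator isolates steam on high temperature alarm",
              procedural=True),
)

# Constructed input: two procedural safeguards only.
PROCEDURAL_ONLY = (
    Safeguard("Operator response to high pressure alarm", procedural=True),
    Safeguard("Operator response to high temperature alarm", procedural=True),
)

if __name__ == "__main__":
    for hazard in Hazard:
        print(hazard.value, "Scenario A:", assess(hazard, SCENARIO_A),
              "procedural only:", assess(hazard, PROCEDURAL_ONLY))
```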
Step 6: Consider Enhanced and/or Alternative Designs
Step 7: Evaluate Enhancements and/or Alternatives
Step 8: Determine Tolerability of Risk and Cost

Steps 6-8 are analogous to steps 3-5, evaluating the modified system instead of the original, unacceptable design. The tables in Chapters 3-12, along with other specific references, are intended to suggest potential alternatives to enhance the risk acceptability of the design. Not all solutions presented in the tables will be applicable to every situation. Each potential enhancement must be evaluated for:
• Technical Feasibility—Will it work at all?
• Applicability to a specific situation—Will it work here?
• Cost/Benefit—Is it the best use of resources, or can greater risk reductions be achieved by spending the same money elsewhere?
• Synergistic/Mutual Exclusivity effects—Will this solution work in conjunction with other potential enhancements, or will its implementation eliminate other potential beneficial solutions from being considered?
• Additional New Hazards—Will this solution create new hazards that must be evaluated?
Once a course of action is decided upon, it again must be evaluated for risk and cost acceptability. Steps 6-8 must be repeated until an acceptable reduction in risk has been achieved. Note that, if all technical options are exhausted with the risk level remaining unacceptably high, the only alternative may be to find a replacement for the process step. Following is a detailed discussion of steps 2-8 for each of the five scenarios of interest for this example.

B.5 UNCONTROLLED ENERGY INPUT (FAILURE SCENARIO A)

As is the case with most distillation operations, unmitigated heat input in the form of steam or other heating medium has the potential for generating an overpressure condition in a distillation unit. Such could be the case here, as the preliminary column design pressure is 200 psig, and VCM's vapor pressure at 100 psig steam saturation temperature (~170°C) is over 800 psig.
Rupture of the distillation column or any auxiliary equipment (such as heat exchangers) has been classified as a high hazard consequence, requiring two levels of safeguards above normal controls. Reboiler tube rupture can often be a source of uncontrolled energy input; however, in this example, reboiler tube rupture is not a credible case since the process design pressure is above the steam supply pressure.

Step 2: Estimate the Consequences

The failure scenario of uncontrolled energy input resulting in high vapor pressure may result in an operational deviation of overpressure as noted in Table 3, Failure Scenarios for Vessels, item 9. Vessel overpressure and the resulting loss of vessel containment may present several medium-level and high-level hazards as defined in Exhibit B5. These consequences include potential fatalities or injuries and capital losses resulting from ignition of a flammable vapor cloud, as well as mechanical failure of the process equipment from overpressure and the potential damage to the environment resulting from release of process chemicals.

Step 3: Determine Tolerability of Consequences

Unmitigated operational deviations resulting in medium-level and high-level hazards have been determined to be unacceptable by the organization represented in this example. The system designer must provide appropriate process safety systems to further mitigate the consequences.

Step 4: Estimate Likelihood and Risk

Because unmitigated medium-level and high-level hazards are unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Step 3, the risks presented are not acceptable. A minimum of two nonprocedural safeguards are required in addition to the normal controls required to operate the process.

Step 6: Consider Enhanced and/or Alternative Designs

From Table 3, Item 9, the following options are available to the system designer for overpressure from uncontrolled energy input:
Inherently safer/passive:
• Vessel design accommodating maximum expected pressure
• Limit temperature or flow of heating medium
Active:
• Emergency relief device
• High temperature or pressure alarm with interlock to isolate heating medium
Procedural:
• High temperature or pressure alarm with operator activation of heating medium isolation

Inherently safer/passive

Providing a pressure rating of the process equipment greater than the maximum expected pressure can eliminate the failure of heating medium controls scenario. If the pressure rating of the equipment is greater than the vapor pressure of the process chemicals at the maximum heating medium temperature, failure of the heating medium controls cannot overpressure the process equipment. The cost of providing the increased pressure rating varies depending upon the materials of construction, the optional heating media available and the vapor pressure of the process chemicals. The designer can limit the maximum vapor pressure of the process chemicals by limiting the temperature of the heating medium. For steam heated reboilers, this can be accomplished by selecting the lowest pressure steam available and further reinforced by installation of a relief valve in the steam supply to limit the effects of upsets in the steam system. If the vapor pressure of the process chemicals is limited by the maximum heating medium temperature to less than the pressure rating of the equipment, the failure scenario is effectively mitigated. Limitation of heating medium temperature is not feasible, since the temperature required to boil VCM with a reasonably sized reboiler is still hotter than required to exceed the system MAWP with pure VCM. However, limitation of the heating medium temperature by means of a steam desuperheater may still be desirable to protect against reactivity concerns which may be initiated by excessive temperature. Additionally, the designer may limit the heat input to the system by limiting the flow of the heating medium. Limiting the heat input does not eliminate the failure scenario, but can reduce the vapor boilup and reduce the size of any relief device sized for failure of heating medium controls.
Limitation of flow is feasible, and may be an attractive alternative which can be accomplished economically by restricting the size of the steam control valve's trim, or using a smaller valve.

Active

Since all of the primary vessels in this system will be ASME Section VIII pressure vessels, some form of emergency relief is a requirement. Design of the relief system will be done in accordance with standard practices API RP 520 1993 and 521 1990 for nonreactive relief. If the designer chooses to mitigate this case with emergency relief, then relief device design bases should include relieving the vapor generated by uncontrolled heat input to the system, and sized to relieve the vapor boilup generated by the reboiler operating at maximum efficiency (i.e., with a clean heat transfer surface and maximum expected heating medium temperature). Discharges from the relief devices must be routed either to a location where the vapor release will not create further consequences or to an effluent handling system such as a flare. Because distillation reboilers often contain large surface area overdesign factors such as fouling factors and operating temperatures below maximum expected heating medium temperatures, the vapor relief rate from uncontrolled heat input may be very large. The system designer should evaluate the hazards posed by relief of the process vapor and the cost of installation of the relief system. The system designer may choose to mitigate the failure scenario by installing a safety interlock to isolate the heating medium if safe process limits are exceeded. The designer must ensure that the interlock is dependable and may consider redundant initiators, logic and actuators. If possible, diverse redundancy (such as the use of one pressure and one temperature initiator) is desirable to protect against a common-mode failure. Additionally, the designer cannot select instrumentation that may be inoperable due to process conditions or interlock bypasses. The use of a high temperature sensor to isolate the heating medium is an attractive option here. Using a temperature measurement in the condenser vapor outlet line gives a fast indication of excessive energy input. Because this is a high hazard operation, at least two temperatures, or a temperature and pressure measurement through independent logic paths and two final field devices (i.e., valves) will be needed to activate the steam isolation system. For reboilers, the steam can be isolated by use of an emergency block valve installed in the steam supply.
The steam control valve may not be an effective isolation device by itself, but may be used with an isolation valve to give two final field devices. Careful consideration should be given to the effectiveness of the control device in this service. The temperature and/or pressure in the distillation system may be used to initiate the interlock. The facility management responsible for operating and maintaining the system must establish effective controls to ensure that the interlock system is operational whenever the process unit is operating.

Procedural

The system designer may mitigate the failure scenario through procedural controls by requiring operator action to isolate the heating medium when safe process limits are exceeded. The warning system requirements are the same as previously discussed for interlock initiators. Additionally, the facility management must ensure that the system operators are trained to react properly should safe process limits be exceeded. This option is less reliable than interlocks due to the possibility of human error. Because of its classification as a high-level hazard, procedural options may not be used to mitigate hazards at this level. However, it would be wise to include a discussion of operator actions on high temperature indication even if no mitigation credit is claimed.

Step 7: Evaluate Enhancements and/or Alternatives

Inherently safer/passive

Providing a mechanical design with the process vapor pressure at the maximum expected heating medium temperature will mitigate the failure scenario. For the system used in this example, the designer determined this option to be impractical. The vapor pressure of the process chemicals was too high to allow a cost effective mechanical design. However, even if the failure scenario cannot be completely eliminated, designing the vessels for the maximum practical design pressure will help reduce the size of the relief device. Limiting the heating medium flow via a reduced valve size or a restriction orifice will reduce the vapor boilup rate, but will not eliminate the failure scenario. The designer was able to demonstrate, through atmospheric dispersion modeling of the column relief discharge, that the vapor boilup at the maximum steam flow would not create a major off-site incident. Use of this control was considered one of the two nonprocedural safeguards required by company management to adequately mitigate a high-level hazard event. However, to ensure that other, non-safety-related changes not be made to this valve which could adversely impact its safety function, maintenance of the valve was included on the plant's critical equipment list.

Active

Installation of an emergency relief device can effectively mitigate the effects of uncontrolled energy input. However, the vapor rate discharged through the relief device to atmosphere was, in itself, a significant safety hazard and required mitigation by flare or scrubber. The cost of installation of the relief system was considerable.
The designer elected not to install a relief device sized for the maximum possible uncontrolled energy input, electing instead to investigate and implement other, more cost-effective ways to reduce the relief system design basis. Installation of an interlock system can mitigate the failure scenario. The risk management guidelines for the organization represented in this example have determined that independent redundant systems are required to mitigate a medium-level or high-level hazard. The guidelines permit installation of a single isolation valve to provide the interlock action provided that it is properly maintained and is not used for process control. The designer elected to install an emergency block valve in the steam supply initiated by either high column pressure or high column temperature. In addition, the interlock initiators also close the steam control valve as an added measure of protection. Maintenance of the interlock equipment was included on the plant's critical equipment list, which must be tested on a regularly scheduled basis. Modifications of all the interlock equipment, including initiators, logic and steam valve, were included in the plant's management of change (MOC) procedure.

Procedural

As described in the risk management guidelines, procedural controls were not considered sufficient to mitigate the effects of the consequences described in this example. The designer elected to use a safety interlock system rather than procedural safeguards.

Step 8: Determine Tolerability of Risk and Cost

The PSS selected by the designer included installation of two levels of independent non-procedural safety interlocks and use of a restricted steam control valve size to limit the heat input. This system meets the requirements provided by the management guidelines. The capital project evaluation team determined the cost acceptable to permit installation of the process. Note however, that this did not eliminate the need for a relief device, as outlined in the following section.

Step 9: Documentation

As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.
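The steam isolation interlock selected above (diverse pressure and temperature initiators on independent logic paths, either path closing both the emergency block valve and the steam control valve), modelled to show why the redundancy matters: the model enumerates single faults (a failed sensor, a bypassed path, a valve stuck open) and reports which of them would defeat isolation during a genuine demand. This is an added example, not from the guideline; the trip setpoints, readings and the class and function names are constructed, and the fail-closed behaviour on loss of signal follows the energy-source rule in B.3.2.3.

```python
"""Model of the steam isolation interlock selected for Failure Scenario A.

Added example, not code from the CCPS guideline. Trip setpoints, readings and
the class and function names are constructed for illustration.
"""
from dataclasses import dataclass, replace

# Constructed setpoints: below the 200 psig column design pressure, and a
# placeholder condenser vapor outlet temperature.
HIGH_PRESSURE_TRIP_PSIG = 180.0
HIGH_TEMPERATURE_TRIP_C = 60.0


@dataclass(frozen=True)
class Initiator:
    """One sensor plus its own independent logic path (de-energize-to-trip)."""
    value: float
    trip_point: float
    healthy: bool = True    # False: sensor diagnostic fault or out-of-range signal
    bypassed: bool = False  # maintenance bypass applied to this path

    def demand(self) -> bool:
        if self.bypassed:       # a bypassed path can never trip
            return False
        if not self.healthy:    # a faulted sensor de-energizes the path: trip
            return True
        return self.value >= self.trip_point


@dataclass(frozen=True)
class FinalElement:
    name: str
    fail_closed: bool = True   # steam is an energy source: FC on loss of signal
    stuck_open: bool = False   # mechanical failure to stroke closed on demand

    def closed(self, trip: bool, signal_lost: bool) -> bool:
        if self.stuck_open:
            return False
        if signal_lost:
            return self.fail_closed
        return trip


ELEMENTS = (
    FinalElement("steam emergency block valve"),
    FinalElement("steam control valve"),
)


def evaluate(pressure, temperature, elements=ELEMENTS, signal_lost=False):
    """1oo2 diverse initiation: a trip on either path drives both final
    elements closed. Steam is isolated when at least one valve is closed.
    Returns (isolated, {valve name: closed})."""
    trip = pressure.demand() or temperature.demand()
    states = {e.name: e.closed(trip, signal_lost) for e in elements}
    return any(states.values()), states


def single_faults_that_defeat(pressure, temperature, elements=ELEMENTS):
    """Under a genuine demand, apply each single fault in turn and return the
    names of those that prevent isolation (empty list: single-fault tolerant)."""
    defeated = []
    for label, faulty_p, faulty_t in (
        ("pressure sensor fault", replace(pressure, healthy=False), temperature),
        ("pressure path bypassed", replace(pressure, bypassed=True), temperature),
        ("temperature sensor fault", pressure, replace(temperature, healthy=False)),
        ("temperature path bypassed", pressure, replace(temperature, bypassed=True)),
    ):
        if not evaluate(faulty_p, faulty_t, elements)[0]:
            defeated.append(label)
    for i, element in enumerate(elements):
        faulty = list(elements)
        faulty[i] = replace(element, stuck_open=True)
        if not evaluate(pressure, temperature, faulty)[0]:
            defeated.append(f"{element.name} stuck open")
    return defeated


if __name__ == "__main__":
    # Constructed readings: normal operation, then a genuine overpressure demand.
    normal = (Initiator(150.0, HIGH_PRESSURE_TRIP_PSIG),
              Initiator(50.0, HIGH_TEMPERATURE_TRIP_C))
    demand = (Initiator(190.0, HIGH_PRESSURE_TRIP_PSIG),
              Initiator(70.0, HIGH_TEMPERATURE_TRIP_C))
    print("normal:", evaluate(*normal))
    print("demand:", evaluate(*demand))
    print("single faults defeating isolation:", single_faults_that_defeat(*demand))
```

Two simultaneous bypasses, or both valves stuck open, still defeat the function, which is why the text ties the interlock to the critical equipment list, scheduled testing and management of change rather than to the hardware alone.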
B.6 EXTERNAL FIRE (FAILURE SCENARIO B)

External fire as a failure scenario almost always occurs where flammables and combustibles are processed and/or stored. Impingement fires on wetted and unwetted vessel surfaces constitute a major threat to the integrity of the affected vessel, and unlike the uncontrolled energy input case, are external to the process and therefore can't be mitigated by instrumented solutions. Sometimes the fire case can be eliminated as a credible failure by burying equipment, or elevating equipment out of the fire affected zone. However, for large equipment which needs to be supported by a foundation, elevation above the fire affected zone is not always practical. Also, jet flame impingement concerns for reaction initiation cannot be mitigated by elevation. Deluge fire protection may also help mitigate fire exposure to limit the consequences of a fire, but is not always taken credit for in reducing relief device size.

Step 2: Estimate the Consequences

The failure scenario of external fire may result in operational deviations of overpressure or high temperature as noted in Table 3, item 5, Failure Scenarios for Vessels. Vessel overpressure and the resulting loss of vessel containment may present several medium-level and high-level hazards as defined in the general discussion for step 4 in this example. These consequences include the potential fatalities, permanent disabilities or injuries and capital losses resulting from ignition of a flammable vapor cloud or mechanical failure of the process equipment from overpressure and the potential damage to the environment resulting from release of process chemicals. In this example, the operational deviation of high temperature does not result in a potential consequence, since the materials of construction of the equipment are compatible with and maintain their mechanical integrity at process temperatures generated under fire relieving conditions, and all major equipment is automatically deluged for fire protection.

Step 3: Determine Tolerability of Consequences

Unmitigated operational deviations resulting in medium-level and high-level hazards have been determined to be unacceptable risks by the organization represented in this example. The system designer must provide appropriate process safety systems to further mitigate the consequences.

Step 4: Estimate Likelihood and Risk

Because unmitigated medium-level and high-level hazards are unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Step 3, the risks presented are not acceptable.
A minimum of two nonprocedural safeguards are required in addition to the normal controls required to operate the process.

Step 6: Consider Enhanced and/or Alternative Designs

From Table 3, Item 5, the following options are available to the system designer for overpressure from external fire:
Inherently safer/passive:
• Buried Tank
• Fireproof insulation
• Slope away diking with remote impounding of spills
• Locate outside effective fire zone
• Adequate tank-to-tank separation
• Secondary enclosure
Active:
• Fixed fire protection water spray (deluge)
• Emergency relief device
• Flammable gas, flame, and/or smoke detection devices
Procedural:
• Emergency response plan
• Manual activation of fixed water spray fire protection

Inherently safer/passive

Process equipment may be buried to mitigate or eliminate the failure scenario of external fire. This design is most often used for equipment which does not require access by maintenance or operations except from above. It is not practical for distillation systems which require access both for operations and maintenance. Fireproof insulation does not eliminate the failure scenario; however, it can greatly reduce the heat input from a fire, lower the corresponding vapor boilup rate and reduce the size of any relief device sized for fire relief. Heat input from external fire can be reduced by 90% or more by installation of fireproof insulation systems. The cost of installing fireproof insulation is considerably higher than for normal insulation systems due to the requirement for insulation materials and appurtenances which can withstand fire temperatures, such as stainless steel sheathing and banding to ensure that the insulation stays in place during a fire. Slope-away diking with remote impounding of spills can be used to remove flammable chemicals to a location where they can be safely dealt with. Industry practices such as API RP 520 1993 and Federal Regulations such as 29 CFR 1910.106 do not permit the system designer to eliminate external fire as a failure scenario by installation of adequate drainage alone, but they do permit reduction in heat input by 50-60%. This system may require installation of a remote remediation system as well as a special containment dike and drains.
A preventive maintenance program is also required to ensure the system is operational, including periodic draining of rainwater to ensure the availability of adequate containment volume. The cost of installation is significant, particularly when remote remediation (e.g., impounding) is required.
The failure scenario of external fire can be eliminated completely by installing the process equipment outside the fire zone, either laterally or vertically. Equipment may be located above the fire zone (typically 25 to 30 ft above a surface that can sustain a pool fire). This is impractical for the large distillation equipment used in this example because of the need for structural support. Because the process equipment used in this example contains flammable chemicals which may fuel the fire, equipment cannot be located laterally outside the fire zone. The system designer may elect to mitigate the effects of failure from overpressure on adjacent vessels by locating the equipment at a spacing that will not allow a leak from one vessel to seriously threaten another vessel with pool fire exposure. For systems connected by large piping or requiring close coupling of process equipment, this may prove impractical. Secondary enclosures may be used to isolate the equipment from a liquid pool caused by a leak from a neighboring vessel that may sustain the fire, particularly in applications that do not require access for maintenance or operations. Installation of secondary enclosures is not practical for distillation systems which often require access by both operations and maintenance personnel.

Active

Fixed fire protection, activated by local heat, smoke or flame sensing devices, may be installed to mitigate the effects of external fire. Industry practices such as API RP 520 1993 and Federal Regulations such as 29 CFR 1910.106 do not allow the system designer to use fixed fire protection systems to eliminate external fire as a failure scenario requiring overpressure protection; however, they do permit reduction in design heat input by up to 70%. The incremental cost of adding a process unit to an existing plant fire protection system is usually minimal. Emergency relief devices may be installed to relieve the vapor generated by the fire heat input to the system.
The devices are sized based on the procedures described in API RP 520 1993. Discharges from the relief devices must be routed either to a location where the vapor release will not create further consequences or to an effluent disposal system such as a flare. Flammable gas, flame or smoke detection devices can be used to reduce the consequence of an incident by either activation of a mitigation system or warning operators or emergency response personnel. Gas detection effectiveness is subject to atmospheric conditions such as humidity and wind and may be unreliable for primary mitigation for the outdoor installation described in this example, or for the timely detection of liquid spills. Flame or smoke detection, or other more sophisticated chemical-specific devices, or scanning
devices (such as tuned lasers) may be used to activate other mitigation systems such as fixed fire protection systems and emergency response.

Procedural
Emergency response plans reduce the consequences of an incident by activating emergency response teams, shutting down other processes which may contribute to the incident or may be threatened by it, and removing people from the area.

Step 7: Evaluate Enhancements and/or Alternatives

Inherently safer/passive
The buried tank and secondary enclosure options were eliminated by the system designer because of the need to access the equipment by maintenance and operations. The option of locating the equipment outside the fire zone did not apply to the system due to the inventory of flammable material. The designer chose not to use distance as a mitigating control due to the cost, both in piping and real estate, of the installation. Both the fireproof insulation and diking and drainage options mitigate the effects of external fire but do not eliminate them. The system designer elected to not install any of these options based on increased cost. Relief device sizing was done without taking credit for any of these mitigations.

Active
Installation of both fixed fire protection and emergency relief devices can effectively mitigate the effects of external fire. The system designer elected to install both options. Addition of flammable gas, flame or smoke detection can provide warning but will not eliminate the failure scenario. The designer elected not to install the detectors, instead relying on operator surveillance.

Procedural
Procedural controls were not considered sufficient to mitigate the effects of the consequences described in this example. However, the system designer elected to provide an emergency response plan to reduce the magnitude of the consequences.
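Relief-device sizing for the fire case, as an added worked example that is not from the CCPS guidelines: it applies the API RP 520/521 fire-exposure correlation Q = C · F · A^0.82 (BTU/hr; C = 21,000 with adequate drainage and prompt fire fighting, 34,500 without) to a vertical column sump, caps the wetted area at the 25 ft fire-zone height discussed above, and shows what an environmental factor does to the load (F = 1.0 is a bare vessel with no credit, which is what the designer used; F = 0.3 is the 70% heat-input reduction the text mentions). The sump dimensions, the 140 BTU/lb latent heat and the shell-only geometry are assumptions for illustration, not figures from the example.

```python
"""Fire-case relief load for a vertical vessel (API RP 520/521 correlation,
US customary units). Added example, not code from the CCPS guidelines.

Q = C * F * A**0.82   [BTU/hr]
  C = 21,000 with adequate drainage and prompt fire fighting, 34,500 otherwise
  F = environmental factor (1.0 = bare vessel, no credit taken)
  A = wetted surface area inside the fire zone [sq ft]
"""
import math

FIRE_ZONE_HEIGHT_FT = 25.0  # liquid surface above this elevation is not counted
COEFF_ADEQUATE_DRAINAGE = 21000.0
COEFF_NO_DRAINAGE = 34500.0


def wetted_area(diameter_ft, liquid_level_ft, base_elevation_ft=0.0,
                fire_zone_height_ft=FIRE_ZONE_HEIGHT_FT):
    """Wetted shell area of a vertical cylinder that lies inside the fire zone.

    Simplification (assumption): only the cylindrical shell is counted; the bottom
    head is ignored. A vessel standing entirely above the fire zone returns 0.0,
    which is the "locate the equipment above the fire zone" option in the text.
    """
    if diameter_ft <= 0.0 or liquid_level_ft < 0.0 or base_elevation_ft < 0.0:
        raise ValueError("diameter must be positive, level and elevation non-negative")
    top = min(base_elevation_ft + liquid_level_ft, fire_zone_height_ft)
    return math.pi * diameter_ft * max(0.0, top - base_elevation_ft)


def fire_heat_input(wetted_area_sqft, environmental_factor=1.0, adequate_drainage=True):
    """Heat absorbed from an external pool fire, BTU/hr."""
    if not 0.0 < environmental_factor <= 1.0:
        raise ValueError("environmental factor must be in (0, 1]")
    if wetted_area_sqft < 0.0:
        raise ValueError("wetted area must be non-negative")
    coeff = COEFF_ADEQUATE_DRAINAGE if adequate_drainage else COEFF_NO_DRAINAGE
    return coeff * environmental_factor * wetted_area_sqft ** 0.82


def relief_vapor_rate(heat_input_btu_hr, latent_heat_btu_lb):
    """Vapor the relief device must pass, lb/hr, taking all fire heat as latent heat."""
    if latent_heat_btu_lb <= 0.0:
        raise ValueError("latent heat must be positive")
    return heat_input_btu_hr / latent_heat_btu_lb


def fire_case(diameter_ft, liquid_level_ft, latent_heat_btu_lb,
              environmental_factor=1.0, base_elevation_ft=0.0, adequate_drainage=True):
    """Full fire-case chain: geometry -> heat input -> relief vapor rate."""
    area = wetted_area(diameter_ft, liquid_level_ft, base_elevation_ft)
    q = fire_heat_input(area, environmental_factor, adequate_drainage)
    return {
        "wetted_area_sqft": area,
        "heat_input_btu_hr": q,
        "vapor_rate_lb_hr": relief_vapor_rate(q, latent_heat_btu_lb),
    }


if __name__ == "__main__":
    # Assumed sump: 6 ft diameter, 8 ft of bottoms, latent heat 140 BTU/lb (placeholder).
    bare = fire_case(6.0, 8.0, 140.0)                                  # no credit, as the designer did
    credited = fire_case(6.0, 8.0, 140.0, environmental_factor=0.3)    # the 70 % reduction
    for label, r in (("no credit", bare), ("F = 0.3", credited)):
        print(f"{label:9s} A={r['wetted_area_sqft']:.0f} sq ft  "
              f"Q={r['heat_input_btu_hr']:.3e} BTU/hr  W={r['vapor_rate_lb_hr']:.0f} lb/hr")
```

The block stops at the vapor load; converting it to an orifice area follows the API RP 520 equations and needs fluid properties the text does not give. Note that a bare vessel and a water-spray-protected vessel at F = 0.3 differ by a factor of three in required capacity, which is exactly the credit the standards cited above permit but do not allow to be taken to zero.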
Step 8: Determine Tolerability of Risk and Cost
The PSS selected by the designer included installation of fixed fire protection and emergency relief devices and the additional procedural control of an emergency response plan. This system meets the requirements provided by the management guidelines. In the evaluation step, it was determined that a rupture disk/relief valve combination installation was the preferred cost alternative, since the column material of construction (Zirconium 702) was extremely costly, and the combination of a Zirconium disk and a stainless steel relief valve, even with the additional required instrumentation, was significantly less expensive than a Zirconium relief valve alone. The capital project evaluation team determined the cost acceptable to permit installation of the Zirconium disk and a stainless steel relief valve.

Step 9: Documentation
As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.

B.7 INTERNAL DEFLAGRATION (FAILURE SCENARIO C)
Internal deflagrations can occur inside process and storage vessels if oxygen enters to form a flammable atmosphere in the head space of the vessel or tank. Generally, this is a more prevalent condition for batch vessels which are opened frequently during processing operations for material addition or sampling. For this example, the probability of this occurring is near zero, given the high vessel design pressure, unless oxygen is not adequately purged during startup. For large, continuous operations such as distillation, the primary causes for creating a flammable atmosphere in the equipment are improper startup conditions (oxygen is not properly removed after maintenance operations which put air into the vessel) or process upsets or changes which cause air to be drawn in to prevent vacuum collapse of the vessel. For this proposed process, air can only be introduced into the system during startup or maintenance conditions, when the column pressure is near atmospheric.
Therefore the consequences will be estimated not at column operating conditions, but at the condition most likely to lead to the hazard (i.e., atmospheric pressure).

Step 2: Estimate the Consequences
NFPA 69 1997, Chapter 5 gives guidance on the design basis for vessels designed for deflagration pressure containment. The presence of HCl, which acts as a non-flammable diluent and thus reduces the ultimate maximum deflagration pressure, is ignored in order to simplify the analysis. The limiting oxidant concentration (LOC) of VCM, per NFPA 69 1997 Appendix C, is 13.4 volume percent in the nitrogen/air system.
Assuming the vessel to be initially filled with air, the partial pressure of oxygen is that of ambient air, or 0.21 × 14.7 = 3.1 psia. Solving for the total system pressure Pt at which the oxygen concentration equals the LOC:

    Y_O2 = LOC = 0.134
    0.134 = 3.1/Pt
    Pt = 3.1/0.134 = 23 psia

Therefore, the system becomes non-flammable once the total pressure exceeds 23 psia during start-up. Assuming the deflagration is initiated at this pressure, with a maximum pressure rise of 10 times the starting pressure, the final pressure that would be obtained is:

    Pmax = 10 × Pt = 10 × 23 = 230 psia = 215.3 psig

However, the VCM concentration at the initial pressure is approximately 36 volume percent (i.e., 100 - 13.4/0.21). Since this is much richer than the stoichiometric concentration, the deflagration pressure rise ratio should be considerably less than 10. Since the proposed column design pressure is 200 psig, 215.3 psig is less than the 220 psig (design pressure plus the 10% accumulation) allowed for by ASME Code Section VIII 1995. Therefore, the consequence of this situation is within the design limits of the column, and is therefore acceptable. No further analysis is required.

Step 3: Determine Tolerability of Consequences
As stated above, the consequences are acceptable, and no further analysis is required. The system designer may forego any further safety analysis and move to Step 9 to document the failure scenario, consequences and controls.

Step 9: Documentation
As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.

B.8 VACUUM COLLAPSE OF THE COLUMN (FAILURE SCENARIO D)
As discussed for Failure Scenario C, vacuum relief and potential deflagration concerns go hand-in-hand. For vessels not designed for full vacuum, or for a
vessel system where some component of the system limits the available vacuum rating, some method of relieving vacuum conditions due to vapor collapse or liquid pump-out must be provided, or the vessel risks collapse and loss of containment. Distillation operations are particularly susceptible to this effect, since they involve large energy inputs and removals at steady state operation. Therefore, loss of heat input can lead to a large vacuum generation very quickly.

Step 2: Estimate the Consequences
Underpressure (vacuum) concerns in distillation units and other boiling operations occur because of the large energy removal capacity of the overhead condensing systems. Loss of heat input to a distillation operation results in the rapid collapse of vapor at the top of the column, with a corresponding drop in pressure due to the volumetric change from vapor to liquid. Underpressure scenarios are generally of concern because of the loss of containment aspects. Although property damage caused by vacuum collapse of a vessel can be significant, the loss of material to the environment, as well as the potential for pulling air (oxygen) into an otherwise inerted system, constitute potentially more serious scenarios.

Step 3: Determine Tolerability of Consequences
Since this hazard is classified as medium, at least one level of non-procedural safeguard beyond the normal process controls will be required to adequately reduce the risk. Thus, at this stage of development, the consequences are not tolerable.

Step 4: Estimate Likelihood and Risk
Because unmitigated medium-level hazards are unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk
As discussed in Failure Scenario C, the risks presented are not acceptable. A minimum of one non-procedural safeguard is required in addition to the normal controls required to operate the process.
Step 6: Consider Enhanced and/or Alternative Designs From Table 3, Item 22, the following options are available to the system designer for underpressure due to uncontrolled condensation of the vapor phase:
Inherently safer/passive:
• Vessel design accommodating minimum expected pressure, that is, full vacuum (FV) rating
• Insulation
• Open vent
• Locate tank inside building

Active:
• Vacuum relief system
• Inerting/blanketing to minimize vacuum generation
• Feed heater

Procedural:
• Procedures to monitor the addition of materials

Inherently safer/passive
An often-used solution to underpressure hazards is to design vessels to accommodate full vacuum. This is especially attractive if it can be obtained for "free," that is, the wall thickness required for pressure rating is more than sufficient for full 15 psi external pressure. If this option is used, all system components must be capable of a full vacuum rating. The other options listed in this category only apply to storage tanks, where the vapor condensation occurs due to a source external to the process (i.e., ambient temperature change). The presence of a large overhead condenser in distillation operations dwarfs the impact of these other effects.

Active
Vacuum relief systems and introduction of blanketing gases to prevent vacuum generation are related options that should be evaluated jointly. Typically, an inert gas blanketing system supplied via the plant inert gas system is used as the primary means of vacuum relief. This is often backed up by emergency vacuum relief, which introduces only enough air into the system to prevent vessel collapse. The emergency vacuum relief illustrates the type of tradeoff that is sometimes made in safety system design. Although it is not desirable to bring air into a flammable system and cause an internal deflagration, it may be a greater hazard to allow the complete loss of containment of the system due to vessel rupture from vacuum collapse. More detailed analysis may be required to determine the higher risk case.
Procedural Because the potential consequences for this case fall into the medium category, none of the procedural options listed may be used to mitigate this scenario.
Step 7: Evaluate Enhancements and/or Alternatives

Inherently safer/passive
Given the relatively high proposed system design pressure, some investigation into the feasibility of minor vessel modification (such as stiffening rings) to obtain full vacuum rating is advisable. All system components should be included in this analysis to ensure a "weak link" is not inadvertently left in the system.

Active
Inerting was evaluated, both for deflagration prevention and vacuum relief. Since this site has a readily available and reliable source of nitrogen, inerting was included as a part of the PSS package. However, design of the system for vacuum protection is significantly different than for inerting only. Lodal 1995 describes a procedure for sizing vacuum relief systems for distillation operations which can be applied to both the gas blanketing (primary) and vacuum relief (emergency) portions of this system.

Procedural
Procedural controls were not considered sufficient to mitigate the effects of the consequences described in this example.
Step 8: Determine Tolerability of Risk and Cost
The PSS considered by the designer was to change the vacuum rating of the column to accommodate the maximum expected vacuum for this system. Again, from Gallant 1968, the vapor pressure of VCM at -20°F is 7.7 psia, so a new rating accommodating this maximum expected vacuum was proposed. An active inert gas blanketing system designed for inert gas blanketing only was also included. This system meets the requirements provided by the management guidelines for high hazard events. The capital project evaluation team determined the cost acceptable to permit modification of the column specification.
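The two numerical checks in this appendix, the deflagration pressure containment calculation of Failure Scenario C (Step 2 above) and the maximum expected vacuum of Step 8, as an added worked example that is not the guidelines' own code. It reproduces the LOC pressure, the 10× pressure-rise bound and the ASME 10% accumulation comparison with the values from the text, and generalizes the vacuum case into a scan over every system component for a "weak link", as Step 7 recommends. The component vacuum ratings in the demo are assumed; the LOC (13.4 vol%), the 21 vol% oxygen in air, 14.7 psia, the 200 psig design pressure and the 7.7 psia VCM vapor pressure at -20°F are the text's own figures.

```python
"""Design-pressure envelope checks for the VCM column example.
Added worked example; not code from the CCPS guidelines.

Scenario C: air-filled vessel at start-up, fuel added until the mixture is no
longer flammable, deflagration at that pressure, bounded by a pressure-rise ratio.
Scenario D: loss of heat input, contents fall to their vapor pressure at the coldest
credible temperature, external load compared with each component's vacuum rating.
"""
from dataclasses import dataclass

ATM_PSIA = 14.7
O2_FRACTION_AIR = 0.21


@dataclass(frozen=True)
class DeflagrationResult:
    p_start_psia: float    # highest total pressure at which the air/fuel mix is still flammable
    fuel_fraction: float   # fuel volume fraction at that pressure
    p_max_psig: float      # bounding deflagration pressure
    p_allowed_psig: float  # design pressure plus accumulation
    contained: bool


def loc_pressure(loc, o2_fraction=O2_FRACTION_AIR, p_atm=ATM_PSIA):
    """Total pressure at which the oxygen of the initial air fill is diluted to the LOC.

    Only fuel is added, so the O2 partial pressure stays at o2_fraction * p_atm:
        y_O2 = p_O2 / P_t = LOC   ->   P_t = p_O2 / LOC
    """
    if not 0.0 < loc < o2_fraction:
        raise ValueError("LOC must lie between 0 and the O2 fraction of air")
    return o2_fraction * p_atm / loc


def deflagration_check(loc, design_pressure_psig, pressure_ratio=10.0, accumulation=0.10):
    """Bound the deflagration pressure and compare it with design + accumulation."""
    if design_pressure_psig <= 0.0 or pressure_ratio <= 1.0 or accumulation < 0.0:
        raise ValueError("bad design inputs")
    p_t = loc_pressure(loc)
    fuel_fraction = 1.0 - loc / O2_FRACTION_AIR   # air fraction = p_atm / P_t = LOC / 0.21
    p_max_psig = pressure_ratio * p_t - ATM_PSIA
    p_allowed_psig = design_pressure_psig * (1.0 + accumulation)
    return DeflagrationResult(p_t, fuel_fraction, p_max_psig, p_allowed_psig,
                              p_max_psig <= p_allowed_psig)


def vacuum_check(vapor_pressure_psia, component_ratings_psi):
    """External load when the contents sit at vapor_pressure_psia, and the components
    whose vacuum rating (psi external; 15 = full vacuum) cannot carry it."""
    if not 0.0 < vapor_pressure_psia <= ATM_PSIA:
        raise ValueError("vapor pressure must be positive and at or below atmospheric")
    external_psi = ATM_PSIA - vapor_pressure_psia
    weak_links = [name for name, rating in component_ratings_psi.items() if rating < external_psi]
    return external_psi, weak_links


if __name__ == "__main__":
    r = deflagration_check(loc=0.134, design_pressure_psig=200.0)
    print(f"flammable up to {r.p_start_psia:.1f} psia at {r.fuel_fraction:.0%} VCM; "
          f"Pmax {r.p_max_psig:.0f} psig vs {r.p_allowed_psig:.0f} psig allowed; "
          f"contained={r.contained}")
    # Component ratings below are assumed for illustration, not from the example.
    load, weak = vacuum_check(7.7, {"column": 15.0, "condenser": 15.0, "reflux drum": 5.0})
    print(f"external load {load:.1f} psi; weak links: {weak or 'none'}")
```

Running it gives the text's result for the column (about 216 psig against 220 psig allowed, so contained) and shows the point of the component scan: a 7 psi external load is harmless to a full-vacuum column but collapses any attached vessel rated for less, which is the "weak link" Step 7 warns about.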
Step 9: Documentation As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.
B.9 BLOCKED-IN LIQUIDS IN HEAT TRANSFER EQUIPMENT (FAILURE SCENARIO E)
Isolation of streams in energy exchange devices such as heat exchangers can pose the potential for equipment damage due to hydraulic overpressure. While damage to the piece of equipment in question may be significant, hydraulic overpressure incidents rarely lead to shrapnel generation, so their impact is more localized.

Step 2: Estimate the Consequences
The heat exchanger failure scenario of isolated cold side liquid (glycol) while heating may result in an operational deviation of overpressure of the tubeside of the main condenser. Tubeside overpressure may result in minor damage to the equipment and the resulting capital loss and the release of a small amount of process or utility chemicals.

Step 3: Determine Tolerability of Consequences
The consequences of low-level hazards mitigated by normal process controls and operating procedures (such as draining and venting prior to isolation) have been determined to be acceptable risks by the organization represented in this example. Additional safeguards are not required. The system designer may elect to forego any further safety analysis and move to Step 9 to document the failure scenario, consequences and controls. Should the financial risk and/or regulatory requirements posed by the failure scenario require further analysis, the system designer may elect to continue using this or a similar analysis technique.

Step 9: Documentation
As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.

B.10 DOCUMENTATION
It is critical to provide accurate, detailed and readily available documentation of all PSS design bases, so that assumptions can be easily verified, and critical safety components be identified.
This is particularly important when one element of the analysis (e.g., instrumentation) eliminates or mitigates the size
and/or scope of protection of another element (e.g., relief devices). There may also be regulatory recordkeeping requirements, such as those concerning processes covered by the OSHA Process Safety Management Standard, 29 CFR 1910.119 1992 and the EPA Risk Management Plan, 40 CFR 68 1996. Complete mechanical design information of vessels and other process equipment, interlock strategies and alarm points, relief and venting systems sizing bases (including cases that were eliminated through active or passive means) and siting and fire protection design bases all need to be recorded permanently as a part of the process safety information file. Without this information, future modifications to PSS cannot be made until a complete reevaluation of the PSS basis is complete. This reevaluation will be difficult and time consuming without the detailed information on the original basis. Similarly, items used to mitigate or eliminate potential hazards may not be intuitively obvious, as example 2.6.1 in Chapter 2 illustrates so graphically. Here, the use of valve size to limit steam flow to a process reboiler falls into a similar category. Valves are routinely changed to debottleneck processes. If the safety implications of doing so were not clearly documented, an inappropriate substitution could easily be made. Also, since valves do wear and fail, inclusion of this item in the proper documentation ensures that its mechanical integrity (MI) classification as a critical safety element is made. This will facilitate more frequent inspection, testing and replacement than a normal process control device might otherwise receive. Procedural controls are perhaps the most critical of all controls to document well, since identification of safe upper and lower operating limits, and training requirements are critical to gaining and retaining effectiveness. 
Above all, documentation must tell the why as well as the what, so that future evaluators will have the full benefit of the knowledge originally used to specify the system. The P&ID shown in Exhibit B6 represents a summary of the PSS additions to the Basic Process Control System. Note that the interlocks to shut off the steam to the reboiler, including their necessary process measurements, are now included on the P&ID, as is the nitrogen purge system. Other instrumentation additions include those necessary to properly monitor a rupture disc/relief valve combination installation, and pressure measurements to control the primary vacuum relief system.
EXHIBIT B6 Piping and Instrumentation Diagram.
[Figure: P&ID showing the feed, the column, the overhead product line, glycol supply and return to the condensers, a 6" line to the vent stack, and a 2" vacuum vent set at -0.6 psig.]
NOTES: 1. SET SLIGHTLY POSITIVE: 2" W.C. 2. SET PSH [value illegible] PSIG 3. INSTRUMENT NOMENCLATURE PER ISA-S5.1
REFERENCES
API RP 520 1993. Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries. Part I—Sizing and Selection. 6th ed. Washington, DC: American Petroleum Institute.
API RP 520 1994. Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries. Part II—Installation. 4th ed. Washington, DC: American Petroleum Institute.
API RP 521 1990. Guide for Pressure Relieving and Depressuring Systems. 3rd ed. Washington, DC: American Petroleum Institute.
API Std 620 1990. Design and Construction of Large, Welded Low-Pressure Storage Tanks. 8th ed. Washington, DC: American Petroleum Institute.
API Std 650 1993. Welded Steel Tanks for Oil Storage. 9th ed. Washington, DC: American Petroleum Institute.
API RP 752 1995. Management of Hazards Associated with Locations of Process Plants. 1st ed. Washington, DC: American Petroleum Institute.
API RP 2003 1991. Protection Against Ignitions Arising out of Static, Lightning, and Stray Currents. 5th ed. Washington, DC: American Petroleum Institute.
ASME 1995. Boiler and Pressure Vessel Code (Section VIII). New York: American Society of Mechanical Engineers.
CCPS 1989. Guidelines for Chemical Process Quantitative Risk Analysis. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1992. Guidelines for Hazard Evaluation Procedures. Second Edition with Worked Examples. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1994. Guidelines for Safe Automation of Chemical Processes. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1995. Guidelines for Chemical Reactivity Evaluation and Application to Process Design. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1996. Guidelines for Evaluating Process Plant Buildings for Explosions and Fires. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
CCPS 1997a. Guidelines for Pressure Relief and Effluent Handling Systems. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
DIERS 1992. Emergency Relief System Design Using DIERS Technology. DIERS Project Manual. Design Institute for Emergency Relief Systems. New York: American Institute of Chemical Engineers.
EPA (Environmental Protection Agency) 1996. Accidental Release Prevention Provisions. 40 CFR 68. Washington, DC: US Government Printing Office.
Gallant, Robert W. 1968. Physical Properties of Hydrocarbons, Volumes I and II. Houston, TX: Gulf Publishing Company.
Lodal, P.N., Mahanes, J.L., Calvert, J.I. and Keel, J.M. 1995. Revised Emergency Vacuum Relief Device Sizing for Atmospheric Distillation Systems. Journal of Loss Prevention in the Process Industries, 8(6): 331-341.
NFPA 15 1990. Water Spray Fixed Systems for Fire Protection. Quincy, MA: National Fire Protection Association.
NFPA 69 1997. Standard on Explosion Prevention Systems. Quincy, MA: National Fire Protection Association.
NFPA 77 1993. Recommended Practice on Static Electricity. Quincy, MA: National Fire Protection Association.
NFPA 101 1997. Code for Safety to Life from Fire in Buildings and Structures. Quincy, MA: National Fire Protection Association.
NFPA 704 1996. Standard System for the Identification of the Hazards of Materials for Emergency Response. Quincy, MA: National Fire Protection Association.
OSHA 1992. Process Safety Management of Highly Hazardous Chemicals. 29 CFR 1910.119. Washington, DC: Occupational Safety and Health Administration.
OSHA 1995. Flammable and Combustible Liquids. 29 CFR 1910.106. Washington, DC: Occupational Safety and Health Administration.
Yaws, C.L. 1977. Physical Properties. In Chemical Engineering. New York: McGraw Hill.

Suggested Additional Reading
API Std 2000 1992. Venting Atmospheric and Low Pressure Storage Tanks. 4th ed. Washington, DC: American Petroleum Institute.
CCPS 1997b. Guidelines for Chemical Process Quantitative Risk Analysis. 2nd ed. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.
NFPA 30 1993. Flammable and Combustible Liquids Code. Quincy, MA: National Fire Protection Association.
NFPA 58 1995. Liquefied Petroleum Gases. Quincy, MA: National Fire Protection Association.
NFPA 68 1994. Venting of Deflagrations. Quincy, MA: National Fire Protection Association.
GLOSSARY
Administrative Controls: See Design Solutions.

Autoignition Temperature: The autoignition temperature of a substance, whether solid, liquid, or gaseous, is the minimum temperature required to initiate or cause self-sustained combustion, in air, with no other source of ignition.

Basic Event: An event in a fault tree that represents the lowest level of resolution in the model such that no further development is necessary (e.g., equipment item failure, human failure, or external event).

Boiling-Liquid-Expanding-Vapor Explosion (BLEVE): A type of rapid phase transition in which a liquid contained above its atmospheric boiling point is rapidly depressurized, causing a nearly instantaneous transition from liquid to vapor with a corresponding energy release. A BLEVE is often accompanied by a large fireball if a flammable liquid is involved, since an external fire impinging on the vapor space of a pressure vessel is a common BLEVE scenario. However, it is not necessary for the liquid to be flammable to have a BLEVE occur.

Basic Process Control System (BPCS): The control equipment which is installed to support normal production functions.

Bonding: The process of connecting two or more conductive objects together by means of a conductor.

Car Seal: A metal or plastic cable used to fix a valve in the open position (car seal open) or closed position (car seal closed). Proper authorization, controlled via administrative procedures, must be obtained before operating the valve. The physical seal should have suitable mechanical strength to prevent unauthorized valve operation. Indiscriminate use of the "car sealing" policy can lead to the dilution of this administrative safeguard.

Catastrophic Incident: An incident involving a major uncontrolled emission, fire or explosion that causes significant damage, injuries and/or fatalities onsite and often has an outcome effect zone that extends into the surrounding community.
Combustible Liquid: A term used to classify certain liquids that will burn on the basis of flash points. The National Fire Protection Association (NFPA) defines a "combustible liquid" as having a flash point of 100°F (37.8°C) or higher. See also "Flammable Liquid". Combustible liquids do not ignite as easily as flammable liquids; however, combustible liquids can be ignited when heated and must be handled with caution. Class II liquids have flash points at or above 100°F, but below 140°F. Class III liquids are subdivided into two subclasses. Class IIIA: Those having flash points at or above 140°F but below 200°F. Class IIIB: Those having flash points at or above 200°F.

Common Mode Failure: An event having a single cause with multiple failure effects which are not consequences of each other.

Critical Event: A critical event is an event with a specified, high consequence such as an event involving an offsite community impact, critical system damage, a severe injury or a fatality.

Critical Event Frequency: The frequency of occurrence of a critical event.

Dead-heading: A blockage on the discharge side of a pump/compressor which results in the flow reducing to zero and the discharge pressure increasing to a maximum value characteristic of the machine. The maximum discharge pressure can be obtained from the pump/compressor curves for centrifugal machines.

Deflagration: The chemical reaction of a substance in which the reaction front advances into the unreacted substance at less than the sonic velocity in the unreacted material. Where a blast wave is produced that has the potential to cause damage, the term explosive deflagration may be used.

Deflagration to Detonation Transition: A reaction front that starts out with velocities below the speed of sound and subsequently accelerates to velocities higher than the speed of sound is said to have undergone a Deflagration to Detonation Transition. The possibility of transition is enhanced by confinement/turbulence generators in the path of the reaction front.
Detonation: A release of energy caused by the extremely rapid chemical reaction of a substance in which the reaction front advances into the unreacted substance at equal to or greater than the sonic velocity in the unreacted material.

Design Institute for Emergency Relief Systems (DIERS): Institute under the auspices of the American Institute of Chemical Engineers founded to investigate requirements for emergency relief systems for chemically reactive systems which often involve multiphase flow.

Design Solutions—Inherently Safer, Passive, Active, and Procedural: Inherently safer design solutions eliminate or mitigate the hazard by using materials and process conditions that are less hazardous. Examples of inherently safer solutions include:
• Substituting water for a flammable solvent
• Reducing or eliminating inventories of hazardous intermediates
Approaches to the design of inherently safer processes and plants are usually grouped into four major strategies:
• Minimize. Use smaller quantities of hazardous substances (also called Intensification).
• Substitute. Replace a material with a less hazardous substance.
• Moderate. Use less hazardous conditions, a less hazardous form of a material, or facilities which minimize the impact of a release of hazardous material or energy (also called Attenuation and Limitation of Effects).
• Simplify. Design facilities which eliminate unnecessary complexity and make operating errors less likely, and which are forgiving of errors which are made (also called Error Tolerance).

Passive design solutions do not require any device to sense and/or actively respond to a process variable and have very reliable mechanical design. Examples of passive design solutions include:
• Using incompatible hose couplings, nonsplash filling using permanently installed dip-pipes, permanent grounding and bonding via continuous metal equipment and pipe rather than with removable cables
• Designing high pressure equipment to contain overpressure hazards such as internal deflagration
• Containing hazardous inventories with a dike that has a bottom sloped to a remote impounding area, which is designed to minimize surface area.

Active design solutions require devices to monitor a process variable and function to mitigate a hazard. Frequently, active solutions involve a considerable maintenance and procedural component and are therefore typically less reliable than inherently safer or passive solutions. To achieve necessary reliability, redundancy is often used to eliminate conflict between production and safety requirements (such as having to shut down a unit to maintain a relief valve). Active solutions are sometimes referred to as engineering controls.
Examples of active solutions include:
• Using a pressure safety valve or rupture disk to prevent vessel overpressure
• Interlocking a high level sensing device to a vessel inlet valve and pump motor to prevent liquid overfill of the vessel
• Installing check valves

Procedural design solutions require a person to perform an action to avoid a hazard. This would include following a standard operating procedure or responding to an indication of a problem such as an alarm, an instrument reading, a noise, a leak, or a sampling result. Since an individual is involved in performing the corrective action, consideration needs to be given to human factors issues, e.g., overalarming, improper allocation of tasks between machine and person, inadequate support culture. Because of the human factors involved, procedural solutions are generally the least reliable of the four categories. Procedural solutions are sometimes referred to as administrative controls. Examples of procedural solutions include:
• Following standard operating procedures to keep process operations within established equipment mechanical design limits
• Manually closing a feed isolation valve in response to a high level alarm to avoid tank overfilling
• Executing preventive maintenance procedures to prevent equipment failures
• Manually attaching bonding and grounding systems

Distributed Control System: A system which divides process control functions into specific areas interconnected by communications (normally data highways) to form a single entity. It is characterized by digital controllers and typically by central operation interfaces.

Dow Fire and Explosion Index (F&EI): A method (developed by Dow Chemical Company) for ranking the relative fire and explosion risk associated with a process. Analysts calculate various hazard and explosion factors using material characteristics and process data.

Emergency Relief Device: A device that is designed to open during emergency or abnormal conditions to prevent rise of internal fluid pressure in excess of a specified value. The device also may be designed to prevent excessive internal vacuum. The device may be a pressure relief valve, a nonreclosing pressure relief device, or a vacuum relief valve.

Emergency Shutdown Device: A device that is designed to shut down the system to a safe condition on command from the emergency shutdown system.

Emergency Shutdown System: The safety control system which overrides the action of the basic control system and shuts down the process when predetermined conditions are violated.

Equipment Reliability: The probability that, when operating under stated environment conditions, process equipment will perform its intended function adequately for a specified exposure period.

Explosion: A rapid or sudden release of energy that causes a pressure discontinuity or blast wave.
Fail-Safe: Design features which provide for the maintenance of safe operating conditions in the event of a malfunction of control devices or an interruption of an energy source (e.g., direction of failure of a control valve on loss of signal). A system is fail-safe if failure of a component, signal, or utility initiates an action that maintains the system in a safe condition.

Failure: An unacceptable difference between expected and observed performance.

Failure Mode and Effects Analysis (FMEA): A failure identification methodology where the failure modes of a component or sub-system are identified. An analysis of the effects of these failure modes on the safety of the entire system is performed.

Fire Point: The temperature at which a liquid continues to burn when the ignition source is removed.

Flammability Limits: The range of gas or vapor concentration in air that will burn if a flame or other ignition source is present. The range represents a gas or vapor mixture with air that may ignite or explode. Usually, the wider the range the greater the fire potential. See also Lower Flammable Limit and Upper Flammable Limit.

Flammable Liquid: A "Flammable Liquid" is defined by NFPA as a liquid with a flash point below 100°F (37.8°C). Flammable liquids provide ignitable vapor at room temperatures and must be handled with caution. Precautions such as bonding and grounding must be taken. Flammable liquids are Class I liquids and may be subdivided as follows:
Class IA: Those having flash points below 73°F and having a boiling point below 100°F
Class IB: Those having flash points below 73°F and having a boiling point at or above 100°F
Class IC: Those having flash points at or above 73°F and below 100°F

Flash Fire: The combustion of an unconfined flammable vapor and air mixture in which flame passes through that mixture at less than sonic velocity, such that negligible damaging overpressure is generated.

Flash Point: The lowest temperature at which vapors above a liquid will ignite at a pressure of 760 mm Hg absolute. The temperature at which vapor will burn while in contact with an ignition source, but which will not continue to burn after the ignition source is removed. There are several flash point test methods, and flash points may vary for the same material depending on the method used. Consequently, the test method is indicated when the flash point is given. A closed cup type test is used most frequently for regulatory purposes. The lower the flash point temperature of a liquid, the greater the fire hazard following a release.

Froth-over: When water is present or enters a tank containing hot viscous oil, the sudden conversion of water to steam causes a portion of the tank contents to overflow.

Fugitive Emissions: Emissions of material from process equipment due to leakage.

Grounding: The process of connecting one or more conducting objects to the ground. It is a specific form of bonding.
Hazard: An inherent chemical or physical characteristic that has the potential for causing damage to people, property, or the environment. In this document it is typically the combination of a hazardous material, an operating environment, and certain unplanned events that could result in an accident.

Hazard Analysis: The identification of undesired events that lead to the materialization of a hazard, the analysis of the mechanisms by which these undesired events could occur, and usually the estimation of the consequences.

Hazard and Operability Study (HAZOP): A systematic qualitative technique to identify process hazards and potential operating problems using a series of guide words to study process deviations. A HAZOP is used to question every part of a process to discover what deviations from the intention of the design can occur and what their causes and consequences may be. This is done systematically by applying suitable guide words. It is a systematic, detailed review technique, for both batch and continuous plants, which can be applied to new or existing processes to identify hazards.

Hazardous Material: In a broad sense, any substance or mixture of substances having properties capable of producing adverse effects on health, safety or the environment. These dangers may arise from, but are not limited to, toxicity, reactivity, instability, or corrosivity.

Human Factors: A discipline concerned with designing machines, operations, and work environments so that they match human capabilities, limitations, and needs. Includes any technical work (engineering, procedure writing, worker training, worker selection, etc.) related to the human factor in operator-machine systems.

Inert Gas: A noncombustible, nonreactive gas that renders the combustible material in a system incapable of supporting combustion.

Inherently Safe: A system is inherently safe if it remains in a nonhazardous situation after the occurrence of nonacceptable deviations from normal operating conditions.

Interlock System: A system that detects out-of-limits or abnormal conditions or improper sequences and either halts further action or starts corrective action.

Intrinsically Safe: Equipment and wiring which is incapable of releasing sufficient electrical or thermal energy under normal or abnormal conditions to cause ignition of a specific hazardous atmospheric mixture or hazardous layer.

Likelihood: A measure of the expected frequency with which an event occurs. This may be expressed as a frequency (e.g., events per year), a probability of occurrence during a time interval (e.g., annual probability), or a conditional probability (e.g., probability of occurrence, given that a precursor event has occurred).

Limiting Oxidant Concentration (LOC): The limiting oxidant concentration (LOC) is that concentration of oxidant below which a deflagration (flame propagation in the gas, mist, suspended dust, or hybrid mixture) cannot occur.
For most hydrocarbons where oxygen is the oxidant and nitrogen is the diluent, the LOC is approximately 9 to 11 vol% oxygen. The LOC for dusts is dependent on the composition and particle size distribution of the solid. Values of LOC for most organic chemical dusts lie in the range of 10 to 16 vol% oxygen, again where nitrogen is the diluent.

Lower Flammable Limit (LFL): The lowest concentration of a vapor or gas (the lowest percentage of the substance in air) that will produce a flash of fire when an ignition source (heat, arc, or flame) is present. See also Upper Flammable Limit. At concentrations lower than the LFL, the mixture is too "lean" to burn.

Minimum Explosible Concentration (MEC): The lowest concentration of combustible dust necessary to produce an explosion.

Minimum Ignition Energy (MIE): Initiation of flame propagation in a combustible mixture requires an ignition source of adequate energy and duration to overcome radiative and conductive heat losses to the cooler surrounding material. Dust and vapor clouds may be readily ignited if exposed to electric discharges that exceed the minimum ignition energy (MIE) for the combustible mixture.

Mitigation: Reducing the risk of an accident event sequence by taking protective measures to reduce the likelihood of occurrence of the event, and/or reduce the magnitude of the event, and/or minimize the exposure of people or property to the event.

Net Positive Suction Head (NPSH): The net static liquid head that must be provided on the suction side of the pump to prevent cavitation.

Oxidant: Any material that can react with a fuel (either gas, dust or mist) to produce combustion. Oxygen in air is the most common oxidant.

Pool Fire: The combustion of material evaporating from a layer of liquid at the base of the fire.

Procedural Design Solution: See Design Solutions.

Process Safety: A discipline that focuses on the prevention and mitigation of fires, explosions, and accidental chemical releases at process facilities. Excludes classic worker health and safety issues involving working surfaces, ladders, protective equipment, etc.

Piping and Instrument Diagram (P&ID): A diagram that shows the details about the piping, vessels, and instrumentation.

Process Flow Diagram (PFD): A diagram that shows the material flow from one piece of equipment to the other in a process. It usually provides information about the pressure, temperature, composition, and flow rate of the various streams, heat duties of exchangers, and other such information pertaining to understanding and conceptualizing the process.

Process Hazard Analysis (PHA): A structured procedure whereby hazards associated with a process are identified and evaluated.

Pressure Relief Valve (PRV): A relief valve is a spring loaded pressure relief valve actuated by static pressure upstream of the valve. The valve opens normally in proportion to the pressure increase over opening pressure. A relief valve is normally used with incompressible fluids.
Pressure Safety Valve (PSV): A safety valve is a spring loaded pressure relief valve actuated by static pressure upstream of the valve and characterized by rapid opening or pop action. A safety valve is normally used with compressible fluids.

Process Safety System (PSS): A process safety system comprises the design, procedures, and hardware intended to operate and maintain the process safely.

Programmable Electronic System (PES): A system based on a computer connected to sensors and/or actuators in a plant for the purpose of control, protection or monitoring (includes various types of computers, programmable logic controllers, peripherals, interconnect systems, instrument distributed control system controllers, and other associated equipment).

Programmable Logic Controller (PLC): A microcomputer-based solid-state control system which receives inputs from user-supplied control devices such as switches and sensors, implements them in a precise pattern determined by instructions stored in the PLC memory, and provides outputs for control of user-supplied devices such as relays and motor starters.

Purge Gas: A gas that is continuously or intermittently added to a system to render the atmosphere nonignitable. The purge gas may be inert or combustible.

Quenching: Rapid cooling from an elevated temperature; e.g., severe cooling of the reaction system in a short time (almost instantaneously) "freezes" the status of a reaction and prevents further decomposition or reaction.

Reactors:
Continuous-flow Stirred Tank Reactor (CSTR): A reaction vessel in which the feed is continuously added, and the products continuously removed. The vessel (tank) is continuously stirred to maintain a uniform concentration within the vessel.
Plug Flow Reactor (PFR): A plug flow reactor is a tubular reactor where the feed is continuously introduced at one end and the products continuously removed from the other end. The concentration/temperature in the reactor is not uniform.
Batch Reactor: In a batch reactor, the reactants are added to the reactor at the start of the reaction. The reactants are allowed to react in the reactor for a fixed time. No feed is added or product withdrawn during this time. The reaction products are removed at the end of the batch.
Semi-Batch Reactor: In a semi-batch reactor, some reactants are added to the reactor at the start of the batch, while others are fed continuously during the course of the reaction.

Runaway: A thermally unstable reaction system which exhibits an uncontrolled accelerating rate of reaction.

Safety Instrument System (SIS): The instrumentation, controls, and interlocks provided for safe operation of the process.
Safety Layer: A system or subsystem that is considered adequate to protect against a specific hazard. The safety layer
• is totally independent of any other protective layers
• cannot be compromised by the failure of another safety layer
• must have acceptable reliability
• must be approved according to company policy and procedures
• must meet proper equipment classification
• may be a noncontrol alternative (i.e., chemical, mechanical)
• may require diverse hardware and software packages
• may be an administrative procedure

Source Term: The estimated release parameters such as release mass, flow rate, velocity, temperature, concentration, aerosol content, density, etc. which are used as input to dispersion models. The source term modeling is usually based on mathe-
nonconfined space (i.e., not in vessels, buildings, etc.). The flame speed may accelerate to high velocities and produce significant blast overpressure. Vapor cloud explosions in plant areas with dense equipment layouts may show acceleration in flame speed and intensification of blast.

Upper Flammable Limit (UFL): The highest concentration of a vapor or gas (the highest percentage of the substance in air) that will produce a flash of fire when an ignition source (heat, arc, or flame) is present. See also Lower Flammable Limit. At concentrations higher than the UFL, the mixture is too "rich" to burn.

Vapor Density: The weight of a vapor or gas compared to the weight of an equal volume of air at the same temperature and pressure; an expression of the density of the vapor or gas. Materials lighter than air have vapor densities less than 1.0 (examples: acetylene, methane, hydrogen). Materials heavier than air (examples: propane, hydrogen sulfide, ethane, butane, chlorine, sulfur dioxide) have vapor densities greater than 1.0. All vapors and gases will mix with air, but the lighter materials will tend to rise and dissipate. It should be kept in mind that when gases which have vapor densities less than 1.0 are released into the atmosphere, the release mass itself may be heavier than air depending on the release temperature and aerosol content. Heavier vapors and gases are likely to concentrate in low places (along or under floors, in sumps, sewers and manholes, in trenches and ditches) and can travel great distances undetected where they may create fire or health hazards.

Valve Failure Positions: In the event of instrument air or electrical power failure, valves either Fail Closed (FC), Fail Open (FO), or Fail in the last position (FL). The position of failure must be carefully selected so as to bring the system to, or leave the system in, a safe operating state.

Vapor Pressure: The pressure exerted by a vapor above its own liquid. The higher the vapor pressure, the easier it is for a liquid to evaporate and fill the work area with vapors which can cause health or fire hazards.

Venting: Emergency flow of vessel contents out of a vessel. The pressure is controlled or reduced by venting, thus avoiding a failure of the vessel by overpressurization. The emergency flow can be one-phase or multi-phase, each of which results in different flow characteristics.
ACRONYMS AND ABBREVIATIONS
ACGIH: American Conference of Government Industrial Hygienists
ACI: American Concrete Institute
ACS: American Chemical Society
AGA: American Gas Association
AIChE: American Institute of Chemical Engineers
AIHA: American Industrial Hygiene Association
AISC: American Institute of Steel Construction
AISI: American Iron and Steel Institute
AIT: Autoignition temperature
ANSI: American National Standards Institute
APFA: American Pipe Fittings Association
API: American Petroleum Institute
ASM: American Society for Metals
ASME: American Society of Mechanical Engineers
ASSE: American Society of Safety Engineers
ASNT: American Society for Nondestructive Testing
ASTM: American Society for Testing and Materials
AWS: American Welding Society
BLEVE: Boiling Liquid Expanding Vapor Explosion
BPCS: Basic Process Control System
Btu: British thermal unit
BTX: Benzene, Toluene, and Xylene
CAA: Clean Air Act
CAAA: Clean Air Act Amendments
CCPS: Center for Chemical Process Safety
CEM: Continuous Emissions Monitor
CERCLA: Comprehensive Environmental Response, Compensation, and Liability Act
CFR: Code of Federal Regulations
CGA: Compressed Gas Association
CIA: Chemical Industries Association
CMA: Chemical Manufacturers Association
CRT: Cathode Ray Tube
CSTR: Continuous-Flow Stirred-Tank Reactor
CWA: Clean Water Act
DAF: Dissolved Air Flotation
DCS: Distributed Control System
DDT: Deflagration to Detonation Transition
DIERS: Design Institute for Emergency Relief Systems
DIPPR: Design Institute for Physical Property Data
DOT: Department of Transportation
DPC: Deflagration Pressure Containment
EEGL: Emergency Exposure Guidance Level
EJMA: Expansion Joint Manufacturers Association
EPA: Environmental Protection Agency
EPRI: Electric Power Research Institute
ERPG: Emergency Response Planning Guideline
ERS: Emergency Relief System
ERD: Emergency Relief Design
ESCIS: Expert Commission for Safety in the Swiss Chemical Industry
ESD: Emergency Shutdown Device
FIBC: Flexible Intermediate Bulk Containers
F&EI: Fire and Explosion Index
FMEA: Failure Mode and Effects Analysis
FMEC: Factory Mutual Engineering Corporation
FRP: Fiber Reinforced Plastic
GPM: Gallons Per Minute
GPSA: Gas Processors Suppliers Association
HAZOP: Hazard and Operability study
HEI: Heat Exchanger Institute
HMB: Heat and Material Balance
hp: horsepower
HSE: Health and Safety Executive
HVAC: Heating, Ventilation, and Air Conditioning
IChemE: The Institution of Chemical Engineers
LEL: Lower Explosive Limit
LFL: Lower Flammable Limit
LNG: Liquefied Natural Gas
LOC: Limiting Oxidant Concentration
LPG: Liquefied Petroleum Gas
mA: milliampere
MAWP: Maximum Allowable Working Pressure
MEC: Minimum Explosible Concentration
MIE: Minimum Ignition Energy
mJ: millijoule
MSDS: Material Safety Data Sheet
MSS: Manufacturers Standardization Society
NACE: National Association of Corrosion Engineers
NAS: National Academy of Science
NBIC: National Board Inspection Code
NEC: National Electrical Code
NEMA: National Electrical Manufacturers Association
NESC: National Electrical Safety Code
NDE: Nondestructive examination
NFPA: National Fire Protection Association
NIOSH: National Institute of Occupational Safety and Health
NPCA: National Paint and Coatings Association
NPDES: National Pollutant Discharge and Elimination System
NPSH: Net Positive Suction Head
NRC: National Research Council
NSPS: New Source Performance Standards
NTIAC: Nondestructive Testing Information Analysis Center
OSHA: Occupational Safety and Health Administration
PCB: Polychlorinated Biphenyl
PEL: Permissible Exposure Limit
PES: Programmable Electronic System
PFD: Process Flow Diagram
PFR: Plug Flow Reactor
PLC: Programmable Logic Controller
P&ID: Piping and Instrumentation Diagram
PHA: Process Hazard Analysis
PID: Proportional Integral Derivative
ppm: parts per million
pS: picoSiemen
PSD: Process Safety Device
PSV: Pressure Safety Valve
PSS: Process Safety System
PVRV: Pressure-Vacuum Relief Valve
RCRA: Resource Conservation and Recovery Act
RP: Recommended Practice
RT: Radiographic testing
RTD: Resistance Temperature Detector
SCBA: Self-contained Breathing Apparatus
SCC: Stress Corrosion Cracking
scf: standard cubic foot
SAE: Society of Automotive Engineers
SIS: Safety Interlock System
SPCC: Spill Prevention Control and Countermeasures
SPEGL: Short-term Public Emergency Guidance Level
SPFE: Society of Fire Protection Engineers
SSPC: Steel Structures Painting Council
TEMA: Tubular Exchanger Manufacturer Association
TLV: Threshold Limit Value
TOC: Total Organic Compounds
TSCA: Toxic Substance Control Act
UBC: Uniform Building Code
UEL: Upper Explosive Limit
UFL: Upper Flammable Limit
UL: Underwriters Laboratory Inc.
UPS: Uninterruptible power supply
UT: Ultrasonic testing
UVCE: Unconfined Vapor Cloud Explosion
VOC: Volatile Organic Compound
WEEL: Workplace Environmental Exposure Limit
Index
(Index terms with page links)

A
Absorption equipment, 79
Adsorption equipment, 79
Agitation (vessels), 57
Air cooled exchangers, 88
American Petroleum Institute, 188
ASME Boiler and Pressure Vessel Code, 183, 186, 205

B
Batch centrifuge explosion case history, 128
Batch chemical reactor example problem, 179
Batch pharmaceutical reactor accident case history, 39
Batch reactors, 61
Blowers, 117
Blowing agent blender operation explosion case history, 138
Boilers, 149
Brittle fracture heat exchanger case history, 90
Bucket elevator explosion case history, 139

C
Case histories, 37, 61, 79, 89, 101, 117, 127, 138, 149, 161
Catalytic incinerators, 149
Centrifuges, 127
Chemical storage terminal fire case history, 162
Cold box explosion case history, 91
Comminution equipment, 137
Compressor fire and explosion case history, 118
Compressors, 117
Continuous flow stirred tank reactors, 61
Continuous sulfonation reaction explosion case history, 63
Conveying dryers, 101
Conveyors, 137
Coode Island, 162
Cyclones, 127

D
Design bases for safety systems, 9, 20
Design Institute for Emergency Relief Systems, 186, 208
3,4-Dichloroaniline autoclave case history, 62
Direct contact exchangers, 88
Distillation column critical concentration case history, 80
Distillation equipment, 79
Distillation system example problem, 203
Dryers, 101
Drying of compound fertilizers case history, 102
Dust collector explosion case history, 129
Dust collectors, 127

E
Electrostatic precipitators, 127
Emergency relief system, 30
EPA Risk Management Program, 200
Ethylene cracking furnace overfiring case history, 150
Ethylene oxide redistillation column explosion case history, 89
Ethylene purifier vessel rupture case history, 80
External corrosion case history, 163
Extraction equipment, 79

F
Failure scenarios, 45, 69, 84, 95, 106, 122, 132, 144, 154, 168
Filter explosion case history, 128
Filters, 127
Fired equipment, 149
Fires in cellulose acetate dryer case history, 102
Flixborough expansion joint failure case history, 161
Fluid bed dryers, 101
Fluid bed reactors, 61
Fluid transfer equipment, 117
Furnace tube failure case history, 150
Furnaces, 149

H
Heat exchangers, 88
Heat transfer equipment, 89
High flow (piping), 171
High temperature (dryers), 113
High temperature (fired equipment), 157
High temperature (heat transfer), 97
High temperature (mass transfer), 85
High temperature (reactors), 75
High temperature (separators), 133
High temperature (solids handling), 147
High temperature (vessels), 54
High temperature (piping), 170
High/low level (mass transfer), 86

I
Ignition of pyrophoric materials in gasoline fractionator case history, 81
Incinerators, 149
In-process vessels, 37

L
Light-off error case history, 149
Line pluggage case history, 163
Locked open valve (design case), 27
Loss of containment (fluid transfer), 125
Loss of containment (heat transfer), 98
Loss of containment (piping), 172
Loss of containment (separators), 134
Loss of containment (solids handling), 148
Loss of containment (vessels), 57
Low flow (fired equipment), 159
Low flow (fluid transfer), 124
Low level (fired equipment), 159
Low level (vessels), 57
Low temperature (fired equipment), 158
Low temperature (heat transfer), 98
Low temperature (piping), 171
Low temperature (vessels), 55

M
Mass transfer equipment, 79
Mechanical conveyors, 137

O
OSHA Process Safety Management, 182
Overfill (vessels), 55
Overpressure (dryers), 106
Overpressure (fired equipment), 154
Overpressure (fluid transfer), 122
Overpressure (heat transfer), 95
Overpressure (mass transfer), 84
Overpressure (piping), 168
Overpressure (reactors), 69
Overpressure (separators), 132
Overpressure (solids handling), 144
Overpressure (vessels), 45
Overspeed (fluid transfer), 125, 200

P
Packed bed reactors, 61
Packed tube reactors, 61
Pharmaceutical powder dryer fire and explosion case history, 102
Piping and piping components, 161
Plug flow tubular reactors, 61
Pneumatic conveying systems, 137
Powder blenders, 137
Pressurized tanks, 37
Process furnaces, 149
Pump leak fire case history, 118
Pumps, 117

R
Reactor (batch chemical) example problem, 179
Reactor relief system (design case), 30
Reactors, 61
Reciprocating pump leak case history, 117
Relief system, reactor (design case), 30
Reverse flow (fluid transfer), 124
Reverse flow (piping), 172
Reverse flow (reactors), 76
Risk matrix, 18
Risk tolerability, 14
Risk, 7
Rollover, 42
Rotary dryers, 101
Runaway reactions, 41, 62, 187

S
Safety systems design bases, 9
Screw conveyor explosion case history, 139
Scrubbing equipment, 79
Semi-batch reactors, 61
Seveso runaway reaction case history, 62
Shell and tube exchangers, 88
Sieving equipment, 137
Silicon grinder fire and explosion case history, 138
Solid-fluid separators, 127
Solids enlargement equipment, 137
Solids feeders, 137
Solids handling and processing equipment, 137
Spray dryers, 101
Spray granulators and coaters, 137
Stapleton international airport, 118
Startup of parallel centrifugal pumps case history, 119
Storage tank autopolymerization case history, 37
Storage tank stratification case history, 38
Storage tanks, 37
Stripping equipment, 79

T
Thermal incinerators, 149
Tray dryers, 101

U
Underpressure (dryers), 113
Underpressure (fired equipment), 157, 20
Underpressure (heat transfer), 97
Underpressure/vacuum (mass transfer), 85
Underpressure/Vacuum (vessels), 51

V
Vessels, 37

W
Washing equipment, 79
Wrong composition (fired equipment), 159
Wrong composition (heat transfer), 98
Wrong composition (mass transfer), 87
Wrong composition (piping), 175
Wrong composition (reactors), 76
Wrong composition (vessels), 59
Wrong composition/phase (fluid transfer), 126

This page has been reformatted by Knovel to provide easier navigation.