
GUIDELINES FOR
DESIGN SOLUTIONS FOR PROCESS EQUIPMENT FAILURES

CENTER FOR CHEMICAL PROCESS SAFETY of the AMERICAN INSTITUTE OF CHEMICAL ENGINEERS
345 East 47th Street • New York, New York 10017

Copyright © 1998
American Institute of Chemical Engineers
345 East 47th Street
New York, New York 10017

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior permission of the copyright owner.

Library of Congress Cataloging-in-Publication Data
Guidelines for design solutions for process equipment failures.
p. cm.
Includes bibliography and index.
ISBN 0-8169-0684-X
1. Chemical plants—Safety measures. 2. Petroleum refineries—Safety measures. 3. Hazardous materials—Safety measures. I. American Institute of Chemical Engineers. Center for Chemical Process Safety. II. Title: Design solutions for process equipment failures.
TP155.5.G784 1997 97-20538
660/.280^-dc21 CIP

This book is available at a special discount when ordered in bulk quantities. For information, contact the Center for Chemical Process Safety at the address shown above.

It is sincerely hoped that the information presented in this volume will lead to an even more impressive safety record for the entire industry; however, the American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers' officers and directors and Arthur D. Little Corporation disclaim making or giving any warranties or representations, express or implied, including with respect to fitness, intended purpose, use or merchantability and/or correctness or accuracy of the content of the information presented in this document. As between (1) American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers, their employers' officers and directors, and Arthur D. Little Corporation and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the consequences of its use or misuse.

FOREWORD

Engineers like to think of their discipline as a rigorous application of scientific and mathematical principles to the problem of creating a useful object. To a certain extent, this is an appropriate description of the tools of engineering—those techniques that we use to translate a concept in the mind of the designer into a physical object. But, where does that mental image of the object to be built come from? At its heart, engineering is intuitive, and an art form. The engineer/designer's accumulated experience, and that of others, is applied to a defined problem. By intuitive and creative problem solving processes the engineer develops and refines a conceptual design, and uses the mathematical and scientific tools of engineering to translate a mental concept into reality.

The selection of the design basis for a process safety system is a problem like any other engineering problem. There is no equation or formula, no scientific principle, which will define the "best" design. Yes, there are scientific and mathematical tools which will help convert a design concept into something which can actually be constructed. But there is no general answer to the question "What is the best design?" Each system must be considered on its own, with a thorough evaluation of all of the details of its environment and required functions, to determine what the optimal design will be.

The number of potential solutions to any engineering problem is large. For each specific problem, there will be some solutions which meet the overall objectives better than others. How can we best find the optimal solution? I believe that the critical first step is to consider a large number of potential solutions, thereby increasing the likelihood that the best solution will be among those identified. Where do we get those potential solutions? One important source is accumulated experience—our own, and that of others who have faced similar problems in the past. This book collects much of that accumulated experience from a large number of experts in the chemical process industry for equipment in common use. Use of the tables which make up the heart of this book will allow the reader to take advantage of many years of practical experience. By considering a large number of potential solutions to the problem of specifying the design basis for safety systems, the design engineer is more likely to be able to identify the solution which best meets his needs.

This book emphasizes a risk-based approach to the evaluation of safety system design. Potential safety systems suggested are categorized as inherently safer/passive, active, and procedural, in decreasing order of robustness and reliability. Inherently safer approaches are often preferred, but there can be no general answer to the question of which approach or specific solution is best for a particular situation. Instead, the design engineer must take a very broad and holistic approach to the complete design, accounting for the many different, and often competing, objectives which the design must accomplish. Safety, health effects, environmental impact, loss prevention, economic and business factors, product quality, technical feasibility, and many other factors must be considered. This book challenges the engineer to adopt a risk-based approach to evaluating many competing goals when deciding among a number of potential design alternatives.

This book can be extremely useful in conducting process hazard analysis studies. The failure mode tables in Chapters 3-12 can be the basis for hazard identification checklists, and also offer a variety of potential solutions for identified concerns. However, the book will be even more beneficial if used by the individual engineer at the earliest stages of the design process, before any formal hazard reviews.

The message of this book can be summarized very briefly:

• Consider a large number of design options
• Identify opportunities for inherent and passive safety features early
• Use a risk-based approach to process safety systems specification

I hope that this book will find a home on the desk (not gathering dust on the bookshelf!) of every chemical process designer, particularly those involved in the earliest phases of conceptual design where the basic chemistry and unit operations are defined. It should be consulted frequently in the course of the designer's day to day work in specifying and designing process facilities. If you are a process safety professional, make sure that all of the process design engineers in your organization read and use this book. It will make your job a lot easier!

Dennis C. Hendershot

PREFACE

The Center for Chemical Process Safety (CCPS) was established in 1985 by the American Institute of Chemical Engineers (AIChE) for the express purpose of assisting the Chemical and Hydrocarbon Process Industries in avoiding or mitigating catastrophic chemical accidents. To achieve this goal, CCPS has focused its work on four areas:

• establishing and publishing the latest scientific and engineering practices (not standards) for prevention and mitigation of incidents involving toxic and/or reactive materials,

• encouraging the use of such information by dissemination through publications, seminars, symposia and continuing education programs for engineers,

• advancing the state-of-the-art in engineering practices and technical management through research in prevention and mitigation of catastrophic events, and

• developing and encouraging the use of undergraduate education curricula which will improve the safety knowledge and consciousness of engineers.

This book, Guidelines for Design Solutions for Process Equipment Failures, is the result of a project begun in 1994 in which a group of volunteer professionals representing major chemical, pharmaceutical and hydrocarbon processing companies, worked with Arthur D. Little Inc., the contractor, to produce a book that attempts to describe the ways that major processing equipment can fail and be the cause of a catastrophic accident. The book then identifies the available design solutions that might avoid or mitigate the failure in a series of options ranging from inherently safer/passive solutions to active and procedural solutions. The book is concerned with engineering design that reduces risk due to process hazards only. It does not focus on operations, maintenance, transportation or personnel safety issues, although improved process safety can benefit each area. Detailed engineering designs are outside the scope of the work, but the authors have provided an extensive guide to the literature to assist the designer who wishes to go beyond safety design philosophy to the specifics of a particular safety system design.

By capturing industry experience in how major processing equipment can fail, the book provides a very useful tool for the selection of process safety systems which should be of service to process design engineers as well as members of process hazards analysis teams. The inherently safer solutions that are suggested may, in some cases, come as a surprise to the process and design engineer in that they may in fact be the most cost effective solution as well, if a true life cycle analysis is made of the cost of maintaining add-on safety systems or the resulting cost of operator failure to carry out procedural controls is considered. In other cases the procedural solution may be the best choice because it involves operators so that they may better understand and therefore better control the process as opposed to the replacement of operator intelligence with process interlocks. The book offers engineers inherently safer/passive, active and procedural design solutions but, ultimately, engineers must make the case for the solutions that best satisfy their company's requirements for a balance between risk reduction and cost.

This book has been organized into three major sections:

• First, a technique is provided for making risk-based design decisions.

• Second, a description of potential failure scenarios is presented for ten major processing equipment categories along with the potential design solutions that are available to the engineer.

• Third, the book contains two worked examples that illustrate how the risk-based decision technique can be applied to two process plant systems.

The major equipment categories that are covered are: Vessels, Reactors, Mass Transfer Equipment, Heat Transfer Equipment, Dryers, Fluid Transfer Equipment, Solid-Fluid Separators, Solids Handling and Processing Equipment, Fired Equipment, and Piping and Piping Components. The potential equipment failure scenarios and design solutions for each equipment category are provided in tabular form in each equipment chapter. To facilitate use of this information, particularly in hazard identification studies such as HAZOPs, these tables have been provided in electronic format on a 3.5" diskette as Microsoft Word® files. It is hoped that this will encourage the expansion of these tables based on the users' experience.

ACKNOWLEDGMENTS

The Center for Chemical Process Safety (CCPS) and those involved in its operation wish to thank its many sponsors whose funding made this project possible, the members of its Technical Steering Committee who conceived of and supported this Guidelines project and the members of its Engineering Practices Subcommittee for their dedicated efforts, technical contributions, and enthusiasm. The subcommittee played a major role in the writing of the book by suggesting examples, by offering failure scenarios for the major equipment covered in the book and by suggesting possible design solutions. It is their collective industrial experience captured in this book that makes the book especially valuable to the process and design engineer. The members of the subcommittee wish to thank their employers for providing time and support to participate in this project.

The members of the Engineering Practices Subcommittee were:

Robert H. Walz (Chairman), ABB Lummus Global Inc.
Laurence G. Britton, Union Carbide Corp.
Stephen E. Cloutier, UOP
Glenn R. Davis, DuPont
Kenneth W. Linder, Industrial Risk Insurers
Peter N. Lodal, Eastman Chemical Co.
Joseph B. Mettalia, Jr., CCPS Staff
John A. Noronha, Eastman Kodak Co.
Carl A. Schiappa, Dow Chemical USA

Technical contributors and reviewers were:

Steven R. Bruce, EQE International
Myron Casada, JBF Associates Inc.
William F. Early, Early Consulting, L. C.
Rudolph C. Frey, The M. W. Kellogg Company
John A. Hoffmeister, Lockheed Martin Energy Systems
T. Janicik, Mallinckrodt Inc.
Robert W. Johnson, Battelle
Joseph Keel, The Bechtel Corporation
D. Harper Meek, ARCO Chemical Company
Mark A. Moderski, Stone & Webster Engineering Corporation
Harvey Rosenhouse, FMC Corporation
Stanley J. Schecter, Consultant
Adrian L. Sepeda, Occidental Chemical Corporation
Anthony A. Thompson, Monsanto Company
Lester H. Wittenberg, CCPS

The Engineering Practices Subcommittee is particularly indebted to its chairman, Bob Walz, for his leadership, and to Peter Lodal of Eastman Chemical Company and Joe Keel of The Bechtel Corporation for their dedicated efforts in preparing the VCM/HCl fractionation worked example in the book. Dennis C. Hendershot of the Rohm and Haas Company wrote the foreword to the book and is appreciated for his ongoing interest in this project and his able assistance and review of the work as it was being produced. Sanjeev Mohindra, P. J. Bellomo and R. Peter Stickles directed the project at Arthur D. Little, Inc. and were the authors of the risk-based design technique described in Chapter 2. Stanley S. Grossel, consultant and former chairman of the Engineering Practices Subcommittee, was the author of Chapter 4 (Reactors), Chapter 7 (Dryers), Chapter 9 (Solid-Fluid Separators), Chapter 10 (Solids Handling and Processing Equipment) and the Batch Reactor worked example.

v This page has been reformatted by Knovel to provide easier navigation.

Contents

Foreword ............ xiii
Preface ............ xv
Acknowledgments ............ xvii
1. Introduction ............ 1
1.1 Objectives ............ 1
1.2 Scope ............ 2
1.3 Background ............ 2
1.4 Applicability and Audience ............ 3
1.5 Organization of This Book ............ 3
1.6 References ............ 4
Suggested Additional Reading ............ 4
2. Technique for Selecting the Design Bases for Process Safety Systems ............ 5
2.1 Risk-Based Design Decisions ............ 5
2.2 The Concept of Risk ............ 7
2.3 Selection of Design Bases for Safety Systems ............ 9
2.3.1 Step 1: Identify Failure Scenarios ............ 9
2.3.2 Step 2: Estimate the Consequences ............ 9
2.3.3 Step 3: Determine Tolerability of Consequences ............ 11
2.3.4 Step 4: Estimate Likelihood and Risk ............ 11
2.3.5 Step 5: Determine Tolerability of Risk ............ 12


2.3.6 Step 6: Consider Enhanced and/or Alternative Designs ............ 12
2.3.7 Step 7: Evaluate Enhancements and/or Alternatives ............ 13
2.3.8 Step 8: Determine Tolerability of Risk and Cost ............ 13
2.3.9 Step 9: Document Results ............ 13
2.4 Guidelines for Risk Tolerability ............ 14
2.5 Potential Process Safety Systems Design Solutions ............ 20
2.5.1 Four Categories of Design Solutions ............ 20
2.5.2 Characteristics of Design Solution Categories ............ 24
2.6 Applying the Risk-Based Design Bases Selection Technique ............ 27
2.6.1 Locking Open a Valve (a Simple Design Case) ............ 27
2.6.2 Selecting the Relief System Basis for a Reactor (a Complex Design Case) ............ 30
2.7 References ............ 34
Suggested Additional Reading ............ 35
3. Vessels ............ 37
3.1 Introduction ............ 37
3.2 Past Incidents ............ 37
3.2.1 Storage Tank Autopolymerization Incident ............ 37
3.2.2 Storage Tank Stratification Incident ............ 38
3.2.3 Batch Pharmaceutical Reactor Accident ............ 39
3.3 Failure Scenarios and Design Solutions ............ 40
3.4 Discussion ............ 40
3.4.1 Use of Potential Design Solutions Table ............ 40
3.4.2 Special Considerations ............ 41


3.5 References ............ 43
Suggested Additional Reading ............ 44
Table 3. Failure Scenarios for Vessels ............ 45
4. Reactors ............ 61
4.1 Introduction ............ 61
4.2 Past Incidents ............ 61
4.2.1 Seveso Runaway Reaction ............ 62
4.2.2 3,4-Dichloroaniline Autoclave Incident ............ 62
4.2.3 Continuous Sulfonation Reaction Explosion ............ 63
4.3 Failure Scenarios and Design Solutions ............ 63
4.4 Discussion ............ 64
4.4.1 Use of Potential Design Solutions Table ............ 64
4.4.2 General Discussion ............ 64
4.4.3 Special Considerations ............ 66
4.5 References ............ 67
Suggested Additional Reading ............ 68
Table 4. Failure Scenarios for Reactors ............ 69
5. Mass Transfer Equipment ............ 79
5.1 Introduction ............ 79
5.2 Past Incidents ............ 79
5.2.1 Distillation Column Critical Concentration ............ 80
5.2.2 Ethylene Purifier Vessel Rupture ............ 80
5.2.3 Ignition of Pyrophoric Materials in Gasoline Fractionator ............ 81
5.3 Failure Scenarios and Design Solutions ............ 82
5.4 Discussion ............ 82
5.4.1 Use of Potential Design Solutions Table ............ 82
5.4.2 Special Considerations ............ 82


5.5 References ............ 83
Suggested Additional Reading ............ 83
Table 5. Failure Scenarios for Mass Transfer Equipment ............ 84
6. Heat Transfer Equipment ............ 89
6.1 Introduction ............ 89
6.2 Past Incidents ............ 89
6.2.1 Ethylene Oxide Redistillation Column Explosion ............ 89
6.2.2 Brittle Fracture of a Heat Exchanger ............ 90
6.2.3 Cold Box Explosion ............ 91
6.3 Failure Scenarios and Design Solutions ............ 92
6.4 Discussion ............ 92
6.4.1 Use of Potential Design Solutions Table ............ 92
6.4.2 Special Considerations ............ 92
6.5 References ............ 93
Suggested Additional Reading ............ 94
Table 6. Failure Scenarios for Heat Transfer Equipment ............ 95
7. Dryers ............ 101
7.1 Introduction ............ 101
7.2 Past Incidents ............ 101
7.2.1 Drying of Compound Fertilizers ............ 102
7.2.2 Fires in Cellulose Acetate Dryer ............ 102
7.2.3 Pharmaceutical Powder Dryer Fire and Explosion ............ 102
7.3 Failure Scenarios and Design Solutions ............ 103
7.4 Discussion ............ 103
7.4.1 Use of Potential Design Solutions Table ............ 103
7.4.2 Special Considerations ............ 103


7.5 References ............ 104
Suggested Additional Reading ............ 104
Table 7. Failure Scenarios for Dryers ............ 106
8. Fluid Transfer Equipment ............ 117
8.1 Introduction ............ 117
8.2 Past Incidents ............ 117
8.2.1 Reciprocating Pump Leak ............ 117
8.2.2 Pump Leak Fire ............ 118
8.2.3 Compressor Fire and Explosion ............ 118
8.2.4 Start-up of Parallel Centrifugal Pumps ............ 119
8.3 Failure Scenarios and Design Solutions ............ 119
8.4 Discussion ............ 119
8.4.1 Use of Potential Design Solutions Table ............ 119
8.4.2 Special Considerations ............ 120
8.5 References ............ 121
Suggested Additional Reading ............ 121
Table 8. Failure Scenarios for Fluid Transfer Equipment ............ 122
9. Solid-Fluid Separators ............ 127
9.1 Introduction ............ 127
9.2 Past Incidents ............ 127
9.2.1 Batch Centrifuge Explosion ............ 128
9.2.2 Filter Explosion ............ 128
9.2.3 Dust Collector Explosion ............ 129
9.3 Failure Scenarios and Design Solutions ............ 129
9.4 Discussion ............ 130
9.4.1 Use of Potential Design Solutions Table ............ 130
9.4.2 Special Considerations ............ 130
9.5 References ............ 131


Suggested Additional Reading ............ 131
Table 9. Failure Scenarios for Solid-Fluid Separators ............ 132
10. Solids Handling and Processing Equipment ............ 137
10.1 Introduction ............ 137
10.2 Past Incidents ............ 138
10.2.1 Silicon Grinder Fire and Explosion ............ 138
10.2.2 Blowing Agent Blender Operation Explosion Incident ............ 138
10.2.3 Screw Conveyor Explosion ............ 139
10.2.4 Bucket Elevator Explosion ............ 139
10.3 Failure Scenarios and Design Solutions ............ 139
10.4 Discussion ............ 140
10.4.1 Use of Potential Design Solutions Table ............ 140
10.4.2 General Discussion ............ 140
10.4.3 Special Considerations ............ 140
10.5 References ............ 142
Suggested Additional Reading ............ 143
Table 10. Failure Scenarios for Solids Handling and Processing Equipment ............ 144
11. Fired Equipment ............ 149
11.1 Introduction ............ 149
11.2 Past Incidents ............ 149
11.2.1 Light-off Error ............ 149
11.2.2 Ethylene Cracking Furnace Overfiring ............ 150
11.2.3 Furnace Tube Failure ............ 150
11.3 Failure Scenarios and Design Solutions ............ 151
11.4 Discussion ............ 151
11.4.1 Use of Potential Design Solutions Table ............ 151


11.4.2 Special Considerations ............ 151
11.5 References ............ 152
Suggested Additional Reading ............ 153
Table 11. Failure Scenarios for Fired Equipment ............ 154
12. Piping and Piping Components ............ 161
12.1 Introduction ............ 161
12.2 Past Incidents ............ 161
12.2.1 Flixborough Expansion Joint Failure ............ 161
12.2.2 Chemical Storage Terminal Fire ............ 162
12.2.3 Line Pluggage ............ 163
12.2.4 External Corrosion ............ 163
12.3 Failure Scenarios and Design Solutions ............ 163
12.4 Discussion ............ 164
12.4.1 Use of Potential Design Solutions Table ............ 164
12.4.2 Special Considerations ............ 164
12.5 References ............ 166
Suggested Additional Reading ............ 166
Table 12. Failure Scenarios for Piping and Piping Components ............ 168
Appendix A Example Problem: Batch Chemical Reactor ............ 179
A.1 System Description ............ 179
A.2 General Information Requirements ............ 181
A.3 PSS Discussion for Batch Reactors ............ 182
A.3.1 Vessel Design and Primary Containment ............ 182
A.3.2 Control Systems and Safe Automation ............ 183
A.3.3 Pressure and Vacuum Relief ............ 186
A.3.4 Fixed Fire Protection and Passive Mitigation ............ 187


A.4 Selection of Design Bases for Safety Systems ............ 187
A.5 Ignition of Flammable Atmosphere in the Reactor Vapor Space Caused by Static Discharge Spark (Failure Scenario A) ............ 193
A.6 Cooling System Control Failure (Failure Scenario B) ............ 194
A.7 External Fire (Failure Scenario C) ............ 196
A.8 Loss of Sealing Fluid to Reactor Agitator Mechanical Seal (Failure Scenario D) ............ 197
A.9 Ignition of Flammable Atmosphere in Reactor Vapor Space Caused by Hot Mechanical Seal (Failure Scenario E) ............ 199
A.10 Documentation ............ 200
References ............ 201
Suggested Additional Reading ............ 201
Appendix B Example Problem: Distillation System ............ 203
B.1 System Description ............ 204
B.2 General Information Requirements ............ 204
B.3 PSS Discussion for Distillation Operations ............ 206
B.3.1 Vessel Design and Primary Containment ............ 206
B.3.2 Control Systems and Safe Automation ............ 207
B.3.3 Pressure and Vacuum Relief ............ 209
B.3.4 Fixed Fire Protection, Passive Mitigation and System-Wide Concerns ............ 210
B.4 Design Basis Selection Process ............ 210
B.5 Uncontrolled Energy Input (Failure Scenario A) ............ 215
B.6 External Fire (Failure Scenario B) ............ 220
B.7 Internal Deflagration (Failure Scenario C) ............ 225
B.8 Vacuum Collapse of the Column (Failure Scenario D) ............ 226


B.9 Blocked-in Liquids in Heat Transfer Equipment (Failure Scenario E) ............ 230
B.10 Documentation ............ 230
References ............ 233
Suggested Additional Reading ............ 234
Glossary ............ 235
Acronyms and Abbreviations ............ 245
Index ............ 249

1 INTRODUCTION

The Center for Chemical Process Safety (CCPS) publication Guidelines for Engineering Design for Process Safety (CCPS 1993) emphasized the importance of focusing on process safety at the earliest stages of design. The 1993 Guidelines presented process safety design philosophies and approaches to avoid catastrophes through:

• Making good initial design choices

• Understanding and controlling chemical processing hazards

The purpose of this book is to provide a companion book to the 1993 Guidelines. This book narrows the design focus further, concentrating on known process safety problems and associated design solutions for specific types of process equipment.

1.1 OBJECTIVES

A broad objective of this book is to help in the design and evaluation of specific types of process equipment, from a process safety standpoint. The overall goal is to help reduce process safety related incidents and resulting downtime. More specific objectives include:

• Providing a risk-based and cost-based technique for selecting the design bases for process safety systems

• Listing known process safety failure scenarios associated with different categories/types of process equipment

• Identifying known design solutions that prevent or mitigate risks associated with the various failure scenarios

• Illustrating application of the risk-based technique with worked examples

This book compiles successful safety system design approaches, so that design engineers can benefit from the prior experiences of the industry at large, and thus avoid known design traps. Having all this equipment-specific failure scenario information—and associated design solution discussions—in one reference should facilitate design and risk analysis in the process industries.

1.2 SCOPE

The focus of this work is the avoidance of acute, catastrophic incidents that can result in:

• Fires

• Explosions

• Releases of toxic chemicals

• Major equipment damage

The scope of this volume specifically excludes:

• Transportation safety

• Routine environmental control

• Personnel safety and industrial hygiene practices

Although detailed engineering design and process safety management are not emphasized in this book, engineers who are involved in those activities will benefit greatly from the concepts and information discussed.

1.3 BACKGROUND

Since its inception in 1985, CCPS has advocated deliberate process safety approaches in all aspects of facility design, operation, and maintenance. Yet unlike other technical endeavors of the engineer, the day-to-day practice of process safety has often lacked a deliberate, systematic approach. How often have engineers installed process safety systems simply because it "felt" like the right thing to do or because it "seemed" to make the overall process safer?

In the evolution of its process safety thinking, CCPS has sensed the need to state and discuss what some might find obvious:

• Analogous to the sizing and specification of process equipment, process safety systems have specific design bases.

• Process safety system design decisions deserve systematic technical approaches similar to those associated with other process design decisions.

• The designs of process facilities should, from the outset, accommodate known or potential failure scenarios associated with the types of equipment employed.

Thus, the reason for producing this book is to capture the hard-won experience of industry experts in understanding how process equipment can fail and how these failures could be avoided through proper design. No attempt is made to provide detailed design suggestions, but the reader is supplied with a guide to the available literature that should enable him or her to investigate potential designs in some depth.

1.4 APPLICABILITY AND AUDIENCE

The history of process safety related incidents suggests that engineers have lessons to learn about the most "standard" process equipment and components, such as storage tanks, pumps, and piping systems. Accordingly, these guidelines apply to standard process equipment and components and their known, related failure scenarios—for both new and existing process facilities. Given the broad range of standard process equipment covered, this book should apply to a wide variety of system designs.

While it is expected that this book will have general appeal to anyone involved in process design or process safety evaluation, the book is intended for a particular audience. This audience is comprised of (1) process design engineers, (2) plant operations and maintenance engineers, and (3) process hazard analysis (PHA) leaders and teams. Readers can benefit from the wealth of knowledge derived from others' experiences, informed judgment, and proven design solutions. PHA leaders and teams should find the book useful as a reference for possible failure mechanisms to consider during PHAs.

1.5 ORGANIZATION OF THIS BOOK

This book begins with this brief introductory chapter, followed by Chapter 2, which presents a practical and systematic technique for selecting the design bases for process safety systems. A series of "equipment chapters" follows, presenting known failure scenarios for the specific equipment in question alongside associated design solutions. Finally, the book concludes with an appendix comprised of two worked examples. In summary, this book has four parts:

Chapter 1. Introduction

Chapter 2. Technique for Selecting Process Safety System Design Bases

Chapters 3-12. Equipment Chapters

Appendix. Worked Examples

The equipment chapters comprise the bulk of this book. The content of these chapters is standardized and includes: (1) equipment descriptions, (2) past incidents, (3) discussions of potential design solutions, and (4) failure scenario tables. The heart of an equipment chapter is the failure scenario table. This table presents failure scenarios in a format similar to a PHA log sheet.

Alongside each failure scenario, process safety system design solutions are presented and divided into categories as described in 2.5.1:

• Inherently Safer/Passive systems

• Active systems

• Procedural systems

Since the first two categories of Inherently Safer and Passive can overlap, they are presented in a single column as Inherently Safer/Passive. In addition to addressing the risk reduction of associated failure scenarios, discussions of process safety system design solutions touch on issues impacting system operability and maintainability. Chapter 2 provides a deeper discussion of the design solution categories and their scope of coverage within this book. Chapter 2 should be studied before using the information in Chapters 3-12.

1.6 REFERENCES

CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

Suggested Additional Reading

Lees, F. P. 1996. Loss Prevention in the Process Industries. 2nd Edition. Oxford, UK: Butterworth-Heinemann.

Bollinger, R. E., Clark, D. G., Dowell, A. M., Ewbank, R. M., Hendershot, D. C., Lutz, W. K., Meszaros, S. I., Park, D. E., and Wixom, E. D. 1996. Inherently Safer Chemical Processes: A Life Cycle Approach, ed. D. A. Crowl. New York: American Institute of Chemical Engineers.

Englund, S. M. 1991. Design and Operate Plants for Inherent Safety, Part 1, Chemical Engineering Progress, 85-91, March, 1991; Part 2, Chemical Engineering Progress, 79-86, May, 1991.

Lin, D., Mittelman, A., Halpin, V. and Cannon, D. 1994. Inherently Safer Chemistry: A Guide to Current Industrial Processes to Address High Risk Chemicals. Office of Pollution Prevention and Toxics, September 21, 1994. Washington, DC: US Environmental Protection Agency.

Lutz, W. K. 1995. Putting Safety into Chemical Plant Design. Chemical Health and Safety, November/December, 1995.

2 TECHNIQUE FOR SELECTING THE DESIGN BASES FOR PROCESS SAFETY SYSTEMS

2.1 RISK-BASED DESIGN DECISIONS

Anyone involved with process or equipment design sooner or later faces the problem of choosing among alternative designs with differing process efficiency, safety, environmental control, cost, and schedule implications. To accomplish this, the formation of a multidisciplinary design team is required at the beginning of a project in order to obtain total integration of process safety with process design and environmental protection considerations (Windhorst 1995). Sometimes the safety considerations clearly dominate and the decisions are already made in the form of special design approaches (e.g., design of nitromethane and ethylene oxide facilities). In some instances codes and standards exist that either mandate or suggest design approaches to known high risks.

In a majority of situations, however, no one factor dominates, except perhaps cost. When there are recognized safety implications, optimizing on cost alone is not an acceptable strategy. In the process of arriving at a design basis decision, the risks of each option are typically dealt with judgmentally or qualitatively (CCPS 1995a). In some instances, one component of risk is quantified (i.e., either consequence or probability) to justify the design selection. For large projects, full risk quantification is sometimes used to assess the combined impacts of multiple hazards.

To take a generic case, imagine a core process design at the stage of an initial process flow diagram, whereby designers have specified the general configuration of all major system equipment (i.e., for all primary unit operations). At this point, the design is defined in terms of heat and material balances, and basic process controls.

With the core system established, an engineering team proceeds to detail and enhance the process design. Questions of quality, safety, health, and environmental impact arise. Designers begin imagining things that can go wrong with the system (i.e., failure scenarios). Focusing here on process safety systems, we suggest that designers begin thinking like risk analysts, asking:

• What can go wrong? What failure scenarios can we realistically expect with this process?

• What impact can those failure scenarios have? Can we live with such consequences?

• Do we need to worry about these potential failure scenarios actually happening? How likely are they to occur?

• What is the risk? Can we tolerate the potential consequences at the estimated likelihood?

Historically, design engineers have typically answered these questions according to their own best judgment. This is how process safety systems came to be: designers made risk-based decisions when considering the need for, and when selecting design bases for, process safety systems.

If posed at the conceptual stage of a process design, these questions offer great opportunity for the application of inherently safer design solutions. While inherently safer solutions should emerge as recurring themes throughout the design cycle (i.e., laboratory stage, pilot plant scale, production design, operations), the earlier the application of inherently safer solutions, the more cost-effective these solutions will be.

It is important to recognize that, irrespective of the specific approaches and the level of effort, engineers and technical managers are already directly or indirectly factoring risk into the selection of design options. Unfortunately, the process used to assess risk is often neither systematic nor comprehensive. This chapter presents a decision process for design bases selection that explicitly incorporates the elements of risk into process safety system design selection. The purpose of this technique is not to require designers to conduct rigorous risk assessments, but rather to provide a logical approach and framework for considering risk factors, even when the situation only warrants qualitative analysis. This decision process can be applied at any stage of the design.

A systematic technique can provide a consistent risk management framework for process safety system design basis decisions. Inconsistencies in approach can develop not only between different processes and facilities, but also within large, complex design projects, where different design engineers may follow different risk management philosophies.

Consistency with respect to risk tolerability decisions is necessary to assure all stakeholders (e.g., owners, employees, customers, and the general public) that risks are being properly managed. In some countries, governments are also explicit stakeholders in the effort to reduce the risk of chemical industry accidents, providing such regulations as OSHA 1992, EPA 1996, and HSE 1989. Consequently, having a consistent, documented technique for the selection and design of process safety systems is not only prudent management, it is evolving into a regulatory requirement.

However, systematic does not necessarily imply quantitative. Quantitative risk assessment is similar to strong medication—you don't want to overdose! In many simple design situations, qualitative approaches will satisfy the requirements of the technique for selecting process safety system design bases. More complex design cases may occasionally require rigorous quantitative risk analysis approaches. But even in these complex cases, quantitative approaches should only be employed to the degree required to make a decision. This concept of the selective use of quantitative risk analysis has been incorporated into the technique presented later in the chapter.

For example, consider a company that has toxic impact criteria limiting potential off-site vapor concentrations to a specific, quantified level of concern. By performing vapor dispersion calculations (i.e., by quantitatively characterizing the consequences of potential releases), the company can determine whether particular loss of containment scenarios associated with specific failures exceed the toxic impact criteria. If the consequences of a scenario satisfy the off-site toxic impact tolerability criteria, then the quantification of the risk stops right there. No analysis of event likelihood is needed to reach a decision.

2.2 THE CONCEPT OF RISK

As mentioned earlier, the design basis selection technique for process safety systems set forth later in this chapter is a risk-based technique. An overview of the concept of risk is therefore useful before presentation of the technique.

In prior CCPS books, discussions of risk evolved from the definition of hazard. These earlier works defined a hazard as a chemical or physical condition or characteristic that has the potential for causing damage to people, the environment, or property (CCPS 1989; CCPS 1993). A hazard represents a potential source of harm.

Based on this concept of hazard, we can define an incident as an unplanned event or series of events with the potential for undesirable consequences (CCPS 1992a). An incident has the potential to expose people, the environment, or property to the harmful effects of a hazard.

Risk is defined as a measure of loss in terms of both "the incident likelihood and the magnitude of the loss" (CCPS 1989). This concept of risk couples an undesirable outcome, i.e., a consequence such as safety impact or financial loss, with the likelihood of that outcome. The likelihood is expressed in terms of frequency or probability of occurrence. The outcome is expressed in terms of impacts such as loss of life, environmental damage, or business interruption.

In summary, inherent in the assessment of risk are the dimensions of consequences (outcomes/impacts) and likelihood (frequency/probability). Various techniques, both qualitative and quantitative, have evolved for assessment of risk. It is not the intent of this book to cover these techniques. A thorough discussion of this subject can be found in Guidelines for Chemical Process Quantitative Risk Assessment (CCPS 1989) and Guidelines for Chemical Transportation Risk Analysis (CCPS 1995b). For the purpose of this book, the description of four key risk assessment steps in Exhibit 2.1 suffices.

EXHIBIT 2.1 Four Key Integrated Activities in Risk Analysis

Activity 1. Hazard Identification

• Systematic identification of hazards and related failure scenarios that can lead to incidents

• Frequently involves application of standard techniques such as HAZOP, FMEA, and What-If

Activity 2. Consequence Estimation

• Process used to estimate the consequence of failure scenarios

• Typically involves a range of activities from simple application of qualitative damage criteria to complex computer models for characterizing impacts of hazardous materials releases that result in fires, explosions, and toxic vapor clouds

• Characterization of the release conditions (i.e., source term) is a critical step in quantitative consequence analysis, having great influence on the validity of the results

Activity 3. Likelihood Estimation

• Process used to estimate the likelihood (probability or frequency) of a particular incident or outcome

• Where available, historical data are used to quantify the likelihood

• When historical data are unavailable, incomplete, or inappropriate, analytical approaches such as fault trees and event trees are employed to determine the likelihood of incidents/outcomes based on more fundamental failure data

Activity 4. Risk Estimation

• Process of combining consequence and likelihood estimations of all selected scenarios into a measure of overall risk

• Includes various ways of displaying risk such as individual risk contours or overall likelihood of various levels of consequence

• Prioritization of risks
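The following Python example is added here to make activities 3 and 4 of Exhibit 2.1 concrete; it is not code from the Guidelines. It derives a scenario frequency from an initiating-event frequency and the failure probabilities of independent safeguards (the "more fundamental failure data" route of activity 3), then combines frequency and consequence over all scenarios into an expected annual loss and a frequency-of-exceedance table, and ranks the scenarios (activity 4). The scenario names, frequencies, loss values and safeguard probabilities are constructed illustrative inputs, not data from any source.

```python
"""Risk estimation helpers for activities 3 and 4 of Exhibit 2.1.

Added example, not from the CCPS Guidelines. All numbers below are constructed
illustrative values.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Scenario:
    """One failure scenario with its likelihood and consequence estimates."""
    name: str
    frequency_per_year: float  # likelihood estimate (activity 3)
    consequence: float         # consequence estimate, here a loss in dollars (activity 2)


def scenario_frequency(initiator_per_year: float, safeguard_pfds: Sequence[float]) -> float:
    """Likelihood from fundamental failure data when history is unavailable (activity 3).

    Simple event-tree logic: the initiating event must occur AND every independent
    safeguard must fail on demand. Each PFD is one safeguard's probability of
    failure on demand; the safeguards are assumed independent of each other.
    """
    if initiator_per_year < 0 or any(not 0.0 <= p <= 1.0 for p in safeguard_pfds):
        raise ValueError("initiator frequency must be >= 0 and each PFD must lie in [0, 1]")
    frequency = initiator_per_year
    for pfd in safeguard_pfds:
        frequency *= pfd
    return frequency


def expected_annual_loss(scenarios: Sequence[Scenario]) -> float:
    """Overall risk as the sum of frequency x consequence over all scenarios (activity 4)."""
    return sum(s.frequency_per_year * s.consequence for s in scenarios)


def exceedance_frequencies(scenarios: Sequence[Scenario],
                           levels: Sequence[float]) -> Dict[float, float]:
    """Overall likelihood of reaching each consequence level or worse (activity 4).

    For each level the result is the combined frequency of every scenario whose
    consequence is at least that level, the frequency-versus-severity display
    that Exhibit 2.1 lists alongside risk contours.
    """
    return {
        level: sum(s.frequency_per_year for s in scenarios if s.consequence >= level)
        for level in levels
    }


def prioritize(scenarios: Sequence[Scenario]) -> List[Scenario]:
    """Rank scenarios by their individual risk contribution, highest first."""
    return sorted(scenarios, key=lambda s: s.frequency_per_year * s.consequence, reverse=True)


# Constructed sample data (not from the Guidelines).
SAMPLE_SCENARIOS = [
    Scenario("Pump seal leak, small fire", 1e-2, 2e5),
    Scenario("Overpressure, relief to atmosphere", 1e-3, 5e5),
    # Likelihood built from a 0.1/yr initiator and two independent safeguards
    # with constructed PFDs of 0.1 and 0.05.
    Scenario("Tank overfill, large spill", scenario_frequency(0.1, [0.1, 0.05]), 5e6),
]

if __name__ == "__main__":
    print("expected annual loss:", expected_annual_loss(SAMPLE_SCENARIOS))
    for level, freq in exceedance_frequencies(SAMPLE_SCENARIOS, [1e5, 1e6]).items():
        print(f"frequency of loss >= {level:g}: {freq:.2e} per year")
    for s in prioritize(SAMPLE_SCENARIOS):
        print("priority:", s.name)
```

The exceedance table is the one output that qualitative judgment cannot easily reproduce: it shows that the low-frequency overfill scenario, not the frequent seal leak, governs the risk at the million-dollar level, which is exactly the ordering the prioritization step needs.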

2.3 SELECTION OF DESIGN BASES FOR SAFETY SYSTEMS

This section describes a systematic risk-based technique for selecting the design bases for process safety systems. Use of the technique imposes discipline on the thought process, yet allows for flexibility in application. The design bases selection technique is comprised of a number of analysis and testing steps detailed graphically in a decision tree (see Exhibit 2.2).

2.3.1 Step 1: Identify Failure Scenarios

Step 1 assumes the existence of a core process design. Whether a new process or a modification of an existing process, designers have specified the major equipment, including heat and material balances. With this core system established, address things that can go wrong, i.e., failure scenarios. For example, refer to the equipment chapters of this book, consult design checklists, or perform hazard evaluations by employing the standard techniques described in Guidelines for Hazard Evaluation Procedures (CCPS 1992b).

2.3.2 Step 2: Estimate the Consequences

In this step, estimate the consequences of the failure scenarios identified in step 1. In general terms, these can relate to quality, safety, health, and environmental impacts. For these Guidelines, consequences of interest include fires, explosions, toxic material releases, and major equipment damage. Engineers may, in some cases, uncover potential consequences by direct observation, engineering judgment or use of qualitative consequence criteria. In other cases the use of quantitative consequence estimation techniques may be necessary.

Consequence estimation requires information on the physical, chemical and toxic nature of the materials involved in the process, the quantity of material which could be involved in a scenario, the impact of each scenario on the surroundings (facility siting) and an economic evaluation of the impact of equipment damage and lost production.

This information can be obtained from the MSDS or other sources of product safety information. This, combined with the quantity of material in the process, can be used to assess fire, explosion and toxic effects using appropriate source terms, dispersion calculations and effect models for scenarios with the potential for materials release to the environment. Facility siting issues may also be brought in at this point.

Economic consequences must also be evaluated. These are highly dependent on such factors as alternative sources of supply, availability of alternative production facilities, and replacement units.

EXHIBIT 2.2 Technique for Selecting the Design Bases for Process Safety Systems

Step 1: Identify failure scenarios
  |
Step 2: Estimate the consequences
  |
Step 3: Are consequences tolerable?  YES: go to Step 9.  NO: go to Step 4.
  |
Step 4: Estimate likelihood and risk
  |
Step 5: Is the risk tolerable?  YES: go to Step 9.  NO: go to Step 6.
  |
Step 6: Consider enhanced and/or alternative designs
  |
Step 7: Evaluate enhancements and/or alternatives
  |
Step 8: Are the risk and costs tolerable?  YES: go to Step 9.  NO: return to Step 6.
  |
Step 9: Document results

2.3.3 Step 3: Determine Tolerability of Consequences

In this step, for each failure scenario ask: "Can we tolerate the consequences?" Answering this question requires guidance from established tolerability criteria.

Established criteria might take the form of (1) company-specific criteria (such as not exceeding a specified hazardous material concentration at the fence line), (2) known engineering codes and standards, (3) industry initiatives, or (4) government regulations. If application of the criteria yields tolerable consequences, then no additional process safety system is needed, and no further risk assessment is required. Proceed to step 9 and document the results. For intolerable consequences, continue the risk assessment in step 4.

2.3.4 Step 4: Estimate Likelihood and Risk

First, estimate the likelihood of the failure scenarios identified in step 1. Frequency estimates may derive from comparisons to past experience or written qualitative criteria, such as the simple differentiation between scenarios involving single failures and scenarios involving multiple failures. Other cases may require quantified estimates, such as the estimates resulting from fault tree analysis.

Next, to estimate the risk, couple the consequence and likelihood. Methods for combining likelihood and consequence estimates to obtain risk measures are presented in Guidelines for Chemical Process Quantitative Risk Analysis (CCPS 1989a). Again, some cases may reveal themselves by comparison to other systems or past analyses, or by employing qualitative tools such as risk matrices. Other cases may require quantified approaches, such as determining risk profiles or risk contours (see Chapter 7 of CCPS 1992b for a description of various approaches).

Risk estimation can be the single most difficult step in this process. While consequence estimation is objective, likelihood evaluation often involves a direct and specific performance assessment of the ability of both individuals and organizations to manage risk, or of the adequacy of a specific design or equipment item given its age and operating history. Because of this, great care must be taken to ensure its accuracy and lack of bias.

At some point, quantification of likelihood may be necessary, but often it is superseded by standardization into policies, engineering standards and standard practices. For example, failures with no or low consequences may be considered adequately controlled by normal process controls, whereas severe hazards (such as those with off-site ramifications) may require two or more independent levels of control or mitigation in addition to normal process controls to bring the risk into an acceptable range.

Assessment of likelihood often requires evaluation of both plant systems and procedures. Equipment failure data are available from a number of sources, and while there are uncertainties and gaps in the data, these can be objectively and consistently evaluated through the use of plant data collection and component failure testing. Also, a comprehensive risk management plan based on the results of studies such as these can provide typical component failure rates to be used for a wide range of evaluations. The CCPS book Guidelines for Process Equipment Reliability Data (CCPS 1989b) is a source of both data and references for additional information.

Reliability of procedural safeguards, on the other hand, is tied to the effectiveness of training and the strength of managerial implementation and documentation. Not only are these hard to measure, they can change significantly, in either a positive or negative manner, due to a wide variety of factors, such as personnel turnover or change in management.

2.3.5 Step 5: Determine Tolerability of Risk

In this step, ask: "Can we tolerate the estimated risk?" Like step 3, answering this question requires guidance in the form of established tolerability criteria. The topic of risk tolerability is discussed in more detail in Section 2.4 of this text.

If application of the criteria yields tolerable risk, then no additional process safety system is needed; proceed to step 9 to document the results. For intolerable risk, continue with risk reduction efforts in step 6.

2.3.6 Step 6: Consider Enhanced and/or Alternative Designs

If steps 1-5 established the need for a process safety system, i.e., a risk reduction measure, now consider how to reduce risk, mitigate consequences, lower the likelihood of realizing the failure scenario, or prevent the consequences altogether via design alternatives. Employ general loss prevention concepts, such as those in the Guidelines for Engineering Design for Process Safety (CCPS 1993), or consider the risk reduction design solutions discussed in the equipment chapters of this book. The tables in Chapters 3-12, along with other specific references, such as general industry practices, internal company standards, external consensus codes and standards, and regulations, are intended to suggest potential alternatives to enhance the risk tolerability of the design. Not all solutions presented in the tables will be applicable to every situation.

2.3.7 Step 7: Evaluate Enhancements and/or Alternatives

Review the design enhancements and/or alternatives. Ensure that these proposed design changes would sufficiently reduce the risk estimated in step 4. Also, evaluate the degree to which the design enhancements and/or alternatives introduce new failure scenarios, and therefore new risks; re-estimate the risk by repeating steps 1-4, considering the changes as an integral part of the process. Each potential enhancement must be evaluated for:

• Technical Feasibility—Will it work at all?

• Applicability to a specific situation—Will it work here?

• Cost/Benefit—Is it the best use of resources, or can greater risk reductions be achieved by spending the same money elsewhere?

• Synergistic/Mutual Exclusivity effects—Will this solution work in conjunction with other potential enhancements, or will its implementation eliminate other potential beneficial solutions from being considered?

• Additional New Hazards—Will this solution create new hazards that must be evaluated?

2.3.8 Step 8: Determine Tolerability of Risk and Cost

Based on the risk estimated with the design enhancements and/or alternatives in step 7, ask: "Can we tolerate the risk and cost?" As in steps 3 and 5, answering this question requires guidance in the form of established tolerability criteria. In this instance the tolerability determination must address both risk and cost because, like all design decisions, process safety system designs must satisfy the process economics.

Cost information can be coupled with the risk reduction benefit of each alternative, so that the cost-benefit trade-off can be assessed. In most cases, the cost-benefit analysis is likely to be qualitative in nature (CCPS 1995a). However, when this methodology is applied to a large number of competing process safety systems, such as those resulting from process hazard analysis (PHA) reports, quantitative cost-benefit techniques can be applied (Stevens and Stickles 1992).

If application of the criteria yields tolerable risk and cost, then continue to step 9 to document the results and then implement the design enhancements and/or alternatives. For intolerable risks or costs, go back to step 6 to consider additional or alternative risk reduction strategies.

2.3.9 Step 9: Document Results

Document the results derived from applying this technique. The failure scenarios and the associated consequences, likelihood, and risks comprise the conceptual design basis for the process safety system. Documentation of the design basis captures and preserves vital information, and will prove especially important during hazard evaluations, management of change situations, and other related risk management activities, including future design efforts. Without proper design documentation (CCPS 1995c), important information may not be available for consideration in future situations involving safety decisions.

Even in situations where the tolerability criteria applied in steps 3 or 5 determine that no process safety system is needed, it is important to document this decision so that the design basis is not contradicted by future operating or design changes. If for no other reason, document the rationale to avoid the need to repeat the exercise in the future.
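To show how steps 1 through 9 fit together, here is an added Python walk-through of the Exhibit 2.2 decision tree for a single failure scenario; it is example code written for this page, not part of the Guidelines. It uses the qualitative criteria types that Exhibit 2.3 names: a release limit at step 3 (with the 200 pounds of chlorine and 5000 pounds of gasoline figures quoted as examples in Section 2.4), a single-versus-multiple-failure rule for likelihood at step 4, a risk matrix at step 5, and a cost threshold at step 8, and it produces the step 9 record. The matrix entries, the cost threshold, the chlorine scenario and the enhancement options are constructed assumptions.

```python
"""Walk-through of the nine-step design basis selection technique of Exhibit 2.2.

Added example, not code from the CCPS Guidelines. Criteria values, the sample
scenario and the enhancement options are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Step 3 criterion (qualitative): release limits in pounds by material. Chlorine
# and gasoline use the example figures of Section 2.4; an unlisted material
# gets no allowance.
RELEASE_LIMITS_LB: Dict[str, float] = {"chlorine": 200.0, "gasoline": 5000.0}

# Step 5 criterion (qualitative): constructed risk matrix, True = tolerable,
# keyed by (consequence severity, likelihood class).
RISK_MATRIX: Dict[Tuple[str, str], bool] = {
    ("minor", "likely"): True,    ("minor", "possible"): True,    ("minor", "unlikely"): True,
    ("serious", "likely"): False, ("serious", "possible"): True,  ("serious", "unlikely"): True,
    ("severe", "likely"): False,  ("severe", "possible"): False,  ("severe", "unlikely"): True,
}

# Step 8 criterion (qualitative): constructed cost threshold for one measure.
COST_THRESHOLD = 250_000.0


@dataclass(frozen=True)
class Scenario:
    name: str
    material: str
    max_release_lb: float      # step 2 consequence estimate
    severity: str              # "minor", "serious" or "severe"
    independent_failures: int  # failures that must coincide for the event to occur


@dataclass(frozen=True)
class Enhancement:
    name: str
    cost: float
    added_independent_failures: int = 0         # active or procedural safeguard added
    reduced_release_lb: Optional[float] = None  # inherently safer inventory reduction


@dataclass
class DesignBasis:
    """Step 9 record: what was decided for the scenario and why."""
    scenario: str
    tolerable: bool = False
    selected: Optional[str] = None
    trail: List[str] = field(default_factory=list)


def likelihood_class(independent_failures: int) -> str:
    """Step 4, qualitative: one failure is likely, two possible, three or more unlikely."""
    if independent_failures < 1:
        raise ValueError("a scenario needs at least one failure")
    return {1: "likely", 2: "possible"}.get(independent_failures, "unlikely")


def consequences_tolerable(s: Scenario) -> bool:
    """Step 3: the potential maximum release does not exceed the release limit."""
    return s.max_release_lb <= RELEASE_LIMITS_LB.get(s.material, 0.0)


def risk_tolerable(s: Scenario) -> bool:
    """Steps 4 and 5: couple severity with likelihood class through the risk matrix."""
    return RISK_MATRIX[(s.severity, likelihood_class(s.independent_failures))]


def apply_enhancement(s: Scenario, e: Enhancement) -> Scenario:
    """Step 7: re-estimate the scenario with the enhancement treated as part of the process."""
    release = s.max_release_lb if e.reduced_release_lb is None else e.reduced_release_lb
    return Scenario(s.name, s.material, release, s.severity,
                    s.independent_failures + e.added_independent_failures)


def select_design_basis(s: Scenario, options: List[Enhancement],
                        cost_threshold: float = COST_THRESHOLD) -> DesignBasis:
    """Follow the Exhibit 2.2 decision tree for one failure scenario."""
    basis = DesignBasis(scenario=s.name)
    basis.trail.append(f"step 1: scenario '{s.name}' identified")
    basis.trail.append(f"step 2: up to {s.max_release_lb:g} lb {s.material}, severity {s.severity}")
    if consequences_tolerable(s):
        basis.tolerable = True
        basis.trail.append("step 3: consequences tolerable under the release limit")
    elif risk_tolerable(s):
        basis.tolerable = True
        basis.trail.append(f"step 5: risk tolerable ({likelihood_class(s.independent_failures)})")
    else:
        basis.trail.append("step 5: risk not tolerable; step 6: consider enhancements")
        for e in sorted(options, key=lambda o: o.cost):  # cheapest option first
            revised = apply_enhancement(s, e)
            ok_risk = consequences_tolerable(revised) or risk_tolerable(revised)
            ok_cost = e.cost <= cost_threshold
            basis.trail.append(f"step 7/8: '{e.name}' risk ok={ok_risk}, cost ok={ok_cost}")
            if ok_risk and ok_cost:
                basis.tolerable, basis.selected = True, e.name
                break
    basis.trail.append("step 9: design basis documented" if basis.tolerable
                       else "step 8: no option tolerable on risk and cost; return to step 6")
    return basis


# Constructed sample: a severe single-failure chlorine release with three options.
CHLORINE_RELEASE = Scenario("Chlorine vaporizer overpressure", "chlorine", 1500.0, "severe", 1)
OPTIONS = [
    Enhancement("Independent high-pressure trip", 80_000.0, added_independent_failures=1),
    Enhancement("Trip plus independent relief to scrubber", 180_000.0, added_independent_failures=2),
    Enhancement("Cut chlorine inventory below 150 lb", 400_000.0, reduced_release_lb=150.0),
]

if __name__ == "__main__":
    print("\n".join(select_design_basis(CHLORINE_RELEASE, OPTIONS).trail))
```

Two points of the technique show up in the trail. The single trip is rejected at step 8 not on cost but on risk, because one added safeguard only moves a severe scenario from "likely" to "possible"; and the inherently safer inventory cut would pass step 3 outright yet fails the cost threshold, so the cheaper two-safeguard option becomes the documented design basis.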

2.4 GUIDELINES FOR RISK TOLERABILITY

Application of a systematic risk-based technique for selecting safety system design bases depends on the availability and use of risk tolerability guidelines. In steps 3, 5, and 8 of the technique, the designer must ask: "Can we tolerate the risk posed by the process, or do we need to add a process safety system to reduce the risk to a tolerable level?" Answering this question requires practical and robust guidelines on risk tolerability.

Attitudes about the tolerability of risks vary widely, depending on the individual, the nature of the risk (Is it voluntary or involuntary? Will it impact one person or many people or the environment?), the presence of other risks, the degree to which the risk can be controlled or reduced, past experience, etc. This helps to explain why there are no universal norms for risk tolerability. Even within a particular community, attitudes change over time. So how does a company go about establishing a set of criteria to guide it in making decisions about the tolerability of certain consequences, likelihoods, or risks—both qualitatively and quantitatively?

It helps to start with the purpose of risk criteria or guidelines. Companies establish risk criteria to provide consistency in decision-making about risk, with the end purpose of protecting the community, the environment, employees, and equipment and operations as well as controlling the cost of doing business. The level of concern is not necessarily equal across all these groups, but decisions that protect people will often reduce the risk of property damage or environmental impact as well. Thus risk criteria or guidelines do not represent levels of risk that are tolerable to the public or some other group, but instead represent levels of risk that an organization believes will minimize impacts to continued operations.

Typically, people think risk criteria are used to compare the final results of a risk assessment against some internal or external standards. However, steps 3, 5, and 8 of Exhibit 2.2 all require "risk" criteria or guidelines of some form for a company to make consistent, effective decisions. Exhibit 2.3 presents examples of both qualitative and quantitative criteria that address consequences, likelihoods, risk, and risk and cost together. A description of each of the examples appears below. Throughout the descriptions that follow, the references to "steps" refer to the steps of the design basis selection technique presented in Exhibit 2.2.

Release Limits

As a means of addressing the tolerability of the potential consequences of a release, simply consider the amount of material that could be released. The "tolerable" quantity might vary by material to reflect different hazards and physical states—such as 200 pounds for chlorine and 5000 pounds for gasoline. The tolerable quantity might also vary as a function of the receptor(s) of concern—such as workers, the public, or the environment. If a potential maximum release does not exceed the established threshold, then application of release limit criteria in step 3 of the technique would yield tolerable consequences.

Threshold Impact Criteria for Fence or Property Line

Use typical impact criteria, such as those given in Exhibit 2.4, along with coarse or sophisticated consequence modeling to see if property or fence line values exceed the chosen thresholds. If values do not exceed the thresholds,

EXHIBIT 2.3 Examples of Tolerability Criteria and Application to Design Basis Selection Technique

Applicability | Qualitative Criteria Examples | Quantitative Criteria Examples
Step 3: Tolerability of Consequences | Release limits | Threshold concentration levels for fence or property line
Step 5: Tolerability of Likelihood | Single versus multiple component failures | Critical event frequency
Step 5: Tolerability of Risk | Risk matrix | Individual and/or societal risk criteria
Step 8: Tolerability of Risk and Cost | Risk matrix and cost threshold | Cost-benefit criteria

EXHIBIT 2.4 Representative Threshold Impact Criteria

Consequence Type: Toxic
Impact Criteria:

• IDLH (Immediately Dangerous to Life or Health), 30 minutes without irreversible effects

• ERPG-1 (Emergency Response Planning Guideline), 1 hour without any significant effects

• ERPG-2, 1 hour without irreversible effects

• ERPG-3, 1 hour without life threatening effects

Consequence Type: Thermal Radiation (Fireball)
Heat Flux | Duration | Direct Effect
9.5 kW/m² (3010 Btu/h-ft²) | 8 sec. | Pain threshold reached
9.5 kW/m² (3010 Btu/h-ft²) | 20 sec. | Second degree burns
4 kW/m² (1270 Btu/h-ft²) | 20 sec. | Pain threshold reached
1.6 kW/m² (510 Btu/h-ft²) | long exposure | No discomfort for long exposure

Consequence Type: Blast Overpressure
Pressure (psig) | Direct Effects | Indirect Effects
0.5-1 | Windows usually shattered | Injury from flying glass
2-3 | Concrete or cinder walls (not reinforced) shattered | Injury/fatality from falling debris
10 | Probable total destruction of buildings | Injury/fatality from building collapse
>15 | Likely fatality | none listed

then application of threshold impact criteria in step 3 of the technique would yield tolerable consequences.

Single versus Multiple Component Failures

As a qualitative measure of likelihood, companies might choose to tolerate event scenarios that require three independent failures before the event can occur, and not tolerate events arising from single component failures. For events arising from two component failures, companies might conduct further analysis.

Critical Event Frequency

A critical event is an event with a specified, high consequence such as an event involving an offsite community impact, critical system damage, a severe injury or a fatality.

In general, a continuum of various threshold frequencies might be selected, e.g., 1 × 10⁻⁴/year to 1 × 10⁻⁷/year, depending on the extent and nature of worst-case consequences (e.g., property or environmental impact, on-site or off-site fatalities, etc.). As noted previously, companies must consider numerous factors in setting such risk tolerability thresholds. One event frequency limiting value that is sometimes used is 1 × 10⁻⁴ critical events per year, based on the design-basis event concept used for North Sea platforms and other major installations (Advisory Committee on Major Hazards 1976; Conway 1981; Tompkins and Riffee 1983; Chicken 1986).

Risk Matrix

Use qualitative or semi-quantitative frequency and severity categories to estimate the risk of an event as illustrated in Exhibit 2.5. If an event has low risk (i.e., a risk rank of "C" or "D" per Exhibit 2.5) then it is considered tolerable in step 5. Exhibit 2.5 is illustrative of an application involving human injury. The criteria can be expanded to include environmental impacts and/or property loss potential (CCPS 1992b).

Individual Risk Criteria

In step 5, one can use numerical criteria for the maximum and average levels of risk posed to employees and the public. Such criteria consider the frequency of the event or events to which an individual might be exposed, the severity of that exposure, and the amount of time for which the individual is at risk. There is no consensus on appropriate values, but an individual mortality value of 1 × 10⁻⁵ per year at the fence line to represent the maximum risk level for the public is not unusual among those using such criteria (Royal Society 1983; Chicken 1986; Bendixen 1988; Gibson 1976; CCPS 1989).

Societal Risk Criteria

Instead of, or in addition to, individual risk criteria, one can use societal risk criteria such as those shown in Exhibit 2.6. These are criteria that provide a more detailed evaluation of the distribution of risk. That is, both high frequency/low consequence and low frequency/high consequence events can be addressed explicitly. This can be of particular concern if a company has recently experienced an undesired event and cannot tolerate another one no matter how small the consequences, or if there is a potential for an event involving large numbers of people or that would release large quantities of a hazardous material into the environment.

EXHIBIT 2.5 Illustrative Risk Matrix

Consequence Range | Qualitative Consequence Criteria
C4 | One or more fatalities; injuries or fatalities within community
C3 | Permanent disabilities within localized section of process or building; lost time injuries or hospitalizations outside of local area
C2 | One lost time injury; multiple recordable injuries
C1 | One recordable injury; emergency response call-out without injury

Likelihood Range | Qualitative Frequency Criteria
L4 | Once in 10 years
L3 | Once in 100 years
L2 | Once in 1000 years
L1 | Less than once in 1000 years

Risk Rank | Qualitative Description of Risk
A | Intolerable risk. Risk reduction required.
B | Intolerable risk. Risk reduction or more rigorous risk estimation required.
C | Tolerable risk. Consider need for risk reduction.
D | Tolerable risk. No risk reduction required.

[The matrix body assigning a rank A to D to each consequence/likelihood cell is not reproduced in this transcript.]

EXHIBIT 2.6 Societal Risk Criteria. [Adapted from Health and Safety Commission, U.K. 1991.]

[Figure: F-N curve. Vertical axis: F (frequency of N or more fatalities / yr). Horizontal axis: N (number of fatalities).]
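The individual-risk comparison and the F-N distribution described above, as an added worked example in Python; this is not code from the CCPS guidelines. The scenario list, the fence-line fatality probabilities and the F-N criterion line are constructed, illustrative values; only the 1 × 10⁻⁵ per year individual-risk figure comes from the text, and the HSC line of Exhibit 2.6 is replaced by an assumed slope -1 line anchored at 10⁻³/year for N = 1.

```python
"""Individual risk and societal (F-N) risk computed from a scenario list.

Added example, not from the CCPS guidelines. The scenario table, the
fence-line fatality probabilities and the F-N criterion line are constructed
for illustration; the 1e-5/yr individual-risk criterion is the figure quoted
in the text.
"""
from typing import Dict, List, NamedTuple


class Scenario(NamedTuple):
    name: str
    freq_per_year: float      # estimated event frequency (step 4)
    fatalities: int           # fatalities if the event occurs (step 2)
    p_fatal_at_fence: float   # P(a person at the fence line is killed | event)


# Constructed scenario set (illustrative numbers, not a real facility).
SCENARIOS: List[Scenario] = [
    Scenario("small leak, flash fire",   1e-3,   1, 0.0),
    Scenario("pool fire at tank farm",   2e-4,   3, 0.1),
    Scenario("vapour cloud explosion",   5e-6,  25, 0.8),
    Scenario("toxic release, off-site",  2e-7, 120, 1.0),
]

# Maximum individual mortality risk for the public at the fence line, per year
# (the value the text cites as commonly used).
INDIVIDUAL_RISK_CRITERION = 1e-5

# Assumed societal criterion line: F_max(N) = FN_ANCHOR / N on log-log axes.
# The HSC (1991) line of Exhibit 2.6 is not reproduced on the page, so this
# anchor is an assumption chosen only to make the check concrete.
FN_ANCHOR = 1e-3


def individual_risk(scenarios: List[Scenario]) -> float:
    """Annual fatality risk to one hypothetical person at the fence line:
    sum over scenarios of frequency x P(fatal at that location | event)."""
    return sum(s.freq_per_year * s.p_fatal_at_fence for s in scenarios)


def fn_curve(scenarios: List[Scenario]) -> Dict[int, float]:
    """F(N): cumulative frequency per year of events causing N or more
    fatalities, evaluated at each distinct N in the scenario list."""
    points = sorted({s.fatalities for s in scenarios if s.fatalities > 0})
    return {n: sum(s.freq_per_year for s in scenarios if s.fatalities >= n)
            for n in points}


def fn_criterion(n: int, anchor: float = FN_ANCHOR) -> float:
    """Assumed maximum tolerable F for a given N (slope -1 line)."""
    return anchor / n


def evaluate(scenarios: List[Scenario]) -> dict:
    """Step 5 check against both criteria. Returns the numbers and verdicts
    so the low-consequence and high-consequence ends are each visible."""
    ir = individual_risk(scenarios)
    curve = fn_curve(scenarios)
    exceedances = [n for n, f in curve.items() if f > fn_criterion(n)]
    return {
        "individual_risk": ir,
        "individual_ok": ir <= INDIVIDUAL_RISK_CRITERION,
        "fn_curve": curve,
        "fn_exceedances": exceedances,   # N values where the curve is above the line
        "societal_ok": not exceedances,
    }


if __name__ == "__main__":
    result = evaluate(SCENARIOS)
    print(f"individual risk at fence: {result['individual_risk']:.2e}/yr "
          f"(limit {INDIVIDUAL_RISK_CRITERION:.0e}) -> ok={result['individual_ok']}")
    for n, f in result["fn_curve"].items():
        print(f"F(N>={n:>3}) = {f:.2e}/yr  limit {fn_criterion(n):.2e}")
    print("societal ok:", result["societal_ok"],
          "exceedances at N =", result["fn_exceedances"])
```

With these constructed numbers the individual-risk check fails (about 2.4 × 10⁻⁵/yr against 1 × 10⁻⁵/yr) and the F-N curve crosses the assumed line only at N = 1: the frequent small event, not the rare large one, is what drives the societal result, which is the high-frequency/low-consequence end the text says societal criteria make explicit.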

Risk Matrix and Cost Threshold

Qualitative assessments in step 8 must account for both the risk reduction and the associated costs of an enhancement. While this may appear straightforward if the risk reduction benefit is obviously large and the cost is small, the tradeoffs are usually more complex than this. A risk matrix can help in such assessments. For example, an enhancement or alternative that reduces a high risk to a medium risk and costs less than X dollars might be considered feasible and effective, as might an alternative costing 30X dollars and reducing a high risk to a low risk. Specify such "rules" or thresholds in advance.

Cost-Benefit Criteria

If one employs quantitative estimates of risk, then it is possible to set specific criteria for the amount of risk reduction expected for each dollar expended. Consider anything less than this ratio ineffective. In some instances, one might have two thresholds—one for the dollars necessary to achieve a tolerable risk level, and another for any further risk reduction beyond this point.
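A worked example in Python, added here and not part of the guidelines, of the three decision rules just described: the step 5 risk-matrix lookup, the step 8 risk-matrix-plus-cost-threshold rule with its X and 30X limits, and the quantitative cost-benefit ratio with two thresholds. The C and L category boundaries and the tolerable ranks (C and D) follow Exhibit 2.5 and the text; the cell-by-cell rank assignment (`RANK_TABLE`), the dollar value of X, the generalisation of the X/30X rule to "one rank reduced" versus "two or more", and the benefit-per-dollar thresholds are assumptions chosen for illustration.

```python
"""Risk-matrix, cost-threshold and cost-benefit rules as executable tables.

Added example, not the guidelines' own code. Category boundaries and the
tolerable ranks follow Exhibit 2.5 and the text; RANK_TABLE, X and the
benefit-per-dollar thresholds are assumed, illustrative values.
"""
from typing import Tuple


def likelihood_category(freq_per_year: float) -> str:
    """Map an estimated frequency to the L1..L4 ranges of Exhibit 2.5."""
    if freq_per_year >= 1 / 10:
        return "L4"   # once in 10 years (or more often)
    if freq_per_year >= 1 / 100:
        return "L3"   # once in 100 years
    if freq_per_year >= 1 / 1000:
        return "L2"   # once in 1000 years
    return "L1"       # less than once in 1000 years


# Assumed rank per (consequence, likelihood) cell; the transcript does not
# reproduce the matrix body, so this assignment is illustrative only.
RANK_TABLE = {
    "C4": {"L1": "B", "L2": "A", "L3": "A", "L4": "A"},
    "C3": {"L1": "C", "L2": "B", "L3": "A", "L4": "A"},
    "C2": {"L1": "D", "L2": "C", "L3": "B", "L4": "A"},
    "C1": {"L1": "D", "L2": "D", "L3": "C", "L4": "B"},
}
TOLERABLE_RANKS = {"C", "D"}   # per the text: C or D is tolerable in step 5
RANK_ORDER = "ABCD"            # A is the highest risk


def risk_rank(consequence: str, freq_per_year: float) -> str:
    return RANK_TABLE[consequence][likelihood_category(freq_per_year)]


def risk_tolerable(consequence: str, freq_per_year: float) -> bool:
    """Step 5 with the qualitative matrix."""
    return risk_rank(consequence, freq_per_year) in TOLERABLE_RANKS


# Step 8, qualitative: the "high->medium for < X, high->low for < 30X" rule from
# the text, generalised (assumption) to: one rank of reduction is worth up to X,
# two or more ranks up to 30X. X itself is an assumed corporate figure.
X = 50_000.0


def enhancement_acceptable(rank_before: str, rank_after: str, cost: float) -> bool:
    ranks_reduced = RANK_ORDER.index(rank_after) - RANK_ORDER.index(rank_before)
    if ranks_reduced <= 0:
        return False                      # no reduction: nothing to pay for
    limit = X if ranks_reduced == 1 else 30 * X
    return cost <= limit


# Step 8, quantitative: risk reduction per dollar, with the two thresholds the
# text mentions. Units: fatalities per year avoided, per dollar (assumed values).
RATIO_TO_REACH_TOLERABLE = 1e-9
RATIO_BEYOND_TOLERABLE = 5e-9     # stricter once a tolerable level is already met


def cost_effective(risk_before: float, risk_after: float, cost: float,
                   tolerable_level: float) -> Tuple[bool, float]:
    """Return (verdict, benefit-per-dollar) for a quantitative enhancement."""
    if cost <= 0 or risk_after >= risk_before:
        return False, 0.0
    ratio = (risk_before - risk_after) / cost
    reaches_tolerable = risk_before > tolerable_level >= risk_after
    threshold = RATIO_TO_REACH_TOLERABLE if reaches_tolerable else RATIO_BEYOND_TOLERABLE
    return ratio >= threshold, ratio


if __name__ == "__main__":
    # Illustrative case: one lost-time injury expected about once in 50 years.
    print("rank:", risk_rank("C2", 1 / 50), "tolerable:", risk_tolerable("C2", 1 / 50))
    print("A->B for $40k acceptable:", enhancement_acceptable("A", "B", 40_000))
    print("A->C for $2M acceptable:", enhancement_acceptable("A", "C", 2_000_000))
    print("quantitative:", cost_effective(1e-4, 1e-5, 50_000, tolerable_level=2e-5))
```

Writing the rules as data makes the point the text closes on: the thresholds are specified in advance, and a design review can apply them consistently rather than reasoning each case from scratch.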

Select or develop criteria that are representative of your company's philosophy and culture, and which match the type of analysis (qualitative or quantitative) you commonly conduct in the design stage. This is a corporate responsibility and requires the involvement and support of senior management, as it determines the levels and types of risk that the company will tolerate.

2.5 POTENTIAL PROCESS SAFETY SYSTEMS DESIGN SOLUTIONS

2.5.1 Four Categories of Design Solutions

Before proceeding with examples illustrating the application of the technique for selection of safety system design bases, a review of generic design solutions for minimizing risk is appropriate. Safety system designs fall into one of four categories.

INHERENTLY SAFER design solutions eliminate or mitigate the hazard by using materials and process conditions that are less hazardous. For an extensive discussion of the concept of inherently safer chemical processes, see CCPS 1996.

Examples of inherently safer solutions include:

• Substituting water for a flammable solvent

• Reducing or eliminating inventories of hazardous intermediates

Approaches to the design of inherently safer processes and plants have been grouped into four major strategies by IChemE and IPSG (1995) and Kletz (1991):

• Minimize. Use smaller quantities of hazardous substances (also called Intensification).

• Substitute. Replace a material with a less hazardous substance.

• Moderate. Use less hazardous conditions, a less hazardous form of a material, or facilities which minimize the impact of a release of hazardous material or energy (also called Attenuation and Limitation of Effects).

• Simplify. Design facilities which eliminate unnecessary complexity and make operating errors less likely, and which are forgiving of errors which are made (also called Error Tolerance).

PASSIVE design solutions do not require any device to sense and/or actively respond to a process variable and have very reliable mechanical design.

Examples of passive design solutions include:

• Using incompatible hose couplings, nonsplash filling using permanently installed dip-pipes, permanent grounding and bonding via continuous metal equipment and pipe rather than with removable cables

• Designing high pressure equipment to contain overpressure hazards such as internal deflagration

• Containing hazardous inventories with a dike that has a bottom sloped to a remote impounding area, which is designed to minimize surface area

ACTIVE design solutions require devices to monitor a process variable and function to mitigate a hazard.

Frequently active solutions involve a considerable maintenance and procedural component and are therefore typically less reliable than inherently safer or passive solutions. To achieve necessary reliability, redundancy is often used to eliminate conflict between production and safety requirements (such as having to shut down a unit to maintain a relief valve).

Active solutions are sometimes referred to as engineering controls. Examples of active solutions include:

• Using a pressure safety valve or rupture disk to prevent vessel overpressure

• Interlocking a high level sensing device to a vessel inlet valve and pump motor to prevent liquid overfill of the vessel

• Installing check valves

PROCEDURAL design solutions require a person to perform an action to avoid a hazard. This would include following a standard operating procedure or responding to an indication of a problem such as an alarm, an instrument reading, a noise, a leak, or a sampling result. Since an individual is involved in performing the corrective action, consideration needs to be given to human factors issues (CCPS 1994a), e.g., over-alarming, improper allocation of tasks between machine and person, inadequate support culture. Because of the human factors involved, procedural solutions are generally the least reliable of the four categories.

Procedural solutions are sometimes referred to as administrative controls. Examples of procedural solutions include:

• Following standard operating procedures to keep process operations within established equipment mechanical design limits

• Manually closing a feed isolation valve in response to a high level alarm to avoid tank overfilling

• Executing preventive maintenance procedures to prevent equipment failures

• Manually attaching bonding and grounding systems

Throughout the equipment chapters in this volume, design solutions will appear for each failure scenario, divided into three categories: (1) inherently safer/passive, (2) active, and (3) procedural.

Inherently safer and passive design solutions often overlap. For this reason, the inherently safer and passive solution categories have been combined in the tables presented in the equipment chapters of this book.

An important aspect in the classification of design solutions is the distinction between inherently safer/passive and active systems. It is generally accepted that a containment dike is a passive solution (EPA 1995). What about safety devices such as a rupture disk or end-of-line flame arresters? In the case of the rupture disk, it can be argued that it must sense pressure in order to function and therefore would be an active solution. This analogy does not apply so well to end-of-line flame arresters. However, there are many instances of flame arresters that have failed to function or otherwise contributed to hazardous incidents, due to neglect or lack of preventive maintenance. While the authors of this book recognize these distinctions are legitimately debatable, it was decided that both relief devices (pressure safety valve, rupture disks, etc.) and flame arresters would be classified as active solutions. This convention is followed throughout the equipment chapters, unless otherwise noted.

Other examples of design solutions that illustrate the classification categories are presented below.

INHERENTLY SAFER/PASSIVE

Continuous metal equipment such as a steel pipe is inherently bonded and once it is grounded permanently at any point (such as via multiple steel pilings anchoring the equipment) requires minimal maintenance of ground connections. This is an inherently safer design than one incorporating rubber boots, swivel joints or other potential breaks in electrical continuity that would require external bond connections and associated maintenance.

A vessel designed to contain the maximum pressure predicted due to any credible upset, such as an internal explosion, is inherently safer than one designed to mitigate the event via pressure relief or suppression systems, etc.

In both the above examples, the systems described are "inherently safer" via the "simplify" strategy shown in 2.5.1. However, they would be better described as "passive systems." As discussed, true "inherently safer" designs reduce the hazard by using materials or process conditions that are less hazardous. In the examples, higher levels of inherent safety might be provided by designing the process to eliminate flammable atmospheres that would require bonding or equipment reinforcement.

Passive designs may be complemented by procedural or active systems, especially where transient conditions are routinely experienced. As an example, a passive system might comprise a permanent dip pipe going to the bottom of a flammable liquid storage tank to avoid splash filling. However, until this dip pipe is covered by a substantial depth of liquid, splashing may still occur. Various standards (API RP 2003, 1991; BS 5958, 1991) provide that a slow start (limited flow velocity) be used until the pipe outlet is covered to the recommended depth. Since this normally requires operator action to control the flow, operation may not be entirely splash-free during the initial stages of filling and contains a procedural element. In principle, the procedural element could be replaced by an active system controlling flow rate by monitoring liquid depth in the tank. A completely passive system for avoiding splash filling might involve maintaining a minimum liquid level in a tank via appropriate elevation of the product outlet pipe. However, even if a tank is dedicated to one product and minimum liquid level can be maintained, the presence of a stagnant layer in the tank base may make this solution impractical for product quality reasons.

ACTIVE

An end-of-line flame arrester would be a passive design solution without the need for maintenance to achieve the desired reliability. In practice it is an "active" solution since the arrester may be subject to corrosion and plugging of the element. End-of-line flame arresters require maintenance to ensure there is no blockage which, for example, might cause an atmospheric storage tank to experience vacuum while being emptied. In-line detonation arresters should be additionally monitored for stationary flames on the arrester face (U.S. Coast Guard 1990) and are usually equipped with pressure taps to monitor increased pressure drop due to element blockage or corrosion.

Other active solutions include pressure relief valves, deflagration vents, explosion suppression systems, fast acting valves, check valves and regulators. All these devices require maintenance, operate by responding to a process variable, or both.

PROCEDURAL

Procedural reliability tends to be more dependent on human factors and consideration should be given to issues such as over-alarming, improper allocation of tasks between machine and person, inadequate support culture, etc. (CCPS 1994a).

Frequently both active and procedural design solutions are used to complement each other. For example, in a tank truck bonding procedure, an "active" ground indicating device could be installed to show the presence of a positive ground connection. In such a case, it would still be necessary to ensure that the system is not defeated by simple neglect of an alarm or even bypassing of the indicating device. A ground indicating device might additionally be interlocked with a pump to prevent operator error. For an "active" flame arrester, a complementing "procedural" system might be monitoring the pressure drop periodically and performing maintenance when a specific differential has been reached.

The design solutions presented in the tables are established and often well proven approaches for mitigating the failure scenarios. However, a potential design solution is false protection if it is not reliably engineered and maintained. Active systems in particular may need redundancy (i.e., dual sensors, separation of control and interlock functions) to provide the required level of reliability and risk reduction. True redundancy must include the absence of common mode failures by providing independence and functional diversity (e.g., independent power supplies, sensors operating on different principles). Additional discussion on redundancy for process safety systems can be found in CCPS 1989 and CCPS 1994b. The advantage of a risk based approach to design selection is that it provides the means for determining how much redundancy is enough.
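The point about common mode failure, as an added example in Python (not from the guidelines): a simplified beta-factor model in which a fraction `beta` of each channel's failures is shared by all channels, so duplicating identical equipment buys far less than the product of the individual failure probabilities suggests. The per-demand failure probability, the beta values, and the architecture names are constructed for illustration; the model is the standard simplification and is not taken from the page.

```python
"""Redundancy versus common-mode failure: a simplified beta-factor model.

Added example, not from the CCPS guidelines. A fraction `beta` of each
channel's failures is assumed to be common-cause (shared power supply,
same sensing principle, same maintenance error) and to defeat all channels
at once; the remainder fails independently. All numbers are constructed.
"""


def p_system_fail(p_channel: float, channels: int, beta: float) -> float:
    """Probability on demand that every one of `channels` fails (1-out-of-n
    voting: the protective function is lost only if all channels fail)."""
    if not 0.0 <= beta <= 1.0 or channels < 1 or not 0.0 <= p_channel <= 1.0:
        raise ValueError("need 0<=beta<=1, 0<=p_channel<=1, channels>=1")
    independent = ((1.0 - beta) * p_channel) ** channels
    common_cause = beta * p_channel          # one event takes out all channels
    return independent + common_cause


def risk_reduction_factor(p_channel: float, channels: int, beta: float) -> float:
    """How many times less likely the system is to fail than a single channel."""
    return p_channel / p_system_fail(p_channel, channels, beta)


def compare_architectures(p_channel: float = 0.01) -> dict:
    """Constructed comparison: identical duplicated sensors on one power
    supply (assumed beta = 0.1) versus diverse, independently powered
    sensors (assumed beta = 0.01), plus the effect of a third identical channel."""
    return {
        "single":           risk_reduction_factor(p_channel, 1, 0.0),
        "dual_identical":   risk_reduction_factor(p_channel, 2, 0.10),
        "triple_identical": risk_reduction_factor(p_channel, 3, 0.10),
        "dual_diverse":     risk_reduction_factor(p_channel, 2, 0.01),
        "dual_ideal":       risk_reduction_factor(p_channel, 2, 0.0),
    }


if __name__ == "__main__":
    for name, rrf in compare_architectures().items():
        print(f"{name:17s} risk reduction factor = {rrf:7.1f}")
```

With a 1-in-100 per-demand channel failure probability, two ideally independent channels give a risk reduction factor of 100, but two identical channels sharing 10% common-cause failures give under 10, and a third identical channel barely moves that figure; two diverse channels with 1% common cause recover about half of the ideal benefit. That is the quantitative reason the text insists on independence and functional diversity, and it is the kind of number a risk-based selection uses to decide how much redundancy is enough.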

The design should also take into account the need for periodic inspection and proof testing of systems. For example pressure safety valves (PSVs) may need testing at intervals that are shorter than scheduled plant turnarounds. A good solution is the installation of dual PSVs with a three-way valve to allow testing at prescribed intervals without interfering with production.

Safety design solutions can contribute to hazards if not properly maintained. While system maintenance is not specifically addressed, the book assumes the safety equipment will be subjected to a systematic maintenance and inspection program once installed.

It should also be recognized that the failure scenarios presented focus on process related hazards rather than maintenance initiated incidents. Therefore, it is further assumed that the facility into which the equipment is placed has adequate safe work practices, which encompass hot work permits, confined space entry, ignition control, lock-out/tag-out, etc.

2.5.2 Characteristics of Design Solution Categories

An illustrative comparison of the four categories of design solutions with respect to several cost and functional attributes appears in Exhibit 2.7. While procedural solutions can be less complex, they are usually the least reliable. For active solutions, as compared to inherently safer/passive solutions, reliability is typically lower and complexity is greater. Inherently safer/passive solutions tend to have higher associated initial capital outlays; however, operating costs are usually lower than those for the other design solutions. Operating costs are likely to be the greatest for active solutions.

Exhibit 2.8 offers an example of the four types of safety system design solutions applied to the same design basis situation. The example concerns a heat exchanger with an incompatible process stream and heat transfer fluid. A design engineer might choose one of the design solutions offered or choose to utilize solutions from more than one category. Ultimately, design engineers should make decisions based on the prevailing risk tolerability and cost criteria, and their understanding of the operations and maintenance requirements for the design.

EXHIBIT 2.7 Comparison of Cost and Functional Attributes for Design Categories (typical trends)

[Figure: charts of attribute value (Higher to Lower) versus category of design solution (Inherently Safer, Passive, Active, Procedural), one each for Reliability, Initial Capital, Operating Costs, and Complexity.]

As in the case of the heat exchanger example in Exhibit 2.8, engineers should not consider the four types of design as mutually exclusive. Many opportunities arise for utilizing solutions from different design categories in tandem. In equipment design, this often happens inadvertently, because the design usually has to address multiple safety concerns and failure modes. The goal is to be more proactive in the consideration of multiple levels of protection.

EXHIBIT 2.8 Process Safety System Design Solutions for a Heat Exchanger Failure Scenario

Design Basis Failure Scenario: Tube to tube-sheet joint failure results in mixing of incompatible fluids, resulting in a system over-pressure and/or the formation and release of a toxic material

Design Solution Type | Description
1. Inherently Safer | A heat transfer fluid compatible with the process fluid
2. Passive | Double tube-sheet construction
3. Active | Pressure relief system with discharge to safe location
4. Procedural | Periodic manual sampling of the lower pressure fluid

Returning to the heat exchanger example in Exhibit 2.8, the overall risk of toxic vapor release might be further reduced by decreasing the inventory of hazardous material contained within associated process equipment. A combination of reduced inventory (inherently safer) and double tubesheet construction (passive) might produce the optimal risk reduction alternative.

Historically, designers have underutilized inherently safer solutions. This stems in part from an overemphasis on minimizing initial capital investment, and on time constraints which often favor active or procedural systems. But with the increased application of risk management practices has come more dependency on multiple layers of alarms (procedural) and interlocks (active) to obtain tolerable risk levels. The economic analysis in the initial design stages often fails to account for the cost of maintaining and proof-testing these systems, which can be significant for large process facilities. When comparing inherently safer design solutions to other solutions, designers should include the total life-cycle cost of each alternative before reaching a decision. For example, Noronha et al. (1982) describe the use of deflagration pressure containment design in preference to deflagration suppression or other means of explosion prevention based on lifecycle cost and reliability considerations.

Inherently safer strategies should be considered especially for new facility designs. In general, such projects allow more flexibility in the selection of design solutions as compared to an alteration or upgrade to an existing facility. For example, tradeoffs between the level of process integration and safety design are easier to accommodate in new facilities. Also, designers have more freedom in the choice of utility services that may have an impact on inherent safety.

When altering or upgrading existing facilities, designers should not simply overlook inherently safer design solutions because they are harder to implement. The following provides a good example of an inherently safer design solution that was ultimately selected for an existing facility.

At this facility, the design problem was to avoid a significant leak in several water-cooled heat exchangers. These exchangers had material on the process-side that reacted violently with water, producing corrosive and toxic by-products. Alternative solutions considered included combinations of passive (double tubesheet or falling film exchangers), active (multiple sensor leak detection with interlocks), and procedural (a variety of nondestructive testing/inspection techniques, periodic leak testing with inert gas, improved cleaning procedures). While all of these design alternatives resulted in a lower risk level than the original design, none was totally acceptable. When management realized how much effort and commitment of resources were required to maintain a less than satisfactory risk level, they chose a design that used a compatible heat transfer fluid, an inherently safer design.

2.6 APPLYING THE RISK-BASED DESIGN BASES SELECTION TECHNIQUE

From the outset, the practical nature of this process safety system design bases technique has been emphasized. This technique applies to all design cases, from the simplest to the most complex. Again, this follows quite naturally from the fact that the technique is derived from the problem-solving approaches commonly employed by process design engineers.

To fully illustrate application of the technique, worked examples have been prepared and included in the Appendix. To reinforce understanding of this risk-based technique, however, two short examples of significantly different complexity are discussed here.

2.6.1 Locking Open a Valve (A Simple Design Case)

Locking open a valve is a commonly used procedural design solution, applied to a wide range of potential operational and safety problems. At first glance, locking open a valve may not even seem like a design decision. Such a decision seems more an act of common sense: (1) someone identifies a safety problem arising from the inadvertent closing of a valve; (2) the valve does not get used that often; so, the "obvious" solution is to (3) lock open the valve.

For process facilities operating under a strict management of change system, the situation is not so clear-cut. Locking open a valve is not merely a common sense decision; rather, at an operating facility it is a design change. It is a procedural design solution that requires a documented design basis and a subsequent safety review.

Similarly, locking open a valve in the original design must represent a design decision. However simple it may seem, the selection of this procedural process safety system must have a documented design basis.

An incident at an oil and gas production facility involving a locked-open valve illustrates how safety system design logic typically follows the risk-based design basis technique outlined in this chapter. In addition, it emphasizes the importance of completely following the technique, including the final step of documenting the process safety system design bases.

This incident involved an uncontrolled release of natural gas into a confined process area. An analysis reveals that designers followed the first eight steps of the process safety system design basis selection technique. When it came time to execute the ninth step, however, the designers failed to document the design basis for the locked-open valve.

Background Information

The oil and gas production facility handled a stream referred to as "mixed fluids"—crude oil, natural gas, and water. Throughout the process, the facility had its pressure safety valves (PSVs) vented to a flare system. The facility's design configuration included (1) a locked-open block valve downstream of the PSV to allow isolation from the flare header during periodic inspection and testing of the PSV, and (2) a piping specification break at the PSV discharge flange. A simple diagram of the relief valve configuration is shown in Exhibit 2.9.

The designers foresaw high risk from failure scenarios which required a process safety system and consequently, the designers provided a risk reduction solution. The designers employed the risk-based design technique, as described in Exhibit 2.10.

Nevertheless, this facility experienced the failure scenario and related consequences foreseen by the designers. Many factors contributed to the incident, including failure to clearly document the process safety system design bases (step 9).

Incident Description

In a process upset situation that developed over a number of hours, a PSV started to "chatter," alternately lifting and reseating. Operations personnel misdiagnosed the situation, thinking that the chattering involved a malfunction of the PSV rather than an upstream pressure excursion. Concerned about

EXHIBIT 2.9 Schematic of Pressure Safety Valve (PSV) Detail

[Schematic. Labels: Mixed Fluids from 1st Stage Separator; High Pressure Equipment; PSV; Specification Break; Low Pressure Equipment; Block Valve (Locked Open); To Flare System; Mixed Fluids to 2nd Stage Separator. The line between the PSV and the block valve is marked "Line rupture occurred here (see text for description of incident)".]

EXHIBIT 2.10 Selecting the Design Basis for a "Locked Open" Valve (an example, based on Exhibit 2.9, of a failure during design basis selection)

Step in Design Basis Selection Technique | Result from Executing Step
1. Identify Failure Scenario | Closing of block valve during system operation
2. Estimate the Consequences | a. Overpressure of system upstream of PSV; or b. Overpressure of PSV body and outlet piping upstream of the block valve and downstream of the PSV. Both a. and b. potentially result in an uncontrolled release of natural gas.
3. Determine Tolerability of Consequences | Intolerable (based on judgment)
4. Estimate the Frequency and the Risk | High likelihood of human error (based on judgment)
5. Determine Tolerability of Risk | Intolerable (based on judgment)
6. Consider Enhanced and/or Alternative Designs | Locked open (LO) the block valve
7. Evaluate Enhancement and/or Alternatives | No new operational deviations identified from LO valve; frequency, and thus risk, of inadvertent closing estimated as low (based on judgment)
8. Determine Tolerability of Risk | Tolerable (based on judgment)
9. Document Results | Design bases not documented; P&ID merely marked as "LO" for locked open

Note: Failure to properly document design basis (Step 9) is the point of failure.

uncontrolled venting to the flare system in the event of a PSV failure, operations personnel considered unlocking and closing the block valve. Both the operators and responsible supervisor intuitively thought the locked-open block valve (clearly marked as "LO" on the piping and instrumentation diagram) served solely to ensure an unobstructed PSV relief path.

Facility operations personnel were unaware of the specification break in the piping and were unaware that an additional design basis of the locked-open valve was to ensure that the low pressure specification piping downstream of the PSV did not ever "see" the high system pressure (see step 2 results in Exhibit 2.10). When operations closed the block valve to stop the chattering, the low pressure line downstream of the PSV and upstream of the block valve failed from the over-pressure, resulting in an uncontrolled release of natural gas (see point of release depicted in Exhibit 2.9). As a result of the first failure, adjacent natural gas lines were damaged.

Fortunately, operations managed to isolate and shut down the system, and the flammable natural gas cloud dissipated without ignition. Consequences were limited to equipment damage and production downtime.

A Lesson Learned

As alluded to in the background information, many factors contributed to the incident. Factors relating to operations staffing as well as recent maintenance work aggravated the situation. Since the design basis was not documented or communicated to the operations staff or plant supervision, other important elements of process safety management (PSM), such as training programs and administrative procedures to regulate valve locking/unlocking, could not be successfully implemented. However, the focus is on the absence of design basis documentation for the locked-open valve, as it was a primary contributor to the incident.

Among the most compelling features of this incident is the universal nature of the design solution: a locked-open valve. How many locked-open valves are in use in process plants and how many have a well understood and documented design basis?

Engineers can easily overlook the importance of clearly documenting design bases. Documenting and communicating design bases can prove critical for operations personnel and those who may alter the design at some time after startup. Unfortunately, this last step in the technique can appear merely bureaucratic, and it sometimes takes an incident to fully appreciate the importance of documenting and communicating process safety system design bases.

2.6.2 Selecting the Relief System Basis for a Reactor (A Complex Design Case)

This example has its origins in a past engineering design problem where engineers faced the task of upgrading a series of existing emergency relief systems. The problem involved selecting the emergency relief system (ERS) sizing basis for a reactor vessel that processed a potentially reactive chemical system (Bellomo and Stickles 1995). The hazardous chemical was a liquid aliphatic acid chloride (AC). The intended liquid-phase chemical reaction can be summarized as:

Intended Reaction: R-C(=O)-Cl + Reactant X --(Solvent)--> Product Y

In this instance, the risk-based design bases selection technique was deliberately applied to the problem, as described below.

Step 1: Engineers used a What-If technique to identify the failure scenarios that might control the ERS design basis. Included in this effort was the development of a reactivity/compatibility matrix to assess all possible reactive design bases for the chemistry at hand. A possible unintended reaction, whereby AC reacts vigorously and exothermically with water to produce hydrogen chloride (HCl) gas, coupled with the presence of water at facilities undergoing ERS upgrades, strongly influenced the direction of the engineers' problem-solving efforts.

Possible Unintended Reaction: R-C(=O)-Cl + H2O --> R-C(=O)-OH + HCl (v) + Heat

In addition, the engineers had to address the typical ERS case of a fire beneath the reactor vessel. As a result, the engineers ultimately focused their evaluation on three separate scenarios. Brief descriptions of these three scenarios appear below.

• Immediate Unintended Reaction (process induced case of water contamination). Several plausible scenarios were identified (e.g., a residual water heel from a reactor vessel clean-out) whereby water would come into contact with unreacted AC, resulting immediately in the unintended side reaction which generated HCl gas.

• Delayed Unintended Reaction (process induced case of layering and water contamination). In the absence of strong solvents and mixing, AC and water will form two liquid layers. In such scenarios, the AC-water reaction initially takes place at the interface of the two layers and is diffusion limited. As the interface heats up from the reaction, a critical temperature is reached where the vapor pressure of the interface material is greater than the system pressure plus the liquid head of the top layer. This results in rapid turnover of the liquid and mixing, causing rapid HCl vapor generation.

• External Fire. The third case involved a reactor full of AC and exposed to external fire. Since neither the AC, the solvent, nor the product were self-reactive, and all-vapor venting occurs, conventional ERS sizing applied.

Step 2: In order to properly characterize the delayed unintended reaction, several experiments were conducted in small-scale and large-scale reactors. Because the actual chemistry takes place in the presence of a strong solvent, small-scale experiments were also carried out to investigate the behavior in the presence of solvents. With a solvent present, layering was not observed, and the reaction with water was essentially instantaneous.

Another factor that needed to be considered in the characterization of this system was the solubility effects of HCl in water and AC. An enthalpy-concentration diagram for HCl-water solutions was generated using equations of state and published binary interaction parameters. As a result of the large difference between the solubility of HCl in water versus the solubility of HCl in AC, it was determined that the vessel pressure-temperature behavior was much worse (i.e., a higher peak pressure) if water was added to a batch of AC as opposed to AC added to a batch of water (Melhem et al. 1995).

Using detailed mathematical models, engineers analyzed the consequences of the study scenarios on reactor vessel temperature-pressure history and venting flow. An evaluation of the model simulation results indicated that protecting the vessel from the delayed reaction required an impracticable vent size.

Step 3: Inadequately mitigated pressure rise caused by any of the three scenarios could have ruptured the reactor vessel. Such consequences were considered intolerable. Therefore, an assessment of the risk was necessary.

Step 4: An evaluation of the specific pathways and likelihood for mixing AC and water was performed using fault tree analysis. A fault tree for an extended external fire was also developed. A risk analyst, working in conjunction with design and process engineers, assigned frequencies to the basic events in the fault tree. This exercise provided a quantification of the risk.

Step 5: The designers had adopted "working" tolerability guidelines for selecting ERS design bases. These working guidelines specified that the ERS design had to accommodate the relief requirements of any scenario estimated at a frequency greater than or equal to 1 × 10^-4/year. In contrast, designers would tolerate scenarios estimated at less than 1 × 10^-4/year. That is to say, designers would proceed with an ERS design that would not necessarily accommodate the relief requirements of scenarios estimated at frequencies less than 1 × 10^-4/year. Comparison of the consequences and likelihood of the scenarios with the tolerability guidelines revealed that the risk was intolerable for the two process-induced scenarios involving the unintended reaction with water.

Incidentally, the threshold frequency used by the designers, 1 × 10^-4/year, related strongly to a worst-case consequence estimation. This worst-case consequence estimation considered the system energy and hazardous materials as well as the geographic distribution and total number of possible receptors.

Step 6: At this point, it is instructive to review the situation faced by the engineers tackling specification of the ERS design. The external fire was the lowest consequence scenario (step 2, consequence estimation) and did not control vent size. Accordingly, the external fire scenario was dropped from further consideration and the rationale for doing so was documented.

The delayed unintended reaction scenario represented the worst case — it required the largest ERS. As indicated in step 2, however, the designers considered such vent sizing requirements impracticable for the existing facility. Nonetheless, the estimated frequency for this scenario exceeded the threshold tolerability frequency (i.e., 1 × 10^-4/year).

The immediate unintended reaction scenario represented the second highest consequence case. Like the delayed reaction scenario, the estimated frequency for this scenario exceeded the threshold tolerability frequency.

Since no inherently safer design approaches were readily available, engineers turned their attention to passive, active, and procedural design enhancements that would reduce the estimated frequencies of the immediate and delayed unintended reaction scenarios. A number of solutions were identified to reduce the likelihood of contacting water and AC, such as incompatible water/steam hose connectors (passive), interlocks (active), and water use permit (procedural).

Step 7: Fault trees developed in step 4 were updated and requantified to reflect the proposed risk mitigation. Through the application of design enhancements, the estimated frequency for both immediate and delayed unintended reactions decreased. The focus of the design enhancements was on engineering and procedural controls that would reduce the likelihood of getting water and AC into the reactor vessel in such a way that they would layer. Since the proposed modifications were not considered high-cost items, a detailed quantitative cost estimate was not prepared.

Step 8: With the addition of the design enhancements, the delayed unintended reaction satisfied the threshold frequency (i.e., less than 1 × 10^-4/year). Since the estimation for the immediate unintended scenario remained above the threshold frequency, the decision was made to select this scenario as the design basis for ERS sizing.

Step 9: The documentation covered the experimental work, risk evaluation results, vent sizing calculations, and qualitative cost estimates. This documentation became part of the facility's permanent design information file.
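Steps 4 through 8 of the technique, carried through in Python as an added worked example (it is not code from the CCPS guidelines or from the Bellomo and Stickles study): each scenario is a small fault tree, the top-event frequencies are compared with the working threshold, the step 6 enhancements are applied as reduction factors on basic events, and the design basis is reselected. Only the 1 × 10^-4/year threshold comes from the text; the basic-event names, their frequencies and probabilities, the consequence ranks and the reduction factors are all constructed assumptions.

```python
"""Risk-based ERS design-basis selection, steps 4 to 8 of the CCPS technique.

Added worked example; it is not code from the CCPS guidelines or from the
Bellomo and Stickles study.  It follows the acid chloride (AC) reactor case:
quantify one fault tree per scenario, compare each frequency with the working
tolerability threshold, apply design enhancements, requantify, and pick the
design basis.  The threshold (1 x 10^-4 per year) is the one stated in the
text; every basic-event value and reduction factor below is CONSTRUCTED.
"""
from __future__ import annotations

from dataclasses import dataclass

THRESHOLD_PER_YEAR = 1e-4  # step 5 working tolerability guideline (from the text)


@dataclass(frozen=True)
class Event:
    """Basic event: an initiating frequency (per year) or an enabling probability."""
    name: str
    value: float


@dataclass(frozen=True)
class Gate:
    """AND multiplies its inputs; OR adds them (rare-event approximation)."""
    kind: str
    inputs: tuple


def quantify(node: Event | Gate, factors: dict[str, float] | None = None) -> float:
    """Evaluate a fault tree.  `factors` scales named basic events; that is how a
    design enhancement (passive, active or procedural) enters the requantification."""
    factors = factors or {}
    if isinstance(node, Event):
        return node.value * factors.get(node.name, 1.0)
    values = [quantify(child, factors) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for v in values:
            result *= v
        return result
    if node.kind == "OR":
        return sum(values)
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Constructed basic events for the water/AC contact pathways (step 4).
WATER_ENTERS = Gate("OR", (
    Event("residual_water_heel_after_cleanout", 0.05),  # /yr
    Event("hose_cross_connection", 0.02),               # /yr
    Event("cooling_water_leak_into_vessel", 0.01),      # /yr
))
AC_UNREACTED = Event("unreacted_ac_in_vessel", 0.5)     # probability
SOLVENT_PRESENT = Event("solvent_present", 0.9)         # probability: no layering
LAYERING = Gate("AND", (                                # AC and water form two layers
    Event("no_solvent_present", 0.1),
    Event("agitator_off_during_water_entry", 0.2),
))
FIRE = Event("extended_external_fire", 5e-5)            # /yr

# Scenario -> (relief demand rank from step 2, fault tree).  Rank 3 = largest vent.
SCENARIOS = {
    "delayed_unintended_reaction": (3, Gate("AND", (WATER_ENTERS, AC_UNREACTED, LAYERING))),
    "immediate_unintended_reaction": (2, Gate("AND", (WATER_ENTERS, AC_UNREACTED, SOLVENT_PRESENT))),
    "external_fire": (1, FIRE),
}

# Step 6 enhancements as reduction factors on basic events (constructed values).
ENHANCEMENTS = {
    "hose_cross_connection": 0.01,              # passive: incompatible hose connectors
    "agitator_off_during_water_entry": 0.01,    # active: agitator-running interlock
    "residual_water_heel_after_cleanout": 0.1,  # procedural: water use permit
}


def scenario_frequencies(factors: dict[str, float] | None = None) -> dict[str, float]:
    """Step 4 (and step 7 when factors are given): top-event frequency per scenario."""
    return {name: quantify(tree, factors) for name, (_, tree) in SCENARIOS.items()}


def select_design_basis(factors=None, threshold=THRESHOLD_PER_YEAR):
    """Steps 5 and 8: the ERS must accommodate every scenario at or above the
    threshold; the design basis is the intolerable scenario with the largest
    relief demand.  Returns (scenario name or None, frequencies)."""
    freqs = scenario_frequencies(factors)
    intolerable = [name for name, f in freqs.items() if f >= threshold]
    if not intolerable:
        return None, freqs
    return max(intolerable, key=lambda name: SCENARIOS[name][0]), freqs


if __name__ == "__main__":
    for label, factors in (("before enhancements", None), ("after enhancements", ENHANCEMENTS)):
        basis, freqs = select_design_basis(factors)
        print(f"{label}:")
        for name, f in freqs.items():
            flag = "intolerable" if f >= THRESHOLD_PER_YEAR else "tolerated"
            print(f"  {name:32s} {f:9.2e}/yr  {flag}")
        print(f"  design basis -> {basis}")
```

With the constructed values the delayed reaction controls before the enhancements and drops below the threshold after them, so the immediate reaction becomes the sizing basis, which is the outcome the text describes.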

2.7 REFERENCES

Advisory Committee on Major Hazards. 1976. First Report. London: Her Majesty's Stationery Office.

API RP 2003 1991. Protection Against Ignitions Arising Out of Static, Lightning, and Stray Currents. Washington, DC: American Petroleum Institute.

Bellomo, P.J., and R.P. Stickles. 1995. Select Design Bases for Emergency Relief and Other Process Safety Systems Based on Risk. Paper presented at International Symposium on Runaway Reaction and Relief Design, August 1995, Boston, Massachusetts.

Bendixen, L.M. 1988. Risk Acceptability in the Chemical Process Industry: Working Toward Sound Risk Management. Spectrum: Arthur D. Little Decision Resources.

British Standards Institute BS-5958. Code of Practice for Control of Undesirable Static Electricity: Part 1, General Considerations, and Part 2, Recommendations for Particular Industrial Situations. London: British Standards Institute.

Chicken, J. 1986. Risk Assessment for Hazardous Installations. Commission of the European Communities, Oxford: Pergamon Press.

Conway, A., ed. 1981. Engineering Hazards: Assessment, Frequency, and Control. London: Oyez Publishing Ltd.

CCPS 1989. Guidelines for Chemical Process Quantitative Risk Analysis. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1992a. Guidelines for Investigating Chemical Process Incidents. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1992b. Guidelines for Hazard Evaluation Procedures. Second Edition with Worked Examples. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1994a. Guidelines for Preventing Human Error in Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1994b. Guidelines for Safe Automation of Chemical Processes. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1995a. Tools for Making Acute Risk Decisions. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1995b. Guidelines for Chemical Risk Transportation. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1995c. Guidelines for Process Safety Documentation. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1996. Bollinger, R. E., Clark, D. G., Dowell, A. M., Ewbank, R. M., Hendershot, D. C., Lutz, W. K., Meszaros, S. L., Park, D. E., and Wixom, E. D. Inherently Safer Chemical Processes: A Life Cycle Approach. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

EPA 1996. Risk Prevention Program for Chemical Accident Prevention. Environmental Protection Agency, 40 CFR, Part 68.

Gibson, S.B. 1976. Risk Criteria in Hazard Analysis. Chemical Engineering Progress 72(2), 59.

Health and Safety Executive 1989. Risk Criteria for Land Use Planning in the Vicinity of Major Industrial Hazards. London: HMSO.

Health and Safety Commission 1991. Major Hazard Aspects of the Transport of Dangerous Substances. London: HMSO.

IChemE and IPSG 1995. Inherently Safer Process Design. Rugby, England: Institution of Chemical Engineers.

Kletz, T.A. 1984. Cheaper, Safer Plants or Wealth and Safety at Work. Rugby, Warwickshire, UK: Institution of Chemical Engineers.

Kletz, T. A. 1991. Plant Design for Safety. New York: Hemisphere.

Melhem, G. A. et al. 1995. An Advanced Method for the Estimation of Reaction Kinetics, Scaleup, and Pressure Relief Design. Process Safety Progress, 14(1), 15-36.

Noronha, J., Merry, J., Reid, W., and Schiffhauser, E. 1982. Deflagration Pressure Containment for Vessel Safety Design. Plant/Operations Progress, 1(1), 1-6.

NFPA 69, Explosion Prevention Systems, Chapter 5 on Deflagration Pressure Containment, 1982.

OSHA 1992. Process Safety Management of Highly Hazardous Chemicals. 29 CFR 1910.119. Washington, DC: Occupational Safety and Health Administration.

Royal Society 1983. Risk Assessment: Report of a Royal Society Study Group. London: Royal Society.

Stevens, G., and R.P. Stickles 1992. Prioritization of Safety Related Plant Modifications Using Cost-Risk Analysis. Paper presented at International Conference on Hazard Identification and Risk Analysis, January 1992, Orlando, Florida.

Tompkins, B., and Riffee, D. 1983. Careful Safety Evaluation Identifies Fire Hazards on Offshore Facilities. Oil & Gas Journal (October 3): 98-101.

US Coast Guard 1990. A Guideline for Detonation Flame Arresters. 33 CFR Part 154, Appendix A. United States Coast Guard: US Department of Transportation.

Windhorst, J. C. A. 1995. Application of Inherently Safe Design Concepts, Fitness for Use and Risk Driven Design Process Safety Standards to an LPG Project. Loss Prevention and Safety Promotion in the Process Industries Volume II, ed. J.J. Mewis, H.J. Pasman and E.E. De Rademaeker: Elsevier Science B.V.

Suggested Additional Reading

Arendt, J. S., Lorenzo, D. K. and Lusby, A. F. 1989. Evaluating Process Safety in the Chemical Industry: A Manager's Guide to Quantitative Risk Assessment. Washington, DC: Chemical Manufacturers Association.

Covello, V. T., Sandman, P. M. and Slovic, P. 1988. Risk Communication, Risk Statistics and Risk Comparisons: A Manual for Plant Managers. Washington, DC: Chemical Manufacturers Association.

DIERS 1994. Risk Considerations for Runaway Reactions. Design Institute for Emergency Relief Systems, New York: American Institute of Chemical Engineers.

Greenberg, H. R. and Cramer, J. J., eds. 1991. Risk Assessment and Risk Management for the Chemical Process Industry. New York: Van Nostrand Reinhold.

Hendershot, D. C. 1996. Risk Guidelines As a Risk Management Tool. Process Safety Progress, 15(4), 213-218.

Kathren, R.L., Selby, J. M. and Vallario, E. J. 1980. A Guide to Reducing Radiation Exposure to as Low as Reasonably Achievable (ALARA). WCRP 108.0656, US Department of Energy, April.

Lewis, H. W. 1990. Technological Risk. New York: W. W. Norton and Co.

NFPA 30 1993. Flammable and Combustible Liquids Code. Quincy, MA: National Fire Protection Association.

NUREG/CR-2300. 1982. A Guide to the Performance of Probabilistic Risk Assessment for Nuclear Power Plants. US NRC.

Noronha, J., and Torres, A. 1990. Runaway Risk Approach Addressing Many Issues: Matching the Potential Consequences with Risk Reduction Methods. Proceedings of the 24th Loss Prevention Symposium, AIChE National Meeting, San Diego, CA.

Philley, Jack O. 1992. Acceptable Risk: An Overview. Halliburton NUS Environmental Corporation, Houston, TX, October.

Sawery et al. 1991. Risk Assessment and Risk Management for the Chemical Process Industry. New York: Van Nostrand Reinhold.

The Institution of Engineers, Australia 1993. Dealing With Risk. Canberra, Australia.

Wang, O. S., and Field, J. G. 1992. Risk Management of Onsite Transportation of Hazardous Materials. Westinghouse Hanford Company, Richland, Washington.

Wells, G. 1996. Hazard Identification and Risk Assessment. Institution of Chemical Engineers, Rugby, Warwickshire, UK.

3 VESSELS

3.1 INTRODUCTION

This chapter presents potential failure mechanisms for vessels and suggests design alternatives for reducing the risks associated with such failures. The types of vessels covered in this chapter include:

• In-process vessels (surge drums, accumulators, separators, etc.)

• Pressurized tanks (spheres, bullets)

• Atmospheric, fixed roof storage tanks (cone/dome roof)

• Atmospheric, floating roof storage tanks

Reactors are a unique subset of vessels, in that they are specifically designed to contain chemical reactions. Because reactors have unique failure scenarios specifically attributable to the reaction (e.g., reactant accumulation), a complete chapter (Chapter 4) is devoted to this important class of equipment. However, many of the generic vessel failure modes discussed in this chapter, such as corrosion related failures or autopolymerization, may also apply to reactors.

3.2 PAST INCIDENTS

"Those who cannot remember the past are condemned to repeat it" (Santayana 1905). Important lessons can be learned from prior mistakes. Several case histories of incidents involving vessel failures are provided to reinforce the need for the safe design and operating practices presented in this chapter.

3.2.1 Storage Tank Autopolymerization Incident

Plant operating problems had resulted in the production of a tank (approximately 32,000 lb) of glacial acrylic acid (GAA) which did not meet specifications due to high water content. The material was held in storage until it was loaded into a tank wagon, where it was to be kept until the GAA could be reworked. The operator's logbook specified that warm water (25°C maximum) was to be used to keep the GAA from freezing (freezing point = 13°C). The outside temperature was 5-10°C at the time. A standard steam-water mixing station was used to supply the warm water to the tank wagon coils. Water flow was maintained to the tank wagon, but no measuring devices were available for observing actual temperature or flow rate. The steam-water mixing station operation was monitored and adjusted by observing that warm water was running out of the coil outlet (noting vapor evolving from water in the cold weather). It was not clear after the incident whether the tank wagon dome lid was open, or just loosened to allow "breathing" during the hold period.

Approximately 15½ hours after the tank wagon was filled, vapors started blowing out the loosened tank wagon lid and accumulating in the vicinity of the tank wagon. The steam-water mixer was shut off and approximately six minutes later the tank wagon exploded. The blast effect from the explosion destroyed an adjacent loading rack/pipe rack, and damaged other plant structures.

A combination of local overheating (hot surface) and local inhibitor deficiency was considered the most probable mechanism for initiation of polymerization. Contamination may have contributed to the violence of the polymerization once it was initiated. Water and iron were the two main candidates in contamination considerations. Screening experiments showed that water can reduce GAA stability at temperatures >100°C, and that soluble iron in the 1-100 ppm range can also reduce stability. See item 10 in Table 3 for potential design solutions.

Ed. Note: This example illustrates the hazard of using temporary facilities for the storage of hazardous materials. Such facilities are often not subject to the same scrutiny as permanent facilities.

3.2.2 Storage Tank Stratification Incident

Acetic anhydride is used as an acetylating agent for many compounds. When it reacts with a hydroxyl group, acetic acid is formed as a byproduct. Pure acetic anhydride will react energetically with water to form acetic acid. In typical acetylation reactions, an excess of anhydride is used to drive the reaction to completion. This excess is then reacted in the receiver tank with water to convert the excess anhydride to acid. The acid is then refined and remanufactured into anhydride. This operation can be performed safely, since the presence of acetic acid makes water and acetic anhydride miscible, and therefore the rate of reaction can be controlled by the rate of water addition.

In this case, the acetylation reaction did not proceed as designed, due to an inadvertent omission of the strong mineral acid catalyst needed to initiate the reaction at low temperatures (-10°F). Thus, the receiver tank did not contain a mixture of acetic anhydride and acetic acid, but only very cold, pure anhydride. The operator in charge of the water addition did not realize the change in composition, and additionally failed to turn the tank agitator on prior to beginning the water addition. After several minutes of water addition, he realized his mistake with the agitator, and hit the start button. Immediately, the water, which had layered out on top of the cold anhydride, mixed and reacted violently. This caused a partial vaporization in the tank, and eruption through an open manway, resulting in fatal burning of the operator.

Had the agitator been turned on prior to beginning the water addition, the reaction rate would have again been controlled by the water addition rate. In this case, the water was added at near-stoichiometric concentrations virtually instantaneously, resulting in an uncontrolled exotherm.

3.2.3 Batch Pharmaceutical Reactor Accident

While two operators were charging fiber drums containing a penicillin powder into a reactor containing a mixture of acetone and methanol, an explosion occurred at the reactor manhole. The two operators were blown back by the force of the explosion, and were covered with solvent-wet powder.

The incident was initiated by the ignition of solvent vapors, which resulted in a dust explosion of the dry powder. The solvent liquid mixture in the reactor did not ignite. Tests on the polyethylene liner inside the fiber drums, which had been grounded at the time of the incident, showed that they were of the non-conducting type. The most probable cause of the ignition was an electrostatic discharge from the polyethylene liner during reactor charging.

After this accident, the company instituted the following procedures (Drogaris 1993):

• Requiring nitrogen inerting when pouring dry solids into flammable solvents

• Adding dry powder to the reactor by means of grounded metal scoops, where possible, rather than by pouring in directly from drums with polyethylene liners

• Using only conductive polyethylene liners

• Using a closed charging system rather than pouring dry powders into flammable solvents directly via an open manhole

• Performing an electrostatic hazard review of the whole plant and all the processes whenever powders and flammable solvents are used

Ed. Note: Even though this incident involved a reactor, it applies as well to any vessel, open-manhole, charging operation. Most likely the liners were loose and the operators not grounded. If fixed liners were in place and the operators grounded, the accident might not have occurred.

3.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

The information on equipment failure scenarios and associated design solutions is introduced in table format in this chapter and followed in each subsequent equipment chapter. The organization of the tables is the same in each chapter. The table headings used are described below.

• Operational Deviation—generic operational parameter deviation such as overpressure. Analogous to HAZOP parameter deviation.

• Failure Scenario—specific failure mechanism/cause for specified generic parameter deviation (e.g., overpressure due to upstream control system failure).

• Potential Design Solution—potential design solutions that could be considered to reduce the risk of the failure scenario. For the reasons given in Chapter 2, the design solutions are grouped into the following three categories: inherently safer/passive, active and procedural.

Vessel failure scenarios, along with associated design solutions, are presented in Table 3. Design solutions are provided for each scenario, although some scenarios do not have practical design solutions for all categories. Operational deviations marked with (T) are discussed in further detail in the chapter text.

3.4 DISCUSSION

3.4.1 Use of Potential Design Solutions Table

It should be recognized that the design solutions presented are possible approaches for reducing the risk of the associated failure scenario. The authors of this book could not anticipate all the possible applications nor conditions that may pertain to a specific design situation. Also, the design solutions are not necessarily equivalent in terms of benefit in reducing the risk of the stated hazard scenario. Therefore, it is intended that the table be used in conjunction with the design basis selection methodology presented in Chapter 2 to arrive at the optimal design solution for a given application. Furthermore, some solutions are not applicable to all classes of vessels. (For example, designing for maximum expected deflagration pressure is not practical for tanks designed to API Std 650 (1988) but should be considered for some pressure vessels.)

Use of the design solutions presented in Table 3 should be combined with sound engineering judgment and consideration of all relevant factors. For example, let us assume that it is decided that a nitrogen blanketing system will be installed on an atmospheric storage tank to reduce the risk of internal explosion. Typically nitrogen supply pressures are significantly higher than the design pressure of a storage tank designed to API Std 650 (1988). Consequently the total system design also needs to address the hazard of overpressure due to uncontrolled opening of a high pressure utility system.

This example illustrates an important aspect of the intended use of the equipment failure tables. The design and installation of safety systems, especially active systems, can also introduce potential hazards that were not originally present. Therefore, it is necessary to use the table in the context of the total design concept to ensure that all hazards have been considered. As shown in the example, this may involve combining several scenario design solutions to arrive at a final acceptable design. Consequently, the table should be consulted at various stages of the design to reaffirm that all failure mechanisms are considered.

Utilizing several design solutions for the same scenario is also possible and often desirable. Again referring to the design of a flammable liquid storage tank, employing ignition source controls (e.g., non-splash filling, grounding) as well as vapor space inerting may be desirable based on the consequences of catastrophic tank failure.

In addition to providing the required degree of reliability for any one failure scenario, multiple safeguards may be the optimum approach to process deviations caused by very different failure scenarios. For example, suppose a vessel can be overpressured by deflagration in the vapor space in one scenario and by runaway reaction in another scenario. The deflagration event may be characterized by a high pressure rise rate but a modest pressure rise ratio. The reaction runaway may be characterized by a very high pressure rise ratio but a modest reaction rate early in the runaway. With this disparity in the scenarios, the optimum safeguard design might be pressure containment for the deflagration and emergency pressure relief for the runaway reaction. In this situation, these safeguards are not redundant.

3.4.2 Special Considerations

The tables contain numerous design solutions derived from a variety of sources and actual situations. Many of the solutions are readily understood. In some instances, additional explanation is warranted to fully appreciate the approach. This section contains additional information on selected design solutions. The information is organized and cross referenced by the Operational Deviation Number in the table.

Ignition of Flammable Atmosphere (3,19)

When applying vapor space inerting, there are some special circumstances that need to be recognized; namely, the presence of oxygen is needed for some hazard mitigation measures. For example, the corrosion inhibiting mechanism of certain metals (e.g., stainless steel) depends on the presence of some oxygen. Likewise, some polymer formation inhibitors that are added to reactive materials need oxygen to stay active. In such situations, a reduced oxygen atmosphere may achieve the desired balance between inhibitor activity and flammability protection.

The use of flame arresters deserves additional consideration. Flame arresters are often implicated in vessel incidents, not because they are ineffective, but because they are misapplied or improperly maintained. Flame arresters that are not routinely inspected can become plugged (e.g., condensation/corrosion by stored fluids, foreign debris). Eventually, the protected vessel can be subjected to overpressure or vacuum conditions if the vessel is not protected by a relief device.

Flame arresters do not necessarily provide protection against detonation unless specifically designed for that purpose. When using in-line flame arresters, it is necessary to evaluate the potential for deflagration to detonation transition (DDT) in the piping systems being considered. Information on analysis of DDT can be found in CCPS 1993, Chapter 13.

Chemical Reaction Increases Pressure (10)

In the case of cold storage tanks, emergency cooling needs to be independent since loss of primary cooling may be a cause of high reaction rate.

When polymerization inhibitor is used, the solubility of the inhibitor in the reactive monomer over the range of potential operating conditions needs to be considered. For example, as acrylic acid melts, the inhibitor tends to stay in the solid, producing a potential runaway hazard in the molten liquid. See Section 3.2.1.

Pressure Generated by Rollover (12)

The earliest recognized incident of rollover occurred in a Liquefied Natural Gas (LNG) tank due to density stratification. In this incident LNG was transferred from a tanker to a partially filled LNG tank. The LNG transferred was more dense than the LNG in the tank and was added to the bottom of the tank. As a result, two discrete layers of LNG existed in the tank. With heat transfer from the surroundings, energy accumulated in the lower layer since the hydrostatic head of the upper layer suppressed vaporization. As the lower layer temperature increased, its specific gravity decreased. Heat transfer to the upper layer resulted in boil-off of methane and an increase in the specific gravity as the concentration of heavier components increased. In time the difference in specific gravity between the two layers disappeared, and the resulting rapid equilibration released the stored energy in the lower layer as a high rate of liquid vaporization. Fortunately, in this situation tank safety relief devices were able to provide adequate protection, and tank failure was averted (Drake et al. 1973).

Rollover can also occur with two immiscible, reactive materials, such as acetic anhydride and water. As the materials react at the interface, acetic acid is formed as a reaction product. Once a sufficient amount of acid is generated, the two phases become miscible, collapsing together and generating a large, nearly instantaneous exotherm. With this energy release, the resulting reaction mixture can be partially vaporized, with an accompanying rapid rise in vessel pressure.

Tank Failure under Vacuum (20 to 25)

In flammable service, generally it is not desirable to allow air into a vessel to prevent vacuum conditions. Bleeding in an inert gas under pressure control is a design solution that is often utilized. Depending on the consequences of inert gas failure, an emergency supply of inert gas may be needed. In some instances, an air vacuum breaker is provided as a last line of defense. This design approach is based on acceptance of the lower likelihood of ignition instead of the much more likely prospect of damaging the tank, which could result in loss of containment.

Tank Failure from Frost Heave (47)

This is a serious problem for design of cryogenic fluid storage tanks. However, it can be managed through proper foundation design. Design solutions that have been used include elevated foundation pedestals to minimize heat transfer from the soil and foundation heating elements.

3.5 REFERENCES

API Std 650 1988. Welded Steel Tanks for Oil Storage. Washington, DC: American Petroleum Institute.

CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

Drake, E. M., Geist, J. M., and Smith, K. A. 1973. Preventing LNG "Rollover." Hydrocarbon Processing.

Drogaris, G. 1993. Major Accident Reporting System: Lessons Learned from Accidents Notified. Amsterdam: Elsevier Science Publishers, B.V.

Santayana, G. 1905. The Life of Reason, Vol. I, Reason and Common Sense.

Suggested Additional Reading

API Publ 2210 1982. Flame Arresters for Vents of Tanks Storing Petroleum Products, 2nd ed. Washington, DC: American Petroleum Institute.

US Coast Guard 1990. Specifications for Tank Vent Flame Arresters, 33 CFR Part 154, Appendix B. United States Coast Guard: US Department of Transportation.

UL 525 1984. Flame Arresters for Use on Vents of Storage Tanks for Petroleum Oil and Gasoline, 5th ed. UL.

TABLE 3. FAILURE SCENARIOS FOR VESSELS

Columns: No. | Operational Deviation | Failure Scenario, each followed by the potential design solutions grouped as Inherently Safer/Passive, Active and Procedural (column definitions are given in section 3.3). Items marked (T) are discussed in the text.

1 | Overpressure | Liquid overfill resulting in back pressure or excessive static head
  Inherently Safer/Passive: Vessel design accommodating maximum supply pressure; Use open vent or overflow line
  Active: Emergency relief device; Level device interlocked to prevent overfill
  Procedural: Instructions to monitor level during transfer; Verify tank has sufficient free board prior to transfer; High level alarm with instructions to intervene to prevent overfilling

2 | Overpressure | Inadvertent or uncontrolled opening of high pressure utility system
  Inherently Safer/Passive: No utility connections above pressure rating of vessel; Incompatible utility couplings to prevent connections of high pressure utilities; Mechanical flow restriction (e.g., restriction orifice) of utility with open vent on vessel; Vessel design accommodating maximum utility pressure
  Active: Emergency relief device on vessel or utility line; Pressure sensor interlocked to isolate utility pressure
  Procedural: Labeling of utility connections

3(T) | Overpressure (see items 18, 19) | Ignition of flammable atmosphere in vessel vapor space
  Inherently Safer/Passive: Floating roof tank instead of fixed roof (see procedural); Ignition source controls (e.g., lightning protection, permanent grounding/bonding, non-splash filling including dip pipe, fill line flow restriction, or bottom inlet); Vessel design accommodating deflagration pressure; Store below flash point (if not heating); Use non-intrusive instrumentation (e.g., radar level detection)
  Active: Explosion venting (e.g., frangible roof for fixed roof tank); Store material at temperature below its flash point (cooling); Vapor space combustible concentration control; Vapor space inerting; Flame arrester in vent path; Emergency purge and/or isolation activated by detection of flammable atmosphere
  Procedural: Oxygen analyzer with alarm; Instructions to feed empty tanks at low rate until fill line submerged, avoiding splash filling; No transfers during electrical storms; Low feed rate until floating roof is afloat

4 | Overpressure | Excessive fill rate resulting in back pressure from venting vapor
  Inherently Safer/Passive: Use open vent (e.g., vent diameter larger than fill line for short vent lines); Flow restriction orifice in fill line; Vessel design accommodating maximum supply pressure
  Active: Flow shutdown interlock activated by high pressure or high flow; Automated flow control loop on fill line with high flow alarm; Emergency relief device
  Procedural: Operating instructions to limit flow to a maximum safe value; Operating instructions to monitor filling rate and intervene to prevent excessive fill rate

5 | Overpressure | External fire
  Inherently Safer/Passive: Buried (underground or bermed) tank (consider environmental issues); Fireproof insulation (limits heat input); Slope-away diking with remote impounding of spills; Locate outside fire affected zone; Provide recommended tank-to-tank separation
  Active: Fixed fire protection water spray (deluge) and/or foam systems activated by flammable gas, flame, and/or smoke detection devices; Emergency relief device
  Procedural: Emergency response plan; Manual activation of fixed fire protection water spray (deluge) and/or foam systems

6 | Overpressure | Inadequate or obstructed vent path, resulting in high vapor space pressure during filling
  Inherently Safer/Passive: Use open vent; Vessel design accommodating maximum supply pressure; Vent screen to avoid entrance of foreign objects
  Active: Emergency relief device; Heat tracing of vent to avoid condensation and solidification
  Procedural: Operating instructions to verify open vent path before initiating fill operation; Operating instructions to periodically examine vent opening for obstructions

7 | Overpressure (see item 54) | Internal heating/cooling coil leak or rupture
  Inherently Safer/Passive: Use of external heater/cooler (panel coil); Use of heating/cooling medium which is not reactive with vessel contents; Vessel design accommodating maximum heating/cooling medium pressure; Use electrical heating; Use lower pressure/temperature heating or cooling medium; Vessel design accommodating maximum stored material vapor pressure at maximum heating medium temperature
  Active: Emergency relief device; High pressure interlock that activates utility closure; Back pressure control with external heating/cooling circulation to avoid leak into vessel
  Procedural: Periodic sampling/analysis of contents for leakage; Emergency action plan to transfer contents to safe location if adverse reaction can occur

8 | Overpressure | Vessel contamination with high vapor pressure material (introduction of volatiles)
  Inherently Safer/Passive: Vessel design accommodating maximum expected pressure; Use of incompatible couplings
  Active: Emergency relief device; Weak seam roof for tanks
  Procedural: Isolation of volatile materials by blinding, removable spool, disconnection, etc.

9 | Overpressure | Excessive heat input resulting in high vapor pressure
  Inherently Safer/Passive: Vessel design accommodating maximum expected pressure; Limit the temperature or flow of the heating medium (e.g., use hot water instead of steam)
  Active: Emergency relief device; High temperature or pressure alarm and interlock which isolates the heating medium
  Procedural: High temperature or pressure alarm with operator activation of heating medium isolation

10(T) | Overpressure | Chemical reaction resulting in increased pressure
  Inherently Safer/Passive: Vessel design accommodating maximum expected pressure; Limit or avoid the storage or unintended accumulation of reactive materials; Consume reactive intermediate process materials as soon as they are produced
  Active: Emergency relief device; High temperature and/or pressure alarm and automatic addition of quench/diluent fluid or inhibitor; Automatic activation of emergency cooling system
  Procedural: Operating instructions to periodically test for inhibitor concentration or activity; High temperature and/or pressure alarm and manual addition of quench, diluent or inhibitor; Manual activation of quench or cooling system; Periodic draining of accumulation points (i.e., knock-out pots)

11 | Overpressure | Control or equipment failure in vapor recovery system on refrigerated/chilled storage
  Inherently Safer/Passive: Vessel design accommodating maximum expected pressure; Additional insulation to prolong acceptable refrigeration outage
  Active: Emergency relief device; High pressure interlock to automatically start spare compressor
  Procedural: Operator startup of spare compressor on high pressure indication

12(T) | Overpressure | Roll-over of stratified layers, resulting in high vapor pressure
  Inherently Safer/Passive: Vessel design accommodating maximum expected pressure; Use of in-line mixer external to vessel to premix feeds; Provide tank filling system design that avoids tank stratification (e.g., top splash filling)
  Active: Mechanically agitate or recirculate tank contents; Emergency relief device
  Procedural: Operating instructions on filling procedure to avoid stratification

13 | Overpressure | Failure of upstream process controls, resulting in vapor or flashing liquid feed
  Inherently Safer/Passive: Vessel design accommodating maximum expected or upstream pressure; Ensure control valves are not oversized
  Active: Emergency relief device; High pressure alarm and interlock which isolates the inlet flow(s)
  Procedural: Operator activation of flow isolation on high pressure indication

14 | Overpressure | Ambient temperature change, resulting in higher vapor space pressure
  Inherently Safer/Passive: Vessel design accommodating maximum expected pressure; Use of buried (underground or aboveground) tank; Insulate tank; Open vent on fixed roof tanks; Place tank under a roof; Use reflective coating on vessel
  Active: Emergency relief device or breather vent valve; Automatic external cooling water spray
  Procedural: Operator activation of water spray on indication of high temperature in vessel

15 | Overpressure | Blocked outlet flow path
  Inherently Safer/Passive: Vessel design accommodating maximum upstream pressure; Eliminate unnecessary outlet block valves; Outlet sized to eliminate or reduce likelihood of plugging
  Active: Emergency relief device; Interlock to isolate vessel inlet or trip feed pump on high pressure
  Procedural: Procedures for securing valves open via seals or locks

16 | Overpressure | Ignition/reaction due to high temperature at unwetted internal heating element surface
  Inherently Safer/Passive: Vessel design to accommodate maximum expected temperature and pressure; Use of external recirculation heating system; Maintain submergence of heating surface by locating liquid withdrawal connection above the heating element; Limit temperature of heating medium; Selection of materials to avoid rust (i.e., eliminate potential catalytic effects)
  Active: Automatic level control with low level alarm and shutdown of liquid withdrawal system to ensure liquid is above heating surface at all times; Vapor space inerting; Temperature controls on heating medium to prevent overheating
  Procedural: Operating instructions to maintain liquid level above heating surface at all times; Manual response to low level indication; Operating instructions on control of temperature below a certain limit, or restrictions on the length of time that heat can be applied

17 | Overpressure | Heating and thermal expansion of liquid
  Inherently Safer/Passive: Install open overflow nozzle to containment system; Elimination of all unnecessary heating connections; Eliminate capability to "block in" system; Provide vapor space in vessel
  Active: High level shutoff preventing liquid from rising above level where expansion would cause overfill; Thermal expansion relief valve
  Procedural: Instructions on limiting the maximum liquid level; Manual shutoff on detection of high level; Instructions on draining vessel or isolating source of heat input before blocking in

18 | Overpressure (batch or semi-batch) | Electrostatic spark discharge and ignition of vapors during charging of solids through an open manhole or charging chute resulting in deflagration or flash fire
  Inherently Safer/Passive: Eliminate addition of materials as solids (e.g., use slurry); Charging of solids through a nozzle by means of a closed system (e.g., hopper and rotary airlock, screw feeder, double-dump valve system, etc.)
  Active: Automatic inerting of vessel prior to solids addition; Ground indicator with interlock to prevent manhole opening if ground connection to solids container is faulty
  Procedural: Manual inerting of vessel prior to solids addition; Procedures for manual grounding and bonding of solids container and funnel to vessel; Ground operator; Avoid use of non-conductive plastic containers; Verify acceptable oxygen concentration before charging

19(T) | Overpressure (Floating Roof Tank) | Ignition of flammable atmosphere in tank vapor space following seal failure on internal floating roof
  Inherently Safer/Passive: Provide double roof seal; Provide adequate natural ventilation between fixed roof and floating deck; Eliminate fixed roof provided over the floating deck; Ignition source controls (e.g., lightning protection, permanent grounding/bonding)
  Active: Use of fixed roof tank with inerting; Provide inerting between fixed roof and floating deck; End-of-line flame arrester
  Procedural: Periodic inspection of roof seals; Periodic testing for combustibles in tank vapor space

20(T) | Underpressure or Vacuum | Failure of vacuum system control
  Inherently Safer/Passive: Vessel design to accommodate maximum vacuum (full vacuum rating)
  Active: Vacuum relief device; Automatic isolation of vacuum system on high vacuum
  Procedural: Manual vacuum breaking on indication of high vacuum

21(T) | Underpressure or Vacuum | Obstructed vent path
  Inherently Safer/Passive: Vessel design to accommodate maximum vacuum (full vacuum rating); Vent screen to avoid entrance of foreign objects
  Active: Use of blanketing gas pressure control system to minimize vacuum; Vacuum relief device; Heat tracing of vent to avoid condensation and solidification
  Procedural: Operating instructions to verify open vent path before initiating withdrawal operation; Operating instructions to periodically examine vent opening for obstructions

22(T) | Underpressure or Vacuum | Uncontrolled condensation/absorption of vapor phase component
  Inherently Safer/Passive: Vessel design to accommodate maximum vacuum (full vacuum rating); Insulation; Open vent
  Active: Low pressure interlock to isolate outlet path; Use of blanketing gas pressure control system to minimize vacuum; Vacuum relief system; Feed heater
  Procedural: Operating procedure for monitoring temperature and addition rate of materials

23(T) | Underpressure or Vacuum | Excessive liquid withdrawal rate
  Inherently Safer/Passive: Vessel design to accommodate maximum vacuum (full vacuum rating); Open vent; Restrict withdrawal rate
  Active: Use of blanket gas pressure control system to minimize vacuum; Vacuum relief system
  Procedural: Procedural limitations on the maximum rate of liquid withdrawal

24(T) | Underpressure or Vacuum | Ambient temperature change, resulting in vapor space vacuum
  Inherently Safer/Passive: Vessel design to accommodate maximum vacuum (full vacuum rating); Open vent on fixed roof tanks; Insulation; Locate tank under roof
  Active: Use of blanket gas pressure control system to minimize vacuum; Vacuum relief device
  Procedural: Manual vacuum breaking on low pressure alarm

25(T) | Underpressure or Vacuum | Control or equipment failure in vapor recovery system on refrigerated/chilled storage
  Inherently Safer/Passive: Vessel design to accommodate maximum vacuum (full vacuum rating)
  Active: Use of blanket gas pressure control system to minimize vacuum; Air vacuum breaker device; Interlock to shutdown compressor/blower on low pressure
  Procedural: Manual shutdown of compressor/blower on low pressure alarm

26 | High external liquid level | High external pressure on vessel walls from water level in dike or vault resulting in dislodging tank or external collapse of tank wall
  Inherently Safer/Passive: Vessel design to accommodate maximum external pressure; Use of remote impounding instead of dike; Anchor tanks; Elevate tank; Dike height limits liquid level
  Active: Dike level measurement with automatic drain or pump-out; Storm water drain system
  Procedural: Operating instructions to inspect dike periodically and drain as necessary; Operating instructions to drain storm water collected in the dike after heavy rainfall; Keep tanks filled to a minimum liquid level

27 | High Temperature | High temperature material fed to vessel
  Inherently Safer/Passive: Vessel design to accommodate maximum expected temperature and pressure of feed material(s)
  Active: High temperature interlock to activate cooling or shut off feeds at desired temperature
  Procedural: Instructions to cool or shut off feed when temperature rises above a certain level

28 | High Temperature | Control failure of heating/cooling system
  Inherently Safer/Passive: Vessel design to accommodate maximum expected temperature and pressure experienced due to loss of heat transfer; Use of heating medium whose maximum temperature is limited to vessel design temperature
  Active: High temperature alarm and shutdown interlock; Auxiliary cooling/quench or heat transfer system; Emergency relief device
  Procedural: Manual shutdown on high temperature indication

29 | High Temperature | Chemical reaction (also see Chapter 4)
  Inherently Safer/Passive: Vessel design to accommodate maximum expected temperature and pressure of a possible exothermic reaction; Substitute less-reactive material
  Active: Emergency relief device; High temperature alarm and interlock shutdown; Automatic addition of reaction inhibitor and/or quench fluid; Automatic activation of emergency cooling system
  Procedural: Manual initiation of high temperature shutdown and/or quench/cooling addition

30 | High Temperature | External fire or failure of internal refractory liner
  Inherently Safer/Passive: Use of buried (underground or aboveground) tank (consider environmental issues); Insulate with fireproof insulation; Provide remote impounding of flammable liquid spills; Locate vessel to minimize exposure; Provide recommended tank-to-tank spacing
  Active: Fixed fire protection water spray (deluge) and/or foam systems activated by flammable gas, flame, and/or smoke detection devices; Emergency relief device; Fire detectors
  Procedural: Emergency response procedures; Manual activation of fixed fire protection water spray (deluge) and/or foam systems; Monitoring of vessel wall temperature with thermocouples or optical devices

31 | High Temperature | Excessive mechanical agitation
  Inherently Safer/Passive: Vessel design to accommodate maximum expected temperature and pressure; Limit agitator motor power; Leave vessel uninsulated to allow heat loss
  Active: Agitator shutdown on high temperature detection
  Procedural: Instructions to turn off agitator on high temperature indication

32 | Low Temperature | Low ambient temperature
  Inherently Safer/Passive: Vessel design to accommodate minimum expected (ambient) temperature; Use of buried (underground or aboveground) tank; Insulate tank; Locate equipment indoors
  Active: Automatic activation of heating system
  Procedural: Manually activate heating system or drain materials which could freeze

33 | Low Temperature | Control failure of heating/cooling system
  Inherently Safer/Passive: Vessel design to accommodate minimum expected temperature
  Active: Low temperature alarm and shutdown interlock; Auxiliary heating system
  Procedural: Operate system manually or activate back-up heating/cooling system

34 | Low Temperature | Low temperature material fed to vessel
  Inherently Safer/Passive: Vessel design to accommodate minimum expected feed temperature
  Active: Low temperature alarm and feed isolation interlock; Low temperature alarm activates external heating
  Procedural: Instructions to isolate feed on low temperature indication

35 | Low Temperature | Refrigerant leak into vessel
  Inherently Safer/Passive: Vessel design to accommodate minimum expected refrigerant temperature; Use refrigerant with vapor pressure below process pressure
  Active: Low temperature alarm and refrigerant system shutdown and/or isolation interlock
  Procedural: Manual system shutdown on low temperature indication

36 | Low Temperature | Depressuring of vessel containing liquefied gases
  Inherently Safer/Passive: Provide metallurgy suitable for low temperature
  Active: Interlock to close depressuring valve at specific pressure; Provide external heating
  Procedural: Instructions to deinventory liquid before depressuring; Instructions to warm up vessel before repressuring

37 | Over-fill | Level control failure causing spill
  Inherently Safer/Passive: Install open overflow nozzle to containment system; Closed loop filling; Diking or drainage to remote impounding
  Active: High level alarm and automatic feed cutoff/isolation
  Procedural: Instructions to stop feed when level reaches a certain point

38 | Over-fill | Incorrect or unanticipated cross-connection
  Inherently Safer/Passive: Install open overflow nozzle to containment system; Use of dedicated connections; Use of incompatible connections
  Active: High level alarm and automatic feed cutoff/isolation
  Procedural: Operating instructions on correct or permitted cross-connections between tanks and vessels; Operating/maintenance instructions to isolate tanks via blinding and disconnection; Manual isolation on high level

39 | Over-fill | Leak from heating/cooling system
  Inherently Safer/Passive: Install open overflow nozzle to containment system; External heating/cooling system; Operation of heating/cooling system at pressures below process pressure; Double tubesheet heat exchanger; Intermediate heat transfer fluid at a pressure below process pressure
  Active: High level alarm and automatic heating/cooling medium cutoff/isolation; Electrical bonding of floating roof to tank
  Procedural: Leak detection devices (e.g., pH, conductivity, capacitance) and manual isolation

40 | Over-fill | Leak or excessive fill from liquid utility system (e.g., utility water)
  Inherently Safer/Passive: Install open overflow nozzle to containment system; Orifice restriction in utility connection
  Active: High level alarm with utility isolation interlock
  Procedural: Operator isolation (e.g., disconnection, blinding, double block and vent) of utilities; Leak detection devices (e.g., pH, conductivity, capacitance) and manual isolation

41 | Low Level | Level control failure
  Inherently Safer/Passive: Locate underflow nozzle to maintain a minimum liquid level in the vessel
  Active: Low level alarm with shutoff preventing further liquid withdrawal from vessel via either pump shutdown or closure of block valve
  Procedural: Manual shutoff on low level indication

42 | Low Level | Incorrect or unanticipated cross-connection causing uncontrolled outflow
  Inherently Safer/Passive: Locate underflow nozzle to maintain a minimum liquid level in the vessel; Eliminate all unnecessary cross-connections; Use incompatible couplings to avoid improper cross-connections where hoses are used
  Active: Low level alarm with shutoff preventing further liquid withdrawal from vessel via either pump shutdown or closure of block valve
  Procedural: Operating instructions on the correct or permitted cross-connections between tanks and vessels; Operating/maintenance instructions to isolate tanks via blinding and disconnection; Manual outflow isolation on low level indication

43 | Low Level (Floating Roof Tank) | Ignition of flammable atmosphere in tank vapor space following low level that results in floating roof sitting on its internal legs
  Inherently Safer/Passive: Locate underflow nozzle to maintain a minimum liquid level in the tank
  Active: Low level alarm with interlock to automatically shutdown the transfer pump; Electrical bonding of floating roof to tank
  Procedural: Operating instructions to monitor tank level periodically

44 | Loss of Containment | Incompletely submerged agitator impeller causes excessive forces on vessel wall and heads
  Inherently Safer/Passive: Locate underflow nozzle to maintain a minimum liquid level in the vessel; Agitator designed to run stably during filling and emptying (e.g., stiffer shaft, foot bearing)
  Active: Low level shutoff preventing further liquid withdrawal from vessel; Low level alarm with interlock to automatically shutdown the agitator
  Procedural: Instructions to stop agitation at predetermined level

45 | Loss of Containment | Corrosion from process fluid
  Inherently Safer/Passive: Use corrosion resistant materials of construction; Protective coatings and paints; Double walled tank design
  Active: Automatic addition of corrosion inhibitor
  Procedural: Corrosion coupons with periodic withdrawal and analysis; Regular thickness measurements (i.e., nondestructive testing) at key points; On-line corrosion analysis with alarm

46 | Loss of Containment | Subsidence of soil below vessel
  Inherently Safer/Passive: Design and construction of tank foundation (piling and soil compaction)
  Procedural: Respond to indication of tank subsidence

47(T) | Loss of Containment | Frost heave (on cryogenic tanks)
  Inherently Safer/Passive: Design and construction of tank foundation (elevated pedestal); Insulation between tank and foundation
  Active: Foundation heating system

48 | Loss of Containment | Open drain connections
  Inherently Safer/Passive: Eliminate bottom connections; Limit size of drain connections
  Active: Self-closing drain valves; Excess flow check valves
  Procedural: Operating/maintenance instructions to blind drains when not in use

49 | Loss of Containment | Loss of sealing fluid to vessel agitator resulting in seal failure and emission of flammable or toxic vapors
  Inherently Safer/Passive: Circulate vessel contents via external, seal-less pump; Use of double or tandem mechanical seal; Alternative design which does not use a sealed agitator (i.e., continuous reactor with static mixer)
  Active: Flammable and/or toxic vapor sensors interlocked with agitators
  Procedural: Operators to visually check reservoir levels on regular basis; Seal liquid reservoir to have low level sensor and alarm; Flammable and/or toxic vapor sensors; Operator emergency response to indications of a seal leak

50 | Loss of Containment (Floating Roof Tank) | Floating roof sinks from snow or water on top of roof or corrosion of roof/pontoons
  Inherently Safer/Passive: Provide fixed roof to protect the floating roof; Double deck or pontoon floating roof; Corrosion-resistant material selection for floating roof
  Procedural: Operating procedures for periodic draining of roof; Periodic inspection and repair of pontoons

51 | Loss of Containment (Floating Roof Tank) | Fire following seal failure on external floating roof
  Inherently Safer/Passive: Use fixed roof tank; Double roof seal; Electrical bonding/grounding of roof and shell
  Procedural: Emergency response procedures; Fire fighting foam system

52 | Loss of Containment (Underground Storage Tanks and Insulated Vessels) | Corrosion from: contaminated earth; moisture trapped between insulation and vessel walls; chemical contamination; aggressive environment
  Inherently Safer/Passive: Protective coatings and paints; Use above-ground construction; Do not insulate tank; Locate below-ground vessel in secondary containment; Install weatherproof jackets to protect insulation from moisture, especially where chlorides may also be present
  Active: Cathodic protection
  Procedural: Corrosion coupons with periodic withdrawal and analysis; Regular thickness measurements at key points; Periodic leak detection

53 | Wrong Composition | Incorrect or unanticipated cross-connection
  Inherently Safer/Passive: Use of dedicated connections; Use of incompatible couplings; Physically separate points of connection of incompatible materials
  Active: Use of interlocks which prevent certain addition combinations
  Procedural: Operating instructions on the correct or permitted cross-connections between tanks and vessels; Isolate tanks and vessels via blinding and disconnection; Sample/analyze prior to transfer; Color coding and labeling of lines

54 | Wrong Composition | Leaking tank roofs or coils
  Inherently Safer/Passive: Indoor location (shielded from rain); External heating/cooling with leak protection; Electrical heating instead of steam
  Procedural: Periodic analysis to detect the presence of water or other coil fluid in the stored material; Periodic draining of floating roof

55 | Wrong Composition | Change in feed composition
  Inherently Safer/Passive: Design for all possible feed variations
  Active: On-line analyzer with alarms and interlock
  Procedural: Intermittent sampling and analysis with instructions to cut off feed

56 | Wrong Composition | Incorrect inhibitor composition or concentration
  Active: Automatic control of inhibitor addition rate
  Procedural: Operating instructions to verify inhibition effectiveness periodically

57 | Less Agitation | Failure of agitator causing stratification of immiscible layers
  Inherently Safer/Passive: External, inline mixing of feeds before entering tank; Use of compatible/mutually soluble materials
  Active: Agitator monitor interlocked to stop feed stream; Automatic backup pump around system
  Procedural: Manual activation of back-up pump around system; Manual shut off of feed on detection of loss of agitation

4 REACTORS

4.1 INTRODUCTION

This chapter presents potential failure mechanisms for reactors and suggests design alternatives for reducing the risks associated with such failures. The types of reactors covered in this chapter include:

• Batch reactors
• Semi-batch reactors
• Continuous-flow stirred tank reactors (CSTR)
• Plug flow tubular reactors (PFR)
• Packed-bed reactors (continuous)
• Packed-tube reactors (continuous)
• Fluid-bed reactors

This chapter presents only those failure modes that are unique to reaction systems. Some of the generic failure scenarios pertaining to vessels and heat exchangers may also be applicable to reactors. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels, and Chapter 6, Heat Transfer Equipment. Unless specifically noted, the failure scenarios apply to more than one type of reactor.

4.2 PAST INCIDENTS

Reactors are a major source of serious process safety incidents. Several case histories are presented to reinforce the need for safe design and operating practices for reactors.

4.2.1 Seveso Runaway Reaction

On July 10, 1976 an incident occurred at a chemical plant in Seveso, Italy, which had far-reaching effects on the process safety regulations of many countries, especially in Europe. An atmospheric reactor containing an uncompleted batch of 2,4,5-trichlorophenol (TCP) was left for the weekend. Its temperature was 158°C, well below the temperature at which a runaway reaction could start (believed at the time to be 230°C, but possibly as low as 185°C). The reaction was carried out under vacuum, and the reactor was heated by steam in an external jacket, supplied by exhaust steam from a turbine at 190°C and a pressure of 12 bar gauge. The turbine was on reduced load, as various other plants were also shutting down for the weekend (as required by Italian law), and the temperature of the steam rose to about 300°C. There was a temperature gradient through the walls of the reactor (300°C on the outside and 160°C on the inside) below the liquid level because the temperature of the liquid in the reactor could not exceed its boiling point. Above the liquid level, the walls were at a temperature of 300°C throughout.

When the steam was shut off and, 15 minutes later, the agitator was switched off, heat transferred from the hot wall above the liquid level to the top part of the liquid, which became hot enough for a runaway reaction to start. This resulted in a release of TCDD (dioxin), which killed a number of nearby animals, caused dermatitis (chloracne) in about 250 people, damaged vegetation near the site, and required the evacuation of about 600 people (Kletz 1994).

Ed. Note: The lesson learned from this incident is that provision should have been made to limit the vessel wall temperature from reaching the known onset temperature at which a runaway could occur.

4.2.2 3,4-Dichloroaniline Autoclave Incident

In January 1976, a destructive runaway reaction occurred during the operation of a large batch hydrogenation reactor used in the production of 3,4-dichloroaniline. The process involved the hydrogenation of 3,4-dichloronitrobenzene (DCNB) under pressure in an agitated autoclave. The autoclave was first charged with DCNB and a catalyst and then purged with nitrogen to remove air. A hydrogen purge followed the nitrogen purge, after which steam was applied to the reactor jacket and the temperature raised to within 20°C of the reaction temperature before additional hydrogen was admitted through a sparger. The heat of reaction carried the temperature to the desired operating level.

During the early stages, the rate of reaction was limited by the heat removal capacity of the autoclave cooling coil. This resulted in a relatively low autoclave pressure. Later, when the hydrogenation rate fell off, the autoclave pressure was allowed to increase. Based on field evidence and subsequent laboratory work the following conclusions were reached as to the cause of the incident (Tong 1977):

• The primary cause was a sudden pressure increase due to runaway reaction at about 260°C.

• The reaction mass reached runaway temperature due to the buildup and rapid exothermic disproportionation of an intermediate (3,4-dipheny-hydroxylamine). The most likely trigger for this reaction was a 10°C increase in the reactor temperature set point (operator error).

Ed. Note: The lesson learned from this incident is that a study should have been made of exotherm potential and provision should have been made to limit temperature setpoint or an interlock provided to address this hazard. If possible a larger operating temperature margin should have been employed.

4.2.3 Continuous Sulfonation Reaction Explosion

During the startup phase of a continuous system (3 CSTRs in series) for thesulfonation of an aromatic compound, a thermal explosion occurred in apump and recirculation line. Although the incident damaged the plant andinterrupted production, no personnel were injured.

Investigation revealed that, while recirculation of the reaction mass wasstarting up, the pump and the line became plugged. This problem was cor-rected and line recirculation was restarted. Four hours later the explosionoccurred, resulting in the blow-out of the pump seal, which was immediatelyfollowed by rupture of the recirculation line.

Investigation further revealed that during pipe cleanout some insulationhad been removed, leaving a portion of the line exposed and untraced. Thiscondition apparently led to slow solidification of the reaction mass and a dead-headed pump. Calculations based on pump data indicated that a temperatureof 6O0C above the processing temperature could be reached within 5 minutesafter dead-heading occurred. Previous studies had determined that the rate ofdecomposition is considerable at this temperature and that the total heat ofdecomposition (500 kcal/kg) is large (Quinn 1984).
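The "60°C within 5 minutes" figure above follows from a simple energy balance: with no flow, essentially all of the pump's shaft power is dissipated as heat into the small mass of liquid trapped in the casing and line, so the temperature climbs at a rate of P/(m·cp). The Python block below is an added worked example, not part of the guideline or of the Quinn (1984) analysis. It carries that balance through with assumed values for the shaft power, trapped mass and heat capacity (the text gives none), checks whether an assumed no-flow trip would act inside the heating window, and then uses the page's 500 kcal/kg heat of decomposition to show why that figure counts as large.

```python
"""Adiabatic heating of a dead-headed pump and adiabatic temperature rise
of a decomposition. Added worked example; every plant figure marked
ASSUMED is hypothetical and not taken from the source text."""

KCAL_TO_J = 4184.0


def heating_rate_k_per_s(shaft_power_w: float, trapped_mass_kg: float,
                         cp_j_per_kg_k: float) -> float:
    """Rate of temperature rise (K/s) when all shaft power goes into a
    trapped liquid mass with no flow and (conservatively) no heat loss."""
    if trapped_mass_kg <= 0 or cp_j_per_kg_k <= 0:
        raise ValueError("mass and heat capacity must be positive")
    return shaft_power_w / (trapped_mass_kg * cp_j_per_kg_k)


def time_to_rise_s(delta_t_k: float, shaft_power_w: float,
                   trapped_mass_kg: float, cp_j_per_kg_k: float) -> float:
    """Seconds until the trapped liquid is delta_t_k above its start."""
    return delta_t_k / heating_rate_k_per_s(shaft_power_w, trapped_mass_kg,
                                            cp_j_per_kg_k)


def adiabatic_rise_k(heat_of_decomp_kcal_per_kg: float,
                     cp_j_per_kg_k: float) -> float:
    """Adiabatic temperature rise if the whole heat of decomposition is
    released into the mass with no heat removal: dT_ad = Q / cp."""
    return heat_of_decomp_kcal_per_kg * KCAL_TO_J / cp_j_per_kg_k


def dead_head_margin_ok(delta_t_limit_k: float, detection_delay_s: float,
                        shaft_power_w: float, trapped_mass_kg: float,
                        cp_j_per_kg_k: float) -> bool:
    """True if a no-flow (dead-head) trip acting within detection_delay_s
    keeps the trapped liquid below delta_t_limit_k above process temperature."""
    return time_to_rise_s(delta_t_limit_k, shaft_power_w, trapped_mass_kg,
                          cp_j_per_kg_k) > detection_delay_s


if __name__ == "__main__":
    # ASSUMED plant figures (hypothetical): 15 kW shaft power, 50 kg of
    # reaction mass trapped between the dead-headed pump and the plug,
    # cp of 1800 J/(kg K). The source text gives no such data.
    power, mass, cp = 15_000.0, 50.0, 1800.0
    t60 = time_to_rise_s(60.0, power, mass, cp)
    print(f"60 K rise after {t60 / 60:.1f} min of dead-heading")
    print(f"adiabatic rise from 500 kcal/kg decomposition: "
          f"{adiabatic_rise_k(500.0, cp):.0f} K")
    # A no-flow trip must act well inside that window; the 60 s delay is ASSUMED.
    print("trip within 60 s adequate:",
          dead_head_margin_ok(60.0, 60.0, power, mass, cp))
```

With the assumed figures the trapped liquid gains 60 K in about six minutes, and the 500 kcal/kg heat of decomposition corresponds to an adiabatic rise of well over 1000 K, which is why the text treats a few minutes of dead-heading as sufficient to reach a dangerous decomposition rate.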

4.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 4 presents information on equipment failure scenarios and associated design solutions specific to reactors. The table heading definitions are provided in Chapter 3, section 3.3.

4.4 DISCUSSION

4.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 4 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

4.4.2 General Discussion

Reactors may be grouped into three main types: batch, semi-batch, and continuous.

In a batch reactor, all the reactants and catalyst (if one is used) are charged to the reactor first and agitated, and the reaction is initiated, with heat being added or removed as needed. In a semi-batch reactor, one of the reactants is first charged to the reactor, catalyst is also charged and the reactor contents are agitated, after which the other reactants and possibly additional catalyst are added at a controlled feed rate, with heat being added or removed as needed. In a continuous reactor all the reactants and catalyst (if one is used) are fed simultaneously to the reactor, and the products, side products, unconverted reactants, and catalyst leave the reactor simultaneously. In some continuous reactors, the catalyst is held stationary, either in tubes or occupying the entire cross-section of the vessel.

Batch and semi-batch reactors are used primarily where reaction rates are slow and require long residence times to achieve a reasonable conversion and yield. This often means large inventories and, if the contents are flammable, there is a potential for serious fires should a leak develop. Many of these reactors have agitators, and if there is an agitator failure (stoppage or loss of the impeller), some reactions can run away (Ventrone 1969; Lees 1996).

Heat removal is also a concern for batch or semi-batch reactors conducting exothermic reactions. Since the external jacket may not be adequate to remove the heat of reaction, it may be necessary to install an internal cooling coil as well, or an external heat exchanger with recirculation of the reactor contents. These additional items of heat transfer equipment increase the potential for leakage problems and may lead to a runaway if the coolant leaks into the reactants.

Continuous reactors are considered to be inherently safer than batch or semi-batch reactors as they usually have smaller inventories of flammable and/or toxic materials. Tubular reactors are generally used for gaseous reactions, but are also suitable for some liquid-phase reactions. Gas-phase reactors generally have lower inventories than liquid-phase continuous reactors of equal volume, and thus are usually inherently safer. Long, thin tubular reactors are safer than large batch reactors as the leak rate (should a leak occur) is limited by the cross-section area of the tube, and can be stopped by closing a remotely operated emergency isolation valve in the line (Kletz 1990). Continuous-flow stirred tank reactors (CSTR) are also considered to be inherently safer than batch reactors as they contain smaller amounts of flammable or toxic liquids. Since they are agitated, however, they have the same agitator failure hazard as batch reactors, and can experience runaways if this occurs. Exhibit 4.1 is a comparison of different types of reactors from the safety perspective (CCPS 1995).

EXHIBIT 4.1 Comparison of Different Reactor Types from the Safety Perspective

Plug Flow Reactor (PFR)

Advantages:
• Low inventory
• Stationary condition (steady state operation)

Disadvantages:
• Process dependency
• Potential for hot spots
• Agitation present only if in-line mixers are available
• Difficult to design

Continuous-Flow Stirred Tank Reactor (CSTR)

Advantages:
• Stationary condition (steady state operation)
• Agitation provides safety tool
• Streams may be diluted to slow reaction

Disadvantages:
• Large inventory
• Difficult to cool large mass
• Difficult start-up and shutdown aspects
• Precipitation problems

Batch

Advantages:
• Agitation provides safety tool

Disadvantages:
• Low throughput rate
• Large exotherm difficult to control
• Large inventory
• All materials present

Semi-Batch

Advantages:
• Controllable addition rate
• Agitation provides safety tool
• Large exotherm controllable

Disadvantages:
• Starting temperature is critical (if too low, reactants will accumulate)
• Precipitation problems

4.4.3 Special Considerations

Table 4 contains numerous design solutions derived from a variety of sources and actual situations. This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Overpressure due to Loss of Agitation (3)

Runaway reactions are often caused by loss of agitation in stirred reactors (batch, semi-batch, and CSTR) due to motor failure, coupling failure, or loss of the impeller. Agitation can be monitored by measuring the amperage or power drawn by the agitator drive. Nevertheless, this has its drawbacks, as the "measurement" of agitation takes place outside of the reactor, and sometimes, if the reactor contents are not viscous enough, the amperage or power draw will not reveal that the agitator impeller has fallen off or corroded away. Wilmot and Leong (1976) present a method of detecting agitation inside a reactor, which will detect the loss of the impeller by using an internal flow switch. The flow switch, or a similar in-vessel detection device, can be interlocked to cut off feed or catalyst being added to a semi-batch reactor or CSTR.

If agitation is critical to the operation of a batch, semi-batch, or CSTR reactor, then an independent, uninterruptible power supply backup for the agitator motor should be provided. Alternatively, some degree of mixing can be provided by sparging the reactor liquid with inert gas.

Failure of mechanical seals can act as a potential high-temperature source initiating vapor-phase ignition. Agitator mechanical seal failure is often caused by a lack of seal fluid, and results in release of flammable or toxic vapors from the reactor. A dry mechanical seal is now available which can sometimes be used to replace the older type of mechanical seals which required a liquid seal fluid. Dry mechanical seals use a gas such as air or nitrogen to provide the sealing barrier. If a liquid seal fluid is used, monitoring of the agitator mechanical seal fluid supply reservoir should be implemented. Monitoring can be done automatically, by installing a low-level switch and alarm in the seal fluid reservoir to alert the operator, or by administrative means such as requiring the operator to check the reservoir level on a regular schedule (e.g., once per shift) and recording the level on a log sheet.
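The point of the preceding paragraphs is that a drive-side signal (motor current or power) and an in-vessel signal (flow switch) fail in different ways, so an agitation interlock should not rest on the drive signal alone. The Python block below is an added illustration, not part of this guideline or of the Wilmot and Leong (1976) method: it evaluates one scan of hypothetical agitator signals (motor current, in-vessel flow switch, seal fluid reservoir low-level switch, feed valve state) and returns the interlock actions listed under item 3 of Table 4. The no-flow signal trips the feed even when the motor current looks normal, which is the impeller-loss case the text describes. Signal names, the current band, and the sample scans are assumed.

```python
"""Agitation-loss and seal-fluid interlock evaluator for a stirred
semi-batch reactor or CSTR. Added example; tag names, thresholds and the
sample scans below are ASSUMED, not taken from the source text."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AgitatorScan:
    """One scan of the signals the text discusses."""
    motor_amps: float          # drive-side: current drawn by agitator motor
    flow_switch_made: bool     # in-vessel flow switch sees liquid motion
    seal_reservoir_low: bool   # low-level switch on the seal fluid reservoir
    feed_open: bool            # reactant/catalyst feed valve currently open


# ASSUMED: normal running band for motor current at this batch stage.
AMPS_MIN, AMPS_MAX = 18.0, 40.0


def evaluate(scan: AgitatorScan) -> dict:
    """Return interlock actions for one scan.

    trip_feed:     close the reactant/catalyst feed valve.
    trip_agitator: stop the drive (Table 4 item 3: low agitation sensor,
                   low seal fluid, or abnormal drive).
    alarms:        operator alarms raised, in evaluation order.
    """
    alarms = []
    drive_abnormal = not (AMPS_MIN <= scan.motor_amps <= AMPS_MAX)
    if drive_abnormal:
        alarms.append("AGITATOR_POWER_ABNORMAL")

    # The in-vessel signal is authoritative for "is the batch being mixed":
    # a lost or corroded impeller in a low-viscosity batch leaves the drive
    # current near normal, so this branch must not require drive_abnormal.
    loss_of_agitation = not scan.flow_switch_made
    if loss_of_agitation:
        alarms.append("LOSS_OF_AGITATION")

    if scan.seal_reservoir_low:
        alarms.append("SEAL_FLUID_LOW")

    # Running a liquid-barrier seal dry is an ignition source in the vapour
    # space, so low seal fluid stops the drive.
    trip_agitator = scan.seal_reservoir_low or drive_abnormal or loss_of_agitation
    # Stopping the drive removes agitation, so feed is cut in the same scan
    # rather than waiting for the flow switch to drop out.
    trip_feed = scan.feed_open and (loss_of_agitation or trip_agitator)
    return {"trip_feed": trip_feed, "trip_agitator": trip_agitator,
            "alarms": alarms}


# Constructed scans (ASSUMED) illustrating the cases discussed in the text.
NORMAL = AgitatorScan(27.5, True, False, True)
IMPELLER_LOST = AgitatorScan(26.0, False, False, True)   # amps look normal
MOTOR_STOPPED = AgitatorScan(0.0, False, False, True)
SEAL_DRY = AgitatorScan(27.0, True, True, True)

if __name__ == "__main__":
    for name, scan in [("normal", NORMAL), ("impeller lost", IMPELLER_LOST),
                       ("motor stopped", MOTOR_STOPPED), ("seal dry", SEAL_DRY)]:
        print(f"{name:14s} -> {evaluate(scan)}")
```

The IMPELLER_LOST scan is the case the text warns about: the motor current sits inside its normal band, so an amperage-only interlock would do nothing, while the in-vessel flow switch cuts the feed.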

Overpressure due to Addition of Incorrect Reactant (5)

The addition of a wrong reactant can result in a runaway reaction. To minimize this error, the following measures can be taken:

• Provide dedicated feed tanks (for liquids) or feed hoppers (for solids) for batch reactors.

• Have two operators check the drums or bags of reactants before they are added, and then sign off on a log sheet.

• Properly color-code and label all process lines so the operators know what is in them.

If the risk of adding an incorrect reactant is still present, further protective measures can be implemented, such as providing a temperature sensor to monitor the reaction and shut off a valve in the feed line upon detection of an abnormal temperature rise or rate of temperature rise.

Overpressure due to Inactive/Semi-Active or Wrong Catalyst Addition (8)

The addition of a semi-active or wrong catalyst to a reactor may result in a runaway either in the reactor or in downstream equipment. If the catalyst is fed continuously or at a controlled rate to a semi-batch reactor, protection can be provided by installing a temperature sensor in the reactor, interlocked with an isolation valve in the reactant feed line, which will shut the valve when the sensor detects an abnormal temperature rise. The temperature sensor could also be interlocked with a valve to stop the catalyst feed. Administrative controls, such as procedures for verifying catalyst identity and activity, can also be applied.
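Items (5) and (8) above end in the same protection layer: a reactor temperature sensor interlocked to a shutoff valve in the reactant (or catalyst) feed line, tripping on an abnormal temperature or an abnormal rate of temperature rise. The Python block below is an added illustration of that interlock, not code from the guideline. It keeps a short window of timestamped readings, trips on either an absolute high temperature or a rate of rise fitted over the whole window (so one glitched sample does not trip it where a two-point difference would), and latches the trip until reset. The trip limits, window length and sample series are assumed; in practice the margin between the trip point and the runaway onset temperature would come from the exotherm study the 4.2.2 Ed. Note calls for.

```python
"""High-temperature / rate-of-rise feed shutoff interlock for a semi-batch
reactor (Table 4 items 5 and 8). Added example; limits and the sample
series are ASSUMED, not taken from the source text."""
from collections import deque
from typing import Optional, Tuple


class FeedTempInterlock:
    """Trips (closes) the feed valve on high temperature or high dT/dt.

    Readings are (time_s, temp_c). The rate is the least-squares slope over
    the retained window, which tolerates a single bad sample better than a
    two-point difference. The trip latches until reset() is called.
    """

    def __init__(self, t_high_c: float, rate_high_c_per_min: float,
                 window_s: float = 60.0, min_samples: int = 3):
        self.t_high_c = t_high_c
        self.rate_high_c_per_min = rate_high_c_per_min
        self.window_s = window_s
        self.min_samples = min_samples
        self._readings: deque = deque()
        self.tripped = False
        self.trip_reason: Optional[str] = None

    def rate_c_per_min(self) -> Optional[float]:
        """Slope of temperature vs time over the window, or None if too few."""
        pts = list(self._readings)
        if len(pts) < self.min_samples:
            return None
        n = len(pts)
        mean_t = sum(t for t, _ in pts) / n
        mean_y = sum(y for _, y in pts) / n
        sxx = sum((t - mean_t) ** 2 for t, _ in pts)
        if sxx == 0.0:
            return None
        sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
        return 60.0 * sxy / sxx

    def update(self, time_s: float, temp_c: float) -> bool:
        """Ingest one reading; return True if the feed valve must be closed."""
        self._readings.append((time_s, temp_c))
        while self._readings and time_s - self._readings[0][0] > self.window_s:
            self._readings.popleft()
        if self.tripped:
            return True
        if temp_c >= self.t_high_c:
            self.tripped, self.trip_reason = True, "HIGH_TEMP"
        else:
            rate = self.rate_c_per_min()
            if rate is not None and rate >= self.rate_high_c_per_min:
                self.tripped, self.trip_reason = True, "HIGH_RATE"
        return self.tripped

    def reset(self) -> None:
        self.tripped, self.trip_reason = False, None
        self._readings.clear()


def run_series(series, **limits) -> Tuple[Optional[float], Optional[str]]:
    """Feed a (time_s, temp_c) series through a fresh interlock; return the
    time of the trip and its reason, or (None, None) if it never trips."""
    ilk = FeedTempInterlock(**limits)
    for t, temp in series:
        if ilk.update(t, temp):
            return t, ilk.trip_reason
    return None, None


# Constructed series (ASSUMED). Operating temperature 80 C; trip limits set
# at 95 C absolute and 6 C/min rate of rise, both below an assumed onset.
STEADY = [(i * 10.0, 80.0 + (0.2 if i % 2 else -0.2)) for i in range(12)]
CREEP = [(i * 10.0, 80.0 + 0.5 * i) for i in range(40)]   # 3 C/min, reaches 95 C
SPIKE = [(i * 10.0, 80.0) for i in range(6)] + [(60.0, 84.0), (70.0, 80.1), (80.0, 80.0)]
RUNAWAY = [(0.0, 80.0), (10.0, 80.5), (20.0, 81.5), (30.0, 83.5),
           (40.0, 86.5), (50.0, 90.5)]

if __name__ == "__main__":
    for name, s in [("steady", STEADY), ("creep", CREEP), ("spike", SPIKE),
                    ("runaway", RUNAWAY)]:
        print(name, run_series(s, t_high_c=95.0, rate_high_c_per_min=6.0))
```

The four constructed series show the two trip paths: a slow creep trips on the absolute limit when it reaches 95°C, an accelerating rise trips on rate well before the absolute limit, a single 4°C glitch (which a two-point derivative would read as 24°C/min) is ridden through, and steady operation never trips.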

Overpressure due to Monomer Emulsion Feed Breaking during Feed Leading to a Runaway Reaction (12)

In some semi-batch emulsion polymerization processes, a mixture of monomers emulsified in water is fed from an agitated storage tank to the reactor. If the monomer emulsion feed breaks into separate oil and water phases, the potential exists for a runaway reaction in the oil (bulk monomer) phase without the heat sink provided by the water. To guard against this, the monomer emulsion feed can be sampled to determine that it remains stable to separation for a predetermined period of time without agitation before the feed is begun.

4.5 REFERENCES

CCPS 1995. Guidelines for Chemical Reactivity Evaluation and Application to Process Design. New York: American Institute of Chemical Engineers.

Kletz, T. A. 1990. Critical Aspects of Safety and Loss Prevention, p. 265. London: Butterworth & Co. Ltd.

Kletz, T. A. 1994. What Went Wrong: Case Histories of Process Plant Disasters. 3d ed., pp. 309-310. Houston, TX: Gulf Publishing Co.

Lees, F. P. 1996. Loss Prevention in the Process Industries. 2d ed. Woburn, MA: Butterworth Inc.

Quinn, M. E., Weir, E. D., and Hoppe, T. F. 1984. IChemE Symposium Series, no. 85: 31-39.

Tong, W. R., Seagrave, R. L., and Wiederhorn, R. 1977. Loss Prevention Manual. 11: 71-75. New York: American Institute of Chemical Engineers.

Ventrone, T. A. 1969. Loss Prevention Manual. Vol. 3, pp. 41-44. New York: American Institute of Chemical Engineers.

Wilmot, D. A. and Leong, A. P. 1976. Another Way to Detect Agitation. Loss Prevention Manual. Vol. 10, pp. 19-22. New York: American Institute of Chemical Engineers.

Suggested Additional Reading

CCPS 1993. Problem Set for Kinetics, Problem 16, Prepared for SACHE. New York: American Institute of Chemical Engineers.

CCPS 1995. Guidelines for Process Safety Fundamentals in General Plant Operations. New York: American Institute of Chemical Engineers.

Benuzzi, A., and Zaldivar, J. M. (eds.). 1991. Safety of Chemical Batch Reactors and Storage Tanks. Norwell, MA: Kluwer Academic Publishers.

Burton, J. and Rogers, R. 1996. Chemical Reaction Hazards, 2d ed. London, UK: Institution of Chemical Engineers.

DIERS 1994. Risk Considerations for Runaway Reactions. Design Institute of Emergency Relief Systems. New York: American Institute of Chemical Engineers.

Gygax, R. W. 1988. Chemical Reaction Engineering for Safety. Chemical Engineering Science, 43(8), 1759-1771.

Gygax, R. W. 1990. Scaleup Principles for Assessing Thermal Runaway Risks. Chemical Engineering Progress, February 1990, 53-60.

International Symposium on Runaway Reactions. 1989. Cooling Capacities of Stirred Vessel, Unstirred Container, Insulated Storage Tank, Uninsulated 1 cu meter Silo, Uninsulated 25 cu meter Silo: 65. Sponsored by CCPS, IChemE and AIChE, Cambridge, MA.

Maddison, N., and Rogers, R. L. 1994. Chemical Runaways: Incidents and Their Causes. Chemical Technology Europe, November/December, 28-31.

Noronha, J., Merry, J., Reid, W., and Schiffhauser, E. 1982. Deflagration Pressure Containment for Vessel Safety Design. Plant/Operations Progress, 1(1), 1-6.

Noronha, J., and Torres, A. 1990. Runaway Risk Approach Addressing Many Issues: Matching the Potential Consequences with Risk Reduction Methods. Proceedings of the 24th Loss Prevention Symposium, AIChE National Meeting, San Diego, CA.

Wier, E., Gravenstine, G. and Hoppe, T. 1986. Thermal Runaways: Problems with Agitation. Loss Prevention Symposium, Paper 830: 142.

TABLE 4. FAILURE SCENARIOS FOR REACTORS

Each entry gives the item number, the Operational Deviation, the Failure Scenario, and the Potential Design Solutions grouped as Inherently Safer/Passive, Active, and Procedural.

No. 1
Operational Deviation: Overpressure (Batch, Semi-batch, and Plug Flow Reactors)
Failure Scenario: Overcharge of catalyst resulting in runaway reaction
Inherently Safer/Passive:
• Use dedicated catalyst charge tank sized to hold only the amount of catalyst needed
• Vessel design accommodating maximum expected pressure
• Use different type of reactor
Active:
• Emergency relief device
• Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Automatic addition of diluent, poison, or short-stopping agent directly to reactor
• Limit quantity of catalyst added by flow totalizer
Procedural:
• Procedural controls on the amount or concentration of catalyst to be added
• Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Manual addition of diluent, poison, or short-stopping agent directly to reactor
• Intermediate location for pre-weighed catalyst charges

No. 2
Operational Deviation: Overpressure (Batch and Semi-batch Reactors)
Failure Scenario: Addition of a reactant too rapidly resulting in runaway reaction
Inherently Safer/Passive:
• Limit delivery capacity of feed system to within safe feed rate limitations (e.g., screw feeder for solids or flow orifice for liquids)
• Vessel design accommodating maximum expected pressure
• Select feed system pressure characteristic so that feed cannot continue at reactor overpressure
• Use different type of reactor
Active:
• Temperature or pressure sensor interlocked to a shutoff valve in the feed line
• Emergency relief device
• Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Automatic addition of diluent, poison, or short-stopping agent directly to reactor
• High flow shutdown alarm and interlock
Procedural:
• Manual addition of diluent, poison, or short-stopping agent directly to reactor
• Manual shutdown on high flow alarm
• Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Procedural controls on concentration of reactants

No. 3
Operational Deviation: Overpressure (Batch, Semi-batch and CSTR Reactors)
Failure Scenario: Loss of agitation resulting in runaway reaction, or hot bearing/seals causing ignition of flammables in vapor space
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
• Use different type of reactor (plug flow)
• Alternative agitation methods (e.g., external circulation eliminates shaft seal as a source of ignition in vapor space)
Active:
• Agitator power consumption or rotation indication interlocked to cut off feed of reactants or catalyst or activate emergency cooling
• Uninterruptible power supply backup to motor
• Emergency relief device
• Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Inerting of vapor space
• Provide nitrogen buffer zone around seal using enclosure around seal
• Automatic agitator trip on low agitation (velocity) sensor, low seal fluid, or low shaft speed
Procedural:
• Operators to visually check mechanical seal fluid on regular basis
• In-vessel agitation (velocity) sensor with alarm
• Mechanical seal fluid reservoir low level sensor with alarm
• Speed or vibration sensor with alarm
• Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Manual activation of inert gas sparging of reactor liquid to effect mixing

No. 4
Operational Deviation: Overpressure (Batch and Semi-batch Reactors)
Failure Scenario: Overcharge or overfeed of reactant resulting in runaway reaction
Inherently Safer/Passive:
• Use of dedicated reactant charge tank sized only to hold amount of reactant needed
• Vessel design accommodating maximum expected pressure
• Use of continuous reactor
Active:
• Emergency relief device
• Reactant feed charge interlocked via feed totalizer or weight comparison in charge tank
• Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Automatic addition of diluent, poison, or short-stopping agent directly to reactor
Procedural:
• Manual feed charge shutdown via indication from feed totalizer or weight comparison in charge tank
• Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Procedures to shut down feed based on indication of unexpected reaction progress

No. 5 (T)
Operational Deviation: Overpressure
Failure Scenario: Addition of incorrect reactant resulting in runaway reaction
Inherently Safer/Passive:
• Use of dedicated feed tank and reactor for production of one product
• Vessel design accommodating maximum expected pressure
• Elimination of cross-connections
• Use of dedicated hoses and incompatible couplings for reactants where hose connections are used
Active:
• Emergency relief device
• Automatic feed shutdown based on detection of unexpected reaction progress (i.e., abnormal heat balance)
Procedural:
• Procedure for double checking reactant identification and quality
• Dedicated storage areas/unloading facilities for reactants

No. 6
Operational Deviation: Overpressure
Failure Scenario: Loss of cooling resulting in runaway reaction
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
• Use of large inventory of naturally circulating, boiling coolant to accommodate exotherm
Active:
• Low coolant flow or pressure, or high reactor temperature, to actuate secondary cooling medium via separate supply line (e.g., city water or fire water)
• Automatic isolation of feed on detection of loss of cooling
• Emergency relief device
• Pressure or temperature sensors actuating bottom discharge valve to drop batch into a dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area (This approach may not be effective for systems such as polymerization reactions where there is a significant increase in viscosity.)
• Automatic addition of diluent, poison, or short-stopping agent directly to reactor
Procedural:
• Manual activation of secondary cooling system
• Manual activation of bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
• Manual addition of diluent, poison, or short-stopping agent directly to reactor

No. 7
Operational Deviation: Overpressure
Failure Scenario: Overactive and/or wrong catalyst results in runaway reaction
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
• Use prediluted catalyst
Active:
• Emergency relief device
• Automatic isolation of catalyst and/or feed based on detection of unexpected reaction rate (i.e., abnormal heat balance)
• Pressure or temperature sensors actuating bottom discharge valve to drop batch into dump tank with diluent, poison, or short-stopping agent, or to an emergency containment area
Procedural:
• Passivate fresh catalyst prior to use
• Procedures for testing and verification of catalyst activity and identification
• Manual isolation of catalyst and/or feed based on detection of unexpected reaction rate
• Manual addition of diluent, poison, or short-stopping agent directly to reactor

No. 8 (T)
Operational Deviation: Overpressure
Failure Scenario: Inactive and/or wrong catalyst leading to delayed runaway reaction in reactor or downstream vessel
Inherently Safer/Passive:
• Reactor or downstream vessel design accommodating maximum expected pressure
Active:
• Emergency relief device
• Automatic isolation of catalyst and/or feed based on detection of unexpected reaction rate (i.e., abnormal heat balance)
Procedural:
• Procedures for testing and verification of catalyst activity and identification
• Manual isolation of catalyst and/or feed based on detection of unexpected reaction rate

No. 9
Operational Deviation: Overpressure
Failure Scenario: Underfeed of diluent resulting in insufficient heat sink
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
Active:
• Automatic feed isolation on detection of low diluent addition
• Automatic isolation of feed based on detection of unexpected reaction rate (i.e., abnormal heat balance)
Procedural:
• Manual feed isolation on detection of low diluent addition
• Manual isolation of feed based on detection of unexpected heat balance

No. 10
Operational Deviation: Overpressure (Batch and Semi-batch)
Failure Scenario: Reactants added in incorrect order
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
Active:
• Sequence control via programmable logic controller
• Interlock shutdown of reactant addition based on detection of mis-sequencing
• Automatic isolation of feed based on detection of unexpected reaction progress (i.e., abnormal heat balance)
Procedural:
• Manual isolation of feed based on detection of unexpected reaction progress
• Manual isolation of feed based on indication of mis-sequencing

No. 11
Operational Deviation: Overpressure
Failure Scenario: External fire initiates runaway reaction
Inherently Safer/Passive:
• Fireproof insulation (reduced heat input)
• Slope-away grading under reactor to remote spill collection
• Locate reactor outside of fire affected zone
Active:
• Automatically activated fixed fire protection: water spray (deluge) and/or foam systems
• Emergency relief device
• Automatic reactor dump to dump tank with diluent, poison, or short-stopping agent
• Automatic injection of diluent, poison, or short-stopping agent into reactor
Procedural:
• Manual activation of fixed fire protection
• Manual reactor dump to dump tank with diluent, poison, or short-stopping agent
• Manual injection of diluent, poison, or short-stopping agent into reactor

No. 12 (T)
Operational Deviation: Overpressure
Failure Scenario: Feed of monomer emulsion breaks into a separate oil phase on top of a water phase while being fed to the reactor, leading to runaway reaction
Inherently Safer/Passive:
• Vessel design accommodating the maximum pressure arising from runaway reaction of bulk (non-emulsified) monomer phase
• Static mixer ahead of reactor
Active:
• Emergency relief device
• Automatic feed shut-off or dumping on change of heat balance
Procedural:
• Operator samples the monomer emulsion feed and observes that the sample is stable without agitation for a predetermined length of time before feed is begun
• Manual feed shut-off or dumping on change of heat balance

No. 13
Operational Deviation: Overpressure
Failure Scenario: High reactor temperature due to failure of heating system initiates runaway reaction
Inherently Safer/Passive:
• Limit temperature of heating media
• Vessel design accommodating maximum expected pressure
Active:
• Emergency relief device
• Automatic depressuring
• Automatic injection of inhibitor
• Automatic isolation of heating media or feed
• Emergency cooling
Procedural:
• Manual dumping of reactor contents
• Manual injection of inhibitor
• Manual isolation of heating media or feed

No. 14
Operational Deviation: High Temperature (Continuous Packed Bed or Packed Tube Reactors)
Failure Scenario: Hot spot develops in catalyst, exposing vessel wall to high temperature and potential mechanical failure or initiation of runaway reaction
Inherently Safer/Passive:
• Use alternative reactor design (e.g., fluid bed)
• Use multiple small diameter beds to reduce maldistribution
• Minimize reactor head space volume to reduce residence time (partial oxidation reactors) and mitigate autoignition
Active:
• High temperature sensors interlocked to shut down reactor
• Automatic depressuring based on detection of high bed temperatures or low flow
• Automatic introduction of quench fluid into packed bed or tubes based on detection of high local temperature
Procedural:
• Manual shutdown of reactor upon detection of high temperature in bed
• Monitoring of exterior wall temperature with infrared optical detection system
• Manual depressuring based on detection of high bed temperature
• Manual introduction of quench fluid into packed bed or tubes on detection of high local temperature
• Procedures for packing tubes to ensure uniformity of catalyst filling

No. 15
Operational Deviation: Reverse Flow
Failure Scenario: Reactor contents inadvertently admitted to upstream feed vessel resulting in runaway reaction
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
• Provide positive displacement feed pump instead of centrifugal pump
• Elevate feed vessel above reactor, with emergency relief device on reactor set below feed vessel minimum operating pressure
Active:
• Provide check valve(s) in feed line
• Automatic closure of isolation valve(s) in feed line on detection of low or no flow, or reverse pressure differential, in feed line
• Emergency relief device on feed vessel or feed line
Procedural:
• Manual closure of isolation valve(s) in feed line on detection of low or no flow in feed line

No. 16
Operational Deviation: Wrong Composition
Failure Scenario: Contamination from leakage of heating/cooling media or introduction of other foreign substances (e.g., corrosion)
Inherently Safer/Passive:
• Use heat transfer fluid that does not react with process fluid
• Vessel design accommodating maximum expected pressure
• Use jacket rather than internal coil for heat transfer
• Upgrade metallurgy or use resistant liner
• Heat transfer loop pressure lower than process pressure
Active:
• Emergency relief device
Procedural:
• Periodic testing of process fluid for contamination
• Procedures for leak/pressure testing of jacket, coil or heat exchanger prior to operation
• Procedure for testing liner with continuity meter

No. 17
Operational Deviation: Wrong Composition
Failure Scenario: Incomplete reaction due to insufficient residence time, low temperature, etc., leading to unexpected reaction in subsequent processing steps (in reactor or downstream vessel)
Inherently Safer/Passive:
• Reactor or downstream vessel design accommodating maximum expected pressure
Active:
• Automatic feed isolation based on detection of low reactor temperature
• Automatic feed isolation based on continuous on-line reactor composition monitoring
Procedural:
• Manual feed isolation based on detection of low reactor temperature
• Manual feed isolation based on continuous on-line reactor composition monitoring or "grab" sampling

SMASS TRANSFER EQUIPMENT

5.1 INTRODUCTION

This chapter presents potential failure mechanisms for mass transfer equip-ment and suggests design alternatives for reducing the risks associated withsuch failures. The types of mass transfer operations covered in this chapterinclude:

• Absorption• Adsorption• Extraction• Distillation• Scrubbing• Stripping• Washing

This chapter presents only those failure modes that are unique tomass transfer equipment. Many of the generic failure modes presented inChapter 3 may also apply to vessels used for mass transfer. Mass transferequipment failure may also result from disturbances in heat transfer processesin associated ancillary equipment. Refer to Chapter 6, Heat Transfer Equip-ment, for failures associated with heat transfer equipment. Unless specificallynoted, the failure scenarios apply to more than one class of mass transferequipment.

5.2 PAST INCIDENTS

This section describes past incidents that illustrate hazard scenarios involvingmass transfer equipment.

5.2. / Dfsti7/ation Column Critical Concentration

In 1969 an explosion occurred in a butadiene recovery unit at Texas City. Thelocation of the center of the explosion was found to be the lower tray section ofthe butadiene refining (final purification) column. The butadiene unit recov-ered byproduct butadiene from a crude C4 stream. The overhead of the refin-ing column was a high-purity butadiene product. The heavy components ofthe feed stream, including vinylacetylene (VA), were removed as a bottomsproduct. The bottoms vinylacetylene concentration was normally maintainedat about 35%. Explosibility tests had indicated that VA concentrations as highas 50% were stable at operating conditions. Highly concentrated VA decom-poses rapidly on exposure to high temperature.

When the butadiene unit was shut down to undertake necessary repairs,the refining column was placed on total reflux. The refining column explosionoccurred approximately 9 hours after it was placed on total reflux. This opera-tion had been performed many times in the past without incident. The opera-tors did not observe anything unusual about this particular switch over to totalreflux. Subsequent examination of the records indicated that the column hadbeen slowly losing material through a closed but leaking valve in the columnoverhead line. As a result, reflux and reboiler steam flow continued to fallslowly throughout the shutdown period.

Loss of butadiene through the leaking valve resulted in substantialchanges in tray composition in the lower section of the column. The concen-tration of vinylacetylene in the tray liquid in the vicinity of the tenth trayapparently doubled to an estimated 60%. The loss of liquid level in the base ofthe column uncovered the reboiler tubes, allowing the tube wall temperatureto approach the temperature of the steam supply. The combination ofincreased vinylacetylene concentration and high tube wall temperature led tothe decomposition of VA and set the stage for the explosion that followed(Jarvis 1971; Freeman 1971; Keister 1971). See item 16 in Table 5 for poten-tial design solutions.

5.2.2 Ethylene Purifier Vessel Rupture

Ethylene was purified in a bed containing 13X molecular sieve. The bedwas regenerated using hydrogen-methane gas at 26O0C, then flow purgedwith nitrogen. The temperature was allowed to drop to 17O0C, then the bedwas pressurized with nitrogen. Ethylene was then introduced into the bed,and nitrogen displaced.

The temperature in the bed was not being measured, but a temperaturesensor was located 20 inches above the bed. After 7 hours of operation (pre-loading) with the bed open to a line pressure of 280-295 psig, the bed tern-

perature had dropped to 13O0C. A small flow was then started off the top withethylene going in at the bottom. The bed temperature rose to 18O0C in 31^hours and over the next 4 hours the flow was adjusted to maintain this tem-perature. Shortly afterwards the shell ruptured, creating a longitudinal % inchby 32 inch hole. The gas caught fire immediately and burned for 25 to 30 min-utes. The fire was not controlled because high temperature prevented the inletvalves from being closed; all the gas up to the closed feed valve at the gas plantwas burned.

The principal cause of this incident was the failure to measure tempera-tures in the bed during regeneration and preloading with ethylene. Sieve 13Xis a polymerization catalyst. Due to its large pore size, 13X also adsorbs ethyl-ene and releases heat. The temperature measured above the bed gave no indi-cation of the temperature anywhere within the bed, where these exothermicprocesses would occur. Even though the pressure of ethylene involved in thisincident was unusually low (280 psig), evidently there was enough potential(via adsorption and polymerization) to generate the temperature required tocause thermal failure of the vessel. Had the bed temperature been comprehen-sively measured, any shortcomings in the purging and preloading procedureswould have become apparent in time to take action. Such temperature meas-urement should be done via fast-acting thermocouples distributed throughoutthe bed and not via thermocouples mounted in heavy thermowells locatednear the walls, since the sieves are effective thermal insulators (Britton 1994).See items 8, 12 and 15 in Table 5 for potential design solutions.

5.2.3 Ignition of Pyrophoric Materials in Gasoline Fractionator

During a shutdown for maintenance, a gasoline fractionator in an olefins unit was readied for internal entry. After purging, the tower manways were removed and air ventilation begun. Shortly thereafter an exothermic process started in the packed section of the tower, resulting in severe overheating of the tower. The heat release rate grew so quickly that corrective action, such as applying cooling, was not effective in avoiding excessive temperature. The tower, which glowed a dull red during the incident, sustained extensive damage. Tower damage included buckled packing supports, fused packing, and visible distortion of the tower shell.

The cause of the incident was determined to be the ignition of a pyrophoric material that accumulated during the fractionation process. This material was distributed over the large surface area of the tower packing, which promoted a high combustion rate upon contact with air. Such incidents have since been avoided by the performance of proper purging and washout procedures prior to opening the vessel. Note that spontaneous combustion can also occur with non-pyrophoric materials.

5.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 5 presents information on equipment failure scenarios and associated design solutions specific to mass transfer equipment. The table heading definitions are provided in Chapter 3, section 3.3.

5.4 DISCUSSION

5.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 5 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

5.4.2 Special Considerations

This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Line Blockage by Internals (1)

During process upsets, the internals in mass transfer vessels may dislodge and be displaced into process lines where they create blockages. Such blockages can cause vessel pressure to increase, possibly to the relief device set pressure. Of particular concern is the possibility of internals lodging in the inlet piping of the relief device, thus impairing overpressure protection. This may result in a pressure condition that exceeds acceptable limits.

The first level of protection is to design supports and hold down grids to withstand fluctuations in differential pressure. Screens can be installed to prevent large pieces of internals from entering lines. For packings that are susceptible to abrasion, duplex filters supplied with differential pressure indication can be employed.

Pressure relief devices should be located upstream of potential blockage points. For example, the inlet to a pressure safety valve (PSV) should be placed below the mist eliminator in the top of a column if severe fouling of the mist eliminator is possible.

Packing/Tray Blockage (2)

Mass transfer equipment internals are susceptible to blockage due to process pressure and flow fluctuations or fouling material. When fouling conditions are encountered, a possible solution is to place chevron-type baffles or large-hole sieve trays where the most severe fouling is expected.

Hazards with Adsorbers (5, 7, 9, 11, 12, 13, 15)

Adsorption systems, such as dehydrators and purifiers, often require periodic regeneration with high temperature steam or gas. Should the process stream be reintroduced before the system is sufficiently cold, a hazardous situation could result. For example, an ignition hazard would exist if air containing organic vapor was prematurely introduced to a hot activated carbon bed. Another possibility is that an exothermic reaction will be initiated. The use of programmable logic controllers (PLC) for automatically switching adsorption beds into and out of regeneration can reduce the risk of human error, at the expense of control system complexity.

When exothermic reaction potential exists, it is possible to generate high localized vessel wall temperatures. This can result in an effective maximum allowable working pressure (MAWP) for the vessel being lower than the set pressure of the pressure safety valve, with potential for vessel rupture. In such cases, some means to reduce vessel wall stress or quench the reaction is needed. Options include automatic emergency depressurization, injecting inert gas, or flooding with a compatible liquid.
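As an added illustration that is not part of the guideline, the following Python sketch contrasts the single above-bed sensor of the ethylene purifier case history with distributed in-bed thermocouples feeding a 1-out-of-N interlock of the kind listed under items 7 and 15 of Table 5 (isolate feed on high bed temperature, then automatic depressuring). The setpoints, scan interval and temperature histories are constructed for the example, not taken from the incident.

```python
"""Multi-point adsorber bed temperature interlock (added illustration).

Setpoints, scan interval and all temperature histories below are constructed
for this example; they are not data from the incident or from the guideline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed setpoints (illustrative only).
HIGH_TEMP_ALARM_C = 160.0     # operator alarm, procedural response
HIGH_TEMP_TRIP_C = 200.0      # interlock: isolate feed (Table 5, items 7 and 15)
HIGH_HIGH_TRIP_C = 240.0      # interlock: automatic depressuring / inerting / flooding
RATE_TRIP_C_PER_MIN = 5.0     # rate-of-rise trip, acts before the absolute limit is reached

SEVERITY = {"NORMAL": 0, "ALARM": 1, "ISOLATE_FEED": 2, "DEPRESSURE": 3}


@dataclass(frozen=True)
class InterlockDecision:
    action: str               # one of the SEVERITY keys
    sensor: Optional[str]     # thermocouple that caused the decision, if any
    reason: str


def classify(sensor: str, temp_c: float, rate_c_per_min: float) -> InterlockDecision:
    """Apply the trip logic to one thermocouple reading."""
    if temp_c >= HIGH_HIGH_TRIP_C:
        return InterlockDecision("DEPRESSURE", sensor, f"{temp_c:.0f} C >= {HIGH_HIGH_TRIP_C:.0f} C")
    if temp_c >= HIGH_TEMP_TRIP_C:
        return InterlockDecision("ISOLATE_FEED", sensor, f"{temp_c:.0f} C >= {HIGH_TEMP_TRIP_C:.0f} C")
    if rate_c_per_min >= RATE_TRIP_C_PER_MIN:
        return InterlockDecision("ISOLATE_FEED", sensor, f"rising {rate_c_per_min:.1f} C/min")
    if temp_c >= HIGH_TEMP_ALARM_C:
        return InterlockDecision("ALARM", sensor, f"{temp_c:.0f} C >= {HIGH_TEMP_ALARM_C:.0f} C")
    return InterlockDecision("NORMAL", None, "within limits")


def evaluate_sample(histories: Dict[str, List[float]], idx: int, sample_min: float) -> InterlockDecision:
    """1-out-of-N voting across all thermocouples at scan idx: the worst sensor decides,
    so a single hot spot is enough to trip. Rate of rise uses the previous scan."""
    worst = InterlockDecision("NORMAL", None, "within limits")
    for sensor, temps in histories.items():
        rate = (temps[idx] - temps[idx - 1]) / sample_min if idx > 0 else 0.0
        decision = classify(sensor, temps[idx], rate)
        if SEVERITY[decision.action] > SEVERITY[worst.action]:
            worst = decision
    return worst


def first_trip_index(histories: Dict[str, List[float]], sample_min: float) -> Optional[int]:
    """Index of the first scan at which the interlock takes automatic action, or None."""
    n_scans = min(len(t) for t in histories.values())
    for idx in range(n_scans):
        if SEVERITY[evaluate_sample(histories, idx, sample_min).action] >= SEVERITY["ISOLATE_FEED"]:
            return idx
    return None


SAMPLE_MIN = 2.0   # constructed scan interval, minutes

# Constructed histories in degrees C, one value per scan. TC-3 sits in the bed interior
# where adsorption heat and polymerization concentrate; the other in-bed points warm slowly.
IN_BED = {
    "TC-1 top":    [130, 131, 132, 133, 134, 135, 136],
    "TC-2":        [130, 130, 131, 131, 132, 132, 133],
    "TC-3 middle": [131, 138, 150, 168, 190, 215, 245],
    "TC-4":        [130, 132, 135, 140, 146, 153, 161],
    "TC-5 bottom": [130, 130, 130, 131, 131, 131, 132],
}
# The single sensor above the bed only sees effluent gas, with the insulating sieve
# mass between it and the hot spot, so it barely moves over the same scans.
ABOVE_BED_ONLY = {"above bed": [118, 118, 119, 119, 120, 121, 123]}


if __name__ == "__main__":
    for label, histories in (("in-bed thermocouples", IN_BED), ("above-bed sensor only", ABOVE_BED_ONLY)):
        print(f"== {label} ==")
        for idx in range(len(next(iter(histories.values())))):
            d = evaluate_sample(histories, idx, SAMPLE_MIN)
            print(f"t={idx * SAMPLE_MIN:4.0f} min  {d.action:<12} {d.sensor or '-':<12} {d.reason}")
        trip = first_trip_index(histories, SAMPLE_MIN)
        print("first automatic action:", "none" if trip is None else f"scan {trip} (t={trip * SAMPLE_MIN:.0f} min)")
```

With the constructed data the in-bed rate-of-rise check isolates feed at the third scan, well before the absolute limit is reached, while the above-bed sensor alone never leaves the normal band.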

5.5 REFERENCES

Britton, L.G. 1994. Loss Case Histories in Pressurized Ethylene Systems. Process Safety Progress, Vol. 13, No. 3.

Freeman, R.H. and McCready, M.P. 1971. Butadiene Explosion at Texas City-2, Plant Safety & Loss Prevention, Vol. 5.

Jarvis, H.C. 1971. Butadiene Explosion at Texas City-1, Plant Safety & Loss Prevention, Vol. 5.

Keister, R.G., et al. 1971. Butadiene Explosion at Texas City-3, Plant Safety & Loss Prevention, Vol. 5.

Suggested Additional Reading

Akell, R. B. 1981. Safety Aspects of Activated Carbon Technology, Chap. 10 in Activated Carbon for Wastewater Treatment, ed. J.R. Perrich. Boca Raton, FL: CRC Press, Inc.

TABLE 5. FAILURE SCENARIOS FOR MASS TRANSFER EQUIPMENT

No. 1 (T)
Operational Deviation: Overpressure
Failure Scenario: Migration of internals into lines resulting in blockages
Potential Design Solutions
Inherently Safer/Passive:
• Design support grids and hold down grids to minimize internal migration
• Vessel design accommodating maximum supply pressure
• Large surface area screens to avoid entrance of internals into lines
Active:
• Emergency relief device (e.g., upstream of potential blockage point)
• Differential pressure indication and automatic shutdown
Procedural:
• Differential pressure indication and manual shutdown with instructions to inspect vessel

No. 2 (T)
Operational Deviation: Overpressure
Failure Scenario: Blockage of packing/trays leading to excessive pressure in column
Potential Design Solutions
Inherently Safer/Passive:
• Select and design internals to minimize blockage and fouling
• Use of vessel without internals (e.g., spray tower)
• Vessel design accommodating maximum supply pressure
Active:
• Emergency relief device upstream of potential blockage device
• Automatic shutdown on high pressure
Procedural:
• Differential pressure indication and instructions to shutdown and inspect vessel
• On-line wash to eliminate fouling material

No. 3
Operational Deviation: Overpressure
Failure Scenario: Liquid/vapor decomposition initiated by high temperature resulting from loss of vacuum
Potential Design Solutions
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
• Limit inventory of reactive materials
• Limit heating medium temperature
Active:
• Emergency relief device near expected point of reaction
• Automatic high temperature and/or pressure shutdown of heat input
• Continuous injection of reaction inhibitor
• Automatic isolation and purge of equipment with inert gas on loss of vacuum
Procedural:
• Operating instructions to periodically test for inhibitor concentration
• Operating instructions to shutdown on high temperature or high pressure

No. 4
Operational Deviation: Overpressure
Failure Scenario: Autoignition/deflagration of vapor caused by air leakage into equipment operating under vacuum
Potential Design Solutions
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
Active:
• Emergency relief device
• Oxygen analyzer with automatic activation of inert gas addition on detection of high oxygen concentration
Procedural:
• Pressure check for leaks before start-up
• Oxygen analyzer with alarm and manual activation of inert gas addition on detection of high oxygen concentration

No. 5 (T)
Operational Deviation: Overpressure (adsorbers)
Failure Scenario: Process liquid reintroduced into improperly cooled adsorber and subsequent vaporization
Potential Design Solutions
Inherently Safer/Passive:
• Vessel design accommodating maximum expected pressure
Active:
• Emergency relief device
• Interlock to isolate feed on detection of high bed temperature or pressure
Procedural:
• Proper procedures for reinstating process flow after regeneration and cooling
• Manual isolation procedure on high temperature/pressure alarm

No. 6
Operational Deviation: Underpressure or Vacuum
Failure Scenario: Uncontrolled condensation/absorption of vapor phase component
Potential Design Solutions
Inherently Safer/Passive:
• Vessel design to accommodate maximum vacuum
Active:
• Use of blanketing gas pressure control system to minimize vacuum
• Vacuum relief system
Procedural:
• Operating procedure for manual addition of vacuum breaking gas

No. 7 (T)
Operational Deviation: High Temperature (adsorber)
Failure Scenario: Premature introduction of process stream containing air to hot adsorbent bed
Potential Design Solutions
Inherently Safer/Passive:
• Select adsorbent to minimize combustion potential
Active:
• Interlock to isolate feed on detection of high bed temperature
• Automatic emergency depressuring and/or flooding/inerting on detection of high temperature
Procedural:
• Procedures for reinstituting process flow after regeneration
• Manually isolate feed on detection of high bed temperature
• Manual emergency depressuring and/or flooding/inerting on detection of high temperature

No. 8
Operational Deviation: High Temperature
Failure Scenario: Fire when exposing packing internals with flammable material to air during maintenance or by air leakage into equipment operating under vacuum
Potential Design Solutions
Inherently Safer/Passive:
• Use of nonstick internals (e.g., plastic packing)
• Use vessel without internals (e.g., spray tower)
Procedural:
• Instructions for proper vessel wash-out/cooldown prior to opening
• Procedures for maintenance under inert atmosphere if necessary

No. 9 (T)
Operational Deviation: High Temperature (adsorbers)
Failure Scenario: Poor vapor flow distribution through adsorbers leads to hot spots and fire
Potential Design Solutions
Inherently Safer/Passive:
• Proper design of vessel distributors to avoid regions of flow maldistribution in the bed
• Minimize adsorber cross sectional area
Active:
• Continuous monitoring of bed temperatures or CO at certain locations and interlock shutdown and/or inerting/flooding on high temperature
Procedural:
• Instructions to monitor bed temperature/CO and take appropriate action (e.g., inerting/flooding)

No. 10
Operational Deviation: High or Low Level (extractor)
Failure Scenario: Interfacial level control failure in liquid-liquid extractor resulting in carryover of unwanted material to downstream equipment
Potential Design Solutions
Inherently Safer/Passive:
• Control interface level via overflow leg or weir
Active:
• High/low interfacial level alarm with shutoff preventing further liquid withdrawal from vessel
Procedural:
• Manual vessel interfacial level control

No. 11 (T)
Operational Deviation: Wrong Composition (carbon bed adsorber)
Failure Scenario: High concentration of flammables in the inlet stream to a carbon bed adsorber leading to deflagration
Potential Design Solutions
Inherently Safer/Passive:
• Vessel design to accommodate maximum expected pressure
Active:
• Automatic control of inlet stream outside flammable limits
• Deflagration venting
• Inerting of process stream
• Automatic isolation of feed on detection of high flammable concentration
Procedural:
• Manual isolation on detection of high flammable concentration

No. 12 (T)
Operational Deviation: Wrong Composition (adsorber)
Failure Scenario: Impurities in adsorbents catalyze decomposition/reaction of adsorbate
Potential Design Solutions
Procedural:
• Verification of adsorbent compatibility with process materials
• Testing of adsorbents prior to loading into vessel
• Bed high temperature alarms and instructions for operator response

No. 13 (T)
Operational Deviation: Wrong Composition (carbon bed adsorber)
Failure Scenario: Low moisture content in activated carbon bed adsorber leads to fire
Potential Design Solutions
Active:
• Automatic steam injection to rehydrate bed prior to feed start
• Automatic water deluge on detection of fire
Procedural:
• Verification of adsorbent moisture content prior to placing in service
• Manual steam injection to rehydrate bed prior to feed start-up
• Manual water deluge on detection of fire

No. 14
Operational Deviation: Wrong Composition/Phase
Failure Scenario: Excessive vapor flow resulting in carryover of liquid to undesired location
Potential Design Solutions
Inherently Safer/Passive:
• Vessel design with proper vapor-liquid disengagement (e.g., low superficial vapor velocity)
• Liquid removal via demister, cyclone or other device with open liquid discharge
Active:
• Removal of liquid from the vapor stream using, for example, knock out pots with automatic level control
• Differential pressure indication and automatic reduction of vapor flow
Procedural:
• Differential pressure indication and instructions to reduce vapor flow

No. 15 (T)
Operational Deviation: Wrong Composition (adsorber)
Failure Scenario: Failure to precondition adsorber bed before readmission of process stream resulting in high temperature
Potential Design Solutions
Inherently Safer/Passive:
• Select adsorbents to adsorb only trace contaminants and not carrier gas (e.g., olefin purification)
• Vessel design accommodating maximum expected pressure
Active:
• Automatic preconditioning sequence prior to feed startup
• Multi-point temperature monitoring with automatic shutdown of feed (for high pressure adsorbers)
• CO monitoring with automatic shutdown (for carbon bed adsorbers)
Procedural:
• Procedures for preconditioning adsorber bed

No. 16
Operational Deviation: Wrong Composition (distillation columns)
Failure Scenario: Accumulation of reactive material in section of fractionator leads to rapid decomposition
Potential Design Solutions
Inherently Safer/Passive:
• Change in feedstock to avoid reactive material
Active:
• On-line measurement (e.g., level, temperature, composition) and automatic side draw-off of reactive material
Procedural:
• On-line measurement (e.g., level, temperature, composition) and manual removal of reactive material

No. 17
Operational Deviation: Wrong Composition
Failure Scenario: Insufficient or excessive fractionation leading to compositions outside of metallurgical limits (e.g., corrosion)
Potential Design Solutions
Inherently Safer/Passive:
• Select metallurgy suitable for worst case composition
Active:
• On-line measurement (e.g., corrosion probes, stream analysis, temperature) and automatic operating adjustment
Procedural:
• On-line measurement (e.g., corrosion probes, stream analysis, temperature) and manual operating adjustment

6 HEAT TRANSFER EQUIPMENT

6.1 INTRODUCTION

This chapter presents potential failure mechanisms for heat transfer equipment and suggests design alternatives for reducing the risks associated with such failures. The types of heat exchangers covered in this chapter include:

• Shell and tube exchangers
• Air cooled exchangers
• Direct contact exchangers
• Other types including helical, spiral, plate and frame, and carbon block exchangers

This chapter presents only those failure modes that are unique to heat transfer equipment. Some of the generic failure scenarios pertaining to vessels may also be applicable to heat transfer equipment. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels. Unless specifically noted, the failure scenarios apply to more than one class of heat transfer equipment.

6.2 PAST INCIDENTS

This section provides several case histories of incidents involving failure of heat transfer equipment to reinforce the need for the safe design practices presented in this chapter.

6.2.1 Ethylene Oxide Redistillation Column Explosion

In March 1991, an Ethylene Oxide (EO) redistillation column exploded at a Seadrift, Texas chemical facility. The explosion was caused by energetic decomposition of essentially pure EO vapor and liquid mist inside the column.

A set of extraordinary circumstances was found to have coincided, resulting in the catalytic initiation of decomposition in a localized region of a reboiler tube. Extensive investigation (Viera et al., 1993) showed that:

1. A low liquid level in the column, plus a coinciding temporary condensate backup and accumulation of inert gas in the reboiler shell, significantly diminished the EO liquid fraction leaving the reboiler. Nevertheless, sufficient heat transfer capacity remained to satisfy the vaporization rate required by the column controls, so operation appeared normal.

2. A localized imbalance resulted in some reboiler tubes losing thermosyphon action, so that the existing EO was essentially all vapor. Due to ongoing reaction with traces of water, high boiling glycols accumulated in the stalled tubes, increasing the boiling point while reducing the heat flux and resulting mass flow rate. This self-reinforcing process continued, leading to minimal EO vapor velocity through the stalled tubes. Since the vapor was no longer in equilibrium with boiling EO it could momentarily attain the 150°C temperature of the reboiler steam supply.

3. The insides of the reboiler tubes had collected a thin film of EO polymer containing percent-level amounts of catalytic iron oxides. This film had in numerous places peeled away from the tube wall, producing a catalytic surface of low heat capacity and negligible effect on mass flow rate. EO vapor heating was aided by the absence of liquid plus the small vapor velocity through the stalled tubes. These conditions led to a rapid rate of film heating which encouraged a fast disproportionation reaction of EO to predominate over slower polymerization reactions. The previously unknown fast reaction between EO vapor and supported high surface area iron oxide led to a hotspot and initiation of vapor decomposition. Once ignited, the EO decomposition flame spread rapidly through the column causing overpressurization.

6.2.2 Brittle Fracture of a Heat Exchanger

An olefin plant was being restarted after repair work had been completed. A leak developed on the inlet flange of one of the heat exchangers in the acetylene conversion preheat system. To eliminate the leak, the control valve supplying feed to the conversion system was shut off and the acetylene conversion preheat system was depressured. Despite the fact that the feed control valve was given a signal to close, the valve allowed a small flow. High liquid level in an upstream drum may have allowed liquid carryover which resulted in extremely low temperature upon depressurization to atmospheric pressure.

The heat exchanger that developed the leak was equipped with bypass and block valves to isolate the exchanger. After the leaking heat exchanger was bypassed, the acetylene conversion system was repressured and placed back in service. Shortly thereafter, the first exchanger in the feed stream to the acetylene converter system failed in a brittle manner, releasing a large volume of flammable gas. The subsequent fire and explosion resulted in two fatalities, seven serious burn cases, and major damage to the olefins unit.

The acetylene converter pre-heater failed as a result of inadequate low-temperature resistance during the low temperature excursion caused by depressuring the acetylene converter system. The heat exchanger that failed was fabricated from ASTM A515 grade 70 carbon steel. After the accident, all process equipment in the plant which could potentially operate at less than 20°F was reviewed for suitable low-temperature toughness (Price 1989).

Ed. Note: It should have been recognized that upstream cryogenic conditions may have a deleterious effect on downstream equipment during normal and abnormal operations.

6.2.3 Cold Box Explosion

Ethylene plants utilize a series of heat exchangers to transfer heat between a number of low temperature plant streams and the plant refrigeration systems. This collection of heat exchangers is known collectively as the "cold box." In one operating ethylene plant, a heat exchanger in the cold box that handled a stream fed to the demethanizer column required periodic heating and backflushing with methane to prevent excessive pressure drop due to the accumulation of nitrogen-containing compounds.

During a plant upset which resulted in the shutdown of the plant refrigeration compressors, the temperature of the cold box began to increase. During this temperature transient an explosion occurred which destroyed the cold box and disabled the ethylene plant for about 5 months. An estimated 20 tons of hydrocarbon escaped. Fortunately, the hydrocarbon did not ignite.

An investigation revealed that the explosion was caused by the accumulation and subsequent violent decomposition of unstable organic compounds that formed at the low temperatures inside the cold box. The unstable "gums" were found to contain nitro and nitroso components on short hydrocarbon chains. The source of the nitrogen was identified as nitrogen oxides (NOx) present in a feed stream from a catalytic cracking unit. Operating upsets could have promoted unstable gums by permitting higher than normal concentrations of 1,3-butadiene and 1,3-cyclopentadiene to enter the cold box. To prevent NOx from entering the cold box, the feed stream from the catalytic cracking unit was isolated from the ethylene plant (Kohler 1991).

6.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 6 presents information on equipment failure scenarios and associated design solutions specific to heat transfer equipment. The table heading definitions are provided in Chapter 3, section 3.3.

6.4 DISCUSSION

6.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 6 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

6.4.2 Special Considerations

This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Leak/Rupture of the Heat Transfer Surface (1-3)

This common failure scenario may result from corrosion, thermal stresses, or mechanical stresses of heat exchanger internals. The leak/rupture of tubes leads to contamination or overpressure of the low-pressure side. Failure to maintain separation between heat transfer and process fluids may lead to violent reaction in the heat transfer equipment or in the downstream processing equipment. To make the heat transfer process inherently safer, designers must look at possible interactions between heating/cooling fluids and process fluids.

For relatively low-pressure equipment (<1000 psig), a complete failure of tubes may not be a credible overpressure scenario if the design pressure of the low-pressure side and associated equipment is greater than two-thirds of the design pressure of the high-pressure side (API RP 521 1993), or if the geometry of the tube layout is such that a complete break is not physically possible. For high-pressure equipment (>1000 psig), however, a complete failure should be considered credible, regardless of pressure differential.

Double tube sheets or seal welding may be used for heat exchangers handling toxic chemicals. For heat transfer problems involving highly reactive/hazardous materials, a triple-wall heat exchanger may be used. This type of heat exchanger consists of three chambers and uses a neutral material to transfer heat between two highly reactive fluids. Alternatively two heat exchangers can be used with circulation of the neutral fluid between them.

There are known cases of cooling tower fires that have resulted from contamination of cooling water with hydrocarbons attributable to tube leakage. Gas detectors and separators may be installed on the cooling water return lines, or in the cooling tower exhaust (air) stream.

Thermal stresses can be reduced by limiting the temperature differences between the inlet and outlet streams. In addition, alternate flow arrangements may be used to avoid high thermal stresses. Thermal cycling of heat transfer equipment should be kept to a minimum to reduce the likelihood of leaks and ruptures.

Fouling, or Accumulation of Noncondensable Gases (5)

It is desirable to design heat exchangers to resist fouling. Sufficient tube side velocity may reduce fouling. However, higher tube side velocities may also lead to erosion problems. In some cases fouling will cause higher tube wall temperatures, leading to overheating of reactive materials, loss of tube strength, or excessive differential thermal expansion.

Accumulation of noncondensable gases can result in loss of heat transfer capability. Heat exchangers in condensing service may need a vent nozzle, or other means of removing noncondensable gases from the system.

External Fire (9)

Emergency relief devices are often sized for external fire. Heat transfer equipment, such as air coolers, present a unique challenge when it comes to sizing relief devices. These exchangers are designed with large heat transfer areas. This large surface area may result in very large heat input in case of external fire. Indeed, it may not be practical to install a relief device sized for the external fire case due to large relief area requirements. Other mitigation measures, such as siting outside the potential fire zone or diking with sloped drainage, may be used to reduce the likelihood and magnitude of external fire impinging on the heat exchanger. Alternative heat exchanger designs may also be used to reduce the surface area presented to an external fire.

6.5 REFERENCES

API RP 521 1993. Guide for Pressure Relieving and Depressuring Systems. Washington D.C.: American Petroleum Institute.

Kohler, J. 1991. Cold Box Explosion at Shell Steam Cracker in Berre, France. Paper presented at AIChE Spring National Meeting, Houston, Texas.

Price, J. H. 1989. Personal communication to T.W. Carmody, Director CCPS.

Viera, G. A., L. L. Simpson and B. C. Ream 1993. Lessons Learned from the Ethylene Oxide Explosion at Seadrift, Texas, Chemical Engineering Progress, August 1993.

Suggested Additional Reading

CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

Kletz, T. A. 1994. Learning from Accidents, Oxford: Butterworth-Heinemann Ltd.

McCarthy, A. J., and Smith, B. R. 1994. Reboiler System Design—The Tricks of the Trade. Process Plant Safety Symposium, February 28-March 2, 1994, Houston, TX, ed. M. C. Cousins, Volume 1. 537-561. Houston, TX: South Texas Section of the American Institute of Chemical Engineers.

TABLE 6. FAILURE SCENARIOS FOR HEAT TRANSFER EQUIPMENT

Potential Design Solutions

ProceduralActiveInherently Safer/PassiveFailure ScenariosOperationalDeviationsNo.

• Corrosion detectiondevice (e.g., coupons)

• Periodic inspection/analysis of low pressurefluid for high pressurefluid leakage

• Procedural control ofintroduction of processfluids on start-up andshutdown

• Periodic inspection/analysis of low pressurefluid for high pressurefluid leakage

• Periodic inspection/analysis of low pressurefluid for high pressurefluid leakage

• Emergency relief deviceon low pressure side

• Emergency relief deviceon low pressure side

• Automatic control ofintroduction of processfluids on start-up andshutdown

• Emergency relief deviceon low pressure side

• Double tube sheets• Seal welding of tubes to tubesheets• Open low pressure side return• Design changes to reduce erosion (e.g.,

lower velocities, inlet baffle)• Secondary heat transfer fluid• Design pressure of low pressure side equal

to design pressure of high pressure side• Use of more corrosion resistant alloys• Use of less corrosive heat transfer media

• U-tube exchanger design

• Shell expansion joint or internal floatinghead

• Design pressure of low pressure side equalto design pressure of high pressure side

• Use of designs other than shell and tube(e.g., spiral, plate and frame)

• Mechanical design (e.g., proper bafflespacing) accommodating maximumanticipated inlet feed pressure/velocity

• Design pressure of low pressure side equalto design pressure of high pressure side

• Use of designs other than shell and tube(e.g., spiral, plate and frame)

Corrosion/erosionof exchangerinternals resultingin a heat transfersurface leak orrupture and possi-ble overpressure ofthe low pressureside

Differentialthermal expansion/contractionbetween tubes andshell resulting intube leak/rupture(Fixed Tubesheet)

Excessive tubevibration resultingin tube leak/rup-ture and possibleoverpressure of thelow pressure side

Overpressure

Overpressure

(Shell and TubeExchanger)

Overpressure(Shell and TubeExchanger)

1

(T)

2

(T)

3

(T)

Potential Design Solutions

ProceduralActiveInherently Safer/PassiveFailure ScenariosOperationalDeviationsNo.

• Manual control ofheating medium basedon temperatureindication

• Manual adjustment ofcooling mediumtempering

• Periodic exchangercleaning

• Manual venting on highpressure indication

• Manual activation ofbackup cooling

• Manual isolation ofinput flow on detectionof high vent temperature

• Manual adjustment ofvaporization pressure

• Emergency relief device

• High temperatureindication with alarmand interlock whichisolates the heatingmedium

• Emergency relief device

• Back-up coolingmedium supply withautomatic switch-over

• Automatic tempering ofcooling mediumtemperature to avoidlow tube walltemperature resulting insolids deposition

• Automatic venting ofnoncondensables

• Automatic isolation ofinput flow on detectionof high vent temperature

• Emergency relief device

• Automatic adjustment ofvaporization pressure tocontrol vaporization rate

• Limit the temperature of the heatingmedium

• Design pressure of cold-side fluid equal tomaximum expected pressure

• Design exchanger for suitable velocity tominimize fouling

• Heat exchanger design less prone tofouling (e.g., direct contact)

• Provide additional surface area in air coolerto transfer heat via natural convection

• Continuous open venting ofnoncondensables

• Design for maximum expected pressure

• Mechanical design accommodatingmaximum pressure/temperature

• Use heating medium other than air

Excessive heatinput resulting invaporization of thecold-side fluid(e.g., controlsystem failure, cold-side blocked in)

Loss of heat trans-fer due to fouling,accumulation ofnoncondensables,or loss of coolingmedium

Ambient tempera-ture increaseresulting in highervaporization ratein air heatedexchanger

Overpressure

Overpressure(CondensingSide)

Overpressure

(air heatedexchanger)

4

5

(T)

6

• Procedural controls onblock valve closing

• Manual isolation ofheating medium onindication of no flow oncold side

• Manual vacuumbreaking

• Manual adjustment of airinlet temperature

• Emergency responseplan

• Manual activation offixed fire protectionwater spray (deluge)and/or foam systems

• High temperatureindication with alarm

• Manual control ofheating mediumtemperature

• Periodic inspection

• Thermal relief device

• Interlock to isolateheating medium upondetection of no flow oncold-side

• Automatic vacuumbreaking system

• Automatic air inlettemperature control viaair preheating withsteam or air recirculation

• Fixed fire protectionwater spray (deluge)and/or foam systemsactivated by flammablegas, flame, and/or smokedetection devices

• Emergency relief device

• Use of exchanger designless sensitive to fouling(e.g., scraped surfaceexchanger)

• Automatic control ofheating mediumtemperature

• Open cold side return

• Mechanical design to accommodateminimum expected temperature andpressure

• Use of alternative heat exchanger designs

• Use alternate heat exchanger design tominimize impact of external fire

• Fireproof insulation (limits heat input)

• Slope-away drainage with remoteimpounding of spills

• Locate outside fire affected zone

• Use cellular glass insulation to avoidinsulation fires

• Mechanical design to accommodatemaximum expected temperature andpressure

• Design exchanger for suitable velocity tominimize fouling

• Use of heating medium with a maximumtemperature that is limited to exchangerdesign temperature

Cold-side fluidblocked in whileheating mediumcontinues to flow

Excessive heattransfer rate due toambient tempera-ture drop or rain

External fire

Loss of mechanicalintegrity of tube

Overpressure

Underpressure(air cooledexchanger)

HighTemperature

HighTemperature

(on tubesurface)

7

8

9

(T)

10

11. Low Temperature (air cooled exchanger)
Failure scenario: Low ambient temperature causes fluid freezing and tube rupture
Inherently safer/passive:
• Select different type of exchanger to minimize or eliminate consequences of freezing
Active:
• Provide air inlet temperature control via air preheating with steam or air recirculation
• Provide air flow control (e.g., variable pitch fans)
Procedural:
• Manual adjustment of air temperature or flow

12. Wrong Composition
Failure scenario: Mixing of fluids resulting in exothermic reactions, phase changes, and/or fluid system contamination due to corrosion/erosion, vibration or differential thermal expansion
Inherently safer/passive:
• Select heat transfer media which are chemically compatible with process materials
• Mechanical design to accommodate maximum expected temperature and pressure of a possible exothermic reaction
• Intermediate heat transfer fluid system
• Double tubesheet design
• Seal weld tubes to tubesheets
Active:
• Emergency relief device
• Downstream fluid analyzers with concentration alarms interlocked with automatic shutdown
Procedural:
• Downstream fluid analyzers with concentration alarms
• Periodic sampling and analysis of fluids

13. Loss of Containment (air cooled exchanger)
Failure scenario: Vibration/fan failure and tube rupture due to impact with fan blade
Inherently safer/passive:
• Use of alternative heat exchanger designs
Active:
• Vibration monitoring with automatic fan shutdown
Procedural:
• Manual fan shutdown on indication of excessive vibration

14. Loss of Containment (Scraped Surface)
Failure scenario: Scraper punctures heat transfer surface due to misalignment or entrance of foreign objects
Inherently safer/passive:
• Screens at entrance of heat exchanger to remove foreign objects
• Use of alternative exchanger designs
Active:
• Automatic shutdown of motor on high amperage or power
Procedural:
• Manual shutdown of motor on high amperage or power

15. Loss of Containment (Plate and Frame)
Failure scenario: Fire exposure causes gasket failure
Inherently safer/passive:
• Use of alternative exchanger design
• Locate exchanger outside fire affected zone
• Use fire resistant (metal jacketed) gaskets
• Use of welded plate design
• Provide splash shields around exchanger
Active:
• Automatic fire extinguishing system
Procedural:
• Emergency response procedures
• Manual activation of fire extinguishing system

16. Loss of Containment (Carbon Block)
Failure scenario: Fire exposure causes combustion and failure of exchanger
Inherently safer/passive:
• Use of alternative exchanger design
• Locate exchanger outside fire affected zone
Active:
• Automatic fire extinguishing system
Procedural:
• Emergency response procedures
• Manual activation of fire extinguishing system

7 DRYERS

7.1 INTRODUCTION

This chapter presents potential failure mechanisms for dryers and drying systems, and suggests design alternatives for reducing the risks associated with such failures. The types of equipment covered in this chapter include:

• Spray dryers

• Tray dryers

• Fluid bed dryers

• Conveying (flash, mechanical, and pneumatic) dryers

• Rotary dryers

This chapter presents only those failure modes that are unique to dryers. Some of the generic failure scenarios pertaining to vessels and heat transfer equipment may also be applicable to dryers. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels and Chapter 6, Heat Transfer Equipment. Also, since drying equipment is often associated with solid-fluid separators and solids handling and processing equipment, refer to Chapters 9 and 10 for additional information. Unless specifically noted, the failure scenarios apply to more than one class of dryers.

7.2 PAST INCIDENTS

This section presents three case histories involving fires and explosions (deflagrations) to reinforce the need for safe design and operating practices for dryers and drying systems.

7.2.1 Drying of Compound Fertilizers

A fire and explosion occurred in a dryer handling a blended fertilizer that contained single and triple superphosphates and a mixture of nitrogen-phosphorus-potassium fertilizers. The blend was prone to self-sustained decomposition, and began decomposing while passing through the dryer. When the temperature of the blend rose to about 130°C, the operator intervened and shut down the dryer. Subsequently, a rapid exothermic reaction occurred within the dryer which resulted in a fire and explosion. One person was killed and 18 were injured (Drogaris 1993). See item 1 in Table 7 for potential design solutions.

Ed. Note: A prior study of exotherm potential might have led to safer operating limits.

7.2.2 Fires in Cellulose Acetate Dryer

A continuous belt dryer used to dry cellulose acetate powder had experienced repeated small internal fires over a two-year period. After performing a basket (self-heating) test to determine if exothermic behavior was present under various solids depths, investigators discovered that an exotherm was initiated at 223°C under process conditions. Because the dryer was heated with 100 psig steam (saturation temperature of 172°C) it was initially thought that this exothermic behavior was not the cause of the fires. Further examination revealed that the 100 psig steam at this particular location was superheated to 235°C, well above the exotherm initiation temperature. After a steam desuperheater was installed immediately upstream of the dryer, the fire problem disappeared. See item 19 in Table 7 for potential design solutions.

7.2.3 Pharmaceutical Powder Dryer Fire and Explosion

An operator had tested dryer samples on a number of occasions. After the last sampling, he closed the manhole cover, put the dryer under vacuum, and started rotation of the dryer. A few minutes later an explosion and flash fire occurred, which self-extinguished. No one was injured. Investigations revealed that after the last sampling, the dryer manhole cover had not been securely fastened. This allowed the vacuum within the dryer to draw air into the rotating dryer and create a flammable mixture. The ignition source was probably an electrostatic discharge (the Teflon coating on the internal lining of the dryer could have built up a charge). No nitrogen inerting had been used (Drogaris 1993).

After this incident, the following precautions were instituted to prevent similar incidents from occurring in the future:

• Nitrogen purging is carried out before charging or sampling of the dryer.

• If the absolute pressure rises to about 4 psia, the rotation stops, an alarm sounds, and a nitrogen purge starts automatically.
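A worked check of the two safeguards that the cellulose acetate and pharmaceutical dryer incidents above turn on, written as an added example for this page; it is not code from the guidelines or from the incident reports. It estimates the saturation temperature of 100 psig steam with the Antoine equation for water (a standard correlation, which gives about 170°C here, consistent with the 172°C quoted above), compares the measured steam temperature with the 223°C exotherm onset using an assumed 20°C margin, and encodes the 4 psia vacuum-loss interlock from the pharmaceutical dryer incident. The function names, the margin, and the sample readings are assumptions made for the example.

```python
"""Dryer heating-medium and vacuum-loss checks.

Added example for this page; not code from the CCPS guidelines.
Steam saturation temperature is estimated from gauge pressure with the
Antoine equation for water (constants valid for 99-374 degC, P in mmHg);
the 20 degC margin and the sample readings are assumptions.
"""
import math

ATM_PSIA = 14.696        # standard atmosphere, psi
MMHG_PER_PSI = 51.7149   # unit conversion
# Antoine constants for water: log10(P_mmHg) = A - B / (C + T_degC)
ANTOINE_A, ANTOINE_B, ANTOINE_C = 8.14019, 1810.94, 244.485


def steam_saturation_temp_c(gauge_psig):
    """Saturation temperature (degC) of steam at the given gauge pressure."""
    p_mmhg = (gauge_psig + ATM_PSIA) * MMHG_PER_PSI
    return ANTOINE_B / (ANTOINE_A - math.log10(p_mmhg)) - ANTOINE_C


def superheat_c(gauge_psig, measured_temp_c):
    """Degrees by which the measured steam temperature exceeds saturation.
    A positive value means the steam is superheated, as in the incident."""
    return measured_temp_c - steam_saturation_temp_c(gauge_psig)


def heating_medium_acceptable(measured_temp_c, exotherm_onset_c, margin_c=20.0):
    """True when the measured (not nominal) heating-medium temperature stays
    at least margin_c below the exotherm onset found by the basket test."""
    return measured_temp_c + margin_c <= exotherm_onset_c


def vacuum_loss_actions(absolute_psia, trip_psia=4.0):
    """Interlock from the pharmaceutical dryer incident: when the absolute
    pressure rises to the trip point, stop rotation, alarm and start the
    nitrogen purge. Returns the tuple of actions to take (empty if none)."""
    if absolute_psia >= trip_psia:
        return ("stop_rotation", "alarm", "start_nitrogen_purge")
    return ()


if __name__ == "__main__":
    # Cellulose acetate case: 100 psig steam, exotherm onset 223 degC.
    sat = steam_saturation_temp_c(100.0)
    print(f"saturation temperature at 100 psig: {sat:.1f} degC")
    print("saturated steam acceptable:", heating_medium_acceptable(sat, 223.0))
    print("superheat at 235 degC:", round(superheat_c(100.0, 235.0), 1), "degC")
    print("steam at 235 degC acceptable:", heating_medium_acceptable(235.0, 223.0))
    # Pharmaceutical dryer case: vacuum lost through an unfastened manhole.
    print("actions at 5 psia:", vacuum_loss_actions(5.0))
    print("actions at 1 psia:", vacuum_loss_actions(1.0))
```

The point of the first check is that the nominal heating-medium temperature is the wrong input: the basket-test onset has to be compared with the temperature the dryer actually sees, measured downstream of any superheating, and the desuperheater installed in the incident is what brings that measured value back inside the margin.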

7.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 7 presents information on equipment failure scenarios and associated design solutions specific to dryers. The table heading definitions are provided in Chapter 3, section 3.3.

7.4 DISCUSSION

7.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 7 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

7.4.2 Special Considerations

Table 7 contains numerous design solutions derived from a variety of sources and actual situations. This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Buildup and Autoignition of Deposits in Dryers/Ductwork (1)

Some dryers and drying systems (including ductwork and associated equipment such as cyclones, dust collectors, etc.) are prone to accumulation of deposits on dryer walls and ductwork. Solids often accumulate on spray devices at the top of dryers where the highest dryer temperature is often experienced. Frequent cleaning and monitoring may be required to ensure that these deposits do not overheat and autoignite. Tests should be conducted to evaluate the hazards of dust deposit ignitability. The characteristics of materials deposited on walls or other surfaces may change over time when the materials are exposed to high temperatures or other process conditions.

Electrostatic Hazards (3, 14, 15)

Electrostatic sparks are a common cause of dust and flammable vapor deflagrations. Dryers and drying systems that can generate electrostatic charges must be properly bonded and grounded to drain off these charges and minimize the possibility of deflagrations. Inerting is often needed to prevent the occurrence of a deflagration.

Hybrid Mixtures (11)

Many drying operations involve the evaporation of a flammable solvent from a combustible powder. This combination of a flammable vapor and combustible powder fines (dust) is called a hybrid mixture. Hybrid mixtures represent a greater explosion hazard than that presented by the combustible dust alone. This increased hazard is characterized by the following:

1. The hybrid mixture may explode more severely than a dust-air mixture alone, i.e., the maximum pressure and maximum rate of pressure rise may be greater, even if the vapor concentration is below its lower explosive limit (LEL).

2. The minimum ignition energy of hybrid mixtures is usually lower than that of the dust-air mixture alone.

3. The minimum explosible concentration (MEC) of a dust is reduced by the presence of a flammable vapor even if the latter is below its LEL. Measurable effects are observed as low as 20% of the vapor LEL.

Decomposition of Process Materials (19, 20, 22)

Many powders are thermally sensitive and may decompose at high temperature, resulting in an overpressure or fire. Some dried materials, such as sodium hydrosulfite, may also exothermically decompose when exposed to water. It is very important to determine whether organic powders are thermally unstable and, if so, to test them for thermal stability to establish a safe operating temperature for the drying operation. The potential for decomposition will depend on the characteristics of the solid, including depth, composition, temperature, duration of exposure, and dryness.

7.5 REFERENCES

Drogaris, G. 1993. Major Accident Reporting System: Lessons Learned from Accidents Notified. Amsterdam: Elsevier Science Publishers B.V.

Suggested Additional Reading

Abbot, J. 1990. Prevention of Fires and Explosions in Dryers—A User Guide. 2d ed. London: The Institution of Chemical Engineers.

Bartknecht, W. 1989. Dust Explosions: Course, Prevention, Protection. New York: Springer-Verlag.

Chatrathi, K. 1991. How to Safely Handle Explosible Dust—Part I. Powder and Bulk Engineering. January 1991: 22-28.

Chatrathi, K. 1991. How to Safely Handle Explosible Dust—Part II. Powder and Bulk Engineering. February 1991: 12-18.

Ebadat, V. 1994. Testing to Assess Your Powder's Fire and Explosion Hazards. Powder and Bulk Engineering. January 1994: 19-26.

Garcia, H., and Guarici, D. 1995. How to Protect Your Drying Process from Explosions. Powder and Bulk Engineering. April 1995: 53-64.

Gibson, N., Harper, D. J. and Rogers, R. L. 1985. Evaluation of the Fire and Explosion Risk in Drying Powders. Plant/Operations Progress. 4: 181-189.

Narayan, S. B., and Majumdar, A. A. 1987. Fire and Explosion Hazards in Drying Plants, Ch. 28 in Handbook of Industrial Drying. New York: Marcel Dekker, Inc.

Palmer, K. N. 1973. Dust Explosions and Fires. London: Chapman and Hall Ltd.

Palmer, K. N. 1990. Dust Explosions: Initiations, Characteristics, and Protection. Chemical Engineering Progress. March 1990: 24-32.

TABLE 7. FAILURE SCENARIOS FOR DRYERS

Each entry lists the scenario number (T marks scenarios discussed further in section 7.4.2), the operational deviation, the failure scenario, and the potential design solutions grouped as inherently safer/passive, active, and procedural.

1 (T). Overpressure
Failure scenario: Buildup and autoignition of deposits in dryers and ductwork resulting in fire/explosion
Inherently safer/passive:
• Dryer design which minimizes buildup of deposits (smooth surfaces, elimination of potential points of solids accumulation)
• Use dryer with short residence time (e.g., flash dryer)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
• Deflagration venting
• Deflagration suppression system
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• Periodic inspection and cleaning
• Emergency response procedures
• Procedure to process most stable materials first when campaigning multiple products to avoid ignition of unstable materials
• Procedure for determining maximum tolerable material accumulation
• Manual activation of fire fighting/inerting system

2. Overpressure
Failure scenario: Ignition of condensing flammable vapor in ductwork resulting in fire/explosion
Inherently safer/passive:
• Dryer design to prevent condensation in ductwork
• Provision for drainage of ducts (e.g., sloped, low point drains)
• Eliminate ignition sources within the ductwork
• Eliminate flammables
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Ventilation system to keep flammable concentration below lower flammable limit
• Deflagration vents
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• On-line flammable gas detection and manual activation of CO2 total flooding system
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

3 (T). Overpressure
Failure scenario: Ignition of deposits in ductwork due to static discharge resulting in fire/explosion
Inherently safer/passive:
• Dryer design which minimizes buildup of deposits (smooth surfaces, elimination of potential points of solids accumulation)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
• Deflagration vents
• Deflagration suppression system
• Automatic isolation of associated equipment via quick closing valves
• Automatic activation of fire fighting/inerting system
Procedural:
• Good housekeeping
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

4. Overpressure
Failure scenario: Ignition of deposits in ductwork due to sparks from electrical equipment or mechanical sources such as motors, switches, wiring, fans, bearings, conveyor chains resulting in fire/explosion
Inherently safer/passive:
• Dryer design which minimizes buildup of deposits (smooth surfaces, elimination of potential points of solids accumulation)
• Use of electrical equipment with the correct classification to reduce the probability of ignition
• Selection of appropriate electrical area equipment
• Use of non-sparking equipment
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
• Deflagration vents
• Deflagration suppression system
• Automatic isolation of associated equipment via quick closing valves
• Automatic shutdown on vibration alarm
Procedural:
• Good housekeeping
• Vibration monitoring of rotating equipment
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

5. Overpressure
Failure scenario: Inadequate ventilation due to obstructions or closed dampers leading to creation of flammable atmosphere and subsequent ignition resulting in fire/explosion
Inherently safer/passive:
• Eliminate flammables
• Design dampers so that system will handle the minimum safe ventilation rate at maximum damper throttling
• Provide damper mechanical position stop to prevent complete closure of damper
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Ventilation system to keep flammable concentration below lower flammable limit
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
• Automatic feed trip on loss of ventilation or high concentration of flammable vapor
Procedural:
• Manual feed trip on loss of ventilation
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

6. Overpressure (conveyor dryer)
Failure scenario: Increase in conveyor speed causing excessive generation of solvent vapors from the feed and subsequent ignition resulting in fire/explosion
Inherently safer/passive:
• Ventilation system designed to handle the maximum solvent evaporation rate
• Eliminate flammable solvent (e.g., water based)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Ventilation system flow rate interlocked with the conveyor speed
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Use of inert atmosphere
• Deflagration suppression system
• Automatic isolation of associated equipment via quick closing valves
• Conveyor speed control with high alarm and shutdown
Procedural:
• Operator response to indication of higher conveyor speed
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

7. Overpressure
Failure scenario: Excessive solvent load on ventilation system due to feed supply variations causing buildup of flammables with subsequent ignition resulting in fire/explosion
Inherently safer/passive:
• Ventilation system designed to handle the maximum solvent load
• Eliminate flammable solvent (e.g., use water based solvents)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Ventilation system flow rate interlocked with the feed flow rate
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Provide upstream surge capacity to equalize composition
• Automatic isolation of associated equipment via quick closing valves
• Automatic control of feed rate
Procedural:
• Operator response to indication of higher feed rate
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

8. Overpressure
Failure scenario: Batch operation resulting in a high peak evaporation rate of flammable solvent causing buildup of flammables with subsequent ignition leading to fire or explosion
Inherently safer/passive:
• Ventilation system designed to handle the peak solvent evaporation rate
• Dryer designs where natural circulation is sufficient to keep solvent concentration at a safe level
• Use continuous or semi-continuous dryer design
• Eliminate flammable solvent (e.g., water based)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• Startup and normal operating procedures which allow for the unsteady evaporation rates during batch operations
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

9. Overpressure
Failure scenario: Inadequate circulation in dryers causing accumulation of flammable pockets with subsequent ignition leading to fire or explosion
Inherently safer/passive:
• Dryer designs where natural circulation is sufficient to prevent accumulation of flammables
• Eliminate flammable solvent (e.g., water based)
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
• Automatic shutdown on detection of low circulating flow
Procedural:
• Manual dryer shutdown on low circulation
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

10. Overpressure
Failure scenario: Shutdown of fans/ventilation system immediately following shutdown of heat input resulting in hot spots and flammable pockets with subsequent ignition resulting in fire or explosion
Inherently safer/passive:
• Dryer designs where natural circulation is sufficient to prevent accumulation of flammables and/or creation of hot spots
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Postventilation interlocks keep fans running for a sufficient time after shutdown of heating
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• Shutdown procedures to maintain fans running for a sufficient time after shutdown of heating
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

11 (T). Overpressure (Spray Dryer)
Failure scenario: Excessive atomization in nozzle leading to production of fine powder, and possibility of a dust/hybrid explosion
Inherently safer/passive:
• Use alternate type of dryer
• Design dryer to contain overpressure where practical
• Inlet temperature of heating medium should be sufficiently below the minimum ignition temperature
• Eliminate flammable solvent
• Permanent bonding and grounding
Active:
• Pressure control to regulate the nozzle pressure
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Automatic isolation of associated equipment via quick closing valves
• Automatic sprinkler system/CO2 total flooding system
Procedural:
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

12. Overpressure
Failure scenario: Manifolding of ventilation exhaust ducts of several dryers leading to spread of fire or deflagration from one location to the next
Inherently safer/passive:
• Use dedicated exhaust ducts
• Design dryer and ductwork to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Automatic isolation via quick closing valves of manifold duct system on detection of fire/flammable atmosphere in duct system
• Automatic sprinkler system/CO2 total flooding system
• Deflagration vents
• Deflagration suppression system
• Use of inert atmosphere
• Vent individual dryers through conservation vents to prevent back flow
• Install flame arresters in dryer vents
Procedural:
• Operator action to isolate various ducts on detection of fire/flammable atmosphere
• Manual activation of fire fighting/inerting system
• Manual bonding and grounding

13. Overpressure
Failure scenario: Attrition of solids resulting in particle size reduction and subsequent dust explosion
Inherently safer/passive:
• Select alternate dryer design which reduces attrition rate
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Use inert atmosphere
• Automatic sprinkler system/CO2 total flooding system
• Deflagration venting
• Deflagration suppression system
Procedural:
• Operating conditions to keep particle size out of explosive range
• Manual bonding and grounding

14 (T). Overpressure (Double-Cone Tumbling Dryer, Glass-Lined)
Failure scenario: Deflagration due to ignition of flammable dust/vapor caused by an electrostatic spark (vessel is nonconductive due to glass lining)
Inherently safer/passive:
• Use alternative dryer design
• Design dryer to contain overpressure where practical
• Permanent bonding and grounding
Active:
• Use of inert atmosphere
• Automatic shutdown on high outlet temperature
• Automatic isolation of associated equipment via quick closing valves
Procedural:
• Manual bonding and grounding

15 (T). Overpressure (Fluid Bed Dryer)
Failure scenario: Deflagration due to ignition of flammable dust/vapors above the bed caused by an electrostatic spark
Inherently safer/passive:
• Permanent bonding and grounding
• Design dryer to contain overpressure where practical
Active:
• Deflagration vents
• Deflagration suppression
• Use nitrogen as fluidizing gas in a closed loop system
• Automatic isolation of associated equipment via quick closing valves
• Use of inert atmosphere
Procedural:
• Manual grounding and bonding for portable units

16. Underpressure
Failure scenario: Sudden loss of heating medium with vapor condensation resulting in partial vacuum
Inherently safer/passive:
• Dryer design for minimum expected pressure
Active:
• Automatic vacuum relief system on detection of low pressure
• Inert gas injection
Procedural:
• Procedure to limit rate of temperature decrease in dryer

17. High Temperature
Failure scenario: Ignition of surrounding combustibles (including fugitive emissions from the dryer) caused by high surface temperature in dryers and ductwork resulting in fire
Inherently safer/passive:
• Limit temperature of the dryer to below the safe temperature limit of surrounding materials
• Insulation of external dryer surfaces to reduce surface temperature to a safe limit
• Maintain proper clearances between hot surfaces and combustible materials
Active:
• Automatic fixed fire protection systems
• Fines removal from exit gas (bag filters)
Procedural:
• Operator action in response to observing high surface temperatures
• Good housekeeping
• Emergency response procedures
• Manual activation of fire fighting/inerting system

18. High Temperature
Failure scenario: Ignition of combustible material used in the construction of dryer in the event of a high temperature excursion resulting in fire
Inherently safer/passive:
• Dryer design which does not use combustible materials of construction
• Use of heating medium which automatically limits the temperature exposure of dryer internals
Active:
• Automatic control of dryer temperature
• High temperature alarms and shutdown systems
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
Procedural:
• Operator action in response to observing high dryer temperature and/or high temperature alarm
• Emergency response procedures
• Manual activation of fire fighting/inerting system

19 (T). High Temperature
Failure scenario: Decomposition of process material caused by exposure to high temperature resulting in a fire/explosion
Inherently safer/passive:
• Use of heating medium which automatically limits the temperature to which the feed is exposed
• Alternative dryer design limiting feed inventory
• Design dryer to minimize internal accumulation of product
Active:
• Automatic control of dryer temperature
• High temperature alarms and shutdown systems
• Use of inert atmosphere
• Automatic heating medium temperature control (e.g., steam desuperheating)
• Automatic sprinkler system/CO2 total flooding system
Procedural:
• Operator action in response to observing high dryer temperature and/or high temperature alarm
• Emergency response procedures
• Manual activation of fire fighting/inerting system

20 (T). High Temperature
Failure scenario: Decomposition of process material caused by low feed rate to dryer resulting in a fire/explosion
Inherently safer/passive:
• Use of heating medium which automatically limits the temperature to which the feed is exposed
• Alternative dryer design
Active:
• Automatic control of heat input to dryer based on feed flow rate
• High temperature alarms and shutdown systems
• Use of inert atmosphere
• Automatic sprinkler system/CO2 total flooding system
• Automatic control of feed rate
Procedural:
• Operator action in response to observing high temperature and low feed rate
• Emergency response procedures
• Manual activation of fire fighting/inerting system

21. High Temperature
Failure scenario: Introduction of flammable liquid into dryer via lube oil leakage from damaged bearing/seal and subsequent ignition resulting in a fire/explosion
Inherently safer/passive:
• Double mechanical seals
• Use dryer with no mechanical seals
• Use nonflammable/high flash point lubricants
Active:
• Automatic sprinkler system/CO2 total flooding system
• Use of inert atmosphere
• Deflagration venting
• Deflagration suppression system
Procedural:
• Periodic bearing and seal inspection
• Manual activation of fire fighting/inerting system
• Manual response to lube oil reservoir low level alarm

22 (T). High Temperature
Failure scenario: Decomposition of heat sensitive process material due to heat generated from mechanical input (i.e., plugging of rotary feeders, paddle dryers, screw conveyors)
Inherently safer/passive:
• Use dryer component types which minimize mechanical heat input
• Alternative dryer design
Active:
• Provide torque limiting devices (i.e., shear pins) for mechanical components
Procedural:
• Provide high and low torque alarms for mechanical devices

8 FLUID TRANSFER EQUIPMENT

8.1 INTRODUCTION

This chapter presents potential failure mechanisms for fluid transfer systems and suggests design alternatives for reducing the risks associated with such failures. The types of fluid transfer equipment covered in this chapter include:

• Blowers

• Pumps

• Compressors

This chapter presents only those failure modes that are unique to fluid transfer systems. Some of the generic failure scenarios pertaining to vessels may also be applicable to fluid transfer systems. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels. Unless specifically noted, the failure scenarios apply to more than one class of fluid transfer systems.

8.2 PAST INCIDENTS

This section provides several case histories of incidents involving failure of fluid transfer systems to reinforce the need for the safe design practices presented in this chapter.

8.2.1 Reciprocating Pump Leak

A high-pressure reciprocating pump, originally used for pumping heavy hydrocarbons, was put into service to pump propylene in an unventilated building. A leak occurred from the gland due to fatigue failure of the studs holding the gland in position. The escaping liquid vaporized and was ignited by a furnace 76 meters away. Four men were badly burned and the glass windows on the buildings were broken. The failure was attributed to the fact that plant management had not implemented effective management of change procedures. As a result of the deflagration, gas detectors and remote isolation capability were provided. Also, the pump was moved to an open building where small leaks would be dispersed by natural ventilation.

8.2.2 Pump Leak Fire

In November 1990 a fire occurred at a flammable liquid tank farm supporting Denver's Stapleton International Airport. Eight of the farm's twelve storage tanks contained jet fuel, totaling almost 4.2 million gallons. The fire burned for 55 hours, destroying seven tanks.

Investigators concluded that a damaged pump in a valve pit near the storage tanks may have caused the initial leak and also may have ignited the fuel. In addition, the investigators concluded that a pipe simultaneously cracked, thus releasing fuel into the fire area. The subsequent fire fed on the fuel collecting in the pit and spewing from the two leaks, and impinged on piping and related equipment in the valve pit. As this fire continued to burn, flange gaskets deteriorated, causing more leaks and allowing more fuel to flow out of the storage tanks. The growing fire encroached on two storage tanks adjacent to the valve pit. Approximately 12 hours into the incident, a friction coupling parted, allowing fuel from one storage tank to suddenly increase the fire size. The fire spread to an impounding area and involved two more fuel tanks.

The following changes to the tank farm site would have mitigated the outcome of this incident:

• Increased distance between the tanks and the pumping/valve area

• Increased tank-to-tank separation

• Installation of internal excess flow or fail-safe remotely operated valves for tanks at locations where piping connects

• Provisions for the removal of fuel in the event the storage tanks' primary discharge means becomes inoperable

• Simple and recognizable means for fire fighters to shut off fuel flow into the facility

• Increased structural support for piping

8.2.3 Compressor Fire and Explosion

An ethylene leak occurred in a high-pressure pipe joint in an enclosed, unventilated ground floor area underneath a compressor house. The escaping ethylene ignited and four men were killed. The source of ignition was never established with certainty, but may have been faulty or misapplied electrical equipment. The welding on the joint that leaked was also faulty.

After the incident, the following recommendations were made:

• Surround the compressors and associated equipment with a steam curtain to hinder leaks from reaching a source of ignition

• Install flammable gas detectors to detect leaks promptly

• Install remotely operated valves so that leaking compressors can be isolated and depressured from a safe distance

• Locate the compressors in an open-sided building so that small leaks can be dispersed by natural ventilation

8.2.4 Start-up of Parallel Centrifugal Pumps

Parallel high-head centrifugal pumps were used to transfer an organic acid stream approximately 1.5 miles from a distillation facility to another manufacturing unit in the same complex. Because both the distillation unit and the destination manufacturing unit had significant inventory capacity, switching from primary to spare pump was not automated since timing was not critical and short breaks in service were tolerable. After one such changeover, the pump taken off-line was not properly isolated and drained. Consequently, when the spare pump was started, the off-line pump immediately saw full discharge pressure on its seal, which caused the off-line pump seal to fail, spilling about 500 gallons of material into a contained area until the pump could be shut off.

Ed. Note: (1) Adding a check valve in the discharge line of each pump might have prevented the problem from occurring. (2) The seal should have been suitable for pump maximum discharge pressure.

8.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 8 presents information on equipment failure scenarios and associated design solutions specific to fluid transfer equipment. The table heading definitions are provided in Chapter 3, section 3.3.

8.4 DISCUSSION

8.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 8 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

8.4.2 Special Considerations

This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Deadheading (1)
Pump and compressor systems should be designed to minimize the probability of deadheading. Deadheading a pump may result in high temperature, high pressure, or both. This situation is especially dangerous if the fluid being transferred is shock sensitive, or prone to exothermic decomposition. Because deadheading of a positive displacement pump or compressor can lead to a buildup of very high pressures, a means must be provided to protect against overpressure.

Cavitation/Surging (8, 9)
Cavitation in pumps can cause severe damage to the pump impeller and seals, resulting in loss of containment. Cavitation problems usually can be avoided by designing the pump so that the net positive suction head (NPSH) requirement is met.

Compressor surge may lead to excessive vibration, high bearing temperatures, and extensive mechanical damage. This risk can be managed by providing automatic anti-surge systems and vibration monitoring systems.

Reverse Flow through Pumps/Compressors (10, 11)
There are various pump/compressor configurations that may result in the backflow of fluid through the machine. In a parallel configuration, where two or more machines discharge fluid to a common line, the fluid may backflow through the machine that is not in operation. Procedures for isolating standby machines help to prevent this problem. In addition, check valves placed on the discharge will reduce the probability of backflow through idle or tripped machines. Additional backflow protection via automatic isolation valves may be warranted in fouling service or where the consequence of backflow is severe (API RP 521 1990).

Loss of Containment—Seal Leaks (13)
Seal leaks are a major source of concern, especially when handling toxic or flammable materials. Centrifugal pumps with double mechanical seals, diaphragm pumps, and various types of sealless pumps may be used for highly hazardous duty. For a review of the advantages and disadvantages of various types of sealless pumps, refer to Newby and Forth 1991. Consideration should be given to eliminating pumps and compressors, and transferring fluid via gravity flow or differential pressure, where possible. See Grossel 1990 for more details.

8.5 REFERENCES

API RP 521 1990. Guide for Pressure Relieving and Depressuring Systems. Washington, DC: American Petroleum Institute.

Grossel, S. S. 1990. Highly Toxic Liquids—Moving Them Around the Plant. Part 1. Chemical Engineering, 97(4).

Newby, T. and Forth, D. 1991. Glandless Pumps and Valves—A Technical Update. The Institution of Chemical Engineers Symposium Series, 124. Institution of Chemical Engineers.

Suggested Additional Reading

Bloch, H. P., Cameron, J. A., James, Jr., R., Swearinger, J. S., and Weightman, M. E. 1982. Compressors and Expanders. New York: Marcel Dekker, Inc.

CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

Eierman, R. B. 1995. Improving Inherent Safety with Sealless Pumps. Proceedings of the 29th Annual Loss Prevention Symposium, July 31-August 2, 1995, Boston, MA, ed. E. D. Wixom and R. P. Benedetti, Paper 1e. New York: American Institute of Chemical Engineers.

Kletz, T. A. 1993. Lessons from Disaster. Houston, TX: Gulf Publishing Company.

Kletz, T. A. 1994. Learning from Accidents. Oxford: Butterworth-Heinemann Ltd.

Reynolds, J. A. 1989. Canned Motor and Magnetic Drive Pumps. Chemical Processing, no. 12.

TABLE 8. FAILURE SCENARIOS FOR FLUID TRANSFER EQUIPMENT

Columns: No.; Operational Deviations; Failure Scenarios; Potential Design Solutions (Inherently Safer/Passive, Active, Procedural)

No. 1 (T)
Operational Deviation: Overpressure
Failure Scenario: Failure of control or closure of downstream block valve, or failure to remove blind, or plugged outlet which deadheads pump/compressor resulting in possible overpressure and/or excessive temperature
Inherently Safer/Passive:
• Minimum flow recirculation line to ensure a minimum flow through the machine (flow controlled by orifice)
• Downstream piping specified to withstand deadhead pressure
Active:
• High temperature shutdown interlock
• High pressure shutdown interlock
• Low flow or power shutdown interlock
• Emergency relief device
• Minimum flow recirculation line (flow automatically controlled)
Procedural:
• Operator action in response to high temperature, pressure and/or low flow indication
• Procedural controls to avoid deadheading pump/compressor

No. 2
Operational Deviation: Overpressure
Failure Scenario: Pump/compressor used for higher than design density fluid service, especially during startup and upset conditions
Inherently Safer/Passive:
• Design for maximum expected pressure
Active:
• Emergency relief device
• Automatic pump/compressor shutdown on high discharge pressure detection
Procedural:
• Operator action in response to high pressure indication

No. 3
Operational Deviation: Overpressure (blower or compressor)
Failure Scenario: Leakage on suction side of blower/compressor pulls air into system creating a flammable atmosphere
Inherently Safer/Passive:
• Positive pressure throughout system
Active:
• Automatic oxygen monitoring interlocked to blower and/or isolation valves on high oxygen measurement
• Inerting or gas enrichment system
• Automatic pressure control which limits rate of oxygen infiltration or negative pressure
• Flame arresters
• Explosion suppression systems
Procedural:
• Leak test suction system prior to start-up

No. 4
Operational Deviation: Overpressure
Failure Scenario: Exothermic decomposition of pumped/compressed fluid (e.g., acetylene) leading to overpressure
Inherently Safer/Passive:
• Design casing to contain decomposition overpressure
• Limit individual stage compression ratio to avoid high temperature
• Eliminate dead legs and other stagnant regions
Active:
• High temperature/pressure shutdown interlock
• Emergency relief device
Procedural:
• Operator action in response to high temperature indication

No. 5
Operational Deviation: High Temperature (bearing)
Failure Scenario: Failure of lubrication system resulting in bearing failure due to overheating
Inherently Safer/Passive:
• Choice of materials and design to maximum temperature conditions
Active:
• High bearing temperature shutdown interlock
• Low lubrication pressure/level shutdown interlock
Procedural:
• Operator action in response to high temperature indication/alarm on lube oil reservoir
• Operator action in response to low pressure alarm on the discharge of lube-oil pump

No. 6
Operational Deviation: High Temperature (compressor)
Failure Scenario: Loss of upstream/interstage cooling resulting in high enough inlet temperature in subsequent stages of the compressor to cause compressor damage
Inherently Safer/Passive:
• Choice of materials and design to maximum temperature conditions
Active:
• High temperature shutdown interlock
• Low coolant flow shutdown interlock
Procedural:
• Operator action in response to high inlet temperature and/or low coolant flow indication/alarm

No. 7
Operational Deviation: High Temperature
Failure Scenario: Operation on total recycle without adequate cooling
Active:
• High temperature shutdown interlock
• Cooler in recycle loop
Procedural:
• Operator action in response to high temperature indication

No. 8 (T)
Operational Deviation: Low Flow (centrifugal pump)
Failure Scenario: Reduced flow to the inlet of a centrifugal pump causing cavitation, excessive vibration and damage to pump seal
Inherently Safer/Passive:
• Eliminate suction system restrictions
Active:
• Low flow shutdown interlock
• High vibration shutdown interlock
• Automatic recirculation from discharge to suction side on low flow alarm
Procedural:
• Operator action in response to low flow indication and/or high vibration

No. 9 (T)
Operational Deviation: Low Flow (centrifugal compressor)
Failure Scenario: Reduced flow through a centrifugal compressor causing surge leading to high vibrations and compressor damage
Inherently Safer/Passive:
• Use compressor design other than centrifugal
Active:
• Automatic anti-surge system
• Low flow shutdown interlock
• High vibration shutdown interlock

No. 10 (T)
Operational Deviation: Reverse Flow
Failure Scenario: High pressure on discharge side of pump/compressor causes backflow leading to seal failure and loss of containment
Inherently Safer/Passive:
• Use seal-less pumps
• Eliminate parallel machine
Active:
• Check valve placed at the discharge side
• Automatic isolation valve on discharge activated on machine trip or high pressure
• Emergency relief device
Procedural:
• Procedure for isolation of nonoperating parallel machine

No. 11 (T)
Operational Deviation: Reverse Flow (centrifugal compressor)
Failure Scenario: Backflow via recycle loop due to control system failure resulting in overpressure of low pressure stages and loss of containment
Inherently Safer/Passive:
• Design low pressure stages for higher pressure
Active:
• Check valve or automatic isolation valve to protect against backflow from downstream side
• Restriction to limit back flow
• Emergency relief valve for protection of low pressure stages sized for maximum backflow

No. 12
Operational Deviation: Overspeed (Compressor)
Failure Scenario: Compressor overspeed leading to equipment damage due to speed control system failure and loss of containment
Inherently Safer/Passive:
• Use solid versus built-up rotor
Active:
• High speed alarm and compressor overspeed shutdown system

No. 13 (T)
Operational Deviation: Loss of Containment
Failure Scenario: Particulate matter in pump feed leading to seal damage and loss of containment
Inherently Safer/Passive:
• Double or tandem seals
• Use pump design that can accommodate solids (e.g., diaphragm)
Active:
• Automatic pump trip on detection of loss of seal fluid
• Automatic back-flushing strainer
Procedural:
• Provide a strainer or filter in pump or compressor inlet with manual cleaning
• Provide seal leak detection system with alarm
• Provide remotely operated isolation valves at inlet and outlet with manual activation
• Periodic inspection of shaft seals

No. 14
Operational Deviation: Loss of Containment
Failure Scenario: Pump operated at a fraction of capacity resulting in excessive internal recirculation, frequent seal and bearing failure
Inherently Safer/Passive:
• Use a pump size matched to the service
• Minimum flow recirculation line to ensure a minimum flow through the pump (flow controlled by orifice)
Active:
• Minimum flow recirculation line (flow automatically controlled)
• Pump trip on minimum flow
Procedural:
• Procedural controls to avoid operating at too low a flow

No. 15
Operational Deviation: Loss of Containment
Failure Scenario: Improper shaft alignment causing bearing and/or mechanical seal problems leading to seal leakage or hot-spot, resulting in ignition
Inherently Safer/Passive:
• Alternative pump or compressor design without shaft alignment needs (e.g., diaphragm/piston)
Active:
• On-line vibration monitoring with automatic shutdown
Procedural:
• Operator action on alarm from axial displacement sensors
• Periodic audible/visual inspection of machine

No. 16
Operational Deviation: Wrong Composition/Phase (compressor)
Failure Scenario: Liquid in compressor suction leading to damage of compressor rotor
Inherently Safer/Passive:
• Use liquid-tolerant design (e.g., liquid ring compressor)
Active:
• Provide a Knock Out (KO) drum with automatic liquid removal and high level switch to trip the compressor
• Heat trace the line between the KO drum and the compressor
• On-line vibration monitoring with automatic shutdown
Procedural:
• Operator action in response to high level alarm in the KO drum

9 SOLID-FLUID SEPARATORS

9.1 INTRODUCTION

This chapter presents potential failure mechanisms for solid-fluid separators, and suggests design alternatives for reducing the risks associated with such failures. The types of equipment covered in this chapter include:

• Centrifuges
• Filters
• Dust collectors
• Cyclones
• Electrostatic precipitators

This chapter presents only those failure modes that are unique to solid-fluid separators. Some of the generic failure scenarios pertaining to vessels may also be applicable to solid-fluid separators. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels. Solid-fluid separation equipment is also often associated with dryers, and solids handling and processing equipment. Refer to Chapters 7 and 10 for information on these types of equipment. Unless specifically noted, the failure scenarios apply to more than one type of solid-fluid separator.

9.2 PAST INCIDENTS

This section presents several case histories involving fires and explosions (deflagrations) to reinforce the need for safe design and operating practices for solid-fluid separators.

9.2.1 Batch Centrifuge Explosion

A crystalline finished product was spinning in a batch centrifuge when an explosion occurred. The product had been cooled to -70°C before it was separated from a methanol/isopropanol mixture in the centrifuge. It was subsequently washed with isopropanol precooled to -90°C. The mixture was spinning for about 5 minutes when the explosion occurred in the centrifuge. The lid of the centrifuge was blown off by the force of the explosion. The overpressure shattered nearby glass pipelines and windows inside the process area (up to 20 meters away), but nearby plants were not damaged. As no operator was in the vicinity at the time of the explosion, no one was injured. No nitrogen inerting was used and enough time had elapsed to allow sufficient air to be drawn into the centrifuge to create a flammable atmosphere. Sufficient heat could also have been generated by friction to raise the temperature of the precooled solvent medium above its flash point. Because the Teflon® coating on the centrifuge basket had been worn away, ignition of the flammable mixture could also have been due to metal-to-metal contact between the basket and the bottom outlet chute of the centrifuge, leading to a friction spark. A static discharge might also have been responsible for the ignition. Since the incident, the company has required use of nitrogen inerting when centrifuging flammable liquids at all temperatures (Drogaris 1993).

Ed. Note: (1) Additional safety could be achieved by monitoring the oxygen concentration in conjunction with inerting. (2) The bottom outlet can also be sealed to minimize air entry.

9.2.2 Filter Explosion

In 1987 an industrial filter used in the purification of an electrolytic plating solution exploded at a printed wiring board manufacturing plant, rupturing the filter vessel. The process was shut down, and a team was formed to investigate the cause of the explosion.

A failure modes and effects analysis (FMEA) identified five possible mechanisms which might have caused the explosion. Based on the available physical evidence and limited analytical results, the team felt that the most likely reason that the filter ruptured was overpressure resulting from hydrogen peroxide decomposition. Hydrogen peroxide is used in the process to treat the spent plating solution. The team concluded that the probable causes of the incident were: (1) a valving error (by the operator) that allowed the peroxide-laden treating solution to be inadvertently pumped through the filter, (2) isolating (blocking in) the filter, and (3) having no means to purge hydrogen peroxide from the filter (Arendt and Lorenzo 1991).

9.2.3 Dust Collector Explosion

An explosion occurred in a dust collector used to collect a pharmaceutical product from a hammer mill/flash drying operation. The impact hammer mill had been operating for approximately 10 minutes when the operator heard unusual grinding sounds coming from inside the mill. He immediately shut down the mill just as an explosion occurred within the dust collector, located inside the building on the second floor.

The pressure wave caused the explosion vent (a hinged panel) of the dust collector to open, and the explosion products and unburned powder were directed outside the building via a vent duct. However, a screen had been securely fastened at the end of the duct to prevent birds from entering, and as the vent panel swung upward and outward, it struck the screen and opened no farther. It is estimated that the screen prevented the explosion vent panel from opening to more than 50 percent of capacity. With the vent partially obstructed, the access door to the collector failed under pressure and released a dust cloud into the building. The flame front followed the dust cloud through the vent and through the access door, resulting in a fireball at both locations. Also, on the first floor, a fireball was seen exiting the vicinity of the rotary valve outlet at the bottom of the dust collector, which feeds a sifter. There was no secondary explosion on the first or second floors. However, windows were blown out on both floors. The ensuing fire in the dust collector engulfed the wool filter bags (which were burned up) and the remaining powder in the collector hopper, but the fire was quickly extinguished by the automatic sprinkler system inside the dust collector.

A subsequent investigation of the incident revealed that a carbon steel bolt from the inside of the feeder (which feeds wet powder to the hammer mill/flash dryer) fell into the hammer mill. The bolt became trapped inside the 3600 RPM mill, where it heated to above the ignition temperature of the powder. The hot metal ignited some of the powder in the mill, which was pneumatically conveyed into the dust collector. In the collector, a dust cloud created by the blow ring (pulse jet) was ignited by the hot powder conveyed in from the hammer mill. An inspection of the feeder revealed that six 3/8-inch carbon steel bolts and nuts were missing.

Ed. Note: All nuts and bolts in rotating equipment should be tack-welded to prevent them from entering equipment and causing sparks.

9.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 9 presents information on equipment failure scenarios and associated design solutions specific to solid-fluid separators. The table heading definitions are provided in Chapter 3, section 3.3.

9.4 DISCUSSION

9.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 9 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

9.4.2 Special Considerations

Table 9 contains numerous design solutions derived from a variety of sources and actual situations. This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Dust Deflagrations due to Electrostatic Spark Discharge or Glowing Particles from Upstream Equipment (4)
Dust deflagrations can occur in cyclones and dust collectors because explosive dust clouds are readily formed inside these types of separators due to turbulence. Dust clouds are created continuously when dust collector bags are shaken or pulsed. Use of nitrogen, rather than air, as the pulsing gas when a combustible dust is being collected may be considered and is used by some companies. Because electrostatic charges are usually associated with powders that are pneumatically conveyed to solid-fluid separators, the separators must be adequately grounded and bonded. Glowing particles from a previous operation can act as an ignition source when they are transferred into a separator (see Section 9.2.3). Because of the great propensity for dust cloud formation in cyclones and dust collectors, they are usually protected either by deflagration venting or suppression systems (NFPA 68 1994; NFPA 69 1997).

If flammable dust clouds can also be formed in electrostatic precipitators by the rapping of the plates and electrodes, deflagration vents should be provided. Factory Mutual Engineering Corporation (FMEC) does not recommend the use of electrostatic precipitators when dry combustible dust concentrations in air may exceed the lower explosive limit, due to the possibility of ignition by arcing in the precipitator (FMEC 1991). Industrial Risk Insurers (IRI) recommends that an automatic fixed water spray system be provided for precipitators handling combustible materials. The system should provide a spray density of 0.25 gpm/ft² over the plates, oil baths (if any), and hoppers. Also, an automatic sprinkler system designed for a minimum density of 0.2 gpm/ft² should be installed in the ductwork to the precipitator, and collectors or hoppers ahead of the precipitator (IRI 1990).

9.5 REFERENCES

Arendt, J. S. and Lorenzo, D. K. 1991. Journal of Loss Prevention in the Process Industries, 4: 338-43, October 1991.

Drogaris, G. 1993. Major Accident Reporting System: Lessons Learned from Accidents Notified. Amsterdam: Elsevier Science Publishers, B.V.

FMEC (Factory Mutual Engineering Corporation) 1991. Dust Collectors. Loss Prevention Data Sheet 7-73. Norwood, MA: Factory Mutual Engineering Corporation.

IRI 1990. Electrostatic Precipitators. IRI Information Manual 9.3.2.1. Hartford, CT: Industrial Risk Insurers.

NFPA 68 1994. Guide for Venting of Deflagrations. Quincy, MA: National Fire Protection Association.

NFPA 69 1997. Explosion Prevention Systems. Quincy, MA: National Fire Protection Association.

Suggested Additional Reading

ASTM 1986. Industrial Dust Explosions. Symposium on Industrial Dust Explosions, June 10-13, 1986, Pittsburgh, PA.

IChemE 1992. Dust and Fume Control: A User Guide, 2d ed. London: Institution of Chemical Engineers.

TABLE 9. FAILURE SCENARIOS FOR SOLID-FLUID SEPARATORS

Columns: No.; Operational Deviations; Failure Scenarios; Potential Design Solutions (Inherently Safer/Passive, Active, Procedural)

No. 1
Operational Deviation: Overpressure (Centrifuges)
Failure Scenario: Ignition of flammable vapors in centrifuge by static electricity
Inherently Safer/Passive:
• Permanent grounding and bonding
• Use more electrically conductive wash liquid
• Use less volatile/flammable wash liquid
• Avoid use of nonconductive lined centrifuge
• Centrifuge design accommodating maximum expected pressure
• Use nonflammable or high flash point solvent
Active:
• Provide automatic inerting
• Provide low pressure or low flow sensor on nitrogen supply line with interlocks to shut down filter or centrifuge
• Deflagration venting
• Deflagration suppression
Procedural:
• Procedures for re-inerting prior to restart of a batch centrifuge
• Manual shutdown of batch centrifuge on detection of low inert gas pressure or flow
• Manual bonding and grounding for portable units

No. 2
Operational Deviation: Overpressure (Pressure filters)
Failure Scenario: Relief device plugged by filter cake particles negating adequate overpressure protection
Inherently Safer/Passive:
• Provide flow sweep fitting at inlet to relief device
• Filter design accommodating maximum expected pressure in place of relief device
Active:
• Provide rupture disk upstream of relief valve with appropriate rupture disk leak detection
• Automatic sweep of inlet to relief device with purge fluid
Procedural:
• Manual periodic flush of inlet to relief device with purge fluid

No. 3
Operational Deviation: Overpressure (Centrifuges)
Failure Scenario: Ignition of flammable vapors in centrifuge or major mechanical damage caused by mechanical friction, e.g., out-of-balance basket rubbing against housing or bottom chute
Inherently Safer/Passive:
• Elimination of flammable solvent
Active:
• Provide proximity/vibration sensor interlocked to shut down centrifuge
• Provide automatic inerting
• Provide low pressure or low flow sensor on inert gas supply with interlock to shut down centrifuge
• Deflagration venting
• Deflagration suppression
Procedural:
• Operator shut down of centrifuge on detection of excessive vibration

No. 4 (T)
Operational Deviation: Overpressure (Cyclones, dust collectors, and electrostatic precipitators)
Failure Scenario: Dust deflagration due to electrostatic spark discharge or glowing particles from upstream equipment
Inherently Safer/Passive:
• Permanent bonding and grounding
• Equipment design accommodating maximum expected pressure
• Use other type of separator (e.g., wet-type precipitator or scrubber)
• Use nitrogen as conveying gas
Active:
• Deflagration venting
• Deflagration suppression
• Automatic isolation of associated equipment via quick closing valves or chemical barrier (flame suppression)
• Automatic introduction of inert gas via on-line oxygen analyzer
Procedural:
• Manual introduction of inert gas on detection of high oxygen via on-line oxygen analyzer

No. 5
Operational Deviation: High Temperature (Cyclones, dust collectors, and electrostatic precipitators)
Failure Scenario: Fire caused by ignition of dust deposits on walls (tarry or sticky dust) or bags (Fire may initiate deflagration. See item 4)
Inherently Safer/Passive:
• Use fire-retardant filter bags or ceramic cartridges
• Use of other type of separator (e.g., wet-type precipitator or scrubber)
Active:
• Automatic fire suppression system activated by high temperature sensor
• Automatic inerting system
Procedural:
• Operator activation of fire suppression system in response to high temperature indication
• Periodic cleaning of accumulated flammable dust deposits

No. 6
Operational Deviation: High Temperature (Batch Filters)
Failure Scenario: Fire from pyrophoric filter cake exposed to air when filter is opened to remove cake
Inherently Safer/Passive:
• Use filter with cake removal by spinning plates and/or sluicing with liquid (filter does not have to be opened up)
Active:
• Automatic fixed water spray
Procedural:
• Procedures to ensure that filter cake is sufficiently flushed with water before filter is opened up
• Manual activation of fixed water spray

No. 7
Operational Deviation: Loss of Containment (Vacuum belt filter, vacuum pan filter, rotary vacuum filter)
Failure Scenario: Loss of vacuum on discharge resulting in excessive emission of toxic or flammable vapors
Inherently Safer/Passive:
• Use totally enclosed, vapor-tight filter
Active:
• Local exhaust ventilation connected to a control system (vent condenser, adsorber, scrubber or incinerator)
Procedural:
• Operator shuts down operation in response to vapor detection alarm

No. 8
Operational Deviation: Loss of Containment (Centrifuges)
Failure Scenario: Catastrophic bearing failure results in major equipment damage and possible process fluid leak/fire
Active:
• Interlock bearing temperature sensor to shut down the centrifuge at high temperature
• Automatic centrifuge shutdown on detection of lubricating oil low flow or pressure
• Automatic centrifuge shutdown on detection of excessive vibration
• External automatic fire suppression system
Procedural:
• Operator shut down of centrifuge on detection of high bearing temperature, or lubricating oil low flow or pressure
• Manual activation of external fire suppression system

No. 9
Operational Deviation: Loss of Containment (Batch Centrifuges)
Failure Scenario: Mechanical failure caused by basket imbalance and vibration due to improper loading
Inherently Safer/Passive:
• Use continuous centrifuge design
• Consider alternate solid-fluid separator designs
Active:
• Provide vibration sensor interlocked to shut down centrifuge
• Provide control system to admit feed at proper flow rate and appropriate time in acceleration period
Procedural:
• Operator control of feed rate to avoid imbalance of basket and vibration
• Operator shut down of centrifuge on detection of excessive vibration

No. 10
Operational Deviation: Loss of Containment (Centrifuges)
Failure Scenario: Mechanical failure due to centrifuge operating above the maximum design speed
Inherently Safer/Passive:
• Consider alternate solid-fluid separator designs
Active:
• Provide speed detector interlocked to shut down the centrifuge at overspeed point
Procedural:
• Operator shut down of centrifuge on detection of high speed

No. 11
Operational Deviation: Loss of Containment (Filter presses)
Failure Scenario: Spills or leaks of flammable or toxic liquids due to gasket failure
Inherently Safer/Passive:
• Use different type of filter or centrifuge with fewer gaskets
• Enclose filter in splash shield housing
• Locate filter in leak containment trough
• House filter in containment vessel
• Use higher integrity gaskets
Active:
• External automatic fire suppression system
Procedural:
• Pretest filter for leaks with water before feeding process slurry
• Procedures for testing compatibility of gasket material with process fluid
• Manual activation of external fire suppression system

No. 13
Operational Deviation: Loss of Containment (Clarifier and separator centrifuges, i.e., disc bowl, nozzle bowl, chamber bowl, desludger, opening bowl)
Failure Scenario: Mechanical failure due to loss of feed (running dry)
Inherently Safer/Passive:
• Use a design that is more tolerant to loss of feed (e.g., pusher type centrifuge)
Active:
• Provide adequate supply of wash liquid or water automatically as feed is reduced under emergency shutdown conditions
• External automatic fire suppression system
Procedural:
• Provide adequate supply of wash liquid or water manually as feed is reduced under emergency shutdown conditions
• Manual activation of external fire suppression system

10 SOLIDS HANDLING AND PROCESSING EQUIPMENT

10.1 INTRODUCTION

This chapter presents potential failure mechanisms for solids handling and processing equipment, and suggests design alternatives for reducing the risks associated with such failures. The types of equipment covered in this chapter include:

• Mechanical conveyors
• Pneumatic conveying systems
• Comminution equipment (mills, grinders, crushers)
• Sieving (screening) equipment
• Powder blenders (mixers)
• Solids feeders (rotary valves, screw feeders, etc.)
• Solids enlargement equipment (extruders, briquetters, etc.)
• Spray granulators and coaters

This chapter presents only those failure modes that are unique to solids handling and processing equipment. Some of the generic failure scenarios pertaining to vessels and solid-fluid separators may also be applicable to solids handling and processing equipment. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels, and Chapter 9, Solid-Fluid Separators. Unless specifically noted, the failure scenarios apply to more than one type of solids handling and processing equipment.

10.2 PAST INCIDENTS

Several case histories involving failures in solids handling and processing equipment are presented to reinforce the need for the safe design and operating practices presented in this chapter.

10.2.1 Silicon Grinder Fire and Explosion

A chemical plant which processed silicon-based chemicals experienced a fire and explosion in a grinder. Raw silicon was received in 1- or 2-inch lumps which had to be ground to a 200-mesh powder before being used in chemical processes. The air-conveyed silicon powder discharged from the grinder passed through a cyclone and then through a bag filter. An explosion and subsequent fire occurred in the system. The fire was extinguished within 15 minutes by a water hose stream. The system had explosion relief, but no sprinklers.

Investigation showed that this incident was caused by hot spot ignition resulting from grinder parts scraping against the inside of the unit. This mechanism was supported by observation of high current draw on the grinder motor before the incident. See item 2 in Table 10 for potential design solutions.

Ed. Note: This hazard could have been mitigated by monitoring current-draw and possibly interlocking current-draw with the motor or a deluge system.

10.2.2 Blowing Agent Blender Operation Explosion Incident

An explosion occurred in a 3.7 m³ Nautamixer (conical orbiting screw mixer) during the blending of azodicarbonamide (AC) with an aqueous solution of salts to produce an AC formulation. During the batch blending cycle, hot water (80°C) is circulated through the blender jacket for several hours, and the vacuum in the blender is released by purging with nitrogen.

The explosion caused the mixer vessel to rupture, and two large sections of the top were torn out completely and struck the floor above. The cone section was thrust downwards into the hopper below. There was extensive damage to the building, windows were broken up to 90 meters away by the pressure wave, and missiles were projected up to 120 meters away. The four people in the plant at the time of the explosion were shaken up, but uninjured, while there were a few cuts to people in the nearby buildings due to flying glass. The TNT-equivalence of the blast was estimated at 3.3 kg.

Subsequent experimental testing indicated that the explosion was caused by a decomposition which reached high rates due to a critical degree of confinement. The initiating source of the decomposition was not positively identified, but it was assumed that the heat was generated by mechanical friction due, for example, to the screw rubbing on the vessel wall. Another possibility is that a small metal item found its way into the vessel and became trapped between the screw and the wall (Whitmore et al. 1993). See item 5 in Table 10 for potential design solutions.

Ed. Note: A deflagration suppression system might have prevented the explosion.

10.2.3 Screw Conveyor Explosion

Three employees were killed, two seriously injured, and a factory building completely destroyed in an explosion involving skimmed milk powder. The milk powder was fed into a screw conveyor from a feed hopper and was then carried to a blender. A deformation occurred in the screw conveyor housing, causing parts of the screw flights to grind against the housing. The grinding produced sufficient frictional heat and sparks to ignite the dust-air cloud in the free space of the conveyor. The primary explosion burst the screw conveyor housing, dispersing a significant amount of additional dust into the air from the freshly filled feed hopper. A secondary explosion was then ignited by the flames of the primary explosion (Field 1982). See items 5, 8, and 12 in Table 10 for potential design solutions.

10.2.4 Bucket Elevator Explosion

A dust explosion in a sugar refinery caused two injuries and severely damaged the plant. A number of factors led to the explosion. The factory had been shut down for a 9-day period and the explosion occurred within two minutes of restarting the plant. Before the shutdown, all sugar dust had been removed from the pit of the elevator shaft, but during the shutdown sugar had accumulated in the pit via a leaking flap valve.

The bucket elevator ran through all 13 stories of the building, collecting sugar from ground level and transferring it to the appropriate processing equipment. On startup, the bucket elevator was under a load for which it was not designed. The strain caused a tensioning device to fail, the bucket chain slackened, and the elevator buckets ran out of alignment. The frictional heat produced by the rubbing metal surfaces was sufficient to ignite the sugar dust suspension in the elevator shaft (Field 1982). See item 4 in Table 10 for potential design solutions.

10.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 10 presents information on equipment failure scenarios and associated design solutions specific to solids handling and processing equipment. The table heading definitions are provided in Chapter 3, section 3.3.

10.4 DISCUSSION

10.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 10 in conjunction with the design basis methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

10.4.2 General Discussion

Fires and explosions (deflagrations) have the potential to occur in equipment that handles and processes combustible powders and bulk solids. These hazards can be minimized by the use of appropriate preventive measures, such as the following:

• Increasing the particle size of the powder raises the minimum ignition energy (MIE) and reduces the rate of pressure rise of a dust explosion.

• Using solid additives with large particle size and/or high MIEs.

• Using dense-phase pneumatic conveying in lieu of dilute-phase conveying reduces the attrition of the solids conveyed, reduces the static generation per unit mass, and may result in nonflammable mixtures in the transfer line.

• Using low-speed mills rather than higher-speed ones minimizes dust cloud formation and reduces the potential for high energy metal-to-metal contact.

• Using fluid energy mills in lieu of high-impact mills (e.g., hammer mills); nitrogen can be used as the milling gas rather than air, which in most cases will make the operation inherently safer.

• Using an ionizing spray to dissipate electrostatic charges where possible.

10.4.3 Special Considerations

Table 10 contains numerous design solutions derived from a variety of sources and actual situations. This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Dust Deflagration in Pneumatic Conveying Systems (1)

Dust deflagrations often occur in end-of-line equipment (e.g., silos, dust collectors, cyclones) of pneumatic conveying systems due to electrostatic sparks. The rubbing of particles against particles and against the walls of the pneumatic conveying line generates electrostatic charges on the powder, which are then discharged in the end-of-line equipment, where a dust cloud is often formed, and a dust explosion occurs. A number of preventive and protective measures are commonly used, such as using nitrogen in lieu of air as the conveying gas, using dense-phase conveying in lieu of dilute-phase conveying to minimize attrition of the powder, providing deflagration venting or suppression systems for the end-of-line equipment, and good grounding and bonding of the pipeline and equipment. Other measures that can be taken involve modification of the solids being conveyed, such as increasing the particle size (making pellets) or formulating the solids so that they are less friable. Also, it is important to isolate the pneumatic conveying line from end-of-line equipment by a quick-closing valve or suppressant barrier so that the flame front developed in the end-of-line equipment does not propagate backwards into the equipment upstream of the conveying system.

Static ignition mechanisms in recovery bins, silos, and related equipment are discussed by Eckhoff (1996). Recommended preventive and protective practices are described in BS 5958 (1991).

Dust Deflagration in Mills, Grinders, and Other Size Reduction Equipment (2)

Size reduction equipment, such as mills, grinders, and the like, creates turbulent dust clouds due to its operation, which can result in a dust explosion (deflagration) caused by mechanical energy (impact). This hazard can be minimized by using fluid energy mills in place of high-impact mills such as hammer mills. Fluid energy mills use a gas, such as air or nitrogen (an inherently safer fluid), to reduce the size of solids. Some types of mills are designed to contain a deflagration; these should be used whenever possible. Care must be taken to prevent the entry of tramp metal and other foreign materials into size reduction equipment. This can be accomplished by installing screens or magnetic separators upstream of size reduction equipment.

Dust Deflagration and Loss of Containment in Gyratory Screeners (3)

Dust explosions (deflagrations) have occurred in gyratory screeners (sieves) because dust clouds are readily formed due to the nature of the operation. Because of their vibratory motion, gyratory screeners are connected to process equipment by flexible sleeves (e.g., rubber socks or boots). If a deflagration occurs, the flexible sleeves could rupture, ejecting a burning dust cloud into the room or building, which then can cause a secondary explosion. To minimize this hazard, several things can be done:

• Install the gyratory screener in a room with an outside wall equipped with blow-out vent panels.

• Use a rotary screener, which does not vibrate, in lieu of a gyratory screener.

• Use nitrogen inerting where feasible.

All metal components, including the screening surfaces, should be bonded and grounded because of the vigorous motion of the powder in the screeners and the possible generation of static electricity. Consideration should be given to the use of conductive or anti-static flexible sleeves. Also, for dusts of low MIE, provision of anti-static footwear for operators is recommended (Palmer 1973; BS 5958 1991).

Leaky flexible sleeves can result in fugitive emissions from gyratory screeners. Leaks can be minimized, or even eliminated, by operating under a slight vacuum, with the screener connected to a dust collector (Palmer 1973).

Overpressure in Bucket Elevators and En-masse Conveyors (4)

Bucket elevators and en-masse conveyors contain belts or chains which can loosen and rub against the housing and cause impact sparks or frictional heating, which in turn may cause a dust explosion. Tramp metal that gets into en-masse conveyors can also cause frictional heating which can act as an energy source for an explosion. Sensors for hot material can be installed and interlocked with a water quench system to extinguish the hot solids. Also, it is very important to prevent the propagation of a dust explosion flame into the upstream and downstream equipment connected to conveying equipment. This can be accomplished by installing material "chokes" such as rotary valves or screw feeders at the inlet and outlet sides of conveyors. It has been found that material "chokes" (plugs of powder) quench the flame (Field 1982; Eckhoff 1996). Quick-closing valves and suppressant barriers can also be used to isolate upstream and downstream equipment from conveyors.

Fire Caused by Electrostatic Sparks Igniting Powder on a Belt Conveyor (10)

Powders being conveyed on a belt conveyor can be ignited by an electrostatic spark if the powder has a low MIE. The electrostatic spark can often be generated by the belt itself, and the use of belts of anti-static (conductive) materials can minimize this problem. Electrostatic charges can also be reduced by use of ionized air or inductive neutralizers, such as static combs and tinsel bars (NFPA 77 1993).

10.5 REFERENCES

British Standards Institute BS 5958 1991. Code of Practice for Control of Undesirable Static Electricity: Part 1, General Considerations, and Part 2, Recommendations for Particular Industrial Situations. London: British Standards Institute.

Eckhoff, R. K. 1996. Dust Explosions in the Process Industries, 2nd ed. Boston: Butterworth-Heinemann.

Field, P. 1982. Dust Explosions. New York: Elsevier Scientific Publishing Company.

NFPA 77 1993. Recommended Practice on Static Electricity. Quincy, MA: National Fire Protection Association.

Palmer, K. N. 1973. Dust Explosions and Fires. London: Chapman and Hall.

Whitmore, M. W., Gladwell, J. P., and Rutledge, P. V. 1993. Journal of Loss Prevention in the Process Industries 6:169-175.

Suggested Additional Reading

Grossel, S. S. 1988. Safety Considerations in Conveying Bulk Solids and Powders. Journal of Loss Prevention in the Process Industries 6:62-74.

TABLE 10. FAILURE SCENARIOS FOR SOLIDS HANDLING AND PROCESSING EQUIPMENT

Columns: No. | Operational Deviations | Failure Scenarios | Potential Design Solutions (Inherently Safer/Passive, Active, Procedural)

No. 1 (T)
Operational Deviation: Overpressure (pneumatic conveying system)
Failure Scenario: Dust deflagration in end-of-line equipment (silo, cyclone, dust collector) due to electrostatic spark discharge generated by pneumatic conveying
Inherently Safer/Passive:
• Permanent grounding and bonding via continuous metal piping
• Use of heavy wall piping and flanges in lieu of tubing and couplings so that system can withstand maximum expected deflagration pressure
• Use of nitrogen in lieu of air for conveying gas (closed loop system)
• Use dense phase conveying instead of dilute phase
• Convey solids as pellets instead of granules or powder. However, avoid transport of pellets containing easily ignitable fines fraction.
• Increase particle size
• Use nonfriable solids formulation (avoid fines)
• Use additives with high ignition energy
• Use of conductive rubber sleeves (boots and socks) when flexible connections are required
Active:
• Deflagration venting of end-of-line equipment
• Deflagration suppression in end-of-line equipment
• Quick-closing isolation valve at inlet to end-of-line equipment
• Deflagration suppression barrier in piping at inlet to end-of-line equipment
Procedural:
• Manual bonding across potential breaks in continuity such as nonconductive rubber socks

No. 2 (T)
Operational Deviation: Overpressure (mills, grinders and other size reduction equipment)
Failure Scenario: Dust deflagration due to mechanical energy or electrostatic spark
Inherently Safer/Passive:
• Permanent grounding of housing
• Equipment design accommodating maximum expected pressure
• Use of fluid energy mill with inert gas instead of air
• Use screens to remove tramp metals and other foreign materials
Active:
• Provide inerting
• Deflagration venting
• Water deluge system in mill
• Deflagration suppression in the mill
• Deflagration suppression/barrier in inlet/outlet piping
• Use magnets to remove tramp metals and other foreign materials
Procedural:
• Manual removal of tramp metals and other foreign materials
• Manual bonding and grounding
• Good housekeeping to reduce dust

No. 3 (T)
Operational Deviation: Overpressure and loss of containment (gyratory screener)
Failure Scenario: Dust deflagration causing rupture of flexible sleeves and subsequent secondary deflagration in building
Inherently Safer/Passive:
• Use of nongyratory (rotary) type of screener
• Permanent bonding and grounding
Active:
• Install gyratory screener in a separate room with blow-out walls (deflagration vents)
• Operate under vacuum to avoid escape of dusts into building
Procedural:
• Frequent routine inspection and scheduled replacement of sleeves
• Manual bonding and grounding
• Good housekeeping to reduce dust in building

No. 4 (T)
Operational Deviation: Overpressure (bucket elevators and en-masse conveyors)
Failure Scenario: Dust deflagration due to impact or frictional heating from slipping belts or chains with possible secondary deflagration in building
Inherently Safer/Passive:
• Use of outboard bearings to avoid potential source of ignition
• Equipment design accommodating maximum expected pressure for tubular en-masse conveyors
• Permanent grounding and bonding
• Convey solids as pellets instead of granules or powder
• Increase particle size
Active:
• Deflagration venting
• Deflagration suppression
• Provide chokes
• Provide negative pressure for bucket elevators installed inside buildings to minimize dust leakage
• Provide deflagration suppression/barrier at feed and discharge points
• Provide hot material detection and automatic quench system
• Provide inerting for small en-masse conveyors
Procedural:
• Manual grounding and bonding

No. 5
Operational Deviation: Overpressure (orbiting screw powder blender, fluid bed blender, or ribbon blender)
Failure Scenario: Dust deflagration due to electrostatic spark discharge or frictional heating (orbiting screw or ribbon rubbing against vessel wall)
Inherently Safer/Passive:
• Equipment design accommodating maximum expected pressure
• Permanent grounding and bonding
• Increase particle size
Active:
• Provide inerting
• Deflagration venting
• Deflagration suppression
• Provide an overload trip on the motor driving the orbiting screw
Procedural:
• Procedures to verify adequate purging of bottom bearing
• Manual grounding and bonding
• Procedures for periodic inspection and cleaning of combustible materials on walls
• Procedures to process most stable materials first when campaigning multiple products to avoid ignition of unstable materials

No. 6
Operational Deviation: Overpressure (spray granulators and coaters)
Failure Scenario: Deflagration and/or fires caused by use of flammable or combustible solvents
Inherently Safer/Passive:
• Permanent grounding and bonding
• Equipment design accommodating maximum expected pressure
• Eliminate use of flammable solvents (e.g., aqueous solvents)
• Use high flash point solvents
Active:
• Provide inerting
• Deflagration venting
• Deflagration suppression
• Deflagration barriers (quick-closing isolation valve or suppressant) in the path from granulator or coater to downstream equipment (dust collector, scrubber)
Procedural:
• Manual grounding and bonding

No. 7
Operational Deviation: Overpressure (extruder)
Failure Scenario: Blockage of die
Inherently Safer/Passive: none listed
Active:
• Provide emergency relief device
• Provide overload trip on motor
• Provide pressure measurement at die with interlock shutdown on high pressure
Procedural:
• Manual shutdown on motor overload
• Manual shutdown on detection of high pressure

No. 8
Operational Deviation: High temperature (screw conveyors or extruders)
Failure Scenario: Fire caused by jamming of conveyed material and frictional heating
Inherently Safer/Passive:
• Use other type of conveyor (e.g., vibratory conveyor)
• Use screens to remove tramp materials
Active:
• Provide an overload trip on the motor driving the screw
• Provide a temperature sensor in the conveyor trough/barrel automatically tripping the motor and/or activating a water deluge system or snuffing steam
• Use magnets to remove tramp ferrous metals
Procedural:
• Provide a temperature sensor in the conveyor trough/barrel with an alarm alerting the operator to activate deluge system or deluge steam
• Manual removal of tramp ferrous metals

No. 9
Operational Deviation: High temperature (belt conveyors)
Failure Scenario: Fire caused by overheating due to a jammed idler roller, or if the belt jams, as a result of drive rollers continuing to run
Inherently Safer/Passive:
• Provide "fire retardant" belts
• Use other type of conveyor (e.g., vibratory type)
• Use sealed roller bearings to minimize ingress of solids
Active:
• Provide automatic sprinklers or water spray protection interlocked to shut down the belt drive on sprinkler water flow initiation
• Provide belt velocity detection interlocked to shut down on low speed
Procedural:
• Operator activation of sprinklers or water spray
• Manual shutdown on detection of low speed

No. 10 (T)
Operational Deviation: High temperature (belt conveyors)
Failure Scenario: Fire caused by electrostatic sparks igniting powder on the belt
Inherently Safer/Passive:
• Provide belts of anti-static material
• Increase minimum ignition energy
• Provide passive static elimination device (e.g., tinsel bar)
Active:
• Provide automatic sprinklers or water spray protection interlocked to shut down the belt drive on sprinkler water flow initiation
• Provide ionizing blower to eliminate static charge
Procedural:
• Operator activation of sprinklers or water spray

No. 11
Operational Deviation: High temperature (rotary valves)
Failure Scenario: Fire caused by jamming and frictional heating
Inherently Safer/Passive:
• Design dust collector bag cages and filters to be properly secured to avoid falling into rotary valve
• Provide robust bar screen at rotary valve inlet
Active:
• Provide an overload trip on the motor driving the rotary valve
• Provide a temperature sensor in the valve body automatically tripping the motor and/or admitting quench water into the valve
Procedural:
• Provide a temperature sensor in the valve body with an alarm alerting the operator to trip motor and activate quench
• Ensure dust collector bags and cages are properly secured

No. 12
Operational Deviation: High temperature (screw conveyors)
Failure Scenario: Fire caused by shaft misalignment resulting in frictional heating due to the shaft rubbing against the trough
Inherently Safer/Passive:
• Provide outboard bearings to prevent failure due to solids contamination
• Use different type of conveyor (e.g., vibratory conveyor)
Active:
• Provide an overload trip on the motor driving the screw
• Provide temperature sensors (multipoint or line type) in the trough automatically tripping the motor and/or admitting quench water to the conveyor trough
Procedural:
• Provide temperature sensors in the trough with an alarm alerting the operator to trip motor and activate quench

No. 13
Operational Deviation: High temperature (extruders)
Failure Scenario: Fire caused by jamming and frictional heating
Inherently Safer/Passive: none listed
Active:
• Provide an overload trip on the motor driving the extruder screw
• Provide a temperature sensor in the extruder barrel (body) automatically tripping the motor
Procedural:
• Provide a temperature sensor in the extruder barrel (body) with an alarm to alert the operator to take action

No. 14
Operational Deviation: Loss of containment (bucket elevators, screw conveyors)
Failure Scenario: Emission of combustible and/or toxic dusts to the atmosphere or building
Inherently Safer/Passive:
• Provide "dust-tight" design
• Use other type of conveyor (e.g., en-masse conveyor)
Active:
• Provide negative pressure ventilation to contain and capture any emissions
Procedural:
• Periodic contamination testing of area

11 FIRED EQUIPMENT

11.1 INTRODUCTION

This chapter presents potential failure mechanisms for fired equipment and suggests design alternatives for reducing the risks associated with such failures. The types of fired equipment covered in this chapter include:

• Process furnaces

• Boilers

• Thermal incinerators

• Catalytic incinerators

This chapter presents only those failure modes that are unique to fired equipment. Some of the generic failure scenarios pertaining to vessels and heat transfer equipment may also be applicable to fired equipment. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels, and Chapter 6, Heat Transfer Equipment. Unless specifically noted, the failure scenarios apply to more than one class of fired equipment.

11.2 PAST INCIDENTS

This section describes several case histories of incidents involving failure of fired equipment to reinforce the need for the safe design practices presented in this chapter.

11.2.1 Light-Off Error

A safety shut-off valve on the gas supply to a burner remained open after the unit was shut down. There was no indicator to show whether the valve was open or closed. On start-up, the operator opened the main valve on the gas supply to the burner before lighting the pilot burner. When he tried to light the burner, an explosion occurred (MCA 1966).

11.2.2 Ethylene Cracking Furnace Overfiring

During operation of an ethylene unit, various light byproduct off gases were being collected and recycled to the fuel system. For start-up and any other condition during which plant-produced fuel gases could not meet demand for fuel in the cracking furnaces, C3 LPG was available for admission to the fuel system to satisfy demand.

Normally, the firing control system on the cracking furnaces utilized a Wobbe Index analyzer to adjust fuel rate based on heating value. However, for reasons unknown, the plant operators had disabled the Wobbe Index analyzer and had also disabled the coil outlet temperature cascade to the fuel gas firing valve pressure controller.

While operating the cracking heaters on light byproduct off gases with a low calorific value, a plant upset resulted in the trip of the cracked gas compressor. The heaters were maintained on-line with cracked gas routed to a flare. Subsequently, without forward flow of cracked gas to the downstream separation facilities, the production of plant-produced off gas diminished and LPG was automatically added to the fuel gas system. With the addition of LPG the heating value of the fuel gas increased significantly, which resulted in the overfiring of the heaters and major damage to the coil and associated supports.

Ed. Note: There appear to be both procedural and design flaws which contributed to this incident. First, disabling process controls which have an important bearing on process safety should not have been permitted. Operators should not have been able to disable the temperature cascade. If this capability were needed, this change should have been managed with appropriate permit procedures. Second, the provision of a heater emergency shutdown based on a measurement of coil outlet temperature independent from process controls would have been advantageous.

11.2.3 Furnace Tube Failure

A furnace was protected by a relief valve on the inlet line. The low flow alarm and trip were based on a flow measurement upstream of the relief valve. A blockage in the line exiting the furnace caused the relief valve to lift, which in turn caused the flow through the furnace tubes to drop sharply. As a result, the furnace tubes overheated and burst (Kletz 1994).

11.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 11 presents information on equipment failure scenarios and associated design solutions specific to fired equipment. The table heading definitions are provided in Chapter 3, section 3.3.

11.4 DISCUSSION

11.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 11 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

11.4.2 Special Considerations

This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Delayed Ignition (1)

The most common cause of explosions in furnaces and fired boilers is error during light-off. Repeated unsuccessful attempts to light the pilot or the burner can result in accumulation of a large amount of fuel in the furnace. When the attempt is finally successful, the accumulated flammable inventory ignites, resulting in an explosion. A leaky fuel valve may also result in fuel buildup in the furnace which, when ignited, can result in an explosion. Fuel may also build up in the furnace due to "flame-out." If proper purge procedures are not followed during the relighting step, the accumulated fuel may explode.

For more information on prevention of explosions in furnaces and fired equipment, refer to these National Fire Protection Association standards: NFPA 8501 1992, NFPA 8502 1995, and NFPA 86 1995.

Rapid Readmission of Air (3)

Adequate delivery of combustion air to fired heaters at all heat load conditions is essential for safe furnace operation. Firing without sufficient air will result in unburned fuel in the firebox with the potential for subsequent uncontrolled combustion. Firing controls should be configured so that air "leads" fuel on a firing demand increase and "lags" fuel on a firing demand decrease. However, even with a "lead-lag" system, rapid reduction in air availability due to the trip of a fan, for example, may result in insufficient air delivery.

To avoid the accumulation of unburned fuel and a possible positive pressure pulse in the firebox during rapid readmission of air, interlock shutdown via detection of a low air-to-fuel ratio may be warranted. If an automatic air restoration response strategy is used, such as auto-start of a spare fan, suitable system dynamic response analysis should be employed to ensure that sudden loss of air can be effectively managed.
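The "lead-lag" firing logic and the low air-to-fuel ratio trip described above, as an added example that is not from the guidelines or from any cited standard: a small Python simulation in which the air setpoint follows the higher of demand and measured fuel, the fuel setpoint follows the lower of demand and what the measured air can burn, and an independent ratio trip acts as the backstop when a fan loss is faster than the cross-limit can follow. The stoichiometric ratio, excess-air target, actuator rate limits and demand profile are constructed values, not plant data.

```python
"""Cross-limited ("lead-lag") firing demand logic with a low air/fuel ratio trip.

Added example (not from the CCPS guidelines): a discrete-time simulation of the
control scheme in 11.4.2 (3). All numbers are constructed, not plant data.
"""
from dataclasses import dataclass

STOICH_AIR_PER_FUEL = 10.0                # constructed: air flow per unit fuel at stoichiometry
EXCESS_AIR = 1.15                         # constructed: 15% excess air target
TARGET_RATIO = STOICH_AIR_PER_FUEL * EXCESS_AIR
TRIP_RATIO = 1.02 * STOICH_AIR_PER_FUEL   # constructed: trip below 102% of stoichiometric air
FUEL_RATE = 0.5   # constructed: fuel valve moves at most 0.5 flow units per step (fast)
AIR_RATE = 3.0    # constructed: fan/damper moves at most 3.0 flow units per step (slow vs. fuel)


@dataclass
class Furnace:
    fuel: float            # measured fuel flow
    air: float             # measured combustion air flow
    tripped: bool = False  # True once the fuel safety shutoff has acted

    def ratio(self) -> float:
        """Measured air-to-fuel ratio (infinite when no fuel is flowing)."""
        return float("inf") if self.fuel <= 0 else self.air / self.fuel


def cross_limited_setpoints(demand, fuel_meas, air_meas):
    """Cross-limiting selection of the fuel and air setpoints.

    Air follows the higher of demand and measured fuel: on a demand increase air
    rises first ("leads"); on a decrease it waits for fuel to fall ("lags").
    Fuel follows the lower of demand and what the measured air can burn: on an
    increase fuel waits for air; on a decrease it falls at once.
    """
    air_sp = max(demand, fuel_meas) * TARGET_RATIO
    fuel_sp = min(demand, air_meas / TARGET_RATIO)
    return fuel_sp, air_sp


def parallel_setpoints(demand, fuel_meas, air_meas):
    """Parallel positioning without cross-limits: both loops chase demand directly."""
    return demand, demand * TARGET_RATIO


def rate_limited(current, setpoint, limit):
    """Simple actuator model: move toward the setpoint by at most `limit` per step."""
    delta = setpoint - current
    if abs(delta) <= limit:
        return setpoint
    return current + (limit if delta > 0 else -limit)


def simulate(profile, setpoint_fn, fuel0=2.0):
    """Run one control step per (fuel_demand, air_capacity) pair in `profile`.

    air_capacity caps the air the fan can deliver; a fan trip appears as a sudden
    drop. Returns (lowest ratio seen, tripped, step at which the trip acted or
    None, final Furnace state).
    """
    f = Furnace(fuel=fuel0, air=fuel0 * TARGET_RATIO)
    min_ratio = f.ratio()
    for step, (demand, air_capacity) in enumerate(profile):
        fuel_sp, air_sp = setpoint_fn(demand, f.fuel, f.air)
        f.air = min(rate_limited(f.air, air_sp, AIR_RATE), air_capacity)
        f.fuel = rate_limited(f.fuel, fuel_sp, FUEL_RATE)
        min_ratio = min(min_ratio, f.ratio())
        # Independent protective function (not part of the firing controls):
        # a low air/fuel ratio closes the fuel safety shutoff valves.
        if f.ratio() < TRIP_RATIO:
            f.fuel = 0.0
            f.tripped = True
            return min_ratio, True, step, f
    return min_ratio, False, None, f


if __name__ == "__main__":
    step_up = [(5.0, 100.0)] * 20                    # demand step 2.0 -> 5.0 fuel units, ample air
    fan_loss = [(5.0, 100.0)] + [(5.0, 10.0)] * 5    # steady firing, then fan capacity collapses
    for name, fn in (("parallel", parallel_setpoints), ("cross-limited", cross_limited_setpoints)):
        mr, tripped, at, _ = simulate(step_up, fn)
        print(f"{name:14s} demand step: min ratio {mr:.2f}, tripped={tripped} at step {at}")
    mr, tripped, at, _ = simulate(fan_loss, cross_limited_setpoints, fuel0=5.0)
    print(f"cross-limited fan loss:    min ratio {mr:.2f}, tripped={tripped} at step {at}")
```

On the demand step the parallel scheme runs fuel-rich and trips while the cross-limited scheme never drops below the excess-air target; on the fan loss both the fast fuel valve and the one-step measurement lag leave the ratio trip as the only thing that isolates fuel.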

For additional information on fired equipment combustion controls, see Liptak (1985).

Tube Rupture (5)

Tube rupture is the second most common failure mode in fired equipment. Overheating tubes drastically reduces their useful life. A pressure vessel may be able to withstand several times its design pressure, but a furnace tube may only withstand a few percent increase in its absolute temperature (Kletz 1993).

Closure of Stack Damper (6)

Closure of the stack damper, or the loss of the induced draft fan, can lead to buildup of pressure inside the firebox. This may result in fire/gases coming out of the furnace and risk of personnel exposure and equipment damage. To prevent such a situation it is desirable to maintain an open flue-gas path by putting a minimum position stop on the damper. It may also be necessary to provide a spare induced draft fan or design the furnace to transfer to natural draft operation. If these alternatives are not available, the system should be shut down on detection of high firebox pressure.

11.5 REFERENCES

Kletz, T. A. 1993. Lessons from Disaster. Houston, TX: Gulf Publishing Company.

Kletz, T. A. 1994. Learning from Accidents. Oxford: Butterworth-Heinemann Ltd.

Liptak, B. G. 1985. Instrument Engineers' Handbook: Process Control. Radnor, PA: Chilton Books.

MCA 1966. Case Histories of Accidents in the Chemical Industry. MCA 1966 Vol. 2, Case History 1068.

NFPA 8501 1992. Standard for Single Burner Boiler Operation. Quincy, MA: National Fire Protection Association.

NFPA 8502 1995. Standard for the Prevention of Furnace Explosions/Implosions in Multiple Burner Boilers. Quincy, MA: National Fire Protection Association.

NFPA 86 1995. Standard for Ovens and Furnaces. Quincy, MA: National Fire Protection Association.

Suggested Additional Reading

Anderson, S. E., Dowell, A. M., and Mynaugh, J. B. 1992. Flashback From Waste Gas Incinerator into Air Supply Piping. Plant/Operations Progress 11(2), 85-88.

Desai, V. M. 1996. A Flare Deflagration Incident at Rohm and Haas. Process Safety Progress 15(3), 166-167.

CCPS 1993. Guidelines for Engineering Design for Process Safety. New York: Center for Chemical Process Safety, American Institute of Chemical Engineers.

Ghosh, H. 1992. Improve Your Fired Heaters. Chemical Engineering 99(3), 116-122.

IRI 1990. Boilers, Pressure Vessels and Piping. Information Manual 7. Hartford, CT: Industrial Risk Insurers.

Vervalin, C. H., ed. 1985. Fire Protection Manual for Hydrocarbon Processing Plants, Volume I. Houston, TX: Gulf Publishing Company.

Vervalin, C. H., ed. 1981. Fire Protection Manual for Hydrocarbon Processing Plants, Volume II. Houston, TX: Gulf Publishing Company.

TABLE 1 1. FAILURE SCENARIOS FOR FIRED EQUIPMENT

Procedural

• Lighting procedures whichensure that each ignition trial isof limited duration, and isfollowed by purge, if unsuccessful

• Ensure that all individual gascocks to burners are closed untillight-off

• Procedures/valving to ensure thatonly one burner is ignited at atime

• Provide individual burner cocksso that only one burner may belighted at a time to minimizepotential accumulation of fuelprior to light-off

• Lighting procedures to ensurepilots are lit and stable beforeadmission of burner fuel

Potential Design Solutions

Active

• Timed purge prior to light offwith interlocks to ensure that allfuel supply valves are closed

• Reliable fuel gas isolation (e.g.,double block and vent)

• Provide flame surveillance systemto prevent fuel admission until anignition source is present

• Provide interlocks to ensure thatfuel and combustion air controlsare in proper lighting offpositions, before the ignitionsequence can proceed

• Provide flame surveillance systemto prevent fuel admission until anignition source is present

Inherently Safer/Passive

• Provide continuouspilots for all burners

• Provide pilot burnerswith a separate fuel line

• Take pilot gas supplyfrom the upstream sideof the main shutoff valvefor all burners

Failure Scenarios

Deflagration infirebox due todelayed ignition onlight-off, fuel leak-age into the firebox,or insufficient fire-box purging

Failure to establishreliable pilot flamesbefore openingmain fuel supplyleading to explosion

OperationalDeviations

Overpressure(Firebox)

Overpressure(Firebox)

No.

1

(T)

2

• Procedures to limit fuel firing toair availability

• Procedures to control rate of airreadmission in response toinsufficient air flow

• Manual control of waste gasconcentration

• Manual temporary diversion ofwaste gas to alternative disposal

• Interlock fuel supply and airsupply so that loss of, orsignificant reduction in air willisolate the fuel supply

• Provide "lead-lag" firing controlsystem to avoid firing withoutsufficient air

• Provide automatic firesuppression system

• Provide deflagration ordetonation arresters asappropriate

• Deflagration venting

• Automatic control of waste gasconcentration

• Automatic temporary diversionof waste gas to alternativedisposal

• Use alternative waste gasdisposal method (e.g.,adsorbtion)

Rapid readmissionof air to correctinsufficient airsituation leading topositive fireboxpressure

Flashback intowaste gas supplymanifold toincinerator

Overpressure(Firebox)

Overpressure

3(T)

4

Procedural

• Burner adjustment to eliminateflame impingement

• Procedures to prevent excessivefiring rates

• Addition of inhibitors to reduceprocess coking rate

• Periodic decoking

• Operator remote isolation of coilinlet/outlet in response todetecting tube rupture onindication of stack temperatureincrease, loss of tube pressure orhigh fireboxpressure/temperature

• Procedures to prevent aciddewpoint corrosion

• Visual observation of coils forhot spots

• Tube wall temperature indicationand high alarm

• Manual activation of steam purgeof firebox to extinguish burningheavy oils

Potential Design Solutions

Active

• Automatic heater shutdown onhigh tube outlet temperature

• Automatic heater shutdown onlow process flow

Inherently Safer/Passive

• Enhanced tubemetallurgy

• Heavier wall thickness

• Indirect firing

• Elimination of liquid toburner by usingnoncondensing gas

• Use sulfur-free fuel

Failure Scenarios

Tube rupture dueto thermal shock,overfiring,corrosion/erosion,or high temperaturedue to flameimpingement orinternal tubefouling

OperationalDeviations

Overpressure

(Firebox)

No.

5(T)

No. 6(T)
Operational Deviation: Overpressure (Firebox)
Failure Scenario: Closure of flue gas damper or trip of induced draft fan
Inherently Safer/Passive solutions:
• Provide mechanical position stop to prevent complete closure of damper
• Design firebox for shutoff pressure of forced draft fan
• Use natural draft design to eliminate induced draft fan and/or damper
Active solutions:
• Automatic heater shutdown on closure of damper
• Automatic heater shutdown on trip of induced draft fan
• Automatic heater shutdown on high firebox pressure
Procedural solutions:
• Manual heater shutdown on indication of high firebox pressure

No. 7
Operational Deviation: Underpressure (Firebox)
Failure Scenario: Trip of forced draft fan in balanced draft system
Inherently Safer/Passive solutions:
• Design firebox for minimum pressure produced by induced draft fan
• Select alternative design without induced draft fan
Active solutions:
• Automatic heater shutdown on loss of forced draft fan
• Automatic transfer to natural draft operation

No. 8
Operational Deviation: High Temperature (Process side)
Failure Scenario: Process side fouling (e.g., coking of tubes) resulting in localized hot spots and tube rupture
Inherently Safer/Passive solutions:
• Enhanced tube metallurgy
• Heavier wall thickness
• Design heater for reduced heat fluxes
• Indirect firing
Active solutions:
• Continuous injection of additive to retard fouling
Procedural solutions:
• Visual observation of tube surface for hot spots
• Periodic decoking

No. 9
Operational Deviation: High Temperature (Firebox)
Failure Scenario: Firing with insufficient air resulting in afterburning in convection section and flue gas system
Active solutions:
• Provide "lead-lag" firing control system to avoid firing without sufficient air
• Automatic heater shutdown on low air flow and/or low air/fuel ratio
Procedural solutions:
• Procedures to limit fuel firing to air availability
• Procedures to take corrective action or shut down heater on indication of high flue gas temperature or low stack oxygen concentration

No. 10
Operational Deviation: High Temperature (Firebox)
Failure Scenario: High or low burner fuel gas pressure resulting in incomplete combustion and possible afterburning and flame impingement on tubes
Inherently Safer/Passive solutions:
• Use burners with wider turndown ratio
Active solutions:
• Automatic heater shutdown on low or high burner fuel pressure
Procedural solutions:
• Manual shutdown on low or high burner fuel pressure
• Manual shutdown on high flue gas temperature

No. 11
Operational Deviation: High Temperature (Firebox)
Failure Scenario: High or low burner liquid fuel pressure or low atomizing fluid differential pressure resulting in fuel burning on the heater hearth
Inherently Safer/Passive solutions:
• Use gaseous fuel
Active solutions:
• Automatic heater shutdown on low or high burner fuel pressure
• Automatic heater shutdown on low atomizing fluid differential pressure
Procedural solutions:
• Manual heater shutdown on low or high burner fuel pressure
• Manual heater shutdown on low atomizing fluid differential pressure
• Extinguishment with snuffing steam
• Visual inspection of firebox and manual adjustment of pressure

No. 12
Operational Deviation: Low Temperature (Incinerator)
Failure Scenario: Low flow of fuel gas, high excess air, or insufficient oxygen results in incomplete destruction of hazardous materials
Inherently Safer/Passive solutions:
• Alternate means of disposal of hazardous material
• Increased stack height to reduce ground level concentration of hazardous materials
• Selection of catalyst with a wider temperature range of activity
Active solutions:
• Automatic shutdown of incinerator on low fuel gas flow
• Automatic shutdown of incinerator on low combustion temperature
Procedural solutions:
• Manual shutdown of incinerator on low fuel gas flow
• Manual shutdown of incinerator on low combustion temperature
• Manual sampling of incinerator offgas for concentration of hazardous materials

No. 13
Operational Deviation: Low Flow (Process side)
Failure Scenario: Cessation of flow or flow maldistribution through individual heater passes results in high tube temperature and tube rupture
Inherently Safer/Passive solutions:
• Enhanced tube metallurgy
• Heavier wall thickness
• Orifices or Venturis to balance parallel tube passes
Active solutions:
• Automatic shutdown of heater on low process flow
• Automatic control of flow to individual heater passes
• Automatic shutdown of heater on high coil outlet temperature
• Automatic addition of cooling fluid to heater tubes
Procedural solutions:
• Manual shutdown of heater on low process flow or high tube outlet temperature
• Manual addition of cooling fluid to heater tubes

No. 14
Operational Deviation: Low Level (Boiler Drum)
Failure Scenario: Loss of boiler water level leading to tube overheating and rupture
Inherently Safer/Passive solutions:
• Design tubes in the convection section to operate "dry"
Active solutions:
• Automatic shutdown on high flue temperature
• Automatic boiler water level control
• Interlock to shut down firing on low drum level
• Interlock to shut down firing on low boiler feed water flow
Procedural solutions:
• Manual shutdown on high flue temperature

No. 15
Operational Deviation: Wrong Composition (Fuel Gas)
Failure Scenario: Rapid increase in fuel gas heating value leading to overfiring and tube rupture
Inherently Safer/Passive solutions:
• Use of dedicated constant heating value fuel gas
Active solutions:
• Automatic adjustment of firing on process outlet temperature and fuel heating value (on-line Btu analyzer)
• Automatic heater shutdown on high process outlet temperature or high firebox temperature
Procedural solutions:
• Manual shutdown of heater on high firebox temperature or high process outlet temperature

No. 16
Operational Deviation: Wrong Composition (Fuel)
Failure Scenario: High sulfur/vanadium/sodium in fuel
Inherently Safer/Passive solutions:
• Enhanced metallurgy at points of possible acid dew point corrosion
• Use of sulfur-, vanadium- or sodium-free fuel source
Procedural solutions:
• Periodic analysis of fuel for sulfur, vanadium and/or sodium

No. 17
Operational Deviation: Wrong Composition (Catalytic Incinerator)
Failure Scenario: Introduction of liquid onto hot catalyst bed resulting in high temperature or fire
Inherently Safer/Passive solutions:
• Alternative incinerator design
Active solutions:
• Liquid knock-out drum with automatic liquid removal
• Heat tracing of feed system
• Feed preheating to vaporize any entrained liquid
• Automatic shutdown of incinerator on high offgas temperature
Procedural solutions:
• Liquid knock-out (KO) drum with manual liquid removal
• Manual shutdown of incinerator on high offgas temperature

No. 18
Operational Deviation: Wrong Composition
Failure Scenario: Introduction of liquid (flammable or nonflammable) into firebox via fuel system resulting in loss of flame and possible explosion on reignition
Active solutions:
• Liquid knock-out drum with automatic liquid removal
• Heat tracing of fuel gas system
Procedural solutions:
• Liquid knock-out (KO) drum with manual liquid removal

No. 19
Operational Deviation: Wrong Composition (Process side)
Failure Scenario: Introduction of liquid to gas heater resulting in thermal shock and tube failure
Inherently Safer/Passive solutions:
• Eliminate piping cross-connections upstream of heater which could inadvertently admit liquid
Active solutions:
• Liquid knock-out drum with automatic liquid removal
Procedural solutions:
• Liquid knock-out (KO) drum with manual liquid removal

12 PIPING AND PIPING COMPONENTS

12.1 INTRODUCTION

This chapter presents potential failure mechanisms for piping and piping components and suggests design alternatives for reducing the risks associated with such failures. The types of piping and piping components covered in this chapter include:

• Piping (metallic, nonmetallic, lined, jacketed, double walled)
• Components (flanges, expansion joints, gaskets, bolts, etc.)

This chapter presents only those failure modes that are unique to piping and piping components. Some of the generic failure scenarios pertaining to vessels may also be applicable to piping and piping components. Consequently, this chapter should be used in conjunction with Chapter 3, Vessels. Unless specifically noted, the failure scenarios apply to more than one class of piping and piping components.

12.2 PAST INCIDENTS

This section describes several case histories of incidents involving failure of piping and piping components to reinforce the need for the safe design practices presented in this chapter.

12.2.1 Flixborough Expansion Joint Failure

The explosion in the Nypro Ltd. factory in Flixborough, U.K., which killed 28 people and destroyed the plant, resulted from catastrophic failure of bellows expansion joints. The plant had six reactors in series. The liquid flowed by gravity from one reactor to the next through short 28-inch diameter connecting pipes. To account for expansion, each connecting pipe contained a bellows expansion joint. When one of the reactors (Reactor 5) developed a crack and had to be removed, it was replaced by a temporary 20-inch diameter pipe, which had two bends in it to account for the difference in height of Reactor 4 and Reactor 6. The existing 28-inch bellows were left in position at each end of the pipe.

The temporary connection performed satisfactorily until pressure rose above the normal level, causing the temporary pipe to twist since it was not properly supported. The bending moment was enough to shear the bellows. A large quantity of cyclohexane from the reactors was released to the atmosphere. The ignition, which happened about one minute after the release, resulted in a large vapor cloud explosion (Kletz 1994).

12.2.2 Chemical Storage Terminal Fire

Following the Coode Island accident (State Coroner 1994), in which a series of explosions was initiated following flame transmission through a complex tank vent collection header system, the first explosion, which occurred in Tank 80 containing acrylonitrile, was blamed on a PV (pressure-vacuum or conservation) vent whose pressure pallet had been removed and not replaced during maintenance. Whatever the actual cause, the ignition was attributed to "St. Elmo's Fire" (corona-type static discharge) caused by atmospheric electricity, which was supposed to have ignited acrylonitrile vapor emanating from the PV vent body, which was not gas tight. According to the State Coroner's official 1994 report into the Coode Island incident, all the tanks that exploded belonged to the same zone as Tank 80 and communicated with each other via the vapor recovery ductwork. Forensic examination found evidence of light charring or sooting consistent with a fast flame passing through the ductwork. The coroner believed that there were flammable vapors in the ductwork because plant power was cut off at an early stage and the vapor extraction fan ceased operating; heat from the fire caused tanks to exhale into the ductwork and at the same time provided a flame path into the tanks. The interconnected ducts caused the rapid spread of the fire.

A significant feature of the PV vent on this acrylonitrile tank was that its outbreathing was connected to the vapor collection header, which contained a downstream blower. It should be understood that the principle of PV vent operation is that it is designed to prevent flashback into the tank by maintaining some minimum gas velocity through a narrow gap controlled by the pressure pallet. The design gas velocity through these narrow PV vent gaps results from testing (Johnson 1983) and long experience using petroleum gases; it is however far from clear what work, if any, has ever been done with faster burning gases. For example, a PV vent on a waste tank which can generate hydrogen is unlikely to prevent flashback to the tank.

If the vent outlet is connected to any significant length of pipe and ignition occurs at the end of this pipe, the flame running back to the PV vent will accelerate to high speed and possibly even detonate. The gas velocity in the PV vent narrow gap will likely not prevent passage of this flame into the tank. In 1983 Mancini (Johnson 1983) cautioned that this phenomenon might occur, and recent unpublished work appears to confirm it. Note that these conditions existed at Coode Island and might also apply where spill pipes are used in conjunction with PV vents to direct liquid overflow to a diked area.

Where it is required to reduce atmospheric emissions via PV vents while retaining the in-breathing capability of the devices, additional vents opening at a slightly lower positive tank pressure can be connected to a collection system. These vent lines can safely be equipped with detonation arresters, since if the arrester becomes blocked the tank will not be sucked in while the PV vent remains in service. See item 53 in Table 3 for potential design solutions.

12.2.3 Line Pluggage

A line that had been used to blow down wet hydrocarbon formed an ice-hydrate plug, blocking the 18-inch blowdown line. As a result of external steaming, the plug loosened and the pressure above it caused it to move with such force that it ruptured the line at a tee (Kletz 1994).

12.2.4 External Corrosion

A valve in a 10-inch liquefied butane line was located in a pit. The pit accumulated rainwater contaminated by sulfuric acid from a leaking line nearby. The bolts on the valve bonnet corroded and gave way, resulting in a massive butane release. The ensuing explosion killed seven people and caused extensive damage (Kletz 1994).

12.3 FAILURE SCENARIOS AND DESIGN SOLUTIONS

Table 12 presents information on equipment failure scenarios and associated design solutions specific to piping and piping components. The table heading definitions are provided in Chapter 3, Section 3.3.

12.4 DISCUSSION

12.4.1 Use of Potential Design Solutions Table

To arrive at the optimal design solution for a given application, use Table 12 in conjunction with the design basis selection methodology presented in Chapter 2. Use of the design solutions presented in the table should be combined with sound engineering judgment and consideration of all relevant factors.

12.4.2 Special Considerations

This section contains additional information on selected design solutions. The information is organized and cross-referenced by the Operational Deviation Number in the table.

Blockage of the Relief Path (5, 6)

Process systems that can be overpressured must never be isolated from adequate overpressure protection. The inherently safer design alternative to providing individual isolation valves at the inlet/outlet points of safety relief devices is to provide a parallel relief path. A parallel relief path uses redundant safety relief devices and a three-way valve, thus ensuring that one relief path is always open. Note that flame arresters located in the relief path may also be a source of blockage, particularly if the process fluid is fouling, or can solidify or polymerize.

Deflagration to Detonation Transition in Pipe Lines (7)

Pipelines containing flammable mixtures, either normally or under upset conditions, may need to be equipped with devices to limit the consequences of an ignition. Where pipelines connect large items of process or storage equipment together, it is most important to prevent flame spread via the connecting pipe. The deflagration flame initially produced by an ignition source generally increases in speed as it travels through a pipeline; flame acceleration is enhanced by turbulence promoters such as tees, elbows, and other flow restrictions. After some distance of travel, deflagration-to-detonation transition (DDT) may occur. This is marked by a sudden increase in flame speed and pressure. As flame speed increases it becomes more difficult to arrest flames; for fast flames and detonations, special flame arresting devices are required. The overall mitigation strategy is highly dependent on the circumstances and should be considered at the earliest possible design stage.

Avoidance of flammable mixtures by design and control is an inherently safer option, often used in conjunction with flame arresting devices. Flammable mixture control is usually achieved by operating below the limiting oxygen concentration (LOC) or the lower flammability limit (LFL) as described in NFPA 69. Operation above the upper flammability limit (UFL) using an enrichment gas such as methane can offer advantages in some situations, such as vapor control systems. Operation below the LFL might be the safest of these strategies where air could leak into a system (for example, at a blower intake), increasing the oxygen concentration. It is important to consider the effects of start-up, shut-down and credible upset conditions during which flammable mixtures are produced. If flammable operation cannot be discounted, flame arresting devices should be incorporated (Britton 1996).
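As an added illustration of the mixture-control strategies in the preceding paragraph (this script is not part of the original text), the Python code below screens a vent header composition against the three regimes the paragraph names: below the LOC, below the LFL, or above the UFL after methane enrichment. It applies Le Chatelier's mixing rule to the fuel components and compares the oxygen content with the lowest limiting oxygen concentration of any fuel present. The flammability limits and LOC values in the script are rounded illustrative figures, the stream compositions are constructed for the example, and the function names are this example's own; a design would use tested limits for the actual mixture and conditions.

```python
"""Screening check for flammable-mixture control strategies (added example)."""

# Illustrative flammability limits, vol% fuel in air at ambient conditions,
# and limiting oxygen concentration with nitrogen diluent, vol% O2.
# Rounded values constructed for this example; use tested data in practice.
LIMITS = {          # gas: (LFL, UFL)
    "methane":  (5.0, 15.0),
    "propane":  (2.1, 9.5),
    "hydrogen": (4.0, 75.0),
}
LOC_N2 = {"methane": 12.0, "propane": 11.5, "hydrogen": 5.0}

O2_IN_AIR = 20.95   # vol% oxygen in dry air


def le_chatelier(fuels: dict[str, float], upper: bool = False) -> float:
    """Flammability limit of a fuel blend by Le Chatelier's rule.

    fuels maps fuel name -> vol% of that fuel in the total gas stream.
    Returns the LFL (or UFL if upper=True) of the blend, expressed as vol%
    total fuel in the stream, i.e. the value to compare sum(fuels) against.
    """
    idx = 1 if upper else 0
    total = sum(fuels.values())
    # 1 / sum(x_i / L_i), with x_i the fraction of fuel i within the fuel blend
    return total / sum(y / LIMITS[gas][idx] for gas, y in fuels.items())


def o2_with_air_balance(fuels: dict[str, float], inert_pct: float = 0.0) -> float:
    """Oxygen vol% when the balance of the stream (after fuel and any added
    inert) is air."""
    return (100.0 - sum(fuels.values()) - inert_pct) * O2_IN_AIR / 100.0


def classify(fuels: dict[str, float], o2_pct: float) -> str:
    """Return the non-flammable regime the stream is in, or 'FLAMMABLE'.

    The LOC test is the one that applies to inerted streams. The LFL/UFL
    tests use fuel-in-air limits; adding inert narrows the true range, so a
    stream they flag as flammable may in fact be outside it, but a stream
    they pass is not made flammable by the inert (the screen errs toward
    flagging, never toward clearing).
    """
    fuel_total = sum(fuels.values())
    loc = min(LOC_N2[gas] for gas in fuels)      # most demanding fuel governs
    if o2_pct < loc:
        return "below LOC"
    if fuel_total < le_chatelier(fuels):
        return "below LFL"
    if fuel_total > le_chatelier(fuels, upper=True):
        return "above UFL"
    return "FLAMMABLE"


def vent_header_cases() -> dict[str, str]:
    """Constructed vent-header compositions illustrating the three strategies
    and the air in-leak upset the text warns about."""
    dilute = {"propane": 2.0, "methane": 1.0}
    enriched = {"propane": 2.0, "methane": 20.0}     # methane enrichment gas added
    return {
        "dilute vapour in air":        classify(dilute, o2_with_air_balance(dilute)),
        "methane-enriched header":     classify(enriched, o2_with_air_balance(enriched)),
        "nitrogen-inerted header":     classify(dilute, o2_with_air_balance(dilute, inert_pct=60.0)),
        "inerted header, air in-leak": classify(dilute, 14.0),   # O2 crept back above the LOC
    }


if __name__ == "__main__":
    for case, verdict in vent_header_cases().items():
        print(f"{case:30s} {verdict}")
```

The last case reproduces the upset the paragraph warns about: a nitrogen-inerted header is safe only while oxygen stays below the LOC, so an air in-leak at a blower intake returns it to the flammable region, whereas the same vapor held below the LFL would not be affected. The enriched case shows why methane enrichment of a vapor control header works: the blend's UFL falls as the methane fraction rises, and the total fuel content passes above it.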

Devices for gas systems include liquid seals, deflagration arresters, detonation arresters, suppression systems and fast-acting valves. The first three are the most common. Deflagration flame arresters can only be used under specific circumstances, such as at the end of an atmospheric vent line, where DDT on the unprotected side cannot occur. Flame arresters situated in-line must generally be detonation arrester types certified for the actual conditions of use. These devices have pros and cons in terms of installation cost, effectiveness (e.g., risk of failure under upset conditions) and operability (e.g., back pressure, instrumentation and maintenance needs) which should be considered before the process design is finalized.

Powder (dust) systems cannot be equipped with liquid seals or deflagration/detonation flame arresters. Options include inert operation (typically closed loop nitrogen conveying) and active devices such as suppression systems and fast-acting valves. The response speed of these devices must be designed in accordance with the deflagration index (Kst) of the powder (an experimental quantity depending on powder composition and particle size), and the size and geometry of the equipment. There must be sufficient time for a flame to be detected and the arresting device to function before the flame arrives at vulnerable "protected" equipment such as a bin. Large items of equipment containing powders (e.g., bins) are often equipped with deflagration vents and rotary valves as additional protective measures (NFPA 68 and 69). Active devices for powders are described in the Guidelines for Engineering Design for Process Safety (CCPS 1993) and Howard 1991. Depending upon peak deflagration pressure, equipment design for pressure containment might be a preferable alternative.

Loss of Containment (15)

Piping and piping components are the most common single sources of flammable and toxic materials release. The Institution of Chemical Engineers reports that 40% of losses are due to pipework failure (IChemE 1987). Several codes have been established for the design of piping and piping components (CCPS 1993). To reduce the probability of releases, minimize the use of fittings on lines and glass rotameters, and eliminate gauges when practical. For hazardous service, minimize flanges by welding pipes together and do not use threaded fittings. Where flanges are required for maintenance and inspection, proper selection of flanges and gaskets can reduce the risk of leaks.

Thermal Stresses (18)

Careful attention must be paid to pipe support and flexibility to account for thermal expansion. Designs must address expansion or contraction due to thermal stresses, and also take into account requirements for steam purging, hydrotesting, startup, shutdown, cyclic conditions, etc. Piping flexibility must be provided by the proper design of anchors, supports, and expansion bends. Keep in mind that expansion bends themselves are prone to erosion and cracking.

12.5 REFERENCES

Britton, L. G. 1996. Operating Atmospheric Vent Collection Headers Using Methane Gas Enrichment. Process Safety Progress, 15(4).

CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

Howard, W. B. 1991. Use Precaution in Selection, Installation and Operation of Flame Arresters. Chemical Engineering Progress, April.

IChemE 1987. Hazard Workshop Module 012, Safer Piping, Volume I. Rugby, Warwickshire, U.K.: The Institution of Chemical Engineers.

Johnson, O. W. 1983. An Oil Industry Viewpoint on Flame Arresters in Pipe Lines. Plant/Operations Progress, 2(2).

Kletz, T. A. 1994. Learning from Accidents. Oxford: Butterworth-Heinemann Ltd.

NFPA 68 1994. Guide for Venting of Deflagrations. Quincy, MA: National Fire Protection Association.

NFPA 69 1997. Explosion Prevention Systems. Quincy, MA: National Fire Protection Association.

State Coroner 1994. Inquest into Fire at Coode Island on August 21 and 22, 1991, Finding, Case No. 2755/91, June 17, 1994. Victoria, Australia: State Coroner.

Suggested Additional Reading

API Publ 2028 1991. Flame Arresters in Piping Systems, 2nd Ed. Washington, DC: American Petroleum Institute.

API Publ 2210 1982. Flame Arresters for Vents of Tanks Storing Petroleum Products, 2nd Ed. Washington, DC: American Petroleum Institute.

BS 7244 1990. Flame Arresters for General Use. London: British Standards Institute.

Blything, K. W., and Parry, S. T. 1988. Pipework Failures—A Review of Historical Incidents. Warrington, U.K.: United Kingdom Atomic Energy Authority Safety and Reliability Directorate.

Bjorklund, R. A., Kushida, R. O., and Flessner, M. F. 1982. Experimental Evaluation of Flashback Flame Arresters. Plant/Operations Progress, 1(4).

Broschka, G. L., Ginsburgh, I., Mancini, R. A., and Will, R. G. 1983. A Study of Flame Arresters in Piping Systems. Plant/Operations Progress, 2(1).

Bush, S. H. 1988. Statistics of Pressure Vessel and Piping Failures. Journal of Pressure Vessel Technology, 110, 225-233, August 1988.

CSA-Z343 1991. Test Methods for In-Line and Firebox Flame Arresters, Draft Standards Revision Number 9. Canadian Standards Association.

Coast Guard 1990. A Guideline for Detonation Flame Arresters, 33 CFR Part 154, Appendix A. United States Coast Guard: US Department of Transportation.

Coast Guard 1990. Specifications for Tank Vent Flame Arresters, 33 CFR Part 154, Appendix A. United States Coast Guard: US Department of Transportation.

FMRC Class 6061. Flame Arresters for Vent Pipes of Storage Tanks. Norwood, MA: Factory Mutual Research Corporation.

FMRC Class 7371 1992. Test Procedures for Detonation Flame Arresters. Norwood, MA: Factory Mutual Research Corporation.

Flessner, M. F., and Bjorklund, R. A. 1981. Control of Gas Detonations in Pipes. Loss Prevention Manual, Vol. 14. New York: American Institute of Chemical Engineers.

Geyer, T. A. W., Bellamy, L. J., Astley, J. A., and Hurst, N. W. 1990. Prevent Pipe Failures Due to Human Errors. Chemical Engineering Progress, November, 66-70.

Hurst, N. W., Bellamy, L. J., Geyer, T. A. W., and Astley, J. A. 1991. A Classification Scheme for Pipework Failures to Include Human and Socio-technical Errors and Their Contribution to Pipework Failure Frequencies. Journal of Hazardous Materials, 26, 159-186.

IMO. Revised Standards for the Design, Testing and Locating of Devices to Prevent the Passage of Flame into Cargo Tanks in Tankers, MSC Circ. 373 Rev. 1. International Maritime Organization.

Kletz, T. A. 1993. Lessons from Disaster. Houston, TX: Gulf Publishing Company.

Roussakis, N., and Lapp, K. 1991. A Comprehensive Test Method for Inline Flame Arresters. Plant/Operations Progress, 10(2).

UL 525 1991. Standard for Flame Arresters, Draft Proposal for Sixth Edition. Underwriters Laboratories.

TABLE 12. FAILURE SCENARIOS FOR PIPING AND PIPING COMPONENTS

No. 1
Operational Deviation: Overpressure
Failure Scenario: Blockage of piping, valves or flame arresters due to solid deposition
Inherently Safer/Passive solutions:
• Size piping system to maintain minimum required velocity to avoid deposition
• Piping designed for maximum expected pressure
• Eliminate flame arrester
Active solutions:
• Emergency relief device
• Removal of solids from process stream (KO pot, filter, etc.) with automatic blowdown of solids
• Tracing of piping to minimize solid deposition
Procedural solutions:
• Removal of solids from process stream (KO pot, filter, etc.) with manual blowdown of solids
• Periodic manual system cleaning
• Operator response to high pressure alarm
• Periodic cleaning via flushing, blowdown, internal line cleaning devices (e.g., "pigs")
• Use parallel switchable flame arresters

No. 2
Operational Deviation: Overpressure
Failure Scenario: Valve in line rapidly closed resulting in liquid hammer and pipe rupture
Inherently Safer/Passive solutions:
• Limit closing rate for motor operated valves via appropriate gear ratio
• Limit closing rate for pneumatic actuator via restriction orifice in air line
• Use slow closing manual valves (i.e., gate instead of quarter turn)
Active solutions:
• Provide surge arrester
Procedural solutions:
• Operating procedures to close valves slowly

No. 3
Operational Deviation: Overpressure
Failure Scenario: Thermal expansion of liquid in blocked-in line leading to line rupture
Inherently Safer/Passive solutions:
• Elimination of potential for blocking in by removing valves and other closures (e.g., blinds)
• Drill small hole in valve gate to allow pressure equalization
Active solutions:
• Pressure relief device
• Expansion tank
Procedural solutions:
• Procedures for draining of all blocked-in lines during shutdown

No. 4
Operational Deviation: Overpressure
Failure Scenario: Automatic control valve opens inadvertently leading to high pressure downstream of the valve
Inherently Safer/Passive solutions:
• Design all downstream piping and equipment to handle full upstream pressure
• Provide limit stop to prevent control valve from opening fully, or a restriction orifice
Active solutions:
• Pressure relief device to protect downstream piping

No. 5(T)
Operational Deviation: Overpressure
Failure Scenario: Block valve upstream or downstream of relief device accidentally closed resulting in loss of relief capability
Inherently Safer/Passive solutions:
• Eliminate all block valves in relief path
• Provide trans-flow three-way block valve at inlet of dual relief device installation
Procedural solutions:
• Car-seal open or lock open all block valves upstream and downstream of relief valves per applicable codes, and provide administrative procedures to regulate opening and closing of such valves

No. 6(T)
Operational Deviation: Overpressure
Failure Scenario: Blockage of relief device by solids deposition (polymerization, solidification)
Inherently Safer/Passive solutions:
• Provide flow sweep fitting at inlet of relief device
Active solutions:
• Use rupture disks alone or in combination with safety valves, with appropriate rupture disk leak detection
• Automatic flush of relief device inlet with purge fluid
Procedural solutions:
• Manual periodic or continuous flush of relief device inlet with purge fluid

No. 7(T)
Operational Deviation: Overpressure
Failure Scenario: Deflagration and detonation in pipelines causing loss of containment
Inherently Safer/Passive solutions:
• Limit temperature, pressure or pipe diameter to prevent DDT from occurring (e.g., acetylene)
• Avoid/minimize use of elbows and fittings which can cause turbulence and flame acceleration
Active solutions:
• Multiple rupture disks/explosion vents located at appropriate points on piping
• Detonation or suitable deflagration arresters between protected equipment and potential ignition sources
• Liquid seal drum isolating ignition source (e.g., flare)
• Operate outside flammable range, e.g., O2 analyzer or hydrocarbon analyzer controlling inert purge or enrichment gas addition
• Detect gas flame and actuate fast closing valve or suppression system
Procedural solutions:
• Inert purging prior to start-up

No. 8
Operational Deviation: High Temperature
Failure Scenario: Faulty tracing or jacketing of line leading to hot spots resulting in exothermic reaction
Inherently Safer/Passive solutions:
• Use of insulating material between tracer and pipe (sandwich tracer)
• Use of heat transfer media with maximum temperature limited to a safe level (jacketed pipe)
Active solutions:
• Electrical tracing with temperature limitation controls
Procedural solutions:
• Operator action in response to high temperature indication and alarm

No. 9
Operational Deviation: High Temperature
Failure Scenario: External fire leading to undesired process reaction (e.g., acetylene decomposition)
Inherently Safer/Passive solutions:
• Fireproof insulation with stainless steel sheathing and banding
• Continuous welded pipe
Active solutions:
• Fire detection system with automatic water spray
Procedural solutions:
• Fire detection system with manual water spray

No. 10
Operational Deviation: Low Temperature
Failure Scenario: Cold weather conditions causing freezing of accumulated water or solidification of product in line or deadends
Inherently Safer/Passive solutions:
• Insulation of process lines
• Elimination of collection points or deadends
• Deadends should be sloped to avoid accumulation
• Blowdown lines should be sloped to avoid accumulation
Active solutions:
• Heat tracing of lines
• Automatic drainage of potential collection points
Procedural solutions:
• Procedures to maintain a minimum flow through line
• Manual draining of potential collection points

No. 11
Operational Deviation: Low Temperature
Failure Scenario: Condensation in steam lines due to cold ambient conditions resulting in steam hammer
Inherently Safer/Passive solutions:
• Securely anchor piping
Active solutions:
• Heat tracing of lines
Procedural solutions:
• Procedures to slowly warm up downstream piping

No. 12
Operational Deviation: High Flow
Failure Scenario: High fluid velocity in pipe which causes erosion, especially if two phase flow or abrasive solids are present, leading to loss of containment
Inherently Safer/Passive solutions:
• Sizing of pipe to limit velocities
• Material selection to resist erosion
• Heavier walls at tees, elbows, and other high abrasion points
• Minimize use of fittings where erosion can occur
• Use tees instead of elbows in abrasive solid service
Procedural solutions:
• Instructions to limit flow velocity
• Periodic inspection of high wear points

No. 13
Operational Deviation: High Flow
Failure Scenario: High pressure drop across control valve causing flashing/vibration leading to loss of containment
Inherently Safer/Passive solutions:
• Locate valve as close to the vessel inlet as possible
• Provide multiple intermediate pressure letdown devices (valve or orifices)
• Use valve type suitable for high pressure drop and flashing service
• Securely anchor piping

No. 14
Operational Deviation: Reverse Flow
Failure Scenario: Differential pressure on joining lines, drains or temporary connections causing back flow of product resulting in undesirable reaction, overfilling, etc.
Inherently Safer/Passive solutions:
• Use incompatible fittings to prevent unwanted connections
• Use separate lines to final destination
Active solutions:
• Check valve on lower pressure line to prevent reverse flow
• Automatic isolation on detection of low differential pressure
Procedural solutions:
• Procedures for proper isolation of interconnected lines
• Manual isolation on detection of low differential pressure

No. 15(T)
Operational Deviation: Loss of Containment
Failure Scenario: Failure to isolate flow from sample connection, drain and other fittings resulting in discharge to environment
Inherently Safer/Passive solutions:
• Provide "deadman" (self-closing) valve
Active solutions:
• Automatic closed loop sampling system
Procedural solutions:
• Provide double block and bleed valves, valve plugs, caps, blinds, etc.

No. 16
Operational Deviation: Loss of Containment
Failure Scenario: Breakage of sight glasses and glass rotameters due to overpressure, thermal stress, or physical impact
Inherently Safer/Passive solutions:
• Eliminate the use of sight glasses and rotameters
• Provide flow restriction orifice in glass connection
• Provide physical protection against damage (i.e., armored sight glass)
• Provide glasses with pressure design rating exceeding maximum expected pressure
Active solutions:
• Provide excess flow check valves to limit discharge due to sight glass or rotameter failure
Procedural solutions:
• Procedure to normally isolate sight glass when not in use
• Provide manual isolation via remotely located valve

No. 17
Operational Deviation: Loss of Containment
Failure Scenario: Loss of containment from piping due to leak, flange leak, valve leak, pipe rupture, collision, or improper support
Inherently Safer/Passive solutions:
• Maximize use of all-welded pipe
• Avoid use of underground piping
• Use double walled pipe
• Minimize use of unnecessary fittings
• Use of higher integrity closures (e.g., clamped connectors)
• Shielding at flanges to prevent operator exposure
• Use of minimum diameter pipe for physical strength
• Proper design and location of piping supports
• Physical collision barriers
Active solutions:
• Provide automatic isolation on detection of high flow, low pressure, or external leak
• Use fusible link valves for automatic closure under fire conditions
Procedural solutions:
• Procedural restrictions to avoid damage (crane restrictions, climbing restrictions)
• Periodic inspection for leaks

No. 18(T)
Operational Deviation: Loss of Containment
Failure Scenario: Pipe failure due to excessive thermal stress
Inherently Safer/Passive solutions:
• Expansion loops and joints
• Insulation of pipe expansion joints
• Additional support to prevent sagging

No. 19
Operational Deviation: Loss of Containment
Failure Scenario: Degradation of transfer hose between uses results in hose leak
Inherently Safer/Passive solutions:
• Eliminate hose connections (hard piped)
• Use higher integrity hose (e.g., metallic braided)
• Use higher pressure hose
Active solutions:
• Provide excess flow check valve upstream and check valve downstream of hose
• Automatic isolation based on detection of high flow, low pressure or external leak
• Use fusible link valves for automatic closure under fire conditions
Procedural solutions:
• Pressure test transfer hose before use
• Manual isolation based on detection of high flow, low pressure or external leak
• Periodic replacement of hoses
• Provide hose protection (e.g., ramp) when laying hoses across roadway
• Avoid sharp angle changes in direction

No. 20
Operational Deviation: Loss of Containment (lined pipe/hose)
Failure Scenario: Breakdown of pipe/hose lining
Inherently Safer/Passive solutions:
• Use pipe metallurgy which does not require lining
• Use semi-conductive liner to reduce degradation due to static build-up
• Use thicker liner material
• Limit liquid velocity to minimize static build-up
Procedural solutions:
• Periodic thickness testing of metal pipe wall
• Periodic process stream analysis for metals content

No. 21
Operational Deviation: Wrong Composition
Failure Scenario: Operator connects quick connect coupling to wrong connection
Inherently Safer/Passive solutions:
• Specify incompatible ends to prevent misconnection
• Avoid use of quick connects for hazardous service
Procedural solutions:
• Procedures to prevent inadvertent cross-connections
• Labeling and color coding of lines

AppendixWorkedExamples

This appendix contains two example problems which are intended to illustrate the use of the techniques and thought processes given in Chapters 2-12 of this book. Each example will use specific process situations to show how to use Chapter 2 to determine the process safety system (PSS) design basis, identify the design parameters which have the strongest impact on that basis, and assist in the selection of alternative inherently safer, passive, active and procedural design solutions.

These examples are not intended to serve as a "standard" PSS design basis for any industrial system. Each process and each design require specific process information (such as equipment pressure and temperature ratings, materials inventories, pipeline sizes, types of utility streams available, etc.) which differ from manufacturer to manufacturer, and process to process. Also, individual company policy and risk management procedures must provide direction concerning safety systems design, especially concerning the applicability of mitigation techniques. Any attempt to define an industry-wide "standard" is counterproductive, in that it may prevent the thoughtful analysis required to define a safe, economical PSS system in favor of a "cookbook" approach which would likely miss some significant potential hazards.

A. EXAMPLE PROBLEM: BATCH CHEMICAL REACTOR

This example problem is based on an existing industrial batch reaction system. It illustrates a batch reactor where a quinone-type organic compound is hydrogenated to a hydroquinone. The reaction product is an intermediate for a pharmaceutical.

Reactors require a detailed hazard analysis before the proper Process Safety System (PSS) can be determined due to the complexity of the operation (heat and mass transfer and chemical reaction), as well as the different kinds and severity of events that can be caused by the reactants, products, catalysts, and impurities.

For this example, two process drawings are presented:

• Exhibit A1: Process Flow Diagram (PFD) with a material balance and equipment data.

• Exhibit A2: Piping & Instrumentation Diagram (P&ID).

Physical and hazardous properties were obtained from open technical literature and company files. The heat of reaction and runaway potential data were obtained from adiabatic calorimeter tests.

A.1 SYSTEM DESCRIPTION

The batch reactor and associated equipment are shown in Exhibit A1, along with the material balance, and equipment data (sizes, dimensions, materials of construction, etc.).

[Exhibit A1: Process Flow Diagram (PFD) with a material balance and equipment data. Stream table columns: stream number, stream name, component (quinone, solvent A, solvent B, Pd/C, water, impurities, hydrogen), total, temperature (°C), pressure (psig), S.G., volume (gal), volume (SCF). Streams: quinone-solvent A solution, solvents azeotropic mixture, catalyst slurry, solvents azeotropic mixture wash from catalyst head tank, hydrogen, and product to the batch surge tank. Utilities shown: brine supply and return, nitrogen, cooling tower (C.T.) water supply and return, LP steam, condensate.]

[Exhibit A2: Piping and Instrumentation Diagram. Reactor R-1 (jacketed, 4 baffles) with LP steam and C.T. water to the jacket and condensate return header; vent condenser with chiller; vent line to roof and vent header; 100 psig nitrogen header; hydrogen supply with isolation valve in the H2 line to R-1; feeds of catalyst slurry from head tank, quinone, solvents, azeotropic mixture from surge tank, and azeotropic mixture wash from catalyst head tank. Detail "A": agitator mechanical seal (M-1) with seal fluid reservoir. Symbols: field instrument, local panel instrument, protective pipe cover (weather cap). Notes: 1. Burst disk detector. 2. Locate H2 detector head as close as possible to and immediately above the agitator seal.]

The operational sequence is as follows:

1. The reactor is charged with a solution of the quinone in solvent A.
2. The reactor is charged with an azeotropic mixture of solvent A and solvent B.
3. The reactor mixture is heated to 50-55°C.
4. The reactor is pressure purged three times with 15 psig nitrogen to displace the air.
5. The reactor is charged with the palladium on carbon catalyst slurried in the solvent A / solvent B azeotropic mixture.
6. The catalyst slurry head tank is washed with azeotropic mixture of solvent A and solvent B into the reactor.
7. The reactor is pressure purged three times with 10 psig hydrogen to displace the nitrogen.
8. The reactor jacket is switched from heating to cooling service.
9. The reactor hydrogen pressure is raised to 15 psig and the hydrogenation is continued until the hydrogen uptake stops (about 2½ hours).
10. The reactor hydrogen pressure is raised to 20 psig, the hydrogen is isolated, and the reactor pressure is held for 20 minutes.
11. The reactor is vented down to about 1 psig.
12. The reactor is pressure purged three times with 15 psig nitrogen to displace the hydrogen.
13. The reactor jacket is switched from cooling to heating service.
14. The reactor mixture is heated to 60-70°C.
15. The reaction mass is transferred with 5 psig nitrogen pressure to a surge tank. This leaves the reactor inerted for the next batch.

Selection of the design basis for this example will follow the nine-step process explained in Chapter 2. In order to adequately perform Step 1—Identify Failure Scenarios, some discussion of information requirements in general, and batch reactor systems in particular, is warranted, along with specific information pertaining to this process.

A.2 GENERAL INFORMATION REQUIREMENTS

The following information will be required to properly evaluate potential failure scenarios:

• Heat and material balance (HMB) data
• Material Safety Data Sheets (MSDSs) for all chemicals
• Pure component and mixture physical property data (e.g., electrical conductivity, viscosity, etc.)
• Chemical reactivity data (primary and side/secondary reactions and runaway reaction kinetic data)
• Accurate piping and instrumentation diagrams (P&IDs)
• Equipment arrangements and plant layouts
• Pressure vessel drawings that include maximum allowable working pressure (MAWP), maximum vacuum rating, and minimum and maximum operating temperature information
• Other process equipment maximum pressure and minimum/maximum temperature ratings
• Control valve, pressure reducing valve, and other instrument data sheets
• Relief device (safety valve, rupture disk, rupture pin), conservation vent, and flame arrester (deflagration and detonation) data sheets
• Unsteady-state (startup, shutdown, upset) conditions
• Cleanout and steamout procedures, including all nonprocess chemicals used
• Equipment computer models for evaluation of deviations from steady-state conditions, or for evaluation of worst-case startup and shutdown conditions
• Utility supply information (composition, pressure, temperature, voltage, etc.)
• Materials of construction

Some of this information will be routinely available. Less commonly used data (such as piping isometrics) may need to be prepared (for new installations) or generated from field reviews (for existing installations) before a complete evaluation can be made.

Quite often some of the above information is not available for existing older plants. However, under the OSHA Process Safety Management regulation this information must be obtained or developed for the chemicals covered by this regulation.

A.3 PSS DISCUSSION FOR BATCH REACTORS

A.3.1 Vessel Design and Primary Containment

Batch chemical reactors can be expensive because of their materials of construction requirements. Many are fabricated of stainless steel, glass-lined carbon steel, or materials such as Hastelloy, titanium, etc. due to service involving corrosive reactants, catalysts, or solvents. In addition, in current practice batch reactors are highly instrumented and automated (run by programmable logic controllers (PLCs) or minicomputers), and often have associated head (charging) tanks, condensers, and heat transfer fluid systems which add to the cost of the installation.

Because of the hazardous potential of many batch chemical processes it is of prime importance to minimize the occurrence of fires, deflagrations, and release of flammable and/or toxic vapors and gases. It is the practice at many companies to specify a reactor design pressure (MAWP) of at least 50 psig, even though the reaction may be carried out essentially at atmospheric pressure. This vessel pressure rating should be sufficient to contain a deflagration (Noronha 1982). Reactor vessels should be designed in conformance with Section VIII of the ASME Boiler and Pressure Vessel Code. The ASME Code, or its equivalent, is law in most states and in some foreign countries.

All reactors should be provided with adequate pressure relief devices. Vacuum relief will not normally be required if the vessel is designed for at least 50 psig since this pressure rating should also be adequate for full vacuum in most cases. However, vessels with design pressures near atmospheric pressure usually require vacuum relief, and this should be evaluated. Relief requirements will be discussed in more detail in Section A.3.3.

Most batch chemical reactors have agitators, equipped with mechanical seals, and means must be provided to ensure that mechanical seals do not leak or fail, which could result in a release of a flammable and/or toxic vapor or gas into the surroundings. Agitator seals will be discussed in more detail in Section 5.4.

CCPS 1993 (with emphasis on Chapters 4, 5, 6, 8, 11, and 14) also provides useful information, and will be used as a reference for portions of this example. Other references which are applicable to batch reactor design for hazard minimization are given at the end of this example.

A.3.2 Control Systems and Safe Automation

Many chemical reactions are exothermic and require heat removal, while others are endothermic and require heat addition. In many batch chemical reactors, the batch is heated up to the boiling point and refluxed for a long period of time to complete the reaction. In other reactors, the solvent is boiled off after the reaction has been completed, and then a further processing step is performed in the reactor. The heating or cooling steps often must be controlled in order to prevent product deterioration, production of undesired side products, or a runaway reaction which could result in a catastrophic event. In most older batch reactors the heating and cooling control systems are of the standard type (i.e., non-computer controlled, pneumatic PID), whereas in newer plants the control operations are often performed by a computer system that programs the sequence of operations and initiates interlock shutdowns.

There are no regulatory requirements in the U.S. governing the use of automatic control in PSS applications. The CCPS publications Guidelines for Safe Automation of Chemical Processes (with emphasis on Chapters 4 and 5) and Guidelines for Engineering Design for Process Safety (with emphasis on Chapter 9) provide a useful summary of current industry practices. Keep in mind that computer-controlled processes do not provide fool-proof control and that catastrophic events can occur if the computer control system is not properly analyzed for integrity. The U.K. Health and Safety Executive report titled Programmable Electronic Systems in Safety Related Applications provides guidance on what can go wrong with computer-controlled processes and how to analyze them. The Instrument Society of America (ISA) has published a standard titled Programmable Electronic Systems for Use in Safety Applications (ISA S84.01-1996).

In this example problem, the main control loops for this reaction system are:

• Pressure control of the hydrogen feed to the reactor
• Temperature control of the cooling tower water to the reactor jacket

Because this is an existing reactor that has been operating for a number of years, the instrumentation is primarily pneumatic, with some more recently installed electronic components.

A.3.2.1 Alarm Strategy

For all alarms, it should be noted that with electronic instrumentation and a distributed control system (DCS), two high and two low alarm points are usually included with the control point. Thus, alarm strategies which make use of these "free" points can serve as a very cost-effective way of increasing the number of alarm points without increasing the cost of the system. These additional alarm points do not provide the redundancy necessary for some interlock initiators. If using older, pneumatic instrumentation, alarm points of any kind are an increased cost. Of course, one thing which must be avoided is the casual use of alarm points simply because they exist. Excessive nuisance alarming can cause the operator to become indifferent to alarms (since they go off so frequently) or deactivate them, or become confused in a true emergency (because so many alarms are actuated simultaneously).

As mentioned above, this is an existing reactor, with primarily pneumatic instruments. The reactor has a high temperature alarm to alert the operator that there may be a problem with the cooling tower water supply to the jacket. High-high temperature and pressure alarms, independent from their "high" counterparts, are also provided.

A.3.2.2 Interlock Strategy

Once alarm parameters have been determined, this same information can be used to develop a general philosophy and execution strategy for interlocks.

Process and safety interlocks differ from one another in that, whenever the process condition which caused the process interlock to activate is corrected, the control function usually returns to normal. Safety interlocks often must be manually reset before control can return to normal. An analysis of the allocation of supervisory roles between the operator and automatic control systems should be made before a decision to interlock is reached.

Another issue concerning safety interlocks is the use of automatic controls to mitigate potential overpressure in place of relief systems. Neither ASME nor API provide explicit guidance on the use of safety instrumentation to mitigate relief requirements, and risk management policies vary widely concerning the use of instrumentation or any active system to protect against overpressure. Issues such as the reliability and cost of safety interlock systems and their related field devices (sensors, isolation valves, etc.) as compared to the reliability of relief systems must be considered in weighing the tradeoffs.

The interlock strategy selected for this existing reactor is as follows: two high-high switches are interlocked to shut an isolation valve in the hydrogen feed line. The high-high temperature switch takes a signal from the thermocouple in the reactor, and the high-high pressure switch takes its signal from the reactor rupture disk burst detector.

A.3.2.3 Valve Failure Position

Closely related to this strategy is the decision on how automatic control and block valves should fail under loss of motive energy or control signal. In general, energy sources (such as steam, hot oil, or high pressure gas) are designed to fail closed (FC) to isolate the process from excessive energy input. Energy-removing streams (coolants, vents, etc.) are usually fail open (FO) to bring the system to a lower potential energy state under emergency conditions. While not always true, these guidelines should apply to most cases considered. Another issue which must be addressed is the difference in failure position upon instrument air (IA) failure as compared to the failure position on electronic signal failure. Often, a valve can be set to fail in one direction when IA is lost; however, the controller manipulating this valve may have an entirely different failure position which may take the system to an unsafe condition. Both types of failure positions must be addressed independently.

There is a third category of valve failure position, that of fail-last-position (FL), which is not as frequently used in process systems. However, there may be occasions where FL valves are needed for production reasons and also have safety implications. These situations should be carefully analyzed before the valve failure position is finalized.

All the control valves for this reactor were designed to fail in the fail-safe position on loss of instrument air, as follows:

• The control valve in the cooling tower water line to the reactor jacket fails open.
• The control valve in the hydrogen feed line fails closed.
• The control valve in the brine line to the reactor vent condenser fails open.
• The isolation valve in the quinone/solvent feed line to the reactor fails closed.
• The isolation valve in the hydrogen feed line to the reactor fails closed.

A.3.3 Pressure and Vacuum Relief

A significant safety-related design problem for equipment in general is the appropriate selection of the sizing basis for emergency pressure and vacuum relief devices. Relief devices are required for vessels covered by ASME Code, but the basis for sizing and selecting these devices is left up to the system designer. Relief device sizing methodology is particularly critical if two-phase flow occurs due to reactive, foaming, or viscous effects. For these systems, methodologies such as those developed by the Design Institute for Emergency Relief Systems (DIERS) should be used. In the absence of two-phase flow, more conventional techniques can be applied.

The need for and location of relief devices should be identified as early in the design as possible, as an integral part of PSS strategy formulation. The disposition of relief effluents (flaring, secondary containment, quenching, or relief to atmosphere) may influence the type and position of relief devices needed. The forthcoming CCPS publication "Guidelines for Pressure Relief and Effluent Handling Systems" provides guidance on the selection and design of disposal systems. Relief system design bases may also be altered by the presence of other passive or active safety systems, such as fireproof insulation or instrumentation, back pressure influences, or the need for downstream effluent disposal systems such as flares.

Once the proper design basis has been determined, sizing of the appropriate devices can proceed using requirements and information listed in the reference section at the end of this example.

Since most reactors are designed for pressures greater than 15 psig they are considered pressure vessels and are subject to the requirements of Section VIII of the ASME Boiler and Pressure Vessel Code. This means that they must be provided with pressure relief and, if necessary, vacuum relief. Relief devices can be either safety valves or rupture disks, or a combination of the two. Rupture disk/safety valve combinations are quite common where the reactants, catalyst, or solvents are corrosive and the rupture disk is provided to protect the safety valve from corrosion. Rupture disk/safety valve combinations are also used on polymerization reactors to prevent the safety valve from becoming plugged.

The most common bases for sizing relief devices for batch chemical reactors are fire loading and runaway reactions. In this example the potential for a runaway reaction was determined to be very low based on adiabatic calorimeter experiments. Therefore, the relief device was sized for fire loading. A rupture disk was selected to meet the relief requirements for the following reasons: (1) a rupture disk is considerably cheaper than a safety valve, and (2) there was a possibility that the catalyst used could plug the safety valve.

A.3.4 Fixed Fire Protection and Passive Mitigation

Once key interlock and relief requirements have been set, post-release mitigation systems must be evaluated. These include fixed fire protection systems as described in NFPA 15 1990, life safety code requirements per NFPA 101 1997, and other site-related issues. Little or no regulatory guidance exists for these issues; API RP 752 1995 and the Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires (CCPS 1996) address the siting issues.

Selection of the PSS design basis also involves a system-wide analysis for synergistic hazards not revealed by consideration of the failure scenarios of individual unit operations only. This analysis should address the relationship between the operation in question and the other unit operations in the process, the utility and outside battery limits operations that might be adversely affected by upsets in the operation in question, and interrelationship of utilities which might result in a common-mode failure (such as steam and electricity cogeneration failure).

In the plant where the reactor is situated, it is company policy to provide water deluge system protection above and below all vessels larger than 4 feet in diameter, which includes the reactor with a diameter of 6½ feet. To minimize the accumulation of flammable liquid if a spill occurs, the floor under and surrounding the reactor is sloped toward a process sewer drain. Also, the reactor is insulated with jacketed insulation held in place with stainless steel straps.

A.4 SELECTION OF DESIGN BASES FOR SAFETY SYSTEMS

This section uses the systematic risk-based technique for selecting the design bases for process safety systems discussed in Chapter 2. Use of the technique imposes discipline on the thought process, yet allows for flexibility in application. The design bases selection technique is comprised of a number of analysis and testing steps, detailed graphically in a decision tree (see Exhibit 2.2 in Chapter 2).

Step 1: Identify Failure Scenarios

In this example, each of the selection steps (1-9) will be discussed generally; then, steps 2-8 will be repeated in detail for each of the five potential failures listed below.

In this batch reaction a number of hazards must be considered:

• Hydrogen is highly flammable.
• Both of the solvents are flammable.
• The catalyst may ignite spontaneously if contaminated with organics.
• The reactant quinone has a high flash point (96°C), but violent decomposition and toxic emissions can occur when it is heated or in a fire.

The reaction is moderately exothermic. Calorimetric studies indicate that the heat of reaction is about 482.7 Btu/lb of the quinone, and there is very little likelihood of a runaway reaction.

Corrosion will not be considered as a potential failure scenario because years of operation in a stainless steel reactor have shown no evidence of corrosion problems.

The failure scenario tables in Chapter 3 (Vessels), Chapter 4 (Reactors), and Chapter 6 (Heat Transfer Equipment) were reviewed for relevance, and a first pass through these tables yielded 16 potential failure scenarios, as shown in Exhibit A3.

Some of the scenarios do not have as severe a consequence as others, and only the most hazardous ones will be considered. This example will focus on the following five specific potential failure scenarios:

A. Ignition of flammable atmosphere in reactor vapor space caused by static discharge spark (Overpressure per Table 3, no. 3)

B. Cooling system control failure (High Temperature per Table 3, no. 28)

C. External fire (Overpressure and High Temperature per Table 3, no. 5 and Table 3, no. 30)

D. Loss of sealing fluid to reactor agitator mechanical seal resulting in emission of flammable vapors (Loss of Containment per Table 3, no. 49)

E. Ignition of flammable atmosphere in reactor vapor space caused by hot mechanical seal (Overpressure per Table 4, no. 3)

The tables in this book are generic, in that they are intended to apply to a wide variety of equipment configurations and installations. They are not intended for use as a "one-stop" reference. Other references may contain more detailed information on specific subjects, such as the checklist published by the American Petroleum Institute (see Section 3.2, Table 1 in API RP 520, 1993), for specific overpressure relief systems design cases. As with any engineering tool, its applicability to a specific problem must be established each time it is used.

EXHIBIT A3
Potential Failure Scenarios

Failure Scenario Number    Failure Scenario Description

3-1     Liquid overfill resulting in back pressure or excessive static head
3-2     Inadvertent or uncontrolled opening of high pressure utility system
3-3     Ignition of flammable atmosphere in vessel vapor space
3-5     External fire
3-15    Blocked outlet flow path
3-17    Heating and thermal expansion of liquid
3-28    Control failure of heating/cooling system
3-30    External fire
3-49    Loss of sealing fluid to vessel agitator resulting in emission of flammable or toxic vapors
4-1     Overcharge of catalyst resulting in runaway reaction
4-2     Addition of a reactant too rapidly resulting in runaway reaction
4-3     Loss of agitation resulting in runaway reaction or hot bearing/seals causing ignition of flammables in vapor space
4-7     Overactive and/or wrong catalyst results in runaway reaction
4-8     Inactive and/or wrong catalyst leading to delayed runaway reaction in reactor or downstream vessel
6-5     Loss of heat transfer due to fouling, accumulation of noncondensables, or loss of cooling medium
6-7     Cold-side fluid blocked in while heating medium continues to flow

Step 2: Estimate the Consequences

Step 3: Determine Tolerability of Consequences

Consequence estimation requires information on the physical, chemical, and toxic properties of the materials involved in the process, the quantity of material which could be involved in a scenario, the impact of each scenario on the surroundings (facility siting), and an economic evaluation of the impact of equipment damage and lost production.

Information on the physical and chemical properties of chemicals in this process can be obtained from the MSDSs, other sources of product information, or technical books and brochures, or can be developed. This information, combined with the quantity of material in the process, can be used to assess fire, explosion, and toxic effects using appropriate source terms, dispersion calculations, and effect models for scenarios with potential for materials release to the atmosphere. Facility siting issues should also be considered at this point based on the results of the scenario assessments.

Economic consequences must also be evaluated. These will be highly dependent on such factors as alternative sources of materials supply, availability of alternative production facilities, and replacement units.

For this example, the following NFPA 704 (scale of 0-4) ratings and properties of the materials were obtained from the MSDSs (Exhibit A4).

EXHIBIT A4
Hazardous Properties of the Materials

Property or Rating                Hydrogen    Quinone Compound    Solvent A    Solvent B
Fire (NFPA 704)                   4           0                   3            3
Health (NFPA 704)                 0           2                   2            1
Reactivity (NFPA 704)             0           1                   0            0
Flash point, °C                   gas         96                  4.4          12
LEL, vol. %                       4.0         n.d.                1.0          6.0
UEL, vol. %                       75.0        n.d.                7.0          36.0
AIT, °C                           520         450                 535          463
LOC, vol. %                       5.0         n.d.                9.5          10.0
MIE, mJ                           0.016       n.d.                0.24         0.14
Electrical conductivity, pS/m     none        n.d.                <1           4.4 × 10^7

LEL is the lower explosive limit; UEL is the upper explosive limit; AIT is the autoignition temperature; LOC is the limiting oxygen concentration; MIE is the minimum ignition energy; pS/m equals picosiemens per meter; mJ equals millijoules; n.d. indicates no data available.

Electrical conductivity data for solvent mixtures was not determined since the worst electrostatic hazard case is handling of pure solvent A. Static electricity precautions were determined for this situation.
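The purge steps of the operational sequence in Section A.1 (steps 4, 7 and 12) and the LOC values in Exhibit A4 can be tied together with a dilution calculation. The following is an added worked example, not part of the CCPS text: it applies the idealized pressure-purge relation (each pressurize-and-vent cycle multiplies the residual gas fraction by the ratio of absolute vent pressure to absolute purge pressure, assuming ideal gas and complete mixing) to the reactor's stated purge pressures. Atmospheric pressure of 14.7 psia, an air starting composition of 20.9 vol% oxygen, and venting to 0 psig on every cycle are assumptions; the LOC values are those of Exhibit A4.

```python
"""Pressure-purge dilution for the batch reactor purge steps (Section A.1).

Added worked example; not part of the CCPS text.  Assumptions:
- ideal gas, complete mixing between cycles, vent to 0 psig each cycle;
- atmospheric pressure 14.7 psia (assumed);
- starting atmosphere is air at 20.9 vol% O2 (assumed);
- LOC values are taken from Exhibit A4 (hydrogen 5.0, solvent A 9.5,
  solvent B 10.0 vol% O2).
"""
import math

ATM_PSIA = 14.7      # assumed atmospheric pressure
O2_IN_AIR = 0.209    # assumed oxygen mole fraction of air
LOC = {"hydrogen": 0.050, "solvent A": 0.095, "solvent B": 0.100}  # Exhibit A4


def pressure_purge(y0, p_high_psig, cycles, p_low_psig=0.0):
    """Mole fraction of a residual gas after `cycles` pressure purges.

    Each cycle pressurizes the vessel with pure purge gas from p_low to
    p_high and vents back to p_low.  The residual fraction is multiplied
    by (P_low / P_high), in absolute pressure units, on every cycle.
    """
    if cycles < 0 or p_high_psig <= p_low_psig:
        raise ValueError("need cycles >= 0 and p_high > p_low")
    ratio = (p_low_psig + ATM_PSIA) / (p_high_psig + ATM_PSIA)
    return y0 * ratio ** cycles


def cycles_needed(y0, y_target, p_high_psig, p_low_psig=0.0):
    """Smallest number of cycles that brings y0 down to y_target or below."""
    if y0 <= y_target:
        return 0
    ratio = (p_low_psig + ATM_PSIA) / (p_high_psig + ATM_PSIA)
    n = math.ceil(math.log(y_target / y0) / math.log(ratio))
    while y0 * ratio ** n > y_target:   # guard against rounding at the boundary
        n += 1
    return n


def reactor_purge_sequence():
    """Follow purge steps 4, 7 and 12 of the operational sequence."""
    # Step 4: three 15 psig nitrogen purges of the initial air
    o2_after_step4 = pressure_purge(O2_IN_AIR, 15.0, 3)
    # Step 7: three 10 psig hydrogen purges; remaining oxygen is diluted again
    o2_after_step7 = pressure_purge(o2_after_step4, 10.0, 3)
    # Step 12: three 15 psig nitrogen purges to displace hydrogen.  Worst case
    # assumed: vapor space is essentially all hydrogen before the purge.
    h2_after_step12 = pressure_purge(1.0, 15.0, 3)
    return {
        "o2_after_step4": o2_after_step4,
        "o2_after_step7": o2_after_step7,
        "h2_after_step12": h2_after_step12,
        "o2_below_all_loc_after_step4": all(o2_after_step4 < v for v in LOC.values()),
    }


if __name__ == "__main__":
    for key, val in reactor_purge_sequence().items():
        print(f"{key}: {val:.4f}" if isinstance(val, float) else f"{key}: {val}")
    print("15 psig N2 cycles to get air below the hydrogen LOC:",
          cycles_needed(O2_IN_AIR, LOC["hydrogen"], 15.0))
```

Under these assumptions the three nitrogen purges of step 4 leave about 2.5 vol% oxygen, below the LOC of every material in Exhibit A4, and the hydrogen purges of step 7 take it to about 0.5 vol%. The same model shows that the three nitrogen purges of step 12 still leave roughly 12 vol% hydrogen, well above its LEL; the reactor is safe to open to the next charge because oxygen, not hydrogen, has been kept below the limiting concentration, which is why the nitrogen transfer of step 15 matters. Real vessels with poor mixing or dead legs purge less efficiently than this idealized relation predicts.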

From the above NFPA hazard ratings and the other hazardous properties shown, it is obvious that fires and explosions (deflagrations) are very likely should there be an ignition source and sufficient oxygen. Since the reactor is located inside a building, surrounded by other equipment containing flammable liquids and gases, a significant amount of equipment damage and injury or fatalities, as well as business interruption, could result. In addition, the release of hydrogen and flammable vapors outside the building could result in secondary fires, explosions, and personnel injuries or fatalities in the surrounding areas of the building.

The consequences of unmitigated operational deviations resulting in medium-level and high-level hazards have been determined to be unacceptable risks by the organization represented in this example. Therefore, the designer must provide alternatives which mitigate these consequences.

Step 4: Estimate Likelihood and Risk

Step 5: Determine Tolerability of Risk

Risk estimation is often the most difficult step in the process. Consequence estimation is usually objective, but evaluation of likelihood involves human factor considerations (effectiveness of individuals and group performance), and the adequacy of a specific design or equipment item. Because of these factors, great care must be taken to ensure accuracy and lack of bias.

At some point in this analysis quantification of likelihood may be necessary, but often is superseded by standard company policies, engineering standards and standard design practices. For example, failures with no or low consequences may be adequately controlled by normal process controls or operating procedures, whereas severe hazards (such as those with major on-site or off-site ramifications) may require two or more independent levels of safeguards or mitigation, in addition to the normal ones, to reduce the risk to an acceptable level.

Assessment of likelihood often requires evaluation of both plant systems (equipment, controls, etc.) and operating procedures. Equipment failure rate data are available from a number of sources (e.g., CCPS 1989), and while there are uncertainties and gaps in these data, they can be objectively and consistently evaluated through the use of plant data collection and component failure testing. Keep in mind that generic failure rate data may not necessarily apply to every plant, as these failure rates are affected by the chemicals handled and maintenance practices, and that actual plant data from one's plant may be the best source of failure rates. Generic data may be used to prepare comparative estimates of several alternates, however.

Reliability of procedural safeguards (standard operating procedures), on the other hand, is dependent on the effectiveness of training and the strength of managerial implementation and documentation. Not only are these hard to measure, but they can change significantly due to a wide variety of factors, such as personnel turnover or change in management.

For this example, company management has established the hazard levels shown in Exhibit A5, which are comparable to those shown in Chapter 2 in Exhibit 2.5. For simplicity, levels C1 and C2 have been combined into the low hazard category.

For low-level or medium-level hazards, two levels of independent procedural safeguards may be substituted for a single automatic safeguard. For high-level hazards, no procedural safeguard may be credited for mitigation.

Note that criteria similar to these are commonly found in industry; however, each company must make its own determination of risk acceptability levels.

Risk tolerability is often based on what is known as an F-N (Frequency-Number) curve. An F-N curve is a plot of cumulative frequency versus consequences (expressed as number of fatalities). For more details on F-N curves, see Guidelines for Chemical Process Quantitative Risk Analysis (CCPS 1993).
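The F-N construction described above, together with the re-evaluation loop of Steps 6-8, is shown below as an added worked example that is not part of the CCPS text. The scenario frequencies and fatality counts (labelled S1 to S6) and the straight-line tolerability criterion are constructed for illustration and do not describe scenarios A-E of this example; in practice the numbers come from the consequence and likelihood estimates of Steps 2 and 4, and the criterion is set by company policy (Step 5). The cumulative frequency F(N) is the frequency of all events with N or more fatalities, which is what the curve plots.

```python
"""F-N curve construction and re-evaluation after adding a safeguard.

Added worked example; not part of the CCPS text.  The scenario list and
the tolerability criterion are constructed for illustration only.
"""

# Constructed scenario estimates: (label, frequency per year, fatalities N).
# Labels S1..S6 are hypothetical and do not correspond to scenarios A-E.
SCENARIOS = [
    ("S1", 1.0e-4, 2),
    ("S2", 5.0e-4, 1),
    ("S3", 2.0e-5, 5),
    ("S4", 1.0e-3, 1),
    ("S5", 5.0e-5, 2),
    ("S6", 5.0e-6, 20),
]


def fn_curve(scenarios):
    """Return [(N, F(N))] sorted by N.

    F(N) is the cumulative frequency per year of events causing N or more
    fatalities, which is what an F-N plot shows on log-log axes.
    """
    levels = sorted({n for _, _, n in scenarios if n > 0})
    return [(n, sum(f for _, f, m in scenarios if m >= n)) for n in levels]


def tolerable_frequency(n, anchor_f=1.0e-3, slope=-1.0):
    """Straight-line criterion F_tol(N) = anchor_f * N**slope (hypothetical numbers).

    slope = -1 tolerates N fatalities at 1/N the frequency of a single fatality
    (risk neutral); a steeper slope such as -2 is risk averse.
    """
    return anchor_f * float(n) ** slope


def exceedances(scenarios, **criterion):
    """Points of the F-N curve that lie above the tolerability line."""
    return [(n, f) for n, f in fn_curve(scenarios)
            if f > tolerable_frequency(n, **criterion)]


def with_safeguard(scenarios, label, pfd):
    """Steps 6-8: model an added independent safeguard on one scenario.

    The scenario frequency is multiplied by the safeguard's probability of
    failure on demand (pfd); the consequence is unchanged.
    """
    return [(lab, f * pfd if lab == label else f, n) for lab, f, n in scenarios]


if __name__ == "__main__":
    for n, f in fn_curve(SCENARIOS):
        print(f"N >= {n:2d}: F = {f:.2e} /yr")
    print("above line (slope -1):", exceedances(SCENARIOS))
    print("above line (slope -2):", exceedances(SCENARIOS, slope=-2.0))
    improved = with_safeguard(SCENARIOS, "S4", pfd=0.1)
    print("after safeguard on S4 (slope -1):", exceedances(improved))
```

With these constructed numbers the single-fatality point exceeds the line because several low-consequence scenarios add up, and the 20-fatality point exceeds it only under the risk-averse slope; crediting one safeguard with a probability of failure on demand of 0.1 on the dominant scenario brings the curve under the risk-neutral line. The example also shows why the choice of slope, a company decision, changes which scenarios need further work.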

Step 6: Consider Enhanced and/or Alternative Designs

Step 7: Evaluate Enhancements and/or Alternatives

Step 8 Determine Tolerability of Risk and Cost

Steps 6-8 are analogous to steps 3-5, but this time one is evaluating the modified system instead of the original, unacceptable design. The tables in Chapters 3-12, along with other specific references, are intended to suggest potential alternatives to enhance the risk acceptability of the design. Not all solutions presented in the tables will be applicable to each situation. Each potential enhancement must be evaluated for:

EXHIBIT A5

Hazard Level        Consequence Definition                        Safeguards Required for Acceptable Risk Level
Low (C1 and C2)     Minor injury potential                        Normal controls
Medium (C3)         Major on-site consequence (see Exhibit 2.5)   One layer of independent non-procedural safeguards above normal controls
High (C4)           Major off-site consequence (see Exhibit 2.5)  Two layers of independent non-procedural safeguards above normal controls

• Technical Feasibility—Will it work at all?
• Applicability to a specific situation—Will it work here?
• Cost/Benefit—Is it the best use of resources, or can greater risk reductions be achieved by spending the same money elsewhere?
• Synergistic/Mutual Exclusivity effects—Will this solution work in conjunction with other potential enhancements, or will its implementation eliminate other potential beneficial solutions from being considered?
• Additional New Hazards—Will this solution create new hazards that must be evaluated?

Once a course of action is decided upon, it again must be evaluated for risk and cost acceptability. Steps 6-8 must be repeated until an acceptable reduction in risk has been achieved. Note that, if all technical options are exhausted with the risk level remaining unacceptably high, the only alternative may be to find a replacement process step.
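The safeguard-counting rule of Exhibit A5 and the procedural-substitution rule stated with it, as an added example that is not from the book: the functions below encode how many independent layers above normal controls a hazard level requires, credit two procedural safeguards as one layer for low and medium hazards only, and report the shortfall. The scenario safeguard lists are transcribed from the descriptions in Sections A.6 and A.8; the hazard-level names and safeguard kinds are this example's own labels.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Independent non-procedural layers required above normal controls (Exhibit A5).
REQUIRED_LAYERS: Dict[str, int] = {"low": 0, "medium": 1, "high": 2}

# Substitution rule from the text: for low and medium hazards, two independent
# procedural safeguards may stand in for one automatic safeguard; for high
# hazards procedural safeguards receive no credit (None).
PROCEDURAL_PER_LAYER: Dict[str, Optional[int]] = {"low": 2, "medium": 2, "high": None}


@dataclass(frozen=True)
class Safeguard:
    name: str
    kind: str  # "passive", "active" or "procedural"


def credited_layers(level: str, safeguards: List[Safeguard]) -> int:
    """Count the layers above normal controls that the company rules would credit."""
    if level not in REQUIRED_LAYERS:
        raise ValueError(f"unknown hazard level: {level}")
    nonprocedural = 0
    procedural = 0
    for s in safeguards:
        if s.kind in ("passive", "active"):
            nonprocedural += 1
        elif s.kind == "procedural":
            procedural += 1
        else:
            raise ValueError(f"unknown safeguard kind: {s.kind}")
    per_layer = PROCEDURAL_PER_LAYER[level]
    credit = procedural // per_layer if per_layer else 0
    return nonprocedural + credit


def shortfall(level: str, safeguards: List[Safeguard]) -> int:
    """Additional non-procedural layers still needed; 0 means the risk level is acceptable."""
    return max(0, REQUIRED_LAYERS[level] - credited_layers(level, safeguards))


def is_acceptable(level: str, safeguards: List[Safeguard]) -> bool:
    return shortfall(level, safeguards) == 0


# Failure Scenario D (Section A.8): loss of sealing fluid, rated a high-level hazard.
SEAL_FLUID_AS_FOUND = [
    Safeguard("operator checks reservoir level and N2 pressure each shift", "procedural"),
]
SEAL_FLUID_ENHANCED = SEAL_FLUID_AS_FOUND + [
    Safeguard("reservoir low level / low pressure switches interlocked to H2 isolation valve", "active"),
    Safeguard("H2 gas sensor at the seal interlocked to a second H2 isolation valve", "active"),
]

# Failure Scenario B (Section A.6): cooling control failure, rated a medium-level hazard.
COOLING_CONTROL = [
    Safeguard("high-high temperature switch interlocked to H2 isolation valve", "active"),
    Safeguard("high-high pressure switch (rupture disk burst detector) interlocked to H2 isolation valve", "active"),
    Safeguard("manual changeover to city water for the reactor jacket", "procedural"),
]


if __name__ == "__main__":
    for label, level, sg in [
        ("Scenario B", "medium", COOLING_CONTROL),
        ("Scenario D as found", "high", SEAL_FLUID_AS_FOUND),
        ("Scenario D enhanced", "high", SEAL_FLUID_ENHANCED),
    ]:
        print(f"{label}: credited {credited_layers(level, sg)} layer(s), "
              f"shortfall {shortfall(level, sg)}, acceptable={is_acceptable(level, sg)}")
```

The shortfall figure is what drives the Step 6 to Step 8 loop in the text: enhancements are added and the evaluation repeated until it reaches zero.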

The following sections provide a detailed discussion of steps 2-8 for this example problem's five scenarios of interest, listed in section A.4.

A.5 IGNITION OF FLAMMABLE ATMOSPHERE IN THE REACTOR VAPOR SPACE CAUSED BY STATIC DISCHARGE SPARK (FAILURE SCENARIO A)

Since the solvents are flammable liquids, if there is an electrostatic spark discharge and the oxygen in the vapor space of the reactor is above the LOC of the solvents, there could be a deflagration.

Step 2: Estimate the Consequences

Solvent A is known to be a very poor conductor that becomes electrostatically charged during flow through pipes, which could lead to an ignition of the flammable vapors in the reactor head space if the solvent is allowed to free-fall during charging. This hazard is minimized by having the streams containing Solvent A enter the reactor by means of a diverter elbow, which allows the stream to flow down the reactor wall in a gentle manner so as to avoid splashing and mist formation. Prior to charging of any mixtures containing solvent, the reactor is already inerted with nitrogen from a prior processing step. The reactor is also bonded and grounded to bleed off any electrostatic charges that might accumulate on the wall of the vessel. In addition, the reactor is purged of hydrogen with nitrogen after the reaction is completed, and then the batch is transferred out using nitrogen, so that there is always a nitrogen atmosphere in the reactor when flammable streams are charged into it.

Step 3: Determine Tolerability of Consequences

If a deflagration occurred, it would be a medium-level or high-level hazard, and company management has determined that these are unacceptable consequences.

Step 4: Estimate Likelihood and Risk

Because the consequences of unmitigated medium-level or high-level hazards are unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As determined in Step 3, the risks presented are not acceptable. A minimum of two nonprocedural safeguards would normally be required. Nevertheless, the reactor has two passive safeguards (diverter elbow and bonding and grounding) and one active safeguard (purging and inerting), which should be adequate to minimize or eliminate the potential for an electrostatic spark discharge ignition of flammable vapors.

Step 6: Consider Enhanced and/or Alternative Designs

As indicated above, three of the most common safeguards for preventing electrostatic spark discharge ignition of flammable vapors have already been provided, and no enhanced alternatives are required.

Step 9: Documentation

As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.

A.6 COOLING SYSTEM CONTROL FAILURE (FAILURE SCENARIO B)

For batch reactors, the most commonly installed control system is temperature control for heating and cooling. Temperature control is necessary to achieve proper reaction conditions for good conversions, to minimize side product formation, and in many cases, to prevent the occurrence of product deterioration and runaway reactions.

In this reaction, the potential for runaway reactions has been determined to be low, but it is known that product deterioration ("tarring") can occur if the reaction temperature is allowed to exceed its normal limits. For this reason, controlled cooling of the batch to remove the heat of reaction during hydrogenation is very important. The batch must be heated up twice during the batch cycle, but only to a moderate increase above ambient temperature. Therefore, this heating is not automatically controlled but is manually adjusted by the operator. The operating instructions require the operator to log in the temperature (a procedural safeguard).

Step 2: Estimate the Consequences

If the supply of cooling tower water to the reactor jacket stopped, either due to the temperature controller failure or malfunction, or because of problems with the cooling tower itself, then the batch might be heated up to the boiling point of the solvent mixture due to the heat of reaction. The result would be a possible overpressure, requiring pressure relief.

Step 3: Determine Tolerability of Consequences

If overtemperature or overpressure should occur, this would be considered a medium-level hazard, and would be considered an unacceptable consequence.

Step 4: Estimate Likelihood and Risk

Because the consequences of unmitigated medium-level hazards are unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Step 3, the risks presented are not acceptable. For a medium-level hazard, a minimum of one nonprocedural safeguard is required in addition to the normal controls required to operate the process.

To monitor the temperature and alert the operator if the temperature is not being controlled, the reactor has a temperature controller with a high temperature switch and audible alarm. In addition, the reactor is equipped with an independent temperature sensor (capillary type) and high-high temperature switch interlocked with an isolation valve in the hydrogen feed line. This interlock will shut off the hydrogen feed to the reactor in the event of a high-high temperature, and the heat of reaction will drop quickly. In addition, the reactor is equipped with a high-high pressure switch, taking a signal from the rupture disk burst detector, which is also interlocked with the isolation valve in the hydrogen feed line. The cooling tower water supply line to the reactor jacket is backed up by an interconnection to the city water system, which can be manually turned on by the operator should the cooling tower water system fail.

Step 6: Consider Enhanced and/or Alternative Designs

Since the reactor is provided with two nonprocedural safeguards in addition to the normal control, as well as one procedural safeguard (ability to supply city water to the reactor jacket), no enhanced alternatives are required.

Step 9: Documentation

As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.

A.7 EXTERNAL FIRE (FAILURE SCENARIO C)

External fire is always a possibility when flammable liquids are being handled. A pool fire under the reactor will impinge on wetted and unwetted vessel surfaces, boiling the liquid contained in the reactor and, eventually, resulting in overpressurization of the vessel. If the overpressure is not relieved in time, rupture of the reactor may occur due to both thermal and pressure overstress.

Step 2: Estimate the Consequences

To provide overpressure protection for the external fire failure scenario, the reactor was provided with a rupture disk sized by the conventional single phase vapor relief procedure (e.g., API RP 520 1993), since experience had shown the system not to be foamy. Appropriate environment factors (API RP 520 1993, Appendix D) were taken into account in determining fire heat input. Although a runaway reaction was determined to have a very low likelihood of occurring, the discharge piping from the rupture disk is routed to a catch tank.

Step 3: Determine Tolerability of Consequences

Unmitigated overpressure resulting from an external fire could result in a medium-level hazard, and possibly a high-level hazard. Therefore, pressure relief has been provided and the effluent stream routed to a catch tank.

Step 4: Estimate Likelihood and Risk

Because unmitigated medium-level and high-level hazards are not considered acceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

Since the risks presented are not tolerable, a minimum of two nonprocedural safeguards are required in addition to the normal controls required to operate the process.

The reactor is provided with the following active safeguards:

• Rupture disk set at 30 psig (below the MAWP of 35 psig)
• Automatic fixed water spray fire protection system

The rupture disk is provided with a burst disk detector (with an audible alarm), which is also connected to a high-high pressure switch interlocked with an isolation valve in the hydrogen feed line to stop hydrogen flow.

Step 6: Consider Enhanced and/or Alternative Designs

Since the reactor is provided with two automatic safeguards for this failure scenario, no enhanced alternatives are required.

Step 9: Documentation

As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.

A.8 LOSS OF SEALING FLUID TO REACTOR AGITATOR MECHANICAL SEAL (FAILURE SCENARIO D)

The loss of sealing fluid to the reactor agitator mechanical seal can result in large emissions of flammable hydrogen and solvents into the building, and possibly outside, which could deflagrate if the vapor cloud encountered an energy source of sufficient strength. Since hydrogen has a very low MIE (0.016 mJ) it can very easily be ignited. Appreciable equipment damage and injury or fatality could result if a deflagration occurred inside the building.

Step 2: Estimate the Consequences

The agitator mechanical seal fluid is provided by means of a seal fluid reservoir connected by piping to the seal, pressurized by 50 psig nitrogen. The seal fluid reservoir is provided with a level glass and the nitrogen line to the reservoir is provided with two pressure gauges. The operator is supposed to check the seal fluid level in the reservoir and the nitrogen line pressure gauges every shift. These administrative procedures are the only safeguards for the seal fluid reservoir. If the operator forgets to do this checking and the reservoir level or pressure drops below the required level or pressure, then a seal failure can occur, resulting in a large release of flammable hydrogen and solvent vapors.

Step 3: Determine Tolerability of Consequences

Release of flammable hydrogen and solvent vapors into the building, and possibly outside of it, can result in a catastrophic event which constitutes a high-level hazard. The present monitoring procedure can result in consequences which are not tolerable. Therefore, a more positive monitoring of the seal fluid reservoir level and pressure is required.

Step 4: Estimate Likelihood and Risk

Because an unmitigated high-level hazard is unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Step 3, the risks presented are not acceptable, and a minimum of two nonprocedural safeguards in addition to the normal controls are required to operate the process.

Step 6: Consider Enhanced and/or Alternative Designs

To enhance the reliability of providing seal fluid to the reactor agitator mechanical seal, the following additional safeguards will be provided:

• A low level switch and audible alarm on the seal fluid reservoir
• A low pressure switch and audible alarm on the seal fluid reservoir

Both of the above switches will be interlocked with an isolation valve in the hydrogen feed line to stop hydrogen flow to the reactor should a problem occur with the seal fluid reservoir level or pressure.

To provide the required second safeguard level, a hydrogen gas sensor with a high concentration alarm will be provided at the seal to warn of a seal leak. High concentration will be interlocked to close another isolation valve in the hydrogen line.

Step 7: Evaluate Enhancements and/or Alternatives

Providing the suggested enhanced safeguard alternatives outlined in Step 6 will add two active safeguards above normal control (operator monitoring of the seal fluid reservoir level and nitrogen pressure), which are required for a high-level consequence. The risk of agitator mechanical seal failure has been significantly reduced by these enhancements, which are shown on Detail "A" of the P&ID.

Step 8: Determine Tolerability of Risk and Cost

The enhanced PSS recommended in Step 6 will satisfy the requirements of the management guidelines. The capital project evaluation team determined that the cost required for these modifications is acceptable.

Step 9: Documentation

As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.

A.9 IGNITION OF FLAMMABLE ATMOSPHERE IN REACTOR VAPOR SPACE CAUSED BY HOT MECHANICAL SEAL (FAILURE SCENARIO E)

If the reactor agitator mechanical seal becomes hot, due to loss of seal fluid, then it can become an ignition source and cause a fire or deflagration in the reactor vapor space. The reasons that this seal can fail are discussed in Section A.8 (Failure Scenario D). All the steps given in Section A.5 apply to this scenario and should be referred to for the recommended enhanced alternative/design.

Step 9: Documentation

As discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitution of materials.

A.10 DOCUMENTATION

It is critical to provide accurate, detailed, and readily available documentation of all PSS design bases, so that assumptions can be easily verified, and critical safety components be identified. In the case of existing plants, such as the one in this example, these documents may not be readily available, and it may be necessary to contact equipment vendors or make new calculations (e.g., for sizing of relief devices). This documentation is particularly important when one element of the analysis (e.g., instrumentation) eliminates or mitigates the size and/or scope of protection of another element (e.g., relief devices). There may also be regulatory record keeping requirements, such as those concerning processes covered by the OSHA Process Safety Management regulation (29 CFR 1910.119). In addition, there may be documentation requirements for the new EPA Risk Management Program (40 CFR 68). Complete mechanical design information on vessels and other process equipment, interlock strategies and alarm points, relief and venting systems sizing bases (including cases that were eliminated through other active or passive means), and siting and fire protection design bases all may need to be recorded permanently as part of the Process Safety Information file. Without this information, potential future modifications to a PSS cannot be made until a complete re-evaluation of the PSS basis is complete. This re-evaluation will be difficult and time-consuming without the detailed information on the original basis. Similarly, items used to mitigate or eliminate potential hazards may not be intuitively obvious, as example 2.6.1 in Chapter 2 illustrates so graphically.

Procedural controls are perhaps the most critical of all controls to document well, since identification of safe upper and lower operating limits, and training requirements are critical to gaining and retaining safety management effectiveness. In many processes, the only place that procedural controls are documented is in the operating procedures. A separate listing of these procedural controls would make the safety documentation more inclusive and complete. Above all, documentation must tell the why as well as the what, so that future evaluators will have the full benefit of the knowledge and rationale originally used to specify the safeguards.

The P&ID shown in Exhibit A2 illustrates the PSS additions to the Basic Control System on Detail "A". Note that the mechanical seal fluid reservoir low level and nitrogen low pressure switches and the interlocks to the isolation valve in the hydrogen feed line to the reactor are now included on the P&ID. A number of PSS features shown on the P&ID were added after a HAZOP was performed, but the new PSS features for the seal fluid reservoir were not considered at that time.

REFERENCES

API RP 520 1993. Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries. Part I: Sizing and Selection. Washington, DC: American Petroleum Institute.

API RP 752 1995. Management of Hazards Associated with Locations of Process Plant. 1st Edition. Washington, DC: American Petroleum Institute.

ASME 1995. Boiler and Pressure Vessel Code. Section VIII, Division 1. New York: American Society of Mechanical Engineers.

CCPS 1989. Guidelines for Process Equipment Reliability Data. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1993a. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1993b. Guidelines for Safe Automation of Chemical Processes. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1993c. Guidelines for Chemical Process Quantitative Risk Analysis. 2d ed. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1996. Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

EPA 1996. Risk Prevention Program for Chemical Accident Prevention. U.S. Environmental Protection Agency, 40 CFR, Part 68.

ISA S84.01 1996. Programmable Electronic Systems for Use in Safety Applications. Research Triangle Park, NC: Instrument Society of America.

NFPA 101 1997. Code for Safety to Life from Fire in Buildings and Structures. Quincy, MA: National Fire Protection Association.

NFPA 15 1990. Water Spray Fixed Systems for Fire Protection. Quincy, MA: National Fire Protection Association.

NFPA 704 1996. Standard System for the Identification of the Fire Hazards of Materials. Quincy, MA: National Fire Protection Association.

Noronha, J., Merry, J., Reid, W., and Schiffhauser, E. 1982. Deflagration Pressure Containment for Vessel Safety Design. Plant/Operations Progress, Vol. 1, No. 1, pp 1-6.

OSHA 1992. Process Safety Management of Highly Hazardous Chemicals. 29 CFR 1910.119. Washington, DC: Occupational Safety and Health Administration.

Suggested Additional Reading

API RP 2003 1991. Protection Against Ignitions Arising out of Static, Lightning, and Stray Currents. Washington, DC: American Petroleum Institute.

Barton, J. and Rogers, R. 1996. Chemical Reaction Hazards. 2d ed. Rugby, Warwickshire, UK: Institution of Chemical Engineers.

Benuzzi, A. and Zaldivar, J. M., eds. 1991. Safety of Chemical Batch Reactors and Storage Tanks. Dordrecht and Boston: Kluwer Academic Publishers.

Britton, L. 1992. Using Material Data in Static Hazard Assessment. Plant/Operations Progress 11:2 (April): 56-70.

British Standards Institute BS-5958 1991. Code of Practice for Control of Undesirable Static Electricity: Part 1, General Considerations, and Part 2, Recommendations for Particular Industrial Situations. London: British Standards Institute.

CCPS 1995. Guidelines for Chemical Reactivity Evaluation and Application to Process Design. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1997. Guidelines for Pressure Relief and Effluent Handling Systems. Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

DIERS (Design Institute for Emergency Relief Systems) 1992. Emergency Relief System Design Using DIERS Technology. DIERS Project Manual. New York: AIChE.

UK HSE 1987. Programmable Electronic Systems in Safety Related Applications. UK Health and Safety Executive. London: Her Majesty's Stationery Office.

B EXAMPLE PROBLEM: DISTILLATION SYSTEM

This example problem is taken from the CCPS publication Guidelines for Hazard Evaluation Procedures, Second Edition (CCPS 1992) Figure 19.1. It illustrates a distillation separation between vinyl chloride monomer (VCM) and hydrogen chloride (HCl), a byproduct of the VCM formation reaction. HCl is a potentially valuable by-product, but its presence in the VCM stream in even small quantities will inhibit the polymerization of VCM to polyvinyl chloride (PVC), the desired final product.

Distillation operations require a detailed hazard analysis before the proper Process Safety Systems (PSS) design basis can be determined, due to the complexity of the operation (both heat and mass transfer), as well as the different kinds and severity of events that impurities can introduce. The information in CCPS (1992) illustrates the types and results of several hazard evaluation procedures for the VCM/HCl separation, and will not be repeated here.

Note that, for the purposes of this example, the flow sheet shown in CCPS (1992) has been somewhat simplified. This example is intended to illustrate a proposed new design, with preliminary equipment sizes and ratings based upon similar existing installations. Also, while the VCM/HCl separation is an industrially important process, the feed composition and purity requirements chosen for this example are for illustration only, and do not necessarily reflect current industrial practice. The physical properties for VCM and HCl were obtained from standard open-literature references (Gallant 1968; Yaws 1977). For the purposes of this example problem, vapor-liquid equilibrium data were estimated, since experimental data were not readily available in the open literature.

B.1 SYSTEM DESCRIPTION

The system in question is illustrated in Exhibit B1 with the steady state material balance and basic process control information. Exhibit B2 provides an equipment list for this portion of the process.

This system is intended to purify a 90 mole % VCM stream contaminated with HCl to a purity of greater than 99.8% via distillation. The overhead product is a 75%/25% VCM/HCl mixture to be recycled back into the process.

This example follows the nine-step process laid out in Chapter 2 for selection of the design basis for this installation's process safety systems. In order to adequately perform Step 1, "Identify Failure Scenarios," some discussion of information requirements in general, and distillation systems in particular, is warranted, along with specific information pertaining to this process.

B.2 GENERAL INFORMATION REQUIREMENTS

The following information will be required to properly evaluate potential failure scenarios. Some of this information will routinely exist; other, less commonly used data (such as piping isometrics) may need to be estimated (for new installations) or generated from field reviews (for existing installations) before a proper evaluation can be completed.

• Heat and material balance (HMB) data (steady state)
• Material safety data sheets (MSDSs) for all chemicals
• Chemical reactivity data (primary and side/secondary reactions, if applicable)
• Accurate piping and instrumentation diagrams (P&IDs)
• Equipment arrangements and plant layouts
• Pressure vessel drawings (with maximum allowable working pressure, or MAWP, maximum vacuum, and maximum and minimum operating temperature information)
• Control valve and relief valve instrument data sheets
• Unsteady state (startup, shutdown, upset) conditions
• Cleanout procedures, including all non-process chemicals used
• Equipment computer models for evaluation of deviations from steady state conditions, or for evaluation of worst-case startup and shutdown conditions
• Utility supply information (composition, pressure, temperature, voltage, etc.)

EXHIBIT B1 Material Balance and Basic Process Control System

[Flow sheet figure with stream table for streams 1 through 8 (feed, reflux, overhead product, underflow product, main condenser #1 (MC#1) and #2 (MC#2) liquid out, vent, steam, and the 40%/60% by weight EG/H2O utility streams), giving flow (lb/hr), composition, HCl/VCM mole fraction, temperature (°F) and pressure (psia). The tabulated values are not recoverable from the scanned page.]

B.3 PSS DISCUSSION FOR DISTILLATION OPERATIONS

B.3.1 Vessel Design and Primary Containment

A common feature of many distillation systems is their initial expense, or capital cost. Particularly for large volume products, the physical size and cost of the equipment can be large. This leads to a great deal of effort in optimizing the equipment sizes, relative to one another and to the rest of the production facility. If this optimization is not done with a systems approach with due consideration of process safety, savings in vessel cost can be more than offset by the relatively greater expense of additional active or procedural PSSs required.

Although not always recognized as such, the proper design, construction and maintenance of primary containment systems (process pressure vessels and storage tanks) is the first and best line of defense against catastrophic events. As such, the ASME Boiler and Pressure Vessel Code (1995), API Standard 650 1993 and API Standard 620 1990 are key PSS-related resources. In most states and some countries, the ASME code is followed by law. ASME Code Section VIII contains specific requirements for design, testing and relief of vessels whose operating pressure is greater than 15 psig.

EXHIBIT B2 Equipment List

Equipment Item             | Item No. | Description and Tentative Size           | Material of Construction     | Preliminary Design Pressure | Preliminary Design Temperature
VCM Column                 | C-201    | 8 ft dia x 62 ft, 52 sieve trays         | Zirconium-clad steel         | 200 psig and -2 psig (vac)  | 350°F
Main Overhead Condenser #1 | E-201A   | 46 in dia x 16 ft tube length, 5655 ft2  | Zirconium tubes, steel shell | 200 psig and full vacuum    | 350°F
Main Overhead Condenser #2 | E-201B   | 40 in x 16 ft tube length, 3927 ft2      | Zirconium tubes, steel shell | 200 psig and full vacuum    | 350°F
Reflux Accumulator         | V-208    | 6 ft dia x 6 ft straight side            | Zirconium-clad steel         | 200 psig and full vacuum    | 350°F
Reboiler                   | E-207    | 40 in dia x 10 ft tube length, 3927 ft2  | Zirconium tubes, steel shell | 200 psig and full vacuum    | 350°F

The CCPS Publication Guidelines for Engineering Design for Process Safety (CCPS 1993) also provides useful information, and will be used as a reference for this portion of the example. Other specific references, such as NFPA 77 1993 and API RP 2003 1991, may also have applicability.

B.3.2 Control Systems and Safe Automation

Distillation operations typically involve large quantities of potential energy, either in the form of utility energy (steam, hot oil, refrigeration, etc.) or associated in the process (heated feed streams, elevated operating pressure, large inventories of volatiles and flammables, etc.). Most control strategies focus initially on keeping these processes at steady state, as the purity from distillation operations is extremely sensitive to small changes in process variables. Without giving due consideration to the startup, shutdown, upset, and other potential unsteady state conditions that the system may encounter, a good control strategy for operation at steady state may prove wholly inadequate in dealing with unusual or infrequent deviations. Thus, the control strategy, examined as a part of the overall safe automation plan, must be put together in order to have a reliable, cost-effective system capable of optimal production under normal circumstances, and must respond adequately in the event of abnormal or upset conditions.

Unlike vessel design and construction, there are very few regulatory requirements surrounding the use of automatic controls for PSS applications. The CCPS Publications "Guidelines for Safe Automation of Chemical Processes" (1994) Chapters 4 and 5, and "Guidelines for Engineering Design for Process Safety" (1993), Chapter 9 provide a useful compilation of current industry practices.

For this example, Exhibit B1 shows only six primary control loops needed to maintain this process at steady state. This is what CCPS (1994), Chapter 4 refers to as the Basic Process Control System (BPCS). Like vessel design, proper attention to this fundamental design is the first, and best defense against an uncontrolled release of process material to the environment. However, given the potential hazards involved, it is reasonable to expect that additional measurement and control points will be needed to provide adequate early warning of potentially dangerous deviations from normal conditions. It is important to develop a clear strategy of safe operating limits, alarms, interlocks and emergency shutdown devices (ESDs) which constitute the Safety Instrumented Systems (SIS) at an early stage of process development. This is so that costs can be estimated, equipment designed to accommodate the necessary additional measurement points, and the appropriate level of reliability needed evaluated. The effect of instrument location and the reliability of components, as well as other process requirements must also be determined. To do this, some information on the possible upset conditions and unsteady state operating conditions will be needed to evaluate the effectiveness and determine the location of SIS sensors and devices. Some additional process and unit operations simulation may be necessary to generate the required design information. CCPS (1994), Chapter 5 gives additional information on this subject.

B.3.2.1 Alarm Strategy

For all alarms, it should be noted that with electronic instrumentation and a distributed control system (DCS), two high and two low alarm points are usually included with the control point. Thus, alarm strategies which make use of these "free" points can serve as a very cost-effective way of increasing the number of alarm points without increasing the cost of the system. These additional alarm points do not provide the redundancy necessary for some interlock initiators. If using older, pneumatic instrumentation, alarm points of any kind are an increased cost. Of course, one thing which must be avoided is the casual use of alarm points simply because they exist. Excessive nuisance alarming can cause the operator to become indifferent to alarms (since they go off so frequently) or deactivate them, or become confused in a true emergency (because so many alarms are actuated simultaneously).

B.3.2.2 Interlock Strategy

Once alarm parameters have been determined, this same information can be used to develop a general philosophy and execution strategy for interlocks. Process and safety interlocks differ from one another in that, whenever the process condition which caused the process interlock to activate is corrected, the control function usually returns to normal. Safety interlocks often must be manually reset before control can return to normal. An analysis of the allocation of supervisory roles between the operator and automatic control systems should be made before a decision to interlock is reached.
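The behavioural difference between process and safety interlocks described above, as an added example that is not from the book: a minimal trip-state model in which a process interlock returns to normal as soon as its initiating condition clears, while a safety interlock latches and honours a manual reset only once the condition is gone. The class, event names and replay helper are this example's own constructions.

```python
from typing import List


class Interlock:
    """Trip-state model of one interlock.

    Process interlocks (latching=False) clear automatically when the
    initiating condition returns to normal. Safety interlocks
    (latching=True) stay tripped until manually reset, and the reset is
    refused while the initiating condition is still present.
    """

    def __init__(self, name: str, latching: bool):
        self.name = name
        self.latching = latching
        self.tripped = False
        self.condition_active = False

    def update(self, condition_active: bool) -> bool:
        """Feed the current state of the initiating condition; return the trip state."""
        self.condition_active = condition_active
        if condition_active:
            self.tripped = True
        elif not self.latching:
            # Process interlock: control function returns to normal by itself.
            self.tripped = False
        return self.tripped

    def reset(self) -> bool:
        """Manual reset. Returns True if honoured, False if refused."""
        if self.condition_active:
            return False
        self.tripped = False
        return True


def run_sequence(latching: bool, events: List[str]) -> List[bool]:
    """Replay constructed events ('trip', 'clear', 'reset') against one interlock
    and return the trip state after each event."""
    ilk = Interlock("demo", latching)
    history = []
    for ev in events:
        if ev == "trip":
            ilk.update(True)
        elif ev == "clear":
            ilk.update(False)
        elif ev == "reset":
            ilk.reset()
        else:
            raise ValueError(f"unknown event: {ev}")
        history.append(ilk.tripped)
    return history


if __name__ == "__main__":
    events = ["trip", "clear", "reset"]
    print("process interlock:", run_sequence(False, events))
    print("safety interlock: ", run_sequence(True, events))
```

Replaying the same trip/clear/reset sequence against both kinds makes the allocation question concrete: the latching variant hands the decision to restart back to the operator, which is exactly the supervisory-role choice the text says should be settled before interlocking.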

Another issue concerning safety interlocks is the use of automatic controls to mitigate potential overpressure in place of relief systems. Neither ASME nor API provide explicit guidance on the use of safety instrumentation to mitigate relief requirements, and risk management policies vary widely concerning the use of instrumentation or any active system to protect against overpressure. Issues such as the reliability and cost of safety interlock systems and their related field devices (sensors, isolation valves, etc.) as compared to the reliability of relief systems must be considered in weighing the tradeoffs.

B.3.2.3 Valve Failure Position

Closely related to this strategy is the decision on how automatic control and block valves should fail under loss of motive energy or control signal. In general, energy sources (such as steam, hot oil, or high pressure gas) are designed to fail closed (FC) to isolate the process from excessive energy input. Energy-removing streams (coolants, vents, etc.) are usually fail open (FO) to bring the system to a lower potential energy state under emergency conditions. While not always true, these guidelines should apply to most cases considered. Another issue which must be addressed is the difference in failure position upon instrument air (IA) failure as compared to the failure position on electronic signal failure. Often, a valve can be set to fail in one direction when IA is lost; however, the controller manipulating this valve may have an entirely different failure position which may take the system to an unsafe condition. Both types of failure positions must be addressed independently.

There is a third category of valve failure position, that of fail-last-position (FL) which is not as frequently used in process systems. However, there may be occasions where FL valves are needed for production reasons and also have safety implications. These situations should be carefully analyzed before the valve failure position is finalized.
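The failure-position review described in B.3.2.3 can be written down as a check that examines the instrument air (IA) failure position and the signal failure position of each valve independently against the rule of thumb given above (energy-input streams FC, energy-removing streams FO), and flags fail-last-position (FL) valves for separate analysis. The following is an added worked example, not code from the CCPS guideline; the service categories, valve tags and the representation of the controller's signal-failure output as FC/FO/FL are constructed for illustration.

```python
"""Valve failure-position review for loss of instrument air (IA) and loss of
control signal. Added example (not from the CCPS guideline); tags, service
categories and the FC/FO/FL encoding of controller output are constructed.
"""
from dataclasses import dataclass
from typing import List

# Expected safe position by service category (the guideline's rule of thumb).
SAFE_POSITION = {
    "energy_input": "FC",    # steam, hot oil, high pressure gas
    "energy_removal": "FO",  # coolant, vent
}


@dataclass
class ControlValve:
    tag: str
    service: str          # key of SAFE_POSITION
    ia_failure: str       # actuator position on loss of IA: FC, FO or FL
    signal_failure: str   # position driven by the controller on signal failure


def review_valve(valve: ControlValve) -> List[str]:
    """Return findings for one valve; an empty list means both failure modes
    drive the valve to the expected safe position."""
    expected = SAFE_POSITION[valve.service]
    findings = []
    # The two failure modes are independent settings, so each is checked on its own.
    for mode, actual in (("instrument air failure", valve.ia_failure),
                         ("signal failure", valve.signal_failure)):
        if actual == "FL":
            findings.append(f"{valve.tag}: fail-last-position on {mode} needs specific analysis")
        elif actual != expected:
            findings.append(f"{valve.tag}: {mode} drives valve {actual}, "
                            f"expected {expected} for {valve.service}")
    return findings


def review_all(valves: List[ControlValve]) -> dict:
    return {v.tag: review_valve(v) for v in valves}


# Constructed sample: a steam valve whose actuator fails closed on IA loss but
# whose controller drives it open on signal failure (the mismatch the text
# warns about), a correctly specified coolant valve, and an FL vent valve.
SAMPLE = [
    ControlValve("TV-101-steam", "energy_input", "FC", "FO"),
    ControlValve("TV-102-coolant", "energy_removal", "FO", "FO"),
    ControlValve("PV-103-vent", "energy_removal", "FL", "FO"),
]

if __name__ == "__main__":
    for tag, findings in review_all(SAMPLE).items():
        print(tag, "OK" if not findings else findings)
```

Running the sample reports the steam valve once (its signal-failure position disagrees with its IA-failure position) and the vent valve once (FL requires the case-by-case analysis the text calls for), while the coolant valve passes.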

B.3.3 Pressure and Vacuum Relief

A significant safety-related design problem for equipment in general is the appropriate selection of the sizing basis for emergency pressure and vacuum relief devices. Relief devices are required for vessels covered by ASME Code, but the basis for sizing and selecting these devices is left up to the system designer. Relief device sizing methodology is particularly critical if two-phase flow occurs due to reactive, foaming or viscous effects. For these systems, methodologies such as those developed by the Design Institute for Emergency Relief Systems (DIERS) should be used. In the absence of two-phase flow, more conventional techniques can be applied.

The need for and location of relief devices should be identified as early in the design as possible, as an integral part of PSS strategy formulation. The disposition of relief effluents (flaring, secondary containment, quenching, or relief to atmosphere) may influence the type and position of relief devices needed. The CCPS publication "Guidelines for Pressure Relief and Effluent Handling Systems" (CCPS 1997a) provides guidance on the selection and design of disposal systems. Relief system design bases may also be altered by the presence of other passive or active safety systems, such as fireproof insulation or instrumentation, back pressure influences, or the need for downstream effluent disposal systems such as flares.

Once the proper design basis has been determined, sizing of the appropriate devices can proceed using requirements and information listed in the reference section at the end of this example.

B.3.4 Fixed Fire Protection, Passive Mitigation and System-Wide Concerns

Once key interlock and relief requirements have been set, post-release mitigation systems must be evaluated. These include fixed fire protection systems as described in NFPA 15 1990, life safety code requirements per NFPA 101 1997, and other mitigation techniques such as plant layout, equipment arrangement, diking and berming, and other site-related issues. Little or no regulatory guidance exists for these issues; API RP 752 1995 and the CCPS book "Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires" (CCPS 1996) address the siting issues.

Selection of the PSS design basis also involves a system-wide analysis for synergistic hazards not revealed by consideration of the failure scenarios of individual unit operations only. This analysis should address the relationship between the operation in question and other unit operations in the process, the utility and outside battery limits operations that might be adversely affected by upsets in the operation in question, and the interrelationship of utilities which might result in a common-mode failure (such as steam and electricity cogeneration failure).

B.4 DESIGN BASIS SELECTION PROCESS

This section uses the systematic risk-based technique for selecting the design bases for process safety systems discussed in Chapter 2. Use of the technique imposes discipline on the thought process, yet allows for flexibility in application. The design bases selection technique is comprised of a number of analysis and testing steps, detailed graphically in a decision tree (See Exhibit 2.2 in Chapter 2).

Step 1: Identify Failure Scenarios

In this example, each of the selection steps (1-9) will be discussed generally. Then, steps 2-8 will be repeated in detail for each of the five potential failures listed below. The primary hazards of interest for VCM and HCl are flammability and toxicity; therefore, efforts for this example will be focused in these areas. Reactivity hazards will not be considered in this example, although in a real VCM process, this area would need considerable attention, since unsteady state or upset conditions in other portions of the plant could lead to reactive hazards in the VCM/HCl separation area as well. Corrosion will be considered as a potential failure scenario (leading to loss of containment) rather than a hazard in and of itself. Some equipment, such as pumps, filters and other auxiliary equipment has not been considered in this example in order to focus on identification of potential failure scenarios using the tables in Chapters 3 (Vessels), 5 (Mass Transfer Equipment) and 6 (Heat Transfer Equipment).

A first pass through these tables yields 33 potential failure scenarios as shown in Exhibit B3. Several of these scenarios are duplicates, and many fall into similar areas of concern (e.g., overpressure) and could be evaluated together.

This example will focus on five specific potential failure scenarios:

A. Uncontrolled energy (steam) input (Overpressure, Overtemperature per Table 3-9)

B. External fire (Overpressure, Overtemperature per Table 3-5, 3-29, 6-9)

C. Internal deflagration (Loss of Containment per Table 3-3)

D. Vacuum collapse of column (Underpressure, Loss of Containment per Table 3-21, 4-4)

E. Blocked-in liquids in heat transfer equipment (Overpressure per Table 3-17, 6-7)

The tables in this book are generic, in that they are intended to apply to a wide variety of equipment configurations and installations, and are not intended as a "one-stop" reference. Other references may contain more detailed information on specific subjects, such as the checklist published in API RP 520, Section 3.2, Table 1 (1993) for specific overpressure relief system design cases. As with any engineering tool, its applicability to a specific problem must be established each time it is used.

Step 2: Estimate the Consequences

Step 3: Determine Tolerability of Consequences

Consequence estimation requires information on the physical, chemical and toxic nature of the materials involved in the process, the quantity of material which could be involved in a scenario, the impact of each scenario on the surroundings (facility siting) and an economic evaluation of the impact of equipment damage and lost production.

This information can be obtained from the MSDS or other sources of product safety information. This, combined with the quantity of material in the process, can be used to assess fire, explosion and toxic effects using appropriate source terms, dispersion calculations and effect models for scenarios with the potential for materials release to the environment. Facility siting issues may also be brought in at this point.

Economic consequences must also be evaluated. These will be highly dependent on such factors as alternative sources of supply, availability of alternative production facilities, and replacement units.

EXHIBIT B3

Failure Scenario Number   Failure Scenario Description

3-1 Liquid overfill resulting in backpressure or excessive static head

3-2 Inadvertent or uncontrolled opening of high pressure utility system

3-3 Ignition of flammable atmosphere in vessel vapor space

3-5 External fire

3-6 Inadequate or obstructed vent path, resulting in high vapor space pressure during filling

3-7 Internal heating/cooling coil leak or rupture

3-9 Excessive heat input resulting in high vapor pressure

3-15 Blocked outlet flow path

3-17 Heating and thermal expansion of liquid

3-19 Failure of vacuum control system

3-20 Inadequate or obstructed vent path

3-21 Uncontrolled condensation/absorption of vapor phase component

3-22 Excessive liquid withdrawal rate

3-27 Control failure of heating/cooling system

3-29 External fire

3-36 Level control failure causing spill

3-38 Leak from heating/cooling system

3-39 Leak or excessive fill from liquid utility system (e.g., utility water)

3-40 Level control failure

3-41 Incorrect or unanticipated cross-connection causing uncontrolled outflow

3-44 Corrosion from process fluid

3-47 Open drain connections

4-1 Migration of internals into lines resulting in blockages

4-2 Blockage of packing/trays leading to excessive pressure drop in column

4-4 Uncontrolled condensation/absorption of vapor phase component

4-6 Fire when exposing packing internals with flammable material during maintenance

6-1 Corrosion/erosion of exchanger internals resulting in a heat transfer surface leak or rupture and possible overpressure of the low pressure side

6-2 Differential thermal expansion/contraction between tubes and shell resulting in tube leak/rupture (fixed tubesheet)

6-3 Excessive tube vibration resulting in tube leak/rupture and possible overpressure of the low pressure side

6-5 Loss of heat transfer due to fouling, accumulation of noncondensables, or loss of cooling medium

6-7 Cold side fluid blocked in while heating medium continues to flow

6-9 External fire

6-10 Loss of mechanical integrity of tube

EXHIBIT B4

NFPA 704 Rating VCM HCl

Fire 4 0

Health 2 3

Reactivity 2 1

For this example, from the MSDS, the NFPA 704 (scale of 0-4) ratings are shown in Exhibit B4.

With a fire rating of 4, VCM represents a significant fire and explosion potential. Also, with a reactivity rating of 2, there may also be a significant hazard inside the equipment as well. Given the relatively high preliminary design pressure of the equipment in this process (200 psig), shrapnel generation due to catastrophic vessel failure would also present a serious hazard to personnel or other process equipment in the vicinity of the installation.

Finally, given the size, throughput and materials of construction of this equipment, a significant incident that causes damage to the equipment would have severe economic property damage and business interruption potential.

Unmitigated operational deviations resulting in medium-level and high-level hazards have been determined to be unacceptable by the organization represented in this example. Therefore, the designer must provide alternatives which mitigate these consequences.

Step 4: Estimate Likelihood and Risk

Step 5: Determine Tolerability of Risk

Risk estimation can be the single most difficult step in this process. While consequence estimation is objective, likelihood evaluation often involves a direct and specific performance assessment in the ability of both individuals and organizations to manage risk, or the adequacy of a specific design or equipment item given its age and operating history. Because of this, great care must be taken to ensure its accuracy and lack of bias.

At some point, quantification of likelihood may be necessary, but often it is superseded by standardization into policies, engineering standards and standard practices. For example, failures with no or low consequences may be considered adequately controlled by normal process controls, whereas severe hazards (such as those with off-site ramifications) may require two or more independent levels of control or mitigation in addition to normal to bring the risk into an acceptable range.

Assessment of likelihood often requires evaluation of both plant systems and procedures. Equipment failure data are available from a number of sources, and while there are uncertainties and gaps in the data, these can be objectively and consistently evaluated through the use of plant data collection and component failure testing. Also, a comprehensive risk management plan based on the results of studies such as these can provide typical component failure rates to be used for a wide range of evaluations. CCPS (1989) is a source of both data and references for additional information.

Reliability of procedural safeguards, on the other hand, is tied to the effectiveness of training and the strength of managerial implementation and documentation. Not only are these hard to measure, they can change significantly, in either a positive or negative manner, due to a wide variety of factors, such as personnel turnover or change in management.

For this example, management has determined that the criteria shown in Exhibit B5 apply. The hazard levels described here are comparable to those shown in Exhibit 2.5. For simplicity, levels C1 and C2 have been combined into the low hazard category.

For low or medium-level hazards, two levels of independent procedural safeguards may be substituted for a single automatic safeguard. For high-level hazards, no procedural safeguards may be credited for mitigation.

Note that criteria similar to these are commonly found in industry; however, each company must make its own determination of risk acceptability levels.

EXHIBIT B5

Hazard Level       Consequence Definition                        Safeguards Required for Acceptable Risk Level
Low (C1 and C2)    Minor Injury Potential                        Normal Controls
Medium (C3)        Major On-site Consequence (See Exhibit 2.5)   One layer of independent non-procedural safeguard above normal controls
High (C4)          Major Off-site Consequence (See Exhibit 2.5)  Two layers of independent non-procedural safeguards above normal controls
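The acceptance criteria of Exhibit B5, together with the substitution rule stated above (two independent procedural safeguards may stand in for one automatic safeguard at low or medium hazard, and procedural safeguards earn no credit at high hazard), can be applied mechanically to a candidate process safety system. The following is an added worked example, not part of the CCPS guideline; the safeguard names in the sample designs are constructed, loosely following the choices made later in this example for scenario A.

```python
"""Check a candidate process safety system (PSS) against the risk acceptance
criteria of Exhibit B5 and the procedural-substitution rule. Added example,
not part of the CCPS guideline; sample safeguard names are constructed.
"""
from typing import Dict, List

# Exhibit B5: independent non-procedural layers required above normal controls.
LAYERS_REQUIRED = {"low": 0, "medium": 1, "high": 2}


def effective_layers(hazard: str, nonprocedural: int, procedural: int) -> int:
    """Credit rule from the example's guidelines:
    - low/medium hazard: two independent procedural safeguards may substitute
      for one automatic (non-procedural) safeguard;
    - high hazard: procedural safeguards receive no mitigation credit."""
    if hazard == "high":
        return nonprocedural
    return nonprocedural + procedural // 2


def evaluate_pss(hazard: str, safeguards: List[Dict[str, str]]) -> Dict[str, object]:
    """safeguards: list of {"name": ..., "kind": "nonprocedural" | "procedural"}.
    Returns the required and credited layer counts and the acceptability verdict."""
    if hazard not in LAYERS_REQUIRED:
        raise ValueError(f"unknown hazard level {hazard!r}")
    nonproc = sum(1 for s in safeguards if s["kind"] == "nonprocedural")
    proc = sum(1 for s in safeguards if s["kind"] == "procedural")
    credited = effective_layers(hazard, nonproc, proc)
    required = LAYERS_REQUIRED[hazard]
    return {"required": required, "credited": credited,
            "acceptable": credited >= required}


# Constructed sample designs for a high-level hazard (two layers required).
DESIGN_SELECTED = [
    {"name": "steam emergency block valve interlock", "kind": "nonprocedural"},
    {"name": "restricted steam control valve trim", "kind": "nonprocedural"},
    {"name": "operator response to high temperature alarm", "kind": "procedural"},
]
DESIGN_MOSTLY_PROCEDURAL = [
    {"name": "operator isolates steam on high temperature", "kind": "procedural"},
    {"name": "operator isolates steam on high pressure", "kind": "procedural"},
    {"name": "steam emergency block valve interlock", "kind": "nonprocedural"},
]

if __name__ == "__main__":
    for label, design in (("selected", DESIGN_SELECTED),
                          ("mostly procedural", DESIGN_MOSTLY_PROCEDURAL)):
        for hazard in ("medium", "high"):
            print(label, hazard, evaluate_pss(hazard, design))
```

The second design shows the effect of the hazard level on credit: at medium hazard its two procedural safeguards count as one automatic layer and it passes with two credited layers, while at high hazard the same design credits only one layer and is rejected.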

Step 6: Consider Enhanced and/or Alternative Designs

Step 7: Evaluate Enhancements and/or Alternatives

Step 8: Determine Tolerability of Risk and Cost

Steps 6-8 are analogous to steps 3-5, evaluating the modified system instead of the original, unacceptable design. The tables in Chapters 3-12, along with other specific references, are intended to suggest potential alternatives to enhance the risk acceptability of the design. Not all solutions presented in the tables will be applicable to every situation. Each potential enhancement must be evaluated for:

• Technical Feasibility—Will it work at all?
• Applicability to a specific situation—Will it work here?
• Cost/Benefit—Is it the best use of resources, or can greater risk reductions be achieved by spending the same money elsewhere?
• Synergistic/Mutual Exclusivity effects—Will this solution work in conjunction with other potential enhancements, or will its implementation eliminate other potential beneficial solutions from being considered?
• Additional New Hazards—Will this solution create new hazards that must be evaluated?

Once a course of action is decided upon, it again must be evaluated for risk and cost acceptability. Steps 6-8 must be repeated until an acceptable reduction in risk has been achieved. Note that, if all technical options are exhausted with the risk level remaining unacceptably high, the only alternative may be to find a replacement for the process step.

Following is a detailed discussion of steps 2-8 for each of the five scenarios of interest for this example.

B.5 UNCONTROLLED ENERGY INPUT (FAILURE SCENARIO A)

As is the case with most distillation operations, unmitigated heat input in the form of steam or other heating medium has the potential for generating an overpressure condition in a distillation unit. Such could be the case here, as the preliminary column design pressure is 200 psig, and VCM's vapor pressure at 100 psig steam saturation temperature (~170°C) is over 800 psig. Rupture of the distillation column or any auxiliary equipment (such as heat exchangers) has been classified as a high hazard consequence, requiring two levels of safeguards above normal controls. Reboiler tube rupture can often be a source of uncontrolled energy input; however, in this example, reboiler tube rupture is not a credible case since the process design pressure is above the steam supply pressure.

Step 2: Estimate the Consequences

The failure scenario of uncontrolled energy input resulting in high vapor pressure may result in an operational deviation of overpressure as noted in Table 3, Failure Scenarios for Vessels, item 9. Vessel overpressure and the resulting loss of vessel containment may present several medium-level and high-level hazards as defined in Exhibit B5. These consequences include potential fatalities or injuries and capital losses resulting from ignition of a flammable vapor cloud, as well as mechanical failure of the process equipment from overpressure and the potential damage to the environment resulting from release of process chemicals.

Step 3: Determine Tolerability of Consequences

Unmitigated operational deviations resulting in medium-level and high-level hazards have been determined to be unacceptable by the organization represented in this example. The system designer must provide appropriate process safety systems to further mitigate the consequences.

Step 4: Estimate Likelihood and Risk

Because unmitigated medium-level and high-level hazards are unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Step 3, the risks presented are not acceptable. A minimum of two nonprocedural safeguards are required in addition to the normal controls required to operate the process.

Step 6: Consider Enhanced and/or Alternative Designs

From Table 3, Item 9, the following options are available to the system designer for overpressure from uncontrolled energy input:

Inherently safer/passive:
• Vessel design accommodating maximum expected pressure
• Limit temperature or flow of heating medium

Active:
• Emergency relief device
• High temperature or pressure alarm with interlock to isolate heating medium

Procedural:
• High temperature or pressure alarm with operator activation of heating medium isolation

Inherently safer/passive

Providing a pressure rating of the process equipment greater than the maximum expected pressure can eliminate the failure of heating medium controls scenario. If the pressure rating of the equipment is greater than the vapor pressure of the process chemicals at the maximum heating medium temperature, failure of the heating medium controls cannot overpressure the process equipment. The cost of providing the increased pressure rating varies depending upon the materials of construction, the optional heating media available and the vapor pressure of the process chemicals.

The designer can limit the maximum vapor pressure of the process chemicals by limiting the temperature of the heating medium. For steam heated reboilers, this can be accomplished by selecting the lowest pressure steam available and further reinforced by installation of a relief valve in the steam supply to limit the effects of upsets in the steam system. If the vapor pressure of the process chemicals is limited by the maximum heating medium temperature to less than the pressure rating of the equipment, the failure scenario is effectively mitigated. Limitation of heating medium temperature is not feasible, since the temperature required to boil VCM with a reasonably sized reboiler is still hotter than required to exceed the system MAWP with pure VCM. However, limitation of the heating medium temperature by means of a steam desuperheater may still be desirable to protect against reactivity concerns which may be initiated by excessive temperature.

Additionally, the designer may limit the heat input to the system by limiting the flow of the heating medium. Limiting the heat input does not eliminate the failure scenario, but can reduce the vapor boilup and reduce the size of any relief device sized for failure of heating medium controls. Limitation of flow is feasible, and may be an attractive alternative which can be accomplished economically by restricting the size of the steam control valve's trim, or using a smaller valve.

Active

Since all of the primary vessels in this system will be ASME Section VIII pressure vessels, some form of emergency relief is a requirement. Design of the relief system will be done in accordance with standard practices API RP 520 1993 and 521 1990 for nonreactive relief. If the designer chooses to mitigate this case with emergency relief, then relief device design bases should include relieving the vapor generated by uncontrolled heat input to the system, and sized to relieve the vapor boilup generated by the reboiler operating at maximum efficiency (i.e., with a clean heat transfer surface and maximum expected heating medium temperature). Discharges from the relief devices must be routed either to a location where the vapor release will not create further consequences or to an effluent handling system such as a flare. Because distillation reboilers often contain large surface area overdesign factors such as fouling factors and operating temperatures below maximum expected heating medium temperatures, the vapor relief rate from uncontrolled heat input may be very large. The system designer should evaluate the hazards posed by relief of the process vapor and the cost of installation of the relief system.

The system designer may choose to mitigate the failure scenario by installing a safety interlock to isolate the heating medium if safe process limits are exceeded. The designer must ensure that the interlock is dependable and may consider redundant initiators, logic and actuators. If possible, diverse redundancy (such as the use of one pressure and one temperature initiator) is desirable to protect against a common-mode failure. Additionally, the designer cannot select instrumentation that may be inoperable due to process conditions or interlock bypasses. The use of a high temperature sensor to isolate the heating medium is an attractive option here. Using a temperature measurement in the condenser vapor outlet line gives a fast indication of excessive energy input. Because this is a high hazard operation, at least two temperatures, or a temperature and pressure measurement through independent logic paths and two final field devices (i.e., valves) will be needed to activate the steam isolation system.

For reboilers, the steam can be isolated by use of an emergency block valve installed in the steam supply. The steam control valve may not be an effective isolation device by itself, but may be used with an isolation valve to give two final field devices. Careful consideration should be given to the effectiveness of the control device in this service. The temperature and/or pressure in the distillation system may be used to initiate the interlock. The facility management responsible for operating and maintaining the system must establish effective controls to ensure that the interlock system is operational whenever the process unit is operating.
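The interlock architecture described in the two paragraphs above (diverse initiators, independent logic paths, two final field devices) can be exercised with a small simulation that shows why each element matters: a bypassed or failed initiator on one path still leaves the other path able to isolate steam, and a stuck valve still leaves the second final element. The following is an added worked example, not code from the CCPS guideline; the trip setpoints, the 1-out-of-2 voting across the two paths and the de-energize-to-trip behaviour on transmitter failure are constructed assumptions for illustration.

```python
"""Simulation of a diverse, redundant steam-isolation interlock: a high
temperature and a high pressure initiator, each on its own logic path, and
two final elements (emergency block valve and steam control valve). Added
example, not CCPS code; setpoints, voting and trip-on-fault are constructed.
"""
from typing import Dict

TRIP_TEMP_C = 120.0       # constructed high-temperature trip setpoint
TRIP_PRESS_PSIG = 180.0   # constructed high-pressure trip, below the 200 psig design


def logic_path(value: float, setpoint: float, healthy: bool, bypassed: bool) -> bool:
    """One independent logic solver. Trips when its initiator exceeds the
    setpoint. A failed transmitter trips to the safe state (de-energize-to-trip,
    assumed here); a bypassed path never trips, which is the hazard the text
    warns about when instrumentation may be inoperable or bypassed."""
    if bypassed:
        return False
    if not healthy:
        return True
    return value > setpoint


def steam_isolated(state: Dict[str, object]) -> Dict[str, bool]:
    trip_t = logic_path(state["temp_c"], TRIP_TEMP_C, state["tt_healthy"], state["tt_bypassed"])
    trip_p = logic_path(state["press_psig"], TRIP_PRESS_PSIG, state["pt_healthy"], state["pt_bypassed"])
    demand = trip_t or trip_p   # 1oo2 voting across the diverse initiators (assumed)
    # Both final elements are commanded on a trip demand; a valve that fails
    # to stroke ignores the command, so isolation succeeds if either closes.
    ebv_closed = demand and not state["ebv_fails_to_close"]
    cv_closed = demand and not state["cv_fails_to_close"]
    return {"demand": demand, "ebv_closed": ebv_closed, "cv_closed": cv_closed,
            "isolated": ebv_closed or cv_closed}


def base_state(**overrides) -> Dict[str, object]:
    """Constructed normal operating state; keyword overrides inject faults."""
    s = dict(temp_c=90.0, press_psig=100.0,
             tt_healthy=True, pt_healthy=True,
             tt_bypassed=False, pt_bypassed=False,
             ebv_fails_to_close=False, cv_fails_to_close=False)
    s.update(overrides)
    return s


if __name__ == "__main__":
    cases = {
        "normal operation": base_state(),
        "high temperature": base_state(temp_c=130.0),
        "high temperature, TT bypassed": base_state(temp_c=130.0, tt_bypassed=True),
        "high temp and pressure, TT bypassed": base_state(temp_c=130.0, tt_bypassed=True, press_psig=190.0),
        "high temperature, block valve stuck": base_state(temp_c=130.0, ebv_fails_to_close=True),
    }
    for name, st in cases.items():
        print(f"{name}: {steam_isolated(st)}")
```

The "TT bypassed" case is the one to look at: with only the temperature path in service and bypassed, the interlock does nothing until the diverse pressure initiator also reaches its setpoint, which is exactly why the text requires that management keep the interlock operational and that bypasses be controlled.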

Procedural

The system designer may mitigate the failure scenario through procedural controls by requiring operator action to isolate the heating medium when safe process limits are exceeded. The warning system requirements are the same as previously discussed for interlock initiators. Additionally, the facility management must ensure that the system operators are trained to react properly should safe process limits be exceeded. This option is less reliable than interlocks due to the possibility of human error. Because of its classification as a high-level hazard, procedural options may not be used to mitigate hazards at this level. However, it would be wise to include a discussion of operator actions on high temperature indication even if no mitigation credit is claimed.

Step 7: Evaluate Enhancements and/or Alternatives

Inherently safer/passive

Providing a mechanical design with the process vapor pressure at the maximum expected heating medium temperature will mitigate the failure scenario. For the system used in this example, the designer determined this option to be impractical. The vapor pressure of the process chemicals was too high to allow a cost effective mechanical design. However, even if the failure scenario cannot be completely eliminated, designing the vessels for the maximum practical design pressure will help reduce the size of the relief device.

Limiting the heating medium flow via a reduced valve size or a restriction orifice will reduce the vapor boilup rate, but will not eliminate the failure scenario. The designer was able to demonstrate, through atmospheric dispersion modeling of the column relief discharge, that the vapor boilup at the maximum steam flow would not create a major off-site incident. Use of this control was considered one of the two nonprocedural safeguards required by company management to adequately mitigate a high-level hazard event. However, to ensure that other, non-safety-related changes not be made to this valve which could adversely impact its safety function, maintenance of the valve was included on the plant's critical equipment list.

Active

Installation of an emergency relief device can effectively mitigate the effects of uncontrolled energy input. However, the vapor rate discharged through the relief device to atmosphere was, in itself, a significant safety hazard and required mitigation by flare or scrubber. The cost in installation of the relief system was considerable. The designer elected not to install a relief device sized for the maximum possible uncontrolled energy input, electing instead to investigate and implement other, more cost-effective ways to reduce the relief system design basis.

Installation of an interlock system can mitigate the failure scenario. The risk management guidelines for the organization represented in this example have determined that independent redundant systems are required to mitigate a medium-level or high-level hazard. The guidelines permit installation of a single isolation valve to provide the interlock action provided that it is properly maintained and is not used for process control. The designer elected to install an emergency block valve in the steam supply initiated by either high column pressure or high column temperature. In addition, the interlock initiators also close the steam control valve as an added measure of protection. Maintenance of the interlock equipment was included on the plant's critical equipment list, which must be tested on a regularly scheduled basis. Modifications of all the interlock equipment, including initiators, logic and steam valve, was included in the plant's management of change (MOC) procedure.

Procedural

As described in the risk management guidelines, procedural controls were not considered sufficient to mitigate the effects of the consequences described in this example. The designer elected to use a safety interlock system rather than procedural safeguards.

Step 8: Determine Tolerability of Risk and Cost

The PSS selected by the designer included installation of two levels of independent non-procedural safety interlocks and use of a restricted steam control valve size to limit the heat input. This system meets the requirements provided by the management guidelines. The capital project evaluation team determined the cost acceptable to permit installation of the process. Note however, that this did not eliminate the need for a relief device, as outlined in the following section.

Step 9: Documentation

As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.

B.6 EXTERNAL FIRE (FAILURE SCENARIO B)

External fire as a failure scenario almost always occurs where flammables and combustibles are processed and/or stored. Impingement fires on wetted and unwetted vessel surface constitute a major threat to the integrity of the affected vessel, and unlike the uncontrolled energy input case, are external to the process and therefore can't be mitigated by instrumented solutions. Sometimes the fire case can be eliminated as a credible failure by burying equipment, or elevating equipment out of the fire affected zone. However, for large equipment which needs to be supported by a foundation, elevation above the fire affected zone is not always practical. Also, jet flame impingement concerns for reaction initiation cannot be mitigated by elevation. Deluge fire protection may also help mitigate fire exposure to limit the consequences of a fire, but is not always taken credit for in reducing relief device size.

Step 2: Estimate the Consequences

The failure scenario of external fire may result in operational deviations of overpressure or high temperature as noted in Table 3, item 5, Failure Scenarios for Vessels. Vessel overpressure and the resulting loss of vessel containment may present several medium-level and high-level hazards as defined in the general discussion for step 4 in this example. These consequences include the potential fatalities, permanent disabilities or injuries and capital losses resulting from ignition of a flammable vapor cloud or mechanical failure of the process equipment from overpressure and the potential damage to the environment resulting from release of process chemicals.

In this example, the operational deviation of high temperature does not result in a potential consequence, since the materials of construction of the equipment are compatible with and maintain their mechanical integrity at process temperatures generated under fire relieving conditions, and all major equipment is automatically deluged for fire protection.

Step 3: Determine Tolerability of Consequences

Unmitigated operational deviations resulting in medium-level and high-level hazards have been determined to be unacceptable risks by the organization represented in this example. The system designer must provide appropriate process safety systems to further mitigate the consequences.

Step 4: Estimate Likelihood and Risk

Because unmitigated medium-level and high-level hazards are unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Step 3, the risks presented are not acceptable. A minimum of two nonprocedural safeguards are required in addition to the normal controls required to operate the process.

Step 6: Consider Enhanced and/or Alternative Designs

From Table 3, Item 5, the following options are available to the system designer for overpressure from external fire:

Inherently safer/passive:
• Buried Tank
• Fireproof insulation
• Slope away diking with remote impounding of spills
• Locate outside effective fire zone
• Adequate tank-to-tank separation
• Secondary enclosure

Active:
• Fixed fire protection water spray (deluge)
• Emergency relief device
• Flammable gas, flame, and/or smoke detection devices

Procedural:
• Emergency response plan
• Manual activation of fixed water spray fire protection

Inherently safer/passive

Process equipment may be buried to mitigate or eliminate the failure scenario of external fire. This design is most often used for equipment which does not require access by maintenance or operations except from above. It is not practical for distillation systems, which require access both for operations and maintenance.

Fireproof insulation does not eliminate the failure scenario; however, it can greatly reduce the heat input from a fire, lower the corresponding vapor boilup rate and reduce the size of any relief device sized for fire relief. Heat input from external fire can be reduced by 90% or more by installation of fireproof insulation systems. The cost of installing fireproof insulation is considerably higher than for normal insulation systems due to the requirement for insulation materials and appurtenances which can withstand fire temperatures, such as stainless steel sheathing and banding to ensure that the insulation stays in place during a fire.

Slope-away diking with remote impounding of spills can be used to remove flammable chemicals to a location where they can be safely dealt with. Industry practices such as API RP 520 1993 and Federal Regulations such as 29 CFR 1910.106 do not permit the system designer to eliminate external fire as a failure scenario by installation of adequate drainage alone, but they do permit reduction in heat input by 50-60%. This system may require installation of a remote remediation system as well as a special containment dike and drains. A preventive maintenance program is also required to ensure the system is operational, including periodic draining of rainwater to ensure the availability of adequate containment volume. The cost of installation is significant, particularly when remote remediation (e.g., impounding) is required.

The failure scenario of external fire can be eliminated completely by installing the process equipment outside the fire zone, either laterally or vertically. Equipment may be located above the fire zone (typically 25 to 30 ft above a surface that can sustain a pool fire). This is impractical for the large distillation equipment used in this example because of the need for structural support. Because the process equipment used in this example contains flammable chemicals which may fuel the fire, the equipment cannot be located laterally outside the fire zone.

The system designer may elect to mitigate the effects of failure from overpressure on adjacent vessels by locating the equipment at a spacing that will not allow a leak from one vessel to seriously threaten another vessel with pool fire exposure. For systems connected by large piping or requiring close coupling of process equipment, this may prove impractical.

Secondary enclosures may be used to isolate the equipment from a liquid pool caused by a leak from a neighboring vessel that may sustain the fire, particularly in applications that do not require access for maintenance or operations. Installation of secondary enclosures is not practical for distillation systems, which often require access by both operations and maintenance personnel.

Active

Fixed fire protection, activated by local heat, smoke or flame sensing devices, may be installed to mitigate the effects of external fire. Industry practices such as API RP 520 1993 and Federal Regulations such as 29 CFR 1910.106 do not allow the system designer to use fixed fire protection systems to eliminate external fire as a failure scenario requiring overpressure protection; however, they do permit reduction in design heat input by up to 70%. The incremental cost of adding a process unit to an existing plant fire protection system is usually minimal.

Emergency relief devices may be installed to relieve the vapor generated by the fire heat input to the system. The devices are sized based on the procedures described in API RP 520 1993. Discharges from the relief devices must be routed either to a location where the vapor release will not create further consequences or to an effluent disposal system such as a flare.

Flammable gas, flame or smoke detection devices can be used to reduce the consequence of an incident by either activation of a mitigation system or warning operators or emergency response personnel. Gas detection effectiveness is subject to atmospheric conditions such as humidity and wind and may be unreliable for primary mitigation for the outdoor installation described in this example, or for the timely detection of liquid spills. Flame or smoke detection, or other more sophisticated chemical-specific devices, or scanning devices (such as tuned lasers) may be used to activate other mitigation systems such as fixed fire protection systems and emergency response.

Procedural

Emergency response plans reduce the consequences of an incident by activating emergency response teams, shutting down other processes which may contribute to the incident or may be threatened by the incident, and removing people from the area.

Step 7: Evaluate Enhancements and/or Alternatives

Inherently safer/passive

The buried tank and secondary enclosure options were eliminated by the system designer because of the need to access the equipment by maintenance and operations. The option of locating the equipment outside the fire zone did not apply to the system due to the inventory of flammable material. The designer chose not to use distance as a mitigating control due to the cost, both in piping and real estate, of the installation.

Both the fireproof insulation and diking and drainage options mitigate the effects of external fire but do not eliminate them. The system designer elected not to install either of these options because of the increased cost. Relief device sizing was done without taking credit for either of these mitigations.

Active

Installation of both fixed fire protection and emergency relief devices can effectively mitigate the effects of external fire. The system designer elected to install both options. Addition of flammable gas, flame or smoke detection can provide warning but will not eliminate the failure scenario. The designer elected not to install the detectors, instead relying on operator surveillance.

Procedural

Procedural controls were not considered sufficient to mitigate the effects of the consequences described in this example. However, the system designer elected to provide an emergency response plan to reduce the magnitude of the consequences.

Step 8: Determine Tolerability of Risk and Cost

The PSS selected by the designer included installation of fixed fire protection and emergency relief devices and the additional procedural control of an emergency response plan. This system meets the requirements provided by the management guidelines. In the evaluation step, it was determined that a rupture disk/relief valve combination installation was the preferred cost alternative, since the column material of construction (Zirconium 702) was extremely costly, and the combination of a Zirconium disk and a stainless steel relief valve, even with the additional required instrumentation, was significantly less expensive than a Zirconium relief valve alone. The capital project evaluation team determined the cost acceptable to permit installation of the Zirconium disk and a stainless steel relief valve.

Step 9: Documentation

As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.

B.7 INTERNAL DEFLAGRATION (FAILURE SCENARIO C)

Internal deflagrations can occur inside process and storage vessels if oxygen enters to form a flammable atmosphere in the head space of the vessel or tank. Generally, this is a more prevalent condition for batch vessels, which are opened frequently during processing operations for material addition or sampling. For this example, the probability of this occurring is near zero, given the high vessel design pressure, unless oxygen is not adequately purged during startup. For large, continuous operations such as distillation, the primary causes for creating a flammable atmosphere in the equipment are improper startup conditions (oxygen is not properly removed after maintenance operations which put air into the vessel) or process upsets or changes which cause air to be drawn in to prevent vacuum collapse of the vessel. For this proposed process, air can only be introduced into the system during startup or maintenance conditions, when the column pressure is near atmospheric. Therefore the consequences will be estimated not at column operating conditions, but at the condition most likely to lead to the hazard (i.e., atmospheric pressure).

Step 2: Estimate the Consequences

NFPA 69 1997, Chapter 5 gives guidance on the design basis for vessels designed for deflagration pressure containment. The presence of HCl, which acts as a non-flammable diluent and thus reduces the ultimate maximum deflagration pressure, is ignored in order to simplify the analysis. The limiting oxidant concentration (LOC) of VCM, per NFPA 69 1997 Appendix C, is 13.4 volume percent in the nitrogen/air system.

Assuming the vessel to be initially filled with air, the partial pressure of oxygen is that of ambient air, or 0.21 × 14.7 = 3.1 psia. If we solve for the total system pressure Pt at which the oxygen concentration is at the LOC, we get:

y_O2 = LOC = 0.134

0.134 = 3.1/Pt

Pt = 3.1/0.134 = 23 psia

Therefore, the system becomes non-flammable once the total pressure exceeds 23 psia during start-up. Assuming the deflagration was initiated at this pressure, and a maximum pressure rise of 10 times the starting pressure, the final pressure that would be obtained is:

Pmax = 10 × Pt

Pmax = 10 × 23 = 230 psia = 215.3 psig

However, the VCM concentration at the initial pressure is approximately 36 volume percent (i.e., 100 − 13.4/0.21). Since this is much richer than the stoichiometric concentration, the deflagration pressure rise ratio should be considerably less than 10. The proposed column design pressure is 200 psig, so the estimated 215.3 psig is within the 10% accumulation (220 psig) allowed for by ASME Code Section VIII 1995. Therefore, the consequence of this situation is within the design limits of the column and is acceptable. No further analysis is required.
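The estimate above can be carried through as a small, reusable check. The following is an added worked example in Python and is not part of the CCPS guideline; it uses the text's inputs (VCM LOC of 13.4 volume percent from NFPA 69 1997 Appendix C, 21% oxygen in air, 14.7 psia ambient, a bounding pressure-rise ratio of 10, a 200 psig design pressure and 10% accumulation) and exposes each as a parameter so the same check can be rerun for another fuel or vessel. The function names and the dataclass are the example's own, not terminology from the guideline.

```python
"""
Added example (not from the CCPS guideline): the Scenario C consequence
estimate carried through as a reusable check.

Starting from an air-filled vessel that is pressurised with fuel vapour, the
oxygen partial pressure stays fixed at y_O2,air * P_atm while the total
pressure rises, so the head space stops being flammable once
    y_O2 = (y_O2,air * P_atm) / P_t  <=  LOC.
The worst credible deflagration is then taken at that limiting pressure with
a bounding pressure-rise ratio, and compared with the design pressure plus
the accumulation allowance.  Default inputs are the text's: VCM LOC 13.4 vol%
(NFPA 69 1997 Appendix C), air 21% O2, 14.7 psia, ratio 10, 200 psig design,
10% accumulation.  The rise ratio and allowance are parameters, not values
taken from any code beyond what the text states.
"""
from dataclasses import dataclass

ATM_PSIA = 14.7     # ambient pressure, psia
O2_IN_AIR = 0.21    # mole fraction of oxygen in dry air


@dataclass(frozen=True)
class DeflagrationEstimate:
    p_limit_psia: float     # highest total pressure at which O2 is still at the LOC
    fuel_fraction: float    # fuel mole fraction at that pressure (1 - air fraction)
    p_max_psia: float       # bounding deflagration pressure, absolute
    p_max_psig: float       # same, gauge
    p_allowed_psig: float   # design pressure + accumulation allowance
    within_design: bool     # True if p_max_psig <= p_allowed_psig


def flammable_pressure_limit(loc: float, p_atm: float = ATM_PSIA,
                             o2_in_air: float = O2_IN_AIR) -> float:
    """Total pressure at which an air-filled vessel, pressurised with fuel,
    reaches the LOC: P_t = (o2_in_air * p_atm) / loc."""
    if not 0.0 < loc < o2_in_air:
        # An LOC at or above the O2 content of air means air alone cannot
        # support the deflagration; this dilution model does not apply.
        raise ValueError("LOC must be between 0 and the O2 fraction of air")
    return o2_in_air * p_atm / loc


def fuel_fraction_at_loc(loc: float, o2_in_air: float = O2_IN_AIR) -> float:
    """Fuel mole fraction when oxygen is diluted to the LOC; the rest is air."""
    return 1.0 - loc / o2_in_air


def estimate(loc: float, design_psig: float, rise_ratio: float = 10.0,
             accumulation: float = 0.10, p_atm: float = ATM_PSIA,
             o2_in_air: float = O2_IN_AIR) -> DeflagrationEstimate:
    """Bound the deflagration pressure and test it against design + allowance."""
    p_limit = flammable_pressure_limit(loc, p_atm, o2_in_air)
    p_max = rise_ratio * p_limit
    p_max_g = p_max - p_atm
    p_allowed = design_psig * (1.0 + accumulation)
    return DeflagrationEstimate(
        p_limit_psia=p_limit,
        fuel_fraction=fuel_fraction_at_loc(loc, o2_in_air),
        p_max_psia=p_max,
        p_max_psig=p_max_g,
        p_allowed_psig=p_allowed,
        within_design=p_max_g <= p_allowed,
    )


if __name__ == "__main__":
    r = estimate(loc=0.134, design_psig=200.0)   # VCM column, the text's values
    print(f"non-flammable above {r.p_limit_psia:.1f} psia "
          f"(fuel {100 * r.fuel_fraction:.0f} vol% at that point)")
    print(f"bounding deflagration {r.p_max_psig:.1f} psig vs "
          f"{r.p_allowed_psig:.0f} psig allowed -> "
          f"{'acceptable' if r.within_design else 'NOT acceptable'}")
```

Running the module reproduces the hand result: non-flammable above about 23 psia, roughly 36 vol% fuel at that point, and a bounding pressure of about 216 psig against 220 psig allowed. The small difference from the 215.3 psig in the text comes from carrying 0.21 × 14.7 = 3.087 psia rather than the rounded 3.1 psia. Lowering the design pressure to 150 psig makes the same estimate fail the check, which is the case where the designer would have to look at the pressure-rise ratio more carefully or add protection.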

Step 3: Determine Tolerability of Consequences

As stated above, the consequences are acceptable, and no further analysis is required. The system designer may forgo any further safety analysis and move to Step 9 to document the failure scenario, consequences and controls.

Step 9: Documentation

As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.

B.8 VACUUM COLLAPSE OF THE COLUMN (FAILURE SCENARIO D)

As discussed for Failure Scenario C, vacuum relief and potential deflagration concerns go hand-in-hand. For vessels not designed for full vacuum, or for a vessel system where some component of the system limits the available vacuum rating, some method of relieving vacuum conditions due to vapor collapse or liquid pump-out must be provided, or the vessel risks collapse and loss of containment. Distillation operations are particularly susceptible to this effect, since they involve large energy inputs and removals at steady state operation. Therefore, loss of heat input can lead to a large vacuum generation very quickly.

Step 2: Estimate the Consequences

Underpressure (vacuum) concerns in distillation units and other boiling operations occur because of the large energy removal capacity of the overhead condensing systems. Loss of heat input to a distillation operation results in the rapid collapse of vapor at the top of the column, with a corresponding drop in pressure due to the volumetric change from vapor to liquid.

Underpressure scenarios are generally of concern because of the loss of containment aspects. Although property damage caused by vacuum collapse of a vessel can be significant, the loss of material to the environment, as well as the potential for pulling air (oxygen) into an otherwise inerted system, constitute potentially more serious scenarios.

Step 3: Determine Tolerability of Consequences

Since this hazard is classified as medium, at least one level of non-procedural safeguard beyond the normal process controls will be required to adequately reduce the risk. Thus, at this stage of development, the consequences are not tolerable.

Step 4: Estimate Likelihood and Risk

Because unmitigated medium-level hazards are unacceptable, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Step 3, the risks presented are not acceptable. A minimum of one non-procedural safeguard is required in addition to the normal controls required to operate the process.

Step 6: Consider Enhanced and/or Alternative Designs

From Table 3, Item 22, the following options are available to the system designer for underpressure due to uncontrolled condensation of the vapor phase:

Inherently safer/passive:
• Vessel design accommodating minimum expected pressure, that is, full vacuum (FV) rating
• Insulation
• Open vent
• Locate tank inside building

Active:
• Vacuum relief system
• Inerting/blanketing to minimize vacuum generation
• Feed heater

Procedural:
• Procedures to monitor the addition of materials

Inherently safer/passive

An often-used solution to underpressure hazards is to design vessels to accommodate full vacuum. This is especially attractive if it can be obtained for "free," that is, the wall thickness required for the pressure rating is more than sufficient for full 15 psi external pressure. If this option is used, all system components must be capable of a full vacuum rating.

The other options listed in this category only apply to storage tanks, where the vapor condensation occurs due to a source external to the process (i.e., ambient temperature change). The presence of a large overhead condenser in distillation operations dwarfs the impact of these other effects.

Active

Vacuum relief systems and introduction of blanketing gases to prevent vacuum generation are related options that should be evaluated jointly. Typically, an inert gas blanketing system supplied via the plant inert gas system is used as the primary means of vacuum relief. This is often backed up by emergency vacuum relief, which introduces only enough air into the system to prevent vessel collapse. The emergency vacuum relief illustrates the type of tradeoff that is sometimes made in safety system design. Although it is not desirable to bring air into a flammable system and cause an internal deflagration, it may be a greater hazard to allow the complete loss of containment of the system due to vessel rupture from vacuum collapse. More detailed analysis may be required to determine the higher risk case.

Procedural

Because the potential consequences for this case fall into the medium category, none of the procedural options listed may be used to mitigate this scenario.

Step 7: Evaluate Enhancements and/or Alternatives

Inherently safer/passive

Given the relatively high proposed system design pressure, some investigation into the feasibility of minor vessel modification (such as stiffening rings) to obtain a full vacuum rating is advisable. All system components should be included in this analysis to ensure a "weak link" is not inadvertently left in the system.

Active

Inerting was evaluated, both for deflagration prevention and vacuum relief. Since this site has a readily available and reliable source of nitrogen, inerting was included as a part of the PSS package. However, design of the system for vacuum protection is significantly different than for inerting only. Lodal 1995 describes a procedure for sizing vacuum relief systems for distillation operations which can be applied to both the gas blanketing (primary) and vacuum relief (emergency) portions of this system.

Procedural

Procedural controls were not considered sufficient to mitigate the effects of the consequences described in this example.

Step 8: Determine Tolerability of Risk and Cost

The PSS considered by the designer was to change the vacuum rating of the column to accommodate the maximum expected vacuum for this system. Again, from Gallant 1968, the vapor pressure of VCM at −20°F is 7.7 psia, so a new rating accommodating this maximum expected vacuum was proposed. An active inert gas blanketing system designed for inert gas blanketing only was also included. This system meets the requirements provided by the management guidelines for high hazard events. The capital project evaluation team determined the cost acceptable to permit modification of the column specification.
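The "weak link" review called for in Step 7, and the Step 8 decision to rate the column for the maximum expected vacuum rather than full vacuum, amount to one comparison made for every connected component. The following is an added example in Python, not from the CCPS guideline: it takes the lowest credible internal pressure (the 7.7 psia vapor pressure of VCM at −20°F quoted from Gallant 1968), derives the external differential the system must withstand, and lists every component rated below it. The component tags and their ratings are constructed for illustration only and do not describe the guideline's column or any real design.

```python
"""
Added example (not from the CCPS guideline): the "weak link" check called for
when a column is rated for the maximum expected vacuum instead of full vacuum.

If the condenser collapses all vapour, the column pressure falls to the vapour
pressure of the contents at the coldest credible temperature, so the shell and
every connected component must withstand (atmospheric - vapour pressure) as an
external differential.  The VCM figure (7.7 psia at -20 F, Gallant 1968) is the
one the text quotes; the component list and ratings below are constructed for
illustration and do not describe the guideline's column or any real design.
"""
from dataclasses import dataclass
from typing import List, Tuple

ATM_PSIA = 14.7  # ambient pressure used throughout the example


@dataclass(frozen=True)
class Component:
    tag: str
    ext_rating_psi: float  # maximum external differential; 14.7 = full vacuum (FV)


def required_external_psi(min_vapor_pressure_psia: float,
                          p_atm: float = ATM_PSIA) -> float:
    """External differential the system sees at the lowest credible internal
    pressure.  A vapour pressure above atmospheric means there is no vacuum case."""
    if min_vapor_pressure_psia < 0:
        raise ValueError("vapour pressure cannot be negative")
    return max(0.0, p_atm - min_vapor_pressure_psia)


def weak_links(components: List[Component],
               required_psi: float) -> List[Component]:
    """Every component rated below the required differential, worst first."""
    short = [c for c in components if c.ext_rating_psi < required_psi]
    return sorted(short, key=lambda c: c.ext_rating_psi)


def vacuum_check(components: List[Component], min_vapor_pressure_psia: float,
                 full_vacuum: bool = False,
                 p_atm: float = ATM_PSIA) -> Tuple[float, List[Component]]:
    """Return (required differential, weak links).  With full_vacuum=True the
    target is the FV rating (p_atm) regardless of contents, which is the
    "free" case the text describes when the pressure-rated wall is already
    thick enough to take full external pressure."""
    required = p_atm if full_vacuum else required_external_psi(
        min_vapor_pressure_psia, p_atm)
    return required, weak_links(components, required)


# Constructed system (illustration only): a column originally rated for a
# modest vacuum, the overhead condenser, the reboiler and a sight glass.
EXAMPLE_SYSTEM = [
    Component("C-101 column shell", 5.0),
    Component("E-102 condenser shell", ATM_PSIA),
    Component("E-103 reboiler shell", 10.0),
    Component("LG-104 sight glass", 3.0),
]
VCM_VP_AT_MINUS_20F_PSIA = 7.7  # Gallant 1968, as quoted in the text

if __name__ == "__main__":
    req, weak = vacuum_check(EXAMPLE_SYSTEM, VCM_VP_AT_MINUS_20F_PSIA)
    print(f"required external rating: {req:.1f} psi")
    for c in weak:
        print(f"  weak link: {c.tag} rated {c.ext_rating_psi:.1f} psi")
```

For the constructed system the required rating is 14.7 − 7.7 = 7.0 psi external, and the check flags the sight glass and the as-proposed column shell; the reboiler and condenser pass. Rerunning with full_vacuum=True shows why the text treats full vacuum as the more demanding target: every component except the FV-rated condenser then appears as a weak link.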

Step 9: Documentation

As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.

B.9 BLOCKED-IN LIQUIDS IN HEAT TRANSFER EQUIPMENT (FAILURE SCENARIO E)

Isolation of streams in energy exchange devices such as heat exchangers can pose the potential for equipment damage due to hydraulic overpressure. While damage to the piece of equipment in question may be significant, hydraulic overpressure incidents rarely lead to shrapnel generation, so their impact is more localized.

Step 2: Estimate the Consequences

The heat exchanger failure scenario of isolated cold side liquid (glycol) while heating may result in an operational deviation of overpressure of the tubeside of the main condenser. Tubeside overpressure may result in minor damage to the equipment, with the resulting capital loss, and the release of a small amount of process or utility chemicals.

Step 3: Determine Tolerability of Consequences

The consequences of low-level hazards mitigated by normal process controls and operating procedures (such as draining and venting prior to isolation) have been determined to be acceptable risks by the organization represented in this example. Additional safeguards are not required. The system designer may elect to forgo any further safety analysis and move to Step 9 to document the failure scenario, consequences and controls. Should the financial risk and/or regulatory requirements posed by the failure scenario require further analysis, the system designer may elect to continue using this or a similar analysis technique.

Step 9: Documentation

As already discussed in Chapter 2, complete and thorough documentation is critical to the safety system selection process. It is important that all failure scenarios, no matter how seemingly insignificant, be documented, since significance may change with process modifications or substitutions of materials.

B.10 DOCUMENTATION

It is critical to provide accurate, detailed and readily available documentation of all PSS design bases, so that assumptions can be easily verified and critical safety components identified. This is particularly important when one element of the analysis (e.g., instrumentation) eliminates or mitigates the size and/or scope of protection of another element (e.g., relief devices). There may also be regulatory recordkeeping requirements, such as those concerning processes covered by the OSHA Process Safety Management Standard, 29 CFR 1910.119 1992, and the EPA Risk Management Plan, 40 CFR 68 1996. Complete mechanical design information of vessels and other process equipment, interlock strategies and alarm points, relief and venting systems sizing bases (including cases that were eliminated through active or passive means) and siting and fire protection design bases all need to be recorded permanently as a part of the process safety information file. Without this information, future modifications to the PSS cannot be made until a complete reevaluation of the PSS basis is complete. This reevaluation will be difficult and time consuming without the detailed information on the original basis.

Similarly, items used to mitigate or eliminate potential hazards may not be intuitively obvious, as example 2.6.1 in Chapter 2 illustrates so graphically. Here, the use of valve size to limit steam flow to a process reboiler falls into a similar category. Valves are routinely changed to debottleneck processes. If the safety implications of doing so were not clearly documented, an inappropriate substitution could easily be made. Also, since valves do wear and fail, inclusion of this item in the proper documentation ensures that its mechanical integrity (MI) classification as a critical safety element is made. This will facilitate more frequent inspection, testing and replacement than a normal process control device might otherwise receive.

Procedural controls are perhaps the most critical of all controls to document well, since identification of safe upper and lower operating limits, and training requirements, are critical to gaining and retaining effectiveness. Above all, documentation must tell the why as well as the what, so that future evaluators will have the full benefit of the knowledge originally used to specify the system.

The P&ID shown in Exhibit B6 represents a summary of the PSS additions to the Basic Process Control System. Note that the interlocks to shut off the steam to the reboiler, including their necessary process measurements, are now included on the P&ID, as is the nitrogen purge system. Other instrumentation additions include those necessary to properly monitor a rupture disc/relief valve combination installation, and pressure measurements to control the primary vacuum relief system.

[Exhibit B6, Piping and Instrumentation Diagram: P&ID of the column with the PSS additions. Labels recoverable from the drawing: 2" VACUUM VENT (SET 0-0.6 PSIG); OVERHEAD PRODUCT; VENT; GLYCOL SUPPLY and GLYCOL RETURN (two pairs); 6" TO VENT; STACK; FEED; NOTE 2.]

EXHIBIT B6 Piping and Instrumentation Diagram.

NOTES:
1. SET SLIGHTLY POSITIVE: 2" W.C.
2. SET PSH ft MO PSIG
3. INSTRUMENT NOMENCLATURE PER ISA-S5.1

REFERENCES

API RP 520 1993. Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries. Part I—Sizing and Selection. 6th ed. Washington, DC: American Petroleum Institute.

API RP 520 1994. Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries. Part II—Installation. 4th ed. Washington, DC: American Petroleum Institute.

API RP 521 1990. Guide for Pressure Relieving and Depressuring Systems. 3rd ed. Washington, DC: American Petroleum Institute.

API Std 620 1990. Design and Construction of Large, Welded Low-Pressure Storage Tanks. 8th ed. Washington, DC: American Petroleum Institute.

API Std 650 1993. Welded Steel Tanks for Oil Storage. 9th ed. Washington, DC: American Petroleum Institute.

API RP 752 1995. Management of Hazards Associated with Locations of Process Plants. 1st ed. Washington, DC: American Petroleum Institute.

API RP 2003 1991. Protection Against Ignitions Arising out of Static, Lightning, and Stray Currents. 5th ed. Washington, DC: American Petroleum Institute.

ASME 1995. Boiler and Pressure Vessel Code, Section VIII. New York: American Society of Mechanical Engineers.

CCPS 1989. Guidelines for Chemical Process Quantitative Risk Analysis. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

CCPS 1992. Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

CCPS 1993. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

CCPS 1994. Guidelines for Safe Automation of Chemical Processes. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

CCPS 1995. Guidelines for Chemical Reactivity Evaluation and Application to Process Design. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

CCPS 1996. Guidelines for Evaluating Process Plant Buildings for Explosions and Fires. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

CCPS 1997a. Guidelines for Pressure Relief and Effluent Handling Systems. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

DIERS 1992. Emergency Relief System Design Using DIERS Technology. DIERS Project Manual. Design Institute for Emergency Relief Systems. New York: American Institute of Chemical Engineers.

EPA (Environmental Protection Agency) 1996. Accidental Release Protection Provisions. 40 CFR 68. Washington, DC: US Government Printing Office.

Gallant, Robert W. 1968. Physical Properties of Hydrocarbons, Volumes I and II. Houston, TX: Gulf Publishing Company.

Lodal, P.N., Mahanes, J.L., Calvert, J.I. and Keel, J.M. 1995. Revised Emergency Vacuum Relief Device Sizing for Atmospheric Distillation Systems. Journal of Loss Prevention in the Process Industries, 8(6): 331-341.

NFPA 15 1990. Water Spray Fixed Systems for Fire Protection. Quincy, MA: National Fire Protection Association.

NFPA 69 1997. Standard on Explosion Prevention Systems. Quincy, MA: National Fire Protection Association.

NFPA 77 1993. Recommended Practice on Static Electricity. Quincy, MA: National Fire Protection Association.

NFPA 101 1997. Code for Safety to Life from Fire in Buildings and Structures. Quincy, MA: National Fire Protection Association.

NFPA 704 1996. Standard System for the Identification of the Hazards of Materials for Emergency Response. Quincy, MA: National Fire Protection Association.

OSHA 1992. Process Safety Management of Highly Hazardous Chemicals. 29 CFR 1910.119. Washington, DC: Occupational Safety and Health Administration.

OSHA 1995. Flammable and Combustible Liquids. 29 CFR 1910.106. Washington, DC: Occupational Safety and Health Administration.

Yaws, C.L. 1977. Physical Properties. In Chemical Engineering. New York: McGraw-Hill.

Suggested Additional Reading

API Std 2000 1992. Venting Atmospheric and Low Pressure Storage Tanks. 4th ed. Washington, DC: American Petroleum Institute.

CCPS 1997b. Guidelines for Chemical Process Quantitative Risk Analysis. 2nd ed. Center for Chemical Process Safety. New York: American Institute of Chemical Engineers.

NFPA 30 1993. Flammable and Combustible Liquids Code. Quincy, MA: National Fire Protection Association.

NFPA 58 1995. Liquefied Petroleum Gases. Quincy, MA: National Fire Protection Association.

NFPA 68 1994. Venting of Deflagrations. Quincy, MA: National Fire Protection Association.

GLOSSARY

Administrative Controls: See Design Solutions.

Autoignition Temperature: The autoignition temperature of a substance, whether solid, liquid, or gaseous, is the minimum temperature required to initiate or cause self-sustained combustion, in air, with no other source of ignition.

Basic Event: An event in a fault tree that represents the lowest level of resolution in the model such that no further development is necessary (e.g., equipment item failure, human failure, or external event).

Boiling-Liquid-Expanding-Vapor Explosion (BLEVE): A type of rapid phase transition in which a liquid contained above its atmospheric boiling point is rapidly depressurized, causing a nearly instantaneous transition from liquid to vapor with a corresponding energy release. A BLEVE is often accompanied by a large fireball if a flammable liquid is involved, since an external fire impinging on the vapor space of a pressure vessel is a common BLEVE scenario. However, it is not necessary for the liquid to be flammable for a BLEVE to occur.

Basic Process Control System (BPCS): The control equipment which is installed to support normal production functions.

Bonding: The process of connecting two or more conductive objects together by means of a conductor.

Car Seal: A metal or plastic cable used to fix a valve in the open position (car seal open) or closed position (car seal closed). Proper authorization, controlled via administrative procedures, must be obtained before operating the valve. The physical seal should have suitable mechanical strength to prevent unauthorized valve operation. Indiscriminate use of the "car sealing" policy can lead to the dilution of this administrative safeguard.

Catastrophic Incident: An incident involving a major uncontrolled emission, fire or explosion that causes significant damage, injuries and/or fatalities onsite and often has an outcome effect zone that extends into the surrounding community.

Combustible Liquid: A term used to classify certain liquids that will burn on the basis of flash points. The National Fire Protection Association (NFPA) defines a "combustible liquid" as having a flash point of 100°F (37.8°C) or higher. See also "Flammable". Combustible liquids do not ignite as easily as flammable liquids; however, combustible liquids can be ignited when heated and must be handled with caution. Class II liquids have flash points at or above 100°F, but below 140°F. Class III liquids are subdivided into two subclasses.

Class IIIA: Those having flash points at or above 140°F but below 200°F.

Class IIIB: Those having flash points at or above 200°F.

Common Mode Failure: An event having a single cause with multiple failure effects which are not consequences of each other.

Critical Event: A critical event is an event with a specified, high consequence such as an event involving an offsite community impact, critical system damage, a severe injury or a fatality.

Critical Event Frequency: The frequency of occurrence of a critical event.

Dead-heading: A blockage on the discharge side of a pump/compressor which results in the flow reducing to zero and the discharge pressure increasing to a maximum value characteristic of the machine. The maximum discharge pressure can be obtained from the pump/compressor curves for centrifugal machines.

Deflagration: The chemical reaction of a substance in which the reaction front advances into the unreacted substance at less than the sonic velocity in the unreacted material. Where a blast wave is produced that has the potential to cause damage, the term explosive deflagration may be used.

Deflagration to Detonation Transition: A reaction front that starts out with velocities below the speed of sound and subsequently accelerates to velocities higher than the speed of sound is said to have undergone a Deflagration to Detonation Transition. The possibility of transition is enhanced by confinement/turbulence generators in the path of the reaction front.

Detonation: A release of energy caused by the extremely rapid chemical reaction of a substance in which the reaction front advances into the unreacted substance at equal to or greater than the sonic velocity in the unreacted material.

Design Institute for Emergency Relief Systems (DIERS): Institute under the auspices of the American Institute of Chemical Engineers founded to investigate requirements for emergency relief systems for chemically reactive systems which often involve multiphase flow.

Design Solutions—Inherently Safer, Passive, Active, and Procedural

Inherently safer design solutions eliminate or mitigate the hazard by using materials and process conditions that are less hazardous. Examples of inherently safer solutions include:

• Substituting water for a flammable solvent
• Reducing or eliminating inventories of hazardous intermediates

Approaches to the design of inherently safer processes and plants are usually grouped into four major strategies:

• Minimize. Use smaller quantities of hazardous substances (also called Intensification).
• Substitute. Replace a material with a less hazardous substance.
• Moderate. Use less hazardous conditions, a less hazardous form of a material, or facilities which minimize the impact of a release of hazardous material or energy (also called Attenuation and Limitation of Effects).
• Simplify. Design facilities which eliminate unnecessary complexity and make operating errors less likely, and which are forgiving of errors which are made (also called Error Tolerance).

Passive design solutions do not require any device to sense and/or activelyrespond to a process variable and have very reliable mechanical design. Examplesof passive design solutions include:

• Using incompatible hose couplings, nonsplash filling using permanentlyinstalled dip-pipes, permanent grounding and bonding via continuous metalequipment and pipe rather than with removable cables

• Designing high pressure equipment to contain overpressure hazards such asinternal deflagration

• Containing hazardous inventories with a dike that has a bottom sloped to aremote impounding area, which is designed to minimize surface area.

Active design solutions require devices to monitor a process variable and functionto mitigate a hazard. Frequently, active solutions involve a considerable mainte-nance and procedural component and are therefore typically less reliable thaninherently safer or passive solutions. To achieve necessary reliability, redundancyis often used to eliminate conflict between production and safety requirements(such as having to shut down a unit to maintain a relief valve).Active solutions are sometimes referred to as engineering controls. Examples ofactive solutions include:

• Using a pressure safety valve or rupture disk to prevent vessel overpressure• Interlocking a high level sensing device to a vessel inlet valve and pump motor to

prevent liquid overfill of the vessel• Installing check valves

Procedural design solutions require a person to perform an action to avoid ahazard. This would include following a standard operating procedure or respond-ing to an indication of a problem such as an alarm, an instrument reading, a noise,a leak, or a sampling result. Since an individual is involved in performing the cor-rective action, consideration needs to be given to human factors issues e.g., over-alarming, improper allocation of tasks between machine and person, inadequatesupport culture. Because of the human factors involved, procedural solutions aregenerally the least reliable of the four categories.Procedural solutions are sometimes referred to as administrative controls. Exam-ples of procedural solutions include:

• Following standard operating procedures to keep process operations withinestablished equipment mechanical design limits

• Manually closing a feed isolation valve in response to a high level alarm to avoidtank overfilling

• Executing preventive maintenance procedures to prevent equipment failures• Manually attaching bonding and grounding systems

Distributed Control System: A system which divides process control functions into specific areas interconnected by communications (normally data highways) to form a single entity. It is characterized by digital controllers and typically by central operation interfaces.

Dow Fire and Explosion Index (F&EI): A method (developed by Dow Chemical Company) for ranking the relative fire and explosion risk associated with a process. Analysts calculate various hazard and explosion factors using material characteristics and process data.

Emergency Relief Device: A device that is designed to open during emergency or abnormal conditions to prevent rise of internal fluid pressure in excess of a specified value. The device also may be designed to prevent excessive internal vacuum. The device may be a pressure relief valve, a nonreclosing pressure relief device, or a vacuum relief valve.

Emergency Shutdown Device: A device that is designed to shut down the system to a safe condition on command from the emergency shutdown system.

Emergency Shutdown System: The safety control system which overrides the action of the basic control system and shuts down the process when predetermined conditions are violated.

Equipment Reliability: The probability that, when operating under stated environment conditions, process equipment will perform its intended function adequately for a specified exposure period.

Explosion: A rapid or sudden release of energy that causes a pressure discontinuity or blast wave.

Fail-Safe: Design features which provide for the maintenance of safe operating conditions in the event of a malfunction of control devices or an interruption of an energy source (e.g., direction of failure of a control valve on loss of signal). A system is fail-safe if failure of a component, signal, or utility initiates an action that maintains the system in a safe condition.

Failure: An unacceptable difference between expected and observed performance.

Failure Mode and Effects Analysis (FMEA): A failure identification methodology where the failure modes of a component sub-system are identified. An analysis of these failure modes on the safety of the entire system is performed.

Fire Point: The temperature at which a liquid continues to burn when the ignition source is removed.

Flammability Limits: The range of gas or vapor concentration in air that will burn if a flame or other ignition source is present. The range represents a gas or vapor mixture with air that may ignite or explode. Usually, the wider the range the greater the fire potential. See also Lower Flammable Limit and Upper Flammable Limit.

Flammable Liquid: A "Flammable Liquid" is defined by NFPA as a liquid with a flash point below 100°F (37.8°C). Flammable liquids provide ignitable vapor at room temperatures and must be handled with caution. Precautions such as bonding and grounding must be taken. Flammable liquids are Class I liquids and may be subdivided as follows:

Class IA: Those having flash points below 73°F and having a boiling point below 100°F

Class IB: Those having flash points below 73°F and having a boiling point at or above 100°F

Class IC: Those having flash points at or above 73°F and below 100°F
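The Class I sub-division above is a small decision procedure with strict "below" and inclusive "at or above" boundaries that are easy to get wrong by hand. The following added example (not code from the CCPS guidelines) implements it directly from the glossary thresholds; the function names, the temperature conversion helper and the sample liquids with their round flash/boiling points are all constructed for illustration, not measured properties of real materials.

```python
"""NFPA Class I (flammable liquid) classification from flash point and boiling point.

Added example, not from the CCPS text. Thresholds are those quoted in the glossary
entry: flammable liquid = flash point below 100 F (37.8 C), sub-divided at a 73 F
flash point and a 100 F boiling point. 'Below' is strict, 'at or above' inclusive.
"""
from typing import Dict, Optional, Tuple

FLASH_POINT_LIMIT_F = 100.0    # Class I requires flash point strictly below this
CLASS_IA_IB_SPLIT_F = 73.0     # IA/IB: flash point < 73 F; IC: 73 F <= flash point < 100 F
BOILING_POINT_SPLIT_F = 100.0  # IA: boiling point < 100 F; IB: boiling point >= 100 F


def f_to_c(temp_f: float) -> float:
    """Fahrenheit to Celsius (100 F -> 37.8 C, the figure in the definition)."""
    return (temp_f - 32.0) * 5.0 / 9.0


def nfpa_class_i(flash_point_f: float, boiling_point_f: Optional[float] = None) -> Optional[str]:
    """Return 'IA', 'IB' or 'IC', or None if the liquid is not a Class I liquid.

    The boiling point is only consulted when the flash point is below 73 F (to split
    IA from IB). If it is needed but missing, raise rather than guess a class.
    """
    if flash_point_f >= FLASH_POINT_LIMIT_F:
        return None                      # not a flammable (Class I) liquid under this definition
    if flash_point_f >= CLASS_IA_IB_SPLIT_F:
        return "IC"                      # 73 F <= flash point < 100 F
    if boiling_point_f is None:
        raise ValueError("boiling point required to distinguish Class IA from Class IB")
    return "IA" if boiling_point_f < BOILING_POINT_SPLIT_F else "IB"


# Constructed sample data: (flash point F, boiling point F). Values are illustrative
# numbers chosen to exercise each branch and boundary, not real material properties.
SAMPLE_LIQUIDS: Dict[str, Tuple[float, float]] = {
    "solvent_A": (-40.0, 95.0),   # very low flash point, boils below 100 F   -> IA
    "solvent_B": (-4.0, 176.0),   # low flash point, boils above 100 F         -> IB
    "solvent_C": (73.0, 212.0),   # flash point exactly on the 73 F boundary   -> IC
    "solvent_D": (100.0, 300.0),  # flash point exactly 100 F: not Class I     -> None
}


def classify_all(liquids: Dict[str, Tuple[float, float]] = SAMPLE_LIQUIDS) -> Dict[str, Optional[str]]:
    """Classify every sample liquid; None marks liquids outside the Class I definition."""
    return {name: nfpa_class_i(fp, bp) for name, (fp, bp) in liquids.items()}


if __name__ == "__main__":
    for name, cls in classify_all().items():
        print(f"{name}: Class {cls}" if cls else f"{name}: not a Class I flammable liquid")
```

Note that the boundary cases are where classification errors usually happen: a flash point of exactly 73°F is Class IC, and a boiling point of exactly 100°F pushes a low-flash-point liquid into Class IB, because the glossary says "at or above" for both.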

Flash Fire: The combustion of an unconfined flammable vapor and air mixture in which flame passes through that mixture at less than sonic velocity, such that negligible damaging overpressure is generated.

Flash Point: The lowest temperature at which vapors above a liquid will ignite at a pressure of 760 mm Hg absolute. The temperature at which vapor will burn while in contact with an ignition source, but which will not continue to burn after the ignition source is removed. There are several flash point test methods, and flash points may vary for the same material depending on the method used. Consequently, the test method is indicated when the flash point is given. A closed cup type test is used most frequently for regulatory purposes. The lower the flash point temperature of a liquid, the greater the fire hazard following a release.

Froth-over: When water is present or enters a tank containing hot viscous oil, the sudden conversion of water to steam causes a portion of the tank contents to overflow.

Fugitive Emissions: Emissions of material from process equipment due to leakage.

Grounding: The process of connecting one or more conducting objects to the ground.It is a specific form of bonding.

Hazard: An inherent chemical or physical characteristic that has the potential for causing damage to people, property, or the environment. In this document it is typically the combination of a hazardous material, an operating environment, and certain unplanned events that could result in an accident.

Hazard Analysis: The identification of undesired events that lead to the materialization of a hazard, the analysis of the mechanisms by which these undesired events could occur and usually the estimation of the consequences.

Hazard and Operability Study (HAZOP): A systematic qualitative technique to identify process hazards and potential operating problems using a series of guide words to study process deviations.

A HAZOP is used to question every part of a process to discover what deviations from the intention of the design can occur and what their causes and consequences may be. This is done systematically by applying suitable guide words.

This is a systematic detailed review technique, for both batch and continuous plants, which can be applied to new or existing processes to identify hazards.

Hazardous Material: In a broad sense, any substance or mixture of substances having properties capable of producing adverse effects on health, safety or the environment. These dangers may arise from but are not limited to toxicity, reactivity, instability, or corrosivity.

Human Factors: A discipline concerned with designing machines, operations, and work environments so that they match human capabilities, limitations, and needs. Includes any technical work (engineering, procedure writing, worker training, worker selection, etc.) related to the human factor in operator-machine systems.

Inert Gas: A noncombustible, nonreactive gas that renders the combustible material in a system incapable of supporting combustion.

Inherently Safe: A system is inherently safe if it remains in a nonhazardous situation after the occurrence of nonacceptable deviations from normal operating conditions.

Interlock System: A system that detects out-of-limits or abnormal conditions or improper sequences and either halts further action or starts corrective action.

Intrinsically Safe: Equipment and wiring which is incapable of releasing sufficient electrical or thermal energy under normal or abnormal conditions to cause ignition of a specific hazardous atmospheric mixture or hazardous layer.

Likelihood: A measure of the expected frequency with which an event occurs. This may be expressed as a frequency (e.g., events per year), a probability of occurrence during a time interval (e.g., annual probability), or a conditional probability (e.g., probability of occurrence, given that a precursor event has occurred).

Limiting Oxidant Concentration (LOC): The limiting oxidant concentration (LOC) is that concentration of oxidant below which a deflagration (flame propagation in the gas, mist, suspended dust, or hybrid mixture) cannot occur. For most hydrocarbons where oxygen is the oxidant and nitrogen is the diluent the LOC is approximately 9 to 11 vol% oxygen. The LOC for dusts is dependent on the composition and particle size distribution of the solid. Values of LOC for most organic chemical dusts lie in the range of 10 to 16 vol% oxygen, again where nitrogen is the diluent.

Lower Flammable Limit (LFL): The lowest concentration of a vapor or gas (the lowest percentage of the substance in air) that will produce a flash of fire when an ignition source (heat, arc, or flame) is present. See also Upper Flammable Limit. At concentrations lower than the LFL, the mixture is too "lean" to burn.

Minimum Explosible Concentration (MEC): The lowest concentration of combustible dust necessary to produce an explosion.

Minimum Ignition Energy (MIE): Initiation of flame propagation in a combustible mixture requires an ignition source of adequate energy and duration to overcome radiative and conductive heat losses to the cooler surrounding material. Dust and vapor clouds may be readily ignited if exposed to electric discharges that exceed the minimum ignition energy (MIE) for the combustible mixture.

Mitigation: Reducing the risk of an accident event sequence by taking protective measures to reduce the likelihood of occurrence of the event, and/or reduce the magnitude of the event and/or minimize the exposure of people or property to the event.

Net Positive Suction Head (NPSH): The net static liquid head that must be provided on the suction side of the pump to prevent cavitation.

Oxidant: Any material that can react with a fuel (either gas, dust or mist) to produce combustion. Oxygen in air is the most common oxidant.

Pool Fire: The combustion of material evaporating from a layer of liquid at the base of the fire.

Procedural Design Solution: See Design Solutions.

Process Safety: A discipline that focuses on the prevention and mitigation of fires, explosions, and accidental chemical releases at process facilities. Excludes classic worker health and safety issues involving working surfaces, ladders, protective equipment, etc.

Piping and Instrument Diagram (P&ID): A diagram that shows the details about the piping, vessels, and instrumentation.

Process Flow Diagram (PFD): A diagram that shows the material flow from one piece of equipment to the other in a process. It usually provides information about the pressure, temperature, composition, and flow rate of the various streams, heat duties of exchangers, and other such information pertaining to understanding and conceptualizing the process.

Process Hazard Analysis (PHA): A structured procedure whereby hazards associated with a process are identified and evaluated.

Pressure Relief Valve (PRV): A relief valve is a spring loaded pressure relief valve actuated by static pressure upstream of the valve. The valve opens normally in proportion to the pressure increase over opening pressure. A relief valve is normally used with incompressible fluids.

Pressure Safety Valve (PSV): A safety valve is a spring loaded pressure relief valve actuated by static pressure upstream of the valve and characterized by rapid opening or pop action. A safety valve is normally used with compressible fluids.

Process Safety System (PSS): A process safety system comprises the design, procedures, and hardware intended to operate and maintain the process safely.

Programmable Electronic System (PES): A system based on a computer connected to sensors and/or actuators in a plant for the purpose of control, protection or monitoring (includes various types of computers, programmable logic controllers, peripherals, interconnect systems, instrument distributed control system controllers, and other associated equipment).

Programmable Logic Controller (PLC): A microcomputer-based solid-state control system which receives inputs from user-supplied control devices such as switches and sensors, implements them in a precise pattern determined by instructions stored in the PLC memory, and provides outputs for control or user-supplied devices such as relays and motor starters.

Purge Gas: A gas that is continuously or intermittently added to a system to render the atmosphere nonignitable. The purge gas may be inert or combustible.

Quenching: Rapid cooling from an elevated temperature, e.g., severe cooling of the reaction system in a short time (almost instantaneously), "freezes" the status of a reaction and prevents further decomposition or reaction.

Reactors:

Continuous-flow Stirred Tank Reactor (CSTR): A reaction vessel in which the feed is continuously added, and the products continuously removed. The vessel (tank) is continuously stirred to maintain a uniform concentration within the vessel.

Plug Flow Reactor (PFR): A plug flow reactor is a tubular reactor where the feed is continuously introduced at one end and the products continuously removed from the other end. The concentration/temperature in the reactor is not uniform.

Batch Reactor: In a batch reactor, the reactants are added to the reactor at the start of the reaction. The reactants are allowed to react in the reactor for a fixed time. No feed is added or product withdrawn during this time. The reaction products are removed at the end of the batch.

Semi-Batch Reactor: In a semi-batch reactor, some reactants are added to the reactor at the start of the batch, while others are fed continuously during the course of the reaction.

Runaway: A thermally unstable reaction system which exhibits an uncontrolled accelerating rate of reaction.

Safety Instrument System (SIS): The instrumentation, controls, and interlocks provided for safe operation of the process.

Safety Layer: A system or subsystem that is considered adequate to protect against a specific hazard. The safety layer

• is totally independent of any other protective layers
• cannot be compromised by the failure of another safety layer
• must have acceptable reliability
• must be approved according to company policy and procedures
• must meet proper equipment classification
• may be a noncontrol alternative (i.e., chemical, mechanical)
• may require diverse hardware and software packages
• may be an administrative procedure

Source Term: The estimated release parameters such as release mass, flow rate, velocity, temperature, concentration, aerosol content, density, etc. which are used as input to dispersion models. The source term modeling is usually based on mathe-

nonconfined space (i.e., not in vessels, buildings, etc.). The flame speed may accelerate to high velocities and produce significant blast overpressure. Vapor cloud explosions in plant areas with dense equipment layouts may show acceleration in flame speed and intensification of blast.

Upper Flammable Limit (UFL): The highest concentration of a vapor or gas (the highest percentage of the substance in air) that will produce a flash of fire when an ignition source (heat, arc, or flame) is present. See also Lower Flammable Limit. At concentrations higher than the UFL, the mixture is too "rich" to burn.

Vapor Density: The weight of a vapor or gas compared to the weight of an equal volume of air at the same temperature and pressure; an expression of the density of the vapor or gas. Materials lighter than air have vapor densities less than 1.0 (examples: acetylene, methane, hydrogen). Materials heavier than air (examples: propane, hydrogen sulfide, ethane, butane, chlorine, sulfur dioxide) have vapor densities greater than 1.0. All vapors and gases will mix with air, but the lighter materials will tend to rise and dissipate. It should be kept in mind that when gases which have vapor densities less than 1.0 are released into the atmosphere, the release mass itself may be heavier than air depending on the release temperature and aerosol content. Heavier vapors and gases are likely to concentrate in low places (along or under floors, in sumps, sewers and manholes, in trenches and ditches) and can travel great distances undetected where they may create fire or health hazards.

Valve Failure Positions: In the event of instrument air or electrical power failure, valves either Fail Closed (FC), Fail Open (FO), or Fail in the Last position (FL). The position of failure must be carefully selected so as to bring the system to, or leave the system in, a safe operating state.
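The Fail-Safe, Interlock System and Valve Failure Positions entries, together with the high-level interlock listed under active design solutions (a high level sensor interlocked to the vessel inlet valve and feed pump), describe one design pattern: the protective action must be the outcome of a lost or implausible signal as well as of a genuine high level. The following added example (not code from the CCPS guidelines) simulates that pattern. The level readings, the 90 % trip setpoint, the latching behaviour, and the class and function names are all constructed for illustration.

```python
"""Fail-safe high-level interlock with explicit valve failure positions.

Added example, not from the CCPS text. Models a high level sensor interlocked to a
vessel inlet valve and feed pump; sensor values, setpoint and names are constructed.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Failure positions from the glossary: on loss of instrument air or power a valve
# goes Fail Closed (FC), Fail Open (FO) or stays in its last position (FL).
FAIL_CLOSED, FAIL_OPEN, FAIL_LAST = "FC", "FO", "FL"


@dataclass
class InletValve:
    failure_position: str        # FC / FO / FL, selected at design time
    is_open: bool = True

    def command(self, open_requested: Optional[bool]) -> bool:
        """Drive the valve. None models loss of the control signal (air or power)."""
        if open_requested is None:
            if self.failure_position == FAIL_CLOSED:
                self.is_open = False
            elif self.failure_position == FAIL_OPEN:
                self.is_open = True
            # FAIL_LAST: hold whatever position the valve was already in
        else:
            self.is_open = open_requested
        return self.is_open


def feed_permitted(level_reading: Optional[float], high_level_trip: float) -> bool:
    """Interlock logic: True = feed may continue, False = trip.

    A missing or implausible reading (None, NaN, negative) is treated as a trip.
    That is the fail-safe property from the glossary: a failed signal initiates the
    protective action instead of leaving the feed running on stale or absent data.
    """
    if level_reading is None or math.isnan(level_reading) or level_reading < 0:
        return False
    return level_reading < high_level_trip


def run_sequence(readings: List[Optional[float]], high_level_trip: float,
                 valve: InletValve) -> List[Tuple[Optional[float], bool, bool]]:
    """Feed each reading through the interlock; return (reading, pump_on, valve_open) per step.

    A trip is latched: once the pump is stopped it stays stopped even if a later
    reading looks healthy, so that restart is a deliberate (procedural) action.
    """
    pump_on = True
    trace = []
    for reading in readings:
        if not feed_permitted(reading, high_level_trip):
            pump_on = False
        valve.command(pump_on)           # pump off implies inlet valve commanded closed
        trace.append((reading, pump_on, valve.is_open))
    return trace


def first_trip_step(trace: List[Tuple[Optional[float], bool, bool]]) -> Optional[int]:
    """Index of the first step at which the pump was stopped, or None if it never tripped."""
    for i, (_, pump_on, _) in enumerate(trace):
        if not pump_on:
            return i
    return None


# Constructed sample sequences (percent of vessel level span), not plant data.
NORMAL_FILL = [40.0, 60.0, 80.0, 95.0]   # level climbs past a 90 % trip point
SENSOR_DROPOUT = [40.0, None, 60.0]      # signal lost mid-fill, then returns

if __name__ == "__main__":
    for name, seq in (("normal fill", NORMAL_FILL), ("sensor dropout", SENSOR_DROPOUT)):
        trace = run_sequence(seq, high_level_trip=90.0, valve=InletValve(FAIL_CLOSED))
        print(name, "tripped at step", first_trip_step(trace), trace)
    # Loss of signal to the valve itself: the design-time failure position decides.
    for pos in (FAIL_CLOSED, FAIL_OPEN, FAIL_LAST):
        state = "open" if InletValve(pos).command(None) else "closed"
        print(pos, "on loss of signal ->", state)
```

Two design choices carry the safety argument: the sensor dropout trips the interlock at the step the signal is lost rather than at the next healthy reading, and the trip latches so that a recovered signal does not silently restart the feed. Whether a Fail Last valve is acceptable for the inlet depends on the hazard; for an overfill interlock the glossary's guidance points to Fail Closed.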

Vapor Pressure: The pressure exerted by a vapor above its own liquid. The higher the vapor pressure, the easier it is for a liquid to evaporate and fill the work area with vapors which can cause health or fire hazards.

Venting: Emergency flow of vessel contents out of a vessel. The pressure is controlled or reduced by venting, thus avoiding a failure of the vessel by overpressurization. The emergency flow can be one-phase or multi-phase, each of which results in different flow characteristics.

ACRONYMS AND ABBREVIATIONS

ACGIH American Conference of Government Industrial Hygienists

ACI American Concrete Institute

ACS American Chemical Society

AGA American Gas Association

AIChE American Institute of Chemical Engineers

AIHA American Industrial Hygiene Association

AISC American Institute of Steel Construction

AISI American Iron and Steel Institute

AIT Autoignition temperature

ANSI American National Standards Institute

APFA American Pipe Fittings Association

API American Petroleum Institute

ASM American Society for Metals

ASME American Society of Mechanical Engineers

ASSE American Society of Safety Engineers

ASNT American Society for Nondestructive Testing

ASTM American Society for Testing and Materials

AWS American Welding Society

BLEVE Boiling Liquid Expanding Vapor Explosion

BPCS Basic Process Control System

Btu British thermal unit

BTX Benzene, Toluene, and Xylene

CAA Clean Air Act

CAAA Clean Air Act Amendments

CCPS Center for Chemical Process Safety

CEM Continuous Emissions Monitor

CERCLA Comprehensive Environmental Response, Compensation, and Liability Act

CFR Code of Federal Regulations

CGA Compressed Gas Association

CIA Chemical Industries Association

CMA Chemical Manufacturers Association

CRT Cathode Ray Tube

CSTR Continuous-Flow Stirred-Tank Reactor

CWA Clean Water Act

DAF Dissolved Air Flotation

DCS Distributed Control System

DDT Deflagration to Detonation Transition

DIERS Design Institute for Emergency Relief Systems

DIPPR Design Institute for Physical Property Data

DOT Department of Transportation

DPC Deflagration Pressure Containment

EEGL Emergency Exposure Guidance Level

EJMA Expansion Joint Manufacturers Association

EPA Environmental Protection Agency

EPRI Electric Power Research Institute

ERPG Emergency Response Planning Guideline

ERS Emergency Relief System

ERD Emergency Relief Design

ESCIS Expert Commission for Safety in the Swiss Chemical Industry

ESD Emergency Shutdown Device

FIBC Flexible Intermediate Bulk Containers

F&EI Fire and Explosion Index

FMEA Failure Mode and Effects Analysis

FMEC Factory Mutual Engineering Corporation

FRP Fiber Reinforced Plastic

GPM Gallons Per Minute

GPSA Gas Processors Suppliers Association

HAZOP Hazard and Operability study

HEI Heat Exchanger Institute

HMB Heat and Material Balance

hp horsepower

HSE Health and Safety Executive

HVAC Heating, Ventilation, and Air Conditioning

IChemE The Institution of Chemical Engineers

LEL Lower Explosive Limit

LFL Lower Flammable Limit

LNG Liquefied Natural Gas

LOC Limiting Oxidant Concentration

LPG Liquefied Petroleum Gas

mA milliampere

MAWP Maximum Allowable Working Pressure

MEC Minimum Explosible Concentration

MIE Minimum Ignition Energy

mJ millijoule

MSDS Material Safety Data Sheet

MSS Manufacturers Standardization Society

NACE National Association of Corrosion Engineers

NAS National Academy of Science

NBIC National Board Inspection Code

NEC National Electrical Code

NEMA National Electrical Manufacturers Association

NESC National Electrical Safety Code

NDE Nondestructive examination

NFPA National Fire Protection Association

NIOSH National Institute of Occupational Safety and Health

NPCA National Paint and Coatings Association

NPDES National Pollutant Discharge and Elimination System

NPSH Net Positive Suction Head

NRC National Research Council

NSPS New Source Performance Standards

NTIAC Nondestructive Testing Information Analysis Center

OSHA Occupational Safety and Health Administration

PCB Polychlorinated Biphenyl

PEL Permissible Exposure Limit

PES Programmable Electronic System

PFD Process Flow Diagram

PFR Plug Flow Reactor

PLC Programmable Logic Controller

P&ID Piping and Instrumentation Diagram

PHA Process Hazard Analysis

PID Proportional Integral Derivative

ppm parts per million

pS picoSiemen

PSD Process Safety Device

PSV Pressure Safety Valve

PSS Process Safety System

PVRV Pressure-Vacuum Relief Valve

RCRA Resource Conservation and Recovery Act

RP Recommended Practice

RT Radiographic testing

RTD Resistance Temperature Detector

SCBA Self-contained Breathing Apparatus

SCC Stress Corrosion Cracking

scf standard cubic foot

SAE Society of Automotive Engineers

SIS Safety Interlock System

SPCC Spill Prevention Control and Countermeasures

SPEGL Short-term Public Emergency Guidance Level

SFPE Society of Fire Protection Engineers

SSPC Steel Structures Painting Council

TEMA Tubular Exchanger Manufacturer Association

TLV Threshold Limit Value

TOC Total Organic Compounds

TSCA Toxic Substance Control Act

UBC Uniform Building Code

UEL Upper Explosive Limit

UFL Upper Flammable Limit

UL Underwriters Laboratory Inc.

UPS Uninterruptible power supply

UT Ultrasonic testing

UVCE Unconfined Vapor Cloud Explosion

VOC Volatile Organic Compound

WEEL Workplace Environmental Exposure Limit

249 This page has been reformatted by Knovel to provide easier navigation.

Index

Index terms Links

A

Absorption equipment 79

Adsorption equipment 79

Agitation (vessels) 57

Air cooled exchangers 88

American Petroleum Institute 188

ASME Boiler and Pressure Vessel Code 183 186 205

B

Batch centrifuge explosion case history 128

Batch chemical reactor example problem 179

Batch pharmaceutical reactor accident case history 39

Batch reactors 61

Blowers 117

Blowing agent blender operation explosion case history 138

Boilers 149

Brittle fracture heat exchanger case history 90

Bucket elevator explosion case history 139


C

Case histories 37 61 79 89 101 117 127 138 149 161

Catalytic incinerators 149

Centrifuges 127

Chemical storage terminal fire case history 162

Cold box explosion case history 91

Comminution equipment 137

Compressor fire and explosion case history 118

Compressors 117

Continuous flow stirred tank reactors 61

Continuous sulfonation reaction explosion case history 63

Conveying dryers 101

Conveyors 137

Coode Island 162

Cyclones 127

D

Design bases for safety systems 9 20

Design Institute for Emergency Relief Systems 186 208

3,4-Dichloroaniline autoclave case history 62

Direct contact exchangers 88

Distillation column critical concentration case history 80

Distillation equipment 79

Distillation system example problem 203

Dryers 101

Drying of compound fertilizers case history 102


Dust collector explosion case history 129

Dust collectors 127

E

Electrostatic precipitators 127

Emergency relief system 30

EPA Risk Management Program 200

Ethylene cracking furnace overfiring case history 150

Ethylene oxide redistillation column explosion case history 89

Ethylene purifier vessel rupture case history 80

External corrosion case history 163

Extraction equipment 79

F

Failure scenarios 45 69 84 95 106 122 132 144 154 168

Filter explosion case history 128

Filters 127

Fired equipment 149

Fires in cellulose acetate dryer case history 102

Flixborough expansion joint failure case history 161

Fluid bed dryers 101

Fluid bed reactors 61

Fluid transfer equipment 117

Furnace tube failure case history 150

Furnaces 149


H

Heat exchangers 88

Heat transfer equipment 89

High flow (piping) 171

High temperature (dryers) 113

High temperature (fired equipment) 157

High temperature (heat transfer) 97

High temperature (mass transfer) 85

High temperature (reactors) 75

High temperature (separators) 133

High temperature (solids handling) 147

High temperature (vessels) 54

High temperature (piping) 170

High/low level (mass transfer) 86

I

Ignition of pyrophoric materials in gasoline fractionator case history 81

Incinerators 149

In-process vessels 37

L

Light-off error case history 149

Line pluggage case history 163

Locked open valve (design case) 27

Loss of containment (fluid transfer) 125

Loss of containment (heat transfer) 98

Loss of containment (piping) 172

Loss of containment (separators) 134

Loss of containment (solids handling) 148


Loss of containment (vessels) 57

Low flow (fired equipment) 159

Low flow (fluid transfer) 124

Low level (fired equipment) 159

Low level (vessels) 57

Low temperature (fired equipment) 158

Low temperature (heat transfer) 98

Low temperature (piping) 171

Low temperature (vessels) 55

M

Mass transfer equipment 79

Mechanical conveyors 137

O

OSHA Process Safety Management 182 200

Overfill (vessels) 55

Overpressure (dryers) 106

Overpressure (fired equipment) 154

Overpressure (fluid transfer) 122

Overpressure (heat transfer) 95

Overpressure (mass transfer) 84

Overpressure (piping) 168

Overpressure (reactors) 69

Overpressure (separators) 132

Overpressure (solids handling) 144

Overpressure (vessels) 45

Overspeed (fluid transfer) 125


P

Packed bed reactors 61

Packed tube reactors 61

Pharmaceutical powder dryer fire and explosion case history 102

Piping and piping components 161

Plug flow tubular reactors 61

Pneumatic conveying systems 137

Powder blenders 137

Pressurized tanks 37

Process furnaces 149

Pump leak fire case history 118

Pumps 117

R

Reactor (batch chemical) example problem 179

Reactor relief system (design case) 30

Reactors 61

Reciprocating pump leak case history 117

Relief system, reactor (design case) 30

Reverse flow (fluid transfer) 124

Reverse flow (piping) 172

Reverse flow (reactors) 76

Risk matrix 18

Risk tolerability 14

Risk 7

Rollover 42

Rotary dryers 101

Runaway reactions 41 62 187


S

Safety systems design bases 9 20

Screw conveyor explosion case history 139

Scrubbing equipment 79

Semi-batch reactors 61

Seveso runaway reaction case history 62

Shell and tube exchangers 88

Sieving equipment 137

Silicon grinder fire and explosion case history 138

Solid-fluid separators 127

Solids enlargement equipment 137

Solids feeders 137

Solids handling and processing equipment 137

Spray dryers 101

Spray granulators and coaters 137

Stapleton International Airport 118

Startup of parallel centrifugal pumps case history 119

Storage tank autopolymerization case history 37

Storage tank stratification case history 38

Storage tanks 37

Stripping equipment 79

T

Thermal incinerators 149

Tray dryers 101

U

Underpressure (dryers) 113

Underpressure (fired equipment) 157


Underpressure (heat transfer) 97

Underpressure/vacuum (mass transfer) 85

Underpressure/Vacuum (vessels) 51

V

Vessels 37

W

Washing equipment 79

Wrong composition (fired equipment) 159

Wrong composition (heat transfer) 98

Wrong composition (mass transfer) 87

Wrong composition (piping) 175

Wrong composition (reactors) 76

Wrong composition (vessels) 59

Wrong composition/phase (fluid transfer) 126