Appendix Worked Examples - ftp.feq.ufu.brftp.feq.ufu.br/Luis_Claudio/Segurança/Safety... · 12. The reactor is pressure purged three times with 15 psig nitrogen to displace the hydrogen.

AppendixWorkedExamples

This appendix contains two example problems which are intended to illustratethe use of the techniques and thought processes given in Chapters 2-12 of thisbook. Each example will use specific process situations to show how to useChapter 2 to determine the process safety system (PSS) design basis, identifythe design parameters which have the strongest impact on that basis, and assistin the selection of alternative inherently safer, passive, active and proceduraldesign solutions.

These examples are not intended to serve as a "standard" PSS design basisfor any industrial system. Each process and each design require specificprocess information (such as equipment pressure and temperature ratings,materials inventories, pipeline sizes, types of utility streams available, etc.)which differ from manufacturer to manufacturer, and process to process. Also,individual company policy and risk management procedures must providedirection concerning safety systems design, especially concerning the applica-bility of mitigation techniques. Any attempt to define an industry-wide "stan-dard" is counterproductive, in that it may prevent the thoughtful analysisrequired to define a safe, economical PSS system in favor of a "cookbook"approach which would likely miss some significant potential hazards.

AEXAMPLE PROBLEM:BATCH CHEMICAL REACTOR

This example problem is based on an existing industrial batch reaction system.It illustrates a batch reactor where a quinone-type organic compound is hydro-genated to a hydroquinone. The reaction product is an intermediate for apharmaceutical.

Reactors require a detailed hazard analysis before the proper ProcessSafety System (PSS) can be determined due to the complexity of the operation(heat and mass transfer and chemical reaction), as well as the different kindsand severity of events that can be caused by the reactants, products, catalysts,and impurities.

For this example, two process drawings are presented:

• Exhibit Al: Process Flow Diagram (PFD) with a material balance andequipment data.

• Exhibit A2: Piping & Instrumentation Diagram (PSdD).

Physical and hazardous properties were obtained from open technical lit-erature and company files. The heat of reaction and runaway potential datawere obtained from adiabatic calorimeter tests.

A. I SYSTEM DESCRIPTION

The batch reactor and associated equipment are shown in Exhibit Al, alongwith the material balance, and equipment data (sizes, dimensions, materials ofconstruction, etc.).

BRIhESUPPLY

BRINERETURN

NITROGEN

C.T. WATERRETURN

LP.STEAM

C.T.WATERSUPPLY

CONO.

TO BATCHSURGE TANK

STREAM No.

STREAM NAME

COMPONENT

QUlNONESOLVENT A

SOLVENT B

Pd/C

WATERIMPURITIESHYDROGEN

TOTAL

TEMP.(-C) JPRES.(PSIG)

S.G.

VOLUME-GAL.

VOLUME-SCF

QUINONE-SOLVENT ASOLUTION

SOLVENTSAZEOTROPICMIXTURE

CATALYSTSLURRY

SOLVENTSAZEOMIXTUREWASH FROMCATALYST HEADTANK

HYDROGEN

EXHIBITAIProcess Flow Diagram (PFD) with a material balance and equipment data.

100 PSIGNITROGEN HEADER

TO ORTHOTANK ON ROOF

TO VgNT HEADER CHILLER

CATALYST SLURRY

FROM HEAD TANK

OUINONE

SOLVENTS

AZEO MIXTUREFROM SURGETANK

SOLVENTS

AZEO MIXTUREWASH FROMCATALYST HEADTANK

!M1WFLUID RESERVOIR

HYDROGEN SUPPLY

Rftgg--^DETAIL V

SYMBOLS

FELO INSTKUkCNT

LOCAL PANEL INSTRUMENT

PROTECTIVE PIPE COVER (WEATHER CAP)

ROOF

VENT LME

NOTES:

1. BURST DISK DETECTOR

2. LOCATE H2 DETECTORHEAD AS CLOSE ASPOSSIBLE TO ANDIMMEDIATELY ABOVETHE AGITATOR SEAL.

EXHIBIT A2PIPING AND INSTRUMENTATION DIAGRAM

M- 1 MECH SEAL

FLUID RESERVOIR

TO AGITATOR

MECH. SEALDETAIL "A"

TO ISOLATION

VALVE IN H2

LINE TO R-1

C.T. WATERRETURN

8%R

HMB1*-

CONDENSATERETURN HEADER

R-1

4 BAFFLES

FuiWU

LP. STEAM

The operational sequence is as follows:

1. The reactor is charged with a solution of the quinone in solvent A.2. The reactor is charged with an azeotropic mixture of solvent A and

solvent B.3. The reactor mixture is heated to 50-550C.4. The reactor is pressure purged three times with 15 psig nitrogen to

displace the air.5. The reactor is charged with the palladium on carbon catalyst slurried in

the solvent A / solvent B azeotropic mixture.6. The catalyst slurry head tank is washed with azeotropic mixture of

solvent A and solvent B into the reactor.7. The reactor is pressure purged three times with 10 psig hydrogen to

displace the nitrogen.8. The reactor jacket is switched from heating to cooling service.9. The reactor hydrogen pressure is raised to 15 psig and the hydrogena-

tion is continued until the hydrogen uptake stops (about 2l/2 hours).10. The reactor hydrogen pressure is raised to 20 psig, the hydrogen is

isolated, and the reactor pressure is held for 20 minutes.11. The reactor is vented down to about 1 psig.12. The reactor is pressure purged three times with 15 psig nitrogen to

displace the hydrogen.13. The reactor jacket is switched from cooling to heating service.14. The reactor mixture is heated to 60-7O0C.15. The reaction mass is transferred with 5 psig nitrogen pressure to a

surge tank. This leaves the reactor incited for the next batch.

Selection of the design basis for this example will follow the nine-stepprocess explained in Chapter 2. In order to adequately perform Step 1—Iden-tify Failure Scenarios, some discussion of information requirements in gen-eral, and batch reactor systems in particular, is warranted, along with specificinformation pertaining to this process.

A.2 GENERAL INFORMATION REQUIREMENTS

The following information will be required to properly evaluate potential fail-ure scenarios:

• Heat and material balance (HMB) data• Material Safety Data Sheets (MSDSs) for all chemicals• Pure component and mixture physical property data (e.g., electrical

conductivity, viscosity, etc.)

• Chemical reactivity data (primary and side/secondary reactions and run-away reaction kinetic data)

• Accurate piping and instrumentation diagrams (PSdDs)• Equipment arrangements and plant layouts• Pressure vessel drawings that include maximum allowable working

pressure (MAWP), maximum vacuum rating, and minimum and maxi-mum operating temperature information

• Other process equipment maximum pressure and minimum/maximumtemperature ratings

• Control valve, pressure reducing valve, and other instrument data sheets• Relief device (safety valve, rupture disk, rupture pin), conservation

vent, and flame arrester (deflagration and detonation) data sheets• Unsteady-state (startup, shutdown, upset) conditions• Cleanout and steamout procedures, including all nonprocess chemicals

used• Equipment computer models for evaluation of deviations from steady-

state conditions, or for evaluation of worst-case startup and shutdownconditions

• Utility supply information (composition, pressure, temperature, volt-age, etc.)

• Materials of construction

Some of this information will be routinely available. Less commonly useddata (such as piping isometrics) may need to be prepared (for new installa-tions) or generated from field reviews (for existing installations) before a com-plete evaluation can be made.

Quite often some of the above information is not available for existingolder plants. However, under the OSHA Process Safety Management regula-tion this information must be obtained or developed for the chemicals coveredby this regulation.

A3 PSS DISCUSSION FOR BATCH REACTORS

A3. / Vessel Design and Primary Containment

Batch chemical reactors can be expensive because of their materials of con-struction requirements due to service involving corrosive reactants, catalysts,or solvents. Many are fabricated of stainless steel, glass-lined carbon steel, ormaterials such as Hastelloy, titanium, etc. due to service involving corrosivereactants, catalysts, or solvents. In addition, in current practice batch reactorsare highly instrumented and automated (run by programmable logic control-lers (PLCs) or minicomputers), and often have associated head (charging)

tanks, condensers, and heat transfer fluid systems which add to the cost of theinstallation.

Because of the hazardous potential of many batch chemical processes it isof prime importance to minimize the occurrence of fires, deflagrations, andrelease of flammable and/or toxic vapors and gases. It is the practice at manycompanies to specify a reactor design pressure (AlAWP) of at least 50 psig,even though the reaction may be carried out essentially at atmospheric pres-sure. This vessel pressure rating should be sufficient to contain a deflagration(Noronha 1982). Reactor vessels should be designed in conformance withSection VIII of the ASME Boiler and Pressure Vessel Code. The ASME Code,or its equivalent, is law in most states and in some foreign countries.

All reactors should be provided with adequate pressure relief devices.Vacuum relief will not normally be required if the vessel is designed for at least50 psig since this pressure rating should also be adequate for full vacuum inmost cases. However, vessels with design pressures near atmospheric pressureusually require vacuum relief, and this should be evaluated. Relief require-ments will be discussed in more detail in item 3.

Most batch chemical reactors have agitators, equipped with mechanicalseals, and means must be provided to ensure that mechanical seals do not leakor fail, which could result in a release of a flammable and/or toxic vapor or gasinto the surroundings. Agitator seals will be discussed in more detail in Sec-tion 5.4.

CCPS 1993 (with emphasis on Chapters 4, 5, 6, 8, 11, and 14) also pro-vides useful information, and will be used as a reference for portions of thisexample. Other references which are applicable to batch reactor design forhazard minimization are given at the end of this example.

A.3.2 Control Systems and Safe Automation

Many chemical reactions are exothermic and require heat removal, whileothers are endothermic and require heat addition. In many batch chemicalreactors, the batch is heated up to the boiling point and refluxed for a longperiod of time to complete the reaction. In other reactors, the solvent is boiledoff after the reaction has been completed, and then a further processing step isperformed in the reactor. The heating or cooling steps often must be con-trolled in order to prevent product deterioration, production of undesired sideproducts, or a runaway reaction which could result in a catastrophic event. Inmost older batch reactors the heating and cooling control systems are of thestandard type (i.e., non-computer controlled, pneumatic PID), whereas innewer plants the control operations are often performed by a computer systemthat programs the sequence of operations and initiates interlock shutdowns.

There are no regulatory requirements in the U.S. governing the use of auto-matic control in PSS applications. The CCPS publications Guidelines for SafeAutomation of Chemical Processes (with emphasis on Chapters 4 and 5) andGuidelines for Engineering Design for Process Safety (with emphasis on Chapter 9)provide a useful summary of current industry practices. Keep in mind thatcomputer-controlled processes do not provide fool-proof control and that cata-strophic events can occur if the computer control system is not properly ana-lyzed for integrity. The U.K. Health and Safety Executive report titledProgrammable Electronic Systems in Safety Related Applications provides guidanceon what can go wrong with computer-controlled processes and how to analyzethem. The Instrument Society of America (ISA) has published a standard titledProgrammable Electronic Systems for Use in Safety Applications (ISA S84.011996).

In this example problem, the main control loops for this reaction system are:

• Pressure control of the hydrogen feed to the reactor» Temperature control of the cooling tower water to the reactor jacket

Because this is an existing reactor that has been operating for a number ofyears, the instrumentation is primarily pneumatic, with some more recentlyinstalled electronic components.

A.3.2. / Alarm Strategy

For all alarms, it should be noted that with electronic instrumentation and adistributed control system (DCS), two high and two low alarm points are usu-ally included with the control point. Thus, alarm strategies which make use ofthese "free" points can serve as a very cost-effective way of increasing thenumber of alarm points without increasing the cost of the system. These addi-tional alarm points do not provide the redundancy necessary for some inter-lock initiators. If using older, pneumatic instrumentation, alarm points of anykind are an increased cost. Of course, one thing which must be avoided is thecasual use of alarm points simply because they exist. Excessive nuisance alarm-ing can cause the operator to become indifferent to alarms (since they go off sofrequently) or deactivate diem, or become confused in a true emergency(because so many alarms are actuated simultaneously).

As mentioned above, this is an existing reactor, with primarily pneumaticinstruments. The reactor has a high temperature alarm to alert the operatorthat there may be a problem with the cooling tower water supply to the jacket.High-high temperature and pressure alarms, independent from their "high"counterparts, are also provided.

A.3.2.2 Interlock StrategyOnce alarm parameters have been determined, this same information can beused to develop a general philosophy and execution strategy for interlocks.

Process and safety interlocks differ from one another in that, whenever theprocess condition which caused the process interlock to activate is corrected,the control function usually returns to normal. Safety interlocks often must bemanually reset before control can return to normal. An analysis of the alloca-tion of supervisory roles between the operator and automatic control systemsshould be made before a decision to interlock is reached.

Another issue concerning safety interlocks is the use of automatic controlsto mitigate potential overpressure in place of relief systems. Neither ASMEnor API provide explicit guidance on the use of safety instrumentation to miti-gate relief requirements, and risk management policies very widely concerningthe use of instrumentation or any active system to protect against overpres-sure. Issues such as the reliability and cost of safety interlock systems and theirrelated field devices (sensors, isolation valves, etc.) as compared to the reliabil-ity of relief systems must be considered in weighing the tradeoffs.

The interlock strategy selected for this existing reactor is as follows: twohigh-high switches are interlocked to shut an isolation valve in the hydrogenfeed line. The high-high temperature switch takes a signal from the thermo-couple in the reactor, and the high-high pressure switch takes its signal fromthe reactor rupture disk burst detector.

A.3.2.3 Valve Failure Position

Closely related to this strategy is the decision on how automatic control andblock valves should fail under loss of motive energy or control signal. In gen-eral, energy sources (such as steam, hot oil, or high pressure gas) are designedto fail closed (FC) to isolate the process from excessive energy input. Energy-removing streams (coolants, vents, etc.) are usually fail open (FO) to bring thesystem to a lower potential energy state under emergency conditions. Whilenot always true, these guidelines should apply to most cases considered.Another issue which must be addressed is the difference in failure positionupon instrument air (IA) failure as compared to the failure position on elec-tronic signal failure. Often, a valve can be set to fail in one direction when IA islost; however, the controller manipulating this valve may have an entirely dif-ferent failure position which may take the system to an unsafe condition. Bothtypes of failure positions must be addressed independently.

There is a third category of valve failure position, that of fail-last-position(FL) which is not as frequently used in process systems. However, there maybe occasions where FL valves are needed for production reasons and also havesafety implications. These situations should be carefully analyzed before thevalve failure position is finalized.

All the control valves for this reactor were designed to fail in the fail-safeposition on loss of instrument air, as follows:

• The control valve in the cooling tower water line to the reactor jacketfails open.

• The control valve in the hydrogen feed line fails closed.• The control valve in the brine line to the reactor vent condenser fails

open.• The isolation valve in the quinone/solvent feed line to the reactor fails

closed.• The isolation valve in the hydrogen feed line to the reactor fails closed.

A3.3 Pressure and Vacuum Relief

A significant safety-related design problem for equipment in general is theappropriate selection of the sizing basis for emergency pressure and vacuumrelief devices. Relief devices are required for vessels covered by ASME Code,but the basis for sizing and selecting these devices is left up to the systemdesigner. Relief device sizing methodology is particularly critical if two-phaseflow occurs due to reactive, foaming, or viscous effects. For these systems,methodologies such as those developed by the Design Institute for EmergencyRelief Systems (DIERS) should be used. In the absence of two-phase flow,more conventional techniques can be applied.

The need for and location of relief devices should be identified as early inthe design as possible, as an integral part of PSS strategy formulation. The dis-position of relief effluents (flaring, secondary containment, quenching, orrelief to atmosphere) may influence the type and position of relief devicesneeded. The forthcoming CCPS publication "Guidelines for Pressure Reliefand Effluent Handling Systems" provides guidance on the selection anddesign of disposal systems. Relief system design bases may also be altered bythe presence of other passive or active safety systems, such as fireproof insula-tion or instrumentation, back pressure influences, or the need for downstreameffluent disposal systems such as flares.

Once the proper design basis has been determined, sizing of the appropri-ate devices can proceed using requirements and information listed in the refer-ence section at the end of this example.

Since most reactors are designed for pressures greater than 15 psig theyare considered pressure vessels and are subject to the requirements of SectionVIII of the ASME Boiler and Pressure Vessel Code. This means that theymust be provided with pressure relief and, if necessary, vacuum relief. Reliefdevices can be either safety valves or rupture disks, or a combination of thetwo. Rupture disk/safety valve combinations are quite common where thereactants, catalyst, or solvents are corrosive and the rupture disk is provided toprotect the safety valve from corrosion. Rupture disk/safety valve combina-

tions are also used on polymerization reactors to prevent the safety valve frombecoming plugged.

The most common bases for sizing relief devices for batch chemical reac-tors are fire loading and runaway reactions. In this example the potential for arunaway reaction was determined to be very low based on adiabatic calorime-ter experiments. Therefore, the relief device was sized for fire loading. A rup-ture disk was selected to meet the relief requirements for the followingreasons: (1) a rupture disk is considerably cheaper than a safety valve, and (2)there was a possibility that the catalyst used could plug the safety valve.

A.3.4 Fixed Fire Protection and Passive Mitigation

Once key interlock and relief requirements have been set, post-release mitiga-tion systems must be evaluated. These include fixed fire protection systems asdescribed in NFPA15 1990, life safety code requirements per NFPA1011997,and other site-related issues. Little or no regulatory guidance exists for theseissues; API RP 752 1995 and the Guidelines for Evaluating Process Plant Build-ings for External Explosions and Fires (CCPS 1996) address the siting issues.

Selection of the PSS design basis also involves a system-wide analysis forsynergistic hazards not revealed by consideration of the failure scenarios ofindividual unit operations only. This analysis should address the relationshipbetween the operation in question and the other unit operations in theprocess, the utility and outside battery limits operations that might beadversely affected by upsets in the operation in question, and interrelationshipof utilities which might result in a common-mode failure (such as steam andelectricity cogeneration failure).

In the plant where the reactor is situated, it is company policy to providewater deluge system protection above and below all vessels larger than 4 feet indiameter, which includes the reactor with a diameter of 61Xa feet. To minimizethe accumulation of flammable liquid if a spill occurs, the floor under and sur-rounding the reactor is sloped toward a process sewer drain. Also, the reactoris insulated with jacketed insulation held in place with stainless steel straps.

A.4 SELECTION OF DESIGN BASES FOR SAFETY SYSTEMS

This section uses the systematic risk-based technique for selecting the designbases for process safety systems discussed in chapter 2. Use of the techniqueimposes discipline on the thought process, yet allows for flexibility in applica-tion. The design bases selection technique is comprised of a number of analysisand testing steps, detailed graphically in a decision tree (see Exhibit 2.2 inChapter 2).

Step 1: Identify Failure Scenarios

In this example, each of the selection steps (1-9) will be discussed generally,then, steps 2-8 will be repeated in detail for each of the five potential failureslisted below.

In this batch reaction a number of hazards must be considered:

• Hydrogen is highly flammable.• Both of the solvents are flammable.• The catalyst may ignite spontaneously if contaminated with organics.• The reactant quinone has a high flash point (960C), but violent decom-

position and toxic emissions can occur when it is heated or in a fire.

The reaction is moderately exothermic. Calorimetric studies indicate thatthe heat of reaction is about 482.7 Btu/lb of the quinone, and there is verylittle likelihood of a runaway reaction.

Corrosion will not be considered as a potential failure scenario becauseyears of operation in a stainless steel reactor have shown no evidence of corro-sion problems.

The failure scenario tables in Chapter 3 (Vessels), Chapter 4 (Reactors),and Chapter 6 (Heat Transfer Equipment) were reviewed for relevance, and afirst pass through these tables yielded 16 potential failure scenarios, as shownin Exhibit A3.

Some of the scenarios do not have as severe a consequence as others, andonly the most hazardous ones will be considered. This example will focus onthe following five specific potential failure scenarios:

A. Ignition of flammable atmosphere in reactor vapor space causedby static discharge spark (Overpressure per Table 3, no. 3)

B. Cooling system control failure (High Temperature per Table 3,no. 28)

C. External fire (Overpressure and High Temperature per Table 3,no. 5 and Table 3, no. 30)

D. Loss of sealing fluid to reactor agitator mechanical seal resultingin emission of flammable vapors (Loss of Containment per Table 3,no. 49)

E. Ignition of flammable atmosphere in reactor vapor space causedby hot mechanical seal (Overpressure per Table 4, no. 3)

The tables in this book are generic, in that they are intended to apply to awide variety of equipment configurations and installations. They are notintended for use as a "one-stop" reference. Other references may contain moredetailed information on specific subjects, such as the checklist published by theAmerican Petroleum Institute (See Section 3.2, Table 1 in API RP 520,1993),

EXHI BIT A3Potential Failure Scenarios

FailureScenarioNumber Failure Scenario Description

3-1 Liquid overfill resulting in back pressure or excessive static head

3-2 Inadvertent or uncontrolled opening of high pressure utility system

3-3 Ignition of flammable atmosphere in vessel vapor space

3-5 External fire

3-15 Blocked outlet flow path

3-17 Heating and thermal expansion of liquid

3-28 Control failure of heating/cooling system

3-30 External Fire

3-49 Loss of sealing fluid to vessel agitator resulting in emission offlammable or toxic vapors

4-1 Overcharge of catalyst resulting in runaway reaction

4-2 Addition of a reactant too rapidly resulting in runaway reaction

4-3 Loss of agitation resulting in runaway reaction or hot bearing/seals causingignition of flammables in vapor space

4-7 Overactive and/or wrong catalyst results in runaway reaction

4-8 Inactive and/or wrong catalyst leading to delayed runaway reaction inreactor or downstream vessel

6-5 Loss of heat transfer due to fouling, accumulation of noncondensables,or loss of cooling medium

6-7 Cold-side fluid blocked in while heating medium continues to flow

for specific overpressure relief systems design cases. As with any engineeringtool, its applicability to a specific problem must be established each time it isused.

Step 2: Estimate the Consequences

Step 3: Determine Tolembility ofConseqitences

Consequence estimation requires information on the physical, chemical, andtoxic properties of the materials involved in the process, the quantity of mate-

rial which could be involved in a scenario, the impact of each scenario on thesurroundings (facility siting), and an economic evaluation of the impact ofequipment damage and lost production.

Information on the physical and chemical properties of chemicals in thisprocess can be obtained from the MSDSs, other sources of product informa-tion, or technical books and brochures, or can be developed. This informationcombined with the quantity of material in the process, can be used to assessfire, explosion, and toxic effects using appropriate source terms, dispersioncalculations, and effect models for scenarios with potential for materialsrelease to the atmosphere. Facility siting issues should also be considered atthis point based on the results of the scenario assessments.

Economic consequences must also be evaluated. These will be highlydependent on such factors as alternative sources of materials supply, availabil-ity of alternative production facilities, and replacement units.

For this example, the following NFPA 704 (scale of 0-4) ratings andproperties of the materials were obtained from the MSDSs (Exhibit A4).

EXHI BIT A4

Property or Rating Hydrogen

Fire 4

Health O

Reactivity O

Flash point, 0C gas

LEL, vol. % 4.0

UEL, vol. % 75.0

AIT, 0C 520

LOG, vol. % 5.0

MIE, mj 0.016

Electrical conductivity, pS/m none

LEL is the lower explosive limitUEL is the upper explosive limitAIT is the autoignition temperatureLOG is the limiting oxygen concentrationMIE is the minimum ignition energypS/m equals picosiemens per metermj equals millijoulesn.d. indicates no data available

QuinoneCompound

O

2

1

96

n.d.

n.d.

450

n.d.

n.d.

n.d.

Solvent A

3

2

O

4.4

1.0

7.0

535

9.5

0.24

<1

Solvent B

3

1

O

12

6.0

36.0

463

10.0

0.14

4.4 XlO7

Electrical conductivity data for solvent mixtures was not determined sincethe worst electrostatic hazard case is handling of pure solvent A. Static electric-ity precautions were determined for this situation.

From the above NFPA hazard ratings and the other hazardous propertiesshown, it is obvious that fires and explosions (deflagrations) are very likelyshould there be an ignition source and sufficient oxygen. Since the reactor islocated inside a building, surrounded by other equipment containing flamma-ble liquids and gases, a significant amount of equipment damage and injury orfatalities, as well as business interruption, could result. In addition, the releaseof hydrogen and flammable vapors outside the building could result in secon-dary fires, explosions, and personnel injuries or fatalities in the surroundingareas of the building.

The consequences of unmitigated operational deviations resulting inmedium-level and high-level hazards have been determined to be unacceptablerisks by the organization represented in this example. Therefore, the designermust provide alternatives which mitigate these consequences.

Step 4: Estimate Likelihood and Risk

Step 5: Determine Tolembility of Risk

Risk estimation is often the most difficult step in the process. Consequenceestimation is usually objective, but evaluation of likelihood involves humanfactor considerations (effectiveness of individuals and group performance),and the adequacy of a specific design or equipment item. Because of these fac-tors, great care must be taken to ensure accuracy and lack of bias.

At some point in this analysis quantification of likelihood may be neces-sary, but often is superseded by standard company policies, engineering stan-dards and standard design practices. For example, failures with no or lowconsequences may be adequately controlled by normal process controls oroperating procedures, whereas severe hazards (such as those with major on-site or off-site ramifications) may require two or more independent levels ofsafeguards or mitigation, in addition to the normal ones, to reduce the risk toan acceptable level.

Assessment of likelihood often requires evaluation of both plant systems(equipment, controls, etc.) and operating procedures. Equipment failure ratedata are available from a number of sources (e.g., CCPS 1989), and whilethere are uncertainties and gaps in these data, they can be objectively and con-sistently evaluated through the use of plant data collection and componentfailure testing. Keep in mind that generic failure rate data may not necessarilyapply to every plant, as these failure rates are affected by the chemicals handledand maintenance practices, and that actual plant data from one's plant may be

the best source of failure rates. Generic data may be used to prepare compara-tive estimates of several alternates, however.

Reliability of procedural safeguards (standard operating procedures), onthe other hand, are dependent on the effectiveness of training and the strengthof managerial implementation and documentation. Not only are these hard tomeasure, but they can change significantly due to a wide variety of factors,such as personnel turnover or change in management.

For this example, company management has established the hazard levelsshown in Exhibit A5, which are comparable to those shown in Chapter 2 inExhibit 2.5. For simplicity, levels Cl and C2 have been combined into the lowhazard category.

For low-level or medium-level hazards, two levels of independent proce-dural safeguards may be substituted for a single automatic safeguard. Forhigh-level hazards, no procedural safeguard may be credited for mitigation.

Note that criteria similar to these are commonly found in industry; how-ever, each company must make its own determination of risk acceptabilitylevels.

Risk tolerability is often based on what is known as an F-N (Frequency-Number) curve. An F-N curve is a plot of cumulative frequency versus conse-quences (expressed as number of fatalities). For more details on F-N curves,see Guidelines for Chemical Process Quantitative Risk Analysis (CCPS 1993).

Step 6: Consider Enhanced and/or Alternative Designs

Step 7: Evaluate Enhancements and/or Alternatives

Step 8 Determine Tolerability of Risk and Cost

Steps 6-8 are analogous to steps 3-5, but this time one is evaluating the modi-fied system instead of the original, unacceptable design. The tables in Chapters3-12, along with other specific references, are intended to suggest potential

EXHIBIT A5

Hazard Level

Low (Cl and C2)

Medium (C3)

High (C4)

Consequence Definition

Minor Injury Potential

Major On-site Consequence(See Exhibit 2.5)

Major Off-site Consequence(See Exhibit 2.5)

Safeguards Requiredfor Acceptable Risk Level

Normal Controls

One layer of independent non-procedural safeguards above normalcontrols

Two layers of independent non-procedural safeguards above normalcontrols

alternatives to enhance the risk acceptability of the design. Not all solutionspresented in the tables will be applicable to each situation. Each potentialenhancement must be evaluated for:

• Technical Feasibility—Will it work at all?• Applicability to a specific situation—Will it work here?• Cost/Benefit—Is it the best use of resources, or can greater risk reduc-

tions be achieved by spending the same money elsewhere?• Synergistic/Mutual Exclusivity effects—Will this solution work in con-

junction with other potential enhancements, or will its implementationeliminate other potential beneficial solutions from being considered?

• Additional New Hazards—Will this solution create new hazards thatmust be evaluated?

Once a course of action is decided upon, it again must be evaluated for riskand cost acceptability. Steps 6-8 must be repeated until an acceptable reduc-tion in risk has been achieved. Note that, if all technical options are exhaustedwith the risk level remaining unacceptably high, the only alternative may be tofind a replacement process step.

The following sections provide a detailed discussion of steps 2-8 for thisexample problem's five scenarios of interest, listed in section A.4.

A.5 IGNITION OF FLAMMABLE ATMOSPHERE IN THEREACTOR VAPOR SPACE CAUSED BY STATICDISCHARGE SPARK (FAILURE SCENARIO A)

Since the solvents are flammable liquids, if there is an electrostatic spark dis-charge and the oxygen in the vapor space of the reactor is above the LOC ofthe solvents, there could be a deflagration.


Solvent A is known to be a very poor conductor that becomes electrostaticallycharged during flow through pipes, which could lead to an ignition of theflammable vapors in the reactor head space if the solvent is allowed to free-fallduring charging. This hazard is minimized by having the streams containingSolvent A enter the reactor by means of a diverter elbow, which allows thestream to flow down the reactor wall in a gentle manner so as to avoid splash-ing and mist formation. Prior to charging of any mixtures containing solvent,the reactor is already inerted with nitrogen from a prior processing step. Thereactor is also bonded and grounded to bleed off any electrostatic charges thatmight accumulate on the wall of the vessel. In addition, the reactor is purged

of hydrogen with nitrogen after the reaction is completed, and then the batchis transferred out using nitrogen, so that there is always a nitrogen atmospherein the reactor when flammable streams are charged into it.

Step 3: Determine Tolerability of Consequences

If a deflagration occurred, it would be a medium-level or high-level hazard,and company management has determined that these are unacceptable conse-quences.


Because the consequences of unmitigated medium-level or high-level hazardare unacceptable, determination of likelihood is not required.


As determined in Step 3, the risks presented are not acceptable. A minimum oftwo nonprocedural safeguards would be required normally. Nevertheless, thereactor has two passive safeguards (diverter elbow and bonding and ground-ing) and one active safeguard (purging and inciting), which should be ade-quate to minimize or eliminate the potential for an electrostatic sparkdischarge ignition of flammable vapors.


As indicated above, three of the most common safeguards for preventing elec-trostatic spark discharge ignition of flammable vapors have been providedalready, and no enhanced alternatives are required.

Step 9: Documentation

As discussed in Chapter 2, complete and thorough documentation is critical tothe safety system selection process. It is important that all failure scenarios, nomatter how seemingly insignificant, be documented, since significance maychange with process modifications or substitution of materials.

A.6 COOLING SYSTEM CONTROL FAILURE(FAILURE SCENARIO B)

For batch reactors, the most commonly installed control system is tempera-ture control for heating and cooling. Temperature control is necessary toachieve proper reaction conditions for good conversions to minimize side

product formation, and in many cases, to prevent the occurrence of productdeterioration and runaway reactions.

In this reaction, the potential for runaway reactions has been determinedto be low, but it is known that product deterioration ("tarring") can occur ifthe reaction temperature is allowed to exceed its normal limits. For thisreason, controlled cooling of the batch to remove the heat of reaction duringhydrogenation is very important. The batch must be heated up twice duringthe batch cycle, but only to a moderate increase above ambient temperature.Therefore, this heating is not automatically controlled but is manuallyadjusted by the operator. The operating instructions require the operator tolog in the temperature (a procedural safeguard).


If the supply of cooling tower water to the reactor jacket stopped, either due tothe temperature controller failure or malfunction, or because of problems withthe cooling tower itself, then the batch might be heated up to the boiling pointof the solvent mixture due to the heat of reaction. The result would be a possi-ble overpressure, requiring pressure relief.

Step 3: Determine Tolembility of Consequences

If overtemperature or overpressure should occur, this would be considered amedium-level hazard, and would be considered an unacceptable consequence.


Because the consequences of unmitigated medium-level hazards are unaccept-able, determination of likelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Step 3, the risks presented are not acceptable. For a medium-level hazard, a minimum of one nonprocedural safeguard is required in addi-tion to the normal controls required to operate the process.

To monitor the temperature and alert the operator if the temperature isnot being controlled, the reactor has a temperature controller with a high tem-perature switch and audible alarm. In addition, the reactor is equipped with anindependent temperature sensor (capillary type) and high-high temperatureswitch interlocked with an isolation valve in the hydrogen feed line. This inter-lock will shut off the hydrogen feed to the reactor in the event of a high-hightemperature, and the heat of reaction will drop quickly. In addition, the reac-tor is equipped with a high-high pressure switch, taking a signal from the rup-

ture disk burst detector, which is also interlocked with the isolation valve inthe hydrogen feed line. The cooling tower water supply line to the reactorjacket is backed up by an interconnection to the city water system, which canbe manually turned on by the operator should the cooling tower water systemfail.


Since the reactor is provided with two nonprocedural safeguards in additionto the normal control, as well as one procedural safeguard (ability to supplycity water to the reactor jacket), no enhanced alternatives are required.



A.7 EXTERNAL FIRE (FAILURE SCENARIO C)

External fire is always a possibility when flammable liquids are being handled.A pool fire under the reactor will impinge on wetted and unwetted vessel sur-faces, boiling the liquid contained in the reactor and, eventually, resulting inoverpressurization of the vessel. If the overpressure is not relieved in time,rupture of the reactor may occur due to both thermal and pressure overstress.


To provide overpressure protection for the external fire failure scenario, thereactor was provided with a rupture disk sized by the conventional singlephase vapor relief procedure (e.g., API RP 520 1993), since experience hadshown the system not to be foamy. Appropriate environment factors (API RP520 1993, Appendix D) were taken into account in determining fire heatinput. Although a runaway reaction was determined to have a very low likeli-hood of occurring, the discharge piping from the rupture disk is routed to acatch tank.


The unmitigated control of overpressure resulting from an external fire couldresult in a medium-level hazard, and possibly a high-level hazard. Therefore,

pressure relief has been provided and the effluent stream routed to a catchtank.


Because unmitigated medium-level and high-level hazard are not consideredacceptable, determination of likelihood is not required.


Since the risks presented are not tolerable, a minimum of two nonproceduralsafeguards are required in addition to the normal controls required to operatethe process.

The reactor is provided with the following active safeguards:

• Rupture disk set at 30 psig (below the MAWP of 35 psig)• Automatic fixed water spray fire protection system

The rupture disk is provided with a burst disk detector (with an audiblealarm), which is also connected to a high-high pressure switch interlockedwith an isolation valve in the hydrogen feed line to stop hydrogen flow.


Since the reactor is provided with two automatic safeguards for this failurescenario, no enhanced alternatives are required.



A.8 LOSS OF SEALING FLUID TO REACTORAGITATORMECHANICAL SEAL (FAILURE SCENARIO D)

The loss of sealing fluid to the reactor agitator mechanical seal can result inlarge emissions of flammable hydrogen and solvents into the building, andpossibly outside, which could deflagrate if the vapor cloud encountered anenergy source of sufficient strength. Since hydrogen has a very low MIE(0.016 mj) it can very easily be ignited. Appreciable equipment damage andinjury or fatality could result if a deflagration occurred inside the building.

Step 2 Estimate the Consequences

The agitator mechanical seal fluid is provided by means of a seal fluid reservoirconnected by piping to the seal, pressurized by 50 psig nitrogen. The seal fluidreservoir is provided with a level glass and the nitrogen line to the reservoir isprovided with two pressure gauges. The operator is supposed to check the sealfluid level in the reservoir and the nitrogen line pressure gauges every shift.These administrative procedures are the only safeguards for the seal fluid res-ervoir. If the operator forgets to do this checking and the reservoir level orpressure drops below the required level or pressure, then a seal failure canoccur, resulting in a large release of flammable hydrogen and solvent vapors.


Release of flammable hydrogen and solvent vapors into the building, and pos-sibly outside of it, can result in a catastrophic event which constitutes a high-level hazard. The present monitoring procedure can result in consequenceswhich are not tolerable. Therefore, a more positive monitoring of the seal fluidreservoir level and pressure is required.


Because an unmitigated high level hazard is unacceptable, determination oflikelihood is not required.

Step 5: Determine Tolerability of Risk

As discussed in Section 3 the risks presented are not acceptable and a mini-mum of two nonprocedural safeguards in addition to the normal controls arerequired to operate the process.


To enhance the reliability of providing seal fluid to the reactor agitatormechanical seal the following additional safeguards will be provided:

• A low level switch and audible alarm on the seal fluid reservoir• A low pressure switch and audible alarm on the seal fluid reservoir

Both of the above switches will be interlocked with an isolation valve inthe hydrogen feed line to stop hydrogen flow to the reactor should a problemoccur with the seal fluid reservoir level or pressure.

To provide die required second safeguard level, a hydrogen gas sensorwith a high concentration alarm will be provided at the seal to warn of a seal

leak. High concentration will be interlocked to close another isolation valve inthe hydrogen line.

Step 7: Evaluate Enhancements and/or Alternatives

Providing the suggested enhanced safeguard alternatives outlined in Step 6will add two active safeguards above normal control (operator monitoring ofthe seal fluid reservoir level and nitrogen pressure), which are required for ahigh level consequence. The risk of losing agitator mechanical seal failure hasbeen significantly reduced by these enhancements which are shown on Detail"A35 of the PSdD.

Step 8: Determine Tolembility of Risk and Cost

The enhanced PSS recommended in Step 6 will satisfy the requirements of themanagement guidelines. The capital project evaluation team determined thatthe cost required for these modifications is acceptable.



A.9 IGNITION OF FLAMMABLE ATMOSPHERE IN REACTORVAPOR SPACE CAUSED BY HOT MECHANICAL SEAL(FAILURE SCENARIO E)

If die reactor agitator mechanical seal becomes hot, due to loss of seal fluid,then it can become an ignition source and cause a fire or deflagration in thereactor vapor space. The reasons that this seal can fail are discussed in SectionA.8 (Failure Scenario D). All the steps given in Section A.5 apply to thisscenario and should be referred to for the recommended enhanced alterna-tive/design.



AJO DOCUMENTATION

It is critical to provide accurate, detailed, and readily available documentationof all PSS design bases, so that assumptions can be easily verified, and criticalsafety components be identified. In the case of existing plants, such as the onein this example, these documents may not be readily available, and it may benecessary to contact equipment vendors or make new calculations (e.g., forsizing of relief devices). This documentation is particularly important whenone element of the analysis (e.g., instrumentation) eliminates or mitigates thesize and/or scope of protection of another element (e.g., relief devices). Theremay also be regulatory record keeping requirements, such as those concerningprocesses covered by the OSHA Process Safety Management regulation (29CFR 1910.119). In addition, there may be documentation requirements forthe new EPA Risk Management Program (40 CFR 68). Complete mechanicaldesign information on vessels and other process equipment, interlock strate-gies and alarm points, relief and venting systems sizing bases (including casesthat were eliminated through other active or passive means), and siting andfire protection design bases all may need to be recorded permanently as part ofthe Process Safety Information file. Without this information, potential futuremodifications to a PSS cannot be made until a complete revaluation of thePSS basis is complete. This re-evaluation will be difficult and time-consumingwithout the detailed information on the original basis. Similarly, items used tomitigate or eliminate potential hazards may not be intuitively obvious, asexample 2.6.1 in Chapter 2 illustrates so graphically.

Procedural controls are perhaps the most critical of all controls to docu-ment well, since identification of safe upper and lower operating limits, andtraining requirements are critical to gaining and retaining safety managementeffectiveness. In many processes, the only place that procedural controls aredocumented is in the operating procedures. A separate listing of these proce-dural controls would make die safety documentation more inclusive and com-plete. Above all, documentation must tell the why as well as the what, so thatfuture evaluators will have the full benefit of the knowledge and rationaleoriginally used to specify the safeguards.

The PSdD shown in Exhibit A2 illustrates the PSS additions to the BasicControl System on Detail "A". Note that the mechanical seal fluid reservoirlow level and nitrogen low pressure switches and the interlocks to the isolationvalve in the hydrogen feed line to the reactor are now included on the PSdD.A number of PSS features shown on the PSdD were added after a HAZOPwas performed, but the new PSS features for the seal fluid reservoir were notconsidered at that time.

REFERENCES

API RP 520 1993. Sizing, Selection, and Installation of Pressure-Relieving Devices in Refineries. Part!-Sizing and Selection. Washington, DC: American Petroleum Institute.

API RP 752 1995. Management of Hazards Associated with Locations of Process Plant. 1st Edition.Washington, DC: American Petroleum Institute.

ASME 1995. Boiler and Pressure Vessel Code. Section VIII, Division 1. New York: American Soci-ety of Mechanical Engineers.

CCPS 1989. Guidelines fir Process Equipment Reliability Data. Center for Chemical Process Safety,New York: American Institute of Chemical Engineers.

CCPS 1993a. Guidelines fir Engineering Design fir Process Safety. Center for Chemical ProcessSafety, New York: American Institute of Chemical Engineers.

CCPS 1993b. Guidelines fir Safe Automation of Chemical Processes. Center for Chemical ProcessSafety, New York: American Institute of Chemical Engineers.

CCPS 1993c Guidelines fir Chemical Process Quantitative Risk Analysis. 2ded. Center for Chemi-cal Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1996. Guidelines fir Evaluating Process Plant Buildings for External Explosions and Fires.Center for Chemical Process Safety, New York: American Institute of Chemical Engineers.

EPA1996. Risk Prevention Program for Chemical Accident Prevention. U.S. Environmental Protec-tion Agency, 40 CFR, Part 68.

ISA S84.011996. Programmable Electronic Systems for Use in Safety Applications. Research TrianglePark, NC: Instrument Society of America.

NFPA 101 1997. Code for Safety to Life from Fire in Buildings and Structures. Quincy, MA:National Fire Protection Association.

NFPA 15 1990. Water Spray Fixed Systems for Fire Protection. Quincy, MA: National Fire Protec-tion Association.

NFPA 704 1996. Standard System for the Identification of the Fire Hazards of Materials. _Q\imcy,MA: National Fire Protection Association.

Noronha, J., Merry, J., Reid, W., and Schiffhauser, E. 1982. Deflagration Pressure Containment forVessel Safety Design, Plant/Operations Progress, Vol. 1, No. 1., pp 1-6,1982.

OSHA 1992. Process Safety Management of Highly Hazardous Chemicals. 29 CFR 1910.119.Washington, DC: Occupational Safety and Health Administration.

Suggested Additional Reading

API RP 2003 1991. Protectim Against Ignition Rising out of Static, Lightning, and Stray Currents.Washington, DC: American Petroleum Institute.

Barton, J. and Rogers, R. 1996. Chemkal Reaction Hazards. 2d ed. Rugby, Warwickshire, UK:Institution of Chemical Engineers.

Benuzzi, A. and Zaldivar, J. M. eds. 1991. Safety of Chemical Batch Reactors and Storage Tanks.Dordrecht and Boston: Kluwer Academic Publishers.

Britton, L. 1992. Using Material Data in Static Hazard Assessment. Plant/Operations Progress. 11 :2 (April): 56-70.

British Standards Institute BS-5958 1991. Code of Practice for Control of Undesirable Static Electric-ity: Part 1, General Considerations, and Part 2, Recommendations for Particular IndustrialSituations. London: British Standards Institute.

CCPS 1995. Guidelines for Chemical Reactivity Evaluation and Application to Process Design. Centerfor Chemical Process Safety, New York: American Institute of Chemical Engineers.

CCPS 1997. Guidelines for Pressure Relief and Effluent Handling Systems. Center for ChemicalProcess Safety, New York: American Institute of Chemical Engineers.

DIERS (Design Institute for Emergency Relief Systems) 1992. Emergency Relief System DesignUsing DIERS Technology. DIERS Project Manual. New York: AIChE.

UK HSE 1987. Programmable Electronic Systems in Safety Related Applications. UK Health andSafety Executive. London: Her Majesty's Stationery Office.

Appendix Worked Examples - ftp.feq.ufu.brftp.feq.ufu.br/Luis_Claudio/Segurança/Safety... · 12. The reactor is pressure purged three times with 15 psig nitrogen to displace the hydrogen.

Documents