c/EPA
United States
Environmental Protection
Agency
Air and Energy Engmet-rii",
Research Laboratory
Research Triangle Park iv /
Research and Development
Prevention Reference
Manual: Control
Technologies
Volume 1. Prevention
and Protection
Technologies for
Controlling Accidental
Releases of Air Toxics
-------�
EPA/600/8-87/039a
August 1987
PREVENTION REFERENCE MANUAL:
OONTROL TECHNOLOGIES
VOLUME 1; PREVENTION AND PROTECTION
TECHNOLOGIES FOR CONTROLLING ACCIDENTAL
RELEASES OF AIR TOXICS
by:
D.S. Davis
G.B. DeWolf
J.D. Quass
Radian Corporation
Austin. Texas 78766
Contract No. 68-02-3994
Work Assignment 62
EPA Project Officer
T. Keily Janes
Air and Energy Engineering Research Laboratory
U.S. Environmental Protection Agency
Research Triangle Park, North Carolina 27711
-U.S. Environmental Protection Agency
Reel on 5, Li>r-ar7 (^i'L-iG)
230 S. Dearborn Street, Room
, -JL 60604
AIR AND ENERGY ENGINEERING RESEARCH LABORATORY
OFFICE OF RESEARCH AND DEVELOPMENT
U.S. ENVIRONMENTAL PROTECTION AGENCY
RESEARCH TRIANGLE PARK, NC 27711
-------�
NOTICE
This document has been reviewed in accordance with
U.S. Environmental Protection Agency policy and
approved for publication. Mention of trade names
or commercial products does not constitute endorse-
ment or recommendation for use.
11
-------�
ABSTRACT
A toxic chemical release occurs when equipment breakdown or loss of
process control in a chemical process operation causes a loss of containment
of the chemicals. The probability that an accidental release will occur
depends on the extent to which deviations (in magnitude and duration) in the
process can be tolerated before a loss of chemical containment occurs.
Development of a satisfactory control system and equipment capable of
withstanding deviations from the design intent requires adherence to the
principles of sound process and physical plant design and to appropriate
procedures and management practices.
Process design and control are intimately related. Control of a process
is achieved by manipulating the variables of flow, temperature, pressure,
composition, and quantity, for deviations in these variables can cause
deviations from acceptable process conditions that would increase the
potential for a toxic chemical release. A control system can be improved by
improving the quality, specifications, and maintenance of physical components,
and by duplicating components (the principle of redundancy) where warranted.
Process changes that enhance control of the system will reduce the probability
of a chemical release. Such changes include reducing the severity of
operating conditions and modifying the basic chemistry, operations, and
equipment.
The probability that equipment will fail and cause a release of toxic
chemicals can also be reduced by considering various aspects of physical plant
design. Whereas process design involves the operating conditions of a
chemical process, physical plant design involves the hardware, the equipment
components, and their placement within a unit or plant.
111
-------�
A third way to reduce the probability of a release is to ensure that
proper management practices and personnel training procedures are maintained
from the initial research and development through the manufacture of a
chemical product. Finally, protection system technologies such as flares,
scrubbers, and enclosures offer a last line of defense against the occurrence
of accidental toxic chemical releases.
Each of these areas is discussed in terms of its relation to specific
categories of hazards, its effectiveness in reducing the probability of a
release, and the relative economics of its application.
iv
-------�
ACKNOWLEDGEMENTS
This manual was prepared under the overall guidance and direction of T.
Kelly Janes, Project Officer, with the active participation of Robert
P. Hangebrauck, William J. Rhodes, and Jane M. Crum, all of U.S. EPA. In
addition, other EPA personnel served as reviewers. Sponsorship and technical
support was also provided by Robert Antonopolis of the South Coast Air Quality
Management District of Southern California, and Michael Stenberg of the U.S.
EPA, Region 9. Radian Corporation principal contributors involved in
preparing the manual were Graham E. Harris (Program Manager), Glenn B. DeWolf
(Project Director), Daniel S. Davis, Nancy S. Gates, Jeffrey D. Quass, Miriam
Stohs, and Sharon L. Wevill. Contributions were also provided by other staff
members. Secretarial support was provided by Roberta J. Brouwer and others.
Special thanks are given to the many other people, both in government and
industry, who served on the Technical Advisory Group and as peer reviewers.
-------�
-------�
TABLE OF CONTENTS
Section
ABSTRACT iii
ACKNOWLEDGEMENTS v
TABLES x
FIGURES xi
1 INTRODUCTION 1
1.1 Fundamental Concepts 1
1.2 Organization of the Manual 5
2 PROCESS DESIGN CONSIDERATIONS 7
2.1 Control Characteristics of the Process 8
2.1.1 Process Control and Release Prevention 8
2.1.2 System Response 12
2.1.3 Control System Integrity 13
2.1.4 Control System Components 14
2.1.5 Effectiveness of Control Systems ........ 23
2.2 Process Characteristics and Chemistry 27
2.2.1 Process Materials 28
2.2.2 Process Mode 31
2.2.3 Reaction Thermodynamics 31
2.2.4 Process Control System 33
2.2.5 Process Type 33
2.2.6 Severity of Process Conditions 35
2.2.7 Process Complexity 37
2.2.8 Process Modifications 37
2.3 Flow Measurement and Control . 38
2.3.1 Flow Hazards 38
2.3.2 Technology of Flow Control 45
2.3.3 Control Effectiveness 54
2.3.4 Summary of Control Technologies 57
2.3.5 Costs 61
2.3.6 Case Example 61
2.4 Pressure Control ..... 61
2.4.1 Pressure Hazards 61
2.4.2 Technology of Pressure Control 64
2.4.3 Control Effectiveness 72
2.4.4 Summary of Control Technologies 80
2.4.5 Costs 80
2.4.6 Case Examples 84
2.5 Temperature Control 84
2.5.1 Temperatures Hazards 85
2.5.2 Technology of Temperature Control 90
2.5.3 Control Effectiveness 95
vii
-------�
TABLE OF CONTENTS (Continued)
Section Page
2.5.A Summary of Control Technologies 100
2.5.5 Costs 100
2.5.6 Case Examples 100
2.6 Quantity Control 104
2.6.1 Quantity Measurement and Control Hazards .... 104
2.6.2 Technology of Quantity Control 106
2.6.3 Control Effectiveness 110
2.6.4 Summary of Control Technologies ... 112
2.6.5 Costs 112
2.6.6 Case Example 112
2.7 Mixing 116
2.7.1 Mixing System Hazards 117
2.7.2 Technology of Mixing Control 120
2.7.3 Control Effectiveness 121
2.7.4 Summary of Control Technologies 122
2.7.5 Costs 125
2.7.6 Case Example 125
2.8 Composition Control 125
2.8.1 Hazards Associated With the Loss of Composition
Control 125
2.8.2 Technology of Composition Control 128
2.8.3 Control Effectiveness 130
2.8.4 Summary of Control Technologies 131
2.8.5 Costs 131
2.8.6 Case Examples 135
2.9 References 136
3 PHYSICAL PLANT DESIGN CONSIDERATIONS 139
3.1 Standards. Codes, and Recommended Practices 140
3.2 Siting and Layout Considerations 141
3.2.1 Siting 150
3.2.2 Layout 151
3.2.3 Storage Layout Considerations 156
3.2.4 Miscellaneous Design Considerations 157
3.3 Equipment Design Considerations .... 165
3.3.1 Materials of Construction 165
3.3.2 General Equipment Failure Modes 169
3.3.3 Vessels 173
3.3.4 Piping 186
3.3.5 Process Machinery 205
3.3.6 Instrumentation and Control System Hardware . . 215
3.4 References 221
viii
-------�
TABLE OF CONTENTS (Continued)
Section
4 PROCEDURES AND PRACTICES .. 223
4.1 Management Policy 223
4.2 Operator Training 228
4.3 Maintenance and Modification Practices 235
4.3.1 General Practices 235
4.3.2 Equipment Monitoring and Testing 239
4.3.3 Metal Thickness and Integrity Testing 240
4.3.4 Direct Corrosion Monitoring 242
4.3.5 Vibration Testing and Monitoring ... 243
4.3.6 Relief Valve Testing 244
4.4 Operating and Maintenance Manuals 244
4.5 References 251
5 PROTECTION TECHNOLOGIES 252
5.1 Flares 253
5.1.1 Process Description 253
5.1.2 Applicability 256
5.1.3 Control Effectiveness 260
5.1.4 Costs of Flare Systems 263
5.2 Scrubbers 265
5.2.1 Process Description 265
5.2.2 Applicability 267
5.2.3 Control Effectiveness 269
5.2.4 Costs 271
5.3 Enclosures 273
5.3.1 Process Description 273
5.3.2 Applicability 274
5.3.3 Control Effectiveness 275
5.3.4 Costs 276
5.4 References 276
APPENDIX A - GLOSSARY 278
APPENDIX B - METRIC CONVERSION FACTORS 283
ix
-------�
TABLES
Number Page
2-1 Failure Rates of Selected Process System Components 26
2-2 Properties of Materials to be Considered in Chemical Process
Hazard Evaluation 29
2-3 Considerations for Various Process Modes 32
2-4 Unit Processes in the Chemical Process Industries 34
2-5 Unit Operations in the Chemical Process Industries 36
2-6 Types of Checkvalves 51
2-7 Flowmeter Selection Guide 55
2-8 Typical Failure Rates of Flow Control Components 58
2-9 Major Hazard and Control Technology Summaries 59
2-10 Costs of Components Associated with Process Modifications
for Flow Systems 62
2-11 Pressure Sensing and Measuring Devices . 73
2-12 Typical Failure Rates of Pressure Control Components .... 81
2-13 Major Hazard and Control Technology Summaries 82
2-14 Costs of Components Associated with Process Modifications For
Pressure Measurement and Control Systems ..... 83
2-15 Temperature Sensor Selection Guide for Non-Severe Service
Under 932°F 96
2-16 Typical Failure Rates of Temperature Control Components ... 99
2-17 Major Hazard and Control Technology Summaries . 101
2-18 Costs of Components Associated with Process Modifications For
Temperature Measurement and Control Systems 103
2-19 Liquid Level Detector Selection Guide 109
2-20 Typical Failure Rates of Quantity Control Components .... 113
2-21 Major Quantity Related Hazards and Control Technology
Summaries 114
2-22 Costs of Components Related to Process Modifications for
Quantity Measurement and Control Systems (Excluding Flow Rate
Measurement. See Section 2.3) 115
2-23 Typical Failure Rates of Mixing System Components 123
2-24 Maj or Mixing Related Hazards and Control Technology
Summaries 124
2-25 Costs of Components Associated with Process Modifications for
Mixing Systems 126
2-26 Typical Failure Rates of Composition System Components . . . 132
2-27 Major Composition Related Hazards and Control Technology
Summaries 133
2-28 Costs of Components Associated with Process Modifications for
Composition Determination and Control 134
3-1 Some of the Major Organizations Providing Codes, Standards,
Recommended Practices, and Guidelines for Equipment for
Chemical and Allied Industry Process Plants 142
-------�
TABLES (Continued)
Number Page
3-2 Some of the Areas covered by Codes, Standards, and
Recommended Practices of Designated Organizations
(See Table 1-3 for Symbols Definitions) 144
3-3 Physical Components, Design, and Fabrication Features of
Vessels Covered by ASME Codes as Indicated 147
3-4 Galvanic Series of Metals and Alloys 180
3-5 Typical Failure Rates for Vessel Components 182
3-6 Vessel Hazards and Control Technologies 183
3-7 Design Bases for Vessel Controls ........ 184
3-8 Typical Failure Rates for Piping Components 201
3-9 Examples of Piping Hazards, Control Technologies, and Costs 202
3-10 Design Bases for Piping Controls 203
3-11 Typical Failure Rates for Process Machinery Components . . . 212
3-12 Examples of Process Machinery Hazards, Control Technologies,
and Costs 213
3-13 Design Bases for Process Machinery Controls 214
4-1 Aspects of Training Programs for Routine Process Operations 232
4-2 Examples of Questions Asked During Procedure Reviews .... 250
5-1 Important Considerations for Using Flares to Prevent Acci-
dental Chemical Releases 261
5-2 Cost Comparison of Elevated and Enclosed Ground Flaring
•Systems 264
5-3 Summary of Selected Typical Commercial Absorption
Efficiencies for Various Industrial Chemicals 270
5-4 Example of Performance Characteristics for a Packed Bed
Scrubber 272
FIGURES
1-1 The role of various accidental release control measures in
reducing the consequences of an accidental release 3
2-1 Generalized information flow for process control loop ... 10
2-2 Estimated typical program costs for our R&D effort to develop
process modifications 39
2-3 Check valve types 50
2-4 Examples of backflow through pumps 52
2-5 Typical rupture disc installation 67
2-6 Cross section of a typical pressure relief valve 70
3-1 Example guide for material selection under acidic conditions 167
5-1 Conceptual diagram of elevated flare system 254
5-2 Conceptual diagram of ground flare system 255
5-3 Three common types of scrubbers 266
xi
-------�
-------�
SECTION 1
INTRODUCTION
Accidental toxic chemical releases, fire, and explosion are the three
types of major accidents in chemical process facilities. Toxic chemical
releases may occur as the result of fire or explosion, but may also occur in
their absence.
This manual, which addresses the prevention of and protection from
accidental releases of toxic chemicals, is part of a three-part set of refer-
ence manuals whose purpose is to summarize the major concepts of release
hazard control so that the probability and consequences of accidental toxic
chemical releases can be reduced. The volumes in the series include:
Prevention Reference Manual - User's Guide
Prevention Reference Manual - Chemical Specific
Prevention Reference Manual - Control Technologies
Volume 1: Prevention and Protection Measures
Volume 2: Mitigation Measures
The PRM-Chemical Specific actually consists of a number of individual
volumes for specific chemicals.
This series of manuals is intended to assist both regulatory and industry
personnel in developing approaches to reducing accidental chemical releases
and their consequences. In addition to highlighting the various technical
aspects of the problem, the manuals also briefly address costs.
1.1 FUNDAMENTAL CONCEPTS
The purpose of preventing toxic chemical releases is to prevent harm to
the health of human beings and other life and to the environment. An acci-
-------�
dental toxic chemical release is the final event in a sequence of events
leading to the release. In the termin9logy of formalized fault tree and event
tree analyses, two of several formal methods for analyzing causes and effects
in event sequences, that are discussed in the PRM-User's Guide, an event
sequence begins with the initiating, or primary, event and passes along a
chain made possible by enabling events. The chain is broken by preventing
either the initiating event or the enabling events from occurring. Selection
of the best of several possible options that could prevent a particular
accidental toxic release depends on correctly identifying individual events
and event chains, on knowing the relative probability of the events, and on
the skill and knowledge of the individuals charged with solving the problem.
Figure 1-1 illustrates the place of prevention in the overall sequence
of an accidental chemical release. Prevention is the second barrier between
the realization of a toxic chemical release hazard and its consequences. It
follows proper identification of the hazards. Protection, reduction of the
quantity of material released, and mitigation, reduction of the magnitude of
consequences, are two additional barriers. Community response is also shown
as a barrier since community response measures can reduce the ultimate adverse
consequences of a release. Evacuation is an example of a community response
measure. Since the total prevention of an accidental release implies a zero
probability for that release, and since this can never be assured, prevention
in practice means reducing the probability of a release to within acceptable
limits. At present, such acceptable limits, which are related to acceptable
risk, are subjective and are not quantitatively defined.
Preventing accidental releases means preventing the loss of primary
containment. The three general classes of equipment that contain chemicals
are:
• Vessels;
• Piping; and
-------�
RELEASE
HAZARDS
HAZARD IDENTIFICATION
PRE - RELEASE PREVENTION
PRE - RELEASE PROTECTION
r
POST - RELEASE MITIGATION
1
COMMUNITY RESPONSE
i
r
ULTIMATE CONSEQUENCES
<
f-.
Figure 1-1. The role of various accidental release control measures in
reducing the consequences of an accidental release.
-------�
• Process machinery.
In the context of this manual, vessels include all major process equip-
ment: tanks, columns, heat exchangers, etc. Piping includes pipe lines,
valves and fittings, and instruments fitted into pipe lines. Process machin-
ery includes pumps, compressors, fans, and other such material moving equip-
ment, either rotating or reciprocating. To ensure containment, a process must
operate in proper sequence under acceptable conditions of temperature, pres-
sure, and composition. The equipment must operate within design limits
defined by specifications for pressure, temperature, externally applied me-
chanical stresses, chemical compatibility (corrosion, erosion), and within the
physical limits imposed by the process system as actually installed and
operated.
An accidental toxic chemical release can occur when there has been a
physical breakdown of equipment or a loss of process control that leads to a
breach in primary containment. Process modifications that enhance control
and/or physical process steps and procedures that reduce the probability of
equipment failure or a loss of process control will reduce the probability of
a release. The overall problem, then, requires consideration of:
• Process design;
• Physical plant design;
• Operation; and
• Supervision or management.
The first two elements address the process, its chemistry, and hardware;
the second two elements address the human factor.
-------�
1.2 ORGANIZATION OF THE MANUAL
Following this introduction. Section 1. the remainder of the manual
addresses the above elements. Section 2, which covers process design
considerations, addresess the basic functional and operational characteristics
of any chemical process system, highlights major hazards associated with
various characteristics of systems, and discusses the control measures that
reduce those hazards. These include specific approaches for preventing
deviations from intended operating conditions that could directly or
indirectly cause an accidental toxic chemical release.
Section 3 covers physical plant design and considers how inappropriate
design practices for the physical facility and its hardware contribute to
accidental chemical releases. Adhering to proper design and equipment
specifications for vessels, piping, valves, process machinery, and
instrumentation can reduce the probability of an accidental toxic chemical
release. Fundamental principles of configuration, layout and other design
considerations associated with process hardware are discussed.
Section A discusses procedures and practices such as management policies.
operator training, maintenance practices, and other topics. Some experts in
loss prevention believe that the most significant decreases in the probability
for accidental toxic chemical releases can be made in these areas.
Section 5 discusses protection systems, which include scrubbers, flares,
and secondary containment systems. These devices, which can provide an
emergency control system for process units handling some toxic chemicals,
reduce the quantity of toxic chemical reaching the environment once primary
containment has been breached.
A selection of hazard controls depends partly on the economics of their
application. Example control costs are presented in each section for various
process and equipment control technologies. These technologies involve
individual hardware and procedural components, as well as multicomponent
combinations for controlling an accidental release hazard. Since numerous
-------�
combinations of individual controls are possible, costs are presented for
individual hardware and procedural components that can be combined into a full
control system.
Since costs in this manual are intended to be a starting point for
initial planning, cost bases selected for each component are for specific
sizes and overall specifications representative of that class of component.
For example, for piping, one control option might be to use Schedule 80 rather
than Schedule 40 pipe in some process unit. Costs are presented for three
sizes of both Schedule 80 and Schedule 40 carbon steel pipe, two-inch,
four-inch, and six-inch, which are common sizes encountered in many process
plants handling toxic chemicals. While other sizes may be encountered, a
first estimate of the relative costs of changing the schedule size can be
estimated using one of these pipe sizes as an example.
The costs shown in this manual were obtained from various process plant
estimating references and are presented in 1986 dollars. For each component,
both capital and total annual costs are presented. Capital costs represent
direct installed equipment costs, exclusive of indirect costs such as engi-
neering or contractor's fees. Total annual costs include only labor where a
procedure is involved, or only maintenance and capital recovery where a
hardware component is involved. Maintenance costs for all hardware are
assumed to be a flat two percent of the direct installed equipment cost.
Capital recovery has been calculated at a 10 percent cost of capital over an
assumed 10-year component life.
Costs for various controls applied to new plants can be expected to
differ substantially from the same controls applied to existing plants. The
relative differences in costs will vary according the type of controls, but,
in general, retrofitted equipment is usually more costly than the same equip-
ment installed initially. Costs in this manual apply to new plants. Retrofit
costs can be roughly estimated as about fifty percent higher. Costs of
introducing changes in procedures and practices can also be expected to vary,
but generalizations about these costs cannot be as easily made as for equip-
ment.
6
-------�
SECTION 2
PROCESS DESIGN CONSIDERATIONS
A first step in hazard control is planning the initial process design.
This section describes the basic considerations of initial process design, as
well as subsequent process modifications, and identifies operational aspects
of a process where upset and loss of control could lead to a toxic chemical
release. Process design considerations involve several fundamental principles
applied to the process materials, process variables, and equipment. These
principles are addition, substitution, deletion, and redundancy (or duplica-
tion) . Each process chemical, operation, or piece of equipment should be
viewed in terms of how changes based on these qualities may lead to a reduc-
tion in the probability of an accidental release. For example, substitution
might involve the replacement of a toxic chemical with one less toxic.
Duplication or redundancy might involve the use of a second thermocouple to
measure a critical temperature.
Modifications, then, of fundamental process chemistry, operations, and
equipment can reduce the severity of operating conditions, the quantities of
toxic materials, the complexity of the process, and can enhance process
control. Such modifications involve a number of process components:
• Control characteristics of the process;
• Process thermodynamics and chemistry;
• Flow measurement and control;
• Pressure measurement and control;
• Temperature measurement and control;
-------�
• Quantity measurement and control;
• Mixing; and
• Composition measurement and control.
Process hazards associated with each area that can contribute to acci-
dental releases and the control measures that can reduce those hazards are
discussed in the following subsections. Such measures may include changes in
both hardware and operational procedures. Hardware changes may involve
individual equipment items or entire systems. Costs of hardware components
likely to be involved in process modifications are presented. Since process
modifications can involve combinations of components, costs are presented on a
component or subsystem basis, allowing the user of this manual to select those
components that apply to any specific modification for which the user wants an
approximate estimate of costs.
2.1 CONTROL CHARACTERISTICS OF THE PROCESS
Good process control, including the interaction of human operators with
the process system, is basic to successful process operations. Process
control is achieved by manipulating the variables of flow, temperature,
pressure, composition, and quantity.
2.1.1 Process Control and Release Prevention
Adequate control of the process is fundamental to accidental release
prevention, since loss of control might begin or propagate the sequence of
events leading to loss of containment and accidental release. Loss of con-
tainment through loss of control occurs when some process variable exceeds the
physical limits of the containment system. Equipment failure, operational
failure, or both can cause loss of control. The interaction of human oper-
ators with the process is not explicitly addressed here, but certain aspects
of the human factors, such as operator training, are discussed in Section 4.
-------�
Process control means maintaining process variables within prescribed
limits. Process variables are either controlled directly or indirectly. Some
indirectly controlled variables are maintained through control system action
on directly controlled or manipulated variables. The physical characteristics
of a process unit, the process chemicals, and the operating conditions deter-
mine the control characteristics of the particular system.
The following essential functions'of a process control system may be
modified to enhance control and reduce the probability of accidental releases:
• Measurement;
• Normal control; and
• Emergency or protective control.
These functions of a control system are the same whether manual* analog,
or computer control is used. In any control system, the conceptual component
configuration for controlling a variable is as shown in Figure 2-1. The
connecting arrows indicate information flows between components. The dotted
lines indicate that both direct or indirect measurement and control of vari-
ables is encountered in process systems. A sensor for the measurement device
monitoring the measured variable transmits its signal to a controller, where a
comparison or decision is made relative to specified process conditions. A
signal is then sent from the controller to the actuator of a final control
element, which adjusts the manipulated variable. In chemical process systems
the most common manipulated variable is flow and the most common final control
element is the actuator/control valve. The actuator is the device that
physically operates the valve. The manipulated variable controls change in
the measured variable. For example, a temperature might be the measured
variable and flow of a cooling medium might be the manipulated variable. In
some situations, the measured and manipulated variable may be the same: the
flow rate of a fluid stream, for example. In a completely manual system, a
human operator responds to a measurement and acts as both the controller and
-------�
Measured
Variable
Sensor/
Transmitter
Controller
Manipulated
Variable
Final
Control
Element
Figure 2-1. Generalized information flow for process control loop,
10
-------�
actuator of the final control element. In an analog system the response
occurs through electrical, electronic and/or mechanical components. A com-
puter system combines the components of an analog system with the capabilities
of logic and computations software algorithms.
The primary variables for any chemical process unit are:
• Flow;
• Pressure;
• Temperature;
• Composition; and
• Quantity.
Typically, these variables are all controlled by manipulating the flow of
some process stream.
The specified value of the controlled variable in the process system is
referred to as its set-point. Deviations from this set-point can occur in
response to various influences known as process loads.
Process loads may arise from disturbances in the following:
• Feed stream quality and rates;
• Service stream (e.g. steam, cooling water) quality and
rates;
• Product stream quality and rates (especially where there
is recycle);
• Equipment malfunctions;
11
-------�
• Process operating conditions;
• Ambient conditions; and
• Material properties and behavior.
Deviations in variables can cause deviations in the process. Deviations from
acceptable conditions are the fundamental source of process hazards. A valve
that is open when it should be closed or an overpressure leading to equipment
failure or emergency venting are two examples of direct causes of accidental
releases. The specific role of primary variables in process hazards is
explored further in Sections 2.3 through 2.8. Certain additional general
concepts of process control as they relate to hazard reduction are discussed
below.
2.1.2 System Response
The overall control characteristics of a process depend on the response
characteristics of both the process being controlled and on the control system
itself. The response characteristics of a process are known as the process
dynamics. The interaction of a control system with a process creates a new
set of dynamic responses that may differ from the dynamic responses of the
process alone. A key concept of process control and dynamics is that any
corrective action taken will not result in an instantaneous response and might
not result in the return of a deviating variable to its set point. The
response of a system to a control action can result in a continued deviation,
both "in terms of duration and magnitude, or to new deviations, if a control
system is not properly designed. Either the duration or magnitude of devia-
tion may lead directly or indirectly to a loss of containment and to an
accidental release. The relationship between deviations and specific causes
of events leading to releases is the primary theme throughout other parts of
this manual.
12
-------�
Any assessment of the probability of an accidental chemical release
depends, therefore, on the extent to which deviations in magnitude and dura-
tion can be tolerated before a loss of containment occurs. Once this is
known, the limits of control are defined, and appropriate initial design or
modifications that enhance control can be undertaken.
2.1.3 Control System Integrity
The success of process control depends on the integrity of the control
system. Integrity means that the control strategies and hardware are
adequate, reliable, for the job at hand. Judging the adequacy of a control
system requires examination of its components and specifications. An
evaluation cannot fully determine adequacy, in terms of controller settings
and response to system upsets, without understanding the intent of the basis
for design, the design, or observing the control system in operation under
actual process upset conditions. Partial insight can be achieved by examining
the control system configuration on a piping and instrumentation diagram, the
actual hardware used, by discussions with personnel familiar with operating
the process, and by formal methods of hazard identification and evaluation
such as hazard and operability studies and fault tree analysis, among others.
Such methods should be used in control system design (1). From these
approaches the control system's adequacy may be inferred.
If control strategy is correct, any increase in the reliability of a
control system depends on improving the quality, specifications, and mainten-
ance of the physical components, and on duplication of (redundancy) components
where the potential hazard warrants. This may ultimately be a subjective
decision; no specific criteria can be given here for that decision. The formal
hazard evaluation method mentioned earlier can be a guide, however. For
example, duplication could be applied to an entire loop, or only to the
components most likely to fail. This judgement must be made on a case-by-case
basis.
13
-------�
High points in design philosophy have been well-stated by one author (1).
There should be a clear design philosophy and proper performance and reli-
ability specifications for the control and instrumentation. The design
philosophy should deal with, among other things, the characteristics of the
process and of the disturbances to which it is subject, the constraints within
which the plant must operate, the definition of the functions which the
control system has to perform, the allocation of these between the automatic
equipment and the process operator, the requirements of the operator and the
administration of fault conditions. The philosophy and specification should
cover measurements, displays, alarms, control loops; protective systems;
interlocks; special valves (e.g., pressure relief, non-return, emergency
isolation); the special-purpose equipment; and the process computer(s).
A process that appears to require a complex control system should be
re-examined to determine process changes that would reduce the complexity.
The control system as a whole and the individual instruments should have
the turn-down capabilities necessary to maintain good measurement and control
at low throughputs.
Transient situations, such as startup, shutdown, and restarting after a
trip or restarting an agitator, tend to be particularly hazardous.
2.1.4 Control System Components
Major control system components discussed in this section include:
• Sensing and measurement;
• Controllers;
• Final control elements;
• Switches and alarms;
14
-------�
• Emergency shutdown and interlock systems; and
• Computer control.
Certain aspects of control systems are general to the system as a whole
or apply to all kinds of instrumentation used. Some important aspects are
(1):
1. The control loops should have fail-safe action as far as possible.
particularly on loss of instrument air or electrical power to the
control valves. The action for other equipment should also be
fail-safe where applicable. Control that adds material or energy
should receive special consideration for integrity.
2. The ways in which common cause failure can occur and the ways in
which the instrument designer's intentions may be frustrated should
be carefully considered.
3. Instrumentation which is intended to deal with a fault should not be
disabled by the fault itself. And if the process operator has to
manipulate the instrumentation during the fault, he should not be
prevented from doing so by the conditions arising from the fault.
4. The instrument system should be checked regularly and faults re-
paired promptly. It should not be allowed to deteriorate, even
though the process operator compensates for this. The process
operator should be trained not to accept instrumentation unrepaired
over long periods.
5. Ease of detection of instrument faults should be an objective in the
design of the instrument system. The process operator should be
trained to regard detection of malfunction in instruments as an
integral part of his job.
15
-------�
6. Instruments which are required to operate only under fault condi-
tions, and which may therefore have an unrevealed fault, require
special consideration.
7. Important- instruments should be checked regularly. The proof test
interval should be determined from a reliability assessment where
possible. The checks should include measurements, alarms, control
loops, etc.
8. Tests should correspond as nearly as possible to the expected plant
conditions. It should be borne in mind that an instrument may pass
a workshop test, but still not perform satisfactorily in the plant.
9. Valves, whether control or isolation valves, can leak even when
closed. Control valves in particular may not give a tight shutoff.
More positive isolation may require measures such as double block
and bleed valves.
10. Valves, particularly control valves, also tend to stick, giving rise
to conditions that do not always emerge from simple applications of
the fail-safe philosophy. Two dangerous conditions are a feed valve
jamming in an open position, or a cooling water valve jamming in a
closed condition.
11. Practices which process operators tend to develop in their use of
the instrumentation should be borne in mind, so that these practices
do not invalidate the assumptions made in the reliability
assessments.
12. The possibility of human error should be fully taken into account.
The reliability of the process operator should be assessed quanti-
tatively where possible. Human factor principles should be applied
to reduce human error.
16
-------�
It is also necessary to pay careful attention to the details of the indi-
vidual instruments used (1). Some important features are:
1. Instruments are a potential source of failure, either through a
functional fault on the instrument or through a loss of containment
at the instrument.
2. Use of inappropriate materials of construction can lead to both
kinds of failure. Materials should be checked carefully in relation
to the application, bearing in mind the possible impurities in the
bulk chemicals. It should be remembered that the instrument
supplier usually has only a very general idea of the application.
3. Instruments containing glass, such as sight glasses or rotameters,
can break and give rise to serious leaks and should be avoided,
where possible, with toxic chemicals.
4. Instruments may need protection against the corrosiveness of the
process fluid. Examples of protection are the use of inert liquids
in the connecting lines on pressure transmitters or of chemical
diaphragm seals on pressure gauges.
5. Sampling and connecting lines should be given careful attention.
Purge systems are often used to overcome blockage in sampling and
connecting lines. Freezing is another common problem, which can be
overcome by the use of steam or electrical heat tracing.
6. Temperature measuring elements should not normally be installed
bare, but should be protected by a thermowell. A thermowell is
frequently exposed to quite severe conditions, such as
erosion/corrosion or vibration and should be carefully designed.
7. Pulsating flow is a problem in flowmeters such as orifice plate
devices and can give rise to serious inaccuracies. This is a good
example of a situation where duplication of identical instruments is
no help.
17
-------�
8. Pressure transmitters and regulators are easily damaged by over-
pressure.
9. Complex instrunents such as analyzers, speed controllers, vibration
monitors and solids weighers are generally less reliable than other
instruments. This requires not only that such instruments receive
special attention, but that the consequences of failure be analyzed
with particular care.
10. Different types of pressure regulator are often confused, with
perhaps a pressure reducing valve being used instead of a non-return
valve or vice versa. It is specially necessary with these devices
to check that the right one has been used. Also, bypasses should
not be installed across pressure regulators.
11. Selection of control valves is very important. A control valve
should have not only the right nominal capacity but also appropriate
rangeability and control characteristics. It should have any
fail-safe features required, which may include not only action on
loss of power but also a suitable limit to flow when fully open. It
should have any necessary temperature protection (e.g. cooling
fins). Bellows seals may need to be provided to prevent leaks. The
valve should have a proper mechanical balance for the application,
so that it is capable of shutting off against the process pressure.
It should be borne in mind that any valve, but particularly a
control valve, may not give completely tight shutoff, and also that
a badly adjusted valve positioner can prevent shutoff.
12. Instruments should not be potential sources of ignition and should
conform with the electrical area classification requirements.
A further discussion of the loss prevention aspects of control and instrument
systems is given by Hix (2).
18
-------�
Sensing and Measurement—
Sensing and measuring both controlled and manipulated variables is
fundamental to the proper operation of any control system. A wide variety of
instrument types and vendors is available. Sensing and measuring devices
include devices for normal process control, as well as trips and alarms for
emergencies, and monitoring and detecting equipment for impending equipment
failure and chemical leakage. Once a process system is constructed, its
successful operation depends on the effectiveness of the sensing and measuring
devices on which process control decisions are based.
Components for this function of the control system vary in sensitivity.
range, accuracy, and reliability. Component selection must consider the
severity of operating conditions, including chemical attack.
The variable of interest should always be measured directly where pos-
sible, rather than being inferred from some other measurement. The measure-
ment should be made at the right location. If the variable is critical for
process safety, the same measurement should not be used for control and for an
alarm or trip.
Controllers—
The controller is the decision-making and command component of a process
control system. The controller receives information from the process sensing
and measuring equipment, compares this information with its set point, and
takes appropriate action to minimize deviations. In a manual system, the
human operator acts on the information. In a computer-supervised control
system a computer acts on the information. Traditional analog control systems
operate between these extremes.
Controllers come in a variety of types and operate in any or in all three
common control modes: proportional, integral, and derivative; or in other
specialized modes. Details of such features are beyond the scope of this
manual but are widely discussed in the literature of process control (e.g..
19
-------�
References 3. A, 5). Pneumatic controllers have been available for many years
and are still in wide use. Electronic controllers have grown in popularity
over the years and include traditional analog electronic controllers as well
as newer digital types.
The numerous changes in controller technology in recent years have
created opportunities for both increased safety and hazards. Opportunities
for safety exist because of the versatility, accuracy, and response capabil-
i
ities of the newer generation of controllers. Opportunities for hazard result
from the large number of available control systems, making inappropriate
selection, application, installation and operation a greater possibility than
before. Proper controller selection is an important step in accidental
release prevention.
Final Control Elements—
A process control loop is completed with the final control element. In
most cases this is a fluid control valve. In other cases it may be another
device, an electric heater, for example. Again, many types and vendors exist.
For a control valve, proper sizing, trim, and actuator selection are critical
in selection since these factors determine how well the valve will perform its
control function under both normal and abnormal operating conditions.
Switches and Alarms—
Switches and alarms are important devices for process upset and emergency
conditions. Alarms are devices that warn of an impending or existing abnormal
process condition; switches are action devices that divert a flow, close a
valve, or perform some other emergency function such as tripping an alarm.
Necessary characteristics are sensitivity to the condition being monitored and
hardiness in hostile environments, especially because such devices are typi-
cally used only intermittently.
The most common of these devices respond to pressure, flow, level, and
temperature. Details are described in the sections of this manual specific to
20
-------�
each of these process variables; but certain general features are discussed
here.
Switches may be indicating or non-indicating. An indicating switch has a
scale readout that allows the process operator to make changes in the switch's
set-point. A non-indicating switch is not adjustable by the process operator.
This type may be appropriate in a process where the switch's function is
crucial in controlling the potential for an accidental release and undocu-
mented changes in the settings are to be avoided. The danger with this type,
however, is that if process conditions are changed, the switch setting may
also have to be changed, but there is no indication of the switch setting to
verify that the necessary change has been made.
A switch should be applied to the parameter showing the most significant
change for the condition to be alarmed to enhance switch sensitivity. For
example, pressure switches are sometimes used in pump discharge systems to
indicate a pump failure, or to start a spare pump. However, with a low-head
pump system, the difference in pressure between the shutoff setting and
operating pressure may be small, making switch operation unreliable. The
change in flow rate between normal operation and shutoff condition may be
significant, making a flow switch the better choice. Switches differ in their
susceptibility to damage from overrange. This should be considered when
selecting a switch for a process prone to overrange upsets.
The philosophy of the alarm system should relate the variables alarmed.
the number, types and degrees of alarm, and the alarm displays and priorities
to factors such as instrument failure and operator confidence, the information
load on the operator, the distinction between emergency alarms and mere status
indications, and the action the operator should take.
Emergency Shutdown and Interlock Systems—
These systems may use a combination of many instrument components to
achieve a safe process shutdown condition. Their success depends on proper
21
-------�
design and operating strategy, as well as on the proper selection of system
hardware. An emergency shutdown system is used primarily for the shutdown of
process equipment and for the operation of block, dump, and control valves.
An interlock system presents a change in the operation of a pump, valve, or
other equipment unless certain conditions are met. In the design of these
systems, redundant components and circuits are normally recommended since
these systems are safety systems and high reliability is a fundamental re-
quirement. This is especially important in the temperature and level control
of exothermic reactions or when heat sensitive materials are handled.
Instrument Air and Electrical Backup Systems—
Backup instrument air or electrical systems also should be provided for
these systems. The backup electrical system for instruments and control may
be part of the same system for general electrical backup, or it may be an
independent system. Overall electrical backup can be achieved with
diesel-generator sets. Sometimes the needs of critical process control
instrumentation are best met by localized battery backup. These systems are
often supplied as part of standard control instrumentation packages when the
latter are purchased as a complete system, but can also be provided as pack-
ages for individual control loops, if required.
Where pneumatic systems are used, backup instrument air supplies may be
system-wide or local. System—wide backup may require tying a main compressor
into both the basic plant power supply and into the plant electrical backup
system to ensure compressor availability during power outages. Another
approach is to provide a large inventory of compressed air storage sufficient
tTo bring a process system to a safe shutdown. Sometimes backup is provided by
tying the instrument air into a liquid nitrogen system so that the nitrogen
can be substituted for air on an emergency basis. Local backup of instrument
air can be achieved by having a portable cylinder or emergency tank of either
compressed air or nitrogen tied into the instrument air system for emergency
use.
22
-------�
Computer Control—
The application of computer- and microprocessor-based control has in-
creased rapidly over the last decade. There are at least two fundamental
reasons for such growth: 1) reduced costs and a simultaneous increase in
capability, and 2) hardware developments that permit more effective automated
distributed control. An example of the former is the advent of microcomputers
that offer a small operation true computer control for the first time. An
example of the latter is the "smart" controller, a stand-alone controller that
can be programmed for its various control functions and settings. A discus-
sion of many more specific developments, including the use of coaxial cables
to replace multiple cable runs between parts of a control system and a central
computer, video screens to replace individual meters and displays in control
rooms, and other such developments, is beyond the scope of this manual, but
the reader may find ample information in the many books on process control and
in technical periodicals (e.g., References 6 and 7).
The new instrumentation and control technologies offer an increase in the
quality and quantity of data that can be handled at a given tine. Two very
desirable features are that priority scanning and rate of change monitoring
can be employed. Such systems free the human operator from many routine and
complex monitoring and evaluation functions, allowing him to focus on critical
process deviations or upsets. Sequencing and the automatic shutdown features
of such systems can make the system freer from operator error.
When computer systems are used, the ability to revert to manual control
or ordinary analog control may be desirable in many processes for safety
reasons. Such backup systems may be provided for the most critical parts of
processes handling toxic chemicals.
2.1.5 Effectiveness of Control Systems
The effectiveness of a process control system is its ability to minimize
the magnitude and duration of deviations in process variables. Maintenance of
23
-------�
process variables at or near the set point is accomplished by direct manipula-
tion of the flow of mass or energy into or out of the process unit. These
manipulations alter the values of other variables. Loss of control, which can
initiate the chain of events leading to an accidental release, can occur when
manipulations fail in sequence, time of application, or magnitude. A funda-
mental loss of control can occur from a failure of components in the control
system, including physical components and human error, or from faulty logical
design of the control system. This latter failure is most likely to occur
when deviations lead the control system to operate near or beyond the extremes
of its design capabilities, in which case the design fault may be relative to
the range of applicability rather than absolute. Proper design of the system
and proper selection of individual components are therefore essential to
ensure control system reliability and effectiveness.
The effectiveness of process control depends on the following key items:
• There are a limited number of fundamental manipulated
variables for controlling any chemical process system.
• The controllability of a process depends on the interac-
tion of both the process control system and the dynamics
of the specific process.
• Critical variables should be measured directly. For
example, a pressure indication should not be used as an
indirect indication of temperature in an exothermic
chemical reaction.
• The control system must be compatible with the level of
training and skill of both operating and maintenance
personnel.
24
-------�
• Duplication or redundancy of individual system components
can increase the reliability of individual parts of the
system.
• A redundant component must be completely independent of
its duplicate.
• A definitive evaluation of process control for the criti-
cal variables in a process once a system has been in-
stalled is not easily accomplished by an evaluator and a
judgement of its reliability must be inferred from limited
information.
The reliability of the components that make up any control system has
been studied for many common process equipment and instrumentation components
(1, 8). One measure of reliability is the mean time between failures (KTBF),
or the failure rate or frequency, the number of failures that occur per unit
of time. Table 2-1 presents some values for selected components. Additional
values are presented in other sections of this manual for specific equipment
items. Such values can be used in conjunction with standard methods of
quantitative systems analysis, fault tree analysis for example, to estimate
overall system reliability.
Changes in control strategy or control system hardware may be an appro-
priate process modification to reduce the probability of a failure leading to
an accidental toxic chemical release. However, a secondary hazard can be
introduced if the effects of the changes on the process and its operation are
not carefully reviewed beforehand. For example, although more sophisticated
instrumentation and control schemes may be desirable in theory, in practice a
lack of adequately trained or skilled operating or maintenance personnel may
make such systems more hazardous. Direct process effects may include unfore-
seen changes in process dynamics.
25
-------�
TABLE 2-1. FAILURE RATES OF SELECTED PROCESS SYSTEM COMPONENTS
Failure Rate
Component (faults/yr)
Control valve 0.25 - 0.60
Differential pressure transmitter 0.76 - 1.73
Variable area flowmeter transmitter 0.68 - 1.01
Thermocouple 0.088 - 0.52
Pneumatic controller 0.29 - 0.38
Source: Adapted from Reference 1. More detailed information may be found
in Reference 8 and other sources.
The following performance criteria should be considered when selecting
components for process control systems:
• Mechanical or electrical;
• Range;
• Accuracy (repeatability);
• Precision;
• Operating environment and materials of construction;
• Sensitivity; and
• Ability to withstand excursions from specifications or
operating conditions.
In summary, the process control system, which is understood to mean both
the human operator and the control hardware, must be one of the key elements
26
-------�
examined as a possible basis for process modifications to a process system.
The specific modifications required must be made on a case-by-case basis but,
in general, should be directed toward increasing the reliability and respon-
siveness of the control system to deviations and corrective actions for those
variables most critical in preventing a loss of control. In the sections that
follow, some of the specific fundamental principles of a chemical process, and
pertinent process variables are explored in the context of possible process
changes that could achieve the above objectives.
2.2 PROCESS CHARACTERISTICS AND CHEMISTRY
Numerous formal hazard identification and evaluation procedures are
available which include examining chemical process characteristics and
chemistry, as summarized in the PRM-TJser's Guide, that are amply discussed in
the technical literature (9, 10). Fundamental process changes can often
reduce inherent hazards by reducing in-process inventories of toxic materials
and by reducing the severity of operating conditions. Some factors important
in examining chemical processes for potential hazards are (1, 11):
• Inventory - the quantity of hazardous material in the
process;
• Energy content - the inherent energy content specific
chemical species as well as process temperature and
pressure conditions;
• Time factor - maximum rate of a potential release, and
warning time available for emergency counter measures;
* Substitutability - whether a less hazardous material can
be substituted, or whether a substitution may result in
less severe operating conditions; and
27
-------�
• Complexity - the number and kinds of process steps; the
operational sophistication required for the process.
Hazard reduction through changes in these broad process characteristics
involve other factors discussed below.
2.2.1 Process Materials
Evaluation of the properties of the materials in the process must in-
clude:
• Raw materials;
• In-process materials, such as reaction intermediates; and
• Product materials and process wastes.
The more known about all the materials in a process the better, but in
practice, all potentially significant properties and even the identity of some
intermediate process materials may not be known. Table 2-2 lists properties
of significance for process hazards (12). For release prevention, the
properties of toxic materials that should always be known are:
• Boiling point;
• Vapor pressure at ambient and process conditions;
• Specific heat;
• Heat of vaporization;
• Acute toxicity;
• Corrosiveness and reactivity properties;
28
-------�
TABLE 2-2. PROPERTIES OF MATERIALS TO BE CONSIDERED IN CHEMICAL
PROCESS HAZARD EVALUATION
GENERAL INFORMATION REQUIRED
Corrosivity
Purity (Specifications of Grade
Used)
Formula (Chemical Structure)
Contamination Factors
(Incompatibility)
Quantity of Material Anticipated
Color
Hygroscopicity
Molecular Weight
Appearance
Odor
Physical State
Solubility
Synonyms
FLAMMABILITY INFORMATION REQUIRED
Flash Point
Fire Point
Flammable Limits
Specific Gravity
Vapor Density
Vapor Pressure
Heat of Vaporization
Boiling Point
Ignition Temperature,
Autoignition Temperature
Spontaneous Heating
Dielectric Constant (Static
Hazard)
Melting Point
Flow Point
Percent Volatiles
Extinguishing Media
Special Fire Fighting Procedures
Unusual Fire and Explosion Hazard
Gases Released During
Decomposition
Heat of Fusion
REACTIVITY (INSTABILITY)
INFORMATION REQUIRED
Differential Thermal Analysis (DTA)
Impact Test
Thermal Stability
Detonation with Blasting Cap
Drop Weight Test
Thermal Decomposition Test
Lead Block Test
Influence Test
Self Acceleration Decomposition
Temperature
Card Gap Test
Thermal Stability (Under
confinement) JANAF
Critical Diameter
Limiting Oxygen Value
Hazardous Decomposition Products
Incompatibility
Conditions Contributing to
Hazardous Polymerization
Conditions Contributing to
Instability
Shock/Friction Sensitivity
Decomposition Temperature
Specific Heat
Gas Evolution
Adiabatic Temperature Rise
Heat of Reaction
Source: Reference 12.
29
-------�
• Flammability; and
• Explosive limits.
The boiling point defines the physical state of the material in the
process, whether it is a liquid or gas at ambient and process conditions, for
example. The vapor pressure defines the volatility of the material when it is
below its boiling point, and how much pressure buildup might be expected from
overheating below the boiling point. The specific heat and heat of vaporiza-
tion allow estimation of volatilization rates when the release occurs as a
liquid.
Toxicity data alerts the designer, operator, or evaluator of a chemical
process facility to what materials are most hazardous to health, and suggests
where to focus attention when taking measures for release prevention.
Parameters that should be considered include the IDLH, LC50, and others
defined in standard chemical toxicity references.
Toxic materials that are also corrosive require extra care in specifica-
tion of materials of construction and also in monitoring equipment conditions.
Corrosive materials that are not the primary toxic materials in a process are
also important; however, when they are involved in processes where toxics are
present. Corrosion can contribute to equipment failure and to a toxic
chemical release.
Unrecognized reactivity in a process can cause a release hazard. If
certain materials are accidentally mixed, or unexpected contamination occurs,
a runaway thermal reaction or violent evolution of gases can result. Both may
cause overpressure or spillage of a toxic chemical.
Flammability and explosive limits are important because fires and
explosions can cause an accidental release as well as be caused by a release
of a flammable material. A small leak could result in a major release if
ignited.
30
-------�
Other properties may be significant for other reasons. One example is
density. In a two-phase non-miscible liquid system, the denser liquid will
settle out in vessels and tanks if agitation is not provided. Another example
is viscosity, which can be a significant variable affecting process behavior
in flow, heat transfer, and mixing parts of a process. A special situation
where this might contribute to a hazard is a loss of temperature control where
emergency cooling might not respond as rapidly as expected because a viscous
layer near a cool heat transfer surface reduced the heat transfer coefficient
to a lower value than anticipated in the original process design. These are
only some examples. Evaluation of process materials may have to take into
account properties beyond those that at first appear obvious.
2.2.2 Process Mode
The mode of process operation can affect the safety of a process. Three
basic modes of process operation are: 1) batch, 2) semibatch, and 3) contin-
uous operation. Table 2-3 lists some considerations that apply to each of
these modes.
2.2.3 Reaction Thermodynamics
The fundamental thermodynamic characteristic of concern for reaction
safety is the exothermicity of a reaction. This is the direction and rate of
energy release. An exothermic reaction releases heat and an endothermic
reaction absorbs heat. Exothermic reactions are usually of concern because
they can lead to thermal runaway reactions and the attendant adverse
consequences. The hazard of a specific exothermic reaction depends on both
the magnitude of the heat of reaction and on the rate at which the heat is
released or absorbed. The magnitude is determined primarily by the specific
reaction and by the quantities of chemicals involved. The rate depends on
these variables as well as on the temperature at which the reaction takes
place. The primary process consideration when exothermic reactions are
present is provision of adequate cooling. Temperature control is discussed
more completely in Section 2.5.
31
-------�
TABLE 2-3. CONSIDERATIONS FOR VARIOUS PROCESS MODES
Residence Time
Feed System
Startup - Shutdown
In-process Inventory*
System Response
Temperature
Pressure
Composition
Flow
Fluid Dynamic Stability
Batch
Long
Intermittent -
short duration
Frequent
Large
Slow
Fast
Fast
Not applicable
Stable
Semibatch
Long
Intermittent -
long duration
Frequent
Large
Slow
Fast
Fast
Long
Stable
Continuous
Short
Continuous -
long duration
Infrequent
Small
Fast
Fast
Slow
Fast
Subject to
Fluctuation
*At same annual throughput rate.
32
-------�
Endothermic reactions are not as hazardous as exothermic reactions, but
do carry some hazard potential. Systems with endothermic reactions require
heating. The hazard lies in the potential failure of the heating system in a
way that would result in too much heat input to the process. This could cause
overpressure through flashing, boiling, or expansion, and weaken or damage
equipment.
2.2.4 Process Control System
Some fundamental concepts of control systems were discussed in Section
2.1. Types of control systems include:
• All manual,
• Manual/analog,
• Automatic/analog, and
• Automatic/digital, and
• Computer control.
The type of system used must be appropriate to the process. In general,
reliability increases with sophistication, assuming proper design and
installation.
2.2.5 Process Type
The type of process is characterized in terms of unit processes and
operations. Certain unit processes and unit operations may be inherently more
hazardous than others. The basic unit processes that make up most of the
chemical industry have been defined in a classic work by Groggins (13) and
more recently in a comprehensive study (14). Unit processes defined by the
latter are presented in Table 2-4. Recognizing the class into which a process
fits will highlight the specific hazard features associated with that class.
33
-------�
TABLE 2-4. UNIT PROCESSES IN THE CHEMICAL PROCESS INDUSTRIES
Acylation
Alkaline Fusion
Alky1ation
Amination
Aromatization
Calcination
Carboxylation
Caustization
Chlorination
Combustion
Condensation
Coupling
Cracking
Diazotization
Double Decomposition
Electrolysis
Esterification
Fermentation
Halogenation
Hydration
Hydrocracking
Hydroforming
Hydrogenation
Hydrolysis
Ion Exchange
Neutralization
Isomerization
Nitration
Oxidation-Reduction
Polymerization
Pyrolysis
Reforming
Sulfonation
34
-------�
The most common unit operations of chemical engineering are listed in
Table 2-5. Again, certain operations that may inherently be more hazardous
than others can be considered for substitution in process modification.
2.2.6 Severity of Process Conditions
The severity of process conditions is defined by the levels of pressure
and temperature for each step of the overall process, in reactors as well as
separation equipment. The effects of pressure and temperature from a process
hazard perspective are discussed in Sections 2.4 and 2.5. In general, the
higher these variables, the more hazardous the process and the greater the
accidental release potential. Pressures in excess of 1,000 psig may be
considered extreme. Pressures above 400 psig and temperatures above 500°F may
be considered high.
While severity is usually interpreted in terms of high pressure and
temperature, extremely low conditions can also be hazardous. As discussed in
Sections 2.4 and 2.5, these conditions require special precautions in design
and operations. Conditions near ambient pressures and temperatures generally
will result in safer operation than temperatures and pressures either much
above or below ambient. Since operating conditions are usually determined by
the fundamental chemistry of the process, changes in these conditions will
require research into the corresponding changes in process chemistry.
Important factors include the physical states of reactants, products and rate
processes, fundamental reaction kinetics and rates of mass transfer. These
factors of the process can be examined to determine where changes might reduce
severity.
The history of methanol synthesis is an example of a situation where
changes in the fundamental process reduced the severity of operating condi-
tions. For many years the synthesis of methanol required high temperature and
very high pressure. Research resulted in fundamental change to a new process
that allows methanol to be synthesized at much lower temperatures and
pressures (15); thus operation hazards were reduced.
35
-------�
TABLE 2-5. UNIT OPERATIONS IN THE CHEMICAL PROCESS INDUSTRIES
Absorption
Adsorption
Agglomeration
Centrifugation
Crystallization
Deionization
Desorption
Distillation
Drying
Evaporation
Extraction
Filtration
Heat Transfer
Leaching
Mixing
Membrane Transport
Size Reduction
Sublimation
Fluids Transport
Solids Transport
36
-------�
2.2.7 Process Complexity
Process complexity is characterized by the number of unit operations,
streams, and variables that must be monitored and controlled in a process. In
general, increased complexity increases the process hazard by creating more
opportunities for unforeseen process interactions and more opportunity for
errors in design, construction, and operation. Process complexity can be
roughly estimated by considering the number of equipment items and the number
of chemicals involved. A special consideration is how much recycling of
process streams is in the process.
2.2.8 Process Modifications
Potential process modifications include any changes in the previously
discussed areas that could reduce the toxicity, severity, sensitivity, or
complexity of the process. Such modifications are limited by the fundamental
constraints of process chemistry. The number and extent of possible modifica-
tions is probably greater the earlier in the development of a process they are
made. An existing process offers less opportunity for fundamental change than
a new process, but even here a change of catalyst, for example, might result
in less severe, hence less hazardous, operating conditions.
The effects of modifications on traditional process costs will be process
and plant specific. The effects will depend on equipment and operational
features of the modified process. Though such costs cannot be estimated
generically, some insight about the potential research and development costs
of modifications can be gained by talking with technical and managerial
personnel. It has been estimated that it costs about $150,000/year to main-
tain the average technical person in a large corporate environment. This
translates into about $75/hour of researcher time. If it is assumed that this
reflects the cost of the average technical professional/managerial person who
would be involved in a program to modify the basic process characteristics and
chemistry, the costs of such a program can be estimated from estimated levels
37
-------�
of effort for the program. Figure 2-2 presents a range of costs for such
programs based on average staff level commitment and program duration. Though
these costs exclude lost production while modifications are being made or the
capital investment required to physically modify a chemical process system,
they illustrate order of magnitude costs that show that fundamental process
modifications for process safety may equal the cost of new product/ process
development and implementation.
Assume that a typical chemical product may take 5 or more years of effort
and $10.000,000 to bring to market, excluding marketing costs. If a
modification required only 10% of that effort, costs would be on the order of
$1.000,000.
2.3 FLOW IflEASUREMENT AND CONTROL
Flow measurement and control of both primary process fluids and service
fluids such as steam, air, nitrogen, and heating and cooling media is at the
heart of all process system operations. This section explores the role of
fluid flow in process events that may lead to accidental toxic chemical
releases, and flow hazard controls.
2.3.1 Flow Hazards
Process hazards associated with flow involve deviations that cause the
flow to be too low, too high, reversed, or fluctuating. Flow changes may be
caused by pressure changes in some prime mover for a fluid, or by changes in
the resistance to flow in piping or other equipment. Special hazardous
consequences of flow deviations can be identified for various individual
equipment items and processes. Some consequences are obvious, while others
are not. Some causes and hazards of loss of flow control are discussed below.
38
-------�
4000
1000
o
o
o
0)
o
o
1-1
00
o
t-l
Pu
a
-3
OS
100 rfc
12
18 24 30
Program Duration, months
36
42
Figure 2-2. Estimated typical program costs for our R&D effort to
develop process modifications.
39
-------�
Low Flow—
Flow can be interrupted or reduced by factors related to the process.
equipment, or operations. These factors may act independently or in combina-
tion and include:
• Blockage;
• Vapor lock;
• Cavitation in pumps;
• Mechanical failures of prime movers; and
• Leakage.
Blockage can occur from physical obstructions such as dirt, tramp materi-
als in a line, or deposits which build up over time. These include products
of corrosion and erosion. Polymerizable fluids may cause blockage or restric-
tions to flow. Freezeup is another possibility with some materials.
Certain equipment especially prone to blockage includes all piping,
especially small diameter piping and tubing, heat exchangers, packed beds, and
filters. Support screens and perforated plates in process equipment are also
prone to blockage. Control valves, which usually have orifices much smaller
than line size, are especially prone to restrictions and blockage, as are
orifices in differential pressure flow sensors. Control valves, being
automatic devices, can sometimes jam in a full or partially closed position,
due to such conditions as dirt buildup on the stem, or mechanical failure of
the activator.
Vapor lock can occur when a gas or vapor collects in a line or other
process equipment space so that the vapor pressure exceeds the available
pressure head available for flow. Liquid flow through the line or equipment
may be restricted or stopped.
40
-------�
Cavitation in pumping equipment can occur when a liquid near its boiling
point or contains a dissolved gas. If the suction pressure to a pump falls
low enough, the dissolved gas may be suddenly released or the liquid may boil,
trapping a vapor bubble in the pump that causes the pump to lose suction and
flow.
Mechanical failures in prime movers, such as pumps and compressors, are
obvious causes of low flow. These mechanical failures include electrical
outages as well as actual breakage of mechanical components.
Leakage upstream in a fluid system can cause deficient flow downstream.
Causes of leakage are discussed in the subsections on equipment in Section 3
of this manual.
Many possible hazards are associated with low or no flow, depending on
the process, but the following are typical:
• Overheating caused by inadequate cooling to a process.
The consequences of excess temperature are discussed in
Section 2.5. Some consequences include runaway chemical
reactions or physical damage to equipment.
• Overcooling caused by inadequate heating to a process.
The consequences of deficient temperature are discussed in
Section 2.5. Some consequences include an accumulation of
unreacted material that could cause a runaway reaction on
reheating, a freezeup in a critical line, or collapse of
an atmospheric vessel due to vapor condensation and
unrelieved vacuum.
• Process upsets caused by incorrect feed rate. In some
exothermic reactions a portion of the cooling relies on a
low temperature feed. An increase in the feed temperature
or loss of one feed and not the other can lead to an
-------�
excess of one reactant. This can sometimes lead to an
excess exotherm and a runaway reaction. Too low a feed
rate to distillation columns can cause excess heating from
a reboiler if the control system does not respond
properly, causing overpressurization and a relief valve
discharge.
• Low flow in a pump can cause overheating and pump failure.
Excess Flow—
A primary cause of excess flow is an open valve which should either be
partially or completely closed. The following are some typical hazards
associated with excess flow:
• Excess flow of a cooling medium can cause the same prob-
lems as deficient flow of a heating medium, discussed
previously.
• Excess flow of a heating medium can cause the same prob-
lems as deficient flow of a cooling medium, discussed
previously.
• As with low flow, incorrect reactant ratios can result,
causing excess exotherms, or excess boilup and pressures
in heated process equipment.
• Overfilling of vessels can result if excess flow is not
detected and shut off in time.
• Unwanted siphoning of liquids is another example of excess
flow; or flow where none is intended.
42
-------�
Reverse Flow—
Reverse flow can occur when downstream pressure exceeds upstream
pressure. A common cause of reverse flow is a pump failure, or failure of a
directly pressurized fluid transport system. Reverse flow is not uncommon,
even in systems protected by check valves that may fail to close or seal
properly. Some typical hazards of reverse flow are the following:
• Reverse flow can lead to unintended chemical or physical
reactions. An unexpected exothermic reaction in a storage
tank from backflow of process reactants is an example of a
chemical reaction hazard. Overpressurization through
unintended flashing of liquid is an example of a physical
reaction hazard. This could occur, for example by reverse
flow of a liquid into a heated process vessel.
Unintentional contact of water and hot oil in refinery
systems has sometimes caused steam explosions.
• Reverse flow through pressure relief vent headers can
cause obstruction of vent lines, contamination by leakage
through unseated pressure relief valves on other equipment
connected to a common header, and excessive back pressure
on relief devices, with all the attendant hazards that may
result from these effects.
Fluctuating Flow—
Fluctuating flow can be caused by a variety of conditions. Reciprocating
prime movers such as piston pumps inherently generate a fluctuating flow, but
processes using such devices are either designed to accommodate the
fluctuations, or have special dampers to reduce the fluctuations. Fluctuating
flow may be a hazard when it is unintentional. Some common unintentional
causes of fluctuating flow include cavitation in centrifugal pumps and
improperly tuned automatic process control loops. Some hazards of fluctuating
flow include:
43
-------�
• Severe pulsations which can damage piping and equipment.
Even moderate pulsations over time may lead to fatigue
failure in piping or other process hardware.
• The overall controllability of a process is degraded.
making it inherently less safe.
• Depending on the oscillatory time period of fluctuations,
fluctuating flow can lead to the same problems as low or
excess flow, depending on the relative process system
dynamics in response to heating or cooling, for example.
Hammer Blow—
The phenomenon of hammer blow, also referred to as "water hammer," is the
propagation of a pressure shock wave through a liquid in a pipe line or other
equipment. It occurs when flow is abruptly shut off. An example is when a
control or solenoid valve is suddenly closed. It can also occur with manual
valves, such as ball valves, that can be closed quickly. The pressure shock
can be destructive to piping and other equipment in liquid-handling systems.
The primary hazard is piping or equipment rupture that could directly or
indirectly cause the release of a toxic chemical. A more insidious aspect of
this phenomenon is that even if its effects are not immediately evident, its
repeated occurrence may cause stress fatigue and eventual piping or equipment
failure.
Three conditions that can lead to "water hammer" are (16):
• Hydraulic shock;
• Thermal shock; and
• Differential shock.
44
-------�
Hydraulic shock occurs when there is an abrupt interruption of flow. The
conversion of the kinetic energy of the moving fluid to a physical pressure
force is proportional to the square of the velocity, and the resulting pres-
sure shock wave can be considerable. Hydraulic shock can occur from an abrupt
valve closure, which includes check valves in pump systems when pumps are
started or stopped. This phenomenon can be alleviated by providing a water
hammer arrester in the line or by providing slower closing valves. Special
consideration needs to be given to this effect when the line handles toxic
materials directly, or in other process lines whose rupture could indirectly
lead to a toxic release. This phenomenon must also be avoided in automated
process systems where actuator action can cause abrupt valve closures. Manual
systems may be less prone to this effect, but may not be entirely immune.
Thermal shock can occur when bubbles of vapor trapped in condensing
liquids suddenly collapse, causing rapid liquid influx and shock waves to
occur within the liquid. This can also occur in condensing two-phase systems
where gas becomes entrapped between slugs of liquids. Each of these forms of
hydraulic shock can damage equipment.
Differential shock can occur from two-phase flow in piping where the gas
phase creates a plug of liquid from wave action, resulting in a high gas side
pressure drop from the upstream to downstream side of the plug. The plug
accelerates and gains enough momentum that when a change of direction is
encountered, at an elbow for example, the inertia prevents the plug from
changing direction as rapidly as the gas and a shock occurs. This shock can
be great enough to cause damage to the piping.
2.3.2 Technology of Flow Control
The flow measurement and control system is intended to prevent flow
deviation from leading to accidental releases. Initial process design or
subsequent process modifications must provide for proper selection,
implementation, and operation of these systems. Adequacy and reliability are
the two evaluation criteria for these systems.
45
-------�
Measurement and Control—
Flowmeters are used for sensing and measuring fluid flow. A controller
responds to this measurement and commands the final control element to appro-
priate action. The primary control element for fluid flow is the valve,
actuated manually for manual control or through a mechanical actuator system
for automatic control. The reliability of the fluid flow system depends on
the reliability of the individual components.
A distinction is made between sensing and measurement elements. Sensing
refers to detection; whereas measurement refers to converting flow sensing to
a numerical quantity expressed in appropriate units of measurement. This is
an important distinction when considering the appropriateness of various
components in a flow measurement system, since different combinations of
sensors and final measurement devices may encountered. Proper sensing and
measurement of flow is the basis for controlling all other process variables:
temperature, pressure, composition, and quantities.
The primary types of flow meters in common use in chemical process plants
include the following:
• Differential static pressure;
• Momentum transfer (target, turbine, and positive displace-
ment meters);
• Variable area displacement;
• Vortex shedding; and
• Magnetic field.
Each type of meter is more appropriate for some applications than others. For
example, static pressure-based meters require small holes in either probes,
flanges, or pipe walls, which can become clogged by solids. Such meters are
46
-------�
obviously inappropriate when suspended solids are present in fluids. Improper
selection of a flowmeter can lead to a process hazard.
The controller, responding to the information received from the flow
measurement system, operates either a prime mover or a control valve. Flow
control requires only proportional and integral controller action. The
characteristic noise found in flow systems precludes derivative control
action. A further characteristic of flow control is that there may be some
transportation lag, but, in general, a flowing fluid responds quickly to the
control action.
The final control element is usually the control valve. Sometimes,
however, flow may be controlled indirectly by changing a pump setting or a gas
pressure on a pressurized fluid feed tank.
Important criteria in the selection and operation of control valves
include the proper size, trim, and action. Control valves and a pressurized
feed tank system usually allow a quicker control response than a pump, with
the exception, perhaps, of a complete shut off. This should be born in mind
when evaluating flow control options for high-hazard systems. An automatic
control valve should have a fail-safe action. It should fail appropriately
open or shut in the event of a loss of electrical power or instrument air.
Emergency Trip Systems—
Flow switches may be used to sense either the initiation or cessation of
fluid flow. These are primary devices in alarm and shutdown systems for
chemical processes based on a flowing stream.
There are two categories of flow switches: variable-area devices and
velocity-sensing devices (17). Low cost, simple switches based on both of
these operating principles are available. These switches are suitable for
applications where' accurate settings are not required, such as lubricating-oil
flow to rotating machinery.
47
-------�
More accurate switches may be required in critical applications, such as
detecting flow deviations before a process is endangered. Here variable-area
or rotameter type switches or orifice type differential pressure flow switches
would be appropriate. Differential type switches can be direct acting or can
transmit a pneumatic or electronic signal to the switch mechanism, alarms, or
relays.
Variable-area switches have good rangeability, but usually cannot be used
for flows as large as differential switches can handle. The latter are more
limited at low flow ranges because of the square-root dependency of the signal
or flow. They may become unreliable if the flow drops too rapidly below the
maximum design flow. These types of switches are sensitive to the range
selected for their application. Many other types of switches are available.
For example, a pressure switch can be used as a flow switch by sensing
pressure in a system when flow is present.
When integrated into a total emergency trip system, flow switches actuate
valves and relays to close and open lines, and turn motors on and off. As
will be discussed in other portions of this document, emergency systems
controlling fluid flows are the basis for emergency control of pressure,
temperature, quantity, and composition.
In general, exceeding the operating range of these types of switches may
cause no permanent harm. However, where the reliability of the switch is
really critical, the range must be selected with careful consideration of the
likelihood of overrange service and the risk of harm caused by it. More
details on the role of flow switches in process emergency control can be found
in various literature sources (e.g., Reference 17).
Reverse Flow Prevention—
Reverse Flow prevention can be achieved by specific equipment, equipment
configurations, and operational procedures. Equipment includes check-valves,
sensing, automatic shutoff valves, and positive displacement pumps (rather
than centrifugal pumps). Equipment configurations include relative elevation
differences or traps between equipment items. Procedural approaches include
48
-------�
direct shutoff with existing valves, or diversion of flow. The procedural
methods depend on the sensing of and corrective response to reverse flow, and
on previous provision for diversion in the design or construction of a
facility.
The technological basis for reverse flow prevention is, therefore, the
installation of the appropriate equipment. The most common device is the
check valve. Various types of check valves are shown in Figure 2-3. Typical
applications of the various types are given in Table 2-6 (18). While check
valves provide some protection, they can fail by sticking open or not
reseating properly. Sole reliance on check valves may be undesirable in
critical service.
The principle of reverse flow prevention using positive displacement
pumps is illustrated by comparison between a positive displacement pump and a
centrifugal pump, as shown in Figure 2-4. Because the inherent clearances
within a positive displacement pump are less than a centrifugal pump, reverse
flow may be reduced when a positive displacement pump is not running. When it
is running, an increase in upstream pressure is met by an increase in pumping
head and maintenance of forward flow. In a centrifugal pump, the flow falls
off sharply as upstream pressure increases and in extreme cases reverse flow
can occur even if the pump is running. An idle centrifugal pump offers very
little resistance to backflow.
Reverse flow is prevented through elevation differences when the feed
vessel is sufficiently higher than the host vessel, ensuring that no condition
in the host vessel would be sufficient to overcome the fluid head differential
between the vessels.
The trap principle of reverse flow prevention is based on interruption of
flow with an intermediate vessel. During normal flow, the fluid is repumped
for continued transport. Other arrangements may exist. The basic principle
is interruption of stream continuity so that flow is not readily reversed.
49
-------�
SWING CHECK VALVE
HORIZONTAL LIFT CHECK VALVE
BALL CHECK VALVE
CO
o
Figure 2-3. Check valve types,
50
-------�
TABIE 2-6. TYPES CF OMXVALVES
Type
Mechanism
Application
Limitations
String check Flow keeps swing gate open, while
gravity and flow reversal close it.
Tilting-type is pivoted at center
and insures closing without slam-
ming. Outside levers and weights
are used on standard swing checks
greater sensitivity for changes
in flow is required.
Piston check Flow pattern as in globe valve.
Flow forces piston up and reversal
and gravity returns it to seat.
Ball check A lift-type check consisting of
a ball with guides.
General:
lines.
Prevent back-flow in
Where mininun pressure drop is
required-Best for liquids and
for large line sizes.
Good for vapors, steam, and water.
Suitable for pulsating flow.
Stops flow reversal more rapidly
than others. Good for viscous
fluids which deposit solid residue
that would impair operation of
other types. Vertical or hori-
zontal installation is possible.
Not suitable in line subject to
pulsating flow. Sane styles
operate only in a horizontal
position.
Many designs are for horizontal
service only. Not cannon in sizes
over 6 in. Nat recommended for
service which deposit solids.
Not cannon in sizes over 6 in.
Not suitable for lines subject to
pulsating flow.
Source: Adapted fron Reference 18.
-------�
REVERSE
FLOW
NORMAL
DISCHARGE
CLEAR PATH FOR
REVERSE FLOW
NORMAL
SUCTION
PUMP CASING
SHAFT
IMPELLER
A. ILLUSTRATION OF REVERSE FLOW THROUGH CENTRIFUGAL PUMP
GEARS OBSCURE CLEAR
PATH FOR REVERSE FLOW
NORMAL
SUCTION
GEAR
PUMP CASING
NORMAL
DISCHARGE
REVERSE
FLOW
GEAR
B. ILLUSTRATION OF PREVENTION OR REDUCTION OF REVERSE FLOW IN A GEAR PUMP
Figure 2-4. Examples of backflow through pumps.
52
-------�
Blockage Prevention—
Prevention of blockage means that any valves or pumps must be prevented
from failing in a closed position when they should remain open. Lines, ports,
and orifices must be kept clear of debris.
There are numerous potential sources of debris in chemical processes.
Especially during startup especially, debris is present from pipe tape,
ordinary dirt, welding drippings, corrosion scale, and the nuts, bolts, and
other items inadvertently left in lines and equipment. Vigilance on the part
of the startup personnel is the first defense against flow blockage occurring
from such sources. Technological solutions include screens, strainers,
filters, and traps.
When in-line screens, strainers, and filter devices are applied to
prevent blockage, a secondary hazard is associated with the use of such
devices; if not properly maintained they can become the source of blockage.
The appropriateness of use must be evaluated on a case-by-case basis. Also, a
filter can be provided with a bypass activated by a high upstream pressure on
high pressure drop across the filter.
Two insidious causes of flow blockage are the buildup of corrosion
products and the accumulation of polymer materials from the side reactions of
various process fluids. Another is the attrition and breakage of solid
materials in processes such as catalyst pellets and packing using in packed
beds. Technological solutions here include the methods listed above, as well
as changes in the characteristics of the solid materials used in the process.
Blockage or flow reduction is also a possibility under certain
circumstances with slurries, high viscosity fluids, and melted materials at
low temperatures. This can occur, for example, in coolers, or due to very low
ambient temperatures. Solidification or buildup in slurries or freezing
materials can reduce flow or cause complete blockage. The increase in
viscosity can sharply reduce the flow rate for fluids.
53
-------�
Siphoning Prevention—
Siphoning can be prevented through proper design to ensure that if piping
from a lower elevation to a higher elevation is submerged at the higher
elevation end, appropriate steps have been taken to prevent backflow
siphoning. Another technique is an interlock system wherein closure of a
valve or cessation of pumping or failure of flow to stop will activate an
alarm.
2.3.3 Control Effectiveness
The effectiveness of flow control is evaluated in terms of performance,
limitations, and reliability. Proper selection is important to ensure that
these criteria are met. Some guidelines for flowmeter selection are
summarized in Table 2-7 (19).
The performance of individual components and complete systems depends on
the interaction of physical and design choices made by the designer and
fabricators. Sensors are limited by how sensitive they are to pressure and
temperature beyond their design limits, and resistance to corrosion or erosion
by process fluids. Controllers vary by type and individual vendor.
The effectiveness of emergency shutdown systems depends on individual
components and on the overall system design. A key factor here is the
response time required to achieve safe flow shutoff and the integrity of that
shutoff.
Reverse flow prevention depends on the functioning of check valves and on
the prevention of overpressurization of downstream vessels. Siphoning
prevention relies on proper process design and construction and on other
safeguards such as interlocks and alarms.
54
-------�
TABLE 2-7. FLOWMETER SELECTION GUIDE
Flowmeter
Element
Orifice
Wedge
Venturi tube
Recommended
Service
Clean, dirty
liquids; some
slurries
Slurries and
viscous liquids
Clean, dirty,
and viscous
Turn— Down
Ratio
4 to 1
3 to 1
4 to 1
Typical
Accuracy,
Percent
+ 2 to + 4
of full scale
_+0.5 to +2
of full scale
+1 of full
scale
Viscosity
Effect
High
Low
High
Relative
Cost
Low
High
Medium
Flow nozzle
Pitot tube
Elbow meter
Target meter
Variable area
Positive
Displacement
liquids, some
slurries
Clean and dirty 4 to 1
liquids
Clean liquids 3 to 1
Clean, dirty 3 to 1
liquids, some
slurries
Clean, dirty, 10 to 1
viscous liquids,
some slurries
Clean, dirty, 10 to 1
viscous liquids
Clean, viscous 10 to 1
liquids
+1 to +2
of full scale
+3 to +5
of full scale
+5 to +10
of full scale
+1 to +5
of full scale
+1 to +10
of full scale
+0.5 of
rate
High
Low
Low
Medium
Medium
High
Medium
Low
Low
Medium
Low
Medium
(Continued)
-------�
TABLE 2-7 (Continued)
01
Flowmeter
Element
Turbine
Vortex
Electro-
magnetic
Ultrasonic
(Dobbler)
Ultrasonic
(Time-of-travel)
Mass (Coriolis)
Mass (Thermal)
Weir (V-Notch)
Flume (Parshall)
Recommended Turn— Down
Service Ratio
Clean, viscous 20 to 1
liquids
Clean, dirty 10 to 1
liquids
Clean, dirty, 40 to 1
viscous
conductive
liquids and
slurries
Dirty, viscous 10 to 1
liquids and
slurries
Clean, viscous 20 to 1
liquids
Clean, dirty, 10 to 1
viscous liquids.
some slurries
Clean, dirty, 10 to 1
viscous liquids,
some slurries
100 to 1
Clean, dirty
liquids
Clean, dirty 50 to 1
liquids
Typical
Accuracy,
Percent
+0.25 of
rate
+1 of rate
+0.5 of rate
+5 of full
scale
+1 to +5
of full scale
+0.4 of rate
+1 of full
scale
+2 to +5
of full scale
+2 to +5
of full scale
Viscosity Relative
Effect Cost
High High
Medium High
None High
None High
None High
None High
None High
Very low Medium
Very low Medium
Source: Adapted from Reference 19.
-------�
Overfill protection relies on proper quantity measurement, as discussed
in Section 2.6 of this manual, as well as an overall good flow control and
proper shutoff.
The effectiveness of any system depends on its reliability. The funda-
mental elements of reliability include measurement, attenuation, and shutoff.
The primary components of measurement are sensor and measurement devices.
Attenuation is achieved by valve action, as is shutoff. System reliability
depends on the reliability of the individual components and the system hard-
ware and software. Software components include dead bands, dead time, and
other dynamic response characteristics. And, as pointed out in the discussion
on process control, the ultimate control of flow depends on the interaction of
the control system with the process flow characteristics as much as on the
characteristics of the control loop itself. Table 2-8 presents some typical
reliability information on flow control components expressed as typical
failure rates.
If a hazard evaluation discovers that the flow of specific streams is
critical to preventing conditions that could lead to an accidental release,
the entire flow sensing, measurement, and control system needs to be examined
critically for its integrity. If necessary, the system needs to be modified
to function more reliably.
2.3.A Summary of Control Technologies
Table 2-9 summarizes major hazards or hazard categories associated with
flow, and the corresponding control technology for both new and existing
facilities. Numerous individual control technologies or procedural changes
can be inferred for each category, based on the proceeding discussion of this
section.
57
-------�
TABLE 2-8. TYPICAL FAILURE RATES OF FLOW CONTROL COMPONENTS
Failure Rate
Component Failures/Year
Flowmeters
D/P cell and transmitter 0.76-1.73
Magnetic 2.18
Flow controller 0.29-0.38
Control valve 0.25-0.60
Flow switch 1.12
Flow indicators 0.026
-4
Check valve (backflow prevention) 1.10 x 10
Control loop 1.73
Source: Adapted from Reference 1.
58
-------�
TABLE 2-9. MAJOR HAZARD AND CONTROL TECHNOLOGY SUMMARIES
Process
Variable
Hazard
New Facility
Existing Facility
Flow
• Low Flow
- Blockage
• Flow, pressure,
and temperature
monitoring
• Screening or
filtration
• Materials of
construction
• Equipment selection
• Construction
supervision
• Design for
polymerization
inhibitors
• Add new flow,
pressure, and
temperature
monitoring
• Add screening or
filtration
• Change materials of
construction
• Change equipment
type
• Enhance maintenance
• Add polymerization
inhibitors
- Vapor lock
• Design of • Change temperature
temperature control control system
system
• Change equipment
• Equipment selection type
• Change process
chemistry
- Cavitation
• Design of • Change temperature
temperature control control system
system
• Change equipment
• Equipment selection type
• Change process
chemistry
Mechanical
failure in
prime mover
• Equipment selection •
Change equipment
type
(Continued)
59
-------�
TABLE 2-9 (Continued)
Process
Variable
Hazard
New Facility
Existing Facility
- Leakage
• Equipment selection • Change equipment
type
• Excess Flow
• Flow, pressure,
and temperature
monitoring
• Flow limiters
• Automatic flow
shut-off trips
• Emergency bypass
diversion
• Add new flow,
pressure, and
temperature
monitoring
« Add flow limiters
• Add automatic flow
shut-off trips
• Add emergency bypass
diversion
• Reverse Flow
» Check valves
• Pressure control
• Emergency bypass
diversion
• Add check valves
• Add pressure control
e Add emergency bypass
diversion
• Equipment selection • Change equipment
type
• Fluctuating Flow
• Use pulsation
dampeners
• Process control
system design
• Equipment selection
• Add pulsation
dampeners
• Change process
control system
• Change equipment
type
• Hammer Blow
System piping
design
Equipment selection
• Change piping
• Change equipment
type
60
-------�
2.3.5 Costs
Both rough, order—of-magnitude capital and total annual costs of the
various technological approaches to process modifications for flow have been
estimated. Table 2-10 summarizes estimated costs.
2.3.6 Case Example (1)
A serious accident occurred at a plant where ethylene oxide and aqueous
ammonia were reacted to produce ethanolamine. Ammonia backflowed in the
ethylene oxide line, reaching the ethylene oxide storage tank. The ammonia
went past several non-return valves in series, and past a positive
displacement pump through a relief valve that discharged into the pump suction
line. The ammonia reacted with 7,940 gal. of ethylene oxide in the storage
tank, which ruptured violently. The resulting vapor exploded, causing
widespread damage and destruction.
2.4 PRESSURE CONTROL
Pressure is the driving force for flow, and is therefore the driving
force in any chemical release. Control of pressure is central to the preven-
tion of accidental chemical releases. This section discusses pressure mea-
surement and control considerations.
2.4.1 Pressure Hazards
Overpressure and underpressure can increase the probability of an acci-
dental chemical release. Either can cause physical failure of process or
storage equipment. Overpressure can cause the opening of a relief device,
thereby allowing a toxic chemical to enter the environment. Potential
consequences range from a small release of hazardous materials through leakage
to a large, sudden release through the total and rapid failure of containment.
Generally, overpressures are considered more hazardous than underpressures.
61
-------�
TABLE 2-10. COSTS OF COMPONENTS
FLOW SYSTEMS
ASSOCIATED WITH PROCESS MODIFICATIONS FOR
Basis: 4 inch diameter pipe line.
Flow rate 250 gpm
Pressure 50 psig.
Capital Cost Annual Cost
Range ($) Range ($/yr) References
Flowmeter (D/P cell and
transmitter, magnetic,
and turbine)
Flow switch
Flow indicators
Check valve
Controllers
- Single loop, PID
- Simple interactive, PID
- programmable, PID
Control Valve
Control loop
- Conventional
(1986 Dollars)
2,500 - 5,100 380 - 780
380 - 1.000
380 - 570
800 - 1.600
$1,600 - 3,000
2.000 - 6,000
60 - 150
60 - 90
69 - 138
138 - 260
173 - 519
5. 20. 21
21
5. 20, 21, 22
5. 20. 21, 22
4, 24, 25
3.000 - 6,000 450 - 900 23. 26. 27
6.000 - 12,000
3.000 - 15.000
900 - 1.800 Composite
260 - 1.298
62
-------�
but process underpressure can also result in equipment failure by collapse or
by causing leakage or backflow of incompatible materials. Process design or
modification must include consideration of both over- and underpressure.
Structural failures caused by overpressure will often occur initially at
a seal or joint and secondly in cracking or rupture of vessels, piping, and
casings of other equipment (e.g.. pumps). Potential sources of process leaks
caused by overpressure include flanges, valve stems, pipe joints, welded or
riveted vessel seams, and pump or compressor seals. Structural failures in
vessel and pipe walls and equipment casings may occur as limited cracks or
total failure.
A second, indirect group of hazards are process effects from pressure
deviations from specified operating conditions. Since pressure is the driving
force for flow, pressure deviations can lead to flow deviations with their
attendant hazards, as discussed in Section 2.3 on Flow Control. Pressure also
can affect process chemistry. Disturbances in pressure for a pressure sensi-
tive process can sometimes result in the formation of unstable or incompatible
by-products that could contribute to the pressure disturbance and result in
overpressure and accidental release.
Initial process design and process modifications associated with pressure
must consider all factors contributing to pressure deviations and loss of
pressure control. These include process, equipment, and operating considera-
tions.
Three related primary process events can lead to loss of pressure con-
trol: thermal expansion, excess material generation, and flow restriction.
Thermal expansion may be caused by a loss of temperature control or by
excess heat due to a high reaction rate. Loss of temperature control may be
caused by a malfunction in cooling and heating systems, or inadequate heat
transfer due to inadequate mixing or fouling of heat transfer surfaces. Loss
63
-------�
of reaction rate control may be caused by a loss of flow, temperature, compo-
sition control, or inadequate mixing.
Excess material generation may occur from runaway reactions or from
uncontrolled flashing of liquids from sudden contact with high temperatures.
If a reaction generates more moles of material than it consumes, then an
accelerated reaction rate may generate enough excess material to result in an
overpressure. Uncontrolled flashing could occur if a liquid were inappropri-
ately introduced into a high temperature process.
Flow restrictions that occur as a result of fouling, freezing, valve
closure, or other physical blockage may lead to an overpressure upstream of
the restriction.
In many instances, the process failures listed above are caused by a
mechanical failure in equipment. These failures may be the result of
exceeding design capabilities, improper design, poor maintenance, defective
equipment, fatigue failure, or corrosion.
Since not every form of mechanical failure can be prevented, insufficient
design preparation to minimize the impact of mechanical failure can also be
listed as a factor that contributes to loss of pressure control.
A loss of pressure control may occur as a result of fundamental design
flaws, poor operating and maintenance practices, or insufficient operator
training, especially in response to non-routine operating conditions.
2.4.2 Technology of Pressure Control
The pressure measurement and control system helps prevent accidental
releases resulting from pressure deviation. Initial design or subsequent
64
-------�
process modifications must provide for proper selection, implementation, and
operation of these systems. Pressure relief for either excess over- or excess
under-pressure is a fundamental aspect of pressure control.
Measurement and Control—
Pressure measurement relies on both sensing and final measurement
devices. Control relies on how a system responds to pressure to take
corrective action. Many types of pressure sensors and measuring devices are
available, each having some unique feature in the mechanism it uses to sense
and measure pressure. Probably the most common type of device in the process
industries is the Bourdon gage, which is described in numerous texts and
handbooks. A second category of devices is electronic. The most common type
in this category is probably the strain gage sensor coupled with an
appropriate signal conditioning and read-out instrument. The choice of device
depends on the needs of the process and the operating environment. The actual
pressure device must often be protected from direct contact with the process
fluids. The device mechanism, combined with the method by which it is
protected from process fluids or even external environments will determine the
device's overall performance.
The pressure controller is the next device to be considered in a pressure
control system. Details of these devices are discussed in numerous texts and
handbooks in the general technical literature. Pressure control is achieved
through control of the flow of a fluid (discussed in Section 2.3 on flow
control).
Preventing the realization of pressure hazards requires the proper
selection of pressure measurement and control equipment in both initial design
and subsequent process modification. Proper selection must consider accuracy,
precision, and reliability. A change in a pressure sensing and measurement
element may be an appropriate process modification to enhance process safety.
65
-------�
Emergency Pressure Relief Systems—
An emergency pressure relief system is the final step in preventing
overpressure or under pressure when the basic control system fails. Under
certain circumstances a pressure relief system will be designed to vent
directly to the atmosphere. This type of system is often used for emergency
venting of explosions or where nonhazardous materials are involved. Its
appropriateness where toxic materials are involved is debatable, unless an
explosion or other effects of overpressure are a greater hazard. For toxic
materials, a total containment system designed to capture and store the
released material for later treatment and disposal, or to capture and treat
the material as it is vented to render it "nonhazardous" before it is re-
leased, may be desirable. These systems are composed of a pressure relief
device (a rupture disc, safety-relief valve or combinations), a vent header
system, and a catch vessel or a final treatment device (usually a flare or a
scrubber). The treatment devices are discussed in more detail elsewhere in
this document; descriptions of the remaining components in a total containment
system are presented below.
Rupture discs—A rupture or bursting disc is a non-reclosing pressure
relief device composed of a pressure sensitive disk or membrane held in place
by a support structure. A disc subject to reverse pressure may be fitted with
an additional support designed to prevent reverse pressure rupture of the
disc. A typical rupture disc arrangement is illustrated in Figure 2-5.
Types of rupture discs include domed discs, composite discs, reverse
domed discs, and flat discs. Materials of construction include metal, plas-
tics, resin-impregnated graphite or some combination of these. The rupture
disc is frequently constructed with a corrosion- resistant coating or liner.
A temperature shield such as an insulating flock may be installed upstream of
the disc to protect it from high temperatures; however, this device would not
be appropriate for rupture discs discharging into a downstream pipe or mani-
fold system where constrictions would trap the flock material and cause a
pressure venting discharge restriction.
66
-------�
HOLD - DOWN
DISC
1
8
BASE HOLDER
Figure 2-5. Typical rupture disc installation,
67
-------�
Discs may be piercing or non-piercing. A piercing disc has an assembly
that contains a knife edge against which the disc presses as it ruptures to
ensure a clean, complete, full-dimensional break.
Rupture discs may be used alone or upstream of a safety relief valve
(discussed below). A rupture disc is often placed upstream of a relief valve
to prevent leakage through a relief valve that may not reseat effectively, or
to protect the valve against corrosion or even plugging from protracted
polymerization of monomer vapors. This latter phenomenon has been known to
occur.
Sizing and selecting a rupture disk should follow accepted design
procedures, such as those recommended by the Design Institute for Emergency
Relief (DIERS) of the American Institute of Chemical Engineers (AIChE),
American Petroleum Institute (API) or the American Society of Mechanical
Engineers (ASME). A new set of standards that is a fairly comprehensive guide
for both manufacturers and users of bursting disks has been assembled in Great
Britain. An overview of rupture disks with numerous references is presented
in a comprehensive book on loss prevention by Lees (1).
The Design Institute for Emergency Relief Systems (DIERS) has assembled a
manual and a computer program package useful to a safety-relief system
specialist; however it is not geared toward the novice. This document is
particularly important when considering the effect of two-phase, vapor-liquid
flow on the sizing of a relief device. Two-phase flow occurs when a pressur-
ized vessel that contains liquid is rapidly depressurized. The occurrence of
two-phase flow during emergency relief almost always requires a larger relief
system (two to ten times the area), compared to that required by vapor vent-
ing. Some of the information generated by DIERS has been used by Fauske to
develop a nomograph for sizing an emergency relief device (28).
Safety-relief valves—The term "pressure relief valve" is a generic term
applied to various types of valves used to relieve pressure. API RP 520 gives
68
-------�
additional definitions within the safety relief valve category (30). A safety
valve is characterized by rapid full opening, or pop action, and is normally
used for steam, air, gases, or vapors. Relief valves are used primarily for
liquid service and are characterized by valve openings proportional to the
rise in pressure over the opening pressure. A safety-relief valve can be used
for either liquid, vapor or gas service. In practice, the terms safety valve,
relief valve, and safety-relief valve are often used interchangeably.
A conventional safety-relief valve is illustrated in Figure 2-6. For
this device, the bonnet (as shown in the diagram) may be vented either to the
atmosphere or to the discharge side of the valve. Backpressure will decrease
the set pressure for a valve with a bonnet vented to the atmosphere and will
increase the set pressure for a valve with a bonnet vented to the discharge
side of the valve. To compensate for the effects of backpressure, a balanced
safety-relief valve may be used. For this type of valve, backpressure in the
discharge line will have very little effect on the set pressure of the valve.
The balanced safety-relief valve is often the most appropriate type of valve
for a total containment system.
A final type of valve is the pilot-operated safety-relief valve, which is
designed to achieve good mixing of the substance being discharged and air. A
pilot-operated safety valve is often used when a flammable material must be
diluted below its flammable limit with air before it can be safely released.
The API, ASME, and the National Fire Protection Association (NFPA) have
each issued guidelines and standards for the sizing and installation of
safety-relief valves (29,30,31). Criteria for sizing include fire exposure,
fill rates, thermal expansion, and reaction/decomposition venting. DIERS
manual also applies to safety relief valves. William A. Scully has prepared a
brief discussion of some of the common malfunctions of safety-relief valves
and how these malfunctions can be corrected (32). D.M. Papa discusses the
effects of back pressure on a safety relief valve (33). The pitfalls of
69
-------�
SCREWED
CAP
BONNET
GASKET
ADJUSTING
SCREW
-
8
BODY
Figure 2-6. Cross-section of a typical pressure relief valve,
70
-------�
sizing a relief valve when the equipment (specifically, a distillation column)
will be used for more than one process is discussed by Bradford et. al. (34).
An overview of pressure relief valves, with numerous additional references, is
presented by Lees (1).
An important consideration in relief valve installations is to keep then
from being isolatable while still providing for their maintenance while a
process unit is-on-line. A twin-valve configuration with a two-way,
three-port block valve, which blocks only one relief valve at a time, is
desirable. When a standard block-valve is used upstream of either a single or
two relief valves, it should be locked or sealed open to prevent unintentional
or unauthorized closure.
Vent headers—The vent header is the pipework that delivers material from
the discharge side of the relief device to a point where it can be rendered
nonhazardous. These systems are often complex, having several relief devices
using one common header system. For toxic materials, it might be well to
consider addition of a header to the relief device system that leads to some
form of secondary containment or treatment. However, depending on the
situation, even with a toxic material, a discharge directly to the atmosphere
still might be a safer condition than risking a restricted relief discharge.
The appropriate configuration must be evaluated case by case.
Sizing the vent header for an emergency relief system is not a simple
matter. For safety, the system must be sized to accommodate more thant the
flow from the largest single source. For economy, the system must usually be
sized for some flow less than the sum of all sources. In approach presented
by Fitt, overpressure due to fire, electrical power failure, instrument air
failure and cooling water failure are considered (35). Fitt calculates the
effect of each of these failures for three different time periods and sizes
the pressure relief header for the maximum load that results from failure of
one of the items. A method for sizing relief headers is also given in API RP
520 (29).
71
-------�
Pressure trip systems—A pressure trip system may be used instead of an
emergency relief system. A pressure sensor activates a switch when the
pressure is approaching an unacceptable level. The switch then shuts a valve
to isolate a part of a process from the source of pressure. As an example, a
pressure switch in downstream equipment may stop the flow of steam to a feed
preheater or to a distillation column reboiler.
Because of the limitations discussed for relief systems, a pressure trip
system should be several tinu-s more reliable than a pressure relief valve for
the same application. Calculation of this reliability should be based on the
calculated proportion of the time for which a system will be in the failed
state, referred to as the fractional dead time. This method considers both
the fault-rate of the individual components and the frequency of proof
testing.
2.4.3 Control Effectiveness
The control effectiveness of pressure control is evaluated in terms of
performance, limitations, and reliability.
Measurement and Control—
Table 2-11 lists a variety of pressure sensing and measurement devices
and pressure ranges over which they may be used. In addition to a pressure
range, each device has a variety of other performance limitations, including
acceptable sensitivity, operating temperatures, reproducibility, and materials
of construction. The range of values for these parameters is quite large and
a device is routinely available for almost every temperature, pressure range,
and operating environment likely to be encountered in typical chemical pro-
cessing applications.
Because of the large number of choices, care must be taken to select an
appropriate device for each application. Each pressure device can only be
expected to perform satisfactorily within its design specifications. The
72
-------�
TABLE 2-11. PRESSURE SENSING AND MEASURING DEVICES
Applicable Pressure Ranees
ran Hg absolute
(Inn Hg = 133 fa)
type of Device
Uf1A 10 10 10"6 10 3 Uf1 1 50 200 AGO 600
= 250 Pa)
PSIG
(psro = 6.9 kFa)
11 102 103 10* 10
10
-300 -200 -100 -10 -5 -1 +0.1 +1 +5 +10 +100 +200 +300
Bellows Abe. Press, Motion Balance
Abs. Press. Force Balance
Atm. Press. Ref. Motion Bal.
Atm. Press. Ref. Force Bal.
Aneroid Mmostata
xxxxxxxxxxxxxx
aOOQOOQUUUUUOnOt
Bourdon Conventional Bourdon
Spiral Bourdon
Helical Bourdon
Quartz Helix
Dia- Abs. Press. Motion Balance
phragm Abs. Press. Force Balance
Atm. Press. Ref. Motion Bal.
Atm Press. Ref. Force Bal.
OJ
Elec- Strain gauge
tronic Electronic Tranamtters
Capacitrve Sensors
High- Dead Weight Piston Gauge
Pressure Bulk hbdulus Cell
Sensors Manganin Cell
jmjuouuuuuuooot
aOQQQOOQOOOOOUC
ffeno- Inverted Bell
meters Ring Balance «xjuuouoaxx»xjuoauoonQoooiiiji»ii»«iixxxxxxxiouoixxKioo(
Float Mancmeter xxxxxxxxxxxxxxxxxxxx
Barometers xxxxMooocxjoooQuoooouQomxjuuuuuuuuuuum xmuuouua
Visual Hjncoeters xiouuoQauououuuoouuuuuuuoDiixjLxioixiot juuuuuuuui
Micrcasnaneters
Cartesian Divers
Pressure D/P Cell
Repeaters Standard Diaphragm
Button Diaphragm
loniza- Hot Cathode m
tion Cold Cathode
Thermal Thermocouple
Thermopile
Resistance Wire
ffech- McLeod
anical Molecular Mcmentun
Capacitance xxxjaoooooaooaoooat
1: Adapted frtin Ri>ferpnc%e 19.
-------�
degree to which a device can withstand excursions beyond its operating range
varies. Some sensors may be permanently damaged by even brief excursions out
of their operating range. The sensitivity of devices to such excursions
should be taken into account during initial design or subsequent
modifications.
Because there may be no external indication that a pressure device is
giving an incorrect reading, redundancy of pressure sensing and measurement
should be used in all critical processes. For example, a common failure in a
Bourdon gage is to jam at some false reading. It may be advisable to use two
different types of devices if the potential cause of device failure is
sensitivity to process pressure excursions. An appropriate solution might be
to use a cruder, more robust type of device to roughly indicate the pressure
as a back-up for the more sensitive sensor actually used for process control.
Information on the reliability of a specific device can be supplied by
the vendor, although this information may not itself be reliable and must be
used with caution. A number of statistics on reliability have been assembled,
some of which are presented later in this section.
Emergency Pressure Relief Systems—
Rupture discs—A rupture disc is generally preferred over a relief valve
when pressure rise may be so rapid as to virtually constitute an explosion.
when even minor leakage cannot be tolerated, or when the potential for
corrosion and/or blockage would limit the effectiveness of a valve.
The set pressure for a rupture disc is usually specified by a range, that
can vary anywhere from +/-2% to +/-25% of the mean bursting pressure (34).
The reliability of rupture discs varies with type. The simplest form is
a flat disc made of a material weaker than the vessel it is designed to
protect. Because it is virtually impossible to accurately predict the
74
-------�
bursting pressure for this type of disk, a large margin is required between
the operating pressure and the bursting pressure. An exception is the brittle
bursting disc, often made of resin-impregnated graphite, which is often used
for low pressure and corrosive applications.
Several types of domed discs are available. One variety is a thin piece
of dome-shaped metal. Because they are very thin, their bursting charac-
teristics are altered by even slight corrosion, elevated temperatures, or
minor deformations of the surface. Pressure fluctuations near the set pres-
sure of these discs can result in premature rupture as a result of fatigue.
Generally these discs cannot be operated above 70% of their rated bursting
pressure, and even less at elevated temperatures (28). They will collapse
under a comparatively small back pressure and are generally installed with a
backpressure support. An improvement in domed design is a disc made of
thicker material radially scored to purposely weaken the surface. Because
most of the disc is made of heavier material, it is less susceptible to
fatigue. These discs can generally be operated at up to 80% of their design
burst pressure (1).
The inverted domed disc has advantages over either of the domed disks
described above. One variety is composed of an inverted dome with a knife
edge or some other variety of puncturing device positioned next to the disc.
When the bursting pressure is reached, the dome inverts and is punctured.
Another variety is so constructed that when the disk inverts it pops free of
its support and is caught immediately downstream. Both smooth and scored
surface inverted dome disks are available. The danger with inverted domed
discs, however, is that the disc may not be punctured when it inverts. Tht^e
discs can operate at pressures up to 90% of their design capacity and can be
manufactured to relieve within 2% to 5% of their design capacity (35).
Rupture discs are potentially hazardous because they are nonresealable
and they provide total depressurization. A rupture disc gives no external
indication that it has blown. Once a disc has blown, the vessel it was
75
-------�
protecting is no longer isolated from whatever else may be present in the
containment system, and it is possible for material to backflow into the
vessel from the containment system. This would be hazardous if the materials
were incompatible. Vessels normally at atmospheric pressure are particularly
susceptible to this since a loss of pressure from the vessel would not
indicate a ruptured disc. An undetected ruptured disc in an atmospheric
vessel could result from a previous overpressure, damage during installation,
or corrosion.
Because a rupture disc provides sudden, total pressure relief, it may
result in two-phase, vapor-liquid flow from a pressurized vessel when liquid
is initially present. This may be hazardous if the disk or the containment
system downstream is not sized for such a release. Flares and scrubbers for
these types of systems are not usually designed to handle the large quantities
of liquid that could be released. Any incompatibilities between the liquid
released and the materials within a downstream containment system might be
quite serious because of the quantity of liquid that could be present. A
knockout vessel of some type is needed when a two-phase release is possible.
In such cases, and when a heated material whose melting point is above ambient
temperature is involved (such as molten sulfur), particular care must be
taken. Lines leading up to, and including the catch vessel must be heated to
prevent plugging when the liquid cools.
A seemingly trivial, but actually very dangerous hazard associated with
the use of rupture discs is that they can be easily installed«upside down.
The consequences of installing a disk upside down will depend on the type of
disc, but in most cases the device will relieve at a substantially higher
pressure than intended. All disks should have a tag indicating the proper
direction for installation; these tags should be regularly inspected.
Other disadvantages of rupture discs are that once installed they cannot
be non-destructively tested, wrong discs can be installed, and multiple discs
nested together can be installed. Avoidance of these latter two occurrences
76
-------�
requires strict adherence to proper, installer training and auditing
procedures.
Safety-relief valves—A properly designed safety-relief valve will:
1) open automatically at a pre-adjusted set pressure using the energy of the
fluid. 2) open fully to its rated flow capacity at a pressure typically not
more than 10% above the set pressure, 3) shut flow off completely when the
pressure falls to a preset reseat pressure (minimally between 3% to 5% below
the set pressure).
Both undersizing and oversizing a valve can impair its effectiveness.
Undersizing a valve presents the obvious hazard of not being able to relieve
pressure fast enough. An oversize valve may chatter (rapid opening and
closing), resulting in excessive wear or damage to the valve. An oversized
valve may reseat improperly, resulting in leakage into or out of the vessel.
It is common to place a safety-relief valve downstream of a rupture disc.
The rupture disc will prevent minor leakage of process materials and the
safety-relief valve will allow the process to be resealed when the pressure
drops. Sometimes a rupture disk of corrosion-resistant materials is used to
protect a safety-relief valve made out of less exotic materials and expensive
materials. Care must be taken to ensure that the presence of the blown
rupture disk does not affect the anticipated performance of the safety-relief
valve.
The dangers associated with pressure-relief valves are the possibility of
isolation with shutoff valves either upstream or downstream, two-phase flow
through the valve, and the potential for failure of the valve because of human
error or mechanical failure. Another hazard is having other foulable fittings
(e.g. check valves, flame arresters) between a relief valve and a vessel or
between a relief valve and safe discharge. These can also cause isolation.
77
-------�
Since the safety-relief valve will reseat when the pressure drops, the
potential for two-phase flow is not as high as it is with a rupture disk.
However, two-phase flow is possible while the valve is open and rapid release
is occurring. In the case of a runaway reaction, a large portion of the
vessel contents may empty before the pressure falls below the reseating
pressure. As with a rupture disc, a safety-relief valve will be grossly
undersized for a two-phase release if it was sized taking only the vapor
release into account. Much research has been and continues to be conducted in
this area by the Design Institute for Emergency Relief Systems (DIERS).
Human error can result in the failure of a safety-relief valve in several
ways. Unlike a rupture disk, a safety-relief valve has internal settings that
can be adjusted to alter the performance of the valve. Incorrect adjustment
of these settings during installation or routine maintenance could increase
the potential for overpressure. The physical orientation of the valve is
important during installation. A valve should be installed vertically, or if
a type is designed for such service horizontally, with the discharge pointing
down. In addition, the valve should not be required to support the weight of
the discharge piping.
The hazards associated with any valve are the same with a safety-relief
valve. Seals may leak, the valve may plug, or corrosion and abrasion may
destroy the integrity of the valve. These hazards may be more pronounced for
a safety-relief valve since it may go for very long periods of time without
being called into service. For this reason, regular inspection and testing of
the valve is essential to ensure its proper function when required.
If a safety-relief valve is located downstream of a rupture disc, then a
pressure-detecting device should be placed in the line between the disc and
valve. A premature failure of the rupture disk would otherwise go undetected
and the safety-relief valve would be exposed to the conditions the rupture
disc was installed to prevent. Also, since the disc relies on a differential
78
-------�
pressure to rupture, a leak could reduce this differential and cause the
pressure to rise well above the set pressure before the disk gave way.
Vent header—The effectiveness of a vent header depends on its proper
sizing. The primary danger with vent headers in a total containment system
for pressure relief discharges is that the vent header may not be sized to
accommodate a worst-case event of simultaneous discharge of all or several
relief valves connected to the header system. A second hazard is the
potential for mixing incompatible materials in the vent header system or
cross-contaminating the contents of one vessel with material vented from
another vessel.
Pressure trip systems—
A trip system may be preferable to sole reliance on a pressure relief
system when a toxic material is involved. Because of its mode of operation,
no hazardous materials are discharged in the event of an overpressure. If
properly applied, a pressure trip system may be more reliable than a pressure
relief system. However, the system has no backup if not used in conjunction
with pressure relief. If a safety-relief valve fails to open at its set
pressure, it may open at some higher pressure before the structural limits of
the equipment it is protecting are reached. A pressure trip system can never
substitute for a pressure-relief valve installed to protect against
overpressure due to fire.
The reliability of a trip system is a design criterion. Generally, a
pressure trip system is designed to be at least ten times as reliable as the
pressure relief valve it is intended to complement.
The reliability of a pressure trip system can be improved by a variety of
methods that may be used to improve the reliability of any control system.
Individual system components may be replaced with more reliable (and usually
more expensive) components. Redundancy of hardware and software in various
forms of backup systems may be used.
79
-------�
For critical applications a combined system may be configured as follows:
• First line of prevention - pressure control loop;
• Second line of prevention - pressure trip system; and
• Third line of prevention - relief valve discharging to
header with protection technology system (e.g., scrubber).
The pressure for activating the system increases at each step.
Reliability of Pressure Control Components—
The reliability of pressure control depends on the reliability of the
individual components that comprise the pressure control system. The reli-
ability of a full multicomponent control system also depends on the architec-
ture of the specific system. Table 2-12 presents reliability data for some
individual components.
2.4.A Summary of Control Technologies
For both new and existing facilities, Table 2-13 summarizes major hazards
or hazard categories associated with pressure and the corresponding control
technology or procedural categories. Numerous individual control technologies
or procedural changes can be inferred for each category based on the preceding
discussions of this section.
2.A.5 Costs
Table 2-1A presents the costs of components associated with process
alternatives for pressure measurement and control systems. This table
presents a list and costs of typical components. There are many individual
variations of these component groupings, since other possible components are
not included here. These costs give an order-of-magnitude basis for
80
-------�
TABLE 2-12. TYPICAL FAILURE RATES OF PRESSURE CONTROL COMPONENTS
Failure Rate
Component Failures/year
Pressure Transducer/Transmitter 0.76-1.73
Pressure Indicator 0.026-1.41
Pressure Switch 0.34
Control Valve 0.25-0.60
Pressure Controller 0.29-0.38
Pressure Control Loop 1.73
Source: Adapted from References 2.8,19,37.
81
-------�
TABLE 2-13. MAJOR HA2ARD AND CONTROL TECHNOLOGY SUMMARIES
Process
Variable
Hazard
New Facility
Existing Facility
Pressure Overpressure
• Flow, pressure, and
temperature control
system design
• Emergency trip
system for flow
shutoff or
automatic venting
• Design to avoid flow
blockage
• Provide pressure
relief for thermal
expansion
• Provide general
pressure relief
• Change flow,
pressure, or
temperature control
system
• Add emergency trip
system for
automatic flow
shutoff or
automatic venting
• Change system to
avoid flow blockage
• Add pressure relief
for thermal
expansion
• Add or change
pressure relief
system
Underpressure
Flow, pressure, and
temperature control
system design
Emergency trip
system for flow
shutoff or
automatic vacuum
break
Mechanical vacuum
breaker
• Change flow,
pressure, or
temperature control
system
• Add emergency trip
system for
automatic flow shut
off or automatic
vacuum break
• Add mechanical
vacuum break
Fluctuating Pressure
• Control system
design
• Change control
system design
• Equipment selection • Change equipment
type
82
-------�
TABLE 2-14. COSTS OF COMPONENTS ASSOCIATED WITH PROCESS MODIFICATIONS FOR
PRESSURE MEASUREMENT AND CONTROL SYSTEMS
Basis: 4 inch diameter
piping. Pressure
range 0-300 psig
Capital Cost Annual Cost
Range ($) Range ($/yr)
(1986 Dollars)
References
General purpose pressure
transducer
Indicators
Computer interface system
Pressure gauge
Control valve
Controller
- conventional
- via process control
computer
Control loop
- simple, single loop, PID
- simple, interactive, PID
- programmable, PID
Rupture disks
Relief valves
200-500
200-600
2,000
50-250
3,000-6,000
2.000
6,000-12.000
3,000-15.000
800-1,600
1.600-3,000
2,000-6,000
150-225
7,000-12,000
33-81
33-99
330
8-43
450-900
326
910-1,800
260-1,298
69-138
138-260
173-519
28-42
609-952
40
40
40
40
3,20,21
24,25,26.27
Composite
20.23,28
20.23,27
83
-------�
estimating costs of process modifications involving the pressure measurement
and control system.
2.4.6 Case Examples (1)
An explosion occurred in a vinyl chloride pump on the "recovered" vinyl-
chloride monomer system (RVCM), seriously injuring an operator. The line
sections before and after the pump had been removed and the explosion occurred
in the idle vented pump about an hour later. Investigation showed that the
entire RVCM system was contaminated with vinyl chloride polyperoxide, an
unstable material. There had been earlier abnormal occurrences where the RVCM
gas compressors had not shut down at low pressure because a pressure switch
had failed. RVCM liquid had accumulated in the storage tanks for 20 days and
the acidity level in the vinyl chloride feed had been high.
A failure of the control system in a chlorine cellrooin caused a back-
pressure to develop. When operating personnel tried to shut the system down
manually, failure of these controls caused a serious chlorine release. One of
two compressors taking hydrogen from a low pressure gasholder continued to
operate and failure of a low level trip created a negative pressure, allowing
air to leak in and cause an explosion in the compressor cooling coils. The
hydrogen/air mixture in the holder diffused into the catalyst purification
unit, a high temperature developed, and another explosion occurred. The
gasholder trip did not operate because the timer was bypassed by a "jumper".
2.5 TEMPERATURE CONTROL
Like flow and pressure, temperature is one of the primary variables in a
chemical process. The temperature of a system strongly influences which
chemical reactions are preferred and the rate at which they occur. Phase
changes are determined by temperature. The volume of gases, and to some
extent liquids, depends on temperature. For these reasons, a loss of pressure
control, discussed in the preceding section, will often be the result of a
84
-------�
loss of temperature control. The inability to control temperature can
therefore indirectly or directly lead to conditions that cause an accidental
release. Proper design of a temperature measurement and control system is
therefore essential to preventing accidental releases.
2.5.1 Temperature Hazards
For some chemical reactions a loss of temperature control may result in a
runaway reaction with excess generation of heat and materials that could lead
to an overpressure and an accidental release.
A chemical reaction system will generally have a specified temperature
range in which it must operate to successfully produce the desired product.
This range is usually set by balancing reaction rates with economics to
achieve an acceptable reaction rate for the primary reaction, while minimizing
competing reaction rates, the size of reaction vessels, and heating and
cooling systems. The consequences of operating above or below the set operat-
ing temperature will be a function of the specific reaction system.
High temperatures are usually more hazardous than low temperatures, but
both must be considered in evaluating temperature's contribution to process
hazards. Often a low temperature will slow down or quench the reaction. This
may be hazardous if an unreacted feed stream is incompatible with downstream
operations. High temperatures may result in a number of undesirable conse-
quences. At higher temperatures, reaction rates are likely to increase, re-
sulting in excess heat and material generation that may lead to an over-
pressure. A high temperature may result in the formation of unwanted by-prod-
ucts because of thermal decomposition of the product or increased reaction
rates for competing reactions. Thermal decomposition often results in the
generation of more moles of material than are consumed; this could result in
an overpressure. The consequences of unwanted by-product formation due to the
competing reactions will depend on the nature of the by-products formed. The
presence of lighter molecular weight by-products would result in an increased
85
-------�
system pressure and could result in an overpressure. A reaction may form
by-products that react with downstream materials or that are corrosive to the
materials of construction. Both of these events could contribute to the
potential for an accidental release.
Increases in temperature result in thermal expansion, which can result in
increase in pressure and an accidental release. A loss of temperature control
in any process involving heating or cooling may lead to an accidental release.
Two-phase processes are more sensitive to temperature fluctuations than
single-phase processes. Gas phase processes are more sensitive to temperature
fluctuations than liquid phase processes. However, thermal expansion can be
very destructive in a sealed liquid-full system; a system with no vapor space.
Sometimes heating or cooling results in a phase change: freezing, condensing
or vaporization. Phase changes may lead to overpressure or underpressure.
The expansion of water on freezing is an example of one consequence of cold
temperature.
Most physical properties vary with temperature. The performance of any
physical operation will be affected. The consequences of a temperature
fluctuation must be evaluated on a case-by-case basis. Sometimes a loss of
heat to a stream will decrease the solubility of a component in the stream to
the point where it drops out of solution. Solidified material could clog
lines and would affect the chemical properties of the stream; this could
ultimately lead to an overpressure and an accidental release. Partition
coefficients are temperature dependent and processes such as liquid-liquid
extractions will not function properly as temperatures vary.
A loss of temperature control may lead to an accidental release due to
material failure. Structural or sealing materials lose physical strength as
the temperatures increases. At an elevated temperature, a construction
material may stretch, bend or crack under load conditions that were acceptable
at lower temperatures. Metals experience fatigue if subjected to repeated
heating and cooling. This can lead to eventual failure under previously
86
-------�
acceptable conditions. Plastic linings used to protect metals from corrosion
may fail at excessive temperatures. Expansion joints are often more sensitive
to high temperatures than other process piping and may fail if temperatures
are elevated above design specifications. Extremely cold temperatures may
result in brittle failure of metals, especially if the metal is subjected to
high stress under these conditions. Rapid changes in temperature can also be
destructive.
A hazard in heat transfer equipment is the possibility of accidental
mixing of a heat transfer fluid with a process fluid. Heating and cooling are
usually accomplished via heat exchangers or various forms of jacketed equip-
ment. A leak may develop in a vessel or pipe wall that allows the jacket
fluid to enter the vessel, or vice versa, depending on which pressure is
higher. A special danger arises when the process side is at a higher pressure
than the jacket side. The process side of a jacket of a vessel frequently has
a pressure rating higher than the jacket. A leak could cause high pressure
process material to rupture the jacket or exit through the jacket's relief
valve. If the jacket is at a higher pressure than the process, then the heat
transfer fluid will contaminate the process, which could result in an
accidental release if the heat transfer material is incompatible with the
process materials.
Flashing may occur when a hot liquid with a high boiling point is mixed
with a lower boiling point liquid. This flashing may result in a rapid
overpressure. The accidental mixing of a heat transfer fluid with a process
fluid, as was discussed above, may sometimes be the cause of such an event. A
number of accidents have occurred when a hot oil is transferred to a tank that
has been steam cleaned and not thoroughly cleared of condensation. The
condensate has flashed and resulted in an overpressure.
Process temperature control is closely related to flow control. Reac-
tion rates and the heat generated by a reaction is often governed by flow
87
-------�
control. The rate of heat transfer depends on the flow rate of a heating or
cooling medium. Therefore, a loss of a flow control can often result in a
loss of temperature control.
Process Considerations—
A process-related loss of temperature measurement and control occurs when
the temperature measurement and control systems are functioning according to
design standards but the heat generated by the process exceeds the capacity of
the cooling system.
Chemical reactions either generate or require heat. Anything in a
chemical reaction system that alters the rate of reaction alters the rate of
heat generation and/or consumption and affects the ability to control
temperature. As an example, loss of flow control of a reactant to an
exothermic reaction may result in the generation of excess heat. If the heat
generation rate exceeds the ability of the temperature control system to
remove it, the result is a loss of temperature control.
Failure to achieve proper mixing may result in a loss of temperature
measurement and control. Improper mixing of reactants may result in localized
hot spots. In a jacketed process vessel, for example, if there is poor mixing
then there will be very poor heat transfer between the jacket and the reactor
contents. Temperature measuring probes will not measure a representative bulk
temperature when there is inadequate mixing.
Equipment Considerations—
A failure of flow control may cause a failure of temperature control. As
mentioned above, in most cases, temperature control is achieved through
control of the flow of either the process materials or of a heat transfer
fluid. In some cases heating is accomplished by direct heating with gas. oil,
or electric heating elements. These are often used to heat a hot oil, steam,
or some other heating fluid; thus flow control is still the ultimate method
for heat transfer and temperature control.
88
-------�
As discussed above, a leak in the wall that divides process materials
from heat transfer fluids will sometimes result in an accidental release.
This is particularly a problem because these surfaces have fluid on each side
and are therefore difficult to inspect for signs of erosion, corrosion, or
defect.
Since not every form of mechanical failure can be prevented, insufficient
design preparation to minimize the impact of mechanical failure can also be
listed as a factor contributing to loss of temperature measurement and con-
trol.
Operating Considerations—
A temperature control system will only be as accurate as the standard to
which the measuring devices are calibrated; therefore, improper calibration or
maintenance of the system can contribute to failure in the control system.
A lack of chemical and thermodynamic data will contribute to the poten-
tial for a loss of temperature control. To design a proper control system,
plant engineers should have a sufficient understanding of the consequences of
temperature excursions. Operators should have training sufficient to respond
to deviations in normal operating conditions. Often plant personnel do not
know what side reactions could occur at various temperatures and do not have
enough information to quantify the temperature dependence of all the reaction
rates. This detailed information is often lost with the transfer of
information between research and development, or it was never obtained in the
rush to commercialize a new process. A total understanding of a complex
chemical process may not be possible, but a lack of chemical and thermodynamic
data will always leave plant management in the position of viewing temperature
control as a mystery.
89
-------�
2.5.2 Technology of Temperature Control
The first line of prevention of an accidental release as a result of a
loss of temperature control is the temperature measurement and control system.
Process modifications must consider the capacity and reliability of these
systems. The second line of prevention is a temperature trip system designed
to regain control of the process once temperature control has been lost. The
ability to design a system that will adequately control temperature will
depend on the chemical and thennodynamic data available; adequate data will
potentially lead to better design.
Measurement and Control—
Temperature measurement relies on both sensing and final measurement
devices. Control relies on the corrective actions that a system takes in
response to changes in temperature. A variety of temperature sensors and
measuring devices are available. Each variety has some unique feature in the
mechanism it uses to sense and measure temperature. Temperature measuring
devices organize the output of the temperature sensing device and/or convert
the output to a meaningful temperature readout.
Several commonly used temperature sensing devices are discussed below.
Additional discussions on a wide variety of temperature sensing devices may be
found in numerous sources (e.g., Reference 39). Common varieties of tempera-
ture sensing devices used in the process industries include: thermal expansion
devices, thermocouples, thermistors, resistance thermometers, and a variety of
solid state sensors.
One group of temperature sensing devices rely on thermal expansion of
materials, usually metals. The thermal expansion of these devices is often
linear with temperature, making an additional temperature measuring device
unnecessary. Additionally, the output from these devices is visual and they
are generally not used for remote sensing. Bimetallic thermometers, filled
thermal elements, and glass stem thermometers are types of temperature sensing
90
-------�
devices that rely on thermal expansion to measure temperature. These devices
are common in older plants or in situations where a rugged local backup to an
electronic temperature sensing device is desirable.
A thermocouple is a simple temperature device composed of two homogeneous
wires of dissimilar metallic composition joined at one end to form a measuring
junction and at the other end to a measuring device. The measuring device
provides an internal connection between the two wires so that they form a
closed path through which current may flow. When heat is applied to the
junction of the two dissimilar metals, a small electromotive force (emf) is
generated and current flows through the thermocouple loop. In commercially
available thermocouples the emf is linearly proportional to the temperature at
the measuring junction. Thermocouples are rugged and inexpensive. They are
best suited for applications where moderate accuracy over a wide temperature
range is required and are very common in the chemical process industry.
Thermistors are a form of solid-state sensor that use a ceramic semicon-
ductor which measures the change in the resistance of the semiconductor as
temperature varies. The resistance is nonlinear and must be converted to a
linear temperature scale by a temperature measuring device. Thermistors are
usually best-suited for applications where accuracy and rapid response are
required over a narrow temperature range; they tend not to be as well-suited
for measuring temperatures over a wide range.
A resistance thermometer is a device that uses the change in resistance
and temperature of a conductor to measure temperature. These devices have
conductors made of platinum, nickel, or a nickel/iron mix. They are accurate
and are available over a fairly wide temperature range. They are physically
compact and are well-suited for use in microprocessor-based products.
A variety of solid state sensors are available that measure temperature
induced changes in resistance, frequency, current, or voltage. Optical
91
-------�
sensors are available for measuring the temperature of a flame from a dis-
tance.
The devices mentioned above have certain applications to which they are
well-suited. It is best to consult with the vendors of each of these devices
to determine the particular applicability of a specific sensor. The key to
making an appropriate selection is to understand what process conditions may
contribute to a'n accidental release and what sensor would be best suited to
measure those conditions. Some processes must operate in a very narrow
temperature range and therefore require a sensor with high sensitivity and
accuracy over a narrow range. A process may require a narrow operating range
for producing the desired product but will be hazardous only if it operates
well above or below that range. In such a case it may be appropriate to
install two sensors; one with a narrow range for controlling normal operations
and one with a wide range for monitoring upset conditions. For some processes
a loss of temperature control will develop slowly. In such situations re-
sponse time may not be as important as accuracy. For other processes a loss
of temperature control will develop rapidly, and in these situations a rapid
response time may be more important than accuracy.
Temperature Trip and Emergency Cooling Systems—
A temperature trip system is essentially the same as a pressure trip
system. This type of control system monitors temperature and is activated
when temperature has exceeded a specified limit or a specified rate of in-
crease. When activated, the system responds in an attempt to shut the process
down by eliminating the source of heat and often by providing a source of
cooling. Usually the goal is to prevent an overpressure. Any decision about
whether temperature or pressure measurement should be used as the basis for
the trip system should be based on which would provide the most immediate and
accurate indication of an impending system failure. Once activated, a trip
system will usually disrupt the process, forcing at least a partial, temporary
shutdown. The system should be designed to trip only when necessary. An
92
-------�
intimate understanding of the chemistry and thermodynamics of the process is
essential for proper design of this type of system.
A trip system may be designed to shut off the supply of heat or it may be
designed to supply an emergency supply of cooling. Emergency cooling may be
accomplished by a number of methods. External cooling may be supplied by
flooding a heat exchanger or vessel jacket with cooling water. Internal cool-
ing may be supplied by adding chilled solvent to the reaction melt. The sol-
vent would not only cool the reaction but the extra dilution could slow the
reaction rate. A somewhat drastic measure would be to intentionally poison
the reaction by adding a material that is known to effectively stop its
progress. The more drastic measure of automatically dumping the contents of a
reactor into a diked, open area or into a supplementary containment vessel has
been applied in some cases; however, dumping into an open diked area may not
be appropriate where toxic or flammable materials are involved.
If a temperature trip system is designed to replace a pressure relief
device, then the reliability of the trip system must be ten times that of the
pressure relief device for the same application. Calculation of this reli-
ability should be based on the calculated fractional dead time (the proportion
of the time for which a system will be in the failed state). This method
considers both the fault-rate for the individual components and the frequency
of proof testing. If a temperature trip system is designed to supplement an
emergency relief device, then the designed reliability must be based on the
consequences of a loss of temperature control. In a situation where the
overpressure may be so rapid as to constitute an explosion, or where a loss of
temperature control is likely to lead to an accidental release, it is probably
appropriate to design the system to have a reliability again equal to ten
times that of the emergency relief device.
Jacketed Vessels and Heat Exchangers—
Temperature control is usually achieved via a heat transfer fluid circu-
lating through a vessel jacket or a heat exchanger. Such equipment requires
some special considerations if temperature control is to be maintained.
93
-------�
All vessel jackets and heat exchangers must have adequate pressure re-
lief. Most heat exchangers and vessel jackets are designed with valves on the
inlet and outlet lines. An overpressure could occur if a warm material is
added to a vessel whose jacket is closed at the inlet and outlet. The warm
material would heat the contents of the jacket and result in a buildup of
pressure. A similar event could occur with a heat exchanger if either the
shell or the tubes were valved off and warm material were circulated through
the other side of the exchanger. All vessel jackets and heat exchangers must
be inspected regularly to prevent a leak between the heat transfer fluid and
the reaction mixture.
General design principles for jacketed systems are found in many sources.
ASME has design codes for jacketed equipment and heat exchangers. As men-
tioned above, it is important that all jacketed vessels be supplied with
adequate pressure relief. Additional general design information is discussed
in Section A of this document.
Obtaining Chemical and Thermodynamic Data—
As mentioned above, the more chemical and thermodynamic data available,
the safer the design of the temperature control system. Where hazardous
materials are involved, a safe system must be based on as much data as possi-
ble.
Most plants cannot generate chemical reaction rate and thermodynamic
data. This type of information and data on potential side reactions must
usually be obtained from a research and development laboratory. However, a
number of methods are available for estimating the chemical hazards of a
system without extensive laboratory work.
Thermodynamic calculations or computer programs used to estimate thermo-
dynamic data may be used to calculate the potential energy available in a
94
-------�
given molecule or system. This information can be combined with correlations
to evaluate potential hazards.
A number of empirical tests using reaction mixtures provide data that
will assist in the design of a safe temperature control system (these tests
also give information that can help in the design of all of the reaction
related control systems). Differential scanning calorimetry, accelerating
rate calorimetry, differential thermal analysis, heat flow calorimetry, and a
test method developed by DIERS will all provide information useful in the
design of a temperature control system.
2.5.3 Control Effectiveness
Measurement and Control—
Table 2-15 lists a variety of temperature-sensing and measurement devices
and certain performance information. In addition to a temperature range, each
device will have a variety of other performance limitations, including items
such as acceptable sensitivity, reproducibility, materials of construction,
and reliability. Care must be taken when selecting an appropriate temperature
sensing device. Substituting an existing temperature measuring device with a
device more suited for the particular application may increase the system's
reliability and hence decrease the potential for an accidental release.
One author has summarized a number of considerations that apply to
thermocouple application (AO). Thermocouples come in at least two grades
related to error specifications of the American National Standards Institute
(ANSI) and the Instrument Society of America (ISA). Thermocouples may change
calibration over time depending on the temperature and operating environment.
Often overlooked is that the accuracy with which a thermocouple measures the
temperature of a process fluid depends on its size, shape and location. For
95
-------�
TABLE 2-15. TEMPERATURE SENSOR SELECTION GUIDE FOR NON-SEVERE SERVICE
UNDER 932°F
Sensor Type
Point
Readings
Average
Readings
Filled Element
Thermistor
Thermocouple
Resistance Bulb
Fair to good
Fair to excellent for
some applications
Fair to good
Fair to excellent
Fair
Fair to excellent for
some applications
Fair for some applications
Fair to excellent
Source: Adapted from Reference 19.
example, a thermocouple that is too small for an application or improperly
located may measure a local rather than a bulk temperature. This is espec-
ially relevant in certain equipment where poor mixing or bypassing might
occur. Leads that are too long can lead to inaccuracies, as can electrical
interference. The main point is that temperature control effectiveness
depends on accurate sensor information, which depends in turn on proper appli-
cation and installation.
There may be no external indication that a temperature sensing device is
giving an incorrect reading. Some devices, such as thermocouples, require
periodic calibration. The readout from some temperature-sensing devices, such
as thermistors, may drift as the device ages. Mechanical devices may stick at
some incorrect temperature. In situations where an incorrect temperature
reading would significantly contribute to the potential for an accidental
release it may be advisable to use two different varieties of temperature
sensing equipment.
96
-------�
Programming the software for a typical temperature control system is
often based more on empirical data than on a theoretical understanding of the
process. This is because of the complexity involved in a system where a heat
transfer fluid (which itself must be heated) is used to heat the wall of a
process vessel which then heats a reaction melt where a heat producing or
absorbing reaction is occurring. An empirical approach is adequate for
handling normal operating conditions but may be inadequate for handling the
abnormal event. Where hazardous materials are involved, it is therefore
important to obtain as much chemical and thermodynamic data as possible and to
prepare for the unexpected with temperature or pressure trip systems and
adequate pressure relief.
Temperature Trip and Emergency Cooling Systems—
A temperature trip and emergency cooling system may be necessary where a
toxic material is involved and where there are fairly well-defined temperature
boundaries beyond which the system will be out of control. If no such
temperature boundaries exist, or if the boundaries are not well defined, it
may be preferable to operate the system with a pressure—activated trip system.
Careful consideration must be given to the consequences of an emergency
cooling system. By its nature, an emergency cooling system will tend to
temporarily shut down a portion of the process. The possibility of liquid
reaction melts freezing, vapors condensing, or upstream materials accumulating
must be considered to be certain that the emergency cooling system does not
introduce new hazards. In addition, the thermal stress could have a drastic
temperature change as a result of emergency cooling on the construction
materials must be considered. A design evaluation such as a HAZOP study will
help determine the safety of an emergency cooling system.
Jacketed Vessels and Heat Exchangers—
Some of the potential limitations of jacketed equipment and heat ex-
changers have been discussed above. There are some additional considerations
97
-------�
specific to vessel jackets. One additional hazard is the possibility that a
loss of temperature control would result from a jacket relief valve that
relieves and does not reseat properly. Enough heat transfer fluid could
escape to prevent adequate temperature control of the vessel. Another concern
is that there be adequate flow and mixing of the jacket fluid to avoid
temperature stratification. The location of entry and exit nozzles on the
jacket may influence this. In spite of these limitations, controlling
temperature via jacketed vessels and heat exchangers is usually preferable
because of the ability to provide controlled, uniform heating.
Obtaining Chemical and Thermodynamic Data—
The test methods mentioned previously for use in designing a temperature
control system will provide information about what temperature ranges are
inappropriate for the system of interest. They will also give an idea about
the magnitude of the disturbance that may result if these temperatures are
exceeded. Interpretation of the test results must be made by a person with
experience in the area because the test results are qualitative as well as
quantitative and no guarantee exists that what happens in the test will happen
in the plant. Tests, however, are better than no information at all.
Reliability of Temperature Control Components—
The reliability of temperature control depends on the reliability of the
individual components that comprise the temperature control system. The
reliability of a full multicomponent control system also depends on the
architecture of the specific system. Table 2-16 presents reliability data for
some individual components. Another factor affecting the reliability of
temperature control, which is not as significant in the control of other
variables discussed, is the relatively long response time of physical systems
and of temperature devices to temperature changes. For critical applications,
high reliability requires that delays in detecting and acting on changes in
temperature under emergency conditions have been properly accounted for.
98
-------�
TABLE 2-16. TYPICAL FAILURE RATES OF TEMPERATURE CONTROL COMPONENTS
Component
Failure Rate
(Failures/Year)
Sensor With Thermowell
Thermocouple (TC)
Resistance Temperature Detector (RTD)
Temperature Transducer
Temperature Controller
Control Valve
Control Loop
Cooling Water Capacity
Refrigerated Brine Capacity
0.52
0.41
0.88
0.29-0.38
0.25-0.60
1.73
System reliability depends on
specific design and reliability of
individual components.
System reliability depends on
specific design and reliability of
individual components.
Source: Adapted from References 2, 8. 19, and 37.
99
-------�
2.5.A Summary of Control Technologies
Table 2-17 summarizes major hazards or hazard categories associated with
temperature, and the corresponding control technology for both new and
existing facilities. Based on the preceding discussions of this section,
numerous individual control technologies or procedural changes can be inferred
for each category.
2.5.5 Costs
The costs of components for, temperature measurement and control process
modifications are presented in Table 2-18. These component types and costs
are based on a typical installation. The costs presented provide an
order-of-magnitude basis for evaluating the economic impacts of process
modifications involving temperture measurement and temperature measurement and
control systems.
2.5.6 Case Examples (42)
The explosion of a batch chlorinator caused the deaths of eight employees
and extensive damage. The reaction temperature, which was controlled
automatically by manipulating the chlorine flow, fell sharply when the
thermocouple failed. Personnel stopped the agitator and shut off the brine
cooling while the instrument was repaired, but delay in stopping the chlorine
flow led to a high temperature and decomposition reactions. The explosion
blew the reactor cover through the roof, drove the reactor into the floor, and
ruptured chlorine and ammonia lines. The released flammable gases burned and
caused the eight casualties.
In another example of loss of temperature control, localized overheating
caused the failure of a refinery reactor operating at 17,225 kPa (2500 psi),
which released a large cloud of about 250,000 Ib of >C hydrocarbons and H
that ignited and caused widespread explosions and fires. Four people were
100
-------�
TABLE 2-17. MAJOR HAZARD AND CONTROL TECHNOLOGY SUMMARIES
Process
Variable
Hazard
New Facility
Existing Facility
Temperature
• Runaway
reaction
• Thermal
expansion
Property
changes
• Reactant feed
control system
• Emergency trip to
shut down reactant
feeds
• Emergency cooling
systems
• Emergency dump
systems
Design to avoid
blocked—in liquid-
full piping and
equipment
Emergency trip to
shut down heating
systems
Emergency cooling
systems
Insulation for
protection from
external sources of
heat
Temperature control
system design
Temperature control
system design
• Change reactant feed
control systen
• Add emergency trip
to shut down
reactant feeds
• Add emergency
cooling system
• Add emergency dump
system
• Change process
chemistry
• Change design to
avoid blocked-in
liquid-full piping
and equipment.
• Add emergency trip
to shut down heating
systems
• Add emergency
cooling capacity
• Insulate to protect
from external
sources of heat
Change temperature
control system
design
Change process
chemistry
(Continued)
101
-------�
TABLE 2-17 (Continued)
Process
Variable
Hazard
New Facility
Existing Facility
• Equipment
or material
failure due
to excess
or defi-
cient temp-
eratures
• Temperature control
system design
• Equipment selection
• Materials of
construction
• emergency heating
system
• Emergency cooling
system
• Change temperature
control system
• Change process
chemistry
• Change equipment
type
• Change materials of
construction
• Add emergency
heating system
• Add emergency
cooling system
• Change process
chemistry
102
-------�
TABLE 2-18. COSTS OF COMPONENTS ASSOCIATED WITH PROCESS MODIFICATIONS FOR
TEMPERATURE MEASUREMENT AND CONTROL SYSTEMS
Basis: 4 inch diameter piping
Temperature range 0-250 degree F,
Capital Cost
Range ($)
Annual Cost
Range ($/yr)
(1986 Dollars)
References
o
03
Sensor/with Thermowell
Thermocouple
Resistance Temperature Detector (RTD)
Thermistor
Integrated Circuit (I.C) Sensor
Transmitter and Indicator
Temperature switch
Controllers
Simple, single loop. PID
Simple, interactive. PID
Programmable.PID
Control Valve
Control Loop
Conventional
Via process control computer
Additional Cooling Water Capacity
(10 degree approach. 30 degree range)
Refrigerated Brine Capacity _
(20 degree F evaporator)
200 - 300
990 - 1.680
160 - 710
800 - 1.600
1.600 - 3.000
2.000 - 6.000
3.000 - 6.000
6.000 - 12.000
3.000 - 15.000
30 - 75
per gpm
of capacity
30 - 45
69 - 138
138 - 260
173 - 519
450 - 900
910 - 1.800
260 - 1.298
4.55 - 11.36
per gpm
of capacity
3.000 - 8.000 450 - 1.200
per ton of per ton of
capacity capacity
40
150 - 250 40
24 - 108 40
26.27.28.33
4.20.23.25
Composite
20
20
-------�
injured and property loss was great. Overpressures were highly directional.
2.6 QUANTITY CONTROL
The two primary objectives of quantity measurement and control are to
achieve proper process material ratios and the proper level and/or weight of
materials in process or storage vessels. Failure to perform either of these
functions .could result in the overfilling or overpressuring of process
equipment, which could lead to an accidental release.
2.6.1 Quantity Measurement and Control Hazards
Hazards associated with a failure of the two functions stated above are
discussed below.
Process Material Ratios—
Failure to maintain process material ratios can have both chemical and
physical consequences. For most chemical reaction systems, there are two
types of reactants: limiting reactants and non-limiting reactants. Often the
controlled flowrate of the non-limiting feed stream will be ratioed to the
flowrate of the limiting feedstream. In this situation, one feed stream
controls the flowrates of all other feed streams, and a failure to measure or
control the quantity of this stream may result in losing control of the
quantities of all of the other process streams. Depending on the chemical
reaction involved, such a loss in control could result in an overpressure
caused by excess heat or material generation. For the non-limiting constitu-
ents, deviation from an acceptable quantity range may also lead to overheating
or overpressure.
Level Control—
A failure to monitor and control the level in a process vessel or a
storage tank may result in the overpressure of a closed vessel or in the
overflow of a vented vessel.
104
-------�
Process problems include disturbances that lead to a change in the
chemical or physical properties of a system, resulting in a loss of quantity
measurement and control. Altering the physical properties of a process stream
may affect quantity measurement. For flowing streams, a quantity measuring
device will often be calibrated for a stream of a certain composition; a
change in that composition will often alter the accuracy of a flow meter. For
many types of quantity sensing and measuring equipment, the presence of solids
or foams may alter the accuracy of the system.
Quantity deviations or loss of control may be caused by some other
control malfunction. For example, a system failure such as a loss of temper-
ature control results in an acceleration in the rate of reaction, then the
excess reaction rate may exceed the ability of the quantity control system to
respond in reducing a reactant feed and result in an overpressure. As with
all sensing and control equipment, a number of equipment-related malfunctions
may result in a loss of quantity control. Improper application, poor design,
defective equipment, fatigue failure or corrosion may all result in a failure
to measure and control process quantities. Quantity control is often a flow
control problem; therefore, reliable quantity control depends on reliable flow
control. A quantity control system may act as a backup to a flow control
system to shut down flow when quantities are too high. Flow control conside-
rations and their role in process hazards are discussed in Section 2.3 of this
document.
Since a quantity determination and control system will only be as
accurate as the standard to which the measuring device has been calibrated,
improper calibration or maintenance can result in a failure in the control
system. Some types of quantity determination systems, such as weighing
devices, are sensitive to conditions exceeding their range, to physical abuse,
ambient conditions, and other factors. Good operating practices and operating
105
-------�
personnel who understand the limitations of the device are important to
ensuring reliable service from the equipment.
2.6.2 Technology of Quantity Control
Quantity measurement and control devices can be divided into several
categories according to their function:
o Flow meters, either mass or volume;
o Weighing devices such as load cells; and
o Level measuring devices.
Controlling quantity with weighing devices and level measuring devices is
usually accomplished via a trip system and/or alarm. A trip system will often
be used to stop the feed of material once a certain weight or level of mate-
rial is reached. If a level indicator is used in process equipment such as a
distillation column, then a trip system may be used to alter a heating rate
when a high level in a reboiler is reached. An alarm may be used in conjunc-
tion with a trip, or by itself with the quantity detection devices. Operating
personnel must then decide what response to the alarm is appropriate. This
type of arrangement will work only where the hazard potential associated with
an overfill is low or where no appropriate controlled response to an overfill
can be determined.
Flow Meters—
Probably more varieties of flow measuring devices are available than any
other type of process sensing instrumentation. One author has assembled a
list of well over 50 different flow-meter types (43). Flow measurement and
control are discussed as a separate topic in Section 2.3 of this document.
106
-------�
Weighing Systems—
Weighing devices are usually used in batch operations. Weighing, a
method of measuring and regulating the amounts of materials charged to a
reactor, is preferred in situations where the feed material is difficult to
handle. Solids, slurries, and extremely viscous materials are examples of
materials that may better be quantified by weighing than by measuring flow.
Both mechanical and electrical weighing devices are available. Mechani-
cal weighing systems are more common than electrical and include platform
scales, hopper scales, tank scales and tank truck scales. Mechanical scales
can be extremely accurate and are generally simple to maintain and operate.
Electrical weighing devices are often referred to as load cells. These
devices have the advantage of being small and easy to install. Load cells
give quick response, are not subject to the same type of wear as a mechanical
scale, and provide a signal for a readout at a remote location.
It is important to design a weighing system so that the damaging effect
of various environmental factors will be minimized. Methods for isolating the
weighing device from vibration by strengthening support foundations or by
providing vibration absorption should be considered. The design must also
ensure that the system is unaffected by connecting pipe stresses. In some
instances it may be necessary to add temperature compensation. Weighing
devices should be housed to ensure adequate drainage and protection from
moisture or chemical contamination.
Regular inspection and maintenance of weighing devices is essential.
Mechanical devices in particular must be readjusted and serviced frequently to
ensure accurate results.
Depending on the consequences of inaccurate weighing, a backup to the
weighing system may be desirable. A level measuring device may be a suitable
backup for a weighing device.
107
-------�
Level Measurement—
Level measuring devices have a number of different uses. A level
measuring device may be designed to sound an alarm or activate a switch only
if the level passes above or below some fixed point, or it may be used to give
a continuous level readout accurate enough to precisely track inventories.
Devices may be designed to give a local indication of process vessel levels or
to send a signal to a flow controller. Thus, level detection may be used
either as a backup for other control systems or as a primary control device.
Some devices must actually contact the liquid to sense level while some can
measure level without contacting the liquid. Some detectors function mecha-
nically and some function electronically.
Probably the most common variety of level measuring device is the flat
glass gauge. This device is composed of a shielded external loop, portions of
which are made of glass. The liquid level is then observed in the glass
portions of the loop. Some of these devices can send a signal to another
location. Their advantage is that they provide a visual means of measuring
the level in a vessel. They are often used as a backup for a more sophisti-
cated variety of level measuring device. Other mechanical level detection
devices, such as floats and displacers, are also available.
A common variety of level measuring device is the differential pressure
level detector, which measures level by detecting the pressure difference
between two different points in a tank. Electronic devices such as
capacitance, ultrasonic, optical, and radiation level detectors are also
available.
Generally, level devices must be inserted into process vessels and
involve additional piping or fittings. Since fittings are a potential weak
point for a process vessel, they must be designed to withstand the same
conditions that the vessel is designed to withstand. Some applicability
criteria for selected level detector devices are shown in Table 2-19.
108
-------�
TABLE 2-19. LIQUID LEVEL DETECTOR SELECTION GUIDE
Trananitter
Level Detector Type
Float
Level Gauge
Capacitance Probe
Conductivity Probe
Diaphragm
Differential Pressure
Displacement
Radiation
Ultrasonic
Tape
Local
Indicator
Fair
Fair-Good
Poor-Fair
N/A
Poor-Fair
Fair-Good
Fair-Good
Good
Fair-Good
Good-Excellent
Clean
Fluid
Poor-Fair
N/A
Fair
N/A
Poor
Good
Excellent
Good
Fair
Good
Difficult
Fluid
Poor
N/A
Poor-Fair
N/A
Poor
Fair
Poor-Fair
Excellent
Good
Poor-Fair
Switch
Clean
Fluid
Good
N/A
Good
Fair
Fair
Good
Excellent
Good
Good
Good
Foaming
Fluid
N/A
N/A
Poor-Fair
Poor
N/A
N/A
N/A
N/A
Poor-Fair
N/A
Source: Adapted fron Reference 19.
109
-------�
2.6.3 Control Effectiveness
The effectiveness of various approaches to maintaining quantity control
is evaluated in terms of performance, limitations, and reliability.
Flow Measurement and Control—
The effectiveness and secondary hazards associated with flow measurement
and control are discussed in Section 2.3.
Weighing Systems—
When functioning properly, weighing devices are an effective means of
monitoring the quantity of material added to a process vessel; however, all
weighing devices are sensitive to a variety of environmental factors that may
impair their performance.
Vibration and other related mechanical disturbances (such as impact
damage when a load is dumped onto a weighing device) can seriously affect
performance. Accuracy, stability, and repeatability can all be affected by
mechanical disturbances.
Temperature will affect the accuracy of most weighing devices. Most
mechanical scales have built-in temperature compensation; however, most
mechanical devices will not weigh accurately if subjected to a rapid tempera-
ture change. Electrical devices are also sensitive to temperature changes.
Sometimes temperature compensation will be built into an electrical device,
and sometimes it will be necessary to add temperature compensation. If
several load cells are used to weigh the contents of a reactor, any nonuni-
formity in the temperatures of the load cells is likely to result in a weigh-
ing error.
Additional environmental factors, such as moisture and chemical conta-
mination, can damage a weighing device.
110
-------�
Level Measurement—
Level measurement is sometimes used directly to control the flowrates of
streams into and out of a process vessel. In some situations this may be a
simpler method for controlling flows than direct flowrate measurement and
control. In most process situations, however, vessel feed streams are not
controlled by level detection, since the failure of a level detector to
control feed flowrates could easily result in an overfill, an overpressure
and, potentially, in an accidental release. Level detection devices are
well-suited to be a backup to flow control by activating high or low level
trip systems or alarms. Where level detection is used as the primary control
device for process flows (this is often the case for filling and emptying
storage tanks and sometimes for charging to batch reactors), then two diffe-
rent types of level detection devices should be used in series.
The operation of some varieties of level detection equipment makes them
fairly product specific.. These types of devices should be avoided where
stream compositions may vary. Many level detection devices cannot accurately
measure the level of foamy solutions.
Installation requirements for level detection equipment will influence
the suitability of a particular device for hazardous chemical service. Flat
glass gauges that stick out from the vessel must be protected from being
sheared off during a collision. Flat glass gauges are also often the first
point of failure during the overpressure of a pressure vessel. Some devices
require two points of entry into a vessel, one of which is low in the tank and
below normal liquid levels. This increases the possibility of leaks. Some
require that a probe be inserted below the liquid level. Care must be taken
to ensure that the construction materials of such a probe are compatible with
the process conditions. Additionally, care must be taken to ensure that the
additional obstruction of a probe is acceptable. Some probes can operate from
the top of a vessel without contacting the liquid. These may be preferred in
many instances; however, constructions materials are still important in
111
-------�
devices that operate above the liquid level. The vapor phase in a process
vessel is often more corrosive than the liquid phase.
Reliability of Quantity Control Components—
The reliability of quantity control depends on the reliability of the
individual components that comprise the quantity control system. The reli-
ability of a full multicomponent control system also depends on the architec-
ture of the specific system. Table 2-20 presents reliability data for some
individual components expressed as typical failure rates.
2.6.4 Summary of Control Technologies
Table 2-21 summarizes major hazards or hazard categories associated with
quantity control, and the corresponding control technology or procedural cate-
gories for both new and existing facilities. Numerous individual control
technologies or procedural changes can be inferred for each category.
2.6.5 Costs
The costs of components found in quantity measurement and control systems
are presented in Table 2-22. These component types and costs are based on a
typical installation. Since there are other types of systems, and many
variations of systems within a given type, these costs only provide an
order-of-magnitude basis for evaluating the economic effects of quantity
measurement and control system process modifications.
2.6.6 Case Examples (42)
In one example of a loss of quantity control, overfilling of a salt dome
storage well created a cloud of butane 1.25 mi. in diameter. Two explosions
occurred, one 800-1000 ft. above grade. Twenty four people were injured.
112
-------�
TABLE 2-20. TYPICAL FAILURE RATES OF QUANTITY CONTROL COMPONENTS
Failure Rate
Component (Failures/year)
Load Cell Weigh System 3.75
Level Detection System
Differential Pressure Transducer 1.71
Float System 1.64
Capacitance System 0.22
Electrical Conductivity Probes 2.36
Flow Totalizer ca. 1.0
Source: Adapted from Reference 2, 8, 19. and 37.
113
-------�
TABLE 2-21. MAJOR QUANTITY RELATED HAZARDS AND CONTROL TECHNOLOGY SUMMARIES
Process
Variable Hazard New Facility Existing Facility
Quantity • Incorrect reactant • Flow control design • Change flow control
ratio, catalyst system
level, or inerts • Equipment selection
concentration • Change type of
• Level sensing and equipment
• Incorrect level alarms
leading to • Change or add level
overfilling or • Weight sensing and sensing and alarms
underfilling alarms
• Change or add
• Incorrect volume or • Emergency trip weight sensing and
mass of material system to shut down alarms
leading to flow
overfilling or • Change or
underfilling add emergency trip
system to shut down
flow
-------�
TABLE 2-22. COSTS OF COMPONENTS RELATED TO PROCESS MODIFICATIONS FOR QUANTITY
MEASUREMENT AND CONTROL SYSTEMS (EXCLUDING FLOW RATE MEASUREMENT.
SEE SECTION 2.3)
Basis: Load cell weigh system: 10,000 gallon batch reactor.
Level system: 10,000 gallon vessel.
Flow totalizer: 33 gpm and 667 gpm.
Capital Cost Annual Cost
Component Range ($) Range ($/yr) References
(1986 dollars)
Load cell weigh system 13,800 2,100 41
Level detection system -
Sight gage 1,100 77 41
Float system 1,400 210 41
Capacitance system 2,400 365 41
Ultrasonic system 2.600 1,150 41
Nuclear system 14,900 2,260 41
Flow totalizer
33 gpm N/A N/A
667 gpm N/A N/A
115
-------�
Another accident occurred in an ethylene producing plant in Holland,
where failure of a level controller on a column caused cold liquid to pass out
of the relief valve and into a carbon steel flare header, which cracked. The
released cloud of 12,000 Ib. of propylene ignited at a furnace 150 ft. away.
Fourteen were killed, 104 injured and property damage was valued at almost A3
million dollars.
2.7 MIXING
Many processes can safely operate under a wide range of mixing rates. If
there is an upper limit for a safe mixing rate, then it is likely to be set by
foaming problems or some similar characteristic. Some processes must operate
in a very specific mixing regime. Formulating processes often fall into this
category. Usually there is a minimum mixing requirement below which reactants
are not properly contacted or heat transfer is not sufficient and uniform.
There are three basic types of mixing systems:
• Direct mechanical mixing;
• Induced flow mixing; and
• Static mixing.
Direct mechanical mixing refers to mixing by blade agitators such as
turbines or propellers. Induced flow mixing is accomplished with pumps or
other devices, especially where a recirculating liquid stream back to a vessel
is involved. Induced flow mixing can also involve ejectors and eductors.
Static mixing involves using pipeline mixers that contain stationary mixing
hardware elements inserted in the piping.
116
-------�
2.7.1 Mixing System Hazards
One group of authors has defined three basic categories of mixing
problems (44).
• Loss of agitation;
• Insufficient mixing; and
• Excess energy input from mechanical friction.
A loss of agitation is usually the primary hazard in mixing systems.
Hazards associated with a loss of mixing include:
• Incomplete reactions or formation of unwanted by-products;
• Reactant accumulation in poorly mixed zones; and
• Poor heat transfer with overall overheating or overcooling
of a reaction or localized hot or cold spots.
The hazards of incomplete reactions or the formation of unwanted
by-products is related to the chemical and physical properties of the
unreacted materials or by-products. When there is insufficient mixing to
contact reactants, a potentially dangerous excess of unreacted material can
accumulate in the reaction vessel. With highly reactive materials, or in
exothermic reactions, such a mixture could react at an uncontrolled rate if
agitation began or if additional heat were added to the system. Even without
this hazard, the unintended excess of a toxic reactant in downstream
processing might cause problems. Failure to react & gaseous material because
of insufficient agitation might lead directly to overpressure. Unwanted
byproducts could include gaseous species leading to excess pressures, or
corrosive materials that could damage equipment.
117
-------�
A loss of mixing control can cause poor heat transfer that results in
localized hot and cold spots. Runaway reaction and/or overheating and
overpressure could result. Decomposition reactions might also occur with heat
sensitive materials. Hazards from overcooling include freezeups, solids
deposition, and heat transfer surface fouling, with all their attendant
process upsets, such as plugged lines, and accumulation of unreacted material.
An accidental release could occur if adequate protection were not available to
handle such an event. The hazards associated with a loss of temperature or
pressure control are discussed in Subsections 2.3 and 2.4 of this manual.
A potential hazard associated with too much mixing is overheating as a
resulting from the energy generated by mechanical friction. A well-insulated
vessel left agitated for long periods of time may experience a temperature
rise from mixing friction. Such a temperature rise could begin the chain of
events that leads to an accidental release. For example, the additional heat
input could start a decomposition reaction which could lead to gas evolution
and overpressure.
A hazard associated with mixing is the generation of a static charge
between the process stream and the process vessel. This is a particular
problem where process vessels and piping are coated with glass or plastic
materials that act as electrical insulators. Static charge can arc and result
in fire and explosion if a flammable atmosphere is present.
Any event that leads to a dramatic change in the physical characteristics
of the process materials being mixed may result in a decrease or loss of
mixing. For example, a loss of heating resulting in frozen process materials
would result in a loss of agitation. An increase in liquid viscosity could be
caused by a decrease in temperature or by other unexpected conditions (e.g.,
improper reactant ratios). The viscosity of some liquids can increase with
increased temperature, which is particularly hazardous if the increase in
temperature leads to an increase in reaction rate and impaired mixing.
The hazard potential associated with freezing or viscosity changes is
most severe where high speed, high shear mixing is involved.
118
-------�
Probably the most frequent cause of a loss of mixing control is some type
of mechanical failure, which includes:
• Electric motor failure (either power outage or mechanical
failure);
!
• Shaft seizure or breakage in the mixing equipment; and
• Breakage or detachment of a mixing impeller.
A variety of mechanical agitation devices are available. The possible
failure modes of these devices depends on the specific type of equipment
involved. Most systems involve rotating equipment subject to common failures
such as bearing failure, shear pin failure, belt slippage or breakage, elec-
trical malfunction, and others. Corrosion or wear may also cause a failure in
the portion of the agitator system that actually contacts the process fluid.
Agitators tend to experience more severe erosion and corrosion than do process
vessels. Induced flow agitation systems may be subject to more potential
failure modes than a mechanical agitation system. An induced flow system may
fail because of a pump failure, valve failure, or piping failure.
Static mixers do not have rotating or moving components and are therefore
not directly subject to all of the failure modes associated with mechanical
agitators; however, a static mixer requires sufficient flow to induce adequate
mixing. Therefore, a reduced flow through the static mixer may result in
insufficient mixing. As with mechanical mixing systems, the static mixer is
subject to corrosion or erosion from the process fluid.
Where mechanical agitation is involved in a batch process, it is possible
for operators to forget to begin agitation at the proper time. Beginning
agitation after materials have been charged may result in a runaway reaction,
overpressure, and in an accidental release.
119
-------�
2.7.2 Technology of Mixing Control
Before an adequate mixing system can be designed it is important to
determine what the effect of various mixing rates, including no mixing, may
have on the process. One author has suggested that the effect of mixing on a
chemical reaction system may be assessed using a heat flow calorimeter, which
is capable of measuring instantaneous heat generation rates, heats of reac-
tion, reactant heat accumulation, specific heats, and heat transfer data under
simulated industrial process conditions (44).
Once the effect of mixing on a chemical process is understood, the
effects of a mixing failure can be evaluated. It is then possible to design a
system that minimizes the adverse effects of such a failure. If a mixing
failure is potentially hazardous, it may be appropriate to provide an agita-
tion detection system that is tied into flow and/or temperature control
systems so that protective measures may be taken if agitation stops. An
example would be to stop or reduce the flows of reactor feeds when agitation
ceases. An agitation detection system does not necessarily have to directly
measure agitation; it may be more appropriate to place a temperature probe or
flow meter at a location that would be sensitive to changes occurring as a
result of a loss of agitation. Where mechanical agitation is involved it is
possible to monitor the mechanical equipment as an indicator of agitation.
As discussed above, in some situations it will be hazardous for an
operator to begin a reaction addition sequence without agitation. For these
situations it may be appropriate to provide an interlock that prevents the
addition of a reactant when agitation is not present.
Proper maintenance of a mixing system is important. Mechanical agitators
are used for batch or semibatch reactors of moderate size. They are appro-
priate when thorough and continuous mixing of the bulk liquid is required. An
induced flow system may be used in conjunction with or independent of mecha-
nical agitation. When applied by itself, an induced flow system is used when
120
-------�
less agitation is required. A storage tank is often mixed using an induced
flow mixing system. An induced flow system is also used when it is desirable
to inject a reactant into a flowing stream before it is blended with the bulk
solution. With this type of system there will be high shear and good mixing
at the point of injection without going to the expense of more thorough
agitation of the entire bulk solution. For all but small vessels, an induced
flow system would be less expensive than a mechanical agitation system. An
in-line static mixer is used in continuous processes where short duration
mixing is satisfactory.
2.7.3 Control Effectiveness
People with experience in the area must determine the potential hazards
associated with a loss of mixing control. The data obtained from a device
such as a heat flow calorimeter may not be scaled up for a full-size process
without interpretation or pilot plant experimentation.
When selecting an indirect method for agitation detection, it is
important to evaluate whether the device selected will reliably detect a
problem with agitation for all potential failure modes.
Mechanical agitation is generally very effective in providing good bulk
mixing. Because mechanical agitation involves a large rotating piece of
equipment, it is possible that a severe failure in the agitator will result in
additional equipment damage. Agitators may become off balance, a situation
that tends to become more severe as the device continues to rotate, and may
destroy other portions of the system. If jammed, an agitator may shear and
puncture a vessel. Most agitators have shear pins designed to prevent exces-
sive torque on the agitator; however, with a shear pin an agitator system
could stop at an inappropriate time because of excessive liquid viscosity and
premature shear pin failure.
121
-------�
While providing a high rate of local mixing to the material in the
pump-around loop, an induced-flow mixing system will usually provide less
mixing to the bulk liquid than will a mechanical mixing system. This type of
mixing system requires additional piping and therefore creates additional
potential for a piping leak. It is possible to run the mixing loop pump with
a valve closed or with a line plugged and be unaware that no mixing is
occurring.
An in-line mixing device is generally physically smaller and less expen-
sive than an agitator-type mixing system. Such a device is appropriate where
single pass, short duration mixing is acceptable and where heat transfer
performance is satisfactory and where gas or vapor evolution are not of
concern. The extent of mixing for these devices depends on the length of the
mixing section, the design of the internals and the flow rate through the
section. Higher flow rates create a higher shear and better mixing, but they
also require more energy input to overcome pressure drop.
Since mixing involves high shear, a mixing device is often more prone to
corrosion and erosion than are other equipment components of a process system.
The reliability of mixing system depends on the reliability of individual
components that comprise the system. The reliability of a full multicomponent
control system also depends on the specific equipment and detailed design of
the system. Table 2-23 shows reliability data, expressed as typical failure
rates, for some individual components.
2.7.4 Smnmary of Control Technologies
Table 2-24 summarizes, from the point of view of both new and existing
facilities, major hazards or hazard categories associated with mixing control,
and the corresponding control technology. Numerous individual control
technologies or procedural changes can be inferred for each category.
122
-------�
TABLE 2-23. TYPICAL FAILURE RATES OF MIXING SYSTEM COMPONENTS
Failure Rate
Components (Failures/year)
Mechanical Agitator (agitator motor only)
- "Normal" Service 0.088
- "Severe" Service 8.8
Induced Flow Pump System (pump and motor only)
- "Normal" Service 0.26
- "Severe" Service 8.8
a
Static Mixer
Flow Switch 1.12
Pressure Switch 0.34
Tachometer 0.044
ot Available
Source: Adapted from References 8, 19, 37.
123
-------�
TABLE 2-24. MAJOR MIXING-RELATED HAZARDS AND CONTROL TECHNOLOGY SUMMARIES
Process Control Technology or Procedural Category
Variable Hazard New Facility Existing Facility
Mixing • Loss of cooling • Mixing detection • Add mixing
detection
• Reactant • Backup power supply
accumulation « Add backup power
• Materials of supply
• Loss of heating construction
• Change materials of
• Equipment selection construction
• Change type of
mixing system
-------�
2.7.5 Costs
Table 2-25 presents costs for components related to mixing system process
modifications. These component types and costs are based on a typical
installation. Since there are other types of systems and many variations of
systems within a given type, these costs provide an order-of-magnitude basis
for evaluating the economic effects of possible process modifications involv-
ing mixing systems.
2.7.6 Case Example (1)
In one instance of a loss of mixing control, the agitator stopped in a
batch nitration reactor, but the process operator was unaware of this since
instrumentation that would have stopped the acid feed to the reactor and given
an alarm signal of agitator stoppage failed to work. When the agitator
started up again, the reactor exploded.
2.8 COMPOSITION CONTROL
Varying a stream's composition affects its chemical and physical proper-
ties. Stream composition must usually fall within a fairly narrow range if a
process system is to operate within design specifications. Proper design and
operation of composition control systems may be important in preventing
accidental releases.
2.8.1 Hazards Associated With the Loss of Composition Control
As a stream's composition varies from the design specifications, its
chemical and physical properties also vary. The consequences are
process-specific and may range from a lower quality product to an explosion
and massive chemical release.
125
-------�
TABLE 2-25. COSTS OF COMPONENTS ASSOCIATED WITH PROCESS MODIFICATIONS FOR
MIXING SYSTEMS
Basis: Mixing vessel volume: 10,000 gallon
Agitator power: 2 hp/1.000 gallons (20 hp)
Mixing rate: 10,000 gallons/15 minutes (667 gpm)
Static mixer diameter: 50 inches (200 gpm)
Induce flow pump: 667 gpm, 50 psig
Capital Cost Annual Cost
Component Range ($) Range ($/yr) References
(1986 Dollars)
Mechanical agitator (turbine),
single impeller, impeller
speed to 45 rpm) carbon
steel
316 stainless steel
Induced flow pump system
Static mixer
Flow switch
Pressure switch
31,600
50,600
8,300
N/A
530
530
4.800
11.800
1.250
N/A
80
80
20
20
20
N/A
22
38
126
-------�
Physical properties such as vapor pressures and boiling and freezing
temperatures will vary as composition varies. Some possible consequences
include an overpressure caused by increased vapor pressure or a ruptured line
caused by frozen process materials.
The chemical properties of a process stream will vary as the composition
varies. Potential reactions and their corresponding rates will be affected by
variations in the composition that could result in a variety of consequences.
An altered composition could lead to a much more rapid reaction rate than
desired, which could result in an overpressure, which could result in unwanted
side reactions, or in an altered composition that could stop the desired
reaction completely.
Primary composition considerations involve reaction rates. Chemical
reaction rates are usually highly temperature dependent and are sometimes
pressure dependent. For a system where chemical reactions are involved,
anything that affects pressures or temperatures may affect stream
compositions. Additionally, any alternate event (such as catalyst decay) that
alters the nature of the chemical processes involved will affect stream
composition.
Any number of mechanical or electrical malfunctions could alter stream
compositions. A loss of flow control resulting from equipment malfunction may
lead to a loss of composition control. No flow, too much flow or reverse flow
of feed streams will all affect the composition of the process unit into which
they feed. Contamination of the stream via the rupture of a heat exchanger
tube is another example of a mechanical failure resulting in a loss of stream
composition control.
The instruments used to monitor composition are often sensitive, and in
some cases, prone to failure when exposed to adverse conditions. For some
varieties there is a time lag from when the sample is taken until the results
are known. In this situation it will be difficult to determine the actual
127
-------�
composition at any given time if the composition is changing rapidly. The
consequences of this time delay will depend on the nature of the reaction
system involved.
A potential shortcoming of many composition monitors is that they often
have a fairly specific range of materials that they can detect. An ideal
detector would be able to monitor the products and reactant in a given reac-
tion and all of the unwanted by-products and contaminants. Not selecting the
best detector for the given application is another potential cause of loss of
composition control.
Operational considerations also influence composition control. A lack of
proper maintenance and training will contribute to a loss of composition
determination and control. Composition determination systems require regular
maintenance to function properly. Since most systems will monitor only a few
components in the system, an operator must be trained to interpret what may
actually be happening to the entire system.
2.8.2 Technology of Composition Control
A composition analyzer is an excellent device for monitoring the overall
condition of the process, but it is rarely used directly to control a single
variable such as flow because many process variables may affect composition,
and rarely can composition be entirely controlled by one variable. An excep-
tion might be controlling pH by metering an alkaline or acid solution into a
process stream. In most cases, a composition analyzer is usually used to warn
operators when the composition of a process stream has deviated from normal
conditions.
Composition analysis may be achieved by manually taking samples from a
process stream and analyzing them in the laboratory or by installing an
automatic on-line analyzer. An industrial equivalent exists for most common
instruments used in laboratory analysis. Laboratory analysis of a process
128
-------�
sample is usually much slower than on-line analysis, though it may be more
accurate than on-line analysis. Where a process involves hazardous materials,
some type of on-line composition analysis that provides an early warning of
significant deviations may be desirable for critical streams.
Composition analysis equipment may be divided into two broad categories:
devices that analyze for chemical species in stream, and devices that measure
a chemical or physical property of the stream. Devices for measuring the
chemical and physical properties of a stream are typically used where the cost
of individual chemical species determination is excessive, or where the
information obtained from a chemical or physical property measurement is
adequate.
Common instruments used for on-line chemical species analysis include
oxygen and moisture analyzers, chromatographs, ultraviolet analyzers, flame
ionization analyzers, mass spectrometers, and infrared analyzers. Common
chemical and physical properties measured on line include density, molecular
weight, pH, viscosity, and oxidation-reduction potential. Some of these
devices take a continuous reading from an in-line probe, some take continuous
readings from a slip stream, while others automatically withdraw samples
periodically.
The output from composition analyzers varies according to the type and
sophistication of the instrument. Many of the physical and chemical property
probes generate a signal that may be read directly from a scaled meter. These
devices usually require periodic calibration. Most analyzers generate some
type of graphical spectrum. The presence of various chemical species is then
interpreted either by the operator or by the computer software available with
some modern systems.
Two important considerations in the design of a composition analyzer
systems are: 1) the location of the sensing device, and 2) the composition
data required. These considerations might be addressed by a formal evaluation
129
-------�
of the process using a hazard and operability study or some similar method
that would help identify which stream compositions are most important from the
perspective of safety and which stream conpositions best indicate the status
of the process.
Once the location and chemical species to be monitored have been
selected, the analyzer is selected. It may be impossible or prohibitively
expensive to monitor all the species desired. In such cases, the potential
hazard associated with a change in composition and the amount of useful
information that may be obtained from monitoring the composition must be
weighed against the expense.
2.8.3 Control Effectiveness
Composition deviations indicate that something is potentially wrong with
the process and provide information for diagnosing the problem's source.
However, an incorrect result on a composition analyzer may cause a process
problem to be missed and a good reading from a composition analyzer is no
guarantee that everything is in order.
The information obtained from all varieties of composition instrumenta-
tion is limited. There are no perfect analyzers, and it is likely that no
single analyzer is available to monitor every potential species within a given
process stream. Since cost and complexity prevent every process stream from
being monitored, it is important to carefully choose which streams should be
monitored and which type of composition analyzer will give the most meaningful
cost-effective information. As with all instrumentation systems accuracy,
precision, sensitivity, and tolerance to overrange are important
considerations in analyzer selection.
Interpreting the results from a composition analyzer is not necessarily
straightforward. The problem with interpretation is two-fold: 1) the output
from the device may be misread or misunderstood or 2) a correct instrument
130
-------�
reading may be made and a wrong conclusion drawn. Instruments that provide a
graphical trace are most easily misread or misunderstood. In chemical analy-
ses impurities may be obscured by the signal of other species, the chemical
character of a compound may make it invisible to the detector or it may
respond more intensely than other compounds and appear to be present in a much
highar concentration than it actually is. Any number of process deviations
that may result in composition deviations, and correct interpretation of a
composition analysis does not mean that a correct assessment of the state of
the process will be made.
The maintenance requirements of a composition analyzer depend on the
device. The sensing element in most devices must be cleaned and usually
recalibrated regularly.
The reliability of composition control depends on the reliability of the
individual components that comprise the composition control system. The
reliability of a multicomponent system also depends on the architecture of the
specific system. Table 2-26 presents reliability data expressed as typical
failure rates for some individual components.
2.8.4 Summary of Control Technologies
Table 2-27 summarizes, from the point of view of both new and existing
facilities, major hazards or hazard categories associated with composition and
corresponding control technology. Numerous individual control technologies
or procedural changes can be inferred for each category.
2.8.5 Costs
Costs of components related to composition measurement and control system
process modifications are presented in Table 2-28. These component types and
costs are based on typical installations. Since there are other types of
systems, and many variations of systems within a given type, these costs
131
-------�
TABLE 2-26. TYPICAL FAILURE RATES OF COMPOSITION SYSTEM COMPONENTS
Failure Rate
Component (Failures/Year)
Composition Determination Equipment
Density Sensor
- indicator
- transmitter
pH Meter 5.88
Viscosity Sensor
- indicator
—a
- transmitter
Chemical Species Analyzers
Chromatograph 30.6
Infrared Analyzer l.AO
Oxygen Analyzer 2.5-5.65
Moisture Analyzer (gases) 8.0
Conductivity Sensor 14.2-16.7
rtot available
Source: Adapted from References 1, 8, 19, and 37.
132
-------�
TABLE 2-27. MAJOR COMPOSITION-RELATED HAZARDS AND CONTROL TECHNOLOGY SUMMARIES
Process
Variable
Hazard
Control Technology or Procedural Category
New Facility Existing Facility
Composition
• Excess or deficient
reactant
• Excess or deficient
catalyst
• Excess corrodant
Initial design and
selection of
composition
analysis system
• Change type of
composition
analysis
• Add composition
analysis to process
stream
u>
u>
• Excess toxic
material in wrong
stream
-------�
TABLE 2-28. COSTS OF COMPONENTS ASSOCIATED WITH PROCESS MODIFICATIONS
FOR COMPOSITION DETERMINATION AND CONTROL
Capital Cost Annual Cost
Range ($) Range ($/Yr)
(1986 Dollars)
Composition Determination
Equipment
Density Sensor
- indicator
- transmitter
Molecular Weight Sensor
pH Detector
Viscosity Sensor
- indicator
- transmitter
Chemical Species Analyzers
Chromatograph
Infrared Analyzer
Refractometer
Oxygen Analyzer
Moisture Analyzer
Spectrometer
Conductivity Sensor
500-1,500
1.500-5.000
5.000-10.000
A. 000-5. 000
2,000-5.000
5.000-12.000
10,000-40.000
3,000-10,000
4.000-10,000
3,000-8.000
4.000-15.000
10,000-40.000
700-2,000
92-275
275-917
917-8,834
734-917
367-917
917-2,200
1.834-7.340
550-1.834
734-1.834
550-1.467
734-2,751
1.834-7.340
129-367
References
20,41
20,41
20,41
20,41
20,41
20,41
20,41
20,41
20.41
20.41
20,41
20,41
20.41
134
-------�
provide an order—of-magnitude basis for evaluating the economic effects of
possible process modifications involving composition measurement and control
systems.
2.8.6 Case Example (42)
A day tank containing 6500 gallons of ethylene oxide became contaminated
with ammonia. The tank ruptured, dispersing ethylene oxide into the
atmosphere, where the cloud ignited and created an explosive force equal to
18 tons of TNT. One person was killed, nine were injured and property loss
was valued at approximately 16 million dollars.
135
-------�
2.9 REFERENCES
1. Lees, F.P. Loss Prevention in the Process Industries, Volume 1 and 2.
Butterworths, London, England, 1983.
2. Hix, A.H. Safety and Instrumentation Systems. Loss Prevention, Volume
6. American Institute of Chemical Engineers, New York, NY, 1972.
3. Considine, D.M. (ed.). Process Instruments and Controls Handbook,
McGraw-Hill Book Company, New York, N.Y., 1985.
4. Shinsky, F.G. Process Control Systems. McGraw-Hill Book Company, New
York. NY, 1979.
5. Green, D.W. (ed.). Perry's Chemical Engineers' Handbook, (Sixth
Edition). McGraw-Hill Book Company, New York, NY, 198A.
6. Control Engineering. Any issue. Technical Publishing, Inc., Barrington,
Illinois.
7. Cost indices obtained from Chemical Engineering. McGraw-Hill Publishing
Company, New York, NY. November 1972, June 1974, December 1985, and
August 1986.
8. U.S Nuclear Regulatory Commission. Reactor Safety Study. National
Technical Information Service, WASH-1400 (NUREG 75/014), October 1975.
9. Process Safety Management. Chemical Manufacturer's Association.
Washington, D.C., May 1985.
10. Guidelines for Hazard Evaluation Procedures. The Center for Chemical
Plant Safety. American Institute of Chemical Engineers, 1985.
11. Kletz, T.A. Make Plants Inherently Safe. Hydrocarbon Processing.
September 1985.
12. Hazard Survey of the Chemical and Allied Industries. American Insurance
Association. Engineering and Safety Service, AIA, New York, NY, 1979.
13. Groggins, P.H. (ed.). Unit Processes in Organic Synthesis, Fourth
Edition. McGraw-Hill Book Company. New York. NY. 1952.
14. Herrick, E.G., J.A.King, R.P. Ouellette and P.N. Cheremisinoff. Unit
Process Guide to Organic Chemical Industries. Ann Arbor Publishers, Ann
Arbor. MI. 1979.
15. Courty. P.H.. J.P. Artie, A. Converse. P. Mikitinko, and A. Sugier.
C.-C, Alcohols From Syngas. Hydrocarbon Processing. November 1984. pp.
105fS.
136
-------�
16. Kreniers, J. Avoid Water Hammer. Hydrocarbon Processing. March 1983.
17. Rasmussen, E.J. Alarm and Shutdown Devices Protect Process Equipment,
Chemical Engineering. May 12, 1975.
18. Rase, H.F. Piping Design for Process Plants. John Wiley and Sons, Inc.,
New York. NY, 1963.
19. Liptak, B,G. and V. Christa (ed.). Instrument Engineers' Handbook,
Revised Edition. Chilton Book Company, Radnor, PA, 1982.
20. Peters, M.S. and K.D. Timmerhaus Plant Design and Economics for Chemical
Engineers, Third Edition. McGraw-Hill Book Company, New York, NY, 1980.
21. Liptak, B.C. Costs of Process Instruments. Chemical Engineering.
September 7. 1970.
22. Flow Measurement Handbook. Omega Engineering Corporation. 1985.
23. The Richardsen Rapid Construction Cost Estimating System, Volumes 1-4.
Richardsen Engineering Services, Incorporated, San Marcos, CA, 1986.
24. Floar, P.C. Programmable Controllers Directory, First Edition.
Technical Data Base Corporation, ConroeL Texas, 1985.
25. Telephone conversations between J.D. Quass of Radian Corporation and a
representative Of Foxboro Corporation. Corpus Christi, Texas, 1986.
26. Telephone conversation between J.D. Quass of Radian Corporation and a
representative of Fisher Controls. Stafford, TX. 1986.
27. Liptak, B.C. Safety Instruments and Control Value Costs. Chemical
Engineering. November 2, 1970.
28. Fauske, Haus K. Emergency Relief System Design. Chemical Engineering
Progress. August, 1985.
29. Recommended Practice for the Design and Installation of Pressure
Relieving Systems in Refineries: Part I - Design; Part II -
Installation. American Petroleum Institute. API RP 520, 1977.
30. Guide for Explosion Venting. National Fire Protection Association. Vol.
68. 1978.
31. American Society of Mechanical Engineers. Code for Pressure Piping B31.
Chemical Plant and Petroleum Refinery Piping. New York, NY.
32. Scully. William A. Safety-Relief-Valve Manfunctions: Symptoms, Causes
and Cures. Chemical Engineering. August 10, 1981.
137
-------�
33. Papa, D.M. How Back Pressure Affects Safety Relief Valve. Hydrocarbon
Processing. May 1983.
34 Bradford, Mike and David G Durrett. Avoiding Common Mistakes in Sizing
Distillation Safety Valves. Chemical Engineering. July 9, 198A.
35. Fitt, J.S. The Process Engineering of Pressure Relief and Slowdown
Systems, Loss Prevention and Safety Promotion in the Process Industries.
First International Loss Prevention Symposium, Amsterdam, Holland. 1974.
36. Lawley, Herbert G. and Trevor A. Kletz. High-Pressure-Trip Systems -for
Vessel Protection. Chemical Engineering. May 12, 1975.
37. Anyakora, S.N. G.F.M. Engel, and F.P. Lees. Some Data on the
Reliability of Instruments in the Chemical Plant Environment. The
Chemical Engineer. Number 255, 1971.
38. Pressure and Strain Measurement Handbook and Encyclopedia. Omega
Engineering Corporation, 1985.
39. Temperature Measurement Handbook and Encyclopedia. Omega Engineering
Corporation, 1985.
40. Bartosiak, G. Guide to Thermocouples. Instruments and Control Systems.
November, 197.8.
41. Liptak, B.G. Costs of Viscosity, Weight, and Analytical Instruments.
Chemical Engineering. September 21, 1970.
42. Davenport, J.A. A Survey of Vapor Cloud Incidents. Loss Prevention.
American Institute of Chemical Engineers. Volume 17, September 1977.
43. Weir, E.D, G.W. Gravenstine, and T.F. Hoppe. Thermal Runaways: Problems
with Agitation. Plant/Operations Progress. July 1986.
44. Wilmot, D.A., and A.P. Leong. Another Way to Detect Agitation. Loss
Prevention. American Institute of Chemical Engineers. Volume II, New
York, NY. 1977.
138
-------�
SECTION 3
PHYSICAL PLANT DESIGN CONSIDERATIONS
The preceding section of this manual addressed process design considera-
tions associated with basic process variables, the chemistry of a process, and
process control. This section addresses the physical plant design and hard-
ware of a process facility. Process and physical plant design taken together,
whether of a new facility or of the modification of an existing facility, are
the basis for preventing accidental chemical releases. In the words of one
author: "The safety of the plant is determined primarily by the quality of
the basic design rather than the addition of special safety features. It is
difficult to overemphasize this point" (1) . Safety features are part of that
basic design, but in some facilities there may have been oversights in design
and construction that warrant the addition of safety features to an existing
facility.
Physical plant design considerations address the specific hazards caused
by hardware failure, the proper design and construction of equipment to reduce
those hazards, and the siting and layout of the equipment within the process
facility. Specific hardware-related prevention measures can be identified to
reduce the probability of accidental chemical releases.
General and detailed principles for the design of chemical process
facilities comprise a vast technical literature. It is not within the scope
erf this manual to review all aspects of design, nor the intent of this manual
to be used for design. The reader is referred to other technical literature
for these purposes. It is the purpose here to highlight significant general
considerations related to accidental release prevention.
Since the fundamental purpose of the physical plant and its equipment is
to contain the chemicals under normal process operating conditions and within
139
-------�
limited ranges of deviation, sound design practices that are thoroughly
understood and faithfully followed are essential to prevent releases. Design
principles related specifically to release prevention can be grouped into four
broad categories:
• Standards, codes, recommended practices, and guidelines;
• Siting and layout;
• Miscellaneous considerations; and
• Equipment.
Each of these categories is discussed in the subsections that follow.
Some important potential hazards and their control, related to the equipment
and its layout in a process facility, are examined.
3.1 STANDARDS. CODES, AND RECOMMENDED PRACTICES
Equipment used in a process facility must be selected to function under
the specified process conditions and under upset conditions; it must ensure
containment of the chemicals being processed and must be resistant to fire and
explosion. To help industry meet these requirements, numerous codes, stan-
dards of practice, recommended practices, and guidelines (referred to here-
after as standard design criteria) exist for categories and specific kinds of
equipment. Different organizations developed standard design criteria over
the years in response to knowledge gained from actual accidents or in antici-
pation of operating and safety problems based on technical analysis. Many of
the standard design criteria were developed to meet the needs of property
insurer's and worker health and safety concerns. It is beyond the scope of
this manual to even present a detailed summary of all the standard design
criteria applicable in the chemical process induscries. Table 3-1, however,
lists some major organizations involved in developing such standard design
140
-------�
criteria. Table 3-2 summarizes some of the areas applicable to chemical
process facilities (2).
Two major equipment categories addressed by codes are vessels and piping.
Table 3-3 shows the design and physical components of vessels covered by the
American Society of Mechanical Engineer's (ASME) code for pressure vessels
(3) . This is shown as an example of how much detail must be addressed by
fabricators and constructors of process equipment and facilities. This code
has been adopted as a legal standard in many areas. For piping, an important
code was developed by the American Petroleum Institute (API); it applies to
petroleum refineries and petrochemical plants, and may be applicable to other
chemical process facilities as well (A). Many individual companies have their
own standard design criteria, especially major corporations in the chemical
process industries. Design criteria must always be carefully scrutinized when
toxic chemicals are involved, especially in new situations, because the such
criteria have often been developed for known sets of conditions, and it is
possible that adherence to a standard criterion such as a code without a full
appreciation of its basis or limitations could lead to unforeseen secondary
hazards.
In the context of accidental release prevention, any standard design
criteria, even codes, should be viewed as a minimum basis or starting point
for equipment and plant design. Many specific situations may suggest more
stringent specifications than the standard design criteria require. This if
often an overlooked aspect of code and standards compliance that can lead to
problems.
3.2 SITING AND LAYOUT CONSIDERATIONS
Siting and layout considerations are an important aspect of accidental
release prevention. Siting refers to the location of the process facility
within a community, while layout refers to the positioning of equipment within
the process facility.
141
-------�
TABLE 3-1. SOME OF THE MAJOR ORGANIZATIONS PROVIDING CODES. STANDARDS.
RECOMMENDED PRACTICES. AND GUIDELINES FOR EQUIPMENT FOR
CHEMICAL AND ALLIED INDUSTRY PROCESS PLANTS
Abbreviation
Name Symbol
Technical and Trade Groups
American Water Works Association
Air Conditioning & Refrigeration Institute
Air Moving and Conditioning Association
American Association of Railroads
American Gas Association
American Petroleum Institute
Chlorine Institute
Compressed Gas Association
Cooling Tower Institute
Chemical Manufacture's Association
Manufacturers Standardization Society
National Electrical Manufacturers Association
Pipe Fabrication Institute
Scientific Apparatus Makers Association
Society of Plastics Industry
Steel Structures Painting Council
Tubular Exchanger Manufacturers Association
U.S. Government Agencies
Bureau of Mines
Department of Transportation
U.S. Coast Guard
Hazardous Materials Regulation Board
Federal Aviation Administration
Environmental Protection Agency
National Bureau of Standards
Occupational Safety and Health Administration
Testing Standards and Safety Groups
American National Standards Institute
American Society for Testing and Materials
National Fire Protection Association
Underwriters Laboratories, Inc.
National Safety Council
Insuring Associations
American Insurance Association
Factory Insurance Association
Factory Mutual System
Oil Insurance Association
AWWA
ARI
AMCA
AAR
AGA
API
CI
CGA
CTI
CMA
MSS
NEMA
PFI
SAMA
SPI
SSPC
TEMA
BM
DOT
SCG
HMRB
FAA
EPA
NBS
OSHA
ANSI
ASTM
NFPA
UL
NSC
AIA
FIA
FM
OIA
(Continued)
142
-------�
TABLE 3-1 (Continued)
Abbreviation
Name Symbol
Professional Societies
American Conference of Governmental Industrial ACGIH
Hygienists
American Industrial Hygiene Association AIHA
American Institute of Chemical Engineers AIChE
American Society of Mechanical Engineers ASME
Amer. Soc. of Htg.. Refrig. & Air-Cond. Engs. ASHRAE
Illumination Engineers Society IES
Institute of Electrical and Electronic Engineers IEEE
Instrument Society of America ISA
Source: Adapted from Reference 2.
143
-------�
TABLE 3-2. SOME OF THE AREAS COVERED BY CODES, STANDARDS. GUIDELINES.
AND RECOMMENDED PRACTICES OF DESIGNATED ORGANIZATIONS
(SEE TABLE 3-1 FOR SYMBOLS DEFINITIONS)
Accident Case History - NFPA. NSC. AIA. FIA. FM. OIA, AIChE. AGA, API. CMA.
USCG. OSHA
Plant & Equipment Layout - NFPA, NSC. AIA. FIA. FM. OIA. AWWA, AAR, API. CGA,
CMA. USCG. HMRB
Electrical Area Classification - ANSI. NFPA. NSC, AIA, FIA, FM, OIA. API. CMA.
USCG. OSHA
Electrical Control and Enclosures - ANSI. NFPA, UL, NSC, AIA, FIA, FM. OIA.
IEEE, ISA. ARI. MCA, NEMA. USCG, OSHA
Grounding and Static Electrical - ANSI, NFPA, UL, NSC, AIA, FIA, FM, OIA,
IEEE, API. NEMA, USCG, OSHA
Power Wiring - ANSI, NFPA, UL, FIA, FM, OIA, IEEE, API. NEMA, USCG, OSHA
Lighting - ANSI, NFPA, UL. NSC. FM. IEEE. IES. NEMA. USCG
Emergency Electrical Systems - NFPA, AIA, FM, IEEE, AGA. NEMA. USCG
Instrumentation - ANSI. ASTM. NFPA, UL, AIA, FIA, FM, OIA. IEEE, ISA, AWWA,
ARI, API, CGA, SAMA, USCG, HMRB, NBS
Shutdown Systems - NFPA, UL, AIA. FIA, OIA, API, USCG
Pressure Relief Equipment Systems - NFPA, AIA, FIA, FM, OIA, ASME, API, CI,
CGA, USCG, HMRB, OSHA
Venting Requirements - NFPA, FIA, FM. API. USCG, HMRB
Product Storage and Handling - ANSI, NFPA, AIA. FIA. FM. OIA. AIChE, AAR, API.
CI, CGA, MCA. USCG. OSHA
Piping Materials and Systems - ANSI, ASTM. NFPA, UL, NSC, AIA, FIA. FM. NBS
ASHRAE. IES. AWWA. ARI. AGA. API. CI. CGA. MSS. NFPA, PFI. SPI. USCG. HMRB,
Materials of Construction - ASTM, ANSI. NFPA, UL, NSC, AIA, FM. OIA, ISA.
AWWA. CI, CGA, CTI, MCA, TEMA, USCG, HMRB, NBS
Insulation and Fireproofing - ANSI, ASTM, UL, AIA. FM, OIA, ASHRAE, USCG
Painting and Coating - ANSI, ASTM. UL. AIChE, AWWA, SSPC, HMRB. NBS, OSHA
Ventilation - ANSI, NFPA. UL, NSC. FIA. FM. ACGIH. AIHA, BM, USCG
(continued)
144
-------�
TABLE 3-2 (continued)
Dust Hazards - ANSI, NFPA. UL. NSC, FIA, EM, ACGIH, AIHA, BM, USCG
Noise and Vibration - ANSI, ASTM, NFPA, UL, NSC, AIHA, AIChE. ASHRAE, ISA.
ARI, AMCA, AGA, API, NFPA, EPA, OSHA
Lubrication - ANSI, NFPA, ASME. AMCA
Fire Protection Equipment - ANSI, NFPA, UL, NSC, AIA, FIA, OIA, AWWA, API,
CGA, CMA, NEMA, BM, USCG, OSHA
Safety Equipment - ANSI, UL, NSC, FM, ACGIH, AIHA, CI, CGA, MCA, BM, USCG,
OSHA
Pumps - ANSI, UL, OIA, AIChE, AWWA, HI NFPA. USCG
Fire Pumps - ANSI. NFPA. UL. FM, IEEE, HI, USCG
Fans and Blowers - FM, ACGIH, AIHA, ASME, ARI, AMCA, USCG
Compressors - AIA, FM. OIA, ASME, ASHRAE, ARI, USCG
Air Compressors - ANSI, AIA, FM, USCG
Steam Turbines - AIA, FM. OIA. IEEE, USCG
Gas Turbines - NFPA, FIA, FM, OIA, AGA, USCG
Gas Engines - NFPA, FM, OIA, USCG
Electric Motors - ANSI, NFPA, UL, IEEE, CMA, USCG
Shell & Tube Exchangers - AIChE, ASME. ASHRAE, ARI. AGA, CGA, PFI, USCG
Air-Fin Coolers - OIA, ASHRAE, ARI, USCG
Cooling Towers - NFPA, FM, OIA, CTI
Boilers - ANSI, NFPA, UL, NSC
Fired Heaters - ANSI, NFPA, UL, FIA, FM, OIA, ASME, USCG
Combustion Equipment & Controls - ANSI, NFPA, UL, NSC, FIA, FM, OIA, USCG
Refrigeration Equipment - ANSI, NFPA, UL, FM, ASHRAE, ARI, USCG
(continued)
145
-------�
TABLE 3-2 (continued)
Dust Collection Equipment - NFPA, FIA. FM, USCG
Pneumatic Conveying - ANSI. NFPA, FIA, USCG
Solids Conveyors - CMA
Storage Tanks - NFPA. UL. OIA, AWWA. CI. USCG. NBS. OSHA
Pressure Vessels - NFPA. NSC. AIA. ASME. ARI. CGA, HEI. DOT. USCG, OSHA
Material Handling - NFPA. NSC. CMA. OSHA
Jets and Ejectors - HEI. USCG
Gear Drives Power Transmission - ANSI. NSC. AIA. AGMA. USCG
Stacks and Flares - OIA. USCG. FAA
Drain and Waste Systems - AIChE. AWWA. CMA. USCG
Inspection and Testing - ASTM. NFPA. NSC, AIChE. ASHRAE, IEEE, AMCA, ABMA.
API. AGMA, AWWA. CGA, CTI. HEI. HI. MSS. NFPA. PFI, DOT, USCG
Source: Adapted from Reference 2.
146
-------�
TABLE 3-3. PHYSICAL COMPONENTS. DESIGN, AND FABRICATION FEATURES
OF VESSELS COVERED BY ASME CODES AS INDICATED
Component
ASME
Code Section
Component Codes
Full face gasket
Welded connection
Reinforcement pad
Code termination of vessel
Lap Joint stub end
Loose type flange
Ellipoidal head, pressures, int.
Head skirt
Optional type flanges
Nuts and washers
Studs and bolts
Applied linings
Integrally clad plate
Corrosion
Stiffener plate
Support lugs
Longitudinal joints
Tell tale holes
Attachment of jacket
Jacket vessels
Plug welds
Bars and structural shapes
Stay bolts
1/2 Apex angle
Support skirt
Studded connections
Optional type flange
Bolted flange, spherical cover
Manhole cover plate
Flued openings
Fig. UW-16.1
UG-82, Utf-15,
UA-6, UA-45
UW-15, UW-16
G-37. UG-40, UG-A1
UA-280
U-l (e)
UG-11, G-44. UG-45
UG-44. UA-45 to 52, Fig. UA-48
UG-32, Ext.UG-33, UA-4, UA-275
UG-32. Fig. UW-13.1, UW-13
UG-14, UG-44, UW-13. Fig.
UW-13.2, UA-45 to 52, UA-55,
Fig. UA-48, Appendix S
UG-13, UCS-11. UNF-13
UG-12, CS-10, UNF-12
Part UCL., UG-26, Appendix F
Part UCL, Appendix F
G-25, CS-25, UCL-25. UA-155 to
UA-160
UG-6, UG-22, UG-54, UG-82
G-6. UG-54, UG-82, Appendix G
UW-33, UW-3. UW-35.-UW-9
UG-25. UCL-25
Fig. UA-104. Fig. UA-105
UG-28, UG-47(c) Appendix IX
UW-17. UW-37
UG-14, UW-19, Fig. W-19.2 Stayed
surfaces, UG-47
UG-14, UG-27f, UG-47 toUG-50,
UW-19, Fig. UW-19.1
G-32
UG-6, UG-22, UG-54. UA-185 to
UA-189, Toriconical head
pressures. Int. UG-32, UG-36,
Fig. UG-36. Ext. UG-33. A-275
UG-43. UG-44,W-16, Fig. UW-16.1,
UW-15
UG-14, UG-44, UW-13, Fig
UA-45 to 52. UA-55. Fig. UA-48,
Appendix S
UA-6
UG-11. UG-46
UG-32. UG-38, Fig. UG-38
W-13.2.
(Continued)
147
-------�
TABLE 3-3 (Continued)
Component
ASME
Code Section
Component Codes
Yoke
Studs, nuts, washers
Spherically dished covers
Flat face flange, Appendix Y
Welded connection
Opening
Multiple openings
Non-pressure parts
Hemispherical head, pressures, int.
Unequal thickness
Shell thickness
Stiffening rings
Welded connection
Flat head
Openings, flat heads
Backing strip
Circumferential joints
Flat head
Tube sheet, no code. TEMA acceptable,
Tubes
Baffle
Channel section, cast steel
Integral type flange
Reinforcement pad
Compression ring
1/2 Apex angle
Conical heads, pressures
Small welded fittings
UG-11
UG-12, UG-13, UCS-10, UCS-11,
UNF-12, UNF-13
UA-6, Fig. UA-6
Fig. UA-1110
UW-15, UW-16. Fig. UW-16.1
UG-36 to UG-42, UA-7, UA-280
UG-42
G-6, UG-22, UG-55, UG-82
UG-32. UA-A. UA-3. Ext. UG-32,
UA-275
W-9. Fig. UW-9. UW-13, Fig.
UW-13.1
UG-16, UHA-20, Pressures,
Int. UG-27, UA-1, UA-2, UA-274.
Ext. UG-28, UA-270 to UA-272
UG-29, UG-30, UA-272
W-15, UW-16, Fig. UW-16.1
UG-34. Fig. UG-34. UW-13,
UG-93(d)(3), Fig's. UW-13.2 &
UW-13.3
UG-39
Table UW-12, UW-35
UW-3. UW-33,UW-35
UG-34. Fig. UG-34, UG-39
U2(g)
UG-9, Pressure, Int. UG-31,
Ext. UG-28, UG-31
G-6
UG-24 part UCS, UHA, Cast Iron,
UC1
UG-44, UA-45 to UA-52. Fig. UA-48,
UA-55, Appendix S
UG-22, UG-37, UG-40, UG-41, UG-82,
UW-16. UA-280
UA-5
UG-32
Pressures. Ext. UG-33. UA-275.
Int. UG-32, UG-36, Fig. UG-36,
A-4.
UG-11.UG-43, UW-15. UW-16.
Fig. UW-16.1. Fig. UW-16.2
(Continued)
148
-------�
TABLE 3-3 (Continued)
Acitivity
ASME
Code Section
Component Codes
Threaded openings
Heat attachment
Fillet welds
Knuckle radius.
Torispherical head, pressures
UG-43 (e)
UW-13. Fig. UW-13.1
UW-18. UW-36 Table UW-12
UG-32. UCS-79
Int. UG-32. UA-4, Ext. UG-33.
A-275
General Design and Fabrication Codes
Heat Treatment
Inspection
Joint Efficiency
Lethal Service
Loadings
Low Temperature
Materials
Pressure. Design
Temperature. Design
Pressure Vessels Subject to
Direct Firing
Radiographic Exam
Relief Devices
Repairs
Stress
Test, Hydrostatic
Stamping and Data
Unfired Steam Boilers
UG-85. UW-10. UW-40. UCS-56,
Table UCS-56, UCS-79(d). UCS-85.
UNF-56, UHA-32, UHA-105. & UCL-34
UG-90 thru UG-97. U-l (j)
UW-12, & Table UW-12
UW-2(a), UCD-2, & UC1-2
UG-22
UG-84, UW-2(b), UCS-65. UCS-66.
UCS-67, UNF-65, & UCL-27
UG-5 thru UG-15, UG-18, UG-77,
UCL-11 & UW-5, Tables NF-1 & NF-2
UG-19, & UG-21. Max. Allowable
Working UG-98
UG-19, UG-20
UW-2(d), U-l(h)
UW-11, UW-51. UW-52, UCS-57.
UNF-57. UHA-33. & UCLK-35, Spot
Exam of Welded Joint UW-52, No
Radiograph "W-ll(c)
UG-125 through UG-136. App. XI
UG-78. UW-38, UW-40(d)
Max. Allow., Value UG-23.
W-12(c), UNF-23. UHA-23, UCL-23
G-99. UC1-99, UCL-52, & UA-60,
Pneumatic UW-50 & UG-100; Proof.
UG-101; Non-Destructive, UG-103,
UNF-58, & UHA-34; Mag. Part,
UA-70 thru UA-73; Liq. Pene,
UA-91 thru UA-95; Ultrasonic,
UA-901 thru UA-904; Impact,
UG-84, UCS-66, UHA-51.NF-6
UG-115 thru UG-120
UW-2(c). U-l(g)
Source: Adapted from Reference 3.
149
-------�
3.2.1 Siting
Siting, as related to accidental chemical releases, is usually thought of
in terms of mitigating the consequences of a release rather than in preventing
it. Siting from the perspective of mitigation, the consequences of a release
is dealt with in a companion manual on mitigation in this series. Certain
conditions of siting, however, can influence the probability of a release.
These conditions primarily are related to natural disasters and climate, but
also to circumstances at neighboring facilities, or transportation accidents,
that could play a role in causing releases.
Examples of natural phenomena and disasters include lightening, wind-
storms, floods, earthquakes, subsidence, and landslides. Climatic factors
include rainfall patterns, temperature extremes, and temperature variability.
These factors directly influence physical plant design, and if not
properly accounted for they can result in hazardous design deficiencies. For
example, a facility in a flood-prone area may require different types of
foundations for storage tanks or process equipment. Ambient temperatures
might be important if a line freezeup in a particular process could lead to a
failure that causes an accidental release.
Lees discusses siting from a process hazard perspective and cites a
number of literature references on siting (1).
Materials of construction are influenced by the temperature extremes the
facility is subjected to and by any corrosive characteristics of the ambient
air. For example, areas of high humidity, or the presence of nearby salt
water or of a facility that emits a corrosive gas should influence the
selection of construction materials. The level of dust in the air and the
150
-------�
potential for severe dust storms may require special protection for certain
types of equipment. Special precautions should be taken wherever subfreezing
temperatures are common. Such precautions may include the addition of extra
insulation or heat tracing and may dictate the types of seals and gaskets used
on equipment.
Material strength requirements are influenced by the frequency of severe
wind and weather conditions. Process equipment and their supporting struc-
tures may need extra reinforcement or protection where high winds or severe
hail occur.
As a final example, the presence of a neighboring facility where a fire,
explosion, or accidental release could trigger an incident in one's own plant
may require consideration.
3.2.2 Layout
Layout refers to the placement and spacing of the various parts of a
process facility, including the individual equipment in the various parts. A
properly designed layout reduces the potential for and the consequences of an
accidental release by enhancing process operability and by segregating hazard-
ous areas within the facility. A great deal has been written on plant layout
in the technical literature. Both the Chemical Manufacturers Association
(CMA) and the National Fire Protection Association (NFPA) have issued stan-
dards or guidelines for plant layout (5).
Increased distances between process units tend to reduce the potential
for, and the impact of an accidental release. The value of distance depends
on the nature of the hazard. An explosion in one process unit can result in
an accidental release in another process unit because of damage from the blast
wave. The blast wave pressure front travels rapidly but its intensity de-
creases rapidly with distance. A vapor cloud associated with an accidental
release travels much more slowly than a blast wave but usually affects a
151
-------�
larger area before it is diluted enough to present no danger. A fundamental
layout consideration where flammable or explosive vapor clouds may occur is to
locate away from obvious ignition sources. While unexpected ignition sources
may still ignite a flammable cloud, there is no reason to make the process
easier.
Whenever possible, a quantitative method should be used to aid in
choosing the spacing between process units. This can be done by first devel-
oping a relative hazard ranking of individual process units. One method of
quantifying the hazard of a given process unit assigns a hazard number to
various features of a substance or process. These numbers are based on an
arbitrary scale. The numbers for various portions of the system are combined
by multiplying by weighting factors and summing the results to create an
overall hazard rating. The Dow Index is an example of this type of approach
for ranking processes in terms of fire and explosion potential (6) . An
extension of the DOW Index is the Mond Index, which extends the ranking to
include toxicity. Other methods for quantifying relative hazards and develop-
ing spacing requirements have been developed (7,8.9).
A list of basic concepts for achieving optimal layout has been assembled
by Lewis (8):
• Roads need to allow entry to the plant from at least two
points on the site perimeter, preferably from opposite
sides.
• All units in the area with a moderate or high fire risk
should have access for emergency vehicles from at least
two directions.
• Control rooms, amenity buildings, workshops, laboratories
and offices should be sited close to the site perimeter.
152
-------�
• Pipebridges should be laid out to minimize easy transfer
of incidents from one unit to another. Key pipebridges
should be assessed independently of adjacent units for
hazard potential.
• Wherever possible, units of high risk should be separated
from each other by units of mild, low or medium risk.
• Appropriate distances should separate units from identi-
fied ignition sources, such as furnaces, electrical
switchgear, flarestacks, etc.
• Control rooms, amenity buildings, workshops, laboratories
and offices should be adjacent to units of mild or low
risk, which act as a barrier from higher risk units.
Medium risk units are only acceptable adjacent to popu-
lated buildings (a) if lower risk units are not available
for separation purposes, and (b) if the risk level is only
just inside the "medium" band of Overall Risk Rating as
assigned by the Mond Index method.
• Units with the highest values of the Major Toxicity
Incident Index, assigned by the Mond Index method, should
be suitably distant from all facility buildings containing
many people, and also from activities outside the works
boundary. (This particularly applies to the locations of
schools, hospitals, places of entertainment etc.)
• Units having the highest values of the Aerial Explosion
Index, assigned by the Mond Index method, should not be
located close to a plant or facilities boundary; they
should be separated by areas occupied by low risk
153
-------�
activities with low population densities (up to 25 people
per acre).
• Major pipebridges with a medium to high "Overall Risk
Rating" (assigned by the Mond Index method) should be
located so that they are at minimal risk from incidents on
tall process units and from transport accidents arising
from the regular movement of vehicles taking materials to
or away from the plant site.
• Units previously and separately assessed for hazard
ratings can be combined into a larger single unit provid-
ing (a) the risks are similar, (b) the potential direct
and consequential losses do not become excessive and (c) a
reassessment of the rating of the combined unit is accept-
able.
• As far as possible, units should be laid out for a logical
process flow to minimize the pipebridge requirement.
• Pipebridge routes should be chosen so that they are not
likely to contribute to the spread of an accident.
Alternative route selection should allow as much process
control as possible.
• Storage units should be adequately separated from opera-
tional areas and, as far as possible, located away from
road and rail traffic routes within the plant site.
In general, optimum spacing arrangements provide straight, unobstructed
access ways that are continuous from one end of a processing unit to the other
and are connected to roads that surround the unit. Piping should be laid out
in a way that minimizes the amount of piping. Piping associated with various
154
-------�
utilities and process units should be segregated, since this will help to
avoid confusion during operations. Adequate spacing must be provided for
maintenance and construction. More than one escape route should be available
for any location within the facility. In the initial facility design, extra
room should be provided for future expansion to avoid creating future conges-
tion hazards.
The layout for indoor process units requires special considerations.
Hazardous or flammable vapors can accumulate in an indoor facility. Proper
ventilation is a primary consideration for indoor facilities that handle
hazardous materials. Many air changes per hour with little recirculation may
be in order where a hazardous material is involved. Any potential leak source
should be protected. Vents and pressure relief discharge lines which may
release toxic or flammable materials should be piped to a safe area. The
holdup of hazardous materials inside of process buildings should be minimized
and generally limited to material in process equipment and piping. Some
additional considerations for indoor facilities are listed in this manual in
Section 3.3.4.
A safe control room is essential if a plant is to respond to an acciden-
tal release once it has occurred. As far as possible, a control room should
be located in an area where exposure to fires, explosions or toxic releases is
minimum. Wherever a control room is located, it should be designed to mini-
mize the potential for injury to the employees in the event of an accident.
Examples of precautions include, explosion shielding, shatterproof windows, a
ventilation system that provides clean air while keeping the control room
under slight positive pressure, and extra fire protection. If a control room
is located within a process unit, then other buildings such as laboratories,
lunchrooms or offices should not be added onto the control room. Support
structures where personnel tend to congregate should be located outside of the
processing area.
155
-------�
Many of the layout precautions listed above are necessary for the sake of
fire prevention. Additional layout considerations specifically for fire
protection are discussed in Subsection 3.3.A.
3.2.3 Storage Layout Considerations
The arrangement of storage facilities follows the same general principles
just discussed for general siting and layout. Storage facilities may merit
special consideration, however, because they contain large inventories of
chemicals.
Storage near high-hazard process areas and loading and unloading termi-
nals should be the minimum required for the needs of the process or shipping
requirements. Storage facilities should be located on, at most, two sides of
a processing area so that the area is open on at least two sides. Inventory
should be kept to a minimum. Tank storage areas should be located away from
offices and other locations where people congregate. A tank storage area
should be located as far from a community population center as possible.
Prevailing wind direction should be considered so that the effects of a large
release from storage facilities are minimized. The natural ground contour
should be considered so that runoff from a spill would not contaminate a large
area or would not find its way to a source of ignition.
One basis for selecting tank spacings are NFPA standards (5) . These are
based on flammable materials but are a useful guide for separating flammable
and toxic materials. Two materials that may react and generate heat upon
contact should not be stored within the same diked area. A chemical should
not be stored in a diked area with a tank constructed of material that it
would react with. For example, concentrated hydrochloric acid should not be
stored in a diked area with a carbon steel tank that contains another hazard-
ous chemical.
156
-------�
Adequate spacing for fire control and maintenance should be available for
all tanks. Access roads should surround groups of tanks. As far as possible,
tanks should be located away from heavily traveled roadways to minimize the
potential for vehicle collisions with tanks. Fittings and pipe runs should be
protected from vehicle collision. This applies especially to pipe bridges
with pipes carrying toxic chemicals. Appropriate fire protection in the form
of deluge systems, and/or foam systems should be permanently in place.
3.2.4 Miscellaneous Design Considerations
A number of miscellaneous design considerations are an inherent part of
physical plant design. These include:
• Availability and dependability of utilities;
• Operability;
• Fail-Safe Design;
• Fire prevention and protection;
• Electrical system requirements;
• In-process inventories; and
• Special safety requirements.
Availability and Dependability of Utilities—
The loss of a utility can result in an accidental release if control of
the process is consequently lost. The potential for an accidental release may
be reduced if two principles are followed in designing a utility system.
The first principle of safe utility design is. if the failure of a
utility to a portion of a facility can result in a loss of control in that
157
-------�
section of the facility, then that utility should be supplied with a backup in
at least that portion of the facility. A facility electrical system backup
could be a diesel generator system. An instrument air system could be backed
up with a nitrogen system. Backup for a utility does not mean that there must
be a duplicate of the entire system. Backup for a cooling water system could
be a set of pumps that deliver municipal water to a few crucial portions of
the cooling system in the event of a cooling system breakdown. It may not
always be possible to provide backup to a utility, but when a failure could
lead to an accidental release a backup should be considered.
The second principle of safe utility design is that the loss of a utility
in one section of a plant should not result in the loss of that utility to
other sections of the plant. Breaking or plugging a utility line in one
process unit should not result in the loss of that utility to another area of
the plant. This implies parallel rather than series distribution for critical
utility systems. Loop piping systems are more effective in meeting this
criterion than are branch systems. Complete adherence to this principle will
sometimes be difficult to achieve, but it should be attempted whenever possi-
ble.
Operability—
Considering the human aspect of process operation and maintenance during
the design phase of a project, may help to reduce the potential for an acci-
dental release by enhancing operability of a plant. A plant should be capable
of running under manual control long enough to complete a safe shutdown.
Automatic process control systems can be expected to fail from time to time.
Valves, gages, and other instruments and controls should be located where they
are easy to use. Important instruments and controls should be readily distin-
guishable from less important instruments. Unnecessary complexity should be
avoided. An overcontrolled plant may be as difficult to operate as an un-
controlled plant. Operators may bypass control systems that are difficult to
maintain or that result in frequent process upsets or interruptions.
Any actions that are essential for safe operations should be set up in a
way that minimizes effort to the operator in order to facilitate their imple-
158
-------�
mentation. An important task that is difficult to perform may be overlooked
or implemented too late. Preventing this kind of error is the responsibility
of both management and the design engineer. For example, if water must be
regularly drained from a vessel or if samples must be regularly withdrawn,
then the drain or sample loop should not be located at the top of a ladder.
Important valves should be readily accessible. Movement of personnel from one
task to the next should be taken into consideration. For example, people may
take the easiest route between two points even if it means inappropriately
climbing over equipment.
Unnecessary clutter such as extra piping and equipment can make a process
difficult to operate and may increase the potential for an accidental release.
Facilities often evolve as modifications and additions are made. Care should
be taken to streamline and simplify by removing unnecessary piping and equip-
ment as modifications are made.
Fail-safe Design—
A fail-safe control device is one designed to move to a preset position
upon failure of the instrument air or electricity. For example, fail-safe
pneumatic control valves are designed to go to the fully open or fully closed
position on air failure. The purpose of fail-safe equipment is to reduce the
potential for a process upset by preassigning the failure modes for process
controls. A correct decision as to whether a device should close or open on
failure is essential for safe plant design. For most processes, some type of
formal design evaluation procedure, such as a Hazardous and Operability Study
(HAZOP) study, may be useful for evaluating what failure mode should be
selected.
Fire Prevention and Protection—
A properly designed plant will have fire protection systems external to
the process unit, such as sprinklers, as well as inherent fire protection
design features. From an accidental release perspective, fire prevention and
protection is important because fire damage could lead to an accidental
release and because many design considerations associated with fire prevention
159
-------�
are actually accidental release prevention measures. Much has been written on
fire prevention and protection.
The National Fire Protection Association has issued guidelines in the
form of "Flammable and Combustible Liquids Code" (5) . Generally, local
ordinances will have specific guidelines for fire protection systems. A
detailed discussion of the design of fire protection systems such as sprin-
klers, foams, etc. is outside the scope of this text; however, this section
provides an overview of some fire protection design measures.
The supply of fire fighting water and the availability of utilities in
the event of a fire is important. In addition to controlling fires, fire-
fighting water (and steam) are often used to control the spread of vapors from
an accidental release. The loss of utilities to the entire facility because
of a fire in one process unit may result in a loss of process control that
could end in an accidental release.
The fire fighting water distribution system is important. A loop design
rather than a branch layout design may be the best arrangement for water lines
in high hazard areas because a loop design ensures water availability even if
lines have been cut off in one area of the plant. Valves should be placed
throughout the distribution system so that a damaged line can be isolated.
These valves may need to be remotely operable.
The primary water supply is usually designed to supply water for fire
fighting for at least four hours. All sources combined are usually designed
to be able to supply water for an additional two hours (5) . Many other
features of a fire fighting water system, including specifications on water
requirements, pumps and pumping, sprinkler systems, fire extinguishers and
other aspects of fire protection, are presented in additional NFPA publica-
tions. Specialized fire fighting equipment, such as foams or extra sprinklers
or water curtains, should also be considered in highly hazardous areas.
160
-------�
Fireproofing of structural steel, piping, and machinery is often
necessary. Fireproofing may include special insulations or materials of
construction.
Adequate drainage is important for fire prevention, especially for
flammable liquid spills. Flammable solvents may be carried to other locations
within a plant on the surface of water. The contents of a drainage trench may
ignite and spread fire throughout a plant. Submerged equipment is likely to
malfunction and contribute to the hazard. Drains should be sized to handle
the maximum anticipated load. The presence of debris such as insulation and
tags that may clog drains should be accounted for in. the design. To avoid
this, trenches sometimes have a cover two thirds closed and one third grate
(5). This dampens flames within the trench if a fire occurs. Flame traps are
usually spaced periodically throughout a trench to prevent the spread of a
fire.
Indoor facilities require additional fire protection. Where flammable
dust or vapors may be present, buildings should be constructed with nonload-
bearing walls so that walls lost because of an explosion will not result in
collapse of the building. In addition to area sprinklers, it may be necessary
for each piece of equipment to be protected by a local device. Local flam-
mable gas detectors and/or area monitors are often used and placed near likely
release points. Air is handled through ducts in indoor facilities. Flammable
dusts, vapors and vapor condensate can collect in these ducts. For this
reason, vent and duct systems are specifically designed with safety features
such as those suggested in the literature (8).
Fugitive emissions of flammable materials are sometimes controlled by
constructing vented enclosures around equipment. Process fittings such as
valves or flanges, or process machinery such as pumps or compressors are
potential candidates for this type of control. The vent lines from these
enclosures are often piped into a common manifold and sent to a treatment
device. Air in the vent manifold can lead to fire and explosion. Air leaks
into the vent system can be prevented by creating a slight positive pressure
161
-------�
with an inert gas. Diluting with an excess of air is another approach to keep
the concentration below the flammable or explosive limits. A probe could be
installed to monitor oxygen levels in the vent.
Electrical Systems—
Fire hazards are reduced by selecting the appropriate class of electrical
equipment. Electrical equipment is given a classification and a division
within that classification by the manufacturer which indicates what type of
environment the equipment can safely operate in without becoming an ignition
source.
Class I equipment is often referred to as "explosion proof" and is the
class required where flammable atmospheres may be present. A summary of some
locations encountered in a chemical plant and the equipment classification
that would apply to each location is specified by the National Fire Protection
Association (5). The following definitions of Class I, Divisions 1 and 2, are
provided by the National Fire Protection Association:
Class I, Division 1. A Class I, Division 1 location is a location: 1)
in which ignitible concentrations of flammable gases or vapors can exist
under normal operating conditions; or 2) in which ignitible concentra-
tions of such gases or vapors may exist frequently because of repair or
maintenance operations or because of leakage; or 3) in which breakdown or
faulty operation of equipment or processes might release ignitible
concentrations of flammable gases or vapors, and might also cause simul-
taneous failure of electric equipment.
Class I, Division 2. A Class I, Division 2 location is a location: 1)
in which volatile flammable liquids or flammable gases are handled,
processed, or used, but in which the liquids, vapors, or gases will
normally be confined within closed containers or closed systems from
which they can escape only in case of accidental rupture or breakdown of
such containers or systems, or in case of abnormal operation of equip-
ment; or 2) in which ignitible concentrations of gases or vapors are
162
-------�
normally prevented by positive mechanical ventilation, and which might become
hazardous through failure or abnormal operation of the ventilating equipment;
or 3) that is adjacent to a Class I, Division 1 location, and to which
ignitible concentrations of gases or vapors might occasionally be communicated
unless such communication is prevented by adequate positive-pressure
ventilation from a source of clean air, and effective safeguards against
ventilation failure are provided.
It may be appropriate to use Class I equipment exclusively throughout a
plant that handles highly toxic chemicals. Ordinary electrical equipment is
usually considered acceptable in these locations if it is installed in a room
or enclosure maintained under positive pressure by ventilation air that is not
contaminated by flammable vapors. If such enclosures are used where toxic
chemicals are involved, then it would be appropriate to install an alarm
system to sound when the enclosure loses pressure. Additional details may be
found in the National Electrical Code, 1984, put out by the National Fire
Protection Association (10).
Storage and In-Process Inventories—
The potential effects of an accidental release will be reduced as both
storage and in-process inventories of toxic and flammable materials are
reduced. No generalized formal methods appear to have been developed for
reducing inventories. Each process is unique and potential reductions will be
specific for that process.
Reducing the volume of process vessels is probably the most obvious
method available for in-process inventory reduction. While it is sometimes
possible to reduce the volume of intermediate hold and feed vessels or of
process piping in an existing plant, this is best accomplished in the initial
design of the plant. A more practical approach for an existing plant is to
reduce the volume contained in process vessels rather than to reduce the
actual volume of the vessel. Improved process control would assist in this
type of volume reduction. Better process control would reduce fluctuations in
upstream and downstream processes and allow for a smaller intermediate storage
volumes.
163
-------�
Substitution of chemicals or equipment may be used to reduce both storage
in-process inventories. Some of these substitutions are practical modifica-
tions for an existing plant and some are best considered in the initial plant
design. Heat transfer systems are good candidates for substitutions. A
flammable heating fluid may be replaced with a nonflammable heating fluid.
High temperature unit operations such as distillation may possibly be replaced
with lower temperature unit operations such as adsorption, crystallization or
liquid-liquid extraction. An example of an equipment substitution is suggest-
ed by Lees (1): replace a kettle reboiler with a thermosiphon reboiler.
Thermosiphon reboilers hold a smaller inventory than do kettle reboilers.
Altering the process chemistry may reduce inventories. For example, the
necessity of storing an intermediate could be eliminated by combining two
reactions and running them simultaneously in the same reactor. A more effi-
cient catalyst could reduce reactor residence time and inventory at an equiva-
lent production rate. A non-toxic or nonflammable solvent could be substi-
tuted for & flammable or toxic solvent, or it might be possible to eliminate
the solvent altogether and run the reaction "neat." It may be possible to
substitute a nonflammable or non-toxic raw material for toxic or flammable
material. As with all potential inventory reduction methods, some of these
alternatives would best be explored in the process development stage and are
more easily applied to new rather than existing facilities, but certain
changes still might be developed for existing facilities.
Special Safety Requirements—
A hazardous process, or a process that handles toxic or flammable mater-
ials may require special safety requirements that were not called for in the
previous principles of design. Such features are generally mitigative in
nature but may also include the addition of extra preventive or protection
measures. Some of these, discussed later in this manual, are scrubbers and
flares. Blast shields, water or steam curtains, specialized spill cleanup
equipment and specialized release detection equipment and alarm systems are
164
-------�
examples of mitigation measures that may be required. Mitigation measures are
discussed in the companion manual on mitigation, in this series.
3.3 EQUIPMENT DESIGN CONSIDERATIONS
The equipment in a chemical process may be broadly divided into four
categories:
• Vessels;
• Piping (including valves);
• Process Machinery; and
• Process Instrumentation.
This section focuses on some fundamental design considerations, typical
failure modes, and control measures for these process equipment categories
that are necessary to prevent failures from causing accidental releases.
Certain general topics applicable to all equipment are discussed first. These
include materials of construction and general equipment failure modes.
3.3.1 Materials of Construction
Selecting the wrong material of construction can lead to equipment
failure by corrosion, erosion, or mechanical wear. A variety of process
characteristics determine an appropriate material of construction. Process
fluid characteristics such as alkalinity, acidity, abrasiveness, and re-
activity must be considered in combination with pressure and temperature
extremes and the frequency and magnitude of temperature and pressure fluctua-
tions. General procedures for selecting appropriate materials of construction
are well defined in the technical literature (11). Even if an appropriate
material is specified in the original design, a contractor or vendor may
substitute one material for another or maintenance personnel may replace a
part with a part made of an inappropriate material. It is valves, flanges,
165
-------�
gaskets, bolts or other small parts of a process unit that are likely to be
made of an incompatible material. These small substitutions are potentially
dangerous because their significance as a potential cause of system failure
leading to a release may not be fully appreciated.
An example qualitative guideline for evaluating the appropriateness of a
material of construction under acid conditions is presented in Figure 3-1
(11). The graph presents qualitative information on the range of conditions
for different materials. The variables include oxidizing environment, reduc-
ing environment and chloride content. This chart does not show temperature
dependency, which is also an important consideration.
The material strength requirements depend on the temperature and pressure
to which a piece of equipment is subjected. Calculation of strength require-
ments should be based on the anticipated normal operating conditions, ex-
tremes, and on the frequency of heating-cooling, pressurization-depressuriza-
tion cycles that the system will undergo. A detailed discussion of the design
specifications that would be required for different conditions is outside the
scope of this text, but is fundamental in the field of design and fabrication
for vessels and other equipment.
For vessels, piping, pipe fittings and other hardware, design codes or
standards are available that define in detail the steps required to properly
account for stresses that equipment will experience. These procedures first
define specific criteria for establishing the design pressure and temperature.
The design conditions are established by taking into account the maximum
temperature and pressure that will be experienced under normal operations, and
the frequency and severity of occasional excursions from the normal maximum
conditions. After the design conditions are set, the standards outline
methods for determining wall thickness based on the design temperature and
pressure and on forces other than pressure forces that result in torsion,
axial compression or tension, and bending. Examples of additional forces are
stresses caused by repeated temperature and pressure cycles or stresses caused
by the thermal expansion and contraction of piping. An allowance for
166
-------�
MATERIAL OF
CONSTRUCTION
REDUCING ENVIRONMENT
OXIDIZING ENVIRONMENT
TANTALUM
ZIRCONIUM
HASTELLOY B-2
Ti-Pd
TICODE-12
Ti
HASTELLOY C-4
MONEL 400
HASTELLOY G
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxx
xxxxxxxxx
xxxxxx
xxxxx
XXX
X
XXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxx
CHLORIDES
COPPER ALLOYS
ALUMINUM
MONEL 400
NICKEL 200
INCONEL 600
430 SS
304 SS
316 SS
CARPENTER 20 Cb-3
INCOLOY 825
HASTELLOY B-2
HASTELLOY C-4
HASTELLOY G
Ti
Ti-Pd
CAST IRON. STEEL
ZIRCONIUM
:«;*:»,»;*:»;»;»:•:«:•;»:».»:»
:x
xxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxx
:»:»:»;«>:•:»»;»;»>:»,«:»;»,»;»,»:*:
X
xxxx
txxxx
xxxxxxxxxxxxxx
xxxxxxxxxxxx
xxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx
:»•••*•»:*»»»« »«••»«««*«
XX
xxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxx
NO CHLORIDES
xxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx
Figure 3-1. Example guide for material selection under acidic conditions.
-------�
corrosion, erosion, or the depth of threads or other grooves must be made by
the designer. Such an allowance is necessary since these factors weaken the
basic material. An additional allowance is usually provided where toxic
chemicals are involved.
The published standards for determining the strength requirements for
process equipment should be considered minimum standards where toxic chemicals
are involved. These standards are general and cannot cover all possible
design, construction, and operating conditions. For example, standards cannot
account for unrelieved stresses created during fabrication or installation.
The equipment designer of a facility that handles toxic chemicals should try
to account for all stresses and allow a safety factor consistent with the
hazards involved.
At high pressures, over 3000 psig, special designs not necessarily
covered by design standards or codes are sometimes used. For example, at such
pressures, a vessel constructed from ordinary low-carbon-steel plate would
become too thick for practical fabrication by ordinary methods. The alterna-
tives are to make the vessel of high-strength plate, use a solid forging, or
use multilayer construction. Such specialized fabrication methods may not be
subject to any particular standards or codes.
Very low or high temperature operations also require special considera-
tion. These extremes are more a problem of material selection than they are
of material strength requirements (though one is closely related to the
other). Brittle fracture is possible wherever very low temperatures are
involved. The materials used in plants handling low temperature fluids should
have a ductile/brittle transition temperature below not only the normal
operating temperature but also below the minimum temperature that may be
expected to occur under abnormal conditions. Brittle fractures are serious
since the fracture can propagate at a velocity close to that of sound. For
high temperatures a lining is often used to protect the outer equipment from
168
-------�
the high temperatures. A specialized lining must be placed inside a vessel of
special construction when high temperatures and pressures are involved.
3.3.2 General Equipment Failure Modes
A number of failure modes are common to all categories of equipment, and
each of the three fundamental equipment categories of vessels, piping, and
process machinery have failure modes to which they are especially susceptible.
This subsection presents a general discussion of potential failure modes and
is a basis for the discussions specific for each of the equipment categories
presented in later subsections.
Categories of failure modes that may lead to an accidental release are:
• Process upset causing pressure or temperature to exceed
design limits of the equipment;
• Faulty fabrication;
• Faulty repair or installation;
• Corrosion;
• Erosion; and
• Mechanical failure.
Process Upsets—
A process upset, as meant here, is any event that leads to a loss of
process control that could result in an accidental release. A runaway reac-
tion and overpressure, an internal explosion, or even failure caused by an
external explosion in an adjacent process or storage unit would all be exam-
ples of process upset failures. Thus a failure occurring as a result of a
fire would also be a process upset failure. Numerous events, including
169
-------�
instrument failure, operator failure, or mechanical failure, can result in a
loss of process control. Process upsets, which can lead to equipment failure.
were discussed in Section 2 of this manual on Process Design Considerations.
Faulty Fabrication—
An equipment failure could result from faulty fabrication. A poor weld
would be an example of a fabrication fault. Incomplete penetration, lack of
fusion, or a porous weld could result from improper or careless welding
techniques. Improper heat treatment of a metal component can result in unre-
lieved stresses. As will be discussed latter, these stresses can contribute
to several forms of structural failure. Poor dimensional tolerances can
result in excess mechanical stress or poor fit at gasketed joints. The use of
an improper material of construction can result in premature corrosion and
failure. Additionally, attempted cost saving steps such as substituting one
grade of equipment for a lower grade can result in premature equipment fail-
ure. Detailed consideration of fabrication faults is beyond the scope of this
manual, but there is a voluminous literature on the subject (e.g., 13).
Faulty Repair or Installation—
Another contributor to equipment failure can be faulty repair or instal-
lation. One author believes that most initial process plant designs are
relatively safe but that problems arise because changes, substitutions or
mistakes are made during the initial construction of the plant (1A).
Corrosion—
The materials of construction in a chemical plant are subject to a number
of types of corrosion. Corrosion can structurally weaken equipment to the
point of failure under either normal process operating conditions or process
upset conditions.
There are numerous categories of corrosion. Some of these are (1):
1) General corrosion,
2) Scaling,
3) Exfoliation,
170
-------�
4) Intergranular corrosion,
5) Stress-related corrosion,
a) stress corrosion cracking,
b) corrosion fatigue,
c) stress-enhanced corrosion,
6) Galvanic corrosion,
7) Corrosion pitting,
8) Knife-line corrosion,
9) Crevice corrosion,
10) External corrosion.
These are all discussed in the cited reference. Some categories are discussed
further below.
Stress corrosion cracking is the brittle failure of normally ductile
metals that occurs under the combination of.corrosion and tensile stress. The
stress may be internal or external. The American Petroleum Institute states
that almost any alloy can be made to fail by a stress corrosion cracking
mechanism (15). Caustic embrittlement is a common form of stress corrosion
cracking, as is the well known chloride stress corrosion cracking of stainless
steels.
Intergranular corrosion occurs when austenitic steels are heated in the
temperature range of 750 to 1650°F, or cooled through this range. A complex
carbide precipitates out and collects along grain boundaries. These pockets
of carbide are susceptible to corrosion by relatively mild aqueous corrodants.
The end result of this type of corrosion is the formation of cracks.
Galvanic corrosion is used to describe an accelerated electrochemical
type of corrosion that occurs when two different metals are in contact with
each other in the presence of an electrically conductive solution such as an
aqueous salt or acid solution. An electrical current flows between the two
metals and rapidly corrodes the metal that acts as the anode.
171
-------�
Other general categories of corrosion include graphitic corrosion,
dezincification and biological corrosion. Many additional chemical-specific
varieties of corrosion are possible. Discussions of corrosion are numerous in
the technical literature (16.17,18).
Erosion—
Erosion is the physical wearing away of process equipment materials by
the abrasive action of rapidly moving liquids, gases, or solids. Erosion can
result in an equipment failure because of physical weakening. The rate of
erosion is a function of the velocity of the process stream, the angle of
impingement upon the surface of concern, the solids concentration of the
stream and the temperature of the stream. Erosion and corrosion may sometimes
occur together. Some materials form a layer of corrosion that acts as a
barrier to further corrosion. These protective layers usually have less
physical strength than the material on which they are formed. If erosion
destroys this layer, then the surface of the material will be eroded away as
new corrosion layers are formed and eroded off. A common site of erosion is
in the bends of piping.
Mechanical Failure—
Mechanical failure of equipment results from overstress, whether internal
or external. Extremes or cycles of temperature and pressure can result in
mechanical failure of process equipment. Externally applied stresses such as
vibration and supported loads can also result in the mechanical failure of
process equipment.
Creep is the flow of metals held for long periods of time at stresses
lower than the normal yield strength. Stress rupture is the failure of a
metal at stresses lower than the normal yield strength after it has reached a
point beyond which it cannot creep.
Repeated heating and cooling cycles may sometimes result in thermal
fatigue. Thermal fatigue produces cracks and may ultimately result in a
172
-------�
structural failure. A sudden change in temperature can sometimes result in
thermal shock. Thermal shock which causes the sudden unequal expansion or
contraction of different parts of a piece of equipment, can result in cracking
or separation.
Vibration can be very destructive. Metals can become fatigued and fail
in a manner similar to that of thermal fatigue. Concrete foundations can be
destroyed by vibrating equipment. The weight of insufficiently supported
equipment or the stress caused by settling foundations or supports is also
destructive.
The ensuing subsections discuss some of the design considerations,
failure modes, and control technologies specific to each of the previously
named equipment categories: vessels, piping, and process machinery.
3.3.3 Vessels
As used here, vessels include all major items of equipment containing
significant inventories of liquids or gases; this includes both process and
storage equipment. Vessels include tanks, reactors, heat exchanger shells,
receivers, columns, and similar equipment. Vessels may be atmospheric,
pressurized, or operate under vacuum.
Vessel equipment failures that could result in an accidental release
could occur in one of the following locations:
* Piping joints at vessel nozzles;
• Vessel seams, including welded attachments such as nozzles
and support lugs;
• Vessel shell wall failure; and
173
-------�
• Vessel flanged joints such as where a head joins the
shell.
Vessel Pipe Joint Failure—
Joints of piping to vessels are either threaded, flanged, or welded,
although flanged joints are probably the most common for larger process
vessels with connections over two inches. Faulty installation or repair may
be the most common causes of failure at a flanged attachment. Incorrect
gaskets may be used. Flanges may be bent by excessive bolt tightening, which
results in insufficient pressure on the gasket to assure a complete seal.
Gasket faces may be scratched or dented. A gasketed joint may be bolted with
the gasket half in the grove and half out. Mechanical stress due to inade-
quately supported loads or vibrations may overstress bolts and result in a
leak. The bolts around the perimeter of a gasketed joint often require a
specific tightening sequence at a specific tightening torque. A failure to
follow these specifications can result in a poor seal. Flanges or bolts of
incorrect specifications may be substituted during a repair, but substitutions
of this kind could result in a premature failure of the flanged joint.
Flanged or threaded joints are sometimes used to join equipment and
piping of different materials of construction. A joint of this type is
potentially subject to galvanic corrosion. The threads on a threaded attach-
ment can be destroyed by galvanic corrosion, resulting in a complete failure
of the joint.
Vessel Seam—
Generally, two types of seams are used on vessels: welded and riveted.
Riveted vessels are not recommended for use with toxic chemicals because the
overlap at a riveted seam is subject to both internal and external corrosion
and each rivet is the potential source of a leak due to corrosion. Stresses
can be concentrated around each rivet and stress or stress corrosion cracks
can form around rivets. Vessels for toxic chemicals should have welded seams,
but even these may fail under certain circumstances.
174
-------�
With vessel seams, the primary preventive measure is proper initial
welding. Sloppy welding may result in a porous or incomplete weld that does
not provide the necessary structural strength. Also, a welded seam may leak
because of corrosion. The metal surrounding a weld is heated during the
welding process, and this heating can result in unrelieved stress in the metal
which may contribute to the formation of stress corrosion cracking. Heating
can also create the precipitation of complex carbides, which can result in
intergranular corrosion.
Sometimes welding is used to join two different metals. This type of
weld is subject to thermal fatigue when it is subjected to repeated heating
and cooling cycles caused by differential expansion and contraction of the
different metals. Cracks from thermal fatigue will initially form slowly but
will progress more rapidly with time.
Some welds are actually designed to fail in the event of an overpressure.
An atmospheric storage vessel will often be designed to fail at the
shell-to-head joint to prevent the entire contents of the tank from emptying.
Vessel Shell Failure—
The nozzles attached to a vessel shell are sites for potential vessel
failure. Inadequately supported loads on fittings connected to a nozzle may
result in failure of the nozzle. Thermal expansion and contraction of piping
may create excessive stress on a nozzle. A tank settling under subsidence of
the ground beneath it can cause connection and nozzle failure. Vibration of
support piping or equipment may also cause a nozzle failure. Unrelieved
stress formed during fabrication may contribute to stress corrosion cracking.
Galvanic corrosion is a potential wherever a fitting made of a different metal
is attached to a nozzle.
External forces may cause the main vessel shell to be susceptible to
failure. Unsupported loads such as support piping, platforms or walkways can
175
-------�
cause the collapse of a vessel shell. Loads created by foundation settling
can also cause a vessel shell to collapse.
Thermal shock caused by a rapid temperature swing will result in unequal
expansion or contraction of different parts of a vessel, which may result in
damage. Thick walled vessels are more susceptible to cracking due to thermal
shock than are thin walled vessels. Some vessel coatings may pull loose and
fittings may pull away because of thermal shock. A vessel shell (particularly
around a nozzle) may crack because of repeated heating and cooling cycles.
The effect is similar to thermal shock except that the fatigue of the metals
and of the joints between different metals develops more slowly.
A vessel shell is subject to several types of corrosion. -Corrosion in
the plate body of the shell, as opposed to seam welds, can result in thinning
of the wall and cracks which lead to shell plate failure. A bottom plate in
contact with a pad is particularly susceptible to external corrosion. An
insulated vessel may be subject to external corrosion in situations where
moisture has soaked into insulation and is trapped next to the vessel. A
vessel head is susceptible to corrosion that accompanies evaporation and
condensation of trace quantities of water. Numerous additional varieties of
corrosion specific to the chemicals and materials of construction are pos-
sible.
Vessel Failure Prevention Controls—
The primary prevention control for vessel failure related to the equip-
ment itself is proper design and construction and the avoidance of the kinds
of conditions, discussed above, that can lead to failure. The ASME Boiler and
Pressure Vessel Code, which specifies design standards for boilers, and
pressure vessels, was referred to in Subsection 3.2 of this manual. Most
states have incorporated all or part of the Code into their legal require-
ments. Where toxic chemicals are involved, it may be appropriate to use the
ASME Code as a minimum standard for the design of vessels. This may not be
practical for large storage vessels, however, where at a minimum, design might
176
-------�
be according to API (19,20.21). For all vessels, more stringent design may be
appropriate than these minimum standards where toxic chemicals are involved.
Most processing vessels are designed in accordance with ASME Code Section
VIII, Division 1. Subsection B of Section VIII provides some specific in-
structions for the fabrication of vessels used in "lethal service," which is
defined as a vessel used to handle poisonous gases or liquids of such a nature
that a very small amount of the gas or of the vapor of the liquid mixed or
unmixed with air is dangerous to life when inhaled. The Code specifies that
all vessels in lethal service shall have all butt-welded joints. These joints
must be fully radiographed to test their integrity before use. All vessels
made of carbon or low-alloy steel shall be postweld-heat-treated. The ASME
Code stipulates that brazed vessels cannot be used in lethal service. In
general, butt-welded or flanged joints should be used throughout a process
handling hazardous materials. Threaded or riveted joints should be avoided.
A storage vessel usually has less strength than a process vessel (such as
a reactor). For example large atmospheric storage vessels are often designed
to withstand only 8 inches of water and will burst at about three times this
pressure. These same vessels can only tolerate about 2.5 inches of vacuum.
Because they are easy to rupture or collapse, this type of tank may not be
suitable for storing large quantities of toxic chemicals. Care must be taken
when sizing vents and inlet and outlet lines on these vessels. The vent
should be sized to accommodate the maximum possible flowrates into and out of
the vessel. To prevent an overflow from overpressuring the tank, the vent
line and overflow lines must not rise more than eight inches above the side of
the vessel. Rapid heating or cooling of these vessels can cause a rupture or
collapse due to expansion or contraction in the vapor space.
Other storage vessel designs commonly used in the chemical industry may
not be appropriate for storing toxic chemicals. For example, because of vapor
loss, external floating roof tanks are probably not appropriate.
177
-------�
The American Petroleum Institute has stated that corrosion is the prime
cause of deterioration in vessels (14). Because this deterioration is often
slow, it may go undetected. The primary defense against corrosion is the
selection of the correct materials of construction. Very rarely will a
material be completely resistant to corrosion where it is being used. In most
cases, an allowance for corrosion is provided by increasing the thickness of
the material.
Protective coatings are often used to slow the rate of corrosion. These
coatings should be used with care when hazardous materials are involved. Very
thin coatings (less than 0.75 mm thick) should not be relied on for corrosion
protection because coatings of this thickness may have very small flaws that
will allow material to contact the surface below the coating (3). Most
coatings are permeable to some chemicals. When a coated material is used, it
should be resistant to all components to which it will be exposed. If a
coating is permeable to some species in a mixture, then this species will
penetrate the coating and contact the surface below. Even if the permeable
species is not corrosive to this surface it may damage the bond between the
coating and the support surface and ultimately result in a failure of the
coating.
Vessels should be constructed to minimize crevices and allow for complete
drainage, cleaning, and easy inspection. The internals of a vessel should be
so arranged that all exposed surfaces can be cleaned and so that liquid is not
held up when the vessel is emptied. External corrosion can be reduced by
protecting all outer surfaces with a coating. If insulation is used, care
must be taken to seal the insulation so that moisture does not get in and
become trapped against the vessel wall.
Care must be taken when dissimilar metals must be contacted with each
other as galvanic corrosion can result. The degree to which galvanic corro-
sion will occur will depend on the metals involved, on the area of contact,
and on the electrolytic character of the liquid contacting the metals. Table
178
-------�
3-4 shows the Galvanic Series of Metals and Alloys. The farther apart two
metals appear on this table, the more susceptible to galvanic corrosion they
will be when in contact with each other. The American Petroleum Institute has
compiled a list of design recommendations to combat galvanic corrosion (21):
• Select combinations of metals as close together as possi-
ble in the galvanic series.
• Avoid making combinations where the area of the less noble
material is relatively small. It is good practice to use
the more noble metals for fastenings or for other small
parts in equipment built largely of less resistant
material.
• Insulate dissimilar metals wherever practical. If com-
plete insulation cannot be achieved, materials such as
paint or plastic coatings at. joints will help to increase
the resistances of the circuit.
• Apply coatings with caution. For example, do not paint
the less noble material without also coating the more
noble, otherwise greatly accelerated attack may be concen-
trated at imperfections in coatings on the less noble
metal. Keep such coatings in good repair.
• In cases where the metals cannot be painted and are
connected by a conductor external to the liquid, increase
the electrical resistance of the liquid path by designing
the equipment to keep the metals as far apart as possible.
• If practical, add suitable chemical inhibitors to the
corrosive solution.
179
-------�
TABLE 3-4. GALVANIC SERIES OF METALS AND ALLOYS
Corroded end (anodic, or least noble)
Magnesium
Magnesium alloys
Zinc
Aluminum alloys
Aluminum
Alclad
Cadmium
Mild steel
Cast iron
Ni-Resist
13% chromium stainless (active)
50-50 lead-tin solder
18-8 stainless type 304 (active)
18-8-3 stainless type 316 (active)
Lead
Tin
Muntz metal
Naval brass
Nickel (active)
Inconel 600 (active)
Yellow brass
Admiralty brass
Aluminum bronze
Red brass
Copper
Silicon bronze
70-30 cupronickel
Nickel (passive)
Inconel 600 (passive)
Monel 400
18-8 stainless type 304 (passive)
18-8-3 stainless type 316 (passive)
Silver
Graphite
Gold
Platinum
Protected end (cathodic, or most noble)
Source: Reference 3.
180
-------�
• If dissimilar materials well apart in the series must be
used, avoid joining them by threaded connections, since
the threads will probably deteriorate excessively. Welded
joints are preferred, and the use of filler material more
noble than at least one of the metals to be joined.
• If possible, install relatively small replaceable sections
of the less noble material at joints, and increase its
thickness in such regions. For example, extra-heavy wall
nipples can often be used in piping, or replaceable pieces
of the less noble material can be attached in the vicinity
of the galvanic contact.
• Install pieces (sacrificial anodes) of bare zinc, mag-
nesium, or steel to provide a counteracting effect that
will suppress galvanic corrosion.
Control Effectiveness—
The control effectiveness of various vessel design factors is measured in
terms of the reliability of vessel components. Some reliability data related
to vessels are summarized in Table 3-5. The overall reliability of multi-
component control measures depends on the reliability of the individual
components and on the specific design or procedure.
Costs—
Costs for each vessel control measure are summarized in Table 3-6, which
lists vessel hazards, corresponding control technologies, and both typical
capital and total annual costs associated with each control measure. Costs
are in 1986 dollars. Table 3-7 presents design bases for the costs.
Case Examples (1)—
A cylindrical LNG storage tank ruptured and discharged its entire con-
tents over the plant and nearby areas. The LNG vapor ignited and an intense
181
-------�
TABLE 3-5. TYPICAL FAILURE RATES FOR VESSEL COMPONENTS
Failure Rate
Component (Failures/Year)
Vessel shell ,
Complete failure 3 x 10~
Rupture equivalent to 6 inch opening 7 x 10
Flanged head joint N/A
Flanged nozzle piping connections, flange 0.0026
leak or rupture
Seam welds N/A
Source: Adapted from References 1, 23 and 24.
182
-------�
TABLE 3-6. VESSEL HAZARDS AND CONTROL TECHNOLOGIES
Costs represent incremental costs over the baseline system presented in Table 3-7.
(1986 Dollars)
Basis:
Hazard
Control Technology
Total Annual
Capital Cost ($) Cost ($/Yr)
General Failure
oo
Flanged Joint Failure
Welded Joint or
Seam Failure
Vessel Wall Rupture
Corrosion resistant materials.
Higher pressure rating.
Greater corrosion allowance.
Vibration control in attached piping
systems, and on agitators.
Extra heavy foundations and extra
support structures.
Fire protection.
Increased inspection frequency.
Pressure/temperature cycling control.
Adequate pressure relief.
Protection from external physical
damage (curbing or barrier).
Correct flange/gasket combinations for
intended service.
Full diameter, correctly torqued, and
full circle bolting.
Leak monitoring.
Correct weld type and materials.
Correct weld procedure.
Double-walled vessel.
Wall thickness testing.
30.000
16.000
6.000
630
1.500
6.60/ft2
9.500
600
6.00/ft
17.000
5.200
2.800
1,100
55
280
0.60/ft'
800
1.400
50
0.50/ft
320
320
1.000
320
320
3.000
1.200
Source: Adapted from references 25, 26 and 27.
-------�
TABLE 3-7. DESIGN BASES FOR VESSEL CONTROLS
Vessel baseline - 10,000 gallon carbon steel pressure, storage vessel, 50 psig
rating, ellipitical heads.
Increased corrosion resistance - same as vessel baseline except 316 stainless
steel.
Higher pressur.e rating - same as vessel baseline except 100 psig rating.
Greater corrosion allowance - same as vessel baseline except 1/8" thicker wall
and heads.
Vibration control for attached piping - assume increase in piping supports
from one per 1A ft. to one every 7 ft. for 100 ft. of pipeline, 4 inch pipe.
Extra heavy foundations and extra support structures - Assume 50% increase in
cost over that required for baseline vessel, where cost for the vessel is
assumed to be 10% of the baseline vessel allowed, without any peripheral
equipment.
Fire protection - Assume the addition of a water deluge system over the
baseline vessels.
Increased inspection frequency - Assume an increase of 40 hours per year at an
hourly total labor cost of $20/hour.
Pressure/temperature cycling control - Assume the installation of a better
control loop somewhere in the process unit of which the vessel is a part.
Assume a conventional control loop.
Adequate pressure relief - Assume the addition of a 4-inch rupture disk to the
vessel. The baseline vessel is assumed to already have a safety relief valve.
Protection from external physical damage - Assume the addition of vehicle
curbing around the vessel process area.
Correct flange/gasket combination - Assume increased supervisory labor at 8
hours per year and $40 per hour.
Full diameter, correctly torqued bolts, and full circle bolting - Assume
increased supervisory labor at 8 hours per year and $40 per hour.
Leak monitoring - Assume monitoring costs as primarily labor at an extra 40
hours per year at $25 per hour.
Correct weld type, materials, and procedure - Assume increased supervisory
labor at 8 hours per year and $40 per hour.
(Continued)
184
-------�
TABLE 3-7 (Continued)
Double-walled vessel - Same basic specification as baseline vessel except with
double wall allowing for space between inner and outer wall.
Wall thickness testing - Assume inspection labor requirement at 40 hours per
year and $30 per hour.
185
-------�
fire burned at the plant, causing great loss of life and extensive damage.
More LNG flowed from the plant as liquid down the storm sewers, where it mixed
with air and exploded. Though the cause of the ruptures is uncertain, an
investigation concluded that the low carbon steel used in the vessel construc-
tion may have been unsuitable and that failure may have been caused by vibra-
tion or seismic shock. The final death toll was 128 and the number of injured
was estimated to be between 200 and 400.
In another incident, an estimated 30 tons of ammonia escaped from a
ruptured anhydrous ammonia storage tank. A gas cloud 492 feet in diameter and
66 feet deep formed, killing 18 people both inside and outside the plant. The
cause of the failure was brittle fracture of the dished end of the tank.
Evidence suggested there had been no overpressure or overtemperature of the
tank contents, and no other triggering event was determined. Ultrasonic
investigation of the dished end of the tank revealed numerous subsurface
fissures, perhaps caused by progressive cold-forming of the dished end.
3.3.4 Piping
The term "piping" is used here to describe three closely associated
categories of equipment: piping, fittings and valves. Piping can be drawn,
rolled and welded, or cast. Fittings are used to connect various pipe sec-
tions or connect pipe to another piece of equipment, to change the direction
of flow, or to provide a branch. Valves are used to regulate the flowrate or
direction of flow through lines. Valves use a number of different mechanism
to regulate flow. Some common varieties include, ball valves, gate valves,
globe valves, plug valves, diaphragm valves, butterfly valves, and check
valves. Check valves as a control technology for preventing backflow have
been discussed in Section 2 of this manual. Materials of construction for all
of these devices commonly include both metals and plastics.
Piping failures may occur at the following locations:
• Piping wall (including fittings);
186
-------�
• Joints;
• Valve stems;
• Valve bodies;
• Internal valve mechanisms; and
• A hose or hose connections.
Pipe Wall Failure—
Piping can be drawn, rolled and welded, or cast. Welded piping is
fabricated with a welded seam running the length of the pipe. Welded seams
are subject to stress corrosion cracking, intergranular corrosion and defec-
tive welds, which can cause a pipe wall failure. For toxic chemicals, seam-
less rather than welded piping is preferable.
A pipe wall is subject to the same failure modes as a vessel shell,
including excessive stress. Piping can be subjected to excessive stress by:
• Vibration;
• Misalignment; or
• Thermal expansion and contraction.
Vibration can be a very destructive force to process piping. For
example, 18-8 stainless piping subjected to a stress of 30,000 psi at a peak
deflection failed after approximately one million cycles. This same pipe
subjected to a vibration frequency of 60 cycles/sec, failed from fatigue in
five hours (26). Causes of vibration include periodic mechanical motion,
pressure pulsation associated with reciprocating machinery, high-pressure drop
across a control valve or unstable two-phase flow conditions.
187
-------�
Misalignment of pipe may result in failure by fatigue or in the formation
of stress corrosion cracking. Misalignment may be caused by an error in
installation of by shifting equipment. Sometimes during construction, two
piping ends come together and are not completely in line. These out of line
ends are usually forced into position. Forcing the pipes into position will
subject them to a stress probably unanticipated in the original design speci-
fications. This unanticipated stress can result in premature pipe failure.
Even if the initial installation was done correctly, equipment can settle or
poorly placed foundations and stress a pipe run in the same way as would a
misaligned pipe. Broken or defective anchors and hangers can create stresses
on a pipe run that can result in premature failure of the pipe.
Thermal expansion and contraction that is not properly accounted for in
the initial design can cause internal stress. Even if the original design
provided for thermal expansion, broken or defective sliding saddles or rollers
could cause excess stress during expansion and contraction. In addition to
stress caused by thermal expansion, repeated thermal temperature cycles can
result in failure caused by thermal fatigue.
Piping is often insulated. Moisture can get trapped beneath the insula-
tion and cause external corrosion. Piping will be particularly susceptible to
this near joints and fittings where it is difficult to ensure a good seal for
the insulation. The potential problem of atmospheric corrosion under insula-
tion applies for all insulated equipment. It is discussed here under process
piping because piping systems are often complex and it is difficult to monitor
all portions of the piping system for corrosion problems.
Pipe Joint Failure—
Some of the potential failure modes for pipe joints were discussed in
Subsection 3.3.A on vessels.
Most flanges are attached to the end of a pipe in the form of a
flanged-end fitting (a few varieties of pipe may be purchased as flanged-end
pipe). Some types of flanged-end fittings have a weaker tolerance for cyclic
188
-------�
stress loads than the piping to which they are joined. These varieties
include slip-on, socket-welded, and lap-joint flanges. Subjecting these
flanges to cyclic stresses may cause an unanticipated failure. Flanges may
fail as a result of thermal shock. Flanges must be made of a heavier gage of
metal than the surrounding pipe because they may be more susceptible to
thermal shock cracking than the surrounding pipe. Selecting flange bolts with
inappropriate strength and corrosion resistance can lead to a flanged joint
failure.
Pipes can be joined by welding. One variety of welded joint is the
socket-weld joint, which cannot resist bending stress as well as the pipe
which it joins. This joint may fail prematurely under bending stresses.
Additionally, a crevice between the two pipe ends is formed in a socket-weld
joint. Liquid can enter this crevice and result in corrosion. A second
variety of welded joint is the butt-weld joint. For most types of piping,
this joint is as strong as the pipe to which it is joined and may, therefore,
be preferred for toxic chemicals. The exception is where a butt-weld joint is
used to connect work-hardened pipes annealed by the welding (3) . All vari-
eties of welded pipe can fail because of sloppy welding.
A threaded joint can be used to connect pipe sections. A threaded joint
is not as strong and resistant to fatigue as the pipe it is joining. Threaded
joints have other disadvantages. Turbulence will form at the contraction
caused by a threaded joint. This turbulence can contribute to corrosion at a
point where the pipe is already thinned by threading. A threaded joint may
keep its seal even after most of the threads or pipe wall are destroyed. Such
a joint may fail completely before any leakage occurs and before any external
decay is detected. Threaded joints can be crushed by the force of the pipe
wrench used to tighten the joint, which will weaken the connection and possi-
bly result in later failure. A threaded joint can loosen when subjected to
torque. Such torque could be caused by thermal expansion or contraction or by
shifting equipment. A loosened joint may not seal completely and may not have
as much resistance to stress as a tight joint.
189
-------�
Valve Stem Failure—
A common source of leaks in a piping system is valve stems. Most valves
are constructed with some type of packing material around the valve stem that
allows the valve stem to rotate while preventing the process fluid from
escaping around the stem. Exceptions are diaphragm valves where the process
liquid is separated from the stem by the diaphragm and ball valves where face
seals are used.. Valve packings are made of a number of materials including
plastics, metals, and metal composites. Because the valve packing experiences
wear every time the valve is opened or closed, it is usually the weakest point
of the piping system and will be the first point to fail in the event of an
overpressure.
Leaks around a valve stem are frequent but are rarely serious unless the
leak results in a fire or explosion. It is possible to tighten the packing to
stop a leak when the valve is in operation. However, the life of valve
packing and the number of times that the packing can be compressed is limited,
requiring periodic replacement. A valve packing failure on a very large valve
might be sufficient to discharge a significant amount of toxic chemical, but
in most cases a release from a valve steam blowout would not be catastrophic.
Leakage around valve stems could indirectly lead to major equipment or process
failures, however. For example, small amounts of leakage over a long period
of time could result in corrosion that makes the valve inoperable. Such a
failure at a critical time in a critical line could lead to a major equipment
or process failure.
Valve Body Failure—
The failure of a valve body would be comparable to a pipe failure, and
could occur for the same reasons; excessive stress, corrosion or erosion.
The effect of excessive stress is of special concern with valves. Valve
bodies are constructed in irregular shapes that may not withstand bending or
twisting stresses. Where valves consist of two or more pieces forming a body,
the seal between the parts is a weak point, especially if the assembly bolts
190
-------�
are improperly tightened. Overstressing could also occur in the body parts
themselves if not joined properly to the piping. A valve that is rapidly
closed will experience a tremendous surge in pressure. This surge is known as
a "water-hammer11 or "hammer blow." This surge in pressure can result in
failure because of overpressure of the valve body, of the pipe-to-valve
fittings, or of the pipe near the valve.
Since valves disrupt the fluid flow, considerable turbulence occurs,
which can contribute to erosion.
Internal Valve Mechanism Failure—
The potential cause of failure of an internal valve mechanism depends on
the type of valve. Basic types include:
• Gate valves;
• Globe valves;
• Plug valves or cocks;
• Ball valves;
• Diaphragm valves; and
• Check valves.
A failure of the internal valve mechanism can result in low flow or excess
flow with all their attendant hazards (see Section 2 of this manual).
A gate valve is composed of a body containing a gate that interrupts the
flow. The valve is normally used in the fully open or fully closed positions.
Gate valves must usually be constructed of metals, which could limit their
usefulness in some corrosive environments.
191
-------�
When handling high-velocity flow of dense fluids, the gate assemblies can
shake violently. This vibration can result in failure of the gate assembly,
the valve body or the attached piping and equipment. Gates have been known to
fall off gate valve stems (27).
Some portion of the stem on a gate valve must be exposed to the process
fluid. For some varieties the threaded portion of the stem is exposed. This
could result in corrosion or erosion of the stem. Liquid entering the bonnet
of this valve when it is opened can be trapped in the bonnet when the valve is
closed. Thermal expansion or contraction could rupture the bonnet.
Globe valves are commonly used to regulate fluid flow. The valve is
composed of a disk (or plug) that moves axially to seat in the valve body.
These valves have a large pressure drop and can be the source of vibrations.
In most designs the disk is free to rotate on the stems, which prevents
galling between the disk and the seat. However, the ability to rotate can
result in a tilted and misaligned disk on closure and the disk on a globe
valve can detach from the stem. Process fluid solids, scaling, or corrosion
of the seat of disk can result in an inadequate seal.
A plug valve is composed of a tapered or cylindrical plug fitted snugly
into a seat in the valve body. When in the open position, the plug has an
opening in line with the flow openings in the valve body. A plug valve can be
constructed from metals, coated metals, or plastics.
The surface area between the plug and the valve body is large, which can
make the plug difficult to rotate. Some types of plug valves use a lubricant
to act as a seal and to allow the plug to be more easily rotated. A common
way these valves can fail is by seizure of the plug. Temperatures above 500°
can cause differential expansion between the plug and the body and result in
seizure. A loss of lubrication between the plug and body can result in
192
-------�
seizure. Seizure of the valve could contribute to an accidental release if
the inability to open or close the valve results in a loss of control of the
process. An opposite problem is that a small plug valve could vibrate open or
shut if the fit between the plug and valve body became too loose (through
wear, for example).
Plug valves can trap a small quantity of the process fluid in the plug
cavity whenever the valve is closed. If the process fluid has a high coeffi-
cient of thermal expansion, this trapped fluid could result in a ruptured
valve if it were heated. An example of such a fluid is liquid chlorine.
Since water expands as it freezes, this could also occur with water that is
frozen when trapped in the valve. Some valves have a bypass built into the
plug, which relieves the plug cavity to the high pressure side of the valve
when it is closed. As long as the relief bypass does not become plugged.
these valves solve the fluid expansion problem. These valves are unidirec-
tional and are likely to leak if installed backwards.
A ball valve is similar to a plug valve except the plug is in the shape
of a ball. Plastic seats are used to seal the ball. Though not as prone to
seizure as plug valves, ball valves can seize as a result of thermal expan-
sion, corrosion or fouling. The ability of a ball valve to seal depends on
the performance of the plastic seals. Thus, once these seals are damaged or
worn, the valve could fail to function properly. Ball valves are usually
constructed of metals, which could limit their usefulness in some corrosive
environments. A ball valve also has the same disadvantage as a plug valve in
trapping process material in the ball when the valve is closed. Again,
unidirectional ball valves are available with a vent from the ball cavity to
the upstream side of the valve to prevent liquid entrapment.
A diaphragm valve is usually a packless valve composed of a diaphragm
made of a flexible material which functions as both a closure and a seal. A
compressor mechanism closes the valve by forcing the diaphragm against a seat.
Failure of the diaphragm can result in the leakage of the process fluid around
the stem, since some varieties of diaphragm valves have no packing around the
193
-------�
stem. A diaphragm rupture in a packless valve could result in a significant
release of a toxic chemical.
A butterfly valve is composed of a disc mounted on a stem in the flow
path. A 90 degree turn of the stem changes the valve from closed to com-
pletely open. The butterfly valve forms a complete seal around the perimeter
of the pipe. However, minor corrosion or erosion of the disk and seal may
cause them to not seal properly. The presence of solid deposits around the
sealing surface also may prevent a tight seal upon closure.
A number of varieties of check valves are available. Common varieties
include swing, lift (piston check or ball check). tilting-disk or
spring-loaded wafer-type check valves. Check valves are also discussed under
backflow prevention in Section 2 of this manual.
The common varieties of check valves vary slightly in their mode of
action; however, they all incorporate certain common features necessary for
their performance.
Successful function of all check valves depends on a reliable seal. The
two surfaces that form the seal must remain clean and smooth. The sealing
surfaces could be marred by corrosion, erosion, and solids in the fluid stream
that could lodge between the sealing surfaces and prevent a complete seal.
The portions of a check valve that form the seal have a coefficient of thermal
expansion typically 24 to 45 % greater then that of cast or forged carbon
steel (4) . This could cause unequal thermal expansion of portions of the
valve and prevent a tight seal.
All common varieties of check valves have moving parts that must remain
flexible and function under the influence of slight pressure changes. Corro-
sion, solids in the fluid stream, or formation of scale or polymer buildup
could prevent these moving parts from operating correctly. Corrosion could
also weaken springs and prevent valve closure.
194
-------�
Hoses and Hose Fittings—
Hoses are a frequent source of leaks and may result in large releases..
Two common causes of hose failure are physical wear and poor connections.
Because hoses are usually applied for intermittent use or quick connection, a
release can result from an incorrectly attached hose. Threaded hoses could be
incorrectly secured by only a few threads, by different thread types incor-
rectly combined, or by the attachment made with a gasket missing.
A release could result from the use of a hose-to-end connection that is
not strong enough. An example would be the use of a clamp or metal compres-
sion band connection of the type used to attach automobile hoses. These are
not suitable for use with toxic materials.
An operating error could result in an accidental release from a hose that
is disconnected before the line is properly isolated from the process.
Release Prevention Controls for Piping—
The American National Standards Institute has published standards for
chemical plant piping. ANSI standard B31.3 applies to most of the piping that
would be present at a facility handling hazardous chemicals. The standards
prescribe minimum requirements for the materials of construction, design,
fabrication, assembly, support, erection, examination, inspection, and testing
of piping systems subject to pressure or vacuum.
Where possible, seamless piping should be used for hazardous chemicals.
All joints should be either welded or flanged and threaded joints and fittings
avoided. As far as possible, all joints should be butt-welded. Properly
done, this provides joint strength equivalent to the original pipe. Flanges
should be used only where a removable joint is necessary. If a threaded joint
or fitting must be used, then it should be seal-welded. Because of their
superior strength, welding-neck flanges may be preferred over other kinds of
flanges. An exception must be made for some kinds of coated or specialty
piping that can only use lap-joint flanges. The potential for cyclic stresses
should be considered when an alternate kind of flange (other than
195
-------�
welding-neck) is used. Flange bolts must be consistent in strength and
material of construction with the design requirements of the system.
Metal-polyfluorinated ethylenes and metal-graphite spiral-wound gaskets
should be used instead of metal-asbestos gaskets where hazardous chemicals are
involved. These gaskets will often provide a better seal than the
metal-asbestos -type. A metal-ring-joint facing may sometimes be preferred
over a conventional gasket. In the event of a fire, this type of seal is less
likely to leak. The sealing surface is less likely to be damaged in handling
than a conventional gasketed seal. The metal-ring-joint facing can be more
resistant to the fluid being handled than a conventional gasket. This type of
seal is more difficult to disassemble because the flanges can be separated
only in the axial direction.
As shown in the previous sections, stress is a common failure mode for
all portions of a piping system. The potential for stress-related failures
can be reduced by proper design. Some considerations are:
• Shorten connections to reduce bending moment and raise the
fundamental frequency of vibration (destructive fre-
quencies tend to be less than 60 cycles/sec).
• Use pulsation dampeners where applicable.
• Provide engineered anchors and braces.
• Account for the potential for two-phase flow conditions by
providing extra bracing.
• Use pipe loops to control movement and vibration at
equipment connections. Avoid the use of bellows where
hazardous materials are involved.
196
-------�
• Allow for thermal expansion by using sliding supports.
• Do not support a valve body and use it to support the
attached piping but support the attached piping sepa-
rately.
• Do not allow a vessel or pump fitting to support attached
piping but support the attached piping separately.
• Consider the destructive force of "water-hammer" or
"hammer blow" when installing automatic valves. Valves
should not be allowed to close more rapidly than the
system can tolerate.
• During installation or repair, do not force piping ends
into alignment. This creates extra stress not planned for
in the original piping design.
• Use a heavier grade of flange than required by typical
practice.
A discussion of the applicability and design of each valve type for use
where hazardous materials are involved is presented below.
For reasons discussed previously, it may be preferable to avoid gate
valves when using hazardous materials.
Although globe valves have several drawbacks, they are usually the only
alternative when automatic flow control is required. When globe valves are
used, they should be designed with built-in precautions to prevent misalign-
ment of the disk with the seat. Such precautions could include guides above
and below the disk or using a spherical seat. Large globe valves must be
installed with the stems vertical.
197
-------�
Valves should be installed with the high-pressure side connected to the top of
the disk. This would result in the valve closing if the disk were to separate
from the stem.
Plug valves and ball valves probably provide the most reliable form of
off/on flow control. However, care must be taken to select a valve with the
appropriate overpressure protection where materials with high coefficients of
expansion could be trapped and heated or frozen in the valve when it is
closed. To ensure adequate sealing, ball valves should be of the fixed ball
variety with spring-loaded seats.
Diaphram valves are well-suited for applications where a high level of
solids are present in the process fluid. If solids are not a concern, it may
be advisable to avoid using diaphragm valves. If the diaphragm fails, then
the valve will leak with little or no constriction. These valves are
generally limited to low pressure applications and probably should not be used
anywhere near their rated maximum pressure. If they are used they should be
equipped with packing around the stem.
If there is any potential for corrosion, erosion or fouling, and if the
system operates at anything other than moderate pressure, then butterfly
valves should be avoided.
Whenever possible, hoses should not be used where hazardous materials are
involved, although in some operations it may be impossible to eliminate them.
Each hose should be designed to withstand the conditions to which it will be
subjected. They should be joined to end connections that can be securely
fastened to form joints with other piping. Where more than one type of hose
is in use, each variety of hose should use a different type of end connector.
The corresponding connectors should only be installed at the process equipment
locations where each hose may be used. This will help prevent the use of
hoses in applications for which they were not intended.
198
-------�
The above discussion has focused on the individual elements in a piping
system. The following discussion lists some design considerations for overall
piping systems handling hazardous materials.
• Avoid dead ends or unnecessary and rarely used piping
branches. Minimizing piping will reduce the potential for
operating errors. Rarely used piping tends to be neg-
lected. Process materials can become trapped in dead ends
and result in corrosion, plugging, or unwanted mixing with
future incompatible process material.
• Take precautions against liquid holdup. All pipe runs
should be pitched to allow liquid to drain. Drains should
be at the lowest point in the system. Often this is not
the case when piping is installed or when future changes
are made. Provisions should be made to prevent a liquid-
full condition in a blocked section of line. A liquid-
full condition can result in a pipe rupture if the liquid
expands as it warms or cools to ambient temperatures.
• Minimize locations in main arteries outside high-integrity
block valves. This decreases the likelihood of a main
artery leak where rapid isolation could be more difficult.
• Bottom drain lines on vessels handling large volumes of
hazardous materials should be limited in diameter. This
will limit the rate of material release in the event of a
failure in drain line valves. A flow limiter valve which
automatically closes if flowrate exceeds a prescribed rate
can also be used. Drain lines should always be equipped
199
-------�
with two valves in series. A remotely operated emergency
isolation valve may be appropriate.
• The line and valve sizes into and out of a vessel should
be of the same capacity. If the inlet line has a higher
capacity than the outlet, then an overflow is inevitable
once control is lost.
• Piping systems should never be designed so that the
failure of a single valve will result in a significant
accidental release.
Control Effectiveness—
The control effectiveness of various piping design considerations is
measured in terms of the reliability of piping system components. Some reli-
ability data are summarized in Table 3-8. The overall reliability of multi-
component control measures depends on the reliability of the individual
components and on the specific system design or procedure.
Costs—
The costs for each control measure applicable to piping are summarized in
Table 3-9, which lists piping hazards, corresponding control measures, and
both typical capital and total annual costs associated with each control
measure. Table 3-10 presents the design bases for these costs.
Case Examples (1)—
Dead-ends in pipes can be the source of pipe failure when water collects
in the dead-end and freezes, breaking the pipe, or when corrosive matter
dissolves in the water and corrodes the line. In one case, water and impur-
ities collected in and corroded a dead-end branch of a 12-inch diameter
natural gas pipeline operating at a gauge pressure of 550 psi. When the
dead-end failed, the escaping gas ignited immediately, killing three men who
were looking for a leak.
200
-------�
TABLE 3-8. TYPICAL FAILURE RATES FOR PIPING COMPONENTS
Component
Failure Rate
(Failures/Year)
Pipe wall, under 3 inches diameter rupture
over 3 inch diameter, rupture
Flanged joint, leak or rupture
Gasket leak
Welded joint, leak
Valve casing
Valve stem seal
Manual valve
- failure to operate
- failure to remain open (plug)
- leak or rupture
Solenoid valve - failure to operate
Automated valves
- failure to operate
- failure to remain open (plug)
- leak or rupture
Check valves
- failure to open
- reverse flow leak
- rupture
8.8 x 10
8.8 x 10
0.0026
-6
-7
,-5
0.026
2.63 x 10
N/A
N/A
0.365
0.0365
8.8 x 10~5
0.365
0.1095
0.0365
3.65 x 10~6
0.0026
1.10 x 10~4
8.8 x 10~5
Source: References 23, 24 and 28.
201
-------�
TABLE 3-9. EXAMPLES OF PIPING HAZARDS, CONTROL TECHNOLOGIES. AND COSTS
Basis; Costs represent incremental costs over the baseline system presented in Table 3-10.
(1986 Dollars)
Hazard
Control Technology
Capital Cost ($)
Total Annual
Cost ($/Yr)
General Failure
Ni
o
N>
Flanged Joint Failure
Welded Joint Failure
Pipe Wall Rupture
Valve Failure
Corrosion resistant materials. 16,000
Higher pressure rating. 2,500
Greater corrosion/erosion allowance. 23,000
Monitoring/extra supports. 630
Vibration control. 630
Thermal expansion allowance. 750
Heat tracing per 100 ft. of line for 1.000
freeze protection.
Fire protection. 200
Increased inspection frequency. —
Additional piping supports. 630
Avoidance of long unsupported piping runs. —
Pressure/temperature cycling control. 9,500
Valve selection. —
Control of "hammer blow." (Valve 500
closure rate control)
Protection from external physical damage. 60
Correct flange/gasket combination for —
intended service.
Full diameter, correctly torqued, and —
full circle bolting.
Installation/maintenance supervision. —
Leak monitoring. —
Correct weld type and materials. —
Correct weld procedure. —
Double-walled pipe. 7,500
Wall thickness testing. —
Installation/maintenance supervision. —
Correctly sized and torqued body holding. —
2,800
430
4,000
1.000
55
65
200
30
800
15
1,400
90
5
320
320
320
1,000
320
320
1,300
1.200
320
320
Source: Adapted from References 25, 26 and 27.
-------�
TABLE 3-10. DESIGN BASES FOR EXAMPLE PIPING CONTROLS
Piping baseline - 100 ft. of 4 inch. Schedule 40, carbon steel piping with
average number of fittings.
Increased corrosion resistance - Same as piping baseline except 316 stainless
steel.
Higher pressure rating - Substitute Schedule 80 for Schedule 40.
Greater corrosion/erosion allowance - Substitute Schedule 80, 316 stainless
steel for Schedule 40, carbon steel.
Vibration control - Assume an increase in piping supports from one per 14 ft.
to one every 7 ft. for 100 ft. of pipeline.
Thermal expansion allowance - Assume addition of an extra loop of 10 ft. of
piping to the baseline.
Heat tracing - Assume electrical wrap heat tracing added per 100 ft. of
baseline piping.
Fire protection - Assume fireproofing added to baseline piping.
Increased inspection frequency - Assume an increase of 40 hours per year at an
hourly total labor cost of $20/hour.
Pressure/temperature cycling control - Assume the installation of a better
control loop somewhere in the process unit of which the piping is a part.
Valve selection and control of "hammer blow" - Assume substitution of
different valve type.
Protection from external physical damage - Assume 10 ft. of curbing placed
around pipe bridge supports.
Correct flange/gasket combination - Assume increased supervisory labor at 8
hours per year and $40 per hour.
Full diameter, correctly torqued bolts, and full circle bolting. Assume
increased supervisory labor at 8 hours per year and $40 per hour.
Leak monitoring - Assume monitoring costs as primarily labor at an extra 40
hours per year at $25 per hour.
Correct weld type, material, and procedure - Assume increased supervisory
labor at 8 hours per year and $40 per hour.
(Continued)
203
-------�
TABLE 3-10 (Continued)
Double walled pipe - Same basic specification as baseline piping except with
double wall allowing for space between inner and outer wall.
Wall thickness testing - Assume inspection labor requirement at 40 hours per
year and $30 per hour.
Installation/maintenance supervision - Assume increased supervisory labor at 8
hours per year and $40 per hour.
Correctly sized and torqued body bolting - Assume increased supervisory labor
at 8 hours per year and $40 per hour.
204
-------�
In another incident, at a pumping station on a liquid propane pipeline a
sudden increase in throughput indicated a major line break. The pipeline
failure occurred on high ground and the gas flowed down a sparsely inhabited
valley, which was evacuated. The cloud ignited in a sudden flash, creating an
overpressure and a fire storm which rolled up the hillside to a highway. The
pipeline pressure was believed to have been about 942 psig, and the amount of
liquid propane estimated to have escaped in the first 24 minutes was 750
barrels.
3.3.5 Process Machinery
Process machinery is process equipment that contains moving parts and is
used to physically treat, handle, or modify process streams. Examples include
pumps, compressors, agitators and refrigeration units. The discussion in this
section focuses on features common to most types of process machinery and
highlights some design considerations for pumps and compressors. Process
machinery failures may contribute to accidental releases by directly releasing
a toxic chemical contained therein, or by causing a process upset .that in-
directly leads to a release elsewhere in the process system.
Direct releases from process machinery may occur at the following loca-
tions:
• Rotating shaft seals;
• Machinery casing; and
• Machinery attachments.
Causes of releases at these locations are discussed below. Erosion and
corrosion are not discussed in any detail since these conditions have been
discussed in the previous sections of this manual.
205
-------�
Rotating Shaft Seals—
Process machinery comprises both rotating and reciprocating equipment. A
seal is required wherever a rotating or reciprocating device contacts the
process fluid. Seals include ring seals on pistons in reciprocating compres-
sors and rotating shaft seals. Rotating shaft seals are far more common in
the process plant, and only these are discussed further. Two methods used to
make this type of seal are a "packing" or "stuffing" box, or a mechanical
seal.
The seal is made in a stuffing box by wrapping the shaft in a woven
material and enclosing the wrapped section in a box to hold the packing in
place. The advantage of a stuffing box is that the packing is inexpensive and
may be easily replaced. The disadvantage is that a packing box does not form
a complete seal. At high speeds a packing box must leak to allow for lubrica-
tion between the shaft and the packing. These devices are not usually appro-
priate for use with toxic materials.
A mechanical seal is a prefabricated assembly that forms a running seal
between flat, precision-finished surfaces. A mechanical seal can leak because
of wear, incorrect installation, erosion, or system overpressure. A mechani-
cal seal depends on a precise contact of the two sealing surfaces. A scored,
corroded or in any way deformed shaft can result in a seal failure. The
presence of solids in the pumping fluid can destroy the integrity of a seal,
which is more of a problem when pumping gases with solids than liquids with
solids.
A seal that is not properly installed can fail; all components of the
seal must be precisely aligned. Most older pumps were designed for stuffing
and the stuffing box may not be big enough to accommodate the seal. A seal
installed with too small a clearance could fail because of overheating (29).
Even a properly installed seal will fail eventually as a result of wear
between the sealing surfaces.
206
-------�
Machinery Casings—
A release from a machinery casing may be caused by stress, corrosion, or
erosion.
There are both internal and external sources of stress on a machinery
casing. An internal source of stress would be overpressure of the process
fluid. External sources of stress include vibration, unsupported weight of
attached piping, or improperly torqued, especially overtorqued. bolting that
holds casing parts together. These stresses can cause deformation or cracking
of the casing.
Corrosion and erosion may be caused by many of the factors listed in
previous sections. A pump or compressor casing is particularly susceptible to
corrosion and erosion because of the high velocity and turbulence of the
fluid. The presence of solids can result in significant wear on the casing
and the internals of the pump or compressor. The combined action of corrosion
and erosion can significantly reduce the life of a casing.
The casing on positive displacement pumps and compressors can fail
because of flow blockage at the discharge (deadheading) or flow blockage at
the inlet (resulting in cavitation). Deadheading will result in an over-
pressure, and if not relieved, can cause a ruptured casing.
The casing on centrifugal pumps and compressors can also fail because of
flow blockage at the discharge. The liquid or gas trapped in the pump or
compressor will be heated if the device is left running after the discharge
has been blocked. This heating can cause thermal decomposition of the process
fluid or thermal expansion if both the inlet and discharge are blocked. Both
may result in an overpressure and failure of the casing.
Cavitation can result in vibration, erosion, and overheating resulting
from the formation and collapse of vapor cavities in the liquid at the
metal-liquid interface. Impellers are most frequently affected by cavitation;
207
-------�
however, damage to an impeller can cause excess vibration, which can result in
a failure of the casing.
The forces that can cause the failure of a machine casing can cause the
failure of a machinery attachment. Process machinery is often the source of
most of the vibrations in a process. This vibration is often amplified as it
is transmitted to piping and supports and can be very destructive.
Some machinery attachments may fail because of neglect, abuse or improper
design. A pump case drain line will usually require a long nipple before
mounting the drain valve. An excessive force (operator standing on the drain)
may break the line. Sometimes the machine attachments provided by the manu-
facturer will be improperly designed for the specific application for which
the machine is being purchased. A compressor, pressure relief device that
comes attached to a compressor should be carefully evaluated. Unless.specif-
ically communicated, the assumptions under which the manufacturer sized the
pressure relief may not be compatible with the requirements of the actual
process.
Process Machinery Failure Prevention Controls—
Stuffing or packing boxes may not be appropriate for toxic chemicals
because these devices do not form a tight seal and small amounts of liquid,
vapors, or gases are released during normal operation. Enclosing the pump in
a ventilated enclosure connected to a control device (such as a scrubber) may
be possible but may not be an acceptable alternative in many situations.
A properly installed single mechanical seal will typically operate for
about a year without any detectable release of material (29). A seal can fail
prematurely for any number of reasons, and for toxic chemicals, any failure
may be considered unacceptable. A number of levels of control can be achieved
by altering the seal design. Seal performance might be improved by using a
larger seal, which will result in a longer wear life. A cartridge seal comes
preassembled and may be used to avoid some of the potential installation
208
-------�
errors of standard seals. A bellows seal is a mechanical seal designed in a
way that reduces the potential for seal plugging over conventional spring
designs.
The most effective method for controlling accidental releases from mech-
anical seals is to use two seals. Further protection may be added by using a
sealing fluid between the two seals. Where hazardous materials are involved,
the sealing fluid must be compatible with the process fluid and it may be
necessary to monitor the sealing fluid for the presence of the process fluid.
In addition to seals, there are many other specific design considerations
for pumps and compressors which are discussed in the remainder of this
subsection.
Some kinds of pumps do not require mechanical seals and are less suscep-
tible to failures that might directly result in an accidental release. A
canned-motor pump is designed so that the motor rotor and pump casings are
interconnected; the motor bearings run in the process liquid and all seals are
eliminated. Eliminating the seal reduces the potential for an accidental
release from these pumps. Because the motor is exposed to the process fluid,
their use is restricted to nonabrasive and relatively noncorrosive fluids.
Repairing these pumps may require employee exposure to the pumping fluid and
thus they may not be suitable where toxic materials are involved.
A diaphragm pump is another type that does not employ a mechanical seal.
This pump uses the reciprocating action of a flexible diaphragm to move the
process fluid. A diaphragm pump can be mechanically or pneumatically driven.
The advantage of this type of pump is that only the diaphragm contacts the
liquid. The disadvantage is that eventually the diaphragm will break as a
result of wear or overpressure. If these pumps are used for toxic materials,
precautions must be taken to avoid an accidental release when a diaphragm
fails, which can be accomplished by totally enclosing the pump in a ventilated
enclosure; the vent gas going to a control device. An alternative is to
connect just the nonprocess side of the diaphragm to a controlled vent. The
209
-------�
pumping system design must account for the potential of explosive mixture
formation when a diaphragm ruptures on a pneumatically actuated pump.
A final variety of sealless pump is one where the impeller and motor are
linked magnetically. The impeller is totally enclosed and leakage is possible
only by failure of the impeller casing. These pumps are generally used only
for very small, low pressure pumping operations.
Overpressure protection is important for pumps and compressors. The
potential for deadheading a positive displacement pump can be reduced by using
a pump return loop which connects the discharge directly to the intake and
allows liquid to continue to circulate when flow is stopped downstream of the
pump loop. The loop should be sized to accommodate the minimum flowrate
required by the pump. The danger of using a pump return loop is that the loop
creates a route for potential backflow when the system is shut-off. A
system's design must provide sufficient backflow protection in such a situa-
tion.
Where hazardous materials are involved, pressure relief from pumps and
compressors must be piped to a total containment system. The backpressure
created by the containment system must be accounted for in sizing the pressure
relief device.
It may often be appropriate to install remotely controlled emergency
isolation valves at the intake and discharge of a pump or compressor that is
handling a hazardous material. This combined with a remote pump shutoff
switch allows flow to be stopped in the event of an accidental release from
the pump or compressor. Where two pumps are parallel, an alternative or
addition to the above recommendations would be to add the ability to remotely
switch from one pump to the other.
Care must be taken whenever encasing a pump or compressor in a vented
enclosure. While providing some accidental release protection, such
210
-------�
enclosures can be a trap for flammable mixtures. To avoid this, vented
enclosures should be purged with an inert gas, or with sufficient quantities
of air to keep the level of flammable vapors below the flammable limit. In
either case, the contents should be monitored for the presence of flammable
mixtures.
A number of pump parameters can be continuously monitored to help detect
potential failures before they occur. The following pump or compressor para-
meters can be monitored: overspeed, low oil pressure, high jacket-water
temperature, high gas discharge, high oil temperature, high level on knockout
drums, overload relays, vibration monitors, bearing load cells, and tempera-
ture indicators imbedded in bearings. Incipient failure detection is dis-
cussed in more detail in Section 4 under maintenance and modification prac-
tices.
Control Effectiveness—
The control effectiveness of various process machinery design considera-
tions depends on the reliability of system components. Some reliability data
are summarized in Table 3-11. The overall reliability of multicomponent
control measures involving machinery depends on the reliability of the indi-
vidual components and on the specific system design or procedure.
Costs—
Table 3-12 summarizes costs for some example control measures applicable
to process machinery. This table lists process machinery hazards, corres-
ponding control measures, and both typical capital and total annual costs
associated with each control measure. Design bases for the costs are pre-
sented in Table 3-13.
Case Examples (31) —
In a polyethylene plant, fatigue failure of a vent connection on a com-
pressor suction line allowed ethylene to escape. A gas cloud formed and later
ignited. Highly directional pressure waves caused widespread damage. Six
people were killed and thirteen injured.
211
-------�
TABLE 3-11. TYPICAL FAILURE RATES FOR PROCESS MACHINERY COMPONENTS
Failure Rate
Component (Failures/Year)
Pumps
- Failure to start 0.365
- Failure to run 0.011
- Shaft seal, major leak 5 x 10
Compressors N/A
Source: Adapted from References 23 and 24.
212
-------�
TABLE 3-12. EXAMPLE PROCESS MACHINERY HAZARDS. CONTROL TECHNOLOGIES. AND COSTS
Basis; Costs represent incremental costs over the baseline system presented in Table 3-13.
~~(1986 Dollars)
Hazard
Control Technology
Total Annual
Capital Cost ($) Cost ($/Yr)
General Failure
to
Shaft Seal Failure
Bearing Failure
Corrosion resistant materials.
Higher pressure rating.
Greater corrosion/erosion allowance.
Vibration monitoring and control.
Freeze protection.
Increased inspection frequency.
Installation/maintenance supervision.
Full bolting with correctly torqued
bolts.
Pressure/temperature cycling control.
Control of hammer blow.
Adequate overpressure protection.
Protection from external physical
damage.
Proper seal type for service.
Proper seal materials and construction.
Adequate seal flushing, lubrication, and
cooling.
Adequate overpressure protection.
Vibration monitoring and control.
Increased inspection frequency.
Specialized acoustic monitoring.
Preventive maintenance.
2,500
3.000
3,000
250
9.500
500
a
120
l.OOg
430
520
520
800
50
800
320
320
1.400
90
10
90
320
320
800
800
800
160
Source: Adapted from references 25, 26 and 27.
aCosts depend on specific systems used which are not directly related to the process machinery
itself.
Proper seal material depends on specific service.
-------�
TABLE 3-13. DESIGN BASES FOR PROCESS MACHINERY CONTROLS
Baseline equipment - Centrifugal pump, carbon steel, 250 gpm, 150 psig rating,
stuffing box seal.
Corrosion resistant materials - Same as equipment baseline except 316
stainless steel.
Higher pressure rating, greater corrosion/erosion allowance - Same as
equipment baseline except heavier casing.
Vibration monitoring - Assume equivalent cost of 40 hours additional operating
labor per year at $20 per hour.
Vibration control - Assume heavier foundations and supports.
Freeze protection - Assume 25 ft. of heat tracing.
Increased inspection frequency - Assume an increase of 40 hours per year at an
hourly total labor cost of $20/hour.
Full bolting with correctly torqued bolts - Assume increased supervisory labor
at 8 hours per year and $40 per hour.
Pressure/temperature cycling control - Assume the installation of a better
control loop somewhere in the process unit of which the pump is a part.
Control of "hammer blow" - Assume substitution of different type of valve or
valve closure mechanism in liner connected to pump for a 4-inch pipeline.
Adequate overpressure protection - No general estimate possible. Costs depend
on specific systems used which are not directly related to the process
machinery itself.
Protection from external physical damage - Assume curbing around pump area for
perimeter of 20 ft.
Proper seal for type of service - Double mechanical seal substituted for
stuffing box seal on baseline centrifugal pump.
Proper seal materials of construction - Assume increased supervisory labor at
8 hours per year and $40 per hour. Actual seal materials depend on specific
service.
Adequate seal flushing, lubrication, and cooling - Assume increased
supervisory labor at 8 hours per year and $40 per hour. Actual seal flush
system depend on specific service.
Specialized acoustic monitoring for bearings - Assume equivalent cost of 40
hours additional operating labor per year at $20 per hour.
Preventive maintenance - Assume bearing replacement once a year.
214
-------�
Failure of a pump in a butadiene processing unit spilled an estimated
27,000 Ib of butadiene that resulted in a vapor cloud release which drifted
600 feet before igniting 10 minutes later. One person was killed, six were
injured, and the plant suffered major damage.
3.3.6 Instrumentation and Control System Hardware
Mechanical failure of the components of a facility's instrumentation and
control system can cause a loss of process control which could result in an
accidental release. The relationship between process control and the poten-
tial for an accidental release was discussed in Section 2 of this report.
This section focuses on potential mechanical failures for the various compo-
nents of a control system. It does not address the problems that may result
from poor control system logic, which was also addressed in Section 2.
Instrumentation equipment may fail as a result of the following condi-
tions:
• Corrosion.
• Erosion,
• Mechanical deterioration, and
• Fouling.
The relative importance of these potential causes of instrumentation
failure depend on the kind of instrumentation involved. For example, corro-
sion may be a significant consideration for temperature measurement devices,
while fouling is a well-known problem with pH control systems. The various
listed conditions are discussed below.
215
-------�
Corrosion—
Both internal and external corrosion can damage instrumentation and
control system components. Any components that contact a process stream can
be subject to internal corrosion. The nature and concentration of the corro-
sive agents in the stream and the materials of construction of the component
determine the potential for internal corrosion. Corrosion damaging to system
operation is most often encountered in such control components as
control-valves, orifice plates, analyzers, chambers of certain level instru-
ments, gage glasses, probes, or any other device in direct contact with a
corrosive process stream. Internal.corrosion can cause moving parts to seize,
and membranes or sensing elements can be destroyed. Such failures can make
sensing and other functions impossible and cause a loss of control. Corrosion
can also cause leaks through instrument connections and housings.
External corrosion can be caused by moisture, salt air, fungi or corro-
sive vapors in the atmosphere. The American Petroleum Institute states that
"in hot, humid climates, these factors are the major causes of instrument
component failure" (29). Electrical components are susceptible to failure by
external corrosion. The formation of oxides, and the growth of fungus are
examples of external corrosion that can alter electrical properties and
prevent some portion of a system's electronics from functioning properly. In
more severe cases, external corrosion can destroy the physical integrity of
casings, conduit, or other structural portions of a control system. Such
deterioration could result in a failure of the control system by exposing the
internal portions of the system to the same corrosion that destroyed the
external portions.
Erosion—
The portions of a control system exposed to flowing process streams are
susceptible to erosion, especially streams containing significant amounts of
suspended solids. The high pressure drop and rapid fluid motion through an
orifice plate make it susceptible to erosion. Erosion of the orifice would
result in an altered pressure-to-velocity relationship and hence in failure of
the device. Any sensor the protrudes into a flowing stream, such as a
216
-------�
thermowell, can be subject to failure by erosion. Failure occurs when erosion
has physically destroyed the sensing element. The operation of a control
valve and its ability to accurately regulate flow can be impaired by erosion.
Mechanical Deterioration—
Several kinds of mechanical deterioration can affect a control system.
Examples of cases of mechanical deterioration include: fatigue failure and
wear, mechanical abuse, exceeding instrument limits, and overheating or freez-
ing.
Any instrument with moving parts is subject to fatigue failure and wear.
Instruments that oscillate over a narrow portion of the operating range are
most susceptible to wear. This type of wear can result in cracked, bent, or
broken moving parts. Seals and bearings will eventually wear out. Fatigue
failure can also be caused by external vibration or by the weight of unsup-
ported attached equipment. Such forces can result in cracked, bent, or broken
casings or internals.
Mechanical abuse is damage that results frpm careless maintenance or
operation. Examples of mechanical abuse damage are broken glass, damaged
housings, and bent valve stems. Damage can occur when personnel use instru-
ments attached to equipment as steps to climb on equipment. Control-valve
stems can be distorted from excessive torque if valve wrenches on the hand-
wheel are used to free binding valves. Equipment may be damaged by collision
with moving maintenance equipment.
Each instrument has a specific acceptable operating range and exceeding
this range may result in permanent damage to the instrument. Acceptable
operating limits are usually placed on the variable being monitored by the
instrument, on some of the chemical and physical properties of the process
stream and on the electrical power supply. For example, a stainless steel
bourdon tube pressure gauge may be equipped to monitor pressures from 0 to 500
psi. Such a gauge may fail if subjected to greater than 750 psi pressures, to
temperatures over 500°F, or to acidic process streams, depending on the
materials of construction.
217
-------�
Exposure of instrumentation to external sources of heat or to freezing
temperatures can cause instrument malfunctions. External sources of heat
could include fires, adjacent hot equipment or even direct sunlight in some
cases. Heat can alter or impair the performance of or damage the electronic
components of the system, such as heat-sensitive sensing devices. Extreme
heat (such as fire) can cause total destruction of the instrument. Low
ambient temperatures can also have adverse effects. For example, freezing may
impair free movement of parts.
Fouling—
Portions of a control system exposed to process streams are subject to
fouling from direct deposition of contaminants or by or reaction by products
in the streams. Fouling may block a sensing element from exposure to the
stream it is intended to monitor, thus preventing the system from controlling
the condition of the stream.
Design Considerations—
In designing control system hardware, proper initial instrument selection
may be the most effective method for reducing the potential for subsequent
failures. For almost every process variable at least two kinds of sensing
devices are available, each kind functioning on a different principle.
Different ranges are usually available for each device. For each range
several different materials of construction are likely to be available, which
means that for every specific application there are opportunities to select
combinations of specifications suitable for any particular service.
Selecting an appropriate sensor may not be a simple matter. The more
information available about the operating conditions, the easier the selection
will be. Since vendors will be quick to point out the advantages of their
device, it will often be up to the designer to explore all of the alternatives
available and use engineering judgement to make a selection. Guidance is
available from the technical literature that describe how various sensing
devices work and that aids in selection (29). From a practical perspective.
218
-------�
it is not always possible to pick a sensing device clearly superior to the
alternatives. For critical applications it may be necessary to install
redundant sensors that operate on different principles. Such redundancy
should be considered wherever the failure of a sensor would significantly
contribute to the potential for an accidental release.
Devices that protect a sensing element from severe process conditions are
also available. Such special protection should be considered whenever the
process involves a hazardous material. These devices are designed to lengthen
the life and therefore improve the reliability of the instrumentation. Many
of these protective devices can reduce the accuracy or increase the response
time of the sensor they are protecting, which must be taken into consideration
when incorporating such a device into a control system. Examples of some
protective devices are discussed below.
Pressure sensors are almost always protected from direct contact with the
process stream by various types of diaphragms. They may also be protected
from damage by sudden shock pressure or rapidly fluctuating pressure by
pulsation dampeners. Temperature sensors are often protected from the process
stream by a thermowell. Other probes can be protected from physical damage by
perforated casings. Where solids are present, a sensor may be installed in a
filtered slip stream. Where fouling is likely to occur, automatic or manual
cleaning devices are available to periodically remove solid buildup on a
sensing surface.
Extra support, shielding and vibration suppression equipment may be in
order for various components in a control system. Where possible, sensitive
electronic portions of the system should be protected. Often, the sensor,
transducers and control valves are the only parts of the control system that
need to be out in the process itself. The rest of the system can often be
placed in the protected environment of the control room.
219
-------�
Operator training will help prevent failures caused by abuse. Regular
inspection will help reduce the potential for an accidental release by correct-
ing instrument problems before they occur. The operation of most control
equipment can be tested on line without shutting down the process. Control
systems that oscillate around the set point should be returned before such
oscillation results in a failure. Control systems should be protected from
damage during shutdown or repair. Sensors may need to be isolated before
pressure or leak testing is performed, or before equipment is cleaned.
Control systems may also need protection during sandblasting or painting.
220
-------�
3.4 REFERENCES
1. Lees, F.P. Loss Prevention in the Chemical Process Industries.
Butterworth's. London. 1980.
2. Hazard and Survey of the Chemical and Allied Industries. American
Insurance Association. New York. NY, 1979.
3. Green, D.W. (ed.). Perry's Chemical Engineers Handbook, 6th Edition.
McGraw-Hill Book Company, New York, NY. 198A.
4. Piping Component Standards for Refinery Service, Std. 593-609. American
Petroleum Institute, Washington, D.C.
5. NFPA 30, Flammable and Combustible Liquids Code. 1984. National Fire
Protection Association, Quincy, MA, 1984.
6. Battelle Columbus Division. Guidelines for Hazard Evaluation Procedures.
American Institute of Chemical Engineers. The Center for Chemical Plant
Safety, New York. NY. 1985.
7. Kletz, T.A. Plant Layout and Location: Methods for Taking Hazardous
Occurrences into Account. Loss Prevention. American Institute of
Chemical Engineers. Volume 13, 1980.
8. Lewis, D.J. The Mond Fire, Explosion and Toxicity Index Applied to Plant
Layout and Spacing. Loss Prevention. American Institute of Chemical
Engineers. Volume 13, 1980.
9. Munson, R.E. Safety Considerations for Layout and Design of Processes
Housed Indoors. Loss Prevention. American Institute of Chemical
Engineers. Volume 13. 1980.
10. National Electric Code. National Fire Protection. 1984.
11. McNaughton, K.J. Selecting Materials for Process Equipment. Materials
Engineering I. McGraw-Hill Publications Company, NY, 1980.
12. Guidelines to the Selection and Use of Corrosion Resistant Metals and
Alloys. CS79-10. Pfaudler Company. Rochester, NY, 1979.
13. Failure Analysis and Prevention. Metals Handbook, 8th Edition. Volume
10. American Society for Metals, 1975.
14. Kletz, T.A. What Went Wrong. Gulf Publishing Company, Houston, TX,
1985.
15. Guide for Inspection of Refinery Equipment. Chapter VI, American
Petroleum Institute. Washington, D.C. December 1982.
221
-------�
16. Fontana, M.G., and N.D. Greene. Corrosion Engineering. McGraw-Hill.
Incorporated, 1978.
17. Vhlig, I.H. Corrosion Handbook. John Wiley and Sons, Incorporated, New
York, New York. 1948.
18. Proceedings of the International Corrosion Forum. 4 volumes. National
Association of Engineers, Boston, MA, March 1985.
19. Spec 12D, Specification for Field Welded Tanks for Storage of Production
Liquids, 9th Edition. American Petroleum Institute, January 1982.
20. Spec 12f, Specification for Shop Welded Tanks for Storage of Production
Liquids. 8th Edition. American Petroleum Institute. January 1982.
21. Std 620, Recommended Rules for Design and Construction of Large, Welded,
Low Pressure Storage Tanks, 7th Edition. American Petroleum Institute,
1982.
22. Guide for Inspection of Refinery Equipment. American Petroleum
Institute, 1973. Chapter II.
23. Reactor Safety Study. U.S. Nuclear Regulatory Commission, WASH-1400
(NUREG-75/014). October 1985. Appendices III and IV.
24. Anyakora, S.N., G.F.M. Engel, and F.P. Lees. Some Data on the Re-
liability of Instruments in the Chemical Plant Environment. The Chemical
Engineer. Number 255, 1971.
25. Peters, Max, and Klaus Timmerhaus. Plant Design and Economics for
Chemical Engineers. McGraw-Hill Book Company, New York, NY, 1980.
26. The Richardson Rapid Construction Cost Estimating System, Richardson
Engineering Services, Inc., San Marcos, California,
27. Radian Corporation, internal cost files, 1986.
28. Tomfohode, J.H. Design for Process Safety. Hydrocarbon Processing.
December 1985.
29. Guide for Inspection of Refinery Equipment. American Petroleum
Institute, 1981. Chapter 15.
30. Liptak, B.C. Instrument Engineers' Handbook. Chilton Book co. Radnor
PA. 1982.
31. Davenport, J.A. A Survey of Vapor Cloud Incidents. Loss Prevention.
American Institute of Chemical Engineers. Volume 11. September 1977.
222
-------�
SECTION 4
PROCEDURES AND PRACTICES
A well-designed and operated process, quality hardware and mechanical
equipment, and protective devices all increase plant safety; however, they
must be supported by the safety policies of management and by clear specifica-
tions on their operation and maintenance. This section describes how manage-
ment policy and training, operation, and maintenance procedures relate to the
prevention of accidental chemical releases. Within the chemical industry,
these procedures and practices vary widely because of differences in the size
and nature of the processes and because any determination of their adequacy is
inherently subjective. For this reason, the following subsections focus
primarily on fundamental principles and do not attempt to define specific
policies and procedures.
4.1 MANAGEMENT POLICY
Management is a key factor in controlling industrial hazards and prevent-
ing accidental releases. Management establishes the broad policies and
procedures that influence the implementation and execution of specific hazard
control measures. It is important that these management policies and pro-
cedures be designed to match the level of risk in the facilities where they
will be used. Most organizations have a formal safety policy. Many make
policy statements to the effect that safety must rank equally with other
company functions, such as production and sales. The effectiveness of any
safety program, however, is determined by a company's commitment to it, as
demonstrated throughout the management structure. Specific goals must be
derived from the safety policy and supported by all levels of management.
Safety and loss prevention should be an explicit management objective.
Ideally, management should establish the specific safety performance measures,
223
-------�
provide incentives for attaining safety goals, and commit company resources to
safety and hazard control. The advantages of an explicit policy are that it
sets the standard by which existing programs can be judged, and it gives
evidence that safety is viewed as a significant factor in company operations.
In the context of accident prevention, management is responsible for (1,
2. 3):
• Ensuring worker competency;
• Developing and enforcing standard operating procedures;
• Adequate documentation of policy and procedures;
• Communicating and promoting feedback regarding safety
issues;
• Identification, assessment, and control of hazards; and
• Regular plant audits and provisions for independent
checks.
Because human error is a common cause of accidental chemical releases,
personnel selection and maintenance of a qualified, experienced workforce is a
significant part of release prevention. Managers are responsible for ensuring
that personnel selection procedures adequately assess worker competency and
match vorker skills to job responsibilities. One author identified such
abilities as signal detection, signal filtering, probability estimation,
manual control, and fault diagnosis as important process operator skills (1).
In addition, however, personal characteristics, practical training and recent
relevant experience should be considered in the selection process. The ideal
process operator should be responsible, conscientious, reliable, and
224
-------�
trustworthy (1). Temperament is important since it affects a previous re-
sponse to monotony and stress. Motivation and communication skills are other
personality traits that could be assessed during personnel selection. Partic-
ular care should be taken when selecting operators for facilities handling
hazardous materials. The qualifications and capabilities of personnel in high
hazard facilities should be higher than for those in other process facilities.
Many accidental release incidents' and/or major industrial disasters have
been caused in part by a failure to properly assign responsibilities (1, 2).
It is just as important to avoid a situation where positions critical to
safety maintenance are left unoccupied; accidents have been attributed to
situations in which key safety responsibilities were vacated and left unas-
signed. An effective management policy sees that the responsibilities of such
positions are carried out even in the event of resignations and absences.
The responsibility for safety issues such as release prevention should be
shared by all management and workforce staff. The staff must be supported by
procedures for staff training in operating and maintenance practices, handling
upset and emergency conditions, using safety equipment, and performing facil-
ity audits. Establishing standard practices for these activities is necessary
to ensure uniformity, avoid confusion, and make enforcement possible. The
enforcement of standard procedures is one of management's most fundamental
responsibilities in the area of facility safety and accident prevention.
Management is also responsible for ensuring that an adequate description
of safety policy and standard procedures is available. In the chemical indus-
try, a great deal of documentation is produced covering areas from design and
layout, operation, maintenance, and inspection, hazard identification and
assessment, and emergency planning. So that procedure and policy statements
will not be overly cumbersome and monotonous, these documents should:
• Be easy to use;
225
-------�
• Be complete;
• Establish the importance and benefits of the procedures;
• Be clear and concise.
The document should be written to a specific audience. In other words,
the users of the policy and procedures document must feel it addresses them.
These documents should explain not only how release prevention activities are
conducted, but also why it is important that they be conducted in the speci-
fied manner, so that the benefits of proper safety practices will be clear.
Finally, attention to readability and style should be an important priority in
document preparation, since if personnel find the documents cumbersome and
wordy, they won't read them and they will not be easy to use as references.
Publicizing safety material is not enough, since personnel often think
these bulletins are dull (1, 2, 3). Encouraging communication, promoting
feedback, and emphasizing facility safety as a matter of professionalism are
examples of ways of countering "safety boredom." Active communication stres-
sing the priority of accident prevention should come from all levels of
management, so that personnel will feel that discussion of the effectiveness
of current safety standards and ideas for improvement is an important part of
their job. When management demonstrates a willingness to respond to initia-
tives from below and participates directly with workers in improving safety,
worker morale increases, increasing the degree to which standard procedures
are followed. Assigning safety and loss prevention responsibility to compe-
tent people and giving them specific, meaningful objectives and adequate
resources also encourages a professional attitude about the importance of
safety.
226
-------�
Hazard identification, assessment, and control is another area that
should be addressed by management to minimize the potential for accidental
chemical release incidents. In the past, these activities have been handled
relatively informally; however, many companies now use a more systematic
approach (3). In most instances, safety hazards are identified by the experi-
enced staff. Safety review committees that evaluate processes by a "what if"
approach are an example of using staff experience to identify hazards. The
objective of hazard assessment techniques is to gather information on how
frequently accidents could occur, how severe the consequences could be, and
what changes could be made in processes, equipment and procedures to reduce
the accidents and their consequences. Management must have a mechanism for
obtaining this type of information so that they can rank potential problems
and decide how to allocate hazard control resources. Various analytical
techniques, both qualitative and quantitative, are available for performing
hazard assessments (1, 2, 3). Managers are responsible for hazard control
decisions during the design, construction, startup, operation, maintenance,
and shutdown of chemical process facilities. Hazard control has typically
been aimed at minimizing the potential for incidents such as fires and explo-
sions; however, prevention of accidental chemical releases should also be a
fundamental consideration.
A facility safety audit is a frequently used activity associated with
hazard identification, assessment, and control. A total facility safety audit
involves a thorough evaluation of a facility's design, layout, equipment and
procedures, and is aimed specifically at identifying and correcting poten-
tially unsafe conditions. Audits are often conducted during facility startup
and repeated a year after startup. Thereafter, the frequency of safety audits
varies, typically ranging from every two to five years. Specific objectives
of these audits include alerting operating personnel to process hazards,
determining whether or not safety procedures need to be changed, screening for
equipment or process changes that may have introduced new hazards, assessing
the feasibility of applying new hazard control measures, identifying addi-
tional hazards, and reviewing inspection and maintenance programs (4).
227
-------�
In-house safety audits are generally the responsibility of senior manage-
ment and are conducted by teams selected by these managers. One review of
audit procedures recommended that audit committees include the plant manager.
a safety department representative, a project or design engineer, a mainte-
nance engineer, a process engineer, and an instrumentation/control engineer
(5). Another system is the independent safety audit, which is conducted by
qualified consultants or insurers. One of the primary advantages of hiring
independent entities to perform safety audits is that in addition to
evaluating facility safety, they check management organization, policies, and
attitudes.
4.2 OPERATOR TRAINING
The performance of operating personnel is a significant factor in pre-
venting accidental chemical releases. Many case studies documenting indus-
trial incidents note the contribution of human error to accidental releases
(1,2). Causes of release incidents include improper routine operating proce-
dures, insufficient knowledge of process variables and equipment, insufficient
knowledge of emergency or upset procedures, failure to recognize critical
situations, and, in some cases, a direct physical mistake (e.g., turning the
wrong valve). A comprehensive operator training program can decrease the
potential for accidents resulting from such causes.
Operator training can include a wide range of activities and a broad
spectrum of information. Training, however, is distinguished from education
in that it is specific to particular tasks. While general education is
important and beneficial, it is not a substitute for specific training. The
content of a specific training program depends on the type of industry, the
nature of the processes used, the operational skills required, the character-
istics of the facility management system, and tradition.
Some general characteristics of quality industrial training programs
include:
228
-------�
• Establishment of good working relations between management
and personnel;
• Definition of trainer responsibilities and training
program goals;
• Use of documentation, classroom instruction, and field
training (in some cases supplemented with simulator
training);
• Inclusion of procedures for normal startup and shutdown,
routine operations, and upsets, emergencies, and acci-
dental releases; and
• Frequent supplemental training and the use of up-to-date
training materials.
In many instances, training is carried out jointly by facility managers
and by a training staff selected by management. In others, management is
solely responsible for maintaining training programs. In either case, respon-
sibilities should be explicitly designated to ensure that the quality and
quantity of training provided is adequate and that there is accountability for
the training. Training requirements and practices can be expected to differ
between small and large companies, partly because of resource needs and
availability, and partly because of differences in employee turnover.
The job of the trainer is essentially to ensure that the right type and
amount of information is supplied at the right time. To do this the trainer
must not only understand the technical content of a job, but also those
aspects of the job where operators may have difficulty. It is therefore
advantageous for trainers to spend time observing and analyzing the tasks and
skills they will be teaching. This is referred to by Lees as prior-task
analysis, and is important for finding out which factors affect the learning
229
-------�
of skills and how training programs can be organized to best address difficult
areas (1).
Factors such as pace, motivation, and feedback are standard considera-
tions in educational and training applications (1). Training programs should
be conducted at a pace that allows operators to become thoroughly familiar
with the material. Maintaining motivation is essential; interest in the
material can be fostered by focusing not only on how tasks are conducted but
on why they are performed the way they are (e.g., pointing out the hazards
associated with improper procedures can motivate workers to do the job
properly and safely). Finally, performance feedback and reinforcement during
training is needed to correct poor technique, resolve misunderstandings,
reward good technique, and encourage further skill development.
Training programs may use a combination of classroom training, where
lectures can and should be supplemented with written material (e.g., specific
training documents as well as copies of standard operating procedures),
simulator training, and training within the facility itself. In-facility
training is particularly effective because it allows the operator to become
familiar with the actual process layout and to learn directly how to operate
equipment and instrumentation. During facility startup, valuable in-facility
training exercises can be conducted in hazardous areas using safe fluids
instead of actual process chemicals (2). Digital simulators are extremely
useful training devices, particularly for training in high-hazard areas.
Using these devices to closely simulate process operation allows training to
be conducted without endangering either a process or an inexperienced oper-
ator. Although simulators are useful in routine operator training, they are
perhaps even more important for upset and emergency training. Simulated
emergencies are an effective way to allow operators to witness a variety of
situations and make judgements in a non-stressful environment (6).
The objectives of normal operator training are to familiarize operators
with the nature of processes, equipment, chemicals, and standard operating
230
-------�
procedures. A list of the aspects typically involved in the training of
process operators is presented in Table 4-1.
Upset and emergency training typically augments the information presented
during routine training. Ideally, emergency training should be integrated
with routine operation training (2). This kind of presentation allows opera-
tors to become familiar with processes as a whole and illustrates how both
process characteristics and operator responses evolve from normal operation to
upset and on to emergency conditions. Emergency training includes topics such
as:
• Recognition of alarm signals;
• Performance of specific functions (e.g., shutdown
switches);
• Use of specific equipment;
• Actions to be taken on instruction to evacuate;
• Fire fighting; and
• Rehearsal of emergency situations.
Safety training includes responses to emergency situations, but is also
concerned with preventive measures. Safety courses are typically required of
new operators at chemical process facilities, and frequently these courses are
later supplemented by more thorough safety training. Aspects specifically
addressed in safety training include (1, 3):
• Hazard recognition and communication;
• Actions to be taken in particular situations;
231
-------�
TABLE 4-1. ASPECTS OF TRAINING PROGRAMS FOR ROUTINE PROCESS OPERATIONS
Process goals, economics, constraints, and priorities
Process flow diagrams
Unit operations
Process reactions, thermal effects
Control systems
Process materials quality, yields
Process effluents and wastes
Plant equipment and instrumentation
Equipment identification
Equipment manipulation
Operating procedures
Equipment maintenance and cleaning
Use of tools
Permit systems
Equipment failure, services failure
Fault administration
Alarm monitoring
Fault diagnosis
Malfunction detection
Communications, recordkeeping, reporting
Source: Reference 1.
232
-------�
• Available safety equipment and locations;
• When and how to use safety equipment;
• Use and familiarity with documentation such as:
- plant design and operating manuals,
- company safety rules and procedures.
- procedures relevant to fire, explosion, accident, and
health hazards,
- chemical property and handling information; and
• First aid and CPR.
Although emergency and safety programs traditionally focus on incidents
such as fires, explosions, and personnel safety, the prevention of accidental
chemical releases and release responses should also be addressed. Release
incidents are often overlooked because, except for infrequent catastrophes,
their impact can be less dramatic than that of fires or explosions. Combined
training with responding agencies is also a good practice because it allows
personnel from both sides to learn how to adapt their procedures to increase
the benefits of a joint emergency response effort.
The frequency of training and the frequency with which training materials
are updated (1-5) are also important in maintaining strong training programs.
One of the main problems associated with industrial training programs is that
the level of training provided during facility startup (or new employee
orientation) is often not followed up during the life of the facility (or in
the case of the employee, during his career) (2). Additional training pro-
grams, such as refresher courses, offer many advantages, particularly when
they cover procedures that may not be used very often (e.g., startup, shut-
down, upset, emergency). In some instances, experienced operators may become
careless or complacent, and additional training reminds them of the importance
of following proper procedures. Chemical processes may be modified to the
233
-------�
extent that equipment changes require operational changes. Supplemental
training ensures that operators are aware of the changes and of the safety
considerations that accompany them. Another advantage of training experienced
operators is that these workers can often point out the weaknesses and in-
adequacies in documented procedures and suggest alternate techniques. Differ-
ences in turnover in different companies also affect the experience profile of
the operating staff and influence the frequency of training.
Maintaining updated training materials and updated process design and
operating manuals is the responsibility of managers and training personnel.
These materials should be reviewed regularly, especially when plant modifi-
cations are made, to ensure that workers have access to up-to-date descrip-
tions and procedures.
Much of the type of training discussed above is also important for
management personnel. Safety training gives management the perspective
necessary to formulate good policies and procedures, and to make changes that
will improve the quality of facility safety programs. Lees suggests that
training programs applied to managers include or define (2):
• Overview of technical aspects of safety and loss preven-
tion approach;
• Company systems and procedures;
• Division of labor between safety personnel and managers in
with respect to training; and
• Familiarity with documented materials used by workers.
The training programs in effect in industries using, manufacturing, and
storing toxic chemicals represent an effort to minimize the potential for
accidental release and. therefore, should be considered as important as
234
-------�
physical containment. The training fundamentals presented here are only an
introduction to some features of the types and content of specific training
that can be provided, but they highlight the importance of a good training
program in fostering a staff genuinely concerned with safety and aware of how
their actions can affect safe operation of the facility.
A.3 MAINTENANCE AND MODIFICATION PRACTICES
Maintenance practices include both general practices that involve overall
maintenance policy and procedures, and specific practices for specific
maintenance objectives.
4.3.1 General Practices
Proper facility maintenance ensures the functional and structural integ-
rity of chemical processing equipment, ancillary equipment, and services.
Modifications are often necessary to allow more effective production, reduce
costs, or enhance safety. However, since these activities can be a primary
source of accidental release incidents, proper maintenance and modification
practices are an important part of accidental release prevention. Use of a
formal system of controls is perhaps the most effective way of ensuring that
maintenance and modification are conducted safely. In many cases, formal
control systems have had a marked effect on the level of failures experienced
(2).
Maintenance refers to a wide range of activities, including preventive
maintenance, production assistance (e.g., adjustment of settings), servicing
(e.g., lubrication and replacement of consumables), running maintenance,
scheduled repairs during shutdown, and breakdown maintenance. These activi-
ties in turn require specific operations such as emptying, purging, and
cleaning vessels, breaking pipelines, tank repair or demolition, welding, hot
tapping (attaching a branch to an in-service line), and equipment removal (2).
235
-------�
The potential for accidents during these types of procedures is quite
high. Two of the more common maintenance problems have been identified as
equipment identification and equipment isolation (2). Accidents frequently
result from incorrect identification of the equipment on which work is to be
done. This can have disastrous effects, especially if connections associated
with high temperature, high pressure, or hazardous material operations are
involved. Failure to adequately isolate equipment is another major source of
maintenance accidents. To protect process and maintenance personnel, it is
essential to have positive isolation of both process materials and moving
parts during maintenance activities. Other potential sources of maintenance
accidents are improper venting to relieve pressure, insufficient draining, and
not cleaning or purging systems before maintenance activities begin.
Permit systems and up-to-date maintenance procedures minimize the poten-
tial for accidents during maintenance operations. Permit-to-work systems
control maintenance activities by specifying the work to be done, defining
individual responsibilities, eliminating or protecting against hazards, and
ensuring that appropriate inspection and testing procedures are followed.
Such permits generally include specific information such as (2):
• The type of maintenance operations to be conducted;
• Descriptions and identifying codes of the equipment to be
worked on;
• Classification of the area in which work will be con-
ducted;
• Documentation of special hazards and control measures;
• Listing of the maintenance equipment to be used; and
• The date and time when maintenance work will be performed.
236
-------�
Maintenance permits originate with the operating staff. In this way,
operators and operation* supervisors are aware of impending maintenance
activities and are instructed to make any required operating changes and
properly isolate the equipment to be serviced. Permits may be issued in one
or two stages. In one-stage systems, the operations supervisor issues permits
to the maintenance supervisor, who is then responsible for his staff. Two-
stage systems involves a second permit issued by the maintenance supervisor to
his workforce (2).
Permit-to-work systems offer many advantages. They explain the work to
be done to both operating and maintenance workers. In terms of equipment
identification and hazard identification, they provide a level of detail that
significantly reduces the potential for errors that could lead to accidents or
releases. They also serve as historical records of maintenance activities.
To make sure that these systems give the desired protection, various authors
recommend that they be reviewed as part of facility audit procedures (2, 5).
Another form of maintenance control is the maintenance information
system. Such a system can generate information on facility incidents, fail-
ures, and repairs (2). Ideally, these systems should log the entire mainten-
ance history of equipment, including preventive maintenance, inspection and
testing, routine servicing, and breakdown or conditional maintenance. This
type of system is also used to track incidents caused by factors such as human
error, leaks, and fires, including identification and quantification of
failures responsible for hazardous conditions, failures responsible for
downtime, and failures responsible for direct repair costs. This information
is used to assess current maintenance practices and to develop maintenance
procedures and schedules that increase facility safety and reduce operating
costs.
Maintenance of the integrity and safe operation of process equipment
depends on proper facility modification practices. To avoid confusion with
maintenance activities, a modification is defined as an intentional change in
237
-------�
process materials, equipment, operating procedures, or operating conditions
(2). Industrial facilities frequently undergo modification; these activities
sometimes start during the design phase and nearly always take place during
commissioning and operation. Modifications may be temporary or may involve
permanent changes to equipment or operation.
Accidental releases frequently result from some aspect of facility
modification. Accidents happen when equipment integrity and operation are not
properly assessed following modification, or when modifications are made
without updating corresponding operation and maintenance instructions. In
many instances, equipment is changed under the stress of attempting to get a
facility operating as soon as possible. In these situations, it is important
that careful assessment of the modification results has a priority equal to
that of getting the facility on line.
Frequently, hazards created by modifications do not appear in the exact
location of the change. Equipment modifications can invalidate the arrange-
ments for system pressure relief and blowdown and can invalidate the function
of instrumentation systems. Even relatively minor modification can introduce
hazards if proper precautions are not taken (e.g., improperly supported bypass
lines) (2).
For effective modification control, there must be established procedures
for authorization, work activities, inspection, and assessment, complete
documentation of changes, including the updating of manuals, and additional
training to familiarize operators with new equipment and procedures (2, 3) .
Several factors should be considered in reviewing modification plans before
authorizing work. According to Lees, these include (2):
• Sufficient number and size of relief valves;
• Appropriate electrical area classification;
238
-------�
• Elimination of effects which could reduce safety stand-
ards;
• Use of appropriate engineering standards;
• Proper materials of construction and fabrication stand-
ards;
• Existing equipment not stressed beyond design limits;
• Necessary changes in operating conditions; and
• Adequate instruction and training of operation and
maintenance teams.
Following authorization, established procedures should be used to ensure
that work is conducted according to appropriate codes and standards and that
systems are fully inspected before commissioning. In many cases, it is
advantageous that the people involved with authorizing modifications be
involved with the pre-startup inspection.
Formal procedures and checks on maintenance and modification practices
must be established to ensure that such practices enhance rather than adverse-
ly affect plant safety. As with other facility practices, procedure develop-
ment and complete documentation are necessary. However, training, attitude.
and the degree to which the procedures are followed also significantly influ-
ence facility safety and release prevention.
4.3.2 Equipment Monitoring and Testing
The potential for an accidental release may be reduced by repairing or
replacing equipment that appears to be headed for failure. A number of
239
-------�
testing methods are available for examining the condition of equipment. Some
of the most common types of tests are listed below:
• Metal thickness and integrity testing;
• Vibration testing and monitoring; and
• Relief valve testing.
All of the above testing procedures are nondestructive; they do not
damage the material or equipment that they test. Only a few of the most common
test methods are discussed here. Additional methods and further detail on the
methods mentioned here may be found in references on testing procedures
(1.2.3.4).
4.3.3 Metal Thickness and IntegrityTesting
Metal thickness and integrity tests are used to determine the thickness
of metal in vessels and piping and the presence of general corrosion, cracks,
pitting, or other defects. These methods are also used to inspect the integ-
rity of welds. The two most common test methods are radiographic testing and
ultrasonic testing.
Radiographic testing uses an X-ray type of photograph of the equipment of
interest. A radiation sensitive film is attached to one side of a metal
surface. A radiation source (usually gamma rays) is opened up on the other
side of the metal surface. The radiation penetrates the metal and exposes the
film. The end result is an image of the surface and interior of the metal.
If properly taken and interpreted, the presence of defects in the metal as
well as the thickness of the metal can be determined. This method is often
applied to welds, and small diameter pipes, valves and fittings may be
radiographed without opening the line or taking it out of service. For larger
240
-------�
diameter equipment, the radiation source must be placed inside the equipment,
requiring that it be taken out of service. Proper handling of the radiation
source and proper interpretation of the radiographic picture require special
training. Most companies hire outside specialists to perform their
radiography, although some companies have trained in-house personnel.
The advantages of radiography are that it provides a reliable and de-
tailed picture of the condition of the item of interest, and for small equip-
ment that does not have to be taken off line it is a fairly quick testing
method. There are several disadvantages of radiography. Many pieces of
equipment must be taken out of service and opened up to allow access for the
radiation source. In these situations, more time will probably be required to
prepare the equipment for testing than will the actual test. Additionally,
operating personnel must be cleared from an area of the process when the
radiation source is in use. This could require additional process downtime.
The radiation from the testing may also interfere with certain types of
instrumentation.
In ultrasonic testing, a probe that generates an ultrasonic pulse is held
against the bare metal. The thickness of the metal is determined by the
instrument measuring the time required for the ultrasonic signal to travel
from the probe to the opposite side of the metal surface and back to the
probe. Small pieces of metal of known thickness must be available as a
reference for each material to be tested. The pulse and echo from the probe
are displayed on a cathode ray screen. Special training is required to be
able to properly intarpret the output from this test. A signal sent perpen-
dicular to the metal surface is used to measure the wall thickness at that
spot. By placing the signal probe at various angles, and moving the probe to
various locations on the surface, a trained tester can determine the presence
of cracks, pits or other irregularities in metal equipment and welds.
The advantages of ultrasonic testing are that it often requires less
preparation than radiography. No radiation is involved so testing areas do
241
-------�
not have to be cleared of personnel. Equipment does not have to be opened for
an ultrasonic test to be performed. But there are several disadvantages to
ultrasonic testing. Test results may not be easy to interpret, and it is
difficult to generate a permanent copy of the results for future examination.
Most ultrasonic equipment is not explosion proof and flammable materials must
be eliminated from the testing area. Since the ultrasonic probe cannot be
held directly against high temperature surfaces, an insulated material must be
used. The insulation, however, reduces the sensitivity of the probe.
Other test methods are available but less commonly used. These include;
magnetic-particle examination, liquid-penetrant examination, eddy-current test
method, thermography and electrical-resistance test method. The
magnetic-particle and liquid-penetrant examination methods are simple proced-
ures used for detecting the presence of surface cracks. The eddy-current test
method is often used to test the integrity of tubing. The electrical-resis-
tance test method, which is used to locate flaws in metal structures, has been
used for years by railroads to locate transverse cracks in rails. Additional
details of these and other testing methods may be found in the technical
literature (1,2).
4.3.4 Direct Corrosion Monitoring
Direct corrosion monitoring is accomplished by visual inspection, using
corrosion coupons, or various instrumental methods that measure corrosion
products in process streams. The shortcomings of these methods, especially
the coupon method, is that special circumstances, such as corrosion in a
specific area of equipment caused by localized stress conditions, for example,
might not be detected.
242
-------�
4.3.5 Vibration Testing and Monitoring
Vibration testing and monitoring is used to detect incipient equipment
failure and to diagnose what part of the equipment is failing. The basic
premise of vibration testing and monitoring is that defects in piping, struc-
tural supports or machinery are characterized by corresponding abnormal
vibrations.
Vibrations are measured using a variety of methods. A common vibration
measuring probe is the accelerometer, which measures the motion of the probe
relative to a motionless reference mass. A proximity probe is used to measure
the motion of one point relative to another.
The science of interpreting vibration information is called vibration
signature analysis. The method used in conventional vibration signature
analysis is as follows (5) :
"Instantaneous mechanical motion (vibration) is converted into an elec-
tronic signal that is then analyzed, filtered, or otherwise manipulated.
In mechanical vibration theory, this complex signal is the result of
summing many discrete sources, each vibrating at a single frequency.
Through a process called spectrum analysis, this summing effect is
mathematically reversed so that the energy content at individual frequen-
cies can be determined. Therefore, spectrum analysis helps one to
identify the specific components in a machine that are vibrating."
Lower frequency testing is good for obtaining a detailed diagnostic
picture of different components in a. given piece of machinery, but it is not
usually a good method for detecting incipient failures. Low frequency tests
are often run once a problem has been detected. Higher frequency monitoring
is good for detecting incipient equipment failure but is not well-suited for
diagnosing what the specific problem might be. A permanent high frequency
243
-------�
probe is often attached to a piece of machinery with an alarm to warn when
abnormal vibrations occur.
4.3.6 Relief Valve Testing
Two types of tests are carried out on relief valves. In one test, the
valve open and reseat pressures are measured. In another test, the capacity
of the relief valve is measured. The test for determining .opening and
reseating pressures involves a very simple bench top apparatus that uses
hydraulic pressure. The valve is pressurized with water until it opens, at
which point a small amount of water is ejected and the valve closes. The
opening and closing pressures are recorded. Most plant maintenance shops have
this type of capability. Measuring valve capacity is a much more complicated
procedure and almost always must be done at one of a few labs that is equipped
for this type of test.
The opening and reseating pressures of a relief valve should be tested
periodically as a part of routine maintenance. Testing a valve's capacity
should be done whenever any corrosion, fouling or scaling has occurred.
4.4 OPERATING AND MAINTENANCE MANUALS
As discussed in Sections 2 and 3 of this manual, accidental chemical
releases are often caused by either improper equipment or equipment failure or
process operation. Good operating and maintenance practices are the key to
preventing such releases. In both cases, clearly and correctly defined
procedures in maintenance and operating manuals contributes to good practices.
Well-written instructions give enough information about a process that
the worker with hands-on responsibility for operating or maintaining the
process can do so safely, effectively, and economically. These instructions
not only document day-to-day procedures, but also are the basis for most
244
-------�
industrial training programs (7, 8). In the chemical industry, operating and
maintenance manuals vary in content and detail. To some extent, this varia-
tion is a function of process type and complexity; however, in many cases it
is a function of management policy. Because of their importance to the safe
operation of a chemical process, these manuals must be as clear, straight-
forward, and complete as possible. In addition, standard procedures should be
developed and documented before plant startup, and appropriate revisions
should be made throughout plant operations.
Documentation of operation and maintenance procedures may be combined or
documented separately. Procedures should include startup, shutdown, hazard
identification, upset conditions, emergency situations, inspection and test-
ing, and modifications (1. 2). Several authors think operating manuals should
include (1. 3, 7, 8):
• Process descriptions;
• A comprehensive safety and occupational health section;
• Information regarding environmental controls;
• Detailed operating instructions;
• Sampling instructions;
• Operating documents (e.g.. logs, standard calculations);
• Procedures related to hazard identification;
• Information regarding safety equipment;
• Descriptions of job responsibilities; and
245
-------�
• Reference materials.
Equipment sketches and process flow diagrams are a useful feature of the
process descriptions included in operating manuals. Since safety and occupa-
tional health information is an integral component of operating manuals, this
section should include information on the properties and hazards of materials,
special precautions to prevent exposure, and spill and fume control measures
(8).
Operating instructions must include those for normal operations, normal
startup and shutdown (including variations based on length of shutdown), and
abnormal or emergency shutdown (1). Diagnostic guides and a listing of normal
(safe) operating limits specific to each type of pperation should also be
provided (3). Sampling instructions can include the location and identifica-
tion of sampling points, sampling frequency, sampling methods, and safety
precautions. Operating documents include operator's logs, manager's logs, and
standard calculations. Safety equipment descriptions generally include a
guide to locations, the equipment inspection schedule, and manuals for their
use and maintenance. Descriptions of job responsibilities should explicitly
define the operator actions expected in both routine and upset situations, and
should explain who has authority over specific functions (3, 7).
Serious industrial accidents have occurred during startup and shutdown
periods (2). Formal startup and shutdown procedures should be described in
the operating manual or in separate but readily available documentation.
Startup manuals, or manual sections, may include descriptions of the overall
startup strategy, pre-startup conditions, required utilities, and material.
process design, and equipment performance characteristics. Frequently this
type of documentation will include checklists summarizing the sequence of
steps that must be taken during startup (7.9). Hazard identification, acci-
dent prevention, and emergency actions specifically related to startup activi-
ties should also be addressed. Shutdown procedures should define practices to
be used for both normal and emergency shutdown. In many instances, process
246
-------�
facilities cannot be shut down rapidly, and tasks must be conducted in an
orderly progression to avoid creating hazardous conditions. For this reason,
sequential checklists summarizing activities are often included in shutdown
procedures. Some of the areas typically addressed by shutdown procedures are
(9):
• Cooling and depressurizing equipment;
• Pumping out vessels (particularly if vessel contain
flammable, corrosive, or toxic materials);
• Purging flammable vapors; and
• Inspections and testing before entering equipment.
The potential for chemical releases during startup and shutdown activi-
ties is significant. Fittings and equipment placed on line (i.e.. placed in
contact with process fluids) during startup are potential leakage sources.
During shutdown, operations such as purging, depressurizing, and equipment
disassembly are potential chemical release sources. The potential for.
prevention of. and proper response to accidental chemical releases should be
specifically addressed in startup and shutdown procedures.
Upset and emergency procedures instruct workers on how to handle non-
routine operations. Situations may range from operation outside the bounds
defined as normal to serious situations involving fire, explosion, health
hazards, or pollution episodes. Other examples of hazards for which pre-
scribed response actions should be available include:
• Leaks of materials from equipment;
• Defective or damaged equipment;
247
-------�
• Detection of unusual odors or sounds;
• Abnormal conditions such as high or low temperature or
pressure.
• Infractions of operating procedures or safety regulations,
• Unauthorized hazardous work, and
• Unauthorized personnel or vehicles in hazardous areas.
Maintenance manuals typically contain procedures not only for routine
maintenance, hut also for inspection and testing, preventive maintenance, and
facility or process modifications. These procedures include specific items
such as codes and supporting documentation for maintenance and modifications
(e.g., permits-to-work, clearance certificates), equipment identification and
location guides, inspection and lubrication schedules, information on lubri-
cants, gaskets, valve packings and seals, maintenance stock requirements,
standard repair times, equipment turnaround schedules, and specific inspection
codes (e.g., for vessels and pressure systems) (2). Full documentation of the
maintenance required for protective devices is a particularly important aspect
of formal maintenance systems. These devices include:
• Pressure relief valves;
• Rupture discs;
• Tank vents and filters;
• Other pressure relief devices;
• Non-return valves (e.g., check valves);
248
-------�
• Mechanical trips and governors;
• Instrument trips; and
» Alarm, sprinkler, and fire water systems.
Maintenance manuals should also describe the way to keep equipment
records. Such records are usually maintained for individual equipment items,
and include identification, location, engineering descriptions, operating
conditions, inspection intervals and maintenance history (2). In some in-
stances, equipment records are incorporated as part of the maintenance manual;
in others these types of records are maintained separately. These records,
and the frequency with which they are reviewed, are important to release
prevention because they have the data needed to evaluate equipment integrity.
The preparation of operating and maintenance manuals, their availability,
and the familiarity of workers with their contents are all important to safe
operations. The objective, however, is to maintain this safe practice
throughout the life of the facility. Therefore, as processes and conditions
are modified, documented procedures must also be modified. The written
documentation used to control operating and maintenance activities on a
day-to-day basis must be up-to-date and include the latest process changes.
One way of ensuring that documentation is properly maintained is to institute
a regular procedure review process (1, 5). This type of review is often
conducted as part of facility safety audits, but can also be performed inde-
pendently of total system checks. Examples of the questions often asked
during procedure reviews are presented in Table 4-2.
Documented operating and maintenance procedures form the backbone of
effective safety and loss prevention policy. Adherence to these procedures is
the primary standard against which management judges the worker's performance
in safe operations, and effort put into the preparation, maintenance, and
enforcement of these procedures is a measure of management's commitment to
249
-------�
TABLE 4-2. EXAMPLES OF QUESTIONS ASKED DURING PROCEDURE REVIEWS
Are manuals written in a clear and concise manner?
Are they available to all operators and maintenance personnel?
Are they kept up to date and reviewed at regular intervals?
Are the documented procedures obeyed?
Are the procedures reviewed regularly with each employee?
Are emergency plans included?
Are hazards and preventative measures spelled out?
Source: Reference 1.
250
-------�
accident prevention. In addition, these procedures are the building blocks of
training programs, of communications between operating staff and supervisors,
and finally, of improved procedures.
4.5 REFERENCES
1. Lees, F.P. Loss Prevention in the Chemical Industries - Hazard, Identi-
fication, and Control. Volume 1. Butterworth and Company, 1983.
2. Lees, F.P. Loss Prevention in the Chemical Industries - Hazard, Identi-
fication, and Control. Volume 2. Butterworth and Company, 1983.
3. Process Safety Management (Control of Acute Hazards). Chemical
Manufacturers' Association. Washington B.C., May, 1985.
A. Kubias, F.O. Technical Safety Audit. Paper presented at the Chemical
Manufacturers' Association Process Safety Management Workshop.
Arlington, VA. May 7-8, 1985.
5. Conrad, J. Total Plant Safety Audit. Chemical Engineering. May 14,
1984.
6. Training Plant Operators - New Digital Simulators Make It Easier and
Cheaper. Chemical Week. September 21, 1983.
7. Stus, T.F. On Writing Operating Instructions. Chemical Engineering.
November 26, 1984.
8. Burk, A.F. Operating Procedures and Review. Paper presented at the
Chemical Manufacturers' Association Process Safety Management Workshop.
Arlington. VA. May 7-8, 1985.
9. Hazard Survey of the Chemical and Allied Industries. American Insurance
Association, New York, NY, 1979.
251
-------�
SECTION 5
PROTECTION TECHNOLOGIES
This section discusses the various types of technologies that may protect
against the incipient accidental air release of a toxic chemical. Protection
technologies, as defined in this manual, apply when the chemical is still
contained; it has escaped from its primary containment but has not yet escaped
to the atmosphere. An example of an incipient accidental release is a relief
valve discharge still contained within its manifold piping. The technology of
protection involves equipment and systems that capture or destroy a toxic
chemical before it is released to the environment. Protection technologies
include the following:
• Flares.
• Scrubbers, and
• Enclosures.
Each of these technologies represents an add-on to the basic process
system it protects. Flares and scrubbers are technologies in common use for
ordinary pollution control with many well-developed applications. In the
context of accidental toxic chemical releases, however, there are special
design problems and considerations that may differ from the applications of
these technologies to ordinary process or vent streams. An enclosure provides
temporary containment of a released chemical until it can be released to the
atmosphere at a controlled, non-threathening rate or treated by one of the
other technologies discussed above. While the purpose of the first two
protection technologies is to reduce the quantity of chemical ultimately
released, enclosures control the rate of release to the atmosphere or to
treatment technology.
252
-------�
The appropriate application and proper design of these systems for toxic
chemicals must be evaluated on a case-by-case basis. At present, a major
limitation of both applicability and design are that fundamental design and
performance data under the severe and unstable operating conditions en-
countered in an emergency are not well developed. The basic characteristics
of flares and scrubbers, including a brief process description and a discus-
sion of the applicability of the technique, performance, and typical costs,
are discussed below.
5.1 FLARES
Flares are devices routinely used in the chemical process industries to
burn intermittent or emergency emissions of flammable waste gases. Sources of
such emissions are generally process vessels. Flares are distinguished from
other process combustion devices such as incinerators by their design to
handle extreme flow rate variations and their unenclosed combustion zone. A
flare is basically a stack which burns a flammable gas at the discharge.
5.1.1 Process Description
A total flare system consists of collection piping, a seal pot, a liquid
knock-out vessel, and the flare itself. Figure 5-1 is a conceptual illustra-
tion of a typical flare system. The flare is a section of vertical piping
with a specially designed combustion tip. The tip consists of a pilot light
to ignite flammable gases flowing out the end of the flare pipe. Tip designs
vary according to the specific application and are an important aspect of
flare design. The system shown in the figure is for an elevated flare.
Two basic types of flares are elevated flares and ground flares. Figure
5-2 shows a typical ground flare. Elevated flares are long vertical pipes
which may range to heights as great as 600 feet, while ground flares usually
do not exceed 150 feet in height (1). Ground flares are generally surrounded
by a refractory enclosure. Elevated flares are usually designed to handle
larger flows than ground flares, and is more likely to be used for high volume
upset or emergency flaring situations. The ground flare is more likely to be
253
-------�
ASSIST
STEAM1
ASSIST
STEAM JET
TIP
FLARE
STACK
COLLECTION
SYSTEM
MAIN LINE
/
V
DRAIN
PILOT
BURNER
IGNITOR
TUBE
IGNITOR
r"lj <> IGNITION
GAS
-? PILOT GAS
WATER
SEAL
KNOCK - OUT
~ POT
i
f.
s
Figure 5-1. Conceptual diagram of elevated flare system (steam assisted).
254
-------�
fO
COLLECTION
SYSTEM
MAIN
LINE
GROUND - FLARE
ENCLOSURE
KNOCK - OUT
POT
IGNITION GAS
PILOT GAS
DRAIN
BURNER
§
Figure 5-2. Conceptual diagram of ground flare system.
-------�
used for smaller volume, routine process venting. Elevated flares may be more
common, however. A survey of 21 petroleum refineries in California indicated
that elevated flares made up 87 per cent of the total (1).
Gases are collected through the collection piping and routed to the flare.
The collection piping consists of two basic parts: the main flare line and
lateral lines to individual process units or vessels. Proper operation of a
flare system depends on sizing the collection system to accommodate possible
simultaneous discharges of different processes at different pressures into the
flare system under widely varying flow rates. Pressure drop considerations in
different parts of the collection system are. therefore, quite important. The
maximum allowable line pressure is limited by the lowest pressure relief valve
discharging into the collection system.
A seal pot is often installed between the collection piping and the flare.
This water seal maintains some positive pressure on the flare piping collec-
tion system when there is no discharge in order to prevent backflow from the
flare into the collection system. Its primary purpose is to prevent air from
getting into the collection piping. Some systems use mechanical air restric-
tion seals.
A knockout drum is used between the collection piping and the flare stack
to prevent liquid hydrocarbons entrained with the gas from entering the flare.
Entrained liquid or solid particles may not totally burn which would degrade
flare performance or even cause a "raining" fire.
Other features of flares include air or steam injection at the flare type
to ensure smokeless operation, and the use of a purge gas flow at low flow
rates to maintain gas velocity and ensure flame stability.
5.1.2 Applicability
Flares may be applicable as protection against accidental releases of
toxic chemicals when the release is initially contained within piping or
ducting or can be routed to the same, for example, from a release within a
256
-------�
building, and when the toxic chemical is also combustible. The heating value
of the chemical must be sufficient to ensure its combustion at flare tempera-
ture conditions.
Basic design requirements for flares burning toxic chemicals are:
• The ability to operate safely over a wide range of flow rates
and varying compositions.
• Have acceptable emissions of radiant heat and noise, and
• Achieve acceptable destruction efficiency for the toxic
chemical.
Flow rates for flares are highly variable because flare systems are
designed for intermittent routine process or upset and emergency venting.
Compositions vary because gases are usually controlled from multiple sources
within a process facility. Elevated flares, which are used for higher capaci-
ties than ground flares, are designed with capacities as high as 2 million
pounds per hour with turn-down ratios of as much as a thousand. There are
estimates that over 95 per cent of the time, these flares operate at less than
five per cent capacity (2). The ability of flares to accommodate large varia-
tions in flow rate is an important consideration in using them for protection
against accidental chemical releases. Depending on the size of a flare rela-
tive to a potential release, the accidental release flow rate may constitute a
large or small fraction of the total flare flow rate and, correspondingly,
could -have a significant or relatively minor effect on the instantaneous total
flow rate and flare performance. For example, in a dedicated flare system,
where the accidental release would constitute the entire flow, significant
variability and performance fluctuations could occur. In a large shared flare
system, on the other hand, the accidental release flow might not have a large
effect on variability and performance if it is a small fraction of the total
flow.
257
-------�
Whether a dedicated flare or shared flare is used depends on site
specific considerations. A shared flare may be advantageous for several
reasons. A dedicated flare system for infrequent emergency use may be dif-
ficult to safely maintain in full working condition. A shared flare may allow
connection to an existing system. With a shared flare, however, design for
emergency conditions must ensure that a large release of toxic gas does not
overwhelm the flare and lead to flame blowout, or that the pressure from the
toxic emergency release does not cause a backflow into other process units
tied into the flare collection piping.
The primary compositional requirement of flares is that the vented gases
are easily ignitable and have adequate heating value to minimize supplementary
fuel requirements.
A fundamental flare design variable is exit velocity. Typical flare exit
velocities range from 0.2 to 400 ft/sec. Excessive exit velocities cause
flame detachment from the burner tip or flare quenching (flame-out). A
typical limiting exit velocity is AOO ft/sec or less, depending on the heat
content of the flare gas. This criterion has been recommended by the EPA to
ensure 98 percent destruction efficiency of flared chemicals using a steam-
assisted flare (3). The addition of an accidental release discharge to an
existing flare must not cause this maximum flow to be exceeded. The normal
maximum gas flow is determined by an inventory of all contributors to the gas
collection system and an analysis of the probability of various streams
venting simultaneously. From this total flow and from the maximum velocity
limitation the flare diameter can be calculated. The diameter of commercial
flares varies from several inches to about 3 feet.
Empirical correlations have been developed for sizing the remaining flare
components. Flame length can be estimated from the gas molecular weight
(which is related to heat content), temperature, and flow rate. The flame
length, combined with limitations on allowable heat radiation to personnel and
equipment, is used to determine the height of the flare and the required clear
area around the base. Numerous references present these calculations (4,5,6).
258
-------�
Two other important design considerations for flares include air infil-
tration and flashback. Water seals or mechanical seals are two means used to
prevent these conditions. At low process flows a purge gas may be used to
maintain adequate flow for proper flare operation. In a dedicated flare it
might even be necessary to maintain a slight positive nitrogen pressure on the
system to preclude air infiltration.
An existing flare system collects vent gases from process units as
needed, as well as emissions from pressure relief valves and other emergency-
generated sources. Some units may not be tied into the flare system for an}'
of several reasons. If a process unit does not require periodic normal
venting or in an old facility relief valves may vent directly to the atmos-
phere. Certain precautions should be observed when connecting multiple
discharges to a flare system. The precautions are avoidance of incompatible
chemicals, corrosive materials, and chemicals prone to fouling. Concern for
these chemical characteristics is significantly greater in a chemical plant
than in a petroleum refinery where much traditional experience on flaring is
based.
For example, some processes in chemical plants contain oxygen in the vent
stream. Releasing hot gases containing oxygen into a fuel-rich mixture could
create a flashback or explosion. Similar results could occur with other
mutually reactive materials.
Besides these incompatibilities between gases, fouling caused by venting
a polymerization reaction or other viscous substance into the collection
network could occur. Plugging could eventually cause a high back pressure in
the collection system, preventing relief valves from functioning properly.
Organic liquids entering the flare could overload the knockout drums and
create rain fires. Low vapor pressure liquids could flash, condensing and
freezing water vapor in the line, which would cause high back pressure.
Another concern is corrosion of the pipe network, which is normally made
of mild steel. Chlorides and acids are detrimental, although this is not a
critical concern in an emergency situation.
259
-------�
accidental release could damage the pipes or potentially affect the venting of
other process units. Table 5-1 summarizes the factors that need to be consid-
ered to prevent accidental chemical releases when using a flare system.
5.1.3 Control Effectiveness
Flaring protects against accidental toxic chemical releases by reducing
the quantity of toxic chemical released. This reduces the overall conse-
quences of the release. Ideally a flare would destroy all of the toxic
chemical so none would be released. It is difficult to estimate the destruc-
tion and removal efficiency (DRE) of flares because of the many variables
associated with their operation. Numerous studies have been conducted to
determine the operational performance of flares. EPA has published a set of
flare requirements that are meant to ensure 98 percent or greater destruction
of the gases (3). These requirements include a gas heating value of at least
900 Btu/scf and a maximum gas velocity related to the heating value. In an
emergency condition, however, these conditions might not be met. For example.
a large release of carbon tetrachloride could significantly reduce the lower
heating value of the flare gas since carbon tetrachloride is nonflammable. A
screening study on some 25-30 compounds performed on 1/16 and 1/8 inch diame-
ter test flares generally obtained over 99 percent destruction efficiency
except for high concentrations of carbon monoxide and ammonia (7). A 100 ppm
hydrogen cyanide stream was only 85 percent controlled.
It is difficult to measure the efficiency of an operating flare because
of the intense heat and the instability of the flame. Even pilot scale
facilities encounter these difficulties. A properly run elevated flare uses
steam or forced air to increase turbulence and allow complete combustion. The
gas flow can vary instantaneously, and since the flame life is 2-3 seconds,
steady state conditions are reached very quickly. As long as the accidental
released toxic is combustible and the volumetric rate does not exceed the
capacity of the flare nozzle, one would expect a high DRE.
In the case of noncombustible vapors, the use of a flare would dramati-
cally increase the dispersion. The gas velocity in the flare of up to 400
260
-------�
TABLE 5-1. IMPORTANT CONSIDERATIONS FOR USING FLARES TO PREVENT
ACCIDENTAL CHEMICAL RELEASES
• Maximum flow rate - will it cause a flame blowout?
• Possibility of air, oxygen, or other oxidant entering system?
• Is gas combustible - will it smother the flare?
• Will any reactions occur in collection system?
• Can liquids enter the collection system?
• Will liquids flash and freeze, overload knockout drum or cause rain
fire?
• Is the back pressure of the collection system dangerous to the
releasing vessel?
• Is releasing vessel gas pressure or temperature dangerous to collec-
tion system?
• Will acids or salts enter the collection system?
• Will release go to an enclosed ground or to an elevated flare?
• If toxic is not destroyed, what are the effects on surrounding
community?
261
-------�
steam or forced air to increase turbulence and allow complete combustion. The
gas flow can vary instantaneously, and since the flame life is 2-3 seconds,
steady state conditions are reached very quickly. As long as the accidental
released toxic is combustible and the volumetric rate does not exceed the
capacity of the flare nozzle, one would expect a high DRE.
In the case of noncombustible vapors, the use of a flare would dramati-
cally increase the dispersion. The gas velocity in the flare of up to 400
feet per second associated with the buoyancy of the thermal plume could easily
dilute ambient concentrations by several orders of magnitude. Some non-
combustible compounds could possibly undergo a pyrolysis reaction in the
oxygen-lean portion of the flame, especially if hydrogen is present.
Because of the variable flow capacity, high temperature, high gas veloc-
ity, and usual remote locations, using a flare to prevent accidental chemical
releases can be a highly effective technique. Small or isolated vessels that
contain a process that does not require normal venting of a flammable gas, and
that employ relief valves and rupture disks which may have never been used,
can be connected to a flare system to prevent accidental releases.
The number of potential hazards associated with flaring include:
• Explosions in the system;
• Obstruction in the system;
• Low temperature embrittlement of the pipework;
• Heat radiation from the flame;
• Liquid carry over from the flare; and
• Emission of toxic materials from the flare.
262
-------�
In designing and operating a flare system, precautions must be taken to
prevent these hazards from occurring. A rigorous examination of all probable
accident conditions should be performed with respect to the hazards listed
above to ensure that using a flare system to prevent accidental chemical
releases does not create a greater environmental hazard.
5.1.4 Costs of Flare Systems
As protection systems, flares have relatively low capital costs. Ele-
vated flares, constructed mainly of pipe, are very inexpensive. The flare tip
has a special design for efficient steam, air and fuel mixing. Enclosed
ground flares are an order of magnitude more expensive because of the numerous
burner nozzles, refractory material, acoustical insulation, etc.
The operating costs of elevated flares, however, are high because of the
need for a purge gas and steam injection. Enclosed flares have much smaller
pilot and purge gas difference becomes a significant factor, which explains
the use of ground flares for normal process flaring in conjunction with an
elevated flare for emergencies.
Table 5-2 compares the costs (1986 dollars) of elevated and ground level
flares (8). The costs of two applications are presented, ethylene waste gas,
and a low-Btu waste gas. As can be seen, initial costs for the elevated flare
are significantly lower than for the the ground flare. Costs for connecting a
new source to an existing flare system would depend primarily on the piping
and engineering costs for the modification. The capital cost of the elevated
system is only moderately sensitive to flowrate. The operating costs, how-
ever, for the elevated flare are proportional to the flowrate. The operating
costs of the ground fare depend little on size. The costs presented in the
table do not include costs for the collection system, which could easily
exceed the flare cost. Also, the design basis for the systems in this table
may not meet recently promulgated EPA requirements for a fuel gas heat content
minimum of 300 Btu/scf. This requirement could raise the operating costs
presented for the low-Btu waste gas example.
263
-------�
TABLE 5-2. COST COMPARISON OF ELEVATED AND ENCLOSED GROUND FLARING SYSTEMS (May 1986 Dollars)
Waste Gas
Flow Rate,
Ib/hr
I. Systems designed
25.000
250,000
II. Systems designed
2,500
25,000
250.000
Flare-Tip
Diameter, in.
for smokeless
3
8
24
for flaring of
3
8
24
Capital Total Annual
Cost* Cost
(S) ($/yr)
flaring of high-Btu (ethylene)
8.000
20.000
50.000 1.
low-Btu waste gases
pilots, purge
8.000
14,000
26.000
**
waste gases
16.000
150,000
450,000
and assist gas
6.500
52,000
480.000
Capital
Cost
($)
30.000
100,000
450.000
8,000
26.000
60.000
Total Annual
Cost
($/yr)
980
1.500
3.200
pilots and purge
(no assist gas)
980
1.500
3.200
Complete elevated flaring system with stack of sufficient height to ensure mmritmn grade-level
2
radiation of 1,500 Btu/hr/ft . ladders and platforms are all painted and ready for erection.
jfjf
Operating costs are based on 10 percent running time for flaring ethylene waste gases with continuous
3
natural gas pilots and continuous natural gas purge at $2.00/1000 ft . steam at $0.02/lb.
Operating costs are based on 10 percent running time for flaring low-Btu/ft and molecular weight of
3
24-with natural gas pilots, continuous purge and assist gas at $2.00/1000 ft .
Source: Adapted fron Reference 8.
-------�
5.2 SCRUBBERS
Absorption is the transfer of a soluble (or vapor) into a relatively
nonvolatile liquid. Absorption of a gas or vapor by a liquid can be physical
only, or can result in a chemical reaction. Regardless of the absorption
mechanism, intimate mixing of the gas and liquid is needed to achieve a high
absorption efficiency.
Scrubbers or gas absorbers that remove both organic and inorganic com-
pounds from gas streams are routinely used in many process facilities for raw
material and/or product recovery and as air pollution control devices (9) .
There are several standard types as well as special designs for specific
applications. Scrubbers can be used in some situations to control emergency
releases of toxic chemicals if they are properly designed and operated.
5.2.1 Process Description
Mass transfer equations that describe the absorption process have been
presented in numerous other works and are not shown here (10,11,12). The
removal efficiency of a gas is a complex function of equilibrium-related
factors (temperature, pressure, gas phase concentration, liquid phase composi-
tion) and kinetic factors (gas-liquid interfacial area, contact time, liquid
and gas rates, etc.). In general, the removal effectiveness of a gas by
absorption can be estimated from the vapor pressure of the gas at equilibrium
with the gas in the liquid. If the gas equilibrium vapor pressure of the gas
is low, the gas can be readily absorbed in a properly designed system.
As protection devices for accidental chemical releases, scrubbers can be
used to control toxic gas releases from emergency vents and pressure relief
discharges from process equipment or vents from secondary containment enclo-
sures. All scrubbers require a liquid feed system and some type of contacting
mechanism to provide high surface area contact between the gas and liquid. A
schematic of common absorber types is shown in Figure 5-3. The internals of
column or tower absorbers vary with with application. Formed packings of
265
-------�
INLET OUTLET
7 t
MAKEUP Y_ ^^~/
LIQUID, ,, «~° g£&
i t
LIQUID Q
RECIRCULATION »
LOOP
VENTURI
GAS
OUTLET
,
MAKEUP
<§§§§§§§> INLET *~~*1
lNu£T ^"^^^i ..»'"- LIQUID
LOOP
J
PACKED BEDS
(COUNTERCURRENT)
GAS
OUTLET
t
K • i
/ \ > \ '
GAS ) fc
INLET ^ m
^r- DEMISTER
_ XMAKEU
j *"f LIQUIC
'
IN KZ$ZZ%V \J_fc. QAS
X-VvySC^^ Is ^OUTLET
>^SoB22^L~ ^
[ .
C3 LIQUID
** RECIRCULATION
LOOP
(CROSSFLOW)
, MAKEUP
~^ LIQUID
LIQUID
RECIRCULATION 5
LOOP *
SPRAY TOWER
Figure 5-3. Three common types of scrubbers.
266
-------�
plastic and other materials, perforated trays, valve trays, and open columns
with spray nozzles have all been used. The types of absorbers most applicable
to accidental chemical releases are probably spray towers, packed towers, and
Venturis. Spray towers have the advantage of low pressure drop and high
liquid-to-gas (L/G) ratios, but the disadvantage of low efficiencies. The
open spray tower is used to reduce plugging problems for liquids that may
contain solids. The other tower internals are used with clean liquids.
Venturis have the advantage of simplicity, but the disadvantage of high back-
pressure and limited removal efficiencies. Packed towers have higher effi-
ciencies than spray towers but limited L/G ratios and a moderate backpressure.
Selection of specific tower internals is based on trade-offs between the
surface area for mass transfer and gas side pressure drop. Vendors are
continually striving to develop high area packings with low pressure drop
characteristics.
The size of an absorber is determined by flow rate, the gas-liquid system
involved, and the removal efficiency required. Flow rate determines diameter,
(or cross-sectional area) and the specific system and removal efficiency
determine the height (or time in the contact zone) of an absorber. In general
for packed beds or spray towers, the gas velocity is limited to a maximum of
about 10 feet per second, which establishes the diameter for a given flow
rate. The liquid rate is set based on the L/G ratio required to achieve a
specific removal rate for the particular gas and solvent combination.
5.2.2 Applicability
In general, absorbers are appropriate for protecting against accidental
releases of toxic chemicals when the substance released is readily soluble in
some non-flammable absorbing medium, and the size of the release allows an
economically reasonable scrubber size.
As discussed earlier, an absorber is sized to handle certain flow rates.
Significant variations in the flow can cause severe operating problems. High
gas rates cause flooding, weeping, and pressure surges in the column. The
267
-------�
flow characteristics of the accidental release may be steady or it may be a
sudden surge load on the absorber. The absorber must be designed to accom-
modate these operational demands. Absorbers for emergency relief applications
typically operate under a slight positive pressure. A high pressure gas surge
beyond the absorber vessel design pressure could damage the vessel. The
absorber must also be designed so that the pressure drop does not create a
backpressure that would cause a destructive overpressure at the source of
release. Such an occurrence would cause a greater release than the one the
scrubber was trying to prevent. Additionally, scrubbers must be designed to
accommodate hot gases, or those that generate heat when absorbed, to prevent
thermal damage to the absorber, vessel liner, or other equipment.
In the event of an accidental release, the concentration of the gas being
absorbed could be much higher than typically encountered in most industrial
applications. Scrubbers designed specifically for emergency discharges will
have taken this into account. Ordinary vent scrubbers may not be able to
handle the high inlet gas concentrations. For some gases, absorption is an
exothermic reaction. At high concentrations and flow rates, the heat gener-
ated may be sufficient to boil all of the scrubbing liquid, which could damage
the internals (if plastic), or perhaps cause a fire.
Another consideration is the selection of scrubbing solution. Both
aqueous and organic solutions can be used as absorbents. The absorbent
selected depends on the absorption characteristics of the toxic material being
absorbed. For example, while water may be satisfactory for hydrogen chloride,
an alkaline solution is required for substantial removal of chlorine form a
gas stream. It might be possible to use organic liquids in some situations as
long as they are not flammable or toxic.
Compared with a flare system, which may handle waste gases from multiple
sources, absorbers are often dedicated to specific units. Total plant capac-
ity absorbers are not common because of the diverse nature of gas contaminants
and the poor turndown ratio of absorbers. A typical turndown ratio is about
10:1. Also, absorbers are not readily adapted to handling flammable gases.
268
-------�
Absorbers generate waste material in the form of blowdown liquids and
solids. Even the regenerable systems require periodic replacement of the
scrubbing solution as it degrades and loses activity. The wastes may be
hazardous, depending on the contamination present in these streams, which is
another disadvantage when absorber systems are compared to flares. However,
for infrequent emergency use these disadvantages may not be critical.
5.2.3 Control Effectiveness
The ability of an absorber to remove contaminants from gas streams is a
function of the parameters discussed previously. Absorbers in process appli-
cations or pollution control with steady flow rates and constant compositions
are capable of very efficient control. The effectiveness of a scrubber for
protecting against accidental releases depends on whether it is dedicated to
the emergency system or is used continuously with an emergency tie-in. In
general, unless the occurrence of an accidental release significantly changes
the composition and flow rate of a gas normally being scrubber, the perfor-
mance of the non-dedicated absorber during a release incident would be ex-
pected to diminish only slightly. As long as the liquid phase chemistry is
not disturbed, absorption should reduce the effects of an accidental release.
For critical applications, dedicated scrubbers are preferable to common
scrubber units.
As an indicator of the performance capabilities of scrubbers in typical
industrial applications. Table 5-3 shows the removal efficiencies for various
organic compounds and solutions. As can be seen, most of the compounds are
effectively controlled. These types of efficiencies are for commercial
scrubbers where economics may be limiting the efficiency feasible for long
term operation. For emergency scrubbers, very high efficiencies may be
achievable that would not be economical for sustained, long-term operation.
Many other compounds, including H0S, HC1. SO,. Cl_, SO-, NH,. and other
t+ J £* £t
-------�
TABLE 5-3. SUMMARY OF SELECTED TYPICAL COMMERCIAL ABSORPTION
EFFICIENCIES FOR VARIOUS INDUSTRIAL CHEMICALS
% Control
Compound Scrubbing Liquid Efficiency
Acetone/phenol water 97
Acrylonitrile water 99
Aniline dilute sulfuric acid 99.4
Chloroprene oil 100
Chloroprene/neoprene oil 97
Cyclohexanol/cyclohexanone oil 99
Formaldehyde water 7 4
Methyl chloroform water 90
Nitrobenzene water 99+
Per/tri-chloroethylene water 90
Terephthalic acid water 95.6
Dimethyl terephthalate xylene 97
Toluene diisocyante water 60
Toluene diisocyante caustic solution 98
Source: Reference 13
270
-------�
operating cost considerations less important a very high efficiency may be
feasible.
Table 5-4 provides an example of the physical size and control capabil-
ities of a scrubber for a hypothetical 50% ammonia stream. For a highly
soluble gas like ammonia, relatively high efficiencies appear to be achievable
in a "reasonably" sized system.
5.2.A Costs
For a given application, the cost of a scrubber system depends primarily
on the size, as determined by flow rate and removal efficiency required.
Materials of construction based on corrosivity and pressure conditions also
determine costs. Specific items included in the system battery limits can
vary between applications. These include ductwork, fans or compressors,
scrubber internals, reagent feed systems, instrumentation requirements, and
degree of redundancy. Without considering a specific application, it is
impossible to present a system cost. Total capital costs (including installa-
tion, indirect costs, and other fees) for absorber vessels have been presented
in the literature in terms of column weight (14). The weight is related to
the length and diameter of tie absorber. The developed correlation was
presented on a log-log graph. The data convert to the following equation:
log (June 1981 $) = 0.89 * log (column weight, Ibs) +0.62
This corresponds to about $64,000 for a 5,000 pound column and does not
include packing, platforms, ladders, ducting, fans, or other equipment. It
does include face piping, some instrumentation, painting and insulation.
Operating costs of absorbers are highly variable. They are affected by
the type of system and the reagents consumed. Tail end absorbers often
produce throwaway materials which cause high reagent costs. The regenerable
systems, although they recycle chemicals, incur costs for the regeneration
step in the form of steam, reducing gases, or other commodities. Some costs
are also associated with pumping the liquid through the column and fans or
271
-------�
TABLE 5-4. EXAMPLE OF PERFORMANCE CHARACTERISTICS FOR A
PACKED BED SCRUBBER
Basis: Inlet stream of 50% NH, in 50% air. Constant gas flow per unit
cross-sectional area ox A55 scfm/ft .
Packing: 2 inch plastic Intaloz* saddles.
Pressure Drop: 0.5 inch water column
Removal Efficiency, % 50 90
Liquid to Gas Ratio
(gal/thousand scf)
— at flooding 160 160
— operating 80 80
Packed Height, ft. 3.1 11.A
Column Diameter and Corresponding Gas Flow Rates for Both Removal Efficiencies
Column
Diameter Flow Rate
(ft) (scfm)
0.5 90
1.0 360
2.0 1.400
6.3 14,000
272
-------�
compressors to move the gas. Absorbers typically generate a gas side pressure
drop on the order of 0.1 to 0.3 psi. Venturi absorbers can have pressure
drops as high as 3 psi. depending on Venturi throat size and L/G ratios.
For emergency scrubbers, which are used rarely except for periodic
testing, operating costs other than maintenance are not particularly
important. Selection of a specific system will be determined primarily by the
performance and capital cost.
5.3 ENCLOSURES
Enclosing equipment and vessels that store or process toxic chemical are
another way of preventing or decreasing the effects of an accidental chemical
release. Enclosures are containment structures that capture toxic chemicals
spilled or vented from storage or process equipment, thereby preventing
immediate discharge to the environment. The enclosures contain the spilled
liquid or gas until it can be transferred to other containment, discharged at
a controlled rate that would not be injurious to people or to the environment,
or transferred at a controlled rate to a flare or scrubber. While enclosures
may offer some protection, there may also be disadvantages or secondary
hazards, which are discussed below.
5.3.1 Process Description
Enclosures can be constructed around individual equipment items, .process
units, and entire plants, depending on the nature of the hazard being con-
trolled. For example, many facilities using solvents might vent all of the
air in the manufacturing building through an activated carbon system. In
laboratories and other small-scale facilities, small absorbers or filters may
be used on the exhaust gases. These type of systems are effective in control-
ling smaller emissions of toxic compounds in a normal atmosphere.
Reaction vessels may also be enclosed in buildings. However, several
factors should be considered in the design of such enclosures, including
273
-------�
potential flanmability and explosive hazards. Pressures over 5 psi are
capable of destroying conventional buildings.
Another enclosure scheme is to use underground storage tanks. Although
it is not common practice to bury pressure vessels, many tanks containing
volatile liquids are underground. The overburden acts as an effective damper
on emissions from such tanks. The use of underground storage tanks for
preventing a sudden release of toxic chemicals is an attractive concept.
Regulations concerning the design and operation of underground tanks for
hazardous wastes are designed to prevent any release to the environment (15) .
Although regulations have not been promulgated for hazardous products, the
same concern would be expected. These requirements are discussed further
below.
5.3.2 Applicability
Enclosures are useful for preventing the release of small amounts of &
toxic chemical because an enclosure can temporarily contain the chemical while
it is vented at a controlled rate to a control device (see protection techno-
logies) suitable for removing the chemical from the vented stream. A second-
ary hazard is explosion. Enclosures must be used with caution, however. For
example, a small leak of a flammable vapor in an enclosure could be
concentrated to the LEL, causing an explosion if a ventilation system is not
properly designed. Also, the rupture of a pressure vessel within an enclosure
could overpressurize the enclosure, resulting in it destruction. When enclo-
sures are considered for reducing the potential of an accidental release,
safety aspects must be carefully reviewed to prevent greater hazards. Enclo-
sures are more appropriate for non-flammable toxic chemicals than for toxic
ones.
A modified form of enclosure is the underground storage tank. Hazardous
product and reactants stored in underground tanks will have to conform to
regulations for these tanks. Such tanks require approved secondary contain-
ment which include external liners, vaults, and double wall tanks (15). For
tanks of hazardous waste substances currently regulated, monitors capable of
detecting a leak within 24 hours must be used, and all underground piping must
274
-------�
be double walled. Additional requirements are specified for ignitable.
reactive, and incompatible wastes in Fart 264.198 and 199. Regulations
governing release detection, prevention, and correction are expected in the
near future. Congress has specified the following dates by which EPA regula-
tions must be promulgated for underground tanks (16):
• February 9, 1987 - regulations for existing and new
petroleum tanks
• August 9, 1987 - regulations for new hazardous chemical
product tanks
• August 9, 1988 - regulations for existing hazardous
chemical product tanks
5.3.3 Control Effectiveness
Enclosures may be a very effective means of controlling accidental
releases. Depending on the type and design of the enclosure, emissions could
be almost totally controlled since they could be confined until vented to a
destruction or capture device such as a flare or scrubber. These types of
systems are used to control exothermic reactions that use pyrophoric reactants
(17).
The effectiveness of enclosures may be compromised by two things:
flammable materials and pressurized vessels. With flammable materials,
enclosures can create a secondary hazard both without and with an accidental
release. During routine operations, small leaks of a flammable substance in
an enclosed area can lead to the accumulation of a flammable vapor-air mixture
which, if ignited, could damage the enclosure and process equipment, thus
causing the catastrophe it was intended to prevent. Proper ventilation could
reduce this hazard. During a release, a properly designed enclosure should be
effective if the release occurs at a low to moderate rate. A sudden release
from a pressurized vessel, however, could overpressure the enclosure itself,
causing damage and releasing the chemical. The enclosure would have served no
275
-------�
causing damage and releasing the chemical. The enclosure would have served no
purpose. Because the sudden catastrophic failure is less likely than a large
uncontrolled leak, however, an enclosure still might be appropriate if de-
signed with appropriate explosion relief venting.
5.3.4 Costs
The variety of enclosures that can be used makes it difficult to estimate
their costs. Total containment systems can exceed the cost of the controlled
vessel, since they must be larger than the vessel and still be designed to
meet the same criteria. Costs for buildings with directed ventilation systems
can be estimated easily; however, a total cost can not be assigned to the
control system. Small enclosures around process vessels or equipment can also
vary in cost because of safety considerations (explosion risk, temperature
limitations, atmosphere requirements, etc.). Additional costs are associated
with the cleanup equipment needed when the enclosure becomes contaminated.
5.4 REFERENCES
1. Product Line Reference Catalog. National Air Oil Burner Company, Inc.,
Philadelphia, Pennsylvania, 1984.
2. Joseph, D., et al. Evaluation of the Efficiency of Industrial Flares:
Background—Experimental Design—Facility. EPA-600/2-83-070 (NTIS
P383-263723) August 1983.
3. Federal Register. Volume 50. April 16, 1985. pp. 14,941 - 14,945.
4. Evans, F. L., Jr. Equipment Design Handbook for Refineries and Chemical
Plants. Volume 2. Gulf Publishing, Houston, TX, 1974.
5^ Tan, S. H. Simplified Flare System Sizing. Hydrocarbon Processing.
October 1967. p. 149.
6. Kent, G. R. Practical Design of Flare Stacks. Hydrocarbon Processing
and Petroleum Refiner. August 1964, p. 121.
7. Pohl, J. H. and N. R. Soelberg. Evaluation of the Efficiency of Indus-
trial Flares: Flare Head Design and Gas Composition. EPA-60072-85-106
(NTIS PB86-100559) September 1985.
8. Straitz, J. F. III. Flaring with Maximum Energy Conservation. Pollution
Engineering. Volume 12, February 1980. p. 47.
276
-------�
9. Kohl. A.L. and F.C. Riesenfield. Gas Purification, 3rd Edition. Gulf
Publishing Corporation, September 1979.
10. Perry, R.H. Chemical Engineers' Handbook, 5th Edition. McGraw Hill, New
York, NY, 1973.
11. Sherwood, T.K. and R.L. Pigford, Absorption and Extraction, 2nd Edition.
McGraw Hill, New York. NY. 1952.
12. Treyball. R.E. Mass-Transfer Operations. 2nd Edition. McGraw Hill, New
York, NY. 1968.
13. Shareef. G.S. et al. Hazardous/Toxic Air Pollutant Control Technology: A
Literature Review. EPA-600/2-84-194 (NTIS PB 85-137107) December 1984.
14. Vatavuk. W.M. and R.B. Neveril. Costs of Gas Absorbers. Part XIII.
Chemical Engineering. October 4, 1982, pp. 135-136.
15. Lees, F. P. Loss Prevention in the Process Industries. Butterworth and
Company, Boston, MA, 1980.
16. Federal Register. July 14. 1986. 40 CFR Parts 260, 261, 262, 264. 265.
270. and 271.
17. Welding, T.V. Operational Experience with Total Containment Systems in
Protection of Exothermic Reactors and Pressurized Storage Vessels. (EFCE
Event 292). Chester England, April 1984.
277
-------�
APPENDIX A
GLOSSARY
This glossary defines selected terms used in the text of this manual
which might be unfamiliar to some users or which might be used differently by
different authors.
Accidental release; The unintentional spilling, leaking, pumping, purging,
emitting, emptying, discharging, escaping, dumping, or disposing of a toxic
material into the environment in a manner that is not in compliance with a
plant's federal, state, or local environmental permits and results in toxic
concentrations in the air that are a potential health threat to the
surrounding community.
Alkane; A chemical compound consisting only of carbon and hydrogen in which
the carbon atoms are joined to each other by single bonds.
Assessment; The process whereby the hazards which have been identified are
evaluated in order to provide an estimate for the level of risk.
Autocatalytic: A chemical reaction which is catalyzed by one of the products
of the reaction.
Carcinogen; A cancer causing substance.
Containment/Control; A system to which toxic emissions from safety relief
discharges are routed to be controlled. A caustic scrubber and/or flare can
be containment/control devices. These systems may serve the dual function of
destructing continuous process exhaust gas emissions.
278
-------�
Contingency Plan; A plan which describes the actions that facility personnel
will take to minimize the hazards to human health or the environment from
fires, explosions or accidental releases of hazardous materials.
Control System: A system designed to automatically maintain all controlled
process variables within a prescribed range.
Creative Checklist; A list of major hazards and nuisances designed so that
when an individual item from the list is associated with a particular material
or a significant part of a unit, an image of a specific hazard or nuisance is
generated as a stimulus to the imagination of members of a tnultidisciplinary
team.
Creative Checklist Hazard and Operability Study; A Hazard and Operability
Study which uses a Creative Checklist to stimulate a systematic, yet creative
search for hazards.
Emergency Response Plan; A plan of action to be followed by source operators
after a toxic substance has been accidentally released to the atmosphere. The
plan includes notification of authorities and impacted population zones,
minimizing the quantity of the discharge, etc.
Event Tree; A logic diagram which depicts all pathways (success and failure)
originating from an initiating event.
Exothermic; A term used to characterize the evolution of heat. Specifically
refers to chemical reactions from which heat is evolved.
Facility; A location at which a process or set of processes are used to
produce, refine or repackage chemicals, or a location where a large enough
inventory of chemicals are stored so that a significant accidental release of
a toxic chemical is possible.
279
-------�
Fault Tree; A logic diagram which depicts the interrelationships of various
primary events and subevents to an undesired top event.
Fire Monitor: A mechanical device holding a rotating nozzle, which emits a
stream of water for use in firefighting. Fire monitors may be fixed in place
or may be portable. A fire monitor allows one person to direct water on a
fire whereas a hose of the same flowrate would require more than one person.
Guide Word Hazard and Operability Study; A Hazard and Operability Study which
uses Guide Words to stimulate a systematic yet creative search for hazards.
Hazard; A source of danger. The potential for death, injury or other forms
of damage to life and property.
Hazard and Operability Study; The application of a formal systematic critical
examination to the process and engineering intentions of the new facilities to
assess the hazard potential of maloperation of individual items of equipment
and the consequential effects on the facility as a whole.
Hygroscopic; Readily taking up and retaining moisutre (water).
Identification; The recognition of a situation, its causes and consequences
relating to a defined potential, e.g. Hazard Identification.
Lachrymator; A substance which increases the flow of tears.
Mitigation; Any measure taken to reduce the severity of the adverse effects
associated with the accidental release of a hazardous chemical.
Mutagen; An agent that causes biological mutation.
Plant; A location at which a process or set of processes are used to produce,
refine, or repackage, chemicals.
280
-------�
Prevention; Design and operating measures applied to a process to ensure that
primary containment of toxic chemicals is maintained. Primary containment
means confinement of toxic chemicals within the equipment intended for normal
operating conditions.
Primary Containment; The containment provided by the piping, vessels and
machinery used in a facility for handling chemicals under normal operating
conditions.
Probability/potential! A measure, either qualitative or quantitative, that an
event will occur within some unit of time.
Process; The sequence of physical and chemical operations for the production,
refining, repackaging or storage of chemicals.
Process machinery; Process equipment, such as pumps, compressors, heaters, or
agitators, that would not be categorized as piping and vessels.
Protection; Measures taken to capture or destroy a toxic chemical that has
breached primary containment, but before an uncontrolled release to the
environment has occurred.
Pyrophoric; A substance that spontaneously ignites in air at or below room
temperature without supply of heat, friction, or shock.
Qualitative Evaluation; Assessing the risk of an accidental release at a
facility in relative terms; the end result of the assessment being a verbal
description of the risk.
Quantitative Evaluation; Assessing the risk of an accidental release at a
facility in numerical terms; the end result of the assessment being some type
of number reflects risk, such as faults per year or mean time between failure.
281
-------�
Reactivity; The ability of one chemical to undergo a chemical reaction with
another chemical. Reactivity of one chemical is always measured in reference
to the potential for reaction with itself or with another chemical. A chemical
is sometimes said to be "reactive", or have high "reactivity", without
reference to another chemical. Usually this means that the chemical has the
ability to react with common materials such as water, or common materials of
construction such as carbon steel.
Redundancy; For control systems, redundancy is the presence of a second piece
of control equipment where only one would be required. The second piece of
equipment is installed to act as a backup in the event that the primary piece
of equipment fails. Redundant equipment can be installed to backup all or
selected portions of a control system.
Risk; The probability that a hazard may be realized at any specified level in
a given span of time.
Secondary Containment; Process equipment specifically designed to contain
material that has breached primary containment before the material is released
to the environment and becomes an accidental release. A vent duct and
scrubber that are attached to the outlet of a pressure relief device are
examples of secondary containment.
Teratogenic; Causing anomalies of formation or development.
Toxicity; A measure of the adverse health effects of exposure to a chemical.
282
-------�
TABLE B-l.
APPENDIX B
METRIC (SI) CONVERSION FACTORS
Quantity
To Convert From
To
Multiply By
Length:
Area:
Volume:
Mass (weight) :
Pressure:
Temperature:
Caloric Value;
Enthalpy:
Specific-Heat
Capacity:
Density:
Concentration:
Flowrate:
Velocity:
Viscosity:
in
ft
in
ft2
in
ft3
gal
Ib
short ton (ton)
short ton (ton)
atm
mm Hg
psia
psig
°F
°C
Btu/lb
Btu/lbmol
kcal/gmol
Btu/lb-°F
Ib/ft
Ib/gal
oz/gal
quarts/gal
gal/min
gal/day
ft /min
ft/min
ft/sec
centipoise (CP)
cm
5
cm.
2
m,
3
cm.
3
m_
3
m
kg
Mg
metric ton (t)
kPa
kPa
kPa
kPa*
°c*
K*
kj/kg
kJ/kgmol
kJ/kgmol
kJ/kg-°C
3
kg/m3
kg/m
J / J
cm /m
m./min
m,/day
m /min
m/min
m/sec
Pa-s (kg/m-s)
2.54
0.3048
6.4516
0.0929
16.39
0.0283
0.0038
0.4536
0.9072
0.9072
101.3
0.133
6.895
(psig)+14.696)x(6.895)
(5/9)x(°F-32)
°C+273.15
2.326
2.326
4.184
4.1868
16.02
119.8
25,000
0.0038
0.0038
0.0283
0.3048
0.3048
0.001
*Calculate as indicated
Source: Adapted from Reference 22.
-------� |