Guidelines For Engineering Design For PR PDF
ENGINEERING DESIGN
FOR PROCESS SAFETY
This book is one in a series of process safety guideline and concept books
published by the Center for Chemical Process Safety (CCPS). Please go to
www.wiley.com/go/ccps for a full list of titles in this series.
GUIDELINES FOR
ENGINEERING DESIGN
FOR PROCESS SAFETY
Second Edition
WILEY
A JOHN WILEY & SONS, INC., PUBLICATION
Copyright © 2012 by American Institute of Chemical Engineers, Inc.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. All rights reserved.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to
the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax
(978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should
be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in
preparing this book, they make no representation or warranties with respect to the accuracy or
completeness of the contents of this book and specifically disclaim any implied warranties of
merchantability or fitness for a particular purpose. No warranty may be created or extended by sales
representatives or written sales materials. The advice and strategies contained herein may not be
suitable for your situation. You should consult with a professional where appropriate. Neither the
publisher nor author shall be liable for any loss of profit or any other commercial damages, including
but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services please contact our Customer Care
Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or
fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print,
however, may not be available in electronic formats. For more information about Wiley products, visit
our web site at www.wiley.com.
It is sincerely hoped that the information presented in this document will lead to an even
more impressive safety record for the entire industry. However, the American Institute of
Chemical Engineers, its consultants, the CCPS Technical Steering Committee and
Subcommittee members, their employers, their employers' officers and directors, and
Aon Energy Risk Engineering, and its employees do not warrant or represent, expressly
or by implication, the correctness or accuracy of the content of the information presented
in this document. As between (1) American Institute of Chemical Engineers, its
consultants, CCPS Technical Steering Committee and Subcommittee members, their
employers, their employers' officers and directors, and Aon Energy Risk Engineering,
and its employees and (2) the user of this document, the user accepts any legal liability
or responsibility whatsoever for the consequences of its use or misuse.
CONTENTS
Acronyms and Abbreviations xv
Glossary xxi
Acknowledgments xxxiii
Foreword xxxv
Preface xxxvii
1 INTRODUCTION 1
1.1 Engineering Design for Process Safety Through the
Life Cycle of the Facility 2
1.2 Regulatory Review / Impact on Process Safety 5
1.3 Who Will Benefit From These Guidelines? 7
1.4 Organization of this Book 7
1.5 Other CCPS Resources 9
1.6 References 10
2 FOUNDATIONAL CONCEPTS 13
2.1 Understanding the Hazard 14
2.1.1 Dangerous Properties of Process Materials 14
2.1.2 Process Conditions 19
2.1.3 Inventory 20
2.2 Risk-Based Design 21
2.2.1 The Concept of Risk 22
2.2.2 Selection of Design Bases for Process Safety Systems 23
2.3 Intentional Unsteady State Condition Evaluation 27
2.3.1 Batch Reaction Systems 29
2.4 Unintentional Unsteady State Issues 31
2.4.1 Runaway Reactions 31
2.4.2 Deviating from the Design Intent 32
2.5 Non-Linearity of the Design Process 33
2.6 References 36
VIII GUIDELINES FOR ENGINEERING DESIGN FOR PROCESS SAFETY
4 ANALYSIS TECHNIQUES 63
4.1 Hazard Identification 63
4.1.1 Process Hazards 64
4.1.2 Chemical / Material Hazards 72
4.1.3 Human Impact Data 79
4.2 Hazard Analysis Techniques 94
4.2.1 A Life Cycle Approach 94
4.2.2 Qualitative 96
4.2.3 Semi-Quantitative 100
4.2.4 Quantitative 103
4.2.5 Human Factors 104
4.2.6 Selecting the Appropriate Technique 106
4.3 Risk Assessment 108
4.3.1 Technical Aspects of QRA 109
4.3.2 Risk Criteria 113
4.3.3 Quantitative Risk Assessment 117
4.3.4 Risk Tolerance / Decision Making Criteria 117
4.4 Reliability / Maintainability Analysis 118
4.5 References 119
INDEX 393
ACRONYMS AND ABBREVIATIONS
kA kiloampere
kV kilovolt
mA milliampere
MAWP Maximum Allowable Working Pressure
MCC Motor Control Center
MEC Minimum Explosible Concentration
MIE Minimum Ignition Energy
mJ millijoule
MOC Management of Change
MSDS Material Safety Data Sheet
MSS Manufacturers Standardization Society
MT Magnetic Particle Testing
Car Seal: Metal or plastic cable used to fix a valve in the open position (car seal open) or closed position (car seal closed). Proper authorization, controlled via administrative procedures, must be obtained before operating the valve. The physical seal should have suitable mechanical strength to prevent unauthorized valve operation.
Catastrophic Incident: An incident involving a major uncontrolled emission, fire or explosion that causes significant damage, injuries and / or fatalities onsite and has an outcome effect zone that extends into the surrounding community.
Combustible: Capable of burning.
Combustible Liquid: A term used to classify certain liquids that will burn on the basis of flash points. The National Fire Protection Association (NFPA) defines a combustible liquid as any liquid that has a closed-cup flash point above 100°F (37.8°C) (NFPA 30). There are three subclasses, as follows:
• Class II liquids have flash points at or above 100°F (37.8°C) but below 140°F (60°C).
• Class III liquids are subdivided into two additional subclasses:
  Class IIIA are those having flash points at or above 140°F (60°C) but below 200°F (93.4°C).
  Class IIIB are those having flash points at or above 200°F (93.4°C).
The Department of Transportation (DOT) defines "combustible liquids" as those having flash points of not more than 141°F (60.5°C) and below 200°F (93.4°C).
Common Mode Failure: An event having a single external cause with multiple failure effects which are not consequences of each other.
Continuous Reactors: Reactors that are characterized by a continuous flow of reactants into and a continuous flow of products from the reaction system (e.g., Plug Flow Reactor (PFR) and the Continuous Stirred Tank Reactor (CSTR)).
Continuous Stirred Tank Reactor (CSTR): A reaction vessel in which the feed is continuously added and the products continuously removed. The vessel (tank) is continuously stirred to maintain a uniform concentration within the vessel.
Critical Event: A critical event is an event with a specified, high consequence such as an event involving an offsite community impact, critical system damage, a severe injury or a fatality.
Critical Event Frequency: The frequency of occurrence of a critical event.
Flammable Liquid: Any liquid that has a closed-cup flash point below 100°F (37.8°C), as determined by the test procedures described in NFPA 30, and a Reid vapor pressure not exceeding 40 psia (2068.6 mm Hg) at 100°F (37.8°C), as determined by ASTM D 323, Standard Method of Test for Vapor Pressure of Petroleum Products (Reid Method). Flammable liquids are classified as Class I as follows:
• Class IA liquids include those liquids that have flash points below 73°F (22.8°C) and boiling points below 100°F (37.8°C).
• Class IB liquids include those liquids that have flash points below 73°F (22.8°C) and boiling points at or above 100°F (37.8°C).
• Class IC liquids include those liquids that have flash points at or above 73°F (22.8°C), but below 100°F (37.8°C). (NFPA 30)
Flash Fire: The combustion of a flammable vapor and air mixture in which flame passes through that mixture at less than sonic velocity, such that negligible damaging overpressure is generated.
Flash Point: The temperature at which the vapor-air mixture above a liquid is capable of sustaining combustion after ignition from an external energy source.
Fugitive Emissions: Those emissions which could not reasonably pass through a stack, chimney, vent or other functionally-equivalent opening.
Grounding: The process of connecting one or more conductive objects to ground so that each is at the same potential as the earth. By convention, the earth has zero potential. In practice, grounding is the process of providing a sufficiently small resistance to ground so that a static hazard cannot be created at the maximum credible charging current to a system. Grounding may be referred to as "earthing" in Europe.
Hazard: An inherent chemical or physical characteristic that has the potential for causing damage to people, property, or the environment. In this document it is the combination of a hazardous material, an operating environment, and certain unplanned events that could result in an accident.
Hazard Analysis: The identification of undesired events that lead to the materialization of a hazard, the analysis of the mechanisms by which these undesired events could occur and usually the estimation of the consequences.
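The Combustible Liquid and Flammable Liquid glossary entries above together define the NFPA 30 Class I through Class III scheme. The following classifier is an added example, not code from the book or from CCPS; it implements the thresholds exactly as the two entries state them (flash point, boiling point, and the 40 psia Reid vapor pressure limit on Class I), and goes beyond either entry alone by covering the whole scheme in one function. Liquid names and property values in the sample data are constructed for illustration, not measured data.

```python
"""NFPA 30 liquid classification from the glossary thresholds (added example)."""
from dataclasses import dataclass
from typing import Optional

# Thresholds in degrees F, as given in the glossary entries (NFPA 30).
FLASH_CLASS_I_MAX_F = 100.0   # Class I (flammable): flash point below 100 F
FLASH_IA_IB_MAX_F = 73.0      # Class IA / IB: flash point below 73 F
BOIL_IA_MAX_F = 100.0         # Class IA: boiling point below 100 F; IB: at or above
FLASH_CLASS_II_MAX_F = 140.0  # Class II: 100 F <= flash point < 140 F
FLASH_IIIA_MAX_F = 200.0      # Class IIIA: 140 F <= flash point < 200 F; IIIB: >= 200 F
REID_VP_MAX_PSIA = 40.0       # Class I also requires Reid vapor pressure <= 40 psia at 100 F

NOT_A_LIQUID = "not a flammable liquid under NFPA 30 (Reid vapor pressure above 40 psia)"


def c_to_f(celsius: float) -> float:
    """Convert a Celsius temperature to Fahrenheit for use with the thresholds above."""
    return celsius * 9.0 / 5.0 + 32.0


@dataclass(frozen=True)
class LiquidData:
    """Closed-cup flash point in F; boiling point and Reid vapor pressure are optional
    because they are only needed for Class I liquids."""
    name: str
    flash_point_f: float
    boiling_point_f: Optional[float] = None
    reid_vp_psia: Optional[float] = None


def nfpa30_class(liquid: LiquidData) -> str:
    """Return the NFPA 30 class string (IA, IB, IC, II, IIIA, IIIB) for a liquid."""
    fp = liquid.flash_point_f
    if fp < FLASH_CLASS_I_MAX_F:
        # Class I: the glossary caps Reid vapor pressure at 40 psia; above that the
        # material does not meet the "flammable liquid" definition at all.
        if liquid.reid_vp_psia is not None and liquid.reid_vp_psia > REID_VP_MAX_PSIA:
            return NOT_A_LIQUID
        if fp < FLASH_IA_IB_MAX_F:
            # IA vs IB is decided by boiling point, so it is mandatory here.
            if liquid.boiling_point_f is None:
                raise ValueError(f"{liquid.name}: boiling point needed to separate IA from IB")
            return "IA" if liquid.boiling_point_f < BOIL_IA_MAX_F else "IB"
        return "IC"
    if fp < FLASH_CLASS_II_MAX_F:
        return "II"
    if fp < FLASH_IIIA_MAX_F:
        return "IIIA"
    return "IIIB"


def classify_inventory(liquids) -> dict:
    """Map each liquid name to its class; used to screen a materials list early in design."""
    return {liquid.name: nfpa30_class(liquid) for liquid in liquids}


# Constructed sample inventory (hypothetical names and values, not measured data).
SAMPLE_INVENTORY = [
    LiquidData("solvent A", flash_point_f=60.0, boiling_point_f=90.0, reid_vp_psia=20.0),
    LiquidData("solvent B", flash_point_f=60.0, boiling_point_f=150.0, reid_vp_psia=10.0),
    LiquidData("solvent C", flash_point_f=c_to_f(30.0)),            # 86 F
    LiquidData("fuel D", flash_point_f=120.0),
    LiquidData("oil E", flash_point_f=150.0),
    LiquidData("oil F", flash_point_f=250.0),
    LiquidData("liquefied gas G", flash_point_f=-40.0, boiling_point_f=30.0, reid_vp_psia=60.0),
]

if __name__ == "__main__":
    for name, cls in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: Class {cls}")
```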
SUBCOMMITTEE MEMBERS:
Committee Chairman, Pete Lodal Eastman Chemical
Mark Davis Eli Lilly
Americo Diniz Braskem
Edward Dyke Merck
Brad Fong 3M
S. Ganeshan Toyo Engineering India Ltd
Bala Chaitanya Gottimukkala CB&I Lummus
Chantell Lang CB&I Lummus
Darrin Miletello Bayer CropScience
Mikelle Moore Buckman
Mike Moosemiller BakerRisk
Perry Morse DuPont
Keith Pace Praxair
Jack Philley Baker Hughes
Ravi Ramaswamy Reliance Industries Limited
Ron Riselli Nexen
Sheri Sammons TPC Group
Narayanam Sankaran (Sank) UOP / Honeywell
Kevin Shaughnessy Dow Chemical
Gill Sigmon Honeywell
James Slaugh Lyondell Basell
Gary Solak Bayer Material Science
Angela Summers SIS-TECH Solutions
Scott Wallace Olin
CCPS Staff Consultant: Dave Belonger
CCPS wishes to acknowledge the contributions of the Aon Energy Risk Engineering
staff members who wrote this book, especially John Alderman, Christy Franklyn, and
Donna Pruitt.
Before publication, all CCPS books are subjected to a thorough peer review process. CCPS
gratefully acknowledges the thoughtful comments and suggestions of the peer reviewers.
Their work enhanced the accuracy and clarity of these guidelines.
Although the peer reviewers have provided many constructive comments and suggestions,
they were not asked to endorse this book and were not shown the final draft before its
release.
Peer Reviewers:
Zaheer Ahmed Baker Hughes
Jeff Fox Dow Corning
Stan Grossel Process Safety and Design Consultant
Dave Krabacher Cognis Corporation
Haluk Kopkalli Honeywell Specialty Materials
Brook Vickery Flint Hill Resources
FOREWORD
Engineers like to think of their discipline as a rigorous application of scientific and
mathematical principles to the problem of creating a useful object. To a certain extent,
this is an appropriate description of the tools of engineering - those techniques that we
use to translate a concept in the mind of the designer into a physical object. But, where
does that mental image of the object to be built come from? At its heart, engineering is
intuitive, and an art form. The engineer / designer's accumulated experience, and that of
others, is applied to a defined problem. By intuitive and creative problem solving
processes, the engineer develops and refines a conceptual design, and uses the
mathematical and scientific tools of engineering to translate a mental concept into
reality.
The selection of the design basis for a process safety system is a problem like any
other engineering problem. There is no equation or formula, no scientific principle,
which will define the "best" design. Yes, there are scientific and mathematical tools
which will help convert a design concept into something which can actually be
constructed. But there is no general answer to the question "What is the best design?"
Each system must be considered on its own, with a thorough evaluation of all of the
details of its environment and required functions, to determine what the optimal design
will be.
The number of potential solutions to any engineering problem is large, as anybody
who has ever visited an automobile show quickly realizes. Sometimes, for a specific
problem, there will be some solutions which clearly meet the overall objectives of nearly
all stakeholders better than others. In these situations it is easy to select an optimum
design. However, in other cases, different stakeholders have significantly different
objectives, or will differ significantly in the relative importance of the different
objectives of the design. This is one of the reasons why there are so many different
kinds of cars at the automobile show, giving each potential purchaser a chance to find a
design that best meets his or her objectives. But this is not possible in the design of a
process plant - there is one plant which impacts many stakeholders with their different
objectives and priorities. How can we best find the optimal solution? While this is not
entirely a technical question, but also includes social and political aspects, I believe that
the critical first step is to consider a large number of potential solutions. This increases
the likelihood that the solution most acceptable to as many stakeholders as possible will
be among those identified. Where do we get those potential solutions? One important
source is accumulated experience: our own, and that of others who have faced similar
problems in the past. This book collects much of that accumulated experience from a
large number of experts in the chemical process industry. Use of the tables which make
up the heart of this book will allow the reader to take advantage of many years of
practical experience. By considering a large number of potential solutions to the
problem of specifying the design basis for safety systems, the design engineer is more
likely to be able to identify the solution, or combination of solutions, which best meets
most people's needs.
This book, a combination, update, and expansion of two earlier CCPS Guideline
publications, emphasizes a risk-based approach to the evaluation of safety system design.
Potential safety systems suggested are categorized as inherently safer / passive, active,
and procedural, in decreasing order of robustness and reliability. Inherently safer
approaches are often preferred, but there can be no general answer to the question of
which approach or specific solution is best for a particular situation. Instead, the design
engineer must take a very broad and holistic approach to the complete design, accounting
for the many different, and often competing, objectives which the design must
accomplish. Safety, health effects, environmental impact, loss prevention, economic and
business factors, product quality, technical feasibility, and many other factors must be
considered. This book challenges the engineer to adopt a risk-based approach to
evaluating many competing goals when deciding among a number of potential design
alternatives.
This book can be extremely useful in conducting process hazard analysis studies.
The failure mode tables in Chapter 6 can be the basis for hazard identification checklists
and also offer a variety of potential solutions for identified concerns. However, the book
will be even more beneficial if used by the individual engineer at the earliest stages of
the design process, before any formal hazard reviews.
The message of this book can be summarized very briefly:
• Consider a large number of design options
• Identify opportunities for inherent and passive safety features early
• Fully understand all of the hazards and resulting risks associated with design
alternatives
• Use a risk-based approach to process safety systems specification
I hope that this book will find a home on the desk (not gathering dust on the
bookshelf!) of every chemical process designer, particularly those involved in the earliest
phases of conceptual design where the basic chemistry and unit operations are defined.
It should be consulted frequently in the course of the designer's day-to-day work in
specifying and designing process facilities. If you are a process safety professional,
make sure that all of the process design engineers in your organization read and use this
book. It will make your job a lot easier!
Dennis C. Hendershot
CCPS Staff Consultant
PREFACE
The Center for Chemical Process Safety (CCPS) was established in 1985 by the
American Institute of Chemical Engineers (AIChE) for the express purpose of assisting
the Chemical and Hydrocarbon Process Industries in avoiding or mitigating catastrophic
chemical accidents. To achieve this goal, CCPS has focused its work on four areas:
• Establishing and publishing the latest scientific and engineering practices (not
standards) for prevention and mitigation of incidents involving toxic and / or
reactive materials.
• Encouraging the use of such information by dissemination through publications,
seminars, symposia and continuing education programs for engineers.
• Advancing the state-of-the-art in engineering practices and technical
management through research in prevention and mitigation of catastrophic
events.
• Developing and encouraging the use of undergraduate education curricula
which will improve the safety knowledge and consciousness of engineers.
This book, Guidelines for Engineering Design for Process Safety, Second Edition, is
the result of multiple projects. The first project was the first edition of Guidelines for
Engineering Design for Process Safety, which began in 1989 with volunteers from CCPS
member companies working with engineers from the Stone & Webster Engineering
Corporation. The intent was to produce a book that presented the process safety design
issues needed to address all stages of the evolving design of a facility. The first edition
discussed the impact that various engineering design choices have on the risk of a
catastrophic accident, starting with the initial selection of the process and continuing
through its final design.
The second project began in 1994 with volunteers from CCPS member companies
working with Arthur D. Little Inc. to produce a book entitled Guidelines for Design
Solutions for Process Equipment Failures. This book described the ways that major
processing equipment could fail, causing a catastrophic accident. This second book
identified available design solutions that might avoid or mitigate the failure in a series of
options ranging from inherently safer / passive solutions to active and procedural
solutions. By capturing industry experience in how major processing equipment can fail,
this book provided a very useful tool for the selection of process safety systems. The
inherently safer solutions that were suggested may, in some cases, have come as a
surprise to the process and design engineer because they may have been the most cost-
effective solution.
In 2009, both the Technical Steering Committee and the Planning Committee of
CCPS recognized the need to consolidate these two works into one combined, expanded
and updated volume. The result of this effort is the book you now hold in your hand.
Guidelines for Engineering Design for Process Safety, 2nd Edition, has been
updated to provide design guidance and comprehensive references for process equipment
in a number of different categories, including vessels, reactors, heat and mass transfer
equipment, fluid transfer and separation equipment, fired equipment, dryers, and piping.
Chapter 6 contains updated equipment failure tables from the Design Solutions book.
This book focuses on engineering design to reduce risk due to process hazards. It
does not focus on operations, maintenance, transportation, or personnel safety issues,
although improved process safety can benefit each area. Detailed engineering designs
are outside the scope of this book, but the authors have provided an extensive guide to
references and other literature to assist the designer who wishes to go beyond safety
design philosophy to the specifics of a particular safety system design.
1 INTRODUCTION
The Center for Chemical Process Safety (CCPS) has published a number of guidelines
that focus on the evaluation and mitigation of risks associated with catastrophic events in
process facilities. Originally published in 1993, the purpose of Guidelines for
Engineering Design for Process Safety was to shift the emphasis on process safety to the
earliest stage of the design where process safety issues could be addressed at the lowest
cost and with the greatest effect. Almost 20 years later, this 2nd edition of Guidelines for
Engineering Design for Process Safety continues to stress the importance of emphasizing
process safety during Front-End Engineering and Design (FEED) to achieve the greatest
risk reduction at the lowest cost - and also emphasizes the benefits of diligence to
process safety design issues through the life of the facility. This updated book also
incorporates material from Guidelines for Design Solutions for Process Equipment
Failures, which was originally published by CCPS in 1998 (Ref. 1-1).
This book focuses on process safety issues in the design of chemical, petrochemical,
and hydrocarbon processing facilities. Enough information is provided on each topic to
ensure that the reader understands:
• The concept and issues
• The design approach for process safety
• Areas of concern
• Where to go for detailed information
The scope of this book includes avoidance and mitigation of catastrophic events that
could impact people and facilities in the plant or surrounding area. The scope is limited
to selecting appropriate designs to prevent or mitigate the release of flammable or toxic
materials that could lead to a fire, explosion, and impact to personnel and the
community. Process safety issues affecting operations and maintenance are limited to
cases where design choices impact system reliability. These Guidelines are intended to
be applicable to the design of a new facility, as well as modification of an existing
facility.
The scope excludes:
• Transportation safety
• Routine environmental control
• Personnel safety and industrial hygiene practices
• Emergency response
• Detailed design
• Operations and maintenance
• Security issues unrelated to process safety
These Guidelines highlight safety issues in design choices. For example, Section
7.1.1, Electrical Area Classification, covers the safe application of electrical apparatus in
the process environment required for plant safety but does not address detailed design of
the electrical supply or distribution system required to operate the plant.
It is clear that choices made early in design can reduce both the potential for large
releases of hazardous materials and the severity of such releases, if they should occur.
Research and Development:
• Identify chemical interactions that could cause runaway reactions, fires, explosions, or toxic gas releases
• Identify process safety data needs
Pilot Plant:
• Identify ways for toxic gas to be released to the environment
• Identify ways to deactivate the catalyst
• Identify potentially hazardous operator interfaces
• Identify ways to minimize hazardous wastes
Routine Operation:
• Identify employee hazards associated with the operating procedures
• Identify ways an overpressure transient might occur
• Identify hazards associated with out-of-service equipment
Process Modification or Plant Expansion:
• Identify whether changing the feedstock composition will create any new hazards or make any existing hazards more severe
• Identify hazards associated with new equipment
Consensus Codes
• U.S. OSHA
  Process Safety Management Standard (29 CFR 1910.119) (Ref. 1-13)
  Flammable and Combustible Liquids Standard (29 CFR 1910.106) (Ref. 1-14)
  PSM Covered Chemical Facilities National Emphasis Program (09-06 CPL 02) (Ref. 1-15)
  Petroleum Refinery Process Safety Management National Emphasis Program (Ref. 1-16)
• U.S. EPA Risk Management Program Regulation (40 CFR 68) (Ref. 1-17)
• California Accidental Release Prevention Program (Ref. 1-18)
• Contra Costa County Industrial Safety Ordinance (Ref. 1-19)
• Delaware Extremely Hazardous Substances Risk Management Act (Ref. 1-20)
• Nevada Chemical Accident Prevention Program (Ref. 1-21)
• New Jersey Toxic Catastrophe Prevention Act (Ref. 1-22)
International Laws and Regulations
• Australian National Standard for Control of Major Hazard Facilities (Ref. 1-23)
• Canadian Environmental Protection Agency, Environmental Emergency Planning (Section 200) (Ref. 1-24)
• European Commission Seveso II Directive (Ref. 1-25)
• Korean OSHA PSM Standard (Ref. 1-26)
• Malaysia, Department of Occupational Safety and Health, Ministry of Human Resources Malaysia, Section 16 of Act 514 (Ref. 1-27)
• United Kingdom, Health and Safety Executive COMAH Regulations (Ref. 1-28)
It is important to note that regional or local laws and regulations often mandate more
stringent requirements than similar federal regulations. For example, the State of
California's Accidental Release Prevention Program requires compliance by facilities
with over a threshold quantity of 100 lb of chlorine, while the U.S. EPA Risk
Management Program's threshold quantity for compliance is 2,500 lb of chlorine.
Different global, federal, and regional requirements pose challenges to facilities that
operate in different geographic locations.
1.6 REFERENCES
1-1. CCPS. Guidelines for Design Solutions for Process Equipment Failures. Center
for Chemical Process Safety of the American Institute of Chemical Engineers.
New York, NY. 1998.
1-2. CCPS. Guidelines for Investigating Chemical Process Incidents, Second Edition.
Center for Chemical Process Safety of the American Institute of Chemical
Engineers. New York, NY. 2003.
1-3. CCPS. Plant Guidelines for Technical Management of Chemical Process Safety.
Center for Chemical Process Safety of the American Institute of Chemical
Engineers. New York, NY. 1992.
1-4. Baker, et al. The Report of the BP U.S. Refineries Independent Safety Review
Panel. January 2007.
1-5. CCPS. Guidelines for Risk Based Process Safety. Center for Chemical Process
Safety of the American Institute of Chemical Engineers. New York, NY. 2007.
1-6. American Chemistry Council, 1300 Wilson Blvd., Arlington, VA 22209.
www.americanchemistry.com
1-7. European Chemical Industry Council (Cefic), Avenue E. van Nieuwenhuyse, 4
box 1, B-1160 Brussels. www.cefic.org
1-8. American Petroleum Institute, 1220 L Street, NW, Washington, D.C. 20005.
www.api.org
1-9. American National Standards Institute, 25 West 43rd Street, New York, NY,
10036. www.ansi.org
1-10. American Society of Mechanical Engineers, Three Park Avenue, New York, NY,
10016. www.asme.org
1-11. The Instrumentation, Systems, and Automation Society, 67 Alexander Drive,
Research Triangle Park, NC 27709. www.isa.org
1-12. National Fire Protection Association, 1 Batterymarch Park, Quincy, MA, 02169.
www.nfpa.org
1-13. Process Safety Management of Highly Hazardous Chemicals (29 CFR 1910.119),
U.S. Occupational Safety and Health Administration, May 1992. www.osha.gov
1-14. Flammable and Combustible Liquids, Occupational Safety and Health Standards
(29 CFR 1910.106), U.S. Occupational Safety and Health Administration.
www.osha.gov
1-15. PSM Covered Chemical Facilities National Emphasis Program, OSHA Notice,
09-06 (CPL 02), U.S. Occupational Safety and Health Administration, July 2009.
www.osha.gov
1-16. Petroleum Refinery Process Safety Management National Emphasis Program,
OSHA Notice, CPL 03-00-010, U.S. Occupational Safety and Health
Administration, August 2009. www.osha.gov
2 FOUNDATIONAL CONCEPTS
Section 2.5, Non-Linearity of the Design Process (applies throughout this book). Related CCPS references: Guidelines for Hazard Evaluation Procedures (Ref. 2-1); Guidelines for Risk Based Process Safety (Ref. 2-6); Guidelines for Chemical Process Quantitative Risk Analysis (Ref. 2-7); Inherently Safer Chemical Processes: a Life Cycle Approach (Ref. 2-8).
Boiling point and freezing point data establish whether a substance is a solid, liquid,
or gas at atmospheric pressure. Comparison of boiling points or volatilities relative to
process conditions provides insight into a number of potentially significant issues, such
as flammability or ease of separation by distillation. Vapor pressure data are more
difficult to obtain but are more useful in predicting volatility-related behavior. Freezing
point data reveal that some relatively common substances may require special handling
for cold weather.
Molecular weight provides a quick comparison of gas densities, which indicate
whether a vapor released to the atmosphere will rise and disperse or travel along the
ground. Critical pressure and temperature are needed for developing thermodynamic
expressions using the laws of corresponding states. Since vapors cannot be compressed
into liquids at temperatures above their critical regions, substances that can exist only as
vapor are indicated by critical temperatures below ambient or processing temperature.
Fluid density and viscosity determine the difficulty of transporting substances inside
piping. This information is also useful in other transportation-related issues, such as
overloading tank trailers with high density liquids and design of relief systems. In the
event of spills, density and solubility relative to water are important issues. Electrical
conductivity often indicates the degree to which static charges might build in flowing
systems. Enthalpy or specific heat data predict temperature rises for heated substances,
critical information when vessels containing volatile flammable liquids are subjected to
fire. Heat-of-mixing data indicate pronounced thermal effects that might occur when
mixing substances, such as two different concentrations of sulfuric acid.
2.1.1.2 Reactivity
The reactivity of a chemical substance not only influences process reactions, it also
influences the hazard potential in accidental releases or inadvertent mixtures.
Exothermic reactions can pose hazards because the heat evolved raises the temperature
of the reactants, leading to an increased reaction rate or vaporization of materials. When
high temperature is reached in an open system, the materials may ignite or explode. In a
closed system, high temperature can lead to vessel rupture from overpressurization
caused by gas evolution or vapor pressure.
Some materials react violently upon contact with water, generating considerable
heat. For example, some strong acids may evolve large amounts of hazardous fumes
when contacted with water or moisture in the air. It is important to recognize this aspect
when preparing fire fighting contingencies.
Pyrophoric substances react violently with air, resulting in spontaneous ignition.
Such substances are typically handled by methods that prevent contact with air, often by
submerging the substance in a compatible solvent, water or oil.
Other chemicals react violently with oxidizing or reducing agents. Oxidants may
generate heat, oxygen, and flammable or toxic gases. Reducing agents react with a
variety of chemicals and may generate hydrogen, as well as heat, and flammable or toxic
gases. Storage and usage of strong oxidizing and reducing agents require special
precautions that are unique to the particular substance in question. Generally, each
supplier provides complete packages of safety-related information to its customers.
2.1.1.3 Flammability
Another important material characteristic requiring attention in early stages of process
design is flammability. The most common measures of flammability potential for
materials are:
• Autoignition temperature
• Conductivity
• Fire point
• Flammable limits
• Flash point
• Kst (dust deflagration index)
• Minimum / limiting oxygen concentration
These are discussed further in Chapter 3, Basic Physical Properties / Thermal
Stability Data.
2.1.1.4 Toxicity
Toxic releases generally have a greater impact on humans than fire or explosion;
therefore, recognizing the toxicity of materials is important in process design. Humans
can be exposed to toxics by inhalation, ingestion, and dermal contact. Toxic exposure is
influenced by the airborne concentration and the duration of exposure. Toxic exposures
are described as:
• Acute - Acute exposures are brief contacts with potentially lethal
concentrations, typically experienced during sudden large discharges of toxic
materials.
• Chronic - Chronic exposures result from prolonged contact over an extended
period of time.
18 GUIDELINES FOR ENGINEERING DESIGN FOR PROCESS SAFETY
Table 2.3 Selected Primary Data Sources for Toxic Exposure Limits (columns: Source, Acronym, Exposure Limit, Acronym; table rows not recovered)
2.1.3 Inventory
A common factor in major disasters in the chemical industry is a large release of a
hazardous material. One of the best ways to make a plant safer is to minimize the
quantity of hazardous materials. The principal approach is to minimize inventory, so
that even if there is a leak or explosion, the consequences are minimized (Ref. 2-8).
Low inventories result in safer and more cost-effective process facilities. Lower
inventories can be achieved by using smaller or fewer vessels. If fewer vessels are used,
fewer protective devices, such as alarms, valves, trips, and smaller flare systems, may be
required, further reducing facility costs.
Other methods to limit inventory include:
• Reducing reactor volumes by improving mixing conditions or better
understanding reaction kinetics
• Reducing inventory by integrating plant operation, especially for storage tanks
and day tanks that usually contain large inventories
• Using continuous reactors instead of batch reactors
• Reducing holdup in distillation columns by using low holdup equipment
internals, e.g., packing has less holdup than conventional trays
• Reducing onsite storage by using just-in-time delivery
• Laying out equipment and pipe to reduce pipe rack toxic material holdup
• Improving the performance of the reactor (reducing by-product production) so
that subsequent operations, e.g., distillation, become easier, further reducing
holdup
• Making highly toxic material generation (e.g., phosgene) a subprocess just prior
to using the material in the main process, shifting inventory to less toxic
materials
• Producing on-demand from less hazardous materials
Substituting a less hazardous material or limiting the inventory of hazardous
materials is usually the first choice in risk reduction. For example, consider using steam
as heat transfer medium instead of a flammable material. If reduction of the inventory or
substitution of hazardous materials is not feasible, attempts should be made to use less
hazardous conditions, such as low pressure and temperature storage; use of material in its
gas phase instead of its liquid phase; or use of a safer solvent.
Some secondary effects of reducing inventories may need to be considered, such as:
• A reduction in residence time could result in poor separation of materials
• Increased potential for cavitation of pumps
• Less time for operator response to a low level alarm
Identify hazards
• Systematic identification of hazards and related failure scenarios that can lead
to incidents
• Frequently involves application of standard techniques, such as HAZOP,
FMEA, What-If?, etc.
Estimate likelihood
• Process used to estimate the frequency of a particular incident or outcome
• Where available, historical data are used to quantify the likelihood
• When historical data are unavailable, incomplete, or inappropriate, analytical
approaches such as fault trees and event trees are employed to determine the
likelihood of incidents / outcomes based on more fundamental failure data
Estimate risk
• Process of combining consequence and likelihood estimations of all selected
scenarios into a measure of overall risk, the simplest form being a risk matrix
• Includes various ways of displaying risk, such as individual risk contours or
overall likelihood of various levels of consequence
• Prioritization of risks
Figure (flow chart of the risk assessment steps): Step 1 Identify Failure Scenarios; Step 2 Evaluate the Consequences; Estimate Likelihood; Step 5 Estimate Risk; Step 7 Consider Design Solutions to Reduce Consequence and/or Likelihood; Document Results (with Yes / No decision branches between the steps).
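The steps tabulated above (identify failure scenarios, estimate likelihood from historical data or from a fault tree, combine likelihood and consequence in a risk matrix, prioritize, and flag scenarios that need design solutions), worked as an added Python example that is not part of the CCPS text. The scenarios, failure rates, likelihood bin edges and matrix thresholds are constructed for illustration and are not from any standard.

```python
"""Hazard evaluation steps from the table above, worked in code: estimate likelihood
(historical data or a small fault tree), combine it with consequence in a risk
matrix, and prioritize. Added example; scenarios, rates and bins are constructed."""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Optional, Tuple, Union

Leaf = Tuple[str, float]             # ("freq", events per year) or ("prob", 0..1)
Node = Union[Leaf, Dict[str, list]]  # {"or": [children]} or {"and": [children]}

# Constructed likelihood bins: (upper bound on events per year, category 1..5).
LIKELIHOOD_BINS = [(1e-5, 1), (1e-4, 2), (1e-3, 3), (1e-2, 4), (float("inf"), 5)]


def evaluate_tree(node: Node) -> Leaf:
    """Reduce a fault tree to one frequency or probability. OR of frequencies adds;
    OR of probabilities is 1 - prod(1 - p); AND multiplies and may hold at most one
    frequency (the initiating event), the rest being failure-on-demand probabilities."""
    if isinstance(node, tuple):
        if node[0] not in ("freq", "prob") or node[1] < 0:
            raise ValueError(f"bad leaf {node!r}")
        return node
    (gate, children), = node.items()
    results = [evaluate_tree(c) for c in children]
    kinds = {k for k, _ in results}
    values = [v for _, v in results]
    if gate == "or":
        if kinds == {"freq"}:
            return ("freq", sum(values))
        if kinds == {"prob"}:
            return ("prob", 1.0 - prod(1.0 - v for v in values))
        raise ValueError("OR gate mixes frequencies and probabilities")
    if gate == "and":
        n_freq = sum(k == "freq" for k, _ in results)
        if n_freq > 1:
            raise ValueError("AND gate with more than one frequency input")
        return ("freq" if n_freq else "prob", prod(values))
    raise ValueError(f"unknown gate {gate!r}")


def likelihood_category(frequency_per_year: float) -> int:
    """Map an event frequency onto the 1..5 likelihood axis of the matrix."""
    return next(cat for upper, cat in LIKELIHOOD_BINS if frequency_per_year <= upper)


def risk_rank(likelihood_cat: int, consequence_cat: int) -> str:
    """Simplest form of risk matrix: rank by the product of the two categories."""
    if not (1 <= likelihood_cat <= 5 and 1 <= consequence_cat <= 5):
        raise ValueError("categories must be 1..5")
    score = likelihood_cat * consequence_cat
    return "high" if score >= 15 else "medium" if score >= 6 else "low"


@dataclass
class Scenario:
    name: str                                   # Step 1: failure scenario
    consequence_cat: int                        # Step 2: 1 negligible .. 5 offsite impact
    frequency_per_year: Optional[float] = None  # historical data, where available
    fault_tree: Optional[Node] = None           # analytical estimate otherwise


def estimate_likelihood(s: Scenario) -> float:
    """Use historical data when available, otherwise evaluate the fault tree."""
    if s.frequency_per_year is not None:
        return s.frequency_per_year
    if s.fault_tree is None:
        raise ValueError(f"{s.name}: no basis for likelihood")
    kind, value = evaluate_tree(s.fault_tree)
    if kind != "freq":
        raise ValueError(f"{s.name}: top event must be a frequency")
    return value


def assess(scenarios: List[Scenario]) -> List[dict]:
    """Steps 5 and 7: rank each scenario; anything above 'low' needs design solutions."""
    rows = []
    for s in scenarios:
        freq = estimate_likelihood(s)
        lcat = likelihood_category(freq)
        rank = risk_rank(lcat, s.consequence_cat)
        rows.append({"name": s.name, "frequency": freq, "likelihood_cat": lcat,
                     "consequence_cat": s.consequence_cat, "rank": rank,
                     "design_solution_needed": rank != "low"})
    order = {"high": 0, "medium": 1, "low": 2}
    rows.sort(key=lambda r: (order[r["rank"]], -r["likelihood_cat"] * r["consequence_cat"]))
    return rows


# Constructed scenarios for a hypothetical unit (not from the text).
SAMPLE_SCENARIOS = [
    Scenario("Pump seal leak, small flammable release", 1, frequency_per_year=0.5),
    Scenario("Tank overfill during truck unloading", 3, frequency_per_year=1e-2),
    Scenario("Runaway reaction with offsite toxic release", 5,
             fault_tree={"and": [("freq", 0.1),      # loss of cooling, per year
                                 ("prob", 0.1),      # high-temperature trip fails
                                 ("prob", 0.05)]}),  # emergency relief fails
]
```

Calling assess(SAMPLE_SCENARIOS) returns the runaway reaction first (likelihood 3, consequence 5, rank high), the overfill second (medium) and the seal leak last (low, no design solution flagged).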
either a positive or negative manner, due to a wide variety of factors, such as personnel
turnover, staffing level changes, or change in management.
Equipment failure data are available from a number of sources, and while there are
uncertainties and gaps in the data, these can be objectively and consistently evaluated
through the use of plant data collection and component failure testing. Also, a
comprehensive risk management plan based on the results of studies such as these can
provide typical component failure rates to be used for a wide range of evaluations.
At some point, quantification of likelihood may be necessary, but often it is
superseded by standardization into policies, engineering standards, and standard
practices. For example, failures with no or low consequences may be considered
adequately controlled by normal process controls, whereas severe hazards (such as those
with offsite impact) may require several independent layers of protection in order to
bring the risk into an acceptable range.
• Cost / Benefit - Is it the best use of resources, or can greater risk reductions be
achieved by spending the same money elsewhere?
• Synergistic / Mutual Exclusivity Effects - Will this solution work in conjunction
with other potential enhancements, or will its implementation eliminate other
potential beneficial solutions from being considered?
• Additional New Hazards - Will this solution create new hazards that must be
evaluated?
The tables in Chapter 6, Equipment Design, are intended to suggest potential alternatives
to enhance the risk tolerability of the design. Not all solutions presented in the tables
will be applicable to every situation; however Chapter 6 contains detailed references.
sequence of processing steps and frequent startups and shutdowns increase the
probability of human errors and equipment failures. Moreover, batch reaction
systems often handle multiple processes and products in the same equipment.
This can also lead to increased probability of human error.
Design Considerations - Too often, safeguards for batch operations rely on
administrative safeguards, such as procedures and training. While these are
important parts of a process safety program, facilities that design, own, and
operate batch processes should look towards layers of engineering safeguards in
combination with administrative controls. The nature of batch operations
(unsteady state), frequently involving manual intervention, creates significant
issues pertaining to the design of control systems, design of operating
procedures, and the interaction between the control system and the operators.
Design considerations should include:
• Proper Selection of Materials - Raw materials, intermediates, products, by-
products, decomposition or unintended products which are hazardous or
could be reactive with other materials handled in this equipment.
• Avoidance of Use of Incompatible Materials, Especially Materials That
React with Common Substances - Inadvertent contact between two or more
incompatible chemicals may lead to a hazardous condition. Water is of
particular concern as this seemingly innocuous material can react violently
with many chemicals. Some materials react rapidly and violently with
water and have an NFPA reactivity rating of 2 or higher based on water
reactivity alone (Ref. 2-32).
• Human Factors - Human factors are especially important in batch
operations when much of the process is influenced by an operator's actions
(or inactions). The batch operator is more involved and is often in closer
proximity to the process. This close proximity puts the operator at
increased risk to direct exposure to the hazards associated with larger
inventory of raw materials and semi-finished products than continuous
systems with comparable throughput. Special design manifolds and
transfer panels can reduce the potential for human error. Automation of the
batch sequence using a PLC can also reduce the potential for human error.
• Selection of Materials of Construction - Batch operations are often
designed for general use, rather than dedicated to a specific process. The
piping and layout of the equipment is often modified to meet the needs of
the current process, or the process is modified to use the existing
equipment. Use of the same equipment in different campaigns, complex
process piping, and the use of shared auxiliary equipment, such as columns
and condensers, present greater challenges in preventing cross
contamination; in selecting materials of construction; and in selecting
instrumentation and control systems. Additionally, the complexity of
equipment and the frequency of changes complicate the process
documentation task. These frequent changes often result in complex
Management of Change (MOC) issues.
The issues discussed above are just a small sample of the process safety issues faced
in the design process of batch operations. All of these issues make batch reaction
systems unique, in terms of the challenges they pose for managing process safety. Refer
to Guidelines for Process Safety in Batch Reaction Systems (Ref. 2-11) for more detail.
Figure 2.2 Engineering Design for Process Safety - A Life Cycle Approach
Robust management systems must be in place to successfully evaluate and manage the
hazards and risk over and over for the life of the facility. These management systems
influence the effectiveness and robustness of this continuous process and include:
2.6 REFERENCES
2-1. CCPS. Guidelines for Hazard Evaluation Procedures, Third Edition. Center
for Chemical Process Safety of the American Institute of Chemical Engineers.
New York, NY. 2008.
2-2. CCPS. A Practical Approach to Hazard Identification for Operations and
Maintenance Workers. Center for Chemical Process Safety of the American
Institute of Chemical Engineers. New York, NY. 2010.
2-3. CCPS. Guidelines for Safe Process Operations and Maintenance. Center for
Chemical Process Safety of the American Institute of Chemical Engineers. New
York, NY. 1995.
2-4. CCPS. Guidelines for Process Safety Fundamentals in General Plant
Operations. Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, NY. 1995.
2-5. CCPS. Guidelines for Chemical Reactivity Evaluation and Application to
Process Design. Center for Chemical Process Safety of the American Institute
of Chemical Engineers. New York, NY. 2007.
2-6. CCPS. Guidelines for Risk Based Process Safety. Center for Chemical Process
Safety of the American Institute of Chemical Engineers. New York, NY. 2007.
2-7. CCPS. Guidelines for Chemical Process Quantitative Risk Analysis, Second
Edition. Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, NY. 2000.
2-8. CCPS. Inherently Safer Chemical Processes, A Life Cycle Approach. Center for
Chemical Process Safety of the American Institute of Chemical Engineers. New
York, NY. 2009.
2-9. CCPS. Safe Design and Operation of Process Vents and Emission Control
Systems. Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, NY. 2006.
2-10. CCPS. Guidelines for Safe Storage and Handling of Reactive Materials. Center
for Chemical Process Safety of the American Institute of Chemical Engineers.
New York, NY. 1995.
2-11. CCPS. Guidelines for Process Safety in Batch Reaction Systems. Center for
Chemical Process Safety of the American Institute of Chemical Engineers. New
York, NY. 1999.
2-12. Haynes, W. CRC Handbook of Chemistry and Physics, 91st Edition. National
Institute of Standards and Technology. Boulder, CO. 2010.
2-13. Green, D. W. and Perry, R. H. Perry's Chemical Engineers' Handbook, Eighth
Edition. McGraw-Hill. 2008.
2-14. DIPPR® Data Compilation of Pure Chemical Properties, Design Institute for
Physical Properties, American Institute of Chemical Engineers. New York, NY.
2010.
2-15. Urben, P. Bretherick's Handbook of Reactive Chemical Hazards, Seventh
Edition. Academic Press. Oxford, UK. 2007.
2-16. EPA. EPA's Chemical Compatibility Chart, A Method for Determining the
Compatibility of Chemical Mixtures. 1980. www.epa.gov
2-17. Lewis, R. S. Sax's Dangerous Properties of Industrial Materials, 10th Edition.
John Wiley & Sons. Hoboken, NJ. 1999.
2-18. NOAA. Chemical Reactivity Worksheet, Version 2.1. National Oceanic and
Atmospheric Administration. http://response.restoration.noaa.gov/CRW
2-19. NFPA. Fire Protection Handbook, 12th Edition. National Fire Protection
Association. Quincy, MA. 2008.
2-20. CCPS. Reactivity Evaluation Screening Tool. Center for Chemical Process
Safety of the American Institute of Chemical Engineers (AIChE). New York,
NY. 2010. www.aiche.org/ccps
2-21. DOE. Protective Action Criteria (PAC) Values. Subcommittee on Consequence
Assessment and Protective Actions (SCAPA) of the Department of Energy
(DOE). www.atlintl.com/DOE/teels/teel.html
2-22. CCPS. Tools for Making Acute Risk Decisions. Center for Chemical Process
Safety of the American Institute of Chemical Engineers. New York, NY. 1995.
2-23. Australian National Standard for the Control of Major Hazard Facilities,
NOHSC: 1014, 2002. www.docep.wa.gov.au/
2-24. Korean Occupational Safety and Health Agency, Industrial Safety and Health
Act, Article 20, Preparation of Safety and Health Management Regulations.
Korean Ministry of Environment, Framework Plan on Hazards Chemicals
Management, 2001-2005. http://english.kosha.or.kr/main
2-25. Malaysia, Department of Occupational Safety and Health (DOSH) Ministry of
Human Resources Malaysia, Section 16 of Act 514.
http://www.dosh.gov.my/doshV2/
2-26. Control of Major Accident Hazards Regulations (COMAH), United Kingdom
Health & Safety Executive, 1999 and 2005. www.hse.gov.uk/comah/
2-27. Accidental Release Prevention Requirements: Risk Management Programs
Under Clean Air Act Section 112(r)(7), 40 CFR Part 68, U.S. Environmental
Protection Agency, June 20, 1996 Fed. Reg. Vol. 61 [31667-31730].
www.epa.gov
2-28. Process Safety Management of Highly Hazardous Chemicals (29 CFR
1910.119), U.S. Occupational Safety and Health Administration, May 1992.
www.osha.gov
2-29. CCPS. Guidelines for Chemical Transportation Safety, Security, and Risk
Management. Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, NY. 2008.
2-30. CCPS. Guidelines for Developing Quantitative Safety Risk Criteria. Center for
Chemical Process Safety of the American Institute of Chemical Engineers. New
York, NY. 2009.
2-31. CCPS. Guidelines for Process Safety Documentation. Center for Chemical
Process Safety of the American Institute of Chemical Engineers. New York,
NY. 1995.
2-32. CCPS. Guidelines for Safe Storage and Handling of Reactive Materials. Center
for Chemical Process Safety of the American Institute of Chemical Engineers.
New York, NY. 1995.
2-33. HSE. Case Study, Icmesa Chemical Company, Seveso, Italy. July 10, 1976.
Health and Safety Executive.
http://www.hse.gov.uk/comah/sragtech/caseseveso76.htm
2-34. CCPS. Guidelines for Investigating Chemical Process Incidents, Second
Edition. Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, NY. 2003.
Guidelines for Engineering Design for Process Safety, Second Edition
by Center for Chemical Process Safety
Copyright © 2012 American Institute of Chemical Engineers, Inc.
3 BASIC PHYSICAL PROPERTIES / THERMAL STABILITY DATA
Understanding the behavior of all the chemicals involved in the process - raw materials,
intermediates, products, and by-products - is a key aspect of understanding the process
safety issues relevant to a given process. A knowledge of how these chemicals behave
individually and how they interact with other chemicals, utilities, materials of
construction, potential contaminants, or other materials that they can come in contact
with during shipment, storage, and processing is essential for understanding and
managing process safety.
Understanding the chemistry of the process also provides the greatest opportunity in
applying the principles of inherent safety at the chemical synthesis stage. Process
chemistry greatly determines the potential impact of the processing facility on people
and the environment. It also determines such important safety variables as inventory,
ancillary unit operations, by-product disposal, etc. Creative design and selection of
process chemistry can result in the use of inherently safer chemicals, a reduction in the
inventories of hazardous chemicals, and / or a minimization of waste treatment
requirements.
• Measures property values needed by DIPPR members that are not found in the
literature. These data are added to the DIPPR® databases to replace, improve,
and extend existing estimations.
• Disseminates data to the public after a period of exclusive use by members.
Dissemination is via hard copy publications, computer programs and databases
on diskettes and online, and multimedia.
Figure (flammability diagram, plotted against temperature): the flammable region is bounded by the lower flammability limit, the flash point temperature, the saturation vapor pressure curve (with mists marked above it) and the autoignition temperature (AIT); the regions outside these bounds are labeled Not Flammable.
the temperature of the pool is below the flash point, the pool will not ignite. From a
safety perspective, a release of liquid below its flash point should not ignite even if it
finds an ignition source.
Because it is an indicator of the hazard of a material, the flash point of a liquid is
one of its most important fire characteristics. At its flash point, a liquid continuously
produces flammable vapors at the right rate and amount (volume) to give a flammable
and even explosive atmosphere if a source of ignition should be brought into the mixture.
Flammable liquids (like gasoline) with a flash point of -45°F (-42.8°C) continually give
off vapors that can burn at ordinary temperatures. However, fuel oil (such as that used in
home-heating furnaces) with a flash point of 130°F (54.4°C) does not give off vapor that
can burn until heated above its flash point (Ref. 3-2). However, when either material is
ignited, an intense fire ensues.
The flash point is the temperature at which the vapor pressure of a substance is such
that the concentration of vapor in air above the substance corresponds to the lower
flammable limit. The term flammable liquid is applied to any liquid that has a closed-cup
flash point below 100°F (37.8°C) and a Reid vapor pressure not exceeding 40 psia
(2068.6 mm Hg) at 100°F (37.8°C). The term combustible is used for liquids that have a
closed-cup flash point at or above 100°F (37.8°C) (Ref. 3-5).
The flash point and other important properties of some common materials are listed
in Table 3.1 (Ref. 3-6).
In general, the AIT (Ref. 3-7):
• Decreases with increasing pressure
• Increases as mixtures become rich or lean
• Decreases with increased oxygen concentration
• Decreases as the test volume increases
approaches (literature, databases, and software programs) may not be sufficient for final
plant design. Experimental work is usually required on various scales depending on the
extent of reactivity. Therefore, the application of well-designed experimental test
methods is of prime importance to define hazardous conditions. Numerous test methods
are available using a variety of sample sizes and conditions.
3.3.1.5 Oxidizers
Oxidizers may not themselves be combustible, but they may provide reaction pathways
to accelerate the oxidation of other combustible materials. Combustible solids and
liquids should be segregated from oxidizers. Certain oxidizers undergo dangerous
reactions with specific noncombustible materials. Some oxidizers, such as calcium
hypochlorite, decompose upon heating or contamination and self-react with violent heat
output. Oxidizers include nitrates, nitric acid, nitrites, peroxides, chlorates, chlorites,
dichromates, hypochlorites, perchlorates, permanganates, persulfates, and the halogens.
Integrated Risk Information System (IRIS), www.epa.gov/iris/subst/index.html:
The type of data covered for individual chemicals includes both descriptive and
quantitative information on:
■ Oral reference doses and inhalation reference concentrations (RfDs and RfCs,
respectively) for chronic noncarcinogenic health effects
■ Hazard identification, oral slope factors, and oral and inhalation unit risks for
carcinogenic effects
Occupational Safety and Health Administration (OSHA), www.osha.gov/SLTC/pel/:
OSHA regulations and publications include Permissible Exposure Limit (PEL) values
for both short-term exposures and 8-hour exposures to numerous materials. OSHA
website searches for specific materials can be conducted at this website.
National Institute for Occupational Safety and Health (NIOSH) Registry for Toxic
Effects of Chemical Substances (RTECS) (Ref. 3-24), www.cdc.gov/niosh/rtecs/default.html:
The RTECS database includes toxicity data and summaries of pertinent journal
articles, government reports, and EPA test submissions. Since December 2001,
responsibility for maintaining RTECS has been transferred from NIOSH to various
private and foreign organizations listed at this website. These individual organizations
update RTECS and make it available for purchase or lease along with software for
searching and retrieving specific records.
National Institute for Occupational Safety and Health (NIOSH) Documentation for
Immediately Dangerous to Life or Health Concentrations (IDLHs),
www.cdc.gov/niosh/idlh/intridl4.html:
Contains a chemical listing and documentation of revised IDLH values (as of 3/1/95).
American Conference of Governmental Industrial Hygienists (ACGIH), www.acgih.org/:
Threshold Limit Values (TLV) for more than 700 chemical substances and physical
agents are contained in the latest ACGIH (2003) listing. The TLV values are
determined by an ACGIH committee review of pertinent scientific literature. Proposed
changes and new listings can be found on the ACGIH website.
• Other materials that may contact process chemicals, such as absorbents and
insulation
• All operating conditions that pertain to the given facility, such as elevated
temperature
• In some situations, conditions such as "confinement" and "adiabatic
compression" may be pertinent.
A matrix that would include all of the above items for a given process can be quite
large. If it is necessary to restrict the effort involved in developing the interaction
matrix, judgment can be exercised in limiting the scope of the study or including only
those substances and conditions that have a reasonable likelihood of being present and
causing reactivity concerns.
of the requested information inputs. The tool then outputs all of the assessed scenarios
along with a generalized determination of consequence severity. References are
provided to guide the user to information on how to remediate each type of hazard
identified.
2. Pilot Plant - Chemical reaction hazards
• Influence of plant technology regarding potential hazards
• Definition of safe procedures
• Effects of expected variations in process conditions
• Definition of critical limits
3. Full-Scale Production - Reevaluation of chemical reaction hazards
• Newly revealed reactivity hazards from plant operations
• Management of changes
• Update of safety procedures as required
• Ongoing hazard assessment in examining potential deviations from process
conditions through interaction of process safety with engineering and
production personnel
Screening tests can be run to identify reaction hazards. Also, data for pilot plant
considerations should be evaluated and obtained as necessary. In the pilot plant stage,
additional material becomes available so that the reaction hazards can be investigated
more extensively. Process control features and deviations from normal operating
conditions should be checked. Operating procedures can be drafted and checked.
Emergency procedures can be defined.
Figure (test selection flow chart): Is the substance flammable? Yes: precautions; No: Reactivity Tests (pyrophoric, with water, oxidizing properties, spent inhibitor, decomposition temperature) and Specific Tests (design of vent, safe operation temperature/time, safe storage temperature/time, alarms, quenching, etc.), followed by Storage Tests (large-scale stability) leading to a safe storage/handling temperature.
These tests can also be used to evaluate induction time for the start of an exothermic
decomposition and compatibility with metals, additives, and contaminants. The initial
part of runaway behavior can also be investigated by Dewar tests and adiabatic storage
tests. To record the complete runaway behavior and often the adiabatic temperature rise,
that is, the consequences of a runaway reaction, the Accelerating Rate Calorimeter
(ARC) can be used, although it is a smaller scale test.
To investigate gas evolution during decomposition and / or a runaway reaction, both
the ARC and RSST simultaneously record rise in temperature and pressure, which is
usually proportional to the gas evolution during decomposition. Other types of
equipment available to investigate the gas evolution are various autoclave tests,
isoperibolic autoclave tests, and closed Dewar tests. Mass flux data are also required in
designing any vent facilities. Extrapolation of data from any and all of these tests to
large scale should be made with care.
3.4 REFERENCES
3-1. DIPPR® Data Compilation of Pure Chemical Properties. Design Institute for
Physical Properties, American Institute of Chemical Engineers. New York, NY.
2010.
3-2. NFPA. Fire Protection Handbook, 20th Edition. National Fire Protection
Association. Quincy, MA. 2008.
3-3. Crowl, D.A. Understanding Explosions. Center for Chemical Process Safety for
the American Institute of Chemical Engineers. New York, NY. 2003.
3-4. ASTM A502-03. Standard Specification for Rivets, Steel, Structural. ASTM
International. West Conshohocken, PA. 2009.
3-5. NFPA 30. Flammable and Combustible Liquids Code, 2008 Edition. National
Fire Protection Association. Quincy, MA. 2008.
3-6. CCPS. Guidelines for Fire Protection in Chemical, Petrochemical, and
Hydrocarbon Processing Facilities. Center for Chemical Process Safety of the
American Institute of Chemical Engineers. New York, NY. 2003.
3-7. Crowl, D.A. and Louvar, J.F. Chemical Process Safety: Fundamentals with
Applications, 2nd Edition. Prentice-Hall, Inc., Englewood Cliffs, NJ. 2009.
3-8. GESTIS-DUST-EX, Institute for Occupational Safety and Health of the German
Social Accident Insurance (IFA). www.dguv.de/ifa/en/gestis/expl/index.jsp
3-9. NFPA 68. Standard on Explosion Protection by Deflagration Venting, 2007
Edition. National Fire Protection Association. Quincy, MA. 2007.
3-10. Lewis, R.S. Sax's Dangerous Properties of Industrial Materials, 11th Edition.
John Wiley & Sons. Hoboken, NJ. 2007.
3-11. NFPA 704, Standard System for the Identification of the Hazards of Materials
for Emergency Response, 2007 Edition. National Fire Protection Association.
Quincy, MA. 2007.
3-12. National Oceanic and Atmospheric Administration, 1401 Constitution Avenue,
NW, Room 5128, Washington, D.C. 20230. www.noaa.gov
3-13. NFPA 55. Compressed Gases and Cryogenic Fluids Code, 2010 Edition.
National Fire Protection Association. Quincy, MA. 2010.
3-14. NFPA 400. Hazardous Materials Code, 2010 Edition. National Fire Protection
Association. Quincy, MA. 2010.
3-15. NFPA 491. Fire Protection Guide to Hazardous Materials, 13th Edition.
National Fire Protection Association. Quincy, MA. 2001.
3-16. Urben, P. Bretherick's Handbook of Reactive Chemical Hazards, Seventh
Edition. Academic Press. Oxford, UK. 2007.
3-17. Grewer, Th. Thermal Hazards of Chemical Reactions. Industrial Safety Series,
4. Elsevier. Amsterdam. 1994.
3-18. Pohanish, R.P. and Green, S.A. Wiley Guide to Chemical Incompatibilities,
Second Edition. John Wiley & Sons, Inc. Hoboken, NJ. 2003.
3-19. CCPS. Guidelines for Safe Storage and Handling of Reactive Materials. Center
for Process Safety for the American Institute of Chemical Engineers. New
York, NY. 1995.
3-20. Frurip, D.J., Hofelich, T.C., Leggett, D.J., Kurland, J.K., and Niemeier, J.K. A
Review of Chemical Compatibility Issues, Proceedings of the 1997 AIChE Loss
Prevention Symposium. American Institute of Chemical Engineers. New York,
NY. 1997.
3-21. Leggett, D.J. Chemical Reaction Hazard Identification and Evaluation: Taking
the First Steps, Proceedings, AIChE Spring National Meeting; 36th Annual
Loss Prevention Symposium. New Orleans, Louisiana. 2002.
3-22. Gibson, J. and Weber, J. Handbook of Selected Properties of Air and Water-
Reactive Materials (RDTR). U.S. Naval Ammunition Depot. Crane, IN. 1969.
3-23. EPA. Integrated Risk Information System (IRIS). Environmental Protection
Agency. http://www.epa.gov/IRIS/
3-24. NIOSH. Registry for Toxic Effects of Chemical Substances (RTECS). National
Institute for Occupational Safety and Health.
3-25. Gay, D.M. and Leggett, D.J. Enhancing Thermal Hazard Awareness with
Compatibility Charts. J. Testing and Evaluation, 21, 477-480. 1993.
3-26. ASTM E2012-06. Standard Guide for Preparation of a Binary Chemical
Compatibility Chart. ASTM International. West Conshohocken, PA. 2006.
3-27. CCPS. Reactivity Evaluation Screening Tool (REST). Center for Process Safety
for the American Institute of Chemical Engineers. New York, NY. 2011.
www.aiche.org/ccps
3-28. National Oceanic and Atmospheric Administration, 1401 Constitution Avenue,
NW, Room 5128, Washington, D.C. 20230. www.noaa.gov
3-29. CHRIS. Hazardous Chemical Data Manual. Chemical Hazards Response
Information System. 1999.
http://ocean.floridamarine.org/acp/mobacp/PDF/TACTICAL/chris.pdf.
Thompson, R.E., Zamejc, E.R., and Alhlbeck, D.R. Hazardous Materials Car
Placement in a Train Consist, Volumes 1 and 2. Federal Railroad
Administration. Washington, D.C. 1992.
Fauske, H.K. The Reactive System Screening Tool (RSST): An Inexpensive and
Practical Approach to Sizing Emergency Relief Systems. Process Safety
Symposium. Houston, TX. 1998.
Guidelines for Engineering Design for Process Safety, Second Edition
by Center for Chemical Process Safety
Copyright © 2012 American Institute of Chemical Engineers, Inc.
4 ANALYSIS TECHNIQUES
Engineering design for process safety should consistently and systematically identify and
evaluate hazards posed by a process and reduce the risk to an acceptable level. Process
hazards come from many sources, including:
• Material and chemistry used (e.g., flammability, toxicity, reactivity)
• Process variables - the way the chemistry works in the process (e.g., pressure,
temperature, concentration)
• Equipment failures
This chapter provides an overview of:
• Hazard Identification - A hazard is a physical or chemical condition with the
potential for harming people, property, or the environment. Hazard
identification involves understanding:
  • Undesirable consequences
  • Material, system, process, and plant characteristics that could produce those
consequences
• Hazard Analysis Techniques - A hazard analysis is an organized effort to
identify and analyze the severity of hazardous scenarios associated with a
process or activity. Specifically, hazard analyses are used to identify
weaknesses in design and operation of facilities that could lead to hazardous
material releases. Hazard analyses can also be used to identify and evaluate the
effectiveness of safeguards. This chapter introduces a variety of hazard
analysis techniques that can provide information to help companies improve
safety and manage risk.
• Risk Assessment - Risk assessments used during engineering design provide a
valuable tool for evaluating design concept alternatives and making risk-based
decisions.
For more detailed information, refer to CCPS publications:
• Guidelines for Hazard Evaluation Procedures (Ref. 4-1)
• Guidelines for Chemical Process Quantitative Risk Assessment (Ref. 4-2)
• Layer of Protection Analysis, Simplified Process Risk Assessment
(Ref. 4-3)
Table excerpt (industry hazard overview; one row, cells listed in order):
Industry: Water and Wastewater Treatment
Fire: Diesel driven water pumps present a potential fire hazard. Storage of dry sludge may
contain pyrophoric iron sulfides.
Explosion: Methane gas accumulation and its subsequent ignition present explosion hazards.
Toxic release: Chlorine, sulfur dioxide, and anhydrous ammonia can be used at facilities
that treat water and wastewater. Releases of these materials have the potential to impact
both onsite workers and the community.
Reactivity: Chlorine and sulfur dioxide are strong oxidizers and will react with most
metals and organic materials. Sulfuric acid will react with concrete and produce a
reactive by-product.
Health: Exposure to contaminated water may cause adverse health effects. There has been
a history of worker injury and fatality due to unsafe confined space entry activities in
open pit treatment areas.
Process hazards can lead to the release of a toxic or flammable material and
subsequent fire, explosion, or exposure to toxics. Small events can escalate to cause
significant injury, environmental impact, or asset damage. Process hazards can lead to:
• Fires
• Explosions / implosions
• Uncontrolled chemical reactions
• Exposure to:
  • Corrosive materials
  • Toxic materials
  • Ionizing and non-ionizing radiation
  • Pathogens
  • Temperature extremes
Hazardous materials can be solids, liquids, or gases. Hazards may be associated
with the material size. Fine powders can form explosive atmospheres; liquids can be in
the form of droplets or vapors, both of which are generally more hazardous than bulk
material.
Some causes of process hazards may be easy to identify, such as:
• Equipment defects or degradation
• External corrosion
• Impact to piping and equipment
• Inadequate isolation of equipment or piping
• Inadequate energy isolation (lockout / tagout)
4.1.1.1 Intrinsic
Intrinsic hazards are characteristics that are permanently associated with the material or
operation in question. They cannot be separated, and they are not dependent upon use or
location, e.g., flammability, toxicity, etc.
Process conditions also create hazards or exacerbate the hazards associated with the
materials in a process. For example, water is not classified as an explosion hazard based
on its material properties alone. However, if a process is operated at a temperature and
pressure that exceed water's boiling point, then a rapid introduction of water presents the
potential for a steam explosion. Similarly, a heavy hydrocarbon may be difficult to
ignite at ambient conditions, but if the process is operated above the hydrocarbon's flash
point, a spill of the material may ignite. Therefore, it is not sufficient to consider only
the material properties when identifying hazards; the process conditions must also be
considered.
Considering the process conditions may also enable an analyst to eliminate some
materials from further evaluation as significant hazards. For example, a material may
have a flash point greater than 750°F (400°C). If the material is only present at ambient
temperature and atmospheric pressure, then it may not be considered a significant fire
hazard that warrants further evaluation. However, when identifying hazards, it is
important to consider both normal and abnormal process conditions. Consider the
following three cases:
4.1.1.2 Extrinsic
Extrinsic hazards are dependent upon where or how something is found or used, e.g.,
operating conditions, quantity, physical or geographical location. Extrinsic hazards can
be directly related to the decisions made by the engineering team.
requirement for special supports to handle the stresses generated. Process design should
take these stresses into account. The design should minimize stresses, especially during
startup and shutdown.
High temperatures are often obtained with the use of fired heaters, which have
additional hazards, such as tube rupture and explosions. Use of steam heaters, where
possible, instead of fired heaters should be considered to prevent such hazards.
Process design should consider and address subfreezing temperatures and also
recognize that some materials freeze well above the freezing point of water. Exposed
drain valves and deadlegs have caused several major process safety incidents. The initial
break in containment (such as split pipe) may not become immediately evident and can
cause loss of containment release when the process unit is restarted. The process design
engineer must also consider the potential impact to process fluids caused by extended
low ambient temperature. Design engineering standards for insulation are based on both
minimum temperature and duration of sub-freezing temperature. One common example
of process fluid freezing is liquid 50% sodium hydroxide, which freezes at
approximately 50°F (10°C). Viscosity and plugging process problems can occur.
Fortunately, water is the only common liquid that expands when it freezes. Most process
materials can freeze without damage to equipment.
ancillary systems, such as utility air, water, fuel gas, inerting gas, etc., can lead to an
uncontrollable situation, e.g., loss of cooling to a reactor could result in a runaway
reaction and explosion.
Another issue with utilities is cross-contamination, e.g., air connected to nitrogen
systems could result in a flammable mixture in a conveying system.
Utility systems are discussed further in Chapter 6, Equipment Design.
4.1.2.1 Intrinsic
A heat flux of 8,000 Btu/hr/ft² (25 kW/m²) has been published as a general rule-of-
thumb for damage to process equipment (Ref. 4-5). Clearly, this excludes electrical and
electronic equipment, which may fail to operate at much lower heat fluxes and resulting
temperatures.
Further details on overpressure sources can be found in the CCPS Concept Book
Understanding Explosions (Ref. 4-6) and Guidelines for Vapor Cloud Explosion,
Pressure Vessel Burst, BLEVE and Flash Fire Hazards, Second Edition (Ref. 4-7).
4.1.2.2 Extrinsic
sources while taking all necessary steps to protect the equipment should such a source be
present. These steps may involve control to protect against flammable atmospheres,
design to contain any explosion within the equipment, or incorporation of devices to
intercept, suppress, or vent a flame reaction zone. Even if all internal ignition sources
were eliminated within the process equipment, an external pool fire or impingement
flame might still damage the equipment or initiate an uncontrolled internal reaction.
Therefore, external fire protection measures such as thermal insulation and sprinkler
systems may be used in addition to prudent design and layout to minimize the severity of
damage caused by external fires.
In addition to protecting equipment, measures should be taken to minimize the
probability of a flash fire or vapor cloud explosion should a leak occur. Many ignition
sources are obvious, such as flares, burn pits, furnaces, and other flame sources. Less
obvious ignition sources include internal combustion engines, atmospheric static
charges, and equipment that might not be recognized as "fixed" ignition sources on a site
plan.
Often, ignition sources are insidious. For example, a poorly designed liquid transfer
system might regularly give rise to static sparks but not cause ignition because the vapor
is outside its flammable range. Any change in the vapor concentration might quickly
give rise to an explosion. As another example, after years of uneventful operation, a fire
might develop in a spray dryer due to accumulation of an unusually thick powder layer
which spontaneously ignites (the accumulated heat reaches the autoignition temperature
of the material). This fire might in turn ignite a powder suspension in the dryer causing
an explosion. Measures to avoid ignition sources must often be taken at the design stage.
However, to do this it is necessary to gather appropriate information on the ignition
behavior of the materials concerned. Discovery of this behavior once a unit is
operational means costly retrofit, redesign, or add-on safety measures.
Further details can be found in:
• API RP 2003, Protection Against Ignitions Arising out of Static, Lightning and
Stray Currents (Ref. 4-9)
• NFPA 55, Compressed Gas Code (Ref. 4-10)
• NFPA 400, Hazardous Material Code (Ref. 4-11)
• NFPA 69, Explosion Prevention Systems (Ref. 4-12)
• NFPA 70, National Electrical Code (Ref. 4-13)
• NFPA 77, Static Electricity (Ref. 4-14)
• NFPA 78, Lightning Protection Code (Ref. 4-15)
• NFPA 497M, Manual for Classification of Gases, Vapors and Dusts for
Electrical Equipment in Hazardous (Classified) Locations (Ref. 4-16)
• Reactions of metals
• Thermite reactions
• Thermally unstable materials
• Accumulation of unstable materials
• Pyrophoric materials
blindness, organ system damage, and death. In addition, the severity of many of these
effects varies with intensity and duration of exposure. For example, exposure to a
substance at an intensity that is sufficient to cause only mild throat irritation is of less
concern than one that causes severe eye irritation or dizziness, since the latter effects are
likely to impede escape from the area of contamination.
There is also a high degree of variation in response among individuals in a typical
population. Withers and Lees (Ref. 4-17) discuss how factors such as age, health, and
degree of exertion affect toxic responses (in this case, to chlorine). Generally, sensitive
populations include the elderly, children, and persons with diseases that compromise the
respiratory or cardiovascular system. As a result of the variability in response of living
organisms, a range of responses is expected for a fixed exposure. Suppose an organism
is exposed to a toxic material at a fixed dose and the responses determined. Some of the
organisms will show a high level of response while some will show a low level. The
results are frequently modeled as a Gaussian, or "bell-shaped," curve.
The experiment is repeated for a number of different doses and Gaussian curves are
drawn for each dose. The mean response and standard deviation are determined at each
dose. A complete dose-response curve is produced by plotting the cumulative mean
response at each dose. This form typically provides a much straighter line in the middle
of the dose range. The logarithm form arises from the fact that in most organisms there
are some subjects who can tolerate rather high levels of the causative variable and,
conversely, a number of subjects who are highly sensitive to the causative variable.
Experiments have shown that the threshold of pain occurs when the skin
temperature at a depth of 0.1 mm is raised to 840°F (450°C). When the skin surface
temperature reaches about 1025°F (550°C), blistering occurs.
The inputs to most thermal effect models are the thermal flux level and duration of
exposure. Thermal flux levels are provided by one of the fire consequence models and
durations by either the consequence model (e.g., for BLEVEs) or an estimate of the time
to extinguish the fire or escape from the fire. More detailed models use thermal energy
input after a particular skin temperature is reached.
Probit constants for a number of different vapor exposures are provided in Table 4.2.
Table 4.2 (probit constants a, b, n for vapor exposures; values not recovered in this extraction)
The main mechanisms of heat transfer in a process facility are thermal radiation and
direct flame contact. Heat transfer to personnel can cause burns. Heat transfer to
equipment and structures can lead to failure of equipment containing flammable or
combustible material, which can further feed the fire.
Radiant energy that strikes a surface can be:
• Reflected
• Absorbed
• Transmitted (for transparent material)
Flames of some materials, such as natural gas, contain relatively little soot, whereas
heavier hydrocarbons, such as kerosene and crude oil, generate copious amounts of soot
and smoke.
Radiant heat transfer can result in burns to personnel and can heat up unprotected
process equipment and structural elements. If the heat is not dissipated by the
application of cooling or conduction, the process equipment or structure may fail.
Table excerpt (exposure time needed to reach the pain threshold):
Radiation intensity (Btu/hr/ft²) | Radiation intensity (kW/m²) | Time to pain threshold (s)
500  | 1.74  | 60
740  | 2.33  | 40
920  | 2.90  | 30
1500 | 4.73  | 16
2200 | 6.94  | 9
3000 | 9.46  | 6
3700 | 11.67 | 4
6300 | 19.87 | 2
Table excerpt (permissible design radiant heat intensity):
Btu/hr/ft² | kW/m² | Conditions
5000 | 15.77 | Heat intensity on structures and in areas where operators are not likely to be
performing duties and where shelter from radiant heat is available, for example,
behind equipment.
3000 | 9.46 | Value of K at design flare release at any location to which people have access,
for example, at grade below the flare or on a service platform of a nearby tower.
Exposure must be limited to a few seconds, sufficient for escape only.
2000 | 6.31 | Heat intensity in areas where emergency actions lasting up to 1 min may be
required by personnel without shielding but with appropriate clothing.
1500 | 4.73 | Heat intensity in areas where emergency actions lasting several minutes may
be required by personnel without shielding but with appropriate clothing.
500 | 1.58 | Value of K at design flare release at any location where personnel are
continuously exposed.
Table excerpt (effects of thermal radiation):
Btu/hr/ft² | kW/m² | Observed effect
4,000 | 12.5 | Minimum energy required for piloted ignition of wood, melting of plastic tubing.
3,000 | 9.5 | Pain threshold reached after 8 sec; second degree burns after 20 sec.
1,200 | 4 | Sufficient to cause pain to personnel if unable to reach cover within 20 sec;
however blistering of the skin (second degree burns) is likely; 0% lethality.
Table excerpt (ERPG values; columns ERPG-1 | ERPG-2 | ERPG-3, in ppm unless noted;
row alignment of the two entries marked * is uncertain in this extraction):
Hexafluoroacetone | NA | 1 | 50
Hexafluoropropylene | 10 | 50 | 500
Hydrogen Chloride | 3 | 20 | 100
Hydrogen Cyanide | NA | 10 | 25
Hydrogen Fluoride | 54 | 20 | 50
Hydrogen Sulfide | 0.1 | 30 | 100
Isobutyronitrile | 10 | 50 | 200
2-Isocyanatoethyl Methacrylate | NA | 0.1 | 1
(name not recovered)* | 25 µg/m³ | 100 µg/m³ | 500 µg/m³
Lithium Hydride* | 200 | 1000 | 5000
Methyl Chloride | NA | 400 | 1000
Methylene Chloride | 200 | 750 | 4000
Methyl Iodide | 25 | 50 | 125
Methyl Isocyanate | 0.025 | 0.5 | 5
Methyl Mercaptan | 0.005 | 25 | 100
4.1.3.5.5 Other
Some states have their own exposure guidelines. For example, the New Jersey
Department of Environmental Protection (NJ-DEP) uses the Toxic Dispersion (TXDS)
method of consequence analysis for the estimation of potentially catastrophic quantities
of toxic substances as required by the New Jersey Toxic Catastrophe Prevention Act
(TCPA) (Ref. 4-26). An Acute Toxic Concentration (ATC) is defined as the
concentration of a gas or vapor of a toxic substance that will result in acute health effects
in the affected population and one fatality out of 20 or less (5% or more) during 1 hour
exposure. ATC values as proposed by the NJ-DEP are estimated for 103
"extraordinarily hazardous substances" and are based on the lowest value of one of the
following:
• The Lowest Reported Lethal Concentration (LCLO) value for animal test data
• The Median Lethal Concentration (LC50) value from animal test data
multiplied by 0.1
• The IDLH value
The EPA (Ref. 4-27) published a set of toxic endpoints to be used for air dispersion
modeling of toxic gas releases as part of the EPA Risk Management Plan (RMP). The
toxic endpoint is, in order of preference: (1) the ERPG-2, or (2) the Level of Concern
(LOC) promulgated by the Emergency Planning and Community Right-to-Know Act.
The LOC is considered "to be the maximum concentration of an extremely hazardous
substance in air that will not cause serious irreversible health effects in the general
population when exposed to the substance for relatively short duration" (Ref. 4-28).
Toxic endpoints are provided for 77 chemicals under the RMP rule (Ref. 4-28).
In general, the most directly relevant toxicological criteria currently available,
particularly for developing emergency response plans and conducting risk assessments,
are ERPGs, SPEGLs, and EEGLs. These were developed specifically to apply to general
populations and to account for sensitive populations and scientific uncertainty in
toxicological data. For incidents involving substances for which no SPEGLs or EEGLs
are available, IDLHs provide alternative criteria.
A much more extensive list of toxic chemical characteristics has been prepared by
the Health and Safety Executive in the UK. The HSE uses two levels of impact, "SLOT"
and "SLOD." These terms have several definitions, most notably:
• SLOT (Specified Level of Toxicity) - Highly susceptible people possibly being
killed
• SLOD (Significant Likelihood of Death) - 50% mortality in exposed population
There is no direct comparison between the HSE data and the earlier approaches but
the results seem comparable. The HSE values can be used as a basis for estimating
probabilities of fatality for the broader range of chemicals that the HSE reports.
Table 4.7 contains an excerpt from the beginning of the almost 100 SLOT / SLOD
Dangerous Toxic Load (DTL) values provided by the HSE (Ref. 4-29).
The user calculates the integral concentration of toxic material (in ppm), raised to
the n power with respect to the exposure duration (in minutes). The result is then
compared to the SLOT and SLOD values in the table above to determine if the specific
impact level has been reached.
There is no specified method for converting a SLOT/SLOD form into a probit form
in order to facilitate interpolation or extrapolation from the SLOT / SLOD values to
other impact magnitudes. Therefore, if SLOT / SLOD data are used for impact levels
other than those defined above, the basis for doing so must be described by the analyst.
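The toxic load integration just described, and the probit form of the dose-response curve discussed earlier in this chapter, as an added worked example (this code is not from the CCPS text). The HSE toxic load is the integral of concentration raised to the n power over the exposure duration; the probit relation used here is the standard form Y = a + b ln(C^n t), with the affected fraction read from the normal distribution, which is the "bell-shaped" response the text describes. The exponent n, the SLOT/SLOD thresholds, the probit constants a and b, and the concentration profile are all constructed placeholders, not published values for any substance.

```python
# Added example (not from the CCPS text): integrate a time-varying concentration
# profile into a Dangerous Toxic Load (DTL) of the HSE form, integral of C^n dt,
# compare it against SLOT/SLOD thresholds, and convert a probit value to the
# fraction of the exposed population affected. Every numeric constant below
# (the exponent n, the SLOT/SLOD thresholds, the probit constants a and b, the
# concentration profile) is a constructed placeholder, not a published value.
import math

# Constructed exposure profile: (concentration in ppm, duration in minutes) for
# successive time steps, as a dispersion model might report at a receptor.
PROFILE = [(100.0, 10.0), (200.0, 5.0), (50.0, 15.0)]

# Constructed placeholders standing in for one HSE DTL table entry.
N_EXPONENT = 2.0
SLOT_DTL = 1.0e5      # ppm^n.min
SLOD_DTL = 1.0e6      # ppm^n.min

# Constructed probit constants a, b paired with the n above (placeholders).
PROBIT_A = -9.0
PROBIT_B = 1.0


def toxic_load(profile, n):
    """Sum C^n * dt over a piecewise-constant profile (units ppm^n.min)."""
    return sum(c ** n * dt for c, dt in profile)


def classify_load(load, slot, slod):
    """Return the highest HSE impact level whose DTL the load reaches."""
    if load >= slod:
        return "SLOD"
    if load >= slot:
        return "SLOT"
    return "below SLOT"


def probit_y(load, a, b):
    """Probit of the standard form Y = a + b ln(C^n t)."""
    return a + b * math.log(load)


def probit_to_probability(y):
    """Fraction affected: Phi(Y - 5), Phi being the standard normal CDF."""
    return 0.5 * (1.0 + math.erf((y - 5.0) / math.sqrt(2.0)))


def fatality_fraction(profile):
    """Chain the steps: profile -> toxic load -> probit -> fraction affected."""
    load = toxic_load(profile, N_EXPONENT)
    return probit_to_probability(probit_y(load, PROBIT_A, PROBIT_B))


if __name__ == "__main__":
    load = toxic_load(PROFILE, N_EXPONENT)
    print(f"toxic load = {load:.0f} ppm^n.min -> "
          f"{classify_load(load, SLOT_DTL, SLOD_DTL)}")
    print(f"probit Y = {probit_y(load, PROBIT_A, PROBIT_B):.2f}, "
          f"fraction affected = {fatality_fraction(PROFILE):.3f}")
```

The profile is treated as piecewise constant, which is what a dispersion model's time-stepped output gives; a finer time step, not a different integrator, is the way to reduce the error when the concentration changes quickly. The SLOT/SLOD comparison needs only the load, while the probit step is what allows interpolation to other impact levels, which is exactly the conversion the text notes the HSE data do not define.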
• Perspiration: by losing heat through the evaporation of water vapor on the skin
• Radiation: receiving radiation from an external source or radiating heat from
our body
Clearly, some methods are more effective than others.
Thermal hazards can include both heat and cold hazards. This section discusses
temperature hazards associated with the process or chemical properties of process
materials.
Figure (explosion classification; diagram not reproduced): Physical Explosion; Thermal
Explosion (decomposition); Chemical Explosion; Deflagration/Explosive Decomposition.
The continuous damage function is the approach used by the U.S. Department of
Defense Explosive Safety Board (Ref. 4-31). The limitations of this approach are that it
does not readily allow for the identification of what type of damage has occurred and
which building components may be governing the percentage of damage to the structure.
Typical discrete BDLs used in the process industry are shown in Table 4.8. One
advantage of this approach is that the nature of the damage is indicated by the damage
description. Pressure-impulse diagrams serve to define the boundaries between the
damage states when discrete BDLs are used.
Table 4.8 excerpt: BDL 3 | Major | Reflected wall has collapsed. Other walls and roof have
substantial plastic deformation that may be approaching incipient collapse.
4.1.3.7.2 People
People outside of buildings or structures are susceptible to:
• Direct blast injury (blast overpressure)
• Indirect blast injury (missiles or whole-body translation)
Relatively high blast overpressures (>15 psig) are necessary to produce fatality
(primarily due to lung hemorrhage).
It is generally believed that fatalities arising from whole-body translation are due to
head injury from impact. Baker et al. (Ref. 4-32) present tentative criteria for probability
of fatality as a function of impact velocity. Lees (Ref. 4-18) provides probit equations
for whole-body translation and impact. Injury to people due to fragments usually occurs
either because of penetration by small fragments or blunt trauma by large fragments.
Injury from blunt projectiles is a function of the fragment mass and velocity. Very
limited information is available for this effect.
Table excerpt (hazard evaluation objectives and techniques by life cycle stage):
Life cycle stage: Construction and startup
Objectives:
• Identify error-likely situations in the startup and operating procedures.
• Verify that all issues from previous hazard evaluations were resolved satisfactorily and
that no new issues were introduced.
• Identify hazards that adjacent units may create for construction and maintenance
workers.
• Identify hazards associated with vessel cleaning procedures.
• Identify any discrepancies between as-built equipment and the design drawings.
Techniques: Safety Review; Checklist; What-If; What-If/Checklist; Critical Task Analysis
4.2.2 Qualitative
Hazard analysis is the cornerstone of an organization's overall PSM program. Although
hazard analyses typically involve the use of qualitative techniques to analyze potential
equipment failures and human errors that can lead to incidents, the studies can also
highlight gaps in the management systems of a process safety program. Qualitative
hazard evaluation techniques, often referred to as Process Hazard Analyses (PHA),
include:
• Hazard Identification
• Checklist Analysis
• What-If Analysis
• Hazard and Operability Study (HAZOP)
Table (Hazard Identification overview):
When used: Research and development; Conceptual design; Pilot plant operation.
Information needed: Material, physical, and chemical data; Basic process chemistry;
Process flow diagram.
Results: Rough screening of general hazards; Ranking of hazardous areas or processes.
Comments: Provides a quick focus on big issues. Potential to miss something.
Table (Checklist Analysis overview):
When used: Conceptual design; Pilot plant operation; Detailed engineering;
Construction/startup; Routine operation; Decommissioning; Expansion or modification;
During What-If or HAZOP studies to provide compliance with items such as facility siting,
human factors, and other general issues.
Information needed: Material, physical, and chemical data; Basic process chemistry;
Process flow diagram; Operating procedures; Piping and Instrumentation Diagrams (P&IDs).
Results: Response to pre-defined questions; Documentation of compliance.
Comments: Can be used with less experienced personnel if the experience is captured in
the checklist. Quality of the analysis is only as good as the quality of the checklist.
Checklists that are too long or don't relate specifically enough to the process being
analyzed may have a tendency to be completed without thorough evaluation.
Table 4.13 HAZOP Overview
4.2.3 Semi-Quantitative
LOPA can be effectively used at any point in the life cycle of a process or a facility,
but it is most frequently used during:
• The design stage when the process flow diagram and P&IDs are essentially
complete
• Modifications to an existing process or its control or safety systems
• The regular cycle of Process Hazard Analyses performed on a process
Table 4.14 provides an overview of LOPA requirements and results.
Table 4.15 FMEA Overview
4.2.4 Quantitative
Process quantitative risk analysis is a methodology designed to provide management
with a tool to help evaluate overall process safety in the chemical process industry.
Management systems such as engineering codes, checklists, and Process Safety
Management (PSM) provide layers of protection against accidents. However, the
potential for serious incidents cannot be totally eliminated. Quantitative risk analysis
provides a quantitative method to evaluate risk and to identify areas for cost-effective
risk reduction. This section provides an overview of quantitative risk analysis. For
further detail, see Guidelines for Hazard Evaluation Procedures (Ref. 4-1) and
Guidelines for Chemical Process Quantitative Risk Assessment (Ref. 4-2).
A quantitative risk analysis examines a range of possible incident outcomes for a
given loss event, such as by the use of event trees to evaluate the probability of success
or failure of each applicable mitigative safeguard and the overall risk of each resulting
scenario. Techniques used as inputs to Quantitative Risk Analyses (QRAs) include:
• Fault Tree
• Event Tree
combinations are the "smallest" combinations in that all of the failures in a MCS must
occur if the top event is to occur as a result of that particular MCS. For example, a car
will not operate if the cut set "no fuel" and "broken windshield" occurs. However, the
MCS is "no fuel" because it alone can cause the top event; the broken windshield has no
bearing on the car's ability to operate. Sometimes analysts may include special
conditions or circumstantial events in a fault tree model (e.g., the existence of a certain
plant operating condition). Thus, a list of minimal cut sets represents the known ways
the undesired consequence can occur, stated in terms of equipment failures, human
errors, and associated circumstances.
The fault tree is a graphical representation of the relationships between failures and
a specific consequence. Fault events and basic events representing failures of equipment
or humans (hereafter, both equipment and humans are referred to as components) can be
divided into failures and faults. A component failure is a malfunction that requires the
component to be repaired before it can successfully function again. For example, when a
pump shaft breaks, it is classified as a component failure. A component fault is a
malfunction that will "heal" itself once the conditions causing the malfunction are
corrected. An example of a component fault is a switch whose contacts fail to operate
because they are wet and when the contacts are dried they operate properly.
Whether a component malfunction is classified as a fault or a failure, a basic
assumption of Fault Tree Analysis is that all components are in either a failed state or a
working state. Analysis of several degraded operating states is generally not practical.
Analysts must define the conditions of failure and success for each event used in a fault
tree model.
Detailed information on performing a Fault Tree Analysis can be found in
Guidelines for Hazard Evaluation Procedures (Ref. 4-1).
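The minimal cut set reduction described above, as an added worked example (this code is not from the CCPS text or from Guidelines for Hazard Evaluation Procedures). The fault tree is expanded gate by gate into cut sets, supersets are absorbed to leave the minimal cut sets, and the rare-event approximation sums the product of basic-event probabilities over each MCS. The tree, the event names (which echo the "no fuel" and "broken windshield" car example) and the probabilities are constructed for illustration.

```python
# Added example (not from the CCPS text): compute the minimal cut sets (MCS) of a
# small fault tree and a rare-event estimate of the top-event probability. The
# tree, event names and probabilities are constructed for illustration.
from itertools import product


# A fault tree node is either a basic-event name (str) or a gate tuple
# ("AND", [children]) / ("OR", [children]).
def cut_sets(node):
    """All (not yet minimal) cut sets of the subtree rooted at node."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        # Any one child's cut set alone fails an OR gate.
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":
        # One cut set from every child must hold, so union each combination.
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Absorption: drop any cut set that strictly contains another cut set."""
    sets = set(cut_sets(node))
    return sorted(
        (cs for cs in sets if not any(other < cs for other in sets)),
        key=lambda cs: (len(cs), sorted(cs)),
    )


def top_event_probability(mcs, basic_probabilities):
    """Rare-event approximation: sum over MCS of the product of basic-event
    probabilities (adequate when every MCS probability is small)."""
    total = 0.0
    for cs in mcs:
        p = 1.0
        for event in cs:
            p *= basic_probabilities[event]
        total += p
    return total


# Constructed tree: the car fails to operate (top event) if there is no fuel, or
# if the battery is dead and no jump start is available. "broken windshield"
# appears in a cut set but is absorbed because "no fuel" alone is sufficient.
CAR_WONT_START = ("OR", [
    "no fuel",
    ("AND", ["no fuel", "broken windshield"]),
    ("AND", ["battery dead", "no jump start available"]),
])

# Constructed per-demand probabilities for the basic events.
BASIC_PROBABILITIES = {
    "no fuel": 0.01,
    "broken windshield": 0.001,
    "battery dead": 0.05,
    "no jump start available": 0.5,
}

if __name__ == "__main__":
    mcs = minimal_cut_sets(CAR_WONT_START)
    for cs in mcs:
        print("MCS:", sorted(cs))
    print("P(top) ~", top_event_probability(mcs, BASIC_PROBABILITIES))
```

The expansion is exponential in the worst case, so production tools prune during expansion; for the tree sizes used in a design review the plain expand-then-absorb approach above is enough and keeps the absorption step visible. The two-state assumption the text describes (each component either failed or working) is built in: a basic event is simply present or absent in a cut set.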
Figure (hazard evaluation technique selection worksheet; checkbox form not reproduced):
Define Motivation: new review; recurrent review; revalidate previous review; redo
previous review; special requirement.
Determine Type of Results Needed: list of hazards; list of problems/incidents;
prioritization of results; hazard screening; action items; input for QRA.
Identify Process Information.
Examine Characteristics of the Problem: Complexity / Size (simple / complex; small /
large); Type of Process (chemical, physical, mechanical, biological; electrical,
electronic, computer, human); Type of Operation (fixed facility, transportation;
permanent, temporary; continuous, semi-batch, batch).
Situation / Incident / Event of Concern: Nature of Hazard (toxicity, flammability,
explosivity, reactivity, radioactivity, corrosivity, dust explosibility, physical hazard,
other); single failure, multiple failure, loss of function, simple loss-of-containment;
process upset, hardware, software, human; procedure.
Other factors: availability of skilled personnel; time requirements; funding necessary;
analyst / management preference.
Specific benefits from risk assessment as part of a risk management system include:
• Providing a clear process and concrete criteria, increasing confidence that risk
management decisions are rationally determined and not the result of arbitrary
decisions
• Providing a basis for prioritizing / apportioning finite resources (providing the
best mix of expenditures to minimize total risk across the company)
• Assisting in the evaluation of the relative benefits of risk reduction alternatives
• Helping define which level of the organization should take responsibility for the
decisions that affect the risk (i.e., higher risk decisions made at higher levels)
• Helping protect the organization's permission to operate (actual or figurative)
and enhancing the sustainability of the business
• Yielding a better understanding of the management of the risk
Figure (risk assessment flow; diagram not reproduced): Identify Hazards → Identify
Consequences and Estimate Likelihood → Estimate the Risk → Evaluate the Risk → Identify
and Prioritize Potential Risk Reduction Measures.
For toxic releases, effect models consider the concentration and duration of
exposure and the mode of physiological impact to convert these incident-specific results
into effects on people (injury or death). For flammable releases, fire and explosion
models convert information on the concentration and mass of material present (and,
perhaps, information describing the physical environment of the flammable cloud) into
energy hazard potentials such as thermal radiation and explosion overpressures. Other
effect models are then used to estimate effects on people and structures.
Additional refinement to consequence estimates may be provided by consideration
of mitigation factors, such as isolation systems that might reduce the duration of the
release or water sprays, foam systems, and sheltering or evacuation that may reduce the
magnitude of potential effects.
Figure 4.4 shows an overall logic diagram for consequences models for releases of
volatile, hazardous substances.
Figure 4.4 (consequence model logic diagram; diagram not reproduced):
Select Source Model to Describe Release Incident. Results may include: total quantity
released; release duration; release rate; material phase.
Select Dispersion Model (if applicable): neutrally buoyant; heavier than air; others.
Results may include: downwind concentration; area affected; duration.
Flammable and/or Toxic? Select Fire and Explosion Model and/or Select Dispersion Effect
Model.
Mitigation factors: escape; emergency response; shelter-in-place; containment dikes;
other.
Risk Calculation.
qualitative risk criteria can be found in Guidelines for Hazard Evaluation Procedures,
Chapter 7, Risk-Based Determination of the Adequacy of Safeguards (Ref. 4-1).
There are many diverse measures of individual and societal risk. Those addressed
here are the most commonly applied in the process industries. Readers seeking a broader
perspective may wish to consult Guidelines for Developing Quantitative Safety Risk
Criteria (Ref. 4-36) for other examples of risk measures and formats for their
presentation.
• Offsite individuals, while perhaps further removed from the hazards, may be
exposed for a greater percentage of the time (e.g., stay-at-home residents who
may be at risk nearly 100% of the time). Conversely, depending upon the nature
of offsite developments, there may be individuals whose risk exposure is
transient and brief (e.g., visitors to a park adjacent to a chemical or petroleum
facility).
The calculation of individual risk is made with the understanding that the
contributions of all incident outcome cases (i.e., event sequences) are additive. For
example, the total individual risk to an individual working at a facility is the sum of the
risks from all potentially harmful incidents considered separately, i.e., the sum of all
risks due to fires, explosions, toxic chemical exposures, etc., to which the individual
might be exposed.
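The additive rule above, and the point about fraction of time present made in the offsite-individual bullet, can be carried through numerically. This is an added example, not from the CCPS text: the three outcome cases, their frequencies, fatality probabilities and occupancy fractions are constructed illustration values, and the function names are the example's own.

```python
"""Individual risk as the sum of incident outcome case contributions.

Added example, not from the CCPS guideline. All frequencies, fatality
probabilities and occupancy fractions below are constructed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutcomeCase:
    """One incident outcome case (event sequence) that can reach a location."""
    name: str
    frequency_per_year: float  # expected occurrences of the outcome per year
    prob_fatality: float       # probability of fatality for a person present


# Constructed sample: three outcome cases affecting the same location.
SAMPLE_CASES = (
    OutcomeCase("pool fire", 1.0e-4, 0.5),
    OutcomeCase("vapor cloud explosion", 2.0e-5, 0.2),
    OutcomeCase("toxic release", 1.0e-5, 0.1),
)


def risk_contributions(cases, fraction_of_time_present):
    """Per-case individual risk (fatalities/yr) for a person present the given fraction of time."""
    if not 0.0 <= fraction_of_time_present <= 1.0:
        raise ValueError("fraction_of_time_present must lie between 0 and 1")
    contributions = {}
    for case in cases:
        if not 0.0 <= case.prob_fatality <= 1.0 or case.frequency_per_year < 0.0:
            raise ValueError(f"invalid parameters for outcome case {case.name!r}")
        # frequency x conditional fatality probability x occupancy
        contributions[case.name] = (case.frequency_per_year * case.prob_fatality
                                    * fraction_of_time_present)
    return contributions


def total_individual_risk(cases, fraction_of_time_present):
    """Total individual risk: the additive sum over all outcome cases."""
    return sum(risk_contributions(cases, fraction_of_time_present).values())


def dominant_case(cases, fraction_of_time_present):
    """Name of the outcome case that contributes most to the total."""
    contributions = risk_contributions(cases, fraction_of_time_present)
    return max(contributions, key=contributions.get)


if __name__ == "__main__":
    # Stay-at-home resident present essentially 100% of the time versus a
    # park visitor whose exposure is brief and transient (constructed 2%).
    for label, occupancy in (("resident", 1.0), ("park visitor", 0.02)):
        print(f"{label}: {total_individual_risk(SAMPLE_CASES, occupancy):.2e} /yr, "
              f"dominated by {dominant_case(SAMPLE_CASES, occupancy)}")
```

Separating the per-case contributions from the total is deliberate: the ranking shows which incident type dominates the risk at a location, which is what a designer uses to decide where an extra protection layer buys the most.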
4.5 REFERENCES
4-1. CCPS. Guidelines for Hazard Evaluation Procedures. Center for Chemical
Process Safety of the American Institute of Chemical Engineers. New York, NY.
2008.
4-2. CCPS. Guidelines for Chemical Process Quantitative Risk Analysis, Second
Edition. Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, NY. 2000.
4-3. CCPS. Layer of Protection Analysis - Simplified Process Risk Assessment. Center
for Chemical Process Safety of the American Institute of Chemical Engineers.
New York, NY. 2001.
4-4. CCPS. Guidelines for Process Safety in Batch Reaction Systems. Center for
Chemical Process Safety of the American Institute of Chemical Engineers. New
York, NY. 1999.
4-5. CCPS. Guidelines for Fire Protection in Chemical, Petrochemical, and
Hydrocarbon Processing Facilities. Center for Chemical Process Safety of the
American Institute of Chemical Engineers. New York, NY. 2003.
4-6. Crowl, D.A. Understanding Explosions. Center for Chemical Process Safety for
the American Institute of Chemical Engineers. New York, NY. 2003.
4-7. CCPS. Guidelines for Vapor Cloud Explosion, Pressure Vessel Burst, BLEVE
and Flash Fire Hazards, Second Edition. Center for Chemical Process Safety.
New York, NY. 2010.
4-8. NOAA. Chemical Reactivity Worksheet, Version 2.1. National Oceanic and
Atmospheric Administration. http://response.restoration.noaa.gov/CRW.
4-9. API RP 2003. Protection Against Ignitions Arising out of Static, Lightning and
Stray Currents. American Petroleum Institute, Washington, D.C. 1991.
4-10. NFPA 55. Compressed Gas Code. National Fire Protection Association, Quincy,
MA. 2010.
4-11. NFPA 400. Hazardous Materials Code. National Fire Protection Association,
Quincy, MA. 2010.
4-12. NFPA 69. Explosion Prevention Systems. National Fire Protection Association,
Quincy, MA. 1986.
4-13. NFPA 70. National Electrical Code. National Fire Protection Association,
Quincy, MA. 2011.
4-14. NFPA 77. Static Electricity. National Fire Protection Association, Quincy, MA.
1988.
4-15. NFPA 78. Lightning Protection Code. National Fire Protection Association,
Quincy, MA. 1989.
4-16. NFPA 497M. Manual for Classification of Gases, Vapors and Dusts for
Electrical Equipment in Hazardous (Classified) Locations. National Fire
Protection Association, Quincy, MA. 1991.
120 GUIDELINES FOR ENGINEERING DESIGN FOR PROCESS SAFETY
4-17. Withers, R.M.J. and Lees, F.P. The Assessment of Major Hazards: The Lethal
Toxicity of Chlorine, Parts 1 and 2. Journal of Hazardous Materials, 12(3).
1985.
4-18. Lees, F.P. Loss Prevention in the Process Industries, Third Edition. Elsevier, Inc.
Oxford, UK. 2005.
4-19. CCPS. Guidelines for Safe Storage and Handling of High Toxic Hazard
Materials. Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, NY. 1988.
4-20. ANSI / API STD 521. Pressure-Relieving and Depressuring Systems, Fifth
Edition. American Petroleum Institute. Washington, D.C. 2007.
4-21. DOE. Protective Action Criteria (PAC) Values. Subcommittee on Consequence
Assessment and Protective Actions (SCAPA) of the Department of Energy
(DOE). www.atlintl.com/DOE/teels/teel.html
4-22. EPA. Acute Exposure Guideline Levels (AEGLs). Environmental Protection
Agency, www.epa.gov/oppt/aegl/index.htm
4-23. AIHA. Emergency Response Planning Guidelines and Workplace Environmental
Exposure Level Guides. American Industrial Hygiene Association. Fairfax, VA.
www.aiha.org
4-24. DOE. Temporary Emergency Exposure Limit (TEEL) Data Sets. Department of
Energy Office of Emergency Management.
http://orise.orau.gov/emi/scapa/chem-pacs-teels/default.htm
4-25. NIOSH. Publication No. 94-116: NIOSH Pocket Guide to Chemical Hazards. US
Department of Health and Human Services. Washington, D.C. 1994.
4-26. Baldini. R., Komosinsky, P. Consequence Analysis of Toxic Substance Clouds.
New Jersey Department of Environmental Protection. Trenton, NJ. 1988.
4-27. EPA. RMP Offsite Consequence Analysis Guidance. Environmental Protection
Agency. Washington, D.C. 1996.
4-28. EPA. Accidental Release Prevention Requirements: Risk Management Programs
Under Clean Air Act Section 112(r)(7). 40 CFR Part 68, U.S. Environmental
Protection Agency, June 20, 1996 Fed. Reg. Vol. 61[31667-31730].
www.epa.gov
4-29. HSE. Health and Safety Executive, UK. http://www.hse.gov.uk/hid/haztox.htm
(referenced March, 2010)
4-30. Attwood, D.A., Deeb, J.M., and Danz-Reece, M.E. Ergonomic Solutions for the
Process Industries. Elsevier, Inc. Oxford, UK. 2004.
4-31. U.S. Department of Defense Explosive Safety Board. Technical Paper 14. 2009.
4-32. Baker, W.E., Cox, P.A., Westine, P.S., Kulesz, J.J., and Strehlow, R.A.
Explosion Hazards and Evaluation. Elsevier. New York, NY. 1983.
4-33. API. Tool for Incorporating Human Factors during Process Hazard Analysis
(PHA) Reviews of Plant Design. American Petroleum Institute. Washington,
D.C. 2004.
4-34. CCPS. Guidelines for Risk Based Process Safety. Center for Chemical Process
Safety of the American Institute of Chemical Engineers. New York, NY. 2007.
4-35. CCPS. Guidelines for Evaluating Process Plant Buildings for External
Explosions and Fires. Center for Chemical Process Safety. New York, NY.
1996.
4-36. CCPS. Guidelines for Developing Quantitative Safety Risk Criteria. Center for
Chemical Process Safety of the American Institute of Chemical Engineers. New
York, NY. 2009.
4-37. Vinnem, J.E. Offshore Risk Assessment: Principles, Modeling and Applications
of QRA Studies. Kluwer Academic Publishers Group. Dordrecht, The
Netherlands. 1999.
5 GENERAL DESIGN
This chapter provides design considerations for general design issues. Chapter 6
provides design considerations for specific pieces of equipment. Chapter 7 provides
design information on protection layers used to prevent and mitigate incidents.
5.1.1 Inherent
Inherently safer design solutions eliminate or mitigate the hazard by using materials and
process conditions that are less hazardous. For additional information on the concept of
inherently safer chemical processes, see Section 5.2.
Examples of inherently safer solutions include:
• Substituting water for a flammable solvent
• Reducing or eliminating inventories of hazardous intermediates
Continuous metal equipment, such as a steel pipe, is inherently bonded and once it is
grounded permanently (such as via multiple steel pilings anchoring the equipment)
requires minimal maintenance of ground connections. This is an inherently safer design
than one incorporating rubber boots, swivel joints, or other potential breaks in electrical
continuity that would require external bond connections and associated maintenance.
A vessel designed to contain the maximum pressure predicted due to any credible
upset, such as an internal explosion, is inherently safer than one designed to mitigate the
event via other protective means.
In both the above examples, the systems described are inherently safer than some
alternative design options. However, they would be better described as passive systems
rather than inherently safer. As discussed, true inherently safer designs reduce the hazard
by using materials or process conditions that are less hazardous. In the examples, higher
levels of inherent safety might be provided by designing the process to eliminate
flammable atmospheres that require bonding or equipment reinforcement.
Frequently, both active and procedural design solutions are used to complement
each other. For example, in a tank truck bonding procedure, an "active" ground
indicating device could be installed to show the presence of a positive ground
connection. In such a case, it would still be necessary to ensure that the system is not
defeated by simple neglect of an alarm or even bypassing of the indicating device. A
ground indicating device might additionally be interlocked with a pump to prevent
operator error. For a flame arrester, a complementing procedural system might be
monitoring the pressure drop periodically and performing maintenance when a specific
differential has been reached (Ref. 5-1).
5. GENERAL DESIGN 125
5.1.2 Passive
Passive design solutions do not require any device to sense and / or actively respond to a
process variable and have very reliable mechanical design. Examples of passive design
solutions include:
• Using incompatible hose couplings, non-splash filling using permanently
installed dip pipes, permanent grounding, and bonding via continuous metal
equipment and pipe rather than with removable cables
• Containing hazardous inventories with a dike that has a bottom sloped to a
remote impounding area, which is designed to minimize surface area
Passive designs may be complemented by procedural or active systems, especially
where transient conditions are routinely experienced. As an example, a passive system
might comprise a permanent dip pipe going to the bottom of a flammable liquid storage
tank to avoid splash filling.
Other examples of passive safeguards include:
• Spacing
• Bollards for collision protection
While passive designs typically require less ongoing maintenance than active
systems, maintenance is still critical for them to function as intended. For example, a
remote impound area to capture a hazardous spill will not be effective if the impound
area is allowed to fill with rainwater or breached due to poor maintenance practices.
5.1.3 Active
Active design solutions require devices to monitor a process variable and function to
mitigate a hazard.
Frequently active solutions involve a considerable maintenance and procedural
component and are therefore typically less reliable than inherently safer or passive
solutions. To achieve necessary reliability, redundancy is often used to eliminate
conflict between production and safety requirements (such as having to shut down a unit
to maintain a relief valve).
Active solutions are sometimes referred to as engineering controls. Examples of
active solutions include:
• Using a pressure safety valve or rupture disk to prevent vessel overpressure
• Interlocking a high level sensing device to a vessel inlet valve and pump motor
to prevent liquid overfill of the vessel
• Installing a deluge system
Active solutions include pressure relief valves, deflagration vents, explosion
suppression systems, fast-acting valves, check valves, and regulators. All these devices
require maintenance, operate by responding to a process variable, or both.
5.1.4 Procedural
Procedural design solutions require human intervention to avoid a hazard. This would
include following a standard operating procedure or responding to an indication of a
problem such as an alarm, an instrument reading, a noise, a leak, or a sampling result.
Since an individual is involved in performing the corrective action, consideration needs
to be given to human factors issues (Ref. 5-2), e.g., over-alarming, improper allocation
of tasks between machine and person, and inadequate support culture. Because of the
human factors involved, procedural solutions are generally the least reliable of the four
categories.
Procedural solutions are sometimes referred to as administrative controls. Examples
of procedural solutions include:
• Following standard operating procedures to keep process operations within
established equipment mechanical design limits.
• Completing checklists with sign-offs for certain operations
• Manually closing a feed isolation valve in response to a high level alarm to
avoid tank overfilling.
• Executing preventive maintenance procedures to prevent equipment failures.
• Manually attaching bonding and grounding systems.
Figure (bar chart, rendered here as text): Initial Capital, ranging from Higher to Lower, for Inherently Safer, Passive, Active and Procedural solutions; a second panel with the same four categories, whose title was lost in extraction.
Buncefield gasoline terminal (Ref. 5-4) in the UK resulted in a major fire and explosion
because the level alarm on a gasoline storage tank was inoperative.
In the second case, a poorly planned safeguard can create hazards. An example is a
Safety Instrumented System (SIS) installed to stop the flow to a process vessel to prevent
overfilling. When the SIS actuates an isolation valve, the pump providing feed to the
vessel could deadhead, resulting in seal failure and loss of containment. To avoid this
situation, the SIS should have activated shutdown of the feed pump or an automatic
spillback (recycle) could be provided on the pump to satisfy minimum flow
requirements. In the Buncefield incident (Ref. 5-4), the fire water pump was suspected
as being the source of ignition for the explosion and resulting fire.
Inherently safer design should be an essential aspect of any process safety program.
If hazards can be eliminated or reduced, extensive layers of protection to control those
hazards may not be required or may be less robust. However, inherently safer concepts
are not the only process risk management strategy available and may not always be the
most effective. A system of strategies that includes both inherently safer design and
additional layers of protection may be needed to reduce risks to an acceptable level.
An inherently safer process can offer greater safety potential, often at a lower cost.
However, selection of an inherently safer approach does not guarantee that the actual
implementation of those approaches will result in a safer operation than an alternate
process that is safer due to multiple layers of protection. The traditional strategy of
providing layers of protection for a hazardous process can be quite effective, although
the expenditure of resources to install and maintain the layers of protection may be very
large. In some cases, benefits of the inherently more hazardous technology will be
sufficient to justify the costs needed to provide the layers of protection required to reduce
its risk to a tolerable level.
Approaches to the design of inherently safer processes and plants have been grouped
into four major strategies (Ref. 5-6):
Minimize: Reduce quantities of hazardous substances
Substitute: Replace a material with a less hazardous substance
Moderate: Use less hazardous conditions, a less hazardous form of a material, or facilities that minimize the impact of a release of hazardous material or energy
Simplify: Design facilities which eliminate unnecessary complexity and make operating errors less likely and which are forgiving of errors that are made
These four strategies form a protocol by which the risks associated with loss of
containment of hazardous materials or energy can be significantly reduced and in some
cases eliminated. The elimination of risk due to loss of containment is very difficult, if
not impossible to achieve using other risk reduction measures, i.e., active or passive
safeguards. These measures, while effective if installed and maintained properly,
generally reduce the likelihood of release and sometimes will mitigate the consequences
of a release. However, they cannot reduce the risk to zero. Kletz's statement "What you
don't have can't leak" embodies the ultimate goal of inherently safer strategies and
describes the elimination of the risk of hazardous materials releases. However, while
they are highly effective techniques, it is usually not possible to eliminate all
process-related risks since the properties that make a material hazardous are often the
same properties that make it useful.
5.2.1 Minimize
In the context of inherently safer, minimize means to reduce the quantity of material or
energy contained in a manufacturing process or plant. Process minimization is often
thought of as resulting from the application of innovative new technology to a chemical
process, for example, tubular reactors with static mixing elements, centrifugal distillation
techniques, or innovative, high surface area heat exchangers. These types of
minimization strategies are also discussed in this section. However, much can be
5.2.2 Substitute
In the context of inherently safer, substitution means the replacement of a hazardous
material or process with an alternative that reduces or eliminates the hazard. Process
designers, line managers, and plant technical staff should continually inquire if less
hazardous alternatives can be effectively substituted for all hazardous materials used in a
manufacturing process. However, the substitution concept of inherent safety is best
applied during the initial design of a process. Substituting raw materials and
intermediates after the process has been built, while possible in some cases, is usually
very difficult.
Examples of substitution in two categories - reaction chemistry and solvent usage -
are discussed below. However, there are many other areas where opportunities to
substitute less hazardous materials can be found, including materials of construction,
heat transfer media, insulation, and shipping containers.
Basic process chemistry that uses less hazardous materials and chemical reactions
offers significant potential for improving inherent safety in the chemical / processing
industry. Alternate chemistry may use less hazardous raw materials or intermediates or
result in reduced inventories of hazardous materials (minimization) or less severe
processing conditions (moderation). Identifying catalysts that can enhance reaction
selectivity or allow desired reactions to be carried out at a lower temperature or pressure
is often the key to developing inherently safer chemical synthesis routes.
Replacement of volatile organic solvents with aqueous systems or less hazardous
organic materials improves the safety of many processing operations and final products.
In evaluating the hazards of a solvent, or any other process chemical, it is essential to
consider the properties of the material at the processing conditions. For example, a
combustible solvent is a major fire hazard if handled above its flash point or boiling
point.
5.2.3 Moderate
In the context of inherent safety, moderate means using materials under less hazardous
conditions. Moderation of conditions can be accomplished by strategies that are either
physical (e.g., lower temperatures, dilution) or chemical (e.g., development of a reaction
chemistry which operates at less severe conditions).
5.2.4 Dilution
Dilution reduces the hazards associated with the storage and use of a low boiling
hazardous material in two ways:
1. By reducing the storage pressure
2. By reducing the initial atmospheric concentration if a release occurs
Materials that boil below normal ambient temperature are often stored in pressurized
systems under their vapor pressure at the ambient temperature. The pressure in such a
storage system can be lowered by diluting the material with a higher boiling solvent.
This reduces the pressure imposed on the storage container, as well as the pressure
difference between the storage system and the outside environment, thereby reducing the
rate of release in case of a leak in the system. If there is a loss of containment incident,
the atmospheric concentration of the hazardous material at the spill location and the
downwind atmospheric concentration and hazard zone are reduced.
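The two dilution effects described above (lower storage pressure and a smaller pressure difference driving a leak) can be quantified for a binary mixture. This is an added example, not from the CCPS text, and it assumes an ideal solution so that Raoult's law applies, which the text does not state; the saturation pressures used are constructed illustration values rather than data for any real material.

```python
"""Storage pressure reduction by diluting a low-boiling material with a
higher-boiling solvent.

Added example, not from the CCPS guideline. Assumes an ideal liquid
solution (Raoult's law); the saturation pressures passed in by the caller
are constructed illustration values.
"""

P_ATM_KPA = 101.325  # ambient pressure outside the storage system


def mixture_pressure(x_hazard, psat_hazard_kpa, psat_solvent_kpa):
    """Total vapor pressure of a binary ideal solution (Raoult's law).

    x_hazard is the liquid mole fraction of the low-boiling hazardous
    component; the remainder (1 - x_hazard) is the higher-boiling solvent.
    """
    if not 0.0 <= x_hazard <= 1.0:
        raise ValueError("mole fraction must lie between 0 and 1")
    if psat_hazard_kpa <= 0.0 or psat_solvent_kpa <= 0.0:
        raise ValueError("saturation pressures must be positive")
    return x_hazard * psat_hazard_kpa + (1.0 - x_hazard) * psat_solvent_kpa


def vapor_mole_fraction(x_hazard, psat_hazard_kpa, psat_solvent_kpa):
    """Mole fraction of the hazardous component in the equilibrium vapor.

    Shows the caveat of dilution: the vapor stays rich in the volatile
    component even though the total pressure drops.
    """
    p_total = mixture_pressure(x_hazard, psat_hazard_kpa, psat_solvent_kpa)
    return x_hazard * psat_hazard_kpa / p_total


def driving_force_ratio(x_hazard, psat_hazard_kpa, psat_solvent_kpa):
    """(P_storage - P_atm) for the diluted mixture relative to the pure material.

    A simple proxy for the reduction in leak driving force; clipped at zero
    when dilution brings the storage pressure below ambient.
    """
    if psat_hazard_kpa <= P_ATM_KPA:
        raise ValueError("pure material is not stored above ambient pressure")
    pure = psat_hazard_kpa - P_ATM_KPA
    diluted = mixture_pressure(x_hazard, psat_hazard_kpa, psat_solvent_kpa) - P_ATM_KPA
    return max(0.0, diluted / pure)


if __name__ == "__main__":
    # Constructed values: a material with 800 kPa vapor pressure at ambient
    # temperature diluted with a solvent at 5 kPa.
    for x in (1.0, 0.75, 0.5, 0.25):
        print(f"x={x:.2f}: P={mixture_pressure(x, 800.0, 5.0):7.1f} kPa, "
              f"y_hazard={vapor_mole_fraction(x, 800.0, 5.0):.4f}, "
              f"driving force={driving_force_ratio(x, 800.0, 5.0):.2f} of pure")
```

The vapor_mole_fraction result is the practical caveat: halving the liquid mole fraction roughly halves the storage pressure, but the vapor that escapes is still almost entirely the hazardous component, so the benefit is in release rate and initial concentration, not in the identity of what is released.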
5.2.5 Simplify
In the context of inherently safer, simplify means designing the process to eliminate
unnecessary complexity, thereby reducing the opportunities for error and misoperation.
A simpler process is generally safer and more cost-effective than a complex one. For
example, it is often cheaper to spend a relatively small amount of money to build a
higher pressure reactor, rather than spend a large amount of money for an elaborate
system to collect and treat the discharge from the emergency relief system of a reactor
designed for a lower maximum pressure. Inherently Safer Chemical Processes, A Life
Cycle Approach (Ref. 5-6) offered a few reasons why process designs are unnecessarily
complex:
• The Need to Control Hazards - Instead of avoiding hazard using inherently
safer design principles, most designers choose to control them actively using
controls, alarms, and safety instrumented systems.
• The Desire for Technical Elegance - To some designers, simple equates to
crude or primitive, whereas, if carefully designed, a simple process can achieve
what it needs to do without excess equipment. A simple process design that
contains only the essential elements to safely carry out its intended task(s) is
actually more elegant than a complicated process that does the same thing.
• The Failure to Conduct Hazard Analyses Until Late in the Design - PHAs and
similar studies performed late in the design usually result in more active
controls and equipment rather than more inherently safer solutions.
• Following Standards and Specifications That Are No Longer Appropriate or
Not Completely Applicable - Active solutions to potential hazards that are
sometimes contained in design / engineering standards and specifications can
accumulate in a design and create an over-complicated process.
Safety Instrumented System (SIS) may be required to rapidly shut down or otherwise
place the process in a safe state if the BPCS fails to maintain safe operating conditions
(Ref. 5-8). A BPCS may not be adequate as the sole source of a process safety
shutdown. Many of the following guidance items related to the design, operation, and
testing of BPCSs are not inherently safer technology in a strict sense, because they relate
to active safeguards. However, much of this guidance can also be considered part of the
inherently safer strategy to simplify systems.
alternatives should be displayed. The navigation of digital BPCSs should be intuitive and
user friendly, particularly with respect to alarm screens.
Alarm priority assignment is determined according to how fast an operator should
respond to a situation. The most important alarms, at any given time, should be obvious
to the operator. Alarms are typically prioritized considering the following two factors:
1. Severity of the Consequences - The expected outcome that the operator can
prevent by taking the corrective action associated with the alarm.
2. Time Available - Compared with the time required for the corrective action to
be performed and its desired effect.
Alarm prioritization makes it easier for the operator to identify important alarms
when a number of them occur together. Alarms can be prioritized as:
• Critical - Operator action is required to avoid a serious incident (e.g., safety and
environmental impact; or may be initiated by a safety shutdown system).
• High - Timely operator action required (e.g., to avoid severe equipment damage
or unit shutdown).
• Medium - Operator action required (e.g., to avoid off-spec product and
equipment level management).
• Low - Operator action required, but unit is still in steady state operation.
Figure (operating envelope diagram, rendered here as text): Normal Operating Zone, bounded by the Maximum Normal Operating Limit, above which lies the Troubleshooting Zone.
substantial difference in results. Space does not permit complete discussion of this
subject here; however, additional information can be found in CCPS, Guidelines for Fire
Protection in Chemical, Petrochemical, and Hydrocarbon Processing Facilities (Ref. 5-19).
In addition to radiant heat exposure, other factors which should be considered in
determining separation distances and plant layout include topography, prevailing winds
for normal and accidental vapor / gas releases, liquid drainage paths for accidental liquid
spills, location of fire protection equipment, and accessibility for emergency vehicles.
Specifically for toxics, dispersion modeling can be used to assist in the location of
buildings and the need for shelter-in-place (Ref. 5-20).
• Fully understand the internal process, the exterior environment, and failure
modes
• Select materials for the intended application
• Apply proper fabrication techniques and controls
• Follow good maintenance, inspection, and repair techniques
Corrosion refers to the degradation or breakdown of materials due to chemical
attack. Corrosion is one of the most important process factors in material selection and
yet the most difficult to predict. In general, equipment service life can be predicted from
well-established general corrosion data for specific materials in specific environments.
However, localized corrosion is unpredictable, difficult to detect, and can greatly reduce
service life. Even more insidious are subsurface corrosion phenomena. API RP 571
Damage Mechanisms Affecting Fixed Equipment in the Refinery Industry provides a
detailed discussion on corrosion mechanisms (Ref. 5-23).
Both the external (ambient) and internal (process) conditions in contact with
materials need to be examined. The external environment, that is, the ambient conditions
in the plant, may be corrosive. Atmospheric pollutants include corrosive species as well
as those which may have adverse catalytic effects upon other pollutants (e.g., coal dust).
Contaminants in soil or groundwater as well as naturally occurring variations in
groundwater composition and pH should be considered for equipment or pipelines in
contact with the ground.
The internal environment is defined by the process, its chemistry, and its conditions.
The process engineer should provide the materials engineer with sufficient information
about the process, ambient conditions and utilities, for startup and shutdown as well as
routine operations, to ensure adequate selection, especially for corrosive service.
Preliminary materials selection is usually based on process conditions, such as:
• Process chemicals, including the major and minor constituents of each process
stream, trace contaminants, pH, and oxidizing or reducing agents and water
content. For example, styrene will leach copper, and thus materials in contact
with styrene are generally specified to not contain copper. Additionally,
chlorine can lead to stress corrosion cracking in stainless steel.
• Operating conditions, including temperature, pressure, velocity, and solids
content.
• Process variations, including operational excursions in process chemistry,
temperature, or pressure; excursions associated with startup or shutdown
conditions. The order in which the conditions occur can be important (Ref. 5-24),
e.g., purging / cleaning with steam may constitute a temperature excursion.
• Contaminants in feedstock, process intermediate, product, or utility.
Contaminants introduced by small or midsized internal leaks in heat exchanger
tubes or other internals. Impact of contaminants on gaskets and packing and
seals.
• Catalysts. Metal ions in the material may affect either the chemistry of the
process itself or the product quality. For example, nickel is known to catalyze
many synthesis reactions and its inclusion can result in unwanted side reactions.
• Utilities, including trace elements in cooling water, hydrotest water, steam, etc.
5.8 CORROSION
Corrosion is chemical attack on a metal. Corrosion may occur at a uniform, predictable
rate or it may be localized, on the surface or as a subsurface phenomenon. The following
discussion of corrosion, although normally thought of in terms of the internal, i.e.,
process environment, also applies to external surfaces of equipment and piping.
brackish water, and chlorinated city water have chlorides and, in most cases, are not
compatible with stainless steel.
5.8.2.3 Pitting
Pitting results from electrochemical potential set-up by differences in oxygen
concentration inside and outside the pit (Ref. 5-26). Pitting is also used as a generic term
to refer to other types of localized corrosion.
Because of its localized and deeply penetrating nature, pitting is one of the more
damaging types of corrosion in the process industry. Pits can extend through the
material within a short period of time. Pitting is difficult to detect by online monitoring
or field testing. Addition of corrosion inhibitors (e.g., oxygen scavengers) can prevent
this type of corrosion. Pitting often occurs or is accelerated when vessels / piping are
opened for inspection or other reasons.
processes are discussed in API RP 941, Steels for Hydrogen Service at Elevated
Temperatures and Pressures in Petroleum Refineries and Petrochemical Plants (Ref. 5-27),
commonly known as the "Nelson curves."
Hydrogen sulfide (H2S) in refinery operations significantly increases corrosion in
carbon steel. Guidance on materials for use in H2S service can be found in NACE
MR0175/ISO 15156, Petroleum and Natural Gas Industries - Materials for Use in H2S-
Containing Environments in Oil and Gas Production (Ref. 5-28), and NACE MR0103-2007,
Materials Resistant to Sulfide Stress Cracking in Corrosive Petroleum Refining
Environments (Ref. 5-29).
5.8.4 Erosion
Erosion is a mechanical effect and therefore not technically within the scope of this
section, but it is a significant factor in material selection. Erosion is wearing away of a
material by mechanical energy that can lead to loss of containment. Erosion occurs by
impingement of solid particles or liquid drops on a surface. Erosion is seen very
frequently in high velocity slurry and pneumatic solids transport services, but it can also
occur in more common scenarios, such as particles in steam, bubbles in a liquid, or
where restrictions in flow exist.
Erosion can typically be found at inlet and outlet nozzles, on internal piping, on grid
or tray sections, on vessel walls opposite inlet nozzles, on internal support beams, on
piping elbows, and on impingement baffles. Impingement protection, smoother
curvature, and higher corrosion allowances are generally used to combat erosion.
Materials selected for equipment construction should consider the potential for erosion
from the process stream based on the highest anticipated process stream velocity. Higher
velocities will accelerate erosion rates. Harder faced materials are more resistant to
erosion. Erosion can also result from cavitation in a flowing fluid, usually in or
downstream of throttling service. Erosion may remove the protective passive layer,
resulting in accelerated corrosion.
5.9.1.3 Foundations
Foundations should be designed to transmit all loads and forces from the equipment or
structures to the soils or rock beneath the foundations. Loads should be calculated using
actual density of liquids and solids used in the process if heavier than water. Seismic
and explosion or blast loads also should be considered. Foundation design of facilities
related to the containment of hazardous material should address internal and external
pressures, equipment loads, dynamic forces from vibrating equipment, and hydraulic
uplift pressure from groundwater.
The geotechnical report will specify flood design considerations, such as reduced
lateral pressure factor or lower shear resistance for foundation designs. For any large-
volume underground chambers, such as buried drainage lines, below-grade storage tanks,
or "basement" levels used for maintenance or storage, flotation should be considered in
the design to assure anchorage. Similarly, open concrete pits or reservoirs have to be
designed with this problem in mind. An American Petroleum Institute (API) separator or
other concrete chamber, even a manhole, should be investigated to ensure that the weight
of the item, plus its normally expected contents, will not float out of the ground or
otherwise be dislodged from its designed location due to hydrostatic buoyancy forces.
Foundation design is determined by bearing pressure geotechnical investigation and
testing. In situ pile testing (test piles) should include not only bearing tests but uplift
resistance tests as well.
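The flotation check called for above, as an added example that is not from the CCPS text: it compares the resisting weight of a buried chamber (structure plus contents) with the hydrostatic uplift at a given groundwater depth, and repeats the check with the chamber empty, since a drained chamber is the lightest case. The chamber geometry, masses, groundwater depths and the 1.1 minimum safety factor are constructed assumptions.

```python
"""Hydrostatic flotation (uplift) check for a buried chamber.

Added example; not code from the CCPS guidelines. The chamber geometry,
masses and the minimum factor of safety are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

WATER_DENSITY_KG_M3 = 1000.0  # fresh groundwater (assumption; brackish water is denser)
G_M_S2 = 9.81


@dataclass(frozen=True)
class BuriedChamber:
    """Rectangular chamber; external dimensions in metres, depths below grade."""
    length_m: float
    width_m: float
    height_m: float
    top_depth_m: float         # depth of the chamber roof below grade
    structure_mass_kg: float   # dead weight of the concrete shell
    normal_contents_kg: float  # normally expected contents (liquid, equipment)

    @property
    def bottom_depth_m(self) -> float:
        return self.top_depth_m + self.height_m

    def submerged_volume_m3(self, groundwater_depth_m: float) -> float:
        """External volume below the water table (water table given as depth below grade)."""
        submerged_height = min(self.height_m,
                               max(0.0, self.bottom_depth_m - groundwater_depth_m))
        return self.length_m * self.width_m * submerged_height


def buoyant_force_n(chamber: BuriedChamber, groundwater_depth_m: float) -> float:
    """Archimedes: weight of the groundwater displaced by the submerged part of the chamber."""
    return WATER_DENSITY_KG_M3 * G_M_S2 * chamber.submerged_volume_m3(groundwater_depth_m)


def flotation_safety_factor(chamber: BuriedChamber, groundwater_depth_m: float,
                            contents_kg: Optional[float] = None) -> float:
    """Resisting weight divided by buoyant uplift; inf when the water table is below the base."""
    contents = chamber.normal_contents_kg if contents_kg is None else contents_kg
    uplift = buoyant_force_n(chamber, groundwater_depth_m)
    if uplift == 0.0:
        return float("inf")
    return (chamber.structure_mass_kg + contents) * G_M_S2 / uplift


def flotation_check(chamber: BuriedChamber, groundwater_depth_m: float,
                    min_safety_factor: float = 1.1) -> dict:
    """Run the uplift check for the normal-contents and the empty (drained) condition.

    The empty case governs: the chamber is lightest when drained for maintenance.
    """
    results = {}
    for label, contents in (("normal_contents", chamber.normal_contents_kg), ("empty", 0.0)):
        sf = flotation_safety_factor(chamber, groundwater_depth_m, contents_kg=contents)
        results[label] = {"safety_factor": sf, "passes": sf >= min_safety_factor}
    return results


# Constructed example: 6 m x 3 m x 3 m concrete sump with its roof 0.5 m below grade.
EXAMPLE_CHAMBER = BuriedChamber(length_m=6.0, width_m=3.0, height_m=3.0, top_depth_m=0.5,
                                structure_mass_kg=55_000.0, normal_contents_kg=25_000.0)

if __name__ == "__main__":
    for gw in (1.5, 0.0):  # normal water table, then water table at grade (flood condition)
        print(f"groundwater {gw} m below grade:", flotation_check(EXAMPLE_CHAMBER, gw))
```

With the water table at grade the filled chamber still passes but the drained chamber does not, which is the case the flood design considerations in the geotechnical report are meant to catch.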
Good engineering practice or regulatory criteria may require that foundation designs
for vessels containing hazardous materials also provide for containment and detection of
leaks. For example, a ring foundation may not be appropriate for a tank storing
hazardous material because it provides an undetected path for leaks to migrate to
groundwater. For corrosive fluids, the design should include protection against seepage
of the fluid into soil areas around the foundation.
Similar to the impact of environmental contaminants on piping and equipment
selection, consideration should be given to selecting proper materials of construction for
foundations, dikes, and containment structures. For example, a bare concrete
containment dike or tank foundation can be rapidly degraded by even small leaks of
strong acids. Coatings, linings, or alternate materials of construction may be required to
ensure long-term integrity of foundation systems.
For older plants, it is not good practice to rely only on underground piping drawings. In
many instances these drawings contain significant errors and omissions.
Underground piping in process plants is generally utility piping, including services
such as sewers and drains, city and service water, fire protection, and cooling water
supply and return. Electrical power lines and pressure piping also may be underground.
Special elements of design should be considered for safety, such as anchoring and thrust
blocks to prevent movement of pressured lines, use of cathodic protection to prevent
corrosion, and avoidance of process water tie-ins to fire water supply or sanitary water.
Points where lines either enter the ground or come out of the ground should be protected
from vehicular traffic.
Headers or mains for these services are normally located in open corridors outside
plant operational areas for maintenance and modification accessibility. Elevations of
lines containing liquids should be below any nearby underground electrical conduits.
Underground process drains should be evaluated for creation or transportation of
hazardous or flammable vapors. In normal operation, an open area above the fluid in the
drains allows vapors to migrate beyond the areas where they are generated. Such vapors
could enter an area where an open flame or electrical sparks could cause combustion.
Therefore, oily water sewer systems should be designed with P-traps, submerged outlets,
vent tubes, and vapor sealed manholes to prevent flammable vapors from migrating to
sources of combustion. Monitoring of the concentration of flammable materials may be
necessary.
In transporting hazardous liquids, particularly hazardous wastes, double-walled
piping has become the preferred or required method of transport, to prevent the release
of the transported materials to the environment. Double-walled piping is also used for
transporting highly toxic gases. Double-walled piping normally consists of an inner
pipe, an outer pipe, a spacer system which suspends the inner pipe within the outer, and a
leak detection system. This type of system is normally used where any release of the
material would create a major health hazard. In designing this system, certain elements
need to be addressed:
• Both pipe walls and the piping supports should be compatible with the material
being transported.
• The supports should be spaced so that the inner pipe will not sag, and
potentially rupture, between supports.
• For long pipe runs it may be desirable to zone the leak detection system to
pinpoint the location of the leak.
As with aboveground lines, thermal movement (growth or shrinkage) should be considered
in the design of underground lines. The lines generally run in trenches, with solid or
open grating covers, with expansion room at turns. If for some reason (generally, the
depth of the lines) it is not practical to trench, the lines should be sleeved, usually with
larger bore piping, to allow free movement during growth or shrinkage.
Insulation is also applied to protect workers from injury. Equipment and piping are
generally insulated for personnel protection when the exterior temperature exceeds
140°F (60°C).
5.10.1.4 Fabrication
Some insulation materials perform well thermally but are difficult to fabricate; they do
not form well to the substrate or to adjoining insulation sections, or they shrink after
application and leave gaps in the system. These gaps cause "hot spots" on the jacketing
surface or cold spots on hot process temperature systems. Poor insulation fit-up and the
resulting problems can be reduced if the chosen insulation material is fabricated to
standard dimensions and is tested for linear shrinkage and dimensional stability at the
conditions for which it is being specified. In addition, allowances should be made for
the differential expansion between the pipe and the insulation.
5.10.1.5 Durability
If the insulation does not hold up well in service, the thermal performance and ultimately
the safety of the whole system can be affected. Insulation which is crushed or torn may
allow a heat flow path or expose the equipment or piping surface to outside elements
such as fire, moisture, or corrosive atmospheres. For example, if insulation is damaged
on a high temperature line where cabling or instrument tubing runs in close proximity,
the tubing could become overheated and fail. Also, insulation should not rip off when
hit by fire water.
ASTM C795 identifies requirements for insulation materials acceptable for use over
austenitic stainless steel including corrosion testing and chemical analysis (Ref. 5-37).
methods such as drains and vents to let moisture escape. Attachment of nozzles, clips,
and insulation should be designed to control moisture into and out of the insulation.
Certain designs contribute to especially corrosive situations. The location of vents
and drains, along with faulty sealing methods, allows water entry (and often retention).
Size reductions in towers create water trap potentials. Low temperature refrigerated
systems can condense and freeze atmospheric moisture resulting in ice buildup which,
once begun, further damages vapor barriers and insulation materials.
5.10.3.1.4 Climate
Proximity to airborne salt is a significant problem; plants on the sea coast are more prone
to problems. The facility itself may provide a source of moisture and contaminants (such
as cooling tower fall-out areas). Olefin plants with sub-ambient conditions can result in
condensation dripping which creates an unfavorable climate, especially when airborne
salts can be washed from adjacent equipment into insulation.
Most insulating materials contain or can absorb moisture in storage and installation.
If a tight, impermeable weather barrier is installed over such insulation and then placed
in hot service, the moisture should be allowed to evaporate through release vents.
Installing and maintaining flashing and caulking at structural or piping penetrations
of the insulation can prevent water ingress at these locations. The condition of the
insulation sealant can determine whether or not corrosion occurs under the insulation.
Hygroscopic insulation should be carefully maintained at joints. Although keeping water
out is effective in preventing corrosion, it is very difficult to do consistently.
Corrosion problems are most prevalent on insulated steel surfaces operating in the
temperature range of 140-250°F (60-121°C). For this service, external protective
coatings are especially important. Immersion grade epoxy-phenolics and amine-cured
coal tar epoxies are frequently used, depending on the operating temperature. Proper
preparation of the surface is critical in determining how well the protective coating
works.
For protecting insulated surfaces at 270-1,000°F (130-540°C), a NACE publication
(Ref. 5-39) describes coating systems and tapes which are chemically resistant to humid
environments containing chlorides and sulfides. Although corrosion may be reduced at
very low temperatures, it can be appreciable at intermediate temperatures in the range of
-50 to 35°F (-45 to 2°C). For these temperatures, NACE provides recommendations for
suitable coating materials as well as surface preparation and application methods
required for reliable performance.
Culture is a factor overriding all of these issues, as it defines the norms in which a
system operates, both socially and technically.
[Figure residue: "Hazard identification"; "Risk assessment"]
Simply put, human factors involves working to make the environment function in a
way that seems as natural as possible to people. The goal of human factors is to fit the
task and environment to the person, rather than forcing the person to significantly adapt
in order to perform the work. This reduces the potential for human error that can cause
or contribute to process safety and other types of incidents.
Human factors has its origins in the Industrial Revolution and emerged as a full-
fledged discipline during World War II when it was recognized that aircraft cockpit
designs needed to consider the human interface for controls and displays to ensure safety
and reliability of operations. Likewise, human factors has an essential role in the
application of inherently safer design. A system or procedure that is designed with
human factors as a core focus will be less prone to human error, resulting in reduced risk
of safety, process safety, or environment-related incidents.
The subject of human factors in the process industries is treated in depth in Human
Factors Methods for Improving Performance in the Process Industries (Ref. 5-40),
which includes approaches for implementation of such strategies in the designs of plants
and their management systems. A Human Factors Tool Kit is also provided.
Designing for human factors minimizes the potential for these types of errors and
improves the potential for identification and corrective action in order to minimize the
consequences of the error.
The guiding premises for making systems inherently safer against human error are:
• Humans and the systems designed and built by them are susceptible to error.
Human factors design reviews of new and existing facilities and modifications,
such as through process hazard analyses (PHAs) or separate human factors
evaluations, as well as reviews of human factors-related root causes or
contributing factors in incident investigations (particularly near-misses), can
help identify means to reduce the potential for human error.
• Existing facilities can contain many traps to cause human error. It is important
to identify these potential traps based on operator input, as they alone may be
aware of them. Input from both experienced and newer operators should be
sought because newer operators may be more aware of the traps that more
experienced operators have become used to and found ways to routinely avoid.
Elimination of such traps is inherently safer than training and expecting people
to avoid them. Input from operators and maintenance personnel can also be
valuable in identifying other human factors-related issues. Human factors
training often helps personnel identify issues that they may have previously
recognized but were unable to understand and express in terms of human
factors and the potential for error that could lead to adverse safety
consequences.
• Designers can provide systems to facilitate operator involvement in the process
and ensure an appropriate workload. In modern highly automated chemical
plants it is possible for the operators to become too removed from the process
such that, should an unexpected event occur, they do not have the knowledge to
respond appropriately. Operator workload also has a significant influence on
their reliability. Operators that are too busy or not busy enough have both been
shown to have an increased likelihood of error. Including operator involvement
and workload as parameters in the process design can reduce operator error and
facilitate better performance from the operators in responding to unplanned
events (Ref. 5-40).
CCPS (Ref. 5-40), Lorenzo (Ref. 5-42), and Attwood (Ref. 5-43) discuss human
error in detail.
The tools in Human Factors Methods for Improving Performance in the Process
Industries (Ref. 5-40) can be used in each stage of the chemical process life cycle to help
evaluate the tradeoffs involving human factors between various options. In many cases,
low cost options in design can make the operations inherently safer from a human factors
perspective.
Well-designed human systems can produce inherently safer plant designs and
operating procedures. Plants and processes that are designed and constructed with careful
attention to human factors are inherently safer than those that are not. If we understand
how humans work and how human errors occur, we can design better systems for
managing, supervising, designing, reviewing, training, auditing, and monitoring. Human
factors consideration is an integral part of an inherent safety effort in a company.
[Figure: human factors review points across a project, shown as boxes: Safety, Health and Environmental Review; QA/QC Planning Review; HAZOP/P&ID Review; Human Factors Review; Post Project Review; Human Factors Skills Training]
A primary consideration for a new design is to site the most vulnerable or important
locations where they are hardest for adversaries to reach.
Facility management should assess its unique security needs and establish an
appropriate level of security protection service.
5.13 REFERENCES
5-1. API RP 2003. Protection Against Ignitions Arising out of Static, Lightning, and
Stray Currents, Seventh Edition. American Petroleum Institute. Washington,
D.C. 2008.
5-2. CCPS. Guidelines for Preventing Human Error in Process Safety, Center for
Chemical Process Safety of the American Institute of Chemical Engineers.
New York, NY. 1994.
5-3. EPA. Risk Management Program (RMP). 40 CFR 68. U.S. Environmental
Protection Agency. Washington, D.C. 1996.
5-4. MIIB. The Buncefield Incident, 11 December 2005. The final report of the
Major Incident Investigation Board. 2008.
http://www.buncefieldinvestigation.gov.uk/reports/
5-5. CCPS. Final Report: Definition for Inherently Safer Technology in Production,
Transportation, Storage, and Use. Center for Chemical Process Safety of the
American Institute of Chemical Engineers. New York, NY. 2010.
5-6. CCPS. Inherently Safer Chemical Processes, A Life Cycle Approach. Center
for Chemical Process Safety of the American Institute of Chemical Engineers.
New York, NY. 2009.
5-7. CCPS. Guidelines for Safe Automation of Chemical Processes. Center for
Chemical Process Safety of the American Institute of Chemical Engineers.
New York, NY. 1993.
5-8. CCPS. Guidelines for Safe and Reliable Instrumented Protective Systems.
Center for Chemical Process Safety of the American Institute of Chemical
Engineers. New York, NY. 2007.
5-9. ANSI / ISA 18.2-2009, Management of Alarm Systems for the Process
Industries. International Society of Automation, Research Triangle Park, NC.
2009.
5-10. Sanders, R. Chemical Process Safety: Learning from Case Histories, 3rd
Edition. Elsevier. Oxford, UK. 2005.
5-11. CCPS. Guidelines for Independent Protection Layers and Initiating Events.
Center for Chemical Process Safety of the American Institute of Chemical
Engineers. New York, NY. 2011.
5-12. ISA 84.91.01. Identification and Mechanical Integrity of Instrumented Safety
Functions in the Process Industry. International Society of Automation,
Research Triangle Park, NC. 2011.
5-13. ANSI / ISA 84.00.01-2004 (IEC 61511 modified). Functional Safety: Safety
Instrumented Systems for the Process Industry Sector. International Society of
Automation, Research Triangle Park, NC. 2004.
5-14. ISA TR84.00.04. Guidelines on the Implementation of ANSI/ISA 84.00.01-2004
(IEC 61511 Modified). International Society of Automation, Research Triangle
Park, NC. 2006.
6
EQUIPMENT DESIGN
The design solutions presented in the tables in this chapter are established and offer well
proven approaches for mitigating the failure scenarios. However, a potential design
solution is false protection if it is not reliably engineered and maintained. Active
solutions in particular may need redundancy (i.e., dual sensors, separation of control and
interlock functions) to provide the required level of reliability and risk reduction. True
redundancy must include the absence of common mode failures by providing
independence and functional diversity (e.g., independent power supplies, sensors
operating on different principles). The advantage of a risk based approach to design
selection is that it provides the means for determining how much redundancy is enough.
The design should also take into account the need for periodic inspection and proof
testing of systems. For example, Pressure Safety Valves (PSVs) may need testing at
intervals that are shorter than scheduled plant turnarounds. A good engineering design
solution is the installation of dual PSVs to allow testing at prescribed intervals without
interfering with production.
Safety design solutions can contribute to hazards if not properly maintained. While
system maintenance is not specifically addressed, this book assumes the safety
equipment will be subjected to a maintenance and inspection program once installed.
Material of construction should be specified and selected to minimize corrosion, because
external visual inspection would be difficult and interior visual inspection would be
expensive and would increase downtime.
The importance of a documented Design Engineering Package cannot be
emphasized enough. This documentation is not only critical during the design phase, but
is essential for operations and maintenance throughout the life cycle of the facility.
Design Engineering packages are further discussed in Chapter 8, Documentation.
It should also be recognized that the failure scenarios presented in the tables focus
on process-related hazards rather than maintenance-initiated incidents. It is further
assumed that the facility has adequate safe work practices, which encompass hot work
permits, confined space entry, ignition control, lockout / tagout, etc.
Information on equipment failure scenarios and associated design solutions is
introduced in table format. The organization of the tables is the same in each section.
The table headings are described below.
• Events - Specific failure mechanism / cause (e.g., control system failure).
• Consequence - Potential outcome if the cause were to occur and no intervention
happens. In many cases, loss of containment is the final consequence.
In addition to providing the required degree of reliability for any one failure
scenario, multiple safeguards may be the optimum approach to process deviations caused
by very different failure scenarios. The LOPA analysis is one technique that determines
if sufficient layers of protection are available. The LOPA analysis is discussed further in
Chapter 4.
6.1 VESSELS
This section presents potential failure mechanisms for vessels and suggests design
alternatives for reducing the risks associated with such failures. The types of vessels
covered in this section include:
• In-process vessels (surge drums, accumulators, separators, etc.)
• Pressurized tanks (spheres, bullets)
• Atmospheric, fixed roof storage tanks (cone / dome roof)
• Atmospheric storage tanks (cone, cone with internal floating roof, floating roof
tanks)
Reactors and mass transfer equipment are a unique subset of vessels, in that they are
specifically intended to process chemical reactions. Because reactors have unique failure
scenarios specifically attributable to the reaction (e.g., reactant accumulation), Section
6.2 is devoted to this class of equipment. However, many of the generic vessel failure
modes discussed in this section, such as corrosion-related failures or auto-
polymerization, may also apply to reactors.
Flame arresters are often implicated in vessel incidents, not because they are
ineffective, but because they are misapplied or improperly maintained. Flame arresters
that are not routinely inspected can become plugged (e.g., condensation / corrosion by
stored fluids, foreign debris). Eventually, the protected vessel can be subjected to
overpressure or vacuum conditions if the vessel is not protected by a relief device (Ref.
6-2).
Table 6.1 Common Failure Scenarios and Design Solutions for Vessels
(Columns: No. | Event | Consequence | Potential Design Solutions: Inherently Safer / Passive | Active | Procedural)

Pressure

Generally Applicable - High Pressure (Applicable to all high pressure scenarios)
    Inherently safer / passive: Vessel designed for maximum utility pressure, supply pressure, upstream pressure
    Active: Pressure relief device; BPCS control loop to vent pressure to safe location; High pressure interlocked to isolate source; Interlock to isolate vessel inlet or trip feed pump on high pressure
    Procedural: Operator response to high pressure alarm

Generally Applicable - Low Pressure (Applicable to all low pressure scenarios)
    Inherently safer / passive: Vessel designed for maximum vacuum (full vacuum rating)
    Active: Vacuum relief system; Automatic blanketing pressure control to minimize vacuum; Low pressure interlocked to isolate vessel
    Procedural: Operator response to low pressure alarm
Table 6.1 Common Failure Scenarios and Design Solutions for Vessels (continued)

2  Flammable atmosphere in vessel vapor space
    Consequence: Potential ignition in vapor space resulting in fire / explosion
    Inherently safer / passive: Floating-roof tank instead of fixed roof (see procedural); Ignition source controls (e.g., lightning protection, permanent grounding / bonding, non-splash filling including dip pipe, fill line flow restriction, or bottom inlet); Vessel designed for deflagration pressure
    Active: Explosion venting (e.g., frangible roof for fixed-roof tank); Vapor space combustible concentration control; Vapor space inerting; Emergency purge and / or isolation activated by detection of flammable atmosphere
    Procedural: Oxygen analyzer with alarm; Written procedures and training for no transfers during electrical storms; Written procedures and training to feed empty tanks at low rate until fill line submerged, avoiding splash filling

3  Inadequate or obstructed vent path
    Consequence: Potential increased pressure
    Inherently safer / passive: Outlet block valve minimization; Outlet sized to eliminate or reduce likelihood of plugging; Vent screen to avoid entrance of foreign objects
    Active: Heat tracing of vent to avoid condensation and solidification
    Procedural: Written procedures and training for securing valves open via seals or locks; Written procedures and training to periodically examine vent opening for obstructions; Written procedures and training to verify open vent path before initiating fill operation
Table 6.1 Common Failure Scenarios and Design Solutions for Vessels (continued)
    Procedural (continuation of a preceding row whose other columns are not on this page): Operator response to low pressure alarm

Flow

    Procedural (continuation of an adjacent row whose other columns are not on this page): Written procedures and training to monitor filling rate and prevent excessive fill rate

10  Excessive fill rate
    Consequence: Potential increased level and pressure in vessel
    Inherently safer / passive: Flow restriction orifice in fill line; Grounding and bonding on vessel and transfer lines; Non-static producing material
    Active: Pressure controllers with alarms and interlocks
    Procedural: Written procedures and training to feed empty tanks at low rate until fill line submerged, avoiding splash filling
Table 6.1 Common Failure Scenarios and Design Solutions for Vessels (continued)

13  Electrostatic spark discharge during charging of liquids
    Consequence: Potential fire / explosion
    Inherently safer / passive: Dip leg to minimize static accumulation; Ground and bonding on vessel; Non-static producing material; Bottom filling of vessel
    Active: Automatic inerting of vessel prior to addition
    Procedural: Written procedures and training for manual grounding and bonding of container to vessel; Written procedures and training for manual inerting of vessel prior to liquid addition; Written procedures and training to avoid use of non-conductive containers

Temperature

Generally Applicable - High Temperature (Applicable to all high temperature scenarios)
    Inherently safer / passive: Vessel designed for maximum expected temperature
    Active: High temperature alarm and interlock that isolates the heating medium
    Procedural: Operator response to high temperature alarm

Generally Applicable - Low Temperature (Applicable to all low temperature scenarios)
    Inherently safer / passive: Vessel designed for minimum expected temperature
    Active: Low temperature alarm and interlock
    Procedural: Operator response to low temperature alarm
Table 6.1 Common Failure Scenarios and Design Solutions for Vessels (continued)

15  Insulation fires
    Consequence: Potential increased temperature and pressure in vessel
    Inherently safer / passive: Closed cell insulation provided; Liquid tight seal provided where there is likelihood for liquid hydrocarbon soaking into the insulation; Relief valves sized for external fire scenario
    Active: Fixed water spray (deluge) and / or foam systems activated by flammable gas, flame, and / or smoke detection devices
    Procedural: Emergency response plan; Emergency response team; Written procedures and training for manual activation of fixed water spray (deluge) and / or foam systems
Table 6.1 Common Failure Scenarios and Design Solutions for Vessels (continued)

Level

Generally Applicable - High Level (Applicable to all high level scenarios)
    Inherently safer / passive: Diking or drainage to remote impounding; Overfill line to safe location
    Active: High level alarm and automatic feed cutoff / isolation
    Procedural: Operator response to high level alarm; Written procedures and training to monitor level during transfer; Written procedures and training to stop feed when level reaches a certain point; Written procedures and training to verify tank has sufficient free board prior to transfer

Generally Applicable - Low Level (Applicable to all low level scenarios)
    Inherently safer / passive: Gravity feed or run-dry type pump
    Active: Low level alarm with interlock to automatically shut down the transfer pump
    Procedural: Operator response to low level alarm

20  Low level (floating-roof tank)
    Consequence: Potential for floating roof sitting on its internal legs, possible ignition of flammable atmosphere in tank vapor space
    Inherently safer / passive: Underflow nozzle located to maintain a minimum liquid level in the tank
    Active: Electrical bonding of floating roof to tank
    Procedural: Written procedures and training to monitor tank level periodically
Table 6.1 Common Failure Scenarios and Design Solutions for Vessels (continued)

Equipment Failure

    Inherently safer / passive (continuation of a row whose other columns are not on this page): Corrosion-resistant secondary containment, including complete resistant foundation under tank as part of secondary containment
The fabrication techniques and inspections conducted during fabrication will greatly
influence the quality of the finished vessel. Faulty fabrication, for example, poor
welding, improper heat treatment, dimensions outside tolerances allowed, or improper
assembly, may cause problems to develop in pressure vessels. Vessel fabrication should
be independently verified to ensure the vessel is fabricated per the specification.
Mechanical forces can cause a vessel to fail unless adequate provision has been
made for such forces, e.g., thermal shock, cyclic temperature changes, vibration,
excessive pressure surges, thrust from relief devices, and other external loads.
Internal components such as baffles, agitators, and trays should be installed in such a
manner that liquid and vapors are not trapped, which might prevent them from being
drained or vented from the vessel. Although intermittent tack welding may provide
sufficient mechanical strength for baffles or tray support rings, complete fillet welds are
preferred so that crevices and pockets are not created that could produce hidden locations
for corrosion.
Agitators present a different set of challenges for pressure vessels. They not only
bring with them the usual hazards of leaking seals, vibration, and alignment, agitators
also apply additional loads beyond static and dynamic (torque) to the vessel head.
Normal torque loads are in the same plane as the nozzle face and determined from the
horsepower required for the agitator motor.
6.1.4 References
6-1. API STD 650. Welded Steel Tanks for Oil Storage, 11th Edition. American
Petroleum Institute. Washington, D.C. 2008.
6-2. CCPS. Deflagration and Detonation Flame Arresters, Center for Chemical
Process Safety of the American Institute of Chemical Engineers. New York,
New York. 2002.
6-3. API RP 941. Steels for Hydrogen Service at Elevated Temperatures and
Pressures in Petroleum Refineries and Petrochemical Plants, American
Petroleum Institute. Washington, D.C. 2008.
6-4. API STD 620. Design and Construction of Large, Welded, Low-Pressure
Storage Tanks, American Petroleum Institute. Washington, D.C. 2008.
6-5. API STD 2000. Venting Atmospheric and Low-pressure Storage Tanks, 6th
Edition, American Petroleum Institute. Washington, D.C. 2008.
6-6. NFPA 30. Flammable and Combustible Liquids Code, National Fire Protection
Association. Quincy, Massachusetts. 2008.
6-7. NFPA 58. Liquefied Petroleum Gas Code, 2008 Edition. National Fire
Protection Association. Quincy, Massachusetts. 2008.
API STD 2510. Design and Construction of Liquefied Petroleum Gas (LPG)
Installations. American Petroleum Institute. Washington, D.C.
ASME Code for Pressure Piping B31.3. Chemical Plant and Petroleum Refinery Piping.
American Society of Mechanical Engineers. New York, New York.
UL 58. Steel Underground Tanks for Flammable and Combustible Liquids.
Underwriters Laboratories. Camas, Washington.
UL 142. Steel Aboveground Tanks for Flammable and Combustible Liquids.
Underwriters Laboratories. Camas, Washington.
Myers, P. Above Ground Storage Tanks, McGraw-Hill. New York, New York. 1997.
6.2 REACTORS
This section presents potential failure mechanisms for reactors and suggests design
alternatives for reducing the risks associated with such failures. The types of reactors
covered in this section include:
• Batch reactors
• Semi-batch reactors
• Continuous-flow stirred tank reactors (CSTR)
• Plug flow tubular reactors (PFR)
• Packed-bed reactors (continuous)
• Packed-tube reactors (continuous)
• Fluid-bed reactors
This section presents only those failure modes that are unique to reaction systems.
A number of the generic failure scenarios pertaining to vessels and heat exchangers may
also be applicable to reactors. Consequently, this section should be used in conjunction
with Section 6.1, Vessels, and Section 6.4, Heat Transfer Equipment. Unless specifically
noted, the failure scenarios apply to more than one type of reactor.
Choosing a reactor design pressure high enough to contain the maximum pressure
resulting from a worst case runaway reaction eliminates the need to size the emergency
relief system for this scenario. It is essential that the reaction mechanisms,
thermodynamics, and kinetics under runaway conditions be thoroughly understood to be
confident that the design pressure is sufficiently high for all credible reaction scenarios.
All causes of a runaway reaction must be understood, and any side reactions,
decompositions, and shifts in reaction paths at the elevated temperatures and pressures
experienced under runaway reaction conditions must be evaluated. Many laboratory test
devices and procedures are available for evaluating the consequences of runaway
reactions (Refs. 6-8, 6-9, and 6-10).
and 28 members of the public who were working in surrounding businesses. Debris
from the reactor was found up to one mile away, and the explosion damaged buildings
within one quarter mile of the facility.
The facility was producing its 175th batch of Methylcyclopentadienyl Manganese
Tricarbonyl (MCMT). The process operator had an outside operator call the owners to
report a cooling problem and request they return to the site. Upon their return, one of the
two owners went to the control room to assist. A few minutes later, the reactor burst and
its contents exploded, killing the owner and process operator who were in the control
room and two outside operators who were exiting the reactor area.
A loss of sufficient cooling during the process likely resulted in the runaway
reaction, leading to an uncontrollable pressure and temperature rise in the reactor. The
pressure burst the reactor; the reactor's contents ignited, creating an explosion equivalent
to 1,400 pounds of TNT.
Lessons learned include the failure to recognize the runaway reaction hazard associated with
the MCMT being produced. Additionally, the cooling system employed was
susceptible to single-point failures due to a lack of design redundancy, and the MCMT
reactor relief system was incapable of relieving the pressure from a runaway reaction.
to be 446°F (230°C), but possibly as low as 365°F (185°C)]. The reaction was carried
out under vacuum, and the reactor was heated by steam in an external jacket, supplied by
exhaust steam from a turbine at 374°F (190°C) and a pressure of 174 psig (12 bar
gauge). The turbine was on reduced load, as various other plants were also shutting
down for the weekend (as required by Italian law), and the temperature of the steam rose
to about 572°F (300°C). There was a temperature gradient through the walls of the
reactor [572°F (300°C) on the outside and 320°F (160°C) on the inside] below the liquid
level because the temperature of the liquid in the reactor could not exceed its boiling
point. Above the liquid level, the walls were at a temperature of 572°F (300°C)
throughout.
When the steam was shut off and, 15 minutes later, the agitator was switched off,
heat transferred from the hot wall above the liquid level to the top part of the liquid,
which became hot enough for a runaway reaction to start. This resulted in a release of
TCDD (dioxin), which killed a number of nearby animals, caused dermatitis (chloracne)
in about 250 people, damaged vegetation near the site, and required the evacuation of
about 600 people (Ref. 6-11).
The lesson learned from this incident is that provision should have been made to
limit the vessel wall temperature from reaching the known onset temperature at which a
runaway reaction could occur. Additionally, transient conditions such as startup and
shutdown should be considered adequately in the design.
Table 6.2 Common Failure Scenarios and Design Solutions for Reactors
Runaway Reactions
1. Overcharge of catalyst (batch, semi-batch, and plug flow reactors)
   Consequence: Potential runaway reaction
   Design solutions:
   • Dedicated catalyst charge tank sized to hold only the amount of catalyst needed
   • Reactor type selected that is less sensitive to catalyst change issues
   • Quantity of catalyst added limited by flow totalizer
   • High level interlock / permissive to limit quantity of catalyst
   • Written procedures and training regarding the amount or concentration of catalyst to be added (might consider one person to stage the required catalyst amount and a second person to add the required amount, serving as a double check on type and quantity)
   • Uninterrupted power supply backup to motor
188 GUIDELINES FOR ENGINEERING DESIGN FOR PROCESS SAFETY
12. Hot spot develops in catalyst (continuous packed bed or packed tube reactors)
   Consequence: Potential runaway reaction
   Design solutions:
   • Alternative reactor design (e.g., fluid bed)
   • Flow distribution trays provided to minimize channeling
   • Multiple small diameter beds to reduce maldistribution
   • Reactor head space volume minimized to reduce residence time (partial oxidation reactors) and mitigate autoignition
   • Automatic switch to diluent
   • Written procedures and training for monitoring of exterior wall temperature with infrared optical detection system or other detection method
   • Written procedures and training for packing tubes to ensure uniformity of catalyst filling
6. EQUIPMENT DESIGN 189
14. Insufficient residence time
   Consequence: Potential incomplete reaction, leading to unexpected reaction in subsequent processing steps (in reactor or downstream vessel)
   Design solutions:
   • Flow limiting orifice on feed lines
   • Mechanically limit maximum flow capability of feed pumps
   • Automatic feed isolation based on continuous online reactor composition monitoring
   • Written procedures and training for manual feed isolation based on continuous online reactor composition monitoring
   • Written procedures and training for sampling before manual transfer of material
6.2.3.3 Addition
All flammable liquids should be charged into a reactor via dip legs or elbows which
cause the liquid to run down the reactor wall to minimize static electricity accumulation.
Where the addition rate of a reactant or catalyst could result in a runaway reaction if
added too quickly, a restriction orifice should be installed in the feed line to limit the
flow rate. Where overcharging (adding too great a quantity) of a reactant or catalyst can
cause a runaway reaction, the use of a gravity flow head tank sized to hold only the
quantity needed should be considered.
Where solids have to be added to a batch reactor containing flammable or toxic
liquids, they should be charged by means of a rotary valve, lock-hopper, or screw feeder
so that the operator will not have to open the reactor and be exposed to hazardous
conditions or chemicals. The hopper or screw feeder may also be inerted to provide an
additional protection layer. There should be instruments and procedures to assure that
the solids are being fed as intended. In addition, special attention should be given to
methods of safely unplugging valves and lines.
6.2.3.4 Agitation
A runaway reaction could occur due to unrecognized cessation of agitation (the shaft is
still rotating although the impeller has fallen off or corroded out, or the circulation pump
providing agitation has stopped, failed, or encounters a blockage in the discharge
piping). To prevent this, a malfunction detector could be installed in the reactor in the
vicinity of the impeller. The malfunction detector should have an alarm and be
interlocked to stop feed of reactants or catalysts. Back-up power supply should be
supplied to the agitator motor for critical reactions, such as polymerization reactions.
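The feed-stop logic described here, combined with the flow-totalizer and high-level limits on catalyst from Table 6.2, scenario 1, as an added Python illustration (not code from the book or CCPS); sensor names, set points and sample values are constructed:

```python
"""Reactor feed interlock logic (added illustration, not code from the CCPS text).

Combines two safeguards from Section 6.2: the agitation malfunction detector near
the impeller that alarms and stops reactant/catalyst feed (6.2.3.4), and the flow
totalizer / high level permissive limiting catalyst quantity (Table 6.2, scenario 1).
Sensor names, set points and sample values are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed set points for a hypothetical batch reactor.
MIN_SHAFT_RPM = 30.0        # below this the motor/shaft itself is considered stopped
MIN_CIRC_FLOW_KG_S = 0.5    # minimum circulation pump flow when a pump provides agitation
CATALYST_LIMIT_KG = 12.0    # recipe maximum catalyst per batch


@dataclass
class Sensors:
    shaft_rpm: float            # agitator motor shaft speed (can read normal with impeller gone)
    impeller_motion: bool       # malfunction detector in the vicinity of the impeller
    circ_pump_flow: float       # circulation pump discharge flow, kg/s (0.0 if none fitted)
    catalyst_totalized: float   # kg of catalyst added this batch, from the flow totalizer
    charge_tank_high: bool      # high level switch on the dedicated catalyst charge tank


@dataclass
class Verdict:
    feed_permitted: bool
    alarms: List[str] = field(default_factory=list)


def evaluate(s: Sensors, uses_circ_pump: bool) -> Verdict:
    """Return whether reactant/catalyst feed may run, with the alarms raised."""
    alarms: List[str] = []
    # Agitation: the impeller-area detector is the deciding signal. Shaft speed alone
    # cannot see an impeller that has fallen off or corroded away, so a healthy shaft
    # reading combined with no impeller motion is flagged explicitly.
    if not s.impeller_motion:
        alarms.append("AGITATION LOST: no motion detected at impeller")
        if s.shaft_rpm >= MIN_SHAFT_RPM:
            alarms.append("SHAFT TURNING WITHOUT IMPELLER MOTION: suspect impeller failure")
    if uses_circ_pump and s.circ_pump_flow < MIN_CIRC_FLOW_KG_S:
        alarms.append("CIRCULATION LOST: pump stopped or discharge blocked")
    # Catalyst quantity: totalizer and high level permissive act independently of the
    # operator, so an overcharge is caught even if the manual double check fails.
    if s.catalyst_totalized >= CATALYST_LIMIT_KG:
        alarms.append("CATALYST LIMIT REACHED: totalizer at recipe maximum")
    if s.charge_tank_high:
        alarms.append("CHARGE TANK HIGH LEVEL: more catalyst staged than recipe allows")
    return Verdict(feed_permitted=not alarms, alarms=alarms)


class FeedInterlock:
    """Latching feed trip: once tripped, feed stays blocked until an operator reset is
    attempted while every condition is healthy (behaviour constructed for the example)."""

    def __init__(self, uses_circ_pump: bool) -> None:
        self.uses_circ_pump = uses_circ_pump
        self.tripped = False
        self.active_alarms: List[str] = []

    def update(self, s: Sensors) -> bool:
        """Feed a sensor snapshot; return True if feed is currently permitted."""
        verdict = evaluate(s, self.uses_circ_pump)
        self.active_alarms = verdict.alarms
        if not verdict.feed_permitted:
            self.tripped = True
        return not self.tripped

    def reset(self) -> bool:
        """Operator reset; refused while any alarm condition is still present."""
        if self.active_alarms:
            return False
        self.tripped = False
        return True


if __name__ == "__main__":
    # Constructed scan sequence: healthy, then the impeller drops off while the shaft
    # keeps turning, then conditions recover and the operator resets.
    interlock = FeedInterlock(uses_circ_pump=True)
    scans = [
        Sensors(120.0, True, 1.2, 5.0, False),
        Sensors(120.0, False, 1.2, 5.5, False),
        Sensors(120.0, True, 1.2, 5.5, False),
    ]
    for scan in scans:
        print("feed permitted:", interlock.update(scan), interlock.active_alarms)
    print("reset accepted:", interlock.reset())
```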
6.2.4 References
6-8. CCPS. Guidelines for Chemical Reactivity Evaluation and Application to
Process Design. Center for Chemical Process Safety of the American Institute
of Chemical Engineers. New York, New York. 1995.
6-9. CCPS. Guidelines for Process Safety Fundamentals in General Plant
Operations, Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, New York. 1995.
6-10. CCPS, Guidelines for Pressure Relief and Effluent Handling Systems, 2nd
Edition The American Institute of Chemical Engineers, New York, New York.
2011.
6-11. Kletz, T.A. What Went Wrong: Case Histories of Process Plant Disasters, 3rd
Edition. Gulf Publishing Company. Houston, Texas. 1994.
6-12. NFPA 69. Standard on Explosion Prevention Systems, National Fire Protection
Association. Quincy, Massachusetts. 2008.
• Stripping
• Washing
This section presents only those failure modes unique to mass transfer equipment.
Many of the generic failure modes presented in Section 6.1 may also apply to vessels
used for mass transfer. Mass transfer equipment failure may also result from
disturbances in heat transfer processes in associated ancillary equipment. Refer to
Section 6.4, Heat Transfer Equipment, for failures associated with heat transfer
equipment. Unless specifically noted, the failure scenarios apply to more than one class
of mass transfer equipment.
Lessons learned include the use of emergency isolation in the event of a fire and the
need for measuring and alarming the temperature in the bed.
Table 6.3 Common Failure Scenarios and Design Solutions for Mass Transfer Equipment
Pressure
Generally Applicable - High Pressure (Applicable to all high pressure scenarios)
   Design solutions:
   • Vessel designed for maximum expected pressure
   • Emergency relief device
   • Automatic shutdown of heat input
   • Operator response to differential pressure indication
   • Operator response to high pressure alarm
Generally Applicable - Low Pressure (Applicable to all low pressure scenarios)
   Design solutions:
   • Vessel designed for maximum vacuum
   • Vacuum relief system
   • Automatic isolation and purge of equipment with inert gas on loss of vacuum
   • Operator response to low pressure alarm
   • Written procedures and training for manual addition of vacuum breaking gas
4. Air leakage into equipment operating under vacuum
   Consequence: Potential overpressure, potential fire
   Design solutions:
   • Oxygen analyzer with automatic activation of inert gas addition on detection of high oxygen concentration
   • Oxygen analyzer with alarm and manual activation of inert gas addition on detection of high oxygen concentration
Flow
6. Poor vapor flow distribution through adsorbers
   Consequence: Potential for hot spots
   Design solutions:
   • Adsorber cross-sectional area minimized
   • Vessel distributors designed to avoid regions of flow maldistribution in the bed
   • Continuous monitoring of bed temperatures or by-products at certain locations and interlock shutdown and/or inerting/flooding on high temperature
   • Written procedures and training to monitor bed temperature / by-products and take appropriate action (e.g., inerting/flooding)
   • High / low flow limits to set the bounds of good distribution as calculated in the design
Temperature
Generally Applicable - High Temperature (Applicable to all high temperature scenarios)
   Design solutions:
   • Vessel designed for maximum expected temperature
   • Interlock to isolate feed on detection of high bed temperature
   • Written procedures and training for reinstating process flow after regeneration and cooling
Level
Generally Applicable - High Level (Applicable to all high level scenarios)
   Design solutions:
   • High reliability level device
   • Interlock to isolate feed on detection of high level
   • Operator response to high level alarms
Generally Applicable - Low Level (Applicable to all low level scenarios)
   Design solutions:
   • High reliability level device
   • Interlock to shutdown withdrawal on detection of low level
   • Operator response to low level alarms
10. Interfacial level control failure (extractor)
   Consequence: Potential carryover of unwanted material to downstream equipment; potential to exceed design pressure rating, potential loss of containment
   Design solutions:
   • Interface level controlled with overflow leg or weir
   • Downstream equipment designed for maximum pressure
   • High / low interfacial level alarm with shutoff preventing further liquid withdrawal from vessel
   • Written procedures and training for manual vessel interfacial level control
Composition
11. Premature introduction of process stream containing air (adsorber)
   Consequence: Potential internal fire on packing
   Design solutions:
   • Adsorbent selected to minimize combustion potential
   • Oxygen analyzer with automatic activation of inert gas addition on detection of high oxygen concentration
   • Oxygen analyzer with alarm and manual activation of inert gas addition on detection of high oxygen concentration
Pressure relief devices should be located upstream of potential blockage points. For
example, the inlet to a Pressure Safety Valve (PSV) should be placed below the mist
eliminator in the top of a column if severe fouling of the mist eliminator is possible.
• Locating the vessel temperature probe on the bottom head to ensure accurate
measurement of temperatures, even at a low liquid level.
• Minimizing column internal inventory
6.3.3.1 Columns
Columns, like other pieces of equipment, are available in a variety of mechanical
designs. All of these various types are covered by the standard design codes, such as
ASME Section VIII, Rules for Construction of Pressure Vessels (Ref. 6-18).
Column inventory can be minimized by understanding the different types of internal
components that have differing operability flexibility and internal inventory. Choices for
internal components include:
• Trays (bubble cap, valve, sieve, reciprocating, baffles)
• Packed beds
Distillation columns often contain a large inventory of flammable liquids at elevated
pressure and temperature. Inventory reduction may be obtained by prudent reduction of
operating flexibility to obtain minimum holdup. Various tray designs and packing
options can affect holdup volumes and, of course, column efficiency. Improved feed
distribution, preheat, column pressure or multiple columns may be used to improve
efficiency. The turndown ratio must be considered, particularly for large columns that
may be on standby.
Minimizing column bottom inventories may make a column more sensitive to upsets
if the response time of the control instrumentation is not capable of making quick
adjustment. The same is true with the reflux inventory. For example, if a level
controller fails open, the designer should determine if there is adequate time for response
before the reflux pump runs dry. Operational problems include flooding, fouling,
excessive pressure drop, or inefficient liquid / vapor contact. There is a need to provide
pressure relief caused by loss of coolant, excessive heating in a reboiler, or fire. Design
of pressure relief systems should account for all cases determined to be credible for the
specific application under consideration.
Some chemicals are temperature sensitive and the bottom of the column should be
sized down to minimize residence time, e.g., butadiene, ethylene oxide, etc.
Internal supports should be designed to withstand deviations such as flooding or
pressure surge, a sudden collapse of packing, or tray failure. Process conditions may be
particularly severe in distillation columns. The materials of construction should be
thoroughly reviewed to understand any corrosion mechanisms that could occur in the
vapor or liquid phases and with the vaporization and condensation processes.
Adequate instrumentation should be provided for monitoring and controlling
pressure, temperature, level, and composition. The location of sensing elements in
relation to column internals must be considered so that they provide accurate and timely
information and are in direct contact with the process streams.
For vacuum towers, consideration should be given to installation of emergency
block valves in the vacuum line which would close at selected column pressure and the
purging of the column with nitrogen to break the vacuum. Another hazard associated
with loss of vacuum is a rapid increase in the column bottoms temperature which may
6.3.4 References
6-13. Jarvis, H.C. Butadiene Explosion at Texas City-2, Plant Safety & Loss
Prevention, Vol. 5. 1971.
6-14. Freeman, R.H. and McCready, M.P. Butadiene Explosion at Texas City-1, Plant
Safety & Loss Prevention, Vol. 5. 1971.
6-15. Keister, R.G., et al. Butadiene Explosion at Texas City-3, Plant Safety & Loss
Prevention, Vol.5. 1971.
6-16. Britton, L.G., Loss Case Histories in Pressurized Ethylene Systems. Process
Safety Progress, Vol. 13, No. 3. 1994
6-17. HSE. Carbon Bed Adsorbers - Fire and Explosion Hazards Report. DIN
SI5/62. Health and Safety Executive. UK. 2009.
www.hse.gov.uk/foi/internalops/hid/din/562.pdf
6-18. ASME. Boiler and Pressure Vessel Code, Section VIII, Division 1: Rules for
Construction of Pressure Vessels. American Society of Mechanical Engineers,
New York, NY. 2010.
source of the nitrogen was identified as Nitrogen Oxides (NOx) present in a feed stream
from a catalytic cracking unit. Operating upsets could have promoted unstable gums by
permitting higher than normal concentrations of 1,3-butadiene and 1,3-cyclopentadiene
to enter the cold box. To prevent NOx from entering the cold box, the feed stream from
the catalytic cracking unit was isolated from the ethylene plant.
These incidents demonstrate that a thorough understanding of the inherent hazards
of the process and a comprehensive consequence-of-deviation assessment are necessary
during the equipment design and hazard identification phases.
Table 6.4 Common Failure Scenarios and Design Solutions for Heat Transfer Equipment
Flow
Generally Applicable - More Flow (Applicable to all more flow scenarios)
   Design solutions:
   • Cold and hot side designed for maximum expected pressure
   • Operator response to high flow or high / low temperature alarms
   • Written procedures and training for manual isolation or bypassing of heating medium on indication of no flow on cold side
1. Control system failure, cold-side blocked in
   Consequence: Potential excessive heat input resulting in overpressure of cold side
   Design solutions:
   • Heat exchanger designed with an air pocket
   • Temperature of the heating medium limited
   • Pressure relief device
   • Written procedures and training to ensure heat exchangers are not blocked in
Temperature
   • High temperature indication with alarm and interlock which isolates the heating medium
Generally Applicable - Low Temperature (Applicable to all low temperature scenarios)
   Design solutions:
   • Mechanical design to accommodate minimum expected temperature
   • Interlock to isolate feed on detection of low temperature
   • Operator response to low temperature alarm
3. Differential thermal expansion / contraction (shell-and-tube exchanger)
   Consequence: Potential leak or rupture resulting in overpressure of the low pressure side
   Design solutions:
   • Shell expansion joint, internal floating head or U tubes
   • Alternative exchanger design other than shell and tube (e.g., spiral, plate, and frame)
   • Alternative flow arrangement to avoid thermal stress
   • Automatic control of introduction of process fluids on startup and shutdown
   • Written procedures and training for control of introduction of process fluids on startup and shutdown to reduce cycling
   • Written procedures and training for periodic inspection / analysis of low pressure fluid for high pressure fluid leakage
4. Sudden ambient temperature drop (air-cooled exchanger)
   Consequence: Potential excessive heat transfer rate resulting in freezing of material
   Design solutions:
   • Different type of exchanger selected to minimize or eliminate consequences of freezing
   • Automatic air inlet temperature control via air pre-heating with steam or air recirculation
   • Air flow control (e.g., variable pitch / speed fans)
   • Written procedures and training for monitoring and manual adjustment of air inlet temperature
Level
Generally Applicable - Low Level (Reboilers) (Applicable to all low level scenarios)
   Design solutions:
   • Interlock to shut down heat source on detection of low level
   • Operator response to low level alarm
   • Demister installed in kettle vaporizer
Equipment Failure
   • Mechanical design to accommodate maximum expected temperature and pressure of a possible exothermic reaction
8. Tube leak / rupture (shell-and-tube exchanger)
   Consequence: Potential leak or rupture resulting in overpressure of the low pressure side
   Design solutions:
   • Seamless versus seam-welded tubes
   • Alternative exchanger design other than shell and tube (e.g., spiral, plate, and frame)
   • Pressure relief device
   • Written procedures and training for periodic inspection / analysis of low pressure fluid for high pressure fluid leakage
9. Fouling, accumulation of non-condensables
   Consequence: Potential loss of heat transfer
   Design solutions:
   • Additional surface area in air cooler to transfer heat via natural convection
   • Continuous open venting of non-condensables
   • Exchanger designed for suitable velocity to minimize fouling
   • Heat exchanger design less prone to fouling (e.g., direct contact)
   • Automatic tempering of cooling medium temperature to avoid low tube wall temperature resulting in solids deposition
   • Automatic venting of non-condensables
   • Written procedures and training for manual adjustment of cooling medium tempering
   • Written procedures and training for periodic exchanger cleaning
   • Written procedures and training for manual isolation of input flow on detection of high vent temperature
11. Fan blade failure (air-cooled exchanger)
   Consequence: Potential vibration resulting in tube rupture due to impact
   Design solutions:
   • Design of passively cooled system
   • Machine guarding
   • Vibration monitoring with automatic fan shutdown
   • Written procedures and training for manual fan shutdown on indication of excessive vibration
12. Misalignment or entrance of foreign objects (scraped surface)
   Consequence: Potential for scraper punctures heat transfer surface resulting in equipment damage
   Design solutions:
   • Screens at entrance of heat exchanger to remove foreign objects
   • Automatic shutdown of motor on high amperage or power
   • Written procedures and training for manual shutdown of motor on high amperage or power
result in very large heat input when exposed to an external fire. Indeed, it may not be
practical to install a relief device sized for an external fire case due to large relief area
requirements. Other mitigation measures, such as siting outside the potential fire zone or
diking with sloped drainage, may be used to reduce the likelihood and magnitude of
external fire impinging on the heat exchanger. Alternative heat exchanger designs may
also be used to reduce the surface area presented to an external fire.
• Tube pitch and spacing, flow distribution, fluid velocity, and ΔT should be
considered to prevent fouling.
• The bending of exchanger tubes to form U-bends introduces residual stresses in
the tube material which may make it more susceptible to stress corrosion
cracking. Stress relief of U-bend exchanger tubes depends on the alloy and
service conditions (temperature and constituents); in fact, stress relief may
introduce undesirable metallurgical effects.
• External stress corrosion cracking from chlorides in cooling water must be
addressed; for example, the designer may consider using alloys more resistant
to chloride attack.
• Selection, installation, and maintenance of insulation to avoid corrosion under
thermal insulation.
• Design to prevent ice plugging in cold condensers when inadvertent moisture
gets in the system or the system temperature control goes colder than intended.
The minimization strategy of inherent safety can be applied in some instances by
using several smaller exchangers rather than one large one. Besides the reduction in
hazardous material retained, more corrosion resistant materials can be used in the first
exchanger, which experiences the greatest temperature differential. This first exchanger
could either be a sacrificial type under continuous corrosion monitoring or be fabricated
from a more corrosion resistant alloy.
One safeguard strategy to protect leaking exchanger tubes that contaminate the
cooling water is to provide gas detectors or gas separators for the cooling water return.
In addition to analyzing the compounds exchanging heat, the designer should consider
the potential effects of inhibitors (or other water treatment chemicals) in the cooling
water or heat transfer fluid.
Another safeguard strategy may be to protect against leaking tubes by considering
potential interaction between the materials exchanging heat in the event of a leak. The
decision as to which is the high pressure side may depend on the potential reactions
between process chemicals and the heating medium. If a small amount of chemical "A"
introduced through a tube leak into large amounts of chemical "B" would not produce a
considerable reaction, then try to design the process so that "A" is slightly higher in
pressure than "B". If corrosion or tube failure then occurred, the only hazard would
be poor product quality and heat exchange. Other hazardous conditions may exist if
water can poison a catalyst or react with an acid.
Consideration must be given to possible tube rupture and an adequately sized relief
device must be provided.
6.5 DRYERS
This section presents potential failure mechanisms for dryers and drying systems and
suggests design alternatives for reducing the risks associated with such failures. The
types of equipment covered in this section include:
• Spray dryers
• Tray dryers
• Fluid-bed dryers
• Conveying (flash, mechanical, and pneumatic) dryers
• Rotary dryers
This section presents only those failure modes that are unique to dryers. Some of
the generic failure scenarios pertaining to vessels and heat transfer equipment may also
be applicable to dryers. Consequently, this section should be used in conjunction with
Section 6.1, Vessels and Section 6.4, Heat Transfer Equipment. Also, since drying
equipment is often associated with solid-fluid separators and solids handling and
processing equipment, refer to Section 6.7 for additional information. Unless
specifically noted, the failure scenarios apply to more than one class of dryers.
Table 6.5 Common Failure Scenarios and Design Solutions for Dryers
Pressure
Generally Applicable - High Pressure (Applicable to all high pressure scenarios)
   Design solutions:
   • Dryer designed to contain overpressure
   • Deflagration venting
   • Deflagration suppression system
   • Operator response to high pressure alarm
Generally Applicable - Low Pressure (Applicable to all low pressure scenarios)
   Design solutions:
   • Dryer designed for vacuum conditions
   • Operator response to low pressure alarm
Flow
Generally Applicable - More Flow (Applicable to all more flow scenarios)
   Design solutions:
   • Alternate type of dryer
   • Use of inert atmosphere
   • Ventilation system to keep flammable concentration below lower flammable limit
   • Automatic feed trip on loss of ventilation or high concentration of flammable vapor
   • Automatic isolation via quick closing valves of manifold duct system on detection of fire / flammable atmosphere in duct system
   • Automatic shutdown of conveyor on high speed indication
   • Automatic sprinkler system / CO2 total flooding system
   • Operator response to high flow alarm
   • Written procedures and training for manual activation of fire protection / inerting system
   • Written procedures and training for manual bonding and grounding
   • Written procedures and training for manual isolation of feed on loss of ventilation
2. Inadequate ventilation due to obstructions or closed dampers
   Consequence: Potential flammable atmosphere with subsequent ignition resulting in fire / explosion
   Design solutions:
   • Design dampers so that system will handle the minimum safe ventilation rate at maximum damper throttling
   • Provide damper mechanical position stop to prevent complete closure of damper
   • Limit switch on damper interlocked to introduce inerting gas
   • Note: manual isolation using quick closing valves is not practical in this application
   • Use continuous or semi-continuous dryer design
7. Manifolding of ventilation exhaust ducts from one of several dryers
   Consequence: Spread of fire or deflagration from one location to the next
   Design solutions:
   • Use dedicated exhaust ducts
   • Design dryer and ductwork to contain overpressure where practical
   • Vent individual dryers through conservation vents to prevent back flow
   • Install flame arresters in dryer vents
   • Operator action to isolate various ducts on detection of fire / flammable atmosphere
8. Low feed rate to dryer
   Consequence: Potential increased temperature of material in the dryer, possible fire / explosion
   Design solutions:
   • Use of heating medium which automatically limits the temperature to which the feed is exposed
   • Automatic control of heat input to dryer based on feed flow rate
   • High temperature alarms and shutdown systems
   • Automatic control of feed rate
   • Written procedures and training for manual control of feed rate
   • Operator response to high temperature indication
Temperature
Generally Applicable - High Temperature (Applicable to all high temperature scenarios)
   Design solutions:
   • Dryer designed for high temperature
   • Dryer designed to contain overpressure
   • Permanent bonding and grounding
   • Eliminate flammables
   • Eliminate ignition sources within the ductwork
   • Automatic feed trip on loss of ventilation or high concentration of flammable vapor
   • Automatic isolation of associated equipment via quick-closing valves for feed or product discharge
   • Automatic isolation via quick-closing valves of manifold duct system on detection of fire / flammable atmosphere in duct system
   • Automatic shutdown of conveyor on high speed indication
   • Automatic sprinkler system / CO2 total flooding system
   • Ventilation system to keep flammable concentration below lower flammable limit
   • Written procedures and training for manual activation of fire protection / inerting system
   • Written procedures and training for manual bonding and grounding
   • Written procedures and training for manual isolation using quick-closing valves (normally not practical)
   • Online flammable gas detection and manual activation of CO2 total flooding system
11. High surface temperature in dryers and ductwork
   Consequence: Potential ignition of surrounding combustibles (including fugitive emissions from the dryer) resulting in fire / explosion
   Design solutions:
   • Insulation of external dryer surfaces to reduce surface temperature to a safe limit
   • Limit temperature of the dryer to below the safe temperature limit of surrounding materials
   • Maintain proper clearances between hot surfaces and combustible materials
   • Fines removal from exit gas (bag filters)
   • Written procedures and training for good housekeeping
12. Heat generated from mechanical input (i.e., plugging of rotary feeders, paddle dryers, screw conveyors)
   Consequence: Potential fire / explosion
   Design solutions:
   • Use dryer component types which minimize mechanical heat input
   • Use non-flammable / high flash point lubricants
   • Provide torque limiting devices (i.e., shear pins) for mechanical components
   • Operator response to high and low torque alarms for mechanical devices
   • Written procedures and training to monitor temperature and take action on high temperature alarm
Table 6.6 Common Failure Scenarios and Design Solutions for Fluid Transfer Equipment
(Columns: Scenario No.; Failure Scenario; Potential Consequences; Potential Design Solutions: Inherently Safer / Passive, Active, Procedural)

Pressure

Generally Applicable - Low Pressure (applicable to all low pressure scenarios)
    Inherently safer / passive: NPSH maximized; supply tank elevated
    Active: Low pressure shutdown interlock
    Procedural: Operator response to low pressure alarm

Flow

Scenario 6. Speed control system failure (compressor)
    Potential consequences: Potential for compressor rotor overspeed resulting in equipment damage
    Inherently safer / passive: Solid versus built-up compressor
    Active: High speed alarm and overspeed shutdown system

Scenario 7. Liquid carryover to compressor
    Potential consequences: Potential for compressor damage
    Inherently safer / passive: Liquid-tolerant design (e.g., liquid ring compressor)
    Active: Heat tracing between the KO drum and the compressor; online vibration monitoring with automatic shutdown
    Procedural: Operator response to high level alarm in the compressor KO drum

Temperature

Generally Applicable - Low Temperature (applicable to all low temperature scenarios)
    Inherently safer / passive: Choice of materials and design to minimum temperature conditions
    Active: Low temperature shutdown interlock
    Procedural: Operator response to low temperature alarm

Composition

(rows partially extracted; procedural column only)
    Procedural: Written procedures and training for manual cleaning of strainer / filter
    Procedural: Written procedures and training for periodic inspection of shaft seals

Equipment Failure

(row partially extracted; procedural column only)
    Procedural: Written procedures and training for manual pressure control which limits rate of oxygen infiltration or negative pressure

Scenario 14. Loss of seal flush on pump
    Potential consequences: Potential loss of containment
    Inherently safer / passive: Pumps that do not require seal flush
    Active: Interlock to shut down pump on loss of seal flush; localized fire protection
    Procedural: Written procedures and training for manual shutdown of pump on loss of seal flush

Scenario 15. Loss of oil mist on pump seal
    Potential consequences: Potential loss of containment
    Inherently safer / passive: Pump seals that do not require oil mist
    Active: Interlock to shut down pump on loss of oil mist; localized fire protection
    Procedural: Written procedures and training for manual shutdown of pump on loss of oil mist
6.6.2.4 Seal Leaks (Scenarios 11, 13, 14, 15, and 16)
Seal leaks are a major source of concern, especially when handling toxic or flammable
materials. Centrifugal pumps with double mechanical seals, diaphragm pumps, and
various types of sealless pumps may be used for highly hazardous duty. See Grossel
(Ref. 6-28) for more details.
High temperatures decrease lubricity, resulting in increased friction and heat buildup
that can promote abnormal wear of the seal face. Temperatures can be decreased by
providing a seal flush system which provides filtered and cooled fluid. The pump
operating characteristics should be checked to make sure that the appropriate type of
lubrication is being used.
Operating pumps in parallel may cause deadheading of one pump, reverse flow
scenarios, or thrust bearing failure. If pumps are operated in parallel, then consideration
should be given to flow control valves on the discharge of each pump.
Compatibility of the seal fluid with the process fluid should be established.
Depending on the seal system used (tandem or double) leakage can occur into the seal
fluid or into the process.
Excessive face pressure, either hydraulic or installation imposed, can reduce face
lubrication, increase frictional heat buildup, and cause face distortion. Pressure surges
and hydraulic shock created by automatic valving can also reduce seal life; therefore,
carefully consider system hydraulics. Acid conditions can form acidic metal salts, which
can be abrasive to seal faces. A seal flush system should be provided.
Erosion by abrasive particles in the system can contribute to seal failure, particularly
particles under 200 mesh size, such as thermal decomposition products in heat transfer
fluids. Pump suction strainers may protect the pump from solids debris in the fluid and
are used especially during startup and commissioning. However, suction strainers
increase overall pressure drop and can reduce NPSH available at the pump inlet. If not
carefully evaluated, this pressure drop can cause cavitation that may damage pump
internals or reduce pump capacity. Cavitation can cause pressure variation, shaft
deflection, vibration, or mechanical shock that will damage seal components. Cavitation
problems usually can be avoided by proper system design, especially Net Positive
Suction Head (NPSH), and by avoiding entrained gases.
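The strainer pressure-drop problem described above can be quantified before a pump is ordered. The following Python is an added worked example, not from this book or from any pump vendor; it applies the standard NPSH-available relation (surface pressure minus vapor pressure, converted to head, plus static elevation, minus suction friction and strainer losses) and compares the result with the pump's required NPSH. The fluid properties, elevations, strainer pressure drop and the 1 m design allowance are constructed placeholders.

```python
"""Added worked example (not from the CCPS text): NPSH margin check for a
pump suction line that includes a suction strainer.

It applies the standard relation
    NPSHa = (P_surface - P_vapor) / (rho * g) + z_static - h_friction
with the strainer's pressure drop converted to head and added to the
friction term, then compares NPSHa with the pump's required NPSH.  All
numbers below are constructed for illustration, not vendor data.
"""
from dataclasses import dataclass

G = 9.80665  # standard gravity, m/s^2


@dataclass(frozen=True)
class SuctionCase:
    p_surface_pa: float      # absolute pressure on the liquid surface in the supply tank
    p_vapor_pa: float        # vapor pressure of the liquid at pumping temperature
    density_kg_m3: float
    z_static_m: float        # liquid surface above pump centreline (negative if below)
    h_pipe_loss_m: float     # friction loss in the suction piping, as head of liquid
    strainer_dp_pa: float    # pressure drop across the suction strainer (0 if none)
    npsh_required_m: float   # NPSHr read from the pump curve at the operating flow


def head_m(pressure_pa: float, density_kg_m3: float) -> float:
    """Convert a pressure difference to head of the pumped liquid."""
    return pressure_pa / (density_kg_m3 * G)


def npsh_available_m(c: SuctionCase) -> float:
    """NPSH available at the pump inlet, including the strainer loss."""
    static_term = head_m(c.p_surface_pa - c.p_vapor_pa, c.density_kg_m3)
    strainer_loss_m = head_m(c.strainer_dp_pa, c.density_kg_m3)
    return static_term + c.z_static_m - c.h_pipe_loss_m - strainer_loss_m


def npsh_margin_m(c: SuctionCase) -> float:
    return npsh_available_m(c) - c.npsh_required_m


def assess(c: SuctionCase, min_margin_m: float = 1.0) -> str:
    """Classify the suction design.

    'cavitation_risk' when NPSHa < NPSHr, 'marginal' when the margin is
    below min_margin_m (an assumed design allowance), otherwise 'ok'.
    """
    margin = npsh_margin_m(c)
    if margin < 0.0:
        return "cavitation_risk"
    if margin < min_margin_m:
        return "marginal"
    return "ok"


# Constructed cases: water from an atmospheric tank, and a light hydrocarbon
# stored near its bubble point, where vapor pressure consumes most of the head.
WATER_FROM_ATMOSPHERIC_TANK = SuctionCase(
    p_surface_pa=101_325.0, p_vapor_pa=2_339.0, density_kg_m3=998.0,
    z_static_m=2.0, h_pipe_loss_m=0.5, strainer_dp_pa=0.0, npsh_required_m=3.0)

HYDROCARBON_NO_STRAINER = SuctionCase(
    p_surface_pa=101_325.0, p_vapor_pa=90_000.0, density_kg_m3=700.0,
    z_static_m=3.0, h_pipe_loss_m=0.3, strainer_dp_pa=0.0, npsh_required_m=3.0)

# Same service with a partly fouled suction strainer (assumed 0.15 bar drop).
HYDROCARBON_WITH_STRAINER = SuctionCase(
    p_surface_pa=101_325.0, p_vapor_pa=90_000.0, density_kg_m3=700.0,
    z_static_m=3.0, h_pipe_loss_m=0.3, strainer_dp_pa=15_000.0, npsh_required_m=3.0)


if __name__ == "__main__":
    for name, case in [("water", WATER_FROM_ATMOSPHERIC_TANK),
                       ("hydrocarbon, clean line", HYDROCARBON_NO_STRAINER),
                       ("hydrocarbon, fouled strainer", HYDROCARBON_WITH_STRAINER)]:
        print(f"{name:30s} NPSHa={npsh_available_m(case):6.2f} m "
              f"margin={npsh_margin_m(case):6.2f} m -> {assess(case)}")
```

The hydrocarbon case is the one the text warns about: the clean suction line has adequate margin, and the same line with a fouled strainer drops NPSHa below NPSHr, so the strainer's allowable pressure drop (clean and fouled) must be part of the NPSH calculation, not an afterthought.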
Sealless pumps, both canned-motor and magnetic-drive designs, avoid the seal
problem altogether. These types of pumps are driven by a magnetic coupling between
the pump and an external rotating motor. The magnets are attached to the pump shaft
and the motor shaft, with a non-magnetic shield between them. Magnetic-drive pumps
use permanent magnets; canned pumps use electromagnets. Virtually all pump
manufacturers now supply magnetic-drive pumps, both centrifugal and gear.
Canned and magnetic-drive pumps are not without their own safety considerations.
Most failures of sealless pumps are caused by running them dry and damaging the
bearings. A low boiling liquid may flash and a reverse circulation system or bypass
stream may be required (Ref. 6-29). If the temperature of the flush liquid increases, the
vapor pressure may rise and liquid may flash and the sleeve bearings can run dry. Solids
may abrade the bearings of magnetic-drive pumps or may plug small ports in the can
area. High temperature can decrease the strength of the magnets.
Sealless pumps are equipped with a more complex hydraulic system involving
sleeve bearings and other parts which must receive some attention if the pump is to be
kept in good running condition. The specific heat and the rate of change of vapor
pressure are two critical physical factors which must be taken into account when
designing the pump.
6.6.3.1 Compressors
Compressors run the gamut from small, oil-less fractional horsepower reciprocating units to
massive turbine-driven multi-stage compressors. Typical uses of compressors include:
compression of process gas, supply of plant air, and compression of air for furnace or
fluidized bed combustion, exhaust, ventilation, and aeration. A comprehensive
discussion of reciprocating and centrifugal compressors can be found in Perry's
Chemical Engineers' Handbook (Ref. 6-30).
Compressors share several design problems that involve safety: potential
overpressure and overheating of the gas, vibration, seal leakage, and liquid intake into the
compression chamber. All of these can cause material failure in the compressor or its
ancillary piping, causing a gas release to the atmosphere. For reciprocating compressors,
overpressure is a special problem. While centrifugal compressors will reach a maximum
pressure when the compressor is deadheaded, the reciprocating compressor can continue
to increase pressure until either material failure occurs or the motor stalls and overheats.
For this reason reciprocating compressors are equipped with pressure relief valves. To
prevent these potential problems from occurring, the following design features should be
considered:
• Use of knock-out drums, cyclones, or inlet heaters to prevent liquids from
entering the compression chamber
• The sizing and installation of the proper seals - for large units, this will include
seals with a circulating lube oil system, degassing sealpots and piping of the
sealpot gases to recovery or treatment
• Piping design, including the proper materials of construction, vent and drain
lines, and the use of vibration isolation joints
• Use of appropriate alarm and shutdown instrumentation including vibration
switches, low / high discharge pressure, engine overspeed, high discharge
temperature, and low oil pressure
• Use of properly sized and located pressure relief devices
Process variables and parameters that determine safe compressor operation and
maintenance include: throughput, suction and discharge pressure, rotary speed, gas
molecular weight, heat capacity ratio (Cp/Cv), and suction and discharge temperature. In
general, during stable operation with a constant rotary speed, the pressure differential
across centrifugal and axial compressors decreases with increase in throughput. For a
fixed pressure drop, throughput increases with increasing rotary speed. Likewise, for a
constant throughput, pressure differential increases with increasing rotary speed.
Potential hazards of high throughput compressor operation, commonly referred to as
the "stonewall region," include throughput limits caused by horsepower / torque
constraints and insufficient pressure differential to meet the downstream process
requirements. Low throughput operation is known as the "surge region." When the
throughput falls below a critical value, known as the surge limit, self-sustained
oscillations of pressure and flow are induced leading to flow reversal (or slippage inside
the compressor) since the compressor wheel fails to impart sufficient kinetic energy to
compress gas continuously. Under severe surge, a compressor can exhibit high
frequency vibrations and high thrust bearing temperatures which can lead to permanent
mechanical damage. A compressor under regulatory control and operating in close
proximity to the surge limit can quickly move into surge.
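The surge limit and stonewall region described above are what an anti-surge monitor watches. The following Python is an added example, not from this book or from any compressor vendor's control system: it stores a constructed compressor map (surge line and stonewall line as pressure ratio versus flow), interpolates the surge flow at the measured pressure ratio, reports the surge margin, classifies the operating region, and computes a recycle valve demand that opens progressively as the operating point approaches the surge limit. The map points, units and the 10 % alarm margin are assumptions for illustration.

```python
"""Added worked example (not from the CCPS text): surge-margin monitoring for
a centrifugal compressor.

The surge line and stonewall (choke) line are stored as constructed tables of
(pressure ratio, flow) points; the numbers are illustrative, not a real
compressor map.  For a measured operating point the code interpolates the
surge flow at the current pressure ratio, reports the surge margin, classifies
the operating region, and computes a recycle (anti-surge) valve demand that
opens the valve progressively as the point approaches the surge limit.
"""
from typing import List, Tuple

# Constructed map: at each pressure ratio, the flow (arbitrary units) below
# which the compressor surges, and above which it stonewalls.
SURGE_LINE: List[Tuple[float, float]] = [(1.2, 40.0), (1.8, 60.0), (2.3, 80.0), (2.6, 100.0)]
STONEWALL_LINE: List[Tuple[float, float]] = [(1.2, 160.0), (1.8, 140.0), (2.3, 120.0), (2.6, 105.0)]


def interpolate(x: float, table: List[Tuple[float, float]]) -> float:
    """Piecewise-linear lookup on a table sorted by x; clamps outside the range."""
    if x <= table[0][0]:
        return table[0][1]
    if x >= table[-1][0]:
        return table[-1][1]
    for (x0, y0), (x1, y1) in zip(table, table[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    raise ValueError("table is not sorted by x")


def surge_flow(pressure_ratio: float) -> float:
    """Flow at which the compressor surges for the given pressure ratio."""
    return interpolate(pressure_ratio, SURGE_LINE)


def surge_margin(flow: float, pressure_ratio: float) -> float:
    """Fractional distance from the surge limit; negative means already in surge."""
    q_s = surge_flow(pressure_ratio)
    return (flow - q_s) / q_s


def operating_region(flow: float, pressure_ratio: float, alarm_margin: float = 0.10) -> str:
    """'surge', 'near_surge', 'stonewall' or 'normal' for the measured point."""
    margin = surge_margin(flow, pressure_ratio)
    if margin <= 0.0:
        return "surge"
    if margin < alarm_margin:
        return "near_surge"
    if flow >= interpolate(pressure_ratio, STONEWALL_LINE):
        return "stonewall"
    return "normal"


def recycle_valve_demand(flow: float, pressure_ratio: float, alarm_margin: float = 0.10) -> float:
    """Anti-surge recycle valve opening in [0, 1].

    Closed while the margin is at or above alarm_margin, then opened in
    proportion to how far the margin has fallen below it, fully open at or
    below the surge line.  Opening the recycle raises the flow through the
    machine without changing what the downstream process takes.
    """
    margin = surge_margin(flow, pressure_ratio)
    if margin >= alarm_margin:
        return 0.0
    return min(1.0, (alarm_margin - margin) / alarm_margin)


if __name__ == "__main__":
    # Constructed sequence: throughput being cut at a constant pressure ratio.
    for q in (90.0, 75.0, 70.0, 65.0, 60.0):
        print(f"flow={q:5.1f} PR=2.0 margin={surge_margin(q, 2.0):+.3f} "
              f"{operating_region(q, 2.0):10s} recycle={recycle_valve_demand(q, 2.0):.2f}")
```

The point of the proportional opening is the last sentence of the paragraph above: a controller that waits until the surge line is crossed acts too late, because the transition into surge is fast, so the recycle has to start opening while the machine is still on the stable side of the limit.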
• The liquid used in liquid ring vacuum pumps may also require treatment prior
to release to atmosphere (for example, if it absorbs flammable process liquids).
• Instrumentation should be provided to control and monitor pressure (vacuum).
• Backup of motive steam could cause overpressure in ejectors.
• Loss of intercondenser cooling medium could lead to overpressure of the
system.
Ryans and Roper (Ref. 6-31) present a thorough discussion of the design and
operation of vacuum systems and equipment.
Dry vacuum pumps are compact and energy efficient compared to other mechanical
vacuum pumps because they do not require a working fluid to produce vacuum, so
nothing contacts the vapors being pumped. They have been successfully used for
pumping corrosive and flammable vapors. Dry vacuum pumps are available as rotary-
lobe Roots blowers, claw compressors, and screw compressors. These three all have
certain things in common. Tight clearances result in these pumps running hot, and the
potential for overheating is inherent in their design. Dissipating the heat of compression
is necessary, and temperature control is required. Generally, temperature control is
accomplished by using a water jacket or injecting cooled process gas or nitrogen into the
working volume of the pump. Occasionally, both methods are used together.
Safety is an issue when pumping flammable vapors and gases because of the
potential for an explosion, initiated for example by a spark caused by contact between
the rotors and casing. Dry vacuum pump manufacturers address safety in part by
designing pumps that will contain an internal explosion. Flame propagation can be
minimized by inerting with nitrogen or other inert gas prior to startup.
Autoignition is also a consideration. Dry vacuum pumps run hot, with discharge
temperatures for screw compressors sometimes reaching 662-752°F (350-400°C). To
cope with this, the latest generation of dry vacuum pumps is designed to run at lower
temperature and has precise temperature control.
6.6.4 References
6-28. Grossel, S.S. Highly Toxic Liquids - Moving Them Around the Plant. Part 1.
Chemical Engineering. 1990.
6-29. Reynolds, J.A. Canned Motor and Magnetic Drive Pumps. Chemical
Processing, No. 12. 1989.
6-30. Green, D.W. and Perry, R.H. Perry's Chemical Engineers' Handbook, Eighth
Edition. McGraw-Hill. New York. 2008.
6-31. Ryans, J.L. and Roper, D.L. Process Vacuum System Design and Operation.
McGraw-Hill. New York. 1986.
Bloch, H. P. Pump Wisdom: Problem Solving for Operators and Specialists. John
Wiley & Sons, Hoboken, New Jersey. 2011.
Eierman, R.B. Improving Inherent Safety with Sealless Pumps. Proceedings of the 29th
Annual Loss Prevention Symposium, July 31-August 2, 1995, Boston, Massachusetts.
1995.
Karassik, I. J et al. Pump Handbook, 4th Edition. McGraw-Hill, New York. 2008.
Kletz, T. A. Lessons from Disaster. Gulf Publishing Company, Houston, Texas. 1993.
Kletz, T. A. Learning from Accidents. Butterworth-Heinemann Ltd., Oxford. 1994.
Ryans, J. and Bays, J. Run Clean with Dry Vacuum Pumps. Chemical Engineering
Progress, pp. 32-41. October 2001.
Tunna, C. Pumping Potentially Explosive Atmospheres. The Chemical Engineer
(IChemE), pp. 30-31. May 2005.
damaged. No nitrogen inerting was used and enough time had elapsed to allow
sufficient air to be drawn into the centrifuge to create a flammable atmosphere.
Sufficient heat could also have been generated by friction to raise the temperature of the
precooled solvent medium above its flash point. Because the Teflon® coating on the
centrifuge basket had been worn away, ignition of the flammable mixture could also
have been due to metal-to-metal contact between the basket and the bottom outlet chute
of the centrifuge, leading to a friction spark. A static discharge might also have been
responsible for the ignition. Since the incident, the company has required use of nitrogen
inerting when centrifuging flammable liquids at all temperatures (Ref. 6-32).
Lessons learned include monitoring the oxygen concentration in conjunction with
inerting and sealing the bottom outlet to minimize air entry. Because the ignition source
was uncertain (static discharge, frictional heat), this incident illustrates why it often is
prudent to assume an ignition source when designing for flammable materials.
installation drawings with explanatory notes describing the clear space needed for vent
actuation and for fire ball attenuation. Although it was unfortunate that the dust collector
was damaged, much additional damage was probably avoided because good
housekeeping minimized the dust available for a secondary explosion. Nuts and bolts
located inside of rotating equipment have the potential to cause significant damage if
they come loose. Consider the use of tack-welded wire ties or other means to prevent
them from disengaging during operation.
Table 6.7 Common Failure Scenarios and Design Solutions for Solid Fluid Separators
(Columns: Scenario No.; Failure Scenario; Potential Consequences; Potential Design Solutions: Inherently Safer / Passive, Active, Procedural)

Pressure

Generally Applicable - High Pressure (applicable to all high pressure scenarios)
    Inherently safer / passive: Filter design accommodating maximum expected pressure
    Active: Emergency relief device; rupture disk upstream of relief valve with appropriate rupture disk leak detection
    Procedural: Operator response to high pressure alarm

Generally Applicable - Low Pressure (applicable to all low pressure scenarios)
    Inherently safer / passive: Filter design accommodating minimum expected pressure
    Active: Vacuum relief device
    Procedural: Operator response to low pressure alarm

Scenario 1. Loss of vacuum (vacuum belt filter, vacuum pan filter, rotary vacuum filter)
    Potential consequences: Potential release of toxic or flammable vapors to atmosphere
    Inherently safer / passive: Totally enclosed, vapor-tight filter; grounding and bonding
    Active: Automatic shutdown operation in response to vapor detection alarm; local exhaust ventilation connected to a control system (vent condenser, adsorber, scrubber, or incinerator)
    Procedural: Written procedures and training for manual shutdown in response to vapor detection alarm

Scenario 2. Relief device plugged on filter
    Potential consequences: Potential increase in pressure
    Inherently safer / passive: Flow sweep fitting at inlet to relief device
    Active: Automatic sweep of inlet to relief device with purge fluid; heat trace and insulate relief device
    Procedural: Written procedures and training for manual periodic flush of inlet to relief device with purge fluid

Scenario 3. High pressure differential across tube sheet
    Potential consequences: Potential tube sheet buckling, potential loss of containment
    Inherently safer / passive: Tube sheet designed for maximum possible differential pressure
    Active: Relief valve on inlet side of filter; high inlet or differential pressure alarm and/or interlock

Flow

Scenario 4. Deposits on walls (tarry or sticky dust) (cyclones, dust collectors, and electrostatic precipitators)
    Potential consequences: Potential fire
    Inherently safer / passive: Different type of separator (e.g., wet-type precipitator or scrubber); fire-retardant filter bags or ceramic cartridges
    Active: Fire / explosion suppression
    Procedural: Written procedures and training for periodic cleaning of accumulated flammable dust deposits

Scenario 5. Loss of feed (clarifier and separator centrifuges, i.e., disc bowl, nozzle bowl, chamber bowl, desludger, opening bowl)
    Potential consequences: Potential equipment damage caused by vibration
    Inherently safer / passive: Design that is tolerant to loss of feed (e.g., pusher type centrifuge)
    Active: Adequate supply of wash liquid or water automatically as feed is reduced under emergency shutdown conditions
    Procedural: Written procedures and training to provide adequate supply of wash liquid or water manually as feed is reduced under emergency shutdown conditions

Temperature

Composition

Scenario 6. Pyrophoric material used in filter (batch filters)
    Potential consequences: Potential fire when cake exposed to air or when filter is opened
    Inherently safer / passive: Filter with cake removal by spinning plates and sluicing with liquid (filter does not have to be opened up)
    Active: Automatic fixed water spray; inerting
    Procedural: Written procedures and training to ensure that filter cake is sufficiently flushed with water before filter is opened

Equipment Failure

Generally Applicable (applicable to all equipment failure scenarios)
    Inherently safer / passive: Centrifuge design accommodating maximum expected pressure; elimination of flammable solvent; equipment design accommodating maximum expected pressure; deflagration venting; permanent grounding and bonding
    Active: Automatic external fire suppression system; automatic inerting; automatic isolation of associated equipment via quick-closing valves or chemical barrier (flame suppression); internal automatic fire / explosion suppression system
    Procedural: Written procedures and training for pre-inerting prior to restart of a batch centrifuge; written procedures and training for manual activation of external fire suppression system

Scenario 7. Static electricity (centrifuges)
    Potential consequences: Potential ignition of flammable vapors resulting in fire / explosion
    Inherently safer / passive: Avoid non-conductive lined centrifuge; electrically conductive wash liquid; less volatile / flammable wash liquid; non-flammable or high flash point solvent
    Active: Automatic shutdown on low pressure or low flow sensor on nitrogen supply line with interlocks to shut down filter or centrifuge
    Procedural: Written procedures and training for manual shutdown of batch centrifuge on detection of low inert gas pressure or flow; written procedures and training for manual bonding and grounding for portable units

(row continued from the preceding page; only the end of its active entry survives)
    Active (continued): ... interlock bearing temperature sensor to shut down the centrifuge at high temperature

Scenario 11. Basket imbalance (batch centrifuges)
    Potential consequences: Potential equipment damage caused by vibration
    Inherently safer / passive: Alternate solid / fluid separator designs; continuous centrifuge design; flexible connections to reduce vibration
    Active: Control system to admit feed at proper flow rate and appropriate time in acceleration period; vibration sensor interlocked to shut down centrifuge
    Procedural: Written procedures and training for control of feed rate to avoid imbalance of basket and vibration; written procedures and training for shutdown of centrifuge on detection of excessive vibration

Scenario 12. Loss of speed control (centrifuges)
    Potential consequences: Potential equipment damage caused by vibration
    Inherently safer / passive: Alternate solid / fluid separator designs
    Active: Speed detector interlocked to shut down the centrifuge at overspeed point
    Procedural: Written procedures and training for shutdown of centrifuge on detection of high speed

Scenario 13. Gasket leak (filter presses)
    Potential consequences: Potential loss of containment of flammable or toxic material
    Inherently safer / passive: Different type of filter or centrifuge with fewer gaskets; filter enclosed in splash shield housing; filter located in leak containment trough or in containment vessel; higher integrity gaskets
    Procedural: Written procedures and training to pretest filter for leaks with water before feeding process slurry; written procedures and training for testing compatibility of gasket material with process fluid
6.7.3.1 Centrifuges
Since centrifuges are subject to the hazards inherent in all rotating equipment, the
designer should first consider whether other, safer methods of separation (such as
decanters or static filters) can be used. If it is determined that a centrifuge must be used,
the design should be reviewed to ensure that it is as safe and reliable as possible.
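One part of such a review is the inerting interlock. The following Python is an added example, not from this book and not any vendor's safety system; it combines the lessons from the centrifuge incident earlier in this section (oxygen monitoring in conjunction with inerting, and a sealed bottom outlet) with the nitrogen supply low-pressure / low-flow shutdown listed for centrifuges in Table 6.7 (scenario 7), as permissive-to-start and trip-while-running logic. The oxygen, pressure and flow limits are constructed placeholders; in a real design the oxygen limits are set from the solvent's limiting oxygen concentration with a margin, and the instrument readings are assumed to come from dedicated safety-rated sensors.

```python
"""Added worked example (not from the CCPS text or from any vendor's
safety system): permissive and trip logic for an inerted batch centrifuge.

Trip conditions while running: high oxygen, low nitrogen supply pressure,
low nitrogen flow, bottom outlet not sealed, or any of those sensors failed.
Start permissive: no trip condition, plus a tighter oxygen limit so a restart
is not attempted until the purge has actually brought oxygen down.
All limits and readings are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class InertingLimits:
    o2_trip_vol_pct: float = 5.0        # constructed: trip above this while running
    o2_start_vol_pct: float = 3.0       # constructed: tighter permissive to start
    n2_pressure_low_barg: float = 2.0   # constructed
    n2_flow_low_nm3h: float = 10.0      # constructed


@dataclass(frozen=True)
class Readings:
    o2_vol_pct: Optional[float]         # None models a failed / out-of-range analyser
    n2_pressure_barg: Optional[float]
    n2_flow_nm3h: Optional[float]
    bottom_outlet_sealed: bool          # limit switch on the outlet closure


def trip_reasons(r: Readings, lim: InertingLimits) -> List[str]:
    """Conditions that must stop a running centrifuge.

    A failed sensor is treated as unsafe (fail-safe): the interlock cannot
    prove the atmosphere is inert, so it does not assume that it is.
    """
    reasons: List[str] = []
    if r.o2_vol_pct is None:
        reasons.append("oxygen_analyser_fault")
    elif r.o2_vol_pct > lim.o2_trip_vol_pct:
        reasons.append("high_oxygen")
    if r.n2_pressure_barg is None:
        reasons.append("n2_pressure_sensor_fault")
    elif r.n2_pressure_barg < lim.n2_pressure_low_barg:
        reasons.append("low_nitrogen_pressure")
    if r.n2_flow_nm3h is None:
        reasons.append("n2_flow_sensor_fault")
    elif r.n2_flow_nm3h < lim.n2_flow_low_nm3h:
        reasons.append("low_nitrogen_flow")
    if not r.bottom_outlet_sealed:
        reasons.append("bottom_outlet_open")
    return reasons


def start_blockers(r: Readings, lim: InertingLimits) -> List[str]:
    """Everything that blocks a start: all trip conditions plus the tighter
    pre-inerting oxygen limit."""
    blockers = trip_reasons(r, lim)
    o2_known = r.o2_vol_pct is not None
    if o2_known and r.o2_vol_pct > lim.o2_start_vol_pct and "high_oxygen" not in blockers:
        blockers.append("oxygen_above_start_limit")
    return blockers


def interlock_state(running: bool, r: Readings, lim: InertingLimits) -> str:
    """Single-word state for the machine: RUN, TRIP, START_OK or START_BLOCKED."""
    if running:
        return "TRIP" if trip_reasons(r, lim) else "RUN"
    return "START_BLOCKED" if start_blockers(r, lim) else "START_OK"


LIMITS = InertingLimits()
# Constructed readings for the cases discussed in the text.
INERTED = Readings(o2_vol_pct=1.5, n2_pressure_barg=3.0, n2_flow_nm3h=25.0, bottom_outlet_sealed=True)
AIR_INGRESS = Readings(o2_vol_pct=6.2, n2_pressure_barg=3.0, n2_flow_nm3h=25.0, bottom_outlet_sealed=False)
PURGE_NOT_DONE = Readings(o2_vol_pct=4.0, n2_pressure_barg=3.0, n2_flow_nm3h=25.0, bottom_outlet_sealed=True)
ANALYSER_DEAD = Readings(o2_vol_pct=None, n2_pressure_barg=3.0, n2_flow_nm3h=25.0, bottom_outlet_sealed=True)
N2_SUPPLY_LOST = Readings(o2_vol_pct=2.0, n2_pressure_barg=0.5, n2_flow_nm3h=2.0, bottom_outlet_sealed=True)

if __name__ == "__main__":
    cases = [("inerted", INERTED), ("air ingress", AIR_INGRESS), ("purge not done", PURGE_NOT_DONE),
             ("analyser dead", ANALYSER_DEAD), ("N2 supply lost", N2_SUPPLY_LOST)]
    for name, r in cases:
        print(f"{name:15s} running->{interlock_state(True, r, LIMITS):14s} "
              f"stopped->{interlock_state(False, r, LIMITS):14s} {trip_reasons(r, LIMITS)}")
```

The two-level oxygen limit is the reason for separating the permissive from the trip: a machine that is already running is stopped only when oxygen rises above the trip limit, but a stopped machine whose atmosphere sits between the start and trip limits is not restarted until it has been purged, which is the pre-inerting-before-restart procedure in Table 6.7 expressed as logic rather than as a written instruction.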
6.7.3.2 Filters
One of the primary concerns for filters is the loss of containment of flammable and toxic
materials and operator safety during the frequent opening and closing of the equipment
(e.g., for changing filter elements or unloading filters). Inherently safer process
alternatives should be considered to eliminate or lessen the need for filtration. Self-
cleaning, automatic backwashing, or sluicing filters should be considered for pyrophoric
or toxic materials as they do not have to be opened or disassembled to remove the filter
cake. Solid-liquid filters can be either pressure or vacuum filters. Filters for liquid
service should be provided with fire relief valves, as appropriate, and safe operating
procedures for out-of-service conditions. Solid-liquid filters that handle mixtures that
are either toxic or have other health-hazardous properties should use gas-tight, totally
enclosed units. Several types of filters are available in this design. Filters handling
mixtures containing flammable liquids may require inerting.
For filters that require frequent cleaning or changing, consideration should be given
to providing a parallel filter or bypass line. The design should include the capability to take
the filter offline, with proper isolation for lockout / tagout, depressuring, and draining to safe
locations.
Bag house filters are normally low pressure units. They can vary in operating
conditions from hot and chemically aggressive to cool and inert. Hot feed may lead to
exceeding the temperature rating of the filters and could even result in a bag house fire.
As with all filters, not exceeding the design differential pressure is important to both the
process stability and safety. As the solid is removed from the gas stream and is
subsequently handled for recovery or disposal, all of the conventions and concerns for
handling dust, powders and other solids apply. The system should be protected from the
potential of dust deflagration by the use of pressure relief or suppression devices. A
discussion of safety considerations for these types of systems is found in Dust Explosion
Prevention and Protection (Ref. 6-36).
6.7.4 References
6-32. Drogaris, G. Major Accident Reporting System: Lessons Learned from
Accidents Notified. Elsevier Science Publishers B.V., Amsterdam. 1993.
6-33. NFPA 68. Standard on Explosion Protection by Deflagration Venting, 2007
Edition. National Fire Protection Association. Quincy, Massachusetts. 2007.
6-34. NFPA 69. Standard of Explosion Prevention Systems, National Fire Protection
Association. Quincy, Massachusetts. 2008.
6-35. Grossel, S.S. Inerting of Centrifuges for Safe Operation. Process Safety
Progress. R4: Issue 4, pp. 273-278. 2003.
6-36. Barton, J. Dust Explosion Prevention and Protection - A Practical Guide. Gulf
Publishing, Woburn, Massachusetts. 2002.
packing buildings that surrounded the silos, or loaded into railcars and tanker trucks in
the bulk sugar loading area.
The first dust explosion initiated in the enclosed steel belt conveyor located below
the sugar silos. The recently installed steel cover panels on the belt conveyor allowed
explosive concentrations of sugar dust to accumulate inside the enclosure. An unknown
source ignited the sugar dust, causing a violent explosion. The explosion lifted sugar dust
that had accumulated on the floors and elevated horizontal surfaces, propagating more
dust explosions through the buildings. Secondary dust explosions occurred throughout
the packing buildings, parts of the refinery, and the bulk sugar loading buildings. The
pressure waves from the explosions heaved thick concrete floors and collapsed brick
walls, blocking stairwell and other exit routes. The resulting fires destroyed the packing
buildings, silos, palletizer building, and heavily damaged parts of the refinery and bulk
sugar loading area.
Lessons learned include:
• Sugar and cornstarch conveying equipment was not designed or maintained
to minimize the release of sugar and sugar dust into the work area.
• Inadequate housekeeping practices resulted in significant accumulations of
combustible granulated and powdered sugar and combustible sugar dust on
the floors and elevated surfaces throughout the packing buildings.
• Airborne combustible sugar dust accumulated above the minimum
explosible concentration inside the enclosed steel belt assembly.
windows were broken up to 90 meters away by the pressure wave, and missiles were
projected up to 120 meters away.
Subsequent experimental testing indicated that the explosion was caused by a
decomposition which reached high rates due to a critical degree of confinement. The
initiating source of the decomposition was not positively identified, but it was assumed
that the heat was generated by mechanical friction due, for example, to the screw rubbing
on the vessel wall. Another possibility is that a small metal item found its way into the
vessel and became trapped between the screw and the wall (Ref. 6-37).
Lessons learned include the need for good understanding of material reactivity
during the design phase. A deflagration suppression system might have prevented the
explosion; however this requires knowledge of the decomposition rate and
decomposition products.
Table 6.8 Common Failure Scenarios and Design Solutions for Solids Handling and Processing Equipment
(Columns: Scenario No.; Failure Scenario; Potential Consequences; Potential Design Solutions: Inherently Safer / Passive, Active, Procedural)

Pressure

Flow

Temperature

Scenario 2. Jamming and frictional heating (rotary valves)
    Potential consequences: Potential fire
    Inherently safer / passive: Dust collector bag cages and filters designed to be properly secured to avoid falling into rotary valve; outboard bearings to prevent failure due to solids contamination
    Active: Overload shutdown on the motor driving the rotary valve
    Procedural: Written procedures and training to secure dust collector bags and cages

Equipment Failure

(row continued from the preceding page; only one passive entry survives)
    Inherently safer / passive (continued): Deflagration venting to safe location

Scenario 6. Mechanical energy or electrostatic spark (mills, grinders, and other size reduction equipment)
    Potential consequences: Potential dust deflagration
    Inherently safer / passive: Fluid energy mill with inert gas instead of air; screens to remove tramp metals and other foreign materials
    Active: Magnets to automatically and continuously remove tramp metals and other foreign materials
    Procedural: Written procedures and training for manual removal of tramp metals and other foreign materials

Scenario (number illegible in source). Frictional heating from slipping belts or chains (bucket elevators and en-masse conveyors)
    Potential consequences: Potential dust deflagration
    Inherently safer / passive: Convey solids as pellets instead of granules or powder; increase particle size
    Active: Negative pressure for bucket elevators installed inside buildings to minimize dust leakage; hot material detection and automatic quench system
    Procedural: Written procedures and training for frequent routine inspection and scheduled replacement of belts and chains

(row partially extracted; failure scenario column only)
    Failure scenario: Overpressure (orbiting screw powder blender, fluid bed blender, or ribbon blender)

Scenario 10. Flammable or combustible solvents used (spray granulators and coaters)
    Potential consequences: Potential dust deflagration or fire
    Inherently safer / passive: High flash point solvents
    Active: Internal deluge water sprays
    Procedural: Written procedures and training to process most stable materials first when campaigning multiple products to avoid ignition of unstable materials

Scenario 12. Jammed idler roller, or if the belt jams, as a result of drive rollers continuing to run (belt conveyors)
    Potential consequences: Potential fire
    Inherently safer / passive: Fire retardant belts; different type of conveyor (e.g., vibratory type); sealed roller bearings to minimize ingress of solids
    Active: Belt velocity detection interlocked to shut down on low speed
    Procedural: Written procedures and training for manual shut down on detection of low speed
systems for the end-of-line equipment, and good grounding and bonding of the pipeline
and equipment. Other measures that can be taken involve modification of the solids
being conveyed, such as increasing the particle size (making pellets) or formulating the
solids so that they are less friable. Also, it is important to isolate the pneumatic
conveying line from end-of-line equipment by a quick-closing valve or suppressant
barrier so that the flame front developed in the end-of-line equipment does not propagate
backwards into the equipment upstream of the conveying system.
Static ignition mechanisms in recovery bins, silos and related equipment are
discussed by Eckhoff (Ref. 6-39). Recommended preventive and protective practices are
described in British Standards Institute BS-5958 (Ref. 6-40).
frictional heating which can act as an energy source for an explosion. Sensors for hot
material can be installed and interlocked with a water quench system to extinguish the
hot solids. Also, it is very important to prevent the propagation of a dust explosion flame
into the upstream and downstream equipment connected to conveying equipment. This
can be accomplished by installing material chokes such as rotary valves or screw feeders
at the inlet and outlet sides of conveyors. It has been found that material chokes (plugs
of powder) quench the flame (Refs. 6-38 and 6-39). Quick-closing valves and
suppressant barriers can also be used to isolate upstream and downstream equipment
from conveyors.
6.8.3.1 Storage
Storage vessels also include bins and silos used for the storage of solid materials such as
pellets, granules, or dusts. The primary danger in the bins comes from dust in the vapor
space above the material creating an explosive or ignitable condition. Suspensions of
combustible dusts in the vessel vapor space above the material can be ignited leading to
fires and explosions. Since dust production typically cannot be prevented, other means
of explosion prevention must be applied. Ignition sources should be minimized, and
explosion venting of vessels (including bin vent filters or bag-houses) should be
considered. Care should be taken during the design of a bin to reduce horizontal surfaces
inside the bin where material can remain and create a hazard when the bin is opened for
maintenance; the air above such areas has been known to explode while work inside the
bins was being performed during normal repairs.
Additionally, the vessels can be inerted in a manner similar to that used for
atmospheric storage tanks (Section 6.1.3.4). The pneumatic transfer of solids can also be
performed using an inert or a reduced oxygen concentration gas with a closed-loop
return to the sending tank. Deflagration suppression can also be provided for bins and
silos to prevent a deflagration. Among the principal reasons for providing inerting on
reactors and vessels is the desirability of eliminating flammable vapor-air mixtures that
can be caused by addition of solids through the manhole or materials having low
minimum spark ignition energies, or autoignition temperatures. Also, the pneumatically
conveyed stream can first be routed to a cyclone at the top of the silo and then admitted
to the silo slowly via a rotary airlock feeder. This minimizes the potential for a dust
cloud in the silo.
254 GUIDELINES FOR ENGINEERING DESIGN FOR PROCESS SAFETY
6.8.4 References
6-37. Whitmore, M.W., Gladwell, J.P. and Rutledge, P.V. Journal of Loss Prevention
in the Process Industries, pp. 169-175. 1993.
6-38. Field, P. Dust Explosions. Elsevier Scientific Publishing Company. New York
1982.
6-39. Eckhoff, R.K. Third Edition. Dust Explosions in the Process Industries.
Butterworth-Heinemann. Boston. 2003.
6-40. BS-5958. Code of Practice for Control of Undesirable Static Electricity: Part 1,
General Considerations, and Part 2, Recommendations for Particular Industrial
Situations. British Standards Institute. London 1992.
6-41. NFPA 77. Recommended Practice on Static Electricity, 2007 Edition. National
Fire Protection Association, Quincy, Massachusetts. 2007.
6-42. CCPS. Guidelines for Safe Handling of Powders and Bulk Solids, Center for
Chemical Process Safety of the American Institute of Chemical Engineers.
New York, New York. 2005.
6-43. NFPA 654. Standard for the Prevention of Fire and Dust Explosions from the
Manufacturing, Processing, and Handling of Combustible Particulate Solids.
National Fire Protection Association, Quincy, Massachusetts. 2006.
6. EQUIPMENT DESIGN 255
While operating the cracking heaters on light by-product off gases with a low
calorific value, a plant upset resulted in the trip of the cracked gas compressor. The
heaters were maintained online with cracked gas routed to a flare. Subsequently, without
forward flow of cracked gas to the downstream separation facilities, the production of
plant-produced off-gas diminished and LPG was automatically added to the fuel gas
system. With the addition of LPG the heating value of the fuel gas increased
significantly; this resulted in the overfiring (adding too much heat) of the heaters and
major damage to the coil and associated supports.
One lesson learned is that a heater emergency shutdown based on a coil outlet
temperature measurement independent of the process controls would have been
advantageous.
Table 6.9 Common Failure Scenarios and Design Solutions for Fired Equipment
Columns: failure scenario; potential consequences; design solutions (inherently safer / passive; active; procedural)

Pressure

Generally Applicable - High Pressure (applicable to all high pressure scenarios)
  Inherently safer / passive: Design for maximum pressure
  Active: Pressure relief device; deflagration or detonation arresters
  Procedural: Operator response to high burner pressure alarm; operator response to high firebox pressure alarm

1. High fuel gas pressure
  Potential consequences: Potential flame lift-off resulting in firebox explosion if gas flow is reintroduced
  Inherently safer / passive: Burners with wider turndown ratio; pilot burners designed with a separate fuel source; pilot gas supply from the upstream side of the main shutoff valve for all burners
  Active: Automatic heater shutdown on high firebox pressure or high stack temperature; automatic heater shutdown on high fuel gas pressure
  Procedural: Operator response to high pressure alarm

2. Low fuel gas pressure
  Potential consequences: Potential flameout resulting in firebox explosion if gas flow is reintroduced
  Inherently safer / passive: Pilot burners designed with a separate fuel source; pilot gas supply from the upstream side of the main shutoff valve for all burners
  Active: Flame surveillance system to shut down heater on loss of flame; automatic heater shutdown on low fuel gas pressure
  Procedural: Operator response to low fuel gas pressure alarm

Flow

Generally Applicable - More Flow (applicable to all more flow scenarios)
  Inherently safer / passive: Flow restriction orifice
  Active: Automatic heater shutdown on high fuel gas flow
  Procedural: Written procedures and training to prevent excessive firing rates

Generally Applicable - No / Less Flow (applicable to all no / less flow scenarios)
  Active: Automatic heater shutdown on low process flow (total or individual passes)
  Procedural: Written procedures and training for manual shutdown of heater on low process flow

4. Waste gas supply manifold to incinerator
  Potential consequences: Potential flashback into supply line
  Inherently safer / passive: Alternative waste gas disposal method (e.g., adsorption)
  Active: Automatic control of waste gas concentration; automatic temporary diversion of waste gas to alternative disposal
  Procedural: Written procedures and training for manual control of waste gas concentration; written procedures and training for manual temporary diversion of waste gas to alternative disposal

5. Closure of flue gas damper or trip of induced draft fan
  Potential consequences: Potential firebox explosion
  Inherently safer / passive: Firebox designed for shutoff pressure of forced draft fan; mechanical position stop to prevent complete closure of damper; natural draft design to eliminate induced draft fan and / or damper
  Active: Automatic heater shutdown on high firebox pressure or high stack temperature; automatic heater shutdown on low oxygen concentration
  Procedural: Operator response to high pressure alarm; operator response to low oxygen concentration alarm

6. Insufficient oxygen (incinerator)
  Potential consequences: Potential for incomplete destruction of hazardous materials
  Inherently safer / passive: Alternate means of disposal of hazardous material; increased stack height to reduce ground level concentration of hazardous materials
  Active: Automatic heater shutdown on low oxygen or carbon monoxide concentration; permissive systems that won't allow main burner lighting until pilot confirmation
  Procedural: Operator response to low oxygen or carbon monoxide concentration alarm; written procedures and training for manual sampling of incinerator offgas for concentration of hazardous materials

7. Low or no fuel gas flow (incinerator)
  Potential consequences: Potential for incomplete destruction of hazardous materials
  Inherently safer / passive: Alternate means of disposal of hazardous material; increased stack height to reduce ground level concentration of hazardous materials
  Active: Introduction of alternate fuel supply
  Procedural: Written procedures and training for manual sampling of incinerator offgas for concentration of hazardous materials

9. Makeup boiler water stops (boiler drum)
  Potential consequences: Potential tube rupture
  Inherently safer / passive: Tubes in the convection section designed to operate "dry"
  Active: Interlock to shut down firing on low boiler feed water flow
  Procedural: Operator response to flow alarm

Temperature

Generally Applicable - High Temperature (applicable to all high temperature scenarios)
  Active: Automatic heater shutdown on high process outlet temperature or high firebox temperature; automatic heater shutdown on high stack outlet temperature
  Procedural: Operator response to high stack temperature or high firebox temperature alarm; written procedures and training for manual shutdown of heater on high firebox temperature or high process outlet temperature

12. Overfiring
  Potential consequences: Potential tube rupture resulting in fire outside the firebox
  Inherently safer / passive: Enhanced tube metallurgy; heavier wall thickness; indirect firing
  Active: High stack temperature interlock; oxygen analyzer on heater with low oxygen alarm
  Procedural: Operator response to high temperature alarm; operator response to tube skin temperature alarm; written procedures and training for visual observation of tubes for hot spots

Composition

14. Rapid increase in fuel gas heating value
  Potential consequences: Potential tube rupture resulting in fire outside the firebox
  Inherently safer / passive: Dedicated constant heating value fuel gas
  Active: Automatic adjustment of firing on process outlet temperature and fuel heating value (on-line Btu analyzer)
  Procedural: Written procedures and training for operation of heater

15. Liquid in feed to catalytic incinerator
  Potential consequences: Potential for hot catalyst bed resulting in high temperature or fire
  Inherently safer / passive: Alternative incinerator design
  Active: Feed preheating to vaporize any entrained liquid; heat tracing of feed system; liquid knock-out drum with automatic liquid removal
  Procedural: Written procedures and training for manual liquid removal from knock-out (KO) drum

16. Liquid carry over with fuel gas
  Potential consequences: Potential loss of flame and possible explosion on reignition of gas
  Inherently safer / passive: Pilot burners with a separate fuel line; pilot gas supply from the upstream side of the main shutoff valve for all burners
  Active: Flame surveillance system to trip heater on loss of flame; heat tracing of fuel gas system; liquid knock-out drum with automatic liquid removal
  Procedural: Operator response to high level alarm on liquid knock-out (KO) drum and manual liquid removal

Equipment Failure

[row heading, consequences and active / procedural entries not recovered]
  Inherently safer / passive: Heavier wall thickness; sulfur-free fuel; alternative design without induced draft fan
several times its design pressure, but a furnace tube may only withstand a few percent
increases in its absolute temperature (Ref. 6-44).
6.9.3.1 Corrosion
Corrosion is a major source of tube rupture problems in fired heaters. External corrosion
of furnace tubes and other equipment in fireboxes may be caused by:
• Temperature
• Corrosive deposits on tubes
• Flue gas composition
• Physical conditions existing beneath and in any overlying deposit of ash
Oxygen and contaminants in the fuel gas and oils, rather than the fuel itself, cause
most of the corrosion in fireboxes. The harmful contaminants are alkali metals (Na, K),
sulfur, and vanadium. Although heater tubes usually operate at much lower metal
temperatures, consideration must be given to the corrosivity of the process fluid, typical
metal temperature, and the fuel used in firing the heater when tube materials are selected.
Corrosion occurs in the convection section when the temperature is lower than the
dew point of the flue gases. Proper operation / shutdown procedures are the most
effective methods to avoid convection section corrosion.
Incomplete combustion of fuel in the firebox will cause a buildup of combustible gases
(unburned fuel or carbon monoxide), which may ignite when sufficient oxygen is present,
resulting in an explosion within the firebox.
Process variables and parameters that determine safe furnace operation are Coil
Outlet Temperature (COT), pass outlet temperature (POT), excess oxygen in the flue
gas, combustible gases in the flue gas, flue gas opacity, firebox pressure, firing rate
(furnace tube heat flux), coking, stack and bridge wall temperatures, and combustion
efficiency. A sound control scheme must supply sufficient air to promote complete
combustion, ensure safe operation and maintenance, maintain COT at specified target,
balance burner firing, maintain equal POTs, constrain the furnace firing rate to avoid
maximum allowable stack temperature, furnace tube temperature, or convection section
temperature, and monitor indications of coking over long-term operation.
In the design of safe control systems, constraints imposed on process variables are
intended to ensure plant safety and efficient operation. Excessive temperatures lower
the strength of carbon steel and alloy materials used in the furnace and may lead to
premature failure. Thermocouples can be located in critical areas of the furnace to
indicate when temperatures are above safe operating conditions. Constraint controls
should be used to override furnace duty or COT controls and maintain the furnace within
metallurgical constraints.
In process plants, fired equipment such as furnaces and boilers are a vital necessity.
The combustion process must be controlled to maintain the desired rate of heat transfer,
to maintain efficient fuel combustion, and to maintain safe conditions in all phases of
operation. These combustion controls are normally a part of the basic process control
system and typically consist of some or all of the following control functions:
• Firing Rate Demand Control
• Combustion Air Flow Control
• Fuel Flow Control
• Fuel / Air Ratio (Excess Air) Control
• Draft Control
• Feed Water Flow Control (Steam Boilers Only)
• Steam Temperature Control (Steam Boilers Only)
Further details on the implementation of fired equipment controls can be found
in API RP 556 (Ref. 6-46).
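The protective logic behind the paragraphs above (automatic heater shutdowns on high firebox pressure, low fuel gas pressure, loss of flame, low oxygen and so on, as listed in Table 6.9, together with a constraint control that overrides the COT controller when a metallurgical limit is approached) can be made concrete in a few lines. The following is an added example written for this section; it is not code from the CCPS Guidelines or from API RP 556. All trip limits, controller gains, the 1 % per 10 °F cut-back and the readings are constructed for illustration, and a real heater takes its limits from its own design basis. The trip evaluator deliberately reads only measurements and never the controller's state, which is the independence from process controls that the incident narrative earlier in this section calls for.

```python
"""Simplified fired-heater protective logic: the automatic shutdown
interlocks of Table 6.9 plus the constraint override on the COT controller.
Added example, not code from the CCPS Guidelines or API RP 556; every trip
limit, gain and reading below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HeaterReadings:
    """One constructed snapshot of the measurements the interlock consumes."""
    fuel_gas_pressure_psig: float
    firebox_pressure_inwc: float   # inches of water column, gauge
    stack_temp_f: float
    process_flow_pct: float        # total process flow, percent of design
    flame_detected: bool           # from the flame surveillance system
    flue_gas_o2_pct: float         # from the flue gas oxygen analyzer
    coil_outlet_temp_f: float      # COT
    tube_skin_temp_f: float        # tube skin thermocouple


@dataclass
class TripLimits:
    """Constructed limits; a real heater takes these from its design basis."""
    fuel_gas_pressure_low_psig: float = 5.0
    fuel_gas_pressure_high_psig: float = 40.0
    firebox_pressure_high_inwc: float = 0.5
    stack_temp_high_f: float = 1500.0
    process_flow_low_pct: float = 50.0
    flue_gas_o2_low_pct: float = 1.0
    tube_skin_temp_max_f: float = 1100.0     # metallurgical constraint
    stack_temp_constraint_f: float = 1400.0  # constraint, set below the trip


def evaluate_trips(r: HeaterReadings, lim: TripLimits) -> List[str]:
    """Return the active automatic-shutdown causes (empty list = no trip).

    Each rule is one 'Active' design solution from Table 6.9. The function
    reads measurements only, never the controller's state, so the shutdown
    stays independent of the basic process control system.
    """
    causes: List[str] = []
    if r.fuel_gas_pressure_psig < lim.fuel_gas_pressure_low_psig:
        causes.append("low fuel gas pressure")       # flameout risk
    if r.fuel_gas_pressure_psig > lim.fuel_gas_pressure_high_psig:
        causes.append("high fuel gas pressure")      # flame lift-off risk
    if r.firebox_pressure_inwc > lim.firebox_pressure_high_inwc:
        causes.append("high firebox pressure")       # damper closure / ID fan trip
    if r.stack_temp_f > lim.stack_temp_high_f:
        causes.append("high stack temperature")      # overfiring
    if r.process_flow_pct < lim.process_flow_low_pct:
        causes.append("low process flow")            # tube overheating
    if not r.flame_detected:
        causes.append("loss of flame")
    if r.flue_gas_o2_pct < lim.flue_gas_o2_low_pct:
        causes.append("low flue gas oxygen")         # incomplete combustion
    return causes


def cot_controller_demand(r: HeaterReadings, cot_target_f: float,
                          base_demand_pct: float = 60.0,
                          gain_pct_per_f: float = 0.2) -> float:
    """Proportional COT controller (constructed gain): more firing when COT is low."""
    demand = base_demand_pct + gain_pct_per_f * (cot_target_f - r.coil_outlet_temp_f)
    return min(100.0, max(0.0, demand))


def constrained_firing_demand(r: HeaterReadings, lim: TripLimits,
                              cot_demand_pct: float) -> float:
    """Constraint override: low-select the COT demand against demands cut back
    for tube skin and stack temperature, so the metallurgical limit wins over
    the duty / COT controller whenever they disagree (constructed 1 % per 10 F)."""
    candidates = [cot_demand_pct]
    for value, limit in ((r.tube_skin_temp_f, lim.tube_skin_temp_max_f),
                         (r.stack_temp_f, lim.stack_temp_constraint_f)):
        if value > limit:
            candidates.append(max(0.0, cot_demand_pct - (value - limit) / 10.0))
    return min(candidates)


def heater_step(r: HeaterReadings, lim: TripLimits,
                cot_target_f: float) -> Tuple[List[str], float]:
    """One scan: trip causes and the firing demand (0.0 when any trip is active)."""
    causes = evaluate_trips(r, lim)
    if causes:
        return causes, 0.0   # fuel shutoff valves de-energised to close
    return causes, constrained_firing_demand(r, lim, cot_controller_demand(r, cot_target_f))


if __name__ == "__main__":
    normal = HeaterReadings(20.0, -0.1, 1200.0, 100.0, True, 3.0, 750.0, 1000.0)
    print(heater_step(normal, TripLimits(), 760.0))        # ([], 62.0)
    lost_flame = HeaterReadings(3.0, -0.1, 1200.0, 100.0, False, 3.0, 750.0, 1000.0)
    print(heater_step(lost_flame, TripLimits(), 760.0))    # (['low fuel gas pressure', 'loss of flame'], 0.0)
```

The low-select in `constrained_firing_demand` is the whole point of a constraint control: the COT controller is free to ask for more heat, but the lowest of the competing demands is what reaches the fuel valve, so a hot tube skin or a hot stack quietly pulls firing back before the high-temperature trip in `evaluate_trips` has to act.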
6.9.4 References
6-44. Kletz, T.A. Lessons from Disaster. Gulf Publishing Company. Houston, Texas.
1993.
6-45. Liptak, B.G. Instrument Engineers Handbook. Process Control, Fourth Edition.
Radnor, Pennsylvania: 2005.
6-46. API RP 556. Instrumentation and Control Systems for Fired Heaters and Steam
Generators. American Petroleum Institute. Washington D.C. 1997.
6-47. Green, Don W. and Perry, R.H. Perry's Chemical Engineers' Handbook, Eighth
Edition, McGraw-Hill. New York, New York. 2008.
6-48. API RP 560. Fired Heaters for General Refinery Service, Fourth Edition.
American Petroleum Institute. Washington D.C. 2007.
valve specifications, piping flexibility analysis, piping supports, special piping materials
of construction, and maintenance in accordance with the proper ASME B31 code
(Ref. 6-50). The section focuses on process lines carrying hazardous materials.
Codes of practice and standards address the solutions to common problems but
establish only minimum design, fabrication, testing, and examination requirements for
average service. Many circumstances relating to service, operation, materials and
fabrication, inspection, or unusual design deserve special consideration if the resulting
piping systems are to operate safely and be reasonably free from frequent maintenance.
Standards and codes of practice related to the safe design of piping are the following
codes issued by the American Society of Mechanical Engineers (ASME) (Ref. 6-50);
those also approved by the American National Standards Institute (ANSI) are indicated
with an asterisk:
• B31.1* Power Piping
• B31.2 Fuel Gas Piping
• B31.3* Chemical Plant and Petroleum Refinery Piping
• B31.4* Liquid Transportation Systems for Hydrocarbons, Liquid Petroleum
Gas, Anhydrous Ammonia, and Alcohols
• B31.5* Refrigeration Piping
• B31.8* Gas Transmission and Distribution Piping Systems
• B31.9* Building Service Piping
• B31.11* Slurry Transportation Piping Systems
• API Specification 5L, Specification for Line Pipe
These various sections provide different margins of safety for pressure piping
systems based on service considerations and industry experience.
Table 6.10 Common Failure Scenarios and Design Solutions for Piping and Piping Components
Columns: failure scenario; potential consequences; potential design solutions (inherently safer / passive; active; procedural)

Pressure

Generally Applicable - High Pressure (applicable to all high pressure scenarios)
  Inherently safer / passive: All piping and equipment designed for maximum expected pressure
  Active: Pressure relief device; automatic isolation based on detection of high pressure
  Procedural: Operator response to high pressure alarm; written procedures and training to leave one end of line open

2. Deflagration and detonation in piping
  Potential consequences: Potential loss of containment
  Inherently safer / passive: Dedicated vent lines used where incompatible material mixing may occur; elbows and fittings, which can cause turbulence and flame acceleration, avoided or minimized
  Active: Detonation or suitable deflagration arresters between protected equipment and potential ignition sources; gas flame detection and actuation of fast closing valve or suppression system; operate outside flammable range, e.g., O2 analyzer or hydrocarbon analyzer control of inert purge or enrichment gas addition
  Procedural: Written procedures and training for inert purging prior to startup; written procedures and training for periodic cleaning via flushing, blowdown, internal line cleaning devices (e.g., "pigs")

5. Valve in line rapidly closed
  Potential consequences: Potential liquid hammer and pipe rupture, loss of containment
  Inherently safer / passive: Slow-closing manual valves (i.e., gate instead of quarter turn)
  Active: Closing rate limited for motor-operated valves via appropriate gear ratio; closing rate limited for pneumatic-operated valves via restriction orifice in air line; surge arrester
  Procedural: Written procedures and training to close valves slowly

6. High pressure supply deadheaded at low pressure piping / tank
  Potential consequences: Failure of low pressure piping, nozzles, etc.
  Inherently safer / passive: High pressure valving and flanges installed at low pressure isolation (example: class 600 flange and isolation valve on open-top atmospheric tank); valving after high pressure isolation eliminated (e.g., discharge into top of tank)
  Active: Check valve to prevent back flow through pump to low pressure inlet piping; relief valve on low pressure piping; backflow preventers or auto-starts on pumps to lower the frequency of backflow events caused by loss of pump

Flow

10. Blockage of relief device by solids accumulation (polymerization, solidification)
  Potential consequences: Potential loss of relief capability
  Inherently safer / passive: Flow sweep fitting at inlet of relief device; trace and insulate relief device
  Active: Automatic flush of relief device inlet with purge fluid; rupture disks alone or in combination with safety valves with appropriate rupture disk leak detection
  Procedural: Written procedures and training for manual periodic or continuous flush of relief device inlet with purge fluid

[following row not recovered except for one entry]
  Inherently safer / passive: Conductive line

14. Failure to close valves on sample connection, drain and other fittings
  Potential consequences: Potential loss of containment
  Inherently safer / passive: "Dead man" (self-closing) valve; latching handle design on valves to prevent inadvertent opening
  Active: Automatic closed-loop sampling system
  Procedural: Written procedures and training for double block and bleed valves, valve plugs, caps, blinds, etc.; written procedures and training to immediately reinstall caps and flanges

15. Breakage of sight glasses or other glass components
  Potential consequences: Potential loss of containment
  Inherently safer / passive: Eliminate the use of glass components; flow restriction orifice in glass connection; physical protection against damage (i.e., armored sight glass)
  Active: Excess flow check valves to limit discharge due to glass failure
  Procedural: Written procedures and training to normally isolate sight glass when not in use

Temperature

19. External fire
  Potential consequences: Potential undesired process reaction (e.g., acetylene decomposition)
  Inherently safer / passive: Continuous welded pipe; fireproof insulation with stainless steel sheathing and banding
  Active: Fire detection system with automatic water spray and activation of manual water spray; automatic closure of isolation valve on fire detection
  Procedural: Operator response to fire detection system

[following row not recovered except for one entry]
  Procedural: Written procedures and training for manual injection of chemical to reduce freezing

Equipment Failure

23. Gasket leak
  Potential consequences: Potential loss of containment
  Inherently safer / passive: Double-walled pipe; maximize use of all-welded pipe; minimize use of unnecessary fittings
  Active: Ensure proper gasket material is specified and used
  Procedural: Written procedures and training for periodic inspection for leaks

24. Flange leak
  Potential consequences: Potential loss of containment
  Inherently safer / passive: Avoid use of underground piping; double-walled pipe; maximize use of all-welded pipe; minimize use of unnecessary fittings; physical collision barriers; shielding at flanges to prevent operator exposure
  Active: Automated leak detection with shutoff
  Procedural: Procedural restrictions to avoid damage (crane restrictions, climbing restrictions); written procedures and training for periodic inspection for leaks

25. Valve leak
  Potential consequences: Potential loss of containment
  Inherently safer / passive: Proper design and selection of valves
  Active: Fusible link valves for automatic closure under fire conditions
  Procedural: Procedural restrictions to avoid damage (crane restrictions, climbing restrictions); written procedures and training for periodic inspection for leaks

26. Transfer hose leak
  Potential consequences: Potential loss of containment
  Inherently safer / passive: Eliminate hose connections (hard piped); higher integrity hose (e.g., metallic braided); hose with higher pressure rating
  Active: Excess flow check valve upstream and check valve downstream of hose; Emergency Isolation Valves (EIVs) installed on both ends of hose
  Procedural: Written procedures and training to pressure test transfer hose before use; written procedures and training for periodic replacement of hoses, gaskets, and o-rings

29. Deadleg line
  Potential consequences: Potential loss of containment
  Inherently safer / passive: Deadlegs removed
  Active: Heat trace deadleg
  Procedural: Written procedures and training for periodic thickness testing of metal pipe wall; written procedures and training for identification of deadlegs
in the relief path may also be a source of blockage, particularly if the process fluid is
fouling, or can solidify or polymerize.
imposed in order to avoid hazards which could occur because of the following
conditions:
• Corrosion
• Erosion
• Vibration
• Noise
• Hydraulic hammer
• Static electricity
6.10.3.3 Valves
The code requirements for valves include ANSI / ASME B 16.34 (Ref. 6-53), B16.5 (Ref.
6-54), and MSS standards (Ref. 6-55).
The key to safe valve selection and installation lies in the generic specifications
written for the plant, with specific requirements created only for well-defined purposes.
The factors that need to be addressed in creating these specifications are discussed
below.
• The service that the valve will perform (on / off, throttling, back-flow
prevention, etc.), including the pressure drop and the amount of permissible
leakage through the valve, will determine the type of valve (gate, ball,
diaphragm, etc.) that can be used.
• The need to be able to visually determine the operating position (open / closed)
of the valve is often a factor.
• The process fluid conditions the valve must accommodate [chemicals, material
phases (including solids), temperature, pressure, and flow rate] will determine
the pressure and temperature class, end connection type, and the materials of
construction for the valve body, internals, seat, trim, and seals / gaskets.
Consideration of corrosion / erosion and temperature stress will be part of the
determination.
Regulatory limits on vapor leakage from valves will determine the stem packing
requirements. For materials with little or no vapor pressure the standard compressible
rope packings can be used. Vapor leakage may be addressed by providing a stuffing box
and stem or flexible graphite packing. Backseating the valves will relieve the load on the
packing. When complete elimination of packing is required, bellows seal-type valves
may be specified.
Valves for normal and emergency operations should have access from grade,
particularly if the valve is needed for emergency isolation. Emergency isolation valves
should not be located in pipe racks. See Section 7.4.1 for more information.
Check valves are used to prevent reverse flow, such as flow into a plant from
storage vessels, reverse flow through a pump, and reverse flow from a reactor. Check
valves are selected with consideration of service. Options include ball, piston, spring-
loaded wafer, swing, tilting disc, and intrinsically damped. Check valves have had poor
reliability and performance issues. Hazardous services (where backflow can create a
hazardous situation) should not depend totally on a check valve. Some positive
backflow prevention device would then be required, such as instrumented backflow
prevention (e.g., tight shutoff control valves or knife-gate valves).
Control valves may fail in-place, fail open, or fail closed. Failure position should be
carefully chosen during the design process to ensure a system is taken to a safe state
upon failure.
The term "pipe support" is used generically to encompass a whole range of integral
and non-integral pipe attachments, variable and constant spring hangers, sliding
supports, rod hangers, shock suppressors, vibration dampeners, anchors, pipe support
frames, etc. The purpose of pipe supports is to transmit the loads acting on piping
systems to building structures or other structures. The designer should also consider the
requirements for flexibility in special conditions:
• Steam purging, which may differ from standard operating conditions
• Hydrotesting
• Startup, when temperature may be higher than the operating temperature
• Startup, when attached equipment is cold
• Shutdown
• Cyclic conditions
• Process excursions
• Steam tracing
• Reactive force (recoil) of discharge on vessels
• Reactive forces of relief devices
6.10.3.5 Flanges
Flanges are used to join sections of pipe or connect valves to piping. There are many
types and design of flange connections. Of particular concern is the use of long bolts
(bolts longer than 3 inches). Long bolts can receive direct flame impingement and
expand when exposed to heat. This allows the flanges to leak and feed the fire. Welded
pipe joints are preferred; however, standard flange joints should be used before long bolt
flanges.
Expansion joints should only be considered as a last resort, when all attempts to
attain adequate piping flexibility through layout modifications have failed. In such
cases, the condition of the joints must be closely monitored. The concerns with regard
to expansion joints are:
• Expansion joints tend to develop cracks when used to absorb large lateral
deflections.
• They require additional anchors and guides in controlling thermal movements.
• Due to erosion concerns, expansion joints should not be used in streams with
high levels of particulates, although liner sleeves can mitigate this problem.
• For expansion joints handling hazardous materials, double-layer expansion
joints with interspatial monitoring should be considered.
6.10.3.7 Vibration
Vibration may cause stresses in a component due to displacement resulting in failure of
the component. In addition, vibrations can be transmitted to other equipment and
structures. Vibration of piping and components can be classified as either steady state or
transient. Transient vibration can be caused by water hammer, earthquake, slug flow, or
relief valve thrust forces. Steady state vibration can be caused by pressure pulsations
from mechanical equipment subject to pulsating flow, such as reciprocating compressors
and pumps, valve chattering, or turbulent flow conditions.
In cases where vibration is present, a stress analysis should be performed to evaluate
the impact of vibration on system life. Stress analysis is the calculation of the stress in a
component and the comparison to a safe limiting value. The limiting value will be
related to time or frequency and is dependent upon the properties of the material. One of
the more significant methods of indicating a property of a material is the design fatigue
endurance curve. Simplified, the endurance curve indicates failure limits (stress values)
based on cycles. Higher cycles require lower stress values; in other words, high stress
values result in reduced cyclic life.
• Ammonia
• Oxygen and oxygen-enriched atmospheres
• Chlorine
• Phosgene and other toxic chemicals
• Hydrogen
Considerations could include:
• Chemical compatibility (internal corrosion resistance, corrosion rates, and years
of remaining life considerations).
• Gasket systems (chemical resistance, performance limitations, and useful life).
• Materials of construction vs. service. For example:
- Stainless steel is good in some low temperature services, but subject to
chloride stress cracking, making it less suitable for chlorine liquefaction.
- Carbon steel is a good material for caustic solutions such as sodium
hydroxide and potassium hydroxide at relatively low temperatures, but is
subject to caustic stress cracking at temperatures as low as 140°F (60°C),
depending on concentration.
Special cases often require careful consideration of operating conditions outside of
"normal" that can still be expected to be encountered. For example, evacuation of a
pipeline containing a liquefied gas can make it much colder than "normal", requiring a
material selection different from the one that would be made if evacuation were not considered.
• Ensure that all supports, anchors, and guides are installed prior to hydrostatic
testing. This cannot be over-emphasized since the pipe system can be severely
damaged without proper pipe support.
• All valves, valve operators, and other components in the system must be
independently supported.
• Valves that require high torques to open and close should be anchored so that
the high torque does not damage the pipe.
• Riser supports for vertical runs should be guided or laterally restrained to
reduce vibration and effects of wind load. Unnecessary loading in vertical runs
should be avoided. Support should be provided to vertical runs in compression,
where possible.
• Avoid point loading.
• Provide the minimum support width such that the bearing stress is less than 85 psi.
• Avoid unnecessary bending.
6.10.4 References
The editions that were in effect when these Guidelines were written are indicated below.
Because standards and codes are subject to revision, users are encouraged to apply only
the most recent edition.
6-49. Lees, F.P. Loss Prevention in the Process Industries, Third Edition. Elsevier,
Inc. Oxford, UK. 2005.
6-50. ASME B31. Standards of Pressure Piping. American Society of Mechanical
Engineers. New York, New York. 2010. www.asme.org
6-51. NFPA 69. Standard on Explosion Prevention Systems. National Fire Protection
Association. Quincy, Massachusetts. 2008.
6-52. CCPS. Deflagration and Detonation Flame Arresters. Center for Chemical
Process Safety of the American Institute of Chemical Engineers. New York,
New York. 2002.
6-53. ANSI / ASME B 16.34. Valves-Flanged, Threaded, and Welding End.
American National Standards Institute and American Society of Mechanical
Engineers. New York, New York. 1996.
6-54. ANSI / ASME B16.5. Pipe Flanges and Flanged Fittings. American National
Standards Institute and American Society of Mechanical Engineers. New York,
New York. 2009.
6-55. MSS SP-6-2007. Standard Finishes for Contact Faces of Pipe Flanges and
Connecting-End Flanges of Valves and Fittings. Manufacturers
Standardization Society of the Valve and Fittings Industry. Vienna, Virginia.
2007.
6-56. Mruk, S.A. Thermoplastic Piping. Chapter D1 in Piping Handbook, 6th
Edition, M.L. Nayyar, editor. McGraw-Hill Book Company. New York, New
York. 1992.
6-57. McCallion, J. Secondary Containment Takes Off. Chemical Processing. pp.
33-38. March 1990.
6-58. CCPS. Guidelines for Safe Handling of Powder and Bulk Solids. Center for
Chemical Process Safety of the American Institute of Chemical Engineers.
New York, New York. 2005.
API 941. Steels for Hydrogen Service at Elevated Temperatures and Pressures in
Petroleum Refineries and Petrochemical Plants, 5th Edition. American Petroleum
Institute. Washington, D.C. 1997.
API SPEC 6FC. Specification for Fire Test for Valves with Automatic Backseats, 4th
Edition. American Petroleum Institute. Washington, D.C. 2009.
API STD 594. Check Valves: Flanged, Lug, Wafer and Butt-welding. American
Petroleum Institute. Washington, D.C. 2004.
API STD 600. Steel Gate Valves - Flanged or Butt-Welding Ends, Bolted Bonnets, 12th Edition.
American Petroleum Institute. Washington, D.C. 2009.
API STD 602. Steel Gate, Globe and Check Valves for Sizes DN100 and Smaller for the
Petroleum and Natural Gas Industries, 9th Edition. American Petroleum Institute.
Washington, D.C. 2009.
ASME. Boiler and Pressure Vessel Code, Section 8, Division 1. American Society of
Mechanical Engineers. New York, New York. 2007.
ASTM A105 / A105M-10. Standard Specification for Carbon Steel Forgings for Piping
Applications. American Society for Testing and Materials. Philadelphia, Pennsylvania.
2010.
ASTM A182 / A182M-10. Standard Specification for Forged or Rolled Alloy and
Stainless Steel Pipe Flanges, Forged Fittings and Valves and Parts for High-
Temperature Service. American Society for Testing and Materials. Philadelphia,
Pennsylvania. 2010.
ASTM G-88-05. Standard Guide for Designing Systems for Oxygen Service. American
Society for Testing and Materials. Philadelphia, Pennsylvania. 2005.
Beard, C. S. Final Control Elements: Valves and Actuators. Chilton Co. Philadelphia,
Pennsylvania. 1969.
Branan, C. R. Rules of Thumb for Chemical Engineers, 4th Edition. Gulf Professional
Publishing, Elsevier, Oxford, UK. 2005.
CGA, Accident Prevention in Oxygen-Rich and Oxygen-Deficient Atmospheres. P-14.
Compressed Gas Association, Inc. Arlington, Virginia. 1992.
CGA, Oxygen Compressor Installation Guide, Third Guide. Publication G-4.6.
Compressed Gas Association, Inc. Arlington, Virginia. 2008.
CGA, Oxygen, 10th Edition. Publication G-4. Compressed Gas Association, Inc.
Arlington, Virginia. 2008.
CGA, Safe Handling of Cryogenic Liquids, 4th Edition. Publication P-12. Compressed
Gas Association, Inc. Arlington, Virginia. 2005.
CGA, Acetylene, 12th Edition. Publication G-l. Compressed Gas Association, Inc.
Arlington, Virginia. 2009.
CGA, Cleaning Equipment for Oxygen Service, 6th Edition. Publication G-4.1.
Compressed Gas Association, Inc. Arlington, Virginia. 2009.
288 GUIDELINES FOR ENGINEERING DESIGN FOR PROCESS SAFETY
CGA, Oxy-Fuel Hose Line Flashback Arrestors, 5th Edition. Technical Bulletin TB-3.
Compressed Gas Association, Inc. Arlington, Virginia. 2008.
CGA, Standard for Hydrogen Piping at Consumer Locations, 4th Edition. Publication
G-5.4. Compressed Gas Association, Inc. Arlington, Virginia. 2010.
CGA, Industrial Practices for Gaseous Oxygen Transmission and Distribution Piping
Systems. Publication G-4.4. Compressed Gas Association, Inc. Arlington, Virginia.
2003.
CGA HB, Handbook of Compressed Gases, 4th Edition. Compressed Gas Association.
Van Nostrand Reinhold. New York, New York. 1999.
Chlorine Institute. Chlorine Pipelines, 6th Edition. Chlorine Institute. Washington, D.C.
2007.
Chlorine Institute. Piping Systems for Dry Chlorine. Pamphlet No. 6. Chlorine Institute,
Washington, D.C. 1989.
Coker, A.K. Ludwigs Applied Process Design for Chemical and Petrochemical Plants,
Volume 1,4th Edition. Elsevier, Oxford, UK. 2007.
Danielson, G.L. Handling Chlorine-Part 1, Tank Car Quantities. Chemical
Engineering Progress. 60(9)86. 1964.
EJMA (Expansion Joint Manufacturers Association, Inc.). 9th Edition EJMA Standards
(Included one copy of Practical Guide). White Plains, New York. 2008.
Grossel, S.S. Improved Design for Slurry Piping. Chemical Engineering Progress, pp.
114-117. April 1998.
Helguero, V. Piping Stress Handbook, 2nd Edition. Gulf Publishing Co. Houston,
Texas. 1986.
Kannappan, S. Introduction to Pipe Stress Analysis. Wiley. New York, New York.
1986.
Lyons, J.L. Encyclopedia of Valves. Van Nostrand Reinhold. New York, New York.
1975.
Mallison, J.H. Corrosion-Resistant Plastic Composites in Chemical Plant Design.
Marcel Dekker, Inc. New York, New York. 1988.
MSS SP-43-2008. Wrought and Fabricated Butt-Welding Fittings for Low Pressure,
Corrosion-Resistant Applications. Manufacturers Standardization Society of the Valve
and Fittings Industry. Vienna, Virginia. 2008.
MSS SP-53-1999. Quality Standard for Steel Castings and Forgings for Valves,
Flanges and Fittings and Other Piping Components Magnetic Particle Exam Method.
Manufacturers Standardization Society of the Valve and Fittings Industry. Vienna,
Virginia. 1999.
6. EQUIPMENT DESIGN 289
This section presents only those failure modes that are unique to material handling
and warehousing equipment. Some of the generic failure scenarios pertaining to other
equipment may also be applicable to material handling and warehousing.
and the plant employees. Commercial grade nitric acid contains 35% water, and sulfuric acid has a strong affinity for that water. The heat of solution drove an exothermic reaction, and the acid, initially at ambient temperature, rose to about 160°F (71°C). Nitrogen dioxide was liberated from the hot nitric acid, creating a blue-white cloud that drifted 25 feet (7.6 m) into the air. An emergency shelter-in-place was called after the incident to protect residents in the nearby community.
Lessons learned include proper labeling of unloading connections, providing different types of connectors, or relocating similar connections away from each other.
filling operation. The intentions to improve the environment were noble, but the simple
vent system design possessed an unrecognized flaw that allowed a minor overfill
situation to suddenly and completely destroy the vessel.
About a year after the system was put in service, the tank was filled from a tank truck instead of being supplied by the usual pipeline. As the tank truck was unloaded, the acid level rose in the small storage tank. The company representative wanted to top off the tank. Before the truck was fully unloaded, acid started to overflow through the 6-inch (15-cm) line into the scrubber. The alert truck driver responded quickly and abruptly shut the delivery valve on his truck. Unexpectedly, the partial vacuum created by the siphoning action of the overflowing liquid exceeded the tank's vacuum rating, and the storage tank was totally destroyed.
Lessons learned include performing a proper Management of Change review and training operations and maintenance staff on the changes implemented.
Pressure

Generally applicable - high pressure (applicable to all high pressure scenarios)
   Inherently safer / passive: Piping / hose designed for deadhead pressure of pump
   Active: PSV on tank truck, railcar, or marine vessel
   Procedural: Operator response to high pressure alarm

Generally applicable - low pressure (applicable to all low pressure scenarios)
   Inherently safer / passive: Receiving tank designed for full vacuum
   Active: Vacuum relief device on tank truck, railcar, or marine vessel
   Procedural: Operator response to low pressure alarm

2. Use of high pressure inert gas to transfer material from tank truck, railcar, or marine vessel
   Potential consequence: Potential to overpressure tank truck, railcar, or marine vessel; potential loss of containment
   Inherently safer / passive: Flow restriction orifice
   Active: PSV on inert gas line
   Procedural: Written procedures and training to monitor pressure gauge on tank truck, railcar, or marine vessel

3. Transfer pump deadhead pressure exceeds transfer hose or piping design pressure
   Potential consequence: Potential loss of containment
   Inherently safer / passive: Pump deadhead pressure less than design pressure of hose or piping
   Active: Pump shutdown on deadhead conditions (e.g., low flow, low amps, low power)
   Procedural: Written procedures and training to ensure proper valve alignment prior to transfer

4. Overfill storage tank or transport vessel
   Potential consequence: Overpressure resulting in vessel failure or relief valve lifting (especially an issue with liquefied gases)
   Inherently safer / passive: Containment
   Active: Relief valve discharge directed to secondary containment, scrubber, flare, etc., if toxics or flammables are involved; reliable level / overfill protection system; volume or weight measurement
   Procedural: Written procedures and training identifying maximum fill volumes / weights (include loading temperature and pressure considerations when appropriate)

5. Low final container pressure
   Potential consequence: Excess flow devices may not operate
   Active: Provisions for inert gas padding
   Procedural: Written procedures and training for identifying minimum final pressure for shipment

Flow

Generally applicable - more flow (applicable to all more flow scenarios)
   Inherently safer / passive: Orifice restriction
   Active: Automatic response to high flow alarm
   Procedural: Operator response to high flow alarm

6. Excessive fill rate
   Potential consequence: Potential static accumulation, potential fire / explosion
   Inherently safer / passive: Flow restriction orifice
   Active: Inert receiving vessel
8. Quantity of material delivered greater than capacity of storage tank / vessel
   Potential consequence: Potential overfill of storage tank / vessel, potential loss of containment
   Inherently safer / passive: Storage tank designed larger than delivery vessel
   Active: High level alarm with automatic shutoff of transfer
   Procedural: Written procedures and training to verify capacity prior to transfer

9. Manual valve in delivery system closed
   Potential consequence: Potential to deadhead transfer pump, potential loss of containment
   Inherently safer / passive: Pump deadhead pressure less than design pressure of hose or piping
   Active: Pump shutdown on deadhead conditions (e.g., low flow, low amps, low power)
   Procedural: Written procedures and training to ensure proper valve alignment prior to transfer

Level

Composition

Equipment Failure
11. Transfer hose leak / rupture
   Potential consequence: Potential loss of containment
   Active: Excess flow valve (upstream of hose); automatic shutoff at both ends of loading hose / piping; low pressure interlock on supply / filling line
   Procedural: Written procedures and training to ensure inspection and / or hose replacement at proper intervals; preloading pressure test / leak check procedures; written procedures and training to ensure proper visual inspection of hoses prior to use

12. Transfer hose / piping failure due to vessel movement
   Potential consequence: Potential loss of containment
   Active: Excess flow valve (upstream of hose); automatic shutoff at both ends of loading hose / piping; container movement interlocks
   Procedural: Written procedures and training for controlling truck, railcar, or vessel positioning, movement, securing, etc.

Pressure

13. Design pressure of transfer pump exceeds drum design pressure
   Potential consequence: Potential to overpressure drum, potential loss of containment
   Inherently safer / passive: Design pressure of transfer pump does not exceed design pressure of drums or bulk containers
   Active: Relief valve set below drum design pressure
   Procedural: Written procedures and training to ensure vent is open or vapor control system is operating

14. Vent bung cap not removed prior to filling
   Potential consequence: Potential to overpressure drum, potential loss of containment
   Inherently safer / passive: Drum placed in curbed area or above sump with slotted cover
   Procedural: Written procedures and training to ensure vent bung cap is removed prior to filling

Containment

16. Drum not sealed properly
   Potential consequence: Potential loss of containment
   Inherently safer / passive: Drum placed in curbed area or above sump with slotted cover
   Procedural: Written procedures and training to ensure drum is sealed properly

Flow

Composition

20. Accumulation of explosive / reactive contaminants
   Potential consequence: Explosion, corrosion, or runaway reaction resulting in loss of containment, fire, etc.
   Inherently safer / passive: Filling, emptying, and venting design considerations to prevent accumulation of undesirable contaminants (e.g., inert padding vs. compressor gas padding, etc.); upstream design considerations to eliminate / reduce trace contaminants, absorption or entrainment of contaminants, etc.
   Active: Padding system design (oil-less, dry, inert, etc.); padding system air intakes located away from potential contaminant releases
   Procedural: Written procedures and training for controlling transfer methods (such as inert padding vs. compressor gas padding); written procedures and training for measuring undesired contaminants in raw materials, final products, and storage vessels
of containers, and loss of liner integrity. Some of the hazards present in the drumming
stage have the potential for overpressurization leading to release of chemicals and
operator exposure, underpressurization of drums, or uncontrolled reactions occurring
after drumming, leading to potential fires or explosions. Special consideration needs to
be given to drummed materials that are shock / heat sensitive as well as drummed
materials that degrade over time.
Both manual handling and piping system transfers are used for moving hazardous
materials onsite. The kind of material handling system used for hazardous materials is
dictated by the process and inventory requirements, the type of container in which the
hazardous material is received or shipped, and safety considerations.
misdirecting of materials. Dedicated and unique connections and hoses are being used
for loading and unloading in some installations where contamination or incompatibility
is of concern; for example, the decomposition of some organic peroxides can be initiated
by acids, unsaturated organics, and other chemicals. Clear and distinct labeling of lines
and connections is also very important where multiple unloading connections exist.
Hose assemblies are generally the weakest link in a piping system because they are
usually made from materials that promote flexibility. It stands to reason that rigid
systems are more durable than flexible lines. However, hose assemblies must be flexible
to accommodate piping misalignments, increase efficiency in processes having many
connected parts, and act as vibration isolators and dampeners.
Hose specifications need to be based upon a number of requirements. Some hose
criteria include size, delivery temperature, maximum pressure, chemical properties of the
fluid, hose material, and end fittings. The major components of a chemical hose are the
end fittings, an inner core, pressure / vacuum reinforcement, and the protective outer
cover. The exact selection of hoses is beyond the scope of this text.
Hoses should be carefully inspected before each use. Obvious signs of damage such
as bulging, kinked, or broken covering must be addressed immediately. Naturally, the
end fittings should be observed for leak-free tightness. If the material being delivered is
extremely flammable or highly toxic, the hose should be tested before each use. Hoses
should be properly secured to prevent whipping. If possible, consider using piping
instead of hoses.
regular basis. The storage of compressed gases and flammable and combustible liquids
should meet the local building code requirements.
Incompatible materials should be kept separated so that any spills cannot mix. The
storage of containers in rack areas may require specialized fire control systems such as
individual sprinkler lines to deliver water or foam directly to each rack level. The
placement of drums in the processing area for dispensing of the contents may not
need to meet the same stringent storage specifications, but it will still be necessary to
meet all pertinent safety requirements. The process drums area may include safety
barriers to prevent traffic from hitting the drums, portable drum sumps to contain any
spills, a ventilation system to control fumes, and double valving or a valve and plug to
minimize drum leakage.
During operations, most materials require one or several steps of warehousing or
other storage outside of tanks or vessels. This type of goods storage can occur in
warehouses or buildings (roof and walls), open air, under a roof (no walls), in a tent or
inflatable enclosure, or simply in the staging area. Large warehouse storage of
hazardous materials in particular may present a danger to people, the environment or
plant operations. Warehouse fires have resulted in strict requirements in most European
jurisdictions and a reappraisal of North American requirements. Fire and firefighting
consequences that relate to the storage of large amounts of hazardous materials as in
certain warehouses need to be evaluated to determine if firefighting is appropriate.
Storage and receiving are activities that can greatly contribute to a safe and
economic operation. It is here that quality control can be achieved at minimal cost.
Label verification and other quality assurance measures can increase the confidence level
that the correct chemicals have arrived, thereby potentially circumventing the use of
wrong chemicals. Wrongly shipped chemicals can be returned to the manufacturer with
minimal or no cost to the batch operation owner. As with all processes and activities it is
of great importance to apply the principles of inherent safety, in particular the
minimization and attenuation principles.
Materials that can react with each other should be stored in segregated areas. Special
attention is needed for corrosive materials which upon leakage from their primary
containment (e.g., a plastic bag) can corrode their main container as well as other
containers holding different chemicals in adjacent areas. Proper material handling
procedures need to be developed and followed and correct tools should be used. For
example, the use of forklift trucks with rounded forks to avoid puncturing drums / bags
could be considered. Hazards associated with stacked pallets loaded with shrink-
wrapped bags of free flowing materials that can topple over when bags have been
punctured should be recognized. Storage areas should be inspected on a regular basis
and damaged bags, drums, and other type of containers should be isolated and properly
discarded by staff using appropriate Personal Protective Equipment (PPE).
Hazardous chemicals are often stored under an inert material or atmosphere, stored
in a diluted form, or stabilized by a chemical additive. These situations require special
care; for example:
• Vaporization of solvents covering alkali metals during storage can expose the
metals to moisture.
• Vaporization of diluting solvents may increase the concentration of hazardous
chemicals to unsafe levels.
• Electricity
• Emergency power supply
• Steam / condensate
• Cooling water
• Inert gas
• Instrument air
• Fuel
• Heat transfer fluids
• Process vents and drains
6.12.2.1 Electricity
Electricity is supplied for various purposes: to drive equipment and machinery, to
operate instrumentation and control systems, to provide process heating and heat
tracing of piping runs, etc.
Loss of motive power on process equipment may be quite hazardous. Other serious
hazards would result from failure of cooling fans or heating loops required to control
temperature and pressure or loss of ventilation to prevent buildup of flammable gases.
Provision of backup electrical power is routinely addressed in plant design. Electrical
system hazards derive from their potential to serve as ignition sources. Electrical area
classification is a way to separate flammable materials from ignition sources. Electrical
area classification is discussed in Chapter 7.
The biggest hazards include:
• A common cause failure, e.g., loss of electrical power, loss of cooling water
pumps, loss of the plant utilities, etc.
• Loss of pumps and compressors.
• Loss of key instruments, emergency lighting, computer controls, and lube oil
pumps can be catastrophic and should be addressed through use of
uninterruptible power supplies and emergency generators.
It is sometimes necessary to have an emergency or standby power system to protect
personnel and plant integrity. Such systems need to be designed such that they can be
tested for reliability and readiness.
shutdown can occur upon power loss. Consideration for operating steam systems during
power outages is a common design philosophy.
Design considerations for steam systems include:
• Thermal expansion loops.
• The potential for vacuum when steam condenses (roughly a 1600 to 1 reduction in volume at atmospheric pressure).
• The power (and potential forces) of hydraulic water hammer when starting up and shutting down steam systems.
• The need to remove and return condensate from steam heaters.
• The value of isolation block valves on steam and condensate headers at battery limits or other strategic locations.
• Thermally insulating steam lines for personnel protection.
• Steam piping and tracing design should address adequate flexibility and avoid condensate pockets.
• Sparing in case of loss of one boiler.
The problems that should be addressed due to steam loss in the plant will include:
• Loss of heat in endothermic reactors.
• Loss of heat in tanks where steam coils are used to keep material liquid.
• Loss of process motive power because of steam-driven pumps and eductors.
• Freezing of steam traced piping and vents.
• Loss of steam for purging.
• Loss of mixing steam to the flare units.
inerting a tank does not prevent the release of material vapors into the tank's vapor space.
Material vapors will diffuse into the inerting gas until equilibrium is reached, just as it
would with air. This is important to remember when designing tank purging systems and
when estimating the toxic and volatile organic compounds (VOCs) material releases for
the plant.
Another purpose of inerting is to control oxygen concentrations where process
materials are subject to peroxide formation or oxidation to form unstable compounds
(acetylides, etc.) or where materials in the process are degraded by atmospheric oxygen.
An inert gas supply of sufficient capacity must be ensured. The supply pressure must be
monitored continuously.
The designer should consider the need for additional measures to supply inert gas.
Particular attention must be given to the following situation: in the case of locally high
nitrogen consumption (e.g., when a large kettle is inerted), the pressure in the main line
may drop below the pressure of other apparatus connected at the same time, so that gases
or vapors from that apparatus flow back into and contaminate the mains. Depending upon the application, the quality of
inert gas (e.g., water content, contaminants) can be important to process safety. The
required level of inerting must be ensured by technical and administrative measures, for
example:
• Control and monitoring of inert gas flow and inert gas pressure
• Continuous or intermittent measurement of oxygen concentration
• Explicit information in the standard operating procedures or in the process
computer program for the correct procedure to achieve a sufficient level of
inerting
• Control of the health hazards of nitrogen asphyxiation to operators entering
tanks and reactors being inerted
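As an added worked example (mine, not from the CCPS text), the quantitative side of the "correct procedure to achieve a sufficient level of inerting" called for in the list above: the two standard purge modes, pressure-cycle purging and sweep-through purging, under the assumptions (also mine) of a well-mixed vapor space and ideal-gas behavior. The function names, the 5 vol% oxygen target, the 0.5 vol% oxygen content assumed for the nitrogen supply and the kettle size are illustrative values, not figures from the book. The supply's own oxygen content matters: it is a floor that no number of cycles can get below, which is one concrete reason the quality of the inert gas is a process safety parameter.

```python
"""
Purge calculations for inerting a vessel (added example; assumptions:
well-mixed vapor space, ideal gas, inert gas of constant oxygen content).

Symbols (all oxygen values are volume fractions, pressures are absolute):
  y0      oxygen fraction before purging (air: 0.209)
  y_lim   oxygen fraction to reach (a limiting oxygen concentration with a
          safety margin applied)
  y_n2    oxygen fraction carried in by the inert gas itself
  p_low, p_high   vent and fill pressures for pressure-cycle purging

Pressure-cycle purging: after each fill-to-p_high / vent-to-p_low cycle
    y_{k+1} = y_n2 + (y_k - y_n2) * (p_low / p_high)
Sweep-through purging: after V vessel volumes of inert gas have passed through
    y(V) = y_n2 + (y0 - y_n2) * exp(-V)
"""
import math


def _check_reachable(y_lim, y_n2):
    # The vessel can never get below the oxygen content of the gas used to
    # purge it; a target at or below that level is unreachable.
    if y_n2 >= y_lim:
        raise ValueError(
            f"inert gas carries {y_n2:.4f} O2, so a target of {y_lim:.4f} is unreachable")


def pressure_cycles_needed(y0, y_lim, p_low, p_high, y_n2=0.0):
    """Whole pressurize/vent cycles needed to bring the vessel to y_lim or below."""
    if not 0.0 < p_low < p_high:
        raise ValueError("need 0 < p_low < p_high (absolute pressures)")
    _check_reachable(y_lim, y_n2)
    if y0 <= y_lim:
        return 0
    ratio = p_low / p_high
    # Solve y_n2 + (y0 - y_n2) * ratio**n <= y_lim for n, then round up.
    n = math.log((y_lim - y_n2) / (y0 - y_n2)) / math.log(ratio)
    return math.ceil(n - 1e-9)  # tolerate float noise when n is a whole number


def oxygen_after_pressure_cycles(y0, cycles, p_low, p_high, y_n2=0.0):
    """Oxygen fraction left after a given number of cycles."""
    ratio = p_low / p_high
    return y_n2 + (y0 - y_n2) * ratio ** cycles


def sweep_volumes_needed(y0, y_lim, y_n2=0.0):
    """Vessel volumes of inert gas to pass through the vessel (perfect mixing)."""
    _check_reachable(y_lim, y_n2)
    if y0 <= y_lim:
        return 0.0
    return math.log((y0 - y_n2) / (y_lim - y_n2))


def oxygen_after_sweep(y0, volumes, y_n2=0.0):
    """Oxygen fraction left after `volumes` vessel volumes have been swept through."""
    return y_n2 + (y0 - y_n2) * math.exp(-volumes)


def purge_plan(volume_m3, y0, y_lim, p_low_kpa, p_high_kpa, y_n2, sweep_rate_m3_per_h):
    """Summarize both purge routes for one vessel so the SOP can state the
    number of cycles or the purge time explicitly (hypothetical helper)."""
    cycles = pressure_cycles_needed(y0, y_lim, p_low_kpa, p_high_kpa, y_n2)
    volumes = sweep_volumes_needed(y0, y_lim, y_n2)
    return {
        "pressure_cycles": cycles,
        "o2_after_cycles": oxygen_after_pressure_cycles(y0, cycles, p_low_kpa, p_high_kpa, y_n2),
        # gas used by cycling: each cycle adds (p_high - p_low)/p_low vessel
        # volumes of gas, measured at p_low (isothermal ideal gas)
        "cycle_gas_m3": cycles * volume_m3 * (p_high_kpa - p_low_kpa) / p_low_kpa,
        "sweep_volumes": volumes,
        "sweep_gas_m3": volumes * volume_m3,
        "sweep_hours": volumes * volume_m3 / sweep_rate_m3_per_h,
    }


if __name__ == "__main__":
    # Constructed case: 10 m3 kettle full of air, 5 vol% O2 target, nitrogen
    # at 0.5 vol% O2, cycling between 101.3 kPa and 300 kPa absolute, 60 m3/h sweep.
    plan = purge_plan(10.0, 0.209, 0.05, 101.3, 300.0, 0.005, 60.0)
    for key, value in plan.items():
        print(f"{key:>16}: {value:.3f}" if isinstance(value, float) else f"{key:>16}: {value}")
```

The plan makes the trade-off visible: pressure cycling uses less gas for a small vessel that can take pressure, while sweep-through suits atmospheric tanks; either way the procedure should end with a measured oxygen concentration, since the perfect-mixing assumption is the optimistic case.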
6.12.2.7 Fuel
Failure of fuel systems (process gas, natural gas, waste streams, etc.) can affect many
processes requiring temperature and pressure control. Affected systems may include:
• Boilers
• Furnaces
• Engine drivers
• Compressors
• Gas turbines
• Fired reboilers
The flammability hazards of these fuels are usually addressed in routine design, but
often ignored in temporary or emergency operations. For that reason, multiple
interlocks, precise air-freeing operations, and other controls are used to make operating
fuel systems as fail-safe as possible. Also, combustible gas or oxygen analyzers are
commonly used to provide necessary information to plant operators.
ranges, peak temperature, and peak loads are factors influencing choice of heat transfer
fluid. Available steam or other utility temperature should be considered. Prevention of
leaks and temperature regulation are critical design criteria. Manufacturer's literature
should be consulted for final application of heat transfer fluids.
Instrumentation and controls applicable to heat transfer fluid systems are
comparable to conventional process control systems. Most instrument systems are
intended to control the heating or cooling mechanism at both the heater or vaporizer and
the energy using units. The heater controls are required to regulate the firing in
proportion to either the fluid flow or the outlet temperature. In certain situations the
controls are simplified to an on / off or high / low mechanism depending upon the degree
of accuracy required by the process. However, since the most critical variable in the
operation of the heat transfer fluid is temperature, it is generally recommended that units
be equipped with modulating temperature controllers. Proper energy delivery is further
achieved by installing individual temperature controls at each user. Manufacturer's
literature should also be consulted.
As the fluid degrades, generally flash point, fire point, and autoignition temperature
of the fluid decrease; this increases the hazard. As discussed by Ballard and Manning
(Ref. 6-64) regular analysis of the fluid is important. For other heat transfer fluids,
consult the manufacturer for specific analysis. Automatic sampling devices should be
considered. To establish a degradation curve for each specific system, testing is
conducted more frequently at first. Essentially, fluid change-out must be determined on
a case-by-case basis. Continued operation with degraded fluid can be disastrous, for
example, irreparable fouling of the heat transfer surfaces. On the other hand, discarding
usable fluid is wasteful. Knowing how fast the heater performance is deteriorating and
the extent of the fluid degradation is a key factor in deciding when to change the fluid.
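As an added worked example (mine, not the book's or Ballard and Manning's), one way to put the degradation-curve idea above into practice: fit the sampled property against operating hours, project when it will reach the action limit, and let the projected margin set the next sampling date, with short intervals while the curve is still being established. The sample history, the 150°C action limit and the interval bounds are constructed for illustration, not data from the text, and the linear trend is an assumption that should be rechecked as samples accumulate.

```python
"""
Trend analysis of heat transfer fluid sample results (added example).

Assumptions (mine, not the book's): the tracked property declines roughly
linearly with operating hours over the sampling window, samples are taken at
known operating-hour readings, and the operating company has set an action
limit for the property (here a closed-cup flash point).
"""

# Constructed sample history: (operating hours, flash point in degrees C)
SAMPLES = [(0, 182.0), (720, 180.5), (1440, 178.7), (2160, 177.4), (2880, 175.2)]


def fit_line(points):
    """Ordinary least-squares fit y = slope * x + intercept."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("all samples taken at the same operating hours")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def hours_to_limit(points, limit):
    """Operating hours from the last sample until the fitted trend reaches
    `limit`. Returns None when the trend is flat or improving and 0.0 when
    the latest sample is already at or past the limit."""
    last_hours, last_value = points[-1]
    if last_value <= limit:
        return 0.0
    slope, intercept = fit_line(points)
    if slope >= 0:
        return None
    crossing = (limit - intercept) / slope
    return max(0.0, crossing - last_hours)


def next_sample_interval(points, limit, establish_samples=4, establish_interval=720.0,
                         fraction=0.25, min_interval=168.0, max_interval=2160.0):
    """Hours until the next sample. While the degradation curve is still being
    established, sample at the short initial interval; afterwards take a
    fraction of the projected time to the limit, bounded on both sides."""
    if len(points) < establish_samples:
        return establish_interval
    remaining = hours_to_limit(points, limit)
    if remaining is None:
        return max_interval
    if remaining == 0.0:
        return 0.0  # act now (change-out or investigation), not another sample
    return min(max_interval, max(min_interval, fraction * remaining))


if __name__ == "__main__":
    slope, intercept = fit_line(SAMPLES)
    print(f"trend: {slope * 1000:.2f} degC per 1000 h, intercept {intercept:.1f} degC")
    print(f"hours to 150 degC limit: {hours_to_limit(SAMPLES, 150.0):.0f}")
    print(f"next sample in {next_sample_interval(SAMPLES, 150.0):.0f} h")
```

A declining flash point is only one indicator; the same trend logic applies to viscosity, carbon residue or any other property the fluid supplier recommends tracking, and a sudden step change between samples is a reason to investigate rather than to extrapolate.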
No matter how long the system is designed to operate, it will have to be
deinventoried (emptied) and hydrocarbon freed (cleaned) occasionally for normal
maintenance and inspection. The system should be designed so that the "normal"
equipment, especially circulating pumps, can also be used for deinventorying. However,
some components of the system, notably filters and the circulating pumps, will have to
be deinventoried more frequently, while the balance of the system continues to operate.
These pieces of equipment may require special considerations for emptying and
cleaning, in addition to those which apply to the entire system.
Non-absorbent insulation should be selected and applied after leakage and pressure
tests have been completed. Where leaks are likely to occur, either use no insulation,
non-absorbing insulation, a spray shield, or insulation treated to prevent penetration by
heat transfer fluids.
• Heat transfer fluid circuits may fall under ASME Section 1, "Boiler Code,"
requiring additional pressure relief considerations.
• Ethylene (or propylene) glycol / water systems may have further design criteria
because of the potential for corrosion of bundles to result in cross-
contamination. Freeze protection may be required.
• Decomposition products may form deposits on metal heat transfer surfaces,
causing localized overheating and failure of the metal.
• Consideration should be given to conducting special leakage testing in addition
to a hydrostatic test (Ref. 6-65). Consult the manufacturer for detailed testing
procedures.
6.12.3 References
6-60. IEEE 446. Recommended Practice for Emergency and Standby Power Systems for Industrial and Commercial Applications. The Institute of Electrical and Electronics Engineers, Inc. New York, New York. 1995.
6-61. Halpern, G.S., Nyce, D., and Wrenn, C. Inerting for Safety. 20th Annual Loss Prevention Symposium, Paper No. 82C, New Orleans. American Institute of Chemical Engineers. New York, New York. 1986.
6-62. CCPS. Guidelines for Technical Management of Chemical Process Safety. Center for Chemical Process Safety of the American Institute of Chemical Engineers. New York, New York. 1992.
6-63. ACGIH. Industrial Ventilation: A Manual of Recommended Practice for Design, 27th Edition. American Conference of Governmental Industrial Hygienists. 2010.
6-64. Ballard, D., and Manning, W.P. Boost Heat Transfer Systems Performance. Chemical Engineering Progress, Vol. 86, No. 11, pp. 51-59. 1990.
6-65. FM Global. Heat Transfer by Organic and Synthetic Fluids. Property Loss Prevention Data Sheet 7-99. FM Global. Norwood, Massachusetts. 2009.
7
PROTECTION LAYERS
With all process designs, there is the potential for failures to occur. Process safety
incidents of greatest concern typically involve the loss of containment, where the release
of a hazardous material could lead to fire, explosion, or toxic release with the potential to
harm employees, the public, or the environment.
This chapter describes engineering design protection layers. It is important to
remember that human interaction can also provide a layer of protection, which requires
procedures and training in order to be effective. However, in many circumstances
automated response is necessary due to the quick response time required; in other words
operator response cannot occur fast enough.
A preventive safeguard stops the occurrence of a particular loss event after an
initiating cause has occurred, i.e., a safeguard that intervenes between an initiating cause
and a loss event in an incident sequence. A mitigative system is designed to reduce the
consequences of an incident in an effort to maintain a safe and operable plant.
Mitigative systems provide a layer of protection after there has been loss of containment
or the incident has progressed to a point that the preventive safeguards will not be of
value. The layer of protection concept is shown in Figure 7.1.
This chapter deals with protective layers whether preventive or mitigative, such as:
• Safety Instrumented Systems (SISs) to shut down a process based on preset process conditions, e.g., high temperature in a reactor will shut down heating and activate cooling.
• Pressure relief systems to prevent overpressure or vacuum in equipment, e.g., a pressure relief valve will open to a safe location (such as a flare) in the event a control valve fails closed in the overhead system of a pressure vessel.
• Equipment isolation and blowdown to limit the amount of material that can be released in the event of a leak, e.g., a remotely operated valve on the inlet of a pump can be closed in the event of a seal leak.
• Detection and alarm systems to detect a release of flammable or toxic material and provide an alarm so that action can be taken by operations or emergency response personnel.
• Fireproofing to protect structural components so that in the event of a fire structural supports will not fail.
• Explosion suppression and isolation systems to detect an internal fire or explosion and provide quenching or isolation.
• Fire protection to control and extinguish fires.
• Effluent control to manage and control runoff or vapors and ensure that
hazardous wastes can be managed.
equipment, minimizing the potential for sparking, and controlling vapor travel into or out
of an electrical enclosure, which include upset and cleanout / turnaround conditions.
When selecting heat-generating, electrical equipment for a hazardous (classified)
location, its hottest external-surface operating temperature should be compared to the
ignition temperature of the surrounding gas, vapor, or dust. Lowering of the ignition
temperature for organic dusts that dehydrate or carbonize should be considered. Care
should be taken to ensure that these special features of the equipment match the
flammability and ignition characteristics of the materials to which it is likely to be
exposed.
Appropriate precautions should be taken to maintain hazardous (classified) location
equipment in a manner that does not jeopardize the integrity of protection. Guidance
offered by the manufacturer, listing agency, or NFPA 70B (Ref. 7-1) should be followed.
Where practical, the possibility of electrical equipment igniting a combustible gas,
vapor, or dust should be reduced by:
• Eliminating the use of hazardous materials. Alternate processes or material
substitutions may accomplish this.
• Maintaining the mechanical integrity of process equipment so as not to allow
material to be released into the workplace.
• Limiting hazardous (classified) areas by using pressurization, ventilation,
barriers, enclosures, or other suitable means.
• Locating electrical equipment outside of hazardous (classified) locations or
replacing electrical operators with manual or pneumatic operators.
Locations are classified according to the properties of the material being used and its
surrounding atmosphere. Elements that affect area classifications may include
availability of flammable or explosive material, operating temperature and pressure,
flash points, autoignition temperature, vapor density of the material, resistivity of dust or
fibers, explosive pressures, dust layer ignition temperature, open or sealed conduit, and
ventilation. Definitions for flammable and combustible liquids are given in NFPA 30
(Ref. 7-2).
Each room, section, or area must be considered individually in determining its
classification. Normal activities such as draining liquids, disconnecting hose, drumming,
and sampling can affect the electrical classification. The overall classification of the area
should also be considered. For example, consider the control building within a
processing unit. Although the process unit may be electrically classified, the control
building could be pressurized, making it non-classified.
7.1.1.2 Equipment
Once a hazardous location has been classified, appropriate electrical equipment should
be chosen for that area. In general, equipment must be approved for use in that
hazardous (classified) area. Testing laboratories, such as Underwriters Laboratories (UL),
test, label, list, or approve equipment as suitable for installation in accordance with the
applicable code.
Listed equipment for hazardous (classified) areas is marked to show the code-
specified environments where it can be safely used. These markings often include the
maximum surface temperature of the equipment under normal operating conditions.
The best-known type of hazardous location of electrical equipment is explosion-
proof equipment. This equipment is suitable for use in certain Class I, Division 1
locations and in Class I, Zone 1 locations when listed for use in those atmospheres.
Explosion-proof equipment is not suitable for use in Class I, Division 1 locations where
ignitable concentrations of gases or vapors can exist for long periods of time, or in Class
I, Zone 0 locations. Explosion-proof equipment is designed to contain explosions
without allowing the escape of enough energy to ignite the hazardous atmosphere in the
area.
In recent years, electrical area classification has become more focused on risk of
release and distance away from the release point than the risk of flammable vapor / air
mixture. Therefore, equipment types are often mixed inside buildings or units, instead of
all being explosion proof.
Comparable equipment suitable for use in Class II, Division 1 locations is called
dust ignition proof. Dust-tight equipment is designed for use in Class II, Division 2
locations. These terms should not be confused with equipment designated "dustproof."
7. PROTECTION LAYERS 319
Dustproof equipment is constructed or protected so that dust will not interfere with its
successful operation. This term does not imply the equipment is suitable for use in a
hazardous (classified) area.
While explosion-proof and dust-ignition-proof enclosures are most frequently used
in hazardous areas, there are other National Electrical Manufacturer's Association
(NEMA) type enclosures for electrical equipment located in non-hazardous areas.
Pressurization is mostly used in areas with large volumes such as a control room or a
switchgear building. In this case, the fresh air intake is positioned to ensure clean air. A
draft fan maintains internal positive pressure.
Type: Intrinsically safe
Will not ignite the most ignitable concentration of the hazardous material at 1.5
times the highest energy possible under normal conditions, under 1.5 times the
energy of the worst single fault, and under the energy of the worst combination of
two faults.
Suitable locations: Class I, Division 1; Class I, Zone 0; Class II, Division 1;
Class III locations.
Type: Non-incendive
Will not ignite the most ignitable concentration of the hazardous material under
normal conditions.
Suitable locations: Class I, Division 2; Class II, Division 2; Class III locations.
Note that intrinsically safe equipment approved for use in the European community
might not pass UL 913 tests for intrinsically safe designation in the U.S. These
standards are similar, but not identical. Integrating components intended for different
codes or systems should be avoided unless approved by an appropriately qualified
electrical engineer.
Electrical equipment suitable for classified locations can be expensive and hard to
maintain. Alternatives to using this equipment are sometimes available. These options
include eliminating hazardous materials, separating the hazardous location from
electrical equipment, or moving electrical equipment outside the hazardous location. It
is frequently possible to locate much of the equipment in less hazardous or in non-
hazardous locations and, thus, to reduce the amount of special equipment required.
Special precautions are required to maintain equipment used in hazardous
(classified) locations. Examples are identified in NFPA 70B (Ref. 7-1). If maintenance
work voids the listing applicable to a device, the device should not be reenergized in a
hazardous (classified) area. A replacement device should be obtained. Special attention
should be given to replacement and proper tightening of enclosure bolts, covers, and
other fastening devices following maintenance.
Free fall of liquids into vessels or containers during transfer can create static
electricity. Two primary methods of minimizing static are to:
• Provide a dip tube that extends into the liquid (generally within 6 inches of the
bottom)
• Consider bottom filling the vessel or container
The minimum ignition energy depends on the composition of the mixture and can be
as low as 0.2 mJ for many common hydrocarbon fuels and even lower for reactive
hydrocarbons like acetylene. This low energy threshold means even a small electrical
spark or static discharge can ignite a hydrocarbon vapor cloud.
Loading and unloading operations of ships, barges, tank cars, and tank trucks or, in
the case of solid material, hopper cars or trucks are susceptible to static electricity
generation. Filling operations should use down-comers or run down the side of the
container to avoid splashing that causes static. Transferring from drums to small
containers and some processing operations in open-topped vessels can also be at risk.
For more information, refer to API Recommended Practice 2003, Protection against
Ignitions Arising Out of Static, Lightning and Stray Currents (Ref. 7-8), and Avoiding
Static Ignition Hazards in Chemical Operations (Ref. 7-9).
container walls and the top surface adjacent to the air space, if any, will receive the
charge. It is this latter charge, often called the surface charge, which is of most concern.
If the potential difference between any part of the liquid surface and the metal tank shell
should become high enough to cause ionization of the air, electrical breakdown may
occur and a spark may jump to the shell. This spark across the liquid surface is in an
area where flammable vapor-air mixtures are normally present. Bonding or grounding of
the tank or container cannot remove this internal surface charge (Ref. 7-7).
7.1.6 Lightning
Lightning strikes have resulted in fires in processing facilities. They can also be the
cause of electrical and computer control system malfunctions and result in process
upsets.
Open structural steel process structures normally do not require specific lightning
protection since the columns, beams, joists, and stringers are all metal, electrically
continuous down through the structure, and bonded to the building or structure's
grounding system as required. Buildings of masonry construction or steel frame
buildings with non-metal side wall cladding or non-metal roof or top decks usually
require lightning protection.
Building structures that are non-conductive can be equipped with air terminal
("lightning rod") conductors and ground terminal systems to safely direct lightning
strikes to ground. Buildings in the design stage should utilize conductive building
supports or rebar in concrete walls and floors to provide conductive paths. The
conductive path to ground for lightning charges should have less than 1 ohm resistance.
NFPA 780 (Ref. 7-10) provides additional guidance on lightning protection.
Tanks, vessels, and equipment handling flammable or Class II combustible liquids
and constructed of 3/16-inch (4.8-mm) or thicker metal that may be exposed to direct
lightning strikes are not normally required to have lightning protection. This presumes
that the tank bottom is grounded and the ground conductors are periodically inspected,
tested, and replaced if deteriorated. Even so, the highly charged condition of the tank
wall can result in an arc if the pathway to ground is interrupted at any point. The
resulting arc, if in a flammable vapor space, can readily cause an ignition. For example,
vapor leaking from poorly maintained seals on floating roof tanks has been ignited by
lightning. Sheet steel less than 3/16-inch (4.8-mm) in thickness might be punctured by
a severe lightning strike (Ref. 7-10). Lightning protection is not required on process
structures since they are already grounded.
ANSI / ISA 84.00.01 / IEC 61511 establish a numerical benchmark for the SIS
performance known as the Safety Integrity Level (SIL) and provide requirements on how
to design and manage the SIS to achieve the target SIL. Achieving the SIL requires
rigorous analysis, design, operation, maintenance, testing, and management.
[Figure: SIS safety life cycle, Steps 1 through 10, including Develop Safety
Requirements Specification; Design and Develop Safety Instrumented System (SIS);
Safety Functions Assigned to Non-SIS Layers; Manage Functional Safety; Manage
Change; Decommission]
ISA TR84.00.03, Mechanical Integrity of Safety Instrumented Systems (SIS) (Ref. 7-18),
provides guidance on developing and executing a mechanical integrity program for SIS.
[Figure: hazard identification flow (Identify Hazardous Events; Identify Safeguards
(or IPLs); Make Recommendations to Reduce Risk; Next Event) and SIS architecture
(BPCS, SIS and Engineering Interfaces; SIS Input Devices; SIS Logic Solver; SIS
Output Devices)]
equipment being protected are proper. The relief device design should be consistent with
the system's temperature and pressure.
Scenario / Description
Scenario: External fire
The main result of fire exposure is heat input, causing thermal expansion or
vaporization or thermally induced decomposition, resulting in pressure rise. An
additional result of fire exposure is overheating a vessel wall to high temperature
in the vapor space where the wall is not cooled by liquid.
Scenario: Blocked outlet
Operation or maintenance errors (especially after a plant turnaround) can block
the outlet of a liquid or vapor stream from a process equipment item, resulting in
an overpressure condition.
Scenario: Operational failure
Manual valves which are normally closed to separate process equipment and / or
streams can be inadvertently opened, causing the release of a high pressure
stream or resulting in vacuum conditions.
Control valves downstream of high pressure vessels containing liquid could fail
open, resulting in excessive flow of liquid generating a high vapor flow to the
downstream vessel.
A control valve, even with the proper fail-safe design, could be switched from
automatic to manual and then overlooked while excessive pressure builds up in
the downstream equipment.
Scenario: Equipment failure (hardware failure such as tube rupture or control
system failure)
Heat exchangers and other vessels should be protected with a relieving device of
sufficient capacity to avoid overpressure in case of internal failure.
There are two failures that commonly occur in air coolers: fan failure or louver
failure.
Failure of a control valve in the wide open position can cause a high pressure fluid
to enter a lower pressure system.
Scenario: Process upset, such as runaway reactions or excessive exothermic
reactions
Runaway temperature and pressure in reactor vessels can occur as a result of
several factors. Some of these are loss of cooling, feed or quench failure,
excessive feed rates or temperatures, runaway polymerization, contaminants,
catalyst problems, or instrument and control failures (e.g., agitation failure).
Design pressure of equipment located downstream of a centrifugal pump is
normally set at pump cutoff head combined with maximum suction pressure.
However, if the downstream equipment has a low design pressure, or if the pump
is a positive displacement type, a relief valve may be set at the design pressure of
the equipment and sized to relieve pump capacity.
334 GUIDELINES FOR ENGINEERING DESIGN FOR PROCESS SAFETY
Scenario: Process upset, such as runaway reactions or excessive exothermic
reactions (continued)
Design pressures for interstage receivers and recycle gas circuits and their
associated relieving requirements depend upon the type of compressor used, the
compressor performance curves, anti-surge controls, settling-out pressure
considerations, and number of stages used.
The design pressure of the firebox of a forced-draft furnace should be set to
withstand the overpressure generated by the fans with the stack dampers fully
closed.
Scenario: Utility failure
One of the most commonly encountered causes of overpressurization is cooling
water failure. Different scenarios should be considered for this event depending
on whether the cooling water failure affects a single equipment item (or process
unit) or is plant-wide.
Power failure will shut down all motor driven rotating equipment such as pumps,
compressors, air coolers, and reactor agitators. As with cooling water failure,
power failure can have a cascading negative effect on other equipment and
systems in the plant. Different scenarios should be considered for this
contingency depending upon whether the power interruption is local (to a single
equipment item), to a unit substation, or plant-wide.
The consequences of instrument air failure should be evaluated in conjunction
with the failure mode of the control valve actuator. It should not be assumed that
the correct air failure response will occur on these control valves (fail open,
closed, or in position).
The loss of reflux or recirculation on fractionation towers is typically caused by
power failure to the pumps, by a pump trip, or when a control valve fails closed.
The relieving rates should be analyzed based upon heat balances around the
fractionator to account for the loss of this heat sink.
A failure in the inert gas system can lead to overpressure of equipment and
should be considered in the relief calculations.
Scenario: Thermal expansion
Equipment or pipelines which are full of liquid under no-flow conditions are subject
to hydraulic expansion due to an increase in temperature and, therefore, require
overpressure protection. Sources of heat that cause this thermal expansion are
solar radiation, heat tracing, heating coils, and heat transfer from the atmosphere or
other equipment.
Scenario: Vacuum
Ejectors, where steam is used as a motive force, may create a vacuum condition,
primarily during maintenance.
Scenario: Storage tanks that operate at or near atmospheric pressure
NFPA 30 (Ref. 7-2) and API Standard 2000 (Ref. 7-23) provide guidance for
design of this type of overpressure protection. In particular, NFPA 30 focuses on
flammability issues, while API Standard 2000 focuses on both pressure and
vacuum vent requirements. A common tank failure scenario is insufficient vent
capacity (either pressure or vacuum) to allow for all operating cases, plus rapid
climatic changes. Adherence to API Standard 2000 is recommended.
The following sections provide brief descriptions of pressure relieving devices and
guidelines for their use based upon their performance and service characteristics.
protect against plugging. Where a rupture disk is installed before a relief device, a
pressure indicator should be installed to alert personnel that the rupture disk has burst.
Rupture disks are available in several types and designs and can be used in pressure
or full vacuum. Choice of types is based on safety and operating considerations and
vendor alternatives should be closely evaluated.
The burst tolerance of rupture disk devices is typically 5% for set pressures over 40
psig, compared with tolerance of ± 3% for pressure relief valves at set pressures over 70
psig; however, disks can be made to closer tolerances for special applications. In
addition, manufacturing tolerances exist which can affect the stamped burst pressure on
the rupture disk. Consideration of the operating temperature of the rupture disks needs
proper specification due to the reduced metal strength at elevated temperatures.
Generally, additional care is required in the selection of graphite and knife blade rupture
disks due to premature failure concerns.
full or partial vacuum, provide a vacuum relief device, or permit ingress of air, nitrogen,
or fuel gas to the vessel to prevent a vacuum from developing. If vacuum relief is from a
header, it should be assured that the header does not contain condensable vapors.
Designing for full vacuum is the inherently safer approach whenever practical. Glinos
and Myers (Ref. 7-26) discuss the sizing of vacuum relief valves for atmospheric
distillation columns.
The outlet line size of a relief valve discharging to atmosphere is generally dictated
by back pressure, velocity limitations and environmental considerations. Sizing of relief
valves discharging into a closed system, for example, a flare, is impacted primarily by
back pressure considerations. Design guidelines for sizing outlet lines should limit the
friction loss to 10% and should consider multiple relief devices operating simultaneously
so that the back pressure can be adequately calculated. Refer to Safe Design and
Operation of Process Vents and Emission Control Systems for additional information
(Ref. 7-30).
Inlet and outlet piping for a rupture disk should be the same size as the disk.
7.3.5.1 Location
Normally, relief valves are installed at the top of vessels. Barring any code requirements,
it is permissible to mount relief valves on the outlet piping from a vessel. In some towers
handling corrosive or dirty fluids, relief valves are best installed below the packing or
trays since there is a potential for column plugging. In other cases, it would be advisable
to install relief valves at a point in the tower which provides the most advantageous
temperature, phase, or density for relief, thereby avoiding possible disposal problems.
The discharge point for relief devices should also be a consideration in designing
relief protection. The nature of the discharge and the point of the discharge may present
significant hazards.
These designs should include consideration of when it is acceptable to relieve to the
atmosphere, when it is necessary to relieve to an effluent disposal system, and when to
relieve inside or outside a building, etc. For example:
• Chlorine vaporizer relief protection discharge into a caustic scrubber
• Distillation system relief protection to a safe location, e.g., flare system for
flammables
• Fluorocarbon refrigerant relief outside enclosed building
• Avoid steam relief valve discharge at head level into walkways or buildings to
avoid possible asphyxiation, etc.
7.3.5.2 Spares
Sparing of relief valves is now an installation approach that allows online maintenance
of the valve by switching. Use of spares should be accompanied by certain restrictions,
including:
Isolation valves may be located near the property line, the edge of a process unit, or
the liquid outlet of a vessel. Valves should be installed on all hazardous materials lines
entering or leaving the facility to ensure the facility can be isolated in the event of a spill
or fire. Similarly, valves should be located at or near the battery limit of each unit or
outside dike walls for the same reasons and for safety and ease of access.
These battery-limit unit isolation valves should be clearly identified and installed in
easily accessible locations that are a safe distance from potential fire sources. Generally,
25 - 50 feet (8 - 15 m) provides an acceptable separation distance. These isolation valves
can also be used for turnaround purposes and should be located at or near ground level.
Where emergency isolation valves are provided on the suction of pumps and
compressors or on vessels with large flammable liquid holdup, the emergency isolation
valve should be provided with remote activation. Generally, 50 feet (15 m) provides an
acceptable separation distance. The location should also consider the ability to reach the
remote activation switch given the radiant heat load. Additionally, fail-safe valves can
be used.
Equipment such as pumps, compressors, tanks, and vessels associated with large
inventories of flammable gas or liquid (>5,000 gallons) should be provided with
equipment emergency isolation valves to stop the flow of material if a leak occurs. For
example, the decision to add emergency isolation valves to the inlet and outlet of a
compressor is dependent on the flammability of the gas, its pressure, and the quantity of
gas in the associated piping and vessels.
Isolation valves can be operated remotely or locally, and automatically or manually
but should be placed such that operators and emergency responders can activate them
safely.
All isolation valves should be clearly and uniquely identified by sign or color or
other means.
7.4.2 Depressurization
When the shell of a vessel is exposed to extreme heat on the outside and the inside is in
contact with vapor, metal temperatures may reach levels where tensile strength will be
reduced such that rupture may occur even though the pressure does not exceed the set
point of the pressure relief valve [for ordinary carbon steel, this temperature is ~900°F
(482°C)]. Depressurization provides fire protection for process units by reducing the
contained pressure at such a rate that:
• There is a significant reduction in the chance of rupture of any steel pressure
vessel exposed to fire.
• The driving force behind pressure jet flames is rapidly decreased.
• The leakage rate of liquid spills decreases, allowing containment of pool fires.
Depressurization may also be used as protection during startup, shutdown, and
short-term upsets by reducing the pressure to prevent a pressure relief valve discharge.
However, vapor depressuring should not be used as a permanent operating control in lieu
of correcting the causes of a process upset. There are several advantages of
depressurization, including the following:
• An auto-refrigeration effect may be produced in a pressure vessel, which
provides cooling of liquid contained in the vessel.
• The need for a liquid blowdown system is eliminated. By retaining liquid in the
vessel as a heat sink, any increase in temperature of the wetted shell is
minimized.
It should be noted that depressurization may not be practical when the vessel design
pressure is less than 100 psig (690 kPa) because valves and piping can become
unreasonably large and costly or when the vapor depressuring load governs the size of
pressure relief and flare headers. Refer to ANSI / API Std 521, Pressure-Relieving and
Depressuring Systems (Ref. 7-22), and Guideline for Protection of Pressurized Systems
Exposed to Fire (Ref. 7-33).
7.4.2.1 Design
Depressurization design considerations include the following:
• Vessels should be depressured to at least 50% of the design pressure within
approximately 15 minutes for vessels exposed to pool fires with wall
thicknesses of 1 inch (2.5 cm) or greater. Jet flame impingement requires more
rapid rates.
• Vessels with thinner walls usually require a greater depressurization rate.
• The depressurization rate percentage is based on the wall thickness, initial metal
temperature, and the rate of heat input from the fire (Ref. 7-22).
• Bare pressure vessels in a process unit protected by vapor depressuring may not
require protection by fixed water spray systems.
Some companies limit the application to facilities operating over 250 psig (1724
kPa), while others depressure all light hydrocarbon processes.
allowed flame from the burner to blow back into the windbox and the combustion air
header. The flame front generated a pressure wave which then blew apart the flame
arrestor, fan, valves, and piping. This incident shows that even well-designed systems
may be overcome. Determination of actual failure mode is complicated by the
safeguards already in place. More importantly, it demonstrates the need to consider the
use of in-line detonation arresters or explosion vents for assurance of passive protection
of vapor lines in flare, incinerator, and blowdown systems.
Selection of the disposal system is determined by characteristics of the effluent such
as physical state (vapor / liquid / solid), pressure and temperature, and boiling point;
quantitative factors such as flow rate, duration of discharge, total quantity of material to
be discharged; hazardous properties (toxicity, flammability, buoyancy); nuisance factors
(noise, odor); as well as the location of the disposal system (in relation to meteorological
conditions, local populations, and local regulations and ordinances). If the effluent is
nontoxic, it can be discharged to the atmosphere; however, many non-toxic materials
should not be discharged to the atmosphere because of the potential for environmental
damage, fire, explosion, odor, or noise. Further treatment may be required in accordance
with the Clean Air Act's New Source Performance Standards.
Standards for emergency relief system or Volatile Organic Compound (VOC)
emissions control are governed by the Code of Federal Regulations (CFR) under the
Clean Air Act's New Source Performance Standards. Flares meeting these conditions are
assigned a destruction efficiency equal to 98% of the organic materials by the EPA.
These standards are detailed in 40 CFR 60.18 and include requirements for:
• Minimum Btu values for the flare gas, for non-assisted and steam- or air-
assisted flares
• Maximum flare tip speeds, which vary with the Btu value of the flare gas
• Continuous monitoring for the presence of a flame
7.5.1 Flares
Federal, state, and local permits are required to construct and operate flares. The
minimum amount of information required for the permitting process includes normal and
design maximum flow rates, estimated gas composition and Btu value, normal maximum
flare tip velocity, a description of the flame tip monitoring system, and the location and
height of the flare. In some cases regulatory authorities may require that the flare
emissions be modeled for ambient air effects. Regulatory authorities may also require
smokeless (zero visible emissions) operation up to a prescribed percentage of the flare's
design maximum emission. Aircraft warning lights may be another regulatory
requirement.
Several types of flares are available in the market for application in process plants.
Four of the most common flare types in the process industry are (Ref. 7-23):
• Elevated flares
• Ground flares
• Low Pressure flares
• Burn pits
The following common design criteria for flare systems need to be considered by the
designer:
• Regulatory limits on release of toxic, corrosive, and flammable substances;
noise; smoke (federal, state, or local venting permits).
• Location and spacing in relation to process units, storage areas, grade level, and
personnel. Criteria are based on radiant heat flux and ground level
concentrations of toxic or corrosive components of the flare gas combustion
products.
• Ability to remove liquids entrained in the flare gas.
• Prevention of oxygen from entering the system, especially via relief devices.
Maintenance of relief valves should be performed using procedures that prevent
air from entering the system.
• Flashback protection to prevent internal explosions in case flammable vapor-air
mixtures are generated. Air may be present from backflow through the stack or
inlet piping after a release of hot process gas (a hot blow).
• Provision for pilot ignition systems and their controls to be located safely.
• Provision for purging the flare header with fuel gas or an inert gas.
• A separate flare system for oxygen-containing streams might be preferable to
avoid introduction of streams containing air or oxygen into the main flare
header. This practice avoids the potential for explosion if flammable
concentrations are possible.
• Exit velocity; excessive exit velocity can cause flame detachment or flameout.
• Materials of construction should be addressed, especially in regard to low
temperatures or corrosive or reactive chemicals.
Design of elevated flares is dictated by radiation at grade level and the possibility of
falling sparks. Sizing criteria and calculations of elevated flares are detailed in ANSI /
API Std 521 (Ref. 7-22).
Although pressure relief valves are sized to accommodate individual peak relieving
loads, the relief system design requires that a cumulative relieving load from valves
discharging simultaneously be determined. This load is used to determine the back
pressure obtained in the relief system, fluid velocity in sections of the relief header and at
the flare tip, and the level of thermal radiation and noise at grade. Since back pressure
may affect the performance of a pressure relief valve, the relief header system (PSV
tailpipe, subheader, and main flare header) is sized to limit the back pressure at the valve
outlet and thus maintain the required capacity of the pressure relief valve. The
maximum allowable back pressure is a function of the type of pressure relief valve and
its set pressure. The actual back pressure obtained at the relief valve outlet is a function
of line size and its associated relieving rate in each section of the relief header system.
The flow rate in each section of the relief header is different depending on the location,
number, and capacity of each pressure relief valve which is expected to discharge into
the relief header at the same time.
Typical common mode failures such as fire, cooling water failure, and power failure
are generally involved in the simultaneous discharge of several relief devices.
Consequently, the controlling loads generated by one of these emergencies should be
evaluated for design of the flare headers as well as the equipment items in the system.
These failures should be further analyzed to determine if the effect is plant wide or local,
if other standby equipment is available to pick up the service, if automatic startup spares
are available, or if standby power supplies are provided. The relief loads for one
contingency (e.g., cooling water failure or power failure) may not be additive, and
therefore proper transient analysis may reduce the overall controlling load.
Special consideration should be given to situations where relief devices can
discharge flashing liquids or where a combination of cold liquid and hot vapor discharge
may result in vaporization of the liquids. Such situations may generate additional vapor
loads, beyond those corresponding to the relieving loads. Mechanical effects due to
uneven thermal stress should be considered.
Instrumented shutdowns of equipment and heat sources can appreciably reduce flare
design loads. This not only reduces environmental problems associated with flaring or
scrubbing but also reduces the cost of chemicals wasted during plant upsets. When
considering the relief loads resulting from instrumented shutdowns, it may be assumed
that all trips will function. However, it is recommended design practice to assume that
the trip on an equipment piece contributing the largest noncumulative relieving load will
not function. It is also suggested that this philosophy be supported with a quantitative
assessment of reliability.
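As an added worked example (not code from the CCPS book), the following Python applies the load-determination rules above: it groups relief devices by the common-mode contingency that makes them discharge together, treats a pool fire as local to its fire zone rather than plant-wide, and compares the controlling header load under three trip-credit policies, including the recommended one in which the trip on the item contributing the largest single relieving load is assumed not to function. All device tags, loads, zones and trip assignments are constructed sample values.

```python
"""Controlling flare-header load for common-mode relieving contingencies.

Added illustration, not the book's own method or data. Loads are lb/h.
"""
from dataclasses import dataclass, field

# Trip-credit policies for instrumented shutdowns:
#   "none"        - no credit; every device discharges at full load
#   "all"         - every trip is assumed to function (optimistic)
#   "worst_fails" - recommended practice in the text: the trip on the item
#                   contributing the largest single load is assumed to fail
POLICIES = ("none", "all", "worst_fails")


@dataclass
class ReliefDevice:
    tag: str
    fire_zone: str
    loads: dict = field(default_factory=dict)     # event -> relieving load
    tripped_by: set = field(default_factory=set)  # events a trip removes


def participants(devices):
    """Group (device, event, load) by the contingency that makes them relieve
    together. Utility failures are taken as plant-wide; a pool fire is local,
    so each fire zone becomes its own contingency."""
    groups = {}
    for dev in devices:
        for event, load in dev.loads.items():
            key = f"fire in zone {dev.fire_zone}" if event == "fire" else event
            groups.setdefault(key, []).append((dev, event, load))
    return groups


def simultaneous_load(group, policy="worst_fails"):
    """Header load with every device in the group discharging at once."""
    if policy not in POLICIES:
        raise ValueError(f"unknown trip-credit policy: {policy}")
    base = 0.0
    protected = []  # loads that a functioning trip would remove
    for dev, event, load in group:
        if policy != "none" and event in dev.tripped_by:
            protected.append(load)
        else:
            base += load
    if policy == "worst_fails" and protected:
        base += max(protected)  # largest protected load counted as if its trip failed
    return base


def contingency_loads(devices, policy="worst_fails"):
    """Simultaneous load for each contingency, under the given policy."""
    return {key: simultaneous_load(group, policy)
            for key, group in participants(devices).items()}


def controlling_load(devices, policy="worst_fails"):
    """Governing (contingency, load) that sizes the main flare header."""
    loads = contingency_loads(devices, policy)
    event = max(loads, key=loads.get)
    return event, loads[event]


def sum_of_peaks(devices):
    """Sum of each valve's individual peak load: the figure the text says is
    NOT the header basis, returned only for comparison."""
    return sum(max(dev.loads.values()) for dev in devices if dev.loads)


# Constructed sample relief devices (hypothetical tags, zones and loads).
SAMPLE_DEVICES = [
    ReliefDevice("PSV-101", "A", {"cooling water failure": 75_000,
                                  "power failure": 45_000, "fire": 20_000},
                 tripped_by={"cooling water failure"}),  # reboiler trip
    ReliefDevice("PSV-102", "A", {"power failure": 15_000, "fire": 12_000}),
    ReliefDevice("PSV-201", "B", {"cooling water failure": 35_000,
                                  "fire": 25_000},
                 tripped_by={"cooling water failure"}),  # heat-source trip
    ReliefDevice("PSV-202", "B", {"power failure": 20_000,
                                  "cooling water failure": 10_000,
                                  "fire": 8_000}),
    ReliefDevice("PSV-301", "C", {"fire": 40_000}),
]

if __name__ == "__main__":
    print("sum of individual peaks (not a design basis):",
          sum_of_peaks(SAMPLE_DEVICES))
    for policy in POLICIES:
        print(f"{policy:>12}:", controlling_load(SAMPLE_DEVICES, policy))
```

With the sample data the optimistic "all trips work" policy lets power failure govern at 80,000 lb/h, while the recommended policy restores the largest trip-protected cooling-water load and makes cooling water failure govern at 85,000 lb/h, well below the 185,000 lb/h sum of individual peaks.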
In order to prevent the risk of explosion to the flare, protection can be provided by
seal drums, header purging, or use of a dry seal such as a molecular seal, especially when
the flare gas is lighter than air, e.g., hydrogen. Flame arresting devices may be installed
in headers of the flare system to prevent propagation of any flashbacks which might
occur.
Some tanks, wastewater treatment facilities, and other units may continuously vent
to the flare without the use of relief valves. Use of direct venting of low pressure tanks
and pressure relief devices to flare headers is risky due to potential for overpressure or
back mixing during emergency events in other equipment. Care should be taken in the
design of flare headers to make sure that these units, and units with low pressure relief
valves, cannot overpressure and rupture during high volume relief situations. In some
cases it may be necessary to increase the pressure rating of the individual unit to above
that seen in flaring situations or use a separately dedicated low pressure stack.
Improperly sized knockout drums can lead to the presence of liquids at the flare tip
during high levels of flaring. This dangerous situation can cause an explosion at the flare
tip, extinguishing the flame or ejecting burning liquids into the air.
A method to monitor the pilot and provide a reliable system to reignite the pilot
burners should be provided. The most frequent cause of pilot failure is loss of fuel gas
flow; this is often due to a plugged line or filter. Provide a means to ensure that the fuel
gas is clean and to verify flow to the pilot. Another cause of loss of flame is blowout on
low pressure flares in high winds.
The design should include provisions for handling the effluents in case the effluent
disposal / treatment facilities are inoperative. Consideration should also be given to the
schedule of operations (for example, batch or continuous process) and the procedures for
disposal of waste loads from the incineration system.
Incinerator hazards are similar to those involved in combustion processes located
near flammable materials. Storage areas for materials, particularly liquids and sludges,
should be designed to prevent flammable or detonable material from coming in contact
with an ignition source, including the incinerator itself. Fire detection and protection
equipment should be the same as that used in the rest of the plant. Additional care
should be taken to ensure that incompatible wastes are not mixed in one vessel. This has
been the cause of several waste storage fires.
In all cases, consideration should be given to installation of detonation arresters for
last-resort, passive protection against deflagrations and detonations in vapor lines.
Failure to promptly report a fire could result in greater damage and, more
importantly, could delay warning affected personnel. The alarm and surveillance
element of fire prevention triggers emergency response and has a major impact on the
control of property losses, safety of personnel, and community impact. Some key
components of alarm and surveillance are:
• A continuously staffed location for receiving and acting on reported incidents
and emergencies.
• Automated detection and protection systems to signal at an offsite central alarm
station service for continuous monitoring.
• Back-up power to operate emergency alarm systems in the event of main power
failure.
• A reporting system for personnel to report incidents and emergencies to the
staffed station. This could include an "alarm pull-box" system, plant
telephones, or radios.
• An alarm system for notifying personnel of an emergency in progress and for
communicating action required, such as information only, shelter-in-place, or
evacuate. This could include bells, sirens, whistles, horns, or public address
systems.
• A documented procedure for periodically and systematically testing the
reporting and alarm systems to confirm their functionality.
• Assurance of an acceptable level of surveillance for the facility by appropriate
resources, procedures, and facility design features.
Each type of emergency alarm or signal should clearly inform those onsite of the
actions to be taken. This requires training and testing of the alarm so personnel can
recognize the alarm and take appropriate action. Some of these alarms may be
automatic. For example, detection of a fire may be signaled directly by the protection or
detection system rather than by an individual. This alarm signal may alert not only
personnel in the immediate area, but all facility personnel and the community fire
department.
The alarm and surveillance procedure should also describe how to use the warning
and alerting equipment, which may include telephones, alarms, buzzers, lights, horns,
public address systems, radios, and pagers. A useful addition to this procedure is a
simple flow diagram indicating how information is distributed, an emergency call
recording form, and a regulatory reporting requirements form.
For additional information, refer to NFPA 72 (Ref. 7-36) and NFPA 101
(Ref. 7-37).
7.6.1.1 Evacuation
Depending on the severity of the incident, evacuation may be necessary. Evacuation can
be for portions of a facility or the entire facility. When evacuation is an option at a
facility, procedures should include:
• Means to warn personnel both inside buildings and outside
• Evacuation plan that directs personnel to a designated assembly area
• Emergency exits and safe evacuation routes
• Emergency action procedures and training that will facilitate evacuation
352 GUIDELINES FOR ENGINEERING DESIGN FOR PROCESS SAFETY
7.6.1.2 Shelter-in-Place
Shelter-in-place is a concept used when a toxic release occurs and personnel do not have
time to evacuate because the incident occurs very quickly. Shelter-in-place is the use of
a building, vehicle or other enclosed space to provide protection against exposure to a
toxic gas or vapor. Personnel downwind of a release who are in a building or vehicle
should, in most circumstances, stay in the building or vehicle (shelter-in-place) and take
action to minimize the ingress of vapors by closing doors, windows, fresh air intakes,
and other openings between the space and the outdoors.
Where onsite buildings are used for shelter-in-place, written procedures should be
developed to guide personnel in entering and securing the shelters. Equipment required
to implement the procedures should be maintained. Considerations for the design of
shelter-in-place buildings include:
• Signals for entering and leaving temporary shelters
• Communication equipment necessary
• Equipment to be maintained at each location, including communications
equipment (radio or telephone), and materials for securing the shelter
• Heating, Ventilation and Air Conditioning (HVAC) systems capable of
shutdown of the system or placement in recirculation mode, whichever is more
appropriate
• Seals for all windows, doors and penetrations
The emergency response plan should include a list of all approved shelter-in-place
buildings, procedures for accounting for personnel in shelter-in-place buildings, and
methods to evaluate the situation if conditions worsen.
frequency is not. Given the initial and final intensities, the average
concentration of gas in the path is calculated and transmitted.
Point Combustible Gas Detectors (IR) are used to indicate the presence of gas
at a particular location (e.g., in a congested area of the plant or in small ducts).
• Areas handling lighter than air gases where no roof or deck is present above the
release sources, as the footprint of any release is likely to be too small to
practically detect.
The primary challenge in using fixed combustible gas detection is that it is
impractical, if not impossible, to detect minor releases, for the same reasons discussed
under toxic detection. In addition, flammable releases will have much smaller detectable
footprints than similarly sized toxic releases, because their concentrations of concern
(essentially measured in parts per hundred) are much higher than those of toxic releases
(measured in parts per million). Moderate to large releases also pose a detection
challenge because:
• The rate of area engulfment and vapor travel leave very little time for
intervention by control systems or operators.
• The threat of flash fires and explosion make operations in the release area
particularly dangerous for operating personnel and emergency responders.
• Explosions emanating from enclosed spaces or highly congested or obstructed
portions of the plant can be quite powerful and result in widespread damage
throughout the facility, thus spreading the incident.
Due to these challenges, the objectives of most flammable detection programs in the
process industries are limited to:
• Alerting personnel to the accumulation of combustible gases in buildings due to
releases within the space or the ingress of exterior releases.
• Initiating the shutdown of internal process streams / equipment and ventilation
systems where combustible gases have accumulated in an enclosed space.
• Alerting personnel to releases that may affect highly congested or obstructed
areas of the plant from which powerful explosions may propagate.
• Alerting personnel to large releases in the area of high potential release sources.
• Alerting personnel to releases that may affect commonly used access routes,
normally occupied areas, emergency marshalling points or the public.
• Alerting personnel to releases that are affecting their immediate location.
Providing combustible gas detection in elevated locations, such as process unit
decks and on offshore docks, is not practical in most cases, because the number of
factors at play precludes a reasonable degree of detection success.
The principal value of fireproofing is realized during the early stages of a fire when
efforts are primarily directed at shutting down units, isolating fuel flow to the fire,
actuating fixed suppression equipment, and setting up portable firefighting equipment.
During this critical period, if non-fireproofed equipment and pipe supports fail due to
fire-related heat exposure, they could collapse and cause gasket failures, line breaks, and
equipment failures, resulting in expansion of the fire. Fireproofing may be applied to
control or power wiring to allow operation of emergency isolation valves, vent vessels,
or actuate water spray systems during a fire.
Determining fireproofing requirements involves experience-based or risk-based
evaluation (Ref. 7-39). An approach for selecting fireproofing includes the following
steps:
• Conducting a hazard evaluation, including quantification of inventories of
potential fuels.
• Developing fire scenarios, including potential release rates and determining the
dimensions of fire-scenario envelopes.
• Determining fireproofing needs based on the probability of an incident
considering industry experience, the potential impact of damage for each fire-
scenario envelope, and technical, economic, environmental, regulatory, and
human risk factors.
• Choosing the level of protection (based on appropriate standard test procedures)
that should be provided by fireproofing material for specific equipment, based
on the needs analysis.
Foam: extinguishing mechanism is smothering; best for Class B pool fires
(two-dimensional fires); limitations: not for electrical fires, the foam blanket
may break up, and not applicable for LPG.
Dry Chemical: extinguishing mechanism is chain breaking; applicable to Classes B
and C; limitations: fire reflashes if not completely extinguished or if hot
surfaces are present (especially flammable / combustible liquids).
Clean Agent: extinguishing mechanism is chain breaking and inerting; good for
Classes A, B, C; limitations: not for outdoors, and may produce toxic gases.
The reliability of the fire water supply should be such that the loss of any one source
does not result in a loss of more than 50% of the flow requirements of the system. For
example:
• A large facility connected to the city water supply should have two independent
connections off different branches of the city underground piping.
• A facility drawing water from a stream or lake should either have independent
locations from which to draw from or have a back-up supply from the city
system or a private well. Care should be taken when using potable and non-
potable sources so that cross-contamination does not occur.
Fire water pumping capacity (flow rate) should be sufficient to provide the
required amount of water at required pressure to the fire areas having the
greatest demand. At least 50% of the pumping capacity should be from diesel-
driven pumps. Fire water pumps should have a minimum capacity of 1,500
gpm (5,700 lpm) and can range up to 5,000 gpm (18,930 lpm).
It is common practice to provide pumping capacity so that when the largest fire
water pump is out of service, the total fire water demand can still be met. In situations
where the demand does not exceed 1,500 gpm (5,700 lpm), it may be acceptable to use a
single pump.
The reliability of the power supply should be determined, taking into account the
frequency of power outages and extent of interruption. Consideration should be given to
connecting electrically driven fire water pumps to the emergency power system, where
one exists.
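The flare-load rule stated earlier (credit every instrumented shutdown except the trip on the item with the largest noncumulative relieving load) and the fire water pumping rules above are both worst-single-failure checks. The Python below is an added example, not code from the CCPS guideline: it encodes those rules as checks a design reviewer can run over an equipment list. The equipment names, loads and data structures are constructed assumptions; the 1,500 gpm, 5,000 gpm and 50% thresholds are the ones the text gives.

```python
"""Worst-single-failure checks for flare design load and fire water pumping.

Added example (not from the CCPS guideline). Equipment names, loads and the
data structures are assumptions; the numeric thresholds are from the text.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ReliefSource:
    """One equipment item that can contribute a relieving load to the flare."""
    name: str
    load_kg_h: float   # noncumulative relieving load from this item (constructed units)
    tripped: bool      # True if an instrumented shutdown would remove this load


def flare_design_load(sources: list[ReliefSource]) -> tuple[float, str | None]:
    """Design load under the recommended practice: every trip is credited
    except the one on the trip-protected item with the largest load, which is
    assumed not to function. Returns (design_load, item_whose_trip_is_assumed_failed)."""
    untripped = sum(s.load_kg_h for s in sources if not s.tripped)
    tripped = [s for s in sources if s.tripped]
    if not tripped:
        return untripped, None
    worst = max(tripped, key=lambda s: s.load_kg_h)
    return untripped + worst.load_kg_h, worst.name


@dataclass(frozen=True)
class FirePump:
    name: str
    capacity_gpm: float
    diesel: bool       # diesel-driven (True) or electrically driven (False)


def fire_water_pump_findings(pumps: list[FirePump], demand_gpm: float) -> list[str]:
    """Return the pumping rules from the text that the pump set fails (empty = passes)."""
    findings: list[str] = []
    total = sum(p.capacity_gpm for p in pumps)
    largest = max(p.capacity_gpm for p in pumps)
    diesel = sum(p.capacity_gpm for p in pumps if p.diesel)
    # Individual pump size range: 1,500 gpm minimum, up to 5,000 gpm.
    for p in pumps:
        if not 1500 <= p.capacity_gpm <= 5000:
            findings.append(f"{p.name}: {p.capacity_gpm} gpm outside 1,500-5,000 gpm")
    # A single pump is acceptable only when demand does not exceed 1,500 gpm.
    if len(pumps) == 1 and demand_gpm > 1500:
        findings.append("single pump with demand above 1,500 gpm")
    # With the largest pump out of service, total demand must still be met.
    if len(pumps) > 1 and total - largest < demand_gpm:
        findings.append(f"largest pump out of service leaves {total - largest:g} gpm "
                        f"< demand {demand_gpm:g} gpm")
    # At least 50% of pumping capacity should be diesel-driven.
    if diesel < 0.5 * total:
        findings.append(f"diesel-driven share {diesel / total:.0%} below 50%")
    return findings


def source_loss_ok(source_flows_gpm: dict[str, float]) -> bool:
    """Loss of any one water source must not remove more than 50% of system flow."""
    total = sum(source_flows_gpm.values())
    return total > 0 and max(source_flows_gpm.values()) <= 0.5 * total


if __name__ == "__main__":
    # Constructed sample: two trip-protected reboilers and one blocked-outlet case.
    load, failed = flare_design_load([
        ReliefSource("E-101 reboiler", 40_000, tripped=True),
        ReliefSource("E-102 reboiler", 25_000, tripped=True),
        ReliefSource("P-101 blocked outlet", 10_000, tripped=False),
    ])
    print(f"flare design load {load:g} kg/h, trip assumed failed on {failed}")
    print(fire_water_pump_findings([FirePump("FWP-1", 5000, False),
                                    FirePump("FWP-2", 3000, True)], 6000))
```

The flare check is deliberately conservative in the direction the text recommends: it never credits the single most valuable trip, and the text also asks that the credit taken for the remaining trips be backed by a quantitative reliability assessment.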
The design of water spray systems should be in accordance with NFPA 750
(Ref. 7-43).
The design of clean agent systems should be in accordance with NFPA 2001 (Ref.
7-46).
pressure shock wave and the dynamic energy and to split the flame front before
it reaches the flame arrester element (Ref. 7-51).
• Arrester Element (Matrix) Construction for Dry-Type Arresters - Dry-type
deflagration and detonation flame arresters have an internal arrester element
(sometimes called a matrix) that quenches the flame and cools the products of
combustion. A great number of arrester elements have been developed and
used. The most common types currently available are as follows:
Crimped metal ribbon
Parallel plate
Expanded metal cartridge
Perforated plate
Wire gauze and wire gauze in packs
Sintered metal
Metal shot in small housings
Ceramic balls
Oxidant concentration reduction
increased pipe diameter. Although detonations may fail on encountering branches into
smaller pipe diameters, run-up to detonation may reoccur (Ref. 7-52).
In Europe process equipment such as spray dryers, fluid-bed dryers, and mills are
available in "shock-resistant" designs for pressures up to 145 psig (10 bars).
Pressure containment can also be provided by using piping systems with a pressure
rating above the anticipated maximum pressure generated during a deflagration.
More information about pressure containment design is available in NFPA 69 (Ref.
7-35).
sensors are not normally used for pipeline barriers since there is no clear correlation
between the front of the pressure wave and the flame front, and pressure sensor response
times often are too slow for use in this application.
Process interlocking is a long-used principle for guiding the operator safely through an
operating sequence. Once the proper steps have been identified, mechanical interlocks
can be installed that prevent continuing until a key is inserted. An interlock guides the
operator through the sequence with unique keys for each step. Only when a mistake
is made is the operator prevented from proceeding: a key will not fit, or a valve will
be locked in position. The principle of mechanical key interlocking is the transfer of
keys. Each lock is furnished with two keys, one for the locked-open position and one for
the locked-closed position. When the valve is open, the "open key" can be released and
transferred to another lock with the same code. All keys are unique and depend on the
sequence.
A three-way valve can be considered a type of interlock since it ensures the flow is
directed in only the desired direction.
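The key-transfer principle described above can be modelled as a small state machine, which makes the sequence-enforcement property easy to check: a step out of order fails because the required key is either missing or trapped in another lock. The Python below is an added example, not code from the CCPS guideline or any interlock vendor; the valve names (V1, V2), the two-step isolation scenario and the key codes are constructed for the example.

```python
"""Mechanical key-transfer (trapped-key) interlock as a state machine.

Added example, not from the CCPS guideline. Each lock has two uniquely coded
keys, one per valve position; the key for the current position is released,
the other is trapped. A downstream lock's "permit" is the code of an upstream
lock's key, so it only accepts that key. Valve names and the scenario are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


class InterlockError(Exception):
    """The keys in the operator's hand do not permit the requested move."""


@dataclass
class ValveLock:
    name: str
    position: str               # current locked position: "open" or "closed"
    rest: str                   # position the sequence starts and ends in
    permit: str | None = None   # code of another lock's key needed to leave `rest`
    trapped: str | None = None  # permit key currently trapped in this lock

    def key(self, position: str) -> str:
        return f"{self.name}-{position}"   # unique code per lock and position


class KeySequence:
    def __init__(self, locks: list[ValveLock]) -> None:
        self.locks = {lk.name: lk for lk in locks}
        # The key for each valve's current position starts out released (in hand).
        self.held: set[str] = {lk.key(lk.position) for lk in locks}

    def move(self, valve: str, target: str) -> set[str]:
        """Move `valve` to `target` if the keys permit it; return keys now in hand."""
        lock = self.locks[valve]
        if target not in ("open", "closed"):
            raise InterlockError(f"unknown position {target!r}")
        if target == lock.position:
            raise InterlockError(f"{valve} is already {lock.position}")
        own = lock.key(lock.position)
        if own not in self.held:
            # The position key was transferred downstream and is trapped there.
            raise InterlockError(f"{own} is trapped in another lock; "
                                 f"{valve} stays locked {lock.position}")
        leaving_rest = lock.position == lock.rest
        if leaving_rest and lock.permit and lock.permit not in self.held:
            raise InterlockError(f"no key fits {valve}: {lock.permit} is required")
        # Insert (trap) the keys that authorise the move.
        self.held.remove(own)
        if leaving_rest and lock.permit:
            self.held.remove(lock.permit)
            lock.trapped = lock.permit
        if target == lock.rest and lock.trapped:
            # Returning to rest releases the permit key for transfer back upstream.
            self.held.add(lock.trapped)
            lock.trapped = None
        lock.position = target
        self.held.add(lock.key(target))
        return set(self.held)


def isolation_demo() -> list[str]:
    """Constructed scenario: inlet valve V1 must be closed before drain V2 is opened,
    and V1 cannot be reopened while V2 is open."""
    seq = KeySequence([
        ValveLock("V1", position="open", rest="open"),                          # first step
        ValveLock("V2", position="closed", rest="closed", permit="V1-closed"),  # needs V1's key
    ])
    log: list[str] = []
    for valve, target in [("V2", "open"),     # wrong order: no key fits
                          ("V1", "closed"),
                          ("V2", "open"),
                          ("V1", "open"),     # V1-closed is trapped in V2
                          ("V2", "closed"),
                          ("V1", "open")]:
        try:
            seq.move(valve, target)
            log.append(f"{valve} {target}")
        except InterlockError as err:
            log.append(f"blocked: {err}")
    return log


if __name__ == "__main__":
    print("\n".join(isolation_demo()))
```

The model captures the security-relevant property of the physical system: authority to perform a step is a non-copyable token that exists in exactly one place, so the operator cannot be in two incompatible states at once.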
alternate configuration is an eduction system with a high rate water supply, such as a fire
water system, with the educted material being diverted to an empty system.
The design of drainage / spill control systems can be complex. Some of the factors
that should be considered in the design of drainage / spill control systems include the
following:
• Expected duration of fire (or time to implement contingency plans)
• Expected flow from water-based fire extinguishing systems, such as sprinklers,
foam systems, hoses, and monitor nozzles
• Local codes and regulations
• Properties of the liquid which could be released, including extinguishability,
viscosity, water solubility, specific gravity, volatility, etc.
• Rainfall (containment facilities should normally contemplate some rainfall in
capacity design)
• Reactivity of chemicals with water or other chemicals in the drainage system
• Risk of environmental contamination (proximity to water supplies, geology,
etc.)
• Separation of organics from water to prevent drainage to rivers
• Spacing and location of facilities
• Surface type (earth, gravel, concrete, etc.)
• Topography
• Volume of liquid which could be released as well as the rate and mode of
release
NFPA 30 (Ref. 7-2) and the appendix of NFPA 15 (Ref. 7-42) should be consulted
for details on the design of drainage / spill control systems.
Drainage / spill control systems should be inspected on a regular basis to ensure they
are in good condition. In particular, drains and trenches should be examined to ensure
they do not contain any blockages. Rainwater should be drained or pumped out of
containment facilities following each rainfall.
7.12 REFERENCES
7-1. NFPA 70B. Recommended Practice for Electrical Equipment Maintenance.
National Fire Protection Association. Quincy, Massachusetts. 2010.
7-2. NFPA 30. Flammable and Combustible Liquids Code, National Fire Protection
Association. Quincy, Massachusetts. 2008.
7-3. NFPA 70. National Electrical Code (NEC), 2011 Edition, Article 500, National
Fire Protection Association, Quincy, Massachusetts. 2011.
7-4. API RP 500 (R2002). Recommended Practice for Classification of Locations
for Electrical Installations at Petroleum Facilities Classified as Class I,
Division 1 and Division 2, Second Edition, American Petroleum Institute. 1997.
7-5. NFPA 496. Standard for Purged and Pressurized Enclosures for Electrical
Equipment, 2008 Edition, National Fire Protection Association. Quincy,
Massachusetts. 2008.
7-6. ANSI / UL 913. Intrinsically Safe Apparatus and Associated Apparatus for Use
in Class I, II and III, Division 1, Hazardous (Classified) Locations,
Underwriters Laboratory. 2002.
7-7. Static Electricity. FM Global 5-8, Factory Mutual Insurance Company. 2001.
7-8. API RP 2003. Protection Against Ignitions Arising out of Static, Lightning, and
Stray Currents, American Petroleum Institute. 2008.
7-9. CCPS. Avoiding Static Hazards in Chemical Operations, Center for Chemical
Process Safety of the American Institute of Chemical Engineers. New York,
New York. 1999.
7-10. NFPA 780. Standard for the Installation of Lightning Protection Systems,
National Fire Protection Association. Quincy, Massachusetts. 2011.
7-11. ISA 84.91.01. Identification and Mechanical Integrity of Instrumented Safety
Functions in the Process Industry, International Society of Automation.
Research Triangle Park, North Carolina. 2011.
7-12. IEC 61511. Functional Safety: Safety Instrumented Systems for the Process
Sector, International Electrotechnical Commission, Geneva, Switzerland. 2003.
7-13. ANSI / ISA 84.00.01-2004 (IEC 61511 modified). Part 1, Functional Safety:
Safety Instrumented Systems for the Process Industry Sector - Part 1:
Framework, Definitions, System, Hardware and Software Requirements,
International Society of Automation, Research Triangle Park, North Carolina.
2004.
7-14. ANSI / ISA 84.00.01-2004 (IEC 61511 modified). Part 2, Functional Safety:
Safety Instrumented Systems for the Process Industry Sector - Part 2:
Guidelines for the Application of ANSI / ISA-84.00.01-2004 Part 1 (IEC 61511-
1 Mod) - Informative, International Society of Automation, Research Triangle
Park, North Carolina. 2004.
7-15. ANSI / ISA 84.00.01-2004 (IEC 61511 modified). Part 3, Functional Safety:
Safety Instrumented Systems for the Process Industry Sector - Part 3: Guidance
for the Determination of the Required Safety Integrity Levels - Informative,
International Society of Automation, Research Triangle Park, North Carolina.
2004.
7-16. ISA TR84.00.04. Guidelines on the Implementation of ANSI / ISA 84.00.01-
2004 (ISA 61511 Modified), International Society of Automation, Research
Triangle Park, North Carolina. 2006.
7-17. ISA TR84.00.02. Safety Integrity Level (SIL) Verification of Safety
Instrumented Functions, International Society of Automation, Research
Triangle Park, North Carolina. 2002.
7-18. ISA TR84.00.03. Mechanical Integrity of Safety Instrumented Systems (SIS),
International Society of Automation, Research Triangle Park, North Carolina.
2002.
7. PROTECTION LAYERS 375
7-19. CCPS. Guidelines for Hazard Evaluation Procedures, Third Edition, Center for
Chemical Process Safety of the American Institute of Chemical Engineers.
New York, New York. 2008.
7-20. CCPS. Layer of Protection Analysis: Simplified Process Risk Assessment,
Center for Chemical Process Safety of the American Institute of Chemical
Engineers. New York, New York. 2001.
7-21. CCPS. Guidelines for Independent Protection Layers and Initiating Events,
Center for Chemical Process Safety of the American Institute of Chemical
Engineers. New York, New York. 2011.
7-22. ANSI / API Std 521. Pressure-Relieving and Depressuring Systems, Fifth
Edition, American Petroleum Institute. 2007.
7-23. API Std. 2000. Venting Atmospheric and Low-pressure Storage Tanks, Sixth
Edition, American Petroleum Institute. 2009.
7-24. ASME Section VIII-DIV 1. 2010 ASME Boiler and Pressure Vessel Code,
Section VIII, Division 1: Rules for Construction of Pressure Vessels. American
Society of Mechanical Engineers. 2010.
7-25. API Std 520. Sizing, Selection, and Installation of Pressure-relieving Devices in
Refineries, Part I - Sizing and Selection, Eighth Edition, American Petroleum
Institute. 2008.
7-26. Glinos, K. and R.D. Myers. Sizing of Vacuum Relief Valves for Atmospheric
Distillation Columns, Journal of the Loss Prevention in the Process Industries,
Vol. 4, No. 3, pp. 166-169. 1991.
7-27. Simpson, L.L. Estimate Two-Phase Flow in Safety Devices, Chemical
Engineering, Vol.98, No. 8, pp. 98-102. 1991.
7-28. Leung, J.C. Size Safety Relief Valves for Flashing Liquids, Chemical
Engineering Progress, Vol. 88, No. 2, pp. 98-102. 1992.
7-29. DIERS. Emergency Relief System Design Using DIERS Technology, DIERS
Project Manual. American Institute of Chemical Engineers. New York, New
York. 1992.
7-30. CCPS. Safe Design and Operation of Process Vents and Emission Control
Systems, Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, New York. 2006.
7-31. DIERS. Systems Analysis for Integrated Relief Evaluation (SAFIRE) User's
Manual, SAFIRE Computer Program and Documentation. American Institute
of Chemical Engineers. New York, New York. 1986.
7-32. CCPS. Guidelines for Pressure Relief and Effluent Handling Systems, 2nd
Edition, Center for Chemical Process Safety of the American Institute of
Chemical Engineers. New York, New York. 2011.
7-33. Scandpower. Guideline for Protection of Pressurized Systems Exposed to Fire,
Scandpower. 2002.
7-34. ANSI / API Std 537. Flare Details for General Refinery and Petrochemical
Service, American Petroleum Institute. 2008.
7-35. NFPA 69. Standard on Explosion Prevention Systems, National Fire Protection
Association. Quincy, Massachusetts. 2008.
7-36. NFPA 72. National Fire Alarm and Signaling Code, National Fire Protection
Association. Quincy, Massachusetts. 2010.
7-37. NFPA 101. Life Safety Code, National Fire Protection Association. Quincy,
Massachusetts. 2009.
7-38. CCPS. Continuous Monitoring for Hazardous Material Releases, Center for
Chemical Process Safety of the American Institute of Chemical Engineers.
New York, New York. 2009.
7-39. CCPS. Guidelines for Fire Protection in Chemical, Petrochemical, and
Hydrocarbon Processing Facilities, Center for Chemical Process Safety of the
American Institute of Chemical Engineers. New York, New York. 2003.
7-40. API Publ 2218. Fireproofing Practices in Petroleum & Petrochemical
Processing Plants, American Petroleum Institute. 1999.
7-41. NFPA 13. Installation of Sprinkler Systems, National Fire Protection
Association. Quincy, Massachusetts. 2010.
7-42. NFPA 15. Standard for Water Spray Systems for Fire Protection, National Fire
Protection Association. Quincy, Massachusetts. 2007.
7-43. NFPA 750. Standard on Water Mist Fire Protection Systems, National Fire
Protection Association. Quincy, Massachusetts. 2010.
7-44. NFPA 11. Standard for Low-, Medium-, and High-Expansion Foam, National
Fire Protection Association. Quincy, Massachusetts. 2010.
7-45. NFPA 16. Standard for the Installation of Foam-Water Sprinkler and Foam-
Water Spray Systems, 2007 Edition. National Fire Protection Association.
Quincy, Massachusetts. 2007.
7-46. NFPA 2001. Standard on Clean Agent Fire Extinguishing Systems, National
Fire Protection Association. Quincy, Massachusetts. 2008.
7-47. NFPA 12. Standard on Carbon Dioxide Extinguishing Systems, National Fire
Protection Association. Quincy, Massachusetts. 2008.
7-48. NFPA 17. Standard for Dry Chemical Extinguishing Systems, National Fire
Protection Association. Quincy, Massachusetts. 2009.
7-49. NFPA 10. Standard for Portable Fire Extinguishers, National Fire Protection
Association. Quincy, Massachusetts. 2010.
7-50. CCPS. Deflagration and Detonation Flame Arresters, Center for Chemical
Process Safety of the American Institute of Chemical Engineers. New York,
New York. 2002.
7-51. Halstrick, V. Technical Report Part I, Protego Fundamentals. Braunschweiger
Flammenfilter GmbH. Braunschweig, Germany. 1995.
8 DOCUMENTATION TO SUPPORT PROCESS SAFETY
Documentation is important to long term management as well as the day-to-day safe
operation of a process facility. As the regulatory mandate for documentation evolves,
failure to maintain accurate and complete records can become a legal liability.
Documentation is frequently the means to implement a corporate process safety
management program and to verify plant compliance to its provisions. In addition,
quality documentation can facilitate continuous improvement. The primary elements of
a document management program are information infrastructure, procedures, retention,
and control. Access to necessary information during emergency conditions is essential,
as well as to support Management of Change.
A robust document management system ensures version control of procedures and
other process safety information. This is particularly challenging when process safety
information is computer based and managed over an intra-net system.
- A description of control system logic in narrative format
- Adiabatic reaction temperature and the corresponding system pressure, based on
both intended and worst credible case material composition
- Cause-and-effect trails
- Consequences of deviations from safety limits
- Hazards related to credible undesired chemical reactions
- Map and / or tables showing zones / distances of concern for overpressurized or
toxic exposure hazards based on consequence analysis
- Material and energy balances and / or simple figures
- Maximum intended inventory
- Process chemistry, including laboratory notebooks that provide information
developed during the early stages of product or process development
- Basis for and values of safe upper and lower limits
- Separation equipment design information and design bases
- Simplified process flow diagram or block flow diagram

- Control system logic diagrams, loop sheets, and interlock tables
- Electrical classification diagrams
- Electrical data, including one-line diagrams, a motor database, and grounding /
bonding drawings
- Facility data, including plot plans that document the location of underground
utility and process piping, structural drawings and structural analysis, design
and design basis information for fixed fire protection systems, and information
on heat / blast loads and fire / blast walls
- Instrument data, including a register or database of key parameters for field
instruments, alarms, interlocks, etc.
- Isometric drawings
- List of design codes and standards applicable to the process
- Location of safety showers / eye wash stations, fire extinguishers, and other
safety equipment
- Materials of construction
- Mechanical data / design basis sheets for process equipment
- Piping and Instrumentation Diagrams (P&IDs)
- Piping specifications
- Portable multi-unit equipment
- Relief system design basis and calculations, including any flare system
- Safety systems (e.g., interlocks, detection, or suppression systems)
- Shop fabrication drawings
- Ventilation system design basis and calculations
8. DOCUMENTATION TO SUPPORT PROCESS SAFETY 381
control, and revision of this information. Design documents typically include those
described below.
• Design Basis Documents - Process definition and design criteria are usually the
initial information assembled. The basic process knowledge includes process
chemistry, energy and mass balances, general control philosophy, process
hazard analysis, etc. Applicable codes and design standards are identified.
Design calculations and research and development reports, which explain the
original design bases with their underlying philosophy and define safe operating
ranges for process variables, should also be clearly documented. The latter are
often a useful place to begin troubleshooting or planning alternative operating
conditions. Design basis should also be documented for mitigation systems.
• Equipment Specifications - These documents describe all of a plant's equipment
in a concise and complete way. The original design basis is clearly stated.
Sufficient process and mechanical data are provided to allow procurement of
the items required. Changes sometimes occur after the purchase order is
awarded. The specifications should be updated to show "as delivered" and
installed.
• Design Standards - Design standards explain in detail the proper components,
fabrication, assembly or construction techniques, or references used for items
other than specific equipment.
• Drawings - While design standards may go through minor adjustments,
engineering drawings are revised frequently to reflect the addition of equipment
and instruments or rerouting of lines. Regulatory agencies most often require
retention of P&IDs and plot plans; these documents encompass the essence of
the facility in a condensed form.
• Hazard Analysis - One of the most common elements of industry guidelines and
regulations is the performance and documentation of a hazard analysis. This
review does not ensure that all hazards have been identified, but it is currently
the most effective method to systematically review a process and its
components for hazards. The hazard analysis should be thoroughly documented
with detailed minutes of meetings and records of decisions and actions taken.
Besides serving as a reference against which potential changes may be assessed,
the hazard analysis can serve as a case study for similar process units. For more
information on hazard analyses, see Chapter 4, Analysis Techniques, and
Guidelines for Hazard Evaluation Procedures (Ref. 8-3).
• Vendor Information - Equipment manufacturers should provide drawings and
operating manuals for each piece of equipment. These drawings and manuals
are useful because they reflect exact detail or "as built" descriptions and include
proper operating instructions intended to ensure safe and trouble-free operation.
These documents are particularly useful in establishing the historical
background of specific pieces of equipment. Vendor training manuals are
useful for ensuring proper and consistent maintenance of equipment. Manuals,
drawings, and Material Safety Data Sheets (MSDSs), and all test reports should
be retained in the plant maintenance department, the engineering office, or
operating department.
• Quality Control (New Equipment) - Procedures should be developed to ensure
that equipment is purchased, fabricated, inspected, tested, and installed to meet
produced or that the "approved for construction" drawings be field verified after
a change is made.
• Expected composition of each stream and the expected variations that were
considered and used in design. This information impacts several important
process safety design considerations, e.g., chemical reactions, corrosion,
instrumentation calibration and response, material of construction, and pressure
relief sizing.
• Document thermochemistry data for expected reaction and credible cases of
advertent reactions or inadvertent reaction rates.
• Mechanical integrity program expectations to conduct appropriate inspections
and tests according to manufacturer recommendations and industry practice.
The project design team needs to provide the information necessary for safe
operation, including consequences of deviations and steps to correct the deviation. This
information is essential for operations training.
There are four major types of procedures in process operations:
• Operating procedures are written step-by-step instructions and associated
information (cautions, warnings, notes, etc.) for safely performing a task within
operating limits. Procedures should cover all modes of operation. Typically,
operating procedures are required for:
Initial startup
Normal startup
Startup after a turnaround
Normal operations
Temporary operations
Emergency operations
Normal shutdown
Emergency shutdown
• Emergency or abnormal operating procedures are written instructions that
provide step-by-step actions for operations personnel to ensure the process is in
a safe and stable mode following a system upset or when a process is in
intentional (startup, shutdown, etc.) or unintentional (upset) transition.
• Temporary operations are written instructions that document the steps taken
during operations that are not conducted on a daily basis.
• Maintenance procedures are written instructions that address material control
and maintenance practices needed to ensure system operability and integrity as
well as maintenance, testing, and inspection frequency.
• Ensure enough information for the user to perform the task safely and correctly.
Ensure that the level of detail considers the experience and capabilities of the
users, their training, and their responsibilities.
• Develop processes to ensure that users are able to quickly and accurately locate
the correct procedure for the job.
• Write all procedures in a standard format which is set by a "style guide."
• Instruct users in the use of their procedures.
• Cleaning / Decontaminating
• Emergencies
For batch processes, there may be two types of documents necessary to conduct
operations because the same equipment is often used in different configurations for
different products. First, there are operating procedures that contain the steps and safety
information for performing each task. Second, there are the "batch" or "recipe" or
"process" sheets that contain operating parameters such as temperature, material
amounts, and sequencing. These batch sheets may change with each run, although the
actual operating procedures remain the same. The batch sheets may change several
times a week, but the operating procedures are always applicable to the equipment.
Together, batch sheets and operating procedures provide the necessary information for
safe operation.
therefore critical that key information from the design effort be passed along in a
consistent and useful manner to facilitate the initiation of the reliability effort.
Non-destructive testing findings, details of construction, repairs, alterations, or other
conditions may also affect the future evaluation of the equipment's integrity. From the
point of view of tracking the service history of equipment, the following initial
engineering design project records in addition to the equipment specifications listed
earlier are useful:
• ASME Code Data Reports for pressure vessels.
• Field-verified inspection drawings for major equipment with reference
inspection points. Wall thickness measurements (including original
measurements) and other non-destructive examination findings, both past and
present, should be on the drawings or a separate sheet.
• A copy of jurisdictional reports and permits which are required to operate
boilers or pressure vessels (for the duration of the permit).
• Repair and alteration documentation for major equipment and process piping.
In addition to the transmittal of initial design information, the design process must
also be enlisted to support the ongoing collection of equipment performance data, both to
validate (or, if necessary, correct) the initial design basis, and to ensure that equipment
integrity is maintained in an efficient and effective manner. Asset integrity and
equipment performance data should be collected into meaningful data subsets for
analysis, and "as found, as left" data should be recorded in a format designed to
make analysis efficient. The
CCPS Process Equipment Reliability Database Project (PERD) is one example of a
structured method for documenting and recording equipment data which may be
employed as a part of a structured design information transfer effort that facilitates
accurate and meaningful data collection, based on design information, to ensure the
ongoing integrity of process equipment.
By making the data collection factual (requiring little or no interpretation on the part
of field personnel), easy (automated wherever practical to minimize both tedium and
transcription errors), and specific [providing information on the failure(s) of interest], the
ability to extract useful trends is greatly enhanced. These qualities are best built into the
system with the input of the initial designers, while design intent is fresh, and all
assumptions and key variables are clearly understood and remembered.
Testing intervals are also a key component for equipment integrity maintenance.
Intervals may be based on regulatory requirements or determined through a facility's
Risk Based Inspection (RBI) or Reliability Centered Maintenance (RCM) program.
Initial test intervals should be a routine part of the design basis, which may then be
modified based on actual field experience. Refer to Guidelines for Mechanical Integrity
Systems for additional information (Ref. 8-5).
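As an added illustration of the "as found, as left" record and the field-adjusted test interval discussed above (not the chapter's own code): the readings, the point identifier V-101/TP-3, the required thickness and the design-basis interval are constructed, and the limit of half the remaining life or 10 years is assumed from the API 510 internal-inspection rule (Ref. 8-4), not stated by this chapter.

```python
"""Structured "as found, as left" wall-thickness records and the trend they
support. Added illustration, not the CCPS text's own method; sample readings are
constructed. The half-remaining-life / 10-year limit is assumed from API 510."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ThicknessReading:
    """One measurement at an inspection point referenced on the drawing."""
    point_id: str       # inspection point as marked on the field-verified drawing
    year: float         # decimal year the reading was taken
    as_found_mm: float  # thickness measured before any repair
    as_left_mm: float   # thickness after repair; equals as_found_mm if none

    def __post_init__(self):
        # Factual records need no interpretation: reject impossible values at entry.
        if self.as_found_mm <= 0 or self.as_left_mm <= 0:
            raise ValueError(f"{self.point_id}: thickness must be positive")

def corrosion_rate_mm_per_year(first: ThicknessReading, last: ThicknessReading) -> float:
    """Metal loss per year between two readings at the same point: earlier as-left
    versus later as-found, so a repair in between is not read as metal gain."""
    if first.point_id != last.point_id:
        raise ValueError("readings must be from the same inspection point")
    years = last.year - first.year
    if years <= 0:
        raise ValueError("later reading must postdate the earlier one")
    return max(first.as_left_mm - last.as_found_mm, 0.0) / years

def remaining_life_years(current_mm: float, required_mm: float, rate: float) -> float:
    """Years until the wall reaches the required (design-basis) thickness."""
    loss_available = max(current_mm - required_mm, 0.0)
    return float("inf") if rate == 0 else loss_available / rate

def next_interval_years(design_interval: float, remaining_life: float, cap: float = 10.0) -> float:
    """Design-basis interval, shortened by field experience: never longer than
    half the remaining life nor the cap (assumed API 510 limits)."""
    return min(design_interval, remaining_life / 2.0, cap)

# Constructed sample: original (as-built) reading and one later survey.
ORIGINAL = ThicknessReading("V-101/TP-3", 2012.0, 12.7, 12.7)
LATEST = ThicknessReading("V-101/TP-3", 2020.0, 10.3, 10.3)
REQUIRED_MM = 7.9          # minimum thickness from the design basis (constructed)
DESIGN_INTERVAL_YEARS = 5  # initial interval from the design basis (constructed)

if __name__ == "__main__":
    rate = corrosion_rate_mm_per_year(ORIGINAL, LATEST)
    life = remaining_life_years(LATEST.as_found_mm, REQUIRED_MM, rate)
    print(f"rate {rate:.2f} mm/yr, life {life:.1f} yr, next {next_interval_years(DESIGN_INTERVAL_YEARS, life):.1f} yr")
```

With the constructed readings the loss is 0.30 mm/yr, the remaining life 8.0 years, and the 5-year design interval is shortened to 4.0 years by the half-life limit.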
8.5 REFERENCES
8-1. CCPS. Guidelines for Risk Based Process Safety. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, New York, 2007.
8-2. CCPS. Guidelines for Process Safety Documentation. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, New York, 1995.
8-3. CCPS. Guidelines for Hazard Evaluation Procedures. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, New York, 2008.
8-4. API Std 510. Pressure Vessel Inspection Code: Maintenance Inspection, Rating, Repair, and Alteration, 8th Edition. American Petroleum Institute, June 1997, Addendum 1 (December 1998), Addendum 2 (December 2000), Addendum 3 (December 2001), and Addendum 4 (August 2003).
8-5. CCPS. Guidelines for Mechanical Integrity Systems. Center for Chemical Process Safety of the American Institute of Chemical Engineers, New York, New York, 2006.
Guidelines for Engineering Design for Process Safety, Second Edition
by Center for Chemical Process Safety
Copyright © 2012 American Institute of Chemical Engineers, Inc.
INDEX
Active Design Solutions, 125
Agitation, 192
American Conference of Governmental Industrial Hygienists (ACGIH), 52
Asset Integrity/Reliability/Predictive Maintenance Data, 389
Atmospheric Storage Tanks, 179
Autoignition Temperature, 43
Baker Panel Report, 2
Basic Process Control System, 132-134
  Alarm Management, 133
  Testing Instrumentation, 134
Batch Reaction Systems, 29
Below Grade Structures, 150
BLEVE, 74
Blowdown Systems, 346-347
  Disengaging Facilities, 347
  Equipment Drainage Systems, 347
  Quench Drums, 347
Buffer Zone, 135
Building Damage Levels, 92
Buncefield Incident, 128
Calorimetric Data, 50
Catalysts, 142
Cathodic Protection and Anodic Protection, 146
Centrifuges, 244
Checklist Analysis, 97
Chemical / Material Hazards, 72
Chemical Hazard Response Information System (CHRIS), 55
Chemical Incompatibility Charts, 51
Chemical Interaction Matrix, 53
Chemical Reactivity Hazard, 46, 47
Civil/Structural/Support Design, 146
Columns, 203
Compressors, 234
Consequence/Impact Assessment, 109
Consequences of Deviation, 137
Consequences, 25
Contaminants, 142
Cooling Water, 310
Corrosion Allowance, 146
Corrosion Fatigue, 144
Corrosion, 143, 265
Corrosive Environments, 142
Corrosion Under Insulation, 146, 153
  Contributing Factors, 153
  Material Stress Conditions, 154
  Prevention of Corrosion, 155
Corrosivity / pH Hazards, 75
Crevice Corrosion, 145
Critical Task Analysis, 105
Culture, 35
Deflagration, 57
Deflagration/Detonation Arresters, 363
  Selection and Design Criteria, 365
Depressurization, 340
Design Alternatives, 78
Design Basis, 381
Design Considerations for Flare, 344
  Flare Header Design, 344
  Flare Stack, 345
  Flare System Safety, 346
  Knockout Drums, 345
Design Considerations, 145
Design Institute for Physical Properties (DIPPR®), 16, 39