# Selecting hydrocracker safety integrity levels: A case study

## Strategies and studies to prevent failures.

##### By Edward Marszal

After the accident at the Tosco Avon Refinery in Martinez, Calif., refiners have paid more attention to the emergency depressuring of hydrocracking process units. They decided that automatic depressuring of the unit when it detected excess temperature should be a safety-instrumented function. Refiners found that applying this safety-instrumented function is difficult because of the number of possible measurements and the challenge of detecting the hazardous condition.

In one case, selecting the SIL for the high-temperature emergency depressuring of a hydrocracker reactor with a shortcut method didn't provide a realistic result. The complexity and interrelationship of the multiple safeguards and multiple initiating events interfered with success.

### CASE STUDY

The owner of a hydrocracker process used a standard process for selecting the safety integrity level (SIL). The process is based on a hazard matrix—modified to include qualitative analysis of the layers of protection. The process includes the following steps:

1. Select the consequence category.
2. Select the category representing the likelihood of the initiating event.
3. Determine the required degrees of risk reduction based on the hazard matrix.
4. Determine the number of independent protection layers.
5. Calculate the required SIL by subtracting the number of independent protection layers from the required degrees of risk reduction.

The hazard matrix below is a typical example of a matrix that industry might use. In addition to qualitative descriptions of categories, such as severe and rare, we can also associate the categories with quantitative ranges.

Typical hazard matrix

## Safety integrity level

Safety integrity level (SIL) selection is the process of determining the amount of risk reduction required to reduce a process's risk to a tolerable level. The IEC 61511 standard alone contains five different methods for selecting SILs. These methods all perform the same task in essentially the same way. The differences in methodologies are a function of the level of detail in which you analyze the components of risk. The detail ranges from a simple categorization of consequence and likelihood when using the hazard matrix method, all the way to numerical analysis of event frequency and probable loss of life resulting from the accident when using a fully quantitative method.

### PROCESS PROBLEMS

Although the process owner was very successful in applying this procedure, a small percentage of analyzed scenarios (< 5%) did not yield satisfactory results: the selected SIL was higher than expected, based on judgment. The process shown above, like all shortcut risk analysis methods, yields poor results when the assumptions upon which it is built are not valid. Several considerations make the simple hazard matrix protocol ineffective for the hydrocracker runaway scenario:

- A large number of events can result in a runaway reaction (initiating events).
- None of the initiating events has a frequency so much larger than the rest that it can be treated as representative of the overall risk.
- The safeguards employed in the process are not effective against all initiating events.
- A large number of safety-instrumented functions (SIFs) are intended to prevent essentially the same hazardous event. (An SIF is any functionality or action an instrumented system performs that has a safety purpose. For a broader definition, see IEC 61511.)
- Multiple SIFs share common equipment. Basic process control system (BPCS) protection functions share final elements with SIFs.
- Many SIFs are not 100% effective in preventing all initiating events from propagating into an accident.

Mitigating events decrease the probability an accident will occur, and they don't fit the description of an independent protection layer as given in the SIL selection guidelines.

### SIL SELECTION WITH FAULT-TREE ANALYSIS

The SIL selection team requested a detailed fault-tree analysis (FTA) to determine the frequency of this event. The SIL selection team agreed on a consequence category of "severe" qualitatively, and did not request further analysis. They then used the FTA results to select a likelihood category, and subsequently the required SIL.

You perform an FTA by identifying all basic events that can either be the root cause of the accident (the initiating event) or prevent the initiating event from propagating into the unwanted accident. Note that the term distributed control system (DCS) protective function, used in the scenarios below, describes a layer of protection implemented as a BPCS function, separate from the SIS under study.

You can logically relate basic events using a graphical representation. The result of the fault-tree analysis is the frequency, or probability, of the top event or unwanted accident, which you calculate using the probabilities and frequencies of the basic events and a graphical description of how they are logically related. The SIL selection team determined nine initiating events that can cause a runaway reaction if no one takes mitigating actions after those events occur.

### RECYCLE COMPRESSOR FAILURE

During a recycle compressor failure, the flow rate of hydrogen through the reactor decreases. The decrease in the hydrogen flow rate affects the hydrogen-to-hydrocarbon ratio of the feed and also will stop the flow of quench gas. When this occurs, the heat removal with excess hydrogen stops, but the reaction continues to occur because there is still ample hydrogen available at a high pressure. Because the loss of heat removal is so rapid, it is virtually impossible for an operator to prevent a runaway reaction from starting, so this scenario requires depressuring. Depressuring will occur due to either the low recycle gas flow SIF, which activates the slow depressuring upon loss of recycle flow, or manual activation of the slow depressuring.

### REACTOR INTERNALS FAILURE

The failure of reactor internals, such as catalyst support screens and distribution boxes, can result in a temperature runaway. Failure of equipment located above a hydrocracking catalyst bed will result in debris resting on top of the bed. The debris will cause flow misdistribution and channeling. As a result, the areas of the bed where flow has decreased will suffer a decrease in heat removal and an increase in temperature. The increased temperature may propagate into a runaway reaction. The thermal runaway in this scenario is much slower to develop than the recycle compressor failure scenario. As a result, automatic control and operator intervention have a good chance of preventing a runaway reaction by adjusting quench rates to the affected bed. Although recovery from internals failure is possible, in some cases the damage is so severe that recovery is impossible, and a depressuring must occur to bring the process to a safe state.

### QUENCH FAILURE

Failure of quench control resulting in low or no quench flow could occur as the result of either controller failure or quench control valve failure. In either case, reactor temperatures would rise at a moderate rate as a result of heat removal loss. Recovery from the failure is possible through either manual operation of the control valve from the control room, or hand jacking the control valve in the field if control room operation is not possible.

### PLUGGING AND CHANNELING

During the normal course of operation of the hydrocracker, coking and plugging will occur in all of the catalyst beds. Coking and plugging can result in misdistribution of flow and channeling through the catalyst bed. As channeling occurs, heat removal from the catalyst bed will lose its uniformity, allowing hot spots to occur in areas where flow has decreased. The increased reaction in hot spots can result in a temperature runaway. The development of a temperature runaway in this scenario is quite slow compared to other initiating events, allowing automatic control and operator intervention to prevent the runaway in most cases.

Plugging and channeling can also occur as the result of poor catalyst loading. In this scenario, it is expected that the operator will not have enough information or time to detect the cause of the problem, and the channeling could be severe. As a result, the operator gets no credit for gaining control of the process.

### BED TEMPERATURE MEASUREMENT

Failure of a bed temperature measurement can lead to a temperature runaway if the result of the failure is decreased or stopped quench flow. An erroneous low bed temperature measurement will result in the automatic quench controller decreasing quench flow rate. The decreased, or stopped, quench flow will result in a moderately rapid temperature rise as the heat removal from the bed decreases.

### GAS FLOW CONTROLLER

Failure of the recycle gas flow controller in a position where flow is stopped or significantly reduced will result in a temperature runaway. This scenario will result in the same outcome as loss of the recycle compressor. In this scenario, there is an opportunity for recovery by operator intervention. Depending on the control loop's failure mode, the operator can take manual control of the loop either from the control room or the field.

### FEED FLOW RATE CHANGE

A significant change in feed flow rate can result in a temperature runaway due to rapid change of the hydrogen-to-hydrocarbon ratio. Significant changes in the feed flow rate are the result of failures in feed flow controllers and feed pumps. The temperature rise in this scenario is moderately fast, but recovery is possible through automatic and manual adjustments of quench rates and readjustment of feed flow rates. A DCS function can be employed to detect the loss of hydrocarbon feed and subsequently initiate a slow depressuring.

### FIRED HEATER OUTLET FAILURE

Excessive temperature of the reactor feed can also result in a temperature runaway. Excessive temperature of the reactor feed is possible as the result of a failure of temperature control in the charge heater such that maximum firing occurs.

This failure may result in reactor inlet temperatures that are so high that maximum quench rates cannot bring the reactant temperature back down to the stable range. If this failure occurs, the operator can bring the process back under control by manually operating the failed temperature control loop. If manual temperature control fails, the operator can also manually stop the heater, which will bring the process to a safe state. Operators can activate a slow depressuring by a manual switch in the control room, or it is activated automatically by exceeding the high-high temperature, as determined by a DCS protective function. In either case, the slow depressuring valve opens when its associated solenoid valve is de-energized. Even if the slow depressuring system is activated, it might not decrease the reaction rate quickly enough to prevent the runaway from propagating. In this case, a fast depressuring is also needed to bring the process to a safe state.

A fast depressuring can likewise be activated by a manual switch in the control room or by exceeding the high-high-high temperature, as determined by a DCS protective function. In either case, the fast depressuring valve opens when its associated solenoid valve is de-energized.
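The fault-tree calculation described above, applied to the nine initiating events and the non-SIS safeguards credited against each, as an added example that is not the article's or Exida's own analysis. The frequencies, PFDs and tolerable frequency are constructed placeholders, and the required SIL is read from the IEC 61511 risk-reduction bands instead of the hazard matrix figure, which is not reproduced here.

```python
"""Fault-tree evaluation of the runaway-reaction top event (added example).

Each initiating event is ANDed with the probability of failure on demand
(PFD) of the non-SIS layers effective against THAT initiator; the branches
are then ORed. All numbers below are constructed, not the case study's.
"""
from math import prod

# Constructed data: name -> (initiator frequency per year, PFDs of the
# layers credited against it). An empty list means the runaway develops
# too fast for operator or DCS action to be credited, as with the compressor.
INITIATORS = {
    "recycle compressor failure":         (0.02, []),
    "reactor internals failure":          (0.05, [0.1]),
    "quench control failure":             (0.20, [0.1]),
    "plugging/channeling (normal)":       (0.50, [0.1, 0.1]),
    "plugging/channeling (poor loading)": (0.02, []),
    "bed temperature measurement":        (0.10, [0.1]),
    "recycle gas flow controller":        (0.10, [0.1]),
    "feed flow rate change":              (0.30, [0.1, 0.1]),
    "fired heater outlet temperature":    (0.10, [0.1]),
}

def and_gate(frequency, pfds):
    """Initiator occurs AND every credited layer fails: f * PFD1 * PFD2 ..."""
    return frequency * prod(pfds)          # prod([]) == 1: no credit taken

def or_gate(branch_frequencies):
    """Rare-event approximation: the OR of independent demands is their sum."""
    return sum(branch_frequencies)

def demand_frequency(initiators=INITIATORS):
    """Top-event frequency before the depressuring SIF itself is credited."""
    return or_gate(and_gate(f, pfds) for f, pfds in initiators.values())

def largest_share(initiators=INITIATORS):
    """Fraction of the demand frequency due to the single largest branch."""
    branches = [and_gate(f, pfds) for f, pfds in initiators.values()]
    return max(branches) / sum(branches)

def required_sil(f_demand, f_tolerable):
    """SIL whose low-demand PFD band (SIL 1: 1e-2..1e-1, ..., SIL 4: 1e-5..1e-4)
    brings f_demand * PFD(SIF) at or below f_tolerable."""
    rrf = f_demand / f_tolerable           # required risk reduction factor
    if rrf > 1e5:
        raise ValueError("more than SIL 4 required; change the design instead")
    for sil, bound in ((4, 1e4), (3, 1e3), (2, 1e2), (1, 1e1)):
        if rrf > bound:
            return sil
    return 0                               # RRF <= 10: no SIL claim needed

if __name__ == "__main__":
    f = demand_frequency()
    print(f"demand {f:.4f}/yr, largest single branch {largest_share():.0%}")
    print("required SIL:", required_sil(f, f_tolerable=1e-3))  # constructed target
```

With no branch above about a fifth of the total, the example reproduces the article's point that no single initiating event can stand in for the whole risk, which is what defeats the one-initiator hazard matrix shortcut.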

## Behind the byline

Edward M. Marszal is principal engineer at Exida in Columbus, Ohio.

## Hydrocracker primer

Many refineries employ hydrocracking technology to convert heavy hydrocarbon oils into lighter and more valuable products. Here's a typical flow sheet for a single-stage hydrocracking process.

Hydrocarbon liquid and hydrogen feed into the hydrocracker. Hydrocrackers are capable of processing a wide range of liquid hydrocarbon feed stocks, but typically process heavy oils such as vacuum gas oils and atmospheric residuals. The hydrogen-hydrocarbon feed blend is typically heated in a fired heater and sent to the reactors, where the cracking reaction occurs. After heat exchange, operators separate the hydrocarbon products from hydrogen and light gases in a series of separators and flash drums. They process hydrocarbon products further in a fractionation section. Both heavy hydrocarbon liquids and hydrogen are recyclable.

The reactions taking place in the hydrocracker process include cracking, whereby long-chain hydrocarbons break into smaller chains, and hydrogenation, where any free radicals or double bonds are saturated. The end result is a hydrocarbon product whose average molecular weight is much smaller than the molecular weight of the feed. The overall reaction set is significantly exothermic. Under some circumstances, heat generated in the reaction may increase the temperature of the catalyst bed, leading to increased reaction rates and more heat generation. This effect can spiral out of control and result in a potential loss of integrity of the reactor vessel or piping due to excessive temperature.

The reaction occurs as liquid hydrocarbon contacts a fixed bed of catalyst with excess hydrogen at a high pressure. During normal operation, temperature is controlled by adding a cold hydrogen quench that sweeps the heat of reaction away to the downstream heat exchangers. In an emergency situation, depressuring the reactor can stop the reaction. When a depressuring occurs, the reactor pressure, and thus the partial pressure of hydrogen, decreases. The decrease in hydrogen partial pressure essentially decreases the concentration of reactant available, and in accordance with traditional chemical reaction kinetics, the reaction rate quickly falls off. The speed at which the reaction rate falls is a function of how fast the reactor pressure drops. Many hydrocrackers are equipped with two different means of depressuring: a slow system and a fast system. Obviously, the fast system can bring the process to a safe state more rapidly, but it causes unwanted side effects such as intense flaring and equipment degradation due to hydrogen embrittlement. In an emergency scenario, an operator will first attempt to bring the process under control using the slow depressuring and only use the fast depressuring system if the slow system is not capable of stopping the runaway reaction.

Shortcut methods such as hazard matrices and risk graphs, commonly used for safety integrity level (SIL) selection, are effective in most situations. In some scenarios, selecting the SIL using these tools doesn't work—usually because the selected SIL was significantly higher than originally expected.

Typical hydrocracker flow sheet