01 August 2003
Preventing overpressure: A safety system success story
Using failsafe systems to prevent overpressure.
By David K. Thomas
The American Society of Mechanical Engineers (ASME), American Petroleum Institute (API), and other codes call for pressure relief devices to protect equipment from overpressure. But when the vessel contents are toxic or flammable, rules might not allow venting to the atmosphere for environmental or safety reasons. Venting through a pressure relief device happens at a high rate, so vent scrubbers and vapor destruction units must be quite large to handle the flow. The capital expense required for such a venting system can be prohibitive.
Engineers have traditionally relied on relief devices (valves and rupture disks) to protect systems from overpressure. It is generally better to relieve overpressure in a controlled fashion than to have an uncontrolled release following an explosion. ASME's Boiler and Pressure Vessel Code, Sections I and VIII, embodies this philosophy, and API Recommended Practice 521 has taken it from there. Application of the relief-device criteria in these codes is almost universal. Most observers would consider this to be one of the most successful safety codes in history. Yet as industry has evolved, some situations have arisen where following the code was not adequate in itself to produce a safety system.
The nuclear industry was quick to realize it could tolerate no release to the atmosphere. Experts designed elaborate containment systems for any release that might occur. In the Three Mile Island event, the containment system worked as planned, and it did not vent radioactive materials to the atmosphere. But a long and horribly expensive cleanup operation ensued afterward.
The chemical industry similarly had incidents where pressure vessel code was not sufficient in itself to ensure safety. In the Flixborough incident, a release caused a flammable vapor cloud that drifted to an ignition source. The Seveso incident similarly resulted from a controlled release of toxic vapors. A number of systems have evolved to deal with these controlled releases to make them safe. Incinerators remove flammables from vented streams. Scrubbers neutralize acidic or caustic vent streams. And scrubbers and incinerators work in combination in some cases.
Each of these solutions generates more problems, though. Designers can determine the maximum venting load; they cannot accurately predict when a vent will occur, or the actual magnitude of a particular venting. Incinerators may experience difficulty with incomplete combustion, and they frequently are plagued with large NOx emissions. Acid scrubbers do not always operate at peak efficiency, especially when the vent stream has entrained liquids. When the scrubber is not running at peak loading, it can vent the scrubbing solution (frequently a caustic or ammonia solution) to the atmosphere. The complexity of these vent-handling systems, as well as their capital costs, can make processes economically unviable.
The authors of ASME Code Case 2211 reasoned correctly—in many cases it makes more sense to eliminate the conditions leading up to a release rather than trying to find an acceptable way to vent the release. The system used to eliminate these conditions is the high-integrity protection system (HIPS). HIPS must meet the standards of any safety system. The code case leaves the decision to use HIPS up to the users, but they get no criteria for what safety integrity level (SIL) the HIPS must achieve. The general thought is it should be at least as reliable as the equivalent relief device. HIPS adds a layer of complexity to the operations, so it is not a cure-all for relief concerns. API Recommended Practice 521 discourages using HIPS except where a traditional relief system is impractical.
An alternate approach is to install safety systems that eliminate the conditions that require venting through relief devices. One client needed large relief systems for a reactor and a distillation tower because of the potential for cooling-system failure. Rather than build a huge vapor destruction/scrubber system for the toxic vapors, we designed a safety system for each system to ensure the cooling systems would never reach the overpressure venting conditions. A quantitative risk analysis (QRA) verified the reliability of the safety system.
Workers combined two reactants catalytically in reaction tubes to form product. The reactants and product were toxic and acidic. During the hazard and operability study, we determined a runaway reaction could produce temperatures greater than the maximum acceptable temperature of the reaction tubes. Changing the construction materials of the tubes would delay project start-up by close to one year. We also determined a scrubber system dealing with a tube rupture would be impractical. After consulting with a national regulatory authority, we determined HIPS would ensure the temperature of the reactor and reactants would not exceed the maximum allowable temperature for the reaction tubes. The HIPS needed to meet a SIL of 3.
Because neither the client company nor the regulatory authority had much experience with QRA, they jointly determined we should include the potential for human error in the QRA. This was a departure from the normal procedure for dealing with any safety-instrumented system. We designed HIPS to monitor reactor temperature and reactant temperature and shut down the reaction in case of high temperature.
The HIPS met the desired criteria (probability of failure of the completed HIPS = 3.827e-04, or SIL = 3). The local regulatory authority agreed the plant could continue with design, construction, and start-up on schedule. The first 10 cut sets (groups of actions that can lead to the top event, listed in order of highest probability first) are on the chart.
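The QRA result quoted above comes from combining the probabilities of the minimal cut sets that defeat the shutdown loop. The following is an added example, not the article's model or data: it uses constructed failure probabilities for a hypothetical HIPS loop (two temperature transmitters, a logic solver, two redundant shutdown valves, and the operator response the QRA was asked to include), ranks the cut sets highest probability first as the article's chart does, computes the top-event probability exactly by inclusion-exclusion, and maps the result onto the IEC 61508 low-demand SIL bands.

```python
from itertools import combinations
from math import prod

# Constructed per-demand failure probabilities for a hypothetical HIPS
# temperature-shutdown loop. These are illustrative values, not the
# article's QRA inputs.
BASIC_EVENTS = {
    "TT1": 0.02,   # reactor temperature transmitter fails to detect high temperature
    "TT2": 0.02,   # reactant temperature transmitter fails to detect high temperature
    "LS":  0.002,  # logic solver fails to command the shutdown
    "XV1": 0.01,   # first shutdown valve fails to close
    "XV2": 0.01,   # second (redundant) shutdown valve fails to close
    "OP":  0.1,    # operator fails to act on the alarm (human error, as the QRA included)
}

# Minimal cut sets: every event in a set must occur for the top event
# (HIPS fails to stop the runaway) to occur. Constructed for illustration.
CUT_SETS = [
    {"TT1", "TT2", "OP"},   # both transmitters blind and operator does not intervene
    {"LS", "OP"},           # logic solver silent and operator does not intervene
    {"XV1", "XV2"},         # both final elements fail to close
]

def cut_set_probability(cut_set, probs):
    """Probability that all (assumed independent) events in one cut set occur."""
    return prod(probs[e] for e in sorted(cut_set))

def rank_cut_sets(cut_sets, probs):
    """Cut sets ordered highest probability first, as the article's chart lists them."""
    scored = [(cut_set_probability(c, probs), sorted(c)) for c in cut_sets]
    return sorted(scored, key=lambda t: t[0], reverse=True)

def top_event_probability(cut_sets, probs):
    """Exact top-event probability via inclusion-exclusion over unions of cut sets."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, k):
            union = set().union(*combo)
            total += (-1) ** (k + 1) * cut_set_probability(union, probs)
    return total

def sil_from_pfd(pfd):
    """IEC 61508 low-demand SIL band for an average probability of failure on demand."""
    bands = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
    for low, high, sil in bands:
        if low <= pfd < high:
            return sil
    return 0  # outside any SIL band (too unreliable, or better than SIL 4)
```

Summing the ranked cut sets gives the rare-event approximation (3.4e-4 here); the inclusion-exclusion value is slightly lower because overlapping cut sets are not double-counted, and both land in the SIL 3 band, matching the article's 3.827e-04 figure.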
In this case HIPS proved to be a useful tool, and it remains useful in a variety of situations. Yet it is likely to remain limited in application in the near term due to the perceived lack of specific guidelines for required reliability. HIPS also puts more emphasis on smart process engineering in the conceptual stage. With increased use and the passage of time, HIPS will become recognized as a useful standard tool for the designers of safety systems.
Behind the byline
David K. Thomas heads Meerkat Consulting in Houston.
Three Mile Island
The failure happened while the plant was shut down for the weekend; it had closed midway through the production of a batch of 2,4,5-trichlorophenol (TCP), leaving the reactor full of material at an elevated temperature. Among these were ethylene glycol and sodium hydroxide, which eventually underwent an uncontrolled exothermic reaction that released sufficient gas to exceed the pressure limit of the safety plate.
The reactor produced TCP. Within the cloud were components and by-products of the process—TCP, ethylene glycol and chlorinated phenols, and 2,3,7,8-tetrachloro-dibenzo-para-dioxin (TCDD).
The reaction also raised the reactor temperature to 450–500°C, a condition that greatly increased the formation of TCDD. The reactor had no automatic cooling system; because only maintenance and repair personnel were in the plant over the weekend, no one was present to initiate cooling manually and suppress the reaction. Fortunately, the cloud vented for only twenty minutes before a worker noticed and stopped the release. It is estimated that 2 kilograms of the dioxin were in the cloud, and officials immediately sealed off the area and evacuated the population. Locally grown food was banned for several months, and several inches of topsoil were removed and incinerated, as were the livestock from the local farms. However, despite all these worries, only one person, to date, appears to have died from liver cancer, although there were a number of cases of skin disease (chloracne). No employees of the company suffered damage to their organs, but a number of women had abortions due to the potential danger to their unborn children.