The role of instrumentation and process controls in minimizing accidental releases




Ronald Hill, P.O. Box 504, 16A Douglas Street, New Providence, NJ 07974


Most accidental releases are the result of either mechanical failures or of measures taken to prevent such failures, such as venting through emergency vents, relief valves, or rupture discs. Where the mechanical failure is the result of defective materials, inadequate design, or external factors, little can be done by means of instrumentation to prevent the release; it may be possible, however, to reduce the flow. Many failures are due to process upsets such as overpressure, internal explosions, and runaway reactions. The probability of these failures occurring can be substantially reduced by proper instrumentation.


Introduction

In the past we have tended to think of safety instrumentation systems as being installed in order to prevent catastrophic incidents that could damage or destroy a plant, and kill or injure people. However, with the current emphasis on the environment, any accidental release could be regarded as catastrophic, and the probability of it happening must be reduced to the lowest possible level. This can be done very effectively by designing and installing adequate control and safety instrumentation.

Design of Instrumentation for Minimizing Releases

Process instrumentation systems can normally be divided into two parts:

a) Control Instrumentation
b) Safety Instrumentation

The operating requirements for the two parts are very different, as can be seen from Table 1, so that it is common practice to provide separate and independent systems to fulfill these functions. In principle it is possible to design a single system that will fulfill both functions adequately, and this is done in some cases, for example, aircraft control systems. However, it requires extensive duplication and diversification of equipment, as well as considerable design effort, to achieve the required degree of reliability, and this is both difficult and expensive to do. A more practicable solution for process plants is to provide a basic control system which will normally maintain the process in a safe condition. Then an additional, separate safety system, which will operate if unsafe conditions are approached, should be installed. The safety system is usually designed to shut the process down in an orderly and safe manner in the event that certain defined parameters are violated. This is to ensure that it will protect against control failures, which are one of the most common causes of process upsets, as well as protecting against external events. As such a system is usually very simple, it is comparatively easy to design it with a high degree of reliability. In order to illustrate how the addition of safety instrumentation can help to minimize the occurrence of accidental releases, let us consider some typical examples:

Example 1 - Distillation Column

Figure 1a shows a typical distillation column, with a very simple control system. A number of events could result in a high pressure, which would cause the relief valve to discharge.


TABLE 1. COMPARISON BETWEEN “NORMAL” AND “SAFETY” INSTRUMENTATION

“Normal” Instrumentation                          “Safety” Instrumentation
Often uses complex control algorithms.            Usually simple.
Reliability must be sufficient to meet            Reliability must be very high.
  economic needs.
Control failure may result in unsafe              Must be designed to “fail-safe”
  conditions.                                       whenever possible.

Plant/Operations Progress (Vol. 10, No. 3), July 1991, p. 129


Typical external events would be:

Loss of cooling water
Reflux pump failure
Excessive light ends in the feed

Similarly, some control failures which would have the same effect are:

Excessive steam rate set, or controller fails high
Excessive feed rate set, or controller fails high
Low reflux rate set, or controller fails low

An obvious possibility for reducing the probability of the relief valve discharging is to install a High Pressure Trip, as shown in Fig. 1b. However, before concluding that such a system will be effective, it is necessary to check the system responses. The pressure trip itself will be fast acting, but the process response is likely to be much slower. Even though the steam is quickly shut off, there is a substantial amount of residual heat in the reboiler, in the form of uncondensed steam and high temperature metal. When the steam is first shut off, the column will drain, increasing the proportion of lights in the bottom, and thus the pressure may initially rise before eventually falling. Thus it is necessary to take this phenomenon into account in deciding the setpoint of the pressure trip relative to the operating pressure and the relief valve setting.

FIGURE 1(b). Distillation system with high pressure trip.

FIGURE 1(c). Duplicated trip system.
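The response check described above, worked through on a constructed lumped model of the column. This is an added example and not from the original paper; the model and every number in it are assumptions: the condenser keeps removing its normal duty, the upset is a fixed excess of reboiler duty (steam controller failed high), the trip acts after a short delay, and the residual reboiler heat, together with the lights draining into the bottoms, decays with a single time constant. The closed form gives the peak pressure reached after the setpoint is crossed; the simulation shows the shape of the response (rise, trip, further rise, then fall) and cross-checks it.

```python
import math

# Constructed lumped model of column pressure after a high-pressure trip.
# All numbers are hypothetical: pressures in bar, duties in MW, time in hours.
K_BAR_PER_MWH = 20.0   # pressure rise per unit net heat imbalance
Q_N_MW = 4.0           # normal reboiler duty; the condenser keeps removing this
X_UPSET = 0.30         # steam controller failed high: 30 % excess reboiler duty
D_TRIP_H = 0.01        # sensor plus valve stroke delay after the setpoint is crossed
TAU_H = 0.05           # decay time constant of the residual reboiler heat
P_OP = 5.0             # normal operating pressure
P_RELIEF = 7.0         # relief valve setting


def overshoot(k=K_BAR_PER_MWH, q_n=Q_N_MW, x=X_UPSET, d_trip=D_TRIP_H, tau=TAU_H):
    """Pressure rise after the trip setpoint is crossed.

    Until the steam valve closes the pressure keeps rising at k*x*q_n. Then
    dP/dt = k*q_n*((1 + x)*exp(-s/tau) - 1), positive until s* = tau*ln(1 + x);
    integrating up to s* gives the residual-heat term k*q_n*tau*(x - ln(1 + x)).
    """
    return k * q_n * (x * d_trip + tau * (x - math.log1p(x)))


def peak_pressure(p_trip, **model):
    """Closed-form peak pressure for a trip set at p_trip."""
    return p_trip + overshoot(**model)


def max_safe_setpoint(p_relief=P_RELIEF, margin=0.2, **model):
    """Highest setpoint whose peak still stays `margin` below the relief valve."""
    return p_relief - margin - overshoot(**model)


def check_setpoint(p_trip, p_op=P_OP, p_relief=P_RELIEF, margin=0.2, noise_band=0.3):
    """Both sides of the choice: far enough above normal operation that noise
    does not cause spurious trips, low enough that the peak clears the relief
    valve by `margin`."""
    peak = peak_pressure(p_trip)
    return {
        "peak": peak,
        "above_operating_band": p_trip >= p_op + noise_band,
        "clears_relief_valve": peak <= p_relief - margin,
    }


def simulate(p_trip, p_op=P_OP, k=K_BAR_PER_MWH, q_n=Q_N_MW, x=X_UPSET,
             d_trip=D_TRIP_H, tau=TAU_H, dt=1e-4, t_end=0.5):
    """Step the same model explicitly; returns (peak pressure, time of peak).

    Shows the shape of the response (rise, trip, further rise while the
    residual heat bleeds off, then fall) and cross-checks the closed form."""
    p, t = p_op, 0.0
    t_valve_closed = None          # time at which the steam valve is actually shut
    peak, t_peak = p, t
    while t < t_end:
        if t_valve_closed is None and p >= p_trip:
            t_valve_closed = t + d_trip
        if t_valve_closed is None or t < t_valve_closed:
            q_reb = q_n * (1.0 + x)                      # upset, steam still on
        else:
            q_reb = q_n * (1.0 + x) * math.exp(-(t - t_valve_closed) / tau)
        p += k * (q_reb - q_n) * dt                      # explicit Euler step
        t += dt
        if p > peak:
            peak, t_peak = p, t
    return peak, t_peak


if __name__ == "__main__":
    for sp in (5.2, 6.2, 6.5):
        print(f"setpoint {sp} bar:", check_setpoint(sp))
    print("highest acceptable setpoint:", round(max_safe_setpoint(), 2), "bar")
    print("simulated peak for 6.2 bar:", simulate(6.2))
```

For this upset a setpoint of 6.5 bar lets the peak reach about 6.9 bar, inside the 0.2 bar margin below the 7.0 bar relief setting, while 6.2 bar peaks at about 6.6 bar; the highest acceptable setpoint is about 6.41 bar, and anything below about 5.3 bar sits inside the operating noise band and would trip spuriously. The simulation's time of peak falls after the valve has closed, which is the "pressure may initially rise before eventually falling" behaviour the text warns about.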

Another factor to be taken into account in the overall design of the system is the effect on the upstream and downstream parts of the process of shutting off the steam to one unit. Obviously, with the steam shut off, the bottom composition and flow will tend to approach that of the feed, and the potential effects of this on the downstream operations must be considered. It would be possible to shut off the feed stream, as well as the steam, in the case of high pressure, but this will cause an upset to the upstream process, as well as the downstream effects. Thus the final design of the trip system may be a good deal more complex than shown here.

Also it may be necessary to duplicate all, or part, of the trip system in order to obtain sufficient reliability, and such a system is shown in Figure 1c. Unfortunately, although this system would have less tendency to fail-dangerous than that shown in Figure 1b, it would also have a higher likelihood of failing-safe, i.e. shutting the column down when there was nothing wrong. Such spurious trips can result in severe process problems, sometimes to the point where the trip is deliberately disabled in order to permit smoother operation. If this is a problem, it would be necessary to implement a voting system, such as the 2 out of 3 system shown in Figure 1d. In this system a high pressure must be registered by at least two of the three pressure switches before a shutdown will take place. If one of the sensors fails in such a way as to indicate a high pressure where none exists, an alarm will be given, but there will not be a shutdown. In practice, pressure sensors are usually quite reliable, so that it is unlikely that these more complex designs would be necessary, but other sensors, such as thermocouples or analytical instruments, are substantially less so. Where these instruments are used to actuate the trip system, the greater complexity of a voting system can often be justified.

FIGURE 1(d). Voting system.

FIGURE 1(e). Complex control system.

It is often thought that increasing the sophistication of the control system will have the desired effect of reducing the probability of an accidental release, and to some extent this is true. For example, the control system in Figure 1e is designed to maintain a constant heat balance, so that steam is automatically reduced in the event of a loss of feed or reflux flow. Loss of feed and reflux flow are two of the major causes of high pressure. Control could be made even more precise by feeding into the computer the stream temperatures and compositions, and a high pressure shutdown could be integrated with the overall control. Unfortunately, the greater the complexity of the control system, the lower its reliability tends to be. Thus the main causes of an accidental release are control failures and external events, such as cooling water or power failure. As discussed previously, it is, in principle, possible to improve the reliability of the control system to the required level. This is an expensive and difficult project, and it will still be necessary to provide protection against the external events. On the other hand, although a trip system is probably still required, even with sophisticated control systems, a well designed control system will reduce the demand on the trip system itself. Thus this procedure will contribute to reducing the overall probability of a release.

FIGURE 2. Typical batch reactor.

Example 2 - A Batch Reactor

It is often more difficult to protect batch reactions than continuous ones. Continuous reactions normally operate at steady state conditions, so that quite small deviations can be readily detected and corrected. On the other hand, batch reactions usually involve conditions that vary throughout the batch, making it difficult to detect deviations quickly. In addition, it is often difficult to correct a deviation once it has occurred (e.g. over-charging of a reactant).

Let us consider a simple batch reactor, such as is shown in Figure 2. Two materials, A and B, are reacted together to form a product C, with the evolution of heat. The reaction is carried out in an inert solvent, and the heat of reaction is removed by boiling off some of the solvent, condensing it, and returning the condensate to the reactor. The reaction is started by charging the reactants and solvent, and then heating the mixture to the boiling point with steam. As the reaction proceeds, the steam is controlled to maintain a steady reflux. The reaction is carried out at the boiling point of the mixture, which will steadily rise as the product accumulates in the reactor. At the completion of the batch, the reactor contents are checked to ensure that no excess reactants remain, and the solvent is distilled off under vacuum.

The major hazard with this particular reaction is that at temperatures substantially above that at which the reaction is normally carried out, the product decomposes in a highly exothermic manner, producing a non-condensable gas. If the decomposition temperature is reached, the increased heat of reaction would produce a sudden increase in the boil-up, tending to overload the condenser. At the same time, the presence of non-condensable gases would reduce the condenser capacity. The combined effect would be to increase the pressure in the reactor, which would increase the decomposition rate still further. Eventually the reaction runs away, rupturing the burst disc, and in extreme cases, possibly the reactor itself. Such an event is extremely unlikely under normal circumstances, but could occur in the event of certain malfunctions, such as:

a) Cooling water failure.
b) Excess ratio of reactants to solvent.
c) Excessive use of steam at the start of the reaction.

Cooling water failure can be readily detected by means of a flow switch on the cooling water supply. This could be used to activate an emergency cooling water supply, and shut off the steam, if it is in use. However, it should be remembered that the changeover will take time, and during this period it is probable that the reaction rate will continue to rise. Thus it is likely that both the condenser and the emergency cooling water supply will need to be designed for condensation rates above the normal.



An incorrect reactor charge is more difficult to detect, hence the need to carefully control the reactant charge. However, there would be indications of an incorrect charge. If there is insufficient solvent, the temperature of the batch will tend to rise more quickly than normal, and the pressure may also increase, although these are not very sensitive indicators. A better approach might be to monitor the heat of reaction as a function of temperature, by measuring the reflux flow or the cooling water flow and temperature. In the event of excessive heat production, the reaction could be “quenched” by shutting off the steam and by adding additional solvent, or by addition of a “poison”. This will stop the reaction or reduce the reaction rate. Of course, this approach is only possible if the reactor has been designed to have sufficient spare volume to accommodate the addition. Generally such a system would be designed to initially shut off the steam, and then to add the solvent if the temperature does not fall to a safe value within a specified time.

Excessive use of steam can be minimised by limiting the maximum steam flow as a function of temperature. In addition, the “high heat flow trip” described above would shut off the steam in the event of an excessive reaction rate. In this case, the temperature should fall quickly, thus obviating the need for the solvent addition.
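The sequence described in the last two paragraphs (cut the steam on excessive heat of reaction, add solvent only if the temperature has not fallen to a safe value within a specified time, and limit the steam flow as a function of temperature), written out as trip logic. This is an added example and not the paper's own system: the latent heat, the trip threshold, the hold time, the linear steam taper and the two sampled batch histories are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

LATENT_HEAT_KJ_KG = 850.0   # hypothetical latent heat of the solvent


class State(Enum):
    NORMAL = "normal"        # steam under control, reaction at steady reflux
    STEAM_OFF = "steam_off"  # high heat flow trip fired, steam valve closed
    QUENCHED = "quenched"    # temperature did not fall in time, solvent added


def heat_of_reaction_kw(reflux_kg_h):
    """With the batch at its boiling point and no steam on, the heat of
    reaction equals the condenser duty, i.e. reflux flow times latent heat."""
    return reflux_kg_h * LATENT_HEAT_KJ_KG / 3600.0


def max_steam_kg_h(temp_c, full_kg_h=500.0, taper_start_c=120.0, zero_at_c=140.0):
    """Steam flow limit as a function of batch temperature (hypothetical linear
    taper): full steam well below the decomposition region, none at all once
    the batch is close to it."""
    if temp_c <= taper_start_c:
        return full_kg_h
    if temp_c >= zero_at_c:
        return 0.0
    return full_kg_h * (zero_at_c - temp_c) / (zero_at_c - taper_start_c)


@dataclass
class HighHeatFlowTrip:
    heat_trip_kw: float     # heat of reaction that fires the trip
    safe_temp_c: float      # batch temperature that counts as "fallen to a safe value"
    hold_time_s: float      # time allowed for that before solvent is added
    state: State = State.NORMAL
    timer_s: float = 0.0
    steam_permitted: bool = True
    add_solvent: bool = False

    def step(self, dt_s, temp_c, reflux_kg_h):
        """One scan of the trip logic: steam is cut first, solvent is added
        only if the temperature has not come down within hold_time_s."""
        if self.state is State.NORMAL:
            if heat_of_reaction_kw(reflux_kg_h) > self.heat_trip_kw:
                self.state, self.steam_permitted, self.timer_s = State.STEAM_OFF, False, 0.0
        elif self.state is State.STEAM_OFF:
            self.timer_s += dt_s
            if temp_c > self.safe_temp_c and self.timer_s >= self.hold_time_s:
                self.state, self.add_solvent = State.QUENCHED, True
        return self.state

    def reset(self, temp_c):
        """Manual reset, accepted only once the batch is back at a safe
        temperature; otherwise the trip stays latched (fail-safe)."""
        if temp_c <= self.safe_temp_c:
            self.state, self.timer_s = State.NORMAL, 0.0
            self.steam_permitted, self.add_solvent = True, False
        return self.state


def run_scenario(trip, temps_c, refluxes_kg_h, dt_s=10.0):
    """Feed a sampled history to the trip; returns (final state, index of the
    sample at which solvent addition started, or None)."""
    quench_at = None
    for i, (t_c, r) in enumerate(zip(temps_c, refluxes_kg_h)):
        trip.step(dt_s, t_c, r)
        if trip.add_solvent and quench_at is None:
            quench_at = i
    return trip.state, quench_at


# Constructed 10 s samples. (a) too much steam at the start: the heat rate
# spikes, cutting the steam brings the temperature down, no solvent is needed.
TEMPS_A = [110.0] * 5 + [112, 114, 116, 117, 117, 116, 115, 114, 113, 112] + [111.0] * 25
REFLUX_A = [600.0] * 5 + [1500.0] * 10 + [700.0] * 25
# (b) reactant overcharge: heat stays high and the temperature keeps climbing
# after the steam is off, so solvent is added when the hold time expires.
TEMPS_B = [110.0] * 5 + [112.0 + 0.3 * i for i in range(100)]
REFLUX_B = [600.0] * 5 + [1400.0] * 100


def scenario_a():
    return run_scenario(HighHeatFlowTrip(250.0, 112.0, 600.0), TEMPS_A, REFLUX_A)


def scenario_b():
    return run_scenario(HighHeatFlowTrip(250.0, 112.0, 600.0), TEMPS_B, REFLUX_B)


if __name__ == "__main__":
    print("excess steam at start:", scenario_a())
    print("reactant overcharge  :", scenario_b())
    print("steam limit at 130 C :", max_steam_kg_h(130.0), "kg/h")
```

The trip latches: once it has fired the steam stays off until an operator resets it, and the reset is refused while the batch is still above the safe temperature. In scenario (a) the trip ends in STEAM_OFF with no solvent added; in scenario (b) solvent addition starts at the sample where the 600 s hold time expires with the temperature still rising.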

In the case discussed above, all of the reactants are charged at the beginning of the batch. A better alternative might be to charge only one reactant initially, and then to add the other one continuously, making the operation a semi-continuous one, rather than a true batch reaction. This type of system, where one reactant is in a large excess, offers more scope for control, as the reaction rate will then be dependent on the rate of addition of the second reactant.

Example 3 - Mitigation of Releases

In many cases releases of hazardous materials are caused by failures of piping, or of equipment such as filters, pumps, or valves within the piping system. It is not possible to prevent such occurrences by means of instrumentation alone. The consequences can often be mitigated by providing an emergency shut-off valve as close as possible to the supply vessel, or at battery limits in the case of a pipe-line supply. In some cases this is triggered by a high flow rate at or near the valve location, but this is rarely a satisfactory arrangement. In many situations in a process plant, serious leaks can occur without any increase in the outflow from the vessel or pipeline. In fact, if the flow is of a liquid above its atmospheric pressure boiling point, a break in the line can, in some circumstances, result in a reduction in the flowrate, due to the effect of flashing in the line. For this reason excess flow valves are often ineffective. It is sometimes possible to find a suitable indication of failure, such as the pressure or flow at the outlet end of the line, or at intermediate positions along the line. This can be used to automatically trip an isolation valve, and this technique is widely used on long pipelines.

For flammable materials, heat sensors, or rate of temperature rise detectors, are sometimes used to activate emergency shut-off valves, but of course these will only operate if the leak ignites. A more general procedure is to use an analytical sensor to detect excessive concentrations of the hazardous material, and shut the emergency valves if a specified limit is exceeded. The problem with detectors which measure the atmospheric concentration in some way is that they can only indicate that there is a leak. They can also give a general indication of the location. However, promptly shutting off large sources of hazardous material is often sufficient to prevent a major catastrophe.

As in the previous cases, proper consideration must be given to the overall effects of suddenly stopping a flow, so that the final design of an effective emergency system may be a good deal more complex than just shutting off an isolation valve.

Overall Instrumentation Design

In the previous examples it has only been possible to consider the effects of one or two particular deviations. In any practical case, it will be necessary to consider all potential deviations, and ensure that the control and safety instrumentation can adequately deal with them. This should be done at an early stage in the process design, as it is often more feasible to make changes in the design which will make the instrumentation more effective, than it is to design an instrumentation system that will cope successfully with every eventuality. Techniques have been developed, such as “Hazop”, which make it relatively simple to analyse the effects of potential deviations from the design intent, and thus help to define the instrumentation and safety systems that will be required for an effective design. Other techniques, such as Fault Tree Analysis, can be used to refine the conclusions of the initial “Hazop”, and to determine the level of reliability that is needed, or can be obtained, from a particular system. These techniques, or comparable ones, should be used as an integral part of the instrumentation design process.

Summary

The provision of adequate control instrumentation, interlocks, and trips can reduce the incidence of accidental discharges from process causes to a very low level, and can often be effective in mitigating the effects of discharges resulting from external causes. This can reduce the need for complex incineration, flaring, or scrubbing systems, which are usually expensive, and often relatively ineffective under emergency conditions. However, instrumentation systems will only be effective if they are designed to achieve an exceptionally high degree of reliability, and thus they must take into account the characteristics of the process and the plant. Such systems must form an integral part of the plant design, and must not be regarded as “optional add-ons”, intended to correct for deficiencies in the original design. The best way of designing an effective system is to analyse the process thoroughly, using techniques such as “Hazop” and Fault Tree Analysis throughout the design process.

Appendix 1

Reliability of Trip Systems

Frequency of overpressure (demand rate) D = 0.5/year (1 in 2 years)
Failure rate of trip system f = 0.1/year
Testing frequency = 2 times/year, so testing interval T = 0.5 years
Number of independent trips = n

Then, assuming simultaneous testing (each trip fails undetected at rate f and is restored only at the next test, and a release occurs when a demand arrives while all n trips have failed),

$$\text{Release frequency} = \frac{1}{T}\int_0^T n f^{n} t^{\,n-1}\left[1-\exp\{-D(T-t)\}\right]dt = f^{n}T^{\,n-1}\left[1-\frac{n}{T^{n}}\int_0^T t^{\,n-1}\exp\{-D(T-t)\}\,dt\right]$$

which for n = 1 reduces to $f\left[1-\dfrac{1-\exp(-DT)}{DT}\right]$.

For Figure 1a (no trip): Release frequency = D = 0.5/year
For Figure 1b (one trip): Release frequency = 0.011/year
For Figure 1c (two trips): Release frequency = 0.0004/year*

*In practice the frequency will tend to be higher than shown.

This paper (41d) was presented at the AIChE Summer National Meeting in Denver, Colorado, August, 1988.
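An added example, not from the paper, serving the voting discussion of Example 1 and Appendix 1 together: the 1oo1, 1oo2 and 2oo3 vote logic applied to the same set of pressure readings, and the release-frequency arithmetic of Appendix 1 generalised to m-out-of-n voting. It uses the exact per-channel failure probability 1 - exp(-ft) rather than the ft approximation, which rounds to the appendix's values; the setpoint and readings are hypothetical.

```python
import math
from math import comb


def vote(readings, setpoint, m, n):
    """m-out-of-n high-pressure vote over n channel readings.

    Returns (trip, alarm). 1oo1 is the single switch of Fig. 1b, 1oo2 the
    duplicated trip of Fig. 1c (either channel shuts down), 2oo3 the voting
    system of Fig. 1d. `alarm` flags any disagreement between channels, so a
    single stuck-high sensor in 2oo3 gives an alarm and no shutdown."""
    if len(readings) != n:
        raise ValueError(f"expected {n} readings, got {len(readings)}")
    high = sum(1 for r in readings if r >= setpoint)
    return high >= m, 0 < high < n


def p_system_failed(f, t, n, m):
    """Probability that an m-out-of-n system can no longer trip at time t
    after a proof test: at least n - m + 1 of its n channels have failed
    dangerous, each independently with probability 1 - exp(-f t)."""
    p = 1.0 - math.exp(-f * t)
    need = n - m + 1
    return sum(comb(n, j) * p**j * (1.0 - p)**(n - j) for j in range(need, n + 1))


def release_frequency(D, f, T, n=1, m=1, steps=2000):
    """Releases per year for the Appendix 1 model with simultaneous testing.

    Per test interval, P(release) = int_0^T (dP_sys/dt) [1 - exp(-D (T - t))] dt:
    the system fails at t and at least one demand arrives before the next
    test. Integrating by parts gives D * int_0^T P_sys(t) exp(-D (T - t)) dt,
    evaluated here with Simpson's rule; dividing by T gives the yearly rate.
    n = 0 is Figure 1a: every demand is a release."""
    if n == 0:
        return D

    def g(t):
        return p_system_failed(f, t, n, m) * math.exp(-D * (T - t))

    h = T / steps
    s = g(0.0) + g(T) + sum((4 if i % 2 else 2) * g(i * h) for i in range(1, steps))
    return D * s * h / 3.0 / T


def appendix_1(D=0.5, f=0.1, T=0.5):
    """The three cases of Appendix 1 plus the 2-out-of-3 voting system."""
    return {
        "Fig 1a, no trip": release_frequency(D, f, T, n=0),
        "Fig 1b, one trip (1oo1)": release_frequency(D, f, T, 1, 1),
        "Fig 1c, two trips (1oo2)": release_frequency(D, f, T, 2, 1),
        "Fig 1d, voting (2oo3)": release_frequency(D, f, T, 3, 2),
    }


if __name__ == "__main__":
    sp = 6.8                       # hypothetical high-pressure trip setpoint, bar
    stuck_high = [5.1, 5.0, 7.5]   # constructed readings: third transmitter failed high
    print("1oo1 on the faulty channel:", vote(stuck_high[2:], sp, 1, 1))
    print("1oo2 (Fig. 1c)            :", vote(stuck_high[1:], sp, 1, 2))
    print("2oo3 (Fig. 1d)            :", vote(stuck_high, sp, 2, 3))
    for case, freq in appendix_1().items():
        print(f"{case:26s} {freq:.4f} /year")
```

The same stuck-high channel shuts the column down under 1oo1 and 1oo2 but only raises an alarm under 2oo3, while a stuck-low channel does not stop 2oo3 from tripping on a genuine high pressure. On the reliability side 2oo3 sits between the single and the duplicated trip, which is the trade the text describes. The appendix's asterisk applies here too: channels tested at the same time and exposed to the same common causes fail together more often than this independent-failure model predicts, so the 1oo2 and 2oo3 figures are lower bounds.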
