GCPS 2014 __________________________________________________________________________

Inherently Safer Design: Lessons Learned About the Principle of Simplification

Andrew R. Carpenter, Russell A. Ogle, Brenton L. Cox, Sean J. Dee
Exponent, 4580 Weaver Parkway, Warrenville, IL 60555

Prepared for Presentation at American Institute of Chemical Engineers 2014 Spring Meeting 10th Global Congress on Process Safety New Orleans, LA March 30 – April 2, 2014

UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications


Keywords: Inherently Safer Design; Simplification; hazardous release, fire, explosion

Abstract

The American Institute of Chemical Engineers (AIChE), the Chemical Safety Board (CSB), and the Occupational Safety and Health Administration (OSHA) have all emphasized the importance of advancing inherently safer design concepts into chemical process plants. Incident investigations offer an important opportunity to identify, evaluate, and correct potential shortcomings in the design, construction, operation, and maintenance of a chemical process unit that has experienced a release. This paper focuses on the inherently safer design principle of simplification. The case studies share the common theme of storing or handling liquids. Each case study illustrates how a design flaw led to unintended flow, reverse flow, or overfilling of a vessel which ultimately led to a fire, explosion, or hazardous release. Based on the incident investigation experiences of the authors, the paper illustrates how application of the simplification principle could have prevented these incidents.

1. Introduction

Process risk management has four generic strategies for reducing risk in chemical processes: Inherently Safer, Passive, Active and Procedural. Inherently safer design (ISD) eliminates potential process hazards through the use of safer materials or operating conditions. [1] ISD can be considered during initial design conceptualization and typically results in solutions with low operating costs, high reliability and low levels of complexity when compared with the three alternative risk reduction strategies. [2] While it is not always feasible to eliminate hazards, many professional organizations and regulatory groups have advocated that ISD should be considered before accepting process hazards and relying on safety systems for hazard management. [3-4] Therefore, ISD is commonly placed at the top of the risk reduction design solution hierarchy. [5-6]

This study focused on the examination of the principle of simplification within ISD through case studies. Simplification, along with Minimization, Substitution, and Moderation, is one of the four main approaches to designing inherently safer processes. In the context of ISD, simplification refers to the elimination of unnecessary complexity, thereby reducing the probability of error or misinterpretation. Herein, four case studies are presented involving the storage and handling of liquids: Chlorine Release at a Commercial Water Park, Fire and Explosion at a Specialty Chemical Manufacturer, Chemical Release at an Ethanol Production Facility, and Mixing of Incompatible Wastes at a Waste Treatment Facility. All four cases highlight the role of the principle of simplification in creating inherently safer processes.

2. Methods of Risk Reduction and Design

The progression of a hazardous event into undesired consequences can be controlled through various layers of protection. [7] These layers of protection can be grouped into three categories. At the outer edges of the layers of protection are response layers, which correspond to actions taken after a hazard event has taken place. Response layers are intended to reduce the severity of the consequence of an event, but their effectiveness is often unknown. Underneath the response layers are control layers, which are intended to keep the hazards of a process within safe allowable operating limits. Control layers include basic controls, alarm systems, safety instrumented systems, automated shutdown systems, and physical protection. These systems can influence both the likelihood and the severity of an event by several orders of magnitude.

The design core lies at the center of the layers of protection. This design layer determines the inherent hazards within the process and is the most important layer because it has the capability to completely eliminate hazards through ISD. All the additional layers of protection around the design core serve to mitigate risks and hazards that cannot be eliminated through ISD. Therefore, when performing a layer of protection analysis, inherently safer design is the preferred method for reducing risk when compared with adding independent protection layers.

3. Principles of Inherently Safer Design

Inherent safety is at the top level of the hierarchy of process risk management strategies, above passive, active and procedural approaches. ISD is the process of identifying and implementing solutions that result in the permanent and inseparable elimination of a process hazard. [8] Reduction of process hazards is also included in ISD, and is referred to as a second order approach to inherent safety. ISD includes the following four design strategies:

• Minimization – The use of smaller quantities of hazardous materials.

• Substitution – The replacement of a hazardous material with a less hazardous material.

• Moderation – The concept of limiting the impact of an event by using less hazardous conditions, less hazardous forms of a material, or modifying the facility

• Simplification – The elimination of unnecessary complexity in the design of a facility, resulting in the reduction in the number of errors or a tolerance of process operation fluctuations.

While the concepts of minimization, substitution, and moderation appear simple to apply to a process, simplification can be much more intimidating. Simplification involves the deliberate questioning of the necessity of every aspect of a process and a broad knowledge of all potential alternatives. Simplification also requires individuals to discount the operational history of a process or unit and consider that safer approaches were either disregarded in the initial design, or not considered altogether.

The primary reason complexity exists in plant designs stems from the need to control hazards. [9] Unnecessary complexity can also result from the need to control hazards, the desire for technical elegance, failure to carry out a hazard analysis until too late in the design process, following standards or specifications that are not applicable or necessary, or creating flexibility and redundancy. The strategy of simplification implies a reduction in the complexity of safeguards while simultaneously maintaining or increasing the level of risk reduction.

Understanding the appropriate definition of risk is paramount to the utilization of the concept of simplification in ISD. Risk is the product of an event likelihood and consequence severity. It is important to remember that process designs can be made inherently safer through strategies that affect both likelihood and consequence. Process equipment can often be designed to withstand overpressures and fires at much lower costs than complex safety instrumentation systems. This eliminates the likelihood of a loss of containment event. However, there are circumstances where a loss of containment event cannot be eliminated through process design. In those situations, hazard consequences can sometimes be mitigated by reducing potential consequences through siting. For example, if a vessel cannot be designed to withstand the overpressure generated from an explosion, consequences can be mitigated by ensuring the vessel is not located next to critical pieces of equipment, storage of additional hazardous materials, or occupied buildings. Thus, by being conscious of siting, the risk can be mitigated through reduction of an event consequence.

4. Case Studies: Storage and Handling of Liquids

The desire to reduce risk through complex control schemes can create new hazards that can be mitigated through inherently safer design. The handling and storage of hazardous chemicals at facilities is an example of a routine task that can become unnecessarily complex. These case studies illustrate three common accident scenarios that can arise: unintended transfers caused by siphoning, receiving vessel overflows, and unexpected accumulation in low points of the flow system. In each case, the principles of inherently safer design could have served to reduce the likelihood or severity of the associated incidents.

4.1 Chlorine Release at a Commercial Water Park

This case study involved a chlorine gas release at a public swimming pool. Over one hundred patrons were exposed to the chlorine gas release. The chlorine gas was generated by the inadvertent mixing of sodium hypochlorite solution and muriatic acid (31% aqueous solution of hydrochloric acid). The swimming pool involved in this incident was a lazy river type pool that had a total volume of water greater than 1,000,000 liters. The water treatment system for the pool consisted of filtration, disinfection with bleach, and pH control with hydrochloric acid. The water treatment system operated continuously and had a design capacity of 2,400 liters per minute.

A maintenance contractor was performing some non-routine maintenance on the water treatment system. This activity required that he shut the system down. What the contractor did not know was that while the system was idle, both the concentrated bleach solution and the hydrochloric acid began to siphon from the feed tanks and drain into the mixing tee of the circulation pipe. The mixing tee was a short vertical pipe spool at the lowest point in the mechanical room. The orientation of the injection ports for the chemicals resulted in the lighter solution, muriatic acid, forming a stable layer above the denser solution of sodium hypochlorite. When the main circulation pump was restarted, the superchlorinated water was discharged into the pool area releasing chlorine gas.

Two design improvements would have resulted in an inherently safer design. The first improvement would be to lower the elevation of the chemical feed tanks to reduce the potential for siphoning. The second improvement would be to reverse the installation of the injection ports so that, in the event of siphoning, the heavier solution would enter the mixing tee above the less dense solution, thus encouraging the mixing of the two chemicals.

4.2 Fire and Explosion at a Specialty Chemical Manufacturer

A specialty chemical manufacturer produced a very high purity chemical for the electronics and optics industries. The process involved several stages of batch distillation and batch vacuum distillation operating at near total reflux conditions to achieve the very high purity required. A typical batch distillation could run for several days producing only milliliters of high purity distillate product per hour. The distillate was water reactive, and when allowed to oxidize produced a highly unstable, shock sensitive solid.

A control system failure occurred in the evening while the facility was not staffed. The control system alerted the operators via email that the system had shut down, but the control system did not place the system into a safe state. The control system failure left the heating system in operation and opened the product withdrawal valve on the distillation system. The product withdrawal valve normally operates by opening and closing such that a very slow flow rate of product flows into a receiver. The distillation system typically processes a batch of 30 to 40 liters, while the receiving vessel was approximately 5 liters in volume. With the heating system on and the product withdrawal valve open, the contents of the distillation system overflowed the receiving vessel.

When the operators arrived at the site the following morning, they observed that the receiving vessel had overflowed and a significant volume of distillate had spilled onto the production floor. While attempting to clean the spill, the product ignited, resulting in a fire that destroyed the entire facility and caused the rupture of several chlorine tanks, resulting in an environmental release. Fortunately, the operators who were cleaning the spill had just exited the area prior to the fire and were not injured.

While the extent of damage precluded the ability to determine the specific nature of the control system failure, a simple design improvement would have resulted in an inherently safer design that would have prevented the release and the fire. The receiving vessel was significantly smaller in volume than the volume of material being processed. By increasing the size of the receiving vessel to contain the entire batch contents, the overflow condition resulting in the fire and chlorine release would not have occurred.

4.3 Chemical Release at an Ethanol Production Facility

A corn based ethanol producer sold a variety of animal feed stocks from the residual products left over from the fermentation process. One of these products, wet-cake, is a combination of distillers dry grain (ddg) and corn syrup. The wet cake is produced by adding hot corn syrup at 180°F into the ddg as it exits a grain dryer using a configuration similar to that shown in Figure 1. Hot corn syrup was injected into the ddg conveyor system near the top of an inclined conveyor transition. This location allowed hot corn syrup to pool in the bottom of the conveyor. This build up would progress and eventually plug the vertical transition, preventing ddg from entering the inclined conveyor. To clear the blockage, the facility operator cut a porthole near the bottom of the inclined transition. When an operator attempted to clear the blockage by opening the porthole and rodding through the plug, a stream of hot corn syrup was released which resulted in significant burn injuries to the operator.

Figure 1: Conveyor configuration for mixing distillers dry grain (ddg) and heated corn syrup to produce wet-cake.

Two design improvements would have resulted in an inherently safer design. The first would be to place the conveyor inspection hatch at the top of the conveyor system such that an operator would not have to stand below the opening while attempting to clear a blockage. The second would be to move the corn syrup injection point to the front of the horizontal conveyor that feeds into the inclined conveyor. This location would allow for the ddg and the corn syrup to mix and produce a wet cake and eliminate the pooling which was causing the blockage to occur.

5. Conclusion and Lessons Learned

The storage and handling of liquids requires the use of relatively simple technologies. But even simple technologies can experience failures. If the liquids are hazardous, the consequences of these potential failures must be controlled. These case studies illustrate three common accident scenarios that can arise: unintended transfers caused by siphoning, receiving vessel overflows, and unexpected accumulation in low points of the flow system.

In the case studies presented above, relatively minor changes could have mitigated, or potentially eliminated, the likelihood or severity of the hazards associated with each incident. In the first case study, both system layout and mixing point location alterations could have moderated or prevented the release of superchlorinated water. In the second case, a larger receiving vessel could have prevented the release of the hazardous chemical, and, in turn, the subsequent fire and explosion. In the third case, relocating the inspection port would have kept the operator out of harm’s way during a hazardous procedure, and relocating the injection point for the hot corn syrup may have eliminated the need for the procedure altogether.

Note that, while these alternatives may be obvious in hindsight, the alternatives, or even the hazards, may not have been apparent to the engineers at the time of the design. However, when designing or reviewing a system, let these incidents serve as a reminder to ask, “Are there modifications to the system that could reduce or eliminate any associated hazards?”

6. References

[1] Lees, F. P. Loss Prevention in the Process Industries: Hazard Identification Assessment and Control. 2nd Edition, Volume 1. 1996.

[2] CCPS. Guidelines for Engineering Design for Process Safety. Center for Chemical Process Safety. 2012.

[3] “CSB Releases New Safety Video on Inherently Safer Design and Technology: ‘Inherently Safer: The Future of Risk Reduction’ Examines how Industry Can Eliminate or Reduce Hazards,” Jul 11, 2012, http://www.csb.gov/csb-releases-new-safety-video-oninherently-safer-design-and-technology-inherently-safer-the-future-of-risk-reductionexamines-how-industry-can-eliminate-or-reduce-hazards/ (accessed Jan. 20, 2014).

[4] Hendershot, D. C. “Inherently Safer Design: The Fundamentals,” CEP, January 2012.

[5] Crowl, D. A. Understanding Explosions. Center for Chemical Process Safety/AIChE. 2003.

[6] Johnson, R. W.; Rudy, Steven W.; Unwin, Stephen D. Essential Practices for Managing Chemical Reactivity Hazards. 2003.

[7] CCPS. Guidelines for Safe and Reliable Instrumented Protective Systems. Center for Chemical Process Safety. 2007.

[8] CCPS. Inherently Safer Chemical Processes: A Life Cycle Approach. Center for Chemical Process Safety. 2009.

[9] Kletz, T. A. Process Plants: A Handbook for Inherently Safer Design. 1998.