CE20223 - Safety and Ethics Flashcards
What’s a hazard?
A property or condition which can cause an unwanted event.
These can result in near misses and incidents.
What does the fire triangle consist of?
Fuel + oxygen + energy
Need all three to be present to get a fire
Oxygen may be bound in the fuel, e.g. ammonium nitrate
What are flammable limits?
The fuel concentration, in % by volume of air, must fall within certain limits (LFL - UFL) before it will combust
Typically between 1-10% for most hydrocarbons.
H2, H2S and C2H4 have wide flammable ranges.
What’s the flash point?
Lowest temperature at which a liquid gives off enough vapour to form a flammable mixture with air.
• Some hydrocarbon liquids released to the atmosphere are not hot enough to give off enough vapours that can be ignited by an ignition source
• For safe product handling/storage, typically use ‘Closed Cup Flash Point’ to characterise the flammability
What’s the auto-ignition temperature?
Temperature at which vapours will spontaneously ignite.
- Some process streams are hot enough that when they escape to the atmosphere they will catch fire immediately and so do not need an ignition source
- In practice temperature at which autoignition occurs is > theoretical AIT
What do the parts of the fire diamond suggest?
Blue - health/toxicity
Red - flammability
Yellow - reactivity/instability
White - special notice
0 is lowest, 4 is highest
What are examples of potential ignition sources?
Fired equipment / Hot surfaces - controlled by equipment spacing
Maintenance hot work - controlled by Work Permit System
Electrical equipment - controlled by Work Permit System and electrical area classification
Vehicles - controlled by Work Permit System and plant layout/spacing
Electrostatic ignition - controlled by earthing, design and procedures
Lightning - controlled by earthing structures
What are examples of potential fuel-air mixtures within equipment?
- Fired heaters
- Decoking and catalyst regeneration
- Air used for reaction - oxidation, sweetening, etc.
- Air blowing lines
- Vacuum systems
- Fixed roof tanks
- Tank trucks/railcars/barges/ships
- Sewers
- Confined/recessed areas
- Flare system
- Startup and shutdown
What are examples of equipment failures for potential loss of containment?
- Corrosion
- Improper material of construction
- Brittle fracture
- Gasket leak
- Small bore piping failure (vibration/mechanical damage)
- Seal leak from pump/compressor
- Furnace tube failure
- Overheating / exotherms
- Over/under pressure
- Freeze-up / thermal expansion
- Pipe-line surge (‘water hammer’)
- Check valve / safety valve failure
- Hose / loading arm failure
- Bellows failure (Flixborough VCE 1974, full lecture)
- Rupture from collision
What are examples of operating procedures causing potential loss of containment?
• Taking equipment out of service:
- Equipment draining / depressurizing / blinding
• Bringing equipment back into service:
- Deblinding
• Tank / tanker filling
• Tank gassing / frothovers
- Routing light product to tank
- Routing water to hot tank / hot product to cold tank
- Purging / venting
- Draining water
- Sampling
What are VCEs?
Vapour cloud explosions
Gas or vapours escaping to the atmosphere can form a flammable mixture, which if ignited, can produce an explosion (VCE) followed by a fire.
Ignition of a flammable cloud in an open area will normally produce a flash back fire with low levels of overpressure.
When do VCEs occur?
Vapour cloud explosions require the flammable cloud to be within a congested area.
Multiple obstacles increase turbulence of the flame front. This increases both the flame speed and the magnitude of the pressure wave. The increase in pressure causes an increase in temperature / Ek. This can act as an ignition source.
VCEs are more likely to occur with a large amount of fluid, involving release of LPG or volatile liquids.
VCEs can produce a damaging overpressure wave which can cause non-blast resistant buildings to collapse, and also result in secondary equipment failures and fires.
What is the difference between deflagration and detonation?
Deflagration is more typical of explosions resulting from flammable releases to atmosphere (flash back fires, unconfined vapour clouds).
- Flame front travelling at subsonic velocity.
- Overpressure normally <1 barg.
Detonation is likely to occur inside a confined space (e.g. tank, pipe)
- Flame front travelling at supersonic velocity produces a shock wave which compresses and pre-heats reactants ahead of flame front.
- Overpressure typically > 10 barg.
What’s deflagration?
Combustion which propagates through a gas or across the surface of an explosive at subsonic speeds, driven by the transfer of heat.
A fire is a slow form of deflagration.
Deflagration is more typical of explosions resulting from flammable releases to atmosphere (flash back fires, unconfined vapour clouds).
The flame front travels at subsonic velocity.
Overpressure normally < 1 barg.
What’s detonation?
Combustion of a substance which is initiated suddenly and propagates extremely rapidly, giving rise to a shock wave.
Detonation is likely to occur inside a confined space (e.g. tank, pipe).
The flame front travelling at supersonic velocity produces a shock wave which compresses and pre-heats reactants ahead of flame front.
Overpressure typically > 10 barg.
What are the impacts of VCEs on people for different peak over-pressures?
1 psi - knock personnel down
5 psi - ruptured eardrums
10-35 psi - damage to lungs up to threshold fatalities
50-65 psi - 50-99% fatalities
How is a process analysed?
Describe process under normal conditions
Describe the event itself
What was learnt from the accident / how can it be prevented
Analysis of the Flixborough VCE 1974 accident:
• Cyclohexane was oxidised to cyclohexanone (a precursor for the manufacture of Nylon) by injecting air in the presence of a catalyst.
• The process of oxidation is relatively slow and six stirred reactors were used in series.
• Reaction kinetics dictated that the cyclohexane in the reactors should be maintained at 155°C and 9 barg – liquid phase.
• When released to atmosphere some of the liquid flashed-off creating a vapour cloud.
Adiabatic flash of reactor inventory (100 t) gives ~40 t vapour cloud.
- 28 employees were killed (mostly inside buildings) and 36 injured.
- Extensive damage to process plant.
- 53 members of public injured and 1800 houses damaged.
• Release occurred due to failure of temporary piping/flexible bellows.
- A relatively simple bypass had been installed to allow one of the reactors to be taken out of service for repairs.
• The temporary bypass had not been properly engineered or reviewed.
- No engineering drawing prepared and only basic calculations were carried out.
- Lack of necessary engineering expertise.
- Maintenance team did not recognise that offset piping created bending moment and high shear forces at bellows.
• No structured process for reviewing and authorising changes.
• Occupied buildings were not blast resistant and were located too close to process areas handling highly flammable material.
This could be prevented by double checking calculations
How do ethics and morality differ?
Morality is the difference between right and wrong
“The totality of opinions, decisions, and actions with which people express, individually or collectively, what they think is good or right”.
Ethics is the systematic reflection on morality.
- how to make moral judgements. There are many ethical theories and frameworks designed to help people arrive at good moral judgement.
- can be ‘DESCRIPTIVE’ concerned with existing morality, or ‘NORMATIVE’ when it tries to produce recommendations about how to act or live.
What are the 6 moral competencies?
Sensibility
Analysis skills
Creativity
Judgement
Decision-making
Argumentation
What are the 3 Ps for corporate social responsibility?
People
Planet
Profit
What are the key aspects of honesty and integrity?
Act in a reliable and trustworthy manner
Respect confidentiality
Declare conflicts of interest
Reject bribery and improper influence
What are the key aspects for respect for life, law, the environment and public good?
Hold paramount the health and safety of others and draw attention to hazards
Recognize the importance of cyber security and data protection
Protect and improve built and natural environments
Maximise the public good and minimise both actual and potential adverse effects for their own and succeeding generations
Take due account of the limited availability of natural resources
What are the key ethical aspects considering accuracy and rigour?
Perform services only in areas in which they are currently competent or under competent supervision
Keep their knowledge and skills up to date
Assist the development of engineering knowledge and skills in others
Identify, evaluate, quantify, mitigate and manage risks
Not knowingly mislead or allow others to be misled
What are the key ethical aspects when considering leadership and communication?
Promote equality, diversity and inclusion
Promote public awareness and understanding of the impact and benefits of engineering achievements
Be objective and truthful in any statement made in their professional capacity
Challenge statements or policies that cause them professional concern
What are the 4 main ethical principles?
Honesty and integrity
Respect for life, law, the environment and public good
Accuracy and rigour
Leadership and communication
What are the 3 ethical theories?
Consequentialism
Deontology (duty ethics)
Virtue ethics
What are values, norms and virtues?
Values - lasting matters that people feel should be strived for in general to realise a just society
Norms - rules that prescribe what actions are required, permitted or forbidden
Virtues - certain type of human characteristic or quality
What’s consequentialism?
Consequences of actions are central to the moral judgement of those actions.
Utilitarianism: actions are judged by the amount of pleasure and pain they bring about - by their ability to benefit a majority.
Considers profits and losses / pleasure and pain.
What does deontology / duty ethics consider?
Duty is a better guide to decision making than pleasure.
Action is considered morally right if it agrees with a certain moral rule.
This rule says ‘you may not lie’ and there are no circumstances under which it is morally right to lie.
What does virtue ethics consider?
An ethical theory that focuses on the nature of the acting person. This theory indicates which good or desirable characteristics people should have or develop to be moral.
Variant: Aristotle’s (322 – 322 BC) Theory
Each moral virtue (character virtue) holds a position of equilibrium and it is the middle course between two extremes of evil
E.g. A courageous person will not act as a coward in a dangerous situation, but he/she will also not be reckless and ignore the danger.
What’s universalism?
A system of norms and values that are universally applicable to everyone, independent of time, place or culture.
What’s the categorical imperative, universality principle and reciprocity principle?
Categorical imperative: A universal principle of the form “Do A” which is the foundation of all moral judgments in Kant’s view.
When judging the morality of an action, it should not lead to a contradiction (self-defeating)
Universality principle: First formulation of the categorical imperative: Act only on that maxim which you can at the same time will that it should become a universal law.
(1) Assume the action is morally correct when you act on it – (2) Assume that everyone can also follow this norm (universality principle) – (3) will this norm survive?
Reciprocity principle: Second formulation of the categorical imperative: Act as to treat humanity, whether in your own person or in that of any other, in every case as an end, never as means only.
What’s the Kantian theory?
What are its criticisms?
We can speak of good will if our actions are led by the categorical (= unconditional) norm ( = rule).
E.g. If the rule says ‘you may not lie’ there are no circumstances under which it is morally right to lie.
Vs. hypothetical norm: a conditional norm, that is, a norm which only applies under certain circumstances
Criticism:
According to Kant all moral laws can be derived from the categorical imperative. Bending rules is not allowed.
Do all these laws form an unambiguous and consistent system of norms? What about contradictory norms (e.g. whistle-blowing)
Kantian theory (and duty ethics) often elicits the objection that a rigid adherence to moral rules can make people blind to the potentially very negative consequences of their actions
Ford Pinto Ethics Case Arguments:
Ford made a cost-benefit analysis to justify actions which showed that total social costs of retrofitting all the cars > social costs of the expected accidents.
Objections against utilitarianism:
(1) amounts of money attached to different kinds of pain (dead, injuries) seem rather arbitrary (some were based on government documents)
(2) Reliability of the estimates (e.g. the number of fatalities)
By deciding solely based on considerations of overall welfare or happiness, Ford adopted a policy of allowing a certain number of preventable deaths/injuries. The case reveals abuse because the victims were sacrificed to optimize overall welfare (the ends justify the means).
Abandoned the “you cannot put a value on human life” or the freedom principle of Mill.
Universality principle: “Ford will market the Ford Pinto, knowing that the car is unsafe and without informing the consumers”
Can this become a universal law and be without contradiction?
“Marketing unsafe cars without informing the consumers is allowable.”
- Loss of customer trust and hence marketing a car would become impossible.
Reciprocity principle: Implies respect for people’s moral autonomy in making their own choices - Ford should have informed its consumers about the safety of the Pinto - so they can make an autonomous rational decision on the car purchase.
Failing to inform them, the rational agency of the consumer was thus undermined, and they were used as merely a means to achieve Ford’s aim: increasing Ford’s turnover
What’s an ethical cycle and what are the 5 phases?
A tool in structuring and improving moral decisions by making a systematic and thorough analysis of the moral problem, which helps to come to a moral judgement and to justify the final decision in moral terms.
1) Moral problem statement
2) Problem analysis
3) Options for actions
4) Ethical evaluation
5) Reflection
Leading to morally acceptable actions
What is mentioned when formulating a moral problem statement for problem analysis?
- State what the problem is
- State relevant facts
- State relevant moral values
Consider shareholders and their interests, who has to act and the moral nature of the problem.
What are the three different strategies for phase 3 - options for actions within an ethical cycle?
Black-and-white strategy
Cooperation strategy
Whistle-blowing strategy
What’s the black-and-white strategy (in ethical cycle)?
A strategy for action in which only two options for actions are considered: doing the action or not.
(Not useful for more complex situations)
What’s the cooperation strategy (in ethical cycles)?
The action strategy that is directed at finding alternatives to help solve a moral problem by consulting other stakeholders (can lead to win-win situations)
What’s the whistle-blowing strategy (in ethical cycles)?
Going public with the information; used as a last resort strategy as it is quite damaging to both the individual employee and the organization.
What is considered in the ethical evaluation of an ethical cycle?
You must evaluate the moral acceptability of the various options for action.
These judgments need not be the same because different frameworks can result in different preferred options for action in each situation.
Based on both formal (based on professional ethics such as codes of conduct and the main ethical theories) and informal moral frameworks (intuitions and common sense)
Intuitivist framework: indicate which option for action in your view is intuitively most acceptable and formulate arguments for this statement.
Common sense method: weigh the available options for actions in the light of the relevant values.
E.g. although making a profit is important, the value that is really at stake is public safety
What do HAZOP and HAZID stand for?
Hazard and operability (HAZOP)
Hazard identification (HAZID)
What’s risk?
Risk is a measure of the hazard release potential.
It’s the likelihood of something negative happening
- Prerequisite: you know/understand the hazard!
- Minimise hazard (and risk) through inherently safer design
- Minimise release potential through designed and procedural control measures
How can hazards be measured?
1) Dow Fire & Explosion Index (F&EI)
- Semi-quantitative approach (numerical result).
- Output provides an overview of risk exposure and not a specific list of potential deficiencies/hazards.
- Can provide estimate of Maximum Probable Property Damage.
- Useful in ranking different alternatives.
2) Mond Index
- Developed by ICI (Imperial Chemical Industries) after Flixborough.
- Based on Dow Index, modified to address wider scope of hazards.
- Includes plant layout and separation between hazardous units.
What do values for the Dow F&EI suggest about a hazard?
1-60: light
61-96: moderate
97-127: intermediate
128-158: heavy
159 < : severe
What is material factor, MF?
A measure of intrinsic rate of energy release due to fire or explosion.
How is the F and EI Dow index calculated?
F&EI = MF * F1 * F2
Where MF is the material factor, F1 are the general process hazards and F2 are the special hazards.
How is material factor, MF, obtained?
From NFPA (National Fire Protection Association) ratings. Based on most dominant/highest risk material present.
It’s the product of Nf (flammability) * Nr (reactivity)
(Non-combustible/stable - MF equals 1
Highly reactive/flammable - MF equals 40)
How are F1 and F2, considering general and special hazards, calculated to find F&EI index?
F1/2 = total number of penalties + 1
1 is the base factor
What does LCCF represent?
Loss control credit factor
How is LCCF (loss control credit factor) calculated?
LCCF = C1 * C2 * C3
Where:
C1 considers process control factors
C2 considers material isolation factors
C3 considers fire protection factors
What do factors C1, C2 and C3 consider in the LCCF (loss control credit factor)?
C1 - Process Control Factors
E.g. Emergency power, cooling, computer control, inert gas, hazard analysis, operating Instructions.
C2 - Material Isolation Factors
E.g. Remote control valves, dump tanks, drainage, interlocks
C3 - Fire Protection Factors
E.g. Leak detection, steel protection, fire water supply, deluge, foam, monitors, cable protection
Loss Control Credit Factor (LCCF) = C1 * C2 * C3
Individual control factors are in the range 0.9 to 0.99
(For example 5 x control factors @ 0.95 gives a LCCF = 0.77)
What is MPPD?
Maximum probable property damage.
It’s a function of the Dow F&EI index and LCCF
What are the 4 main principles of inherent safety?
Minimise
(E.g. reduce inventories, reduce vessel hold-up, use loop reactor)
Substitute
(E.g. use non-flammable refrigerants)
Moderate
(E.g. lower T and P)
Simplify
What are the details of the Flixborough VCE accident?
- 28 employees were killed (mostly inside buildings) and 36 injured.
- Extensive damage to process plant.
- 53 members of public injured and 1800 houses damaged.
• Release occurred due to failure of temporary piping/flexible bellows.
- A relatively simple bypass had been installed to allow one of the reactors to be taken out of service for repairs.
Description of process for Flixborough VCE accident:
• Cyclohexane was oxidised to cyclohexanone (a precursor for the manufacture of Nylon) by injecting air in the presence of a catalyst.
• The process of oxidation is relatively slow and six stirred reactors were used in series.
• Reaction kinetics dictated that the cyclohexane in the reactors should be maintained at 155°C and 9 barg – liquid phase.
• When released to atmosphere some of the liquid flashed-off creating a vapour cloud.
Adiabatic flash of reactor inventory (100 t) gives ~40 t vapour cloud.
Primary causes of Flixborough:
The temporary bypass had not been properly engineered or reviewed.
- No engineering drawing prepared and only basic calculations were carried out.
- Lack of necessary engineering expertise.
- Maintenance team did not recognise that offset piping created bending moment and high shear forces at bellows.
• No structured process for reviewing and authorising changes.
• Occupied buildings were not blast resistant and were located too close to process areas handling highly flammable material.
This could be prevented by double checking calculations
What are possible reasons for loss of containment for the Torrance refinery explosion?
- Low P in reactor caused back-flow of hydrocarbons from the main DC, which escaped into the regenerator and ESP (electrostatic precipitator)
- Slide valves unable to maintain catalyst barrier to prevent fuel and air from mixing (due to corrosion)
- Overpressure caused steam to leak into the air side of the FCC, making it hard to repair
- Leaking HX allowed addition of different, light, heated hydrocarbons
- Thermal runaway
- Poorly installed equipment
Ignition source:
- ESP
Fuel-air mix:
- Air continued to move through the ESP
- Hydrocarbons leaked to the air side of the reactor
What are examples of atmospheric storage tanks?
Cone roof (CR) tankage
Floating roof (FR) tankage
What are properties of cone roof tanks?
CR
Tank roof is fixed.
There is always a vapour space above the liquid level.
Used for storing materials at temperature < flash point. (So no vapours for ignition form)
Cone roof useful to drain rainwater / snow away, preventing additional weight on tank (if tank were to have flat roof)
What are properties of floating roof tanks?
Tank roof floats on top of the liquid surface and rises/falls as the liquid level in the tank changes.
There is no vapour space between the liquid and the roof.
Used for storing materials at temperature > flash point.
Not suitable for liquids with TVP (True Vapour Pressure, ASTM D 2879) > 0.9 bara. (Since P above atmospheric would cause the roof to move and tilt, and scratching against the tank wall could create an ignition source)
What are sample hazards in CR (cone roof) tanks?
Liquid overfill
Tank Overpressure or vacuum
Ignition of flammable vapour space inside tank
Tank overheated, causing:
- flammable vapour space/fire
- foam over (water heel)
Possible control measures of CR (cone roof) tank hazards:
Liquid overfill
- use level indicators, secondary containment. (LHA- level high alarm)
Tank Overpressure or vacuum
- use vent valves
Ignition of flammable vapour space inside tank
- locate safe distance away from other equipment / ignition sources
Tank overheated causing flammable vapour space/fire or foam over (water heel)
- high temp alarm or cut-out on tank heater coil
What are examples of FR (floating roof) tank hazards?
Liquid overfill
Tank Overpressure or vacuum
Vapour release/fire, causing high vapour pressure material or gas blow through
Tank roof sinking
Tank fire, causing vulnerability to lightning
Rim seal fire
Full surface fire (FSF) - (hard to recover from)
Possible control measures of FR (floating roof) tank hazards:
Liquid overfill
- use level indicators, secondary containment. (LHA - level high alarm)
Tank Overpressure or vacuum
- use vent valves
Vapour release/fire, causing high vapour pressure material or gas blow through
- THA (temp high alarm)
- LLCO (level cut-off) on upstream tower
Tank roof sinking
- roof drain
- routine operator checks
- multiple pontoon roof design
- maintenance
Tank fire, causing vulnerability to lightning
Rim seal fire
Full surface fire (FSF) - (hard to recover from)
(For all three...)
- HTA and temp control / cut-off
- foam dam
- FSF attack strategy
What’s the Joule-Thomson effect?
The Joule-Thomson (JT) effect is a thermodynamic process that occurs when a fluid expands from high pressure to low pressure at constant enthalpy (an isenthalpic process).
If the Joule-Thomson coefficient is positive, the fluid cools upon expansion; if it is negative, the fluid warms upon expansion.
Why is pressurised storage used?
To store materials that are vapour/gas at atmospheric conditions and too volatile to store in CR or FR tanks.
What are the 3 main pressure vessel storage container designs?
Above ground sphere
Above ground drum (bullet)
Mounded drum (bullet)
What are possible hazards and controls of pressurised storage tanks?
Liquid Overfill
- Three independent level measurements (and safety valve)
Tank Overheating (BLEVE from sustained pool fire)
- Fixed water spray/deluge, often automatically activated
- Fire-proofing
- Sloped ground under tank
Vapour release/fire
- Gas detection/alarm
- Water flood (to fill tank rapidly and float LPG up and away from leak site)
Sampling and water draw-off
- Freeze-proof design
What’s a BLEVE?
Boiling liquid expanding vapour explosion.
Main hazard is due to radiant heat from fire ball (up to 500 m)
• When the vessel is exposed to fire the metal weakens. As liquid inside the vessel boils off, the vessel wall dries out and the metal surface temperature increases
- Metal softens, yields and ruptures releasing expanding liquid vapour
What are the key BLEVE prevention systems?
Gas and fire detection
Emergency Block Valves (EBV)
Drencher system
Containment area slopes away from sphere
Use of mounded drum (inherently safe)
What’s LPG?
Liquified pressurised gas
What happened in the LPG Sphere BLEVE (Boiling Liquid Expanding Vapour Explosion)?
(Elf Refinery Feyzin, 1966)
An operator was draining water from the sphere to local sewer.
- A valve was partially blocked due to hydrate (crystal-like) formation (sub-zero temperature)
- Blockage suddenly cleared – valve was still fully open.
- Leak ignited 25 min later by car travelling on nearby road (150m)
- 90 min after fire started sphere BLEVE occurred
- 18 killed; 80 injured
What was learned from the LPG Sphere BLEVE (Boiling Liquid Expanding Vapour Explosion)?
(Elf Refinery Feyzin, 1966)
To position the sphere on slopes.
Install a series of drainage valves, farther away from the sphere.
Some of the valves may remain closed throughout.
Drainage system at an angle.
(If Fire is ‘taken away’, the BLEVE is stopped/taken away)
What’s refrigerated storage for?
Used to store materials that are vapour/gas at normal atmospheric conditions – too volatile to store in CR or FR Tanks
Liquefied natural gas, LNG. NBP = -160 °C
Storage container operates at low pressure (typically 0-5 psig)
- Tank is insulated
- Liquid boils off at a controlled rate due to heat inputs
- Vapour is compressed back to liquid and refrigerated
- Release of liquid from refrigerated storage does not have same potential for VCE
- BLEVE scenario is also not credible
• Materials of construction need to be suitable for low operating temperatures (Brittle Fracture)
What’s LNG?
Liquified natural gas
Overview of the Buncefield explosion (2005) site:
There was a large distribution terminal, occupied by 3 separate companies (Hertfordshire Oil Storage Ltd (HOSL), UK Oil Pipelines Ltd and BP Oil UK Ltd.)
Gasoline was released from the HOSL west site
The terminal is fed by 3 separate pipelines, and handles gasoline, diesel and jet products
The west boundary of the site adjoins an industrial estate
The severity of the explosion was much higher than would have been predicted given the low level of confinement.
Actual overpressures in open areas of the Northgate and Fuji car parks were 0.7-1.0 barg.
• Normal scenario for an atmospheric storage tank overfill is fire.
• However, there is some past experience of gasoline tank overfill resulting in explosions.
- Typically involve large quantity of fuel (>100m3).
- In each case wind speed was low (or zero) allowing a large vapour cloud to form.
Buncefield explosion appeared to be unique due to apparent lack of obstacles which would induce turbulence and lead to rapid flame propagation.
- HSE are carrying out further work involving industry experts
Summary of the Buncefield explosion incident:
On the evening of 10th December 2005 Tank 912 started to receive a pipeline transfer of gasoline (550m3/h)
At approx. 3 am on 11th December, the tank level gauge indicated a static level.
However, the tank continued to receive product at the same rate, and the actual level in the tank continued to rise.
The tank started to overflow at 0520 and by 0600 approx. 480m3 of gasoline had overflowed into the bund and surrounding area.
A vapour cloud had spread approx. 200m from the tank towards the Industrial Estate.
At 0601 the first of several explosions occurred causing significant damage to both commercial and residential property in the vicinity.
- Fire engulfed over 20 large fuel tanks
- 2000 people were evacuated and sections of the adjacent motorway were closed.
- 43 people were injured, none seriously (incident occurred early on Sunday morning)
HSE (health and safety executive) investigation of the Buncefield explosion:
Immediately following the incident the HSE carried out a review and inspection of all Major Hazard sites in the UK to verify that existing standards and best practices were being followed.
The release was due to a tank being overfilled – tank was being filled by pipeline ~ 550m3/h.
The ignition source was believed to be the electric fire pumps.
The tank was fitted with a level instrument, independent LHA and LHCO.
- The level instrument had stuck (14 malfunctions had been reported in previous 5 months).
- LHCO and alarm did not work - it was not responded to or was disabled?
• Evidence that some shifts allowed tank level to exceed ‘high’ and even ‘high-high’ alarm to accommodate pipeline parcel.
• Specific HSE Alert issued concerning design and operation of LHA – concern that alarm can be disabled if test lever is inadvertently left in the incorrect position.
Believe an aerosol could have formed
What was recommended/learned following the Buncefield explosion?
Major Incident Investigation Board issued recommendations on Design and Operation of sites storing highly volatile materials.
- Provision of independent LHA and automatic overfill protection.
- All elements of overfill protective system should be tested (eliminate use of internal floats).
- Use of gas detection, CCTV etc. to provide early detection of loss of containment (linked to automated response).
- Modified design of new tanks to reduce risk of aerosol/vapour formation in the case of tank overflow.
- Industry to share incident/near miss data.
- Develop Process Safety indicators.
Explosion mechanism for Buncefield explosion:
Explosion severity was far greater than would normally have been expected for a vapour cloud.
- A VCE typically results in deflagration (< 1barg overpressure).
- Based on damage to cars, drums and lamp posts the max estimated overpressure was 2 barg – this would require some form of detonation.
Detonation normally requires a confined volume such as inside a building, pipe or vessel.
- Evidence suggests that the ignition source was inside the fire pump house.
- However, once outside the building the flame front would decelerate rapidly.
For the flame front to continue to accelerate requires congestion to create turbulence.
- Piping, vessels and plant structures have been shown to create deflagration type explosion only.
- Tests and analysis have shown that congestion due to trees/shrubs along adjacent lane may have been responsible for the higher overpressures.
Examples of pressure relief devices:
Pressure relief valves, PRVs (spring loaded valve which opens at a given set pressure).
Pressure vacuum valves (typically for low pressure systems – use dead weights).
‘U’ seal or dip leg (for low pressure systems – hydraulic head provides fixed backpressure).
Bursting disc (thin plate – ruptures at specified pressure).
Where do relief devices discharge to?
Closed systems:
- Dump tank/scrubber/quench vessel
- Flare ring main connected to an elevated flare stack
- For older facilities, PRVs are often routed to atmosphere providing material is not liquid phase.
Components of a conventional PRV (pressure relief valve):
Body, blowdown adjustment ring, nozzle, seat disk, disc holder, bonnet, spring, set pressure adjusting screw
Spring opens at set differential pressure between inlet and outlet.
For relieving pressure that is independent of outlet pressure, use bellows.
Advantages and disadvantages of PRVs (pressure relief valves):
Benefits
+ PRV set pressure for actual device can be tested prior to installation and at routine intervals.
+ Device should reseat after lifting once pressure has been reduced
Disadvantages
- Increased risk of blockages due to corrosion products
- Valve seat leakage
- PRV inlet and outlet pipework pressure drop needs to be low to avoid instability (PRV chatter)
- Slower response time (tenths of a second up to > 1 second)
Advantages and disadvantages of bursting discs (pressure relief device)
Benefits
• Very fast response times (milliseconds);
• Less risk of blockage than relief valves
• Lower cost to install and maintain
• Available in a wide range of materials
• No leakage
Disadvantages
• Non re-closing hence may allow large discharges even when pressure falls below relieving (rupture) pressure
• Potential for premature failure due to pressure pulsation, especially if the rupture pressure is close to the operating pressure
• Rupture pressure affected by back pressure
• Risk of incorrect assembly (upside down) !!! (i.e. it would never burst)
• Cannot be tested so regularly replaced
Pressure relief vessel design codes:
American Society of Mechanical Engineers (ASME):
Relieving pressure shall not exceed MAWP (normally DP) by more than:
- 3% for fired and unfired steam boilers
- 10% for vessels equipped with a single pressure relief device
- 16% for vessels equipped with multiple pressure relief devices
- 21% for fire contingency
EU pressure equipment directive (PED) has a different interpretation:
+ 10% for all pressurized equipment with DP >0.5 barg, under all circumstances.
What’s considered when discussing PRV capacity?
Issues e.g.
• Instrument air failure
• Steam failure wide open
• Electric power failure
• Blocked outlet - operator error
• Cooling water failure
• Loss of reflux
• Tube rupture
• External Fire
Detailed over pressure contingency analysis needs to be carried out to determine required PRV capacity.
- Evaluate credible scenarios and calculate required relief load under these scenarios
- EU Pressure Equipment Directive requires that all “foreseeable” causes of overpressure be considered
- Two unrelated events (double contingency) are not normally considered
How are flares used in closed disposal systems?
Closed system needs to be sized to handle largest pressure relief demand:
- Single largest relief load
- Emergency manual depressurisation of reactor systems
- Multiple PRD activated due to failure of plant utility (electricity, instrument air, cooling water, steam)
Facilities need to be provided to contain any liquid and to scrub or flare any hazardous vapours.
Vent/flare stacks need to be sufficiently elevated to ensure good dispersion and should be located away from public areas/process units to minimise exposure of people to radiant heat
Liquid seal drum and dip leg arrangement to prevent flash back from flare stack into flare ring main
Alternative to flare is a gas scrubber and atmospheric vent which needs to be available at all times
What are batch and semi-batch reactors used for?
Used extensively in speciality chemicals and pharmaceuticals industries
- Low volume
- Facilities sometimes used to produce different grades/products
What are the hazards of runaway exothermic reactions?
Potential for rapid thermal decomposition causing deflagration/detonation
High bulk temperature can cause material to boil/vaporise. Potential for contents to overpressure and erupt from vessel.
Reaction generates high volumes of gas which overpressures the reactor
Secondary fire/explosion due to loss of primary containment
What are the causes of runaway reactions?
Reactive chemistry not fully understood
Reactants added in wrong quantities or wrong order
Contaminants
Inadequate temperature control
Poor mixing
Inadequate emergency venting facilities
Failure to take emergency action in the event of high temperature
What are the effects of scale-up on heat balance?
Rate of heat production is proportional to volume
Natural cooling capacity is proportional to surface area
How is reactive chemistry considered in the safety of processes?
Literature search, industry experience and laboratory data
Conduct calorimetric tests
Oxygen balance can help identify whether CXHYOZ compounds could decompose violently
CXHYOZ + (2X + Y/2 – Z)O -> XCO2 + (Y/2)H2O
Oxygen balance = -1600(2X + Y/2 – Z) ÷ MW (High Risk if > -200)
From the Heat of Reaction (ΔH) can estimate maximum Adiabatic Temperature Rise (ΔTad)
ΔTad = - ΔH/Cp
Check if max. temperature is below temperature at which:
- Other reactions start to take place (e.g. decomposition)
- Reactants boil
- Gas evolution occurs
What are examples of control measures for reactor safety?
Emergency cooling facilities
Chemical inhibitor injection to suppress reaction or poison catalyst
Drown-out or quenching
- Use an inert medium to quench and dilute the reactants
- May need to dump contents to a secondary vessel if insufficient space in reactor
Provide adequately sized emergency venting facilities (bursting disc)
- Consider hazards of venting reactor to atmosphere and need for scrubber tower/containment facility
Protective instrument systems can be used to automate some or all previous control measures
Consider Inherently Safer design (e.g.)
- Use semi-batch operation, add reactants gradually
- Use CSTR
- Use smaller reactor volume (e.g. loop type reactor)
- Design reactor to withstand worst case temperature/pressure conditions
What is the order of the hierarchy of controls, from most to least effective?
Elimination - physically remove the hazard
Substitution - replace the hazard
Engineering controls - isolate people from the hazard
Administrative controls - change the way people work
PPE - protect the worker with Personal Protective Equipment
What are BPCS, SIS, HPS and SIFs?
BPCS - basic process control system
SIS - safety instrumented systems
HPS - hardware protective systems
SIF - safety instrumented functions
Examples of Safety Instrumented Functions (SIFs):
Temperature High Cut-in (THCI) quench/cooling activation for exothermic reactor
Level High Cut-out (LHCO) to prevent vessel overfill
Furnace Flow Low Cut-out (FLCO) to prevent tube rupture
How is hazard rate, H, calculated?
H = D * F
Hazard rate = demand rate * failure of hazard controls
Once found, you must consider:
• Is this low enough/acceptable?
• If not, what are the options?
• Independent cut-out? This hazard control would be a safety instrumented function but it too can fail so...
• How reliable does it need to be?
What’s a SIF?
Safety Instrumented Function (SIF) – monitors a unique process variable or variables and takes a specific action when a prescribed limit is exceeded.
Each SIF will have its own availability target defined by the process designer.
What’s AT?
Availability Target (AT) – the required reliability of the SIF to manage the risk adequately.
What’s SIL?
Safety Integrity Level (SIL) – defined availability ranges for standardising protective equipment design and certification
What’s PFD (in safety/ethics)?
Probability of Failure on Demand (PFD) – the chance that the safety instrumented function will fail when required.
What are the key design features of SIS (safety instrumented systems)?
Independent - no point in sharing the same power supply as the basic control system that just failed
Fail-safe - if the power or actuating signal fails, system goes to its safe condition.
Maintained/Testable - it should be possible and safe to test the function periodically to maintain assurance that it will work on demand.
Well documented - future engineers/managers understand what it is protecting and how reliable it needs to be. Essential for future management of change.
What is DP (design pressure) based on?
Based on max. foreseeable internal pressure/vacuum, unless uneconomic.
Pressure Relief Valve (PRV) set at a given margin (e.g. ASME, EU PED) to avoid unnecessary lifting PRV.
What’s DT (design temperature) based on?
Normally based on Max. Operating Temperature (MOT) from Heat and Material Balance.
Typically a margin of 10-15°C added to MOT to give DT.
DT is also used for piping when assessing thermal stresses from expansion/contraction.
Material strength decreases as temperature increases.
What does it mean to be boxed in?
When all the valves/outlets are closed
How is DP, design pressure, considered?
The DP is normally set by the pressure source (pump or compressor) shut-in conditions i.e. blocked outlet, zero flow.
- Overpressure should be limited by set pressure of PRV protecting the circuit (typically 10% above DP).
- Some equipment operated in a batch or semi-continuous manner may have potential to be ‘boxed-in’ (all outlets closed)
- Liquid filled equipment can be subjected to high internal pressures due to thermal expansion caused by solar gain or external heat tracing.
- Heat exchanger/reboiler tube rupture can expose low pressure side to high pressure fluid.
- Equipment that is subjected to vacuum conditions should be identified.
- Do not assume that vessel can withstand full vacuum if not specified.
What are example reasons for too-high pressures?
Relief path blocked
Safety valve too small or not fitted
Oxidiser in system with flammable - new volatile gas components are created that were not expected
Inadvertent mixture of reactants
Thermal expansion
Connected non-design pressure source
Design pressure under-specified
Wrong spec break
What are possible reasons for too-low Pressure?
Unexpected cooling
Composition changes
Loss of heating
P/V Vent Capacity Inadequate (or plugged) and
• Pump out
• Rain shower
• Ambient temperature/pressure drop
What must be considered when discussing DT (design temperature)?
- The maximum feed temperature from upstream unit.
- The max. outlet temperature from fired heater or other heating medium.
- Max temperature if an upstream heat exchanger (cooler) is bypassed e.g. for maintenance.
- Predicted reactor outlet temperature (at “end of run” condition).
- Joule-Thomson cooling effect.
- Auto-refrigeration due to liquid evaporating/boiling to vapour when pressure is reduced
- Solar radiation
- Local site min/max ambient temperatures
- Especially min temperature e.g. Norway -25°C
What are possible reasons for too-high temperature?
External Fire
Reaction Runaway
Loss of Cooling
Pumps/Compressor Energy
Loss of Furnace Feed (overheats tubes)
Heat Tracing on Idle Line
Pyrophoric Materials - Likely to auto-ignite
Electrical heating element control not sensing highest temperature
Inadvertent Catalysis
What are possible reasons for too-low temperature?
Loss of Heating
Auto Refrigeration
Process Composition Changes
Low Ambient Temperatures
Hydro testing
What’s a specification break?
A specification break is a point in the piping where the material or flange rating changes, typically at a valve that might be closed
• This is allowable if the lower rated section is independently protected from overstress.
• Line identification typically must include size, flange class and material (and sometimes the corrosion allowance in mm).
How does pressure vary with flow through centrifugal pumps?
As flow increases, frictional pressure drop through the system increases as the square of flow. (System resistance curve)
As centrifugal pump flow increases, delivery pressure decreases due to frictional drop within the pump, also as the square of flow (pump head curve).
As flow demand on centrifugal pumps increases, the capability of the pump to deliver pressure decreases while the pressure demand increases.
With no control valve, the system quickly reaches a single stable flow (at the intersection of the system and pump curves), only dependent on fluid density.
With a control valve, maximum flow is approximately the same, but adjustable down to zero.
What’s HAZOP?
Hazard and Operability study.
A formal systematic method for examining the potential hazards that may arise due to mal-function or mal-operation of individual items of equipment or processes.
Identify hazards that can result in SHE consequences.
Identify operability issues (e.g. no spare pump, inadequate facilities to isolate and drain equipment for maintenance).
Its aim is to identify hazards, not solve them
When are HAZOPs completed?
They’re best done at front end engineering and design (FEED) stages as changes are less costly.
HAZOP is carried out on the P&ID (Process and Instrumentation Drawing) or Flowsheet (less effective).
HAZOP methodology:
HAZOP is carried out on the P&ID (Process and Instrumentation Drawing) or Flowsheet (less effective).
• The study is carried out by a multi-discipline team of experienced people.
- Provides opportunity to explore/brain storm “what could go wrong?” in a systematic way.
- The team help to stimulate and build on each other’s ideas and questions.
• The P&ID is divided into “nodes”.
- Each equipment item within the node is examined in turn.
- Guide Words are used to prompt discussion.
- The drawing is marked-up to show what has been completed.
- Potential concerns are documented.
- The role of HAZOP is to identify potential concerns.
- Hazard analysis and resolution is a separate follow-up activity (LOPA).
- Team can propose a suggested action where this is obvious.
What are the HAZOP guide words?
What deviation do they cause (with examples)?
None (no) - no forward (or reverse) flow.
E.g. Control valve closes shut or check valve fails to open
More of (high) - more of a physical property.
E.g. More pump discharge head due to higher SG. High tank level due to instrument faults.
Less of (low) - less of a physical property.
E.g. Less flow due to filter blockage. Lower temperature due to TC failure.
Part of - composition of stream is different from what it should be.
E.g. reactants added in wrong quantities
More than (as well as) - more components present than should be.
E.g. water entrained in feed from storage tank. Impurities in feed material.
Other than - what else can happen from normal operations.
E.g. start-up, shut-down and maintenance
What’s a LOPA?
Layers of protection analysis.
A semi-quantitative method evaluating the effectiveness of independent protection layers (IPL) in reducing the likelihood/severity of an undesirable event.
What’s an IEF?
Initiating event frequency - expressed in terms of events per year
What’s an IPL?
Independent protection layer.
To qualify as an IPL, it must be effective, independent, auditable and documented.
They can be passive or active, and each IPL has a PFD
Visual checks and warning signs do not qualify as IPLs
What are BPCS?
Basic process control systems.
They’re designed to maintain a process within a defined safe operating window.
What are conditions modifiers (in safety)?
Factors which may contribute to the frequency of an event e.g. weather, human occupancy or the probability of ignition of a flammable cloud.