CE20223 - Safety and Ethics Flashcards

Question 1

Q

What’s a hazard?

Answer

A

A property or condition which can cause an unwanted event.

The can result in near misses and incidents

Question 2

Q

What does the fire triangle consist of?

Answer

A

Fuel + oxygen + energy

Need all three to be present to get a fire

Oxygen my be bound in the fuel e.g. ammonium nitrate

Question 3

Q

What are flammable limits?

Answer

A

The fuel concentration, in % by volume of air, must fall within certain limits (LFL - UFL) before it will combust

Typically between 1-10% for most hydrocarbons.
H2, H2S and C2H4 have wide flammable ranges.

Question 4

Q

What’s the flash point?

Answer

A

Lowest temperature at which a liquid gives off enough vapour to form a flammable mixture with air.

• Some hydrocarbon liquids released to the atmosphere are not hot enough to give off enough vapours that can be ignited by an ignition source
• For safe product handling/storage,
typically use ‘Closed Cup Flash Point’
to characterise the flammability

Question 5

Q

What’s the auto-ignition temperature?

Answer

A

Temperature at which vapours will spontaneously ignite.

Some process streams are hot enough that when they escape to the atmosphere they will catch fire immediately and so do not need an ignition source
In practice temperature at which autoignition occurs is > theoretical AIT

Question 6

Q

What do the parts of the fire diamond suggest?

Answer

A

Blue - health/toxicity

Red - flammability

Yellow - reactivity/instability

White - special notice

0 is lowest, 4 is highest

Question 7

Q

What are examples of potential ignition sources?

Answer

A

Fired equipment / Hot surfaces - controlled by equipment spacing

Maintenance hot work - controlled by Work Permit System

Electrical equipment - controlled by Work Permit System and electrical area classification

Vehicles - controlled by Work Permit System and plant layout/spacing

Electrostatic ignition - controlled by earthing, design and procedures

Lightning - controlled by earthing structures

Question 8

Q

What are examples of potential fuel-air mixtures within equipment?

Answer

A

Fired heaters
Decoking and catalyst regeneration
Air used for reaction - oxidation, sweetening, etc.
Air blowing lines
Vacuum systems
Fixed roof tanks
Tank trucks/railcars/barges/ships
Sewers
Confined/recessed areas
Flare system
Startup and shutdown

Question 9

Q

What are examples of equipment failures for potential loss of containment?

Answer

A

Corrosion
Improper material of construction
Brittle fracture
Gasket leak
Small bore piping failure (vibration/mechanical damage)
Seal leak from pump/compressor
Furnace tube failure
Overheating / exotherms
Over/under pressure
Freeze-up / thermal expansion
Pipe-line surge (‘water hammer’)
Check valve / safety valve failure
Hose / loading arm failure
Bellows failure (Flixborough VCE 1974, full lecture)
Rupture from collision

Question 10

Q

What are examples of operating procedures causing potential loss of containment?

Answer

A

• Taking equipment out of service:
- Equipment draining /
depressurizing / blinding

• Bringing equipment back into service:
- Deblinding

• Tank / tanker filling

• Tank gassing / frothovers
- Routing light product to tank
- Routing water to hot tank / hot
product to cold tank

Purging / venting
Draining water
Sampling

Question 11

Q

What are VCEs?

Answer

A

Vapour cloud explosions

Gas or vapours escaping to the atmosphere can form a flammable mixture, which if ignited, can produce an explosion (VCE) followed by a fire.

Ignition of a flammable cloud in an open area will normally produce a flash back fire with low levels of overpressure.

Question 12

Q

When do VCEs occur?

Answer

A

Vapour cloud explosions require the flammable cloud to be within a congested area.
Multiple obstacles increase turbulence of the flame front. This increases both
the flame speed and the magnitude of the pressure wave. The increase in pressure causes an increase in temperature / Ek. This can act as an ignition source.

VCEs are more likely to occur with a large amount of fluid, involving
release of LPG or volatile liquids.

VCEs can produce a damaging overpressure wave which can cause
non-blast resistant buildings to collapse, and also result in secondary
equipment failures and fires.

Question 13

Q

What is the difference between deflagration and detonation?

Answer

A

Deflagration is more typical of explosions resulting from flammable releases to atmosphere (flash back fires, unconfined vapour clouds).

Flame front travelling at subsonic velocity.
Overpressure normally <1 barg.

Detonation is likely to occur inside a confined space (e.g. tank, pipe)
- Flame front travelling at supersonic velocity produces a shock
wave which compresses and pre-heats reactants ahead of flame
front.
- Overpressure typically > 10 barg.

Question 14

Q

What’s deflagration?

Answer

A

Combustion which propagates through a gas or across the surface of an explosive at subsonic speeds, driven by the transfer of heat.

A fire is a slow form of deflagration.

Deflagration is more typical of explosions resulting from flammable releases to atmosphere (flash back fires, unconfined vapour clouds).

The flame front travels at subsonic velocity.
Overpressure normally < 1 barg.

Question 15

Q

What’s detonation?

Answer

A

Combustion of a substance which is initiated suddenly and propagates extremely rapidly, giving rise to a shock wave.

Detonation is likely to occur inside a confined space (e.g. tank, pipe).

The flame front travelling at supersonic velocity produces a shock
wave which compresses and pre-heats reactants ahead of flame
front.
Overpressure typically > 10 barg.

Question 16

Q

What are the impacts of VCEs on people for different peak over-pressures?

Answer

A

1 psi - knock personnel down
5 psi - ruptured eardrums

10-35 psi - damage to lungs up to threshold fatalities

50-65 psi - 50-99% fatalities

Question 17

Q

How is a process analyses?

Answer

A

Describe process under normal conditions

Describe the event itself

What was learnt from the accident / how can it be prevented

Question 18

Q

Analysis of the Flixborough VCE 1974 accident:

Answer

A

• Cyclohexane was oxidised to cyclohexanone (a precursor for
the manufacture of Nylon) by injecting air in the presence of
a catalyst.
• The process of oxidation is relatively slow and six stirred reactors were used in series.
• Reaction kinetics dictated that the cyclohexane in the reactors should be maintained at 155°C and 9 barg – liquid
phase.
• When released to atmosphere some of the liquid flashed-off creating a vapour cloud.
Adiabatic flash of reactor inventory (100 t) gives ~40 t vapour
cloud.

28 employees were killed (mostly inside buildings) and 36 injured.
Extensive damage to process plant.
53 members of public injured and 1800 houses damaged.

• Release occurred due to failure of temporary piping/flexible bellows.
- A relatively simply bypass had been installed to allow one of the reactors to be taken out of service for repairs.

• The temporary bypass had not been properly engineered or reviewed.
- No engineering drawing prepared and only basic calculations were carried out.
- Lack of necessary engineering expertise.
- Maintenance team did not recognise that offset piping
created bending moment and high shear forces at
bellows.
• No structured process for reviewing and authorising changes.
• Occupied buildings were not blast resistant and were located
too close to process areas handling highly flammable material.

This could be prevented by double checking calculations

Question 19

Q

How do ethics and morality differ?

Answer

A

Morality is the difference between right and wrong
“The totality of opinions, decisions, and actions with which people express, individually or collectively, what
they think is good or right”.

Ethics is the systematic reflection on morality.
- how to make moral judgements. There are many ethical theories and frameworks designed to help people arrive at good moral judgement.

can be ‘DESCRIPTIVE’ concerned with existing morality, or ‘NORMATIVE’ when it tries to produce recommendations about how to act or live.

Question 20

Q

What are the 6 moral competencies?

Answer

A

Sensibility
Analysis skills
Creativity
Judgement
Decision-making
Argumentation

Question 21

Q

What are the 3 Ps for corporate social responsibility?

Answer

A

People
Planet
Profit

Question 22

Q

What are the key aspects of honesty and integrity?

Answer

A

Act in a reliable and trustworthy manner

Respect confidentiality

Declare conflicts of interest

Reject bribery and improper influence

Question 23

Q

What are the key aspects for respect for life, law, the environment and public good?

Answer

A

Hold paramount the health and safety of others and draw attention to hazards

Recognize the importance of cyber security and data protection

Protect and improve built and natural environments

Maximise the public good and minimise both actual and potential adverse effects for their own and succeeding generations

Take due account of the limited availability of natural resources

Question 24

Q

What are the key ethical aspects considering accuracy and rigour?

Answer

A

Perform services only in areas in which they are currently competent or under competent supervision

Keep their knowledge and skills up to date

Assist the development of engineering knowledge and skills in others

Identify, evaluate, quantify, mitigate and manage risks

Not knowingly mislead or allow others to be misled

Question 25

Q

What are the key ethical aspects when considering leadership and communication?

Answer

A

Promote equality, diversity and inclusion

Promote public awareness and understanding of the impact and benefits of engineering achievements

Be objective and truthful in any statement made in their professional capacity

Challenge statements or policies that cause them professional concern

Question 26

Q

What are the 4 main ethical principles?

Answer

A

Honesty and integrity

Respect for life, law, the environment and public good

Accuracy and rigour

Leadership and communication

Question 27

Q

What are the 3 ethical theories?

Answer

A

Consequentialism

Deontology (duty ethics)

Virtue ethics

Question 28

Q

What are values, norms and virtues?

Answer

A

Values - lasting matters that people feel should be strived for in general to realise a just society

Norms - rules that prescribe what actions are required, permitted or forbidden

Virtues - certain type of human characteristic or quality

Question 29

Q

What’s consequentialism?

Answer

A

Consequences of actions are central to the moral judgement of those actions.

Utilitarianism actions are judged by the amount of pleasure and pain they bring about - by their ability to benefit a majority.

Considers profits and losses / pleasure and pain.

Question 30

Q

What does deontology / duty ethics consider?

Answer

A

Duty is a better guide to decision making than pleasure.

Action is considered morally right if it agrees with a certain moral rule.

This rule says ‘you may not lie’ and there are no circumstances under which it is morally right to lie.

Question 31

Q

What does virtue ethics consider?

Answer

A

An ethical theory that focuses on the nature of the acting person. This theory indicates which good of desirably characteristics people should have or develop to be moral.’

Variant: Aristotle’s (322 – 322 BC) Theory
Each moral virtue (character virtue) holds a position of equilibrium and it is the middle course between two extremes of evil

E.g. A courageous person will not act as a coward in a dangerous situation, but he/she will also not be reckless and ignore the danger.

Question 32

Q

What’s universalism?

Answer

A

A system of norms and values that are universally applicable to everyone, independent of time, place or culture.

Question 33

Q

What’s the categorical imperative, universality principle and reciprocity principle?

Answer

A

Categorical imperative A universal principle of the form “Do A” which is the foundation of all moral judgments in Kant’s view.
When judging the morality of an action, it should not lead to a contradiction (self-defeating)

Universality principle: First formulation of the categorical imperative: Act only on that maxim which you can at the same time will that it should become a universal law.
(1) Assume the action is morally correct when you act on it – (2) Assume that everyone can also follow this norm (universality principle) – (3) will this norm survive?

Reciprocity principle Second formulation of the categorical imperative: Act as to treat humanity, whether in your own person or in that of any other, in every case as an end, never as means only.

Question 34

Q

What’s the Kantian theory?

What are it’s criticisms?

Answer

A

We can speak of good will if our actions are led by the categorical (= unconditional) norm ( = rule).
E.g. If rule says ‘ you may not lie’ there are no circumstances under which it is morally right to lie.

Vs. Hypothetical norm A condition norm, that is, a norm which only applies under certain circumstances

Criticism:
According to Kant all moral laws can be derived from the categorical imperative. Bending rules is not allowed.
Do all these laws form an unambiguous and consistent system of norms? What about contradictory norms (e.g. whistle-blowing)
Kantian theory (and duty ethics) often elicits the objection that a rigid adherence to moral rules can make people blind to the potentially very negative consequences of their actions

Question 35

Q

Ford Pinto Ethics Case Arguments:

Answer

A

Ford made a cost-benefit analysis to justify actions which showed that total social costs of retrofitting all the cars > social costs of the expected accidents.
Objections against utilitarianism:
(1) amounts of money attached to different kinds of pain (dead, injuries) seem rather arbitrary (some were based on government documents)
(2) Reliability of the estimates (e.g. the number of fatalities)
By deciding solely based on considerations of overall welfare or happiness, Ford adopted a policy of allowing a certain number of preventable deaths/injuries. The case reveals abuse because the victims were sacrificed to optimize overall welfare (the ends justify the means).
Abandoned the “you cannot put a value on human life” or the freedom principle of Mill.

Universality principle: “Ford will market the Ford Pinto, knowing that the car is unsafe and without informing the consumers”
Can this become a universal law and be without contradiction?
“Marketing unsafe cars without informing the consumers is allowable.”
- Loss of customer trust and hence marketing a car would become impossible.
Reciprocity principle: Implies respect for people’s moral autonomy in making their own choices - Ford should have informed its consumers about the safety of the Pinto - so they can make an autonomous rational decision on the car purchase.
Failing to inform them, the rational agency of the consumer was thus undermined, and they were used as merely a means to achieve Ford’s aim: increasing Ford’s turnover

Question 36

Q

What’s an ethical cycle and what are the 5 phases?

Answer

A

A tool in structuring and improving moral decisions by making a systematic and thorough analysis of the moral problem, which helps to come to a moral judgement and to justify the final decision in moral terms.

1) Moral problem statement
2) Problem analysis
3) Options for actions
4) Ethical evaluation
5) Reflection
Leading to morally acceptable actions

Question 37

Q

What is mentioned when formulating a moral problem statement for problem analysis?

Answer

A

State what the problem is
State relevant facts
State relevant moral values

Consider shareholders and their interests, who has to act and the moral nature of the problem.

Question 38

Q

What are the three different strategies for phase 3 - options for actions within an ethical cycle?

Answer

A

Black-and-white strategy

Cooperation strategy

Whistle-blowing strategy

Question 39

Q

What’s the black-and-white strategy (in ethical cycle)?

Answer

A

A strategy for action in which only two options for actions are considered: doing the action or not.

(Not useful for more complex situations)

Question 40

Q

What’s the cooperation strategy (in ethical cycles)?

Answer

A

The action strategy that is directed at finding alternatives to help solve a moral problem by consulting other stakeholders (can lead to win-win situations)

Question 41

Q

What’s the whilst blowing strategy (in ethical cycles)?

Answer

A

Going public with the information; used as a last resort strategy as it is quite damaging to both the individual employee and the organization.

Question 42

Q

What is considered in the ethical evaluation of an ethical cycle?

Answer

A

You must evaluate the moral acceptability of the various options for action.
These judgments need not be the same because different frameworks can result in different preferred options for action in each situation.

Based on both formal (based on professional ethics such as codes of conduct and the main ethical theories) and informal moral frameworks (intuitions and common sense)

Intuitivist framework: indicate which option for action in your view is intuitively most acceptable and formulate arguments for this statement.

Common sense method: weigh the available options for actions in the light of the relevant values.

Eg: although making a profit is important, the value that is really at stake is public safety

Question 43

Q

What do HAZOP and HAZID stand for?

Answer

A

Hazard and operability (HAZOP)

Hazard identification (HAZID)

Question 44

Q

What’s risk?

Answer

A

Risk is a measure of the hazard release potential.
It’s the likelihood of something negative happening

Prerequisite: you know/understand the hazard!
Minimise hazard (and risk) through inherently safer design
Minimise release potential through designed and procedural control measures

Question 45

Q

How can hazards be measured?

Answer

A

1) Dow Fire & Explosion Index (F&EI)
- Semi-quantitative approach (numerical result).
- Output provides an overview of risk exposure and not a
specific list of potential deficiencies/hazards.
- Can provide estimate of Maximum Probable Property
Damage.
- Useful in ranking different alternatives.

2) Monod Index
- Developed by ICI (Imperial Chemical Industries) after Flixborough.
- Based on Dow Index, modified to address wider scope of hazards.
- Includes plant layout and separation between hazardous units.

Question 46

Q

What do values for the Down F and EI suggest about a hazard?

Answer

A

1-60: light

61-96: moderate

97-127: intermediate

128-158: heavy

159 < : severe

Question 47

Q

What is material factor, MF?

Answer

A

A measure of intrinsic rate of energy release due to fire or explosion.

Question 48

Q

How is the F and EI Dow index calculated?

Answer

A

F&EI = MF * F1 * F2

Where MF is the material factor, F1 are the general process hazards and F2 are the special hazards.

Question 49

Q

How is material factor, MF, obtained?

Answer

A

From NFPA (national fire protection association) ratings. 
Based on most dominant/highest risk material present.

It’s the product of Nf (flammability) * Nr (reactivity)
(Non-combustible/stable - MF equals 1
Highly reactive/flammable - MF equal 40)

Question 50

Q

How are F1 and F2, considering general and special hazards, calculated to find F&EI index?

Answer

A

F1/2 = total number of penalties + 1

1 is the base factor

Question 51

Q

What does LCCF represent?

Answer

A

Loss control credit factor

Question 52

Q

How is LCCF (loss control credit factor) calculated?

Answer

A

LCCF = C1 * C2 * C3

Where:
C1 considers process control factors
C2 considers material isolation factors
C3 considers fire protection factors

Question 53

Q

What do factors C1, C2 and C3 consider in the LCCF (loss control credit factor)?

Answer

A

C1 - Process Control Factors
E.g. Emergency power, cooling, computer control, inert gas, hazard analysis, operating Instructions.

C2 - Material Isolation Factors
E.g. Remote control valves, dump tanks, drainage, interlocks

C3 - Fire Protection Factors
E.g. Leak detection, steel protection, fire water supply, deluge, foam,
monitors, cable protection

Loss Control Credit Factor (LCCF) = C1xC2xC3
Individual control factors are in the range 0.9 to 0.99
(For example 5 x control factors @ 0.95 gives a LCCF = 0.77)

Question 54

Q

What is MPPD?

Answer

A

Maximum probable property damage.

It’s a function of the Dow F&EI index and LCCF

Question 55

Q

What are the 4 main principles of inherent safety?

Answer

A

Minimise
(E.g. reduce inventories, reduce vessel hold-up, use loop reactor)

Substitute
(E.g. use non-flammable refrigerants)

Moderate
(E.g. lower T and P)

Simplify

Question 56

Q

What are the details of the Flixborough VCE accident?

Answer

A

28 employees were killed (mostly inside buildings) and 36 injured.
Extensive damage to process plant.
53 members of public injured and 1800 houses damaged.

• Release occurred due to failure of temporary piping/flexible bellows.
- A relatively simply bypass had been installed to allow one of the reactors to be taken out of service for repairs.

Question 57

Q

Description of process for Flixborough VCE accident:

Answer

A

• Cyclohexane was oxidised to cyclohexanone (a precursor for
the manufacture of Nylon) by injecting air in the presence of
a catalyst.
• The process of oxidation is relatively slow and six stirred reactors were used in series.
• Reaction kinetics dictated that the cyclohexane in the reactors should be maintained at 155°C and 9 barg – liquid
phase.
• When released to atmosphere some of the liquid flashed-off creating a vapour cloud.
Adiabatic flash of reactor inventory (100 t) gives ~40 t vapour
cloud.

Question 58

Q

Primary causes of Flixborough:

Answer

A

The temporary bypass had not been properly engineered or reviewed.
- No engineering drawing prepared and only basic calculations were carried out.
- Lack of necessary engineering expertise.
- Maintenance team did not recognise that offset piping
created bending moment and high shear forces at
bellows.
• No structured process for reviewing and authorising changes.
• Occupied buildings were not blast resistant and were located
too close to process areas handling highly flammable material.

This could be prevented by double checking calculations

Question 59

Q

What are possible reasons for loss of containment for the Torrance refinery explosion?

Answer

A

Low P in tractor caused back-flow of hydrocarbons from the main DC, which escaped into the regenerator and ESP (electrostatic precipitator)
Slide values unable to maintain catalyst barrier to prevent fuel and air from mixing (due to corrosion)
Overpressure caused steam to leak into the air side of the FCC, making it hard to repair
Leaking HX allowed addition of different, light, heated hydrocarbons
Thermal runaway
Poorly installed equipment

Ignition source:
* ESP 
Fuel-air mix:
* Air continued to move through the ESP
* Hydrocarbons leaked to the air side of the reactor

Question 60

Q

What are examples of atmospheric storage tanks?

Answer

A

Cone roof (CR) tankage

Floating roof (FR) tankage

Question 61

Q

What are properties of cons roof tanks?

CR

Answer

A

Tank roof is fixed.

There is always a vapour space above the liquid level.

Used for storing materials at temperature < flash point. (So no vapours for ignition form)

Cone roof useful to drain rainwater / snow away, preventing additional weight on tank (if tank were to have flat roof)

Question 62

Q

What are properties of floating roof tanks?

Answer

A

Tank roof floats on top of the liquid surface and rises/falls as the
liquid level in the tank changes.

There is no vapour space between the liquid and the roof.

Used for storing materials at temperature > flash point.

Not suitable for liquids with TVP (True Vapour Pressure, ASTM D 2879) > 0.9 bara. (Since P above atmospheric would cause the roof to move and tilt, and scratching against the tank wall could create an ignition source)

Question 63

Q

What are sample hazards in CR (cone roof) tanks?

Answer

A

Liquid overfill

Tank Overpressure or vacuum

Ignition of flammable vapour space inside tank

Tank overheated caused

flammable vapour space/fire
foam over (water heel)

Question 64

Q

Possible control measures of CR (cone roof) tank hazards:

Answer

A

Liquid overfill
- use level indicators, secondary containment. (LHA- level high alarm)

Tank Overpressure or vacuum
- use vent valves

Ignition of flammable vapour space inside tank
- locate safe distance away from other equipment / ignition sources

Tank overheated causing flammable vapour space/fire or foam over (water heel)
- high temp alarm or cut-out on tank heater coil

Answer 65

A

Liquid overfill

Tank Overpressure or vacuum

Vapour release/fire, causing high vapour pressure material or gas blow through

Tank roof sinking

Tank fire, causing vulnerability to lightning

Rim seal fire

Full surface fire (FSF) - (hard to recover from)

Answer 66

A

Liquid overfill
- use level indicators, secondary containment. (LHA - level high alarm)

Tank Overpressure or vacuum
- use vent valves

Vapour release/fire, causing high vapour pressure material or gas blow through

THA (temp high alarm)
LLCO (level cut-off) on upstream tower

Tank roof sinking

roof drain
routine operator checks
multiple pontoon roof design
maintenance

Tank fire, causing vulnerability to lightning
\+
Rim seal fire
\+
Full surface fire (FSF) - (hard to recover from)
(For all three...)
- HTA and temp control / cut-off
- foam damn
- FSF attack strategy

Answer 67

A

The Joule-Thomson (JT) effect is a thermodynamic process that occurs when a fluid expands from high pressure to low pressure at constant enthalpy (an isenthalpic process).

If this coefficient is positive, then the fluid cools upon expansion and if it’s negative the fluid warms upon expansion.

Answer 68

A

To store materials that are vapour/gas at atmospheric conditions and too volatile to store in CR or FR tanks.

Answer 69

A

Above ground sphere

Above ground drum (bullet)

Mounded drum (bullet)

Answer 70

A

Liquid Overfill
- Three independent level measurements (and safety valve)

Tank Overheating (BLEVE from sustained pool fire)
- Fixed water spray/deluge, often automatically activated
- Fire-proofing
- Sloped ground under tank

Vapour release/fire
- Gas detection/alarm
- Water flood (to fill tank rapidly and float LPG up and away from leak site)

Sampling and water draw-off
- Freeze-proof design

Answer 71

A

Boiling liquid expanding vapour explosion.

Main hazard is due to radiant heat from fire ball (up to 500 m)

• When vessel is exposed to fire the metal weakens. As liquid inside the vessel boils-off the vessel wall dry out and metal surface temperature increases
- Metal softens, yields and ruptures releasing expanding liquid vapour

Answer 72

A

Gas and fire detection

Emergency Block Valves (EBV)

Drencher system

Containment area slopes away from sphere

Use of mounded drum (inherently safe)

Answer 73

A

Liquified pressurised gas

Answer 74

A

An operator was draining water from the sphere to local sewer.

A valve was partially blocked due to hydrate (crystal-like) formation (sub-zero temperature)
Blockage suddenly cleared – valve was still fully open.
Leak ignited 25 min later by car travelling on nearby road (150m)
90 min after fire started sphere BLEVE occurred
18 killed; 80 injured

Answer 75

A

To position the sphere on slopes.

Install a series of drainage valves, farther away from the sphere.
Some of the valves may remain closed throughout.

Drainage system at an angle.

(If Fire is ‘taken away’, the BLEVE is stopped/taken away)

Answer 76

A

Used to store materials that are vapour/gas at normal atmospheric conditions – too volatile to store in CR or FR Tanks

Liquefied natural gas, LNG. NBP = - 160 C°

Storage container operates at low pressure (typically 0-5 psig)

Tank is insulated
Liquid boils off at a controlled rate due to heat inputs
Vapour is compressed back to liquid and refrigerated
Release of liquid from refrigerated storage does not have same potential for VCE
BLEVE scenario is also not credible

• Materials of construction need to be suitable for low operating
temperatures (Brittle Facture)

Answer 77

A

Liquified natural gas

Answer 78

A

There was a large distribution terminal, occupied by 3 separate companies (Hertfordshire Oil Storage Ltd (HOSL), UK Oil Pipelines Ltd and BP Oil UK Ltd.)

Gasoline was released from the HOSL west site

The terminal is fed by 3 separate pipelines, and handles gasoline, diesel and jet products

The west boundary of the site adjoins an industrial estate

The severity of the explosion was much higher than would have been predicted given the low level of confinement.
Actual overpressure in open areas of Northgate and Fuji car parks were 0.7-1.0 barg.
• Normal scenario for an atmospheric storage tank overfill is fire.
• However, there is some past experience of gasoline tank overfill resulting in explosions.
- Typically involve large quantity of fuel (>100m3).
- In each case wind speed was low (or zero) allowing a large vapour
cloud to form.

Buncefield explosion appeared to be unique due to apparent lack of obstacles which would induce turbulence and lead to rapid flame propagation.
- HSE are carrying out further work involving industry experts

Answer 79

A

On the evening of 10th December 2005 Tank 912 started to receive a pipeline transfer of gasoline (550m3/h)

At approx. 3 am on 11th December, the tank level gauge indicated a static level.
However, the tank continued to receive product at the same rate, and the actual level in the tank continued to rise.

The tank started to overflow at 0520 and by 0600 approx. 480m3 of gasoline had overflowed into the bund and surrounding area.

A vapour cloud had spread approx. 200m from the tank towards the Industrial Estate.

At 0601 the first of several explosions occurred causing significant damage to both commercial and residential property in the vicinity.
- Fire engulfed over 20 large fuel tanks
- 2000 people were evacuated and sections of the adjacent motorway
were closed.
- 43 people were injured, none seriously (incident occurred early on Sunday morning)

Answer 80

A

Immediately following the incident the HSE carried out a review and inspection of all Major Hazard sites in the UK to verify that existing standards and best practices were being followed.

The release was due to a tank being overfilled – tank was being filled by pipeline ~ 550m3/h.

The ignition source was believed to be the electric fire pumps.

The tank was fitted with a level instrument, independent LHA and LHCO.

The level instrument had stuck (14 malfunctions had been reported in previous 5 months).
LHCO and alarm did not work - it was not responded to or was disabled?

• Evidence that some shifts allowed tank level to exceed ‘high’ and even
‘high-high’ alarm to accommodate pipeline parcel.

• Specific HSE Alert issued concerning design and operation of LHA – concern that alarm can be disabled if test lever is inadvertently left in the incorrect position.

Believe an aerosol could have formed

Answer 81

A

Major Incident Investigation Board issued recommendations on Design and Operation of sites storing highly volatile materials.

Provision of independent LHA and automatic overfill protection.
All elements of overfill protective system should be tested (eliminate
use of internal floats).
Use of gas detection, CCTV etc. to provide early detection of loss of containment (linked to automated response).
Modified design of new tanks to reduce risk of aerosol/vapour formation in the case of tank overflow.
Industry to share incident/near miss data.
Develop Process Safety indicators.

Answer 82

A

Explosion severity was far greater than would normally have been expected for a vapour cloud.
- A VCE typically results in deflagration (< 1barg overpressure).
- Based on damage to cars, drums and lamp posts the max estimated
overpressure was 2barg – this would require some form of detonation.

Detonation normally requires a confined volume such as inside a building, pipe or vessel.

Evidence suggests that the ignition source was inside the fire pump house.
However, once outside the building the flame front would de-accelerate rapidly.

For the flame front to continue to accelerate requires congestion to create turbulence.

Piping, vessels and plant structures have been shown to create deflagration type explosion only.
Tests and analysis have shown that congestion due to trees/shrubs along adjacent lane may have been responsible for the higher overpressures.

Answer 83

A

Pressure relief valves, PRVs, (spring loaded valve which opens at a given set pressure.

Pressure vacuum valves (typically for low pressure systems – use dead weights).

‘U’ seal or dip leg (for low pressure systems – hydraulic head provides fixed backpressure).

Bursting disc (thin plate – ruptures at specified pressure).

Answer 84

A

Closed systems:

Dump tank/scrubber/quench vessel
Flare ring main connected to an elevated flare stack
For older facilities, PRVs are often routed to atmosphere providing material is not liquid phase.

Answer 85

A

Body
Blowdown adjustment ring
Nozzle
Seat disk
Disc holder
Bonnet
Spring
Set pressure adjusting screw

Spring opens at set differential pressure between inlet and outlet.

For relieving pressure that is independent of outlet pressure, use bellows.

Answer 86

A

Benefits
+ PRV set pressure for actual device can be tested prior to installation and at routine intervals.

+ Device should reseat after lifting once pressure has been reduced

Disadvantages

Increased risk of blockages due to corrosion products
Valve seat leakage
PRV inlet and outlet pipework pressure drop needs to be low to avoid instability (PRV chatter)
Slower response time (tenths of a second up to > 1 second)

Answer 87

A

Benefits
• Very fast response times (milliseconds);
• Less risk of blockage than relief valves
• Lower cost to install and maintain
• Available in a wide range of materials
• No leakage

Disadvantages
• Non re-closing hence may allow large discharges even when pressure falls below relieving (rupture) pressure
• Potential for premature failure due to pressure pulsation, especially if the rupture pressure is close to the operating pressure
• Rupture pressure affected by back pressure
• Risk of incorrect assembly (upside down) !!! (Ie it would never burst)
• Cannot be tested so regularly replaced

Answer 88

A

American society of mech engineers (ASME):

Relieving pressure shall not exceed MAWP (normally DP) by more than:

3% for fired and unfired steam boilers
10% for vessels equipped with a single pressure relief device
16% for vessels equipped with multiple pressure relief devices
21% for fire contingency

EU pressure equipment directive (PED) has a different interpretation:
+ 10% for all pressurized equipment with DP >0.5 barg, under all circumstances.

Answer 89

A

Issues e.g. 
• Instrument air failure
• Steam failure wide open
• Electric power failure
• Blocked outlet - operator error 
• Cooling water failure
• Loss of reflux
• Tube rupture
• External Fire

Detailed over pressure contingency analysis needs to be carried out to determine required PRV capacity.

Evaluate credible scenarios and calculate required relief load under these scenarios
EU Pressure Equipment Directive requires that all “foreseeable” causes of overpressure be considered
Two unrelated events (double contingency) are not normally considered

Answer 90

A

Closed system needs to be sized to handle largest pressure relief demand:

Single largest relief load
Emergency manual depressurisation of reactor systems
Multiple PRD activated due to failure of plant utility (electricity, instrument air, cooling water, steam)

Facilities need to be provided to contain any liquid and to scrub or flare any hazardous vapours.

Vent/flare stacks need to be sufficiently elevated to ensure good dispersion and should be located away from public areas/process units to minimise exposure of people to radiant heat

Liquid seal drum and dip leg arrangement to prevent flash back from flare stack in to flare ring main

Alternative to flare isa gas scrubber and atmospheric vent which needs to be available at all times

Answer 91

A

Used extensively in speciality chemicals and pharmaceuticals industries

Low volume
Facilities sometimes used to produce different grades/products

Answer 92

A

Potential for rapid thermal decomposition causing
deflagration/detonation

High bulk temperature can cause material to boil/vaporise. Potential for contents to overpressure and erupt from vessel.

Reaction generates high volumes of gas which overpressures the reactor

Secondary fire/explosion due to loss of primary containment

Answer 93

A

Reactive chemistry not fully understood

Reactants added in wrong quantities or wrong order

Contaminants

Inadequate temperature control

Poor mixing

Inadequate emergency venting facilities

Failure to take emergency action in the event of high temperature

Answer 94

A

Rate of heat production is proportional to volume

Natural cooling capacity is proportional to surface area

Answer 95

A

Literature search, industry experience and laboratory data

Conduct calorimetric tests

Oxygen balance can help identify whether CXHYOZ compounds could decompose violently

CXHYOZ +(2X+Y/2–Z)O->XCO2 +Y/2H2O
Oxygen balance = -1600(2X + Y/2 – Z) ÷ MW (High Risk if > -200)

From the Heat of Reaction (ΔH) can estimate maximum Adiabatic Temperature Rise (ΔTad)

ΔTad = - ΔH/Cp

Check if max. temperature is below temperature at which:

Other reactions start to take place (e.g. decomposition)
Reactants boil
Gas evolution occurs

Answer 96

A

Emergency cooling facilities

Chemical inhibitor injection to suppress reaction or poison catalyst

Drown-out or quenching

Use an inert medium to quench and dilute the reactants
May need to dump contents to a secondary vessel if insufficient space in reactor

Provide adequately sized emergency venting facilities (bursting disc)
- Consider hazards of venting reactor to atmosphere and need for scrubber tower/containment facility

Protective instrument systems can be used to automate some or all previous control measures
Consider Inherently Safer design (e.g.)
- Use semi-batch operation, add reactants gradually
- Use CSTR
- Use smaller reactor volume (e.g. loop type reactor)
- Design reactor to withstand worst case temperature/pressure conditions

Answer 97

A

Elimination - physically remove the hazard

Substitution - replace the hazard

Engineering controls - isolate people from the hazard

Administrative controls - change the way people work

PPE - protect the worker with Personal Protective Equipment

Answer 98

A

BPCS - basic process control system

SIS - safety instrumented systems

HPS - hardware protective systems

SIF - safety instrumented functions

Answer 99

A

Temperature High Cut-in (THCI) quench/cooling activation for exothermic reactor

Level High Cut-out (LHCO) to prevent vessel overfill

Furnace Flow Low Cut-out (FLCO) to prevent tube rupture

Answer 100

A

H = D * F

Hazard rate = demand rate * failure of hazard controls

Once found, you must consider:
• Is this low enough/acceptable?
•  if not, what are the options?
•  Independent cut-out? This hazard control would be a safety instrumented function but it too can fail so...
•  How reliable does it need to be?

Answer 101

A

Safety Instrumented Function (SIF) – monitors a unique process variable or variables and takes a specific action when a prescribed limit is exceeded.

Each SIF will have its own availability target defined by the process designer.

Answer 102

A

Availability Target (AT) – the required reliability of the SIF to manage the risk adequately.

Answer 103

A

Safety Integrity Level (SIL) – defined availability ranges for standardising protective equipment design and certification

Answer 104

A

Probability of Failure on Demand (PFD) – the chance that the safety instrumented function will fail when required.

Answer 105

A

Independent - no point in sharing the same power supply as the basic control system that just failed

Fail-safe - if the power or actuating signal fails, system goes to its safe condition.

Maintained/Testable - it should be possible and safe to test the function periodically to maintain assurance that it will work on demand.

Well documented- future engineers/managers understand what it is protecting and how reliable it needs to be. Essential for future management of change.

Answer 106

A

Based on max. foreseeable internal pressure/vacuum, unless uneconomic.

Pressure Relief Valve (PRV) set at a given margin (e.g. ASME, EU PED) to avoid unnecessary lifting PRV.

Answer 107

A

Normally based on Max. Operating Temperature (MOT) from Heat and
Material Balance.

Typically a margin of 10-15°C added to MOT to give DT.

DT is also used for piping when assessing thermal stresses from expansion/ contraction.

Material strength decreases as temperature increases.

Answer 108

A

When all the valves / outlets are all closed

Answer 109

A

The DP is normally set by the pressure source (pump or compressor)
shut-in conditions i.e. blocked outlet, zero flow.

Overpressure should be limited by set pressure of PRV protecting the circuit (typically 10% above DP).
Some equipment operated in a batch or semi-continuous manner may have potential to be ‘boxed-in’ (all outlets closed)
Liquid filled equipment can be subjected to high internal pressures due to thermal expansion caused by solar gain or external heat tracing.
Heat exchanger/reboiler tube rupture can expose low pressure side to high pressure fluid.
Equipment that is subjected to vacuum conditions should be identified.
Do not assume that vessel can withstand full vacuum if not specified.

Answer 110

A

Relief path blocked

Safety valve too small or not fitted

Oxidiser in system with flammable - new volatile gas components are created that were not expected

Inadvertent mixture of reactants

Thermal expansion

Connected non-design pressure source

Design pressure under specified

Wrong spec break

Answer 111

A

Unexpected cooling

Composition changes

Loss of heating

P/V Vent Capacity Inadequate (or plugged) and
• Pump out
• Rain shower
• Ambient temperature/pressure drop

Answer 112

A

The maximum feed temperature from upstream unit.
The max. outlet temperature from fired heater or other heating medium.
Max temperature if an upstream heat exchanger (cooler) is bypassed e.g. for maintenance.
Predicted reactor outlet temperature (at “end of run” condition).
Joule-Thomson cooling effect.
Auto-refrigeration due to liquid evaporating/boiling to vapour when pressure is reduced
Solar radiation
Local site min/max ambient temperatures
Especially min temperature e.g. Norway -25°C

Answer 113

A

External Fire

Reaction Runaway

Loss of Cooling

Pumps/Compressor Energy

Loss of Furnace Feed (overheats tubes)

Heat Tracing on Idle Line

Pyrophoric Materials - Likely to auto-ignite

Electrical heating element control not sensing highest temperature

Inadvertent Catalysis

Answer 114

A

Loss of Heating

Auto Refrigeration

Process Composition Changes

Low Ambient Temperatures

Hydro testing

Answer 115

A

A specification break is a point in the piping where the material or flange rating changes, typically at a valve that might be closed

• This is allowable if the lower rated section is independently protected from overstress.

•  Line identification typically must include size, flange class and
material (and sometimes the corrosion allowance in mm).

Answer 116

A

As flow increases, frictional pressure drop through the system increases as the square of flow. (System resistance curve)

As centrifugal pump flow increases, delivery pressure decreases due to frictional drop within the pump, also as the square of flow (pump head curve).

As flow demand on centrifugal pumps increase, the capability of the pump to deliver pressure decreases while the pressure demand increases.

With no control valve, the system quickly reaches a single stable flow (at the intersection of the system and pump curves), only dependent on fluid density.

With a control valve, maximum flow is approximately the same, but adjustable down to zero.

Answer 117

A

Hazard and Operability study.

A formal systematic method for examining the potential hazards that may arise due to mal-function or mal-operation of individual items of equipment or processes.

Identify hazards that can result in SHE consequences.

Identify operability issues (e.g. no spare pump, inadequate
facilities to isolate and drain equipment for maintenance).

It’s aim is to identify hazards, not solve them

Answer 118

A

They’re best done at front end engineering and design (FEED) stages as changes are less costly.

HAZOP is carried out on the P&ID (Process and Instrumentation Drawing) or Flowsheet (less effective).

Answer 119

A

HAZOP is carried out on the P&ID (Process and Instrumentation Drawing) or Flowsheet (less effective).

• The study is carried out by a multi-discipline team of experienced people.
- Provides opportunity to explore/brain storm “what could go wrong?” in a systematic way.

-The team help to stimulate and build on each other’s ideas and questions.

• The P&ID is divided into “nodes”.

Each equipment item within the node is examined in turn.
Guide Words are used to prompt discussion.
The drawing is marked-up to show what has been completed. o Potential concerns are documented.
The role of HAZOP is to identify potential concerns.
Hazard analysis and resolution is a separate follow-up activity (LOPA).
Team can propose a suggested action where this is obvious.

Answer 120

A

None (no) - no forward (or reverse) flow.
E.g. Control valve closes shut or check valve fails to open

More of (high) - more of a physical property
E.g. More pump discharge head due to higher SG. High tank level due to instrument faults.

Less of (low) - less of a physical property
E.g. Less flow due to filter blockage. Lowe temperature due to TC failure.

Part of - composition of stream is different from what it should be.
E.g. reactants added in wrong quantities

More than (as well as) - more components present than should be. 
E.g. water entrained in feed from storage tank. Impurities in feed material.

Other than - what else can happen from normal operations.
E.g. start-up, shut-down and maintenance

Answer 121

A

Layers of protection analysis.

A semi-quantitative method evaluating the effectiveness of independent protection layers (IPL) in reducing the likelihood/severity of an undesirable event.

Answer 122

A

Initiating event frequency - expressed in terms of events per year

Answer 123

A

Independent protection layer.

To qualify as an IPL, it must be effective, independent, auditable and documented.

They can be passive or active, and each IPL has a PFD

Visual checks and warning signs do not qualify as IPLs

Answer 124

A

Basic process control systems.

They’re designed to maintain a process within a defined safe operating window.

Answer 125

A

Factors which may contribute to the frequency of an event e.g. weather, human occupancy or the probability of ignition of a flammable cloud.

Brainscape's Knowledge GenomeTM

CE20223 - Safety and Ethics Flashcards

Brainscape's Knowledge Genome^TM