
Introduction

Why Process Safety Is Important

There is an ongoing emphasis on chemical process safety as a result of highly publicized accidents such as the recent BP Deep Water Horizon well blow out in the Gulf of Mexico that resulted in a fire and explosion that killed 11 people and a massive leak of oil that caused catastrophic damage to the environment and economy of the Gulf Coast. Public awareness of these accidents has provided a driving force for industry to improve its safety record. There has also been an increasing amount of government regulation.

The chemical industry is one of the safest industries, but its safety record in the eyes of the public has suffered. Perhaps this is because sometimes when there is an accident in a chemical plant it is spectacular and receives a great deal of attention. The public often associates the chemical industry with environmental and safety problems, which results in a negative image of the industry.

So why is process safety important? It is important because good process safety performance, the lack of major process safety incidents, allows a company the freedom to manage its business without the interference of government regulators, litigation, and adverse public opinion. By avoiding injuries to people, major property loss, and business interruption loss, process safety results in the creation of positive business value for a company. The actions that are required to manage process safety well are the same actions required to manage business well.

Occupational Safety Versus Process Safety

It is important to differentiate between occupational safety, which involves accident prevention through work systems aimed at minimizing the risk of injury to workers, and process safety, which involves the prevention and mitigation of fires, explosions, and accidental chemical releases that can have far-reaching impacts. Occupational safety focuses on the prevention of worker injuries and occupational illness, primarily relating to trips, slips, falls, cuts, burns, etc. These injuries result from failures in the control of traditional work procedures. Process safety focuses on the prevention of leaks, spills, process upsets, toxic releases, and equipment failures which may or may not injure or result in fatalities to workers or others at or near the site. This chapter deals primarily with process safety.

Process Safety Technology Issues

The Internet provides considerable information on incidents, good industry practice, and design guidelines. The best practices in industry are briefly discussed in this chapter. Details are readily available from resources listed in the references section at the end of the chapter. Hazards from combustion and runaway reactions play a leading role in many chemical process accidents. Knowledge of these reactions is essential for the control of process hazards. Much of the damage and loss of life in chemical accidents are caused by a loss of containment that results in a sudden release of hazardous material at high pressures, which may or may not result in fire; so it is important to understand how loss of containment and sudden pressure releases can occur. Loss of containment can be due, for example, to ruptured high pressure tanks, runaway reactions, flammable vapor clouds, or pressure developed from external fire. Fires can cause severe damage to people and property from thermal radiation. Chemical releases from fires and pressure releases can form toxic clouds that can be dangerous to people over large areas. Static electricity often is a hidden cause of accidents. It is very important to understand the reactive nature of the chemicals involved in a chemical facility.

Process Safety Management Issues

Chemical process safety involves both the technical and the management aspects of the chemical industry, and this chapter addresses both. It is not enough to be aware of how to predict the effect of process hazards and how to design systems to reduce the risks of these hazards. It also is important to consider how chemical process safety can be managed. Technical and management people at all levels in an organization have process safety management responsibility, and can contribute to the overall management of safer chemical processing plants.

Loss of containment due to mechanical failure or misoperation is a major cause of chemical process accidents. The publication One Hundred Largest Losses: A Thirty Year Review of Property Damage Losses in the Hydrocarbon-Chemical Industry [1] cites loss of containment as the leading cause of property loss in the chemical process industries.

It has become clear that process safety can be and must be managed as any other part of the business. A process safety management system is focused on preparedness for the prevention and mitigation of catastrophic releases of chemicals or energy from a process associated with a facility. It also includes the response to and restoration from these events. The term process safety management was first recognized on a broad scale in the late 1980s after Bhopal (see case histories). It formed the basis for many of the American Institute of Chemical Engineers’ Center for Chemical Process Safety’s guideline books and eventually led to US regulations (OSHA PSM) in 1992.

Barrier Analysis and Layers of Protection [2]

There are certain concepts that people and companies have found useful in preventing and minimizing process safety incidents. The US Department of Energy has published a comprehensive and useful report on barrier analysis methodology (Document EH-33, Office of Operating Analysis and Feedback, 1996). The first concept is that of the use of barriers (see Fig. 2.1). Each of these cards represents pieces of Swiss cheese such that when the holes line up an incident will result. The objective of process safety management is to remove and/or minimize the sizes of the holes so that the hazard cannot propagate and become an incident. These barriers include systems for prevention, mitigation, and recovery. Examples of prevention barriers include control systems, procedures, alarms, and maintenance. Examples of mitigation barriers include dikes and containment, facility siting, gas detectors, and fire protection systems. Examples of recovery barriers include medical capability, mutual aid, spare part systems, and insurance.

Fig. 2.1 Barrier analysis

Another way of looking at barriers is the use of an onion skin model shown in Fig. 2.2. The layers of protection include the tanks, vessels, and piping systems; the basic process controls; and various safety systems both preventive and mitigative. This is sometimes also called defense in depth. All of these barriers or layers of protection must be effectively managed.

Fig. 2.2 Layers of protection (Copyright 1993 Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE), www.aiche.org/ccps, and used with permission)

Process safety is part of every facet of design and operation of a chemical processing facility during its lifetime as illustrated in Fig. 2.3. The risk of chemical processing must be managed at an acceptable level by the application of inherently safer design strategies, risk reduction measures, and risk-based process safety management, all of which will be discussed further in this chapter.

Fig. 2.3 Process safety key principles (Copyright 2010 Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE), www.aiche.org/ccps, and used with permission)

Anatomy of an Incident [3]

The Anatomy of an Incident Model

One definition of process safety is the sustained absence of process incidents at a facility. The anatomy of an incident is a useful model that explains how process incidents occur. The model will be used to logically introduce the technical elements of process safety. Figure 2.4 illustrates the model. To understand the model, several definitions are necessary:

Fig. 2.4 Anatomy of an incident (Copyright 2008 Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE), www.aiche.org/ccps, and used with permission)

  • An incident is an unplanned event or sequence of events that either resulted in or had the potential to result in adverse impacts.

  • Loss events will result if a deviation continues uncorrected and the process is not shut down. Loss events are generally irreversible process material/energy releases but may also be related to production or equipment failures.

  • A process hazard is the presence of a stored or connected material or energy with inherent characteristics having the potential for causing loss or harm.

Without safeguards, a cause (such as a process upset) will result in a deviation (such as an increase in pressure rupturing a tank) that will result in the process hazard (such as a flammable liquid in storage) becoming a loss event (e.g., a leak of a flammable liquid that ignites becoming a pool fire) with subsequent impacts (such as injuries and economic and/or environmental damage). However, in a well-designed and operated chemical processing facility there are numerous prevention safeguards to prevent the loss event from happening and mitigation safeguards to minimize the impacts if there is a loss event.

Loss of Containment [2]

The major thrust of process safety is to prevent and mitigate accidental or unintentional loss of containment of hazardous materials. Chemical plants are designed to avoid this consequence but loss of containment has resulted in all the process safety incidents that have occurred and those that are likely to occur in plants in the future. Good process safety design prevents and/or mitigates all forms of loss of containment. Unexpected releases of hazardous materials can occur as a result of:

  • Mechanical failure of the pressure envelope (the pressure/temperature limit of a vessel or pipe).

  • Process upset causing overpressure, high temperature or volume increase.

  • Human error resulting in the direct release of material to environment.

In some cases the leaks are small to begin with and slowly increase, such as a small flange leak which continues to open over time. Other sources, such as a major vessel failure, have maximum leak rates initially, and as the pressure of the source diminishes the leak rate decreases. The type of release can change as well. A line rupture can result in a jet release which could eventually degrade to a slower continuous liquid release.

Common loss of containment events include:

  • Opening a maintenance connection during operation

  • Piping failure from corrosion

  • Overfilling vessel or knockout drum

  • Mechanical failure of a process vessel due to thermal or mechanical shock

  • Overpressure due to process upset

  • Failure to shut valve after transfer operation

  • Hot work within berm ignites vapors from tank

  • Leaking roof seams

  • Leaking floating roof seal

  • Non-uniform mixing of contents—temperature anomaly

  • Internal explosion due to violent chemical reaction

  • Rupture of furnace tube

  • Rupture of tube in heat exchanger

  • Failure of an internal baffle due to corrosion

  • Vacuum due to various causes

  • Excess flow into vent system

  • Mechanical impact

Containment and Control [2]

The first layer of protection is to control the process so that it remains within its normal operating conditions. During the operational mode or normal operation, the objective is to maintain normal operation and to keep hazards contained and controlled. Layers of protection that help to attain this objective include the:

  • Basic process control system

  • Maintenance procedures

  • Inspections, tests, maintenance

  • Operating procedures

    • Training people in procedures

    • Conducting a procedure or operating a process correctly and consistently

    • Keeping a process within established limits

  • Guards, barriers against external forces

  • Management of change

The design of the instrumentation is extremely important. The control system addresses process deviations as they occur and has either built in control systems or operator actions to bring the process back into control. Process control systems maintain normal operation with manual operator controls relying on operator procedures and process alarms or automated process control systems utilizing basic process control systems, distributed control systems, and programmable logic controllers.

Initiating Cause or Event [2]

If an initiating cause develops then the control system is the first layer of defense to help bring the process back into control. Some possible initiating events include:

  • Equipment malfunctions

    • Pumps, compressors, agitators, valves, instruments, sensors, control systems

    • Spurious trips, vents, reliefs

  • Loss of utilities

    • Electricity, nitrogen, water, refrigeration, air, heat transfer fluids, steam, ventilation

  • Human errors

    • Operations

    • Maintenance

  • External agencies and events

    • Vehicle impact, extreme weather conditions, earthquake, knock-on effects, vandalism/sabotage

The safeguards and alarms built into the basic process control system and/or operator actions will attempt to bring it back under control. Many protective features are built into basic process control systems. However, these are not truly independent safety systems. If control is lost because of some instrument failure, that same instrument will normally not be able to function as a safety device. In a basic process control system there is usually no independence between control and protection because they are all controlled by the same control function.

Prevention of Loss of Containment Events [2]

Preventive safeguards come into play once an initiating cause results in an abnormal situation that cannot be controlled by the basic control system when a process deviation has occurred. Bringing the process into a safe condition requires the application of preventive safeguards. Preventive safeguards normally attempt to shut the process down when other safeguards have been unsuccessful in bringing the process back under control.

Safety Instrumented Systems [2, 4]

Typically Safety Instrumented Systems or SIS are the normal means employed to shut the process down. Although an operator may be in charge of initiating shutdown manually, the operator sometimes faces conflicts of interest in deciding whether to let the process operate or shut it down and he may not always be able to reliably assess the data available in a short time. The SIS will try to act such that any loss of containment is averted (of course, the SIS may be shutting the process down because a loss of containment event has already occurred!). This includes any loss of containment through relief systems if possible. If the SIS works, then the system will have to go through another startup sequence before it operates again.

There are specific standards that regulate the use of SIS. Testing capability is designed from the beginning. If the SIS can only be tested during shutdowns, there may be a long wait. A safety instrumented system:

  • Achieves (or maintains) a safe state of the process

  • Is designed and managed per

    • ANSI/ISA 84.00.01-2004

    • Guidelines for Safe and Reliable Instrumented Protective Systems, CCPS

    • Other applicable practices

  • Requires rigorous management system with respect to inspection, testing, and maintenance to justify risk reduction claim

  • Requires that all components of the “system” must be included in the certification of the system (not just the final element) and maintained and tested to justify the risk reduction claim

The key feature of an SIS is that it is totally independent of control. It should have its own independent sensor(s) and final element(s). Because of the additional complexity the plant may endure more spurious trips. Voting systems are sometimes employed to improve reliability while still maintaining the safety levels required.

Redundant Instrumentation and Control Systems [5]

Computer-controlled chemical plants have become the rule rather than the exception. As a result, it is possible to measure more variables and get more process information than ever, and chemical plants can be made safer than ever before. However, it must be kept in mind that instruments and control components will fail. It is not a question of if they will fail, but when they will fail, and what the consequences will be. Therefore, the question of redundancy must be thoroughly considered. The system must be designed so that when failure occurs, the plant is still safe.

Redundant measurement means obtaining the same process information with two like measurements or two measurements using different principles. Redundant measurements can be calculated or inferred measurements. Two like measurements would be two pressure transmitters, two temperature measurements, two level measurements, and so on. An example of inferred measurement would be using a pressure measurement and vapor pressure tables to check an actual temperature measurement.

A continuous analog signal that is continuously monitored by a digital computer is generally preferable to a single point or single switch, such as a high level switch or high pressure switch. A continuous analog measurement can give valuable information about what the value is now and can be used to compute values or compare with other measurements. Analog measurements may make it possible to predict future values from known trends. Analog inputs may be visual, and one can see what the set point is and what the actual value is. The software security system should determine who changes set points, and should not be easy to defeat.

A single point (digital) signal only determines whether switch contacts are open or not. It can indicate that something has happened, but not that it is going to happen. It cannot provide information to anticipate a problem that may be building up or a history about why the problem happened. Single point signals are easy to defeat. Some single point measurements are necessary, such as fire eyes, backup high level switches, and so on.

As a rule, it is best to avoid:

  • Both pressure transmitters on the same tap

  • Both temperature measuring devices in the same well

  • Both level transmitters on the same tap or equalizing line

  • Any two measurements installed so that the same problem can cause a loss of both measurements

It is a good idea to use devices that use different principles to measure the same variable, if possible.

An alarm should sound any time redundant inputs disagree. In many cases the operating personnel will have to decide what to do. In some cases the computer control system will have to decide by itself what to do if redundant inputs disagree.

The more hazardous the process, the more it is necessary to use multiple sensors for flow, temperature, pressure, and other variables.

Since it must be assumed that all measuring devices will fail, they should fail to an alarm state. If a device fails to a nonalarm condition, there can be serious problems. If a device fails to an alarm condition, but there is really not an alarm condition, it is also serious, but generally not as serious as if it fails to a nonalarm condition, which can provide a false sense of security.

Usually it is assumed that two devices measuring the same thing will not fail independently at the same time. If this is not acceptable, more than two devices may be used. If this is assumed, one can consider the effects of different levels of redundancy:

| Number of Inputs | Consequence |
|---|---|
| One | Failure provides no information on whether there is an alarm condition or not. |
| Two | Failures of one device show that there is a disagreement, but without more information, it cannot be determined whether there is an alarm condition or not. More information is needed; the operator could “vote” if there is time. |
| Three | Failures of one device leave two that work; there should be no ambiguity on whether there is an alarm condition or not. |
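The levels of redundancy described above, together with the rules that inputs fail to an alarm state and that any disagreement sounds an alarm, can be written as a small input voter. This is an added illustration, not code from the chapter or from any control-system vendor; the instrument range, set point, tolerance and all names are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed instrument data (assumptions, not values from the chapter).
RANGE_LO, RANGE_HI = 0.0, 300.0   # calibrated transmitter range
HIGH_LIMIT = 250.0                # high-pressure alarm set point
TOLERANCE = 5.0                   # allowed spread between like measurements


@dataclass(frozen=True)
class Verdict:
    state: str                # "NORMAL", "HIGH" or "UNKNOWN"
    alarm: bool               # annunciate; UNKNOWN fails to the alarm state
    disagree: bool            # redundant inputs disagree
    failed: Tuple[int, ...]   # indices of inputs detected as failed


def is_failed(value: Optional[float]) -> bool:
    """A missing, NaN or out-of-range signal is treated as a failed device."""
    if value is None or math.isnan(value):
        return True
    return not (RANGE_LO <= value <= RANGE_HI)


def evaluate(readings: Sequence[Optional[float]]) -> Verdict:
    """Vote one, two or three redundant readings of the same variable."""
    if not 1 <= len(readings) <= 3:
        raise ValueError("this sketch handles one to three inputs")
    failed = tuple(i for i, v in enumerate(readings) if is_failed(v))
    healthy = [v for v in readings if not is_failed(v)]
    high = sum(1 for v in healthy if v >= HIGH_LIMIT)
    normal = len(healthy) - high

    if len(readings) == 1:
        # One input: a failure leaves no information about the process.
        state = "UNKNOWN" if failed else ("HIGH" if high else "NORMAL")
    elif high >= 2 and high > normal:
        state = "HIGH"        # at least two working inputs agree
    elif normal >= 2 and normal > high:
        state = "NORMAL"
    else:
        # Two inputs that differ, or too few working inputs: the operator
        # (or further information) has to decide.
        state = "UNKNOWN"

    spread = max(healthy) - min(healthy) if healthy else 0.0
    disagree = len(readings) > 1 and (
        bool(failed) or (high > 0 and normal > 0) or spread > TOLERANCE
    )
    # Anything other than a confirmed NORMAL is annunciated (fail to alarm).
    return Verdict(state, state != "NORMAL", disagree, failed)


if __name__ == "__main__":
    # Constructed sample readings; None marks a lost signal.
    for sample in ([120.0], [None], [120.0, 262.0],
                   [121.0, 119.5, -50.0], [261.0, 259.0, 120.0]):
        print(sample, evaluate(sample))
```

With two inputs a single stuck transmitter always ends in `UNKNOWN`, while with three the remaining pair still decides, which is the distinction the redundancy levels above draw.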

Pressure Relief Systems

If the process cannot be shut down in time, then a relief system may be called into action. Although this is also a “loss of containment,” the fluid is discharged to a specific safe location. Sometimes defining a “safe” location is difficult.

The design of relief systems involves, in general, the following steps:

  1. Generate scenario. What could reasonably happen that could cause high pressures? This could be fire, runaway reactions, phase changes, generation of gases or vapors, leaks from high pressure sources, and so on.

  2. Calculate the duty requirements—the pounds per hour of material that has to be vented, and its physical condition (temperature, pressure, ratio of vapor to liquid, physical properties). This is a rather involved calculational procedure.

  3. Calculate the relief area required based on the duty, inlet and outlet piping, and downstream equipment. This is also a rather involved calculational procedure.

  4. Choose the relief device to be specified from vendor information.

A group of chemical companies joined together in 1976 to investigate emergency relief systems. This later resulted in the formation of The Design Institute for Emergency Relief Systems (DIERS), a consortium of 29 companies under the auspices of the AIChE. DIERS was funded with $1.6 million to test existing methods for emergency relief system design and to “fill in the gaps” in technology in this area, especially in the design of emergency relief systems to handle runaway reactions [6]. DIERS completed contract work and disbanded in 1984.

Huff was the first to publish details of a comprehensive two-phase flow computational method for sizing emergency relief devices, which, with refinements, has been in use for over a decade [7–10]. The most significant theoretical and experimental finding of the DIERS program was the ease with which two-phase vapor–liquid flow can occur during an emergency relief situation. The occurrence of two-phase flow during runaway reaction relief almost always requires a larger relief system than does single-phase flow vapor venting. The required area for two-phase flow venting can be from two to much more than two times larger to provide adequate relief than if vapor-only venting occurs [7]. Failure to recognize this can result in drastically undersized relief systems that will not provide the intended protection.

Two-phase vapor–liquid flow of the type that can affect relief system design occurs as a result of vaporization and gas generation during a runaway reaction or in many liquid systems subjected to fire (especially tanks that are nearly full). Boiling can take place throughout the entire volume of liquid, not just at the surface. Trapped bubbles, retarded by viscosity and the nature of the fluid, reduce the effective density of the fluid and cause the liquid surface to be raised. When it reaches the height of the relief device, two-phase flow results. Fauske and Leung [11] described test equipment that can be used to help determine the design of pressure relief systems for runaway reactions that often result in two- or three-phase flow.

Blow Down Systems/Flare Systems/Incinerators [2]

Relief devices most often discharge into collection/treatment systems called blow down systems. These collection/knockout systems are usually pressure vessels. Treatment systems, usually scrubbers and/or flares/incinerators, are located downstream of the collection/knockout vessels. More blow down systems are being designed to collect relief valve discharges especially two-phase discharges. Collection systems can at times be pretty sophisticated. Retrofit of these systems can be very difficult in placing them within existing process equipment. Some design considerations related to relief systems include:

  • Relief capacity based on simultaneous release of several PSVs from a single contingency.

  • System approach used to determine limiting scenario.

  • Blocked in circuit, fire, or loss of cooling. Which one is quicker acting?

  • May not take credit for instrumentation or human intervention.

  • System capacity must consider backpressure at all points of entry.

  • PSVs have full capacity at 10% overpressure.

  • Step configuration for variable loads.

  • Flare systems and incinerators [2].

A flare system is used to collect and burn excess flammable vapors and safely disperse the byproducts to atmosphere. A blow down (piping manifold) system is used to collect surplus vapors from a process. Most releases occur under emergency or upset (unplanned) conditions and are directed from the outlet of one or more relief valves. Entrained liquid is removed from the vapors (knock out drum) and the vapors are burned in a central stack. The flare stack is usually elevated to reduce thermal radiation effects on the ground and equipment and also to disperse smoke.

An incinerator is a waste treatment device that involves the combustion of organic materials in the solid or gaseous state. It is usually a direct fired piece of equipment where feedstock undergoes combustion. Processes may or may not recover the heat released from combustion.

Mitigation of Loss of Containment Events [2]

Mitigative safeguards limit the extent of the loss event. Mitigative safeguards include both physical as well as administrative components. As the incident progresses, mitigation is successful or unsuccessful. Mitigative safeguards include:

  • Isolation of piping systems and equipment

  • Detectors and alarms

  • Flame arrestors/suppression systems

  • Explosion containment rooms

  • Fire protection

  • Water or steam curtains

  • Emergency response

Design for Emergency Isolation of Piping Systems [2]

Design of piping systems with their associated equipment must include provision for safe and rapid isolation of the contents of the system should the need arise. This can be accomplished by strategic placement of emergency block valves (EBVs). EBVs are typically located at:

  • Loading/unloading lines in hazardous service

  • Furnace crack gas outlet lines

  • Inlet and outlet of compressors

  • Inlet and outlet of reactors

  • Inlet of pumps from vessels with 10,000 lb of flammable material

  • Major lines entering a system of vessels containing more than 10,000 lb of flammable materials which operate together

  • Battery limits for pipelines containing hazardous materials

Through proper design, it would be possible to provide for isolation of an individual item or section, or to effectively shut down an entire operation. The location of block valves must include consideration of potential hazards to operating personnel. Therefore, manually operated devices must be easily and safely accessible and easy to operate. Remotely or automatically operated block valves, usually recommended in situations where operating personnel would be exposed to hazardous conditions, should be placed in locations where, insofar as possible, they will not be subject to conditions which might impair their operation. If there is a possibility that they might be exposed to fire in the case of an emergency, block valves should be fireproof or fire resistant to the extent necessary to ensure dependable operation under such conditions. It should be apparent that proper use of block valves has the potential to greatly reduce loss of containment with its resultant explosions and fires because they:

  • Provide isolation between different hazards within a system

  • Quickly interrupt flow through a system or prevent gross movement of hazardous material into an exposed location

  • Block in specific pieces of hardware that may be involved in an incident

  • Cause an orderly shutdown of equipment

Categories of EBVs include:

  • Manually actuated valve at the equipment to be isolated

  • Manually actuated valve located at a safe distance from the equipment to be isolated

  • Mechanically assisted valve at or near the equipment to be isolated

  • Mechanically assisted valve with remote activation capability

Gas Detection [2]

Gas detection is used to determine the presence of undesired vapors and gases at some specified concentration. It is also used to support some action or decision. Sensors need to be located where gas is most likely to accumulate. With gas detectors, the concentration of test gas at point of measurement at a specific time is known, but how much gas is present, how far the gas cloud extends, the concentration profile within the cloud, what other gases are present, or how fast the gas is moving are not known.

Flame/Detonation Arrestors [2]

There are two types of arrestors: flame arrestors and detonation arrestors which are more massive and robust. The arrestor forces the gas velocity to decrease through increasing the diameter and then provides sufficient surface to cool the gas. If the upstream fire continues eventually it could overwhelm the arrestor as the internal parts heat up. Flame arresters absorb kinetic energy from a fluid and prevent deflagration/detonation transition. Common types include crimped ribbon, parallel plate, expanded metal, packed bed, hydraulic, perforated plate, sintered metal, and liquid seal. Criteria for design include vapor composition, operating pressure and temperature, piping configuration, and flow rate. All flame arresters must be tested in their final environment.

Explosion Venting, Mechanical Isolation, and Explosion Suppression [12]

Explosion vent panels are pretty common especially for dust applications. In dust applications there is a possibility of a buildup of solids on the inside panels which can add weight and resistance. Some materials such as hydrogen can’t be vented using explosion panels because of their high flame speeds. In general these systems are designed to discharge in an open environment. The panels are designed per NFPA 68. They are lightweight, tethered panels which are non-fragmenting.

Fast acting valves are another means of stopping flame propagation. They are dependent on very quick acting sensors that are able to detect change of pressure in the millisecond range.

Suppression systems such as halons cause the fire to starve because air is displaced by an inert. Having a space that is effectively sealed to minimize leakage is very important.

Certain types of foam or plastic media can be applied to a liquid spill in a dike to restrict vaporization.

Explosion containment rooms are used in special applications, particularly high pressure operations. They are also used in laboratories and pilot plants, sometimes with blow out walls and roofs.

Fire Protection [2]

Fire protection must be a functional, rational, and consistent system across a facility. A “holistic” fire protection strategy must be adopted to deal with all possible exposures that could threaten people, equipment, the operation, and the environment. Compliance to codes and standards is a minimal requirement. There must be an integrated fire protection strategy that includes:

  • Prevention: Process selection, equipment layout, good engineering, quality construction

  • Detection and response: Isolate fuel source

  • Suppression: Prevent fire from spreading—extinguish original fire

All of these activities are essential to success. Obviously the first consideration is to prevent as many opportunities for loss of containment of flammables and possible fires as possible. Foam systems are sometimes necessary to extinguish fires. Fire protection includes:

  • System for ensuring the early detection, extinguishment, and protection from fires

  • Deluge protection recommended in critical areas such as pump bays

  • Deluge systems should be easy to operate and should be augmented with detectors

  • Heat actuated sprinkler systems

  • Extinguishment in motor control centers and control rooms

  • Fireproofing on high value equipment (2–4 h)

A typical fire water distribution system is usually installed underground. Valves are placed so that water supply can get to any point from two directions within the loop. A 4 h supply of firewater is usually specified as recommended by insurance companies. The pumping system should be redundant with both electric and diesel backup pumps. With fire protection systems it is important to ensure the ongoing integrity of all fire protection hardware by preventive maintenance and testing. Ownership must be clearly established to ensure that proper testing and maintenance is done on fire protection systems.

All operating personnel must be familiar with the functionality of fire protection equipment that they may be required to use.

Emergency Response [2]

Emergency response involves scenario-based planning. It requires understanding the hazards and risks and on-site response capabilities. It also requires securing support from outside parties, for example, fire departments, and mutual aid organizations. Emergency response also requires the establishment of safe havens, evacuation routes, command centers, and the development of emergency response procedures. Emergency response training includes emergency drills that must be conducted. These drills include tabletop exercises and full-scale drills. Feedback from drills should result in improvement and modification of emergency procedures as necessary. See Chap. 3 for a more detailed discussion of emergency response.

Management Systems (Risk-Based Process Safety) [2, 13]

Management systems are necessary to ensure that process safety concepts and practices are implemented in an organization. There are several models for process safety management systems. The OSHA process safety management model is a legal requirement in the United States (see section on “Regulations” in this chapter). Risk-Based Process Safety is the model developed by CCPS. It is not a regulatory requirement but is consistent with the OSHA PSM standard and the chemical processing industries’ good practice. The recent book entitled Risk Based Process Safety, CCPS, 2007 discusses the model proposed by CCPS that will be used in this discussion of process safety management systems. The concept of Risk Based Process Safety is that each company needs to tailor its process safety management systems to address its risk and risk tolerance. In other words the higher the risk of a major process safety incident, the more robust your management system should be. Also companies with the same risk of a major process safety incident may have different management systems because of different risk tolerance. For example, a company that has a chlorine unloading operation adjacent to another business or residential area should have a more robust management system than a company with a similar unloading operation located in a remote area. Of course hazardous operations need to be located in as remote areas as possible.

CCPS defines process safety management as a management system that is focused on the prevention of, preparation for, mitigation of, response to, and restoration from catastrophic releases of chemicals or energy from a process associated with a facility. The key concept is “catastrophic” releases of chemicals or energy from a process associated with a facility. A process is a sequence of activities that leads to a desired outcome. That outcome often involves the creation of a marketable product. In practice, processes of concern include the shipping, handling, storing, mixing, separating, and disposal of chemicals. Risk-based process safety uses risk-based strategies and implementation tactics that are commensurate with the risk-based need for process safety activities, availability of resources, and existing process safety culture. Based on the company’s perception of risk, each element of RBPS needs to be designed and implemented to fit the risk. Each company will have different looking management systems based on their risk perception and culture, but all 20 elements need to be addressed. The goal of RBPS is to design, correct, and improve process safety management activities.

The 20 elements of RBPS are organized under the pillars “commit to process safety,” “understand hazards and risk,” “manage risk,” and “learn from experience.” Each of the 20 elements under the four pillars will be discussed (see Fig. 2.5).

Fig. 2.5 Risk based process safety (David Guss, Nexen Inc. (2008), from CCPS, Process Safety Boot Camp Course (2010) and used with permission)

Commit to Process Safety

The first pillar of RBPS is to Commit to Process Safety. To commit to process safety, facilities should focus on:

  • Developing and sustaining a culture that embraces process safety.

  • Identifying, understanding, and complying with codes, standards, regulation, and laws.

  • Establishing and continually enhancing organizational competence.

  • Soliciting input from and consulting with all stakeholders, including employees, contractors, and neighbors.

Process Safety Culture

What is process safety culture? Process safety culture is the combination of group values and behaviors that determine the manner in which process safety is managed. It is often described as how we do things around here, what we expect here, or how we behave when no one is watching. Why is process safety culture important? Investigations of catastrophic events have identified common process safety culture weaknesses that are often factors in other serious incidents. Examples of process safety culture weakness include warning signs such as lack of enforcement of process safety standards, no sense of vulnerability, poor communications, and delayed or no response to process safety issues and concerns.

Human Factors [2]

When examining process safety culture, it is important to understand human factors. This is a very important subject that people sometimes have difficulty in understanding. It encompasses a broad range of topics. Human errors will happen and must be eliminated or the probability or consequences of those errors must at least be reduced when handling hazardous materials. The perception of the application of human factors as ill-defined, difficult to apply, and expensive is a misconception. Those companies that have actively applied human factors have seen a true business value. Human factors look at the ways to identify and control potential human errors and conditions which affect the outcome of human activity. The human is the ultimate variable in every human–machine interface. The potential for human error exists wherever there are several choices or degrees of freedom. There are three groupings of human interactions that all overlap and are intertwined with one another. These are people, facilities, and management systems. The potential for human errors in all these groupings must be examined. The CCPS book Guidelines for Preventing Human Error in Process Safety by Center for Chemical Process Safety (CCPS), August 2004, is an excellent source of information on human factors.

Compliance with Standards

The next element under the pillar “Commit to Process Safety” is “Compliance with Standards.” A standards system is a system to identify, develop, acquire, evaluate, disseminate, and provide access to applicable standards, codes, regulations, and laws that affect process safety. It addresses internal and external standards; national and international codes and standards; and local, state, and federal regulations and laws. It interacts with every RBPS management system element.

“Recognized and generally accepted engineering practices” or RAGAGEP is a regulatory term that means the engineering practices that are prevalent in the industry must be followed. It is included in the Process Safety Information element as applied to equipment used in the process in the OSHA PSM standard. A standards system as discussed above will help to ensure that RAGAGEP is implemented in the facility.

Why is a standards system important? Knowledge of and conformance to standards helps a company operate and maintain a safe facility and to consistently implement process safety practices. It also minimizes legal liability. Changes in standards must be current so the company can adjust its compliance activities. The standards system also forms the basis of the standards of care used in an audit program to determine management system conformance.

Inherently Safer Concepts [2, 14]

One important accepted practice is inherently safer design. The concept of inherent safety was first coined by Trevor Kletz. Trevor Kletz worked for ICI as a safety consultant and is still active in process safety today. Recently CCPS has updated a guidelines book on inherently safer chemical processes (see references). Inherently safer is a principle that continues to be important in the reduction of overall risk for any company.

In the narrow definition, inherently safer designs permanently and inseparably reduce or eliminate process hazards that must be contained and controlled to avoid loss events. To quote Trevor Kletz “The essence of the inherently safer approach to plant design is the avoidance of hazards rather than their control by added-on protective equipment” [15].

Process safety strategies include:

  • Inherent (hazard elimination or reduction)

  • Passive (process or equipment design features that reduce risk without active functioning of any device)

  • Active (engineering controls)

  • Procedural (administrative controls)

The above is the hierarchy of strategies to control hazards or risk. Least reliable is an administrative approach. From a reliability standpoint, engineering controls follow, then passive controls such as dikes. Finally, inherent safety is the most reliable. In practice all four strategies are used to design and operate a safe chemical processing facility.

Sometimes what appears to be an inherently safer approach creates its own hazards and risks, which may result in lower risk overall but will not reduce risk to zero. Sometimes the frequency of a loss of containment will be increased by the change. For example, supplying chlorine, a hazardous material, from many small cylinders instead of one large tank increases disconnect frequency, and thus the chance of a leak, but the consequences of a release if a leak should occur will be significantly reduced because the quantity released would be less. Another example is a reactor that underwent a runaway reaction and would have produced much smaller consequences if it had failed at only a few pounds pressure. Instead the vessel was designed to 50 psig to decrease the likelihood of a release, and when it failed the pressure rise was exponential, producing a much greater amount of stored energy and consequently much greater damage.

Inherently safer principles put forth by Trevor Kletz include:

  • Use less hazardous materials

  • Minimize inventories

  • Reduce operating severity

  • Simplify equipment design

The implementation of these principles will result in serious process incidents occurring less frequently. Examples of the application of the principles include:

  • Intensification: Reduce quantity of hazardous materials.

  • Substitution: Use of safer materials.

  • Attenuation: Running at safer operating conditions.

  • Limitation of effects: Changing equipment layout to reduce consequences.

  • Simplification: Avoidance of multiproduct operations.

  • Error tolerance: More robust equipment to tolerate upsets and errors.

  • Avoid knock-on effects: Open construction, layout.

  • Prevent incorrect assembly: Piping systems to reduce human error.

  • Ease of control: Less hands on control.

It is extremely important to apply inherently safer principles at the laboratory stage or during the process conceptual design. The earlier inherently safer design concepts can be applied, the easier implementation will be, although the principles can be applied throughout the life of a plant.

Process Design [2]

Standards and practices are an important aspect of process design. There are many different process safety topics that are part of design. Some are addressed very early in the design process such as layout and spacing, while others are done during detailed design, e.g., bonding and grounding. Some of these safeguards are passive, e.g., grading and drainage and some require engineering control, e.g., system isolation.

The design topics covered briefly in this chapter include:

  • Layout and spacing

  • Infrastructure

  • Grading and drainage

  • Equipment selection/sizing

  • Design for pressure protection

  • Design for mechanical integrity

  • Fireproofing/firewalls

  • Inerting

  • Electrical area classification (EAC)

  • Bonding and grounding

  • System isolation

  • Review of design alternatives

Process design is a key element in regard to how to contain and control potential loss of containment events.

  • Layout and spacing

Layout and spacing are critical to safe design. Congestion and confinement are major contributors to high pressures from vapor cloud explosions. Layout and spacing concepts are much easier to apply with a new grass roots facility, but with an existing facility debottlenecking seems to be more prevalent and the job much more difficult.

An I, L, or H pattern provides ease of access and minimal congestion. Layout involves determining the most logical way of configuring the plant given various constraints from the site plot. Every additional foot of piping (and valves) increases the risk of failure. Important strategies include:

  • Unit layout in I, L, or H pattern preferred

  • High value equipment separated from high hazards if possible

  • Major inventory sources well spaced and separated

  • Minimize amount of congestion and confinement

  • Egress, maintenance and fire fighting access

  • Arrange equipment by function

  • Arrange piping by category of service

  • Grading and drainage

Equipment containing large volumes of flammable materials should be located upstream of sloped areas. The rate and quantity of firewater should also be considered in the design of the sewer system or catch basin. The grading plan must be completed prior to plant layout. Key points regarding grading and drainage include:

  • Grading should slope away from fuel sources or critical equipment

  • Sewer system should be sized to handle storm runoff or maximum release from major equipment failure

  • Multiple catch basins reduce the travel time/distance and reduce the surface area for a potential fire

    • Remember sewers are costly; catch basins are not

  • Need to segregate incompatible materials

  • Sewer design must recognize plugging potential; provide means of clearing

  • Sewers must not permit the passage of flammable vapor

    • Use traps

  • Integrated approach to layout, grading, and sewers is required

  • Equipment sizing

Larger vessels are more adiabatic, and self-heating and unwanted reactions are more difficult to control. Sometimes mixing becomes more difficult in large reactors. Some factors to consider in equipment sizing include:

  • Determined by inventory requirements and holdup considerations

  • Driven by economics but limited by transportation systems

  • Large size equipment is more prone to failure from localized stresses

  • Difficult to establish control within all parts of large systems

  • Difficult to establish equilibrium in large vessels and reactors

The advantages of small equipment include:

  • Reduce hazardous inventory

  • Reduce size to save capital and reduce maintenance

  • Reduced size gives quicker response—more predictable behavior

  • Lower internal stresses

The advantages of larger equipment include:

  • Increase size to cushion equipment against upset

  • Increased size may reduce number of procedural steps

These are some of the considerations that must be examined. Sometimes goals of the plant and business area are in conflict. The business area wants to have a large inventory so the customer is always able to be supplied on time. The plant wants to minimize storage to have an inherently safer plant. A facility is probably less prone to human error in a single large system compared to a group of smaller systems.

  • Pressure protection design

This topic has already been discussed as a mitigative safeguard.

  • Design for mechanical integrity

Equipment must be designed for mechanical integrity. The design must tolerate continuous exposure to process fluids at normal and upset operating conditions. Normal modes of failure must be anticipated, e.g., impeller wear, corrosion. What tests are necessary to maintain mechanical integrity and how frequently they must be done needs to be established during design. In many cases instruments, like vibration sensors, are designed and alarmed if the machine goes out of its normal operating range. Pressure vessel cycling is another consideration especially for batch reaction systems. Replacement of systems over time and how that can physically be accomplished must be addressed during design. How critical systems must be tested—on-line and off-line—and how frequently testing will occur must also be addressed.

How relief valve testing will be done and access to relief valves is another design consideration. Key concepts to keep in mind regarding design for mechanical integrity include:

  • Commit to quality engineering standards

  • Material selection to match conditions

  • Design to full range of service conditions

  • Design for pressure/temperature cycles

  • Minimize temperature gradients/local stresses/vibration

  • Quality control during fabrication and construction

  • Design for ease of testing and maintenance

  • Dimensional tolerances in rotating equipment

  • Fireproofing and fire walls

Key aspects of fireproofing include:

  • Fire hazard zones must be determined based on credible release scenarios

    • Consider drainage and system inventory

  • All load-bearing members which reside in a fire hazard zone must be passively protected for 2 h min per UL 1709

  • Must extend fireproofing to highest structural member that supports fuel containing equipment—include cross members

  • Include whole structure footprint unless clear break point exists

  • Fireproofing materials must have good thermal insulation properties and must resist mechanical impact and erosion

  • Concrete is an ideal choice for most applications but it can add considerable weight to a structure

  • Mixed cementitious fireproof materials (such as Pyrocrete 241) may be used if they are properly applied

  • Contour or surface application around structural steel is recommended to avoid moisture collecting

  • All fireproofing applications are subject to verification and approval by UL 1709

Firewalls are solid barriers that shield equipment (usually high value) from direct fire radiation and prevent the spread of fires. Firewalls are generally of concrete construction and provide 2–4 h of fire protection. Full partition firewalls may be used to segregate EAC zones.

Fire stops are barriers installed in pipe racks or conduit runs. They prevent the passage of fuel, air, or fire but permit circuit continuity. Their integrity is a function of design and quality of installation.

Inerting: The addition of inert gases to a mixture of flammable gases and air affects flammability limits. Carbon dioxide causes a greater narrowing of the flammable range than does nitrogen. Water vapor is an acceptable inert gas if the temperature is high enough to exclude much of the oxygen, which requires a temperature of 90–95°C. Because water vapor and carbon dioxide have a higher heat capacity than nitrogen, they are somewhat more effective as inerting agents than nitrogen. Some halogen-containing compounds also can be used for inerting materials at relatively low concentrations. An example of this is the use of Freon-12 (CCl₂F₂). Caution must be used with halohydrocarbons because of the possibility of the halocarbons themselves burning, especially at high pressures. Environmental considerations are making the use of halogenated hydrocarbons for inerting increasingly undesirable. Materials are being developed that are considered environmentally acceptable. Figures 2.6 and 2.7 [16] show flammability envelopes for methane and n-hexane for various air–inert mixtures at 25°C and 1 atm. All flammable envelopes are similar to Figs. 2.6 and 2.7 except in minor detail. The lower limit is virtually insensitive to added inerts. The upper limit, however, decreases linearly with added inert until the critical concentration of inert is reached beyond which no compositions are flammable. In these graphs, Cst means the stoichiometric composition.

Fig. 2.6 Limits of flammability of various methane–inert gas–air mixtures at 25°C and atmospheric pressure. (Courtesy Bureau of Mines)

Fig. 2.7 Limits of flammability of various n-hexane-inert gas mixtures at 25°C and atmospheric pressure. (Courtesy Bureau of Mines)

The limits of flammability are dictated by the ability of a system to propagate a flame front. Propagation does not occur until the flame front reaches about 1,200–1,400 K. Since the typical terminal temperature for hydrocarbons at stoichiometric conditions is about 2,300 K, it can be seen that having only one-half the fuel or oxidizer present will produce about one-half the flame temperature, which is too low to propagate flame.

A useful rule to remember is that the lower flammable limits of most flammable vapors are close to one-half the stoichiometric composition, which can be calculated. Another easy rule to remember is that about 10% oxygen or less in air (assuming the rest is mostly nitrogen) will not support combustion of most flammable hydrocarbon vapors.

The flammability limits of hydrocarbon-type fuels in oxygen and inert gas atmospheres are a function of the inert gas and any fuel or oxygen in excess of that required by the stoichiometry of the combustion process. In systems where fuel content is fixed, inert material having a high heat capacity will be more effective at flame suppression than inert material having a low heat capacity.

Many of the flammable limits reported in the literature are somewhat too narrow, and certain gas compositions regarded as being nonflammable are in fact flammable when given the proper set of circumstances. In other words, take data on flammability limits from the literature with a grain of salt. It is best not to design closely on the basis of most available data on flammability limits.

The use of inert gases can cause some serious hazards that must be recognized if inerts are to be used effectively and safely. Considerations in the use of inert gases include:

  1. An inert atmosphere can kill if a person breathes it: Precautions should be taken to ensure that personnel cannot be exposed to the breathing of inert atmospheres.

  2. Some products need at least a small amount of oxygen to be stored safely: This includes styrene and some other vinyl monomers, which must have some oxygen in them to make the usual polymerization inhibitor for styrene (t-butyl catechol, or TBC) effective. If pure nitrogen, for example, is used to blanket styrene, the inhibitor will become ineffective. TBC customarily is added to styrene monomer to prevent polymer formation and oxidation degradation during shipment and subsequent storage; it functions as an antioxidant and prevents polymerization by reacting with oxidation products (free radicals in the monomer). If sufficient oxygen is present, polymerization is effectively prevented (at ambient temperatures); but in the absence of oxygen, polymerization will proceed at essentially the same rate as if no inhibitor were present. The styrene may polymerize and can undergo an uncontrolled exothermic reaction, which may generate high temperatures and pressures that can be very hazardous. The inhibitor level of styrene must be maintained above a minimum concentration at all times. The minimum concentration of TBC in styrene for storage is about 4–5 ppm.

  3. To be effective, inert atmospheres must be maintained within certain composition limits. This requires the proper instrumentation and regular attention to the system.

  4. Inerting systems can be quite expensive and difficult to operate successfully: Before the use of inert systems, alternatives should be explored, such as the use of nonflammable materials or operating well outside, preferably below, the flammability range.

Electrical Area Classification [2]: One of the first exercises during design between the electrical engineers and the process engineers results in an electrical classification plot plan diagram. Vehicular traffic in the plant is another source of ignition that should be considered in layout. A plot plan drawing with electrically classified buildings, rooms, etc. is usually developed. More detailed drawings may be needed for special process equipment and discharges. EAC is a system used to control potential electrical ignition sources in close proximity to flammable substances. EAC is usually done by process engineers in conjunction with electrical engineers. It determines electrical hardware which may be used and where it may be located. Non-sparking equipment is defined. Explosion proof enclosures provide a small confined enclosure over electrical contacts. Sealing devices must also be specified.

There will be different electrical system requirements depending on the type of material and whether it is a flammable gas or dust. The Zone system is replacing the US Division system.

  • Class I—Flammable gas, vapor, or liquid is present

  • Class II—Combustible dust is present

  • Group A—Acetylene

  • Group B—Hydrogen

  • Group C—Cyclopropane, ethyl ether

  • Group D—Acetone, butane, hexane, natural gas, fuel oil

  • Group E—Combustible metals

  • Group F—Carbonaceous materials, including coal dust

  • Group G—Flour, starch, plastic

  • Division 1 (Zone 0 or 1)—Flammable or combustible concentrations exist under normal operating conditions

  • Division 2 (Zone 2)—Flammable or combustible concentrations exist under abnormal operating conditions or have a low likelihood of occurrence

Static Electricity, Grounding and Bonding

Introduction

Many apparently mysterious fires and explosions have eventually been traced to static. In spite of the large amount of information about static electricity, it remains a complex phenomenon not often understood and appreciated. Static electricity is a potential source of ignition whenever there is a flammable mixture of gas or dust.

When two different or similar materials are in contact, electrons can move from one material across the boundary and associate with the other. If the two materials in contact are good conductors of electricity and are separated, the excess electrons in one material will return to the other before final contact is broken. But if one or both of the materials are insulators, this flow will be impeded. If the separation is done rapidly enough, some excess electrons will be trapped in one of the materials. Then both materials are “charged.” Electric charges can build up on a nonconducting surface until the dielectric strength is exceeded and a spark occurs. The residual charge could ignite flammable mixtures.

The two materials or phases in initial contact may be a single liquid dispersed into drops, two solids, two immiscible liquids, a solid and a liquid, a solid and a vapor or gas, a liquid and a vapor or gas.

The important thing to keep in mind is that whenever there is contact and separation of phases, a charge may develop that could be disastrous. Three conditions must be met before an explosion caused by static electricity can take place:

  1. An explosive mixture must be present.

  2. An electric field must have been produced due to the electrostatic charge that had been generated and accumulated in a liquid or solid.

  3. An electric field must be large enough to cause a spark of sufficient energy to ignite the mixture.

In designing preventive measures, all three factors should be controlled.

Static electricity is essentially a phenomenon of low current but high voltage and high resistance to current flow. A low-conductivity liquid flowing through a pipeline can generate a charge at a rate of 10⁻⁹ to 10⁻⁶ amperes (A). A powder coming out of a grinding mill can carry a charge at a rate of 10⁻⁸ to 10⁻⁴ A. At a charging rate of 10⁻⁶ A, the potential of a container insulated from earth can rise at a rate of 1,000 V/s and a voltage of 10,000 V or higher can readily be obtained in this way.

Several electrostatic voltages and energies commonly encountered are typified by the following examples:

  1. A person walking on dry carpet or sliding across an automobile seat can generate up to 5,000 V in dry weather. An individual having a capacitance of 100 pF, a reasonable figure, could generate a spark energy of 1.25 mJ. This is far more than is needed to ignite some flammable vapor–air mixtures.

  2. A person can accumulate dangerous charges up to about 20,000 V when humidity is low.

  3. A truck or an automobile traveling over pavement in dry weather can generate up to about 10,000 V.

  4. Nonconductive belts running over pulleys generate up to 30,000 V. The voltage generated by a conveyor belt can be as high as 10⁵ V; the system can in effect act as a Van de Graaff generator.

  5. The energy in the spark from an ordinary spark plug is 20–30 mJ.

The capacitance and the energy for ignition of people and of common objects are important. The capacitance of a human being is sufficient to ignite various flammable gas mixtures at commonly attained static voltages.

There are several hazard determinants relating to static electricity:

Capacitance: The capacitance of an object is the ratio of the charge of the object to its potential. The capacitance gets larger as the object gets larger. With a given charge, the voltage gets higher as the capacity of the object gets smaller. For a sphere, capacitance is given by

$$ C = \frac{Q(10^{-3})}{V} $$

The energy stored in a capacitor is [17]

$$ W = 0.5\,C V^{2} (10^{-3}) = 500\,Q^{2}/C $$

where

  • C = capacitance, pF (1 pF = picofarad = 10⁻¹² F)

  • Q = charge, microcoulombs (1 C = 1 A/s = charge on 6.2 × 10¹⁸ electrons)

  • V = voltage in kilovolts

  • W = energy, millijoules (mJ)

This energy may be released as a spark when the voltage gets high enough. The minimum sparking potential for charged electrodes is about 350 V and occurs at a spacing of 0.01 mm. Sparks from an equally charged nonconductor are less energetic and may contain only part of the stored energy. These comparatively weak sparks are not likely to ignite dust clouds but can ignite flammable gases (Fig. 2.8).

Fig. 2.8 Some typical values of electrical capacitance. (Data from Eichel [21])

The energy that can be stored by capacitance of an object can be compared with the minimum ignition energies of flammable gas–air mixtures and of dust–air mixtures to determine the probability that a spark discharge may have sufficient energy to cause ignition. If the charged object is a poor conductor, the calculation of energy available to produce a spark may not be possible because the charge often is not uniformly distributed, and the resistance to flow of current is high. Figure 2.8 shows some typical values of electrical capacitance [18].
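The comparison described above, worked through as an added Python example (not part of the original chapter), using the chapter's energy formula in its own units (pF, kV, mJ) and the voltages and charging rate quoted earlier. The 0.25 mJ ignition threshold, the 2 kV case, the 1,000 pF container capacitance (inferred from 10⁻⁶ A producing 1,000 V/s) and all function names are assumptions made for illustration.

```python
import math

# Unit factor in the chapter's formula W = 0.5 * C * V^2 * (10^-3),
# with C in pF, V in kV and W in mJ.
MJ_PER_PF_KV2 = 1e-3

# Assumed ignition energy for the screening below (illustrative value,
# not taken from the chapter).
ASSUMED_IGNITION_MJ = 0.25


def spark_energy_mj(c_pf, v_kv):
    """Stored energy in mJ for capacitance c_pf (pF) charged to v_kv (kV)."""
    if c_pf <= 0 or v_kv < 0:
        raise ValueError("capacitance must be > 0 and voltage >= 0")
    return 0.5 * c_pf * v_kv ** 2 * MJ_PER_PF_KV2


def voltage_for_energy_kv(c_pf, w_mj):
    """Voltage (kV) at which the stored energy reaches w_mj (mJ)."""
    if c_pf <= 0 or w_mj < 0:
        raise ValueError("capacitance must be > 0 and energy >= 0")
    return math.sqrt(2.0 * w_mj / (c_pf * MJ_PER_PF_KV2))


def voltage_rise_v_per_s(i_amp, c_pf):
    """dV/dt = I / C for an object insulated from earth (no leakage)."""
    return i_amp / (c_pf * 1e-12)


def seconds_to_energy(i_amp, c_pf, w_mj):
    """Time for an insulated object charged at i_amp to store w_mj."""
    volts = voltage_for_energy_kv(c_pf, w_mj) * 1e3
    return volts / voltage_rise_v_per_s(i_amp, c_pf)


def screen(cases, ignition_mj):
    """Rank (name, pF, kV) cases by stored energy against a threshold.

    The stored energy is an upper bound: the chapter notes that a spark
    from a nonconductor may release only part of it.
    """
    rows = []
    for name, c_pf, v_kv in cases:
        w = spark_energy_mj(c_pf, v_kv)
        rows.append({
            "name": name,
            "energy_mj": w,
            "ratio": w / ignition_mj,
            "can_ignite": w >= ignition_mj,
        })
    return sorted(rows, key=lambda r: r["energy_mj"], reverse=True)


# Voltages from the chapter's examples; the 2 kV case and the container
# capacitance are constructed for this example.
CASES = [
    ("person, dry carpet, 5 kV", 100.0, 5.0),
    ("person, low humidity, 20 kV", 100.0, 20.0),
    ("person, 2 kV (constructed)", 100.0, 2.0),
    ("insulated container, 10 kV", 1000.0, 10.0),
]

if __name__ == "__main__":
    for row in screen(CASES, ASSUMED_IGNITION_MJ):
        print(f'{row["name"]:32s} {row["energy_mj"]:8.2f} mJ '
              f'x{row["ratio"]:6.1f} ignite={row["can_ignite"]}')
    t = seconds_to_energy(1e-6, 1000.0, ASSUMED_IGNITION_MJ)
    print(f"container reaches {ASSUMED_IGNITION_MJ} mJ after {t:.2f} s")
```

At the quoted charging rate the assumed container stores the threshold energy in under a second, long before it reaches the 10,000 V mentioned in the text.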

Relaxation time: When a liquid is flowing in closed metal pipes, static electricity is not a hazard. When the liquid enters a tank, it may become a hazard. Charges caused by liquid separation during pumping, flow, filtration, and other effects such as splashing and agitation can accumulate on the surface of the liquid in the tank and cause sparking between the liquid surface and the tank or conducting objects in the tank. The charge thus generated can be dissipated by relaxation or via discharge through a spark or corona discharge. The relaxation time is the time required for 63% of the charge to leak away from a charged liquid through a grounded conductive container. The half-time value is the time required for the free charge to decay to one-half of its initial value. The half-time is related to the relaxation time by the relationship

$$ {T_{\rm{h}}} = {T_{\rm{r}}} \times 0.693 $$

where T_h = half-time and T_r = relaxation time. Relaxation times vary from small fractions of a second up to minutes and even hours for some highly purified hydrocarbons that have very low conductivity.

It is important to recognize that a large charge can accumulate in the liquid even in a grounded container. In fact, it was reported that the majority of accidents attributed to static electricity in the petroleum industry have been with liquid in grounded containers [19].

Relaxation time can be calculated as follows:

$$ {T_{\rm{r}}} = E({E_0}/k) $$

where

  • T_r = the relaxation time, in seconds; the time for 63% of the charge to leak away

  • E = relative dielectric constant, dimensionless

  • E_0 = absolute dielectric constant in a vacuum = 8.85 × 10⁻¹⁴ to less than 1 × 10⁻¹⁸

  • k = liquid conductivity, Siemens per centimeter (S/cm)

Siemens (S) are also called mhos

Example: Benzene in a large tank could have a specific conductivity as low as 1 × 10⁻¹⁸ mho/cm and as high as 7.6 × 10⁻⁸ S/cm. The corresponding relaxation times for the two conductivities can be calculated as follows. Pure benzene has a dielectric constant of 2.5 to less than 1 × 10⁻¹⁸. Using the above equation:

  1. $$ {T_{\rm{r}}} = (8.85 \times 10^{-14})(2.5)/(7.6 \times 10^{-8}) = 2.91 \times 10^{-6}\ \text{s} $$
  2. $$ {T_{\rm{r}}} = (8.85 \times 10^{-14})(2.5)/(1 \times 10^{-18}) = 2.21 \times 10^{5}\ \text{s (this is in excess of 60 h)} $$

Benzene typically contains some water and has a higher conductivity than in the above example and has a much lower relaxation time.

The purity of a liquid has a great effect on its relaxation time, and thus its static hazard potential. In actual practice, relaxation times of a few seconds to an hour are encountered, depending on the purity and dryness of the liquid. This emphasizes the dangers of open sampling of tank contents soon after filling. If it is likely that the liquid being used has a low conductivity, it is important that enough time elapses between activities that can produce a static charge, such as loading a tank, and any activity that could cause a spark, such as sampling from the top of the tank.

In case (2) in the above example, a conductivity of 10⁻¹⁸ S/cm is so low that there may be little charge separation and little charge formation, and there may be no hazard even though the calculated relaxation time is extremely long. Materials with a half-time value of less than 0.012 s have been reported not to cause a hazard. A useful rule to remember is that the concept of relaxation is very important because it is possible for liquid in a tank to retain an electric charge for a long time if the liquid is a poor conductor, even if the tank is grounded. The specific conductivity, and therefore the relaxation time, is greatly affected by impurities. For example, the specific conductivity of benzene can vary from as low as 1 × 10⁻¹⁸ to about 7.6 × 10⁻⁸ S/cm, depending on its purity. It can vary significantly with the amount of water or other materials dissolved in the benzene [17].
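The relaxation-time relations above can be carried through numerically. The following Python sketch is an added example, not part of the original chapter; it assumes simple exponential charge decay (which the 63% and 0.693 figures imply), and the intermediate conductivity of 1 × 10⁻¹⁵ S/cm is a constructed sample value.

```python
"""Charge relaxation of a liquid in a grounded tank, using the chapter's
relations T_r = E * E_0 / k and T_h = 0.693 * T_r."""
import math

E0 = 8.85e-14                  # absolute dielectric constant of vacuum (value from the text)
NO_HAZARD_HALF_TIME_S = 0.012  # half-times below this are reported not to cause a hazard
MIN_WAIT_S = 60.0              # minimum waiting time after filling quoted in the text (1 min)


def relaxation_time(rel_dielectric, conductivity_s_per_cm):
    """Time in seconds for 63% of the charge to leak away."""
    if rel_dielectric <= 0 or conductivity_s_per_cm <= 0:
        raise ValueError("dielectric constant and conductivity must be positive")
    return rel_dielectric * E0 / conductivity_s_per_cm


def half_time(t_r):
    """Time in seconds for the free charge to decay to one-half."""
    return 0.693 * t_r


def fraction_remaining(wait_s, t_r):
    """Fraction of the initial charge left after wait_s seconds.

    Assumption: exponential decay, Q(t) = Q0 * exp(-t / T_r). This is what
    "63% leaks away in one T_r" and the factor 0.693 (ln 2) both imply.
    """
    return math.exp(-wait_s / t_r)


def wait_for_fraction(target_fraction, t_r):
    """Seconds to wait until only target_fraction of the charge remains."""
    if not 0 < target_fraction < 1:
        raise ValueError("target_fraction must be between 0 and 1")
    return -t_r * math.log(target_fraction)


def assess(rel_dielectric, conductivity_s_per_cm, target_fraction=0.01):
    """Collect the numbers an operator would want before open sampling."""
    t_r = relaxation_time(rel_dielectric, conductivity_s_per_cm)
    t_h = half_time(t_r)
    return {
        "relaxation_time_s": t_r,
        "half_time_s": t_h,
        "half_time_below_reported_no_hazard_level": t_h < NO_HAZARD_HALF_TIME_S,
        "fraction_left_after_min_wait": fraction_remaining(MIN_WAIT_S, t_r),
        "wait_s_for_target_fraction": wait_for_fraction(target_fraction, t_r),
    }


# Benzene, relative dielectric constant 2.5. The first and last conductivities
# are the two cases from the text; the middle one is a constructed sample.
SAMPLES = [
    ("benzene, 7.6e-8 S/cm (text, case 1)", 2.5, 7.6e-8),
    ("benzene, 1e-15 S/cm (constructed)", 2.5, 1e-15),
    ("benzene, 1e-18 S/cm (text, case 2)", 2.5, 1e-18),
]

if __name__ == "__main__":
    for label, eps, k in SAMPLES:
        r = assess(eps, k)
        print(label)
        print(f"  T_r = {r['relaxation_time_s']:.3g} s, T_h = {r['half_time_s']:.3g} s")
        print(f"  charge left after {MIN_WAIT_S:.0f} s: "
              f"{100 * r['fraction_left_after_min_wait']:.1f}%")
        print(f"  wait for 1% of charge: {r['wait_s_for_target_fraction']:.3g} s")
        # Note: for case 2 the text cautions that so little charge may separate
        # that there may be no hazard, despite the long calculated T_r.
```

For the constructed intermediate case, about three-quarters of the charge is still present after the 1 min minimum wait, which is why longer waiting periods matter for low-conductivity liquids.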

Resistivity: The extent of charge separation is dependent on the resistivity of the liquid. Some materials have a sufficiently high conductivity to render them safe in terms of static buildup. If the resistivity is low, charge separation is easy, but so is charge recombination through the liquid. If the resistivity is high, there may be appreciable charge separation without immediate recombination, leading to a high charge. If the resistivity is extremely high, there may be no charge separation, and there is no buildup of a charge. If the conductivity of a liquid falls in the hazardous range, it is possible to modify it by the use of a very small amount of an additive. Additives usually are a combination of a polyvalent metal salt of an acid such as carboxylic or sulfonic acid and a suitable electrolyte. Additives of this type can impart a conductivity of 10⁻⁸ S/m (Siemens per meter) in a 0.1% solution in benzene [19].

A useful rule to remember is that when the resistivity of a liquid exceeds 10¹⁵ Ω centimeters (Ω-cm), or is less than 10¹⁰ Ω, static generation or accumulation is negligible. Between these limits, the net generation of charges increases with the maximum charge generation at 10³ Ω. Styrene, for example, a commonly used monomer, has a resistivity of 4 × 10¹³ at 20°C [20], and therefore is capable of building up a potentially hazardous charge.

Static charge development: Static electrification of solids can occur in various ways. Different operations will produce the percentages of the theoretical maximum charge density shown in Fig. 2.9 [21].

Fig. 2.9 Percentage of maximum theoretical charge produced by various operations. (Data from Eichel [21])

It should be noted that pure gases do not generate significant static electricity in transmission through pipes and ducts. Gases contaminated with rust particles or liquid droplets produce static, but this is not a problem in a closed, grounded piping system. If these gases impinge on an ungrounded, conductive object, dangerous charges can accumulate on that object. Wet steam, which contains water droplets, can develop charges. If the water droplets contact an ungrounded conductor, that object can develop a static charge.

Flammable gases may ignite when discharged to air during thunderstorms, even without a direct lightning hit. Dry hydrogen and occasionally other gases may ignite when they are discharged to air in normal weather. This may be so because the electric field developed by the ejected gases can develop a corona discharge which can cause ignition. The minimum ignition energy of hydrogen is only 0.02 mJ. A toroidal ring developed by the National Aeronautics and Space Administration (NASA) is reported to prevent unwanted discharge and subsequent ignition of a vent-stack outlet [22].

Humidification: The conductivity of electrical nonconductors, such as plastics, paper, and concrete, depends on their moisture content. Relatively high moisture in these materials increases conductivity and therefore increases dissipation of static electricity. With relative humidity of 60–70% or higher, a microscopic film of moisture covers surfaces, making them more conductive.

Humidification can and often should be practiced to reduce the hazard of static electricity, but should not be relied on entirely to remove all possibility of static discharge.

In winter, cold air brought into a building and heated to normal room temperature is extremely dry, often less than 5–10% relative humidity. When processing solid materials that can develop a static charge, this air should be humidified to reduce static hazards as well as improve the comfort of personnel.

Filling liquid containers: A fire during top loading of a flammable liquid into a tank constitutes a serious problem if there could be a flammable mixture in the vapor space. Static electricity can be generated by splashing if the liquid is top-loaded, so it is normal practice to fill with a dip pipe positioned so the tip of the dip pipe is near the bottom of the tank. This may not be sufficient to prevent static charge buildup, as a charge may be generated in the bottom of the tank before the pipe tip is fully submerged, and it is possible for the liquid to acquire a charge before it reaches the tank.

Product filters using cotton, paper, felt, or plastic elements are prolific generators of static electricity. It is considered that at least 30 s is necessary to dissipate this charge, although with dry nonconductive liquids, it may require as long as 500 s.

Loading a less volatile liquid into a tank where there was previously a more volatile liquid is particularly hazardous because the more volatile liquid may form a flammable mixture, and the less flammable material is often a poor conductor and will not readily dissipate static charge. This type of loading accounts for 70–80% of severe losses at terminals [19]. This appears to occur most often when the compartments are one-fourth to one-third full, and when the temperature is close to −1°C.

Inerting the tank while it is being filled will reduce the possibility of ignition by static electricity and is highly recommended when it is possible and practical. However, this is not always practical. In any case, if inerts are to be used, they must be added carefully, as the following example illustrates. Two firemen were fatally injured when an explosion occurred as they were attempting to use portable CO2 fire extinguishers to inert a tank truck. The source of ignition was believed to be a spark from the horn of the extinguisher to the latch on the tank truck. It was found that the voltage on the horn increased as the carbon dioxide “snow” passed down the horn to the outlet side.

Grounding and bonding lines, although very important, will not immediately dissipate the charge on the surface of a nonconducting liquid in a tank. A relaxation time for charge to be dissipated should be allowed after filling or other operations to permit static charge on the liquid surface to dissipate to the dip pipe or tank shell. The minimum time is 1 min, but longer periods are advisable with some liquids that have extremely low conductivity. Bottom loading may reduce the static electricity hazard but does not eliminate it [23].

Review of Design Alternatives: Hazards should be considered and eliminated in the process development stage where possible. This would include considerations of alternative processes, reduction or elimination of hazardous chemicals, site selection, etc. By the time the process is developed, the process designers already have major constraints imposed on them. Hazards should also be identified and removed or reduced early in the design. Adding protective equipment at the end of the design or after the plant is operating can be expensive and not entirely satisfactory. Allowing time in the early stages of design for critical reviews and evaluation of alternatives would involve studies such as an early hazard and operability (HAZOP) study, using flowsheets, before final design begins [24]. Fault tree analysis, quantitative risk assessment (QRA), checklists, audits, and other review and checking techniques can also be very helpful. These techniques are extensively discussed in the technical literature and will not be discussed in detail here.

Process Safety Competency

The next element under the pillar “Commit to Process Safety” is “Process Safety Competency.” Process safety competency encompasses three interrelated actions: ensuring the appropriate information is available to people who need it, continuously improving knowledge and competency, and consistently applying what has been learned. It is important for several reasons. Catastrophic process safety incidents are relatively rare, but losses can be devastating. Because of this, learning must be proactive so that lessons are not forgotten. Only competent people can transform information into knowledge. Knowledge management, not information management, helps organizations understand and manage risks and remain competitive.

The following principles must be followed. Facilities should implement management systems to help identify learning needs that are critical to process safety, support efforts to learn or obtain critical knowledge, maintain knowledge in a manner that helps promote risk-informed decision-making, and share information with other facilities (in some cases even competitors). Activities that help maintain and enhance process safety competency must be executed and evaluated. Results of the evaluation must be shared and plans adjusted as necessary.

Workforce Involvement

The fourth element in the pillar “Commit to Process Safety” is “Workforce Involvement.” Workforce involvement includes developing a written plan of action regarding worker participation, consulting with workers on the development of the RBPS management system, and providing workers and their representatives access to all information developed under the RBPS system. In the US PSM standard workforce involvement is called employee participation and is a PSM regulatory requirement. This element provides for a consultative relationship between management and workers at all levels of the organization. It is important because it provides an equitable mechanism for workers to be directly involved in protecting their own welfare. It facilitates access to information only available through the unique experience of operating the process every day. It also provides a mechanism for workers to access necessary information and reinforces the process safety culture.

Stakeholder Outreach

The last element under the pillar “Commit to Process Safety” is “Stakeholder Outreach.” Stakeholder outreach involves seeking out individuals or organizations that can be or believe they can be affected by company operations and engaging them in a dialogue about process safety. It also involves establishing a relationship with community organizations, other companies and professional groups, and local, state, and federal authorities. Stakeholders must be provided with accurate information about the company and the facility’s products, processes, plans, hazards, and risks. This is important for several reasons. Sharing information with industry peers will promote better process safety for everyone. Sharing information in proactive ways with community and government stakeholders will build trust and commitment. By promoting openness and responsiveness, an effective outreach program will increase all stakeholders’ confidence in the company.

Understand Hazards and Risk

The second pillar of RBPS is Understand Hazards and Risk. To understand hazards and risk, facilities should focus on:

  • Collecting, documenting, and maintaining process safety knowledge

  • Conducting hazard identification and risk analysis studies

Process Safety Knowledge

The first element is “process safety knowledge.” Process safety knowledge includes written technical documents and specifications, engineering documents and calculations, specifications for design, fabrication, and installation of process equipment, and other written documents such as material safety data sheets (MSDSs). In the OSHA PSM standard process safety knowledge is called “Process Safety Information.” To comply with the standard, employers must compile considerable documented process safety information on the hazards of chemicals used in a covered process as well as information on the process technology and equipment before conducting the process hazard analyses required by the standard. Process safety knowledge is important because risk understanding depends on accurate process safety knowledge. Process knowledge also supports other RBPS elements such as procedures, training, asset integrity, management of change, and incident investigation.

Process safety knowledge includes understanding the characteristics that are inherent to each material that is used in a process. Material hazards include flammability and combustibility hazards, reactivity hazards, toxicity hazards, and corrosivity hazards. Each type of hazard will be discussed.

Combustion Hazards

The enchanting flame has held a special mystery and charm the world over for thousands of years. According to Greek myth, Prometheus the Titan stole fire from the heavens and gave it to mortals—an act for which he was swiftly punished. Early people made use of it anyway. Soon the ancients came to regard fire as one of the basic elements of the world. It has since become the familiar sign of the hearth and a mark of youth and blood, as well as the object of intense curiosity and scientific investigation.

Suitably restrained, fire is of great benefit; unchecked or uncontrolled, it can cause immense damage. We respond to it with a powerful fascination coupled with an inbred respect and fear. A good servant but a bad master is Thoreau’s “most tolerable third party” [25].

Fire [26]: Fire or combustion is normally the result of fuel and oxygen coming together in suitable proportions and with a source of heat. The consumption of a material by a fire is a chemical reaction in which the heated substance combines with oxygen. Heat, light, smoke, and products of combustion are generated. The net production of heat by a fire involves both heat-producing and heat-absorbing reactions, with more heat being produced than is absorbed. Energy in the form of heat is required:

  1. To produce vapors and gases by vaporization or decomposition of solids and liquids. Actual combustion usually involves gases or vapors intimately mixed with oxygen molecules.

  2. To energize the molecules of oxygen and flammable vapors into combining with one another and so initiating a chemical reaction.

The amount of energy required to cause combustion varies greatly. Hydrogen and carbon disulfide can be ignited by tiny sparks, or simply may be ignited by static generated as the gases or vapors discharge from pipes into air. Other materials, such as methylene chloride, require such large amounts of energy to be ignited that they sometimes are considered nonflammable. Fire also can result from the combining of such oxidizers as chlorine and various hydrocarbon vapors; oxygen is not required for a fire to take place.

There are exceptions to the general rule that a solid must vaporize or decompose to combine with oxygen; some finely divided materials such as aluminum powder and iron powder can burn, and it is generally accepted that they do not vaporize appreciably before burning.

Products of combustion: Heat, light, smoke, and asphyxiating toxic gases are produced by fire. In a hot, well-ventilated fire, combustion usually is nearly complete. Almost all the carbon is converted to carbon dioxide, and all the hydrogen to steam, and oxides of various other elements such as sulfur and nitrogen are produced.

This is not the case in most fires, where some of the intermediate products, formed when large complex molecules are broken up, persist. Examples are hydrogen cyanide from wool and silk; acrolein from vegetable oils; acetic acid from timber or paper; and carbon or carbon monoxide from the incomplete combustion of carbonaceous materials. As the fire develops and becomes hotter, many of these intermediates, which are often toxic, are destroyed (e.g., hydrogen cyanide is decomposed at a significant rate at 538°C).

Small airborne particles of partially burnt carbonaceous materials form smoke, which is often thickened by steam, when there is only partial combustion of fuel.

Solids: Ordinarily, combustible solids do not combine directly with oxygen when they burn. They give off vapor and gaseous decomposition products when they are heated, and it is the vapors or gases that actually burn in the characteristic form of flames. Thus, before a solid can be ignited, it usually must be heated sufficiently for it to give off flammable concentrations of vapors. Glowing, which is combustion in the solid state, is characteristic of materials in the final stages of a fire’s decay when flammable gases have been burned away, or when the production of gases and vapors has been suppressed.

Solids with larger surface areas, in relation to their volume, burn more readily than those that are more compact when exposed to heat and oxygen in the air. Common materials such as textiles in the form of fibers or fabrics, foamed rubber, foamed plastics, thin sheets of plastic, paper, corrugated cardboard, combustible dusts, dry grass and twigs, and wood shavings are examples of materials with large surface areas in relation to their volume. In a well-established fire, materials with relatively small surface areas, such as chunks of coal or logs, burn readily.

Combustion is self-propagating; burning materials produce heat which causes more of the solid to produce flammable vapors until either the fuel or oxygen is exhausted, or until the fire is extinguished in some other way.

Dusts: Most combustible solids can produce combustible dusts. Combustible dusts are particularly hazardous; they have a very high surface area to volume ratio. When finely divided as powders or dusts, solids burn quite differently from the original material in the bulk. Dust and fiber deposits can spread fire across a room or along a ledge or roof beam very quickly. Accumulations of dust can smolder slowly for long periods, giving little indication that combustion has started until the fire suddenly flares up, possibly when no one suspects a problem.

Many combustible dusts produced by industrial processes are explosible when they are suspended as a cloud in air. Even a spark may be sufficient to ignite them. After ignition, flame spreads rapidly through the dust cloud as successive layers are heated to ignition temperature. The hot gases expand and produce pressure waves that travel ahead of the flame. Any dust lying on surfaces in the path of the pressure waves will be thrown into the air and could cause a secondary explosion more violent and extensive than the first.

Liquids: A vapor has to be produced at the surface of a liquid before it will burn. Many common liquids give off a flammable concentration of vapor in air without being heated, sometimes at well below room temperature. Gasoline, for example, gives off ignitable vapors above about −40°C, depending on the blend. The vapors are easily ignited by a small spark or flame. Other liquids, such as fuel oil and kerosene, need to be heated until sufficient vapor is produced.

Many liquids can be formed into mists that will burn at temperatures where the vapor pressure is insufficient to produce a flammable mixture of the vapor and air.

For any flammable vapor there are maximum and minimum concentrations of the vapor in air beyond which it cannot burn. When the mixture of vapor in air is too weak, there is insufficient fuel for burning; when the mixture is too strong, there is insufficient oxygen for burning.

If the density of a flammable vapor is greater than that of air, as is normally the case, flammable concentrations may collect at low levels, such as at floor level or in basements, and can travel a considerable distance to a source of ignition, from which flames will then flash back.

Gases: Flammable gases usually are very easily ignited if mixed with air. Flammable gases often are stored under pressure, in some cases as a liquid. Even small leaks of a liquefied flammable gas form relatively large quantities of gas, which is ready for combustion.

The fire triangle: The well-known “fire triangle” (see Fig. 2.10) is used to represent the three conditions necessary for a fire:

Fig. 2.10 The fire triangle

  1. Fuel

  2. Oxidizer: oxygen or other gaseous oxidizer such as chlorine; or liquid oxidizer such as bromine; or solid oxidizer such as sodium bromate

  3. Energy, usually in the form of heat

If one of the conditions in the fire triangle is missing, fire does not occur; if one is removed, fire is extinguished. Usually a fire occurs when a source of heat contacts a combustible material in air, and then the heat is supplied by the combustion process itself.

The fire triangle indicates how fires may be fought or prevented:

  1. Cut off or remove the fuel.

  2. Remove the heat or energy—usually by putting water on the fire.

  3. Remove the supply of oxygen—usually by foam or inert gas.

Flammability: No single factor defines flammability, but some relevant parameters include:

  1. Flash point—often considered the main index of flammability; low flash points usually mean increased flammability.

  2. Flammability limits; wide limits mean increased flammability.

  3. Autoignition temperature; low temperature means increased flammability.

  4. Ignition energy; low ignition energy means increased flammability.

  5. Burning velocity; high velocity means increased flammability.

A combustion process is an exothermic reaction initiated by a source of ignition that produces more energy than it consumes. The speed at which the reaction proceeds through the mixture of reactants depends on the concentration of the flammable gas or vapor. This speed is lower at higher (“rich”) as well as at lower (“lean”) concentrations of the flammable gas than at the stoichiometric mixture. There are lower and upper limits beyond which the reaction cannot propagate through the gas mixture on its own. Some definitions follow:

  1.

    Flammability limits: The range of flammable vapor–air or gas–air mixtures between the upper and lower flammable limits. Flammability limits are usually expressed in volume percent. Flammability limits are affected by pressure, temperature, direction of flame propagation, oxygen content, type of inerts, and other factors. The precise values depend on the test method.

  2.

    Upper flammability limit: The maximum concentration of vapor or gas in air above which propagation of flame does not occur on contact with a source of ignition.

  3.

    Lower flammability limit: The minimum concentration of vapor or gas in air or oxygen below which propagation of flame does not occur with a source of ignition.

    The concentrations at the lower and upper flammability limits are roughly 50 and 200–400%, respectively, of the stoichiometric mixture. The maximum flammability usually (not always) occurs at the stoichiometric mixture for combustion [17, 19].

  4.

    Flammable limits for mixtures of flammable gases and vapors: For mixtures of several flammable gases and vapors, the flammable limits can be estimated by application of Le Chatelier’s equation, if the flammable limits of the components are known: [19]

    $$ L = \frac{1}{{\sum\nolimits_{{i = 1}}^n {({y_i}/{L_i})} }}\quad U = \frac{1}{{\sum\nolimits_{{i = 1}}^n {({y_i}/{U_i})} }} $$

    where

    • L = lower flammability limit of the fuel mixture, vol.%.

    • L_i = lower flammability limit of fuel component i, vol.%.

    • U = upper flammability limit of the fuel mixture, vol.%.

    • U_i = upper flammability limit of fuel component i, vol.%.

    • y_i = concentration of fuel component i, vol.%.

      This equation is empirical and is not universally applicable, but is useful and a reasonable approximation when actual mixture data are not available.

      It is possible for a mixture to be flammable even though the concentration of each constituent is less than its lower limit.

  5.

    Methods of measurement: Flammability limits are determined by measuring the volume percent of a flammable gas in an oxidizing gas that will form a flammable mixture, thus identifying the lower and upper flammable limits as well as the critical oxygen concentration (the minimum oxidizer concentration that can be used to support combustion).

  6.

    Uniformity of lower limits on a mass basis: Concentrations of vapors and gases usually are reported in volume percent. As molecular weight increases, the lower limit usually decreases. On a mass basis, the lower limits for hydrocarbons are fairly uniform at about 45 mg/L at 0°C and 1 atm. Many alcohols and oxygen-containing compounds have higher values; for example, on a mass basis, ethyl alcohol in air has a lower limit of 70 mg/L [17].

  7.

    Effect of temperature on flammable limits: The higher the temperature at the moment of ignition, the more easily the combustion reaction will propagate. Therefore, the reference temperature (initial temperature) of the flammable mixture must be stated when flammable limits are quoted. There are not a lot of data for flammable limits under different conditions of initial temperature. The behavior of a particular mixture under different conditions of initial temperature usually must be determined by tests.

  8.

    Burning in atmospheres enriched with oxygen: The flammability of a substance depends strongly on the partial pressure of oxygen in the atmosphere. Increasing oxygen content affects the lower flammability limit only slightly, but it has a large effect on the upper flammability limit. Increasing oxygen content has a marked effect on the ignition temperature (reduces it) and the burning velocity (increases it).

    At the lower explosive limits of gas–air mixtures, there is already an excess of oxygen for the combustion process. Replacing nitrogen by additional oxygen will influence this limit very little [7].

  9.

    Burning in chlorine: Chemically, oxygen is not the only oxidizing agent, though it is the most widely recognized and has been studied the most. Halogens are examples of oxidants that can react exothermically with conventional fuels and show combustion behavior. The applicability of flammability limits applies to substances that burn in chlorine. Chlorination reactions have many similarities to oxidation reactions. They tend not to be limited to thermodynamic equilibrium and often go to complete chlorination. The reactions are often highly exothermic. Chlorine, like oxygen, forms flammable mixtures with organic compounds. As an example: a chlorine–iron fire occurred in a chlorine pipeline, causing a chlorine gas release. Chlorine had liquefied in the lines because of the very cold weather, and the low spot was steam-traced. Steam had been taken from the wrong steam line, using 400 psig steam instead of 30 psig steam. The 400 psig steam was hot enough to initiate the reaction. This serves as a reminder that steel and chlorine can react. The allowable temperature for safe use depends upon the state of subdivision of the iron.

  10.

    Burning in other oxidizable atmospheres: Flames can propagate in mixtures of oxide of nitrogen and other oxidizable substances. For example, Bodurtha [17] reports that the flammability limits for butane in nitric oxide are 7.5% (lower) and 12.5% (upper).

  11.

    Flame quenching: Flame propagation is suppressed if the flammable mixture is held in a narrow space. There is a minimum diameter for apparatus used for determination of flammability limits. Below this diameter the flammable range measurements are narrower and inaccurate.

    If the space is sufficiently narrow, flame propagation is suppressed completely. The largest diameter at which flame propagation is suppressed is known as the quenching diameter. For an aperture of slotlike cross section there is critical slot width.

    The term “quenching distance” sometimes is used as a general term covering both quenching diameter and critical slot width, and sometimes it means only the latter.

    There is a maximum safe gap measured experimentally that will prevent the transmission of an explosion occurring within a container to a flammable mixture outside the container. These data refer to a stationary flame. If the gas flow is in the direction of the flame propagation, a smaller gap is needed to quench the flame. If the gas flow is in the opposite direction, a larger gap will provide quenching. If the gas velocity is high enough, the flame can stabilize at the constriction and cause local overheating. These quenching effects are important in the design of flame arrestors.

  12.

    Heterogeneous mixtures [16]. In industry, heterogeneous (poorly mixed) gas phase mixtures can lead to fires that normally would be totally unexpected. It is important to recognize that heterogeneous mixtures can ignite at concentrations that normally would be nonflammable if the mixture were homogeneous. For example, 1 L of methane can form a flammable mixture with air at the top of a 100-L container although the mixture only would contain 1.0% methane by volume if complete mixing occurred at room temperature, and the mixture would not be flammable. This is an important concept because “layering” can occur with any combustible gas or vapor in both stationary and flowing mixtures.

    Heterogeneous gas phase mixtures can lead to unexpected fires if a relatively small amount of flammable gas is placed in contact with a large amount of air without adequate mixing, even though the average concentration of flammable gas in the mixture is below the flammable limit. Heterogeneous mixtures are always formed at least for a short time when two gases or vapors are first brought together.

  13.

    Effect of pressure: Flammability is affected by initial pressure. Normal variations in atmospheric pressure do not have any appreciable effect on flammability limits.

    A decrease in pressure below atmospheric usually narrows the flammable range. When the pressure is reduced low enough, a flame or an explosion can no longer be propagated throughout the mixture.

    An increase in pressure above atmospheric usually (not always) widens the flammability range, especially the upper limit.

  14.

    Explosions in the absence of air: Gases with positive heats of formation can be decomposed explosively in the absence of air. Ethylene reacts explosively at elevated pressure, and acetylene reacts explosively at atmospheric pressure in large-diameter piping. Heats of formation for these materials are +52.3 and +227 kJ/g/mol, respectively. Explosion prevention can be practiced by mixing decomposable gases with more stable diluents. For example, acetylene can be made nonexplosive at a pressure of 100 atm by including 14.5% water vapor and 8% butane.

Ethylene oxide vapor will decompose explosively in the absence of oxygen or air under certain conditions when exposed to common sources of ignition if heated to high enough temperatures. One way to prevent the decomposition reaction is to use methane gas to blanket the ethylene oxide liquid. It has also been found that liquid ethylene oxide will undergo a deflagration in the absence of oxygen with a very rapid pressure increase if ignited at a temperature and pressure above a certain level. Fortunately, the conditions required for propagation of the decomposition of liquid phase ethylene oxide are outside the current normal handling and processing ranges for the pure liquid. Propagation has not been observed below 80°C at from 14 to 100 atm pressure [27]. Ethylene oxide also can undergo explosive condensation when catalyzed by a small amount of caustic [28].

Mists and Foams: If the temperature of a liquid is below its flash point, flammable concentrations of vapor cannot exist, but conditions still can exist for flammability if mists or foams are formed. A suspension of finely divided drops of a flammable liquid in air has many of the characteristics of a flammable gas–air mixture and can burn or explode. A mist may be produced by condensation of a saturated vapor or by mechanical atomization. Normally, the diameter of drops in a condensed mist is less than 0.01 mm, whereas in a mechanical spray it usually is greater than 0.1 mm.

The commonly accepted fallacy that liquids at temperatures below their flash points cannot give rise to flammable mixtures in air has led to numerous accidents. Flash points are measured under stagnant conditions in carefully controlled laboratory experiments, but in the real world one works with a wide variety of dynamic conditions that can produce mists and foams.

Flammable mist–vapor–air mixtures may occur as the foam on a flammable liquid collapses [16]. Thus, when ignited, many foams can propagate flame. An additional hazard can arise from the production of foams by oxygen-enriched air at reduced pressures. Air confined over a liquid can become oxygen enriched as pressure is reduced because oxygen is more soluble than nitrogen in most liquids. Thus, the presence of foams on combustible liquids is a potential explosion hazard.

The lower flammability limit for fine mists (<0.01 mm diameter) of hydrocarbons below their flash point, plus accompanying vapor, is about 48 g of mist/m³ of air at 0°C and 1 atm. Mist can occur in agitated vessels under some conditions, especially when an agitator blade is at or near the liquid–vapor interface in the vessel.

Work on condensed oil mists (drop diameter mostly less than 0.01 mm) has demonstrated that they have flammability characteristics similar to those the mixture would have if it were wholly in the vapor phase at the higher temperature necessary for vaporization. The flammability characteristics are affected by drop size. For larger drop sizes (above 0.01 mm) the lower limit of flammability decreases as drop diameter increases. For mists, the amount of inert gas needed to suppress flammability is about the same as that needed to suppress an equivalent vapor–air mixture of the same material if it were vaporized at a somewhat higher temperature.

A useful rule is that mists of flammable or combustible liquids in air can burn or explode at temperatures below their flash points.

Ignition: Flammable gases and vapors can be ignited by many sources. In the design and operation of processes, it is best not to base fire and explosion safety on the presumption that ignition sources have been excluded. Bodurtha [22] reported that of 318 natural gas fires and explosions, the sources of ignition of 28% were unknown. All reasonable measures should be taken to eliminate possible sources of ignition in areas in which flammable materials are handled.

Autoignition: If the temperature of a flammable gas–air mixture is raised in a uniformly heated apparatus, it eventually reaches a value at which combustion occurs in the bulk gas. This temperature is defined as the spontaneous ignition temperature (SIT) or autoignition temperature (AIT). The gas–air mixture that has the lowest ignition temperature is called by various names, such as the minimum AIT, the minimum spontaneous ignition temperature, and the self-ignition temperature [17]. Usually the AIT reported in the literature is the minimum AIT.

The AIT of a substance depends on many factors, such as:

  • Ignition delay

  • Energy of ignition source

  • Pressure

  • Flow effects

  • Surfaces

  • Concentration of vapors

  • Volume of container

  • Oxygen content

  • Catalytic materials

  • Flow conditions

Thus, a specific AIT applies only to the experimental conditions employed in its determination. Usually the values quoted are obtained in clean laboratory equipment.

The AIT of a substance may be reduced below ideal laboratory conditions by as much as 100–200°C for surfaces that are insulated with certain types of insulation, or are contaminated by dust.

Mixtures that are fuel-rich or fuel-lean ignite at higher temperatures than do those of intermediate compositions. Also, in a homologous series of organic compounds, the AIT decreases with increasing molecular weight, as shown in Fig. 2.11.

Fig. 2.11 Autoignition temperatures of paraffin hydrocarbons at 1 atm. (Data from Bodurtha [17])

Ignition delay: Ignition of a flammable mixture raised to or above the temperature at which spontaneous combustion occurs is not instantaneous; the time delay between the moment of exposure to high temperature and visible combustion is called the ignition delay. This time delay decreases as the ignition temperature increases. The time delay may be as little as a fraction of a second at higher temperatures, or several minutes close to the AIT.

Environmental effects: It has been found that the AIT becomes lower with increasing vessel size in the range of 35–12 L. An increase in pressure usually decreases AITs, and a decrease in pressure raises AITs. Usually oxygen enrichment of the air tends to decrease the minimum AIT, and a decrease in oxygen content increases the minimum AIT. Low-temperature oxidation can result in “cool flames,” which may grow into ignition.

Catalytic materials: Ignition may occur where the temperature is less than the minimum AIT. Catalytic materials, such as metal oxides, can promote oxidation on their surfaces, leading to a high local temperature and subsequent ignition. There is a recorded reactive chemical case [29] in which a solvent at 80°C was being pressurized with a gas phase consisting of a high oxygen concentration. The solvent has a flash point in oxygen of greater than 130°C and normally is considered not to be a flammability hazard. There was an ignition, causing the vessel to rupture its main gasket with major damage to the facility. It was found that a mist had been formed in the vessel by the agitator, and that the source of ignition probably was a trace of palladium catalyst remaining from a previous run.

From this incident, several important lessons can be learned:

  1.

    Ignition of a flammable mixture can result from totally unexpected contamination by trace amounts of catalysts if the oxidizer and fuel are present.

  2.

    Mists of oxidizable liquids may form that can burn or explode at temperatures outside the “normal” flammable range.

  3.

    It can be dangerous to perform experiments with pure oxygen, or air enriched with oxygen, especially under pressure and at elevated temperatures, when oxidizable materials are present.

  4.

    The real criterion regarding flammable mixtures in air should be whether a flammable atmosphere can exist under the given process conditions, rather than whether a flammable liquid is at a temperature below its flash point.

Cleaning up spills of flammable or combustible liquids: It is customary to clean up small spills of many liquid materials with sand or other noncombustible absorbent material. Some absorbing agents, such as untreated clays and micas, will cause an exothermic reaction with some liquids, especially monomers, which might ignite the liquid if it is flammable or combustible. Before any material is provided to be used to soak up spills of oxidizable material, tests should be made to determine if the material can cause fires with potential spills.

Ignition caused by insulation: Ignition of combustible materials that have been absorbed into commonly used insulating materials is possible at temperatures lower than the AIT for nonabsorbed material. All oxidizable materials oxidize to some extent in air at ambient temperatures, usually at a very low rate. When an absorbent material is absorbed into insulation, it is “spread” over a large area, increasing its access to oxygen. Because the absorbent is an insulator, heat from oxidation is retained rather than dissipated, and the temperature will rise if the heat is produced faster than it can be dissipated. The rate of oxidation increases as the material temperature increases, which produces more heat, compounding the hazard. If the temperature rises enough, the material will ignite (“spontaneous combustion”). This is similar to the classic oily rag and wet haystack phenomenon, which has caused many fires in homes and on farms. In the wet haystack phenomenon, fermentation by microorganisms will create heat. Some air is necessary; too much air will remove too much heat to allow the combustion temperature to be reached. For equipment operating above about 200°C containing combustible liquids with high boiling points, insulation should be impervious to the material handled. To date, only a closed cell foamed glass provides the required degree of protection where oxidizable liquid materials are used above 200°C. Insulation based on glass fiber, silicate, or alumina materials is known to cause hazardous situations and should not be used in this service.

Laboratory tests and actual fires show that Dowtherm A® (a heat-transfer fluid consisting of a eutectic mixture of biphenyl oxide and biphenol) can be ignited if it is soaked in glass fiber insulation and in contact with air at temperatures considerably below the normal AIT. This is also true for stearic acid soaked in glass fiber insulation. Table 2.1 shows the reduction in AIT of Dowtherm A® and of stearic acid soaked in glass fiber insulation.

Table 2.1 Reduction in AITs caused by liquids soaking in glass fiber insulation

Ignition of this type generally occurs only with materials having a high boiling point. Usually materials with low boiling points will vaporize and cannot remain soaked in hot insulation. There are exceptions. For example, ethylene oxide has a fairly low boiling point, but if it leaks into insulation, a polymer can be formed that has a high boiling point and can autoignite insulation at low temperatures.

Ignition caused by impact: Solids and liquids can be ignited by impact. Impact tests are made by having a weight fall freely through a known distance and impacting the sample. Impact can occur, for example, if containers are accidentally dropped. The interpretation of the data from impact tests can be difficult.

Ignition caused by compression of liquids: Liquids can be ignited by sudden compression. This can happen when there is water hammer caused by the pressure surge from quick-acting valves and from the compression in liquid pumps. Sudden compression can occur with liquids, for example if a tank car is bumped rapidly and the liquid goes to one end very quickly, possibly trapping some vapor bubbles that compress and create local hot spots that can cause ignition.

Ignition caused by rubbing friction: Solids can be ignited by frictional sources when rubbed against each other or against another material. The frictional heat produced may be enough to ignite other materials, such as lubricants, that are nearby. A common example of this occurs when bearings run hot, causing oil or grease to vaporize and possibly ignite.

Ignition caused by glancing blows: Friction can cause ignition in other ways. Sparks may occur when two hard materials come in contact with each other in a glancing blow (the blows must be glancing to produce friction sparks). These kinds of sparks are not directly related to frictional impact. Hand and mechanical tools are the most likely sources of friction sparks that occur outside of equipment. The need for nonsparking tools is somewhat controversial; Bodurtha [17] states that it is extremely unlikely that anyone would be using tools in a flammable atmosphere, and it is usually more prudent to control the atmosphere than the tools. Sparkproof tools are not really sparkproof in all situations.

Ignition caused by static electricity: Static electricity is a potential source of ignition wherever there is a flammable mixture of dusts or gases (see previous section).

Ignition caused by compression of gases: If a gas is compressed rapidly, its temperature will increase. Autoignition may occur if the temperature of the gas becomes high enough (this is more or less the principle of diesel engines).

An advancing piston of high-pressure gas can compress and heat trapped gas ahead of it. For a perfect gas, the temperature rise due to adiabatic compression is given by

$$ \frac{{{T_2}}}{{{T_1}}} = {\left( {\frac{{{P_2}}}{{{P_1}}}} \right)^{{(k - 1)/k}}} $$

where $T_1$ and $T_2$ are the initial and final gas absolute temperatures, $P_1$ and $P_2$ are the initial and final absolute pressures, and $k$ is the ratio of heat capacity at constant pressure to the heat capacity at constant volume. For air and many other diatomic gases, $k$ = 1.4. Many hydrocarbons have $k$ values of between 1.1 and 1.2. The value of $k$ is a function of temperature and pressure.
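The following worked example is added here and is not part of the original chapter. It assumes an initial temperature of 298 K and a pressure ratio of 10 (both chosen for illustration), and evaluates the relation once for air ($k$ = 1.4) and once for the lower end of the hydrocarbon range ($k$ = 1.1):

$$ k = 1.4:\quad T_2 = T_1\left(\frac{P_2}{P_1}\right)^{(k-1)/k} = 298\,(10)^{0.4/1.4} = 298 \times 1.93 \approx 575\ \text{K} \approx 302^\circ\text{C} $$

$$ k = 1.1:\quad T_2 = 298\,(10)^{0.1/1.1} = 298 \times 1.23 \approx 367\ \text{K} \approx 94^\circ\text{C} $$

Inverting the relation gives the pressure ratio needed to reach a target temperature. For air starting at 298 K, reaching 540°C (813 K), the temperature this chapter quotes for methane, requires:

$$ \frac{P_2}{P_1} = \left(\frac{T_2}{T_1}\right)^{k/(k-1)} = \left(\frac{813}{298}\right)^{3.5} \approx 34 $$

The same compression heats a high-$k$ gas such as air far more than a low-$k$ hydrocarbon vapor, so the composition of the trapped gas matters as much as the pressure ratio.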

Energy levels for ignition: If a flammable gas mixture is to be ignited by a local source of ignition, there is a minimum volume of mixture required to cause a continuing flame throughout the mixture.

For example, to ignite a methane–air mixture in a cold container, a hot patch of 18 mm² at 1,000–1,100°C is required in order to heat enough volume of gas to produce a continuing flame [19], even though the auto-oxidation temperature for methane is 540°C. Ignition of a flammable gas–air mixture by electrical discharge can occur only if the electrical discharge is of sufficient energy.

Minimum ignition energy: There is a minimum ignition energy, which usually occurs near the stoichiometric mixture. The minimum ignition energy for some representative substances in air is shown in Fig. 2.12 [19]. The energy required to cause ignition frequently is reported in millijoules (mJ). One joule is 0.24 cal, so 1 mJ is 0.00024 cal, which is a very small amount of energy.

Fig. 2.12 Minimum ignition energy for selected substances (Less [19])

A person typically has a capacitance of 200 picofarads (pF), and if charged to 15 kilovolts (kV) could initiate a discharge of 22.5 mJ. This is enough to ignite many flammable mixtures. The energy in ordinary spark plugs is 20–30 mJ.
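The 22.5 mJ figure follows from the energy stored in a charged capacitor, $E = \tfrac{1}{2}CV^2$. The working below is an added example, not part of the original chapter; it also inverts the relation for the 0.1 mJ default that this section gives later for vapors in air:

$$ E = \tfrac{1}{2}CV^2 = \tfrac{1}{2}\,(200\times10^{-12}\ \text{F})\,(15\times10^{3}\ \text{V})^2 = 2.25\times10^{-2}\ \text{J} = 22.5\ \text{mJ} $$

$$ V = \sqrt{\frac{2E}{C}} = \sqrt{\frac{2\,(1.0\times10^{-4}\ \text{J})}{200\times10^{-12}\ \text{F}}} = 1.0\times10^{3}\ \text{V} $$

On the same 200 pF, a charge of only about 1 kV already stores 0.1 mJ, far below the 15 kV used in the example above.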

The hazard of an explosion should be minimized by avoiding flammable gas–air or dust–air mixtures in a plant. It is bad practice to rely solely on elimination of sources of ignition, as it is nearly impossible to ensure this.

Effect of oxygen-enriched atmospheres: The minimum spark energy to cause ignition varies greatly with the amount of oxygen in oxygen-enriched air. Stull [30] showed that with a composition of 10% methane in air, about 0.5 mJ of spark energy is required to initiate a reaction at the lower flammable limit. If the air is enriched with oxygen, the minimum spark energy decreases. If the flammable material is combined with 100% oxygen, the spark energy required is only about 1% of the required energy in air at 21% oxygen! This demonstrates the extremely small amount of energy required to initiate the reaction, as well as the additional ease with which oxygen-enriched atmospheres are initiated. Table 2.2 compares initiation energies of some common substances in air and in pure oxygen.

Table 2.2 Comparison of initiation energies of some common substances in air and pure Oxygen [47]

Effect of pressure: An increase in pressure decreases the amount of energy required to cause ignition. In a mixture of propane, oxygen, and nitrogen, doubling the pressure decreases the minimum energy required to cause ignition by a factor of about 5.

If no other data are available for determination of hazards, minimum ignition energies at ambient temperatures and pressures should be considered as approximately:

  • 0.1 mJ for vapors in air

  • 1.0 mJ for mists in air

  • 10.0 mJ for dusts in air

Explosions

Development of Pressure

Exothermic reactions can lead to high temperatures and in the case of large fires to large loss of property and severe damage from radiant energy. However, in many plant accidents it is the sudden generation of pressure that leads to severe damage, injury, and deaths. Hence, it can be stated that “pressure blows up plants, not temperature.” Of course, temperature and pressure are closely related, but it is the pressure effect that is of concern in this section.

The word “deflagration” can be defined in several ways. One definition is “a reaction that propagates to the unreacted material at a speed less than the speed of sound in the unreacted substance.” [17] Another definition of deflagration is from Latin meaning “to burn down, or to burn rapidly with intense heat and sparks given off.” [28] A deflagration may be an explosion, but not all deflagrations are explosions (a violently burning fire may be a deflagration, but that is not an explosion). On the other hand, not all explosions are deflagrations (a steam boiler may explode, but that is not a deflagration).

An explosion is a sudden and violent release of energy. Usually it is the result, not the cause, of a sudden release of gas under high pressure. The presence of a gas is not necessary for an explosion. An explosion may occur from a physical or mechanical change, as in the explosion of a steam boiler, or from a chemical reaction. The explosion of a flammable mixture in a process vessel may be either a deflagration or a detonation, which differ fundamentally. Both can be very destructive. Detonations are particularly destructive, but are unlikely to occur in vessels.

A detonation is a reaction that propagates to unreacted material at a speed greater than the speed of sound in the unreacted material; it is accompanied by a shock wave and extremely high pressures for a very short time. It is debatable whether the flammable range is the same as the detonable range. Detonation limits normally are reported to be within the flammable limits, but the view is widely held that separate detonation limits do not exist.

Unconfined vapor clouds can both deflagrate and detonate, with a deflagration being much more likely. A detonation is more destructive, but a deflagration also can produce a damaging pressure wave. A deflagration can undergo transition to a detonation in a pipeline, but this is most unlikely in vessels.

If a flammable mixture may be present in process equipment, precautions should be taken to eliminate ignition sources. However, it is prudent to assume that, despite these efforts, a source of ignition will at some time occur.

Deflagration

The conditions for a deflagration to occur are that the gas mixture is within the flammable range and that there is a source of ignition or that the mixture is heated to its AIT.

For the burning of hydrocarbon–air mixtures:

$$ \frac{{{P_{\rm{2MAX}}}}}{{{P_1}}} = \frac{{{N_2}{T_2}}}{{{N_1}{T_1}}} = \frac{{{M_1}{T_2}}}{{{M_2}{T_1}}} $$

where

  • T = absolute temperature

  • M = molecular weight of gas mixture

  • N = number of moles in gas mixture

  • P = absolute pressure

  • 1,2 = initial and final states

  • 2MAX = final state maximum value

The maximum pressure rise for a deflagration of flammable mixtures is approximately as follows for initial absolute pressures of 1–40 bar, for initial temperatures of 0–300°C, and for relatively small volumes of a few cubic meters:

$$ \frac{P_2}{P_1} = \text{approximately 8 for hydrocarbon–air mixtures} $$

$$ \frac{P_2}{P_1} = \text{approximately 16 for hydrocarbon–oxygen mixtures} $$

For conventionally designed pressure vessels:

$$ \frac{P_{\rm b}}{P_1} = \text{approximately 4–5} $$

where

  • $P_{\rm b}$ = vessel bursting pressure

  • $P_1$ = normal design pressure

  • $P_2$ = pressure caused by deflagration

Therefore, in the absence of explosion relief, the deflagration explosion of a hydrocarbon–air mixture is easily capable of bursting a vessel if it is operating near its design pressure when the deflagration takes place. For reactions operating at or near atmospheric pressure, such as many drying and solids processing operations, it may be practical to construct facilities that will withstand the maximum explosion pressure of most dust–air and flammable gas–air mixtures.

Detonations

Detonation of a gas–air mixture may occur by direct initiation of detonation by a powerful ignition source or by transition from deflagration. This transition occurs in pipelines but is most unlikely in vessels. Two useful rules are:

  1.

    Almost any gas mixture that is flammable is detonable if initiated with a sufficiently energetic source.

  2.

    Detonation of a gas–air mixture is possible in pipelines but is unlikely in vessels.

Bartknecht [31] states that the range of detonability is narrower than the range of flammability. For example, the range of detonability of hydrogen in air is 18–59 vol.%, compared with the flammability of 4–75 vol.%. With flammable gases in air, if the length-to-diameter ratio of a pipe or vessel is more than about 10:1, and the pipe diameter is above a critical diameter, 12–25 mm, a detonation is possible.

Detonation pressure: In the case of the burning of a flammable mixture of gases in a pipe with one end closed, a series of pressure waves traveling at the speed of sound moves through the unburned gas. Later waves traveling through the unburned gas, which has been heated by compression from the earlier waves, speed up because of the higher temperature and overtake the first wave, and a shock wave develops. Flame follows the shock wave and catches up with it, forming a detonation wave. A stable detonation wave may develop, which moves with supersonic speed relative to the unburned mixture, and peak incident (side-on) pressures are of the order of 30 times the initial absolute pressure.

Reflected pressure: Reflected pressure increases the pressure on a rigid surface if the shock wave impinges on the surface at an angle to the direction of the propagation of the wave. The maximum ratio of reflected pressure to incident (side-on) pressure when a strong shock wave strikes a flat surface head-on is 8:1. Furthermore, acceleration from a suddenly applied force of the detonation wave can double the load that a structure “feels.” Table 2.3 shows overpressure that can be expected from typical detonations [32].

Table 2.3 Overpressure from Detonations [39]

Thus, the stable detonation wave may cause enormously high pressures at closed ends of pipes, bends, and tees, where the greatest destruction from a gaseous detonation may occur.

Geometry: The following are some factors to consider when detonation is possible:

  1.

    Large length-to-diameter ratios promote the development of detonations; vessels should be designed with the lowest length-to-diameter ratio practicable if a detonation is possible.

  2.

    Equipment such as tanks (not including pipelines) designed to withstand 3.5 MPa (about 500 psig) usually will be adequate to contain a detonation, with other safeguards, for flammable gases in air at atmospheric pressure.

  3.

    Dished heads survive detonations better than do flat heads because of the more unfavorable incidence of flat heads.

  4.

    If turns in a process line are necessary, two 45° bends or a long sweep elbow will greatly reduce reflected pressure compared with a single 90° elbow.

  5.

    Restrictions such as orifices in pipelines may intensify a detonation by promoting pressure piling, which results when there are interconnected spaces such that the pressure rise in one space causes a pressure rise in a connected space. The enhanced pressure in the latter then becomes the starting pressure for a further explosion.

  6.

    Detonation may be extinguished when it enters a wider pipe from a smaller one, but the detonation may be regenerated somewhere along the longer pipe.

  7.

    Flame arresters, if properly designed, can arrest detonations.

Explosion Violence

The rate of pressure rise is a measure of the violence of an explosion. The maximum rate of pressure rise for confined explosions is greatly affected by the volume of the vessel, with the influence of vessel volume on the rate of pressure rise being given by the following equation:

$$ (\text{d}p/\text{d}t)_{\max}\,(V^{1/3}) = \text{a constant} = K_G $$

where

  • (dp/dt)max = maximum rate of pressure rise, bar/s

  • V = vessel volume, m³

  • $K_G$ = a specific material constant, (bar)(m)(s)⁻¹

This is the cubic law, which states that for a given flammable gas, the product of the maximum rate of pressure rise and the cube root of the vessel volume is a specific material constant, $K_G$.

The cubic law allows the prediction of the course of an explosion of a flammable gas or vapor in a large vessel, based on laboratory tests. It is valid only for the following conditions:

  • The same optimum concentration of the gas–air mixture

  • Same shape of reaction vessel

  • The same degree of turbulence

  • The same ignition source

Thus, to characterize an explosion, it is not enough to quote the maximum rate of pressure rise: the volume, vessel geometry [31], turbulence, and ignition energy must also be stated. Table 2.4 lists the $K_G$ values for some common flammable gases measured under laboratory conditions.
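The following worked example of cubic-law scaling is added here and is not part of the original chapter. The test-vessel volume (0.008 m³) and the measured rate (375 bar/s) are constructed values chosen for illustration, not data from Table 2.4. First the material constant is obtained from the laboratory test, then the rate is predicted for an 8 m³ vessel of the same shape:

$$ K_G = (\text{d}p/\text{d}t)_{\max}\,V^{1/3} = (375\ \text{bar/s})\,(0.008\ \text{m}^3)^{1/3} = 375 \times 0.2 = 75\ \text{bar·m/s} $$

$$ (\text{d}p/\text{d}t)_{\max,\ 8\ \text{m}^3} = \frac{K_G}{V^{1/3}} = \frac{75\ \text{bar·m/s}}{(8\ \text{m}^3)^{1/3}} = \frac{75}{2} = 37.5\ \text{bar/s} $$

A thousandfold increase in volume lowers the maximum rate of pressure rise by a factor of 10. The prediction holds only if the concentration, vessel shape, turbulence, and ignition source match those of the test, as listed above.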

Table 2.4 $K_G$ values of gases, spark-ignited with zero turbulence, ignition energy ~10 J, $P_{\max}$ = 7.4 bar8

It can be seen that the violence of an explosion with propane is about 1.5 times higher than one with methane, and one with hydrogen is about 10 times higher than one with methane. The explosive behavior of propane is representative of many flammable organic vapors in air. Some important relationships among pressure, temperature, turbulence, and vessel shape are discussed below.

  1.

    Explosion pressure is primarily the result of temperature reached during combustion, not a change in moles. With complete combustion of propane in air there is a negligible change in moles of gas:

    $$ \text{C}_3\text{H}_8 + \overbrace{5\,\text{O}_2 + 18.8\,\text{N}_2}^{\text{air}} = 3\,\text{CO}_2 + 4\,\text{H}_2\text{O} + 18.8\,\text{N}_2 $$

    Number of moles at start = 24.8. Number of moles after complete combustion = 25.8. Therefore, explosion pressure usually develops principally from an increase in temperature, not an increase in gas moles, during the combustion process of many materials.

    Peak explosion pressure at constant volume occurs near the stoichiometric concentration in air. If only a small part of the total volume of a container is filled by an explosive gas–air mixture at atmospheric pressure, and the remainder of the vessel contains air, an explosion of this mixture can create enough pressure to severely damage containers that are designed to withstand only slight pressure, such as buildings and low-pressure storage tanks.

  2.

    Initial pressure affects maximum explosion pressure and rate of pressure rise. If the initial pressure is increased above atmospheric pressure, there will be a proportional increase in the maximum explosion pressure and in the rate of pressure rise. Reducing the initial pressure will cause a corresponding decrease in maximum explosion pressure until finally an explosion reaction can no longer be propagated through the gas mixture.

  3.

    Initial temperature affects maximum explosion pressure and rate of pressure rise: The maximum explosion pressure decreases when the starting temperature increases at the same starting pressure because of the lower density and thus smaller mass of material within a confined volume at higher temperatures. The maximum rate of pressure rise, (dp/dt)max, increases as the initial temperature rises because the burning velocity increases with an increase in initial temperature.

  4.

    Initial turbulence increases the rate of pressure rise: Initial turbulence greatly increases the rates of explosion-pressure rise [17, 31]. It has been found that with pentane and methane mixtures in air, (dp/dt)max can be five to nine times more with high initial turbulence than with no turbulence. The maximum explosion pressure is raised by about 20%. The course of explosions of flammable gases with a low normal speed of combustion, such as methane, is influenced by turbulence to a much higher degree than is the course of explosions with a high speed of combustion, such as hydrogen. Test data usually are obtained in equipment with a high degree of turbulence.

  5.

    Effect of vessel shape and increased initial pressure: The maximum explosion pressure in confined vessels is not significantly affected by the volume or shape of the vessel in confined explosions for vessels that approximate the “cubic shape,” that is, with a ratio of diameter to length (or vice versa) of about 1:1–1:1.5. In closed elongated vessels with central ignition, spherical ignition of the flame front will cause the flame to proceed swiftly in an axial direction. In the process, it compresses the unburned gases ahead of it, causing the violence of the explosion to increase, and pressure oscillations may occur.

Losses from Dust Explosions

Most organic solids, most metals, and some combustible inorganic salts can form explosive dust clouds. In order to have a dust explosion, it is necessary to satisfy certain conditions:

  • Suitably sized dust particles

  • Sufficient source of ignition energy

  • Dust concentration within explosive limits

  • Explosible dust

  • Oxidizer must be present

If an explosive dust in air that meets the above criteria occurs in a process, an explosion should be considered as inevitable. The process designer should take into account the possibility of dust explosions and design accordingly.

In dust explosions the combustion process is very rapid. The flame speed is high compared with that in gas deflagrations. Detonations normally do not occur in dust explosions in industrial plants.

The sequence of events in a serious industrial dust explosion is often as follows:

  1. A primary explosion occurs in part of a plant, causing an air disturbance.

  2. The air disturbance disperses dust and causes a secondary explosion, which is often more destructive than the primary explosion.

If the occurrence of a flammable (explosive) dust is inevitable in a particular process, several design alternatives or combinations of alternatives are available:

  • Containment (maximum pressure of a dust explosion is usually below 120–150 psig)

  • Explosion venting to a safe place

  • Inerting (most organic dusts are nonflammable in atmospheres containing less than about 10% oxygen)

  • Suppression

A fundamental solution to the dust explosion problem is to use a wet process so that dust suspensions do not occur. However, the process must be wet enough to be effective. Some dusts with a high moisture content can still be ignited.

Dust concentrations in major equipment may be designed to be below the lower flammable limit, but this often cannot be depended on in actual operation. Dust concentrations cannot be safely designed to be above an upper flammable limit because such a limit is ill-defined [19].

For a large number of flammable dusts, the lower explosion limit lies between 0.02 and 0.06 kg/m³. The upper explosion limit is in the range of 2–6 kg/m³, but this number is of limited importance.

A small amount of flammable gas or vapor mixed in with a flammable dust can cause an explosive mixture to be formed even if both are at concentrations below the explosive range by themselves. These mixtures are called “hybrid” mixtures. The ignition energy to ignite a hybrid mixture is often less than that required for the flammable dust by itself.

Venting is only suitable if there is a safe discharge for the material vented. Whenever an explosion relief venting device is activated, it may be expected that a tongue of flame containing some unburned dust will first be ejected. The unburned dust will be ignited as it flows out of the vent and can produce a large fireball that will extend outward, upward, and downward from the vent. It is essential for protection of personnel that venting is to an open place not used by people. If a duct must be used, the explosion pressure in the enclosure will be increased considerably. Therefore, particular attention must be paid to the design of the enclosure in which the explosion could take place.

The NFPA 68 guide issued in 1998 [33] has nomographs, which can be used to select relief areas required for combustible dusts when test data on the dusts are available. The nomographs in NFPA 68 are considered by many to be the preferred way to design dust explosion relief devices.

Relief venting to reduce dust explosion pressure requires the equipment to be protected to have a certain minimum strength. If the enclosure strength is too low, the enclosure will be damaged or destroyed before the explosion relief device can function. NFPA 68 [33] states that the strength of the enclosure should exceed the vent relief pressure by at least 0.35 psi. For industrial equipment such as dryers and baghouses, it is often desirable to have considerably more strength built into the structure to reduce the size of the vent area required. Also, the supporting structure for the enclosure must be strong enough to withstand any reaction forces developed as a result of operation of the vent.

Inerting is a very good preventive measure against dust explosions. The maximum oxygen concentration at which dust explosions are “just not possible” cannot be predicted accurately, as it depends on the nature of the combustible material; testing is usually required. It has been found that in an atmosphere of 10% oxygen and 90% nitrogen, most combustible organic dusts are no longer explosive. To allow a safety margin, it is good industrial practice to maintain oxygen concentrations below 8%. For metal dusts, the allowable oxygen content is about 4% [6].

Inerting creates the possibility of asphyxiation of operating personnel if they are exposed to the inert gas. Strict precautions must be taken to prevent exposure of personnel to inerting atmospheres.

Explosion suppression systems are designed to prevent the creation of unacceptably high pressure by explosions within enclosures that are not designed to withstand the maximum explosion pressure [31]. They can protect process plants against damage and also protect operating personnel in the area. Explosion suppression systems restrict and confine the flames in a very early stage of the explosion. Suppression systems require more maintenance than do relief venting devices. Explosion suppression systems are made by only a few manufacturers and are quite expensive. This may be the reason why this type of safeguard has not been as widely used in industry as one might expect, although its effectiveness has been proved by much practical experience.

Explosion suppression is a proven technology and should be considered as a candidate for explosion protection. The NFPA has published a standard reference on explosion-suppression protection [8]. Manufacturers should be consulted on design, installation, and maintenance.

Even with explosion suppression, it is common for the explosion pressure to reach one atmosphere before it is suppressed. The added pressure surge from the injection of the suppressing agent must also be considered. Therefore, sufficient mechanical strength is always required for enclosures protected by explosion suppression.

Boiling Liquid Expanding Vapor Explosions: Among the most damaging of accidents is a boiling liquid expanding vapor explosion (BLEVE, pronounced BLEV-ee). This occurs when a pressure vessel containing liquid is heated so that the metal loses strength and ruptures. Typically, this happens when the vessel failure results from overheating upon exposure to fire. The failure usually is in the metal contacting the vapor phase; the metal in this area heats to a higher temperature because there is no liquid heat sink to keep the metal temperature from rising rapidly, as there is where metal contacts a liquid phase. A BLEVE can occur with both flammable materials and nonflammable materials, such as water. In all cases the initial explosion may generate a blast wave and missiles. If the material is flammable, it may cause a fire or may form a vapor cloud that then gives rise to a secondary explosion and fireball. Kletz states that BLEVEs can cause as many casualties as can unconfined vapor cloud explosions (UVCEs) [19].

The best known type of BLEVE involves liquefied petroleum gas (LPG). Once a fire impinges on the shell above the liquid level, the vessel usually fails within 10–20 min. In the case of a BLEVE involving a flammable material, the major consequences are, in order of decreasing importance:

  • Thermal radiation from the resultant fireball

  • Fragments produced when the vessel fails

  • Blast wave produced by the expanding vapor/liquid

For example, a BLEVE of a propane sphere with a diameter of 50 ft, holding about 630,000 gal, could cause damage as far away as 13,600 ft, and radiation damage and fragmentation damage would each extend to about 3,000 ft.

In a fire, a tank containing liquid is most vulnerable in the shell at the vapor space because very little heat can be absorbed by the vapor, and the metal in the vapor space can heat up rapidly to a temperature where it will weaken rapidly. The metal contacting the liquid phase will heat up much less rapidly because the liquid can absorb significant amounts of heat, keeping the shell temperature down in that area for a significant amount of time. Thus, there is a dilemma: a partly full vessel may BLEVE sooner than will a full vessel, but a full vessel will have more fuel for the resulting fireball and fire than will a partly empty vessel.

Significant equipment and building damage from radiation is possible from a BLEVE. Wooden structures may be ignited if the radiant heat density at the structure’s location exceeds the threshold value for ignition of wood. Severe damage from fragmentation can be expected in the area where 50% or more of the fragments may fall, or typically about 300 ft from the vessel.

A BLEVE can lead to shock waves, projectiles, and thermal radiation. The effects of a shock wave and projectiles were dealt with earlier; by far the most serious consequence of a BLEVE is the radiation received from the fireball. The following calculational procedure is used to determine thermal impact (details are available in CPQRA [34]):

Damage Estimates [17]: Damage estimates deal with the consequences of explosions and thermal radiation to both people and property. Physical models for explosions and thermal radiation generate a variety of incident outcomes: shock wave overpressure estimates, fragment velocities, and radiant flux. These models rely on the general principle that severity of outcome is a function of distance from the source of release. In addition to estimating the damage resulting from an explosion, it is also necessary to estimate how the consequences of these incident outcomes depend on the object of the study. To assess effects on human beings, damage estimates may be expressed as deaths or injuries. If physical property is the object, the damage estimates may be expressed as monetary losses.

Explosion Consequences: A principal parameter characterizing an explosion is the overpressure. Explosion effect modeling generally is based on TNT explosions to calculate the overpressure as a function of distance. Although the effect of a TNT explosion differs from that of a physical or a chemical explosion (particularly in the near-field), the TNT model is the most popular because a large data base exists for TNT explosions.

More recently, the explosion multi-energy method was developed by an international group in Europe. This model is the best representation of overpressures at far distances. In this method, the mass of vapor in the congested volume participates in the explosion. The approach requires an intricate volume calculation and an estimate of congestion. The TNT model overpredicts pressures at the source and underpredicts at longer distances. However, when overpressures are 5 psi or so, this does not really matter, as most structures and equipment are destroyed at that level [2].

Several kinds of energy may be released in an explosion; three basic types are: (1) physical energy, (2) chemical energy, and (3) nuclear energy. Nuclear energy is not considered here. Physical energy may take such forms as pressure energy in gases, strain energy in metals, or electrical energy. Chemical energy derives from a chemical reaction. Examples of explosions involving chemical energy are runaway exothermic reactions, including decomposition and polymerization.

Table 2.5 summarizes the effects of explosion overpressure on structures. With respect to human casualties, heavy building damage usually is equated to a fatal effect, as the people inside the buildings probably would be crushed. People outside of buildings or structures are susceptible to direct blast injury (blast overpressure) and indirect blast injury (missiles or whole body translation).

Table 2.5 Effect of explosion overpressure on structures (Copyright 1989 by the American Institute of Chemical Engineers, Reproduced by permission of the Center for Chemical Process Safety of AIChE [34])

Relatively high blast overpressures (>15 psig) are necessary to produce a human fatality from a direct blast. Instead, the major threat is produced by missiles or by whole body translation. Fatalities arising from whole body translation are mainly due to head injury from decelerative impact. Injury to people due to fragments usually results from either penetration by small fragments or blunt trauma from large fragments. TNO [22] suggested that projectiles with a kinetic energy of 100 J can cause fatalities. Table 2.6 shows damage to people (physiological damage) as a function of overpressure.

Table 2.6 Physiological damage as a result of overpressure

Radiation Consequences: The effect of thermal radiation on people and objects is determined by one of two approaches:

  1. Simple tabulations based on experimental results

  2. Theoretical models based on the physiology of the skin burn response

Data on time to pain threshold [34] are summarized in Table 2.7. For comparison, solar radiation intensity on a clear, hot summer day is about 320 Btu/h/ft² (1 kW/m²). Other criteria for thermal radiation damage are shown in Table 2.8 [34].

Table 2.7 Time to pain threshold for varying levels of radiation [41] (Courtesy American Petroleum Institute)
Table 2.8 Effects of thermal radiation (Copyright American Institute of Chemical Engineers, reproduced by permission of the Center for Chemical Process Safety of AIChE [34].)

The effect of thermal radiation on structures depends on whether they are combustible or not, and the nature and duration of the exposure. Thus, wooden materials will fail because of combustion, whereas steel will fail because of thermal lowering of the yield stress.

Unconfined Vapor Cloud Explosions: When a large amount of volatile material is released rapidly to the atmosphere, a vapor cloud forms and disperses. If the cloud is ignited before it is diluted below its lower flammability limit, an uncontrolled vapor cloud explosion will occur. This is one of the most serious hazards in the process industries. Both shock waves and thermal radiation will result from the explosion, with the shock waves usually the more important damage producers. UVCEs usually are modeled by using the TNT model [34]. The energy of the blast wave generally is only a small fraction of the energy available from the combustion of all the material that constitutes the cloud; the ratio of the actual energy released to that available frequently is referred to as the “explosion efficiency.” Therefore, the TNT weight equivalent of a UVCE includes an explosion efficiency term, which typically is an empirical factor ranging from 1 to 10%. The explosion effects of a TNT charge are well documented.

Physical Explosions: A physical explosion usually results from the production of large volumes of gases by non-chemical means. The gases necessary for a physical explosion may be those already existing, such as compressed nitrogen released suddenly from a ruptured cylinder, or steam released explosively from a crack in a steam drum.

The following are some settings and situations in which physical explosions have been known to take place:

  • Steam boilers

  • Hydraulic overfill of tanks or pipes with external applied pressure (as in pressure testing)

  • Compressed air tanks

  • Deadheaded pumps

  • Thermal expansion of tanks or pipes

  • Liquid cryogenic fluids on water (such as liquid methane on water)

  • Water suddenly mixed with sulfuric acid (also may cause a chemical explosion)

  • BLEVE with superheated liquid (flammable or nonflammable) (see next section)

  • Explosion of grinding wheel at too high a speed

  • Liquid water in molten MgCl₂ solution at high temperatures

  • Implosions due to vacuum

  • Overpressured refrigerant systems

  • Molten metals exploding violently on contact with water

  • Some molten metals exploding when mixed with each other

  • The mixing of two immiscible liquids whose boiling points are not widely separated

Steam boilers are commonly used in power plants and industries of all kinds. They generally are taken for granted now, but in the second half of the nineteenth century boilers blew up with alarming regularity. Records indicate that from 1870 to 1910 there were at least 10,000 boiler explosions in the United States and adjacent areas of Canada and Mexico; that is, more than one recorded explosion every 36 h! By 1910, the rate had jumped to between 1,300 and 1,400 per year. On October 8, 1894, in the Henry Clay Mine in Shamokin, Pennsylvania, 27 boilers disintegrated almost simultaneously! Mainly because of the incorporation of the ASME Boiler Code into laws, boiler explosions have decreased dramatically [35].

When a pressurized vessel ruptures, the resulting stored energy is released. This energy can cause a shock wave and accelerate vessel fragments. If the contents are flammable, ignition of the released gas could produce additional effects. There is a maximum amount of energy in a bursting vessel that can be released, and it is released in the following proportions: [32]

 

Distribution of energy when vessel ruptures

| Type of failure | Strain energy | Kinetic energy of fragments | Shock wave energy |
|---|---|---|---|
| Brittle failure | <10% | ~20% | up to 80% |
| Plug ejection | small | up to 60–80% | 20–40% |

The relative distribution of these energy components will change over the course of the explosion, but most of the energy is carried by the shock wave with the remainder going to fragment kinetic energy. To estimate the damage resulting from the shock wave from a physical explosion, the TNT model is used widely. To determine the TNT equivalent of a physical explosion, the total energy in the system must be estimated. For a physical explosion, if the expansion occurs isothermally, and ideal gas laws apply, then the TNT equivalent of the explosion can be calculated. This energy then can be used to estimate overpressure at any distance from the explosion. The analogy of the explosion of a container of pressurized gas to a point source explosion of TNT is not appropriate in the near-field. Prugh [36] suggests a correction method using a virtual distance R_v from an explosion center.

In addition to shock wave effects, a major hazard of a ruptured gas-filled vessel is from projectiles. To estimate damage from projectiles, both the initial velocity and the range are required. A simplified method for calculating the initial velocity uses the following equation: [37]

$$ u = 2.05\left( \frac{P D^{3}}{W} \right)^{0.5} $$

where

  • u = initial velocity, ft/s.

  • P = rupture pressure, psig.

  • D = fragment diameter, in.

  • W = weight of fragments, lb.

Clancey [38] gives the following values for initial velocity for the majority of fragments from a TNT explosion:

  • Thin case: 8,000 ft/s

  • Medium case: 6,000 ft/s

  • Thick case: 4,000 ft/s

Once the initial velocity has been determined, the maximum range of the fragment, ignoring air resistance, can be estimated from

$$ R_{\max} = \frac{u^{2}}{g} $$

where R_max is the maximum range of fragments and g is the acceleration of gravity.

If the above values for typical velocity are substituted into the above equation, a maximum range of 5 × 10⁵ ft is possible. Therefore, it is clearly necessary to include air resistance. To include air resistance, a value of C_D, the drag coefficient, must be estimated. The drag coefficient ranges from 0.48 for a sphere to 2 for flow perpendicular to a flat strip, and for most fragments ranges from 1.5 to 2.0.

If one knows the air density, drag coefficient, exposed area of the fragment, mass of the fragment, and the initial velocity, the maximum range R can be calculated with the aid of Fig. 2.13 [18]. Although this technique gives the maximum range, most fragments do not travel the maximum distance but fall at distances between 0.3 and 0.8 of the maximum.

Fig. 2.13 (a) Scaled fragment range vs. scaled force (Baker et al. [18]). (b) Maximum horizontal range of blast fragments (Clancey [38]).

The energy required to impart an initial velocity of u to a fragment is

$$ E = \frac{1}{2}m{u^2} $$

where m is the mass of the fragment (lb) and u is the initial velocity (ft/s).

Example: A high pressure vessel containing air at 600 bar has ruptured, leading to 15 fragments of approximately equal mass (85 lb), one of which was found as far as 400 ft from the vessel. This fragment has a drag coefficient of 1.5 and an exposed area of 3 ft². Assuming that 20% of the explosion energy went to energy of the fragments, estimate the energy of the explosion in weight equivalent TNT. The air density is 0.081 lb/ft³.

Procedure: Assuming that the fragment found at 400 ft is at the maximum range for the fragments, the scaled fragment range R_s can be calculated:

From Fig. 2.13, we obtain a scaled force (F_s) of approximately 5. The initial velocity of the fragment then can be calculated as

$$ u = \sqrt{\frac{M g F_{\rm s}}{r_0 C_D A_D}} = \sqrt{\frac{85 \times 32.17 \times 5}{0.081 \times 1.5 \times 3}} = 194 \ \text{ft/s} $$

The energy required to give the fragment this initial velocity is

$$ E = \frac{1}{2}(85)(194)^{2} = 1.6 \times 10^{6} \ \text{lb ft}^{2}/\text{s}^{2} = 64 \ \text{BTU} $$

Since there were 15 fragments, the total energy of the explosion that went into fragment kinetic energy is 15 × 635.8 BTU = 9,537 BTU. If only 20% of the explosion energy went into fragment kinetic energy, then the total explosion energy is 47,680 BTU, which is the equivalent of 23.8 lb of TNT. Using the method of Clancey [38], 2.4 lb TNT can provide a maximum range of 950 ft for projectiles (Fig. 2.13b).
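The fragment calculation above can be scripted so that the unit conversions are explicit. The following is an added example, not part of the original chapter: it evaluates the simplified velocity equation, the no-drag range, and the scaled-force velocity with the F_s of about 5 that the text reads from Fig. 2.13, then carries the 64 BTU per-fragment energy through to a TNT weight. The 2,000 BTU per lb of TNT conversion and all function names are assumptions of this example.

```python
"""Fragment-throw back-calculation for a ruptured vessel (US customary units)."""
import math

G = 32.17                # ft/s^2, acceleration of gravity as used in the text
GC = 32.174              # lb*ft/(lbf*s^2), converts lb*ft^2/s^2 to ft*lbf
FT_LBF_PER_BTU = 778.17  # mechanical equivalent of heat
TNT_BTU_PER_LB = 2000.0  # ASSUMPTION: round energy of explosion of TNT


def _require_positive(**values):
    """Reject zero or negative physical inputs before they reach a sqrt or a division."""
    for name, value in values.items():
        if value <= 0:
            raise ValueError(f"{name} must be positive, got {value}")


def initial_velocity_simplified(p_psig, d_in, w_lb):
    """Simplified initial velocity, u = 2.05 * (P * D^3 / W)^0.5, in ft/s."""
    _require_positive(p_psig=p_psig, d_in=d_in, w_lb=w_lb)
    return 2.05 * math.sqrt(p_psig * d_in ** 3 / w_lb)


def vacuum_range(u_ft_s):
    """Maximum range ignoring air resistance, R_max = u^2 / g, in ft."""
    _require_positive(u_ft_s=u_ft_s)
    return u_ft_s ** 2 / G


def velocity_from_scaled_force(mass_lb, f_s, air_density, c_d, area_ft2):
    """Initial velocity from the scaled force read off the range chart, in ft/s."""
    _require_positive(mass_lb=mass_lb, f_s=f_s, air_density=air_density,
                      c_d=c_d, area_ft2=area_ft2)
    return math.sqrt(mass_lb * G * f_s / (air_density * c_d * area_ft2))


def kinetic_energy_btu(mass_lb, u_ft_s):
    """E = 1/2 m u^2, converted from lb*ft^2/s^2 to ft*lbf and then to BTU."""
    _require_positive(mass_lb=mass_lb, u_ft_s=u_ft_s)
    e_lb_ft2_s2 = 0.5 * mass_lb * u_ft_s ** 2
    return e_lb_ft2_s2 / GC / FT_LBF_PER_BTU


def tnt_equivalent_lb(energy_per_fragment_btu, n_fragments, fragment_fraction):
    """Total explosion energy as lb of TNT, given the share that went to fragments."""
    _require_positive(energy_per_fragment_btu=energy_per_fragment_btu,
                      n_fragments=n_fragments)
    if not 0.0 < fragment_fraction <= 1.0:
        raise ValueError("fragment_fraction must be in (0, 1]")
    fragment_energy = energy_per_fragment_btu * n_fragments
    total_energy = fragment_energy / fragment_fraction
    return total_energy / TNT_BTU_PER_LB


def worked_example():
    """Inputs of the example in the text: 15 fragments of 85 lb, F_s = 5, 20% to fragments."""
    u = velocity_from_scaled_force(mass_lb=85, f_s=5, air_density=0.081,
                                   c_d=1.5, area_ft2=3)
    e_btu = kinetic_energy_btu(mass_lb=85, u_ft_s=u)
    return {
        "u_ft_s": u,
        "energy_per_fragment_btu": e_btu,
        "tnt_lb": tnt_equivalent_lb(e_btu, n_fragments=15, fragment_fraction=0.20),
    }


if __name__ == "__main__":
    result = worked_example()
    print(f"initial velocity     : {result['u_ft_s']:.0f} ft/s")
    print(f"energy per fragment  : {result['energy_per_fragment_btu']:.0f} BTU")
    print(f"TNT equivalent       : {result['tnt_lb']:.1f} lb")
    # Clancey's thick-case fragment velocity, with air resistance ignored
    print(f"no-drag range at 4,000 ft/s: {vacuum_range(4000):.2e} ft")
```

The division by g_c is the step that turns 1.6 × 10⁶ lb ft²/s² into about 64 BTU; with the assumed TNT conversion the result is about 2.4 lb, the charge weight used with Clancey's method above.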

Mechanical Heat

Mechanical motion in fluids becomes kinetic energy and may become heat in devices with rotating parts. Mechanical heat input from rotating agitators, pump impellers, and other mechanical equipment must be taken into account in the design of process equipment, particularly in systems containing reactive chemicals. This section will provide some guidelines for the analysis of individual cases involving pumps and agitated tanks [20, 23, 39].

Some useful rules are as follows.

  1. A deadheaded pump is a pump operating full of liquid and with inlet and outlet valves closed.

  2. Almost all deadheaded centrifugal pumps with motors of three horsepower or larger are headed for trouble if left deadheaded. (Depending on the horsepower, a few minutes may be too long.)

  3. The heat input from the rotating impeller in a deadheaded centrifugal pump is always a large value relative to the heat sink of the fluid and the pump.

  4. It is not necessary for there to be a chemical reaction in a pump for an explosion to take place. Deadheaded pumps containing only water or brine have blown up.

  5. An agitator or a circulating pump left on in a vessel of a reactive chemical may heat up the contents enough to cause a runaway reaction.

  6. All centrifugal pumps with motors larger than 3 hp should be protected in some way to prevent deadheading.

  7. A temperature alarm in the casing is a minimum form of protection. A better way may be to have the high-temperature alarm wired to the process control computer, to both alarm and shut off the pump. Other systems are available and may be used; they may include (but are not limited to) a relief valve on the pump, a minimum flow valve, and a flow orifice in the recirculating line. A relief valve on a pump relieving back to the pump inlet may not eliminate the problem of heat buildup in a deadheaded pump and usually should be avoided unless other protective measures are used such as a high-temperature device.

  8. An ammeter on the pump motor usually is not a reliable means of detecting deadheaded conditions. The low power factors often experienced with pump motors, and the nature of pump curves, often make it difficult to distinguish between normal running and deadheaded conditions using an ammeter.

  9. For mechanical heat equivalent, the following are recommended: (a) For pumps, use 50% of the connected motor horsepower for centrifugal pumps that are deadheaded, unless better information is available. (b) For agitators, use 100% of the vendor rated shaft input horsepower for the input shaft (total power less drive and bearing inefficiencies) for the actual material in the vessel.

Vacuum [39]

Ask any chemical engineers who have had some plant experience what they know about vacuum, and they probably will smile and tell a tale about some piece of equipment that tried to turn itself inside out. Usually no one was hurt, and often there is no massive leakage—but not always!

The design for the internal pressure condition of vessels usually is straightforward and well understood. Under vacuum conditions, equipment is subject to external pressure from the atmosphere; and the design for external pressures is more difficult than that for internal pressures. The devious ways in which external pressure can be applied often may be overlooked.

The following are some obvious causes of vacuum collapse:

  • Liquid withdrawal by pump or gravity draining

  • Removal of gas or vapor by withdrawing with a blower, fan, or jet

  • Siphoning of liquids

Less obvious causes include:

  • Condensation of vapor

  • Cooling of hot gas

  • Combination of cooling and condensation of a mixture of gas and condensable vapor

Sometimes obscure causes of vacuum collapse include:

  1. Absorption of a gas in a liquid; for example, ammonia in water, carbon dioxide in water, hydrogen chloride in water.

  2. Reaction of two or more gases to make a liquid or solid; for example, ammonia plus hydrogen bromide to form ammonium bromide.

  3. Reaction of a gas and a solid to form a solid; for example, corrosion in a tank, air plus Fe or FeO forming Fe₂O₃ in the presence of water.

  4. Reaction of a gas and a liquid to give a liquid; for example, chlorination, hydrogenation, ethylation.

  5. Sudden dropping of finely divided solids in a silo, creating a momentary vacuum that can suck in the sides of the silo.

  6. Flame arrestors plugging; for example:

    (a) In styrene service, vapor may condense in flame arrestors, and the liquid formed is low in inhibitor; the liquid may polymerize and plug off the arrestor. Possible solutions: clean the arrestor frequently or use a PVRV (pressure-vacuum-relief valve).

    (b) Liquid service in cold weather: vapor may condense in a flame arrestor and the liquid formed may freeze and plug the arrestor. Possible solution: heat and insulate the arrestor to prevent condensation.

  7. Maintenance and testing. It is not a good idea to apply vacuum on a vessel during maintenance or testing without full knowledge of the external pressure rating unless a suitable vacuum relief device is in place and operable.

Protective Measures for Equipment

If equipment may be subject to vacuum, consideration should be given to designing the equipment for full vacuum. This may eliminate the need for complicated devices such as vacuum relief valves and instruments; if they are used, designing the equipment for full vacuum will prevent collapse of the vessel if the instruments or relief valves fail or plug.

A disadvantage of this approach is that it usually is expensive. However, when the total cost of a suitably instrumented vessel not designed for vacuum is compared with the cost of a vessel designed for vacuum but without the extra equipment, the difference may be small or negligible, and the vessel designed for vacuum will be inherently safer. If a vessel is designed for vacuum, precautions should be taken to ensure that internal or external corrosion will not destroy the integrity of the vessel.

Reactivity Hazards [2]

As a nation, we continue to have chemical reactivity incidents that cause harm to people, property and the environment. The Chemical Safety Board’s report analyzed 167 incidents from 1980 to 2001 that resulted in a total of 108 fatalities and significant property damage. While this number may seem small in comparison to, say the number of automobile related fatalities annually in the US, it is significant because the data used are admittedly incomplete, leading to the expectation that the “true” impact of chemical reactivity incidents is much higher.

By way of definition, the CCPS Concept Book intentionally uses the term “chemical reactivity hazard” rather than “reactive hazard,” “reactive chemical hazard,” or “chemical reaction hazard.”

A chemical reactivity hazard is defined as a situation with the potential for an uncontrolled chemical reaction that can result in serious harm or loss.

According to the CSB report, in a vast majority of these cases, the information needed to properly assess (and therefore, control) these hazards was known prior to the incident. In 90% + of all incidents studied, the information necessary to have prevented the incident was documented and publicly available.

As the Chemical Safety Board has concluded in its Hazard Investigation, the problem is not reactive chemicals but managing reactive chemicals.

Reactivity of chemicals provides us with much of the materials necessary for modern civilization, but the hazards associated with reactive chemicals must be controlled.

  • It’s not reactive chemicals, it’s reactive chemistry—and the management of its hazards.

  • Many reactive chemistry incidents have occurred in operations where there was no intended chemical reaction (storage, blending, distillation, etc.).

  • Reactive chemicals can be reactants, intermediates and products.

An approach to reactivity hazard evaluation used by a major chemical company that is a leader in reactive chemical safety includes the following steps.

  • Identify all chemicals used in the process (raw materials, intermediates and products).

  • Obtain reactivity information and data on the above including inadvertent mixing—testing may be required.

  • Use a team approach to identify what can go wrong.

  • Determine the consequences of all possible deviations.

  • Calculate the worst case scenario.

  • Identify and implement appropriate safeguards.

Many reactive chemical incidents take place when there is no chemical reaction intended. Such an incident occurred April 21, 1995 at Napp Technologies in Lodi, New Jersey. The Napp incident involved inadvertent mixing of water with water-reactive chemicals (aluminum powder and sodium hydrosulfite) during a blending operation. There were five fatalities, evacuation of 300 people, major property damage, and loss of business. Neither aluminum powder nor sodium hydrosulfite is included in the OSHA PSM standard.

The first step in managing a reactive hazard is to identify that there is a hazard. This can be done by literature surveys, energy of reaction, chemical structures and bonds, and interaction matrixes. It helps to have someone in your organization who has special expertise on reactive hazards.

There is plenty of literature, vendor information and other resources to help. General types of reactivity testing:

  • DOT/UN tests

  • Screening tests

  • Reaction calorimetry

  • Detailed hazard testing

  • Special studies

There are numerous testing methods that can be used depending on the hazard information required. If more detailed information is required for engineering calculations, such as relief valve sizing, different methods should be used.

Reactive Chemistry References:

  • CCPS, Guidelines for Chemical Reactivity Evaluation and Application to Process Design, 1995.

  • CCPS (2003), Essential Practices for Managing Chemical Reactivity Hazards, AIChE, NY.

  • Bretherick, Handbook of Reactive Chemical Hazards Vols. 1 and 2, Elsevier 2007.

  • Sax, Dangerous Properties of Industrial Materials (Lewis and Irving, 2001).

  • CHRIS Chemical Hazards Response Information Systems (US Coast Guard).

  • NFPA Stds. 49, 325, 432, 491.

  • ASTM CHETAH (Balaraju et al. 2002).

There are standards that can help you construct binary chemical compatibility charts. These charts are useful when you handle a variety of chemicals in an area and are concerned with inadvertently mixing any two chemicals. Factors that should be considered when specifying the mixing scenario include material quantities and temperatures, degree of confinement, atmosphere, and the maximum time the materials may be in contact. Do this for all chemicals including warehousing, cleaning chemicals, etc.

  • ASTM 2012–00 Standard Guide for Preparation of a Binary Compatibility Chart.

Chemical Reactivity Worksheet, Version 2.0.2, NOAA/CCPS, last updated August 2010. http://response.restoration.noaa.gov/chemaids/react.html.
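A binary compatibility chart for a small inventory, as an added example (not from the chapter, ASTM or the NOAA worksheet). The inventory, scenario values and the placeholder cleaning chemical are constructed; the only incompatibilities entered are the water pairs named in the Napp incident above, and any pair without a complete evaluation is reported as an open item rather than assumed compatible.

```python
from dataclasses import dataclass, fields
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class MixingScenario:
    """Factors the text says to specify for each mixing scenario."""
    quantities: Optional[str] = None
    temperature: Optional[str] = None
    confinement: Optional[str] = None
    atmosphere: Optional[str] = None
    max_contact_time: Optional[str] = None

    def missing(self):
        """Names of scenario factors that were never filled in."""
        return [f.name for f in fields(self) if getattr(self, f.name) is None]


@dataclass(frozen=True)
class Evaluation:
    result: str              # "incompatible" or "compatible"
    basis: str               # where the result came from
    scenario: MixingScenario


# Constructed inventory: process materials plus a cleaning chemical,
# because the chart should cover warehousing and cleaning chemicals too.
INVENTORY = ["water", "aluminum powder", "sodium hydrosulfite",
             "cleaning chemical (placeholder)"]

# Constructed evaluation records. Scenario values are illustrative only.
EVALUATIONS = {
    frozenset(("water", "aluminum powder")): Evaluation(
        "incompatible", "water reactive (Napp incident)",
        MixingScenario("blender batch", "ambient", "closed blender",
                       "air", "duration of blending")),
    # Result known, but two scenario factors were never recorded.
    frozenset(("water", "sodium hydrosulfite")): Evaluation(
        "incompatible", "water reactive (Napp incident)",
        MixingScenario("blender batch", "ambient", "closed blender")),
}


def build_chart(inventory, evaluations):
    """Return {(a, b): (status, note)} for every unordered pair, a < b."""
    chart = {}
    for a, b in combinations(sorted(set(inventory)), 2):
        ev = evaluations.get(frozenset((a, b)))
        if ev is None:
            chart[(a, b)] = ("UNKNOWN", "no data: evaluate or test")
        elif ev.scenario.missing():
            chart[(a, b)] = ("INCOMPLETE",
                             "scenario lacks: " + ", ".join(ev.scenario.missing()))
        else:
            chart[(a, b)] = (ev.result.upper(), ev.basis)
    return chart


def open_items(chart):
    """Pairs that still need data before the chart can be relied on."""
    return sorted(pair for pair, (status, _) in chart.items()
                  if status in ("UNKNOWN", "INCOMPLETE"))


def render(chart, inventory):
    """Lower-triangular text chart: X incompatible, ok, ? unknown, ! incomplete."""
    names = sorted(set(inventory))
    code = {"INCOMPATIBLE": "X", "COMPATIBLE": "ok", "UNKNOWN": "?", "INCOMPLETE": "!"}
    lines = []
    for i, row in enumerate(names):
        cells = [code[chart[(col, row)][0]] for col in names[:i]]
        lines.append((f"{row:<32}" + " ".join(f"{c:>2}" for c in cells)).rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    chart = build_chart(INVENTORY, EVALUATIONS)
    print(render(chart, INVENTORY))
    for pair in open_items(chart):
        print("open:", pair, "-", chart[pair][1])
```
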

It is important to have enough data to describe the hazard and to provide control measures. Special expertise is required to do this right.

  • Sufficient data to fully characterize reactive hazards is sometimes available from suppliers or other sources.

  • Work with someone who knows:

    • The various tests and their limitations

    • When they should be conducted

    • How to interpret and use the results

To summarize, if you handle chemicals, you need a reactive chemicals program. Some important aspects include …

  • Ownership of the reactive chemistry

  • Reactive chemical (life cycle) reviews

  • Screening and testing protocols

  • Screening and testing facilities

  • Capture of reactivity hazard data

  • Availability of experts to participate in reviews and for consultation

Toxicity Hazards [2]

Toxicity is a life safety issue and there are different ways to express the threat. A particular toxin can represent hazards in more than one type of exposure. Fluorine has both serious skin contact and respiratory issues. Respiratory rate can also contribute to the extent of the exposure. Toxicity is a measure of harm from direct exposure to certain chemical substances. It measures potential life threatening exposures including oral, skin contact and respiratory. Life health risk is a function of type of contact, toxicity and duration of exposure. Reaction of individuals to a specific toxin varies. Toxicity data do not reflect chronic health effects. Examples of highly toxic chemicals include:

  • Acetic anhydride

  • Acrylamide

  • Aniline

  • Arsenic compounds

  • Benzoyl peroxide

  • Barium salts

  • Fluorine, Chlorine, Bromine

  • Formaldehyde

  • Hydrazine

  • Hydrogen sulfide

  • Mercury compounds

  • Nitrobenzene

  • Nickel carbonyl

  • Oxalic acid

  • Phenol

  • Phosgene

  • Phthalic anhydride

  • Propylamines

  • Silver salts

  • Tetrachloroethane

  • Sulfur dioxide

Toxicity includes:

  • Acute exposure

    • A single exposure to a toxic substance which may result in severe biological harm or death; acute exposures are usually characterized as lasting no longer than a day

  • Chronic exposure

    • Continuous exposure to a toxin over an extended period of time, often measured in months or years, which can cause irreversible side effects

Process safety is primarily concerned with acute exposure. Some common terms used to describe toxicity include:

  • LC 50—Concentration of a material in air that will kill 50% of the test subjects (typically animals) when administered as a single exposure (typically 1–4 h)

  • LC Lo—Lowest concentration reported to have killed animals or humans

  • LD 50—Dose required to kill half the members of a tested population

  • LD 50—Dose at which 50% of a tested population are killed

There are many ways to define and present acute exposure levels. These definitions and exposure levels have been created with help from organizations like the American Conference of Governmental Industrial Hygienists (ACGIH). Data on acute effects are normally hard to find, and an even more extensive amount of data than is needed for, say, an IDLH is necessary to produce a probit relationship, which maps out all the combinations of concentration and time for a particular probability of fatality. Probits have application for detailed QRAs.

Some other terms to describe acute toxicity include:

  • ERPG—Emergency Response Planning Guidelines

    • ERPG 1—1 h exposure mild health effects

    • ERPG 2—1 h exposure w/o irreversible health effects

    • ERPG 3—1 h exposure w/o life threatening health effects

  • IDLH—Immediately Dangerous to Life and Health

    • Maximum airborne concentration to which a healthy male worker can be exposed up to 30 min and be able to escape without loss of life or irreversible organ damage

  • Probit—Dose/Response Algorithm

  • EEGL/SPEGL—Emergency Exposure Guidance Levels

Asphyxiants are a special class of toxic gases. Asphyxiants are normally inert gases such as nitrogen, argon, carbon dioxide and others. Nitrogen is the most prevalent in the chemical industry. Multiple deaths occur because someone tries to be a hero in a rescue attempt. In some cases, even when rescuers suspect the cause, they think they can hold their breath long enough. Breathing air is normally produced from compressed air. However, air is sometimes manufactured as a mixture of nitrogen and oxygen. These mixtures are normally not acceptable for breathing air, but if they are used that way there is always a chance that the ratio of nitrogen to oxygen is not correct. There are approximately 8 deaths/year from N2 asphyxiation alone in the United States. Contributing causal factors for these incidents include being in or near a confined space, inadequate monitoring, mix-up of N2 and breathing air, and attempted rescue.

Corrosivity Hazard [2]

Rust is the simplest form of corrosion. Rust can result in a damaged hose clamp that cannot be tightened or removed due to rust deposition. The single biggest concern with corrosion is inside the equipment, but external corrosion can also be a major concern. A broken hose clamp can cause a hose to slip off a connection. Corrosion is a chemical reaction between a metal and its environment. Common corrosion (rust) requires air and moisture. The corrosive layer can weaken a pipe or equipment structurally and thus initiate a failure. Corrosion or erosion often occurs in pipe elbows, where high velocity can scour corrosion products, exposing additional metal to corrosion. Common corrosion rates in pipe wall are 0.1–0.2 mm/year, but corrosion rates may increase tenfold in highly corrosive or erosive service.

The most common example of metal oxidation is rust, but other metals can also oxidize (e.g., aluminum). Insulation can absorb moisture and act to dramatically increase the rate of rust formation. High temperature corrosion does not require the presence of a liquid electrolyte such as water. Oxidation is the major type of high temperature corrosion, but you can also have sulfidation and carburization. Alloys often rely on the oxidation reaction to produce a protective scale.

Galvanic corrosion is an electrochemical process in which one metal corrodes preferentially when in electrical contact with another metal and both metals are immersed in an electrolyte. The galvanic couple is set up and ions move from the anode to the cathode. The presence of electrolyte and a conducting path between the metals may cause corrosion. Underground piping can undergo this problem, and sometimes sacrificial anodes such as zinc, magnesium or aluminum are used.

One form of microbial corrosion is caused by two types of bacteria: one that eats sulfates in the absence of oxygen and nitrates to form hydrogen sulfide (sulfate reducing bacteria), and another that eats the hydrogen sulfide to form sulfuric acid. This can be a problem when city wastewater is used in the plant. The city of Phoenix had problems a few years ago, and firewater systems in plants in that area had severe corrosion using that water. The addition of as little as 3 ppm of chlorine eliminated that problem.

Corrosion in passivated materials can produce localized pitting if the coating is not completely uniform. Make sure that materials passivated by a layer of oxidized material such as aluminum oxide are not in an environment where that passivated layer is continuously scraped away. Corrosion rates are normally in the range of mils/year. Clad vessels are sometimes used if normal materials have too high a corrosion rate for the service and alternative materials are too costly for the thickness needed. Additional thickness is needed to compensate for an expected corrosion rate over the lifetime of the equipment. Corrosion rates are dependent on piping or vessel materials of construction and chemical conditions including flow, concentration of corrosive chemical(s), temperature, and pressure.

Hazard Identification and Risk Analysis

The other element included in the pillar Understanding Hazards and Risk is Hazard Identification and Risk Analysis (HIRA). HIRA encompasses all activities involved in identifying hazards and evaluating risks to employees, the public and the environment at facilities, throughout the facility’s life cycle, to control the risk within the organization's risk tolerance. HIRA addresses three questions:

  • What can go wrong?

  • How bad is it?

  • How likely is it to occur?

HIRA Logic Diagram

The logic diagram (Fig. 2.14) explains the process of how to uncover hazards and how to analyze and address the risks. Note there is a recycle loop at the end. If risks are too high as judged by a company then ways for risk reduction must be sought and the final risk accepted. Risk is a function of the probability and consequences of an undesirable event which could occur as a result of the presence of a hazard. Another way to express risk is to say it is some function of the combination of probability that something might happen and the expected consequences if it does.

Fig. 2.14 HIRA logic diagram. Copyright 2010 Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE), www.aiche.org/ccps and used with permission

HIRA includes the following topics:

  • Hazard identification

  • Qualitative hazard evaluation methodologies

  • Quantitative hazard evaluation methodologies

  • Consequence analysis

  • Probability analysis

Hazard Identification

Hazard identification answers the question “What can go wrong?”

OSHA requires that Process Hazard Analyses (PHAs) be conducted on covered processes. PHAs use qualitative hazard evaluation methodologies.

PHAs include both the identification and evaluation of the hazards (refer to section on “Regulations”). Methodologies commonly used to conduct PHAs include:

  • What if

  • Checklist

  • What if/Checklist

  • FMEA (Failure Modes and Effects Analysis)

  • FTA (Fault Tree Analysis)

  • HAZOP

HAZOP stands for “Hazard and Operability Studies,” a set of formal hazard identification and elimination procedures designed to identify hazards to people, processes, plants, and the environment. The technique aims to stimulate the imagination of designers and operations people in a systematic way so they can identify potential hazards. In effect, HAZOP studies assume that there will be mistakes, and provide a systematic search for these mistakes. In some European countries, HAZOP studies are mandatory and attended by observers from regulatory authorities to ensure that the studies are carried out correctly. The examination of accidents [40] during 1988 at a large US chemical company revealed that the accidents could be classified as follows:

  • Spills: 52%

  • Emissions: 30%

  • Fires: 18%

Of the fires, about 50% occurred during construction, 25% were due to pump seal failure, and the remaining 25% resulted from engineering and operational oversights that a HAZOP study possibly could have prevented.

Of the emissions, 37% were due to piping failure, with lined pipe being the largest contributor. Operational and procedural issues accounted for 53% of the remainder.

Of the spills, 11% were due to equipment failures. Piping failures (especially lined pipe and gaskets) accounted for 30%, and 56% were caused by various types of operational errors, noncompliance with procedures, or nonexistent procedures. Material handling was a factor in many spills and emissions. The most frequent type of operational error was a valve being left in an improper position, either open or closed. HAZOP studies probably could have reduced the number and seriousness of the problems experienced. Some investigations have shown that a HAZOP study will result in recommendations that are 40% safety-related and 60% operability-related. Thus, HAZOP is far more than a safety tool; a good HAZOP study also results in improved operability of the process or plant, which can mean greater profitability.

The HAZOP technique can be used to identify human error potential. From a practical point of view, human error and its consequences can occur at all levels of a management structure as well as in the operation of a particular plant or process. Carried out correctly, Technica [41] states that a HAZOP study will identify at least 70–75% of potential operational and safety problems associated with a particular design process, including human error.

The HAZOP technique also can be used for the evaluation of procedures. Procedures may be regarded as a “system” designed to “program” an operator to carry out a sequence of correct actions. Deviations from intent are developed, with the emphasis on “operator action deviation” rather than “physical property deviation.” It is the procedure, not the hardware, that is the object of study, but hardware modifications may be recommended to cover potential problems identified from procedure deviations.

Some Tools for Evaluating Risks and Hazards

Dow Fire and Explosion Index: The Dow Fire and Explosion Index (F&EI), developed by The Dow Chemical Company, is an objective evaluation of the potential of a facility for a fire, an explosion, or a reactive chemical accident. Its purpose is to quantify damage from incidents, identify equipment that could contribute to an incident, and suggest ways to mitigate the incident; it also is a way to communicate to management the quantitative hazard potential. It is intended for facilities handling flammable, combustible, or reactive materials whether stored, handled, or processed. The goal of the F&EI evaluation is to become aware of the loss potential and to identify ways to reduce the potential severity in a cost-effective manner. It does not address frequency (risk) except in a general way. The number is useful mainly for comparisons and for calculations of damage radius, maximum probable property damage, and business interruption loss, and to establish frequency of reviews. The method of carrying out an F&EI evaluation is available to the public from the American Institute of Chemical Engineers, New York, NY.

Failure modes and effects analysis (FMEA): FMEA is a systematic, tabular method for evaluating the causes and effects of component failures. It represents a “bottom–up” approach, in contrast with a fault tree, where the approach is “top–down.” In large part, HAZOP is a well-developed form of FMEA [19].

Fault tree: A fault tree is a logical model that graphically portrays the combinations of failures that can lead to a particular main failure or accident of interest. A fault tree starts with a top event, which is usually a hazard of some kind. The possibility of the hazard must be foreseen before the fault tree can be constructed. A fault tree helps reveal the possible causes of the hazard, some of which may not have been foreseen [19].

Safety audit: A safety audit is a method of reviewing the actual construction and operation of a facility. Often, safety audits are conducted by a small interdisciplinary team. At least some of the members of the team are not connected with the plant. The audit may be carried out before startup and also is repeated later at intervals of, typically, 1–5 years.

Chemical exposure index: The Chemical Exposure Index is a technique for estimating the relative toxic hazards of chemicals, developed by The Dow Chemical Company. It provides for the relative ranking of toxic chemicals in a given facility, including factors relating to toxicity, quantity volatilized, distance to an area of concern, and physical properties. A description of the method can be found in Guidelines for Safe Storage and Handling of High Toxic Hazard Materials, Center for Chemical Process Safety, American Institute of Chemical Engineers [42].

The methods above are described in detail in Guidelines for Hazard Evaluation Procedures, Third Edition, CCPS, 2008 and will not be discussed in any more detail in this chapter.

Consequences and Impacts

The next question is “How bad is it?” Evaluating consequences is a very technical subject requiring special training and expertise. There are several good books on the topic in the references. Some general comments will be made here. The first step in evaluating consequences is to select a release scenario. How to choose a scenario is not always well defined. There is a requirement in the Seveso regulations that major hazards must be addressed. The top event of a fault tree may be another starting point. Possible sources of potential release incidents include:

  • Hazard evaluation process

    • Scenario based methodologies most useful (e.g., HAZOP)

  • Regulatory requirements

  • Fault tree analysis

  • Company initiative

The next step involves choosing a source model. Source models describe how a material escapes from a process. Use of source models should be referred to experts. If the potential release is flammable and/or toxic, the following are possible consequences:

  • Fires

  • Explosions

  • Toxic Releases

  • Environmental Pollution

The above consequences have already been discussed in the section on “Chemical Hazards”.

Probability

The last HIRA question is “How likely is it to occur?” Generating the frequency or probability of an event requires both technical competence in the calculations and experience. Evaluation methodologies to estimate frequency or probability include:

  • Fault tree analysis (FTA)

  • Event tree analysis (ETA)

  • Layer of protection analysis (LOPA)

  • Cause–consequence analysis

  • Human reliability analysis (HRA)

Detailed descriptions of the methodologies can be found in Guidelines for Hazard Evaluation Procedures, Third Edition, CCPS, 2008. Again, there will not be a detailed description of these methodologies in this chapter.

There are always questions about sources of failure data. Experienced analysts can help work through this maze. In some cases frequency information can be obtained from the plant history (e.g., number of times a relief valve has gone off in anger), which comes in at a higher point in the tree. Predicted data relates to establishing a failure rate from the sum of all the individual component failures. PERD (Process Equipment Reliability Data) is an AIChE CCPS organization where companies contribute data and then have access to others' data.

Common cause failures must be accounted for when assigning failure rates. See the references at the end of this chapter for other sources of frequency or probability data.

Risk Analysis

Risk is a combination of the consequence if someone is impacted by a hazard combined with the expected frequency of being impacted by that hazard. For instance if a person steps in a hole in the floor what would the consequence be? It depends on a lot of things—including how deep the hole is, the sharpness of the edges of the hole, etc. … Risk is often expressed in terms of probability/likelihood and impact/consequence.

Risk Understanding

As Fig. 2.15 illustrates, risk can be managed by managing the probability and the consequence of occurrence. For probability the question asked is—How likely is it? For consequence the question is—What can go wrong…and if it does what are the impacts? Answers are often based on our personal past experiences, what has been learned from others' experiences, and/or by using some analytical (and perhaps technical) methodologies. Risk estimates are based on exposure to impact, magnitude of impact and probability. The risk estimate must be related to a base level of risk. What principal factor determines the magnitude of the risk? If risk is a function of the probability and consequences, then risk can be reduced by lowering the probability an incident will occur, reducing the consequences of occurrence, or a combination of both. Lowering the probability of occurrence is the prevention approach. Reducing the consequences of occurrence is the mitigation approach. It is best to try and prevent before trying to mitigate. Risk analysis followed by risk assessment is usually needed to support either approach.

Fig. 2.15 Risk understanding (Copyright 2008 Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE), www.aiche.org/ccps, and used with permission)

Good risk analysis has the following attributes:

  • Level of effort commensurate with the risk

  • Experienced analysts

  • Uncertainties defined

  • Options for risk reduction identified

  • Risk analysis documented clearly and understandably

  • Risk analysis is both defendable and repeatable

There are several approaches to risk analysis including qualitative risk ranking, semi-quantitative analyses using risk matrices, layer of protection analysis (LOPA), and quantitative analysis (QRA). These approaches will not be discussed in detail here. See the references at the end of the chapter.

Quantitative Risk Analysis

Quantitative risk analysis (QRA) models the events, incidents, consequences, and risks, and produces numerical estimates of some or all of the frequencies, probabilities, consequences, or risks [34, 43]. QRA can be done at a preliminary level or a detailed level, and in all cases may or may not quantify all events, incidents, consequences, or risks [36]. QRA is the art and science of developing and understanding numerical estimates of the risk associated with a facility or an operation. It uses highly sophisticated but approximate tools for acquiring risk understanding.

QRA can be used to investigate many types of risks associated with chemical process facilities, such as the risk of economic losses or the risk of exposure of members of the public to toxic vapors. In health and safety applications, the use of QRA can be classified into two categories:

  1. Estimating the long-term risk to workers or the public from chronic exposure to potentially harmful substances or activities.

  2. Estimating the risk to workers or the public from episodic events involving a one-time exposure, which may be acute, to potentially harmful substances or activities.

QRA is fundamentally different from many other chemical engineering activities (e.g., chemistry, heat transfer), whose basic property data are capable of being theoretically and empirically determined and often established experimentally. Some of the basic “property data” used to calculate risk estimates are probabilistic variables with no fixed values, and some of the key elements of risk must be established by using these probabilistic variables. QRA is an approach for estimating the risk of chemical operations by using the probabilistic approach; it is a fundamentally different approach from those used in many other engineering activities because interpreting the results of QRA requires an increased sensitivity to uncertainties that arise primarily from the probabilistic character of the data.

Safety Risk Criteria [44]

Risk is something that exists every day in our business and private lives. Each one of us has a tolerance level, very often based on our personal experiences. While that may be acceptable for us personally, we need to have a logical and documented way of making risk based decisions in the work place. Let’s look at a standard diagram (Fig. 2.7) of how risk based decisions should be made in the work place.

  1. First, the system that is being analyzed must be understood. So, a system description is required and must be understood. In some sense, this is compiling the process safety knowledge.

  2. Second, the hazard identification process must be completed. PHAs are one route to hazard identification. Another way of identifying hazards is to review the process safety information and/or to do a walkthrough of the area.

  3. Now, the hazard must be converted to a risk. Remember that risk is a combination of probability that something might happen combined with the consequences if it does.

  4. With that in hand, an estimate of the risk can be made.

  5. Now it needs to be determined if that risk can be tolerated or if risk must be reduced. So, the risk must be compared to the risk tolerance criteria.

  6. If it passes the tolerance test, no changes are needed.

  7. If it does not pass the tolerance test, then something must be changed. And that something is either the probability or the consequence.

There are a variety of ways to set the risk tolerance. It can be just a guess based on what is known or believed, but that isn’t very scientific and is certainly not repeatable or defendable in a court of law. Perhaps it can be copied from someone or some company that we know. That might work, but it may not consider all the things in our company that make it unique. Or, we can make our own list and criteria based on company culture, beliefs, resources, etc. To do that we probably want to break our decision making process down into small pieces so that each decision has a relatively small impact on the final product. Often performance is evaluated in three areas—safety, environmental, and financial. Failure to pass the tolerance test in any of these areas causes the risk to be unacceptable. There may be other topics that need to be detailed out when making risk tolerance decisions. Whatever they are, write them down and get them universally accepted in your company. They will be the standard that a company will use for critical decisions. Company criteria must be developed so that they are defendable and repeatable. So, what is acceptable? (We really should use Tolerable instead of Acceptable, since Acceptable seems to be an inflammatory word in general public use.) This brings us back to our tolerance criteria. The CCPS book entitled Guidelines for Developing Quantitative Safety Risk Criteria, CCPS, 2009 covers this topic in detail.
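Steps 3 to 7 and the three-area tolerance test, as an added example that is not from the chapter or from CCPS. The tolerable-frequency table, the scenario and the risk reduction measures are all hypothetical; a real program would substitute its own documented criteria.

```python
from dataclasses import dataclass, replace

AREAS = ("safety", "environmental", "financial")

# HYPOTHETICAL company criteria: maximum tolerable frequency (events/year)
# for each consequence severity category, 1 (minor) to 5 (catastrophic).
TOLERABLE_FREQ = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4, 5: 1e-5}


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float   # estimated events per year (probability side)
    severity: dict     # area -> severity category (consequence side)


@dataclass(frozen=True)
class Measure:
    name: str
    kind: str                 # "prevention" or "mitigation"
    freq_factor: float = 1.0  # prevention: multiplies the frequency
    area: str = ""            # mitigation: area whose severity is reduced
    severity_drop: int = 0    # mitigation: categories removed in that area


def failed_areas(s):
    """Step 5: compare the risk estimate with the criteria in every area.
    Failing any single area makes the risk intolerable."""
    return [a for a in AREAS if s.frequency > TOLERABLE_FREQ[s.severity[a]]]


def apply_measure(s, m):
    """Step 7: change either the probability or the consequence."""
    if m.kind == "prevention":
        return replace(s, frequency=s.frequency * m.freq_factor)
    if m.kind == "mitigation":
        sev = dict(s.severity)
        sev[m.area] = max(1, sev[m.area] - m.severity_drop)
        return replace(s, severity=sev)
    raise ValueError(f"unknown measure kind: {m.kind!r}")


def decide(scenario, measures):
    """Apply measures until the scenario passes in all areas.
    Prevention is tried before mitigation; a mitigation measure is skipped
    when its area already passes. Returns (final scenario, names of applied
    measures, areas still failing)."""
    applied = []
    # sorted() is stable, so the listed order is kept within each kind
    for m in sorted(measures, key=lambda m: m.kind != "prevention"):
        failing = failed_areas(scenario)
        if not failing:          # step 6: passes, no further change needed
            break
        if m.kind == "mitigation" and m.area not in failing:
            continue
        scenario = apply_measure(scenario, m)
        applied.append(m.name)
    return scenario, applied, failed_areas(scenario)


# Constructed scenario and measures, for illustration only.
OVERFILL = Scenario("storage tank overfill (constructed)", 5e-3,
                    {"safety": 4, "environmental": 3, "financial": 2})
MEASURES = [
    Measure("dike around tank", "mitigation", area="environmental", severity_drop=1),
    Measure("independent high-level trip", "prevention", freq_factor=0.1),
    Measure("restricted access zone", "mitigation", area="safety", severity_drop=1),
]

if __name__ == "__main__":
    print("initially failing:", failed_areas(OVERFILL))
    final, applied, failing = decide(OVERFILL, MEASURES)
    print("applied:", applied)
    print("still failing:", failing or "none (tolerable)")
```

In this constructed case the prevention measure brings the environmental area within its criterion on its own, so the dike is never selected; with no measures available the function returns the failing areas unchanged, which is the signal that the risk has not been made tolerable.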

The benefits of risk management include that it identifies key exposures, minimizes surprises, provides an objective basis for allocating resources, improves culture, and puts risk to competitive advantage.

Manage Risk

The third pillar of RBPS is Manage Risk. To manage risk facilities should focus on:

  • Developing written operating procedures

  • Implementing an integrated suite of safe work policies, procedures, permits and practices to control maintenance and other non-routine work.

  • Executing work activities to ensure that equipment is fabricated and installed in accordance with specifications and that it remains fit for duty for service over its entire life cycle.

  • Managing contractors, and evaluating work performed by contractors.

  • Providing training.

  • Recognizing and managing changes.

  • Ensuring that units, and the people who operate them, are properly prepared for startups.

  • Maintaining a very high level of human performance.

  • Preparing for and managing emergencies.

Operating Procedures

Operating procedures can be written (or electronic) documents that list the steps for a given task and describe the manner in which steps are to be performed. Procedures describe the process, the hazards, tools, protective equipment, and controls; provide instructions for troubleshooting, emergency shutdown, and special situations; describe the tasks necessary to safely start up, operate, and shutdown processes, including emergency shutdown; and provide formatted instructions.

Operating procedures are important because without written operating procedures a facility can have no assurance that the intended procedures and methods are used by each operator or even that an individual operator will consistently execute a particular task in the intended manner. Operating procedures are also a regulatory requirement for PSM covered facilities in the United States (see section on “Regulations”). The implementation of operating procedures requires the identification of when operating procedures are needed, the development of procedures, the use of procedures to improve human performance and the assurance that procedures are maintained.

Safe Work Practices

Safe work practices help control hazards and manage non-routine work. A non-routine activity is any activity that is not fully described in an operating procedure. Safe work practices typically control hot work, stored energy (lockout/tag out), opening process vessels or lines, confined space entry, and similar operations as well as other routine highly hazardous operations.

Safe work practices are important because non-routine work increases risk and can lead to conditions that make a catastrophic event more likely. Some examples include:

  • Piper Alpha (removal of a pressure safety valve for recertification).

  • Nitrogen asphyxiation during confined space entry resulted in 80 fatalities from 1992 to 2002.

There are also regulatory requirements regarding safe work practices in the US.

Asset Integrity and Reliability

Asset integrity and reliability is the systematic implementation of activities, such as inspections and tests, necessary to ensure equipment will be suitable for its intended application throughout its life. Specifically, it covers work activities focused on preventing catastrophic release of a hazardous material or sudden release of energy and on ensuring high availability (or dependability) of critical safety or utility systems that prevent or mitigate the effects of these types of events.

Asset integrity and reliability is important because designing and maintaining equipment that is fit for its purpose and functions when needed is paramount in maintaining containment of hazardous materials and ensuring that safety systems work when needed. These are two primary responsibilities for any facility. It is a PSM regulatory requirement under the element mechanical integrity. Mechanical integrity requirements emphasize the safety aspect rather than the reliability aspect, but both are important in managing risk.

Contractor (Safety) Management

Contractor (safety) management is a system of controls to ensure contracted services support both facility operations and the company’s process safety and personal safety performance goals. It does not address the procurement of goods and supplies or offsite equipment fabrication functions that are covered by the asset integrity quality assurance function. It involves workers located closest to process hazards and more routine tasks such as janitorial and groundskeeping services.

It is important because it helps the company achieve the goals of accessing specialized expertise that is not continuously or routinely required, supplementing limited company resources during periods of unusual demand, and providing staff increases without the overhead cost of direct hire employees. Companies and contractors must work together to provide a safe workplace that protects the workforce, the community, and the environment, as well as the welfare and interest of the company.

Training and Performance Assurance

Training is practical instruction in job and task requirements and methods. Performance assurance is the means by which workers demonstrate that they understood the training and can apply it in practical situations.

This element is important because a high level of performance is a critical aspect of any process safety program. A less than adequate level of human performance will adversely affect all aspects of operations. Without an adequate training and performance assurance program, a facility can have no confidence that work tasks will consistently be completed to minimum acceptable standards and in accordance with accepted procedures and practices. The implementation of training and performance assurance involves the principles to identify what training (and retraining) is needed, to provide effective training, and to monitor worker performance.

Management of Change

A change is any modification to process chemicals, technology, equipment, or procedures, and any change to facilities that affects a covered process, except replacement in kind. A replacement which satisfies the design specification is not a change. Management of change (MOC) helps to ensure that changes to a process do not inadvertently introduce new hazards or unknowingly increase the risk of existing hazards. MOC includes a review and authorization process for evaluating proposed adjustments to facility design, operations, and organizations. It is a system to ensure that all introduced changes are thoroughly scrutinized prior to implementation. More than 80% of large losses are related to change. In an MOC system all changes are evaluated, communicated, and coordinated prior to execution. A rational basis is required to initiate the process. MOC applies to physical equipment, products, operating conditions, staffing, and organizational changes.

It is important because if a proposed modification is made to a hazardous process without appropriate review, the risk of a process safety incident could increase significantly. The principles of MOC are to identify potential change situations, evaluate possible impacts, decide whether to allow change, and complete follow-up activities.

Operational Readiness

Operational readiness ensures that shut-down processes are verified to be in a safe condition before restart. It is defined more broadly than the OSHA PSM pre-startup safety review element because it addresses startup from all shutdown conditions, not only from those resulting from new or changed processes.

Operational readiness is important because experience has shown that the frequency of incidents is higher during process transitions such as startups.

It is important that the process be verified as safe to start. The principles of operational readiness include the following: to conduct appropriate readiness reviews as needed, make startup decisions based on the readiness results, and to follow through on decisions, actions, and the use of readiness results.

Conduct of Operations

Conduct of operations involves the execution of operational and management tasks in a deliberate and structured manner. It institutionalizes the pursuit of excellence in the performance of every task and minimizes variations in performance. Some companies call this Operating Discipline (walk the talk).

It is important for several reasons. A consistently high level of human performance is a critical aspect of any process safety management program. A less than adequate level of human performance will adversely impact all aspects of operations. As operational activities become more complex, an increase in the formality of operations must also occur to ensure safe and consistent performance of critical tasks. The principles of conduct of operations include the control of operational activities, control of the status of systems and equipment, development of required skills/behaviors, and the monitoring of organizational performance.

Emergency Management

Emergency management includes:

  • Planning for possible emergencies

  • Providing resources to execute the plan

  • Practicing and continuously improving the plan

  • Training or informing employees, contractors, neighbors, and local authorities on what to do, how they will be notified, and how to report an emergency

  • Effectively communicating with stakeholders in the event an incident does occur

It is important because the consequences of any particular incident can be significantly reduced with effective emergency planning and response. Effective emergency management saves lives and protects property and the environment. It also helps reassure stakeholders that, in spite of the incident, the facility is well managed and should be allowed to continue to operate. It is a PSM regulatory requirement. The principles of emergency management are to prepare for emergencies and to periodically test the adequacy of plans and level of preparedness. Chap. 3, Managing an Emergency Preparedness Program, has an in-depth discussion on this topic.

Learn from Experience

The fourth pillar of process safety management is Learn from experience.

To learn from experience facilities should focus on:

  • Investigating incidents.

  • Applying lessons from incidents that occur at other facilities in the company and the industry.

  • Measuring performance and striving to continuously improve in areas of significant risk.

  • Auditing RBPS management systems and work activities.

  • Holding periodic management review to see if things are working and helping to manage risk.

Incident Investigation

Incident investigation is a process for reporting, tracking, and investigating incidents that includes:

  • The trending of incident and incident data to identify reoccurring incidents.

  • A formal process for investigating incidents including staffing, performing, documenting, and tracking investigations of process safety incidents.

  • Managing the resolution and documentation of recommendations generated by the investigations.

Incident investigation is important for the following reasons. It is a way to learn from incidents and communicate lessons learned to internal personnel and other stakeholders. Feedback can apply to the specific incident or a group of incidents sharing similar root causes. Determination of root causes of equipment failures and personnel errors can result in solutions that reduce the frequency and/or consequences of entire categories of incidents. In the United States it is required for facilities covered by the PSM regulation.

The key principles of incident investigation are to:

  • Identify potential incidents for investigation.

  • Use appropriate techniques to investigate incidents.

  • Document incident investigation results.

  • Follow through on the results of investigations.

  • Trend data to identify repeat incidents that warrant investigation.

Measurement and Metrics

Measurement and metrics establishes performance and efficiency indicators to monitor the near-time effectiveness of RBPS and addresses which indicators to consider (leading and lagging), how often to collect data, and what to do to ensure effective RBPS. It is important for several reasons. Facilities should monitor the real-time performance of management systems rather than wait for incidents or for infrequent audits to identify management system failures. Performance monitoring allows problems to be identified and corrective actions taken before a serious incident occurs.

The principles of measurement and metrics are to conduct metric acquisition (determine what measurements are needed and collect them) and to use metrics to make corrective action decisions.

Auditing

Auditing is a systematic, independent review to verify conformance with prescribed standards of care. Auditing employs a well-defined review process to ensure consistency and to allow the auditor to reach defensible conclusions. An RBPS management system audit is the systematic review of RBPS management systems to verify suitability and effective, consistent implementation.

Auditing is important because it evaluates RBPS management systems to ensure they are in place and functioning in a manner that protects employees, customers, communities, and physical assets against process safety risk. Audits are an important control mechanism within the overall management of process safety.

The principles of auditing are to conduct the necessary work activities and to use audits to enhance RBPS effectiveness.

Management Review and Continuous Improvement

Management review and continuous improvement include the routine evaluation of whether management systems are performing as intended and producing the desired results as efficiently as possible. It is important because it provides regular checkups on the health of the process safety management systems in order to identify and correct current or incipient deficiencies before they may be revealed by an audit or incident. In other words, if you are management you can expect what you inspect.

The principles of management review and continuous improvement are to conduct review activities and to monitor organizational performance.

Process Safety in Bioprocess Manufacturing Facilities [45]

CCPS defines bioprocess as “A process that makes use of microorganisms, cells in culture, or enzymes to manufacture products or complete a chemical transformation.” Chapters 30, 31, and 32 in this book discuss these processes in some detail. This section discusses the process safety issues associated with these technologies.

Bioprocessing has been used by humans since prehistoric times. Examples include making bread, making cheese, and fermenting alcoholic beverages. Recent advances include the commercialization of recombinant DNA and the production of a variety of protein-based therapeutic drugs. Emerging industries and technologies include the production of biofuels from renewable biomass feedstocks, such as ethanol, biodiesel, and polymeric materials. Other emerging technologies include stem cells, gene therapy vectors, and new vaccines.

Bioprocesses have many of the same process safety hazards as chemical manufacturing along with other hazards specific to bioprocesses. Biohazards can represent extremely low risk (e.g., most recombinant mammalian cell lines used for large scale production of antibody and protein drugs). However, in some cases where infectious organisms are used, or where the culture may be susceptible to adventitious contamination (e.g., contamination of human cell lines with a virus), the hazard may be much more significant and the risk to the workers or the public from an accidental release considerably higher. These hazards require the same risk based process safety management systems already discussed.

In addition to the toxic, flammable, or explosive process safety risk that may be present in a bioprocessing facility, risk based process safety management systems must account for biohazardous or potentially biohazardous materials including the following:

  • Biological agent:

    • Pathogenicity

    • Infectious dose

    • Virulence (primary or secondary communicability)

    • Host factors (immunocompetence, pregnancy, underlying medical conditions, extreme age, or immunity)

    • Sensitization reactions (allergies, toxins, or biologically active compounds)

    • Incidents of laboratory acquired infections (LAI)

    • Availability of vaccine and/or prophylactic treatment

    • Environmental impact (agent stability—sensitivity to chemical or physical inactivation—survivability and dissemination in the environment)

  • Routes/Modes of transmission in the workplace:

    • Respiratory: inhaling of contaminated particles

    • Mucous membrane: splashing, spraying, or droplets in the eyes or mouth

    • Parenteral: penetration through the skin such as cuts, needle sticks, or abrasions

    • Non-intact skin: contact with skin affected with dermatitis, chafing, hangnails, abrasions, acne, or other conditions that can alter the barrier properties of the skin

    • Ingestion: swallowing contaminated material

    • Adsorption: adhesion to a surface

  • Environmental factors:

    • Climate

    • Geography

    • Proximity to the public

  • Procedural and facility factors:

    • Ventilation and laboratory design: directional air, pressure gradients, separation of laboratories from offices, interlocking autoclave and airlock doors

    • Laboratory procedures: use of inherently safer engineered sharps, containment of aerosols, and other means

    • Containment equipment: Class II and III biological safety cabinets, sealed centrifuges, cups and rotors, gasket seals and unbreakable tubes

    • PPE: gloves, safety glasses, lab coats, face masks, respirators or gowns

    • Training: standard microbiological practice, aseptic practices, decontamination, spill cleanup, and handling of accidents

    • Facility sanitation: decontamination, housekeeping, routine cleaning and disinfection, pest and rodent control program

    • Medical surveillance: as dictated by the risk present in the bioprocessing facility

For a complete discussion of the topic, refer to [45].

Regulations

This section was prepared with the help of William Carmody, Midland, Michigan. Carmody has had more than 30 years experience in chemical and manufacturing operations for The Dow Chemical Company, Midland, Michigan and six years in Safety and Loss Consulting for Midland Engineering Limited, Midland, Michigan. He has developed entire PSM programs and has conducted many Process Hazard Analyses.

Regulations are a major consideration in the design and operation of chemical facilities. This section provides a description of the significant process requirements. Details of the regulations are available on the Internet or from government agencies, such as the US Department of Labor, or from publications such as those produced by the Thompson Publishing Group and by Primatech, Inc.

Abbreviations used in Government Regulations information:

  • CFR: Code of Federal Regulations

  • EPA: Environmental Protection Agency

  • EPCRA: Emergency Planning and Community Right-to-Know Act

  • HAZWOPER: Hazardous Waste Operations and Emergency Response

  • HHC: Highly Hazardous Chemicals

  • MSDS: Material Safety Data Sheet

  • NIOSH: National Institute for Occupational Safety and Health

  • OSHA: Occupational Safety and Health Administration

  • PHA: Process Hazard Analysis

  • PPA: Pollution Prevention Act

  • PSM: Process Safety Management

  • RCRA: Resource Conservation and Recovery Act

  • RMP: Risk Management Plans

  • SARA: Superfund Amendments and Reauthorization Act

  • TRI: Toxics Release Inventory

Process Safety Management

On February 24, 1992, the US Department of Labor, Occupational Safety and Health Administration (OSHA) promulgated a final rule, 29 CFR Part 1910.119, “Process Safety Management of Highly Hazardous Chemicals.”

OSHA administers regulations whose objectives are primarily involved with protecting workers. This can be regarded as “inside the fence line.” This is a safety issue and is addressed in this section. The rule requires employers to effectively manage the process hazards associated with chemical processes to which the rule applies. OSHA is responsible for the Process Safety Management (PSM) program that is used to prevent or minimize the consequences of catastrophic releases of toxic, reactive, flammable, or explosive chemicals. Standard Number CFR 1910.119 contains requirements for preventing or minimizing the consequences of catastrophic releases of toxic, reactive, flammable, or explosive chemicals. It establishes procedures for PSM that will protect employees by preventing or minimizing the consequences of chemical accidents involving highly hazardous chemicals. The requirements in this standard are intended to eliminate or mitigate the consequences of such releases.

PSM applies to a process involving a chemical at or above the specified threshold quantities listed in 1910.119, Appendix A, and also listed in Table 2.9. The requirements of the rule are also applicable to processes that involve a flammable liquid or gas on-site, in one location, in a quantity of 10,000 lb or more, except for hydrocarbon fuels used solely for workplace consumption as a fuel, or flammable liquids stored in atmospheric pressure tanks.

Table 2.9 List of highly hazardous chemicals, toxics, and reactive chemicals (mandatory)

Process means any activity involving a highly hazardous chemical including any use, storage, manufacturing, handling, or the on-site movement of such chemicals, or combination of these activities. For purposes of this definition, any group of vessels that are interconnected and separate vessels which are located such that a highly hazardous chemical could be involved in potential release shall be considered a single process.

The PSM elements required by 29 CFR Part 1910.119 are briefly described in the following.

Employee participation: Employers must develop a written plan of action for how they will implement employee participation requirements. Employers must consult with employees, affected contractors, and their representatives on the conduct and development of process hazard analyses and on other elements of the standard. They must have access to information developed from the standard, including process hazard analyses.

Process safety information: Employers must compile considerable documented process safety information on the hazards of chemicals used in a covered process as well as information on the process technology and equipment before conducting the process hazard analyses required by the standard.

Process hazard analysis (PHA): Employers must perform an analysis to identify, evaluate, and control hazards on processes covered by this standard. The PHA shall be appropriate to the complexity of the process and shall identify, evaluate, and control the hazards involved in the process. The OSHA standard specifies a number of issues that the analysis must address, as well as requirements for who must conduct the analysis, how often it must be performed, and response to its findings. Methodologies that are appropriate include:

  • What-if

  • Checklists

  • What-if/checklist

  • HAZOP Study

  • Failure Mode and Effects Analysis (FMEA)

  • Fault tree analysis

The selection of a PHA methodology or technique will be influenced by many factors including the amount of existing knowledge about the process. All PHA methodologies are subject to certain limitations. The team conducting the PHA needs to understand the methodology that is going to be used. A PHA team can vary in size from two people to a number of people with varied operational and technical backgrounds. Some team members may only be a part of the team for a limited time. The team leader needs to be fully knowledgeable in the proper implementation of the PHA methodology that is to be used and should be impartial in the evaluation. The other full- or part-time team members need to provide the team with expertise in areas such as process technology, process design, operating procedures, and practices.

Standard Number: 1910.119 Appendix A (on the Internet).

This is a listing of toxic and reactive highly hazardous chemicals that present a potential for a catastrophic event at or above the threshold quantity.

Operating procedures: Employers must develop and implement written operating instructions for safely conducting activities involved in each covered process consistent with the process safety information. The written procedures must address steps for each operating phase, operating limits, safety and health considerations, and safety systems and their functions. Included must be normal operation, startup, shutdown, emergency operations, and other operating parameters.

Training: The proposal requires training for employees involved in covered processes. Initial training requires that all employees currently involved in each process, and all employees newly assigned, be trained in an overview of the process and its operating procedures. Refresher training shall be provided at least every 3 years, and more often if necessary, to each employee involved in the process. After training, employers must ascertain that workers have received and understood the training.

Contractors: Employers must inform contract employees prior to the initiation of the contractor’s work of the known potential fire, explosion, or toxic release hazards related to the contractor’s work and the process. Contract employees and host employers must ensure that contract workers are trained in the work practices necessary to perform their jobs safely and are informed of any applicable safety rules of the facility work and the process.

Pre-startup safety review: Employers must perform a pre-startup safety review for new facilities and for modified facilities when the modification is significant enough to require a change in the process safety information. The safety review shall confirm that prior to the introduction of highly hazardous chemicals to a process:

  1. Construction and equipment is in accordance with design specifications.

  2. Safety, operating, maintenance, and emergency procedures are in place and are adequate.

  3. For new facilities, a PHA has been performed and recommendations have been resolved or implemented before startup.

  4. Modified facilities meet the requirements contained in management of change.

Mechanical integrity: Employers must ensure the initial and on-going integrity of process equipment by determining that the equipment is designed, installed, and maintained properly. The standard requires testing and inspection of equipment, quality assurance checks of equipment, spare parts and maintenance materials, and correction of deficiencies. The following process equipment is targeted in this proposal: pressure vessels and storage tanks; piping systems (including valves); relief and vent systems and devices; emergency shutdown systems; controls, and pumps.

Hot work permit: Employers must have a hot work program in place and issue a permit for all hot work operations conducted on or near a covered process.

Management of change: Employers must establish and implement written procedures to manage changes (except for “replacements in kind”) to process chemicals, technology, equipment, and procedures; and, changes to facilities that affect a covered process. Employees involved in operating a process and maintenance and contract employees whose tasks will be affected by a change in the process shall be informed of, and trained in, the change prior to startup of the process or affected part of the process. The procedures shall ensure that the necessary time period for the change and authorization requirements for the proposed change are addressed.

Incident investigation: Employers must investigate each incident that resulted in, or could reasonably have resulted in, a catastrophic release of a highly hazardous chemical in the workplace. An incident investigation shall be initiated as promptly as possible, but not later than 48 h following the incident. A report shall be prepared at the conclusion of the investigation.

Although not stressed by the regulations, the objective of the incident investigation should be the development and implementation of recommendations to ensure the incident is not repeated. This objective should apply not only to the process involved, but also to all similar situations having the same potential. In major incidents, the Chemical Safety Board’s investigation reports serve as a vehicle to communicate to a much broader audience than the organizations that had the incident.

Emergency planning and response: Employers must establish and implement an emergency action plan for the entire plant in accordance with the provisions of OSHA’s emergency action plan to meet the minimum requirements for emergency planning. This is the only element of PSM that must be carried out beyond the boundaries of a covered process.

Compliance audits: Employers must certify that they have evaluated compliance with the provisions of this section at least every 3 years to verify that procedures and practices developed under the standard are adequate and are being followed. The compliance audit shall be conducted by at least one person knowledgeable in the process. The employer shall determine and document an appropriate response to each of the findings of the compliance audit, and document that deficiencies have been addressed.

Trade secrets: Employers must make all information necessary to comply with the requirements of this section available to those persons responsible for compiling the process safety information, developing process hazard analyses, developing the operating procedures, those involved in incident investigations, emergency planning, and response and compliance audits without regard to possible trade secret status of such information. Nothing in this paragraph shall preclude the employer from requiring the persons to whom the information is made available to enter into confidentiality agreements not to disclose the information.

The above elements outline the programs required by PSM. These programs are performance-type standards. They spell out programs and choices and are not limited to specific details. These elements have served to organize and guide the process safety programs of all who are covered by it. They have served to bring direction to training and publications involving process safety. The AIChE’s Center for Chemical Process Safety has publications and training programs to support most of these elements.

Risk Management Plans

The EPA is charged primarily with the responsibility to protect the public and the environment. One could regard this as “outside the fence line.” Risk management plans (RMPs) are required by the Environmental Protection Agency (EPA). Since protecting the public and the environment is mainly an environmental issue rather than a safety issue, this subject will be covered only briefly in this section.

Congress enacted Section 112(r) of the 1990 Clean Air Act (CAA) to address the threat of catastrophic releases of chemicals that might cause immediate deaths or injuries in communities. It requires owners and operators of covered facilities to submit RMPs to the EPA. The final RMP rule was published in 40 CFR 68 in the Federal Register on June 20, 1996. RMPs must summarize the potential threat of sudden, large releases of certain dangerous chemicals and facilities’ plans to prevent such releases and mitigate any damage.

Operators of facilities that are subject to the EPA’s RMP must perform offsite consequence analyses to determine whether accidental releases from their processes could put nearby populations at risk. In performing a consequence analysis it is assumed that all or part of a hazardous substance escapes from a process at a given facility. It is then estimated how far downwind hazardous gas concentrations may extend.

Facilities that must prepare and submit RMPs must estimate the offsite consequences of accidental releases. This can be done using tables (such as those provided in CAA 112(r) Offsite Consequence Analysis) or a computerized model. There are a number of commercially available computer models. Submitters are expected to choose a tool that is appropriate for their facility.

The owners and operators of stationary sources producing, processing, handling, or storing extremely hazardous substances have a general duty to identify hazards that may result from an accidental release. This includes agents that may or may not be identified by any government agency which may cause death, injury, or property damage. In other words, just because a substance is not listed is not an excuse to fail to consider its hazards.

This section with its emphasis on Process Safety does not cover the considerable other safety, design, and operating requirements of other chemical-related regulations. Many of these requirements also include national codes as guidelines or as adopted regulations. Examples of these are in the American Society of Mechanical Engineers (ASME) 2001 Boiler Pressure Vessel Code, the National Fire Protection Association (NFPA) which covers a wide range of fire safety issues and the American Petroleum Institute (API) Recommended Practice 520, Sizing, Selection, and Installation of Pressure Relieving Devices in Refineries.

An extremely hazardous substance is any agent that may or may not be listed by any government agency which, as the result of short-term exposures associated with releases to the air, causes death, injury, or property damage due to its toxicity, reactivity, flammability, volatility, or corrosivity.

Toxics Release Inventory

Two statutes, the Emergency Planning and Community Right-to-Know Act (EPCRA) and Section 6607 of the Pollution Prevention Act (PPA), mandate that a publicly accessible toxic chemical database be developed and maintained by the US EPA. This database, known as the Toxics Release Inventory (TRI), contains information concerning waste management activities and the release of toxic chemicals by facilities that manufacture, process, or otherwise use these materials. The TRI of 1999 is a publicly available database containing information on toxic chemical releases and other waste management activities that are reported annually by manufacturing facilities and facilities in certain other industry sectors, as well as by federal facilities. The TRI program is now under the EPA’s Office of Environmental Information. This inventory was established under the EPCRA of 1986 which was enacted to promote emergency planning, to minimize the effects of chemical accidents, and to provide the public. As of November 2001, there were 667 toxic chemicals and chemical compounds on the list.

Hazardous Waste Operations and Emergency Response Standard

The Hazardous Waste Operations and Emergency Response (HAZWOPER) standard, 29 CFR Part 1910.120, applies to five distinct groups of employers and their employees. This includes any employees who are exposed or potentially exposed to hazardous substances—including hazardous waste—and who are engaged in one of the following operations as specified by 1910.120:

  • Clean-up operations

  • Corrective actions

  • Voluntary clean-up operations

  • Operations involving hazardous wastes

  • Emergency response operations for releases of, or substantial threats of release of, hazardous substances regardless of the location of the hazard.

In addition, with the passage of the Pollution Prevention Act (PPA) in 1991, facilities must report other waste management amounts including the quantities of TRI chemicals recycled, combusted for energy recovery, and treated on- and offsite.

More Information

For more information on regulations, the books, magazine articles, and Internet references in the reference section can be very helpful. Following the requirements of the many aspects of regulations can be quite complicated and involve a lot of detail. There is a considerable amount of good assistance available which can help make the subject manageable.

The Principal Reason for Most Chemical Process Accidents

Ask any group of people experienced in chemical plant operations what causes most chemical process accidents, and you will get a variety of answers including: operator error, equipment failure, poor design, act of God, and bad luck. However, in the opinion of representatives of many of the large chemical and oil companies in the United States, these answers are generally incorrect. The Center for Chemical Process Safety, an organization sponsored by the American Institute of Chemical Engineers, includes representatives of many of the largest chemical and oil companies in the United States and the world, and states that “It is an axiom that process safety incidents are the result of management system failure.” Invariably, some aspect of a process safety management system can be found that, had it functioned properly, could have prevented an incident (or reduced the seriousness of it). “It is a rare situation where an “Act of God” or other uncontrollable event is the sole cause of an incident. Much more common is the situation where an incident is the result of multiple causes, including management system failures. Therefore, it is more appropriate to presume that management system failures underlie every incident so that we may act to uncover such failures and then modify the appropriate management systems, rather than presume that if an “Act of God” appears to be the immediate cause, investigation should cease because there is nothing that can be done to prevent such future incidents” [17].

For example, consider a case where a small amount of hazardous material is spilled while a sample is being taken from a process line. It is not enough to look into the situation and conclude that this is an example of an operator error where procedures were not followed, and then simply to recommend that the employee be instructed to follow procedures in the future. Further investigation may reveal deficiencies in the training system or in the equipment. Still more investigation may reveal deficiencies in the management system that plans resources for training or that provides for proper equipment for sampling. It then may be appropriate to change the management system to prevent repetition of the incident.

Levels of Causes

There are several levels of causes of accidents, usually (1) the immediate cause, (2) contributing causes to the accident or to the severity of the accident, and (3) the “root cause.” The root cause is what really caused the accident, and when this is determined, it may be possible to prevent future similar accidents. With the 20–20 hindsight that is available after an accident, the root cause usually can be found. The purpose of the discussion in the next section is to illustrate how knowledge about the root causes of some important accidents can help to keep them from happening again. It will be noted that the root cause is rarely the fault of one person, but instead is the result of a management system that does not function properly.

Following are brief analyses of several case histories that have been of landmark importance in the industrial world, and that have affected the chemical industry all over the world.

Case Histories

Flixborough, England 1974 [19]

On June 1, 1974, an accident occurred in the Nypro plant in Flixborough, England, in a process where cyclohexane was oxidized to cyclohexanone for the manufacture of caprolactam, the basic raw material for the production of Nylon 6. The process consisted of six reactors in series at 155°C and 8.8 bar (130 psig) containing a total of 120 t of cyclohexane and a small amount of cyclohexanone. The final reactor in the process contained 94% cyclohexane. There was a massive leak followed by a large UVCE and fire that killed 26 people, injured 36 people, destroyed 1,821 houses, and damaged 167 shops. It was estimated that 30 t of cyclohexane was involved in the explosion. The accident occurred on Saturday; on a working day, casualties would have been much higher.

The accident happened when the plant had to replace one of six reactors and rushed to refit the plant to bypass the disabled reactor. Scaffolding was jerry-rigged to support a 20-in. pipe connecting reactor four with reactor six, which violated industry and the manufacturer’s recommendations. The reactor that failed showed stress crack corrosion. The only drawings for the repair were in chalk on the machine shop floor. Both ends of the 20-in. pipe had expansion joints where they attached to the reactors. The pipe was supported on scaffolding-type supports and was offset with a “dog-leg” to fit the reactors, which were at different levels to promote gravity flow. The safety reviews, if any, were insufficient.

Immediate cause: A pipe replacing a failed reactor failed, releasing large quantities of hot cyclohexane forming a vapor cloud that ignited.

Contributing causes to the accident and the severity of the accident:

  1. The reactor failed without an adequate check on why (metallurgical failure).
  2. The pipe was connected without an adequate check on its strength and on inadequate supports.
  3. Expansion joints (bellows) were used on each end of pipe in a “dog-leg” without adequate support, contrary to the recommendations of the manufacturer.
  4. There was a large inventory of hot cyclohexane under pressure.
  5. The accident occurred during startup.
  6. The control room was not built with adequate strength, and was poorly sited.
  7. The previous works engineer had left and had not been replaced. According to the Flixborough Report, “There was no mechanical engineer on site of sufficient qualification, status or authority to deal with complex and novel engineering problems and insist on necessary measures being taken.”
  8. The plant did not have a sufficient complement of experienced people, and individuals tended to be overworked and liable to error.

Root cause: Management systems deficiencies resulted in:

  1. A lack of experienced and qualified people
  2. Inadequate procedures involving plant modifications
  3. Regulations on pressure vessels that dealt mainly with steam and air and did not adequately address hazardous materials
  4. A process with a very large amount of hot hydrocarbons under pressure and well above its flash point installed in an area that could expose many people to a severe hazard

This accident resulted in significant changes in England and the rest of the world in the manner in which chemical process safety is managed by industry and government. One of the conclusions reached as a result of this accident, which has had a wide effect in the chemical industry, is that “limitations of inventory (or flammable materials) should be taken as specific design objectives in major hazard installations.”

The use of expansion joints (bellows, in this case) which were improperly installed may have been a principal reason for the accident. This provides additional reasons not to use expansion joints (except in special exceptional circumstances).

Bhopal, 1985 (C&EN Feb 11, 1985; Technica 1989 [41])

On December 3 and 4, 1985, a chemical release causing a massive toxic gas cloud occurred at the Union Carbide India, Ltd, plant in Bhopal, India. (Union Carbide is now a part of The Dow Chemical Company.) The process involved used methyl isocyanate (MIC), an extremely toxic chemical, to make Sevin, a pesticide. According to various authoritative reports, about 1,700–2,700 (possibly more) people were killed, 50,000 people were affected seriously, and 1,000,000 people were affected in some way. The final settlement may involve billions of dollars. It was one of the worst industrial accidents in history. The accident occurred when about 120–240 gal of water were allowed to contaminate an MIC storage tank. The MIC hydrolyzed, causing heat and pressure, which in turn caused the tank rupture disk to burst.

Equipment designed to handle an MIC release included a recirculating caustic soda scrubber tower and a flare system designed for 10,000 lb/h, which would be moderate flows from process vents. It was not designed to handle runaway reactions from storage. The design was based on the assumption that full cooling would be provided by the refrigeration system. The actual release was estimated to be 27,000 lb over 2 h, with the tank at 43°C. At the time of the release the refrigeration had been turned off. The flare tower was shut down for repairs. A system of pressurized sprinklers that was supposed to form a water curtain over the escaping gases was deficient, in that water pressure was too low for water to reach the height of the escaping gas.

There have been conflicting stories of how the water got into the tank, including operator error, contamination, and sabotage.

Immediate cause: The immediate cause was hydrolysis of MIC due to water contamination. The exact source of the water has not been determined.

Contributing causes

  1. Flare tower was shut down for repair.
  2. Scrubber was inadequate to handle a large release.
  3. Chilling system was turned off. (It also was too small.)
  4. MIC tank was not equipped with adequate instrumentation.
  5. Operating personnel lacked knowledge and training.
  6. The inventory of MIC was large.
  7. There was a lack of automatic devices and warning systems; it has been reported that safety systems had to be turned on manually.
  8. When the plant was built, over 20 years before the accident, there were very few people near it. At the time of the accident, a shanty town had grown up near the plant with a density of 100 people per acre, greatly increasing the potential exposure of people to toxic releases. There was no emergency action plan to notify neighbors of the potential for toxic releases or of what to do if there was a release, nor was there a functioning alarm system.

Root cause: The root cause of the accident appears to be a management system that did not adequately respond to the potential hazards of MIC. There was probably a greater inventory of MIC than was needed. The main process expertise was in the United States. Local management does not appear to have understood the process or the consequences of changes made. This includes plant design, maintenance and operations, backup systems, and community responsibility. (Union Carbide has provided legal arguments alleging that sabotage caused the release; there appears to be enough blame to go around for all those involved in any way in the plant, including government units.)

This accident has become widely known. It is an objective of many chemical process safety programs and government actions to “avoid another Bhopal”—that is, to avoid a severe release of toxic chemicals (usually referring to toxic chemicals in the air). Almost every chemical company in the world has been affected by this incident in one way or another, in the design and operation of chemical plants, in community action programs, and in the activities of such organizations as the American Institute of Chemical Engineers, the Chemical Manufacturers Association (now the American Chemistry Council), and many governmental units.

Phillips Explosion, 1989 [37]

On October 23, 1989, at approximately 1,300, an explosion and fire ripped through the Phillips 66 Company’s Houston Chemical Complex in Pasadena, Texas. At the site, 23 workers were killed, and more than 130 were injured. Property damage was nearly $750 million. Business interruption cost is not available but is probably a very large figure.

The release occurred during maintenance operations on a polyethylene reactor. Two of the six workers on the maintenance crews in the immediate vicinity of the reactor leg where the release occurred were killed, together with 21 other employees of the facility. Debris from the plant was found 6 miles from the explosion site. Structural steel beams were twisted like pretzels by the extreme heat. Two polyethylene production plants covering an area of 16 acres were completely destroyed.

The Phillips complex produces high-density polyethylene, which is used to make milk bottles and other containers. Prior to the accident, the facility produced approximately 1.5 billion pounds of the material per year. It employed 905 company employees and approximately 600 daily contract employees. The contract employees were engaged primarily in regular maintenance activities and new plant construction.

The accident resulted from a release of extremely flammable process gases that occurred during regular maintenance operations on one of the plant’s polyethylene reactors. It is estimated that within 90–120 s more than 85,000 lb of flammable gases were released through an open valve. A huge flammable vapor cloud was formed that came into contact with an ignition source and exploded with the energy of 4,800 lb of TNT. The initial explosion was equivalent to an earthquake with a magnitude of 3.5 on the Richter scale. A second explosion occurred 10–15 min later when two isobutane tanks exploded. Each explosion damaged other units, creating a chain reaction of explosions. One witness reported hearing ten separate explosions over a 2-h period.

In the process used by Phillips at this site to produce high-density polyethylene, ethylene gas is dissolved in isobutane and, with various other chemicals added, is reacted in long pipes under elevated pressure and temperature. The dissolved ethylene reacts with itself to form polyethylene particles that gradually come to rest in settling legs, where they are eventually removed through valves at the bottom. At the top of the legs there is a single ball valve (DEMCO® brand) where the legs join with other reactor pipes. The DEMCO valve is kept open during production so that the polyethylene particles can settle into the leg. A typical piping settling leg arrangement is shown in Fig. 2.16.

Fig. 2.16 Typical piping settling leg arrangement

In the Phillips reactor, the plastic material frequently clogged the settling legs. When this happened, the DEMCO valve for the blocked leg was closed, the leg disassembled, and the block removed. During this particular maintenance process, the reactor settling leg was disassembled and the block of polymer removed. While this maintenance process was going on, the reaction continued, and the product settled in the legs that remained in place. If the DEMCO valve were to open during a cleaning-out operation, there would be nothing to prevent the escape of the gas to the atmosphere.

After the explosion it was found that the DEMCO valve was open at the time of the release. The leg to be cleaned had been prepared by a Phillips operator. The air hoses that operated the DEMCO valve were improperly connected in a reversed position such that a closed DEMCO valve would be opened when the actuator was in the closed position. In addition, the following unsafe conditions existed:

  1. The DEMCO valve did not have its lock out device in place.
  2. The hoses supplied to the valve actuator mechanism could be connected at any time even though the Phillips operating procedure stipulated that the hoses should never be connected during maintenance.
  3. The air hoses connecting the open and closed sides of the valve were identical, thus allowing the hoses to be cross-connected and permitting the valve to be opened when the operator intended to close it.
  4. The air supply valves for the actuator mechanism air hoses were in the open position so that air would flow and cause the actuator to rotate the DEMCO valve when the hoses were connected.
  5. The DEMCO valve was capable of being physically locked in the open position as well as in the closed position. The valve lockout system was inadequate to prevent someone from inadvertently opening the DEMCO valve during a maintenance procedure.

Established Phillips corporate safety procedures and standard industry practice require back-up protection in the form of a double valve or blind flange insert whenever a process or chemical line in hydrocarbon service is opened. According to OSHA, Phillips had implemented a special procedure for this maintenance operation that did not incorporate the required backup. Consequently, none was used on October 23.

The consequences of the accident were exacerbated by the lack of a water system dedicated to fire fighting, and by deficiencies in the shared system. When the process water system was extensively damaged by the explosion, the plant’s water supply for fighting fires was also disrupted. The water pressure was inadequate for fire fighting. The force of the explosion ruptured water lines and adjacent vessels containing flammable and combustible materials. The ruptured water lines could not be isolated to restore water pressure because the valves to do so were engulfed in flames. Of the three backup diesel pumps, one had been taken out of service and was unavailable, and another soon ran out of fuel. It was necessary to lay hoses to remote sites—settling ponds, a cooling tower, a water treatment plant, and so on. Electric cables supplying power to regular service pumps were damaged by fire, and those pumps were rendered inoperable. Even so, the fire was brought under control within 10 h.

In the months preceding the explosion, according to testimony, there had been several small fires, and the alarm had sounded as many as four or five times a day. There had been a fatality at the same plant doing a similar operation about 3 months before this incident. Some of the employees in the area where the release occurred may not have heard the siren because of the ambient noise level, and may not have known of the impending disaster. Employees in the immediate area of the release began running as soon as they realized the gas was escaping.

The large number of fatalities was due in part to the inadequate separation between buildings in the complex. The site layout and the proximity of normally high-occupancy structures, such as the control and finishing building, to large-capacity reactors and hydrocarbon vessels contributed to the severity of the event.

The distances between process equipment were in violation of accepted engineering practices and did not allow personnel to leave the polyethylene plants safely during the initial vapor release; nor was there sufficient separation between reactors and the control room to carry out emergency shutdown procedures. The control room, in fact, was destroyed by the initial explosion. Of the 22 victims’ bodies recovered at the scene, all were located within 250 ft of the vapor release point.

OSHA’s investigation revealed that a number of company audits had identified unsafe conditions but largely had been ignored. Thus, a citation for willful violations of the OSHA “general duty” clause was issued to Phillips with proposed penalties of $5,660,000. In addition, proposed penalties of $6,200 were issued for other serious violations. A citation for willful violations with proposed penalties of $724,000 was issued to Fish Engineering and Construction, a Phillips maintenance contractor. Other financial penalties have been proposed. In the investigation it became apparent that Fish had become accustomed to tolerating safety and health violations at the site by its personnel and Phillips personnel, as well as participating in those violations by knowing about them and not taking direct positive action to protect its employees.

Since 1972, OSHA has conducted 92 inspections in the Dallas region at various Phillips locations; 24 were in response to a fatality or a serious accident. OSHA determined that Phillips had not acted upon reports by its own safety personnel and outside consultants who had pointed out unsafe conditions. OSHA also had conducted 44 inspections of the Fish Company, seven of them in response to a fatality or a serious accident.

One of the major findings by OSHA was that Phillips had not conducted a PHA or equivalent (such as HAZOP) in its polyethylene plants.

Immediate cause: There was a release of flammable process gases during the unplugging of Number 4 Reactor Leg on Reactor 6 while undergoing a regular maintenance procedure by contractor employees. The unconfined flammable vapor cloud was ignited and exploded with devastating results.

The immediate cause of the leak was that a process valve was opened by mistake while the line was open. The valve was open to the atmosphere without a second line of defense such as another valve or a blind flange.

Contributing causes to the accident and the severity of the accident.

  1. Procedures to require backup protection in the form of a double valve or a blind flange insert were not used. The lockout system was inadequate.
  2. Air hoses were improperly connected in the reversed position.
  3. The air hoses for the open and closed side of the valve were identical, allowing the hoses to be cross-connected.
  4. The DEMCO valve actuator mechanism did not have its lockout device in place.
  5. There was not a water system dedicated to fire fighting, and there were deficiencies in the system shared with the process.
  6. The site layout and proximity of high-occupancy structures contributed to the severity.
  7. There was inadequate separation of buildings within the complex. Especially, there was inadequate spacing between the reactors and the control room.

Root causes: The root causes of the accident and its extreme severity appear to be failures of the management system, as shown by the following: [37]

  1. According to OSHA, Phillips had not conducted a PHA or equivalent (such as HAZOP) in its polyethylene plants.
  2. It was found by OSHA that the contractor, Fish Engineering, had a history of serious and willful violations of safety standards, which Phillips had not acted upon. The same contractor also had been involved in a fatal accident at the same facility 3 months earlier.
  3. A report by OSHA stated that Phillips had not acted upon reports issued previously by the company’s own safety personnel and outside consultants. Phillips had numerous citations from OSHA since July 1972. OSHA discovered internal Phillips documents that called for corrective action but which were largely ignored.
  4. Safe operating procedures were not required for opening lines in hazardous service.
  5. An effective safety permit system was not enforced with Phillips or contractor employees, especially line opening and hot work permits.
  6. Buildings containing personnel were not separated from process units in accordance with accepted engineering principles, or designed with enough resistance to fire and explosion.
  7. The fire protection system was not maintained in a state of readiness:
     (a) One of the three diesel-powered water pumps had been taken out of service.
     (b) Another of the three diesel-powered water pumps was not fully fueled, and it ran out of fuel during the fire fighting.
     (c) Electric cables supplying power to regular service fire pumps were not located underground and were exposed to blast and fire damage.

Summary

As the tragic case histories illustrate, the importance of the risk based process safety practices presented in this chapter to prevent and mitigate potential catastrophic process safety incidents in the future becomes alarmingly apparent, and the necessity for risk based process design is clear. The case histories also reveal significant flaws in the management systems necessary to ensure that good process safety practices are followed. Even a process designed according to principles of process safety can be transformed into one with a high potential for disaster if risk based process safety management systems are not in place to ensure that good process safety practices are followed throughout the life cycle of the process.

Because there is always risk when equipment, instrumentation, and human activity are involved, there is no way to make a plant completely safe. However, facilities can be made risk tolerant by careful examination of all aspects of design and management, using modern techniques that are now available. If the process safety performance and public image of the chemical processing industries are to improve, risk based process design coupled with risk based process management is imperative.

In addition to the information presented in this chapter and in the publications it has cited, references listed below are recommended as appropriate source material.