During HazOp we consider what could go wrong with the process, and the safeguards we have in place to prevent that. We also consider the consequences if our safeguards don’t act to provide protection. But what about when they do operate? Could the correct operation of a safeguard cause an incident?
You’ve done your HazOp and are confident that you have all the right safeguards in place. However, is it possible that those safeguards could also be causing risks in their own right?
It is as important to consider safeguard activation as it is to consider their failure, and to take appropriate action to ensure your process remains safe under all circumstances.
Based on a true story
“Are there any more causes of overpressure?” asked the HazOp leader. The team’s silence was gratifying – all of the causes so far identified were well protected by the dual redundant relief system installed. Whilst there was always the chance of a runaway reaction on this process, if the worst did happen, the solvent vapours would be relieved to a safe place – after all, that’s what you’d written on the P&ID, right?
“OK, so we have assessed the likelihood of the relief valves not working, and we have good protection against vessel rupture” said the facilitator, “but what happens when the relief valves do lift? Won’t the vapours released be both toxic and flammable?”.
Oh no, that sinking feeling – you never even thought about that!
Dishonourable Discharge
Recently, the =Method team have come across several incidences of vents and relief valves discharging to unsafe locations, including:
- Flammable solvent vapours discharged at low level outdoors, capable of causing a vapour cloud explosion if ignited.
- Toxic gases vented directly into an occupied plant area
- Toxic gases released near to building ventilation air intake points
- A steam relief valve discharging upwards, just below an outward-opening laboratory window
- A relief valve on a thermal oil system discharging horizontally and at head height
- Vents releasing flammable vapours at the rear of a smoking shelter (the vent was there long before the shelter)
We also came across a bursting disc which discharged through the roof of the plant, and at high level. The original plant designers had assumed that this was safe. However, modelling showed that because the vapours released were heavier than air, on a still day they would fall to ground rapidly. This had the potential for both on-site and off-site medical treatment cases.
Computer Says No
Another example of this issue was a control system (BPCS) interlock which prevented an actuated valve from being opened under certain circumstances. When the plant malfunctioned, the right response was for the operators to open the valve, but the control system would not allow them to.
Whilst control system interlocks can be very useful, it is important to make sure they won’t cause any unintended consequences, particularly during startup, shutdown and abnormal operations.
It’s Not Easy Being Green
It is not uncommon for equipment installed for environmental reasons to cause safety issues. Often this equipment is bought from specialist vendors who know their equipment well. However, they may not be told the full details of the process, and that can cause a hazard. Some examples:
- When a company had a vent gas scrubber which could not meet new environmental targets, they replaced it with a thermal oxidiser (a type of vent gas incinerator). However, they were unaware that at certain points in their process, the vent gases reached flammable concentrations. Soon after installation, the flame from the thermal oxidiser flashed back to the plant, distorting the duct work and blowing flames out of a vessel manway which narrowly missed the plant operator.
- An extraction fan which was not ATEX-rated caused an ignition when there was a release of solvent vapour inside the plant.
- A carbon bed was installed downstream of an existing scrubber to meet new emission targets. One day the scrubber recirculation pump failed, resulting in more concentrated solvent vapours reaching the carbon bed. Because solvent adsorption onto the activated carbon was exothermic, the carbon bed overheated and caught fire.
The tendency here is for HazOp teams to only be thinking about the environmental consequences if abatement equipment fails, and to therefore miss the safety consequences if something abnormal happens upstream which puts the abatement equipment outside its safe operating envelope. This is a classic example of where the team as a whole have all the knowledge they need, but unless there is effective communication between the different team members, hazards can be missed:
Although the team as a whole should have the information needed to keep the plant safe, everybody has knowledge gaps. Good communication is key to gaining a shared understanding and hence producing a good HazOp.
The Lessons Learned
It’s just as important to assess if there is a hazard when safeguards do work as it is to assess the risk of them not working.
- Relief valves and bursting discs must genuinely discharge “to a safe place”, and that is not the same as just writing that on the P&ID. Relief locations must be assessed to show there is no risk of either fire or toxic effects. This sometimes requires dispersion modelling etc.
- Relief valve discharge manifolds must be sized for the worst-case credible demand from multiple vessels. One plant had a relief manifold to protect against external fire, but which was sized for only one relief valve discharging at once.
- Interlock activation or control system (BPCS) failure must put the plant into a safe state under all operating conditions. (This is usually to close valves and turn off pumps, but not always!)
- Pay particular attention to environmental abatement equipment. How might an issue with the plant push that equipment outside of its safe operating envelope?
