
health, safety and environment 1

Rock-solid safety
Stephen Rowe asks how robust is your basis of safety?
Rapid overpressure in process plants can have a number of potential causes. Most common are dust, gas and vapour explosions; detonation or deflagration of highly energetic materials; rapid decomposition of thermally-unstable substances or mixtures; and runaway exothermic chemical processes. ATEX and CAD legislation requires European companies to conduct risk assessments and implement preventative or mitigating measures to avoid or minimise the occurrence of such events. They rely on companies using robust and thorough assessment procedures.

When handling flammable, explosive or thermally-unstable substances, or conducting chemical reactions, a defined mechanism has to be in place to avoid or protect against the intrinsic hazard of the material or process. This might be a single safety system (eg an explosion relief vent) or a combination of measures that collectively protect the plant, personnel and environment from the consequences of all foreseeable undesirable events. These individual or collective measures, which can be a combination of both organisational and technical measures, are defined as the basis of safety for the plant or operation. The ATEX directive explicitly requires this basis of safety to be detailed in an explosion protection document. Other regulations such as CAD make companies formally record the risk assessments and risk reduction measures, but that record has not been assigned a special name.
Any hazard and risk assessment, irrespective of the nature of the hazard or risk, requires a methodical strategy involving: characterisation of the process and material; hazard and risk identification; consequence analysis; and safety system specification, design and implementation. Deficiency in any of these areas will potentially result in an ineffective or, in the worst case, unsafe basis of safe operation. This article seeks to provide an overview of the decision-making and assessment process, highlighting areas where failings are most common.

characterising the process and materials

A sound basis of safety relies fundamentally on a thorough understanding of the process and materials involved. For explosion hazards, it may be necessary to characterise the parameters detailed in Table 1. Data may be available from reliable literature sources for gases and vapours, but the physical characteristics of dusts and powders are so variable that their specific properties will usually have to be measured.

Table 1: Example parameters for explosion hazards

| Parameter group | Dusts/powders | Gases/vapours |
|---|---|---|
| Ignition sensitivity | Minimum ignition energy (MIE); minimum (cloud) ignition temperature (MIT); layer (5 mm) ignition temperature (LIT) | Minimum ignition energy (MIE); autoignition temperature (AIT) |
| Explosion severity | Maximum explosion pressure (Pmax); explosion severity constant (Kst) | Maximum explosion pressure (Pmax); explosion severity constant (Kg) |
| Flammable range | Minimum explosible concentration (MEC); limiting oxygen concentration for combustion (LOC) | Upper and lower explosive limits (UEL and LEL); limiting oxygen concentration for combustion (LOC); flash point |

Almost all organic or metal powders, when finely divided and dispersed, can ignite and propagate an explosion. Even for a given substance, the moisture content, particle size and even particle geometry can have a profound effect on the ignition sensitivity and the severity of an explosion. Only the tests needed to specify and confirm the acceptability of the basis of safety are required. Not all parameters may be essential for the ultimate basis of safety.

Powders can be much less sensitive to ignition than gases or vapours. This means that for powders, avoiding ignition sources can be a robust and reliable basis of safety, especially for the less sensitive powders, while for gases and vapours this rarely is an option. Table 2 gives some typical data for dusts, gases and vapours and highlights the wider range of sensitivity for dusts (dust data are sample-specific). It is impossible to reliably predict ignition sensitivity and severity and, unfortunately, there are no formal correlations between the various parameters. This makes it essential to test a specific dust sample to understand its properties. Figure 1 illustrates testing methods for ignition temperature determination.

Table 2: Typical data for dusts, gases and vapours

| Material | MIE (mJ) | MIT/AIT (°C) | LIT (°C) |
|---|---|---|---|
| Acetone | 1.15 | 535 | N/A |
| Toluene | 0.2 | 535 | N/A |
| Methanol | 0.14 | 455 | N/A |
| Hydrogen | 0.016 | 560 | N/A |
| Polyvinylchloride (PVC) | 1500 | 780 | >450 |
| Coal (lignite) | 25 | 380 | 230 |
| Coal (anthracite) | >1000 | 710 | 340 |
| Wheat flour | 300 | 380 | 350 |
| Pharmaceutical* | 23 | 480 | >400 |

Kst/Kg (bar m s⁻¹): 56 66 550 47 151 54 63 278

* This is a typical API recently tested at Chilworth Technology

Detonation (combustion propagation at a rate above the speed of sound) is possible for vapours, gases and dusts. Hydrogen, for example, can readily detonate under certain circumstances. Detonations produce much higher pressures than deflagration and hence have far more serious consequences. The detonable concentration range is generally narrower than the normal flammable limits, so operators have to take care to avoid transition from deflagration to detonation. For dusts, it is hard to meet the conditions to support detonation since it is virtually impossible to achieve homogeneous detonable concentrations.

Detonation can also occur in solid and liquid substances (condensed-phase explosives). A simple structural evaluation of molecules will soon identify energetic functional groups which can cause explosions, such as nitro, azide, peroxide, diazo, nitroso and chlorate groups. If such groups exist, plant operators must evaluate the thermal stability, mechanical (impact and friction) sensitivity, and shock (detonation) sensitivity so that they can choose the most suitable handling and process methods. Ball milling, for example, would not be appropriate for an impact-sensitive nitro compound. Any process mixing combustible and oxidising species has to be carefully assessed. One example we have come across is a contact lens manufacturer which kept blowing apart its tabletting head when compressing a metal peroxide and enzyme composition and couldn't understand why!

Table 3 details the parameters for characterising thermal instability and runaway reaction hazards. Common raw materials can sometimes be assessed using literature data, but experimental tests will be needed for proprietary materials and mixtures. For all processed materials, the necessary conditions to initiate instability should be characterised to help establish safe processing temperatures. This may initially take the form of small-scale screening tests such as differential scanning calorimetry (DSC) or the Carius tube test (a form of differential thermal analysis (DTA)). These rapid and relatively-insensitive tests give a first idea of onset conditions and magnitude of instability.
Table 3: Parameters for characterising thermal instability and runaway reaction hazards

| Parameter group | Thermal instability / runaway reaction hazards |
|---|---|
| Thermodynamics | Magnitude of heat release |
| Kinetics | Onset temperature of activity; rate of heat release and rate of change with temperature; catalytic impact of possible contaminants, including autocatalytic behaviour |
| Pressure effects | Identification of gas generation (quantity and rate) and/or identification of vapour pressure effects of principal components and decomposition products |

If materials become unstable at conditions close to potential plant operating conditions, they will have to be characterised in greater detail using more sensitive techniques such as accelerating rate calorimetry (ARC). To interpret the data from such tests you need to understand the test sensitivity so you can apply appropriate safety margins.

Special tests can examine self-heating properties, as opposed to pure decomposition properties. For drying or storage under air, these tests should be considered in addition to the pure decomposition analysis afforded by DSC, Carius tube or ARC methods. It is not uncommon to see companies using just DSC analysis as a panacea for thermal stability investigation. However, for powders in particular this method can completely miss oxidative events at modest temperatures because the test cell does not contain enough air.

A study at Chilworth Technology compared the sensitivity of thermal test methods for a material that decomposes (azodicarbonamide) with another that oxidises (dried citrus peel). The results, shown in Table 4, graphically demonstrate the enhanced sensitivity of the powder-specific diffusion and aerated cell tests compared with the contained test methods (DSC, Carius tube and ARC) for materials that oxidise. For powder drying or bulk storage situations, it is imperative to collect safety data in equipment specifically designed to mimic the specific industrial situation.

Table 4: Enhanced sensitivity of the powder-specific diffusion and aerated cell tests compared with the contained test methods (DSC, Carius tube and ARC) for materials that oxidise

| Test method | Dried citrus peel: onset temperature (°C) | Azodicarbonamide: onset temperature (°C) |
|---|---|---|
| Differential thermal analysis (Carius tube) | 115 | 145 |
| Differential scanning calorimetry (under air) | 223 | 179 |
| Differential scanning calorimetry (under nitrogen) | 250 | 179 |
| Accelerating rate calorimeter (ARC) | 165 | 135 |
| Diffusion cell test | 114 | 169 |
| Aerated cell test | 101 | 168 |

One of the main hazards of a decomposition or oxidation reaction is gas generation. The gas can cause a vessel to overpressurise or, potentially worse, it can introduce a gas flammability or toxicity risk. The Carius tube and ARC methods are therefore routinely used to check for gas generation as well as (or in conjunction with) measuring temperature and thermal events.

For exothermic chemical reactions which have the potential to run away, a good understanding of the thermodynamics, kinetics, gas generation and vapour pressure of the desired process helps evaluate the consequences of process deviations. Calorimetric techniques typically employed for such measurements are often based on heat flow measurements under controlled laboratory conditions (for example, using the Mettler Toledo RC1 system). These measurements, together with the thermal stability data, help operators understand the behavioural limits during deviation assessments.

As well as understanding the materials and reactions, it is equally important to understand the characteristics of the plant. Even for generic unit operations, the equipment will be unique and will present its own individual hazards. Figure 1 illustrates what can happen when a process vessel's heat removal mechanisms cannot keep up with the rate at which a batch process generates heat. The reaction had been scaled up from a smaller scale, where the higher relative heat removal capability meant that the same reaction proceeded smoothly and without incident.

Figure 1: An example of what can happen when a process vessel's heat removal mechanisms cannot keep up with the rate at which a batch process generates heat

identifying hazards and risks

Once the process and materials have been characterised, plant operators have to establish the hazards which exist on the industrial scale and identify the likelihood of the hazard being realised (ie the risk). Techniques for hazard and risk assessment include:

- Hazard and operability studies (HAZOP): A review team of knowledgeable professionals is guided by a study leader who uses a series of guide words to examine potential deviations that could occur for each part of the plant. The team considers the consequence (including knock-on effects) of each deviation judged to have a credible cause, assesses the acceptability of safeguards, and marks down potentially hazardous situations for more detailed further investigation (consequence analysis).
- What-if or checklist analysis: A checklist of potential failure situations is drawn up based on past experience and reviewed in combination with the plant and process details.
- Failure modes and effects analysis (FMEA): FMEA is based on identifying the possible failure modes of each component of a system and predicting the consequences of the failure. This method is especially useful for the analysis of systems containing many critical components but few process steps (eg instrumentation loops).
- Fault tree analysis (FTA): This analysis is based on working from a top event, such as an explosion in a reactor, and then considers all combinations of failures and conditions which could cause the event to occur. This technique is widely used as a precursor to quantitative risk assessment. Event tree analysis works in reverse, by identifying an initiating event and then working forward to top events.

FMEA and FTA are complex techniques and, because of this, their use in the process industries is often limited to the identification of hazard progression sequences before quantification is applied. Choosing the most appropriate way of identifying a hazard is a key step in being able to demonstrate how safe a plant is, and ensure it's kept that way. The more detailed techniques are generally more applicable to highly hazardous processes, and often follow on from less rigorous screening studies.

Of the above techniques, HAZOP is probably the most widely used in the process industries, but its success depends on the quality of the team. Only an experienced team straddling a variety of disciplines will be able to produce a thorough and balanced view of the process hazard. Such a team will usually focus the HAZOP study in the appropriate direction, spending a proportionate amount of time on the higher risks whilst remaining rigorous across the whole process. It is not uncommon to perform small individual risk assessments on a specific item of plant equipment, such as a dust collector, which focus on one area of risk (in this case, the dust explosion potential). This can be more efficient than a full HAZOP, or may be performed as an action from a HAZOP.

Whichever technique is chosen, the outcome should be a list of retained scenarios requiring consequence analysis. They may have to be quantified and will recommend steps for the specification, detailed design and implementation of appropriate safety measures. It is often the robustness of the hazard identification and risk assessment phase which dictates the overall robustness of the safety system. Omitting foreseeable deviations at this stage compromises the resultant safety system.

consequence analysis

The consequence and risk of an undesirable event will (or rather, should) dictate the level of expense and time spent addressing it. The consequence can range from the trivial, ie off-spec product, to catastrophic events such as a reactor explosion resulting in fatalities, environmental contamination, and commercial loss. For gas, vapour or dust explosion hazards, it is possible to evaluate the consequences of an event using explosion prediction software such as PHAST etc. Such software is well developed, readily available and gives a rapid overview of the impact of an event.

For thermal stability and reaction hazards, it is harder to carry out consequence analysis using software, owing to the complex nature of the required inputs (kinetic parameters, physical properties prediction, etc). Batch and semi-batch reaction hazards are usually evaluated using experimental techniques which simulate the deviation scenario under low thermal inertia (phi factor) and heat loss conditions which closely resemble the manufacturing environment. The techniques are usually based around adiabatic calorimeters such as the ADC II (adiabatic pressure Dewar calorimeter), and provide a basis for simulating specific failure cases and determining their consequences in terms of pressure, temperature and time. Data from such tests is also indispensable for the specification of safety systems, such as setting the required response time from corrective controls, data for emergency relief vent sizing, etc.

The magnitude of the consequence will govern how acceptable the risk is and therefore the effort and cost applied to controlling the risk. Regulators in the UK and elsewhere use the principle of ALARP (as low as reasonably practicable) on such risks. The investigation has to fully support the decisions taken during the assessments.

Table 5: Summary of typical safety measures

| Hazard | Types of safety system | Specific safety measures |
|---|---|---|
| Thermal instability and reaction hazards | Passive prevention; passive protection; instrumented prevention; instrumented protection | Inherent safety; venting; containment; process control; emergency (secondary) cooling; quenching; reaction inhibition |
| Dust, gas and vapour explosion hazards | Passive prevention; passive protection; instrumented prevention; instrumented protection | Inherent safety; avoidance of ignition sources; avoidance of flammable concentrations; venting; containment; inerting; explosion suppression |

Figure 2: Data requirements associated with bases of safety for flammability hazards

basis of safety: specification and data requirements


A variety of safety measures can be applied to thermal stability, runaway reaction and explosion hazards to prevent them occurring or, alternatively, to protect against them. These measures can be passive, meaning that they don't contain any instruments running on external energy, or active, in which case they contain instruments requiring pneumatic or electrical activation. Table 5 summarises typical measures.

It is not uncommon for plants to use a combination of layers of protection rather than solely relying on one basis of safety. Layers of protection analysis (LOPA) has become popular as a way of extending the hazard identification and risk assessment process and demonstrates that multiple independent safety features can achieve an acceptable level of safety. If a safeguard is effective in preventing a scenario from reaching its consequence, and it is independent of the initiating event and other layers of protection, then it is considered to be an independent protection layer (IPL). LOPA assesses the combination of IPLs, general design features, procedural and other such layers to give an overall credit. The frequency of the initiating event, the assessed risk reduction (or probability of failure on demand, PFD) and the severity of the undesired consequence are used to determine how acceptable an identified risk is against the safety, environmental and commercial criteria deemed to be tolerable. Analysing the efficacy of the combined layers of protection against the risk acceptability criteria can help assess how acceptable the layers of protection are and examine the need for any additional layers.

Inherent safety is the ideal goal in process design but this is difficult to achieve and is rarely the sole basis of safety. Passive protection systems are often a good option since designing, evaluating, maintaining and operating instrumented safety systems can be complex. With runaway reactions, for example, it is most common to find process control systems backed up with passive emergency venting systems to safely relieve over-pressure. On the surface, this is a straightforward safety solution.
However, such relief systems have to be designed to best practice techniques (eg DIERS methodology to account for multi-phase flow) and almost always need an adequate catch-tank or other environmental protection system to contain the material ultimately relieved. The additional costs of such systems (in space as well as cost) can sometimes outweigh their safety advantages. As has been stated, it is down to the designer to choose the most appropriate protection measures, bearing in mind the characteristics of the hazard, the desirability and efficacy of the various options, and the costs of provision.

Where safety instrumented systems are employed to control safety-critical parameters, it's best practice to follow the principles laid down in IEC 61508 (EN 61508), "Functional safety of electrical/electronic/programmable electronic safety-related systems", and IEC 61511 (EN 61511), "Functional safety: safety instrumented systems for the process industry sector". These international standards provide a framework for assessing the required standard to which a safety instrumented system (SIS) should be specified, and give the instrument engineer the methodology to build, operate and maintain an appropriate system; thus the standards encompass process safety and are not just instrumentation standards.

Safety instrumented systems will typically be independent of the process control system, will usually employ proven technology and will be limited in programmable functionality. In the simplest sense, a SIS may consist of a traditional hardwired interlock, whilst the higher specification systems will probably involve multiple sensors and shutdown valves, redundancy in the logic unit, diagnostics in the signal transmission circuits and so on. Thus high safety integrity level (SIL) systems can become expensive, particularly once lifetime costs of testing, maintenance and management are considered.
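The LOPA arithmetic and the independence test described above can be made concrete with a short calculation. The following is an added example, not part of the original article: the scenario, frequencies, PFD values, tolerable frequency and tag names are constructed for illustration, and the SIL mapping uses the low-demand PFD bands of IEC 61508/61511.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float             # probability of failure on demand
    depends_on: frozenset  # sensors, utilities, logic the layer relies on


def credit_ipls(initiator_parts, layers):
    """Return (credited, rejected). A layer counts as an IPL only if it shares
    nothing with the initiating event or with a layer already credited."""
    used, credited, rejected = set(initiator_parts), [], []
    for layer in layers:
        if layer.depends_on & used:
            rejected.append(layer)
        else:
            credited.append(layer)
            used |= layer.depends_on
    return credited, rejected


def required_sil(gap_pfd):
    """SIL needed to close the remaining gap, using the low-demand PFD bands
    (SIL n covers 10^-(n+1) <= PFD < 10^-n).
    0 = no SIL-rated function needed, None = beyond SIL 4."""
    if gap_pfd >= 0.1:
        return 0
    for sil in (1, 2, 3, 4):
        if gap_pfd >= 10 ** -(sil + 1):
            return sil
    return None


def lopa(init_freq, initiator_parts, layers, tolerable_freq, check_independence=True):
    """Mitigated frequency = initiating frequency x product of credited PFDs."""
    if check_independence:
        credited, rejected = credit_ipls(initiator_parts, layers)
    else:
        credited, rejected = list(layers), []
    mitigated = init_freq * prod(layer.pfd for layer in credited)
    gap_pfd = tolerable_freq / mitigated  # PFD an extra safety function must achieve
    return {
        "credited": [layer.name for layer in credited],
        "rejected": [layer.name for layer in rejected],
        "mitigated_per_year": mitigated,
        "gap_pfd": gap_pfd,
        "sil": required_sil(gap_pfd),
    }


# Constructed scenario: runaway reaction after the cooling control loop fails.
INITIATOR_PARTS = {"TT-101", "cooling controller"}  # hypothetical tags
INIT_FREQ = 0.2         # initiating events per year (constructed)
TOLERABLE_FREQ = 1e-5   # per year (constructed acceptance criterion)
LAYERS = [
    # The alarm reads the same transmitter whose failure starts the event.
    Layer("high-temperature alarm + operator", 0.1, frozenset({"TT-101", "operator"})),
    Layer("emergency relief vent + catch tank", 0.01, frozenset({"bursting disc"})),
]

if __name__ == "__main__":
    for label, check in (("independence enforced", True), ("all layers credited", False)):
        r = lopa(INIT_FREQ, INITIATOR_PARTS, LAYERS, TOLERABLE_FREQ, check)
        print(f"{label}: {r['mitigated_per_year']:.1e}/yr, "
              f"gap PFD {r['gap_pfd']:.1e}, SIL {r['sil']}, rejected {r['rejected']}")
```

Crediting the alarm that shares a transmitter with the failed control loop makes the remaining gap look like a SIL 1 duty; with the independence test enforced, the same scenario calls for SIL 2.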
The selection of the most appropriate basis of safety will be governed by technical and financial issues. Whichever basis of safety is selected, it is critical that all phases of the hazard assessment are rigorously completed. Characterisation of the process and material hazards is a critical phase and one that can easily be overlooked. The ultimate basis of safety must protect or prevent the manifestation of process and material hazards and therefore must be based on a sound understanding of the system.

For dust, gas and vapour explosion hazards, engineers must obtain data on the characteristics of the material to identify the criteria the safety system has to meet. For example, to design an inerting system for handling flammable gases, you have to know the LOC (limiting oxygen concentration for combustion) to properly specify the design level for the inerting system. Figure 2 highlights the data requirements associated with bases of safety for flammability hazards. Whilst literature data is usually available and sufficient for vapour and gas flammability hazards (at least at standard temperature and pressure conditions for common materials), reliable data for dusts is scarcer. Best practice is to obtain experimental data for the specific materials processed; this mitigates question marks that arise in the use of generic data.

For thermal stability and reaction hazards, Figure 3 gives the data requirements associated with the various available bases of safety. Thermal stability and reaction hazards data are almost always derived by experimentation. There are many techniques, but it is crucial to select the most appropriate technique for the specific material or process situation in order to obtain valid and relevant information. For powder drying or storage situations, for example, DSC (normally conducted in a sealed or inerted test cell) is inappropriate; the situation calls for powder-specific test methods.

Figure 3: Data requirements associated with the various available bases of safety

conclusions
Protecting against overpressure hazards arising from gas, vapour or dust explosion, and thermal stability and reaction hazards, is a pre-requisite for the process industries. The critical phases in the process are: process/material characterisation; hazard and risk identification; consequence analysis; and safety system specification, design and implementation. At the end of this process, operators should specify and implement a robust basis of safety which protects against all foreseeable overpressure hazards. A rigorous exercise will dictate the extent to which overpressure hazards are foreseen. Consequence analysis will identify the magnitude of the manifested hazard and dictate the effort and measures imposed to mitigate the risk. It cannot be overstated how critical it is to have the appropriate experimental data on the process or material. Deficiency in safety data can lead to under-design of the safety system, rendering it potentially unsafe. At the other end of the scale, over-designing the safety system adds unnecessary expense and complexity.

Stephen Rowe (srowe@chilworth.co.uk) is operations manager at Chilworth Technology, Southampton (references available on request)

tce april 2008
