Process Safety and Process Control

1. Safety. It is imperative that industrial plants operate safely

so as to promote the well-being
well being of people and equipment
within the plant and in the nearby communities. Thus, plant
safety is always the most important control objective.
C pter 9

2. Environmental Regulations. Industrial plants must comply

with environmental regulations concerning the discharge of
Chap

gases, liquids, and solids beyond the plant boundaries.

3 Product Specifications and Production Rate.
3. Rate In order to be
profitable, a plant must make products that meet
specifications
spec c o s co concerning
ce g pproduct
oduc qu
qualityy andd production
p oduc o
rate.

4. Economic Plant Operation. It is an economic reality that the

plant
l t operation
ti over long
l periods
i d off time
ti mustt be
b profitable.
fit bl
Thus, the control objectives must be consistent with the
economic objectives.
5. Stable Plant Operation. The control system should facilitate
smooth stable plant operation without excessive oscillation in
smooth,
C pter 9

key process variables. Thus, it is desirable to have smooth,

p set-point
rapid p changes
g and rapid p recoveryy from plant
p
Chap

disturbances such as changes in feed composition.

2
 Operators
p View of Process Control

A Dayy in the Life of a

Plant Operator V.Venkatasubramanian

Operators View of Process Control

Pump A pumping oil has tripped - Cause Unknown
You switch to Pump p B. That also trips
p - Cause Unknown
Soon hundreds of alarms are going off Cause(s) Unknown
With in minutes you have an explosion and a fire. Two people
are killed
kill d and
d a few
f hurt
h t att this
thi point.
i t
It is 10:00 in the night.
The plant manager is in Aberdeen, Scotland, and not available.
You are on top of an off-shore oil platform in the middle of the
North Sea.

You are the Shift Supervisor:

p
What do you do?

V.Venkatasubramanian
 Process Safety is a Major Concern:
The BIG Ones

Piper Alpha Disaster, Occidental

Petroleum Scotland, 1988
Off shore oil platform explosion
Off-shore
164 people killed
$2 Billion in losses
Union Carbide, Bhopal, India,
1984
MIC release into atmosphere
p
3000-10,000 people killed
100 000 injured
100,000
$0.5-1.0 Billion in losses V.Venkatasubramanian

BP Texas City
y Accident Video
(short version)

http://www.youtube.com/profile?user=USC
//
SB#p/u/20/c9JY3eT4cdM

6
BP Texas City
y Accident Video
(more detailed)

http://www.csb.gov/investigations/detail.aspx?SI
D=20&Type=2&pg=1&F_All=y

AEM: Abnormal Event Management

$20B+ impact
$20B i on U.S.
U S economy; $10B impact
i
on petrochemical companies
Petrochemical companies have rated AEM their

#1 problem
Modern plants are more difficult to control,

diagnose and manage

Complex configurations, very large scale
Running
R i process att its
it limit
li it reduces
d margin
i for
f error
Plant-wide integration makes reasoning difficult

Advanced control puts process in states which operators

have difficulty managing in the event of an upset

Fewer experienced operating personnel due to downsizing

Lack of adequate
q trainingg of operators
p

V.Venkatasubramanian
 T2 Laboratories Accident
Before After

At 1:33pm, 19 December 2007 a powerful explosion at T2

Laboratories in Jacksonville, Florida killed 4 employees, injured
32 (4 employees and 28 members of the public) and destroyed
the facility.
A runaway exothermic reaction in the production of
methylcyclopentadienyl manganese tricarbonyl (MCMT) (fuel
octane booster) due to cooling loss led to the explosion
equivalent to 1400 pounds of TNT. 9

Runawayy reactor accident T2

http://www.youtube.com/profile?user=US
CSB#p/u/3/C561PCq5E1g

10
 Schematic of Reactor
CAUSES OF ACCIDENT

1. T2 did not recognize runaway

reaction hazard with the MCMT
it was producing despite earlier
indications.

2 . Cooling system was susceptible

to single-point
i l i failures
f il d to
due
lack of design redundancy.

3. MCMT reactor relief system was

p
incapable of relieving
g the p
pressure
from the runaway reaction. 11

Runaway Reactions
Metalation Reaction

Reaction of Sodium and Diglyme Solvent

+ Na
+Na ?

12
New Test Cell Burst Test Cell
Operating
p g regimes
g for exothermic chemical reactors.
13

Modeling
g Needs
Why Simulate the Reactor?

1. Determine cooling requirements

2 . Determine conditions that lead

to runawayy conditions,, such as
increasing batch size, change in
cooling water temperature, etc.
(
(so-called
ll d parametric
i sensitivity)
ii i )

33. Size the pressure relief valve

and bursting disk pressure

4. Develop a training tool 14

 Elements for Model

1. Unsteady Material Balance

2 . Unsteady Energy Balance

33. Reaction
i Rates including
i i
temperature dependence
(must come from the lab)

4. Simulation of the model

equations

15

Multiple
p Protection Layers
y
In modern plants, process safety relies on the principle of
multiple protection layers; see Figure 10.1.
10 1
Each layer of protection consists of a grouping of equipment
and/or human actions,
actions shown in the order of activation.
activation
C pter 9
Chap

16
 Typical layers
C pter 9

off protection
i
in a modern
chemical plant
Chap

(CCPS 1993).

17

Basic process control system (BPCS) is augmented with two

levels of alarms and operator supervision or intervention.
An alarm indicates that a measurement has exceeded its
specified limits and may require operator action.
action
Safety interlock system (SIS) is also referred to as a safety
instrumented system or as an emergency shutdown (ESD)
C pter 9

system.
Chap

Th
The SIS automatically
t ti ll takes
t k corrective
ti action
ti when
h the
th process
and BPCS layers are unable to handle an emergency, e.g., the
SIS could automatically turn off the reactant pumps after a high
temperature alarm occurs for a chemical reactor.
Rupture discs and relief valves provide physical protection by
venting a gas or vapor if over-pressurization occurs (also flares
)
for combustibles).
18
 Chlorine Vaporizer
P
Provides
id chlorine
hl i vapor to t a reactor
t that
th t converts
t
alkane (C12H26) to C12H25Cl, which in turn is alkylated
g
with benzene ring.
When reactor is shut down, the vaporizer undergoes a
pressure surge that trips a relief valve/rupture disk
( d i bl behavior).
(undesirable b h i ) Why Wh does
d it occur(modeling
( d li
application)?
The chlorine gas passes through the relief system and is
transferred to beds of clamshells in water, which
neutralizes the Cl2 to CaCl2.
Analyze the P & ID and the valve failure conditions for
shutdown.

19

20
 Typical Complaints from Operators
IInadequate
d t precision
i i off
temporal information (e.g.,
lack of true alarm order).
Excessive nuisance alarms
Inadequate anticipation of
process disturbances.
Lack of real-time,, root-
cause analysis (symptom-
based alarming).
LLackk off distinctions
di ti ti
between instrument failures
and true process deviations
deviations.
Lack of adequate tools to
measure,, track,, and access
past records of abnormal
situations.

21

Types of Alarms
Type
ype 1 Alarm:
a : Equipment
qu p e t status alarm.
a a . Pump
u p iss oon oor ooff,, oor
motor is running or stopped.
Type
yp 2 Alarm: Abnormal measurement alarm. Measurement is
C pter 9

outside of specified limits.

Type 3 Alarm: An alarm switch without its own sensor.
sensor When it is
Chap

not necessary to know the actual value of the process variable,

only whether it is above (or below) a specified limit.
Type 4 Alarm: An alarm switch with its own sensor. This serves as
a backup in case the regular sensor fails.
Type 5 Alarm: Automatic Shutdown or Startup System.

22
 Two interlock
configurations.
C pter 9
Chap

23

Safety Interlock (Instrumented) System (SIS)

Th
The SIS iin Fi
Figure 99.1
1 serves as an emergency bback-up
k system
t
for the BPCS.
The SIS automatically starts when a critical process variable
exceeds specified alarm limits that define the allowable
operating region (starting or stopping a pump or shutting down a
C pter 9

process unit).
Chap

O
Only
l used
d as a llastt resortt to
t preventt injury
i j to
t people
l or
equipment.
SIS must function independently of the BPCS; (e.g., due to a
malfunction or power failure in BPCS). Thus, the SIS should be
physically separated from the BPCS and have its own sensors
and actuators.

24
 Safetyy Instrumented Systems
y Video

http://www youtube com/watch?v=4AbmZ7vjUZk

http://www.youtube.com/watch?v=4AbmZ7vjUZk

25

A Final Thought
As Rinard (1990) has poignantly noted, The regulatory control
system affects the size of your paycheck; the safety control system
affects whether or not you will be around to collect it.
C pter 9
Chap

26