|
Relief Valves: "What Can Go Wrong" Scenarios (Part 1 of many)
The Problem What can go wrong in a chemical facility? Plenty! A report in the August 2000 issue of CEP1 shows that operator error or poor maintenance was the leading of cause of accidents for unfired pressure vessels eight years running. Accidents not only damage
For the purposes of this discussion and those that will follow, a "what can go wrong" scenario is defined as an action that will cause a vessel containing a gas or liquid to overpressure, leading to a catastrophic failure of that vessel if it were not for the presence of a relief valve or rupture disk. To find these potentially deadly incidences, the Process Engineer goes through a type of "self HAZOP" (Hazardous and Operability Study), analyzing the process to determine what these scenarios are. For each credible scenario identified, the Process Engineer performs calculations to determine the amount of vapor or liquid that must be relieved from the vessel in order to prevent the overpressure from occurring (the relieving load). Fair warning, this discussion and those that will follow in future installments assume the reader is at least somewhat knowledgeable in Process Design. Safety analysis should never be left up to the junior Process Engineer unless closely supervised. So if you Mr., Mrs., Ms. Reader become confused or somewhat lost in some of the terminology used, I sincerely apologize. I welcome your very direct and specific questions about anything I write and would be happy to help you understand what I am saying. This is an extremely important function for Process Engineers.
The Checklist Since there are many potential causes of failure, it would be nice to have a checklist to make the analysis organized and somewhat standard. After all, those of us in Process Design may be working on a project for a chemical plant today and end up on a project for a pharmaceutical plant tomorrow (it happens, believe me). A pretty good checklist is given by Table 2 in Section 3 of The American Petroleum Institute (API) publication, "Guide for Pressure-Relieving and Depressuring Systems"2, better known as API Recommended Practice 521 (or just API 521). For those not familiar with API, this is the organization in the United States that sets the standards by which codes (laws) are followed. API publishes the Recommended Practices 520 and 521, among others. A condensed version of the API checklist is presented in Table 1 below. Table 1 – API RP 521 Scenario Check List
In this installment, I want to establish a framework for analyzing a given process. In future installments, I will begin to tackle the scenarios (Overpressure Cause) themselves in some detail. The ultimate goal is for the Process Engineer to identify credible "what can go wrong" scenarios, perform relieving load calculations to prevent catastrophic failure and eventually size the relieving device and system.
I can’t begin to tell you how many people still don’t understand this concept. API allows you to "ignore" failures that fall under the "Double Jeopardy" principle (See API 521, March 1997, 4th edition, paragraph 2.2). Double Jeopardy basically means two unrelated failures occurring at the exact same time, i.e. simultaneous. This does not mean the failures occurred one minute, one second or even one millisecond apart. It means at exactly the same instant in time! Let’s look at some examples. There is a loss of power to a pump causing stoppage of cooling water to a condenser on a distillation column. Because vapor from the distillation column can no longer be condensed, pressure builds up to the point of popping the relief valve, i.e. the system goes into relief. At the same time, the control room operator strokes open a steam flow control valve to the reboiler on that same distillation column causing the generation of an excessive amount of vapor. When calculating the total amount of vapor that must be relieved to prevent damage, should one take into account the excessive vapor produced by the wide-opened steam valve? Or, should we consider only the normal amount of vapor exiting the column; API 521, paragraph 2.3.2 says that the control valve should be considered to be in its normal operating position unless its function is affected by the primary cause of failure, this being loss of power to a pump. The answer is, this is a Double Jeopardy failure, two unrelated events occurring at the same time. One has nothing to do with the other. Therefore, you only need to calculate the relief load for one scenario at a time. For the loss of power to a pump scenario, the relief load would be based on the amount of vapor generated at the "normal" rate of steam to the reboiler. For the steam control valve failure scenario, the relief load would be based on the amount of vapor generated by the heat provided by a wide opened steam valve (possibly limited by heat transfer constraints) with credit taken for the amount of vapor that can be condensed! Remember that for this failure, the condenser would still be in operation. Let’s look at the situation again. With the pump stopped, cooling water is lost to the condenser causing the distillation column to go into relief. However, this time the control room operator realizes that the relief valve has opened and attempts to stop steam flow to the reboiler. The operator puts the steam control valve in manual and tries to close it but it won’t respond because it is stuck. To free it, he strokes it wide-open, shooting steam into the reboiler and causing the generation of an excessive amount of vapor. Now we have two failures occurring at the exact same time but are now related. The power failure stops the pump and thus the cooling water to the column condenser. This causes the column to go into relief, which then causes the operator to react, initiating the second failure. This is a perfectly credible relieving scenario and the calculation of relieving load should be based on the amount of vapor generated by the heat provided by a wide opened steam valve (possibly limited by heat transfer constraints) without credit taken for the amount of vapor that can be condensed! Remember that for this failure, the condenser will NOT be in operation. A very obvious example of a Double Jeopardy failure would be a tube rupture in the reboiler occurring at the same time cooling water flow was lost to the condenser. Two very unrelated failures occurring at exactly the same time. By the way, stuck opened control valves occurring simultaneously with a second failure does NOT constitute Double Jeopardy. That valve may have been stuck in its operating position for a significant amount of time before the second failure has occurred. The first failure was the mechanical failure of the valve (sticking) and that did not happen at the same time as the second failure. These are unrelated failures but they do not occur simultaneously!
There are times when a failure may be obvious, cooling water stops to a condenser. Then there are times when it will take some stretching to find any, a pressure vessel operating in a nonflammable, low-pressure system with little fluid throughput. There are three approaches you can take when analyzing your process. You can be CONSERVATIVE. You can be conservative or, as I like to think of myself, you can be CONSERvative. I follow API 520 and 521 to the letter as a minimum. If my company or the client I am working for happens to have more stringent rules, these obviously supercede what is in API documents. For example, API 521, paragraph 3.15.1.1 basically allows you to "ignore" heights above 25 feet when considering how much of a vessel to include in a fire zone calculation. I worked for a company that used 50 feet for its standard. I will perform the necessary relieving load calculations for any scenario that cannot be rationally explained away, even if there is only a remote possibility that the failure will ever occur. The alternative is to perform fault tree analysis, risk assessment, etc. If it can be shown that a given scenario is indeed a 1 million to 1 long shot, then I’ll label it as being not credible. Until then, it’s only a relatively small amount of time that needs to be spent to perform the necessary calculations to be safe. In the case of analyzing for Double Jeopardy, this is where I get my most grief; my conservatism tells me to error on the safe side, the client’s money tells me to make the scenario go away. If I feel that even a Double Jeopardy failure can lead to a loss of life or major equipment damage, I might go ahead and do the relieving load calculations anyways (this does not usually go over too well with the powers-to-be because this usually results in larger relief systems). API 521, paragraph 3.4 states that one can take credit for operator response after 10-30 minutes. I stick with the higher end at all times. When analyzing a system for failures of control valves, I will always assume all my valves will fail as they are intended (fail close will indeed fail close, fail open will indeed fail open) except for the one control valve that will cause an overpressure hazard! This valve I assume to fail in the opposite direction (fails closed if it is intended to fail open). When analyzing a system for "what can go wrong" scenarios, plant instrumentation sometimes may be used to justify the elimination of some scenarios. For example, if I have a hard wired (opposed to a Distributed Control System-DCS) pressure interlock that will shut steam off to the reboiler when the column pressure rises to some predetermined value, and there are redundant pressure switches, I might consider cooling water failure to the condenser as not being a credible scenario. On the other hand, once a credible scenario has been established, you are never to take into account the use of instrumentation as a means of reducing the relieving load.
Always analyze the system as a whole. Don’t get tunnel vision on one area of the process. Of course you will consider individual "what can go wrong" scenarios but remember the example I used when discussing Double Jeopardy. I considered two actual failures that combined into one. I found these two by considering the system as a whole. "What can go wrong" scenario analysis is a very important but complex process. I do not intend to cover every nuance associated with it (simply because it will be impossible). I also don’t expect everyone to agree with my analysis for every API RP521 Item number (Table 1 above). That’s the fun and scary part of doing this type of work. Some of it can be highly subjective as to what constitutes a credible scenario. I strongly suggest you get a copy of API 5203 and 5212 and the ASME Boiler and Pressure Vessel Code, Section VIII, Division 14 and try to read through them (the operative word here is "try"). I welcome and encourage your feedback. Feel free to E-Mail me at the Internet address below. All correspondences that include a name will be published in this column. Better yet, I encourage discussion of any topic I cover utilizing The Chemical Engineers' Resource Message Board. This will enable the entire Internet community to join and learn. And, don’t forget to check back for future installments on this series.
References: By: Philip Leckner, First Content Manager (read
the author's Profile) |
ChE Plus Subscriber - Click Here for a Printable Version
