INSTRUMENTATION AND

CONTROLS FOR SAFETY

M. B. Jennings
CHE 185
 INHERENTLY SAFE DESIGN

• PROCESS RISK MANAGEMENT METHODS USED

DURING THE DESIGN PHASE CAN BE PUT
INTO 4 CATEGORIES:
– Inherent
– Passive
– Active
– Procedural
• TARGET IS A FAIL-SAFE INSTALLATION

• FROM: Dennis C. Hendershot and Kathy Pearson-Dafft, Safety Through

Design in the Chemical Process Industry: Inherently Safer
Process Design , AIChE Process Plant Safety Symposium,
27OCT98
 INHERENT SAFETY DESIGN

• Inherent — Eliminating the hazard by using

materials and process conditions which are non-
hazardous.
– Minimize — Reduce quantities of hazardous substances
– Substitute — Use less hazardous substances
– Moderate — Use less hazardous process conditions, less
hazardous forms of materials, or configure facilities to
minimize impact from hazardous material releases or
uncontrolled energy release
– Simplify — Configure facilities to simplify operation
 PASSIVE SAFE DESIGN

• Passive — Minimizing the hazard by process

and equipment design features which reduce
either the frequency or consequence of the
hazard without the active functioning of any
device.
– Location of facilities – separation of ignition
sources and fuels from other facilities
– Design equipment for design pressure in excess of
the adiabatic pressure from a reaction.
 ACTIVE SAFE DESIGN

• Active — Using facilities to detect and correct

process conditions:
– controls
– safety interlocks
– monitoring systems for hazards that develop over
a long term
– and emergency shutdown systems to detect and
correct process deviations.
 PROCEDURAL SAFE DESIGN

• Procedural — Prevention or minimization of

incident impacts using:
• Safe operating procedures and operator
training
• Administrative safety checks
• Management of Change
• Planned emergency response
 DESIGN IN OVERALL SAFETY MANAGEMENT
Art M. Dowell, III, Layer of Protection Analysis, 1998 PROCESS PLANT SAFETY
SYMPOSIUM, October 27, 1998 Houston, TX
DESIGN OF SAFETY INSTRUMENTED SYSTEMS

• ACTIVE INHERENTLY SAFE DESIGN

PROCEDURE (Separate instrumentation
and control component in CHE 165
Design)
• First Level – Alarm systems for out of
range situations and operator action
• Second Level – Interlock systems to
automatically activate safety devices
• Third Level – Devices to minimize impact
of out of control conditions
 USE OF HAZAN AND HAZOP
• PHA’s (Process Hazards Analysis) Are
used to define areas of concern
• HAZAN and HAZOP provide a summary
of the type of risk associated with
various process locations and operations
– Frequency should be determined
– Intensity should be determined
 OVERPRESSURIZATION EXAMPLE

• OVERPRESSURIZATION IS THE SUBJECT OF

NUMEROUS CODES & REGULATIONS
– AIChE Design Institute for Emergency Relief
Systems (DIERS)
– OSHA 29 CFR 1910.119 – Process Safety
Management of Highly Hazardous Chemicals
– NFPA 30 – Flammable & Combustible Liquids
– API RP 520 and API RP 521 – Pressure Relieving
Devices and Depressurization Systems
– ASME Boiler & Pressure Vessel Code
– ASME Performance Test Code 25, Safety & Relief
Valves
 SOURCES OF OVERPRESSURIZATION

• API 521 LISTS THE FOLLOWING

CATEGORIES OF SOURCES
API RP Overpressure Cause API RP Overpressure Cause
521 Item 521 Item
No. No.

1 Closed outlets on vessels 10 Abnormal heat or vapor input

2 Cooling water failure to condenser 11 Split exchanger tube

3 Top-tower reflux failure 12 Internal explosions

4 Side stream reflux failure 13 Chemical Reaction

5 Lean oil failure to absorber 14 Hydraulic expansion

6 Accumulation of noncondensables 15 Exterior fire

7 Entrance of highly volatile material 16 Power failure (steam, electric, or other)

8 Overfilling Storage or Surge Vessel Other

9 Failure of automatic control

 FIRST LEVEL DESIGN

• HOW ARE SOURCES ADDRESSED FOR A

STORAGE TANK?
• Item 1 in previous list - Closed outlets on vessels
– Would be a concern for a nozzle used for pressure control
in the tank, during filling operations.
• Perhaps a temporary blind flange would have been left in place after a
maintenance operation.
• A pressure relief valve may malfunction.
– A PAH pressure switch (ΔP) could be installed if there was
measurable difference between the Normal Operating
Pressure and the Maximum Allowable Working Pressure.
 SECOND LEVEL DESIGN

• HOW ARE SOURCES ADDRESSED FOR A

STORAGE TANK?
• Item 1 in previous list - Closed outlets on vessels
• Add a pressure relief valve to allow gas to leave the
tank and be directed to an appropriate flare or
scrubber.
• Set point needs to be at or slightly above the
Maximum Allowable Working Pressure
• Need an interlock to:
– Alarm to indicate valve has been activated and receiving
unit (flare or scrubber) is activated.
– Shut down a valve in the tank fill line and/or shut off a
pump used for filling.
 THIRD LEVEL DESIGN

• HOW ARE SOURCES ADDRESSED FOR A

STORAGE TANK?
• Item 1 in previous list - Closed outlets on vessels
• Add a rupture disc to relieve to either a flare or
scrubber.
• This level is to protect the equipment from failure
on a major scale
• Need to have an indication that the rupture disc
has opened – typically a wire across the disc
• Need to determine actions necessary when the
disc opens – stop filling, start flare, etc.
 OTHER DESIGN CONSIDERATIONS

• A large storage tank is filled manually by

an operator opening and closing a valve.
Once a year, the tank overfills as the
operator is distracted by other activities.
A high pressure alarm is added to the
tank. After the alarm is added, the tank
is typically overfilled twice a year.
• Why?
 EXAMPLE 1

• After the alarm was installed, the

operator relied on it to indicate a high
level and did not supervise the filling
closely. The alarm loop turned out to
have a failure rate of twice per year, so
the system was not as reliable as the
manual operation.
 OTHER CONSIDERATIONS – EXAMPLE 2

• Fail-safe valves are either Air-to-Open or Air-

to-Close, which equate to Fail Closed and Fail
Open, respectively. Recommend the correct
valve for the following processes:
1. Flammable solvent heated by steam in a heat
exchanger. Valve is on the steam supply line.
2. Exothermic reaction. Valve is on the reactant
feed line.
3. Endothermic reaction. Valve is on the
reactant feed line.
4. Gas-fired utility furnace. Valve is on the gas
supply line.
 EXAMPLE 2 - CONTINUED

• SPECIFY EITHER FAIL-CLOSED OR FAIL-

OPEN FOR THE VALVES IN THESE SYSTEMS
5. Remote-operated valve on the drain for a
storage tank.
6. Remote-operated valve on the fill line to a
storage tank.
7. Gas-fired Combustion furnace. Valve is on
the air supply line.
8. Steam supply line. Valve controls the
downstream steam pressure from the boiler.
 EXAMPLE 2 – SOLUTIONS 1

1. Valve to FAIL-CLOSED to prevent

overheating the solvent
2. Valve to FAIL-CLOSED to avoid a
runaway reaction
3. Valve to FAIL-CLOSED to avoid reactor
thermal stresses.
4. Valve to FAIL-CLOSED to stop gas flow
to uncontrolled combustion.
 EXAMPLE 2 – SOLUTIONS 2

5. Valve to FAIL-CLOSED to prevent

draining material from tank
6. Valve to FAIL-CLOSED to prevent
overfilling tank
7. Valve to FAIL-OPEN to maximize air
flow to furnace
8. Valve to FAIL-OPEN to avoid localized
overpressure of line
 EXAMPLE 3

• 4 kg of water is trapped in between inlet

and discharge block valves in a pump.
The pump continues to operate at 1 hp.
– What is the rate of temperature increase in
C/hr if the cP for the water is constant at 1
kcal/(kg C)?
– What will happen if the pump continues to
operate?
 EXAMPLE 3 SOLUTION - 1

• Assume adiabatic conditions for the

calculations: Set up a heat balance: Q m Cp  ( T − Tref)
Take the derivative with respect to time and
dQ dT
rearrange to get m  Cp  . And
dt dt
dT 1 dQ
resolving to get 
dt m  Cp dt
kcal
Using conversions: 1  hp 0.178 
sec
kcal kcal
m = 4  kg dQ/dt = 0.178  Cp = 1 
sec kg  C
1 C
dT/dt =  dQ/dt dT/dt = 160.2
m  Cp hr
 EXAMPLE 3 SOLUTION - 2

• Allowing the pump to continue to run

will eventually result in high pressure
steam formation. This could result in the
pump exploding.
• Adding a thermal switch or a high
pressure switch to shut down the pump
can prevent this from occurring.