A Scenario-based Risk Analysis and Safety Design of Batch Processes


Atsushi Aoyama* and Yuji Naka
Tokyo Institute of Technology, Chemical Resources Laboratory, Nagatsuta Midori Yokohama Japan

Abstract

Batch processes become increasingly important due to a greater emphasis on low-volume, higher added value products and a need for flexibility in market-driven environments. Process safety management has become a crucial issue, and its implementation has become mandatory as public concern about the environmental impacts and safety of chemical industries has heightened. This research proposes a risk analysis and safety design method for batch processes as well as an information model used for it. The proposed method achieves an efficient construction and maintenance of abnormal situation handling procedures.

Keywords: batch process, risk analysis, safety design, process hazard analysis, independent protection layer, abnormal situation handling, hazard and operability analysis (HAZOP)

1. Introduction

Process safety management has traditionally been handled by bottom-up approaches such as TPM (Total Preventive Maintenance), where existing process safety technologies are simply bunched together. A scenario-based risk analysis and safety design is proposed based on the concept of the independent protection layer (IPL) proposed by CCPS to achieve a high level of process safety [CCPS, 1993]. A scenario-based risk analysis such as HAZOP has a number of advantages, including the possible utilization of the safety design rationale for the management of changes, which is especially important for batch processes where changes in plant structures, recipes and manufacturing schedules are prevalent. However, the transient nature of batch processes makes a scenario-based risk analysis very difficult because it requires a massive number of hazard scenarios to be examined. The next section describes the concept of the scenario-based risk analysis and safety design method for batch processes. Section 3 briefly explains the batch polymerization plant that is used for a case study. Section 4 introduces the layered structure model of plant structure and recipe procedure. Section 5 explains the proposed method layer by layer. Section 6 briefly summarises the achievement.

* Author to whom correspondence should be addressed: aoyama@pse.res.titech.ac.jp

2. Risk Analysis and Safety Design of Batch Processes

The current risk analysis and safety design of batch processes is carried out using the heuristics and experience of process designers and safety engineers, without a systematic or formal procedure to follow. The quality of the safety design is highly dependent on the expertise of the engineers. In addition, this practice does not support the collection and recording of the safety design rationales that justify the implemented safety measures. This causes a problem in the management of changes: changes in plant structure or operation always demand a re-evaluation of safety measures from scratch, because there is no way to estimate the effects of design changes on safety. A cure for these problems is a scenario-based approach, where various abnormal situation scenarios are generated, the risks of those scenarios are estimated, and a safety design is recommended to contain those risks within acceptable levels. Many process hazard analysis (PHA) methods exist, but the hazard and operability analysis (HAZOP), which estimates qualitative process risks by deviating process state variables, is the most widely used for continuous processes. More elaborate descriptions of HAZOP are found everywhere [CCPS, 1992]. HAZOP assumes a deviation of process variables (e.g. temperature, pressure, flow rate and components) from their normal steady states and estimates the causes and effects of the deviation. There is no concept of a normal steady state in batch processes, because the process states are ever changing due to operations dynamically carried out following the manufacturing schedule. A massive number of abnormal situation scenarios and abnormal situation handling procedures would have to be considered and evaluated in order to apply HAZOP to batch processes in its original form.
Although quality risks and productivity risks are important as well in batch processes, HAZOP mainly focuses on the risks causing physical damage to plant structures and humans. This paper introduces a layered structure into the risk analysis and safety design of batch processes, notably CGU, Unit and Cell level management, and constructs the abnormal situation handling procedures for an entire plant as a combination of them. The risk analysis and safety design of each plant structural region is encapsulated and can be reused for various failure modes as long as the effect on the concerned region is identical. This research also proposes to employ failure modes (equipment failure, abnormal material behavior and mal-operations) as initiating events instead of process state deviations. The proposed method requires a rigorous definition of the plant structure model, the recipe procedure model and their correspondence. Those information models are explained in Section 4. The proposed method is elaborated in Section 5.

3. Batch Polymerization Case Study

Figure 1 shows a schematic of the batch polymerization plant that produces an unsaturated polyester liquefied resin. Glycol, unsaturated dibasic acid and saturated dibasic acid are heated, dried and polymerized to make unsaturated polyester. The unsaturated polyester is mixed with a vinyl monomer that is the cross-linking agent. A reactor, a mixing tank and a solvent recovery subsystem constitute the batch polymerization plant. The esterisation takes place by adding the reaction catalyst to the glycol and dibasic acid mixture and heating it in the reactor. The moisture generated during the reaction goes together with an evaporated gas ingredient, and the moisture is separated and removed by condensation equipment. A distillation solvent is added to the condensed product liquid portion, and it is returned to the reactor. After the reaction is completed and the reactor temperature has cooled down, the intermediate product is transported to the mixing tank. In the mixing tank, the intermediate product is mixed with the cross-linking agent (vinyl monomer), and the liquefied resin is obtained. Using a suitable radical initiator, the solid resin is manufactured; it is transported to a product tank with a pump, and a product manufacturing process (one batch) is completed.

[Figure 1: Batch Polymerization Reactor. Schematic labels: Glycol Feed CGU = ECGU1 + ECGU2; ECGU1 (glycol, dibasic acid A and dibasic acid B feeds); ECGU2; reactor with partial condenser, packed tower, total condenser, separator, vacuum pump and exhaust; additives, solvent, polymerization inhibitor and inert gas feeds; steam, heat medium and cooling water supplies and returns; solvent tank; water reservoir; mixing tank with cross-linking agent feed, condenser, transfer pump and products outlet.]

4. Information Models for Safety Management

4.1 Plant Structure Model

The plant structure model refers to the description of the components of which the plant is built as well as their topological representation. The entire plant is called the Cell. The most basic component of the Cell is equipment (e.g. pipes, valves). The elemental-controlled-group-unit (ECGU) is identified as an assembly of equipment isolatable from the other parts of the Cell by valves and pumps. ECGUs are identified from the Cell topology only. On the other hand, the controlled-group-unit (CGU) and the Unit cannot be derived from the equipment topology only. A Unit describes an aggregation of ECGUs that have a common main unit such as a reactor or distillation column. A CGU is an aggregation of ECGUs that is actually handled as an isolated region from the other parts of the Cell during an operation. Note that, unlike in continuous plants, the CGUs are reconfigured continuously and dynamically during the operation of batch plants.

4.2 Recipe Procedure Model

A control recipe contains the information to produce a specific batch size of product after each operation is assigned to specific equipment. It also contains the information about when each operation should be started. A procedure defined in each recipe has a layered structure, Procedure, Unit procedure, Operation and Phase, following the definition of ANSI/ISA S88 [ANSI/ISA, 1995]. A Procedure corresponds to all the production steps to produce a batch. A Unit procedure corresponds to all the production steps carried out at and around a main unit such as a reactor or distillation column. An Operation is an operation carried out at a main unit and its peripherals, and a Phase is an individual step to complete an operation. A procedure (Procedure, Unit procedure, Operation and Phase) has an initiation trigger that establishes the triggering criteria. The activation of a procedure changes the state of the structure (such as opening a valve), and the behaviour comes out from such changes. One of the unique contributions of this model is the exact correspondence between the recipe procedure and the plant structure. A Procedure corresponds to a Cell. A Unit Procedure is a process executed at a Unit. An Operation is a process executed at a CGU that is dynamically configured from ECGUs. Phases are execution steps carried out in a CGU.

4.3 Hazard Propagation Model

The hazard propagation model has an internal structure based on the concept of the Multi-Dimensional Formalism (MDF) that enables an explicit representation of structural, behavioral and managerial perspectives.
The core of this formalism is based on the more general multi-dimensional object-oriented model (MDOOM) [Naka et al., 1997] that provides a conceptual and generic framework. In the MDF scheme, the elements of the model are configured to perform roles in a similar way to those played by the equipment, controllers, processed material and energy in a real plant. The management elements can change the attributive parameters of the corresponding structure model. The structure model parameters in turn work as constraints on the corresponding behavior model. The MDF separates behaviours from equipment because physico-chemical phenomena are not necessarily intrinsic to a certain piece of equipment. This approach allows the presence of more than one kind of behaviour associated with a particular equipment item. This separation is also useful to represent matter, energy and information flows that do not flow through a defined pipe. For example, a vessel leakage or sunshine heating of the equipment can easily be represented as a kind of behaviour object.

5. Risk Analysis and Safety Design Procedure

This research proposes to execute the risk analysis and safety design layer by layer (CGU level, Unit level and Cell level). In the CGU level risk analysis and safety design, the effects of initial events within the CGU are evaluated and the risks to plant structure and humans, product quality and productivity are analysed. The CGU level safety measures belonging to IPL3 (critical alarms, operation supervision and manual intervention), IPL4 (automatic action, SIS) and IPL5 (relief devices) are designed to mitigate the effects and contain them within the CGU as much as possible. In the Unit level risk analysis and safety design, the effects of the CGU abnormality caused by the initial events are evaluated and the risks to product quality and productivity of the Unit are analysed. The Unit level abnormal situation handling procedures are designed to coordinate the safety measures of the CGUs in which the initial event does not occur. The Unit level abnormal situation handling procedure may cause a delay or a cancellation of certain Unit procedures. The Cell level abnormal situation handling procedure is designed to reschedule and coordinate the execution of Unit procedures.

5.1 CGU Level Risk Analysis and Safety Design

An Operation has an exact correspondence to a CGU. For example, the Operation Glycol Feeding corresponds to the CGU highlighted in Figure 1. At the first step, an initial event leading to abnormal situations, categorized as an equipment failure, an abnormal material behavior or a mal-operation, is identified. In the case study, the initial events include a failure to close XV4102, XV4103 or XV4104, a failure to open or close XV4101, and a malfunction of the INT4101.SUMX accumulated flow sensor. A risk analysis is carried out, and a probability, a severity, a propagation path and an affected area are estimated. Further, a propagation speed is estimated. The propagation of events is modeled as the interaction of structure (valves, pipes, sensors and tanks), behavior (glycol) and operation (sensor-actuator pair) based on the concept of MDF. The risk level is computed from these estimations, and whether it is acceptable or not is determined according to the predefined criterion.
If the risk is not acceptable, the abnormal situation category (recovery, partial shutdown or total shutdown) is determined, and safety measures such as the installation of a timer to detect a malfunction of the INT4101.SUMX accumulated flow sensor and the manual closing of XV4101 are implemented.

proc_id          | init_trigger                                      | action_task            | description
-----------------+---------------------------------------------------+------------------------+--------------------------------------
P01UP01OP04PH02  | P01UP01OP04 STARTED                               | SET INT4101.SUMX x012  | Initialize Accumulated Flow Sensor
P01UP01OP04PH03  | P01UP01OP04PH02 COMPLETED                         | CLOSE XV4102           | Isolation of Glycol Feeding Line
P01UP01OP04PH03  | P01UP01OP04PH02 COMPLETED                         | CLOSE XV4103           | Isolation of Glycol Feeding Line
P01UP01OP04PH03  | P01UP01OP04PH02 COMPLETED                         | CLOSE XV4104           | Isolation of Glycol Feeding Line
P01UP01OP04PH04  | P01UP01OP04PH03 COMPLETED                         | OPEN XV4101            | Reservation of Glycol Feeding Line
P01UP01OP04PH05  | P01UP01OP04PH04 STARTED AND INT4101.SUMX GT x013  | CLOSE XV4101           | Shutting Down of Glycol Feeding Line

Figure 2 Part of Control Recipe

5.2 Unit Level Risk Analysis and Safety Design

The effects of an initial event often spread outside the CGU in which the initial event occurs. For example, the failure of the INT4101.SUMX accumulated flow sensor may result in an elongated glycol feeding time and an excessive amount of glycol in the reactor. A Unit level abnormal situation handling procedure includes the mechanism and the evaluation criteria to determine the expected state of the Unit (recovery, holding, partial shutdown or total shutdown) and the expected states of all the other CGUs. In the case study, if the expected state of the Unit is recovery, the operations have to be modified to increase the amount of dibasic acid and cross-linking agent charged to the reactor according to the elongated glycol feeding time and the excessive amount of glycol in the reactor.

5.3 Cell Level Risk Analysis and Safety Design

A Unit level safety measure may cause a deviation of the Unit procedure processing time or the cancellation of a Unit procedure. The following four situations are possible.

1. Temporary and Deterministic Processing Time Deviation: The processing time of the Unit procedure deviates. The Unit procedures following that Unit procedure and the Unit procedures to be executed at the concerned Unit have to be rescheduled.
2. Permanent and Deterministic Processing Time Deviation: The processing time of every Unit procedure executed in the concerned Unit is changed. All the Unit procedures following the Unit procedures executed at the concerned Unit have to be rescheduled.
3. Temporary Unit Disability: The Unit procedure executed at the concerned Unit is canceled. Although this does not affect the processing time of the Unit procedures scheduled to be executed in the concerned Unit, their start times will be changed.
4. Permanent Unit Disability: The Unit procedure executed at the concerned Unit is canceled, and the Unit procedures scheduled to be executed at the concerned Unit have to be reassigned to another Unit.
5. Waiting: A deviation from the normal state has been identified, but the categorization has not been done yet.

The Cell level safety measure consists of rescheduling policies corresponding to these situations. The Cell level procedure (multi-task management) decides the expected state of the Units (recovery, holding, partial shutdown or total shutdown) and coordinates all the Unit procedures.

6. Conclusions

This paper introduces a layered structure into the safety management of batch processes. Units and CGUs are convenient regions for this purpose, as these regions are isolated most of the time by valves.
The three levels of safety measures, CGU, Unit and Cell level, are combined to generate an abnormal situation handling procedure for the entire plant. This enables the construction of a comprehensive abnormal situation handling procedure from relatively few elemental safety measures and achieves easy maintenance of the procedure.

References

Center for Chemical Process Safety (CCPS), Guidelines for Safe Automation of Chemical Processes, American Institute of Chemical Engineers, New York, 1993.
Naka, Y., Lu, M.-L. and Takiyama, H., Operational design for start-up of chemical processes, Computers & Chemical Engineering, Vol. 21, pp. , 1997.
Center for Chemical Process Safety (CCPS), Guidelines for Hazard Evaluation Procedures, American Institute of Chemical Engineers, New York, 1992.
ANSI/ISA-S88, Batch Control Part 1: Models and Terminology, 1995.
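As an added worked example, not part of the original paper: a toy executor for the Glycol Feeding operation of Figure 2 (Section 5.1), with the timer safety measure implemented as a watchdog that closes XV4101 when INT4101.SUMX stops advancing. The setpoints x012 and x013, the flow rate and the time limit are assumed values, and the watchdog acts automatically here, whereas the paper pairs the timer with manual closing of XV4101.

```python
"""Toy executor for Operation P01UP01OP04 (Glycol Feeding) of Figure 2 with a
timer-based protection layer for the INT4101.SUMX sensor. All numeric values
are assumed for illustration; none is taken from the plant in the paper."""
from dataclasses import dataclass, field

X012 = 0.0        # reset value written to INT4101.SUMX in PH02 (assumed)
X013 = 100.0      # accumulated glycol that ends PH05, arbitrary units (assumed)
FLOW_RATE = 10.0  # glycol delivered per time step while XV4101 is open (assumed)
TIME_LIMIT = 15   # steps PH05 may run before the timer trips (assumed)
VALVES = ("XV4101", "XV4102", "XV4103", "XV4104")

@dataclass
class Plant:
    valves: dict = field(default_factory=lambda: {v: "OPEN" for v in VALVES})
    sumx: float = 0.0           # INT4101.SUMX as the recipe sees it
    true_flow: float = 0.0      # glycol actually delivered (invisible to the recipe)
    sensor_stuck: bool = False  # initial event: INT4101.SUMX malfunction
    alarms: list = field(default_factory=list)

    def step(self):
        """Advance one time step: glycol flows whenever XV4101 is open."""
        if self.valves["XV4101"] == "OPEN":
            self.true_flow += FLOW_RATE
            if not self.sensor_stuck:
                self.sumx += FLOW_RATE

def run_glycol_feed(sensor_stuck=False, timer_ipl=True):
    """Execute PH02..PH05 of Figure 2 and return the final plant state."""
    p = Plant(sensor_stuck=sensor_stuck)
    p.sumx = X012                          # PH02: SET INT4101.SUMX x012
    for v in ("XV4102", "XV4103", "XV4104"):
        p.valves[v] = "CLOSED"             # PH03: isolate the glycol feeding line
    p.valves["XV4101"] = "OPEN"            # PH04: reserve the glycol feeding line
    elapsed = 0
    while p.valves["XV4101"] == "OPEN":    # PH05 waits for INT4101.SUMX GT x013
        p.step()
        elapsed += 1
        if p.sumx > X013:
            p.valves["XV4101"] = "CLOSED"  # normal completion of PH05
        elif timer_ipl and elapsed > TIME_LIMIT:
            # Safety measure: the sensor has not advanced in time, so treat it
            # as failed and close XV4101 before the reactor is overcharged.
            p.alarms.append("INT4101.SUMX timer expired: closing XV4101")
            p.valves["XV4101"] = "CLOSED"
        elif elapsed > 10 * TIME_LIMIT:
            # Without the timer the feed runs unchecked; cut the simulation off.
            p.alarms.append("feed ran unchecked: simulation cut off")
            p.valves["XV4101"] = "CLOSED"
    return p

def feed_line_isolated(p):
    """True when every valve of the glycol feeding line is closed."""
    return all(p.valves[v] == "CLOSED" for v in VALVES)
```

Comparing `run_glycol_feed(sensor_stuck=True)` with and without `timer_ipl` shows how much glycol reaches the reactor before the feed stops, which is the quantity the Unit level procedure of Section 5.2 must compensate for.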