Application of Extended Hazop and Event-Tree Analysis for Investigating Operational Failures and Safety Optimization of Distillation Column Unit
Naveed Ramzan, Fred Compart, and Werner Witt
Lehrstuhl Anlagen und Sicherheitstechnik, Brandenburgische Technische Universität, Burger Chaussee 2, Lehrgebäude 4/5, Cottbus 03044, Germany; [email protected] (for correspondence)
Published online 11 May 2007 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10202
Process safety has a high priority in the chemical industry, and distillation is the most widely used unit operation in the chemical-processing industries. The use of dynamic simulation for safety-related studies of a distillation column is of great significance for the study of operational failures. In this article, a systematic framework based on Extended Hazop and Event-tree analysis is applied to a distillation column unit of a chemical plant. Overpressuring of the column is studied, and different safety system alternatives are generated and evaluated using Event-tree analysis. This article describes the details of an effective method applied to a distillation column, but the method can also be used for other hazardous unit operations. © 2007 American Institute of Chemical Engineers Process Saf Prog 26: 248–257, 2007
Keywords: overpressure, distillation unit, risk potential matrix, emergency shutdown systems
INTRODUCTION
In the chemical-processing industries, a safe design (which minimizes the likelihood of process accidents and mitigates their consequences) and safe operation have a high priority. Distillation is the workhorse separation process of the chemical-processing industries. The skylines of many refineries and chemical plants are dominated by tall distillation towers, and they are unlikely to be displaced in the near future by any other more efficient technique. Despite the huge progress in distillation, the number of malfunctions reported per year has risen [1]. Therefore, in this article the methodology based on Extended Hazop (Hazop supported by dynamic simulation) and event trees for the identification of operational failures and safety system optimization, which we presented in [2], is illustrated with the help of a distillation unit from an industrial plant. The block diagram of the methodology is shown in Figure 1.
SYSTEM DESCRIPTION AND OBJECTIVES OF ANALYSIS
Plant and Process Description
The unit under discussion is part of a hydrocarbon recovery plant, which removes hydrocarbons and other solvents from the off-gases. Water, acetone, methanol, and acetic acid are the main components of the feed stream. The product stream (acetone rich) is separated from the effluent by using live steam injection. The column has a diameter of 0.728 m and consists of 35 trays. The live steam enters at stage 35 at a temperature of 141 °C and a pressure of 375 kPa.
248 September 2007 Process Safety Progress (Vol.26, No.3)
The feed, which is at its bubble point, enters at stage 16 (the stages are numbered from top to bottom) with a column head pressure of 100 kPa. The separation targets (mass %) are distillate: water < 10%; bottoms: acetone < 2000 ppm; methanol < 2%; acidity < 3%, where acidity is the sum of the mass fractions of the acids, that is, acetic acid, formic acid, and propionic acid, in the bottoms stream.
The feed rate is about 4000 kg/h. The temperature at stage 24 is controlled by modifying the steam rate. The design temperature of the column is 115 °C and the design pressure is 190 kPa. Figure 2 shows the stripping column with its basic process control and monitoring systems. The important points to be noted in the system are
• The absence of any flow measuring device for the bottoms stream;
• A U pipe is used for level control instead of a level control system at the column base;
• A vent line of 80 mm diameter is installed to cope with the overpressure hazard.
In case of emergency conditions, the plant is shut down manually according to the emergency shutdown procedure.
Objectives of Analysis
The objectives of the analysis are to
• identify weak points that could lead to operational failures or potential hazards;
• examine the effect of these causes (e.g., loss of cooling) on the dynamic behavior of the column;
• analyze the effectiveness of existing measures;
• recommend further suitable preventive and operative safeguards if necessary.
SAFETY/RISK ANALYSIS
Extended Hazop
Extended Hazop supported by simulation of process malfunctions (Figure 2) is carried out. The situation of overpressure in the column is considered here. Overpressure is the result of an imbalance or disruption of the normal flows of material and energy, or both. Analysis of the causes of overpressure in a distillation column is a complex study [3]. Common causes that may result in overpressure are also presented in Figure 2.
Aspen Dynamic Model
First, a steady-state simulation model is developed in Aspen Plus and validated against the plant data. Then this steady-state model is cast into a dynamic simulation model in Aspen Dynamics with a somewhat modified control scheme for the simulation study of process malfunctions. Figure 3 shows the Aspen Dynamics model developed. The basic assumptions are
• Unidirectional flow in the column.
• Perfect mixing on trays.
• Murphree efficiency is assumed constant.
• The vent line open to atmosphere for overpressure relief is simulated by installing a process safety relief valve that opens at a pressure slightly above atmospheric and closes at atmospheric pressure.
• Inert gases are not considered.
• Instead of a cascade control loop for bottom product quality, a temperature controller (plate 24 temperature) acting on the steam rate is used.
• The column bottom liquid level is maintained by a level controller instead of the U pipe.
Figure 1. Simplified block diagram of methodology based on Extended Hazop.
Some results for the deviation "more pressure" (P > Pdesign) from the Extended Hazop review are described here to illustrate the methodology and are shown in Table 1. Two of the identified causes/scenarios, (a) less or total loss of cooling capacity and (b) restriction or blockage of the vent line while the pressure in the column rises, are discussed in detail.
Figure 2. Process diagram of system and common causes for overpressure: 1. Loss of coolant, 2. Loss of electric power, 3. More steam, 4. Loss of instrument air, 5. Failure of bottom product (steam controller), 6. Failure of feed controller, 7. Failure of distillate (reflux) controller, 8. More feed, 9. Failure of exchanger tubes, 10. Exterior fire, 11. Accumulation of noncondensibles, 12. Closed column/restrictions in outlets, 13. Internal explosion. [Color figure can be viewed in the online issue, which is available at www.interscience.wiley.com.]
Figure 3. Aspen Dynamics model developed.
Table 1. Output from the Extended Hazop review of distillation column unit.

Worksheet header
Plant: DF | Process: Stripping column | Equipment: T1701 | Function: Separates HCs from effluent stream
Document: HI-2 | Volume: V1 | Page No: 2 | Dated: ..........
Operating conditions: X_D,H2O < 10%; T_operation = 55 °C–105 °C; P_operation = P_atm; M_F = 4000 kg/h
Design conditions: T_design = 115 °C; P_design = 1.9 bara

Columns: No. | Process Function/Parameter | Detection | Possible Causes | Consequences | FC* | Recommended Actions | FC | Ref. No.

No. 2 | Parameter: Pressure, deviation "More" | Detection: Not direct; PDI 1703, PI 1704

2.1 | Possible cause: † Less or loss of cooling capacity in E1705 and E1702 | Ref. No. 2-1
    Physical effects: reflux drum V1701 may run dry; reduction of reflux; P > P_design
    Risk-related consequences | FC | Recommended actions | FC
    product quality deteriorates | 22 | pressure alarm and examine vent line capacity | 20
    loss of production | 24 | (same action) | 33
    release of material to atmosphere via vent line, which may or may not be safely dispersed and can result in jet fire or VCE | 48 | { automatic emergency shutdown (ESD) system | 75

2.2 | Possible cause: †† Restriction/blockage of vent line plus pressure rise | Ref. No. 2-1
    Physical effects: accumulation of inert gases in condensers E1705 and E1702; reduction of condenser E1702 capacity; increase of temperature profile
    Risk-related consequences | FC | Recommended actions | FC
    product quality deteriorates | 31 | pressure alarm | 30
    loss of production | 35 | †{ automatic ESD system | 43
    release of material, which may lead to fire ball, VCE, or flash fire | 68 | ** examining vent line | 75
    column leakage or rupture | 37 | – |

*In FC, F represents the frequency class rating from 0–9 and C represents the consequence class rating from 0–8 [2]. Thus the first digit of the number below the entry "FC" shows the frequency class of occurrence of the consequence (F) and the second digit defines the consequence class (C). The number defines the risk category in the risk potential matrix.
**Shortcut calculations. † Dynamic simulation. †† Fault tree analysis or historic databases. { Deterministic models. † Event-tree analysis.
(a) Less or Total Loss of Cooling Capacity
The total loss of cooling capacity is simulated by "NO" cooling medium flow by writing the following task (edited in Aspen Dynamics):

    Task ConFail runs when time = 60
      BLOCKS("PC1").automan : 1;
      BLOCKS("PC1").opman : 0;
    End

The task ConFail activates at simulation time t = 60 min; the controller PC1, which manipulates the cooling medium flow, is switched to manual with its output set to zero. At this time the cooling medium flow falls to zero, as shown in Figure 4a. In response to this disturbance, within about 3–4 min the pressure in the column rises rapidly (Figure 4b). This is due to the fact that with no cooling medium, vapors accumulate in the column head section, which leads to a rise in pressure in the column. After a short period of time, the vapor is released via the relief vent to avoid overpressure, as shown in Figure 4c.
The rate of material release reaches a maximum of 1600 kg/h and the distillate flow reduces to zero. The reflux drum becomes empty in about 30 min and the reflux flow falls to zero. Because of the release of material to atmosphere via the relief valve, the column pressure does not rise above the design pressure, but it remains above the normal operating pressure until the cooling capacity is restored.
Thus the risk-related consequences of this scenario are
• Product quality deterioration with less cooling;
• Loss of production with total loss of cooling;
• Release of material to atmosphere, which may or may not be safely dispersed.
The frequency of this scenario (total loss of cooling) is calculated using failure rate data of the components. The failure rate data used are taken from the open literature [4–6] and serve only to illustrate the methodology. The consequence class and frequency class according to a scoring chart [2] are established for these risk consequences using Event-tree analysis. Event-tree analysis is applied in two distinct ways:
1. Preincident application, to examine the systems in place that prevent precursors from developing into incidents.
2. Postincident application, to identify the incident outcomes.
Figure 5 shows the Event-tree analysis for this scenario. The frequency of a safe shutdown is 0.1225 per year; therefore, the frequency class for the risk consequence loss of production is two and the consequence class is four for this medium-term production disturbance according to the score chart [2]. This frequency and consequence class is documented in the Extended Hazop worksheet (Table 1) for the risk of loss of production. The release of material may result in a range of possible incident outcomes such as jet fire, vapor cloud explosion (VCE), and flash fire. So the frequency and consequence class for the worst one (i.e., VCE, with frequency class 4 and consequence class 8, Figure 5) is documented in Table 1 for the risk consequence of the release of material.
(b) Restriction or Blockage of the Vent Line When the Pressure in the Column Rises
The increase in pressure is simulated by less or total loss of cooling capacity together with a blockage of the vent line (closed atmospheric vent). As shown in Figure 6, the cooling water flow is reduced in three steps (10%, 35%, and 50% reduction), and finally a complete loss of cooling medium flow is simulated. Cooling water (7818 kg/h) is supplied to the condenser during normal operation. At simulation time t = 2.5 h, the first step change is introduced, which reduces the cooling water flow rate to 7036 kg/h. Then at t = 6 and 10 h, the second and third step changes are introduced, which reduce the cooling water flow rate to 5082 and 3909 kg/h, respectively. Finally, at t = 15 h, the total loss of cooling capacity occurs. This stepwise reduction in cooling capacity is shown in Figure 6a. The simulated responses of column pressure, reflux mass flow, and distillate mass flow to these disturbances are shown in Figures 6b and 6c. At about 35% reduction in cooling with no vent available for release of material, the maximum column head pressure exceeds the design pressure (190 kPa), and at a total loss of cooling it rises sharply to three times the design pressure and then settles at twice the design pressure. The reflux falls to zero at total loss of cooling-medium flow. Thus the risk consequences of this scenario are
• Product quality deterioration on less cooling;
• Loss of production on total loss of cooling;
• Instantaneous release of material due to column rupture.
The frequency class and consequence class of these risk-related consequences are established in the same way as for scenario (a) and documented in Table 1 along with the recommended actions to reduce the risk consequences. The column rupture results in a long-term production disturbance, and the instantaneous release of material may also result in a range of possible incident outcomes such as fire ball, VCE, and flash fire.
Figure 4. Simulation of cooling failure with safety valve in operation (vent line is open): (a) Total loss of cooling, (b) Simulated response of pressure at stages 1, 9, 16, and 34, (c) Simulated response of reflux, vent, and distillate mass flow. [Color figure can be viewed in the online issue, which is available at www.interscience.wiley.com.]
STEP III: SAFETY/RISK ASSESSMENT
Risk Potential Matrix (Hazop Decision Matrix)
The scenarios analyzed are documented before and after improvement in the risk potential matrix (Hazop decision matrix), as shown in Figure 7. The numbers in the figure represent the scenarios (possible causes for different deviations) analyzed and are given in Table 2.
STEP IV: SAFETY/RISK SYSTEM OPTIMIZATION
Pressure relief valves (PRVs), emergency shutdown systems (ESDs), and safety instrumented systems (SIS) are used in the process industry to prevent overpressure hazards [6–8]. ESDs perform safety functions by moving the process along a predetermined path into a safe state. A complete system consists of sensors, logic controllers (computer), and actuators. Keeping in view the risk targets and the results of the Extended Hazop, (a) two simple optimization proposals (SS-A, SS-B) are developed during the Extended Hazop discussion, involving installation of a pressure alarm system and changing the manual shutdown valves to remotely operated solenoid valves, and (b) three optimization proposals (SS-C, SS-D, SS-E) are developed after the Extended Hazop. The calculated probability of failure on demand (PFD) of the developed optimization proposals to prevent the overpressure hazard, along with their descriptions, is given in Table 3. The assumptions and calculation procedure are described in Appendix A.
Figure 5. Event-tree analysis for scenario (a) less or total loss of cooling capacity.
The Event-tree analysis is carried out for the evaluation of these optimization proposals. First, a preincident event tree is used to evaluate the effectiveness of these safety system proposals, and the sequence of events leading to a safe shutdown or to the core accident is identified. For each case, the probability of occurrence of a safe shutdown and of an accident is calculated. After this, a postincident event tree is used for identifying and quantitatively evaluating the various incident outcomes. One of the preincident and postincident event trees, for safety system SS-C, is shown in Figure 8 for illustration. Similarly, event trees are constructed for each of the safety-related optimization proposals. The frequencies of the accident scenario (failure of the safety systems) and of safe shutdown (success of the safety systems) obtained from the preincident event trees are shown in Figure 9. It is clear that with the implementation of a more reliable safety system (from SS-A to SS-E), the frequency of occurrence of the accident scenario decreases and that of safe shutdown increases. One can easily select a suitable safety system meeting the required risk level. However, the final decision also depends on the cost of the safety system and the benefit achieved.
SUMMARY AND CONCLUSION
Distillation is a widely used unit operation in the chemical-processing industries and is always a bottleneck. Therefore, the methodology based on Extended Hazop (Hazop supported by dynamic simulation and Event-tree analysis) for the identification of operational failures and for analyzing the effect of design improvements in the safety system is illustrated with the help of a stripping column. The operational failures leading to column overpressure are identified. The purpose of this article is to illustrate this systematic methodology, so common cause failures are not included in this study. The column behavior is studied using dynamic simulation in Aspen Dynamics. Every effort is made to validate the model against actual process data. Dynamic simulation in combination with Hazop is a powerful tool for safety examinations. The results obtained help in designing the safety system and in making decisions at the time of the design of the process. Although this method is illustrated with a distillation column, it can be used for any hazardous unit operation.
Figure 6. Simulation of cooling failure without safety valve in operation (vent line is partly or totally blocked): (a) Stepwise reduction in cooling capacity, (b) Simulated response of pressure at stages 1, 9, 16, and 34, and (c) Simulated response of reflux and distillate mass flow. [Color figure can be viewed in the online issue, which is available at www.interscience.wiley.com.]
Figure 7. Risk potential matrix (Hazop decision matrix).
FUTURE WORK
Increasing social pressures and strict legislation have changed traditional design practices to incorporate risk in the design of process plants. The risk decision process is very complex because not only technical aspects but also economic, environmental, comfort-related, political, psychological, and societal acceptance play an important role. So the future work is to integrate the safety/risk objectives with economic and environmental objectives in design.

Table 2. Scenarios (possible cause IDs analyzed) presented in Figure 7.
Possible Cause ID | Description
1.1 | More direct steam flow or high steam temperature
1.2 | Too much feed or HC slipping from S1601
1.3 | Fouling of base pipe work or E1701, or wrong valve position of bottom line
1.4 | Too much reflux flow
2.1 | Less or loss of cooling capacity in E1705 and E1702 (Table 1)
2.2 | Restriction/blockage of vent line plus pressure rise (Table 1)
3.1 | More cooling capacity in E1705 and E1702
3.2 | Less or loss of reflux flow because of pump failure
4.1 | Restriction in bottom outlet valve or base pipework
4.2 | Foaming
5.1 | Column bottom bypass valve fails open
5.2 | Rupture of pipe (column bottom outlet)
6.1 | Faulty level measurement of V1701
7.1 | Controller loss LC1703

Table 3. Safety system alternatives and their probability of failure on demand.
Safety System | Description | PFD
SS-A | Manual shutdown system with 1oo2D configuration for the pressure alarm system | 0.55
SS-B | Remote shutdown system with 1oo2D configuration for the pressure alarm system and 1oo2 configuration for the shutdown valves | 0.1004
SS-C | Automatic shutdown system using non-redundant PLC system with 1oo2D configuration for the pressure sensors and 1oo2 configuration for the shutdown valves, and parallel 1oo1 pressure alarm system | 6.18 × 10^-3
SS-D | Automatic shutdown using relay logic with 2 trip amplifiers and 4 relays, with 1oo2D configuration for the pressure sensors and 1oo2 configuration for the shutdown valves, and parallel 1oo1 pressure alarm system | 8.3 × 10^-4
SS-E | Automatic shutdown using PLC TMR system with 2oo3 configuration for the sensors and 1oo2 configuration of shutdown valves, and parallel 1oo1 pressure alarm system | 4.30 × 10^-4
PFD, probability of failure on demand; PLC, programmable logic controller; TMR system, triple modular redundant system. 1oo2D, 1 of 2 with diagnostics, i.e., fault-tolerant configuration; the diagnostic may be provided by an additional alarm monitor or built into the sensor. 1oo2, 1 of 2: two valves are installed but only one is required to shut down. 1oo1, 1 of 1, i.e., single device. 2oo3, 2 of 3: three devices are installed and two are required to shut down.
APPENDIX A
Calculations for PFD of Safety System Alternatives

Analysis of Relay System (3 Trip Amplifiers and 4 Electromechanical Relays)
Assumptions:
• One relay for each input and output
• 98% fail safe
• Test interval (TI) = 12 months
• MTBF = 100 years for one relay and one trip amplifier combined
so λ = 1/100 = 0.01 per year.
PFDavg = λ (TI/2) = 4 × 10^-4 (with 2% of failures dangerous, λ_DU = 0.02 × 0.01 = 2 × 10^-4 per year for each relay/amplifier pair, and the four pairs in series give 4 × 2 × 10^-4 × 0.5 = 4 × 10^-4).

Analysis of Nonredundant PLC System
Assumptions:
• One PLC module with one input and one output module
• Test interval = 12 months
• For CPU: MTBF = 10 years; diagnostic coverage = 90%; fail safe = 60%
• For I/O module: MTBF = 50 years; diagnostic coverage = 50%; fail safe = 75%
PFDavg = λ (TI/2) = 5.75 × 10^-3.

Analysis of TMR PLC System
Assumptions:
• One PLC module with one input and one output module
• Test interval = 12 months
• For CPU: MTBF = 10 years; diagnostic coverage = 99%; fail safe = 60%
• For I/O module: MTBF = 50 years; diagnostic coverage = 99%; fail safe = 75%
• Ignoring common cause failures
PFDavg = (λ × TI)^2 = 7.56 × 10^-8.

For 1oo2 Configuration of Shutdown Valves
Shutdown valves: PFD = (λ × TI)^2/3 = 0.00026.

For 1oo2D Pressure Sensors
Assumptions:
• diagnostic coverage = 60%
• mean time to repair (MTTR) = 12 h
• test interval (TI) = 12 months
PFDavg = λ_DD × MTTR + (λ_DU × TI)^2/3 = 0.00017.

Now using the formulas [4,9]
1. Series link of components: $P = 1 - \prod_{i=1}^{n} (1 - P_i)$
2. Parallel link of components: $P = \prod_{i=1}^{n} P_i$
(for small P_i the series formula reduces to the sum of the component PFDs, which is the approximation used below).

The PFDs for the systems calculated are
SS-A = 0.55
SS-B = 0.00017 + 0.1 + 0.00026 = 0.1004
SS-C: Shutdown system = 0.00017 + 0.00575 + 0.00026 = 0.00618; Pressure alarm = 0.05
SS-D: Safety shutdown system = 0.00017 + 0.0004 + 0.00026 = 0.00083; Pressure alarm system = 0.05
SS-E: Safety shutdown system = 0.00017 + 7.56 × 10^-8 + 0.00026 = 0.0004; Pressure alarm system = 0.05.

Figure 8. Evaluation of safety proposal SS-C using preincident and postincident application of Event tree.
Figure 9. Results of Event-tree analysis of different safety optimization proposals.
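The PFD combination rules of Appendix A and the two-stage (preincident/postincident) event tree used to evaluate the alternatives, written out as an added Python example; this is not code from the paper. The component PFDs (sensors 0.00017, valves 0.00026, logic solvers 0.00575, 0.0004 and 7.56 × 10^-8) are the appendix figures; the 0.1 term in SS-B (taken here as the operator acting on the remote shutdown), the initiating-event frequency of 0.125 per year, the valve failure rate used in the test, and the ignition branch probabilities in the postincident tree are constructed assumptions for illustration only. The series link is evaluated exactly, which shows how little the paper's sum approximation differs.

```python
"""PFD and event-tree arithmetic in the style of Appendix A (added illustration).

Not code from the paper. Component PFDs are the appendix figures; the
operator-failure probability (0.1) in SS-B, the initiating-event frequency
and the post-incident branch probabilities are constructed assumptions.
"""
from math import prod


def pfd_1oo1(lam_du, ti):
    """Single device proof-tested every TI years: PFDavg = lambda_DU * TI / 2."""
    return lam_du * ti / 2


def pfd_1oo2(lam_du, ti):
    """1oo2 pair (either device can trip), common cause ignored: (lambda_DU*TI)^2 / 3."""
    return (lam_du * ti) ** 2 / 3


def pfd_1oo2d(lam_dd, mttr, lam_du, ti):
    """1oo2D: detected dangerous failures repaired within MTTR (same time unit as TI)
    plus the undetected 1oo2 term; the sensor formula of the appendix."""
    return lam_dd * mttr + (lam_du * ti) ** 2 / 3


def relay_logic_pfd(mtbf_years=100.0, fail_safe=0.98, ti=1.0, relays=4):
    """Appendix A relay case: each relay/amplifier pair fails at 1/MTBF per year,
    only the non-fail-safe fraction is dangerous, and the four pairs are in series."""
    lam_du = (1 - fail_safe) / mtbf_years
    return relays * pfd_1oo1(lam_du, ti)


def series(pfds):
    """Series link: the function fails on demand if any element fails, 1 - prod(1 - P_i)."""
    return 1 - prod(1 - p for p in pfds)


def parallel(pfds):
    """Parallel link: every element must fail for the function to fail, prod(P_i)."""
    return prod(pfds)


# Sensor (1oo2D), logic solver, valve (1oo2) PFDs as listed in Appendix A.
# The 0.1 in SS-B stands for the operator acting on the remote shutdown (assumed).
SHUTDOWN_COMPONENTS = {
    "SS-B": [0.00017, 0.1, 0.00026],
    "SS-C": [0.00017, 0.00575, 0.00026],
    "SS-D": [0.00017, 0.0004, 0.00026],
    "SS-E": [0.00017, 7.56e-8, 0.00026],
}


def shutdown_pfd(name):
    """Exact series combination of sensor, logic and valve PFDs for one alternative."""
    return series(SHUTDOWN_COMPONENTS[name])


def preincident(f_init, pfd_system):
    """Preincident event tree: the initiating event (e.g. loss of cooling) is either
    stopped by the shutdown system or develops into a release."""
    return {"safe shutdown": f_init * (1 - pfd_system),
            "release": f_init * pfd_system}


def postincident(f_release, p_immediate=0.1, p_delayed=0.3, p_explosion=0.4):
    """Postincident event tree over constructed ignition branches: immediate ignition
    gives a jet fire, delayed ignition a VCE or flash fire, otherwise the cloud disperses."""
    no_imm = 1 - p_immediate
    return {
        "jet fire": f_release * p_immediate,
        "VCE": f_release * no_imm * p_delayed * p_explosion,
        "flash fire": f_release * no_imm * p_delayed * (1 - p_explosion),
        "safe dispersion": f_release * no_imm * (1 - p_delayed),
    }


if __name__ == "__main__":
    f_loss_of_cooling = 0.125  # initiating-event frequency per year, assumed
    print(f"relay logic PFD = {relay_logic_pfd():.2e}")
    for name in SHUTDOWN_COMPONENTS:
        pfd = shutdown_pfd(name)
        pre = preincident(f_loss_of_cooling, pfd)
        post = postincident(pre["release"])
        print(f"{name}: PFD={pfd:.2e}  safe shutdown={pre['safe shutdown']:.3e}/yr  "
              f"VCE={post['VCE']:.2e}/yr")
```

Running the script reproduces the appendix values (4 × 10^-4 for the relay logic, 0.00618 for SS-C, 0.00083 for SS-D) and shows the monotone fall in accident frequency from SS-B to SS-E that Figure 9 reports; the branch probabilities in the postincident tree must be replaced by site-specific ignition data before any of the outcome frequencies are used for a real decision.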
LITERATURE CITED
1. H.Z. Kister, What caused tower malfunctions in the last 50 years? Trans IChemE 81A (2003), 5–26.
2. N. Ramzan, F. Compart, and W. Witt, Methodology for generation and evaluation of safety system alternatives based on extended Hazop and event tree analysis, Process Safety Progress 26 (2007), 35–42.
3. H.Z. Kister, Distillation Operation, McGraw-Hill, New York (1989), pp 229–251.
4. D.A. Crowl and J.F. Louvar, Chemical Process Safety: Fundamentals with Applications, Prentice Hall, New York (1999), pp 471–508.
5. F.P. Lees, Loss Prevention in the Process Industries, Butterworths, London, UK (1996).
6. P. Gruhn and H.L. Cheddie, Safety Instrumented Systems: Design, Analysis and Justification, 2nd ed., ISA-The Instrumentation, Systems, and Automation Society, U.S. (2006), ISBN 1-55617-956-1.
7. P. Williams, Reliability for Safety Instrumented Systems, Chem Eng Prog (2004), 27–32.
8. VDI/VDE 2180, Part 2, Safeguarding of industrial process plants by means of process control engineering: Classification of process control systems, realisation, operation and testing of safety instrumented systems, German Standard.
9. CCPS (Center for Chemical Process Safety), Guidelines for Chemical Process Quantitative Risk Analysis, American Institute of Chemical Engineers, New York (2000), pp 297–387.