
Study on Safety Evaluation and Operational Design for Startup

Rafael Batres, Sanggyu Lee,* Ming Liang Lu, Yuji Naka

Tokyo Institute of Technology, Research Laboratory of Resources Utilization, 4259 Nagatsuta, Midori-ku, Yokohama, 226, Japan

Aiming at improving the safety of process startup, this paper integrates safety evaluation into an operational design methodology which designs operable processes by proposing alternatives, examining process operability and modifying plant structures and operating procedures. Safety analysis is used as a key component of design evaluation for examining potential hazards during startup. Potential hazards are eliminated by modifying both plant structure and operating procedures. Issues for both methodology and implementation of a prototype in G2 are discussed. Finally, the system is applied to an industrial hydrodesulfurization process.

INTRODUCTION

According to the High Pressure Gas Safety Institute of Japan, statistics compiled between 1952 and 1990 show that 46% of the accidents that occurred in petrochemical plants took place during transient operations such as startup and shutdown. Hazard evaluation should be performed through the whole life-cycle of the plant as the main constituent of the process safety management program. However, existing safety evaluation methods such as Hazard and Operability Analysis (HAZOP), FMEA (Failure Modes and Effects Analysis), Human error analysis [1], and CHAZOP (Control system HAZOP) [2] and their computer implementations are not well suited for plant startup operations. In this paper we present the development to date of a safety evaluation methodology and its system architecture for startup that aims at:

Assisting the engineers in the design of a more operable and safer plant
Providing the necessary computer tools to guarantee safer startup operations
Setting the basis for future developments to support operations planning in case of abnormal situations

Incidentally, an effort on operational design methodology and its support system development has been under way in this laboratory, which attempts to design an operable process plant by designing both plant facilities and operations (Naka et al. [3, 4]). Startup operation is the first target for operational design. It is, therefore, natural for us to consider integrating safety evaluation into the operational design for safer startup operation. Attention here is directed to both the integration of the safety evaluation and operational design methodologies and the integration of the support systems.

*Mr. Lee is currently working at the Department of Chemical Engineering of KAIST, Korea.

Taking into account these considerations, a knowledge-based system has been implemented in an object-oriented architecture using Gensym’s G2 system. The system analyzes possible hazards during the startup of chemical plants and then makes design recommendations to avoid those hazardous situations, and displays the modified topology.

First we will present an overview of the operational design methodology and describe the architecture of a computer support system that facilitates the safety evaluation for startup. Then the detailed components such as the evaluation procedure, knowledge organization and implementation will be discussed. Finally, an HDS industrial process case study will be used to demonstrate the use and advantages of the methodology.

ADDRESSING SAFETY IN OPERATIONAL DESIGN

Starting from the design phase, the operational design methodology attempts to accommodate the plant structure in order to improve the future plant operability in terms of safety, reliability, and availability. It starts from a process flow diagram (PFD) and considers modifying the process structures and adding any required facility to the PFD, i.e., it generates an operational flow diagram (OFD) towards a process instrumentation diagram (P&ID). This is done by proposing design alternatives which are evaluated against several operational criteria, like process constraints or safety requirements. The safety evaluation for startup is carried out during this part of the design, where it becomes possible to identify potential problems while they are still easy to correct. Figure 1 shows the methodology for addressing safety in operational design, which considers evaluation criteria concerning safety, so all the design alternatives and modifications are performed in order to reduce hazardous situations. This paper concentrates on using the safety criteria for improving plant design.

Although some of the steps are carried out concurrently, the above methodology can be described as follows:

1. Propose a plant topology (a PFD could be used as the first candidate for this purpose).

2. Plan and perform a set of actions (operations such as opening and closing valves) to start up the plant while simultaneously simulating the startup of the plant.

3. During the simulation of the startup all the process variables like pressure, temperature and concentration are checked to satisfy specified safety limits. If any hazard is found in any equipment of the plant then there are two possible alternatives that must be explored:

to modify the plant topology (1), or
to plan a new set of plant actions (2)

If the process variables all have values within the safety limits then the plant can be considered safe in terms of the operations performed. The methodology can be summarized as: propose, evaluate and modify.

Process Safety Progress (Vol.16, No.1) Spring, 1997 37

FIGURE 1 Methodology for addressing safety evaluation in operational design. [Diagram residue removed: blocks for the safety constraints, the Operating Procedure Planner and the Dynamic Simulator.]

Although the plant may be safe after the above analysis has been carried out, the probability of a failure during startup could reduce the effect of having a safe design. Consequently, in order to analyze whether the system can deal with failures in the equipment, failures such as impossible valve manipulations are assumed and any possible modifications in the design or the operations are explored in order to overcome the problem.

a) Assume a failure in an equipment item.

b) Simulate the plant and the equipment failure (3).

c) Analyze the hazard and, according to the evaluation, perform either:

a modification of the topology (1), or
a new set of operations

d) Simulate the plant with the proposed modification (3) and evaluate again to make sure that no hazardous condition occurs.

In summary, if the system identifies any hazardous condition then the correcting actions are:

to change the startup procedure
to modify the flowsheet topology, such as adding extra equipment or auxiliary lines
to attach safety devices such as check-valves, relief-valves or rupture disks

If according to the results the plant satisfies the safety requirements, then modifications to either the operations or the topology are unnecessary and a safe topology is produced.

FIGURE 2 Architecture of the safety evaluation system.

ARCHITECTURE OF THE SAFETY EVALUATION SYSTEM

The overall architecture of the Safety Evaluation System is shown in Figure 2. The user accesses the system through the graphical user interface. The Safety Evaluator makes use of the resources provided by the supporting environment for the safety view of the operational design.

The plant topology is basically a flowsheet composed of instances of the required equipment objects. Once the user constructs the flowsheet, every instance of equipment should be instantiated with the pre-commissioning values of temperature, pressure and component compositions. The plant topology follows a hierarchical structure to simplify the plant design and to improve the controllability of the startup operations:

Plant-wide level
CGU level
Elementary level

The whole hierarchical structure follows object orientation, as it provides a framework for representing and mapping physical plant objects and their respective computer abstractions with an inheritance hierarchy (see Figure 3).

A CGU is defined as a part of the process surrounded by control valves that can be operated relatively independently from the rest of the plant, with the ability to include stationary states. These properties are useful when planning discrete operations like those performed on valves and pumps. Equally important, CGUs are potentially helpful when in an abnormal situation it becomes necessary to isolate the fault from the rest of the process.

FIGURE 3 Hierarchical structure for planning and performing plant operations.

The simulation models represent the behavior of each unit operation attached to every equipment item. These models are procedures and dynamic equations that make it possible to simulate the dynamics of the plant during transient states such as the startup. Only simplified models were used, because a more detailed dynamic simulator was out of the scope of this work. Models are applied at two levels of abstraction. The first class of models tells the system how the changes of process variables such as pressure, temperature, and composition are propagated along the plant. The second class of models describes a particular behavior that occurs in each plant item. The former, dealing with interaction among plant items, is implemented in concurrent simulation procedures, while the latter deals with mathematical representations of the behavior that occurs inside each piece of equipment, such as reaction, flashing or dynamic changes in the material and energy.

The actions planning module receives the input of the topology, the rules for startup and the rules for safety to establish the necessary operations, either for startup itself or for safety. The operations for startup are basically those related to opening and closing valves or turning on and turning off equipment (e.g. pumps, compressors). The operations are performed at two levels: among CGUs and inside each CGU. Operations among CGUs are regulated by means of a knowledge base containing process-specific constraints and mechanisms to identify and operate plant-wide recycles. On the other hand, operations inside CGUs are carried out by means of knowledge bases that regulate the liquid inventory control and contain knowledge for the generation of internal stationary states, which allows operating each CGU independently from the rest of the plant.

The timing of each operation is registered and displayed in tabular form, so that the user can ascertain the time when a particular valve has been closed or opened. These operations for startup are spaced according to the time required for the fluid to pass along the equipment, taking into account the hold-up time in vessels and the time for satisfying the process conditions (Batres et al. [5]).

The safety knowledge base allows the detection of any possible abnormality by checking process variables against constraints such as reactivity data (extreme conditions to be avoided), inter-reactivity (dangerous mixtures), flammability, explosion data and equipment metallurgical limits.

If any hazardous condition is detected, then the actions planning module modifies the operating procedure for startup, but if the hazardous condition persists then the topology modification module is instructed to investigate a transformation of the plant topology. The interaction between the rules for safety and the actions planning module is made by the generation of new rules for startup that are stored in the knowledge base for startup.

FIGURE 4 Graphical user interface of the safety evaluation system.

The actions supported by the action planning module have a hierarchical structure of five levels of knowledge which, if required, are executed in order: change the startup procedure, change the operating conditions, modify the topology, attach safety equipment, and alarm and fault diagnosis system (not yet implemented).

Figure 4 shows the graphical user interface of the system. From the user interface, the user builds the topology by selecting the edit mode, in which the corresponding panel with available equipment icons is shown at the left of the screen. The user selects the appropriate icon with the mouse and positions the automatically generated instances in the displayed window. By clicking the input and output terminals, instances can be linked together through process or signal connections. The next step is to specify the sets of parameters, the initial conditions, the simulation models, etc.

HDS CASE STUDY

The hydrodesulfurization (HDS) process is a well-known process for removing sulfur from diesel oil through a reaction with hydrogen. Figure 5 shows the plant-wide view of the process. In this representation of the plant, each box represents a CGU and the dotted lines represent the lines that were added after running the safety evaluation prototype. The original flowsheet of the process is shown in Figure 6.


FIGURE 5 A view of the plant-wide level of the HDS process.

When the system investigates the order of opening the valves from the feed to the product lines, the valve operation for the valve CV1 is examined first. However, because the inventory control in the high-pressure and low-pressure separators has higher priority, the valve CV1 is not opened first. A further analysis reveals that if CV1 is allowed to open first, then hydrogen and diesel enter the reactor without completing the inventory control of the vessels, giving rise to several potential risks:

If the reaction has already started, hydrogen sulfide is produced but the separation areas are not ready. The hydrogen sulfide then accumulates and becomes a potential hazard to the operators.

If the separation areas are required to shut down, then the reactor should also shut down, which becomes a dangerous situation that is particularly critical if the pressure and temperature are high.

FIGURE 6 PFD of the HDS process before safety evaluations.

FIGURE 7 PFD of the HDS process after the topological modifications.

The next trial is to feed the diesel first. In this case the liquid inventory is satisfied, yet the temperature and pressure constraints are not satisfied: contact with diesel alone decreases the activity of the catalyst, and a low hydrogen to diesel ratio causes coke formation. As a result the action planning module proposes to create a bypass around the reactor (see Figure 7), and then, based on the modified topology, a new operating procedure is planned. Thereafter the system enters a loop of evaluation and modification until no more hazardous situations are detected.

After the system is safe in terms of operating variables, some faults that may occur during the startup were tested and simulated in order to analyze possible solutions. The failure module applies ‘Impossible Opening’ to each valve in sequence. These faults occur in practice in case ‘the control system could not open a valve which had to be open according to the startup procedure’. For example, if the valves CV9 and CV13, which are connected to the lines that take the acid gases to the amine treatment plant, cannot be opened at a given time, then an over-pressure event is detected. This is fixed by attaching safety valves on the LPS tank and the stripper overheads tank. Figure 7 shows the modified PFD and Figure 8 indicates the valve actions as the final results of the hazard evaluations.
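The propose, evaluate and modify loop of the methodology, together with the ‘Impossible Opening’ fault study applied to the vent valves CV9 and CV13 above, as a toy Python model. This is an added illustration, not the authors’ G2 prototype; the vessel names, pressure limits, step sizes and valve sequence are constructed sample values.

```python
"""Toy version of the propose / evaluate / modify loop and the 'Impossible
Opening' fault study. Added illustration, not the authors' G2 prototype:
vessel names, pressure limits and the valve sequence are constructed."""
from dataclasses import dataclass
from typing import Collection, List, Tuple


@dataclass
class Vessel:
    name: str
    p0: float             # pre-commissioning pressure (bar), constructed
    p_max: float          # metallurgical limit from the safety knowledge base
    feed_valve: str       # valve that admits gas into the vessel when open
    vent_valve: str       # valve that takes gas away to downstream treatment
    relief: bool = False  # safety device attached by the modify step


def simulate(vessels: List[Vessel], procedure: List[str],
             failed: Collection[str] = (), steps: int = 10) -> List[Tuple[str, int, float]]:
    """Crude dynamic model: at step t valve procedure[t] opens unless the fault
    injector says it cannot; each vessel then gains 2 bar while its feed is open,
    loses 2 bar (down to p0) while its vent is open, and is capped at p_max if a
    relief valve is attached. Returns (vessel, step, pressure) per exceedance."""
    opened = set()
    p = {v.name: v.p0 for v in vessels}
    hazards = []
    for t in range(steps):
        if t < len(procedure) and procedure[t] not in failed:
            opened.add(procedure[t])
        for v in vessels:
            if v.feed_valve in opened:
                p[v.name] += 2.0
            if v.vent_valve in opened:
                p[v.name] = max(p[v.name] - 2.0, v.p0)
            if v.relief:
                p[v.name] = min(p[v.name], v.p_max)
            if p[v.name] > v.p_max:
                hazards.append((v.name, t, p[v.name]))
    return hazards


def fix_procedure(vessels: List[Vessel], procedure: List[str]) -> List[str]:
    """Hierarchy level 1 (change the startup procedure): move the vent valve of an
    over-pressured vessel directly after its feed valve, re-evaluate, repeat."""
    plan = list(procedure)
    for _ in range(len(plan)):          # each vessel needs at most one move
        hazards = simulate(vessels, plan)
        if not hazards:
            return plan
        v = next(x for x in vessels if x.name == hazards[0][0])
        plan.remove(v.vent_valve)
        plan.insert(plan.index(v.feed_valve) + 1, v.vent_valve)
    raise RuntimeError("procedure change alone cannot remove the hazard")


def failure_study(vessels: List[Vessel], procedure: List[str]) -> List[Tuple[str, str]]:
    """Steps a) to d): assume 'Impossible Opening' for each valve in turn, simulate,
    attach a relief valve to any vessel that over-pressures (hierarchy level 4)
    and re-simulate to confirm. Returns (stuck valve, vessel) per device attached."""
    attached = []
    for valve in procedure:
        for vessel, _t, _p in simulate(vessels, procedure, {valve}):
            target = next(x for x in vessels if x.name == vessel)
            if not target.relief:
                target.relief = True
                attached.append((valve, vessel))
        if simulate(vessels, procedure, {valve}):
            raise RuntimeError(f"hazard persists with {valve} stuck closed")
    return attached


def hds_sample() -> Tuple[List[Vessel], List[str]]:
    """Constructed sample loosely following the HDS case: the LPS tank and the
    stripper overheads tank vent through CV9 and CV13; the other valves are inert here."""
    vessels = [Vessel("LPS", 1.0, 12.0, "CV1", "CV9"),
               Vessel("stripper-overheads", 1.0, 10.0, "CV1", "CV13")]
    proposed = ["CV1", "CV2", "CV3", "CV4", "CV5", "CV6", "CV7", "CV9", "CV13"]
    return vessels, proposed
```

With the sample, the proposed sequence over-pressures both vessels, the procedure change moves CV9 and CV13 forward, and the fault study then attaches a relief valve to each of the two tanks because a stuck vent is the one failure the procedure alone cannot absorb.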

CONCLUSIONS

For a safer process startup operation, a safety evaluation methodology has been integrated into an operational design framework. As a key component, the safety evaluation module examines the potential hazards during startup. The evaluation result is used for plant topology modification and startup operation regeneration. This method also considers assuming failures of operations and then checking the consequences of such assumptions so as to improve the plant safety during startup.

A prototype of an automated hazard evaluation system for startup has been developed on the Gensym G2 intelligent system shell and has been tested with an HDS process case study. The object-oriented structure implemented in G2 makes the simulation of the plant easier, adding more flexibility to plan the operations that preserve safety.

In the example problem, the system in this paper attached a bypass valve for the reactor and safety valves on units, and changed the startup procedure to prevent hazardous situations. The modifications show very reasonable results.

Finally we would like to extend the hierarchical design improvement by including interlocks and alarms. Current research projects are taking advantage of the more stable underlying facilities and extended functionality (for example, support of emergency shutdown as an alternative operation to deal with hazards) to provide a more complete support system to deal with abnormal situations.

FIGURE 8 Valve actions for startup after the topological modifications. [Chart residue removed: rows for valves CV1 to CV18, V-0, V-1 and SW1 against a time axis from 0 to 100.]

LITERATURE CITED

1. Crowl, D. A., and J. F. Louvar, Chemical Process Safety: Fundamentals with Applications, Prentice Hall (1990).

2. Nimmo, Ian, Chem. Eng. Prog., 90, 10, 32 (1994).

3. Naka, Y., and C. McGreavy, “Modular Approach for Start-up Operational Procedures of Chemical Plants,” Presented at PSE ’94 (1994).

4. Naka, Y., M. L. Lu, and H. Takiyama, “Operational Design for Start-up of Chemical Processes,” (Accepted for publication in Comp. & Chem. Eng., 1995).

5. Batres, R., Y. Naka, A. Adriani, K. Arai, M. L. Lu, D. Pradubsripetch, S. Lee, and I. Yamada, “Operational Design for Startup and Shutdown of Chemical Plants based on a Topological Approach,” Presented at First International Plant and Design Conference, AIChE Spring Meeting, 19 (1995).

6. Catino, C. A., and L. H. Ungar, AIChE J., 41, 1, 97 (1995).

7. Shimada, Y., Z. Yang, J. Song, and K. Suzuki, “Computer-aided Operability Study,” Presented at PSE ’94, 291 (1994).

8. Vaidhyanathan, R., and V. Venkatasubramanian, Reliab. Engng. & System Safety, 50, 33 (1995).

9. Venkatasubramanian, V., and R. Vaidhyanathan, “HAZOPExpert: A Knowledge-Based System for HAZOP Analysis,” Presented at PSE ’94, 1117 (1994A).

10. Venkatasubramanian, V., and R. Vaidhyanathan, AIChE J., 40, 3, 496 (1994B).

This paper (48f) was presented at the 5th World Congress of Chemical Engineering in San Diego, California on July 15, 1996.
