DOCUMENT INFORMATION
Number of pages: 25
Size: 1.21 MB

Content:
CHAPTER 14
Safety Systems*

This chapter discusses overall safety analysis techniques for evaluating production facilities, describes the concepts used to determine where safety shutdown sensors are required, and provides background and insight into the concept of a Safety and Environmental Management Program.

To develop a safe design, it is necessary to first design and specify all equipment and systems in accordance with applicable codes and standards. Once the system is designed, a process safety shutdown system is specified to assure that potential hazards that can be detected by measuring process upsets are detected, and that appropriate safety actions (normally an automatic shutdown) are initiated. A hazards analysis is then normally undertaken to identify and mitigate potential hazards that could lead to fire, explosion, pollution, or injury to personnel and that cannot be detected as process upsets. Finally, a system of safety management is implemented to assure the system is operated and maintained in a safe manner by personnel who have received adequate training.

Safety analysis concepts are discussed in this chapter by first describing a generalized hazard tree for a production facility. From this analysis, decisions can be made regarding devices that could be installed to monitor process upset conditions and to keep them from creating hazards. This analysis forms the basis of a widely used industry consensus standard, American Petroleum Institute Recommended Practice 14C, Analysis, Design, Installation, and Testing of Basic Surface Systems for Offshore Production Platforms (RP14C), which contains a procedure for determining required process safety devices and shutdowns.

*Reviewed for the 1999 edition by Benjamin T. Banken of Paragon Engineering Services, Inc.
The procedures described here can be used to develop checklists for devices not covered by RP14C or to modify the consensus checklists presented in RP14C in areas of the world where RP14C is not mandated.

While RP14C provides guidance on the need for process safety devices, it is desirable to perform a complete hazards analysis of the facility to identify hazards that are not necessarily detected or contained by process safety devices and that could lead to loss of containment of hydrocarbons or otherwise lead to fire, explosion, pollution, or injury to personnel. The industry consensus standard, American Petroleum Institute Recommended Practice 14J, Design and Hazards Analysis for Offshore Facilities (RP14J), provides guidance as to the use of various hazards analysis techniques.

The final portion of this chapter describes the management of safety using Safety and Environmental Management Programs (SEMP) as defined in API RP75, Recommended Practices for Development of a Safety and Environmental Management Program for the Outer Continental Shelf (OCS) Operations and Facilities, and using a Safety Case approach as is commonly done in the North Sea.

HAZARD TREE

The purpose of a hazard tree is to identify potential hazards, define the conditions necessary for each hazard, and identify the source for each condition. Thus, a chain of events can be established that forms a necessary series of required steps that results in the identified hazard. This is called a "hazard tree." If any of the events leading to the hazard can be eliminated with absolute certainty, the hazard itself can be avoided.

A hazard tree is constructed by first identifying potential hazards. Starting with the hazard itself, it is possible to determine the conditions necessary for this hazard to exist. For these conditions to exist, a source that creates that condition must exist, and so forth. Using this reasoning, a hierarchy of events can be drawn, which becomes the hazard tree.
In a hazard analysis an attempt is made, starting at the lowest level in the tree, to see if it is possible to break the chain leading to the hazard by eliminating one of the conditions. Since no condition can be eliminated with absolute certainty, an attempt is made to minimize the occurrence of each of the steps in each chain leading to the hazard so that the overall probability of the hazard's occurrence is within acceptable limits.

Design of GAS-HANDLING Systems and Facilities

This process is perhaps best illustrated by a simple example. Figure 14-1 shows a hazard tree developed for the "hazard" of injury while walking down a corridor in an office. The conditions leading to injury are identified as collision with others, tripping, hit by falling object, and total building failure. The sources leading to each condition are listed under the respective condition. Some of the sources can be further resolved into activities that could result in the source. For example, if no soil boring was taken, this could lead to "inadequate design," which would lead to "building failure," which could lead to "injury."

It is obvious that it is impossible to be absolutely certain that the hazard tree can be broken. It is, however, possible to set standards for ceiling design, lighting, door construction, etc., that will result in acceptable frequencies of collision, tripping, etc., given the severity of the expected injury from the condition. That is, we could conclude that the probability of building failure should be lower than the probability of tripping because of the severity of injury that may be associated with building failure.

Figure 14-1. Hazard tree for injury suffered while walking in a hallway.

It should be obvious from this discussion that the technique of creating a hazard tree is somewhat subjective. Different evaluators will likely classify conditions and sources differently and may carry the analysis to further levels of sources.
However, the conclusions reached concerning building design, maintenance, layout of traffic patterns, lighting, etc., should be the same. The purpose of developing the hazard tree is to focus attention and help the evaluator identify all aspects that must be considered in reviewing overall levels of safety.

It is possible to construct a hazard tree for a generalized production facility, just as it is possible to construct a hazard tree for a generalized hallway. That is, Figure 14-1 is valid for a hallway in Paragon Engineering Services' offices in Houston, in Buckingham Palace in London, or in a residence in Jakarta. Similarly, a generalized hazard tree constructed for a production facility could be equally valid for an onshore facility or an offshore facility, no matter what the specific geographic location.

Figure 14-2 is a hazard tree for a generalized production facility. The hazards are identified as "oil pollution," "fire/explosion," and "injury." Beginning with injury, we can see that the hazards of fire/explosion and oil pollution become conditions for injury, since they can lead to injury as well as being hazards in their own right.

The tree was constructed by beginning with the lowest level hazard, oil pollution. Oil pollution occurs as a result of an oil spill, but only if there is inadequate containment. That is, if there is adequate containment, there cannot be oil pollution. Onshore, dikes are constructed around tank farms for this reason. Offshore, however, and in large onshore facilities, it is not always possible to build containment large enough for every contingency. The requirement for drip pans and sumps stems from the need to reduce the probability of oil pollution that could result from small oil spills.

One source of an oil spill could be the filling of a vessel that has an outlet to atmosphere until it overflows. Whenever inflow exceeds outflow, the tank can eventually overflow.
Another source is a rupture or sudden inability of a piece of equipment to contain pressure. Events leading to rupture are listed in Figure 14-2. Note that some of these events can be anticipated by sensing changes in process conditions that lead to the rupture. Other events cannot be anticipated from process conditions.

Other sources for oil spills are listed. For example, if a valve is opened and the operator inadvertently forgets to close it, oil may spill out of the system. If there is not a big enough dike around the system, oil pollution will result. It is also possible for oil to spill out the vent/flare system. All pressure vessels are connected to a relief valve, and the relief valve discharges out a vent or flare system. If the relief scrubber is not adequately sized, or if it does not have a big enough dump rate, oil will go out the vent system.

Figure 14-2. Hazard tree for production facility. (Source: API RP14.) * Indicates sources that can be anticipated by sensing changes in process conditions.

Fire and explosion are much more serious events than pollution. For one thing, fire and explosion can create catastrophes that will lead to pollution anyway, but for another thing, they can injure people. We clearly want to have more levels of safety (that is, a lower probability of occurrence) in the chain leading to fire or explosion than is necessary in the chain leading to pollution. That is, whatever the acceptable risk for oil pollution, a lower risk is required for fire or explosion.

For fire or explosion to occur, fuel, an ignition source, oxygen, and time to mix them all together are needed. If any of these elements can be eliminated with 100% assurance, the chain leading to fire or explosion will be broken. For example, if oxygen can be kept out of the facility, then there can be no fire or explosion.
Eliminating oxygen can be done inside the equipment by designing a gas blanket and ensuring positive pressure. For practical purposes it cannot be done outside the equipment, as a human interface with the equipment is desired.

Fuel cannot be completely eliminated, though the inventory of combustible fuels can be kept to a minimum. Oil and gas will be present in any production facility, and either an oil spill or escaping gas can provide the fuel needed. Escaping gas can result from rupture, opening a closed system, or gas that is normally vented. The amount of fuel present can be minimized by preventing oil spills and gas leaks.

Ignition sources are numerous, but it is possible to minimize them. Lightning and static electricity are common ignition sources in production facilities, especially at tank vents. It is not possible to anticipate the ignition by sensing changes in process conditions, but gas blankets, pressure-vacuum valves, and flame arresters can be installed to ensure that flame will not flash back into the tank and create an explosion. Electrical shorts and sparks are also sources of ignition. These are kept isolated from any fuel by a whole series of rules and regulations for the design of electrical systems. In the United States, the National Electrical Code and the API Recommended Practices for Electrical Systems (Chapter 17) are used to minimize the danger of these ignition sources. Human-induced ignition sources include welding and cutting operations, smoking, and hammering (which causes static electricity).

Flash back is also a source of ignition. In some vessels a flame exists inside a fire tube. If a fuel source develops around the air intake for the fire tube, the flame can propagate outside the fire tube and out into the open. The flame would then become a source of ignition for any more fuel present and could lead to a fire or explosion. This is why flame arresters are required on natural draft fire tubes.
Hot surfaces are another common source of ignition. Engine exhaust, turbine exhaust, and the engine manifold on engine-driven compressors may be sufficiently hot to ignite oil or gas. A hot engine manifold can become a source of ignition for an oil leak. An engine exhaust can become a source of ignition for a gas escape. Exhaust sparks from engines and burners can be a source of ignition.

Any open flame on the facility can also be a source of ignition. Fire tubes, especially in heater treaters, where they can be immersed in crude oil, can become a source of ignition if the tube develops a leak, allowing crude oil to come in direct contact with the flame. Fire tubes can also be a source of ignition if the burner controls fail and the tube overheats, or if the pilot is out and the burner turns on when there is a combustible mixture in the tubes.

Because these ignition sources cannot be anticipated by sensing changes in process conditions, and since oxygen is always present, a hazards analysis must concentrate on reducing the risk of oil spill and gas leak when any of these ignition sources is present. Or, the hazards analysis must concentrate on reducing the probability that the ignition source will exist at the same location as an oil spill or gas leak.

Injury is always possible by fire, explosion, or the other conditions listed in Figure 14-2. A fire can lead directly to injury, but normally there need to be several contributory events before the fire becomes large enough to lead to injury. For example, if a fire develops and there is sufficient warning, there should be sufficient time to escape before injury results. If the fuel is shut off and there is enough fire-fighting equipment to fight the fire before it becomes large, the probability of injury is small. When an explosion occurs, however, it can directly cause injury. A substantial cloud of gas can accumulate before the combustible limit reaches an ignition source.
The force of the explosion as the cloud ignites can be substantial.

There are other ways to injure people, such as physical impact due to falling, tripping, slipping on a slick surface, or being hit by an object or by direct physical impact from a rupture. Asphyxiation can occur, especially when dealing with toxic chemicals. Electric shock and burns can also lead to injury. Burns can occur by touching hot surfaces. They can also occur from radiation.

The probability of injury from any of these conditions is increased by an inability to escape. All the conditions tend to be more likely to lead to injury the longer people are exposed to the situation. Therefore, escape routes, lighting, appropriate selection of survival capsules or boats, fire barriers, etc., all lead to a reduction in injury.

DEVELOPING A SAFE PROCESS

In going through this hazard tree it can be seen that many of the sources and conditions leading to the three major hazards have nothing to do with the way in which the process is designed. Many sources cannot be anticipated by sensing a condition in the process. For example, it is not possible to put a sensor on a separator that keeps someone who is approaching the separator to perform maintenance from falling. Another way of stating this is that many of the sources and conditions identified on the hazard tree require design considerations that do not appear on mechanical flow diagrams. The need for proper design of walkways, escape paths, electrical systems, fire-fighting systems, insulation on piping, etc., is evident on the hazard tree. In terms of developing a process safety system, only those items that are starred in the hazard tree can be detected and therefore defended against.

This point must be emphasized because it follows that a production facility that is designed with a process shut-in system as described in API RP14C is not necessarily "safe."
It has an appropriate level of devices and redundancy to reduce the sources and conditions that can be anticipated by sensing changes in process conditions. However, much more is required from the design of the facility if the overall probability of any one chain leading to a hazard is to be acceptable. That is, API RP14C is merely a document that has to do with safety analysis of the process components in the production facility. It does not address all the other concerns that are necessary for a "safe" design.

The starred items in the hazard tree are changes in process conditions that could develop into sources and lead to hazards. These items are identified in Table 14-1 in the order of their severity. Overpressure can lead directly to all three hazards. It can lead directly and immediately to injury, to fire or explosion if there is an ignition source, and to pollution if there is not enough containment. Therefore, we must have a very high level of assurance that overpressure is going to have a very low frequency of occurrence.

Fire tubes can lead to fire or explosion if there is a leak of crude oil into the tubes or failure of the burner controls. An explosion could be sudden and lead directly to injury. Therefore, a high level of safety is required.

Table 14-1
Sources Associated with Process System Changes

Source                   Hazard           Contributing Source of Condition
Overpressure             Injury           None
                         Fire/Explosion   Ignition Source
                         Pollution        Inadequate Containment
Leak                     Fire/Explosion   Ignition Source
                         Oil Pollution    Inadequate Containment
Fire Tubes               Fire/Explosion   Fuel
Inflow Exceeds Outflow   Oil Pollution    Inadequate Containment
Excessive Temperature    Fire/Explosion   Ignition Source
                         Oil Pollution    Inadequate Containment

Excessive temperature can lead to premature failure of an item of equipment at pressures below its design maximum working pressure.
Such a failure can create a leak, potentially leading to fire or explosion if gas is leaked or to oil pollution if oil is leaked. This type of failure should be gradual, with warning as it develops, and thus does not require as high a degree of protection as those previously mentioned.

Leaks cannot lead directly to personal injury. They can lead to fire or explosion if there is an ignition source and to oil pollution if there is inadequate containment. Both the immediacy of the hazard developing and the magnitude of the hazard will be smaller with leaks than with overpressure. Thus, although it is necessary to protect against leaks, this protection will not require the same level of safety that is required to protect against overpressure.

Inflow exceeding outflow can lead to oil pollution if there is inadequate containment. It can lead to fire or explosion and thus to injury by way of creating an oil spill. This type of accident is more time-dependent and lower in magnitude of damage, and thus an even lower level of safety will be acceptable.

The hazard tree also helps identify protection devices to include in equipment design that may minimize the possibility that a source will develop into a condition. Examples would be flame arresters and stack arresters on fire tubes to prevent flash back and exhaust sparks, gas detectors to sense the presence of a fuel in a confined space, and fire detectors and manual shutdown stations to provide adequate warning and to keep a small fire from developing into a large fire.

PRIMARY DEFENSE

Before proceeding to a discussion of the safety devices required for the process, it is important to point out that the primary defense against hazards in a process system design is the use of proper material of ...
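The hazard-tree reasoning above (chains of source, condition and hazard; OR-type events where any one source suffices versus the AND-type fire/explosion event that needs fuel, ignition, oxygen and time together; the starred, sensor-detectable sources of Table 14-1) can be made mechanical. The following Python is an added example, not code from the chapter or from API RP14C. Its TREE is a simplified encoding of Figure 14-2 as paraphrased in the text, the node names are chosen here, and the probabilities in SAMPLE_PROBS are constructed for illustration only. It enumerates the chains (minimal cut sets) leading to a hazard, checks whether eliminating an event breaks every chain, flags chains that contain no detectable source (the ones a process shutdown system alone cannot defend against), and computes the hazard probability by exact enumeration rather than by assuming the branches are independent.

```python
"""Hazard-tree (fault-tree) evaluation for a generalized production facility.
Added example, not from the chapter or API RP14C.  TREE is a simplified
encoding of Figure 14-2 as paraphrased in the text; DETECTABLE follows the
starred sources of Table 14-1.  All names and probabilities are constructed."""
from itertools import product

# ("or", [...])  -> any one input produces the event (several sources).
# ("and", [...]) -> all inputs are needed together (fire needs fuel,
#                   an ignition source, oxygen and time to mix).
# Names that are not keys of TREE are basic events (leaves).
TREE = {
    "injury": ("or", ["fire/explosion", "oil pollution", "fall or trip"]),
    "fire/explosion": ("and", ["fuel", "ignition source", "oxygen", "time to mix"]),
    "oil pollution": ("and", ["oil spill", "inadequate containment"]),
    "fuel": ("or", ["oil spill", "gas leak"]),
    "oil spill": ("or", ["inflow exceeds outflow", "rupture", "valve left open"]),
    "gas leak": ("or", ["rupture", "opening a closed system", "normal venting"]),
    "rupture": ("or", ["overpressure", "excessive temperature", "corrosion or impact"]),
    "ignition source": ("or", ["lightning or static", "electrical spark",
                               "hot surface", "fire tube flashback", "welding or smoking"]),
}
# Starred items: sources a shutdown system can anticipate by sensing changes in
# process conditions (Table 14-1; the table's "leak" maps to the rupture branch).
DETECTABLE = {"overpressure", "excessive temperature",
              "inflow exceeds outflow", "fire tube flashback"}
# Constructed per-year probabilities for the basic events.  Events absent here
# (oxygen, time to mix) are treated as always present.
SAMPLE_PROBS = {
    "overpressure": 0.01, "excessive temperature": 0.02, "corrosion or impact": 0.005,
    "inflow exceeds outflow": 0.05, "valve left open": 0.03,
    "opening a closed system": 0.04, "normal venting": 0.10,
    "lightning or static": 0.02, "electrical spark": 0.01, "hot surface": 0.02,
    "fire tube flashback": 0.01, "welding or smoking": 0.03,
    "inadequate containment": 0.50, "fall or trip": 0.05,
}


def basic_events(node):
    """Leaves (basic events) reachable from node."""
    leaves, stack, seen = set(), [node], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in TREE:
            stack.extend(TREE[n][1])
        else:
            leaves.add(n)
    return leaves


def occurs(node, state, eliminated=frozenset()):
    """Does `node` occur, given which basic events are true in `state`?
    Any node in `eliminated` (basic or intermediate) is forced false."""
    if node in eliminated:
        return False
    if node not in TREE:
        return state.get(node, False)
    gate, inputs = TREE[node]
    results = [occurs(i, state, eliminated) for i in inputs]
    return all(results) if gate == "and" else any(results)


def minimal_cut_sets(node):
    """The chains of the hazard tree: minimal sets of basic events that are
    jointly sufficient for `node`.  Eliminating any member breaks that chain."""
    if node not in TREE:
        return [frozenset([node])]
    gate, inputs = TREE[node]
    child_sets = [minimal_cut_sets(i) for i in inputs]
    if gate == "or":
        sets = {s for cs in child_sets for s in cs}
    else:
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def chain_broken(hazard, eliminated):
    """True if eliminating the given nodes with certainty makes the hazard
    impossible even when every other basic event occurs."""
    all_on = {e: True for e in basic_events(hazard)}
    return not occurs(hazard, all_on, frozenset(eliminated))


def undetectable_chains(hazard):
    """Chains with no sensor-detectable source: a process shutdown system
    designed per RP14C alone cannot defend against these."""
    return [cs for cs in minimal_cut_sets(hazard) if not (cs & DETECTABLE)]


def exact_probability(hazard, probs):
    """P(hazard) by enumerating every combination of basic events.  Exact even
    when one event feeds several branches (rupture feeds both oil spill and
    gas leak), which a naive per-gate product formula would get wrong."""
    events = sorted(basic_events(hazard))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        state = dict(zip(events, bits))
        p = 1.0
        for e, on in state.items():
            pe = probs.get(e, 1.0)
            p *= pe if on else 1.0 - pe
        if p > 0.0 and occurs(hazard, state):
            total += p
    return total
```

Calling `minimal_cut_sets("fire/explosion")` lists every four-event chain (one fuel source, one ignition source, oxygen, time), and `undetectable_chains` shows that the chains built from non-starred sources such as a valve left open or a hot surface remain whatever the shutdown system does, which is the chapter's point that an RP14C shut-in system by itself does not make a facility "safe". `chain_broken("fire/explosion", {"oxygen"})` is true because the fire/explosion gate is an AND, while eliminating only "rupture" is not enough because the other oil-spill and gas-leak sources remain. Enumeration costs 2^n evaluations for n basic events, so it suits a tree of this size; a real facility tree would use cut-set based approximations instead.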
... not properly designed and inspected, it may rupture before reaching 1,480 psi pressure. The primary defense to keep this from happening is to use the proper codes and design procedures and to ensure that the manufacture of the equipment and its fabrication into systems are adequately inspected. In the United States, pressure vessels are constructed in accordance with the ASME Boiler and Pressure Vessel ...

... occur if this particular check valve fails to close. Assuming this happens, some redundancy that keeps a source from developing must be located in the system. Next, the process would be evaluated for the second failure mode, that is, what occurs if the check valve leaks internally. Next, the process would be evaluated for the third failure mode of this check ...

... each piece of equipment (not each device) as an independent unit, assuming worst case conditions of input and output. Separators, flowlines, heaters, compressors, etc., function in the same manner no matter the specific design of the facility. That is, they have level, pressure and temperature controls and valves. These are subject to failure modes that impact the piece of equipment ...

... other hand, is not as severe. In this case, a drip pan to protect against oil pollution may be adequate back-up.

4. Assume that two levels of protection are adequate. Experience in applying FMEA analysis to production equipment indicates that in many cases only one level of protection would be required, given the degree of reliability of shutdown systems and the consequences of failure. However, it is more costly ...

... the SAT (with the exception of "gas make-up system") is listed. It must either be installed or it can be eliminated if one of the reasons listed is valid. (text continued on page 405)

Table 14-4
Safety Analysis Table (SAT) Pressure Vessels

Undesirable Event   Cause                          Detectable Condition At Component
Overpressure        Blocked or restricted outlet   ...
                    Inflow exceeds ...

... pressure vessels (Source: API RP 14C, 6th Edition, March 1998.)

4. PSVs on downstream equipment can satisfy relief equipment of the vessel and cannot be isolated from the vessel.
5. Vessel is final scrubber in a flare, relief, or vent system, is designed to withstand maximum built-up back-pressure, and has no internal or external obstructions, such as mist extractors, ...

... such as compressors, lean oil pumps, and direct fired heaters, and either shuts in the process or diverts flow around the process by closing inlet/outlet block valves and opening bypass valves. The second level shuts down the remaining utilities and support facilities, including generators and electrical feeds.

ANNUNCIATION SYSTEMS

These systems give early warning of impending trouble to allow personnel to take corrective action prior to a shut-in, and provide information about the initial cause of a shut-in. They are a vital part of any large shutdown system design. On smaller systems, process alarms may be minimal as there may not be sufficient time for personnel to react to the alarm ...

... also form the basis for the design of the logic necessary to carry out the functions that are to be performed when a sig... (text continued on page 410)

Figure 14-4. Safety analysis function evaluation (SAFE) chart for process flow in Figure 14-5. (figure continued on next page)
Figure 14-4. Continued.
Figure 14-5. Simple process flow diagram.

(text continued from ...