January/February 2014
How to Make Process Plants Inherently Safer
A 1974 disaster reshaped the ways engineers think about safety.
By Victor H. Edwards, Ph.D., P.E.
During the past 30 years, the 100 largest property damage losses in the energy and chemical industries have cost approximately $33 billion, not to mention the fatalities, injuries, environmental damage, and loss of production. For professional engineers ethically dedicated to protecting the safety, health, and welfare of the public as well as protecting the environment for future generations, the need for safer process industries is clear.
Process plants can be dangerous places. We work with energy products and chemical transformations that are driven by energy, and often hazardous substances or conditions must be employed. The fuels and industrial chemicals we use can be hazardous: fuels burn readily, with the release of energy; chemical reactions often involve large amounts of energy; and reactive chemicals can harm people and the environment.
Making a refinery or a chemical plant “inherently safe” may not be possible, but plants often can be made inherently safer through an approach pioneered by Trevor Kletz in response to the 1974 tragedy in Flixborough, England.
The Flixborough disaster occurred at a chemical plant with a very large inventory of hot liquid and flammable hydrocarbons. At the plant, cyclohexane was oxidized with air to a mixture of cyclohexanol and cyclohexanone, which are intermediates in the manufacture of nylon 6. Even with six large reactors operating at 155 degrees C and 10 atmospheres pressure, only 6% conversion was achieved by each pass through the reactor train. The six reactors were connected in series, with each reactor successively lower than the previous reactor, so that the reacting cyclohexane could flow by gravity from the first to the second, the second to the third, and so forth.
When a leak developed in Reactor 5, plant personnel decided to remove Reactor 5 for repairs and provide a large, temporary piping connection between Reactors 4 and 6. The bellows and piping, however, had not been properly engineered by a chartered engineer, and the only documentation for the change was a chalk drawing on the workshop floor. Additionally, pressure testing was not properly conducted on the new piping, and a process hazards analysis was not conducted on the design change to detect and mitigate any new hazards.
When the bellows failed in the temporary piping connecting the two reactors, 40 tons of hot cyclohexane vapor was released. The vapor cloud then exploded. Twenty-eight people were killed and much of the plant was destroyed. The loss of life would have been much greater had the incident not occurred on a Saturday.
A New Approach
Prior to 1977, the approach to process safety was to control hazards via improved procedures, additional safety interlocks and systems, and improved emergency response. In the wake of the Flixborough disaster, Kletz came up with a different idea: Change the process to eliminate the hazard completely, or reduce its magnitude sufficiently to eliminate the need for elaborate systems and procedures. His insights eventually led to what are now the four basic approaches to inherently safer processes.
1. Minimize
The first of the four approaches is to simply use smaller quantities of hazardous substances (a technique also called intensification). One example is a new process for cyclohexane oxidation that uses a gas-phase oxidation process that has a much lower inventory of cyclohexane at process temperatures and pressures than the six large reactors at Flixborough.
Another example of minimization comes from the 1984 tragedy in Bhopal, India, where the loss of containment of a large inventory of methyl isocyanate (MIC) killed at least 3,000 people and left more than 100,000 with permanent health effects. The MIC was an intermediate, but a large inventory was kept in tanks for convenience in operation, even though the plant was shut down at the time. During the plant shutdown and against safe practice, water entered a large MIC storage tank, possibly due to a leaky valve during cleaning of connected pipework. The water reacted with the MIC, causing an exothermic (heat-releasing) reaction. As a result of the heat release, the MIC boiled in the storage tank and MIC vapor vented through the pressure relief valve on the tank. During normal operation, the vapor from the pressure relief valve would be piped to a scrubber or to a flare, thus preventing an atmospheric release of MIC. However, the scrubber was not operating, and the pipe to the flare had corroded and been removed for replacement.
Like Flixborough, the Bhopal tragedy was a watershed event for the process industries and a wake-up call. In the US, one manufacturer was operating a plant that had been importing tank-car quantities of MIC from another US plant over a distance of 1,200 miles. Recognizing the potential hazards of shipping MIC, within six months after the Bhopal disaster the plant had installed a new process in which MIC was made at the site, eliminating the need to import it. In this process, the MIC was immediately reacted with 1-naphthol to form the desired crop-protection product.
Now, the new process never has more than a few pounds of the MIC intermediate in the plant at one time, and the plant has operated without any MIC releases since then.
2. Substitute
Replacing a hazardous substance with a less hazardous material is the second approach to inherently safer processes. For example, transporting and using aqueous sodium hypochlorite (bleach) may be safer than transporting liquefied chlorine under pressure. (In this case, however, more truck loads may be needed, so the entire supply chain should be examined.)
The production of acrylonitrile, which is used in the manufacture of plastics, provides another example. The hazardous route involves combining acetylene and hydrogen cyanide, both of which are highly flammable and explosive under the wrong conditions. Hydrogen cyanide is also very toxic.
A less hazardous route uses propylene, ammonia, and oxygen to produce acrylonitrile. Although propylene is flammable and ammonia will burn, explosion and toxicity hazards are much less with this route.
[Photo caption: The dilapidated premises of the infamous Union Carbide plant stand as a reminder of the 1984 tragedy that killed at least 3,000 people and caused many more to suffer permanent health problems. Photo by Giles Clarke/Getty Images]
3. Moderate
Creating an inherently safer plant can also be accomplished by using less hazardous conditions, a less hazardous form of a material, or facilities that minimize the impact of a release of hazardous material or energy (also called attenuation).
In the case of ammonia, which has numerous industrial uses, diluting it with water can create a safer environment. Anhydrous (100%) ammonia at typical ambient temperatures must be stored in pressure vessels (at 21 degrees C, the vapor pressure of anhydrous ammonia is 8.8 atmospheres). If containment is lost, the ammonia will quickly vaporize, forming a toxic and potentially flammable vapor cloud.
If ammonia is diluted with water to a concentration of 19%, however, the partial pressure of ammonia at typical ambient conditions is much less than one atmosphere. Therefore, the aqueous ammonia will not boil and form a large vapor cloud if containment is lost.
Similarly, the use of a lower temperature for storage of chlorine can create a safer environment. The lower temperature reduces the vapor pressure and can greatly decrease the size of any vapor clouds formed on accidental release.
4. Simplify
Kletz’s final rule is to design facilities that eliminate unnecessary complexity, make operating errors less likely, and are forgiving of errors when they happen (also called error tolerance). For engineers, this could mean using welded, not flanged, piping for highly toxic chemicals and designing vessels to withstand full vacuum to prevent collapse during vacuum conditions.
Other Inherently Safer Methods
In addition to Kletz’s four steps to inherently safer processes, three additional approaches are proposed here that deserve attention.
Hybridization: This method involves maintaining the original chemistry of the reaction but adding an additional chemical that transforms a potentially hazardous reaction process into a much safer one. This concept is based on work by Jenq-Renn Chen presented in a 2004 article in Process Safety Progress. Chen reported that adding water to cyclohexane decreased the flammability of oxygen/cyclohexane vapors without adversely affecting the basic cyclohexane oxidation process. This innovation prevents combustion from occurring in the gas phase in a gas-liquid reaction.
Stabilize or ensure dynamic stability: Not all process designs are inherently stable; in those that are not, stable operation is achieved using instrumentation and controls. Modify the process design so that it has wide operating limits and is less sensitive to variations in operating parameters. One example of this approach is to increase the rate of heat removal from a strongly exothermic reactor in a way that prevents runaway reactions.
Limit hazardous effects during conceptual and detailed engineering: Increase the spacing of process equipment and of potentially hazardous units to reduce the likelihood, severity, and consequences of vapor cloud explosions and other overpressure incidents.
The Path Forward
Inherently safer design is now a recognized and generally accepted good chemical engineering practice. It should now be standard practice to apply this approach in design, construction, operation, and maintenance of process plants. How?
- When planning to produce a new fuel or chemical product, examine alternative products and alternative process technologies to get the best inherently safer results.
- Review process design early in the creation or modification of a process plant to ensure that opportunities for inherent safety are incorporated. This can be done by a separate inherently safer review of the process or by incorporating the inherently safer concepts in the process hazards reviews during the design process.
- For existing process plants, look for inherently safer applications when doing the periodic reauthorization process hazards analyses.
It is also important to remember that although it is easier to design for inherent safety than to retrofit existing plants, one can still improve older plants by modifications to incorporate inherent safety principles and practices.
As professional engineers, we are obligated to be ever mindful of safety, and we have the opportunity to continue to incorporate inherently safer design, construction, and operation. One need look no further than the new generation of process plants that will be built in response to abundant new sources of natural gas and oil from shale (“Oil & Gas Rush,” PE, April 2013).
When designing these new facilities, comprehensive process safety management programs will be necessary, and inherently safer design will play a very important role.
NSPE member Victor H. Edwards, Ph.D., P.E., retired in July after 30 years at IHI E&C International Corp., where he served in process engineering positions, including director of process safety. He chaired the American Institute of Chemical Engineers’ Global Congress on Process Safety in 2013 and is an AIChE Fellow.
Methods of Reducing Process Risks
To prevent process plant incidents, there are four basic risk management strategies:
- Inherent safety: Eliminate the hazard by using materials and process conditions that are nonhazardous.
- Passive safety layers: Minimize the frequency or the consequence of any hazard by a design feature that does not require the active functioning of any device, for example, dikes and blast walls.
- Active layers of protection: Use controls, alarms, safety instrumented systems, and mitigation systems to detect and respond to process deviations, for example, a control loop that shuts off feed to a reactor when an abnormally high temperature is detected in the reactor.
- Procedural safety layers: Use policies, procedures, training, administrative checks, and emergency response to prevent incidents or to minimize the effects of an incident.