Ind. Eng. Chem. Res. 2004, 43, 5838-5845
Risk-Based Design of a Regenerative Thermal Oxidizer

Micaela Demichela* and Norberto Piccinini

Centro Studi su Sicurezza Affidabilità e Rischi (SAfeR), Politecnico di Torino, Dipartimento di Scienza dei Materiali e Ingegneria Chimica, C.so Duca degli Abruzzi 24, 10129 Torino, Italy

Following an explosion in a piece of equipment [a thermal oxidizer (Loss Prev. Bull. 2003, 170, 8-10)] employed for the purification of gas streams contaminated by volatile flammable compounds, a similar plant that is under construction was redesigned with a risk-based approach, to increase both the reliability and operational safety of the regenerative thermal oxidizer (RTO) and venting collection system (VCS). This paper, in particular, describes the methodologies that were used and the results that were obtained in terms of the reduction of the frequency of occurrence of the top event (TE) “Explosion in the venting collection system”. A recursive operability analysis (ROA) was performed to identify “primary events” that could lead to a possible explosion in the RTO or VCS, with their evolution toward the TE. Fault trees were then directly derived from the ROA tables, through an intermediate logic diagram, the incidental sequence diagram, and then quantified in order to assess the frequency of occurrence of a possible explosion. The modifications that were suggested, thanks to the risk-based approach, should reduce this frequency from 1.03 to 5.27 × 10⁻³ occurrences/year.

1. Risk-Based Approach in Design

A valid quantitative approach to a risk-based engineering design involves acquiring and incorporating all of the possible knowledge on the design into the decision process (refs 1-3). This means that empirical knowledge, phenomenological knowledge, and intuitive knowledge must be incorporated in a probabilistic framework. In the case under study, the empirical knowledge that was derived from an analysis of the accident that had occurred in a similar plant demonstrated the necessity of a better understanding of the process, which was obtained through a thermoanalysis of the process residues. On the basis of this analysis and of the relevant technical standards, a number of plant modifications were suggested.
Their effectiveness was then assessed through a quantitative risk analysis (QRA). Starting from the basic knowledge of the plant as formalized in a well-structured recursive operability analysis (ROA), it is possible to carry out a safety analysis by turning the features of both the fault trees (FTs) and event trees (ETs) to the best advantage, as illustrated in the flowchart in Figure 1 (ref 4). This full integration of qualitative and quantitative methods ensures the essential features for probabilistic safety analysis, namely, in qualitative terms, systematism, completeness, and congruence, and, in numerical terms, reliability and verification.

* To whom correspondence should be addressed. Tel.: +39 011 5644629. Fax: +39 011 5644665. E-mail: micaela.[email protected].

10.1021/ie0342208 CCC: $27.50 © 2004 American Chemical Society. Published on Web 08/25/2004

Figure 1. Flow chart to develop a quantitative safety analysis.

2. Description of the Plant

Thermal oxidation is an effective way of handling fast gas flows contaminated with relatively low concentrations of volatile flammable compounds (VFCs) through the use of a regenerative thermal oxidizer (RTO) (refs 5 and 6). In the plant that was the subject of this study, RTO is employed for the purification of gases extracted from an aluminum can painting unit. The units that were analyzed with the aim of identifying the critical components and operations were as follows:

Painting Section. Cans are painted in a coater station, in a deco station, and then, on the inside, in an internal lacquering station (Figure 2). After each station, the cans are conveyed to an oven (the drying step and Ross and internal bake ovens, respectively). Each oven has a chimney and its own collection system, which are identified by the numbers 11, 12, and 19 in Figure 2.

Venting Collection System (VCS). The VCS is about 73 m long and 1.5 m in diameter. With reference to Figure 2, the gases discharged from the ovens (pipeworks 11, 12, and 19) are collected in the main duct and then conveyed to the RTO. The gases from the internal lacquering stations, instead, are not conveyed to the RTO because the dusts that are generated (classified as St 3, the most dangerous class according to the Bartknecht classification (ref 7)) are collected in a bag filter. VCS operating conditions are as follows:
(i) Flammable substances normally present in flue gases are at a concentration of about 0.1% of the lower explosion limit (LEL).
(ii) The whole system works slightly under pressure thanks to a fan that is located downstream of the RTO.
(iii) The total flow rate of the flue gases is about 13 700 m³/h at 130 °C in the main duct.
(iv) The solvent flow rate in the flue gases exceeds 5 kg/h.

RTO. The polluting charge is burnt in a combustion chamber (Figure 3) that is built on five towers containing ceramic saddle beds. A part of the sensible heat of the flue gases is recovered thanks to the cyclic operation of the towers. In the inlet phase, the process air rises through the beds and reaches a temperature that is close to the combustion chamber temperature (T ≈ 800 °C). Two methane burners are present in case extra heat is needed. In the subsequent outlet phase, the flue gases pass down through the ceramic saddle beds. The beds thus absorb part of the sensible heat of the gases, and the towers are then reset for the subsequent inlet phase. During this inversion phase, about half the volume of the towers is occupied by a plug flow of process air that has not yet reached the combustion chamber. A fraction of the flue gases is therefore withdrawn into the chamber (purge phase).

3. Empirical Knowledge: Analysis of the Accident

The accident occurred in a plant with a three-tower RTO used to abate volatile organic carbon emissions from a painting line that is almost identical with the one described in this paper. Its safety relied only upon a sprinkler extinguishing system with breakable bulb detectors inside the VCS pipework.
The accident started from a localized fire and rapidly developed into an explosion, with the release of flammable gases and flames from several collapsed pipes. An examination of the damage showed that ignition occurred in one of the towers. It is known that flue gases tend to deposit considerable quantities of flammable material along the inner surfaces of the pipework (20 cm of resins was found inside the pipework). Furthermore, a thermoanalysis of the deposits demonstrated that (i) the source of the flammable atmosphere was the exothermic decomposition of the deposits (if their quantity had been sufficiently high, the LEL could have been reached) and (ii) the self-igniting temperature of the vapors that were generated from the decomposition (about 450-480 °C) lay within the operating range of the towers (from 137 °C at the bottom to 810 °C near the combustion chamber). The results of the investigation highlighted the importance of determining the chemical and physical characteristics of the substances that are present in the VCS, without neglecting the deposits that flue gases may form.

Figure 2. Flow sheet of the plant.

Figure 3. RTO.

Table 1. Flue Gas Composition and Flow Rates
columns: solvent; chimney 11, chimney 12, chimney 19, each with concn [mg/Nm³] and flow rate [g/h]
solvents: 2-methoxyethanol; n-butanol; methyl isobutyl ketone; xylene (isomers); 2-butoxyethanol; other solvents (such as xylene)
5.76 15.24 1.00 13.25 25.87 279.50
15.35 40.61 2.66 26.68 68.41 744.86
21.50 40.26
64.71 121.18
53.41
192.00
8.31 151.88 913.80
25.01 457.15 2750.50
54.55 107.96
196.13 388.91

4. Phenomenological Knowledge: Thermoanalysis

Both the flue gases and the deposits were then characterized with the aim of (i) identifying both the nature and quantity of hydrocarbons in the 11, 12, and 19 chimney flue gases, (ii) assessing the flammability properties of the pipework deposits and identifying their pyrolysis products, and (iii) characterizing the decomposition process as a function of the temperature. The flue gas samples that were drawn from each stack (11, 12, and 19), when analyzed through gas chromatography, revealed the composition shown in Table 1. Pipework residues were analyzed through differential scanning calorimetry. The samples (five for each stack) were heated from 20 to 450 °C at a 10 °C/min rate; all of them showed a general endothermic behavior due to pyrolysis phenomena at low temperatures (450 >450
one exothermic peak due to polymerization of the nonreacted paint between 150 and 230 °C. In the samples from stack 11 (the drying step), a second exothermic peak was found between 230 and 320 °C (Figure 4) as a result of decomposition of the deposit to form flammable vapors. The residues reach their glass transition at about 140 °C; therefore, the residue can be considered as a liquid at higher temperatures. The vapor flammability in the air stream was assessed, obtaining the results reported in Table 2.

5. Process and Plant Modification

Because there are a number of permanent sources of ignition in the plant (production oven burners, RTO combustion chamber burners, the high temperature in the RTO ceramic saddle beds, and so on), it is necessary to maintain the flammable vapor concentrations at levels lower than LEL to avoid fires and explosions. The results of the thermoanalysis thus highlighted the effectiveness of combining the flows from the drying step (45 °C) and the Ross oven (225 °C). The resulting temperature of about 140 °C allows a gradual decomposition of the solid residues without generating gas mixtures in the flammability range.

The following safety measures have also been introduced (refs 8 and 9):
(i) Periodic inspection and cleaning procedures. Through an inspection and “housekeeping” procedure, the thickness of the deposits is maintained lower than 2 cm in all of the VCS pipeworks.
(ii) Flammability monitors (FMs). Four continuously operating FMs were installed along the VCS pipework and connected to the alarm and automatic plant shutdown devices, which are described in Table 3.
(iii) Fireproofing system (FPS). An FPS endowed with an alternating series of sprinklers and water spray nozzles was installed (refs 10 and 11). The bulbs break at 160 °C.
(iv) Deflagration vents (DVs) and protection barriers in the discharge area. The VCS venting system is made of 12 DVs, which were installed where flue gases change flow direction. The blowoff area for the RTO was divided into five DVs, one for each tower (refs 12 and 13).

6. Probabilistic Framework

A ROA, an advanced development of the classical HazOp directed toward the elaboration of logic trees, was used to verify the effectiveness of the proposed modifications (refs 14 and 15). The ROA allows six TEs to be identified, these being critical operating states due to the nonintervention of their protection systems following a process deviation. Table 4 shows the portion of the ROA that relates to TE 1: Explosion generated by the accumulation of deposits and their subsequent decomposition into VFC. This was the only TE under study because it represents the sequence of events that could lead to an accident similar to the one that actually occurred. A detailed piping and instrumentation (P&I) diagram of the VCS is shown in Figure 5.

The relevant process variable is the VFC concentration in the VCS. The deviation that was detected (“high VFC concentration, 15% LEL”) is caused by decomposition of the deposits. The consequence of this deviation is a very high VFC concentration that forms in the absence of the intervention of either the plant shutdown (ASH-400) or the operator (alerted by AAH-400). The recursive mechanism is clearly visible in the next step: consequence “3. very high VFC concentration, 35% LEL” becomes a deviation (shift from the third to the first column); the cause can only be due to the previous deviation, i.e., “3. high VFC concentration, 15% LEL” (shift from the first to the second column).
This leads to the identification of a new consequence that arises from the nonintervention of the protective means: “Explosive mixture in the VCS”. Failure of the DVs, because of damage or design errors, results in TE 1.

Table 3. FM Alarms and Shutdown Devices

alarm and interlock devices: description

high concentration ASAH-400: shutdown and the conveyance of fresh air into the plant activated when all of the detectors reach the threshold value (a)

very high concentration ASAHH-400: alarm set at 35% of the LEL; shutdown occurs when all of the detectors (AI-401/404) reach this threshold value at the same time; fresh air is conveyed into the plant (a), the production oven burners and the RTO are turned off, and the vent valves on the towers are opened

detector malfunctioning: detectors automatically check their own operating conditions; a periodic calibration system was installed on the line; each detector activates an alarm when it detects its own malfunctioning; the shutdown device comes into operation if AI-401 and AI-404 malfunction at the same time, and fresh air is conveyed into the plant (a)

(a) Opening of the XV-442 and XV-482 butterfly valves and deviation of the flue gases into the atmosphere.

Table 4. ROA of VCS (a)

(a) Asterisks indicate primary events. HE: human error.

Development of Logic Trees. ROA both realizes the full value of the classic strong points of the method, namely, the systematic nature and completeness of the analysis, and enables simple checks to be made of the real attainment of the objectives. In addition, direct extraction of the incidental sequence diagram (ISD) from an ROA provides an otherwise impossible check of the congruity of the analysis and a rapid development of FT and ET (refs 4, 14, and 15). The ISD in Figure 6 graphically represents the logical links within TE 1 (explosion), its primary causes, and nonintervention of the protection systems. ISD stops at the depth reached by ROA. When the events that cause the nonintervention of protective means are fully developed, a FT is obtained (Figure 7).

A reduction and quantification of the FT was performed using ASTRA (refs 16 and 17), software that was developed by JRC-Ispra. The failure rates and unavailability data reported in Figure 7 come from the literature (refs 18 and 19). All of the components were considered to be unrepairable; the test time interval (θ) for the protective systems was 6 months. The mission time was calculated considering 5 working days/week. The common cause failures for redundant components, mainly owing to the breakdown of plant utilities (power, air, etc.), were neglected because of a highly reliable independent system dedicated to safety equipment.

Figure 5. P&I diagram of the VCS.

Figure 6. ISD of TE 1.

Nine minimal cut sets (MCSs) were obtained with orders ranging from 5 to 7. The most critical ones were as follows:
MCS 1. (E01, E09, E11, E12, E13, E14) ⇒ W1 = 2.77 × 10⁻³ occurrences/year.
MCS 2. (E01, E04, E05, E09, E11, E12, E16) ⇒ W2 = 9.94 × 10⁻⁴ occurrences/year.
MCS 3. (E01, E04, E05, E09, E13, E14, E16) ⇒ W3 = 9.94 × 10⁻⁴ occurrences/year.
The whole frequency of occurrence of TE 1 was W = 5.27 × 10⁻³ occurrences/year.

Because primary events E01 (nonintervention of DV) and E09 (nonobservation of cleaning procedures) appear in all of the MCSs, it is clear that they indicate the occurrence frequency of each MCS. It can therefore be supposed that an even better result could be obtained by keeping the thickness of the deposits down throughout the VCS and designing appropriate DVs with their maintenance procedures.

The situation prior to the accident can be illustrated by the FT of Figure 7 if event G12 is replaced by TE 1. When the accident occurred, there were, in fact, no FMs with their respective “high” and “very high” VFC concentration alarms nor DVs. The frequency of occurrence of a possible explosion in the plant where the accident occurred can be assessed through the calculation of the gate G12 frequency of occurrence because no protective means were installed. This results in an expected number of failures (ENOF) (explosion) of 1.03 occurrences/year. The FTA results, therefore, confirm the effectiveness of the modifications of the risk-based design project and show further possibilities of improvement.
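
The cut-set reasoning above, as an added example that is not part of the original paper: it expands a small AND/OR fault tree into minimal cut sets and then ranks primary events using the three MCSs and frequencies quoted in the text. The tree structure, the gate names and every event name other than E01 and E09 are constructed assumptions, since Figure 7 is not reproduced here.

```python
from itertools import product

# Constructed, simplified tree following the ROA chain in the text: deposits
# decompose (E09), the "high" and "very high" trips both fail, the DVs fail (E01).
# Gate names, structure and every event except E01 and E09 are assumptions.
TREE = {
    "TE1": ("AND", ["E01", "EXPLOSIVE_MIXTURE"]),
    "EXPLOSIVE_MIXTURE": ("AND", ["VERY_HIGH_VFC", "NO_VERY_HIGH_TRIP"]),
    "VERY_HIGH_VFC": ("AND", ["E09", "NO_HIGH_TRIP"]),
    "NO_HIGH_TRIP": ("OR", ["FM_HIGH_FAILS", "SHUTDOWN_FAILS"]),
    "NO_VERY_HIGH_TRIP": ("OR", ["FM_VERY_HIGH_FAILS", "SHUTDOWN_FAILS"]),
}


def cut_sets(tree, node):
    """Expand a gate top-down into cut sets (frozensets of primary events)."""
    if node not in tree:  # a leaf is a primary event
        return {frozenset([node])}
    kind, children = tree[node]
    expanded = [cut_sets(tree, child) for child in children]
    if kind == "OR":  # any single child's cut set is enough
        return set().union(*expanded)
    # AND: take one cut set from every child and merge them
    return {frozenset().union(*combo) for combo in product(*expanded)}


def minimal(sets):
    """Absorption: discard cut sets that strictly contain another cut set."""
    return {s for s in sets if not any(other < s for other in sets)}


# The three cut sets and frequencies (occurrences/year) listed in the paper.
PUBLISHED = [
    ({"E01", "E09", "E11", "E12", "E13", "E14"}, 2.77e-3),
    ({"E01", "E04", "E05", "E09", "E11", "E12", "E16"}, 9.94e-4),
    ({"E01", "E04", "E05", "E09", "E13", "E14", "E16"}, 9.94e-4),
]
W_TOTAL = 5.27e-3  # the paper's TE 1 frequency, covering all nine MCSs


def common_events(mcs_list):
    """Primary events present in every cut set of the list."""
    return set.intersection(*(set(m) for m in mcs_list))


def share_through(event):
    """Share of W_TOTAL carried by the listed cut sets that contain `event`.

    Treating W_TOTAL as the sum over cut sets, this is a lower bound on the
    event's Fussell-Vesely importance: six of the nine MCSs are not listed.
    """
    return sum(w for events, w in PUBLISHED if event in events) / W_TOTAL


if __name__ == "__main__":
    for mcs in sorted(minimal(cut_sets(TREE, "TE1")), key=len):
        print(sorted(mcs))
    print("in every listed MCS:", sorted(common_events(e for e, _ in PUBLISHED)))
    for ev in ("E01", "E11", "E16"):
        print(ev, round(share_through(ev), 3))
```

In the constructed tree the shared shutdown event absorbs three of the four expanded cut sets, which is why reduction precedes quantification; in the published data the three listed MCSs already account for about 90% of W.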

The other TEs identified through the ROA are not affected by the plant modifications suggested. As can be seen in the flow sheet in Figure 1, the second logic tree that can be readily extracted from an ROA is the ET. This diagram identifies, and in some cases quantifies, the possible consequences of an initiating event. Account is also taken of the events that consist of the complete or partial intervention of the means of protection (refs 4 and 14). The ET developed for this plant (Figure 8) validated the intervention sequence of the means used to protect the VCS.

Figure 7. FTA of TE 1.

Figure 8. ET for TE 1.

7. Conclusions

Following an explosion that occurred in an RTO of a can painting shop, a risk analysis was performed on a similar plant in order to modify its design before it was constructed and the production started. A risk-based
design approach was adopted. The empirical knowledge obtained from the accident analysis highlighted the need for a better phenomenological knowledge of the characteristics and the behavior of the solid residues released into VCS pipeworks from flue gases. This was achieved through the thermal analysis of the residues themselves. It was found that the more dangerous residues were released by the drying flue gases and that, to control
their decomposition in order to avoid the formation of vapor mixtures within flammable limits, the temperature of the flue gases must be kept at around 140 °C. To maintain this temperature, the drying step flue gases were collected in the same duct as those from the Ross oven. A number of preventive and protective measures were also suggested: (i) periodic inspection and cleaning procedures; (ii) FMs; (iii) FPS; (iv) DVs and protection barriers in the discharge area. These measures were included in a probabilistic framework in order to verify their effectiveness. The ENOF (explosion) was assessed through the quantitative solution of a FT that was directly drawn from the tables of a ROA performed on the plant. The value decreased by 3 orders of magnitude when the suggested preventive and protective measures were considered: from 1.03 occurrences/year (for the plant in which the explosion occurred) to 5.3 × 10⁻³ occurrences/year. This value thus confirms the effectiveness of the suggested measures and also that of the risk-based approach as a tool to improve plant design.

Acknowledgment

An early version of this study was presented at the ESREL 2001 European Conference (ref 20).

Notation

DSC = differential scanning calorimetry
DV = deflagration vent
ENOF = expected number of failures
ET = event tree
FM = flammability monitor
FPS = fireproofing system
FT = fault tree
FTA = fault tree analysis
HE = human error
ISD = incidental sequences diagram
JRC = Joint Research Center-Ispra (VA), Italy
LEL = lower explosion limit
MCS = minimal cut set
Q = unavailability
QRA = quantitative risk analysis
θ = test time interval
ROA = recursive operability analysis
RTO = regenerative thermal oxidizer
VCS = venting collection system
VFC = volatile flammable compound
TE = top event
W, W′ = occurrence frequency
λ = failure rate
μ = repair rate

Literature Cited

(1) Turney, R. Explosion within a thermal oxidizer. Loss Prev. Bull. 2003, 170, 8-10.
(2) Galvagni, R.; Clementel, S. Risk Analysis as an instrument of design. In Safety Design Criteria for Industrial Plant; Cumo, M., Naviglio, A., Eds.; CRC Press: Boca Raton, FL, 1989.
(3) Antona, E.; Fragola, J.; Galvagni, R. Risk-based decision analysis in design. 4th SRA Europe Conference, Rome, Italy, Oct 18-20, 1993.
(4) Piccinini, N.; Scarrone, M.; Ciarambino, I. Probabilistic analysis of transient events by an event tree directly extracted from operability analysis. J. Loss Prev. Process Ind. 1994, 7, 2332.
(5) Waldern, P. J.; Nutcher, P.; Lewandowski, D. Options for VOC reduction in a Regenerative Thermal Oxidizer (RTO). Emerging Solution VOC Air Toxic Control; Air and Waste Management Association: Pittsburgh, PA, 1996; pp 462-483.
(6) Self, F. E.; Hill, J. D. Safety considerations when treating VOC streams with Thermal Oxidizer. AIChE 1997 Spring National Meeting Case Histories and Miscellaneous Topics; AIChE 31st Annual Loss Prevention Symposium, Houston, TX, Mar 1997.
(7) Eckhoff, R. K. Dust Explosions in Process Industries; Butterworths-Heinemann: Oxford, 1991.
(8) Clark, D. G.; Sylvester, R. W. Ensure Process Vent Collection System Safety. Chem. Eng. Prog. 1996, 1, 65-77.
(9) Thomas, C. D.; Schoenmaker, G. Implement Proper Furnace Safety Interlocks. Chem. Eng. Prog. 1996, 7, 45-49.
(10) National Fire Protection Association. Installation of Sprinkler Systems; National Fire Protection Association: Boston, 1994; p 13.
(11) National Fire Protection Association. Water Spray Fixed Systems for Fire Protection; National Fire Protection Association: Boston, 1994; p 15.
(12) National Fire Protection Association. Standard on Venting of Deflagration; National Fire Protection Association: Boston, 1994; p 68.
(13) National Fire Protection Association. Standard on Explosion Prevention Systems; National Fire Protection Association: Boston, 1992; p 69.
(14) Piccinini, N.; Ciarambino, I. Operability analysis devoted to the development of logic trees. Reliab. Eng. Syst. Saf. 1997, 55 (3), 227-241.
(15) Demichela, M.; Marmo, L.; Piccinini, N. Recursive Operability Analysis Of Systems With Multiple Protection Devices. Reliab. Eng. Syst. Saf. 2002, 77, 301-308.
(16) Contini, S.; de Cola, G.; Wilikens, M.; Cojazzi, G. ASTRA, an integrated tool set for complex systems dependability studies. Workshop on Tool Support for System Specification, Development and Verification, Malente, Germany, 1998.
(17) Contini, S. Recenti Sviluppi metodologici dell’analisi degli alberi di guasto. Valutazione e gestione del rischio negli insediamenti civili e industriali, Convegno nazionale VGR 98, Pisa, Oct 1998.
(18) Center for chemical process safety of the AIChE. Guidelines for process equipment reliability data; AIChE: New York, 1989.
(19) Procaccia, H.; Arsenis, S. P.; Aufort, P. European Industrial Reliability Data bank, 3rd ed.; Crete University: Iraklion, 1998.
(20) Piccinini, N.; Quattrini, A.; Rapone, N. The Safety of A Regenerative Thermal Oxidiser and its Venting Collection System. ESREL 2001, Torino, Italy, Sept 16-20, 2001.

Received for review October 29, 2003
Revised manuscript received June 9, 2004
Accepted June 17, 2004
IE0342208