

The Chemical Safety Board (CSB) has just released one of its excellent videos. This one is to do with an accident that occurred at the Superior Refinery in the year 2018. The following quotation is taken from the report’s Summary.
Refinery shutdowns, as well as startups, can be particularly dangerous because processes are not in normal operation mode. Our investigation found that critical safeguards were not in place during this shutdown, and the procedures followed at the refinery were not correct.
Most process facilities are steady state. (Even batch operations are steady state inasmuch as they repeat a sequence of actions that do not vary much from batch to batch.) Therefore, start-up and shutdown are hazardous times because operating conditions are not steady. Moreover, the operations personnel may not have all that much experience of starting and stopping the facility.
With these thoughts in mind, I have reproduced some of the material to do with shutdown procedures from our book Process Risk and Reliability Management.
Procedures for (planned) shutdowns have the same features as start-up instructions, except that they are carried out in the reverse order. The starting point is the facility in full operating mode; the end point is having the facility shut down, with equipment cleared of chemicals so that maintenance can work on it. In many cases, shutdowns are only partial; for example, if a pump seal has failed, and the pump has to be isolated, the facility may be put in a stand-by condition in which temperatures and pressures are maintained, and only the section to do with the pump is actually shut down.
Dynamic Conditions
One important difference between shutdown and start-up is that, if something goes wrong during a start-up, particularly in the early stages, it is possible to stop further action and to take time to correct what has gone wrong. The system is probably in a safe condition at that point. For example, if the first step in the start-up of a distillation column is to put feed into the tower, a failure of the feed pump will mean that the tower will remain in a de-inventoried condition. With shutdowns, however, equipment problems can create hazardous situations. For example, if the distillation column is being deinventoried into a holding tank, and the tank is being pumped out to another section of the facility, failure of the tank pump could lead to the tank overflowing.
The potential hazards associated with shutdown are analogous to flying an airplane. If, during the ‘start-up’ of an airplane something goes wrong, such as the engines fail to start or the brakes will not release, the plane will remain on the ground in a safe condition until the problem is fixed. On the other hand, if the engines fail on a plane that is coming in to land, or if the brakes fail after landing, an accident will ensue.
Levels of Shutdown
If operating conditions deviate sufficiently from the safe state, various levels of automatic shutdown can be implemented. The following system is representative.
Stand-By
A facility is said to be on stand-by operation when most of the equipment is running normally. Only the items that are being worked on are actually shut in. During stand-by operation no feed is entering the unit, nor is any product being made. Operating conditions are kept as close to normal as possible so that the facility can be restarted with minimal effort. For example, distillation columns are put on total reflux, vessels are operated at their normal level and rotating equipment is kept running. Only the items that are actually being repaired are taken out of service.
Unit Shutdown
A normal shutdown is that state where all rotating equipment, heaters and other unit operations are stopped. No attempt is made to keep the unit in a partially operating state. However, equipment is not de-inventoried, nor is anything purged except for the equipment that is being worked on.
This type of shutdown is one that affects just a local operating unit. Equipment in that unit should be brought to a safe state, but it will be on stand-by, i.e., ready for immediate restart once conditions are back to normal. Normally, other units in the facility, including the utilities area, will continue operations at this level of shutdown. However, quick action may be required before the local shutdown leads to a shutdown of the whole process.
Facility Shutdown
When the whole facility or plant is to be shut down, additional ripple effects can be caused by issues such as:
Loss of instrument air pressure;
Loss of control hydraulic pressure;
Loss of main electrical power;
Operator intervention; and
High liquid level in the flare knock-out pot.
Emergency Shutdown
An emergency shutdown is initiated when either an operator or the safety instrumentation system deems that the situation is so critical that immediate injury to personnel could occur. It will be initiated by actions such as the following:
Manual action — usually through use of a remotely operated pushbutton;
Confirmed gas detection in any non-hazardous area;
Confirmed toxic gas detection in non-designated areas; and
Confirmed fire detection in specific areas.
An emergency shutdown will operate all automatic safety valves and blow down inventories to a safe location (such as the flare) according to the Cause-and-Effect charts. Similarly, utilities will be de-energized, although the charts may call for some systems — such as electrical power — to remain active. Fire pumps, emergency generators and other emergency equipment will be brought on line using their dedicated fuel supply (such as diesel) as called for.
Some facilities — particularly those offshore — require personnel to evacuate during an emergency shutdown. The emergency systems continue to operate, but the personnel abandon the facility by lifeboat or helicopter.
Turnaround
When a facility is shut down for turnaround, it is completely deinventoried and purged. Blinds are installed, instruments are disconnected, and safety systems are bypassed. Generally, all vessels are made ready for maintenance and personnel entry. Control of the facility is transferred from the operations department to the maintenance or project department.