You must log in to edit PetroWiki. Help with editing

Content of PetroWiki is intended for personal use only and to supplement, not replace, engineering judgment. SPE disclaims any and all liability for your use of such content. More information

PEH:Safety Systems

Jump to navigation Jump to search

Publication Information


Petroleum Engineering Handbook

Larry W. Lake, Editor-in-Chief

Volume III – Facilities and Construction Engineering

Kenneth E. Arnold, Editor

Chapter 10 – Safety Systems

Maurice I. Stewart Jr., Stewart Training Co., and Kenneth E. Arnold, AMEC Paragon

Pgs. 395-438

ISBN 978-1-55563-116-1
Get permission for reuse

Production facilities usually operate according to design. Oil and gas travel from the reservoir to the surface facilities where they are separated, cleaned, and measured and then sent through a pipeline to the end user. During most of this process, everything operates according to plan. Occasionally, problems occur, things break, malfunctions happen, settings change, horns go off, and shut-ins take place. Such problems usually can be solved quickly and easily without negative consequences. Unfortunately, some problems have the potential for serious consequences such as injury to personnel, pollution of the environment, and loss of company assets. Understanding, preventing, or minimizing potential negative consequences requires a fundamental understanding of basic protection concepts and safety analysis.

This chapter summarizes the basic protection concepts required for the safe design and operation of a production facility. The chapter begins by developing a hazard tree for a generic production facility and then illustrates how hazards analysis can be used to identify, evaluate, and mitigate process hazards. In addition, this chapter reviews the safety-analysis technique presented in the American Petroleum Inst.’s (API’s) Recommended Practice (RP) 14C.[1] The chapter concludes with a discussion on relief-valve selection and sizing and vent, flare, and relief-systems design.


Basic Protection Concepts

Most threats to safety from production involve the release of hydrocarbons; therefore, the analysis and design of a production-facility safety system should focus on preventing such releases, stopping the flow of hydrocarbons to a leak if it occurs, and minimizing the effects of hydrocarbons should they be released.

Prevention. Ideally, hydrocarbon releases should never occur. Every process component is protected with two levels of protection: primary and secondary. The reason for two levels of protection is that if the first level fails to function properly, a secondary level of protection is available.

Shut-In. If hydrocarbon releases occur (and, in spite of our best efforts, they sometimes do), inflow to the release site must be shut off as soon as possible. The problem should not be exacerbated with the continued release of additional hydrocarbons. Protective shut-in action is achieved by both the surface safety system (SSS) and the emergency support system (ESS). Shut-in systems are discussed in more detail in Sec. 10.2.8.

Minimizing. When hydrocarbons are released, their effects should be minimized as much as possible. This can be accomplished through the use of ignition-prevention measures and ESSs (i.e., the liquid-containment system). If oil spills from a process component, a release of hydrocarbons has occurred. A spill is never good, but component skids and deck drains (if offshore) minimize the effect of a bad situation when the spill would otherwise go into a freshwater stream or offshore waters.

Hazard Tree

A hazard tree identifies potential hazards, determines the conditions necessary for a hazard to exist, determines sources that could create this condition, and breaks the chain leading to the hazard by eliminating the conditions and sources. Because complete elimination is normally not possible, the goal is to reduce the likelihood of occurrence. With statistical analysis, the probability of occurrence can be determined. The effect of a safety procedure or device that reduces the probability of a condition or source occurring also can be quantified with this tool.

A hazard tree is somewhat subjective in that different evaluators may classify conditions and sources differently or they may carry the analysis to further levels of sources. The hazard tree helps the investigator focus attention on all of the aspects to be considered. No matter how the tree is formulated, conclusions reached concerning the design, maintenance, traffic patterns, lighting, etc., should be similar.

General-Production-Facility Hazard Tree. A hazard tree for a generic production facility is shown in API RP 14J.[2] It should be equally valid for an offshore or onshore facility. The major hazards are those of oil pollution, fire/explosion, and injury. [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]

Oil Pollution. Oil pollution derives from an oil spill that can be caused by one of the conditions shown in the general production facility hazard tree. If an oil spill were to occur, pollution could be avoided by installing adequate containment. Requirements for tank dikes, drip pans (offshore), and sumps reduce the probability of oil pollution from most small spills.

Fire/Explosion. An oil spill or gas leak can provide fuel for a fire/explosion. An ignition source and oxygen are also required. The use of gas blankets minimize oxygen entry while good electrical design minimizes ignition sources.

Injury. Injury can occur directly from an explosion, an out-of-control fire, or one of the other conditions shown in the general production facility hazard tree. If there is sufficient warning before a fire develops, there should be enough time to escape before injury occurs. If the fuel can be shut off and adequate fire-fighting equipment is present to control the fire before it becomes a large fire, the probability of injury is small.

The inability to escape increases the probability of injury from any of these conditions. All the conditions are more likely to lead to injury the longer personnel are exposed to the situation; therefore, escape routes, lighting, appropriate survival capsules/boats (if offshore), and fire barriers all lead to a reduction in the probability of injury.

Severity of Source. The hazard tree helps identify the severity of a source that can lead to a hazardous condition. Some of these sources are discussed here.

Overpressure. Overpressure can lead directly to all three hazards. It can lead directly and immediately to injury; it can lead to fire/explosion if there is an ignition source; and it can lead to pollution if there is insufficient containment. Because of the hazard potential, a very good level of assurance is needed that the probability of overpressure occurring is very small.

Fire Tubes. Fire tubes can lead to fire/explosion if there is a leak of crude oil or glycol into the tubes or if there is a failure of the burner controls. An explosion could be sudden and lead directly to injury; therefore, a high degree of safety is required.

Excess Temperature. Excess temperature can cause premature equipment failure at a pressure below its maximum design working pressure. Excess temperature can create a leak, potentially leading to fire/explosion if gas leaks or oil pollution if oil leaks. This type of failure should be gradual, giving off a warning as it develops, and thus does not require as high a degree of protection as those mentioned previously.

Leaks. Leaks rarely lead directly to personnel injury, but they can lead to fire/explosion if there is an ignition source and to oil pollution if there is inadequate containment. The immediacy and magnitude of the developing hazard will be less than with overpressure; thus, although it is necessary to protect against leaks, this protection will not require the same level of safety required for overpressure.

Inflow Exceeds Outflow. Inflow exceeding outflow can lead to oil pollution if there is inadequate containment and can lead to fire/explosion and, thus, to injury if an oil spill occurs. This condition is more time dependent and lower in magnitude of damage; therefore, an even lower level of safety will be acceptable.

Need for Other Protection Devices. The hazard tree also helps identify other protection devices to include in equipment design that may minimize the possibility that a source will develop into a hazardous condition. Additional protection devices that might be included are flame arrestors, stack arrestors, gas detectors, fire detectors, and manual shutdown stations. A hazards analysis can determine the need for safety devices and safety systems.

Hazards Analysis

A hazards analysis identifies potential hazards, defines conditions necessary for each hazard, and identifies the source for each hazard. A hazard tree identifies potential hazards and determines the conditions necessary for these hazards to exist. A hazards analysis starts at the hazard tree’s lowest level and attempts to break the path leading back to the hazard by eliminating one of the conditions.

Many of the sources and conditions identified on the hazard tree require considerations that have nothing to do with the way the process is designed, such as escape paths, electrical systems, fire-fighting systems, and insulation on piping. A facility designed with a safety shutdown system is not necessarily "safe"; it has an appropriate level of devices and redundancies to reduce the risk of occurrence of those sources and conditions that can be anticipated by sensing change in process conditions. A hazard tree helps identify protection devices for inclusion in equipment design (e.g., flame/stack arrestors on fire tubes). Much more, such as maintenance, operating procedures, testing, and drills, is required if the overall probability of any one chain leading to a hazard is to be acceptable.

Primary Defense

The best defense against an undesirable event is the use of appropriate industry codes and design procedures. The defense also should ensure adequate inspection of the equipment and its fabrication into systems. If this is not done, sensors cannot sufficiently protect against overpressure, leaks, or other hazards.



RP 14C[1] is a safety-analysis approach based on a number of traditional hazards-analysis techniques such as failure-mode-effects analysis (FMEA) and hazard-and-operability studies (HAZOPS). The purpose of a safety analysis is to identify undesirable events that might pose a threat to safety and define reliable protection measures that will prevent such events or minimize their effects should they occur. Potential threats to safety are identified through proven hazards-analysis techniques that have been adapted to hydrocarbon-production processes. Recommended protective measures are common industry practices proved through many years of operating experience. The hazards analysis and protective measures have been combined into a "safety analysis" for onshore and offshore production facilities.

The RP 14C[1] safety analysis is based on the following premises.

  • Process components function in the same manner regardless of specific facility design.
  • Each process component is analyzed for "worst case" input and output conditions.
  • If fully protected when analyzed standing alone, the analysis will be valid for that component in any configuration.
  • If every component is protected, the system will be protected.
  • When components are assembled into a system, some devices can be eliminated.

The major benefits of this analysis are concise, easy-to-audit documentation; minimized subjective decisions; and consistent results.

The remainder of Sec. 10.2 explains the basic concepts of protection used in the analysis, discusses the methods of analyzing the process, and establishes design criteria for an integrated safety system. The entire production process is covered, and a step-by-step summary for performing a safety analysis is provided.

Process Variables

There are four main process variables in upstream production facilities: pressure, liquid level, temperature, and flow. A variable fluctuates between a lower and an upper extreme value. For example, the liquid level within a vessel can fluctuate from the bottom of the vessel (empty) to the top (full). Process variables allow movement of the fluids through the process components while simultaneously achieving the degree of separation required for sales or water disposal.

Process Components

A process component is any piece of equipment that handles hydrocarbons. Identifying all the components that handle hydrocarbons in a production facility would be overwhelming. Instead of listing components by their common name, RP 14C[1] lists components by their functions, thus decreasing the number of names from hundreds to only ten. Regardless of what a piece of equipment is called, it can be described as one of the following ten process components: wellheads and flowlines, wellhead injection lines, headers, pressure vessels, atmospheric vessels, fired and exhaust-heated components, pumps, compressors, pipeline, and shell-and-tube heat exchangers.

Normal Operating Ranges

Whenever hydrocarbons are present in a process component, each of the four main process variables take on some value. Values at which the variables can be found when things are going smoothly are called normal values. For example, the pressure on a flowline will fluctuate from reading to reading within a specified period of time (e.g., for a 1-hour period the readings may be 950 psi at 1300 hours, 1,010 psi at 1340 hours, and 979 psi at 1400 hours). As long as flow is occurring, the liquid level within a process component will be changing. For example, in a separator’s oil bucket, the level will steadily rise until the dump valve opens and drains some of the oil, at which time the liquid level falls until the dump valve closes. Within each process component, each variable has a normal operating range instead of having a single normal value.

One of the cornerstones of facility protection lies in protecting each component against certain undesirable events that are closely related to the four main process variables. For example, if the pressure within a component were to become too high, a component could rupture; a pressure too low within a component could indicate a leak. A liquid level within a component that is too high or too low could cause problems as well as indicate equipment failure.

Production operators establish normal operating ranges. The principal concern with the four main process variables is that their sensing devices, which respond to conditions outside normal ranges, have enough time to respond before problems occur. For example, the normal range for a separator’s liquid level can be wherever the operator wants it, provided that the level safety high (LSH) can shut off inflow before liquid overflow occurs and that the level safety low can respond before the level has completely disappeared and allows gas to flow out of the liquid outlet (gas blowby). The normal operating range for a component’s pressure can be established by attaching a pressure recorder to the component and recording the pressure variations over time.

Maintaining normal operating ranges requires normal process flow. When the four main process variables are kept within their normal ranges, process flow is occurring. Process flow is maintained by chokes, regulators, controllers, and the influence of the main process variables on each other; therefore, normal operating ranges are maintained by the same things.

Abnormal Operating Conditions

On average, process variables are found within their normal operating ranges, but horns do go off and shut-ins do occur. When chokes and controllers that normally keep the process variables in their normal ranges fail to function properly, the process variable being controlled can be outside its normal operating limits. Whenever a process variable exceeds its normal range, it is said to be in an abnormal condition. For example, in a component with a normal operating range of 800 to 900 psig, pressure greater than 900 psig or less than 800 psig are abnormal conditions. A liquid level above or below the point at which the dump valve opens or closes is an abnormal condition.

What is the significance of an abnormal condition? In reality, when the normal operating range is exceeded by only a small amount, it makes very little difference to the operation of the facility. However, the point is that if a variable exceeds its normal operating range at all, it could continue to escalate with potentially disastrous results. Operators are concerned mainly about the consequences that might result if abnormal conditions become extreme.

Consequences. Several consequences can result from abnormal operating conditions. At best, there will be only a horn and a shut-in. The most serious consequences are injury to personnel, pollution, and loss of company assets. Abnormal conditions do not always develop into a serious consequence, but it could happen. According to RP 14C,[1] serious consequences usually are preceded by some abnormal condition. Abnormal conditions that are not dealt with quickly can escalate into worst-case scenarios.

Causes. The major causes of abnormal conditions are equipment failure or malfunction and human error. Examples of equipment failure or malfunction are chokes that become enlarged through contact with excessive sand in the flow stream, dump valves that hang open or stay closed, and regulators or controllers that change adjustment because of vibration. Human error can occur if an operator repairing a dump valve does not want to shut in to finish the job and uses the dump valve’s bypass line. If the operator fails to monitor the liquid level properly while the bypass valve is open, the liquid level in the component could get too high or too low. Human error also can occur if the operator monitored the level accurately but forgot to check to see if the newly repaired dump valve was operating properly.

Prevention. The actual causes of abnormal conditions are varied and numerous. RP 14C[1] provides an analysis technique to identify potential abnormal conditions and prevent them from occurring.

Effects of Hydrocarbon Releases

Abnormal operating conditions could result in injury to personnel, pollution, and loss of assets. Whenever any of these worst-case consequences is at its most serious, the release of hydrocarbons is usually involved. While pollution of any type is undesirable, hydrocarbon pollution is the most serious. The May 1989 Exxon Valdez incident is a prime example of the attention drawn to and the expenses involved with hydrocarbon pollution in navigable waterways. Injury to personnel on a major scale also usually involves the release of hydrocarbons. Hydrocarbon releases alone are often sufficient to cause injury to personnel (e.g., whenever H2S is involved). Worst of all is a fire caused by or fed by hydrocarbon releases. An explosion or fire can cause extensive damage to equipment and personnel, which can result in extensive injury, pollution, and facility damage. Offshore platforms have melted to the water line because of released hydrocarbons, as occurred in the Piper Alpha incident in the North Sea in the summer of 1988. Onshore facilities have been completely leveled to the ground because of released hydrocarbons, as occurred in the Phillips incident in Pasadena, Texas, in 1988.

Safety Devices

Safety devices offer a solution for hydrocarbon releases. Specific devices have been developed to protect production facilities. As these devices became more common, industry standards, such as names, symbols and identification, and installation locations, were established. RP 14C Sec. 2[1] summarizes surface-production-facility-related standards.

Names. Before installing a specific safety device, a standard way of referring to it is needed. RP 14C presents two groups of safety devices: "common" (i.e., typical oilfield) names such as check valve or pop-off valve and "proper" names from the Instrument Soc. of America (ISA), such as flow safety valve or pressure safety valve (PSV). With few exceptions, every ISA name includes the measured or initiating variable as the first part of the name and the word safety as the second part of the name. The third and usually final part of the name refers to either the device itself (i.e., valve or element) or to the type of function the device performs (i.e., high or low).

ISA device names usually are abbreviated with the first letter of each part of the name. If a single component has two or more of the same kind of device on it, each device is differentiated from each other by the addition of a number or letter following the device’s letters (LSH1 and LSH2, for example). The same convention is used for all safety devices. An example is shown in API RP 14C.[1] [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]

Symbols. Process flow diagrams must show safety devices. A graphic symbol represents each safety device. These symbols save space on the diagram and make the appearance neater. API RP 14C[1] contains standardized symbols used in hydrocarbon-facility diagrams. [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]

Production-Process Safety Systems

Production-process safety systems provide a more extensive level of protection than an individual device. They include end devices and auxiliary devices, which are important not only to the system itself but also to the safety of the facility. A brief overview of these systems follows.

Surface Safety System. The SSS consists mostly, but not exclusively, of sensing-type individual safety devices. Devices respond to one of the four major variables. The main purpose of the SSS is to prevent the initial release of hydrocarbons and to shut in additional flow of the hydrocarbons already released. The SSS consists of three major components: sensing devices, relay devices, and end devices. Some devices both sense and respond as an end device (check valves, relief valves, etc.).

The SSS incorporates various sensing devices. When an abnormal condition is detected, the sensing device sends a signal to an end device. The end device diverts or shuts off flow, sounds an alarm, or takes some other corrective action. For example, if a component’s dump valve freezes in the closed position, the liquid level within the component will rise. When it rises high enough, the component’s LSH will sense the high level and send a signal that shuts in the wells flowing into the component. The same signal usually will also sound an alarm to notify facility personnel of the shut-in.

Emergency Support System. The ESS consists of seven major subsystems, all of which help protect the facility and environment. The main purpose of ESSs is to shut in additional flow and minimize the effects of hydrocarbons that have already been released. The API realizes that hydrocarbon releases ideally would be prevented through the use of sensing devices (i.e., the SSS), but the API also knows that there will be times in which hydrocarbons are released in spite of the SSS. To address this problem, the API mandates a backup means of protecting the facility. The ESS is a major part of those backup efforts. The seven subsystems that make up the ESS are an emergency-shutdown (ESD) system, a fire-detection system, a combustible-gas detection system, adequate ventilation, a liquid containment system, sumps, and subsurface safety valves.

Other Support Systems. Two additional systems are required to make a facility as safe as possible. They are the pneumatic supply system and a system for discharging gas to the atmosphere (blowdown/vent). The pneumatic supply system provides the power to operate most of the other systems. The blowdown/vent system provides a means for directing unwanted gas away from the facility while capturing as many liquid hydrocarbons as possible and thereby reducing pollution levels.

Ignition-Prevention Measures

Ignition-prevention measures are designed to prevent released hydrocarbons from being ignited, thereby minimizing the effects of released hydrocarbons. They accomplish this task through four approaches: ventilation, compliance with all applicable electrical codes, locating equipment in areas where exposure to inadvertently released hydrocarbons is minimized, and hot surface protection. Refer to RP 14C, paragraph 4.2.4,[1] for more information about these measures.

Undesirable Events

Abnormal operating conditions can lead to one or more undesirable events that, in turn, could lead to injury to personnel, pollution of the environment, and damage to the facility or its equipment. Safety devices and safety systems are added to prevent undesirable events and they provide the last chance to prevent worst-case consequences from occurring. At each stage, action can be taken to keep the main process variables from resulting in worst-case consequences. Chokes and controllers keep the variables within their normal ranges. Once the variables exceed their normal ranges, safety devices respond to keep the variables from getting further out of range. If the undesirable-event stage is reached, there are still ways of preventing or lessening the chance of the occurrence of worst-case consequences (e.g., ESS). Even though they occur less frequently than either normal or abnormal conditions, undesirable events are much more likely to lead to worst-case consequences than either of the other two conditions.

Eight undesirable events were identified by looking at all the possible ways injury, pollution, and loss of company assets could occur. The process was similar to that used to identify the ten process components. Each of the eight undesirable events was examined further to determine the most common causes of the undesirable event, the effects of the undesirable event, detectable abnormal conditions that usually precede the undesirable event, the most effective primary and secondary protective devices that could prevent the undesirable event, and the optimal location for the placement of the required safety device.

By studying each of these undesirable events, information can be gained to make a facility safe. For example, by knowing the possible causes of a particular undesirable event, those possible causes can be monitored and often corrected before they develop into an undesirable event. Knowing about the possible effects of each undesirable event allows for a more rapid or more appropriate response to the undesirable event. Information about the detectable abnormal condition provides a tool for better monitoring and provides information about which types of safety devices can be used to warn of an impending undesirable event. Primary and secondary protection information assists in determining which safety devices are best for that particular undesirable event. Location data provide information on where the safety devices must be positioned for the most effective protection.

RP 14C[1] does an excellent job of describing this information. It starts by defining an undesirable event as "an adverse occurrence in a process component which poses a threat to safety." There can be many different types of "threat(s) to safety." These can range from minor to the catastrophic. API defines undesirable events with catastrophic threats in mind.

The eight undesirable events identified by RP 14C[1] are overpressure, leak, liquid overflow, gas blowby, underpressure, excess temperature (fire and exhaust-heated components), direct ignition source, and excess combustible vapors in the firing chamber (fired components). The following issues are key points about undesirable events.

  • Worst-case threats to safety originating in process components are usually preceded by one or more of the eight undesirable events.
  • Each undesirable event has a cause that is usually, but not always, preceded by an abnormal condition. The abnormal condition, in turn, is usually detectable.
  • Primary protection must be provided to either prevent the undesirable event from occurring or to minimize the effects of the undesirable event once it occurs.
  • Secondary protection must be provided as a backup to the primary protection. Primary and secondary refer to levels of protection. While these levels are frequently provided by individual devices [e.g., pressure safety high (PSH)/pressure safety low, LSH/level safety low, PSV, etc.], levels of protection also can be provided by other means. For example, the secondary level of protection required for a leak in a pressure vessel is the ESS (and not individual devices).
  • Undesirable events do not always cause injury, pollution, or damage, but they always have the potential to do so. To design a protection system to prevent or minimize injury, pollution, or damage, prevention efforts must be based on the assumption that undesirable events will cause these things.

Safety Analysis

Every process component can be grouped under one of the 10 process components listed in RP 14C,[1] and process-related causes of injury, pollution, and damage can be grouped under one of the eight undesirable events. A safety analysis ties these two things together and is a tool for ensuring that a facility is protected fully. A safety analysis examines every process component on the facility to determine which undesirable events could be associated with each component, which safety devices are required for the protection of the component, and what responses the safety devices must make to ensure adequate protection. The three main components of a safety analysis are safety-analysis tables (SATs), safety-analysis checklists (SACs), and safety-analysis function evaluation (SAFE) charts.

Safety-Analysis Tables. SATs examine each process component as if it was standing alone. SATs consider each undesirable event that could possibly affect the component and then, for each undesirable event, lists associated causes, detectable abnormal conditions, and required locations for installing the protection devices. By examining each component as if it was standing alone, an adequate degree of protection can be determined for each particular component. When this is done for every component on the facility, the entire facility will be adequately protected. Verifying that each and every component is protected without considering other components ensures the greatest degree of consistent protection.

Safety-Analysis Checklists. There are times when the safety devices called for in SATs are not needed because engineering controls eliminate the need for a particular device. For example, the SAT calls for a PSV to protect a wellhead flowline from overpressure. However, if the maximum allowable working pressure (MAWP) of the flowline and associated equipment is greater than the maximum shut-in tubing pressure of the well, the component is already protected and the device is not needed.

A SAT-required safety device also no longer may be required if the same degree of protection is provided by another device located elsewhere. For example, if a PSV has been installed on an upstream flowline segment and if that upstream PSV provides an adequate degree of protection for the downstream flowline segment and its equipment, then a second PSV located on the downstream flowline segment is redundant.

SACs provide a guideline for eliminating redundant devices while maintaining the required level of protection. If it was not possible to eliminate redundant devices, production facilities would contain many more devices without gaining any additional protection. The time and expense of purchasing, installing, and maintaining redundant devices would be significant and unnecessary. It is important to realize that when a device can be eliminated, the device is eliminated and not the required level of protection. Two levels of protection will always be required. The SAC ensures that both levels of protection are maintained, with as few individual devices as possible. API RP 14C[1] shows an example of an SAT and an SAC for a flowline segment. [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]

Safety-Analysis Function-Evaluation Charts. SATs indicate which devices are needed on each component, and SACs determine which devices may be eliminated and what conditions must be met when eliminating the device. Neither SATs nor SACs indicate what the devices do or how the devices on one component relate to the devices on another component. SAFE charts are used to evaluate the function of each safety device and to document precisely what each safety device does. For example, the SAFE chart not only shows that a flowline PSH shuts off inflow, it indicates how it shuts off inflow (e.g., through the closing of a particular well’s surface safety valve).

SAFE charts also indicate everything else that happens when a PSH trips. SAFE charts provide a mechanism for considering every component in the facility and then, for each component, to fully account for each required safety device. SAFE charts are used to ensure that the facility is as fully protected as it should be and also can be used as a troubleshooting tool. For example, if a particular shut-down valve (SDV) keeps closing and nothing is out of range when investigated, the SAFE chart could be consulted to determine which specific devices cause the SDV to close. Each device then could be checked to determine which one is responsible for the SDV closures.

Conducting a Safety Analysis

The following steps comprise the process for conducting a production-facility safety analysis.

  • Obtain an accurate process flow schematic (i.e., one that shows every process component as well as relevant operating parameters). Once the flow schematic is located, it is necessary to verify its accuracy because changes may have been made to the facility over a period of years that were not noted on the schematic. Verification involves walking around the facility to make sure that every process component located in the facility is pictured on the schematic. It also involves making sure that the flow schematic does not depict components that are no longer a part of the process facility and that maximum operating or working pressures are accurate. Failure to take this step jeopardizes the accuracy of both the flow schematic and the SAFE chart.
  • Refer to each process component and the SATs to determine all required safety devices for each process component within the facility. Begin by referring to RP 14C, Appendix A-1 through A-10.[1] Consult the SAT for each process component shown on the corrected flow schematic. Make sure each safety device called for in each component’s section is shown on the schematic. Follow the example found in RP 14C, Appendix E; that is, use "balloons" and ISA names for each device. Before consulting the SAT for a particular component, it is important to first read everything written about that component in RP 14C.
  • Once each process component has been protected with the devices required by RP 14C,[1] consult the SACs in RP 14C to determine which, if any, devices provide redundant protection for each component. For each redundant device, make that device’s solid-line balloon, which represents an installed safety device, into a dotted-line balloon, which represents an eliminated safety device. Remember, there will be adequate protection if there is an SAC reference number that applies to the situation. Look carefully at the descriptions following each SAC reference number, and determine if all the required conditions are met. If all the conditions are met, that particular device may be eliminated or the device may be left on the component. Remember, SACs allow for the elimination of redundant devices but do not require that they be eliminated. For those devices that will be eliminated, revise the schematic by replacing the solid-line balloon with a dotted-line balloon. See RP 14C, Appendix E.[1]
  • Complete a SAFE chart for the facility; that is, fill out a blank SAFE chart with every component, safety device, and responding end device within the facility. Mark the SAFE chart to indicate the action taken by each safety device. In reality, completing a fresh, blank SAFE chart will seldom be required unless the initial safety analysis on a facility is being developed. Most often, an existing chart will be revised; however, knowing how to complete a fresh chart from scratch will make the job of revising an existing SAFE chart easier. Familiarity with SAFE charts enables them to be used to troubleshoot the facility.

The ability to complete a SAFE chart requires an understanding of how SAFE charts are arranged. SAFE charts are designed to be read horizontally and vertically. When read horizontally, the information pertains to all the process components within a facility plus their safety devices. When read vertically, the information pertains not only to the end devices affected by each safety device, but to their function as well (e.g., shut in well, minimize backflow, etc.). API RP 14C shows a typical SAFE chart.[1] [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]

Relief Valves and Relief Systems


A relief system is an emergency system for discharging gas during abnormal conditions, by manual or controlled means or by an automatic pressure-relief valve from a pressurized vessel or piping system, to the atmosphere to relieve pressures in excess of MAWP. The relief system may include the relief device, the collection piping, flashback protection, and a gas outlet. A scrubbing vessel should be provided for liquid separation if liquid hydrocarbons are anticipated. The relief-system outlet may be either vented or flared. If designed properly, vent or flare emergency-relief systems from pressure vessels may be combined.

Some facilities include systems for depressuring pressure vessels in the event of an emergency shutdown. The depressuring-system control valves may be arranged to discharge into the vent, flare, or relief systems. The possibility of freezing and hydrate formation during high-pressure releases to the atmosphere should be considered.

There are three main engineering considerations when designing or modifying a relief system:

  • Determining the relief requirements of individual pieces of equipment and selecting the appropriate devices to handle the imposed loads.
  • Designing a relief header system that will handle the imposed loads or expansion modifications.
  • Defining reasonable total relief loads for the combined relief header or disposal system and designing an appropriate disposal system with minimum adverse impact to personnel safety, plant-process system integrity, and the environment.

These considerations are interrelated in such a way that makes it impossible to establish a procedural guideline that would be valid for most cases. The design of one portion of a relief system must be considered in light of its effects on the relief system.

Relief Device Selection

Determining Individual Relief Loads. There are a number of industry codes, standards, and recommended practices that provide guidance in the sizing, selection, and installation of relief devices and systems. The American Soc. of Mechanical Engineers (ASME) Pressure Vessel Code, Sec. VIII, Division 1, paragraph UG-127, lists the relief-valve code requirements.[3] RP 520, Part 1, provides an overview of the types of relief devices, causes of overpressure, relief-load determination, and procedures for selecting and sizing relief devices.[4] RP 520, Part 2, provides guidance on the installation of relief devices,[5] and RP 521 provides guidance on the selection and design of disposal systems.[6]

Causes of Overpressure. The most common causes of overpressure in upstream operations are blocked discharge, gas blowby, and fire. When the worst-case relief load is caused by a control valve failing to open (blocked discharge), the relief device should be sized with full-sized trim in the control valve, even if the actual valve has reduced trim. When the worst-case relief load is caused by gas blowby, the relief device should be sized with full-sized trim in the smallest valve in the liquid-outlet line, even if the actual valve has reduced trim. Many vessels are insulated for energy savings. Thermal insulation limits the heat absorption from fire exposure as long as it is intact. It is essential that effective weather protection be provided so that insulation will not be removed by high-velocity fire-hose streams.

Types of Pressure-Relief Devices. The two primary types of relief devices are the relief valve and rupture disk.

Relief Valves. The three basic types of pressure-relief valves are conventional spring loaded, balanced spring loaded, and the pilot operated.

  • Conventional spring loaded. In the conventional spring-loaded valve (Fig. 10.6), the bonnet, spring, and guide are exposed to the released fluids. If the bonnet is vented to the atmosphere, relief-system backpressure decreases the set pressure. If the bonnet is vented internally to the outlet, relief-system backpressure increases the set pressure. The conventional spring-loaded valve is used in noncorrosive services and where backpressure is less than 10% of the set point.
  • Balanced spring-loaded. The balanced spring-loaded valve incorporates a means to protect the bonnet, spring, and guide from the released fluids and minimizes the effects of backpressure. The disk area vented to the atmosphere is exactly equal to the disk area exposed to backpressure. These valves can be used in corrosive or dirty service and with variable backpressure. API RP 520[4] provides an example of a spring-loaded valve. [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]
  • Pilot operated. The pilot-operated valve is combined with and controlled by an auxiliary pressure pilot. The resistance force on the piston in the main valve is assisted by the process pressure through an orifice. The net seating force on the piston actually increases as the process pressure nears the set point. API RP 520[4] provides an example of a pilot-operated valve. [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]

Rupture-Disk Devices. The rupture-disk device is a nonreclosing differential-pressure device actuated by inlet static pressure. The rupture disk is designed to burst at set inlet pressure. The device includes a rupture disk and a disk holder. The rupture disk may be used alone, in parallel with, or in conjunction with pressure-relief valves. They are manufactured in a variety of materials with various coatings for corrosion resistance. API RP 520[4] provides an example of a rupture-disk device. [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]

Relief-System Considerations. The entire relief system must be considered before selecting the appropriate relief device. The relief headers should be designed to minimize pressure drop, thus allowing for future expansion and additional relief loads.

  • Conventional spring-loaded-relief-valve considerations. Conventional valves require the relief header backpressure (superimposed plus built up) to be less than 10% of the set pressure of the lowest-set relief valve tied into the header.
  • Balanced-spring-loaded-valve considerations. Balanced spring-loaded valves allow the use of smaller relief headers because of the larger pressure drops allowed, under maximum relief-flow conditions, as a result of higher allowable backpressure (40%). Balanced valves and relief headers are designed as a system to operate at a higher backpressure. The balanced valve is more expensive than conventional valves; however, the total cost of the use of balanced valves plus the smaller header system may be lower. Capacity is reduced at the larger backpressure, so it may not be the solution for all backpressure problems. In the bellows model, the bellows is a flexible pressure vessel that has a maximum backpressure limit that is lower in larger valve sizes. Bellows are available in a limited number of materials and may deteriorate rapidly under certain exposure conditions. Bellows should be checked periodically for leakage. A leaking bellow does not provide backpressure compensation, and it allows the relief header to leak to the atmosphere. The balanced valve commonly is used to tie a new low-pressure-relief load into an existing heavily loaded relief header or to protect the relief-valve top works from corrosive gases in the relief header.
  • Pilot-operated-valve considerations. Pilot-operated valves should be considered for all clean services within their temperature limitations. They are well suited for pressures below 15 psig and are available with the pilot-pressure sensing line connected to either the valve inlet or to a different point. Pilot-operated valves provide tight shutoff with very narrow margins between operating pressure and set pressure.

Special Considerations. When selecting the appropriate relief devices to handle the imposed loads, several issues must be considered.

Set Pressure. Relief devices are normally set to relieve at the MAWP. The greater the margin between the set pressure and the operating pressure, the less likelihood there is of leakage. Aside from the requirements to compensate for superimposed backpressure, there is no reason to set a relief device at less than the MAWP.

Backpressure. The backpressure at the outlet of every relief device should be such that the device can handle its design capacity with the calculated backpressure under the design relief conditions.

Dual Relief Valves. It is common practice to install two relief valves in critical process applications where a shutdown cannot be tolerated. The intent is that if the first relief valve lifts and fails to reseat, a second relief can be switched into service before the first valve is removed for maintenance, without shutting down or jeopardizing the process. This is accomplished by piping the relief valves in parallel and by putting a "car sealed" full-port ball or gate block valve on the inlet and outlet of each relief valve. One set of block valves is sealed open and the other sealed closed. ASME-approved selector valves are available, which simplify relief-valve switching. This provides an interlock of parallel inlet and outlet block valves and ensures full protection for the process equipment.

Multiple Relief Valves. Multiple relief valves are required when the relief load exceeds the capacity of the largest available relief valve. It is good practice to install multiple relief valves for varying loads to minimize chattering on small discharges. ASME Sec. VIII, Division 1, 3 and RP 520, Part 1[4] , both stipulate a 10% accumulation above the MAWP for a single relief valve and a 16% accumulation above the MAWP for multiple relief valves. The primary relief valve must be set at or below the MAWP. Supplemental relief valves should have staged pressures. The highest pressure may be set no higher than 105% above the MAWP. If different-sized relief valves are used, the smallest relief valve should be set to the lowest pressure.

Sizing the Relief Device. The most difficult factors for specifying a relief device are determining the limiting cause of pressure relief, determining the relief load and properties of the discharge fluid, and selecting the proper relief device. When the loads are known, the sizing steps are straightforward. RP 520, Part 1, provides formulas for determining the relief-valve orifice area for vapor, liquid, and steam relief.[4]Fig. 10.11 shows standard orifices available by letter designation, orifice area, and body size. The size of a relief valve should be checked for the following conditions.

Blocked Discharge. One design condition for the sizing of a relief valve is to assume that it must handle the total design flow rate (gas plus liquid) into the component. It is possible to isolate a process component or piping segment for maintenance by blocking all inlets and outlets. On startup, all outlet valves could be left closed inadvertently. If the inlet source can be at a higher pressure than the MAWP of the process component, only a properly sized relief valve could keep the process component from rupturing as a result of overpressure.

Gas Blowby. On tanks and low-pressure vessels normally receiving liquids from higher-pressure upstream vessels, the maximum flow rate through the relief valve often is determined by gas blowby. This situation occurs when the level controller or level control valve of the upstream vessel fails in the open position or a drain valve from an upstream vessel fails in the open position, allowing liquid and/or gas to flow into the component evaluated. Under blowby conditions, both the normal liquid and gas outlets on the component being evaluated are functioning properly. However, the gas flow into the component could greatly exceed the capacity of the normal gas outlet. This excess gas flow must be handled by the relief valve to keep from exceeding the component’s MAWP. Gas-blowby conditions also can occur when a pressure regulator feeding a component fails in the open position, creating a higher than designed inlet flow rate of gas.

Gas-blowby rate is the maximum that can flow given the pressure drop between the upstream component and the component being evaluated. In computing the maximum rate that can flow because of pressure drop, consideration should be given to the effects of control valves, chokes, and other restricted orifices in the line. A more conservative approach would be to assume that these devices have been removed or have the maximum-sized orifice that could be installed in the device.

Fire/Thermal Expansion. The pressure in process components exposed to the heat from a fire will rise as the fluid expands and the process liquid vaporizes. For tanks and large low-pressure vessels, the need to vent the liberated gas may govern the size of the vent or relief valve. Fire sizing a relief valve only keeps pressure buildup to less than 120% of the MAWP. If the component is subjected to a fire for a long time, it may fail at a pressure less than the MAWP because a metal’s strength decreases as temperature increases.

On components that can be isolated from the process, it is possible for the process fluid contained in the component to be heated. This is especially true for cold (relative to ambient) service or when the component is heated (such as a fired vessel or heat exchanger). It is also true for compressor cylinders and cooling jackets. The relief valves on such components should be sized for thermal expansion of the trapped fluids. This normally will not govern the final size selected unless no relief valve is needed for the other conditions.

Installation Considerations. The installation of a relief device requires careful consideration of the inlet piping, pressure-sensing lines (where used), and startup procedures. Poor installation may render the relief device inoperable or severely restrict the valve’s relieving capacity. Either condition compromises the safety of the facility. Many relief-valve installations have block valves before and after the relief valve for in-service testing or removal; however, these block valves must be car sealed or locked open.

Inlet Piping. RP 520, Part 2,[5] and ASME code[3] limit the inlet pressure loss to a PSV of 3% of set pressure where the pressure loss is the total of the inlet loss, line loss, and block-valve loss (if used). Loss is calculated with the maximum rated flow through the relief valve. To minimize the inlet pressure drop to a relief valve, a conservative guideline is to keep the equivalent length-to-diameter ratio of the inlet piping to the relief valve at 5 or less. For pressure-drop limitations and typical piping configurations, refer to RP 520, Part 2.[5]

Discharge Piping. The discharge piping should be designed so that the backpressure does not exceed an acceptable value for any relief valve in the system. Piping diameters generally should be larger than the valve-outlet size to limit backpressure. Lift and set pressures of pilot-operated relief valves with the pilot vented to the atmosphere are not affected by backpressure; however, if the discharge pressure can exceed the inlet pressure (e.g., tanks storing low-vapor-pressure material), a backflow preventer (vacuum block) must be used. The set pressure for balanced spring-loaded relief valves will not be as affected by backpressure as conventional spring-loaded relief valves are. Balanced relief valves will suffer reduced lift as backpressure increases.

Reactive Forces. On high-pressure valves, the reactive forces during relief are substantial and external bracing may be required. Refer to the formulas in RP 520, Parts 1[4] and 2[5] for computing these forces.

Tailpipe Considerations. Relief valves that are not connected to a closed relief system should have tailpipes to direct the relieving gases to a safe area away from personnel. The tailpipe should be sized for a maximum exit velocity of 500 ft/s. This ensures that the gas/air mixture is below the lower flammable limit or lower explosive limit at approximately 120 pipe diameters away from the tailpipe. Tailpipes should be supported at the bottom of the elbow. A small hole or a "weep hole" (minimum of ¼ in. in diameter) should be installed in the bottom of the elbow to drain liquids that enter through the tailpipe opening. The weep hole should be pointed away from process components, especially those classified as an ignition source.

Rapid Cycling. Rapid cycling can occur when the pressure at the valve inlet decreases at the start of the relief valve flow because of excessive pressure loss in the piping upstream of the valve. Under these conditions, the valve will cycle rapidly, a condition referred to as "chattering." Chattering is caused by the following sequence. The valve responds to the pressure at its inlet. If the pressure decreases during flow below the valve reseat point, the valve will close; however, as soon as the flow stops, the inlet-pipe pressure loss becomes zero and the pressure at the valve inlet rises to vessel pressure once again. If the vessel pressure is still equal to or greater than the relief-valve set pressure, the valve will open and close again. An oversized relief valve may also chatter because the valve may quickly relieve enough contained fluid to allow the vessel pressure to momentarily fall back to below set pressure, only to rapidly increase again. Rapid cycling reduces capacity and is destructive to the valve seat in addition to subjecting all the moving parts in the valve to excessive wear. Excessive backpressure also can cause rapid cycling, as discussed previously.

Resonant Chatter. Resonant chatter occurs when the inlet piping produces excessive loss at the valve inlet and the natural acoustical frequency of the inlet piping approaches the natural frequency of the valve’s moving parts. The higher the set pressure, the larger the valve size, or the greater the inlet-pipe pressure loss, the more likely resonant chatter will occur. Resonant chatter is uncontrollable, that is, once started it cannot be stopped unless the pressure is removed from the valve inlet. In actual practice, the valve can break down before a shutdown can take place because of the very large magnitude of the impact force involved. To avoid chattering, the pressure drop from the vessel nozzle to the relief valve should not exceed 3% of the set pressure. RP 520, Part 2 covers the design of relief-valve inlet piping.[5] Pilot-operated relief valves with remote sensing pilots can operate with higher inlet-piping pressure drops.

Isolation (Block) Valves. There is no industry standard or RP for isolation valves, and practices vary widely. Installed isolation block valves allow the testing of spring-loaded relief valves in place, thus eliminating the need to remove the vessel from service while bench testing the relief valve, and allow the relief device to be isolated from the closed relief system when performing maintenance and repair. The ASME Unfired Pressure Vessel Code allows the use of isolation valves below relief valves.[3] ASME Pressure Vessel Code, Appendix M, describes special mandatory requirements for isolation valves. The ASME Boiler Code[3] prohibits them, and the U.S. Occupational Safety and Health Admin.[7] prohibits them on instrument air receivers. Because improper use of an isolation valve may render a relief valve inoperative, the design, installation, and management of these block valves should be evaluated carefully to ensure that plant safety is not compromised. See RP 520, Part 2, for typical block-valve installations under relief valves.[5]

Relief-Valve Configurations. There is no industry standard or RP that addresses this topic. Some of the more common relief-value configurations are listed here and are shown in Fig. 10.12.
  • Installation of full open isolation (block) valves upstream and downstream of relief valves. Isolation valves should be car sealed open (locked open), and a log should be kept. These valves should be discouraged where the potential overpressure is twice the maximum allowable pressure. A test connection should be provided on all spring-loaded relief valves. The installation of two relief valves (100% redundant) should be considered so that one relief valve can be left in service at all times.
  • Installation of pilot-operated valves without isolation valves. This configuration allows for the testing of pilot set pressure only and requires full plant shut-in for relief-valve repair and maintenance.
  • Installation of three-way valves with one port open to a tailpipe or a vent stack. This configuration allows for valve maintenance and repair without requiring plant shut-in and ensures a path to the atmosphere if the three-way valve is left in the wrong position.
  • Installation of two two-way valves, connected by mechanical linkage, and two relief valves. This configuration provides all the advantages of isolation valves. In addition, it is impossible to isolate a process component by mistake. The only disadvantage of this configuration is the initial cost.
  • Installation of a check valve in lieu of an isolation valve. This configuration is not allowed by the ASME Pressure Vessel Code because the check valve may fail or cause excessive pressure drop.[3]

Guidelines for Determining the Number of Relief Devices. There is no industry standard or RP for determining the number of relief devices, and installations vary widely. Sometimes there are two relief devices (100% standby) on vessels receiving production directly from the wells. The primary relief valve is set at MAWP. If the second relief device is another relief valve, the set pressure of the second relief valve is set 10% above the primary relief valve. If the second relief device is a rupture disk (entirely redundant against all possible relieving scenarios), the pressure is set at 15 to 25% above the primary relief device. This setting ensures that the rupture disk will not rupture when the design primary relieving rate is reached at the set pressure plus 10% overpressure. Primary and standby relief rates are considered adequate for fire sizing.

Some companies install two relief valves on all critical installations so that plant shutdowns are not required during testing and maintenance. If the secondary relief device is being counted on to provide any portion of any required relieving capacity (blocked discharge, gas blowby, fire, etc.), then the secondary device should be set in accordance with the rules of RP 520, Parts 1[4] and 2,[5] (i.e., ASME Sec. VIII, Division 1, paragraph UG-134).[3]

Liquid-Discharge Considerations. Condensed mists have liquid droplets that are less than 20 to 30 μm in diameter. Testing and experience have shown that with a slight wind, the envelope of flammability for this type of mist is the same as that for a vapor. Liquids will settle to grade, thus presenting a fire and pollution hazard; therefore, the relief device should be installed in the vapor space of process vessels with an LSH that alarms and shuts in flow when activated. The LSH should be set no higher than 15% above the maximum operating level, while the relief valve should be set no higher than the MAWP of the process component. Scrubbers and knockout drums should be installed in flare, vent, and relief lines to separate and remove liquid droplets from the discharge.

Flare and Vent Disposal Systems

Disposal-System Design

A flare or vent disposal system collects and discharges gas from atmospheric or pressurized process components to the atmosphere to safe locations for final release during normal operations and abnormal conditions (emergency relief). In vent systems, the gas exiting the system is dispersed in the atmosphere. Flare systems generally have a pilot or ignition device that ignites the gas exiting the system because the discharge may be either continuous or intermittent. Gas-disposal systems for tanks operating near atmospheric pressure are often called atmospheric vents or flares, and gas-disposal systems for pressure vessels are called pressure vents or flares. A flare or vent system from a pressurized source may include a control valve, collection piping, flashback protection, and a gas outlet. A scrubbing vessel should be provided to remove liquid hydrocarbons. A flare or vent system from an atmospheric source may include a pressure-vacuum valve, collection piping, flashback protection, and a gas outlet. The actual configuration of the flare or vent system depends on the hazards assessment for the specific installation.

RP 520, Part 1, Sec. 8,[4] and RP 521, Secs. 4 and 5,[6] cover disposal and depressuring system design. RP 521, Appendix C, provides sample calculations for sizing a flare stack. RP 521, Appendix D, shows a flare-stack seal drum, a quench drum, and a typical flare installation.[6]

Knockout Drums

RP 521, paragraph 5.4.2, provides detailed guidance for the design of knockout drums (also called relief drums or flare or vent scrubbers).[6] All flare, vent, and relief systems must include a liquid knockout drum. The knockout drum removes any liquid droplets that carry over with the gas relief sent to the flare. Most flares require that the particle size be reduced to a minimum of less than 300 μm. RP 14J suggests sizing for liquid droplets between 400 and 500 μm.[2] Most knockout drums are horizontal with a slenderness ratio (length-to-diameter ratio) between 2 and 4. A horizontal knockout drum must have a diameter large enough to keep the vapor velocity low enough to allow entrained liquids to settle or drop out.

Knockout drums operated at atmospheric pressure should be sized to handle the greatest liquid volume expected at the maximum rates of liquid buildup and pump out. RP 521 suggests 20 to 30 minutes of liquid holdup.[6] This is not practical in upstream operations. In onshore operations, it is recommended to take 20% of the maximum potential liquid stream and provide a 10-minute liquid holdup. For offshore operations, it is recommended to provide normal separation-retention times (1 to 3 minutes on the basis of API gravity) and an emergency dump design to handle the maximum liquid flow with no valves. An emergency sump (disposal) pile is recommended to dispose of the liquid, and a seal in the pile is recommended to contain the backpressure in the drum.

Knockout drums normally are operated at atmospheric pressure. To maintain an explosion, the MAWP of the knockout drum usually is set at 50 psig. Stoichiometric hydrocarbon/air explosions produce peak pressures seven to eight times the normal pressure.

Flashback Protection

Flashback protection (the possibility that the flame will travel upstream into the system) should be considered for all disposal systems because flashback can result in pressure buildup in upstream piping and vessels. Flashback is more critical where there are tanks or pressure vessels with a MAWP less than 125 psig and in flare systems. RP 520 discusses flashback protection for pressure vents and flares,[4] and STD 2000 discusses atmospheric vents and flares.[8] RP 14C recommends that vents from atmospheric vessels contain a flame arrestor.[1] Because the flame arrestor can plug, a secondary pressure/vacuum valve without a flame arrestor should be considered for redundancy. The secondary system should be set at a pressure high enough and vacuum low enough so that it will not operate unless the flame arrestor on the primary system is plugged.

Pressure vents with vessels rated 125 psig and above normally do not need flashback protection. In natural-gas streams, the possibility of vent ignition followed by flash backpressures above 125 psig is minimal. When low-pressure vessels are connected to pressure vents, molecular or fluidic seals and purge gas often are used to prevent flashback. If relief valves are tied into the vent, the surge of flow when a relief valve opens could destroy a flame arrestor and lead to a hazardous condition. Also, there is a potential for flame arresters to become plugged. A means of flame snuffing should be considered for vent systems.

Flares have the added consideration of a flame always being present, even when there is a very low flow rate. They are typically equipped with molecular or fluidic seals and a small amount of purge gas to protect against flashback.

Seal Drums. Knockout drums are sized with the gas-capacity equations referred to in the chapter on the design of two- and three-phase separators in this section of the Handbook. Liquid seal drums are vessels that are used to separate the relief gases and the flare/header stack by a layer of liquid. Water (or water/glycol mixture) is normally the sealing fluid. The flare gas (or purge gas) is forced to bubble through a layer of water before it reaches the flare stack. This prevents air or gas from flowing backward beyond the water seal. Seal drums serve as a final knockout drum to separate liquid from the relief gases.

In a deep seal drum, the depth of the sealing fluid is designed to be equal to the staging pressure of the staged flare system. The sealing-fluid depth in most staging seal drums is typically in the range of 2 to 5 psig, which is equivalent to 5 to 12.5 ft of water column. In a shallow seal drum (conventional flashback prevention), the water seals have only a 6- to 10-in. water-column depth. It is important to design the deep seal drum with a proper gas velocity at the staging point to ensure that all the sealing fluid is displaced quickly at the staging pressure (an effect similar to a fast-acting valve actuator). It is also common to design the deep seal drum with a concentric overflow chamber to collect the displaced sealing fluid. The overflow chamber can be designed to flow back automatically into the sealing chamber once the gas velocity decreases below the rate required for closing off the second stage.

The depth of the liquid seal drum must be considered in calculating the relief-header backpressure. This depth is set by the flare supplier, but it usually can be altered somewhat, with the supplier’s concurrence, to suit plant conditions. Typical seal depths are 2 ft for elevated flares and 6 in. for ground flares. The height of the liquid seal can be determined by


where h = height of liquid seal, p = maximum allowable header backpressure, and ρ = sealing-liquid density.

The vessel-free area for gas flow above the liquid level should be a minimum of 3 ft or three times the inlet pipe cross-sectional area to prevent surges of gas flow to the flare and to provide space for disengagement.

RP 521 states that surging in seal drums can be minimized with the use of V-notches on the end of the dip leg.[6] If the water sloshes in the seal drum, it will cause pulsations in the gas flow to the flare, resulting in noise and light disturbances. Thus, most facilities prefer either a displacement seal or a perforated antislosh baffle. Fig. 10.13 shows seal-drum configurations.

Molecular Seals. Molecular seals cause flow reversal. They normally are located below the flare tip and serve to prevent air entry into the stack. Molecular seals depend on the density difference between air and hydrocarbon gas. Light gas is trapped at the top of the U-tube. A continuous stream of purge gas is required for proper functioning of the gas seal, but the amount of purge gas is much less than would be required without the seal. The main advantages over liquid seals are that they do not slosh and they produce much less oily water. Gas seal must be drained, and the drain loop must be sealed. Because a gas seal with an elevated flare is required to keep air out of the flare stack, the liquid seal usually is omitted from an elevated-only flare system. If a vapor-recovery compressor is used, a liquid seal is used to provide a minimum header backpressure.

Fluidic Seals. Fluidic seals are an alternative to gas seals. Fluidic seals use an open wall-less venturi, which permits flow out of the flare in one direction with very little resistance but strongly resists counterflow of air back into the stack. The venturi is a series of baffles, like open-ended cones in appearance, mounted with the flare tip. The main advantages of fluidic seals are that they are smaller, less expensive, and weigh less, and thus have less structural load on the flare stack, than molecular seals. However, fluidic seals require more purge gas than molecular seals.

Flame Arrestors. Flame arrestors are used primarily on atmospheric vents and are not recommended on pressurized systems. Because of the acceleration of the flame, the flame arrestor must be installed approximately 10 pipe diameters from the exit, which prevents the flame from blowing through the arrestor. The length of the tube and surface area provided keep the metal cool. The major drawbacks of flame arrestors are that they are easily plugged, can become coated with liquid, and may not be strong enough for pressure-relief systems.

Flare Stacks

RP 521, Sec. 5.4.3, covers the design of elevated flares.[6] RP 521, Appendix C, provides examples of full design of a flare stack.[6] Most flares are designed to operate on an elevated flare stack or on angled booms on offshore platforms.

Elevated-Flare-Stack Designs. Fig. 10.14 shows an example of an elevated-flare-stack design.

Self-Supported Stacks. This is the simplest and most economical design for applications requiring short-stack heights (up to 100 ft overall height); however, as the flare height and/or wind loading increases, the diameter and wall thickness required become very large and expensive.

Guy-Wire-Supported Stacks. This is the most economical design in the 100- to 350-ft height range. The design can be a single-diameter riser or a cantilevered design. Normally, sets of 3 wires are anchored 120 degrees apart at various elevations (1 to 6).

Derrick-Supported Stacks. This is the most feasible design for stack heights above 350 ft. They use a single-diameter riser supported by a bolted framework of supports. Derrick supports can be fabricated from pipe (most common), angle iron, solid rods, or a combination of these materials. They sometimes are chosen over guy-wire-supported stacks when a limited footprint is desired.

Offshore Flare-Support Structures. Because offshore production platforms process very large quantities of high-pressure gas, the relief systems and, therefore, the flare systems, must be designed to handle extremely large quantities of gas quickly. By nature, flares normally have to be located very close to production equipment and platform personnel or located on remote platforms. Maximum emergency-flare design is based on emergency shut in of the production manifold and quick depressurization of the system. Maximum continuous-flare design is based on loss of produced-gas transport, single compression shutdown, gas-turbine shutdown, etc. Typical flare mountings on an offshore platform are angled boom mounting (most common), vertical towers, or remote flare platforms. Fig. 10.15 shows typical offshore flare-support structures.

Selection of the flare structure depends on such factors as water depth, the distance between the flare and the production platform, relief gas quantity, toxicity, allowable loading on the flare structure, location of personnel, location of drilling derrick, locations of adjacent platforms, and whether the flaring is intermittent or continuous.

Flare Booms. Flare booms extend from the edge of the platform at an angle of 15 to 45° and are usually 100 to 200 ft long. Sometimes two booms oriented 180° from each other are used to take advantage of prevailing winds. Fig. 10.16 shows a diagram of an offshore flare boom.

Derrick-Supported Flares. Derrick-supported flares (see Fig. 10.17) are the most common flare towers used offshore. They provide the minimum footprint (four-legged design) and dead load, which are critical design parameters for offshore flares and normally are used when space is limited and relief quantities moderate. Disadvantages of derrick-supported flares include possible crude-oil spill onto the platform, interference with helicopter landing, and higher radiation intensities.

Bridge-Supported Flares. In the bridge-supported flare (see Fig. 10.18), the production platform is connected to a separate platform that is devoted to the flare structure. Bridges can be as much as 600 ft long, and bridge supports usually are spaced approximately every 350 ft.

Remote Flares. Remote flares (see Fig. 10.19) are located on a separate platform connected to the main platform by a subsea relief line. The main disadvantage of remote flares is that any liquid carryover or subsea condensation will be trapped in pockets in the connecting line.

Flare-Stack Design Criteria. Important design criteria that determine the size and cost of flare stacks include flare-tip diameter and exit gas velocity, pressure-drop considerations, flare-stack height, gas dispersion limitations, flame distortion caused by lateral wind, and radiation considerations.

Flare-Tip Diameter and Exit Gas Velocity. The flare-tip diameter should provide a large enough exit velocity so that the flame lifts off the flare tip but not so large as to blowout the flare. The flare diameter and gas velocity normally are determined by the flare supplier. They are sized on the basis of gas velocity, although pressure drop should be checked.

Flare-Tip Diameter. Low-pressure flare tips are sized for 0.5 Mach for a peak, short-term, infrequent flow (emergency release) and 0.2 Mach for normal conditions, where Mach equals the ratio of vapor velocity to sonic velocity in that vapor at the same temperature and pressure and is dimensionless. These API 521 recommendations are conservative.[6] Some suppliers are designing "utility-type" tips for rates up to 0.8 Mach for emergency releases. For high-pressure flare tips, most manufacturers offer "sonic" flares that are very stable and clean burning; however, they do introduce a higher backpressure into the flare system. Smokeless flares should be sized for the conditions under which they are to operate smokelessly.

Velocity Determination. The sonic velocity of a gas can be calculated with


Gas velocity can be determined from


and the critical flow pressure at the end of the relief system can be calculated with


di = pipe inside diameter, in.;
k = ratio of specific heats, CP/CV;
PCL = critical pressure at flare tip, always ≥ 14.7, psia;
Qg = gas-flow rate, MMscf/D;
S = specific gravity, ratio;
T = temperature, °R;
V = gas velocity, ft/s;
VS = sonic velocity, ft/s;
Z = gas compressibility at standard conditions, where air = 1, psi −1 .

Pressure-Drop Considerations. Pressure drops as large as 2 psi have been used satisfactorily. If the tip velocity is too small, it can cause heat and corrosion damage. Furthermore, the burning of the gases becomes quite slow and the flame is influenced greatly by the wind. The low-pressure area on the downwind side of the stack may cause the burning gases to be drawn down along the stack for 10 ft or more. Under these conditions, corrosive materials in the stack gases may attack the stack metal at an accelerated rate, even though the top 8 to 10 ft of the flare is usually made of corrosion-resistant material.

For conventional (open-pipe) flares, an estimate of the total flare pressure drop is 1.5 velocity heads, which is based on nominal flare-tip diameter. The pressure drop is determined by


where g = acceleration due to gravity, 32.3 ft/s2; V = gas velocity, ft/s; ΔPW = pressure drop at the tip, inches of water; and ρg = density of gas, lbm/ft3. Fig. 10.20 shows a "quick-look" nomograph to determine the flare-tip diameter.

Flare-Stack Height. The height is generally based on the radiant-heat intensity generated by the flame. The stack should be located so that radiation releases from both emergency and long-term releases are acceptable and so that hydrocarbon and H2S dispersion is adequate if the flame is extinguished. The stack also should be structurally sound and withstand wind, earthquake, and other miscellaneous loadings. RP 521, Appendix C, provides guidance on sizing a flare stack.[6]

The Hajek and Ludwig equation (see RP 521) may be used to determine the minimum distance from a flare to an object whose exposure to thermal radiation must be limited.


D = minimum distance from the midpoint of the flame to the object being considered, ft;
E = fraction of heat radiated;
K = allowable radiation level, BTU/hr-ft2;
Q = heat release (lower heating value), BTU/hr; and
τ = fraction of heat intensity transmitted, defined by Eq. 10.7.

Table 10.1 shows component emissivity, and Table 10.2 shows allowable radiation levels. Humidity reduces the emissivity values in Table 10.1 by a factor of τ, which is defined by



r = relative humidity, fraction;
R = distance from flare center, ft;
τ = fraction of heat transmitted, in range of 0.7 to 0.9.

Gas Dispersion Limitations. In some cases, it may be desirable to check the stack height on the basis of atmospheric dispersion of pollutants. Where this is required, the authorities with jurisdiction normally will have a preferred calculation method.

Flame Distortion Caused by Lateral Wind. Another factor to be considered is the effect of wind tilting the flame, which varies the distance from the center of the flame. The center of the flame is considered to be the origin of the total radiant-heat release with respect to the plant location under consideration. API RP 521 gives a generalized curve for approximating the effect of wind. [Note: Figure is shown in printed volume. API did not provide permission for its use in PetroWiki.]

Radiation Considerations. There are many parameters that affect the amount of radiation given off by a flare including the type of flare tip, whether sonic or subsonic (HP or LP) or assisted or nonassisted; emissivity of flame produced or flame length produced; amount of gas flow; heating value of gas; exit velocity of flare gas; orientation of flare tip; wind velocity; and humidity level in air.

Several design methods are used for radiation calculations. The most common methods are the API simple method and the Bruztowski and Sommers method. Both methods are listed in RP 521, Appendix C.[6] These methods are reasonably accurate for simple low-pressure pipe flares (utility flare) but do not accurately model high-efficiency sonic-flare tips, which produce short, stiff flames. The fourth edition of RP 521 suggests that manufacturers’ proprietary calculations should be used for high-efficiency sonic-flare tips.[6]

Purge Gas. Purge gas is injected into the relief header at the upstream end and at the major branches to maintain a hydrocarbon-rich atmosphere in each branch, into the off-plot relief system, and into the flare stack. The gas volume typically is enough to maintain the following velocities: ft/s for density seals, 0.4 ft/s for fluidic seals, and 0.4 to 3 ft/s for open-ended flares. RP 521 states that the oxygen concentration must not be greater than 6% at 25 ft inside the tip.[6] When there is enough PSV leakage or process venting to maintain the desired backpressure, no purge gas is injected.

Burn Pits. Burn pits can handle volatile liquids. They must be large enough to contain the maximum emergency flame length and must have a drain valve and pump (if required) to dispose of trapped water. The flare should be pointed down, and the pilot should be reliable. Because of the uncertainty regarding the effects of wind on the center of the flame, it is recommended that the greater of either 50 ft or 25% be added to the calculated required distance behind the tip. Burn pits should be at least 200 ft from property lines. A fence or some other positive means for keeping animals and personnel away from a potential radiation of 1,200 BTU/hr-ft2 should be installed.

Vent Design. The size of a vent stack must consider radiation, velocity, and dispersion.

Radiation. The vent should be located so that radiation levels from ignition are acceptable.

Velocity. The vent must have sufficient velocity to mix air with gas to maintain the mixed concentration below the flammable limit within the jet-dominated portion of the release. The vent should be sized for an exit velocity of at least 500 ft/s (100 ft/s minimum). Studies indicate that gases with velocities of 500 ft/s or more have sufficient energy in the jet to cause turbulent mixing with air and will disburse gas in accordance with the following equation.


W = weight flow rate of the vapor/air mixture at distance Y from the end of the tailpipe;
Wo = weight flow rate of the relief-device discharge, in the same units as W ;
Y = distance along the tailpipe axis at which W is calculated;
Dt = tailpipe diameter, in the same units as Y.

Eq. 10.8 indicates that the distance Y from the exit point at which typical hydrocarbon relief streams are diluted to their lower flammable limit occurs approximately 120 diameters from the end of the discharge pipe. As long as a jet is formed, there is no fear of large clouds of flammable gases existing below the level of the stack. The distance to the lean flammability concentration limits can be determined from Figs. 10.3 through 10.5.[6] The horizontal limit is approximately 30 times the tailpipe diameter.

Industry practice is to locate vent stacks 50 ft horizontally from any structure running to a higher elevation than the discharge point. The stacks must vent at least 10 ft above any equipment or structure within 25 to 50 ft above a potential ignition source. Because the flame can be ignited, the height of the stack must be designed or the pit located so that the radiation levels do not violate emergency conditions.

Dispersion. The vent must be located so that dispersion is adequate to avoid potential ignition sources. The dispersion calculation of low-velocity vents is much more difficult and should be modeled by experts familiar with the latest computer programs. Location of these vents is very critical if the gas contains H2S because even low concentrations at levels accessible by personnel could be hazardous. The location of low-velocity vents should be checked for radiation in the event of accidental ignition.


Cp/CV = specific heats at constant pressure and temperature, dimensionless
d = nominal tip diameter, L, in.
di = pipe inside diameter, L, in.
D = minimum distance from the midpoint of the flame to the object being considered, L, ft
Dt = tailpipe diameter, L, in the same units as Y
E = fraction of heat radiated
g = acceleration due to gravity, 32.3 ft/sec2
h = height of liquid seal, L, ft
k = ratio of specific heats, CP/CV
K = allowable radiation level, BTU/hr-ft2
L = flame length, L, ft
p = maximum allowable header backpressure, m/Lt2, psi
PCL = critical pressure at flare tip, m/Lt2, psia
Q = heat release (lower heating value), BTU/hr
Qg = gas-flow rate, MMscf/D
r = relative humidity, fraction
R = distance from flare center
S = specific gravity, fraction
t = temperature, T, °F
T = temperature, T, °R
Ux = lateral-wind velocity, L
Uj = exit gas velocity from stack, L
V = gas velocity, L/t, ft/sec
VS = sonic velocity, L/t, ft/sec
W = weight flow rate of the vapor/air mixture at distance Y from the end of the tailpipe, mL/t
Wf = gas-flow rate, lbm/hr
Wo = weight flow rate of the relief device discharge in the same units as W, mL/t
xc = horizontal distance from flare tip to flame center, L
yc = vertical distance from flare tip to flame center, L
Y = distance along the tailpipe axis at which W is calculated, L
Z = gas compressibility at standard conditions, Lt2/m, psi−1
ΔPW = pressure drop at the tip in inches of water
Δx = horizontal flame distortion caused by lateral wind, L, ft
Δy = vertical flame distortion caused by lateral wind, L, ft
ρ = sealing-liquid density, lbm/ft3
ρg = density of gas, lbm/ft3
τ = fraction of heat intensity transmitted


  1. 1.00 1.01 1.02 1.03 1.04 1.05 1.06 1.07 1.08 1.09 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 APi RP 14C, Analysis Design, Installation and Testing of Basic Surface Safety Systems for Offshore Production Platforms. 1998. Washington, DC: API.
  2. 2.0 2.1 API RP 14J, Design and Hazards Analysis for Offshore Production Facilities. 1993. Washington, DC: API.
  3. 3.0 3.1 3.2 3.3 3.4 3.5 Pressure Vessels. 2001. In Boiler and Pressure Vessel Code, Sec. 8, Divisions 1 and 2. New York City: ASME.
  4. 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 API RP 520, Design and Installation of Pressure Relieving Systems in Refineries, Part I, seventh edition. 2000. Washington, DC: API.
  5. 5.0 5.1 5.2 5.3 5.4 5.5 5.6 API RP 520, Design and Installation of Pressure Relieving Systems in Refineries, Part 2, fifth edition. 2003. Washington, DC: API.
  6. 6.00 6.01 6.02 6.03 6.04 6.05 6.06 6.07 6.08 6.09 6.10 6.11 6.12 6.13 6.14 6.15 API RP 521, Guide for Pressure-Relieving and Depressuring Systems, fourth edition. 1999. Washington, DC: API.
  7. Occupational Safety and Health Standards, regulations, 29 CFR Part 1910. 1999. Washington, DC: US Dept. of Labor.
  8. API STD 2000, Venting Atmosphere and Low-Pressure Storage Tanks—Nonrefrigerated and Refrigerated, fifth edition. 1999. Washington, DC: API.

SI Metric Conversion Factors

Btu × 1.055 056 E+00 = kJ
Btu/hr × 2.930 711 E+01 = W
ft × 3.048* E−01 = m
ft/s × 3.048* E−01 = m/s
ft/s2 × 3.048* E−01 = m/s2
ft2 × 9.290 304 E−02 = m2
ft3 × 2.831 685 E−02 = m3
°F (°F − 32)/1.8 = °C
lbm × 4.535 924 E−01 = kg
lbm/ft3 × 1.601 846 E+01 = kg/m3
psi × 6.894 757 E+00 = kPa
°R °R/1.8 = °K


Conversion factor is exact.