There are interlocks on the feed rate, and automatically-activated emergency cooling, emergency venting, and emergency dump systems. Alarms are provided for high temperature, high-high temperature, and rate of temperature rise.

Reactor safeguards include emergency reaction quench system, auxiliary cooling, emergency venting, and emergency dump system. A rupture disk (PSE) and a relief valve (PSV) are provided to reduce the likelihood of reactor vessel failure. An emergency reactor evacuation (dump) system is composed of a large diameter pipe that flows to an open water basin and discharges 10 ft below the surface of a remote basin. There are on-line analyzers as well as periodic lab sample analysis.

Other safeguards include an integrated set of safety management systems, operator training and qualification program, mechanical integrity (inspections, reliability assurance, testing/calibrations), written general operating procedures, written specific batch instruction sheets, emergency response plans, environmental documentation, e.g., spill prevention, control and countermeasure (SPCC) plans, flammable gas detectors, a water-spray deluge system, and a flare. Designated critical steps in the batch cycle are required to be verified by a second (qualified) person.

Pre-event side of Bow-Tie
In this illustration, not all cause scenarios are included on the pre-event side of the Bow-Tie. A screening study would be conducted in significantly more detail and would identify and include all credible cause scenarios. The PHA team develops the pre-event (cause scenario) side of the diagram by progressing from right to left, backwards in time, in a deductive approach. Figure 4 illustrates the first level of the pre-event diagram, along with associated safeguard barriers The PHA team identified five general cause categories at the first level that could result in an unintended exotherm (Figure 4):

First level causes

Figure 4: Click to enlarge

A. Mis-charging (during the initial reaction step or during subsequent step of continuous feed).
B. Less than adequate Agitation due to a variety of reasons, motor, shaft, impeller/blade.
C. Heat Removal Problem (during normal operation or during a temperature excursion).
D. Control System Problem. 
E. “Other and Miscellaneous”.

Safeguards, or barriers, are identified and added to the diagram between the identified causes and the designated top event (the unintended exotherm). Some barriers may apply to more than one cause. As shown on Figure 4, the team identified five existing barriers that apply to the Mis-charge scenario:

1. Written Specific Batch Control Instruction or Specification Sheet that is generated, reviewed, and approved by operation managers.
2. Physical action by operations personnel to verify and confirm the operating conditions and completed actions.
3. Lab analyses.
4. On-line analyzers.
5. Operator qualification and competency specifically applicable to the cause scenario.

The PHA study progresses systematically through each of the five cause categories at level one, then progresses to the next level of detail. Figure 5 illustrates 16 potential second level cause scenarios.

Second level causes

Figure 5: Click to enlarge

In some aspects, results of a Bow-Tie analysis resemble a modified Failure Mode and Effect Analysis (FMEA): credible failures are systematically identified, and then existing safeguards are determined and evaluated. For example, credible causes for malfunctions of the written Specific Batch Control Instructions could be examined by the team; the associated safeguard measures related to these causes would be further identified and evaluated The system for ensuring that written instructions are accurate and up-to-date would be discussed by the PHA team. Procedures for change management, and occasional, anticipated deviations related to these written instructions, would be evaluated. Finally, reliability, and degree of independence, of each of the identified safeguards are evaluated. Further analysis can be conducted later as desired. 

The analysis then proceeds to the next level of detail. One of the identified concerns at this level is the availability of cooling water for heat removal. The third-tier of detail for this concern might include credible causes of loss of cooling water such as:

• supply problem (inadequate quantity available for pumping, or low supply pressure)
• flow restriction problem caused by obstruction (fouling or corrosion inside the piping system)
• flow restriction problem caused by mis-valving (manual block valve positions incorrect)
• flow problem associated with the pumping system
• flow problem associated with freezing water

Safeguards associated with each of these identified flow problems would then be identified and evaluated by the PHA team. Another example of additional detail is shown in Figure 6, where the team identifies and examines potential causes for mis-charge events, which could involve one or more of eight possible sources.

Mischarging

Figure 6: Click to enlarge