
Cooling Water Loss During Exothermic Reactor Startup Case Study

Chemical engineering case study on cooling-water loss during exothermic reactor startup, covering heat generation, safe hold time, alarms, interlocks, operator response, validation evidence, and restart decision.

This case study follows a cooling-water loss during startup of an exothermic liquid-phase reactor. The event is realistic rather than tied to one incident. It is useful because the hazard develops through ordinary engineering details: feed addition begins, heat generation rises, cooling flow is not actually available, a bypassed safeguard is not restored, and the operator has less time than the procedure assumes.

The purpose is to show how a chemical-process safety decision should connect heat balance, safe hold time, alarm timing, interlock status, field evidence, and restart authorization.

Technical Context

Exothermic reactors need heat removal at the same time that reaction rate, feed rate, temperature, mixing, and composition are changing. Startup can be more hazardous than normal operation because the plant is moving through transient states, instruments may have been bypassed for maintenance, utilities may not be fully lined up, and operators may be following a sequence rather than watching one steady operating point.

A simplified thermal balance during an upset is:

\[ mC_p\frac{dT}{dt}=\dot{Q}_{gen}-\dot{Q}_{rem} \]

where $m$ is reacting mass, $C_p$ is average heat capacity, $\dot{Q}_{gen}$ is heat generation, and $\dot{Q}_{rem}$ is heat removal. The equation is simple, but the safety decision depends on how quickly alarms, interlocks, and operator actions act relative to the temperature rise.

Scenario

A batch reactor is being restarted after jacket maintenance. The startup procedure allows feed addition after the reactor reaches the initial temperature and the operator confirms cooling-water availability.

Parameter | Value
--- | ---
Reacting mass | 6200 kg
Average heat capacity | 3.4 kJ/(kg K)
Initial reactor temperature | 70 °C
High-temperature alarm | 82 °C
High-high trip setpoint | 90 °C
Decomposition concern threshold | 100 °C
Nominal heat generation during feed ramp | 520 kW
Residual heat removal after cooling-water loss | 120 kW
Temperature sensor effective dead time | 2.5 min
Operator diagnosis and action time | 4.0 min
Feed isolation valve closure time | 1.5 min

During startup, reactor temperature rises faster than expected. The cooling-water low-flow interlock had been bypassed during maintenance and was not restored before feed addition. The temperature alarm remains active, but the response now relies on operator diagnosis and manual action.

Event Sequence

  1. Maintenance clears the jacket for startup but leaves a cooling-flow interlock bypass active.
  2. The startup checklist confirms valve lineup but does not require an interlock proof or live cooling-flow challenge.
  3. Feed addition begins at the normal ramp rate.
  4. Reactor temperature starts rising; jacket outlet temperature does not rise as expected because cooling flow is low.
  5. The operator receives a high-temperature alarm and checks trends.
  6. Feed is stopped and emergency cooling lineup is restored before the high-high trip setpoint is reached.
  7. The unit is held for engineering review before restart.

No vessel rupture or release occurs. The near miss is still serious because the credited safeguard was not available at the moment it was needed.

Heat-Balance Screening

Thermal capacitance of the reacting mass:

\[ mC_p=6200(3.4)=21080\ \text{kJ/K} \]

Net heat accumulation after cooling-water loss:

\[ \dot{Q}_{net}=\dot{Q}_{gen}-\dot{Q}_{rem}=520-120=400\ \text{kW} \]

Because $1\ \text{kW}=1\ \text{kJ/s}$, the temperature rise rate is:

\[ \frac{dT}{dt}=\frac{400}{21080}=0.0190\ \text{K/s} \]

Convert to kelvin per minute:

\[ 0.0190(60)=1.14\ \text{K/min} \]

Engineering Interpretation

At the nominal heat-generation rate, the reactor temperature rises by more than one kelvin per minute after cooling is lost. That is slow enough for a working protection system, but not slow enough to treat the event casually.

Time Available Before Trip

Temperature margin from the initial condition to high-temperature alarm:

\[ 82-70=12\ \text{K} \]

Time to alarm under the screening rate:

\[ t_{alarm}=\frac{12}{1.14}=10.5\ \text{min} \]

Temperature margin from the initial condition to high-high trip:

\[ 90-70=20\ \text{K} \]

Time to trip:

\[ t_{trip}=\frac{20}{1.14}=17.5\ \text{min} \]

Response chain after the temperature measurement begins to show the event:

\[ t_{response}=2.5+4.0+1.5=8.0\ \text{min} \]

Nominal time margin from alarm to completed feed isolation:

\[ M_t=10.5-8.0=2.5\ \text{min} \]

Engineering Interpretation

The manual response has only a small margin. The process did not run away because the operator acted correctly and the heat-generation rate stayed near the nominal estimate. A few minutes of diagnostic delay, a higher feed concentration, a slower valve, or a less visible trend could have consumed the margin.

Conservative Heat-Release Case

The engineering team checks a plausible conservative case:

  • heat generation is 10 % higher because feed concentration is high;
  • residual heat removal is 80 kW because the cooling path is more restricted than assumed.

Conservative heat generation:

\[ \dot{Q}_{gen,high}=1.10(520)=572\ \text{kW} \]

Conservative net heat:

\[ \dot{Q}_{net,high}=572-80=492\ \text{kW} \]

Temperature rise rate:

\[ \frac{dT}{dt}=\frac{492}{21080}=0.0233\ \text{K/s} \]

Convert:

\[ 0.0233(60)=1.40\ \text{K/min} \]

Time to alarm:

\[ t_{alarm,high}=\frac{12}{1.40}=8.6\ \text{min} \]

Time margin against the same response chain:

\[ M_{t,high}=8.6-8.0=0.6\ \text{min} \]

Engineering Interpretation

The conservative case nearly consumes the available response time. That means the alarm cannot be credited as a robust independent safeguard for this startup unless response time is shortened, the alarm is moved earlier, heat generation is limited, or an automatic interlock is restored and proof-tested.
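The heat-balance screening and the conservative heat-release case above use the same chain of arithmetic, so the following carries both through in one set of functions. This is an added worked example written for this page, not the plant's or any vendor's engineering calculation; the class and function names (ReactorCase, ResponseChain, screening, conservative_case) are assumptions, and the numbers are the case-study values from the parameter table. It also computes the time to the decomposition concern threshold, which the table lists but the screening above does not use.

```python
# Added worked example for this case study: the heat-balance screening
# carried through for the nominal and the conservative case. Illustrative
# code written for this page, not the plant's engineering tool. Names are
# assumptions; the numbers are the case-study values from the table.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ReactorCase:
    mass_kg: float            # reacting mass m
    cp_kj_per_kg_k: float     # average heat capacity C_p
    t_initial_c: float        # temperature at the start of the upset
    t_alarm_c: float          # high-temperature alarm setpoint
    t_trip_c: float           # high-high trip setpoint
    t_decomp_c: float         # decomposition concern threshold
    q_gen_kw: float           # heat generation Q_gen during feed ramp
    q_rem_kw: float           # residual heat removal Q_rem after cooling loss


@dataclass(frozen=True)
class ResponseChain:
    sensor_dead_time_min: float
    operator_action_min: float
    valve_closure_min: float

    @property
    def total_min(self) -> float:
        return self.sensor_dead_time_min + self.operator_action_min + self.valve_closure_min


def thermal_capacitance_kj_per_k(case: ReactorCase) -> float:
    return case.mass_kg * case.cp_kj_per_kg_k


def rise_rate_k_per_min(case: ReactorCase) -> float:
    # m C_p dT/dt = Q_gen - Q_rem; with 1 kW = 1 kJ/s the quotient is K/s,
    # and the factor 60 converts to K/min. Intermediates are not rounded.
    q_net_kw = case.q_gen_kw - case.q_rem_kw
    return q_net_kw / thermal_capacitance_kj_per_k(case) * 60.0


def time_to_setpoint_min(case: ReactorCase, setpoint_c: float) -> float:
    """Minutes from the start of the upset until the temperature reaches setpoint_c."""
    rate = rise_rate_k_per_min(case)
    if rate <= 0.0:
        return float("inf")   # net heat removal: the setpoint is never reached
    return (setpoint_c - case.t_initial_c) / rate


def screening(case: ReactorCase, chain: ResponseChain) -> dict:
    """Rise rate, time to alarm / trip / decomposition threshold, response chain,
    and the page's screening margin M_t = t_alarm - t_response."""
    t_alarm = time_to_setpoint_min(case, case.t_alarm_c)
    return {
        "rate_k_per_min": rise_rate_k_per_min(case),
        "t_alarm_min": t_alarm,
        "t_trip_min": time_to_setpoint_min(case, case.t_trip_c),
        "t_decomp_min": time_to_setpoint_min(case, case.t_decomp_c),
        "response_min": chain.total_min,
        "margin_min": t_alarm - chain.total_min,
    }


def conservative_case(case: ReactorCase, gen_uplift: float = 0.10,
                      residual_kw: float = 80.0) -> ReactorCase:
    """Conservative heat-release case: generation raised by gen_uplift and
    residual removal replaced by residual_kw (the page's two assumptions)."""
    return replace(case, q_gen_kw=case.q_gen_kw * (1.0 + gen_uplift), q_rem_kw=residual_kw)


# Case-study values from the parameter table above.
NOMINAL = ReactorCase(mass_kg=6200.0, cp_kj_per_kg_k=3.4, t_initial_c=70.0,
                      t_alarm_c=82.0, t_trip_c=90.0, t_decomp_c=100.0,
                      q_gen_kw=520.0, q_rem_kw=120.0)
CHAIN = ResponseChain(sensor_dead_time_min=2.5, operator_action_min=4.0,
                      valve_closure_min=1.5)

if __name__ == "__main__":
    for label, case in (("nominal", NOMINAL), ("conservative", conservative_case(NOMINAL))):
        r = screening(case, CHAIN)
        print(f"{label:12s} rate {r['rate_k_per_min']:.2f} K/min  "
              f"alarm {r['t_alarm_min']:.1f} min  trip {r['t_trip_min']:.1f} min  "
              f"decomp {r['t_decomp_min']:.1f} min  margin {r['margin_min']:.1f} min")
```

The code keeps full precision where the page rounds the rate to 1.14 K/min before dividing, so the nominal time to trip comes out as 17.6 min rather than 17.5 min; the alarm times and margins agree with the page to one decimal. Changing gen_uplift or residual_kw in conservative_case shows how little heat-release uncertainty is needed to consume the 0.6 min margin.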

Failure Analysis

The incident has several contributing failure modes:

Failure mode | Technical effect
--- | ---
Cooling-flow interlock bypass left active | automatic feed prevention was unavailable
Startup checklist did not require live cooling-flow proof | utility availability was assumed rather than demonstrated
Temperature alarm was the remaining safeguard | response depended on operator diagnosis and timing
Feed ramp was normal despite abnormal safeguard state | heat generation rose before cooling evidence was secure
Maintenance handover did not flag bypass restoration | control-room and field state were not aligned

The root problem is not only cooling-water flow. It is safeguard governance during a transient operating mode.

Evidence Required Before Restart

Restart should require evidence, not reassurance.

Evidence | Acceptance purpose
--- | ---
cooling-water flow transmitter proof test | confirms the trip input works
interlock bypass removed and independently checked | restores automatic protection
emergency cooling valve stroke test | confirms response path
reactor temperature sensor calibration and dead-time check | validates alarm timing
feed isolation valve closure test | validates response time
startup checklist revision | prevents recurrence during lineup
operator trend review | confirms event recognition and response sequence
management-of-change record | documents altered startup protection basis

The review should also confirm whether the high-temperature alarm setpoint is early enough for the fastest credible heat-release case.

Restart Decision

The engineering decision is:

Do not restart the reactor until the cooling-flow interlock is restored and proof-tested, startup requires live cooling-flow verification before feed addition, the high-temperature alarm has adequate response margin for the conservative heat-release case, and bypass governance is corrected.

If production pressure requires a temporary startup limit, it should be written as an engineered restriction:

  • lower initial feed ramp;
  • verified cooling-water flow permissive before feed;
  • no active bypasses on credited safeguards;
  • operator stationed on reactor temperature, jacket outlet temperature, and cooling-flow trends;
  • automatic feed isolation available and tested;
  • engineering approval required for any deviation.
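The engineered restriction above can be written as a feed-addition permissive that evaluates field evidence rather than a checklist tick: a live flow reading against a threshold, no active bypass on any credited safeguard, a proof-test record for each, a capped ramp, and an operator on the trends. The following is an added example written for this page, not the plant's safety-system logic; the record fields, the safeguard names, the flow threshold and the two states at the bottom are all assumptions constructed for illustration.

```python
# Added illustrative example: the temporary startup restriction written as a
# feed-addition permissive. Example code for this page, not the plant's
# safety-instrumented-system logic; field names, safeguard names, the flow
# threshold and the sample states are assumptions constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    credited: bool          # credited in the startup protection basis
    bypass_active: bool     # any active bypass on a credited safeguard blocks feed
    proof_tested: bool      # proof test completed and independently checked


@dataclass(frozen=True)
class StartupState:
    cooling_flow_m3_per_h: float        # live reading from the flow transmitter
    cooling_flow_min_m3_per_h: float    # permissive threshold (assumed value)
    feed_ramp_fraction: float           # requested ramp as a fraction of normal
    max_feed_ramp_fraction: float       # engineered restriction on the ramp
    operator_on_trends: bool            # operator stationed on the reactor trends
    safeguards: tuple[Safeguard, ...] = ()


def feed_permissive_blocks(state: StartupState) -> list[str]:
    """Return every reason feed addition must be refused; an empty list permits feed.
    All conditions are evaluated so the operator sees the complete list, not only
    the first failure."""
    blocks: list[str] = []
    if state.cooling_flow_m3_per_h < state.cooling_flow_min_m3_per_h:
        blocks.append(f"cooling-water flow {state.cooling_flow_m3_per_h:.1f} m3/h below "
                      f"permissive {state.cooling_flow_min_m3_per_h:.1f} m3/h")
    for sg in state.safeguards:
        if not sg.credited:
            continue                     # non-credited items do not gate feed
        if sg.bypass_active:
            blocks.append(f"bypass active on credited safeguard '{sg.name}'")
        if not sg.proof_tested:
            blocks.append(f"credited safeguard '{sg.name}' not proof-tested")
    if state.feed_ramp_fraction > state.max_feed_ramp_fraction:
        blocks.append(f"feed ramp {state.feed_ramp_fraction:.0%} exceeds limit "
                      f"{state.max_feed_ramp_fraction:.0%}")
    if not state.operator_on_trends:
        blocks.append("operator not stationed on reactor, jacket and cooling-flow trends")
    return blocks


def feed_permitted(state: StartupState) -> bool:
    return not feed_permissive_blocks(state)


# Constructed states: the lineup the event started from, and the corrected lineup.
AS_FOUND = StartupState(
    cooling_flow_m3_per_h=4.0, cooling_flow_min_m3_per_h=30.0,
    feed_ramp_fraction=1.0, max_feed_ramp_fraction=0.5,
    operator_on_trends=False,
    safeguards=(
        Safeguard("cooling-flow low-flow interlock", credited=True, bypass_active=True, proof_tested=False),
        Safeguard("automatic feed isolation", credited=True, bypass_active=False, proof_tested=False),
        Safeguard("high-temperature alarm", credited=True, bypass_active=False, proof_tested=True),
    ),
)
CORRECTED = StartupState(
    cooling_flow_m3_per_h=36.0, cooling_flow_min_m3_per_h=30.0,
    feed_ramp_fraction=0.5, max_feed_ramp_fraction=0.5,
    operator_on_trends=True,
    safeguards=tuple(
        Safeguard(sg.name, credited=True, bypass_active=False, proof_tested=True)
        for sg in AS_FOUND.safeguards),
)

if __name__ == "__main__":
    for label, st in (("as found", AS_FOUND), ("corrected", CORRECTED)):
        reasons = feed_permissive_blocks(st)
        print(f"{label}: {'PERMIT' if not reasons else 'BLOCK'}")
        for reason in reasons:
            print("  -", reason)
```

The design point is that the permissive consumes a live transmitter value and a proof-test record per credited safeguard, so the "valve lineup confirmed" checklist state from the event sequence cannot by itself open the feed path; the as-found state is refused for six separate reasons, the bypass among them.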

Transferable Lessons

  • A utility confirmation is not the same as a live functional proof.
  • Manual alarm response is weak when the calculated time margin is measured in minutes.
  • Interlock bypasses are process-safety states, not paperwork details.
  • Startup and shutdown need their own hazard review because the plant is not at steady state.
  • A heat-balance calculation becomes operational only when it is tied to sensor dead time, valve closure time, operator action, and proof-test evidence.