Systematic Lessons Learned Analysis
Systematic Lessons Learned Analysis
for Oil and gas Plant
Version 3 Issue 1
January 2015
Systematic Lessons Learned Analysis
Systematic Lessons Learned Analysis
Systematic Lessons Learned Analysis for Oil and
Gas Plant
ITSA
Prunusvej 39,
3450 Allerød,
Denmark
Issue
Date
V3I1 Jan 2015
Author
JRT
Approval
Release
Systematic Lessons Learned Analysis
Systematic Lessons Learned Analysis
Preface
This report was written because of concerns that many hazop and hazid workshops do not
capture all of the accident types which are known from experience. It covers the need for a
systematic way of utilising accident experience to supplement hazard identification methods
such as Hazop and Hazid.
J.R.Taylor
Abu Dhabi 2012
Systematic Lessons Learned Analysis
Updating history
Issue
Initial version
Date
Dec 2012
Affected
Change
Initial release
V2
2013
Update with more cases for gas
plants
V3
2015
Update with more cases for oil
and gas plants
Systematic Lessons Learned Analysis
Contents
1.
2.
Introduction ........................................................................................................................1
Index to Lessons Learned ...................................................................................................2
2.1 Case history index – case history titles .......................................................................2
2.2 Case history index – case history equipment types .....................................................5
2.3 Lessons learned ...........................................................................................................9
2.4 Design lessons learned ..............................................................................................16
2.5 Management of change lessons learned ....................................................................19
3. Case Histories and Lessons Learned ................................................................................21
Systematic Lessons Learned Analysis
Systematic Lessons Learned Analysis
1. Introduction
One of the largest problems in hazard identification, such as with HAZOP, HAZID or What
If? processes, is to ensure that all significant accident types and threats are covered.
Typically even the best analyses only covers about 98% of the accidents which could occur
(see QRAQ report, ref 1). Some accidents are have such complex causality that it is difficult
to see how they could ever be predicted. Nevertheless, such accidents have occurred and
represent a significant part of process plant risk (see Ch xx).
In these circumstances, a lower objective than absolute completeness may be accepted.
However, a reasonable expectation when we analyse a plant is that the analysis should cover
the accidents which have occurred on the plant, or the accidents on similar plants elsewhere
which have been published.
There are many publications which describe accidents and give lessons learned. A short list
is:
One of the problems with such literature is that the lessons learned books need to be read, and
for practical purposes need to be memorised, in order that the lessons can be incorporated, for
example into a HAZOP report. In practical hazard identification work, it has been found that
even experienced professionals can only recall a fraction of the accidents which have
occurred around the world. Experienced plant operators can usually remember a large
fraction of the accidents which have occurred on their own plants.
Systematic Lessons Learned Analysis
2. Index to Lessons Learned
2.1 Case history index – case history titles
Case
no.
1
2
3
4
5
6
7
8
9
10
11
12
13
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
37
38
Title
UVCE after piping modification
Problem of galvanised stairs and platform walkways in fire
Layering in a liquefied gas accumulator lead to low temperatures and brittle fracture causing release
and VCE
Overfilling of propane storage vessel gave condensation hammer, vessel rupture and vapour cloud
explosion
Compressor gasket leak gave flash fire
Hammer in a multi product pipeline rupture the line, releasing fuel which flowed into a village and
burned
Fire on opening a pipe flange for valve maintenance
Blowby when liquid was drained from a separator allowing gas to discharge though te liquid line. The
LP separator ruptured
Damage to electrical power cables due to trench excavation
Condensate hammer caused a pipe rupture after a steam trap was disabled to allow confined space
entry
Inadequate pipe support and inadequate installation and thermal cycling caused pipe rupture and fire
Gasket displacement due to thermal cycling causes leak and explosion
Flange failure due to rapid heating of reactor, giving a dangerous flange fire.
Human factors error led to opening of a naphtha pump while pressurised, and a VCE
Procedural drift led to operation of a reactor outside the design envelope and a VCE
Premature start up and design errors led to column filling and overflow of naphtha to a vent
Freezing in a dead leg caused pipe cracking and a welding rod in a block valve allowed propane to
escape and a jet fire, with domino effects.
Crude oil release due to vibration fatigue pipe fracture
Chlorine release due to incorrect supply of material
Vessel overflow and hammer rupture of flare line
Problems in shift handover caused a compressor to be started although maintenance was not
complete and a blind flange was open, giving a large fire and domino effects
Methyl isocyanate storage was operated despite the vent scrubber being out of operation. Water
ingress cause a release and massive fatalities
An oversight in inspection procedures allowed heavy corrosion at a pipe elbow which led to VCE
Buiding operations over a gas pipeline caused cracking. Gas ignited when fire fighters attempted to
uncover the leak.
A massive explosion when a vapour plume from a gasoline tank overflow ignited
A sour gas blowout occurred during adverse conditions giving many fatalities
Confusion of design pressure and operating pressure led to pipe rupture and VCE
Sour water tank explosion
Pump not properly isolated and drained prior to removal for maintenance resulted in explosion
Crude oil tank overflow gave a large explosion and multiple tank fires
Fuel leak into boiler fire box witout pilot flame led to explosion
Pump weld fracture led to release of propylene and a large explosion with domino effects
Slops tank explosion
Cavitation damage and holing on a vacuum column inlet
Crude oil jet fire due to non replacement of fitting after maintenance
Water hose used to ransfer hydrogen between vessels ruptured due to overpressure
Systematic Lessons Learned Analysis
39
40
41
42
43
44
45
46
47
48
75
76
77
78
79
80
81
82
82
84
85
86
87
88
89
90
91
92
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
112
113
114
115
116
Pool fire due to lube oil sight glass damage
Sulphur burner blower wing shed leading to sulphur dioxide release
Steam condensate hammer pipe rupture due to a condensate collection loop overfilling
Knock out drum overflow and compressor shattering
Wrong materials used for a nitric acid plant pipe spool
Wrong materials used for a crude unit bottoms pump leading to rupture
Hot oil pumped to an "empty" tank causes rapid phase transition explosion
Third party interference rupture of a high hazard natural gas pipeline
Pipeline damage while installing new pipelines
Propane leaking from a pump seal ignited by a nearby transformer
Natural gas liquids released "to a safe place" travelled 15 km. and then exploded.
Floating roof tank was emptied excessively so roof settled on its legs then air was drawn in
under the roof
Steam release from pinholes due to entry of hydrogen sulphide into the steam system from a
heat recovery heat exchanger.
Vertical two phase flow almost destroys an amine regenerator
Verical two phase flow in an oil degassing tank riser caused heavy vibration
40 m. drain line with no supports
Slug catcher bouncing due to two phase flow slugging
Incipient lagging fire on a steam turbine
Potential lagging fire on ESD fire protection insulation
Very high vibration on reciprocating compressor
Jet fire from a fired heater.
Steam condensate tank collapse
Under insulation corrosion
Use of ordinary electrical equipment in classified areas
Conduit damage caused fire
Fork lift and crane collisions
Fork lift truck collisions with a drain valve causes major vapour cloud explosion
Pipeline jet fire alongside a major highway
Inadequate closure of terminal boxes and junction boxes
Hydrogen sulphide corrosion of terminals in cable room
Vessel damage due to pipe expansion and locked up pipe guides
Pipe shoes fallen off the support
Vessel support nearly falling from a foundation sole plate
Support not adjusted on pipeline relief line
Sand accumulation and dew condensation caused pitting corrosion and sour gas release
Dripping dew causes localised corrosion
Pipe fatigue due to pump vibration
Hand rail failure on a distillation column due to acid smoke
Projectiles from an LPG packing station fire.
Fire induced tank explosion
Boilover in a closed roof tank storing heavy fuel oil
Torque loading due to failure of expansion bellows bolts causes pipe rupture
Solvent fire spread due to fire fighting
Oil release from separators
Overvolatge on power supply damages all instruments
Earthquake causes subsidence and leak from upstream of ESD
Large capacitor in main power supply explodes
Erratic and dangerous loss of control for a loading arm due to PLC failure
Oxygen instead of nitrogen in purging
Nitrogen used as backup for instrument air, operators killed
Stress cracking due to hard spot initiation resulting in fire
Systematic Lessons Learned Analysis
117
118
119
120
120
121
122
123
124
125
126
127
128
129
130
132
135
136
137
138
84a
Heat exchanger cracking due to liquefied gas evaporation while shut down
Pump seal leak ignited by a transformer
Single pipeline used for loading butane, propane and naphtha caused phase transition
explosion
Confined space entry lead to multiple fatalities
Welder asphyxiated by argon gas seeping from welding set
Steam pipe damages an SCBA set
Inadequate ventilation prior to confined space entry
Fire at a glycol reboiler due to crack in burner face plate to fire tube.
Overflow of ethylen liquid to flare due to unconnected instruments
Instrument internal failure
Lightning strike on tank causes closed roof tank explosion
Flame detector bypassed on boiler followed by an explosion
Bypass left over from commissioning resulted in a boiler low level without trip and an
explosion.
Tank vent taken to ground level was ignited by welding slag
Foreman collapses on tank entry due to hydrogen sulphide, multiple fatalities
Overpressuring rupture of a heat exchanger due to reverse blow by
Wrong NGL line cut leading to large jet fire
Evaporator burst due to brittle cracking this being due to cryogenic nitrogen overflow.
Failure of hydraulic tubing causes fatality
Valve breakage due to excessive force and resultant water jet causes a fatality
High vibration level in a high pressure header
Systematic Lessons Learned Analysis
2.2 Case history index – case history equipment
types
Equipment
group
Blower
Equipment type
Boiler
Boiler
Column
Fire box
Flame detector
Distillation
column
Amine
regenerator
column
Vacuum column
Head gasket
Reciprocating
compressor
Column
Column
Compressor
Compressor
Confined
space
Confined
space
Confined
space
Confined
space
Cylinders
Drain
Electrical
equipment
Electrical
equipment
Electrical
equipment
Electrical
equipment
Electrical
power
Fired heater
Fired heater
Fork lift
truck
Gas cylinder
Heat
exchanger
Heat
exchanger
Heat
exchanger
Heat
exchanger
Title
Sulphur burner blower wing shed leading to sulphur dioxide
release
Fuel leak into boiler fire box witout pilot flame led to explosion
Flame detector bypassed on boiler followed by an explosion
Premature start up and design errors led to column filling and
overflow of naphtha to a vent
Vertical two phase flow almost destroys an amine regenerator
Cavitation damage and holing on a vacuum column inlet
Compressor gasket leak gave flash fire
Very high vibration on reciprocating compressor
Case
no.
40
34
127
19
78
37
5
84
Confined space entry lead to multiple fatalities
120
Welder asphyxiated by argon gas seeping from welding set
120
Inadequate ventilation prior to confined space entry
122
130
Lpg cylinders
Fire water drain
Cables
Foreman collapses on tank entry due to hydrogen sulphide,
multiple fatalities
Projectiles from an LPG packing station fire.
Solvent fire spread due to fire fighting
Use of ordinary electrical equipment in classified areas
Conduit
Conduit damage caused fire
89
Junction box
Inadequate closure of terminal boxes and junction boxes
95
Switches
Hydrogen sulphide corrosion of terminals in cable room
96
Cable
Damage to electical power cables due to tench excavation
Fire box
Reboiler
Jet fire form a fired heater.
Fire at a glycol reboiler due to crack in burner face plate to fire
tube.
Fork lift and crane collisions
85
123
Oxygen instead of nitrogen in purging
Heat exchanger cracking due to liquefied gas evaporation while
shut down
Evaporator burst due to brittle cracking this being due to
cryogenic nitrogen overflow.
Gasket displacement due to thermal cycling causes leak and
explosion
Steam release from pinholes due to entry of hydrogen sulphide
into the steam system from a heat recovery heat exchanger.
114
117
Evaporator
Evaporator
Gasket
Heat recovery
exchanger
105
109
88
9
90
136
12
77
Systematic Lessons Learned Analysis
Heat
exchanger
Hose
Instrumentat
ion
Instrumentat
ion
Instrumentat
ion
Nitrogen
cylinder
Pig receiver
Level trip
Pipe
Pipeline
Pipeline
Piping
Bellows
Crude oil pipeline
Liquefied gas
pipeline
Multi product
pipeline
Natural gas
pipeline
Natural gas
pipeline
Natural gas
pipeline
Natural gas
pipeline
Bellows
Piping
Blind flange
Piping
Piping
Piping
Piping
Condensate
collection loop
Drain line
Drain line
Expansion loop
Piping
Flange
Piping
Piping
Flare line
Flare line
Piping
Flare line
Piping
Piping
Gas distribution
manifold
Hydrogen pipe
Piping
Injection line
Piping
Instrument tubing
Pipeline
Pipeline
Pipeline
Pipeline
Pipeline
Plc
Pressure
transmitter
Instrument air
backup
Overpressuring rupture of a heat exchanger due to reverse
blow by
Water hose used to ransfer hydrogen between vessels
ruptured due to overpressure
Bypass left over from commissioning resulted in a boiler low
level without trip and an explosion.
Erratic and dangerous loss of control for a loading arm due to
PLC failure
Instrument internal failure
132
Nitrogen used as backup for instrument air, operators killed
115
Natural gas liquids released "to a safe place" travelled 15 km.
and then exploded.
UVCE after piping modification
Pipeline damage while installing new pipelines
Wrong NGL line cut leading to large jet fire
75
Hammer in a multi product pipeline rupture the line, releasing
fuel which flowd into a village and burned
Buiding operations over a gas pipeline caused cracking. Gas
ignited when fire fighters attempted to uncover the leak.
Third party interference rupture of a high hazard natural gas
pipeline
Pipeline jet fire alongside a major highway
38
128
113
125
1
47
135
6
27
46
92
Stress cracking due to hard spot initiation resulting in fire
116
Torque loading due to failure of expansion bellows bolts causes
pipe rupture
Problems in shift handover caused a compressor to be started
although maintenance was not complete and a blind flange
was open, giving a large fire and domino effects
Steam condensate hammer pipe rupture due to a condensate
collection loop overfilling
40 m. drain line with no supports
Pipe fatigue due to pump vibration
Vessel damage due to pipe expansion and locked up pipe
guides
Flange failure due to rapid heating of reactor, giving a
dangerous flange fire.
Fire on opening a pipe flange for valve maintenance
Sand accumulation and dew condensation caused pitting
corrosion and sour gas release
Overflow of ethylen liquid to flare due to unconnected
instruments
High vibration level in a high pressure header
108
Confusion of design pressure and operating pressure led to
pipe rupture and VCE
An oversight in inspection procedures allowed heavy corrosion
at a pipe elbow which led to VCE
Failure of hydraulic tubing causes fatality
24
41
80
103
97
13
7
101
124
84a
30
26
137
Systematic Lessons Learned Analysis
Piping
Piping
Loading hose
Manifold
Piping
Natural gas trunk
line
Pipe shoes
Pipe support
Steam piping
Piping
Piping
Piping
Piping
Piping
Tank discharge
nozzle
Tee junction
Piping
Valve loop
Piping
Piping
Piping
Drain line
Piping
Piping
Power
supply
Power
supply
PPE
Pump
Drain pipe
Lagging
Capacitor
Pump
Centrifugal pump
Pump
Centrifugal pump
Pump
Pump
Centrifugal pump
Centrifugal pump
Pump
Centrifugal pump
Reactor
Structure
Structure
Tank
Tank
Tank
Continuous
reactor
Lube oil sight
glass
Hand rail
Walkway
Bfw tank
Closed roof
Closed roof tank
Tank
Closed roof tank
Tank
Tank
Closed roof tank
Closed roof tank
Sight glass
Instrument power
supply
SCBA
Centrifugal pump
Chlorine release due to incorrect supply of material
Single pipeline used for loading butane, propane and naphtha
caused phase transition explosion
Dripping dew causes localised corrosion
22
119
Pipe shoes fallen off the support
Support not adjusted on pipeline relief line
Condensate hammer caused a pipe rupture after a steam trap
was disabled to allow confined space entry
Earthquake causes subsidence and leak from upstream of ESD
98
100
10
Inadequate pipe support and inadequate installation and
thermal cycling caused pipe rupture and fire
Freezing in a dead leg caused pipe cracking and a welding rod
in a block valve allowed propane to escape and a jet fire, with
domono effects.
Wrong materials used for a nitric acid plant pipe spool
Wrong materials used for a crude unit bottoms pump leading
to rupture
Fork lift truck collisions with a drain valve causes major vapour
cloud explosion
Crude oil release due to vibration fatigue pipe fracture
Under insulation corrosion
Large capacitor in main power supply explodes
11
21
87
112
Overvoltge on power supply damages all instruments
111
Steam pipe damages an SCBA set
Human factors error led to opening of a naphtha pump while
pressurised, and a VCE
Pump not properly isolated and drained prior to removal for
maintenance resulted in explosion
Pump weld fracture led to release of propylene and a large
explosion with domino effects
Pump seal leak ignited by a transformer
Crude oil jet fire due to non replacement of fitting after
maintenance
Propane leaking from a pump seal ignited by a nearby
transformer
Procedural drift led to operation of a reactor outside the design
envelope and a VCE
Pool fire due to lube oil sight glass damage
121
17
Hand rail failure on a distillation column due to acid smoke
Problem of galvanised stairs and platform walkways in fire
Steam condensate tank collapse
Lightning strike on tank causes closed roof tank explosion
A massive explosion when a vapour plume from a gasoline tank
overflow ignited
Hot oil pumped to an "empty" tank causes rapid phase
transition explosion
Fire induced tank explosion
Boilover in a closed roof tank storing heavy fuel oil
104
2
86
126
28
102
112
20
43
44
91
32
35
118
37
48
18
39
45
106
107
Systematic Lessons Learned Analysis
Tank
Degassing tank
Tank
Floating roof tank
Tank
Floating roof tank
Tank
Tank
Tank
Turbine
Valve
Valve
Slops tank
Slops tank
Vent line
Steam turbine
ESD valve
Shut off valve
Vessel
Feed drum
Vessel
Vessel
Vessel
Feed drum
Knock out drum
Separator
Vessel
Vessel
Vessel
Separator
Slug catcher
Storage vessel
Vessel
Storage vessel
Vessel
Well
Vessel support
Sour gas well
Verical two phase flow in an oil degassing tank riser caused
heavy vibration
Crude oil tank overflow gave a large explosion and multiple
tank fires
Floating roof tank was emptied excessively so roof settled on
its legs then air was drawn in under the roof
Sour water tank explosion
Slops tank explosion
Tank vent taken to ground level was ignited by welding slag
Incipient lagging fire on a steam turbine
Potential lagging fire on ESD fire protection insulation
Valve breakage due to excessive force and resultant water jet
causes a fatality
Layering in a liquefied gas accumulator lead to low
temperatures and brittle fracture causing release and VCE
Vessel overflow and hammer rupture of flare line
Knock out drum overflow and compressor shattering
Blowby whn liquid was drained from a separator allowing gas
to discharge though te liquid line. The LP separator ruptured
Oil release from separators
Slug catcher bouncing due to two phase flow slugging
Overfilling of propane storage vessel gave condensation
hammer, vessel rupture and vapour cloud explosion
Methyl isocyanate storage was operated despite the vent
scrubber being out of operation. Water ingress cause a release
and massive fatalities
Vessel support nearly falling from a foundation sole plate
A sour gas blowout occurred during adverse conditions giving
many fatalities
79
33
76
31
36
129
82
82
138
3
23
42
8
110
81
4
25
99
29
Systematic Lessons Learned Analysis
2.3 Lessons learned
lesson Lesson title
no.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Need for at least one competent person for all disciplines
Need for MOC
Need for a proper safety review in MOC
Need for safety review of temporary modifications
Zinc corrosion of piping in a fire
Layering effect on evaporative cooling
Low temperature embrittlement
Need for blast resistance
Need for engineering quality blast mapping
Liquefied gas hammer (condensation hammer)
Ignorance of the many hammer effects
Good level control, level alarms and trips are needed in storage vessels, especially if these
have long rundown lines
Need for domino effect calculation
Inadequate awareness of bolt tightening good practice
Less than adequate storage and handling
Avoidance of hammer in pipeline filling and product change
Need to recognise low pressure as a symptom of pipeline leakage
Need for awareness of possible plugging when draining for maintenance.
Use of double block and bleed
Valve position indication
Proper procedure for flange opening.
Avoiding spills when despading
Need for job safety analysis
Need for hazard awareness at the supervisor level
All hazop teams and especially facilitators need to be aware of blowby
Need for blowby pressure relief
Blowby in hazard and effects register
Steam trap closure causes hammer rupture
Need to reinstate after inspection or test
Need to shut steam traps when working in confined spaces
Steam condensate hammer rupture
Piping needs to be installed as specified in the design.
Pipe inspection required after pipe installation or modification
Management of change procedure needed for all pipe changes.
Need for pipe support inspection and audit
Need for detailed gasket closure procedures
Need for training in gasket installation
Avoid flange failure due to rapid heating
Need for QRA
Need for blast analysis and spacing or blast protection.
Need for blast proof or blast resilient control rooms and operator rooms
Need for gas ingress prevention
Personnel exposure minimisation
Need for a properly designed gas detection network
case
no.
1
1
1
1
2
3
3
3
3
4
4
4
4
5
5
6
6
7
7
7
7
7
7
7
8
8
8
9
9
10
10
10
10
11
11
11
11
12
12
13
14
14
14
14
14
14
Systematic Lessons Learned Analysis
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
Need for PTW enforcement
Double block and bleed needed for liquefied gas plants which require frequent
maintenance.
Fire water supply must be independent of process water piping
power supply ad controls for fire water pumps must be protected from fire
Need for emergency planning
Requirement for performance testing after maintenance.
marking of interchangeable couplings
Very large size of areas affected by BLEVE
Vulnerability of fire systems in UVCE or BLEVE explosions
Need to take BLEVE overpressure into account
Projectile range in a BLEVE
Opening flanges
Quarter turn valve handles need to correctly indicate valve position
Management of change safety analysis is needed for all changes except replacement in kind.
Problem of blockage in draining and in venting
Gradual acceptance of operation outside the design envelope, procedural drift
Poor display of reactor temperature profile data
Lack of operator training
Inadequate maintenance od reactor temperature profile instrumentation
Procedures out of date and procedural drift
Inadequate process hazard analysis
Need for a start up procedure with check list
Testing of safety critical equipment
Need to learn from experience
Need for pre start up safety review.
Need for safe location for start up trailers
Need for performance standards
Need for functional performance standards
Vents should not be used for hydrocarbon relief disposal within process plants
Need for dead leg review
Need for domino effect analysis
Need for inspection for foreign objects in pipes and vessels
Need for structural steel fire proofing
Need for periodic inspection of pipe supports
Need for post commissioning and periodic inspection for vibration
Need for guideline for unacceptable vibration.
Need for PMI
Need for detailed operating procedures
Need for safety training
Need for explanation in operating procedures
Need to transfer HAZOP information to procedures
Need for piping integrity inspection
Need for overview display of the plant performance, including mass balance and critical
alarms
need for simulator training
Need for hazard awareness training for operators including input from HAZOP and QRA
Need for improved HAZOP
Need for awareness of hammer problems
Need for a full HSE management programme
Need for safety management audit
14
14
14
14
14
14
14
16
16
16
16
17
17
17
17
18
18
18
18
18
18
19
19
19
19
19
19
19
19
20
20
20
20
21
21
21
22
22
22
22
22
22
23
23
23
23
23
23
24
24
Systematic Lessons Learned Analysis
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
Need for safety management training
Need for accommodation and muster area segregation from process.
Need for fire water system operability from multiple locations
Need for a good shift hand over process.
Need for living risk analysis
Need for quality standards for QRA
Need for vulnerability and functional standards for all safety critical equipment
Need for evacuation exercises
need for hazard awareness based on high quality hazops and on QRA results
Need for plant upset section in the operating procedures
Need for quality and coverage standards for QRAs
Need for minimum conditions for operation
Need for sneak path analysis
Need for advanced pipework inspection approach
Need for MOC
Need for identification process for locations vulnerable to corrosion
Need for sharing of inspection data with operations and vice versa.
Need for RBI
Need for corrosion review as part of MOC
Need for realistic input to RBI
Need for exclusion zones in a pipeline right of way
Need for awareness of massive damage from pipeline release explosions and jet fires.
Need for accurate pipeline maps
Need for rapid response to reports of damage
Need for care in investigating reports of pipeline leaks
Need for awareness of the explosions caused by a pipeline rupture
Need for effective follow up of audit recommendations
Need for full flow and tank status information for tank farm operation
Need for adequate manning
Need for hazard awareness based on high quality hazops and on QRA results
Need for safety critical equipment monitoring
Need for effective safety auditing
Need for safety y(HSE) leadership
Need for better SIL review
Need for logging of tank level and available capacity
Need for audit of passive safety measures
Need for safety critical equipment performance standards and monitoring
"Flat line" on gauging systems which are filling needs to be alarmed
Need for human factors review
Need for reliability standards and reliability or SIL calculation fro safety critical equipment
Uncontrolled and uncoordinated setting of alarm limits
Use of alarms as controls
Lack of detail in procedures
Inadequate manning
Lack of hazard awareness for tank farms
Need for instrument integrity check list during design
Need for awareness of overflow hazards
Need for emergency preparedness when drilling
Once a plan has been made it needs to be followed
Need to take area topology into account in QRA's
Need to ignite sour gas blowouts
Need to be clear about the operations envelope
24
24
24
24
24
24
24
24
25
25
25
25
25
26
26
26
26
26
26
26
27
27
27
27
27
27
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
28
29
29
29
29
30
Systematic Lessons Learned Analysis
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
Need for audit of pressure vessel and piping calculations
Need for inert gas blanketing on sour water and slops tanks
Need for preventive maintenance programme.
Need for safety review of even "small" changes to components.
Need effective "lock out tag out" programs
Need for awareness of the possibility of UVCEs in tank farms
Need for burner management system
Rapid recovery after a very large explosion and multiple domino effects.
Danger of welding old pump casings
Need to take domino effects into account in emergency planning
Failures and problems in emergency response
Need for blanketing on slops tanks
There will always be an ignition source
Erosion due to vacuum
Release from a pump just after maintenance
Need for different connections and safety coding for different types of hoses
Need for training in hose use.
Sight glasses should be protected from physical damage
Need for vibration analysis and regular review to prevent fatigue failure.
Need for investigation when excessive vibration occurs on rotating equipment
Even respectable manufacturers can suffer from design error
Hazards of condensate hammer
Measures needed to prevent incorrect material installation
Measures needed to prevent incorrect material installation
Danger of transferring oil to unused tanks
Need for awareness of rapid phase transition explosions
Very clear and direct communication is needed in order to ensure risk reduction measures
are implemented
Pipelines need to be protected from traffic
need for careful marking of buried pipelines
Need for special care when installing new pipelines alongside existing ones
Housing should never be located close to refinery equipment or storage without an in depth
risk assessment.
Evacuation is necessary when there is a leak of any liquefied gas or volatile liquid
Natural as liquids should not be "drained to a safe place"
Need for care when emptying floating roof tanks
Avoid the danger of heat recovery from high pressure gas streams
Hazard of two phase vertical flow
Hazard of two phase vertical flow
Need for piping installation inspection of pipe supports
Two phase flow induced vibration
Oil soaked insulation fire threat on hot pipes
Oil soaked insulation fire threat due to solar heat
Avoid excessive resonant vibration
Need for periodic inspection for vibration
Need for care in emergency response
Hot water can be a significant hazard
Unusual forms of corrosion
30
30
31
32
32
32
32
33
34
35
35
35
35
35
36
36
37
37
38
38
39
40
40
40
41
42
43
44
45
45
46
46
46
47
48
75
76
77
78
79
80
81
82
82
84
84a
85
86
Systematic Lessons Learned Analysis
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
Take care when inspecting lagged piping
Prevention of under lagging corrosion
Use of ordinary electrical equipment in classified areas
Need for supervision of tools and equipment used in classified areas
Need for inspection and remediation of damaged conduit
Fork lift and crane collision prevention in process pipe tunnels
Pipe bridges over roadways should be protected by strong steel portals (Headache bars)
Pipe stubs and valves should not project into roadways
Vehicle collision protection
Fork lift and crane collision prevention in process areas
Need for designated roadways and access ways
Need for structural steel fire proofing
Need for pipeline right of way marking
Need for adequate closure of terminal boxes and junction boxes
Hydrogen sulphide corrosion of terminals in cable room
Need for awareness of piping design during construction
Need for pipe inspection during mechanical completion
Pipe shoes need to be sufficiently long and well located
Vessel supports need to be inspected during mechanical completion
Liquid relief lines need to be designed for hammer and surge effects
Pipe spring supports need to be adjusted after pipe filling.
Above ground piping without suitable coating should be kept clear from drifting sand
Need for understanding of actual ambient conditions when designing
Need to look for corrosion weak points during inspections.
Screw jack supports are a menace
Need for periodic inspection of screw jack supports
Avoid corrosion due to sulphur containing smoke
Need for cages to prevent projectile launch in the case of LPG cylinder fires
Need for fire water monitors at large LPG cylinder storage.
Fire induced tank explosion
Leaks from steam coils in a heavy oil tank can cause an explosive atmosphere
Dipping anything into a tank storing flammable or combustible liquids may cause an
explosion
Fixed fire suppression equipment needs to be tested on a regular basis
Boilover can occur in any liquid which has components with high range of boiling points
Boilovers can have a very large hazard range
When a crude oil or fuel oil tank develops a full surface fire, evacuate
need for restraining bolts or rods on expansion bellows
Fire water for cooling must be applied carefully, and never directly onto oil or insoluble
solvent pool fires
Need for fire water drainage
Need for drainage to divert leaks
Instrument power supplies should be fitted with overvoltage protection, and should
preferably also be fail safe
Take subsidence and tank movement into account when building tankage for earthquake
prone areas.
Segregation and protection of redundant power supplies.
Need for guaranteed environment for electronics
Need for CHAZOP
Assessment of safety for modern control and instrumented safety systems
Training in correct use of cylinders and potential hazards
87
87
88
88
89
90
90
90
90
91
91
91
92
95
96
97
97
98
99
100
100
101
102
102
103
103
104
105
105
106
107
107
107
107
107
107
108
109
109
109
110
111
112
112
113
113
113
114
Systematic Lessons Learned Analysis
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
Use different couplings for different gases.
Avoid using nitrogen as a backup for instrument air
Use airline breathing apparatus if SCBA is inadequate
Connections for breathable air should be different from thos for proces or instrument air
fatigue ruptures can develop very rapidly
Cooling water should be kepy running even when plant is shut down if there is a chance of
freezing
Do not locate high voltage transformers close to critical process equipment
Foam glass is an effective form of passive fire protection
Different liquefied gases, and liquefied gas and naphtha should never be transported in the
same pipeline
Provide training for emergency rescue for persons collapsed in confined spaces
Need for gas testing on entry to confined spaces
Need for checking safety equipment before use
Need for proper positive isolation before confined space entry
Need for gas testing of the complete confined space, not just at the man way
Need to be able to enter and exit confined spaces while using SCBA
Need for personal multiple gas alarm including oxygen deficiency alarm
Need for detailed analysis of any new assemblies installed on process equipment
Need for thorough functional test of instrumentation prior to post turn round start up
Start up should not commence until control functionality has been demonstrated
Need for adequate manning during turn round
Pre start up review of lessons from previous start ups is needed
Make sure that the turn round approval authority has the best possible support
Review the turn round organisation for simplicity
114
115
115
115
116
117
Need for care when equipment internals are changed
Hazards of halogens with stainless steel
Need for weak roof seam on closed roof tanks
Boilers and fired heaters should never be started up with flame detectors bypassed
Bypasses installed for testing during instrumentation commissioning must be removed.
Need for appropriate safety distances when approving hot work permits
Need for guidance on hot work safety distances
Hazards of slops tanks
Hazards of flying tanks
Train operators and maintenance on the dangers of hydrogen sulphide in confined spaces.
Need for formal management of change for all design changes
Need for awareness of the hazards of rapid phase transition in liquefied gas
Need for awareness of cryogenic nitrogen hazards
Need for thorough HAZID check lists
Need for clear communication of hazards between designer teams and operations.
Need for a continuity in the management of change register, and a communication of
identified hazards to the operators
Need for safety review sign off in management of change forms.
Need for effective way to communicate hazards to operators and maintenance
Need for hazop of vendor packages
Need for alarm management analysis
The operations envelope needs to be defined and appropriate alarm response for
excursions stated
Need for safety design review procedure
125
125
126
127
128
129
129
129
129
130
132
133
136
136
136
136
118
118
119
120
120
121
122
122
122
122
123
124
124
124
124
124
124
136
136
136
136
136
136
Systematic Lessons Learned Analysis
292
293
294
295
296
297
Need for care in installing instrument , pneumatic and hydraulic tubing.
Tubing installations need to be pressure tested
Do not work with tools on pressurised equipment.
Do not stand in a line of potential fire, of liquid jets.
Do not use improvised high power or high force tools on active process equipment
Do not drive through pool or even approach pools of crude oil
137
137
137
137
138
139
Systematic Lessons Learned Analysis
2.4 Design lessons learned
lesson Lesson title
no.
1
case
no.
1
2
Need for at least one competent person for all disciplines during design through to
operations
Zinc corrosion of piping in a fire
3
Low temperature embrittlement
3
4
Need for blast resistance
3
5
Liquefied gas hammer (condensation hammer)
4
6
Ignorance of the many hammer effects
4
7
4
8
Good level control, level alarms and trips are needed in storage vessels, especially if
these have long rundown lines
Avoidance of hammer in pipeline filling and product change
9
Use of double block and bleed
7
10
Valve position indication
7
11
All hazop teams and especially facilitators need to be aware of blowby
8
12
Need for blowby pressure relief
8
13
Steam trap closure causes hammer rupture
10
14
Need to shut steam traps when working in confined spaces
10
15
Steam condensate hammer rupture
10
16
Need for blast analysis and spacing or blast protection.
14
17
Need for blast proof or blast resilient control rooms and operator rooms
14
18
Need for gas ingress prevention
14
19
Need for a properly designed gas detection network
14
20
14
21
Double block and bleed needed for liquefied gas plants which require frequent
maintenance.
Fire water supply must be independent of process water piping
22
power supply ad controls for fire water pumps must be protected from fire
14
23
marking of interchangeable couplings
14
24
Very large size of areas affected by BLEVE
16
25
Vulnerability of fire systems in UVCE or BLEVE explosions
16
26
Need to take BLEVE overpressure into account
16
27
Projectile range in a BLEVE
16
28
Quarter turn valve handles need to correctly indicate valve position
17
29
Poor display of reactor temperature profile data
18
2
6
14
Systematic Lessons Learned Analysis
30
Inadequate maintenance od reactor temperature profile instrumentation
18
31
Need for performance standards
19
32
Need for functional performance standards
19
33
Vents should not be used for hydrocarbon relief disposal within process plants
19
34
Need for dead leg review
20
35
Need for structural steel fire proofing
20
36
23
37
Need for overview display of the plant performance, including mass balance and critical
alarms
Need for fire water system operability from multiple locations
38
Need for vulnerability and functional standards for all safety critical equipment
24
39
Need for minimum conditions for operation
25
40
Need for awareness of massive damage from pipeline release explosions and jet fires.
27
41
Need for accurate pipeline maps
27
42
Need for full flow and tank status information for tank farm operation
28
43
Need for safety critical equipment performance standards and monitoring
28
44
"Flat line" on gauging systems which are filling needs to be alarmed
28
45
Uncontrolled and uncoordinated setting of alarm limits
28
46
Need for instrument integrity check list during design
28
47
Need to be clear about the operations envelope
30
48
Need for audit of pressure vessel and piping calculations
30
49
24
30
50
Need for inert gas blanketing on sour water and slops tanks
31
51
Need for burner management system
34
52
Need for blanketing on slops tanks
36
53
There will always be an ignition source
36
54
Erosion due to vacuum
37
55
Sight glasses should be protected from physical damage
39
56
Even respectable manufacturers can suffer from design error
40
57
Hazards of condensate hammer
41
58
Measures needed to prevent incorrect material installation
43
59
Measures needed to prevent incorrect material installation
44
60
Need for awareness of rapid phase transition explosions
45
61
Avoid the danger of heat recovery from high pressure gas streams
77
Systematic Lessons Learned Analysis
62
Hazard of two phase vertical flow
78
63
Two phase flow induced vibration
81
64
Hot water can be a significant hazard
86
65
Unusual forms of corrosion
66
Fork lift and crane collision prevention in process pipe tunnels
90
67
Pipe stubs and valves should not project into roadways
90
68
Vehicle collision protection
90
69
Fork lift and crane collision prevention in process areas
91
70
Need for structural steel fire proofing
91
71
Need for pipeline right of way marking
92
72
Hydrogen sulphide corrosion of terminals in cable room
96
73
Need for awareness of piping design during construction
97
74
Screw jack supports are a menace
103
75
Need for cages to prevent projectile launch in the case of LPG cylinder fires
105
76
Need for fire water monitors at large LPG cylinder storage.
105
77
Fire induced tank explosion
106
78
Leaks from steam coils in a heavy oil tank can cause an explosive atmosphere
107
79
107
80
Dipping anything into a tank storing flammable or combustible liquids may cause an
explosion
Need for fire water drainage
81
Need for drainage to divert leaks
110
82
112
83
Take subsidence and tank movement into account when building tankage for earthquake
prone areas.
Need for guaranteed environment for electronics
84
Use different couplings for different gases.
114
85
Avoid using nitrogen as a backup for instrument air
115
86
Connections for breathable air should be different from thos for proces or instrument air
115
87
117
88
Cooling water should be kepy running even when plant is shut down if there is a chance
of freezing
Foam glass is an effective form of passive fire protection
89
Need for detailed analysis of any new assemblies installed on process equipment
123
90
Need for weak roof seam on closed roof tanks
126
91
Hazards of slops tanks
129
92
Need for awareness of the hazards of rapid phase transition in liquefied gas
133
93
Need for awareness of cryogenic nitrogen hazards
136
94
Need for alarm management analysis
136
95
The operations envelope needs to be defined and appropriate alarm response for
excursions stated
136
109
113
118
Systematic Lessons Learned Analysis
2.5 Management of change lessons learned
lesson no.
Lesson title
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Need for at least one competent person for all disciplines
Need for MOC
Need for a proper safety review in MOC
Need for safety review of temporary modifications
Zinc corrosion of piping in a fire
Use of double block and bleed
All hazop teams and especially facilitators need to be aware of blowby
Need for blowby pressure relief
Piping needs to be installed as specified in the design.
Pipe inspection required after pipe installation or modification
Management of change procedure needed for all pipe changes.
Need for pipe support inspection and audit
Quarter turn valve handles need to correctly indicate valve position
Management of change safety analysis is needed for all changes except replacement
in kind.
Poor display of reactor temperature profile data
Inadequate maintenance od reactor temperature profile instrumentation
Vents should not be used for hydrocarbon relief disposal within process plants
Need for MOC
Need for corrosion review as part of MOC
Need for accurate pipeline maps
Need for audit of pressure vessel and piping calculations
Need for safety review of even "small" changes to components.
Need for blanketing on slops tanks
There will always be an ignition source
Measures needed to prevent incorrect material installation
Measures needed to prevent incorrect material installation
Danger of transferring oil to unused tanks
Need for awareness of rapid phase transition explosions
Avoid the danger of heat recovery from high pressure gas streams
Avoid excessive resonant vibration
Pipe stubs and valves should not project into roadways
Leaks from steam coils in a heavy oil tank can cause an explosive atmosphere
Take subsidence and tank movement into account when building tankage for
earthquake prone areas.
Connections for breathable air should be different from thos for proces or instrument
air
Do not locate high voltage transformers close to critical process equipment
Foam glass is an effective form of passive fire protection
Different liquefied gases, and liquefied gas and naphtha should never be transported
in the same pipeline
Need for detailed analysis of any new assemblies installed on process equipment
Need for care when equipment internals are changed
Hazards of halogens with stainless steel
Need for formal management of change for all design changes
Need for a continuity in the management of change register, and a communication of
identified hazards to the operators
case
no.
1
1
1
1
2
7
8
8
11
11
11
11
17
17
18
18
19
26
26
27
30
32
36
36
43
44
45
45
77
84
90
107
112
115
118
118
119
123
125
125
132
136
Systematic Lessons Learned Analysis
43
44
Need for safety review sign off in management of change forms.
Need for hazop of vendor packages
136
136
Systematic Lessons Learned Analysis
3. Case Histories and Lessons Learned
The following list of cases is selected from the Hazards, Threats and Consequences database
(ref. 2) representing cases with lessons relevant to oil and gas plant. For more detail see the
original reference.
Systematic Lessons Learned Analysis
case
no.
1
Location
Accident description
Flixborough
Vapour cloud explosion after piping modification with design
error. Temporary pressure piping was put together without
consulting a mechanical engineer.
1
Lesson
no.
1
2
1
3
1
4
2
Flixborough
One problem identified in the enquiry was that of zinc coated
stairs and platform material, which caused corrosion and piping
failure in the piping
5
3
Beek
A process upset led to gathering of ethane above propane plus in
a feed drum (layering). On flashing this caused evaporative
cooling, low temperature in the evaporated gas. This led to low
temperature embrittlement and cracking at a pipe elbow. Ethane
and propane were releases giving vapour cloud explosion.
6
3
3
3
7
8
9
Lessons
Need for competency in key engineering discipline
Need for management of change procedure. The MOC
procedure should cover all changes made after issue of
drawings for hazop, and should cover all changes except
"replacement in kind", that is replacements with identical
equipment .
There should be a safety review in management of change.
For simple change of a component to another .similar type,
or a change of gasket material, the safety review could be
made by a discipline specialist For all larger changes such
as bypassing a reactor, a mini-hazop is needed
Temporary modifications are often made with some
degree of improvisation, or use of equipment outside its
originally intended purpose. There is an even greater need
for safety review of temporary modification than for
permanent plant
Galvanised steel platforms, stairs and piping can release
liquid zinc in a fire and can then cause rapid metal
corrosion and pipe failure. Shell DEP's have special rules
governing the use of galvanised components.
This kind of accident, with layering of fluids, is very difficult
to predict in hazop. It needs lessons learned list for hazop
follow up. Need lessons learned list for hazop follow up.
Low temperature embrittlement is a serious potential
cause of pipe rupture, especially when there are
Control room was not blast resistant
Blast mapping is needed as a basis for design for process
plant, especially if liquefied flammable gas is handled or
there are liquids stored above their boiling point. Ordinary
QRA calculations are inadequate because they often use
Systematic Lessons Learned Analysis
case
no.
4
Location
Texas City
4
Accident description
Overfilling of a propane vessel from a run down line led to
hammer in the vessel (gas bubble collapse hammer with a long
rundown line). The vessel ruptured releasing propane, which
exploded on ignition. There was al BLEVE's caused by the
following fires, and several vessels were damaged by projectiles.
Lesson
no.
10
11
4
12
4
13
5
Bloomfield
New Mexico
5
6
Vila Soco,
Cubatao,
Brazil
At the Bloomfield plant, near Bloomfield, a gasket on a
compressor began to leak. Two operators heard the noise and
tried to shut off the gas supply and the compressor engine.
Before this could be done, ignition occurred, and both operators
were burned.
The problem arose from improper tightening of the compressor
head bolts, and lack of training in bolt tightening.
14
A multi product pipeline was being refilled with kerosene after a
shutdown. The pipeline was filled rapidly, and a valve shattered
when the kerosene column hit it. The operators, with little
information or feed back from the pipeline, noticed the low
pressure and increased the pumping rate.
The kerosene ran through the favela of Vila Soco, ignited and
caused a large fire. There were 800 reported deaths.
16
15
Lessons
low quality models, and because the correct location and
actual degree of congestion is not modelled. The
calculations need to be of high quality, such as true
geography CAM2, SCOPE or CFD
The phenomenon of liquefied gas bubble collapse hammer
needs to be taken into account in hazops and in vessel
design.
At most hazops, contractor engineers did not know how to
make a full range of hammer calculations.
Level control was inadequate in the affected vessel. All
storage vessels for hazardous materials should have level
control, high level alarm and hi hi level trip. All should be
tested on a routine basis and should preferably have self
testing or signal comparison.
Domino effect calculations, including projectile
calculations, are an important part of QRA.
Bolt tightening procedures are critical for process safety.
Training in the use of bolt tightening and flange closure
procedures is necessary.
Good warehousing and kit preparation for gasket
replacement are important for prevention of leaks
Procedures for filling liquid pipelines need to take into
account the possibility of hammer. Such procedures should
be developed taking into account a full range of
possibilities for equipment failure and errors.
Systematic Lessons Learned Analysis
case
no.
6
7
Location
Grangemouth
Accident description
A fire broke out when a maintenance team opened a flange in a
flare line. Hydrocarbons escaped and ignited, killing two persons
and injuring two others. The line was isolated, and drain valve
had been opened, but the drain line was plugged.
Fifteen months before the incident occurred it had been noticed
that the flare line isolation valve V17 was passing. It was decided
however to wait for a scheduled shutdown of the catalytic
cracker unit and No 1 flare before commencing work on the
valve. Gases from the remaining operating units were re-routed
to No 2 and No 3 flares. This flare arrangement would allow the
pipelines at V17 to be isolated.
When senior refinery staff prepared a plan for the isolation of the
flare system, they concentrated on the operational and safety
requirements of the flare system, making sure that no
operational areas of the plant were inadvertently isolated. The
details of the removal of V17 were not considered and left to
those who would be responsible for the work.
Four workers were involved with the removal of the valve. When
the majority of the bolts were undone the joint opened slightly
and liquid dripped from a small gap between the flanges. The
workers sought advice. The valve was checked by the supervisor
and it was concluded that it was safe to carry on. Non ferrous
hammers were provided before continuing with the removal. All
the bolts were removed and the crane took the weight of a
spacer and started to remove it, at which point gallons of liquid
poured from the valve. A flammable vapour cloud formed from
the rapidly spreading pool. The cloud reached the nearby air
compressor, ignited and flashed back around the working area.
Lesson
no.
17
18
Lessons
A common pipeline operation problem is that operators
increase pumping rate to maintain pressure when rupture
occurs.
The possibility of plugging of drain valves, leaking isolation
valves, and the presence of liquids in interspaces must be
taken into account in procedures.
Systematic Lessons Learned Analysis
case
no.
7
Location
Accident description
Two workers managed to escape the fire but a fitter and a rigger
were engulfed by the flames and killed. The fire was allowed to
burn in a controlled manner for almost two days while the rest of
the refinery was shut down and the flare system purged with
nitrogen.
Lesson
no.
19
7
20
7
21
7
22
7
23
7
24
Lessons
Various techniques are used to limit the risk in isolation
and equipment opening. Double block and bleed to a safe
place should be used on all high hazard lines. There is still a
problem however, if the "safe place" is required to be a
disposal system such as a flare, because of the possibility
of back pressuring from the flare, and passing of the bleed
valve, so opening of flanges to install spades, or for vessel
entry needs to be made with case (gas testing and use of
SCBA etc.).
All valves must have position indicators. Position indicators
need to be permanently fixed, and to follow a consistent
and logical system of indication.
All flanges must be opened carefully. Once bolts are
loosened, the flange should be "sprung" open, so that
gaskets sticking in the flange do not block possible flows.
"Flange spreader" tools and wedges are available to ensure
this. If liquid drips from the flange, assume the pipe is
filled with liquid.
Many companies require systems to be "hydrocarbon free"
before flanges may be opened, spades removes, spectacle
plates turned etc. This is best practice, but requires careful
thought being given to draining, with a thorough drain
lines analysis.
A good job safety analysis would have identified the
hazard. However such a JSA needs to answer several hazop
type questions such as "what if the drain is blocked?
Supervisors, foremen and team leaders need frequent
hazard awareness training and reinforcement.. The best
Systematic Lessons Learned Analysis
case
no.
8
Location
Grangemouth
Accident description
A control valve on the liquid line between the HP and the LP
Separators was opened in error and the liquid allowed to drain.
High pressure hydrogen passed uncontrolled into the closed LP
Separator which had limited pressure relief capacity. It
overpressurised rupturing at an estimated pressure of 50 bar.
The explosion disintegrated the separator and also damaged
other vessels and pipes. Released flammable substances were
ignited resulting in jet-fires.
In a safety audit and in a review of pressure relief capacity within
the hydrocracker complex which were carried out in 1975, the
operator of the refinery concluded that high pressure gas
breakthrough into the LP Separator would not arise because
there was a safety trip actuated by low liquid levels. As a
consequence the pressure relief valve on the LP Separator was
sized only for fire engulfment on the vessel and was of
comparatively small size. Increased production caused
turbulence in the HP separator and frequent spurious trips. Also
impulse lines plugged frequently. The trip was removed, with
responsibility for level monitoring passing to the operators.
8
8
9
Lesson
no.
25
A loss of electrical power was caused by damage to a 33kV
underground electricity feeder cable which eventually resulted in
approach is for supervisors to provide tool box talks with
good prepared material.
Supervisors need to be able to plan for the worst - the
supervisor could have opened a test port to check for
liquid.
Lessons learned at the time of this accident are all
incorporated into hazop and SIL for review procedures for
the plant today. In hazops it has been found that most
operators in the oil and gas industries are aware of blowby,
but many designers are not. Few are able to assess blowby
pressures. Blowby software is available.
Check also for hammer effects when blowby occurs.
Check also that any pressure spec break is on the correct
side of the valve.
26
27
Grangemouth
2000(a)
Lessons
28
Relief systems need to be designed for blowby wherever
there is a change in pressure specification on liquid/gas
process systems.
A hazard such as the one in this case should be included in
the hazard and effects register, and the risk level should be
evaluated. This ensures the blowby protection s registered
as safety critical
Third party interference is well recognised as a problem for
pipelines and cable power supplies. The problem of first
Systematic Lessons Learned Analysis
case
no.
Location
an earth leakage (electricity flowing to earth) from the cable. The
damage had been caused to the electrical cable during
excavation of a trench for the installation of a new cable,
sometime before the distribution failure occurred.
The local bus circuit breaker on the distribution system failed to
operate due to the insertion of small plastic connectors which
isolated the relay. The power shut down
9
10
Accident description
Grangemouth
2000(b)
A steam trap was disabled to allow inspection in a culvert and
was not restored after the inspection. As a result, steam
condensate collected, and eventually caused a condensate
hammer. The steam pipe was ruptured and hot steam and
condensate projected across a roadway.
The site wide power distribution failure on 29th May 2000
resulted in excess amounts of water (associated with the
shutdown of utility supplies) being sent to drain, as well as the
unavailability of electrical power to drainage pumps. This led to
the flooding of culverts (service tunnels) beneath the A904
Bo’ness road through the site which contained medium pressure
(MP) stream distribution lines. During the following
investigations to determine whether the flooding had caused any
damage to the pipework a steam trap located in a low point in
the section of pipework beneath the road in the West Gemec
culvert was closed to allow safe access for inspection. The steam
trap was subsequently not re-opened and this prevented the
removal of condensate (hot water produced by the condensation
of steam) from this section of the system. As the liquid
condensate level built up in the pipework a quantity of steam (or
“steam bubble”) was trapped between the hot condensate and
Lesson
no.
29
30
Lessons
party interference is not so well recognised. Procedures
are needed for protection of already installed equipment.
Bypassing and disabling of essential trips is a problem on
instrumentation and on electrical systems. Procedures are
needed to ensure removal of bypasses and defeats after
testing and after maintenance.
Even such a lowly item as a steam trap can be safety
critical.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
closed isolation valves on the southern side of the culvert
beneath the road. Eventually collapse of the steam bubble
resulted in a phenomenon called “condensation induced water
hammer” which led to a gross overpressure and the subsequent
catastrophic failure of the pipeline.
10
Lesson
no.
31
10
32
10
33
11
Grangemouth
There was a significant leak of hydrocarbons from the Fluidised
Catalytic Cracker Unit (FCCU or Cat Cracker) creating a vapour
cloud which ignited resulting in a serious fire.
A welded up tee piece was installed on at the bottom of a
debutaniser column. On removal of a valve in a design change a
pipe support was also removed. Also, due to a change in an
upstream design there was a high rate of tripping and thermal
cycling. The tee junction failed due to fatigue. Light naphtha
escaped and a vapour cloud explosion ensued.
Investigations revealed that the leak was as a result of failure of a
tee-piece connection at the base of the Debutaniser column
which then found a source of ignition nearby (probably an
uninsulated hot flange). During the investigations the tee-piece
connection which had originally been installed in the 1950s was
found to be correctly specified but incorrectly fitted and then
34
Lessons
Care needs to be taken after any maintenance to restore
the plant to its proper state. This should be a check off
item on all PTW's returned.
The need to shut steam traps when working in confined
spaces needs to be recognised in PTW's. Steam traps
should preferably be avoided in confined spaces.
Condensate hammer is a relatively frequent cause of
accidents in plant and needs to be taken into account in
steam utility and some process hazops. Unfortunately, this
hazard is often forgotten, or is not known. In this case the
mechanism was not liquid pickup in the flow but steam
condensation in a closed pipe
Great care needs to be taken during construction to ensure
that piping arrangements are according to specification.
This generally requires auditing. This applies even for high
quality companies. Pipe fitters MUST have proper pipe
arrangement drawings or isometrics. This applies for
modifications as well as for initial construction
Systematic Lessons Learned Analysis
case
no.
11
Location
Accident description
covered in lagging. (A set-on tee-piece had been installed
whereas a seamless forged weld reducing tee-piece had been
specified.) There had been no subsequent amendment to the
plant layout drawings to identify the change.
Prior to the mid 1980’s modifications had been made to the
pipework at the base of the column and a valve removed which
resulted in there being inadequate support for the remaining
pipework and the tee-piece connection. Further modifications to
the FCCU in 1996/1998 had resulted in the FCCU being
increasingly difficult to operate reliably. This had resulted in an
increase in the number of start-up/shutdown cycles for the plant
and pipework. Failure of the tee-piece connection pipework was
probably caused by a combination of the incorrectly fitted teepiece connection, the inadequately supported pipework and the
cyclic stresses/vibration caused by the increased startup/shutdown activity on the plant. Eventually this led to
“fatigue” failure of the pipework in the vicinity of the welded
connection.
Lesson
no.
35
Lessons
New or modified piping MUST be inspected and signed off
before lagging is installed. Inspection includes:
Checking for consistency of piping with specification and
drawings
Checking for alignment and visual weld inspection
Checking flange alignment
Radiography or other NDT as specified in company
standards
Checking of records for any heat treatment or passivation
required
Checking for foreign objects
Checking for dryness
Checking for coating damage
Checking supports are in place and adjusted
Checking pipe guides are in place and that there is freedom
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
11
36
11
37
12
Sodegura,
Japan
12
13
ME
14
Pasadena,
Texas 1989
A large release of hydrogen occurred from a feed/discharge heat
exchanger of a heavy oil desulphurisation unit. After a few
minutes the leak ignited, and exploded. There were ten killed and
seven injured.
The source of the release was a gasket. The gasket retainer had
displaced due to repeated thermal cycling and resultant
deformation, and an erroneous repair. The gasket retainer no
longer rested in the gasket groove, and on start up, began to leak
38
An isomerisation reactor was started up much more rapidly than
usual. Flanges heated and expanded before the flange bolts could
be heated, so the bolts stretched. The then expanded as the
heating caught up. The gasket was then no longer in
compression. The naphtha, above its autoignition temperature,
caught fire. The vessel was protected by insulation so fortunately
was not significantly damaged
Polyethylene loop reactors allow ethylene, in a mixture with
propane and A catalyst, to react to make polyethylene as small
pellet like lumps, soft, and gelatinous at first. The mixture is
taken out of the loop and the propane separated, leaving the
polyethylene to be melted and chopped into easily handled
material. If the reactor stops for some reason, it is necessary to
remove the material from the loop to prevent the reactor from
40
39
41
Lessons
for expansion
A management of change procedure for changes in piping
is required prior to construction. This applies even to
simple changes such as turning a spool.
An effective procedure is needed for this.
Pipe supports are a regular problem, due not only to poor
installation, but also due to deterioration during operation.
Mechanical integrity auditing, in the sense of OSHA
regulation 1910.119 is needed in order to be able to detect
High pressure piping including flanges and gas should be
installed with careful attention to procedures. They should
be repaired using standard procedures only.
There is a need for detailed training in gasket closure. This
needs to cover all gasket types, and the use of special
gasket tightening equipment.
Process start up heating rates are specified in operating
procedures for a reason. Operators need to be aware of
the accident potential of rapid heating:
- Flange leakage due to differences temperatures and
differential expansion
- Possibility of thermal stress cracking in thick walled pipes
and vessels.
A hazard analysis needed for made for all plants with this
level of hazard. However none of the usual hazard analyses
would have predicted this accident. A human error analysis
for the unclogging process would probably have identified
it, since reconnection the wrong way round is a standard
maintenance error type.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
being clogged by solidifying polyethylene..
Lesson
no.
The day before the incident scheduled maintenance work had
begun to clear three of the six settling legs on a reactor. A
specialist maintenance contractor was employed to carry out the
work. A procedure was in place to isolate the leg to be worked
on. During the clearing of No.2 settling leg part of the plug
remained lodged in the pipework. A member of the team went to
the control room to seek assistance. Shortly afterwards the
release occurred. Approximately 2 minutes later the vapour
cloud ignited.
14
The accident investigation established that the single isolating
ball valve was actually open at the time of the release. The air
hoses to the valve had been cross-connected so that the air
supply that should have closed the valve actually opened it.
42
14
43
14
44
14
45
14
46
Lessons
There is a need for a method of transferring knowledge
from JSA's to design and QRA
Layout separation distances were inadequate and did not
follow industry practice. Blast analysis calculations are
needed for all plants handling liquefied gases of liquids
above their boiling point. Standards such as API 752 and
API 753 describe approaches. Note that usual QRA
calculations are not generally accurate enough for blast
protection design. Advanced methods such as CAM2,
SCOPE or CFD are preferred and the actual location of
congested areas needs to be taken into account.
Control rooms and operator rooms need to be located at a
safe distance from potential explosions and/or need to be
blast proof.
Building ventilation intakes need to be equipped with
automatic closure on detection of flammable gas
Personnel exposure needs to be minimised for high hazard
plant
plants handling liquefied gases, liquids above their boiling
point or olefines need a properly designed gas detection
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
14
47
14
48
14
49
14
50
14
51
14
52
14
53
16
San Juan
Ixhuatapec,
Mexico
The PEMEX plant was a distribution terminal for LPC, with six
very large storage spheres, and 48 bullets, fed via a 400 km
pipeline. At 05:30, a fall in pressure was registered in the control
room at a pumping station 40 km up the pipeline. The 8" line had
ruptured. A release of LPG continued for about 5 - 10 minutes, at
which time the gas cloud was ignited at a ground flare. There was
54
Lessons
network. Gas detection mapping needs to be made with
realistic gas jet and plume simulation.
Permit to work system need to be enforced for plants like
this. The PTW system needs to be enforced, with penalties
for infraction, such as proceeding to work without a
permit, or violating permit conditions.
Double block and bleed, or unit depressurisation and
purging, need to be practiced on all plants where opening
is frequent prior to maintenance involving opening of plant
Fire water needs to be provided from an independent
supply, and not from process water source
Cables for fire water pumps need to be buried, and not
above ground.
There must be adequate planning for emergencies, and
planning must be based on realistic scenarios. These
lessons are all incorporated into Al Hosn procedures and
designs.
The misconnection of the shut off valve is a critical issue.
How did the valve come to be controlled the wrong way
round. All valves must be tested during commissioning to
ensure correct operation of opening and closing. To
facilitate this, it must be possible to identify in the field
that the valve position can be seen.
Where a valve may be dismounted, couplings for opening
and closing should be of different size of type, so that
incorrect reconnection is impossible. Where this is
impossible, the correct connection should be clearly
marked in a way which will not deteriorate.
LPG, Propane and Butane vessels are susceptible to BLEVE.
The BLEVE explosions can be extremely large
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
a large flash fire and explosion. After this there remained a
ground fire, a jet fire at the rupture, and some house fires. At
05:45, the first BLEVE occurred, followed shortly by others. A rain
of burning LPG fell on the area. A long series of further Bleve´s of
the bullets and spheres occurred. There was a good deal of
rocketing of the bullets, some up to 900 m, and one at 1200 m.
16
16
16
17
17
17
Lesson
no.
55
56
Jamestown
NM
A pump on an isobutane stripper failed. Maintenance artisans
closed the suction valve and discharge valve and "drained" the
pump. However the drain line was clogged and the pump
wrench (opening handle) was installed wrongly so the pump was
open to the process. Alkylate was ejected, hitting two persons.
The alkylate flashed to a gas cloud and ignited, causing an
explosion.
57
58
59
60
Lessons
Fire protection deluge systems are likely to be blown away
in any initial vapour cloud explosion or BLEVE
When a large LPG vessel ruptures, as in a BLEVE, a
significant explosion occurs as a result of the pressure
release itself. This can be sufficient to blow large vessels of
their saddles. BLEVE explosions do not usually generate
large explosion energies, so the range of the explosion may
be short, but the peak pressures can be very high.
Projectiles can cause significant damage at up to 1 km.
Care should always be taken when opening flanges, with
cracking and spreading before full loosening of bolts.
Opening on the side away from the person is preferable.
The valve wrench was removable, and had been put on in
an illogical way, so that the wrench crossed position
corresponded to the valve being opened, not the wrench
aligned. There was a valve position indicator, but this was
much less visible than the wrench valve handles must
follow human factors (and common sense) guidelines.
Valve handles should also not be removable.
The wrench had been installed as a replacement of a
quarter turn actuator. This was not regarded a safety
related change, and so was not subject to the MOC safety
procedure. This case shows that even the smallest changes
can be strongly related to safety.
Systematic Lessons Learned Analysis
case
no.
17
18
18
Location
Martinez CA
Accident description
A naphtha hydrocracker gradually ran away. The operators had
become used to an abnormal and unsafe mode of operation, in
which high reactor bed temperatures were accepted. They did
not shut down when the maximum allowed temperature was
exceeded. Exacerbating the situation was a problem that only a
few of the reactor bed temperature sensors could be read from
the control room. A field operator had to go out to the area
beneath the reactor to read the temperature values. Operations
did not follow procedures, and operations above allowed
maximum temperature had become standard practice.
Eventually the reactor discharge pipe ruptured due to high
temperature (7600c. Light gases from methane to butane, light
gasoline, heavy gasoline and hydrogen were release and ignited
coursing an explosion. One operator was killed and 36 injured.
Lesson
no.
61
62
63
18
64
18
65
18
66
18
67
Lessons
Local depressurisation of inter valve spaces is not a reliable
process, blockage in the vent line can often occur, and it is
difficult to know that depressurisation is complete. For this
reason, cracking open of a flange when the bolts are first
loosened is necessary.
Conditions encouraging safe operations were lacking.
There was strong management pressure to maintain
production despite exceeding permitted limits to operation
Human factors for the temperature monitoring wee poor.
Full monitoring could only be done from the field. The
alarm system on the data logger only allowed one alarm.
Supervisory management was inadequate. Emergency
procedures were not followed on this incident, or on
earlier ones. No comprehensive operator training was
available for this critical unit
Maintenance was inadequate. The data logger/alarm
system was periodically out of service. Radio
communications needed to relay readings from the outside
panels was unreliable and did not function during the
incident. Quench valves flanges were also leaking.
Procedures were out of date and incomplete, and in any
case had been replaced by operator developed procedures
The process hazard analysis was incomplete and did not
Systematic Lessons Learned Analysis
case
no.
19
19
Location
Accident description
Texas City TX
A refinery isomerisation unit was being brought back on line after
turnround. The raffinate splitter tower was lines up for restart,
and raffinate was pumped into the tower for over 3 hours.
However, the pump out had not been started, so that the tower
overfilled. Raffinate passed through the tower safety valves to a
vent relief knock out drum, and eventually, sprayed from the top
of the relief vent stack. The resulting vapour cloud was ignited,
most probably by a truck. The resulting explosion and fire killed
15 people and injured 180.
There were many problems contributing, poor operations
practice, defective procedures, lack of maintenance, lack of
supervision, and dangerous location of temporary
accommodation.
Lesson
no.
68
69
19
70
19
71
19
72
19
73
19
74
19
75
Lessons
reflect the actual equipment and instrumentation used.
For safety critical operations such as start up, a properly
prepared procedure is needed, with a check list of actions
which can be ticked off. (There actually was one for this
plant, but in the actual incident the completion check
record was falsified).
Integrity of safety critical equipment needs to be
monitored. Start up should be commenced while there are
safety items which are known to be defective.
Eight serious releases had already occurred from the vent.
Near miss incidents must be followed up and the situation
remedied.
A pre start up safety review and safety mechanical
integrity audit are needed.
Occupied trailers must be located at a safe distance,
following for example the API 753 standard.
Instrumentation should have good functional integrity, and
should therefore meet a number of functional
performances.
A check list based procedure is needed for instrumentation
design review.
Experience demonstrates that vents should not be used for
relief disposal within process plants because of the
possibility of liquid in the relief, and also because heavy
hydrocarbon vapours can be released and flow to ground
level. Proper disposal to a flare system is required.
Systematic Lessons Learned Analysis
case
no.
20
Location
Accident description
Sunray TX
A crack occurred on a shut down by pass line of a flow controller
to a propane de asphalting unit. The line cracked through
freezing of water, and propane was released. (The line was
normally shut down, but there was a piece of welding rod inside
the shut off valve). The propane ignited, causing a jet fire. The jet
fire impinged on the de asphalting vessel discharge nozzle.
Bolting on the nozzle failed allowing more propane to be
released and a larger jet fire to occur. This jet fire caused
extensive fire at a pipe rack, destroying it. Two persons were
severely burned in the initial flash fire. The jet fire was a near on
a butane sphere, and cause release of 2.5 ton of chlorine when
the over pressure protection plug melted.
20
Lesson
no.
76
77
20
78
20
79
21
Alaska
Large pipeline pumps were driven by gas turbines as a series of
pipeline pumping stations. The pump discharge lines were
subject to heavy vibration, and were designed with detuning
weights on the line, to prevent resonance at the normal
operating speed of the pump. The discharge line was provided
with a 2½" drain line which ran to a transfer pump at about 25 m
80
Lessons
Dead legs are a continuing threat, even on lines which are
nominally isolated. Although freezing is unlikely in a desert
environment, corrosion and thermal expansion rupture are
possible.
Extensive evacuation was needed because of the number
of pipes failing on the pipe rack, and the failure of chlorine
vessels.
Domino effects and escalation are routinely ignored in
QRA´s and HAZIDS, and are therefore not transferred into
hazard and effects registers. domino effects must be taken
into account for asset risk and emergency response
purposes.
The presence of foreign objects in piping needs to be
minimised, but will always occur to some extent. Pre
commissioning inspection is essential.
Structural steel in areas handling hydrocarbons or other
flammable liquids should be fireproofed up to a level
which can be engulfed by pool for jet fires (usually up to
platform 2)
Pipe supports can deteriorate over time. This is particularly
true for screw jack supports. On inspection, up to 25% of
supports have been observed to have failed on some
plants. Failures must be expected to fail unless maintained
periodically.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
distance. The drain piping was high pressure line with a block
valve at the end. It was supported on screw jack supports. In the
course of time, the screw jacks loosened with vibration, and
began to hang from the drain line i.e. ceased to support the line.
In all, lines at three stations cracked due to fatigue in each case
releasing crude oil. In the last incident, the oil vapour caught fire
and an operator was killed in the flash fire.
21
21
22
Lesson
no.
81
82
Missouri,
2002
Railroad tank cars were used to supply liquid chlorine
repackaging to cylinders and containers to cylinders. Connections
for tank car unloading were made using 1 inch flexible hoses. The
hoses had Teflon liners, with Hastelloy C braid armouring for
pressure containment, and spiral HDPE for abrasion protection.
In the actual case, hose with 316L stainless steel, rather than
Hastelloy C had been supplied. Atmospheric moisture, together
with chlorine molecules diffusing through the Teflon, formed
hydrochloric acid which ate away the reinforcement. The hose
ruptured, releasing 48.000 pounds of chlorine over a period of
about 3 hours.
The cause of the incorrect hose supply was narrowed down on
investigation to inadequate paper tag labelling at the supplier,
and possibility mix ups at the shipping area. The shipping
documents indicated a Hastelloy hose despite a 316L SS hose
being supplied.
83
Lessons
Mechanical integrity inspection is needed as part of
mechanical completion, and needs following up post
commissioning. It then needs to be repeated on a regular
basis, at least once per year.
Vibration fatigue is a serious cause of failure of piping,
particularly in the neighbourhood of rotating equipment or
reciprocating pumps. Vibration can also occur due to liquid
or gas flow. Vibration fatigue needs to be considered
during hazop, and needs to be checked a) during
commissioning, b) periodically in OSHA style mechanical
integrity audits
There is a need for a guideline concerning how much
vibration can be tolerated in piping. Inspectors need to be
able to distinguish between minor vibration and
threatening vibration.
Positive Materials Identification (PMI) is essential for
companies relying on supplies of alloy piping and
equipment. PMI involves chemical analysis of the incoming
steel materials. The analysis is made using convenient
rapid measuring electronic instruments. ZAD made a
special study of alloy materials received, and found a very
high percentage of errors, including components stamped
with the wrong identification.
Systematic Lessons Learned Analysis
case
no.
22
Location
Accident description
Lesson
no.
84
22
85
22
86
22
87
22
88
23
Milford
Haven,
Wales,
A powerful thunderstorm caused the Milford Haven refinery
units to trip several times during the night. Gas compressors had
to be restarted frequently. Butane began to accumulate in a feed
drum. However, the level indicator for the feed drum was stuck,
so that the operators did not notice. Eventually liquid butane was
released through relief valves and passed via the relief header to
a flare knock out drum. The knock out drum had a modified liquid
pump out, which returned liquids to the drum after water
89
Lessons
It was found that there was inadequate auditing of
operating procedures and insufficient detail in periodic test
procedures to ensure adequate testing. In particular, it was
found that there was no checking of valve positions when
the ESD functioning was tested.
It was found that there was insufficient training of
supervisors in safety issues, and of operators on
inspection, testing and warning indications. In particular
training was focussed primarily on what to do, when to do
it, but not on why to do it, can on the consequences of not
doing it properly.
Standard operating procedures and test procedures had
not been reviewed or checked for fitness for purpose.
The inclusion of motivational text of the kind "Why do we
do this, and what happens if we do not do it well?" needs
to be included into procedures. A standard format for
procedures which includes sections on "purpose of the
procedure" "performance standards for the procedure"
and "cautions and warnings".
Operators were not aware of the need to keep the system
free of moisture. This is the kind of information which
needs to be included in HAZOPS and needs to be
transferred to procedures
Integrity programs were inadequate to identify corrosion
arising from moisture entry into the chlorine system.
The main lesson to be learned here was that the operators
had no overview of the status of the plant. The failure of a
single level indicator left them in confusion. UKHSE´s
lessons learned stated that there should be an overview
display of mass flow and conditions for the entire plant.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
separation. The level in the knock out drum built up until it
overflowed. Liquid hammer occurred at the elbow where the line
turned to the flare stack, and ruptured the elbow. Corrosion in
the flare line contributed. Butane escaped, passed into the main
process area of the refinery. A large vapour cloud explosion
occurred.
23
Lesson
no.
90
23
91
23
92
23
93
23
24
94
95
Piper Alpha.
North Sea
Work was being done on one of two condensate injection pumps,
under the PTW system. The second pump tripped resulting in
increase in flare intensity. A PSV had been removed, and a blind
flange installed instead. The first pump was started up. The blind
Lessons
UKHSE also concluded that there should be simulator
training for operators, which included extreme events such
as the one which occurred here. This was a major advance
on practice at the time, since simulator training was up to
then regarded as a luxury in most refineries.
An important lesson to be learned is that operators need
to be trained concerning the results from Hazop studies
and from QRA studies. At present, it seems that most such
information is kept secret from operators, unless they are
participants in the actual Hazop workshop. It must be
admitted, that most hazop and QRA reports do not have a
form which would support training.
Current hazop analyses would not have (and did not)
predict this kind of accident. The reason is that it involves
failures in two widely separated units, the butane
depropaniser and the flare KO drum. Hazop information
analysis should be taken for enough at least to take into
account flooding of the flare line, since this is a relatively
frequent accident type, (Has occurred at over 50% of the
refineries where information was available).
All designs need to be checked to ensure that they take
liquid hammer resulting from overflow into account. This is
frequently forgotten both in hazops and in piping design.
There was no effective company safety management
system for the company as a whole.
All persons, from the plant manager to individual labourers
Systematic Lessons Learned Analysis
case
no.
24
Location
Accident description
flange leaked causing a gas cloud to build up in the process
module. The vapour ignited and exploded, demolishing the
control room, large fires followed. The fire suppression system
did not start because it was operating on manual activation,
because there were divers in the water, 2 men went to start the
pumps, and perished. Persons gathered in the accommodation
but no systematic evacuation was carried out. Some self
evacuated on their own initiative. Other platforms continued to
pump oil and gas. The heat from jet fires cause the riser coming
from the Tartan platform to rupture, with a huge fireball. The
Tartan platform continued to pump gas, since the offshore
management lacked authority to shut down. The helideck was by
this time engulfed in smoke. The lifeboats were inaccessible. The
gangway form the safety vessel Tharos was too short 61 persons
jumped into the sea, 165 died, 109 of those from smoke
inhalation, 80 of these in the accommodation.
Lesson
no.
96
24
97
24
98
24
99
24
100
24
101
Lessons
need to be aware of the full range of risks, each from his
own point of view. Training material is needed
A regular audit of the functioning of the safety
management system is essential
Training is needed in the use of the safety management
system and in understanding risks.
Control rooms, muster areas and accommodation must be
segregated and isolated from process areas.
Fire water systems should be operable from several
locations, including the control room, even when on
manual.
There were problems is shift handover. The actual status of
pump, which had not been restored to operation, was
unknown to the second shift. There was no shift overlap
and no proper handover procedure. A note from one
supervisor to the next shift supervisor was overlooked.
There was no recognition of the additional risk when the
platform was extended from only processing oil to
processing oil and gas. Ideally a living risk analysis is
maintained which takes into account all modifications to
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
24
102
24
24
25
103
104
105
25
Bhopal, India,
An intermediate storage of methyl isocyanate was operated at
the Bhopal plant of Union Carbide. At the time of the accident a
relief scrubber used to prevent spreading of methyl isocyanate
when relief valves opened, was out of operation. Water leaked
from a cooler heat exchanger into the methyl isocyanate, and
reacted. The reaction produces heat, so that the storage
overpressured and released MIC vapour. There was apparently
no awareness of the seriousness of the release,. No general
alarm was raised, and no evacuation. The plants, though
originally quite remote, had become surrounded by low cost
housing. As a result there were many persons in the hazard zone.
The actual number of persons affected is not known with any
accuracy, but estimated as more than 100,000 persons injured
and over 8,000 fatalities. At the time of the accident, it was
assumed that the accident was a result of poor operating
standards in what was then a developing country. However,
virtually the same accident occurred at a plant in West Virginia in
1986, though with no fatalities due to more favourable weather
and better ability to close windows.
Lessons
plant or operating conditions before changes are made,..
The safety assessment which had been made was
inadequate.
ESD valves were inappropriately located
Evacuation plans which are not exercised are likely to fail.
Operators need to be completely aware of the accident
types which can occur, and their potential consequences.
In present practice results from hazop analyses are
currently not transferred to QRA or to hazard and effects
register, let alone to operations. This may affect integrity
activities for the safety measures.
106
25
107
25
108
Operating procedures need to have a section covering
plant disturbances, which should also give a full range of
cases.
QRA´s need to provide a complete coverage of accident
types. At present QRA practice only covers a fraction of the
accident types occurring. For example, current QRA´s do
not include event corresponding to the Bhopal event, i.e.
cold venting.
One of the main safety systems, a scrubber, was out of
operation. For any plant, minimum conditions for
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
25
26
26
Lesson
no.
109
Humberside,
England
An elbow on a de-ethaniser unit corroded due to the presence of
a water injection line just upstream of the elbow. As a result,
vapour escaped, causing a vapour cloud explosion and major fire.
The injection line had been added as a supplement to the original
design, in order to deal with build up of salts and hydrates. The
corrosion implications of the change were either not recognised,
or not recorded. No injection quill or other dispersal device was
fitted and the water entered as a free jet.
There had been several discussions about water injection point
corrosion among the company corrosion professionals, but this
particular one slipped through the net. There was no written
scheme of examination for the injection point or the elbow, even
though these were required by law, under the Pressure Systems
and Transportable Gas Container Regulations, 1989, and later
under Pressure Systems Safety Regulations 2000.
A risk based inspection system was under development at the
time of the incident. The injection point had not been included in
the RBI calculations because it was thought to be permanently
isolated. There was no risk assessment for the elbow.
110
111
26
112
26
113
26
114
Lessons
operation need to be established. For the Bhopal plant, for
example.
Hazops need to take into account possible reactions and
sneak paths along which reactants can come together
Need for an effective pipework inspection systems that
meet or exceed current industry practice and are based
upon full knowledge of past history and current operating
conditions.
Need for a management of Change systems that
accommodate both plant and process modifications.
Need for systematic arrangements for the management of
corrosion including identification of possible corrosion
mechanisms and the use of trained and competent staff.
Need for arrangements to ensure the effective sharing of
information about process conditions and the accurate
recording of all inspection data. A n integrity review
workshop seems to be a good way of communicating.
A corrosion analysis is needed for every pipe spool which
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
26
115
26
116
27
Ghislenghien,
Belgium,
2004
A 40 inch natural gas pipeline operated at 60 bar, design pressure
80 bar (wall 62,5 mm). When the gas receiving terminal at
Zeebrugge shut down, the pressure rose to 70 bar. A gas leak was
reported, and fire fighters called. The firefighters were setting up
barricades when the pipeline ruptured. Five firefighters died in
the initial blast and 11 others later. Over the following weeks
further 8 persons died. There were 150 persons injured. Most of
the injuries were from the intense heat radiation from the jet
fire. Investigation later showed that there were gouges of up to
10 mm deep in the steel of the pipe, both in sections blown away
(at 200m) and in the sections of pipeline not affected. Damage
was judged to have occurred when a mechanical soil stabiliser
was used in the construction of a car park. A representation of
the gas pipeline company had been present all the time of the
construction, but apparently had not been able to prevent the
damage, because a 350 mm long deep scoring was found. In the
emergency response, problems were found because the name of
the road had been changed, the pipeline marker was wrongly
numbered, and the pipeline was not marked on maps. (Maps
117
Lessons
takes into account material, fluid, flow velocity, amount of
solids, period of static conditions possible inleak of oxygen,
disturbances, possible build up of contamination etc. This
may be done using risk based inspection mathematics, but
can equally be done on a qualitative basis.
Corrosion implications need to be considered in
management of change, and the result needs to be
incorporated into inspection. This implies that corrosion
specialists or metallurgists need to be on the MOC sign off
list.
RBI systems need to be implemented properly, and with
care. Assessment of risk needs to be realistic, and based on
evidence. When data are entered and there is no earlier
history of inspection, worst case assumptions should be
made.
Exclusion zones along pipeline rights of way must be
respected, and SIMOPS analyses must take into account
the possibilities of accidental interference. The best
approach is to provide physical protection if heavy
machinery is being used (12 inch girders, or large pipe
sections are effective, they can be laid gently at the edge
of the right of way).
Best practice is for all buried pipelines to have a bund
cover, and well marked right of way, which at least helps to
prevent encroachment damage to pipelines. Damage has
nevertheless occurred, due to heavy equipment drivers
moving too close to existing pipelines, and there has been
one case of propane pipe rupture by a backhoe. This is
second party interference, not third party.
The biggest threat to well protected pipelines is from
installation or maintenance of other pipelines on the ROW,
with many cases known.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
existed but not at the emergency centre). As a result, initially the
gas company did not know that it was its own pipeline which was
damaged, but it did send a technician to investigate.
27
Lesson
no.
118
27
119
27
120
27
121
27
122
28
Buncefield,
England,
At the HOSL fuel distribution terminal two gasoline storage tanks
were being filled in parallel from the same pipeline. When one
tank filled, the full flow was diverted to the second tank. The tank
has two forms of level control - a gauge which enabled operators
to monitor filling, and a high level switch, intended to close down
pumping when the level rose towards an unsafe height. The high
level switch had stuck intermittently, prior to the accident. The
switch required a padlock to retain its check level (used for
testing) in a working position. The supplier had not
communicated this fact to the installer or to the maintenance
contractor. Because of this lack of understanding, the padlock
was not fitted. The tank overfilled, and gasoline cascaded down
123
Lessons
Large pipelines can give massive damage arising from an
initial flash fire and subsequent jet fires. Such releases are
commonly calculated inaccurately in QRA´s, by not taking
into account experience from accident lessons learned.
High quality control is needed for prevention of third party
interference, including accurate maps.
Damage to the pipeline was reported prior to the accident,
but not acted on. All such damage must result in a
professional integrity assessment. From experience in Abu
Dhabi, a no blame reporting system is needed.
When investigating leaks, the potential for jet fires needs
to be remembered, and proper safety distances need to be
maintained. Gas detectors should be used, and if
excavation is needed it should be done with spark proof
tools.
There was a significant explosion of Ghisenligen. It seems
doubtful that this explosion from burning gas, considering
the lack of confinement. However, the rupture of any 40".
70 bar vessel will cause a rupture explosion.
Managements systems at HOSL relating to tank filling were
deficient, and were not followed, despite the fact that the
systems were independently audited.
Systematic Lessons Learned Analysis
case
no.
28
28
Location
Accident description
the side of the tank. Liquid gasoline was retained in the bunded
area, but a large amount of liquid evaporated, forming a vapour
cloud. The cloud passed into a light industrial complex, ignited,
and caused an intense vapour cloud explosion. Luckily, the
explosion occurred early in the morning, and no one was killed.
After the explosion, major fires occurred. Burning fuel flowed
into bunds. The bunds were found to leak, however. Also water
supplies for fire fighting were inadequate.
Lesson
no.
124
125
28
126
28
127
Lessons
Pressure on staff had been increasing prior to the incident.
The terminal was fed by three pipelines, two of which the
operators had little control over in terms of flow rate or
timing of receipt of fuel. This meant that staff did not have
efficient information easily available to them to manage
precisely the storage of incoming fuel. Need for full
information about incoming and outgoing flows, and
future expectations is needed to be able to manage a tank
farm or a terminal.
Throughput had increased at the terminal. This put more
pressure on site management and staff, and further
degraded the ability to monitor the receipt of fuel. The
pressure on staff was made worse by a lack of engineering
support . These pressures created a culture where keeping
the process operating was the primary focus and process
safety did not get the attention, resources, or priority that
it required.
There needs to be adequate manning such that safety
management can be performed.
There should be a clear understanding of the major
accident risks and the safety critical equipment designed to
control them.
There should be systems and culture in place to detect
signals of failure in the safety critical equipment and the
respond to them quickly and effectively.
Systematic Lessons Learned Analysis
case
no.
28
Location
Accident description
Lesson
no.
128
28
129
28
130
28
131
28
132
28
133
28
134
28
135
28
28
136
137
Lessons
There should be an effective auditing system in place,
which tests the quality of management systems and
ensures that these systems are actually being used on the
ground and are effective.
At the core of managing major hazards business should be
a clear and positive process safety leadership with board
level involvement and competence to ensure that major
hazards risks are properly managed.
Hazops and SIL studies should have identified the fact that
a single high level switch is an inadequate protection for a
gasoline tank
Operators should have a clear idea of the level of filling of
their tanks at all times, with a proper inventory log.
Bund walls were found to have holes through which fire
water and burning products passed. Even passive safety
measures such as bunds require a periodic mechanical
integrity audit
Safety critical equipment is required to have functional
performance standards. The equipment needs to be
checked to ensure that it fulfils these standards. This
includes design standards. Unfortunately, nearly all checks
currently made are based on the assumption that
equipment designs are correct.
The automatic gauging system had stuck, giving a "flat
line". Such flat indications on critical instruments should be
regarded as serious problems, and should be controlled
according to "maximum requirements for operation" rules.
There was only a single visual display, and tank gaging
could only be displayed one tank at a time. Human factors
had not been taken into account in the design
There was no backup for the critical tank gaging system.
Supervisors were able to set ATG alarm levels with no
security limits. The supervisors used the alarm limits each
in his own way
Systematic Lessons Learned Analysis
case
no.
28
Location
Accident description
Lesson
no.
138
28
139
28
140
28
141
28
142
28
143
Lessons
Supervisors relied on alarms to control (shut off) the filling
process. This is a classic cause of overflow accidents.
Written procedures were available, but had insufficient
detail.
Supervisors were working 12 hour shifts, with other duties
as well as supervising tank filling, with schedules giving up
to 84 hours work in a 7 day period. There were no fixed
breaks. The investigation committee remarks that:
Management has a duty to monitor working pressure, on
staff, and to take action to keep work loads to acceptable
levels.
The present author has noted in auditing many fuel
terminals, that managers and supervisors did not really
regard their plants as "major hazards". Even major hazards
specialists have tended to regard gasoline tanks as
"relatively safe", in that, at worst, they would burn down.
In fact, on a world scale, incidents like e at Buncefield have
occurred relatively frequently.
The instrument problems at Buncefield were design
weaknesses, but of a kind which could only be identified
when instrument engineers select instruments from
catalogues, or instruments checked during commissioning.
A process is needed which ensures that correct functional
and design integrity is in place. This requires a check list
based process.
The phenomenon of overflow vapour generation and liquid
spray releases leading to vapour cloud explosions was
unknown to risk analysts at the time of the accident, even
though several cases had occurred earlier. The
phenomenon had not been incorporated into safety
analyses, hazids, H&E register or QRA´s. The situation has
not changed much since the Buncefield accident, QRA's
still do not include vapour formation and vapour cloud
explosions for tank farms. Current QRA software is not able
Systematic Lessons Learned Analysis
case
no.
29
29
29
29
Location
Accident description
Kaixian
blowout,
Chongquing.
During drilling of a sour gas well a kick occurred. The kick was
detected by the mud logging system, and a driller was sent to
shut in the well. Three minutes later, mud erupted from the well,
and the slips were washed away. By 5 minutes after the kick, the
well was shut in except for a release from the top valve, at storey
2, which could not be closed. The top drive caught fire.
16 minutes after the kick, the BOP was activated. The operators
tried to remove the drill stem, but failed. Inverse circulation was
released from an open flashing valve. At 30 minutes, kick control
failed completely. A large flow (4x106 to 1x107 m2/day) of sour
gas 9% was released.
Weather was cold, with low wind speed and inversion.
The topology was one of a narrow valley, so the gas plume
travelled far. At Kaixian, the elevation is from 500 to 1000m with
narrow valleys. The accident occurred at a site at 470 to 540 m.
wind speed was 0.13 m/s average, 0.7m/s maximum. Stability
conditions varied from D to E.
245 persons were killed, 1242 hospitalised, and 65 000 were
evacuated. Most fatalities were in a zone of 500 m from the well.
H2S concentrations were 11 to 32 mg/m3 at 5700 m
Lesson
no.
144
Lessons
to account for this effect.
The developers of the well were stated to be unprepared
for the high well pressure on reacting the pay zone.
Insufficient mud had been prepared of insufficient density.
There is a need for a drilling risk analysis and an emergency
plan for every well drilled
145
146
147
A back pressure valve had been removed prematurely
The importance of topology for gas dispersion is
recognised qualitative terms, but has not been taken into
account quantitatively, either in QRA´s or emergency
plans.
The drilling team ignited the gas 18 hours after the
blowout started. This contributed to the many casualties.
Instructions for ignition were given after 13 hours, but
workers could not ignite immediately.
Modern recommendation is to ignite sour gas blow outs
after 30 minutes.
Systematic Lessons Learned Analysis
case
no.
30
Location
Woods Cross,
Utah,
30
Accident description
A 10" pipe coming from the base of a reactor, failed
catastrophically, during catalyst regeneration. High pressure
hydrogen was being circulated. Gas was released, giving a 35 m
high cloud and an explosion. Four workers nearby were blown to
the ground but were not injured. 100 homes near the refinery
were damaged, one being knocked off its foundations.
Mechanical integrity programmes had been undertaken by a
contractor. Metal thickness readings taken by the contractor
were of doubtful validity. The thickness values were
miscalculated. The contractor had been using ultimate tensile
strength values as a basis for allowable operating pressures. Also
thickness readings were inaccurate.
The pipe which failed was accorded in 2007 to have a thickness
of ½ inch but on failing in 2009 had a thickness of only 1/8 inch.
30
31
Lesson
no.
148
149
150
Marathon
Detroit
A slops tank containing diesel fuel exploded during maintenance
work at Marathon Detroit Refinery, forcing a mandatory
evacuation order for a nearby area. One employee was injured in
the blast, authorities said. Sour water release during l tank
maintenance. Sour water is wastewater from the refining
151
Lessons
Emergency preparedness must include facilities for igniting
sour gas blowouts.
Checking calculations of this type is normally made during
individual design reviews by the responsible engineer.
Mistakes can be made, and if they are, hopefully they can
be caught during installation on pre commissioning
inspection. Design review should in principle trap this kind
of error. However, design review processes are of variable
quality.
Calculations of values such as pipe thickness are today
largely made using software, or spreadsheets. These are
often well checked before use. Input of erroneous data will
nevertheless still be a possibility, as here.
One of the difficulties which can arise with software
calculations is also use of programs beyond their range of
applicability. This kind of problem has arisen in modern
high integrity companies. The only known method to resist
this kind of problem is spot check audits, including QC
system audits. The lesson learned from the case is that
such audits are needed, and that it requires experienced
engineers to make them.
Sour water and slops tanks are among the most
dangerous, if not protected. Blanketing can be by nitrogen,
or by fuel gas.
Diesel does not normally need blanketing, but as a blanket
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
process. Pollutants have to be stripped out of it before the water
can be reused or sent to an outside wastewater system.
Lesson
no.
Lessons
liquid in a slops or sour water tank it is easily
contaminated.
Marathon reported the sour water tank involved in the fire
contained ammonia, hydrogen sulphide and sulphur dioxide.
Inside the tank were benzene and hydrogen sulphide covered by
about 4 feet of diesel fuel used to contain those chemicals.
32
Gallup NM
It was the diesel fuel that burned. Benzene and hydrogen
sulphide can penetrate skin, which is why they pulled the trigger
on a 3,000-person evacuation.
A spare pump was scheduled for maintenance . To isolate the
pump for work, plant personnel, using a valve wrench, turned a
shut-off valve connecting the pump to a distillation column to
what they believed was the "closed" position. CSB investigators
determined that the valve was actually open.
An operator disconnected the pump's vent hose to verify that no
pressure was in the pump, and witnessed some alkylate flow
through the hose. After the flow subsided, he believed the pump
had been de-pressurized and was ready for removal. The study
concluded that the vent line was plugged, not de-pressurized. As
the mechanics were removing the pump alkylate was suddenly
released at high pressure and temperature, producing a loud roar
that was audible throughout the refinery. One of the mechanics
was blown over an adjacent pump and broke his ribs. About 30 to
45 seconds after the initial release, the first of several explosions
occurred. The plant operator was covered in alkylate that quickly
ignited and seriously burned him. Other personnel suffered burns
and eye injuries.
The design of the valve wrench used to "close" the suction line
made it easy to remove and reposition onto the valve stem in
different directions, and this led to a potential hazard because
152
CSB findings included : "Giant's mechanical integrity
program did not effectively prevent repeated pump seal
failures. Problems were addressed when equipment broke
down, not in a preventive manner.
There should be proper mechanical integrity programs to
prevent breakdown maintenance. The study said Giant
should have determined the cause of the frequent alkylate
recirculation pump malfunctions and implemented a
program to prevent them.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
operators sometimes determined whether the valve was open by
its wrench position, rather than the valve position indicator. In
this incident, the valve wrench collar had been installed in the
wrong position. Operators depended on the wrench position and
mistakenly determined the valve was closed."
Lesson
no.
Lessons
The study also found that the valve had been modified in the past
to replace a hand wheel method of opening and closing it with a
bar-type hand wrench. If the company had performed a
management of change analysis before modifying the valve, they
could have recognized the hazard of identifying the valve position
that this modification caused. In addition, Giant operators did not
effectively verify that the pump involved in this incident had
been isolated and depressurized before beginning to remove it.
32
153
32
154
32
33
34
Caribbean
Petroleum,
Bayamon,
San Juan,
Puerto Rico
Wynnewood,
Tulsa, OK
A tank overflow occurred at a crude oil tank farm. At 12:23 a.m.
on October 23, a large vapour cloud ignited at the Caribbean
Petroleum facility near San Juan, Puerto Rico. The blast damaged
homes and businesses over a mile from the facility. Investigators
from the U.S. Chemical Safety Board arrived in Puerto Rico that
evening. The incident was very similar to that at Buncefield.
A boiler that was being brought back online after maintenance
exploded at an oil refinery in Wynnewood, killing one worker and
injuring another.
The explosion occurred after the plant had been shut down
earlier in the week for planned maintenance, a 40-day a
turnaround.
155
156
157
Under Lessons Learned, the CSB urges management of
change analyses for any valve modification
Need effective "lock out tag out" programs to ensure
equipment has been isolated, depressurized, and drained
A vapour cloud was formed, presumably as a result of
overflow. The cloud ignited and causes a major explosions,
which then involved the full tank farm.
This kind of accident is all too familiar. Over 40 such
accidents are registered in the database. Such accidents
should be virtually eliminated by the use of a well designed
burner management system.
Systematic Lessons Learned Analysis
case
no.
35
35
Location
Alon Big
Spring, Texas
Accident description
Fuel had entered the boiler fire box for a considerable period
without pilot or burner flame.
A propylene splitter on a refinery developed a crack and break on
the bottom of a pump case. The crack was caused by a faulty
weld.
The propylene flashed, and the gas plume flashed, and the gas
plume reached an ignition source. The gas cloud was in a highly
congested area. The gas cloud exploded.
This case is quite ordinary in its cause though it does illustrate
that manufactured items can contain defects (all other similar
pumps in the refinery were checked). The case is unique
however, in the extent of documentation of the overpressure
and domino effect damage. Damage was recorded to housing at
6 miles, with heavy damage at 2 miles. Storage tank walls were
collapsed and fires started at 370m from the explosion source.
Four persons were injured. All but one were released from
hospital within 2 days.
Lesson
no.
Lessons
158
One of the lessons to be learned is the surprising speed of
recovery from what was one of the largest vapour cloud
explosions. Loading racks at 200 m from the explosion
centre were damaged, but were operating 30 days after
the explosion. The refinery was in operation after 2
months, at reduced capacity. The propylene splitter unit
was destroyed completely, and not rebuilt.
159
The accident was caused by the failure of a weld repair of a
cracked pump casing. This kind of weld is difficult,
especially for pumps handling propylene, where low
temperatures can occur from even the smallest leak.
The accident gives a very clear picture of the domino
effects from the explosion, because many aerial
photographs were published. The extent of the domino
effects, with secondary fires started at 10 different
locations.
35
160
35
161
The explosion occurred at 8:12. Fire service response was
within 3 minutes. Access to the refinery fire house was
damaged. A hydraulic lift fire truck was able to contribute
to fire fighting only after the doors were torn off the
firehouse. The blast also damaged fire pumps, leaving only
one fire pump operable.
Systematic Lessons Learned Analysis
case
no.
35
36
Location
Accident description
Lesson
no.
162
Waste
treatment
plant
Expanded polystyrene entered a slops tank. Electrostatic ignition
occurred when the polystyrene touched a level control
instrument. The vessel exploded
163
37
Refinery
165
37
Refinery
38
Ethylene
cracker
Erosion occurred on the inlet line to a vacuum distillation column
due to low pressure downstream of a piping expander section.
Air was sucked in, and burned immediately in the residual fuel oil
being distilled. The piping glowed red hot. The unit was shut
down successfully, with a small spill of heavy gas oil.
A fire occurred on a crude column bottoms pump. A small (8 mm)
nipple had not been replaced after maintenance, and oil sprayed
from the hole. The fire was about 12 m. in diameter, and was
extinguished in about 15 minutes.
A hose was connected from a hydrogen gas vessel to another
process vessel. The hose was a water hose and ruptured almost
immediately. The hydrogen ignited causing a small fire.
36
38
164
Lessons
Pumps are pressure vessels, and should be repaired
according to standards for pressure vessels, including
checking of consumables, good storage of consumables,
weld preparation, inspection and radiography.
Slops tank may always receive volatile liquids, and can then
explode on ignition. Slops tanks need to be blanketed
It is virtually impossible to eliminate all ignition sources.
Good housekeeping and good classified area design
reduces the probability but can never eliminate the chance
of ignition
Cavitation erosion can occur on pipes subject to vacuum as
well as pressure or high fluid velocity
166
Restoring a pump after maintenance can be error prone.
The pump needs to be checked for leaks before putting it
back into full production.
167
If water hoses have a standard coupling and this coupling
can be fitted to nitrogen, air or process nozzles/couplings
there is always a chance that operators will use them.
Water hoses are not rated for the pressures which can
arise in nitrogen or air supplies, and should never be used
as process connections. Properly designed couplings
should be used.
168
The problem is made worse by the fact that many process
units have couplings for water to allow for washing or
sludge removal, which may be used if the plant is
depressurised and made safe.
All operators and maintenance personnel need to be
trained in the use for hoses.
Systematic Lessons Learned Analysis
case
no.
39
40
Location
Accident description
Ethylene
cracker
A lube oil sight glass was damaged by impact (cause unknown).
On start up oil escaped and ignited (also cause unknown). The
fire was about 10 m. in diameter.
Sulphuric
acid plant
A blower on a sulphur burner, producing sulphur dioxide and
trioxide developed a vibration. It was shut down until
engineering evaluation could be made. After assessment it was
decided to start the blower carefully with close observation,
rather than to dismantle the blower, which would have required
one or two days loss of production. When the blower reached
3000 rpm, one of the blower blades broke off, and flew up the
discharge duct until it reached the first bent, where it passed
through the duct pipe wall. The 3 m. diameter blower impeller
was now very much out of balance, and caused violent vibration.
The impeller and shroud were torn from the foundations,
tearing2 inch bolts out of the foundation. The 20 1.5 inch bolts of
the main bearing were either stripped of threads or stretched
and broke, With rupture of the bearing box, lube oil escaped and
ignited due to the friction of the shaft on the damaged bearing.
The fire was about 15 m. diameter and 15 m. high. It was put out
in about 10 minutes. The instrumentation on the steam turbine
drive was damaged and had to be replaced.
On investigation it was found that a small sulphur spot was
present at the source of a crack, and a fatigue fracture spread
from this. The development of the crack had taken less that 3
minutes of actual running time at high speed.
A similar crack occurred on the replaced blower impeller 6
months later. The blower manufacturer was one of the most
Lesson
no.
169
170
Lessons
Sight glasses for lube oil are often mounted at a very
vulnerable height, close to the platform. They are also
mounted in the lube oil return line, so the lube oil will be
hot, and many fires have occurred from the release of hot
lube oil. If a sight glass must be located in a vulnerable
position, as is often the case, the glass should be protected
against physical impact, and should be protected against
bezel overtightening damage.
Fatigue cracks can grow from microscopic size to
catastrophic in minutes or hours. The only way to prevent
them from becoming catastrophic is to monitor for
vibration, and to calculate what small defect could grow to
a major accident. The vibration review needs to be
repeated, for example yearly, because vibration can
become worse over time.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
respected in the industry, but nevertheless the design showed
weakness.
40
40
Lesson
no.
171
172
41
Ethylene
cracker
42
Polyethylene
plant
43
Nitric acid
plant
A pipe loop was used to collect steam condensate from a heat
recovery exchanger. The operator knew that the loop was
becoming full, but calculated that there was enough time to
allow the loop to be drained. The steam flow through the loop
picked up water in the loop, and a slug of water passed into the
discharge pip. When it hit the first tee junction, the junction
ruptured, The entire steam system in the unit had to be replaced.
Fortunately, no hydrocarbon lines were damaged seriously
enough to escalate the accident.
A knock out drum for an ethylene stream to a compressor
required manual emptying because the amount of liquid in the
gas stream was very small, Eventually the knock out drum filled.
Liquid passed to the reciprocating compressor, and the
compressor ruptured.
A pipe section carrying unabsorbed nitric fumes to a vent stack
corroded and released nitrogen dioxide at ground level. It was
found that the pipe spool was made from ordinary carbon steel,
not the stainless steel used in the rest of the piping.
173
Lessons
If serious vibration does occur on rotating machinery,
assume that there is a possibility of a serious accident. Do
not restart without in depth inspection.
Inspection using endoscopes can sometimes be used to
detect cracks, but more usefully, can be used to guide
tapping with a small hammer or impactor, or to guide the
application
Even rotating equipment from reputable manufacturers
with tens of years experience can suffer from design error
Condensate build up in low points, collecting pots or knock
out drums can overflow if not drained of in a timely
fashion. If the liquid overflows or is caught up as a slug by
the gas flow, the result is likely to be sever hammer, and
pipe rupture can occur. This can happen in steam lines or
in any wet gas lines.
174
Knock out drums need to be regarded as safety critical
equipment. There should be a strict procedure and
schedule for
175
Incorrect materials are a frequent cause of accidents in oil
and gas plants. To prevent such accidents the correct
specification of materials needs to be made on drawings
(P&IDs and piping layouts or isometrics) The corresponding
coding is needed in warehouses, and good warehousing
practice is required. Ordinary carbon steel needs to be
kept separate from alloy steel and all components need to
be well labelled.
Systematic Lessons Learned Analysis
case
no.
44
Location
Accident description
Refinery
The discharge from a crude unit bottoms pump corroded and
released hot gas oil. Fortunately it did not ignite. The material for
the elbow at the discharge was found to be the wrong material.
The replacement elbow also failed a month later. The
specification provided by the pipe manufacturer was found to be
in error.
45
Refinery
The operations supervisor at a cracker unit found that all
available tanks for the residual oil were full. He would have to
close down the unit. However he found a gasoline tank in the
refinery which had not been in use for a long time and was
empty. He routed the piping so that the oil could be transferred.
When the hot resid reached the gasoline tank the small amount
of gasoline remaining flashed immediately due to the heat from
the oil, The roof of the tank blew off, and a spray of oil was blown
across the managers car park.
45
46
Venezuela,
An excavator used by a telephone company to uncover cables cut
into a 10 inch natural gas pipeline, and displaced the ends of the
pipeline by over a metre, A jet of gas blew across the highway
and ignited. This caused a car pile up and many fatalities.
The potential problem was recognised many years earlier, but
communication lines for solving the problem were very long (four
companies, with at least three layers of management in each, lay
between the analysts and those needed to implement
safeguards.
Lesson
no.
176
177
178
179
Lessons
Incorrect materials are a frequent cause of accidents in oil
and gas plants. To prevent such accidents the correct
specification of materials needs to be made on drawings
(P&IDs and piping layouts or isometrics) The corresponding
coding is needed in warehouses, and good warehousing
practice is required. Ordinary carbon steel needs to be
kept separate from alloy steel and all components need to
be well labelled.
Operators need to be aware that "unused " or "empty"
tanks need to be fully investigated before any new use.
Using a tank for a new material such as hoy oil is a major
design change, since the tank will probably not have been
designed for the new material. A change safety analysis or
a mini hazop is needed with qualified specialists
participating
The phenomenon of rapid phase transition occurs
whenever a low boiling liquid is mixed with a hotter high
boiling liquid. The effect can be hot oil into water or
gasoline, or vice versa, water into a hot deep fry pan, liquid
steel onto water or butane into a pentane tank for
example.
Very clear and direct communication is needed in order to
ensure risk reduction measures are implemented
Implementation may involve several companies, and may
involve costs and operating difficulties for each.
Implementation may take time, and large expenditures
need to be budgeted and approved which means that
momentum may be lost. The implementation may take
several years because of this. The message must therefore
be very clear. I have found that the easiest way of securing
understanding is to provide photographs or videos of
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
46
180
46
181
47
48
Venezuela,
Several instances of pipeline damage have been recorded for
cases in which new pipelines are being installed in existing rights
of way.
In one case investigated, the backhoe operator excavating a
valve pit turned the wrong way to deposit a bucket full of
excavated soil. The bucket hit an above ground oil pipeline
putting a dint into it. The hit was not reported, but was found on
inspection.
182
Propane was released from the seal of a transfer pump. The area
was cordoned off, because the release could not be stopped.
Eventually the gas ignited, with a large explosion as a result.
Housing which had been built for security staff only 50 m. from
the fence line was destroyed and there were many fatalities.
Five oil storage tanks were also set on fire.
183
Lessons
accidents similar to the one identified.
Pipelines should preferably be routed at a considerable
distance from highways. From observation of traffic
accident photographs 40 m. is usually sufficient for an
above ground pipeline. Distances could perhaps be smaller
for buried pipelines but the effect of traffic running over a
pipeline may be a dent or coating damage which need to
be taken into account. QRA guidelines give a good
indication of the risks of mixing traffic and pipelines, but
these still need to be checked. The NTSB reports of
pipeline accidents give a good indication of what can
happen.
Buried pipelines should be run in well marked right of way,
preferably fenced. Pipes should have a good ground cover,
and warning plastic strips and or concrete slabs to provide
warnings for excavation.
When a new pipeline is being installed in a right of way
containing existing ones, ideally there should be a good
safety distance. This should be sufficient to allow excavator
and side loader access without running over existing lines.
Protection 1s needed to prevent excavators from swinging
and hitting existing lines. Heavy concrete barriers or old
sections of pipe generally provide good protection. Heavy
sheet steel should not be used as it can be dropped and
damage pipe. Corrugated steel sheeting does not provide
much physical protection, but it does provide good visual
protection. Excavator drivers do not feel comfortable in
knocking down safety barriers.
Housing should never be located close to refinery
equipment or storage without an in depth risk assessment.
Systematic Lessons Learned Analysis
case
no.
Location
75
Venezuela,
76
Taiwan
77
Taiwan
Accident description
Lesson
no.
184
Natural gas liquids were releases “to a safe place” from a pigging
station. The vapour travelled 4 km. Along a narrow valley until it
reached a cantina, and was ignited, causing many fatalities,
Contributing to the accident were the facts that the valley was
narrow and deep, and that the atmospheric conditions were
stable.
A floating roof tank was being cleaned, with the roof standing on
its supporting legs. Vapour evaporating from the remaining oil on
the tank floor and walls ignited, causing an explosion which
destroyed the roof, but fortunately causing no injuries.
185
Steam was found to be issuing from pin holes in the steam
system at many parts of the steam piping. Later high levels (over
200 ppm) of hydrogen sulphide were found coming from an
open drain. The source was identified as a steam trap.
On investigation it was found that gas was leaking into the steam
187
186
Lessons
Leaks of liquefied flammable gases (including ammonia)
will eventually ignite if the leak is allowed to continue for a
long period, even if the area is cordoned off. It is
sometimes necessary to allow the leak to continue
because there is no way it can be isolated fro a large
inventory. In this case the area should be evacuated, up to
a safe distance. Consequence calculations should be made
to determine what is a safe distance. The calculations
should take into account the fact that leaks can get worse
over time, and that ignition causing a small fire can result
very quickly into a large fire due to escalation. So base
evacuation on a worst case prediction.
Natural as liquids should not be "drained to a safe place",
what is a reasonably safe place under normal wind
conditions can be a lethal place when winds are low and
the atmosphere is stable. Hydrocarbon gas can collect in
hollows and can remain in high concentration for many
days.
Tanks must sometimes be emptied completely for example
to allow maintenance to take place. When a floating roof
settles on its legs, air will be drawn in unless blanketing gas
is provided. At some stage though, there will be both air
and flammable vapour present. Ignition can occur due to
mechanical sparking as the legs and leg springs adjust, and
form pyrophoric sulphide. The period between stopping of
pumping or stopping of blanketing flow, and the point at
which the tank is ventilated below the LEL must be
minimised. It is a good idea to give a tank roof "time to
settle" after emptying, before ventilation begins.,
When designing heat recovery systems, take into account
the effect of any leakage from the gas stream into the
steam system
Systematic Lessons Learned Analysis
case
no.
78
79
80
Location
Taiwan
Accident description
system from a heat recovery boiler. The hydrogen sulphide was
causing accelerated corrosion, The entire steam piping had to be
replaced.
A riser on a rich solvent regenerator (Containing absorbed H2S)
was found to be swaying back and forth by about 1 m. Three
supports had been tor away, and a fourth was half way cracked.
The cause was vertical two phase flow in the line, with bubbles
forming and collapsing as they passed up the riser. The collapse
caused the column of liquid to fall, and place a heavy impulse
load on the pipe supports. The accident would potentially have
released a large amount of H2S, but the problem was found in
time and the unit shut down.
Lesson
no.
188
An oil degassing tank had a 24 inch riser, the crude oil passing to
the top and then being released into the tank. The collapse of
bubbles of gas in the riser caused a rhythmic vibration lifting the
riser and its support foundations about 3 inches out of the
ground.
It was calculated that the vibration, at a frequency of about one
cycle every three second, would cause fatigue cracking within 1
to 3 years. The foundations were replaced by much more
massive construction.
189
During a plant mechanical integrity audit, a 2½ inch drain line was
found, over 40 m. long without any supports at all. The need for
supports had simply been forgotten. The line was an important
one, it came from a deethaniser accumulator, and was about half
filled with propane. The lack of support placed a very large
torque onto the vessel nozzle. Vibration fatigue would have
eventually ruptured the nozzle.
190
The surprising thing was that the general standard of piping on
Lessons
Vertical two phase flow can destroy piping in a short time,
if bubble collapse occurs at the top of the flow. The
problems arise when the liquid is close to the bubble point,
as it can well be in a reflux or a column feed pipe. A
particular problem arises when there is a flow control valve
at the base of the column and this is throttled down.
Operators need to be aware of this effect, and to react
urgently to prevent pipe damage. Designers need to carry
out calculations where column feed lines will contain
liquids close to their boiling point, or liquid/gas mixtures.
Vertical two phase flow can destroy piping in a short time,
if bubble collapse occurs at the top of the flow. The
problems arise when the liquid is close to the bubble point,
as it can well be in a reflux or a column feed pipe. A
particular problem arises when there is a flow control valve
at the base of the column and this is throttled down.
Operators need to be aware of this effect, and to react
urgently to prevent pipe damage. Designers need to carry
out calculations where column feed lines will contain
liquids close to their boiling point, or liquid/gas mixtures.
Even the best companies can make errors in construction
and pipe installation. EVERY pipe run needs to be
registered and inspected, and signed off according to a
check list when being installed and when being modified
Systematic Lessons Learned Analysis
case
no.
Location
the plant was excellent, with (nearly) all pipes resting on their
shoe supports, and all pipe shoes centred in their guides. Also
surprising was that the lack of supports had not been noticed in
integrity inspections
A slug catcher consisting of a 50 m. section of 36 inch pipe was
found vibrating (jumping) about four times per minute. The
vibration lifted one end of the slug catcher about three times
every minute. The cause was two phase oil and gas flow into the
slug catcher.
Later, the foundations were strengthened and the catcher
stresses recalculated to ensure they were below those likely to
cause fatigue cracking in the reinforced structure
In an integrity audit insulation on a compressor steam turbine
was found soaked in hydraulic oil and was smoking badly. The
turbine was hot enough to ignite the oil especially as an
insulation fire. The oil came from an ESD valve control line. The
line was repaired and Insulation was removed. A fire watch was
organised until the compressor could be shut down
Oil was found in the insulation on an ESD valve fire protection
box. The oil was quite hot due to solar heating, but not at a level
where ignition would be an immediate threat. However ignition
is possible in insulation over time, as the oil gradually oxidises.
The oil came from a leak on the hydraulic control lines for the
ESD valves.
81
82
82
84
Accident description
Gas injection
plant
A gas injection compressor was found to be vibrating very
heavily. The vibration was sufficient to cause bolting in the plant
structural steel at up to 50 m. away to fail due to fatigue.
Vibration is to be expected on any reciprocating compressor, but
this was beyond anyone's experience. It proved difficult to
determine the cause of the vibration, with many specialists
investigating over a period of years. The compressor had a large
Lesson
no.
Lessons
191
Two phase flow in pipelines can cause severe vibration,
especially if the liquid to gas mass ratio is high, or if there
are low points in the pipeline.
192
Oil in insulation on hot pipes is a relatively frequent cause
of small fires,. There can in turn develop into large fires if
the fire affects flanges or seals.
193
Solar heating on cladding can heat any oil or solvent
soaked into insulation sufficiently to cause ignition. Special
care is needed when removing cladding, because at this
stage, air may reach oil residue above its flash point, or
may reach pyrophoric residues. Fire may start though even
when the cladding is intact. Cladding should never be
painted in dark colours and should preferably be left
reflective.
Vibration can be excessive on any rotating machinery and
especially on reciprocating compressors if there is
resonance with some other item, such as piping or the
structural steel. The vibration can cause fatigue cracking
and rupture.
194
It is in principle possible to predict resonant frequencies,
but in practice the stiffness of support points is rarely
Systematic Lessons Learned Analysis
case
no.
Location
84a
Taiwan
A gas distribution manifold, 16 inch in diameter and rated for 300
bar was found to have heavy high frequency vibration. On
calculation, the fatigue life of the piping was estimated to be 2 to
3 years. The problem was eliminated when shims which had
shaken loose were replaced.
195
Denmark
Tubing on a cylindrical fired heater caused an enlarged fire within
the fire box. The plant fire brigade was called. Seconds after their
arrival, the heater tube broke causing a large jet fire. Two
firemen were killed and the fire tender burned out.
196
85
86
Accident description
concrete foundation. Possible causes identified were reflection of
pressure waves from bedrock with period at the main
compressor frequency and organ pipe resonance in the
downstream piping and knock out drum.
An operator was walking alongside a hot steam condensate tank.
It ruptured along welds which had been attacked by carbonate
corrosion. He was killed by the hot water.
Lesson
no.
197
198
Lessons
known, and frequencies change depending on degree of
filling of pipes and vessels. It is essential to identify
resonant vibrations during commissioning and in the post
commissioning period, and to add supports or weights
when vibration is excessive (detuning). Also the actual
performance of supports needs to be checked.
Vibration needs to be checked not only during and after
commissioning, but throughout the lifetime of a plant.
Resonant frequencies can change due to corrosion
reducing pipe thickness and therefore stiffness, and due to
failure of supports, and excitation frequencies can change
due to changes in operation. Fatigue failures have occurred
many years after initial start up due to these causes.
The consequences of this accident were due to a tragic
coincidence of timing. The accident occurred many years
before the ideas of pre-incident planning had arisen.
Today, pre-incident planning would give responders an
idea of the degree of hazard, and the appropriate safety
distance. This would not necessarily be sufficient to keep
them safe because inspection of the release and source
control (shutting valves) are part of most emergency
response plans. However it might be possible to make the
responders thing first, and ask for remote shutdown,
rather than risking life.
Responders should be equipped with binoculars to enable
them to see the source of releases from a distance (this
often works, although just as often the source is concealed
with smoke, vapour or fire)
Hot water tanks and de-aerators should be regarded as
severe hazards, in the same way as caustic and acid tanks.
Walkways should not be routed alongside such tanks and
there should be a safety distance around them
A problem in the actual accident was that the corrosion
Systematic Lessons Learned Analysis
case
no.
87
87
Location
ME
Accident description
During a mechanical integrity audit, an insulated vertical pipe run
was found which deflected on application of pressure from a
gently applied finger tip. The 1 inch ID pipe was carrying hot
benzene to a column for distillation. The plant was quickly shut
down, and the piping inspected. A large part of the piping was
subject to under insulation corrosion, The wall thickness of the
pipe first identified was found to have been reduced from 3.5
mm to 0.8 mm. During dismantling the pipe broke in many
places.
Hot piping will usually not corrode externally, but corrosion did
occur during period of unit shutdown. Water leaking into the
insulation contained salt fro sea pray, being only a few kilometres
from the sea. Salt concentrated in the lagging, and warm
concentrated salt solution then caused accelerated corrosion.
Lesson
no.
199
200
Lessons
form was unknown. There are several forms of corrosion
which depend on particular chemical conditions in the
fluid. Plant integrity specialists should be aware of all the
special types of corrosion associated with their plants.
In retrospect, the inspectors were lucky. A more vigorous
checking of the piping for weakness would have ruptured
the pipe releasing hot high pressure benzene.
Under lagging corrosion can rapidly reduce pipe thickness
to a fraction of its initial thickness, especially if the water
leaking into lagging is contaminated.
Liss (ref. National Board of Boiler and Pressure Vessel
Inspectors January 1988 National Board BULLETIN) reports:
"Corrosion may attack the jacketing, the insulation
hardware, or the underlying piping or equipment.
Depending on other factors, chloride, and galvanic, acidic
or alkaline corrosion may occur.
Galvanic corrosion generally results from wet insulation
with an electrolyte or salt present that allows a current
flow between dissimilar metals (i.e., the insulated metal
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
Lessons
surface and the outer jacket or accessories).
Polyurethane foams with fire retardant, and phenolic
foams were found to form very acidic solutions with
accelerated corrosion.
The major factor in preventing CUI is to keep liquid from
intruding into the insulation. Water decreases the
effectiveness of the insulation and leads to corrosion of
pipe or equipment. Poor conditions caused by wet
insulation can be aggravated by weathering, vibration or
abuse from people.
Unfortunately, the insulation picked is normally based on
installed costs versus energy saved, and maintenance or
corrosion costs are not considered. The following should
be considered:
- The cost of repairing the insulation if corrosion is
detected. Insulation should be removed in limited sections
for inspection. - If insulation is subject to damage by abuse,
the cost of periodic replacement must be considered.
- The cost of the protective paint.
- For non-absorbent insulation, a "credit" should be given
for the energy saved by eliminating periodic water invasion
to absorbent insulation during wash-downs and storms.
Insulations such as calcium silicate, glass fibre and, to some
extent, cellular plastic foams absorb and retain liquids and
vapours. Additional flashing is required where spills, leaks
or drippings may occur, or where washing and hosing are
carried out. The only fully non-absorbent insulation is
cellular glass. Cellular glass should be used where corrosive
or flammable liquids are present.
Systematic Lessons Learned Analysis
case
no.
88
88
89
Location
Accident description
Lesson
no.
In several mechanical integrity audits, contractors and in one
case company maintenance technicians were found to be using
ordinary electric hand tools rather than non sparking or Ex safe
types, and were found to be using household cabling, connectors
and plugs, without the areas being approved for hot work. In
some cases the persons involved had made adaptors so that Ex
safe sockets could be used to supply non Ex safe equipment. In
one case an ordinary electric drill was being used in an area with
many operating mixer settlers using volatile solvent. In another
case a team was installing a new corrosive resistant flooring in an
area which was approved for hot work, but had stretched lengths
of ordinary household cable, linked together with household two
pin plugs and sockets, through a working solvent stripping plant.
201
In many plants conduit was found corroded or damaged. In some
cases conduit was found honing from cables. In such cases, cable
may be damaged by fretting and resultant short circuiting can
203
202
Lessons
The proper design of insulation for pressure vessels, tanks
and piping includes consideration of the support and
connection of the material. Details can be found in a
handbook from Midwest Insulation Contractor's
Association.3 According to plant operators, weather
barriers for insulation are frequently broken either
because inappropriate details were originally given for
equipment or not enough space was allotted around the
insulation. Improvement in design can be accomplished by
handling the insulation specifications early during the
vessel design and by "simplifying" the surface to be
insulated."
All operators, maintenance workers and contractors need
training in the meaning and purpose of classified areas and
the rules needed to ensure safety against ignition
Foremen, supervisors and safety officers need to be aware
of the hazards of using unsafe equipment in classified
areas unless there is an approval for hot work. They need
to know, and have the authority, to stop work when
conditions are unsafe and where fire could be started.
During mechanical integrity audits, conduit needs to be
inspected and corrosion. Conduit should be watertight,
and where cables exit from conduit, grommets or flaring
Systematic Lessons Learned Analysis
case
no.
90
90
Location
Accident description
take place. This has caused electrocution accidents and fires.
Fork lift trucks and small cranes (cherry pickers) are often used
within plants for moving drums of chemicals, lifting replacement
pumps or vales and similar heavy lifting. Many accidents have
occurred due to collisions with drums, collisions with pipe stubs
and valves and damage to piping. Dropping of hazardous loads is
also a frequent problem.
90
90
91
91
Lesson
no.
204
205
206
207
At about 3:05 PM on October 6, 2005, a trailer being towed by a
forklift snagged and pulled a small drain valve ( 1 inch valve on a
2 inch pipe) out of a strainer in a liquid propylene system.
Escaping propylene rapidly vaporized, forming a large flammable
vapour cloud.
Operators immediately began to shut the plant down and
attempt to isolate the leak They tried to reach and close manual
valves that could stop the release; however, the advancing
vapour cloud forced them to retreat. At the same time, control
room operators shut off pumps, closed control valves, and
vented equipment to the flare stack to direct flammable gases
away from the fire. At about 3:07 PM, the vapour ignited,
creating an explosion The explosion knocked down several and
burned two (one seriously) operators exiting the unit. Flames
from the fire reached more than 500 feet in the air Because of
the size of the fire, Formosa initiated a site-wide evacuation.
Fourteen workers sustained minor injuries including scrapes and
smoke inhalation. The extensive damage shut down Olefins II unit
for 5 months.
208
209
Lessons
should prevent wear on cables and possible short circuits.
Pipe tunnels should be kept clear of projections such as
light fixtures and pipe stubs, which can be broken if hit.
Pipe bridges over roadways should be protected by strong
steel portals (Headache bars)
Pipe stubs and valves should not project into roadways
Where piping or equipment is close to a parking or vehicle
turning area, or runs alongside a roadway, there should be
an anti collision barrier.
Roadways and access ways should be kept clear of
projections such as light fixtures and pipe stubs, which can
be broken if hit.
The fork list ruck was moving in a non approved area.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
91
92
95
96
Lesson
no.
210
A 10 inch 80 bar pipeline ran alongside a major highway, with a
separation distance of as little as 5 m. and with little protection.
In the accident, the pipeline was ruptured by a backhoe
excavating to install new telephone cables, rather than being hit
by a vehicle, but the risk analysis showed a fairly high frequency
for both types of accidents. When the rupture occurred a jet fire
shot across the highway. A multi car collision followed, and a fire
with 64 fatalities.
On several refineries terminal and junction boxes intended for
use in classified areas were found with closure bolts missing,
bolts loose and in some cases with boxes open. In some cases the
boxes were partially filled with water. This causes a systematic
increase in ignition probability as well as cresting a possibility for
short circuit fires and unwanted plant trips due to control signal
short circuits
211
A switching and cable room in an oil plant suffered form
blackening and sulphide corrosion on copper and silver contacts,
which affected plant control system performance with frequent
213
212
Lessons
There were designated access ways, but these were only
marked on drawings, not on the plant.
Access roads should be clearly marked, and there should
be signage or barriers to areas which are not approved, If
access is needed under exceptional circumstances, for
example for maintenance or replacement of heavy
equipment, this must be done under a permit to work
(PTW) with a job safety analysis and a risk analysis. The
need for protection of vulnerable piping and vessels need
to be taken especially into account.
Structural steel in areas handling hydrocarbons or other
flammable liquids should be fireproofed up to a level
which can be engulfed by pool for jet fires (usually up to
platform 2)
Pipelines should always be laid in a well marked right of
way. The pipelines should be buried whenever there is a
possibility of collision. Where the pipeline must be
exposed, it must be protected from possible vehicle
collision threats by collision barriers.
Enclosures, terminal panel boxes and junction boxes in
classified areas must be kept closed, otherwise classified
area requirements are not met, and fire and unwanted
shutdowns are likely. The mots frequent reason for not
closing properly is that frequent entry is needed due to
poor contacts or for instrument testing. Boxes with a
minimum of bolts or with handle closure are preferred.
Bolts are often lost, so spares must be made available.
The atmosphere in cable and switching rooms and control
rooms needs to be well controlled in order to prevent
corrosion and poor control reliability
Systematic Lessons Learned Analysis
case
no.
97
97
98
99
Location
Accident description
false alarms. The hydrogen sulphide entered the room via
ventilation or via seepage into the cellar. The source was from
sour oil which had leaked into the ground from tanks. The
concentration was low, too low to be measured on ordinary
safety gas detectors, but could be detected on more sensitive
detectors. The gas could sometimes be detected by smell. The
problem was cured by better ventilation, and by cutting a
drainage ditch around the building.
Pipe guides on a waste heat recovery steam line were placed on
the expansion loop rather than on the straight line runs. As a
result the pipe expansion on heating locked the expansion loops
against the guides. The expansion cased force on the heat
exchanger head, forcing it inward. A new heat exchanger head
had to be installed, with a resulting seven month delay in
commissioning.
On a steam pipe a relatively long pipe shoe nevertheless fell from
a pipe support due to movement caused by thermal expansion.
On contraction, the pipe shoe damaged the structural steel.
The same effect was seen on many oil flow lines resting on
sleepers. In a few cases this led to damage of the coating and
accelerated external corrosion, as the pipe rubbed against the
now tilted support sleeper. This as sufficient to cause holing in
two cases
The support shoe for a nitrogen blow down vessel was located so
that only ½ inch rested on the foundation sole plate. It was found
that the vessel could fall off under abnormal ambient
temperatures, in which case nozzle breakage could occur. The
plant had been operating for several years, so apparently this
Lesson
no.
Lessons
214
Pipe fitting crews need to be aware of the way in which
piping works, and the working of pipe guides and supports
215
There is a need for pipe inspection during mechanical
completion, as is obvious. The inspection though needs to
verify pipe supports and guides, including proper
expansion clearances, proper shimming and proper
adjustment of spring supports.
Pipe shoes need to be long enough to accommodate pipe
expansion, and need to be placed well centred on
supports, so that they cannot fall off
216
217
Vessel supports need to be examined as well as piping,
pipe supports and the vessels themselves during
mechanical completion, and need to be inspected again as
vessels are filled and temperatures increased during
commissioning.
Systematic Lessons Learned Analysis
case
no.
100
100
101
102
102
103
Location
Accident description
coincidence of high ambient temperature and low cooling in the
vessel was a rare one.
A support for a 24 inch pipeline surge relief valve was found out
to be properly installed but springs were not adjusted after line
filling. The pipeline rested on the lower snubbers.
Earlier during a surge relief episode, the relief line has kicked as
the oil ran into the surge tank. the line ripped open the side of
the tank and the contents filled the bund. There was fortunately
no ignition.
A flare line ran on sleepers above ground. In some relief cases
the flare gas would be cold, and dew condensed on the flare line.
Tis kind of effect frequently causes pitting at the 6 o clock
position on lines and in vessels, but in this case the corrosion was
enhanced by build up of blown sand with a high salt content
beneath the line. The flare line corrode due to concentrated salt
solution.
When the pit finally crated a through hole of about 1.5 inches,
sour flare gas was released, Gas alarms were activated at about
100 m. distance, but all employees survived without significant
harm due to a well functioning shelter in place procedure.
Dew dripping from a concrete slab bridge over a pipe trench
caused intense local corrosion on a high pressure gas pipe. The
pipe had no coating because under desert conditions corrosion
rates were low. The wet conditions could be recognised because
the locations had a few green plants thriving on the
condensation, which often occurred in the cold desert nights.
Very large gas turbine driven pumps were subject to a high level
Lesson
no.
Lessons
218
Liquid relief lines need to be designed for hammer and
surge effects.
219
Pipe spring supports need to be adjusted after pipe filling.
This means that there is a need for adjustment during the
commissioning stage.
Above ground piping without suitable coating should be
kept clear from drifting sand. Or preferably coating should
be applied suitable for buried piping (this can be difficult
for flare lines with a wide rang of operating temperatures.
In such cases, do not locate them close to the ground)
220
221
222
223
Designers who make decisions about coating needs need
to know the actual ambient and operating conditions for
materials. A common assumption is that deserts are hot
and dry, and designers have given that as a reason for not
needing coatings. The actual conditions become well
known if you have the opportunity to work on a night or
early morning shift.
It is necessary to consider unusual forms of corrosion
In many installations, screw jack supports have been found
Systematic Lessons Learned Analysis
case
no.
103
104
105
105
Location
Accident description
of high frequency vibration. The pumps and main piping were
designed to resist the vibration, including the use of weight
collars on the discharge pipe to detune resonance and prevent
vibration fatigue.
A 2½ inch drain line on the pump discharge led to a smaller
pump. The drain line was permanently pressurised. Initially the
drain line was not subject to excessive vibration, being well
supported, but the screw jacks worked loose. Fatigue rupture
occurred on three separate similar installations. In one case the
escaping oil ignited, causing one fatality.
During an inspection on a distillation column, one of the
inspectors took hold of a hand rail. The rail came away in his
hand, showering rust on those below. The column was close to a
fired heater, and firing with oil with a high sulphur content had
caused acid corrosion of the railing. Much of it was largely rust.
Inspection of the column itself showed only a normal level of
corrosion, presumably because the column would always be hot
at the time the heater was in operation, so that no condensation
could take place on the vessel itself.
A fire occurred in an LPG packing (cylinder filling and distribution)
plant. Many of the cylinders explodes due to the BLEVE effect or
due to overpressuring. Several landed on the roof of floating roof
tanks at the refinery alongside the packing station. Fortunately
they did not cause fire on the tanks.
Lesson
no.
224
225
226
227
Lessons
to be inactive. This usually occurs where there is
vibrations, because ground vibration caused bas plate
rotation and unscrewing. If screw jacks without springs are
used they should be supported on a solid foundation, and
the nuts should be tack welded in place.
It is necessary to inspect screw jacks for possible air gaps
under the bas plate during integrity inspections. If the
support is causing vibration, consider an alternative form
of support, or adjust the support and tack weld the nut.
Smoke form boilers and fired heaters may contain sulphur
dioxide. This can react with rain or mist to form sulphurous
or sulphuric acid, which can corrode piping and structures.
During layout, avoid locating high columns and stacks in
such a way that they are frequently engulfed by smoke
plumes.
Storage of filled LPG cylinders should be minimised, but a
certain storage is necessary in order to take into account
the daily demand pattern (many cylinders need to be
loaded onto trucks in the morning, and there is need to
take seasonal variations into account). Cylinders should be
stored in robust cages, so that if fire and cylinder
explosions occur, projectiles are not generated.
If fire affects an LPG cylinder storage, the only effective fire
protection is fire water monitors, preferably from different
sides of the store. These need to be placed so that roof
Systematic Lessons Learned Analysis
case
no.
106
Location
Lamesa TX
Accident description
Many tanks with liquids stored above below their flash point such
as diesel and fuel oil tanks are stored without blanketing. Under
most conditions blanketing is unnecessary. However in a fire the
oil can be heated generating flammable vapour, and since there
is air in the tank, the tank may explode. If the tank constructed
properly, for example according to API 650, the tank roof will lift,
giving a jet of fire, and may blow off. However if the tank base
weld is corroded the tank may fly, spreading burning fuel behind
it. Usually the distance flown is 50 to 90 m. and the tank can
cause significant damage when it lands.
Lesson
no.
228
107
Venezuela
and half walls do not obstruct the water stream. The
monitors need to be fixed because only in this way can the
necessary short response time be achieved
Combustible liquids stored in tanks below their flash point
can generate vapour due to the heat input from an
external fire, even one which does not engulf the tank but
only supplies it with radiated heat. The vapour can ignite if
it leaves the tank and the tank may explode.
The explosion should blow the roof partly off in a well
maintained and well designed tank with a weak roof seam.
If the weld between the tank wall and the tank base is
weak due to corrosion the tank may be lifted as a whole
from its base and then may fly up to 90 m. in some cases
trailing burning liquid behind it. For this reason tanks
involved in fire should be cooled with deluge or with fire
water monitor sprays, even if they contain liquids stored at
temperatures below their flash point.
This occurred at port Edouard Heriot, Lyons in 1992, and the
result was the total destruction of a fuel terminal. Several fire
induced tank explosions occurred at Thessaloniki in Greece in
1984, contributing to destruction of a large fuel import terminal.
A very good video of the phenomenon was taken at the Lamesa,
Texas solvents distribution terminal in 2012.
Examination of the history of tank fires shows that the
phenomenon of fire induced tank explosion and flying tanks
occurs in as many as 30% of closed roof tank fires when the liquid
in the tank is one with high boiling point, stored without
blanketing.
A 60 m diameter heavy fuel oil tank was heated by steam coils in
the base. The coils began to leak, resulting in a high temperature
in the oil. Operators went to the tank and lowered a
thermometer in order to confirm the fixed temperature sensor
readings. When they did so, an electrostatic spark ignited the
flammable vapour in the tank, and the explosion blew off the
tank roof. The operators were killed.
Lessons
229
Leaks from steam coils in a heavy oil tank can cause an
explosive atmosphere due to stripping of light fractions. Oil
vapour can collect in the air space above the heavy oil,
even if the light fraction stripped has a boiling point above
the steam temperature due to the stripping effect.
it is good practice to install a temperature transmitter
inside the tank just above the heating coils in order to
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Normally there is no vapour of significance in a heavy fuel oil
tank, and it is in fact difficult to get it to burn unless it is broken
into a fine spray in a high pressure spray nozzle. It is so resistant
to ignition that in some places it is stored in open lagoons. In the
actual case though the steam stripped whatever light fraction
remained in the vessel, perhaps a small fraction of kerosene used
as a flux oil.
Lesson
no.
Lessons
detect overheating
The explosion caused a full surface fire at the tank. Fire fighting
as attempted, but access was difficult due to the step slope and
the way in which the tanks were on a site excavated into the
hillside. Injection of foam through foam risers failed because the
tank had been overfilled earlier, and the heavy fuel oil froze
inside the risers (weathered heavy fuel oil is a bit like soft asphalt
at ambient temperatures).
107
The fire continued to burn for about 8 hours until a boilover
occurred. many people were killed and many more injured
because the fire had become a spectator event, with fire fighters,
national guard, boy scouts also attending (This was not unusual,
the area was and still is subject to brush fires in the summer, and
volunteers often help in fire fighting). also several news teams
and a large number of onlookers were gathered. Burning oil fell
from the fireball and affected an area up to 400 m. downwind,
and burning oil flowed about 600 m downhill to the sea.
230
Dipping is used for sample taking in dip cups , for gaging
tanks to determine the actual level of liquid in order to
check or calibrate level gauges, and to measure
temperature, as in this case. Objects lowered into a tank
may build up a high voltage if they are insulated. Any rods
used for dipping or gaging should be conductive and
earthed to the tank. Any thermometer or dip cup lowered
should be on cotton rope, which is conductive except
when it is clean and in very dry weather. Even with these
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
107
231
107
232
107
233
107
234
108
A large circulation pump on a fume scrubber was reinstalled after
maintenance. There was a bellows on the 16 inch discharge pipe,
fitted to reduce vibration. The bellows restraining bolts (fitted to
prevent a bellows from expanding beyond its design limit) were
ether forgotten, or failed. When the pump was started , the
bellows expanded. The discharge pipe had a short riser then a
235
Lessons
precautions it is not possible to guarantee that ignition will
not take place due to unusual circumstances, so designs
which avoid the need for dipping are preferred.
Fire suppression equipment such as foam injection lunes,
fire water monitors, foam generators and hydrants need to
be tested on a regular basis, at least once per year, more
frequently if failures are found. Fire water pumps need to
be tested more frequently.
Until this accident, boilover was considered to be a
phenomenon restricted to crude oil tanks. I experiments
undertaken after the accident it was found that boilover
could occur in heavy fuel oil with just a small addition of
kerosene and a very small amount (a few litres) of water.
See QRAQ report 10 for detailed description of the
boilover mechanism and modelling. Tank farm operators
need to be aware of this potential
Boilovers can be the largest accidents developed in oil
plant and refineries. The largest have had burning oil rain
out at distances up to 12 tank diameters. The size of
boilovers needs to be taken into account in emergency
planning.
Boilover usually takes some time to develop, because heat
must be conducted to the bottom of the tank sufficient to
cause water to boil and to stir up the hot and just warm oil
layers. When the heat begins to move down the tank, the
area should be evacuated upwind, to at least 5 tank
diameters. The entire downwind area should be evacuated
to at least 15 tank diameters.
If a bellows is allowed to expand unrestrained the spring
sections will extend beyond their design limit and may
crack. The expansion may also overstress piping. Bellows
should always be fitted with some restraint, and the most
common form of restraint on pump discharge piping is a
set of loose bolts which limit the length to which the
Systematic Lessons Learned Analysis
case
no.
109
109
109
110
Location
Accident description
bend with a 4 m horizontal section then a second bend and a
second horizontal section at right angle to the first. The bellows
expansion caused a torque on the second horizontal pipe section
and ruptured it. The jet force for the water from the rupture
broke the downstream piping. The jet reaction then broke the
first horizontal pipe section.
Extraction solvent leaked from a mixer settler and caught fire.
The fire brigade attacked the fire with cooling water, spreading
the burning solvent throughout the plant unit. It was completely
destroyed.
The plant was quite congested with two units side by side. The
second unit was saved from damage by an 8 m. high fire wall.
Separators were built on sloping ground. When oil was released
from a drain valve it flowed downhill, partly under the other
separators and partly along the roadway. Fortunately it was not
Lesson
no.
236
237
238
239
Lessons
bellows can expand. Proper fitting of these must be
checked prior to commissioning and after any removal of a
pump for maintenance. The restraining bolts nuts usually
have a lock nut design, when one nut is tightened against
another, The tightening of these nuts against each other
should be checked because the nuts can loosen due to
vibration. New lock washers should be fitted. whenever
the restraining bolts or rods are replaced. The length of the
restraining rods or bolts between the nuts must be
checked against manufacturer specifications
Fire water for cooling must be applied carefully, and never
directly onto oil or insoluble solvent pool fires
Fire water applied to a fire, or for cooling, needs to be
drained, it should not be allowed to collect within a plant
as it will merely spread the fire. After the accident the
drainage system for the entire plant was rebuilt, with large
drainage trenches routed away from process equipment,
and with wide mesh grids to prevent water flowing more
than a limited distance before being diverted to a safe
drainage..
Plants which are designed with a slope towards a drainage
channel at the edge of each unit generally perform much
better in a pool fire that those which are sloped towards a
central drain.
Fire water drainage needs to be kept free and unblocked
Alter the incident, curbs were fitted around the separators
so that any leak would be directed away from the
separators to a drainage channel. The channel flowed to a
Systematic Lessons Learned Analysis
case
no.
Location
ignited
111
112
Accident description
Kobe, Japan
An output transistor on a 24 volt power pack failed due to a
faulty transistor. It then generated 40 volts. Two other power
packs on the same distribution regulated down their supply, but
the faulty power supply was able to feed the full demand without
blowing the fuse. As a result all instruments on the same supply
bus were damaged.
The power pack was from 1971 and had no overvoltage
protection.
A cryogenic LPG tank had been back fitted with an ESD valve. The
valve was supported on spring supports, but on a separate
foundation from that for the tank itself. The connection to the
tank was fitted with an expansion joint.
Lesson
no.
240
Lessons
large sump, which could quickly be covered with foam.
Whenever there is a possibility of pool fires beneath
critical vessels, drainage should be fitted to take away
burning liquid as quickly as possible.
Instrument power supplies should be fitted with
overvoltage protection, and should preferably also be fail
safe
241
Take subsidence and tank movement into account when
building tankage for earthquake prone areas. Where ESD
valves are fitted, they should be on the same tank
foundation raft as the tank itself.
242
Even well protected control power supplies with UPS can
fail if power supply component failure is sufficiently
powerful, such as a capacitor or transformer explosion.
Different redundant supplies should be separated by
physical barriers sufficient to prevent damage to the
unaffected item. This is done routinely for large
transformers, but other electric equipment should also be
In the earthquake the ground alongside the tank subsided. The
piping for the ESD bent downward, and the upstream flange
began to leak. The leak continued for some days until the LPG
could be transferred to another tank, and remaining LPG
displaced by nitrogen.
112
AD
During the period of leak all hot work was forbidden and use of
electrical equipment (which could have been damaged in the
earthquake) was forbidden.
A large capacitor in a power supply exploded. The explosion
overloaded UPS supplies, so that all critical power was lost to a
large oil and gas plant.
Systematic Lessons Learned Analysis
case
no.
113
113
Location
Accident description
A fourth loading rack for flammable products had PLC control on
the platform, loading arm and valve opening. The earlier three
loading racks had relay interlocks. In the incident number four
loading arm and platform were seen rising and lowering out of
control. The unit was shut down immediately. One of the tanker
manhole covers was found to have been damaged.
In the investigation, the PLC enclosure was found to have
condensation. The PLC logic implemented the relay logic exactly.
There had been several failures on the relay systems earlier, but
these had always been fail safe, corresponding to the design
intent. It was not realised that the failure modes of the PLC could
differ from those of the relays. In the follow up vents were
provide on the PLC enclosure to prevent condensation. Also an in
depth analysis of the PLC control was made to see if additional
safety could be achieved. As a result a hard wired shut off was
provided from the dead man's loading handle, to prevent the
shut off valve and the flow control valve from opening unless the
dead man's handle was activated.
113
114
114
Lesson
no.
243
244
245
A cylinder of oxygen was used instead of nitrogen as a purge gas
prior to ventilation of equipment for maintenance
246
247
Lessons
considered. Where there are redundant power supply
busses these should be protected from voltage spikes
being passed from one to the other.
Enclosures for control systems must provide a guaranteed
environment for the electronic equipment
CHAZOP should always be made for critical control and
interlock systems
Assessment of PLC safety is difficult requiring highly expert
fault tree analysis. Old fashioned hard wired safety
systems can provide assurance when complex analyses
cannot.
All personnel involved with use of cylinders should be
trained and certificated for their use, including
understanding of colour coding and understanding gas
hazards.
Where possible, different couplings should be provided for
oxygen and nitrogen cylinders
Systematic Lessons Learned Analysis
case
no.
115
Location
Accident description
Nitrogen was provided as a back up to the plant instrument air
system. At one point maintenance workers used the instrument
air system as a supply for their air line breathing apparatus. The
system switched to backup gas supply, and the two workers were
killed
115
115
249
250
116
117
118
Lesson
no.
248
Venezuela,
Natural gas pipeline rupture occurred due to stress cracking
initiated at a hard spot created during manufacture. Fire from the
20 inch, 40 bar line rose to between 90 and 150 m. The fire
persisted for 2hr 45 min because of confusion about the line
identity, a second parallel line being identified from helicopter
overflight
During the shutdown of a plant containing liquid propylene, the
flow of cooling water to a cooler was isolated. As the pressure in
the plant was reduced, the propylene became colder and the
water in the tubes froze, breaking seven bolts in the floating
head. The operators saw ice forming on the outside of the cooler
but did not realize that this was dangerous and did not do
anything about it. When the plant was started up again,
propylene entered the cooling water system and the pressure
blew out a section of the 400mm line. The escaping gas was
ignited at a furnace nearly 40m away and the fire caused serious
damage.
Cryogenic propane leaked from pump seals. It evaporated on the
ground and ignited from an 11 kV transformer that was only 12
m. from the pump. The liquid burned until the propane was
pumped and ejected by pressure from the piping (due to the
heat input from the fire). ESD functioned, stopping the flow from
251
Lessons
Designers should avoid using nitrogen as backup the plant
air systems. If a back up is needed, designers should at
least use compressed air.
If SCBA is not sufficient, safety qualified breathable air
supply and airline breathing apparatus should be used.
This can be portable trolley or vehicle mounted apparatus
if fixed breathable air system is not installed.
Connections for breathable air should be different to those
for plant air. Safety audits should check to ensure that
there are no “adaptors” allowing connection to plant air.
Ruptures from hard spot stress cracking can develop very
rapidly. Any abnormalities such as inclusions or weld
defects identified by NDT should take this into account
252
Cooling water should be kept running even during
shutdown if there is a possibility of freezing
253
High voltage transformers should never be located close to
critical pumps or other process equipment. The ignition
probability for a gas or vapour cloud which reaches a high
voltage transformer is historically close to 1.0. The
question arises of how far away this should be. The answer
Systematic Lessons Learned Analysis
case
no.
Location
the storage tank. The pumps were not damaged because they
were in the vapour rich part of the plume, above the LEL. Piping
was not damaged because it was protected by foam glass
insulation, but the aluminium cladding burned away
118
119
120
Accident description
Michigan,
USA some
years ago
Lesson
no.
254
At a gas processing plant, a single line from the storage area to a
distant jetty was used for propane, butane and naphtha (largely
pentane). An error was made in valve line up when a butane
transfer to a ship was to be made. The discharge valve from the
pentane tank was not closed. As a result butane was forced back
into the pentane tank. The butane flashed to gas and pentane
was ejected from a rupture panel at the top of the tank. 20000
bbl of pentane was ejected into the bund. About 50% of this was
recovered over a period of 3 days, the rest evaporating.
255
Two employees in a fertilizer plant had to install a float valve in
an old 10m-deepwatercistern. When the first man dropped onto
a wooden platform 1.8m below the tank opening, he was
immediately overcome by hydrogen sulphide gas, which had
displaced the oxygen in the tank atmosphere, and he fell into the
water below. His partner went for help and the two men who
entered the tank were also overcome and fell into the water. A
256
Lessons
is given by QRA using a calculation method based on
discrete ignition locations.
The fire in this case lasted about 30 minutes until it burned
out, following closure of the ESD valves. The pumps
themselves were relatively undamaged, the motors had no
structural damage but the electrical parts were destroyed.
Piping was undamaged but flanges were damaged to the
extent that they were still leaking small amounts of
propane due to ESD valves passing at the time of the post
incident inspection.
A pipeline or manifold which is used for both liquefied gas
and a higher boiling liquid, mixing will almost certainly
occur at some time. This can be due to misalignment of
valving, valves passing or failing open. When valves are
widely open, the mixing of warm liquid with cold liquefied
gas will cause a rapid phase transition or flashing
explosion. When the leak is slow, as through a passing
valve, the mixing can proceed without an explosion, but it
will usually lead to contamination of product, layering in
storage, and may cause a roll over. Separate piping is
needed for each liquefied gas product. (by contrast, multi
product lines are often used for transporting naphtha,
gasoline, kerosene and diesel. Care is needed in transition
because there are differences in viscosity and hammer
effects can arise.
It is difficult to prevent people from placing themselves in
danger by acting instinctively in an emergency, but it can
be done by training them to act in a given way in a given
set of circumstances. It is essential that this training be
provided for all people who may have to work in confined
spaces and to those members of management who will
have contact with them. In addition, the basic training
Systematic Lessons Learned Analysis
case
no.
120
121
122
Location
Accident description
passer-by, trying to save the drowning men, jumped into the
water and he too was drowned. By this time, the fire brigade had
arrived and a fire officer wearing breathing apparatus descended
to the wooden platform. He removed his face piece for a
moment to shout instructions to men outside the tank and he
was instantly overcome and died. Thus, the original victim and
four would-be rescuers lost their lives in this one incident. It also
serves to demonstrate that even a seemingly innocent water
tank must be treated with respect and tested thoroughly before
men are permitted to enter and work in it.
A welder had been working inside the barrel of a road tanker.
When he stopped work for lunch, he switched off the ventilation
fan but left his argon arc-welding gun inside the barrel. Shortly
after he resumed work, he collapsed but fortunately an observer
was present and he was rescued in time. Argon had leaked from
the valve on the argon arc-welding gun and had accumulated in
the barrel to a dangerous level.
While a man, wearing breathing apparatus, was working inside a
tank, the air supply failed. He pressed the air demand valve but
no air came out. As he was near to the manhole, he was able to
dive out and remove his mask.
A hole was found in the air pipe about 15cm along the hose from
the mask. It was believed that before use, the mask and air line
had been hung over a pipe nearby and the air line had touched
an unlagged steam tracing line. This had melted the plastic but it
did not fail completely until it had been in use for some time.
A nitrogen receiver was to be inspected internally. The vessel was
isolated and a flange opened to ventilate. To speed the isolation,
air was blown in with a hose through the manhole at the bottom.
The air was tested for oxygen.
When the inspector entered the receiver he worked for a short
time then passed out. The “buddy” waiting outside the tank
could no enter because the SCBA he was using could not pass
through the manhole.
Lesson
no.
Lessons
must be backed up with refresher periods from time to
time.
257
Argon is an inert gas and, like nitrogen, can cause death by
lack of oxygen in enclosed spaces. The arc welder should
have been isolated and removed from the work area
before the man took his break. When work is interrupted,
consideration should be given to testing the oxygen
content again before resumption of work.
258
Safety equipment should always be carefully checked
before use. Including the full length of breathable air lines.
Training in this kind of caution is needed
259
Vessels to be entered should be properly isolated,
preferably with spool pieces removed. A minimum is
positive isolation with spades or spectacle plates.
Systematic Lessons Learned Analysis
case
no.
122
Location
Accident description
Lesson
no.
260
122
261
122
262
123
A glycol reboiler had been in service for about two years when an
operator noted an increase of temperature in the unit, and on
looking through the burner observation port saw flames within
the fire box although the reboiler control unit had shut off the
gas supply to the burner. The flames increased in intensity and
the unit temperature rose significantly. It was obvious that there
was a leak allowing glycol to enter the fire tube and burn. As the
glycol heated up it started to decompose and vaporise. The
vapours were contained within the reboiler shell and passed
along a vent pipe, through a combined pressure relief valve (PSV)
/vacuum breaker and into the platform atmospheric vent.
Platform personnel were attempting to cool the unit and control
the fire with water hoses when the combined PSV/vacuum
breaker unit failed, releasing vaporised glycol which ignited,
producing a fire external to the reboiler, whereas the fire had
previously only been internal. Significant damage occurred local
to the facility before the glycol supply within the unit was
depleted and the fire burnt itself out.
It was found that the weld between the fire tube and the plate at
the burner end was cracked along the top half of its length.
Examination of the corresponding weld at the other end of the
fire tube showed that it too was fatigued and cracks were
starting to form. The reboiler design was new, with straight
263
Lessons
Gas testing requires testing in the entire vessel, not just at
the manway entry. If necessary, the gas detector should be
mounted on a pole.
If an SCBA is to be used for rescue it should fit the opening
along with the largest “buddy”. This is often an impossible
requirement. In such cases airline breathing apparatus
should be used.
Under modern conditions persons inspecting inside vessels
should be equipped with personal multiple gas and oxygen
depletion alarms.
.The PSV/vacuum breaker had functioned effectively as
two separate units, but had an inherent weakness, which
was not apparent under normal operating conditions.
Whilst the 6mm bolts were adequate to withstand the
stress of internal pressure or vacuum, they were unable to
withstand the sideways loading produced by expansion of
the vent system piping.
When purchasing equipment a standard requirement
should be that the equipment is proven in practice
INCLUDING ANY MODIFICATIONS.
If modified equipment is to be accepted it should be
thoroughly tested under the actual conditions of
operation. If this is impractical, a very thorough electrical
and stress analysis. In particular take into account the
stresses imposed by piping and supports external to the
equipment, which may be unknown to the equipment
designer.
Systematic Lessons Learned Analysis
case
no.
124
Location
Accident description
through fire tubes. The tubes were fitted with expansion joints to
accommodate thermal expansion between the two fixed tube
plates On investigation it was found that the expansion joints
were much stiffer than calculated, and expansion was actually
accommodated by bowing of the fire tubes. This led to high
stresses at the tube plate resulting in the cracking.
The combined PSV and vacuum breaker was constructed by
bolting two units together. The inlet was on side of the vacuum
breaker, the outlet on the side of the PSV so that a shear force
was generated on the valves. The bolts sheared releasing the
glycol vapour which ignited
During the course of starting up the ethylene plant after a major
overhaul cold liquid hydrocarbon flooded the liquid drain header,
filled the knock-out drum and flowed into the flare stack itself.
The flare stack failed due to low temperature embrittlement.
Lesson
no.
264
Start up should not be made until it is confirmed that all
controls and all safety loops are working. This should be
done using a check lists. There should be an operator that
checks temperatures and levels on the control panel
displays as the plant is being filled.
265
Start up should not be attempted when there are major
The area had been inspected for readiness for start up one day
earlier but it was not noticed that level controls on a column
were isolated, nor that the level alarm instruments on the knock
out drum were disconnected, because in both cases the
instruments were obscured by the turn round scaffolding. The
column filled for 4 hours with nobody noticing that the level was
not rising, because attention was diverted to dealing with a
leaking heat exchanger flange. It had been noted in earlier start
ups that the flange should be insulated in order to allow more
rapid equalisation of cold liquid and steel temperatures but this
lesson had not been effectively communicated.
124
Contributing to the problem was the organisation of the turn
round teams. The turn round managers were working on 12 hour
shifts, but the turn round staff worked on 8 hour shifts for work
agreement reasons related to overtime payment.
Lessons
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
124
266
124
267
124
268
124
269
125
Bourdon tubes in pressure gauges which were originally
phosphor bronze were replaced by stainless steel ones on a
gasoline/tetramethyl lead blending system. Stress corrosion
cracking occurred two months later due in part cavitation
vibration in the gasoline TML inductor and in part to the bromine
compounds in the TML.
270
Lessons
problems on the plant, and if start up is found to require
bypassing and plant modification it should be suspended.
It is easy to say that there should be adequate manning for
turn round maintenance but this may not be easy. Turn
round managers for example cannot simply be hired, they
need to know the plant in depth and breadth. They are
often very heavily loaded, and nominal 12 hour shifts often
develop into 14 hour efforts, if for no other reason than
the need for effective hand over. Such work loads may
persist for several weeks. Everything should therefore be
done to assist them, including provision of assistants to
write up daily reports, and assistants with radio
communication to provide feed back from the field.
A part of start up preparation should be a review of earlier
lessons learned, and a check that these lessons have been
included in the turn round work procedures and also in the
pre startup check procedure
The area authority who is responsible for approving and
giving permission for the next step to proceed is an
important but very heavily loaded person. The work area
to be approved should be tidy and there should be as little
“hidden” aspects of status as possible. The work should be
organised so that there is a minimum number of pre shift
area inspections
For any major start up, the organisation should be
reviewed and should be kept as simple as possible. Each
team should include a good proportion of people who
have contributed to turn round on the plant earlier.
It is often difficult to know when vendors change the
internal design of nominally identical replacement
instruments. When the change in design or in materials IS
known, replacement should be subject to management of
change.
Systematic Lessons Learned Analysis
case
no.
Location
TML contaminated the area and workers in the area were found
to have heightened levels of lead in their urine.
125
126
127
128
Accident description
Wynnewood,
Tulsa, OK
Lightning struck a closed roof tank holding "25,000 barrels of
light oil" with internal floating roof. Vapour inside the tank
exploded causing the roof to partially lift, ejecting flame, but the
roof settled back into place. Fire continued from beneath the
roof.
A flame detector on one of three burners on a steam boiler
showed repeated faults and was therefore bypassed, The normal
bypassing would be available when the neighbouring burners
were lit, but in this case normal bypassing was not used because
the burner was the first of four to be used. Instead a jumper was
used ion the terminal block.
Shortly after starting the burner, there was a flame out. It was
considered after the event that this occurred because of a
change in gas density in the multi fuel supply, bringing the gas
above the UEL. When a second burner was brought on line an
explosion occurred. The boiler was completely destroyed and an
adjacent boiler suffered minor damage. An operator on the
burner platform was injured when he jumped over the railing to
escape the fire.
A package boiler was used to supply steam for two units. In an
unusual situation the two units started nearly simultaneously and
the water level fell rapidly under the unusually high initial load.
The main fire tube was uncovered so that there was no water to
cool its upper surface, and it ruptured. The boiler exploded.
On investigation it was found that there was a bypass on the trip
Lesson
no.
271
272
Lessons
The problems of halogen stress corrosion cracking is well
known to metallurgists, but generally not to instrument
engineers. The presence of bromine compound in
tetramethyl lead may be known to operators, but this may
fail to be communicated to metallurgists. management of
change requires a multi disciplinary approach.
Closed roof tanks with flammable or combustible contents,
or with aqueous fluids which can be contaminated, or can
generate hydrogen, should have a weak roof seam. Details
for this are given in API 650
273
The use of jumpers to bypass instruments should be
prohibited because they lead to too many accidents.
Properly designed bypass systems should be used. In the
present case it appears that the problem could have been
avoided by changing the sequence of burner light off.
274
Jumpers are often used by contractor instrument
engineers during system testing. All bypasses must be
registered (even during completion testing). A thorough
inspection should be made prior to commissioning to
ensure that all bypasses have been removed.
Systematic Lessons Learned Analysis
case
no.
129
129
Location
Accident description
relay for the low level trip. This had been left in place since the
original commissioning tests 20 years earlier. There had obviously
been on serious low level incidents in that time
A slops tank had a vent pipe which passed to close to ground
level in a bund. Flame cutting was to be carried out on a platform
alongside and above the bund about 2.5 m. away. Slag from the
cutting fell into the bund and ignited the vapour from the tank.
The tank exploded and and separated at the tank base, The tank
flew about 90 m. and spread burning liquid across the area
causing several fatalities.
The bunded area had been tested for flammable vapour as part
of the PTW conditions. However the tests were made 12 hours
prior to the flame cutting work.
Lesson
no.
275
Flame cutting slag can travel far and carborundum disc
cutting sparks can travel up to 30 m. This makes the
required protected area for working activities very large. If
work is difficult, steel sheeting can be used as a barrier to
prevent sparks, as can a welding tent.
276
Generally workers and safety inspectors are expected to
“just know” what are the appropriate safety distances
around any work site and threatened operating plant. This
is not satisfactory, because this means that they have to
learn by experience, and even in the best case each
experience is a near miss. There should be clear guidance
about safety distances around working sites, hot work
locations and locations which could conceivably release
flammable or toxic vapour or gas.
Slops tanks are dangerous, they can have flammable
vapour even when the liquid inside is nominally water.
Slops tanks should have nitrogen blanketing.
Closed roof tanks can fail at the base in an explosion due to
corrosion at the shell to base plate weld. In this case the
tank fails at the base rather than the tank roof weld as per
API 650. The tank will then fly a considerable distance. To
prevent this, ensure that all tanks have a designed weak
roof seam, and especially inspect the base weld and
reinforce it if it is corroded at every tank inspection.
It is necessary to re-emphasize time and again that there is
129
277
129
278
130
A foreman, in his anxiety to progress a job, entered a large open
Lessons
279
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
topped vessel situated in a large well-ventilated building, by
climbing down a ladder. He attempted to clear a blocked outlet
valve by rodding it from the inside. When he disturbed the sludge
in the bottom of the tank it released hydrogen sulphide and he
was immediately overcome. On seeing what had happened, his
mate clambered into the tank to rescue him and suffered the
same fate. Both men were dead by the time a proper rescue was
organized. The company had a detailed procedure for entry into
a confined ,which had been ignored.
During the start-up of an ethylene plant on a petrochemical
complex, a heat exchanger within a cold box was subject to
pressure above its design pressure. This resulted in the
exchanger rupturing, blowing away a corner of the cold box. The
escaping gases ignited at source and the ensuing fire burnt for 36
hours. Fortunately, no one was injured as a result of this incident.
132
133
Jonava
134
Deepwater
Horizon
The possibility of overpressuring had been noted by the plant
manager, plant chemical engineer and plant superintendent, and
they introduced a valve to prevent the overpressuring, but the
changes were not marked on drawings and no information was
transferred to the operating procedures or operators.
An operating error apparently led to liquid ammonia at 10 deg C
being pumped into a cryogenic ammonia storage tank at -33 deg
C. The warm ammonia cussed a rapid overpressuring, and
ruptured a section of the plant base. 7500 tonnes of ammonia
were released. The force of the ejected ammonia pushed the
tank off of its pedestal. and drove it through a bund wall.
The ammonia caught fire and ignited NPK fertiliser on a conveyor
which then carried the fire to fertiliser storage. This causes a
release of nitrogen dioxide.
February 2010, the Deepwater Horizon rig commenced drilling at
the Macondo prospect, 66 km from the Louisiana coast, in a
water depth of 1500 m. on 20th April 2010, a blow out occurred
at the rig. It caught fire, exploded and continued to burn. 11
Lesson
no.
Lessons
a proper procedure for entry into a confined space and it
must always be adhered to.
Foremen and supervisors are particularly susceptible to
taking short cuts in order to “get the job done and keep
production going”. However confined space entry
procedures are not optional, in just the same way that
prohibition against smoking is not optional.
280
This accident occurred before real attention was given to
management of change, but illustrates why MOC is
needed. In this case MOC should have involved a minihazop and the results should have been transferred to the
operating procedures.
281
Insufficient detail is available to determine the actual
cause of the mistake, but it is possible to conclude that the
hazard of hot ammonia into cold ammonia must be
recognised, included into procedures and communicated
to operators.
282
This is a story of multiple failures on what is highly
developed equipment, with sophisticated safety design,
procedures and training. It is hard to avoid the conclusion
that the teams believed that there were so many safety
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
persons were killed. After burning for about 36 hours, the rig
sank. The following oil spill continued until September 19 2010-
Lesson
no.
Lessons
systems that none were particularly important. Lessons to
be learned are:
At the time of the accident the rig was drilling on exploratory
well. The well had been drilled to 5600 m. production casing was
being run and cemented at the time of the accident. The
cementing contractor stated that it had finished cementing 20
hours before the accident, but that it had not set the final
cement plug to allow temporary well abandonment.
The well head was fitted with a blow out preventer, actuated by
cable from the surface. (The lack of acoustic or other remote
control was later criticised).
At the time of the accident the rig was drilling on exploratory
well. The well had been drilled to 5600 m. production casing was
being run and cemented at the time of the accident. The
cementing contractor stated that it had finished cementing 20
hours before the accident, but that it had not set the final
cement plug to allow temporary well abandonment.
283
1. The various safety barriers are there for a purpose,
and need to be tested and maintained strictly according to
procedures
284
2. Maintenance and testing procedures need to be
validated, to ensure that they actually work
285
3. The impact of schedule pressure is evident in the
reports, particularly the need for speed in the cementing
process, and in reluctance to question the results of tests,
and the lack of tests. Schedule pressure should never be
allowed to compromise critical safety procedures.
The well head was fitted with a blow out preventer, actuated by
cable from the surface. (The lack of acoustic or other remote
control was later criticised).
Analysis showed that a total of five safety barriers failed.
The well head was fitted with a blow out preventer, actuated by
cable from the surface. (The lack of acoustic or other remote
control was later criticised).
Analysis showed that a total of five safety barriers failed.
·
Annulus cementing
·
Mechanical barriers at the bottom of the well
·
Well control (mud circulation and mud weight)
·
Blowout preventer failed
·
Ignition prevention was inadequate
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Concerning the annulus cementing, subsequent tests indicate
that there would have been problems in achieving a stable
nitrified cement. Also the planned number of casing centralisers
were not installed because the team believed (erroneously) that
21 slip on centralisers were the wrong type, and could lodge
across the BOP. There are claims of errors in the cement
formulation, and acknowledged lack of testing of the cement.
Lesson
no.
286
A negative pressure test was carried out but was over interpreted
to conclude that the cementing was sound.
287
The “shoe track” at the base of the well should have prevented
ingress of oil and gas to the 7 inch casing. The shoe track cement
could have been contaminated by nitrogen or well fluid, or it
could have been badly designed. Float collars with flapper valves
were also determined to have failed.
It was not determined what the actual cause of the two failures
were.
The negative pressure test should have confirmed the down hole
seals. The team observed 15 bbl of sea water bled from the well,
when 3.5 bbl was expected. The tool pusher interpreted this as
due to “annular compression”. the investigation team could not
find any evidence that the effect exists.
Once the negative pressure test was completed, the annular
preventer was opened, and the pressure in the well
correspondingly increased. The crew began to displace mud from
the riser with seawater. As a result well pressure decreased.
Hydrocarbons entered the well. Little or no logging activity took
place, in part because of preparations for the next phase of
completion of the well. The presence of hydrocarbons was not
recognised.
About 5 minutes after the mud pumps were shut down, mud
began to flow onto the drilling floor. The crew attempted to
control the well by closing the BOP. The annular preventer did
288
289
290
Lessons
4. The blowout preventer reliability was analysed
carefully in a detailed risk analysis report in 2001. The
analysis makes assumptions about the reliability and the
testing frequency. In practice, the system was subject to
common cause failure (solenoid coils) connectors,
batteries were beyond their intended design life, and had
insufficient charge, and had inadequate diagnostics. There
were many other deficiencies.
The original reliability analysis was carried out properly,
but if underlying requirements ae not met, the analyses
are at best misleading.
A short check list of items which need to be in place to
ensure reliability of equipment of this type is:
All active systems need to be provided with
diagnostics which can test functionality
Certification and replacement intervals must be
observed
291
-
Non OEM components should not be used
292
The condition of consumables such as battery charge
needs to be tracked
Systematic Lessons Learned Analysis
case
no.
135
Location
Accident description
not fully seal around the drill pipe so that hydrocarbons
continued to be released.
The rig crew diverted the flow to the mud gas separator, but this
was quickly over loaded. The alternative, of diverting the flow
overboard was apparently not chosen.
Shortly afterwards an explosion occurred.
Mont Belvieu
TX
Lesson
no.
293
-
294
When failures are found, root cause analysis must be
investigated and causes eliminated
Evidence of common cause failure needs to be reviewed
with some urgency and the root causes found. If the cause
cannot be found, the safety systems must be regarded as
suspect, and rules for minimum conditions for operation
apply
All critical parts need to be on the testing list.
Note: the HVAC systems for the engine room were on manual
control, and did not prevent ignition.
295
The blowout preventer had two actuation systems, one electrical,
one hydraulic. Evidence was found that there were faults on
solenoids, non original equipment fitted, and batteries not
charged. There is evidence that one of the annular blow out
preventers was subject to a pressure differential larger than its
design value. The blind shear ran failed to close because a non
shearable section of pipe was in the shearing sections.
After the explosion, control of the BOP was probably lost due to
damage to control cables. Automatic (fail safe) shutdown
probably failed due to a defective solenoid on one system, and a
discharged battery on the other.
296
Two maintenance contract workers went to change the position
of a spectacle plate on an incoming NGL line to an NGL
processing plant. For an unknown reason NGL was released and
ignited. The workers were killed.
Two workers had gone out to cut a 10" pipe, they had dug a 6
foot hole to the underground pipe. Pneumatic pipe cutters were
found in the hole and pipe had been cut. There were several 10"
pipes in the area, and the wrong one was cut.
Lessons
Test intervals need to be observed
297
5. Maintenance records were not made properly. In
some cases maintenance was recorded for periods in
which BOP was on the seabed.
298
299
6. The emergency response plan was inadequate
This is yet another example of the importance of isolation
and of safe isolation procedures and proper equipment
identification.
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
The resulting jet fires were intense and destroyed a distribution
manifold racks.
The fire continued for several hours because three ESD valves
(out of 27) had failed and became too hot to close down
manually.
135
Lesson
no.
300
135
301
135
302
136
ME
Liquid nitrogen overflowed into a nitrogen receiver vessel when
steam supply to a water bath evaporator was shut down. The
receiver vessel failed due to low temperature brittle fracture. The
vessel burst, with damage to neighbouring equipment.
303
There was a low temperature trip on the nitrogen header but the
trip valve failed to close completely because of a hardware
change. The change had been made much earlier and was
unknown to most of the plant staff.
Lessons
Properly located ESD valves are important, and valves need
to be protected from all reasonable possible fires.
Permit to work systems need to have a "positive
identification of equipment and piping" section on forms.
Permit to work systems need to have a "positive
identification of equipment and piping" section on forms.
The hazards of liquid nitrogen should have been identified
in hazops, and presumably were identified, since a trip
system was specified for low temperature. However, the
knowledge was obviously not communicated to operators.
A much more systematic way is needed for communication
of hazard knowledge to operators.
Low temperature alarms were received and acknowledged in the
control room, but no further actions were taken.
136
304
136
305
Liquid nitrogen is listed as a hazard in the ISO hazid check
list under "cold surfaces". Its danger to piping, and vessels
is not mentioned, and its danger as an asphyxiant is
mentioned under "Excessive N2" hazid check lists need to
be complete, otherwise they become a source of danger
themselves.
Generally, a much more systematic approach is needed to
hazard identification and hazard communication between
designers and operators, designers and maintenance, and
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
136
306
136
307
136
308
136
309
136
310
136
311
136
312
137
Canada
A contract operator was part of a team commissioning a well.
Gas had been seen “bubbling” from the base of a threaded
tubing fitting which connected a well head to a pressure
transmitter.
The operator attempted to tighten the ferrule using a wrench. He
leaned over the connection and touched it with a wrench, at
which time, the ferrule broke loose. The tubing whipped back
and gouged a hole in the wall. The operator took the full force of
escaping gas in his face. The gas turned his face black, and tore a
15 cm hole in his throat and collapsed a lung.
The ferrule fittings had not been checked, and were found only
313
Lessons
between companies when transfer of ownership or
operating licence takes place..
The management of change procedure broke down
completely, probably in two ways, a) by not being applied
and b) by results not being communicated. The
management of change register needs to be a living
document which follows the plant throughout its life.
A safety review section is needed in the management of
change procedure
A more effective way of communications hazards to
operators and maintenance personnel.
The evaporator was part of a vendor package. All vendor
packages need to be hazopped
An alarm management review procedure is needed, so
that the correct response to alarms is ensured.
All parameter excursions outside the normal operating
envelope need to be investigated
many accident types cannot be identified by HAZOP. A
procedure is needed for safety design review of process
drawings, including as built P&ID´s, cause and effect
matrices, alarm lists and display layouts,
Instrument tubing must be installed according to
manufacturers procedures, and with the correct tools.
Artisans need to be aware of the hazards of high pressure
tubing
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
to be finger tight. The ferrules were not seated on the tubes.
Lesson
no.
Lessons
No hydrostatic or pneumatic testing had taken place
A similar accident occurred in Alaska, due to tubing being
designed to operate at maximum allowable pressure. When a
ferrule slipped, the tubing whipped and carved a 1 inch slice from
the top of the fitter´s helmet, missing his cranium by millimetres.
He suffered a strained neck.
137
137
137
314
315
316
138
ME
Two operators were trying to close a valve tight on a water
injection system. They used an “extended valve key” – that is a
spanner (wrench) with a length of scaffold pipe as extension. The
valve broke, and the jet of water blew the operator across the
platform. The operator died from a broken skull when his head
hit a railing.
317
139
ME
A central degassing station had an emergency shut down. As a
result of hammer effects there were oil leaks from two flow lines.
The central degassing station was brought back up and
operations teams started to open wells. Another team drove to a
remote degassing station to isolate wells from the station. Close
to the remote station, there was a leak from another flow line,
across the main access track. While crossing the oil pool, the
vehicle caught fire. There were four fatalities and one person
with minor injuries.
318
139
319
Tubing installations need to be pressure tested
Do not work with tools on pressurised equipment. The
equipment should be depressurised before tightening
starts.
Consider the possibilities of failure of equipment when
using tools, and do not stand in the line if fire when there
is a possibility of equipment or breaking or a tool slipping.
Do not use improvised high power or high force tools on
active process equipment (especially high pressure
equipment) There is a temptation to use high force tools to
tighten bolts when valves or flanges are leaking. This is a
mistake. Firstly the force can break the bolts. Secondly,
overtightening will crush the gasket, so that it will leak as
soon as there is any temperature or pressure change.
Do not drive through pool or even approach pools of crude
oil (or any other chemical or flammable fluid for that
matter). Crude oil generally has a high vapour pressure and
will give off plumes of flammable vapour. Such vapour is
easily ignited (for example by a car engine) and will give a
large flash fire or possibly a vapour cloud explosion
Hammer effects need to be taken into account when
liquid pipelines are closed rapidly. This needs to be taken
Systematic Lessons Learned Analysis
case
no.
Location
Accident description
Lesson
no.
139
320
139
321
139
139
322
323
139
139
324
325
Lessons
into account during detail design, but also when periodic
inspection is carried out.
The wells did not trip on high pressure. (This is not
surprising if the cause of over pressuring was a hammer
effect, since the high pressure does not affect the
upstream pressure sensors.
Current designs for well flow lines and trunk lines do not
generally have high pressure protection
Well head maintenance was behind schedule
Operations at night in response to an emergency had not
been identified as a “critical activity”. There was no risk
analysis or job safety analysis
Hazop/SIL revalidation had not been undertaken
Labourers had not been issued with fire resistant overalls.
Systematic Lessons Learned Analysis